BMC Software Confidential. BMC Atrium Single Sign-On 8.1. URL: https://docs.bmc.com/docs/display/sso81/Home. Date: 16-Jan-2014 15:56

Table of Contents
3 What's new __________________________________________________________________________ 12
3.1 Version 8.1.00 ____________________________________________________________________ 14
3.1.1 Redesigned user interface ______________________________________________________ 15
3.1.2 Predefined authentication module _______________________________________________ 15
3.1.3 New utility to simplify BMC Atrium Single Sign-On and AR System integration ______________ 15
3.1.4 BMC Atrium Orchestrator Platform integration ______________________________________ 16
3.1.5 Click jacking prevention _______________________________________________________ 16
3.2 License entitlements _______________________________________________________________ 16
3.3.1 Patch 3 for version 8.1.00: 8.1.00.03 ______________________________________________ 17
3.3.2 Patch 2 for version 8.1.00: 8.1.00.02 ______________________________________________ 18
3.3.3 Patch 1 for version 8.1.00: 8.1.00.01 ______________________________________________ 19
3.4 Documentation updates after release __________________________________________________ 20
3.4.1 Added BMC Mobility integration documentation ____________________________________ 20
3.4.2 Added BMC EUEM integration documentation ______________________________________ 20
4 Key concepts ________________________________________________________________________ 20
4.2 BMC Atrium Single Sign-On and OpenAM _______________________________________________ 22
4.2.1 OpenAM technologies ________________________________________________________ 22
4.3 Administrator password _____________________________________________________________ 23
4.5 Log on and log off behavior _________________________________________________________ 24
4.6 Certificates ______________________________________________________________________ 25
4.6.3 Related topics _______________________________________________________________ 26
4.7 Authentication chaining ____________________________________________________________ 26
5 Planning ____________________________________________________________________________ 29
5.1 Checking the compatibility matrix for system requirements and supported configurations __________ 30
5.1.1 To access the compatibility matrixes _____________________________________________ 30
5.2 End-to-end BMC Atrium Single Sign-On procedure _______________________________________ 30
 
5.3.1 Business value _______________________________________________________________ 32
5.3.3 Deployment architecture ______________________________________________________ 33
5.3.4 Deployment model ___________________________________________________________ 35
5.3.5 Deployment tasks ____________________________________________________________ 37
5.3.6 Deployment parameters _______________________________________________________ 38
5.3.7 Related topics _______________________________________________________________ 40
6.1.2 Downloading the installation files ________________________________________________ 44
6.2 Installation options ________________________________________________________________ 48
6.3 Configuring Terminal Services and DEP parameters _______________________________________ 48
6.3.1 To update Terminal Services configuration options for Windows Server 2008 ______________ 48
6.4 Installing BMC Atrium Single Sign-On as a standalone _____________________________________ 50
6.4.1 Before you begin _____________________________________________________________ 51
6.4.2 To install BMC Atrium Single Sign-On as a standalone _________________________________ 51
6.4.3 Where to go from here ________________________________________________________ 54
6.5 Installing BMC Atrium Single Sign-On as a High Availability cluster ____________________________ 55
6.5.1 HA prerequisites _____________________________________________________________ 56
6.5.2 HA pre-installation tasks _______________________________________________________ 56
6.5.3 To install BMC Atrium Single Sign-On as an HA cluster ________________________________ 56
6.5.4 HA post-installation activities ___________________________________________________ 57
6.5.5 Installing the first node for an HA cluster on a new Tomcat server _______________________ 57
6.5.6 Installing additional nodes for an HA cluster on a new Tomcat server _____________________ 63
6.5.7 Installing the first node for an HA cluster on an external Tomcat server ___________________ 68
6.5.8 Installing additional nodes for an HA cluster on an external Tomcat server _________________ 70
6.6 Installing BMC Atrium Single Sign-On on an external Tomcat server ___________________________ 72
6.6.1 Before you begin _____________________________________________________________ 73
6.6.2 To install BMC Atrium Single Sign-On on an external Tomcat server ______________________ 73
6.6.3 Where to go from here ________________________________________________________ 74
6.6.4 Policy file additions for external Tomcat installations _________________________________ 75
6.6.5 JVM parameter additions for external Tomcat installations _____________________________ 76
6.6.6 Configuring an external Tomcat instance for FIPS-140 ________________________________ 76
6.6.7 Configuring a JVM for the Tomcat Server __________________________________________ 77
6.6.8 Setting an HTTPS connection ___________________________________________________ 78
6.7 Installing BMC Atrium Single Sign-On with the AR System server and Mid Tier ___________________ 79
6.7.1 Installing video ______________________________________________________________ 80
6.7.3 Related topics _______________________________________________________________ 81
6.7.5 Installing or upgrading AR System server __________________________________________ 84
6.7.6 Installing or upgrading BMC Remedy Mid Tier ______________________________________ 86
 
BMC Atrium Single Sign-On 8.1 Page 5 of 389
6.7.7 Running the SSOARIntegration utility on the AR System server __________________________ 88
6.7.8 Reviewing AR server external authentication settings and configuring group mapping ________ 91
6.7.9 Running the SSOMidtierIntegration utility on the Mid Tier _____________________________ 92
6.7.10 Managing the AR System users and groups for authentication __________________________ 97
6.7.11 Running a health check on the BMC Atrium Single Sign-On installation __________________ 109
6.8 Installing silently _________________________________________________________________ 112
6.8.2 Uninstalling in silent mode ____________________________________________________ 114
6.8.3 Example options.txt file _______________________________________________________ 114
6.9 Uninstalling BMC Atrium Single Sign-On _______________________________________________ 117
6.9.1 Running the uninstaller on Windows _____________________________________________ 117
6.9.2 Running the uninstaller on Solaris or Linux ________________________________________ 117
6.9.3 Invocation error during uninstallation ____________________________________________ 118
7 Configuring after installation ____________________________________________________________ 119
7.1 To set up a method for authentication _________________________________________________ 120
7.2 SAMLv2 authentication ____________________________________________________________ 121
7.5 Authentication chaining ____________________________________________________________ 122
7.7 Where to go from here ____________________________________________________________ 122
7.8 Using AR for authentication _________________________________________________________ 122
7.8.1 Before you begin ____________________________________________________________ 123
7.8.2 To configure an AR module ____________________________________________________ 123
7.8.3 To configure an AR user store __________________________________________________ 124
7.9 Using CAC for authentication _______________________________________________________ 126
7.9.1 CAC certificate usage ________________________________________________________ 126
7.9.2 To set up CAC to use for authentication __________________________________________ 127
7.9.3 Modify the Tomcat server _____________________________________________________ 127
7.9.4 Import DoD CA certificates ____________________________________________________ 128
7.9.5 To import certificates ________________________________________________________ 128
7.9.6 Set up CAC certificates _______________________________________________________ 129
7.9.7 If using OCSP, enable OCSP for the server _________________________________________ 131
7.9.8 Where to go from here _______________________________________________________ 131
7.9.9 Related topics ______________________________________________________________ 132
7.10.1 Configuring Kerberos video ____________________________________________________ 133
7.10.2 Before you begin ____________________________________________________________ 133
7.10.3 To set up Kerberos to use for authentication _______________________________________ 133
7.10.4 Where to go from here _______________________________________________________ 133
7.10.5 Generating a keytab for the service principal and mapping the Kerberos service name _______ 134
7.10.6 Configuring the Kerberos module _______________________________________________ 136
7.10.7 Reconfiguring your browser ___________________________________________________ 138
 
7.11.1 Before you begin ____________________________________________________________ 139
7.11.2 To set up LDAP (AD) for authentication ___________________________________________ 139
7.11.3 LDAP (AD) parameters ________________________________________________________ 139
7.11.4 Where to go from here _______________________________________________________ 141
7.12 Using RSA SecurID for authentication _________________________________________________ 141
7.12.1 To configure the SecurID module _______________________________________________ 141
7.12.2 SecurID parameters __________________________________________________________ 142
7.13 Using SAMLv2 for authentication _____________________________________________________ 143
7.13.1 Configuring SAML V2 video ____________________________________________________ 144
7.13.2 SAMLv2 configuration options _________________________________________________ 144
7.13.3 SAMLv2 implementation ______________________________________________________ 144
7.13.5 Typical SAMLv2 deployment architecture _________________________________________ 145
7.13.6 Related topics ______________________________________________________________ 146
7.13.7 Configuring BMC Atrium Single Sign-On as an SP ___________________________________ 146
7.13.8 Configuring BMC Atrium Single Sign-On as an IdP __________________________________ 153
7.13.9 Federating user accounts in bulk ________________________________________________ 157
8 Upgrading __________________________________________________________________________ 165
8.1 To upgrade BMC Atrium Single Sign-On _______________________________________________ 166
8.2 To upgrade BMC Atrium Single Sign-On in silent mode ____________________________________ 166
8.3 Preparing to upgrade BMC Analytics for BSM ___________________________________________ 166
8.3.1 To remove the J2EE agent for BMC Analytics for BSM ________________________________ 166
8.4 Upgrading HA nodes ______________________________________________________________ 167
8.4.1 To upgrade HA nodes ________________________________________________________ 167
9 Integrating _________________________________________________________________________ 168
9.1 Integrating BMC Atrium Single Sign-On with AR System Version 8.0.00 _______________________ 169
9.1.1 Configuring external authentication for AR System integration _________________________ 170
9.1.2 Installing BMC Atrium Single Sign-On for AR System integration ________________________ 171
9.1.3 Configuring BMC Atrium Single Sign-On for integration ______________________________ 173
9.1.4 Manually configuring mid tier for BMC Atrium Single Sign-On user authentication __________ 176
9.1.5 Configuring the BMC Atrium Single Sign-On server for AR System integration _____________ 183
9.1.6 Running a health check on the BMC Atrium Single Sign-On integration __________________ 195
9.2 Integrating BMC Dashboards for BSM _________________________________________________ 198
9.2.1 Before you begin ____________________________________________________________ 198
9.2.2 To integrate BMC Dashboards for BSM ___________________________________________ 199
9.3 Integrating BMC Analytics for BSM ___________________________________________________ 199
9.3.1 Before you begin ____________________________________________________________ 199
9.3.2 To integrate BMC Analytics for BSM _____________________________________________ 200
9.4 Integrating BMC ProactiveNet _______________________________________________________ 200
9.4.1 Before you begin ___________________________________________________________ 200
 
9.4.4 To define users and groups ____________________________________________________ 202
9.4.5 To create new users _________________________________________________________ 202
9.4.6 To assign users to user groups _________________________________________________ 203
9.4.7 To clean up Web Agent entries when the BMC ProactiveNet Server is uninstalled ___________ 203
9.5 Integrating BMC IT Business Management Suite _________________________________________ 204
9.5.1 Before you begin ___________________________________________________________ 204
9.5.2 To integrate BMC IT Business Management Suite ___________________________________ 204
9.6 Integrating BMC ITBM and WebSphere application server __________________________________ 205
9.6.1 Before you begin ___________________________________________________________ 205
9.6.2 To configure the WebSphere application server to work with the BMC Atrium Single Sign-On server ____ 205
9.7.1 Before you begin ___________________________________________________________ 208
9.7.2 To integrate BMC Capacity Optimization _________________________________________ 208
9.8 Integrating BMC Atrium Orchestrator Platform __________________________________________ 209
9.8.1 Before you begin ____________________________________________________________ 210
9.8.2 BMC Atrium Orchestrator Platform installation worksheet ____________________________ 210
9.8.3 Where to go from here _______________________________________________________ 212
9.9 Integrating BMC Real End User Experience Monitoring ____________________________________ 212
9.9.1 Preparing BMC Atrium SSO server for integration ___________________________________ 212
9.9.2 Preparing the Console component for the BMC Atrium SSO integration __________________ 212
9.10 Integrating BMC Mobility for ITSM 8.1.00 _______________________________________________ 212
9.10.1 Before you begin ____________________________________________________________ 212
9.10.2 Limitations ________________________________________________________________ 213
9.10.4 Related Topics _____________________________________________________________ 214
10.1.1 Editor options ______________________________________________________________ 215
10.1.2 Status panel ________________________________________________________________ 215
10.1.4 Sessions panel ______________________________________________________________ 216
10.1.5 Realm Editor _______________________________________________________________ 216
10.1.6 Agent manager _____________________________________________________________ 233
10.2 Managing keystores with a keytool utility ______________________________________________ 239
10.2.1 Creating new keystores ______________________________________________________ 240
10.2.2 Using the keytool utility _______________________________________________________ 241
10.2.3 Importing a certificate into the truststore _________________________________________ 243
10.2.4 Generating and importing CA certificates _________________________________________ 245
 
10.2.5 Generating self-signed certificates ______________________________________________ 249
10.2.6 Checking the truststore for certificates ___________________________________________ 250
10.3 Configuring FIPS-140 mode _________________________________________________________ 251
10.3.1 Converting to FIPS-140 mode __________________________________________________ 251
10.3.2 Monitoring FIPS-140 and normal mode conversions _________________________________ 256
10.3.3 Changing FIPS-140 network ciphers _____________________________________________ 257
10.3.4 Converting from FIPS-140 to normal mode _______________________________________ 258
10.4 Using an external LDAP user store ____________________________________________________ 260
10.4.1 To create an external LDAP user store ____________________________________________ 261
10.4.2 To modify an existing external LDAP user store _____________________________________ 261
10.4.3 LDAPv3 User Store parameters _________________________________________________ 261
10.4.4 General tab ________________________________________________________________ 261
10.4.5 Search tab _________________________________________________________________ 262
11.1.3 To search for users __________________________________________________________ 266
11.1.4 To delete users _____________________________________________________________ 266
11.1.5 To modify user information ___________________________________________________ 266
11.1.6 To enable or disable a user account _____________________________________________ 266
11.1.7 To add a group membership to a user account _____________________________________ 267
11.1.8 To remove a group membership from a user account ________________________________ 267
11.1.9 To view user sessions ________________________________________________________ 267
11.1.10 To terminate an active user session _____________________________________________ 268
11.2 Managing user groups _____________________________________________________________ 268
11.2.1 To access the Group page ____________________________________________________ 269
11.2.2 To create a new group _______________________________________________________ 269
11.2.3 To delete a group ___________________________________________________________ 269
11.2.4 To assign a group membership _________________________________________________ 270
11.2.5 To remove users from a group _________________________________________________ 270
11.3 Managing authentication modules ____________________________________________________ 271
11.3.1 To manage authentication modules _____________________________________________ 271
11.3.2 To create a new module ______________________________________________________ 271
11.3.3 To edit a module ____________________________________________________________ 271
11.3.4 To delete a module __________________________________________________________ 272
11.3.5 To change the criteria for a module _____________________________________________ 272
11.3.6 To reorder the modules in a chain _______________________________________________ 272
11.4 Managing nodes in a cluster ________________________________________________________ 273
11.4.1 To modify the server configuration on a node ______________________________________ 273
11.4.2 To delete a node from the cluster _______________________________________________ 273
11.4.3 Resynchronizing nodes in a cluster ______________________________________________ 273
11.4.4 Starting nodes in a cluster _____________________________________________________ 274
 
11.4.5 Stopping nodes in a cluster ____________________________________________________ 274
11.5 Managing agents _________________________________________________________________ 275
11.6 Managing the server configuration ___________________________________________________ 276
11.6.1 To modify the server configuration ______________________________________________ 276
11.6.2 Server configuration parameters ________________________________________________ 276
11.6.3 Server Configuration Editor parameters __________________________________________ 276
11.6.4 HTTP Only and HTTPS Only ___________________________________________________ 277
11.6.5 Session parameter defaults ____________________________________________________ 278
11.7 Stopping and restarting the BMC Atrium Single Sign-On server ______________________________ 279
11.7.1 Stopping and restarting on Windows ____________________________________________ 279
11.7.2 Stopping and restarting on UNIX or Linux _________________________________________ 279
12 Troubleshooting _____________________________________________________________________ 279
12.1.2 Support utility location _______________________________________________________ 282
12.1.3 Log file locations ____________________________________________________________ 282
12.1.4 Using BMC Atrium Single Sign-On for logging _____________________________________ 284
12.2 Working with error messages _______________________________________________________ 285
12.3 Logon and logoff issues ____________________________________________________________ 316
12.3.1 Automatic IdP logon behavior __________________________________________________ 316
12.3.2 URL re-direct issues _________________________________________________________ 316
12.4 Upgrading from 7.6.04 to 8.1 silent installation issue ______________________________________ 317
12.4.1 Upgrading without specifying the host name ______________________________________ 319
12.4.2 Upgrading by re-defining the host name __________________________________________ 319
12.5 Troubleshooting AR authentication ___________________________________________________ 320
12.5.1 User has no profile in this organization ___________________________________________ 320
12.5.2 Error saving user or group edits _________________________________________________ 321
12.5.3 Error in SAML Authentication when Auto Federation is enabled _________________________ 321
12.6 Troubleshooting AR System server and Mid Tier integrations ________________________________ 321
12.6.1 Manually running the SSOARIntegration utility on the AR System server __________________ 321
12.6.2 Manually running the SSOMidtierIntegration utility on the AR System server _______________ 323
12.7 Troubleshooting CAC authentication _________________________________________________ 326
12.7.1 Example of a default logging level error __________________________________________ 327
12.7.2 Example of a debug log error when a certificate is not available ________________________ 327
12.7.3 Changing the clientAuth setting ________________________________________________ 328
12.7.4 Turning on network debug logging ______________________________________________ 328
12.7.5 Example of a client not responding with a certificate ________________________________ 329
12.7.6 Example of a client sending a certificate __________________________________________ 329
12.7.7 Example of a list of certificates sent to the client ___________________________________ 330
12.7.8 Example of URL certificate authentication not enabled _______________________________ 330
12.7.9 Example of OCSP certificate failure ______________________________________________ 331
 
12.8 Troubleshooting FIPS-140 conversion _________________________________________________ 331
12.9 Troubleshooting JEE agents ________________________________________________________ 331
12.9.1 To remove a JEE agent from BMC Atrium Single Sign-On _____________________________ 332
12.9.2 To remove a JEE agent from WebSphere _________________________________________ 332
12.9.3 To remove a JEE agent from Tomcat ____________________________________________ 332
12.9.4 To remove a JEE agent from JBoss or WebLogic ___________________________________ 333
12.10 Troubleshooting Kerberos authentication ______________________________________________ 333
12.10.2 Invalid service principal name for Kerberos authentication ____________________________ 334
12.10.3 Invalid keytab index number for Kerberos authentication _____________________________ 335
12.10.4 Invalid password for Kerberos authentication ______________________________________ 335
12.10.5 Incorrect server name for Kerberos authentication __________________________________ 335
12.10.6 Browser sending NTLM instead of Kerberos _______________________________________ 336
12.10.7 Browser not correctly configured for Kerberos authentication _________________________ 337
12.10.8 Clock skew too great for Kerberos authentication __________________________________ 338
12.10.9 Chained authentication failure in Microsoft Internet Explorer __________________________ 338
12.11 Troubleshooting an external LDAP user store ___________________________________________ 339
12.11.1 No users in User tab _________________________________________________________ 339
12.11.2 No groups in Group tab ______________________________________________________ 339
12.12 Troubleshooting SAMLv2 __________________________________________________________ 340
12.13 Troubleshooting redirect URLs ______________________________________________________ 343
12.13.1 Modifying the load balancer (or reverse proxy) for redirect URLs _______________________ 343
12.13.2 Using load balancer (or reverse proxy) host names for redirect URLs ____________________ 344
12.13.3 Cookie name change for a HA node _____________________________________________ 344
12.14 Session sharing in HA mode issue ____________________________________________________ 345
12.14.1 To configure point-to-point sessions sharing ______________________________________ 345
12.15 Troubleshooting installation or upgrade issues __________________________________________ 346
12.16 Resolving installation issues on LINUX operating system ___________________________________ 346
12.16.1 Installation failure due to missing libraries ________________________________________ 346
12.16.2 Installation failure due to low level of entropy _____________________________________ 346
13 Known and corrected issues ____________________________________________________________ 347
13.1 Installation and upgrade issues ______________________________________________________ 348
13.2 Other issues ____________________________________________________________________ 350
14 Support information __________________________________________________________________ 351
14.2 Support status ___________________________________________________________________ 351
16.1 Comments dashboard _____________________________________________________________ 353
16.3 Technical Bulletin SW00448553 _____________________________________________________ 369
16.3.1 BMC Atrium Single Sign-On ___________________________________________________ 369
16.3.2 Issue _____________________________________________________________________ 369
16.4 Enabling multiple realms ___________________________________________________________ 372
16.4.1 Realm panel _______________________________________________________________ 373
16.4.3 To create a new realm ________________________________________________________ 374
16.5 Configuring multi-tenancy support ___________________________________________________ 374
16.5.1 Configuring multi-tenancy support ______________________________________________ 375
16.6 Overview steps to install and configure HA Load-Balancing environment with SSO ______________ 378
16.7 Number of pages in space __________________________________________________________ 383
16.8 Installing and managing certificates in BMC Atrium SSO ___________________________________ 383
16.8.1 Installing certificates on a standalone server _______________________________________ 383
16.8.2 Installing certificates in HA load balancing environment ______________________________ 383
16.8.3 Importing a certificate into keystore.p12 __________________________________________ 383
16.8.4 Importing a certificate into cacerts.p12 ___________________________________________ 383
16.8.5 Finding intermediate CA ______________________________________________________ 383
16.8.6 Importing certificate chains and intermediate certificates _____________________________ 383
16.9 Installing certificates after integration with other BMC products _____________________________ 383
17 Index ______________________________________________________________________________ 384
This space contains information about the BMC Atrium Single Sign-On 8.1 release.
1 Featured content
For information about Patch 1 for 8.1.00, see Patch 1 for version 8.1.00: 8.1.00.01 (see page 19).
For information about Patch 2 for 8.1.00, see Patch 2 for version 8.1.00: 8.1.00.02 (see page 18).
For information about Patch 3 for 8.1.00, see Patch 3 for version 8.1.00: 8.1.00.03 (see page 17).
With Patch 1 for 8.1.00, BMC Atrium Orchestrator Platform version 7.7.00 integrates with BMC Atrium Single Sign-On; see Integrating BMC Atrium Orchestrator Platform (see page 209) and the BMC Atrium Orchestrator Platform online documentation.
To understand enhancements for this release, see Version 8.1.00.
To understand key concepts associated with BMC Atrium Single Sign-On, see Key concepts (see page 20).
To review a high-level end-to-end procedure, see End-to-end BMC Atrium Single Sign-On process.
To review an end-to-end deployment example for BMC Remedy AR System and the mid tier using SAMLv2 authentication, see BMC Atrium Single Sign-On using SAMLv2 deployment example (see page 31).
To review an end-to-end deployment for BMC Remedy AR System and the mid tier using AR authentication, see Installing BMC Atrium Single Sign-On with the AR System server and Mid Tier (see page 79).
2 About BMC Atrium Single Sign-On
BMC Atrium Single Sign-On is an authentication system that supports many authentication protocols and provides single sign-on and single sign-off for users of BMC products. BMC Atrium Single Sign-On allows users to present credentials only once for authentication and subsequently be automatically authenticated by every BMC product that is integrated into the system.
Using these authentication methods requires that you have previously installed the BMC Atrium Single Sign-On server and configured it with an authentication server such as LDAP, RSA SecurID, or others. Not only does BMC Atrium Single Sign-On support authentication with traditional systems such as LDAP or Active Directory, it also supports integration into existing single sign-on systems. BMC Atrium Single Sign-On is the central integration point that performs integration with the local enterprise systems.
3 What's new
This section provides information about what is new or changed in this space, including resolved issues, documentation updates, maintenance releases, service packs, and patches. It also provides license entitlement information for the release.
Tip
To stay informed of changes to this space, place a watch on this page.
The following updates have been added since the release of the space:

Date Title Summary

Patch 3 for version 8.1.00: 8.1.00.03 (see page 17)
Patch 3 for version 8.1.00 provides the following updates:
HTTP Only and HTTPS Only (see page 238): The Server Configuration Editor provides two new options, HTTP Only and HTTPS Only.
Login Failure Lockout
Valid Forwarding Domains
UserId Format (see page 227): The Kerberos Editor provides the ability to modify the UserId format.
Starting with this release, BMC Atrium Single Sign-On provides protection against clickjacking by preventing its web pages from being embedded within another frame. Clickjacking is a technique for tricking a web user into clicking a web page element that potentially reveals confidential information or hands control of the user's computer to the attacker. When the user clicks what appears to be a known web page link, the user's information is revealed to the intruder.

Patch 2 for version 8.1.00: 8.1.00.02 (see page 18)
Configuring BMC Atrium SSO in FIPS-140 Mode (see page 251)

Patch 1 for version 8.1.00: 8.1.00.01 (see page 19)
Patch 1 for version 8.1.00 provides fixes related to BMC Atrium Single Sign-On integration with BMC Atrium Orchestrator 7.7 and other BMC products.
Redesigned user interface
Predefined authentication module
New utility to simplify BMC Atrium Single Sign-On and AR System integration
BMC Atrium Orchestrator Platform integration
BMC Atrium Single Sign-On 8.1 Page of14 389
To obtain a full space export of the BMC Atrium Single Sign-On, see PDFs (see page 352)
Three new videos are now uploaded to our online documentation from the February 14, 2013 BMC Software Webinars 2013 – Atrium Single Sign-On (Atrium SSO):
Installing BMC Atrium Single Sign-On with the AR System server and Mid Tier (see page 79) provides a high-level overview as well as important tips.
Using SAMLv2 for authentication describes how to configure SAML V2.
Using Kerberos for authentication (see page 132) describes how to configure BMC Atrium SSO to leverage Kerberos.
3.1 Version 8.1.00
BMC Atrium Single Sign-On 8.1 includes the following enhancements.
Redesigned user interface (see page 15)
Predefined authentication module (see page 15)
New utility to simplify BMC Atrium Single Sign-On and AR System integration (see page 15)
BMC Atrium Orchestrator Platform integration (see page 16)
Click jacking prevention (see page 16)
Tip
For information about issues corrected in this release, see Known and corrected issues.
Version 8.1.00 was released shortly after version 8.0.00, a major release that contained significantly more enhancements. If you are considering an upgrade from a version prior to 8.0.00, you might be interested in seeing the enhancements listed in the documentation for version 8.0.00.
3.1.1 Redesigned user interface
BMC Atrium Single Sign-On 8.1 has a completely redesigned user interface. This redesign affects the majority of the BMC Atrium Single Sign-On documentation.
The following image shows the BMC Atrium SSO Admin Console:
3.1.2 Predefined authentication module
To help with the configuration of BMC Atrium Single Sign-On, a predefined Internal LDAP authentication module
is provided. This predefined authentication module allows you to quickly configure your system. The Internal
LDAP authentication module uses the internal LDAP server as an authentication source in the authentication
chain and does not have parameters to configure.
For more information about the Internal LDAP module, see Configuring after installation.
3.1.3 New utility to simplify BMC Atrium Single Sign-On and AR System integration
BMC Remedy AR System 8.1 introduces a new utility that greatly simplifies the integration between BMC Atrium Single Sign-On and the AR System server and Mid Tier.
The Single Sign-On integration is now removed from the AR System installer. As a result, you no longer have to follow the error-prone steps if you chose to integrate BMC Atrium Single Sign-On after you installed the AR System server and Mid Tier.
You use the one utility to integrate both the AR System server and the Mid Tier, but with slightly different inputs.
For more information, see Installing BMC Atrium Single Sign-On with the AR System server and Mid Tier (see page 79).
3.1.4 BMC Atrium Orchestrator Platform integration
With this release, BMC Atrium Orchestrator Platform 7.7 uses the BMC Atrium Single Sign-On 8.1.00 (Patch 1 or later) authentication system to provide single sign-on and single sign-off. For more information about BMC Atrium Orchestrator Platform 7.7, see the BMC Atrium Orchestrator Platform 7.7 online documentation. For more information about integrating BMC Atrium Orchestrator Platform 7.7 with BMC Atrium Single Sign-On, see Integrating BMC Atrium Orchestrator Platform (see page 209).
3.1.5 Click jacking prevention
Click jacking prevention is added with Patch 3 for version 8.1.00: 8.1.00.03 (see page 17).
3.2 License entitlements
This topic explains the entitlements that apply to licenses you purchase from BMC Software. For information about restrictions to those licenses, please see your Product Order Form.
Note
You can download the components mentioned herein from the Electronic Product Distribution website. Use the same user name and password that you use to access the Customer Support website.
If you do not have a current license for the components you want, contact a BMC sales representative by calling
800 793 4262. If you cannot download the components, contact a sales representative and ask for a physical kit
to be shipped to you.
BMC Atrium Single Sign-On is certified on the configurations explicitly stated in this document. Configurations
not listed might still operate properly and so customers can choose to run in a configuration not listed as
supported. Such configurations would be considered "unconfirmed". BMC will accept issues reported in
unconfirmed configurations but we reserve the right to request customer assistance in problem determination,
including recreating the problem on a supported configuration.
Reported defects either found to be unique to an unconfirmed configuration or not reproducible within a
supported environment will be addressed at the discretion of BMC. Defects requiring time and resources beyond
commercially reasonable effort might not be addressed. If a configuration is found to be incompatible with BMC
Atrium Single Sign-On, support for that configuration will be specifically documented as not supported (or
unsupported). Visit the Customization Policy under the Support Contacts & Policies link on the BMC support
website.
3.3 Service packs and patches
This section contains information about service packs and patches for BMC Atrium Single Sign-On.
Patch 3 for version 8.1.00: 8.1.00.03 (see page 17)
Patch 2 for version 8.1.00: 8.1.00.02 (see page 18)
Patch 1 for version 8.1.00: 8.1.00.01 (see page 19)
3.3.1 Patch 3 for version 8.1.00: 8.1.00.03
This topic contains information about fixes in BMC Atrium Single Sign-On 8.1.00 Patch 3 (8.1.00.03) and provides
instructions for downloading and installing the patch. It is organized as follows:
Corrected issues (see page 17)
Installing the patch (see page 17)
Note
BMC Atrium Orchestrator Platform 7.7 must use BMC Atrium Single Sign-On 8.1.00 Patch 1 or later.
Corrected issues
To learn about issues corrected in Patch 3 (8.1.00.03), see Known and corrected issues. Click the Corrected in column heading to sort the table by version.
Patch 3 also includes the fixes from Patch 2 and Patch 1 for version 8.1.00.
Installing the patch
Patch 3 for BMC Atrium Single Sign-On 8.1.00 (8.1.00.03) is a full installation. You can download the 8.1.00.03 installation files from the Licensed Products tab on the BMC Electronic Product Distribution (EPD) site and perform your normal installation. For instructions about downloading the files that you need for installation, see Downloading the installation files (see page 44).
Recommendation
Backup BMC Atrium Single Sign-On before proceeding with the patch installation.
To install BMC Atrium Single Sign-On 8.1.00 Patch 3, see Installing (see page 40).
To perform a silent installation, see Installing silently (see page 112).
To upgrade to BMC Atrium Single Sign-On 8.1.00 Patch 3 from an earlier version (8.1.00, 8.1.00.01, or 8.1.00.02), see Upgrading.
3.3.2 Patch 2 for version 8.1.00: 8.1.00.02
This topic contains information about fixes in BMC Atrium Single Sign-On 8.1.00 Patch 2 (8.1.00.02), and provides
instructions for downloading and installing the patch. It is organized as follows:
Note
BMC Atrium Single Sign-On 8.1.00 Patch 2 (8.1.00.02) has been replaced with Patch 3 (8.1.00.03) and can no longer be downloaded from the BMC Electronic Product Distribution (EPD) site. Patch 3 is a full installation and includes the fixes that were available in Patch 1 (8.1.00.01) and Patch 2 (8.1.00.02). For information about downloading and installing BMC Atrium Single Sign-On 8.1.00 Patch 3, see Patch 3 for version 8.1.00: 8.1.00.03 (see page 17).
Corrected issues (see page 18)
Installing the patch (see page 18)
Note
BMC Atrium Orchestrator Platform 7.7 must use BMC Atrium Single Sign-On 8.1.00 Patch 1 or later.
Corrected issues
To learn about the issues corrected in Patch 2 (8.1.00.02), see Known and corrected issues. Click the Corrected in column heading to sort the table by version.
Installing the patch
BMC Atrium Single Sign-On Patch 2 features are included in the BMC Atrium Single Sign-On Patch 3 installation. You can download the 8.1.00.03 installation files from the Licensed Products tab on the BMC Electronic Product Distribution (EPD) site and perform your normal installation. For instructions about downloading the files that you need for installation, see Downloading the installation files (see page 44).
Recommendation
Back up BMC Atrium Single Sign-On before proceeding with the patch installation.
To install BMC Atrium Single Sign-On 8.1, see Installing (see page 40).
To perform a silent installation, see Installing silently (see page 112).
To upgrade to BMC Atrium Single Sign-On 8.1.00 Patch 2 from an earlier version (8.1.00 or 8.1.00.01), see Upgrading.
3.3.3 Patch 1 for version 8.1.00: 8.1.00.01
This topic contains information about fixes in BMC Atrium Single Sign-On 8.1.00 Patch 1 (8.1.00.01), and provides
instructions for downloading and installing the patch.
Note
BMC Atrium Single Sign-On 8.1.00 Patch 1 (8.1.00.01) has been replaced with Patch 3 (8.1.00.03) and can no longer be downloaded from the BMC Electronic Product Distribution (EPD) site. Patch 3 is a full installation and includes the fixes that were available in Patch 1 (8.1.00.01). For information about downloading and installing BMC Atrium Single Sign-On 8.1.00 Patch 3, see Patch 3 for version 8.1.00: 8.1.00.03 (see page 17).
Installing the patch (see page 19)
Note
BMC Atrium Orchestrator Platform 7.7 must use BMC Atrium Single Sign-On 8.1 Patch 1 or later.
Corrected issues
To learn about the issues corrected in Patch 1 (8.1.00.01), see Known and corrected issues. Click the Corrected in column heading to sort the table by version.
Installing the patch
BMC Atrium Single Sign-On Patch 1 features are included in the BMC Atrium Single Sign-On Patch 3 installation. You can download the 8.1.00.03 installation files from the Licensed Products tab on the BMC Electronic Product Distribution (EPD) site and perform your normal installation. For instructions about downloading the files that you need for installation, see Downloading the installation files (see page 44).
Recommendation
Back up BMC Atrium Single Sign-On before proceeding with the patch installation.
To install BMC Atrium Single Sign-On 8.1, see Installing (see page 40).
To perform a silent installation, see Installing silently (see page 112).
3.4 Documentation updates after release
This topic contains information about documentation updates for BMC Atrium Single Sign-On that are not related to urgent issues, maintenance releases, service packs, or patches. These updates are added to the documentation independent of any specific release.
Added BMC Mobility integration documentation (see page 20)
Added BMC EUEM integration documentation (see page 20)
3.4.1 Added BMC Mobility integration documentation
You can integrate BMC Atrium Single Sign-On with BMC Mobility for supporting Security Assertion Markup
Language (SAML). The typical process for integrating BMC Atrium Single Sign-On with BMC Remedy IT Service
Management (ITSM) is to install BMC Atrium Single Sign-On, install BMC Remedy ITSM, and then integrate Atrium
SSO with ITSM. For more information, see Integrating BMC Mobility for ITSM 8.1.00 (see page 212).
3.4.2 Added BMC EUEM integration documentation
BMC Real End User Experience Monitoring (EUEM) uses the BMC Atrium Single Sign-On (SSO) authentication system to provide single sign-on and single sign-off. BMC Atrium Single Sign-On allows users to present credentials only once for authentication and subsequently be automatically authenticated by every BMC product that is integrated into the system. For more information, see Integrating BMC Real End User Experience Monitoring (see page 212).
4 Key concepts
For additional information, you can also refer to the following webinar conducted by BMC Support.
You can also connect with other users for related discussions on the BMC Community.
Use this section to get high-level conceptual knowledge that helps you to use the BMC Atrium Single Sign-On
product.
The following topics provide key conceptual information about BMC Atrium Single Sign-On:
BMC Atrium Single Sign-On architecture
BMC Atrium Single Sign-On and OpenAM (see page 22)
Administrator password
Certificates
High Availability deployment
JEE filter-based agents
4.1 BMC Atrium Single Sign-On architecture
The benefit to BMC products that have BMC Atrium Single Sign-On as an authentication option is that all of the authentication protocols supported by BMC Atrium Single Sign-On are available to the product, and any new protocols added are available without any product changes. The BMC Atrium Single Sign-On server and agents provide the needed integration into these systems, so a product does not need any adjustments.
The following diagram shows a high level implementation of BMC Atrium Single Sign-On integration with BMC
Dashboards for BSM, BMC Analytics for BSM, and BMC Remedy IT Service Management.
BMC Atrium Single Sign-On integration with BMC products
4.2 BMC Atrium Single Sign-On and OpenAM
BMC Atrium Single Sign-On is built on the open source project OpenAM. This project has a long history of providing authentication and authorization across many different platforms by using many authentication techniques. BMC Atrium Single Sign-On provides a simplified, turnkey system that applies OpenAM technology to BMC products. Configuration of the servers and agents is automated as much as possible, allowing for easy adoption.
Atrium Single Sign-On user console access (see page 23)
4.2.1 OpenAM technologies
BMC Atrium Single Sign-On uses a subset of the technologies within the OpenAM project that are required by
BMC products. The current technologies of OpenAM that are certified by BMC Atrium Single Sign-On include:
Authentication schemes - Internal, LDAP, BMC Remedy Action Request (AR) System, Active Directory, RSA SecurID, Common Access Cards (CAC), ActivIdentity-based, Kerberos, and SAMLv2
Authentication chaining
Groups
Important
BMC Atrium Single Sign-On is certified on the configurations explicitly stated in this document.
Reported defects either found to be unique to an unconfirmed configuration or not reproducible within
a supported environment are addressed at the discretion of BMC. Visit the Customization Policy under
the Support Contacts & Policies link on the BMC support website.
4.2.2 Atrium Single Sign-On user console access
The user console access is through the following URL:
https://<atssohost>:<port>/atriumsso/UI/Login?realm=BmcRealm
This URL can be used to verify the authentication module configuration. You do not need to rely on an installed
and configured BMC application to initiate login in order to test configuration of authentication modules.
4.3 Administrator password
The administrator password is used to access BMC Atrium Single Sign-On through a browser. This access allows user accounts to be created and enables other authentication algorithms. Also, the administrator password is used to integrate application servers that have deployed the BMC Atrium Single Sign-On Web agent with BMC Atrium Single Sign-On.
4.4 Default cookie domain
The default cookie domain value is the network domain of the computer you are installing the server on. The default cookie domain specifies the most restrictive access. This value is used to control cookie visibility between servers within the domain.
By removing domain elements (lowest sub-domain first), the cookie becomes visible to servers outside of the BMC Atrium Single Sign-On domain. For example, changing the domain from dprod.bmc.com to bmc.com gives all of the servers within the bmc.com domain access to the cookies stored by the server in a user's browser. The danger of increasing the cookie visibility is illustrated when the value is changed to .com, giving all servers in the internet .com domain access to the cookie.
Note
You cannot use sibling domains or cross-domains with BMC Atrium Single Sign-On. For example, installing the BMC Atrium Single Sign-On server in the remedy.com domain and the AR System server in the bmc.com domain is not supported. You must move all your computers into the same domain.
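The widening of the cookie domain described above, modelled as an added example in Python (written for this page, not BMC Atrium Single Sign-On code): the domain-matching rule a browser applies to a cookie's Domain attribute, run over a constructed host inventory to show which servers would receive the SSO cookie at each step, and why a sibling domain such as remedy.com is never covered short of the public suffix.

```python
"""Cookie-domain visibility check.

Added example for this page, not BMC Atrium Single Sign-On code. It models
the domain-matching rule of RFC 6265 (section 5.1.3) that a browser applies
to a cookie's Domain attribute, so an administrator can see which servers
would receive the SSO session cookie before widening the default cookie
domain. All host names below are constructed for illustration.
"""
from typing import Dict, List


def domain_matches(host: str, cookie_domain: str) -> bool:
    """True if a cookie scoped to cookie_domain is sent to host:
    the host equals the domain or ends with '.' + domain."""
    host = host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().strip(".")
    if not cookie_domain:
        return False
    return host == cookie_domain or host.endswith("." + cookie_domain)


def hosts_receiving_cookie(cookie_domain: str, hosts: List[str]) -> List[str]:
    """Every host in the inventory that would be sent the cookie."""
    return sorted(h for h in hosts if domain_matches(h, cookie_domain))


def widen_domain(cookie_domain: str) -> str:
    """Remove the lowest sub-domain label, the change described above
    (dprod.bmc.com -> bmc.com -> com); '' once nothing is left."""
    labels = cookie_domain.strip(".").split(".")
    return ".".join(labels[1:]) if len(labels) > 1 else ""


def is_public_suffix_only(cookie_domain: str) -> bool:
    """A single-label value such as 'com' is a public suffix: every host
    under it on the internet would match. Browsers refuse to store such a
    cookie, but flagging it catches the mistake at configuration time."""
    return len(cookie_domain.strip(".").split(".")) < 2


# Constructed inventory: the SSO server, an integrated Mid Tier in the same
# domain, another bmc.com server, a server in a sibling domain, and an
# unrelated internet host.
HOSTS = [
    "atsso.dprod.bmc.com",
    "midtier.dprod.bmc.com",
    "hr.bmc.com",
    "arserver.remedy.com",
    "someone-else.example.com",
]


def visibility_report(start_domain: str = "dprod.bmc.com") -> Dict[str, List[str]]:
    """Map each successively wider cookie domain to the hosts that see it."""
    report: Dict[str, List[str]] = {}
    domain = start_domain
    while domain:
        report[domain] = hosts_receiving_cookie(domain, HOSTS)
        domain = widen_domain(domain)
    return report


if __name__ == "__main__":
    for domain, hosts in visibility_report().items():
        warning = "   <- public suffix only" if is_public_suffix_only(domain) else ""
        print(f"Domain={domain:<15} hosts={hosts}{warning}")
```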
4.5 Log on and log off behavior
When using a single sign-on system, the normal authentication behavior is altered. The practice of logging on when you start a product is automatically performed when the second product is started. This change happens without any user involvement.
When you log off, you are logged off of all BMC Atrium Single Sign-On integrated products.
If you want to continue working with other BMC products:
Quit the product instead of logging out of BMC Atrium Single Sign-On.
If the product supports application-only log off, log off the application and close the browser.
Important
When quitting a product, the normal behavior is to log off and then quit. This process results in termination of all the product connections. If you want to continue working with other BMC products, quit the product that you are finished with, and only log off from the last product.
With web applications, the BMC Atrium Single Sign-On authentication status is maintained through sessions
within the web browsers. When web applications share the same browser session, the authentication state with
BMC Atrium Single Sign-On is shared by these applications.
To use a different login ID without logging off BMC Atrium Single Sign-On, you must start a new session in the
web browser. The following table summarizes how to share current sessions and how to create new sessions
with the browsers supported by BMC Atrium Single Sign-On.
Session behavior in supported browsers
Browser: Firefox 4. Share session: new tab, Ctrl-N for a new window, or launch from the Start menu or a shortcut. New session: use Private Browsing.
Browser: Internet Explorer 7. Share session: new tab or Ctrl-N to create a new window. New session: launch a new browser using the Start menu or a shortcut.
Browser: Internet Explorer 8. Share session: new tab, Ctrl-N to create a new window, or launch a new browser from the Start menu or a shortcut.
Browser: Internet Explorer 9. Share session: new tab, Ctrl-N to create a new window, or launch a new browser from the Start menu or a shortcut.
When BMC products launch a new application, the applications use the process needed to ensure a shared
session and a seamless experience.
4.6 Certificates
The default Tomcat server used by BMC Atrium Single Sign-On uses a keystore and a truststore for secure (HTTPS/TLS/SSL) communications. These communications occur in the following cases:
accessing the admin console
users logging in to or out of the system
accessing an external LDAP server with TLS/SSL
exchanging SAMLv2 metadata
authenticating users with certificates (CAC)
The keystore contains the information used to identify the BMC Atrium Single Sign-On server to remote servers
and users. The truststore is used to hold the certificates of remote servers, users and signing authorities that are
to be trusted by the BMC Atrium Single Sign-On server.
These files are stored in the following directory:
<installationDirectory>/BMC Software/AtriumSSO/tomcat/conf
The initial keystore created during the installation uses a self-signed certificate. This certificate causes browsers
and other programs to warn users about the insecure nature of the certificate each time the user authenticates.
This certificate warning can be prevented by doing one of the following:
Permanently importing the self-signed certificate into the user's truststore.
Obtaining and importing a signed identity certificate from a trusted Certificate Authority (CA).
The CA vouches for the authenticity of the server's identity when the user visits BMC Atrium Single Sign-On for
authentication. In this case, the user has an established trust relationship with the CA, and this relationship is
extended to BMC Atrium Single Sign-On after a digitally signed identity certificate is imported.
4.6.1 Certificate Signing Request
A CA digitally signed certificate is obtained by generating a Certificate Signing Request (CSR):
The output from the command must be sent to the CA for a digital signature. After the signed identity certificate
is returned, the next step is to import the signed identity certificate into the keystore where it replaces the current
self-signed certificate.
The keytool utility is used to obtain a CSR, to obtain a signed certificate, and to import the signed certificate in
order to replace the self-signed certificate. This tool is available with Oracle JDKs and BMC Atrium Single
Sign-On.
Note
When importing the newly signed certificates, you must first import the CA root certificates and
intermediate certificates, if required.
4.6.2 New CA certificates
New CA certificates must be imported into the truststore in the following cases:
CAC authentication is used
Department of Defense (DoD) issues new CA certificates
CA certificates used to create a signed certificate for the BMC Atrium Single Sign-On server are not already within the truststore
The keytool utility is used to import a new CA certificate into the BMC Atrium Single Sign-On truststore.
4.6.3 Related topics
Generating self-signed certificates (see page 249)
4.7 Authentication chaining
An Authentication Chain is the object used by BMC Atrium Single Sign-On for specifying how authentication is to be performed. A chain can be a single authentication module or a combination of multiple authentication modules. Chaining allows different modules to act as a single authority.
At its simplest form, an authentication chain consists of only a single authentication module. A chain can also be a
complex combination of multiple authentication modules joined to validate the credentials that are used to
authenticate a user. Through chaining, different modules can be merged to appear as a single authority.
For example, if two organizations merge to form a new, single organization, then the authentication system from
each organization could be used as a module within a single chain.
The effect of combining these modules into this single chain is that the users only provide credentials to a single authority.
This chaining creates the perception of a merged authority despite the reality of multiple, disparate
systems that are actually employed.
Authentication chains allow the combination of authentication modules to process authentication requests. One
of the best uses for combining modules is to merge different authentication schemes to appear as a single
authentication scheme.
For example, when two departments have their own LDAP servers, these two servers could be put into a single
chain and users would appear to validate against a single authority.
The processing of the chain to determine the overall status of authentication is controlled by the criteria specified for each of the modules in the chain. The following figure illustrates authentication chaining where authentication modules are tried in an ordered sequence.
4.7.1 Authentication chaining example
The overall status is successful if all of the Required and Requisite modules pass before either the end of the chain or the first successful Sufficient module. When there are no Required or Requisite modules, then at least one Sufficient or Optional module must authenticate the user. See Managing authentication modules (see page 271).
In the chaining process for the above example illustration, three LDAP servers combined into a single authority would be processed as follows:
1. Check with LDAP A
Pass: Stop processing and accept user
Fail: Proceed to next
2. Check with LDAP B
Pass: Stop processing and accept user
Fail: Proceed to next
3. Check with LDAP C
Pass: Stop processing and accept user
Fail: Stop processing and reject user
With this configuration, the first LDAP server is presented the user credentials for authentication. If the authentication succeeds, then processing stops with the user being authenticated. If the user is not within the
sequence specified until either the user passes and is considered successfully authenticated, or the user fails to authenticate and is rejected.
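The chain evaluation described in this section and in the example above, as an added Python example written for this page (not BMC Atrium Single Sign-On or OpenAM code): an evaluator for the Required, Requisite, Sufficient and Optional criteria, run over the three-LDAP chain with constructed in-memory directories standing in for the LDAP binds.

```python
"""Authentication-chain evaluator.

Added example for this page, not BMC Atrium Single Sign-On or OpenAM code.
It implements the Required / Requisite / Sufficient / Optional criteria the
section describes and runs the three-LDAP chain from the illustration.
The LDAP servers are stood in for by constructed in-memory dictionaries.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Criterion(Enum):
    REQUIRED = "required"      # must pass; on failure the chain continues but fails
    REQUISITE = "requisite"    # must pass; on failure the chain stops at once
    SUFFICIENT = "sufficient"  # a pass ends the chain successfully, unless a
                               # Required/Requisite module has already failed
    OPTIONAL = "optional"      # only counts when no Required/Requisite module exists


@dataclass
class Module:
    name: str
    criterion: Criterion
    # stands in for the module's bind/verify call: (user, password) -> bool
    authenticate: Callable[[str, str], bool]


def run_chain(chain: List[Module], user: str, password: str) -> Tuple[bool, List[str]]:
    """Evaluate the chain in order; return (authenticated, trace)."""
    trace: List[str] = []
    hard_seen = False       # a Required/Requisite module has been evaluated
    hard_failed = False     # a Required/Requisite module failed
    soft_passed = False     # a Sufficient/Optional module passed
    for module in chain:
        ok = module.authenticate(user, password)
        trace.append(f"{module.name} ({module.criterion.value}): {'pass' if ok else 'fail'}")
        if module.criterion in (Criterion.REQUIRED, Criterion.REQUISITE):
            hard_seen = True
            if not ok:
                hard_failed = True
                if module.criterion is Criterion.REQUISITE:
                    trace.append("requisite failed: stop processing and reject user")
                    return False, trace
        elif ok:  # a Sufficient or Optional module passed
            soft_passed = True
            if module.criterion is Criterion.SUFFICIENT and not hard_failed:
                trace.append("sufficient passed: stop processing and accept user")
                return True, trace
    # End of chain: every Required/Requisite module must have passed; when
    # none is present, at least one Sufficient/Optional module must have.
    result = (not hard_failed) if hard_seen else soft_passed
    trace.append("end of chain: " + ("accept user" if result else "reject user"))
    return result, trace


def make_ldap(directory: Dict[str, str]) -> Callable[[str, str], bool]:
    """Constructed stand-in for an LDAP bind against one server."""
    return lambda user, password: directory.get(user) == password


# Constructed directories: each server knows a different user population.
LDAP_A = make_ldap({"alice": "a-pass"})
LDAP_B = make_ldap({"bob": "b-pass"})
LDAP_C = make_ldap({"carol": "c-pass"})

# The chain from the illustration: three servers merged into one authority.
MERGED_CHAIN = [
    Module("LDAP A", Criterion.SUFFICIENT, LDAP_A),
    Module("LDAP B", Criterion.SUFFICIENT, LDAP_B),
    Module("LDAP C", Criterion.SUFFICIENT, LDAP_C),
]

# A stricter variant: the first module is mandatory and short-circuits.
STRICT_CHAIN = [
    Module("LDAP A", Criterion.REQUISITE, LDAP_A),
    Module("LDAP B", Criterion.OPTIONAL, LDAP_B),
]


if __name__ == "__main__":
    for chain_name, chain in (("merged", MERGED_CHAIN), ("strict", STRICT_CHAIN)):
        for user, password in (("carol", "c-pass"), ("carol", "wrong"), ("alice", "a-pass")):
            ok, trace = run_chain(chain, user, password)
            print(f"[{chain_name}] {user}: {'accepted' if ok else 'rejected'}")
            for line in trace:
                print("   ", line)
```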
4.8 High Availability deployment
The following figure shows a typical deployment scenario of BMC Atrium Single Sign-On operating in a High Availability (HA) environment. Two BMC Atrium Single Sign-On servers are installed to form a cluster. A load balancer is used as a front end to the cluster, giving the external applications the appearance of a single server. The load balancer distributes requests among BMC Atrium Single Sign-On servers. In the event of a system failure, the load balancer re-directs requests to the remaining servers.
When operating as a cluster, BMC Atrium Single Sign-On functions as a single virtual server. Therefore, certain configuration information is shared between nodes. For example, when one node is configured, the other nodes have the same information.
The following information is global to all nodes in the cluster:
Administrative accounts
Typical HA deployment
HTTPS ports. These ports are specified during installation. The following figure shows the communication
between the nodes and the load balancer.
Communication between BMC Atrium Single Sign-On nodes and a load balancer
4.9 JEE filter-based agents
With this release of BMC Atrium Single Sign-On, a light-weight agent is available for use by BMC applications. This section describes how configuration items apply to this newer agent.
In addition to functioning as the central server, BMC Atrium Single Sign-On uses agents which are integrated into
each of the BMC products. These agents perform the following functions:
Accessing authentication services
Validating existing authentications
For more information about agent configuration parameters, see Agent manager.
5 Planning
The following topics provide information and instructions for planning a BMC Atrium Single Sign-On installation.
Note
All products that run in BMC Remedy AR System support BMC Atrium Single Sign-On including AR
System Mid-tier products (BMC Remedy ITSM, BMC Atrium Core, BMC Atrium CMDB, and so on), BMC
Atrium Dashboard and Analytics, BMC IT Business Management Suite, BMC ProActive Performance
Management (version 9.0), and BMC Capacity Optimization.
Checking the compatibility matrix for system requirements and supported configurations
End-to-end BMC Atrium Single Sign-On process
BMC Atrium Single Sign-On using SAMLv2 deployment example (see page 31)
5.1 Checking the compatibility matrix for system requirements and supported configurations
Consult the BMC Remedy and BMC Atrium product compatibility information for the 8.0 system configuration information.
1. Navigate to http://www.bmc.com/support/product-availability-compatibility.
2. In the Product Name field, enter the product name, for example:
BMC Atrium CMDB Enterprise Manager
BMC Atrium CMDB Suite
3. In the Select Component field, enter BMC Atrium Single Sign-On.
4. Review the compatibility information listed in the tabs at the bottom of the page.
Note
To access the product compatibility information on the Customer Support website, you must have a
Support login.
5.2 End-to-end BMC Atrium Single Sign-On procedure
This topic provides a high-level process of what you need to do to set up and configure BMC Atrium Single Sign-On with BMC products.
1. Review the information that you need to understand prior to installing, such as the What's new (see page 12), Key concepts (see page 20), Planning (see page 29), and Preparing for installation topics.
2. Install BMC Atrium Single Sign-On. See Installing (see page 40) for the different installation options, such as High Availability (HA).
3. Install other BMC products for integrating with BMC Atrium Single Sign-On.
For information about integrating and configuring BMC Remedy AR System version 8.1, see Installing BMC Atrium Single Sign-On with the AR System server and Mid Tier (see page 79).
For information about integrating and configuring BMC Remedy AR System version 8.0, see Integrating BMC Atrium Single Sign-On with AR System Version 8.0.00.
For information about other BMC product integration, such as BMC Dashboards and Analytics for BSM, see Integrating.
4. Configure your method of authentication. See Configuring after installation. The following are the authentication module sections:
Using CAC for authentication
Using RSA SecurID for authentication
5. If you implement multiple authentication methods, see Managing authentication modules (see page 271).
6. Create and manage users and user groups. See Managing users (see page 264) and Managing user groups (see page 268).
5.3 BMC Atrium Single Sign-On using SAMLv2 deployment example
This topic provides an example of how BMC Atrium Single Sign-On using Security Assertion Markup Language 2.0 (SAMLv2) can be deployed.
Business value (see page 32)
Federated authentication and SAML (see page 32)
Deployment architecture (see page 33)
Deployment model (see page 35)
Deployment tasks (see page 37)
Deployment parameters (see page 38)
Related topics (see page 40)
5.3.1 Business value
This deployment example shows you how BMC Atrium Single Sign-On uses SAMLv2 authentication. Single
sign-on means that you only need to present credentials once for authentication, and you are subsequently
automatically authenticated by every BMC product that is integrated into the system. This means that if you are
looking at a report that has links to incident or change records, you can click on the link and go directly to the
records without logging in again.
An additional important value is that with federated authentication the user logon credentials (for example, user
name and password) are not exposed to the Service Provider (SP) and are not sent over the internet. The
authentication is done on premise by the Identity Provider (IdP).
5.3.2 Federated authentication and SAML
SAMLv2 is an XML-based OASIS standard for exchanging user identity and security attributes information. It uses
security tokens containing assertions to pass information about a principal (usually an end user) between an
Identity Provider (IdP) and a web service.
SAMLv2 enables federated authentication between your environment and the BMC Remedy applications. When
using SAMLv2, the BMC Remedy infrastructure is defined as a Service Provider (SP), and your infrastructure that
performs the user authentication is the IdP. With SAMLv2 enabled, a user that tries to access BMC Remedy
applications without having previously authenticated is redirected to your IdP. After authentication, the user is
redirected back to the originally requested resource (BMC Remedy application).
Note
Although SAMLv2 supports both IdP-initiated single sign-on and SP-initiated single sign-on, SP-initiated
single sign-on is essential to allow specific use cases for deep linking to specific pages and resources in
the applications (for example, a notification URL that contains a link to a specific BMC Remedy ITSM
form and record).
Configuration of SAMLv2 integration is largely the exchange of SAMLv2 metadata between your environment and
the BMC Remedy environment. You provide IdP metadata, which defines the URLs that you use for SAMLv2 and
the certificate used for validation of assertions. The BMC Remedy infrastructure provides SP metadata to allow
you to preregister the BMC Remedy SP in your SAMLv2 infrastructure as required.
For more information about SAMLv2, see Using SAMLv2 for authentication.
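To make the metadata exchange concrete, the following added Python example (not BMC's or OpenAM's code) parses a constructed IdP metadata document for the single sign-on and logout URLs and the signing certificate, then checks a constructed assertion's Issuer, Audience, Recipient and validity window against the SP identity, which is what an SP must verify before it trusts an assertion. The IdP host idp.example.com, the ACS path, the timestamps and the placeholder certificate are assumptions; verifying the XML signature against the extracted certificate is a prerequisite that is not shown.

```python
# Added example, not BMC or OpenAM code: what an SP takes from IdP metadata, and the trust
# checks it must make on an assertion after verifying its XML signature (not shown here).
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumed SP identity: the Atrium SSO URL from the deployment parameters plus a hypothetical ACS path.
SP_ENTITY_ID = "https://ssoserver.bmc.com:8443/atriumsso"
SP_ACS = SP_ENTITY_ID + "/acs"
# Constructed IdP metadata (hypothetical IdP host, placeholder certificate).
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
   MIIC...placeholder...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://idp.example.com/saml/slo"/>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://idp.example.com/saml/sso"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
# Constructed assertion, as the IdP would return it for user Demo after login.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 ID="_c1" Version="2.0" IssueInstant="2014-01-16T15:50:00Z">
 <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
 <saml:Subject><saml:NameID>Demo</saml:NameID>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
   <saml:SubjectConfirmationData Recipient="https://ssoserver.bmc.com:8443/atriumsso/acs"
    NotOnOrAfter="2014-01-16T15:56:00Z"/></saml:SubjectConfirmation></saml:Subject>
 <saml:Conditions NotBefore="2014-01-16T15:49:00Z" NotOnOrAfter="2014-01-16T15:56:00Z">
  <saml:AudienceRestriction><saml:Audience>https://ssoserver.bmc.com:8443/atriumsso</saml:Audience></saml:AudienceRestriction>
 </saml:Conditions>
</saml:Assertion>"""

def parse_time(s):  # SAML timestamps are UTC; this handles the common 'Z' form
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_idp_metadata(xml_text):
    """Extract entityID, SSO/SLO URLs per binding and the signing certificate from IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    sso = {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)}
    slo = {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleLogoutService", NS)}
    cert = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":  # a KeyDescriptor without 'use' also signs
            node = kd.find(".//ds:X509Certificate", NS)
            cert = node.text.strip() if node is not None else None
    return {"entity_id": root.get("entityID"), "sso": sso, "slo": slo, "signing_cert": cert}

def check_assertion(xml_text, idp, sp_entity_id, acs_url, now, skew=timedelta(minutes=2)):
    """Return the trust checks that fail; an empty list means the assertion may be accepted."""
    a = ET.fromstring(xml_text)
    failures = []
    if a.findtext("saml:Issuer", default="", namespaces=NS) != idp["entity_id"]:
        failures.append("issuer is not the trusted IdP")
    cond = a.find("saml:Conditions", NS)
    if sp_entity_id not in [x.text for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        failures.append("audience mismatch")  # issued for a different SP
    if now + skew < parse_time(cond.get("NotBefore")) or now - skew >= parse_time(cond.get("NotOnOrAfter")):
        failures.append("outside validity window")  # stale or replayed
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        failures.append("recipient mismatch")  # bearer assertion sent to the wrong endpoint
    return failures
```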
5.3.3 Deployment architecture
In the BMC environment:
BMC Remedy web applications supporting BMC Atrium Single Sign-On
BMC Atrium Single Sign-On agents which are add-ons to any BMC Remedy web application
BMC Atrium Single Sign-On server which serves as the SP and runs as a web application on the
Apache Tomcat server
In your environment:
You use a browser to access BMC Remedy applications.
An authentication server is responsible for your users' authentication and is usually located on
premise. This is the IdP component.
The SAMLv2 IdP server and the BMC Atrium Single Sign-On SP server are connected by a trust relationship
(federation) so they can honor each other’s authentication information.
The following sequence diagram shows the interactions between BMC Atrium Single Sign-On and SAMLv2
components. These interactions are listed in the sequential order that they occur.
BMC Atrium Single Sign-On and SAMLv2 components sequence diagram
The following sequence diagram illustrates the flow of events and the interaction between components for single
log off (SLO):
5.3.4 Deployment model
A load balancer or reverse proxy routes inbound connections to the appropriate target web server and is
put in front of the application servers. Load balancers are used to distribute the workload and optimize
application performance. Reverse proxies are used to distribute the workload, optimize application
performance, and hide the existence and characteristics of internal servers.
BMC Remedy Mid Tier is deployed on a separate virtual machine (VM).
A second BMC Remedy Mid Tier and the BMC Atrium Single Sign-On server are deployed on another
VM but on two different Apache Tomcat servers.
BMC Dashboards for Business Services Management and BMC Analytics for Business Services Management
are deployed on two different VMs to avoid performance issues.
 
5.3.5 Deployment tasks
The following table lists the main steps involved in installing and configuring the deployed BMC Products with
BMC Atrium Single Sign-On using SAMLv2 authentication, where BMC Atrium Single Sign-On is configured as an SP
with a remote IdP.
Review the Deployment parameters (see page 38) list before starting the deployment tasks.
Step Task
2. Install BMC Remedy AR System server.
3. Install the BMC Remedy Mid Tier.
4. (Optional) Configure your load balancer or reverse proxy.
Note: For more information, see Troubleshooting redirect URLs (see page 343).
5. Run the SSOARIntegration utility on the AR System server (see page 88).
6. Run the SSOMidtierIntegration utility on the BMC Remedy Mid Tier (see page 92).
7. Configure group mapping for the AR System and BMC Atrium Single Sign-On (see page 91).
8. Configure the BMC Atrium Single Sign-On server for AR System (see page 97).
Note: Though the AR authentication module should be configured, you must delete the AR user stores when using SAMLv2 for authentication.
The AR data store is not needed for authentication in a SAMLv2 deployment.
9. Run a health check on the BMC Atrium Single Sign-On installation.
10. Configure BMC Atrium Single Sign-On to use SAMLv2 authentication with BMC Atrium Single Sign-On as a Service Provider and a remote
Identity Provider.
Note: Each time a BMC product is integrated (steps 10-12) with the BMC Atrium Single Sign-On Service Provider, the J2EE agents
configuration must be modified so the integrating product can function in the Federated Single Sign-On.
11. (Optional) Integrate BMC Dashboards for Business Service Management (see page 198) and configure it.
Note: For more information, see the BMC Dashboards for Business Service Management Installation Guide at PDFs.
12. (Optional) Integrate BMC Analytics for Business Service Management (see page 199) and configure it.
Note: For more information, see Installing.
13. (Optional) Integrate BMC IT Business Management Suite (see page 204).
Note: For more information, see Installing.
5.3.6 Deployment parameters
The deployment environment assumes MS Windows 2008, MS SQL Server 2008, new Tomcats, and that the defaults
are accepted. It also assumes that BMC Remedy AR System server groups and BMC Atrium Single Sign-On high
availability (HA) are not deployed.
The BMC Atrium Single Sign-On authentication is SAMLv2, where BMC Atrium Single Sign-On is configured as a
Service Provider (SP) with a remote Identity Provider (IdP).
Important
BMC recommends that you install the BMC Remedy Mid Tier, BMC Remedy AR System server, and BMC
Atrium Single Sign-On server on separate computers.
However, if you do install more than one BMC Product on the same computer, ensure that the HTTP,
HTTPS, and Shutdown port numbers are different.
The following parameters are set in deployment of the following BMC Products and BMC Atrium Single Sign-On
authentication:
BMC Remedy AR System
BMC Remedy Mid Tier
BMC Atrium Single Sign-On
SAMLv2 authentication where BMC Atrium Single Sign-On is configured as an SP with a remote IdP.
BMC Dashboards for BSM
BMC Analytics for BSM
Parameters Description
Mid Tier installation
Planning spreadsheet: Complete the Planning Spreadsheet on BMC Remedy AR System 8.1.
Atrium SSO installation
FQDN of host name: The Fully Qualified Domain Name (FQDN) for the host. For example, ssoserver.bmc.com.
HTTP, HTTPS, Shutdown port numbers: If BMC Atrium Single Sign-On is installed on the same computer as another BMC Product,
provide port numbers that are different from the other BMC Product.
Cookie domain: The cookie name is the name of the cookie that the agent will check for the SSO session token. It
should match the cookie name of the server configuration. For example, atsso_bmc_com.
Atrium SSO server password: The password for the BMC Atrium Single Sign-On server. Default: amadmin
Product install/configuration
AR System integration
AR Server Name: The AR server name. For example, arsystemserver.bmc.com.
AR Server User: The AR server user. For example, Demo.
AR Server Password: The AR server password. For example, Demo.
AR Server Port: The AR server port. For example, 0.
Atrium SSO URL: URL for the BMC Atrium Single Sign-On server. For example,
https://ssoserver.bmc.com:8443/atriumsso
SSO Admin Name: The BMC Single Sign-On administrator name. Default: amadmin.
SSO Admin Password: The BMC Single Sign-On administrator password.
truststore: (Optional) The truststore path.
truststore-password: (Optional) The truststore password.
force: (Optional) If "Yes" is provided, the utility will not wait for the user to shut down the
web server (if not done already), in case the web server is other than Tomcat or JBoss. Default:
No
Mid Tier integration
AR Server Name: The AR Server name from the AR System integration. For example, arsystemserver.bmc.com.
AR Server User: The AR Server user from the AR System integration. For example, Demo.
AR Server Password: The AR Server password from the AR System integration. For example, Demo.
AR Server Port: The AR Server port from the AR System integration. For example, 0.
Container Type: Supported container types include JBOSSV4, JBOSSV5, SERVLETEXECV5, SERVLETEXECV6,
TOMCATV5, TOMCATV6, TOMCATV7, WEBSPHEREV6, WEBSPHEREV7, WEBLOGICV10
Web App URL: The Mid Tier URL if a load balancer is not implemented; otherwise, the load balancer URL. Be
sure the server name is provided as a fully qualified domain name and the port is also provided in
the URL.
Foundation\Tomcat6.
JREInstallDirectory: Path to the JRE directory. For example, C:\Program Files\Java\jre7
MidtierHome: Mid Tier home directory. For example, C:\Program Files\BMC Software\ARSystem\midtier
serverinstancename: The WebSphere instance name is required for the WebSphere server.
instanceconfigdirectory: The WebSphere configuration directory is required for the WebSphere server.
weblogicdomainhome: The BEA domain home is required for the WebLogic web application.
AR System external Administrator: BmcAdmins
Dashboards installation
Fully Qualified Host Name: Fully qualified host name of the BMC Atrium Single Sign-On server.
HTTP, HTTPS, Shutdown Port Number: Port numbers used by the BMC Atrium Single Sign-On server. If BMC Atrium Single Sign-On is
installed on the same computer as another BMC Product, provide port numbers that are
different from the other BMC Product.
Administrator login name and password: User name and password for the BMC Atrium Single Sign-On server administrator.
BMC Dashboards Password: User name and password of the BMC Dashboards for BSM administrator user. This user must
exist in BMC Atrium Single Sign-On.
Analytics installation
Fully Qualified Host Name: Fully qualified host name of the BMC Atrium Single Sign-On server.
HTTP, HTTPS, Shutdown Port Number: Port numbers used by the BMC Atrium Single Sign-On server. If BMC Atrium Single Sign-On is
installed on the same computer as another BMC Product, provide port numbers that are
different from the other BMC Product.
Administrator login name and password: User name and password for the BMC Atrium Single Sign-On server administrator.
SAMLv2 authentication
Remote IdP metadata file: The metadata file for the remote Identity Provider (IdP). For example, sso-idp.xml.
BMC Remedy AR System agent Federated login URL & logout URI: Login and logout URIs are the locations to which the agent will send the users' browsers when the
specified function is needed.
Federated login URL & logout URI: Login and logout URIs are the locations to which the agent will send the users' browsers when the
specified function is needed.
Federated login URL & logout URI: Login and logout URIs are the locations to which the agent will send the users' browsers when the
specified function is needed.
Agent manager
6 Installing
The BMC Atrium Single Sign-On server component is available for download from the BSM EPD site at
http://webapps.bmc.com/epd or can be found in the BMC Atrium Shared Components box.
The typical method for integrating BMC Atrium Single Sign-On with BMC Remedy AR System or any BMC product is
to:
1.
2. Install BMC Remedy AR System or other BMC products.
3. Integrate with BMC Remedy AR System or other BMC products.
Important
BMC recommends that you install the BMC Remedy Mid Tier, BMC Remedy AR System server, and BMC
Atrium Single Sign-On server on separate computers.
However, if you do install more than one BMC Product on the same computer, ensure that the HTTP,
HTTPS, and Shutdown port numbers are different.
 
Configuring Terminal Services and DEP parameters
Installing BMC Atrium Single Sign-On as a standalone (see page 50)
Installing BMC Atrium Single Sign-On as a High Availability cluster (see page 55)
Installing BMC Atrium Single Sign-On on an external Tomcat server (see page 72)
Installing BMC Atrium Single Sign-On with the AR System server and Mid Tier (see page 79)
Installing silently (see page 112)
Uninstalling BMC Atrium Single Sign-On (see page 117)
6.1 Preparing for installation
Review or perform the following tasks before you start installing.
Review the Planning (see page 29) topics.
Review the Prerequisites for installation (see page 42) and update your environment.
Review the Compatibility matrix.
6.1.1 Prerequisites for installation
This topic describes the prerequisites for installing BMC Atrium Single Sign-On.
Warning
If you have not met all of the requirements before you begin the installation, you might have issues with
the installation. You must fulfill the necessary requirements on this page before you begin the
installation.
Memory requirements (see page 43)
Log file memory requirements (see page 43)
System requirements (see page 43)
Entropy level requirements (see page 44)
Firewalls (see page 44)
Limitation
Do not deploy BMC Atrium Single Sign-On on a Network File System (NFS) file system.
Access and permissions
If you are a nonroot runtime user of the BMC Atrium Single Sign-On web container instance, you must be
able to write to your own home directory.
(Microsoft Windows) You must have administrator privileges.
(UNIX) You can be any user. However, root privileges are required to set up auto-startup of the services.
Disk space requirements
This section contains information about prerequisite storage space requirements for installation and log files.
Before installing BMC Atrium Single Sign-On, you must have at least the following available disk space:
(Microsoft Windows) 650 MB
Memory requirements
If you are installing BMC Atrium Single Sign-On on an external Tomcat server, 1024K of RAM is required. For an
external Tomcat 7 server and JDK 1.7, increase memory by an additional 20%, for a minimum of 1.2 MB.
Log file memory requirements
An additional 7-10 GB of space is recommended for log file growth, depending on the volume of users and
products integrating with the BMC Atrium Single Sign-On server.
To manage log file storage space effectively, perform the following tasks:
Delete the debug log files periodically, especially if the debug level is set to message.
Check the access and error log files periodically in the logs directory.
Consider configuring the log rotation to delete the oldest log files.
System requirements
If you are installing BMC Atrium Single Sign-On on Red Hat Enterprise Linux (RHEL) 6.x, you must install the
following 32-bit RPM packages to make 32-bit JRE support and the user interface available to the installer:
Glibc.i686
libXtst.i686
Entropy level requirements
If you are installing BMC Atrium Single Sign-On on Red Hat Enterprise Linux computers and the entropy level on
the server is under 150, you might experience installation issues. If an installation or silent installation aborts
suddenly, finishes very quickly, or takes a long time to complete, the computer might be experiencing low
entropy issues. To avoid these issues, perform the following tasks:
Verify the level of entropy in the entropy_avail file at the following location:
cat /proc/sys/kernel/random/entropy_avail
If the level of entropy is less than 150, run the following commands as the root user or restart your computer.
Running the rngd command is the preferred option because it helps maintain the entropy level after installation.
If your server has a low entropy level, you should configure your server to run the following commands
while starting up your server.
yum install rng-tools
echo 'EXTRAOPTIONS="-i -o /dev/random -r /dev/urandom -t 10 -W 2048"' >>/etc/sysconfig/rngd
chkconfig rngd on
service rngd restart
Firewalls
The ports that you selected when you installed the BMC Atrium Single Sign-On server must be accessible from
the clients that are authenticated through the server. Configure the firewalls to allow access to the HTTPS port
used for authentication, as well as the LDAP and Apache MQ ports in the nodes of a cluster.
6.1.2 Downloading the installation files
This topic provides instructions for downloading the files that you need for installation. The latest BMC Atrium
Single Sign-On GA version on the BMC Electronic Product Distribution (EPD) website is 8.1.00.03.
Files to download (see page 44)
To download the files (see page 45)
Enabling search in the offline documentation (see page 47)
Where to go from here (see page 47)
Files to download
The following table provides the product files available on the BMC EPD website for BMC Atrium Single Sign-On.
You can find the installer and documentation related to BMC Atrium Single Sign-On version 8.1.00.03 on the
Products tab itself.
Note
BMC Atrium Single Sign-On is provided with the ESM solution suites. On the BMC EPD website, you
must visit the download sections for BMC Remedy IT Service Management, BMC ProactiveNet
Performance Management, BMC BladeLogic Automation, or BMC Application Management suites to
obtain the latest version of BMC Atrium Single Sign-On.
You can download the latest installer files from any of the ESM solution suites on the EPD web site. For example,
BMC Remedy IT Service Management Suite > BMC Remedy IT Service Management Suite 8.1.00 for OperatingSystem
> BMC Atrium Single Sign-On Version 8.1.00 for OperatingSystem
Hyperlink on EPD page: BMC Atrium Single Sign-On Documentation
File names on EPD page: BMCAtriumSSO_8.1_Patch3_Help.zip
This zip file contains an archived version of the online documentation for BMC Atrium Single Sign-On 8.1. For the
latest and most comprehensive content, see the BMC Online Technical Documentation portal (docs.bmc.com) for
this release.
Note
The installation files for BMC Atrium Single Sign-On versions 8.1.00.02 have been replaced with the
installation files for version 8.1.00.03, and can no longer be downloaded from the EPD site. Patch 3 for
BMC Atrium Single Sign-On 8.1.00 (8.1.00.03) is a full installation and includes the fixes that were
available in Patch 1 and Patch 2 (8.1.00.01 and 8.1.00.02). You can download the Patch 3 installation files
from the BMC EPD site and perform your normal installation.
To download the files
The product files that you download from the EPD website might contain some or all of the patches listed on a
product's Customer Support web page. If the EPD page shows that a patch is included in a file you downloaded,
you do not need to obtain that patch separately.
Note
On Microsoft Windows computers, ensure that the directory is only one level into the directory
structure. The EPD package creates a directory in the temporary directory when you extract the
files, and the directory that contains the installation image should not be in a directory deeper
than two levels into the directory structure.
1. Go to http://www.bmc.com/available/epd.html.
2. At the logon prompt, enter your user ID and password, and click Submit.
3. On the Export Compliance and Access Terms page, provide the required information, agree to the terms of
the agreements, and click Continue.
4. If you are accessing this site for the first time, create an EPD profile to specify the languages and platforms
that you want to see, per the EPD site help; otherwise, skip to step 6.
5. Verify that the correct profile is displayed for your download purpose, and select the Licensed Products
tab.
Note
BMC Atrium Single Sign-On 8.1.00 Patch 3 (8.1.00.03) installation files are available on the
Licensed Products tab.
6. Locate the solution for which you are using BMC Atrium Single Sign-On, such as BMC Remedy IT Service
Management Suite, and expand its entries.
Note
As BMC Atrium Single Sign-On is a part of the ESM solution suite, you must visit the download
sections for BMC Remedy IT Service Management, BMC ProactiveNet Performance Management,
BMC BladeLogic Automation, or BMC Application Management suites to obtain the latest
version of BMC Atrium Single Sign-On. For the steps in this process, BMC Remedy IT Service
Management is used.
7. Expand the BMC Remedy IT Service Management Suite 8.1.00 directory for the appropriate platform and
language.
8. Expand the BMC Atrium Single Sign-On Version 8.1.00 for OperatingSystem directory for the appropriate
platform and language.
9. Select the check boxes next to the files and documents that you want to download.
10. Click Download (FTP) or Download Manager:
Download (FTP) places the selected items in an FTP directory, and the credentials and FTP
instructions are sent to you in an email message.
Download Manager enables you to download multiple files consecutively and to resume an
interrupted download if the connection drops.
This method requires a one-time installation of the Akamai NetSession client program on the target
computer and is usually the faster and more reliable way to transfer files. A checksum operation is
used to verify file integrity automatically.
Enabling search in the offline documentation
The offline zip file contains an archived version of the online