Upload
doanngoc
View
227
Download
1
Embed Size (px)
Citation preview
Plugin Single Sign On Version 1.2 Installation Guide The following document describes Plugin Single Sign On version 1.2 Component configuration and installation process for BMC Remedy AR System TopPositions 2010-03-29
Plug-in Single Sign On Version 1.2
Copyright @ 2009 TopPositions
2
CONTENTS 1 INTRODUCTION ................................................................................................................... 3
2 WHAT IS PLUGIN SINGLE SIGN ON VERSION 1.2 ................................................................. 4
3 APPLICATION ....................................................................................................................... 5
4 EQUIPMENT COMPATIBILITY ............................................................................................... 6
5 HOW PLUGIN SSO WORKS ................................................................................................... 7
6 INSTALLATION AND CONFIGURATION .............................................................................. 10
6.1 Windows Authentication ............................................................................................... 10
6.2 ClearTrust / Sitemider ................................................................................................... 10
6.3 Installation ..................................................................................................................... 10
6.4 Installation Part 1 in the server environment (ARS Platform) ....................................... 10
6.5 Installation part II in the environment on the side of Mid-Tier server ......................... 17
6.6 Installation Part III SSO Authentication Service ............................................................. 22
6.7 Installation Part IV- Plugin SSO Authentication for BMC Remedy User Tool ................ 28
7 TROUBLESHOOTING .......................................................................................................... 33
7.1 SSO AREA plugin ............................................................................................................ 33
7.2 AREA LDAP plugin .......................................................................................................... 33
7.3 Mid-Tier SSO Plugin ....................................................................................................... 33
7.4 SSO Authentication Service ........................................................................................... 34
7.5 What’s next ................................................................................................................... 34
8 POTENTIAL ERRORS ........................................................................................................... 35
8.1 Mid-Tier can’t find the file mt-sso.jar ............................................................................ 35
8.2 Mid-Tier can’t find the file jespa-1.0.9.jar ..................................................................... 35
8.3 Mid-Tier can’t find the file with the licence .................................................................. 35
8.4 Mid-Tier can’t find the configuration file mt-sso.config ............................................... 35
8.5 Remedy SSO can’t find the Domain controller .............................................................. 36
8.6 Remedy SSO can’t log into Domain controller .............................................................. 36
8.7 SSO Authentication service doesn’t work ..................................................................... 36
Plug-in Single Sign On Version 1.2
Copyright @ 2009 TopPositions
3
1 INTRODUCTION
There is a very common problem each company has to deal with, that is entering an incorrect
password when logging in to system or a certain application. Frustrated and unsatisfied users are
unable to remember each password they are obliged to use, that leads up to many unavoidable
mistakes. The only one solution seems to be IT specialists support, and the next new password.
However it helps, it’s not a long- lasting support. The password’s change does not guarantee that the
new one will not be forgotten.
What is more, security policy forces users to recurrent password’s changes . Not to forget the
new phrases and numbers, users’ write tem on the self stick note sheets and stick them onto the
screens. It’s obvious, that such way of storing passwords is not a safe one.
That is why our team of IT specialists worked out an innovative system, that is Plugin SSO (
Plugin Single Sign On). This security method is safe and allows you to get a very easy access to BMC
Remedy AR System. Plugin SSO makes the whole process of logging in very quickly and without the
user’s participation. That is why, users’ do not have to think hours about a new password, but take
care their duties.
Plugin SSO is the best solution. All the problems will disappear as well as users’ frustration and
annoyance. Everyone knows, that a satisfied employee is an effective employee, and effectiveness
means profits. So let us help you to make a big profit.
For more information, please visit our Web site :
http://www.remedy-sso.com
Plug-in Single Sign On Version 1.2
Copyright @ 2009 TopPositions
4
2 WHAT IS PLUGIN SINGLE SIGN ON VERSION 1.2
Plugin SSO is a component that enables the access to the BMC Remedy AR System without the
necessity of logging in.
Our system uses Security Support Provider Interface(SSPI). Exerted all over the world SSPI
authentication systems work on Windows and give you the highest level of information security.
Plugin SSO supports joint security policy for all passwords in the company so that it makes the
information stored in the BMC AR Remedy System safer.
The fact that, the Plugin SSO was created and tested by the best IT security specialists makes
your information unavailable for unwanted audience.
Our System as the only one in the world guarantees handling of the Microsoft NT LAN
Manager version. 2 (NTLMv2). Moreover, NTLMv2 is recommended and used by the best IT security
specialists all over the world.
NTLMv2 service is asserted by the IOPLEX component.
Here you can find more information about IOPLEX:
http://www.ioplex.com
Plugin SSO is a product for BMC Remedy AR system and does not require any complex
process of installation or configuration.
Plug-in Single Sign On Version 1.2
Copyright @ 2009 TopPositions
5
3 APPLICATION
As a very flexible solution, Plugin SSO can be applied in various equipment and system
configurations.
Plugin SSO supports:
BMC Remedy AR System, vol. 7.0, 7.1, 7.5 and 7.6,
Operating systems like Windows, Linux, Solaris and HP-UX,
J2EE Containers like Apache Tomcat, Weblogic, Websphere and others,
The outside authentication systems like ClearTrust and SiteMinder ( they authenticate
users through “Http header” protocol),
Internet browsers like Internet Explorer and Mozilla Firefox ( Mozilla Firefox requires
Windows Authentication Configuration,
Java 1.5 and 1.6,
All variants of the NTLM protocol (NTLM by default).
Plug-in Single Sign On Version 1.2
Copyright @ 2009 TopPositions
6
4 EQUIPMENT COMPATIBILITY
Automatic Plugin SSO log in can be used on the following operating systems:
Matrix of the solution compatybility
Operating systems
Windows 2000, 2003, 2008 Sun Solaris 9.x HP-UX 11.x Linux 2.6.x+
BMC Action Request System
7.0 7.1 (MT patch 6+) 7.5 (MT patch 1+)
Plugin SSO supports many typical WWW security systems.
Popular products
Authentication systems
ClearTrust SiteMinder Quest QSJ HTTP Basic
Plugin SSO supports Windows Authentication (NTLM v2) in “Out of Box” version.
Plug-in Single Sign On Version 1.2
Copyright @ 2009 TopPositions
7
5 HOW PLUGIN SSO WORKS
Plugin SSO allows to get to Remedy AR System surroundings on the basis of authorization that
was made when logging into the corporate network( by Windows domain authorization).
When correctly logged into the Windows domain, user doesn’t have to log once again to
connect with BMC Remedy AR System.
Plugin SSO Works as a plugin installed on BMC Remedy AR System and is able to support Web-
SSO systems or work autonomously.
This component logs the users’ with BMC Remedy AR System automatically by the Web
browser of BMC Remedy User Application.
The following diagram shows how Plugin SSO authorizes user’s system by the use of Windows
Authentication Protocol.
User’ s authorization by Plugin SSO
In case of Web browser, Plugin SSO is triggered out when user is logging into one of the
following Mid Tier Server addresses: /arsys/home, /arsys/forms /arsys/apps
Plugin SSO asks the user's Web browser to send the NTLM header together with the user’s
data. Then it checks if this data is correct or not . If the user was identified by the Windows
Controller, user gains the access to the BMC Remedy AR System.
The following diagram shows the user’s authorization by the web browser
Plug-in Single Sign On Version 1.2
Copyright @ 2009 TopPositions
8
User’s logging in by the Internet Browser
When BMC remedy User authorization application used, Plugin SSO is being triggered when
the application opened. Plugin SSO is being given a special ticket to SSO Authorization Service. This
service is activated at any Windows server after SSPI Negotiate (NTLM) authorization.
Then, BMC Remedy User sends the ticket to BMC AR Remedy System. Plugin AREA SSO verifies
this ticket in the SSO Authorization Service. Each ticket is generated for particular user and for the
computer, from which user is trying to connect to BMC Remedy AS System.
The following diagram shows how BMC Remedy User authorizes users’.
Plug-in Single Sign On Version 1.2
Copyright @ 2009 TopPositions
9
User’s logging in by the BMC Remedy User
Plug-in Single Sign On Version 1.2
Copyright @ 2009 TopPositions
10
6 INSTALLATION AND CONFIGURATION
6.1 Windows Authentication
If you do not have an external SSO system (ClearTrust, SiteMinder, etc.) and would like Mid-
Tier to authenticate users within Windows Controller, you will need to make extra moves to install
the component BMC Remedy Mid-Tier.
Our solution works only if Apache Tomcat has already been started as a standalone
application. We do not support the product ServletExec, as it is not presently recommended by BMC.
6.2 ClearTrust / Sitemider
After some time a session of ClearTrust and Siteminder expires. On this account length of the
session must be synchronized with length of the BMC Remedy Mid-Tier module session. To prevent a
situation when a user is still logged in the BMC Remedy AR system and is no longer logged in SSO
module, while installing Mid-Tier the following steps must be taken:
Configure ClearTrust or Siteminder to protect the paths /arsys/home, /arsys/forms
oraz /arsys/apps.
Adjust length of Mid-Tier session one minute shorter than the session in ClearTrust or
Siteminder.
6.3 Installation
Installation consists of two parts. It involves the ARS Server (ITSM)and also the MidTier
module. First two parts are obligatory. Installation pack contains 3 directories: mt ,ars and rut. The
first directory contains files that are required for the installation in MidTier server.
The third one contains files necessary in case of SSO authorization made by BMC Remedy User.
6.4 Installation Part 1 in the server environment (ARS Platform)
All the files necessary for this part of installation you can find in ars directory.
Files copying to AR system
1. Copy areasso.dll/areasso.so file to operational directory of ARS server (It is the same
directory that includes the file arserver.exe)
Plug-in Single Sign On Version 1.2
Copyright @ 2009 TopPositions
11
2. Copy area-sso.cfg/area-sso.conf file to the directory containing ar.cfg/ar.conf. (It is
the same directory that includes the file ar.cfg/ar.conf. e.g.: c:\program files\AR
Server\conf)
Plug-in Single Sign On Version 1.2
Copyright @ 2009 TopPositions
12
Checking whether the AR External Authentication (AREA) is switched on
In order to do that you need to:
Log the BMC Remedy User Tool
Open AR System Administration Console
Open System->General->Server Information
Open the folder EA
Make sure RPC 390695 is selected
Make sure Cross Reference Blank Password is marked
Save the potential changes.
Plug-in Single Sign On Version 1.2
Copyright @ 2009 TopPositions
13
The following picture presents how to configure AR External Authentication.
You need to make sure AREAHUB has been installed and started.
In order to check it you have to examine the file ar.cfg/ar.conf or use the BMC Remedy User
Tool.
To do it you need to:
Log in Remedy into the administration account using BMC Remedy User Tool
Find form Configuration ARDBC
On the list find the value areahub.
The picture illustrates the way of searching for areahub
When on the list there is a proper record, it means that AREA-HUB has been suitably
installed.
Plug-in Single Sign On Version 1.2
Copyright @ 2009 TopPositions
14
The picture illustrates the search result on condition that the areahub has been suitably
installed
When AREAHUB has not been installed you will have to do it by making appropriate
entries in the file ar.cfg/ar.conf:
Windows
Plugin: areahub.dll
Solaris/Linux
Plugin: areahub.so
In order to verify whether Plugin AREAHUB works properly you need to restart service
BMC Remedy AR System. After having restarted the system in the log file of a plugin
there should be the following entry (if the log file is large you should search in there
the value ARSYS.AREA.HUB ):
In order to turn on logging of Plugin Server you need to move to the chapter entitled Turning
on of the Plugin Server.
Plug-in Single Sign On Version 1.2
Copyright @ 2009 TopPositions
15
AREAHUB configuration for Plugin AREA SSO usage
To activate AREA SSO Plugin add the following entries to ar.cfg/ar.conf file (this configuration
uses the additional authorization based on LDAP) :
Plugin: areahub.dll
AREA-Hub-Plugin: areasso.dll
AREA-Hub-Plugin: arealdap.dll
Configuration using the authorization pursuant to form User:
Plugin: areahub.dll
AREA-Hub-Plugin: areasso.dll
AREA SSO plugin configuration in the area-sso.cfg/area-sso.conf file.
You should change the following entries in the area-sso.cfg/area-sso.conf file.
Parametr Opis
MidTier-Enabled If the users’ will connect to BMC Remedy AR System by Web browser this
parameter should be „enabled”.
For ex.: MidTier-Enabled: Enabled
MidTier-IP Addresses of the Mid-Tier Servers that users will be authorized by.
For ex.: MidTier-IP: 127.0.0.1;192.168.21.2
New-MidTier-Shared-Key
Shared key password identical, just like the one configured in the second
part of installation guide.
The password is going to be encoded after restarting BMC Remedy AR
System in area-sso.cfg/area-sso.conf file.
For ex.: New-MidTier-Shared-Key: <password>
RUT-Enabled If users will connect to the BMC Remedy AR System by BMC Remedy User,
this parameter should be “enabled”
For ex.: RUT-Enabled: Enabled
AuthService-IP IP address of SSO Authentication Service
For ex.: AuthService-IP: 127.0.0.1
This parameter should be “enabled” if “RUT-Enabled” is set to Enabled.
AuthService-Port TCP port on which SSO Authentication Service works.
Default parameter value is 11000 port
For ex.: AuthService-Port: 12000
Configuration of the AREA LDAP plugin
If the BMC AREA LDAP Plugin is used to store data about users in LDAP or in Active-Directory
you will need to follow the instructions in the following chapter. In the case when the data about
users is stored in the form User within AR System you will need to go straight to the chapter Turning
on of the Plugin Server logging.
Plug-in Single Sign On Version 1.2
Copyright @ 2009 TopPositions
16
After having made sure that plugin AREAHUB has been properly installed you will have to take
another step consisting in configuring or checking whether BMC AREA LDAP Plugin has been properly
installed and configured.
The installation and configuration details can be found in the documents of BMC AR System:
BMC Remedy Action Request System 7.0 Integrating with Plugins and Third-Party Products
http://www.bmc.com/supportu/documents/84/67/58467/58467.pdf
Page 163
BMC Remedy Action Request System 7.1.00 Integrating with Plugins and Third-Party Products
http://www.bmc.com/supportu/documents/93/94/69394/69394.pdf
Page 133
BMC Remedy Action Request System 7.5.00 Integration Guide
http://www.bmc.com/supportu/documents/53/80/95380/95380.pdf
Page 143
To verify if the BMC AREA LDAP plugin configuration is appropriate you should open the AREA LDAP
Configuration form and check the data entered into the form is correct:
The picture illustrates a model BMC AREA LDAP plugin configuration.
Plug-in Single Sign On Version 1.2
Copyright @ 2009 TopPositions
17
Turning on of the Plugin Server logging
In order to verify that Remedy SSO Plugin works properly you need to select logging into Plug-
In Server from the level of the authorized ARS user in the module Server Information and in the
folder Log Files you need to select All in the Plugin Log Level.
The picture illustrates the way of configuring logging of the Plugin Server.
6.5 Installation part II in the environment on the side of Mid-Tier server
All the files to be used in this part of the installation you can find in mt directory.
Java SDK Environment
At first you need to check if Java SDK has been installed in the Server.
Installation of Java JRE is not sufficient for the correct functioning of the system.
Copying and changes of the files
1. Patch the file Web.xml that can be found in the Mid-Tier server via update of
the file web.xml.patch.
The contents of the patch needs to be copied into the file Mid-Tier\WEB-INF
\web.xml between the last entry of a type </filter> and the first one of a type
<filter-mapping>
2. Copy the mt-sso.jar file to Mid-Tier\WEB-INF\lib directory
3. Copy jespa-1.0..jar file to Mid-Tier\WEB-INF\lib directory
4. Copy bcprov-jdk15-144.jar file to Mid-Tier\WEB-INF\lib directory
Plug-in Single Sign On Version 1.2
Copyright @ 2009 TopPositions
18
5. Copy mt-sso.config file to Mid-Tier\WEB-INF\classes directory
6. Copy mt-sso.license file to Mid-Tier\WEB-INF\classes directory
7. Copy the whole sso directory to Mid-Tier\shared directory
8. After having made all the above changes you need to restart Mid-Tier server.
Creating service account for NETLOGON communication
If the authorization is supposed to take place in Windows Controller, you need to create a
service account in Active Directory. Otherwise you can move on to the next point Configuration of
the MidTier SSO plugin via http website
To create the service account in Active Directory you have to use a tool called Active Directory
Users and Computers (ADUC). NETLOGON service requires the account to be of a Computer type (A regular user’s account
will not work.) We recommend to enter the same value using letter, digits and underlining (without spaces) in
the field "Computer name" (cn) and "pre-Windows 2000 name" (sAMAccountName).
The created service account should have its own DN that has to be used to change the
password in the next step.
E.g.:
If the account has been called REMEDY and the name of the domain in which the account has
been created is example.com DN for this account will equal:
CN=REMEDY,CN=Computers,DC=example,DC=com.
Change of a password to the service account
A password to the service account must be entered in the MidTier SSO Plugin configuration.
Password change can be made only by using the Microsoft tools or with help of the script attached to
the installation pack:
Plug-in Single Sign On Version 1.2
Copyright @ 2009 TopPositions
19
The above scripts should be activated from the station that has rights to the Active Directory.
The following example demonstrates how to change the password for the account
CN=REMEDY,CN=Computers,DC=example,DC=com:
Configuration of the MidTier SSO plugin via http website
In order to configure MidTier SSO Plugin you need to:
1. Open the website of the configuration tool in your internet browser:
http://path-to-midtier/arsys/shared/sso/config.jsp
2. Log in the administration panel by using a password.
3. The default password for the administration panel is “password”.
4. Select General Settings
MidTier SSO configuration tool contains the following section:
Core Configuration
Parametr Opis
Turn On/Off Turning on and turning off of MidTier SSO plugin
Shared Key In this field you should enter the same password as the one defined on the side of ARS Server (SharedKey)
SSO Log Level Log level of MidTierSSO plugin Potential values:
Info – information about configuration
Trace – information about users logging into the system
C:\>cscript SetComputerPass.vbs CN=REMEDY,CN=Computers,DC=example,DC=com Password: **********
'SetComputerPass.vbs Option Explicit Dim strDn, objPassword, strPassword, objComputer If WScript.arguments.count <> 1 Then
WScript.Echo "Usage: SetComputerPass.vbs <ComputerDN>" WScript.Quit
End If strDn = WScript.arguments.item(0) Set objPassword = CreateObject("ScriptPW.Password") WScript.StdOut.Write "Password:" strPassword = objPassword.GetPassword() Set objComputer = GetObject("LDAP://" & strDn) objComputer.SetPassword strPassword WScript.Echo WScript.Echo "Password set on " & strDn WScript.Quit
Plug-in Single Sign On Version 1.2
Copyright @ 2009 TopPositions
20
Debug – debugging information
All – all the information
Username conversion Username conversion Possible values:
To Upper case – changes all the letters in the username into upper case ones:
For example.: [email protected]
To Lower case – changes all the letters in the username into lower case ones:
For example.: [email protected]
HTTP header(s) containing username
If the external SSO system sends the username in a specific HTTP header , in this field you should enter the name of this header. Otherwise this field should remain empty.
Windows Authentication Configuration
When the users’ authorization is to take place in Windows Controller, you need to fill in the
following Fields. Otherwise you need to restart Mid-Tier module. The installation of Mid-Tier SSO
Plugin is completed.
Parametr Opis
Active Directory domain
Name of the domain into which users will be authenticated must be entered in full format:
For example.: example.com
NTLM log level NTLM protocol log level Possible values:
None – no logging
Critical – critical errors
Basic – basic information
Detailed – detailed information
Debbuging – all the information
Computer Account Name of a user’s account created in the point: Creating service account for NETLOGON
For example.: [email protected]* *It is necessary to type $ after username.
Computer Password Password to the user’s account (Computer Account) modified in the point: Change of a password to the service account
Canonical Account Name
Format of a user logging into Remedy system. Possible values:
Username – only username.
Plug-in Single Sign On Version 1.2
Copyright @ 2009 TopPositions
21
For example.: abaker
Backslash – username + domain name separated by a symbol ‘\’
For example.: EXAMPLE\abaker
Principal – username + full domain name separated by a symbol
‘@’
For exampe.: [email protected]
Save the changes and then restart MidTier application.
Configuration of the Remedy SSO solution via edition of the file mt-sso.config
To configurate MidTier SSO plugin manually, you should change mt-sso.config file that you can
find in the Midtier\WEB-INF\classes directory.
Core Configuration
Parametr Opis
remedy.sso.status Turning on and turning off of the Remedy SSO plugin. Possible values:
on/off
remedy.sso.username.case Username conversion. Possible values:
upper – changes all the letters in the username into
upper case ones:
For example.: [email protected]
lower – changes all the letters in the username into
lower case ones:
For example.: [email protected]
remedy.sso.http.header If the external SSO system sends the username in a specific HTTP header , in this field you should enter the name of this header. Otherwise this field should remain empty.
remedy.sso.new.sharedKey A password that has been defined on the side of ARS server (SharedKey). After restarting Mid-Tier service the password will be hashed and saved in the configuration file within the parameter: remedy.sso.sharedKey
remedy.sso.loglevel Remedy SSO log level Possible values:
Info – information about configuration
Trace – information about users logging into system
Debug – debugging information
All – all the information
Plug-in Single Sign On Version 1.2
Copyright @ 2009 TopPositions
22
Windows Authentication Configuration
Parametr Opis
jespa.bindstr Name of the domain into which users will be authenticated must be entered in full format:
For example.: example.com
jespa.log.level NTML protocol log level Possible values:
0 – no logging 1 – critical errors 2 – basic information 3 – detailed information 4+ – all the information
jespa.service.acctname Name of a user’s account created in the point: Creating service account for NETLOGON
For example.: [email protected]* *It is necessary to type $ after username.
jespa.service.new.password Password to the user’s account (Computer Account) modified in the point: Change of a password to the service account After restarting Mid-Tier service the password should be hashed and saved in the configuration file within the parameter jespa.service.password
jespa.account.canonicalForm Format of a user logging into Remedy AR System. Possible values:
2 – only username.
For example.: abaker.
3 – username + domain name separated by a symbol ‘\’
For example.: EXAMPLE\abaker
4 – username + full domain name separated by a symbol ‘@’
For example.: [email protected]
Save the changes and then restart MidTier application.
In the file you can use additional options for Windows Authentication. More details can be
found in technical documentation for Jespa module:
Jespa Operator's Manual
6.6 Installation Part III SSO Authentication Service
All the files to be used in this part of the installation you can find in rut directory.
If the automatic logging should not work on BMC Remedy User Tool application, please miss
the rest part of this chapter.
SSO Authentication Service is the service that is run on Windows server. It identifies users’ in
the Windows controller by the SSPI Negotiation interface(NTLM protocol).
Plug-in Single Sign On Version 1.2
Copyright @ 2009 TopPositions
23
The following service may be run on each Windows Server that is connected to the domain.
Run Installer’s
1. Run setup.exe on the server where the SSO Authentication Service will be installed ( be
logged on the administrator’s account).
2. If there is no Microsoft .Net Framework 3.5 on the server, it’s installer will install
automatically.
3. Choose Next on the first screen.
4. Accept the license by choosing checkbox „YES – I accept the terms of the License
Agreement”, and then click Next.
Plug-in Single Sign On Version 1.2
Copyright @ 2009 TopPositions
24
5. Choose the directory where SSO Authentication Service will be installed, and then click
Next.
6. Choose SSO Authentication Service from the list and remove SSO Authentication plugin,
then click Next.
Plug-in Single Sign On Version 1.2
Copyright @ 2009 TopPositions
25
7. Type TCP port number used by the SSO Authentication Service(the port address must be
unused by any others services), then click Next.
8. Choose format of a username logging into Remedy AR System, then click Next.
Plug-in Single Sign On Version 1.2
Copyright @ 2009 TopPositions
26
In Canonical Account Name you can choose between the following:
Username – only username.
For example.: abaker
Backslash – username + domain name separated by a symbol ‘\’
For example.: EXAMPLE\abaker
Principal – username + full domain name separated by a symbol ‘@’
For exampe.: [email protected]
In the UserName Conversion area you can choose between the following :
Upper – changes all the letters in the username into upper case ones:
For exampe.: [email protected]
Lower– changes all the letters in the username into lower case ones:
For exampe.: [email protected]
9. Give the BMC Remedy AR System localization to which users’ will be automatically logged
in. When the formula left empty, the configuration will be necessary on each user’s
station. Then choose Next.
Plug-in Single Sign On Version 1.2
Copyright @ 2009 TopPositions
27
10. Continue installation by choosing Next.
11. Installation completed. Choose Finish to close installer.
Plug-in Single Sign On Version 1.2
Copyright @ 2009 TopPositions
28
6.7 Installation Part IV- Plugin SSO Authentication for BMC Remedy User Tool
All the files to be used in this part of the installation you can find in rut directory.
If you want the automatic Single Sign On logging in BMC Remedy User to work on the final
user’s workstation, please install SSO Authentication plugin.
Run Installer’s
1. Run setup.exe on the workstation where the SSO Authentication Plugin will be
installed.
2. If there is no Microsoft .Net Framework 3.5 on the workstation, it’s installer will install
automatically.
3. Choose Next on the first screen.
Plug-in Single Sign On Version 1.2
Copyright @ 2009 TopPositions
29
4. Accept the license by choosing checkbox „YES – I accept the terms of the License
Agreement”, and then click Next.
5. Choose the directory where SSO Authentication Plugin will be installed, and then click
Next.
Plug-in Single Sign On Version 1.2
Copyright @ 2009 TopPositions
30
6. Choose SSO Authentication Plugin from the list and remove SSO Authentication
Service, then click Next.
7. Give the SSO Authentication Service localization to which users’ will be automatically
logged in. Then choose Next.
Plug-in Single Sign On Version 1.2
Copyright @ 2009 TopPositions
31
8. Continue installation by choosing Next.
9. Installation completed. Choose Finish to close installer.
Plug-in Single Sign On Version 1.2
Copyright @ 2009 TopPositions
32
11. To verify whether the installation completed successfully, open the BMC Remedy User
application and check if the user was automatically logged in BMC Remedy AR System.
Plug-in Single Sign On Version 1.2
Copyright @ 2009 TopPositions
33
7 TROUBLESHOOTING
If during the installation you faced a problem that cannot be solved you should take the
following steps in order to enable us to diagnose the problem.
7.1 SSO AREA plugin
In the beginning of problem diagnosis you need to verify whether SSO AREA plugin has been
correctly installed and configured.
Mid-Tier IP address
At first you need to check whether the Mid-Tier IP address in the file area-sso.cfg/area-
sso.conf has been correctly configured.
Shared-Key
Then you need to verify if shared-key has been correctly configured.
In order to do that you have to start the tool BMC Remedy User on the server on which Mid-
Tier is installed. After that you should enter your login coming from Active-Directory in the field
‘username’; the field ‘password’ should be left empty. You should key ‘shared-key’, that has been
previously configured during installation, in the field ‘authentication’. If you manage to log into the
system that would mean SSO AREA plugin has been properly installed and configured. Otherwise you
have to again set up a correct shared-key in the file area-sso.cfg/area-sso.conf.
7.2 AREA LDAP plugin
If AREA LDAP plugin is not used to authorize users in Active Directory you need to move on to
the next step.
Otherwise you have to start a tool BMC Remedy User. Then in the field ‘username’ enter your
login coming from Active-Directory; enter a domain password in the field ‘password’. If you manage
to log into the system that would mean AREA LDAP plugin has been properly installed and
configured. Otherwise you have to check the configuration of AREA LDAP plugin in the form AREA
LDAP Configuration.
7.3 Mid-Tier SSO Plugin
If SSO AREA plugin works properly, in the next step you need to check if plugin on the side of
Mid-Tier has been correctly installed.
MT-SSO.jar
At first you should check if the file MT-SSO.jar has been correctly installed.
In order to do that you need to check if there is the file MT-SSO.jar in the directory Mit-
Tier/WEB-INF/lib.
Plug-in Single Sign On Version 1.2
Copyright @ 2009 TopPositions
34
mt-sso.config
In the next step you need to check if the file mt-sso.config has been correctly installed. In order
to do that you need to check if there is the file mt-sso.config in the directory Mit-Tier/WEB-
INF/classes.
mt-sso.license
Then you need to check if the file mt-sso.license has been correctly installed. In order to do
that you need to check if there is the file mt-sso.license in the directory Mit-Tier/WEB-INF/classes.
MidTier SSO Plugin Configuration
In order to verify whether MidTier SSO plugin has been correctly configured you need to open
the website of the Configuration tool:
http://mid-tier hostname/arsys/shared/sso/config.jsp.
Then after correct logging you need to verify if:
a correct licence has been installed
Remedy SSO plugin has been turned on
Windows Controller data have been entered correctly (if the controller is used for
users’ authentication)
7.4 SSO Authentication Service
If the SSO Auth Service doesn’t work, check the EventLog entries ( on the Server, on which it
was installed).
7.5 What’s next
If the problem continues you should forward an email to our support department including
following information:
file AR Server plugin log (with the Plugin-Log-Level adjusted to 100) with a user’s
logging attempt registered by BMC Remedy User-using shared-key;
files ar.cfg and area-sso.cfg from AR Server, and the file mt-sso.config from Midtier;
the file web.xml from Mid-Tier server;
log files from servlet engine on which Mid-Tier has been installed;
version numbers of the ARS server and Mid-Tier together with patch numbers
name and version number of servlet engine.
EventLog entries for SSO Auth Service.
Plug-in Single Sign On Version 1.2
Copyright @ 2009 TopPositions
35
8 POTENTIAL ERRORS
Below find a list of errors that may occur during installation:
8.1 Mid-Tier can’t find the file mt-sso.jar
If during installation you have forgotten to copy the file mt-sso.jar, in logs of Tomcat server
there should be the following error report:
8.2 Mid-Tier can’t find the file jespa-1.0.9.jar
If during installation you have forgotten to copy the file jespa-1.0.9.jar, in logs of Tomcat
server there should be the following error report:
8.3 Mid-Tier can’t find the file with the licence
If during installation you have forgotten to copy the file mt-sso.license, in logs of Tomcat
server there should be the following error report:
8.4 Mid-Tier can’t find the configuration file mt-sso.config
If during installation you have forgotten to copy the file mt-sso.config, in logs of Tomcat server
there should be the following error report:
15:33:20,317 Remedy Single Sign ON ERROR (filters.SSOHttpFilter:init:?) - Failed to load config file!
15:14:51,942 Remedy Single Sign ON ERROR (lic.LicenseManager:loadLicence:?) - Licence
file: /mt-sso.license not found
- Licence file: /mt-sso.license not found
15:14:51,942 Remedy Single Sign ON WARN (lic.LicenseManager:validateLicense:?) -
License not loaded
- License not loaded
15:14:51,942 Remedy Single Sign ON ERROR (filters.SSOHttpFilter:init:?) - License not
loaded
java.lang.NoClassDefFoundError: jespa/http/HttpSecurityService
at java.lang.ClassLoader.defineClass1(Native Method)
at java.lang.ClassLoader.defineClass(Unknown Source)
at java.security.SecureClassLoader.defineClass(Unknown Source)
at org.apache.catalina.loader.WebappClassLoader.findClassInternal(WebappClassLoader.java:1852)
at org.apache.catalina.loader.WebappClassLoader.findClass(WebappClassLoader.java:876)
java.lang.ClassNotFoundException: remedy.sso.midtier.jespa.filters.SSOHttpFilter
at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1362)
at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1208)
at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:207)
at org.apache.catalina.core.ApplicationFilterConfig.setFilterDef(ApplicationFilterConfig.java:302)
at org.apache.catalina.core.ApplicationFilterConfig.<init>(ApplicationFilterConfig.java:78)
Plug-in Single Sign On Version 1.2
Copyright @ 2009 TopPositions
36
8.5 Plugin SSO can’t find the Domain controller
If during installation you have incorrectly entered the domain name in the field Active
Directory domain, in logs of Tomcat server there should be the following error report:
8.6 Plugin SSO can’t log into Domain controller
If during configuration you have incorrectly entered the name of a service account or its
password, in the field Active Directory domain, in logs of Tomcat server there should be the following
error report:
8.7 SSO Authentication service doesn’t work
TCP Port is probably busy by the other service, Change the port’s number ( SSO Auth Service
should be installed again).
jcifs.smb.SmbAuthException: Logon failure: unknown user name or bad password.
at jcifs.smb.SmbTransport.checkStatus(Unknown Source)
at jcifs.smb.SmbTransport.send(Unknown Source)
at jcifs.smb.SmbSession.sessionSetup(Unknown Source)
at jcifs.smb.SmbSession.send(Unknown Source)
at jcifs.smb.SmbTree.treeConnect(Unknown Source)
java.net.PortUnreachableException: ICMP Port Unreachable
at java.net.PlainDatagramSocketImpl.receive0(Native Method)
at java.net.PlainDatagramSocketImpl.receive(Unknown Source)
at java.net.DatagramSocket.receive(Unknown Source)
at com.sun.jndi.dns.DnsClient.doUdpQuery(Unknown Source)
at com.sun.jndi.dns.DnsClient.query(Unknown Source)
at com.sun.jndi.dns.Resolver.query(Unknown Source)