BMC Atrium Single Sign-On 8.1
Table of Contents
3 What's new ____ 12
3.1 Version 8.1.00 ____ 14
3.1.1 Redesigned user interface ____ 15
3.1.2 Predefined authentication module ____ 15
3.1.3 New utility to simplify BMC Atrium Single Sign-On and AR System integration ____ 15
3.1.4 BMC Atrium Orchestrator Platform integration ____ 16
3.1.5 Click jacking prevention ____ 16
3.2 License entitlements ____ 16
3.3.1 Patch 3 for version 8.1.00: 8.1.00.03 ____ 17
3.3.2 Patch 2 for version 8.1.00: 8.1.00.02 ____ 18
3.3.3 Patch 1 for version 8.1.00: 8.1.00.01 ____ 19
3.4 Documentation updates after release ____ 20
3.4.1 Added BMC Mobility integration documentation ____ 20
3.4.2 Added BMC EUEM integration documentation ____ 20
4 Key concepts ____ 20
4.2 BMC Atrium Single Sign-On and OpenAM ____ 22
4.2.1 OpenAM technologies ____ 22
4.3 Administrator password ____ 23
4.5 Log on and log off behavior ____ 24
4.6 Certificates ____ 25
4.6.3 Related topics ____ 26
4.7 Authentication chaining ____ 26
5 Planning ____ 29
5.1 Checking the compatibility matrix for system requirements and supported configurations ____ 30
5.1.1 To access the compatibility matrixes ____ 30
5.2 End-to-end BMC Atrium Single Sign-On procedure ____ 30
5.3.1 Business value ____ 32
5.3.3 Deployment architecture ____ 33
5.3.4 Deployment model ____ 35
5.3.5 Deployment tasks ____ 37
5.3.6 Deployment parameters ____ 38
5.3.7 Related topics ____ 40
6.1.2 Downloading the installation files ____ 44
6.2 Installation options ____ 48
6.3 Configuring Terminal Services and DEP parameters ____ 48
6.3.1 To update Terminal Services configuration options for Windows Server 2008 ____ 48
6.4 Installing BMC Atrium Single Sign-On as a standalone ____ 50
6.4.1 Before you begin ____ 51
6.4.2 To install BMC Atrium Single Sign-On as a standalone ____ 51
6.4.3 Where to go from here ____ 54
6.5 Installing BMC Atrium Single Sign-On as a High Availability cluster ____ 55
6.5.1 HA prerequisites ____ 56
6.5.2 HA pre-installation tasks ____ 56
6.5.3 To install BMC Atrium Single Sign-On as an HA cluster ____ 56
6.5.4 HA post-installation activities ____ 57
6.5.5 Installing the first node for an HA cluster on a new Tomcat server ____ 57
6.5.6 Installing additional nodes for an HA cluster on a new Tomcat server ____ 63
6.5.7 Installing the first node for an HA cluster on an external Tomcat server ____ 68
6.5.8 Installing additional nodes for an HA cluster on an external Tomcat server ____ 70
6.6 Installing BMC Atrium Single Sign-On on an external Tomcat server ____ 72
6.6.1 Before you begin ____ 73
6.6.2 To install BMC Atrium Single Sign-On on an external Tomcat server ____ 73
6.6.3 Where to go from here ____ 74
6.6.4 Policy file additions for external Tomcat installations ____ 75
6.6.5 JVM parameter additions for external Tomcat installations ____ 76
6.6.6 Configuring an external Tomcat instance for FIPS-140 ____ 76
6.6.7 Configuring a JVM for the Tomcat Server ____ 77
6.6.8 Setting an HTTPS connection ____ 78
6.7 Installing BMC Atrium Single Sign-On with the AR System server and Mid Tier ____ 79
6.7.1 Installing video ____ 80
6.7.3 Related topics ____ 81
6.7.5 Installing or upgrading AR System server ____ 84
6.7.6 Installing or upgrading BMC Remedy Mid Tier ____ 86
BMC Atrium Single Sign-On 8.1 Page 5 of 389
6.7.7 Running the SSOARIntegration utility on the AR System server ____ 88
6.7.8 Reviewing AR server external authentication settings and configuring group mapping ____ 91
6.7.9 Running the SSOMidtierIntegration utility on the Mid Tier ____ 92
6.7.10 Managing the AR System users and groups for authentication ____ 97
6.7.11 Running a health check on the BMC Atrium Single Sign-On installation ____ 109
6.8 Installing silently ____ 112
6.8.2 Uninstalling in silent mode ____ 114
6.8.3 Example options.txt file ____ 114
6.9 Uninstalling BMC Atrium Single Sign-On ____ 117
6.9.1 Running the uninstaller on Windows ____ 117
6.9.2 Running the uninstaller on Solaris or Linux ____ 117
6.9.3 Invocation error during uninstallation ____ 118
7 Configuring after installation ____ 119
7.1 To set up a method for authentication ____ 120
7.2 SAMLv2 authentication ____ 121
7.5 Authentication chaining ____ 122
7.7 Where to go from here ____ 122
7.8 Using AR for authentication ____ 122
7.8.1 Before you begin ____ 123
7.8.2 To configure an AR module ____ 123
7.8.3 To configure an AR user store ____ 124
7.9 Using CAC for authentication ____ 126
7.9.1 CAC certificate usage ____ 126
7.9.2 To set up CAC to use for authentication ____ 127
7.9.3 Modify the Tomcat server ____ 127
7.9.4 Import DoD CA certificates ____ 128
7.9.5 To import certificates ____ 128
7.9.6 Set up CAC certificates ____ 129
7.9.7 If using OCSP, enable OCSP for the server ____ 131
7.9.8 Where to go from here ____ 131
7.9.9 Related topics ____ 132
7.10.1 Configuring Kerberos video ____ 133
7.10.2 Before you begin ____ 133
7.10.3 To set up Kerberos to use for authentication ____ 133
7.10.4 Where to go from here ____ 133
7.10.5 Generating a keytab for the service principal and mapping the Kerberos service name ____ 134
7.10.6 Configuring the Kerberos module ____ 136
7.10.7 Reconfiguring your browser ____ 138
7.11.1 Before you begin ____ 139
7.11.2 To set up LDAP (AD) for authentication ____ 139
7.11.3 LDAP (AD) parameters ____ 139
7.11.4 Where to go from here ____ 141
7.12 Using RSA SecurID for authentication ____ 141
7.12.1 To configure the SecurID module ____ 141
7.12.2 SecurID parameters ____ 142
7.13 Using SAMLv2 for authentication ____ 143
7.13.1 Configuring SAML V2 video ____ 144
7.13.2 SAMLv2 configuration options ____ 144
7.13.3 SAMLv2 implementation ____ 144
7.13.5 Typical SAMLv2 deployment architecture ____ 145
7.13.6 Related topics ____ 146
7.13.7 Configuring BMC Atrium Single Sign-On as an SP ____ 146
7.13.8 Configuring BMC Atrium Single Sign-On as an IdP ____ 153
7.13.9 Federating user accounts in bulk ____ 157
8 Upgrading ____ 165
8.1 To upgrade BMC Atrium Single Sign-On ____ 166
8.2 To upgrade BMC Atrium Single Sign-On in silent mode ____ 166
8.3 Preparing to upgrade BMC Analytics for BSM ____ 166
8.3.1 To remove the J2EE agent for BMC Analytics for BSM ____ 166
8.4 Upgrading HA nodes ____ 167
8.4.1 To upgrade HA nodes ____ 167
9 Integrating ____ 168
9.1 Integrating BMC Atrium Single Sign-On with AR System Version 8.0.00 ____ 169
9.1.1 Configuring external authentication for AR System integration ____ 170
9.1.2 Installing BMC Atrium Single Sign-On for AR System integration ____ 171
9.1.3 Configuring BMC Atrium Single Sign-On for integration ____ 173
9.1.4 Manually configuring mid tier for BMC Atrium Single Sign-On user authentication ____ 176
9.1.5 Configuring the BMC Atrium Single Sign-On server for AR System integration ____ 183
9.1.6 Running a health check on the BMC Atrium Single Sign-On integration ____ 195
9.2 Integrating BMC Dashboards for BSM ____ 198
9.2.1 Before you begin ____ 198
9.2.2 To integrate BMC Dashboards for BSM ____ 199
9.3 Integrating BMC Analytics for BSM ____ 199
9.3.1 Before you begin ____ 199
9.3.2 To integrate BMC Analytics for BSM ____ 200
9.4 Integrating BMC ProactiveNet ____ 200
9.4.1 Before you begin ____ 200
9.4.4 To define users and groups ____ 202
9.4.5 To create new users ____ 202
9.4.6 To assign users to user groups ____ 203
9.4.7 To clean up Web Agent entries when the BMC ProactiveNet Server is uninstalled ____ 203
9.5 Integrating BMC IT Business Management Suite ____ 204
9.5.1 Before you begin ____ 204
9.5.2 To integrate BMC IT Business Management Suite ____ 204
9.6 Integrating BMC ITBM and WebSphere application server ____ 205
9.6.1 Before you begin ____ 205
9.6.2 To configure the WebSphere application server to work with the BMC Atrium Single Sign-On server ____ 205
9.7.1 Before you begin ____ 208
9.7.2 To integrate BMC Capacity Optimization ____ 208
9.8 Integrating BMC Atrium Orchestrator Platform ____ 209
9.8.1 Before you begin ____ 210
9.8.2 BMC Atrium Orchestrator Platform installation worksheet ____ 210
9.8.3 Where to go from here ____ 212
9.9 Integrating BMC Real End User Experience Monitoring ____ 212
9.9.1 Preparing BMC Atrium SSO server for integration ____ 212
9.9.2 Preparing the Console component for the BMC Atrium SSO integration ____ 212
9.10 Integrating BMC Mobility for ITSM 8.1.00 ____ 212
9.10.1 Before you begin ____ 212
9.10.2 Limitations ____ 213
9.10.4 Related Topics ____ 214
10.1.1 Editor options ____ 215
10.1.2 Status panel ____ 215
10.1.4 Sessions panel ____ 216
10.1.5 Realm Editor ____ 216
10.1.6 Agent manager ____ 233
10.2 Managing keystores with a keytool utility ____ 239
10.2.1 Creating new keystores ____ 240
10.2.2 Using the keytool utility ____ 241
10.2.3 Importing a certificate into the truststore ____ 243
10.2.4 Generating and importing CA certificates ____ 245
10.2.5 Generating self-signed certificates ____ 249
10.2.6 Checking the truststore for certificates ____ 250
10.3 Configuring FIPS-140 mode ____ 251
10.3.1 Converting to FIPS-140 mode ____ 251
10.3.2 Monitoring FIPS-140 and normal mode conversions ____ 256
10.3.3 Changing FIPS-140 network ciphers ____ 257
10.3.4 Converting from FIPS-140 to normal mode ____ 258
10.4 Using an external LDAP user store ____ 260
10.4.1 To create an external LDAP user store ____ 261
10.4.2 To modify an existing external LDAP user store ____ 261
10.4.3 LDAPv3 User Store parameters ____ 261
10.4.4 General tab ____ 261
10.4.5 Search tab ____ 262
11.1.3 To search for users ____ 266
11.1.4 To delete users ____ 266
11.1.5 To modify user information ____ 266
11.1.6 To enable or disable a user account ____ 266
11.1.7 To add a group membership to a user account ____ 267
11.1.8 To remove a group membership from a user account ____ 267
11.1.9 To view user sessions ____ 267
11.1.10 To terminate an active user session ____ 268
11.2 Managing user groups ____ 268
11.2.1 To access the Group page ____ 269
11.2.2 To create a new group ____ 269
11.2.3 To delete a group ____ 269
11.2.4 To assign a group membership ____ 270
11.2.5 To remove users from a group ____ 270
11.3 Managing authentication modules ____ 271
11.3.1 To manage authentication modules ____ 271
11.3.2 To create a new module ____ 271
11.3.3 To edit a module ____ 271
11.3.4 To delete a module ____ 272
11.3.5 To change the criteria for a module ____ 272
11.3.6 To reorder the modules in a chain ____ 272
11.4 Managing nodes in a cluster ____ 273
11.4.1 To modify the server configuration on a node ____ 273
11.4.2 To delete a node from the cluster ____ 273
11.4.3 Resynchronizing nodes in a cluster ____ 273
11.4.4 Starting nodes in a cluster ____ 274
11.4.5 Stopping nodes in a cluster ____ 274
11.5 Managing agents ____ 275
11.6 Managing the server configuration ____ 276
11.6.1 To modify the server configuration ____ 276
11.6.2 Server configuration parameters ____ 276
11.6.3 Server Configuration Editor parameters ____ 276
11.6.4 HTTP Only and HTTPS Only ____ 277
11.6.5 Session parameter defaults ____ 278
11.7 Stopping and restarting the BMC Atrium Single Sign-On server ____ 279
11.7.1 Stopping and restarting on Windows ____ 279
11.7.2 Stopping and restarting on UNIX or Linux ____ 279
12 Troubleshooting ____ 279
12.1.2 Support utility location ____ 282
12.1.3 Log file locations ____ 282
12.1.4 Using BMC Atrium Single Sign-On for logging ____ 284
12.2 Working with error messages ____ 285
12.3 Logon and logoff issues ____ 316
12.3.1 Automatic IdP logon behavior ____ 316
12.3.2 URL re-direct issues ____ 316
12.4 Upgrading from 7.6.04 to 8.1 silent installation issue ____ 317
12.4.1 Upgrading without specifying the host name ____ 319
12.4.2 Upgrading by re-defining the host name ____ 319
12.5 Troubleshooting AR authentication ____ 320
12.5.1 User has no profile in this organization ____ 320
12.5.2 Error saving user or group edits ____ 321
12.5.3 Error in SAML Authentication when Auto Federation is enabled ____ 321
12.6 Troubleshooting AR System server and Mid Tier integrations ____ 321
12.6.1 Manually running the SSOARIntegration utility on the AR System server ____ 321
12.6.2 Manually running the SSOMidtierIntegration utility on the AR System server ____ 323
12.7 Troubleshooting CAC authentication ____ 326
12.7.1 Example of a default logging level error ____ 327
12.7.2 Example of a debug log error when a certificate is not available ____ 327
12.7.3 Changing the clientAuth setting ____ 328
12.7.4 Turning on network debug logging ____ 328
12.7.5 Example of a client not responding with a certificate ____ 329
12.7.6 Example of a client sending a certificate ____ 329
12.7.7 Example of a list of certificates sent to the client ____ 330
12.7.8 Example of URL certificate authentication not enabled ____ 330
12.7.9 Example of OCSP certificate failure ____ 331
12.8 Troubleshooting FIPS-140 conversion ____ 331
12.9 Troubleshooting JEE agents ____ 331
12.9.1 To remove a JEE agent from BMC Atrium Single Sign-On ____ 332
12.9.2 To remove a JEE agent from WebSphere ____ 332
12.9.3 To remove a JEE agent from Tomcat ____ 332
12.9.4 To remove a JEE agent from JBoss or WebLogic ____ 333
12.10 Troubleshooting Kerberos authentication ____ 333
12.10.2 Invalid service principal name for Kerberos authentication ____ 334
12.10.3 Invalid keytab index number for Kerberos authentication ____ 335
12.10.4 Invalid password for Kerberos authentication ____ 335
12.10.5 Incorrect server name for Kerberos authentication ____ 335
12.10.6 Browser sending NTLM instead of Kerberos ____ 336
12.10.7 Browser not correctly configured for Kerberos authentication ____ 337
12.10.8 Clock skew too great for Kerberos authentication ____ 338
12.10.9 Chained authentication failure in Microsoft Internet Explorer ____ 338
12.11 Troubleshooting an external LDAP user store ____ 339
12.11.1 No users in User tab ____ 339
12.11.2 No groups in Group tab ____ 339
12.12 Troubleshooting SAMLv2 ____ 340
12.13 Troubleshooting redirect URLs ____ 343
12.13.1 Modifying the load balancer (or reverse proxy) for redirect URLs ____ 343
12.13.2 Using load balancer (or reverse proxy) host names for redirect URLs ____ 344
12.13.3 Cookie name change for a HA node ____ 344
12.14 Session sharing in HA mode issue ____ 345
12.14.1 To configure point-to-point sessions sharing ____ 345
12.15 Troubleshooting installation or upgrade issues ____ 346
12.16 Resolving installation issues on LINUX operating system ____ 346
12.16.1 Installation failure due to missing libraries ____ 346
12.16.2 Installation failure due to low level of entropy ____ 346
13 Known and corrected issues ____ 347
13.1 Installation and upgrade issues ____ 348
13.2 Other issues ____ 350
14 Support information ____ 351
14.2 Support status ____ 351
16.1 Comments dashboard ____ 353
16.3 Technical Bulletin SW00448553 ____ 369
16.3.1 BMC Atrium Single Sign-On ____ 369
16.3.2 Issue ____ 369
16.4 Enabling multiple realms ____ 372
16.4.1 Realm panel ____ 373
16.4.3 To create a new realm ____ 374
16.5 Configuring multi-tenancy support ____ 374
16.5.1 Configuring multi-tenancy support ____ 375
16.6 Overview steps to install and configure HA Load-Balancing environment with SSO ____ 378
16.7 Number of pages in space ____ 383
16.8 Installing and managing certificates in BMC Atrium SSO ____ 383
16.8.1 Installing certificates on a standalone server ____ 383
16.8.2 Installing certificates in HA load balancing environment ____ 383
16.8.3 Importing a certificate into keystore.p12 ____ 383
16.8.4 Importing a certificate into cacerts.p12 ____ 383
16.8.5 Finding intermediate CA ____ 383
16.8.6 Importing certificate chains and intermediate certificates ____ 383
16.9 Installing certificates after integration with other BMC products ____ 383
17 Index ____ 384
This space contains information about the BMC Atrium Single Sign-On 8.1 release.
1 Featured content
For information about Patch 1 for 8.1.00, see Patch 1 for version 8.1.00: 8.1.00.01 (see page 19).
For information about Patch 2 for 8.1.00, see Patch 2 for version 8.1.00: 8.1.00.02 (see page 18).
For information about Patch 3 for 8.1.00, see Patch 3 for version 8.1.00: 8.1.00.03 (see page 17).
With Patch 1 for 8.1.00, BMC Atrium Orchestrator Platform version 7.7.00 integrates with BMC Atrium Single Sign-On; see Integrating BMC Atrium Orchestrator Platform (see page 209) and the BMC Atrium Orchestrator Platform online documentation.
To understand the enhancements in this release, see Version 8.1.00.
To understand the key concepts associated with BMC Atrium Single Sign-On, see Key concepts (see page 20).
To review a high-level end-to-end procedure, see End-to-end BMC Atrium Single Sign-On process.
To review an end-to-end deployment example for BMC Remedy AR System and the mid tier using SAMLv2 authentication, see BMC Atrium Single Sign-On using SAMLv2 deployment example (see page 31).
To review an end-to-end deployment for BMC Remedy AR System and the mid tier using AR authentication, see Installing BMC Atrium Single Sign-On with the AR System server and Mid Tier (see page 79).
2 About BMC Atrium Single Sign-On
BMC Atrium Single Sign-On is an authentication system that supports many authentication protocols and provides single sign-on and single sign-off for users of BMC products. It lets users present their credentials once for authentication and then be authenticated automatically by every BMC product that is integrated into the system.
Using these authentication methods requires that you have previously installed the BMC Atrium Single Sign-On server and configured it against an authentication server such as LDAP, RSA SecurID, or others. Besides authenticating against traditional systems such as LDAP or Active Directory, BMC Atrium Single Sign-On also supports integration into existing single sign-on systems. BMC Atrium Single Sign-On is the central point of integration with the local enterprise authentication systems.
3 What's new
This section provides information about what is new or changed in this space, including resolved issues, documentation updates, maintenance releases, service packs, and patches. It also provides license entitlement information for the release.
Tip
To stay informed of changes to this space, place a watch on this page.
The following updates have been added since the release of the space:
Patch 3 for version 8.1.00 provides the following updates:
HTTP Only and HTTPS Only (see page 238): The Server Configuration Editor provides two new options, HTTP Only and HTTPS Only.
Login Failure Lockout
Valid Forwarding Domains
UserId Format (see page 227): The Kerberos Editor now lets you modify the UserId format.
Starting with this release, BMC Atrium Single Sign-On provides protection
against clickjacking by preventing its web pages from being embedded
within a frame on another site. Clickjacking is a technique in which an
attacker loads a trusted web page inside a hidden or transparent frame on
a page the attacker controls and tricks the user into clicking on it. The
click lands on the framed page, so the user, believing they are clicking
a known link, can unknowingly reveal confidential information or perform
actions on the attacker's behalf.
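As an added example (not part of the BMC documentation or product code), the following Python check reads a server's response headers and reports whether framing is blocked, which is how you would verify the protection after installing Patch 3. It assumes the protection is delivered through the X-Frame-Options header or a Content-Security-Policy frame-ancestors directive, the two mechanisms browsers honour; the page does not say which one the product uses, and the sample responses and host names below are constructed.

```python
"""Report whether an HTTP response forbids framing (clickjacking defence).

Added example, not BMC code. Assumes the server uses X-Frame-Options or a
CSP frame-ancestors directive; sample responses are constructed.
"""
from typing import Dict, List, Tuple


def framing_policy(headers: Dict[str, str]) -> Tuple[bool, str]:
    """Return (framing_blocked, reason) for a response header map.

    Header names are matched case-insensitively. A CSP frame-ancestors
    directive takes precedence over X-Frame-Options when both are present,
    which is what CSP Level 2 browsers do.
    """
    lower = {k.lower(): v for k, v in headers.items()}

    csp = lower.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.lower() for s in parts[1:]]
            if sources == ["'none'"] or sources == ["'self'"]:
                return True, f"CSP frame-ancestors {' '.join(sources)}"
            return False, f"CSP frame-ancestors allows {' '.join(sources)}"

    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True, f"X-Frame-Options {xfo}"
    if xfo.startswith("ALLOW-FROM"):
        # Obsolete and ignored by current browsers, so it offers no protection.
        return False, "X-Frame-Options ALLOW-FROM is ignored by current browsers"
    if xfo:
        return False, f"unrecognised X-Frame-Options value {xfo!r}"
    return False, "no framing restriction header"


def audit(responses: List[Tuple[str, Dict[str, str]]]) -> List[Tuple[str, bool, str]]:
    """Run framing_policy over (url, headers) pairs."""
    return [(url, *framing_policy(h)) for url, h in responses]


def fetch_headers(url: str) -> Dict[str, str]:
    """Fetch live response headers (not used by the offline sample run)."""
    import urllib.request
    with urllib.request.urlopen(url) as resp:
        return dict(resp.headers.items())


# Constructed sample responses; hostnames are placeholders, not real servers.
SAMPLE = [
    ("https://sso.example.com/atriumsso/UI/Login",
     {"Content-Type": "text/html", "X-Frame-Options": "DENY"}),
    ("https://sso.example.com/atriumsso/admin",
     {"Content-Type": "text/html",
      "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"}),
    ("https://legacy.example.com/login",
     {"Content-Type": "text/html"}),
]

if __name__ == "__main__":
    for url, blocked, why in audit(SAMPLE):
        print(f"{'OK  ' if blocked else 'FAIL'} {url}: {why}")
```

Point `fetch_headers` at the login URL of your own server and pass the result to `framing_policy`; a `False` result on a patched server means a proxy or load balancer in front of it is stripping the header.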
Patch 2 for version 8.1.00 adds Configuring BMC Atrium SSO in FIPS-140
Mode (see page 251).
Patch 1 for version 8.1.00 (see page 19) provides fixes related to BMC
Atrium Single Sign-On integration with BMC Atrium Orchestrator 7.7 and
other BMC products.
Version 8.1.00 provides the following enhancements:
Redesigned user interface
Predefined authentication module
New utility to simplify BMC Atrium Single Sign-On and AR System
integration
BMC Atrium Orchestrator Platform integration
BMC Atrium Single Sign-On 8.1, page 14 of 389
To obtain a full space export of the BMC Atrium Single Sign-On
documentation, see PDFs (see page 352).
Three new videos from the February 14, 2013 BMC Software Webinars 2013 –
Atrium Single Sign-On (Atrium SSO) session are now available in the online
documentation:
Installing BMC Atrium Single Sign-On with the AR System server and Mid
Tier (see page 79) provides a high-level overview as well as important
tips.
Using SAMLv2 for authentication describes how to configure SAMLv2.
Using Kerberos for authentication (see page 132) describes how to
configure BMC Atrium SSO to leverage Kerberos.
3.1 Version 8.1.00
BMC Atrium Single Sign-On 8.1 includes the following enhancements.
Redesigned user interface (see page 15)
Predefined authentication module (see page 15)
New utility to simplify BMC Atrium Single Sign-On and AR System
integration (see page 15)
BMC Atrium Orchestrator Platform integration (see page 16)
Click jacking prevention (see page 16)
Tip
For information about issues corrected in this release, see Known and
corrected issues.
Version 8.1.00 was released shortly after version 8.0.00, a major
release that contained significantly more
enhancements. If you are considering an upgrade from a version prior to
8.0.00, you might be interested in seeing the enhancements listed in the
documentation for version 8.0.00.
3.1.1 Redesigned user interface
BMC Atrium Single Sign-On 8.1 has a completely redesigned user interface.
This redesign affects the majority of the BMC Atrium Single Sign-On
documentation.
The following image shows the BMC Atrium SSO Admin Console:
3.1.2 Predefined authentication module
To help with the configuration of BMC Atrium Single Sign-On, a
predefined Internal LDAP authentication module
is provided. This predefined authentication module allows you to
quickly configure your system. The Internal
LDAP authentication module uses the internal LDAP server as an
authentication source in the authentication
chain and does not have parameters to configure.
For more information about the Internal LDAP module, see Configuring
after installation.
3.1.3 New utility to simplify BMC Atrium Single Sign-On and AR System integration
The BMC Remedy AR System 8.1 introduces a new utility that greatly
simplifies the integration between BMC
Atrium Single Sign-On and the AR System server and Mid Tier.
The Single Sign-On integration is now removed from the AR System
installer. As a result, you no longer have to follow the error-prone
steps that were needed if you chose to integrate BMC Atrium Single
Sign-On after you installed the AR System server and Mid Tier.
You use the one utility to integrate both the AR System server and the
Mid Tier, but with slightly different inputs.
For more information, see Installing BMC Atrium Single Sign-On with the
AR System server and Mid Tier (see page 79).
3.1.4 BMC Atrium Orchestrator Platform integration
With this release, BMC Atrium Orchestrator Platform 7.7 uses the BMC
Atrium Single Sign-On 8.1.00 (Patch 1 or later) authentication system to
provide single sign-on and single sign-off. For more information about
BMC Atrium Orchestrator Platform 7.7, see the BMC Atrium Orchestrator
Platform 7.7 online documentation. For more information about integrating
BMC Atrium Orchestrator Platform 7.7 with BMC Atrium Single Sign-On, see
Integrating BMC Atrium Orchestrator Platform (see page 209).
3.1.5 Click jacking prevention
Click jacking prevention is added with Patch 3 for version 8.1.00:
8.1.00.03 (see page 17).
3.2 License entitlements
This topic explains the entitlements that apply to licenses you purchase
from BMC Software. For information about restrictions to those licenses,
please see your Product Order Form.
Note
You can download the components mentioned herein from the Electronic
Product Distribution website. Use the same user name and password that
you use to access the Customer Support website.
If you do not have a current license for the components you want,
contact a BMC sales representative by calling
800 793 4262. If you cannot download the components, contact a
sales representative and ask for a physical kit
to be shipped to you.
BMC Atrium Single Sign-On is certified on the configurations
explicitly stated in this document. Configurations
not listed might still operate properly and so customers can choose
to run in a configuration not listed as
supported. Such configurations would be considered "unconfirmed".
BMC will accept issues reported in
unconfirmed configurations but we reserve the right to request
customer assistance in problem determination,
including recreating the problem on a supported
configuration.
Reported defects either found to be unique to an unconfirmed
configuration or not reproducible within a
supported environment will be addressed at the discretion of BMC.
Defects requiring time and resources beyond
commercially reasonable effort might not be addressed. If a
configuration is found to be incompatible with BMC
Atrium Single Sign-On, support for that configuration will be
specifically documented as not supported (or
unsupported). Visit the Customization Policy under the Support
Contacts & Policies link on the BMC support
website.
3.3 Service packs and patches
This section contains information about service packs and patches for
BMC Atrium Single Sign-On.
Patch 3 for version 8.1.00: 8.1.00.03 (see page 17)
Patch 2 for version 8.1.00: 8.1.00.02 (see page 18)
Patch 1 for version 8.1.00: 8.1.00.01 (see page 19)
3.3.1 Patch 3 for version 8.1.00: 8.1.00.03
This topic contains information about fixes in BMC Atrium Single
Sign-On 8.1.00 Patch 3 (8.1.00.03) and provides
instructions for downloading and installing the patch. It is
organized as follows:
Corrected issues (see page 17)
Installing the patch (see page 17)
Note
BMC Atrium Orchestrator Platform 7.7 must use BMC Atrium Single
Sign-On 8.1.00 Patch 1 or later.
Corrected issues
To learn about issues corrected in Patch 3 (8.1.00.03), see Known and
corrected issues. Click the Corrected in column heading to sort the table
by version.
Patch 3 also includes the fixes from Patch 2 and Patch 1 for
version 8.1.00.
Installing the patch
Patch 3 for BMC Atrium Single Sign-On 8.1.00 (8.1.00.03) is a full
installation. You can download the 8.1.00.03 installation files from the
Licensed Products tab on the BMC Electronic Product Distribution (EPD)
site and perform your normal installation. For instructions about
downloading the files that you need for installation, see Downloading
the installation files (see page 44).
Recommendation
Backup BMC Atrium Single Sign-On before proceeding with the patch
installation.
To install BMC Atrium Single Sign-On 8.1.00 Patch 3, see Installing (see
page 40).
To perform a silent installation, see Installing silently (see page 112).
To upgrade to BMC Atrium Single Sign-On 8.1.00 Patch 3 from an earlier
version (8.1.00, 8.1.00.01, or 8.1.00.02), see Upgrading.
3.3.2 Patch 2 for version 8.1.00: 8.1.00.02
This topic contains information about fixes in BMC Atrium Single
Sign-On 8.1.00 Patch 2 (8.1.00.02), and provides
instructions for downloading and installing the patch. It is
organized as follows:
Note
BMC Atrium Single Sign-On 8.1.00 Patch 2 (8.1.00.02) has been
replaced with Patch 3 (8.1.00.03) and
can no longer be downloaded from the BMC Electronic Product
Distribution (EPD) site. Patch 3 is a full
installation and includes the fixes that were available in Patch 1
(8.1.00.01) and Patch 2 (8.1.00.02). For
information about downloading and installing BMC Atrium Single Sign-On
8.1.00 Patch 3, see Patch 3 for version 8.1.00: 8.1.00.03 (see page 17).
Corrected issues (see page 18)
Installing the patch (see page 18)
Note
BMC Atrium Orchestrator Platform 7.7 must use BMC Atrium Single
Sign-On 8.1.00 Patch 1 or later.
Corrected issues
To learn about the issues corrected in Patch 2 (8.1.00.02), see Known and
corrected issues. Click the Corrected in column heading to sort the table
by version.
Installing the patch
The Patch 2 fixes are included in the BMC Atrium Single Sign-On Patch 3
installation. You can download the 8.1.00.03 installation files from the
Licensed Products tab on the BMC Electronic Product Distribution (EPD)
site and perform your normal installation. For instructions about
downloading the files that you need for installation, see Downloading
the installation files (see page 44).
Recommendation
Back up BMC Atrium Single Sign-On before proceeding with the patch
installation.
To install BMC Atrium Single Sign-On 8.1, see Installing (see page 40).
To perform a silent installation, see Installing silently (see page 112).
To upgrade to BMC Atrium Single Sign-On 8.1.00 Patch 2 from an earlier
version (8.1.00 or 8.1.00.01), see Upgrading.
3.3.3 Patch 1 for version 8.1.00: 8.1.00.01
This topic contains information about fixes in BMC Atrium Single
Sign-On 8.1.00 Patch 1 (8.1.00.01), and provides
instructions for downloading and installing the patch.
Note
BMC Atrium Single Sign-On 8.1.00 Patch 1 (8.1.00.01) has been
replaced with Patch 3 (8.1.00.03) and can
no longer be downloaded from the BMC Electronic Product
Distribution (EPD) site. Patch 3 is a full
installation and includes the fixes that were available in Patch 1
(8.1.00.01). For information about
downloading and installing BMC Atrium Single Sign-On 8.1.00 Patch 3, see
Patch 3 for version 8.1.00: 8.1.00.03 (see page 17).
Installing the patch (see page 19)
Note
BMC Atrium Orchestrator Platform 7.7 must use BMC Atrium Single
Sign-On 8.1 Patch 1 or later.
Corrected issues
To learn about the issues corrected in Patch 1 (8.1.00.01), see Known and
corrected issues. Click the Corrected in column heading to sort the table
by version.
Installing the patch
The Patch 1 fixes are included in the BMC Atrium Single Sign-On Patch 3
installation. You can download the 8.1.00.03 installation files from the
Licensed Products tab on the BMC Electronic Product Distribution (EPD)
site and perform your normal installation. For instructions about
downloading the files that you need for installation, see Downloading
the installation files (see page 44).
Recommendation
Back up BMC Atrium Single Sign-On before proceeding with the patch
installation.
To install BMC Atrium Single Sign-On 8.1, see Installing (see page 40).
To perform a silent installation, see Installing silently (see page 112).
3.4 Documentation updates after release
This topic contains information about documentation updates for BMC
Atrium Single Sign-On that are not related to urgent issues, maintenance
releases, service packs, or patches. These updates are added to the
documentation independent of any specific release.
Added BMC Mobility integration documentation (see page 20)
Added BMC EUEM integration documentation (see page 20)
3.4.1 Added BMC Mobility integration documentation
You can integrate BMC Atrium Single Sign-On with BMC Mobility to support
Security Assertion Markup Language (SAML). The typical process for
integrating BMC Atrium Single Sign-On with BMC Remedy IT Service
Management (ITSM) is to install BMC Atrium Single Sign-On, install BMC
Remedy ITSM, and then integrate Atrium SSO with ITSM. For more
information, see Integrating BMC Mobility for ITSM 8.1.00 (see page 212).
3.4.2 Added BMC EUEM integration documentation
BMC Real End User Experience Monitoring (EUEM) uses the BMC Atrium
Single Sign-On (SSO) authentication
system to provide single sign-on and single sign-off. BMC Atrium Single
Sign-On allows users to present credentials only once for authentication
and subsequently be automatically authenticated by every BMC product that
is integrated into the system. For more information, see Integrating BMC
Real End User Experience Monitoring (see page 212).
4 Key concepts
For additional information, you can also refer to the following webinar
conducted by BMC Support.
You can also connect with other users for related discussions on the BMC
Community.
Use this section to get high-level conceptual knowledge that helps
you to use the BMC Atrium Single Sign-On
product.
The following topics provide key conceptual information about BMC
Atrium Single Sign-On:
BMC Atrium Single Sign-On architecture
BMC Atrium Single Sign-On and OpenAM (see page 22)
Administrator password
Certificates
High Availability deployment
JEE filter-based agents
4.1 BMC Atrium Single Sign-On architecture
The benefit to BMC products that have BMC Atrium Single Sign-On as an
authentication option is that all of the authentication protocols
supported by BMC Atrium Single Sign-On are available to the product, and
any new protocols added later are available without any product changes.
The BMC Atrium Single Sign-On server and agents provide the needed
integration into these systems, so a product does not need any
adjustments.
The following diagram shows a high level implementation of BMC
Atrium Single Sign-On integration with BMC
Dashboards for BSM, BMC Analytics for BSM, and BMC Remedy IT
Service Management.
BMC Atrium Single Sign-On integration with BMC products
4.2 BMC Atrium Single Sign-On and OpenAM
BMC Atrium Single Sign-On is built on the open source project OpenAM.
This project has a long history of providing authentication and
authorization across many different platforms by using many
authentication techniques. BMC Atrium Single Sign-On provides a
simplified, turnkey system that applies OpenAM technology to BMC
products. Configuration of the servers and agents is automated as much as
possible, allowing for easy adoption.
Atrium Single Sign-On user console access (see page 23)
4.2.1 OpenAM technologies
BMC Atrium Single Sign-On uses a subset of the technologies within
the OpenAM project that are required by
BMC products. The OpenAM technologies currently certified for use with
BMC Atrium Single Sign-On include:
Authentication schemes - Internal, LDAP, BMC Remedy Action Request
(AR) System, Active Directory, RSA
SecurID, Common Access Cards (CAC), ActivIdentity-based, Kerberos,
and SAMLv2
Authentication chaining
Groups
Important
BMC Atrium Single Sign-On is certified on the configurations
explicitly stated in this document.
Reported defects either found to be unique to an unconfirmed
configuration or not reproducible within
a supported environment are addressed at the discretion of BMC.
Visit the Customization Policy under
the Support Contacts & Policies link on the BMC support
website.
4.2.2 Atrium Single Sign-On user console access
The user console access is through the following URL:
https://<atssohost>:<port>/atriumsso/UI/Login?realm=BmcRealm
This URL can be used to verify the authentication module
configuration. You do not need to rely on an installed
and configured BMC application to initiate login in order to test
configuration of authentication modules.
4.3 Administrator password
The administrator password is used to access BMC Atrium Single Sign-On
through a browser. This access allows user accounts to be created and
enables other authentication algorithms. The administrator password is
also used when integrating application servers that have deployed the BMC
Atrium Single Sign-On Web agent with BMC Atrium Single Sign-On.
4.4 Default cookie domain
The default cookie domain value is the network domain of the computer you
are installing the server on. The default cookie domain specifies the most
restrictive access. This value is used to control cookie visibility
between servers within the domain.
By removing domain elements (lowest sub-domain first), the cookie becomes
visible to servers outside of the BMC Atrium Single Sign-On domain. For
example, changing the domain from dprod.bmc.com to bmc.com gives all of
the servers within the bmc.com domain access to the cookies stored by the
server in a user's browser. The danger of increasing the cookie visibility
is illustrated when the value is changed to .com, which would give every
server in the .com domain on the internet access to the cookie.
Note
You cannot use sibling domains or cross-domains with BMC Atrium Single
Sign-On. For example, installing the BMC Atrium Single Sign-On server and
the AR System server in different domains, such as remedy.com and
bmc.com, is not supported. You must move all your computers into the same
domain.
4.5 Log on and log off behavior
When using a single sign-on system, the normal authentication behavior is
altered. The logon that you would normally perform when you start a
product is performed automatically when the second product is started.
This change happens without any user involvement.
When you log off, you are logged off of all BMC Atrium Single
Sign-On integrated products.
If you want to continue working with other BMC products:
Quit the product instead of logging out of BMC Atrium Single
Sign-On.
If the product supports application-only log off, log off the
application and close the browser.
Important
When quitting a product, the normal behavior is to log off and then quit.
This process results in termination of all the product connections. If you
want to continue working with other BMC products, quit the product that
you are finished with, and only log off from the last product.
With web applications, the BMC Atrium Single Sign-On authentication
status is maintained through sessions
within the web browsers. When web applications share the same
browser session, the authentication state with
BMC Atrium Single Sign-On is shared by these applications.
To use a different login ID without logging off BMC Atrium Single
Sign-On, you must start a new session in the
web browser. The following table summarizes how to share current
sessions and how to create new sessions
with the browsers supported by BMC Atrium Single Sign-On.
Session behavior in supported browsers
Firefox 4
  Share session: new tab, Ctrl-N for a new window, or launch from the
  Start menu or a shortcut
  New session: use Private Browsing
Internet Explorer 7
  Share session: new tab, or Ctrl-N to create a new window
  New session: launch a new browser using the Start menu or a shortcut
Internet Explorer 8
  Share session: new tab, Ctrl-N to create a new window, or launch a new
  browser from the Start menu or a shortcut
Internet Explorer 9
  Share session: new tab, Ctrl-N to create a new window, or launch a new
  browser from the Start menu or a shortcut
When BMC products launch a new application, the applications use
the process needed to ensure a shared
session and a seamless experience.
4.6 Certificates
The default Tomcat server used by BMC Atrium Single Sign-On uses a
keystore and a truststore for secure (HTTPS/TLS/SSL) communications. These
communications occur in the following situations:
When the admin console is accessed
When users log in to or log out of the system
When an external LDAP server is accessed with TLS/SSL
When SAMLv2 metadata is exchanged
When certificates are used for user authentication (CAC)
The keystore contains the information used to identify the BMC
Atrium Single Sign-On server to remote servers
and users. The truststore is used to hold the certificates of
remote servers, users and signing authorities that are
to be trusted by the BMC Atrium Single Sign-On server.
These files are stored in the following directory:
<installationDirectory>/BMC
Software/AtriumSSO/tomcat/conf
The initial keystore created during the installation uses a self-signed
certificate. Because no trusted Certificate Authority vouches for it,
browsers and other programs warn users about the certificate each time
the user authenticates. This certificate warning can be prevented by doing
one of the following:
Permanently importing the self-signed certificate into the user's
truststore.
Obtaining and importing a signed identity certificate from a trusted
Certificate Authority (CA).
The CA vouches for the authenticity of the server's identity when
the user visits BMC Atrium Single Sign-On for
authentication. In this case, the user has an established trust
relationship with the CA, and this relationship is
extended to BMC Atrium Single Sign-On after a digitally signed
identity certificate is imported.
4.6.1 Certificate Signing Request
A CA-signed certificate is obtained by generating a Certificate Signing
Request (CSR):
The output from the command must be sent to the CA for a digital
signature. After the signed identity certificate is returned, the next
step is to import the signed identity certificate into the keystore,
where it replaces the current self-signed certificate.
The keytool utility is used to generate the CSR, to import the signed
certificate, and so to replace the self-signed certificate. This tool is
available with Oracle JDKs and BMC Atrium Single Sign-On.
Note
When importing the newly signed certificate, you must first import the CA
root certificate and, if required, the intermediate certificates.
4.6.2 New CA certificates
A new CA certificate must be imported into the truststore in the
following cases:
CAC authentication is used and the Department of Defense (DoD) issues new
CA certificates
The CA certificates used to create a signed certificate for the BMC
Atrium Single Sign-On server are not already within the truststore
The keytool utility is used to import a new CA certificate into the BMC
Atrium Single Sign-On truststore.
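The following Python script is an added example, not BMC's own tooling, that drives keytool through the whole sequence in sections 4.6.1 and 4.6.2: generate the key pair and CSR, import the CA root (and any intermediates) as trusted entries, then import the signed reply so that it replaces the self-signed certificate, and finally read the chain back. It assumes a keystore file name, the alias tomcat and the password changeit; the real values are set by the BMC installer under <installationDirectory>/BMC Software/AtriumSSO/tomcat/conf. So that the flow can be run offline it stands up a throw-away OpenSSL CA; with an enterprise CA you send the CSR out and import the certificates it returns in the same order.

```python
"""CSR, CA import, signed-reply import with keytool, in the required order.

Added example, not BMC code. Keystore name, alias and password are assumed;
the OpenSSL CA is a throw-away stand-in for your real CA.
"""
import os
import shutil
import subprocess
import tempfile
from typing import List, Optional


def tools_available() -> bool:
    return shutil.which("keytool") is not None and shutil.which("openssl") is not None


def run(cmd: List[str]) -> str:
    """Run a command, fail loudly on a non-zero exit, return stdout."""
    return subprocess.run(cmd, input="", capture_output=True, text=True, check=True).stdout


def generate_csr(keystore: str, alias: str, storepass: str, cn: str, csr_path: str) -> None:
    """Create the server key pair and write the CSR that goes to the CA."""
    run(["keytool", "-genkeypair", "-alias", alias, "-keyalg", "RSA", "-keysize", "2048",
         "-dname", f"CN={cn}", "-validity", "365", "-keystore", keystore,
         "-storepass", storepass, "-keypass", storepass])
    run(["keytool", "-certreq", "-alias", alias, "-file", csr_path,
         "-keystore", keystore, "-storepass", storepass])


def import_signed_chain(keystore: str, alias: str, storepass: str,
                        ca_certs: List[str], signed_cert: str) -> None:
    """Import root and intermediates first (trusted entries), then the reply.
    keytool rejects the reply unless its issuer chain is already present."""
    for i, ca in enumerate(ca_certs):
        run(["keytool", "-importcert", "-noprompt", "-alias", f"ca{i}", "-file", ca,
             "-keystore", keystore, "-storepass", storepass])
    run(["keytool", "-importcert", "-noprompt", "-alias", alias, "-file", signed_cert,
         "-keystore", keystore, "-storepass", storepass])


def chain_length(keystore: str, alias: str, storepass: str) -> int:
    """Read back 'Certificate chain length: N' for the server alias."""
    out = run(["keytool", "-list", "-v", "-alias", alias,
               "-keystore", keystore, "-storepass", storepass])
    for line in out.splitlines():
        if line.strip().startswith("Certificate chain length:"):
            return int(line.split(":")[1])
    return 0


def demo(workdir: str) -> int:
    """Full flow with a local OpenSSL CA standing in for the real one.
    Returns the resulting chain length (2 = server certificate + root)."""
    ks, pw, alias = os.path.join(workdir, "tomcat.keystore"), "changeit", "tomcat"
    csr, ca_key, ca_crt, signed = (os.path.join(workdir, n)
                                   for n in ("sso.csr", "ca.key", "ca.pem", "sso.pem"))
    generate_csr(ks, alias, pw, "sso.example.com", csr)
    # Throw-away CA (assumption: in practice the CSR goes to your enterprise CA).
    run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-keyout", ca_key,
         "-out", ca_crt, "-days", "30", "-subj", "/CN=Example Test CA"])
    run(["openssl", "x509", "-req", "-in", csr, "-CA", ca_crt, "-CAkey", ca_key,
         "-CAcreateserial", "-out", signed, "-days", "30"])
    import_signed_chain(ks, alias, pw, [ca_crt], signed)
    return chain_length(ks, alias, pw)


def run_demo() -> Optional[int]:
    """Run the flow in a temporary directory; None when the tools are missing."""
    if not tools_available():
        return None
    with tempfile.TemporaryDirectory() as d:
        return demo(d)


if __name__ == "__main__":
    result = run_demo()
    print("keytool/openssl not found" if result is None else f"chain length: {result}")
```

The order in `import_signed_chain` is the point of the note above: keytool validates a certificate reply against the trusted entries already in the keystore, so importing the reply before the root fails, and a chain length of 1 after import means the issuer was never trusted.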
4.6.3 Related topics
Generating self-signed certificates (see page 249)
4.7 Authentication chaining
An authentication chain is the object used by BMC Atrium Single Sign-On
for specifying how authentication is to be performed. A chain can be a
single authentication module or a combination of multiple authentication
modules. Chaining allows different modules to act as a single authority.
At its simplest form, an authentication chain consists of only a
single authentication module. A chain can also be a
complex combination of multiple authentication modules joined to
validate the credentials that are used to
authenticate a user. Through chaining, different modules can be
merged to appear as a single authority.
For example, if two organizations merge to form a new, single
organization, then the authentication system from
each organization could be used as a module within a single
chain.
The effect of combining these modules into this single chain is
that the users only provide credentials to a
single authority.
This chaining creates the perception of a merged authority despite
the reality of multiple, disparate
systems that are actually employed.
Authentication chains allow the combination of authentication
modules to process authentication requests. One
of the best uses for combining modules is to merge different
authentication schemes to appear as a single
authentication scheme.
For example, when two departments have their own LDAP servers,
these two servers could be put into a single
chain and users would appear to validate against a single
authority.
The processing of the chain to determine the overall status of
authentication is controlled by the criteria specified
for each of modules in the chain. The following figure illustrates
authentication chaining where authentication
modules are tried in an ordered sequence.
4.7.1 Authentication chaining example
The overall status is successful if all of the Required and
Requisite modules pass before either the end of the chain
or the first successful Sufficient module. When there are no
Required or Requisite modules, then at least one
Sufficient or Optional module must authenticate the user. See Managing
authentication modules (see page 271).
In the chaining process for the above example illustration, with three
LDAP servers combined into a single authority, the sequence would be:
1. Check with LDAP A
   Pass: Stop processing and accept user
   Fail: Proceed to next
2. Check with LDAP B
   Pass: Stop processing and accept user
   Fail: Proceed to next
3. Check with LDAP C
   Pass: Stop processing and accept user
   Fail: Stop processing and reject user
With this configuration, the first LDAP server is presented the user
credentials for authentication. If the authentication succeeds, then
processing stops with the user being authenticated. If the user is not
found in the first LDAP server, the remaining servers are tried in the
sequence specified until either the user passes and is considered
successfully authenticated, or the user fails to authenticate and is
rejected.
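The evaluator below is an added example, not BMC or OpenAM code. It implements the chain rules stated in sections 4.7 and 4.7.1 (the JAAS login-module semantics that OpenAM uses: Required, Requisite, Sufficient, Optional) and runs the three-LDAP example above, with in-memory user tables standing in for the LDAP servers and all user names and passwords constructed.

```python
"""Evaluate an authentication chain under Required/Requisite/Sufficient/Optional.

Added example, not BMC or OpenAM code. Modules are in-memory stand-ins for
LDAP servers; users and passwords are constructed.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Flag(Enum):
    REQUIRED = "required"      # must pass; a failure is final, but the chain keeps running
    REQUISITE = "requisite"    # must pass; a failure stops the chain at once
    SUFFICIENT = "sufficient"  # a pass ends the chain with success, unless a required module already failed
    OPTIONAL = "optional"      # counts only when the chain has no required/requisite modules


Authenticator = Callable[[str, str], bool]


@dataclass
class Module:
    name: str
    flag: Flag
    authenticate: Authenticator


@dataclass
class Outcome:
    success: bool
    trace: List[Tuple[str, str]] = field(default_factory=list)  # (module, pass/fail/skipped)


def run_chain(chain: List[Module], user: str, password: str) -> Outcome:
    """Overall status is success if every Required and Requisite module passed
    before the end of the chain or the first passing Sufficient module; with
    no Required/Requisite modules, at least one Sufficient or Optional must pass."""
    outcome = Outcome(success=False)
    required_failed = False
    any_required = any(m.flag in (Flag.REQUIRED, Flag.REQUISITE) for m in chain)
    any_optional_passed = False

    for idx, m in enumerate(chain):
        ok = m.authenticate(user, password)
        outcome.trace.append((m.name, "pass" if ok else "fail"))

        if m.flag is Flag.REQUISITE and not ok:
            required_failed = True
            outcome.trace.extend((n.name, "skipped") for n in chain[idx + 1:])
            break                                   # stop immediately
        if m.flag is Flag.REQUIRED and not ok:
            required_failed = True                  # keep going, result is already fixed
        if m.flag is Flag.SUFFICIENT and ok and not required_failed:
            outcome.trace.extend((n.name, "skipped") for n in chain[idx + 1:])
            outcome.success = True
            return outcome                          # short-circuit success
        if m.flag in (Flag.SUFFICIENT, Flag.OPTIONAL) and ok:
            any_optional_passed = True

    outcome.success = (not required_failed) if any_required else any_optional_passed
    return outcome


def directory(users: Dict[str, str]) -> Authenticator:
    """Stand-in for an LDAP bind: succeed when the user exists with that password."""
    return lambda u, p: users.get(u) == p


# Constructed data for the page's example: A and B are tried first and may
# each end the chain (Sufficient); C is the final authority (Required).
LDAP_A = directory({"alice": "a-secret"})
LDAP_B = directory({"bob": "b-secret"})
LDAP_C = directory({"carol": "c-secret"})

MERGED_CHAIN = [
    Module("LDAP A", Flag.SUFFICIENT, LDAP_A),
    Module("LDAP B", Flag.SUFFICIENT, LDAP_B),
    Module("LDAP C", Flag.REQUIRED, LDAP_C),
]

if __name__ == "__main__":
    for user, pw in (("alice", "a-secret"), ("bob", "wrong"),
                     ("carol", "c-secret"), ("dave", "x")):
        r = run_chain(MERGED_CHAIN, user, pw)
        print(f"{user:6} {'ACCEPT' if r.success else 'REJECT'} {r.trace}")
```

The trace shows why the flag on the last module matters: with LDAP C marked Required, a user unknown to all three servers is rejected only after every server has been asked, whereas marking it Requisite would change nothing here but would stop the chain early if a module were placed after it.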
4.8 High Availability deployment
The following figure shows a typical deployment scenario of BMC Atrium
Single Sign-On operating in a High Availability (HA) environment. Two BMC
Atrium Single Sign-On servers are installed to form a cluster. A load
balancer is used as a front end to the cluster, giving the external
applications the appearance of a single server.
The load balancer distributes requests among BMC Atrium Single
Sign-On servers. In the event of a system failure,
the load balancer re-directs requests to the remaining
servers.
When operating as a cluster, BMC Atrium Single Sign-On functions as a
single virtual server. Therefore,
certain configuration information is shared between nodes. For
example, when one node is configured, the other
nodes have the same information.
The following information is global to all nodes in the cluster:
Administrative accounts
HTTPS ports. These ports are specified during installation.
Typical HA deployment
The following figure shows the communication between the nodes and the
load balancer.
Communication between BMC Atrium Single Sign-On nodes and a load
balancer
4.9 JEE filter-based agents
With this release of BMC Atrium Single Sign-On, a light-weight agent is
available for use by BMC applications. This section describes how
configuration items apply to this newer agent.
In addition to functioning as the central server, BMC Atrium Single
Sign-On uses agents which are integrated into
each of the BMC products. These agents perform the following
functions:
Accessing authentication services
Validating existing authentications
For more information about agent configuration parameters, see Agent
manager.
5 Planning
The following topics provide information and instructions for planning a
BMC Atrium Single Sign-On installation.
Note
All products that run in BMC Remedy AR System support BMC Atrium
Single Sign-On including AR
System Mid-tier products (BMC Remedy ITSM, BMC Atrium Core, BMC
Atrium CMDB, and so on), BMC
Atrium Dashboard and Analytics, BMC IT Business Management Suite,
BMC ProActive Performance
Management (version 9.0), and BMC Capacity Optimization.
Checking the compatibility matrix for system requirements and
supported configurations
End-to-end BMC Atrium Single Sign-On process
BMC Atrium Single Sign-On using SAMLv2 deployment example (see page
31)
5.1 Checking the compatibility matrix for system requirements and supported configurations
Consult the BMC Remedy and BMC Atrium product compatibility information
for the 8.0 system configuration information.
1. Navigate to http://www.bmc.com/support/product-availability-compatibility.
2. In the Product Name field, enter the product name, for example:
   BMC Atrium CMDB Enterprise Manager
   BMC Atrium CMDB Suite
3. In the Select Component field, enter BMC Atrium Single Sign-On.
4. Review the compatibility information listed in the tabs at the bottom
   of the page.
Note
To access the product compatibility information on the Customer
Support website, you must have a
Support login.
5.2 End-to-end BMC Atrium Single Sign-On procedure
This topic provides a high-level process of what you need to do to set up
and configure BMC Atrium Single Sign-On with BMC products.
1. Review the information that you need to understand prior to
   installing, such as the What's new (see page 12), Key concepts (see
   page 20), Planning (see page 29), and Preparing for installation
   topics.
2. Install BMC Atrium Single Sign-On. See Installing (see page 40) for
   the different installation options, such as High Availability (HA).
3. Install other BMC products for integrating with BMC Atrium Single
   Sign-On.
   For information about integrating and configuring BMC Remedy AR System
   version 8.1, see Installing BMC Atrium Single Sign-On with the AR
   System server and Mid Tier (see page 79).
   For information about integrating and configuring BMC Remedy AR System
   version 8.0, see Integrating BMC Atrium Single Sign-On with AR System
   Version 8.0.00.
   For information about other BMC product integration, such as BMC
   Dashboards and Analytics for BSM, see Integrating.
4. Configure your method of authentication. See Configuring after
   installation. The following are the authentication module sections:
   Using CAC for authentication
   Using RSA SecurID for authentication
5. If you implement multiple authentication methods, see Managing
   authentication modules (see page 271).
6. Create and manage users and user groups. See Managing users (see page
   264) and Managing user groups (see page 268).
5.3 BMC Atrium Single Sign-On using SAMLv2 deployment example
This topic provides an example of how BMC Atrium Single Sign-On using
Security Assertion Markup Language 2.0 (SAMLv2) can be deployed.
Business value (see page 32)
Federated authentication and SAML (see page 32)
Deployment architecture (see page 33)
Deployment model (see page 35)
Deployment tasks (see page 37)
Deployment parameters (see page 38)
Related topics (see page 40)
5.3.1 Business value
This deployment example shows you how BMC Atrium Single Sign-On
uses SAMLv2 authentication. Single
sign-on means that you only need to present credentials once for
authentication, and you are subsequently
automatically authenticated by every BMC product that is integrated
into the system. This means that if you are
looking at a report that has links to incident or change records,
you can click on the link and go directly to the
records without logging in again.
An additional important value is that with federated authentication
the user logon credentials (for example, user
name and password) are not exposed to the Service Provider (SP) and
are not sent over the internet. The
authentication is done on premise by the Identity Provider
(IdP).
5.3.2 Federated authentication and SAML
SAMLv2 is an XML-based OASIS standard for exchanging user identity and
security attribute information. It uses security tokens containing
assertions to pass information about a principal (usually an end user)
between an Identity Provider (IdP) and a web service.
SAMLv2 enables federated authentication between your environment
and the BMC Remedy applications. When
using SAMLv2, the BMC Remedy infrastructure is defined as a Service
Provider (SP), and your infrastructure that
performs the user authentication is the IdP. With SAMLv2 enabled, a
user that tries to access BMC Remedy
applications without having previously authenticated is redirected
to your IdP. After authentication, the user is
redirected back to the originally requested resource (BMC Remedy
application).
Note
Although SAMLv2 supports both IdP-initiated single sign-on and
SP-initiated single sign-on, SP-initiated
single sign-on is essential to allow specific use cases for deep
linking to specific pages and resources in
the applications (for example, a notification URL that contains a
link to a specific BMC Remedy ITSM
form and record).
Configuring the SAMLv2 integration is largely a matter of exchanging SAMLv2 metadata between your environment and the BMC Remedy environment. You provide IdP metadata, which defines the URLs that you use for SAMLv2 and the certificate used to validate the signatures on assertions. The BMC Remedy infrastructure provides SP metadata so that you can preregister the BMC Remedy SP in your SAMLv2 infrastructure as required.
For more information about SAMLv2, see Using SAMLv2 for authentication.
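The SP-initiated exchange and the metadata handoff described above, as an added example that is not part of the original page and is not BMC's product code: a Python script (standard library only) that reads the IdP metadata the SP is given, builds the HTTP-Redirect AuthnRequest that sends an unauthenticated browser to the IdP with the originally requested deep link carried in RelayState, and then applies the checks an SP must make on the returned Response before trusting the assertion (Success status, InResponseTo, Issuer, validity window, AudienceRestriction, bearer SubjectConfirmationData, and presence of a signature). The IdP entityID and URLs, the SP entityID and assertion consumer URL, the metadata document and the sample Response are all constructed for this example. The X.509 signature is only checked for presence: cryptographic XML-DSig verification against the metadata certificate needs an XML security library (xmlsec / python3-saml), and that is the step a production SP must never skip.

```python
# Added example, not BMC's code: the Service Provider side of SP-initiated SAMLv2 SSO,
# standard library only. All entity IDs, URLs, the IdP metadata and the IdP response are constructed.
import base64
import datetime as dt
import uuid
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SP_ENTITY_ID = "https://ssoserver.bmc.com:8443/atriumsso"  # SP entityID (hypothetical)
SP_ACS_URL = SP_ENTITY_ID + "/SPSSO"                        # assertion consumer URL (hypothetical)
# Constructed stand-in for the remote IdP metadata file (the page's sso-idp.xml).
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="https://idp.example.com/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="{NS['samlp']}">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIB...placeholder...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://idp.example.com/sso/redirect"/>
  </md:IDPSSODescriptor></md:EntityDescriptor>"""

def saml_time(s):
    """Parse a SAML UTC timestamp such as 2014-05-01T12:00:00Z."""
    return dt.datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)

def parse_idp_metadata(xml_text):
    """What the SP needs from IdP metadata: entityID, redirect SSO URL, signing certificate."""
    root = ET.fromstring(xml_text)  # in production parse with defusedxml to resist entity attacks
    sso = next(e for e in root.iterfind(".//md:SingleSignOnService", NS) if e.get("Binding") == REDIRECT)
    key = next(k for k in root.iterfind(".//md:KeyDescriptor", NS) if k.get("use") in (None, "signing"))
    cert = key.find(".//ds:X509Certificate", NS).text.strip()
    return {"entity_id": root.get("entityID"), "sso_url": sso.get("Location"), "signing_cert": cert}

def build_authn_request(idp, deep_link, now=None):
    """Return (request_id, redirect_url). RelayState carries the originally requested resource."""
    now = now or dt.datetime.now(dt.timezone.utc)
    request_id = "_" + uuid.uuid4().hex  # xs:ID values must not start with a digit
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'ID="{request_id}" Version="2.0" IssueInstant="{now:%Y-%m-%dT%H:%M:%SZ}" '
           f'Destination="{idp["sso_url"]}" AssertionConsumerServiceURL="{SP_ACS_URL}" '
           f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
           f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')
    z = zlib.compressobj(9, zlib.DEFLATED, -15)      # HTTP-Redirect binding: raw DEFLATE,
    deflated = z.compress(xml.encode()) + z.flush()  # then base64, then URL-encode
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode(), "RelayState": deep_link})
    return request_id, f'{idp["sso_url"]}?{query}'

def decode_redirect_request(url):
    """Inverse of the redirect encoding, as the IdP does on receipt: (AuthnRequest element, RelayState)."""
    q = parse_qs(urlparse(url).query)
    xml = zlib.decompress(base64.b64decode(q["SAMLRequest"][0]), -15).decode()
    return ET.fromstring(xml), q["RelayState"][0]

def validate_response(response_xml, idp, expected_request_id, now):
    """Checks the SP must make before trusting an assertion; returns (NameID, problems).
    The XML signature is NOT verified cryptographically against idp['signing_cert'] here;
    that needs an XML-DSig library (xmlsec, python3-saml). Only its presence is required."""
    problems, root = [], ET.fromstring(response_xml)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("status is not Success")
    if root.get("InResponseTo") != expected_request_id:
        problems.append("InResponseTo does not match an AuthnRequest we issued")
    a = root.find("saml:Assertion", NS)
    if a is None:
        return None, problems + ["no plaintext Assertion (EncryptedAssertion not handled here)"]
    if a.findtext("saml:Issuer", namespaces=NS) != idp["entity_id"]:
        problems.append("assertion Issuer is not the federated IdP")
    if a.find("ds:Signature", NS) is None:
        problems.append("assertion is unsigned")
    cond = a.find("saml:Conditions", NS)
    nb, noa = (cond.get("NotBefore"), cond.get("NotOnOrAfter")) if cond is not None else (None, None)
    if not (nb and noa) or not (saml_time(nb) <= now < saml_time(noa)):
        problems.append("assertion is outside its validity window")
    if SP_ENTITY_ID not in [x.text for x in a.iterfind("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]:
        problems.append("assertion is not addressed to this SP")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if (scd is None or scd.get("InResponseTo") != expected_request_id or scd.get("Recipient") != SP_ACS_URL
            or not scd.get("NotOnOrAfter") or now >= saml_time(scd.get("NotOnOrAfter"))):
        problems.append("SubjectConfirmationData does not bind the assertion to this exchange")
    return a.findtext("saml:Subject/saml:NameID", namespaces=NS), problems

def sample_response(request_id):
    """Constructed IdP response (signature value elided) for the demonstration."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"
  ID="_r1" Version="2.0" IssueInstant="2014-05-01T12:00:05Z" InResponseTo="{request_id}" Destination="{SP_ACS_URL}">
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2014-05-01T12:00:05Z">
    <saml:Issuer>https://idp.example.com/idp</saml:Issuer>
    <ds:Signature><ds:SignatureValue>...</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>alice</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="{request_id}" Recipient="{SP_ACS_URL}" NotOnOrAfter="2014-05-01T12:05:00Z"/>
    </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="2014-05-01T12:00:00Z" NotOnOrAfter="2014-05-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion></samlp:Response>"""
```

Calling parse_idp_metadata(IDP_METADATA), then build_authn_request(idp, deep_link), and finally validate_response(sample_response(rid), idp, rid, saml_time("2014-05-01T12:00:10Z")) returns ("alice", []). Feeding validate_response a Response issued for a different request ID, one evaluated after its NotOnOrAfter, or one with the Signature element stripped returns a non-empty problem list instead; each of those is an assertion an SP would accept by mistake if it omitted the corresponding check.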
5.3.3 Deployment architecture
In the BMC environment:
BMC Remedy web applications supporting BMC Atrium Single Sign-On
BMC Atrium Single Sign-On agents, which are add-ons to the BMC Remedy web applications
BMC Atrium Single Sign-On server, which serves as the SP and runs as a web application on the Apache Tomcat server
In your environment:
You use a browser to access BMC Remedy applications.
An authentication server, usually located on premise, is responsible for authenticating your users. This is the IdP component.
The SAMLv2 IdP server and the BMC Atrium Single Sign-On SP server are connected by a trust relationship (federation), so each can honor the other's authentication information.
The following sequence diagram shows the interactions between BMC Atrium Single Sign-On and SAMLv2 components, in the order in which they occur.
BMC Atrium Single Sign-On and SAMLv2 components sequence
diagram
The following sequence diagram illustrates the flow of events and
the interaction between components for single
log off (SLO):
5.3.4 Deployment model
A load balancer or reverse proxy is placed in front of the application servers and routes inbound connections to the appropriate target web server. Load balancers distribute the workload and optimize application performance. Reverse proxies do the same and additionally hide the existence and characteristics of the internal servers.
BMC Remedy Mid Tier is deployed on a separate virtual machine (VM).
A second BMC Remedy Mid Tier and the BMC Atrium Single Sign-On server are deployed on another VM, but on two different Apache Tomcat servers.
BMC Dashboards for Business Services Management and BMC Analytics for Business Services Management are deployed on two different VMs to avoid performance issues.
5.3.5 Deployment tasks
The following table lists the main steps involved in installing and configuring the deployed BMC products with BMC Atrium Single Sign-On using SAMLv2 authentication, where BMC Atrium Single Sign-On is configured as an SP with a remote IdP.
Review the Deployment parameters list (see page 38) before starting the deployment tasks.
Step Task
2. Install BMC Remedy AR System server.
3. Install the BMC Remedy Mid Tier.
4. (Optional) Configure your load balancer or reverse proxy.
Note: For more information, see Troubleshooting redirect URLs (see page 343).
5. Run the SSOARIntegration utility on the AR System server (see page 88).
6. Run the SSOMidtierIntegration utility on the BMC Remedy Mid Tier (see page 92).
7. Configure group mapping for the AR System and BMC Atrium Single Sign-On (see page 91).
8. Configure the BMC Atrium Single Sign-On server for AR System (see page 97).
Note: Although the AR authentication module should be configured, you must delete the AR user stores when using SAMLv2 for authentication. The AR data store is not needed for authentication in a SAMLv2 deployment.
9. Run a health check on the BMC Atrium Single Sign-On installation.
10. Configure BMC Atrium Single Sign-On to use SAMLv2 authentication with BMC Atrium Single Sign-On as a Service Provider and a remote Identity Provider.
Note: Each time a BMC product is integrated (steps 10-12) with the BMC Atrium Single Sign-On Service Provider, the J2EE agent configuration must be modified so that the integrating product can function in federated single sign-on.
11. (Optional) Integrate BMC Dashboards for Business Service Management (see page 198) and configure it.
Note: For more information, see the BMC Dashboards for Business Service Management Installation Guide at PDFs.
12. (Optional) Integrate BMC Analytics for Business Service Management (see page 199) and configure it.
Note: For more information, see Installing.
13. (Optional) Integrate BMC IT Business Management Suite (see page 204).
Note: For more information, see Installing.
5.3.6 Deployment parameters
The deployment environment assumes MS Windows 2008, MS SQL Server 2008, new Tomcat instances, and that the defaults are accepted. It also assumes that BMC Remedy AR System server groups and BMC Atrium Single Sign-On high availability (HA) are not deployed.
The BMC Atrium Single Sign-On authentication is SAMLv2, where BMC Atrium Single Sign-On is configured as a Service Provider (SP) with a remote Identity Provider (IdP).
Important
BMC recommends that you install the BMC Remedy Mid Tier, BMC Remedy
AR System server, and BMC
Atrium Single Sign-On server on separate computers.
However, if you do install more than one BMC Product on the same
computer, ensure that the HTTP,
HTTPS, and Shutdown port numbers are different.
The following parameters are set in deployment of the following BMC
Products and BMC Atrium Single Sign-On
authentication:
BMC Remedy AR System
BMC Remedy Mid Tier
BMC Atrium Single Sign-On
SAMLv2 authentication where BMC Atrium Single Sign-On is configured
as an SP with a remote IdP.
BMC Dashboards for BSM
BMC Analytics for BSM
Parameters and descriptions, grouped by area:

Mid Tier installation
  Planning spreadsheet: Complete the Planning Spreadsheet in the BMC Remedy AR System 8.1 Mid Tier installation documentation.

Atrium SSO installation
  FQDN of host name: The Fully Qualified Domain Name (FQDN) for the host. For example, ssoserver.bmc.com.
  HTTP, HTTPS, Shutdown port numbers: If BMC Atrium Single Sign-On is installed on the same computer as another BMC product, provide port numbers that are different from the other BMC product.
  Cookie domain: The cookie name is the name of the cookie that the agent checks for the SSO session token. It should match the cookie name in the server configuration. For example, atsso_bmc_com.
  Atrium SSO server password: The password for the BMC Atrium Single Sign-On server. Default: amadmin.

AR System integration (product install/configuration)
  AR Server Name: The AR server name. For example, arsystemserver.bmc.com.
  AR Server User: The AR server user. For example, Demo.
  AR Server Password: The AR server password. For example, Demo.
  AR Server Port: The AR server port. For example, 0.
  Atrium SSO URL: URL for the BMC Atrium Single Sign-On server. For example, https://ssoserver.bmc.com:8443/atriumsso
  SSO Admin Name: The BMC Single Sign-On administrator name. Default: amadmin.
  SSO Admin Password: The BMC Single Sign-On administrator password.
  truststore (Optional): The truststore path.
  truststore-password (Optional): The truststore password.
  force (Optional): If "Yes" is provided, the utility does not wait for the user to shut down the web server (if not already done) when the web server is something other than Tomcat or JBoss. Default: No.

Mid Tier integration
  AR Server Name: The AR Server name from the AR System integration. For example, arsystemserver.bmc.com.
  AR Server User: The AR Server user from the AR System integration. For example, Demo.
  AR Server Password: The AR Server password from the AR System integration. For example, Demo.
  AR Server Port: The AR Server port from the AR System integration. For example, 0.
  Container Type: Supported container types are JBOSSV4, JBOSSV5, SERVLETEXECV5, SERVLETEXECV6, TOMCATV5, TOMCATV6, TOMCATV7, WEBSPHEREV6, WEBSPHEREV7, and WEBLOGICV10.
  Web App URL: The Mid Tier URL if a load balancer is not implemented; otherwise, the load balancer URL. Be sure that the server name is provided as a fully qualified domain name and that the port is also provided in the URL.
  Foundation\Tomcat6.
  JREInstallDirectory: Path to the JRE directory. For example, C:\Program Files\Java\jre7.
  MidtierHome: Mid Tier home directory. For example, C:\Program Files\BMC Software\ARSystem\midtier.
  serverinstancename: The WebSphere instance name; required for the WebSphere server.
  instanceconfigdirectory: The WebSphere configuration directory; required for the WebSphere server.
  weblogicdomainhome: The BEA domain home; required for the WebLogic web application.
  AR System external Administrator: BmcAdmins

Dashboards installation
  Fully Qualified Host Name: Fully qualified host name of the BMC Atrium Single Sign-On server.
  HTTP, HTTPS, Shutdown port numbers: Port numbers used by the BMC Atrium Single Sign-On server. If BMC Atrium Single Sign-On is installed on the same computer as another BMC product, provide port numbers that are different from the other BMC product.
  Administrator login name and password: User name and password for the BMC Atrium Single Sign-On server administrator.
  BMC Dashboards password: User name and password of the BMC Dashboards for BSM administrator user. This user must exist in BMC Atrium Single Sign-On.

Analytics installation
  Fully Qualified Host Name: Fully qualified host name of the BMC Atrium Single Sign-On server.
  HTTP, HTTPS, Shutdown port numbers: Port numbers used by the BMC Atrium Single Sign-On server. If BMC Atrium Single Sign-On is installed on the same computer as another BMC product, provide port numbers that are different from the other BMC product.
  Administrator login name and password: User name and password for the BMC Atrium Single Sign-On server administrator.

SAMLv2 authentication
  Remote IdP metadata file: The metadata file for the remote Identity Provider (IdP). For example, sso-idp.xml.

BMC Remedy AR System agent
  Federated login URL and logout URI: Login and logout URIs are the locations to which the agent sends users' browsers when the specified function is needed.

Agent manager
6 Installing
The BMC Atrium Single Sign-On server component is available for download from the BSM EPD site at http://webapps.bmc.com/epd or can be found in the BMC Atrium Shared Components box.
The typical method to integrate BMC Atrium Single Sign-On with BMC Remedy AR System or any other BMC product is to:
1. Install BMC Remedy AR System or other BMC products.
2. Integrate with BMC Remedy AR System or other BMC products.
Important
BMC recommends that you install the BMC Remedy Mid Tier, BMC Remedy
AR System server, and BMC
Atrium Single Sign-On server on separate computers.
However, if you do install more than one BMC Product on the same
computer, ensure that the HTTP,
HTTPS, and Shutdown port numbers are different.
Configuring Terminal Services and DEP parameters
Installing BMC Atrium Single Sign-On as a standalone (see page 50)
Installing BMC Atrium Single Sign-On as a High Availability cluster (see page 55)
Installing BMC Atrium Single Sign-On on an external Tomcat server (see page 72)
Installing BMC Atrium Single Sign-On with the AR System server and Mid Tier (see page 79)
Installing silently (see page 112)
Uninstalling BMC Atrium Single Sign-On (see page 117)
6.1 Preparing for installation
Review or perform the following tasks before you start installing.
Review the Planning topics (see page 29).
Review the Prerequisites for installation (see page 42) and update your environment.
Review the Compatibility matrix.
6.1.1 Prerequisites for installation
This topic describes the prerequisites for installing BMC Atrium
Single Sign-On.
Warning
If you have not met all of the requirements before you begin the installation, you might have issues with the installation. You must fulfill the requirements on this page before you begin the installation.
Memory requirements (see page 43)
Log file memory requirements (see page 43)
System requirements (see page 43)
Entropy level requirements (see page 44)
Firewalls (see page 44)
Limitation
Do not deploy BMC Atrium Single Sign-On on a Network File System (NFS) file system.
Access and permissions
If you are a nonroot runtime user of the BMC Atrium Single Sign-On web container instance, you must be able to write to your own home directory.
(Microsoft Windows) You must have administrator privileges.
(UNIX) You can be any user. However, root privileges are required to set up auto-startup of the services. Running the web container as a dedicated, unprivileged service account rather than as root is the least-privilege choice.
Disk space requirements
This section contains information about prerequisite storage space
requirements for installation and log files.
Before installing BMC Atrium Single Sign-On, you must have at least the following available disk space:
(Microsoft Windows) 650 MB
Memory requirements
If you are installing BMC Atrium Single Sign-On on an external Tomcat server, 1024 MB of RAM is required. For an external Tomcat 7 server and JDK 1.7, increase memory by an additional 20%, to a minimum of 1.2 GB.
Log file memory requirements
An additional 7-10 GB of space is recommended for log file growth,
depending on the volume of users and
products integrating with the BMC Atrium Single Sign-On
server.
To manage log file storage space effectively, perform the following
tasks:
Delete the debug log files periodically, especially if the debug level is set to message.
Check the access and error log files periodically in the logs directory.
Consider configuring log rotation to delete the oldest log files.
System requirements
If you are installing BMC Atrium Single Sign-On on Red Hat
Enterprise Linux (RHEL) 6.x, you must install the
following 32-bit RPM packages to make 32-bit JRE support and the
user interface available to the installer:
glibc.i686
libXtst.i686
Entropy level requirements
If you are installing BMC Atrium Single Sign-On on Red Hat
Enterprise Linux computers and the entropy level on
the server is under 150, you might experience installation issues.
If an installation or silent installation aborts
suddenly, finishes very quickly, or takes a long time to complete,
the computer might be experiencing low
entropy issues. To avoid these issues, perform the following
tasks:
Verify the level of entropy in the entropy_avail file:
cat /proc/sys/kernel/random/entropy_avail
If the level of entropy is less than 150, run the following commands as the root user, or restart your computer. Running rngd is the preferred option because it helps maintain the entropy level after installation. If your server has a low entropy level, configure the server to run the following commands at startup:
yum install rng-tools
echo 'EXTRAOPTIONS="-i -o /dev/random -r /dev/urandom -t 10 -W 2048"' >> /etc/sysconfig/rngd
chkconfig rngd on
service rngd restart
Note that with these options rngd reads /dev/urandom and feeds it back into /dev/random. This keeps the blocking pool's entropy count above the watermark so that processes reading /dev/random (such as the JVM's SecureRandom on many older JDKs) do not stall, but it adds no genuine entropy. Where a hardware random number generator is available, point the -r option at that device (for example, /dev/hwrng) instead.
Firewalls
The ports that you selected when you installed the BMC Atrium
Single Sign-On server must be accessible from
the clients that are authenticated through the server. Configure
the firewalls to allow access to the HTTPS port
used for authentication, as well as the LDAP and Apache MQ ports in
the nodes of a cluster.
6.1.2 Downloading the installation files
This topic provides instructions for downloading the files that you
need for installation. The latest BMC Atrium
Single Sign-On GA version on the BMC Electronic Product Distribution (EPD) website is 8.1.00.03.
Files to download (see page 44)
To download the files (see page 45)
Enabling search in the offline documentation (see page 47)
Where to go from here (see page 47)
Files to download
The following table provides the product files available on the BMC
EPD website for BMC Atrium Single Sign-On.
You can find the installer and documentation related to BMC Atrium Single Sign-On version 8.1.00.03 on the Products tab itself.
Note
BMC Atrium Single Sign-On is provided with the ESM solution suites. On the BMC EPD website, you must visit the download sections for the BMC Remedy IT Service Management, BMC ProactiveNet Performance Management, BMC BladeLogic Automation, or BMC Application Management suites to obtain the latest version of BMC Atrium Single Sign-On.
You can download the latest installer files from any of the ESM solution suites on the EPD website. For example, BMC Remedy IT Service Management Suite > BMC Remedy IT Service Management Suite 8.1.00 > BMC Atrium Single Sign-On Version 8.1.00 for OperatingSystem.
Hyperlink on EPD page: BMC Atrium Single Sign-On Documentation
File name on EPD page: BMCAtriumSSO_8.1_Patch3_Help.zip
This zip file contains an archived version of the online documentation for BMC Atrium Single Sign-On 8.1. For the latest and most comprehensive content, see the BMC Online Technical Documentation portal (docs.bmc.com) for this release.
Note
The installation files for BMC Atrium Single Sign-On versions
8.1.00.02 have been replaced with the
installation files for version 8.1.00.03, and can no longer be
downloaded from the EPD site. Patch 3 for
BMC Atrium Single Sign-On 8.1.00 (8.1.00.03) is a full installation
and includes the fixes that were
available in Patch 1 and Patch 2 (8.1.00.01 and 8.1.00.02). You can
download the Patch 3 installation files
from the BMC EPD site and perform your normal installation.
To download the files
The product files that you download from the EPD website might
contain some or all of the patches listed on a
product's Customer Support web page. If the EPD page shows that a
patch is included in a file you downloaded,
you do not need to obtain that patch separately.
1. Go to http://www.bmc.com/available/epd.html.
2. At the logon prompt, enter your user ID and password, and click Submit.
3. On the Export Compliance and Access Terms page, provide the required information, agree to the terms of the agreements, and click Continue.
4. If you are accessing this site for the first time, create an EPD profile to specify the languages and platforms that you want to see, per the EPD site help; otherwise, skip to step 6.
5. Verify that the correct profile is displayed for your download purpose, and select the Licensed Products tab.
Note
BMC Atrium Single Sign-On 8.1.00 Patch 3 (8.1.00.03) installation files are available on the Licensed Products tab.
6. Locate the solution for which you are using BMC Atrium Single Sign-On, such as BMC Remedy IT Service Management Suite, and expand its entries.
Note
As BMC Atrium Single Sign-On is part of an ESM solution suite, you must visit the download sections for the BMC Remedy IT Service Management, BMC ProactiveNet Performance Management, BMC BladeLogic Automation, or BMC Application Management suites to obtain the latest version of BMC Atrium Single Sign-On. For the steps in this process, BMC Remedy IT Service Management is used.
7. Expand the BMC Remedy IT Service Management Suite 8.1.00 directory for the appropriate platform and language.
8. Expand the BMC Atrium Single Sign-On Version 8.1.00 for OperatingSystem directory for the appropriate platform and language.
9. Select the check boxes next to the files and documents that you want to download.
10. Click Download (FTP) or Download Manager:
Download (FTP) places the selected items in an FTP directory, and the credentials and FTP instructions are sent to you in an email message.
Download Manager enables you to download multiple files consecutively and to resume an interrupted download if the connection drops. This method requires a one-time installation of the Akamai NetSession client program on the target computer and is usually the faster and more reliable way to transfer files. A checksum operation is used to verify file integrity automatically.
Note
On Microsoft Windows computers, ensure that the directory is only one level into the directory structure. The EPD package creates a directory in the temporary directory when you extract the files, and the directory that contains the installation image should not be in a directory deeper than two levels into the directory structure.
Enabling search in the offline documentation
The offline documentation zip file contains an archived version of the online