
BMC Software Confidential

BMC Atrium Single Sign-On 8.1

Home

Date: 16-Jan-2014 15:56
URL: https://docs.bmc.com/docs/display/sso81/Home

Page 2 of 389

Table of Contents
1 Featured content ______________________________________________________________________ 12
2 About BMC Atrium Single Sign-On ________________________________________________________ 12
3 What's new __________________________________________________________________________ 12
3.1 Version 8.1.00 ____________________________________________________________________ 14
3.1.1 Redesigned user interface ______________________________________________________ 15
3.1.2 Predefined authentication module _______________________________________________ 15
3.1.3 New utility to simplify BMC Atrium Single Sign-On and AR System integration ______________ 15
3.1.4 BMC Atrium Orchestrator Platform integration ______________________________________ 16
3.1.5 Click jacking prevention _______________________________________________________ 16
3.2 License entitlements _______________________________________________________________ 16
3.3 Service packs and patches ___________________________________________________________ 17
3.3.1 Patch 3 for version 8.1.00: 8.1.00.03 ______________________________________________ 17
3.3.2 Patch 2 for version 8.1.00: 8.1.00.02 ______________________________________________ 18
3.3.3 Patch 1 for version 8.1.00: 8.1.00.01 ______________________________________________ 19
3.4 Documentation updates after release __________________________________________________ 20
3.4.1 Added BMC Mobility integration documentation ____________________________________ 20
3.4.2 Added BMC EUEM integration documentation ______________________________________ 20
4 Key concepts ________________________________________________________________________ 20
4.1 BMC Atrium Single Sign-On architecture ________________________________________________ 21
4.2 BMC Atrium Single Sign-On and OpenAM _______________________________________________ 22
4.2.1 OpenAM technologies ________________________________________________________ 22
4.2.2 Atrium Single Sign-On user console access ________________________________________ 23
4.3 Administrator password _____________________________________________________________ 23
4.4 Default cookie domain _____________________________________________________________ 23
4.5 Log on and log off behavior _________________________________________________________ 24
4.6 Certificates ______________________________________________________________________ 25
4.6.1 Certificate Signing Request _____________________________________________________ 25
4.6.2 New CA certificates __________________________________________________________ 26
4.6.3 Related topics _______________________________________________________________ 26
4.7 Authentication chaining ____________________________________________________________ 26
4.7.1 Authentication chaining example ________________________________________________ 27
4.8 High Availability deployment _________________________________________________________ 28
4.9 JEE filter-based agents _____________________________________________________________ 29
5 Planning ____________________________________________________________________________ 29
5.1 Checking the compatibility matrix for system requirements and supported configurations __________ 30
5.1.1 To access the compatibility matrixes _____________________________________________ 30
5.2 End-to-end BMC Atrium Single Sign-On procedure _______________________________________ 30
5.3 BMC Atrium Single Sign-On using SAMLv2 deployment example ______________________________ 31

5.3.1 Business value _______________________________________________________________ 32
5.3.2 Federated authentication and SAML ______________________________________________ 32
5.3.3 Deployment architecture ______________________________________________________ 33
5.3.4 Deployment model ___________________________________________________________ 35
5.3.5 Deployment tasks ____________________________________________________________ 37
5.3.6 Deployment parameters _______________________________________________________ 38
5.3.7 Related topics _______________________________________________________________ 40
6 Installing ____________________________________________________________________________ 40
6.1 Preparing for installation ____________________________________________________________ 42
6.1.1 Prerequisites for installation ____________________________________________________ 42
6.1.2 Downloading the installation files ________________________________________________ 44
6.2 Installation options ________________________________________________________________ 48
6.3 Configuring Terminal Services and DEP parameters _______________________________________ 48
6.3.1 To update Terminal Services configuration options for Windows Server 2008 ______________ 48
6.4 Installing BMC Atrium Single Sign-On as a standalone _____________________________________ 50
6.4.1 Before you begin _____________________________________________________________ 51
6.4.2 To install BMC Atrium Single Sign-On as a standalone _________________________________ 51
6.4.3 Where to go from here ________________________________________________________ 54
6.5 Installing BMC Atrium Single Sign-On as a High Availability cluster ____________________________ 55
6.5.1 HA prerequisites _____________________________________________________________ 56
6.5.2 HA pre-installation tasks _______________________________________________________ 56
6.5.3 To install BMC Atrium Single Sign-On as an HA cluster ________________________________ 56
6.5.4 HA post-installation activities ___________________________________________________ 57
6.5.5 Installing the first node for an HA cluster on a new Tomcat server _______________________ 57
6.5.6 Installing additional nodes for an HA cluster on a new Tomcat server _____________________ 63
6.5.7 Installing the first node for an HA cluster on an external Tomcat server ___________________ 68
6.5.8 Installing additional nodes for an HA cluster on an external Tomcat server _________________ 70
6.6 Installing BMC Atrium Single Sign-On on an external Tomcat server ___________________________ 72
6.6.1 Before you begin _____________________________________________________________ 73
6.6.2 To install BMC Atrium Single Sign-On on an external Tomcat server ______________________ 73
6.6.3 Where to go from here ________________________________________________________ 74
6.6.4 Policy file additions for external Tomcat installations _________________________________ 75
6.6.5 JVM parameter additions for external Tomcat installations _____________________________ 76
6.6.6 Configuring an external Tomcat instance for FIPS-140 ________________________________ 76
6.6.7 Configuring a JVM for the Tomcat Server __________________________________________ 77
6.6.8 Setting an HTTPS connection ___________________________________________________ 78
6.7 Installing BMC Atrium Single Sign-On with the AR System server and Mid Tier ___________________ 79
6.7.1 Installing video ______________________________________________________________ 80
6.7.2 Overview of installation steps ___________________________________________________ 80
6.7.3 Related topics _______________________________________________________________ 81
6.7.4 Installing BMC Atrium Single Sign-On _____________________________________________ 81
6.7.5 Installing or upgrading AR System server __________________________________________ 84
6.7.6 Installing or upgrading BMC Remedy Mid Tier ______________________________________ 86

6.7.7 Running the SSOARIntegration utility on the AR System server __________________________ 88
6.7.8 Reviewing AR server external authentication settings and configuring group mapping ________ 91
6.7.9 Running the SSOMidtierIntegration utility on the Mid Tier _____________________________ 92
6.7.10 Managing the AR System users and groups for authentication __________________________ 97
6.7.11 Running a health check on the BMC Atrium Single Sign-On installation __________________ 109
6.8 Installing silently _________________________________________________________________ 112
6.8.1 Running the installer in silent mode ______________________________________________ 114
6.8.2 Uninstalling in silent mode ____________________________________________________ 114
6.8.3 Example options.txt file _______________________________________________________ 114
6.9 Uninstalling BMC Atrium Single Sign-On _______________________________________________ 117
6.9.1 Running the uninstaller on Windows _____________________________________________ 117
6.9.2 Running the uninstaller on Solaris or Linux ________________________________________ 117
6.9.3 Invocation error during uninstallation ____________________________________________ 118
7 Configuring after installation ____________________________________________________________ 119
7.1 To set up a method for authentication _________________________________________________ 120
7.2 SAMLv2 authentication ____________________________________________________________ 121
7.3 Predefined authentication module ____________________________________________________ 121
7.4 User Profile panel ________________________________________________________________ 122
7.5 Authentication chaining ____________________________________________________________ 122
7.6 Authentication chaining flags ________________________________________________________ 122
7.7 Where to go from here ____________________________________________________________ 122
7.8 Using AR for authentication _________________________________________________________ 122
7.8.1 Before you begin ____________________________________________________________ 123
7.8.2 To configure an AR module ____________________________________________________ 123
7.8.3 To configure an AR user store __________________________________________________ 124
7.9 Using CAC for authentication _______________________________________________________ 126
7.9.1 CAC certificate usage ________________________________________________________ 126
7.9.2 To set up CAC to use for authentication __________________________________________ 127
7.9.3 Modify the Tomcat server _____________________________________________________ 127
7.9.4 Import DoD CA certificates ____________________________________________________ 128
7.9.5 To import certificates ________________________________________________________ 128
7.9.6 Set up CAC certificates _______________________________________________________ 129
7.9.7 If using OCSP, enable OCSP for the server _________________________________________ 131
7.9.8 Where to go from here _______________________________________________________ 131
7.9.9 Related topics ______________________________________________________________ 132
7.10 Using Kerberos for authentication ____________________________________________________ 132
7.10.1 Configuring Kerberos video ____________________________________________________ 133
7.10.2 Before you begin ____________________________________________________________ 133
7.10.3 To set up Kerberos to use for authentication _______________________________________ 133
7.10.4 Where to go from here _______________________________________________________ 133
7.10.5 Generating a keytab for the service principal and mapping the Kerberos service name _______ 134
7.10.6 Configuring the Kerberos module _______________________________________________ 136
7.10.7 Reconfiguring your browser ___________________________________________________ 138

7.11 Using LDAP (Active Directory) for authentication _________________________________________ 138
7.11.1 Before you begin ____________________________________________________________ 139
7.11.2 To set up LDAP (AD) for authentication ___________________________________________ 139
7.11.3 LDAP (AD) parameters ________________________________________________________ 139
7.11.4 Where to go from here _______________________________________________________ 141
7.12 Using RSA SecurID for authentication _________________________________________________ 141
7.12.1 To configure the SecurID module _______________________________________________ 141
7.12.2 SecurID parameters __________________________________________________________ 142
7.12.3 To modify the rsa_api.properties file _____________________________________________ 142
7.12.4 Where to go from here _______________________________________________________ 143
7.13 Using SAMLv2 for authentication _____________________________________________________ 143
7.13.1 Configuring SAML V2 video ____________________________________________________ 144
7.13.2 SAMLv2 configuration options _________________________________________________ 144
7.13.3 SAMLv2 implementation ______________________________________________________ 144
7.13.4 Typical SAMLv2 deployment ___________________________________________________ 145
7.13.5 Typical SAMLv2 deployment architecture _________________________________________ 145
7.13.6 Related topics ______________________________________________________________ 146
7.13.7 Configuring BMC Atrium Single Sign-On as an SP ___________________________________ 146
7.13.8 Configuring BMC Atrium Single Sign-On as an IdP __________________________________ 153
7.13.9 Federating user accounts in bulk ________________________________________________ 157
8 Upgrading __________________________________________________________________________ 165
8.1 To upgrade BMC Atrium Single Sign-On _______________________________________________ 166
8.2 To upgrade BMC Atrium Single Sign-On in silent mode ____________________________________ 166
8.3 Preparing to upgrade BMC Analytics for BSM ___________________________________________ 166
8.3.1 To remove the J2EE agent for BMC Analytics for BSM ________________________________ 166
8.4 Upgrading HA nodes ______________________________________________________________ 167
8.4.1 To upgrade HA nodes ________________________________________________________ 167
9 Integrating _________________________________________________________________________ 168
9.1 Integrating BMC Atrium Single Sign-On with AR System Version 8.0.00 _______________________ 169
9.1.1 Configuring external authentication for AR System integration _________________________ 170
9.1.2 Installing BMC Atrium Single Sign-On for AR System integration ________________________ 171
9.1.3 Configuring BMC Atrium Single Sign-On for integration ______________________________ 173
9.1.4 Manually configuring mid tier for BMC Atrium Single Sign-On user authentication __________ 176
9.1.5 Configuring the BMC Atrium Single Sign-On server for AR System integration _____________ 183
9.1.6 Running a health check on the BMC Atrium Single Sign-On integration __________________ 195
9.2 Integrating BMC Dashboards for BSM _________________________________________________ 198
9.2.1 Before you begin ____________________________________________________________ 198
9.2.2 To integrate BMC Dashboards for BSM ___________________________________________ 199
9.3 Integrating BMC Analytics for BSM ___________________________________________________ 199
9.3.1 Before you begin ____________________________________________________________ 199
9.3.2 To integrate BMC Analytics for BSM _____________________________________________ 200
9.4 Integrating BMC ProactiveNet _______________________________________________________ 200
9.4.1 Before you begin ___________________________________________________________ 200

9.4.2 To integrate BMC ProactiveNet during installation __________________________________ 201
9.4.3 To integrate BMC ProactiveNet after installation ____________________________________ 201
9.4.4 To define users and groups ____________________________________________________ 202
9.4.5 To create new users _________________________________________________________ 202
9.4.6 To assign users to user groups _________________________________________________ 203
9.4.7 To clean up Web Agent entries when the BMC ProactiveNet Server is uninstalled ___________ 203
9.5 Integrating BMC IT Business Management Suite _________________________________________ 204
9.5.1 Before you begin ___________________________________________________________ 204
9.5.2 To integrate BMC IT Business Management Suite ___________________________________ 204
9.6 Integrating BMC ITBM and WebSphere application server __________________________________ 205
9.6.1 Before you begin ___________________________________________________________ 205
9.6.2 To configure the WebSphere application server to work with the BMC Atrium Single Sign-On server ______ 205
9.7 Integrating BMC Capacity Optimization _______________________________________________ 207
9.7.1 Before you begin ___________________________________________________________ 208
9.7.2 To integrate BMC Capacity Optimization _________________________________________ 208
9.8 Integrating BMC Atrium Orchestrator Platform __________________________________________ 209
9.8.1 Before you begin ____________________________________________________________ 210
9.8.2 BMC Atrium Orchestrator Platform installation worksheet ____________________________ 210
9.8.3 Where to go from here _______________________________________________________ 212
9.9 Integrating BMC Real End User Experience Monitoring ____________________________________ 212
9.9.1 Preparing BMC Atrium SSO server for integration ___________________________________ 212
9.9.2 Preparing the Console component for the BMC Atrium SSO integration __________________ 212
9.10 Integrating BMC Mobility for ITSM 8.1.00 _______________________________________________ 212
9.10.1 Before you begin ____________________________________________________________ 212
9.10.2 Limitations ________________________________________________________________ 213
9.10.3 Integrating BMC Mobility to support SAML authentication ____________________________ 213
9.10.4 Related Topics _____________________________________________________________ 214
10 Using ______________________________________________________________________________ 214
10.1 Navigating the interface ____________________________________________________________ 215
10.1.1 Editor options ______________________________________________________________ 215
10.1.2 Status panel ________________________________________________________________ 215
10.1.3 BMC Realm panel ___________________________________________________________ 216
10.1.4 Sessions panel ______________________________________________________________ 216
10.1.5 Realm Editor _______________________________________________________________ 216
10.1.6 Agent manager _____________________________________________________________ 233
10.1.7 HA Nodes manager __________________________________________________________ 234
10.1.8 Server Configuration Editor ____________________________________________________ 237
10.2 Managing keystores with a keytool utility ______________________________________________ 239
10.2.1 Creating new keystores ______________________________________________________ 240
10.2.2 Using the keytool utility _______________________________________________________ 241
10.2.3 Importing a certificate into the truststore _________________________________________ 243
10.2.4 Generating and importing CA certificates _________________________________________ 245

10.2.5 Generating self-signed certificates ______________________________________________ 249
10.2.6 Checking the truststore for certificates ___________________________________________ 250
10.3 Configuring FIPS-140 mode _________________________________________________________ 251
10.3.1 Converting to FIPS-140 mode __________________________________________________ 251
10.3.2 Monitoring FIPS-140 and normal mode conversions _________________________________ 256
10.3.3 Changing FIPS-140 network ciphers _____________________________________________ 257
10.3.4 Converting from FIPS-140 to normal mode _______________________________________ 258
10.4 Using an external LDAP user store ____________________________________________________ 260
10.4.1 To create an external LDAP user store ____________________________________________ 261
10.4.2 To modify an existing external LDAP user store _____________________________________ 261
10.4.3 LDAPv3 User Store parameters _________________________________________________ 261
10.4.4 General tab ________________________________________________________________ 261
10.4.5 Search tab _________________________________________________________________ 262
11 Administering _______________________________________________________________________ 263
11.1 Managing users __________________________________________________________________ 264
11.1.1 To access the User page ______________________________________________________ 265
11.1.2 To add a new user ___________________________________________________________ 265
11.1.3 To search for users __________________________________________________________ 266
11.1.4 To delete users _____________________________________________________________ 266
11.1.5 To modify user information ___________________________________________________ 266
11.1.6 To enable or disable a user account _____________________________________________ 266
11.1.7 To add a group membership to a user account _____________________________________ 267
11.1.8 To remove a group membership from a user account ________________________________ 267
11.1.9 To view user sessions ________________________________________________________ 267
11.1.10 To terminate an active user session _____________________________________________ 268
11.2 Managing user groups _____________________________________________________________ 268
11.2.1 To access the Group page ____________________________________________________ 269
11.2.2 To create a new group _______________________________________________________ 269
11.2.3 To delete a group ___________________________________________________________ 269
11.2.4 To assign a group membership _________________________________________________ 270
11.2.5 To remove users from a group _________________________________________________ 270
11.3 Managing authentication modules ____________________________________________________ 271
11.3.1 To manage authentication modules _____________________________________________ 271
11.3.2 To create a new module ______________________________________________________ 271
11.3.3 To edit a module ____________________________________________________________ 271
11.3.4 To delete a module __________________________________________________________ 272
11.3.5 To change the criteria for a module _____________________________________________ 272
11.3.6 To reorder the modules in a chain _______________________________________________ 272
11.4 Managing nodes in a cluster ________________________________________________________ 273
11.4.1 To modify the server configuration on a node ______________________________________ 273
11.4.2 To delete a node from the cluster _______________________________________________ 273
11.4.3 Resynchronizing nodes in a cluster ______________________________________________ 273
11.4.4 Starting nodes in a cluster _____________________________________________________ 274

11.4.5 Stopping nodes in a cluster ____________________________________________________ 274
11.5 Managing agents _________________________________________________________________ 275
11.5.1 To edit an agent account _____________________________________________________ 275
11.5.2 To delete an agent account ____________________________________________________ 275
11.6 Managing the server configuration ___________________________________________________ 276
11.6.1 To modify the server configuration ______________________________________________ 276
11.6.2 Server configuration parameters ________________________________________________ 276
11.6.3 Server Configuration Editor parameters __________________________________________ 276
11.6.4 HTTP Only and HTTPS Only ___________________________________________________ 277
11.6.5 Session parameter defaults ____________________________________________________ 278
11.7 Stopping and restarting the BMC Atrium Single Sign-On server ______________________________ 279
11.7.1 Stopping and restarting on Windows ____________________________________________ 279
11.7.2 Stopping and restarting on UNIX or Linux _________________________________________ 279
12 Troubleshooting _____________________________________________________________________ 279
12.1 Collecting diagnostics _____________________________________________________________ 281
12.1.1 To run the support utility _____________________________________________________ 282
12.1.2 Support utility location _______________________________________________________ 282
12.1.3 Log file locations ____________________________________________________________ 282
12.1.4 Using BMC Atrium Single Sign-On for logging _____________________________________ 284
12.2 Working with error messages _______________________________________________________ 285
12.3 Logon and logoff issues ____________________________________________________________ 316
12.3.1 Automatic IdP logon behavior __________________________________________________ 316
12.3.2 URL re-direct issues _________________________________________________________ 316
12.4 Upgrading from 7.6.04 to 8.1 silent installation issue ______________________________________ 317
12.4.1 Upgrading without specifying the host name ______________________________________ 319
12.4.2 Upgrading by re-defining the host name __________________________________________ 319
12.5 Troubleshooting AR authentication ___________________________________________________ 320
12.5.1 User has no profile in this organization ___________________________________________ 320
12.5.2 Error saving user or group edits _________________________________________________ 321
12.5.3 Error in SAML Authentication when Auto Federation is enabled _________________________ 321
12.6 Troubleshooting AR System server and Mid Tier integrations ________________________________ 321
12.6.1 Manually running the SSOARIntegration utility on the AR System server __________________ 321
12.6.2 Manually running the SSOMidtierIntegration utility on the AR System server _______________ 323
12.7 Troubleshooting CAC authentication _________________________________________________ 326
12.7.1 Example of a default logging level error __________________________________________ 327
12.7.2 Example of a debug log error when a certificate is not available ________________________ 327
12.7.3 Changing the clientAuth setting ________________________________________________ 328
12.7.4 Turning on network debug logging ______________________________________________ 328
12.7.5 Example of a client not responding with a certificate ________________________________ 329
12.7.6 Example of a client sending a certificate __________________________________________ 329
12.7.7 Example of a list of certificates sent to the client ___________________________________ 330
12.7.8 Example of URL certificate authentication not enabled _______________________________ 330
12.7.9 Example of OCSP certificate failure ______________________________________________ 331

12.7.10 Clock skew too great for CAC authentication ______________________________________ 331
12.8 Troubleshooting FIPS-140 conversion _________________________________________________ 331
12.9 Troubleshooting JEE agents ________________________________________________________ 331
12.9.1 To remove a JEE agent from BMC Atrium Single Sign-On _____________________________ 332
12.9.2 To remove a JEE agent from WebSphere _________________________________________ 332
12.9.3 To remove a JEE agent from Tomcat ____________________________________________ 332
12.9.4 To remove a JEE agent from JBoss or WebLogic ___________________________________ 333
12.10 Troubleshooting Kerberos authentication ______________________________________________ 333
12.10.1 Invalid user name for Kerberos authentication _____________________________________ 334
12.10.2 Invalid service principal name for Kerberos authentication ____________________________ 334
12.10.3 Invalid keytab index number for Kerberos authentication _____________________________ 335
12.10.4 Invalid password for Kerberos authentication ______________________________________ 335
12.10.5 Incorrect server name for Kerberos authentication __________________________________ 335
12.10.6 Browser sending NTLM instead of Kerberos _______________________________________ 336
12.10.7 Browser not correctly configured for Kerberos authentication _________________________ 337
12.10.8 Clock skew too great for Kerberos authentication __________________________________ 338
12.10.9 Chained authentication failure in Microsoft Internet Explorer __________________________ 338
12.11 Troubleshooting an external LDAP user store ___________________________________________ 339
12.11.1 No users in User tab _________________________________________________________ 339
12.11.2 No groups in Group tab ______________________________________________________ 339
12.12 Troubleshooting SAMLv2 __________________________________________________________ 340
12.12.1 IdP metadata issues __________________________________________________________ 341
12.12.2 SAMLv2 keystore issues _______________________________________________________ 341
12.12.3 Metadata issues ____________________________________________________________ 342
12.12.4 Certificate issues ___________________________________________________________ 342
12.13 Troubleshooting redirect URLs ______________________________________________________ 343
12.13.1 Modifying the load balancer (or reverse proxy) for redirect URLs _______________________ 343
12.13.2 Using load balancer (or reverse proxy) host names for redirect URLs ____________________ 344
12.13.3 Cookie name change for a HA node _____________________________________________ 344
12.14 Session sharing in HA mode issue ____________________________________________________ 345
12.14.1 To configure point-to-point sessions sharing ______________________________________ 345
12.15 Troubleshooting installation or upgrade issues __________________________________________ 346
12.16 Resolving installation issues on LINUX operating system ___________________________________ 346
12.16.1 Installation failure due to missing libraries ________________________________________ 346
12.16.2 Installation failure due to low level of entropy _____________________________________ 346
13 Known and corrected issues ____________________________________________________________ 347
13.1 Installation and upgrade issues ______________________________________________________ 348
13.2 Other issues ____________________________________________________________________ 350
14 Support information __________________________________________________________________ 351
14.1 Contacting Customer Support _______________________________________________________ 351
14.2 Support status ___________________________________________________________________ 351
15 PDFs ______________________________________________________________________________ 352
16 Tracking tools _______________________________________________________________________ 353

16.1 Comments dashboard _____________________________________________________________ 353
16.2 Pages without labels in this space ____________________________________________________ 363
16.3 Technical Bulletin SW00448553 _____________________________________________________ 369
16.3.1 BMC Atrium Single Sign-On ___________________________________________________ 369
16.3.2 Issue _____________________________________________________________________ 369
16.3.3 Workaround procedure ______________________________________________________ 369
16.3.4 Workaround scripts __________________________________________________________ 370
16.3.5 Where to get the latest product information _______________________________________ 372
16.4 Enabling multiple realms ___________________________________________________________ 372
16.4.1 Realm panel _______________________________________________________________ 373
16.4.2 To enable multiple realms _____________________________________________________ 374
16.4.3 To create a new realm ________________________________________________________ 374
16.5 Configuring multi-tenancy support ___________________________________________________ 374
16.5.1 Configuring multi-tenancy support ______________________________________________ 375
16.6 Overview steps to install and configure HA Load-Balancing environment with SSO ______________ 378
16.7 Number of pages in space __________________________________________________________ 383
16.8 Installing and managing certificates in BMC Atrium SSO ___________________________________ 383
16.8.1 Installing certificates on a standalone server _______________________________________ 383
16.8.2 Installing certificates in HA load balancing environment ______________________________ 383
16.8.3 Importing a certificate into keystore.p12 __________________________________________ 383
16.8.4 Importing a certificate into cacerts.p12 ___________________________________________ 383
16.8.5 Finding intermediate CA ______________________________________________________ 383
16.8.6 Importing certificate chains and intermediate certificates _____________________________ 383
16.9 Installing certificates after integration with other BMC products _____________________________ 383
17 Index ______________________________________________________________________________ 384


This space contains information about the BMC Atrium Single Sign-On 8.1 release.

1 Featured content
For information about Patch 1 for 8.1.00, see Patch 1 for version 8.1.00: 8.1.00.01 (see page 19).
For information about Patch 2 for 8.1.00, see Patch 2 for version 8.1.00: 8.1.00.02 (see page 18).
For information about Patch 3 for 8.1.00, see Patch 3 for version 8.1.00: 8.1.00.03 (see page 17).
With Patch 1 for 8.1.00, BMC Atrium Orchestrator Platform version 7.7.00 integrates with BMC Atrium Single
Sign-On; see Integrating BMC Atrium Orchestrator Platform (see page 209) and the BMC Atrium
Orchestrator Platform online documentation.
To understand enhancements for this release, see Version 8.1.00.
To understand key concepts associated with BMC Atrium Single Sign-On, see Key concepts (see page 20).
To review a high level end-to-end procedure, see End-to-end BMC Atrium Single Sign-On process.
To review an end-to-end deployment example for BMC Remedy AR System and the mid tier using SAMLv2
authentication, see BMC Atrium Single Sign-On using SAMLv2 deployment example (see page 31).
To review an end-to-end deployment for BMC Remedy AR System and the mid tier using AR
authentication, see Installing BMC Atrium Single Sign-On with the AR System server and Mid Tier (see page
79).

2 About BMC Atrium Single Sign-On


BMC Atrium Single Sign-On is an authentication system that supports many authentication protocols and
provides single sign-on and single sign-off for users of BMC products. BMC Atrium Single Sign-On allows users to
present credentials only once for authentication and subsequently be automatically authenticated by every BMC
product that is integrated into the system.
Using these authentication methods requires that you have previously installed the BMC Atrium Single Sign-On
server and configured it with an authentication server such as LDAP, RSA SecurID, or others. Not only does BMC
Atrium Single Sign-On support authentication with traditional systems such as LDAP or Active Directory, it also
supports integration into existing single sign-on systems. BMC Atrium Single Sign-On is the central integration
point that performs integration with the local enterprise systems.

3 What's new
This section provides information about what is new or changed in this space, including resolved issues,
documentation updates, maintenance releases, service packs, and patches. It also provides license entitlement
information for the release.


Tip
To stay informed of changes to this space, place a watch on this page.

The following updates have been added since the release of the space:

Date: July 5, 2013
Title: Patch 3 for version 8.1.00: 8.1.00.03 (see page 17)
Summary: Patch 3 for version 8.1.00 provides the following updates:
    HTTP Only and HTTPS Only (see page 238): The Server Configuration Editor provides two new options, HTTP Only and HTTPS Only.
    Security tab: The Security tab provides the following features:
        Login Failure Lockout
        Valid Forwarding Domains
    UserId Format (see page 227): The Kerberos Editor provides a feature for modifying the UserId format.
    Starting with this release, BMC Atrium Single Sign-On provides protection against clickjacking by preventing its web pages from being embedded within another frame. Clickjacking is a technique that tricks a web user into clicking a web page link, potentially revealing confidential information or taking control of the user's computer. When the user clicks on a known web page link, the user's information is revealed to the intruder.

Title: Patch 2 for version 8.1.00: 8.1.00.02 (see page 18)
Summary: Patch 2 for version 8.1.00 provides the following updates:

Title: Patch 1 for version 8.1.00: 8.1.00.01 (see page 19)
Summary: Patch 1 for version 8.1.00 provides fixes related to BMC Atrium Single Sign-On integration with BMC Atrium Orchestrator 7.7 and other BMC products.

Title: Version 8.1.00
Summary: Version 2013.02 provides the following features:
    Configuring BMC Atrium SSO in FIPS-140 Mode (see page 251)
    Redesigned user interface
    Predefined authentication module
    New utility to simplify BMC Atrium Single Sign-On and AR System integration
    BMC Atrium Orchestrator Platform integration
    To obtain a full space export of the BMC Atrium Single Sign-On documentation, see PDFs (see page 352).
    Three new videos are now available in the online documentation from the February 14, 2013 BMC Software Webinars 2013 Atrium Single Sign-On (Atrium SSO):
        Installing BMC Atrium Single Sign-On with the AR System server and Mid Tier (see page 79) provides a high-level overview as well as important tips.
        Using SAMLv2 for authentication describes how to configure SAML V2.
        Using Kerberos for authentication (see page 132) describes how to configure BMC Atrium SSO to leverage Kerberos.

3.1 Version 8.1.00


BMC Atrium Single Sign-On 8.1 includes the following enhancements.
Redesigned user interface (see page 15)
Predefined authentication module (see page 15)
New utility to simplify BMC Atrium Single Sign-On and AR System integration (see page 15)
BMC Atrium Orchestrator Platform integration (see page 16)
Click jacking prevention (see page 16)

Tip
For information about issues corrected in this release, see Known and corrected issues.


Version 8.1.00 was released shortly after version 8.0.00, a major release that contained significantly more
enhancements. If you are considering an upgrade from a version prior to 8.0.00, you might be interested in
seeing the enhancements listed in the documentation for version 8.0.00.

3.1.1 Redesigned user interface


BMC Atrium Single Sign-On 8.1 has a completely redesigned user interface. This redesign affects the
majority of the BMC Atrium Single Sign-On documentation.
The following image shows the BMC Atrium SSO Admin Console:

3.1.2 Predefined authentication module


To help with the configuration of BMC Atrium Single Sign-On, a predefined Internal LDAP authentication module
is provided. This predefined authentication module allows you to quickly configure your system. The Internal
LDAP authentication module uses the internal LDAP server as an authentication source in the authentication
chain and does not have parameters to configure.
For more information about the Internal LDAP module, see Configuring after installation.

3.1.3 New utility to simplify BMC Atrium Single Sign-On and AR System
integration
The BMC Remedy AR System 8.1 introduces a new utility that greatly simplifies the integration between BMC
Atrium Single Sign-On and the AR System server and Mid Tier.


The Single Sign-On integration is now removed from the AR System installer. As a result, you no longer have to
follow the error-prone steps if you choose to integrate BMC Atrium Single Sign-On after you have installed the AR
System server and Mid Tier.
You use the one utility to integrate both the AR System server and the Mid Tier, but with slightly different inputs.
For more information, see Installing BMC Atrium Single Sign-On with the AR System server and Mid Tier (see page
79).

3.1.4 BMC Atrium Orchestrator Platform integration


With this release, BMC Atrium Orchestrator Platform 7.7 uses the BMC Atrium Single Sign-On 8.1.00 (Patch 1 or
later) authentication system to provide single sign-on and single sign-off. For more information about BMC
Atrium Orchestrator Platform 7.7, see the BMC Atrium Orchestrator Platform 7.7 online documentation. For more
information about integrating BMC Atrium Orchestrator Platform 7.7 with BMC Atrium Single Sign-On, see
Integrating BMC Atrium Orchestrator Platform (see page 209).

3.1.5 Click jacking prevention


Clickjacking prevention is added with Patch 3 for version 8.1.00: 8.1.00.03 (see page 17).
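The What's new table above and this topic both describe the protection as preventing the product's pages from being embedded in another frame. The page does not say which response header carries that protection, so the following added Python example (not code from the page or from BMC) assumes the two standard mechanisms, the X-Frame-Options header and the Content-Security-Policy frame-ancestors directive, and classifies what a response allows. The sample responses are constructed; an administrator can run the same classification over headers captured from the login page after applying the patch.

```python
from typing import Dict, List, Optional

# Constructed sample responses (not captured from a real server). The header
# values are the standard ones; whether BMC Atrium Single Sign-On emits exactly
# these is an assumption of this example.
SAMPLE_RESPONSES = {
    "patched_login": {
        "Content-Type": "text/html",
        "X-Frame-Options": "DENY",
    },
    "unpatched_login": {
        "Content-Type": "text/html",
    },
    "csp_allowlist": {
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://portal.example.com",
    },
}


def _get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            # Keyword sources ('self', 'none') are case-insensitive; host sources are kept as-is.
            return [p.lower() if p.startswith("'") else p for p in parts[1:]]
    return None


def framing_policy(headers: Dict[str, str]) -> str:
    """Classify how a response restricts being framed.

    Returns one of 'deny', 'same-origin', 'allow-list' or 'unrestricted'.
    A CSP frame-ancestors directive takes precedence over X-Frame-Options
    (CSP Level 2); X-Frame-Options is consulted only when CSP does not decide.
    """
    csp = _get_header(headers, "Content-Security-Policy")
    if csp is not None:
        ancestors = frame_ancestors(csp)
        if ancestors is not None:
            if ancestors == ["'none'"]:
                return "deny"
            if ancestors == ["'self'"]:
                return "same-origin"
            if "*" in ancestors:
                return "unrestricted"
            return "allow-list"
    xfo = _get_header(headers, "X-Frame-Options")
    if xfo is not None:
        value = xfo.strip().upper()
        if value == "DENY":
            return "deny"
        if value == "SAMEORIGIN":
            return "same-origin"
        # ALLOW-FROM and unknown values are not honoured consistently by
        # browsers, so they are treated as giving no reliable protection.
    return "unrestricted"


def audit(responses: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Map each sample response name to its framing policy."""
    return {name: framing_policy(headers) for name, headers in responses.items()}


if __name__ == "__main__":
    for name, policy in audit(SAMPLE_RESPONSES).items():
        print(f"{name}: {policy}")
```

Only 'deny' and 'same-origin' (or a CSP allow-list naming trusted origins) count as protection; a response classified 'unrestricted' can be framed by any site.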

3.2 License entitlements


This topic explains the entitlements that apply to licenses you purchase from BMC Software. For information
about restrictions to those licenses, please see your Product Order Form.

Note
You can download the components mentioned herein from the Electronic Product Distribution website.
Use the same user name and password that you use to access the Customer Support website.

If you do not have a current license for the components you want, contact a BMC sales representative by calling
800 793 4262. If you cannot download the components, contact a sales representative and ask for a physical kit
to be shipped to you.
BMC Atrium Single Sign-On is certified on the configurations explicitly stated in this document. Configurations
not listed might still operate properly and so customers can choose to run in a configuration not listed as
supported. Such configurations would be considered "unconfirmed". BMC will accept issues reported in
unconfirmed configurations but we reserve the right to request customer assistance in problem determination,
including recreating the problem on a supported configuration.
Reported defects either found to be unique to an unconfirmed configuration or not reproducible within a
supported environment will be addressed at the discretion of BMC. Defects requiring time and resources beyond
commercially reasonable effort might not be addressed. If a configuration is found to be incompatible with BMC
Atrium Single Sign-On, support for that configuration will be specifically documented as not supported (or
unsupported). Visit the Customization Policy under the Support Contacts & Policies link on the BMC support
website.

3.3 Service packs and patches


This section contains information about service packs and patches for BMC Atrium Single Sign-On.
Patch 3 for version 8.1.00: 8.1.00.03 (see page 17)
Patch 2 for version 8.1.00: 8.1.00.02 (see page 18)
Patch 1 for version 8.1.00: 8.1.00.01 (see page 19)

3.3.1 Patch 3 for version 8.1.00: 8.1.00.03


This topic contains information about fixes in BMC Atrium Single Sign-On 8.1.00 Patch 3 (8.1.00.03) and provides
instructions for downloading and installing the patch. It is organized as follows:
Corrected issues (see page 17)
Installing the patch (see page 17)

Note
BMC Atrium Orchestrator Platform 7.7 must use BMC Atrium Single Sign-On 8.1.00 Patch 1 or later.

Corrected issues
To learn about issues corrected in Patch 3 (8.1.00.03), see Known and Corrected issues. Click the Corrected in
column heading to sort the table by version.
Patch 3 also includes the fixes from Patch 2 and Patch 1 for version 8.1.00.

Installing the patch


Patch 3 for BMC Atrium Single Sign-On 8.1.00 (8.1.00.03) is a full installation. You can download the 8.1.00.03
installation files from the Licensed Products tab on the BMC Electronic Product Distribution (EPD) site and
perform your normal installation. For instructions about downloading the files that you need for installation, see
Downloading the installation files (see page 44).

Recommendation
Backup BMC Atrium Single Sign-On before proceeding with the patch installation.


To install BMC Atrium Single Sign-On 8.1.00 Patch 3, see Installing (see page 40).
To perform a silent installation, see Installing silently (see page 112).
To upgrade to BMC Atrium Single Sign-On 8.1.00 Patch 3 from an earlier version (8.1.00 or 8.1.00.01 or
8.1.00.02), see Upgrading.

3.3.2 Patch 2 for version 8.1.00: 8.1.00.02


This topic contains information about fixes in BMC Atrium Single Sign-On 8.1.00 Patch 2 (8.1.00.02), and provides
instructions for downloading and installing the patch. It is organized as follows:

Note
BMC Atrium Single Sign-On 8.1.00 Patch 2 (8.1.00.02) has been replaced with Patch 3 (8.1.00.03) and
can no longer be downloaded from the BMC Electronic Product Distribution (EPD) site. Patch 3 is a full
installation and includes the fixes that were available in Patch 1 (8.1.00.01) and Patch 2 (8.1.00.02). For
information about downloading and installing BMC Atrium Single Sign-On 8.1.00 Patch 3, see Patch 3
for version 8.1.00: 8.1.00.03 (see page 17).

Corrected issues (see page 18)
Installing the patch (see page 18)

Note
BMC Atrium Orchestrator Platform 7.7 must use BMC Atrium Single Sign-On 8.1.00 Patch 1 or later.

Corrected issues
To learn about the issues corrected in Patch 2 (8.1.00.02), see Known and corrected issues. Click the Corrected in
column heading to sort the table by version.

Installing the patch


BMC Atrium Single Sign-On Patch 2 features are included in the BMC Atrium Single Sign-On Patch 3 installation. You
can download the 8.1.00.03 installation files from the Licensed Products tab on the BMC Electronic Product
Distribution (EPD) site and perform your normal installation. For instructions about downloading the files that you
need for installation, see Downloading the installation files (see page 44).

Recommendation
Back up BMC Atrium Single Sign-On before proceeding with the patch installation.


To install BMC Atrium Single Sign-On 8.1, see Installing (see page 40).
To perform a silent installation, see Installing silently (see page 112).
To upgrade to BMC Atrium Single Sign-On 8.1.00 Patch 2 from an earlier version (8.1.00 or 8.1.00.01), see
Upgrading.

3.3.3 Patch 1 for version 8.1.00: 8.1.00.01


This topic contains information about fixes in BMC Atrium Single Sign-On 8.1.00 Patch 1 (8.1.00.01), and provides
instructions for downloading and installing the patch.

Note
BMC Atrium Single Sign-On 8.1.00 Patch 1 (8.1.00.01) has been replaced with Patch 3 (8.1.00.03) and can
no longer be downloaded from the BMC Electronic Product Distribution (EPD) site. Patch 3 is a full
installation and includes the fixes that were available in Patch 1 (8.1.00.01). For information about
downloading and installing BMC Atrium Single Sign-On 8.1.00 Patch 3, see Patch 3 for version 8.1.00:
8.1.00.03 (see page 17).

The following topics are provided:
Corrected issues (see page 19)
Installing the patch (see page 19)

Note
BMC Atrium Orchestrator Platform 7.7 must use BMC Atrium Single Sign-On 8.1 Patch 1 or later.

Corrected issues
To learn about the issues corrected in Patch 1 (8.1.00.01), see Known and corrected issues. Click the Corrected in
column heading to sort the table by version.

Installing the patch


BMC Atrium Single Sign-On Patch 1 features are included in the BMC Atrium Single Sign-On Patch 3 installation. You
can download the 8.1.00.03 installation files from the Licensed Products tab on the BMC Electronic Product
Distribution (EPD) site and perform your normal installation. For instructions about downloading the files that you
need for installation, see Downloading the installation files (see page 44).

Recommendation
Back up BMC Atrium Single Sign-On before proceeding with the patch installation.

To install BMC Atrium Single Sign-On 8.1, see Installing (see page 40).
To perform a silent installation, see Installing silently (see page 112).

3.4 Documentation updates after release


This topic contains information about documentation updates for BMC Atrium Single Sign-On that are not
related to urgent issues, maintenance releases, service packs, or patches. These updates are added to the
documentation independent of any specific release.
Added BMC Mobility integration documentation (see page 20)
Added BMC EUEM integration documentation (see page 20)

3.4.1 Added BMC Mobility integration documentation


You can integrate BMC Atrium Single Sign-On with BMC Mobility for supporting Security Assertion Markup
Language (SAML). The typical process for integrating BMC Atrium Single Sign-On with BMC Remedy IT Service
Management (ITSM) is to install BMC Atrium Single Sign-On, install BMC Remedy ITSM, and then integrate Atrium
SSO with ITSM. For more information, see Integrating BMC Mobility for ITSM 8.1.00 (see page 212).

3.4.2 Added BMC EUEM integration documentation


BMC Real End User Experience Monitoring (EUEM) uses the BMC Atrium Single Sign-On (SSO) authentication
system to provide single sign-on and single sign-off. BMC Atrium Single Sign-On allows users to present credentials
only once for authentication and subsequently be automatically authenticated by every BMC product that is
integrated into the system. For more information, see Integrating BMC Real End User Experience Monitoring (see
page 212).

4 Key concepts
For additional information, you can also refer to the following webinar conducted by BMC Support.
You can also connect with other users for related discussions on the BMC Community.
Use this section to get high-level conceptual knowledge that helps you to use the BMC Atrium Single Sign-On
product.
The following topics provide key conceptual information about BMC Atrium Single Sign-On:

BMC Atrium Single Sign-On architecture
BMC Atrium Single Sign-On and OpenAM (see page 22)
Administrator password
Default cookie domain
Log on and log off behavior (see page 24)
Certificates
Authentication chaining
High Availability deployment
JEE filter-based agents

4.1 BMC Atrium Single Sign-On architecture


The benefit to BMC products that have BMC Atrium Single Sign-On as an authentication option is that all of the
authentication protocols supported by BMC Atrium Single Sign-On are available to the product, and any new protocols
added become available without any product changes. The BMC Atrium Single Sign-On server and agents provide the
needed integration into these systems, so a product does not need any adjustments.
The following diagram shows a high-level implementation of BMC Atrium Single Sign-On integration with BMC
Dashboards for BSM, BMC Analytics for BSM, and BMC Remedy IT Service Management.
BMC Atrium Single Sign-On integration with BMC products


4.2 BMC Atrium Single Sign-On and OpenAM


BMC Atrium Single Sign-On is built on the open source project OpenAM. This project has a long history of
providing authentication and authorization across many different platforms by using many authentication
techniques. BMC Atrium Single Sign-On provides a simplified, turnkey system that applies OpenAM technology to
BMC products. Configuration of the servers and agents is automated as much as possible, allowing for easy
adoption.
OpenAM technologies (see page 22)
Atrium Single Sign-On user console access (see page 23)

4.2.1 OpenAM technologies


BMC Atrium Single Sign-On uses a subset of the technologies within the OpenAM project that are required by
BMC products. The current technologies of OpenAM that are certified by BMC Atrium Single Sign-On include:
Authentication schemes - Internal, LDAP, BMC Remedy Action Request (AR) System, Active Directory, RSA
SecurID, Common Access Cards (CAC), ActivIdentity-based, Kerberos, and SAMLv2
Authentication chaining
Groups

Important
BMC Atrium Single Sign-On is certified on the configurations explicitly stated in this document.
Reported defects either found to be unique to an unconfirmed configuration or not reproducible within
a supported environment are addressed at the discretion of BMC. Visit the Customization Policy under
the Support Contacts & Policies link on the BMC support website.

4.2.2 Atrium Single Sign-On user console access


The user console access is through the following URL:
https://<atssohost>:<port>/atriumsso/UI/Login?realm=BmcRealm
This URL can be used to verify the authentication module configuration: you do not need an installed
and configured BMC application to initiate login in order to test the configuration of authentication modules.

4.3 Administrator password


The administrator password is used to access BMC Atrium Single Sign-On through a browser. This access allows
user accounts to be created and other authentication algorithms to be enabled. The administrator password is
also used when integrating application servers that have the BMC Atrium Single Sign-On web agent deployed
with BMC Atrium Single Sign-On.

4.4 Default cookie domain


The default cookie domain value is the network domain of the computer on which you are installing the server. The
default cookie domain is the most restrictive setting. This value controls cookie visibility between
servers within the domain.
By removing domain elements (lowest sub-domain first), the cookie becomes visible to servers outside of the
BMC Atrium Single Sign-On domain. For example, changing the domain adprod.bmc.com to bmc.com gives all of
the servers within the bmc.com domain access to the cookies stored by the server in a user's browser. The danger
of widening cookie visibility is clearest when the value is changed to com, which would give every server in the
internet com domain access to the cookie.

Note
You cannot use sibling domains or cross-domains with BMC Atrium Single Sign-On. For example,
installing the BMC Atrium Single Sign-On server in the remedy.com domain and the AR System server in
the bmc.com domain is not supported. You must move all your computers into the same domain.
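The widening described above (adprod.bmc.com, then bmc.com, then com) and the sibling-domain restriction in the Note can both be checked with ordinary RFC 6265 domain matching. The following Python example is added here and is not code from the page or from BMC; the host names other than the page's own adprod.bmc.com, bmc.com and remedy.com examples are constructed, and the public-suffix set is a tiny constructed subset of the list browsers actually use.

```python
from typing import Dict, List

# Constructed host names for illustration. adprod.bmc.com, bmc.com and
# remedy.com come from the page; the other labels are invented.
HOSTS = [
    "sso.adprod.bmc.com",      # the BMC Atrium Single Sign-On server itself
    "midtier.adprod.bmc.com",  # an integrated product in the same sub-domain
    "www.bmc.com",             # a server elsewhere in bmc.com
    "arsystem.remedy.com",     # a sibling domain (not supported, per the Note)
    "bmc.com.evil.example",    # looks similar but is unrelated
]

# Tiny constructed subset of the Public Suffix List; browsers consult the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "example"}


def domain_match(host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: the host equals the domain, or ends with '.' + domain."""
    host = host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().strip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)


def readers(cookie_domain: str, hosts: List[str] = HOSTS) -> List[str]:
    """Hosts that would receive a cookie whose Domain attribute is cookie_domain."""
    return [h for h in hosts if domain_match(h, cookie_domain)]


def widen(cookie_domain: str) -> str:
    """Drop the lowest sub-domain label, as the page describes: adprod.bmc.com -> bmc.com."""
    labels = cookie_domain.strip(".").split(".")
    return ".".join(labels[1:]) if len(labels) > 1 else ""


def browser_accepts(cookie_domain: str) -> bool:
    """Browsers discard a Domain attribute that is a public suffix such as 'com'
    (RFC 6265 section 5.3, step 5), so the widest setting is not only
    dangerous in principle but also silently ignored by the user agent."""
    domain = cookie_domain.strip(".")
    return domain != "" and domain not in PUBLIC_SUFFIXES


def widening_report(start: str) -> List[Dict[str, object]]:
    """Walk from the installed domain outward and record who could read the cookie."""
    rows = []
    domain = start
    while domain:
        rows.append({
            "domain": domain,
            "accepted_by_browser": browser_accepts(domain),
            "readers": readers(domain),
        })
        domain = widen(domain)
    return rows


if __name__ == "__main__":
    for row in widening_report("adprod.bmc.com"):
        print(row)
```

The report shows why the Note holds: no Domain value covers both bmc.com and remedy.com except the public suffix com, which browsers refuse, so the servers must share a domain.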

4.5 Log on and log off behavior


When using a single sign-on system, the normal authentication behavior is altered. The practice of logging on
when you start a product is automatically performed when the second product is started. This change happens
without any user involvement.
When you log off, you are logged off of all BMC Atrium Single Sign-On integrated products.
If you want to continue working with other BMC products:
Quit the product instead of logging out of BMC Atrium Single Sign-On.
If the product supports application-only log off, log off the application and close the browser.

Important
When quitting a product, the normal behavior is to log off and then quit. This process results in
termination of all the product connections. If you want to continue working with other BMC products,
quit the product that you are finished with, but only log off the last product.

With web applications, the BMC Atrium Single Sign-On authentication status is maintained through sessions
within the web browsers. When web applications share the same browser session, the authentication state with
BMC Atrium Single Sign-On is shared by these applications.
To use a different login ID without logging off BMC Atrium Single Sign-On, you must start a new session in the
web browser. The following table summarizes how to share current sessions and how to create new sessions
with the browsers supported by BMC Atrium Single Sign-On.
Session behavior in supported browsers

Firefox 4
    Share session: New tab, Ctrl-N for new window, or launch from Start menu or shortcut
    New session: Use Private Browsing

Internet Explorer 7
    Share session: New tab or Ctrl-N to create a new window
    New session: Launch new browser using Start menu or shortcut

Internet Explorer 8
    Share session: New tab, Ctrl-N to create a new window, or launch new browser from Start menu or short-cut
    New session: Use New Session in File menu

Internet Explorer 9
    Share session: New tab, Ctrl-N to create a new window, or launch new browser from Start menu or short-cut
    New session: Use New Session in File menu

When BMC products launch a new application, the applications use the process needed to ensure a shared
session and a seamless experience.

4.6 Certificates
The default Tomcat server used by BMC Atrium Single Sign-On uses a keystore and a truststore for secure
(HTTPS/TLS/SSL) communications. These communications occur when:
the admin console is accessed
users log in to or log out of the system
an external LDAP server is accessed over TLS/SSL
SAMLv2 metadata is exchanged
users authenticate with a Common Access Card (CAC)
The keystore contains the information used to identify the BMC Atrium Single Sign-On server to remote servers
and users. The truststore is used to hold the certificates of remote servers, users and signing authorities that are
to be trusted by the BMC Atrium Single Sign-On server.
These files are stored in the following directory:
<installationDirectory>/BMC Software/AtriumSSO/tomcat/conf
The initial keystore created during the installation uses a self-signed certificate. This certificate causes browsers
and other programs to warn users that the certificate is not trusted each time the user authenticates.
This certificate warning can be prevented by doing one of the following:
Permanently importing the self-signed certificate into the user's truststore.
Obtaining and importing a signed identity certificate from a trusted Certificate Authority (CA).
The CA vouches for the authenticity of the server's identity when the user visits BMC Atrium Single Sign-On for
authentication. In this case, the user has an established trust relationship with the CA, and this relationship is
extended to BMC Atrium Single Sign-On after a digitally signed identity certificate is imported.

4.6.1 Certificate Signing Request


A CA-signed certificate is obtained by generating a Certificate Signing Request (CSR):
The output from the command must be sent to the CA for a digital signature. After the signed identity certificate
is returned, the next step is to import it into the keystore, where it replaces the current
self-signed certificate.


The keytool utility is used to obtain a CSR, to obtain a signed certificate, and to import the signed certificate in
order to replace the self-signed certificate. This tool is available with Oracle JDKs and BMC Atrium Single
Sign-On.

Note
When importing the newly signed certificates, you must first import the CA root certificates and
intermediate certificates, if required.

4.6.2 New CA certificates


Adding another certificate is necessary when:
CAC authentication is used
LDAP is used with SSL/TLS
Department of Defense (DoD) issues new CA certificates
the CA certificates used to create a signed certificate for the BMC Atrium Single Sign-On server are not already
within the truststore
The keytool utility is used to import a new CA certificate into the BMC Atrium Single Sign-On truststore.

4.6.3 Related topics


Managing keystores with a keytool utility (see page 239)
Generating self-signed certificates (see page 249)

4.7 Authentication chaining


An Authentication Chain is the object used by BMC Atrium Single Sign-On for specifying how authentication is to
be performed. A chain can be a single authentication module or a combination of multiple authentication
modules. Chaining allows different modules to act as a single authority.
In its simplest form, an authentication chain consists of only a single authentication module. A chain can also be a
complex combination of multiple authentication modules joined to validate the credentials that are used to
authenticate a user. Through chaining, different modules can be merged to appear as a single authority.
For example, if two organizations merge to form a new, single organization, then the authentication system from
each organization could be used as a module within a single chain.
The effect of combining these modules into this single chain is that the users only provide credentials to a
single authority.
The chain can be configured to check each of the modules until the user is authenticated.


This chaining creates the perception of a merged authority despite the reality of multiple, disparate
systems that are actually employed.
Authentication chains allow the combination of authentication modules to process authentication requests. One
of the best uses for combining modules is to merge different authentication schemes to appear as a single
authentication scheme.
For example, when two departments have their own LDAP servers, these two servers could be put into a single
chain and users would appear to validate against a single authority.
The processing of the chain to determine the overall status of authentication is controlled by the criteria specified
for each of the modules in the chain. The following figure illustrates authentication chaining where authentication
modules are tried in an ordered sequence.

4.7.1 Authentication chaining example

The overall status is successful if all of the Required and Requisite modules pass before either the end of the chain
or the first successful Sufficient module. When there are no Required or Requisite modules, at least one
Sufficient or Optional module must authenticate the user. See Managing authentication modules (see page 271).
In the chaining process for the above example illustration, three LDAP servers combined into a single authority
would be processed as follows:
1. Check with LDAP A
   Pass: Stop processing and accept user
   Fail: Proceed to next
2. Check with LDAP B
   Pass: Stop processing and accept user
   Fail: Proceed to next
3. Check with LDAP C
   Pass: Stop processing and accept user
   Fail: Stop processing and reject user
With this configuration, the first LDAP server is presented the user credentials for authentication. If the
authentication succeeds, then processing stops with the user being authenticated. If the user is not within the
first LDAP server, then the credentials are passed to the second LDAP server. Each server is checked in the
sequence specified until either the user passes and is considered successfully authenticated, or the user fails to
authenticate and is rejected.
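The following Python script is an added example; it is not part of the BMC documentation and not the product's implementation. It implements the chain semantics described above (the four control flags, the early exit on the first successful Sufficient module, the short-circuit on a failed Requisite module) and runs the three-LDAP case from the illustration. The "LDAP servers" are stand-ins backed by constructed in-memory user tables, and the chain and module names are assumptions for illustration only.

```python
"""JAAS-style evaluation of an authentication chain (added illustration, not BMC code)."""
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Flag(Enum):
    """Control flags for a module in a chain."""
    REQUIRED = "required"      # must pass; on failure the chain keeps running but fails overall
    REQUISITE = "requisite"    # must pass; on failure the chain stops immediately and fails
    SUFFICIENT = "sufficient"  # on success the chain stops and succeeds, unless a required module already failed
    OPTIONAL = "optional"      # counts only when the chain has no required/requisite modules


# A module takes (user, password) and answers True only when the credentials are valid.
Module = Callable[[str, str], bool]


@dataclass(frozen=True)
class ChainEntry:
    name: str
    flag: Flag
    module: Module


def ldap_module(directory: Dict[str, str]) -> Module:
    """Stand-in for one LDAP server. `directory` is a constructed user->password table, not a real
    bind; the comparison is constant-time, as a real credential check should be."""
    def check(user: str, password: str) -> bool:
        stored = directory.get(user)
        return stored is not None and hmac.compare_digest(stored.encode(), password.encode())
    return check


def evaluate_chain(chain: List[ChainEntry], user: str, password: str) -> Tuple[bool, List[str]]:
    """Run the chain in order; return (authenticated?, trace of the modules actually consulted)."""
    trace: List[str] = []
    required_seen = False
    required_failed = False
    sufficient_or_optional_passed = False

    for entry in chain:
        ok = entry.module(user, password)
        trace.append(f"{entry.name}:{entry.flag.value}:{'pass' if ok else 'fail'}")

        if entry.flag in (Flag.REQUIRED, Flag.REQUISITE):
            required_seen = True
            if not ok:
                required_failed = True
                if entry.flag is Flag.REQUISITE:
                    break  # a failed requisite module ends the chain at once
        elif entry.flag is Flag.SUFFICIENT:
            if ok:
                sufficient_or_optional_passed = True
                if not required_failed:
                    break  # first successful sufficient module ends the chain
        elif ok:  # OPTIONAL
            sufficient_or_optional_passed = True

    if required_failed:
        return False, trace
    if required_seen:
        return True, trace  # every required/requisite module that was consulted passed
    return sufficient_or_optional_passed, trace


# Constructed sample directories standing in for three departmental LDAP servers.
LDAP_A = ldap_module({"alice": "a-secret"})
LDAP_B = ldap_module({"bob": "b-secret"})
LDAP_C = ldap_module({"carol": "c-secret"})

# The page's example: three servers merged into one authority, first match wins.
THREE_LDAP_CHAIN = [
    ChainEntry("LDAP A", Flag.SUFFICIENT, LDAP_A),
    ChainEntry("LDAP B", Flag.SUFFICIENT, LDAP_B),
    ChainEntry("LDAP C", Flag.SUFFICIENT, LDAP_C),
]

# Variation (assumed for illustration): LDAP A is the authority of record and must answer before B is tried.
GATED_CHAIN = [
    ChainEntry("LDAP A", Flag.REQUISITE, LDAP_A),
    ChainEntry("LDAP B", Flag.OPTIONAL, LDAP_B),
]

if __name__ == "__main__":
    for chain, creds in ((THREE_LDAP_CHAIN, ("bob", "b-secret")),
                         (THREE_LDAP_CHAIN, ("bob", "wrong")),
                         (GATED_CHAIN, ("bob", "b-secret"))):
        accepted, steps = evaluate_chain(chain, *creds)
        print(creds[0], "->", "accepted" if accepted else "rejected", steps)
```

The trace is the part worth keeping in a real deployment: it shows which directory actually answered, which is what you need when a user is unexpectedly accepted by a server that should no longer hold their account.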

4.8 High Availability deployment


The following figure shows a typical deployment scenario of BMC Atrium Single Sign-On operating in a High
Availability (HA) environment. Two BMC Atrium Single Sign-On servers are installed to form a cluster. A load
balancer is used as a front end to the cluster, giving the external applications the appearance of a single server.
The load balancer distributes requests among BMC Atrium Single Sign-On servers. In the event of a system failure,
the load balancer re-directs requests to the remaining servers.
When operating as a cluster, BMC Atrium Single Sign-On functions as a single virtual server. Therefore,
certain configuration information is shared between nodes: when one node is configured, the other
nodes receive the same information.
The following information is global to all nodes in the cluster:
Administrative accounts
Authentication
User profiles
Data stores
User accounts (internal LDAP)
Typical HA deployment

When configured, BMC Atrium Single Sign-On server nodes communicate with each other through the LDAP and
HTTPS ports. These ports are specified during installation. The following figure shows the communication
between the nodes and the load balancer.
Communication between BMC Atrium Single Sign-On nodes and a load balancer

4.9 JEE filter-based agents


With this release of BMC Atrium Single Sign-On, a lightweight agent is available for use by BMC applications. This
section describes how the configuration items apply to this newer agent.
In addition to functioning as the central server, BMC Atrium Single Sign-On uses agents which are integrated into
each of the BMC products. These agents perform the following functions:
Accessing authentication services
Coordinating with the server to authenticate users
Validating existing authentications
For more information about agent configuration parameters, see Agent manager.

5 Planning
The following topics provide information and instructions for planning a BMC Atrium Single Sign-On installation
and configuration:

Note
All products that run in BMC Remedy AR System support BMC Atrium Single Sign-On including AR
System Mid-tier products (BMC Remedy ITSM, BMC Atrium Core, BMC Atrium CMDB, and so on), BMC
Atrium Dashboard and Analytics, BMC IT Business Management Suite, BMC ProActive Performance
Management (version 9.0), and BMC Capacity Optimization.

Checking the compatibility matrix for system requirements and supported configurations
End-to-end BMC Atrium Single Sign-On process
BMC Atrium Single Sign-On using SAMLv2 deployment example (see page 31)

5.1 Checking the compatibility matrix for system requirements and supported configurations

Consult the BMC Remedy and BMC Atrium product compatibility information for the 8.0 system configuration
information.

5.1.1 To access the compatibility matrixes


1. Navigate to http://www.bmc.com/support/product-availability-compatibility.
2. Click BMC Solution and Product Availability and Compatibility Utility .
3. In the Product Name field, enter the product name, for example:
BMC Atrium CMDB Enterprise Manager
BMC Atrium CMDB Suite
4. In the Product Version field, enter the version number.
5. In the Select Component field, enter BMC Atrium Single Sign-On.
6. Review the compatibility information listed in the tabs at the bottom of the page.

Note
To access the product compatibility information on the Customer Support website, you must have a
Support login.

5.2 End-to-end BMC Atrium Single Sign-On procedure


This topic provides a high-level process of what you need to do to set up and configure BMC Atrium Single
Sign-On with BMC products.

1. Review the information that you need to understand prior to installing, such as the What's new (see page
12), Key concepts (see page 20), Planning (see page 29), Preparing for installation topics.
2. Install BMC Atrium Single Sign-On. See Installing (see page 40) for the different installation options, such
as High Availability (HA).
3. Install other BMC products for integrating with BMC Atrium Single Sign-On.
For information about integrating and configuring BMC Remedy AR System version 8.1, see Installing
BMC Atrium Single Sign-On with the AR System server and Mid Tier (see page 79).
For information about integrating and configuring BMC Remedy AR System version 8.0, see
Integrating BMC Atrium Single Sign-On with AR System Version 8.0.00.
For information about other BMC product integration, such as BMC Dashboards and Analytics for
BSM, see Integrating.
4. Configure your method of authentication. See Configuring after installation. The following are the
authentication module sections:
Using AR for authentication
Using SAMLv2 for authentication
Using Kerberos for authentication (see page 132)
Using CAC for authentication
Using LDAP (Active Directory) for authentication
Using RSA SecurID for authentication
5. If you implement multiple authentication methods, see Managing authentication modules (see page 271).
6. Create and manage users and user groups. See Managing users (see page 264) and Managing user groups
(see page 268).

5.3 BMC Atrium Single Sign-On using SAMLv2 deployment example

This topic provides an example of how BMC Atrium Single Sign-On using Security Assertion Markup Language 2.0
(SAMLv2) can be deployed.

Business value (see page 32)


Federated authentication and SAML (see page 32)
Deployment architecture (see page 33)
Deployment model (see page 35)
Deployment tasks (see page 37)
Deployment parameters (see page 38)
Related topics (see page 40)

5.3.1 Business value


This deployment example shows you how BMC Atrium Single Sign-On uses SAMLv2 authentication. Single
sign-on means that you only need to present credentials once for authentication, and you are subsequently
automatically authenticated by every BMC product that is integrated into the system. This means that if you are
looking at a report that has links to incident or change records, you can click on the link and go directly to the
records without logging in again.
An additional important value is that with federated authentication the user logon credentials (for example, user
name and password) are not exposed to the Service Provider (SP) and are not sent over the internet. The
authentication is done on premise by the Identity Provider (IdP).

5.3.2 Federated authentication and SAML


SAMLv2 is an XML-based OASIS standard for exchanging user identity and security attribute information. It uses
security tokens containing assertions to pass information about a principal (usually an end user) between an
Identity Provider (IdP) and a web service.
SAMLv2 enables federated authentication between your environment and the BMC Remedy applications. When
using SAMLv2, the BMC Remedy infrastructure is defined as a Service Provider (SP), and your infrastructure that
performs the user authentication is the IdP. With SAMLv2 enabled, a user that tries to access BMC Remedy
applications without having previously authenticated is redirected to your IdP. After authentication, the user is
redirected back to the originally requested resource (BMC Remedy application).

Note
Although SAMLv2 supports both IdP-initiated single sign-on and SP-initiated single sign-on, SP-initiated
single sign-on is essential to allow specific use cases for deep linking to specific pages and resources in
the applications (for example, a notification URL that contains a link to a specific BMC Remedy ITSM
form and record).

Configuration of SAMLv2 integration is largely the exchange of SAMLv2 metadata between your environment and
the BMC Remedy environment. You provide IdP metadata, which defines the URLs that you use for SAMLv2 and
the certificate used to validate the signatures on assertions. The BMC Remedy infrastructure provides SP metadata
so that you can preregister the BMC Remedy SP in your SAMLv2 infrastructure as required.
For more information about SAMLv2, see Using SAMLv2 for authentication.
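The following Python script is an added example, not BMC code and not the Atrium SSO implementation. It shows both halves of the configuration described above in code: it parses a constructed IdP metadata document to extract the entityID, signing certificate, and SSO/SLO endpoints that the SP must trust, refusing metadata with no signing certificate or with plain-HTTP endpoints, and then builds the SP-initiated HTTP-Redirect AuthnRequest that sends an unauthenticated browser to the IdP with the deep link preserved in RelayState. All hostnames, URLs, and the certificate body are placeholders, and the AuthnRequest is left unsigned (a production SP would add SigAlg and Signature parameters as the Redirect binding allows).

```python
"""Parse SAMLv2 IdP metadata and build an SP-initiated AuthnRequest (added illustration, not BMC code)."""
import base64
import urllib.parse
import uuid
import xml.etree.ElementTree as ET
import zlib
from datetime import datetime, timezone
from xml.sax.saxutils import escape

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed IdP metadata: hostnames and the certificate body are placeholders, not real values.
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="{SAMLP}">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIIC...PLACEHOLDER...BASE64
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="{REDIRECT}" Location="https://idp.example.com/saml/slo"/>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://idp.example.com/saml/sso"/>
    <md:SingleSignOnService Binding="{POST}" Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract what the SP must trust: entityID, signing certificate(s), SSO and SLO endpoints.
    Rejects metadata that could not validate assertions or that uses plain-HTTP endpoints."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")

    certs = []
    for kd in idp.findall(f"{{{MD}}}KeyDescriptor"):
        if kd.get("use", "signing") != "signing":  # no 'use' attribute means signing and encryption
            continue
        for cert in kd.iter(f"{{{DS}}}X509Certificate"):
            certs.append("".join((cert.text or "").split()))  # drop PEM-style line breaks
    if not certs:
        raise ValueError("no signing certificate: assertions could not be validated")

    def endpoints(tag: str) -> dict:
        found = {}
        for ep in idp.findall(f"{{{MD}}}{tag}"):
            location = ep.get("Location", "")
            if not location.startswith("https://"):
                raise ValueError(f"{tag} endpoint is not HTTPS: {location}")
            found[ep.get("Binding", "")] = location
        return found

    return {"entity_id": root.get("entityID"), "signing_certs": certs,
            "sso": endpoints("SingleSignOnService"), "slo": endpoints("SingleLogoutService")}


def _deflate_b64(text: str) -> str:
    """Raw DEFLATE then base64, as the HTTP-Redirect binding requires (no zlib header or trailer)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(text.encode()) + comp.flush()).decode()


def build_sp_initiated_redirect(idp: dict, sp_entity_id: str, acs_url: str, relay_state: str,
                                request_id: str = "", issue_instant: str = "") -> str:
    """URL the SP redirects an unauthenticated browser to. RelayState carries the deep link
    (the originally requested page) so the user lands there once the IdP has answered."""
    sso = idp["sso"]
    if REDIRECT not in sso:
        raise ValueError("IdP offers no HTTP-Redirect SingleSignOnService")
    request_id = request_id or "_" + uuid.uuid4().hex  # SAML IDs must start with a letter or '_'
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

    def attr(value: str) -> str:  # XML attribute escaping for configured values
        return escape(value, {'"': "&quot;"})

    authn_request = (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{attr(request_id)}" '
        f'Version="2.0" IssueInstant="{attr(issue_instant)}" Destination="{attr(sso[REDIRECT])}" '
        f'ProtocolBinding="{POST}" AssertionConsumerServiceURL="{attr(acs_url)}">'
        f"<saml:Issuer>{escape(sp_entity_id)}</saml:Issuer></samlp:AuthnRequest>"
    )
    query = urllib.parse.urlencode({"SAMLRequest": _deflate_b64(authn_request), "RelayState": relay_state})
    return f"{sso[REDIRECT]}?{query}"


def decode_redirect(url: str) -> tuple:
    """What the IdP does on receipt: returns (AuthnRequest XML, RelayState)."""
    params = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    xml_text = zlib.decompress(base64.b64decode(params["SAMLRequest"][0]), -15).decode()
    return xml_text, params.get("RelayState", [""])[0]
```

Two checks belong on the return leg that this script does not show: the SP must verify the assertion signature against the certificate extracted here (not against whatever certificate the response happens to carry), and it must validate RelayState against the SP's own hostnames before redirecting, since an unchecked RelayState is an open redirect.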

5.3.3 Deployment architecture


This deployment example consists of the following components:
In the BMC environment:
BMC Remedy web applications supporting BMC Atrium Single Sign-On
BMC Atrium Single Sign-On agents which are add-ons to any BMC Remedy web application
BMC Atrium Single Sign-On server which serves as the SP and runs as a web application on the
Apache Tomcat server
In your environment:
You use a browser to access BMC Remedy applications.
An authentication server is responsible for your users authentication, which is usually located on
premise. This is the IdP component.
The SAMLv2 IdP server and the BMC Atrium Single Sign-On SP server are connected by a trust relationship
(federation) so that they can honor each other's authentication information.
The following sequence diagram shows the interactions between BMC Atrium Single Sign-On and SAMLv2
components. These interactions are listed in the sequential order that they occur.
BMC Atrium Single Sign-On and SAMLv2 components sequence diagram

The following sequence diagram illustrates the flow of events and the interaction between components for single
log off (SLO):
Single log off sequence diagram

5.3.4 Deployment model


The following diagram shows the components that are part of this deployment example:

A load balancer or reverse proxy is placed in front of the application servers and routes inbound connections
to the appropriate target web server. Load balancers are used to distribute the workload and optimize
application performance. Reverse proxies are used to distribute the workload, optimize application
performance, and hide the existence and characteristics of the internal servers.
BMC Remedy Mid Tier is deployed on a separate virtual machine (VM).
A second BMC Remedy Mid Tier and the BMC Atrium Single Sign-On server are deployed on another VM, but on
two different Apache Tomcat servers.
BMC Dashboards for Business Services Management and BMC Analytics for Business Services Management
are deployed on two different VMs to avoid performance issues.
The browser and the SAMLv2 IdP server are deployed from your environment.

5.3.5 Deployment tasks


The following table lists the main steps involved in installing and configuring the deployed BMC Products with
BMC Atrium Single Sign-On with SAMLv2 authentication where BMC Atrium Single Sign-On is configured as an SP
with a remote IdP.

Note
Review the Deployment parameters (see page 38) list before starting the deployment tasks.

Step  Task
1.    Install BMC Atrium Single Sign-On.
2.    Install BMC Remedy AR System server.
3.    Install the BMC Remedy Mid Tier.
4.    (Optional) Configure your load balancer or reverse proxy.
      Note: For more information, see Troubleshooting redirect URLs (see page 343).
5.    Run the SSOARIntegration utility on the AR System server (see page 88).
6.    Run the SSOMidtierIntegration utility on the BMC Remedy Mid Tier (see page 92).
7.    Configure group mapping for the AR System and BMC Atrium Single Sign-On (see page 91).
8.    Configure the BMC Atrium Single Sign-On server for AR System (see page 97).
      Note: Although the AR authentication module must be configured, you must delete the AR user stores when
      using SAMLv2 for authentication. The AR data store is not needed for authentication in a SAMLv2 deployment.
9.    Run a health check on the BMC Atrium Single Sign-On installation.
10.   Configure BMC Atrium Single Sign-On to use SAMLv2 authentication with BMC Atrium Single Sign-On as a
      Service Provider and a remote Identity Provider.
      Note: Each time a BMC product is integrated (steps 10-12) with the BMC Atrium Single Sign-On Service
      Provider, the J2EE agent configuration must be modified so that the integrating product can participate in
      federated single sign-on.
11.   (Optional) Integrate BMC Dashboards for Business Service Management (see page 198) and configure it.
      Note: For more information, see the BMC Dashboards for Business Service Management Installation Guide at PDFs.
12.   (Optional) Integrate BMC Analytics for Business Service Management (see page 199) and configure it.
      Note: For more information, see Installing.
13.   (Optional) Integrate BMC IT Business Management Suite (see page 204).
      Note: For more information, see Installing.

5.3.6 Deployment parameters


The deployment environment assumes Microsoft Windows 2008, Microsoft SQL Server 2008, newly installed Tomcat
instances, and that the installation defaults are accepted. It also assumes that BMC Remedy AR System server
groups and BMC Atrium Single Sign-On high availability (HA) are not deployed.
The BMC Atrium Single Sign-On authentication method is SAMLv2, where BMC Atrium Single Sign-On is configured
as a Service Provider (SP) with a remote Identity Provider (IdP).

Important
BMC recommends that you install the BMC Remedy Mid Tier, BMC Remedy AR System server, and BMC
Atrium Single Sign-On server on separate computers.
However, if you do install more than one BMC Product on the same computer, ensure that the HTTP,
HTTPS, and Shutdown port numbers are different.

The following parameters are set in deployment of the following BMC Products and BMC Atrium Single Sign-On
authentication:
BMC Remedy AR System
BMC Remedy Mid Tier
BMC Atrium Single Sign-On
SAMLv2 authentication where BMC Atrium Single Sign-On is configured as an SP with a remote IdP.
BMC Dashboards for BSM
BMC Analytics for BSM
Product install/configuration: Parameter - Description

AR System installation
  Planning spreadsheet - Complete the Planning Spreadsheet on BMC Remedy AR System 8.1.

Mid Tier installation
  Planning spreadsheet - Complete the Planning Spreadsheet on BMC Remedy AR System 8.1.

Atrium SSO installation
  FQDN of host name - The Fully Qualified Domain Name (FQDN) for the host. For example, ssoserver.bmc.com.
  HTTP, HTTPS, Shutdown port numbers - If BMC Atrium Single Sign-On is installed on the same computer as
  another BMC product, provide port numbers that are different from the other BMC product.
  Cookie domain - The cookie name is the name of the cookie that the agent checks for the SSO session token.
  It must match the cookie name in the server configuration. For example, atsso_bmc_com.
  Atrium SSO server password - The password for the BMC Atrium Single Sign-On server. Default: amadmin.
  This is the administrative credential for the whole SSO deployment; do not leave it at the default.

AR System integration
  AR Server Name - The AR server name. For example, arsystemserver.bmc.com.
  AR Server User - The AR server user. For example, Demo.
  AR Server Password - The AR server password. For example, Demo.
  AR Server Port - The AR server port. For example, 0.
  Atrium SSO URL - URL for the BMC Atrium Single Sign-On server. For example,
  https://ssoserver.bmc.com:8443/atriumsso
  SSO Admin Name - The BMC Atrium Single Sign-On administrator name. Default: amadmin.
  SSO Admin Password - The BMC Atrium Single Sign-On administrator password.
  truststore - (Optional) The truststore path.
  truststore-password - (Optional) The truststore password.
  force - (Optional) If Yes, the utility does not wait for you to shut down the web server (if it is not already
  shut down) when the web server is something other than Tomcat or JBoss. Default: No.

Mid Tier integration
  AR Server Name - The AR server name from the AR System integration. For example, arsystemserver.bmc.com.
  AR Server User - The AR server user from the AR System integration. For example, Demo.
  AR Server Password - The AR server password from the AR System integration. For example, Demo.
  AR Server Port - The AR server port from the AR System integration. For example, 0.
  Container Type - Supported container types are JBOSSV4, JBOSSV5, SERVLETEXECV5, SERVLETEXECV6,
  TOMCATV5, TOMCATV6, TOMCATV7, WEBSPHEREV6, WEBSPHEREV7, and WEBLOGICV10.
  Web App URL - The Mid Tier URL if a load balancer is not implemented; otherwise, the load balancer URL.
  Provide the server name as a fully qualified domain name and include the port in the URL.
  For example, http://midtierloadbalancer.bmc.com:8080/arsys
  webserverhomedirectory - The web server home directory. For example, C:\Program Files\Apache Software
  Foundation\Tomcat6.
  JREInstallDirectory - Path to the JRE directory. For example, C:\Program Files\Java\jre7
  MidtierHome - Mid Tier home directory. For example, C:\Program Files\BMC Software\ARSystem\midtier
  serverinstancename - The WebSphere instance name (required for a WebSphere server).
  instanceconfigdirectory - The WebSphere configuration directory (required for a WebSphere server).
  weblogicdomainhome - The BEA domain home (required for a WebLogic web application).

AR System external authentication group mapping for SSO
  AR Group Name / LDAP Group Name - Administrator / BmcAdmins

Dashboards installation
  Fully Qualified Host Name - Fully qualified host name of the BMC Atrium Single Sign-On server.
  HTTP, HTTPS, Shutdown Port Number - Port numbers used by the BMC Atrium Single Sign-On server. If BMC
  Atrium Single Sign-On is installed on the same computer as another BMC product, provide port numbers that
  are different from the other BMC product.
  Administrator login name and password - User name and password for the BMC Atrium Single Sign-On server
  administrator.

Analytics installation
  BMC Dashboards administrator Name and Password - User name and password of the BMC Dashboards for BSM
  administrator user. This user must exist in BMC Atrium Single Sign-On.
  Fully Qualified Host Name - Fully qualified host name of the BMC Atrium Single Sign-On server.
  HTTP, HTTPS, Shutdown Port Number - Port numbers used by the BMC Atrium Single Sign-On server. If BMC
  Atrium Single Sign-On is installed on the same computer as another BMC product, provide port numbers that
  are different from the other BMC product.
  Administrator login name and password - User name and password for the BMC Atrium Single Sign-On server
  administrator.

SAMLv2 authentication
  Remote IdP metadata file - The metadata file for the remote Identity Provider (IdP). For example, sso-idp.xml.
  BMC Remedy AR System agent Federated login URL & logout URI - The login and logout URIs are the locations
  to which the agent sends the user's browser when the specified function is needed.
  BMC Dashboards agent Federated login URL & logout URI - The login and logout URIs are the locations to
  which the agent sends the user's browser when the specified function is needed.
  BMC Analytics agent Federated login URL & logout URI - The login and logout URIs are the locations to which
  the agent sends the user's browser when the specified function is needed.

5.3.7 Related topics


Using AR for authentication
Using SAMLv2 for authentication
Agent manager

6 Installing
The BMC Atrium Single Sign-On server component is available for download from the BSM EPD site at
http://webapps.bmc.com/epd or can be found in the BMC Atrium Shared Components box.
The typical method to integrate BMC Atrium Single Sign-On with BMC Remedy AR System or any other BMC product
is to:
1. Install BMC Atrium Single Sign-On.


2. Install BMC Remedy AR System or other BMC products.
3. Integrate with BMC Remedy AR System or other BMC products.

Important
BMC recommends that you install the BMC Remedy Mid Tier, BMC Remedy AR System server, and BMC
Atrium Single Sign-On server on separate computers.
However, if you do install more than one BMC Product on the same computer, ensure that the HTTP,
HTTPS, and Shutdown port numbers are different.

The following topics provide information and instructions for installing BMC Atrium Single Sign-On:

Preparing for installation


Installation options (see page 48)
Configuring Terminal Services and DEP parameters
Installing BMC Atrium Single Sign-On as a standalone (see page 50)
Installing BMC Atrium Single Sign-On as a High Availability cluster (see page 55)
Installing BMC Atrium Single Sign-On on an external Tomcat server (see page 72)
Installing BMC Atrium Single Sign-On with the AR System server and Mid Tier (see page 79)
Installing silently (see page 112)
Uninstalling BMC Atrium Single Sign-On (see page 117)

6.1 Preparing for installation


Review or perform the following tasks before you start installing.
1. Review the Planning (see page 29) topics.
2. Review the Prerequisites for installation (see page 42) and update your environment.
3. Review the Compatibility matrix.
4. Download the installation files (see page 44).

6.1.1 Prerequisites for installation


This topic describes the prerequisites for installing BMC Atrium Single Sign-On.

Warning
If you have not met all of the requirements before you begin the installation, you might have issues with
the installation. You must fulfill the requirements on this page before you begin the installation.

Limitation (see page 42)


Access and permissions (see page 43)
Disk space requirements (see page 43)
Memory requirements (see page 43)
Log file memory requirements (see page 43)
System requirements (see page 43)
Entropy level requirements (see page 44)
Firewalls (see page 44)

Limitation
Do not deploy BMC Atrium Single Sign-On on an Network File System (NFS) file system.

Access and permissions


If you are a non-root runtime user of the BMC Atrium Single Sign-On web container instance, you must be
able to write to your own home directory.
(Microsoft Windows) You must have administrator privileges.
(UNIX) You can be any user. However, root privileges are required to set up auto-startup of the services.

Disk space requirements


This section contains information about prerequisite storage space requirements for installation and log files.
Before installing BMC Atrium Single Sign-On, you must have at least the following available disk space:
(Microsoft Windows) 650 MB
(Linux) 750 MB
(Oracle Solaris) 850 MB

Memory requirements
If you are installing BMC Atrium Single Sign-On on an external Tomcat server, 1024 MB of RAM is required. For an
external Tomcat 7 server with JDK 1.7, increase the memory by an additional 20 percent, to a minimum of 1.2 GB.

Log file memory requirements


An additional 7-10 GB of space is recommended for log file growth, depending on the volume of users and
products integrating with the BMC Atrium Single Sign-On server.
To manage log file storage space effectively, perform the following tasks:
Delete the debug log files periodically, especially if the debug level is set to message.
Check the .access and .error log files periodically in the logs directory.
Consider configuring the log rotation to delete the oldest log files.

System requirements
If you are installing BMC Atrium Single Sign-On on Red Hat Enterprise Linux (RHEL) 6.x, you must install the
following 32-bit RPM packages to make 32-bit JRE support and the installer's user interface available:
glibc.i686
libXtst.i686

Entropy level requirements

If you are installing BMC Atrium Single Sign-On on Red Hat Enterprise Linux computers and the entropy level on
the server is under 150, you might experience installation issues. If an installation or silent installation aborts
suddenly, finishes very quickly, or takes a long time to complete, the computer might be experiencing low
entropy issues. To avoid these issues, perform the following tasks:
Verify the level of entropy in the entropy_avail file:
    cat /proc/sys/kernel/random/entropy_avail
If the level of entropy is less than 150, either restart the computer or run the following commands as the root
user. Running the commands is the preferred option because the rngd daemon also maintains the entropy level
after installation. If your server has a low entropy level, configure it to run these commands at startup:
    yum install rng-tools
    echo 'EXTRAOPTIONS="-i -o /dev/random -r /dev/urandom -t 10 -W 2048"' >> /etc/sysconfig/rngd
    chkconfig rngd on
    service rngd restart
Note that with -r /dev/urandom, rngd feeds the kernel's own pseudo-random output back into /dev/random. This
stops the installer from blocking, but it does not add real entropy to the pool. Where a hardware random number
source is available (for example, a TPM, a CPU with RDRAND, or a virtio-rng device on a virtual machine), point
rngd at that device instead of /dev/urandom.

Firewalls
The ports that you selected when you installed the BMC Atrium Single Sign-On server must be accessible from
the clients that are authenticated through the server. Configure the firewalls to allow access to the HTTPS port
used for authentication, as well as the LDAP and Apache MQ ports in the nodes of a cluster.

6.1.2 Downloading the installation files


This topic provides instructions for downloading the files that you need for installation. The latest BMC Atrium
Single Sign-On GA version on the BMC Electronic Product Distribution (EPD) website is 8.1.00.03.
Files to download (see page 44)
To download the files (see page 45)
Enabling search in the offline documentation (see page 47)
Where to go from here (see page 47)

Files to download
The following table provides the product files available on the BMC EPD website for BMC Atrium Single Sign-On.
You can find the installer and documentation related to BMC Atrium Single Sign-On version 8.1.00.03 on the
Products tab itself.

Note
BMC Atrium Single Sign-On is provided with the ESM solution suites. On the BMC EPD website, you
must visit the download sections for BMC Remedy IT Service Management, BMC ProactiveNet
Performance Management, BMC BladeLogic Automation, or BMC Application Management suites to
obtain the latest version of BMC Atrium Single Sign-On.

You can download the latest installer files from any of the ESM solution suites on the EPD web site. For example,
BMC Remedy IT Service Management Suite > BMC Remedy IT Service Management Suite 8.1.00 - OperatingSystem >
BMC Atrium Single Sign-On Version 8.1.00 for OperatingSystem

Hyperlink on EPD page - File names on EPD page
BMC Atrium Single Sign-On Version 8.1.00.03 - Microsoft Windows - BMCAtriumSSO8.1.00.03.windows.zip
BMC Atrium Single Sign-On Version 8.1.00.02 - Oracle Solaris - BMCAtriumSSO8.1.00.03.solaris.tar.gz
BMC Atrium Single Sign-On Version 8.1.00.02 - Linux (for AIX) - BMCAtriumSSO8.1.00.03.linux.tar.gz
BMC Atrium Single Sign-On Version 8.1.00.03 Documentation - BMCAtriumSSO_8.1_Patch3_Help.zip
  This zip file contains an archived version of the online documentation for BMC Atrium Single Sign-On 8.1. For
  the latest and most comprehensive content, see the BMC Online Technical Documentation portal
  (docs.bmc.com) for this release.

Note
The installation files for BMC Atrium Single Sign-On versions 8.1.00.02 have been replaced with the
installation files for version 8.1.00.03, and can no longer be downloaded from the EPD site. Patch 3 for
BMC Atrium Single Sign-On 8.1.00 (8.1.00.03) is a full installation and includes the fixes that were
available in Patch 1 and Patch 2 (8.1.00.01 and 8.1.00.02). You can download the Patch 3 installation files
from the BMC EPD site and perform your normal installation.

To download the files


The product files that you download from the EPD website might contain some or all of the patches listed on a
product's Customer Support web page. If the EPD page shows that a patch is included in a file you downloaded,
you do not need to obtain that patch separately.
1. Create a directory in which to place the downloaded files.

Note
On Microsoft Windows computers, ensure that the directory is only one level into the directory
structure. The EPD package creates a directory in the temporary directory when you extract the
files, and the directory that contains the installation image should not be in a directory deeper
than two levels into the directory structure.

2. Go to http://www.bmc.com/available/epd.html.
3. At the logon prompt, enter your user ID and password, and click Submit.
4. On the Export Compliance and Access Terms page, provide the required information, agree to the terms of
the agreements, and click Continue.
5. If you are accessing this site for the first time, create an EPD profile to specify the languages and platforms
that you want to see, per the EPD site help; otherwise, skip to step 6.
6. Verify that the correct profile is displayed for your download purpose, and select the Licensed Products
tab.

Note
BMC Atrium Single Sign-On 8.1.00 Patch 3 (8.1.00.03) installation files are available on the
Licensed Products tab.

7. Locate the solution for which you are using BMC Atrium Single Sign-On, such as BMC Remedy IT Service
Management Suite, and expand its entries.

Note
Because BMC Atrium Single Sign-On is part of the ESM solution suites, you must visit the download
sections for BMC Remedy IT Service Management, BMC ProactiveNet Performance Management,
BMC BladeLogic Automation, or BMC Application Management suites to obtain the latest
version of BMC Atrium Single Sign-On. For the steps in this process, BMC Remedy IT Service
Management is used.

8. Expand the BMC Remedy IT Service Management Suite 8.1.00 directory for the appropriate platform and
language.
9. Expand the BMC Atrium Single Sign-On Version 8.1.00 for OperatingSystem directory for the appropriate
platform and language.
10. Select the check boxes next to the files and documents that you want to download.
11. Click Download (FTP) or Download Manager:
Download (FTP) places the selected items in an FTP directory, and the credentials and FTP
instructions are sent to you in an email message.

Download Manager enables you to download multiple files consecutively and to resume an
interrupted download if the connection drops.
This method requires a one-time installation of the Akamai NetSession client program on the target
computer and is usually the faster and more reliable way to transfer files. A checksum operation is
used to verify file integrity automatically.

Enabling search in the offline documentation

The Offline Documentation - productName version zip file contains an archived version of the online
documentation. For the latest and most comprehensive content, see the BMC Online Technical Documentation
Portal. Search in the offline documentation covers only the local files, and it works only after the archive has
been deployed on a web server.

To enable search in the offline documentation


Deploy the offline documentation on a web server by using one of the following methods:
If this is the first BMC offline documentation archive that you are installing on the web server, extract the
zip file to the web application deployment folder of your web container (servlet container).
For example, with an Apache Tomcat web server, extract the zip file to
<TomcatInstallationDirectory>\webapps
If at least one BMC offline documentation archive is already installed on the web server, perform the
following steps:
1. Extract the zip file to your hard drive.
2. Open the extracted localhelp folder.
3. Copy only the productName version folder and the productName version.map.txt file to the localhelp
folder of your web container (servlet container).
For example, if you are deploying BMC Asset Management 8.1 documentation to an Apache Tomcat web
server, copy the asset81 folder and the BMC Asset Management 8.1.map.txt file to
<TomcatInstallationDirectory>\webapps\localhelp. Do not include the other folders and file.

To view the offline documentation in a browser


Type the following URL:
http://<hostName>:<portNumber>/localhelp/<extractedDocumentationFolder>/Home.html
For example: http://SanJoseTomcat:8080/localhelp/ars81/Home.html

Where to go from here


Carefully review the Prerequisites for installation (see page 42) for your platform and the other tasks
specific to the type of installation you choose.
For installation instructions, see Installing (see page 40).


6.2 Installation options


This topic provides information about the various installation options for BMC Atrium Single Sign-On:

Goal: To integrate BMC Atrium Single Sign-On with Terminal Services. If you are using Terminal Services to
install BMC Atrium Single Sign-On, you must configure the Terminal Services parameters prior to installation.
Reference: Configuring Terminal Services and DEP parameters

Goal: To install BMC Atrium Single Sign-On as a standalone on the provided Tomcat.
Reference: Installing BMC Atrium Single Sign-On as a standalone (see page 50)

Goal: To install BMC Atrium Single Sign-On as a high availability cluster.
Reference: Installing BMC Atrium Single Sign-On as a High Availability cluster (see page 55)

Goal: To install BMC Atrium Single Sign-On with AR System and Mid Tier. These installation instructions are
for BMC Atrium Single Sign-On, AR System, and Mid Tier version 8.1 and later.
Reference: Installing BMC Atrium Single Sign-On with the AR System server and Mid Tier (see page 79)

Goal: To integrate BMC Atrium Single Sign-On with the AR System (version 8.0.00 only) after BMC Remedy
AR System has been installed.
Reference: Integrating BMC Atrium Single Sign-On with AR System (Version 8.0.00 only)

Goal: To install BMC Atrium Single Sign-On on an external Tomcat server.
Reference: Installing BMC Atrium Single Sign-On on an external Tomcat server (see page 72)

Goal: To install BMC Atrium Single Sign-On on an external Tomcat server and enable FIPS-140 mode.
Reference:
1. Configuring an external Tomcat instance for FIPS-140 (see page 76)
2. Installing BMC Atrium Single Sign-On on an external Tomcat server (see page 72)
3. Configuring FIPS-140 mode (see page 251)

6.3 Configuring Terminal Services and DEP parameters


If you are planning to install BMC Atrium Single Sign-On via Terminal Services (Remote Desktop Services), you
must first configure Terminal Services and DEP parameters.

6.3.1 To update Terminal Services configuration options for Windows Server 2008
1. From the Windows Start menu, click Run.
2. Type gpedit.msc, then click OK.
3. Navigate to Computer Configuration > Administrative Templates > Windows Components > Remote
Desktop Services > Remote Desktop Session Host > Temporary Folders.
4. Enable the settings for Do not delete temporary folders on exit and Do not use temporary folders per
session.
5. (optional) Restart the computer.


6. If the settings do not take effect, complete the following steps:
a. From the Windows Start menu, click Run.
b. Type regedit, then click OK.
c. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server.
d. Update PerSessionTempDir to 0 and DeleteTempDirsOnExit to 0.
e. (optional) Restart the computer.

To update Terminal Services configuration options for Windows Server 2003


1. From the Windows Start menu, click Run.
2. Type tscc.msc, then click OK.
3. In Server Settings, set Delete temporary folders on exit to No.
4. Set Use temporary folders per session to No.
5. (optional) Restart the computer.
6. If the settings do not take effect, complete the following steps:
a. From the Windows Start menu, click Run.
b. Type regedit, then click OK.
c. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server.
d. Update PerSessionTempDir to 0 and DeleteTempDirsOnExit to 0.
e. (optional) Restart the computer.

To configure the DEP feature


If you are using the data execution prevention (DEP) feature in Windows, configure DEP for executable programs.

Note
If you do not configure these items before you run the installer, an installer panel appears listing the
steps required to handle these issues.

1. From the Windows Start menu, click Control Panel; then double-click System.
2. Click the Advanced tab.
3. In the Performance area, click Settings.
4. On the Data Execution Prevention tab, verify if the Turn on DEP for all programs and services except those I
select option is selected.
If the Turn on DEP for essential Windows programs and services only option is selected, no configuration is
required.

Note
If you do not select the Turn on DEP for all programs and services except those I select option and then
perform the remaining steps in this procedure, the installer might not run correctly.

5. If the Turn on DEP for all programs and services except those I select option is selected, click Add.
6. Browse to the executable, and then click Open.
The installation program appears in the DEP program area.
7. Click Apply; then click OK.
8. (optional) Restart the computer.

6.4 Installing BMC Atrium Single Sign-On as a standalone


This topic provides instructions for performing a BMC Atrium Single Sign-On standalone installation. In this
installation, a Tomcat server and JVM are installed and properly configured for use by the BMC Atrium Single
Sign-On server. This installation method is the simplest and easiest to perform since all of the administrative and
configuration details are performed by the installation program.


Before you begin (see page 51)


To install BMC Atrium Single Sign-On as a standalone (see page 51)
Where to go from here (see page 54)

6.4.1 Before you begin


Obtain the zipped BMC Atrium Single Sign-On files from the BMC product package via Electronic Product
Download (EPD) or the BMC Atrium Single Sign-On DVD.
If there is already an installation of BMC Atrium Single Sign-On on the target computer, the installer will
not allow another installation. Uninstall the existing version.
Prepare to run the installation program for your operating system.
For example, you must update Terminal Services configuration options and configure the DEP feature if
you are using Windows. For more information, see Configuring Terminal Services and DEP parameters.

Note
The BMC Atrium Single Sign-On Tomcat server cannot be shared with any product (for example, the AR
System server or the BMC Remedy Mid Tier) that integrates with BMC Atrium Single Sign-On. BMC
recommends that you install BMC Atrium Single Sign-On on a different computer than the computer
where you plan to install a BMC product (for example, the AR System server or the BMC Remedy Mid
Tier).

6.4.2 To install BMC Atrium Single Sign-On as a standalone


1. Unzip the BMC Atrium Single Sign-On files.
2. Run the installation program.
The setup executable is located in the Disk1 directory of the extracted files.
(Microsoft Windows) Run setup.cmd.
(UNIX) Run setup.sh (which automatically detects the appropriate subscript to execute).
3. In the lower right corner of the Welcome panel, click Next.
4. Review the license agreement, click I agree to the terms of license agreement, and then click Next.
5. Accept the default destination directory or browse to select a different directory, and then click Next.
6. In the Host Name Information panel, verify that the hostname presented is the Fully Qualified Domain
Name (FQDN) for the host, and then click Next.
Correct the value as needed.
7. Choose to install a non-clustered or clustered Atrium Single Sign-On Server, and then click Next.
Non-clustered Atrium Single Sign-On Server: a standalone Single Sign-On server.


Clustered Atrium Single Sign-On Server: implemented as a redundant system with session failover.
A clustered install requires at least two nodes. For more information, see Installing BMC Atrium Single
Sign-On as a High Availability cluster (see page 55).
8. Verify that Install New Tomcat is selected, and then click Next.
The Tomcat server options are:
Install New Tomcat (default)
Use External Tomcat. See Installing BMC Atrium Single Sign-On on an external Tomcat server (see
page 72) to install with this option.

Note
When installing on Linux servers, you must configure JVM for Tomcat after the installation. For
more information about configuring JVM, see Configuring a JVM for the Tomcat Server (see page
77).

9. Accept the default Tomcat HTTP port number (8080), HTTPS port number (8443), and Shutdown port
number (8005), or enter different port numbers, and then click Next. If any of the port numbers are
incorrect, a panel identifies the incorrect port number and requires you to return to the previous page to
correct the values before proceeding with the installation.

Note
When installing on Linux servers, selecting a port number below 1024 (a privileged port) requires the
server to run as root, or the use of a port forwarding mechanism.

10. Enter a cookie domain, and then click Next.

The domain value of the cookie should be the network domain of BMC Atrium Single Sign-On or one of its
parent domains. For more information, see Default cookie domain.

Note
The higher the level of the selected parent domain, the higher the risk of user impersonation, because
the browser sends the SSO session cookie to every host under that domain.
Top-level domains are not supported (for example, com or com.ca).
You cannot use sibling domains or cross-domains with BMC Atrium Single Sign-On. For example,
installing the BMC Atrium Single Sign-On server in the remedy.com domain and the AR System
server in the bmc.com domain is not supported. You must move all your computers into the same
domain.

11. Enter a strong administrator password (at least 8 characters long), confirm the password, and then click
Next.
The default SSO administrator name is amadmin.

Note
Passwords with special characters must be specified in quotes.

For more information, see Administrator password.


12. Review the installation summary and click Install.
13. Verify that your BMC Atrium Single Sign-On installation was successful by accessing the BMC Atrium Single
Sign-On URL.
a. Navigate to Start > All Programs > BMC Software > BMC Atrium SSO > Administrator to launch the
BMC Atrium SSO Admin Console.
The URL to open the BMC Atrium SSO Admin Console is:
https://<ssoserver>.<domain>:<port>/atriumsso
For example, https://ssoserver.bmc.com:8443/atriumsso
b. When you are prompted that the connection is insecure or untrusted, add the exception and then
continue.
Note: Browsers display this warning because the server's certificate is not issued by a certificate
authority (CA) that the browser trusts. Accepting the exception is fine for this verification step;
before you put the server into use, replace the certificate with one from a trusted CA (see Managing
keystores with a keytool utility).
c. Confirm that you can view the BMC Atrium SSO logon panel.
d. Log on with the SSO administrator name (for example, amadmin) and password.
The BMC Atrium SSO Admin Console appears.
(Click the image to expand it.)


14. (Optional) Create an administrative user account for BMC Products to perform search functions on the
user store (for example, to list user names and emails).
If you are using the BMC Atrium Single Sign-On server's internal LDAP, assign the BMCSearchAdmins
group to the new user account.
If you are using an external system for authentication (such as AR System, LDAP, or Active Directory),
assign the BmcSearchAdmins group to either an already existing user account or a new user
account.
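The cookie-domain rules, port choices and password minimum that the installer prompts for in the steps above can be checked before you start the installer. The following Python script is an added example written for this page, not BMC code: the function names, the host names and the short PUBLIC_SUFFIXES set are the author's own (a real deployment would consult the Public Suffix List), and the 1024 boundary is the usual Unix privileged-port limit.

```python
"""Pre-flight validation of the standalone installer inputs described above: FQDN,
Tomcat ports, cookie domain and administrator password.  Added example, not BMC
code; every function name here is the author's own.  The public-suffix set is a
constructed stand-in: a real check would consult the Public Suffix List."""

# Constructed stand-in for the Public Suffix List (the page's examples: com, com.ca).
PUBLIC_SUFFIXES = {"com", "net", "org", "ca", "com.ca", "co.uk"}

def host_domain(fqdn: str) -> str:
    """Network domain of a host, i.e. everything after its first label."""
    labels = fqdn.lower().strip(".").split(".")
    if len(labels) < 2:
        raise ValueError(f"{fqdn!r} is not a fully qualified domain name")
    return ".".join(labels[1:])

def is_parent_or_equal(domain: str, candidate: str) -> bool:
    """True when candidate equals domain or is one of its parent domains."""
    domain, candidate = domain.lower().strip("."), candidate.lower().strip(".")
    return domain == candidate or domain.endswith("." + candidate)

def check_cookie_domain(sso_fqdn: str, cookie_domain: str, integrated_hosts=()) -> list:
    """Apply the installer's cookie-domain rules and return a list of problems
    (empty means acceptable):
      - the value must be the SSO server's network domain or a parent of it;
      - top-level / public suffixes such as com or com.ca are not supported;
      - every integrated product host must lie under it (no sibling domains)."""
    problems = []
    cd = cookie_domain.lower().strip(".")
    net_domain = host_domain(sso_fqdn)
    if "." not in cd or cd in PUBLIC_SUFFIXES:
        return [f"cookie domain {cd!r} is a top-level domain or public suffix; not supported"]
    if not is_parent_or_equal(net_domain, cd):
        return [f"cookie domain {cd!r} is neither {net_domain!r} nor one of its parents"]
    for host in integrated_hosts:
        if not is_parent_or_equal(host_domain(host), cd):
            problems.append(f"{host} is in sibling domain {host_domain(host)!r}; "
                            f"it must be moved under {cd!r}")
    return problems

def cookie_domain_breadth(sso_fqdn: str, cookie_domain: str) -> int:
    """Levels above the SSO server's own network domain at which the cookie is set.
    0 is the tightest scope.  Each extra level means the browser sends the SSO
    session cookie to more hosts, which is the impersonation risk the note describes.
    Only meaningful once check_cookie_domain() has passed."""
    net = host_domain(sso_fqdn).split(".")
    cd = cookie_domain.lower().strip(".").split(".")
    return len(net) - len(cd)

def check_ports(http: int = 8080, https: int = 8443, shutdown: int = 8005,
                linux: bool = True) -> list:
    """Tomcat HTTP, HTTPS and Shutdown ports: in range, distinct, and on Linux not
    privileged (below 1024) unless Tomcat runs as root or is port-forwarded."""
    problems = []
    ports = {"HTTP": http, "HTTPS": https, "Shutdown": shutdown}
    for name, port in ports.items():
        if not 1 <= port <= 65535:
            problems.append(f"{name} port {port} is out of range")
        elif linux and port < 1024:
            problems.append(f"{name} port {port} is privileged; Tomcat would need root "
                            "or a port-forwarding mechanism")
    if len(set(ports.values())) != len(ports):
        problems.append("HTTP, HTTPS and Shutdown ports must be distinct")
    return problems

def check_admin_password(password: str, admin_name: str = "amadmin") -> list:
    """At least 8 characters (the installer's minimum) and not derived from the account name."""
    problems = []
    if len(password) < 8:
        problems.append("administrator password must be at least 8 characters long")
    if admin_name.lower() in password.lower():
        problems.append("administrator password must not contain the administrator name")
    return problems

def preflight(sso_fqdn: str, cookie_domain: str, password: str,
              integrated_hosts=(), **ports) -> list:
    """Run every check and return the combined list of problems."""
    return (check_cookie_domain(sso_fqdn, cookie_domain, integrated_hosts)
            + check_ports(**ports) + check_admin_password(password))

if __name__ == "__main__":
    # Constructed host names; the domains mirror the note's own sibling-domain example.
    for line in preflight("ssoserver.bmc.com", "bmc.com", "Wint3r-Valley!",
                          integrated_hosts=["arserver.remedy.com"]) or ["ok"]:
        print(line)
```

Run it with the values you intend to type into the installer; a non-empty result lists exactly the panel that would otherwise reject the input or, in the case of the cookie domain, silently widen the set of hosts that receive the session cookie.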

6.4.3 Where to go from here


Installing or upgrading AR System server
To secure certificates with an external CA, see Managing keystores with a keytool utility (see page 239).
To configure authentication, see Configuring after installation. For a specific authentication method, see
the specific method. For example, for LDAP or Active Directory, see Using LDAP (Active Directory) for
authentication.


6.5 Installing BMC Atrium Single Sign-On as a High Availability cluster
A BMC Atrium Single Sign-On High Availability (HA) cluster is implemented as a redundant system with session
failover. In this model, if a node fails, the BMC Atrium Single Sign-On load is transitioned to the remaining
servers with minimal interruption.
When multiple BMC Atrium Single Sign-On servers are installed and configured to operate as a cluster, a system
failure is absorbed by the remaining cluster nodes. The BMC best practice is to run the BMC Atrium Single
Sign-On cluster behind a firewall to protect the communication channels between the nodes, such as replication,
BMC Atrium Single Sign-On sessions, and administrative communications. Although these communications are
encrypted, the ports must be reachable from the other cluster members, so expose them only to those hosts.


HA prerequisites (see page 56)


HA pre-installation tasks (see page 56)
To install BMC Atrium Single Sign-On as an HA cluster (see page 56)
HA post-installation activities (see page 57)

6.5.1 HA prerequisites
BMC Atrium Single Sign-On HA requires the following:
An installed load balancer.
The load balancer must support HTTP traffic.
The load balancer must be configured for HTTP session sticky mode.
The load balancer must be configured for HTTPS communication.

Note
HTTP session sticky mode ensures that the BMC Atrium Single Sign-On server that handled a client's first
request continues to handle that client's subsequent requests (unless the node fails).

6.5.2 HA pre-installation tasks


BMC recommends that you install the provided BMC Atrium Single Sign-On Tomcat server and Java virtual
machine (JVM). Although installation onto an external (customer-provided) Tomcat server and JVM is supported,
this configuration is not recommended.
Before installing the first node, the following information is needed for cluster setup:
URL that the load balancer uses for the cluster. The load balancer uses this URL to disperse calls to the
cluster nodes.
Port number for the internal LDAP server
Port number for the replication of the internal LDAP server
The port numbers are used by LDAP for communicating data and for replication information. The specified ports
should not be used by other programs and must be accessible from every computer that is part of the cluster.

6.5.3 To install BMC Atrium Single Sign-On as an HA cluster


1. Installing the first node for an HA cluster on a new Tomcat server (see page 57) or Installing the first node
for an HA cluster on an external Tomcat server (see page 68).

Note
Be sure to copy the cluster configuration file to the additional nodes.

2. Installing additional nodes for an HA cluster on a new Tomcat server (see page 63) or Installing additional
nodes for an HA cluster on an external Tomcat server (see page 70).

Note
After installing BMC Atrium Single Sign-On in HA mode, verify that the cookie name is the same on all
nodes. For more information about verifying the cookie name, see Managing nodes in a cluster (see
page 273).

6.5.4 HA post-installation activities


After adding a new additional node:
Ensure that the load balancer is configured with the new node.
Update the Apache MQ configuration of the new node and of the existing nodes (if static configuration is used).
Restart the existing nodes sequentially.
After a cookie name is changed on a particular BMC Atrium Single Sign-On node in the HA cluster, restart that
BMC Atrium Single Sign-On server.

Note
In some cases, a BMC Atrium Single Sign-On server restart, a browser cache purge, and a cookie cleanup do
not clear a "multiple redirects" error. In that case, reboot the operating system.
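The pre-installation inputs above (load balancer URL, internal LDAP ports) and the post-installation requirement that all nodes share one cookie name can be checked across a planned cluster before the nodes go live. The following Python script is an added example written for this page, not BMC code: the function names, the node records and the placeholder cookie name SSOCookie are constructed, and the requirement that the load balancer host sit inside the cookie domain is the author's inference from the cookie-domain rule, not a statement on this page.

```python
"""Consistency checks for a BMC Atrium Single Sign-On HA cluster: the pre-installation
inputs (load balancer URL, internal LDAP ports) and the post-installation requirement
that every node use the same cookie name.  Added example, not BMC code; function names
and node records are the author's own, and "SSOCookie" is a constructed placeholder,
not the product's real cookie name."""
import socket
from urllib.parse import urlsplit

def check_load_balancer_url(url: str) -> list:
    """The cluster URL must be HTTPS, name a host and point at the /atriumsso context."""
    problems = []
    u = urlsplit(url)
    if u.scheme != "https":
        problems.append(f"load balancer URL must use https, got {u.scheme!r}")
    if not u.hostname:
        problems.append("load balancer URL has no host name")
    if u.path.rstrip("/") != "/atriumsso":
        problems.append(f"load balancer URL path should be /atriumsso, got {u.path!r}")
    if u.query or u.fragment:
        problems.append("load balancer URL must not carry a query string or fragment")
    return problems

def under_domain(host: str, domain: str) -> bool:
    """True when host equals domain or lies beneath it."""
    host, domain = host.lower().strip("."), domain.lower().strip(".")
    return host == domain or host.endswith("." + domain)

def check_node(node: dict) -> list:
    """Per node: the Tomcat ports and the three internal LDAP ports must all be
    distinct and in range, so the LDAP listeners do not collide with the web tier."""
    problems, seen = [], {}
    ports = {"HTTP": node["http_port"], "HTTPS": node["https_port"],
             "Shutdown": node["shutdown_port"], "LDAP": node["ldap_port"],
             "LDAP replication": node["ldap_repl_port"],
             "LDAP admin": node["ldap_admin_port"]}
    for name, port in ports.items():
        if not 1 <= port <= 65535:
            problems.append(f"{node['fqdn']}: {name} port {port} is out of range")
        elif port in seen:
            problems.append(f"{node['fqdn']}: {name} port {port} collides with {seen[port]}")
        seen.setdefault(port, name)
    return problems

def check_cluster(nodes: list) -> list:
    """Cluster-wide: at least two nodes; one cookie name, cookie domain and load
    balancer URL shared by all nodes; every node and the load balancer host inside
    that cookie domain (browsers talk to the load balancer, so its host must be
    covered by the cookie domain as well; author's inference from the domain rule)."""
    problems = []
    if len(nodes) < 2:
        problems.append("a clustered install requires at least two nodes")
    for key in ("cookie_name", "cookie_domain", "lb_url"):
        values = {n[key] for n in nodes}
        if len(values) > 1:
            problems.append(f"nodes disagree on {key}: {sorted(values)}")
    for url in sorted({n["lb_url"] for n in nodes}):
        problems += check_load_balancer_url(url)
    for n in nodes:
        problems += check_node(n)
        if not under_domain(n["fqdn"], n["cookie_domain"]):
            problems.append(f"{n['fqdn']} is outside cookie domain {n['cookie_domain']}")
        lb_host = urlsplit(n["lb_url"]).hostname or ""
        if lb_host and not under_domain(lb_host, n["cookie_domain"]):
            problems.append(f"load balancer {lb_host} is outside cookie domain {n['cookie_domain']}")
    return problems

def ports_reachable(host: str, ports, timeout: float = 3.0) -> dict:
    """Live check to run from every other cluster member: which of a node's LDAP ports
    accept a TCP connection.  Network-dependent, so the sample below does not call it."""
    result = {}
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                result[port] = True
        except OSError:
            result[port] = False
    return result

def make_node(fqdn: str, **overrides) -> dict:
    """Constructed node record using the defaults the installer offers on this page."""
    node = {"fqdn": fqdn, "cookie_name": "SSOCookie", "cookie_domain": "bmc.com",
            "lb_url": "https://ssoloadbalancer.bmc.com:8443/atriumsso",
            "http_port": 8080, "https_port": 8443, "shutdown_port": 8005,
            "ldap_port": 8091, "ldap_repl_port": 8092, "ldap_admin_port": 8093}
    node.update(overrides)
    return node

# Constructed sample: two nodes installed with the defaults.
SAMPLE_NODES = [make_node("sso1.bmc.com"), make_node("sso2.bmc.com")]

if __name__ == "__main__":
    for line in check_cluster(SAMPLE_NODES) or ["cluster configuration is consistent"]:
        print(line)
```

Fill one record per node from the values you entered in each node's installer, run check_cluster() once, and run ports_reachable() from every node against every other node's LDAP, replication and administration ports to confirm that the firewall in front of the cluster still lets the members talk to each other.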

6.5.5 Installing the first node for an HA cluster on a new Tomcat server
The following provides information and instructions for installing the first node for an HA cluster on a new
Tomcat.
Before you begin (see page 57)
To install the first node for an HA cluster on a new Tomcat (see page 58)
Where to go from here (see page 63)

Before you begin


Obtain the zipped BMC Atrium Single Sign-On files from the BMC product package via Electronic Product
Download (EPD) or the BMC Atrium Single Sign-On DVD.


If there is already an installation of BMC Atrium Single Sign-On on the target computer, the installer will
not allow another installation. Uninstall the existing version.
Prepare to run the installation program for your operating system.
For example, you must update Terminal Services configuration options and configure the DEP feature if
you are using Windows. For more information, see Configuring Terminal Services and DEP parameters.
You must have a network load balancer configured before you create an HA cluster.

Important
The BMC Atrium Single Sign-On Tomcat server cannot be shared with any product (for example, the AR
System server or the BMC Remedy Mid Tier) that integrates with BMC Atrium Single Sign-On. BMC
recommends that you install BMC Atrium Single Sign-On on a different computer than the computer
where you plan to install a BMC product (for example, the AR System server or the BMC Remedy Mid
Tier).

To install the first node for an HA cluster on a new Tomcat


1. Run the installation program.
The setup executable is located in the Disk1 directory of the extracted files.
(Microsoft Windows) Run setup.cmd
(UNIX) Run setup.sh
2. In the lower right corner of the Welcome panel, click Next.
3. Review the license agreement, click I agree to the terms of license agreement, and then click Next.
4. Accept the default destination directory or browse to select a different directory, and then click Next.
5. In the Host Name Information panel, verify that the hostname presented is the Fully Qualified Domain
Name (FQDN) for the host, and then click Next.
Correct the value as needed.
6. In the BMC Atrium SSO Server Cluster Options panel, perform the following actions:


a. Select Clustered BMC Atrium SSO Server.


b. Select New Cluster Installation (First node).
c. Click Next.
7. Enter a file name and location for storing the cluster configuration information and click Next. The file can
have any extension but it is recommended that you use .cfg as the extension because the file is storing
cluster configuration information.
For example, clusterconfig.cfg. When you enter the file name and click Next, a config file with that name is
automatically created on your computer.

Important
This file is needed when subsequent nodes are added to the cluster, and it contains sensitive
information that is used when installing those nodes. Restrict access to it and do not leave copies
on shared media.

8. Enter the LDAP port number (8091), LDAP replication port (8092), LDAP administration port (8093), and
click Next.
9. Enter the load balancer URL and click Next.


For example:
https://loadBalancerFQDN:port/atriumsso
https://BMCLoadBalancer.bmc.com:8443/atriumsso

As you are installing BMC Atrium SSO in a cluster environment, you must use the load balancer
URL mentioned in this step for integration with other products. For example, when you are
integrating BMC Atrium SSO with BMC Remedy Mid Tier, you must add the load balancer URL
instead of the BMC Atrium SSO server URL. For more information, see Running the
SSOMidtierIntegration utility on the Mid Tier (see page 92).

10. Verify that Install New Tomcat is selected and click Next.

Note
The BMC Atrium Single Sign-On Tomcat server cannot be shared with any product that integrates
with BMC Atrium Single Sign-On. BMC recommends that BMC Atrium Single Sign-On be the only
application on the Tomcat server.

11. Accept the default Tomcat server HTTP port number (8080), HTTPS port number (8443), and Shutdown
port number (8005), or enter different port numbers, and click Next.
If any of the port numbers are incorrect, a pop-up menu identifies the incorrect port number and allows
you to modify the selection.
12. Enter a cookie domain and click Next.
The domain value of the cookie should be the network domain of BMC Atrium Single Sign-On or one of its
parent domains.

Important
The higher the level of the selected parent domain, the higher the risk of user
impersonation, because the browser sends the SSO session cookie to every host under
that domain.
You cannot use sibling domains or cross-domains with BMC Atrium Single Sign-On. For
example, installing the BMC Atrium Single Sign-On server in the remedy.com domain and
the AR System server in the bmc.com domain is not supported. You must move all your
computers into the same domain.

13. Enter a strong administrator password, confirm the password, and click Next.
The default administrator name is amadmin.

14. Review the installation summary and click Install.


After the first node has been successfully installed, additional nodes can be added to the cluster by using
the file created during the first installation.
15. Verify that your BMC Atrium Single Sign-On installation was successful by accessing the BMC Atrium Single
Sign-On URL.
a. Navigate to Start > All Programs > BMC Software > BMC Atrium SSO > Administrator to launch the
BMC Atrium SSO Admin Console .
The URL to open the BMC Atrium SSO Admin Console is:
https://<ssoServer>.<domain>:<port>/atriumsso
For example:
https://ssoServer.bmc.com:8443/atriumsso
b. When you are prompted that the connection is untrusted, add the exception and then continue.

Note
Browsers display this warning because the server's certificate is not issued by a certificate
authority (CA) that the browser trusts. Accepting the exception is fine for this verification
step; before you put the server into use, replace the certificate with one from a trusted CA
(see Managing keystores with a keytool utility).

c. Confirm that you can view the BMC Atrium Single Sign-On login panel.
d. Log on with the SSO administrator name (for example, amadmin) and password.
The BMC Atrium SSO Admin Console appears.
(Click the image to expand it.)


16. Verify that your BMC Atrium Single Sign-On installation was successful by accessing the SSO load balancer.
For example:
https://ssoloadbalancer.bmc.com:8443/atriumsso
The BMC Atrium SSO login screen appears. After you log on, the SSO server appears in the HA Nodes List.

17. (Optional) Create an administrative user account for BMC Products to perform search functions on the
user store (for example, to list user names and emails).
If you are using the BMC Atrium Single Sign-On server's internal LDAP, assign the BMCSearchAdmins
group to the new user account.
If you are using an external system for authentication (such as AR System, LDAP, or Active Directory),
assign the BmcSearchAdmins group to either an already existing user account or a new user
account.


Where to go from here


Installing additional nodes for an HA cluster on a new Tomcat server (see page 63) or
Installing additional nodes for an HA cluster on an external Tomcat server (see page 70)

6.5.6 Installing additional nodes for an HA cluster on a new Tomcat server


The following provides information and instructions for installing additional nodes for an HA cluster on a new
Tomcat.
Before you begin (see page 63)
To install an additional node for an HA cluster on a new Tomcat (see page 63)
Where to go from here (see page 68)

Before you begin


Install the first node for an HA cluster on a new Tomcat server (see page 57).
Obtain the zipped BMC Atrium Single Sign-On files from the BMC product package via Electronic Product
Download (EPD) or the BMC Atrium Single Sign-On DVD for the additional nodes.
If there is already an installation of BMC Atrium Single Sign-On on the target computer, the installer will
not allow another installation. Uninstall the existing version.
Ensure that the first node and all the additional nodes are running in the HA cluster.
Prepare to run the installation program for your operating system.
For example, you must update Terminal Services configuration options and configure the DEP feature if
you are using Windows. For more information, see Configuring Terminal Services and DEP parameters.

Important
The BMC Atrium Single Sign-On Tomcat server cannot be shared with any product (for example, the AR
System server or the BMC Remedy Mid Tier) that integrates with BMC Atrium Single Sign-On. BMC
recommends that you install BMC Atrium Single Sign-On on a different computer than the computer
where you plan to install a BMC product (for example, the AR System server or the BMC Remedy Mid
Tier).

To install an additional node for an HA cluster on a new Tomcat


During subsequent node installations, previously installed nodes must be available so the newly added node can
fully integrate into the cluster.
1. Ensure that all nodes are running and available.

2. Copy the cluster configuration file (created during the first node's installation) to the Disk1 directory of
the extracted files before installing BMC Atrium Single Sign-On on the node.

Note
The installation and configuration information of the first node is used when installing additional
nodes.

3. Run the installation program.


Launch the setup executable located in the Disk1 directory of the extracted files.
(Microsoft Windows) Run setup.cmd
(UNIX) Run setup.sh
4. In the lower right corner of the Welcome panel, click Next.
5. Review the license agreement, click I agree to the terms of license agreement, and then click Next.
6. Accept the default destination directory or browse to select a different directory, and then click Next.
7. In the Host Name Information panel, verify that the hostname presented is the Fully Qualified Domain
Name (FQDN) for the host, and then click Next.
Correct the value as needed.
8. In the BMC Atrium SSO Server Cluster Options panel, perform the following actions:


a. Select Clustered Atrium SSO Server.


b. Select Add this node to an existing cluster.
c. Click Next.
9. In the BMC Atrium SSO Cluster Configuration File Information panel, browse to the Disk1 directory where
you copied the file, and then click Next.
10. Enter the LDAP port number (8091), LDAP replication port (8092), LDAP administration port (8093), and
click Next.
11. Verify that Install New Tomcat is selected and click Next.

Note
The BMC Atrium Single Sign-On Tomcat server cannot be shared with any product that integrates
with BMC Atrium Single Sign-On. BMC recommends that BMC Atrium Single Sign-On be the only
application on the Tomcat server.

12. Accept the default Tomcat server HTTP port number (8080), HTTPS port number (8443), and Shutdown
port number (8005), or enter different port numbers, and click Next.
If any of the port numbers are incorrect, a pop-up menu identifies the incorrect port number and allows
you to modify the selection.
13. Review the installation summary and click Install.
After the second node has been successfully installed, additional nodes can be added to the cluster by
using the file created during the first installation.
14. Verify that your BMC Atrium Single Sign-On installation was successful by accessing the BMC Atrium Single
Sign-On URL.
a. Navigate to Start > All Programs > BMC Software > BMC Atrium SSO > Administrator to launch the
BMC Atrium SSO Admin Console .
The URL to open the BMC Atrium SSO Admin Console is:
https://<ssoServer>.<domain>:<port>/atriumsso/atsso/console/login/Login.html
For example:
https://ssoServer.bmc.com:8443/atriumsso/atsso/console/login/Login.html
b. When you are prompted that the connection is untrusted, add the exception and then continue.

Note
Browsers display this warning because the server's certificate is not issued by a certificate
authority (CA) that the browser trusts. Accepting the exception is fine for this verification
step; before you put the server into use, replace the certificate with one from a trusted CA
(see Managing keystores with a keytool utility).

c. Confirm that you can view the BMC Atrium Single Sign-On login panel.
d. Log on with the SSO administrator name (for example, amadmin) and password.
The BMC Atrium SSO Admin Console appears.
(Click the image to expand it.)


15. Verify that your BMC Atrium Single Sign-On installation was successful by accessing the SSO load balancer.
For example:
https://ssoloadbalancer.bmc.com:8443/atriumsso
The BMC Atrium SSO login screen appears. After you log on, your SSO servers appear in the HA Nodes List.

16. (Optional) Create an administrative user account for BMC Products to perform search functions on the
user store (for example, to list user names and emails).
If you are using the BMC Atrium Single Sign-On server's internal LDAP, assign the BMCSearchAdmins
group to the new user account.
If you are using an external system for authentication (such as AR System, LDAP, or Active Directory),
assign the BmcSearchAdmins group to either an already existing user account or a new user
account.


Where to go from here


To install the AR System server, see Installing or upgrading AR System server.
To secure certificates with an external CA, see Managing keystores with a keytool utility (see page 239).
To configure authentication, see Configuring after installation. For a specific authentication method, see
the specific method. For example, for LDAP or Active Directory, see Using LDAP (Active Directory) for
authentication.

6.5.7 Installing the first node for an HA cluster on an external Tomcat server
The following provides information and instructions for installing the first node for an HA cluster on an external
Tomcat.
Before you begin (see page 68)
To install BMC Atrium Single Sign-On on the first node for an external Tomcat (see page 68)
Where to go from here (see page 69)

Before you begin


Before installing BMC Atrium Single Sign-On on the first node for an external Tomcat, make sure you have
performed the tasks in Prerequisites for installation (see page 42) and the Before you begin section on Installing
BMC Atrium Single Sign-On on an external Tomcat server (see page ).

To install BMC Atrium Single Sign-On on the first node for an external Tomcat
1. Run the installation program, autorun.
If autorun does not automatically launch the appropriate file, launch the setup executable located in the
Disk1 directory of the extracted files. This script automatically detects the appropriate subscript to execute.
(Microsoft Windows) Run setup.cmd
(UNIX) Run setup.sh
2. Accept the default destination directory, or browse to select a different directory, and click Next.
3. Enter the hostname if the provided name is incorrect and click Next.
4. Select Clustered Atrium SSO Server.
5. Select New Cluster Installation (First node), and click Next.
6. Enter a file name and location for storing the cluster configuration information and click Next.
This cluster configuration file is needed when subsequent nodes are added to the cluster.

Important
This file contains sensitive information.

7. Enter the LDAP port and LDAP replication port, and click Next.
8. Enter the load balancer URL and click Next.


9. Click Use External Tomcat and click Next.

Note
The BMC Atrium Single Sign-On Tomcat server cannot be shared with any product that integrates
with BMC Atrium Single Sign-On. BMC recommends that BMC Atrium Single Sign-On be the only
application in the Tomcat server.

10. Enter the Tomcat server directory at the prompt and click Next.
11. At the Tomcat Application Server Selection panel, enter the path to the Tomcat server.
After the path is entered, the installer verifies that:
The directory has a webapps directory that can be written to.
The main program, tomcat6.exe, is present (even on UNIX).
The server.xml file contains a Connector with port and secure defined and scheme set to https. The
installer parses important information from this Connector entry and stores it.
The installer deploys the BMC Atrium Single Sign-On web application to the Tomcat server, asking
that you start or stop it when necessary.
12. Enter additional information at the prompts. Be prepared with information about:
JDK directory location
Tomcat server port
BMC Atrium Single Sign-On Truststore certificate location and password
BMC Atrium Single Sign-On Keystore password, alias, and certificate
BMC Atrium Single Sign-On cookie domain
BMC Atrium Single Sign-On administrator name and password
(Windows) You will be asked whether your external Tomcat server is started using scripts or as a
Windows service.
13. Stop the Tomcat server.
14. After installation is complete, follow the installer directions to restart the Tomcat server.
The Tomcat server can now be used as the BMC Atrium Single Sign-On application server. If you make
modifications to the server configuration, be sure to test each change to ensure that the BMC Atrium Single
Sign-On application continues to function correctly.
15. Replace the existing certificate with a Certificate Authority (CA) signed identity certificate.
16. Verify that your BMC Atrium Single Sign-On installation was successful:
a. Launch the administrator console.
b. Confirm that you can view the BMC Atrium Single Sign-On login panel.

Where to go from here


Installing additional nodes for an HA cluster on a new Tomcat server (see page 63) or
Installing additional nodes for an HA cluster on an external Tomcat server (see page 70)


6.5.8 Installing additional nodes for an HA cluster on an external Tomcat server
The following provides information and instructions for installing additional nodes for an HA cluster on an
external Tomcat.
Before you begin (see page 70)
To install BMC Single Sign-On on additional nodes for an external Tomcat (see page 70)
Where to go from here (see page 71)

Before you begin


Before installing BMC Atrium Single Sign-On on additional nodes for an external Tomcat, make sure you have
performed the tasks in Prerequisites for installation (see page 42) and Before you begin in Installing BMC
Atrium Single Sign-On on an external Tomcat server (see page 73).
Ensure that the first node and all the additional nodes are running in the HA cluster.

To install BMC Single Sign-On on additional nodes for an external Tomcat


During subsequent node installations, previously installed nodes must be available so that the newly added node
can fully integrate into the cluster.
1. Ensure that all nodes are up and available.
2. Copy the cluster configuration file (created during the first node's installation) to the local file system prior
to installing BMC Atrium Single Sign-On on the node.
3. Run the installation program, autorun.
If autorun does not automatically launch the appropriate file, launch the setup executable located in the
Disk1 directory of the extracted files. This script automatically detects the appropriate subscript to execute.
(Microsoft Windows) Run setup.cmd
(UNIX) Run setup.sh
4. Accept the default destination directory, or browse to select a different directory, and click Next.
5. Enter the host name if the provided name is incorrect and click Next.
6. Select Clustered Atrium SSO Server.
7. Select Add this node to an existing cluster.
8. Enter the location of the cluster configuration file and click Next.
9. Enter the LDAP port and LDAP replication port, and click Next.
10. Click Use External Tomcat and click Next. The Tomcat server options are:
Install New Tomcat (default)
Use External Tomcat

Note
The BMC Atrium Single Sign-On Tomcat server cannot be shared with any product that
integrates with BMC Atrium Single Sign-On. BMC recommends that BMC Atrium Single
Sign-On be the only application in the Tomcat server.

11. Enter the Tomcat server directory at the prompt and click Next.
12. At the Tomcat Application Server Selection panel, enter the path to the Tomcat server.
After the path is entered, the installer verifies that:
The directory has a webapps directory that can be written to.
The main program, tomcat6.exe, is present (even on UNIX).
The server.xml file contains a Connector with port and secure defined, with scheme set to https. The
installer parses important information from this Connector entry and stores it.
The installer deploys the BMC Atrium Single Sign-On web application to the Tomcat server, asking
that you start or stop it when necessary.
13. Enter additional information at the prompts. Be prepared with information about:
JDK directory location
Tomcat server port
BMC Atrium Single Sign-On Truststore certificate location and password
BMC Atrium Single Sign-On Keystore password, alias, and certificate
(Windows) You will be asked whether your external Tomcat is started using scripts or as a Windows
service.
14. Stop the Tomcat server.
15. After installation is complete, follow the installer directions to restart the Tomcat server.
The Tomcat server can now be used as the BMC Atrium Single Sign-On application server. If you make
modifications to the server configuration, be sure to test each change to ensure that the BMC Atrium Single
Sign-On application continues to function correctly.
16. Replace the existing certificate with a Certificate Authority (CA) signed identity certificate.
17. Verify that your BMC Atrium Single Sign-On installation was successful:
a. Launch the administrator console.
b. Confirm that you can view the BMC Atrium Single Sign-On login panel.

Where to go from here


To install the AR System server, see Installing or upgrading AR System server.
To secure certificates with an external CA, see Managing keystores with a keytool utility (see page 239).
To configure authentication, see Configuring after installation. For a specific authentication method, see
the specific method. For example, for LDAP or Active Directory, see Using LDAP (Active Directory) for
authentication.


6.6 Installing BMC Atrium Single Sign-On on an external Tomcat server
This section explains how to install BMC Atrium Single Sign-On on an external Tomcat server. This installation
option allows the BMC Atrium Single Sign-On server to be installed using versions of Tomcat and Java VM that
are different from those provided by the standalone installation option.
Using this option allows greater flexibility in choosing the Tomcat server and Java Virtual Machine (JVM), but at
the expense of adding administration of the Tomcat server and JVM. In addition, correct version selection must
also be performed to avoid incompatibilities. Due to these added responsibilities, BMC recommends that this
option be performed only when the default selections are not sufficient.


Before you begin (see page 73)
To install BMC Atrium Single Sign-On on an external Tomcat server (see page 73)
Where to go from here (see page 74)

6.6.1 Before you begin


Before installation, make sure you have performed the tasks in Prerequisites for installation (see page 42).
Verify that no other product or application is installed on your Tomcat server.
Note: The BMC Atrium Single Sign-On Tomcat server cannot be shared with any product that integrates with BMC Atrium Single Sign-On. BMC
recommends that BMC Atrium Single Sign-On be the only application in the Tomcat server.
Modify the external Tomcat policy file. See Policy file additions for external Tomcat installations (see page 75).
Configure JVM that will run the Tomcat server. See Configuring a JVM for the Tomcat Server (see page 77).
Modify the Tomcat server hosting the BMC Atrium Single Sign-On application to define an HTTPS connection with an explicit truststore and explicit
keystore declaration. See Setting an HTTPS connection (see page 78).
Add JVM initialization parameters to the JVM that is running the external Tomcat. See JVM parameter additions for external Tomcat installations (see
page 76).
If you plan to enable FIPS, perform the tasks in Configuring an external Tomcat instance for FIPS-140 (see page 76) and the FIPS-140 preparation
steps in Configuring FIPS-140 mode (see page 251).

6.6.2 To install BMC Atrium Single Sign-On on an external Tomcat server


1. If autorun does not automatically launch the appropriate file, launch the setup executable.
The setup executable is located in the Disk1 directory of the extracted files:
(Microsoft Windows) Run setup.cmd.
(UNIX) Run setup.sh (which automatically detects the appropriate subscript to execute).
2. Accept the default destination directory or browse to select a different directory and click Next.
3. Verify that the hostname presented is the Fully Qualified Domain Name (FQDN) for the host, correct the
value as needed, and click Next.
4. Click Use External Tomcat.
The Tomcat server options are:
Install New Tomcat (default)
Use External Tomcat
5. At the prompt, enter the Tomcat directory (or use the browse button to specify the Tomcat directory) and
click Next.
6. At the Tomcat Application Server Selection panel, enter the path to the Tomcat server.
After clicking Next, the installer verifies that:
The directory has a webapps directory that can be written to.
The main program, tomcat6.exe, is present (even on UNIX).
The server.xml file contains a connector with port and secure defined and with scheme set to https.
The installer parses important information from this Connector entry and stores it.
As the installer deploys the BMC Atrium Single Sign-On web application to the Tomcat server, it will
ask that you start or stop it when necessary.
7. (Windows) You will be asked whether your external Tomcat server is started by using scripts or as a
Windows service. If the Tomcat server is started as a Windows service, enter the name of this service.
8. Enter additional information at the prompts.
Be prepared with information about:
JDK directory location
Tomcat HTTPS server port
Tomcat truststore certificate location and password
Tomcat keystore password, alias, and certificate
Tomcat cookie domain
Tomcat administrator name and password
9. Stop the Tomcat server.
10. During installation, follow the installer directions to restart the Tomcat server.
11. Verify that your BMC Atrium Single Sign-On installation was successful:
a. Launch the BMC Atrium Single Sign-On administrator console and confirm that you can view BMC
Atrium SSO Admin Console.
The Tomcat server can now be used as the BMC Atrium Single Sign-On application server. If you
make modifications to the server configuration, be sure to test each change to ensure that the BMC
Atrium Single Sign-On application functions correctly.
12. (Optional) Create an administrative user account for BMC Products to perform search functions on the
user data store (for example, to list user names, emails, and so on).

Note
If you are using the BMC Atrium Single Sign-On server's internal LDAP, assign the
BMCSearchAdmins group to the new user account.

13. If you are using an external system for authentication (such as AR System, LDAP, or Active Directory), assign
the BmcSearchAdmins group to either an already existing user account or a new user account.

6.6.3 Where to go from here


To install the AR System server, see Installing AR System server (with BMC Atrium Single Sign-On)
To install BMC Atrium Single Sign-On server in silent mode, see Installing silently (see page 112).
To secure certificates with an external CA, see Managing keystores with a keytool utility (see page 239).
To configure authentication, see Configuring after installation. For a specific authentication method, see
the specific method. For example, for LDAP or Active Directory, see Using LDAP (Active Directory) for
authentication.


6.6.4 Policy file additions for external Tomcat installations


If you plan on installing BMC Atrium Single Sign-On on an external Tomcat, the Tomcat policy file, catalina.policy,
must be modified. The policy file is located at <install>/tomcat/conf.
To configure the policy file for external Tomcat installations, add the following lines to the Tomcat policy file:

//
// AtriumSSO additions for tomcat 6/7
//
grant {
    permission java.net.SocketPermission "*", "listen,connect,accept,resolve";
    permission java.util.PropertyPermission "*", "read, write";
    permission java.lang.RuntimePermission "modifyThreadGroup";
    permission java.lang.RuntimePermission "setFactory";
    permission java.lang.RuntimePermission "accessClassInPackage.*";
    permission java.util.logging.LoggingPermission "control";
    permission java.lang.RuntimePermission "shutdownHooks";
    permission javax.security.auth.AuthPermission "getLoginConfiguration";
    permission javax.security.auth.AuthPermission "setLoginConfiguration";
    permission javax.security.auth.AuthPermission "modifyPrincipals";
    permission javax.security.auth.AuthPermission "createLoginContext.*";
    permission java.io.FilePermission "<<ALL FILES>>", "read, write, execute, delete";
    permission java.util.PropertyPermission "java.util.logging.config.class", "write";
    permission java.security.SecurityPermission "removeProvider.SUN";
    permission java.security.SecurityPermission "insertProvider.SUN";
    permission javax.security.auth.AuthPermission "doAs";
    permission java.util.PropertyPermission "java.security.krb5.realm", "write";
    permission java.util.PropertyPermission "java.security.krb5.kdc", "write";
    permission java.util.PropertyPermission "java.security.auth.login.config", "write";
    permission java.util.PropertyPermission "user.language", "write";
    permission javax.security.auth.kerberos.ServicePermission "*", "accept";
    permission javax.net.ssl.SSLPermission "setHostnameVerifier";
    permission java.security.SecurityPermission "putProviderProperty.IAIK";
    permission java.security.SecurityPermission "removeProvider.IAIK";
    permission java.security.SecurityPermission "insertProvider.IAIK";
    permission java.lang.RuntimePermission "setDefaultUncaughtExceptionHandler";
    permission javax.management.MBeanServerPermission "newMBeanServer";
    permission javax.management.MBeanPermission "*", "registerMBean";
    permission java.lang.RuntimePermission "createClassLoader";
    permission java.lang.RuntimePermission "accessDeclaredMembers";
    permission java.lang.RuntimePermission "setContextClassLoader";
    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
    permission javax.security.auth.AuthPermission "getSubject";
    permission javax.management.MBeanTrustPermission "register";
    permission javax.management.MBeanPermission "*", "*";
    permission java.lang.management.ManagementPermission "monitor";
    permission javax.management.MBeanServerPermission "createMBeanServer";
    permission java.util.PropertyPermission "javax.xml.soap.MetaFactory", "write";
    permission java.util.PropertyPermission "javax.xml.soap.MessageFactory", "write";
    permission java.util.PropertyPermission "javax.xml.soap.SOAPConnectionFactory", "write";
    permission java.util.PropertyPermission "javax.xml.soap.SOAPFactory", "write";
    permission java.net.NetPermission "getProxySelector";
    permission java.security.SecurityPermission "getProperty.authconfigprovider.factory";
    permission java.security.SecurityPermission "setProperty.authconfigprovider.factory";
    permission javax.security.auth.AuthPermission "doAsPrivileged";
    permission javax.security.auth.AuthPermission "modifyPublicCredentials";
    permission java.security.SecurityPermission "insertProvider.XMLDSig";
    permission java.security.SecurityPermission "putProviderProperty.WSS_TRANSFORM";
    permission java.security.SecurityPermission "insertProvider.WSS_TRANSFORM";
    permission java.security.SecurityPermission "getProperty.ocsp.*";
};
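The grant block above carries SocketPermission "*", FilePermission "<<ALL FILES>>" and permissions such as createClassLoader and suppressAccessChecks, and it has no codeBase qualifier, so it applies to every web application deployed in that Tomcat. That is the concrete reason the Tomcat server should host nothing but BMC Atrium Single Sign-On: with this policy in place the SecurityManager no longer isolates one application from another. The following Python script is an added example, not part of the BMC documentation or product; it parses grant blocks written in catalina.policy syntax and reports the entries that make a policy equivalent to AllPermission. SAMPLE_POLICY is a constructed excerpt of the list above, and the BROAD_TARGETS and ESCAPE_HATCHES sets are the author's own selection of what to flag.

```python
import re

# Constructed sample: a few of the permissions from the grant block above, in
# catalina.policy syntax. The real block is the full list shown in this section.
SAMPLE_POLICY = """\
//
// AtriumSSO additions for tomcat 6/7
//
grant {
    permission java.net.SocketPermission "*", "listen,connect,accept,resolve";
    permission java.util.PropertyPermission "*", "read, write";
    permission java.io.FilePermission "<<ALL FILES>>", "read, write, execute, delete";
    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
    permission java.security.SecurityPermission "getProperty.ocsp.*";
};
"""

# permission <class> "<target>"[, "<actions>"];
PERMISSION_RE = re.compile(r'permission\s+([\w.]+)\s+"([^"]*)"(?:\s*,\s*"([^"]*)")?\s*;')
# grant [codeBase "..."] [signedBy "..."] [principal ...] {
GRANT_RE = re.compile(r'\bgrant\b([^{]*)\{')

def parse_permissions(policy_text):
    """Return (class, target, actions) triples; actions normalised to 'a,b,c' without spaces."""
    perms = []
    for m in PERMISSION_RE.finditer(policy_text):
        actions = ",".join(a.strip() for a in (m.group(3) or "").split(",") if a.strip())
        perms.append((m.group(1), m.group(2), actions))
    return perms

def unscoped_grants(policy_text):
    """Number of grant blocks with no codeBase/signedBy/principal qualifier (they apply to all code)."""
    return sum(1 for m in GRANT_RE.finditer(policy_text) if not m.group(1).strip())

# Assumed selection: targets that hand a whole permission class to everything, and
# permissions that on their own let code step outside the sandbox.
BROAD_TARGETS = {"*", "<<ALL FILES>>"}
ESCAPE_HATCHES = {
    ("java.lang.RuntimePermission", "createClassLoader"),
    ("java.lang.RuntimePermission", "setSecurityManager"),
    ("java.lang.reflect.ReflectPermission", "suppressAccessChecks"),
}

def audit_policy(policy_text):
    """Human-readable findings for the entries that make the policy equivalent to AllPermission."""
    findings = []
    for cls, target, actions in parse_permissions(policy_text):
        if target in BROAD_TARGETS:
            findings.append(f"{cls} {target} [{actions}]: wildcard target")
        elif (cls, target) in ESCAPE_HATCHES:
            findings.append(f"{cls} {target}: allows sandbox escape")
    if unscoped_grants(policy_text):
        findings.append("grant block has no codeBase: it applies to every webapp in this Tomcat")
    return findings

if __name__ == "__main__":
    for line in audit_policy(SAMPLE_POLICY):
        print(line)
```

Run against the real catalina.policy after the installer edits it, the script lists the same wildcard entries as in the sample. A codeBase-qualified grant (for example `grant codeBase "file:/opt/tomcat/webapps/atriumsso/-" { ... }`) is standard Java policy syntax that would limit the grant to the atriumsso application; whether the BMC installer accepts such a scoped grant is not stated in this documentation, so treat that as a change to test rather than a supported configuration.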

6.6.5 JVM parameter additions for external Tomcat installations


The following initialization parameters must be specified for the JVM that is running an external Tomcat. If
Tomcat is controlled via scripts, these JVM parameters can be included in a script file:
(Microsoft Windows) setenv.bat
(UNIX) setenv.sh
When Tomcat is installed as a Windows Service, include these values in the wrapper. When the wrapper is a
supplied Apache wrapper (via Tomcat6w.exe or Tomcat7w.exe), the JVM additions are added to the Java tab.

-Dcom.sun.identity.configuration.directory=<tomcat-dir>\webapps\atriumsso\WEB-INF\config
-XX:PermSize=64m
-XX:MaxPermSize=256m
-Dcom.sun.identity.session.connectionfactory.provider=com.bmc.atrium.sso.opensso.extensions.ha.ConnectionFactoryProvi

Note
<truststore-canonical-name> and <keystore-canonical-name> are the full path and name to the
truststore and keystore that were created by the user for use by the Tomcat server.

6.6.6 Configuring an external Tomcat instance for FIPS-140


The Federal Information Processing Standards (FIPS-140) are standards for computer systems used by all
non-military government agencies and government contractors; they cover, for example, data encoding and
encryption. For information about FIPS-140, see Configuring FIPS-140 mode (see page 251).

To configure an external Tomcat instance for FIPS-140


If you plan to enable FIPS-140 and are installing to an external Tomcat server, perform these steps:
1. Configure the Tomcat server for auto-deployment of .war files.
2. Use the same keystore for both non-FIPS and FIPS versions of your server.xml file.
3. Perform the following modifications to the server.xml file for non-FIPS and FIPS versions:
a. Duplicate the original file to create a FIPS version (named server.xml.fips) and non-FIPS version
(named server.xml.nofips).
b. In the new FIPS version of the file, use the following ciphers attributes to force a higher level of
encryption (or use your own values):

ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"

c. Add the XML comment to tag the file as FIPS-140: <!-- FIPS140 -->
4. Perform the following modifications to the java.security file for non-FIPS and FIPS versions:
a. Duplicate the original file, creating java.security.nofips and java.security.fips versions.
b. In java.security.fips, make sure that the JsafeJCE provider is the first one in the security providers list,
with the remaining providers renumbered.
For example, the following list places the JsafeJCE provider at the top of the list with a key suffix of
1, while the providers after JsafeJCE are renumbered to follow the first. The
com.rsa.cryptoj.jce.kat.strategy and com.rsa.cryptoj.jce.fips140initialmode properties are placed
after the security providers list.
For those properties, use the exact values shown in the following example:

security.provider.1=com.rsa.jsafe.provider.JsafeJCE
security.provider.2=sun.security.provider.Sun
security.provider.3=sun.security.rsa.SunRsaSign
security.provider.10=sun.security.mscapi.SunMSCAPI
com.rsa.cryptoj.jce.kat.strategy=on.load
com.rsa.cryptoj.jce.fips140initialmode=FIPS140_SSL_MODE

6.6.7 Configuring a JVM for the Tomcat Server


To configure a JVM that will run the Tomcat server, perform the following steps. The location of the JVM is
always determined by the administrator who configures the Tomcat server. Ensure that the JAVA_HOME and PATH
environment variables are set.

To configure a JVM for the Tomcat server


1. Install the cryptography library (cryptoj.jar) in the following location:
(Microsoft Windows) jdkDirectory\jre\lib\ext
(UNIX) jdkDirectory/jre/lib/ext


BMC Atrium Single Sign-On uses RSA CryptoJ library (cryptoj.jar) for cryptographic functions. The RSA
CryptoJ library can be acquired from Support or through another BMC Atrium Single Sign-On installation
(using Tomcat/JVM).
2. Perform the following modifications to the java.security file.
Add a new line to the end of providers' definition list, and ensure that the provider is sequentially
numbered.
security.provider.x=com.rsa.jsafe.provider.JsafeJCE

x specifies the order in which the security providers will be searched.


The java.security file can be found at:
(Microsoft Windows) jdkDirectory\jre\lib\security
(UNIX) jdkDirectory/jre/lib/security

Note
The RSA provider can be the last provider in the security providers list, except when BMC Atrium Single
Sign-On is running in FIPS mode. For this configuration, the RSA provider must be first, with the
remaining ones renumbered.
security.provider.1=com.rsa.jsafe.provider.JsafeJCE

For more information on configuring JVM for running the Tomcat server, see tomcat-6.0-doc and
tomcat-7.0-doc.
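Both the FIPS preparation in step 4b above (JsafeJCE first, everything else renumbered) and step 2 of this procedure (JsafeJCE appended with the next sequential number) are the same edit to the security.provider list with a different insertion point. The following Python script is an added example, not BMC's own tooling; it rewrites a java.security provider list with the RSA provider at a chosen position and checks the result. It also refuses a list with a gap in the numbering, because the JDK reads security.provider.1, 2, 3, ... and stops at the first number that is missing, so a gap silently drops every provider after it. SAMPLE_JAVA_SECURITY is a constructed excerpt in the shape of a JDK file, not a copy of any real one.

```python
import re

# security.provider.<n>=<class>
PROVIDER_RE = re.compile(r'^\s*security\.provider\.(\d+)\s*=\s*(\S+)\s*$')
JSAFE = "com.rsa.jsafe.provider.JsafeJCE"

# Constructed excerpt in the shape of a JDK java.security provider list (not a real file's contents).
SAMPLE_JAVA_SECURITY = """\
# List of providers and their preference orders (see above):
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=com.sun.net.ssl.internal.ssl.Provider
security.provider.4=com.sun.crypto.provider.SunJCE
security.provider.5=sun.security.jgss.SunProvider
security.provider.6=sun.security.mscapi.SunMSCAPI

securerandom.source=file:/dev/urandom
"""

def providers(text):
    """The provider list as (number, class) pairs in file order."""
    return [(int(m.group(1)), m.group(2))
            for m in map(PROVIDER_RE.match, text.splitlines()) if m]

def set_provider(text, provider, position=None):
    """Place `provider` at 1-based `position` (None = append, the non-FIPS case) and renumber
    the whole list contiguously. An existing entry for the same class is moved, not duplicated."""
    lines = text.splitlines()
    idx = [i for i, line in enumerate(lines) if PROVIDER_RE.match(line)]
    classes = [PROVIDER_RE.match(lines[i]).group(2) for i in idx]
    classes = [c for c in classes if c != provider]
    classes.insert(len(classes) if position is None else position - 1, provider)
    new_block = [f"security.provider.{n}={c}" for n, c in enumerate(classes, 1)]
    if idx:
        for i in reversed(idx):          # drop the old block, then splice the new one in its place
            del lines[i]
        lines[idx[0]:idx[0]] = new_block
    else:
        lines.extend(new_block)
    return "\n".join(lines) + "\n"

def check_order(text, fips):
    """FIPS: JsafeJCE must be security.provider.1; non-FIPS: it only has to be present.
    In both cases the numbering must run 1..n without gaps (the JDK stops at the first gap)."""
    plist = providers(text)
    contiguous = [n for n, _ in plist] == list(range(1, len(plist) + 1))
    present = any(cls == JSAFE for _, cls in plist)
    first = bool(plist) and plist[0] == (1, JSAFE)
    return contiguous and (first if fips else present)

if __name__ == "__main__":
    print(set_provider(SAMPLE_JAVA_SECURITY, JSAFE, position=1))   # java.security.fips
    print(set_provider(SAMPLE_JAVA_SECURITY, JSAFE))               # java.security.nofips
```

Point the script at jdkDirectory/jre/lib/security/java.security, write the two outputs to the .fips and .nofips copies described in the FIPS procedure, and keep the kat.strategy and fips140initialmode properties after the list as that procedure shows; the script deliberately leaves every non-provider line untouched.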

6.6.8 Setting an HTTPS connection


To set up an HTTPS connection, the Tomcat server that hosts the BMC Atrium Single Sign-On server must be
modified to define an HTTPS connection with an explicit truststore and an explicit keystore.
The default Tomcat server used by BMC Atrium Single Sign-On uses a keystore and a truststore for secure
(HTTPS, Transport Layer Security) communications.
If the Tomcat server does not have a truststore and a keystore, new self-signed certificates must be generated
using the keytool. See Managing keystores with a keytool utility (see page 239).
The following XML code is an example of the HTTPS connection and is one of the supported configurations.
The example uses a keystore and a truststore of type PKCS12, named keystore.p12 and cacerts.p12, with the
passwords "keystore_password" and "truststore_password" respectively.

<Connector port="8443"
    protocol="org.apache.coyote.http11.Http11Protocol"
    SSLEnabled="true"
    maxThreads="150"
    scheme="https"
    secure="true"
    clientAuth="false"
    sslProtocol="TLS"
    ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
    keystoreFile="CATALINA_HOME/conf/keystore.p12"
    keystorePass="keystore_password"
    keystoreType="PKCS12"
    keystoreProviderName="JsafeJCE"
    truststoreFile="CATALINA_HOME/conf/cacerts.p12"
    truststorePass="truststore_password"
    truststoreType="PKCS12"
    truststoreProviderName="JsafeJCE"/>

Note
Replace CATALINA_HOME with the full path of the Tomcat directory. The value substituted for
CATALINA_HOME must be adjusted for your environment.
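The installation procedures earlier in this section say the installer verifies that server.xml contains a Connector with port and secure defined and scheme set to https; the Connector above and the FIPS cipher list are what it will find. The following Python script is an added example, not part of the BMC documentation or installer, that performs the same check ahead of time and adds two things a practitioner wants to know before the installer runs: whether the CATALINA_HOME placeholder and the store passwords were actually filled in, and which of the listed cipher suites are weak by current standards (the RC4, MD5-based and 3DES suites in the list above all are; RC4 and 3DES have been deprecated for TLS use since this documentation was written). SAMPLE_SERVER_XML is a constructed file modelled on the Connector above, and WEAK_MARKERS is the author's own list, not one from BMC.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml excerpt modelled on the Connector in this section. The CATALINA_HOME
# placeholder and a trailing space in keystorePass are left in on purpose so the audit reports them.
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
               SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               ciphers="SSL_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA"
               keystoreFile="CATALINA_HOME/conf/keystore.p12" keystorePass="keystore_password "
               keystoreType="PKCS12" keystoreProviderName="JsafeJCE"
               truststoreFile="CATALINA_HOME/conf/cacerts.p12" truststorePass="truststore_password"
               truststoreType="PKCS12" truststoreProviderName="JsafeJCE"/>
  </Service>
</Server>
"""

# Assumed list of substrings that identify cipher suites no longer considered safe.
WEAK_MARKERS = ("RC4", "MD5", "3DES", "_DES_", "NULL", "EXPORT", "anon")

def https_connectors(server_xml):
    """Connectors that satisfy the installer's check: scheme="https" with port and secure defined."""
    root = ET.fromstring(server_xml)
    return [c for c in root.iter("Connector")
            if c.get("scheme") == "https" and c.get("port") and c.get("secure")]

def cipher_suites(connector):
    return [s.strip() for s in connector.get("ciphers", "").split(",") if s.strip()]

def audit_connector(connector):
    """Findings for one HTTPS Connector: unresolved placeholders, sloppy passwords, weak suites."""
    findings = []
    for attr in ("keystoreFile", "truststoreFile"):
        value = connector.get(attr)
        if not value:
            findings.append(f"{attr} not set: an explicit store is required")
        elif "CATALINA_HOME" in value:
            findings.append(f"{attr} still contains the CATALINA_HOME placeholder")
    for attr in ("keystorePass", "truststorePass"):
        value = connector.get(attr)
        # XML does not trim attribute values, so the space would become part of the password
        if value is not None and value != value.strip():
            findings.append(f"{attr} has surrounding whitespace")
    if connector.get("SSLEnabled", "false").lower() != "true":
        findings.append("SSLEnabled is not true")
    for suite in cipher_suites(connector):
        if any(marker in suite for marker in WEAK_MARKERS):
            findings.append(f"weak cipher suite: {suite}")
    return findings

if __name__ == "__main__":
    for conn in https_connectors(SAMPLE_SERVER_XML):
        print(f"Connector on port {conn.get('port')}:")
        for finding in audit_connector(conn):
            print("  -", finding)
```

To audit a real file, replace SAMPLE_SERVER_XML with the contents of CATALINA_HOME/conf/server.xml. An empty result from https_connectors means the installer's own check will fail as well, so fix that first.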

Related topics
Creating new keystores (see page 240)
Generating self-signed certificates (see page 249)
Generating and importing CA certificates
Importing a certificate into the truststore (see page 243)

6.7 Installing BMC Atrium Single Sign-On with the AR System server and Mid Tier
This section describes how to perform a BMC Atrium Single Sign-On installation. This topic contains the following
information:


Installing video (see page 80)
Overview of installation steps (see page 80)
Related topics (see page 81)

6.7.1 Installing video


Click the following BMC Atrium Single Sign-On 8.1 installation video for more information:
Watch video on YouTube at http://www.youtube.com/watch?v=gmSZJnin1WM

6.7.2 Overview of installation steps


In the 8.1 release, you use a single utility AtriumSSOIntegrationUtility installed both with the AR System
server and the BMC Remedy Mid Tier to integrate with the BMC single sign-on solution. To perform the
integration, you first run the utility on the computer where the AR System server is installed, and then you run the
utility a second time on the computer where the Mid Tier is installed.
BMC contributors content
For additional information, you can also refer to the following webinar conducted by BMC Support.
You can also connect with other users for related discussions on the BMC Community.
Perform the following steps:
1. Installing BMC Atrium Single Sign-On
2. Installing or upgrading AR System server
3. Installing or upgrading BMC Remedy Mid Tier
4. Running the SSOARIntegration utility on the AR System server (see page 88)
5. Reviewing AR server external authentication settings and configuring group mapping (see page 91)
6. Running the SSOMidtierIntegration utility on the Mid Tier (see page 92)
7. Managing the AR System users and groups for authentication (see page 97)
8. Running a health check on the BMC Atrium Single Sign-On installation

Important
BMC recommends that you install the BMC Remedy Mid Tier, BMC Remedy AR System server, and BMC
Atrium Single Sign-On server on separate computers.
However, if you do install more than one BMC Product on the same computer, ensure that the HTTP,
HTTPS, and Shutdown port numbers are different.


Note
For detailed information on installing and configuring BMC Atrium Service Context, see Setting up BMC
Atrium Service Context. As a bare minimum, you must install the Web Services Registry (UDDI), which is
required for BMC Atrium Service Context. The Web Services Registry is an option within the BMC Atrium
Core installation program.

6.7.3 Related topics


Configuring after installation

6.7.4 Installing BMC Atrium Single Sign-On


This topic provides instructions for performing a BMC Atrium Single Sign-On standalone installation. In this
installation, a Tomcat server and JVM are installed and properly configured for use by the BMC Atrium Single
Sign-On server. This installation method is the simplest and easiest to perform since all of the administrative and
configuration details are performed by the installation program.
Before you begin (see page )
To install BMC Atrium Single Sign-On as a standalone (see page )
Where to go from here (see page )

Before you begin


Obtain the zipped BMC Atrium Single Sign-On files from the BMC product package via Electronic Product
Download (EPD) or the BMC Atrium Single Sign-On DVD.
If there is already an installation of BMC Atrium Single Sign-On on the target computer, the installer will
not allow another installation. Uninstall the existing version.
Prepare to run the installation program for your operating system.
For example, you must update Terminal Services configuration options and configure the DEP feature if
you are using Windows. For more information, see Configuring Terminal Services and DEP parameters.

Note
The BMC Atrium Single Sign-On Tomcat server cannot be shared with any product (for example, the AR
System server or the BMC Remedy Mid Tier) that integrates with BMC Atrium Single Sign-On. BMC
recommends that you install BMC Atrium Single Sign-On on a different computer than the computer
where you plan to install a BMC product (for example, the AR System server or the BMC Remedy Mid
Tier).


To install BMC Atrium Single Sign-On as a standalone


1. Unzip the BMC Atrium Single Sign-On files.
2. Run the installation program.
The setup executable is located in the Disk1 directory of the extracted files.
(Microsoft Windows) Run setup.cmd.
(UNIX) Run setup.sh (which automatically detects the appropriate subscript to execute).
3. In the lower right corner of the Welcome panel, click Next.
4. Review the license agreement, click I agree to the terms of license agreement, and then click Next.
5. Accept the default destination directory or browse to select a different directory, and then click Next.
6. In the Host Name Information panel, verify that the hostname presented is the Fully Qualified Domain
Name (FQDN) for the host, and then click Next.
Correct the value as needed.
7. Choose to install non-clustered or clustered Atrium Single Sign-On Server, and then click Next.
Non-clustered Atrium Single Sign-On Server: a standalone Single Sign-On server.
Clustered Atrium Single Sign-On Server: implemented as a redundant system with session failover. A
clustered install requires at least two nodes. For more information, see Installing BMC Atrium Single
Sign-On as a High Availability cluster (see page 55).
8. Verify that Install New Tomcat is selected, and then click Next.
The Tomcat server options are:
Install New Tomcat (default)
Use External Tomcat. See Installing BMC Atrium Single Sign-On on an external Tomcat server (see
page 72) to install with this option.

Note
When installing on Linux servers, you must configure JVM for Tomcat after the installation. For
more information about configuring JVM, see Configuring a JVM for the Tomcat Server (see page
77).

9. Accept the default Tomcat HTTP port number (8080), HTTPS port number (8443), and Shutdown port
number (8005), or enter different port numbers, and then click Next. If any of the port numbers are
incorrect, a panel identifies the incorrect port number and requires you to return to the previous page to
correct the values before proceeding with the installation.

Note
When installing on Linux servers, port selections below 1000 require the server to run as root, or
use a port forwarding mechanism.

10. Enter a cookie domain, and then click Next.
The domain value of the cookie should be the network domain of BMC Atrium Single Sign-On or one of its
parent domains. For more information, see Default cookie domain.

Note
The higher the level of the selected parent domain, the higher the risk of user impersonation.
Top-level domains are not supported (for example, com or com.ca ).
You cannot use sibling domains or cross-domains with BMC Atrium Single Sign-On. For example,
installing the BMC Atrium Single Sign-On server in the remedy.com domain and the AR System
server in the bmc.com domain is not supported. You must move all your computers into the same
domain.
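The note above gives three rules for the cookie domain (the SSO server's own network domain or a parent of it; no top-level or public-suffix domains; no sibling domains across integrated products) and explains the trade-off: the higher the parent domain, the more hosts receive the SSO session cookie, so the more places an impersonated session could originate. The following Python function is an added example, not part of the BMC installer, that applies those rules to a proposed domain and reports how many levels above the server's own domain it sits. The hostnames in the tests are constructed, and PUBLIC_SUFFIXES is an assumed, deliberately short list (a real deployment would consult the Public Suffix List).

```python
# Assumed, deliberately incomplete sample of multi-label public suffixes. "com.ca" is the
# example the note above gives; a real check would use the full Public Suffix List.
PUBLIC_SUFFIXES = {"com.ca", "co.uk", "com.au"}

def _labels(name):
    return name.lower().strip(".").split(".")

def is_under(host, domain):
    """True when host equals domain or is a subdomain of it (label-wise suffix match)."""
    h, d = _labels(host), _labels(domain)
    return len(h) >= len(d) and h[-len(d):] == d

def validate_cookie_domain(sso_host, cookie_domain, app_hosts=()):
    """Apply the note's rules to a proposed cookie domain.

    Returns (ok, level, reasons). `level` counts how many parents above the SSO server's own
    network domain were chosen (0 = its own domain); every extra level widens the set of hosts
    that receive the SSO cookie, which is the impersonation risk the note describes.
    """
    reasons = []
    dom = ".".join(_labels(cookie_domain))
    d, h = _labels(dom), _labels(sso_host)
    if len(d) < 2 or dom in PUBLIC_SUFFIXES:
        reasons.append(f"{dom}: top-level domains are not supported")
    if not (is_under(sso_host, dom) and len(d) < len(h)):
        reasons.append(f"{dom} is not the network domain of {sso_host} or one of its parents")
    for app in app_hosts:
        if not is_under(app, dom):
            reasons.append(f"{app} is outside {dom}: sibling or cross-domain setups are not supported")
    level = len(h) - 1 - len(d)
    return (not reasons, level, reasons)

if __name__ == "__main__":
    # Constructed hostnames for illustration only.
    for dom in ("remedy.example.com", "example.com", "com"):
        ok, level, reasons = validate_cookie_domain("sso.remedy.example.com", dom,
                                                    ["ar.remedy.example.com"])
        print(dom, "ok" if ok else "rejected", "level", level, reasons)
```

Treat a level above 0 as a design decision to record, not an error: the note permits parent domains, but a cookie scoped to example.com is presented to every host under example.com, not just the ones running BMC products.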

11. Enter a strong administrator password (at least 8 characters long), confirm the password, and then click
Next.
The default SSO administrator name is amadmin.

Note
Passwords with special characters must be specified in quotes.

For more information, see Administrator password.


12. Review the installation summary and click Install.
13. Verify that your BMC Atrium Single Sign-On installation was successful by accessing the BMC Atrium Single
Sign-On URL.
a. Navigate to Start > All Programs > BMC Software > BMC Atrium SSO > Administrator to launch the
BMC Atrium SSO Admin Console.
The URL to open the BMC Atrium SSO Admin Console is:
https://<ssoserver>.<domain>:<port>/atriumsso
For example, https://ssoserver.bmc.com:8443/atriumsso
b. When the browser warns that the connection is insecure or untrusted, add the exception and then
continue.
Note: Browsers display this warning because the certificate the server presents is not issued by a
CA the browser trusts. To remove the warning, install a certificate from your CA (see Managing
keystores with a keytool utility).
c. Confirm that you can view the BMC Atrium SSO logon panel.

d. Log on with the SSO administrator name (for example, amadmin) and password.
The BMC Atrium SSO Admin Console appears.

14. (Optional) Create an administrative user account for BMC products to perform search functions on the
user store (for example, to list user names and emails).
If you are using the BMC Atrium Single Sign-On server's internal LDAP, assign the BmcSearchAdmins
group to the new user account.
If you are using an external system for authentication (such as AR System, LDAP, or Active Directory),
assign the BmcSearchAdmins group to either an already existing user account or a new user
account.
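The cookie-domain note in step 10 is easiest to see by asking which hosts actually receive the cookie. The following script is an added example (not part of the BMC documentation) that uses Python's standard cookie jar to apply the same domain-matching rule a browser applies, without any network access. The cookie name sso_token and the host names are placeholders constructed for the demo.

```python
"""Which hosts receive the SSO cookie for a given Domain attribute (added example, not BMC code).
The standard-library cookie jar applies the same domain-matching rule a browser uses, so it
answers the question the cookie-domain note raises without any network access."""
from http.cookiejar import Cookie, CookieJar
from urllib.request import Request

# Constructed host names: the SSO server, the Mid Tier, an unrelated host in the same
# domain, and an AR System server in a sibling domain.
HOSTS = ["ssoserver.bmc.com", "midtier.bmc.com", "intranet-wiki.bmc.com", "arserver.remedy.com"]


def sso_cookie(domain):
    """A Secure session cookie (placeholder name) scoped to `domain`; a leading dot shares it with subdomains."""
    return Cookie(0, "sso_token", "opaque-session-id", None, False,
                  domain, True, domain.startswith("."), "/", True,
                  True, None, True, None, None, {})


def hosts_receiving(cookie_domain, hosts=HOSTS):
    """Return {host: True/False}: whether a request to https://host/ would carry the cookie."""
    jar = CookieJar()
    jar.set_cookie(sso_cookie(cookie_domain))
    sent = {}
    for host in hosts:
        req = Request(f"https://{host}/")
        jar.add_cookie_header(req)          # adds a Cookie header only if the domain matches
        sent[host] = req.has_header("Cookie")
    return sent


def exposure(cookie_domain, hosts=HOSTS):
    """Hosts that get the token; each of them can read it and replay it as the user."""
    return [h for h, ok in hosts_receiving(cookie_domain, hosts).items() if ok]


if __name__ == "__main__":
    for domain in (".ssoserver.bmc.com", ".bmc.com"):
        print(f"Domain={domain}: sent to {exposure(domain)}")
```

With Domain=.ssoserver.bmc.com the Mid Tier never sees the token, so the integration cannot work; with Domain=.bmc.com the Mid Tier sees it, but so does every other host under bmc.com, while arserver.remedy.com never does, which is the sibling-domain limitation in the note.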

Where to go from here


Installing or upgrading AR System server
To secure certificates with an external CA, see Managing keystores with a keytool utility (see page 239).
To configure authentication, see Configuring after installation. For a specific authentication method, see
the specific method. For example, for LDAP or Active Directory, see Using LDAP (Active Directory) for
authentication.

6.7.5 Installing or upgrading AR System server


You must install or upgrade the AR System server to version 8.1 as part of the BMC Atrium Single Sign-On
configuration.


Recommendation

When you are installing BMC Remedy AR System, BMC recommends:


To avoid configuration problems, accept the default values displayed in the installer unless you
have a valid reason to modify them.
To reduce installation time significantly, do not install the products over the wide area network
(WAN).
Install BMC Remedy Mid Tier on a separate computer from the AR System server.

Before you begin


Install the SSO server.
Prepare to run the AR System installer for your operating system.
For example, you must update Terminal Services configuration options and configure the DEP feature if
you are using Windows. For more information, see Preparing the Windows environment.
Make sure that 32-bit or 64-bit JRE is installed.
Review the planning spreadsheet for AR System installations.

To install or upgrade the BMC Remedy AR System server


1. Download the AR System installer, or navigate to the installation directory on the CD.
2. Unzip the suite installer (ARSuiteKitWindows.zip).
3. Navigate to the Disk 1 folder.
4. Start the installer.
For Windows, run setup.cmd.
For UNIX, log in as root and run setup.sh.
5. In the lower right corner of the Welcome panel, click Next.
6. Review the license agreement, click I agree to the terms of license agreement, and then click Next.
7. On the Products selection panel, perform the following actions:
a. Select Install.
b. Select AR System Server.
c. Navigate to the directory in which you want to install the BMC Remedy AR System application.
The default location is C:\Program Files\BMC Software\ARSystem.
d. Click Next.
The installer validates the system resources of your computer and displays a list of available features.
8. Create an AR System administrator user with a strong login name and password to use with Atrium Single
Sign-On.

Note
To correctly configure Atrium Single Sign-On, the AR System administrator user requires a
password. You cannot use the default installed Demo user with no password.

9. Enter the values from the planning spreadsheet for the features that you want to install.
After you have entered the required information, the installer validates your input, and then the Installation
Preview panel appears, listing the product and product features that will be installed.

Note
Run Sanity Check is selected by default. BMC recommends that you run the additional validation
tests of your installation.

10. Click Next.


The installer installs the AR System features you have selected. After post-installation cleanup, a summary
of the installation appears.
11. Click View Log to review the SEVERE error messages or warnings in the product installer log.
See whether errors are due to network, host, or other environment-related issues. You can view a log file
of the installation:
C:\Users\Administrator\AppData\Local\Temp\arsystem_install_log.txt
12. Close the log when you finish.
13. Click Done to exit the AR System installer.

Where to go from here


Installing or upgrading BMC Remedy Mid Tier

Related topics
For detailed information on installing the AR System, see:
Completing the planning spreadsheet
Performing a new installation

6.7.6 Installing or upgrading BMC Remedy Mid Tier


You must install or upgrade the BMC Remedy Mid Tier to version 8.1 as part of the BMC Atrium Single Sign-On configuration.

Recommendation

When you are installing BMC Remedy Mid Tier, BMC recommends:

To avoid configuration problems, accept the default values displayed in the installer unless you
have a valid reason to modify them.
To reduce installation time significantly, do not install the products over the wide area network
(WAN).
Install BMC Remedy Mid Tier on a separate computer from the AR System server.
Do not install BMC Atrium Single Sign-On and BMC Remedy Mid Tier on the same computer. They must
run in separate Tomcat instances: if they share one, restarting the Mid Tier computer also takes
BMC Atrium Single Sign-On down, and every other application that depends on it loses
authentication during the restart.

Before you begin


Install the BMC Single Sign-On server.
Prepare to run the AR System installer for your operating system.
For example, you must update Terminal Services configuration options and configure the DEP feature if
you are using Windows. For more information, see Preparing the Windows environment.
Install the 32-bit or 64-bit JRE and JDK 1.6.0_23 or higher.
Set the JAVA_HOME and JRE_HOME environment variables.
For Solaris, JDK7 has a different folder structure than JDK6. For example, set the JDK7 JAVA_HOME
to /data1/software/jdk1.7.0_05/bin/sparcv9/.
Review the planning worksheet for AR System installations.

To install or upgrade the BMC Remedy Mid Tier


1. Download the AR System installer, or navigate to the installation directory on the CD.
2. Unzip the suite installer (ARSuiteKitWindows.zip).
3. Navigate to the Disk 1 folder.
4. Start the installer.
For Windows, run setup.cmd.
For UNIX, log in as root and run setup.sh.
5. In the lower right corner of the Welcome panel, click Next.
6. Review the license agreement, click I agree to the terms of license agreement, and then click Next.
7. On the Products selection panel, perform the following actions:
a. Select Install.
b. Select AR System Mid-Tier.
c. Navigate to the directory in which you want to install the BMC Remedy AR System application.
The default location is C:\Program Files\BMC Software\ARSystem.

d. Click Next.
The installer validates the system resources of your computer and displays a list of available features.
8. In the AR System Server List panel, perform the following actions:
a. Enter the fully-qualified domain names of the AR System servers.
b. Enter the remaining values.
c. Click Next.
9. Enter the values from the planning worksheets for the features that you want to install.
After you have entered the required information, the installer validates your input, and then the Installation
Preview panel appears, listing the product and product features that will be installed.

Note
Run Sanity Check is selected by default. BMC recommends that you run the additional validation
tests of your installation.

10. Click Next.


The installer installs the AR System features you have selected. After post-installation cleanup, a summary
of the installation appears.
11. Click View Log to review the SEVERE error messages or warnings in the product installer log.
See whether errors are due to network, host, or other environment-related issues. You can view a log file
of the installation:
C:\Users\Administrator\AppData\Local\Temp\arsystem_install_log.txt
12. Close the log when you finish.
13. Click Done to exit the AR System installer.
Where to go from here
Configuring the BMC Atrium Single Sign-On server for AR System (see page 86)

Related topics
For detailed information on installing the AR System, see:
Completing the planning spreadsheet
Performing a new installation

6.7.7 Running the SSOARIntegration utility on the AR System server


Performing the Single Sign-On integration with the AR System server and the BMC Remedy Mid Tier is a two-step
sequence:
1. Run the SSOARIntegration utility on the computer where the AR System server is installed (this procedure).
2. Run the SSOMidtierIntegration utility on the computer where the Mid Tier is installed (see page 92).


Before you begin


Make sure that Oracle JRE 1.6.0_23 or higher is installed on the AR System server.
If you have enabled the FIPS-140 mode (see page 251) in BMC Atrium SSO, you must add the
-Datsso.sdk.in.fips140.mode=true parameter to the armonitor.conf file on the server where BMC Remedy
AR System is installed. For the steps, see Enabling FIPS support for BMC Atrium SSO.

To run the SSOARIntegration utility to integrate Single Sign-On and the AR System
server
1. On the computer where the AR System server is installed, navigate to the
<ARSystemServerInstall>\artools\AtriumSSOIntegrationUtility directory.
For example, navigate to C:\Program Files\BMC Software\ARSystem\artools\AtriumSSOIntegrationUtility.
2. Open the arintegration.txt file and update the parameters for your environment.
Replace the sample host names, port, and credentials shown below with the values for your AR System
server and BMC Atrium SSO server.

Tip
When you are using a BMC Atrium SSO load balancer, you must add the load balancer URL in the
--atrium-sso-url parameter instead of adding the server URL.

#AR Server Name, Provide the AR server name.
--ar-server-name=arsystemserver.bmc.com
#AR Server User, Provide the AR server user.
--ar-server-user=Demo
#AR Server Password, Provide the AR server password.
--ar-server-password=Demo
#AR Server Port, Provide the AR server port.
--ar-server-port=0
#Atrium SSO URL, Provide the Atrium SSO URL
#and make sure the server name is
#provided with fully qualified domain name
#and port is also provided in the URL.
--atrium-sso-url=https://ssoserver.bmc.com:8443/atriumsso
#Atrium SSO Admin Name
--admin-name=amadmin
#Atrium SSO Password
--admin-pwd=ssoadminpassword
#TrustStore Path, Path to the truststore directory.
#This is an optional parameter.
#Remove # to uncomment and use the below property.
#--truststore=truststorepath | Optional parameter.
#TrustStore Password. This is an optional parameter.
#Remove # to uncomment and use the below property.
#--truststore-password=truststorepassword | Optional parameter.
#force option, It accepts values as "Yes" or "No" where default is "No".
#If "Yes" is provided then utility will not wait
#for user to shutdown the webserver, if not shutdown already.
#This is true in case, where webserver is other than tomcat or jboss.
#Remove # to uncomment and use the below property.
#--force=<Yes or No>

Note
Blank passwords are not supported. Your AR System server user must have a password
before you run this utility.
Fully-qualified domain names for the AR System server and Atrium SSO URL parameters are
required.
The --truststore=truststorepath and --truststore-password=truststorepassword parameters
are optional when integrating Single Sign-On and the AR System server. The truststore is
the Java truststore holding the certificate used to verify the Atrium SSO server over HTTPS;
if you omit the parameters, the SSOARIntegration utility uses the local Java truststore
automatically.
The --force=Yes or No parameter is optional. If you pass --force=Yes, you are not prompted
for any manual inputs to restart the AR System server and the server is restarted
automatically. Otherwise, you are prompted to restart the AR System server.
The file contains the AR System and Atrium SSO administrator passwords in clear text.
Restrict read access to the account that runs the utility, and remove the password values
from the file after the integration completes.
Review the optional inputs carefully for your environment.

3. Open a command window and navigate to the


<ARSystemServerInstall>\artools\AtriumSSOIntegrationUtility directory.
4. Enter the following command:

java -jar SSOARIntegration.jar --inputfile arintegration.txt

5. When prompted by the utility, restart the AR System server.


6. Review AR server external authentication settings and group mapping (see page 91) and restart the AR
System server.
7. When execution is successfully completed, run the SSOMidtierIntegration utility on the Mid Tier (see page
92).
Info
To troubleshoot integration failures, or for information about the log files and configuration
changes made by the SSOARIntegration and SSOMidtierIntegration utilities, see Troubleshooting AR
System server and Mid Tier integrations.

Where to go from here


Reviewing AR server external authentication settings and configuring group mapping (see page 91)
Running the SSOMidtierIntegration utility on the Mid Tier (see page 92)

6.7.8 Reviewing AR server external authentication settings and configuring group mapping

Before you can properly configure BMC Atrium Single Sign-On, you must configure group mapping for external
authentication in the BMC Remedy AR System server.

Before you begin


Make sure that the AREA LDAP plug-in is properly configured.

To configure external authentication for AR System


1. Use a browser to log on to the AR System server (by using the mid tier).
For example:
http://midTier:8080/arsys
2. Open the AR System Administration Console.
3. Open the Server Information window by selecting System > General > Server Information.
4. Click the EA tab.
5. Verify the following information:

Field: External Authentication Server RPC Program Number
Value: 390695

Field: External Authentication Server Timeout (seconds) RPC
Value: 80

Field: External Authentication Server Timeout (seconds) Need To Sync
Value: 300 (default)

6. Verify that Authenticate Unregistered Users is selected.


7. Verify that Authentication Chaining Mode is set to ARS-AREA.
8. Set the Group Mapping.
For example, you can map the Atrium Single Sign-On group BmcAdmins to the AR group Administrator.
9. Click OK.

Where to go from here


Running the SSOMidtierIntegration utility on the Mid Tier (see page 92)

6.7.9 Running the SSOMidtierIntegration utility on the Mid Tier


After you have run the SSOARIntegration utility on the computer where the AR System server is installed, you
must run the SSOMidtierIntegration utility on the computer where the Mid Tier is installed.


Note
When BMC Remedy Mid Tier is deployed in a cluster, you must run the SSOMidtierIntegration utility on
every computer where the Mid Tier is installed.


Before you begin


Make sure that Oracle JRE 1.6.0_23 or higher is installed.
Before you begin, perform the BMC Atrium Single Sign-On and AR System server integration (see page 88)
.
If the Mid Tier web server is not Tomcat or JBoss, verify the Mid Tier URL before passing it as an input; you
cannot verify it later when the web server is shut down.

To run the SSOMidtierIntegration utility to integrate Single Sign-On and the Mid Tier
1. On the computer where the Mid Tier is installed, navigate to the
<MidTierInstall>\AtriumSSOIntegrationUtility directory.
For example, navigate to C:\Program Files\BMC Software\ARSystem\midtier\AtriumSSOIntegrationUtility.
2. Open the midtierintegration.txt file and update the parameters for your environment.
For example, you can enter the supported container types such as Tomcat 6, JBOSS v4, and so on.

Tip
When you are using a BMC Atrium SSO load balancer, you must add the load balancer URL
in the --atrium-sso-url parameter instead of adding the server URL.
When you are using a mid tier load balancer or reverse proxy, you must add the
--web-app-url and --notify-url URLs. In this case, add the load balancer URL in the
--web-app-url parameter and add the mid tier URL in the --notify-url parameter.
When you are not using a mid tier load balancer, do not use the --notify-url parameter
and add the mid tier URL in the --web-app-url.

# Install mode, it accepts values as "Install" or "Uninstall" and it is case insensitive.
# Provide "Install", if you want to install the agent. Provide "Uninstall", if you want to
# uninstall the agent.
--install-mode=Install
# Container Type, Type of webserver being used to host midtier
--container-type=TOMCATV6
# Supported container types include JBOSSV4, JBOSSV5, SERVLETEXECV5, SERVLETEXECV6,
# TOMCATV5, TOMCATV6, TOMCATV7, WEBSPHEREV6, WEBSPHEREV7, WEBLOGICV10
#Web App URL, Provide the midtier URL in case load balancer is not there otherwise provide the load
#balancer url, and make sure the server name is provided with fully qualified domain name
#and port is also provided in the URL.
#--web-app-url=MidtierURL or LoadBalancerURL
--web-app-url=http://midtierloadbalancer.bmc.com:8080/arsys
#Container Base Directory, Provide the webserver home directory.
--container-base-dir=C:\Program Files\Apache Software Foundation\Tomcat6.0
#JRE Path, Provide the path to the JRE home and make sure that you haven't provided till "bin".
--jre-path=C:\Program Files\Java\jre7
#Midtier Home, Midtier Home Directory
--midtier-home=C:\Program Files\BMC Software\ARSystem\midtier
#Midtier URL, Provide the midtier URL here in case load balancer is being used.
#Remove # to uncomment and use the below property.
#--notify-url=http://midtier.bmc.com:8080/arsys
#Atrium SSO URL, Provide the Atrium SSO URL and make sure the server name is
#provided with fully qualified domain name and port is also provided in the URL.
#If SSO load balancer is used, add the Atrium SSO load balancer URL instead of Atrium SSO server
#name.
--atrium-sso-url=https://ssoserver.bmc.com:8443/atriumsso
#Atrium SSO Admin Name
--admin-name=amadmin
#Atrium SSO Password
--admin-pwd=ssoadminpassword
#TrustStore Path, Path to the truststore directory. This is an optional parameter.
#Remove # to uncomment and use the below property.
#--truststore=truststorepath | Optional parameter.
#TrustStore Password. This is an optional parameter.
#Remove # to uncomment and use the below property.
#--truststore-password=truststorepassword | Optional parameter.
#The Atrium SSO realm that this agent will use for user authentication. Default is /BmcRealm.
#Remove # to uncomment and use the below property.
#--agent-realm=RealmName
#force option, It accepts values as "Yes" or "No" where default is "No".
#If "Yes" is provided then utility will not wait for user to shutdown the
#webserver, if not done already in case, webserver is other than tomcat or jboss.
#Remove # to uncomment and use the below property.
#--force=<Yes or No>
#Server Instance Name, Provide the name of the WebSphere instance being used.
#It is required only in case WebSphere is being used to host the midtier.
#Remove # to uncomment and use the below property.
#--server-instance-name=WebSphere server instance name
#Instance Configuration Directory, Provide the path to the WebSphere instance configuration
#directory. It is required only in case WebSphere is being used to host the midtier.
#Remove # to uncomment and use the below property.
#--instance-config-directory=WebSphere server instance configuration directory
#Weblogic Domain Name, Provide the WebLogic domain name. It is required only in case WebLogic is
#being used to host the midtier.
#Remove # to uncomment and use the below property.
#--weblogic-domain-home=Domain Name

Note
Blank passwords are not supported. Your AR System server user must have a password
before you run this utility.
Fully-qualified domain names for the AR System server and BMC Atrium SSO URL
parameters are required.
If necessary, you can run the SSOMidtierIntegration utility multiple times, for example, to
install or uninstall the integration (depending on the install-mode setting in the
midtierintegration.txt file). The utility checks if an agent exists from a previous installation. If
an agent exists, the utility uninstalls it and then re-installs a new agent.
The file contains the Atrium SSO administrator password in clear text. Restrict read access to
the account that runs the utility, and remove the password value from the file after the
integration completes.
Review the optional inputs carefully for your environment.

3. Save your changes to midtierintegration.txt.


4. At the command prompt or shell window, navigate to the <MidTierInstall>\AtriumSSOIntegrationUtility
directory.
5. Enter the following jar command at the command prompt:

java -jar SSOMidtierIntegration.jar --inputfile midtierintegration.txt

6. Manually shut down the web server if you are prompted by the utility.

Note
The utility automatically shuts down Tomcat and JBoss.

7. When execution is successfully completed, open the BMC Atrium SSO Admin console.
The URL to open the BMC Atrium SSO Admin console is:
https://<ssoServer>.<domain>:<port>/atriumsso
For example:
https://ssoserver.bmc.com:8443/atriumsso

Note
To troubleshoot installation failures, or for information about log files or configurations
performed by the SSOMidtierIntegration utility, see Troubleshooting AR System server and Mid
Tier integrations.

8. When the browser warns that the connection is insecure or untrusted (the server certificate is not
issued by a CA the browser trusts), add the exception and then continue.
9. Under Agents List, verify that the agent was created.
For example, /arsys@MidTier.labs.bmc.com:8080 should be present.
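Both utilities read the same '--key=value' input file format and reject the same kinds of mistakes only after they start: blank passwords, short host names instead of FQDNs, a missing port in the Atrium SSO URL, an unsupported container type, or a force value other than Yes or No. The following script is an added example, not BMC code, that checks an arintegration.txt (section 6.7.7) or midtierintegration.txt (this section) before you run SSOARIntegration.jar or SSOMidtierIntegration.jar. The two embedded input files are constructed for the demo; the check that flags the sample placeholder passwords Demo and ssoadminpassword is an assumption about what must never reach production, not a rule the utilities themselves enforce.

```python
"""Pre-flight check for arintegration.txt and midtierintegration.txt (added example, not BMC code).
Parses the '--key=value' input files shown above and reports the documented constraints up front."""
import re
import sys
from urllib.parse import urlsplit

SUPPORTED_CONTAINERS = {"JBOSSV4", "JBOSSV5", "SERVLETEXECV5", "SERVLETEXECV6", "TOMCATV5",
                        "TOMCATV6", "TOMCATV7", "WEBSPHEREV6", "WEBSPHEREV7", "WEBLOGICV10"}
PLACEHOLDER_SECRETS = {"demo", "ssoadminpassword"}  # credentials from the shipped sample files
FQDN_RE = re.compile(r"(?!-)[a-z0-9-]{1,63}(\.(?!-)[a-z0-9-]{1,63})+")


def parse_inputfile(text):
    """Return {key: value} from '--key=value' lines; lines starting with '#' are comments."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"--([a-z][a-z0-9-]*)=(.*)", line)
        if not m:
            raise ValueError(f"unparseable line: {raw!r}")
        params[m.group(1)] = m.group(2).strip()
    return params


def is_fqdn(host):
    return bool(host) and FQDN_RE.fullmatch(host.lower()) is not None


def _check_url(name, url, out, https_only=False, need_port=False):
    u = urlsplit(url)
    if https_only and u.scheme != "https":
        out.append(f"{name} must use https")
    if not is_fqdn(u.hostname or ""):
        out.append(f"{name} host must be a fully qualified domain name")
    if need_port and u.port is None:
        out.append(f"{name} must include the port")


def _check_secret(name, value, out):
    if not value:
        out.append(f"{name} must not be blank")
    elif value.lower() in PLACEHOLDER_SECRETS:
        out.append(f"{name} is still the sample placeholder value")


def validate(params):
    """Return the list of findings; an empty list means the file passes the checks."""
    out = []
    # Parameters common to both utilities
    _check_url("atrium-sso-url", params.get("atrium-sso-url", ""), out, https_only=True, need_port=True)
    if not params.get("admin-name"):
        out.append("admin-name must not be blank")
    _check_secret("admin-pwd", params.get("admin-pwd", ""), out)
    if "force" in params and params["force"].lower() not in ("yes", "no"):
        out.append("force must be Yes or No")
    # arintegration.txt only
    if "ar-server-name" in params:
        if not is_fqdn(params["ar-server-name"]):
            out.append("ar-server-name must be a fully qualified domain name")
        if not params.get("ar-server-user"):
            out.append("ar-server-user must not be blank")
        _check_secret("ar-server-password", params.get("ar-server-password", ""), out)
        if not params.get("ar-server-port", "").isdigit():
            out.append("ar-server-port must be a number (0 when port mapping is used)")
    # midtierintegration.txt only
    if "install-mode" in params:
        if params["install-mode"].lower() not in ("install", "uninstall"):
            out.append("install-mode must be Install or Uninstall")
        ctype = params.get("container-type", "").upper()
        if ctype not in SUPPORTED_CONTAINERS:
            out.append(f"container-type {ctype or '(missing)'} is not supported")
        _check_url("web-app-url", params.get("web-app-url", ""), out)
        if params.get("jre-path", "").rstrip("\\/").lower().endswith("bin"):
            out.append("jre-path must be the JRE home, not its bin directory")
    return out


# Constructed inputs: the shipped AR sample (well formed, but still carrying placeholder secrets) and a mid tier file with the mistakes the notes warn about.
AR_SAMPLE = """\
--ar-server-name=arsystemserver.bmc.com
--ar-server-user=Demo
--ar-server-password=Demo
--ar-server-port=0
--atrium-sso-url=https://ssoserver.bmc.com:8443/atriumsso
--admin-name=amadmin
--admin-pwd=ssoadminpassword
"""
MIDTIER_BAD = """\
--install-mode=Install
--container-type=TOMCATV6
--web-app-url=http://midtier:8080/arsys
--jre-path=C:\\Program Files\\Java\\jre7\\bin
--atrium-sso-url=http://ssoserver.bmc.com/atriumsso
--admin-pwd=
--force=<Yes or No>
"""

if __name__ == "__main__":  # usage: python check_inputfile.py midtierintegration.txt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else MIDTIER_BAD
    findings = validate(parse_inputfile(text))
    print("\n".join(findings) or "no findings")
    sys.exit(1 if findings else 0)
```

Run it against the file before invoking the jar; a non-zero exit code means the file would fail one of the documented requirements. Because the file holds clear-text administrator passwords, the script deliberately never prints the values it checks.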


Reverse proxy URLs


Important

Before you pass the reverse proxy URL as input in the utility command, make sure that you can log
on to the application using the reverse proxy URL from the Mid-Tier computer where the
command is run.
If the reverse proxy server and the Mid Tier are installed on the same computer, stop the reverse
proxy server before you run the SSOMidtierIntegration utility with the Mid Tier. When the utility
completes its operation, restart the reverse proxy server.

If you must use reverse proxy URLs to run the Mid-Tier integration with the SSOMidtierIntegration utility, the
utility works with or without ports in the --web-app-url parameter.
Where to go from here
1. Configure BMC Atrium Single Sign-On for AR authentication and set up users and groups (see page 97).

Note
If you do not plan to use BMC Atrium Single Sign-On AR authentication and plan to use different
authentication methods, see Configuring after installation.
To use and manage authentication chaining, see Managing authentication modules (see
page 271).
To set up and manage users and user groups, see Managing users (see page 264) and
Managing user groups (see page 268).

2. Run a health check on the BMC Atrium Single Sign-On installation.

6.7.10 Managing the AR System users and groups for authentication


The Action Request (AR) authentication module allows BMC Atrium Single Sign-On to use the user accounts
within a BMC Remedy AR System server for authentication. This module is normally used in conjunction with the
AR Data Store to retrieve group information and other user attributes from the AR System server.


When you enable authentication chaining mode, all authentication methods in the chain are attempted in the
specified order until either the authentication succeeds or all the methods in the chain fail.

Note
If you plan to use an authentication method other than or in addition to the AR module, see the
applicable authentication method in Configuring after installation. For example, Using Kerberos for
authentication (see page 132) or Using SAMLv2 for authentication.

Configure the AR module for AR System


1. On the SSO Server, navigate to Start > All Programs > BMC Software > BMC Atrium SSO > Administrator to
launch the BMC Atrium SSO Admin Console and log on.
2. Click Edit BMC Realm to open the Realm Editor.
3. Set User Profile to Dynamic.

4. On the Realm Authentication panel, click Add.


5. Click AR.
a. Enter the AR parameters (see the AR parameters table below).
b. Click Save.
6. On the Realm Authentication panel, set the process order of the authentication chain:
a. For the AR module, under Flag, select Sufficient.
b. Select the AR module.
c. Click Up so that AR is first in the list.
d. Set Internal LDAP to Optional.

Sufficient means that, with multiple authentication modules, if you are successfully authenticated
with the first module, the remaining modules are skipped. But if the login fails, authentication moves
to the next module in the chain. Setting AR to Sufficient and placing it as the first module in the list
means that if you are authenticated with the AR System server, you are successfully authenticated by
BMC Atrium Single Sign-On and you proceed to the Mid Tier.
Note
The flag on each module controls how its result affects the chain:
Required: the module must succeed; the chain continues either way, but the login fails if any Required module failed.
Requisite: the module must succeed; if it fails, the chain stops immediately and the login fails.
Sufficient: if the module succeeds (and no earlier Required or Requisite module failed), the login succeeds and the remaining modules are skipped; if it fails, the chain continues.
Optional: the module's result only decides the login when the chain contains no Required or Requisite modules.
If you set both modules to Required, the user would have to authenticate against both stores to establish the session.
For more information on creating an authentication chain, see the Realm Authentication panel described in Realm Editor.
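To make the flag semantics concrete, here is a small simulator (an added example, not BMC code) that evaluates a chain under the standard JAAS LoginModule control-flag rules described in the note, using two constructed in-memory user stores as stand-ins for the AR System server and the internal LDAP. The user names and passwords are made up for the demo.

```python
"""Simulates the Required / Requisite / Sufficient / Optional control flags of an
authentication chain (added example, not BMC code). The user stores below are
constructed stand-ins for the AR System server and the internal LDAP."""
import hmac
from enum import Enum


class Flag(Enum):
    REQUIRED = "Required"      # must succeed; the chain continues either way
    REQUISITE = "Requisite"    # must succeed; a failure stops the chain at once
    SUFFICIENT = "Sufficient"  # a success ends the chain early; a failure just moves on
    OPTIONAL = "Optional"      # only decides the result when no Required/Requisite module exists


def evaluate_chain(chain, username, password):
    """chain: list of (module_name, Flag, authenticate) with authenticate(user, pw) -> bool.
    Returns (authenticated, names of the modules that were actually consulted)."""
    has_mandatory = any(flag in (Flag.REQUIRED, Flag.REQUISITE) for _, flag, _ in chain)
    mandatory_failed = False
    any_success = False
    attempted = []
    for name, flag, authenticate in chain:
        attempted.append(name)
        ok = authenticate(username, password)
        any_success = any_success or ok
        if flag is Flag.REQUISITE and not ok:
            return False, attempted                  # stop immediately
        if flag is Flag.REQUIRED and not ok:
            mandatory_failed = True                  # keep going, but the login is lost
        if flag is Flag.SUFFICIENT and ok and not mandatory_failed:
            return True, attempted                   # short-circuit success
    if mandatory_failed:
        return False, attempted
    return (True if has_mandatory else any_success), attempted


# Constructed stores: one user known only to AR System, one known only to the internal LDAP.
AR_USERS = {"arsadmin": "Str0ng-AR-pass"}
LDAP_USERS = {"ssouser": "Str0ng-LDAP-pass"}


def store_authenticator(store):
    """Constant-time password comparison against an in-memory store (ASCII passwords)."""
    return lambda user, pw: user in store and hmac.compare_digest(store[user], pw)


ar_auth = store_authenticator(AR_USERS)
ldap_auth = store_authenticator(LDAP_USERS)

# The chain the procedure above builds: AR first as Sufficient, Internal LDAP as Optional.
DOCUMENTED_CHAIN = [("AR", Flag.SUFFICIENT, ar_auth), ("Internal LDAP", Flag.OPTIONAL, ldap_auth)]
# The alternative the note warns about: with both Required, both stores must accept the user.
BOTH_REQUIRED = [("AR", Flag.REQUIRED, ar_auth), ("Internal LDAP", Flag.REQUIRED, ldap_auth)]

if __name__ == "__main__":
    for label, chain in (("documented", DOCUMENTED_CHAIN), ("both required", BOTH_REQUIRED)):
        for user, pw in (("arsadmin", "Str0ng-AR-pass"), ("ssouser", "Str0ng-LDAP-pass"), ("ssouser", "bad")):
            print(f"{label:14} {user:9} -> {evaluate_chain(chain, user, pw)}")
```

With the documented chain, an AR System user is accepted after the AR module alone, an LDAP-only user falls through to the internal LDAP and is still accepted, and a bad password fails after both modules have been consulted. With both modules set to Required, even a valid AR System user is rejected because the internal LDAP does not know them.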

AR parameters

Server Host Name
(Required) Provide the Fully Qualified Domain Name (FQDN) for the server where the AR System server is
located. The full host name includes the domain name (bmc.com) of the computer and the individual name of
the server (yourServer).

Server Port Number
(Required) The port on which the AR System server is listening.
Note: Enter a value of 0 if the AR System server is using port mapping.

Default Authentication String
This string is only used when the AR module is placed downstream in a chain from another authentication
module which prompts the user only for a name and password. In this situation, the value of this parameter
is used to authenticate the user by re-using the credentials provided by the user along with this
authentication string.

Allow AR Guests
If enabled, allows unknown or invalid users to authenticate to the AR System server as guests. Leave this
disabled unless your AR System server is meant to accept guest logins, because it turns a failed credential
check into a successful (guest) authentication.

Note
When using SAML v2 for authentication, do not use AR user stores. The AR authentication module should still
be configured, but the AR data store is not needed for authentication in a SAMLv2 deployment.

Configure AR user stores for AR System


1. On the User Stores panel, click Add.
2. Select AR User Store.
3. Enter the AR User Store parameters (see the table below).
4. Click Save.

AR User Store parameters

AR Server
  Name: Label for the AR user store.
  Host Name: (Required) Provide the Fully Qualified Domain Name (FQDN) for the server where the AR System
  server is located. The full host name includes the domain name (bmc.com) of the computer and the individual
  name of the server (yourServer). Replace the default value (sample.bmc.com) with the host name of your
  server (for example, yourServer.bmc.com).
  Port: (Required) Default: 0. Provide the port number where the AR Server is listening. The value of 0 is
  used when the AR Server is using port mapping.

Administrative Access
  Name: (Required) Provide the user name of an AR Server user store account that has AR System Administrator
  privileges. Empty or blank passwords for this internal user are not supported with a new user store.
  Authentication: Provide the authentication string that is needed when the Administrator account is used to
  connect with the AR System server.
  Password and Confirm Password: Password for the AR System administrative user of the AR Server user store
  account (for example, admin).

Connection Pool
  Linger Time (seconds): (Required) Default: 60. The amount of time that a connection is allowed to remain
  unused in the pool before being closed.
  Pool size: (Required) Default: 10. The maximum number of connections the data store uses to service data
  requests for the AR System server.

Managing the AR System users and groups

BMC Atrium Single Sign-On provides basic user and group management features with the internal LDAP server.
These features allow an administrator to manage users, groups, and memberships in the groups.
Note
When you configure the AR User Store for the AR System, all your AR System users and groups are already listed.

From the User page, the administrator can create, delete, and manage group memberships.
BMC products can use the group membership capabilities of the BMC Atrium Single Sign-On system to provide
authorization and authentication of users. If a BMC product does not use the group memberships of the BMC
Atrium Single Sign-On system, consult that product's documentation to determine how groups map to
privileges.

To access the User page


Navigate to the following location:
1. Open the Realm Editor.
2. Click the Users tab.
New users can only be created when you are using the internal LDAP server for authentication. If an external
source is used for authentication, new users must be created within that external system.
Note
If special characters, such as comma ( , ) , semi-colon ( ; ), or plus sign ( + ) are used in the user ID, the backslash ( \ ) must precede the special
character. For example, Baldwin\,bob.

When creating a new user, each field that is marked with an asterisk is a required field.

To add a new user


1. In the Realm Editor, click the Users tab.
Current AR System users created in your AR System server are already listed.


2. Click Add to open the User Editor.

3. In the User Id field, enter a unique identifier for the new user.
This value is used as the user ID when the user logs in.
4. Specify the user's status.
The default is Active.
5. Add the name attributes.
The name attributes (First Name, Full Name, and Last Name) can be provided to BMC products to
help identify user accounts by using terms that are more user-friendly. The actual use of these
attributes, though, is dependent on the BMC product.
You must assign an initial password of at least 8 characters when creating the account. After the
password is created, the user can log into BMC Atrium Single Sign-On and update the password and
their personal information through the following URL:
https://FQDNHostName:port/BMC Atrium SSO?realm=BmcRealm
6. Click the Groups tab.
7. From the list of available groups, add the user to group membership (for example, BmcAdmins).
8. Click Save.


To access the Group page


BMC Atrium Single Sign-On provides predefined groups to help with the Administrator privileges that some BMC
products might require. For example, the BmcSearchAdmin group provides privileges that allow a user to connect
to the server to perform identity searches.
Note
Care should be exercised when assigning the BmcSearchAdmin group because these elevated privileges allow greater access to BMC Atrium
Single Sign-On than is normally allowed.

Navigate to the following location:


1. Open the Realm Editor.
2. Click the Groups tab.

To create a new group


Normally, BMC products install the groups that they need managed into BMC Atrium Single Sign-On as part of
their installation. However, a situation might arise in which a group might need to be created or re-created.


1. In the Realm Editor, click the Groups tab.


Current AR System groups created in your AR System server are already listed.


2. Click Add to open the Group Editor.

3. Enter a new, unique name for the group.


4. Add available users to the new group.
5. Click Save.

Related topics
Using SAMLv2 for authentication
Using Kerberos for authentication (see page 132)
Using CAC for authentication
Using LDAP (Active Directory) for authentication
Using RSA SecurID for authentication

6.7.11 Running a health check on the BMC Atrium Single Sign-On installation

After you finish all these procedures, run a health check of your integration of BMC Atrium Single Sign-On with
BMC Remedy AR System.

To run a health check on the BMC Atrium Single Sign-On integration


1. Log on to the BMC Remedy Mid Tier Configuration Tool.
The default path is http://<FQDN midtier server>:<port>/arsys/shared/config/config.jsp.
For example:
http://Midtier.bmc.com:8080/arsys/shared/config/config.jsp

Tip
Clear the cache on your browser if you see redirect errors.

If your integration is successful, you should see the normal Mid Tier configuration logon, not the BMC
Atrium SSO logon screen.

2. In the AR Server Setting panel, verify that the list of AR System servers includes their fully-qualified domain
names.
3. Log on to the AR System server.
For example:
http://Midtier.bmc.com:8080/arsys
The request is redirected to the BMC Atrium Single Sign-On server, and the BMC Atrium SSO logon screen
appears.

4. Enter the User Name and Password of an AR System user and then click Log In.
If BMC Atrium Single Sign-On is properly integrated and configured, the Applications startup page appears.


6.8 Installing silently


In addition to using the GUI, the installer and uninstaller programs can be run from scripts. This topic
provides examples for installing and uninstalling BMC Atrium Single Sign-On in silent mode by using the setup
script from the command line.
Running the installer in silent mode (see page 114)
Uninstalling in silent mode (see page 114)
Example options.txt file (see page 114)
The following represents the general command line syntax:

setup.sh|setup.cmd -i silent -DOPTIONS_FILE=<AtriumSSO directory path><file>

Note
The full path to the AtriumSSO directory must be specified.

If you are configuring BMC Atrium Single Sign-On as a High Availability (HA) cluster, you must complete the HA
prerequisites and HA pre-installation tasks before running the installer in silent mode on the first node and the
additional nodes. Before running the installer in silent mode on an additional node, you must also complete the
following tasks:
Ensure that all nodes are running and available.
Copy the configuration file (created during the first node's installation) to the Disk1 directory of the
extracted files before installing BMC Atrium Single Sign-On on the node.
You must also complete the HA post-installation activities after you have run the installer in silent mode on all the
nodes.


For information about the additional parameters that you must add in the SSOSilentInstallOptions.txt file, see
Example options.txt file (see page 114).

6.8.1 Running the installer in silent mode


1. Open a command line window.
2. Navigate to the AtriumSSO directory. For example, on Windows, the default location is C:\SSO\AtriumSSO.
3. Create the SSOSilentInstallOptions.txt file with any environment-specific parameters. For details on the file
format, see the Silent installation example.
4. Run the setup command with the following syntax:

setup.sh|setup.cmd -i silent -DOPTIONS_FILE=<AtriumSSO directory path>SSOSilentInstallOptions.txt

5. Verify that your BMC Atrium Single Sign-On installation was successful:
a. Launch the Administrator console.
b. Confirm that you can view the BMC Atrium Single Sign-On logon panel.

Note
If you install in silent mode, you must also uninstall in silent mode to uninstall the server.

6.8.2 Uninstalling in silent mode


1. Open a command-line window.
2. Navigate to the AtriumSSO directory. For example, on Windows, the default location is C:\SSO\AtriumSSO.
3. Run UninstallAtriumSSO.exe with the following syntax:

UninstallAtriumSSO.exe -i silent -DOPTIONS_FILE=<AtriumSSO directory path>SSOSilentUninstallOptions.txt

where SSOSilentUninstallOptions.txt contains:

-silent
-U productAtriumSSO
-U featureAtriumSSO

6.8.3 Example options.txt file


The following Windows example invokes a silent installation where the administrator password is admin123.

setup.cmd -i silent -DOPTIONS_FILE=C:\SSO\AtriumSSO\SSOSilentInstallOptions.txt

You can also generate the encrypted form of a new administrator password using the following command:

Disk1/support/AtriumSSOMaintenanceTool.sh -silent -encrypt -encrypt -password=test -confirm_password=test

The command prints the encrypted value, for example:

DES\:a751b8161238d05108839e457d4e2050

The SSOSilentInstallOptions.txt file contains:

-P installLocation=C:\SSO\AtriumSSO
-A featureAtriumSSO
-J ATRIUMSSO_TOMCAT_SHUTDOWN_PORT=8005
-J ATRIUMSSO_TOMCAT_HTTP_PORT=8080
-J ATRIUMSSO_INSTALL_TOMCAT=true
-J ATRIUMSSO_TOMCAT_HTTPS_PORT=8443
-J ATRIUMSSO_SERVER_PASSWORD=DES\:3996ba109b2b3f035fb4200116c2339a78ecec52023308de
-J ATRIUMSSO_SERVER_PASSWORD_2=DES\:3996ba109b2b3f035fb4200116c2339a78ecec52023308de
-J ATRIUMSSO_COOKIE_DOMAIN=bmc.com
-J ATRIUMSSO_HOST_NAME=atrium-sso-vm4.bmc.com

The SSOSilentInstallOptions.txt file for installing BMC Atrium Single Sign-On on an external Tomcat server, specifying
that the installer uses the Tomcat scripts for starting and stopping Tomcat processes, contains the following parameters:

-P installLocation=/root/bmc/AtriumSSO
-A featureAtriumSSO
-J ATRIUMSSO_INSTALL_TOMCAT=false
-J ATRIUMSSO_TOMCAT_HTTPS_PORT=8443
-J ATRIUMSSO_SERVER_PASSWORD=DES\:097133405e7ea7a641f019bca8781280
-J ATRIUMSSO_SERVER_PASSWORD_2=DES\:097133405e7ea7a641f019bca8781280
-J ATRIUMSSO_COOKIE_DOMAIN=bmc.com
-J ATRIUMSSO_HOST_NAME=vl-aus-rh55-atm-sp01.bmc.com
-J USE_EXTERNAL_SCRIPTS=true
-J CLUSTER_MODE=STANDALONE_STRING
-J ATRIUMSSO_EXISTING_TOMCAT_DIRECTORY=/root/apache-tomcat-6.0.37
-J TRUSTSTORE_LOCATION=/root/apache-tomcat-6.0.37/conf/cacerts.p12
-J TRUSTSTORE_PASSWORD=changeit
-J KEYSTORE_LOCATION=/root/apache-tomcat-6.0.37/conf/keystore.p12
-J KEYSTORE_PASSWORD=changeit
-J KEYSTORE_ALIAS=tomcat
-J JAVA_LOCATION=/usr/jdk64
-J JDK_LOCATION=/usr/jdk64

The SSOSilentInstallOptions.txt file for installing BMC Atrium Single Sign-On on an external Tomcat server, specifying
that the installer uses the Tomcat server's Windows service, contains the following parameters:

-P installLocation=/root/bmc/AtriumSSO
-A featureAtriumSSO
-J ATRIUMSSO_INSTALL_TOMCAT=false
-J ATRIUMSSO_TOMCAT_HTTPS_PORT=8443
-J ATRIUMSSO_SERVER_PASSWORD=DES\:097133405e7ea7a641f019bca8781280
-J ATRIUMSSO_SERVER_PASSWORD_2=DES\:097133405e7ea7a641f019bca8781280
-J ATRIUMSSO_COOKIE_DOMAIN=bmc.com
-J ATRIUMSSO_HOST_NAME=vl-aus-rh55-atm-sp01.bmc.com
-J USE_EXTERNAL_SCRIPTS=false
-J ATRIUMSSO_EXISTING_TOMCAT_SERVICE=Tomcat
-J CLUSTER_MODE=STANDALONE_STRING
-J ATRIUMSSO_EXISTING_TOMCAT_DIRECTORY=/root/apache-tomcat-6.0.37
-J TRUSTSTORE_LOCATION=/root/apache-tomcat-6.0.37/conf/cacerts.p12
-J TRUSTSTORE_PASSWORD=changeit
-J KEYSTORE_LOCATION=/root/apache-tomcat-6.0.37/conf/keystore.p12
-J KEYSTORE_PASSWORD=changeit
-J KEYSTORE_ALIAS=tomcat
-J JAVA_LOCATION=/usr/jdk64
-J JDK_LOCATION=/usr/jdk64

When installing BMC Atrium Single Sign-On as a High Availability (HA) cluster, the SSOSilentInstallOptions.txt file
must contain some additional parameters.
The SSOSilentInstallOptions.txt file for installing the first node of an HA cluster must contain the following
parameters:

-P installLocation=C:\SSO\AtriumSSO
-A featureAtriumSSO
-J ATRIUMSSO_INSTALL_TOMCAT=true
-J CLUSTER_MODE=FIRST_MEMBER_CLUSTER_STRING
-J MEMBER_LOCATION=/home/xuser/5162_node.dat
-J ATRIUMSSO_COOKIE_DOMAIN=bmc.com
-J LOAD_BALANCER_URL=https://iBMC-JBHBBK1.bmc.com:443/atriumsso
-J ATRIUMSSO_LDAP_REPLICATION_PORT=8092
-J ATRIUMSSO_TOMCAT_SHUTDOWN_PORT=8005
-J ATRIUMSSO_SERVER_PASSWORD_2=DES\:097133405e7ea7a641f019bca8781280
-J ATRIUMSSO_TOMCAT_HTTP_PORT=8080
-J ATRIUMSSO_TOMCAT_HTTPS_PORT=8443
-J USE_EXTERNAL_SCRIPTS=false
-J ATRIUMSSO_SERVER_PASSWORD=DES\:097133405e7ea7a641f019bca8781280
-J ATRIUMSSO_HOST_NAME=rlnx-al-vm01.bmc.com
-J ATRIUMSSO_LDAP_PORT=8091

The SSOSilentInstallOptions.txt file for installing additional nodes of an HA cluster must contain the following
parameters:

-P installLocation=/opt/bmc/AtriumSSO
-A featureAtriumSSO
-J ATRIUMSSO_TOMCAT_SHUTDOWN_PORT=8005
-J ATRIUMSSO_TOMCAT_HTTP_PORT=8080
-J ATRIUMSSO_INSTALL_TOMCAT=true
-J ATRIUMSSO_TOMCAT_HTTPS_PORT=8443
-J CLUSTER_MODE=ADDITIONAL_MEMBER_CLUSTER_STRING
-J MEMBER_LOCATION=/tmp/SSO/5162_node.dat
-J ATRIUMSSO_COOKIE_DOMAIN=bmc.com
-J ATRIUMSSO_LDAP_REPLICATION_PORT=8092
-J ATRIUMSSO_HOST_NAME=vm-rhel5-rds1276.bmc.com
-J ATRIUMSSO_LDAP_PORT=8091
-J USE_EXTERNAL_SCRIPTS=false
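Because a silent install reads these files unattended, it pays to lint them first. The following is an added example, not BMC's code: it parses the -P/-A/-J layout shown above and checks the per-CLUSTER_MODE parameter sets that the examples on this page use (a constructed checklist, not an official BMC list), that the server password is in the DES\: encrypted form rather than clear text, and that no keystore password is still the well-known default. The sample file and host names are constructed.

```python
"""Lint an SSOSilentInstallOptions.txt before running setup in silent mode.

Added example, not BMC's own tooling. The required-parameter sets below are
derived from the example files on this page and are an assumption, not an
official list from the installer.
"""
import re

REQUIRED_BY_MODE = {
    "STANDALONE_STRING": {
        "ATRIUMSSO_HOST_NAME", "ATRIUMSSO_COOKIE_DOMAIN",
        "ATRIUMSSO_TOMCAT_HTTPS_PORT", "ATRIUMSSO_SERVER_PASSWORD",
    },
    "FIRST_MEMBER_CLUSTER_STRING": {
        "ATRIUMSSO_HOST_NAME", "ATRIUMSSO_COOKIE_DOMAIN", "MEMBER_LOCATION",
        "LOAD_BALANCER_URL", "ATRIUMSSO_LDAP_PORT",
        "ATRIUMSSO_LDAP_REPLICATION_PORT",
    },
    "ADDITIONAL_MEMBER_CLUSTER_STRING": {
        "ATRIUMSSO_HOST_NAME", "ATRIUMSSO_COOKIE_DOMAIN", "MEMBER_LOCATION",
        "ATRIUMSSO_LDAP_PORT", "ATRIUMSSO_LDAP_REPLICATION_PORT",
    },
}
SECRET_KEYS = ("ATRIUMSSO_SERVER_PASSWORD", "ATRIUMSSO_SERVER_PASSWORD_2",
               "KEYSTORE_PASSWORD", "TRUSTSTORE_PASSWORD")
# The encrypted form the page's examples use: "DES\:" followed by hex digits.
ENCRYPTED = re.compile(r"^DES\\:[0-9a-fA-F]+$")

# Constructed sample (placeholder host names); the DES value is the one shown
# in the page's own examples.
SAMPLE_OPTIONS = r"""
-P installLocation=/opt/bmc/AtriumSSO
-A featureAtriumSSO
-J ATRIUMSSO_INSTALL_TOMCAT=false
-J ATRIUMSSO_TOMCAT_HTTPS_PORT=8443
-J ATRIUMSSO_SERVER_PASSWORD=DES\:097133405e7ea7a641f019bca8781280
-J ATRIUMSSO_SERVER_PASSWORD_2=DES\:097133405e7ea7a641f019bca8781280
-J ATRIUMSSO_COOKIE_DOMAIN=example.com
-J ATRIUMSSO_HOST_NAME=sso.example.com
-J USE_EXTERNAL_SCRIPTS=false
-J CLUSTER_MODE=STANDALONE_STRING
-J ATRIUMSSO_EXISTING_TOMCAT_DIRECTORY=/opt/apache-tomcat
-J KEYSTORE_PASSWORD=changeit
"""


def parse_options(text):
    """Split the -P / -A / -J lines into (installLocation, features, params)."""
    location, features, params = None, [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        flag, _, rest = line.partition(" ")
        key, _, value = rest.strip().partition("=")
        if flag == "-P":
            if key == "installLocation":
                location = value
        elif flag == "-A":
            features.append(rest.strip())
        elif flag == "-J":
            params[key] = value
        else:
            raise ValueError("unrecognised option line: " + line)
    return location, features, params


def check_options(text):
    """Return findings as strings; an empty list means nothing was flagged."""
    findings = []
    location, features, params = parse_options(text)
    if not location:
        findings.append("missing -P installLocation")
    if "featureAtriumSSO" not in features:
        findings.append("missing -A featureAtriumSSO")
    mode = params.get("CLUSTER_MODE", "STANDALONE_STRING")
    if mode not in REQUIRED_BY_MODE:
        findings.append("unknown CLUSTER_MODE " + mode)
    else:
        for key in sorted(REQUIRED_BY_MODE[mode] - set(params)):
            findings.append("%s requires %s" % (mode, key))
    host = params.get("ATRIUMSSO_HOST_NAME")
    domain = params.get("ATRIUMSSO_COOKIE_DOMAIN")
    if host and domain and not host.endswith("." + domain):
        findings.append("ATRIUMSSO_HOST_NAME is outside ATRIUMSSO_COOKIE_DOMAIN")
    if params.get("ATRIUMSSO_INSTALL_TOMCAT") == "false":
        # External Tomcat: the installer needs to know where it is and how
        # to control it (scripts, or a Windows service name).
        if "ATRIUMSSO_EXISTING_TOMCAT_DIRECTORY" not in params:
            findings.append("external Tomcat needs ATRIUMSSO_EXISTING_TOMCAT_DIRECTORY")
        if (params.get("USE_EXTERNAL_SCRIPTS") == "false"
                and "ATRIUMSSO_EXISTING_TOMCAT_SERVICE" not in params):
            findings.append("USE_EXTERNAL_SCRIPTS=false needs ATRIUMSSO_EXISTING_TOMCAT_SERVICE")
    pw = params.get("ATRIUMSSO_SERVER_PASSWORD")
    pw2 = params.get("ATRIUMSSO_SERVER_PASSWORD_2")
    if pw is not None and pw != pw2:
        findings.append("ATRIUMSSO_SERVER_PASSWORD and ATRIUMSSO_SERVER_PASSWORD_2 differ")
    for key in SECRET_KEYS:
        value = params.get(key)
        if value is None:
            continue
        if value == "changeit":
            findings.append(key + " is the well-known default 'changeit'")
        elif key.startswith("ATRIUMSSO_SERVER_PASSWORD") and not ENCRYPTED.match(value):
            findings.append(key + " is stored in clear text, not the DES\\: encrypted form")
    return findings


if __name__ == "__main__":
    for finding in check_options(SAMPLE_OPTIONS):
        print("WARN:", finding)
```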

6.9 Uninstalling BMC Atrium Single Sign-On


During installation, the uninstaller is installed with BMC Atrium Single Sign-On. Running the uninstaller removes
BMC Atrium Single Sign-On from the system.
Running the uninstaller on Windows (see page 117)
Running the uninstaller on Solaris or Linux (see page 117)
Invocation error during uninstallation (see page 118)

6.9.1 Running the uninstaller on Windows


To uninstall BMC Atrium Single Sign-On from a Microsoft Windows platform, use the Add or Remove Programs
option on the control panel.
1. From the control panel, select Add or Remove Programs.
2. Select BMC Atrium Single Sign-On in the list.
3. Click Change or Remove Programs once it is displayed.
This last action launches the uninstaller program.

Note
Because of varying Windows system dependencies, a reboot might be required to completely uninstall
BMC Atrium Single Sign-On.

6.9.2 Running the uninstaller on Solaris or Linux


To run the uninstaller on Oracle Solaris or Linux, the uninstaller must be launched from within a graphical
environment, for example, from the console or through an X-Windows server.
1. Change the working directory to the installation directory. The following is the default directory:
$ cd /opt/SSO

2. Run the UninstallAtriumSSO script.

$ ./UninstallAtriumSSO
If the GUI environment is properly set up, the uninstaller program launches and walks the user through the
steps to remove BMC Atrium Single Sign-On.

Important
Be sure to select the BMC Atrium Single Sign-On component, otherwise the uninstaller will
remove the server.

3. Manually delete the BMC Atrium Single Sign-On log file artifacts. These log files are left in the file system
regardless of the reboot.

6.9.3 Invocation error during uninstallation


If the GUI environment is incorrectly set up, an invocation error similar to the following occurs when you run the
uninstaller:

Invocation of this Java Application has caused an InvocationTargetException. This application will now
exit. (LAX)
Stack Trace:
java.awt.HeadlessException:
No X11 DISPLAY variable was set, but this program performed an operation which requires it.
at java.awt.GraphicsEnvironment.checkHeadless(Unknown Source)
at java.awt.Window.<init>(Unknown Source)
at java.awt.Frame.<init>(Unknown Source)
at java.awt.Frame.<init>(Unknown Source)
at javax.swing.JFrame.<init>(Unknown Source)
at com.zerog.ia.installer.LifeCycleManager.g(DashoA8113)
at com.zerog.ia.installer.LifeCycleManager.h(DashoA8113)
at com.zerog.ia.installer.LifeCycleManager.a(DashoA8113)
at com.zerog.ia.installer.Main.main(DashoA8113)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at com.zerog.lax.LAX.launch(DashoA8113)
at com.zerog.lax.LAX.main(DashoA8113)
This Application has Unexpectedly Quit: Invocation of this Java Application has caused an
InvocationTargetException. This application will now exit. (LAX)


7 Configuring after installation


When initially installed, BMC Atrium Single Sign-On is configured for immediate use. This default configuration
uses the internal data store as an authentication source. This configuration is suitable for demonstrations,
proof-of-concept deployments, testing, and other small deployment scenarios. However, for a large-scale
system, you should configure the use of an external user repository for authentication, such as an LDAP server.


To set up a method for authentication (see page 120)
SAMLv2 authentication (see page 121)
Predefined authentication module (see page 121)
User Profile panel (see page 122)
Authentication chaining (see page 122)
Authentication chaining flags (see page 122)
Where to go from here (see page 122)

7.1 To set up a method for authentication


To set up the LDAP / Active Directory, Kerberos, Certificate / CAC, RSA SecurId, AR, and Internal LDAP
authentication methods, you use the Realm Authentication panel on the BMC Realm.
1. On the BMC Atrium SSO Admin Console, click Edit BMC Realm.
2. On the Main tab (default), select a User Profile type.

Note
The User Profile applies to all authentication methods used for authentication.

3. In the Realm Authentication panel, click Add for a new authentication method and select the method.
Alternatively, if you want to edit an existing module, select the module and click Edit.
4. Provide the parameters for the method and Save.
5. Set the flag for the authentication method.
The following image displays the available authentication methods:


7.2 SAMLv2 authentication


In BMC Atrium Single Sign-On, SAMLv2 is implemented from the Federation panel in the BMC realm.

7.3 Predefined authentication module


To help with the configuration of BMC Atrium Single Sign-On, a predefined Internal LDAP authentication module
is provided. This predefined authentication module allows you to quickly configure your system. The Internal
LDAP authentication module uses the internal LDAP server as an authentication source in the authentication
chain and does not have parameters to configure.
When you select the Internal LDAP authentication module, it is added directly to the authentication chain without
invoking an editor. The module can't be edited (since it does not have parameters) but it can be moved in priority
and the authentication flag for it can be changed.
The internal LDAP server is shown in the User Stores panel with the name embedded and the type Internal LDAP.


7.4 User Profile panel


The User Profile panel allows you to set user profile parameters. Parameter options are: Ignored, Required, or
Dynamic.
In the User Profile panel, select either Dynamic or Ignored.
Dynamic: Specifies that a local Single Sign-On user profile is created after a successful authentication, if
it does not already exist.
Ignored: Specifies that no local Single Sign-On user profile is created or required for authentication.
Required: Specifies that a local Single Sign-On user profile with the same user ID is required for
authentication to be successful.

7.5 Authentication chaining


New chains can also be created if a complex authentication chain is needed. For more information about
authentication chains, see Managing authentication modules (see page 271).
The order of authentication is changed by selecting an authentication method and clicking Up or Down.

7.6 Authentication chaining flags


Each module allows you to specify the criteria for authentication processing. If you are implementing only one
authentication module instance, the flag must be set to Required. The criteria categories are Required, Requisite,
Sufficient, and Optional.
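What the four flags do to a chain is easiest to see by simulating one. The following is an added example, not BMC's code: it applies the standard JAAS control-flag semantics (which this page names but does not spell out, so they are an assumption here) to constructed chains, including the page's rule that a lone module must be Required and the AR module's usual Sufficient setting.

```python
"""Simulate how an authentication chain resolves under the Required,
Requisite, Sufficient and Optional flags.

Added example, not BMC's code. Semantics assumed to be the standard JAAS
control flags:
  Required   - must succeed; later modules still run either way
  Requisite  - must succeed; on failure the chain stops at once
  Sufficient - success ends the chain early unless an earlier
               Required/Requisite already failed; failure is ignored
  Optional   - result only matters when the chain has no
               Required/Requisite modules
"""

FLAGS = ("Required", "Requisite", "Sufficient", "Optional")


def evaluate_chain(chain, outcomes):
    """chain: ordered list of (module_name, flag).
    outcomes: module_name -> bool, whether that module accepted the user.
    Returns (authenticated, modules_invoked) so short-circuits are visible."""
    invoked = []
    required_failed = False
    soft_success = False
    has_required = any(flag in ("Required", "Requisite") for _, flag in chain)
    for name, flag in chain:
        if flag not in FLAGS:
            raise ValueError("unknown flag %r on module %s" % (flag, name))
        invoked.append(name)
        ok = bool(outcomes.get(name, False))
        if flag == "Required":
            # Remember the failure, but keep invoking the rest of the chain
            # (this is why a Sufficient module later cannot rescue it).
            required_failed = required_failed or not ok
        elif flag == "Requisite":
            if not ok:
                return False, invoked          # stop immediately
        elif flag == "Sufficient":
            if ok and not required_failed:
                return True, invoked           # enough; skip the rest
            soft_success = soft_success or ok
        else:                                  # Optional
            soft_success = soft_success or ok
    if required_failed:
        return False, invoked
    if has_required:
        return True, invoked                   # every Required/Requisite passed
    return soft_success, invoked               # only soft modules: one must pass


def check_chain_config(chain):
    """Configuration rules stated on this page, as a list of problems."""
    problems = []
    if not chain:
        problems.append("chain has no modules")
    elif len(chain) == 1 and chain[0][1] != "Required":
        problems.append("a single module must use the Required flag")
    return problems


if __name__ == "__main__":
    # Constructed chain: internal LDAP first, AR module marked Sufficient.
    chain = [("Internal LDAP", "Sufficient"), ("AR", "Sufficient")]
    print(evaluate_chain(chain, {"Internal LDAP": False, "AR": True}))
    print(check_chain_config([("AR", "Sufficient")]))
```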

7.7 Where to go from here


The following topics provide information and instructions associated with configuration methods used with BMC
Atrium Single Sign-On:
Using AR for authentication
Using CAC for authentication
Using Kerberos for authentication (see page 132)
Using LDAP (Active Directory) for authentication
Using RSA SecurID for authentication
Using SAMLv2 for authentication

7.8 Using AR for authentication


The AR System Data Store plug-in allows group information associated with BMC Remedy AR System server users
to be retrieved and provided to BMC products. The AR authentication module and the AR user store are designed
to be used together because the user store provides additional information for users authenticated against the
AR System server.

Note
The AR user store provides read-only access to the user information stored in AR System server and
read-only access to user and group lists and memberships.

Before you begin (see page 123)
To configure an AR module (see page 123)
To configure an AR user store (see page 124)

7.8.1 Before you begin


Ensure that the AR System Data Store plug-in is installed.
Ensure that you have the server location and an administrator account, since they are required to configure
the AR user store.

Note
User management functionality, assigning group information that is retrieved from the AR System server
to users that exist in another data store (for example, the internal data store), and saving changes
involving information retrieved from the AR System server are not available.

7.8.2 To configure an AR module


1. On the BMC Atrium SSO Admin Console, click Edit BMC Realm.
2. On the Main tab (default), select a User Profile type.

Note
The User Profile applies to all authentication methods used for authentication.

3. In the Realm Authentication panel, click Add for a new authentication method and select the method.
Alternatively, if you want to edit an existing module, select the module and click Edit.
4. Provide the parameters for the method and Save.
5. Set the flag for the authentication method.


Important
For the AR module, the flag is set to Sufficient.

When adding or editing an AR module, the following options are available:


Save to save your modifications.
Reset to remove your modifications and stay on the editor.
Help launches a browser that provides you with online help.
Cancel to cancel and return to the launch page.
Parameters and descriptions:

Server Host Name: (Required) Provide the Fully Qualified Domain Name (FQDN) for the server where the AR System server is located. The full host name includes the domain name (bmc.com) of the computer and the individual name of the server (yourServer).

Server Port Number: (Required) AR Server Port Number is the port on which the AR System server is listening. Note: Enter a value of 0 if the AR System server is using port mapping.

Default Authentication String: This string is only used when the AR module is placed downstream in a chain from another authentication module that prompts the user only for a name and password. In this situation, the value of this parameter is used to authenticate the user by re-using the credentials provided by the user along with this authentication string.

Allow AR Guests: If enabled, allows unknown or invalid users to authenticate to the AR System server as guests.

7.8.3 To configure an AR user store


Info
Note the following points before you configure an AR user store:
If you are using a persistent NameID element, you cannot define an AR User Store. You must use a
transient NameID element to define an AR User Store.
Existing profiles within the embedded LDAP User Store should be deleted before adding the AR
User Store.

1. Log on to the BMC Atrium SSO Admin Console.


2. Click Edit BMC Realm.
3. On the User Store panel, click Add to create a new AR user store.
Alternatively, if you want to edit an existing AR user store, select the user store and click Edit.
4. Select AR User Store.


5. Provide the configuration parameters (see page ) for the AR user store.
6. Click Save.
The AR User Store Editor is used for both editing an existing user store's parameters and for creating a new AR
user store. The AR User Store Editor has the following options:
Save to save your modifications
Reset to remove your modifications and stay on the LDAP page.
Back to Data Stores to navigate back to the Authentication tab.
After configuration is finished, the data store is immediately available to provide group information to users who
are authenticating with the AR authentication module.
Parameters and descriptions, by section:

Name: Label for the AR user store.

AR Server Host

Host Name: (Required) Provide the Fully Qualified Domain Name (FQDN) for the server where the AR System server is located. The full host name includes the domain name (bmc.com) of the computer and the individual name of the server (yourServer). Replace the default value (sample.bmc.com) with the host name of your server (for example, yourServer.bmc.com).

Port: (Required) Default: 0. Provide the port number where the AR Server is listening. The value of 0 is used when the AR Server is using port mapping.

Administrative Access

Name: (Required) Provide the user name of an AR Server user store account that has AR System Administrator privileges. Empty or blank passwords for this internal user are not supported with a new user store.

Authentication: Provide the authentication string that is needed when the Administrator account is used to connect with the AR System server.

Password and Confirm Password: Password for the AR System administrative user of the AR Server user store account (for example, admin).

Connection Pool

Linger Time (seconds): (Required) Default: 60. Linger Time is the amount of time (in milliseconds) that a connection is allowed to remain unused in the pool before being closed.

Pool size: (Required) Default: 10. The Pool Size is the maximum number of connections the data store uses to service data requests for the AR System server.

For more information about common problems, see Troubleshooting AR authentication (see page 320).


7.9 Using CAC for authentication


BMC Atrium Single Sign-On supports Common Access Card (CAC) authentication. Acquiring CACs and the
Department of Defense (DoD) Certificate Authority (CA) certificates, and installing and configuring card readers
and their middleware software, are beyond the scope of this document. The administrator who is configuring
BMC Atrium Single Sign-On for CAC authentication is assumed to be familiar with these topics.

7.9.1 CAC certificate usage


In order for CAC authentication to function, the BMC Atrium Single Sign-On server must be prepared with the
signer certificates of the identity certificates that clients present to the server for authentication.
The certificate for the Issuer must be imported into the BMC Atrium Single Sign-On server's truststore before the
clients can send their certificates. The server provides a list of certificates that it trusts. When a request is
received for a client certificate and there are multiple trusted certificates available, you can select the certificate
that you want to use.
For example, when Firefox receives a request for a client certificate and multiple trusted certificates are provided
by the list sent from the server, a User Identification Request popup is displayed which allows the user to select a
certificate.

Note
For a single user test, the user's certificate (the certificate signed by the Issuer) could be imported into
the truststore. However, if this method is used, then every user's certificate must be imported into the
truststore.

Certificate signed by the Issuer


For example, the following certificate is signed by the Issuer (C=TX, O="BMC Software, Inc.", CN=AtriumSSO):

Owner: C=TX, O="BMC Software, Inc.", OU=AtriumSSO, CN=GoodSSO


Issuer: C=TX, O="BMC Software, Inc.", CN=AtriumSSO
Serial number: 56acad6af0be9e08
Valid from: Sun Feb 20 17:04:30 CST 2011 until: Tue Feb 19 17:04:30 CST 2013
Certificate fingerprints:
MD5: 4A:D6:7C:82:E4:2F:18:0B:8C:48:72:50:E2:56:02:5F
SHA1: 96:9E:6F:DD:A1:41:9C:F5:BD:4A:CC:9E:8B:79:41:6E:4C:A2:C9:69
Signature algorithm name: SHA1withRSA
Version: 3


Certificate for the Issuer


For example, the following certificate is the certificate for the Issuer:

Owner: C=TX, O="BMC Software, Inc.", CN=AtriumSSO


Issuer: C=TX, O="BMC Software, Inc.", CN=AtriumSSO
Serial number: 49b6786d72bb8c34
Valid from: Thu Oct 15 16:01:31 CDT 2009 until: Thu Apr 21 16:01:31 CDT 2016
Certificate fingerprints:
MD5: 81:85:78:CD:80:6A:C1:55:09:7A:FB:79:35:9F:06:5C
SHA1: 0D:2B:E2:90:ED:9E:24:39:19:B0:93:2F:15:87:3C:8D:F6:D0:03:3D
Signature algorithm name: SHA1withRSA
Version: 3

7.9.2 To set up CAC to use for authentication


BMC Atrium Single Sign-On supports using CACs through the ActivClient software from ActivIdentity. See the
ActivClient documentation for the configuration steps needed for clients to use CACs, card readers, and browser
setup.
1. Modify the Tomcat server (see page 127)
2. Import DoD CA certificates (see page 128)
3. Set up CAC certificates (see page 129)
4. If using OCSP, enable OCSP for the server (see page 131)

7.9.3 Modify the Tomcat server


Before setting up CAC authentication, the Tomcat server hosting the BMC Atrium Single Sign-On application
must be configured to ask clients for certificates and the Tomcat server's truststore must be set up with the root
certificates for the CACs and the Online Certificate Status Protocol (OCSP) server.

To modify the Tomcat server


1. Stop the BMC Atrium Single Sign-On Tomcat server.
2. Edit the following file:
<installationDirectory>/BMC Software/BMC Atrium SSO/tomcat/conf/server.xml
3. Search the file to find the Connector definition used to configure the server's HTTP and HTTPS
communications. The tag is similar to the following:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
    maxThreads="150" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLS"
    keystoreFile="C:\Program Files\BMC Software\BMC Atrium SSO\tomcat\conf\keystore"
    keystorePass="internal4bmc"
    truststoreFile="C:\Program Files\BMC Software\BMC Atrium SSO\tomcat\conf\cacerts.p12"
    truststorePass="changeit" />

4. Change the clientAuth attribute from "false" to "want":

clientAuth="want"

The clientAuth attribute enables Tomcat to ask for client certificates.

Important
Do not set the clientAuth attribute to "true" because this setting breaks certain BMC Atrium
SSO-to-Agent communications.

After the change, the Connector tag is similar to the following:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
    maxThreads="150" scheme="https" secure="true"
    clientAuth="want" sslProtocol="TLS"
    keystoreFile="C:\Program Files\BMC Software\BMC Atrium SSO\tomcat\conf\keystore.p12"
    keystorePass="internal4bmc"
    truststoreFile="C:\Program Files\BMC Software\BMC Atrium SSO\tomcat\conf\cacerts.p12"
    truststorePass="changeit" />
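Since both wrong values of clientAuth fail quietly (with "false" CAC logon simply never happens, with "true" Agent communication breaks), a post-edit check of server.xml is worth scripting. The following is an added example, not BMC's code: it reads the SSL-enabled Connector, reports any clientAuth other than "want", and also flags a truststore that still uses the default password. The sample server.xml and its paths are constructed placeholders.

```python
"""Audit the HTTPS Connector in a Tomcat server.xml for CAC readiness.

Added example, not BMC's code. Only the settings this page discusses are
checked; the sample document below is constructed with placeholder paths.
"""
import xml.etree.ElementTree as ET

SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="/placeholder/tomcat/conf/keystore.p12"
               keystorePass="PLACEHOLDER_KEYSTORE_PASSWORD"
               truststoreFile="/placeholder/tomcat/conf/cacerts.p12"
               truststorePass="changeit" />
  </Service>
</Server>
"""


def ssl_connectors(root):
    """Every Connector element with SSLEnabled="true", in document order."""
    return [c for c in root.iter("Connector")
            if c.get("SSLEnabled", "false").lower() == "true"]


def audit_connectors(xml_text):
    """Return a list of findings; an empty list means the Connector is ready."""
    findings = []
    root = ET.fromstring(xml_text)
    connectors = ssl_connectors(root)
    if not connectors:
        return ["no SSLEnabled Connector found"]
    for conn in connectors:
        port = conn.get("port", "?")
        # Tomcat treats a missing clientAuth as "false".
        mode = conn.get("clientAuth", "false").lower()
        if mode == "true":
            findings.append('port %s: clientAuth="true" breaks BMC Atrium '
                            'SSO-to-Agent communication; use "want"' % port)
        elif mode != "want":
            findings.append('port %s: clientAuth="%s" never requests a client '
                            'certificate, so CAC logon cannot work; use "want"'
                            % (port, mode))
        if not conn.get("truststoreFile"):
            findings.append("port %s: no truststoreFile, so there is no "
                            "truststore to hold the DoD CA certificates" % port)
        if conn.get("truststorePass") == "changeit":
            findings.append('port %s: truststorePass is the well-known '
                            'default "changeit"' % port)
    return findings


if __name__ == "__main__":
    for finding in audit_connectors(SAMPLE_SERVER_XML):
        print("WARN:", finding)
```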

7.9.4 Import DoD CA certificates


The DoD CA certificates appropriate for your CACs must be imported into the BMC Atrium Single Sign-On
server's truststore before using CAC for authentication. Importing the certificates allows the server to send the
appropriate query to the client to return the correct certificate. Refer to the documentation from the supplier of
your CACs for the location where the current root certificates can be acquired.
The server's truststore (named cacerts.p12) is located in <installationDirectory>/BMC Software/BMC Atrium
SSO/tomcat/conf. The following instructions use the Oracle keytool utility to import the certificate, but another
tool could also be used.

7.9.5 To import certificates

1. Add the bin directory to the PATH environment variable.
When BMC Atrium Single Sign-On is installed with its own Tomcat server, a JDK is installed with the server.
When using this JDK, the DoD certificate can be imported into the server's truststore by using the keytool
command (keytool.exe on Windows), located within the JDK's bin directory. This bin directory needs to be
added to the PATH environment variable if it is not already a part of that variable.
2. To add the location, run the following command:
(UNIX) export PATH=<installationLocation>/BMC Software/BMC Atrium SSO/jdk/bin:$PATH
(Microsoft Windows) set PATH=<installationLocation>\BMC Software\BMC Atrium SSO\jdk\bin;%PATH%
3. Copy the DoD CA certificate file into the following directory:
<installationDirectory>/BMC Software/BMC Atrium SSO/tomcat/conf
4. Use the keytool utility to import the certificate into the truststore using the following parameters:
keytool -importcert -keystore cacerts.p12 -file DOD_CA19.cer -alias DOD_CA19 -storetype PKCS12 -providername JsafeJCE

Note
In this example, the certificate file name, DOD_CA19.cer, may not be appropriate for your use.

5. Enter the password (Default: changeit).
6. Accept the certificate at the prompt.
7. If SSL is used to communicate with an external LDAP server, import that server's certificate into the
truststore.
Use the keytool utility to import the LDAP server's certificate into the BMC Atrium Single Sign-On
truststore.
If the LDAP server requires a client certificate, export the BMC Atrium Single Sign-On certificate and
import it into the LDAP server's truststore before enabling CAC authentication.
If CA-signed certificates are used for LDAPS, import the CA-signed certificate and any intermediate
signing certificates into the truststores instead.
8. If you plan to use OCSP for authentication, import the OCSP responder certificate into the BMC Atrium
Single Sign-On truststore with the alias AtssoOCSP.
9. Restart the Tomcat server.

7.9.6 Set up CAC certificates

This topic provides instructions for setting up CAC certificates to use for CAC authentication.

To set up CAC certificates


1. On the BMC Atrium SSO Admin Console, click Edit BMC Realm.
2. On the Main tab (default), select a User Profile type.

Note
The User Profile applies to all authentication methods used for authentication.

3. In the Realm Authentication panel, click Add for a new authentication method and select the method.
Alternatively, if you want to edit an existing module, select the module and click Edit.
4. Provide the parameters for the method and Save.
5. Set the flag for the authentication method.

Note
You can provide parameter information for OCSP authentication, CRL authentication, or both. BMC does
not recommend using the CRL approach due to the performance load experienced with the
ever-increasing length of CRL lists.

CAC certificate parameters

When adding or editing a CAC certificate module, the following options are available:
Save to save your modifications.
Reset to remove your modifications and stay on the editor.
Help launches a browser that provides you with online help.
Cancel to cancel and return to the launch page.

Field | Parameter | Description
- | Name | Name for the Certificate and CAC authentication.
- | Use OCSP | Click Use OCSP in order to use the OCSP responder. BMC recommends that you use OCSP for validation. Note: The clock skew between the BMC Atrium Single Sign-On server and the OCSP server must not be greater than 15 minutes. Otherwise, the certificate authentication fails. See Clock skew too great for CAC authentication (see page 331).
- | Certificate Field for User Profile | Select one of the options. Options are Subject CN (Common Name attribute of the Subject DN), Subject DN (Distinguished Name), Subject UID (UID attribute of the Subject DN), Email, None, Other.
Forwarded Certificates | - | When running behind a load balancer or reverse proxy, verification of ownership of the private key is not possible through the SSL/TLS connection. Because of this verification restriction, the BMC Atrium Single Sign-On server requires that the fronting server be listed as a trusted host from which forwarded certificates can be trusted.
Forwarded Certificates | Forwarded Certificate List | This is the list of trusted host names that you add via the Trusted Host Name field. To delete a certificate, select the trusted host name and click Remove.
Forwarded Certificates | Trusted Host Name | Enter the name of a host from which a forwarded certificate can be trusted.
Forwarded Certificates | Certificate HTTP Header Name | Enter the name of the HTTP header that the forwarded certificate can be passed under.
Certificate Revocation Lists (CRL) | Use CRL | Select Use CRL to use a Certificate Revocation List (CRL). Note: BMC does not recommend using the CRL approach due to the performance load experienced with the ever-increasing length of CRL lists.
Certificate Revocation Lists (CRL) | LDAP Server Where Certificates are Stored | Provide the Host and Port for the LDAP server where the certificates are stored. The host name must end with a colon followed by the port number for the LDAP server.
Certificate Revocation Lists (CRL) | LDAP Start Search DN | Enter the DN of the node at which the search within the LDAP server starts. To connect with the LDAP server, you must have sufficient privileges to perform the search.
Certificate Revocation Lists (CRL) | LDAP Server Password, Confirm LDAP Server Password | Provide and confirm the password for connecting with the LDAP server.
Certificate Revocation Lists (CRL) | Check CA with CRL | When verifying a certificate, the CA certificate used to sign the certificate can also be verified in the CRL.
Certificate Revocation Lists (CRL) | Use SSL/TLS | If you are using SSL, the LDAP server certificate must be imported into the BMC Atrium Single Sign-On truststore so that SSL can connect with the LDAP server.
Certificate Revocation Lists (CRL) | Trusted Certificates | Browse on your desktop to upload the trusted certificates file. Once uploaded, the file appears in the trusted certificates list. You can also select the file and click Remove to remove the file.
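The following Python is an added illustration, not BMC's code, of how the Certificate Field for User Profile options map a CAC subject to the value looked up in the user store. The DN parser (parse_dn), the selector (profile_identifier) and the sample subject are all constructed here; the san_email parameter stands in for the certificate's subjectAltName rfc822Name, which a real implementation reads from the certificate itself.

```python
"""Select the user-profile identifier from a CAC certificate subject.

Added illustration, not BMC's implementation: models the "Certificate Field
for User Profile" options (Subject CN, Subject DN, Subject UID, Email, None)
on a subject DN given in RFC 4514 string form.
"""
from typing import Dict, List, Optional, Tuple


def _split_rdn(rdn: str) -> Tuple[str, str]:
    """Split 'ATTR=value' into (ATTR, value); the attribute is upper-cased."""
    attr, sep, value = rdn.partition("=")
    if not sep or not attr.strip():
        raise ValueError(f"malformed RDN: {rdn!r}")
    return attr.strip().upper(), value.strip()


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 4514 DN string into (attribute, value) pairs.

    Handles backslash escapes, so '\\,' inside a value (an organisation
    name such as "Example Corp\\, Inc.") is not taken as an RDN separator.
    Multi-valued RDNs joined with '+' are not split, because none of the
    selectable options above refers to them.
    """
    rdns: List[Tuple[str, str]] = []
    buf: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append(_split_rdn("".join(buf)))
            buf = []
        else:
            buf.append(ch)
    if escaped:
        raise ValueError("dangling escape at end of DN")
    rdns.append(_split_rdn("".join(buf)))
    return rdns


def profile_identifier(subject_dn: str, option: str,
                       san_email: Optional[str] = None) -> Optional[str]:
    """Return the value that would be looked up in the user store.

    option is one of "Subject CN", "Subject DN", "Subject UID", "Email" or
    "None".  A missing field yields None; a caller must treat that as
    "no user", never as a wildcard match.  san_email stands in for the
    certificate's subjectAltName rfc822Name, which a real implementation
    reads from the certificate itself.
    """
    if option == "None":
        return None
    by_attr: Dict[str, str] = {}
    for attr, value in parse_dn(subject_dn):      # also validates the DN
        by_attr.setdefault(attr, value)           # first occurrence wins
    if option == "Subject DN":
        return subject_dn
    if option == "Subject CN":
        return by_attr.get("CN")
    if option == "Subject UID":
        return by_attr.get("UID")
    if option == "Email":
        # Prefer the SAN e-mail; fall back to an emailAddress (E) RDN.
        return san_email or by_attr.get("EMAILADDRESS") or by_attr.get("E")
    raise ValueError(f"unknown option: {option!r}")


# Constructed sample subject, not a real CAC; note the escaped comma in O.
SAMPLE_DN = ("CN=DOE.JOHN.A.1234567890,OU=CONTRACTOR,OU=PKI,OU=DoD,"
             "O=Example Corp\\, Inc.,C=US")

if __name__ == "__main__":
    for opt in ("Subject CN", "Subject UID", "Email", "Subject DN", "None"):
        print(f"{opt:11s} -> {profile_identifier(SAMPLE_DN, opt)!r}")
```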

7.9.7 If using OCSP, enable OCSP for the server

If you plan to use OCSP for authentication, enable OCSP for the server.
1. Verify that the OCSP responder certificate was imported into the BMC Atrium Single Sign-On truststore.
2. On the BMC Atrium SSO Admin Console, click Edit Server Configuration.
3. In the Online Certificate Status Protocol field, select Enable OCSP and provide the server URL.
4. Click Save.

7.9.8 Where to go from here

Administering (see page 263) for information about authentication, users, and groups.

7.9.9 Related topics

Troubleshooting CAC authentication (see page 326)

7.10 Using Kerberos for authentication

Kerberos is a network authentication protocol that is designed to provide strong authentication for client/server
applications by using strong cryptography so that a client can prove its identity to a server (and vice versa) across
an insecure network connection. This topic contains the following information:
Configuring Kerberos video (see page 133)
Before you begin (see page 133)
To set up Kerberos to use for authentication (see page 133)
Where to go from here (see page 133)

7.10.1 Configuring Kerberos video

Click the following BMC Atrium Single Sign-On 8.1 Kerberos configuration video for more information:
Watch video on YouTube at http://www.youtube.com/watch?v=Deo2od9ePRg

7.10.2 Before you begin

Before using Kerberos for authentication, a service principal for the BMC Atrium Single Sign-On server must be
added to the realm. This service principal is used by clients to request a service ticket when authenticating. The
service principal name is based on the host name of the server running BMC Atrium Single Sign-On.
To use Kerberos authentication with Active Directory (AD) installed on a Windows 2008 machine, upgrade
Windows 2008 to SP2 (at least) or apply the Hotfix for Windows (KB951191). In addition, the identity used for the
service principal cannot be the computer identity hosting the Atrium SSO service.

Note
Kerberos authentication cannot be used to authenticate clients from the same computer where BMC
Atrium Single Sign-On is installed.

7.10.3 To set up Kerberos to use for authentication

1. Generating a keytab for the service principal and mapping the Kerberos service name (see page 134)
2. Configuring the Kerberos module
3. Reconfiguring your browser (see page 138)
For information about troubleshooting issues with Kerberos, see Troubleshooting Kerberos authentication (see
page 333).

7.10.4 Where to go from here

For information about managing users, user groups, and authentication modules, see Administering (see
page 263).
For information about troubleshooting issues with Kerberos, see Troubleshooting Kerberos authentication
(see page 333).

7.10.5 Generating a keytab for the service principal and mapping the Kerberos service name

After the accounts for the service principals are created, a keytab file must be generated. This file contains
sensitive information used by the BMC Atrium Single Sign-On servers when working with the Key Distribution
Center (KDC) and Active Directory (AD). For Kerberos, the ktadd command is used to add the sensitive
information to the keytab file and to map the Kerberos service name to the Active Directory identity.

Note
Anyone with read permissions to a keytab file can use all of the keys it contains. Permissions must be
restricted and monitored on the keytab files that you create.

To generate a keytab file for the service principal and map the Kerberos service name
1. In the Active Directory server, run the ktpass command.
2. Map additional SPNs to the Kerberos identity using setspn.exe.
3. Copy the generated keytab file to the BMC Atrium Single Sign-On server host.

ktpass command syntax

By running the ktpass command, you generate a keytab file and create a mapping that associates the Kerberos
service name with the identity in Active Directory.
ktpass /out <file> /mapuser <user> /princ HTTP/<host>@<DOMAIN> /pass <password> /ptype KRB5_NT_PRINCIPAL /Target <DOMAIN> /kvno 0
In this case:
<file> is the name of the keytab file that you are generating.
<user> is the user name of the identity for the Atrium SSO service.
<host> is the fully qualified domain name of the host including the internet domain (FQDN).
<password> is the password for the principal account.
<DOMAIN> is the Active Directory domain name.

Note
The host name can also be modified through the hosts file. If you modified the host name
through the hosts file, the browser and the system might need to be rebooted for the name
change to take effect.
The internet domain and Active Directory domain are different domains. The internet domain is
used to form a hierarchy of computer names for mapping a computer name to a host address.
The Active Directory (AD) domain is used for grouping users for authentication purposes and
maps to a Kerberos realm.

The principal name is case-sensitive. By convention:
Kerberos realms (and AD Domains) are written in uppercase.
Host names are written in lowercase.
Database lookups are case-sensitive.

Important
The case-sensitive constraint means that the principal names expressed in the mappings must be written
using the same case as those returned by a domain name lookup. The Active Directory is not
case-sensitive while MIT Kerberos is case-sensitive.

setspn.exe command syntax

The setspn.exe utility program allows manipulation of SPNs within Active Directory. Multiple SPNs may need to be
mapped to the Atrium SSO identity, depending upon the network configuration and whether running in HA mode
behind a load balancer. Please refer to the Microsoft documentation for further details.
To add a new SPN, use the following command syntax:
setspn.exe -S <serviceclass>/<host>[:<port>] <account name>
In this case:
<serviceclass> is always HTTP for the Atrium SSO SPN.
<host> is the fully qualified name of the host where the Atrium SSO server is running.
<port> is the port that Atrium SSO is using.
<account name> is the name of the user identity for the Atrium SSO service.
To check for duplicate SPNs, use the following command syntax:
setspn.exe -X
This command uses a lot of memory when scanning a large Active Directory database.

ktpass and setspn.exe command example

C:\>ktpass /out ssohost.keytab /princ HTTP/sample-host.bmc.com@DOMAIN.COM /ptype KRB5_NT_PRINCIPAL /kvno 0 /mapuser atriumsso

This example also illustrates the best practice for the case of the components of the SPN:
HTTP - all uppercase
Host name - all lowercase
Domain name - all uppercase
In addition, note that the user name does not contain any spaces.
While the example does provide the identity that the SPN is going to be mapped to, the setspn.exe command
should also be executed to provide a complete mapping.

C:\>setspn.exe -A HTTP/sample-host.bmc.com@DOMAIN.COM atriumsso

The setspn.exe command should map the above SPN using the Fully Qualified Domain Name (FQDN) of the Atrium SSO
server, and an additional SPN using just the host name. In other words, the following SPNs should be mapped:
HTTP/sample-host.bmc.com@DOMAIN.COM
HTTP/sample-host@DOMAIN.COM

Important
When running in HA mode behind a load balancer, the name of the load balancer should be used instead
of the Atrium SSO server name.

A delay occurs in AD when changes to identities are made. Altering the mapped SPNs can take about 15 minutes
before the mappings are pushed out to the affected systems. This delay means that it will take some time after
updating the identity SPNs before a login test can be performed.
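As an added example (not part of the BMC or Microsoft documentation), this Python applies the SPN case conventions above and derives the two SPNs that setspn.exe should map, substituting the load balancer name in HA mode; it also assembles the ktpass line from the checked parts. The function names (required_spns, check_spn, ktpass_command) are assumptions; the host and realm values follow the page's example.

```python
"""Build and check the SPNs for the Atrium SSO Kerberos service principal.

Added illustration, not BMC's or Microsoft's code. It applies the case
conventions described above (service class and realm uppercase, host name
lowercase, no spaces) and derives the two SPNs that setspn.exe should map,
using the load balancer's name instead of the server's in HA mode.
"""
import re
from typing import List, Optional, Tuple

# Lowercase DNS labels with at least one dot: the input must be an FQDN.
_FQDN_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")
_SPN_RE = re.compile(r"^([^/]+)/([^@]+)@(.+)$")


def normalize_spn_parts(fqdn: str, realm: str) -> Tuple[str, str]:
    """Return (host, REALM) in conventional case, rejecting malformed input."""
    host = fqdn.strip().lower()
    if not _FQDN_RE.match(host):
        raise ValueError(f"not a fully qualified host name: {fqdn!r}")
    rlm = realm.strip().upper()
    if not rlm or any(c.isspace() for c in rlm):
        raise ValueError(f"invalid realm: {realm!r}")
    return host, rlm


def required_spns(fqdn: str, realm: str,
                  lb_fqdn: Optional[str] = None) -> List[str]:
    """SPNs to map to the Atrium SSO identity: FQDN form and short-host form.

    lb_fqdn is the load balancer name; when given (HA mode) it replaces the
    server's own name, as the Important note above requires.
    """
    host, rlm = normalize_spn_parts(lb_fqdn or fqdn, realm)
    short_host = host.split(".", 1)[0]
    return [f"HTTP/{host}@{rlm}", f"HTTP/{short_host}@{rlm}"]


def check_spn(spn: str) -> List[str]:
    """Return the convention violations found in spn (empty list = OK)."""
    match = _SPN_RE.match(spn)
    if not match:
        return ["SPN must have the form SERVICE/host@REALM"]
    service, host, realm = match.groups()
    problems = []
    if service != "HTTP":
        problems.append(f"service class must be HTTP, got {service!r}")
    if host != host.lower():
        problems.append(f"host name must be lowercase: {host!r}")
    if realm != realm.upper():
        problems.append(f"realm must be uppercase: {realm!r}")
    if " " in spn:
        problems.append("SPN must not contain spaces")
    return problems


def ktpass_command(keytab: str, account: str, fqdn: str, realm: str) -> str:
    """Assemble the ktpass line from checked parts.

    /pass is deliberately left out so the secret is not embedded in a
    script; supply it as the syntax section above shows.
    """
    host, rlm = normalize_spn_parts(fqdn, realm)
    if not account or " " in account:
        raise ValueError("account name must be non-empty and contain no spaces")
    return (f"ktpass /out {keytab} /mapuser {account} /princ HTTP/{host}@{rlm} "
            f"/ptype KRB5_NT_PRINCIPAL /Target {rlm} /kvno 0")


if __name__ == "__main__":
    # Constructed input; sample-host.bmc.com and DOMAIN.COM follow the page.
    for spn in required_spns("Sample-Host.bmc.com", "domain.com"):
        print(spn, "OK" if not check_spn(spn) else check_spn(spn))
    print(ktpass_command("ssohost.keytab", "atriumsso",
                         "sample-host.bmc.com", "DOMAIN.COM"))
```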

7.10.6 Configuring the Kerberos module

This topic provides instructions for configuring the Kerberos module.

To configure the Kerberos module

1. On the BMC Atrium SSO Admin Console, click Edit BMC Realm.
2. On the Main tab (default), select a User Profile type.

Note
The User Profile applies to all authentication methods used for authentication.

3. In the Realm Authentication panel, click Add for a new authentication method and select the method.
Alternatively, if you want to edit an existing module, select the module and click Edit.
4. Provide the parameters for the method and Save.
5. Set the flag for the authentication method.

Important
Restart the BMC Atrium Single Sign-On server after configuring the Kerberos module.

Kerberos configuration parameters

When adding or editing a Kerberos module, the following options are available:
Save to save your modifications.
Reset to remove your modifications and stay on the editor.
Help launches a browser that provides you with online help.
Cancel to cancel and return to the launch page.

Parameter | Description
Service Principal | The Kerberos principal that is used for authentication. The service principal is used by clients to request a service ticket when authenticating. The service principal name is based on the host name of the server running BMC Atrium Single Sign-On.
Keytab File Name | The Kerberos keytab file that is used for authentication; takes the absolute path to the keytab file. The keytab file contains the password for the service principal.
Kerberos Realm | The KDC domain name.
KDC Server | The KDC host name. You must enter the fully qualified domain name (FQDN) of the domain controller.
UserId Format | The following parameters are used. Use Domain Name with Principal: If this check box is selected, the service allows BMC Atrium Single Sign-On to automatically use the Kerberos principal with the domain controller's domain name during authentication. Forced character case: Allows you to select the character case you want for your user ID. You can choose any of the three options: No change, UPPERCASE and lowercase. The UserId is displayed in the selected format in the user store.
Return UserId to User Store | If this check box is selected, the user store searches use the original UserId instead of the value modified by the UserId Format parameter. For example, the userid from the authentication could be atsso\abcxyz but the value abcxyz will be used to search the user store.

7.10.7 Reconfiguring your browser

This topic provides instructions for reconfiguring your browser for Kerberos.

To reconfigure Internet Explorer

Your Internet Explorer must be version 7 or greater. The following instructions are for Internet Explorer 8.
1. Navigate to Tools > Internet Options > Advanced.
2. On the Advanced tab and in the Security section, select the Enable Integrated Windows Authentication
option (requires restart).
3. On the Security tab, select Local Intranet.
4. Click Custom Level.
5. In the User Authentication/Logon section, select Automatic logon only in Intranet zone.
6. Click OK.
7. Click Sites and select all of the options (default).
8. From the Sites popup, click Advanced and add the Access Manager web site to the local zone (the website
might be already added). For example, sample.bmc.com.
9. Click Add.
10. Click OK for all of the pop-ups.

To reconfigure Firefox
1. Enter the following URL: about:config
2. Click I'll be careful, I promise!
3. Double-click the Preference Name: network.negotiate-auth.trusted-uris
4. Add the Fully Qualified Domain Name (FQDN) of the host, for example, sample.bmc.com.
5. Click OK.

7.11 Using LDAP (Active Directory) for authentication

BMC Atrium Single Sign-On provides support for using external Lightweight Directory Access Protocol (LDAP)
servers for authentication. Support for LDAP also includes using external Active Directory (AD) servers for
authentication. The Active Directory authentication must be configured for the enterprise environment.
Before you begin (see page 139)
To set up LDAP (AD) for authentication (see page 139)
LDAP (AD) parameters (see page 139)
Where to go from here (see page 141)

7.11.1 Before you begin

If you plan to enable SSL access, import the certificates and restart the Tomcat server before setting up LDAP
(AD) authentication. See Managing keystores with a keytool utility (see page 239) for more information.

7.11.2 To set up LDAP (AD) for authentication


1. On the BMC Atrium SSO Admin Console, click Edit BMC Realm.
2. On the Main tab (default), select a User Profile type.

Note
The User Profile applies to all authentication methods used for authentication.

3. In the Realm Authentication panel, click Add for a new authentication method and select the method.
Alternatively, if you want to edit an existing module, select the module and click Edit.
4. Provide the parameters for the method and Save.
5. Set the flag for the authentication method.

Note
If you enabled SSL Access to the LDAP Server, import the certificates and restart the Tomcat server
before enabling LDAP authentication. See Managing keystores with a keytool utility (see page 239) for
more information.

7.11.3 LDAP (AD) parameters

When adding or editing an LDAP module, the following options are available:
Save to save your modifications.
Reset to remove your modifications and stay on the editor.
Help launches a browser that provides you with online help.
Cancel to cancel and return to the launch page.

Field | Parameter | Description
Primary LDAP Server | Name | (Required) Enter the host's Fully Qualified Domain Name (FQDN) for the primary LDAP server.
Primary LDAP Server | Port | If the LDAP server is not listening on the default port (389), specify the port number.
Primary LDAP Server | Use SSL | (Optional) Enable to use SSL to connect to the LDAP servers. In addition, before communications can be established, the certificates for the LDAP servers (primary and secondary) must be imported into the BMC Atrium Single Sign-On Tomcat truststore. For more information on importing certificates into the BMC Atrium Single Sign-On truststore, see Importing a certificate into the truststore (see page 243). If the remote LDAP server requires client authentication for SSL, the BMC Atrium Single Sign-On server's certificate might need to be imported into the LDAP server's truststore. Note: If you enabled SSL Access to the LDAP Server, import the certificates and restart the Tomcat server before enabling LDAP authentication. See Managing keystores with a keytool utility (see page 239) for more information.
Secondary LDAP Server | Name | The secondary LDAP server is only used when the primary server is not available. It is not used in parallel or when a user fails to authenticate with the primary server.
Secondary LDAP Server | Port | If the secondary server is not listening on the default LDAP port, specify the port number.
Secondary LDAP Server | Use SSL | (Optional) Enable to use SSL to connect with the LDAP servers. In addition, before communications can be established, the certificates for the LDAP servers (primary and secondary) must be imported into the BMC Atrium Single Sign-On Tomcat truststore. For more information on importing certificates into the BMC Atrium Single Sign-On truststore, see Importing a certificate into the truststore (see page 243). If the remote LDAP server requires client authentication for SSL, the BMC Atrium Single Sign-On server's certificate might need to be imported into the LDAP server's truststore. Note: If you enabled SSL Access to the LDAP Server, import the certificates and restart the Tomcat server before enabling LDAP authentication. See Managing keystores with a keytool utility (see page 239) for more information.
Secondary LDAP Server | Set Recheck Primary Server Interval (minutes) | (Optional) The amount of time that the server uses the secondary server before attempting to reconnect with the primary server.
User Account for Search | Distinguished Name, Password, Confirm Password | (Required) The DN is the login name that is used to connect to the LDAP server. The user must have privileges to perform searches on the primary and secondary LDAP servers. Enter the DN for the user, the password, and the password confirmation. For example, you can use the Distinguished Name CN=bsmuser,CN=users,DC=bsmdsl,DC=bmc,DC=com and choose the password of your choice.
Attributes for User Search | Attribute Name | Add attribute names using the Attribute name parameter, or remove the attribute from the attribute list. For example, you can add CN as the attribute name for User Search.
DN to Start Search | Base DN | Add a base DN name, or remove the name from the list. The search DNs should be as specific as possible for performance reasons. The depth of the search that is performed can be configured. If an Object search is specified, then the DN should be the DN of the node containing the users. For example, CN=bsmuser,CN=users,DC=bsmdsl,DC=bmc,DC=com
DN to Start Search | Attribute for User Profile Name | Enter the starting locations within the LDAP directory for performing user searches. For each starting point, enter the login name (DN). The Base DN and attribute for user profile name are additional search parameters. For example, you can use CN as the attribute for user profile name.
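The failover behaviour described for the Secondary LDAP Server and Set Recheck Primary Server Interval parameters, modelled as an added Python example that is not BMC's implementation: the bind callback, the clock and the server names are constructed stand-ins, and demo_scenario runs a scripted outage through the selection logic.

```python
"""Primary/secondary LDAP server selection with a recheck interval.

Added illustration, not BMC's implementation. It models the rules in the
table above: the secondary server is used only while the primary is
unreachable (never in parallel, and never because a user's credentials
were rejected), and the primary is retried once the Recheck Primary Server
Interval has elapsed.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional


class LdapUnavailable(Exception):
    """The server could not be reached (connect or TLS failure)."""


class LdapAuthFailed(Exception):
    """The server was reached but rejected the credentials."""


@dataclass
class LdapServer:
    name: str
    port: int = 389
    use_ssl: bool = False


@dataclass
class FailoverAuthenticator:
    primary: LdapServer
    secondary: Optional[LdapServer]
    recheck_minutes: int
    # bind(server, dn, password) raises one of the exceptions above on failure.
    bind: Callable[[LdapServer, str, str], None]
    clock: Callable[[], float]                   # seconds; injectable for tests
    _primary_down_since: Optional[float] = field(default=None, init=False)

    def _active_server(self) -> LdapServer:
        if self._primary_down_since is None or self.secondary is None:
            return self.primary
        elapsed_minutes = (self.clock() - self._primary_down_since) / 60
        if elapsed_minutes >= self.recheck_minutes:
            return self.primary                  # interval passed: retry primary
        return self.secondary

    def authenticate(self, dn: str, password: str) -> str:
        """Bind as dn and return the name of the server that answered.

        LdapAuthFailed always propagates: a rejected credential on the
        primary must not be retried against the secondary.
        """
        server = self._active_server()
        try:
            self.bind(server, dn, password)
        except LdapUnavailable:
            if server is not self.primary or self.secondary is None:
                raise                            # both servers unreachable
            self._primary_down_since = self.clock()
            self.bind(self.secondary, dn, password)   # may itself raise
            return self.secondary.name
        if server is self.primary:
            self._primary_down_since = None
        return server.name


def demo_scenario() -> List[str]:
    """Scripted outage with fake servers and a fake clock (constructed data)."""
    state = {"ldap1.example.com": "up", "ldap2.example.com": "up"}
    now = [0.0]

    def bind(server: LdapServer, dn: str, password: str) -> None:
        if state[server.name] == "down":
            raise LdapUnavailable(server.name)
        if password != "s3cret":
            raise LdapAuthFailed(dn)

    auth = FailoverAuthenticator(LdapServer("ldap1.example.com"),
                                 LdapServer("ldap2.example.com", 636, True),
                                 recheck_minutes=5, bind=bind,
                                 clock=lambda: now[0])
    dn = "CN=bsmuser,CN=users,DC=bsmdsl,DC=bmc,DC=com"   # DN from the page
    used = [auth.authenticate(dn, "s3cret")]            # primary answers
    state["ldap1.example.com"] = "down"
    used.append(auth.authenticate(dn, "s3cret"))        # fails over
    now[0] += 2 * 60
    used.append(auth.authenticate(dn, "s3cret"))        # still on secondary
    now[0] += 4 * 60                                    # 6 min since failover
    state["ldap1.example.com"] = "up"
    used.append(auth.authenticate(dn, "s3cret"))        # recheck: back to primary
    try:
        auth.authenticate(dn, "wrong-password")
        used.append("unexpected success")
    except LdapAuthFailed:
        used.append("auth-failed-on-primary")           # no failover on bad creds
    return used


if __name__ == "__main__":
    print(demo_scenario())
```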

7.11.4 Where to go from here


In Administering (see page 263), see managing users, user groups, and authentication modules.

7.12 Using RSA SecurID for authentication


RSA SecurID provides a two-factor authentication scheme for user authentication. This approach uses a
password that has a very short life span, typically one minute. By combining a passcode with a hardware
generated token value, users are authenticated with this short-span password. This method of authentication
narrows the opportunity for exploitation by anyone who manages to eavesdrop on the Transport Layer Security
(TLS) confidential communications.

Note
After authentication, the combination passcode + token is no longer valid.

To configure the SecurID module (see page 141)
SecurID parameters (see page 142)
To modify the rsa_api.properties file (see page 142)
Where to go from here (see page 143)

7.12.1 To configure the SecurID module


To use SecurID Chain for user authentication, the module must first be configured with information about the
RSA Authentication Manager server. This information is contained in the sdconf.rec file. After being configured,
SecurID Chain is enabled for authentication use.
1. Copy the sdconf.rec file retrieved from the RSA SecurID server to the BMC Atrium Single Sign-On server at
the following location:
<installationDirectory>/BMC Software/BMC Atrium SSO/tomcat/webapps/BMC Atrium SSO/WEB-INF/config/BMC Atrium SSO/auth/ace/data
2. Configure the SecurID module.
a. On the BMC Atrium SSO Admin Console, click Edit BMC Realm.
b. On the Main tab (default), select a User Profile type.

Note
The User Profile applies to all authentication methods used for authentication.

c. In the Realm Authentication panel, click Add for a new authentication method and select the
method. Alternatively, if you want to edit an existing module, select the module and click Edit.
d. Provide the parameters for the method and Save.
e. Set the flag for the authentication method.
3. (Optional) Edit the rsa_api.properties file for additional configuration.

7.12.2 SecurID parameters

When adding or editing a SecurID module, the following options are available:
Save to save your modifications.
Reset to remove your modifications and stay on the editor.
Help launches a browser that provides you with online help.
Cancel to cancel and return to the launch page.

Parameter | Description
ACE/Server Configuration Path | Specify the full path for the new location of the sdconf.rec file. The configuration path is used to specify the location of the sdconf.rec file used to contact the RSA SecurID server.

7.12.3 To modify the rsa_api.properties file


Additional configuration of the SecurID module communications with the RSA Authentication Manager is
available by editing the rsa_api.properties file.

SecurID authentication files and locations

RSA SecurID authentication file name | Location
rsa_api.properties | <installationDirectory>/BMC Software/BMC Atrium SSO/tomcat/webapps/BMC Atrium SSO/WEB-INF/config/BMC Atrium SSO/auth/ace/data. The above location is the default; however, the path is configurable on the SecurID authentication module configuration. installationDirectory is the base configuration directory specified during BMC Atrium Single Sign-On configuration.
sdconf.rec | Located in the same directory as rsa_api.properties (default), but is configurable through the rsa_api.properties file.
Node Secret | Located in the same directory as rsa_api.properties (default), but is configurable through the rsa_api.properties file.
sdstatus.12 | Located in the same directory as rsa_api.properties (default), but is configurable through the rsa_api.properties file.

Properties of primary importance (and their default values)

SDCONF_FILE (FILE)
SDCONF_LOC: <configurationDirectory>/<uri>/auth/ace/data/sdconf.rec
SDSTATUS_TYPE (FILE)
SDSTATUS_LOC: <configurationDirectory>/<uri>/auth/ace/data/sdstatus
SDNDSCRT_TYPE (FILE)
SDNDSCRT_LOC: <configurationDirectory>/<uri>/auth/ace/data/secured
RSA_LOG_FILE: <configurationDirectory>/<uri>/debug/rsa_api.log
RSA_LOG_LEVEL (INFO; other values are OFF, DEBUG, WARN, ERROR, FATAL)
RSA_DEBUG_FILE, if RSA_ENABLE_DEBUG=YES: <configurationDirectory>/<uri>/debug/rsa_api_debug.log

7.12.4 Where to go from here


In Administering (see page 263), see managing users, user groups, and authentication modules.

7.13 Using SAMLv2 for authentication

Security Assertion Markup Language (SAML) is an XML-based OASIS standard for exchanging user identity and
security attributes information. It uses security tokens containing assertions to pass information about a principal
(usually an end user) between an identity provider (IdP) and a web service.
SAMLv2 is implemented by grouping a collection of entities to form a Circle of Trust. The Circle of Trust is
composed of a Service Provider (SP) and an Identity Provider (IdP). The Identity Provider authenticates the users
and provides this information to the Service Provider. The Service Provider hosts services that the user accesses.
Configuring SAMLv2 video (see page )
SAMLv2 configuration options (see page 144)
SAMLv2 implementation (see page 144)
Typical SAMLv2 deployment (see page 145)
Typical SAMLv2 deployment architecture (see page 145)
Related topics (see page 146)

7.13.1 Configuring SAML V2 video

Click the following BMC Atrium Single Sign-On 8.1 SAML V2 configuration video for more information:
Watch video on YouTube at http://www.youtube.com/watch?v=ZebEMQuoVhA

7.13.2 SAMLv2 configuration options


BMC Atrium Single Sign-On can be configured to perform as an SP or as an IdP. In addition, the user accounts
can be federated in bulk.
Configuring BMC Atrium Single Sign-On as an SP
Configuring BMC Atrium Single Sign-On as an IdP
Federating user accounts in bulk (see page 157)

7.13.3 SAMLv2 implementation


In BMC Atrium Single Sign-On, SAMLv2 is implemented from the Federation panel in the BMC realm.


7.13.4 Typical SAMLv2 deployment


In a typical SAMLv2 deployment scenario, the BMC Atrium Single Sign-On server is configured as an SP for BMC
products. The BMC Atrium Single Sign-On SP is then added to a Circle of Trust which includes an IdP. The IdP
provides the authentication services for the BMC Atrium Single Sign-On system.
In addition, the IdP caches authentication information within the browser. This information allows the IdP to
automatically re-authenticate a user without the user re-entering their credentials. For more information about
automatic logon behavior, see Logon and logoff issues (see page 316).

Note
BMC Atrium Single Sign-On SAMLv2 implementation is limited to:
SAML 2.0 browser-based transient Federation and Federated SSO
Browser-based HTTP GET and POST binding mechanisms of the SAML 2.0 protocol

7.13.5 Typical SAMLv2 deployment architecture


The following illustration shows BMC Atrium Single Sign-On configured as an SP. BMC products are integrated
with BMC Atrium Single Sign-On which, in turn, hosts the SP for the Circle of Trust. For the IdP, any SAMLv2 IdP
can be used. In addition, a second BMC Atrium Single Sign-On server can be configured to host an IdP.
BMC Atrium Single Sign-On server configured as an SP


7.13.6 Related topics


Troubleshooting SAMLv2

7.13.7 Configuring BMC Atrium Single Sign-On as an SP


In a Circle of Trust, BMC Atrium Single Sign-On is normally configured as a Service Provider (SP) for BMC
products. The Circle of Trust is then completed with an Identity Provider (IdP) to provide authentication for the
federated single sign-on. Following topics are provided:
Verify that certificates were imported into the truststore (see page 147)
Create a local SP (see page 147)
Create a remote IdP (see page 149)
Modify the JEE agents (see page 150)
Agent Editor (see page 151)

(Optional) Federate your user accounts in bulk (see page 153)
Where to go from here (see page 153)

Verify that certificates were imported into the truststore


Before configuring BMC Atrium Single Sign-On with a Service Provider, verify that all the certificates used for
network communication (Transport Layer Security) between the servers that are participating in the Circle of
Trust have been imported into the truststore of BMC Atrium Single Sign-On.
If you are using signed certificates, import only the root CA certificate.
If you are using self-signed certificates, import the public certificates into the truststore.
For more information about importing certificates, see Managing keystores with a keytool utility (see page 239)
and Importing a certificate into the truststore (see page 243).

Create a local SP
If you are using a second BMC Atrium Single Sign-On server as an IdP, the certificate from that server must be
exported from the <installationDirectory>/tomcat/conf/keystore.p12 file and imported into the cacerts.p12 of the
BMC Atrium Single Sign-On server that is providing the SP role.

To create a local SP
1. On the BMC Atrium SSO Admin Console, click Edit BmcRealm.
2. On the Federation tab, click Add.
3. Select Local Service Provider (SP).
4. Provide the local SP information.
5. Click Save.

Local SP parameters
The Local Service Provider (SP) Editor has the following options:
Save to save your modifications.
Reset to remove your modifications and stay on the editor.
Help launches a browser that provides you with online help.
Cancel to cancel and return to the launch page.
Name
  Name for the SP or accept the provided SP name. The Name field is pre-populated with a value that
  reflects the expected SP name.

MetaAlias
  The internally generated identifier for the entity. This value is used in the SAMLv2 login URL specified in
  the agents configuration.

Binding
  This option determines the way in which SAML messages are sent and received between the IdP and
  the SP. HTTP-Redirect and Post are used when a direct connection between the IdP and SP is not
  possible. The two bindings differ in the method used to exchange the SAMLv2 messages: HTTP Redirect
  or XHTML Form with Post.

Artifact Encoding
  The encoding technique used for Assertion Artifacts. The encoding method is determined by the IdP
  and is usually related to the binding method. From the drop-down menu, select URI or FORM.

Sign Messages: Signing Certificate Alias
  The alias specifies the certificate that will be used to sign the specified SAML messages. Signing is used
  to verify that the messages have not been altered in transit and that they originated with the SP.

Sign Messages: Authentication Request, Logout Request, Logout Response, Manager Name ID, Artifact Resolve,
and Post Resolve
  These parameters are the SAMLv2 messages that are to be signed by the SP or are expected to have
  been signed by the SP.

Encrypt Elements: Encryption Certificate Alias
  The alias specifies the private key that will be used to encrypt the secret key used to encrypt the SAMLv2
  messages.

Encrypt Elements: Encryption Algorithm
  The encryption algorithm used to encrypt SAMLv2 messages. Select an option, None, 3DES, AES-128, or
  AES-256, from the drop-down menu.

Encrypt Elements: Assertion, Attribute, Name ID
  Specifies whether to encrypt the Assertion, Attribute, and Name ID or leave them in plain text.

Assertion Time: Not-Before Skew (seconds)
  To compensate for clock drift between remote machines, this value specifies the amount of time that a
  message is considered valid when it is received before the issue time in the message.

Assertion Time: Effective Time (seconds)
  Amount of time that an assertion is valid, counting from the assertion's issue time.

SOAP Basic Authentication
  SOAP Basic authentication can be enabled to protect the SOAP SP endpoints. Any provider accessing
  these endpoints must provide these user name and password values.

Attribute Mapping
  Attribute Mapping is used to take user attributes (such as email or phone number) from the external
  user store and map them to the attributes used within the BMC Atrium Single Sign-On system. To define a
  mapping, enter the name of the SAML Attribute, select from the drop-down the Atrium SSO Attribute that
  the external attribute maps to, and click Add to put the new mapping into the table.

Auto Federation
  Allows BMC Atrium Single Sign-On to use an attribute of the Assertion from the IdP to automatically
  create an identity within the BMC Atrium Single Sign-On system. The identity is created by bypassing the
  initial double login normally performed when federating a user account with SAMLv2.

Name ID Format
  Defines the name identifier formats supported by the service provider. Name identifiers are a way for
  providers to communicate with each other regarding a user.
  The Name ID format list is an ordered list; the first Name ID has the highest priority in determining the
  Name ID format to use. If the user does not specify a Name ID to use when initiating single sign-on, the
  first one in this list that the remote Identity Provider supports is chosen.
  A persistent identifier is saved to a particular user's data store entry as the value of two attributes. A
  transient identifier is temporary, and no data is written to the user's persistent data store.
  Note: To link user accounts from the SP and IdP (Remote Identity Provider) together after logging in, the
  persistent nameID format must be at the top of the list.

Authentication Context
  This attribute maps the SAMLv2-defined authentication context classes to the authentication level set
  for the user session for the service provider.

Create a remote IdP

1. On the BMC Atrium SSO Admin Console, click Edit BmcRealm.
2. On the Federation panel, click Add.
3. Select Remote Identity Provider (IdP).
4. Before uploading the IdP metadata, you must import a signed certificate into the cot.jks keystore used for
   SAMLv2 authentication. The cot.jks file is located in the <installationDirectory>/tomcat directory.
5. Create a name for the remote IdP and upload the IdP metadata on the Create Identity Provider (IdP)
   pop-up.

   Name
     Name for the remote IdP.
   URL
     Select URL to acquire the remote IdP metadata from the URL location. Specify the FQDN of the host, including
     the port and any required path information. This URL is IdP-specific. For information on the metadata URL,
     consult the IdP documentation. For information about providing IdP metadata from another Atrium Single
     Sign-On server, see Providing IdP metadata from another Atrium Single Sign-On server (see page 149).
   File Upload
     Select File Upload to upload a file that contains the remote IdP metadata.

   Providing IdP metadata from another Atrium Single Sign-On server
   When using another Atrium Single Sign-On server as an IdP, the following URL template is used to access
   the metadata needed by the SP:
   https://<host>:<port>/atriumsso/saml2/jsp/exportmetadata.jsp?role=idp&realm=BmcRealm&entityid=<entityid>
   In this case:
   host is the FQDN of the BMC Atrium Single Sign-On server hosting the IdP.
   port is the port used for secure communication of the BMC Atrium Single Sign-On server hosting the IdP.
   entityid is the name of the IdP hosted by the BMC Atrium Single Sign-On server.
   For example:
   https://idp.bmc.com:8443/atriumsso/saml2/jsp/exportmetadata.jsp?role=idp&realm=BmcRealm&entityid=https://id
6. Click Save.
7. On the Federation panel, select the remote IdP.
8. Click Edit.
9. Provide the remote IdP parameters.
10. Click Save.


Remote IdP Editor parameters


The Remote Identity Provider (IdP) Editor has the following options:
Save to save your modifications.
Reset to remove your modifications and stay on the editor.
Help launches a browser that provides you with online help.
Cancel to cancel and return to the launch page.
Name
  Name for the IdP or accept the provided IdP name. The Name field is pre-populated with a
  value that reflects the expected IdP name.

Binding
  This option determines the way in which SAML messages are sent and received between the
  IdP and the SP. HTTP-Redirect and Post are used when a direct connection between the IdP
  and SP is not possible. The two bindings differ in the method used to exchange the SAMLv2
  messages: HTTP Redirect or XHTML Form with Post.

Sign Messages: Signing Certificate Alias
  The alias specifies the certificate that will be used to sign the specified SAML messages. Signing
  is used to verify that the messages have not been altered in transit and that they originated with the
  IdP.

Sign Messages: Authentication Request, Logout Request, Logout Response, Manager Name ID Request,
Manager Name ID Response, and Artifact Resolve
  These parameters are the SAMLv2 messages that are to be signed by the IdP or are expected to
  have been signed by the SP.

Encrypt Elements: Encryption Certificate Alias
  The alias specifies the private key that will be used to encrypt the secret key used to encrypt the
  SAMLv2 messages.

Encrypt Elements: Encryption Algorithm
  The encryption algorithm used to encrypt SAMLv2 messages. Select an option, None, 3DES,
  AES-128, or AES-256, from the drop-down menu.

Encrypt Elements: Name ID
  Specifies whether to encrypt the Name ID or leave it in plain text.

Modify the JEE agents


As part of configuring BMC Atrium Single Sign-On to host an SP, the J2EE agent configuration must be modified
to work with SAMLv2 federation.

Note
Each time a BMC product is integrated with the BMC Atrium Single Sign-On SP, the configuration must
be modified so the integrating product can function in the Federated SSO.

1. On the BMC Atrium SSO Admin Console, click Agent Details.
2. Select the agents associated with a BMC product integrated with this Atrium Single Sign-On server. For
   example, dashboards@sample.bmc.com:8443.
3. Click Edit.
   a. Delete the URLs in the login URI field.
   b. Enter the Federated login URL. For information about the login URL syntax, see Federated log in URL
      syntax (see page 152).
   c. Delete the URLs in the logout URI field.
   d. Enter the Federated logout URL. For information about the logout URL syntax, see Federated log
      out URL syntax (see page 152).
   e. Click Save.
The Agent manager provides an Agent panel that allows you to edit, delete, and search for an agent, and that
shows the agent name, realm, and state. The state indicates whether the agent is running or is down. When
searching for an agent, the filter * returns all of the names; the filter applies to all columns in the agent panel, and
an agent is returned for display when the filter string is found within any of these values. This feature allows you
to filter the list of agents to the ones running by specifying "Running".

Agent Editor
The Agent Editor allows you to modify the configuration of an agent. By modifying the agent configuration, you
can correct problems caused by environment difficulties. For example, a remote host may report its FQDN (Fully
Qualified Domain Name) incorrectly, using a plain name such as machine instead of machine.bmc.com.
The Agent Editor is launched when you select an agent and click Edit. The Agent Editor has the following options:
Save to save your modifications.
Reset to remove your modifications and stay on the editor.
Help launches a browser that provides you with online help.
Cancel to cancel and return to the launch page.
Notification URL
  The URL where the agent receives notifications from the server about session logouts. It is composed of the
  product's base URI with "/atsso" concatenated to the end. For example, https://sample.bmc.com/arsys/atsso

Status
  Determines whether the agent is enforcing SSO authentication (active) or not (inactive).

Logging Level
  The level of logging the agent performs in the product.

Redirect Limit
  The number of times that the agent redirects the browser to the server for authentication before signaling an
  error; 0 means infinite.

Password and Confirm Password
  Password used by the agent to access its configuration in the SSO server.

Cookie Name
  The name of the cookie that the agent checks for the SSO session token. It should match the cookie name in the
  server configuration.
  Note: To ensure browser compatibility, the cookie name should contain only alphanumeric and underscore
  characters.

Login URI and Logout URI
  Login and logout URIs are the locations to which the agent sends the users' browsers when the specified
  function is needed. When an agent is federated, the login and logout URLs for the agent must be modified to
  interact with the IdP.

Login Probe and Logout Probe
  The probe validates that the destination is accessible before sending the user to the location. If it is not, the
  agent tells the user that the SSO system is inaccessible. The probe should be turned off in environments where
  the URI cannot be contacted from the agent's environment, such as when the URI contains a host that is to be
  accessed through a reverse proxy.

Enable Cache
  Select this option to enable the session cache. Disabling the cache has a severe performance impact.

Fully Qualified Domain Name Mapping
  This FQDN mapping allows the agent to fix the URL used to access the application so that the browser sends
  cookies to the application. The SSO session is identified through cookies. When a URL does not use an FQDN
  host name, the browser does not know the domain of the server and therefore does not send any cookies to
  the server.

FQDN of Agent Host
  The FQDN entered is the FQDN of the host where the agent is located. Enabling FQDN mapping causes the agent
  to perform the forwarding from the entered host names to the entered FQDN.

Trigger host list and Trigger Host Name
  The hosts that trigger the FQDN redirect. The Trigger host list allows you to remove a host from the list. Trigger
  Host Name allows you to add a host to the Trigger host list.

Not Enforced URI and URI
  The Not Enforced URI field allows you to remove URIs from the Not Enforced URI list. The URI field allows you
  to add a URI to the Not Enforced URI list.

Federated log in URL syntax


https://<host>:<port>/atriumsso/spssoinit?metaAlias=/BmcRealm/sp&idpEntityID=<entityId>
In this case:

host is the FQDN of the Atrium Single Sign-On server hosting the SP.
port is the port used for secure communication of the Atrium Single Sign-On server hosting the SP.
entityId is the name of the IdP to be used by this SP.

Federated log out URL syntax


https://<host>:<port>/atriumsso/saml2/jsp/spSingleLogoutInit.jsp?idpEntityID=<entityId>&RelayState=<webappURL

In this case:

host is the FQDN of the BMC Atrium Single Sign-On server hosting the SP.
port is the port used for secure communication of the BMC Atrium Single Sign-On server hosting the SP.
entityId is the name of the IdP to be used by this SP.
webappURL is the URL for the webapp for this agent.
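As an added example (not from the BMC documentation or product), the following Python builds the two URLs above from host, port and entity ID, percent-encoding the query values so that a RelayState web application URL with its own query string survives intact; the host names, entity ID and web application URL in it are constructed sample values.

```python
"""Build the federated login and logout URLs the Agent Editor expects."""
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample values; the real ones come from your SP and IdP configuration.
SAMPLE_SP_HOST = "sp.example.com"
SAMPLE_SP_PORT = 8443
SAMPLE_IDP_ENTITY_ID = "https://idp.example.com:8443/atriumsso"
SAMPLE_WEBAPP_URL = "https://sample.example.com/arsys/home?view=Inbox&page=1"


def _check_endpoint(host: str, port: int) -> None:
    """Reject a host or port that cannot work in these URLs.

    The host must be fully qualified: as the Agent Editor text explains, a
    plain name such as 'machine' leaves the browser unable to scope the SSO
    cookie, so the cookie is never sent back to the server.
    """
    labels = host.split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError(f"host {host!r} is not a fully qualified domain name")
    if not 1 <= port <= 65535:
        raise ValueError(f"port {port} is out of range")


def federated_login_url(host: str, port: int, idp_entity_id: str,
                        meta_alias: str = "/BmcRealm/sp") -> str:
    """https://<host>:<port>/atriumsso/spssoinit?metaAlias=...&idpEntityID=..."""
    _check_endpoint(host, port)
    query = urlencode({"metaAlias": meta_alias, "idpEntityID": idp_entity_id})
    return f"https://{host}:{port}/atriumsso/spssoinit?{query}"


def federated_logout_url(host: str, port: int, idp_entity_id: str,
                         webapp_url: str) -> str:
    """https://<host>:<port>/atriumsso/saml2/jsp/spSingleLogoutInit.jsp?idpEntityID=...&RelayState=..."""
    _check_endpoint(host, port)
    # RelayState carries a whole URL. Left unencoded, any '&' or '=' inside the
    # web application's own query string would be parsed as parameters of the
    # logout URL, and the user would be returned to the wrong place.
    query = urlencode({"idpEntityID": idp_entity_id, "RelayState": webapp_url})
    return f"https://{host}:{port}/atriumsso/saml2/jsp/spSingleLogoutInit.jsp?{query}"


def relay_state_of(logout_url: str) -> str:
    """Decode RelayState from a logout URL; round-trips the web application URL."""
    return parse_qs(urlsplit(logout_url).query)["RelayState"][0]
```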


(Optional) Federate your user accounts in bulk


For information about using bulk federation, see Federating user accounts in bulk (see page 157).

Where to go from here


For information about managing users, user groups, and authentication modules, see the Administering section
(see page 263).

7.13.8 Configuring BMC Atrium Single Sign-On as an IdP


If you configure the BMC Atrium Single Sign-On server as an Identity Provider (IdP), do not use the server as the
integration server for BMC products. Instead, a separate BMC Atrium Single Sign-On server should be configured
as a Service Provider (SP) and used as the integration host.

Important
Do not integrate BMC products into a BMC Atrium Single Sign-On server when it is configured as an
Identity Provider.

Verify that an X.509 certificate is imported into the keystore


Before creating the IdP, an X.509 certificate is needed for signing communications between the IdP and SP of the
SAML Circle of Trust (COT). When joining an already existing COT, the certificate for the COT must be imported
into the keystore. A default certificate is created and stored in the keystore during the installation with the alias
name of test. This certificate can be used without creating and importing a new certificate.

To import the Circle of Trust certificate


When BMC Atrium Single Sign-On is configured as an IdP, the Circle of Trust certificate must be imported into a
keystore for the server to use.
1. Navigate to the keystore location, and replace the test certificate with your generated certificate.

Note
The default Circle of Trust keystore location and name is <installationDirectory>/tomcat/cot.jks.
This keystore must be of the type, JKS (not PKCS12 or any other type). The default password for
the keystore and certificates is changeit.


2. If the password for the keystore was changed, update the default .keypass and .storepass configuration
files with the encrypted form of the new password.
The configuration files are located in the same <installationDirectory>/tomcat/ directory as the Circle of
Trust keystore.
3. Stop and restart the Tomcat server.

Note
The new certificate is not available to use for creating an IdP until the Tomcat server is stopped
and restarted.

To encrypt the passwords for storage in the files


1. Enter the following URL into the browser:
   https://<host>:<port>/atriumsso/encode.jsp
   In this case:
   host is the FQDN of the BMC Atrium Single Sign-On host.
   port is the port number that BMC Atrium Single Sign-On is using for secure communication.
2. Enter a new password.
3. To encrypt the value, click Encode.
4. Copy the encrypted password into the configuration files.
5. Stop and restart the BMC Atrium Single Sign-On server.

Create a local IdP


The Local Identity Provider (IdP) Editor has the following options:
Save to save your modifications.
Reset to remove your modifications and stay on the editor.
Help launches a browser that provides you with online help.
Cancel to cancel and return to the launch page.

To create a local IdP


1. On the BMC Atrium SSO Admin Console, click Edit BmcRealm.
2. On the Federation tab, click Add.
3. Select Local Identity Provider (IdP).
4. Provide the local IdP information.
5. Click Save.

Note
If there are issues with keystore configuration, an error message is displayed.

Name
  Name for the IdP or accept the provided IdP name. The Name field is pre-populated with a value that
  reflects the expected IdP name.

Binding
  This option determines the way in which SAML messages are sent and received between the IdP and
  the SP. HTTP-Redirect and Post are used when a direct connection between the IdP and SP is not
  possible. The two bindings differ in the method used to exchange the SAMLv2 messages: HTTP
  Redirect or XHTML Form with Post.

Sign Messages: Signing Certificate Alias
  The alias specifies the certificate that will be used to sign the specified SAML messages. Signing is used
  to verify that the messages have not been altered in transit and that they originated with the IdP.

Sign Messages: Authentication, Logout Request, Logout Response, Manager Name ID Request, Manager Name ID
Response, and Artifact Resolve
  These parameters are the SAMLv2 messages that are to be signed by the IdP or are expected to have
  been signed by the SP.

Encrypt Elements: Encryption Certificate Alias
  The alias specifies the private key that will be used to encrypt the secret key used to encrypt the
  SAMLv2 messages.

Encrypt Elements: Encryption Algorithm
  The encryption algorithm used to encrypt SAMLv2 messages. Select an option, None, 3DES, AES-128,
  or AES-256, from the drop-down menu.

Encrypt Elements: Name ID
  Specifies whether to encrypt the Name ID or leave it in plain text.

Assertion Time: Not-Before Skew (seconds)
  To compensate for clock drift between remote machines, this value specifies the amount of time that a
  message is considered valid when it is received before the issue time in the message.

Assertion Time: Effective Time (seconds)
  Amount of time that an assertion is valid, counting from the assertion's issue time.

Attribute Mapping
  Attribute Mapping is used to take user attributes (such as email or phone number) from the external
  user store and map them to the attributes used within the BMC Atrium Single Sign-On system. To define a
  mapping, enter the Name In Assertion, select from the drop-down the Local Attribute Name that the attribute
  maps to, and click Add to put the new mapping into the table.
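The Not-Before Skew and Effective Time parameters in the local SP and local IdP editors together define a validity window for a received assertion. The following Python is an added example, not BMC's implementation: it applies that window to constructed sample timestamps and classifies an assertion as accepted, received too early, or expired.

```python
"""Apply the Not-Before Skew and Effective Time window to a SAML assertion."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


def parse_issue_instant(value: str) -> datetime:
    """Parse the xs:dateTime form SAML uses for IssueInstant, e.g. 2014-01-16T15:56:00Z,
    and normalise it to UTC. A value without a time zone is rejected."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:
        raise ValueError("IssueInstant must carry a time zone")
    return parsed.astimezone(timezone.utc)


@dataclass(frozen=True)
class AssertionWindow:
    """Validity window parameters, in seconds, as set in the editor."""
    not_before_skew: int   # accepted clock drift when the message arrives "early"
    effective_time: int    # lifetime counted from the issue time

    def __post_init__(self) -> None:
        if self.not_before_skew < 0 or self.effective_time <= 0:
            raise ValueError("skew must be >= 0 and effective time > 0")

    def check(self, issue_instant: datetime, received_at: datetime) -> str:
        """Classify an assertion as 'ok', 'too-early' or 'expired'.

        Accepted interval: [issue - not_before_skew, issue + effective_time).
        'too-early' means the issuer's clock is ahead of ours by more than the
        configured skew; 'expired' means the assertion outlived its effective
        time, which is also what a replayed old assertion looks like.
        """
        if issue_instant.tzinfo is None or received_at.tzinfo is None:
            raise ValueError("use timezone-aware datetimes")
        earliest = issue_instant - timedelta(seconds=self.not_before_skew)
        latest = issue_instant + timedelta(seconds=self.effective_time)
        if received_at < earliest:
            return "too-early"
        if received_at >= latest:
            return "expired"
        return "ok"


def check_assertion(skew: int, effective: int, issue: str, received: str) -> str:
    """Convenience wrapper taking xs:dateTime strings, e.g. from a decoded assertion."""
    return AssertionWindow(skew, effective).check(parse_issue_instant(issue),
                                                  parse_issue_instant(received))
```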

Create a remote SP
1. On the BMC Atrium SSO Admin Console, click Edit BmcRealm.
2. On the Federation panel, click Add.
3. Select Remote Service Provider (SP).
4. Create a name for the remote SP and upload the SP metadata on the Create Service Provider (SP) pop-up.
   Name
     Name for the remote SP.
   URL
     Select URL to acquire the remote SP metadata from the URL location. Specify the FQDN of the host, including
     the port and any required path information. This URL is SP-specific. For information on the metadata URL,
     consult the SP documentation. For information about providing SP metadata from another Atrium Single
     Sign-On server, see Providing SP metadata from another Atrium Single Sign-On server (see page 156).
   File Upload
     Select File Upload to upload a file that contains the remote SP metadata.

   Providing SP metadata from another Atrium Single Sign-On server
   For accessing SP metadata, the following URL syntax is used:
   https://<host>:<port>/atriumsso/saml2/jsp/exportmetadata.jsp?role=sp&realm=BmcRealm&entityid=<entityid>
   In this case:
   host is the FQDN of the server hosting the SP.
   port is the port used for secure communications of the server hosting the SP.
   entityid is the name of the SP hosted by the server.
   For example:
   https://sp.bmc.com:8443/atriumsso/saml2/jsp/exportmetadata.jsp?role=sp&realm=BmcRealm&entityid=https://sp:8
5. Click Save.
6. On the Federation panel, select the remote SP.
7. Click Edit.
8. Provide the remote SP parameters.
9. Click Save.

Remote SP Editor parameters


The Remote Service Provider (SP) Editor has the following options:
Save to save your modifications.
Reset to remove your modifications and stay on the editor.
Help launches a browser that provides you with online help.
Cancel to cancel and return to the launch page.
Name
  Name for the SP or accept the provided SP name. The Name field is pre-populated with a value that
  reflects the expected SP name.

MetaAlias
  The internally generated identifier for the entity. This value is used in the SAMLv2 login URL specified
  in the agents configuration.

Binding
  This option determines the way in which SAML messages are sent and received between the IdP
  and the SP. HTTP-Redirect and Post are used when a direct connection between the IdP and SP is
  not possible. The two bindings differ in the method used to exchange the SAMLv2 messages: HTTP
  Redirect or XHTML Form with Post.

Artifact Encoding
  The encoding technique used for Assertion Artifacts. The encoding method is determined by the IdP
  and is usually related to the binding method. From the drop-down menu, select URI or FORM.

Sign Messages: Signing Certificate Alias
  The alias specifies the certificate that will be used to sign the specified SAML messages. Signing is used
  to verify that the messages have not been altered in transit and that they originated with the SP.

Sign Messages: Authentication Request, Logout Request, Logout Response, Manager Name ID, Artifact Resolve,
and Post Resolve
  These parameters are the SAMLv2 messages that are to be signed by the SP or are expected to have
  been signed by the SP.

Encrypt Elements: Encryption Certificate Alias
  The alias specifies the private key that will be used to encrypt the secret key used to encrypt the
  SAMLv2 messages.

Encrypt Elements: Encryption Algorithm
  The encryption algorithm used to encrypt SAMLv2 messages. Select an option, None, 3DES, AES-128,
  or AES-256, from the drop-down menu.

Encrypt Elements: Assertion, Attribute, Name ID
  Specifies whether to encrypt the Assertion, Attribute, and Name ID or leave them in plain text.

SOAP Basic Authentication
  SOAP Basic authentication can be enabled to protect the SOAP SP endpoints. Any provider accessing
  these endpoints must provide these user name and password values.

Attribute Mapping
  Attribute Mapping is used to take user attributes (such as email or phone number) from the external
  user store and map them to the attributes used within the BMC Atrium Single Sign-On system. To define a
  mapping, enter the name of the SAML Attribute, select from the drop-down the Atrium SSO Attribute that
  the external attribute maps to, and click Add to put the new mapping into the table.

(Optional) Federate your user accounts in bulk


For information about using bulk federation, see Federating user accounts in bulk (see page 157).

Where to go from here


For information about managing users, user groups, and authentication modules, see Administering (see
page 263).
For information about troubleshooting SAMLv2 authentication, see Troubleshooting SAMLv2.

7.13.9 Federating user accounts in bulk


In order for users to do single sign-on between an Identity Provider (IdP) and a Service Provider (SP), the user
accounts must be federated, or linked together. When an account is federated, the two systems agree on a
common identifier for a user. The common identifier is used when the systems communicate about the user. In
this way, account names do not need to be shared between the two systems. Instead, a unique name specific to
the federated identity is agreed upon by the two systems.

Note
If bulk federation is not used, then when a user first tries to access a BMC product that is integrated with
a BMC Atrium Single Sign-On SP, the user follows a two-step process to create a federated account.
First, the user authenticates with the IdP and then the user authenticates with the SP.

The following topics provide basic information and instructions for federating user accounts in bulk:


bulkFederation utility syntax (see page 158)


bulkFederation utility commands (see page 158)
To perform bulk federation (see page 159)
The following topics provide additional information for federating user accounts in bulk:
Identity files for user accounts (see page 160)
bulkFederation command parameters (see page 161)
Create command results output file
Federate command results output file
Create-federate command results output file
Import command results output file
Create-import command results output file
Error messages for bulk federation of user accounts

bulkFederation utility syntax


Bulk federation is accomplished by using the bulkFederation utility with the following syntax:
(Microsoft Windows) bulkFederation.bat <command> <arg1> ... <argN>
(UNIX) bulkFederation.sh <command> <arg1> ... <argN>

bulkFederation utility commands


The following bulkFederation utility commands are used for bulk account federation:
create (short form: c)
  Creates accounts in bulk.

federate (short form: f)
  Federates accounts in bulk.

create-federate (short form: cf)
  Creates and federates accounts in bulk. Used to create local user accounts in bulk and to federate at the
  same time.

import (short form: i)
  Imports remote federation data.

create-import (short form: ci)
  Creates accounts and imports federation data. Used to create user accounts in bulk and to import the
  federated identity mapping data at the same time.


To perform bulk federation


1. Provide either an identity list file or an identity mapping file.
   An identity list file is a simple text file with only your local user IDs.
   An identity mapping file is a simple text file with both your local user IDs and your remote user IDs.
2. Create user accounts on each server (local and remote) with the create command.
   Use either your identity list file or your identity mapping file as the input file on the local server.
   Use a separate identity list file or your federated mapping file on the remote server.
   For example (UNIX):
   bulkFederation.sh create -ap myAdminPassword -au amAdmin -rf myDiagnosticFile1 -um userIdMapFile.dat
   In this example, an identity mapping file, userIdMapFile.dat, is used.
3. Federate the user accounts on the local server with the federate command.
   Be sure that your user accounts were created on each server (local and remote).
   Use your identity mapping file as the input file and provide a file name for the output file that will
   contain the federated identity mapping data.
   For example (UNIX):
   bulkFederation.sh federate -ap myAdminPassword -au amAdmin -fm /BmcRealm/sp -nm nameIdMapFile.dat -re IdP -rf myResultsFile2 -um userIdMapFile.dat
   In this example, nameIdMapFile.dat is the output file for the federated identity mapping data that is
   generated by the federate command.
4. Copy the federated identity mapping data file to the remote server.
5. Import the federated identity mapping data into the remote server with the import command.
   The federated identity mapping data file is the output file from the federate step and becomes the input
   file for the import step.
   For example (UNIX):
   bulkFederation.sh import -ap myAdminPassword -au amAdmin -im /BmcRealm/idp -nm nameIdMapFile.dat -rf myResultsFile3
   In this example, nameIdMapFile.dat contains the federated identity mapping data that is generated by the
   federate command and imported into the remote server.

Note
Alternatively, you can use the create-federate command to replace the separate create and
federate steps and the create-import command to replace the separate create and import
steps.


Identity files for user accounts


Identity files are used to create and federate user accounts:
Identity list file (see page 160)
Identity mapping file (see page 160)
Federated identity mapping file (see page 160)

Identity list file


The identity list file is used only with the create command. This file contains the user IDs to create accounts on
the local server. In the following example, the local server is the service provider.
Example identity list file

Identity list file format    Example
local id 1                   spuser1
local id 2                   spuser2
...                          spuser3
...                          spuser4
local id N                   spuser5

Identity mapping file


The identity mapping file is used for both the create-federate and federate commands and can be used for
the create command. This file contains the local user IDs and the remote user IDs in a pipe-delimited format. In
the following example, the remote server is the identity provider.
Example identity mapping file

Identity mapping file format    Example
local id 1|remote id 1          spuser1|idpuser1
local id 2|remote id 2          spuser2|idpuser2
...                             spuser3|idpuser3
...                             spuser4|idpuser4
local id N|remote id N          spuser5|idpuser5

Federated identity mapping file


The data for the federated identity mapping file is generated by the federate command on the local server and
used by the import command to import the data into the remote server. The account creation only attempts to

BMC Atrium Single Sign-On 8.1

Page 160 of 389

BMC Software Confidential

Home

create accounts that are local to the target server.


Example of federated identity mapping data
#local: https://sample-sp.bmc.com:8443/atriumsso
#remote: https://sample-idp.bmc.com:8443/atriumsso
#role: IDP
#specification: saml2
idpuser1|sg8yuVj6Qblp9A3IJgDSkhomhiCO1
idpuser2|sg8yuVj6Qblp9A3IJgDSkhomhiCO2
idpuser3|sg8yuVj6Qblp9A3IJgDSkhomhiCO3
idpuser4|sg8yuVj6Qblp9A3IJgDSkhomhiCO4
idpuser5|sg8yuVj6Qblp9A3IJgDSkhomhiCO5
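The following validator is an added example and is not part of BMC's bulkFederation utility. It parses the three file formats described above, reports an empty local ID with the BMCSSG1751E wording the utility uses, and adds two checks of my own (a duplicate local ID, and whether the #remote header of federated data names the server about to import it); the function names and the sample data are assumptions built from the page's examples.

```python
"""Validator for bulkFederation identity files (added example, not BMC code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


class IdentityFileError(ValueError):
    """Raised for a line the bulkFederation utility would not accept."""


@dataclass
class IdentityEntry:
    local_id: str
    remote_id: Optional[str]  # None when the file is a plain identity list


@dataclass
class FederatedData:
    headers: Dict[str, str]         # local, remote, role, specification
    entries: List[Tuple[str, str]]  # (remote user ID, generated name ID)


def parse_identity_file(text: str) -> List[IdentityEntry]:
    """Parse an identity list file or a pipe-delimited identity mapping file.

    The local ID is always the first field, which is why the create command
    accepts either format. An empty local ID is reported with the page's
    BMCSSG1751E wording. Blank lines are skipped (assumption).
    """
    entries: List[IdentityEntry] = []
    seen = set()
    for number, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            continue
        fields = [f.strip() for f in raw.split("|")]
        local_id = fields[0]
        if not local_id:
            raise IdentityFileError(
                f"BMCSSG1751E Local ID is missing or empty for line ({number}): {raw}")
        remote_id = fields[1] if len(fields) > 1 else None
        if remote_id == "":
            # Not a code on the page: a mapping line with no remote side cannot federate.
            raise IdentityFileError(f"Remote ID is empty for line ({number}): {raw}")
        if local_id in seen:
            # Own check: the second occurrence would fail at account creation.
            raise IdentityFileError(f"Duplicate local ID on line ({number}): {local_id}")
        seen.add(local_id)
        entries.append(IdentityEntry(local_id, remote_id))
    return entries


def is_mapping_file(entries: List[IdentityEntry]) -> bool:
    """federate and create-federate need a remote ID on every line."""
    return bool(entries) and all(e.remote_id is not None for e in entries)


def parse_federated_data(text: str) -> FederatedData:
    """Parse the federate/create-federate output that the import command reads."""
    headers: Dict[str, str] = {}
    entries: List[Tuple[str, str]] = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, sep, value = line[1:].partition(":")
            if not sep:
                raise IdentityFileError(f"Malformed header on line ({number}): {raw}")
            headers[key.strip()] = value.strip()
            continue
        remote_id, sep, name_id = (p.strip() for p in line.partition("|"))
        if not sep or not remote_id or not name_id:
            raise IdentityFileError(f"Malformed mapping on line ({number}): {raw}")
        entries.append((remote_id, name_id))
    missing = [k for k in ("local", "remote", "role", "specification") if k not in headers]
    if missing:
        raise IdentityFileError(f"Missing header(s): {', '.join(missing)}")
    return FederatedData(headers, entries)


def import_target_matches(data: FederatedData, server_url: str) -> bool:
    """Own check: the #remote header names the server that should import the file."""
    return data.headers["remote"].rstrip("/").lower() == server_url.rstrip("/").lower()


# Constructed sample input, modelled on the page's examples.
SAMPLE_MAPPING = ("spuser1|idpuser1\nspuser2|idpuser2\nspuser3|idpuser3\n"
                  "spuser4|idpuser4\nspuser5|idpuser5\n")
SAMPLE_FEDERATED = """#local: https://sample-sp.bmc.com:8443/atriumsso
#remote: https://sample-idp.bmc.com:8443/atriumsso
#role: IDP
#specification: saml2
idpuser1|sg8yuVj6Qblp9A3IJgDSkhomhiCO1
idpuser2|sg8yuVj6Qblp9A3IJgDSkhomhiCO2
"""

if __name__ == "__main__":
    mapping = parse_identity_file(SAMPLE_MAPPING)
    print(len(mapping), "entries; federate-ready:", is_mapping_file(mapping))
    fed = parse_federated_data(SAMPLE_FEDERATED)
    print(fed.headers["role"], len(fed.entries),
          import_target_matches(fed, "https://sample-idp.bmc.com:8443/atriumsso"))
```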

bulkFederation command parameters


The following topics provide information for bulkFederation command parameters:
Create command syntax (see page 161)
Federate command syntax (see page 161)
Create-federate command syntax (see page 162)
Import command syntax (see page 162)
Create-import command syntax (see page 162)
bulkFederation parameter summary (see page 162)

Create command syntax


If only account creation is being executed (the create option), you can use an input file with only a list of local
user IDs or with the mapping entries. Either of the two input file formats works, since the local ID is always the first
entry and is used to create users.
Create command and parameters with bulkFederation.sh (UNIX):
bulkFederation.sh create|c -ap <arg1> -au <arg2> -dp <arg3> -rf <arg4> -um <arg5>

Note
If an account creation fails, the bulkFederation utility continues to create accounts with subsequent user
IDs in the list.

Federate command syntax


Federate command and parameters with bulkFederation.sh (UNIX):
bulkFederation.sh federate|f -ap <arg1> -au <arg2> -fm <arg3> -nm <arg4> -re <arg5> -rf <arg6> -um <arg7>

Note
The ID names are indicated in the federate and create-federate output file, not the FQDN.

Create-federate command syntax


Create-federate command and parameters with bulkFederation.sh (UNIX):
bulkFederation.sh create-federate|cf -ap <arg1> -au <arg2> -dp <arg3> -fm <arg4> -nm <arg5> -re <arg6> -rf <arg7> -um <arg8>

Import command syntax


Import command and parameters with bulkFederation.sh (UNIX):
bulkFederation.sh import|i -ap <arg1> -au <arg2> -im <arg3> -nm <arg4> -rf <arg5>

Create-import command syntax


Create-import command and parameters with bulkFederation.sh (UNIX):
bulkFederation.sh create-import|ci -ap <arg1> -au <arg2> -dp <arg3> -im <arg4> -nm <arg5> -rf <arg6>

bulkFederation parameter summary


The following summarizes the bulkFederation utility commands and the parameters that each command uses. In
addition, to view bulkFederation utility command parameters, enter the command without any arguments.
bulkFederation parameter summary

-ap (long form: --admin-pswd)
Commands: create, federate, create-federate, import, create-import
Description: Administrator account password for the specified BMC Atrium Single Sign-On server.

-au (long form: --admin-user)
Commands: create, federate, create-federate, import, create-import
Description: Administrator account name for the specified BMC Atrium Single Sign-On server. Default: amAdmin

-dp (long form: --default-password)
Commands: create, create-federate, create-import
Description: Default password setting includes:
NONE for no password setting
UID to use the user ID name
RANDOM for a generated password

-fm (long form: --federation-meta-alias)
Commands: federate, create-federate
Description: Meta alias of the service provider (not the entity name of the service provider) where the
federation data is generated. Default: /BmcRealm/sp

-im (long form: --import-meta-alias)
Commands: import, create-import
Description: Meta alias of the service provider (not the entity name of the service provider) where the
federation data is imported. Default: /BmcRealm/idp

-nm (long form: --name-id-file)
Commands: federate, create-federate, import, create-import
Description: Name of the file for the federated identity mapping data. This data is generated by the federate
and create-federate commands and imported by another instance of BMC Atrium Single Sign-On with the
import command.

-re (long form: --remote-identity-id)
Commands: federate, create-federate
Description: Name of the remote identity provider. Default: IdP

-rf (long form: --result-file)
Commands: create, federate, create-federate, import, create-import
Description: Name for a file that will contain diagnostic information from the bulkFederation commands. Use
a unique file name for each bulkFederation command. This file is a parseable XML file.

-um (long form: --user-id-file)
Commands: create, federate, create-federate
Description: Identity list file containing either the local user IDs (used to create accounts) or the local to
remote identity mapping file (used to both create and federate). The identity mapping file must use
pipe-delimited user IDs.

Create command results output file


The following is an example of the output content generated when you run a bulkFederation create command
with the -rf parameter. This file is a parseable XML file that contains diagnostic information.

.\userIdMapFile.dat
SUCCESS
spuser1
ur8kcdpsfpha
SUCCESS
spuser2
FAILURE
BMCSSG1743E
IO error encountered when attempting to create the
user: id=spuser2,ou=User,o=BmcRealm,ou=services,dc=opensso,dc=java,dc=net
Fault detail goes here!
spuser3
ss4nmsq9qdq1
SUCCESS
spuser4
FAILURE
BMCSSG1744E
Process was interrupted when attempting to create the user:
id=spuser4,ou=User,o=BmcRealm,ou=services,dc=opensso,dc=java,dc=net
Fault detail goes here!
spuser5
iud8eavvcb36
SUCCESS

Federate command results output file


The following is an example of the output content generated when you run a bulkFederation federate
command with the -rf parameter. This file is a parseable XML file that contains diagnostic information.


.\userIdMapFile.dat
.\nameIdMapFile.dat
SUCCESS
spuser2
FAILURE
BMCSSG1749E
Illegal universal identifier:
id=spuser2,ou=User,o=BmcRealm,ou=services,dc=opensso,dc=java,dc=net
Illegal universal identifier
spuser4
FAILURE
BMCSSG1749E
Illegal universal identifier:
id=spuser4,ou=User,o=BmcRealm,ou=services,dc=opensso,dc=java,dc=net
Illegal universal identifier

Create-federate command results output file


The following is an example of the output content generated when you run a bulkFederation create-federate
command with the -rf parameter. This file is a parseable XML file that contains diagnostic information.

.\userIdMapFile.dat
SUCCESS
spuser1
qvk6241mtplh
SUCCESS
spuser2
FAILURE
BMCSSG1743E
IO error encountered when attempting to create the
user: id=spuser2,ou=User,o=BmcRealm,ou=services,dc=opensso,dc=java,dc=net
Fault detail goes here!
spuser3
ivv6obvae1om
SUCCESS
spuser4
FAILURE
BMCSSG1744E
Process was interrupted when attempting to create the user:
id=spuser4,ou=User,o=BmcRealm,ou=services,dc=opensso,dc=java,dc=net
Fault detail goes here!
spuser5
i5mcq3d0n6g5
SUCCESS
.\userIdMapFile.dat
.\nameIdMapFile.dat
SUCCESS
spuser2
FAILURE
BMCSSG1749E
Illegal universal identifier: id=spuser2,ou=User,o=BmcRealm,ou=services,dc=opensso,dc=java,dc=net
Illegal universal identifier
spuser4
FAILURE
BMCSSG1749E
Illegal universal identifier: id=spuser4,ou=User,o=BmcRealm,ou=services,dc=opensso,dc=java,dc=net
Illegal universal identifier

Import command results output file


The following is an example of the output content generated when you run a bulkFederation import command
with the -rf parameter. This file is a parseable XML file that contains diagnostic information.

.\nameIdMapFile.dat
SUCCESS
idpuser2
FAILURE
BMCSSG1749E
Illegal universal identifier: id=idpuser2,ou=User,o=BmcRealm,ou=services,dc=opensso,dc=java,dc=net
Illegal universal identifier
idpuser4
FAILURE
BMCSSG1749E
Illegal universal identifier: id=idpuser4,ou=User,o=BmcRealm,ou=services,dc=opensso,dc=java,dc=net
Illegal universal identifier

Create-import command results output file


The following is an example of the output content generated when you run a bulkFederation create-import
command with the -rf parameter. This file is a parseable XML file that contains diagnostic information.

.\userIdMapFile.dat
SUCCESS
idpuser1
562h359q1gsl
SUCCESS
idpuser2
FAILURE
BMCSSG1743E
IO error encountered when attempting to create the
user: id=idpuser2,ou=User,o=BmcRealm,ou=services,dc=opensso,dc=java,dc=net
Fault detail goes here!
idpuser3
d301pnuve493
SUCCESS
idpuser4
FAILURE
BMCSSG1744E
Process was interrupted when attempting to create the user:
id=idpuser4,ou=User,o=BmcRealm,ou=services,dc=opensso,dc=java,dc=net
Fault detail goes here!
idpuser5
ffm0et9qa59e
SUCCESS
.\nameIdMapFile.dat
FAILURE
BMCSSG1748E
Process was interrupted when attempting to import federation data.
Fault detail goes here!

Error messages for bulk federation of user accounts


Error number  Description
BMCSSG1740E  Main command line option unrecognized.
BMCSSG1741E  Invalid sub-options encountered.
BMCSSG1742E  Failed to read the input file: <inputFilename>
BMCSSG1743E  IO error encountered when attempting to create the user: <userID>
BMCSSG1744E  Process was interrupted when attempting to create the user: <userID>
BMCSSG1745E  IO error encountered when attempting to federate user identities.
BMCSSG1746E  Process was interrupted when attempting to federate user identities.
BMCSSG1747E  IO error encountered when attempting to import federation data.
BMCSSG1748E  Process was interrupted when attempting to import federation data.
BMCSSG1749E  Illegal universal identifier: <userID or DN>
BMCSSG1750E  Failed to write response file: <responseFilename>
BMCSSG1751E  Local ID is missing or empty for line (<lineNumber>): <lineContents>
BMCSSG1752E  Failed to create the temporary user ID mapping file.
BMCSSG1753E  Failed to create the temporary user ID mapping file.
BMCSSG1754E  Failed to save the temporary user ID mapping file.
BMCSSG1755E  Failed to save the name ID mapping file.
BMCSSG1756E  Failed to delete the temporary name ID mapping file.

8 Upgrading
You can upgrade a previous installation of BMC Atrium Single Sign-On by using the installer provided with BMC
Atrium Single Sign-On. This procedure for upgrading BMC Atrium Single Sign-On is the same for both Microsoft
Windows and UNIX.

For other upgrading information, see:
Preparing to upgrade BMC Analytics for BSM
Upgrading HA nodes

8.1 To upgrade BMC Atrium Single Sign-On


Note
BMC recommends that you back up BMC Atrium Single Sign-On before proceeding with an upgrade.

1. On the target computer, start the BMC Atrium Single Sign-On installation utility.
2. When prompted, agree to the license agreement.
3. When the upgrade is complete, review the summary information.
4. To view the upgrade logs, click View Log.
5. To close the dialog, click Done.

8.2 To upgrade BMC Atrium Single Sign-On in silent mode


BMC Atrium Single Sign-On can be upgraded to version 8.1 in silent mode with the same parameters as for silent
installation. For more information, see Installing silently (see page 112).

8.3 Preparing to upgrade BMC Analytics for BSM


If you are upgrading BMC Analytics for BSM, you need to remove the J2EE agent from BMC Atrium Single
Sign-On.

8.3.1 To remove the J2EE agent for BMC Analytics for BSM
1. Ensure that you stopped and disabled the Tomcat server that you installed during the BMC Analytics for
BSM installation.
2. Log on to the BMC Atrium Single Sign-On server.
3. On the BMC Atrium SSO Admin Console, click Agent Details.
4. Select the J2EE agent for the BMC Analytics for BSM host and click Delete. The J2EE agent is removed
from the list.
5. Proceed with your BMC Analytics for BSM upgrade.


8.4 Upgrading HA nodes


The HA upgrade process is to update each node in the cluster individually by running the installation program and
allowing it to perform an update of the installed software. This process of installing HA clusters is documented in
Installing BMC Atrium Single Sign-On as a High Availability cluster (see page 55). The overall process is similar to
a new cluster installation in that a cluster configuration file is created when you upgrade the first node. This
cluster configuration file is used when you upgrade the subsequent nodes. Essentially, the first upgraded node
creates a new cluster and then each subsequent node that is upgraded is added to the new cluster.

Note
BMC recommends that you configure the load balancer for the cluster to block access to the cluster
before upgrading nodes. The cluster cannot be in use during the upgrade.
BMC recommends that you back up the first node in the cluster prior to upgrading.

8.4.1 To upgrade HA nodes


1. Ensure that the cluster is not being used.
2. Run the installation program (autorun) on the first node.
a. Provide the administrator password.
b. Select First node of cluster upgrade and click Next.
c. Provide the location and file name for where you want the cluster configuration information saved
and click Next.
This cluster configuration file is needed when subsequent nodes are added to the cluster.

Important
This file contains sensitive information.

3. Copy the cluster configuration file to the computer that hosts the subsequent node.
4. Run the installation program (autorun) on the subsequent node.
a. Provide the administrator password.
b. Select the Additional node of cluster upgrade option and click Next.
c. Provide the location of the cluster configuration file (created during the first node upgrade).
5. For additional nodes, repeat steps 3 and 4.

6. (Optional) Add new nodes to the cluster by running the installation program on a computer which does not
already contain a node. For more information about adding new nodes to the cluster, see Installing
additional nodes for an HA cluster on a new Tomcat server (see page 63) or Installing additional nodes for
an HA cluster on an external Tomcat server (see page 70).

Note
The order in which nodes are upgraded does not matter, since any node can be the first node. The
state of the nodes (running or not) does not impact the upgrade.

9 Integrating
The following topics provide information and instructions for integrating BMC products with BMC Atrium Single
Sign-On:


Integrating BMC Atrium Single Sign-On with AR System Version 8.0.00


Integrating BMC Dashboards for BSM (see page 198)
Integrating BMC Analytics for BSM (see page 199)
Integrating BMC ProactiveNet (see page 200)
Integrating BMC IT Business Management Suite (see page 204)
Integrating BMC ITBM and WebSphere application server (see page 205)
Integrating BMC Capacity Optimization (see page 207)
Integrating BMC Atrium Orchestrator Platform (see page 209)
Integrating BMC Real End User Experience Monitoring (see page 212)
Integrating BMC Mobility for ITSM 8.1.00 (see page 212)

9.1 Integrating BMC Atrium Single Sign-On with AR System Version 8.0.00

The typical method for integrating BMC Atrium Single Sign-On with BMC Remedy AR System is to install BMC
Atrium Single Sign-On, install BMC Remedy AR System, and then integrate with BMC Remedy AR System.
However, if you did not integrate the AR System server and the Mid Tier with BMC Atrium Single Sign-On during
installation, perform the following manual integration steps.

Important
These instructions are for BMC Remedy AR System version 8.0.00 only.
BMC recommends that you upgrade to BMC Remedy AR System 8.1 because a new utility is introduced
that greatly simplifies the integration between BMC Atrium Single Sign-On and the AR System server and
Mid Tier. For more information about using the new utility, see Installing BMC Atrium Single Sign-On
with the AR System server and Mid Tier (see page 79).

Steps:
1. Configure external authentication in the AR System server (see page 170).
2. Install the BMC Atrium Single Sign-On server.
3. Configure BMC Atrium Single Sign-On integration.
4. Configure the mid tier for BMC Atrium Single Sign-On user authentication (see page 176).
5. Configure the BMC Atrium Single Sign-On server for AR System integration (see page 183).
6. Run a health check of the integration.


Note
All products that run in BMC Remedy AR System support BMC Atrium Single Sign-On including AR
System Mid Tier products (BMC Remedy ITSM, BMC Atrium Core, BMC Atrium CMDB, and so on), BMC
Atrium Dashboard and Analytics, BMC IT Business Management Suite, BMC ProActive Performance
Management (version 9.0), and so on.

For more information about integrating with BMC Remedy AR System, see the BMC Remedy AR System 8.0 online
documentation installing and integrating information.

9.1.1 Configuring external authentication for AR System integration


Before you can correctly configure BMC Atrium Single Sign-On, you must configure external authentication
settings in the BMC Remedy AR System server.
Before you begin (see page 170)
To configure external authentication for AR System integration (see page 170)
Where to go from here (see page 171)

Before you begin


Install the AREA LDAP plug-in used with the AR System server. For more information, see the BMC Remedy AR
System 8.0 online documentation.

To configure external authentication for AR System integration


1. Use a browser to log on to the AR System server (by using the mid tier).
For example:
http://midTier:8080/arsys
2. Open the AR System Administration Console.
3. Open the Server Information window by selecting System > General > Server Information.
4. Click the Configuration tab.
5. Clear Allow Guest Users.
6. Click the EA tab.


7. Set the following information:
External Authentication Server RPC Program Number: 390695
External Authentication Server Timeout (seconds) RPC: 80
External Authentication Server Timeout (seconds) Need To Sync: 300 (default)

8. Select Authenticate Unregistered Users.


9. Set Authentication Chaining Mode to AREA-ARS.
10. Set the Group Mapping.
For example, you can map the Atrium Single Sign-On group BmcAdmins to the AR group Administrator.
11. Click OK.

Where to go from here


Installing BMC Atrium Single Sign-On for AR System integration.

9.1.2 Installing BMC Atrium Single Sign-On for AR System integration


The following topic provides information and instructions for installing BMC Atrium Single Sign-On for AR System
integration:


To install BMC Atrium Single Sign-On as a standalone


1. Unzip the BMC Atrium Single Sign-On files.
2. Run the installation program.
The installation program, autorun, automatically detects the appropriate subscript to run. However, if the
appropriate file is not launched, manually run the setup executable. The setup executable is located in the
Disk1 directory of the extracted files.
(Microsoft Windows) Run setup.cmd.
(UNIX) Run setup.sh (which automatically detects the appropriate subscript to execute).
3. Accept the default destination directory or browse to select a different directory and click Next.
4. Verify that the hostname presented is the Fully Qualified Domain Name (FQDN) for the host, correct the
value as needed, and click Next.
5. Choose to install a non-clustered or clustered Atrium Single Sign-On Server:
Non-clustered Atrium Single Sign-On Server: standalone Single Sign-On Server.
Clustered Atrium Single Sign-On Server: implemented as a redundant system with session failover.
Clustered install requires at least two nodes. For more information, see Installing BMC Atrium Single
Sign-On as a High Availability cluster (see page 55).
6. Verify that Install New Tomcat is selected and click Next.
The Tomcat server options are:
Install New Tomcat (default)
Use External Tomcat. See Installing BMC Atrium Single Sign-On on an external Tomcat server (see
page 72) to install with this option.
7. Accept the default Tomcat HTTP port number (8080), HTTPS port number (8443), and Shutdown port
number (8005), or enter different port numbers and click Next.
If any of the port numbers are incorrect, a panel identifies the incorrect port number and requires you to
return to the previous page to correct the values before proceeding with the installation.

Note
When installing on Linux servers, port selections below 1000 require the server to run as root, or
use a port forwarding mechanism.

8. Enter a cookie domain and click Next.


The domain value of the cookie should be the network domain of BMC Atrium Single Sign-On or one of its
parent domains. See Default cookie domain for more information.

Important
The higher the level of the selected parent domain, the higher the risk of user
impersonation. Top-level domains are not supported (for example, com or com.ca).
You cannot use sibling domains or cross-domains with BMC Atrium Single Sign-On. For
example, installing the BMC Atrium Single Sign-On server in the remedy.com domain and
the AR System server in the bmc.com domain is not supported. You must move all your
computers into the same domain.

9. Enter a strong administrator password (at least 8 characters long), confirm the password, and click Next.
The default administrator name is amadmin. See Administrator password for more information.
10. Review the installation summary and click Install.
11. Verify that your BMC Atrium Single Sign-On installation was successful by accessing the BMC Atrium Single
Sign-On URL.
a. Navigate to Start > All Programs > BMC Software > BMC Atrium SSO > Administrator to launch the
BMC Atrium SSO Admin Console .
The URL to open the BMC Atrium SSO Admin Console is:
http://<ssoServer>.<domain>:<port>/atriumsso/atsso/console/login/Login.html
For example:
http://ssoServer.bmc.com:8443/atriumsso/atsso/console/login/Login.html
b. Confirm that you can view the OpenSSO login panel.
12. (Optional) Create an administrative user account for BMC Products to perform search functions on the
user data store (for example, to list user names and emails).
If you are using the BMC Atrium Single Sign-On server's internal LDAP, assign the BMCSearchAdmins
group to the new user account.
If you are using an external system for authentication (such as AR System, LDAP, or Active Directory),
assign the BmcSearchAdmins group to either an already existing user account or a new user
account.
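The following check is an added example, not part of the BMC installer; it encodes the cookie-domain rules the installation step above states (the domain must be the SSO server's network domain or a parent of it, top-level domains are unsupported, and every integrated host must sit inside that domain because sibling and cross domains are unsupported). PUBLIC_SUFFIXES is a constructed stand-in for a real public suffix list, and the function names are assumptions.

```python
"""Cookie-domain check for a BMC Atrium Single Sign-On install (added example)."""
from typing import List

# Constructed stand-in for the public suffix list (publicsuffix.org); a real
# check would load the full list. The entries below are assumptions.
PUBLIC_SUFFIXES = {"com", "net", "ca", "com.ca"}


def _labels(name: str) -> List[str]:
    """Split a DNS name into lower-case labels, ignoring empty ones."""
    return [label for label in name.lower().strip(".").split(".") if label]


def _within(host: str, domain: str) -> bool:
    """True when host equals domain or is a label-aligned subdomain of it."""
    h, d = _labels(host), _labels(domain)
    return len(h) >= len(d) and h[-len(d):] == d


def is_public_suffix(domain: str) -> bool:
    """Top-level (registry) domains such as com or com.ca are not supported."""
    return ".".join(_labels(domain)) in PUBLIC_SUFFIXES


def check_cookie_domain(sso_fqdn: str, cookie_domain: str,
                        integrated_hosts: List[str]) -> List[str]:
    """Return the problems with a candidate cookie domain; empty means supported."""
    problems: List[str] = []
    # Rule 1: the cookie domain is the SSO server's domain or one of its parents,
    # so it must be a strict suffix of the server's FQDN.
    if not _within(sso_fqdn, cookie_domain) or _labels(sso_fqdn) == _labels(cookie_domain):
        problems.append(f"{cookie_domain} is not the domain of {sso_fqdn} or a parent of it")
    # Rule 2: top-level domains are not supported.
    if is_public_suffix(cookie_domain):
        problems.append(f"{cookie_domain} is a top-level domain and is not supported")
    # Rule 3: sibling or cross domains are not supported, so every integrated
    # host (AR System server, mid tier, ...) must be inside the cookie domain.
    for host in integrated_hosts:
        if not _within(host, cookie_domain):
            problems.append(f"{host} is outside {cookie_domain}; move it into the same domain")
    return problems


def parent_levels(sso_fqdn: str, cookie_domain: str) -> int:
    """Levels above the SSO host's own domain: 0 is that domain itself, each
    higher value widens where the SSO cookie is sent (the page's impersonation
    risk grows with it). Assumes check_cookie_domain reported no problems."""
    return (len(_labels(sso_fqdn)) - 1) - len(_labels(cookie_domain))


if __name__ == "__main__":
    # Constructed hosts; the page's own example contrasts remedy.com with bmc.com.
    for candidate in ("bmc.com", "com", "remedy.com"):
        print(candidate, check_cookie_domain("ssoServer.bmc.com", candidate,
                                             ["arSystemServer.bmc.com"]))
```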

Where to go from here


Configuring BMC Atrium Single Sign-On for integration

9.1.3 Configuring BMC Atrium Single Sign-On for integration


The BMC Remedy AR System server is integrated with the BMC Atrium Single Sign-On solution by a new Atrium
Single Sign-On plug-in. To configure this plug-in, you must provide values for certain configuration parameters
on the new Atrium Single Sign-On Integration tab, located on the AR System Administration: Server Information
form.
Alternatively, you can also perform the Atrium Single Sign-On integration related configuration while installing
the AR System server. To do this, you must provide the values for the configuration parameters on the new
Atrium Single Sign-On Configuration screen after selecting the Configure Atrium SSO check box.
Before you begin (see page 174)
To configure the connection to the BMC Atrium Single Sign-On Solution (see page 174)
Where to go from here (see page 176)

Note
To activate the connection to BMC Atrium Single Sign-On, use the Atrium SSO Integration tab of the AR
System Administration: Server Information form.
BMC Atrium Single Sign-On integration is supported only on web clients. For information about
manually configuring the mid tier for Atrium Single Sign-On integration, see Manually configuring mid
tier for BMC Atrium Single Sign-On user authentication (see page 176).

Before you begin


Install the BMC Atrium Single Sign-On server

Note
The BMC Atrium Single Sign-On Tomcat server cannot be shared with any product (for example, the AR
System server or the BMC Remedy Mid Tier) that integrates with BMC Atrium Single Sign-On. BMC
recommends that BMC Atrium Single Sign-On be the only application in the Tomcat server.

To configure the connection to the BMC Atrium Single Sign-On Solution


1. From the mid tier interface, open the AR System Administration Console, and click System > General >
Server Information.

2. In the AR System Administration: Server Information form, click the Atrium SSO Integration tab.
AR System Administration: Server Information form, Atrium SSO Integration tab

3. Enter the BMC Atrium Single Sign-On server Location.


Host Name: The host name of the computer where the BMC Atrium Single Sign-On server is
configured. If the AR System server and BMC Atrium Single Sign-On server are in the same domain, enter
the machine name or the machine name with the domain name. Make sure that the BMC Atrium Single
Sign-On host name is accessible from the machine where the AR System server is installed. If the AR
System server and BMC Atrium Single Sign-On server are in different domains, a trust relationship
between these two domains must be established before configuring the BMC Atrium Single Sign-On
server.

Note
Use the FQDN for the BMC Atrium Single Sign-On server host name, not simply the host
name.

Port number: The port on which the BMC Atrium Single Sign-On server is configured (typically 8443).

Protocol (optional parameter): The default value for this parameter is https. However, this field can
also be set to http. For example:
https://<server>:<port>/<AtriumSSO-URI>
https://ssoServer.bmc.com:8443/atriumsso
4. Enter the Atrium Single Sign-On Admin User.
The BMC Atrium Single Sign-On administrator name, by default, is amadmin.
5. Enter the Atrium Single Sign-On Admin Password.
6. (Optional) Enter the Atrium Single Sign-On Keystore Path.
The keystore file location is where the BMC Atrium Single Sign-On keystore is saved. This path includes the
keystore file name. Enter this value only if you have configured a keystore. This field is not mandatory and
you can define it later.
7. (Optional) Enter the Atrium Single Sign-On Keystore Password.
Enter this value only if you specify the Keystore path.
8. Click Apply.
For more information on a full single sign-on solution that includes BMC Atrium, see the Knowledge Base article
KA286851. You must have a BMC customer support account to access this information.

The example is not a supported product and there is no implied support if you use it.

Where to go from here


Manually configuring mid tier for BMC Atrium Single Sign-On user authentication (see page 176)

9.1.4 Manually configuring mid tier for BMC Atrium Single Sign-On user
authentication
For the mid tier to communicate with the BMC Atrium Single Sign-On server for user authentication, follow the
steps below to manually configure the mid tier.

Note

Perform the steps in this section only if you did not select the Configuration of Atrium Single Sign-On
option during the AR System server installation or during the stand-alone installation of the mid tier.
BMC recommends that you do not install BMC Atrium Single Sign-On and BMC Remedy Mid Tier on
the same computer. BMC Atrium Single Sign-On and BMC Remedy Mid Tier must use different
Tomcat servers: if the mid tier computer needs to be restarted, BMC Atrium Single Sign-On is down
during the restart, and all the other applications that depend on it become unavailable.


To manually configure the Mid Tier for BMC Atrium Single Sign-On user
authentication
1. Go to the computer where you installed the Mid Tier.
2. Stop the mid tier service, if it is already running.
3. Copy all the jar files from the <MidtierInstallDir>\webagent\dist\jee\WEB-INF\lib directory to the
<MidtierInstallDir>\WEB-INF\lib directory.
For example, copy all the jar files from C:\Program Files\BMC
Software\ARSystem\midtier\webagent\dist\jee\WEB-INF\lib to C:\Program Files\BMC
Software\ARSystem\midtier\WEB-INF\lib.
4. Go to the <MidtierInstallDir>\Web-Inf directory and open the web.xml file in an editor.
5. Uncomment the <filter> and <filter-mapping> tags for the Atrium Single Sign-On filter.
These tags should look like the following:

<!--Atrium SSO webagent filter. Un-comment when needed-->


<filter>
<filter-name>Agent</filter-name>
<filter-class>com.bmc.atrium.sso.agents.web.SSOFilter</filter-class>
</filter>
<!--Atrium SSO webagent filter. Un-comment when needed-->
<filter-mapping>
<filter-name>Agent</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>INCLUDE</dispatcher>
<dispatcher>FORWARD</dispatcher>
<dispatcher>ERROR</dispatcher>
</filter-mapping>

Make sure that you save your changes to the web.xml file.
6. Go to the <MidtierInstallDir>\Web-Inf\classes directory (for example, C:\Program Files\BMC
Software\ARSystem\midtier\WEB-INF\classes) and open the config.properties file in an editor.
7. Add an attribute in the config.properties file.
For this, comment out the DefaultAuthenticator line
(arsystem.authenticator=com.remedy.arsys.session.DefaultAuthenticator) and add the following line for the
Atrium Single Sign-On Authenticator:
arsystem.authenticator=com.remedy.arsys.sso.AtriumSSOAuthenticator
Make sure that you save your changes to the config.properties file.
8. Go to the computer where you installed the AR System server and open the ar.cfg (Microsoft Windows) or
ar.conf (UNIX or Linux) file in an editor.
The default location for Windows is C:\Program Files\BMC Software\ARSystem\Conf.
9. Add the following SSO AREA plug-in entries to the ar.cfg file:
(UNIX) Plugin: areaatriumsso.so
(Windows) Plugin: areaatriumsso.dll
For example:
Plugin: areaatriumsso.dll
Server-Plugin-Alias: ARSYS.AREA.ATRIUMSSO ARSYS.AREA.ATRIUMSSO <FQDN of AR System server name>:<PluginPort>
For example:
Server-Plugin-Alias: ARSYS.AREA.ATRIUMSSO ARSYS.AREA.ATRIUMSSO arSystemServer.bmc.com:9999
Make sure that the SSO entries are listed first; otherwise they will not be used by the AR System
server.

Plugin: areaatriumsso.dll
Plugin: ardbcconf.dll
Plugin: reportplugin.dll
Plugin: ServerAdmin.dll
Server-Plugin-Alias: ARSYS.AREA.ATRIUMSSO ARSYS.AREA.ATRIUMSSO xyz-abc-x28-vm1.dsl.bmc.com:9999
Server-Plugin-Alias: ARSYS.ARF.REGISTRY ARSYS.ARF.REGISTRY xyz-abc-x28-vm1.dsl.bmc.com:9999
Server-Plugin-Alias: ARSYS.ARDBC.REGISTRY ARSYS.ARDBC.REGISTRY xyz-abc-x28-vm1.dsl.bmc.com:9999
Server-Plugin-Alias: ARSYS.ARDBC.ARREPORTENGINE ARSYS.ARDBC.ARREPORTENGINE xyz-abc-x28-vm1.dsl.bmc.com:9999
Server-Plugin-Alias: ARSYS.ARF.QUERYPARSER ARSYS.ARF.QUERYPARSER xyz-abc-x28-vm1.dsl.bmc.com:9999
Server-Plugin-Alias: ARSYS.ALRT.WEBSERVICE ARSYS.ALRT.WEBSERVICE xyz-abc-x28-vm1.dsl.bmc.com:9999
Server-Plugin-Alias: ARSYS.ARF.PARSEPARAMETERS ARSYS.ARF.PARSEPARAMETERS xyz-abc-x28-vm1.dsl.bmc.com:9999
Server-Plugin-Alias: ARSYS.ARF.PUBLISHREPORT ARSYS.ARF.PUBLISHREPORT xyz-abc-x28-vm1.dsl.bmc.com:9999
Server-Plugin-Alias: ARSYS.ARF.REPORTSCHEDULER ARSYS.ARF.REPORTSCHEDULER xyz-abc-x28-vm1.dsl.bmc.com:9999
Server-Plugin-Alias: ARSYS.ARF.RSAKEYPAIRGENERATOR ARSYS.ARF.RSAKEYPAIRGENERATOR xyz-abc-x28-vm1.dsl.bmc.com:9999
Server-Plugin-Alias: ARSYS.ALRT.TWITTER ARSYS.ALRT.TWITTER xyz-abc-x28-vm1.dsl.bmc.com:9999
Server-Plugin-Alias: ARSYS.ARF.TWITTER ARSYS.ARF.TWITTER xyz-abc-x28-vm1.dsl.bmc.com:9999

10. Save your changes to the ar.cfg or ar.conf file.
11. Go back to the computer where you installed the Mid Tier.
12. Copy the cacerts file from the JDK installation to the Tomcat conf folder.
    For example, copy cacerts from C:\Program Files\Java\jdk1.7.0_03\jre\lib\security to
    C:\Program Files\Apache Software Foundation\Tomcat6.0\conf.
13. If your Mid Tier installation does not already include the not-enforced.txt file, create it in the Mid Tier
    folder (for example, C:\Program Files\BMC Software\ARSystem\midtier) with the URIs listed in the snippet
    below, which is the content of a typical not-enforced.txt file.
    URIs listed in this file are not protected by the agent: requests that match them are served without
    authentication. The file's contents are uploaded into the BMC Atrium Single Sign-On server to become part of
    the Agent configuration, so review every entry before deploying and do not broaden the patterns (for example,
    to a wildcard that covers the whole /arsys application); anything that matches is reachable by
    unauthenticated users.
    When you later finish integration, this file is no longer used or needed. If you must update the agent
    configuration, access Agent Details on the BMC Atrium SSO Admin Console to modify the Not Enforced
    URI Processing values.

/arsys/services/*
/arsys/WSDL/*
/arsys/shared/config/*
/arsys/shared/doc/*
/arsys/shared/images/*
/arsys/shared/timer/*
/arsys/shared/ar_url_encoder.jsp
/arsys/shared/error.jsp
/arsys/shared/file_not_found.jsp
/arsys/shared/HTTPPost.class
/arsys/shared/login.jsp
/arsys/shared/login_common.jsp
/arsys/shared/view_form.jsp
/arsys/shared/logout.jsp
/arsys/shared/wait.jsp
/arsys/servlet/ConfigServlet
/arsys/servlet/GoatConfigServlet
/arsys/plugins/*

14. Execute the deployer script to deploy the WebAgent.
    Run the following command from the deployer directory (webagent\deployer):

    java -jar deployer.jar --install --container-type <TOMCATversion> --atrium-sso-url <AtriumSSOURL>
      --web-app-url <MidtierSSOURL> --container-base-dir <AppServerHome>
      --admin-name <AtriumServerAdminUsername> --admin-pwd <AtriumServerAdminPassword>
      --jvm-truststore "<JavaHome>\jre\lib\security\cacerts" --jvm-truststore-password <TruststorePassword>
      --truststore "<AppServerHome>\conf\cacerts" --truststore-password <TruststorePassword>
      --not-enforced-uri-file "<midTierPath>\not-enforced.txt" --web-app-logout-uri /shared/loggedout.jsp

    where <AtriumSSOURL> is https://<FQDNofAtriumSSOServer>:<port>/atriumsso and <MidtierSSOURL> is
    http://<FQDNofMidtierServer>:<port>/arsys. Enter the whole command on one line.
    For example:

    java -jar deployer.jar --install --container-type tomcatv6 --atrium-sso-url https://ssoServer.bmc.com:8443/atriumsso --web-app-url http://midTierServer:8080/arsys --container-base-dir "c:\Program Files\Apache Software Foundation\Tomcat6.0" --admin-name amadmin --admin-pwd Let$in09 --jvm-truststore "c:\Program Files\Java\jdk1.7.0_03\jre\lib\security\cacerts" --jvm-truststore-password changeit --truststore "c:\Program Files\Apache Software Foundation\Tomcat6.0\conf\cacerts" --truststore-password changeit --not-enforced-uri-file "C:\Program Files\BMC Software\ARSystem\midtier\not-enforced.txt" --web-app-logout-uri /shared/loggedout.jsp

    The --admin-pwd value is the BMC Atrium Single Sign-On administrator password, and the deployer takes it on
    the command line, where it is visible to other local users in the process list and is recorded in the shell
    history. Run the deployer from a session whose history you clear afterwards, and treat the example value as a
    placeholder only. The truststore password changeit is the JDK default for cacerts; use your own value if you
    have changed it.

BMC Atrium Single Sign-On 8.1

Page 179 of 389

BMC Software Confidential

Home

15. Make sure that the deployer script successfully finishes execution and is completed.

Tip
If the deployer script fails:
a. Delete the <containerBaseDir>/atssoAgents folder (for example, C:\Program
Files\Apache Software Foundation\Tomcat6.0\atssoAgents).
b. Delete the agent if it exists in Agent Details on the BMC Atrium SSO Admin Console.
c. Re-run the deployer script after you fixed the problem (for example, added additional
parameters).

16. Start the mid tier service.


By default, this plug-in is configured to work with the native plug-in server (C plug-in). You can also use this
plug-in directly with the Java plug-in server. For more information on the configuration settings, see Using the
Java plug-in server for dynamic plug-in loading in the BMC Remedy AR System 8.1 online documentation.
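The two files edited by hand in this procedure, the ar.cfg/ar.conf plug-in entries in step 9 and the not-enforced.txt list in step 13, are where integrations most often go wrong, and both mistakes are silent: a misordered plug-in is simply not used, and an over-broad not-enforced entry quietly exposes pages without authentication. The following pre-flight check is an added example written for this page; it is not code from BMC or from the product. The file contents are constructed from the snippets above, and the matching rule it assumes for not-enforced entries (an entry ending in "/*" matches that path prefix, any other entry must equal the request path, the query string is ignored) is an assumption about the agent, not something the page states.

```python
"""Pre-flight checks for the ar.cfg/ar.conf plug-in entries (step 9) and the
Mid Tier not-enforced.txt (step 13).

Added example, not BMC code. File contents below are constructed from the
snippets on this page. The not-enforced matching rule ("/*" suffix = prefix
match, otherwise exact match, query string ignored) is an assumption.
"""
import os
from typing import Dict, List

SSO_PLUGIN_FILES = ("areaatriumsso.dll", "areaatriumsso.so")
SSO_ALIAS = "ARSYS.AREA.ATRIUMSSO"


def check_ar_cfg(text: str) -> List[str]:
    """Return the problems found in ar.cfg/ar.conf text (an empty list means OK).

    Checks that the SSO AREA plug-in is present, that it is the first Plugin
    entry (the page warns that it is otherwise not used), and that its
    Server-Plugin-Alias exists and points at a host:port.
    """
    problems: List[str] = []
    plugins: List[str] = []
    aliases: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Plugin":
            # ar.conf on UNIX may carry a full path; compare on the file name only
            plugins.append(os.path.basename(value.replace("\\", "/")).lower())
        elif key == "Server-Plugin-Alias":
            parts = value.split()
            if len(parts) == 3:
                aliases[parts[0]] = parts[2]
            else:
                problems.append(f"malformed Server-Plugin-Alias: {value}")
    if not any(p in SSO_PLUGIN_FILES for p in plugins):
        problems.append("no areaatriumsso Plugin entry")
    elif plugins[0] not in SSO_PLUGIN_FILES:
        problems.append(f"SSO plug-in is not the first Plugin entry (first is {plugins[0]})")
    target = aliases.get(SSO_ALIAS)
    if target is None:
        problems.append(f"no Server-Plugin-Alias for {SSO_ALIAS}")
    else:
        host, _, port = target.rpartition(":")
        if not host or not port.isdigit():
            problems.append(f"alias target is not host:port: {target}")
    return problems


def is_not_enforced(path: str, entries: List[str]) -> bool:
    """True if the agent would serve `path` without requiring authentication (assumed rule)."""
    path = path.split("?", 1)[0]
    for entry in entries:
        if entry.endswith("/*"):
            if path.startswith(entry[:-1]):  # keep the trailing slash: "/arsys/shared/images/"
                return True
        elif path == entry:
            return True
    return False


def overly_broad(entries: List[str], context_root: str = "/arsys") -> List[str]:
    """Wildcard entries that would exempt the whole application (or more) from SSO."""
    root = context_root.rstrip("/") + "/"
    return [e for e in entries if e.endswith("/*") and root.startswith(e[:-1])]


# Constructed from the example in step 9 (SSO plug-in first, alias with host:port).
GOOD_AR_CFG = """\
Plugin: areaatriumsso.dll
Plugin: ardbcconf.dll
Plugin: reportplugin.dll
Server-Plugin-Alias: ARSYS.AREA.ATRIUMSSO ARSYS.AREA.ATRIUMSSO arSystemServer.bmc.com:9999
Server-Plugin-Alias: ARSYS.ARF.REGISTRY ARSYS.ARF.REGISTRY arSystemServer.bmc.com:9999
"""

# Constructed counter-example: SSO plug-in listed second, alias without a port.
BAD_AR_CFG = """\
Plugin: ardbcconf.dll
Plugin: areaatriumsso.dll
Server-Plugin-Alias: ARSYS.AREA.ATRIUMSSO ARSYS.AREA.ATRIUMSSO arSystemServer.bmc.com
"""

# The not-enforced.txt content shown in step 13.
NOT_ENFORCED = [
    "/arsys/services/*", "/arsys/WSDL/*", "/arsys/shared/config/*", "/arsys/shared/doc/*",
    "/arsys/shared/images/*", "/arsys/shared/timer/*", "/arsys/shared/ar_url_encoder.jsp",
    "/arsys/shared/error.jsp", "/arsys/shared/file_not_found.jsp", "/arsys/shared/HTTPPost.class",
    "/arsys/shared/login.jsp", "/arsys/shared/login_common.jsp", "/arsys/shared/view_form.jsp",
    "/arsys/shared/logout.jsp", "/arsys/shared/wait.jsp", "/arsys/servlet/ConfigServlet",
    "/arsys/servlet/GoatConfigServlet", "/arsys/plugins/*",
]


def preflight(ar_cfg: str, entries: List[str]) -> Dict[str, object]:
    """Run both checks and report which sample request paths the agent would leave open."""
    sample_paths = [
        "/arsys/shared/config/config.jsp",            # Mid Tier Configuration Tool: open
        "/arsys/shared/login.jsp?goto=/arsys/home",   # login page, query string ignored: open
        "/arsys/forms/arSystemServer/HPD:Help+Desk",  # application form: protected
        "/arsys/shared/config",                       # no trailing slash: does not match the wildcard
    ]
    return {
        "ar_cfg_problems": check_ar_cfg(ar_cfg),
        "overly_broad": overly_broad(entries),
        "open_paths": [p for p in sample_paths if is_not_enforced(p, entries)],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(preflight(GOOD_AR_CFG, NOT_ENFORCED), indent=2))
    print(json.dumps(preflight(BAD_AR_CFG, NOT_ENFORCED + ["/arsys/*"]), indent=2))
```

Point check_ar_cfg at the real ar.cfg and is_not_enforced at your actual not-enforced.txt before running the deployer; any entry reported by overly_broad disables SSO for the whole application and should never reach the Agent configuration.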

Note

If the container is not using HTTPS, the --truststore and --truststore-password parameters can be
omitted. For example:

java -jar deployer.jar --install --container-type tomcatv6 --atrium-sso-url https://ssoServer.bmc.com:8443/atriumsso --web-app-url http://midTierServer:8080/arsys --container-base-dir "C:\Program Files\Apache Software Foundation\Tomcat6.0" --admin-name amAdmin --admin-pwd bmcAdm1n --jvm-truststore "C:\Program Files\Java\jre6\lib\security\cacerts" --jvm-truststore-password changeit --not-enforced-uri-file "C:\Program Files\BMC Software\ARSystem\midtier\not-enforced.txt" --web-app-logout-uri /shared/loggedout.jsp

The --jvm-truststore parameters are still required, because the agent connects to the BMC Atrium Single
Sign-On server over HTTPS (the --atrium-sso-url is https) and the JVM must be able to verify that server's
certificate.

If the --web-app-logout-uri parameter is not specified, you can set the value in Agent Details on the
BMC Atrium SSO Admin Console:
1. On the BMC Atrium SSO Admin Console, click Agent Details.
2. Select the agent and click Edit.
3. In the Logout Processing section, replace the default value with /arsys/shared/loggedout.jsp.

When you are using a load balancer or reverse proxy, you must supply both the --web-app-url and the
--notify-url parameters. In this case, the --web-app-url URL must be the load balancer URL (the URL users
browse to) and the --notify-url must be the URL of this mid tier instance itself (the address at which the
BMC Atrium Single Sign-On server notifies this particular agent). For example:

java -jar deployer.jar --install --container-type tomcatv6 --atrium-sso-url https://ssoServer.bmc.com:8443/atriumsso --web-app-url http://loadbalancerURL:8080/arsys --notify-url http://midTierServer:8080/arsys --container-base-dir "C:\Program Files\Apache Software Foundation\Tomcat6.0" --admin-name amAdmin --admin-pwd bmcAdm1n --jvm-truststore "C:\Program Files\Java\jre6\lib\security\cacerts" --jvm-truststore-password changeit --not-enforced-uri-file "C:\Program Files\BMC Software\ARSystem\midtier\not-enforced.txt" --web-app-logout-uri /shared/loggedout.jsp

For more information about containers, agents, and deployer commands, see:
Container types, containers, and agents
Deployer commands for various JSP engines

Where to go from here


Configuring the BMC Atrium Single Sign-On server for AR System integration (see page 183)

Container types, containers, and agents

The --container-type parameter specifies not only the type of the container in which the agent is being
embedded, but also the type of web agent being used for integration. The TOMCAT and WEBSPHERE types are used
exclusively for the original Web Agent. All of the remaining types (GENERIC, TOMCATV6, and so on) are used
exclusively to deploy the newer JEE Filter agent. Make sure that you use the correct type for the agent.

Container type   Agent       Container
TOMCAT           Web Agent   Apache Tomcat v6
WEBSPHERE        Web Agent   IBM WebSphere v6, IBM WebSphere v7
GENERIC          JEE Agent   Any
JBOSSV4          JEE Agent   Red Hat JBoss v4
JBOSSV5          JEE Agent   Red Hat JBoss v5
SERVLETEXECV5    JEE Agent   New Atlanta ServletExec AS v5
SERVLETEXECV6    JEE Agent   New Atlanta ServletExec AS v6
TOMCATV5         JEE Agent   Apache Tomcat v5
TOMCATV6         JEE Agent   Apache Tomcat v6
WEBSPHEREV6      JEE Agent   IBM WebSphere v6
WEBSPHEREV7      JEE Agent   IBM WebSphere v7
WEBLOGICV10      JEE Agent   Oracle WebLogic v10

The WebLogic type is WEBLOGICV10, as used in the Oracle WebLogic deployer command below.

Deployer commands for various JSP engines

The deployer command varies with the JSP engine (container). The following examples show how the
deployer command changes for each of these containers; the java executable and the --container-type value
are what differ, and the remaining parameters follow the command shown in step 14.
Apache Tomcat (see page 182)
Red Hat JBoss (see page 182)
Oracle WebLogic (see page 183)
IBM WebSphere (see page 183)

Apache Tomcat

java -jar deployer.jar --install --container-type <TOMCATversion> --atrium-sso-url <AtriumSSOURL> ...

Note
Do not use tomcat for --container-type; use tomcatv6 instead. TOMCAT selects the original Web Agent, whereas
TOMCATV6 deploys the JEE Filter agent (see the container type table).

Red Hat JBoss

"/opt/java1.5/jre/bin/java" -jar deployer.jar --install --container-type JBOSSV4 --atrium-sso-url <AtriumSSOURL> ...

Oracle WebLogic

"/usr/jdk/instances/jdk1.6.0/bin/java" -jar deployer.jar --install --container-type WEBLOGICV10 --atrium-sso-url <AtriumSSOURL> ...

IBM WebSphere

"/usr/java5/bin/java" -jar deployer.jar --uninstall --force --container-type WEBSPHEREV7 --atrium-sso-url <AtriumSSOURL> ...

9.1.5 Configuring the BMC Atrium Single Sign-On server for AR System integration
The Action Request (AR) authentication module allows BMC Atrium Single Sign-On to use the user accounts
within a BMC Remedy AR System server for authentication. This module is normally used in conjunction with the
AR Data Store to retrieve group information and other user attributes from the AR System server.
Configure the AR module for AR System
Configure AR user stores for AR System
Managing the AR System users and groups
When you enable authentication chaining mode, all authentication methods in the chain are attempted in the
specified order until either the authentication succeeds or all the methods in the chain fail.

Note
If you plan to use an authentication method other than or in addition to the AR module, see the
applicable authentication method in Configuring after installation. For example, Using Kerberos for
authentication (see page 132) or Using SAMLv2 for authentication.

Configure the AR module for AR System

1. On the SSO Server, navigate to Start > All Programs > BMC Software > BMC Atrium SSO > Administrator to
   launch the BMC Atrium SSO Admin Console and log on.
2. Click Edit BMC Realm to open the Realm Editor.
3. Set User Profile to Dynamic.
4. On the Realm Authentication panel, click Add.
5. Click AR.
   a. Enter the AR parameters (see AR parameters below).
   b. Click Save.
6. On the Realm Authentication panel, set the process order of the authentication chain:
   a. For the AR module, under Flag, select Sufficient.
   b. Select the AR module.
   c. Click Up so that AR is first in the list.
   d. Set Internal LDAP to Optional.
   Sufficient means that, with multiple authentication modules, if you are successfully authenticated
   with the first module, the remaining modules are skipped. But if the login fails, authentication moves
   to the next module in the chain. Setting AR to Sufficient and placing it as the first module in the list
   means that if you are authenticated with the AR System server, you are successfully authenticated by
   BMC Atrium Single Sign-On and you proceed to the Mid Tier.

Note
With Single Sign-On, the modules in the chain are tried in the order in which they are listed, and each
module's flag determines what happens after it runs. From strictest to most lenient, the flags are Required,
Requisite, Sufficient, and Optional. If you set both modules to Required, both authentications must succeed to
establish the session.
For more information on creating an authentication chain, see the Realm Authentication panel described in Realm Editor.
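The effect of the four flags is easier to see by running a chain than by reading the definitions. The simulation below is an added example for this page, not BMC code: it assumes the flags follow the standard JAAS login-module semantics (which is what the description of Sufficient above matches), and the module names, user tables and passwords are constructed for illustration; a real module never holds plaintext passwords. It evaluates the chain this page recommends (AR first and Sufficient, Internal LDAP Optional) and the both-Required chain the note warns about.

```python
"""Simulation of an authentication chain with Required / Requisite /
Sufficient / Optional flags, as on the Realm Authentication panel.

Added example, not BMC code. Assumes standard JAAS login-module semantics for
the flags. User tables and passwords are constructed for illustration.
"""
import hmac
from typing import Callable, Dict, List, Tuple

Authenticator = Callable[[str, str], bool]
Module = Tuple[str, str, Authenticator]  # (name, flag, authenticator)


def table_auth(users: Dict[str, str]) -> Authenticator:
    """Build an authenticator over a constructed user table (constant-time compare)."""
    def auth(user: str, password: str) -> bool:
        expected = users.get(user)
        return expected is not None and hmac.compare_digest(expected, password)
    return auth


def run_chain(chain: List[Module], user: str, password: str) -> Tuple[bool, List[Tuple[str, bool]]]:
    """Evaluate the chain in list order; return (authenticated, trace of modules actually tried)."""
    trace: List[Tuple[str, bool]] = []
    required_failed = False
    for name, flag, auth in chain:
        ok = auth(user, password)
        trace.append((name, ok))
        if flag == "Required":
            required_failed |= not ok          # keep going, but the session can no longer be established
        elif flag == "Requisite":
            if not ok:
                return False, trace            # stop immediately
        elif flag == "Sufficient":
            if ok and not required_failed:
                return True, trace             # short-circuit: the remaining modules are skipped
        elif flag == "Optional":
            pass                               # never decides the outcome on its own
        else:
            raise ValueError(f"unknown flag {flag!r}")
    if required_failed:
        return False, trace
    if any(flag in ("Required", "Requisite") for _, flag, _ in chain):
        return True, trace                     # every Required/Requisite module passed
    return any(ok for _, ok in trace), trace   # only Sufficient/Optional modules: one must have passed


# Constructed user tables standing in for the AR System server and the internal LDAP server.
AR_USERS = {"arbob": "ar-secret"}
LDAP_USERS = {"amAdmin": "ldap-secret"}

# The chain this page recommends: AR first and Sufficient, Internal LDAP Optional.
RECOMMENDED_CHAIN: List[Module] = [
    ("AR", "Sufficient", table_auth(AR_USERS)),
    ("Internal LDAP", "Optional", table_auth(LDAP_USERS)),
]

# The chain the note warns about: both modules Required.
BOTH_REQUIRED: List[Module] = [
    ("AR", "Required", table_auth(AR_USERS)),
    ("Internal LDAP", "Required", table_auth(LDAP_USERS)),
]


if __name__ == "__main__":
    for chain_name, chain in (("recommended", RECOMMENDED_CHAIN), ("both required", BOTH_REQUIRED)):
        for u, p in (("arbob", "ar-secret"), ("amAdmin", "ldap-secret"), ("nobody", "x")):
            ok, trace = run_chain(chain, u, p)
            print(f"{chain_name:14} {u:8} -> {'OK  ' if ok else 'FAIL'} tried={trace}")
```

With the recommended chain an AR System user is accepted after the AR module alone, an internal-LDAP-only user (such as amAdmin) still gets in through the Optional module, and an unknown user is rejected after both modules have been tried. With both modules Required, a user who exists in only one of the two stores is rejected even though one module succeeded, which is the behaviour the note describes.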

AR parameters

Parameter                      Description
Server Host Name               (Required) Provide the Fully Qualified Domain Name (FQDN) of the server where the AR System
                               server is located. The full host name includes the domain name (bmc.com) of the computer and
                               the individual name of the server (yourServer).
Server Port Number             (Required) The port number on which the AR System server is listening.
                               Note: Enter a value of 0 if the AR System server is using port mapping.
Default Authentication String  This string is only used when the AR module is placed downstream in a chain from another
                               authentication module which prompts the user only for a name and password. In this situation,
                               the value of this parameter is used to authenticate the user by re-using the credentials
                               provided by the user along with this authentication string.
Allow AR Guests                If enabled, allows unknown or invalid users to authenticate to the AR System server as guests.
                               Leave this disabled unless you rely on AR System guest access: with it enabled, a user ID that
                               the AR System server does not recognize is not rejected by this module but admitted as a guest.

Note
When using SAML v2 for authentication, you must not use AR user stores. Although the AR authentication
module should still be configured, the AR data store is not needed for authentication in a SAMLv2 deployment.

Configure AR user stores for AR System

1. On the User Stores panel, click Add.
2. Select AR User Store.
3. Enter the AR User Store parameters (see AR User Store parameters below).
4. Click Save.

AR User Store parameters

Section                Parameter               Description
Name                   AR Server               Label for the AR user store.
Host Name              Host                    (Required) Provide the Fully Qualified Domain Name (FQDN) of the server where the
                                               AR System server is located. The full host name includes the domain name (bmc.com)
                                               of the computer and the individual name of the server (yourServer). Replace the
                                               default value (sample.bmc.com) with the host name of your server (for example,
                                               yourServer.bmc.com).
                       Port                    (Required) Default: 0. Provide the port number on which the AR Server is listening.
                                               The value 0 is used when the AR Server is using port mapping.
Administrative Access  Name                    (Required) Provide the user name of an AR Server user store account that has AR
                                               System Administrator privileges. BMC Atrium Single Sign-On stores these credentials
                                               and uses them to read users, groups, and attributes from the AR System server, so
                                               use a dedicated administrator account with a strong password rather than a shared
                                               or personal one.
                       Authentication          Provide the authentication string that is needed when the Administrator account is
                                               used to connect with the AR System server.
                       Password and            Password for the AR System administrative account named above. Empty or blank
                       Confirm Password        passwords for this account are not supported with a new user store.
Connection Pool        Linger Time (seconds)   (Required) Default: 60. Linger Time is the amount of time that a connection is
                                               allowed to remain unused in the pool before being closed. The field is labeled in
                                               seconds, so the default of 60 is one minute.
                       Pool size               (Required) Default: 10. The Pool Size is the maximum number of connections the
                                               data store uses to service data requests for the AR System server.

Managing the AR System users and groups

BMC Atrium Single Sign-On provides basic user and group management features with the internal LDAP server.
These features allow an administrator to manage users, groups, and memberships in the groups.
Note
When you configure the AR User Store for the AR System, all your AR System users and groups are already listed.

From the User page, the administrator can create, delete, and manage group memberships.
To access the User page
To add a new user
BMC products can use the group membership capabilities of the BMC Atrium Single Sign-On system to provide
authorization and authentication of users. If a BMC product does not use the group memberships of the BMC
Atrium Single Sign-On system, consult that product's documentation to determine the mapping of groups to
privileges.
To access the Group page
To create a new group

To access the User page

Navigate to the following location:
1. Open the Realm Editor.
2. Click the Users tab.
New users can only be created when you are using the internal LDAP server for authentication. If an external
source is used for authentication, new users must be created within that external system.
Note
If special characters such as a comma ( , ), semicolon ( ; ), or plus sign ( + ) are used in the user ID, the
backslash ( \ ) must precede the special character. For example, Baldwin\,bob.

When creating a new user, each field that is marked with an asterisk is a required field.

To add a new user

1. In the Realm Editor, click the Users tab.
   Current AR System users created in your AR System server are already listed.
2. Click Add to open the User Editor.
3. In the User Id field, enter a unique identifier for the new user.
   This value is used as the user ID when the user logs in.
4. Specify the user's status.
   The default is Active.
5. Add the name attributes.
   The name attributes (First Name, Full Name, and Last Name) can be provided to BMC products to
   help identify user accounts by using terms that are more user-friendly. The actual use of these
   attributes, though, depends on the BMC product.
   You must assign an initial password of at least 8 characters when creating the account. After the
   password is created, the user can log into BMC Atrium Single Sign-On and update the password and
   their personal information through the following URL:
   https://<FQDNHostName>:<port>/atriumsso?realm=BmcRealm
6. Click the Groups tab.
7. From the list of available groups, add the user to group membership (for example, BmcAdmins).
   Predefined groups such as BmcAdmins and BmcSearchAdmin carry elevated privileges (see To access the
   Group page); add a user to them only when that user needs those privileges.
8. Click Save.

To access the Group page

BMC Atrium Single Sign-On provides predefined groups to help with the Administrator privileges that some BMC
products might require. For example, the BmcSearchAdmin group provides privileges that allow a user to connect
to the server to perform identity searches.
Note
Exercise care when assigning the BmcSearchAdmin group, because these elevated privileges allow greater access to
BMC Atrium Single Sign-On than is normally allowed: a member can search all user names and groups in the realm.

Navigate to the following location:
1. Open the Realm Editor.
2. Click the Groups tab.

To create a new group

Normally, BMC products install the groups that they need into BMC Atrium Single Sign-On as part of
their installation. However, a situation might arise in which a group needs to be created or re-created.
1. In the Realm Editor, click the Groups tab.
   Current AR System groups created in your AR System server are already listed.
2. Click Add to open the Group Editor.
3. Enter a new, unique name for the group.
4. Add available users to the new group.
5. Click Save.

Related topics
Using SAMLv2 for authentication
Using Kerberos for authentication (see page 132)
Using CAC for authentication
Using LDAP (Active Directory) for authentication
Using RSA SecurID for authentication

Where to go from here
Running a health check on the BMC Atrium Single Sign-On integration

9.1.6 Running a health check on the BMC Atrium Single Sign-On integration
After you finish all these procedures, run a health check of your integration of BMC Atrium Single Sign-On with
BMC Remedy AR System.

To run a health check on the BMC Atrium Single Sign-On integration

1. On the Mid Tier computer, log in to the BMC Remedy Mid Tier Configuration Tool.
   The default path is http://midTierServer.FQDN:8080/arsys/shared/config/config.jsp.
   For example:
   http://vw-pune-bmc-dv88.labs.bmc.com:8080/arsys/shared/config/config.jsp

   Tip
   Clear the cache on your browser if you see redirect errors.

   If your integration is successful, you should see the normal Mid Tier configuration logon, not the BMC Atrium
   SSO logon screen, because /arsys/shared/config/* is listed in the not-enforced.txt file used during the agent
   deployment. This also means the Configuration Tool is not protected by BMC Atrium Single Sign-On; it still
   relies on its own password, so make sure that password is not left at the default.
2. Log on to the AR System server.
   For example:
   http://vw-pune-bmc-dv88.labs.bmc.com:8080/arsys
   The agent redirects the request to the BMC Atrium Single Sign-On server, and the BMC Atrium SSO logon screen
   appears.
3. Enter the User Name and Password of an AR System user and then click Log In.
   Demo is the AR System default logon (without any password). Because Demo is a well-known administrator
   account, set a password for it or disable it before you expose the Mid Tier through BMC Atrium Single Sign-On.
   If BMC Atrium Single Sign-On is properly integrated and configured, the Applications startup page appears.
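The same two checks can be scripted so they can be repeated after every agent or not-enforced change. The script below is an added example for this page, not BMC code. It assumes that the agent answers a protected URL with an HTTP redirect to the BMC Atrium Single Sign-On server and serves a not-enforced URL directly (HTTP 200); the host names are the placeholders used elsewhere on this page. Only classify() is exercised offline, on constructed responses; run the module itself against a live Mid Tier.

```python
"""Scripted version of the health check: request the two URLs without
following redirects and classify what came back.

Added example, not BMC code. Assumes a protected URL redirects to the SSO
server and a not-enforced URL is served directly. Host names are the
placeholders used on this page.
"""
import urllib.error
import urllib.request
from typing import List, Optional, Tuple

REDIRECTS = (301, 302, 303, 307, 308)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urlopen raise HTTPError on a redirect instead of following it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url: str, timeout: float = 10.0) -> Tuple[int, Optional[str]]:
    """Return (status, Location header) for one GET, without following redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


def classify(expect_protected: bool, status: int, location: Optional[str], sso_url: str) -> Tuple[bool, str]:
    """Decide whether one response is what a correct integration produces.

    A protected URL must redirect to the SSO server, and to the HTTPS SSO URL
    exactly, not to a plain-HTTP copy of it; a not-enforced URL must be served
    directly by the Mid Tier.
    """
    to_sso = status in REDIRECTS and location is not None and location.startswith(sso_url)
    if expect_protected:
        if to_sso:
            return True, "protected URL redirects to the BMC Atrium SSO logon"
        if status == 200:
            return False, "protected URL served without SSO: agent inactive or URL listed as not-enforced"
        if status in REDIRECTS:
            return False, f"protected URL redirected somewhere other than the SSO server: {location}"
        return False, f"unexpected status {status}"
    if status == 200:
        return True, "not-enforced URL served directly (Mid Tier's own logon)"
    if to_sso:
        return False, "not-enforced URL redirected to SSO: check not-enforced.txt / Agent Details"
    return False, f"unexpected status {status}"


def health_check(midtier_url: str, sso_url: str) -> List[Tuple[str, bool, str]]:
    """Probe the Configuration Tool (must be open) and the application root (must redirect)."""
    checks = [
        (midtier_url + "/shared/config/config.jsp", False),
        (midtier_url, True),
    ]
    results = []
    for url, protected in checks:
        status, location = fetch(url)
        ok, why = classify(protected, status, location, sso_url)
        results.append((url, ok, why))
    return results


if __name__ == "__main__":
    for url, ok, why in health_check("http://vw-pune-bmc-dv88.labs.bmc.com:8080/arsys",
                                     "https://ssoServer.bmc.com:8443/atriumsso"):
        print(("PASS " if ok else "FAIL ") + url + ": " + why)
```

Passing sso_url with its https scheme makes the check fail if a misconfigured agent redirects users to the SSO server over plain HTTP, which the browser-based check in the procedure above does not catch.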

9.2 Integrating BMC Dashboards for BSM

If you plan to use BMC Atrium Single Sign-On as your method of authentication, you must install and configure
the BMC Atrium Single Sign-On server before installing BMC Dashboards for Business Service Management (BSM).
Also, ensure that any users that you want to use in BMC Dashboards for BSM exist in the BMC Atrium Single
Sign-On server.

9.2.1 Before you begin

Install the BMC Atrium Single Sign-On server and configure it with an authentication method before installing
BMC Dashboards for BSM.
Ensure that the BMC Dashboards for BSM administrator and any users that you want to use in BMC
Dashboards for BSM exist in the BMC Atrium Single Sign-On server. See Managing users (see page 264) and
Managing user groups (see page 268).

Note
For BMC Dashboards for BSM version 7.7.00 and higher, instead of re-installing, you can run the installer
again to set the BMC Atrium Single Sign-On parameters.

9.2.2 To integrate BMC Dashboards for BSM

When executing the BMC Dashboards for BSM installer, select the BMC Atrium Single Sign-On Authentication
method and provide the following information:

Field                                            Description
Fully Qualified Host Name                        Fully qualified host name of the BMC Atrium Single Sign-On server.
HTTPS Port Number                                HTTPS port number used by the BMC Atrium Single Sign-On server.
Administrator Name and Password                  User name and password for the BMC Atrium Single Sign-On server administrator.
BMC Dashboards administrator Name and Password   User name and password of the BMC Dashboards for BSM administrator user. This
                                                 user must exist in BMC Atrium Single Sign-On.

9.3 Integrating BMC Analytics for BSM

If you plan to use BMC Atrium Single Sign-On as your method of authentication, you must install and configure
the BMC Atrium Single Sign-On server before installing BMC Analytics for Business Service Management (BSM).
Also, ensure that any users that you want to use in BMC Analytics for BSM exist in the BMC Atrium Single
Sign-On server.
BMC Analytics for BSM is compatible with Apache Tomcat or Microsoft IIS. If you are using BMC Atrium Single
Sign-On with BMC Analytics for BSM, only Apache Tomcat is supported. Also, when you install using BMC Atrium
Single Sign-On, a new Apache Tomcat service is installed. If you plan to use BMC Analytics for BSM with Apache
Tomcat, install a new Tomcat during the SAP BusinessObjects installation instead of using an existing Tomcat. If
you have an existing Tomcat installation, provide different port numbers.
Before you begin (see page 199)
To integrate BMC Analytics for BSM (see page 200)

9.3.1 Before you begin

Install and configure the BMC Atrium Single Sign-On server before installing BMC Analytics for BSM.
Ensure that any users that you want to use in BMC Analytics for BSM exist in the BMC Atrium Single Sign-On
server. See Managing users (see page 264) and Managing user groups (see page 268).
Ensure that your SAP BusinessObjects Enterprise XI host is part of the DNS domain or subdomain of the
BMC Atrium Single Sign-On server host; the single sign-on session cookie is scoped to that domain, so a host
outside it never receives the cookie.
Ensure that BMC Analytics for BSM is installed with an Apache Tomcat. A new Apache Tomcat should be
installed during the SAP BusinessObjects installation instead of using an existing Tomcat. If you have an
existing Tomcat installation, provide different port numbers.

Note
For BMC Analytics for BSM version 7.6.06 and higher, instead of re-installing, you can run the installer
again to set the BMC Atrium Single Sign-On parameters.

9.3.2 To integrate BMC Analytics for BSM

When executing the BMC Analytics for BSM installer, select BMC Atrium Single Sign-On and provide the following
information:

Field                       Description
Fully Qualified Host Name   Fully qualified host name of the BMC Atrium Single Sign-On server.
HTTPS Port Number           HTTPS port number used by the BMC Atrium Single Sign-On server.
Administrator Name          User name for the BMC Atrium Single Sign-On server administrator.
Administrator Password      Password for the BMC Atrium Single Sign-On server administrator.

9.4 Integrating BMC ProactiveNet

BMC ProactiveNet 9.0.00 uses the BMC Atrium Single Sign-On authentication system to provide single sign-on
and single sign-off. BMC Atrium Single Sign-On allows users to present credentials only once for authentication
and subsequently be automatically authenticated by every BMC product that is integrated into the system.
Users, user groups, and privileges defined in BMC Atrium Single Sign-On are used for BMC ProactiveNet group
mapping. See Managing users (see page 264) and Managing user groups (see page 268).

9.4.1 Before you begin

BMC Atrium Single Sign-On must be installed and configured before installing BMC ProactiveNet.
Ensure that the BMC ProactiveNet users and user groups are created in BMC Atrium Single Sign-On. See To
define users and groups (see page 202).
Ensure that the BMC ProactiveNet users are assigned to groups. See To assign users to user groups (see
page 203).

Note
The BMC ProactiveNet Single Sign-On feature can be integrated either during installation or
post-installation.

9.4.2 To integrate BMC ProactiveNet during installation

Note
The BMC ProactiveNet Server installer prompts for information that must already be defined in BMC
Atrium Single Sign-On.

1. Select Single Sign-On (SSO) - Enable and configure.
2. Provide the following information:

Field                                  Description
Atrium SSO Server Hostname Domain      Enter the fully qualified name of the BMC Atrium Single Sign-On server.
ProactiveNet Server Hostname Domain    Enter the fully qualified host name of the server where BMC ProactiveNet Server is
                                       installed. By default, this field is populated with the host name of the server on
                                       which the installer is executed.
Atrium SSO HTTPS Port                  Enter the BMC Atrium Single Sign-On secure port number. The default port number is 8443.
Searcher ID                            Enter the BMC Atrium Single Sign-On Searcher ID used to search all user names and groups.
Searcher Password                      Enter the password of the Searcher ID user.
Atrium SSO AmAdmin Password            Enter the BMC Atrium Single Sign-On server amAdmin password.

9.4.3 To integrate BMC ProactiveNet after installation

The BMC Atrium Single Sign-On feature can be configured post-installation in one of two ways:
Using the Post Installation Configuration interface in the BMC ProactiveNet Operations Console. For more
information, see the BMC ProactiveNet User Guide.
Using the pw sso commands. For more information, see the BMC ProactiveNet CLI Reference Guide.
Once BMC Atrium Single Sign-On is integrated, when you launch BMC ProactiveNet, the BMC Atrium SSO screen
appears. Enter your user name and password, and BMC ProactiveNet launches automatically.
If you launch BMC ProactiveNet and try to log in as a user who is not associated with a valid user group in
BMC Atrium Single Sign-On, BMC ProactiveNet displays an error stating "Invalid username/password".
If you receive a message that the BMC ProactiveNet Server has restarted, you must close the browser, then
re-open the browser and log back in.

9.4.4 To define users and groups

To enable single sign-on, you must first create BMC ProactiveNet users and user groups in BMC Atrium Single
Sign-On. Users and user groups defined in BMC Atrium Single Sign-On are used for BMC ProactiveNet group
mapping.
During installation of BMC ProactiveNet, the BMC ProactiveNet Server Installer prompts for information that must
already be defined in BMC Atrium Single Sign-On. Therefore the minimum required definition in BMC Atrium
Single Sign-On, before installing BMC ProactiveNet, is the following:
1. Create a Searcher user and assign it the BmcSearchAdmins group. Use a dedicated account for this purpose:
   its credentials are entered into the BMC ProactiveNet installer, and the group lets it search every user and
   group in the realm.
2. Define the SSO amAdmin user and assign full access privileges. (The SSO amAdmin user is automatically
   created during installation of BMC Atrium Single Sign-On.)
3. Create an Administrative user group and assign it the BmcAdmins group.
9.4.5 To create new users

New users can only be created when you are using the internal LDAP server for authentication. If an external
source is used for authentication, new users must be created within that external system.
1. Sign on to BMC Atrium Single Sign-On.
2. Click Edit BMC Realm and select the Users tab.

   Note
   When integrating a BMC ProactiveNet Server with an external system such as SSO or LDAP for
   authentication, ensure that the same user name does not exist in both the external system and the
   BMC ProactiveNet Server.
   If the same user exists in both, the user group associations defined in BMC ProactiveNet are used.

   a. Click Add.
   b. In the UserId field, enter a unique identifier for the new user. This value is used as the
      user ID when the user logs in. If special characters such as a comma ( , ), semicolon ( ; ),
      or plus sign ( + ) are used in the user ID, the backslash ( \ ) must precede the special
      character. For example, Baldwin\,bob.
   c. Enter the user's last name and full name.
   d. Enter an initial default password (which the user changes) and confirm this default password.
   e. In the Status field, verify that the Active radio button is selected (default).
   f. Click Save.

Note
An initial password must be provided when creating the account. Once created, the user can log
into BMC Atrium Single Sign-On and update the password and their personal information through the
self-service URL given in To add a new user (see page 190).

9.4.6 To assign users to user groups

1. In BMC Atrium Single Sign-On, click Edit BmcRealm and select the Groups tab.
2. Select the group name and click Edit.
3. Select users from the Available Users list.
4. Click Add. Alternatively, you can add all of the users by clicking Add All.
5. Click Save to save the changes.
The membership change takes effect immediately.

9.4.7 To clean up Web Agent entries when the BMC ProactiveNet Server is uninstalled
The following steps are required to delete the Web Agent entries on the BMC Atrium Single Sign-On Server when
the BMC ProactiveNet Server is uninstalled. Stale entries leave an agent profile registered for a host that no
longer exists; remove them rather than leaving them in place.

Note
Any changes made to a BMC Atrium Single Sign-On user are not reflected in an active BMC
ProactiveNet session. The user must log out and log back in for the changes to take effect.

1. On the BMC Atrium Single Sign-On Console, click Edit BMC Realm.
2. Click Agents Details.
   A list of the Agents that are registered on the Single Sign-On server is displayed.
3. Identify the two Agents corresponding to your BMC ProactiveNet Server host.
   Search for the following patterns:
   /@<BMC ProactiveNet Server Host>:<Port>
   /admin@<BMC ProactiveNet Server Host>:<Port>
4. Mark the Agents to delete by selecting their corresponding checkboxes.
5. Click Delete.

9.5 Integrating BMC IT Business Management Suite


BMC Atrium Single Sign-On is an authentication system that supports many authentication protocols and
provides single sign-on and single signoff for users of BMC products. A user can present credentials once for
authentication and subsequently be automatically authenticated by every BMC Software product that is
integrated into the system.

9.5.1 Before you begin


You must install BMC Atrium Single Sign-On server before using the BMC IT Business Management Suite
installation program to set up the configuration.

9.5.2 To integrate BMC IT Business Management Suite


When installing the BMC IT Business Management Suite, select the check box to configure BMC IT Business
Management Suite with BMC Atrium Single Sign-On server.
Use these options to configure BMC IT Business Management Suite to work with BMC Atrium Single Sign-On.
Installation parameter | Value
Atrium SSO Location | Specify the location of the BMC Atrium Single Sign-On server.
Atrium SSO Admin User | Specify the administrative user name.
Atrium SSO Admin Password | Specify the BMC Atrium Single Sign-On server administrative password.
Atrium SSO Keystore Path | Specify the location of the keystore. The default Tomcat server used by the BMC Atrium Single Sign-On server uses a keystore and a truststore for its secure (HTTPS/TLS) communications. These files are stored within the directory at <installDir>/BMC Software/AtriumSSO/tomcat/conf.
Atrium SSO Keystore Password | Specify the password of the keystore.

9.6 Integrating BMC ITBM and WebSphere application server


As an option, you can configure the IBM WebSphere application server to work with the BMC Atrium Single
Sign-On server. To configure the WebSphere application server to work with the BMC Atrium Single Sign-On
server, you must have already installed and set up the BMC Atrium Single Sign-On server.

9.6.1 Before you begin


If you have already deployed BMC IT Business Management Suite on WebSphere, you must first undeploy the
application and then configure the WebSphere application server to work with the BMC Atrium Single Sign-On
server.

9.6.2 To configure the WebSphere application server to work with the BMC Atrium Single Sign-On server
1. Stop the application server.
2. Copy the certificate truststore file (cacerts) from the <WebSphereHome>\java\jre\lib\security directory to
   the <WebSphereHome>\bin directory.
3. Copy the deployment utility webagent.zip file from the BMC Atrium Single Sign-On server build to a
   temporary directory, referred to here as <WEB_AGENT_DIR>.
4. Run the following deployer script from the WebSphere Java directory:

java -jar $<WEB_AGENT_DIR>\deployer.jar --install --container-type WEBSPHEREV7
--atrium-sso-url https://<FQDN-of-Atrium-SSO-Server>:<port>/atriumsso
--web-app-url http://<FQDN-of-ITBM-Server>:<port>/itm
--container-base-dir "<WEBSPHERE_HOME>"
--instance-config-directory "<ITBM_APPLICATION_CONFIG_DIR>"
--server-instance-name "<WEBSPHERE_APPLICATION_SERVER_FOR_ITBM>"
--admin-name amadmin --admin-pwd password
--jvm-truststore "<WEBSPHERE_HOME>\java\jre\lib\security\cacerts"
--jvm-truststore-password changeit
--truststore "<WEBSPHERE_HOME>\bin\cacerts"
--truststore-password changeit

For example, you can specify the following script:

java -jar "C:\Program Files\BMC Software\ARSystem\midtier\webagent\deployer\deployer.jar"
--install --container-type WEBSPHEREV7
--atrium-sso-url https://w8k-itsm-vm16.dsl.bmc.com:8443/atriumsso
--web-app-url http://w28-itm-vm02.dsl.bmc.com:9080/itm/
--container-base-dir "C:\Program Files\IBM\WebSphere\AppServer"
--instance-config-directory "C:\Program Files\IBM\WebSphere\AppServer\profiles\AppSrv01\config\cells\w28-itm-vm02Node01Cell\nodes\w28-itm-vm02Node01\servers\server1"
--server-instance-name "server1" --admin-name amadmin --admin-pwd password
--jvm-truststore "C:\Program Files\IBM\WebSphere\AppServer\java\jre\lib\security\cacerts"
--jvm-truststore-password changeit
--truststore "C:\Program Files\IBM\WebSphere\AppServer\bin\cacerts"
--truststore-password changeit

Note
When you run the script using the java command, use the WebSphere copy of the java version,
not the one from the Oracle JDK.

5. Start the application server.


6. In the WebSphere application logon window, specify the User ID as itmadm and Password as itmadmin and
press Enter.
7. In the left navigation pane of the Integrated Solutions console, click Servers > Server Types > WebSphere
application servers.
8. In the WebSphere application servers page, click the server on which you have installed BMC IT Business
Management Suite.
9. In the Application servers > server page, click Java and Process Management in the Server Infrastructure
options on the right.
10. In the Java and Process Management options, click Process definition.
11. In the Process definition page, click Java Virtual Machine in the Additional Properties options.
12. In the Java Virtual Machine page, click Custom properties.
13. To specify a new property, click New.
14. In the Custom properties > New page, specify the following properties and values for custom repository:

Name | Value
atsso.configuration.dir | Atrium SSO agents configuration directory. For example, C:\Program Files\IBM\WebSphere\AppServer\atssoAgents

15. Click OK.


16. Click Save in the Message box at the top of the screen to commit the changes.
17. In the left navigation pane of the Integrated Solutions Console, click Security > Global security.
18. In the Global security page, click the Security Configuration Wizard button.
19. In the Specify extent of protection page, select Enable application security and click Next.
20. In the Select user repository page, select the Standalone custom registry option and click Next.
21. Add the following properties and values for the custom repository:

Name | Value
sso.installed | true
cacerts | C:/Program Files/IBM/WebSphere/AppServer/bin/cacerts
  Note: If your folder path contains spaces, copy cacerts from <Websphere_Home>\bin\cacerts to any temp directory (for example, C:/bmc/).
cacerts.password | changeit
sso.acceptAllServerCertificates | true
22. Click Next.


23. Verify the Summary page, and click Finish.
24. Click Save in the Message box at the top of the screen to commit the changes.
25. In the Global security window, click the Available realm definition list and select Standalone custom
registry.
26. Click the Set as current button.
27. Click the Java Authentication and Authorization Service option.
28. In Java Authentication and Authorization Service, click System Logins.
29. In the resources list, select the WEB_INBOUND resource.
30. In the JAAS login modules table, click the com.itmsoft.security.auth.module.ITBMLoginModule option.
31. Specify the following custom properties and values:

Name | Value
sso.installed | true
cacerts.path | C:/Program Files/IBM/WebSphere/AppServer/bin/cacerts
  Note: If your folder path contains spaces, copy cacerts from <Websphere_Home>\bin\cacerts to any temp directory (for example, C:/bmc/).
cacerts.password | changeit
sso.acceptAllServerCertificates | true

32. Click Apply and OK.


33. Click Save in the Message box at the top of the screen to commit the changes.
34. Log out and restart the WebSphere server before deploying the BMC IT Business Management Suite.
35. Deploy BMC IT Business Management Suite on the WebSphere application server.

9.7 Integrating BMC Capacity Optimization


This topic provides instructions for integrating BMC Capacity Optimization with BMC Atrium Single Sign-On.

Notes

For information about compatible versions of these BMC applications, see BSM Interoperability
8.5.1.
This topic does not describe how to integrate data from BMC Atrium CMDB into BMC Capacity
Optimization using Extract, Transform, and Load tasks (ETL tasks). For information about
integrating data from BMC Atrium CMDB into BMC Capacity Optimization, see Integrating BMC
Capacity Optimization with BMC Atrium CMDB in the BMC Capacity Optimization online
documentation.

9.7.1 Before you begin


Before you can enable integration with BMC Atrium Single Sign-On, you must have BMC Atrium CMDB installed
and running.
Before you can enable launching of BMC Capacity Optimization from BMC ProactiveNet when viewing a CI
(device) associated with an event, you must integrate BMC ProactiveNet with BMC Atrium CMDB.

9.7.2 To integrate BMC Capacity Optimization


1. Log on to the BMC Capacity Optimization Console as a user with the administrator role.
2. Click the Administration tab.
3. In the Navigation area, expand System.
4. Click Configuration.
5. Click the BMC Environment tab.
6. At the bottom of the BMC Environment tab, click Edit.
7. In the BMC Atrium Single-Sign-On area, next to Atrium Single-Sign-On, select Enable Atrium single sign-on
for authentication in BMC Capacity Optimization.
BMC Atrium Single Sign-On server information boxes appear.
8. Type the following:
Atrium SSO Server Host: Type the address of the BMC Atrium Single Sign-On server host.
Atrium SSO Server Port: Type the BMC Atrium Single Sign-On server port number.
Atrium SSO Server Username: Type the user name for BMC Atrium Single Sign-On server
authentication.
Atrium SSO Server Password: Type the password for BMC Atrium Single Sign-On server
authentication.

Note
The BMC Atrium Single Sign-On server user must be assigned an administrator role.

9. Click Execute.
A utility runs that registers BMC Capacity Optimization with the BMC Atrium Single Sign-On server.
10. Click Save.
11. Close your BMC Capacity Optimization Console browser window.
12. Verify that BMC Capacity Optimization services have been restarted (see the Verifying that BMC Capacity
Optimization services are running section of Verifying BMC Capacity Optimization installation).
13. Log on to the BMC Capacity Optimization Console (see Accessing the BMC Capacity Optimization console).

9.8 Integrating BMC Atrium Orchestrator Platform


BMC Atrium Orchestrator Platform 7.7 uses the BMC Atrium Single Sign-On authentication system to provide
single sign-on and single sign-off. BMC Atrium Single Sign-On allows users to present credentials only once for
authentication and subsequently be automatically authenticated by every BMC product that is integrated into the
system. For more information about BMC Atrium Orchestrator Platform 7.7 installation and integration with BMC
Atrium Single Sign-on, see the BMC Atrium Orchestrator Platform 7.7 online documentation.
Users, user groups and privileges defined in BMC Atrium Single Sign-On are used for BMC Atrium Orchestrator
Platform group mapping. See Managing users (see page 264) and Managing user groups (see page 268).

Before you begin (see page 210)


BMC Atrium Orchestrator Platform installation worksheet (see page 210)
Where to go from here (see page 212)

9.8.1 Before you begin


BMC Atrium Single Sign-On version 8.1.00 Patch 1 (8.1.00.01) or later must be installed and configured before
installing BMC Atrium Orchestrator Platform 7.7.
Download the installation files from the BMC EPD website. Ensure that BMC Atrium Single Sign-On version
8.1.00 Patch 1 (8.1.00.01) or later is implemented.
Ensure that the target computer meets the minimum system requirements for your environment.
Complete the BMC Atrium Orchestrator Platform installation worksheet (see page 210).
Exit all other programs.
Log on as an administrator and have administrator rights on the computer where you will install BMC
Atrium Single Sign-On.
Prepare to run the installation program for your operating system.
For example, you must update Terminal Services configuration options and configure the DEP feature if you are
using Windows. For more information, see Configuring terminal services on Windows 2008 and Windows 2012
computers and Configuring DEP on Windows computers.

Note
The BMC Atrium Single Sign-On Tomcat server cannot be shared with any product that integrates with
BMC Atrium Single Sign-On (for example, BMC Atrium Orchestrator). BMC recommends that you install
BMC Atrium Single Sign-On on a different computer from the computer where you plan to install a BMC
product (for example, the AR System server or the BMC Remedy Mid Tier).

9.8.2 BMC Atrium Orchestrator Platform installation worksheet


BMC Atrium Single Sign-On is a required server component that you install first, before any other BMC Atrium
Orchestrator components. Before installing BMC Atrium Single Sign-On, use this worksheet to record
information specific to your system. The installation parameters in this worksheet correspond to the parameters
in the GUI installation and the options file.
Directory Selection panel
Installation parameter | Default value and notes | Your value
Destination Directory | Windows: C:\Program Files\BMC Software\AtriumSSO; UNIX: /opt/bmc/atriumsso |

Server panel
Installation parameter | Default value and notes | Your value
Hostname | Fully qualified host name of the server where you install BMC Atrium Single Sign-On |

BMC Atrium SSO Cluster Options panel
Installation parameter | Default value and notes | Your value
Non-clustered BMC Atrium SSO Server (Current Setting) | Stand-alone Single Sign-On Server |
Clustered BMC Atrium SSO Server | Implemented as a redundant system with session failover. Clustered installation requires at least two nodes |

Tomcat Application Server Selection panel
Installation parameter | Default value and notes | Your value
Install New Tomcat | Install new Tomcat server on the computer where you install BMC Atrium Single Sign-On |
Use External Tomcat | Path where the external Tomcat Application Server resides |

Tomcat Application Server Information panel
Installation parameter | Default value and notes | Your value
HTTP port number | HTTP port number used by the BMC Atrium Single Sign-On server |
HTTPS port number | HTTPS port number used by the BMC Atrium Single Sign-On server |
Shutdown port number | Shutdown port number used by the BMC Atrium Single Sign-On server |

BMC Atrium SSO Server Information panel
Installation parameter | Default value and notes | Your value
Cookie Domain | Network domain of the computer on which you are installing the server |
Password | Password required to log on to BMC Atrium Single Sign-On server |
Confirm Password | Confirm the password |

9.8.3 Where to go from here


Create a BMC Atrium Orchestrator user account and assign the user account to a group in BMC Atrium
Single Sign-On. See Managing users (see page 264) and Managing user groups (see page 268).
After you create a BMC Atrium Orchestrator group and user, install the BMC Atrium Orchestrator Platform
repository.

9.9 Integrating BMC Real End User Experience Monitoring


This page has not been approved for publication.

9.9.1 Preparing BMC Atrium SSO server for integration


This page has not been approved for publication.

9.9.2 Preparing the Console component for the BMC Atrium SSO
integration
This page has not been approved for publication.

9.10 Integrating BMC Mobility for ITSM 8.1.00


This topic describes how to integrate BMC Atrium Single Sign-On with BMC Mobility for supporting Security
Assertion Markup Language (SAML). The typical process for integrating BMC Atrium Single Sign-On with BMC
Remedy IT Service Management (ITSM) is to install BMC Atrium Single Sign-On, install BMC Remedy ITSM, and
then integrate Atrium SSO with ITSM.
The following topics are provided:
Before you begin (see page 212)
Limitations (see page 213)
Integrating BMC Mobility to support SAML authentication (see page 213)
Related Topics (see page 214)

9.10.1 Before you begin


Ensure that you have BMC Remedy ITSM installed before you enable integration with BMC Atrium
Single Sign-On.
Ensure that the users of BMC Remedy ITSM that you want to use exist in the BMC Atrium Single Sign-On server. See
Managing users (see page 264) and Managing user groups (see page 268).

9.10.2 Limitations
The mobile applications do not support pop-up windows for login. The SAML IdP in Atrium SSO must
provide a login page that is compatible with the embedded WebKit browser.
The only identity provider (IdP) that BMC Mobility for ITSM supports is BMC Atrium SSO, which is the only
supported service provider (SP). Other IdPs and SPs are not supported.

9.10.3 Integrating BMC Mobility to support SAML authentication


Use the following steps to configure BMC Mobility and BMC Atrium SSO so that users can log on to BMC
Mobility with single sign-on.

To integrate Atrium SSO support in BMC Mobility Server


1. Stop the BMC Mobility server.
2. Copy all the jar files from the <MidtierInstallDir>\webagent\dist\jee\WEB-INF\lib directory to the
<MidtierInstallDir>\WEB-INF\lib directory.
For example, copy all the jar files from C:\Program
Files\BMCSoftware\ARSystem\midtier\webagent\dist\jee\WEB-INF\lib to C:\Program
Files\BMCSoftware\ARSystem\midtier\WEB-INF\lib.
3. Uncomment the BMC Atrium Single Sign-On filter in the web.xml file on BMC Mobility server.

To integrate BMC Mobility in BMC Atrium SSO Console


1. Configure the Login URL for the BMC Atrium Single Sign-On server using the following steps:
   a. Log on to the BMC Atrium SSO Admin Console and click Agent Details.
   b. Select the /MobilityServer@FQDN:portNumber agent and click Edit.
   c. In the Agent Editor, change the Login URL to be the same as the Mid Tier Agent Login URL (for
      example, https://serverName:portNumber/atriumsso/spssoinit?metaAlias=/BmcRealm/sp&idpEntityID=idp).
   [Figure: Login URL field in the Agent Editor]
2. Configure the Logout URL for the BMC Atrium Single Sign-On server using the following steps:
   a. In the Agent Editor, change the Logout URL to be the same as the Mid Tier Agent Logout URL (for
      example, https://serverName:portNumber/atriumsso/saml2/jsp/spSingleLogoutInit.jsp?idpEntityID=idp).

To enable SAML logon


1. Open the Mobility Administration: Tenant form in a browser.
2. Search for the record with Tenant ID 000000000000001.
3. Change the SAML Authentication setting to Yes.
4. Save your changes.
You must start the BMC Mobility server after making the configuration changes.

9.10.4 Related Topics


Agent manager

10 Using
The following topics provide information and instructions for using the BMC Atrium Single Sign-On:

Navigating the interface


Managing keystores with a keytool utility (see page 239)
Configuring FIPS-140 mode (see page 251)
Using an external LDAP user store (see page 260)

10.1 Navigating the interface


On the BMC Atrium SSO Admin Console, you can see the overall health of the Atrium Single Sign-On server and
launch into specific areas for management. The Administrator console contains four panels providing server
health (Status), access to realms for management (Realm Manager), and access to current sessions for
management (Sessions). In addition, the console has a top-level Help button that launches a browser providing
online help.

Note
To access the BMC Atrium SSO Admin Console, use a Fully Qualified Domain Name (FQDN) URL.

Editor options (see page 215)


Status panel (see page 215)
BMC Realm panel (see page 216)
Sessions panel (see page 216)

10.1.1 Editor options


Each editor provides the following options when adding or editing items:
Save to save your modifications.
Reset to remove your modifications and stay on the editor.
Help launches a browser that provides you with online help.
Cancel to cancel and return to the launch page.

10.1.2 Status panel


The Status panel shows the current memory usage of the server, a pie chart showing the number of active/idle
sessions, another pie chart showing the up/down status (the server that the agent is defined for) of the agents
integrated with this server or cluster.
Edit Server Configuration launches the Server Configuration Editor (see page 237) which allows you to edit
the server parameters.
Agent Details launches the Agent Manager where you can edit agents using the Agent Editor or delete
agents.

Agents List lists the agents on the system.


HA Node Details launches the HA Nodes manager (see page 234) where you can edit nodes with the Server
Configuration Editor (see page 237) or delete dead nodes. In non-HA systems, you can access the Server
Configuration Editor (see page 237) by clicking Edit Server Configuration. This manager provides access for
changing the overall operation parameters.
HA Node List lists the HA nodes on the system.

10.1.3 BMC Realm panel


From the BMC Realm panel, an Edit BMC Realm button is available to access the Realm Editor where the realm
can be modified. In addition, an Authentication List and a User Store List are available that display the
authentication modules and user stores defined for the realm.
Edit BMC Realm launches the Realm Editor which allows you to manage realm authentication, federation,
user stores (AR and LDAPv3), users, and user groups.
Federation and user profile status is provided.
Authentication List lists the authentication modules that are established for the realm.
User Store List lists the user stores that are established for the realm.

10.1.4 Sessions panel


The Sessions panel allows you to view the current sessions and to invalidate any session. The following columns
are displayed in the Sessions table:
UserId
Time Remaining
Max Session Time
Time Idle
Max Idle Time
Node Name (the server that the session is defined on)

10.1.5 Realm Editor


Use the tabs in the Realm editor to set the user profile, manage the realm authentication modules, federate
modules, and manage user stores, as well as manage users and user groups.
Main tab (see page 216)
User tab (see page 218)
Groups tab (see page 218)
Security tab (see page 219)
Editors available from Realm Editor (see page 221)

Main tab
The Main tab provides the following panels for specifying parameters:

User Profile panel


The User Profile panel allows you to set user profile parameters. Parameter options are: Ignored, Required, or
Dynamic.
In the User Profile panel, select either Dynamic or Ignored.
Dynamic: Specifies that a local Single Sign-On user profile is created after a successful authentication, if
it does not already exist.
Ignored: Specifies that no local Single Sign-On user profile is created or required for authentication.
Required: Specifies that a local Single Sign-On user profile with the same user ID is required for
authentication to be successful.
Realm Authentication panel
The Authentication panel allows you to create, edit, and delete authentication module instances and to establish
an authentication chain. An authentication chain is a series of authentication modules through which the user
must pass to authenticate. The chain can be constructed to allow complex processing of the modules.
For example, you can use authentication chaining to merge multiple LDAP servers into a single authentication
unit. Chaining multiple LDAP modules together with a sufficient relationship ensures that each LDAP module is
checked to authenticate the user. If any module successfully authenticates the user, the user is identified and
given an SSO session.
The combination of modules in a chain uses the following flags per module:
Required: Identifies modules that are required to succeed. Regardless of whether the authentication
succeeds or fails, authentication still proceeds through the authentication chain of modules.
Requisite: Identifies modules that are required to succeed. If authentication succeeds, authentication
proceeds through the authentication chain of modules. If authentication fails, control immediately returns
to the application (authentication does not proceed through the authentication chain of modules).
Sufficient: Identifies modules that are not required to succeed. If it does succeed, control immediately
returns to the application (authentication does not proceed through the remaining modules in the chain).
If authentication fails, authentication continues through the authentication chain of modules.
Optional: Identifies modules that are not required to succeed. Regardless of whether the authentication
succeeds or fails, authentication still proceeds through the authentication chain of modules.
The Requisite and Sufficient flags are most commonly used. These flags allow the processing to stop when the
authentication status of the user is known. The Required and Optional flags do not stop the processing but force
each module to be evaluated.
The overall authentication succeeds only if all modules that are flagged with Required and Requisite succeed.
If a module that is flagged with Sufficient succeeds, only the Required and Requisite modules that precede
that Sufficient module must have succeeded for the overall authentication to succeed.
If no Required or Requisite modules are configured for an application, then at least one Sufficient or
Optional module must succeed.
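As an added illustration (not code from the BMC documentation, OpenAM, or the product), the following Python models how a chain with these four flags is evaluated, using two constructed in-memory stores in place of the LDAP modules in the example above; the module names, user IDs and passwords are all made up.

```python
"""Authentication-chain evaluation with the Required/Requisite/Sufficient/Optional flags.

Added example, not BMC or OpenAM code. The user stores are constructed in-memory
dictionaries standing in for the LDAP modules described in the passage above.
"""
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Flag(Enum):
    REQUIRED = "Required"
    REQUISITE = "Requisite"
    SUFFICIENT = "Sufficient"
    OPTIONAL = "Optional"


Authenticator = Callable[[str, str], bool]   # (user_id, password) -> success
Module = Tuple[str, Flag, Authenticator]     # (module name, flag, authenticator)


def make_store(users: Dict[str, str]) -> Authenticator:
    """Constructed stand-in for an LDAP or AR module: a user-id -> password map."""
    return lambda user_id, password: users.get(user_id) == password


def evaluate_chain(chain: List[Module], user_id: str, password: str) -> Tuple[bool, List[str]]:
    """Run the chain; return (overall success, names of the modules that were consulted).

    Rules implemented, as the passage states them:
      Required   - failure does not stop the chain, but the overall result fails.
      Requisite  - failure returns control immediately with a failed result.
      Sufficient - success returns control immediately; the result is success only if
                   every Required/Requisite module evaluated before it succeeded.
                   Failure just moves on to the next module.
      Optional   - never stops the chain; counts as a success only when the chain has
                   no Required/Requisite modules at all.
    """
    has_required = any(flag in (Flag.REQUIRED, Flag.REQUISITE) for _, flag, _ in chain)
    required_ok = True          # no Required module has failed so far
    non_required_ok = False     # some Optional module succeeded
    consulted: List[str] = []

    for name, flag, authenticate in chain:
        consulted.append(name)
        ok = authenticate(user_id, password)
        if flag is Flag.REQUIRED:
            required_ok = required_ok and ok
        elif flag is Flag.REQUISITE:
            if not ok:
                return False, consulted
        elif flag is Flag.SUFFICIENT:
            if ok:
                return required_ok, consulted
        elif flag is Flag.OPTIONAL:
            non_required_ok = non_required_ok or ok

    # End of chain reached without an early return.
    if has_required:
        return required_ok, consulted
    return non_required_ok, consulted


# Constructed sample data: two directories that the chain merges into one unit.
CORP_LDAP = make_store({"alice": "alice-pw"})
PARTNER_LDAP = make_store({"bob": "bob-pw"})

# Two LDAP modules chained as Sufficient: the first store that knows the user wins.
MERGED_LDAP_CHAIN: List[Module] = [
    ("corp-ldap", Flag.SUFFICIENT, CORP_LDAP),
    ("partner-ldap", Flag.SUFFICIENT, PARTNER_LDAP),
]
# Corporate directory as Requisite: a failure there ends the login at once.
STRICT_CHAIN: List[Module] = [
    ("corp-ldap", Flag.REQUISITE, CORP_LDAP),
    ("partner-ldap", Flag.SUFFICIENT, PARTNER_LDAP),
]
# Corporate directory as Required: every module is still consulted, but a failure
# there cannot be rescued by a later Sufficient success.
AUDITED_CHAIN: List[Module] = [
    ("corp-ldap", Flag.REQUIRED, CORP_LDAP),
    ("partner-ldap", Flag.SUFFICIENT, PARTNER_LDAP),
]

if __name__ == "__main__":
    chains = (("merged", MERGED_LDAP_CHAIN), ("strict", STRICT_CHAIN), ("audited", AUDITED_CHAIN))
    for label, chain in chains:
        for user_id, password in (("alice", "alice-pw"), ("bob", "bob-pw"), ("mallory", "guess")):
            ok, consulted = evaluate_chain(chain, user_id, password)
            print(f"{label:8} {user_id:8} -> {'success' if ok else 'failure'} consulted={consulted}")
```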
Federation panel
The Federation panel is used for managing the membership of Local Identity Provider (IdP) and Local Service
Provider (SP) entities that belong in a Circle of Trust (COT). The name of the COT is derived from the name of the
realm to allow a logical mapping into the OpenAM abstractions.
The IdP and SP entities created in the realm are automatically assigned membership in the single COT for the
realm.
This panel allows you to add, edit, and federate realms. When you add a realm, you can specify the type of realm
(for example, IdP or SP for SAMLv3 authentication).
User Stores panel
The User Stores panel allows you to manage user stores (add, delete, edit, and reorder).
The User Store Manager allows you to define external User Stores from which user attributes (email address,
phone numbers, and so forth) and group memberships can be obtained. By default, the internal LDAPv3 data
store is configured as a User Store for the BmcRealm. However, external LDAPv3 servers, BMC Remedy AR System
servers, and even an RDBMS can be used (with a customer-provided JDBC driver).
The User Store Manager allows you to create new User Stores from existing types or existing Templates, edit
existing user stores, and delete deprecated ones. Templates are based upon user stores types but include initial
configuration values. An example of a template would be to provide meaningful default values for an Active
Directory user store.

User tab
The User tab allows you to create new users, delete existing users, and edit the attributes and memberships of
those users. By selecting a user you can edit or delete the user.
When searching for a user, entering * in the panel's search field returns all of the names. A letter such as "m" returns all
names with the letter "m" in the user ID. A short string such as "mc" returns names that have "mc" in the user ID (for
example, McCormick).

Groups tab
The Groups tab allows you to create new groups, delete existing groups, and edit the attributes of the group. By
selecting a group you can edit or delete the group.
When searching for a group, entering * in the panel's search field returns all of the names. A letter such as "d" returns all
names with the letter "d". A short string such as "dm" returns names that have "dm" in the group name (for
example, admin).

Security tab
The Security tab provides the following features:

Login Failure Lockout


The Login Failure Lockout feature locks a user account after repeated failed login attempts in order to maintain
security of the account. The Login Failure Lockout feature provides the following options:
Enable Login Lockout - To activate the lockout feature you need to select the Enable Login Lockout check
box. The lockout mode is a memory lockout which can be cleared by restarting the BMC Atrium Single
Sign-On server, or by disabling Enable Login Lockout and re-enabling it again.
Lockout Duration - Sets the interval (in minutes) that a user must wait after lockout before attempting to
authenticate again. Entering a value greater than 0 enables memory lockout and disables physical lockout.
Memory lockout locks the user's account in memory for the specified number of minutes. The account is
unlocked after the period has passed.
Number of Login Attempts Before Lockout - Sets the number of incorrect attempts permitted for a user to
log on to the account, within the interval set in Lockout Duration, before being locked out.
The administrator can clear all user lockouts by disabling the lockout feature and setting the lockout
duration to 0. Both operations are necessary. When the lockout feature is disabled, the duration should also be
set to 0.

Note
To ensure that the administrator always has the access to the server, the account lockout feature is not
applicable for the amAdmin account.
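The following Python is an added model of the memory lockout described by these options (it is not BMC code): failures are counted inside the Lockout Duration window, the account is locked in memory for that duration, amAdmin is exempt, and the administrator's clear operation is disable plus duration 0. Timestamps are plain seconds supplied by the caller so the behaviour is deterministic; the user IDs and timings are constructed.

```python
"""Memory lockout after repeated failed logins (Login Failure Lockout options).

Added example, not BMC code. Times are seconds passed in by the caller; a real
server would read the wall clock.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable


class LoginFailureLockout:
    def __init__(self, enable_login_lockout: bool, lockout_duration_minutes: int,
                 attempts_before_lockout: int, exempt_accounts: Iterable[str] = ("amAdmin",)):
        self.enabled = enable_login_lockout
        self.duration = lockout_duration_minutes * 60          # seconds
        self.limit = attempts_before_lockout
        self.exempt = set(exempt_accounts)                      # never locked out
        # In-memory state only: restarting the server (recreating this object) clears it.
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)
        self._locked_until: Dict[str, float] = {}

    def _active(self) -> bool:
        # A duration of 0 disables memory lockout even when the check box is enabled.
        return self.enabled and self.duration > 0

    def is_locked(self, user_id: str, now: float) -> bool:
        if not self._active() or user_id in self.exempt:
            return False
        until = self._locked_until.get(user_id)
        if until is None:
            return False
        if now >= until:                       # lockout period has passed: unlock
            del self._locked_until[user_id]
            self._failures.pop(user_id, None)
            return False
        return True

    def record_attempt(self, user_id: str, credentials_ok: bool, now: float) -> str:
        """Return 'locked', 'ok' or 'failed' for a login attempt made at time `now`."""
        if self.is_locked(user_id, now):
            return "locked"                    # even a correct password is refused
        if credentials_ok:
            self._failures.pop(user_id, None)  # a success resets the failure count
            return "ok"
        if not self._active() or user_id in self.exempt:
            return "failed"
        window = self._failures[user_id]
        window.append(now)
        # Only failures inside the Lockout Duration interval count toward the limit.
        while window and now - window[0] >= self.duration:
            window.popleft()
        if len(window) >= self.limit:
            self._locked_until[user_id] = now + self.duration
            return "locked"
        return "failed"

    def clear_all_lockouts(self) -> None:
        """Administrator action from the passage: disable the feature and set the duration to 0."""
        self.enabled = False
        self.duration = 0
        self._failures.clear()
        self._locked_until.clear()


def demo() -> Dict[str, str]:
    """Walk a constructed scenario (5 minute duration, 3 attempts); return each step's outcome."""
    policy = LoginFailureLockout(True, lockout_duration_minutes=5, attempts_before_lockout=3)
    out: Dict[str, str] = {}
    out["fail1"] = policy.record_attempt("alice", False, now=0)
    out["fail2"] = policy.record_attempt("alice", False, now=10)
    out["fail3"] = policy.record_attempt("alice", False, now=20)       # third failure locks
    out["correct_while_locked"] = policy.record_attempt("alice", True, now=30)
    out["correct_after_expiry"] = policy.record_attempt("alice", True, now=320)
    for t in range(5):                                                  # amAdmin is exempt
        out["admin_fail5"] = policy.record_attempt("amAdmin", False, now=t)
    policy.record_attempt("bob", False, now=0)                          # spaced failures
    policy.record_attempt("bob", False, now=200)
    out["bob_spaced"] = policy.record_attempt("bob", False, now=400)   # t=0 fell out of window
    out["bob_fourth"] = policy.record_attempt("bob", False, now=450)   # three within 300 s
    return out


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step:22} {outcome}")
```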

Valid Forwarding Domains


The Valid Forwarding Domains feature limits the domains to which the BMC Atrium Single Sign-On server
will forward the browser after authentication. To enable this feature, you must provide at least one URL in the
list of Valid Forwarding Domains. An empty list indicates that the feature is disabled.

To add a URL to the list of valid forwarding domains

1. Insert the URL in the Trusted Domain field.
2. Click Add.
3. For the changes to take effect, restart the BMC Atrium Single Sign-On server.

Note
Ensure that you provide the absolute path for the URL that you enter in the list of Valid Forwarding
Domains, such as:
https://sample.bmc.com:8080/test

If you try to access a URL that is not present in Valid Forwarding Domains, you are redirected to a page that has
an error message and a link to log out of the BMC Atrium Single Sign-On server.
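As an added example of the check this feature performs on the post-authentication redirect target (it is not BMC's code, and how the product itself matches entries is not documented here), the following Python assumes that each absolute entry is matched on its URL origin, that is scheme, host and port; the list entries other than the one from the note, the test URLs and the error page path are constructed placeholders.

```python
"""Allowlist check for the post-authentication redirect target (Valid Forwarding Domains).

Added example, not BMC code. Assumption: entries are matched on the URL origin
(scheme, lowercase host, effective port). The error page path is a placeholder.
"""
from typing import Iterable, Tuple
from urllib.parse import urlsplit

Origin = Tuple[str, str, int]


def origin_of(url: str) -> Origin:
    """Return (scheme, lowercase host, effective port) of an absolute http(s) URL.

    Raises ValueError for anything else: relative paths, scheme-relative '//host',
    javascript: URLs, or a URL with no host. The note above requires absolute URLs.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not an absolute http(s) URL: {url!r}")
    port = parts.port if parts.port is not None else (443 if parts.scheme == "https" else 80)
    return parts.scheme, parts.hostname.lower(), port


def validate_forwarding_domains(entries: Iterable[str]) -> Tuple[Origin, ...]:
    """Configuration-time check: every list entry must itself be an absolute URL."""
    return tuple(origin_of(entry) for entry in entries)


def is_forwarding_allowed(goto_url: str, valid_forwarding_domains: Iterable[str]) -> bool:
    allowed = validate_forwarding_domains(valid_forwarding_domains)
    if not allowed:              # empty list: the feature is disabled, any target is forwarded
        return True
    try:
        target = origin_of(goto_url)
    except ValueError:
        return False             # malformed or non-absolute targets never match an entry
    return target in allowed     # the path of the target is not part of the comparison


def post_login_redirect(goto_url: str, valid_forwarding_domains: Iterable[str],
                        error_page: str = "/atriumsso/forwarding-error") -> str:
    """Where the browser is sent after login; error_page stands in for the server's error page."""
    if is_forwarding_allowed(goto_url, valid_forwarding_domains):
        return goto_url
    return error_page


# Constructed list: the entry from the note above plus a made-up second entry.
VALID_FORWARDING_DOMAINS = [
    "https://sample.bmc.com:8080/test",
    "https://midtier.example.net/arsys/home",
]

if __name__ == "__main__":
    for goto in ("https://SAMPLE.bmc.com:8080/other?x=1",   # same origin, different path: allowed
                 "https://sample.bmc.com/test",              # port 443, not 8080: rejected
                 "https://sample.bmc.com.example.org:8080/", # different host: rejected
                 "//example.org/"):                           # not absolute: rejected
        print(f"{goto:45} -> {post_login_redirect(goto, VALID_FORWARDING_DOMAINS)}")
```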

Editors available from Realm Editor


The following editors are used for creating and editing authentication module instances, SAML federation, and
user stores.

User and Group editors


User Editor
Group Editor

Authentication module instance editors


AR Editor (see page 223)
LDAP (Active Directory) Editor (see page 223)
Kerberos Editor (see page 227)
SecurID Editor (see page 227)
CAC (certificate) Editor

Federation editors
Local Service Provider (SP) Editor (see page 230)
Create Identity Provider (see page 228)
Remote Identity Provider (IdP) Editor
Local Identity Provider (IdP) Editor
Create Service Provider (see page 229)
Remote Service Provider (SP) Editor (see page 232)

User store editors


AR User Store Editor
LDAPv3 (Active Directory) User Store Editor (see page 225)

User Editor
The User Editor allows you to provide specific information about the user as well as to set their status (Active or Inactive).
Save saves your modifications.
Reset removes your modifications.
Help accesses online help.
Cancel cancels and returns you to the Users tab on the Realm Editor.
There are two tabs available from the User Editor:
Main tab allows you to create and edit user information.
Groups tab allows you to assign users to groups.

Tab | Parameters | Description
Main | User ID | The name of the user that you are creating or editing.
Main | Status | Active and Inactive status are available.
Main | User information | Provide the user information. As a minimum, provide the full name, first name, last name, and a default password and confirm password.
Groups | Available Groups | The list of groups available on the system.
Groups | Member Of | The list of groups of which the user is a member.

Add and Add All allows you to add groups to this user. The group is then listed in the Member Of list rather
than the Available Groups list.
Remove and Remove All allows you to remove groups from this user. The group is then listed in the
Available Groups list rather than the Member Of list.

Group Editor
The Group Editor allows you to create a group and to add users to the group. You can add users individually or
add all users to the members list and you can delete users individually or delete all users from the members list.
Save saves your modifications.
Reset removes your modifications and keeps you on the Group Editor.
Help accesses the online help.
Cancel cancels and returns you to the Groups tab on the Realm Editor.
Group Name: The name of the group that you are creating or editing.
Available Users: The list of users available on the system. You can filter the list by any character in the User ID. For example, if you type r in the Filter field, every user whose User ID contains the letter r is displayed. If the Filter field is empty, all users are displayed.
Members: The list of users that are members of this group.
Add and Add All move users from the Available Users list to the Members list.
Remove and Remove All move users from the Members list back to the Available Users list.


AR Editor
Server Host Name: (Required) The fully qualified domain name (FQDN) of the host where the AR System server runs, that is, the server name plus its domain (for example, yourServer.bmc.com).
Server Port Number: (Required) The port on which the AR System server is listening. Enter 0 if the AR System server uses port mapping.
Default Authentication String: Used only when the AR module is placed downstream in a chain from another authentication module that prompts the user only for a name and password. In that case the user name and password already supplied are re-used, together with this authentication string, to authenticate the user against the AR System server.
Allow AR Guests: If enabled, unknown or invalid users are allowed to authenticate to the AR System server as guests. Leave this disabled unless guest access to the AR System server through single sign-on is intended.

AR User Store Editor

Name: Label for the AR user store.

AR Server Host
Host Name: (Required) The fully qualified domain name (FQDN) of the host where the AR System server runs, that is, the server name plus its domain. Replace the default value (sample.bmc.com) with the host name of your server (for example, yourServer.bmc.com).
Port: (Required) Default: 0. The port on which the AR System server is listening. The value 0 is used when the AR System server uses port mapping.

Administrative Access
Name: (Required) The user name of an account in this AR System server that has AR System Administrator privileges. Empty or blank passwords for this internal user are not supported with a new user store.
Authentication: The authentication string that is needed when the administrator account connects to the AR System server.
Password and Confirm Password: The password of the AR System administrative account (for example, the account named admin).

Connection Pool
Linger Time (seconds): (Required) Default: 60. The time, in seconds, that a connection may remain unused in the pool before it is closed.
Pool Size: (Required) Default: 10. The maximum number of connections the user store uses to service requests to the AR System server.

LDAP (Active Directory) Editor

Primary LDAP Server
Name: (Required) The fully qualified domain name (FQDN) of the primary LDAP server.
Port: If the LDAP server is not listening on the default port (389), specify the port number. LDAP over SSL conventionally listens on 636.
Use SSL: (Optional) Enable to use SSL to connect to the LDAP servers. Before communications can be established, the certificates for the LDAP servers (primary and secondary) must be imported into the BMC Atrium Single Sign-On Tomcat truststore; see Importing a certificate into the truststore (see page 243). If the remote LDAP server requires client authentication for SSL, the BMC Atrium Single Sign-On server's certificate might also need to be imported into the LDAP server's truststore.
Note: If you enable SSL access to the LDAP server, import the certificates and restart the Tomcat server before enabling LDAP authentication. See Managing keystores with a keytool utility (see page 239) for more information.

Secondary LDAP Server
Name: The secondary LDAP server is used only when the primary server is not available. It is not used in parallel with the primary, nor when a user fails to authenticate against the primary.
Port: If the secondary server is not listening on the default LDAP port, specify the port number.
Use SSL: (Optional) Enable to use SSL to connect to the secondary server. The same truststore import and Tomcat restart requirements apply as for the primary server.
Set Recheck Primary Server Interval (minutes): (Optional) How long the server continues to use the secondary server before it attempts to reconnect to the primary server.

User Account for Search
Distinguished Name, Password, Confirm Password: (Required) The DN is the login name used to bind to the LDAP server. The account must have privileges to perform searches on both the primary and secondary LDAP servers; a dedicated read-only search account is preferable to an administrative one. Enter the DN, the password, and the password confirmation. For example, CN=bsmuser,CN=users,DC=bsmdsl,DC=bmc,DC=com with a password of your choice.

Attributes for User Search
Attribute Name: The attribute names that are searched for the user's login name. Use the Attribute Name field to add a name to the list or to remove one. For example, CN.

DN to Start Search
Base DN: The starting points within the LDAP directory for user searches. Add a base DN to the list or remove one. Keep each base DN as specific as possible for performance. The depth of the search can be configured; if an Object search is specified, the DN must be the node that contains the users. For example, CN=users,DC=bsmdsl,DC=bmc,DC=com.
Attribute for User Profile Name: The attribute whose value is used as the user's profile name in BMC Atrium Single Sign-On. For example, CN.


LDAPv3 (Active Directory) User Store Editor

The LDAPv3 user store uses Active Directory as the user store type. The General tab contains the LDAP server connection parameters. The Search tab contains the parameters used to search for user and group attributes.

General tab

LDAP Server
Name: (Required) The fully qualified domain name (FQDN) of the primary LDAP server.
Port: If the LDAP server is not listening on the default port (389), specify the port number. LDAP over SSL conventionally listens on 636.
Use SSL: (Optional) Enable SSL for connections to the LDAP servers. Before enabling SSL, import the certificates for the LDAP servers (primary and secondary) into the JVM truststore and the BMC Atrium Single Sign-On Tomcat truststore (see Importing a certificate into the truststore, page 243); if client authentication is required, import the BMC Atrium Single Sign-On server's certificate into the LDAP server's truststore; then restart the Tomcat server. For more information about CA certificates, see Managing keystores with a keytool utility (see page 239).

User Account for Search
Distinguished Name, Password, Confirm Password: (Required) The DN is the login name used to bind to the LDAP server. The account must have privileges to perform searches on the primary and secondary LDAP servers. Enter the DN, the password, and the password confirmation.

Connection Pool
Minimum Size, Maximum Size: The connection pool settings adjust the performance of BMC Atrium Single Sign-On and the load on the LDAP server. Before modifying the default values, BMC recommends that you complete performance timings to determine appropriate values.

Attribute Mapping
External Attribute, Atrium SSO Attribute: Attribute mapping takes user attributes (such as email address or phone number) from the external data store and maps them to the attributes used within BMC Atrium Single Sign-On. To define a mapping, enter the name of the External Attribute, select the Atrium SSO Attribute that it maps to from the drop-down list, and click Add to put the new mapping into the table.
Search tab

Search
Base DN: Starting location within the LDAP directory for user and group searches. Keep the search DN as specific as possible for performance. The depth of the search can be configured; if an object search is specified, the DN must be the node that contains the users.
Search Timeout (seconds): Number of seconds a search runs before it times out.
Max Search Results: Maximum number of results that are returned.

Users
Search Attribute: The user attribute on which the search is performed.
Search Filter: The filter for user searches. If the object class named in the default filter is not used by user entries on the server, searches fail. For example, (objectclass=person).

Users - Status
Status Attribute: The attribute that indicates the user status. For example, userAccountControl.
Active Value: The value of the attribute when the account is active.
Inactive Value: The value of the attribute when the account is inactive. Note that userAccountControl is a bit field in Active Directory, so disabled accounts do not all share one value (for example, 514 and 66050 are both disabled); verify the chosen values against a known active and a known disabled account.

Users - People Container
Container Attribute: The LDAP attribute used to identify the container holding the people entries.
Attribute Value: The value of that attribute. If people are not within a container (relative to the group), leave both values blank.

Users
Attribute Name for Group: The user attribute that identifies the groups to which the user belongs. For example, memberOf.

Groups
Search Attribute: The attribute that holds the name of the group. This attribute value is used in searches for user groups.
Search Filter: Validate that the Groups Search Filter is correct for the LDAP server. If the object class specified is not applicable, update the filter with the correct objectclass name. For example, (objectclass=group).

Groups - Groups Container
Container Attribute: The LDAP attribute used to identify the container holding the groups.
Attribute Value: The value of that attribute. If groups are not within a container (relative to the user), leave both values blank.

Groups
Attribute Name for User: The attribute of a group that contains the names of the users belonging to the group.

Caching
Max Age (seconds): The maximum time that a cached value continues to be used before it is refreshed from the external LDAP server.
Cache Size (bytes): The number of bytes of memory used to hold cached search items from the external LDAP server.
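The following is an added example, not BMC code, showing how the Search tab settings above combine into the search the user store actually runs and how a userAccountControl value should be read. The filter composition and the sample entries are constructed for illustration; the RFC 4515 escaping rules, the userAccountControl bit values and the bitwise-AND matching rule OID are standard LDAP and Active Directory facts.

```python
"""Effective user search and account-status evaluation for the LDAPv3
(Active Directory) user store Search tab settings.

Added example, not BMC code. The sample entries and the way the editor's
fields are modelled are constructed; the escaping rules, bit values and
matching rule OID are standard."""

# Windows userAccountControl flag bits.
UF_ACCOUNTDISABLE = 0x0002        # set when the account is disabled
UF_NORMAL_ACCOUNT = 0x0200        # 512: ordinary user account
UF_DONT_EXPIRE_PASSWD = 0x10000   # 65536: password never expires

# Active Directory extensible matching rule that tests a single bit.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"


def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515 so that a login name such as
    '*)(objectclass=*' cannot change the structure of the search filter."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def user_search_filter(search_filter: str, search_attribute: str, user_id: str) -> str:
    """AND the Users Search Filter with the Search Attribute and the login name;
    this is the search performed when a user authenticates."""
    return f"(&{search_filter}({search_attribute}={escape_filter_value(user_id)}))"


def disabled_accounts_filter(status_attribute: str = "userAccountControl") -> str:
    """Filter matching every disabled account whatever other bits are set;
    useful for checking which raw values actually occur in the directory."""
    return f"({status_attribute}:{LDAP_MATCHING_RULE_BIT_AND}:={UF_ACCOUNTDISABLE})"


def account_status(user_account_control: int) -> str:
    """Active/Inactive from the disable bit: 512 and 66048 are active, 514 and
    66050 are inactive, although the four raw values all differ."""
    return "Inactive" if user_account_control & UF_ACCOUNTDISABLE else "Active"


def single_value_status(raw: str, active_value: str, inactive_value: str):
    """A plain string comparison against one Active Value and one Inactive
    Value, modelling the editor's two fields (assumed behaviour). None means
    the raw value matched neither, which is how 66050 slips past an Inactive
    Value of 514."""
    if raw == active_value:
        return "Active"
    if raw == inactive_value:
        return "Inactive"
    return None


# Constructed sample entries, as a search on sAMAccountName might return them.
SAMPLE_ENTRIES = {
    "jdoe": {"userAccountControl": "512"},
    "svc-build": {"userAccountControl": "66048"},   # active, password never expires
    "contractor": {"userAccountControl": "66050"},  # disabled, password never expires
}


def lookup_status(user_id: str) -> str:
    """Status of a sample user using the bit test; unknown users raise KeyError."""
    return account_status(int(SAMPLE_ENTRIES[user_id]["userAccountControl"]))


if __name__ == "__main__":
    print(user_search_filter("(objectclass=person)", "sAMAccountName", "jdoe"))
    print(disabled_accounts_filter())
    for uid, entry in SAMPLE_ENTRIES.items():
        print(uid, lookup_status(uid),
              single_value_status(entry["userAccountControl"], "512", "514"))
```

Run the bit-test filter against the directory before settling on the Active Value and Inactive Value fields; any disabled account whose raw value differs from the configured Inactive Value would otherwise be treated as neither active nor inactive.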


Kerberos Editor

Service Principal: The Kerberos service principal used for authentication; clients request a service ticket for this principal when they authenticate. The principal name is based on the host name of the server running BMC Atrium Single Sign-On (for browser authentication, typically of the form HTTP/<fqdn>@<REALM>).
Keytab File Name: The absolute path to the Kerberos keytab file used for authentication. The keytab holds the long-term key of the service principal and is therefore as sensitive as the principal's password: restrict read access to the account that runs the Tomcat server.
Kerberos Realm: The Kerberos realm, that is, the KDC domain name.
KDC Server: The KDC host name. Enter the fully qualified domain name (FQDN) of the domain controller.
UserId Format: The following parameters are used:
Use Domain Name with Principal: If this check box is selected, BMC Atrium Single Sign-On automatically uses the Kerberos principal together with the domain controller's domain name during authentication.
Forced character case: Selects the character case applied to the user ID: No change, UPPERCASE, or lowercase. The UserId is displayed in the selected format in the user store.
Return UserId to User Store: If this check box is selected, user store searches use the original UserId instead of the value modified by the UserId Format parameter. For example, the user ID from the authentication could be atsso\abcxyz, while the value abcxyz is used to search the user store.

SecurID Editor

ACE/Server Configuration Path: The full path of the sdconf.rec file, which the module uses to contact the RSA SecurID (ACE/Server) server. If the file is moved, specify the full path of its new location.

CAC (certificate) Editor

Name: The name for this certificate and CAC authentication module instance.
Use OCSP: Select Use OCSP to validate certificates against an OCSP responder. BMC recommends OCSP for validation.
Note: The clock skew between the BMC Atrium Single Sign-On server and the OCSP server must not be greater than 15 minutes; otherwise certificate authentication fails. See Clock skew too great for CAC authentication (see page 331).
Certificate Field for User Profile: Select the certificate field that identifies the user profile: Subject CN (Common Name attribute of the Subject DN), Subject DN (Distinguished Name), Subject UID (UID attribute of the Subject DN), Email, None, or Other.

Forwarded Certificates
When the server runs behind a load balancer or reverse proxy, the SSL/TLS connection terminates at the proxy, so the server cannot itself verify that the client possesses the private key for the certificate. Because of this, the server accepts a forwarded certificate only from a fronting host that is listed as trusted. The fronting host must require and verify the client certificate on its own connection and must overwrite any copy of the certificate header sent by the client, because the server trusts whatever arrives under that header name from a trusted host.
Forwarded Certificate List: The list of trusted host names added through the Trusted Host Name field. To delete an entry, select the trusted host name and click Remove.
Trusted Host Name: The name of a host from which a forwarded certificate is trusted.
Certificate HTTP Header Name: The name of the HTTP header under which the forwarded certificate is passed.

Certificate Revocation Lists (CRL)
Use CRL: Select Use CRL to check certificates against a Certificate Revocation List (CRL).
Note: BMC does not recommend the CRL approach because of the performance load caused by the ever-increasing length of CRLs.
LDAP Server Where Certificates are Stored: The host and port of the LDAP server where the certificates are stored, written as the host name followed by a colon and the port number.
LDAP Start Search DN: The DN of the node at which the search within the LDAP server starts. The account used to connect to the LDAP server must have sufficient privileges to perform the search.
LDAP Server Password, Confirm LDAP Server Password: Provide and confirm the password used to connect to the LDAP server.
Check CA with CRL: When a certificate is verified, the CA certificate that signed it is also checked against the CRL.
Use SSL/TLS: If SSL is used, the LDAP server certificate must be imported into the BMC Atrium Single Sign-On truststore so that the SSL connection to the LDAP server can be established.
Trusted Certificates: Browse your desktop to upload a trusted certificates file; once uploaded, it appears in the trusted certificates list. To remove a file, select it and click Remove.
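The following is an added example, not BMC code, that shows the trust decision behind the Forwarded Certificates settings and the Certificate Field for User Profile options. It assumes the fronting proxy has already verified the client certificate and that the server has decoded the forwarded certificate down to its Subject DN string; the trusted host names, the header name X-Client-Cert, the peer host names and the DNs are all constructed.

```python
"""Trust gate for a client certificate forwarded by a reverse proxy, and
selection of the Certificate Field for User Profile from the Subject DN.

Added example, not BMC code. The proxy host names, header name, peer names
and DNs are constructed; certificates are represented by their Subject DN
string, as if already decoded."""

TRUSTED_HOST_NAMES = {"proxy1.example.com", "proxy2.example.com"}  # Forwarded Certificate List
CERT_HEADER = "X-Client-Cert"                                       # Certificate HTTP Header Name


def forwarded_certificate(peer_host, headers, trusted_hosts=TRUSTED_HOST_NAMES,
                          header_name=CERT_HEADER):
    """Return the forwarded certificate only if the immediate peer is a trusted
    host. From any other peer the header is ignored: a client that can reach
    the server directly could otherwise assert any identity it likes."""
    if peer_host not in trusted_hosts:
        return None
    for name, value in headers.items():   # HTTP header names are case-insensitive
        if name.lower() == header_name.lower():
            return value
    return None


def parse_dn(dn):
    """Split an RFC 4514 DN string into (type, value) pairs, honouring backslash
    escapes so that 'CN=Doe\\, Jane' keeps its comma. Multi-valued RDNs (+) are
    not handled."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current))
    pairs = []
    for rdn in rdns:
        attr_type, _, attr_value = rdn.partition("=")
        pairs.append((attr_type.strip().upper(), attr_value.strip()))
    return pairs


def first_attribute(subject_dn, attr_type):
    """Value of the first RDN of the given type, or None."""
    for t, v in parse_dn(subject_dn):
        if t == attr_type:
            return v
    return None


def profile_field(subject_dn, option, email=None):
    """The value the user-profile lookup keys on for the selected editor option.
    Email normally comes from the certificate's subjectAltName and is passed in."""
    if option == "Subject DN":
        return subject_dn
    if option == "Subject CN":
        return first_attribute(subject_dn, "CN")
    if option == "Subject UID":
        return first_attribute(subject_dn, "UID")
    if option == "Email":
        return email
    if option == "None":
        return None
    raise ValueError(f"unsupported option: {option}")


def user_identifier(peer_host, headers, tls_client_dn, option):
    """Pick the certificate to use: one forwarded by a trusted proxy, otherwise
    the one presented on the server's own TLS connection (None if neither)."""
    dn = forwarded_certificate(peer_host, headers)
    if dn is None:
        dn = tls_client_dn
    return None if dn is None else profile_field(dn, option)


if __name__ == "__main__":
    hdr = {"X-Client-Cert": "CN=Jane Doe,OU=People,O=Example,C=US"}
    print(user_identifier("proxy1.example.com", hdr, None, "Subject CN"))   # Jane Doe
    print(user_identifier("laptop.example.com", hdr, None, "Subject CN"))   # None
```

The second call in the usage block is the case that matters: a client that bypasses the proxy and sends the header itself gets no identity, because its peer name is not in the trusted list. The proxy side of the arrangement must be configured to match, that is, to require a client certificate and to strip or overwrite any incoming header of the configured name.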

Create Identity Provider

Name: Name for the remote IdP.
URL: Select URL to acquire the remote IdP metadata from a URL. Specify the FQDN of the host, including the port and any required path. This URL is IdP-specific; for the metadata URL, consult the IdP documentation. For providing IdP metadata from another Atrium Single Sign-On server, see Providing IdP metadata from another Atrium Single Sign-On server (see page 229).
File Upload: Select File Upload to upload a file that contains the remote IdP metadata.


Providing IdP metadata from another Atrium Single Sign-On server


When using another Atrium Single Sign-On server as an IdP, the following URL template is used to access the
metadata needed by the SP:
https://<host>:<port>/atriumsso/saml2/jsp/exportmetadata.jsp?role=idp&realm=BmcRealm&entityid=<entityid>
In this case:

host is the FQDN of the BMC Atrium Single Sign-On server hosting the IdP.
port is the port used for secure communication of the BMC Atrium Single Sign-On server hosting the IdP.
entityid is the name of the IdP hosted by the BMC Atrium Single Sign-On server.
For example:

https://idp.bmc.com:8443/atriumsso/saml2/jsp/exportmetadata.jsp?role=idp&realm=BmcRealm&entityid=https://idp:1844

Create Service Provider

Name: Name for the remote SP.
URL: Select URL to acquire the remote SP metadata from a URL. Specify the FQDN of the host, including the port and any required path. This URL is SP-specific; for the metadata URL, consult the SP documentation. For providing SP metadata from another Atrium Single Sign-On server, see Providing SP metadata from another Atrium Single Sign-On server (see page 229).
File Upload: Select File Upload to upload a file that contains the remote SP metadata.

Providing SP metadata from another Atrium Single Sign-On server

For accessing SP metadata, the following URL syntax is used:
https://<host>:<port>/atriumsso/saml2/jsp/exportmetadata.jsp?role=sp&realm=BmcRealm&entityid=<entityid>
In this case:

host is the FQDN of the server hosting the SP.
port is the port used for secure communications of the server hosting the SP.
entityid is the name of the SP hosted by the server.
For example:

https://sp.bmc.com:8443/atriumsso/saml2/jsp/exportmetadata.jsp?role=sp&realm=BmcRealm&entityid=https://sp:8443/a
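The following is an added example, not BMC code, covering both the IdP and the SP metadata URLs above: it builds the exportmetadata.jsp URL from the host, port, role and entity ID, and reads out of the returned metadata the facts the other side of the federation needs (role, entityID, signing certificate, endpoints). SAMPLE_IDP_METADATA is a constructed minimal SAML 2.0 EntityDescriptor with a placeholder certificate; the example.com hosts and endpoint paths in it are invented, and only the exportmetadata.jsp path and its query parameter names come from this page.

```python
"""Metadata export URL for an IdP or SP hosted by BMC Atrium Single Sign-On,
and a reader for the facts a peer needs from the returned metadata.

Added example, not BMC code. SAMPLE_IDP_METADATA, its hosts and its endpoint
paths are constructed; the export path and query names are from the page."""
from urllib.parse import urlencode
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}
EXPORT_PATH = "/atriumsso/saml2/jsp/exportmetadata.jsp"


def metadata_url(host, port, role, entityid, realm="BmcRealm"):
    """Build the export URL. The query is percent-encoded because an entity ID
    is itself a URL and may contain characters such as '&' or '='."""
    if role not in ("idp", "sp"):
        raise ValueError("role must be 'idp' or 'sp'")
    query = urlencode({"role": role, "realm": realm, "entityid": entityid})
    return f"https://{host}:{port}{EXPORT_PATH}?{query}"


SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com:8443/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIICPLACEHOLDER
        BASE64
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com:8443/sso/redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com:8443/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_metadata(xml_text):
    """Return role, entityID, signing certificates (base64, whitespace removed)
    and the endpoints keyed by SAML binding URI."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    if root.find("md:IDPSSODescriptor", NS) is not None:
        role, endpoint = "idp", ".//md:SingleSignOnService"
    elif root.find("md:SPSSODescriptor", NS) is not None:
        role, endpoint = "sp", ".//md:AssertionConsumerService"
    else:
        raise ValueError("metadata describes neither an IdP nor an SP")
    certs = []
    for kd in root.iter(f"{{{MD}}}KeyDescriptor"):
        if kd.get("use") in (None, "signing"):   # no 'use' means signing and encryption
            for cert in kd.iter(f"{{{DS}}}X509Certificate"):
                certs.append("".join((cert.text or "").split()))
    endpoints = {e.get("Binding"): e.get("Location") for e in root.iterfind(endpoint, NS)}
    return {"role": role, "entity_id": root.get("entityID"),
            "signing_certs": certs, "endpoints": endpoints}


def check_role(meta, expected_role):
    """True when the metadata really describes the role it was requested for;
    SP metadata pasted into Create Identity Provider fails this check."""
    return meta["role"] == expected_role


if __name__ == "__main__":
    print(metadata_url("idp.bmc.com", 8443, "idp", "https://idp:1844"))
    meta = parse_metadata(SAMPLE_IDP_METADATA)
    print(meta["entity_id"], check_role(meta, "idp"), sorted(meta["endpoints"]))
```

Fetch the URL over HTTPS with the TLS certificate chain verified, or use File Upload with a copy obtained out of band: the signing certificate carried in this metadata becomes the trust anchor for every assertion the SP will accept from that IdP. Metadata from a third party should be parsed with a hardened parser such as defusedxml rather than bare ElementTree.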

Local Identity Provider (IdP) Editor

Name: Name for the IdP, or accept the provided name. The Name field is pre-populated with a value that reflects the expected IdP name.
Binding: Determines how SAML messages are sent and received between the IdP and the SP. HTTP-Redirect and HTTP-POST are used when a direct connection between the IdP and the SP is not possible. The two bindings differ in how the SAMLv2 message is carried: in an HTTP redirect URL or in an XHTML form submitted by POST.

Sign Messages
Signing Certificate Alias: The alias of the key pair whose private key signs the selected SAML messages. Signatures let the receiver verify that a message was not altered in transit and that it originated with the IdP.
Authentication Request, Logout Request, Logout Response, Manager Name ID Request, Manager Name ID Response, and Artifact Resolve: The SAMLv2 messages that the IdP signs, or that it requires to have been signed by the SP.

Encrypt Elements
Encryption Certificate Alias: The alias of the certificate whose public key encrypts the symmetric key that in turn encrypts the SAMLv2 elements; only the holder of the matching private key can decrypt them.
Encryption Algorithm: The algorithm used to encrypt SAMLv2 elements: None, 3DES, AES-128, or AES-256. Prefer AES; 3DES is retained only for peers that cannot do better.
Name ID: Specifies whether the Name ID is encrypted or left in plain text.

Assertion Time
Not-Before Skew (seconds): To compensate for clock drift between machines, the amount of time before a message's issue time during which the message is still accepted.
Effective Time (seconds): The time an assertion remains valid, counted from its issue time.

Attribute Mapping: Attribute mapping takes user attributes (such as email address or phone number) from the external user store and maps them to the attributes used within BMC Atrium Single Sign-On. To define a mapping, enter the Name In Assertion, select the Local Attribute Name from the drop-down list, and click Add to put the new mapping into the table.

Local Service Provider (SP) Editor

Name: Name for the SP, or accept the provided name. The Name field is pre-populated with a value that reflects the expected SP name.
MetaAlias: The internally generated identifier for the entity. This value is used in the SAMLv2 login URL specified in the agent configuration.
Binding: Determines how SAML messages are sent and received between the IdP and the SP. HTTP-Redirect and HTTP-POST are used when a direct connection between the IdP and the SP is not possible. The two bindings differ in how the SAMLv2 message is carried: in an HTTP redirect URL or in an XHTML form submitted by POST.
Artifact Encoding: The encoding used for assertion artifacts. The encoding method is determined by the IdP and is usually related to the binding method. Select URI or FORM from the drop-down list.

Sign Messages
Signing Certificate Alias: The alias of the key pair whose private key signs the selected SAML messages. Signatures let the receiver verify that a message was not altered in transit and that it originated with the SP.
Authentication Request, Logout Request, Logout Response, Manager Name ID, Artifact Resolve, and Post Resolve: The SAMLv2 messages that the SP signs, or that it requires to have been signed by the IdP.

Encrypt Elements
Encryption Certificate Alias: The alias of the certificate whose public key encrypts the symmetric key that in turn encrypts the SAMLv2 elements; only the holder of the matching private key can decrypt them.
Encryption Algorithm: The algorithm used to encrypt SAMLv2 elements: None, 3DES, AES-128, or AES-256. Prefer AES; 3DES is retained only for peers that cannot do better.
Assertion, Attribute, Name ID: Specifies whether the Assertion, Attribute, and Name ID elements are encrypted or left in plain text.

Assertion Time
Not-Before Skew (seconds): To compensate for clock drift between machines, the amount of time before a message's issue time during which the message is still accepted.
Effective Time (seconds): The time an assertion remains valid, counted from its issue time.

SOAP Basic Authentication: SOAP Basic authentication can be enabled to protect the SOAP SP endpoints. Any provider accessing these endpoints must supply this user name and password. The credentials travel in the HTTP Authorization header, so these endpoints must be reachable only over SSL/TLS.
Attribute Mapping: Attribute mapping takes user attributes (such as email address or phone number) from the external user store and maps them to the attributes used within BMC Atrium Single Sign-On. To define a mapping, enter the SAML Attribute, select the Atrium SSO Attribute that it maps to from the drop-down list, and click Add to put the new mapping into the table.
Auto Federation: Allows BMC Atrium Single Sign-On to use an attribute of the assertion from the IdP to create an identity within BMC Atrium Single Sign-On automatically, bypassing the initial double login normally performed when federating a user account with SAMLv2. Choose an attribute that the IdP asserts uniquely for each user, because the asserted value alone determines which local identity is created or used.
Name ID Format: Defines the name identifier formats supported by the service provider. Name identifiers are the way providers refer to a user when communicating with each other. The list is ordered: the first Name ID format has the highest priority. If the user does not specify a Name ID format when initiating single sign-on, the first format in the list that the remote Identity Provider supports is used. A persistent identifier is saved to the user's data store entry as the value of two attributes; a transient identifier is temporary and nothing is written to the user's persistent data store.
Note: To link user accounts from the SP and the IdP (Remote Identity Provider) together after logging in, the persistent Name ID format must be at the top of the list.
Authentication Context: Maps the SAMLv2-defined authentication context classes to the authentication level set for the user session at the service provider.

Remote Identity Provider (IdP) Editor

Name: Name for the IdP, or accept the provided name. The Name field is pre-populated with a value that reflects the expected IdP name.
Binding: Determines how SAML messages are sent and received between the IdP and the SP. HTTP-Redirect and HTTP-POST are used when a direct connection between the IdP and the SP is not possible. The two bindings differ in how the SAMLv2 message is carried: in an HTTP redirect URL or in an XHTML form submitted by POST.

Sign Messages
Signing Certificate Alias: The alias of the certificate that identifies the signing key of the remote IdP. It is used to verify that the selected SAML messages were not altered in transit and originated with the IdP.
Authentication Request, Logout Request, Logout Response, Manager Name ID Request, Manager Name ID Response, and Artifact Resolve: The SAMLv2 messages that the IdP is expected to sign, or that the SP must sign when sending them to the IdP.

Encrypt Elements
Encryption Certificate Alias: The alias of the certificate whose public key encrypts the symmetric key that in turn encrypts the SAMLv2 elements; only the holder of the matching private key can decrypt them.
Encryption Algorithm: The algorithm used to encrypt SAMLv2 elements: None, 3DES, AES-128, or AES-256. Prefer AES; 3DES is retained only for peers that cannot do better.
Name ID: Specifies whether the Name ID is encrypted or left in plain text.

Remote Service Provider (SP) Editor

Name: Name for the SP, or accept the provided name. The Name field is pre-populated with a value that reflects the expected SP name.
MetaAlias: The internally generated identifier for the entity. This value is used in the SAMLv2 login URL specified in the agent configuration.
Binding: Determines how SAML messages are sent and received between the IdP and the SP. HTTP-Redirect and HTTP-POST are used when a direct connection between the IdP and the SP is not possible. The two bindings differ in how the SAMLv2 message is carried: in an HTTP redirect URL or in an XHTML form submitted by POST.
Artifact Encoding: The encoding used for assertion artifacts. The encoding method is determined by the IdP and is usually related to the binding method. Select URI or FORM from the drop-down list.

Sign Messages
Signing Certificate Alias: The alias of the certificate that identifies the signing key of the remote SP. It is used to verify that the selected SAML messages were not altered in transit and originated with the SP.
Authentication Request, Logout Request, Logout Response, Manager Name ID, Artifact Resolve, and Post Resolve: The SAMLv2 messages that the SP is expected to sign, or that the IdP must sign when sending them to the SP.

Encrypt Elements
Encryption Certificate Alias: The alias of the certificate whose public key encrypts the symmetric key that in turn encrypts the SAMLv2 elements; only the holder of the matching private key can decrypt them.
Encryption Algorithm: The algorithm used to encrypt SAMLv2 elements: None, 3DES, AES-128, or AES-256. Prefer AES; 3DES is retained only for peers that cannot do better.
Assertion, Attribute, Name ID: Specifies whether the Assertion, Attribute, and Name ID elements are encrypted or left in plain text.

SOAP Basic Authentication: SOAP Basic authentication can be enabled to protect the SOAP SP endpoints. Any provider accessing these endpoints must supply this user name and password. The credentials travel in the HTTP Authorization header, so these endpoints must be reachable only over SSL/TLS.
Attribute Mapping: Attribute mapping takes user attributes (such as email address or phone number) from the external user store and maps them to the attributes used within BMC Atrium Single Sign-On. To define a mapping, enter the SAML Attribute, select the Atrium SSO Attribute that it maps to from the drop-down list, and click Add to put the new mapping into the table.

10.1.6 Agent manager

The Agent manager provides an Agent panel from which you can edit, delete, and search for agents. The panel shows each agent's name, realm, and state; the state indicates whether the agent is running or down. When searching, * returns all agents. The filter string is matched against every column in the panel, and any agent whose values contain the string is returned for display, so specifying "Running" filters the list to the agents that are running.

Agent Editor
The Agent Editor allows you to modify the configuration of an agent. By modifying the agent configuration, you
can correct problems caused by environment difficulties. For example, a remote host may report its FQDN (Fully
Qualified Domain Name) incorrectly, using a plain name such as machine instead of machine.bmc.com.
The Agent Editor is launched when you select an agent and click Edit. The Agent Editor has the following options:
Save saves your modifications.
Reset removes your modifications and stays on the editor.
Help launches a browser that provides you with online help.
Cancel cancels and returns to the launch page.
Parameter and Description

Notification URL: The URL where the agent will receive notifications from the server about session logouts. It is
composed of the product's base URI with "/atsso" concatenated to the end. For example,
https://sample.bmc.com/arsys/atsso

Status: Determines whether the agent is enforcing SSO authentication (active) or not (inactive).

Logging Level: The level of logging the agent will perform in the product.

Redirect Limit: The number of times that the agent redirects the browser to the server for authentication before
signaling an error; 0 means infinite.

Password and Confirm Password: Password used by the agent to access its configuration in the SSO server.

Cookie Name: The cookie name is the name of the cookie that the agent will check for the SSO session token. It
should match the cookie name of the server configuration.
Note: To ensure browser compatibility, the cookie name should contain only alphanumeric and underscore characters.

Login URI and Logout URI: Login and logout URIs are the locations to which the agent will send the user's browser
when the specified function is needed. When an agent is federated, the login and logout URLs for the agent must
be modified to interact with the IdP.

Login Probe and Logout Probe: The probe validates that the destination is accessible before sending the user to
the location. If it is not, the agent tells the user that the SSO system is inaccessible. The probe should be turned
off in environments where the URI cannot be contacted from the agent's environment, such as when the URI
contains a host that is to be accessed through a reverse proxy.

Enable Cache: Select this option to enable the session cache. Disabling the cache has a severe performance impact.

Fully Qualified Domain Name Mapping: This FQDN mapping allows the agent to fix the URL used to access the
application in order to get the browser to send cookies to the application. The SSO session is identified through
cookies. When a URL is not using a FQDN host name, the browser does not know the domain of the server and
therefore will not send any cookies to the server.

FQDN of Agent Host: The FQDN entered is the FQDN of the host where the agent is located. Enabling FQDN mapping
causes the agent to perform the forwarding from the entered host names to the entered FQDN.

Trigger host list and Trigger Host Name: The hosts that will trigger the FQDN redirect. The Trigger host list allows
you to remove a host from the list. Trigger Host Name allows you to add a host to the Trigger host list.

Not Enforced URI and URI: The Not Enforced URI field allows you to remove URIs from the Not Enforced URI list.
The URI field allows you to add a URI to the Not Enforced URI list.

10.1.7 HA Nodes manager


The HA Nodes manager is launched from the Administrator Console. On the HA Pie Chart, click Expand. The HA
Nodes manager provides an HA Nodes panel that allows you to edit, delete, and search for an HA node. In
addition, you can click Return to Console to return to the BMC Atrium SSO Admin Console.
When searching for an HA node, * returns all of the names. A letter such as m returns all names with the letter m
in the host name. A short string such as mc returns names that have mc in the host name (for example,
atrium-sso-vm2.bmc.com).
You can sort HA Nodes by each of the columns in the panel:
Host Name
Port
Status
When you edit a host, the Server Configuration Editor pops up. The Server Configuration Editor provides the
parameters that must be updated when you install or configure the BMC Atrium Single Sign-On server; they are
described in Server Configuration Editor (see page 237) under the following topics:
Server Configuration Editor parameters
HTTP Only and HTTPS Only


10.1.8 Server Configuration Editor


The Server Configuration Editor provides the parameters that must be updated when you install or configure
BMC Atrium Single Sign-On server.
The following topics are provided:
Server Configuration Editor parameters (see page 237)
HTTP Only and HTTPS Only (see page 238)

Server Configuration Editor parameters


Field: Cookies

Cookie Name: The cookie name is automatically created at install time for the BMC Atrium Single Sign-On server.
It is generated based upon the FQDN of the BMC Atrium Single Sign-On host.

Cookie Domain: The default cookie domain value is the network domain of the computer you are installing the
server on. The default cookie domain specifies the most restrictive access. This value is used to control cookie
visibility between servers within the domain. For more information about the default cookie domain, see Default
cookie domain.

HTTP Only: Select the HTTP Only check box to mark the BMC Atrium Single Sign-On cookie to prevent non-HTTP
APIs, such as JavaScript, from accessing the cookie. For more information about the HTTP Only parameter, see
HTTP Only and HTTPS Only (see page 238).

HTTPS Only: Select the HTTPS Only check box to mark the cookie with the Secure option, which ensures that the
cookie is transmitted over only HTTPS connections from the browser to the server. For more information about
the HTTPS Only parameter, see HTTP Only and HTTPS Only (see page 238).

Field: amAdmin

Password & Confirm Password: The password for accessing the BMC Atrium Single Sign-On server.

External URL: FQDN for the BMC Atrium Single Sign-On server.

Logging Level: Logging level options are Off, Error, Warning, or Message. Error returns the least amount of
information and Message the most.

Enable FIPS-140: Be sure to configure FIPS-140 before enabling; see Configuring FIPS-140 mode (see page 251).

Online Certificate Status Protocol: CAC can use OCSP. If CAC is using OCSP, be sure to configure CAC before
enabling. If CAC is not using OCSP, configuration is not required. To enable, provide the Server URL and select
Enable OCSP.

Field: Session

Max Session Time: Time after which your session will be logged out even when you are active. The default time
is 120 minutes. The time constraints are automatically enforced when this value is selected.
Note: The Max Session Time value should be more than the Idle Timeout value.

Idle Timeout: Time after which your session will be logged out if you are inactive or away. The default time is
30 minutes. The time constraints are automatically enforced when this value is selected.
Note: When you have integrated BMC Atrium SSO with BMC Remedy AR System, the Idle Timeout value should be 3
minutes more than the BMC Mid Tier idle timeout value.

Cache Time: Time after which the cache will be cleared. Time constraints are automatically enforced. The default
time is 3 minutes.

Max Session Count per User: Maximum number of concurrent sessions allowed for a user. The default value is 5.
Click Enable to enable Max Session Count per User. When the session limit is exceeded, select the desired
behavior. The two options are Delete Oldest or Block New.

HTTP Only and HTTPS Only


With the release of BMC Atrium Single Sign-On 8.1 Patch 3, the Server Configuration Editor provides two new
options: HTTP Only and HTTPS Only.
The HTTP Only parameter marks the BMC Atrium Single Sign-On cookie to prevent non-HTTP APIs, such as
JavaScript, from accessing the cookie. When you enable the HTTPS Only parameter, it marks the cookie with the
Secure option, which ensures that the cookie is transmitted only over HTTPS connections from the browser to
the server.
The default value of both check boxes is false. When set to true, the options prevent scripts and third-party
programs from accessing the cookies.

To secure BMC Atrium Single Sign-On as a stand-alone server


1. Open the Edit Server Configuration tab on the BMC Atrium Single Sign-On Admin Console.
2. Select the HTTP Only and HTTPS Only check boxes, and click Save.
3. Restart the BMC Atrium Single Sign-On server.
4. Clear all the existing cookies from the browser history.

To secure BMC Atrium Single Sign-On as a high-availability cluster


1. Open the HA Node Details tab on the BMC Atrium Single Sign-On Admin Console.
2. Select the node for which the HTTP Only and HTTPS Only options are to be enabled.
3. Select the HTTP Only and HTTPS Only check boxes for each node, and click Save.

Note
Configuration warnings appear, saying that the HTTP Only and HTTPS Only features are out of
sync for some nodes. You can ignore the warnings and click OK.

4. Restart the server.
5. Clear all the existing cookies from the browser history.

Note
A warning is displayed after the configuration change is saved when the HTTP Only, HTTPS Only, Cookie
Name, or Cookie Domain setting is out of sync with other nodes. The warning message includes a list of
other nodes that do not match the currently saved value.
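A check of the settings described in this section, as an added example that is not part of BMC's documentation or product: it inspects a Set-Cookie header from the SSO server for the HttpOnly and Secure attributes that HTTP Only and HTTPS Only add, checks the cookie name against the alphanumeric-and-underscore rule from the Agent Editor, and applies the Max Session Time and Idle Timeout notes from the Server Configuration Editor parameters. The cookie name, domain and token value in the sample headers are constructed.

```python
"""Audit BMC Atrium SSO cookie and session settings (added example, not BMC
code). Feed it a Set-Cookie header captured from the SSO server and the values
shown in the Server Configuration Editor."""
import re

# Agent Editor note: the cookie name should contain only alphanumeric and
# underscore characters to ensure browser compatibility.
COOKIE_NAME_RE = re.compile(r"^[A-Za-z0-9_]+$")

# Constructed sample headers (not captured from a real server); the cookie
# name, domain and token value are made up.
SET_COOKIE_BEFORE = ("atsso_example_com=AQIC5wM2LY4SfczConstructedTokenValue; "
                     "Domain=.example.com; Path=/")
SET_COOKIE_AFTER = SET_COOKIE_BEFORE + "; Secure; HttpOnly"


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attributes).
    Attribute names are lower-cased; flag attributes such as Secure and
    HttpOnly map to True, valued attributes (Domain, Path) to their string."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value.strip(), attrs


def audit_sso_cookie(header, expected_name, expected_domain):
    """Return a list of findings for the SSO session cookie. An empty list
    means HTTP Only and HTTPS Only are both in effect and the cookie carries
    the configured Cookie Name and Cookie Domain."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if name != expected_name:
        findings.append(f"cookie name {name!r} differs from the configured "
                        f"Cookie Name {expected_name!r}")
    if not COOKIE_NAME_RE.match(name):
        findings.append(f"cookie name {name!r} contains characters other than "
                        "alphanumerics and underscore")
    if attrs.get("httponly") is not True:
        findings.append("HttpOnly attribute missing: HTTP Only is not enabled, "
                        "so scripts can read the session token")
    if attrs.get("secure") is not True:
        findings.append("Secure attribute missing: HTTPS Only is not enabled, "
                        "so the token may be sent over plain HTTP")
    domain = attrs.get("domain", "")
    if (not isinstance(domain, str)
            or domain.lstrip(".").lower() != expected_domain.lstrip(".").lower()):
        findings.append(f"Domain {domain!r} differs from the configured "
                        f"Cookie Domain {expected_domain!r}")
    return findings


def audit_session_settings(max_session_min, idle_timeout_min,
                           mid_tier_idle_min=None):
    """Apply the notes from the Session parameters (all values in minutes):
    Max Session Time must exceed Idle Timeout, and with AR System integration
    Idle Timeout should be at least 3 minutes more than the Mid Tier idle
    timeout. Returns a list of findings."""
    findings = []
    if max_session_min <= idle_timeout_min:
        findings.append(f"Max Session Time ({max_session_min}) must be more "
                        f"than Idle Timeout ({idle_timeout_min})")
    if mid_tier_idle_min is not None and idle_timeout_min < mid_tier_idle_min + 3:
        findings.append(f"Idle Timeout ({idle_timeout_min}) should be at least "
                        f"3 minutes more than the Mid Tier idle timeout "
                        f"({mid_tier_idle_min})")
    return findings


if __name__ == "__main__":
    for label, header in (("before", SET_COOKIE_BEFORE), ("after", SET_COOKIE_AFTER)):
        print(label, audit_sso_cookie(header, "atsso_example_com", "example.com"))
    print("defaults", audit_session_settings(120, 30))
```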

10.2 Managing keystores with a keytool utility


The default Tomcat server used by BMC Atrium Single Sign-On uses a keystore and a truststore for secure
(HTTPS/Transport Layer Security) communications. These files are stored in the following directory:
<installationDirectory>/BMC Software/AtriumSSO/tomcat/conf
For more information about using Certificate Authority (CA) certificates, see:
Creating new keystores (see page 240)
Using the keytool utility (see page 241)
Importing a certificate into the truststore (see page 243)
Generating and importing CA certificates
Generating self-signed certificates (see page 249)
Checking the truststore for certificates
The initial keystore created during the installation uses a self-signed certificate. This certificate causes browsers
and other programs to warn users about the insecure nature of the certificate each time the user authenticates.
The certificate warning can be prevented by doing one of the following:
Permanently importing the self-signed certificate into the user's truststore.
Obtaining and importing a signed identity certificate from a trusted CA. The CA vouches for the
authenticity of the server's identity when the user visits BMC Atrium Single Sign-On for authentication.
In this case, the user has an established trust relationship with the CA. This relationship is extended to BMC
Atrium Single Sign-On after a digitally signed identity certificate is imported. By default, BMC Atrium Single
Sign-On is installed with a self-signed certificate. Although valid, this certificate causes warning messages when
users access the server to perform authentication. The warning messages occur because the certificate is not
signed by a CA.

10.2.1 Creating new keystores


The following topics provide information and instructions for creating new keystores:
To create a new keystore (see page 240)
Locations of keystore and truststores (see page 241)
Example of creating a new keystore (see page 241)

To create a new keystore


1. From the command prompt, change your working directory to
<installationDirectory>\AtriumSSO\tomcat\conf.
2. Create a new keystore by using a new password to secure the certificate:

Microsoft Windows:
keytool -genkey -alias tomcat -keyalg RSA -sigalg SHA1withRSA -keystore %CATALINA_HOME%\conf\keystore.p12 -validity 999 -keysize 1024 -storetype pkcs12 -storepass keystore_password -keypass keystore_password -providername JsafeJCE

UNIX:
keytool -genkey -alias tomcat -keyalg RSA -sigalg SHA1withRSA -keystore $CATALINA_HOME/conf/keystore.p12 -validity 999 -keysize 1024 -storetype pkcs12 -storepass keystore_password -keypass keystore_password -providername JsafeJCE

Note
Based on your requirements, you can use a keysize value of 1024 or 2048.

3. After the keystore has been created, you need to provide six parameters, which form the distinguished name
of the certificate associated with the key:
CN - Common Name of the certificate owner (usually the FQDN of the host)
OU - Organizational Unit of the certificate owner
O - Organization to which the certificate owner belongs
L - Locality name of the certificate owner
ST - State or province of the certificate owner
C - Country of the certificate owner
4. Update the server.xml file with the new password for the keystore.
For details, see the Tomcat documentation at http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html#SSL.

Locations of keystore and truststores


With the BMC Atrium Single Sign-On default installation, the keystore and truststores are in the following
locations:
Keystore:
<installationDirectory>/tomcat/conf/keystore.p12
Tomcat truststore:
<installationDirectory>/tomcat/conf/cacerts.p12
JVM truststore:
<installationDirectory>/jvm/jre/lib/security/cacerts.p12

Example of creating a new keystore


The following is an example of how to create a new keystore:

C:\apache-tomcat-6.0.20>keytool -genkey -alias tomcat -keyalg RSA -keystore keystore.p12 -validity 999 -keysize 1024 -storetype pkcs12 -storepass keystore_password -keypass keystore_password
Enter keystore password:
What is your first and last name?
[Unknown]: sample.bmc.com
What is the name of your organizational unit?
[Unknown]: BMC Atrium SSO
What is the name of your organization?
[Unknown]: BMC Software, Inc.
What is the name of your City or Locality?
[Unknown]: Austin
What is the name of your State or Province?
[Unknown]: TX
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=sample.bmc.com, OU=BMC Atrium SSO, O="BMC Software, Inc.", L=Austin, ST=TX, C=US correct?
[no]: yes

10.2.2 Using the keytool utility


The keytool utility is used to obtain a digitally signed identity certificate to replace the self-signed certificate. This
utility is available with Oracle JDKs and BMC Atrium Single Sign-On.
The keytool utility must be available within the shell command environment to generate a certificate signing
request (CSR) or to import a CA signed certificate.
The following topics are provided:
To verify that the keytool utility is available (see page 242)
Setting up the environment (see page 242)
Where to go from here (see page 243)

To verify that the keytool utility is available


1. Open a shell command window.
2. In the command prompt, invoke the keytool utility:
On Windows: Type keytool.exe and press Enter.
On UNIX: Type keytool and press Enter.

Note
The keytool utility from Oracle JDK Java 1.5 or 1.6 can also be used.

3. If the keytool utility is available, a help message is generated that shows the keytool options. The following
is the help output relevant to generating the CSR:

-certreq [-v] [-protected]
[-alias <alias>] [-sigalg <sigalg>]
[-file <csr_file>] [-keypass <keypass>]
[-keystore <keystore>] [-storepass <storepass>]
[-storetype <storetype>] [-providername <name>]
[-providerclass <provider_class_name> [-providerarg <arg>]] ...
[-providerpath <pathlist>]

4. Proceed with generating and importing CA certificates.
If the tool is not available, proceed with setting up the environment.

Setting up the environment


Before running the keytool utility, the PATH environment variable must include the location of the
keytool program.
Update the path as follows:

Note
On UNIX, the keytool program is called keytool. On Windows, the program is keytool.exe.

On Windows
<installationDirectory>\BMC Software\AtriumSSO\jdk\bin
For example,
PATH=<installationDirectory>\BMC Software\AtriumSSO\jdk\bin;%PATH%

On UNIX
<installationDirectory>/BMC Software/AtriumSSO/jdk/bin
For example,
PATH=<installationDirectory>/BMC Software/AtriumSSO/jdk/bin:$PATH

Where to go from here


Generating and importing CA certificates

10.2.3 Importing a certificate into the truststore


To establish secure communications with a remote server (such as a remote LDAP server), a certificate must be
imported into the BMC Atrium Single Sign-On truststore. The certificate must be in printable DER format (file
extension .pem ) or in the binary DER format (file extensions .cer, .crt, or .der ).

Note
For High Availability installations, the certificate must be imported on each node.

The following topics provide information and instructions for importing a certificate into the truststore:
To import the certificate in Windows (see page 243)
To import the certificate in UNIX (see page 244)
Example of importing a new certificate to the truststore (see page 244)
Example of a certificate in DER format (see page 245)

To import the certificate in Windows


1. Copy the file into the BMC Atrium Single Sign-On server's conf directory:
<installationDirectory>\BMC Software\AtriumSSO\tomcat\conf
2. On the command line, change the working directory to:
<installationDirectory>\BMC Software\AtriumSSO\tomcat\conf
3. Modify the environment to use the JDK that is installed with BMC Atrium Single Sign-On.
set PATH=<installationDirectory>\jdk\bin;%PATH%
4. Run the keytool utility with the following parameters:

keytool -importcert -keystore %CATALINA_HOME%\conf\cacerts.p12 -trustcacerts -alias tomcat -keypass truststore_password -storepass truststore_password -file <certificateFile> -storetype PKCS12 -providername JsafeJCE

Note
This keytool command is based on a default installation. Other values might be needed if BMC
Atrium Single Sign-On was installed in an external Tomcat container or if the default truststore
has been altered.

5. Stop and restart the BMC Atrium Single Sign-On server.

To import the certificate in UNIX


1. Copy the file into the BMC Atrium Single Sign-On server's conf directory:
<installationDirectory>/BMC Software/AtriumSSO/tomcat/conf
2. On the command line, change the working directory to:
<installationDirectory>/BMC Software/AtriumSSO/tomcat/conf
3. Modify the environment to use the JDK installed with BMC Atrium Single Sign-On.
PATH=<installationDirectory>/jdk/bin:$PATH;export PATH
4. Run the keytool utility with the following parameters:

keytool -importcert -keystore $CATALINA_HOME/conf/cacerts.p12 -trustcacerts -alias tomcat -keypass truststore_password -storepass truststore_password -file <certificateFile> -storetype PKCS12 -providername JsafeJCE

Note
This keytool command is based on a default installation. Other values may be needed if BMC
Atrium Single Sign-On was installed in an external Tomcat container or if the default truststore
has been altered.

5. Stop and restart the BMC Atrium Single Sign-On server.

Example of importing a new certificate to the truststore


The following is an example of how to import a certificate to the truststore:

C:\apache-tomcat-6.0.20\conf>keytool -import -keystore cacerts.p12 -trustcacerts -alias tomcat -keypass truststore_password -storepass truststore_password -file mykey.cer -storetype PKCS12 -providername JsafeJCE
Owner: CN=sample.bmc.com, OU=BMC Atrium SSO, O="BMC Software, Inc.", L=Austin, ST=TX, C=US
Issuer: CN=sample.bmc.com, OU=BMC Atrium SSO, O="BMC Software, Inc.", L=Austin, ST=TX, C=US
Serial number: 266df6fc
Valid from: Sat Jun 15 10:22:28 BST 2013 until: Thu Mar 10 09:22:28 GMT 2016
Certificate fingerprints:
MD5: 43:C3:22:11:F1:5B:AD:66:73:C5:24:74:80:EF:4F:78
SHA1: 72:05:0F:FE:25:50:F7:B8:4D:F5:E8:BA:8F:88:89:2B:96:93:BB:14
SHA256: DA:9B:BA:85:2E:D2:45:74:3F:FB:D7:6A:D4:86:74:E8:B9:FA:9F:01:25:35:61:CA:00:D1:8C:2B:F8:F6:77:A4
Signature algorithm name: SHA256withRSA
Version: 3
Trust this certificate? [no]: yes
Certificate was added to keystore

Example of a certificate in DER format


The following is an example of a certificate in printable DER format:


10.2.4 Generating and importing CA certificates


The following topics are provided:
Generating CSRs (see page 246)
Adding and removing a CA certificate (see page 248)


By default, BMC Atrium Single Sign-On is installed with a self-signed certificate. Although valid, this certificate
causes warning messages when users access the server to perform authentication. The warning messages occur
because the certificate is not signed by a CA.

To generate and import a CA signed identity certificate


1. Generate a CSR.
The CSR must be sent to a CA to be digitally signed and returned. The CA signs the CSR using a private key,
which validates the server's identity, and returns a signed identity certificate.
For more information, see Generating CSRs (see page 246).
2. Import the CA certificate into the BMC Atrium Single Sign-On Tomcat server keystore.
See Importing a certificate into the truststore (see page 243).
3. Stop and restart the Tomcat server.

Note
The new CA certificate does not take effect until the Tomcat server is restarted.

4. Update all integrated application truststores with the new public key.
The following command shows how to generate a new certificate with the same algorithm and key size as the
certificate generated during the installation. This certificate also includes alternative server names, which enable
the server to be accessed through a different FQDN, as happens when the BMC Atrium Single Sign-On server is
running behind a load balancer or reverse proxy server or is accessed locally from the computer on which the
server is executing.

keytool -genkey -alias tomcat -keyalg RSA -sigalg SHA1withRSA -keysize 2048 -keystore "keystore.p12" -storepass internal4bmc -storetype pkcs12 -providername JsafeJCE -dname "CN=loadbalancer.bmc.com, OU=AtriumSSO Server, O=BMC, ST=TX, C=US" -ext "san=DNS:node1.bmc.com,DNS:node2.bmc.com"

The identity of the owner contains the FQDN of the BMC Atrium Single Sign-On server as the CN attribute of the
Distinguished Name (DN).

Note
The alternative server names can also be specified by the Certificate Authority (CA) when the server
certificate is signed.

Generating CSRs
To obtain a CA signed certificate for BMC Atrium Single Sign-On, you need to generate a CSR.
To generate a CSR in Windows (see page 247)
To generate a CSR in UNIX (see page 247)
CSR Example (see page 247)
Importing the signed certificate (see page 248)
Where to go from here (see page 248)

To generate a CSR in Windows


1. On the command line, change the working directory to:
<installationDirectory>\BMC Software\AtriumSSO\tomcat\conf
2. Modify the environment to use the JDK that is installed with BMC Atrium Single Sign-On.
set PATH=<installationDirectory>\jdk\bin;%PATH%
3. Run the following keytool command:

keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore keystore.p12 -storepass internal4bmc -storetype PKCS12 -providername JsafeJCE

To generate a CSR in UNIX


1. On the command line, change the working directory to:
<installationDirectory>/BMC Software/AtriumSSO/tomcat/conf
2. Modify the environment to use the JDK installed with BMC Atrium Single Sign-On.
PATH=<installationDirectory>/jdk/bin:$PATH;export PATH
3. Run the following keytool command:

keytool -certreq -alias tomcat -keyalg RSA -file certreq.csr -keystore keystore.p12 -storepass internal4bmc -storetype PKCS12 -providername JsafeJCE

Note
For both Windows and UNIX, the supplied default password for the BMC Atrium Single Sign-On Tomcat
server is internal4bmc. You will need to provide another password if the keystore is replaced with a
locally-generated file.

CSR Example
The command generates and saves the CSR in the certreq.csr file. The certreq.csr file is an example and has the
following content:

-----BEGIN NEW CERTIFICATE REQUEST----MIIBmDCCAQECAQAwWDEZMBcGA1UECxMQQXRyaXVtU1NPIFNlcnZlcjEVMBMGA1UEChMMQk1DIFNv
ZnR3YXJlMSQwIgYDVQQDExtpQk1DLUpCSEJCSzEuYWRwcm9kLmJtYy5jb20wgZ8wDQYJKoZIhvcN
AQEBBQADgY0AMIGJAoGBAJABuagV7e12Yu3m0LmNWEmVE4HXrdaB+uOyZFyKLZxO2e+WX3r9vc9q
al5VQSE1yME6ml53B9sWS2RWA5d8xDPW8ppQe3dqQdf3QDDzfXQ18MmZAfraSbv6Y2Tj0Oad10Uf
c8NUXYCvKNcmdHzkabaHuTOXuhfyGyzyCgFdd/jTAgMBAAGgADANBgkqhkiG9w0BAQUFAAOBgQAx
oNCBNvnbYNHD02QOIXEP4eMd9HlfJjvJHtAS6SyibMEd00mq/BD5iV1TewwkmvJRn1BjmzGXNO1c
xbasQaHN9l0+HP4X6aWfRIJtq9GOj4d9Y2wb5L6SEsgnCtnvbHDsMR0AEBLPCR7nVJ4vgQsZ9xLj
EfQB8idnyyimIfoqqQ==
-----END NEW CERTIFICATE REQUEST-----

The keytool command output must be sent to the CA for a digital signature.

Note
The Common Name (CN) of the certificate cannot be modified because the CN must match the host
name of the server. If the names do not match, the browser issues a warning that the server is trying to
impersonate another site.

Importing the signed certificate


After a CSR is signed by a CA, follow the instructions for importing a certificate to the truststore (see page 243).
Before importing the signed certificate, import the signing root CA and any intermediate signing certificates into
the truststore.

Where to go from here


Generating and importing CA certificates

Adding and removing a CA certificate


Adding another certificate is necessary when:
Common Access Card (CAC) authentication is used.
The Department of Defense (DoD) issues new CA certificates.
You are using SSL with LDAP for authentication.
By default, the BMC Atrium Single Sign-On truststore already contains the current certificates for CAC.

Adding a CA certificate
To add another CA certificate, see Importing a certificate into the truststore (see page 243).

Note
Replacing the self-signed certificate on the BMC Atrium Single Sign-On server invalidates the certificates
that are already accepted by users. In addition, you need to install the new certificate into the truststore
of all the integrated BMC applications.


Removing a CA certificate
Before removing a certificate, identify the alias of the certificate by listing the contents of stores.

To list the contents of stores


1. To list the contents of the truststore, use the following command:

keytool -v -list -keystore cacerts.p12 -storepass changeit -providername JsafeJCE

2. To list the contents of the keystore, use the following command:

keytool -v -list -keystore keystore.p12 -storepass internal4bmc -providername JsafeJCE
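To identify self-signed or expiring entries before removing or replacing a certificate, the following added example (not BMC's code) parses the output of the keytool -v -list commands above. For each PrivateKeyEntry it checks the points made earlier in this section: whether the certificate is self-signed (Owner equals Issuer), whether its CN matches the server FQDN, and whether it has expired or is about to. The listing is a constructed sample modeled on the keytool output shown in this section; the alias and entry type lines are assumed to follow keytool's -v listing format.

```python
"""Audit a keytool -v -list dump of the BMC Atrium SSO keystore or truststore (added
example, not BMC code): self-signed server certs, CN mismatches and expiry."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample modeled on the keytool output shown in this section: the tomcat
# entry reuses the page's sample.bmc.com values, the root CA entry is made up. The
# "Alias name" and "Entry type" lines follow keytool's -v listing format.
SAMPLE_LISTING = """\
Alias name: tomcat
Entry type: PrivateKeyEntry
Owner: CN=sample.bmc.com, OU=BMC Atrium SSO, O="BMC Software, Inc.", L=Austin, ST=TX, C=US
Issuer: CN=sample.bmc.com, OU=BMC Atrium SSO, O="BMC Software, Inc.", L=Austin, ST=TX, C=US
Valid from: Sat Jun 15 10:22:28 BST 2013 until: Thu Mar 10 09:22:28 GMT 2016

*******************************************

Alias name: example-root-ca
Entry type: trustedCertEntry
Owner: CN=Example Root CA, O=Example Corp, C=US
Issuer: CN=Example Root CA, O=Example Corp, C=US
Valid from: Mon Jan 02 00:00:00 GMT 2012 until: Fri Jan 02 00:00:00 GMT 2032
"""


@dataclass
class StoreEntry:
    alias: str
    entry_type: str
    owner: str
    issuer: str
    valid_until: datetime


def parse_keytool_date(text: str) -> datetime:
    """'Thu Mar 10 09:22:28 GMT 2016': strptime's %Z rejects most zone abbreviations
    (BST, CET, ...), so the zone token is dropped and a naive datetime returned."""
    tokens = text.split()
    if len(tokens) == 6:
        del tokens[4]
    return datetime.strptime(" ".join(tokens), "%a %b %d %H:%M:%S %Y")


def _field(block: str, label: str) -> str:
    m = re.search(r"^" + re.escape(label) + r":[ \t]*(.+?)[ \t]*$", block, re.M)
    return m.group(1) if m else ""


def parse_keytool_listing(text: str) -> List[StoreEntry]:
    """Split the listing at each 'Alias name:' line; blocks without a validity line are skipped."""
    entries = []
    for block in re.split(r"^(?=Alias name:)", text, flags=re.M):
        valid = re.search(r"^Valid from:.+?\buntil:\s*(.+?)\s*$", block, re.M)
        if not block.startswith("Alias name:") or not valid:
            continue
        entries.append(StoreEntry(
            alias=_field(block, "Alias name"),
            entry_type=_field(block, "Entry type"),
            owner=_field(block, "Owner"),
            issuer=_field(block, "Issuer"),
            valid_until=parse_keytool_date(valid.group(1)),
        ))
    return entries


def cn_of(dn: str) -> Optional[str]:
    """CN attribute of a DN as printed on the Owner line."""
    m = re.search(r"(?:^|,\s*)CN=([^,]+)", dn)
    return m.group(1).strip() if m else None


def audit_entry(entry: StoreEntry, expected_fqdn: str, now: datetime,
                warn_days: int = 30) -> List[str]:
    findings = []
    if entry.entry_type == "PrivateKeyEntry":
        # Owner equal to Issuer means self-signed: browsers warn on every login
        # until a CA-signed certificate replaces it.
        if entry.owner == entry.issuer:
            findings.append(f"{entry.alias}: self-signed (Owner equals Issuer)")
        # The CN must match the host name, or browsers warn of impersonation.
        cn = cn_of(entry.owner)
        if cn is None or cn.lower() != expected_fqdn.lower():
            findings.append(f"{entry.alias}: CN {cn!r} does not match {expected_fqdn!r}")
    if now >= entry.valid_until:
        findings.append(f"{entry.alias}: expired on {entry.valid_until:%Y-%m-%d}")
    elif now + timedelta(days=warn_days) >= entry.valid_until:
        findings.append(f"{entry.alias}: expires within {warn_days} days")
    return findings


def audit_listing(text: str, expected_fqdn: str,
                  now: Optional[datetime] = None) -> Dict[str, List[str]]:
    """Map each alias in the listing to its findings (empty list means clean)."""
    now = now or datetime.now()
    return {e.alias: audit_entry(e, expected_fqdn, now)
            for e in parse_keytool_listing(text)}
```

Pipe the output of the listing command into a file and pass its text to audit_listing with the server's FQDN; a trustedCertEntry that is self-signed (a root CA) is not reported, only expiry is checked for those.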

To remove an existing certificate


1. To remove an existing certificate (identified by myAlias in this example) from the truststore, use the
following command:

keytool -delete -alias myAlias -keystore cacerts.p12 -storepass changeit -providername JsafeJCE

2. To remove a certificate from the keystore, use the following command:

keytool -delete -alias myAlias -keystore keystore.p12 -storepass internal4bmc -providername JsafeJCE

Where to go from here


Generating and importing CA certificates

10.2.5 Generating self-signed certificates


BMC Atrium Single Sign-On is installed with a self-signed certificate.
A self-signed certificate is an identity certificate that is signed by the same entity whose identity it certifies.
A self-signed certificate is used:
By the initial keystore created during installation of BMC Atrium Single Sign-On.
For configuring Secure Sockets Layer (SSL) connection between the agent and the BMC Atrium Single
Sign-On server.


To export the installed self-signed certificate


The following command does not generate a new key pair; it exports the self-signed certificate that the installer
created under the alias tomcat, so that the certificate can be distributed to user and client truststores. Run the
following command:
Microsoft Windows

keytool -export -alias tomcat -keystore %CATALINA_HOME%\conf\keystore.p12 -file %CATALINA_HOME%\conf\mykey.cer -storetype pkcs12 -storepass keystore_password -providername JsafeJCE

For example,

C:\Users\>keytool -export -alias tomcat -keystore keystore.p12 -file mykey.cer -storetype pkcs12 -storepass keystore_password -providername JsafeJCE
Certificate stored in file <mykey.cer>

UNIX

keytool -export -alias tomcat -keystore $CATALINA_HOME/conf/keystore.p12 -file $CATALINA_HOME/conf/mykey.cer -storetype pkcs12 -storepass keystore_password -providername JsafeJCE

Because the certificate is self-signed, browsers and other programs warn users that the certificate is not trusted
each time the user authenticates.
You can prevent the warning by permanently importing the self-signed certificate into the user's truststore. See
Importing a certificate into the truststore (see page 243).

10.2.6 Checking the truststore for certificates


Check the contents of the BMC Atrium Single Sign-On truststore to verify that the certificate has been imported
or that the Issuer (Signer) certificate has been imported.
To perform this check, use the keytool utility to write the contents of the truststore to a text file that you can
review. The keytool utility is available in the Java Development Kit (JDK) that is embedded with a BMC Atrium
Single Sign-On installation. BMC recommends that you use this version of keytool.

To check the truststore for certificates


1. From the command prompt or shell window, change your working directory to:
<installationDirectory>\AtriumSSO\tomcat\conf
2. Add the bin directory to the PATH environment variable.
(UNIX) PATH=<installationDirectory>/AtriumSSO/jdk/bin:$PATH; export PATH
(Microsoft Windows) SET PATH=<installationDirectory>\AtriumSSO\jdk\bin;%PATH%
3. After the PATH variable is set, execute the following keytool command to place the contents into a
certs.txt file:
keytool -list -v -keystore cacerts.p12 -storepass changeit -storetype PKCS12
-providername JsafeJCE > certs.txt
4. Check the certs.txt file for the certificate. If the certificate is not in the truststore, import the desired
certificate into the truststore (see Importing a certificate into the truststore, page 243).
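An added example, not part of the BMC documentation, of what to do with the certs.txt file produced in step 3: parse keytool's -v listing into one record per alias, then look up the issuer you expect and list anything close to expiry. The listing embedded in the script is constructed for the example and follows the field layout of keytool -v output; the aliases and names in it are made up.

```python
"""Review a keytool -list -v dump (certs.txt) of the Atrium SSO truststore.

Added example, not part of the BMC documentation. It answers the two
questions the procedure asks of certs.txt: is the expected certificate or
its issuer present, and is anything in the store about to expire.
SAMPLE_LISTING is constructed for this example and follows the field layout
of keytool -v output; the aliases and names in it are made up.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List

SAMPLE_LISTING = """\
Keystore type: PKCS12
Keystore provider: JsafeJCE

Your keystore contains 2 entries

Alias name: tomcat
Creation date: Jan 16, 2014
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=sso.example.com, O=Example, C=US
Issuer: CN=sso.example.com, O=Example, C=US
Serial number: 1
Valid from: Thu Jan 16 15:56:00 UTC 2014 until: Fri Jan 16 15:56:00 UTC 2015
Certificate fingerprints:
     SHA1: 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
     Signature algorithm name: SHA256withRSA


*******************************************
*******************************************


Alias name: example-root-ca
Creation date: Jan 16, 2014
Entry type: trustedCertEntry

Owner: CN=Example Root CA, O=Example, C=US
Issuer: CN=Example Root CA, O=Example, C=US
Serial number: 2
Valid from: Wed Jan 01 00:00:00 UTC 2014 until: Tue Jan 01 00:00:00 UTC 2030
Certificate fingerprints:
     SHA1: FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00:FF:EE:DD:CC
     Signature algorithm name: SHA256withRSA
"""

FIELDS = {
    "type": re.compile(r"^Entry type: (.+)$", re.M),
    "owner": re.compile(r"^Owner: (.+)$", re.M),
    "issuer": re.compile(r"^Issuer: (.+)$", re.M),
    "sha1": re.compile(r"^\s*SHA1: ([0-9A-F:]+)\s*$", re.M),
}
# "Valid from: <weekday> <mon> <day> <time> <zone> <year> until: ..." -> keep month/day/time and year
NOT_AFTER = re.compile(r"until: \w{3} (\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) \S+ (\d{4})")


def parse_listing(text: str) -> List[Dict[str, object]]:
    """Split the dump into entries. For key entries the first Owner/Issuer
    pair belongs to the server certificate itself (Certificate[1])."""
    entries: List[Dict[str, object]] = []
    for chunk in re.split(r"(?m)^Alias name: ", text)[1:]:   # [0] is the store header
        alias, _, body = chunk.partition("\n")
        entry: Dict[str, object] = {"alias": alias.strip()}
        for key, pattern in FIELDS.items():
            m = pattern.search(body)
            entry[key] = m.group(1).strip() if m else None
        m = NOT_AFTER.search(body)
        entry["not_after"] = (datetime.strptime(f"{m.group(1)} {m.group(2)}",
                                                "%b %d %H:%M:%S %Y") if m else None)
        entries.append(entry)
    return entries


def find_by_issuer(entries: List[Dict[str, object]], issuer_fragment: str) -> List[str]:
    """Aliases whose Issuer DN contains the fragment (for example the CA's CN)."""
    return [str(e["alias"]) for e in entries if e["issuer"] and issuer_fragment in str(e["issuer"])]


def expiring_within(entries: List[Dict[str, object]], days: int, now_iso: str) -> List[str]:
    """Aliases whose certificate expires within `days` of the given ISO date."""
    limit = datetime.fromisoformat(now_iso) + timedelta(days=days)
    return [str(e["alias"]) for e in entries if e["not_after"] and e["not_after"] <= limit]


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LISTING
    for e in parse_listing(text):
        print(f'{e["alias"]:20} {str(e["type"]):18} expires {e["not_after"]}  issuer {e["issuer"]}')
```

Run it as `python check_truststore.py certs.txt` from tomcat/conf after step 3. An issuer lookup that returns an empty list means the signer certificate is missing and needs to be imported; a non-empty expiry list is the list of entries to renew before the server starts rejecting connections.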

10.3 Configuring FIPS-140 mode


The following topics provide information and instructions for configuring FIPS-140 mode:
Converting to FIPS-140 mode (see page 251)
Monitoring FIPS-140 and normal mode conversions (see page 256)
Changing FIPS-140 network ciphers (see page 257)
Converting from FIPS-140 to normal mode (see page 258)

10.3.1 Converting to FIPS-140 mode


BMC recommends that you monitor the FIPS-140 mode conversion. See Monitoring FIPS-140 and normal mode
conversions (see page 256).

To convert BMC Atrium Single Sign-On to FIPS-140 mode


1 Before you begin

When operating in FIPS-140 mode, BMC Atrium Single Sign-On blocks contact with products that are not also
operating in a FIPS-140 compliant mode. Before performing the switch to FIPS-140 mode:
Perform a system backup before switching to (or from) FIPS-140 mode. An unexpected hardware or
software failure during the conversion can corrupt the server configuration.
Verify that the integrated BMC products are capable of operating in a FIPS-140 compliant mode and are
capable of making the reconfiguration that is required to continue operating with BMC Atrium Single
Sign-On.
If you plan to integrate additional products with BMC Atrium Single Sign-On after the switch to FIPS-140
mode is complete, be sure that these products can be integrated with the server. See the BMC Atrium
Single Sign-On Product Availability Compatibility on the support website.
Ensure that your Internet browser is capable of supporting 256-bit Advanced Encryption Standard (AES)
encryption. See Browser cipher capabilities (see page 252).
Obtain the RSA CryptoJ FIPS cryptography module. See RSA CryptoJ FIPS cryptography module (see page 252).
Contact Customer Support for access to the RSA CryptoJ FIPS cryptography module. This library file must
be installed into the server's Java Virtual Machine (JVM), replacing the current version, which is not
FIPS-140 certified.
Obtain the unlimited strength Java policy files.
BMC Atrium Single Sign-On uses Oracle JVM 1.7.0_03. The unlimited strength policy files for this JVM are available
for download from the following URL: http://java.sun.com/javase/downloads/index.jsp.

Browser cipher capabilities


When operating in FIPS-140 mode with the default network ciphers, the Internet browser must be capable of
supporting 256-bit Advanced Encryption Standard (AES) encryption. Otherwise, the browser cannot connect to
BMC Atrium Single Sign-On for administrator or user authentication. Firefox 3 and later support this level.
Internet Explorer might not support 256-bit AES, depending on the version.
You can check your browser cipher capabilities at the following URL: http://www.fortify.net/sslcheck.html. This
web site provides the encryption status of your browser.

RSA CryptoJ FIPS cryptography module


The FIPS-approved cryptography module used by BMC Atrium Single Sign-On for FIPS-140 compliance is the RSA
CryptoJ library version 6.1.
The following table shows the algorithms used in normal mode and FIPS-140 mode.

Encryption
  Normal: DES
  FIPS-140: AES-256

Hash
  Normal: MD5, SHA1, SHA256, SHA512
  FIPS-140: SHA1, SHA256, SHA512

Network protocol
  Normal: TLS 1.0
  FIPS-140: TLS 1.0

Network ciphers
  Normal: Any TLS cipher suite
  FIPS-140: TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,
  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521,
  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,
  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521, TLS_DHE_DSS_WITH_AES_256_CBC_SHA

Random number generation
  Normal: SHA1PRNG
  FIPS-140: FIPS186PRNG

2 Install the unlimited strength policy files

BMC Atrium Single Sign-On uses Oracle JVM version 1.7.0_03. By default, this JVM ships with the "strong" (limited
strength) jurisdiction policy files, which cap the key sizes that some algorithms may use (for example, AES is limited
to 128-bit keys). These limits prevent BMC Atrium Single Sign-On from running in FIPS-140 mode. To remove them,
download the Unlimited Strength Jurisdiction Policy Files from Oracle and install them into the BMC Atrium Single
Sign-On JVM.

Warning
BMC Atrium Single Sign-On and all integrated products must be shut down before installing the
unlimited strength policy files. BMC Atrium Single Sign-On cannot be in use during the conversion to
FIPS-140 mode. If possible, a firewall should be employed to block all remote access to the server.

1. Shut down all BMC Atrium Single Sign-On integrated products.
2. Stop BMC Atrium Single Sign-On.
3. If you have not done so already, download the archive that contains the unlimited strength policy files
from the following URL: http://java.sun.com/javase/downloads/index.jsp.
4. Extract the contents of the archive.
5. Make a backup copy of the currently installed limited strength policy files (local_policy.jar and
US_export_policy.jar). You need them if you later convert back to normal mode.
6. Copy the unlimited strength policy files into the BMC Atrium Single Sign-On JVM, replacing the installed files.

JVM location
The JVM is located in the following default location:
(Microsoft Windows) C:\Program Files\BMC Software\AtriumSSO\jdk\jre\lib\security
(UNIX) /opt/bmc/AtriumSSO/jdk/jre/lib/security
If BMC Atrium Single Sign-On has been installed in a non-default location, the location of the JVM can be
determined by using the following pattern:
(Windows) <installationDirectory>\AtriumSSO\jdk\jre\lib\security
(UNIX) <installationDirectory>/AtriumSSO/jdk/jre/lib/security
In this case, installationDirectory is the base directory selected during the server installation.
For BMC Atrium Single Sign-On servers using an external Tomcat server, the location of the JVM was chosen by the
administrator who configured the Tomcat server. Regardless of the JVM location, the following templates indicate
the correct location:
(Windows) <jdkDirectory>\jre\lib\security
(UNIX) <jdkDirectory>/jre/lib/security
In this case, jdkDirectory is the base directory of the JDK used to run BMC Atrium Single Sign-On.

3 Install the cryptography library

For cryptographic functions in normal mode, BMC Atrium Single Sign-On uses the JVM and a version of the RSA
CryptoJ library that is not certified for FIPS-140 operation. When placed into FIPS-140 mode, the server
reconfigures the JVM to use the RSA CryptoJ provider as the primary provider, and all cryptographic operations of
the server use this provider exclusively.
For the server to start in FIPS-140 mode successfully, the FIPS-140 certified version of the RSA CryptoJ library
must be installed into the JVM, replacing the uncertified version. The two versions can be told apart by their file
names: the normal mode library is cryptoj.jar, and the FIPS-140 mode libraries are cryptojce.jar,
cryptojcommon.jar, and jcmFIPS.jar.

Note
Contact BMC Software support for instructions on accessing the FIPS-140 version of the library.

1. Make a backup copy of the cryptoj.jar file. You need it if you later restore BMC Atrium Single Sign-On to normal
encryption mode.
2. Copy the FIPS-140 mode libraries (cryptojce.jar, cryptojcommon.jar, and jcmFIPS.jar) onto the file system of the
computer hosting BMC Atrium Single Sign-On.
3. Copy the three FIPS-140 mode libraries into the server's JVM library directory.
4. Remove the cryptoj.jar file from the JVM library directory.

Note
This is an important step to prevent a collision of the two libraries.

JVM library file location


The JVM library is located in the following default location:
(Microsoft Windows) C:\Program Files\BMC Software\AtriumSSO\jdk\jre\lib\ext
(UNIX) /opt/bmc/AtriumSSO/jdk/jre/lib/ext
If BMC Atrium Single Sign-On server has been installed in a non-default location, determine the location of the
JVM library using the following pattern:
(Windows) <installationDirectory>\AtriumSSO\jdk\jre\lib\ext
(UNIX) <installationDirectory>/AtriumSSO/jdk/jre/lib/ext

In this case, installationDirectory is the base directory selected during the server installation.
For BMC Atrium Single Sign-On servers using an external Tomcat server, the location of the JVM was chosen by the
administrator who configured the Tomcat server. Regardless of the JVM location, the following templates indicate
the correct location:
(Windows) <jdkDirectory>\jre\lib\ext
(UNIX) <jdkDirectory>/jre/lib/ext

4 Enable FIPS-140 mode

After restarting BMC Atrium Single Sign-On with the required JVM modifications in place, the server's
configuration can be updated to trigger the change of cryptography. Before performing this next step, be sure
that the following JVM modifications have been performed:
Unlimited strength policy files are installed.
The cryptojce.jar, cryptojcommon.jar, and jcmFIPS.jar libraries are installed in the JVM library directory.
The cryptoj.jar library has been removed from the JVM library directory.
1. (Optional) Update your network ciphers if desired. See Changing FIPS-140 network ciphers (see page 257).
2. Restart BMC Atrium Single Sign-On.
3. Log on to BMC Atrium Single Sign-On administrator console.
4. Click Edit Server Configuration.
5. Select Enable FIPS-140
6. Click Save.

Warning
After the configuration has been successfully saved, the conversion process starts. This process
cannot be interrupted. Do not stop BMC Atrium Single Sign-On, log on with another
Administrator console, log off the current Administrator console, or initiate any other interactions
with the server.

This process takes approximately 10 to 20 seconds, depending upon the computer hardware. Be sure that
the background task validation process posts a successful conversion message before proceeding to the
next step.
7. Monitor the log files for the completion of the cryptography conversion. For more information on how to
monitor the conversion, see Monitoring FIPS-140 and normal mode conversions (see page 256).
8. After the conversion process completes, stop and start the server.
9. Verify that the server is properly operating in FIPS-140 mode by viewing the BMC Atrium Single Sign-On
log file (for example, atsso.0.log)
10. Reconfigure all integrated products to operate in FIPS-140 mode.

Note
All products which were configured with BMC Atrium Single Sign-On prior to conversion to
FIPS-140 mode must be reconfigured to operate in FIPS-140 compliant mode. These integrated
products cannot use BMC Atrium Single Sign-On for authentication until they are synchronized
with BMC Atrium Single Sign-On.

10.3.2 Monitoring FIPS-140 and normal mode conversions


The conversion task communicates through the BMC Atrium Single Sign-On log file (for example, atsso.0.log).
The log file contains messages to signify the start of the conversion, any errors, and the completion of the
process. See Managing BMC Atrium Single Sign-On logging (see page 284).
Conversion to FIPS-140 mode messages (see page 256)
Conversion to normal mode messages (see page 257)
Using the default installation locations as an example, the log file is located at:
(Microsoft Windows) C:\Program Files\BMC Software\AtriumSSO\tomcat\temp
(UNIX) /opt/bmc/AtriumSSO/tomcat/conf

Conversion to FIPS-140 mode messages


Before starting the conversion, the background task validates that the JVM has been correctly modified and is
capable of running in FIPS-140 mode. If the JVM test fails, the task logs an error message indicating the JVM
inadequacies and the conversion aborts.
In addition, when BMC Atrium Single Sign-On is installed on an external Tomcat server, the background task
verifies that the required Tomcat server and JVM configuration files exist.
When starting the conversion to FIPS-140 mode, the initial message displayed is:

BMCSSG1599I=Switching Atrium SSO server to FIPS-140 mode

When the conversion process successfully finishes, it posts this message:

BMCSSG1601I=Switch of Atrium SSO server to FIPS-140 mode completed

After saving the configuration change, the conversion process alters the encrypted data within the server. Until
the process completes, BMC recommends that you monitor the security page in case the process fails.


Conversion to normal mode messages


When starting the conversion from FIPS-140 mode to normal mode, the initial message displayed is:

BMCSSG1598I=Switching Atrium SSO server to normal mode (not FIPS-140 mode)

When the conversion process successfully finishes, it posts this message:

BMCSSG1600E=Switch of Atrium SSO server to normal mode completed
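An added example, not BMC's code, that covers the checklist preceding "Enable FIPS-140 mode" and the log messages described in this section: fips_preflight() verifies the JVM library directory and the policy files, and conversion_status() reads the server log for the message IDs listed above. One caveat worth encoding rather than remembering: match on the message ID, not on its trailing letter, because BMCSSG1600E reports a successful switch to normal mode despite the E suffix. The policy file names (local_policy.jar, US_export_policy.jar) are the Java 7 jurisdiction policy file names and are not stated on this page; the sample log lines are constructed, and only their BMCSSG tokens follow the documentation.

```python
"""Pre-flight check and log watch for the Atrium SSO FIPS-140 conversion.

Added example, not BMC's code. fips_preflight() tests the three JVM
conditions listed before "Enable FIPS-140 mode" (unlimited strength policy
files installed, cryptojce.jar / cryptojcommon.jar / jcmFIPS.jar present,
cryptoj.jar removed); conversion_status() reads the server log for the
message IDs documented in "Monitoring FIPS-140 and normal mode
conversions". Policy file names are the Java 7 ones (assumption); the
sample log lines are constructed.
"""
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Dict, Iterable, Optional

FIPS_JARS = ("cryptojce.jar", "cryptojcommon.jar", "jcmFIPS.jar")
NORMAL_JAR = "cryptoj.jar"
POLICY_JARS = ("local_policy.jar", "US_export_policy.jar")  # Java 7 names (assumption)


def _digest(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def fips_preflight(jre_lib: Path, policy_backup: Optional[Path] = None) -> Dict[str, bool]:
    """Return the pre-conversion checklist as pass/fail flags.

    jre_lib is <jdkDirectory>/jre/lib. Limited and unlimited policy files
    share the same file names, so strength cannot be read from the file
    system alone; when the backup of the original limited files is given,
    policy_replaced passes only if the installed files differ from it.
    """
    ext, security = jre_lib / "ext", jre_lib / "security"
    result = {
        "fips_jars_present": all((ext / j).is_file() for j in FIPS_JARS),
        "normal_jar_removed": not (ext / NORMAL_JAR).exists(),
        "policy_files_present": all((security / p).is_file() for p in POLICY_JARS),
    }
    if policy_backup is not None:
        result["policy_replaced"] = all(
            (security / p).is_file() and (policy_backup / p).is_file()
            and _digest(security / p) != _digest(policy_backup / p)
            for p in POLICY_JARS)
    result["ready"] = all(result.values())
    return result


# Message IDs from the monitoring section. Key on the ID, not on the trailing
# letter: BMCSSG1600E reports a successful switch to normal mode despite its E.
MESSAGES = {
    "BMCSSG1599I": ("fips", "started"),
    "BMCSSG1601I": ("fips", "completed"),
    "BMCSSG1598I": ("normal", "started"),
    "BMCSSG1600E": ("normal", "completed"),
}
MSG_ID = re.compile(r"\b(BMCSSG\d{4}[A-Z])\b")

SAMPLE_LOG = [  # constructed; only the BMCSSG tokens follow the documentation
    "Jan 16, 2014 3:56:01 PM INFO: BMCSSG1599I=Switching Atrium SSO server to FIPS-140 mode",
    "Jan 16, 2014 3:56:14 PM INFO: BMCSSG1601I=Switch of Atrium SSO server to FIPS-140 mode completed",
]


def conversion_status(lines: Iterable[str]) -> Dict[str, object]:
    """Track the most recent conversion: target mode, whether it started and
    completed, and any E-suffixed messages logged while it was in progress."""
    status: Dict[str, object] = {"target": None, "started": False, "completed": False, "errors": []}
    for line in lines:
        m = MSG_ID.search(line)
        if not m:
            continue
        msg_id = m.group(1)
        if msg_id in MESSAGES:
            target, phase = MESSAGES[msg_id]
            if phase == "started":   # a new conversion resets the record
                status = {"target": target, "started": True, "completed": False, "errors": []}
            elif status["target"] == target:
                status["completed"] = True
        elif msg_id.endswith("E") and status["started"] and not status["completed"]:
            status["errors"].append(line.strip())
    return status


def demo_preflight(remove_normal_jar: bool = True) -> Dict[str, bool]:
    """Build a throw-away JVM layout in a temp directory and check it."""
    with tempfile.TemporaryDirectory() as tmp:
        lib, backup = Path(tmp) / "jre" / "lib", Path(tmp) / "policy-backup"
        (lib / "ext").mkdir(parents=True)
        (lib / "security").mkdir()
        backup.mkdir()
        for jar in FIPS_JARS:
            (lib / "ext" / jar).write_bytes(b"")
        if not remove_normal_jar:
            (lib / "ext" / NORMAL_JAR).write_bytes(b"")
        for p in POLICY_JARS:
            (backup / p).write_bytes(b"limited")                # originals, backed up in step 5
            (lib / "security" / p).write_bytes(b"unlimited")    # replacements installed in step 6
        return fips_preflight(lib, backup)


if __name__ == "__main__":
    print(demo_preflight())
    print(conversion_status(SAMPLE_LOG))
```

On a real server, call fips_preflight(Path("<jdkDirectory>/jre/lib"), Path("<your backup directory>")) before saving the configuration change, and feed atsso.0.log to conversion_status() while the background task runs; a record with started but not completed, plus a non-empty errors list, is the failure case the warning above tells you to watch for.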

10.3.3 Changing FIPS-140 network ciphers


The network ciphers can be updated if stronger protection for communication is desired. Although the network
ciphers are independent of FIPS-140 mode, both the unlimited strength policy files and the FIPS-140 cryptography
library are required before you modify the network ciphers.
The following topics provide information and instruction for changing FIPS-140 network ciphers:
Default location for the server.xml file (see page 257)
To modify the server.xml file (see page 257)
Multiple ciphers example (see page 257)
Single cipher example (see page 258)

Default location for the server.xml file


The ciphers that the Transport Layer Security (TLS) protocol uses can be adjusted by editing the BMC Atrium
Single Sign-On server.xml file. This file is located at the following default locations:
(Microsoft Windows) C:\Program Files\BMC Software\AtriumSSO\tomcat\conf
(UNIX) /opt/bmc/AtriumSSO/tomcat/conf

To modify the server.xml file


1. Make a backup copy of the server.xml file.
2. Open the server.xml file in your favorite text editor.
3. Search for the Connector tag with the attribute scheme="https".
4. Modify the ciphers attribute by adding or removing cipher suite names (comma-separated).

Multiple ciphers example


In the following example, the FIPS-140 version of the server.xml file has multiple ciphers:

<!-- FIPS140 -->
<Connector port="<at:var at:name="TOMCAT_HTTPS_PORT" />" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
ciphers="TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521, TLS_DHE_DSS_WITH_AES_256_CBC_SHA"
keystoreFile="C:\Program Files\BMC Software\AtriumSSO\tomcat/conf/keystore.p12"
keystorePass="internal4bmc"
keystoreType="PKCS12"
keystoreProvider="JsafeJCE"
truststoreFile="C:\Program Files\BMC Software\AtriumSSO\tomcat/conf/cacerts.p12"
truststorePass="changeit"
truststoreType="PKCS12"
truststoreProvider="JsafeJCE" />

Single cipher example


In the following example, the FIPS-140 version of the server.xml file has a single cipher
(TLS_RSA_WITH_3DES_EDE_CBC_SHA). Note that this suite is weaker than the AES-256 suites in the default list above;
use it only to illustrate the syntax, or where a client supports nothing stronger.

<!-- FIPS140 -->


<Connector port="<at:var at:name="TOMCAT_HTTPS_PORT" />" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
ciphers="TLS_RSA_WITH_3DES_EDE_CBC_SHA"
keystoreFile="C:\Program Files\BMC Software\AtriumSSO\tomcat/conf/keystore.p12"
keystorePass="internal4bmc"
keystoreType="PKCS12"
keystoreProvider="JsafeJCE"
truststoreFile="C:\Program Files\BMC Software\AtriumSSO\tomcat/conf/cacerts.p12"
truststorePass="changeit"
truststoreType="PKCS12"
truststoreProvider="JsafeJCE" />
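An added example, not BMC's code, that audits a server.xml after the edits described in this section: it parses the HTTPS Connector, reports cipher suites outside the FIPS-140 default list from the table earlier in this chapter and suites below AES-256 strength, and flags store passwords left at the values this page documents. The sample server.xml is constructed and carries a numeric port, because the `<at:var .../>` placeholder in the snippets above is installer template syntax and is not well-formed XML on its own.

```python
"""Audit the HTTPS Connector in an Atrium SSO server.xml.

Added example, not BMC's code. It finds the Connector with scheme="https",
compares its ciphers attribute with the FIPS-140 default cipher list from
the table in "Converting to FIPS-140 mode", and flags store passwords that
still equal the values documented on this page. SAMPLE_SERVER_XML is
constructed; a deployed file carries a numeric port where the documentation
shows the installer's <at:var .../> placeholder.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

FIPS_DEFAULT_CIPHERS = {
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521",
    "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
}
# Store passwords shown in the server.xml examples on this page.
DOCUMENTED_DEFAULT_PASSWORDS = {"keystorePass": "internal4bmc", "truststorePass": "changeit"}

SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- FIPS140 -->
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               ciphers="TLS_RSA_WITH_3DES_EDE_CBC_SHA"
               keystoreFile="conf/keystore.p12" keystorePass="internal4bmc"
               keystoreType="PKCS12" keystoreProvider="JsafeJCE"
               truststoreFile="conf/cacerts.p12" truststorePass="changeit"
               truststoreType="PKCS12" truststoreProvider="JsafeJCE" />
  </Service>
</Server>
"""


def parse_ciphers(value: str) -> List[str]:
    """Split the comma-separated ciphers attribute, tolerating whitespace and line breaks."""
    return [c.strip() for c in value.split(",") if c.strip()]


def audit_server_xml(xml_text: str) -> List[Dict[str, object]]:
    """One finding record per HTTPS Connector."""
    findings: List[Dict[str, object]] = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("scheme") != "https":
            continue
        ciphers = parse_ciphers(conn.get("ciphers", ""))
        findings.append({
            "port": conn.get("port"),
            "sslProtocol": conn.get("sslProtocol"),
            "ciphers": ciphers,
            # suites the documented FIPS-140 default list does not contain
            "outside_fips_default": [c for c in ciphers if c not in FIPS_DEFAULT_CIPHERS],
            # suites below the AES-256 level every default FIPS-140 suite provides
            "below_aes_256": [c for c in ciphers if "AES_256" not in c],
            # store passwords still equal to the documented defaults
            "default_store_passwords": [
                attr for attr, default in DOCUMENTED_DEFAULT_PASSWORDS.items()
                if conn.get(attr) == default],
        })
    return findings


def with_ciphers(xml_text: str, ciphers: List[str]) -> str:
    """Return server.xml text with the HTTPS Connector's ciphers attribute replaced
    (ElementTree drops XML comments such as <!-- FIPS140 --> on the way)."""
    root = ET.fromstring(xml_text)
    for conn in root.iter("Connector"):
        if conn.get("scheme") == "https":
            conn.set("ciphers", ", ".join(ciphers))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in audit_server_xml(SAMPLE_SERVER_XML):
        print(finding)
```

Run audit_server_xml() on the text of tomcat/conf/server.xml before and after editing the ciphers attribute; an empty outside_fips_default list means the Connector matches the documented FIPS-140 set, and a non-empty default_store_passwords list means the keystore and truststore passwords are the ones printed in this manual.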

10.3.4 Converting from FIPS-140 to normal mode


Converting BMC Atrium Single Sign-On to operate in normal mode (that is, without FIPS-140 cryptography) follows
the same process as converting the server to FIPS-140 mode, except that the Java Virtual Machine (JVM) does not
need to be modified before triggering the conversion.

Note
Create a backup of the current server in case of a failure (hardware or software). If the server's
configuration becomes corrupted, you can use the backup to restore the original configuration.
While converting from FIPS-140 to normal mode, be sure to monitor the conversion. See Monitoring
FIPS-140 and normal mode conversions (see page 256) .


To convert to normal mode


1. Shut down all integrated products.
If possible, use a firewall to block external access to BMC Atrium Single Sign-On.
2. Log on to the BMC Atrium Single Sign-On administrator console.
3. On the BMC Atrium SSO Admin Console, click Edit Server Configuration.
4. De-select FIPS Mode.
5. Click Save.

Warning
Once the configuration has been successfully saved, the conversion process is triggered in the
background. This process cannot be interrupted. Do not stop BMC Atrium Single Sign-On, log on
with another Administrator console, log off the current Administrator console, or initiate any
other interactions with the server.

This process usually takes around 10 to 20 seconds, depending upon the computer hardware.
6. Ensure that a successful conversion message is posted.

Important
Be sure that the background task validation process posts a successful conversion message before
restoring the original encryption files and non-FIPS-140 library.

7. Restore the original encryption files and non-FIPS140 library.


a. Stop the BMC Atrium Single Sign-On server.
b. Restore the original limited strength policy files.
c. Restore the non-FIPS cryptoj.jar library and remove the FIPS-140 libraries (cryptojce.jar, cryptojcommon.jar,
and jcmFIPS.jar) to avoid a collision of the two libraries.
d. Restart BMC Atrium Single Sign-On.
e. Verify that the server is properly operating in normal mode by viewing the BMC Atrium Single
Sign-On log file (for example, atsso.0.log )
8. Reconfigure integrated products to operate in normal mode.

Note
All integrated products must be reconfigured to operate in normal mode. These integrated
products cannot use BMC Atrium Single Sign-On for authentication until they are synchronized
with BMC Atrium Single Sign-On.


10.4 Using an external LDAP user store


This topic describes the process and options available to a BMC Atrium Single Sign-On administrator when using
an external Lightweight Directory Access Protocol (LDAP) server to provide group and attribute values for
authenticated users. Users and groups cannot be managed from the BMC Atrium Single Sign-On server because
the LDAP server access is read-only.
Configuring an external user store is primarily needed when access to group membership information is required.
The LDAP authentication module can be used to retrieve user attributes without configuring an external user
store. For more information, see Using LDAP (Active Directory) for authentication.
An external LDAP server is used to augment the information available to BMC products. For more information
about the configuration options available with the LDAP user store, see the OpenAM documentation.

10.4.1 To create an external LDAP user store


1. Log on to the BMC Atrium SSO Admin Console
2. Click Edit BMC Realm.
3. On the User Store panel, click Add and select LDAPv3 User Store.
4. On the General tab, provide the LDAP server configuration parameters.
5. On the Search tab, provide the user and group attributes used for searching.
6. Click Save.

10.4.2 To modify an existing external LDAP user store


1. Log on to the BMC Atrium SSO Admin Console
2. Click Edit BMC Realm.
3. On the User Store panel, select the LDAPv3 user store and click Edit.
4. On the General tab, modify your LDAP server configuration parameters.
5. On the Search tab, modify your user and group attributes used for searching.
6. Click Save.

Note
The BMC Atrium Single Sign-On server does not need to be restarted after altering the configuration.
After the alterations are committed, the changes take effect immediately.

10.4.3 LDAPv3 User Store parameters


The LDAPv3 user store uses Active Directory as the user store type. The General tab contains parameters for the
LDAP server configuration. The Search tab contains parameters to search for user and group attributes.

10.4.4 General tab


LDAP Server
  Name: (Required) The Fully Qualified Domain Name (FQDN) of the host running the primary LDAP server.
  Port: If the LDAP server is not listening on the default port (389), specify the port number.
  Use SSL: (Optional) Enable SSL to connect to the LDAP servers. Before enabling SSL:
    The certificates for the LDAP servers (primary and secondary) must be imported into the JVM truststore and the
    BMC Atrium Single Sign-On Tomcat truststore. For more information on importing certificates into the BMC
    Atrium Single Sign-On truststore, see Importing a certificate into the truststore (see page 243). If client
    authentication is required, the BMC Atrium Single Sign-On server's certificate might need to be imported into
    the LDAP server's truststore.
    Restart the Tomcat server. For more information about CA certificates, see Managing keystores with a keytool
    utility (see page 239).

User Account for Search
  Distinguished Name, Password, Confirm Password: (Required) The Distinguished Name (DN) is the login name used
  to connect to the LDAP server. The account must have privileges to perform searches on the primary and secondary
  LDAP servers; because BMC Atrium Single Sign-On only reads from the store, a dedicated read-only service account
  is preferable to a directory administrator account. Enter the DN, the password, and the password confirmation.

Connection Pool
  Minimum Size, Maximum Size: The connection pool attributes adjust the performance of BMC Atrium Single Sign-On
  and the load on the LDAP server. Before modifying the default values, BMC recommends that you complete
  performance timings to determine appropriate values.

Attribute Mapping
  External Attribute, Atrium SSO Attribute: Attribute mapping takes user attributes (such as email address or phone
  number) from the external data store and maps them to the attributes used within the BMC Atrium Single Sign-On
  system. To define a mapping, enter the name of the External Attribute, select the Atrium SSO Attribute that it
  maps to from the drop-down list, and click Add to put the new mapping into the table.


10.4.5 Search tab


Search
  Base DN: Starting location within the LDAP directory for user and group searches. Make the search DN as specific
  as possible for performance reasons. The depth of the search can be configured; if an object search is specified,
  the DN should be the DN of the node containing the users.
  Timeout (seconds): Number of seconds a search runs before it times out.
  Max Search Results: Maximum number of results that are returned.

Users
  Search Attribute: User attribute on which to perform the search.
  Search Filter: Filter for user searches. If the object class in the default filter is not used by the user entries
  on the server, searches fail. For example, (objectclass=person).
  Attribute Name for Group: Attribute of the user entry that identifies the groups to which the user belongs. For
  example, memberOf.

Users Status
  Status Attribute: Attribute that indicates the user status. For example, userAccountControl.
  Active Value: Value of the status attribute when the account is active.
  Inactive Value: Value of the status attribute when the account is inactive.

Users - Container
  People Container Attribute: LDAP attribute used to distinguish the container holding the people.
  Attribute Value: Value of that LDAP attribute. If people are not within a container (relative to the group), leave
  these values blank.

Groups
  Search Attribute: Name of the attribute that holds the name of the group. This attribute value is used in searches
  for user groups.
  Search Filter: Filter for group searches. Validate that it is correct for your LDAP server; if the object class
  specified is not applicable, update the filter with the correct objectclass name. For example, (objectclass=group).
  Attribute Name for User: Attribute of a group entry that contains the names of the users that belong to the group.

Groups Container
  Container Attribute: LDAP attribute used to distinguish the container holding the groups.
  Attribute Value: Value of the groups container attribute. If groups are not within a container (relative to the
  user), leave these values blank.

Caching
  Max Age (seconds): Maximum time that a cached value continues to be used before it is refreshed from the external
  LDAP server.
  Cache Size (bytes): Number of bytes of memory used to hold cached search items from the external LDAP server.


11 Administering
The following topics provide information and instructions for administering BMC Atrium Single Sign-On:


Managing users (see page 264)


Managing user groups (see page 268)
Managing authentication modules (see page 271)
Managing nodes in a cluster (see page 273)
Managing agents (see page 275)
Managing the server configuration (see page 276)
Stopping and restarting the BMC Atrium Single Sign-On server (see page 279)

11.1 Managing users


BMC Atrium Single Sign-On provides basic user and group management features with the internal LDAP server.
These features allow an administrator to manage users, groups, and memberships in the groups.
From the User tab, the administrator can create, delete, and manage user account information including
group memberships.
From the Groups tab, the administrator can manage group memberships.
BMC Atrium Single Sign-On is configured to use an internal LDAP for user authentication (default). While not
recommended for large-scale deployments, the internal database can be used for small deployments,
demonstrations, and other Proof-Of-Concept (POC) work. For larger deployments, BMC recommends that you
use an external authentication server, such as another LDAP server.


To access the User page (see page 265)


To add a new user (see page 265)
To search for users (see page 266)
To delete users (see page 266)
To modify user information (see page 266)
To enable or disable a user account (see page 266)
To add a group membership to a user account (see page 267)
To remove a group membership from a user account (see page 267)
To view user sessions (see page 267)
To terminate an active user session (see page 268)

11.1.1 To access the User page


1. On the BMC Atrium SSO Admin Console, click Edit BMC Realm.
2. Select the User tab.
New users can only be created when you are using the internal LDAP server for authentication. If an external
source is used for authentication, new users must be created within that external system.

Note
If special characters, such as a comma ( , ), semicolon ( ; ), or plus sign ( + ), are used in the user ID, each
special character must be preceded by a backslash ( \ ). For example, Baldwin\,bob.

When creating a new user, each field that is marked with an asterisk is a required field.
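An added example, not BMC's code, that covers two points from this chapter: the Search tab parameters in "Using an external LDAP user store" combine the configured Search Filter and Search Attribute with the login name a user types, and the note above shows DN special characters in a user ID escaped with a backslash. The script implements RFC 4515 escaping for filter values and RFC 4514 escaping for DN values, shows the filter an unescaped login name produces, and reads the userAccountControl status attribute as the bit field Active Directory stores (the Users Status parameters take one active and one inactive value, but 512 is a normal account and 514 the same account disabled, so a single value comparison misses other flag combinations). The attribute names (sAMAccountName, uid) and the container DN are assumptions for illustration.

```python
"""Escape user-supplied identifiers before they reach LDAP filters and DNs.

Added example, not BMC's code. escape_filter_value() follows RFC 4515,
escape_dn_value() follows RFC 4514, and account_disabled() reads the
Active Directory userAccountControl bit field. Attribute names and the
container DN are assumptions for illustration.
"""

FILTER_SPECIAL = {"*", "(", ")", "\\", "\x00"}
DN_SPECIAL = {",", "+", '"', "\\", "<", ">", ";"}
ADS_UF_ACCOUNTDISABLE = 0x0002  # bit 1 of userAccountControl


def escape_filter_value(value: str) -> str:
    """RFC 4515: special characters become two-digit hex escapes (\\2a, \\28, ...)."""
    return "".join(f"\\{ord(ch):02x}" if ch in FILTER_SPECIAL else ch for ch in value)


def escape_dn_value(value: str) -> str:
    """RFC 4514: backslash-escape specials, a leading '#' or space, and a trailing space."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in DN_SPECIAL or (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def user_search_filter(search_filter: str, search_attribute: str, login: str) -> str:
    """The filter a user-store lookup sends: configured filter AND attribute=login."""
    return f"(&{search_filter}({search_attribute}={escape_filter_value(login)}))"


def user_dn(rdn_attribute: str, login: str, people_container: str) -> str:
    """DN of a user entry below the people container."""
    return f"{rdn_attribute}={escape_dn_value(login)},{people_container}"


def injection_demo(login: str = "*)(objectclass=*") -> dict:
    """Same hostile login, unescaped versus escaped.

    Unescaped, the login closes the attribute assertion early and appends
    (objectclass=*), so the AND matches every person entry instead of one.
    """
    return {
        "unescaped": f"(&(objectclass=person)(sAMAccountName={login}))",
        "escaped": user_search_filter("(objectclass=person)", "sAMAccountName", login),
    }


def account_disabled(user_account_control: str) -> bool:
    """userAccountControl is a bit field (512 = NORMAL_ACCOUNT, 514 = disabled),
    so test the ACCOUNTDISABLE bit instead of comparing the whole value."""
    return bool(int(user_account_control) & ADS_UF_ACCOUNTDISABLE)


if __name__ == "__main__":
    for kind, flt in injection_demo().items():
        print(f"{kind:10} {flt}")
    print(user_dn("uid", "Baldwin,bob", "ou=people,dc=example,dc=com"))
    print(account_disabled("514"), account_disabled("66048"))
```

The two escaping functions are different because the two contexts are different: a filter treats `*`, parentheses and backslash as syntax, while a DN treats commas, plus signs, semicolons and the quoting characters as syntax, which is why the note above lists comma, semicolon and plus as the characters that need a backslash in a user ID.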

11.1.2 To add a new user


1. On the BMC Atrium SSO Admin Console, click Edit BMC Realm.
2. Select the User tab.
3. Click New.
4. In the ID field, enter a unique identifier for the new user.
This value is used as the user ID when the user logs in.
5. Enter the user's last name and full name.
6. Enter the password and confirm this password.
7. In the Status field, verify that the Active radio button is selected (default).
8. Click Save.
The name attributes (First, Full, and Last) can be provided to BMC products to help identify user accounts by using
terms that are more user-friendly. The actual use of these attributes, though, is dependent on the BMC product.

11.1.3 To search for users


If the number of users in the Available list is too large to find the user that you want to modify, use the search
function. The asterisk (*) returns all user accounts. Enter part of the user ID to refine the user account list.
For example, the pattern, "b*", returns users starting with the letter "b" (case-insensitive) such as "bob" and
"Baldwin".

11.1.4 To delete users


User accounts can be deleted only if BMC Atrium Single Sign-On is using the internal LDAP server for user
authentication.
1. On the BMC Atrium SSO Admin Console, click Edit BMC Realm.
2. Select the User tab.
3. Select the check box next to each user account in the User list that should be deleted.
4. Click Delete.
5. Click Ok.

11.1.5 To modify user information


1. On the BMC Atrium SSO Admin Console, click Edit BMC Realm.
2. Select the User tab.
3. Select the user link that you want to modify.
4. Click Edit.
5. Modify the user's information.
6. Click Save.

11.1.6 To enable or disable a user account


The user account can be enabled or disabled by changing the user status.
1. On the BMC Atrium SSO Admin Console, click Edit BMC Realm.
2. Select the User tab.
3. Select the user that you want to modify.
4. In the Status field, click Active to enable or Inactive to disable the user account.

Note
When a user account is disabled, the user cannot authenticate, but none of the user attributes, such as
group memberships, are lost. A user loses group memberships only when the user account is deleted.

11.1.7 To add a group membership to a user account


A user is added to a group from the Group tab; however, the Group tab can also be accessed from the User Editor
pop-up.
1. On the BMC Atrium SSO Admin Console, click Edit BMC Realm.
2. Select the User tab.
3. Select the user that you want to modify.
4. Select the Group tab.
5. Select a group from the Available Groups list.
6. Click Add.
Alternatively, click Add All to add all of the available groups to the user account.
7. Click Save.

Important
Be selective when adding users to a group, such as the Predefined groups, so that elevated privileges
are not accidentally assigned to a user. For example, BmcSearchAdmin has privileges to perform
searches and BmcAgents has privileges to read configuration information.

11.1.8 To remove a group membership from a user account


A user is removed from a group from the Group tab; however, the Group tab can also be accessed from the User
Editor pop-up.
1. On the BMC Atrium SSO Admin Console, click Edit BMC Realm.
2. Select the User tab.
3. Select the user that you want to modify.
4. Select the Group tab.
5. Select a group from the Member of list.
6. Click Remove.
Alternatively, click Remove All to remove the user account from all of its groups.
7. Click Save.

11.1.9 To view user sessions


1. Log on to the BMC Atrium SSO Admin Console.
2. See the Sessions panel.

Note

The Sessions panel displays the sessions that are in the memory of the server. A session is replicated
across the nodes of the HA cluster when the load balancer selects a node other than the login node to
validate the session, for example when the AR server validates the SSO session as the Mid Tier is
accessed. A single session might therefore be shown multiple times, which confirms that the session has
been replicated to the additional nodes.
The sessions retrieved from the server are displayed in pages. You might not be able to view all the
sessions that are in memory at one time because of the maximum limit set for the Sessions table. This
limit does not restrict the number of sessions that the server supports; it restricts only the number of
sessions that you can view in the Sessions table. To view a specific session that is not shown because of
the maximum limit, filter the sessions according to your requirements.

11.1.10 To terminate an active user session


1. Log on to the BMC Atrium SSO Admin Console.
2. In the Sessions panel, select the check box associated with the user session that you want to terminate.
3. Click Invalidate Session.

Important
Care should be exercised not to accidentally terminate the session that is used to access the console or
sessions that are used by BMC agents. These agent sessions use the following naming convention:
<BMCJEEAgent>@<host>:<port> or <uri>@<host>.<port>. Terminating these sessions will, at best, close
the console that the administrator is using or, at worst, prevent users from accessing the BMC products that
the agent is protecting.

11.2 Managing user groups


BMC products can use the group membership capabilities of the BMC Atrium Single Sign-On system to provide
authorization of users as well as authentication. If a BMC product uses the group memberships of the BMC
Atrium Single Sign-On system, consult that product's documentation to determine how groups map to
privileges.

To access the Group page (see page 269)
To create a new group (see page 269)
To delete a group (see page 269)
To assign a group membership (see page 270)
To remove users from a group (see page 270)

11.2.1 To access the Group page


BMC Atrium Single Sign-On provides predefined groups to help with the Administrator privileges that some BMC
products might require. For example, the BmcSearchAdmin group provides privileges that allow a user to connect
to the server to perform identity searches.

Note
Care should be exercised when assigning this group as these elevated privileges allow greater access to
BMC Atrium Single Sign-On than is normally provided.

11.2.2 To create a new group


1. On the BMC Atrium SSO Admin Console, click Edit BMC Realm.
2. Select the Groups tab.
3. Click Add.
4. Enter a new, unique name for the group.
5. From the Available Users list, select a user, click Add.
Alternatively, click Add All to add all of the users to the group.
6. Click Save.
Normally, BMC products install the groups that they need managed into BMC Atrium Single Sign-On as part of
their installation. However, a situation might arise in which a group might need to be created (or re-created).

11.2.3 To delete a group


1. On the BMC Atrium SSO Admin Console, click Edit BMC Realm.
2. Select the Groups tab.
3. Select the check box for the group that you want to delete.
4. Click Delete.
If too many groups are visible within the Group list to efficiently find the groups that you want to delete, use the
search function to filter out undesired groups. For example, by changing the search filter to "D", the group IDs
that start with the letter "d" (case-insensitive) are displayed.

When you delete a group, the group is removed from BMC Atrium Single Sign-On. Users that are members of the
group also have their group membership removed.

Important
Deleting groups that have been installed by other BMC products is not recommended. Doing so might
cause the product to malfunction or block access to the product itself.

11.2.4 To assign a group membership


1. On the BMC Atrium SSO Admin Console, click Edit BMC Realm.
2. Select the Groups tab.
3. Select a group name.
4. Select a user from the Available Users list.
5. Click Add. The user is added to the Members list.
Alternatively, click Add All to add all of the users to the group.
6. Click Save.
Multiple users can be assigned to a group from the Group page. The membership change is immediately put into
effect.

Important
Care should be exercised when adding users to a group, such as the Predefined groups, so that elevated
privileges are not accidentally assigned to a user. For example, BmcSearchAdmin has privileges to
perform searches and BmcAgents has privileges to read configuration information.

11.2.5 To remove users from a group


Users can be removed from a group from the Group page.
1. On the BMC Atrium SSO Admin Console, click Edit BMC Realm.
2. Select the Groups tab.
3. Select the group name.
4. Select a user from the Members list and click Remove.
Alternatively, click Remove All to remove all of the users from the group.
5. Click Save. The membership change is immediately put into effect.

11.3 Managing authentication modules


The basic building block of authentication in BMC Atrium Single Sign-On is the authentication module. These
modules specify the type of authentication (LDAP, RSA SecurID, and so on) as well as deployment-specific values
such as host names and port numbers.
To manage authentication modules (see page 271)
To create a new module (see page 271)
To edit a module (see page 271)
To delete a module (see page 272)
To change the criteria for a module (see page 272)
To reorder the modules in a chain (see page 272)

11.3.1 To manage authentication modules


Module instances can be created, edited, and deleted from the Realm Authentication panel. The Realm
Authentication panel is on the Main tab of the realm.
Add allows you to create a new module instance.
Edit allows you to modify the module instance parameters.
Delete allows you to remove the selected module instance.
Up and Down allow you to re-order a module instance in the authentication chain.

11.3.2 To create a new module


1. On the BMC Atrium SSO Admin Console, click Edit BMC Realm.
2. Click Add.
3. Select the type of new module instance.
4. Type a unique name for the module instance.
The name should be composed of alphanumeric characters and a few punctuation characters such as the
underscore, but no spaces, commas, or ampersands.
5. Provide the module parameters.
6. Click Save.
7. If you want to change the module configuration, edit the module.
The module's configuration must be edited before it can be used within an authentication chain.

11.3.3 To edit a module


1. On the BMC Atrium SSO Admin Console, click Edit BMC Realm.
2. Select the module instance check box.

3. Click Edit.
A pop-up is launched that allows you to configure module attributes.

Note
See the sections on configuring that particular type of module. For example, Using LDAP (Active
Directory) for authentication.

11.3.4 To delete a module


1. On the BMC Atrium SSO Admin Console, click Edit BMC Realm.
2. Select the module instance check box.
3. Click Delete.

11.3.5 To change the criteria for a module


1. On the BMC Atrium SSO Admin Console, click Edit BMC Realm.
2. On the Flag option for the module, select the new criteria from the drop-down menu.
The criteria for a module alter the authentication status of the chain. The criteria categories are Required,
Requisite, Sufficient, and Optional.
Required: This module must authenticate the user. Regardless of pass or fail, processing of the chain
continues.
Requisite: This module must authenticate the user. When authentication fails, processing of the chain
aborts.
Sufficient: This module might authenticate the user. If authentication passes, processing of the chain
stops; otherwise processing continues.
Optional: This module might authenticate the user. Processing continues regardless of success or failure.
The overall status is successful if all of the Required and Requisite modules pass before either the end of the chain
or the first successful Sufficient module. When there are no Required or Requisite modules, at least one
Sufficient or Optional module must authenticate the user.
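The chain rules above, as an added example that is not part of the BMC documentation: a small Python evaluator that applies the Required, Requisite, Sufficient and Optional criteria to a chain of constructed in-memory modules (the user stores, module names and credential fields are assumptions, not the product's own).

```python
"""Evaluate a BMC Atrium Single Sign-On style authentication chain.

Added example, not BMC code. The module checks are constructed in-memory
lookups standing in for real LDAP / RSA SecurID module instances.
"""
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Flag(Enum):
    """Criteria (the module's Flag option) as shown in the realm editor."""
    REQUIRED = "Required"
    REQUISITE = "Requisite"
    SUFFICIENT = "Sufficient"
    OPTIONAL = "Optional"


# A module instance: (instance name, criteria flag, authentication callback)
Module = Tuple[str, Flag, Callable[[str, Dict[str, str]], bool]]


def evaluate_chain(chain: List[Module], user: str, creds: Dict[str, str]):
    """Run the chain in order and return (overall_success, trace).

    trace lists (module name, flag, passed) for every module that actually ran,
    which shows where a login stopped, much like the Authentication log does.
    """
    trace: List[Tuple[str, str, bool]] = []
    has_mandatory = any(f in (Flag.REQUIRED, Flag.REQUISITE) for _, f, _ in chain)
    mandatory_failed = False
    optional_passed = False

    for name, flag, authenticate in chain:
        passed = authenticate(user, creds)
        trace.append((name, flag.value, passed))
        if flag in (Flag.REQUIRED, Flag.REQUISITE):
            if not passed:
                mandatory_failed = True
                if flag is Flag.REQUISITE:
                    break          # Requisite failure aborts the rest of the chain
        elif flag is Flag.SUFFICIENT:
            if passed:
                # Processing stops; success only if no Required/Requisite module failed
                return (not mandatory_failed), trace
        else:                      # Flag.OPTIONAL: recorded, chain always continues
            optional_passed = optional_passed or passed

    if has_mandatory:
        return (not mandatory_failed), trace
    # No Required/Requisite modules: at least one Sufficient or Optional must pass
    return optional_passed, trace


# Constructed user stores (not real directories)
INTERNAL_LDAP = {"bob": "bob-pass"}
CORP_AD = {"alice": "alice-pass"}
SECURID_PASSCODES = {"alice": "123456"}


def internal_ldap(user: str, creds: Dict[str, str]) -> bool:
    return INTERNAL_LDAP.get(user) == creds.get("password")


def corp_ad(user: str, creds: Dict[str, str]) -> bool:
    return CORP_AD.get(user) == creds.get("password")


def securid(user: str, creds: Dict[str, str]) -> bool:
    return SECURID_PASSCODES.get(user) == creds.get("passcode")


def audit_only(user: str, creds: Dict[str, str]) -> bool:
    """Constructed Optional module that never authenticates (for example, only logs)."""
    return False


# Internal users short-circuit; everyone else must pass the corporate directory
FALLBACK_CHAIN: List[Module] = [
    ("InternalLDAP", Flag.SUFFICIENT, internal_ldap),
    ("CorpAD", Flag.REQUIRED, corp_ad),
]

# Directory password first; a wrong password aborts before the token module runs
STRICT_CHAIN: List[Module] = [
    ("CorpAD", Flag.REQUISITE, corp_ad),
    ("SecurID", Flag.REQUIRED, securid),
    ("AuditOnly", Flag.OPTIONAL, audit_only),
]


if __name__ == "__main__":
    for chain, user, creds in [
        (FALLBACK_CHAIN, "bob", {"password": "bob-pass"}),
        (FALLBACK_CHAIN, "alice", {"password": "alice-pass"}),
        (STRICT_CHAIN, "alice", {"password": "wrong", "passcode": "123456"}),
    ]:
        ok, trace = evaluate_chain(chain, user, creds)
        print(user, "->", "success" if ok else "failure", trace)
```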

11.3.6 To reorder the modules in a chain


1. On the BMC Atrium SSO Admin Console, click Edit BMC Realm.
2. Select the Module instance that you want to move.
3. Click Up or Down to change the order in which the module instances are processed.

11.4 Managing nodes in a cluster


You manage the nodes in a cluster by modifying the server configuration on each node or by deleting a node.
To modify the server configuration on a node (see page 273)
To delete a node from the cluster (see page 273)
The following topics provide additional information and instructions for managing nodes in a cluster:
Resynchronizing nodes in a cluster
Starting nodes in a cluster (see page 274)
Stopping nodes in a cluster (see page 274)

11.4.1 To modify the server configuration on a node


1. On the BMC Atrium SSO Admin Console, click HA Node Console.
2. Select the node that you want to modify.
3. Click Edit, and modify the server parameters.
4. Click Save.

11.4.2 To delete a node from the cluster


Removing a node from a cluster deletes the node permanently from the cluster. When a node cannot be brought
back online, the node must be removed from the cluster configuration. For example, a node cannot be brought
back online when there is a complete hardware failure.
1. On the BMC Atrium SSO Admin Console, click HA Node Details.
2. Select the node that you want to remove.
3. Click Delete.
4. When prompted with "Delete selected nodes?", click OK.

11.4.3 Resynchronizing nodes in a cluster


When a node is unable to join a cluster, the information within the node becomes stale and out-of-sync with the
other nodes of the cluster. In this circumstance, the node must be brought up-to-date with the cluster before it
can participate.

To resynchronize a node in a cluster


1. Block access at the load balancer.
2. Execute the dsreplication utility from the command line:

dsreplication initialize -baseDN "dc=opensso,dc=java,dc=net" -adminUID <adminUID> -adminPassword <adminPassword> -hostSource <hostSource> -portSource <portSource> -hostDestination <hostDestination> -portDestination <portDestination> -n

The dsreplication utility is in the following location:

(Microsoft Windows) <installationDirectory>\tomcat\webapps\atriumsso\WEB-INF\config\opends\bat
(UNIX) <installationDirectory>/tomcat/webapps/atriumsso/WEB-INF/config/opends/bin
3. Select menu option 3.
4. Stop and start the node.
5. Restore the load balancer.

11.4.4 Starting nodes in a cluster


This topic provides instructions for starting nodes in a cluster.

To start a Microsoft Windows node in a cluster


1. Block access at the load balancer.
2. To start the BMC Atrium Single Sign-On server, use the Windows Services Control Panel.
You can start nodes in any order.
3. Restore the load balancer.

To start a UNIX node in a cluster


1. Block access at the load balancer.
2. Execute the following command from the command line (you can start nodes in any order):

startup-tomcat.sh

3. Restore the load balancer.

11.4.5 Stopping nodes in a cluster


This topic provides instruction for stopping nodes in a cluster.

To stop a Microsoft Windows node in a cluster


1. Block access at the load balancer.
2. To stop the BMC Atrium Single Sign-On server, use the Windows Services Control Panel.
You can stop nodes in any order.
3. Restore the load balancer.

To stop a UNIX node in a cluster


1. Block access at the load balancer.
2. Execute the following command from the command line (you can stop nodes in any order):

shutdown-tomcat.sh

3. Restore the load balancer.

11.5 Managing agents


BMC Atrium Single Sign-On allows you to edit and delete agents from the Agent Manager. The names for the
agent and user are based on the host name and port of the URL for the BMC product server where the agent
resides. This name uses the following template:
BMCJEE<Agent>@<host>:<port> or <uri>@<host>.<port>
host is the FQDN of the host.
port is the main port number.
uri is the URI of the application.

11.5.1 To edit an agent account


For information about the Agent Manager and agent parameters that can be modified, see Agent manager.
1. On the BMC Atrium SSO Admin Console, click Agent Details.
2. Select the agent that you want to edit.
3. Click Edit.
4. Modify the parameters and click Save.

11.5.2 To delete an agent account


If a product has become unusable and the uninstall utility can no longer be used to perform an orderly cleanup
and de-integration with BMC Atrium Single Sign-On, you might need to perform a manual cleanup.

Note
If all products within the JEE server no longer need authentication or you want to permanently block
access from the JEE server, deleting the agent accounts effectively terminates access by the agent. To
do so, both the J2EE agent and the user must be deleted from the root realm.

1. On the BMC Atrium SSO Admin Console, click Agent Details.


2. Select the J2EE agent that you want to delete.
3. Click Delete.
4. On the BMC Atrium SSO Admin Console, select the user session that has the same name as the J2EE agent
(if one exists).
5. Click Invalidate Selected.

11.6 Managing the server configuration


You can modify or enable BMC Atrium Single Sign-On server parameters, including the server session settings,
the cookie name and domain, the password for accessing the server, the FQDN, the logging level, FIPS-140
enablement, and enablement of the Online Certificate Status Protocol (OCSP) for CAC.
To modify the server configuration (see page 276)
Server configuration parameters (see page 276)
Server Configuration Editor parameters (see page 276)
HTTP Only and HTTPS Only (see page 277)
Session parameter defaults (see page 278)

11.6.1 To modify the server configuration


1. On the BMC Atrium SSO Admin Console, click Edit Server Configuration.
2. Modify the BMC Atrium Single Sign-On server parameters.
3. Click Save.
Committed changes take effect immediately. A server restart is not necessary.

11.6.2 Server configuration parameters


The Server Configuration Editor provides the parameters that must be updated when you install or configure
BMC Atrium Single Sign-On server.
The following topics are provided:
Server Configuration Editor parameters (see page )
HTTP Only and HTTPS Only (see page )

11.6.3 Server Configuration Editor parameters


Field / Parameter: Description

Cookies
    Cookie Name: The cookie name is automatically created at install time for the BMC Atrium Single Sign-On server. It is generated based upon the FQDN of the BMC Atrium Single Sign-On host.
    Cookie Domain: The default cookie domain value is the network domain of the computer on which you are installing the server. The default cookie domain specifies the most restrictive access. This value is used to control cookie visibility between servers within the domain. For more information about the default cookie domain, see Default cookie domain.
    HTTP Only: Select the HTTP Only check box to mark the BMC Atrium Single Sign-On cookie so that non-HTTP APIs, such as JavaScript, cannot access the cookie. For more information about the HTTP Only parameter, see HTTP Only and HTTPS Only (see page 277).
    HTTPS Only: Select the HTTPS Only check box to mark the cookie with the Secure option, which ensures that the cookie is transmitted over only HTTPS connections from the browser to the server. For more information about the HTTPS Only parameter, see HTTP Only and HTTPS Only (see page 277).

amAdmin
    Password & Confirm Password: The password for accessing the BMC Atrium Single Sign-On server.

External URL: FQDN for the BMC Atrium Single Sign-On server.

Logging Level: Logging level options are Off, Error, Warning, or Message. Error returns the least information and Message the most.

Enable FIPS-140: Be sure to configure FIPS-140 before enabling it; see Configuring FIPS-140 mode (see page 251).

Online Certificate Status Protocol: CAC can use OCSP. If CAC is using OCSP, be sure to configure CAC before enabling. If CAC is not using OCSP, configuration is not required. To enable, provide the Server URL and select Enable OCSP.

Session
    Max Session Time: Time after which your session is logged out even when you are active. The default time is 120 minutes. The time constraints are automatically enforced when this value is selected.
    Idle Timeout: Time after which your session is logged out if you are inactive or away. The default time is 30 minutes. The time constraints are automatically enforced when this value is selected.
    Note: The Max Session Time value should be greater than the Idle Timeout value.
    Note: When you have integrated BMC Atrium SSO with BMC Remedy AR System, the Idle Timeout value should be 3 minutes more than the BMC Mid Tier idle timeout value.
    Cache Time: Time after which the cache is cleared. Time constraints are automatically enforced. The default time is 3 minutes.
    Max Session Count per User: Maximum number of concurrent sessions allowed for a user. The default value is 5. Click Enable to enable Max Session Count per User. When the session limit is exceeded, select the desired behavior. The two options are Delete Oldest or Block New.

11.6.4 HTTP Only and HTTPS Only


With the release of BMC Atrium Single Sign-On 8.1 Patch 3, the Server Configuration Editor provides two new
options: HTTP Only and HTTPS Only.
The HTTP Only parameter marks the BMC Atrium Single Sign-On cookie so that non-HTTP APIs, such as
JavaScript, cannot access the cookie. When you enable the HTTPS Only parameter, the cookie is marked with the
Secure option, which ensures that the cookie is transmitted only over HTTPS connections from the browser to
the server.
Both check boxes are cleared (false) by default. When set to true, the options prevent scripts and third-party
programs from accessing the cookie and prevent the browser from sending it over an unencrypted connection.
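To see what these two settings change on the wire, here is an added Python example (not BMC code) that audits Set-Cookie response headers for the HttpOnly and Secure attributes, the attributes that HTTP Only and HTTPS Only set, and shows the hardened form; the cookie names and header values are constructed.

```python
"""Audit Set-Cookie headers for the HTTP Only and HTTPS Only cookie settings.

Added example, not BMC code. Cookie names and header values are constructed;
the real BMC Atrium SSO cookie name is generated from the server FQDN.
"""
from typing import Dict, List, Tuple

# HTTP Only sets the HttpOnly attribute, HTTPS Only sets the Secure attribute
REQUIRED_FLAGS = ("HttpOnly", "Secure")


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a Set-Cookie value into (name, value, attributes).

    Attribute names are case-insensitive, so they are stored lower-cased;
    flag attributes such as HttpOnly map to an empty string.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    if not parts or "=" not in parts[0]:
        raise ValueError("not a Set-Cookie value: %r" % header)
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def missing_flags(header: str) -> List[str]:
    """Return the flags the cookie lacks; an empty list means both are set."""
    _, _, attrs = parse_set_cookie(header)
    return [flag for flag in REQUIRED_FLAGS if flag.lower() not in attrs]


def harden_set_cookie(header: str) -> str:
    """Append whichever flags are missing; an already hardened header is unchanged."""
    hardened = header.strip().rstrip(";")
    for flag in missing_flags(header):
        hardened += "; " + flag
    return hardened


def audit_response_headers(headers: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map each Set-Cookie in a response to the flags it is missing."""
    report: Dict[str, List[str]] = {}
    for key, value in headers:
        if key.lower() == "set-cookie":
            name, _, _ = parse_set_cookie(value)
            report[name] = missing_flags(value)
    return report


# Constructed response headers: one cookie left at the defaults, one hardened
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sso_example=abc123; Domain=.example.com; Path=/"),
    ("Set-Cookie", "lb_example=01; Domain=.example.com; Path=/; HttpOnly; Secure"),
]

if __name__ == "__main__":
    for cookie, missing in audit_response_headers(SAMPLE_HEADERS).items():
        print(cookie, "missing:", missing or "nothing")
    print(harden_set_cookie(SAMPLE_HEADERS[1][1]))
```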

To secure BMC Atrium Single Sign-On as a stand-alone server


1. Open the Edit Server Configuration tab on the BMC Atrium Single Sign-On Admin Console.
2. Select the HTTP Only and HTTPS Only check boxes, and click Save.
3. Restart the BMC Atrium Single Sign-On server.
4. Clear all the existing cookies from the browser history.

To secure BMC Atrium Single Sign-On as a high-availability cluster


1. Open the HA Node Details tab on the BMC Atrium Single Sign-On Admin Console.
2. Select the node for which the HTTP Only and HTTPS Only options are to be enabled.
3. Select the HTTP Only and HTTPS Only check boxes for each node, and click Save.

Note
Configuration warnings appear, saying that the HTTP Only and HTTPS Only features are out of
sync for some nodes. You can ignore the warnings and click OK.

4. Restart the server.


5. Clear all the existing cookies from the browser history.

Note
A warning is displayed after the configuration change is saved when the HTTP Only, HTTPS Only, Cookie
Name, or Cookie Domain setting is out of sync with other nodes. The warning message includes a list of
other nodes that do not match the currently saved value.

11.6.5 Session parameter defaults


The session parameters defaults for the BMC Atrium Single Sign-On server are:
Max Session Time (Default: 120 minutes)
Idle Timeout (Default: 30 minutes)
Cache Time (Default: 3 minutes)
Max Session Count per User (Default: 5)
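As an added example (not BMC code) of how the Session parameters in the Server Configuration Editor and the defaults listed above interact, the following Python session store enforces Max Session Time, Idle Timeout and Max Session Count per User with the Delete Oldest and Block New behaviours; the clock (minutes), token format and user names are constructed.

```python
"""Simulate the Session parameters of the Server Configuration Editor.

Added example, not BMC code: an in-memory session store that enforces
Max Session Time, Idle Timeout and Max Session Count per User with the
Delete Oldest / Block New behaviours. Times are minutes on a constructed clock.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

DELETE_OLDEST = "Delete Oldest"
BLOCK_NEW = "Block New"


@dataclass
class SessionConfig:
    max_session_time: int = 120      # minutes; logout even while active
    idle_timeout: int = 30           # minutes without activity
    max_session_count: int = 5       # concurrent sessions per user
    on_limit: str = DELETE_OLDEST    # behaviour when the count is exceeded

    def validate(self) -> None:
        """Mirror the console note: Max Session Time must exceed Idle Timeout."""
        if self.max_session_time <= self.idle_timeout:
            raise ValueError("Max Session Time must be greater than Idle Timeout")
        if self.on_limit not in (DELETE_OLDEST, BLOCK_NEW):
            raise ValueError("unknown limit behaviour: %s" % self.on_limit)


def config_is_valid(config: SessionConfig) -> bool:
    try:
        config.validate()
        return True
    except ValueError:
        return False


@dataclass
class Session:
    token: str
    user: str
    created: float
    last_activity: float


class SessionStore:
    def __init__(self, config: SessionConfig):
        config.validate()
        self.config = config
        self.sessions: Dict[str, Session] = {}
        self._next_id = 0

    def _expire(self, now: float) -> None:
        """Drop sessions past the absolute limit or the idle limit."""
        cfg = self.config
        for token, s in list(self.sessions.items()):
            if (now - s.created >= cfg.max_session_time
                    or now - s.last_activity >= cfg.idle_timeout):
                del self.sessions[token]

    def active_for(self, user: str, now: float) -> List[Session]:
        """Live sessions of one user, oldest first."""
        self._expire(now)
        return sorted((s for s in self.sessions.values() if s.user == user),
                      key=lambda s: s.created)

    def login(self, user: str, now: float) -> Optional[str]:
        """Create a session; returns None when Block New refuses the login."""
        active = self.active_for(user, now)
        if len(active) >= self.config.max_session_count:
            if self.config.on_limit == BLOCK_NEW:
                return None
            del self.sessions[active[0].token]     # Delete Oldest
        self._next_id += 1
        token = "sess-%d" % self._next_id          # constructed, not a real SSO token
        self.sessions[token] = Session(token, user, now, now)
        return token

    def validate(self, token: str, now: float) -> bool:
        """Validate a session as an agent would; activity resets the idle clock."""
        self._expire(now)
        s = self.sessions.get(token)
        if s is None:
            return False
        s.last_activity = now
        return True


if __name__ == "__main__":
    store = SessionStore(SessionConfig())
    token = store.login("bob", 0)
    print("valid after 20 min idle:", store.validate(token, 20))
    print("valid after 40 min idle:", store.validate(token, 60))
```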

11.7 Stopping and restarting the BMC Atrium Single Sign-On server


This section describes how to stop and restart the BMC Atrium Single Sign-On server on Microsoft Windows,
UNIX, and Linux.

11.7.1 Stopping and restarting on Windows


1. From the desktop of the application server host, use the Control Panel to go to the Administrator Tools'
Component Services dialog box.
2. Expand the Services folder.
3. Select BMC Atrium SSO.
4. Click Stop.
5. To restart BMC Atrium Single Sign-On, click Start.

11.7.2 Stopping and restarting on UNIX or Linux


Ensure that your Java processes are stopped before restarting BMC Atrium Single Sign-On. Start the UNIX or
Linux services by performing the following steps:
1. Navigate to the <installationDirectory>/AtriumSSO/bin directory.
2. To shut down the services, type the following command:

shutdown-tomcat.sh

3. To start the services, type the following command:

startup-tomcat.sh

12 Troubleshooting
By default, BMC Atrium Single Sign-On supports logging on both the server and the agents. Logging is used for
auditing purposes and for general debugging of connection issues. The logging system supports rotation of the
agent audit log files. By default, these agent audit log files are not used or rotated, because audit logging also
occurs on the server. If the agent audit logs are enabled but rotation is disabled, log files might consume the file system.

Note
The logging system can be modified for each component of BMC Atrium Single Sign-On.

The following topics provide information about various issues that can occur with BMC Atrium Single Sign-On:

Collecting diagnostics (see page 281)
Working with error messages (see page 285)
Logon and logoff issues (see page 316)
Upgrading from 7.6.04 to 8.1 silent installation issue (see page 317)
Troubleshooting AR authentication (see page 320)
Troubleshooting AR System server and Mid Tier integrations
Troubleshooting CAC authentication (see page 326)
Troubleshooting FIPS-140 conversion
Troubleshooting JEE agents (see page 331)
Troubleshooting Kerberos authentication (see page 333)
Troubleshooting an external LDAP user store
Troubleshooting SAMLv2
Troubleshooting redirect URLs (see page 343)
Session sharing in HA mode issue (see page 345)
Troubleshooting installation or upgrade issues (see page 346)
Resolving installation issues on LINUX operating system (see page 346)

12.1 Collecting diagnostics


Because BMC Atrium Single Sign-On is a distributed system, it creates log files in many locations. The location of
a log file generally depends on the component of the system (server or agents) that writes it.
To help gather log files and other information that is critical to providing quality support, a Java utility is available
that collects this data from many of the components. This utility requires a Java 6 JVM.
To run the support utility (see page 282)
Support utility location (see page 282)

Log file locations (see page 282)
Using BMC Atrium Single Sign-On for logging (see page 284)

12.1.1 To run the support utility


1. On the command line, navigate to the directory containing the jar support utility.
2. Enter the following jar command:

java -jar atssoSupport.jar

After the utility completes, all of the gathered information is stored in the atssoSupport.zip file.

12.1.2 Support utility location


The server and the web agent place the jar support utility in a predefined location. Products that use the
Thick Agents for integration do not have a predefined location, but instead rely on a product-specific location.
The location within the server is:
<installationDirectory>/tomcat/webapps/atriumsso/WEB-INF/tools
The location within the agent is:
<container>/atssoAgents/bin

installationDirectory is the location where BMC Atrium Single Sign-On has been installed.
container is the base directory of the JEE container in which the agent has been installed.

12.1.3 Log file locations


BMC Atrium Single Sign-On has two main logging directories:
<installationDirectory>/tomcat/webapps/atriumsso/WEB-INF/config/atriumsso/log
<installationDirectory>/tomcat/webapps/atriumsso/WEB-INF/config/atriumsso/debug
Of the log and debug directory component files, the files that are most commonly used to resolve BMC Atrium
Single Sign-On issues are the Authentication and CoreSystem log files. These files contain the error entries about
failures to communicate with the authentication modules, with the exception of RSA SecurID. RSA SecurID also
uses the rsa_api.log and rsa_api_debug.log for additional logging.
Additional server log file locations (see page 283)
Install program log files (see page 283)
Log directory (see page 283)
Debug directory (see page 283)

Additional server log file locations


Additional server log files are located at:
<installationDirectory>/tomcat/logs
<installationDirectory>/tomcat/temp

Install program log files


The install program log files are in the temporary file system:
<tmp>/atriumsso_install_log.txt
<tmp>/AtriumSSOInstalledConfiguration.xml
<tmp>/AtriumSSOInstallingConfiguration.xml

Log directory
The log directory contains log files that are useful for auditing purposes. Each component of BMC Atrium Single
Sign-On creates two files within this directory, one for successful entries and the other for error entries. The
following components typically have files in this logging directory:
amAuthentication
amConsole
amPolicy
IDFF
WSFederation
amPolicyDelegation
amSSO

Debug directory
The debug directory contains additional log files that are geared towards problem resolution. The following BMC
Atrium Single Sign-On components typically have files in this logging directory:
Authentication
CoreSystem
Entitlement
IdRepo
Session
rsa_api_debug.log
rsa_api.log

12.1.4 Using BMC Atrium Single Sign-On for logging


BMC Atrium Single Sign-On provides logging level options at the server level and at the agent level. In addition,
debug logging can be enabled for RSA SecurID.
To enable logging at the server level (see page 284)
To enable logging at the agent level (see page 284)
To modify the rsa_api.properties file (see page 285)
The logging level options at both the server and agent level include:
Off: Turns off logging.
Error (default): Returns the least amount of information. The logging level is typically kept at this default.
Message: Generates the most verbose logs but severely impacts server performance. Message level
should be used only while an issue is being worked on.
Warning: Returns more information than Error, but less than Message.

Note
BMC recommends that for normal operation, set Logging Level to either Off or Error.

To enable logging at the server level


1. On the BMC Atrium SSO Admin Console, click Edit Server Configuration.
2. In the Logging Level section, select your logging level from the drop down menu.
3. Click Save.
4. Restart the server for the logging configuration change to take effect.
The default log file location is in the following directory:
<installationDirectory>/tomcat/webapps/atriumsso/WEB-INF/config/atriumsso/debug

To enable logging at the agent level


1. On the BMC Atrium SSO Admin Console, click Agent Details.
2. Select the agent that you want to update.
3. In the Logging Level section, select your logging level from the drop down menu.
4. Click Save.
5. Restart the agent for the logging configuration change to take effect.
The default location for the log files generated by the agent is the temporary directory of the web container
where the agent is deployed. For example, for the Tomcat server, the location is the CATALINA_HOME directory
and for IBM WebSphere, the location is the AppServer directory.

To modify the rsa_api.properties file

For RSA SecurID, additional debug logging is available by modifying the rsa_api.properties file.
1. Navigate to <installationDirectory>/tomcat/webapps/atriumsso/WEB-INF/config/atriumsso/auth/ace/data
2. Edit the rsa_api.properties file.
3. Change the RSA_ENABLE_DEBUG property from NO to YES. Changing this property increases the volume of debugging information supplied by the RSA SecurID module.
4. Access the rsa_api_debug.log file in the debug logging directory for this information.
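Once logging is enabled, the debug files carry messages with the codes listed in the error-message table that follows (prefix BMCSSG or BMCSSO, four digits, and a severity suffix E, W or I). The Python below is an added example, not part of the BMC documentation, that parses constructed sample log lines, counts messages by severity, and flags the codes from the table that point at weakened transport, certificate or FIPS settings; the timestamped line layout and the hostname in the sample are assumptions.

```python
import re
from collections import Counter

# Code format used throughout the BMC Atrium SSO message table:
# BMCSSG/BMCSSO prefix, four digits, severity suffix E (error), W (warning), I (info).
CODE_RE = re.compile(r"\b(BMCSS[GO]\d{4})([EWI])\b")

SEVERITY = {"E": "error", "W": "warning", "I": "info"}

# Codes from the message table that indicate a weakened security setting rather than
# an ordinary operational failure; the descriptions paraphrase the table entries.
SECURITY_RELEVANT = {
    "BMCSSG1231E": "insecure HTTP used for the server URL instead of HTTPS",
    "BMCSSG1245W": "insecure HTTP protocol specified for the server",
    "BMCSSG1359E": "a declined server certificate was used",
    "BMCSSG1363E": "server certificate CN does not match the hostname",
    "BMCSSG1506E": "server in FIPS mode but this agent is not",
    "BMCSSG1507E": "agent in FIPS mode but the server is not",
    "BMCSSG1563E": "server in FIPS mode but the RSA library is not FIPS compliant",
}


def parse_line(line):
    """Return (code, severity) for the first BMCSSG/BMCSSO code in a log line, else None."""
    m = CODE_RE.search(line)
    if not m:
        return None
    return m.group(1) + m.group(2), SEVERITY[m.group(2)]


def triage(lines):
    """Summarise a debug log: message counts per severity and the security-relevant codes seen.

    Returns (counts, findings) where findings is a list of (line_number, code, reason).
    """
    counts = Counter()
    findings = []
    for n, line in enumerate(lines, 1):
        parsed = parse_line(line)
        if parsed is None:
            continue  # line without a message code, e.g. a stack trace or heartbeat
        code, severity = parsed
        counts[severity] += 1
        if code in SECURITY_RELEVANT:
            findings.append((n, code, SECURITY_RELEVANT[code]))
    return dict(counts), findings


# Constructed sample lines: the timestamp layout and hostname are assumptions;
# the codes and message texts come from the table in this section.
SAMPLE_LOG = [
    "2014-01-16 15:56:01 BMCSSG1057I Successfully configured BMC Atrium SSO server.",
    "2014-01-16 15:56:02 BMCSSG1245W Specified insecure HTTP protocol for BMC Atrium SSO server (http://sso.example.test).",
    "2014-01-16 15:56:03 BMCSSG1363E Server presented certificate unusable for server verification. CN must be hostname.",
    "2014-01-16 15:56:04 BMCSSG1506E BMC Atrium SSO server is operating in FIPS mode but this agent is not in FIPS mode.",
    "2014-01-16 15:56:05 BMCSSG1332E Failed to connect with BMC Atrium SSO server (timeout).",
    "2014-01-16 15:56:06 heartbeat ok",
]

if __name__ == "__main__":
    counts, findings = triage(SAMPLE_LOG)
    print(counts)
    for n, code, reason in findings:
        print(f"line {n}: {code}: {reason}")
```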

12.2 Working with error messages


Error number  Message
BMCSSG0000E  Undefined error message. Contact BMC Software, Inc.
BMCSSO1000E  Undefined error message. Contact BMC Software, Inc.
BMCSSO1001I  OpenSSO agent configuration override is on.
BMCSSO1002E  Cannot find config.properties in directory specified (%s)
BMCSSO1003I  BMC Atrium SSO agent is disabled.
BMCSSO1004I  No disabled user id specified, and user not already authenticated. Using user id "nobody".
BMCSSO1005E  Failed to configure logging: %s
BMCSSO1006E  Destination directory for templates does not exist: %s
BMCSSO1007E  Destination directory for templates is not a directory: %s
BMCSSO1008E  Required parameter not specified for configuration (%s). Internal Error. Contact BMC Software, Inc.
BMCSSG1009E  Failed to generated configuration for OpenSSO Agent.
BMCSSO1010E  BMC Atrium SSO security not configured.
BMCSSO1011E  BMC Atrium SSO security improperly configured. Internal error. Contact BMC Software, Inc.
BMCSSG1012E  BMC Atrium SSO security not integrated with server. Internal error. Contact BMC Software, Inc.
BMCSSO1013E  Failed internal agent configuration. Internal error. Contact BMC Software, Inc.
BMCSSO1014E  Failed internal agent configuration. Internal error. Contact BMC Software, Inc.
BMCSSO1015E  Agent configuration file (%s) already exists. Either delete agent or use replace agent.
BMCSSO1016W  Failed to get canonicalized host name.
BMCSSO1017E  Agent configuration file (%s) must be located within WEB-INF directory structure.
BMCSSO1018E  Failed agent confidentiality algorithm (%s). Contact BMC Software, Inc.

BMCSSO1019E  Failed agent confidentiality algorithm (%s). Contact BMC Software, Inc.
BMCSSO1020E  Failed agent confidentiality algorithm (%s). Contact BMC Software, Inc.
BMCSSG1021E  Cannot delete agent because configuration file specified does not exist.
BMCSSG1022E  Cannot delete agent because configuration file does not contain BMC Atrium SSO server information.
BMCSSG1023E  Error while processing deployer command (%s): %s
BMCSSG1024E  Failed to register agent with BMC Atrium SSO server (%s).
BMCSSG1025E  BMC Atrium SSO agent already registered with BMC Atrium SSO server. Must either replace or delete this agent.
BMCSSG1026E  File system location of container lib could not be identified. Specify through the property BMC Atrium SSO.container.lib.dir.
BMCSSG1027E  Failure generating or updating agent config.properties file (%s).
BMCSSG1028E  The web.xml file specified could not be found. Verify agent file system location supplied.
BMCSSG1029W  Agent configuration was disabled. Re-enabling security.
BMCSSG1030E  The web.xml file is not configured for FORM login. Please change the configuration to FORM login for BMC Atrium SSO Agent configuration.
BMCSSG1031E  Failed administrator logon: %s
BMCSSG1032E  Failed agent logon: %s
BMCSSG1033E  Failed to find agent configuration file.
BMCSSG1034E  Parsing error while processing file %s.
BMCSSG1035E  Could not access configuration template file (%s). Internal error. Contact BMC Software, Inc.
BMCSSG1036E  Could not find configuration template file. Internal error. Contact BMC Software, Inc.
BMCSSG1037E  Failed to create container control. Internal error. Contact BMC Software, Inc.
BMCSSG1038E  Failed to create container control for unknown type(%s). Internal error. Contact BMC Software, Inc.
BMCSSG1039E  Administrative function (%s) failed. Internal error. Contact BMC Software, Inc.
BMCSSG1040E  Tomcat cookie adjustment failed. Internal error. Contact BMC Software, Inc.
BMCSSG1041E  Failed to bounce container. Internal error. Contact BMC Software, Inc.
BMCSSG1042E  Invalid hostname specified for BMC Atrium SSO URL (%s). Must use FQDN.
BMCSSG1043E  Failed to resolve configuration path (%s) to canonical.
BMCSSG1044E  Failed domain lookup of hostname supplied for BMC Atrium SSO URL.
BMCSSG1045E  Failed to find configurator template. Internal Error. Contact BMC Software, Inc.
BMCSSG1046E  Failed to load configurator template. Internal Error. Contact BMC Software, Inc.

BMCSSG1047E  Failed to load configurator template. Internal Error. Contact BMC Software, Inc.
BMCSSG1048E  Failed to execute configurator.
BMCSSG1049E  Execution of configurator failed with status code(%s).
BMCSSG1050E  Configuration of CAC was interrupted.
BMCSSG1051E  Configuration of CAC failed (%s).
BMCSSG1052E  Setup of administrative tool was interrupted.
BMCSSG1053E  Setup of administrative tool failed (%s).
BMCSSG1054E  Setup of administrative tool finished with non-zero result code (%s).
BMCSSG1055E  Invalid URL specified for BMC Atrium SSO server (%s).
BMCSSG1056E  BMC Atrium SSO configuration failed (%s).
BMCSSG1057I  Successfully configured BMC Atrium SSO server.
BMCSSG1058E  Invalid container home specified for BMC Atrium SSO server (%s).
BMCSSG1059E  Administrative password cannot be null or empty.
BMCSSG1060E  LDAP port specified is out of range (%d), must be 1..65534.
BMCSSG1061E  Failed to find executable jar file within classpath (%s).
BMCSSG1062E  Failed to connect with BMC Atrium SSO container. Container must be running with BMC Atrium SSO.war deployed before configuration.
BMCSSG1063E  Invalid URL type (%s).
BMCSSG1064E  Error connecting with BMC Atrium SSO container (%s)- is it running?
BMCSSG1065E  Failed to create temporary file for configuration (%s).
BMCSSG1066E  Failed to write to temporary file for configuration (%s).
BMCSSG1067E  Failed reconfiguration of BMC Atrium SSO server.
BMCSSG1068E  Invalid cookie domain specified (%s).
BMCSSG1069E  Failed to rewrite server URL to include proper context URI.
BMCSSG1070E  Agent password or name is empty/null. Internal error. Contact BMC Software, Inc.
BMCSSG1071E  Administrator password or name is empty/null. Internal error. Contact BMC Software, Inc.
BMCSSG1072E  Failed to create agent profile (response code: %s).
BMCSSG1073E  Configuration for agents failed (%s).
BMCSSG1074E  Configuration for agents was interrupted.
BMCSSG1075E  Failed to create cache dir.

BMCSSG1076E  Failed to create authentication context (%s). Is the BMC Atrium SSO server running?
BMCSSG1077E  Failed to begin login (%s).
BMCSSG1078E  Default BMC Atrium SSO server not specified with environment variable .
BMCSSG1079E  Badly formed URL for default BMC Atrium SSO server.
BMCSSG1080E  Failed to retrieve SSOToken (%s).
BMCSSG1081E  Failed to retrieve idle time (%s).
BMCSSG1082E  Failed to retrieve max idle time (%s).
BMCSSG1083E  Failed to retrieve max session time (%s).
BMCSSG1084E  Failed to retrieve principal (%s).
BMCSSG1085E  Failed to retrieve time left (%s).
BMCSSG1086E  Failed to logout (%s).
BMCSSG1087E  Failed to register for token events (%s).
BMCSSG1088E  Failed to get token event type (%s).
BMCSSG1089E  Failed to validate SSO token (%s).
BMCSSG1090E  Administrative password must be at least 8 characters in length.
BMCSSG1091E  Token cache too large to load (%d).
BMCSSG1092E  Failed to read fully from cache file (%s).
BMCSSG1093E  Failed to delete cache.
BMCSSG1094E  Failed to convert to XML. Internal Error. Contact BMC Software, Inc.
BMCSSG1095E  Failed to create lock on cache (%s).
BMCSSG1096E  Interrupted during create lock on cache (%s).
BMCSSG1097E  Failed to extract data from possibly corrupted cache (%s).
BMCSSG1098E  Failed to write to cache (%s).
BMCSSG1099E  Failed to write to cache (%s). Internal Error. Contact BMC Software, Inc.
BMCSSG1200E  Default BMC Atrium SSO server is not specified.
BMCSSG1201E  Default BMC Atrium SSO server URL is not specified correctly (%s).
BMCSSG1202E  Failed to retrieve SSOToken using token id. Is server certificate in truststore? (%s).
BMCSSG1203E  Login failed (%s).
BMCSSG1204E  Must authenticate a user before requesting token.
BMCSSG1205E  Failed to retrieve token (%s).

BMCSSG1206E  System callback handler is not specified.
BMCSSG1207E  Failed to load class for callback handler.
BMCSSG1208E  Failed to create an instance of the class for callback handler (%s).
BMCSSG1209E  Unknown UIHandler specified: %s
BMCSSG1210E  Failure during login (%s).
BMCSSG1211E  Failure during login (%s).
BMCSSG1212W  Please enter a value for the password.
BMCSSG1213E  Failed to logout from BMC Atrium SSO server (%s).
BMCSSG1214E  Failed to abort from BMC Atrium SSO server (%s).
BMCSSG1215E  Invalid naming URL: %s
BMCSSG1216E  Invalid BMC Atrium SSO URL specified (%s).
BMCSSG1217E  Already logged into BMC Atrium SSO server. Logout before trying to login again.
BMCSSG1218E  Context must be reset before being used for another login.
BMCSSG1219E  Failed to find userid within Principal (%s).
BMCSSG1220E  Failed to create context from token (%s).
BMCSSG1221E  Improper response received from BMC Atrium SSO server (%d).
BMCSSG1222E  Failed to connect with BMC Atrium SSO server.
BMCSSG1223E  Invalid security provider specified (%s).
BMCSSG1224E  Invalid security algorithm specified (%s).
BMCSSG1225E  Could not resolve hostname for BMC Atrium SSO server (%s).
BMCSSG1226E  Failed to access user specified keystore file (%s): %s
BMCSSG1227E  Failed to execute keytool to generate certificate.
BMCSSG1228E  Keytool finished with non-zero status code (%d).
BMCSSG1229E  Keystore password not specified.
BMCSSG1230E  Keystore password not specified.
BMCSSG1231E  Trying to use insecure communications protocol HTTP instead of HTTPS. Must use HTTPS for server URL (%s).
BMCSSG1232E  Could not find configuration utility. Has BMC Atrium SSO war file been deployed?
BMCSSG1233E  Could not connect using HTTPS and keystore specifications.
BMCSSG1234E  Failed to create TLS socket factory for HTTPS communications (%s).

BMCSSG1235E  Specified insecure HTTP protocol for BMC Atrium SSO but configuration is blocking usage.
BMCSSG1236E  Failed to initialize HTTPS protocol using keystore specified (%s).
BMCSSG1237E  Failed to initialize HTTPS protocol using certificate file specified (%s).
BMCSSG1238E  Configuration for HTTPS protocol is incomplete- a keystore or certificate is required.
BMCSSG1239E  Error while loading keystore specified for web agent deployment and configuration.
BMCSSG1240E  Error while loading server certificate specified for web agent deployment and configuration.
BMCSSG1241E  Failed to connect with BMC Atrium SSO server for HTTPS certificate download (%s).
BMCSSG1242E  Failed to retrieve certificate from BMC Atrium SSO server for HTTPS configuration.
BMCSSG1243E  Failed to write retrieved certificate to cache (%s).
BMCSSG1244E  Failed to use HTTPS certificates for agent delete (%s).
BMCSSG1245W  Specified insecure HTTP protocol for BMC Atrium SSO server (%s).
BMCSSG1246E  Failed to load users keystore (%s).
BMCSSG1247E  Failed to create keystore manager(%s).
BMCSSG1248E  Failed to add new certificate to keystore(%s).
BMCSSG1250E  Failed to lock file for keystore update (%s).
BMCSSG1251E  Failed to unlock file after keystore update (%s).
BMCSSG1252E  Login failed. Verify user credentials and try again.
BMCSSG1253E  Failed to create LDAP chain (%s).
BMCSSG1254E  Failed to load keystore (%s).
BMCSSG1255E  Invalid token specified for BMC Atrium SSO server connection.
BMCSSG1256E  Alias cannot be null. Internal error. Contact BMC Software, Inc.
BMCSSG1257E  Failed to update keystore because of failure to delete original keystore file.
BMCSSG1258E  Failed to rename new keystore to replace original keystore.
BMCSSG1259E  Failed to load keystore from file (%s).
BMCSSG1260E  Failed to read data from file (%s). Keystore has been corrupted.
BMCSSG1261E  If keystore specified, then keystore type and password must also be provided.
BMCSSG1262E  No keystore available for private keys.
BMCSSG1263E  Failed to setup trust manager (%s).
BMCSSG1264E  Failed to bounce container after configuration step (%s).
BMCSSG1265E  Authentication callback failed to provide credentials (%s).

BMCSSG1266E  BMC Atrium SSO URL is not specified through environment or system properties.
BMCSSG1267E  Invalid BMC Atrium SSO URL specified (%s).
BMCSSG1268E  A realm must be specified when connecting with BMC Atrium SSO (cannot be null).
BMCSSG1269E  A callback handler must be specified when connecting with BMC Atrium SSO (cannot be null).
BMCSSG1270E  Failed to find UID within DN (%s).
BMCSSG1271E  Empty DN provided for principal.
BMCSSG1272E  Failed to load JVM KeyStore(%s).
BMCSSG1273E  Missing store password for keystore file.
BMCSSG1274E  Malformed forwarding URL received (%s).
BMCSSG1275E  Failed to configure SecurID module (%s).
BMCSSG1276E  Failed creating ActiveDirectory chain (%s).
BMCSSG1277E  Failed adding ActiveDirectory module to ActiveDirectory chain (%s).
BMCSSG1278E  Failed creating ActiveDirectory module (%s).
BMCSSG1279E  Failed updating LDAP module (%s).
BMCSSG1280E  Failed updating AD module (%s).
BMCSSG1281E  Failed to create directory for file lock (%s).
BMCSSG1282E  Keytool finished with non-zero status code (%d).
BMCSSG1283E  Failed to execute keytool to export certificate.
BMCSSG1284E  Keytool finished with non-zero status code (%d).
BMCSSG1285E  Failed to connect with Identity REST services (%s).
BMCSSG1286E  Not connected with Identity REST services. Internal Error. Contact BMC Software, Inc.
BMCSSG1287E  Failed to fetch attributes from server (%s).
BMCSSG1288E  Failed to retrieve client host name(%s).
BMCSSG1289E  Failed to parse LDAP value (%s).
BMCSSG1290E  Failed to deserialize group file (%s).
BMCSSG1291E  Groups file (%s) does not exist.
BMCSSG1292E  Failed to upload groups to server (%s).
BMCSSG1293I  User canceled login.
BMCSSG1294E  Authentication failed for unknown reason.
BMCSSG1295E  Failed to find class (%s) in launching jar. Internal Error. Contact BMC Software, Inc.

BMCSSG1296E  Failed to parse jar file URL (%s). Internal Error. Contact BMC Software, Inc.
BMCSSG1297E  Failed to locate jar entry in jar URL (%s). Internal Error. Contact BMC Software, Inc.
BMCSSG1298E  Failed to get jar URL (%s). Internal Error. Contact BMC Software, Inc.
BMCSSG1299E  Agent zip directory (%s) not found in jar file directory (%s). Internal Error. Contact BMC Software, Inc.
BMCSSG1300E  Agent action option must be specified (install, migrate, uninstall).
BMCSSG1301E  Failed to create temporary response file (%s).
BMCSSG1302E  When truststore option is specified, the password, type and alias must also be specified.
BMCSSG1303E  Truststore specified does not exist(%s).
BMCSSG1304E  JEE container base directory specified does not exist (%s).
BMCSSG1305E  JEE container base directory specified is not a directory (%s).
BMCSSG1306E  Couldn't find websphere agent zip (%s).
BMCSSG1307E  Websphere server instance configuration directory doesn't exist (%s).
BMCSSG1308E  Couldn't create temporary server certificate file (%s).
BMCSSG1309E  Failed to load response file from input stream (%s). Internal Error. Contact BMC Software, Inc.
BMCSSG1310E  Failed to open response file source file (%s). Internal Error. Contact BMC Software, Inc.
BMCSSG1311E  Failed to load response file from string (%s). Internal Error. Contact BMC Software, Inc.
BMCSSG1312E  Failed to open response file (%s). Internal Error. Contact BMC Software, Inc.
BMCSSG1313E  Failed to write into response file (%s). Internal Error. Contact BMC Software, Inc.
BMCSSG1314E  Missing value for variable (%s). Internal Error. Contact BMC Software, Inc.
BMCSSG1315E  Failed to generate random sequence (%s).
BMCSSG1316E  Failed to create temporary file (%s).
BMCSSG1317I  Successfully finished execution.
BMCSSG1318I  Deployer execution completed.
BMCSSG1319E  Failed deployer execution.
BMCSSG1320E  Failed to load agent configuration (%s).
BMCSSG1321E  Failed to save agent configuration (%s).
BMCSSG1322I  Detected agent installation.
BMCSSG1323I  Agent installation not detected.
BMCSSG1324E  Agent installation detected, but failed to instantiate (%s).

BMCSSG1325E  Agent installation detected, but failed to instantiate (%s).
BMCSSG1326E  Failed to parse deployer options (%s).
BMCSSG1327E  Failed to access template file (%s).
BMCSSG1328E  Failed to find worker for task. Internal Error. Contact BMC Software, Inc.
BMCSSG1329E  Invalid parameter values.
BMCSSG1330E  Subscript execution failed (%s) (formerly code BMCSDG1330E).
BMCSSG1331E  Failed to create agent installation directory (%s).
BMCSSG1332E  Failed to connect with BMC Atrium SSO server (%s).
BMCSSG1333E  JEE container cannot be running during installation. Please stop the server and retry agent installation.
BMCSSG1334E  BMC Atrium SSO server (%s) cannot be contacted. It must be running during agent installation.
BMCSSG1335E  Failed to netstat for JEE container ports (%s).
BMCSSG1336E  Failed to create agent account (%s).
BMCSSG1337E  Failed to create logout url (%s).
BMCSSG1338E  Failed to create BMC Agent (%s).
BMCSSG1339E  Failed to convert agent data (%s).
BMCSSG1340E  Agent installation finished with errors (formerly code BMCSDG1340E).
BMCSSG1341E  Agent already installed and configured for URL (%s). Use "--force" option to override.
BMCSSG1342E  Unknown agent specified for URL (%s). Use "--force" option to override.
BMCSSG1343E  Failed to update BMC Agent after uninstall (%s).
BMCSSG1344E  JEE truststore specified does not exist (%s).
BMCSSG1345E  JVM truststore specified does not exist (%s).
BMCSSG1346E  JEE password must be specified when JEE truststore is specified.
BMCSSG1347E  JVM password must be specified when JVM truststore is specified.
BMCSSG1348E  Couldn't find tomcat agent zip (%s).
BMCSSG1349E  BMC Atrium SSO filter experienced internal error processing security: %s
BMCSSG1350E  BMC Atrium SSO cannot be contacted. Contact security administrator.
BMCSSG1351E  Failed to create BmcRealm (%s).
BMCSSG1352E  Failed to create temporary file for property update (%s): %s
BMCSSG1353E  Failed to open stream to new property file (%s).

BMCSSG1354E  Failed adding LDAP module to LDAP chain (%s).
BMCSSG1355E  Failed to write to new property file (%s).
BMCSSG1356E  Failed to update keystore for login(%s).
BMCSSG1357E  Failure during server certificate acceptance (%s).
BMCSSG1358E  Failure during server certificate acceptance (%s).
BMCSSG1359E  Used declined certificate from server (%s).
BMCSSG1360E  Failure checking server certificate against keystore (%s).
BMCSSG1361E  Wow, couldn't generate a unique filename for old file (%s).
BMCSSG1362E  Failed to rename old configuration file.
BMCSSG1363E  Server presented certificate unusable for server verification. CN must be hostname.
BMCSSG1364E  Failed setting auth level on in DataStore module (%s).
BMCSSG1365E  Failed to set CAC server configuration (%s).
BMCSSG1366E  Failed to create CAC module (%s).
BMCSSG1367E  Failed to set OCSP on in CAC module (%s).
BMCSSG1368E  Failed to create CAC chain (%s).
BMCSSG1369E  Failed to add CAC module to CAC chain (%s).
BMCSSG1370E  Failed to rollback to old configuration file.
BMCSSG1371E  Failed to create access to keystores (%s).
BMCSSG1372E  Failed to load MS-CAPI (%s).
BMCSSG1373E  A certificate is required for login, but none found. Is CAC card inserted?
BMCSSG1374E  Failed to prepare script for unix execution (%s).
BMCSSG1375E  Failed registering SecurID authentication module (%s).
BMCSSG1376E  Failed creating SecurID service (%s).
BMCSSG1377E  Failed to connect with BMC Atrium SSO server (%s).
BMCSSG1378E  Failed to connect with BMC Atrium SSO server (%s).
BMCSSG1379E  Failed to logout from BMC Atrium SSO server (%s).
BMCSSG1380E  Failed to commit log in with BMC Atrium SSO server (%s).
BMCSSG1381E  Failed to create SecurID module (%s).
BMCSSG1382E  Failed to create SecurID chain (%s).
BMCSSG1383E  Failed to add SecurID module to SecurID chain (%s).

BMCSSG1284E  Failed to get encoding for certificate (%s).
BMCSSG1385E  Failed to deserialize subjects file (%s).
BMCSSG1386E  Subjects file (%s) does not exist.
BMCSSG1387E  Failed to serialize subjects file (%s).
BMCSSG1388E  BMC Atrium SSO URL specified is invalid (%s).
BMCSSG1389E  File to import doesn't exist (%s).
BMCSSG1390E  Failed subject import(%s).
BMCSSG1391E  Failed subject export(%s).
BMCSSG1392E  The GET operation is not supported for this service.
BMCSSG1393E  The POST operation is not supported for this service.
BMCSSG1394E  The PUT operation is not supported for this service.
BMCSSG1395E  The DELETE operation is not supported for this service.
BMCSSG1396E  Failed to return JSON message for exception (%s).
BMCSSG1397E  Unsupported media type requested from REST services (%s).
BMCSSG1398E  Failed to convert exception to JSON object (%s).
BMCSSG1399E  Failed to add info to JSON object (%s).
BMCSSG1400E  Failed to add FIPS info to JSON object (%s).
BMCSSG1401E  Missing required parameter for REST service (%s).
BMCSSG1402E  Missing required parameters for REST service (%s).
BMCSSG1403E  Failure performing identity search (%s).
BMCSSG1404E  Failure creating JSON object for identity search (%s).
BMCSSG1405E  Invalid URI specified for remote notification (%s).
BMCSSG1406E  Failed to register for token notifications (%s).
BMCSSG1407E  Invalid tokenid passed for notifications (%s).
BMCSSG1408E  A URI must be specified for notifications.
BMCSSG1409E  At least one tokenid must be specified to register for notifications.
BMCSSG1410E  Notification URI already registered to receive notifications.
BMCSSG1411E  The URI specified is not registered for notifications (%s).
BMCSSG1412E  The URI specified was terminated due to failure to retrieve notifications in a timely manner (%s).
BMCSSG1413E  The URL specified for remote HTTP client failed to parse (%s): %s

BMCSSG1414E  Failed to create JSON message for notification (%s).
BMCSSG1415E  Received unsuccessful result code (%s) from HTTP send: %s
BMCSSG1416E  Test remote connection failed (%s).
BMCSSG1417W  Reverse remote client is not connected to receive messages (%s).
BMCSSG1418E  Invalid hostname specified for remote client (%s).
BMCSSG1419E  Failed to create TLS context (%s).
BMCSSG1420E  Failed to create reader/writers for socket notifications (%s).
BMCSSG1421E  Failed to build JSON object (%s).
BMCSSG1422E  Failed REST call to BMC Atrium SSO server (%s).
BMCSSG1423E  Internal error, no response code returned (%s).
BMCSSG1424E  Failed REST call with exception(%s): %s.
BMCSSG1425E  Internal error, no principal within session token (%s).
BMCSSG1426E  Internal error, no groups within session token (%s).
BMCSSG1427E  Internal error, no field %s within session token (%s).
BMCSSG1428E  Only agents and administrators can register for notifications on non-owner sessions.
BMCSSG1429E  Invalid URL specified (%s).
BMCSSG1430E  Failed to get BMC Atrium SSO server URL from notification (%s).
BMCSSG1431E  Failed to parse session notification from server (%s).
BMCSSG1432E  Error opening notification socket (%s).
BMCSSG1433E  Timed-out opening notification socket (%s).
BMCSSG1434E  Failed to create TLS socket (%s).
BMCSSG1435E  Failed to acquire FQDN for local host (%s).
BMCSSG1436E  Failed to compose URI for notifications (%s).
BMCSSG1437E  Failed to use reverse messenger with server (%s).
BMCSSG1438E  Failed to retrieve server version from info reply (%s).
BMCSSG1439E  Failed to retrieve server build date from info reply (%s).
BMCSSG1440E  BMC Atrium SSO server release is too old- does not support remote notification.
BMCSSG1441E  The URI specified was not registered for notification events (%s).
BMCSSG1442E  Failed to create messenger for reverse protocol (%s).
BMCSSG1443E  Invalid client certificate presented for notification (%s).

BMCSSG1444E  Failed to create dynamic client certificate (%s).
BMCSSG1445E  Unknown user attribute specified for export (%s).
BMCSSG1446E  Failed to connect with BMC Atrium SSO internal LDAP server (%s).
BMCSSG1447E  Failed to create unload directory (%s).
BMCSSG1448E  Failure during configuration dump (%s).
BMCSSG1449E  Failure during properties dump (%s).
BMCSSG1450E  Invalid server URL specified (%s).
BMCSSG1451E  Dump directory does not exist(%s).
BMCSSG1452E  Invalid dump directory (%s).
BMCSSG1453E  Failure loading configuration (%s).
BMCSSG1454I  Successfully unloaded BMC Atrium SSO data.
BMCSSG1455I  Successfully loaded BMC Atrium SSO data.
BMCSSG1456E  Failed to unload BMC Atrium SSO data (%s).
BMCSSG1457E  Failed to load BMC Atrium SSO data (%s).
BMCSSG1458E  Failed to unload group data (%s).
BMCSSG1459E  Failed to unload user data (%s).
BMCSSG1460E  Failed to find amserver.jar for update (%s).
BMCSSG1461E  Failed to access updated amserver.jar from classpath. Internal error. Contact BMC Software, Inc.
BMCSSG1462E  Failed to write data to amserver.jar (%s).
BMCSSG1463E  Failed to open temporary file for updated jar contents (%s).
BMCSSG1464E  Failed to rename old amserver.jar to %s.
BMCSSG1465E  Failed to rename new file to amserver.jar.
BMCSSG1466E  Failed to stop SSO container (%s).
BMCSSG1467E  Failed to start SSO container (%s).
BMCSSG1468E  Failed to access LDAP config (%s).
BMCSSG1469E  Failed to save modified LDAP config (%s).
BMCSSG1470E  Failed agent confidentiality algorithm (%s). Internal error. Contact BMC Software, Inc.
BMCSSG1471E  Failed agent confidentiality algorithm (%s). Internal error. Contact BMC Software, Inc.
BMCSSG1472E  Failed agent confidentiality algorithm (%s). Internal error. Contact BMC Software, Inc.
BMCSSG1473E  Failed to stop service for child process (%s).

BMCSSG1474E  Unable to access LDAP configuration (%s). Internal error. Contact BMC Software, Inc.
BMCSSG1475E  Missing property from configuration file (%s).
BMCSSG1476E  Failed to connect agent due to unsupported callback type.
BMCSSG1477E  Failed to retrieve cookie name from server (%s).
BMCSSG1478E  Failed to access configuration file (%s).
BMCSSG1479E  Failed to load from configuration file (%s).
BMCSSG1480E  Failed to open configuration file (%s).
BMCSSG1481E  Failed to store to configuration file (%s).
BMCSSG1482E  Failed to store secret key in keystore (%s).
BMCSSG1483E  Failed to generate secret key (%s).
BMCSSG1484E  Failed to encrypt with secret key (%s).
BMCSSG1485E  Configuration directory name is not specified in system property (%s).
BMCSSG1486E  Configuration directory does not exist (%s).
BMCSSG1487E  Web application configuration directory does not exist (%s).
BMCSSG1488E  Configuration file does not exist (%s).
BMCSSG1489E  Failed to find Tomcat v6 bin directory (%s).
BMCSSG1490E  Failed to access script file for JEE Agent integration (%s).
BMCSSG1491E  Failed to find Tomcat v6 bin directory (%s).
BMCSSG1492E  Failed to access script file for JEE Agent integration (%s).
BMCSSG1493E  Agent configuration directory for webapp already exists. If agent not currently deployed, delete directory and try again (%s).
BMCSSG1494E  Failed to create script file for JEE Agent integration (%s).
BMCSSG1495E  Failed to connect with BMC Atrium SSO server for token attributes (%s).
BMCSSG1496E  Incompatible message type received from BMC Atrium SSO server for token attributes (%s).
BMCSSG1497E  Failed to delete agent from BMC Atrium SSO server (%s).
BMCSSG1498E  Failed to delete agent user account from SSO server (%s).
BMCSSG1499E  Failed to decode agent password (%s).
BMCSSG1500E  Entry in keystore does not refer to secret key (%s).
BMCSSG1501E  Failed to get secret key (%s).
BMCSSG1502E  Failed to get agent token id (%s).

BMCSSG1503E  Failed to get cookie name from server (%s).
BMCSSG1504E  Failed to get FIPS mode from server reply (%s).
BMCSSG1505E  Failed to get FIPS mode from server (%s).
BMCSSG1506E  BMC Atrium SSO server is operating in FIPS mode but this agent is not in FIPS mode.
BMCSSG1507E  BMC Atrium SSO server is not operating in FIPS mode but this agent is in FIPS mode.
BMCSSG1508E  BMC Atrium SSO server is currently not available.
BMCSSG1509E  Failed to convert URL to URI (%s).
BMCSSG1510E  Failed to compose notification URL (%s).
BMCSSG1511E  Failed to access agent attribute (%s) from server (%s).
BMCSSG1512E  Exceeded redirection limit.
BMCSSG1513E  Failed to decode cookie (%s).
BMCSSG1514E  Required identity event attribute missing (%s).
BMCSSG1515E  Failed to get repository for identity listener (%s).
BMCSSG1516E  Required token event attribute missing (%s).
BMCSSG1517E  Failed to download and configure agent (%s).
BMCSSG1518E  Agent was renamed- local configuration must be updated.
BMCSSG1519E  Agent was deleted- local configuration must be updated.
BMCSSG1520E  Failed to get time from server reply (%s).
BMCSSG1521E  Failed to create TLS socket factory (%s).
BMCSSG1522E  Failed to start web receiver thread (%s).
BMCSSG1523E  Failed to find Tomcat v5 bin directory (%s).
BMCSSG1524E  Failed to access script file for JEE Agent integration (%s).
BMCSSG1525E  Failed to create script file for JEE Agent integration (%s).
BMCSSG1526E  Unable to get servlet context path. Use atsso.context.path in servlet init parameter.
BMCSSG1527E  Unknown contain type specified (%s).
BMCSSG1528E  Failed to find WebSphere script. Internal error. Contact BMC Software, Inc.
BMCSSG1529E  Failed to parse command line options for WebSphere7 (%s).
BMCSSG1530E  Instance directory specified does not exist (%s).
BMCSSG1531E  Failed to load WebSphere script (%s). Internal error. Contact BMC Software, Inc.
BMCSSG1532E  Failed to execute WebSphere script (%s).

BMCSSG1533E  WebSphere script failed.
BMCSSG1534E  Failed to store support utility program.
BMCSSG1535E  Failed to parse command line options for JBoss (%s).
BMCSSG1536E  Failed to find run.conf file (%s).
BMCSSG1537E  Failed to connect with BMC Atrium SSO server (%s). Is it running? Are the credentials correct?
BMCSSG1538E  Failed creating AR service (%s).
BMCSSG1539E  Failed to configure AR module (%s).
BMCSSG1540E  Failed creating AR module (%s).
BMCSSG1541E  Failed creating AR chain (%s).
BMCSSG1542E  Failed adding AR module to AR chain (%s).
BMCSSG1543E  Failed authentication with AR server (%s).
BMCSSG1544E  Failed to connect with AR server.
BMCSSG1545E  Unsupported type for operation with AR Server data source.
BMCSSG1546E  Failed to get groups for user (%s).
BMCSSG1547E  AR Server data source only supports group memberships.
BMCSSG1548E  AR Server host name not configured.
BMCSSG1549E  AR Server port number not configured.
BMCSSG1550E  Failed to create new agent account (%s) in BMC Atrium SSO server. Delete agent in administrator console and try again.
BMCSSG1551E  Failed adding DataStore module to AR chain (%s).
BMCSSG1552E  Data store failed to connect to AR Server using administrator account.
BMCSSG1553I  AR authentication allowed guest login but that option is blocked.
BMCSSG1554E  Failed to convert file for UNIX execution.
BMCSSG1555E  Failed to load provider for keystore type (%s).
BMCSSG1556E  Failed to load provider for truststore type (%s).
BMCSSG1557E  Failed to load keystore (%s).
BMCSSG1558E  Failed to load truststore (%s).
BMCSSG1559E  Failed to transfer public certificate to truststore (%s).
BMCSSG1560E  Failed to save truststore (%s).
BMCSSG1561E  Failed to remove old truststore.

BMCSSG1562E

Failed to replace old truststore.

BMCSSG1563E

BMC Atrium SSO server is in FIPS mode but RSA library is not FIPS compliant.

BMCSSG1564E

Failed to load specified provider class (%s): %s

BMCSSG1565E

Failed initializing to non-FIPS mode (%s).

BMCSSG1566E

Failed initializing to setup socket factory for LDAP (%s).

BMCSSG1567E

Failed to create socket for LDAP (%s).

BMCSSG1568E

Failed to initialize service.

BMCSSG1569E

Invalid parameter.

BMCSSG1570E

Failed to initialize service (%s).

BMCSSG1571E

Failed to initialize to receive notifications of FIPS service changes (%s).

BMCSSG1572E

BMC Atrium SSO server FIPS configuration is out of sync with server environment.

BMCSSG1573E

Not enforced file specified doesn't exist.

BMCSSG1574E

Failed to extract agent certificate from keystore (%s).

BMCSSG1575E

Source file name for conversion cannot be null.

BMCSSG1576E

Source type for conversion cannot be null.

BMCSSG1577E

Destination type for conversion cannot be null.

BMCSSG1578E

Failed to create temporary file for conversion (%s).

BMCSSG1579E

Destination file already exists.

BMCSSG1580E

Failed to open source keystore (%s).

BMCSSG1581E

Failed to create destination keystore (%s).

BMCSSG1582E

Failed to load destination keystore (%s).

BMCSSG1583E

Failed to get item from source keystore (%s).

BMCSSG1584E

Failed to move items into destination keystore (%s).

BMCSSG1585E

Failed to save destination keystore (%s).

BMCSSG1586E

Failed to open destination keystore (%s).

BMCSSG1587E

Failed to delete old destination keystore (%s).

BMCSSG1588E

Failed to rename new destination keystore (%s).

BMCSSG1589E

Failed to capture BMC Atrium SSO server certificate (%s).

BMCSSG1590E

Unload directory doesn't exist.

BMCSSG1591E

Failed to parse Tomcat server.xml;

BMCSSG1592E

Failed to setup truststore (%s).

BMCSSG1593E

BMC Atrium SSO server is running in FIPS140 mode, but the SDK is not configured for FIPS140.

BMCSSG1594E

BMC Atrium SSO server is not running in FIPS140 mode, but the SDK is configured for FIPS140.

BMCSSG1595E

Upgrade utility failed to connect with BMC Atrium SSO Server.

BMCSSG1596E

Failed to open server defaults (%s).

BMCSSG1597E

Failed to switch FIPS-140 mode (%s).

BMCSSG1598I

Switching Atrium SSO server to normal mode (not FIPS-140 mode).

BMCSSG1599I

Switching Atrium SSO server to FIPS-140 mode.

BMCSSG1600E

Switch of Atrium SSO server to normal mode completed.

BMCSSG1601I

Switch of Atrium SSO server to FIPS-140 mode completed.

BMCSSG1602E

Failed to update bootstrap information to FIPS-140 mode (has FIPS certified jar been installed?): %s

BMCSSG1603E

Failed to update bootstrap information to normal mode: %s

BMCSSG1604E

Failed to update server configuration to FIPS-140 mode: %s

BMCSSG1605E

Failed to update JVM configuration to FIPS-140 mode: %s

BMCSSG1606E

Failed to update server configuration to normal mode: %s

BMCSSG1607E

Failed to update JVM configuration to normal mode: %s

BMCSSG1608W

Detected CryptoJ library is not FIPS-140 compliant.

BMCSSG1609E

Failed to get FIPS-140 cipher for switch: %s

BMCSSG1610E

Failed to get normal cipher for switch: %s

BMCSSG1611E

Failed to switch FIPS mode: %s

BMCSSG1612E

Failed to update services information for switch to FIPS-140 mode: %s

BMCSSG1613E

Failed to update services information for switch to normal mode: %s

BMCSSG1614E

Failed JVM test for FIPS-140 cryptography. Please validate unlimited strength policy files and
cryptojFIPS.jar have been installed into server JVM.

BMCSSG1615E

Failed JVM test for FIPS-140 cryptography with exception (%s). Please validate unlimited strength
policy files and cryptojFIPS.jar have been installed into server JVM.

BMCSSG1616E

Failure converting cryptography for FIPS-140 switch (%s).

BMCSSG1617E

Failed JVM test for FIPS-140 cryptography. Please validate unlimited strength policy files and that
RSA FIPS jars have been installed into server JVM.

BMCSSG1618E

Failed JVM test for FIPS-140 cryptography with exception (%s). Please validate unlimited strength
policy files and RSA FIPS jars have been installed into server JVM.

BMCSSG1619E

Failed JVM test for FIPS-140 cryptography. Please validate unlimited strength policy files and that
RSA FIPS jars have been installed into JVM.

BMCSSG1620E

Failed JVM test for FIPS-140 cryptography with exception (%s). Please validate unlimited strength
policy files and RSA FIPS jars have been installed into JVM.

BMCSSG1621E

Failed to connect with Atrium SSO server (%s). Is server running in FIPS-140 mode?

BMCSSG1622E

Failed to switch from FIPS-140 mode.

BMCSSG1623E

Failed to switch to FIPS-140 mode.

BMCSSG1624I

Atrium SSO server is running in FIPS-140 mode.

BMCSSG1625I

Validated JVM ability for FIPS.

BMCSSG1626E

Failed to initialize cryptography (%s).

BMCSSG1627E

Failed to load LDAP configuration (%s).

BMCSSG1628E

Failed to parse LDAP configuration (%s).

BMCSSG1629E

Failed to update LDAP configuration (%s).

BMCSSG1630E

Failed to find ServletExec script file for modification (%s).

BMCSSG1631E

FIPS switch blocked due to missing server.xml.fips/server.xml.nofips and
java.security.fips/java.security.nofips files not available. For information about file
requirements, see Configuring an external Tomcat instance for FIPS-140.

BMCSSG1632E

Failed to parse configuration (%s).

BMCSSG1633E

Failed to extract OpenDS utilities (%s). Internal Error. Contact BMC Software, Inc.

BMCSSG1634E

Cluster configuration file specified does not exist (%s).

BMCSSG1635E

Cluster configuration file specified already exists (%s). Delete file or specify a non-existent
name.

BMCSSG1636E

Cluster save-config and read-config cannot be specified during the same configuration.

BMCSSG1637E

Failed to load properties from cluster config file (%s).

BMCSSG1638E

Failed to save properties to cluster configuration file (%s).

BMCSSG1639E

LDAP Replication port must be specified when cluster file is specified.

BMCSSG1640E

Cluster save or read file must be specified when LDAP replication port is specified.

BMCSSG1641E

LDAP Replication port must be between 1 and 65535, inclusive (%s).

BMCSSG1642E

Failed to delete internal LDAP configuration template (%s). Internal Error. Contact BMC Software,
Inc.

BMCSSG1643E

Failed to copy internal LDAP configuration template for clustered server. Internal Error. Contact
BMC Software, Inc.

BMCSSG1644E

Failed to create directories for internal LDAP keystore (%s). Internal Error. Contact BMC Software,
Inc.

BMCSSG1645E

Failed to create keystore for internal LDAP keystore (%s). Internal Error. Contact BMC Software,
Inc.

BMCSSG1646E

Failed to create keystore for internal LDAP keystore (%s). Internal Error. Contact BMC Software,
Inc.

BMCSSG1647E

Failed to save keystore for internal LDAP keystore (%s). Internal Error. Contact BMC Software, Inc.

BMCSSG1648E

Failed to save keystore pin for internal LDAP keystore (%s). Internal Error. Contact BMC Software,
Inc.

BMCSSG1649E

Failed to format clustered OpenDS configuration template (%s). Internal Error. Contact BMC Software,
Inc.

BMCSSG1650E

Failed to remove old LDAP truststore.

BMCSSG1651E

Failed to replace old LDAP truststore.

BMCSSG1652E

Failed to save LDAP truststore (%s).

BMCSSG1653E

Failed to transfer certificate (%s).

BMCSSG1654E

Failed to load LDAP truststore (%s).

BMCSSG1655E

Failed to get Keystore provider for type %s (%s).

BMCSSG1656E

Failed to get free port for internal LDAP communications (%s).

BMCSSG1657E

Failed to get LDAP keystore type (%s): %s

BMCSSG1658E

Failed to open LDAP keystore (%s).

BMCSSG1659E

LDAP keystore doesn't contain alias (%s).

BMCSSG1660E

Failed to pull certificate from LDAP keystore (%s).

BMCSSG1661E

Failed to get JVM truststore type (%s): %s

BMCSSG1662E

Failed to load JVM truststore (%s).

BMCSSG1663E

Failed to add LDAP certificate to JVM truststore (%s).

BMCSSG1664E

Failed to save JVM truststore (%s).

BMCSSG1665E

Failed to remove old JVM truststore.

BMCSSG1666E

Failed to replace old JVM truststore.

BMCSSG1667E

Invalid URL specified for Load Balancer (%s).

BMCSSG1668E

Both lb-url and lb-site-name parameters must be specified, or neither should be specified.

BMCSSG1669E

This host cannot be in the cluster because it is not in the same domain (or sub-domain) of the
cookie domain (%s).

BMCSSG1670E

Failed to update OpenDS java home scripts (%s). Internal Error. Contact BMC Software, Inc.

BMCSSG1671E

Failed to create message handler for message type %s. Internal Error. Contact BMC Software, Inc.

BMCSSG1672E

Failed to build message for queue: %s

BMCSSG1673E

Failed to parse received message from queue: %s

BMCSSG1674E

Failed to access DB Meta topics for sync: %s

BMCSSG1675E

Failed to access DB Meta topics for messages: %s

BMCSSG1676E

Failed to lookup local site id: %s

BMCSSG1677E

Failed to create connection to DB: %s

BMCSSG1678E

Failed to initialize embedded Apache MQ: %s

BMCSSG1679E

Failed to access DB response topic: %s

BMCSSG1680E

Failed to access DB requests topic: %s

BMCSSG1681E

Failed to create publisher for DB Meta topic: %s

BMCSSG1682E

Failed to create subscriber for DB Meta topic: %s

BMCSSG1683E

Failed to start message queue processing: %s

BMCSSG1684E

Message type does not match type in message (%s). Internal Error. Contact BMC Software, Inc.

BMCSSG1685E

Primary key not specified before generating response.

BMCSSG1686E

Secondary key not specified before generating response.

BMCSSG1687E

Failed to use message queue URI's specified (%s), and failed to use default VM message queue.

BMCSSG1688E

Failed setting message queue implementation (%s).

BMCSSG1689E

Failed creating stand-alone site (%s).

BMCSSG1690E

Failed setting site message queue attributes (%s).

BMCSSG1691E

Failed adding single server to site (%s).

BMCSSG1692E

Failed to reform ssoadm scripts (%s).

BMCSSG1693E

Failed to remove discover from ActiveMQ configuration (%s).

BMCSSG1694E

This Atrium SSO server does not support GROUP identity search (version of server is too old). Please
upgrade the Atrium SSO server.

BMCSSG1695E

Failed to get identities from search reply (%s).

BMCSSG1696E

Failed call to Atrium SSO server (%s).

BMCSSG1697I

Authentication process aborted.

BMCSSG1698E

Failed to build dialog in event thread (%s).

BMCSSG1699E

Failure during login (%s).

BMCSSG1700E

Cannot logout- context not logged in.

BMCSSG1701E

Authentication callback failed to provide credentials (%s).

BMCSSG1702E

Failed to parse session creation date/time (%s): %s

BMCSSG1703E

Invalid cluster URL specified in cluster configuration. Internal Error. Contact BMC Software. (%s)

BMCSSG1704E

Cannot convert parameters to proper encoding (%s).

BMCSSG1705E

Failed to convert authentication request into XML (%s). Internal Error. Contact BMC Software.

BMCSSG1706E

Failed to convert XML binary into UTF8 charset (%s). Internal Error. Contact BMC Software.

BMCSSG1707E

Failed to convert authentication response into Java (%s). Internal Error. Contact BMC Software.

BMCSSG1708E

No more callback requirements.

BMCSSG1709E

Authentication failure (%s): %s

BMCSSG1710E

Failed to re-initialize JEEFilter agent (%s).

BMCSSG1711E

Failed to find custom Callback class (%s): %s

BMCSSG1712E

Failed to load custom Callback class (%s): %s

BMCSSG1713E

HP-UX is not a supported JVM for Kerberos authentication.

BMCSSG1714E

Failed to get service ticket (%s).

BMCSSG1715E

Failed Kerberos login (%s).

BMCSSG1716E

Failed to create context for Kerberos login (%s).

BMCSSG1717E

Failed call to Atrium SSO server, return code: %s.

BMCSSG1718E

Failed to load Cookie Manager for JVM (%s).

BMCSSG1719E

Invalid container home specified for Atrium SSO server (%s).

BMCSSG1720E

Invalid container home specified for Atrium SSO server (%s).

BMCSSG1721E

Administrative password must be at least 8 characters in length.

BMCSSG1722E

Administrative password must be at least 8 characters in length.

BMCSSG1723E

LDAP port specified is out of range (%d), must be 1..65534.

BMCSSG1724E

LDAP port specified is out of range (%d), must be 1..65534.

BMCSSG1725E

Both lb-url and lb-site-name parameters must be specified, or neither should be specified.

BMCSSG1726E

Both lb-url and lb-site-name parameters must be specified, or neither should be specified.

BMCSSG1727E

Failed to rewrite server URL to include proper context URI.

BMCSSG1728E

Failed to rewrite server URL to include proper context URI.

BMCSSG1729E

Failed removing single server from site (%s).

BMCSSG1730E

Execution of dsreplication failed (%s).

BMCSSG1731E

Execution of dsreplication failed.

BMCSSG1732E

Failed to set OCSP server configuration (%s).

BMCSSG1733E

Failed getting local truststore (%s).

BMCSSG1734E

Failed loading local truststore.

BMCSSG1735E

Failed getting site members (%s).

BMCSSG1736E

Failed getting site members (%s).

BMCSSG1737E

Failed Agent authentication with Atrium SSO server. May need to re-integrate application with the
Atrium SSO server.

BMCSSG1738E

Failed to convert LDAP port during upgrade (%s).

BMCSSG1739E

Failed to stop server (%s). Internal error. Contact BMC Software.

BMCSSG1740E

Main command line option unrecognized.

BMCSSG1741E

Invalid sub-options encountered.

BMCSSG1742E

Failed to read the input file: %s

BMCSSG1743E

IO error encountered when attempting to create the user: %s

BMCSSG1744E

Process was interrupted when attempting to create the user: %s

BMCSSG1745E

IO error encountered when attempting to federate users identities.

BMCSSG1746E

Process was interrupted when attempting to federate user identities.

BMCSSG1747E

IO error encountered when attempting to import federation data.

BMCSSG1748E

Process was interrupted when attempting to import federation data.

BMCSSG1749E

Illegal universal identifier: %s

BMCSSG1750E

Failed to write response file: %s

BMCSSG1751E

Local ID is missing or empty for line (%s): %s

BMCSSG1752E

Failed to create the temporary user ID mapping file.

BMCSSG1753E

Failed to create the temporary name ID mapping file.

BMCSSG1754E

Failed to save the temporary user ID mapping file.

BMCSSG1755E

Failed to save the name ID mapping file.

BMCSSG1756E

Failed to delete the temporary name ID mapping file.

BMCSSG1757E

Integration with Atrium SSO is failing. Please contact %s support team for help with resolving this
integration problem (%s).

BMCSSG1758E

Failed to start container (%s). Internal error. Contact BMC Software.

BMCSSG1759E

Process inputs not supported in ssoadm. Internal error. Contact BMC Software.

BMCSSG1760E

Failed to initialize comm with Atrium SSO server: (%s)

BMCSSG1761E

Failed execution of command (%s) returning %s.

BMCSSG1762E

Failed execution of command (%s) returning %s.

BMCSSG1763E

Export service configuration not supported remotely. Internal error. Contact BMC Software.

BMCSSG1764E

Local certificate out of sync with remote server.

BMCSSG1765E

No certificate for remote server.

BMCSSG1766E

Local Atrium SSO certificate does not match remote server certificate. Agent may need to be
re-integrated with the Atrium SSO server.

BMCSSG1767E

Failed to setup temporary truststore (%s). Internal error. Contact BMC Software.

BMCSSG1768E

Failed to configure Atrium SSO server. Internal error. Contact BMC Software.

BMCSSG1769E

Error during configuration of Atrium SSO server (%s).

BMCSSG1770E

Atrium SSO failed to update the Data Store with the federation account information (%s).

BMCSSG1771E

Invalid response received from IdP (%s).

BMCSSG1772E

Atrium SSO failed to map the attributes received from the IdP (%s).

BMCSSG1773E

Your user account on the Atrium SSO SP has expired (%s). Please contact your administrator for
assistance.

BMCSSG1774E

Your user account on the Atrium SSO SP is inactive (%s). Please contact your administrator for
assistance.

BMCSSG1775E

Your user account on the Atrium SSO SP is locked (%s). Please contact your administrator for
assistance.

BMCSSG1776E

Failed to get Atrium SSO SP configuration for realm %s (%s).

BMCSSG1777E

Atrium SSO failed to find the federated user account specified (%s).

BMCSSG1778E

Atrium SSO failed to access session information (%s).

BMCSSG1779E

Atrium SSO failed to create a new session for federated user (%s).

BMCSSG1780E

An unexpected failure occurred while processing the SAMLv2 authentication (%s).

BMCSSG1781E

Failed to get SAMLv2 XML response: %s

BMCSSG1782E

Failed to get SAMLv2 XML request: %s

BMCSSG1783E

Failed to create site during upgrade (%s).

BMCSSG1784E

Error while trying to find server configuration name (%s).

BMCSSG1785E

Failed to find server configuration name.

BMCSSG1786E

Failed to delete site during upgrade (%s).

BMCSSG1787E

Failed to preserve SAMLv2 keystore (%s).

BMCSSG1788E

Failed to restore SAMLv2 keystore (%s).

BMCSSG1789E

Failed to parse ssoadm reply (%s). Internal error. Contact BMC Software.

BMCSSG1790E

SsoAdm state switch returned invalid reply: %s

BMCSSG1791E

Execution of dsconfig failed (%s).

BMCSSG1792E

Execution of dsconfig failed.

BMCSSG1793E

Failed to remove JMX communications (%s).

BMCSSG1794E

Failed to restrict admin connections to localhost only (%s).

BMCSSG1795E

Failed to restrict LDAP connections to localhost only (%s).

BMCSSG1796E

Login failed.

BMCSSG1797E

Failed to get token (%s).

BMCSSG1798E

Failed to get token from session (%s).

BMCSSG1799E

Insufficient privileges.

BMCSSG1800E

Failure while processing authentications for realm (%s). Internal Error. Contact BMC Software.

BMCSSG1801E

Failed to get list of user stores for realm access (%s). Internal Error. Contact BMC Software.

BMCSSG1802E

Failed to fetch COT for realm %s. Internal Error. Contact BMC Software.

BMCSSG1803E

Failed to verify if realm is Federated (%s). Internal Error. Contact BMC Software.

BMCSSG1804E

Failed to access realm attributes (%s). Internal Error. Contact BMC Software.

BMCSSG1805E

Failed to get authentication chain for realm (%s). Internal Error. Contact BMC Software.

BMCSSG1806E

Failed to convert authentication control value (%s). Internal Error. Contact BMC Software.

BMCSSG1807E

Failed to get federated information for realm (%s): %s. Internal Error. Contact BMC Software.

BMCSSG1808E

Failed to get federation information (%s). Internal Error. Contact BMC Software.

BMCSSG1809E

Failed to get user store information (%s). Internal Error. Contact BMC Software.

BMCSSG1810E

Failed to update user profile (%s).

BMCSSG1811E

Failed to get admin token (%s).

BMCSSG1812E

Failed to convert auth chain (%s).

BMCSSG1813E

Failed to save auth chain (%s).

BMCSSG1814E

Failed to remove unused datastore from realm (%s).

BMCSSG1815E

Failed to get federated entity list (%s).

BMCSSG1816E

Failed to find authentication module instance for realm (%s).

BMCSSG1817E

Failed to set authentication module attributes (%s).

BMCSSG1818E

Failed to create authentication module instance (%s).

BMCSSG1819E

Failed to create authentication module instance with unique name.

BMCSSG1820W

Unknown host name specified.

BMCSSG1821W

Host specified cannot be contacted.

BMCSSG1821E

Port must be in the range 1..65535 or not specified.

BMCSSG1822W

Could not connect to remote server on port specified.

BMCSSG1823E

Value cannot be empty.

BMCSSG1824E

Distinguished Name not valid.

BMCSSG1825E

The value must be a positive, non-zero value.

BMCSSG1826E

Invalid LDAP attribute name.

BMCSSG1827W

Unable to bind to LDAP server.

BMCSSG1828E

Failed to search for agents (%s).

BMCSSG1829E

Failed search for agent (%s).

BMCSSG1830E

Failed to get attributes for agent (%s).

BMCSSG1831W

Passwords should not be blank.

BMCSSG1832E

Invalid hostname specified.

BMCSSG1833E

Invalid URI specified.

BMCSSG1834E

Invalid URL specified.

BMCSSG1835E

Failed to update agent active status.

BMCSSG1836E

Failed to update agent attributes.

BMCSSG1837W

Agent not found (deleted?).

BMCSSG1838E

Cookie name cannot be reserved word: "expires", "domain", "path", "secure"

BMCSSG1839E

Cookie name cannot contain semi-colon, comma, white space or control characters.

BMCSSG1840W

It is recommended for best browser compatibility that cookie name should only contain alphanumeric
characters and the underscore.

BMCSSG1841E

Cookie name cannot be over 4K in length.

BMCSSG1842E

Failed to process SAML keystore (%s).

BMCSSG1843E

Failed to process SAML keystore (%s).

BMCSSG1844E

Failed to load SAML keystore (%s).

BMCSSG1845E

Failed to access SAML entity (%s).

BMCSSG1846E

Failed to get IdP entity for realm (%s).

BMCSSG1847E

Failed to get encryption lists for realm (%s).

BMCSSG1848E

Failed to commit entity changes (%s).

BMCSSG1849E

Failed to create SAMLv2 idp (%s).

BMCSSG1850E

Failed to get SAMLv2 manager (%s).

BMCSSG1851E

Failed to create realm COT (%s).

BMCSSG1852E

Failed to update IdP encryption (%s).

BMCSSG1853E

When an encryption alias is specified, an encryption algorithm must also be specified.

BMCSSG1854E

Failed to search user stores (%s).

BMCSSG1855E

Failed to get user attributes (%s).

BMCSSG1856E

Failed to get user repo (%s).

BMCSSG1857I

Successfully created IdP.

BMCSSG1858W

Failed to verify host is accessible (%s).

BMCSSG1859E

Failed to verify AR host name.

BMCSSG1860E

File specified does not exist.

BMCSSG1861W

File specified does not exist.

BMCSSG1862E

File path specified refers to a directory.

BMCSSG1863E

File is not readable.

BMCSSG1864E

File path specified refers to a file.

BMCSSG1865E

Directory specified does not exist.

BMCSSG1866W

Directory specified does not exist.

BMCSSG1867E

Failed to create remote IdP (%s).

BMCSSG1868E

Realm for new IdP was not provided.

BMCSSG1869E

Name for new IdP was not provided.

BMCSSG1870E

XML for new IdP was not provided.

BMCSSG1871E

Failed to create remote SAMLv2 idp (%s).

BMCSSG1872E

Failed to create remote SAMLv2 idp (%s).

BMCSSG1873E

Invalid protocol specified for URL- only HTTP or HTTPS permitted.

BMCSSG1874E

Invalid URL specified.

BMCSSG1875E

Failed SSL/TLS negotiations. Verify IdP server certificate is in Atrium SSO truststore.

BMCSSG1876E

Failure connecting with remote IdP (%s).

BMCSSG1877E

Failure connecting with remote IdP (%s).

BMCSSG1878W

Service Principal doesn't start with primary HTTP.

BMCSSG1879E

Service Principal doesn't contain a Realm.

BMCSSG1880E

Service Principal doesn't contain a host name.

BMCSSG1881E

Invalid Service Principal- expected HTTP/hostname.domainname@dc_domain_name.

BMCSSG1882E

No Service Principals found in keytab file specified.

BMCSSG1883E

Multiple Service Principals found in keytab file specified.

BMCSSG1884E

Invalid token passed (%s).

BMCSSG1885E

Administrative token required.

BMCSSG1886E

Failed to fetch realms (%s).

BMCSSG1887E

Failed to parse realms response (%s).

BMCSSG1888E

Failed to get realm from token (%s).

BMCSSG1889E

Failed to get user attributes (%s).

BMCSSG1890E

UserId already exists.

BMCSSG1891E

Failed to get users groups (%s).

BMCSSG1892E

Failed to update user active status (%s).

BMCSSG1893E

Failed to update user active status (%s).

BMCSSG1894E

Failed to create new identity (%s).

BMCSSG1895E

Failed to commit user update (%s).

BMCSSG1896E

Failed to update user password (%s).

BMCSSG1897E

Failed to get token from session (%s).

BMCSSG1898E

Failed to get token manager (%s).

BMCSSG1899E

Failed to get server list (%s).

BMCSSG1900E

Failed to get server configuration (%s).

BMCSSG1901E

Invalid session idle timeout.

BMCSSG1902E

Invalid maximum session count.

BMCSSG1903E

Invalid maximum session time.

BMCSSG1904E

Invalid session cache time.

BMCSSG1905E

Top-level domains cannot be specified for the cookie domain.

BMCSSG1906E

Invalid cookie domain specified.

BMCSSG1907E

Failed to create token for realm access (%s).

BMCSSG1908E

Failed to delete federated entity (%s).

BMCSSG1909E

Failed to update server properties (%s).

BMCSSG1910E

Failed to update server site (%s).

BMCSSG1911E

Failed to update session dynamic attributes (%s).

BMCSSG1912E

Failed to update session global attributes (%s).

BMCSSG1913E

Failed to update session global attributes (%s).

BMCSSG1914E

Failed to update amAdmin password (%s).

BMCSSG1915E

Failed to save auth chain (%s).

BMCSSG1916E

Unknown realm passed for user store access (%s).

BMCSSG1917E

Unknown user store requested (%s).

BMCSSG1918E

Failed to acquire AM authentication manager object (%s).

BMCSSG1919E

Failed to create user store (%s).

BMCSSG1920E

Failed to update user store (%s).

BMCSSG1921E

Failed to delete user store (%s).

BMCSSG1922E

Value must be 1 or greater.

BMCSSG1923E

Minimum must be greater than maximum.

BMCSSG1924E

The cache max age must be at least 1 (default 600).

BMCSSG1925E

The cache size must be at least 1 (default 10240).

BMCSSG1926W

Failed to connect with AR server (%s).

BMCSSG1927W

Failed to connect with AR server.

BMCSSG1928E

The AR pool linger time cannot be less than or equal to zero.

BMCSSG1929E

The AR pool size cannot be less than or equal to zero.

BMCSSG1930E

Failed to get SP entity for realm (%s).

BMCSSG1931E

Failed to get encryption lists for realm (%s).

BMCSSG1932E

Skew must be greater than zero.

BMCSSG1933E

Failed to create hosted SAMLv2 sp (%s).

BMCSSG1934E

Failed to get SP entity for realm (%s).

BMCSSG1935E

Failed SSL/TLS negotiations. Verify SP server certificate is in Atrium SSO truststore.

BMCSSG1936E

Failure connecting with remote SP (%s).

BMCSSG1937E

Failure connecting with remote SP (%s).

BMCSSG1938I

Successfully created SP.

BMCSSG1939E

Failed to create remote SAMLv2 SP (%s).

BMCSSG1940E

Failed to create remote SAMLv2 SP (%s).

BMCSSG1941E

Realm for new SP was not provided.

BMCSSG1942E

XML for new SP was not provided.

BMCSSG1943E

Wild card attribute mapping only valid with * for both key and value.

BMCSSG1944E

Failed to add attribute to SP (%s).

BMCSSG1945E

Failed to get HA nodes (%s).

BMCSSG1946E

The server node used for the admin console cannot be deleted (%s).

BMCSSG1947E

Failed to get server site name (%s).

BMCSSG1948E

Failed to delete node from site (%s).

BMCSSG1949E

Failed to delete node (%s).

BMCSSG1950E

Only super-admin is allowed to delete nodes.

BMCSSG1951E

Failed to access internal configuration.

BMCSSG1952E

Failed to prepare for disabling replication (%s).

BMCSSG1953W

Connect to AR with guest user- admin privileges are needed for user store operation.

BMCSSG1954E

Failed to write agent certificate to PEM file (%s).

BMCSSG1955E

Failed to write agent key to PEM file (%s).

BMCSSG1956E

Failed to write Atrium SSO certificate to PEM file (%s).

BMCSSG1957E

Unknown realm specified for agent (%s).

BMCSSG1958E

Failed to load keystore (%s).

BMCSSG1959E

Failed to write certificate to PEM format (%s).

BMCSSG1960E

Failed to read PEM certificate from PEM format (%s).

BMCSSG1961E

Failed to import certificate (%s).

BMCSSG1962I

Successfully uploaded certificate.

BMCSSG1963E

Failed to convert uploaded file (%s).

BMCSSG1964E

Failed to convert DER to certificate (%s).

BMCSSG1965E

Failed to check truststore for replacements (%s).

BMCSSG1966E

Failed to load default values for user store (%s).

BMCSSG1967E

Failed to load certs from truststore (%s).

BMCSSG1968E

Failed to get group attributes (%s).

BMCSSG1969E

Failed to get group users (%s).

BMCSSG1970E

Group already exists.

BMCSSG1971E

Failed to add user (%s) to group (%s).

BMCSSG1972E

Failed to update group membership (%s).

BMCSSG1973E

Failed to set realm to use upgrade chain (%s).

BMCSSG1974E

Failed to dump realm auth properties (%s).

BMCSSG1975E

Failed to find auth type (%s).

BMCSSG1976E

Failed to dump realm ds properties (%s).

BMCSSG1977E

Failed to write realm auth properties (%s).

BMCSSG1978E

Failed to dump agent properties (%s).

BMCSSG1979E

Failed to write agent properties (%s).

BMCSSG1980E

Failed to dump realm auth properties (%s).

BMCSSG1981E

Failed to instantiate encryption (%s).

BMCSSG1982E

Failed creating upgrade chain (%s).

BMCSSG1983E

Failed to load agent properties file (%s).

BMCSSG1984E

Failed to load agent properties (%s).

BMCSSG1985E

Failed to get current auth instances (%s).

BMCSSG1986E

Failed to remove collision auth cfg (%s).

BMCSSG1987E

Failed to create realm (%s).

BMCSSG1988E

Failed to list user realms (%s).

BMCSSG1989E

Failed to delete many of the user realms.

BMCSSG1990E

Failed to delete these realms (%s).

BMCSSG1991E

Failed to create new realms web pages (%s).

BMCSSG1992E

Failed to delete new realms web pages (%s).

BMCSSG1993E

Failed to connect with internal LDAP (%s).

BMCSSG1994E

Failed to create realm container LDAP directory for realm (%s).

BMCSSG1995E

Failed to create people container in LDAP directory for realm (%s).

BMCSSG1996E

Failed to create people container in LDAP directory for realm (%s).

BMCSSG1997E

Failed to create new admin identity (%s).

BMCSSG1998E

Failed to create new search admin identity (%s).

BMCSSG1999E

Invalid demo password specified- must be at least 8 characters.

BMCSSG2000E

Failed to create demo identity (%s).

BMCSSG2001E

Failed help URL lookup (%s).

BMCSSG2002E

Root realm cannot be specified for agents.

12.3 Logon and logoff issues

Logon and logoff issues can occur (or appear to occur) in connection with URL redirects and with normal Identity
Provider (IdP) behavior.

12.3.1 Automatic IdP logon behavior


With SAMLv2 authentication configurations, an automatic logon can occur after you have terminated your single
sign-on (SSO) session. This behavior gives the impression that the user was not logged out.
In SAMLv2 configurations, the IdP caches authentication information within the browser. This information allows
the IdP to automatically re-authenticate a user without the user re-entering their credentials.
The effect is that when a user logs out of a SAMLv2 system, a browser refresh can automatically log the user back
into the system. For this type of system, to ensure that the user is permanently logged off the system, close all
browser windows and tabs.
For example, when a user has two browser windows (or tabs) open, one with BMC Remedy Mid Tier and the other
with BMC Analytics and the user logs off of BMC Remedy Mid Tier and closes the window, the user terminates
their SSO session. If the user goes to the BMC Analytics window and refreshes the browser (for example, clicks on
a link), then the browser performs the action as through the user was still logged onto the system. What
transpired was that a new SSO session was created automatically for the user (due to the auto-logon of the IdP).

12.3.2 URL re-direct issues


Logon and logoff issues can occur (typically with a SAMLv2 configuration) when too many URL redirects happen
between the browser and the servers during logon and logoff processing.
1. Capture the HTTP traffic between the browser and the servers with a capture tool such as Fiddler,
ieHttpHeaders, or Live HTTP Headers.
2. Identify potential configuration changes to the reverse proxy, load balancer, or BMC Atrium Single
Sign-On.
3. Modify the configuration:
If the redirect is from https://sample.bmc.com/arsys to https://sample.bmc.com/arsys/ (a
forward slash after arsys), check the agent logon and logout URL configuration and modify it to
include the forward slash.
If the redirect is associated with a reverse proxy or load balancer that switches the protocol from
HTTPS to HTTP (for example, the browser communicates over HTTPS with the reverse proxy, which
then communicates with the server over HTTP), configure the reverse proxy or load balancer to
add the AtssoReturnLocation HTTP header with the value https://.
Without that header, the agent on the server sees a plain-HTTP request and builds the return address with the
HTTP protocol, which causes the redirect.
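The following script is an added example, not part of the BMC documentation: it runs the checks from the procedure above over a captured redirect chain and reports the two misconfigurations described (trailing-slash-only redirect, HTTPS-to-HTTP switch), plus a return address built with http:// and a URL requested twice, which indicates a loop. The capture is constructed by hand in the shape a tool such as Fiddler exports (request URL, Location header); the host names are fictitious, and the name of the return-address query parameter (goto) is an assumption, not something the page states.

```python
"""Triage a captured logon/logoff redirect chain.

Added example, not code from the BMC documentation. The capture below is
constructed; host names are fictitious and the return-address parameter
name ("goto") is an assumption.
"""
from urllib.parse import parse_qs, urlsplit

# Constructed capture: one (requested URL, Location header or None) per hop.
SAMPLE_CAPTURE = [
    ("https://sample.bmc.com/arsys",
     "https://sample.bmc.com/arsys/"),                      # agent logon URL lacks the slash
    ("https://sample.bmc.com/arsys/",
     "https://sso.sample.bmc.com:8443/atriumsso/UI/Login"
     "?goto=http%3A%2F%2Fsample.bmc.com%2Farsys%2F"),       # agent saw HTTP behind the proxy
    ("https://sso.sample.bmc.com:8443/atriumsso/UI/Login"
     "?goto=http%3A%2F%2Fsample.bmc.com%2Farsys%2F",
     "http://sample.bmc.com/arsys/"),                       # SSO sends the browser to http://
    ("http://sample.bmc.com/arsys/",
     "https://sample.bmc.com/arsys/"),                      # proxy forces HTTPS again
    ("https://sample.bmc.com/arsys/", None),                # same URL as hop 2: the loop closes
]

RETURN_PARAMS = ("goto",)  # assumed name of the return-address parameter


def trailing_slash_only(src, dst):
    """True when dst is src with nothing changed but a trailing slash on the path."""
    a, b = urlsplit(src), urlsplit(dst)
    return ((a.scheme, a.netloc, a.query) == (b.scheme, b.netloc, b.query)
            and b.path == a.path + "/")


def protocol_downgrade(src, dst):
    """True when an HTTPS request is redirected to a plain-HTTP URL."""
    return urlsplit(src).scheme == "https" and urlsplit(dst).scheme == "http"


def http_return_address(url):
    """Return the first return-address parameter whose value is an http:// URL, else None."""
    query = parse_qs(urlsplit(url).query)
    for name in RETURN_PARAMS:
        for value in query.get(name, []):
            if urlsplit(value).scheme == "http":
                return value
    return None


def analyse_chain(capture, max_hops=10):
    """Return (hop, kind, detail) findings for one captured redirect chain."""
    findings = []
    seen = set()
    for hop, (src, dst) in enumerate(capture, start=1):
        if src in seen:                      # a URL requested twice means the chain loops
            findings.append((hop, "loop", src))
        seen.add(src)
        if dst is None:                      # final response carried no Location header
            break
        if trailing_slash_only(src, dst):
            findings.append((hop, "trailing_slash", dst))
        if protocol_downgrade(src, dst):
            findings.append((hop, "https_to_http", dst))
        ret = http_return_address(dst)
        if ret:
            findings.append((hop, "http_return_address", ret))
    if len(capture) > max_hops:
        findings.append((len(capture), "too_many_redirects", str(len(capture))))
    return findings


if __name__ == "__main__":
    for hop, kind, detail in analyse_chain(SAMPLE_CAPTURE):
        print(f"hop {hop}: {kind} -> {detail}")
```

Feed it the request/Location pairs from your own capture; a trailing_slash finding points at the agent logon and logout URLs, while https_to_http or http_return_address findings point at the reverse proxy or load balancer and the AtssoReturnLocation header.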


12.4 Upgrading from 7.6.04 to 8.1 silent installation issue


When you upgrade BMC Atrium Single Sign-On from version 7.6 to version 8.1, if version 7.6 was installed through
the UI and version 8.1 is installed by a silent installation, an error occurs because of differences in the host
names provided during these installs (uppercase versus lowercase).
In a BMC Atrium Single Sign-On UI installation, uppercase host names are the default, for example,
KBP1-DHP-F48200.synapse.com.
In a BMC Atrium Single Sign-On silent installation, lowercase host names are the default, for example,
kbp1-dhp-f48200.synapse.com.
Two methods are provided for upgrading BMC Atrium Single Sign-On where version 7.6 was installed using the UI
and version 8.1 uses a silent installation:
Upgrading without specifying the host name (see page 319)
Upgrading by re-defining the host name (see page 319)
For the browser alone, the difference in case is harmless, because host names in URLs are not case-sensitive.
However, the host name value is also used in the BMC Atrium Single Sign-On administration configuration, where
host names are compared case-sensitively. That difference in case causes the error during the upgrade.
BMC Atrium Single Sign-On version 7.6 UI installation example


BMC Atrium Single Sign-On version 8.1 silent installation example


12.4.1 Upgrading without specifying the host name


During the BMC Atrium Single Sign-On version 8.1 upgrade, if you do not provide values for the following
parameters, the upgrade installer fills in the values from the previous installation:
Destination Directory
Hostname
Tomcat ports
Cookie domain
1. Delete the ATRIUMSSO_HOST_NAME property from the SSOSilentInstallOptions.txt file.
2. Run the silent installation without providing the above parameters.

12.4.2 Upgrading by re-defining the host name


Alternatively, re-define the host name in the SSOSilentInstallOptions.txt file.
1. Before running the BMC Atrium Single Sign-On version 8.1 silent installation, run the mod.bat (Microsoft
Windows) or mod.sh (UNIX) command to obtain the BMC Atrium Single Sign-On server name.
For example, on Microsoft Windows:

<ATRIUM_DIR>\tomcat\webapps\atriumsso\WEB-INF\tools\ssoadm\atriumsso\bin\mod.bat list-servers -u amadmin -f D:\pass.txt


Where pass.txt is a file containing the plaintext password of the BMC Atrium Single Sign-On
administrator user (amadmin). Restrict read access to this file and delete it when you are done.

2. Edit the SSOSilentInstallOptions.txt file and modify the ATRIUM_HOST_NAME parameter to reflect only the
BMC Atrium Single Sign-On server name.
In the following example, KBP1-DHP-F48200.synapse.com is the correct value.

12.5 Troubleshooting AR authentication


This topic explains common errors associated with AR System authentication.

12.5.1 User has no profile in this organization


If the User Profile for the BMC Realm is set to Required instead of Dynamic or Ignored, the following error
message occurs when logging into a BMC product:
User has no profile in this organization
To modify the User Profile setting

1. On the BMC Atrium SSO Admin Console, click Edit BMC Realm.
2. Select either Dynamic or Ignored.

12.5.2 Error saving user or group edits


An exception occurs when you try to update user attributes or assign groups to users whose information was
retrieved from the AR System server. This is expected: the AR System server data store provides read-only access
to user and group information, so edits cannot be written back through BMC Atrium Single Sign-On.
The error indicates that a search base entry does not exist.

12.5.3 Error in SAML Authentication when Auto Federation is enabled


BMC Atrium Single Sign-On fails to find the specified federated user account and raises an exception
(BMCSSG1777E) if Auto Federation is enabled and an AR user store is used.
Workaround:
Delete the AR user store.
For more information, see Using AR for authentication.

12.6 Troubleshooting AR System server and Mid Tier integrations


Performing the BMC Atrium Single Sign-On integration with the BMC Remedy AR System server and the BMC
Remedy Mid Tier is a two-step sequence. If you have problems with BMC Atrium Single Sign-On installation and
configuration, review the following information.
Manually running the SSOARIntegration utility on the AR System server (see page 321)
Manually running the SSOMidtierIntegration utility on the AR System server (see page 323)

12.6.1 Manually running the SSOARIntegration utility on the AR System server


The SSOARIntegration utility uses the following inputs from the arintegration.txt file to integrate BMC Atrium Single
Sign-On with the AR System server:

[--ar-server-name=ARServerName]
[--ar-server-user=ARServerUser]
[--ar-server-password=ARServerPassword]


[--ar-server-port=ARServerPort]
[--atrium-sso-url=AtriumSSOURL]
[--admin-name=SSOAdminName]
[--admin-pwd=SSOAdminPassword]
[--truststore=truststorepath | Optional parameter]
[--truststore-password=truststorepassword | Optional parameter]
[--force=<Yes or No> Restart AR Server automatically | Optional parameter]

If needed, you can manually run the SSOARIntegration utility on the AR System server.
1. On the computer where the AR System server is installed, navigate to the
<ARSystemServerInstall>\artools\AtriumSSOIntegrationUtility directory.
For example, navigate to C:\Program Files\BMC Software\ARSystem\artools\AtriumSSOIntegrationUtility.
2. Enter the following command:

java -jar SSOARIntegration.jar --ar-server-name ARServerName --ar-server-user ARServerUser --ar-server-password ARServerPassword --ar-server-port ARServerPort --atrium-sso-url AtriumSSOURL --admin-name SSOAdminName --admin-pwd SSOAdminPassword

For example (the path contains spaces, so it must be quoted):

java -jar "C:\Program Files\BMC Software\ARSystem\artools\AtriumSSOIntegrationUtility\SSOARIntegration.jar" --ar-server-name ARServer.labs.bmc.com --ar-server-user Demo --ar-server-password Demo --ar-server-port 0 --atrium-sso-url https://ssoServer.bmc.com:8443/atriumsso --admin-name amAdmin --admin-pwd bmcAdm1n

Tip
Copy and paste this example into a text editor, and modify the values for your own environment.
Then copy the final version into your command window. The command line carries the AR System and BMC Atrium
Single Sign-On administrator passwords in clear text, so clear the command history afterwards.

3. Review the utility logs at
<ARSystemServerInstall>\artools\AtriumSSOIntegrationUtility\Logs\AtriumSSOIntegrationUtility.log.
If successful, the SSOARIntegration utility performs the following actions on the AR System server:
Validates the user inputs and returns any errors.
Configures the SSO AREA plug-in with a Java plug-in entry in ar.cfg (ar.conf on UNIX):

Server-Plugin-Alias: AREA AREA VW-PUN-REM-QA5J.pune-labs.bmc.com:9999

Configures the EA form for BMC Atrium Single Sign-On with the following entries in the ar.cfg file:


Use-Password-File: T
Crossref-Blank-Password: T
External-Authentication-RPC-Socket: 390695
Authentication-Chaining-Mode: 1

Verifies the BMC Atrium Single Sign-On user name and password by connecting to the BMC Atrium
Single Sign-On server and returns any errors.
Configures single sign-on with the following entries in the ar.cfg file. These entries carry the BMC Atrium
Single Sign-On administrator and truststore credentials, so restrict read access to ar.cfg:

Atrium-SSO-Location: <<AtriumSSOURL>>
Atrium-SSO-Admin-User: SSOAdminName
Atrium-SSO-Admin-Password: SSOAdminPassword
Atrium-SSO-Keystore-Password: truststorepassword
Atrium-SSO-Keystore-Path: truststorepath

Restarts the AR System server.
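The following script is an added example and is not part of the BMC documentation or of the SSOARIntegration utility. It parses an ar.cfg file (Key: value lines, with keys such as Server-Plugin-Alias allowed to repeat) and checks that the entries listed above are present with the documented values, that the AREA plug-in alias exists, and that Atrium-SSO-Location is an https URL; it also flags the two credential-bearing keys so that the file's permissions can be reviewed. The ar.cfg excerpt is constructed, and the host, password and path in it are placeholders.

```python
"""Verify the ar.cfg entries written by the SSOARIntegration utility.

Added example, not code from the BMC documentation. The excerpt below is
constructed; host, password and keystore path are placeholders.
"""

SAMPLE_AR_CFG = """\
# constructed excerpt of ar.cfg after a successful SSOARIntegration run
Server-Plugin-Alias: AREA AREA arserver.example.com:9999
Use-Password-File: T
Crossref-Blank-Password: T
External-Authentication-RPC-Socket: 390695
Authentication-Chaining-Mode: 1
Atrium-SSO-Location: https://ssoServer.bmc.com:8443/atriumsso
Atrium-SSO-Admin-User: amAdmin
Atrium-SSO-Admin-Password: bmcAdm1n
Atrium-SSO-Keystore-Password: changeit
Atrium-SSO-Keystore-Path: C:\\keystore\\cacerts.p12
"""

# Values the documentation lists as fixed for the EA form.
EXPECTED_FIXED = {
    "Use-Password-File": "T",
    "Crossref-Blank-Password": "T",
    "External-Authentication-RPC-Socket": "390695",
    "Authentication-Chaining-Mode": "1",
}
# Keys that must be present; their values depend on the environment.
EXPECTED_PRESENT = ("Atrium-SSO-Location", "Atrium-SSO-Admin-User", "Atrium-SSO-Admin-Password")
# Keys whose values are credentials.
SECRET_KEYS = ("Atrium-SSO-Admin-Password", "Atrium-SSO-Keystore-Password")


def parse_ar_cfg(text):
    """Parse 'Key: value' lines into {key: [values]}; the first colon separates key and value."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        entries.setdefault(key.strip(), []).append(value.strip())
    return entries


def check_sso_integration(text):
    """Return (problems, warnings) for one ar.cfg; an empty problems list means the entries are as documented."""
    cfg = parse_ar_cfg(text)
    problems, warnings = [], []
    for key, want in EXPECTED_FIXED.items():
        got = cfg.get(key)
        if got is None:
            problems.append(f"missing {key}")
        elif want not in got:
            problems.append(f"{key} is {got[0]!r}, expected {want!r}")
    for key in EXPECTED_PRESENT:
        if not cfg.get(key):
            problems.append(f"missing {key}")
    location = cfg.get("Atrium-SSO-Location", [""])[0]
    if location and not location.lower().startswith("https://"):
        problems.append("Atrium-SSO-Location is not https")
    # Server-Plugin-Alias may appear several times; one must be the AREA entry.
    if not any(v.startswith("AREA ") for v in cfg.get("Server-Plugin-Alias", [])):
        problems.append("no AREA Server-Plugin-Alias entry")
    for key in SECRET_KEYS:
        if cfg.get(key):
            warnings.append(f"{key} carries a credential; restrict read access to ar.cfg")
    return problems, warnings


if __name__ == "__main__":
    problems, warnings = check_sso_integration(SAMPLE_AR_CFG)
    print("problems:", problems or "none")
    print("warnings:", warnings)
```

Run it against the real ar.cfg (or ar.conf) after the utility finishes; a non-empty problems list points at an entry the utility did not write or that was changed afterwards, and the warnings are a reminder to check the file's permissions rather than a defect in the integration.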

12.6.2 Manually running the SSOMidtierIntegration utility on the AR System server


The SSOMidtierIntegration utility uses the following inputs to integrate BMC Atrium Single Sign-On with the BMC
Remedy Mid Tier:

[--install-mode=Install or Uninstall]
[--ar-server-name=ARServerName]
[--ar-server-user=ARServerUser]
[--ar-server-password=ARServerPassword]
[--ar-server-port=ARServerPort]
[--container-type=containertype]
[--web-app-url=MidtierURL or LoadBalancerURL]
[--container-base-dir=webserverhomedirectory]
[--jre-path=JREInstallDirectory]
[--midtier-home=MidtierHome]
[--notify-url=MidTierURL]
[--agent-realm=RealmName]
[--force SuppressAllManualInputs]
[--server-instance-name WebSphereinstancename required input for WebSphere server]
[--instance-config-directory WebSphereconfigdirectory required input for WebSphere server]
[--weblogic-domain-home BEAdomainhome required input for WebLogic web application]

Note
If you are using IBM WebSphere, pass the IBM Java path as an input for the --jre-path input
parameter.


Possible parameters for container-type and container-base-dir


For --container-type, specify one of the following possible values:
JBOSSV4
JBOSSV5
SERVLETEXECV5
SERVLETEXECV6
TOMCATV5
TOMCATV6
TOMCATV7
WEBSPHEREV6
WEBSPHEREV7
WEBLOGICV10
If Apache HTTP Server or IIS fronts the Mid Tier's Tomcat, specify --container-base-dir as
<TOMCAT_Home_Dir> rather than the Apache or IIS directory, and specify the Tomcat version as the
--container-type rather than Apache or IIS.

Additional parameters for IBM WebSphere


For IBM WebSphere, you can set these additional parameters:

[--server-instance-name WebSphereServerInstanceName]
[--instance-config-directory WebSphereServerInstanceConfigurationDirectory]

For example:

[--server-instance-name server1]
[--instance-config-directory
<WAS>/AppServer/profiles/AppSrv01/config/cells/<host>Node01Cell/nodes/<host>Node01/servers/server1]

Additional parameters for Oracle WebLogic


For Oracle WebLogic, you can set these additional parameters:

[--weblogic-domain-home DomainHomeDirectoryForDomainWhereWebAppIsDeployed]

For example:

[ --weblogic-domain-home <BEA_Home>/user_projects/domains/base_domain]


If needed, you can manually run the SSOMidtierIntegration utility on the AR System server.
1. On the computer where the AR System server is installed, navigate to the
<ARSystemServerInstall>\artools\AtriumSSOIntegrationUtility directory.
For example, navigate to C:\Program Files\BMC Software\ARSystem\artools\AtriumSSOIntegrationUtility.
2. Enter the following command:

java -jar SSOMidtierIntegration.jar --midtierintegration --ar-server-name ARServerName --ar-server-user ARServerUser --ar-server-password ARServerPassword --ar-server-port ARServerPort --install --container-type containertype --web-app-url MidtierURL --container-base-dir webserverhomedirectory --jre-path JREInstallDirectory --midtier-home MidtierHome

For example (paths that contain spaces must be quoted):

java -jar "C:\Program Files\BMC Software\ARSystem\midtier\AtriumSSOIntegrationUtility\SSOMidtierIntegration.jar" --midtierintegration --ar-server-name ARServer.labs.bmc.com --ar-server-user Demo --ar-server-password Demo --ar-server-port 0 --install --container-type TOMCATV6 --web-app-url http://Midtier.bmc.com:8080/arsys --container-base-dir "C:\Program Files\Apache Software Foundation\Tomcat6.0" --jre-path "C:\Program Files\Java\jre7" --midtier-home "C:\Program Files\BMC Software\ARSystem\midtier"

Tip
Copy and paste this example into a text editor, and modify the values for your own environment.
Then copy the final version into your command window.

3. Review the utility logs at
<ARSystemServerInstall>\artools\AtriumSSOIntegrationUtility\Logs\AtriumSSOIntegrationUtility.log.
4. Review the web.xml file (located at C:\Program Files\BMC Software\ARSystem\midtier\WEB-INF) to verify
that the following settings are present:

<filter>
<filter-name>Agent</filter-name>
<filter-class>com.bmc.atrium.sso.agents.web.SSOFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>Agent</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>

5. Review the config.properties file (located at C:\Program Files\BMC
Software\ARSystem\midtier\WEB-INF\classes) to verify that the following entry is present:


arsystem.authenticator=com.remedy.arsys.sso.AtriumSSOAuthenticator

The SSOMidtierIntegration utility performs the following actions on the Mid Tier:
Validates the user inputs and returns any errors.
Checks whether you are installing or uninstalling.
Connects to the AR System server and fetches the SSO values. If the values are present (that is, the AR System
server has already been integrated with BMC Atrium Single Sign-On), the utility continues with the Mid Tier
integration. Otherwise, it returns an "AR-SSO integration is not done" error.
Checks whether the Mid Tier is running and, if so, shuts it down before making changes.
Copies files to the Mid Tier and performs other modifications to the Mid Tier.
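The following script is an added example and is not part of the BMC documentation or of the SSOMidtierIntegration utility. It automates steps 4 and 5 above: it parses WEB-INF/web.xml and confirms that a filter with class com.bmc.atrium.sso.agents.web.SSOFilter is declared and mapped to /*, and it parses WEB-INF/classes/config.properties and confirms that arsystem.authenticator is set to com.remedy.arsys.sso.AtriumSSOAuthenticator. Both inputs below are constructed excerpts; the filter name Agent and the namespace handling follow the snippet on the page.

```python
"""Check the Mid Tier artifacts left behind by SSOMidtierIntegration.

Added example, not code from the BMC documentation. The two inputs are
constructed excerpts of web.xml and config.properties.
"""
import xml.etree.ElementTree as ET

FILTER_CLASS = "com.bmc.atrium.sso.agents.web.SSOFilter"
AUTHENTICATOR = "com.remedy.arsys.sso.AtriumSSOAuthenticator"

SAMPLE_WEB_XML = """\
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <filter>
    <filter-name>Agent</filter-name>
    <filter-class>com.bmc.atrium.sso.agents.web.SSOFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>Agent</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
</web-app>
"""

SAMPLE_CONFIG_PROPERTIES = """\
# constructed excerpt of config.properties
arsystem.authenticator=com.remedy.arsys.sso.AtriumSSOAuthenticator
arsystem.servers=arserver.example.com
"""


def _local(tag):
    """Strip the XML namespace: '{uri}filter' -> 'filter'."""
    return tag.rsplit("}", 1)[-1]


def check_web_xml(text):
    """Return a list of problems; empty when SSOFilter is declared and mapped to /*."""
    root = ET.fromstring(text)
    filter_names, mapped = set(), set()
    for element in root:
        kind = _local(element.tag)
        children = {_local(c.tag): (c.text or "").strip() for c in element}
        if kind == "filter" and children.get("filter-class") == FILTER_CLASS:
            filter_names.add(children.get("filter-name"))
        elif kind == "filter-mapping" and children.get("url-pattern") == "/*":
            mapped.add(children.get("filter-name"))
    if not filter_names:
        return [f"no <filter> with class {FILTER_CLASS}"]
    if not filter_names & mapped:
        return ["SSOFilter is declared but has no /* <filter-mapping>"]
    return []


def check_config_properties(text):
    """Return a list of problems; empty when arsystem.authenticator names the SSO authenticator."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    actual = props.get("arsystem.authenticator")
    if actual is None:
        return ["arsystem.authenticator is not set"]
    if actual != AUTHENTICATOR:
        return [f"arsystem.authenticator is {actual!r}, expected {AUTHENTICATOR!r}"]
    return []


def check_midtier_integration(web_xml, config_properties):
    """Combine both checks; an empty list means the Mid Tier side of the integration is in place."""
    return check_web_xml(web_xml) + check_config_properties(config_properties)


if __name__ == "__main__":
    print(check_midtier_integration(SAMPLE_WEB_XML, SAMPLE_CONFIG_PROPERTIES) or "integration artifacts present")
```

Point the two functions at the real files under <MidtierHome>\WEB-INF; a filter that is declared but mapped to a narrower pattern than /* leaves part of the Mid Tier outside the SSO agent, which is why the mapping is checked and not only the declaration.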

12.7 Troubleshooting CAC authentication


If authentication fails, there are several log directories and several debug methods that you can use to resolve
issues. If you discover that a certificate is not in the truststore, import the certificate into the truststore
(cacerts.p12).
With the default logging level, check for errors in the normal BMC Atrium Single Sign-On log files in the log
directory: <installationDirectory>\AtriumSSO\tomcat\webapps\atriumsso\WEB-INF\config\atriumsso\log
After setting the logging level to Message, check the Authentication file in the debug directory:
<installationDirectory>\AtriumSSO\tomcat\webapps\atriumsso\WEB-INF\config\atriumsso\debug
Check the Authentication directory:
<installationDirectory>\AtriumSSO\tomcat\webapps\atriumsso\WEB-INF\config\atriumsso\debug\Authentication
Change the clientAuth setting in the Tomcat server.xml configuration file to true.
Turn on network debug logging.
Check the BMC Atrium Single Sign-On truststore to verify that the client certificate has been imported or that its
issuer (in other words, the signer) certificate has been imported.
The following troubleshooting topics are addressed here:


Example of a default logging level error
Example of a debug log error when a certificate is not available
Changing the clientAuth setting
Turning on network debug logging (see page 328)
Example of a client not responding with a certificate
Example of a client sending a certificate
Example of a list of certificates sent to the client
Example of URL certificate authentication not enabled
Example of OCSP certificate failure
Clock skew too great for CAC authentication (see page 331)

12.7.1 Example of a default logging level error


A sign of the certificate issue can be seen in the normal BMC Atrium Single Sign-On log files with the default
logging level. The following error log entry comes from the amAuthentication.error file located in the following log
directory:
<installationDirectory>\AtriumSSO\tomcat\webapps\atriumsso\WEB-INF\config\atriumsso\log

"2011-05-26 20:00:20" "Login Failed" "Not Available" "Not Available" 172.22.33.64 INFO o=bmcrealm,ou=services,dc=opensso,dc=java,dc=net "cn=dsameuser,ou=DSAME Users,dc=opensso,dc=java,dc=net" AUTHENTICATION-200 CAC "Not Available" 172.22.33.64

12.7.2 Example of a debug log error when a certificate is not available


After debug logging is enabled, a log entry is available in the Authentication file from the debug directory:
<installationDirectory>\AtriumSSO\tomcat\webapps\atriumsso\WEB-INF\config\atriumsso\debug
The CAC module logs an error when a certificate is not available for authentication. The following is a sample log
error:

LOGINFAILED Error....
amAuth:05/26/2011 06:28:47:604 PM CDT: Thread[http-8443-4,5,main]
Exception :
com.sun.identity.authentication.spi.AuthLoginException(1):null
com.sun.identity.authentication.spi.AuthLoginException(2):User certificate not found
com.sun.identity.authentication.spi.AuthLoginException: User certificate not found
at com.sun.identity.authentication.modules.cert.Cert.process(Cert.java:415)
at com.sun.identity.authentication.spi.AMLoginModule.wrapProcess(AMLoginModule.java:866)
at com.sun.identity.authentication.spi.AMLoginModule.login(AMLoginModule.java:965)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)


at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
.... MORE TRACE DELETED

12.7.3 Changing the clientAuth setting


The simplest approach for identifying why a CAC or certificate logon failed is to change the clientAuth setting in
the Tomcat server.xml configuration file to true.
With clientAuth="true", the client certificate becomes mandatory in the Transport Layer Security (TLS) handshake
rather than optional. If the browser cannot present a certificate that chains to an authority in the server
truststore, the handshake itself fails and the browser displays an error, instead of the login module failing later
with a less specific message.
For example, the following message is displayed by Firefox when the TLS handshake fails:

Secure Connection Failed

An error occurred during a connection to <host>. SSL peer cannot verify your certificate.
(Error code: ssl_error_bad_cert_alert)

12.7.4 Turning on network debug logging


If a more detailed examination of the communication between the client and the server is necessary, turn on
network debug logging to gather detailed information.
To turn on detailed network debug logging (see page 328)
To edit the service definition in Microsoft Windows (see page 328)
To edit the service definition in UNIX (see page 329)

To turn on detailed network debug logging


1. Stop the BMC Atrium Single Sign-On server.
2. Edit the service definition.
3. Restart the BMC Atrium Single Sign-On server.
4. Attempt to log on using either the CAC card or a client certificate.

To edit the service definition in Microsoft Windows


1. From the command prompt, change your working directory to
<installationDirectory>\AtriumSSO\tomcat\bin.
2. Run the following command:
tomcat6w.exe //ES//BMCAtriumSSOTomcat
3. On the Java tab, add the following Java Virtual Machine (JVM) specification to the Java Options input field:
-Djavax.net.debug=ssl,handshake
4. On the Logging tab, enter the file names for the stdout and stderr fields. For example, c:\stdout.txt and
c:\stderr.txt.

5. Click either OK or Apply.

To edit the service definition in UNIX


1. From a shell window, change your working directory to <installationDirectory>/AtriumSSO/tomcat/bin.
2. Edit the setenv.sh shell file and add the following JVM option to the existing CATALINA_OPTS definition:
-Djavax.net.debug=ssl,handshake

12.7.5 Example of a client not responding with a certificate


The following excerpt from the Transport Layer Security (TLS) debug log shows a client that does not respond with
a certificate. Nothing appears between *** Certificate chain and the *** terminator: the client answered the
CertificateRequest with an empty Certificate message, and the server then rejects the handshake with a
bad_certificate alert.

*** ServerHelloDone
http-8443-1, WRITE: TLSv1 Handshake, length = 1606
http-8443-1, READ: TLSv1 Handshake, length = 109
*** Certificate chain
***
http-8443-1, SEND TLSv1 ALERT: fatal, description = bad_certificate
http-8443-1, WRITE: TLSv1 Alert, length = 2
http-8443-1, called closeSocket()
http-8443-1, handling exception: javax.net.ssl.SSLHandshakeException: null cert chain

12.7.6 Example of a client sending a certificate


The following is an example of a certificate chain when a client sends a certificate:

*** Certificate chain
chain [0] = [
[
Version: V3
Subject: CN=iBMC-JBHBBK1.adprod.bmc.com, O=BMC Software, OU=AtriumSSO Server
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

Key: Sun RSA public key, 1024 bits
modulus: 1153476415046747080545705726032711211661968880193177355336120528259205179870188541335265143945647202724213538382307948622187620109985258043367461220955062174825281747811779169731328981617523044020488089469272309556495068627650608058272169958226152224835413140850196651094714261111749419276023
57110513103177317
public exponent: 65537
Validity: [From: Thu May 26 17:35:59 CDT 2011, To: Sun May 23 17:35:59 CDT 2021]
Issuer: CN=iBMC-JBHBBK1.adprod.bmc.com, O=BMC Software, OU=AtriumSSO Server
SerialNumber: [ 4dded5cf]

]
Algorithm: [SHA1withRSA]
Signature:
0000: 65 CC 79 95 9C F3 5A 66 59 B1 3F 53 EC AD F7 CD  e.y...ZfY.?S....
0010: AC 12 A6 3F A2 E8 9B 47 65 D7 F5 23 06 A9 6B 17  ...?...Ge..#..k.
0020: 3A 7C 33 D3 87 4D FD 8D 55 84 FA E5 AB 55 FB 12  :.3..M..U....U..
0030: 31 6E C9 66 AD 02 C5 9F 04 CE 10 66 2C 46 C0 FA  1n.f.......f,F..
0040: 68 2A 3B 9C 4E 50 0B 2D 8F C5 CB 7D BB 76 E0 75  h*;.NP.-.....v.u
0050: 6E 91 6F C3 CD 6E AC 66 6E 92 E3 1E B5 19 06 17  n.o..n.fn.......
0060: B9 6B 96 1E 0A 90 67 05 A0 1A F1 2B 55 35 07 D5  .k....g....+U5..
0070: DF AD 3D 5F 1F DF 09 32 77 F0 39 13 46 94 DD D7  ..=_...2w.9.F...

]
***

12.7.7 Example of a list of certificates sent to the client


The client receives a list of certificate authorities from the server that it uses to decide which certificate to
respond with. This list is sent in the CertificateRequest message at the end of the server's hello sequence.
The client scans its certificate store for a certificate that matches exactly (for example, a self-signed
certificate) or that is signed by one of these authorities. If no match is found, no certificate is sent and the
logon fails. In the excerpt below, Cert Authorities is empty: the server advertised no acceptable issuers, which
usually means the issuer certificate is missing from the server truststore.

*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Cert Authorities:*** ServerHelloDone
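The following script is an added example, not part of the BMC documentation: it parses a javax.net.debug=ssl,handshake capture such as the ones quoted in the three preceding topics and classifies it. It distinguishes the server's own certificate chain (sent before ServerHelloDone) from the client's (sent after), records which authorities the CertificateRequest advertised, and reports whether the client sent a certificate, sent none, or was never asked (clientAuth not enabled). Both captures below are constructed from the line formats shown above; the host and subject names in them are fictitious.

```python
"""Classify a server-side TLS handshake debug capture for CAC logon failures.

Added example, not code from the BMC documentation. The captures below
are constructed from the line formats quoted on the page; names are fictitious.
"""
import re

# Constructed: server asked for a certificate, advertised no CA names, client sent none.
NO_CERT_CAPTURE = """\
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Cert Authorities:*** ServerHelloDone
http-8443-1, WRITE: TLSv1 Handshake, length = 1606
http-8443-1, READ: TLSv1 Handshake, length = 109
*** Certificate chain
***
http-8443-1, SEND TLSv1 ALERT: fatal, description = bad_certificate
http-8443-1, WRITE: TLSv1 Alert, length = 2
http-8443-1, called closeSocket()
http-8443-1, handling exception: javax.net.ssl.SSLHandshakeException: null cert chain
"""

# Constructed: server chain, then CertificateRequest with one CA, then a client chain.
CERT_CAPTURE = """\
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=sso.example.com, O=Example, OU=AtriumSSO Server
  Issuer: CN=sso.example.com, O=Example, OU=AtriumSSO Server
]
***
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Cert Authorities:
<CN=Example CAC Root CA, O=Example, C=US>
*** ServerHelloDone
http-8443-2, READ: TLSv1 Handshake, length = 1320
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=Jane Doe, OU=Example Users, O=Example Org
  Issuer: CN=Example CAC Root CA, O=Example, C=US
]
***
"""


def parse_handshake(text):
    """Extract CertificateRequest, chains, alert and exception from one capture."""
    lines = text.splitlines()
    r = {"cert_requested": False, "cert_authorities": [], "server_chain": [],
         "client_chain": [], "alert": None, "exception": None}
    seen_done = False  # chains after ServerHelloDone belong to the client
    i = 0
    while i < len(lines):
        line = lines[i]
        if line.startswith("*** CertificateRequest"):
            r["cert_requested"] = True
            i += 1
            while i < len(lines) and "***" not in lines[i]:   # CA names are printed as <DN>
                m = re.match(r"\s*<(.+)>\s*$", lines[i])
                if m:
                    r["cert_authorities"].append(m.group(1))
                i += 1
            continue
        if line.startswith("*** Certificate chain"):
            target = r["client_chain"] if seen_done else r["server_chain"]
            i += 1
            while i < len(lines) and "***" not in lines[i]:   # empty chain ends at once
                m = re.match(r"\s*Subject:\s*(.+?)\s*$", lines[i])
                if m:
                    target.append(m.group(1))
                i += 1
            continue
        if "*** ServerHelloDone" in line:   # may share a line with an empty Cert Authorities:
            seen_done = True
        m = re.search(r"ALERT: fatal, description = (\w+)", line)
        if m:
            r["alert"] = m.group(1)
        m = re.search(r"handling exception: (.+?)\s*$", line)
        if m:
            r["exception"] = m.group(1)
        i += 1
    return r


def diagnose(text):
    """One-line verdict in the terms used by the troubleshooting topics above."""
    r = parse_handshake(text)
    if not r["cert_requested"]:
        return "server never sent CertificateRequest: check clientAuth in server.xml"
    if not r["client_chain"]:
        msg = "client sent no certificate"
        if not r["cert_authorities"]:
            msg += " (server advertised no CA names: import the issuer certificate into the truststore)"
        if r["alert"]:
            msg += f"; server alert {r['alert']}"
        return msg
    return "client sent certificate: " + r["client_chain"][0]


if __name__ == "__main__":
    print(diagnose(NO_CERT_CAPTURE))
    print(diagnose(CERT_CAPTURE))
```

Run it over the stdout file configured in the service definition (see Turning on network debug logging). The server_chain and cert_authorities fields are kept separately because the most common mistake is reading the server's own chain under *** Certificate chain as if the client had sent it.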

12.7.8 Example of URL certificate authentication not enabled


If the BMC Atrium Single Sign-On WEB-INF\config\atriumsso\debug\Authentication directory contains the
following error messages, the Common Access Card (CAC) certificate was not passed in from the client.
Ensure that the certificates, or the correct certificates, were imported into the cacerts.p12 file.

amAuthCert:11/18/2009 01:17:37:922 PM CST: Thread[http-8443-6,5,main]
ERROR: Certificate: cert passed in URL not enabled for this client
amAuthCert:11/18/2009 01:17:37:922 PM CST: Thread[http-8443-6,5,main]
ERROR: Certificate: exiting validate with exception
com.sun.identity.authentication.spi.AuthLoginException: URL certificate authentication not enabled.
at com.sun.identity.authentication.modules.cert.Cert.process(Cert.java:383)
at com.sun.identity.authentication.spi.AMLoginModule.wrapProcess(AMLoginModule.java:866)
at com.sun.identity.authentication.spi.AMLoginModule.login(AMLoginModule.java:926)
at sun.reflect.GeneratedMethodAccessor57.invoke(Unknown Source)
....


12.7.9 Example of OCSP certificate failure


If you receive the following errors, verify that you imported the Online Certificate Status Protocol (OCSP)
certificates into the cacerts.p12 file:

amAuthCert:11/18/2009 02:45:58:004 PM CST: Thread[http-8443-3,5,main]
ERROR: CertPath:verify failed.
amAuthCert:11/18/2009 02:45:58:004 PM CST: Thread[http-8443-3,5,main]
ERROR: X509Certificate:CRL / OCSP verify failed.

12.7.10 Clock skew too great for CAC authentication


Clock skew is the maximum difference in time between two servers that still allows authentication to succeed. If
the clocks are too far apart, you receive a "clock skew too great" error. The skew between the BMC Atrium Single
Sign-On server and the OCSP responder must not exceed 15 minutes; otherwise OCSP validation fails.
This error indicates that the clock on one or both servers is wrong. To resolve it, either synchronize both
computers with a time server (NTP), or manually set the clock on one or both computers to the correct time.

12.8 Troubleshooting FIPS-140 conversion


If the conversion process fails:
1. From the BMC Atrium Single Sign-On administrator console, restore FIPS mode back to normal mode. For
more information about restoring normal mode, see Converting from FIPS-140 to normal mode (see page
258).
2. Save the configuration change.
3. Address the cause of the failure.
If any errors occurred during the conversion, they are logged after the initial BMCSSG1599I message.
4. Retry the FIPS-140 conversion after resolving the cause of the previous attempt's failure.

12.9 Troubleshooting JEE agents


The following topics provide instructions for manually removing a JEE agent from BMC Atrium Single Sign-On.
These steps cover only the BMC Atrium Single Sign-On configuration. Additional steps might be required for full
removal.


To remove a JEE agent from BMC Atrium Single Sign-On (see page 332)
To remove a JEE agent from WebSphere (see page 332)
To remove a JEE agent from Tomcat (see page 332)
To remove a JEE agent from JBoss or WebLogic (see page 333)

12.9.1 To remove a JEE agent from BMC Atrium Single Sign-On


1. On the BMC Atrium SSO Admin Console, click Agent Details.
2. Select the agent you want to delete.
3. Click Delete.

12.9.2 To remove a JEE agent from WebSphere


1. Stop IBM WebSphere Application Server (WAS).
2. Delete <installationDirectory>/AppServer/atssoAgents.
3. Delete <installationDirectory>/AppServer/.amAgentLocator.
4. Edit <WASHome>
\AppServer\profiles\AppSrv01\config\cells\<cell>\nodes\<node>\servers\server1\server.xml
a. Navigate to process:Server > processDefinitions > jvmEntries.
b. Remove from attribute genericJvmArguments the system property declarations (for example,
-Dcom.iplanet.services.debug.level=on ).
c. A sub tag of jvmEntries, classpath, contains the classpath for the JVM. Remove the BMC Atrium
Single Sign-On entries.
5. Restart WAS.

12.9.3 To remove a JEE agent from Tomcat


1. Stop Tomcat.
2. Delete <catalinaHome>/atssoAgents.
The following steps may not be applicable, depending on the agent used by the web application:
3. Delete <catalinaHome>/.amAgentLocator.
4. Edit <catalinaHome>/conf/server.xml and remove the realm definition. For example:

<Realm className="com.sun.identity.agents.tomcat.v6.AmTomcatRealm" debug="99"/>

5. Edit <catalinaHome>/bin/setclasspath.sh (or <catalinaHome>\bin\setclasspath.bat).
a. Delete the inclusion of setAgentclasspath.sh (or setAgentclasspath.bat).
b. Delete <catalinaHome>/bin/setAgentclasspath.sh (or <catalinaHome>\bin\setAgentclasspath.bat).
6. Restart Tomcat.


12.9.4 To remove a JEE agent from JBoss or WebLogic


1. Stop the relevant application server.
2. Delete <directory>/atssoAgents.
3. Restart the relevant application server.

12.10 Troubleshooting Kerberos authentication


When diagnosing Kerberos authentication failures, check the logs on the Ticket Granting Server (TGS), typically
the Active Directory domain controller, to identify the root cause. In addition, install a browser utility (for
example, HTTPHeaders for Internet Explorer or Live HTTP Headers for Firefox) to display the headers sent between
the browser and the BMC Atrium Single Sign-On server. The WWW-Authenticate and Authorization headers help
identify the failure point; in particular, a Kerberos token in the Authorization: Negotiate header begins with YII,
whereas an NTLM token begins with TlRMTVNT.
The following commands are useful for troubleshooting on the client:
klist tickets   lists the tickets currently cached from the TGS
klist purge     discards the cached tickets so that the next logon obtains fresh ones
Problems with the module configuration can be detected by turning on BMC Atrium Single Sign-On debug
logging and attempting to log in by using a test URL. Log entries are generated in the debug.out log file when
message-level debugging is configured.
The following troubleshooting topics are addressed here:
The following troubleshooting topics are addressed here:


Invalid user name for Kerberos authentication
Invalid service principal name for Kerberos authentication
Invalid keytab index number for Kerberos authentication
Invalid password for Kerberos authentication
Incorrect server name for Kerberos authentication
Browser sending NTLM instead of Kerberos (see page 336)
Browser not correctly configured for Kerberos authentication
Clock skew too great for Kerberos authentication
Chained authentication failure in Microsoft Internet Explorer (see page 338)

12.10.1 Invalid user name for Kerberos authentication


This error message indicates that the user name does not match the entry in the keytab file. Validate that the full
principal name is used and the correct service type, domain, and so on are specified.

New Service Login ...
amAuthWindowsDesktopSSO:06/24/2011 12:40:11:670 PM CDT: Thread[http-8443-2,5,main]
ERROR: Service Login Error:
amAuthWindowsDesktopSSO:06/24/2011 12:40:11:670 PM CDT: Thread[http-8443-2,5,main]
Stack trace:
javax.security.auth.login.LoginException: Unable to obtain password from user
at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Krb5LoginModule.java:789)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:654)
...

12.10.2 Invalid service principal name for Kerberos authentication


This error message indicates a possible failure due to a discrepancy between the service principal name in the
keytab file and the actual service principal name in the TGS or Active Directory. This error can be caused by
renaming the service principal in the TGS without updating the keytab file. Validate the name (case-sensitive) and
regenerate the keytab file if the service principal name has changed.

amAuthWindowsDesktopSSO:06/28/2011 04:24:33:854 PM CDT: Thread[http-8443-1,5,main]
New Service Login ...
amAuthWindowsDesktopSSO:06/28/2011 04:24:33:870 PM CDT: Thread[http-8443-1,5,main]
ERROR: Service Login Error:
amAuthWindowsDesktopSSO:06/28/2011 04:24:33:870 PM CDT: Thread[http-8443-1,5,main]
Stack trace:
javax.security.auth.login.LoginException: Client not found in Kerberos database (6)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:696)
at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:542)

12.10.3 Invalid keytab index number for Kerberos authentication


This exception is logged when the key version number (KVNO) in the keytab file differs from the KVNO in the
service ticket presented by the client; this typically happens when the service account's password was reset
after the keytab was generated, which increments the KVNO in Active Directory. The solution is to regenerate the
keytab file. Be sure to specify the /kvno 0 option to ktpass; this ensures that the KVNO value is compatible.

amJAAS:10/18/2011 09:35:00:435 AM PDT: Thread[http-8443-1,5,main]


Exception: com.sun.identity.authentication.spi.AuthLoginException: Failed to authentication.
Failure unspecified at GSS-API level (Mechanism level: Specified version of key is not available (44))

12.10.4 Invalid password for Kerberos authentication


This error message from the Active Directory server indicates that the password in the keytab file is incorrect for
the specified principal. Verify that the password is correct, and regenerate the keytab file if it is not correct or
has been changed since the file was generated.

amAuthWindowsDesktopSSO:06/24/2011 02:18:31:590 PM CDT: Thread[http-8443-1,5,main]


ERROR: Service Login Error:
amAuthWindowsDesktopSSO:06/24/2011 02:18:31:590 PM CDT: Thread[http-8443-1,5,main]
Stack trace:
javax.security.auth.login.LoginException: Pre-authentication information was invalid (24)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:696)
at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:542)

12.10.5 Incorrect server name for Kerberos authentication


This exception failure indicates that the server host name specified for the module configuration is incorrect, or
that the server is not accessible through the network. Validate the server name and that the server can be
contacted through the network.

amAuth:06/24/2011 05:48:57:828 PM CDT: Thread[http-8443-2,5,main]


LOGINFAILED Error....
amAuth:06/24/2011 05:48:57:828 PM CDT: Thread[http-8443-2,5,main]
Exception :
com.sun.identity.authentication.spi.AuthLoginException(1):null
com.sun.identity.authentication.spi.AuthLoginException(2):Service authentication failed.
javax.security.auth.login.LoginException(3):Receive timed out
javax.security.auth.login.LoginException: Receive timed out
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:700)
at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:542)

12.10.6 Browser sending NTLM instead of Kerberos


The following entry in the debug log files indicates that the token received from the client is a Microsoft Windows
NT LAN Manager (NTLM) token, not a Kerberos token as required. Verify that the BMC Atrium Single Sign-On
server has been set up correctly as a service principal and that the client can successfully request a service
ticket for that principal.

amAuthWindowsDesktopSSO:06/28/2011 06:46:14:877 PM CDT: Thread[http-8443-1,5,main]


Retrieved config params from cache.
amAuthWindowsDesktopSSO:06/28/2011 06:46:14:877 PM CDT: Thread[http-8443-1,5,main]
WARNING: Authentication token is NTLM.
amAuthWindowsDesktopSSO:06/28/2011 06:46:14:877 PM CDT: Thread[http-8443-1,5,main]
SPNEGO token:
4e 54 4c 4d 53 53 50 00 01 00 00 00 07 82 08 a2
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
05 02 ce 0e 00 00 00 0f

When a browser sends an NTLM token instead of a Kerberos token, the usual cause is that the client failed to obtain
a service ticket for the BMC Atrium Single Sign-On server. For example, the service principal name lookup is
case-sensitive, and a mismatch in case results in an NTLM token being sent.
When debugging a client failure, enable Kerberos event logging on the client to identify the failure, and disable it
again after diagnosing the problem. For more information about how to enable Kerberos event logging, see
http://support.microsoft.com/kb/262177.
The following trace of an exchange between an Internet Explorer browser and the BMC Atrium Single Sign-On
server shows a successful negotiation: the first request is answered with 401 and WWW-Authenticate: Negotiate,
and the browser repeats the request with an Authorization: Negotiate header carrying the SPNEGO token.

GET /atriumsso/UI/Login?gx_charset=UTF-8&realm=BmcRealm HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-application,
application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR
2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: ibmc-jbhbbk1.adprod.bmc.com:8443
Connection: Keep-Alive
Cookie:
s_pers=%20s_lv%3D1270043963949%7C1364651963949%3B%20s_lv_s%3DFirst%2520Visit%7C1270045763949%3B%20s_nr%3D127004396396
s_vi=[CS]v1|25D9AA60851D2F18-60000104E00EF3FE[CE];
__utma=246752535.599385143.1270043842.1270043842.1270043842.1

HTTP/1.1 401 Unauthorized
Server: Apache-Coyote/1.1
Pragma: no-cache

Cache-Control: no-cache
Expires: 0
Cache-Control: private
X-DSAMEVersion: Atrium SSO 7.6.04(2011-June-28 13:47)
AM_CLIENT_TYPE: genericHTML

Set-Cookie:
AMAuthCookie=AQIC5wM2LY4SfcwV3%2FNDDybcVGsdeW%2B%2BRnGC93rfcaw%2FEf8%3D%40AAJTSQACMDIAAlNLAAkxOTE4MzI0NTIAAlMxAAIwMQ%
Domain=.bmc.com; Path=/
Set-Cookie: amlbcookie=01; Domain=.bmc.com; Path=/
WWW-Authenticate: Negotiate
Content-Type: text/html;charset=utf-8
Content-Length: 954
Date: Wed, 29 Jun 2011 00:09:46 GMT

GET /atriumsso/UI/Login?gx_charset=UTF-8&realm=BmcRealm HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-application,
application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR
2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: ibmc-jbhbbk1.adprod.bmc.com:8443
Connection: Keep-Alive
Authorization: Negotiate YIIE7gYGKwYBBQUCoIIE4jCCBN6gJDAiBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKw
YBBAGCNwICCqKCBLQEggSwYIIErAYJKoZIhvcSAQICAQBuggSbMIIEl6ADAgEFoQMCAQ6iBwMFACAAAACjggO/
YYIDuzCCA7egAwIBBaEQGw5CU01EU0wuQk1DLkNPTaIuMCygAwIBAqElMCMbBEhUVFAbG2libWMtamJoYmJrMS5h
ZHByb2QuYm1jLmNvbaOCA2wwggNooAMCARehAwIBA6KCA1oEggNWF2cjeeJwxrbN85nRgZ6kQQ49s7I54ndjXLJD
jdc62pRQqDDYaMn6KUBR5zPfwuvNRlL4e3n0MXtNLbUMgMGWiDBZlLVLRJg6p3tydxJC9eEiWYFu ...
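The distinction the log makes ("Authentication token is NTLM") can be checked directly on a captured Authorization header. The following is an added example, not code from the BMC documentation or product: it decodes the Negotiate token, recognises a raw NTLMSSP message by its signature, and otherwise walks the SPNEGO NegTokenInit to read the mechanism list. A quick eyeball rule follows from the same bytes: a Negotiate value beginning TlRMTVNTUAAB is a raw NTLM NEGOTIATE message, while one beginning YI is a GSS-API/SPNEGO token. The NTLM bytes below are the ones dumped in the log excerpt above, and decoding the first 66 bytes of the Authorization header in the trace above yields a mechanism list of the two Kerberos OIDs followed by NTLMSSP; the SPNEGO tokens built by build_spnego_init are constructed for the test.

```python
"""Classify the token in an HTTP "Authorization: Negotiate ..." header as NTLM or Kerberos.

Added example; not code from the BMC documentation or product. It makes the same
distinction the debug log above makes: a raw NTLMSSP message, a SPNEGO wrapper whose
mechanism list offers only NTLM, or a SPNEGO/Kerberos token.
"""
import base64

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"

# DER-encoded OID values (without the 0x06 tag and length byte)
OID_SPNEGO = bytes.fromhex("2b0601050502")          # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")      # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("2a864882f712010202")   # 1.2.840.48018.1.2.2 (Microsoft variant)
OID_NTLMSSP = bytes.fromhex("2b060104018237020a")   # 1.3.6.1.4.1.311.2.2.10

# Bytes from the "SPNEGO token:" dump in the log excerpt above (an NTLMSSP NEGOTIATE message)
NTLM_TYPE1_FROM_LOG = bytes.fromhex(
    "4e 54 4c 4d 53 53 50 00 01 00 00 00 07 82 08 a2"
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
    "05 02 ce 0e 00 00 00 0f"
)


def _der(tag, content):
    """Encode one DER TLV (used only to construct test tokens)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    len_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(len_bytes)]) + len_bytes + content


def _read_tlv(buf, pos):
    """Decode the tag and length at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                         # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _oids_in(buf, start, end):
    """Collect OIDs by walking constructed DER elements. Primitive elements other than OIDs
    (e.g. the OCTET STRING holding the inner mechToken) are skipped, not descended into."""
    found = []
    pos = start
    while pos < end:
        tag, vstart, vend = _read_tlv(buf, pos)
        if tag == 0x06:
            found.append(buf[vstart:vend])
        elif tag & 0x20:                      # constructed: SEQUENCE, [n], APPLICATION n
            found.extend(_oids_in(buf, vstart, vend))
        pos = vend
    return found


def classify_negotiate_token(token: bytes) -> str:
    """Return 'ntlm-raw ...', 'spnego-ntlm-only', 'spnego-kerberos', 'kerberos-raw' or 'unknown'."""
    if token.startswith(NTLMSSP_SIGNATURE):
        msg_type = int.from_bytes(token[8:12], "little")   # 1 = NEGOTIATE, 3 = AUTHENTICATE
        return f"ntlm-raw (NTLMSSP message type {msg_type})"
    if not token or token[0] != 0x60:        # 0x60 = GSS-API InitialContextToken
        return "unknown"
    try:
        oids = _oids_in(token, 0, len(token))
    except IndexError:
        return "truncated-or-malformed"
    if not oids:
        return "unknown"
    if oids[0] in (OID_KRB5, OID_MS_KRB5):
        return "kerberos-raw"
    if oids[0] != OID_SPNEGO:
        return "unknown"
    mechs = oids[1:]                         # NegTokenInit mechTypes, in the client's preference order
    if any(m in (OID_KRB5, OID_MS_KRB5) for m in mechs):
        return "spnego-kerberos"
    if OID_NTLMSSP in mechs:
        return "spnego-ntlm-only"
    return "spnego-unknown-mech"


def classify_authorization_header(header_value: str) -> str:
    """Accept the value of an HTTP Authorization header, e.g. 'Negotiate YIIE7g...'."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return f"not-negotiate ({scheme})"
    b64 = b64.strip()
    return classify_negotiate_token(base64.b64decode(b64 + "=" * (-len(b64) % 4)))


def build_spnego_init(mech_oids, mech_token):
    """Construct a minimal SPNEGO NegTokenInit (RFC 4178) for testing purposes."""
    mech_list = _der(0x30, b"".join(_der(0x06, oid) for oid in mech_oids))
    neg_init = _der(0x30, _der(0xA0, mech_list) + _der(0xA2, _der(0x04, mech_token)))
    return _der(0x60, _der(0x06, OID_SPNEGO) + _der(0xA0, neg_init))


if __name__ == "__main__":
    print(classify_negotiate_token(NTLM_TYPE1_FROM_LOG))
```

Run it against the value of the browser's Authorization header taken from a proxy or network capture; a result of spnego-ntlm-only or ntlm-raw means the client never obtained a Kerberos service ticket, so the service principal name and the client's ticket cache are where to look next.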

12.10.7 Browser not correctly configured for Kerberos authentication


This stack trace indicates that the browser is not sending a Kerberos token. Validate that the browser is
configured for Kerberos authentication with the BMC Atrium Single Sign-On server (for Internet Explorer, the server
must be in a zone, such as Local intranet, for which Integrated Windows Authentication is enabled). Verify that the
principals in the BMC Atrium Single Sign-On Kerberos configuration and the user account running the browser are
all in the same realm. Lastly, when multiple services are running on the same host or non-standard ports are used
for HTTP and HTTPS connections, review the following Microsoft article: http://support.microsoft.com/kb/908209.

amJAAS:06/24/2011 02:35:46:834 PM CDT: Thread[http-8443-2,5,main]


Exception: com.sun.identity.authentication.spi.AuthLoginException: Invalid Kerberos token.
amJAAS:06/24/2011 02:35:46:834 PM CDT: Thread[http-8443-2,5,main]
Set firstRequiredError to com.sun.identity.authentication.spi.AuthLoginException: Invalid Kerberos token.
amLoginModule:06/24/2011 02:35:46:834 PM CDT: Thread[http-8443-2,5,main]

ABORT return.... false


amJAAS:06/24/2011 02:35:46:834 PM CDT: Thread[http-8443-2,5,main]
abort ignored
amAuth:06/24/2011 02:35:46:834 PM CDT: Thread[http-8443-2,5,main]
LOGINFAILED Error....
amAuth:06/24/2011 02:35:46:834 PM CDT: Thread[http-8443-2,5,main]
Exception :
com.sun.identity.authentication.spi.AuthLoginException(1):null
com.sun.identity.authentication.spi.AuthLoginException(2):Invalid Kerberos token.
com.sun.identity.authentication.spi.AuthLoginException: Invalid Kerberos token.
at
com.sun.identity.authentication.modules.windowsdesktopsso.WindowsDesktopSSO.process(WindowsDesktopSSO.java:146)
at com.sun.identity.authentication.spi.AMLoginModule.wrapProcess(AMLoginModule.java:866)

12.10.8 Clock skew too great for Kerberos authentication


The time difference between the BMC Atrium Single Sign-On server and the Key Distribution Center (KDC) (or
Active Directory domain controller) is too great. The difference must be no greater than 5 minutes, which is the
default Kerberos clock skew tolerance. Use a time server (NTP) to synchronize the computers, or adjust the time
manually so that the clocks are closer in sync.

Error: javax.security.auth.login.LoginException(3):Clock skew too great (37)
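Sections 12.10.1 through 12.10.8 each pair one log message with a cause. The following added example (not code from the BMC documentation or product) turns that pairing into a small triage script: it walks debug.out-style lines, picks out the JAAS and GSS-API exception text, and maps the Kerberos error codes (6, 24, 37, 44) and the text-only failures quoted above to the remedy each section gives. SAMPLE_LOG is constructed from the log excerpts on this page; the remedies are this example's summaries of the sections, not product output.

```python
"""Triage Kerberos (WindowsDesktopSSO) failures from BMC Atrium Single Sign-On debug logs.

Added example; not code from the BMC documentation or product. It maps the Kerberos
error codes and messages quoted in sections 12.10.1 to 12.10.8 to the cause and remedy
each section gives.
"""
import re

# Kerberos error codes (RFC 4120 KRB-ERROR codes, as Java's Krb5LoginModule prints them)
CAUSES = {
    6:  ("Client not found in Kerberos database",
         "Service principal in the keytab does not match the KDC/AD entry (case-sensitive); regenerate the keytab"),
    24: ("Pre-authentication information was invalid",
         "Password in the keytab is wrong or has changed; regenerate the keytab"),
    37: ("Clock skew too great",
         "Synchronize the server clock with the KDC (NTP); the default tolerance is 5 minutes"),
    44: ("Specified version of key is not available",
         "KVNO in the keytab differs from the ticket; regenerate the keytab with ktpass /kvno 0"),
}

# Failures the logs report as text only, without a numeric Kerberos code
TEXT_CAUSES = [
    ("Unable to obtain password from user",
     "User name does not match the keytab entry; use the full principal name"),
    ("Receive timed out",
     "KDC/server host name is wrong or the KDC is unreachable over the network"),
    ("Authentication token is NTLM",
     "Browser fell back to NTLM; check the SPN and that the client can get a service ticket"),
    ("Invalid Kerberos token",
     "Browser not configured for Kerberos, realm mismatch, or non-standard port (see KB 908209)"),
]

# e.g. "amAuthWindowsDesktopSSO:06/24/2011 12:40:11:670 PM CDT: Thread[http-8443-2,5,main]"
LINE_HEADER_RE = re.compile(
    r"^(?P<module>am\w+):(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}:\d{3} [AP]M \w+): "
    r"Thread\[(?P<thread>[^\]]+)\]"
)
# Trailing "(6)" or "(44))" at the end of an exception message
TRAILING_CODE_RE = re.compile(r"\((\d+)\)\)*\s*$")


def triage(log_text):
    """Return one (thread, code, matched_text, remedy) tuple per diagnostic line found."""
    findings = []
    thread = None
    for line in log_text.splitlines():
        header = LINE_HEADER_RE.match(line)
        if header:
            thread = header.group("thread")   # the message itself follows on the next line(s)
            continue
        code_match = TRAILING_CODE_RE.search(line)
        if code_match and int(code_match.group(1)) in CAUSES:
            code = int(code_match.group(1))
            findings.append((thread, code, CAUSES[code][0], CAUSES[code][1]))
            continue
        for needle, remedy in TEXT_CAUSES:
            if needle in line:
                findings.append((thread, None, needle, remedy))
                break
    return findings


def summarize(findings):
    """Count findings by remedy so the most frequent root cause is listed first."""
    counts = {}
    for _thread, _code, _text, remedy in findings:
        counts[remedy] = counts.get(remedy, 0) + 1
    return sorted(counts.items(), key=lambda item: item[1], reverse=True)


# Constructed from the log excerpts on this page (one failure of each kind)
SAMPLE_LOG = """\
amAuthWindowsDesktopSSO:06/24/2011 12:40:11:670 PM CDT: Thread[http-8443-2,5,main]
ERROR: Service Login Error:
amAuthWindowsDesktopSSO:06/24/2011 12:40:11:670 PM CDT: Thread[http-8443-2,5,main]
Stack trace:
javax.security.auth.login.LoginException: Unable to obtain password from user
amAuthWindowsDesktopSSO:06/28/2011 04:24:33:870 PM CDT: Thread[http-8443-1,5,main]
Stack trace:
javax.security.auth.login.LoginException: Client not found in Kerberos database (6)
amJAAS:10/18/2011 09:35:00:435 AM PDT: Thread[http-8443-1,5,main]
Exception: com.sun.identity.authentication.spi.AuthLoginException: Failed to authentication.
Failure unspecified at GSS-API level (Mechanism level: Specified version of key is not available (44))
amAuthWindowsDesktopSSO:06/28/2011 06:46:14:877 PM CDT: Thread[http-8443-1,5,main]
WARNING: Authentication token is NTLM.
amAuth:06/24/2011 02:35:46:834 PM CDT: Thread[http-8443-2,5,main]
Exception :
com.sun.identity.authentication.spi.AuthLoginException(2):Invalid Kerberos token.
javax.security.auth.login.LoginException(3):Clock skew too great (37)
"""

if __name__ == "__main__":
    for thread, code, text, remedy in triage(SAMPLE_LOG):
        print(f"[{thread}] code={code} {text!r}: {remedy}")
```

Point it at the real debug.out after reproducing the failure with the test URL; because several of these messages come from the same thread, grouping by thread name is the quickest way to see which user's login produced which error.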

12.10.9 Chained authentication failure in Microsoft Internet Explorer


When Kerberos is chained with LDAP or AR authentication and you enter your credentials on the login page in an
Internet Explorer (IE) browser, the authentication fails. You can confirm the issue by removing the Kerberos module
from the authentication chain: authentication then works correctly. The cause is an optimization that Microsoft
added to IE, which causes IE not to send the user-entered credentials to the BMC Atrium Single Sign-On server.

Tip
The problem can be avoided by using Mozilla Firefox or other compatible browsers.

Resolution
By disabling this optimization, the credentials are sent and the user is successfully authenticated.

Steps to follow from the KB article

To resolve this issue from the client side, use Registry Editor (Regedt32.exe) to add a value under the following
registry key (this is a per-user key, so it must be set for each Windows user account that logs on through IE):
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings

Add the following registry value:
Value Name: DisableNTLMPreAuth
Data Type: REG_DWORD
Value: 1
For more information about disabling the optimization feature, refer to the Microsoft knowledge base (KB) article
"Restricting data to be posted to specific website".

Note
The KB article also mentions disabling Kerberos or Integrated Windows Authentication; ignore that part, because it
does not apply to this problem.

12.11 Troubleshooting an external LDAP user store


This topic provides information to help you correct issues that might arise when configuring BMC Atrium Single
Sign-On to use an external LDAP user store.

12.11.1 No users in User tab


If there are no users in the User tab:
1. On the BMC Atrium SSO Admin Console, click Edit BMC Realm.
2. In the User Stores panel, select the LDAP user store, and click Edit.
3. Select the Search tab.
4. Verify that the Users Search Filter field value is correct for the LDAP server.
Specifically, the default filter must contain a class which is part of the LDAP structure.
5. If values were specified for the People Container Container Attribute and Attribute Value, remove those
values (leave those fields blank).

12.11.2 No groups in Group tab


If there are no groups in the Group tab:
1. On the BMC Atrium SSO Admin Console, click Edit BMC Realm.
2. In the User Stores panel, select the LDAP user store, and click Edit.
3. Select the Search tab.
4. Verify that the Groups Search Filter field value is correct (the class selected is used in LDAP server).
5. Verify that the Groups Container Container Attribute and Attribute Value information are both correct.
Alternatively, try blank values (no characters).

12.12 Troubleshooting SAMLv2


This section includes the following issues:

IdP metadata issues


SAMLv2 keystore issues (see page 341)
Metadata issues (see page 342)
Certificate issues

12.12.1 IdP metadata issues


When the BMC Atrium Single Sign-On server is used as an Identity Provider (IdP), it must be able to provide its
metadata to the Service Providers (SPs) that are part of the Circle of Trust. Verify the IdP configuration by
opening the following URL in a browser:
https://sample.bmc.com:8443/atriumsso/saml2/jsp/exportmetadata.jsp
If the server is correctly configured, it returns an XML document containing the IdP metadata.

libCOT:03/03/2011 02:55:51:194 PM CST: Thread[http-18443-6,5,main]
ERROR: COTManager.createCircleOfTrust:
com.sun.identity.plugin.configuration.ConfigurationException: Unable to create configuration of component
"LIBCOT" for realm "/BmcRealm".

This error usually indicates that the certificates from the IdP have not been imported into the truststore of the
BMC Atrium Single Sign-On server that is hosting the SP.

12.12.2 SAMLv2 keystore issues


If the SAMLv2 keystore is not correctly configured, an error is displayed at the top of the page when you attempt
to create a new IdP or SP. Check the Federation log file in the following location:
<installationDirectory>/tomcat/webapps/atriumsso/WEB-INF/config/atriumsso/debug
The following error messages indicate that the keystore is of the wrong format. For SAMLv2, only keystores in JKS
format are supported; this keystore holds the certificates and private keys used for signing and encryption:

ERROR: mapPk2Cert.JKSKeyProvider:
java.io.IOException: Invalid keystore format
ERROR: mapPk2Cert.JKSKeyProvider:
java.lang.NullPointerException

ERROR: mapPk2Cert.JKSKeyProvider:
java.io.IOException: Keystore was tampered with, or password was incorrect

Of these, "Keystore was tampered with, or password was incorrect" is what Java reports for a correctly formatted
JKS file whose store password is wrong, so check the password files described next as well.
The following messages indicate that the keystore file, or the files containing the passwords for the store or the
key, is missing or does not contain the correct values (the password values must be encoded before being stored in
the files):

libSAML:03/02/2011 12:42:23:418 PM CST: Thread[main,5,main]
ERROR: JKSKeyProvider: keystore file does not exist
libSAML:03/02/2011 12:42:23:418 PM CST: Thread[main,5,main]
ERROR: JKSKeyProvider: keystore password is null

The following message (displayed in the browser) indicates that the keystore file is incorrectly defined or missing:

HTTP Status 400 - Error processing AuthnRequest. Error retrieving meta data.

12.12.3 Metadata issues


An error occurs when the BMC Atrium Single Sign-On server cannot find the Identity Provider (IdP), or the request
sent by the client was syntactically incorrect.
In the status report, the following message is displayed:
Error processing AuthnRequest. Error retrieving meta data
At login, the browser displays the following message:
HTTP Status 500 -

To resolve metadata issues

1. Verify that the IdP is spelled correctly in the agent login URL.
2. Verify that the IdP is defined in the BMC Atrium Single Sign-On server.

12.12.4 Certificate issues


In an exception report, the following message displays:

The server encountered an internal error () that prevented it from fulfilling this request.

This problem is usually caused by the HTTPS certificate or the root CA-signed certificate from the IdP or SP
server. The certificate might not be stored in the BMC Atrium Single Sign-On server's truststore.

To resolve certificate issues


1. Import the appropriate certificate into the truststore:
<installationDirectory>/tomcat/conf/cacerts.p12
2. Restart the BMC Atrium Single Sign-On server.
The following message indicates the exception:

javax.servlet.ServletException: AMSetupFilter.doFilter
com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:118)

The following message indicates the root cause:

com.sun.identity.saml2.common.SAML2Exception: java.security.PrivilegedActionException:
com.sun.xml.messaging.saaj.SOAPExceptionImpl: Message send failed
com.sun.identity.saml2.profile.SPACSUtils.getResponseFromArtifact(SPACSUtils.java:382)
com.sun.identity.saml2.profile.SPACSUtils.getResponseFromGet(SPACSUtils.java:247)
com.sun.identity.saml2.profile.SPACSUtils.getResponse(SPACSUtils.java:161)
org.apache.jsp.saml2.jsp.spAssertionConsumer_jsp._jspService(spAssertionConsumer_jsp.java:180)
org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:374)
org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:342)
org.apache.jasper.servlet.JspServlet.service(JspServlet.java:267)
javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:91)

12.13 Troubleshooting redirect URLs


Multiple redirect URLs can occur when a load balancer or reverse proxy is implemented.
Modifying the load balancer (or reverse proxy) for redirect URLs (see page 343)
Using load balancer (or reverse proxy) host names for redirect URLs (see page 344)
Cookie name change for a HA node (see page 344)

12.13.1 Modifying the load balancer (or reverse proxy) for redirect URLs
If a BMC product is deployed behind a load balancer (or a reverse proxy), then the load balancer (or reverse proxy)
must specify a BMC Atrium Single Sign-On redirect URL for the product agent. This modification is valid for both
High Availability (HA) and non-HA environments.

Specify an HTTP header named AtssoReturnLocation, with a value of the following form:
<protocol>://<fqdn.load.balancer>:<port>

Note
To ensure browser compatibility, the load balancer host name must not contain underscore characters.

12.13.2 Using load balancer (or reverse proxy) host names for redirect URLs
If BMC Atrium Single Sign-On is deployed behind a load balancer (or reverse proxy), the product agent logon and
logoff configuration can be modified to use the load balancer (or reverse proxy) host names instead of the real
FQDN host names. In this case, the client browser is forwarded to the load balancer (or reverse proxy) host name
of the BMC Atrium Single Sign-On server. This modification is valid for both HA and non-HA environments.
Log on to the BMC Atrium Single Sign-On Administrator console and edit the product agent's configuration. Use
the following templates for the new logon and logoff URLs, respectively:
URL formats
Login

<protocol>://<fqdn.load.balancer>:<port>/atriumsso/UI/Login?realm=<Realm>

Logout

<protocol>://<fqdn.load.balancer>:<port>/atriumsso/UI/Logout?realm=<Realm>
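The rules in the two sections above (protocol, fully qualified load balancer host, port, nothing after the port, no underscore in the host name) are easy to get wrong on a load balancer rule. The following added example, not code from the BMC documentation or product, checks a proposed AtssoReturnLocation value against them and derives the agent login and logout URLs in the template form shown; the host names and realm used in the test are made-up sample values.

```python
"""Check an AtssoReturnLocation value and derive the agent login/logout URLs from it.

Added example; not code from the BMC documentation or product. Host names and realm
used with it are sample values.
"""
from urllib.parse import urlsplit, quote


def validate_return_location(value: str):
    """Return a list of problems with the proposed header value; an empty list means it is acceptable."""
    problems = []
    parts = urlsplit(value.strip())
    if parts.scheme not in ("http", "https"):
        problems.append(f"protocol must be http or https, got {parts.scheme!r}")
    host = parts.hostname or ""
    if not host:
        problems.append("host name is missing")
    elif "_" in host:
        problems.append("host name contains '_', which some browsers reject when setting cookies")
    elif "." not in host:
        problems.append("host name must be fully qualified (FQDN)")
    try:
        if parts.port is None:
            problems.append("port is missing")
    except ValueError:
        problems.append("port is not a valid number")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        problems.append("value must be exactly <protocol>://<fqdn>:<port>, with no path, query or fragment")
    return problems


def agent_urls(return_location: str, realm: str):
    """Build the agent's logon and logoff URLs from a validated AtssoReturnLocation value."""
    problems = validate_return_location(return_location)
    if problems:
        raise ValueError("; ".join(problems))
    base = return_location.strip().rstrip("/")
    return {
        "login": f"{base}/atriumsso/UI/Login?realm={quote(realm)}",
        "logout": f"{base}/atriumsso/UI/Logout?realm={quote(realm)}",
    }


if __name__ == "__main__":
    for candidate in ("https://sso-lb.example.com:8443", "https://sso_lb.example.com:8443"):
        print(candidate, validate_return_location(candidate) or "OK")
    print(agent_urls("https://sso-lb.example.com:8443", "BmcRealm"))
```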

12.13.3 Cookie name change for a HA node


In a BMC Atrium Single Sign-On HA environment, if the cookie name is changed for a particular BMC Atrium Single
Sign-On node, restart the BMC Atrium Single Sign-On server on that node.

Note
In some cases, restarting the BMC Atrium Single Sign-On server, purging the browser cache, and clearing cookies do
not resolve a multiple-redirects error. In that case, reboot the operating system.

12.14 Session sharing in HA mode issue


In BMC Atrium Single Sign-On High Availability (HA) mode, session sharing can fail in some network environments
when the default discovery protocol (multicast) is used by Apache ActiveMQ. ActiveMQ is a third-party component
that BMC Atrium Single Sign-On uses to inform all nodes in the cluster about session creation and termination
events. If session sharing fails, change the configuration to the point-to-point (static) transport described below.

12.14.1 To configure point-to-point sessions sharing


Perform the following on each node in the HA cluster.
1. Navigate to the <AtriumSSOinstallationDirectory>/tomcat/webapps/atriumsso/WEB-INF/classes/ directory.
2. Edit the activemq.xml file.
3. Replace the following tag:
<transportConnector uri="ssl://localhost:0?transport.needClientAuth=true&amp;daemon=true"
discoveryUri="multicast://default?daemon=true&amp;group=atsso" />
with:
<transportConnector uri="ssl://<hostname>:<port>?transport.needClientAuth=true&amp;daemon=true" />
where:
hostname is the host name of the current node.
port is the port that this node will use for session sharing.
4. Replace the following tag:
<networkConnector uri="multicast://default?daemon=true&amp;group=atsso" />
with:
<networkConnector uri="static:(ssl://<hostname>:<port>?daemon=true[,ssl://<hostname>:<port>?daemon=true,...])" />
where:
hostname is the host name of another node in the HA cluster.
port is the port that the other node uses for session sharing.

Note
Each <hostname>:<port> pair is the one specified in the <transportConnector /> tag on that other node. List every
other node in the cluster, so that each node's static list omits only itself.

5. Save the file.

Note

Shut down all the nodes in the cluster after configuring point-to-point session sharing.
Do not start all the nodes at the same time. Start the nodes one by one, beginning with the first node, starting
each node only after the previous node has fully started.
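Because every node needs its own transportConnector and a networkConnector listing all the other nodes, hand-editing activemq.xml on each node is where the usual mistakes happen (a node left in its own peer list, a peer missing, localhost kept as the bind address). The following added example, not BMC tooling, generates both tags for each node from a single node list and applies the two replacements from steps 3 and 4 to the contents of activemq.xml. The host names and port in NODES are made-up, and SAMPLE_ACTIVEMQ_XML is a constructed skeleton that contains only the two multicast tags, not the full file shipped with the product.

```python
"""Generate the point-to-point ActiveMQ connector tags for every node of an HA cluster.

Added example; not BMC tooling. NODES holds made-up host names, and SAMPLE_ACTIVEMQ_XML
is a constructed skeleton containing only the two multicast tags the procedure replaces.
"""
import re

NODES = [("sso1.example.com", 61617), ("sso2.example.com", 61617), ("sso3.example.com", 61617)]

MULTICAST_TRANSPORT_RE = re.compile(r'<transportConnector\b[^>]*discoveryUri="multicast://[^"]*"[^>]*/>')
MULTICAST_NETWORK_RE = re.compile(r'<networkConnector\b[^>]*uri="multicast://[^"]*"[^>]*/>')


def check_cluster(nodes):
    """Refuse obviously wrong node lists before generating anything."""
    if len(nodes) < 2:
        raise ValueError("point-to-point session sharing needs at least two nodes")
    if len(set(nodes)) != len(nodes):
        raise ValueError("duplicate host:port pair in node list")
    for host, _port in nodes:
        if host in ("localhost", "127.0.0.1"):
            raise ValueError("use the node's real host name, not localhost")


def transport_connector(host, port):
    """Listener for this node; '&' is written as &amp; because it sits inside an XML attribute."""
    return (f'<transportConnector uri="ssl://{host}:{port}'
            '?transport.needClientAuth=true&amp;daemon=true" />')


def network_connector(host, port, nodes):
    """Static peer list for this node: every node in the cluster except itself."""
    peers = [f"ssl://{h}:{p}?daemon=true" for h, p in nodes if (h, p) != (host, port)]
    joined = ",".join(peers)
    return f'<networkConnector uri="static:({joined})" />'


def render_all(nodes):
    """Map each host to the (transportConnector, networkConnector) pair for its activemq.xml."""
    check_cluster(nodes)
    return {host: (transport_connector(host, port), network_connector(host, port, nodes))
            for host, port in nodes}


def rewrite_activemq_xml(xml_text, host, port, nodes):
    """Replace the two multicast tags in one node's activemq.xml with the static equivalents."""
    check_cluster(nodes)
    text, n_transport = MULTICAST_TRANSPORT_RE.subn(transport_connector(host, port), xml_text)
    text, n_network = MULTICAST_NETWORK_RE.subn(network_connector(host, port, nodes), text)
    if n_transport != 1 or n_network != 1:
        raise ValueError("expected one multicast transportConnector and one networkConnector, "
                         f"found {n_transport} and {n_network}")
    return text


SAMPLE_ACTIVEMQ_XML = """<broker xmlns="http://activemq.apache.org/schema/core" brokerName="atsso">
  <transportConnectors>
    <transportConnector uri="ssl://localhost:0?transport.needClientAuth=true&amp;daemon=true"
        discoveryUri="multicast://default?daemon=true&amp;group=atsso" />
  </transportConnectors>
  <networkConnectors>
    <networkConnector uri="multicast://default?daemon=true&amp;group=atsso" />
  </networkConnectors>
</broker>
"""

if __name__ == "__main__":
    for node_host, (transport, network) in render_all(NODES).items():
        print(f"# {node_host}\n{transport}\n{network}\n")
```

Run it once with the real node list and paste each node's two tags into that node's file (or feed the file contents through rewrite_activemq_xml); the transport.needClientAuth=true setting is kept as the product ships it, so each node still needs a certificate the other nodes trust.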

12.15 Troubleshooting installation or upgrade issues



12.16 Resolving installation issues on LINUX operating system


You might face the following issues when installing BMC Atrium Single Sign-On on Red Hat Enterprise Linux
computers.
The following topics are provided:
Installation failure due to missing libraries (see page 346)
Installation failure due to low level of entropy (see page 346)

12.16.1 Installation failure due to missing libraries


If you are installing BMC Atrium Single Sign-On on Red Hat Enterprise Linux (RHEL) 6.x and the installer aborts
suddenly, install the following 32-bit RPM packages, which provide the 32-bit JRE support and the X11 libraries
that the installer's user interface needs:
glibc.i686
libXtst.i686

12.16.2 Installation failure due to low level of entropy


Entropy is the randomness that an operating system collects for use by cryptography and other operations that
require random data. This randomness is gathered from hardware sources, either existing ones such as disk and
interrupt timings or mouse movements, or a dedicated random number generator. When the entropy available to an
application drops below a certain level, a Linux system running the BMC Atrium Single Sign-On (SSO) installer can
experience the following problem.
During installation, BMC Atrium SSO logs the entropy level for maintenance purposes. For a successful installation,
the entropy level should be substantially higher than 150. If an installation or silent installation aborts
suddenly, finishes very quickly, or takes a long time to complete, you might be facing a low-entropy problem. When
the entropy level on the computer running the BMC Atrium SSO installer is less than 150, the installation fails
with the following error message:
There is potential problem with performance on this computer. The level of entropy is
150 and the random data generation time is 6 milliseconds. You may run the following
command as root user: 'rngd -b -r /dev/urandom -o /dev/random' or prefer to restart the
computer.

Info
You can check the current entropy level on a Linux computer with the following command:
cat /proc/sys/kernel/random/entropy_avail

Workaround
To restore the entropy level and install BMC Atrium SSO, use one of the following options:
Run the following commands as the root user. This option is preferred because it also maintains the entropy level
after installation. If your server has a low entropy level, configure it to start the rngd service at boot, as the
chkconfig command below does.
yum install rng-tools
echo 'EXTRAOPTIONS="-i -o /dev/random -r /dev/urandom -t 10 -W 2048"' >> /etc/sysconfig/rngd
chkconfig rngd on
service rngd restart
Note that feeding /dev/urandom back into /dev/random, as these options do, only satisfies the kernel's entropy
accounting so that reads from /dev/random stop blocking; it does not add real entropy. If the computer has a
hardware random number generator (for example /dev/hwrng), point the -r option at that device instead.

Restart the computer. This option is not recommended because it increases the entropy level only temporarily.
It can be used to determine whether low entropy is the only cause of the installation failure.

13 Known and corrected issues


The following issues pertain to this release of BMC Atrium Single Sign-On and its service packs and patches.
They are divided as follows:
Installation and upgrade issues
Other issues

An issue with no version number in the Corrected in column remains open.
Version numbers are given in the format MajorRelease.MinorRelease.ServicePack.Patch. For example, 8.2.04.01 is
patch 1 for service pack 4 of minor release 8.2.

13.1 Installation and upgrade issues


Known and corrected issues related to installation or upgrade. Each entry gives the defect ID, the description, the
affected versions, and the version in which the defect was corrected. Where this export preserved only one version
number for an entry without its column heading, it is shown as "Version listed".

SW00452251
If you try to install BMC Atrium Single Sign-On version 8.1 on a volume where 8dot3 short file names are disabled,
the installation fails.
Affected versions: 8.1.00.03
Workaround: Enable 8dot3 names on the volume on which BMC Atrium Single Sign-On is installed. To enable 8dot3
naming:
1. Run the following command in a command window with elevated privileges:
fsutil behavior set disable8dot3 0
2. Re-create the installation folders to force the generation of 8dot3 names.

SW00452338
The BMC Atrium Single Sign-On upgrade fails when the default password has been changed in server.xml and the
certificate stores do not point to the default locations.
Version listed: 8.1.00.03

SW00443582
When you install BMC Atrium Single Sign-On with amadmin as the login and a password that includes special
characters, authentication fails.
Version listed: 8.1.00.03

SW00425820
The BMC Atrium Single Sign-On installer always shows the keystore alias as "tomcat" when installing on an external
Tomcat server. This is a problem if the external Tomcat server you configured for BMC Atrium Single Sign-On uses
a keystore alias other than "tomcat".
Affected versions: 8.0.00, 8.1.00
Workaround: Manually change the keystore alias in the BMC Atrium Single Sign-On installer screen to the alias you
set when configuring your Tomcat server.

SW00447285
If you installed Tomcat 7 with the .exe installer, the SSO integration utility cannot stop and restart Tomcat.
Affected versions: 8.1.00
Workaround: Perform one of the following:
Manually stop Tomcat before you run the utility. You can ignore the exception at the end of execution: Error while
starting Tomcat
Manually perform the integration.

SW00448578
The BMC Atrium Single Sign-On 8.1 documentation does not mention that before installing BMC Atrium Single
Sign-On 8.1.00 or later on Red Hat Enterprise Linux 6.x, you must install the following 32-bit RPM packages:
glibc.i686
libXtst.i686
This information is now documented in the "System requirements" section on the Prerequisites for installation
(see page 42) page.
Affected versions: 8.1.00
Corrected in: 8.1.00.02

SW00450616
When you upgrade the following versions of BMC Atrium Single Sign-On, user assignments to custom groups are
not retained:
Version 8.1.00 to 8.1.00.01 or later
Version 8.1.00 or 8.1.00.01 to 8.1.00.02 or later
Affected versions: 8.1.00.01, 8.1.00.02, 8.1.00.03
Workaround: Reassign users to the appropriate groups after the upgrade.

SW00448219
When you upgrade BMC Atrium Single Sign-On from version 8.1.00 to version 8.1.00.02 or later, and BMC Atrium
Single Sign-On is deployed in HA mode on Red Hat Enterprise Linux Server release 6.2, the upgrade fails.
Version listed: 8.1.00.02

SW00446188
If you are installing BMC Atrium Single Sign-On on a Japanese or Chinese locale, the installer fails.
Version listed: 8.1.00.02

SW00443648
While logging on to the BMC Atrium Single Sign-On Administration page, in certain scenarios the OpenAM page is
displayed instead.
Version listed: 8.1.00.02

SW00447605
During a fresh installation of BMC Atrium Single Sign-On, a non-critical error message is displayed; it can be
ignored.
Version listed: 8.1.00.02

SW00449708
During a fresh installation of BMC Atrium Single Sign-On, if there is a space in the name of the installation
folder, the installation fails.
Version listed: 8.1.00.02

SW00447623, SW00449894
Version 8.1.00.02 corrected defects related to BMC Atrium Single Sign-On in HA mode. These fixes include session
failover, replication of the configuration, and so on.
Versions listed: 8.1.00.02, 8.1.00.03

SW00449987, SW00450188, SW00450242, SW00450296, SW00450318, SW00451056, SW00451254, SW00451490, SW00455079
The signing and encryption certificates in the SAMLv2 keystore are lost during the upgrade of BMC Atrium Single
Sign-On version 8.0.00 to version 8.1.00.
Version listed: 8.1.00.03
Workaround: Manually preserve the SAMLv2 keystore before the upgrade and restore it after the upgrade is done.
To preserve the SAMLv2 keystore manually:
1. Create a backup of the SAMLv2 keystore outside the installation directory before performing the upgrade.
Note: In BMC Atrium Single Sign-On server version 8.0 the keystore is stored in a file named keystore.jks, located
at <install>/tomcat/webapps/atriumsso/WEB-INF/config/atriumsso
2. After the upgrade, rename the backed-up keystore.jks to cot.jks.
3. Replace the newly installed cot.jks in the <install>/tomcat directory with the renamed file.
4. If the keystore passwords were changed from the default value, also copy the .keypass and .storepass files to
the <install>/tomcat directory.
5. Restart the BMC Atrium Single Sign-On server.
6. Open the Admin Console and edit the Local Service Provider editor to verify that the proper certificate alias
has been created.

SW00455119
The user account federations are lost after you upgrade to BMC Atrium Single Sign-On version 8.1.00.03.
Affected versions: 8.1.00.03
Workaround: Re-federate your account the first time you log on to BMC Atrium Single Sign-On server version
8.1.00.03.

13.2 Other issues


Known and corrected issues for areas other than installation and upgrade. Each entry gives the defect ID, the
description, the affected versions, and the version in which the defect was corrected. Where this export preserved
only one version number for an entry without its column heading, it is shown as "Version listed".

SW00440868
During a logout operation, when one user logged out, BMC Atrium Single Sign-On logged out all users.
Version listed: 8.1.00.03

SW00451947
When you create a new local Service Provider (SP), only the PasswordProtectedTransport check box is enabled in
the Default Authentication Context list on the Local Service Provider (SP) Editor.
Version listed: 8.1.00.03

SW00451946
The User Editor does not show the groups from an external LDAP user store for a user from that same external
LDAP user store.
Version listed: 8.1.00.03

SW00447267
The agent certificate generated for BMC Atrium Single Sign-On is valid for only 2 to 3 months, which causes
issues in some environments.
Version listed: 8.1.00.03

SW00450560
The BMC Atrium Single Sign-On agent requires some changes to support network load balancers.
Version listed: 8.1.00.03

SW00451673
When two or more authentication chains are configured in BMC Atrium Single Sign-On, login is not successful
without displaying the second login page.
Version listed: 8.1.00.03

SW00451952
BMC Atrium Single Sign-On does not provide the ability to select the Default Authentication Context in the SAML
Local Service Provider (SP) editor.
Version listed: 8.1.00.03

SW00453492
In the Administrator Console of BMC Atrium Single Sign-On, the Name ID option that allows the selection of name
ID formats and the ordering of those selections is missing from the Local Service Provider (SP) editor window.
Version listed: 8.1.00.03

SW00452001
The values for member attributes between users and groups in an external LDAP user store are stored incorrectly
in the BMC Atrium Single Sign-On server.
(No version number for this entry survived in this export.)

SW00447654
Multi-threading issues occur while retrieving certificates from the BMC Atrium Single Sign-On server.
Affected versions: 8.1.00
Corrected in: 8.1.00.01

SW00448326
Users and groups cannot be created with names that are a subset of existing user or group names.
Affected versions: 8.1.00
Corrected in: 8.1.00.01

SW00448607
BMC Atrium Single Sign-On users cannot authenticate with BMC Atrium Orchestrator when it is integrated with
BMC Atrium Single Sign-On.
Affected versions: 8.1.00
Corrected in: 8.1.00.01

SW00448553
In a BMC Atrium Single Sign-On High Availability (HA) configuration, the replication of configuration modules does
not work correctly.
Affected versions: 8.1.00
Corrected in: 8.1.00.02

SW00450113
If you added the AR authentication module in the second place in the authentication chain for a realm whose user
profile was set to Dynamic, users cannot successfully log on to that realm.
Affected versions: 8.1.00
Corrected in: 8.1.00.02

SW00450144
In a BMC Atrium Single Sign-On High Availability (HA) configuration, when you restart an HA node and then add a
new module on another HA node that is not restarted, "unknown" authentication modules are displayed in the
authentication chain for the HA node that you restarted.
Versions listed: 8.1.00, 8.1.00.02, 8.1.00.03 (the version cells for this entry and the next were interleaved in
this export and cannot be assigned to a column reliably)
SW00450660

In a BMC Atrium Single Sign-on High Availability (HA) configuration, when you try to log on to an
application that has been integrated with BMC Atrium Single Sign-On, the following error message might
be displayed:
User has no profile in this realm. Contact administrator
Workaround:
If you could previously log on to the application successfully, restarting the BMC Atrium SSO service and
logging on to the application again resolves the issue.

SW00450313

In a BMC Atrium Single Sign-On High Availability (HA) configuration, when you log on to the Admin
Console of two different nodes using the same browser, log out from one of the Admin Consoles, and
refresh the page of the other Admin Console, you are logged on to both the Admin Consoles again without
entering credentials.

8.1.00.01
8.1.00.02

14 Support information
This topic contains information about how to contact Customer Support and the support status for this and other
releases.

14.1 Contacting Customer Support


If you have problems with or questions about a BMC product, or for the latest support policies, see the Customer
Support website at http://www.bmc.com/support. You can access product documents, search the Knowledge
Base for help with an issue, and download products and maintenance. If you do not have access to the web and
you are in the United States or Canada, contact Customer Support at 800 537 1813. Outside the United States or
Canada, contact your local BMC office or agent.

14.2 Support status


Based on the support policy adopted September 1, 2011, for releases from that date forward, BMC provides
technical support for a product based on time rather than number of releases. The previous release-based policy
applies to releases before September 1, 2011. The support status for BMC Atrium Single Sign-On is the same as
the support status for BMC Atrium CMDB Suite. To view the support status for this release, see the BMC Atrium
CMDB Suite Support page.


15 PDFs
Ready-made PDFs

Snapshot | Date | File size
BMC Atrium Single Sign-On Version 8.1.00.01 | 03-21-2013 | 3.90 MB


16 Tracking tools
Comments dashboard (see page 353)
No Labels report (see page 363)
Technical Bulletin SW00448553 (see page 369)
Enabling multiple realms (see page 372)
Configuring multi-tenancy support
Overview steps to install and configure HA Load-Balancing environment with SSO (see page 378)
Number of pages in space (see page 383)
Installing and managing certificates in BMC Atrium SSO (see page 383)
Installing certificates after integration with other BMC products (see page 383)

16.1 Comments dashboard


2013

Integrating

Ruth Harris

Error: com.atlassian.confluence.pages.Comment cannot be


cast to com.atlassian.confluence.pages.AbstractPage

Thu Sep 05
07:41:32 CDT
2013

Integrating

Abhay
Chokshi

Error: com.atlassian.confluence.pages.Comment cannot be


cast to com.atlassian.confluence.pages.AbstractPage

Wed Mar 20
16:17:09 CDT
2013

Checking the truststore for certificates

Dixie Pine

Error: com.atlassian.confluence.pages.Comment cannot be


cast to com.atlassian.confluence.pages.AbstractPage

Mon Feb 04
13:37:00 CST
2013

Running the SSOMidtierIntegration utility on the


Mid Tier (see page 92)

John
Stamps

(see page )Error:


com.atlassian.confluence.pages.Comment cannot be cast to
com.atlassian.confluence.pages.AbstractPage

BMC Atrium Single Sign-On 8.1

Page 362 of 389

BMC Software Confidential

Home

Date and time

Page

Author

Comment

Wed Jul 03

Adding and removing a CA certificate (see page

Melanie

(see page )Error:

12:03:23 CDT
2013

248)

Boston

com.atlassian.confluence.pages.Comment cannot be cast to


com.atlassian.confluence.pages.AbstractPage

Thu Jul 04
04:05:55 CDT

Adding and removing a CA certificate (see page


248)

Prachi
Kalyani

(see page )Error:


com.atlassian.confluence.pages.Comment cannot be cast to

2013

com.atlassian.confluence.pages.AbstractPage

Tue Oct 22

Troubleshooting Kerberos authentication (see

Abhay

(see page )Error:

03:19:49 CDT
2013

page 333)

Chokshi

com.atlassian.confluence.pages.Comment cannot be cast to


com.atlassian.confluence.pages.AbstractPage

Mon Jan 13
14:39:28 CST

Reconfiguring your browser (see page 138)

Anil Premlall

(see page )Error:


com.atlassian.confluence.pages.Comment cannot be cast to

2014
Tue Jan 14

com.atlassian.confluence.pages.AbstractPage
Reconfiguring your browser (see page 138)

14:44:49 CST
2014

Abhay

(see page )Error:

Chokshi

com.atlassian.confluence.pages.Comment cannot be cast to


com.atlassian.confluence.pages.AbstractPage

Thu Jan 16
05:05:09 CST
2014

Enabling multiple realms (see page 372)

Abhay
Chokshi

(see page )Error:


com.atlassian.confluence.pages.Comment cannot be cast to
com.atlassian.confluence.pages.AbstractPage

Thu Jan 16
04:32:29 CST
2014

LDAP (Active Directory) Editor (see page 223)

Abhay
Chokshi

(see page )Error:


com.atlassian.confluence.pages.Comment cannot be cast to
com.atlassian.confluence.pages.AbstractPage

Thu Jan 16
08:13:16 CST
2014

LDAP (Active Directory) Editor (see page 223)

Abhay
Chokshi

(see page )Error:


com.atlassian.confluence.pages.Comment cannot be cast to
com.atlassian.confluence.pages.AbstractPage

Thu Jul 11
05:20:58 CDT
2013

Running the SSOARIntegration utility on the AR


System server (see page 88)

Koray Kusat

(see page )Error:


com.atlassian.confluence.pages.Comment cannot be cast to
com.atlassian.confluence.pages.AbstractPage

Thu Jul 18
08:18:33 CDT
2013

Running the SSOARIntegration utility on the AR


System server (see page 88)

Hemant
Baliwala

(see page )Error:


com.atlassian.confluence.pages.Comment cannot be cast to
com.atlassian.confluence.pages.AbstractPage

Sat Oct 26
19:31:41 CDT
2013

Running the SSOARIntegration utility on the AR


System server (see page 88)

Srivamsi
Patchipulusu

(see page )Error:


com.atlassian.confluence.pages.Comment cannot be cast to
com.atlassian.confluence.pages.AbstractPage

Mon Oct 28
10:56:32 CDT
2013

Running the SSOARIntegration utility on the AR


System server (see page 88)

Abhay
Chokshi

(see page )Error:


com.atlassian.confluence.pages.Comment cannot be cast to
com.atlassian.confluence.pages.AbstractPage

16.2 Pages without labels in this space

This table contains all pages in this space that do not have labels, sorted by branch.

Parent | Page Title | Last modified by
Manually configuring mid tier for BMC Atrium Single Sign-On user authentication (see page 176) | Container types, containers, and agents | John Stamps
Troubleshooting Kerberos authentication (see page 333) | Invalid service principal name for Kerberos authentication | Gary Beason
Troubleshooting Kerberos authentication (see page 333) | Invalid keytab index number for Kerberos authentication | Gary Beason
Troubleshooting Kerberos authentication (see page 333) | Invalid password for Kerberos authentication | Gary Beason
Federating user accounts in bulk (see page 157) | Federate command results output file | Ruth Harris
Troubleshooting Kerberos authentication (see page 333) | Browser sending NTLM instead of Kerberos (see page 336) | Prachi Kalyani
Troubleshooting Kerberos authentication (see page 333) | Invalid user name for Kerberos authentication | Gary Beason
Federating user accounts in bulk (see page 157) | Create command results output file | Ruth Harris
Federating user accounts in bulk (see page 157) | Create-federate command results output file | Ruth Harris
Realm Editor | AR Editor (see page 223) | Dixie Pine
Realm Editor | LDAPv3 (Active Directory) User Store Editor (see page 225) | Prachi Kalyani
Realm Editor | AR User Store Editor | John Stamps
Realm Editor | User Editor | Ruth Harris
Realm Editor | Group Editor | Ruth Harris
Realm Editor | Local Identity Provider (IdP) Editor | Ruth Harris
Navigating the interface | HA Nodes manager (see page 234) | Dixie Pine
Realm Editor | Remote Service Provider (SP) Editor (see page 232) | Dixie Pine
Realm Editor | SecurID Editor (see page 227) | Dixie Pine
Troubleshooting CAC authentication (see page 326) | Example of a list of certificates sent to the client | Confluence Admin
Managing nodes in a cluster (see page 273) | Stopping nodes in a cluster (see page 274) | Dixie Pine
Federating user accounts in bulk (see page 157) | Import command results output file | Ruth Harris
Federating user accounts in bulk (see page 157) | Error messages for bulk federation of user accounts | Ruth Harris
Troubleshooting (see page 279) | Troubleshooting redirect URLs (see page 343) | Abhay Chokshi
Federating user accounts in bulk (see page 157) | Create-import command results output file | Ruth Harris
Troubleshooting (see page 279) | Troubleshooting installation or upgrade issues (see page 346) | Abhay Chokshi
Troubleshooting (see page 279) | Session sharing in HA mode issue (see page 345) | Abhay Chokshi
Managing nodes in a cluster (see page 273) | Starting nodes in a cluster (see page 274) | Dixie Pine
Realm Editor | Remote Identity Provider (IdP) Editor | Ruth Harris
Upgrading | Preparing to upgrade BMC Analytics for BSM | Ruth Harris
Realm Editor | Local Service Provider (SP) Editor (see page 230) | Hemant Baliwala
Troubleshooting CAC authentication (see page 326) | Example of a client not responding with a certificate | Ruth Harris
Troubleshooting CAC authentication (see page 326) | Changing the clientAuth setting | Ruth Harris
Troubleshooting CAC authentication (see page 326) | Example of a client sending a certificate | Gary Beason
Troubleshooting CAC authentication (see page 326) | Turning on network debug logging (see page 328) | Ruth Harris
Troubleshooting SAMLv2 | IdP metadata issues | Ruth Harris
Installing BMC Atrium Single Sign-On on an external Tomcat server (see page 72) | Policy file additions for external Tomcat installations (see page 75) | Prachi Kalyani
Upgrading | Upgrading HA nodes | Ruth Harris
Realm Editor | Create Service Provider (see page 229) | Ruth Harris
Realm Editor | Create Identity Provider (see page 228) | Ruth Harris
Troubleshooting CAC authentication (see page 326) | Clock skew too great for CAC authentication (see page 331) | Dixie Pine
Planning (see page 29) | Checking the compatibility matrix for system requirements and supported configurations | Abhay Chokshi
Integrating | Integrating BMC Mobility for ITSM 8.1.00 (see page 212) | Abhay Chokshi
Federating user accounts in bulk (see page 157) | Identity files for user accounts (see page 160) | Ruth Harris
Realm Editor | CAC (certificate) Editor | Ruth Harris
Troubleshooting (see page 279) | Logon and logoff issues (see page 316) | Dixie Pine
Troubleshooting Kerberos authentication (see page 333) | Clock skew too great for Kerberos authentication | Ruth Harris
Integrating BMC Real End User Experience Monitoring (see page 212) | Preparing the Console component for the BMC Atrium SSO integration (see page 212) | Abhay Chokshi
Federating user accounts in bulk (see page 157) | bulkFederation command parameters (see page 161) | Dixie Pine
Installing BMC Atrium Single Sign-On with the AR System server and Mid Tier (see page 79) | Reviewing AR server external authentication settings and configuring group mapping (see page 91) |
Installing BMC Atrium Single Sign-On as a High Availability cluster (see page 55) | Installing additional nodes for an HA cluster on an external Tomcat server (see page 70) | Hemant Baliwala
Troubleshooting CAC authentication (see page 326) | Example of a debug log error when a certificate is not available | Ruth Harris
Troubleshooting SAMLv2 | Metadata issues (see page 342) | Dixie Pine
Troubleshooting (see page 279) | Troubleshooting SAMLv2 | Ruth Harris
Troubleshooting SAMLv2 | Certificate issues | Ruth Harris
Troubleshooting CAC authentication (see page 326) | Example of OCSP certificate failure | Ruth Harris
Installing BMC Atrium Single Sign-On as a High Availability cluster (see page 55) | Installing additional nodes for an HA cluster on a new Tomcat server (see page 63) | Hemant Baliwala
Troubleshooting CAC authentication (see page 326) | Example of URL certificate authentication not enabled | Dixie Pine
Installing BMC Atrium Single Sign-On on an external Tomcat server (see page 72) | Configuring an external Tomcat instance for FIPS-140 (see page 76) | Prachi Kalyani
Installing BMC Atrium Single Sign-On as a High Availability cluster (see page 55) | Installing the first node for an HA cluster on an external Tomcat server (see page 68) | Ruth Harris
Installing (see page 40) | Preparing for installation | Ruth Harris
Integrating BMC Atrium Single Sign-On with AR System Version 8.0.00 | Configuring external authentication for AR System integration (see page 170) | Dixie Pine
Troubleshooting Kerberos authentication (see page 333) | Browser not correctly configured for Kerberos authentication | Ruth Harris
Troubleshooting Kerberos authentication (see page 333) | Incorrect server name for Kerberos authentication | Gary Beason
Installing BMC Atrium Single Sign-On with the AR System server and Mid Tier (see page 79) | Installing BMC Atrium Single Sign-On | Ruth Harris
Troubleshooting (see page 279) | Resolving installation issues on LINUX operating system (see page 346) | Abhay Chokshi
Integrating | Integrating BMC Real End User Experience Monitoring (see page 212) | Abhay Chokshi
Integrating BMC Real End User Experience Monitoring (see page 212) | Preparing BMC Atrium SSO server for integration (see page 212) | Abhay Chokshi
Using Kerberos for authentication (see page 132) | Generating a keytab for the service principal and mapping the Kerberos service name (see page 134) | Abhay Chokshi
Troubleshooting (see page 279) | Upgrading from 7.6.04 to 8.1 silent installation issue (see page 317) | Ruth Harris
Planning (see page 29) | End-to-end BMC Atrium Single Sign-On process | Abhay Chokshi
 | BMC Atrium Single Sign-On 8.1 | Ruth Harris
 | Legal notices | Ruth Harris
Installing BMC Atrium Single Sign-On on an external Tomcat server (see page 72) | JVM parameter additions for external Tomcat installations (see page 76) | Prachi Kalyani
Troubleshooting CAC authentication (see page 326) | Example of a default logging level error | Ruth Harris
Integrating BMC Atrium Single Sign-On with AR System Version 8.0.00 | Manually configuring mid tier for BMC Atrium Single Sign-On user authentication (see page 176) | Abhay Chokshi
Troubleshooting SAMLv2 | SAMLv2 keystore issues (see page 341) | Abhay Chokshi
Service packs and patches (see page 17) | Patch 3 for version 8.1.00: 8.1.00.03 (see page 17) | Prachi Kalyani
What's new (see page 12) | Documentation updates after release (see page 20) | Abhay Chokshi
Service packs and patches (see page 17) | Patch 2 for version 8.1.00: 8.1.00.02 (see page 18) | Abhay Chokshi
Navigating the interface | Server Configuration Editor (see page 237) | Abhay Chokshi
Navigating the interface | Agent manager | Melanie Boston
Navigating the interface | Realm Editor | Prachi Kalyani
Installing BMC Atrium Single Sign-On with the AR System server and Mid Tier (see page 79) | Running a health check on the BMC Atrium Single Sign-On installation | John Stamps
Using SAMLv2 for authentication | Configuring BMC Atrium Single Sign-On as an IdP | Ruth Harris
Manually configuring mid tier for BMC Atrium Single Sign-On user authentication (see page 176) | Deployer commands for various JSP engines | Ruth Harris
Integrating BMC Atrium Single Sign-On with AR System Version 8.0.00 | Configuring BMC Atrium Single Sign-On for integration | Prachi Kalyani
Integrating BMC Atrium Single Sign-On with AR System Version 8.0.00 | Installing BMC Atrium Single Sign-On for AR System integration | Prachi Kalyani
Integrating BMC Atrium Single Sign-On with AR System Version 8.0.00 | Running a health check on the BMC Atrium Single Sign-On integration | Ruth Harris
Troubleshooting (see page 279) | Troubleshooting AR System server and Mid Tier integrations | Ruth Harris
Realm Editor | Kerberos Editor (see page 227) | Abhay Chokshi
Integrating BMC Atrium Single Sign-On with AR System Version 8.0.00 | Configuring the BMC Atrium Single Sign-On server for AR System integration (see page 183) | Abhay Chokshi
Using (see page 214) | Navigating the interface | Ruth Harris
Home (see page 11) | Using (see page 214) | Dixie Pine
Managing keystores with a keytool utility (see page 239) | Using the keytool utility (see page 241) | Hemant Baliwala
Managing nodes in a cluster (see page 273) | Resynchronizing nodes in a cluster | Ruth Harris
Integrating | Integrating BMC Atrium Orchestrator Platform (see page 209) | Abhay Chokshi
Tracking tools (see page 353) | Comments dashboard (see page 353) | Ruth Harris
Tracking tools (see page 353) | No Labels report (see page 363) | Ruth Harris
Tracking tools (see page 353) | Number of pages in space (see page 383) | Bruce Cane
Tracking tools (see page 353) | Installing and managing certificates in BMC Atrium SSO (see page 383) | Abhay Chokshi
Tracking tools (see page 353) | Installing certificates after integration with other BMC products (see page 383) | Abhay Chokshi
Managing keystores with a keytool utility (see page 239) | Generating and importing CA certificates | Abhay Chokshi
Managing keystores with a keytool utility (see page 239) | Checking the truststore for certificates | Ruth Harris
Installing BMC Atrium Single Sign-On with the AR System server and Mid Tier (see page 79) | Running the SSOMidtierIntegration utility on the Mid Tier (see page 92) | Abhay Chokshi
Installing and managing certificates in BMC Atrium SSO (see page 383) | Finding intermediate CA (see page 383) | Abhay Chokshi
Installing and managing certificates in BMC Atrium SSO (see page 383) | Importing a certificate into cacerts.p12 (see page 383) | Abhay Chokshi
Installing and managing certificates in BMC Atrium SSO (see page 383) | Importing a certificate into keystore.p12 (see page 383) | Abhay Chokshi
Installing and managing certificates in BMC Atrium SSO (see page 383) | Importing certificate chains and intermediate certificates (see page 383) | Abhay Chokshi
Installing and managing certificates in BMC Atrium SSO (see page 383) | Installing certificates in HA load balancing environment (see page 383) | Abhay Chokshi
Installing and managing certificates in BMC Atrium SSO (see page 383) | Installing certificates on a standalone server (see page 383) | Abhay Chokshi
Installing BMC Atrium Single Sign-On as a High Availability cluster (see page 55) | Installing the first node for an HA cluster on a new Tomcat server (see page 57) | Abhay Chokshi
Troubleshooting Kerberos authentication (see page 333) | Chained authentication failure in Microsoft Internet Explorer (see page 338) | Abhay Chokshi
Using Kerberos for authentication (see page 132) | Reconfiguring your browser (see page 138) | Prachi Kalyani
Tracking tools (see page 353) | Enabling multiple realms (see page 372) | Dixie Pine
Realm Editor | LDAP (Active Directory) Editor (see page 223) | Abhay Chokshi
Installing BMC Atrium Single Sign-On with the AR System server and Mid Tier (see page 79) | Running the SSOARIntegration utility on the AR System server (see page 88) | Abhay Chokshi
16.3 Technical Bulletin SW00448553


16.3.1 BMC Atrium Single Sign-On
Version 8.1.00
March 14, 2013
Defect SW00448553
BMC Software is alerting users of BMC Atrium Single Sign-On version 8.1.00 to a workaround for defect
SW00448553, which is associated with configuration replication in BMC Atrium Single Sign-On High Availability
(HA) configurations. This technical bulletin describes how to implement the workaround.
If you have any questions about the workaround, contact BMC Software Customer Support at 800 537 1813
(United States or Canada) or call your local support center.
Issue (see page 369)
Workaround procedure (see page 369)
Workaround scripts (see page 370)
Where to get the latest product information (see page 372)

16.3.2 Issue
In a BMC Atrium Single Sign-On High Availability (HA) configuration, replication of configuration modules does
not work correctly.

16.3.3 Workaround procedure

When multiple nodes are used as a primary server in a BMC Atrium Single Sign-On High Availability configuration,
do the following:
1. Disable replication on all of the BMC Atrium Single Sign-On servers in the HA cluster by using the
dereplicate.bat script.
2. Log on to each BMC Atrium Single Sign-On server in the HA cluster and review the HA Node list in the
BMC Atrium SSO Admin Console.
3. Select the BMC Atrium Single Sign-On server that lists all the nodes as primary server. If more than one
server lists all of the nodes as primary server, select any one as primary server.
4. Stop all the BMC Atrium Single Sign-On servers in the HA cluster except the primary server that you
selected.
5. Back up the primary server by using the backup.bat script.
6. Restore the primary server's backup by using the restore.bat script. Run this script on all BMC Atrium Single
Sign-On servers in the HA cluster.
7. Repeat steps 4 - 6 if you change the configuration on the primary server.
The following three scripts are used for this workaround:
dereplicate.bat Disables replication on all servers in the HA cluster.
backup.bat Backs up the primary server.
restore.bat Restores the primary server's backup on a server.

16.3.4 Workaround scripts

dereplicate.bat script
@rem Disables replication on every OpenDS instance in the HA cluster.
@rem The host names, ports and password below are sample values; replace them with your own.
set ATRIUM_SSO_DIR=D:\APPS\BMC Software\AtriumSSO
set OPENDS_DIR=%ATRIUM_SSO_DIR%\tomcat\webapps\atriumsso\WEB-INF\config\opends
set DSREPLICATION_PATH=%OPENDS_DIR%\bat\dsreplication.bat
set PASSWORD=admin123
set HOST1=kbp1-dhp-f48202.synapse.com
set ADMIN_PORT1=40444
set REPL_PORT1=40636
set HOST2=kbp1-dhp-f48202.synapse.com
set ADMIN_PORT2=41444
set REPL_PORT2=41636
@rem -X trusts the server certificate; -n runs non-interactively
call "%DSREPLICATION_PATH%" disable --disableAll -h %HOST1% -p %ADMIN_PORT1% --bindDN "cn=Directory Manager" --adminPassword %PASSWORD% -X -n
call "%DSREPLICATION_PATH%" disable --disableAll -h %HOST2% -p %ADMIN_PORT2% --bindDN "cn=Directory Manager" --adminPassword %PASSWORD% -X -n

backup.bat script
@rem Backs up the userRoot backend of the primary server's OpenDS instance.
set ATRIUM_SSO_DIR=D:\APPS\BMC Software\AtriumSSO
set OPENDS_DIR=%ATRIUM_SSO_DIR%\tomcat\webapps\atriumsso\WEB-INF\config\opends
set DESTINATION_EXEC_DIR=%OPENDS_DIR%\bat
@rem
@rem ******************************************************************************************
@rem Set BACKUP_DIR to a drive that is accessible to all members of the HA environment
@rem ******************************************************************************************
@rem
set BACKUP_DIR=<LOCAL_DRIVE>\atsso_opends_clone
set SOURCE_HOST=kbp1-dhp-f48202.synapse.com
set SOURCE_ADMIN_PORT=40444
set PASSWORD=admin123
@rem remove any previous backup so that the directory holds only the current one
rd "%BACKUP_DIR%" /S /Q
call "%DESTINATION_EXEC_DIR%\backup" --backendID userRoot --backupDirectory "%BACKUP_DIR%" -h %SOURCE_HOST% -p %SOURCE_ADMIN_PORT% -D "cn=directory manager" -w %PASSWORD% --hash -X

restore.bat script
@rem Restores the primary server's backup into the local OpenDS instance.
set ATRIUM_SSO_DIR=D:\APPS\BMC Software\AtriumSSO
set OPENDS_DIR=%ATRIUM_SSO_DIR%\tomcat\webapps\atriumsso\WEB-INF\config\opends
set DESTINATION_EXEC_DIR=%OPENDS_DIR%\bat
@rem
@rem ******************************************************************************************
@rem Set BACKUP_DIR to the primary server's backup directory as mapped on this machine
@rem e.g., map the primary server location to Z:
@rem ******************************************************************************************
@rem
set BACKUP_DIR=<PRIMARY_SERVER_BACKUP_DIRECTORY_MAPPED_TO_LOCAL_MACHINE>
@rem
@rem **********************************************************
@rem Set LOCAL_BACKUP_DIR to a folder on the current machine
@rem **********************************************************
@rem
set LOCAL_BACKUP_DIR=<LOCAL_DRIVE>\atsso_opends_working_config
rd "%LOCAL_BACKUP_DIR%" /S /Q
md "%LOCAL_BACKUP_DIR%"
@rem
@rem before restoring, keep a copy of the existing working configuration (the db folder)
@rem /E copies subdirectories including empty ones; /I creates the destination directory
@rem
xcopy "%OPENDS_DIR%\db" "%LOCAL_BACKUP_DIR%\db" /E /I
@rem
@rem restore the primary server's backup
@rem
call "%DESTINATION_EXEC_DIR%\restore" --backupDirectory "%BACKUP_DIR%"

16.3.5 Where to get the latest product information


To view the latest BMC product documents, see the Customer Support website at http://www.bmc.com/support.
Notices, such as flashes, technical bulletins, and release notes, are available on the website. You can subscribe to
proactive alerts to receive email messages when notices are issued or updated. For more information about
proactive alerts, see the Customer Support website.

16.4 Enabling multiple realms

BMC Atrium Single Sign-On allows you to configure multiple realms.
Realm panel (see page 373)
To enable multiple realms (see page 374)
To create a new realm (see page 374)
The following image shows the BMC Atrium SSO Admin Console when configured for multiple realms:


16.4.1 Realm panel

For the Remedy OnDemand solution, BMC Atrium Single Sign-On allows multiple realms. In this case, the Realm
panel replaces the BMC Realm panel in the BMC Atrium SSO Admin Console. The Realm panel displays each realm's
name along with its user profile and status. Each realm has the same capabilities as the BmcRealm for
managing realm authentication, federation, user stores (AR and LDAPv3), users, and user groups.

Note
BmcRealm is the default realm and cannot be deleted.

Add launches the Create Realm Editor, which lets you add a realm to the system.
Edit launches the Realm Editor, which lets you manage that particular realm's authentication,
federation, user stores (AR and LDAPv3), users, and user groups.
Delete removes the selected realm from the system.
Filter field lets you display specific realms based on your search criteria.


The following image shows a realm panel:

16.4.2 To enable multiple realms


1. Stop the BMC Atrium Single Sign-On server.
2. Edit the web.xml file.
3. Search for the parameter name "allow.multiple.realms".
4. Change the parameter value from false to true.
5. Save and exit the file.
6. Restart the BMC Atrium Single Sign-On server.
For more information about restarting the server, see Stopping and restarting the BMC Atrium Single Sign-On
server (see page 279).

16.4.3 To create a new realm

1. On the Realm panel, click Add. The Create Realm Editor opens.
2. In the Realm Name field, provide a name for the new realm.
3. In the User Profile field, select a user profile.
4. Click Save.

16.5 Configuring multi-tenancy support


Writer notes (Shubhangi Apte) on April 12, 2013


Ruth Harris had documented this information on the initial page for SSO 8.1.00 Patch 2. However, when I
followed up with Volodymyr Zaporozhets he said that the team will not be announcing multi-tenancy support in
patch 2. The team had initially talked about disabling this feature as the plan was to deliver it to BMC Remedy
OnDemand only. However, RoD later decided to wait until 8.8 for different reasons.
I have removed the following content from the SSO 8.1.00 Patch 2 page and have added it under Tracking tools
(in case this information is required for later releases).

16.5.1 Configuring multi-tenancy support

Patch 2 for version 8.1.00 supports multi-tenancy for Remedy OnDemand (RoD). The deployment uses BMC
Atrium Single Sign-On as a shared service implemented in High Availability (HA) mode. Each customer has its own
BMC Remedy Mid Tier, and each realm is mapped to one web agent in that Mid Tier. Deploying multiple realms for
customers is supported through an enhanced Web Agent. To update the Web Agent without re-deployment, a script,
upgrade-wa, is provided.
The following diagram illustrates the deployment architecture:


The Web Agent maps the server host name (the name the user uses to access a protected application) to the full
logon and logout URLs. The logon and logout URLs contain the information (for example, the realm name and IdP ID)
required to separate different tenants from each other. The mapping is specified in the configuration file.

Note
When multi-tenancy support is enabled, the login and logout URLs specified for the Web Agent
configuration in the BMC Atrium SSO Console are not used.

The following diagram illustrates the authentication process when the multi-tenant web agent is used:

Configuration file
The configuration file is a properties file that contains records in the following format:
<hostName>|<login|logout>=<URL>
Configuration file example
pepsi.onbmc.com|login=https://sso.onbmc.com:8443/atriumsso/UI/Login?realm=/PepsiRealm
pepsi.onbmc.com|logout=https://sso.onbmc.com:8443/atriumsso/UI/Logout?realm=/PepsiRealm
coke.onbmc.com|login=https://sso.onbmc.com:8443/atriumsso/UI/Login?realm=/CokeRealm
coke.onbmc.com|logout=https://sso.onbmc.com:8443/atriumsso/UI/Logout?realm=/CokeRealm
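The following is an added example, not BMC's Web Agent code: it parses records of this format and resolves a request's Host header to the tenant's login or logout URL, treating the file strictly as an allowlist (an unmapped host yields no URL rather than another tenant's realm). The function names, the https-only rule and the lower-casing of host names are this example's own assumptions; the sample records are constructed from the example file above.

```python
"""Resolve multi-tenant Web Agent mappings of the form <hostName>|<login|logout>=<URL>.

Added example, not BMC's Web Agent code. It reads the records described for
multitenancy.cfg.properties and maps a request's Host header to the tenant's
login or logout URL. Function names, the https-only rule and the lower-casing
of host names are this example's own assumptions.
"""
from typing import Dict, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample mirroring the page's example file (two tenants).
SAMPLE_CONFIG = """\
# multitenancy.cfg.properties (constructed sample)
pepsi.onbmc.com|login=https://sso.onbmc.com:8443/atriumsso/UI/Login?realm=/PepsiRealm
pepsi.onbmc.com|logout=https://sso.onbmc.com:8443/atriumsso/UI/Logout?realm=/PepsiRealm
coke.onbmc.com|login=https://sso.onbmc.com:8443/atriumsso/UI/Login?realm=/CokeRealm
coke.onbmc.com|logout=https://sso.onbmc.com:8443/atriumsso/UI/Logout?realm=/CokeRealm
"""

ACTIONS = ("login", "logout")

# Parsed form: host name -> {"login": url, "logout": url}
TenantMap = Dict[str, Dict[str, str]]


def parse_multitenancy_config(text: str) -> TenantMap:
    """Parse the properties records into a per-host mapping.

    Every malformed, duplicate or incomplete record raises ValueError, so a
    typo cannot silently leave a tenant without a mapping. The URL must be an
    absolute https URL (this example's rule; the page only shows https URLs).
    """
    hosts: TenantMap = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#!":          # properties-file comment lines
            continue
        key, eq, url = line.partition("=")     # first "=" only: the URL may contain "="
        host, bar, action = key.partition("|")
        host, action, url = host.strip().lower(), action.strip(), url.strip()
        if not (eq and bar and host) or action not in ACTIONS:
            raise ValueError(f"line {lineno}: malformed record {raw!r}")
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.netloc:
            raise ValueError(f"line {lineno}: {action} URL must be absolute https: {url!r}")
        entry = hosts.setdefault(host, {})
        if action in entry:
            raise ValueError(f"line {lineno}: duplicate {action} record for {host}")
        entry[action] = url
    # Each host needs both a login and a logout record.
    for host, entry in hosts.items():
        missing = [a for a in ACTIONS if a not in entry]
        if missing:
            raise ValueError(f"host {host}: missing {missing} record")
    return hosts


def resolve_tenant_url(hosts: TenantMap, host_header: str, action: str) -> Optional[str]:
    """Return the tenant's login/logout URL for the request's Host header.

    The Host header is supplied by the client, so only an exact match against
    the configured hosts is honoured: an unknown host yields None instead of
    falling through to some other tenant's realm. A port suffix is ignored.
    """
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    try:
        host = urlsplit("//" + host_header.strip()).hostname  # lower-cased, port removed
    except ValueError:                                          # e.g. malformed IPv6 literal
        return None
    if not host:
        return None
    entry = hosts.get(host)
    return entry[action] if entry else None


def realm_of(url: str) -> Optional[str]:
    """Extract the realm parameter that separates tenants, e.g. '/PepsiRealm'."""
    values = parse_qs(urlsplit(url).query).get("realm")
    return values[0] if values else None


if __name__ == "__main__":
    mapping = parse_multitenancy_config(SAMPLE_CONFIG)
    for header in ("pepsi.onbmc.com", "COKE.onbmc.com:443", "other.example.com"):
        url = resolve_tenant_url(mapping, header, "login")
        print(f"{header:22s} -> {url or 'no mapping'}")
```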

To enable multi-tenancy support

Place the multitenancy.cfg.properties file (for build #24 and below, place a multitenancy.cfg.poperties file instead)
in the WebAgent configuration directory (for example, atssoAgents/<webapp-name>).
Disable the FQDN check in the WebAgent configuration properties in the AtriumSSO console.


To disable multi-tenancy support

Remove the configuration file.

Note
It is not necessary to restart the container with the WebAgent when enabling or disabling multi-tenancy
support or when changing its configuration. The WebAgent periodically polls its configuration file. The poll
interval is configured with the atsso.server.check.delay system property; the default is 2 minutes.

Web agent script


A script for updating the web agent without re-deployment is provided as part of the BMC Atrium Single Sign-On
8.1.00 Patch 2 release. The script is located in the webagent.zip/upgrade folder with both Microsoft Windows
(.bat) and Linux (.sh) versions available.

Note
In the upgrade folder is a README.txt file with the following content:
You can use the upgrade-wa script to upgrade WebAgent libraries without WebAgent re-deployment.

Usage
upgrade-wa [upgrade_lib_path] webapp_path

Parameters
upgrade_lib_path Path to the libraries that are used during the upgrade (optional)
webapp_path Path to the web application with the deployed WebAgent (required)

Load balancer configuration

The load balancer should be set up in front of the WebAgent, not in front of Atrium SSO. The load balancer must be
configured to preserve the HTTP Host header when it forwards requests to the back-end servers.
In Apache Httpd, this is configured in the configuration file:
add or replace the ProxyPreserveHost On option in the necessary VirtualHost sections.
add or replace the DefaultType None option in the global configuration.
httpd.conf


<VirtualHost *:*>
. . .
ProxyPreserveHost On
. . .
</VirtualHost>
. . .
DefaultType None
. . .

16.6 Overview steps to install and configure HA Load-Balancing environment with SSO

This topic provides a high-level road map for installing and configuring a high-availability (HA) Load-Balancing
server group environment with SSO.
Click the links to "drill down" to more specific instructions.
1. Create a comprehensive list of all the computers in your environment.
For example, list all your load-balancers, AR System servers, Mid Tiers, SSO servers, and so on.

Create a list in a text file for each server and its IP address, as well as all accepted fully qualified names.
2. Set up your load-balancers.
a. Configure the AR System server load-balancer with all your servers in the server group.
Make sure that your AR System server load-balancer includes all the computers on which you will
install AR System servers. Otherwise, you encounter various errors when you configure the Mid Tier
to use the AR System server load-balancer (see page 381).
b. Configure the Mid Tier load-balancer.
Make sure that your Mid Tier load-balancer includes all the computers on which you will install Mid
Tiers.
c. Configure the SSO server load-balancer.


Make sure that your SSO load-balancer includes all the computers on which you will install SSO
servers.
3. Install the server group.
a. Install the first AR System server.
b. Install the first Mid Tier.
c. Obtain BMC Remedy license keys.
d. Test the Mid Tier in your server group.
This step is temporary, to test the installation of the first AR System server.
e. Configure the first server to be a server group member.
f. Test and confirm that the first server is working properly.
g. Install the next AR System server in the server group.
h. Configure the next server for the server group.
i. Configure the Mid Tier to include all the AR System servers you just installed.
This step is temporary, to test the installations of the remaining AR System servers.
j. Test and confirm that the current server is working properly.
Use the AR System Server Group Operation Ranking form to distribute the load between the AR
System servers and the load balancer.


k. Configure the Mid Tier to use the AR System server load-balancer.


Remove the first AR System server from the Mid Tier and add the name of the virtual host of the AR System
server load balancer (for example, remedyssoservergroup).
l. Log on to the Mid Tier.
Make sure that the Mid Tier resolves to the AR System server load balancer.


You should be able to access, for example, the BMC Remedy AR System Administration Console.
m. Install the remaining Mid Tiers for your environment.
4. Configure the Mid Tier load-balancer with all your Mid Tiers in the server group.
When you log on to the Mid Tier load balancer, the Mid Tier load balancer should resolve to the AR
System server load balancer.

5. Install the SSO servers.


a. Install BMC Atrium Single Sign-On.
b. Manage the AR System users and groups for authentication (see page 97).
c. Run the SSOARIntegration utility on the AR System server (see page 88).
d. Run the SSOMidtierIntegration utility on the Mid Tier (see page 92).
You configure the SSO AREA plug-in with a Java plug-in entry, along with the other External
Authentication parameters.
6. Define additional SSO authentication methods.



16.8 Installing and managing certificates in BMC Atrium SSO


This page has not been approved for publication.

16.8.1 Installing certificates on a standalone server


This page has not been approved for publication.

16.8.2 Installing certificates in HA load balancing environment


This page has not been approved for publication.

16.8.3 Importing a certificate into keystore.p12


This page has not been approved for publication.

16.8.4 Importing a certificate into cacerts.p12


This page has not been approved for publication.

16.8.5 Finding intermediate CA


This page has not been approved for publication.

16.8.6 Importing certificate chains and intermediate certificates


This page has not been approved for publication.

16.9 Installing certificates after integration with other BMC products

This page has not been approved for publication.


Index
a
adding 248
administration 263, 264, 268, 271, 273, 275
agents 263, 275, 279, 331
ar 97
architecture 20
ar system 320
authentication 97, 132, 263, 271, 320, 326, 333
authentication chains 263
authentication modules 271

b
bmc analytics 199
bmc atrium sso 11, 79, 284, 331
bmc capacity optimization 207
bmc dashboards 198
bmc internal 353, 369, 378
bmc itbm 204, 205
bmc proactivenet 200
bmc remedy ar system 31, 79, 97
bulkfederation 157

c
ca 248
cac 326
ca certificates 239
certificates 20, 239, 243, 246, 248, 249
ciphers 257
configuration 132, 251, 276
configuring jvm 77
console 22
conversion 251, 256
cookie domain 20

csr 246
customer support 351

d
data 260
deployment 20, 31
diagnostics 279, 281
downloads 44

e
errors 279, 285
external tomcat 72

f
features 12
federating 157, 263
fips 251, 251, 256, 257, 258
fips 140 251, 251, 256, 257, 258
fixes 12, 17, 19

g
generate csr 246
group membership 264
groups 97, 263, 268

h
ha 20, 55, 112, 263, 273
high availability 20, 55, 112, 263, 273
home 11

i
import 243
importing certificates 246

installation 40, 42, 48, 50, 55, 72, 79, 112


integration 198, 199, 200, 204, 205, 207
issues 12, 17, 19

j
jboss 331
jee 20, 279, 331

k
kerberos 132, 333
keystore 239, 240
keytool 239

l
ldap 260
licensing 12
linux 117
logs 282, 284

m
mid tier 31, 79
monitoring 256

n
network ciphers 257
new 12, 17, 19
nodes 263, 273
normal mode 258

o
openam 22


p
passwords 20
patches 12, 17, 19
pdfs 352
planning 29
prerequisites 42
product agents 275

r
realms 20
reference 31, 351
release notes 12
rsa api properties 284

s
saml 31
self signed 249
server 77
session behavior 20, 24
session parameters 263, 276
setting http connection 78
silent 112
sso 11, 22
sso server 263, 279
starting 279
stopping 279
store 260
supported 351

t
tomcat 77, 331
troubleshooting 279, 320, 326, 331, 333
truststore 239, 243

u

uninstalling 112, 117


unix 117
updates 12, 17, 19
user 260, 263
user accounts 157, 263
user groups 268
users 97, 264

v
versions 351

w
weblogic 331
websphere 205, 331
windows 117

Copyright 2013 BMC Software, Inc.


Copyright 2013 BladeLogic, Inc.
BMC, BMC Software, and the BMC Software logo are the exclusive properties of BMC Software, Inc., are registered with the U.S. Patent and Trademark
Office, and may be registered or pending registration in other countries. All other BMC trademarks, service marks, and logos may be registered or
pending registration in the U.S. or in other countries. All other trademarks or registered trademarks are the property of their respective owners.
BladeLogic and the BladeLogic logo are the exclusive properties of BladeLogic, Inc. The BladeLogic trademark is registered with the U.S. Patent and
Trademark Office, and may be registered or pending registration in other countries. All other BladeLogic trademarks, service marks, and logos may be
registered or pending registration in the U.S. or in other countries. All other trademarks or registered trademarks are the property of their respective
owners.
All Cisco trademarks that are referred to or displayed in the space are registered trademarks or trademarks of Cisco Systems, Inc. and/or its affiliates in
the United States and certain other countries.
All IBM trademarks that are referred to or displayed in the space are trademarks of International Business Machines Corporation in the United States,
other countries, or both.
IT Infrastructure Library is a registered trade mark of the Cabinet Office.
ITIL is a registered trade mark of the Cabinet Office.
Linux is the registered trademark of Linus Torvalds.
Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.
PinkVERIFY and PinkVERIFY logo Trademark Pink Elephant. Used under license from Pink Elephant.
All SAP trademarks that are referred to or displayed in the document are trademarks or registered trademarks of SAP AG in Germany and in several other
countries.
UNIX is the registered trademark of The Open Group in the US and other countries.


The information included in this documentation is the proprietary and confidential information of BMC Software, Inc., its affiliates, or licensors. Your use
of this information is subject to the terms and conditions of the applicable End User License agreement for the product and to the proprietary and
restricted rights notices included in the product documentation.
Restricted rights legend
U.S. Government Restricted Rights to Computer Software. UNPUBLISHED RIGHTS RESERVED UNDER THE COPYRIGHT LAWS OF THE UNITED STATES.
Use, duplication, or disclosure of any data and computer software by the U.S. Government is subject to restrictions, as applicable, set forth in FAR
Section 52.227-14, DFARS 252.227-7013, DFARS 252.227-7014, DFARS 252.227-7015, and DFARS 252.227-7025, as amended from time to time.
Contractor/Manufacturer is BMC SOFTWARE INC, 2101 CITYWEST BLVD, HOUSTON TX 77042-2827, USA. Any contract notices should be sent to this
address.
BMC Software Inc.
2101 CityWest Blvd, Houston TX 77042-2827, USA
713 918 8800
Customer Support: 800 537 1813 or contact your local support center
