Home
Date:
16-Jan-2014 15:56
URL:
https://docs.bmc.com/docs/display/sso81/Home
Page 2 of 389
Home
Table of Contents
1 Featured content ______________________________________________________________________ 12
2 About BMC Atrium Single Sign-On ________________________________________________________ 12
3 What's new __________________________________________________________________________ 12
3.1 Version 8.1.00 ____________________________________________________________________ 14
3.1.1
9.1.2 Installing BMC Atrium Single Sign-On for AR System integration ________________________ 171
9.1.3 Configuring BMC Atrium Single Sign-On for integration ______________________________ 173
9.1.4 Manually configuring mid tier for BMC Atrium Single Sign-On user authentication __________ 176
9.1.5 Configuring the BMC Atrium Single Sign-On server for AR System integration _____________ 183
9.1.6 Running a health check on the BMC Atrium Single Sign-On integration __________________ 195
9.2 Integrating BMC Dashboards for BSM _________________________________________________ 198
9.2.1 Before you begin ____________________________________________________________ 198
9.2.2 To integrate BMC Dashboards for BSM ___________________________________________ 199
9.3 Integrating BMC Analytics for BSM ___________________________________________________ 199
9.3.1 Before you begin ____________________________________________________________ 199
9.3.2 To integrate BMC Analytics for BSM _____________________________________________ 200
9.4 Integrating BMC ProactiveNet _______________________________________________________ 200
9.4.1 Before you begin ___________________________________________________________ 200
This space contains information about the BMC Atrium Single Sign-On 8.1 release.
1 Featured content
For information about Patch 1 for 8.1.00, see Patch 1 for version 8.1.00: 8.1.00.01 (see page 19).
For information about Patch 2 for 8.1.00, see Patch 2 for version 8.1.00: 8.1.00.02 (see page 18).
For information about Patch 3 for 8.1.00, see Patch 3 for version 8.1.00: 8.1.00.03 (see page 17).
With Patch 1 for 8.1.00, BMC Atrium Orchestrator Platform version 7.7.00 integrates with BMC Atrium Single Sign-On; see Integrating BMC Atrium Orchestrator Platform (see page 209) and the BMC Atrium Orchestrator Platform online documentation.
To understand enhancements for this release, see Version 8.1.00.
To understand key concepts associated with BMC Atrium Single Sign-On, see Key concepts (see page 20).
To review a high-level end-to-end procedure, see End-to-end BMC Atrium Single Sign-On process.
To review an end-to-end deployment example for BMC Remedy AR System and the mid tier using SAMLv2
authentication, see BMC Atrium Single Sign-On using SAMLv2 deployment example (see page 31).
To review an end-to-end deployment for BMC Remedy AR System and the mid tier using AR
authentication, see Installing BMC Atrium Single Sign-On with the AR System server and Mid Tier (see page
79).
3 What's new
This section provides information about what is new or changed in this space, including resolved issues,
documentation updates, maintenance releases, service packs, and patches. It also provides license entitlement
information for the release.
Tip
To stay informed of changes to this space, place a watch on this page.
The following updates have been added since the release of the space:
Date | Title | Summary
July 5, 2013 | Patch 3 for version 8.1.00: 8.1.00.03 (see page 17) |
| Patch 2 for version 8.1.00: 8.1.00.02 (see page 18) |
| Patch 1 for version 8.1.00: 8.1.00.01 (see page 19) | Patch 1 for version 8.1.00 provides fixes related to BMC Atrium Single Sign-On integration with BMC Atrium Orchestrator 7.7 and other BMC products.
| Version 8.1.00 |
To obtain a full space export of the BMC Atrium Single Sign-On documentation, see PDFs (see page 352).
Three new videos from the February 14, 2013 BMC Software webinar on Atrium Single Sign-On (Atrium SSO) have been added to the online documentation:
Installing BMC Atrium Single Sign-On with the AR System server and Mid Tier (see page 79)
provides a high-level overview as well as important tips.
Using SAMLv2 for authentication describes how to configure SAML V2
Using Kerberos for authentication (see page 132) describes how to configure BMC Atrium SSO to
leverage Kerberos.
Tip
For information about issues corrected in this release, see Known and corrected issues.
Version 8.1.00 was released shortly after version 8.0.00, a major release that contained significantly more
enhancements. If you are considering an upgrade from a version prior to 8.0.00, you might be interested in
seeing the enhancements listed in the documentation for version 8.0.00.
3.1.3 New utility to simplify BMC Atrium Single Sign-On and AR System integration
BMC Remedy AR System 8.1 introduces a new utility that greatly simplifies the integration between BMC Atrium Single Sign-On and the AR System server and Mid Tier.
The Single Sign-On integration has been removed from the AR System installer. As a result, you no longer have to follow the error-prone manual steps if you choose to integrate BMC Atrium Single Sign-On after you have installed the AR System server and Mid Tier.
You use the one utility to integrate both the AR System server and the Mid Tier, but with slightly different inputs.
For more information, see Installing BMC Atrium Single Sign-On with the AR System server and Mid Tier (see page
79).
Note
You can download the components mentioned herein from the Electronic Product Distribution website.
Use the same user name and password that you use to access the Customer Support website.
If you do not have a current license for the components you want, contact a BMC sales representative by calling
800 793 4262. If you cannot download the components, contact a sales representative and ask for a physical kit
to be shipped to you.
BMC Atrium Single Sign-On is certified on the configurations explicitly stated in this document. Configurations
not listed might still operate properly and so customers can choose to run in a configuration not listed as
supported. Such configurations would be considered "unconfirmed". BMC will accept issues reported in
unconfirmed configurations but we reserve the right to request customer assistance in problem determination,
including recreating the problem on a supported configuration.
Reported defects either found to be unique to an unconfirmed configuration or not reproducible within a
supported environment will be addressed at the discretion of BMC. Defects requiring time and resources beyond
commercially reasonable effort might not be addressed. If a configuration is found to be incompatible with BMC
Atrium Single Sign-On, support for that configuration will be specifically documented as not supported (or
unsupported). Visit the Customization Policy under the Support Contacts & Policies link on the BMC support
website.
Note
BMC Atrium Orchestrator Platform 7.7 must use BMC Atrium Single Sign-On 8.1.00 Patch 1 or later.
Corrected issues
To learn about issues corrected in Patch 3 (8.1.00.03), see Known and Corrected issues. Click the Corrected in
column heading to sort the table by version.
Patch 3 also includes the fixes from Patch 2 and Patch 1 for version 8.1.00.
Recommendation
Back up BMC Atrium Single Sign-On before proceeding with the patch installation.
To install BMC Atrium Single Sign-On 8.1.00 Patch 3, see Installing (see page 40).
To perform a silent installation, see Installing silently (see page 112).
To upgrade to BMC Atrium Single Sign-On 8.1.00 Patch 3 from an earlier version (8.1.00 or 8.1.00.01 or
8.1.00.02), see Upgrading.
Note
BMC Atrium Single Sign-On 8.1.00 Patch 2 (8.1.00.02) has been replaced with Patch 3 (8.1.00.03) and
can no longer be downloaded from the BMC Electronic Product Distribution (EPD) site. Patch 3 is a full
installation and includes the fixes that were available in Patch 1 (8.1.00.01) and Patch 2 (8.1.00.02). For
information about downloading and installing BMC Atrium Single Sign-On 8.1.00 Patch 3, see Patch 3
for version 8.1.00: 8.1.00.03 (see page 17).
Note
BMC Atrium Orchestrator Platform 7.7 must use BMC Atrium Single Sign-On 8.1.00 Patch 1 or later.
Corrected issues
To learn about the issues corrected in Patch 2 (8.1.00.02), see Known and corrected issues. Click the Corrected in
column heading to sort the table by version.
Recommendation
Back up BMC Atrium Single Sign-On before proceeding with the patch installation.
To install BMC Atrium Single Sign-On 8.1, see Installing (see page 40).
To perform a silent installation, see Installing silently (see page 112).
To upgrade to BMC Atrium Single Sign-On 8.1.00 Patch 2 from an earlier version (8.1.00 or 8.1.00.01), see
Upgrading.
Note
BMC Atrium Single Sign-On 8.1.00 Patch 1 (8.1.00.01) has been replaced with Patch 3 (8.1.00.03) and can
no longer be downloaded from the BMC Electronic Product Distribution (EPD) site. Patch 3 is a full
installation and includes the fixes that were available in Patch 1 (8.1.00.01). For information about
downloading and installing BMC Atrium Single Sign-On 8.1.00 Patch 3, see Patch 3 for version 8.1.00:
8.1.00.03 (see page 17).
Note
BMC Atrium Orchestrator Platform 7.7 must use BMC Atrium Single Sign-On 8.1 Patch 1 or later.
Corrected issues
To learn about the issues corrected in Patch 1 (8.1.00.01), see Known and corrected issues. Click the Corrected in
column heading to sort the table by version.
Recommendation
Back up BMC Atrium Single Sign-On before proceeding with the patch installation.
To install BMC Atrium Single Sign-On 8.1, see Installing (see page 40).
To perform a silent installation, see Installing silently (see page 112).
4 Key concepts
BMC contributors content
For additional information, you can also refer to the following webinar conducted by BMC Support.
You can also connect with other users for related discussions on the BMC Community.
Use this section to get high-level conceptual knowledge that helps you to use the BMC Atrium Single Sign-On
product.
The following topics provide key conceptual information about BMC Atrium Single Sign-On:
Authentication chaining
Groups
Important
BMC Atrium Single Sign-On is certified on the configurations explicitly stated in this document.
Reported defects either found to be unique to an unconfirmed configuration or not reproducible within
a supported environment are addressed at the discretion of BMC. Visit the Customization Policy under
the Support Contacts & Policies link on the BMC support website.
Note
You cannot use sibling domains or cross-domains with BMC Atrium Single Sign-On. For example,
installing the BMC Atrium Single Sign-On server in the remedy.com domain and the AR System server in
the bmc.com domain is not supported. You must move all your computers into the same domain.
Important
When quitting a product, the normal behavior is to log off and then quit. This process results in termination of all the product connections. If you want to continue working with other BMC products, quit the product that you are finished with, but only log off from the last product.
With web applications, the BMC Atrium Single Sign-On authentication status is maintained through sessions
within the web browsers. When web applications share the same browser session, the authentication state with
BMC Atrium Single Sign-On is shared by these applications.
To use a different login ID without logging off BMC Atrium Single Sign-On, you must start a new session in the
web browser. The following table summarizes how to share current sessions and how to create new sessions
with the browsers supported by BMC Atrium Single Sign-On.
Session behavior in supported browsers
Browser | Share Session | New Session
Firefox 4 | New tab, Ctrl-N for new window, or launch from Start menu or shortcut |
Internet Explorer 7 | New tab, Ctrl-N to create a new window, or launch new browser from Start menu or shortcut |
Internet Explorer 8 | New tab, Ctrl-N to create a new window, or launch new browser from Start menu or shortcut |
Internet Explorer 9 | New tab, Ctrl-N to create a new window, or launch new browser from Start menu or shortcut |
When BMC products launch a new application, the applications use the process needed to ensure a shared session and a seamless experience.
4.6 Certificates
The default Tomcat server used by BMC Atrium Single Sign-On uses a keystore and a truststore for secure
(HTTPS/TLS/SSL) communications. These communications occur in the following cases:
Accessing the admin console
Users logging in to or out of the system
Accessing an external LDAP server over TLS/SSL
Exchanging SAMLv2 metadata
Authenticating users with CAC
The keystore contains the information used to identify the BMC Atrium Single Sign-On server to remote servers
and users. The truststore is used to hold the certificates of remote servers, users and signing authorities that are
to be trusted by the BMC Atrium Single Sign-On server.
These files are stored in the following directory:
<installationDirectory>/BMC Software/AtriumSSO/tomcat/conf
The initial keystore created during the installation uses a self-signed certificate. This certificate causes browsers
and other programs to warn users about the insecure nature of the certificate each time the user authenticates.
This certificate warning can be prevented by doing one of the following:
Permanently importing the self-signed certificate into the user's truststore.
Obtaining and importing a signed identity certificate from a trusted Certificate Authority (CA).
The CA vouches for the authenticity of the server's identity when the user visits BMC Atrium Single Sign-On for
authentication. In this case, the user has an established trust relationship with the CA, and this relationship is
extended to BMC Atrium Single Sign-On after a digitally signed identity certificate is imported.
The keytool utility is used to obtain a CSR, to obtain a signed certificate, and to import the signed certificate in
order to replace the self-signed certificate. This tool is available with Oracle JDKs and BMC Atrium Single
Sign-On.
Note
When importing the newly signed certificates, you must first import the CA root certificates and
intermediate certificates, if required.
This chaining creates the perception of a merged authority despite the reality of multiple, disparate
systems that are actually employed.
Authentication chains allow the combination of authentication modules to process authentication requests. One
of the best uses for combining modules is to merge different authentication schemes to appear as a single
authentication scheme.
For example, when two departments have their own LDAP servers, these two servers could be put into a single
chain and users would appear to validate against a single authority.
The processing of the chain to determine the overall status of authentication is controlled by the criteria specified for each of the modules in the chain. The following figure illustrates authentication chaining where authentication modules are tried in an ordered sequence.
The overall status is successful if all of the Required and Requisite modules pass before either the end of the chain
or the first successful Sufficient module. When there are no Required or Requisite modules, then at least one
Sufficient or Optional module must authenticate the user. See Managing authentication modules (see page 271).
For the example in the figure above, the chaining process for three LDAP servers combined into a single authority would be:
1. Check with LDAP A
Pass: Stop processing and accept user
Fail: Proceed to next
2. Check with LDAP B
Pass: Stop processing and accept user
Fail: Proceed to next
3. Check with LDAP C
Pass: Stop processing and accept user
Fail: Stop processing and reject user
With this configuration, the first LDAP server is presented the user credentials for authentication. If the authentication succeeds, then processing stops with the user being authenticated. If the user is not within the first LDAP server, then the credentials are passed to the second LDAP server. Each server is checked in the sequence specified until either the user passes and is considered successfully authenticated, or the user fails to authenticate and is rejected.
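The chain evaluation described above, as runnable code. This is an added example, not BMC's implementation: the directories, user names and the Requisite lockout module are constructed, and the JAAS-style distinction that a failed Required module lets the chain continue while a failed Requisite module stops it immediately is an assumption the page does not spell out.

```python
"""Authentication-chain evaluator: Required / Requisite / Sufficient / Optional.

Constructed example, not BMC code. Module outcomes come from in-memory
dictionaries standing in for the LDAP servers of the page's example.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Set, Tuple


class Flag(Enum):
    REQUIRED = "required"      # must pass; on failure the chain continues but ends in rejection
    REQUISITE = "requisite"    # must pass; on failure the chain stops at once and rejects
    SUFFICIENT = "sufficient"  # a pass accepts the user unless a mandatory module already failed
    OPTIONAL = "optional"      # counts only when the chain has no Required/Requisite modules


@dataclass
class Module:
    name: str
    flag: Flag
    authenticate: Callable[[str, str], bool]  # (user, password) -> pass/fail


def evaluate_chain(chain: List[Module], user: str, password: str) -> Tuple[bool, List[str]]:
    """Run the chain in order and return (accepted, trace).

    Rules as the page states them: all Required and Requisite modules must pass
    before the end of the chain or the first successful Sufficient module; with no
    Required or Requisite modules, at least one Sufficient or Optional module must
    pass. Assumption (JAAS-style): a failed Required module lets later modules run,
    a failed Requisite module stops the chain immediately.
    """
    has_mandatory = any(m.flag in (Flag.REQUIRED, Flag.REQUISITE) for m in chain)
    mandatory_failed = False
    optional_passed = False
    trace: List[str] = []

    for module in chain:
        ok = module.authenticate(user, password)
        trace.append(f"{module.name}[{module.flag.value}]: {'pass' if ok else 'fail'}")

        if module.flag is Flag.REQUISITE and not ok:
            trace.append("stop: requisite module failed, reject user")
            return False, trace
        if module.flag is Flag.REQUIRED and not ok:
            mandatory_failed = True  # keep going, but the outcome is already decided
        if module.flag is Flag.SUFFICIENT and ok and not mandatory_failed:
            trace.append("stop: sufficient module passed, accept user")
            return True, trace
        if module.flag is Flag.OPTIONAL and ok:
            optional_passed = True

    accepted = (not mandatory_failed) if has_mandatory else optional_passed
    trace.append(f"end of chain: {'accept' if accepted else 'reject'} user")
    return accepted, trace


def ldap_bind(directory: Dict[str, str]) -> Callable[[str, str], bool]:
    """Stand-in for an LDAP simple bind against one directory (constructed data)."""
    def authenticate(user: str, password: str) -> bool:
        return directory.get(user) == password
    return authenticate


# Constructed directories: each department's LDAP server knows only its own users.
LDAP_A = {"alice": "a-pass"}
LDAP_B = {"bob": "b-pass"}
LDAP_C = {"carol": "c-pass"}

# The page's example: three LDAP servers merged into one apparent authority.
# Each module is Sufficient, so a pass accepts immediately and a fail moves on.
THREE_LDAP_CHAIN = [
    Module("LDAP A", Flag.SUFFICIENT, ldap_bind(LDAP_A)),
    Module("LDAP B", Flag.SUFFICIENT, ldap_bind(LDAP_B)),
    Module("LDAP C", Flag.SUFFICIENT, ldap_bind(LDAP_C)),
]

# Variation (constructed): a Requisite lockout check stops the chain for locked
# accounts; LDAP A is Required, so a pass in the Optional LDAP C cannot rescue a
# user that LDAP A rejects.
LOCKED_ACCOUNTS: Set[str] = {"bob"}
MIXED_CHAIN = [
    Module("Lockout check", Flag.REQUISITE, lambda user, _pw: user not in LOCKED_ACCOUNTS),
    Module("LDAP A", Flag.REQUIRED, ldap_bind(LDAP_A)),
    Module("LDAP C", Flag.OPTIONAL, ldap_bind(LDAP_C)),
]


if __name__ == "__main__":
    for chain_name, chain in (("three-LDAP", THREE_LDAP_CHAIN), ("mixed", MIXED_CHAIN)):
        for user, pw in (("alice", "a-pass"), ("carol", "c-pass"), ("bob", "b-pass"), ("mallory", "x")):
            accepted, trace = evaluate_chain(chain, user, pw)
            print(f"{chain_name} chain, {user}: {'ACCEPT' if accepted else 'REJECT'}")
            for line in trace:
                print("   ", line)
```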
When configured, BMC Atrium Single Sign-On server nodes communicate with each other through the LDAP and HTTPS ports. These ports are specified during installation. The following figure shows the communication between the nodes and the load balancer.
Communication between BMC Atrium Single Sign-On nodes and a load balancer
5 Planning
The following topics provide information and instructions for planning a BMC Atrium Single Sign-On installation
and configuration:
Note
All products that run in BMC Remedy AR System support BMC Atrium Single Sign-On including AR
System Mid-tier products (BMC Remedy ITSM, BMC Atrium Core, BMC Atrium CMDB, and so on), BMC
Atrium Dashboard and Analytics, BMC IT Business Management Suite, BMC ProActive Performance
Management (version 9.0), and BMC Capacity Optimization.
Checking the compatibility matrix for system requirements and supported configurations
End-to-end BMC Atrium Single Sign-On process
BMC Atrium Single Sign-On using SAMLv2 deployment example (see page 31)
Note
To access the product compatibility information on the Customer Support website, you must have a
Support login.
1. Review the information that you need to understand prior to installing, such as the What's new (see page
12), Key concepts (see page 20), Planning (see page 29), Preparing for installation topics.
2. Install BMC Atrium Single Sign-On. See Installing (see page 40) for the different installation options, such
as High Availability (HA).
3. Install other BMC products for integrating with BMC Atrium Single Sign-On.
For information about integrating and configuring BMC Remedy AR System version 8.1, see Installing
BMC Atrium Single Sign-On with the AR System server and Mid Tier (see page 79).
For information about integrating and configuring BMC Remedy AR System version 8.0, see
Integrating BMC Atrium Single Sign-On with AR System Version 8.0.00.
For information about other BMC product integration, such as BMC Dashboards and Analytics for
BSM, see Integrating.
4. Configure your method of authentication. See Configuring after installation. The following are the
authentication module sections:
Using AR for authentication
Using SAMLv2 for authentication
Using Kerberos for authentication (see page 132)
Using CAC for authentication
Using LDAP (Active Directory) for authentication
Using RSA SecurID for authentication
5. If you implement multiple authentication methods, see Managing authentication modules (see page 271).
6. Create and manage users and user groups. See Managing users (see page 264) and Managing user groups
(see page 268).
Note
Although SAMLv2 supports both IdP-initiated single sign-on and SP-initiated single sign-on, SP-initiated
single sign-on is essential to allow specific use cases for deep linking to specific pages and resources in
the applications (for example, a notification URL that contains a link to a specific BMC Remedy ITSM
form and record).
Configuration of SAMLv2 integration is largely the exchange of SAMLv2 metadata between your environment and
the BMC Remedy environment. You provide IdP metadata, which defines the URLs that you use for SAMLv2, and
the certificate used for validation of assertions. The BMC Remedy infrastructure provides SP metadata to allow
you to preregister the BMC Remedy SP in your SAMLv2 infrastructure as required.
For more information about SAMLv2, see Using SAMLv2 for authentication.
The following sequence diagram illustrates the flow of events and the interaction between components for single
log off (SLO):
Single log off sequence diagram
A load balancer or reverse proxy is placed in front of the application servers and routes inbound connections to the appropriate target web server. Load balancers are used to distribute the workload and optimize application performance. Reverse proxies are used to distribute the workload, optimize application performance, and hide the existence and characteristics of internal servers.
BMC Remedy Mid Tier is deployed on a separate virtual machine (VM).
A second BMC Remedy Mid Tier and the BMC Atrium Single Sign-On server are deployed on another VM but on two different Apache Tomcat servers.
BMC Dashboards for Business Services Management and BMC Analytics for Business Services Management
are deployed on two different VMs to avoid performance issues.
You deploy the browser and the SAMLv2 IdP server from your environment.
Note
Review the Deployment parameters (see page 38) list before starting the deployment tasks.
Step | Task
1. |
2. |
3. |
4. |
5. | Run the SSOARIntegration utility on the AR System server (see page 88).
6. | Run the SSOMidtierIntegration utility on the BMC Remedy Mid Tier (see page 92).
7. | Configure group mapping for the AR System and BMC Atrium Single Sign-On (see page 91).
8. | Configure the BMC Atrium Single Sign-On server for AR System (see page 97).
Note: Although the AR authentication module should be configured, you must delete the AR user stores when using SAMLv2 for authentication. The AR data store is not needed for authentication in a SAMLv2 deployment.
9. |
10. | Configure BMC Atrium Single Sign-On to use SAMLv2 authentication with BMC Atrium Single Sign-On as a Service Provider and a remote Identity Provider.
Note: Each time a BMC product is integrated (steps 10-12) with the BMC Atrium Single Sign-On Service Provider, the J2EE agent configuration must be modified so that the integrating product can function in Federated Single Sign-On.
11. | (Optional) Integrate BMC Dashboards for Business Service Management (see page 198) and configure it.
Note: For more information, see the BMC Dashboards for Business Service Management Installation Guide at PDFs.
12. | (Optional) Integrate BMC Analytics for Business Service Management (see page 199) and configure it.
Note: For more information, see Installing.
13. |
Important
BMC recommends that you install the BMC Remedy Mid Tier, BMC Remedy AR System server, and BMC
Atrium Single Sign-On server on separate computers.
However, if you do install more than one BMC Product on the same computer, ensure that the HTTP,
HTTPS, and Shutdown port numbers are different.
The following parameters are set in deployment of the following BMC Products and BMC Atrium Single Sign-On
authentication:
BMC Remedy AR System
BMC Remedy Mid Tier
BMC Atrium Single Sign-On
SAMLv2 authentication where BMC Atrium Single Sign-On is configured as an SP with a remote IdP.
BMC Dashboards for BSM
BMC Analytics for BSM
Product
install/configuration
Parameters
Description
AR System installation
Planning spreadsheet
The Fully Qualified Domain Name (FQDN) for the host. For example, ssoserver.bmc.com.
If BMC Atrium Single Sign-On is installed on the same computer as another BMC Product,
provide port numbers that are different from the other BMC Product.
Cookie domain
The cookie name is the name of the cookie that the agent checks for the SSO session token. It should match the cookie name in the server configuration. For example, atsso_bmc_com.
The password for the BMC Atrium Single Sign-On server. Default: amadmin
AR Server Name
AR System integration
AR Server User
AR Server Password
AR Server Port
URL for the BMC Atrium Single Sign-On server. For example,
https://ssoserver.bmc.com:8443/atriumsso
truststore
truststore-password
force
(Optional) If "Yes" is provided, the utility does not wait for the user to shut down the web server (if not done already) when the web server is other than Tomcat or JBoss. Default: No
AR Server Name
The AR Server name from the AR System integration. For example, arsystemserver.bmc.com.
AR Server User
The AR Server user from the AR System integration. For example, Demo.
AR Server Password
The AR Server password from the AR System integration. For example, Demo.
AR Server Port
Container Type
The Mid Tier URL if a load balancer is not implemented. Otherwise, the load balancer URL. Be
sure the server name is provided with fully qualified domain name and port is also provided in
the URL.
For example, http://midtierloadbalancer.bmc.com:8080/arsys
webserverhomedirectory
JREInstallDirectory
MidtierHome
serverinstancename
instanceconfigdirectory
weblogicdomainhome
The BEA domain home is required for the WebLogic web application.
AR System external
authentication group
mapping for SSO
AR Group Name
LDAP Group Name
Administrator
BmcAdmins
Dashboards installation
Fully qualified host name of the BMC Atrium Single Sign-On server.
Port numbers used by the BMC Atrium Single Sign-On server. If BMC Atrium Single Sign-On is
installed on the same computer as another BMC Product, provide port numbers that are
different from the other BMC Product.
Administrator login name and password
User name and password for the BMC Atrium Single Sign-On server administrator.
Analytics installation
SAMLv2 authentication
BMC Dashboards
User name and password of the BMC Dashboards for BSM administrator user. This user must
Fully qualified host name of the BMC Atrium Single Sign-On server.
Port Number
Port numbers used by the BMC Atrium Single Sign-On server. If BMC Atrium Single Sign-On is installed on the same computer as another BMC Product, provide port numbers that are different from the other BMC Product.
User name and password for the BMC Atrium Single Sign-On server administrator.
The metadata file for the remote Identity Provider (IdP). For example, sso-idp.xml.
Login and logout URIs are the locations that the agent will send the users browsers when the
specified function is needed.
6 Installing
The BMC Atrium Single Sign-On server component is available for download from the BSM EPD site at
http://webapps.bmc.com/epd or can be found in the BMC Atrium Shared Components box.
The typical method for integrating BMC Atrium Single Sign-On with BMC Remedy AR System or any other BMC product is to:
Important
BMC recommends that you install the BMC Remedy Mid Tier, BMC Remedy AR System server, and BMC
Atrium Single Sign-On server on separate computers.
However, if you do install more than one BMC Product on the same computer, ensure that the HTTP,
HTTPS, and Shutdown port numbers are different.
The following topics provide information and instructions for installing BMC Atrium Single Sign-On:
Warning
If you have not met all of the requirements before you begin the installation, you might have issues with the installation. You must fulfill the requirements on this page before you begin the installation.
Limitation
Do not deploy BMC Atrium Single Sign-On on a Network File System (NFS) file system.
Memory requirements
If you are installing BMC Atrium Single Sign-On on an external Tomcat server, 1024K of RAM is required. For an external Tomcat 7 server and JDK 1.7, increase memory by an additional 20% for a minimum of 1.2 MB.
System requirements
If you are installing BMC Atrium Single Sign-On on Red Hat Enterprise Linux (RHEL) 6.x, you must install the
following 32-bit RPM packages to make 32-bit JRE support and the user interface available to the installer:
Glibc.i686
libXtst.i686
Firewalls
The ports that you selected when you installed the BMC Atrium Single Sign-On server must be accessible from
the clients that are authenticated through the server. Configure the firewalls to allow access to the HTTPS port
used for authentication, as well as the LDAP and Apache MQ ports in the nodes of a cluster.
Files to download
The following table provides the product files available on the BMC EPD website for BMC Atrium Single Sign-On.
You can find the installer and documentation related to BMC Atrium Single Sign-On version 8.1.00.03 on the
Products tab itself.
Note
BMC Atrium Single Sign-On is provided with the ESM solution suites. On the BMC EPD website, you must visit the download sections for BMC Remedy IT Service Management, BMC ProactiveNet Performance Management, BMC BladeLogic Automation, or BMC Application Management suites to obtain the latest version of BMC Atrium Single Sign-On.
You can download the latest installer files from any of the ESM solution suites on the EPD web site. For example,
BMC Remedy IT Service Management Suite > BMC Remedy IT Service Management Suite 8.1.00 -
OperatingSystem > BMC Atrium Single Sign-On Version 8.1.00 for OperatingSystem
Hyperlink on EPD page
BMCAtriumSSO8.1.00.03.windows.zip
BMCAtriumSSO8.1.00.03.solaris.tar.gz
BMCAtriumSSO8.1.00.03.linux.tar.gz
BMCAtriumSSO_8.1_Patch3_Help.zip
This zip file contains an archived version of the online documentation for BMC Atrium Single Sign-On 8.1. For the
latest and most comprehensive content, see the BMC Online Technical Documentation portal (docs.bmc.com) for
this release.
Note
The installation files for BMC Atrium Single Sign-On versions 8.1.00.02 have been replaced with the
installation files for version 8.1.00.03, and can no longer be downloaded from the EPD site. Patch 3 for
BMC Atrium Single Sign-On 8.1.00 (8.1.00.03) is a full installation and includes the fixes that were
available in Patch 1 and Patch 2 (8.1.00.01 and 8.1.00.02). You can download the Patch 3 installation files
from the BMC EPD site and perform your normal installation.
Note
On Microsoft Windows computers, ensure that the directory is only one level into the directory
structure. The EPD package creates a directory in the temporary directory when you extract the
files, and the directory that contains the installation image should not be in a directory deeper
than two levels into the directory structure.
2. Go to http://www.bmc.com/available/epd.html.
3. At the logon prompt, enter your user ID and password, and click Submit.
4. On the Export Compliance and Access Terms page, provide the required information, agree to the terms of
the agreements, and click Continue.
5. If you are accessing this site for the first time, create an EPD profile to specify the languages and platforms
that you want to see, per the EPD site help; otherwise, skip to step 6.
6. Verify that the correct profile is displayed for your download purpose, and select the Licensed Products
tab.
Note
BMC Atrium Single Sign-On 8.1.00 Patch 3 (8.1.00.03) installation files are available on the
Licensed Products tab.
7. Locate the solution for which you are using BMC Atrium Single Sign-On, such as BMC Remedy IT Service
Management Suite, and expand its entries.
Note
Because BMC Atrium Single Sign-On is part of the ESM solution suites, you must visit the download sections for BMC Remedy IT Service Management, BMC ProactiveNet Performance Management, BMC BladeLogic Automation, or BMC Application Management suites to obtain the latest version of BMC Atrium Single Sign-On. The steps in this procedure use BMC Remedy IT Service Management.
8. Expand the BMC Remedy IT Service Management Suite 8.1.00 directory for the appropriate platform and
language.
9. Expand the BMC Atrium Single Sign-On Version 8.1.00 for OperatingSystem directory for the appropriate
platform and language.
10. Select the check boxes next to the files and documents that you want to download.
11. Click Download (FTP) or Download Manager:
Download (FTP) places the selected items in an FTP directory, and the credentials and FTP
instructions are sent to you in an email message.
BMC Software Confidential
Download Manager enables you to download multiple files consecutively and to resume an
interrupted download if the connection drops.
This method requires a one-time installation of the Akamai NetSession client program on the target
computer and is usually the faster and more reliable way to transfer files. A checksum operation is
used to verify file integrity automatically.
Reference
To integrate BMC Atrium Single Sign-On with Terminal Services. If you are using Terminal Services to
install BMC Atrium Single Sign-On, you must configure the Terminal Services parameters prior to
installation.
To install BMC Atrium Single Sign-On with AR System and Mid Tier. These installation instructions are
for BMC Atrium Single Sign-On, AR System, and Mid Tier version 8.1 and later.
To integrate BMC Atrium Single Sign-On with the AR System (version 8.0.00 only) after BMC Remedy
To install BMC Atrium Single Sign-On on an external Tomcat server and enable FIPS-140 mode.
1. Configuring an external Tomcat instance for FIPS-140 (see page 76)
2. Installing BMC Atrium Single Sign-On on an external Tomcat server (see page 72)
3. Configuring FIPS-140 mode (see page 251)
Note
If you do not configure these items before you run the installer, an installer panel appears listing the
steps required to handle these issues.
1. From the Windows Start menu, click Control Panel; then double-click System.
2. Click the Advanced tab.
3. In the Performance area, click Settings.
4. On the Data Execution Prevention tab, check whether the Turn on DEP for all programs and services except those I select option is selected.
If the Turn on DEP for essential Windows programs and services only option is selected, no configuration is
required.
Note
If you do not select the Turn on DEP for all programs and services except those I select option,
and then perform the remaining steps in this procedure, the installer might not run correctly.
5. If the Turn on DEP for all programs and services except those I select option is selected, click Add.
6. Browse to the executable, and then click Open.
The installation program appears in the DEP program area.
7. Click Apply; then click OK.
8. (optional) Restart the computer.
Note
The BMC Atrium Single Sign-On Tomcat server cannot be shared with any product (for example, the AR
System server or the BMC Remedy Mid Tier) that integrates with BMC Atrium Single Sign-On. BMC
recommends that you install BMC Atrium Single Sign-On on a different computer than the computer
where you plan to install a BMC product (for example, the AR System server or the BMC Remedy Mid
Tier).
Clustered Atrium Single Sign-On Server: implemented as a redundant system with session failover. A clustered install requires at least two nodes. For more information, see Installing BMC Atrium Single Sign-On as a High Availability cluster (see page 55).
8. Verify that Install New Tomcat is selected, and then click Next.
The Tomcat server options are:
Install New Tomcat (default)
Use External Tomcat. See Installing BMC Atrium Single Sign-On on an external Tomcat server (see
page 72) to install with this option.
Note
When installing on Linux servers, you must configure JVM for Tomcat after the installation. For
more information about configuring JVM, see Configuring a JVM for the Tomcat Server (see page
77).
9. Accept the default Tomcat HTTP port number (8080), HTTPS port number (8443), and Shutdown port
number (8005), or enter different port numbers, and then click Next. If any of the port numbers are
incorrect, a panel identifies the incorrect port number and requires you to return to the previous page to
correct the values before proceeding with the installation.
Note
When installing on Linux servers, ports below 1024 are privileged: selecting one requires the server to run as root, or you must use a port forwarding mechanism to map the privileged port to an unprivileged Tomcat port.
Note
The higher the level of the selected parent domain, the higher the risk of user impersonation.
Top-level domains are not supported (for example, com or com.ca ).
You cannot use sibling domains or cross-domains with BMC Atrium Single Sign-On. For example,
installing the BMC Atrium Single Sign-On server in the remedy.com domain and the AR System
server in the bmc.com domain is not supported. You must move all your computers into the same
domain.
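The cookie-domain rules in the note above (the SSO server's own network domain or a parent of it, no top-level domains or public suffixes, no sibling or cross domains) can be checked before the installer asks for the value. The following Python is an added example, not part of the BMC documentation or product; the hostnames and the short public-suffix list in it are constructed for illustration, and a real check should consult the full Public Suffix List.

```python
"""Pre-flight check for the BMC Atrium SSO cookie domain.

Added example, not BMC's code. It applies the rules from the installation
note: the Domain must be the SSO server's network domain or one of its
parents, must not be a top-level domain or public suffix, and must cover
every integrated host (no sibling or cross domains). The suffix list and
all hostnames here are constructed for illustration.
"""
from dataclasses import dataclass

# Illustrative stand-in for the Public Suffix List (publicsuffix.org); a real
# check should load the full list, which is far longer than these entries.
PUBLIC_SUFFIXES = frozenset({"com", "net", "org", "ca", "com.ca", "co.uk", "ac.uk"})


@dataclass
class CookieDomainCheck:
    ok: bool
    reason: str
    levels_above_sso_domain: int  # 0 = exact network domain; higher = broader cookie scope


def _labels(name: str) -> list[str]:
    return name.strip().lower().strip(".").split(".")


def _is_within(host: str, domain: str) -> bool:
    """True if host equals domain or is a subdomain of it."""
    h, d = _labels(host), _labels(domain)
    return len(h) >= len(d) and h[-len(d):] == d


def validate_cookie_domain(sso_host: str, app_hosts: list[str], cookie_domain: str) -> CookieDomainCheck:
    domain = ".".join(_labels(cookie_domain))
    if domain in PUBLIC_SUFFIXES or len(_labels(domain)) < 2:
        return CookieDomainCheck(False, f"{domain!r} is a top-level domain or public suffix; not supported", 0)
    # The SSO server's own network domain: the host name with its first label removed.
    sso_domain = ".".join(_labels(sso_host)[1:])
    if not _is_within(sso_domain, domain):
        return CookieDomainCheck(False, f"{domain!r} is neither the SSO server's domain ({sso_domain!r}) nor a parent of it", 0)
    for host in app_hosts:
        if not _is_within(host, domain):
            return CookieDomainCheck(False, f"{host!r} is in a sibling or cross domain relative to {domain!r}; move it into the same domain", 0)
    levels = len(_labels(sso_domain)) - len(_labels(domain))
    if levels == 0:
        return CookieDomainCheck(True, "ok: cookie scoped to the SSO server's own domain", 0)
    # Every host under a parent domain receives the SSO cookie, so a compromised host
    # anywhere under it can replay the session: the "user impersonation" risk in the note.
    return CookieDomainCheck(True, f"ok, but {levels} level(s) above the SSO domain: every host under {domain!r} receives the SSO session cookie", levels)
```

The third field is the practical risk indicator: each level you move up from the SSO server's own domain widens the set of hosts that receive the session cookie, which is why the note ties the impersonation risk to the level of the parent domain.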
BMC Atrium Single Sign-On 8.1
11. Enter a strong administrator password (at least 8 characters long), confirm the password, and then click
Next.
The default SSO administrator name is amadmin.
Note
Passwords with special characters must be specified in quotes.
14. (Optional) Create an administrative user account for BMC Products to perform search functions on the
user store (for example, to list user names and emails).
If you are using the BMC Atrium Single Sign-On server's internal LDAP, assign the BMCSearchAdmins
group to the new user account.
If you are using an external system for authentication (such as AR System, LDAP, or Active Directory),
assign the BmcSearchAdmins group to either an already existing user account or a new user
account.
6.5.1 HA prerequisites
BMC Atrium Single Sign-On HA requires the following:
An installed load balancer.
The load balancer must support HTTP traffic.
The load balancer must be configured for HTTP session sticky mode.
The load balancer must be configured for HTTPS communication.
Note
HTTP session sticky mode ensures that, after a client's first request, the load balancer keeps routing that client's subsequent requests to the same BMC Atrium Single Sign-On server (except after a node failure).
2. Installing additional nodes for an HA cluster on a new Tomcat server (see page 63) or Installing additional
nodes for an HA cluster on an external Tomcat server (see page 70).
Note
After installing BMC Atrium Single Sign-On in HA mode, verify that the cookie name is the same on all the nodes. For more information about verifying the cookie name, see Managing nodes in a cluster (see page 273).
Note
In some cases, restarting the BMC Atrium Single Sign-On server, purging the browser cache, and clearing cookies do not resolve a multiple-redirects error. In that case, reboot the operating system.
6.5.5 Installing the first node for an HA cluster on a new Tomcat server
The following provides information and instructions for installing the first node for an HA cluster on a new
Tomcat.
Before you begin (see page 57)
To install the first node for an HA cluster on a new Tomcat (see page 58)
Where to go from here (see page 63)
If there is already an installation of BMC Atrium Single Sign-On on the target computer, the installer will
not allow another installation. Uninstall the existing version.
Prepare to run the installation program for your operating system.
For example, you must update Terminal Services configuration options and configure the DEP feature if
you are using Windows. For more information, see Configuring Terminal Services and DEP parameters.
You must have a network load balancer configured for creating an HA cluster.
Important
The BMC Atrium Single Sign-On Tomcat server cannot be shared with any product (for example, the AR
System server or the BMC Remedy Mid Tier) that integrates with BMC Atrium Single Sign-On. BMC
recommends that you install BMC Atrium Single Sign-On on a different computer than the computer
where you plan to install a BMC product (for example, the AR System server or the BMC Remedy Mid
Tier).
Important
This file is needed when subsequent nodes are added to the cluster. It contains sensitive cluster configuration information that is used when installing those nodes, so protect it accordingly.
8. Enter the LDAP port number (8091), LDAP replication port (8092), LDAP administration port (8093), and
click Next.
As you are installing BMC Atrium SSO in a cluster environment, you must use the load balancer
URL mentioned in this step for integration with other products. For example, when you are
integrating BMC Atrium SSO with BMC Remedy Mid Tier, you must add the load balancer URL
instead of the BMC Atrium SSO server URL. For more information, see Running the
SSOMidtierIntegration utility on the Mid Tier (see page 92).
10. Verify that Install New Tomcat is selected and click Next.
Note
The BMC Atrium Single Sign-On Tomcat server cannot be shared with any product that integrates
with BMC Atrium Single Sign-On. BMC recommends that BMC Atrium Single Sign-On be the only
application on the Tomcat server.
11. Accept the default Tomcat server HTTP port number (8080), HTTPS port number (8443), and Shutdown
port number (8005), or enter different port numbers, and click Next.
If any of the port numbers are incorrect, a pop-up menu identifies the incorrect port number and allows
you to modify the selection.
12. Enter a cookie domain and click Next.
The domain value of the cookie should be the network domain of BMC Atrium Single Sign-On or one of its
parent domains.
Important
The higher the level of the selected parent domain, the higher the risk of user
impersonation.
You cannot use sibling domains or cross-domains with BMC Atrium Single Sign-On. For
example, installing the BMC Atrium Single Sign-On server in the remedy.com domain and
the AR System server in the bmc.com domain is not supported. You must move all your
computers into the same domain.
13. Enter a strong administrator password, confirm the password, and click Next.
The default administrator name is amadmin.
Note
The browsers display this warning because you have not yet configured the SSO
authentication as a trusted provider.
c. Confirm that you can view the BMC Atrium Single Sign-On login panel.
d. Log on with the SSO administrator name (for example, amadmin) and password.
The BMC Atrium SSO Admin Console appears.
(Click the image to expand it.)
16. Verify that your BMC Atrium Single Sign-On installation was successful by accessing the SSO load balancer.
For example:
https://ssoloadbalancer.bmc.com:8443/atriumsso
The BMC Atrium SSO login screen appears. After you log on, the SSO server appears in the HA Nodes List.
17. (Optional) Create an administrative user account for BMC Products to perform search functions on the
user store (for example, to list user names and emails).
If you are using the BMC Atrium Single Sign-On server's internal LDAP, assign the BMCSearchAdmins
group to the new user account.
If you are using an external system for authentication (such as AR System, LDAP, or Active Directory),
assign the BmcSearchAdmins group to either an already existing user account or a new user
account.
Important
The BMC Atrium Single Sign-On Tomcat server cannot be shared with any product (for example, the AR
System server or the BMC Remedy Mid Tier) that integrates with BMC Atrium Single Sign-On. BMC
recommends that you install BMC Atrium Single Sign-On on a different computer than the computer
where you plan to install a BMC product (for example, the AR System server or the BMC Remedy Mid
Tier).
2. Copy the cluster configuration file (created during the first node's installation) to the Disk1 directory of the extracted files before installing BMC Atrium Single Sign-On on the node.
Note
The installation and configuration information of the first node is used when installing additional
nodes.
Note
The BMC Atrium Single Sign-On Tomcat server cannot be shared with any product that integrates
with BMC Atrium Single Sign-On. BMC recommends that BMC Atrium Single Sign-On be the only
application on the Tomcat server.
12. Accept the default Tomcat server HTTP port number (8080), HTTPS port number (8443), and Shutdown
port number (8005), or enter different port numbers, and click Next.
If any of the port numbers are incorrect, a pop-up menu identifies the incorrect port number and allows
you to modify the selection.
13. Review the installation summary and click Install.
After the second node has been successfully installed, additional nodes can be added to the cluster by
using the file created during the first installation.
14. Verify that your BMC Atrium Single Sign-On installation was successful by accessing the BMC Atrium Single
Sign-On URL.
a. Navigate to Start > All Programs > BMC Software > BMC Atrium SSO > Administrator to launch the
BMC Atrium SSO Admin Console .
The URL to open the BMC Atrium SSO Admin Console is:
https://<ssoServer>.<domain>:<port>/atriumsso/atsso/console/login/Login.html
For example:
https://ssoServer.bmc.com:8443/atriumsso/atsso/console/login/Login.html
b. When you are prompted that you are connecting to an untrusted connection, add the exception and
then continue.
Note
Browsers display this warning because you have not yet configured the SSO authentication
as a trusted provider.
c. Confirm that you can view the BMC Atrium Single Sign-On login panel.
d. Log on with the SSO administrator name (for example, amadmin) and password.
The BMC Atrium SSO Admin Console appears.
(Click the image to expand it.)
15. Verify that your BMC Atrium Single Sign-On installation was successful by accessing the SSO load balancer.
For example:
https://ssoloadbalancer.bmc.com:8443/atriumsso
The BMC Atrium SSO login screen appears. After you log on, your SSO servers appear in the HA Nodes List.
16. (Optional) Create an administrative user account for BMC Products to perform search functions on the
user store (for example, to list user names and emails).
If you are using the BMC Atrium Single Sign-On server's internal LDAP, assign the BMCSearchAdmins
group to the new user account.
If you are using an external system for authentication (such as AR System, LDAP, or Active Directory),
assign the BmcSearchAdmins group to either an already existing user account or a new user
account.
6.5.7 Installing the first node for an HA cluster on an external Tomcat server
The following provides information and instructions for installing the first node for an HA cluster on an external
Tomcat.
Before you begin (see page 68)
To install BMC Atrium Single Sign-On on the first node for an external Tomcat (see page 68)
Where to go from here (see page 69)
To install BMC Atrium Single Sign-On on the first node for an external Tomcat
1. Run the installation program, autorun.
If autorun does not automatically launch the appropriate file, launch the setup executable located in the
Disk1 directory of the extracted files. This script automatically detects the appropriate subscript to execute.
(Microsoft Windows) Run setup.cmd
(UNIX) Run setup.sh
2. Accept the default destination directory, or browse to select a different directory, and click Next.
3. Enter the hostname if the provided name is incorrect and click Next.
4. Select Clustered Atrium SSO Server.
5. Select New Cluster Installation (First node), and click Next.
6. Enter a file name and location for storing the cluster configuration information and click Next.
This cluster configuration file is needed when subsequent nodes are added to the cluster.
Important
This file contains sensitive information.
7. Enter the LDAP port and LDAP replication port, and click Next.
Note
The BMC Atrium Single Sign-On Tomcat server cannot be shared with any product that integrates
with BMC Atrium Single Sign-On. BMC recommends that BMC Atrium Single Sign-On be the only
application in the Tomcat server.
10. Enter the Tomcat server directory at the prompt and click Next.
11. At the Tomcat Application Server Selection panel, enter the path to the Tomcat server.
After the path is entered, the installer verifies that:
The directory has a webapps directory that can be written to.
The main program, tomcat6.exe, is present (even on UNIX).
The server.xml file contains a Connector with port and secure defined and scheme set to https. The
installer parses important information from this Connector entry and stores it.
The installer deploys the BMC Atrium Single Sign-On web application to the Tomcat server, asking
that you start or stop it when necessary.
12. Enter additional information at the prompts. Be prepared with information about:
JDK directory location
Tomcat server port
BMC Atrium Single Sign-On Truststore certificate location and password
BMC Atrium Single Sign-On Keystore password, alias, and certificate
BMC Atrium Single Sign-On cookie domain
BMC Atrium Single Sign-On administrator name and password
(Windows ) You will be asked whether your external Tomcat server is started using scripts or as a
Windows service.
13. Stop the Tomcat server.
14. After installation is complete, follow the installer directions to restart the Tomcat server.
The Tomcat server can now be used as the BMC Atrium Single Sign-On application server. If you make modifications to the server configuration, test each change to ensure that the BMC Atrium Single Sign-On application continues to function correctly.
15. Replace the existing certificate with a Certificate Authority (CA) signed identity certificate.
16. Verify that your BMC Atrium Single Sign-On installation was successful:
a. Launch the administrator console.
b. Confirm that you can view the BMC Atrium Single Sign-On login panel.
Note
The BMC Atrium Single Sign-On Tomcat server cannot be shared with any product that
integrates with BMC Atrium Single Sign-On. BMC recommends that BMC Atrium Single
Sign-On be the only application in the Tomcat server.
11. Enter the Tomcat server directory at the prompt and click Next.
12. At the Tomcat Application Server Selection panel, enter the path to the Tomcat server.
After the path is entered, the installer verifies that:
The directory has a webapps directory that can be written to.
The main program, tomcat6.exe, is present (even on UNIX).
The server.xml file contains a Connector with port and secure defined, with scheme set to https. The
installer parses important information from this Connector entry and stores it.
The installer deploys the BMC Atrium Single Sign-On web application to the Tomcat server, asking
that you start or stop it when necessary.
13. Enter additional information at the prompts. Be prepared with information about:
JDK directory location
Tomcat server port
BMC Atrium Single Sign-On Truststore certificate location and password
BMC Atrium Single Sign-On Keystore password, alias, and certificate
(Windows ) You will be asked whether your external Tomcat is started using scripts or as a Windows
service.
14. Stop the Tomcat server.
15. After installation is complete, follow the installer directions to restart the Tomcat server.
The Tomcat server can now be used as the BMC Atrium Single Sign-On application server. If you make modifications to the server configuration, test each change to ensure that the BMC Atrium Single Sign-On application continues to function correctly.
16. Replace the existing certificate with a Certificate Authority (CA) signed identity certificate.
17. Verify that your BMC Atrium Single Sign-On installation was successful:
a. Launch the administrator console.
b. Confirm that you can view the BMC Atrium Single Sign-On login panel.
The server.xml file contains a connector with port and secure defined and with scheme set to https.
The installer parses important information from this Connector entry and stores it.
As the installer deploys the BMC Atrium Single Sign-On web application to the Tomcat server, it will
ask that you start or stop it when necessary.
7. (Windows) You will be asked whether your external Tomcat server is started by using scripts or as a
Windows service. If the Tomcat server is started as a Windows service, enter the name of this service.
8. Enter additional information at the prompts.
Be prepared with information about:
JDK directory location
Tomcat HTTPS server port
Tomcat truststore certificate location and password
Tomcat keystore password, alias, and certificate
BMC Atrium Single Sign-On cookie domain
BMC Atrium Single Sign-On administrator name and password
9. Stop the Tomcat server.
10. During installation, follow the installer directions to restart the Tomcat server.
11. Verify that your BMC Atrium Single Sign-On installation was successful:
a. Launch the BMC Atrium Single Sign-On administrator console and confirm that you can view BMC
Atrium SSO Admin Console.
The Tomcat server can now be used as the BMC Atrium Single Sign-On application server. If you make modifications to the server configuration, test each change to ensure that the BMC Atrium Single Sign-On application continues to function correctly.
12. (Optional) Create an administrative user account for BMC Products to perform search functions on the user data store (for example, to list user names and emails).
If you are using the BMC Atrium Single Sign-On server's internal LDAP, assign the BMCSearchAdmins group to the new user account.
If you are using an external system for authentication (such as AR System, LDAP, or Active Directory), assign the BmcSearchAdmins group to either an already existing user account or a new user account.
//
// AtriumSSO additions for tomcat 6/7
//
// Note: this grant has no codeBase, so it applies to every class in the
// container when Tomcat runs with the SecurityManager (catalina.sh run -security).
// <<ALL FILES>> read/write/execute/delete, SocketPermission "*", createClassLoader
// and suppressAccessChecks together amount to full trust, so the SecurityManager
// adds little protection here. If it must stay enabled, scope the grant to the
// application instead, for example:
// grant codeBase "file:${catalina.base}/webapps/atriumsso/-" { ... };
grant {
    permission java.net.SocketPermission "*", "listen,connect,accept,resolve";
    permission java.util.PropertyPermission "*", "read, write";
    permission java.lang.RuntimePermission "modifyThreadGroup";
    permission java.lang.RuntimePermission "setFactory";
    permission java.lang.RuntimePermission "accessClassInPackage.*";
    permission java.util.logging.LoggingPermission "control";
    permission java.lang.RuntimePermission "shutdownHooks";
    permission javax.security.auth.AuthPermission "getLoginConfiguration";
    permission javax.security.auth.AuthPermission "setLoginConfiguration";
    permission javax.security.auth.AuthPermission "modifyPrincipals";
    permission javax.security.auth.AuthPermission "createLoginContext.*";
    permission java.io.FilePermission "<<ALL FILES>>", "read, write, execute, delete";
    permission java.util.PropertyPermission "java.util.logging.config.class", "write";
    permission java.security.SecurityPermission "removeProvider.SUN";
    permission java.security.SecurityPermission "insertProvider.SUN";
    permission javax.security.auth.AuthPermission "doAs";
    permission java.util.PropertyPermission "java.security.krb5.realm", "write";
    permission java.util.PropertyPermission "java.security.krb5.kdc", "write";
    permission java.util.PropertyPermission "java.security.auth.login.config", "write";
    permission java.util.PropertyPermission "user.language", "write";
    permission javax.security.auth.kerberos.ServicePermission "*", "accept";
    permission javax.net.ssl.SSLPermission "setHostnameVerifier";
    permission java.security.SecurityPermission "putProviderProperty.IAIK";
    permission java.security.SecurityPermission "removeProvider.IAIK";
    permission java.security.SecurityPermission "insertProvider.IAIK";
    permission java.lang.RuntimePermission "setDefaultUncaughtExceptionHandler";
    permission javax.management.MBeanServerPermission "newMBeanServer";
    permission javax.management.MBeanPermission "*", "registerMBean";
    permission java.lang.RuntimePermission "createClassLoader";
    permission java.lang.RuntimePermission "accessDeclaredMembers";
    permission java.lang.RuntimePermission "setContextClassLoader";
    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
    permission javax.security.auth.AuthPermission "getSubject";
    permission javax.management.MBeanTrustPermission "register";
    permission javax.management.MBeanPermission "*", "*";
    permission java.lang.management.ManagementPermission "monitor";
    permission javax.management.MBeanServerPermission "createMBeanServer";
    permission java.util.PropertyPermission "javax.xml.soap.MetaFactory", "write";
    permission java.util.PropertyPermission "javax.xml.soap.MessageFactory", "write";
    permission java.util.PropertyPermission "javax.xml.soap.SOAPConnectionFactory", "write";
    permission java.util.PropertyPermission "javax.xml.soap.SOAPFactory", "write";
    permission java.net.NetPermission "getProxySelector";
    permission java.security.SecurityPermission "getProperty.authconfigprovider.factory";
    permission java.security.SecurityPermission "setProperty.authconfigprovider.factory";
    permission javax.security.auth.AuthPermission "doAsPrivileged";
    permission javax.security.auth.AuthPermission "modifyPublicCredentials";
    permission java.security.SecurityPermission "insertProvider.XMLDSig";
    permission java.security.SecurityPermission "putProviderProperty.WSS_TRANSFORM";
    permission java.security.SecurityPermission "insertProvider.WSS_TRANSFORM";
    permission java.security.SecurityPermission "getProperty.ocsp.*";
};
-Dcom.sun.identity.configuration.directory=<tomcat-dir>\webapps\atriumsso\WEB-INF\config
-XX:PermSize=64m
-XX:MaxPermSize=256m
-Dcom.sun.identity.session.connectionfactory.provider=com.bmc.atrium.sso.opensso.extensions.ha.ConnectionFactoryProvi
Note
<truststore-canonical-name> and <keystore-canonical-name> are the full path and name to the
truststore and keystore that were created by the user for use by the Tomcat server.
3.
a. Duplicate the original file to create a FIPS version (named server.xml.fips) and non-FIPS version
(named server.xml.nofips).
b. In the new FIPS version of the file, use the following ciphers attribute to restrict the connector to a stronger set of suites (or use your own values):
ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
Note that RC4 and MD5 are not FIPS 140-2 approved algorithms; for a strictly FIPS profile, drop the two SSL_RSA_WITH_RC4_* suites and keep the AES and 3DES suites.
c. Add the XML comment to tag the file as FIPS-140: <!-- FIPS140 -->
4. Perform the following modifications to the java.security file for the non-FIPS and FIPS versions:
a. Duplicate the original file, creating java.security.nofips and java.security.fips versions.
b. In java.security.fips, make sure that the RSA JsafeJCE provider is the first one in the security providers list, with the remaining providers renumbered.
For example, the following list places the JsafeJCE provider at the top of the list with a key suffix of
1, while the providers after JsafeJCE are renumbered to follow the first. The
com.rsa.cryptoj.jce.kat.strategy and com.rsa.cryptoj.jce.fips140initialmode properties are placed
after the security providers list.
For those properties, use the exact values shown in the following example:
security.provider.1=com.rsa.jsafe.provider.JsafeJCE
security.provider.2=sun.security.provider.Sun
security.provider.3=sun.security.rsa.SunRsaSign
security.provider.10=sun.security.mscapi.SunMSCAPI
com.rsa.cryptoj.jce.kat.strategy=on.load
com.rsa.cryptoj.jce.fips140initialmode=FIPS140_SSL_MODE
BMC Atrium Single Sign-On uses RSA CryptoJ library (cryptoj.jar) for cryptographic functions. The RSA
CryptoJ library can be acquired from Support or through another BMC Atrium Single Sign-On installation
(using Tomcat/JVM).
2. Perform the following modifications to the java.security file.
Add a new line at the end of the provider definition list, and ensure that the provider is sequentially numbered:
security.provider.x=com.rsa.jsafe.provider.JsafeJCE
Note
The RSA provider can be the last provider in the security providers list, except when BMC Atrium Single
Sign-On is running in FIPS mode. For this configuration, the RSA provider must be first, with the
remaining ones renumbered.
security.provider.1=com.rsa.jsafe.provider.JsafeJCE
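Both java.security procedures above (JsafeJCE appended last for the non-FIPS variant; first, with the other providers renumbered and the two Crypto-J properties added, for the FIPS variant) come down to rewriting the security.provider.N block. The following Python does that rewrite; it is an added example, not BMC's or RSA's tooling, and the java.security excerpt it operates on is constructed and shortened for illustration.

```python
"""Rewrite the security.provider.N list of a java.security file.

Added example, not BMC's code. Places the RSA JsafeJCE provider last
(non-FIPS) or first (FIPS), renumbers the remaining providers sequentially,
and for FIPS appends the two Crypto-J properties named on the page directly
after the provider list. The sample java.security content below is a
constructed, shortened excerpt.
"""
import re

JSAFE = "com.rsa.jsafe.provider.JsafeJCE"
FIPS_PROPERTIES = (
    "com.rsa.cryptoj.jce.kat.strategy=on.load",
    "com.rsa.cryptoj.jce.fips140initialmode=FIPS140_SSL_MODE",
)
_PROVIDER_RE = re.compile(r"^security\.provider\.(\d+)=(\S+)$")

SAMPLE_JAVA_SECURITY = """\
# constructed excerpt of $JAVA_HOME/jre/lib/security/java.security
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=com.sun.net.ssl.internal.ssl.Provider
security.provider.4=com.sun.crypto.provider.SunJCE
securerandom.source=file:/dev/urandom
"""


def providers(java_security: str) -> list[str]:
    """Provider class names in numeric order."""
    numbered = []
    for line in java_security.splitlines():
        m = _PROVIDER_RE.match(line.strip())
        if m:
            numbered.append((int(m.group(1)), m.group(2)))
    return [cls for _, cls in sorted(numbered)]


def with_jsafe(java_security: str, fips: bool) -> str:
    """Return java.security text with JsafeJCE first (fips=True) or last (fips=False)."""
    order = [p for p in providers(java_security) if p != JSAFE]  # drop any existing entry
    order = [JSAFE] + order if fips else order + [JSAFE]
    new_block = [f"security.provider.{i}={cls}" for i, cls in enumerate(order, start=1)]
    if fips:
        new_block += list(FIPS_PROPERTIES)  # must follow the provider list
    out, inserted = [], False
    for line in java_security.splitlines():
        stripped = line.strip()
        # Replace the whole old provider block (and stale FIPS properties) in place, once.
        if _PROVIDER_RE.match(stripped) or stripped in FIPS_PROPERTIES:
            if not inserted:
                out.extend(new_block)
                inserted = True
            continue
        out.append(line)
    if not inserted:
        out.extend(new_block)
    return "\n".join(out) + "\n"
```

Run it against java.security.nofips with fips=False and against java.security.fips with fips=True; because it removes any existing JsafeJCE entry before re-inserting it, re-running on an already converted file does not duplicate the provider.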
For more information on configuring JVM for running the Tomcat server, see tomcat-6.0-doc and
tomcat-7.0-doc.
<Connector port="8443"
    protocol="org.apache.coyote.http11.Http11Protocol"
    SSLEnabled="true"
    maxThreads="150"
    scheme="https"
    secure="true"
    clientAuth="false"
    sslProtocol="TLS"
    ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
    keystoreFile="CATALINA_HOME/conf/keystore.p12"
    keystorePass="keystore_password"
    keystoreType="PKCS12"
    keystoreProviderName="JsafeJCE"
    truststoreFile="CATALINA_HOME/conf/cacerts.p12"
    truststorePass="truststore_password"
    truststoreType="PKCS12"
    truststoreProviderName="JsafeJCE"/>
Note
Replace CATALINA_HOME with the full path of the Tomcat directory; adjust the value for your environment.
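The external-Tomcat procedures state that the installer checks server.xml for a Connector with port and secure defined and scheme set to https. The following Python performs that check before you run the installer and, going one step beyond the page, reports cipher suites built on RC4 or MD5, which FIPS 140-2 does not approve, and emits a pruned ciphers attribute. It is an added example, not the installer's code; the server.xml it parses is constructed for illustration.

```python
"""Audit a Tomcat server.xml the way the Atrium SSO installer checks it, then
flag cipher suites that do not belong in a FIPS 140-2 profile.

Added example, not the installer's code. The installer requires a Connector
with port and secure defined and scheme="https"; this script finds such
Connectors, checks the attributes the SSO connector example relies on, and
reports suites using RC4, MD5 or other non-approved algorithms. The
server.xml below is constructed for illustration.
"""
import xml.etree.ElementTree as ET

# Algorithm names that disqualify a suite from a FIPS 140-2 profile.
NON_FIPS_MARKERS = ("RC4", "MD5", "NULL", "EXPORT", "DES40", "anon")

SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
               SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               ciphers="SSL_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA"
               keystoreFile="/opt/tomcat/conf/keystore.p12" keystorePass="changeit" keystoreType="PKCS12"
               keystoreProviderName="JsafeJCE"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""


def find_https_connectors(server_xml: str) -> list[dict]:
    """Connectors that satisfy the installer's test: port and secure set, scheme https."""
    root = ET.fromstring(server_xml)
    return [dict(c.attrib) for c in root.iter("Connector")
            if c.get("scheme") == "https" and c.get("port") and c.get("secure")]


def split_ciphers(ciphers_attr: str) -> list[str]:
    return [s.strip() for s in ciphers_attr.split(",") if s.strip()]


def fips_cipher_list(ciphers_attr: str) -> str:
    """Hardened ciphers attribute: the same list with non-FIPS suites removed."""
    return ",".join(s for s in split_ciphers(ciphers_attr)
                    if not any(m in s for m in NON_FIPS_MARKERS))


def audit_connector(attrs: dict) -> list[str]:
    """Findings for one HTTPS Connector; an empty list means it passes."""
    findings = []
    if attrs.get("secure", "").lower() != "true":
        findings.append("secure must be true on an HTTPS connector")
    if attrs.get("SSLEnabled", "").lower() != "true":
        findings.append("SSLEnabled must be true on an HTTPS connector")
    ciphers = split_ciphers(attrs.get("ciphers", ""))
    if not ciphers:
        findings.append("no ciphers attribute: the JVM default suite list will be negotiated")
    findings += [f"{s} uses a non-FIPS-approved algorithm" for s in ciphers
                 if any(m in s for m in NON_FIPS_MARKERS)]
    return findings
```

Point find_https_connectors at the real CATALINA_HOME/conf/server.xml (and at the server.xml.fips copy from the FIPS procedure); an empty result means the installer will stop at the Tomcat Application Server Selection panel, and any audit finding on the FIPS copy is a suite to remove from its ciphers attribute.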
Related topics
Creating new keystores (see page 240)
Generating self-signed certificates (see page 249)
Generating and importing CA certificates
Importing a certificate into the truststore (see page 243)
Important
BMC recommends that you install the BMC Remedy Mid Tier, BMC Remedy AR System server, and BMC
Atrium Single Sign-On server on separate computers.
However, if you do install more than one BMC Product on the same computer, ensure that the HTTP,
HTTPS, and Shutdown port numbers are different.
Note
For detailed information on installing and configuring BMC Atrium Service Context, see Setting up BMC
Atrium Service Context. As a bare minimum, you must install the Web Services Registry (UDDI), which is
required for BMC Atrium Service Context. The Web Services Registry is an option within the BMC Atrium
Core installation program.
Note
The BMC Atrium Single Sign-On Tomcat server cannot be shared with any product (for example, the AR
System server or the BMC Remedy Mid Tier) that integrates with BMC Atrium Single Sign-On. BMC
recommends that you install BMC Atrium Single Sign-On on a different computer than the computer
where you plan to install a BMC product (for example, the AR System server or the BMC Remedy Mid
Tier).
Note
When installing on Linux servers, you must configure JVM for Tomcat after the installation. For
more information about configuring JVM, see Configuring a JVM for the Tomcat Server (see page
77).
9. Accept the default Tomcat HTTP port number (8080), HTTPS port number (8443), and Shutdown port
number (8005), or enter different port numbers, and then click Next. If any of the port numbers are
incorrect, a panel identifies the incorrect port number and requires you to return to the previous page to
correct the values before proceeding with the installation.
Note
When installing on Linux servers, ports below 1024 are privileged: selecting one requires the server to run as root, or you must use a port forwarding mechanism to map the privileged port to an unprivileged Tomcat port.
Note
The higher the level of the selected parent domain, the higher the risk of user impersonation.
Top-level domains are not supported (for example, com or com.ca ).
You cannot use sibling domains or cross-domains with BMC Atrium Single Sign-On. For example,
installing the BMC Atrium Single Sign-On server in the remedy.com domain and the AR System
server in the bmc.com domain is not supported. You must move all your computers into the same
domain.
11. Enter a strong administrator password (at least 8 characters long), confirm the password, and then click
Next.
The default SSO administrator name is amadmin.
Note
Passwords with special characters must be specified in quotes.
d. Log on with the SSO administrator name (for example, amadmin) and password.
The BMC Atrium SSO Admin Console appears.
14. (Optional) Create an administrative user account for BMC Products to perform search functions on the
user store (for example, to list user names and emails).
If you are using the BMC Atrium Single Sign-On server's internal LDAP, assign the BMCSearchAdmins
group to the new user account.
If you are using an external system for authentication (such as AR System, LDAP, or Active Directory),
assign the BmcSearchAdmins group to either an already existing user account or a new user
account.
Note
To correctly configure Atrium Single Sign-On, the AR System administrator user requires a
password. You cannot use the default installed Demo user with no password.
9. Enter the values from the planning spreadsheet for the features that you want to install.
After you have entered the required information, the installer validates your input, and then the Installation
Preview panel appears, listing the product and product features that will be installed.
Note
Run Sanity Check is selected by default. BMC recommends that you run the additional validation
tests of your installation.
Related topics
For detailed information on installing the AR System, see:
Completing the planning spreadsheet
Performing a new installation
d. Click Next.
The installer validates the system resources of your computer and displays a list of available features.
8. In the AR System Server List panel, perform the following actions:
a. Enter the fully-qualified domain names of the AR System servers.
b. Enter the remaining values:
c. Click Next.
9. Enter the values from the planning worksheets for the features that you want to install.
After you have entered the required information, the installer validates your input, and then the Installation
Preview panel appears, listing the product and product features that will be installed.
Note
Run Sanity Check is selected by default. BMC recommends that you run the additional validation
tests of your installation.
Related topics
For detailed information on installing the AR System, see:
Completing the planning spreadsheet
Performing a new installation
To run the SSOARIntegration utility to integrate Single Sign-On and the AR System server
1. On the computer where the AR System server is installed, navigate to the
<ARSystemServerInstall>\artools\AtriumSSOIntegrationUtility directory.
For example, navigate to C:\Program Files\BMC Software\ARSystem\artools\AtriumSSOIntegrationUtility.
2. Open the arintegration.txt file and update the parameters for your environment.
For example, you can enter the supported container types such as Tomcat 6, JBOSS v4, and so on.
Tip
When you are using a BMC Atrium SSO load balancer, you must add the load balancer URL in the
--atrium-sso-url parameter instead of adding the server URL.
Note
Blank passwords are not supported. Your AR System server user must have a password
before you run this utility.
Fully-qualified domain names for the AR System server and Atrium SSO URL parameters are
required.
The --truststore=truststorepath and --truststore-password=truststorepassword parameters
are optional when integrating Single Sign-On and the AR System server. The #TrustStore
Path value is the local Java truststore path and is used to locate the certificate; the
SSOARIntegration utility fills it in automatically from the local Java truststore.
The --force=<Yes or No> parameter is optional. If you pass this input, you are not prompted
to confirm the restart of the AR System server; the server is restarted automatically.
Otherwise, you are prompted to restart the AR System server.
Review the optional inputs carefully for your environment.
Info
To troubleshoot installation failures, or for information about log files or configurations
performed by the SSOMidtierIntegration utility, see Troubleshooting AR System server and Mid
Tier integrations.
Note
When BMC Remedy Mid Tier is deployed in a cluster environment, you must run the SSOMidtierIntegration
utility on all the computers where the Mid Tier is installed.
To run the SSOMidtierIntegration utility to integrate Single Sign-On and the Mid Tier
1. On the computer where the Mid Tier is installed, navigate to the
<MidTierInstall>\AtriumSSOIntegrationUtility directory.
For example, navigate to C:\Program Files\BMC Software\ARSystem\midtier\AtriumSSOIntegrationUtility.
2. Open the midtierintegration.txt file and update the parameters for your environment.
For example, you can enter the supported container types such as Tomcat 6, JBOSS v4, and so on.
Tip
When you are using a BMC Atrium SSO load balancer, you must add the load balancer URL
in the --atrium-sso-url parameter instead of adding the server URL.
When you are using a mid tier load balancer or reverse proxy, you must add the
--web-app-url and --notify-url URLs. In this case, add the load balancer URL in the
--web-app-url parameter and add the mid tier URL in the --notify-url parameter.
When you are not using a mid tier load balancer, do not use the --notify-url parameter
and add the mid tier URL in the --web-app-url.
or jboss.
#Remove # to uncomment and use the below property.
--force=<Yes or No>
#Server Instance Name, Provide the name of Websphere instance name being used. It is required only in case Websphere being used to host the midtier.
#Remove # to uncomment and use the below property.
#--server-instance-name=WebSphere server instance name
#Server Instance Name, Provide the path to the Websphere instance configuration directory. It is required only in case Websphere being used to host the midtier.
#Remove # to uncomment and use the below property.
#--instance-config-directory=WebSphere server instance configuration directory
#Weblogic Domain Name, Provide the Weblogic domain name. It is required only in case WebLogic being used to host the midtier.
#Remove # to uncomment and use the below property.
#--weblogic-domain-home=Domain Name
Note
Blank passwords are not supported. Your AR System server user must have a password
before you run this utility.
Fully-qualified domain names for the AR System server and BMC Atrium SSO URL
parameters are required.
If necessary, you can run the SSOMidtierIntegration utility multiple times, for example, to
install or uninstall the integration (depending on the install-mode setting in the
midtierintegration.txt file). The utility checks if an agent exists from a previous installation. If
an agent exists, the utility uninstalls it and then re-installs a new agent.
Review the optional inputs carefully for your environment.
6. Manually shut down the web server if you are prompted by the utility.
7. When execution is successfully completed, open the BMC Atrium SSO Admin console.
The URL to open the BMC Atrium SSO Admin console is:
https://<ssoServer>.<domain>:<port>/atriumsso
For example:
https://ssoServer.bmc.com:8443/atriumsso/atsso
Note
To troubleshoot installation failures, or for information about log files or configurations
performed by the SSOMidtierIntegration utility, see Troubleshooting AR System server and Mid
Tier integrations.
8. When you are prompted that you are connecting to an insecure or untrusted connection, add the
exception and then continue.
9. Under Agents List, verify that the agent was created.
For example, /arsys@MidTier.labs.bmc.com:8080 should be present.
Before you pass the reverse proxy URL as input in the utility command, make sure that you can log
on to the application using the reverse proxy URL from the Mid-Tier computer where the
command is run.
If the reverse proxy server and the Mid Tier are installed on the same computer, stop the reverse
proxy server before you run the SSOMidtierIntegration utility with the Mid Tier. When the utility
completes its operation, restart the reverse proxy server.
If you must use reverse proxy URLs to run the Mid-Tier integration with the SSOMidtierIntegration utility, the
utility works with or without ports in the --web-app-url parameter.
Where to go from here
1. Configure BMC Atrium Single Sign-On for AR authentication and set up users and groups (see page 97).
Note
If you do not plan to use BMC Atrium Single Sign-On AR authentication and plan to use different
authentication methods, see Configuring after installation.
To use and manage authentication chaining, see Managing authentication modules (see
page 271).
To set up and manage users and user groups, see Managing users (see page 264) and
Managing user groups (see page 268).
When you enable authentication chaining mode, all authentication methods in the chain are attempted in the
specified order until either the authentication succeeds or all the methods in the chain fail.
Note
If you plan to use an authentication method other than or in addition to the AR module, see the
applicable authentication method in Configuring after installation. For example, Using Kerberos for
authentication (see page 132) or Using SAMLv2 for authentication.
5. Enter the AR parameters (see page ).
a. Click Save.
6. On the Realm Authentication panel, set the process order of the authentication chain:
a. For the AR module, under Flag, select Sufficient.
b. Select the AR module.
c. Click Up so that AR is first in the list.
d. Set Internal LDAP to Optional.
Sufficient means that, with multiple authentication modules, if you are successfully authenticated
with the first module, the remaining modules are skipped. But if the login fails, authentication moves
to the next module in the chain. Setting AR to Sufficient and placing it as the first module in the list
means that if you are authenticated with the AR System server, you are successfully authenticated by
BMC Atrium Single Sign-On and you proceed to the Mid Tier.
Note
With Single Sign-On, you want to trigger authentication providers in the right order. The order is: Required > Requisite >
Sufficient > Optional.
If you set both realms to Required, then you would need both authentications to establish the session.
For more information on creating an authentication chain, see the Realm Authentication panel described in Realm Editor.
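The flag semantics described above (Required, Requisite, Sufficient, Optional) decide whether a user who fails one module is still accepted by the chain. The following is an added example, not code from BMC or from the product: a small Python model of a JAAS-style authentication chain, which is what the Realm Authentication panel configures. The AR and Internal LDAP modules are stand-ins backed by constructed user dictionaries; the module names, user names and passwords are assumptions made for the example.

```python
"""Model of the authentication-chain flags (Required, Requisite,
Sufficient, Optional) used by the Realm Authentication panel.

Added example: not BMC's code. The AR and Internal LDAP modules below are
constructed stand-ins (dictionaries of users) so the chain logic can be
exercised offline.
"""
from typing import Callable, List, Tuple

# (module name, flag, authenticate(user, password) -> bool)
Module = Tuple[str, str, Callable[[str, str], bool]]

# Constructed sample accounts; a real deployment would call the AR System
# server and the embedded LDAP instead.
AR_USERS = {"arjohn": "ar-pass"}
LDAP_USERS = {"ldapjane": "ldap-pass"}


def ar_auth(user: str, password: str) -> bool:
    return AR_USERS.get(user) == password


def ldap_auth(user: str, password: str) -> bool:
    return LDAP_USERS.get(user) == password


def run_chain(chain: List[Module], user: str, password: str) -> Tuple[bool, List[str]]:
    """Evaluate the chain in order; return (authenticated, trace of modules run).

    Flag semantics (JAAS login-module rules, which OpenAM-based servers follow):
      Required   - must succeed, but the chain always continues to the next module.
      Requisite  - must succeed; on failure the chain stops at once.
      Sufficient - success ends the chain immediately (unless an earlier
                   Required/Requisite module failed); failure moves on.
      Optional   - the result is recorded but never decides the outcome.
    The overall result is success when every Required/Requisite module
    succeeded and at least one module in the chain succeeded.
    """
    trace: List[str] = []
    required_failed = False
    any_success = False
    for name, flag, authenticate in chain:
        ok = authenticate(user, password)
        trace.append(f"{name}({flag})={'ok' if ok else 'fail'}")
        any_success = any_success or ok
        if flag == "Required":
            required_failed = required_failed or not ok
        elif flag == "Requisite":
            if not ok:
                return False, trace
        elif flag == "Sufficient":
            if ok and not required_failed:
                return True, trace  # remaining modules are skipped
        elif flag != "Optional":
            raise ValueError(f"unknown flag {flag!r}")
    return (not required_failed) and any_success, trace


# The chain the document recommends: AR first as Sufficient, Internal LDAP Optional.
DEFAULT_CHAIN: List[Module] = [("AR", "Sufficient", ar_auth),
                               ("Internal LDAP", "Optional", ldap_auth)]
# Both modules Required: as the note says, both authentications are then needed.
BOTH_REQUIRED: List[Module] = [("AR", "Required", ar_auth),
                               ("Internal LDAP", "Required", ldap_auth)]

if __name__ == "__main__":
    for chain_name, chain in (("default", DEFAULT_CHAIN), ("both required", BOTH_REQUIRED)):
        for user, pw in (("arjohn", "ar-pass"), ("ldapjane", "ldap-pass"), ("nobody", "x")):
            print(chain_name, user, run_chain(chain, user, pw))
```

With the recommended chain, a user known to the AR System server is accepted after the first module and the LDAP module is never consulted; a user known only to the internal LDAP is still accepted because AR's failure under Sufficient does not end the chain. With both modules set to Required, a user who exists in only one of the stores is rejected.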
AR parameters
Server Host Name: (Required) Provide the Fully Qualified Domain Name (FQDN) of the server where the AR System server is located. The full host name includes the domain name (bmc.com) of the computer and the individual name of the server (yourServer).
Server Port Number: (Required) The port on which the AR System server is listening. Note: Enter a value of 0 if the AR System server is using port mapping.
Default Authentication String: This string is only used when the AR module is placed downstream in a chain from another authentication module that prompts the user only for a name and password. In this situation, the value of this parameter is used to authenticate the user by re-using the credentials provided by the user along with this authentication string.
Allow AR Guests: If enabled, allows unknown or invalid users to authenticate to the AR System server as guests.
Note
When using SAML v2 for authentication, you must not use AR user stores. Although the AR authentication
module should be configured, the AR data store is not needed for authentication in a SAMLv2 deployment.
AR Server
  Name: Label for the AR user store.
  Host Name: (Required) Provide the Fully Qualified Domain Name (FQDN) of the server where the AR System server is located. The full host name includes the domain name (bmc.com) of the computer and the individual name of the server (yourServer). Replace the default value (sample.bmc.com) with the host name of your server (for example, yourServer.bmc.com).
  Port: (Required) Default: 0. Provide the port number on which the AR Server is listening. The value 0 is used when the AR Server is using port mapping.
Administrative Access
  Name: (Required) Provide the user name of an AR Server user store account that has AR System Administrator privileges. Empty or blank passwords for this internal user are not supported with a new user store.
  Authentication: Provide the authentication string that is needed when the Administrator account is used to connect with the AR System server.
  Password and Confirm Password: Password for the AR System administrative user of the AR Server user store account (for example, admin).
Connection Pool
  Linger Time (seconds): (Required) Default: 60. Linger Time is the amount of time (in milliseconds) that a connection is allowed to remain unused in the pool before being closed.
  Pool size: (Required) Default: 10. The Pool Size is the maximum number of connections the data store uses to service data requests for the AR System server.
From the User page, the administrator can create, delete, and manage group memberships.
To access the User page (see page )
To add a new user (see page )
BMC products can use the group membership capabilities of the BMC Atrium Single Sign-On system to provide
authorization and authentication of users. If a BMC product does not use the group memberships of the BMC
Atrium Single Sign-On system, then that product's documentation must be consulted to determine groups to
privileges mapping.
To access the Group page (see page )
To create a new group (see page )
When creating a new user, each field that is marked with an asterisk is a required field.
3. In the User Id field, enter a unique identifier for the new user.
This value is used as the user ID when the user logs in.
4. Specify the user's status.
The default is Active.
5. Add the name attributes.
The name attributes (First Name, Full Name, and Last Name) can be provided to BMC products to
help identify user accounts by using terms that are more user-friendly. The actual use of these
attributes, though, is dependent on the BMC product.
You must assign an initial password of at least 8 characters when creating the account. After the
password is created, the user can log into BMC Atrium Single Sign-On and update the password and
their personal information through the following URL:
https://FQDNHostName:port/BMC Atrium SSO?realm=BmcRealm
6. Click the Groups tab.
7. From the list of available groups, add the user to group membership (for example, BmcAdmins).
8. Click Save.
Related topics
Using SAMLv2 for authentication
Using Kerberos for authentication (see page 132)
Using CAC for authentication
Tip
Clear the cache on your browser if you see redirect errors.
If your integration is successful, you should see the normal Mid Tier configuration logon, not the BMC
Atrium SSO logon screen.
2. In the AR Server Setting panel, verify that the list of AR System servers includes their fully-qualified domain
names.
3. Log on to the AR System server.
For example:
http://Midtier.bmc.com:8080/arsys
The BMC Atrium Single Sign-On server redirects the server URL to the BMC Atrium Single Sign-On server,
and the BMC Atrium SSO logon screen appears.
4. Enter the User Name and Password of an AR System user and then click Log In.
If BMC Atrium Single Sign-On is properly integrated and configured, the Applications startup page appears.
Note
The full path to the AtriumSSO directory must be specified.
If you are configuring BMC Atrium Single Sign-On as a High Availability (HA) cluster, you must complete the HA
prerequisites and HA pre-installation tasks before running the installer in silent mode on the first node and the
additional nodes. Before running the installer in silent mode on an additional node, you must also complete the
following tasks:
Ensure that all nodes are running and available.
Copy the configuration file (created during the first node's installation) to the Disk1 directory of the
extracted files before installing BMC Atrium Single Sign-On on the node.
You must also complete the HA post-installation activities after you have run the installer in silent mode on all the
nodes.
For information about the additional parameters that you must add in the SSOSilentInstallOptions.txt file, see
Example options.txt file (see page 114).
5. Verify that your BMC Atrium Single Sign-On installation was successful:
a. Launch the Administrator console.
b. Confirm that you can view the BMC Atrium Single Sign-On logon panel.
Note
If you install in silent mode, you must also uninstall in silent mode to uninstall the server.
where SSOSilentUninstallOptions.txt contains:
-silent
-U productAtriumSSO
-U featureAtriumSSO
You can also generate a new administrator password using the following command:
-P installLocation=C:\SSO\AtriumSSO
-A featureAtriumSSO
-J ATRIUMSSO_TOMCAT_SHUTDOWN_PORT=8005
-J ATRIUMSSO_TOMCAT_HTTP_PORT=8080
-J ATRIUMSSO_INSTALL_TOMCAT=true
-J ATRIUMSSO_TOMCAT_HTTPS_PORT=8443
-J ATRIUMSSO_SERVER_PASSWORD=DES\:3996ba109b2b3f035fb4200116c2339a78ecec52023308de
-J ATRIUMSSO_SERVER_PASSWORD_2=DES\:3996ba109b2b3f035fb4200116c2339a78ecec52023308de
-J ATRIUMSSO_COOKIE_DOMAIN=bmc.com
-J ATRIUMSSO_HOST_NAME=atrium-sso-vm4.bmc.com
The SSOSilentInstallOptions.txt file for installing BMC Atrium Single Sign-On on external Tomcat specifying that
the installer will use Tomcat scripts for starting/stopping Tomcat processes contains the following parameters:
-P installLocation=/root/bmc/AtriumSSO
-A featureAtriumSSO
-J ATRIUMSSO_INSTALL_TOMCAT=false
-J ATRIUMSSO_TOMCAT_HTTPS_PORT=8443
-J ATRIUMSSO_SERVER_PASSWORD=DES\:097133405e7ea7a641f019bca8781280
-J ATRIUMSSO_SERVER_PASSWORD_2=DES\:097133405e7ea7a641f019bca8781280
-J ATRIUMSSO_COOKIE_DOMAIN=bmc.com
-J ATRIUMSSO_HOST_NAME=vl-aus-rh55-atm-sp01.bmc.com
-J USE_EXTERNAL_SCRIPTS=true
-J CLUSTER_MODE=STANDALONE_STRING
-J ATRIUMSSO_EXISTING_TOMCAT_DIRECTORY=/root/apache-tomcat-6.0.37
-J TRUSTSTORE_LOCATION=/root/apache-tomcat-6.0.37/conf/cacerts.p12
-J TRUSTSTORE_PASSWORD=changeit
-J KEYSTORE_LOCATION=/root/apache-tomcat-6.0.37/conf/keystore.p12
-J KEYSTORE_PASSWORD=changeit
-J KEYSTORE_ALIAS=tomcat
-J JAVA_LOCATION=/usr/jdk64
-J JDK_LOCATION=/usr/jdk64
The SSOSilentInstallOptions.txt file for installing BMC Atrium Single Sign-On on an external Tomcat server, specifying
that the installer uses the Windows service of the Tomcat server, contains the following parameters:
-P installLocation=/root/bmc/AtriumSSO
-A featureAtriumSSO
-J ATRIUMSSO_INSTALL_TOMCAT=false
-J ATRIUMSSO_TOMCAT_HTTPS_PORT=8443
-J ATRIUMSSO_SERVER_PASSWORD=DES\:097133405e7ea7a641f019bca8781280
-J ATRIUMSSO_SERVER_PASSWORD_2=DES\:097133405e7ea7a641f019bca8781280
-J ATRIUMSSO_COOKIE_DOMAIN=bmc.com
-J ATRIUMSSO_HOST_NAME=vl-aus-rh55-atm-sp01.bmc.com
-J USE_EXTERNAL_SCRIPTS=false
-J ATRIUMSSO_EXISTING_TOMCAT_SERVICE=Tomcat
-J CLUSTER_MODE=STANDALONE_STRING
-J ATRIUMSSO_EXISTING_TOMCAT_DIRECTORY=/root/apache-tomcat-6.0.37
-J TRUSTSTORE_LOCATION=/root/apache-tomcat-6.0.37/conf/cacerts.p12
-J TRUSTSTORE_PASSWORD=changeit
-J KEYSTORE_LOCATION=/root/apache-tomcat-6.0.37/conf/keystore.p12
-J KEYSTORE_PASSWORD=changeit
-J KEYSTORE_ALIAS=tomcat
-J JAVA_LOCATION=/usr/jdk64
-J JDK_LOCATION=/usr/jdk64
When installing BMC Atrium Single Sign-On as a High Availability (HA) cluster, the SSOSilentInstallOptions.txt file
must contain some additional parameters.
The SSOSilentInstallOptions.txt file for installing the first node for a HA cluster must contain the following
parameters:
-P installLocation=C:\SSO\AtriumSSO
-A featureAtriumSSO
-J ATRIUMSSO_INSTALL_TOMCAT=true
-J CLUSTER_MODE=FIRST_MEMBER_CLUSTER_STRING
-J MEMBER_LOCATION=/home/xuser/5162_node.dat
-J ATRIUMSSO_COOKIE_DOMAIN=bmc.com
-J LOAD_BALANCER_URL=https://iBMC-JBHBBK1.bmc.com:443/atriumsso
-J ATRIUMSSO_LDAP_REPLICATION_PORT=8092
-J ATRIUMSSO_TOMCAT_SHUTDOWN_PORT=8005
-J ATRIUMSSO_SERVER_PASSWORD_2=DES\:097133405e7ea7a641f019bca8781280
-J ATRIUMSSO_TOMCAT_HTTP_PORT=8080
-J ATRIUMSSO_TOMCAT_HTTPS_PORT=8443
-J USE_EXTERNAL_SCRIPTS=false
-J ATRIUMSSO_SERVER_PASSWORD=DES\:097133405e7ea7a641f019bca8781280
-J ATRIUMSSO_HOST_NAME=rlnx-al-vm01.bmc.com
-J ATRIUMSSO_LDAP_PORT=8091
The SSOSilentInstallOptions.txt file for installing additional nodes for a HA cluster must contain the following
parameters:
-P installLocation=/opt/bmc/AtriumSSO
-A featureAtriumSSO
-J ATRIUMSSO_TOMCAT_SHUTDOWN_PORT=8005
-J ATRIUMSSO_TOMCAT_HTTP_PORT=8080
-J ATRIUMSSO_INSTALL_TOMCAT=true
-J ATRIUMSSO_TOMCAT_HTTPS_PORT=8443
-J CLUSTER_MODE=ADDITIONAL_MEMBER_CLUSTER_STRING
-J MEMBER_LOCATION=/tmp/SSO/5162_node.dat
-J ATRIUMSSO_COOKIE_DOMAIN=bmc.com
-J ATRIUMSSO_LDAP_REPLICATION_PORT=8092
-J ATRIUMSSO_HOST_NAME=vm-rhel5-rds1276.bmc.com
-J ATRIUMSSO_LDAP_PORT=8091
-J USE_EXTERNAL_SCRIPTS=false
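A silent install takes whatever the options file says without the interactive checks of the wizard, so it is worth validating the file against the rules this document states before running the installer: top-level cookie domains are not supported, every host must be inside the cookie domain, ports below 1000 on Linux require root or port forwarding, and the example files above leave the key and trust store passwords at the JDK default. The following is an added example and not part of BMC's installer; it parses the -P / -A / -J lines in the format shown above and reports those conditions. SAMPLE_OPTIONS is a constructed file with several of the problems deliberately present; its host names and the DES placeholder are not real values.

```python
"""Lint an SSOSilentInstallOptions.txt file before running a silent install.

Added example, not part of BMC's installer. It parses the -P / -A / -J
option lines shown in this document and flags values that conflict with
the installation rules stated here: a top-level cookie domain, a host or
load balancer outside the cookie domain, Tomcat ports below 1000 on Linux,
and key/trust store passwords left at the JDK default. SAMPLE_OPTIONS is a
constructed file with several of those problems.
"""
from typing import Dict, List, Tuple
from urllib.parse import urlparse

SAMPLE_OPTIONS = """\
-P installLocation=/opt/bmc/AtriumSSO
-A featureAtriumSSO
-J ATRIUMSSO_INSTALL_TOMCAT=false
-J ATRIUMSSO_TOMCAT_HTTPS_PORT=443
-J ATRIUMSSO_SERVER_PASSWORD=DES\\:PLACEHOLDER
-J ATRIUMSSO_SERVER_PASSWORD_2=DES\\:PLACEHOLDER
-J ATRIUMSSO_COOKIE_DOMAIN=com
-J ATRIUMSSO_HOST_NAME=sso.example.com
-J LOAD_BALANCER_URL=https://lb.example.net:443/atriumsso
-J TRUSTSTORE_PASSWORD=changeit
-J KEYSTORE_PASSWORD=changeit
"""

JDK_DEFAULT_STORE_PASSWORD = "changeit"  # password the JDK ships for cacerts
PRIVILEGED_PORT_LIMIT = 1000             # the document's threshold for Linux
TOMCAT_PORT_KEYS = ("ATRIUMSSO_TOMCAT_HTTP_PORT",
                    "ATRIUMSSO_TOMCAT_HTTPS_PORT",
                    "ATRIUMSSO_TOMCAT_SHUTDOWN_PORT")


def parse_options(text: str) -> Tuple[Dict[str, str], List[str], Dict[str, str]]:
    """Split the file into -P properties, -A features and -J Java arguments."""
    props: Dict[str, str] = {}
    features: List[str] = []
    jargs: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        flag, _, rest = line.partition(" ")
        if flag == "-A":
            features.append(rest.strip())
        elif flag in ("-P", "-J"):
            key, _, value = rest.strip().partition("=")
            (props if flag == "-P" else jargs)[key] = value
        else:
            raise ValueError(f"unrecognised option line: {raw!r}")
    return props, features, jargs


def in_domain(host: str, domain: str) -> bool:
    """True when host is the cookie domain itself or a subdomain of it."""
    host = host.lower().rstrip(".")
    domain = domain.lower().strip(".")
    return host == domain or host.endswith("." + domain)


def lint_options(text: str, linux: bool = True) -> List[str]:
    """Return human-readable findings; an empty list means no rule was violated."""
    _, _, jargs = parse_options(text)
    findings: List[str] = []
    domain = jargs.get("ATRIUMSSO_COOKIE_DOMAIN", "")
    # Single-label domains only; public suffixes with a dot (com.ca) would
    # need a public-suffix list and are not detected here.
    if domain and "." not in domain.strip("."):
        findings.append(f"cookie domain {domain!r} is a top-level domain, which is not supported")
    host = jargs.get("ATRIUMSSO_HOST_NAME")
    if host and domain and not in_domain(host, domain):
        findings.append(f"ATRIUMSSO_HOST_NAME {host} is outside cookie domain {domain}")
    lb_url = jargs.get("LOAD_BALANCER_URL")
    if lb_url and domain:
        lb_host = urlparse(lb_url).hostname or ""
        if not in_domain(lb_host, domain):
            findings.append(f"LOAD_BALANCER_URL host {lb_host} is outside cookie domain {domain}")
    if linux:
        for key in TOMCAT_PORT_KEYS:
            if key in jargs and int(jargs[key]) < PRIVILEGED_PORT_LIMIT:
                findings.append(f"{key}={jargs[key]} is below {PRIVILEGED_PORT_LIMIT}; "
                                "Tomcat must run as root or use port forwarding")
    for key in ("TRUSTSTORE_PASSWORD", "KEYSTORE_PASSWORD"):
        if jargs.get(key) == JDK_DEFAULT_STORE_PASSWORD:
            findings.append(f"{key} is the JDK default {JDK_DEFAULT_STORE_PASSWORD!r}")
    # Assumption: _2 is the confirmation copy of the server password, so both must match.
    if jargs.get("ATRIUMSSO_SERVER_PASSWORD") != jargs.get("ATRIUMSSO_SERVER_PASSWORD_2"):
        findings.append("ATRIUMSSO_SERVER_PASSWORD and ATRIUMSSO_SERVER_PASSWORD_2 do not match")
    return findings


if __name__ == "__main__":
    for finding in lint_options(SAMPLE_OPTIONS):
        print("WARN:", finding)
```

Run against the constructed sample, the linter reports the top-level cookie domain, the load balancer host outside that domain, the privileged HTTPS port and the two default store passwords; with linux=False the port finding is dropped. The file format itself is the only thing taken from the document; the check on the two ATRIUMSSO_SERVER_PASSWORD values being equal is an assumption drawn from the example files, which always carry the same value in both.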
Note
Because of varying Windows system dependencies, a reboot might be required to completely uninstall
BMC Atrium Single Sign-On.
Important
Be sure to select the BMC Atrium Single Sign-On component, otherwise the uninstaller will
remove the server.
3. Manually delete the BMC Atrium Single Sign-On log file artifacts. These log files are left in the file system
regardless of the reboot.
Invocation of this Java Application has caused an InvocationTargetException. This application will now
exit. (LAX)
Stack Trace:
java.awt.HeadlessException:
No X11 DISPLAY variable was set, but this program performed an operation which requires it.
at java.awt.GraphicsEnvironment.checkHeadless(Unknown Source)
at java.awt.Window.<init>(Unknown Source)
at java.awt.Frame.<init>(Unknown Source)
at java.awt.Frame.<init>(Unknown Source)
at javax.swing.JFrame.<init>(Unknown Source)
at com.zerog.ia.installer.LifeCycleManager.g(DashoA8113)
at com.zerog.ia.installer.LifeCycleManager.h(DashoA8113)
at com.zerog.ia.installer.LifeCycleManager.a(DashoA8113)
at com.zerog.ia.installer.Main.main(DashoA8113)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at com.zerog.lax.LAX.launch(DashoA8113)
at com.zerog.lax.LAX.main(DashoA8113)
This Application has Unexpectedly Quit: Invocation of this Java Application has caused an
InvocationTargetException. This application will now exit. (LAX)
Note
The User Profile applies to all authentication methods used for authentication.
3. In the Realm Authentication panel, click Add for a new authentication method and select the method.
Alternatively, if you want to edit an existing module, select the module and click Edit.
4. Provide the parameters for the method and Save.
5. Set the flag for the authentication method.
The following image displays the available authentication methods:
to be used together because it provides additional information for users authenticated against the AR System
server.
Note
The AR user store provides read-only access to the user information stored in AR System server and
read-only access to user and group lists and memberships.
Note
User management functionality, assigning group information that is retrieved from the AR System server
to users that exist in another data store (for example, the internal data store), and saving changes
involving information retrieved from the AR System server are not available.
Note
The User Profile applies to all authentication methods used for authentication.
3. In the Realm Authentication panel, click Add for a new authentication method and select the method.
Alternatively, if you want to edit an existing module, select the module and click Edit.
4. Provide the parameters for the method and Save.
5. Set the flag for the authentication method.
Important
For the AR module, the flag is set to Sufficient.
AR parameters
Server Host Name: (Required) Provide the Fully Qualified Domain Name (FQDN) of the server where the AR System server is located. The full host name includes the domain name (bmc.com) of the computer and the individual name of the server (yourServer).
Server Port Number: (Required) The port on which the AR System server is listening. Note: Enter a value of 0 if the AR System server is using port mapping.
Default Authentication String: This string is only used when the AR module is placed downstream in a chain from another authentication module that prompts the user only for a name and password. In this situation, the value of this parameter is used to authenticate the user by re-using the credentials provided by the user along with this authentication string.
Allow AR Guests: If enabled, allows unknown or invalid users to authenticate to the AR System server as guests.
Info
Consider the following points before you configure an AR user store.
If you are using a persistent NameID element, you cannot define an AR User Store. You must use a
transient NameID element to define an AR User Store.
Existing profiles within the embedded LDAP User Store should be deleted before adding the AR
User Store.
AR Server
  Name: Label for the AR user store.
  Host Name: (Required) Provide the Fully Qualified Domain Name (FQDN) of the server where the AR System server is located. The full host name includes the domain name (bmc.com) of the computer and the individual name of the server (yourServer). Replace the default value (sample.bmc.com) with the host name of your server (for example, yourServer.bmc.com).
  Port: (Required) Default: 0. Provide the port number on which the AR Server is listening. The value 0 is used when the AR Server is using port mapping.
Administrative Access
  Name: (Required) Provide the user name of an AR Server user store account that has AR System Administrator privileges. Empty or blank passwords for this internal user are not supported with a new user store.
  Authentication: Provide the authentication string that is needed when the Administrator account is used to connect with the AR System server.
  Password and Confirm Password: Password for the AR System administrative user of the AR Server user store account (for example, admin).
Connection Pool
  Linger Time (seconds): (Required) Default: 60. Linger Time is the amount of time (in milliseconds) that a connection is allowed to remain unused in the pool before being closed.
  Pool size: (Required) Default: 10. The Pool Size is the maximum number of connections the data store uses to service data requests for the AR System server.
For more information about common problems, see Troubleshooting AR authentication (see page 320).
Note
For a single user test, the user's certificate (the certificate signed by the Issuer) could be imported into
the truststore. However, if this method is used, then every user's certificate must be imported into the
truststore.
Important
Do not set the clientAuth attribute to "true" because this setting breaks certain BMC Atrium
SSO-to-Agent communications.
command (keytool.exe on Windows), located within the JDK's bin directory. This bin directory needs to be
added to the PATH environment variable if it is not already a part of that variable.
2. To add the location, run the following command:
(UNIX) export PATH="<installationLocation>/BMC Software/BMC Atrium SSO/jdk/bin:$PATH"
(Microsoft Windows) set PATH=<installationLocation>\BMC Software\BMC Atrium SSO\jdk\bin;%PATH%
3. Copy the DoD CA certificate file into the following directory:
<installationDirectory>/BMC Software/BMC Atrium SSO/tomcat/conf
4. Use the keytool utility to import the certificate into the truststore using the following parameters:
keytool -importcert -keystore cacerts.p12 -file DOD_CA19.cer -alias DOD_CA19 -storetype PKCS12 -providername JsafeJCE
Note
In this example, the certificate file name, DOD_CA19.cer, may not be appropriate for your use.
Note
The User Profile applies to all authentication methods used for authentication.
3. In the Realm Authentication panel, click Add for a new authentication method and select the method.
Alternatively, if you want to edit an existing module, select the module and click Edit.
4. Provide the parameters for the method and Save.
5. Set the flag for the authentication method.
Note
You can provide parameter information for OCSP authentication, CRL authentication, or both. BMC does
not recommend using the CRL approach due to the performance load experienced with the
ever-increasing length of CRL lists.
Parameters
Use OCSP: Click Use OCSP in order to use the OCSP responder. BMC recommends that you use OCSP for validation. Note: The clock skew between the BMC Atrium Single Sign-On server and the OCSP server must not be greater than 15 minutes. Otherwise, the certificate authentication fails. See Clock skew too great for CAC authentication (see page 331).
Certificate Field for User Profile: Select one of the options. Options are Subject CN (Common Name attribute of the Subject DN), Subject DN (Distinguished Name), Subject UID (UID attribute of the Subject DN), Email, None, Other.
Forwarded Certificates
  When running behind a load balancer or reverse proxy, the verification of ownership of the private key is not possible through the SSL/TLS connection. Because of this verification restriction, the BMC Atrium Single Sign-On server requires that the fronting server be listed as a trusted host from which forwarded certificates can be trusted.
  Forwarded Certificate List: This is the list of trusted host names that you add via the Trusted Host Name field. To delete an entry, select the trusted host name and click Remove.
  Trusted Host Name: Enter the name of a host from which a forwarded certificate can be trusted.
  Certificate HTTP Header Name: Enter the name of the HTTP header under which the forwarded certificate is passed.
Certificate Revocation Lists (CRL)
  Use CRL
  LDAP Server Where Certificates are Stored: Provide the Host and Port for the LDAP server where the certificates are stored. The host name must end with a colon followed by the port number for the LDAP server.
  LDAP Start Search DN: Enter the DN of the node at which the search within the LDAP server starts. To connect with the LDAP server, you must have sufficient privileges to perform the search.
  LDAP Server Password and Confirm LDAP Server Password: Provide and confirm the password for connecting with the LDAP server.
  Check CA with CRL: When verifying a certificate, the CA certificate used to sign the certificate can also be verified in the CRL.
  Use SSL/TLS: If you are using SSL, the LDAP server certificate must be imported into the BMC Atrium Single Sign-On truststore so that SSL can connect with the LDAP server.
  Trusted Certificates: Browse on your desktop to upload the trusted certificates file. Once the file is uploaded, it appears in the trusted certificates list. You can also select the file and click Remove to remove it.
Note
Kerberos authentication cannot be used to authenticate clients from the same computer where BMC
Atrium Single Sign-On is installed.
For information about troubleshooting issues with Kerberos, see Troubleshooting Kerberos authentication
(see page 333).
7.10.5 Generating a keytab for the service principal and mapping the Kerberos service name
After the accounts for the service principals are created, a keytab file must be generated. This file contains
sensitive information used by the BMC Atrium Single Sign-On servers when working with the Key Distribution
Center (KDC) and Active Directory (AD). For Kerberos, the ktadd command is used to add the sensitive
information to the keytab file and to map the Kerberos service name to the Active Directory identity.
Note
Anyone with read permissions to a keytab file can use all of the keys it contains. Permissions must be
restricted and monitored on the keytab files that you create.
To generate a keytab file for the service principal and map the Kerberos service name
1. In the Active Directory server, run the ktpass command.
2. Map additional SPNs to the Kerberos identity using setspn.exe.
3. Copy the generated keytab file to the BMC Atrium Single Sign-On server host.
Note
The host name can also be modified through the host's file. If you modified the host name
through the host's file, the browser and the system might need to be rebooted for the name
change to take effect.
The internet domain and Active Directory domain are different domains. The internet domain is
used to form a hierarchy of computer names for mapping a computer name to a host address.
The Active Directory (AD) domain is used for grouping users for authentication purposes and
maps to a Kerberos realm.
Important
The case-sensitive constraint means that the principal names expressed in the mappings must be written
using the same case as those returned by a domain name lookup. The Active Directory is not
case-sensitive while MIT Kerberos is case-sensitive.
Important
When running in HA mode behind a load balancer, the name of the load balancer should be used instead
of the Atrium SSO server name.
A delay occurs in AD when changes to identities are made. Altering the mapped SPNs can take about 15 minutes
before the mappings are pushed out to the affected systems. This delay means that it will take some time after
updating the identity SPNs before a login test can be performed.
Note
The User Profile applies to all authentication methods used for authentication.
3. In the Realm Authentication panel, click Add for a new authentication method and select the method.
Alternatively, if you want to edit an existing module, select the module and click Edit.
4. Provide the parameters for the method and Save.
5. Set the flag for the authentication method.
Important
Restart the BMC Atrium Single Sign-On server after configuring the Kerberos module.
Service Principal: The Kerberos principal that is used for authentication. The service principal is used by clients to request a service ticket when authenticating. The service principal name is based on the host name of the server running BMC Atrium Single Sign-On.
Keytab File Name: The Kerberos keytab file that is used for authentication; takes the absolute path to the keytab file. The keytab file contains the password for the service principal.
Kerberos Realm
KDC Server: The KDC host name. You must enter the fully qualified domain name (FQDN) of the domain controller.
UserId Format
Return UserId to User Store: If this check box is selected, user store searches use the original UserId instead of the value modified by the UserId Format parameter. For example, the userid from the authentication could be atsso\abcxyz, but the value abcxyz will be used to search the user store.
To reconfigure Firefox
1. Enter the following URL: about:config
2. Click I'll be careful, I promise!
3. Double click the Preference Name: network.negotiate-auth.trusted-uris
4. Add the Fully Qualified Domain Name (FQDN) of the host, for example, sample.bmc.com.
5. Click OK.
Note
The User Profile applies to all authentication methods used for authentication.
3. In the Realm Authentication panel, click Add for a new authentication method and select the method.
Alternatively, if you want to edit an existing module, select the module and click Edit.
4. Provide the parameters for the method and Save.
5. Set the flag for the authentication method.
Note
If you enabled SSL Access to the LDAP Server, import the certificates and restart the Tomcat server
before enabling LDAP authentication. See Managing keystores with a keytool utility (see page 239) for
more information.
Primary LDAP Server
  Name: (Required) Enter the host's Fully Qualified Domain Name (FQDN) for the primary LDAP server.
  Port: If the LDAP server is not listening on the default port (389), specify the port number.
  Use SSL: (Optional) Enable to use SSL to connect to the LDAP servers. In addition, before communications can be established, the certificates for the LDAP servers (primary and secondary) must be imported to the BMC Atrium Single Sign-On Tomcat truststore. For more information on importing certificates into the BMC Atrium Single Sign-On truststore, see Importing a certificate into the truststore (see page 243). If the remote LDAP server requires client authentication for SSL, the BMC Atrium Single Sign-On server's certificate might need to be imported into the LDAP server's truststore. Note: If you enabled SSL Access to the LDAP Server, import the certificates and restart the Tomcat server before enabling LDAP authentication. See Managing keystores with a keytool utility (see page 239) for more information.
Secondary LDAP Server
  Name: The secondary LDAP server is only used when the primary server is not available. It is not used in parallel or when a user fails to authenticate with the primary server.
  Port: If the secondary server is not listening on the default LDAP port, specify the port number.
  Use SSL: (Optional) Enable to use SSL to connect with the LDAP servers. The certificate import and Tomcat restart requirements are the same as for the primary LDAP server's Use SSL setting.
Set Recheck Primary Server Interval (minutes): (Optional) The amount of time that the server uses the secondary server before attempting to reconnect with the primary server.
User Account for Search
  Distinguished Name, Password, Confirm Password: (Required) The DN is the login name that is used to connect to the LDAP server. The user must have privileges to perform searches on the primary and secondary LDAP servers. Enter the DN for the user, the password, and the password confirmation. For example, you can use the Distinguished Name CN=bsmuser,CN=users,DC=bsmdsl,DC=bmc,DC=com and a password of your choice.
Attributes for User Search
  Attribute Name: Add attribute names using the Attribute Name parameter or remove an attribute from the attribute list. For example, you can add CN as the attribute name for User Search.
DN to Start Search
  Base DN: Add a base DN name or remove a name from the list. The search DNs should be as specific as possible for performance reasons. The depth of the search that is performed can be configured. If an Object search is specified, then the DN should be the DN of the node containing the users. Enter the starting locations within the LDAP directory for performing user searches. For each starting point, enter the login name (DN). The Base DN and the attribute for the user profile name are additional search parameters. For example, you can use CN as the attribute for the user profile name.
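An added example (not part of the BMC documentation) of the primary/secondary semantics described above, in Python with a constructed in-memory directory: only a connection failure on the primary triggers use of the secondary, a rejected password is never retried there, and the primary is re-tried only after the recheck interval has elapsed. Server names, the DN and the password are made up.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


class LdapUnavailable(Exception):
    """The server could not be reached (connection failure)."""


class AuthFailed(Exception):
    """The server answered, but rejected the credentials."""


@dataclass
class FakeDirectory:
    """Constructed stand-in for two LDAP servers holding the same accounts."""
    up: Dict[str, bool]
    passwords: Dict[str, str]
    attempts: List[str] = field(default_factory=list)   # servers contacted, in order

    def bind(self, server: str, user_dn: str, password: str) -> None:
        self.attempts.append(server)
        if not self.up[server]:
            raise LdapUnavailable(server)
        if self.passwords.get(user_dn) != password:
            raise AuthFailed(user_dn)


@dataclass
class LdapFailover:
    primary: str
    secondary: str
    recheck_interval_min: float               # Set Recheck Primary Server Interval (minutes)
    directory: FakeDirectory
    failed_over_at: Optional[float] = None    # minute at which the primary was last seen down

    def authenticate(self, user_dn: str, password: str, now_min: float) -> str:
        """Bind as user_dn and return the server that answered.

        Only a connection failure on the primary causes a fall-back to the
        secondary; a wrong password raises AuthFailed and is never retried there.
        While failed over, the primary is left alone until the recheck interval
        has elapsed.
        """
        use_secondary = (self.failed_over_at is not None
                         and now_min - self.failed_over_at < self.recheck_interval_min)
        if use_secondary:
            self.directory.bind(self.secondary, user_dn, password)
            return self.secondary
        try:
            self.directory.bind(self.primary, user_dn, password)
        except LdapUnavailable:
            self.failed_over_at = now_min
            self.directory.bind(self.secondary, user_dn, password)   # may itself raise
            return self.secondary
        self.failed_over_at = None        # primary reachable again: stop using the secondary
        return self.primary


def demo() -> List[Tuple[float, str]]:
    """Walk through an outage; returns (time in minutes, server used) per bind."""
    dn = "CN=bsmuser,CN=users,DC=example,DC=test"          # constructed search account
    directory = FakeDirectory(up={"ldap1": True, "ldap2": True}, passwords={dn: "secret"})
    client = LdapFailover("ldap1", "ldap2", recheck_interval_min=60, directory=directory)
    log = []
    log.append((0, client.authenticate(dn, "secret", now_min=0)))     # ldap1
    directory.up["ldap1"] = False
    log.append((10, client.authenticate(dn, "secret", now_min=10)))   # falls back to ldap2
    log.append((20, client.authenticate(dn, "secret", now_min=20)))   # ldap2, ldap1 not probed
    directory.up["ldap1"] = True
    log.append((80, client.authenticate(dn, "secret", now_min=80)))   # interval elapsed: ldap1
    return log


if __name__ == "__main__":
    for when, server in demo():
        print(f"t={when:>3} min -> {server}")
```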
Note
After authentication, the combination passcode + token is no longer valid.
Note
The User Profile applies to all authentication methods used for authentication.
c. In the Realm Authentication panel, click Add for a new authentication method and select the
method. Alternatively, if you want to edit an existing module, select the module and click Edit.
d. Provide the parameters for the method and Save.
e. Set the flag for the authentication method.
3. (Optional) Edit the rsa_api.properties file for additional configuration.
Configuration path: Specify the full path for the new location of the sdconf.rec file. The configuration path is used to specify the location of the sdconf.rec file used to contact the RSA SecurID server.
Locations
rsa_api.properties
sdconf.rec: Located in the same directory as rsa_api.properties (default), but configurable through the rsa_api.properties file.
Node Secret: Located in the same directory as rsa_api.properties (default), but configurable through the rsa_api.properties file.
sdstatus.12: Located in the same directory as rsa_api.properties (default), but configurable through the rsa_api.properties file.
SDSTATUS_TYPE (FILE)
SDSTATUS_LOC: <configurationDirectory>/<uri>/auth/ace/data/sdstatus
SDNDSCRT_TYPE (FILE)
SDNDSCRT_LOC: <configurationDirectory>/<uri>/auth/ace/data/secured
RSA_LOG_FILE: <configurationDirectory>/<uri>/debug/rsa_api.log
RSA_LOG_LEVEL (INFO; other values are OFF, DEBUG, WARN, ERROR, FATAL)
RSA_DEBUG_FILE, if RSA_ENABLE_DEBUG=YES: <configurationDirectory>/<uri>/debug/rsa_api_debug.log
Note
BMC Atrium Single Sign-On SAMLv2 implementation is limited to:
SAML 2.0 browser-based transient Federation and Federated SSO
Browser-based HTTP GET and POST binding mechanisms of the SAML 2.0 protocol
Create a local SP
If you are using a second BMC Atrium Single Sign-On server as an IdP, the certificate from that server must be
exported from the <installationDirectory>/tomcat/conf/keystore.p12 file and imported into the cacerts.p12 of the
BMC Atrium Single Sign-On server that is providing the SP role.
To create a local SP
1. On the BMC Atrium SSO Admin Console, click Edit BmcRealm.
2. On the Federation tab, click Add.
3. Select Local Service Provider (SP).
4. Provide the local SP information.
5. Click Save.
Local SP parameters
The Local Service Provider (SP) Editor has the following options:
Save to save your modifications.
Reset to remove your modifications and stay on the editor.
Help launches a browser that provides you with online help.
Cancel to cancel and return to the launch page.
Name: Name for the SP or accept the provided SP name. The Name field is pre-populated with a value that reflects the expected SP name.
MetaAlias: The internally generated identifier for the entity. This value is used in the SAMLv2 login URL specified in the agent's configuration.
Binding: This option determines the way in which SAML messages are sent and received between the IdP and the SP. HTTP-Redirect and POST are used when a direct connection between the IdP and SP is not possible. The two bindings differ in the method used to exchange the SAMLv2 messages: HTTP Redirect or XHTML Form with POST.
Artifact Encoding: The encoding technique used for Assertion Artifacts. The encoding method is determined by the IdP and is usually related to the binding method. From the drop-down menu, select URI or FORM.
Sign Messages: The alias specifies the certificate that will be used to sign the specified SAML messages. Signing is used to verify that the messages have not been altered in transit and that they originated with the SP.
  Authentication, Logout Request, Logout Response, Manager: These parameters are the SAMLv2 messages that are to be signed by the SP or are expected to have
Encryption Certificate Alias: The alias specifies the private key that will be used to encrypt the secret key used to encrypt the SAMLv2 messages.
Encryption Algorithm: The encryption algorithm used to encrypt SAMLv2 messages. Select an option, None, 3DES, AES-128, or AES-256, from the drop-down menu.
Assertion, Attribute, Name ID: Specifies whether to encrypt the Assertion, Attribute, and Name ID or leave them in plain text.
Not-Before Skew (seconds): In order to compensate for clock drift between remote machines, this value specifies the amount of time that a message is still considered valid when it is received before the issue time in the message.
Assertion Time: Amount of time that an assertion is valid, counting from the assertion's issue time.
SOAP Basic Authentication: SOAP Basic authentication can be enabled to protect the SOAP SP endpoints. Any provider accessing these endpoints must provide these user name and password values.
Attribute Mapping: Attribute Mapping is used to take user attributes (such as email, phone number, and so on) from the external user store and map them to the attributes used within the BMC Atrium Single Sign-On system. A mapping is defined by entering the name of the SAML Attribute, selecting from the drop-down the Atrium SSO Attribute that the external attribute maps to, and clicking Add to put the new mapping into the table.
Auto Federation: Allows BMC Atrium Single Sign-On to use an attribute of the Assertion from the IdP to automatically create an identity within the BMC Atrium Single Sign-On system. The identity is created by bypassing the initial double login normally performed when federating a user account with SAMLv2.
Name ID Format: Defines the name identifier formats supported by the service provider. Name identifiers are a way for providers to communicate with each other regarding a user. The Name ID format list is an ordered list; the first Name ID has the highest priority in determining the Name ID format to use. If the user does not specify a Name ID to use when initiating single sign-on, the first one in this list that is supported by the remote Identity Provider is chosen. A persistent identifier is saved to a particular user's data store entry as the value of two attributes. A transient identifier is temporary and no data is written to the user's persistent data store. Note: For linking user accounts from the SP and IdP (Remote Identity Provider) together after logging in, the persistent nameID format must be at the top of the list.
Authentication Context: This attribute maps the SAMLv2-defined authentication context classes to the authentication level set
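To make the Not-Before Skew and Assertion Time settings concrete (they appear in both the local SP and the remote IdP editors), here is an added Python check that is not part of the BMC product: it accepts a message issued slightly ahead of the receiver's clock, up to the skew, and rejects an assertion once its lifetime has passed. The timestamps are constructed.

```python
from datetime import datetime, timedelta, timezone
from typing import Tuple


def parse_saml_time(value: str) -> datetime:
    """Parse an xs:dateTime as used for IssueInstant (for example 2014-01-16T15:56:00Z)."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"      # fromisoformat does not accept the Z suffix
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:
        raise ValueError("SAML timestamps must carry a time zone")
    return parsed.astimezone(timezone.utc)


def check_assertion_window(issue_instant: str, received_at: str,
                           not_before_skew_s: int, assertion_time_s: int) -> Tuple[bool, str]:
    """Apply the two timing settings from the editors.

    Not-Before Skew: a message whose issue time is ahead of the receiver's clock
    is still accepted if the gap is at most not_before_skew_s seconds.
    Assertion Time: the assertion expires assertion_time_s seconds after issue.
    Both boundaries are inclusive.
    """
    issued = parse_saml_time(issue_instant)
    now = parse_saml_time(received_at)
    earliest_acceptable = issued - timedelta(seconds=not_before_skew_s)
    if now < earliest_acceptable:
        ahead = (issued - now).total_seconds()
        return False, (f"issued {ahead:.0f}s ahead of the local clock; "
                       f"exceeds Not-Before Skew of {not_before_skew_s}s")
    expires = issued + timedelta(seconds=assertion_time_s)
    if now > expires:
        return False, f"assertion expired at {expires.isoformat()}"
    return True, "accepted"


if __name__ == "__main__":
    # Constructed values: skew 60 s, assertion lifetime 600 s.
    for received in ("2014-01-16T11:59:30Z", "2014-01-16T11:58:00Z", "2014-01-16T12:10:01Z"):
        print(received, check_assertion_window("2014-01-16T12:00:00Z", received, 60, 600))
```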
URL: Select URL to acquire the remote IdP metadata from the URL location. Specify the FQDN of the host, including the port and any required path information. This URL is IdP-specific. For information on the metadata URL, consult the IdP documentation. For information about providing IdP metadata from another Atrium Single Sign-On server, see Providing IdP metadata from another Atrium Single Sign-On server (see page 149).
File Upload: Select File Upload to upload a file that contains the remote IdP metadata.
host is the FQDN of the BMC Atrium Single Sign-On server hosting the IdP.
port is the port used for secure communication of the BMC Atrium Single Sign-On server hosting the IdP.
entityid is the name of the IdP hosted by the BMC Atrium Single Sign-On server.
For example:
https://idp.bmc.com:8443/atriumsso/saml2/jsp/exportmetadata.jsp?role=idp&realm=BmcRealm&entityid=https://id
6. Click Save.
7. On the Federation panel, select the remote IdP.
8. Click Edit.
9. Provide the remote IdP parameters.
10. Click Save.
Name: Name for the IdP or accept the provided IdP name. The Name field is pre-populated with a value that reflects the expected IdP name.
Binding: This option determines the way in which SAML messages are sent and received between the IdP and the SP. HTTP-Redirect and POST are used when a direct connection between the IdP and SP is not possible. The two bindings differ in the method used to exchange the SAMLv2 messages: HTTP Redirect or XHTML Form with POST.
Sign Messages: The alias specifies the certificate that will be used to sign the specified SAML messages. Signing is used to verify that the messages have not been altered in transit and that they originated with the IdP. These parameters are the SAMLv2 messages that are to be signed by the IdP or are expected to
Encrypt Elements: The alias specifies the private key that will be used to encrypt the secret key used to encrypt the SAMLv2 messages.
Encryption Algorithm: The encryption algorithm used to encrypt SAMLv2 messages. Select an option, None, 3DES, AES-128, or AES-256, from the drop-down menu.
Name ID
Note
Each time a BMC product is integrated with the BMC Atrium Single Sign-On SP, the configuration must
be modified so the integrating product can function in the Federated SSO.
3.
a. Delete the URLs in the login URI field.
b. Enter the Federated login URL. For information about the log in URL syntax, see Federated log in URL
syntax (see page 152).
c. Delete the URLs in the logout URI field.
d. Enter the Federated logout URL. For information about the log out URL syntax, see Federated log
out URL syntax (see page 152).
e. Click Save.
The Agent manager provides an Agent panel that allows you to edit, delete, and search for an agent, and shows the
agent name, realm, and state. The state indicates whether the agent is running or is down. When searching for an
agent, * returns all of the names; the filter applies to all columns in the agent panel, and an agent is returned for
display when the filter string is found within any of these values. This lets you filter the list of agents to the ones
running by specifying "Running".
Agent Editor
The Agent Editor allows you to modify the configuration of an agent. By modifying the agent configuration, you
can correct problems caused by environment difficulties. For example, with a remote host, the host may report
their FQDN (Fully Qualified Domain Name) incorrectly using a plain name such as machine instead of
machine.bmc.com.
The Agent Editor is launched when you select an agent and click Edit. The Agent Editor has the following options:
Save to save your modifications.
Reset to remove your modifications and stay on the editor.
Help launches a browser that provides you with online help.
Cancel to cancel and return to the launch page.
Notification URL: The URL where the agent receives notifications from the server about session logouts. It is composed of the product's base URI with "/atsso" concatenated to the end. For example, https://sample.bmc.com/arsys/atsso
Status: Determines whether the agent is enforcing SSO authentication (active) or not (inactive).
Logging Level
Redirect Limit: The number of times that the agent redirects the browser to the server for authentication before signaling an error; 0 means infinite.
Password and Confirm Password: Password used by the agent to access its configuration in the SSO server.
Cookie Name: The name of the cookie that the agent checks for the SSO session token. It should match the cookie name in the server configuration. Note: To ensure browser compatibility, the cookie name should contain only alphanumeric and underscore characters.
Login URI and Logout URI: Login and logout URIs are the locations to which the agent sends users' browsers when the specified function is needed. When an agent is federated, the login and logout URLs for the agent must be modified to interact with the IdP.
Login Probe and Logout Probe: The probe validates that the destination is accessible before sending the user to the location. If it is not, the agent tells the user that the SSO system is inaccessible. The probe should be turned off in environments where the URI cannot be contacted from the agent's environment, such as when the URI contains a host that is to be accessed through a reverse proxy.
Enable Cache: Select this option to enable the session cache. Disabling the cache has a severe performance impact.
Fully Qualified Domain Name Mapping: This FQDN mapping allows the agent to fix the URL used to access the application in order to get the browser to send cookies to the application. The SSO session is identified through cookies. When a URL is not using an FQDN host name, the browser does not know the domain of the server and therefore will not send any cookies to the server.
FQDN of Agent Host: The FQDN entered is the FQDN of the host where the agent is located. Enabling FQDN mapping causes the agent to perform the forwarding from the entered host names to the entered FQDN.
Trigger host list and Trigger Host Name: The hosts that trigger the FQDN redirect. The Trigger host list allows you to remove a host from the list. Trigger Host Name allows you to add a host to the Trigger host list.
Not Enforced URI and URI: The Not Enforced URI field allows you to remove URIs from the Not Enforced URI list. The URI field allows you to add a URI to the Not Enforced URI list.
host is the FQDN of the Atrium Single Sign-On server hosting the SP.
port is the port used for secure communication of the Atrium Single Sign-On server hosting the SP.
entityId is the name of the IdP to be used by this SP.
In this case:
host is the FQDN of the BMC Atrium Single Sign-On server hosting the SP
port is the port used for secure communication of the BMC Atrium Single Sign-On server hosting the SP.
entityId is the name of the IdP to be used by this SP.
webappURL is the URL for the webapp for this agent.
Important
Do not integrate BMC products into a BMC Atrium Single Sign-On server when it is configured as an
Identity Provider.
Note
The default Circle of Trust keystore location and name is <installationDirectory>/tomcat/cot.jks.
This keystore must be of the type, JKS (not PKCS12 or any other type). The default password for
the keystore and certificates is changeit.
2. If the password for the keystore was changed, update the default .keypass and .storepass configuration
files with the encrypted form of the new password.
The configuration files are located in the same <installationDirectory>/tomcat/ directory as the Circle of
Trust keystore.
3. Stop and restart the Tomcat server.
Note
The new certificate is not available to use for creating an IdP until the Tomcat server is stopped
and restarted.
Name: Name for the IdP or accept the provided IdP name. The Name field is pre-populated with a value that reflects the expected IdP name.
Binding: This option determines the way in which SAML messages are sent and received between the IdP and the SP. HTTP-Redirect and POST are used when a direct connection between the IdP and SP is not possible. The two bindings differ in the method used to exchange the SAMLv2 messages: HTTP Redirect or XHTML Form with POST.
Sign Messages: The alias specifies the certificate that will be used to sign the specified SAML messages. Signing is used to verify that the messages have not been altered in transit and that they originated with the IdP.
  Authentication, Logout Request, Logout Response, Manager Name ID Request, Manager Name ID Response, and Artifact Resolve: These parameters are the SAMLv2 messages that are to be signed by the IdP or are expected to have been signed by the SP.
Encrypt Elements: The alias specifies the private key that will be used to encrypt the secret key used to encrypt the SAMLv2 messages.
Encryption Algorithm: The encryption algorithm used to encrypt SAMLv2 messages. Select an option, None, 3DES, AES-128, or AES-256, from the drop-down menu.
Name ID
Not-Before Skew (seconds): In order to compensate for clock drift between remote machines, this value specifies the amount of time that a message is still considered valid when it is received before the issue time in the message.
Assertion Time: Amount of time that an assertion is valid, counting from the assertion's issue time.
Attribute Mapping: Attribute Mapping is used to take user attributes (such as email, phone number, and so on) from the external user store and map them to the attributes used within the BMC Atrium Single Sign-On system. A mapping is defined by entering the Name In Assertion, selecting from the drop-down the Local Attribute Name that the attribute maps to, and clicking Add to put the new mapping into the table.
Create a remote SP
1. On the BMC Atrium SSO Admin Console, click Edit BmcRealm.
2. On the Federation panel, click Add.
3. Select Remote Service Provider (SP).
4. Create a name for the remote SP and upload the SP metadata on the Create Service Provider (SP) pop-up.
URL: Select URL to acquire the remote SP metadata from the URL location. Specify the FQDN of the host, including the port and any required path information. This URL is SP-specific. For information on the metadata URL, consult the SP documentation. For information about providing SP metadata from another Atrium Single Sign-On server, see Providing SP metadata from another Atrium Single Sign-On server (see page 156).
File Upload: Select File Upload to upload a file that contains the remote SP metadata.
Name: Name for the SP or accept the provided SP name. The Name field is pre-populated with a value that reflects the expected SP name.
MetaAlias: The internally generated identifier for the entity. This value is used in the SAMLv2 login URL specified in the agent's configuration.
Binding: This option determines the way in which SAML messages are sent and received between the IdP and the SP. HTTP-Redirect and POST are used when a direct connection between the IdP and SP is not possible. The two bindings differ in the method used to exchange the SAMLv2 messages: HTTP Redirect or XHTML Form with POST.
Artifact Encoding: The encoding technique used for Assertion Artifacts. The encoding method is determined by the IdP and is usually related to the binding method. From the drop-down menu, select URI or FORM.
Sign Messages: The alias specifies the certificate that will be used to sign the specified SAML messages. Signing is used to verify that the messages have not been altered in transit and that they originated with the SP.
  Authentication Request, Logout Request, Logout Response, Manager Name: These parameters are the SAMLv2 messages that are to be signed by the SP or are expected to have been signed by the SP.
Encrypt Elements
  Encryption Certificate Alias: The alias specifies the private key that will be used to encrypt the secret key used to encrypt the SAMLv2 messages.
  Encryption Algorithm: The encryption algorithm used to encrypt SAMLv2 messages. Select an option, None, 3DES, AES-128, or AES-256, from the drop-down menu.
  Assertion, Attribute, Name ID: Specifies whether to encrypt the Assertion, Attribute, and Name ID or leave them in plain text.
SOAP Basic Authentication: SOAP Basic authentication can be enabled to protect the SOAP SP endpoints. Any provider accessing these endpoints must provide these user name and password values.
Attribute Mapping: Attribute Mapping is used to take user attributes (such as email, phone number, and so on) from the external user store and map them to the attributes used within the BMC Atrium Single Sign-On system. A mapping is defined by entering the name of the SAML Attribute, selecting from the drop-down the Atrium SSO Attribute that the external attribute maps to, and clicking Add to put the new mapping into the table.
Note
If bulk federation is not used, then when a user first tries to access a BMC product that is integrated with
a BMC Atrium Single Sign-On SP, the user follows a two-step process to create a federated account.
First, the user authenticates with the IdP and then the user authenticates with the SP.
The following topics provide basic information and instructions for federating user accounts in bulk:
Short form command, long form command: Description
create
federate
cf, create-federate: Creates and federates accounts in bulk. Used to create local user accounts in bulk and to federate at the same time.
import
ci, create-import: Creates accounts and imports federation data. Used to create user accounts in bulk and to import the federated identity mapping data at the same time.
Note
Alternatively, you can use the create-federate command to replace the separate create and
federate steps and the create-import command to replace the separate create and import
steps.
Example (user ID file, one local ID per line)
Format          Sample values
local id 1      spuser1
local id 2      spuser2
...             spuser3
...             spuser4
local id N      spuser5
Example (identity mapping file, local ID and remote ID separated by |)
Format                    Sample values
local id 1|remote id 1    spuser1|idpuser1
local id 2|remote id 2    spuser2|idpuser2
...                       spuser3|idpuser3
...                       spuser4|idpuser4
local id N|remote id N    spuser5|idpuser5
Note
If an account creation fails, the bulkFederation utility continues to create accounts with subsequent user
IDs in the list.
bulkFederation.sh federate|f -ap <arg1> -au <arg2> -fm <arg3> -nm <arg4> -re <arg5> -rf <arg6> -um <arg7>
Note
The ID names are indicated in the federate and create-federate output file, not the FQDN.
Short form parameter | Long form parameter | Commands that use the parameter | Description
-ap | --admin-pswd | create, federate, create-federate, import, create-import | Administrator account password for the specified BMC Atrium Single Sign-On server.
-au | --admin-user | create, federate, create-federate, import, create-import | Administrator account name for the specified BMC Atrium Single Sign-On server. Default: amAdmin
-dp | --default-password | create, create-federate, create-import |
-fm | --federation-meta-alias | federate, create-federate | Meta alias of the service provider (not the entity name of the service provider) where the federation data is generated. Default: /BmcRealm/sp.
-im | --import-meta-alias | import, create-import | Meta alias of the service provider (not the entity name of the service provider) where the federation data is imported. Default: /BmcRealm/idp
-nm | --name-id-file | federate, create-federate, import, create-import | Name of the file for the federated identity mapping data. This data is generated
-re | --remote-identity-id | federate, create-federate |
-rf | --result-file | create, federate, create-federate, import, create-import | Name for a file that will contain diagnostic information from the bulkFederation commands. Use a unique file name for each bulkFederation command. This file is
-um | --user-id-file | create, federate, create-federate | Identity list file containing either the local user IDs (used to create accounts) or the local to remote identity mapping file (used to both create and federate). The
.\userIdMapFile.dat
SUCCESS
spuser1
ur8kcdpsfpha
SUCCESS
spuser2
FAILURE
BMCSSG1743E
IO error encountered when attempting to create the
user: id=spuser2,ou=User,o=BmcRealm,ou=services,dc=opensso,dc=java,dc=net
Fault detail goes here!
spuser3
ss4nmsq9qdq1
SUCCESS
spuser4
FAILURE
BMCSSG1744E
Process was interrupted when attempting to create the user:
id=spuser4,ou=User,o=BmcRealm,ou=services,dc=opensso,dc=java,dc=net
Fault detail goes here!
spuser5
iud8eavvcb36
SUCCESS
.\userIdMapFile.dat
.\nameIdMapFile.dat
SUCCESS
spuser2
FAILURE
BMCSSG1749E
Illegal universal identifier:
id=spuser2,ou=User,o=BmcRealm,ou=services,dc=opensso,dc=java,dc=net
Illegal universal identifier
spuser4
FAILURE
BMCSSG1749E
Illegal universal identifier:
id=spuser4,ou=User,o=BmcRealm,ou=services,dc=opensso,dc=java,dc=net
Illegal universal identifier
.\userIdMapFile.dat
SUCCESS
spuser1
qvk6241mtplh
SUCCESS
spuser2
FAILURE
BMCSSG1743E
IO error encountered when attempting to create the
user: id=spuser2,ou=User,o=BmcRealm,ou=services,dc=opensso,dc=java,dc=net
Fault detail goes here!
spuser3
ivv6obvae1om
SUCCESS
spuser4
FAILURE
BMCSSG1744E
Process was interrupted when attempting to create the user:
id=spuser4,ou=User,o=BmcRealm,ou=services,dc=opensso,dc=java,dc=net
Fault detail goes here!
spuser5
i5mcq3d0n6g5
SUCCESS
.\userIdMapFile.dat
.\nameIdMapFile.dat
SUCCESS
spuser2
FAILURE
BMCSSG1749E
Illegal universal identifier: id=spuser2,ou=User,o=BmcRealm,ou=services,dc=opensso,dc=java,dc=net
Illegal universal identifier
spuser4
FAILURE
BMCSSG1749E
Illegal universal identifier: id=spuser4,ou=User,o=BmcRealm,ou=services,dc=opensso,dc=java,dc=net
Illegal universal identifier
.\nameIdMapFile.dat
SUCCESS
idpuser2
FAILURE
BMCSSG1749E
Illegal universal identifier: id=idpuser2,ou=User,o=BmcRealm,ou=services,dc=opensso,dc=java,dc=net
Illegal universal identifier
idpuser4
FAILURE
BMCSSG1749E
Illegal universal identifier: id=idpuser4,ou=User,o=BmcRealm,ou=services,dc=opensso,dc=java,dc=net
Illegal universal identifier
.\userIdMapFile.dat
SUCCESS
idpuser1
562h359q1gsl
SUCCESS
idpuser2
FAILURE
BMCSSG1743E
IO error encountered when attempting to create the
user: id=idpuser2,ou=User,o=BmcRealm,ou=services,dc=opensso,dc=java,dc=net
Fault detail goes here!
idpuser3
d301pnuve493
SUCCESS
idpuser4
FAILURE
BMCSSG1744E
Process was interrupted when attempting to create the user:
id=idpuser4,ou=User,o=BmcRealm,ou=services,dc=opensso,dc=java,dc=net
Fault detail goes here!
idpuser5
ffm0et9qa59e
SUCCESS
.\nameIdMapFile.dat
FAILURE
BMCSSG1748E
Fault detail goes here!
Error code    Description
BMCSSG1740E
BMCSSG1741E
BMCSSG1742E
BMCSSG1743E
BMCSSG1744E
BMCSSG1745E
BMCSSG1746E
BMCSSG1747E
BMCSSG1748E
BMCSSG1749E
BMCSSG1750E
BMCSSG1751E
BMCSSG1752E
BMCSSG1753E
BMCSSG1754E
BMCSSG1755E
BMCSSG1756E
8 Upgrading
You can upgrade a previous installation of BMC Atrium Single Sign-On by using the installer provided with BMC
Atrium Single Sign-On. This procedure for upgrading BMC Atrium Single Sign-On is the same for both Microsoft
1. On the target computer, start the BMC Atrium Single Sign-On installation utility.
2. When prompted, agree to the license agreement.
3. When the upgrade is complete, review the summary information.
4. To view the upgrade logs, click View Log.
5. To close the dialog, click Done.
8.3.1 To remove the J2EE agent for BMC Analytics for BSM
1. Ensure that you have stopped and disabled the Tomcat server that you installed during the BMC Analytics for
BSM installation.
2. Log on to the BMC Atrium Single Sign-On server.
3. On the BMC Atrium SSO Admin Console, click Agent Details.
4. Select the J2EE agent for the BMC Analytics for BSM host and click Delete. The J2EE agent is removed
from the list.
5. Proceed with your BMC Analytics for BSM upgrade.
Note
BMC recommends that you configure the load balancer for the cluster to block access to the cluster
before upgrading nodes. The cluster cannot be in use during the upgrade.
BMC recommends that you back up the first node in the cluster prior to upgrading.
Important
This file contains sensitive information.
3. Copy the cluster configuration file to the computer that hosts the subsequent node.
4. Run the installation program, autorun on the subsequent node.
a. Provide the administrator password.
b. Select the Additional node of cluster upgrade option and click Next.
c. Provide the location of the cluster configuration file (created during the first node upgrade).
5. For additional nodes, repeat steps 3 and 4.
6. (Optional) Add new nodes to the cluster by running the installation program on a computer which does not
already contain a node. For more information about adding new nodes to the cluster, see Installing
additional nodes for an HA cluster on a new Tomcat server (see page 63) or Installing additional nodes for
an HA cluster on an external Tomcat server (see page 70).
Note
The order in which nodes are upgraded does not matter, since any node can be the first node. The
state of the nodes (running or not) does not affect the upgrade.
9 Integrating
The following topics provide information and instructions for integrating BMC products with BMC Atrium Single
Sign-On:
Important
These instructions are for BMC Remedy AR System version 8.0.00 only.
BMC recommends that you upgrade to BMC Remedy AR System 8.1 because a new utility is introduced
that greatly simplifies the integration between BMC Atrium Single Sign-On and the AR System server and
Mid Tier. For more information about using the new utility, see Installing BMC Atrium Single Sign-On
with the AR System server and Mid Tier (see page 79).
Step    Task
1       Configure the mid tier for BMC Atrium Single Sign-On user authentication (see page 176)
2       Configure the BMC Atrium Single Sign-On server for AR System integration (see page 183)
Note
All products that run in BMC Remedy AR System support BMC Atrium Single Sign-On including AR
System Mid Tier products (BMC Remedy ITSM, BMC Atrium Core, BMC Atrium CMDB, and so on), BMC
Atrium Dashboard and Analytics, BMC IT Business Management Suite, BMC ProActive Performance
Management (version 9.0), and so on.
For more information about integrating with BMC Remedy AR System, see the installing and integrating information
in the BMC Remedy AR System 8.0 online documentation.
Note
When installing on Linux servers, port selections below 1000 require the server to run as root, or
use a port forwarding mechanism.
Important
The higher the level of the selected parent domain, the higher the risk of user
impersonation. Top-level domains are not supported (for example, com or com.ca).
You cannot use sibling domains or cross-domains with BMC Atrium Single Sign-On. For
example, installing the BMC Atrium Single Sign-On server in the remedy.com domain and
the AR System server in the bmc.com domain is not supported. You must move all your
computers into the same domain.
9. Enter a strong administrator password (at least 8 characters long), confirm the password, and click Next.
The default administrator name is amadmin. See Administrator password for more information.
10. Review the installation summary and click Install.
11. Verify that your BMC Atrium Single Sign-On installation was successful by accessing the BMC Atrium Single
Sign-On URL.
a. Navigate to Start > All Programs > BMC Software > BMC Atrium SSO > Administrator to launch the
BMC Atrium SSO Admin Console.
The URL to open the BMC Atrium SSO Admin Console is:
http://<ssoServer>.<domain>:<port>/atriumsso/atsso/console/login/Login.html
For example:
http://ssoServer.bmc.com:8443/atriumsso/atsso/console/login/Login.html
b. Confirm that you can view the OpenSSO login panel.
12. (Optional) Create an administrative user account for BMC Products to perform search functions on the
user data store (for example, to list user names and emails).
If you are using the BMC Atrium Single Sign-On server's internal LDAP, assign the BMCSearchAdmins
group to the new user account.
If you are using an external system for authentication (such as AR System, LDAP, or Active Directory),
assign the BmcSearchAdmins group to either an already existing user account or a new user
account.
Note
To activate the connection to BMC Atrium Single Sign-On, use the Atrium SSO Integration tab of the AR
System Administration: Server Information form.
BMC Atrium Single Sign-On integration is supported only on web clients. For information about
manually configuring the mid tier for Atrium Single Sign-On integration, see Manually configuring mid
tier for BMC Atrium Single Sign-On user authentication (see page 176).
Note
The BMC Atrium Single Sign-On Tomcat server cannot be shared with any product (for example, the AR
System server or the BMC Remedy Mid Tier) that integrates with BMC Atrium Single Sign-On. BMC
recommends that BMC Atrium Single Sign-On be the only application in the Tomcat server.
2. In the AR System Administration: Server Information form, click the Atrium SSO Integration tab.
AR System Administration: Server Information form--Atrium SSO Integration tab
Note
Use the FQDN for the BMC Atrium Single Sign-On server host name, not simply the host
name.
Port number: The port on which the BMC Atrium Single Sign-On server is configured (typically 8443).
Protocol (optional parameter): The default value for this parameter is https, but it can also be set
to http. For example:
https://<server>:<port>/<AtriumSSO-URI>
https://ssoServer.bmc.com:8443/atriumsso
4. Enter the Atrium Single Sign-On Admin User.
The BMC Atrium Single Sign-On administrator name, by default, is amadmin.
5. Enter the Atrium Single Sign-On Admin Password.
6. (Optional) Enter the Atrium Single Sign-On Keystore Path.
The keystore file location is where the BMC Atrium Single Sign-On keystore is saved. This path includes the
keystore file name. Enter this value only if you have configured a keystore. This field is not mandatory and
you can define it later.
7. (Optional) Enter the Atrium Single Sign-On Keystore Password.
Enter this value only if you specify the Keystore path.
8. Click Apply.
For more information on a full single sign-on solution that includes BMC Atrium, see the Knowledge Base article
KA286851. You must have a BMC customer support account to access this information.
The example is not a supported product and there is no implied support if you use it.
9.1.4 Manually configuring mid tier for BMC Atrium Single Sign-On user
authentication
For the mid tier to communicate with the BMC Atrium Single Sign-On server for user authentication, follow the
steps below to manually configure the mid tier.
Note
Perform the steps in this section only if you did not select the Configuration of Atrium Single
Sign-On option during the AR System server installation or during the stand-alone installation of
the mid tier.
BMC recommends that you do not install BMC Atrium Single Sign-On and BMC Remedy Mid Tier on
the same computer. BMC Atrium Single Sign-On and BMC Remedy Mid Tier must use different Tomcat
servers: if the mid tier computer needs to be restarted, BMC Atrium Single Sign-On is down during the
restart, and all the other applications that depend on it become unavailable.
To manually configure the Mid Tier for BMC Atrium Single Sign-On user authentication
1. Go to the computer where you installed the Mid Tier.
2. Stop the mid tier service, if it is already running.
3. Copy all the jar files from the <MidtierInstallDir>\webagent\dist\jee\WEB-INF\lib directory to the
<MidtierInstallDir>\WEB-INF\lib directory.
For example, copy all the jar files from C:\Program Files\BMC
Software\ARSystem\midtier\webagent\dist\jee\WEB-INF\lib to C:\Program Files\BMC
Software\ARSystem\midtier\WEB-INF\lib.
4. Go to the <MidtierInstallDir>\Web-Inf directory and open the web.xml file in an editor.
5. Uncomment the <filter> and <filter-mapping> tags for the Atrium Single Sign-On filter.
These tags should look like the following:
Make sure that you save your changes to the web.xml file.
6. Go to the <MidtierInstallDir>\Web-Inf\classes directory (for example, C:\Program Files\BMC
Software\ARSystem\midtier\WEB-INF\classes) and open the config.properties file in an editor.
7. Add an attribute in the config.properties file.
To do this, comment out the DefaultAuthenticator line
(arsystem.authenticator=com.remedy.arsys.session.DefaultAuthenticator) and add the following line for the
Atrium Single Sign-On Authenticator:
arsystem.authenticator=com.remedy.arsys.sso.AtriumSSOAuthenticator
Make sure that you save your changes to the config.properties file.
8. Go to the computer where you installed the AR System server and open the ar.cfg (Microsoft Windows) or
ar.conf (UNIX or Linux) file in an editor.
The default location for Windows is C:\Program Files\BMC Software\ARSystem\Conf.
9. Add the following SSO AREA plug-in entries to the ar.cfg file:
(Unix) Plugin areaatriumsso.so
name:PluginPort
For example:
Server-Plugin-Alias: ARSYS.AREA.ATRIUMSSO ARSYS.AREA.ATRIUMSSO arSystemServer.bmc.com:9999
Make sure that the SSO entries are listed first; otherwise they will not be used by the AR System
server.
Plugin: areaatriumsso.dll
Plugin: ardbcconf.dll
Plugin: reportplugin.dll
Plugin: ServerAdmin.dll
Server-Plugin-Alias: ARSYS.AREA.ATRIUMSSO ARSYS.AREA.ATRIUMSSO xyz-abc-x28-vm1.dsl.bmc.com:9999
Server-Plugin-Alias: ARSYS.ARF.REGISTRY ARSYS.ARF.REGISTRY xyz-abc-x28-vm1.dsl.bmc.com:9999
Server-Plugin-Alias: ARSYS.ARDBC.REGISTRY ARSYS.ARDBC.REGISTRY xyz-abc-x28-vm1.dsl.bmc.com:9999
Server-Plugin-Alias: ARSYS.ARDBC.ARREPORTENGINE ARSYS.ARDBC.ARREPORTENGINE xyz-abc-x28-vm1.dsl.bmc.com:9999
Server-Plugin-Alias: ARSYS.ARF.QUERYPARSER ARSYS.ARF.QUERYPARSER xyz-abc-x28-vm1.dsl.bmc.com:9999
Server-Plugin-Alias: ARSYS.ALRT.WEBSERVICE ARSYS.ALRT.WEBSERVICE xyz-abc-x28-vm1.dsl.bmc.com:9999
Server-Plugin-Alias: ARSYS.ARF.PARSEPARAMETERS ARSYS.ARF.PARSEPARAMETERS xyz-abc-x28-vm1.dsl.bmc.com:9999
Server-Plugin-Alias: ARSYS.ARF.PUBLISHREPORT ARSYS.ARF.PUBLISHREPORT xyz-abc-x28-vm1.dsl.bmc.com:9999
Server-Plugin-Alias: ARSYS.ARF.REPORTSCHEDULER ARSYS.ARF.REPORTSCHEDULER xyz-abc-x28-vm1.dsl.bmc.com:9999
Server-Plugin-Alias: ARSYS.ARF.RSAKEYPAIRGENERATOR ARSYS.ARF.RSAKEYPAIRGENERATOR xyz-abc-x28-vm1.dsl.bmc.com:9999
Server-Plugin-Alias: ARSYS.ALRT.TWITTER ARSYS.ALRT.TWITTER xyz-abc-x28-vm1.dsl.bmc.com:9999
Server-Plugin-Alias: ARSYS.ARF.TWITTER ARSYS.ARF.TWITTER xyz-abc-x28-vm1.dsl.bmc.com:9999
not protected by the agent. Their contents are uploaded into the BMC Atrium Single Sign-On server to
become part of the Agent configuration.
When you later finish integration, this file is no longer used or needed. If you must update the agent
configuration, access Agent Details on the BMC Atrium SSO Admin Console to modify the Not Enforced
URI Processing values.
/arsys/services/*
/arsys/WSDL/*
/arsys/shared/config/*
/arsys/shared/doc/*
/arsys/shared/images/*
/arsys/shared/timer/*
/arsys/shared/ar_url_encoder.jsp
/arsys/shared/error.jsp
/arsys/shared/file_not_found.jsp
/arsys/shared/HTTPPost.class
/arsys/shared/login.jsp
/arsys/shared/login_common.jsp
/arsys/shared/view_form.jsp
/arsys/shared/logout.jsp
/arsys/shared/wait.jsp
/arsys/servlet/ConfigServlet
/arsys/servlet/GoatConfigServlet
/arsys/plugins/*
For example,
15. Make sure that the deployer script finishes execution successfully.
Tip
If the deployer script fails:
a. Delete the <containerBaseDir>/atssoAgents folder (for example, C:\Program
Files\Apache Software Foundation\Tomcat6.0\atssoAgents).
b. Delete the agent if it exists in Agent Details on the BMC Atrium SSO Admin Console.
c. Re-run the deployer script after you fixed the problem (for example, added additional
parameters).
Note
If the container is not using HTTPS, the truststore and truststore-password parameters can
be ignored. For example:
If the --web-app-logout-uri parameter is not specified, you can specify the parameter value in
Agent Details on the BMC Atrium SSO Admin Console:
1. On the BMC Atrium SSO Admin Console, click Agent Details.
2. Select the agent and click Edit.
3. In the Logout Processing section, replace the default value with
/arsys/shared/loggedout.jsp.
When you are using a load balancer or reverse proxy, you must add the --web-app-url and
--notify-url URLs. In this case, the --web-app-url URL must be the load balancer URL and
the --notify-url must be the mid tier URL. For example:
For more information about containers, agents, and deployer commands, see:
Container types, containers, and agents
Deployer commands for various JSP engines
Container type    Agent        Container
TOMCAT            Web Agent    Apache Tomcat v6
WEBSPHERE         Web Agent    IBM WebSphere v6, IBM WebSphere v7
GENERIC           JEE Agent    Any
JBOSSV4           JEE Agent    RedHat JBoss v4
JBOSSV5           JEE Agent    RedHat JBoss v5
SERVLETEXECV5     JEE Agent
SERVLETEXECV6     JEE Agent
TOMCATV5          JEE Agent    Apache Tomcat v5
TOMCATV6          JEE Agent    Apache Tomcat v6
WEBSPHEREV6       JEE Agent    IBM WebSphere v6
WEBSPHEREV7       JEE Agent    IBM WebSphere v7
WEBSPHEREV10      JEE Agent
Apache Tomcat
Note
Do not use tomcat for --container-type; use tomcatv6 instead.
Oracle WebLogic
IBM WebSphere
9.1.5 Configuring the BMC Atrium Single Sign-On server for AR System
integration
The Action Request (AR) authentication module allows BMC Atrium Single Sign-On to use the user accounts
within a BMC Remedy AR System server for authentication. This module is normally used in conjunction with the
AR Data Store to retrieve group information and other user attributes from the AR System server.
Configure the AR module for AR System (see page )
Configure AR user stores for AR System (see page )
Managing the AR System users and groups (see page )
When you enable authentication chaining mode, all authentication methods in the chain are attempted in the
specified order until either the authentication succeeds or all the methods in the chain fail.
Note
If you plan to use an authentication method other than or in addition to the AR module, see the
applicable authentication method in Configuring after installation. For example, Using Kerberos for
authentication (see page 132) or Using SAMLv2 for authentication.
Enter the AR parameters (see page ).
a. Click Save.
6. On the Realm Authentication panel, set the process order of the authentication chain:
a. For the AR module, under Flag, select Sufficient.
b. Select the AR module.
c. Click Up so that AR is first in the list.
d. Set Internal LDAP to Optional.
Sufficient means that, with multiple authentication modules, if you are successfully authenticated
with the first module, the remaining modules are skipped. But if the login fails, authentication moves
to the next module in the chain. Setting AR to Sufficient and placing it as the first module in the list
means that if you are authenticated with the AR System server, you are successfully authenticated by
BMC Atrium Single Sign-On and you proceed to the Mid Tier.
Note
With Single Sign-On, you want to trigger authentication providers in the right order. The order is: Required > Requisite >
Sufficient > Optional.
If you set both realms to Required, then you would need both authentications to establish the session.
For more information on creating an authentication chain, see the Realm Authentication panel described in Realm Editor.
AR parameters
Parameter                       Description
Server Host Name                (Required) Provide the Fully Qualified Domain Name (FQDN) for the server where the AR System server is located. The full host name includes the domain name (bmc.com) of the computer and the individual name of the server (yourServer).
Server Port Number              (Required) AR Server Port Number is the port on which the AR System server is listening. Note: Enter a value of 0 if the AR System server is using port mapping.
Default Authentication String   This string is only used when the AR module is placed downstream in a chain from another authentication module which prompts the user only for a name and password. In this situation, the value of this parameter is used to authenticate the user by re-using the
Allow AR Guests                 If enabled, allows unknown or invalid users to authenticate to the AR System server as guests.
Note
When using SAML v2 for authentication, you must not use AR user stores. Although the AR authentication
module should be configured, the AR data store is not needed for authentication in a SAMLv2 deployment.
Section                  Parameter                        Description
AR Server                Name                             Label for the AR user store.
                         Host Name                        (Required) Provide the Fully Qualified Domain Name (FQDN) for the server where the AR System server is located. The full host name includes the domain name (bmc.com) of the computer and the individual name of the server (yourServer). Replace the default value (sample.bmc.com) with the host name of your server (for example, yourServer.bmc.com).
                         Port                             (Required) Default: 0. Provide the port number on which the AR Server is listening. The value 0 is used when the AR Server is using port mapping.
Administrative Access    Name                             (Required) Provide the user name of an AR Server user store account that has AR System Administrator privileges. Empty or blank passwords for this internal user are not supported with a new user store.
                         Authentication                   Provide the authentication string that is needed when the Administrator account is used to connect with the AR System server.
                         Password and Confirm Password    Password for the AR System administrative user of the AR Server user store account (for example, admin).
Connection Pool          Linger Time (seconds)            (Required) Default: 60. Linger Time is the amount of time (in milliseconds) that a connection is allowed to remain unused in the pool before being closed.
                         Pool size                        (Required) Default: 10. The Pool Size is the maximum number of connections the data store uses to service data requests for the AR System server.
From the User page, the administrator can create, delete, and manage group memberships.
To access the User page (see page )
To add a new user (see page )
BMC products can use the group membership capabilities of the BMC Atrium Single Sign-On system to provide
authorization and authentication of users. If a BMC product does not use the group memberships of the BMC
Atrium Single Sign-On system, then that product's documentation must be consulted to determine groups to
privileges mapping.
To access the Group page (see page )
To create a new group (see page )
When creating a new user, each field that is marked with an asterisk is a required field.
3. In the User Id field, enter a unique identifier for the new user.
This value is used as the user ID when the user logs in.
4. Specify the user's status.
The default is Active.
5. Add the name attributes.
The name attributes (First Name, Full Name, and Last Name) can be provided to BMC products to
help identify user accounts by using terms that are more user-friendly. The actual use of these
attributes, though, is dependent on the BMC product.
You must assign an initial password of at least 8 characters when creating the account. After the
password is created, the user can log into BMC Atrium Single Sign-On and update the password and
their personal information through the following URL:
https://FQDNHostName:port/BMC Atrium SSO?realm=BmcRealm
6. Click the Groups tab.
7. From the list of available groups, add the user to group membership (for example, BmcAdmins).
8. Click Save.
Related topics
Using SAMLv2 for authentication
Using Kerberos for authentication (see page 132)
Using CAC for authentication
9.1.6 Running a health check on the BMC Atrium Single Sign-On integration
After you finish all these procedures, run a health check of your integration of BMC Atrium Single Sign-On with
BMC Remedy AR System.
Tip
Clear the cache on your browser if you see redirect errors.
If your integration is successful (for example, by using the not_enforced.txt file during the agent
deployment), you should see the normal Mid Tier configuration logon, not the BMC Atrium SSO logon
screen.
3. Enter the User Name and Password of an AR System user and then click Log In.
Demo is the AR System default logon (without any password).
If BMC Atrium Single Sign-On is properly integrated and configured, the Applications startup page appears.
Note
For BMC Dashboards for BSM version 7.7.00 and higher, instead of re-installing, you can run the installer
again to set the BMC Atrium Single Sign-On parameters.
Description
Fully qualified host name of the BMC Atrium Single Sign-On server.
HTTPS port number used by the BMC Atrium Single Sign-On server.
User name and password for the BMC Atrium Single Sign-On server administrator.
User name and password of the BMC Dashboards for BSM administrator user. This user must exist in
BMC Atrium Single Sign-On.
Ensure that BMC Analytics for BSM is installed with an Apache Tomcat. A new Apache Tomcat should be
installed during the SAP BusinessObjects installation instead of using an existing Tomcat. If you have an
existing Tomcat installation, provide different port numbers.
Note
For BMC Analytics for BSM version 7.6.06 and higher, instead of re-installing, you can run the installer
again to set the BMC Atrium Single Sign-On parameters.
Description
Fully qualified host name of the BMC Atrium Single Sign-On server.
HTTPS port number used by the BMC Atrium Single Sign-On server.
Administrator Name
User name for the BMC Atrium Single Sign-On server administrator.
Administrator Password
Note
The BMC ProactiveNet Single Sign-On feature can be integrated either during installation, or
post-installation.
Parameter                              Description
                                       Enter the fully qualified name of the BMC Atrium Single Sign-On server.
ProactiveNet Server Hostname Domain    Enter the fully qualified host name of the server where BMC ProactiveNet Server is installed. By default, this field is populated with the host name of the server on which the installer is executed.
                                       Enter the BMC Atrium Single Sign-On secure port number. The default port number is 8443.
Searcher ID                            Enter the BMC Atrium Single Sign-On Searcher ID used to search all user names and groups.
Searcher Password
If you launch BMC ProactiveNet and try to log in as a user who is not associated with a
valid user group in BMC Atrium Single Sign-On, BMC ProactiveNet displays an error stating "Invalid
username/password".
If you receive a message that the BMC ProactiveNet Server has restarted, you must close the browser, then
re-open the browser and log back in.
Note
When integrating a BMC ProactiveNet Server with an external system such as SSO or LDAP for
authentication, ensure that the same user name does not exist in both the external system and the
BMC ProactiveNet Server.
If the same user exists in both, user group associations defined in BMC ProactiveNet will be
considered.
a. Click Add.
b. In the UserId field, enter a unique identifier for the new user. This value is used as the
user ID when the user logs in. If special characters, such as a comma (,), semi-colon (;),
or plus sign (+), are used in the user ID, a backslash (\) must precede the special
character. For example, Baldwin\,bob.
c. Enter the user's last name and full name.
d. Enter an initial default password (which the user changes) and confirm this default
password.
e. In the Status field, verify that the Active radio button is selected (default).
f. Click Save.
Note
An initial password must be provided when creating the account. Once created, the user can log
into BMC Atrium Single Sign-On and update the password and their personal information through
the following URL:
9.4.7 To clean up Web Agent entries when the BMC ProactiveNet Server is
uninstalled
The following steps are required to delete Web Agent entries on the BMC Atrium Single Sign-On Server when the
BMC ProactiveNet Server is uninstalled.
Note
Any changes made to a BMC Atrium Single Sign-On user will not be reflected in an active BMC
ProactiveNet session.
The user must log out and log back in for the changes to be in effect.
3. Identify the two Agents corresponding to your BMC ProactiveNet Server host.
Search for the following patterns:
Parameter                      Value
Atrium SSO Location
Atrium SSO Admin User
Atrium SSO Admin Password
Atrium SSO Keystore Path       Specify the location of the keystore. The default Tomcat server used by the BMC Atrium Single Sign-On server uses a keystore and a truststore for its secure (HTTPS/TLS) communications. These files are stored within the directory at <installDir>/BMC Software/AtriumSSO/tomcat/conf.
Atrium SSO Keystore Password
9.6.2 To configure the WebSphere application server to work with the BMC
Atrium Single Sign-On server
1. Stop the application server.
2. Copy the certificate truststore file (cacerts) from the <WebSphereHome>\java\jre\lib\security directory to
the <WebSphereHome>\bin directory.
3. Copy the deployment utility webagent.zip file from the BMC Atrium Single Sign-On server build to the
temporary directory called <WEB_AGENT_DIR>.
4. Run the following deployer script from the websphere java directory:
--jvm-truststore
"C:\Program Files\IBM\WebSphere\AppServer\java\jre\lib\security\cacerts"
--jvm-truststore-password changeit
--truststore "C:\Program Files\IBM\WebSphere\AppServer\bin\cacerts"
--truststore-password changeit
Note
When you run the script using the java command, use the WebSphere copy of the java version,
not the one from the Oracle JDK.
Name                               Value
atsso.configuration.dir
                                   C:/Program Files/IBM/WebSphere/AppServer/bin/cacerts
                                   Note: If your folder path contains spaces, copy cacerts from <Websphere_Home>\bin\cacerts to any temp directory (for example, C:/bmc/).
cacerts.password                   changeit
sso.acceptAllServerCertificates    true
Notes
For information about compatible versions of these BMC applications, see BSM Interoperability
8.5.1.
This topic does not describe how to integrate data from BMC Atrium CMDB into BMC Capacity
Optimization using Extract, Transform, and Load tasks (ETL tasks). For information about
integrating data from BMC Atrium CMDB into BMC Capacity Optimization, see Integrating BMC
Capacity Optimization with BMC Atrium CMDB in the BMC Capacity Optimization online
documentation.
Note
The BMC Atrium Single Sign-On server user must be assigned an administrator role.
9. Click Execute.
A utility runs that registers BMC Capacity Optimization with the BMC Atrium Single Sign-On server.
10. Click Save.
11. Close your BMC Capacity Optimization Console browser window.
12. Verify that BMC Capacity Optimization services have been restarted (see the Verifying that BMC Capacity
Optimization services are running section of Verifying BMC Capacity Optimization installation).
13. Log on to the BMC Capacity Optimization Console (see Accessing the BMC Capacity Optimization console).
Note
The BMC Atrium Single Sign-On Tomcat server cannot be shared with any product that integrates with
BMC Atrium Single Sign-On (for example, BMC Atrium Orchestrator). BMC recommends that you install
BMC Atrium Single Sign-On on a different computer from the computer where you plan to install a BMC
product (for example, the AR System server or the BMC Remedy Mid Tier).
Installation parameter                                                                   Your value
Destination Directory
    Windows: C:\Program Files\BMC Software\AtriumSSO
    UNIX: /opt/bmc/atriumsso
Server panel
Installation parameter                                                                   Your value
Hostname: Fully qualified host name of the server where you install BMC Atrium Single Sign-On
Install new Tomcat server on the computer where you install BMC Atrium Single Sign-On
HTTP port number used by the BMC Atrium Single Sign-On server
HTTP port number used by the BMC Atrium Single Sign-On server
Shutdown port number used by the BMC Atrium Single Sign-On server
Cookie Domain: Network domain of the computer on which you are installing the server
Password
Confirm Password
9.9.2 Preparing the Console component for the BMC Atrium SSO
integration
Ensure that the BMC Remedy ITSM users that you want to use exist in the BMC Atrium Single Sign-On server. See
Managing users (see page 264) and Managing user groups (see page 268).
9.10.2 Limitations
The mobile applications do not support pop-up windows for login. The SAML IdP in Atrium SSO must
provide a login page that is compatible with the embedded WebKit browser.
The only identity provider (IdP) that BMC Mobility for ITSM supports is BMC Atrium SSO, which is the only
supported service provider (SP). Other IdPs and SPs are not supported.
2. Configure the Logout URL for the BMC Atrium Single Sign-On server using the following steps:
a. In the Agent Editor, change the Logout URL to be the same as the Mid Tier Agent Logout URL (for example, https://serverName:portNumber/atriumsso/saml2/jsp/spSingleLogoutInit.jsp?idpEntityID=idp).
10 Using
The following topics provide information and instructions for using the BMC Atrium Single Sign-On:
Note
To access the BMC Atrium SSO Admin Console, use a Fully Qualified Domain Name (FQDN) URL.
Main tab
The Main tab provides the following panels for specifying parameters:
If a module that is flagged with Sufficient succeeds, only the Required and Requisite modules that precede
that Sufficient module must have succeeded for the overall authentication to succeed.
If no Required or Requisite modules are configured for an application, then at least one Sufficient or
Optional module must succeed.
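As an added illustration (not code from BMC Atrium Single Sign-On or OpenAM), the following Python walks a chain with these four flags and records which modules actually ran; the LDAP, Kerberos and AR System modules are stand-ins backed by a constructed user table.

```python
"""Added illustration of the Required / Requisite / Sufficient / Optional
module flags described above. Not product code: the modules are stand-ins
backed by a constructed user table."""
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Flag(Enum):
    REQUIRED = "required"      # must succeed; a failure is remembered but the chain continues
    REQUISITE = "requisite"    # must succeed; a failure stops the chain immediately
    SUFFICIENT = "sufficient"  # success ends the chain early if all earlier Required/Requisite passed
    OPTIONAL = "optional"      # only decisive when the chain has no Required/Requisite module


Creds = Dict[str, str]
Module = Callable[[Creds], bool]
Chain = List[Tuple[str, Flag, Module]]


def evaluate_chain(chain: Chain, creds: Creds) -> Tuple[bool, List[Tuple[str, bool]]]:
    """Run the modules in order; return (authenticated, trace of (module name, result))."""
    mandatory_seen = False   # does the chain contain any Required/Requisite module?
    mandatory_ok = True      # have all Required/Requisite modules run so far succeeded?
    soft_ok = False          # has any Sufficient/Optional module succeeded?
    trace: List[Tuple[str, bool]] = []
    for name, flag, module in chain:
        ok = bool(module(creds))
        trace.append((name, ok))
        if flag in (Flag.REQUIRED, Flag.REQUISITE):
            mandatory_seen = True
            if not ok:
                mandatory_ok = False
                if flag is Flag.REQUISITE:
                    break                      # Requisite failure: stop evaluating at once
        elif flag is Flag.SUFFICIENT:
            if ok:
                soft_ok = True
                if mandatory_ok:
                    return True, trace         # short-circuit: later modules never run
        else:                                  # OPTIONAL
            soft_ok = soft_ok or ok
    if mandatory_seen:
        return mandatory_ok, trace             # Required/Requisite results decide
    return soft_ok, trace                      # no mandatory module: one soft success suffices


# Constructed user table standing in for the LDAP, Kerberos and AR System stores.
USERS = {
    "ldap": {"alice": "pw-alice", "bob": "pw-bob"},
    "kerberos": {"alice"},                     # only alice can present a Kerberos ticket
    "ar": {"bob": "pw-bob"},
}


def ldap_module(c: Creds) -> bool:
    return USERS["ldap"].get(c.get("user", "")) == c.get("password")


def kerberos_module(c: Creds) -> bool:
    return c.get("user") in USERS["kerberos"] and c.get("ticket") == "valid"


def ar_module(c: Creds) -> bool:
    return USERS["ar"].get(c.get("user", "")) == c.get("password")


# LDAP must pass; a valid Kerberos ticket then ends the chain early; AR is advisory only.
SAMPLE_CHAIN: Chain = [
    ("LDAP", Flag.REQUIRED, ldap_module),
    ("Kerberos", Flag.SUFFICIENT, kerberos_module),
    ("AR", Flag.OPTIONAL, ar_module),
]

if __name__ == "__main__":
    for creds in ({"user": "alice", "password": "pw-alice", "ticket": "valid"},
                  {"user": "alice", "password": "wrong", "ticket": "valid"},
                  {"user": "bob", "password": "pw-bob"}):
        print(creds["user"], evaluate_chain(SAMPLE_CHAIN, creds))
```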
Federation panel
The Federation panel is used for managing the membership of Local Identity Provider (IdP) and Local Service Provider (SP) entities that belong in a Circle of Trust (COT). The name of the COT is derived from the name of the realm to allow a logical mapping into the OpenAM abstractions.
The IdP and SP entities created in the realm are automatically assigned membership in the single COT for the realm.
This panel allows you to add, edit, and federate realms. When you add a realm, you can specify the type of realm (for example, IdP or SP for SAMLv2 authentication).
User Stores panel
The User Stores panel allows you to manage user stores (add, delete, edit, and reorder).
The User Store Manager allows you to define external User Stores from which user attributes (email address,
phone numbers, and so forth) and group memberships can be obtained. By default, the internal LDAPv3 data
store is configured as a User Store for the BmcRealm. However, external LDAPv3 servers, BMC Remedy AR System
servers, and even an RDBMS can be used (with a customer-provided JDBC driver).
The User Store Manager allows you to create new User Stores from existing types or existing Templates, edit existing user stores, and delete deprecated ones. Templates are based upon user store types but include initial configuration values. An example of a template would be one that provides meaningful default values for an Active Directory user store.
User tab
The User tab allows you to create new users, delete existing users, and edit the attributes and memberships of those users. By selecting a user you can edit or delete the user.
When searching for a user, the wildcard * returns all of the names. A letter such as "m" returns all names that contain the letter "m". A short string such as "mc" returns names that contain "mc" (for example, McCormick).
Groups tab
The Groups tab allows you to create new groups, delete existing groups, and edit the attributes of the group. By selecting a group you can edit or delete the group.
When searching for a group, the wildcard * returns all of the names. A letter such as "d" returns all names that contain the letter "d". A short string such as "dm" returns names that contain "dm" in the group name (for example, admin).
Security tab
The Security tab provides the following features:
Note
To ensure that the administrator always has access to the server, the account lockout feature does not apply to the amAdmin account.
Note
Ensure that you provide the absolute path for the URL that you enter in the list of Valid Forwarding
Domains, such as:
https://sample.bmc.com:8080/test
If you try to access a URL that is not present in Valid Forwarding Domains, you are redirected to a page that has
an error message and a link to log out of the BMC Atrium Single Sign-On server.
Federation editors
Local Service Provider (SP) Editor (see page 230)
Create Identity Provider (see page 228)
Remote Identity Provider (IdP) Editor
Local Identity Provider (IdP) Editor
Create Service Provider (see page 229)
Remote Service Provider (SP) Editor (see page 232)
User Editor
The User Editor allows you to provide specific information about the user as well as to set their status (Active or Inactive).
Save saves your modifications.
Reset removes your modifications.
Help accesses online help.
Cancel cancels and returns you to the Users tab on the Realm Editor.
There are two tabs available from the User Editor:
Main tab allows you to create and edit user information.
Groups tab allows you to assign users to groups.
Main tab
User ID
Status
User information: Provide the user information. As a minimum, provide the full name, first name, last name, and a default password and confirm password.
Groups tab
Available Groups and Member Of: Add and Add All allow you to add groups to this user. The group is then listed in the Member Of list rather than the Available Groups list. Remove and Remove All allow you to remove groups from this user. The group is then listed in the Available Groups list rather than the Member Of list.
Group Editor
The Group Editor allows you to create a group and to add users to the group. You can add users individually or
add all users to the members list and you can delete users individually or delete all users from the members list.
Save saves your modifications.
Reset removes your modifications and keeps you on the Group Editor.
Help accesses the online help.
Cancel cancels and returns you to the Groups tab on the Realm Editor.
Group Name
Available Users: The list of users available on the system. You can filter the available users by any character in their User ID. For example, if a User ID has the letter "r" in the string, all users with the letter "r" are displayed in the Available Users list. If there is no character in the Filter field, all users are displayed.
Members: Add and Add All allow you to add users to this group. The user is then listed in the Members list rather than the Available Users list. Remove and Remove All allow you to remove users from this group. The user is then listed in the Available Users list rather than the Members list.
AR Editor
Server Host Name: (Required) Provide the Fully Qualified Domain Name (FQDN) of the server where the AR System server is located. The full host name includes the domain name (bmc.com) of the computer and the individual name of the server (yourServer).
Server Port Number: (Required) The AR Server Port Number is the port on which the AR System server is listening. Note: Enter a value of 0 if the AR System server is using port mapping.
Default Authentication String: This string is only used when the AR module is placed downstream in a chain from another authentication module that prompts the user only for a name and password. In this situation, the value of this parameter is used to authenticate the user by re-using the credentials provided by the user along with this authentication string.
Allow AR Guests: If enabled, allows unknown or invalid users to authenticate to the AR System server as guests.
AR Server Host
Host Name: (Required) Provide the Fully Qualified Domain Name (FQDN) of the server where the AR System server is located. The full host name includes the domain name (bmc.com) of the computer and the individual name of the server (yourServer). Replace the default value (sample.bmc.com) with the host name of your server (for example, yourServer.bmc.com).
Port: (Required) Default: 0. Provide the port number where the AR Server is listening. The value of 0 is used when the AR Server is using port mapping.
Administrative Access
Name: (Required) Provide the user name of an AR Server user store account that has AR System Administrator privileges. Empty or blank passwords for this internal user are not supported with a new user store.
Authentication: Provide the authentication string that is needed when the Administrator account is used to connect with the AR System server.
Password and Confirm Password: Password for the AR System administrative user of the AR Server user store account (for example, admin).
Connection Pool
Linger Time (seconds): (Required) Default: 60. Linger Time is the amount of time (in milliseconds) that a connection is allowed to remain unused in the pool before being closed.
Pool size: (Required) Default: 10. The Pool Size is the maximum number of connections the data store uses to service data requests for the AR System server.
Primary LDAP Server
Name: (Required) Enter the Fully Qualified Domain Name (FQDN) of the host of the primary LDAP server.
Port: If the LDAP server is not listening on the default port (389), specify the port number.
Use SSL: (Optional) Enable to use SSL to connect to the LDAP servers. In addition, before communications can be established, the certificates for the LDAP servers (primary and secondary) must be imported to the BMC Atrium Single Sign-On Tomcat truststore. For more information on importing certificates into the BMC Atrium Single Sign-On truststore, see Importing a certificate into the truststore (see page 243). If the remote LDAP server requires client authentication for SSL, the BMC Atrium Single Sign-On server's certificate might need to be imported into the LDAP server's truststore. Note: If you enabled SSL Access to the LDAP Server, import the certificates and restart the Tomcat server before enabling LDAP authentication. See Managing keystores with a keytool utility (see page 239) for more information.
Secondary LDAP Server
Name: The secondary LDAP server is only used when the primary server is not available. It is not used in parallel or when a user fails to authenticate with the primary server.
Port: If the secondary server is not listening on the default LDAP port, specify the port number.
Use SSL: (Optional) Enable to use SSL to connect with the LDAP servers. The certificate import requirements and the Note given for Use SSL under Primary LDAP Server apply equally to the secondary server.
User Account for Search
Set Recheck Primary Server Interval (minutes): (Optional) The amount of time that the server uses the secondary server before attempting to reconnect with the primary server.
Distinguished Name, Password, Confirm Password: (Required) The DN is the login name that is used to connect to the LDAP server. The user must have privileges to perform searches on the primary and secondary LDAP servers. Enter the DN for the user, the password, and the password confirmation. For example, you can use the Distinguished Name CN=bsmuser,CN=users,DC=bsmdsl,DC=bmc,DC=com and a password of your choice.
Attributes for User Search
Attribute Name: Add attribute names using the Attribute name parameter, or remove an attribute from the attribute list. For example, you can add CN as an attribute name for User Search.
DN to Start Search
Base DN: Add a base DN name or remove the name from the attribute list. The search DNs should be as specific as possible for performance reasons. The depth of the search that is performed can be configured. If an Object search is specified, then the DN should be the DN of the node containing the users. Enter the starting locations within the LDAP directory for performing user searches. For each starting point, enter the login name (DN). The Base DN and the attribute for user profile name are additional search parameters. For example, you can use CN as the attribute for user profile name.
General tab
LDAP Server
Name: (Required) Enter the Fully Qualified Domain Name (FQDN) of the host of the primary LDAP server.
Port: If the LDAP server is not listening on the default port (389), specify the port number.
Use SSL
User Account for Search
Distinguished Name, Password, Confirm Password: (Required) The Distinguished Name (DN) is the login name that is used to connect to the LDAP server. A root user must have privileges to perform searches on the primary and secondary LDAP servers. Enter the DN for the root user, the password, and the password confirmation.
Connection Pool
Minimum Size and Maximum Size: The connection pool attributes adjust the performance of BMC Atrium Single Sign-On and the load on the LDAP server. Before modifying the default values, BMC recommends that you complete performance timings to determine appropriate values.
Attribute Mapping
External Attribute and Atrium SSO Attribute: Attribute Mapping is used to take user attributes (such as email, phone number, etc.) from the external data store and map them to the attributes used within the BMC Atrium Single Sign-On system. A mapping is defined by entering the name of the External Attribute, selecting from the drop-down the Atrium SSO Attribute that the external attribute maps to, and clicking Add to put the new mapping into the table.
Search tab
Search
Base DN: Starting location within the LDAP directory for performing user and group searches. The search DNs should be as specific as possible for performance reasons. The depth of the search that is performed can be configured. If an object search is specified, then the DN should be the DN of the node containing the users.
Search Timeout (seconds): Number of seconds the search is performed before it times out.
Max Search Results
Users
Search Attribute
Search Filter: Specifies the filter for user searches. If the specified default class is not used by user entries in the server, then searches fail.
Users - Status
Status Attribute
Active Value
Inactive Value
Users People Container
Container Attribute: Defines the LDAP attribute used to distinguish the container holding the people.
Attribute Value: Specifies the value for that LDAP attribute. If people are not within a container (relative to the group), then these values should be blank.
Users Attribute Name for Group: Specifies the attribute of the user which identifies the group to which the user belongs. For example, memberOf.
Groups
Search Attribute: Contains the name of the attribute which holds the name of the group. This attribute value is used in searches for user groups.
Search Filter: Be sure to validate that the LDAP Groups Search Filter is correct for the LDAP server. If the class specified is not applicable, update the filter with the correct objectclass name. For example, (objectclass=group).
Groups Groups Container
Container Attribute: Defines the LDAP attribute used to distinguish the container holding the groups.
Attribute Value: Specifies the value for the LDAP Groups Container attribute. If groups are not within a container (relative to the user), then these values should be blank.
Groups Attribute Name for User: The attribute name of a group within the LDAP system that contains the names of the users that belong to the group.
Caching
Max Age (seconds): The maximum time that a cached value will continue to be used before the cached value is updated from the external LDAP server.
Cache Size (bytes): The number of bytes of memory that will be used to hold cached search items from the external LDAP server.
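The following Python, an added example rather than product code, shows how the Search tab values combine into user and group searches, including RFC 4515 escaping of the login name so that it cannot alter the filter; the configuration values, attribute names and directory entries are constructed samples.

```python
"""Added illustration of how the Search tab parameters combine into LDAP
searches. Not BMC Atrium Single Sign-On or OpenAM code; all values below
are constructed samples."""
import re
from typing import Dict, List, Tuple

# Constructed configuration mirroring the Search tab parameters.
CONFIG: Dict[str, Dict[str, str]] = {
    "search": {"base_dn": "DC=bsmdsl,DC=bmc,DC=com"},
    "users": {
        "search_attribute": "sAMAccountName",
        "search_filter": "(objectclass=person)",
        "container_attribute": "ou",            # Users People Container
        "container_value": "People",
        "attribute_name_for_group": "memberOf",
    },
    "groups": {
        "search_attribute": "cn",
        "search_filter": "(objectclass=group)",
        "container_attribute": "ou",            # Groups Groups Container
        "container_value": "Groups",
        "attribute_name_for_user": "member",
    },
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a login name must never change the filter structure."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def container_base(section: Dict[str, str], base_dn: str) -> str:
    """Search base: container RDN in front of the Base DN when configured, else the Base DN alone."""
    if section["container_attribute"] and section["container_value"]:
        return "%s=%s,%s" % (section["container_attribute"], section["container_value"], base_dn)
    return base_dn


def user_search(config: Dict[str, Dict[str, str]], login: str) -> Tuple[str, str]:
    """(base, filter) that locates a user entry by the configured Users Search Attribute."""
    u = config["users"]
    flt = "(&%s(%s=%s))" % (u["search_filter"], u["search_attribute"], escape_filter_value(login))
    return container_base(u, config["search"]["base_dn"]), flt


def group_search(config: Dict[str, Dict[str, str]], user_dn: str) -> Tuple[str, str]:
    """(base, filter) listing the groups that name the user in Groups Attribute Name for User."""
    g = config["groups"]
    flt = "(&%s(%s=%s))" % (g["search_filter"], g["attribute_name_for_user"], escape_filter_value(user_dn))
    return container_base(g, config["search"]["base_dn"]), flt


RDN_SPLIT = re.compile(r"(?<!\\),")   # split a DN on commas that are not escaped


def groups_from_user_entry(config: Dict[str, Dict[str, str]], entry: Dict[str, List[str]]) -> List[str]:
    """Group names read from the user's memberOf-style attribute (the other direction of lookup)."""
    want_attr = config["groups"]["search_attribute"].lower()
    names: List[str] = []
    for dn in entry.get(config["users"]["attribute_name_for_group"], []):
        first_rdn = RDN_SPLIT.split(dn, 1)[0]
        attr, _, val = first_rdn.partition("=")
        if attr.strip().lower() == want_attr:      # keep only DNs whose first RDN is the group name attribute
            names.append(val.strip())
    return names


if __name__ == "__main__":
    print(user_search(CONFIG, "mccormick"))
    print(user_search(CONFIG, "*)(objectclass=*"))   # escaped, so the filter shape is unchanged
    print(group_search(CONFIG, "CN=McCormick,ou=People,DC=bsmdsl,DC=bmc,DC=com"))
```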
Kerberos Editor
Service Principal: The Kerberos principal that is used for authentication. The service principal is used by clients to request a service ticket when authenticating. The service principal name is based on the host name of the server running BMC Atrium Single Sign-On.
Keytab File Name: The Kerberos keytab file that is used for authentication; takes the absolute path to the keytab file. The keytab file contains the
Kerberos Realm
KDC Server: The KDC host name. You must enter the fully qualified domain name (FQDN) of the domain controller.
UserId Format: Use Domain Name with Principal: If this check box is selected, the service allows BMC Atrium Single Sign-On to automatically use the Kerberos principal with the domain controller's domain name during authentication. Forced character case: The Forced character case allows you to select the type of character case you want for your user ID. You can choose any of the three options: No change, UPPERCASE and lowercase. The UserId is displayed in the selected format in the user store.
Return UserId to User Store: If this check box is selected, the user store searches will use the original UserId instead of using the value modified by the UserId Format parameter. For example, when you search the user store, the userid from the authentication could be atsso\abcxyz but the value
SecurID Editor
Specify the full path for the new location of the sdconf.rec file. The configuration path is used to specify the location of the sdconf.rec file used to contact the RSA SecurID server.
Use OCSP: Click Use OCSP in order to use the OCSP responder. BMC recommends that you use OCSP for validation. Note: The clock skew between the BMC Atrium Single Sign-On server and the OCSP server must not be greater than 15 minutes. Otherwise, the certificate authentication fails. See Clock skew too great for CAC authentication (see page 331).
Certificate Field for User Profile: Select one of the options. Options are Subject CN (Common Name attribute of the Subject DN), Subject DN (Distinguished Name), Subject UID (UID attribute of the Subject DN), Email, None, Other.
Forwarded Certificates: When running behind a load balancer or reverse proxy, the verification of ownership of the private key is not possible through the SSL/TLS connection. Because of this verification restriction, the BMC Atrium Single Sign-On server requires that the fronting server be listed as a trusted host from which forwarded certificates can be trusted.
Forwarded Certificate List: This is the list of trusted host names that you add via the Trusted Host Name field. To delete a certificate, select the
Trusted Host Name: Enter the name of a host from which a forwarded certificate can be trusted.
Certificate HTTP Header Name: Enter the name of the HTTP header that the forwarded certificate can be passed under.
Certificate Revocation Lists (CRL)
Use CRL
LDAP Server Where Certificates are Stored: Provide the Host and Port for the LDAP server where the certificates are stored. The host name must end with a colon
LDAP Start Search DN: Enter the DN of the node. The DN of the node starts the search within the LDAP server. To connect with the LDAP server, you must have sufficient privileges to perform the search.
LDAP Server Password, Confirm LDAP Server Password: Provide and confirm the password for connecting with the LDAP server.
Check CA with CRL: When verifying a certificate, the CA certificate used to sign the certificate can also be verified in the CRL.
Use SSL/TLS: If you are using SSL, the LDAP server certificate must be imported into the BMC Atrium Single Sign-On truststore so that SSL can connect with the LDAP server.
Trusted Certificates: Browse on your desktop to upload the trusted certificates file. Once the file is uploaded, it appears in the trusted certificates list. You can also select the file and click Remove to remove the file.
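The following Python is an added example, not code from the product, of the defender-side checks behind these settings: the forwarded certificate header is honoured only from a host in the Forwarded Certificate List, the profile lookup value is taken from the subject according to Certificate Field for User Profile, and the OCSP responder time is checked against the 15-minute limit. The host names, the header name X-Client-Cert and the subject DNs are constructed, and the certificate is modelled by its Subject DN string rather than a parsed X.509 object.

```python
"""Added illustration of the Forwarded Certificates, Certificate Field for
User Profile and OCSP clock-skew rules. Not BMC Atrium Single Sign-On or
OpenAM code; configuration values and subjects are constructed."""
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Union

# Constructed editor settings: the fronting proxies and the header they use.
CERT_CONFIG = {
    "trusted_hosts": {"proxy1.bmc.com", "proxy2.bmc.com"},   # Forwarded Certificate List
    "certificate_header": "X-Client-Cert",                     # Certificate HTTP Header Name (assumed name)
    "user_profile_field": "Subject CN",                        # Certificate Field for User Profile
}
OCSP_MAX_SKEW = timedelta(minutes=15)


def forwarded_certificate(peer_host: str, headers: Dict[str, str], config=CERT_CONFIG) -> Optional[str]:
    """Return the forwarded certificate only when the request came from a trusted fronting host.

    Any client can add an HTTP header, so the header is ignored unless the TCP peer is
    in the Forwarded Certificate List; otherwise the header alone would vouch for a subject.
    """
    if peer_host.lower() not in {h.lower() for h in config["trusted_hosts"]}:
        return None
    lowered = {k.lower(): v for k, v in headers.items()}     # header names are case-insensitive
    return lowered.get(config["certificate_header"].lower())


RDN_SPLIT = re.compile(r"(?<!\\),")   # split a DN on commas that are not escaped


def parse_dn(dn: str) -> Dict[str, str]:
    """First value of each attribute type in a DN such as 'CN=jdoe,OU=Users,DC=bmc,DC=com'."""
    out: Dict[str, str] = {}
    for rdn in RDN_SPLIT.split(dn):
        attr, _, val = rdn.partition("=")
        out.setdefault(attr.strip().upper(), val.strip())
    return out


def profile_lookup_value(subject_dn: str, email: Optional[str], field: str) -> Optional[str]:
    """Value used to find the user's profile, per the Certificate Field for User Profile option."""
    parts = parse_dn(subject_dn)
    return {
        "Subject CN": parts.get("CN"),
        "Subject DN": subject_dn,
        "Subject UID": parts.get("UID"),
        "Email": email,          # taken from the certificate's e-mail entry by the caller
        "None": None,
    }.get(field)


def as_utc(value: Union[str, datetime]) -> datetime:
    """Accept a datetime or an ISO-8601 string such as '2014-01-16T15:56:00+00:00'."""
    if isinstance(value, str):
        value = datetime.fromisoformat(value)
    if value.tzinfo is None:
        value = value.replace(tzinfo=timezone.utc)    # treat naive times as UTC
    return value


def ocsp_clock_ok(local_now: Union[str, datetime], ocsp_produced_at: Union[str, datetime]) -> bool:
    """Assumed model of the check: the responder's timestamp must lie within 15 minutes of local time."""
    return abs(as_utc(local_now) - as_utc(ocsp_produced_at)) <= OCSP_MAX_SKEW


if __name__ == "__main__":
    hdrs = {"X-Client-Cert": "PEM-PLACEHOLDER"}
    print(forwarded_certificate("proxy1.bmc.com", hdrs))          # accepted
    print(forwarded_certificate("unknown-host.example", hdrs))    # None: peer not trusted
    print(profile_lookup_value("CN=jdoe,UID=1001,OU=Users,DC=bmc,DC=com", None, "Subject CN"))
```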
Name
URL: Select URL to acquire the remote IdP metadata from the URL location. Specify the FQDN of the host, including the port and any required path information. This URL is IdP-specific. For information on the metadata URL, consult the IdP documentation. For information about providing IdP metadata from another Atrium Single Sign-On server, see Providing IdP metadata from another Atrium Single Sign-On server (see page 229).
File Upload: Select File Upload to upload a file that contains the remote IdP metadata.
host is the FQDN of the BMC Atrium Single Sign-On server hosting the IdP.
port is the port used for secure communication of the BMC Atrium Single Sign-On server hosting the IdP.
entityid is the name of the IdP hosted by the BMC Atrium Single Sign-On server.
For example:
https://idp.bmc.com:8443/atriumsso/saml2/jsp/exportmetadata.jsp?role=idp&realm=BmcRealm&entityid=https://idp:1844
Name
URL: Select URL to acquire the remote SP metadata from the URL location. Specify the FQDN of the host, including the port and any required path information. This URL is SP-specific. For information on the metadata URL, consult the SP documentation. For information about providing SP metadata from another Atrium Single Sign-On server, see Providing SP metadata from another Atrium Single Sign-On server (see page 229).
File Upload: Select File Upload to upload a file that contains the remote SP metadata.
https://sp.bmc.com:8443/atriumsso/saml2/jsp/exportmetadata.jsp?role=sp&realm=BmcRealm&entityid=https://sp:8443/a
Name: Name for the IdP or accept the provided IdP name. The Name field is pre-populated with a value that reflects the expected IdP name.
Binding: This option determines the way in which SAML messages will be sent and received between the IdP and the SP. HTTP-Redirect and Post are used when a direct connection between the IdP and SP is not possible. The two bindings differ in the method used to exchange the SAMLv2 messages: HTTP Redirect or XHTML Form with Post.
Sign Messages: The alias specifies the certificate that will be used to sign the specified SAML messages. Signing is used to verify that the messages have not been altered in transit and that they originated with the IdP.
Authentication, Logout: These parameters are the SAMLv2 messages that are to be signed by the IdP or are expected to have been signed by the IdP.
Encrypt Elements
Encryption Certificate Alias: The alias specifies the private key that will be used to encrypt the secret key used to encrypt the SAMLv2 messages.
Encryption Algorithm: The encryption algorithm used to encrypt SAMLv2 messages. Select an option, None, 3DES, AES-128, or AES-256, from the drop-down menu.
Name ID
Assertion Time
Not-Before Skew (seconds): In order to compensate for clock drift between remote machines, this value specifies the amount of time that a message will be considered valid when it is received before the issue time in the message.
Assertion Time: Amount of time that an assertion is valid counting from the assertion's issue time.
Attribute Mapping: Attribute Mapping is used to take user attributes (such as email, phone number, etc.) from the external user store and map them to the attributes used within the BMC Atrium Single Sign-On system. A mapping is defined by entering the Name In Assertion, selecting from the drop-down the Local Attribute Name that the attribute maps to, and clicking Add to put the new mapping into the table.
Name: Name for the SP or accept the provided SP name. The Name field is pre-populated with a value that reflects the expected SP name.
MetaAlias: The internally generated identifier for the entity. This value is used in the SAMLv2 login URL specified in the agent's configuration.
Binding: This option determines the way in which SAML messages will be sent and received between the IdP and the SP. HTTP-Redirect and Post are used when a direct connection between the IdP and SP is not possible. The two bindings differ in the method used to exchange the SAMLv2 messages: HTTP Redirect or XHTML Form with Post.
Artifact Encoding: The encoding technique used for Assertion Artifacts. The encoding method is determined by the IdP and is usually related to the binding method. From the drop-down menu, select URI or FORM.
Sign Messages: The alias specifies the certificate that will be used to sign the specified SAML messages. Signing is used to verify that the messages have not been altered in transit and that they originated with the SP.
Authentication, Logout Request, Logout Response, Manager: These parameters are the SAMLv2 messages that are to be signed by the SP or are expected to have been signed by the SP.
Encrypt Elements
Encryption Certificate Alias: The alias specifies the private key that will be used to encrypt the secret key used to encrypt the SAMLv2 messages.
Encryption Algorithm: The encryption algorithm used to encrypt SAMLv2 messages. Select an option, None, 3DES, AES-128, or AES-256, from the drop-down menu.
Assertion, Attribute, Name ID: Specifies whether to encrypt the Assertion, Attribute, and Name ID or leave them in plain text.
Assertion Time
Not-Before Skew (seconds): In order to compensate for clock drift between remote machines, this value specifies the amount of time that a message will be considered valid when it is received before the issue time in the message.
Assertion Time: Amount of time that an assertion is valid counting from the assertion's issue time.
SOAP Basic Authentication: SOAP Basic authentication can be enabled to protect the SOAP SP endpoints. Any provider accessing these endpoints must provide these user name and password values.
Attribute Mapping: Attribute Mapping is used to take user attributes (such as email, phone number, etc.) from the external user store and map them to the attributes used within the BMC Atrium Single Sign-On system. A mapping is defined by entering the name of the SAML Attribute, selecting from the drop-down the Atrium SSO Attribute that the external attribute maps to, and clicking Add to put the new mapping into the table.
Auto Federation: Allows BMC Atrium Single Sign-On to use an attribute of the Assertion from the IdP to automatically create an identity within the BMC Atrium Single Sign-On system. The identity is created by bypassing the initial double-login normally performed when federating a user account with SAMLv2.
Name ID Format: Defines the name identifier formats supported by the service provider. Name identifiers are a way for providers to communicate with each other regarding a user. The Name ID format list is an ordered list; the first Name ID has the highest priority in determining the Name ID format to use. If the user does not specify a Name ID to use when initiating single sign-on, the first one in this list that is supported by the remote Identity Provider is chosen. A persistent identifier is saved to a particular user's data store entry as the value of two attributes. A transient identifier is temporary and no data will be written to the user's persistent data store. Note: For linking user accounts from the SP and IdP (Remote Identity Provider) together after logging in, the persistent nameID format must be at the top of the list.
Authentication Context: This attribute maps the SAMLv2-defined authentication context classes to the authentication level set for the user session for the service provider.
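As an added example (not product code), the following Python derives the acceptance window from Not-Before Skew and Assertion Time and applies it to a constructed SAMLv2 assertion's IssueInstant; the 600-second values are assumed parameters, not the product's defaults, and the assertion carries only the timing-related parts.

```python
"""Added illustration of the Not-Before Skew and Assertion Time parameters
applied to a SAMLv2 assertion. Not BMC Atrium Single Sign-On or OpenAM code;
the assertion and the 600-second values are constructed assumptions."""
from datetime import datetime, timedelta, timezone
from typing import Tuple
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed assertion carrying only the parts the timing check needs.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="%s" ID="_abc123" Version="2.0"
    IssueInstant="2014-01-16T15:56:00Z">
  <saml:Issuer>https://idp.bmc.com:8443/atriumsso</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
</saml:Assertion>""" % SAML_NS


def parse_saml_time(value: str) -> datetime:
    """SAML xs:dateTime values are UTC with a trailing Z, optionally with fractional seconds."""
    if not value.endswith("Z"):
        raise ValueError("SAML timestamps must be UTC (trailing Z): %r" % value)
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in value else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(value[:-1], fmt).replace(tzinfo=timezone.utc)


def issue_instant(assertion_xml: str) -> datetime:
    """IssueInstant of a SAMLv2 Assertion element; any other root element is rejected."""
    root = ET.fromstring(assertion_xml)
    if root.tag != "{%s}Assertion" % SAML_NS:
        raise ValueError("not a SAMLv2 Assertion element")
    return parse_saml_time(root.attrib["IssueInstant"])


def validity_window(issued: datetime, not_before_skew_s: int,
                    assertion_time_s: int) -> Tuple[datetime, datetime]:
    """[earliest, latest] receipt times derived from the two editor parameters."""
    return (issued - timedelta(seconds=not_before_skew_s),
            issued + timedelta(seconds=assertion_time_s))


def assertion_is_timely(assertion_xml: str, received_at: datetime,
                        not_before_skew_s: int = 600, assertion_time_s: int = 600) -> str:
    """'ok', 'too-early' (received before issue time beyond the skew) or 'expired' (past Assertion Time)."""
    earliest, latest = validity_window(issue_instant(assertion_xml), not_before_skew_s, assertion_time_s)
    if received_at < earliest:
        return "too-early"
    if received_at > latest:
        return "expired"
    return "ok"


if __name__ == "__main__":
    for stamp in ("2014-01-16T16:01:00Z", "2014-01-16T15:45:00Z", "2014-01-16T16:07:00Z"):
        print(stamp, assertion_is_timely(SAMPLE_ASSERTION, parse_saml_time(stamp)))
```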
Name: Name for the IdP or accept the provided IdP name. The Name field is pre-populated with a value that reflects the expected IdP name.
Binding: This option determines the way in which SAML messages will be sent and received between the IdP and the SP. HTTP-Redirect and Post are used when a direct connection between the IdP and SP is not possible. The two bindings differ in the method used to exchange the SAMLv2 messages: HTTP Redirect or XHTML Form with Post.
Sign Messages: The alias specifies the certificate that will be used to sign the specified SAML messages. Signing is used to verify that the messages have not been altered in transit and that they originated with the IdP. These parameters are the SAMLv2 messages that are to be signed by the IdP or are expected to have been signed by the IdP.
Encrypt Elements
Encryption Certificate Alias: The alias specifies the private key that will be used to encrypt the secret key used to encrypt the SAMLv2 messages.
Encryption Algorithm: The encryption algorithm used to encrypt SAMLv2 messages. Select an option, None, 3DES, AES-128, or AES-256, from the drop-down menu.
Name ID
Name: Name for the SP or accept the provided SP name. The Name field is pre-populated with a value that reflects the expected SP name.
MetaAlias: The internally generated identifier for the entity. This value is used in the SAMLv2 login URL specified in the agent's configuration.
Binding: This option determines the way in which SAML messages will be sent and received between the IdP and the SP. HTTP-Redirect and Post are used when a direct connection between the IdP and SP is not possible. The two bindings differ in the method used to exchange the SAMLv2 messages: HTTP Redirect or XHTML Form with Post.
Artifact Encoding: The encoding technique used for Assertion Artifacts. The encoding method is determined by the IdP and is usually related to the binding method. From the drop-down menu, select URI or FORM.
Sign Messages: The alias specifies the certificate that will be used to sign the specified SAML messages. Signing is used to verify that the messages have not been altered in transit and that they originated with the SP.
Authentication Request, Logout Request, Logout Response, Manager Name ID, Artifact Resolve, and Post Resolve: These parameters are the SAMLv2 messages that are to be signed by the SP or are expected to have been signed by the SP.
Encrypt Elements
Encryption Certificate Alias: The alias specifies the private key that will be used to encrypt the secret key used to encrypt the SAMLv2 messages.
Encryption Algorithm: The encryption algorithm used to encrypt SAMLv2 messages. Select an option, None, 3DES, AES-128, or AES-256, from the drop-down menu.
Assertion, Attribute, Name ID: Specifies whether to encrypt the Assertion, Attribute, and Name ID or leave them in plain text.
SOAP Basic Authentication: SOAP Basic authentication can be enabled to protect the SOAP SP endpoints. Any provider accessing these endpoints must provide these user name and password values.
Attribute Mapping: Attribute Mapping is used to take user attributes (such as email, phone number, etc.) from the external user store and map them to the attributes used within the BMC Atrium Single Sign-On system. A mapping is defined by entering the name of the SAML Attribute, selecting from the drop-down the Atrium SSO Attribute that the external attribute maps to, and clicking Add to put the new mapping into the table.
Agent Editor
The Agent Editor allows you to modify the configuration of an agent. By modifying the agent configuration, you can correct problems caused by environment difficulties. For example, a remote host may report its FQDN (Fully Qualified Domain Name) incorrectly, using a plain name such as machine instead of machine.bmc.com.
The Agent Editor is launched when you select an agent and click Edit. The Agent Editor has the following options:
Save to save your modifications.
Reset to remove your modifications and stay on the editor.
Help launches a browser that provides you with online help.
Cancel to cancel and return to the launch page.
Parameter: Description
Notification URL: The URL where the agent receives notifications from the server about session logouts. It is composed of the product's base URI with "/atsso" concatenated to the end. For example, https://sample.bmc.com/arsys/atsso
Status: Determines whether the agent is enforcing SSO authentication (active) or not (inactive).
Logging Level
Redirect Limit: The number of times that the agent redirects the browser to the server for authentication before signaling an error; 0 means infinite.
Password and Confirm Password: Password used by the agent to access its configuration in the SSO server.
Cookie Name: The cookie name is the name of the cookie that the agent checks for the SSO session token. It should match the cookie name of the server configuration.
Note: To ensure browser compatibility, the cookie name should contain only alphanumeric and underscore characters.
Login URI and Logout URI: Login and logout URIs are the locations to which the agent sends users' browsers when the specified function is needed. When an agent is federated, the login and logout URLs for the agent must be modified to interact with the IdP.
Login Probe and Logout Probe: The probe validates that the destination is accessible before sending the user to the location. If it is not, the agent tells the user that the SSO system is inaccessible. The probe should be turned off in environments where the URI cannot be contacted from the agent's environment, such as when the URI contains a host that is to be accessed through a reverse proxy.
Enable Cache: Select this option to enable the session cache. Disabling the cache has a severe performance impact.
Fully Qualified Domain Name Mapping: FQDN mapping allows the agent to fix the URL used to access the application so that the browser sends cookies to the application. The SSO session is identified through cookies. When a URL is not using an FQDN host name, the browser does not know the domain of the server and therefore does not send any cookies to the server.
FQDN of Agent Host: The FQDN entered is the FQDN of the host where the agent is located. Enabling FQDN mapping causes the agent to perform the forwarding from the entered host names to the entered FQDN.
Trigger host list and Trigger Host Name: The hosts that trigger the FQDN redirect. The Trigger host list allows you to remove a host from the list. Trigger Host Name allows you to add a host to the Trigger host list.
Not Enforced URI and URI: The Not Enforced URI field allows you to remove URIs from the Not Enforced URI list. The URI field allows you to add a URI to the Not Enforced URI list.
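The following added example (not BMC's agent code) models how these Agent Editor parameters drive the agent's per-request decision: FQDN mapping with the trigger host list, the Not Enforced URI list, the session cookie check, and the Redirect Limit. The call to the SSO server that validates a session is replaced by a constructed set of known session tokens, and all host names, URIs and tokens are constructed sample values.

```python
"""Per-request decision of an agent driven by the Agent Editor parameters.

Added example, not BMC's agent code. The check against the SSO server is
replaced by a lookup in a constructed set of known session tokens.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Set
from urllib.parse import urlsplit, urlunsplit

COOKIE_NAME_RE = re.compile(r"^[A-Za-z0-9_]+$")


def cookie_name_ok(name: str) -> bool:
    """Browser-compatibility rule from the editor: alphanumeric and underscore only."""
    return bool(COOKIE_NAME_RE.match(name))


@dataclass
class AgentConfig:
    cookie_name: str
    login_uri: str
    redirect_limit: int = 0            # 0 means infinite, as in the editor
    fqdn_mapping: bool = False         # Fully Qualified Domain Name Mapping
    agent_fqdn: str = ""               # FQDN of Agent Host
    trigger_hosts: Set[str] = field(default_factory=set)      # Trigger host list
    not_enforced_uris: Set[str] = field(default_factory=set)  # Not Enforced URI list

    def __post_init__(self) -> None:
        if not cookie_name_ok(self.cookie_name):
            raise ValueError(f"cookie name {self.cookie_name!r} is not browser safe")
        if self.fqdn_mapping and not self.agent_fqdn:
            raise ValueError("FQDN mapping enabled without an FQDN of Agent Host")


@dataclass
class Decision:
    action: str          # "allow", "redirect" or "error"
    location: str = ""   # redirect target, when action == "redirect"
    reason: str = ""


def decide(cfg: AgentConfig, url: str, cookies: Dict[str, str],
           redirects_so_far: int, known_sessions: Set[str]) -> Decision:
    parts = urlsplit(url)
    # 1. FQDN mapping: a plain host name keeps the browser from sending the SSO
    #    cookie, so forward the same request to the agent's FQDN first.
    if cfg.fqdn_mapping and parts.hostname in cfg.trigger_hosts:
        netloc = cfg.agent_fqdn if parts.port is None else f"{cfg.agent_fqdn}:{parts.port}"
        target = urlunsplit((parts.scheme, netloc, parts.path, parts.query, ""))
        return Decision("redirect", target, "fqdn-mapping")
    # 2. URIs on the Not Enforced list are served without SSO authentication.
    if parts.path in cfg.not_enforced_uris:
        return Decision("allow", reason="not-enforced")
    # 3. A session token in the configured cookie that the server recognises.
    token = cookies.get(cfg.cookie_name)
    if token and token in known_sessions:
        return Decision("allow", reason="session-valid")
    # 4. No valid session: send the browser to the Login URI, unless the
    #    Redirect Limit has been reached (0 disables the limit).
    if cfg.redirect_limit and redirects_so_far >= cfg.redirect_limit:
        return Decision("error", reason="redirect-limit-exceeded")
    return Decision("redirect", cfg.login_uri, "login-required")


# Constructed configuration for a stand-alone run; the login URI is a sample value.
EXAMPLE_CFG = AgentConfig(
    cookie_name="AtriumSSO_sample",
    login_uri="https://sample.bmc.com/atriumsso/UI/Login",
    redirect_limit=3,
    fqdn_mapping=True,
    agent_fqdn="machine.bmc.com",
    trigger_hosts={"machine"},
    not_enforced_uris={"/arsys/health"},
)

if __name__ == "__main__":
    for url, cookies, n in [
        ("http://machine:8080/arsys/home", {}, 0),
        ("http://machine.bmc.com:8080/arsys/health", {}, 0),
        ("http://machine.bmc.com:8080/arsys/home", {"AtriumSSO_sample": "tok1"}, 0),
        ("http://machine.bmc.com:8080/arsys/home", {}, 3),
    ]:
        print(url, decide(EXAMPLE_CFG, url, cookies, n, {"tok1"}))
```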
When you edit a host, the Server Configuration Editor pops up with the following parameters:
The Server Configuration Editor provides the parameters that must be updated when you install or configure
BMC Atrium Single Sign-On server.
The following topics are provided:
Server Configuration Editor parameters (see page )
HTTP Only and HTTPS Only (see page )
Parameters: Description
Cookies
Cookie Name: The cookie name is automatically created at install time for the BMC Atrium Single Sign-On server. It is generated based upon the FQDN of the BMC Atrium Single Sign-On host.
Cookie Domain: The default cookie domain value is the network domain of the computer you are installing the server on. The default cookie domain specifies the most restrictive access. This value is used to control cookie visibility between servers within the domain. For more information about the default cookie domain, see Default cookie domain.
HTTP Only: Select the HTTP Only check box to mark the BMC Atrium Single Sign-On cookie to prevent non-HTTP APIs, such as JavaScript, from accessing the cookie. For more information about the HTTP Only parameter, see HTTP Only and HTTPS Only (see page 236).
HTTPS Only: Select the HTTPS Only check box to mark the cookie with the Secure option, which ensures that the cookie is transmitted only over HTTPS connections from the browser to the server. For more information about the HTTPS Only parameter, see HTTP Only and HTTPS Only (see page 236).
amAdmin
Password & Confirm Password: The password for accessing the BMC Atrium Single Sign-On server.
External URL
Logging Level: Logging level options are Off, Error, Warning, or Message. Error returns the least amount of information and Message contains the most.
Enable FIPS-140: Be sure to configure FIPS-140 before enabling; see Configuring FIPS-140 mode (see page 251).
Online Certificate Status Protocol: CAC can use OCSP. If CAC is using OCSP, be sure to configure CAC before enabling. If CAC isn't using OCSP, configuration is not required. To enable, provide the Server URL and select Enable OCSP.
Session
Max Session Time: Time after which your session will be logged out even when you are active. The default time is 120 minutes. The time constraints are automatically enforced when this value is selected.
Note: The Max Session Time value should be more than the Idle Timeout value.
Idle Timeout: Time after which your session will be logged out if you are inactive or away. The default time is 30 minutes. The time constraints are automatically enforced when this value is selected.
Cache Time: Time after which the cache will be cleared. Time constraints are automatically enforced. The default time is 3 minutes.
Max Session Count per User: Maximum number of concurrent sessions allowed for a user. The default value is 5. When the session limit is exceeded, select the desired behavior. The two options are Delete Oldest or Block New.
Note
Configuration warnings appear, saying that the HTTP Only and HTTPS Only features are out of
sync for some nodes. You can ignore the warnings and click OK.
BMC Atrium Single Sign-On 8.1
Note
A warning is displayed after the configuration change is saved when the HTTP Only, HTTPS Only, Cookie
Name, or Cookie Domain setting is out of sync with other nodes. The warning message includes a list of
other nodes that do not match the currently saved value.
Parameters: Description
Cookies
Cookie Name: The cookie name is automatically created at install time for the BMC Atrium Single Sign-On server. It is generated based upon the FQDN of the BMC Atrium Single Sign-On host.
Cookie Domain: The default cookie domain value is the network domain of the computer you are installing the server on. The default cookie domain specifies the most restrictive access. This value is used to control cookie visibility between servers within the domain. For more information about the default cookie domain, see Default cookie domain.
HTTP Only: Select the HTTP Only check box to mark the BMC Atrium Single Sign-On cookie to prevent non-HTTP APIs, such as JavaScript, from accessing the cookie. For more information about the HTTP Only parameter, see HTTP Only and HTTPS Only (see page 238).
HTTPS Only: Select the HTTPS Only check box to mark the cookie with the Secure option, which ensures that the cookie is transmitted only over HTTPS connections from the browser to the server. For more information about the HTTPS Only parameter, see HTTP Only and HTTPS Only (see page 238).
amAdmin
Password & Confirm Password: The password for accessing the BMC Atrium Single Sign-On server.
External URL
Logging Level: Logging level options are Off, Error, Warning, or Message. Error returns the least amount of information and Message contains the most.
Enable FIPS-140: Be sure to configure FIPS-140 before enabling; see Configuring FIPS-140 mode (see page 251).
Online Certificate Status Protocol: CAC can use OCSP. If CAC is using OCSP, be sure to configure CAC before enabling. If CAC isn't using OCSP, configuration is not required.
Session
Max Session Time: Time after which your session will be logged out even when you are active. The default time is 120 minutes. The time constraints are automatically enforced when this value is selected.
Idle Timeout: Time after which your session will be logged out if you are inactive or away. The default time is 30 minutes. The time constraints are automatically enforced when this value is selected.
Note: The Max Session Time value should be more than the Idle Timeout value.
Note: When you have integrated BMC Atrium SSO with BMC Remedy AR System, the Idle Timeout value should be 3 minutes more than the BMC Mid Tier idle timeout value.
Cache Time: Time after which the cache will be cleared. Time constraints are automatically enforced. The default time is 3 minutes.
Max Session Count per User: Maximum number of concurrent sessions allowed for a user. The default value is 5. Click Enable to enable Max Session Count per User. When the session limit is exceeded, select the desired behavior. The two options are Delete Oldest or Block New.
Note
Configuration warnings appear, saying that the HTTP Only and HTTPS Only features are out of
sync for some nodes. You can ignore the warnings and click OK.
Note
A warning is displayed after the configuration change is saved when the HTTP Only, HTTPS Only, Cookie
Name, or Cookie Domain setting is out of sync with other nodes. The warning message includes a list of
other nodes that do not match the currently saved value.
users access the server to perform authentication. The warning messages occur because the certificate is not
signed by a CA.
Microsoft Windows:
keytool -genkey -alias tomcat -keyalg RSA -sigalg SHA1withRSA -keystore
%CATALINA_HOME%\conf\keystore.p12 -validity 999 -keysize 1024 -storetype pkcs12 -storepass
keystore_password -keypass keystore_password -providername JsafeJCE
UNIX:
keytool -genkey -alias tomcat -keyalg RSA -sigalg SHA1withRSA -keystore
$CATALINA_HOME/conf/keystore.p12 -validity 999 -keysize 1024 -storetype pkcs12 -storepass
keystore_password -keypass keystore_password -providername JsafeJCE
Note
Based on your requirements, you can use the keysize value as 1024 or 2048.
3. After the keystore has been created, you need to provide six parameters that form a distinguished name
for a certificate associated with the key.
CN - Common Name of the certificate owner (usually FQDN of the host)
OU - Organizational Unit of the certificate owner
O - Organization to which the certificate owner belongs
L - Locality name of the certificate owner
ST - State or province of the certificate owner
C - Country of the certificate owner
4. Update the server.xml file with the new password for the keystore.
C:\apache-tomcat-6.0.20>keytool -genkey -alias tomcat -keyalg RSA -keystore keystore.p12 -validity 999
-keysize 1024 -storetype pkcs12 -storepass keystore_password -keypass keystore_password
Enter keystore password:
What is your first and last name?
[Unknown]: sample.bmc.com
What is the name of your organizational unit?
[Unknown]: BMC Atrium SSO
What is the name of your organization?
[Unknown]: BMC Software, Inc.
What is the name of your City or Locality?
[Unknown]: Austin
What is the name of your State or Province?
[Unknown]: TX
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=sample.bmc.com, OU=BMC Atrium SSO, O="BMC Software, Inc.", L=Austin, ST=TX, C=US correct?
[no]: yes
Note
The keytool utility from Oracle JDK Java 1.5 or 1.6 can also be used.
3. If the keytool utility is available, a help message is generated that shows the keytool options. The following
is the help output relevant to generating the CSR:
Note
On UNIX, the keytool program is called keytool. On Windows, the program is keytool.exe.
On Windows
<installationDirectory>\BMC Software\AtriumSSO\jdk\bin
For example,
PATH=<installationDirectory>\BMC Software\AtriumSSO\jdk\bin;%PATH%
On UNIX
<installationDirectory>/BMC Software/AtriumSSO/jdk/bin
For example,
PATH=<installationDirectory>/BMC Software/AtriumSSO/jdk/bin:$PATH
Note
For High Availability installations, the certificate must be imported on each node.
The following topics provide information and instructions for importing a certificate into the truststore:
To import the certificate in Windows (see page 243)
To import the certificate in UNIX (see page 244)
Example of importing a new certificate to the truststore (see page 244)
Example of a certificate in DER format (see page 245)
BMC Software Confidential
Note
This keytool command is based on a default installation. Other values might be needed if BMC
Atrium Single Sign-On was installed in an external Tomcat container or if the default truststore
has been altered.
Note
This keytool command is based on a default installation. Other values may be needed if BMC
Atrium Single Sign-On was installed in an external Tomcat container or if the default truststore
has been altered.
C:\apache-tomcat-6.0.20\conf>keytool -import -keystore cacerts.p12 -trustcacerts -alias tomcat -keypass truststore_password -storepass truststore_password -file mykey.cer -storetype PKCS12 -providername JsafeJCE
Owner: CN=sample.bmc.com, OU=BMC Atrium SSO, O="BMC Software, Inc.", L=Austin, ST=TX, C=US
Issuer: CN=sample.bmc.com, OU=BMC Atrium SSO, O="BMC Software, Inc.", L=Austin, ST=TX, C=US
Serial number: 266df6fc
Valid from: Sat Jun 15 10:22:28 BST 2013 until: Thu Mar 10 09:22:28 GMT 2016
Certificate fingerprints:
MD5: 43:C3:22:11:F1:5B:AD:66:73:C5:24:74:80:EF:4F:78
SHA1: 72:05:0F:FE:25:50:F7:B8:4D:F5:E8:BA:8F:88:89:2B:96:93:BB:14
SHA256: DA:9B:BA:85:2E:D2:45:74:3F:FB:D7:6A:D4:86:74:E8:B9:FA:9F:01:25:35:61:CA:00:D1:8C:2B:F8:F6:77:A4
Signature algorithm name: SHA256withRSA
Version: 3
Trust this certificate? [no]: yes
Certificate was added to keystore
By default, BMC Atrium Single Sign-On is installed with a self-signed certificate. Although valid, this certificate
causes warning messages when users access the server to perform authentication. The warning messages occur
because the certificate is not signed by a CA.
Note
The new CA certificate does not take effect until the Tomcat server is restarted.
4. Update all integrated application truststores with the new public key.
The following command shows how to generate a new certificate with the same algorithm and key size as the
certificate generated during the installation. This certificate also includes alternative server names (the san
extension) that enable the server to be accessed through a different FQDN, which occurs when the BMC Atrium
Single Sign-On server is running behind a load balancer or reverse proxy server or is accessed locally from the
computer on which the server is executing.
keytool -genkey -alias tomcat -keyalg RSA -sigalg SHA1withRSA -keysize 2048 -keystore "keystore.p12"
-storepass internal4bmc -storetype pkcs12 -providername JsafeJCE -dname "CN=loadbalancer.bmc.com,
OU=AtriumSSO Server, O=BMC, ST=TX, C=US" -ext "san=DNS:node1.bmc.com,DNS:node2.bmc.com"
The identity of the owner contains the FQDN of the BMC Atrium Single Sign-On server as the CN attribute of the
Distinguished Name (DN).
Note
The alternative server names can also be specified by the Certificate Authority (CA) when the server
certificate is signed.
Generating CSRs
To obtain CA signed certificate for BMC Atrium Single Sign-On, you need to generate a CSR.
keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore keystore.p12 -storepass
internal4bmc -storetype PKCS12 -providername JsafeJCE
keytool -certreq -alias tomcat -keyalg RSA -file certreq.csr -keystore keystore.p12 -storepass
internal4bmc -storetype PKCS12 -providername JsafeJCE
Note
For both Windows and UNIX, the supplied default password for the BMC Atrium Single Sign-On Tomcat
server is internal4bmc. You will need to provide another password if the keystore is replaced with a
locally-generated file.
CSR Example
The command generates and saves the CSR in the certreq.csr file. The certreq.csr file is an example and has the
following content:
The toolkit command output must be sent to the CA for a digital signature.
Note
The Common Name (CN) of the certificate cannot be modified because the CN must match the host
name of the server. If the names do not match, the browser issues a warning that the server is trying to
impersonate another site.
Adding a CA certificate
To add another CA certificate, see Importing a certificate into the truststore (see page 243).
Note
Replacing the self-signed certificate on the BMC Atrium Single Sign-On server invalidates the certificates
that are already accepted by users. In addition, you need to install the new certificate into the truststore
of all the integrated BMC applications.
Removing a CA certificate
Before removing a certificate, identify the alias of the certificate by listing the contents of stores.
keytool -delete -alias myAlias -keystore cacerts.p12 -storepass changeit -providername JsafeJCE
For example,
C:\Users\>keytool -export -alias tomcat -keystore keystore.p12 -file mykey.cer -storetype pkcs12
-storepass keystore_password -providername JsafeJCE
Certificate stored in file <mykey.cer>
UNIX
After you create a self-signed certificate, browsers and other programs issue warnings to users about an insecure
certificate each time the user authenticates.
You can prevent the certificate warning by permanently importing the self-signed certificate into the user's
truststore. See Importing a certificate into the truststore (see page 243).
3. After the PATH variable is set, execute the following keytool command to place the contents into a
certs.txt file:
keytool -list -v -keystore cacerts.p12 -storepass changeit -storetype PKCS12
-providername JsafeJCE > certs.txt
4. Check the certs.txt file for the certificate. If the certificate is not in the truststore, import the desired
certificate into the keystore.
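The following added example (not BMC's code) automates step 4: it parses the keytool -list -v output written to certs.txt, using the same Owner, Issuer, Valid from and fingerprint layout that the import example earlier shows, and reports whether a certificate with a given Common Name is present and within its validity period. The certs.txt content embedded here, including its fingerprints, serial numbers and dates, is constructed.

```python
"""Check certs.txt (keytool -list -v output) for a certificate by Common Name.

Added example, not BMC's code. The embedded listing is constructed to mimic
keytool's layout; fingerprints, serial numbers and dates are sample values.
"""
import re
from datetime import datetime
from typing import Dict, List, Optional

# Constructed stand-in for the certs.txt produced by the keytool command above.
SAMPLE_CERTS_TXT = """\
Keystore type: PKCS12
Keystore provider: JsafeJCE

Your keystore contains 2 entries

Alias name: tomcat
Creation date: Jun 15, 2013
Entry type: trustedCertEntry

Owner: CN=sample.bmc.com, OU=BMC Atrium SSO, O="BMC Software, Inc.", L=Austin, ST=TX, C=US
Issuer: CN=sample.bmc.com, OU=BMC Atrium SSO, O="BMC Software, Inc.", L=Austin, ST=TX, C=US
Serial number: 266df6fc
Valid from: Sat Jun 15 10:22:28 BST 2013 until: Thu Mar 10 09:22:28 GMT 2016
Certificate fingerprints:
\t MD5:  01:02:03:04:05:06:07:08:09:0A:0B:0C:0D:0E:0F:10
\t SHA1: 11:12:13:14:15:16:17:18:19:1A:1B:1C:1D:1E:1F:20:21:22:23:24
\t Signature algorithm name: SHA256withRSA
\t Version: 3


*******************************************
*******************************************


Alias name: ldap-primary
Creation date: Jan 06, 2014
Entry type: trustedCertEntry

Owner: CN=ldap1.bmc.com, OU=Directory, O=BMC, L=Austin, ST=TX, C=US
Issuer: CN=Example Corp CA, O=Example Corp, C=US
Serial number: 1a2b3c
Valid from: Mon Jan 06 09:00:00 GMT 2014 until: Fri Jan 05 09:00:00 GMT 2024
Certificate fingerprints:
\t SHA1: 21:22:23:24:25:26:27:28:29:2A:2B:2C:2D:2E:2F:30:31:32:33:34
\t Signature algorithm name: SHA256withRSA
\t Version: 3
"""


def _keytool_date(text: str) -> datetime:
    # keytool prints e.g. "Sat Jun 15 10:22:28 BST 2013"; the zone token is
    # dropped because strptime does not handle zone names portably.
    parts = text.split()
    return datetime.strptime(" ".join(parts[:4] + parts[5:]), "%a %b %d %H:%M:%S %Y")


def parse_keytool_list(text: str) -> List[Dict]:
    """One dict per keystore entry from `keytool -list -v` output."""
    entries: List[Dict] = []
    current: Optional[Dict] = None
    labels = (("entry_type", "Entry type:"), ("owner", "Owner:"), ("issuer", "Issuer:"),
              ("serial", "Serial number:"), ("sig_alg", "Signature algorithm name:"))
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Alias name:"):
            current = {"alias": line.split(":", 1)[1].strip(), "fingerprints": {}}
            entries.append(current)
            continue
        if current is None:
            continue                      # keystore header, before the first entry
        for key, label in labels:
            if line.startswith(label):
                current[key] = line[len(label):].strip()
        m = re.match(r"Valid from: (.+?) until: (.+)$", line)
        if m:
            current["not_before"] = _keytool_date(m.group(1))
            current["not_after"] = _keytool_date(m.group(2))
        m = re.match(r"(MD5|SHA1|SHA256):\s*([0-9A-F:]+)$", line)
        if m:
            current["fingerprints"][m.group(1)] = m.group(2)
    return entries


def cn_of(dn: str) -> Optional[str]:
    """Common Name from a keytool-printed DN (quoted values may contain commas)."""
    m = re.search(r'(?:^|,\s*)CN=("[^"]*"|[^,]+)', dn)
    return m.group(1).strip('"') if m else None


def find_certificate(entries: List[Dict], cn: str, at: datetime) -> Optional[Dict]:
    """Entry whose Owner CN matches and that is valid at `at`; None if absent or expired."""
    for e in entries:
        if cn_of(e.get("owner", "")) == cn and e["not_before"] <= at <= e["not_after"]:
            return e
    return None


def certificate_present(text: str, cn: str, on: str) -> bool:
    """True if the certs.txt content holds a CN-matching certificate valid on YYYY-MM-DD."""
    at = datetime.strptime(on, "%Y-%m-%d")
    return find_certificate(parse_keytool_list(text), cn, at) is not None
```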
Contact Customer Support for access to the RSA CryptoJ FIPS cryptography module. This library file must
be installed into the server's Java Virtual Machine (JVM), replacing the current version which is not
certified.
Obtain unlimited strength Java policy files.
BMC Atrium Single Sign-On uses Oracle JVM 1.7.0_03. The unlimited policy files for this JVM are available
for download from the following URL: http://java.sun.com/javase/downloads/index.jsp.
Normal / FIPS-140
Encryption: (Normal) DES / (FIPS-140) AES-256
Hash: MD5, SHA1, SHA256, SHA512
Network protocol: (Normal) TLS 1.0 / (FIPS-140) TLS 1.0
Network ciphers: (Normal) Any TLS / (FIPS-140) TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521, TLS_DHE_DSS_WITH_AES_256_CBC_SHA
Random: (Normal) SHA1PRNG / (FIPS-140) FIPS186PRNG
Warning
BMC Atrium Single Sign-On and all integrated products must be shut down before installing the
unlimited strength policy files. BMC Atrium Single Sign-On cannot be in use during the conversion to
FIPS-140 mode. If possible, a firewall should be employed to block all remote access to the server.
JVM location
The JVM is located in the following default location:
(Microsoft Windows) C:\Program Files\BMC Software\AtriumSSO\jdk\jre\lib\security
(UNIX) /opt/bmc/AtriumSSO/jdk/jre/lib/security
If BMC Atrium Single Sign-On has been installed in a non-default location, the location of the JVM can be
determined by using the following pattern:
(Windows) <installationDirectory>\AtriumSSO\jdk\jre\lib\security
(UNIX) <installationDirectory>/AtriumSSO/jdk/jre/lib/security
In this case, installationDirectory is the base directory selected during the server installation.
For BMC Atrium Single Sign-On servers using an external Tomcat server, the location of the JVM was determined
by the administrator that configured the Tomcat server. Regardless of the JVM location, the following templates
indicate the correct location:
(Windows) <jdkDirectory>\jre\lib\security
(UNIX) <jdkDirectory>/jre/lib/security
In this case, jdkDirectory is the base directory of the JDK used to run BMC Atrium Single Sign-On.
Note
Contact BMC Software support for instructions on accessing the FIPS-140 version of the library.
1. Make a backup copy of the cryptoj.jar file. You might need to restore BMC Atrium Single Sign-On to normal
encryption mode.
2. Copy the FIPS-140 mode libraries (the cryptojce.jar, cryptojcommon.jar, and jcmFIPS.jar files) onto the file
system of the computer hosting BMC Atrium Single Sign-On.
3. Copy the FIPS-140 mode libraries (the cryptojce.jar, cryptojcommon.jar, and jcmFIPS.jar files) to the server's
JVM library directory.
4. Remove the cryptoj.jar file.
Note
This is an important step to prevent a collision of the two libraries.
In this case, installationDirectory is the base directory selected during the server installation.
For BMC Atrium Single Sign-On servers utilizing an external Tomcat server, the location of the JVM was
determined by the administrator that configured the Tomcat server. Regardless of the JVM location, the following
templates indicate the correct location:
(Windows) <jdkDirectory>\jre\lib\ext
(UNIX) <jdkDirectory>/jre/lib/ext
4. Enable FIPS-140 mode
Warning
After the configuration has been successfully saved, the conversion process starts. This process
cannot be interrupted. Do not stop BMC Atrium Single Sign-On, log on with another
Administrator console, log off the current Administrator console, or initiate any other interactions
with the server.
This process takes approximately 10 to 20 seconds, depending upon the computer hardware. Be sure that
the background task validation process posts a successful conversion message before proceeding to the
next step.
7. Monitor the log files for the completion of the cryptography conversion. For more information on how to
monitor the conversion, see Monitoring FIPS-140 and normal mode conversions (see page 256).
8. After the conversion process completes, stop and start the server.
9. Verify that the server is properly operating in FIPS-140 mode by viewing the BMC Atrium Single Sign-On
log file (for example, atsso.0.log).
Note
All products which were configured with BMC Atrium Single Sign-On prior to conversion to
FIPS-140 mode must be reconfigured to operate in FIPS-140 compliant mode. These integrated
products cannot use BMC Atrium Single Sign-On for authentication until they are synchronized
with BMC Atrium Single Sign-On.
After saving the configuration change, the conversion process alters the encrypted data within the server. Until
the process completes, BMC recommends that you monitor the security page in case the process fails.
Note
Create a backup of the current server in case of a failure (hardware or software). If the server's
configuration becomes corrupted, you can use the backup to restore the original configuration.
While converting from FIPS-140 to normal mode, be sure to monitor the conversion. See Monitoring
FIPS-140 and normal mode conversions (see page 256) .
Warning
Once the configuration has been successfully saved, the conversion process is triggered in the
background. This process cannot be interrupted. Do not stop BMC Atrium Single Sign-On, log on
with another Administrator console, log off the current Administrator console, or initiate any
other interactions with the server.
This process usually takes around 10 to 20 seconds, depending upon the computer hardware.
6. Ensure that a successful conversion message is posted.
Important
Be sure that the background task validation process posts a successful conversion message before
restoring the original encryption files and non-FIPS-140 library.
Note
All integrated products must be reconfigured to operate in normal mode. These integrated
products cannot use BMC Atrium Single Sign-On for authentication until they are synchronized
with BMC Atrium Single Sign-On.
An external LDAP server is used to augment the information available to BMC products. For more information
about the configuration options available with the LDAP user store, see the OpenAM documentation.
Note
The BMC Atrium Single Sign-On server does not need to be re-booted after altering the configuration.
After the alterations are committed, the changes go into effect immediately.
Parameter: Description
LDAP Server Name: (Required) Enter the Fully Qualified Domain Name (FQDN) of the host for the primary LDAP server.
Port: If the LDAP server is not listening on the default port (389), specify the port number.
Use SSL: The certificates for the LDAP servers (primary and secondary) must be imported into the JVM truststore and the BMC Atrium Single Sign-On Tomcat truststore. For more information on importing certificates into the BMC Atrium Single Sign-On truststore, see Importing a certificate into the truststore (see page 243). If client authentication is required, the BMC Atrium Single Sign-On server's certificate might need to be imported into the LDAP server's truststore. Restart the Tomcat server. For more information about CA certificates, see Managing keystores with a keytool utility (see page 239).
User Account for Search (Distinguished Name, Password, Confirm Password): (Required) The Distinguished Name (DN) is the login name that is used to connect to the LDAP server. A root user must have privileges to perform searches on the primary and secondary LDAP servers. Enter the DN for the root user, the password, and the password confirmation.
Connection Pool Minimum Size: The connection pool attributes adjust the performance of BMC Atrium Single Sign-On and the load on the LDAP server. Before modifying the default values, BMC recommends that you complete performance timings to determine appropriate values.
Connection Pool Maximum Size: The connection pool attributes adjust the performance of BMC Atrium Single Sign-On and the load on the LDAP server. Before modifying the default values, BMC recommends that you complete performance timings to determine appropriate values.
Attribute Mapping (External Attribute, Atrium SSO Attribute): Attribute Mapping is used to take user attributes (such as email, phone number, etc.) from the external data store and map them to the attributes used within the BMC Atrium Single Sign-On system. A mapping is defined by entering the name of the External Attribute, selecting from the drop-down the Atrium SSO Attribute that the external attribute maps to, and clicking Add to put the new mapping into the table.
Parameter: Description
Search Base DN: Starting location within the LDAP directory for performing user and group searches. The search DNs should be as specific as possible for performance reasons. The depth of the search that is performed can be configured. If an object search is specified, then the DN should be the DN of the node containing the users.
Search Timeout (seconds)
Max Search Results
Users
Search Attribute
Search Filter: Specifies the filter for user searches. If the specified default class is not used by user entries in the server, then searches fail. For example, (objectclass=person).
Status Attribute
Active Value
Inactive Value
Users - People Container
Container Attribute: Defines the LDAP attribute used to distinguish the container holding the people.
Attribute Value: Specifies the value for that LDAP attribute. If people are not within a container (relative to the group), then these values should be blank.
Attribute Name for Group: Specifies the attribute of the user which identifies the group to which the user belongs. For example, memberOf.
Groups
Search Attribute: Contains the name of the attribute which holds the name of the group. This attribute value is used in searches for user groups.
Search Filter: Be sure to validate that the LDAP Groups Search Filter is correct for the LDAP server. If the class specified is not applicable, update the filter with the correct objectclass name. For example, (objectclass=group).
Groups Container
Container Attribute: Defines the LDAP attribute used to distinguish the container holding the groups.
Attribute Value: Specifies the value for the LDAP Groups Container attribute. If groups are not within a container (relative to the user), then these values should be blank.
Groups Attribute Name for User: The attribute name of a group within the LDAP system that contains the names of the users that belong to the group.
Caching
Max Age (seconds): The maximum time that a cached value will continue to be used before the cached value is updated from the external LDAP server.
Cache Size (bytes): The number of bytes of memory that will be used to hold cached search items from the external LDAP server.
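As an added example (not BMC's user-store code), the following shows how the Search Base DN, the People and Groups Container settings, the Users Search Attribute and Search Filter, and the Groups Search Attribute and Search Filter combine into the actual LDAP searches, with the user-supplied value escaped per RFC 4515 for filters and RFC 4514 for DNs; the DN escaping is the same backslash rule that the Administering section below gives for commas, semicolons and plus signs in user IDs. The base DNs, attribute names and user IDs used are constructed sample values.

```python
"""Composing LDAP user and group searches from the user-store parameters.

Added example, not BMC's user-store code. DNs and attribute names are
constructed sample values.
"""
from dataclasses import dataclass
from typing import Tuple


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping, so a user-supplied value cannot change the filter structure."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping for an attribute value placed inside a DN.

    This is the backslash rule for commas, semicolons and plus signs in user IDs
    (Baldwin,bob becomes Baldwin\\,bob), extended to the other DN specials.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;' or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


@dataclass
class UserStoreConfig:
    search_base_dn: str
    users_search_attribute: str = "uid"
    users_search_filter: str = "(objectclass=person)"
    people_container_attribute: str = ""   # blank when users are not in a container
    people_container_value: str = ""
    groups_search_attribute: str = "cn"
    groups_search_filter: str = "(objectclass=group)"
    groups_container_attribute: str = ""   # blank when groups are not in a container
    groups_container_value: str = ""

    def _container_dn(self, attribute: str, value: str) -> str:
        # Container Attribute/Value prepend one RDN to the Search Base DN.
        if attribute and value:
            return f"{attribute}={escape_dn_value(value)},{self.search_base_dn}"
        return self.search_base_dn

    def user_search(self, user_id: str) -> Tuple[str, str]:
        """(base DN, filter) that locates one user entry by the Users Search Attribute."""
        flt = (f"(&{self.users_search_filter}"
               f"({self.users_search_attribute}={escape_filter_value(user_id)}))")
        return self._container_dn(self.people_container_attribute,
                                  self.people_container_value), flt

    def group_search(self, group_name: str) -> Tuple[str, str]:
        """(base DN, filter) that locates one group entry by the Groups Search Attribute."""
        flt = (f"(&{self.groups_search_filter}"
               f"({self.groups_search_attribute}={escape_filter_value(group_name)}))")
        return self._container_dn(self.groups_container_attribute,
                                  self.groups_container_value), flt

    def user_dn(self, user_id: str) -> str:
        """DN of a user entry, assuming the search attribute is also the RDN attribute."""
        base, _ = self.user_search(user_id)
        return f"{self.users_search_attribute}={escape_dn_value(user_id)},{base}"
```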
11 Administering
The following topics provide information and instructions for administering BMC Atrium Single Sign-On:
Note
If special characters, such as comma ( , ), semicolon ( ; ), or plus sign ( + ), are used in the user ID, the
backslash ( \ ) must precede the special character. For example, Baldwin\,bob.
When creating a new user, each field that is marked with an asterisk is a required field.
Note
When a user account is disabled, the user cannot authenticate, but none of the user attributes, such as
group memberships, are lost. A user loses group memberships only when the user account is deleted.
Important
Be selective when adding users to a group, such as the Predefined groups, so that elevated privileges
are not accidentally assigned to a user. For example, BmcSearchAdmin has privileges to perform
searches and BmcAgents has privileges to read configuration information.
Note
The Sessions panel displays the sessions that are in the memory of the server. Replication across
nodes of the HA cluster occurs when the load balancer selects a different node from the login node
for validating a session, for example, when the AR server validates the SSO session when mid-tier is
accessed. So, a single session may be shown multiple times, which confirms that the session has been
replicated on the additional nodes.
The number of sessions retrieved from the server is displayed in pages. You may not be able to view
all the sessions that are in memory at a single time because of the maximum limit set for the
Sessions table. This limit does not restrict the number of sessions that are supported by the server
but restricts the number of sessions that you can view in the Sessions table. To view a specific
session that is not available because of the maximum limit, you can filter the sessions based on your
requirements.
Important
Care should be exercised to not accidentally terminate the session that is used to access the console or
sessions that are used by BMC agents. These agent sessions use the following naming convention:
<BMCJEEAgent>@<host>:<port> or <uri>@<host>.<port>. Terminating these sessions will, at best, close
the console the administrator is using or, at worst, prevent users from accessing the BMC products that
the agent is protecting.
Note
Care should be exercised when assigning this group as these elevated privileges allow greater access to
BMC Atrium Single Sign-On than is normally provided.
When you delete a group, the group is removed from BMC Atrium Single Sign-On. Users that are members of the
group also have their group membership removed.
Important
Deleting groups that have been installed by other BMC products is not recommended. Doing so might
cause the product to malfunction or block access to the product itself.
Important
Care should be exercised when adding users to a group, such as the Predefined groups, so that elevated
privileges are not accidentally assigned to a user. For example, BmcSearchAdmin has privileges to
perform searches and BmcAgents has privileges to read configuration information.
3. Click Edit.
A pop-up is launched that allows you to configure module attributes.
Note
See the section on configuring that particular type of module, for example, Using LDAP (Active
Directory) for authentication.
-adminPassword
-hostSource
Note
If all products within the JEE server no longer need authentication or you want to permanently block
access from the JEE server, deleting the agent accounts effectively terminates access by the agent. To
do so, both the J2EE agent and the user must be deleted from the root realm.
Parameter: Description
Cookies
Cookie Name: The cookie name is automatically created at install time for the BMC Atrium Single Sign-On server. It is generated based upon the FQDN of the BMC Atrium Single Sign-On host.
Cookie Domain: The default cookie domain value is the network domain of the computer you are installing the server on. The default cookie domain specifies the most restrictive access. This value is used to control cookie visibility between servers within the domain. For more information about the default cookie domain, see Default cookie domain.
HTTP Only: Select the HTTP Only check box to mark the BMC Atrium Single Sign-On cookie so that non-HTTP APIs, such as JavaScript, cannot access the cookie. For more information about the HTTP Only parameter, see HTTP Only and HTTPS Only (see page 277).
HTTPS Only: Select the HTTPS Only check box to mark the cookie with the Secure option, which ensures that the browser transmits the cookie to the server only over HTTPS connections. For more information about the HTTPS Only parameter, see HTTP Only and HTTPS Only (see page 277).
Field / Parameter: Description
amAdmin Password & Confirm Password: The password for accessing the BMC Atrium Single Sign-On server.
External URL
Logging Level: Logging level options are Off, Error, Warning, or Message. Error returns the least amount of information and Message contains the most.
Enable FIPS-140: Be sure to configure FIPS-140 before enabling; see Configuring FIPS-140 mode (see page 251).
Online Certificate Status Protocol: CAC can use OCSP. If CAC is using OCSP, be sure to configure CAC before enabling. If CAC isn't using OCSP, configuration is not required.
Session
Max Session Time: Time after which your session is logged out even when you are active. The default time is 120 minutes. The time constraints are automatically enforced when this value is selected.
Idle Timeout: Time after which your session is logged out if you are inactive or away. The default time is 30 minutes. The time constraints are automatically enforced when this value is selected.
Note: The Max Session Time value should be more than the Idle Timeout value.
Note: When you have integrated BMC Atrium SSO with BMC Remedy AR System, the Idle Timeout value should be 3 minutes more than the BMC Mid Tier idle timeout value.
Cache Time: Time after which the cache is cleared. Time constraints are automatically enforced. The default time is 3 minutes.
Max Session Count per User: Maximum number of concurrent sessions allowed for a user. The default value is 5. Click Enable to enable Max Session Count per User. When the session limit is exceeded, select the desired behavior. The two options are Delete Oldest or Block New.
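A model of these session settings, added here as an example (it is not BMC Atrium Single Sign-On code): it checks the two notes on Max Session Time and Idle Timeout, and it enforces Max Session Count per User with both the Delete Oldest and Block New behaviors. The class and function names, the minute-based clock and the sample values are assumptions made for the example.

```python
"""
Model of the Session settings in the table above: Max Session Time, Idle
Timeout, and Max Session Count per User with the Delete Oldest / Block New
behaviors. Illustrative model written for this page, not BMC Atrium Single
Sign-On code; names and the minute-based clock are assumptions.
"""
from dataclasses import dataclass
import itertools


def check_session_settings(max_session_min, idle_timeout_min, mid_tier_idle_min=None):
    """Return a list of configuration problems (an empty list means consistent).

    Encodes the two notes from the table: Max Session Time must exceed Idle
    Timeout, and with an AR System integration the Idle Timeout should be at
    least 3 minutes more than the Mid Tier idle timeout.
    """
    problems = []
    if max_session_min <= idle_timeout_min:
        problems.append(f"Max Session Time ({max_session_min} min) must be greater "
                        f"than Idle Timeout ({idle_timeout_min} min)")
    if mid_tier_idle_min is not None and idle_timeout_min < mid_tier_idle_min + 3:
        problems.append(f"Idle Timeout ({idle_timeout_min} min) should be at least 3 min "
                        f"more than the Mid Tier idle timeout ({mid_tier_idle_min} min)")
    return problems


@dataclass
class Session:
    sid: int
    user: str
    created: int       # minutes on a constructed clock
    last_active: int


class SessionStore:
    """Per-user session limit with the two overflow behaviors from the table."""

    def __init__(self, max_per_user=5, on_limit="Delete Oldest",
                 max_session_min=120, idle_timeout_min=30):
        if on_limit not in ("Delete Oldest", "Block New"):
            raise ValueError("on_limit must be 'Delete Oldest' or 'Block New'")
        self.max_per_user = max_per_user
        self.on_limit = on_limit
        self.max_session_min = max_session_min
        self.idle_timeout_min = idle_timeout_min
        self._sessions = {}
        self._ids = itertools.count(1)

    def active(self, user):
        """Session ids for a user, oldest first."""
        return [s.sid for s in sorted(self._sessions.values(), key=lambda s: s.created)
                if s.user == user]

    def login(self, user, now):
        """Create a session; returns its id, or None if the login is blocked."""
        current = self.active(user)
        if len(current) >= self.max_per_user:
            if self.on_limit == "Block New":
                return None
            # Delete Oldest: evict the oldest sessions until one slot is free
            for sid in current[: len(current) - self.max_per_user + 1]:
                del self._sessions[sid]
        sid = next(self._ids)
        self._sessions[sid] = Session(sid, user, now, now)
        return sid

    def touch(self, sid, now):
        """Record activity on a session; this resets only the idle clock."""
        if sid in self._sessions:
            self._sessions[sid].last_active = now

    def sweep(self, now):
        """Expire sessions that were idle longer than Idle Timeout, or that are
        older than Max Session Time even if active. Returns the ids removed."""
        expired = [s.sid for s in self._sessions.values()
                   if now - s.last_active > self.idle_timeout_min
                   or now - s.created > self.max_session_min]
        for sid in expired:
            del self._sessions[sid]
        return sorted(expired)
```

The sweep shows why the first note matters: if Max Session Time were lower than Idle Timeout, an active session would be cut off by the absolute limit before the idle rule ever applied.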
Note
Configuration warnings appear, saying that the HTTP Only and HTTPS Only features are out of
sync for some nodes. You can ignore the warnings and click OK.
Note
A warning is displayed after the configuration change is saved when the HTTP Only, HTTPS Only, Cookie
Name, or Cookie Domain setting is out of sync with other nodes. The warning message includes a list of
other nodes that do not match the currently saved value.
shutdown-tomcat.sh
startup-tomcat.sh
12 Troubleshooting
BMC Atrium Single Sign-On (default) supports logging on both the server and agents. Logging is used for auditing
purposes and for general debugging of connection issues. The logging system supports rotation of the agent
audit log files. By default, these log files are not used or rotated because audit logging also occurs on the server. If
rotation is disabled, the file system might be consumed with log files.
Note
The logging system can be modified for each component of BMC Atrium Single Sign-On.
The following topics provide information about various issues that can occur with BMC Atrium Single Sign-On:
After the utility completes, all of the gathered information is stored in the atssoSupport.zip file.
installationDirectory is the location where BMC Atrium Single Sign-On has been installed.
container is the base directory of the JEE container in which the agent has been installed.
Log directory
The log directory contains log files that are useful for auditing purposes. Each component of BMC Atrium Single
Sign-On creates two files within this directory, one for successful entries and the other for error entries. The
following components typically have files in this logging directory:
amAuthentication
amConsole
amPolicy
IDFF
WSFederation
amPolicyDelegation
amSSO
Debug directory
The debug directory contains additional log files that are geared towards problem resolution. The following BMC
Atrium Single Sign-On components typically have files in this logging directory:
Authentication
CoreSystem
Entitlement
IdRepo
Session
rsa_api_debug.log
rsa_api.log
Note
BMC recommends that for normal operation you set Logging Level to either Off or Error.
Error number
Message
BMCSSG0000E
BMCSSO1000E
BMCSSO1001I
BMCSSO1002E
BMCSSO1003I
BMCSSO1004I
No disabled user id specified, and user not already authenticated. Using user id "nobody".
BMCSSO1005E
BMCSSO1006E
BMCSSO1007E
BMCSSO1008E
Required parameter not specified for configuration (%s). Internal Error. Contact BMC Software, Inc.
BMCSSG1009E
BMCSSO1010E
BMCSSO1011E
BMC Atrium SSO security improperly configured. Internal error. Contact BMC Software, Inc.
BMCSSG1012E
BMC Atrium SSO security not integrated with server. Internal error. Contact BMC Software, Inc.
BMCSSO1013E
Failed internal agent configuration. Internal error. Contact BMC Software, Inc.
BMCSSO1014E
Failed internal agent configuration. Internal error. Contact BMC Software, Inc.
BMCSSO1015E
Agent configuration file (%s) already exists. Either delete agent or use replace agent.
BMCSSO1016W
BMCSSO1017E
Agent configuration file (%s) must be located within WEB-INF directory structure.
BMCSSO1018E
BMCSSO1019E
BMCSSO1020E
BMCSSG1021E
Cannot delete agent because configuration file specified does not exist.
BMCSSG1022E
Cannot delete agent because configuration file does not contain BMC Atrium SSO server information.
BMCSSG1023E
BMCSSG1024E
BMCSSG1025E
BMC Atrium SSO agent already registered with BMC Atrium SSO server. Must either replace or delete
this agent.
BMCSSG1026E
File system location of container lib could not be identified. Specify through the property BMC
Atrium SSO.container.lib.dir.
BMCSSG1027E
BMCSSG1028E
The web.xml file specified could not be found. Verify agent file system location supplied.
BMCSSG1029W
BMCSSG1030E
The web.xml file is not configured for FORM login. Please change the configuration to FORM login for
BMC Atrium SSO Agent configuration.
BMCSSG1031E
BMCSSG1032E
BMCSSG1033E
BMCSSG1034E
BMCSSG1035E
Could not access configuration template file (%s). Internal error. Contact BMC Software, Inc.
BMCSSG1036E
Could not find configuration template file. Internal error. Contact BMC Software, Inc.
BMCSSG1037E
Failed to create container control. Internal error. Contact BMC Software, Inc.
BMCSSG1038E
Failed to create container control for unknown type(%s). Internal error. Contact BMC Software, Inc.
BMCSSG1039E
Administrative function (%s) failed. Internal error. Contact BMC Software, Inc.
BMCSSG1040E
Tomcat cookie adjustment failed. Internal error. Contact BMC Software, Inc.
BMCSSG1041E
BMCSSG1042E
Invalid hostname specified for BMC Atrium SSO URL (%s). Must use FQDN.
BMCSSG1043E
BMCSSG1044E
Failed domain lookup of hostname supplied for BMC Atrium SSO URL.
BMCSSG1045E
Failed to find configurator template. Internal Error. Contact BMC Software, Inc.
BMCSSG1046E
Failed to load configurator template. Internal Error. Contact BMC Software, Inc.
BMCSSG1047E
Failed to load configurator template. Internal Error. Contact BMC Software, Inc.
BMCSSG1048E
BMCSSG1049E
BMCSSG1050E
BMCSSG1051E
BMCSSG1052E
BMCSSG1053E
BMCSSG1054E
BMCSSG1055E
BMCSSG1056E
BMCSSG1057I
BMCSSG1058E
Invalid container home specified for BMC Atrium SSO server (%s).
BMCSSG1059E
BMCSSG1060E
BMCSSG1061E
BMCSSG1062E
Failed to connect with BMC Atrium SSO container. Container must be running with BMC Atrium SSO.war
deployed before configuration.
BMCSSG1063E
BMCSSG1064E
BMCSSG1065E
BMCSSG1066E
BMCSSG1067E
BMCSSG1068E
BMCSSG1069E
BMCSSG1070E
Agent password or name is empty/null. Internal error. Contact BMC Software, Inc.
BMCSSG1071E
Administrator password or name is empty/null. Internal error. Contact BMC Software, Inc.
BMCSSG1072E
BMCSSG1073E
BMCSSG1074E
BMCSSG1075E
BMCSSG1076E
Failed to create authentication context (%s). Is the BMC Atrium SSO server running?
BMCSSG1077E
BMCSSG1078E
Default BMC Atrium SSO server not specified with environment variable .
BMCSSG1079E
BMCSSG1080E
BMCSSG1081E
BMCSSG1082E
BMCSSG1083E
BMCSSG1084E
BMCSSG1085E
BMCSSG1086E
BMCSSG1087E
BMCSSG1088E
BMCSSG1089E
BMCSSG1090E
BMCSSG1091E
BMCSSG1092E
BMCSSG1093E
BMCSSG1094E
BMCSSG1095E
BMCSSG1096E
BMCSSG1097E
BMCSSG1098E
BMCSSG1099E
Failed to write to cache (%s). Internal Error. Contact BMC Software, Inc.
BMCSSG1200E
BMCSSG1201E
Default BMC Atrium SSO server URL is not specified correctly (%s).
BMCSSG1202E
Failed to retrieve SSOToken using token id. Is server certificate in truststore? (%s).
BMCSSG1203E
BMCSSG1204E
BMCSSG1205E
BMCSSG1206E
BMCSSG1207E
BMCSSG1208E
BMCSSG1209E
BMCSSG1210E
BMCSSG1211E
BMCSSG1212W
BMCSSG1213E
BMCSSG1214E
BMCSSG1215E
BMCSSG1216E
BMCSSG1217E
Already logged into BMC Atrium SSO server. Logout before trying to login again.
BMCSSG1218E
BMCSSG1219E
BMCSSG1220E
BMCSSG1221E
BMCSSG1222E
BMCSSG1223E
BMCSSG1224E
BMCSSG1225E
Could not resolve hostname for BMC Atrium SSO server (%s).
BMCSSG1226E
BMCSSG1227E
BMCSSG1228E
BMCSSG1229E
BMCSSG1230E
BMCSSG1231E
Trying to use insecure communications protocol HTTP instead of HTTPS. Must use HTTPS for server URL
(%s).
BMCSSG1232E
Could not find configuration utility. Has BMC Atrium SSO war file been deployed?
BMCSSG1233E
BMCSSG1234E
BMCSSG1235E
Specified insecure HTTP protocol for BMC Atrium SSO but configuration is blocking usage.
BMCSSG1236E
BMCSSG1237E
BMCSSG1238E
BMCSSG1239E
Error while loading keystore specified for web agent deployment and configuration.
BMCSSG1240E
Error while loading server certificate specified for web agent deployment and configuration.
BMCSSG1241E
Failed to connect with BMC Atrium SSO server for HTTPS certificate download (%s).
BMCSSG1242E
Failed to retrieve certificate from BMC Atrium SSO server for HTTPS configuration.
BMCSSG1243E
BMCSSG1244E
BMCSSG1245W
Specified insecure HTTP protocol for BMC Atrium SSO server (%s).
BMCSSG1246E
BMCSSG1247E
BMCSSG1248E
BMCSSG1250E
BMCSSG1251E
BMCSSG1252E
BMCSSG1253E
BMCSSG1254E
BMCSSG1255E
BMCSSG1256E
BMCSSG1257E
BMCSSG1258E
BMCSSG1259E
BMCSSG1260E
Failed to read data from file (%s). Keystore has been corrupted.
BMCSSG1261E
If keystore specified, then keystore type and password must also be provided.
BMCSSG1262E
BMCSSG1263E
BMCSSG1264E
BMCSSG1265E
BMCSSG1266E
BMC Atrium SSO URL is not specified through environment or system properties.
BMCSSG1267E
BMCSSG1268E
A realm must be specified when connecting with BMC Atrium SSO (cannot be null).
BMCSSG1269E
A callback handler must be specified when connecting with BMC Atrium SSO (cannot be null).
BMCSSG1270E
BMCSSG1271E
BMCSSG1272E
BMCSSG1273E
BMCSSG1274E
BMCSSG1275E
BMCSSG1276E
BMCSSG1277E
BMCSSG1278E
BMCSSG1279E
BMCSSG1280E
BMCSSG1281E
BMCSSG1282E
BMCSSG1283E
BMCSSG1284E
BMCSSG1285E
BMCSSG1286E
Not connected with Identity REST services. Internal Error. Contact BMC Software, Inc.
BMCSSG1287E
BMCSSG1288E
BMCSSG1289E
BMCSSG1290E
BMCSSG1291E
BMCSSG1292E
BMCSSG1293I
BMCSSG1294E
BMCSSG1295E
Failed to find class (%s) in launching jar. Internal Error. Contact BMC Software, Inc.
BMCSSG1296E
Failed to parse jar file URL (%s). Internal Error. Contact BMC Software, Inc.
BMCSSG1297E
Failed to locate jar entry in jar URL (%s). Internal Error. Contact BMC Software, Inc.
BMCSSG1298E
Failed to get jar URL (%s). Internal Error. Contact BMC Software, Inc.
BMCSSG1299E
Agent zip directory (%s) not found in jar file directory (%s). Internal Error. Contact BMC Software,
Inc.
BMCSSG1300E
BMCSSG1301E
BMCSSG1302E
When truststore option is specified, the password, type and alias must also be specified.
BMCSSG1303E
BMCSSG1304E
BMCSSG1305E
BMCSSG1306E
BMCSSG1307E
BMCSSG1308E
BMCSSG1309E
Failed to load response file from input stream (%s). Internal Error. Contact BMC Software, Inc.
BMCSSG1310E
Failed to open response file source file (%s). Internal Error. Contact BMC Software, Inc.
BMCSSG1311E
Failed to load response file from string (%s). Internal Error. Contact BMC Software, Inc.
BMCSSG1312E
Failed to open response file (%s). Internal Error. Contact BMC Software, Inc.
BMCSSG1313E
Failed to write into response file (%s). Internal Error. Contact BMC Software, Inc.
BMCSSG1314E
Missing value for variable (%s). Internal Error. Contact BMC Software, Inc.
BMCSSG1315E
BMCSSG1316E
BMCSSG1317I
BMCSSG1318I
BMCSSG1319E
BMCSSG1320E
BMCSSG1321E
BMCSSG1322I
BMCSSG1323I
BMCSSG1324E
BMCSSG1325E
BMCSSG1326E
BMCSSG1327E
BMCSSG1328E
Failed to find worker for task. Internal Error. Contact BMC Software, Inc.
BMCSSG1329E
BMCSSG1330E
BMCSSG1331E
BMCSSG1332E
BMCSSG1333E
JEE container cannot be running during installation. Please stop the server and retry agent
installation.
BMCSSG1334E
BMC Atrium SSO server (%s) cannot be contacted. It must be running during agent installation.
BMCSSG1335E
BMCSSG1336E
BMCSSG1337E
BMCSSG1338E
BMCSSG1339E
BMCSSG1340E
BMCSSG1341E
Agent already installed and configured for URL (%s). Use "--force" option to override.
BMCSSG1342E
Unknown agent specified for URL (%s). Use "--force" option to override.
BMCSSG1343E
BMCSSG1344E
BMCSSG1345E
BMCSSG1346E
BMCSSG1347E
BMCSSG1348E
BMCSSG1349E
BMCSSG1350E
BMCSSG1351E
BMCSSG1352E
BMCSSG1353E
BMCSSG1354E
BMCSSG1355E
BMCSSG1356E
BMCSSG1357E
BMCSSG1358E
BMCSSG1359E
BMCSSG1360E
BMCSSG1361E
BMCSSG1362E
BMCSSG1363E
BMCSSG1364E
BMCSSG1365E
BMCSSG1366E
BMCSSG1367E
BMCSSG1368E
BMCSSG1369E
BMCSSG1370E
BMCSSG1371E
BMCSSG1372E
BMCSSG1373E
A certificate is required for login, but none found. Is CAC card inserted?
BMCSSG1374E
BMCSSG1375E
BMCSSG1376E
BMCSSG1377E
BMCSSG1378E
BMCSSG1379E
BMCSSG1380E
BMCSSG1381E
BMCSSG1382E
BMCSSG1383E
BMCSSG1284E
BMCSSG1385E
BMCSSG1386E
BMCSSG1387E
BMCSSG1388E
BMCSSG1389E
BMCSSG1390E
BMCSSG1391E
BMCSSG1392E
BMCSSG1393E
BMCSSG1394E
BMCSSG1395E
BMCSSG1396E
BMCSSG1397E
BMCSSG1398E
BMCSSG1399E
BMCSSG1400E
BMCSSG1401E
BMCSSG1402E
BMCSSG1403E
BMCSSG1404E
BMCSSG1405E
BMCSSG1406E
BMCSSG1407E
BMCSSG1408E
BMCSSG1409E
BMCSSG1410E
BMCSSG1411E
BMCSSG1412E
The URI specified was terminated due to failure to retrieve notifications in a timely manner (%s).
BMCSSG1413E
The URL specified for remote HTTP client failed to parse (%s): %s
BMCSSG1414E
BMCSSG1415E
BMCSSG1416E
BMCSSG1417W
BMCSSG1418E
BMCSSG1419E
BMCSSG1420E
BMCSSG1421E
BMCSSG1422E
BMCSSG1423E
BMCSSG1424E
BMCSSG1425E
BMCSSG1426E
BMCSSG1427E
BMCSSG1428E
Only agents and administrators can register for notifications on non-owner sessions.
BMCSSG1429E
BMCSSG1430E
Failed to get BMC Atrium SSO server URL from notification (%s).
BMCSSG1431E
BMCSSG1432E
BMCSSG1433E
BMCSSG1434E
BMCSSG1435E
BMCSSG1436E
BMCSSG1437E
BMCSSG1438E
BMCSSG1439E
BMCSSG1440E
BMC Atrium SSO server release is too old; it does not support remote notification.
BMCSSG1441E
The URI specified was not registered for notification events (%s).
BMCSSG1442E
BMCSSG1443E
BMCSSG1444E
BMCSSG1445E
BMCSSG1446E
Failed to connect with BMC Atrium SSO internal LDAP server (%s).
BMCSSG1447E
BMCSSG1448E
BMCSSG1449E
BMCSSG1450E
BMCSSG1451E
BMCSSG1452E
BMCSSG1453E
BMCSSG1454I
BMCSSG1455I
BMCSSG1456E
BMCSSG1457E
BMCSSG1458E
BMCSSG1459E
BMCSSG1460E
BMCSSG1461E
Failed to access updated amserver.jar from classpath. Internal error. Contact BMC Software, Inc.
BMCSSG1462E
BMCSSG1463E
BMCSSG1464E
BMCSSG1465E
BMCSSG1466E
BMCSSG1467E
BMCSSG1468E
BMCSSG1469E
BMCSSG1470E
Failed agent confidentiality algorithm (%s). Internal error. Contact BMC Software, Inc.
BMCSSG1471E
Failed agent confidentiality algorithm (%s). Internal error. Contact BMC Software, Inc.
BMCSSG1472E
Failed agent confidentiality algorithm (%s). Internal error. Contact BMC Software, Inc.
BMCSSG1473E
BMCSSG1474E
Unable to access LDAP configuration (%s). Internal error. Contact BMC Software, Inc.
BMCSSG1475E
BMCSSG1476E
BMCSSG1477E
BMCSSG1478E
BMCSSG1479E
BMCSSG1480E
BMCSSG1481E
BMCSSG1482E
BMCSSG1483E
BMCSSG1484E
BMCSSG1485E
BMCSSG1486E
BMCSSG1487E
BMCSSG1488E
BMCSSG1489E
BMCSSG1490E
BMCSSG1491E
BMCSSG1492E
BMCSSG1493E
Agent configuration directory for webapp already exists. If agent not currently deployed, delete
directory and try again (%s).
BMCSSG1494E
BMCSSG1495E
Failed to connect with BMC Atrium SSO server for token attributes (%s).
BMCSSG1496E
Incompatible message type received from BMC Atrium SSO server for token attributes (%s).
BMCSSG1497E
BMCSSG1498E
BMCSSG1499E
BMCSSG1500E
BMCSSG1501E
BMCSSG1502E
BMCSSG1503E
BMCSSG1504E
BMCSSG1505E
BMCSSG1506E
BMC Atrium SSO server is operating in FIPS mode but this agent is not in FIPS mode.
BMCSSG1507E
BMC Atrium SSO server is not operating in FIPS mode but this agent is in FIPS mode.
BMCSSG1508E
BMCSSG1509E
BMCSSG1510E
BMCSSG1511E
BMCSSG1512E
BMCSSG1513E
BMCSSG1514E
BMCSSG1515E
BMCSSG1516E
BMCSSG1517E
BMCSSG1518E
BMCSSG1519E
BMCSSG1520E
BMCSSG1521E
BMCSSG1522E
BMCSSG1523E
BMCSSG1524E
BMCSSG1525E
BMCSSG1526E
Unable to get servlet context path. Use atsso.context.path in servlet init parameter.
BMCSSG1527E
BMCSSG1528E
Failed to find WebSphere script. Internal error. Contact BMC Software, Inc.
BMCSSG1529E
BMCSSG1530E
BMCSSG1531E
Failed to load WebSphere script (%s). Internal error. Contact BMC Software, Inc.
BMCSSG1532E
BMCSSG1533E
BMCSSG1534E
BMCSSG1535E
BMCSSG1536E
BMCSSG1537E
Failed to connect with BMC Atrium SSO server (%s). Is it running? Are the credentials correct?
BMCSSG1538E
BMCSSG1539E
BMCSSG1540E
BMCSSG1541E
BMCSSG1542E
BMCSSG1543E
BMCSSG1544E
BMCSSG1545E
BMCSSG1546E
BMCSSG1547E
BMCSSG1548E
BMCSSG1549E
BMCSSG1550E
Failed to create new agent account (%s) in BMC Atrium SSO server. Delete agent in administrator
console and try again.
BMCSSG1551E
BMCSSG1552E
BMCSSG1553I
BMCSSG1554E
BMCSSG1555E
BMCSSG1556E
BMCSSG1557E
BMCSSG1558E
BMCSSG1559E
BMCSSG1560E
BMCSSG1561E
BMCSSG1562E
BMCSSG1563E
BMC Atrium SSO server is in FIPS mode but RSA library is not FIPS compliant.
BMCSSG1564E
BMCSSG1565E
BMCSSG1566E
BMCSSG1567E
BMCSSG1568E
BMCSSG1569E
Invalid parameter.
BMCSSG1570E
BMCSSG1571E
BMCSSG1572E
BMC Atrium SSO server FIPS configuration is out of sync with server environment.
BMCSSG1573E
BMCSSG1574E
BMCSSG1575E
BMCSSG1576E
BMCSSG1577E
BMCSSG1578E
BMCSSG1579E
BMCSSG1580E
BMCSSG1581E
BMCSSG1582E
BMCSSG1583E
BMCSSG1584E
BMCSSG1585E
BMCSSG1586E
BMCSSG1587E
BMCSSG1588E
BMCSSG1589E
BMCSSG1590E
BMCSSG1591E
BMCSSG1592E
BMCSSG1593E
BMC Atrium SSO server is running in FIPS140 mode, but the SDK is not configured for FIPS140.
BMCSSG1594E
BMC Atrium SSO server is not running in FIPS140 mode, but the SDK is configured for FIPS140.
BMCSSG1595E
BMCSSG1596E
BMCSSG1597E
BMCSSG1598I
BMCSSG1599I
BMCSSG1600E
BMCSSG1601I
BMCSSG1602E
Failed to update bootstrap information to FIPS-140 mode (has FIPS certified jar been installed?): %s
BMCSSG1603E
BMCSSG1604E
BMCSSG1605E
BMCSSG1606E
BMCSSG1607E
BMCSSG1608W
BMCSSG1609E
BMCSSG1610E
BMCSSG1611E
BMCSSG1612E
BMCSSG1613E
BMCSSG1614E
Failed JVM test for FIPS-140 cryptography. Please validate unlimited strength policy files and
cryptojFIPS.jar have been installed into server JVM.
BMCSSG1615E
Failed JVM test for FIPS-140 cryptography with exception (%s). Please validate unlimited strength
policy files and cryptojFIPS.jar have been installed into server JVM.
BMCSSG1616E
BMCSSG1617E
Failed JVM test for FIPS-140 cryptography. Please validate unlimited strength policy files and that
RSA FIPS jars have been installed into server JVM.
BMCSSG1618E
Failed JVM test for FIPS-140 cryptography with exception (%s). Please validate unlimited strength
policy files and RSA FIPS jars have been installed into server JVM.
BMCSSG1619E
Failed JVM test for FIPS-140 cryptography. Please validate unlimited strength policy files and that
RSA FIPS jars have been installed into JVM.
BMCSSG1620E
Failed JVM test for FIPS-140 cryptography with exception (%s). Please validate unlimited strength
policy files and RSA FIPS jars have been installed into JVM.
BMCSSG1621E
Failed to connect with Atrium SSO server (%s). Is server running in FIPS-140 mode?
BMCSSG1622E
BMCSSG1623E
BMCSSG1624I
BMCSSG1625I
BMCSSG1626E
BMCSSG1627E
BMCSSG1628E
BMCSSG1629E
BMCSSG1630E
BMCSSG1631E
BMCSSG1632E
BMCSSG1633E
Failed to extract OpenDS utilities (%s). Internal Error. Contact BMC Software, Inc.
BMCSSG1634E
BMCSSG1635E
Cluster configuration file specified already exists (%s). Delete file or specify a non-existent
name.
BMCSSG1636E
Cluster save-config and read-config cannot be specified during the same configuration.
BMCSSG1637E
BMCSSG1638E
BMCSSG1639E
BMCSSG1640E
Cluster save or read file must be specified when LDAP replication port is specified.
BMCSSG1641E
BMCSSG1642E
Failed to delete internal LDAP configuration template (%s). Internal Error. Contact BMC Software,
Inc.
BMCSSG1643E
Failed to copy internal LDAP configuration template for clustered server. Internal Error. Contact
BMC Software, Inc.
BMCSSG1644E
Failed to create directories for internal LDAP keystore (%s). Internal Error. Contact BMC Software,
Inc.
BMCSSG1645E
Failed to create keystore for internal LDAP keystore (%s). Internal Error. Contact BMC Software,
Inc.
BMCSSG1646E
Failed to create keystore for internal LDAP keystore (%s). Internal Error. Contact BMC Software,
Inc.
BMCSSG1647E
Failed to save keystore for internal LDAP keystore (%s). Internal Error. Contact BMC Software, Inc.
BMCSSG1648E
Failed to save keystore pin for internal LDAP keystore (%s). Internal Error. Contact BMC Software,
Inc.
BMCSSG1649E
Failed to format clustered OpenDS configuration template (%s). Internal Error. Contact BMC Software,
Inc.
BMCSSG1650E
BMCSSG1651E
BMCSSG1652E
BMCSSG1653E
BMCSSG1654E
BMCSSG1655E
BMCSSG1656E
BMCSSG1657E
BMCSSG1658E
BMCSSG1659E
BMCSSG1660E
BMCSSG1661E
BMCSSG1662E
BMCSSG1663E
BMCSSG1664E
BMCSSG1665E
BMCSSG1666E
BMCSSG1667E
BMCSSG1668E
Both lb-url and lb-site-name parameters must be specified, or neither should be specified.
BMCSSG1669E
This host cannot be in the cluster because it is not in the same domain (or sub-domain) of the
cookie domain (%s).
BMCSSG1670E
Failed to update OpenDS java home scripts (%s). Internal Error. Contact BMC Software, Inc.
BMCSSG1671E
Failed to create message handler for message type %s. Internal Error. Contact BMC Software, Inc.
BMCSSG1672E
BMCSSG1673E
BMCSSG1674E
BMCSSG1675E
BMCSSG1676E
BMCSSG1677E
BMCSSG1678E
BMCSSG1679E
BMCSSG1680E
BMCSSG1681E
BMCSSG1682E
BMCSSG1683E
BMCSSG1684E
Message type does not match type in message (%s). Internal Error. Contact BMC Software, Inc.
BMCSSG1685E
BMCSSG1686E
BMCSSG1687E
Failed to use the message queue URIs specified (%s), and failed to use the default VM message queue.
BMCSSG1688E
BMCSSG1689E
BMCSSG1690E
BMCSSG1691E
BMCSSG1692E
BMCSSG1693E
BMCSSG1694E
This Atrium SSO server does not support GROUP identity search (version of server is too old). Please
upgrade the Atrium SSO server.
BMCSSG1695E
BMCSSG1696E
BMCSSG1697I
BMCSSG1698E
BMCSSG1699E
BMCSSG1700E
BMCSSG1701E
BMCSSG1702E
BMCSSG1703E
Invalid cluster URL specified in cluster configuration. Internal Error. Contact BMC Software. (%s)
BMCSSG1704E
BMCSSG1705E
Failed to convert authentication request into XML (%s). Internal Error. Contact BMC Software.
BMCSSG1706E
Failed to convert XML binary into UTF8 charset (%s). Internal Error. Contact BMC Software.
BMCSSG1707E
Failed to convert authentication response into Java (%s). Internal Error. Contact BMC Software.
BMCSSG1708E
BMCSSG1709E
BMCSSG1710E
BMCSSG1711E
BMCSSG1712E
BMCSSG1713E
BMCSSG1714E
BMCSSG1715E
BMCSSG1716E
BMCSSG1717E
BMCSSG1718E
BMCSSG1719E
BMCSSG1720E
BMCSSG1721E
BMCSSG1722E
BMCSSG1723E
BMCSSG1724E
BMCSSG1725E
Both lb-url and lb-site-name parameters must be specified, or neither should be specified.
BMCSSG1726E
Both lb-url and lb-site-name parameters must be specified, or neither should be specified.
BMCSSG1727E
BMCSSG1728E
BMCSSG1729E
BMCSSG1730E
BMCSSG1731E
BMCSSG1732E
BMCSSG1733E
BMCSSG1734E
BMCSSG1735E
BMCSSG1736E
BMCSSG1737E
Failed Agent authentication with Atrium SSO server. May need to re-integrate application with the
Atrium SSO server.
BMCSSG1738E
BMCSSG1739E
BMCSSG1740E
BMCSSG1741E
BMCSSG1742E
BMCSSG1742E
BMCSSG1743E
BMCSSG1744E
BMCSSG1745E
BMCSSG1746E
BMCSSG1747E
BMCSSG1748E
BMCSSG1749E
BMCSSG1750E
BMCSSG1751E
BMCSSG1752E
BMCSSG1753E
BMCSSG1754E
BMCSSG1755E
BMCSSG1756E
BMCSSG1757E
Integration with Atrium SSO is failing. Please contact %s support team for help with resolving this
integration problem (%s).
BMCSSG1758E
BMCSSG1759E
Process inputs not supported in ssoadm. Internal error. Contact BMC Software.
BMCSSG1760E
BMCSSG1761E
BMCSSG1762E
BMCSSG1763E
Export service configuration not supported remotely. Internal error. Contact BMC Software.
BMCSSG1764E
BMCSSG1765E
BMCSSG1766E
Local Atrium SSO certificate does not match remote server certificate. Agent may need to be
re-integrated with the Atrium SSO server.
BMCSSG1767E
Failed to setup temporary truststore (%s). Internal error. Contact BMC Software.
BMCSSG1768E
Failed to configure Atrium SSO server. Internal error. Contact BMC Software.
BMCSSG1769E
BMCSSG1770E
Atrium SSO failed to update the Data Store with the federation account information (%s).
BMCSSG1771E
BMCSSG1772E
Atrium SSO failed to map the attributes received from the IdP (%s).
BMCSSG1773E
Your user account on the Atrium SSO SP has expired (%s). Please contact your administrator for
assistance.
BMCSSG1774E
Your user account on the Atrium SSO SP is inactive (%s). Please contact your administrator for
assistance.
BMCSSG1775E
Your user account on the Atrium SSO SP is locked (%s). Please contact your administrator for
assistance.
BMCSSG1776E
BMCSSG1777E
Atrium SSO failed to find the federated user account specified (%s).
BMCSSG1778E
BMCSSG1779E
Atrium SSO failed to create a new session for federated user (%s).
BMCSSG1780E
BMCSSG1781E
BMCSSG1782E
BMCSSG1783E
BMCSSG1784E
BMCSSG1785E
BMCSSG1786E
BMCSSG1787E
BMCSSG1788E
BMCSSG1789E
Failed to parse ssoadm reply (%s). Internal error. Contact BMC Software.
BMCSSG1790E
BMCSSG1791E
BMCSSG1792E
BMCSSG1793E
BMCSSG1794E
BMCSSG1795E
BMCSSG1796E
Login failed.
BMCSSG1797E
BMCSSG1798E
BMCSSG1799E
Insufficient privileges.
BMCSSG1800E
Failure while processing authentications for realm (%s). Internal Error. Contact BMC Software.
BMCSSG1801E
Failed to get list of user stores for realm access (%s). Internal Error. Contact BMC Software.
BMCSSG1802E
Failed to fetch COT for realm %s. Internal Error. Contact BMC Software.
BMCSSG1803E
Failed to verify if realm is Federated (%s). Internal Error. Contact BMC Software.
BMCSSG1804E
Failed to access realm attributes (%s). Internal Error. Contact BMC Software.
BMCSSG1805E
Failed to get authentication chain for realm (%s). Internal Error. Contact BMC Software.
BMCSSG1806E
Failed to convert authentication control value (%s). Internal Error. Contact BMC Software.
BMCSSG1807E
Failed to get federated information for realm (%s): %s. Internal Error. Contact BMC Software.
BMCSSG1808E
Failed to get federation information (%s). Internal Error. Contact BMC Software.
BMCSSG1809E
Failed to get user store information (%s). Internal Error. Contact BMC Software.
BMCSSG1810E
BMCSSG1811E
BMCSSG1812E
BMCSSG1813E
BMCSSG1814E
BMCSSG1815E
BMCSSG1816E
BMCSSG1817E
BMCSSG1818E
BMCSSG1819E
BMCSSG1820W
BMCSSG1821W
BMCSSG1821E
BMCSSG1822W
BMCSSG1823E
BMCSSG1824E
BMCSSG1825E
BMCSSG1826E
BMCSSG1827W
BMCSSG1828E
BMCSSG1829E
BMCSSG1830E
BMCSSG1831W
BMCSSG1832E
BMCSSG1833E
BMCSSG1834E
BMCSSG1835E
BMCSSG1836E
BMCSSG1837W
BMCSSG1838E
BMCSSG1839E
Cookie name cannot contain semi-colon, comma, white space or control characters.
BMCSSG1840W
It is recommended for best browser compatibility that the cookie name should only contain alphanumeric
characters and the underscore.
BMCSSG1841E
BMCSSG1842E
BMCSSG1843E
BMCSSG1844E
BMCSSG1845E
BMCSSG1846E
BMCSSG1847E
BMCSSG1848E
BMCSSG1849E
BMCSSG1850E
BMCSSG1851E
BMCSSG1852E
BMCSSG1853E
BMCSSG1854E
BMCSSG1855E
BMCSSG1856E
BMCSSG1857I
BMCSSG1858W
BMCSSG1859E
BMCSSG1860E
BMCSSG1861W
BMCSSG1862E
BMCSSG1863E
BMCSSG1864E
BMCSSG1865E
BMCSSG1866W
BMCSSG1867E
BMCSSG1868E
BMCSSG1869E
BMCSSG1870E
BMCSSG1871E
BMCSSG1872E
BMCSSG1873E
BMCSSG1874E
BMCSSG1875E
Failed SSL/TLS negotiations. Verify IdP server certificate is in Atrium SSO truststore.
BMCSSG1876E
BMCSSG1877E
BMCSSG1878W
BMCSSG1879E
BMCSSG1880E
BMCSSG1881E
BMCSSG1882E
BMCSSG1883E
BMCSSG1884E
BMCSSG1885E
BMCSSG1886E
BMCSSG1887E
BMCSSG1888E
BMCSSG1889E
BMCSSG1890E
BMCSSG1891E
BMCSSG1892E
BMCSSG1893E
BMCSSG1894E
BMCSSG1895E
BMCSSG1896E
BMCSSG1897E
BMCSSG1898E
BMCSSG1899E
BMCSSG1900E
BMCSSG1901E
BMCSSG1902E
BMCSSG1903E
BMCSSG1904E
BMCSSG1905E
BMCSSG1906E
BMCSSG1907E
BMCSSG1908E
BMCSSG1909E
BMCSSG1910E
BMCSSG1911E
BMCSSG1912E
BMCSSG1913E
BMCSSG1914E
BMCSSG1915E
BMCSSG1916E
BMCSSG1917E
BMCSSG1918E
BMCSSG1919E
BMCSSG1920E
BMCSSG1921E
BMCSSG1922E
BMCSSG1923E
BMCSSG1924E
BMCSSG1925E
BMCSSG1926W
BMCSSG1927W
BMCSSG1928E
BMCSSG1929E
BMCSSG1930E
BMCSSG1931E
BMCSSG1932E
BMCSSG1933E
BMCSSG1934E
BMCSSG1935E
BMCSSG1936E
BMCSSG1937E
BMCSSG1938I
BMCSSG1939E
BMCSSG1940E
BMCSSG1941E
BMCSSG1942E
BMCSSG1943E
Wild card attribute mapping only valid with * for both key and value.
BMCSSG1944E
BMCSSG1945E
BMCSSG1946E
The server node used for the admin console cannot be deleted (%s).
BMCSSG1947E
BMCSSG1948E
BMCSSG1949E
BMCSSG1950E
BMCSSG1951E
BMCSSG1952E
BMCSSG1953W
Connected to AR with the guest user; admin privileges are needed for user store operations.
BMCSSG1954E
BMCSSG1955E
BMCSSG1956E
BMCSSG1957E
BMCSSG1958E
BMCSSG1959E
BMCSSG1960E
BMCSSG1961E
BMCSSG1962I
BMCSSG1963E
BMCSSG1964E
BMCSSG1965E
BMCSSG1966E
BMCSSG1967E
BMCSSG1968E
BMCSSG1969E
BMCSSG1970E
BMCSSG1971E
BMCSSG1972E
BMCSSG1973E
BMCSSG1974E
BMCSSG1975E
BMCSSG1976E
BMCSSG1977E
BMCSSG1978E
BMCSSG1979E
BMCSSG1980E
BMCSSG1981E
BMCSSG1982E
BMCSSG1983E
BMCSSG1984E
BMCSSG1985E
BMCSSG1986E
BMCSSG1987E
BMCSSG1988E
BMCSSG1989E
BMCSSG1990E
BMCSSG1991E
BMCSSG1992E
BMCSSG1993E
BMCSSG1994E
BMCSSG1995E
BMCSSG1996E
BMCSSG1997E
BMCSSG1998E
BMCSSG1999E
BMCSSG2000E
BMCSSG2001E
BMCSSG2002E
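Several of the messages above state rules for the cookie settings from the Cookies table (Cookie Name, Cookie Domain, HTTP Only, HTTPS Only): BMCSSG1839E and BMCSSG1840W constrain the cookie name, and BMCSSG1669E requires every cluster host to be inside the cookie domain. The following checks, added here as an example rather than taken from BMC code, encode those rules and render the resulting Set-Cookie attributes; the function names, the settings dictionary and the sample host names are constructed for the example.

```python
"""
Cookie setting checks for the Cookies table and messages BMCSSG1839E,
BMCSSG1840W and BMCSSG1669E. Added example for this page, not BMC code;
function names and sample values are constructed.
"""

COOKIE_NAME_SEPARATORS = {";", ","}


def validate_cookie_name(name):
    """Return (errors, warnings) for a cookie name.

    Errors follow BMCSSG1839E (no semicolon, comma, white space or control
    characters); the warning follows BMCSSG1840W (prefer alphanumerics and
    underscore for browser compatibility).
    """
    errors, warnings = [], []
    if not name:
        errors.append("cookie name is empty")
        return errors, warnings
    bad = sorted({c for c in name
                  if c in COOKIE_NAME_SEPARATORS or c.isspace()
                  or ord(c) < 0x20 or ord(c) == 0x7F})
    if bad:
        errors.append(f"cookie name contains forbidden characters: {bad!r}")
    elif not all(c.isalnum() or c == "_" for c in name):
        warnings.append("cookie name should contain only alphanumerics and underscore")
    return errors, warnings


def host_in_cookie_domain(host, cookie_domain):
    """True if host is the cookie domain or one of its sub-domains.

    This is the condition BMCSSG1669E enforces for cluster members: a node
    outside the cookie domain would never be sent the SSO cookie.
    """
    host = host.lower().rstrip(".")
    domain = cookie_domain.lower().strip(".")
    return host == domain or host.endswith("." + domain)


def build_set_cookie(name, value, cookie_domain, http_only=True, https_only=True):
    """Render a Set-Cookie header value with the flags selected in the table."""
    errors, _ = validate_cookie_name(name)
    if errors:
        raise ValueError("; ".join(errors))
    parts = [f"{name}={value}", f"Domain={cookie_domain.strip('.')}", "Path=/"]
    if http_only:
        parts.append("HttpOnly")   # HTTP Only check box: hidden from JavaScript
    if https_only:
        parts.append("Secure")     # HTTPS Only check box: sent only over HTTPS
    return "; ".join(parts)


def audit_cookie_settings(settings, cluster_hosts=()):
    """Report weak or inconsistent settings; an empty list means nothing found.

    settings is a dict with keys name, domain, http_only, https_only (a
    constructed representation of the console fields).
    """
    findings = []
    errors, warnings = validate_cookie_name(settings.get("name", ""))
    findings.extend(errors)
    findings.extend(warnings)
    if not settings.get("http_only", False):
        findings.append("HTTP Only is off: scripts can read the SSO cookie")
    if not settings.get("https_only", False):
        findings.append("HTTPS Only is off: the SSO cookie may be sent over plain HTTP")
    for host in cluster_hosts:
        if not host_in_cookie_domain(host, settings["domain"]):
            findings.append(f"{host} is outside cookie domain {settings['domain']}")
    return findings
```

The domain test deliberately requires a dot boundary, so a host such as evilcorp.example.com is not treated as a member of corp.example.com even though the string ends the same way.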
<ATRIUM_DIR>\tomcat\webapps\atriumsso\WEB-INF\tools\ssoadm\atriumsso\bin\mod.bat list-servers -u amadmin -f D:\pass.txt
Where pass.txt is a file containing the unencrypted password of the BMC Atrium Single Sign-On administrator user (amadmin). Restrict access to this file and delete it when you no longer need it.
2. Edit the SSOSilentInstallOptions.txt file and modify the ATRIUM_HOST_NAME parameter so that it contains only the BMC Atrium Single Sign-On server name.
In the following example, KBP1-DHP-F48200.synapse.com is the correct value.
1. On the BMC Atrium SSO Admin Console, click Edit BMC Realm.
2. Select either Dynamic or Ignored.
[--ar-server-name=ARServerName]
[--ar-server-user=ARServerUser]
[--ar-server-password=ARServerPassword]
[--ar-server-port=ARServerPort]
[--atrium-sso-url=AtriumSSOURL]
[--admin-name=SSOAdminName]
[--admin-pwd=SSOAdminPassword]
[--truststore=truststorepath | Optional parameter]
[--truststore-password=truststorepassword | Optional parameter]
[--force=<Yes or No> Restart AR Server automatically | Optional parameter]
If needed, you can manually run the SSOARIntegration utility on the AR System server.
1. On the computer where the AR System server is installed, navigate to the
<ARSystemServerInstall>\artools\AtriumSSOIntegrationUtility directory.
For example, navigate to C:\Program Files\BMC Software\ARSystem\artools\AtriumSSOIntegrationUtility.
2. Enter the following command:
For example:
Tip
Copy and paste this example into a text editor, and modify the values for your own environment.
Then copy the final version into your command window.
Configures the EA form for BMC Atrium Single Sign-On with the following entries in the ar.cfg file:
Use-Password-File: T
Crossref-Blank-Password: T
External-Authentication-RPC-Socket: 390695
Authentication-Chaining-Mode: 1
Verifies the BMC Atrium Single Sign-On username and password by connecting with the BMC Atrium
Single Sign-On server and returns any errors.
Configures single sign-on with the following entries in the ar.cfg file:
Atrium-SSO-Location: <<AtriumSSOURL>>
Atrium-SSO-Admin-User: SSOAdminName
Atrium-SSO-Admin-Password: SSOAdminPassword
Atrium-SSO-Keystore-Password: truststorepassword
Atrium-SSO-Keystore-Path: truststorepath
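The following script is an added example, not part of the BMC documentation or of the SSOARIntegration utility. It parses the Key: Value lines of an ar.cfg file and reports which of the entries listed above are missing or differ from the documented values, which is a quick way to confirm what the utility wrote before running the health check. The ar.cfg excerpt is constructed, and treating a non-https Atrium-SSO-Location as a finding is this example's own policy rather than a documented check.

```python
"""Check that ar.cfg carries the entries the SSOARIntegration utility writes.

Added example, not part of the BMC documentation or the integration utility.
parse_ar_cfg() reads the 'Key: Value' lines of ar.cfg; check_sso_integration()
compares them with the entries listed above. SAMPLE_AR_CFG is constructed.
"""
import re

# External Authentication entries the utility is documented to set.
EXPECTED_EA = {
    "Use-Password-File": "T",
    "Crossref-Blank-Password": "T",
    "External-Authentication-RPC-Socket": "390695",
    "Authentication-Chaining-Mode": "1",
}
# Single sign-on entries; their values are site-specific, so only presence is checked.
REQUIRED_SSO = (
    "Atrium-SSO-Location",
    "Atrium-SSO-Admin-User",
    "Atrium-SSO-Admin-Password",
    "Atrium-SSO-Keystore-Password",
    "Atrium-SSO-Keystore-Path",
)
_ENTRY = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*)\s*:\s*(.*?)\s*$")


def parse_ar_cfg(text):
    """Return {key: value}. Blank lines and '#' comments are skipped; if a key
    is repeated (ar.cfg allows that for some settings) the last value wins."""
    cfg = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _ENTRY.match(line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg


def check_sso_integration(cfg):
    """Return a sorted list of findings; an empty list means every documented
    entry is present with the documented value."""
    findings = []
    for key, want in EXPECTED_EA.items():
        got = cfg.get(key)
        if got is None:
            findings.append(f"missing {key} (expected {want})")
        elif got != want:
            findings.append(f"{key} is {got!r}, expected {want!r}")
    for key in REQUIRED_SSO:
        if not cfg.get(key):
            findings.append(f"missing {key}")
    # This example's own policy: the SSO server should only be reached over TLS.
    location = cfg.get("Atrium-SSO-Location", "")
    if location and not location.lower().startswith("https://"):
        findings.append("Atrium-SSO-Location is not an https:// URL")
    return sorted(findings)


# Constructed sample: one EA value wrong, two SSO entries missing, plain-http location.
SAMPLE_AR_CFG = """\
# constructed ar.cfg excerpt
Use-Password-File: T
Crossref-Blank-Password: T
External-Authentication-RPC-Socket: 390695
Authentication-Chaining-Mode: 0
Atrium-SSO-Location: http://sso.example.com:8080/atriumsso
Atrium-SSO-Admin-User: amadmin
Atrium-SSO-Keystore-Path: C:\\Program Files\\BMC Software\\ARSystem\\cacerts
"""

if __name__ == "__main__":
    for finding in check_sso_integration(parse_ar_cfg(SAMPLE_AR_CFG)):
        print(finding)
```

Run it against the real file (ARSystemServerInstall\Conf\ar.cfg on Windows) by reading that file instead of SAMPLE_AR_CFG; an empty result means the documented entries are in place, and any remaining problems are on the SSO server side rather than in the AR System configuration.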
[--install-mode=Install or Uninstall]
[--ar-server-name=ARServerName]
[--ar-server-user=ARServerUser]
[--ar-server-password=ARServerPassword]
[--ar-server-port=ARServerPort]
[--container-type=containertype]
[--web-app-url=MidtierURL or LoadBalancerURL]
[--container-base-dir=webserverhomedirectory]
[--jre-path=JREInstallDirectory]
[--midtier-home=MidtierHome]
[--notify-url=MidTierURL]
[--agent-realm=RealmName]
[--force SuppressAllManualInputs]
[--server-instance-name WebSphereinstancename required input for WebSphere server]
[--instance-config-directory WebSphereconfigdirectory required input for WebSphere server]
[--weblogic-domain-home BEAdomainhome required input for WebLogic web application]
Note
If you are using IBM WebSphere, pass the IBM Java path as an input for the --jre-path input
parameter.
[--server-instance-name WebSphereServerInstanceName]
[--instance-config-directory WebSphereServerInstanceConfigurationDirectory]
For example:
[--server-instance-name server1]
[--instance-config-directory
<WAS>/AppServer/profiles/AppSrv01/config/cells/<host>Node01Cell/nodes/<host>Node01/servers/server1]
[--weblogic-domain-home DomainHomeDirectoryForDomainWhereWebAppIsDeployed]
For example:
[ --weblogic-domain-home <BEA_Home>/user_projects/domains/base_domain]
If needed, you can manually run the SSOMidtierIntegration utility on the AR System server.
1. On the computer where the AR System server is installed, navigate to the
<ARSystemServerInstall>\artools\AtriumSSOIntegrationUtility directory.
For example, navigate to C:\Program Files\BMC Software\ARSystem\artools\AtriumSSOIntegrationUtility.
2. Enter the following command:
For example:
Tip
Copy and paste this example into a text editor, and modify the values for your own environment.
Then copy the final version into your command window.
<filter>
<filter-name>Agent</filter-name>
<filter-class>com.bmc.atrium.sso.agents.web.SSOFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>Agent</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
5. arsystem.authenticator=com.remedy.arsys.sso.AtriumSSOAuthenticator
The SSOMidtierIntegration utility performs the following actions on the Mid Tier:
Validates the user inputs and returns any errors.
Checks if you are installing or uninstalling.
Connects to the AR System server and fetches the SSO values. If successful, performs the AR System server and BMC Atrium Single Sign-On integration. Otherwise, returns an "AR-SSO integration is not done" error.
Checks if Mid Tier is running and, if so, shuts it down before running the utility.
Copies files to Mid Tier and performs other modifications to the Mid Tier.
LOGINFAILED Error....
amAuth:05/26/2011 06:28:47:604 PM CDT: Thread[http-8443-4,5,main]
Exception :
com.sun.identity.authentication.spi.AuthLoginException(1):null
com.sun.identity.authentication.spi.AuthLoginException(2):User certificate not found
com.sun.identity.authentication.spi.AuthLoginException: User certificate not found
at com.sun.identity.authentication.modules.cert.Cert.process(Cert.java:415)
at com.sun.identity.authentication.spi.AMLoginModule.wrapProcess(AMLoginModule.java:866)
at com.sun.identity.authentication.spi.AMLoginModule.login(AMLoginModule.java:965)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
.... MORE TRACE DELETED
*** ServerHelloDone
http-8443-1, WRITE: TLSv1 Handshake, length = 1606
http-8443-1, READ: TLSv1 Handshake, length = 109
*** Certificate chain
***
http-8443-1, SEND TLSv1 ALERT: fatal, description = bad_certificate
http-8443-1, WRITE: TLSv1 Alert, length = 2
http-8443-1, called closeSocket()
http-8443-1, handling exception: javax.net.ssl.SSLHandshakeException: null cert chain
SerialNumber: [
4dded5cf]
]
Algorithm: [SHA1withRSA]
Signature:
0000: 65 CC 79 95 9C F3 5A 66   59 B1 3F 53 EC AD F7 CD  e.y...ZfY.?S....
0010: AC 12 A6 3F A2 E8 9B 47   65 D7 F5 23 06 A9 6B 17  ...?...Ge..#..k.
0020: 3A 7C 33 D3 87 4D FD 8D   55 84 FA E5 AB 55 FB 12  :.3..M..U....U..
0030: 31 6E C9 66 AD 02 C5 9F   04 CE 10 66 2C 46 C0 FA  1n.f.......f,F..
0040: 68 2A 3B 9C 4E 50 0B 2D   8F C5 CB 7D BB 76 E0 75  h*;.NP.-.....v.u
0050: 6E 91 6F C3 CD 6E AC 66   6E 92 E3 1E B5 19 06 17  n.o..n.fn.......
0060: B9 6B 96 1E 0A 90 67 05   A0 1A F1 2B 55 35 07 D5  .k....g....+U5..
0070: DF AD 3D 5F 1F DF 09 32   77 F0 39 13 46 94 DD D7  ..=_...2w.9.F...
]
***
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Cert Authorities:
*** ServerHelloDone
To remove a JEE agent from BMC Atrium Single Sign-On (see page 332)
To remove a JEE agent from WebSphere (see page 332)
To remove a JEE agent from Tomcat (see page 332)
To remove a JEE agent from JBoss or WebLogic (see page 333)
When a browser sends an NTLM token instead of a Kerberos token, the failure can be caused by a problem obtaining a service ticket for the BMC Atrium Single Sign-On server. For example, a lookup of the service principal name that fails because the lookup is case-sensitive results in an NTLM token being sent.
When debugging a client failure, enable Kerberos event logging to identify failures, and disable it again after you have diagnosed the failure. For more information about how to enable Kerberos event logging, see http://support.microsoft.com/kb/262177.
The following trace from an exchange between an Internet Explorer browser and the BMC Atrium Single Sign-On server shows a successful negotiation: the server answers 401 with WWW-Authenticate: Negotiate, and the browser repeats the request with a SPNEGO token in the Authorization header.
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR
2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: ibmc-jbhbbk1.adprod.bmc.com:8443
Connection: Keep-Alive
Cookie:
s_pers=%20s_lv%3D1270043963949%7C1364651963949%3B%20s_lv_s%3DFirst%2520Visit%7C1270045763949%3B%20s_nr%3D127004396396
s_vi=[CS]v1|25D9AA60851D2F18-60000104E00EF3FE[CE];
__utma=246752535.599385143.1270043842.1270043842.1270043842.1
HTTP/1.1 401 Unauthorized
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: 0
Cache-Control: private
X-DSAMEVersion: Atrium SSO 7.6.04(2011-June-28 13:47)
AM_CLIENT_TYPE: genericHTML
Set-Cookie:
AMAuthCookie=AQIC5wM2LY4SfcwV3%2FNDDybcVGsdeW%2B%2BRnGC93rfcaw%2FEf8%3D%40AAJTSQACMDIAAlNLAAkxOTE4MzI0NTIAAlMxAAIwMQ%
Domain=.bmc.com; Path=/
Set-Cookie: amlbcookie=01; Domain=.bmc.com; Path=/
WWW-Authenticate: Negotiate
Content-Type: text/html;charset=utf-8
Content-Length: 954
Date: Wed, 29 Jun 2011 00:09:46 GMT
GET /atriumsso/UI/Login?gx_charset=UTF-8&realm=BmcRealm HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-application,
application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, /
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR
2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: ibmc-jbhbbk1.adprod.bmc.com:8443
Connection: Keep-Alive
Authorization: Negotiate YIIE7gYGKwYBBQUCoIIE4jCCBN6gJDAiBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKw
YBBAGCNwICCqKCBLQEggSwYIIErAYJKoZIhvcSAQICAQBuggSbMIIEl6ADAgEFoQMCAQ6iBwMFACAAAACjggO/
YYIDuzCCA7egAwIBBaEQGw5CU01EU0wuQk1DLkNPTaIuMCygAwIBAqElMCMbBEhUVFAbG2libWMtamJoYmJrMS5h
ZHByb2QuYm1jLmNvbaOCA2wwggNooAMCARehAwIBA6KCA1oEggNWF2cjeeJwxrbN85nRgZ6kQQ49s7I54ndjXLJD
jdc62pRQqDDYaMn6KUBR5zPfwuvNRlL4e3n0MXtNLbUMgMGWiDBZlLVLRJg6p3tydxJC9eEiWYFu ...
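The quickest way to tell the Kerberos case above from the NTLM fallback is to decode the Authorization: Negotiate value. The following code is an added example and is not part of the BMC documentation or product: a SPNEGO token is DER (first byte 0x60, which is why the token in the trace begins with YII) and carries the list of mechanisms the browser offers plus the token for the first one, a Kerberos AP-REQ when a service ticket was obtained; a browser that fell back to NTLM sends either a bare NTLMSSP blob or a SPNEGO token whose inner token starts with NTLMSSP. The OIDs are the registered ones; the small encoder at the end exists only to construct sample tokens offline, and those tokens are constructed, not captured.

```python
"""Tell a Kerberos token from an NTLM token in an 'Authorization: Negotiate' header.

Added example, not part of the BMC documentation or product. classify_negotiate()
walks the DER of a SPNEGO NegTokenInit and reports the mechanisms offered and the
mechanism of the token actually sent. The encoder below it only builds sample tokens.
"""
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OID = "1.2.840.113554.1.2.2"
MS_KRB5_OID = "1.2.840.48018.1.2.2"
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"
MECH_NAMES = {KRB5_OID: "kerberos", MS_KRB5_OID: "kerberos", NTLMSSP_OID: "ntlm"}
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"


def read_tlv(buf, pos):
    """One DER TLV at pos -> (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def mech_of_token(token):
    """Mechanism of a mechToken: NTLMSSP blob, or a GSS InitialContextToken by its OID."""
    if token.startswith(NTLMSSP_SIGNATURE):
        return "ntlm"
    tag, vs, _ = read_tlv(token, 0)
    if tag != 0x60:
        return "unknown"
    tag, os_, oe = read_tlv(token, vs)
    return MECH_NAMES.get(decode_oid(token[os_:oe]), "unknown") if tag == 0x06 else "unknown"


def classify_negotiate(header_value):
    """Return (offered_mech_oids, mechanism_actually_sent) for a Negotiate header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("not a Negotiate header")
    b64 = "".join(b64.split())              # tolerate a header wrapped across lines
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    if raw.startswith(NTLMSSP_SIGNATURE):   # NTLM fallback without a SPNEGO wrapper
        return [], "ntlm"
    tag, vs, _ = read_tlv(raw, 0)           # [APPLICATION 0] InitialContextToken
    if tag != 0x60:
        raise ValueError("not a GSS-API token")
    tag, os_, oe = read_tlv(raw, vs)
    if tag != 0x06 or decode_oid(raw[os_:oe]) != SPNEGO_OID:
        return [], mech_of_token(raw)       # raw Kerberos token, no SPNEGO wrapper
    tag, vs, _ = read_tlv(raw, oe)          # NegotiationToken CHOICE: negTokenInit [0]
    if tag != 0xA0:
        raise ValueError("expected NegTokenInit")
    _, pos, end = read_tlv(raw, vs)         # NegTokenInit SEQUENCE
    offered, sent = [], None
    while pos < end:
        tag, fs, fe = read_tlv(raw, pos)
        if tag == 0xA0:                     # mechTypes [0] SEQUENCE OF OID
            _, p, le = read_tlv(raw, fs)
            while p < le:
                _, o_s, o_e = read_tlv(raw, p)
                offered.append(decode_oid(raw[o_s:o_e]))
                p = o_e
        elif tag == 0xA2:                   # mechToken [2] OCTET STRING
            _, ts, te = read_tlv(raw, fs)
            sent = mech_of_token(raw[ts:te])
        pos = fe
    return offered, sent


# Encoder used only to build constructed sample tokens.
def der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + body


def encode_oid(oid):
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return der(0x06, bytes(out))


def build_negotiate_header(mech_oids, mech_token):
    """Constructed NegTokenInit carrying mech_token, in the shape a browser sends."""
    mech_types = der(0xA0, der(0x30, b"".join(encode_oid(o) for o in mech_oids)))
    token = der(0xA2, der(0x04, mech_token))
    init = der(0xA0, der(0x30, mech_types + token))
    return "Negotiate " + base64.b64encode(der(0x60, encode_oid(SPNEGO_OID) + init)).decode()


# Constructed mechTokens: the GSS header of a Kerberos AP-REQ (TOK_ID 01 00 then
# [APPLICATION 14]) and the start of an NTLMSSP NEGOTIATE_MESSAGE (type 1).
FAKE_AP_REQ = der(0x60, encode_oid(KRB5_OID) + b"\x01\x00" + der(0x6E, b"\x30\x00"))
FAKE_NTLM_NEGOTIATE = NTLMSSP_SIGNATURE + (1).to_bytes(4, "little") + b"\x00" * 24
FAKE_BARE_NTLM_HEADER = "Negotiate " + base64.b64encode(FAKE_NTLM_NEGOTIATE).decode()
```

Against the trace above, the offered list decodes to the Kerberos, Microsoft Kerberos and NTLMSSP OIDs in that order and the sent token is Kerberos; a client that could not get a service ticket reports "ntlm" for the sent token even when Kerberos is still in its offered list, which is the symptom described at the start of this section.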
Tip
The problem can be avoided by using Mozilla Firefox or other compatible browsers.
Resolution
By disabling this optimization, the credentials are sent and the user is successfully authenticated.
Note
The above registry key is a single path; it has been wrapped for readability.
Note
The KB article also mentions disabling Kerberos or Integrated Windows Authentication; ignore that part.
2. In the User Stores panel, select the LDAP user store, and click Edit.
3. Select the Search tab.
4. Verify that the Groups Search Filter field value is correct (the class selected is used in LDAP server).
5. Verify that the Groups Container Attribute and Attribute Value information are both correct.
Alternatively, try blank values (no characters).
This error usually indicates that the certificates from the IdP have not been stored into the truststore of the BMC
Atrium Single Sign-On server that is hosting the SP.
ERROR: mapPk2Cert.JKSKeyProvider:
java.io.IOException: Invalid keystore format
ERROR: mapPk2Cert.JKSKeyProvider:
java.lang.NullPointerException
ERROR: mapPk2Cert.JKSKeyProvider:
java.io.IOException: Keystore was tampered with, or password was incorrect
The following messages indicate that the files containing the passwords for the store or the key do not contain the correct values (the values must be encoded before being stored within the files):
libSAML:03/02/2011 12:42:23:418 PM CST: Thread[main,5,main]
ERROR: JKSKeyProvider: keystore file does not exist
libSAML:03/02/2011 12:42:23:418 PM CST: Thread[main,5,main]
ERROR: JKSKeyProvider: keystore password is null
The following message (displayed in the browser) indicates that the keystore file is incorrectly defined or missing:
HTTP Status 400 - Error processing AuthnRequest. Error retrieving meta data.
The server encountered an internal error () that prevented it from fulfilling this request.
This problem is usually caused by the HTTPS certificate or the root CA-signed certificate from the IdP or SP
server. The certificate might not be stored in the BMC Atrium Single Sign-On server's truststore.
javax.servlet.ServletException: AMSetupFilter.doFilter
com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:118)
com.sun.identity.saml2.common.SAML2Exception: java.security.PrivilegedActionException:
com.sun.xml.messaging.saaj.SOAPExceptionImpl: Message send failed
com.sun.identity.saml2.profile.SPACSUtils.getResponseFromArtifact(SPACSUtils.java:382)
com.sun.identity.saml2.profile.SPACSUtils.getResponseFromGet(SPACSUtils.java:247)
com.sun.identity.saml2.profile.SPACSUtils.getResponse(SPACSUtils.java:161)
org.apache.jsp.saml2.jsp.spAssertionConsumer_jsp._jspService(spAssertionConsumer_jsp.java:180)
org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:374)
org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:342)
org.apache.jasper.servlet.JspServlet.service(JspServlet.java:267)
javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:91)
12.13.1 Modifying the load balancer (or reverse proxy) for redirect URLs
If a BMC product is deployed behind a load balancer (or a reverse proxy), then the load balancer (or reverse proxy)
must specify a BMC Atrium Single Sign-On redirect URL for the product agent. This modification is valid for both
High Availability (HA) and non-HA environments.
Specify an HTTP header named AtssoReturnLocation with a value of the following form:
<protocol>://<fqdn.load.balancer>:<port>
The load balancer must set this header itself, replacing any value that arrives from the client, because the product agent uses it to build the redirect URL.
Note
To ensure browser compatibility, the load balancer host name should not contain underscore characters.
12.13.2 Using load balancer (or reverse proxy) host names for redirect URLs
If BMC Atrium Single Sign-On is deployed behind a load balancer (or reverse proxy), the product agent logon and
logoff configuration can be modified to use the load balancer (or reverse proxy) host names instead of the real
FQDN host names. In this case, the client browser is forwarded to the load balancer (or reverse proxy) host name
of the BMC Atrium Single Sign-On server. This modification is valid for both HA and non-HA environments.
Log into the BMC Atrium Single Sign-On Administrator console and edit the product agent's configuration. Use
the following template for the new logon and logoff URLs, respectively:
URL formats
Login
<protocol>://<fqdn.load.balancer>:<port>/atriumsso/UI/Login?realm=<Realm>
Logout
<protocol>://<fqdn.load.balancer>:<port>/atriumsso/UI/Logout?realm=<Realm>
Note
In some cases, BMC Atrium Single Sign-On server restart, browser cache purge, and cookies cleanup do
not help to avoid a multiple redirects error. In that case, reboot the OS.
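The following code is an added example and is not part of the BMC agent or its documentation. It validates an AtssoReturnLocation header value against the documented form and derives the logon and logoff URLs from the accepted base, falling back to the configured server base when the header is absent or malformed. Rejecting anything beyond scheme, host and port (a path, query string, userinfo, an underscore in the host name, or a scheme other than http or https) is this example's own policy, chosen so that a malformed or forged header cannot steer the redirect anywhere else. The host names lb.example.com and sso01.example.com and the header list are assumptions used to exercise the code.

```python
"""Validate a load-balancer AtssoReturnLocation header and derive the agent URLs.

Added example, not part of the BMC agent or its documentation. The accepted
form is the documented <protocol>://<fqdn.load.balancer>:<port>; everything
else rejected below is this example's own policy. Host names are assumptions.
"""
import re
from urllib.parse import urlsplit

HEADER_NAME = "AtssoReturnLocation"
_LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")   # one DNS label, no underscore


def validate_return_location(value):
    """Return the normalised 'scheme://host:port' base, or raise ValueError."""
    parts = urlsplit(value.strip())
    if parts.scheme not in ("http", "https"):
        raise ValueError("scheme must be http or https")
    if parts.path or parts.query or parts.fragment or parts.username or parts.password:
        raise ValueError("only scheme, host and port are allowed")
    host = parts.hostname or ""              # urlsplit lower-cases the host name
    if not host or not all(_LABEL.match(label) for label in host.split(".")):
        raise ValueError("host must be a DNS name without underscores")
    if parts.port is None:                   # parts.port itself raises ValueError if not numeric
        raise ValueError("port must be explicit")
    return f"{parts.scheme}://{host}:{parts.port}"


def is_valid_return_location(value):
    try:
        validate_return_location(value)
        return True
    except ValueError:
        return False


def agent_urls(base, realm):
    """Logon and logoff URLs in the documented template."""
    return {
        "login": f"{base}/atriumsso/UI/Login?realm={realm}",
        "logout": f"{base}/atriumsso/UI/Logout?realm={realm}",
    }


def redirect_base(headers, configured_base):
    """Use the load balancer's AtssoReturnLocation when it is well-formed; otherwise
    keep the configured server base so a bad header cannot redirect elsewhere."""
    for name, value in headers:
        if name.lower() == HEADER_NAME.lower():
            if is_valid_return_location(value):
                return validate_return_location(value)
            return configured_base
    return configured_base


# Constructed request headers as the agent would see them behind a load balancer.
SAMPLE_HEADERS = [
    ("Host", "lb.example.com:8443"),
    ("AtssoReturnLocation", "https://lb.example.com:8443"),
]

if __name__ == "__main__":
    base = redirect_base(SAMPLE_HEADERS, "https://sso01.example.com:8443")
    for kind, url in agent_urls(base, "BmcRealm").items():
        print(f"{kind}: {url}")
```

The same validation can be applied on the load balancer side before the header is injected, which catches an underscore in the host name (the browser compatibility note above) before users see a redirect loop.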
Note
The <hostname>:<port> pair is specified on another node in the <transportConnector /> tag.
Note
Shut down all the nodes in the cluster after configuring point-to-point session sharing.
Do not start all the nodes at the same time. Start each node beginning from the first node only
after the previous node is fully started.
installation or silent installation aborts suddenly, finishes very quickly, or takes a long time to complete, you may be facing low entropy issues. When the entropy level on the computer running the BMC Atrium SSO installer is less than 150, the installation fails with the following error message:
There is potential problem with performance on this computer. The level of entropy is
150 and the random data generation time is 6 milliseconds. You may run the following
command as root user: 'rngd -b -r /dev/urandom -o /dev/random' or prefer to restart the
computer.
Info
You can verify the entropy level on Linux computers with the following command: cat /proc/sys/kernel/random/entropy_avail
Workaround
To restore the entropy level and install BMC Atrium SSO, use either of the following options:
Run the following commands as the root user. This option is preferred because it also maintains the entropy level after installation. If your server has a low entropy level, configure it to run these commands at startup:
yum install rng-tools
echo 'EXTRAOPTIONS="-i -o /dev/random -r /dev/urandom -t 10 -W 2048"' >> /etc/sysconfig/rngd
chkconfig rngd on
service rngd restart
Note that feeding /dev/urandom into /dev/random, as these options and the command in the installer message do, only refills the kernel's entropy estimate from its own pseudo-random generator; it unblocks the installer but adds no true entropy. Where the server has a hardware random number generator, point rngd at that device instead.
Restart your computer. This option is not recommended and increases the entropy level only temporarily. Use it to confirm that entropy is the only reason the installation fails.
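The following script is an added example, not part of the BMC installer or documentation. It performs the same kind of check the installer message describes before you start an installation: it reads the kernel's entropy estimate from /proc and probes the blocking random device with a non-blocking read, which is what a Java SecureRandom seeded from /dev/random waits on. The paths and the 150-bit threshold are parameters; 150 is the level named in the installer message. On Linux 5.6 and later /dev/random no longer blocks once the pool has been initialised, so on those kernels only the /proc estimate is informative.

```python
"""Pre-installation entropy gate modelled on the installer check quoted above.

Added example, not BMC code. entropy_level() reads the kernel estimate,
probe_blocking_rng() asks the blocking device for a few bytes without
waiting, and entropy_verdict() combines the two the way the installer's
message suggests it would.
"""
import errno
import os
import time

ENTROPY_AVAIL = "/proc/sys/kernel/random/entropy_avail"
BLOCKING_RNG = "/dev/random"
MIN_ENTROPY_BITS = 150          # the installer refuses to continue below this


def parse_entropy(text):
    """Integer from the entropy_avail file contents, or None if it is not a number."""
    try:
        return int(text.strip())
    except ValueError:
        return None


def entropy_level(path=ENTROPY_AVAIL):
    """Kernel entropy estimate in bits, or None when the file is missing (not Linux)."""
    try:
        with open(path) as fh:
            return parse_entropy(fh.read())
    except OSError:
        return None


def probe_blocking_rng(path=BLOCKING_RNG, nbytes=32):
    """Non-blocking read of nbytes; returns (bytes_obtained, would_block, seconds).
    EAGAIN from the device means a blocking reader, such as the installer's JVM,
    would be stalled right now."""
    start = time.monotonic()
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NONBLOCK)
    except OSError:
        return 0, False, 0.0
    try:
        data = os.read(fd, nbytes)
        would_block = False
    except OSError as exc:
        data, would_block = b"", exc.errno == errno.EAGAIN
    finally:
        os.close(fd)
    return len(data), would_block, time.monotonic() - start


def entropy_verdict(level, would_block, minimum=MIN_ENTROPY_BITS):
    """'low' when the installer would abort, 'ok' when it would not, 'unknown'
    when neither the /proc estimate nor the device probe says anything."""
    if would_block:
        return "low"
    if level is None:
        return "unknown"
    return "low" if level < minimum else "ok"


def check_host(entropy_path=ENTROPY_AVAIL, rng_path=BLOCKING_RNG):
    level = entropy_level(entropy_path)
    obtained, would_block, seconds = probe_blocking_rng(rng_path)
    return {
        "entropy_bits": level,
        "rng_bytes": obtained,
        "rng_would_block": would_block,
        "rng_seconds": round(seconds, 4),
        "verdict": entropy_verdict(level, would_block),
    }


if __name__ == "__main__":
    for key, value in check_host().items():
        print(f"{key}: {value}")
```

Run it as the user who will run the installer; a "low" verdict before you start is the cue to apply the rngd workaround above rather than to retry the installation.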
To see all open issues, or to see the issues corrected in a specific release, service pack, or patch, sort the table by
the Corrected in column. An issue with no version number listed here remains open.
Version numbers are given in the format MajorRelease.MinorRelease.ServicePack.Patch. For example, 8.2.04.01 is
patch 1 for service pack 4 of minor release 8.2.
Defect ID
Description
Affected
versions
SW00452251
If you try to install BMC Atrium Single Sign-On version 8.1 on a volume where 8dot3 is disabled, the
installation fails.
8.1.00.03
Corrected
in
Workaround:
Enable 8dot3 names on the volume on which BMC Atrium Single Sign-On is installed. To enable 8dot3
naming:
1. Run the following command in a command window with elevated privileges:
fsutil.exe behavior set disable8dot3 0
2. Recreate installation folders in order to force the generation of 8dot3 names.
SW00452338
The BMC Atrium Single Sign-On upgrade fails when the default password is changed in the server.xml and if
the certificate stores are not pointing to the default locations.
SW00443582
When you install BMC Atrium Single Sign-On with amadmin as login and password including special
characters, the authentication fails.
SW00425820
BMC Atrium Single Sign-On installer always shows the Keystore as "tomcat" when installing on an external
Tomcat server. This could be an issue if you have configured an external Tomcat server for BMC Atrium
Single Sign-On installation which has a keystore alias as other than "tomcat".
8.1.00.03
8.1.00.03
8.0.00
8.1.00
Workaround: Manually change the Keystore alias in the BMC Atrium Single Sign-On installer screen to the
alias you set while configuring your Tomcat server.
SW00447285
If you installed Tomcat 7 with the .exe installer, the SSO integration utility cannot stop and restart Tomcat.
Workaround:
Perform one of the following workarounds:
8.1.00
Manually stop Tomcat before you run the utility. You can ignore the exception at the end of execution: Error while starting Tomcat
Manually perform the integration.
SW00448578
The BMC Atrium Single Sign-On 8.1 documentation does not mention that before installing BMC Atrium
Single Sign-On 8.1.00 or later on Red Hat Enterprise Linux 6.x, you must install the following 32-bit RPM
packages:
8.1.00
8.1.00.02
glibc.i686
libXtst.i686
This information is now documented in the "System requirements" section on the Prerequisites for
installation (see page 42) page.
SW00450616
When you upgrade the following versions of BMC Atrium Single Sign-On, user assignments to custom
groups are not retained:
Version 8.1.00 to 8.1.00.01 or later
Versions 8.1.00 or 8.1.00.01 to 8.1.00.02 or later
8.1.00.01
8.1.00.02
8.1.00.03
Workaround: You must reassign users to the appropriate groups after the upgrade.
SW00448219
When you upgrade BMC Atrium Single Sign-On using an upgrade path of BMC Atrium Single Sign-On
version 8.1.00 to version 8.1.00.02 or later, and you have deployed BMC SSO in HA mode on Red Hat
Enterprise Linux Server release 6.2 operating system, the upgrade fails.
8.1.00.02
SW00446188
If you are installing BMC Atrium Single Sign-On on a Japanese or a Chinese locale, the installer fails.
8.1.00.02
SW00443648
While logging in to the BMC Atrium Single Sign-On Administration page, in certain scenarios the OpenAM page is displayed instead.
8.1.00.02
SW00447605
During a fresh installation of BMC Atrium Single Sign-On, a non-critical error message is displayed, which can be ignored.
8.1.00.02
SW00449708
During the fresh install of BMC Atrium Single Sign-On if there is a space in the name of the installation
folder, the installation fails.
8.1.00.02
SW00447623
SW00449894
Version 8.1.00.02 corrected defects related to BMC Atrium Single Sign-On in HA mode. These fixes include
sessions failover, replication of the configuration, and so on.
8.1.00.03
8.1.00.02
SW00449987
SW00450188
SW00450242
SW00450296
SW00450318
SW00451056
SW00451254
SW00451490
SW00455079
The signing and encryption certificates in the SAMLv2 keystore are lost during the upgrade of BMC Atrium
Single Sign-On version 8.0.00 to version 8.1.00.
8.1.00.03
Workaround: You must manually preserve the SAMLv2 keystore before the upgrade and restore it after the
upgrade is done.
To preserve the SAMLv2 keystore manually:
1. Create a backup of the SAMLv2 keystore outside the installation directory before performing the
upgrade.
Note: In BMC Atrium Single Sign-On server version 8.0 the keystore is stored in file named
keystore.jks which is located at <install>/tomcat/webapps/atriumsso/WEB-INF/config/atriumsso
2. After upgrade, rename the keystore.jks to cot.jks.
3. Replace the newly installed cot.jks located in <install>/tomcat directory.
4. Copy the .keypass and .storepass files to the <install>/tomcat directory, if the keystore passwords are
altered from the default value.
5. Restart the BMC Atrium Single Sign-On server.
6. Open the Admin Console and edit the Local Service Provider editor to verify the proper certificate
alias has been created.
SW00455119
The user account federations are lost after you upgrade to BMC Atrium Single Sign-On version 8.1.00.03.
8.1.00.03
Workaround: You must re-federate your account the first time you login to BMC Atrium Single Sign-On
server version 8.1.00.03.
Defect ID
Description
Affected
versions
Corrected
in
SW00440868
When one user logged out, BMC Atrium Single Sign-On logged out all users.
8.1.00.03
SW00451947
When you create a new local Service Provider (SP), only the PasswordProtectedTransport check box is enabled in the Default Authentication Context list on the Local Service Provider (SP) Editor.
8.1.00.03
SW00451946
The User Editor does not show the groups from an external LDAP user store for the user from the same
external LDAP user store.
8.1.00.03
SW00447267
The agent certificate generated for BMC Atrium Single Sign-On is valid for only 2 to 3 months, which causes issues in some environments.
8.1.00.03
SW00450560
The BMC Atrium Single Sign-On agent requires some changes to support the network load balancers.
8.1.00.03
SW00451673
In the case of two or more authentication chains in BMC Atrium Single Sign-On, login is not successful
8.1.00.03
The BMC Atrium Single Sign-On does not provide the ability to select the Default Authentication Context in
8.1.00.03
In the Administrator Console of the BMC Atrium Single Sign-On the Name ID option that allows the
8.1.00.03
selection of name ID formats and the ordering of those selections are missing from the Local Service
Provider (SP) editor window.
SW00452001
The values for member attributes between users and groups in external LDAP are stored incorrectly in BMC
Atrium Single Sign-On server.
SW00447654
Multi-threading issues occur while retrieving certificates from the BMC Atrium Single Sign-On server.
8.1.00
8.1.00.01
SW00448326
Cannot create users and groups with names similar (subset) to existing users and groups.
8.1.00
8.1.00.01
SW00448607
BMC Atrium Single Sign-On users cannot authenticate with BMC Atrium Orchestrator when integrated with
BMC Atrium Single Sign-On.
8.1.00
8.1.00.01
SW00448553
In a BMC Atrium Single Sign-On High Availability (HA) configuration, the replication of configuration
modules does not work correctly.
8.1.00
8.1.00.02
SW00450113
If you added the AR authentication module on the second place in the authentication chain for a realm for
which the user profile was set to Dynamic, users cannot successfully log on to that realm.
8.1.00
8.1.00.02
8.1.00
8.1.00.02
SW00450144
8.1.00.03
8.1.00.02
8.1.00.03
8.1.00
8.1.00.03
In a BMC Atrium Single Sign-On High Availability (HA) configuration, when you restart an HA node and then
add a new module on another HA node that is not restarted, "unknown" authentication modules are
displayed in the authentication chain for the HA node that you restart.
SW00450660
In a BMC Atrium Single Sign-on High Availability (HA) configuration, when you try to log on to an
application that has been integrated with BMC Atrium Single Sign-On, the following error message might
be displayed:
User has no profile in this realm. Contact administrator
Workaround:
If you could previously log on to the application successfully, restarting the BMC Atrium SSO service and
logging on to the application again resolves the issue.
SW00450313
In a BMC Atrium Single Sign-On High Availability (HA) configuration, when you log on to the Admin
Console of two different nodes using the same browser, log out from one of the Admin Consoles, and
refresh the page of the other Admin Console, you are logged on to both the Admin Consoles again without
entering credentials.
8.1.00.01
8.1.00.02
14 Support information
This topic contains information about how to contact Customer Support and the support status for this and other
releases.
15 PDFs
Ready-made PDFs
Snapshot (03-21-2013, 3.90 MB)
16 Tracking tools
Comments dashboard (see page 353)
No Labels report (see page 363)
Technical Bulletin SW00448553 (see page 369)
Enabling multiple realms (see page 372)
Configuring multi-tenancy support
Overview steps to install and configure HA Load-Balancing environment with SSO (see page 378)
Number of pages in space (see page 383)
Installing and managing certificates in BMC Atrium SSO (see page 383)
Installing certificates after integration with other BMC products (see page 383)
Realm Editor
Dixie Pine
Realm Editor
Prachi
Kalyani
Realm Editor
John
Stamps
Realm Editor
User Editor
Ruth Harris
Realm Editor
Group Editor
Ruth Harris
Realm Editor
Ruth Harris
Dixie Pine
Realm Editor
Dixie Pine
Realm Editor
Dixie Pine
Confluence
Admin
Dixie Pine
Ruth Harris
Ruth Harris
Abhay
Chokshi
Home
Parent
Page Title
Last
modified
by
Ruth Harris
Abhay
Chokshi
Abhay
Chokshi
Dixie Pine
Realm Editor
Ruth Harris
Upgrading
Ruth Harris
Realm Editor
Hemant
Baliwala
Ruth Harris
Ruth Harris
Gary
Beason
Ruth Harris
Troubleshooting SAMLv2
Ruth Harris
Prachi
Kalyani
Upgrading
Upgrading HA nodes
Ruth Harris
Realm Editor
Ruth Harris
Realm Editor
Ruth Harris
Clock skew too great for CAC authentication (see page 331)
Dixie Pine
Abhay
Chokshi
Integrating
Abhay
Chokshi
Ruth Harris
Realm Editor
Ruth Harris
Dixie Pine
Ruth Harris
Abhay
Chokshi
Dixie Pine
Home
Parent
Page Title
Last
modified
by
Hemant
Baliwala
Ruth Harris
Troubleshooting SAMLv2
Dixie Pine
Troubleshooting SAMLv2
Ruth Harris
Troubleshooting SAMLv2
Certificate issues
Ruth Harris
Ruth Harris
Hemant
Baliwala
Dixie Pine
Prachi
Kalyani
Ruth Harris
Ruth Harris
Dixie Pine
Ruth Harris
Gary
Beason
Ruth Harris
Abhay
Chokshi
Integrating
Abhay
Chokshi
Preparing BMC Atrium SSO server for integration (see page 212)
Abhay
Chokshi
Abhay
Chokshi
Upgrading from 7.6.04 to 8.1 silent installation issue (see page 317)
Ruth Harris
Abhay
Chokshi
Ruth Harris
Home
Parent
Page Title
Last
modified
by
Legal notices
Ruth Harris
Prachi
Kalyani
Ruth Harris
Manually configuring mid tier for BMC Atrium Single Sign-On user
Abhay
8.0.00
Chokshi
Troubleshooting SAMLv2
Abhay
Chokshi
Prachi
Kalyani
Abhay
Chokshi
Abhay
Chokshi
Abhay
Chokshi
Agent manager
Melanie
Boston
Realm Editor
Prachi
Kalyani
John
Stamps
Ruth Harris
Ruth Harris
Prachi
Kalyani
Prachi
Kalyani
Ruth Harris
Ruth Harris
Realm Editor
Abhay
Chokshi
Abhay
Chokshi
Home
Parent
Page Title
Last
modified
by
Ruth Harris
Dixie Pine
Hemant
Baliwala
Ruth Harris
Integrating
Abhay
Chokshi
Ruth Harris
Ruth Harris
Bruce Cane
Abhay
Chokshi
Abhay
Chokshi
Abhay
Chokshi
Ruth Harris
Abhay
Chokshi
Abhay
Chokshi
Abhay
Chokshi
Abhay
Chokshi
Abhay
Chokshi
Abhay
Chokshi
Abhay
Chokshi
Abhay
Chokshi
Abhay
Chokshi
Home
Parent
Page Title
Last
modified
by
Prachi
Kalyani
Dixie Pine
Realm Editor
Abhay
Chokshi
Abhay
Chokshi
16.3.2 Issue
In a BMC Atrium Single Sign-On High Availability (HA) configuration, replication of configuration modules does
not work correctly.
2. Log on to each BMC Atrium Single Sign-On server in the HA cluster and review the HA Node list in the
BMC Atrium SSO Admin Console.
3. Select as the primary server the BMC Atrium Single Sign-On server whose HA Node list shows all of the nodes.
If more than one server lists all of the nodes, select any one of them as the primary server.
4. Stop all of the BMC Atrium Single Sign-On servers in the HA cluster except the primary server that you
selected.
5. Back up the primary server by using the backup.bat script.
6. Restore the primary server's backup by using the restore.bat script. Run this script on every BMC Atrium
Single Sign-On server in the HA cluster.
7. Repeat steps 4 - 6 whenever you change the configuration on the primary server.
The following three scripts are used for this workaround:
dereplicate.bat Disables replication on all servers in the HA cluster.
backup.bat Backs up the primary server.
restore.bat Restores the primary server's backup.
backup.bat carries the cn=directory manager bind password in clear text and connects with -X (trust any
server certificate), and the backup it writes is the userRoot user store. Keep the script file and the shared
BACKUP_DIR readable only by the administrators of the HA nodes.
backup.bat script
@rem Location of the OpenDS instance embedded in BMC Atrium Single Sign-On
set ATRIUM_SSO_DIR=D:\APPS\BMC Software\AtriumSSO
set OPENDS_DIR=%ATRIUM_SSO_DIR%\tomcat\webapps\atriumsso\WEB-INF\config\opends
set DESTINATION_EXEC_DIR=%OPENDS_DIR%\bat
@rem
@rem ******************************************************************************************
@rem Set BACKUP_DIR to a drive that all members of the HA environment can reach
@rem ******************************************************************************************
@rem
set BACKUP_DIR=<LOCAL_DRIVE>\atsso_opends_clone
set SOURCE_HOST=kbp1-dhp-f48202.synapse.com
set SOURCE_ADMIN_PORT=40444
@rem Bind password of cn=directory manager (admin123 is the example value; replace it).
@rem It is passed on the command line, so restrict who can read this script.
set PASSWORD=admin123
@rem Start from an empty backup directory
rd "%BACKUP_DIR%" /S /Q
@rem Back up the userRoot backend over the admin port. --hash adds a digest that restore
@rem verifies; -X trusts any server certificate (no hostname or CA check), so run this only
@rem on the primary node against its own OpenDS instance, not across the network.
call "%DESTINATION_EXEC_DIR%\backup" --backendID userRoot --backupDirectory "%BACKUP_DIR%" ^
  -h %SOURCE_HOST% -p %SOURCE_ADMIN_PORT% -D "cn=directory manager" -w %PASSWORD% --hash -X
restore.bat script
set ATRIUM_SSO_DIR=D:\APPS\BMC Software\AtriumSSO
set OPENDS_DIR=%ATRIUM_SSO_DIR%\tomcat\webapps\atriumsso\WEB-INF\config\opends
set DESTINATION_EXEC_DIR=%OPENDS_DIR%\bat
@rem
@rem ******************************************************************************************
@rem Set BACKUP_DIR to the primary server's backup directory, mapped as a local drive
@rem (for example, map the primary server's share to Z:)
@rem ******************************************************************************************
@rem
set BACKUP_DIR=<PRIMARY_SERVER_BACKUP_DIRECTORY_MAPPED_TO_LOCAL_MACHINE>
@rem
@rem **********************************************************
@rem Set LOCAL_BACKUP_DIR to a folder on the current machine
@rem **********************************************************
@rem
set LOCAL_BACKUP_DIR=<LOCAL_DRIVE>\atsso_opends_working_config
rd "%LOCAL_BACKUP_DIR%" /S /Q
md "%LOCAL_BACKUP_DIR%"
@rem
@rem Before restoring, keep a copy of the current working db folder so this node
@rem can be rolled back if the restore leaves it in a bad state
@rem
xcopy "%OPENDS_DIR%\db" "%LOCAL_BACKUP_DIR%\db\" /E /I
@rem
@rem Restore the primary server's backup from the mapped directory. No connection
@rem options (-h/-p/-D/-w) are given, so restore acts on the local OpenDS instance;
@rem the procedure stops the non-primary servers first (step 4).
@rem
call "%DESTINATION_EXEC_DIR%\restore" --backupDirectory "%BACKUP_DIR%"
Note
BmcRealm is the default realm and cannot be deleted.
Add launches the Create Realm Editor, which allows you to add a realm to the system.
Edit launches the Realm Editor, which allows you to manage that realm's authentication,
federation, user stores (AR and LDAPv3), users, and user groups.
Delete removes the realm from the system.
Filter field allows you to display only the realms that match your search criteria.
2. In the Realm Name field, provide a name for the new realm.
3. In the User Profile field, select a user profile.
4. Click Save.
Ruth Harris had documented this information on the initial page for SSO 8.1.00 Patch 2. However, when I
followed up with Volodymyr Zaporozhets he said that the team will not be announcing multi-tenancy support in
patch 2. The team had initially talked about disabling this feature as the plan was to deliver it to BMC Remedy
OnDemand only. However, RoD later decided to wait until 8.8 for different reasons.
I have removed the following content from the SSO 8.1.00 Patch 2 page and have added it under Tracking tools
(in case this information is required for later releases).
The Web Agent maps the server hostname (the name the user types to reach a protected application) to the full
logon and logout URLs. The logon and logout URLs carry the information (for example, the realm name and the IdP
ID) that keeps the tenants separate from each other. The mapping is specified in a configuration file.
Note
When multi-tenancy support is enabled, the login and logout URLs specified for the Web Agent
configuration in the BMC Atrium SSO Console are not used.
The following diagram illustrates the authentication process when the multi-tenant Web Agent is used:
Configuration file
The configuration file is a properties file that contains records in the following format:
<hostName>|<login|logout>=<URL>
Configuration file example
pepsi.onbmc.com|login=https://sso.onbmc.com:8443/atriumsso/UI/Login?realm=/PepsiRealm
pepsi.onbmc.com|logout=https://sso.onbmc.com:8443/atriumsso/UI/Logout?realm=/PepsiRealm
coke.onbmc.com|login=https://sso.onbmc.com:8443/atriumsso/UI/Login?realm=/CokeRealm
coke.onbmc.com|logout=https://sso.onbmc.com:8443/atriumsso/UI/Logout?realm=/CokeRealm
Note
It is not necessary to restart the container that hosts the Web Agent when you enable or disable multi-tenancy
support or change its configuration. The Web Agent periodically polls its configuration file. The poll interval
is configured with the atsso.server.check.delay system property; the default is 2 minutes.
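As an added example (not BMC's Web Agent code, and not part of the original page), the following Python resolves a tenant's login or logout URL from a mapping file in the format shown above, and re-reads the file on a fixed poll interval in the spirit of the atsso.server.check.delay note. The record format and the sample hosts are the page's; the function and class names, the https-only check, the refusal to fall back to a default when the host is unknown, and the keep-last-good-mapping policy on a parse error are assumptions of this example.

```python
"""Host-to-tenant URL resolution for a multi-tenant Web Agent mapping file.

Added example; this is not BMC's Web Agent code. It assumes only what the page
states: a properties file of <hostName>|<login|logout>=<URL> records, keyed by
the hostname the user typed to reach the protected application, re-read on a
fixed poll interval. Function and class names here are hypothetical.
"""
import os
import time
from urllib.parse import urlsplit

ACTIONS = ("login", "logout")

# Constructed sample file, same shape as the page's configuration example.
SAMPLE_CONFIG = """\
# <hostName>|<login|logout>=<URL>
pepsi.onbmc.com|login=https://sso.onbmc.com:8443/atriumsso/UI/Login?realm=/PepsiRealm
pepsi.onbmc.com|logout=https://sso.onbmc.com:8443/atriumsso/UI/Logout?realm=/PepsiRealm
coke.onbmc.com|login=https://sso.onbmc.com:8443/atriumsso/UI/Login?realm=/CokeRealm
coke.onbmc.com|logout=https://sso.onbmc.com:8443/atriumsso/UI/Logout?realm=/CokeRealm
"""


def parse_mapping(text):
    """Parse mapping text into {hostname: {"login": url, "logout": url}}.

    A malformed record raises instead of being skipped: a tenant silently left
    without a mapping is exactly the case that ends with a user being sent to
    another tenant's realm.
    """
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, eq, url = line.partition("=")          # first '=' separates key from URL
        host, bar, action = key.partition("|")
        host, action, url = host.strip().lower(), action.strip(), url.strip()
        if not (eq and bar and host and action in ACTIONS):
            raise ValueError(f"line {lineno}: expected <hostName>|<login|logout>=<URL>")
        if urlsplit(url).scheme != "https":         # assumption: SSO URLs must be https
            raise ValueError(f"line {lineno}: SSO URL must use https")
        mapping.setdefault(host, {})[action] = url
    for host, urls in mapping.items():              # every tenant needs both URLs
        missing = [a for a in ACTIONS if a not in urls]
        if missing:
            raise ValueError(f"host {host}: no {missing[0]} URL")
    return mapping


def host_from_header(host_header):
    """Reduce a Host header value to the bare hostname the mapping file is keyed on."""
    value = host_header.strip().lower()
    if value.startswith("["):                       # IPv6 literal, e.g. [::1]:8443
        return value[1:value.index("]")]
    return value.split(":", 1)[0]


def resolve(mapping, host_header, action):
    """Return the tenant URL for the request's Host header.

    An unknown host is an error, not a fallback to some default tenant.
    """
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    host = host_from_header(host_header)
    try:
        return mapping[host][action]
    except KeyError:
        raise LookupError(f"no tenant mapping for host {host!r}") from None


class PolledMapping:
    """Mapping file re-read at most once per check_delay seconds (default 120).

    Mirrors the page's note that the agent polls its file instead of needing a
    container restart. A file that fails to parse keeps the last good mapping.
    """

    def __init__(self, path, check_delay=120.0, clock=time.monotonic):
        self.path, self.check_delay, self.clock = path, check_delay, clock
        self.mapping, self.last_error = {}, None
        self._mtime, self._next_check = None, None
        self._refresh(force=True)

    def _refresh(self, force=False):
        now = self.clock()
        if not force and self._next_check is not None and now < self._next_check:
            return                                  # poll interval not yet elapsed
        self._next_check = now + self.check_delay
        mtime = os.stat(self.path).st_mtime
        if mtime == self._mtime and not force:
            return                                  # file unchanged since last parse
        try:
            with open(self.path, encoding="utf-8") as fh:
                self.mapping, self.last_error = parse_mapping(fh.read()), None
            self._mtime = mtime
        except ValueError as exc:                   # keep the last good mapping
            self.last_error = str(exc)

    def url_for(self, host_header, action):
        self._refresh()
        return resolve(self.mapping, host_header, action)
```

The two checks that matter in a multi-tenant deployment are that an unknown Host header is an error rather than a default, and that a malformed record fails the whole file: either shortcut can end with a user being redirected into another tenant's realm.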
Note
In the upgrade folder is a README.txt file with the following content:
You can use the upgrade-wa script to upgrade WebAgent libraries without WebAgent re-deployment.
Usage
upgrade-wa [upgrade_lib_path] webapp_path
Parameters
upgrade_lib_path Path to the libraries that are used during the upgrade (optional)
webapp_path Path to the web application with the deployed WebAgent (required)
<VirtualHost *:*>
. . .
ProxyPreserveHost On
. . .
</VirtualHost>
. . .
DefaultType None
. . .
Create a list in a text file for each server and its IP address, as well as all accepted fully qualified names.
2. Set up your load-balancers.
a. Configure the AR System server load-balancer with all your servers in the server group.
Make sure that your AR System server load-balancer includes all the computers on which you will
install AR System servers. Otherwise, you will encounter errors when you configure the Mid Tier
to use the AR System server load-balancer (see page 381).
b. Configure the Mid Tier load-balancer.
Make sure that your Mid Tier load-balancer includes all the computers on which you will install Mid
Tiers.
c.
You should be able to access, for example, the BMC Remedy AR System Administration Console.
m. Install the remaining Mid Tiers for your environment.
4. Configure the Mid Tier load-balancer with all your Mid Tiers in the server group.
When you log on to the Mid Tier load balancer, the Mid Tier load balancer should resolve to the AR
System server load balancer.
Index
a
adding 248
administration 263, 264, 268, 271, 273, 275
agents 263, 275, 279, 331
ar 97
architecture 20
ar system 320
authentication 97, 132, 263, 271, 320, 326, 333
authentication chains 263
authentication modules 271
b
bmc analytics 199
bmc atrium sso 11, 79, 284, 331
bmc capacity optimization 207
bmc dashboards 198
bmc internal 353, 369, 378
bmc itbm 204, 205
bmc proactivenet 200
bmc remedy ar system 31, 79, 97
bulkfederation 157
c
ca 248
cac 326
ca certificates 239
certificates 20, 239, 243, 246, 248, 249
ciphers 257
configuration 132, 251, 276
configuring jvm 77
console 22
conversion 251, 256
cookie domain 20
csr 246
customer support 351
d
data 260
deployment 20, 31
diagnostics 279, 281
downloads 44
e
errors 279, 285
external tomcat 72
f
features 12
federating 157, 263
fips 251, 256, 257, 258
fips 140 251, 256, 257, 258
fixes 12, 17, 19
g
generate csr 246
group membership 264
groups 97, 263, 268
h
ha 20, 55, 112, 263, 273
high availability 20, 55, 112, 263, 273
home 11
i
import 243
importing certificates 246
j
jboss 331
jee 20, 279, 331
k
kerberos 132, 333
keystore 239, 240
keytool 239
l
ldap 260
licensing 12
linux 117
logs 282, 284
m
mid tier 31, 79
monitoring 256
n
network ciphers 257
new 12, 17, 19
nodes 263, 273
normal mode 258
o
openam 22
p
passwords 20
patches 12, 17, 19
pdfs 352
planning 29
prerequisites 42
product agents 275
r
realms 20
reference 31, 351
release notes 12
rsa api properties 284
s
saml 31
self signed 249
server 77
session behavior 20, 24
session parameters 263, 276
setting http connection 78
silent 112
sso 11, 22
sso server 263, 279
starting 279
stopping 279
store 260
supported 351
t
tomcat 77, 331
troubleshooting 279, 320, 326, 331, 333
truststore 239, 243
u
v
versions 351
w
weblogic 331
websphere 205, 331
windows 117
The information included in this documentation is the proprietary and confidential information of BMC Software, Inc., its affiliates, or licensors. Your use
of this information is subject to the terms and conditions of the applicable End User License agreement for the product and to the proprietary and
restricted rights notices included in the product documentation.
Restricted rights legend
U.S. Government Restricted Rights to Computer Software. UNPUBLISHED RIGHTS RESERVED UNDER THE COPYRIGHT LAWS OF THE UNITED STATES.
Use, duplication, or disclosure of any data and computer software by the U.S. Government is subject to restrictions, as applicable, set forth in FAR
Section 52.227-14, DFARS 252.227-7013, DFARS 252.227-7014, DFARS 252.227-7015, and DFARS 252.227-7025, as amended from time to time.
Contractor/Manufacturer is BMC SOFTWARE INC, 2101 CITYWEST BLVD, HOUSTON TX 77042-2827, USA. Any contract notices should be sent to this
address.
BMC Software Inc.
2101 CityWest Blvd, Houston TX 77042-2827, USA
713 918 8800
Customer Support: 800 537 1813 or contact your local support center