HP Service Manager Single Sign-On Implementation: Integration with Integrated Windows Authentication



Date: 29.07.2017

3.2 Installation Prerequisites


3.2.1 Install Java 1.6 JDK

The Java JDK is installed on the server in, for instance, the directory “D:\localapp\jdk1.6.0_30”, using the installation file “jdk-6u30-windows-i586/x64.exe”.

Download the appropriate version (x86/x64); at the time of writing (April 2012), 1.6.0_30 was the latest version downloadable from http://www.oracle.com/technetwork/java/javasebusiness/downloads/java-archive-downloads-javase6-419409.html .

This installation also comes with a bundled JRE 1.6. You can install it in the default location (C:\Program Files\Java\jre) or somewhere else; we prefer to install it in D:\localapp\jre.

Change the Windows environment variable ‘JAVA_HOME’ to point to the new JDK via “Start/Configuration Settings/System/Advanced/Environment Variables/New System Variable”.



3.2.2 Install Apache Tomcat 7



  • Installation directory

To install Tomcat, the provided file “apache-tomcat-7.0.25-windows-XYZ.zip” is extracted to, for instance, the directory “D:\localapp\tomcat7”. The extracted directory is the full program directory.

Some prefer the easier way and use the 32-bit/64-bit Windows Service Installer.

Tomcat binaries can be downloaded from: http://tomcat.apache.org/download-70.cgi

This setup is based on the downloadable 32-bit ZIP archive. Choose the appropriate version according to your OS architecture.






  • Installing the Windows service

The next step is to create a Windows service for Tomcat. This is done with the “service.bat” command, delivered in the bin directory.

Run “service.bat install” in the bin directory and the Windows service “Tomcat7” will be installed. If you want another service name, edit service.bat first.

Note:

Because other versions of Tomcat are installed on the server, it is possible that the “service.bat” command does not run properly. If this is the case, the Tomcat variable “CATALINA_HOME” has to be emptied before running the command. This can be done via the following command:

set CATALINA_HOME=

This only changes the variable in the current command prompt session.





  • Changing startup parameters and JVM settings

Create the file “setenv.bat” in the Tomcat bin directory with the following content:

set CATALINA_OPTS=-XX:MaxPermSize=256m -Xms512M -Xmx512M -Dsun.net.client.defaultReadTimeout=600000
set CATALINA_HOME=D:\localapp\Tomcat7
REM default setting is 60 seconds, for customer A: 10 minutes
REM set CATALINA_OPTS=%CATALINA_OPTS% -Dsun.net.client.defaultReadTimeout=60000 -Dsun.net.client.defaultConnectTimeout=60000

These parameters are set when the Tomcat service starts. Instead of using the variable ‘JAVA_OPTS’, we set the variable ‘CATALINA_OPTS’, which ensures that these settings only affect this Tomcat service and no other Java applications running on the server.



3.3 Demo setup IIS -> Tomcat -> HPSM web application


3.3.1 Install IIS

In the following paragraphs, screen shots are based on Windows 2003 and IIS 6.

Note: when using IIS 7 or 7.5, review the settings we have documented against those described in http://tomcat.apache.org/connectors-doc/webserver_howto/iis.html, and check in particular whether this paragraph applies to you:

“In a 64 Bit environment - at least for IIS 7 - the used IIS Application Pool should have "Enable 32-bit Applications" set to "False". Otherwise the redirector will not be called and returns an http code 404. If you think, the 32bit version of isapi_redirect.dll would do the job instead, you will get an http code 500, because the library is not loadable into a 64 Bit IIS.”

By default, IIS enables kernel-mode authentication, which may improve authentication performance and prevent authentication problems with application pools configured to use a custom identity. As a best practice, do not disable this setting if Kerberos authentication is used in your environment and the application pool is configured to use a custom identity.




3.3.2 Jakarta ISAPI plugin

The Jakarta ISAPI plugin is used to connect IIS with Tomcat.

Between the Jakarta plugin and Tomcat, the Apache Java Protocol (AJP) is used. For more information, see the description below, quoted from the source given at the end.

“Configure the Tomcat Web container to support the AJP protocol

The Apache AJP protocol is packet-oriented and enables the Web server to communicate with the JSP/servlet container over TCP connections. Again, AJP is used here by IIS HTTP Server to communicate with Tomcat.

To cut down on the expensive process of socket creation, the Web server attempts to maintain persistent TCP connections to the servlet container, and attempts to reuse a connection for multiple request/response cycles. Once the Web server has opened a connection to the servlet container and assigned a connection to a particular request, it will not be used for any other requests until the request handling cycle has terminated. This makes the code at either end of the connection simpler -- although it does cause more connections to be open at once.

Once a connection is assigned to handle a particular request, the basic request information (HTTP headers, and so on) is sent over the TCP connection as a packet. At this point, the servlet container is presumably ready to start processing the request and sends the formatted packet of reply messages back to the Web server.”

Source: http://www.ibm.com/developerworks/websphere/library/techarticles/0703_krishnasamy/0703_krishnasamy.html
3.3.3 Create directory structure for JAKARTA_ISAPI

The Jakarta ISAPI plugin is used to connect Tomcat with IIS.




  1. Consult the ISAPI documentation on http://tomcat.apache.org/connectors-doc/reference/iis.html

  2. Download the appropriate binaries from http://tomcat.apache.org/download-connectors.cgi

  3. Modify the content of isapi_redirect-1.2.XY.properties; the properties file must have the same name as the DLL file (without extension, of course).

  4. Rename the DLL and the properties file to isapi_redirect.dll and isapi_redirect.properties

Create the following three subdirectories for the configuration files of the Jakarta ISAPI plugin:

  • bin

  • conf

  • log

This structure will, for instance, be created in the directory “D:\localapp\Apache\” on the web server.

The following files need to be placed in the bin directory:

  • isapi_redirect.properties

  • isapi_redirect.dll (32 bit or 64 bit, depending on your server OS)

The following files need to be put in the conf directory:

  • uriworkermap.properties

  • workers.properties

3.3.4 Content of isapi_redirect.properties

In this file the redirect settings used by the Jakarta ISAPI plugin are configured.

# Configuration file for the Jakarta ISAPI Redirector plug-in for IIS
# more information on http://tomcat.apache.org/connectors-doc/reference/iis.html
# this properties file is intended to replace Windows registry settings

# The path to the ISAPI Redirector Extension, relative to the website
# This must be in a virtual directory with execute privileges
#extension_uri=/jakarta/isapi_redirect.dll
## version 1.2.32
extension_uri=/jakarta/isapi_redirect.dll

# Full path to the log file for the ISAPI Redirector
#log_file=$(ISAPI_PATH)\log\$(ISAPI_NAME).log
log_file=D:\localapp\Apache\JAKARTA_ISAPI\log\isapi_redirect.log

# Log level (debug, info, warn, error or trace)
log_level=info

# Full path to the workers.properties file
worker_file=D:\localapp\Apache\JAKARTA_ISAPI\conf\workers.properties

# Full path to the uriworkermap.properties file
worker_mount_file=D:\localapp\Apache\JAKARTA_ISAPI\conf\uriworkermap.properties

# Improve security
#reject_unsafe=1

# custom error page when back end is not there anymore
#error_page=


3.3.5 Configure workers.properties

In this file the load balancing configuration of the Jakarta ISAPI plugin is defined. Two workers are exposed: sm9lb for Service Manager and jkstatus for the jkmanager application. For the sm9lb worker the redirect port settings are defined.

The example below defines 3 Tomcat workers for possible load balancing. For this setup we only use one of them (tomcat1).

More information can be found on http://tomcat.apache.org/connectors-doc/reference/workers.html

# workers.properties.minimal -
#
# This file provides minimal jk configuration properties needed to
# connect to Tomcat.
#
ps=\

# The workers that jk should create and work with
#
# Define workers using ajp13

# ------------------------
# First tomcat server
# ------------------------
worker.tomcat1.port=8019
worker.tomcat1.host=16.111.0.12
worker.tomcat1.type=ajp13
worker.tomcat1.lbfactor=1

# ------------------------
# Second tomcat server
# ------------------------
#worker.tomcat2.port=8010
#worker.tomcat2.host=17.111.12.16
#worker.tomcat2.type=ajp13
#worker.tomcat2.lbfactor=1

# ------------------------
# Third tomcat server
# ------------------------
#worker.tomcat3.port=8011
#worker.tomcat3.host=16.101.12.164
#worker.tomcat3.type=ajp13
#worker.tomcat3.lbfactor=1

################ Define the LB worker
# The advanced router LB worker
##########################################
worker.list=sm9lb
worker.sm9lb.type=lb
#worker.sm9lb.balance_workers=tomcat1,tomcat2,tomcat3
# only worker tomcat1 will be used
worker.sm9lb.balance_workers=tomcat1
worker.sm9lb.socket_keepalive=1
worker.sm9lb.method=S
worker.sm9lb.connection_pool_timeout=40
#worker.sm9lb.max_packet_size=65536

# Add the status worker to the worker list
worker.list=jkstatus
# Define a 'jkstatus' worker using status
worker.jkstatus.type=status


Note: tomcat1, tomcat2 and tomcat3 are the jvmRoutes defined in Tomcat’s server.xml.

When using one single Tomcat instance, it’s not needed to modify Tomcat’s server.xml.


See screen shot below:


3.3.6 Configure uriworkermap.properties

In this properties file the HPSM web application, with example context root smbsc, is mapped to the already configured worker sm9lb. The /jkmanager path is mapped to the worker jkstatus.

# uriworkermap.properties - IIS
#
# This file provides sample mappings for example wlb
# worker defined in workermap.properties.minimal
# The general syntax for this file is:
# [URL]=[Worker name]
#/admin/*=wlb
#/manager/*=wlb

# Optionally filter out all .jpeg files inside that context
# For no mapping the url has to start with exclamation (!)
!/servlets-examples/*.jpeg=wlb
#
# Mount jkstatus to /jkmanager
# For production servers you will need to secure the access to the /jkmanager url via IIS
#
#/jkmanager=jkstatus
/jkmanager|/*=jkstatus

# HPSM 9.30 web application
/smbsc|/*=sm9lb
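As an added example (not part of this document and not code from the Tomcat connectors project), the following Python script resolves request paths against a uriworkermap.properties and a workers.properties the way the rules above are written: the “/ctx|/*” shorthand expands to both “/ctx” and “/ctx/*”, a leading “!” excludes a pattern from forwarding, and among forwarding rules the longest matching pattern wins. It also cross-checks the two files, reporting any rule that names a worker missing from every worker.list line and listing the paths that reach the status worker, which is the /jkmanager mount the comment above says must be restricted in IIS. The file contents are constructed samples modelled on this page, and all function names are my own.

```python
import fnmatch

# Constructed sample files modelled on the page's configuration
# (not copied from any real deployment).
URIWORKERMAP = """
# [URL]=[Worker name]
!/servlets-examples/*.jpeg=wlb
/jkmanager|/*=jkstatus
/smbsc|/*=sm9lb
"""

WORKERS = """
worker.list=sm9lb
worker.sm9lb.type=lb
worker.sm9lb.balance_workers=tomcat1
worker.tomcat1.type=ajp13
worker.tomcat1.host=16.111.0.12
worker.tomcat1.port=8019
worker.list=jkstatus
worker.jkstatus.type=status
"""


def parse_properties(text):
    """Return (key, value) pairs, skipping blank lines and '#' comments."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        pairs.append((key.strip(), value.strip()))
    return pairs


def worker_names(workers_text):
    """Every name exposed by a worker.list line (the file may contain several)."""
    names = set()
    for key, value in parse_properties(workers_text):
        if key == "worker.list":
            names.update(n.strip() for n in value.split(",") if n.strip())
    return names


def parse_uriworkermap(text):
    """Expand the shorthand into (pattern, worker, is_exclusion) rules.

    '/ctx|/*=w' stands for both '/ctx=w' and '/ctx/*=w';
    a leading '!' marks a pattern that must NOT be forwarded to Tomcat.
    """
    rules = []
    for pattern, worker in parse_properties(text):
        exclude = pattern.startswith("!")
        if exclude:
            pattern = pattern[1:]
        if "|" in pattern:
            base, suffix = pattern.split("|", 1)
            expanded = [base, base + suffix]
        else:
            expanded = [pattern]
        for expanded_pattern in expanded:
            rules.append((expanded_pattern, worker, exclude))
    return rules


def resolve(rules, path):
    """Worker that would receive `path`, or None when IIS keeps serving it.

    A matching exclusion wins outright; among forwarding rules the longest
    matching pattern wins, so '/smbsc/*' beats any shorter wildcard.
    """
    best = None
    for pattern, worker, exclude in rules:
        matched = pattern == path or (
            "*" in pattern and fnmatch.fnmatchcase(path, pattern))
        if not matched:
            continue
        if exclude:
            return None
        if best is None or len(pattern) > len(best[0]):
            best = (pattern, worker)
    return best[1] if best else None


def audit(uriworkermap_text, workers_text):
    """Cross-check both files.

    Returns (problems, status_paths): rules naming a worker absent from every
    worker.list line, and the paths that expose the status worker (jkmanager).
    """
    rules = parse_uriworkermap(uriworkermap_text)
    defined = worker_names(workers_text)
    worker_types = {}
    for key, value in parse_properties(workers_text):
        parts = key.split(".")
        if len(parts) == 3 and parts[2] == "type":
            worker_types[parts[1]] = value
    problems, status_paths = [], []
    for pattern, worker, exclude in rules:
        if worker not in defined:
            problems.append(f"{pattern}: worker '{worker}' is not in any worker.list")
        if not exclude and worker_types.get(worker) == "status":
            status_paths.append(pattern)
    return problems, status_paths


if __name__ == "__main__":
    rules = parse_uriworkermap(URIWORKERMAP)
    for path in ("/smbsc/index.do", "/jkmanager", "/servlets-examples/a.jpeg", "/"):
        print(f"{path:30} -> {resolve(rules, path)}")
    problems, status_paths = audit(URIWORKERMAP, WORKERS)
    print("problems:", problems)
    print("status worker reachable at:", status_paths)
```

Run against the sample, the audit flags the leftover “wlb” exclusion copied from the Tomcat sample file (no such worker is listed) and reports “/jkmanager” and “/jkmanager/*” as the paths on which the status worker is reachable, which is exactly the set an administrator has to lock down in IIS before the site goes to production.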


3.3.7 Configuring the Tomcat ISAPI Connector in IIS

3.3.7.1 Web Service Extensions for Jakarta

Note: in case port 80 on IIS cannot be used, continue with 3.3.7.5 “You cannot use port 80?” below.

Open IIS Manager and expand the Internet Information Services tree from the (local computer) to the Default Web Site.

Verify that the Default Web Site has been stopped.

From the Internet Information Services tree, select the Web Service Extensions node. Right-click on “Web Service Extensions” and select the “Add a new Web service extension …” item.

Enter the following into the ‘Extension name’ field in the opened window: Jakarta Isapi Redirector.

Via the Add button, select the isapi_redirect.dll and, after clicking OK, select the checkbox ‘Set extension status to Allowed’.



3.3.7.2 Step 2: configure isapi_redirect.dll

Right-click on the Default Web Site node in the IIS Manager tree, and select Properties from the drop-down menu.

From the Default Web Site Properties window, select the ISAPI Filters tab and click on the Add button.

On the Add/Edit Filter Properties window set the following parameters:

Filter name: Jakarta Isapi Redirector

Executable: for instance C:\Apache\JAKARTA_ISAPI\bin\isapi_redirect.dll

3.3.7.3 New -> Virtual Directory for Jakarta

  • On the Default Web Site Properties window click OK to save the settings.

  • Right-click on the Default Web Site node in the IIS Manager tree and select New -> Virtual Directory... from the drop-down menu. This launches the Virtual Directory Creation Wizard.

  • From the Virtual Directory Creation Wizard, Web Site Content Directory, set the path to, for instance: C:\Apache\JAKARTA_ISAPI\bin\

  • From the Virtual Directory Creation Wizard, Virtual Directory Access Permissions, enable the following checkboxes:

    • Read

    • Execute (such as ISAPI applications or CGI)

    • Write

  • Accept the warning from IIS Manager.

  • In the Internet Information Services tree, below the Default Web Site node, a new folder has been added called Jakarta.


3.3.7.4 Check running ISAPI filter

  • Start the Default Web Site.

  • Verify that the Jakarta Isapi Redirector filter on the ISAPI Filters tab of the Default Web Site Properties window is running,

  • and that the Priority is set to High.

Note - If you check on its status, you may notice that the ISAPI filter hasn’t been successfully loaded at this stage, even if you have re-started IIS. This is expected behavior and is documented in the IIS6 Operations Guide:

“In an effort to optimize resources in IIS 6.0, an ISAPI filter is not loaded until a request is made to a Web site that requires the ISAPI filter. Until this request is made, IIS Manager does not display the status of the ISAPI filter.”

http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/93f23233-2a47-4104-b0b4-a7ec0d3116f3.mspx

However, once IIS has served a successful request to it you will see the status of the ISAPI filter change to ‘Loaded’.
3.3.7.5 You cannot use port 80?

Note: if the previous steps were executed, you can ignore this paragraph.

As there is another web site running on port 80 in the customer’s environment, we define a new web site that listens on port 81.

Please create a new node under Web Sites with the following properties:




Step 1: Web Service Extensions for Jakarta

Open the IIS Manager and expand the Internet Information Services tree from the (local computer) down to Web Sites.

From the Internet Information Services tree, select the Web Service Extensions node.

Right-click on “Web Service Extensions” and select the “Add a new Web service extension …” item.

Enter the following into the ‘Extension name’ field in the opened window: Jakarta Isapi Redirector.

Via the Add button, select the isapi_redirect.dll and, after clicking OK, select the checkbox ‘Set extension status to Allowed’.


Finally, you’ll get back to this screen:


Step 2: configure isapi_redirect.dll

Right-click on the newly created node in the IIS Manager tree, and select Properties from the drop-down menu.

From the Site Properties window, select the ISAPI Filters tab and click on the Add button.

On the Add/Edit Filter Properties window set the following parameters:

Filter name: Jakarta Isapi Redirector

Executable: D:\localapps\Apache\JAKARTA_ISAPI\bin\isapi_redirect.dll

Step 3: New -> Virtual Directory for Jakarta

On the Node Properties window click OK to save the settings, right-click on the node in the IIS Manager tree, and select New -> Virtual Directory... from the drop-down menu. This launches the Virtual Directory Creation Wizard.

From the Virtual Directory Creation Wizard, Virtual Directory Alias, set the Alias to: Jakarta.

From the Virtual Directory Creation Wizard, Web Site Content Directory, set the path to: “D:\localapps\Apache\JAKARTA_ISAPI\bin\”

From the Virtual Directory Creation Wizard, Virtual Directory Access Permissions, enable the following checkboxes:

  • Read

  • Execute (such as ISAPI applications or CGI)

  • Write

And accept the warning from the IIS Manager.

In the Internet Information Services tree, below the Site node, a new folder has been added called: Jakarta.



Check running ISAPI filter

Start the Default Web Site, and verify that the Jakarta Isapi Redirector filter on the ISAPI Filters tab of the Default Web Site Properties window is up and running, and that the Priority is set to: High.

Note - If you check on its status, you may notice that the ISAPI filter hasn’t been successfully loaded at this stage, even if you have re-started IIS. This is expected behavior and is documented in the IIS6 Operations Guide:

“In an effort to optimize resources in IIS 6.0, an ISAPI filter is not loaded until a request is made to a Web site that requires the ISAPI filter. Until this request is made, IIS Manager does not display the status of the ISAPI filter.”

http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/93f23233-2a47-4104-b0b4-a7ec0d3116f3.mspx

However, once IIS has served a successful request to it you will see the status of the ISAPI filter change to ‘Loaded’.

3.3.8 Enable Integrated Windows Authentication (IWA) on IIS

Go to the properties of the Default Web Site, open the Directory Security tab, and click the Edit button under Authentication and Access control.

Enable “Integrated Windows Authentication” and disable all the rest:

By enabling the checkbox “Integrated Windows Authentication”, we force IIS to use Kerberos in preference to NTLM authentication.
3.3.9 How-to secure jkmanager

Create a new virtual directory “jkmanager” and let it point to the ISAPI log file directory.

Allow only 127.0.0.1 and local access:

Beside 127.0.0.1, also add the local IP addresses of the web server (e.g. 10.136.17.185):

This is the result when you access jkmanager from the local machine. Only this URL will work: http://localhost:81/jkmanager



3.3.10 Configuring Internet Explorer

Start the Internet Explorer browser on the machine:

  • on the menu bar click on Tools and select Internet Options,

  • select the Security tab,

  • select the Local Intranet content zone,

  • and click on the Sites... button,

  • add the following address to the list of trusted web sites: http://

  • make sure that the "Require server verification (https:) for all sites in this zone" option is not selected,

  • on the Security tab page, select the Local Intranet content zone, and click on the Custom Level... button,

  • at the bottom, in the User Authentication, Logon section, select the following option:

  • Automatic logon with current username and password

The following screen shots are based on IE8.

Go to Tools - Internet Options.

Click on the button Sites.

Add your IIS server FQDN (before that, uncheck Require server verification if https is not enabled).

Click Close.

Click the button Custom level.

Go to the User Authentication part and change the default "Automatic logon in Intranet Zone" to "Automatic logon with current user name and password".

Click OK and go to the Advanced tab in Internet Options.

Check that Integrated Windows Authentication is enabled (Kerberos authentication instead of NTLM).
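The two sections above (3.3.8 on the IIS side and 3.3.10 on the browser side) end with the same open question: is the browser actually sending Kerberos, or has it fallen back to NTLM? The Authorization header answers that, and the same header is what overflows Tomcat's default 8 KiB header limit when a user belongs to many groups (see 3.3.11). The following Python script is an added example, not part of this document or of any vendor tool: it classifies an Authorization header by decoding the token and looking at the GSS-API envelope (raw NTLMSSP, raw Kerberos, or SPNEGO wrapping either), and computes the header line's wire size against the 8192-byte default. The tokens are constructed samples with dummy payloads; only the envelope (tag, DER length, mechanism OID, NTLMSSP signature) is realistic, and every function name is my own.

```python
import base64

# Byte patterns that identify the mechanism inside a Negotiate/NTLM token.
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
SPNEGO_OID = bytes.fromhex("06062b0601050502")      # DER OID 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")  # DER OID 1.2.840.113554.1.2.2
TOMCAT_DEFAULT_HEADER_LIMIT = 8192                   # Tomcat default maxHttpHeaderSize


def _der_contents(tlv):
    """Strip one DER tag and its (short or long form) length, return the contents."""
    first = tlv[1]
    if first < 0x80:
        return tlv[2:]
    return tlv[2 + (first & 0x7F):]


def classify_authorization(header_value):
    """Return kerberos / spnego-kerberos / spnego-ntlm / ntlm / other / malformed / unknown."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return "other"
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:
        return "malformed"
    if raw.startswith(NTLMSSP_SIGNATURE):
        return "ntlm"                      # bare NTLMSSP, not even wrapped in SPNEGO
    if len(raw) < 2 or raw[:1] != b"\x60":  # GSS-API InitialContextToken tag
        return "unknown"
    body = _der_contents(raw)
    if body.startswith(KRB5_OID):
        return "kerberos"
    if body.startswith(SPNEGO_OID):
        # A negTokenInit carrying NTLM embeds the NTLMSSP blob as its mechToken.
        return "spnego-ntlm" if NTLMSSP_SIGNATURE in raw else "spnego-kerberos"
    return "unknown"


def header_line_size(header_value, name="Authorization"):
    """Bytes the header line occupies on the wire: 'Name: value' plus CRLF."""
    return len(name) + 2 + len(header_value) + 2


def exceeds_limit(header_value, limit=TOMCAT_DEFAULT_HEADER_LIMIT):
    """True when this single header already exceeds the container's header limit."""
    return header_line_size(header_value) > limit


def audit_headers(headers):
    """(label, mechanism, wire size, over the default limit) for each sample."""
    return [(label, classify_authorization(value), header_line_size(value),
             exceeds_limit(value)) for label, value in headers.items()]


def _gss_wrap(body):
    """Constructed helper: wrap body in the [APPLICATION 0] tag with a DER length."""
    if len(body) < 0x80:
        return b"\x60" + bytes([len(body)]) + body
    length_bytes = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return b"\x60" + bytes([0x80 | len(length_bytes)]) + length_bytes + body


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


# Constructed tokens: inner payloads are zero-filled dummies, envelopes are real.
_NTLM_TYPE1 = NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00" + bytes(28)
_KRB_AP_REQ = KRB5_OID + b"\x01\x00" + bytes(40)
SAMPLE_HEADERS = {
    "raw NTLM": "NTLM " + _b64(_NTLM_TYPE1),
    "SPNEGO over NTLM": "Negotiate " + _b64(_gss_wrap(
        SPNEGO_OID + b"\xa0" + bytes([len(_NTLM_TYPE1)]) + _NTLM_TYPE1)),
    "SPNEGO over Kerberos": "Negotiate " + _b64(_gss_wrap(
        SPNEGO_OID + b"\xa0" + bytes([len(_KRB_AP_REQ)]) + _KRB_AP_REQ)),
    "raw Kerberos": "Negotiate " + _b64(_gss_wrap(_KRB_AP_REQ)),
    # A member of many groups: the ticket's PAC pushes the token past 8 KiB.
    "large Kerberos": "Negotiate " + _b64(_gss_wrap(KRB5_OID + b"\x01\x00" + bytes(7000))),
}


if __name__ == "__main__":
    for label, mechanism, size, too_big in audit_headers(SAMPLE_HEADERS):
        flag = "EXCEEDS 8192" if too_big else "ok"
        print(f"{label:22} {mechanism:16} {size:6d} bytes  {flag}")
```

A quick visual check without any tooling: an NTLM token, raw or inside SPNEGO, base64-encodes to a value that starts with “TlRMTVNTUAA” (the NTLMSSP signature), whereas a Kerberos or SPNEGO token starts with “YI”. If IE still sends NTLM after the steps above, the usual causes are the site not being in the Local Intranet zone or the browser addressing the server by an IP or a name for which no service principal exists, so Kerberos cannot obtain a ticket and Negotiate falls back.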




3.3.11 Request Entity Too Large

In case you get a Request Entity Too Large error in your browser, you should consider these additional steps.

Figure: Request Entity Too Large error

Very often the HTTP header encodes the user’s group membership in the Authorization header. By default Tomcat has an 8k maximum header size, whilst users belonging to many groups can have an authorization token that swells beyond this size. This explains why some people can log in and others can’t.

To solve this issue, change maxHttpHeaderSize to something larger than the default 8k and you should be set.

To change the ISAPI Redirector, look for max_packet_size on http://tomcat.apache.org/connectors-doc/reference/workers.html and don’t forget to read the comment about also changing the Tomcat configuration.

On the Tomcat level, we need to change the packetSize.

This attribute sets the maximum AJP packet size in bytes. The maximum value is 65536. It should be the same as the max_packet_size directive configured for mod_jk. Normally it is not necessary to change the maximum packet size. Problems with the default value have been reported when sending certificates or certificate chains. The default value is 8192.

A useful example can be found on http://builddeploy.blogspot.com/2009/04/resolving-http-error-413-request-entity.html

Example Tomcat AJP connector change:

<Connector port="8019" enableLookups="false" redirectPort="8443" debug="0" tomcatAuthentication="false" packetSize="20000" protocol="AJP/1.3" />

The values of packetSize and max_packet_size must be equal!
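Because the two values live in different files owned by different components (Tomcat's server.xml and the ISAPI redirector's workers.properties), they drift apart easily, and a mismatch shows up only for the users with the largest tokens. The following Python script is an added example (not part of this document, not Tomcat or mod_jk code) that reads both files, pairs each ajp13 worker with the AJP connector on the same port, and reports any disagreement or a value above the 65536 limit stated above. The server.xml fragment and workers.properties are constructed samples modelled on this page; one assumption is marked in the code: a max_packet_size set on the lb worker, as the commented example in 3.3.5 places it, is taken to apply to the members it balances when they have no setting of their own. Function names are my own.

```python
import xml.etree.ElementTree as ET

AJP_DEFAULT = 8192   # default packetSize / max_packet_size (from the text above)
AJP_MAX = 65536      # maximum AJP packet size (from the text above)

# Constructed server.xml fragment and workers.properties modelled on the page.
SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" maxHttpHeaderSize="20000"/>
    <Connector port="8019" protocol="AJP/1.3" enableLookups="false"
               redirectPort="8443" tomcatAuthentication="false" packetSize="20000"/>
  </Service>
</Server>"""

WORKERS_OK = """worker.list=sm9lb
worker.tomcat1.type=ajp13
worker.tomcat1.host=16.111.0.12
worker.tomcat1.port=8019
worker.sm9lb.type=lb
worker.sm9lb.balance_workers=tomcat1
worker.sm9lb.max_packet_size=20000
"""

# The same file with the max_packet_size line forgotten: mod_jk falls back to 8192.
WORKERS_MISMATCH = "\n".join(
    line for line in WORKERS_OK.splitlines() if "max_packet_size" not in line)


def _parse_properties(text):
    """(key, value) pairs from a Java-style properties file, comments skipped."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            pairs.append((key.strip(), value.strip()))
    return pairs


def ajp_connectors(server_xml):
    """port -> packetSize for every AJP connector (default when the attribute is absent)."""
    root = ET.fromstring(server_xml)
    sizes = {}
    for conn in root.iter("Connector"):
        if conn.get("protocol", "HTTP/1.1").startswith("AJP"):
            sizes[int(conn.get("port"))] = int(conn.get("packetSize", AJP_DEFAULT))
    return sizes


def worker_packet_sizes(workers_text):
    """port -> effective max_packet_size for every ajp13 worker."""
    props = {}
    for key, value in _parse_properties(workers_text):
        parts = key.split(".")
        if len(parts) == 3:                      # worker.<name>.<attribute>
            props.setdefault(parts[1], {})[parts[2]] = value
    balanced_by = {}
    for name, attrs in props.items():
        if attrs.get("type") == "lb":
            for member in attrs.get("balance_workers", "").split(","):
                if member.strip():
                    balanced_by[member.strip()] = name
    sizes = {}
    for name, attrs in props.items():
        if attrs.get("type") != "ajp13":
            continue
        raw = attrs.get("max_packet_size")
        if raw is None and name in balanced_by:
            # Assumption: a value on the lb worker (where the page's commented
            # example puts it) applies to members without their own setting.
            raw = props[balanced_by[name]].get("max_packet_size")
        sizes[int(attrs["port"])] = int(raw) if raw is not None else AJP_DEFAULT
    return sizes


def check_packet_sizes(server_xml, workers_text):
    """Findings as strings; an empty list means Tomcat and the redirector agree."""
    findings = []
    tomcat = ajp_connectors(server_xml)
    for port, jk_size in worker_packet_sizes(workers_text).items():
        if port not in tomcat:
            findings.append(f"port {port}: no AJP connector listens on the worker's port")
            continue
        tc_size = tomcat[port]
        if tc_size != jk_size:
            findings.append(f"port {port}: packetSize={tc_size} but max_packet_size={jk_size}")
        for label, value in (("packetSize", tc_size), ("max_packet_size", jk_size)):
            if value > AJP_MAX:
                findings.append(f"port {port}: {label}={value} exceeds the AJP limit of {AJP_MAX}")
    return findings


if __name__ == "__main__":
    print("consistent config :", check_packet_sizes(SERVER_XML, WORKERS_OK) or "no findings")
    print("forgotten mod_jk  :", check_packet_sizes(SERVER_XML, WORKERS_MISMATCH))
```

In practice the script is run after every change to either file; the second sample reproduces the situation this section describes, where Tomcat was raised to 20000 but the redirector still negotiates 8192, so the larger packets never reach Tomcat.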




