1. Back up your web.xml file, splash screen, style sheets, and any other customizations you made, including your webtier-X.YZ.war (.ear) file.
2. Delete or uninstall the existing webtier-X.YZ.war (.ear) file.
Note: The "Update Application" function in WebSphere Application Server 6.x allows you to redeploy using a new copy of webtier-X.YZ.war (.ear). First, update the web.xml in the webtier-X.YZ.war (.ear) file, and then redo the shared library configuration. For more information, see the IBM WebSphere documentation.
3. Deploy the new webtier-X.YZ.war (.ear) file by following the instructions in the Service Manager Installation Guide.
Note: It is best practice to deploy with a unique context root. For example: /webtier-9.21.168 /sm or /itsm
4. Replace the new versions of any files you customized with your customized versions.
5. Make any new customizations necessary for your deployment. Be sure to set the secureLogin and sslPort parameters and other SSO parameters
6. Restart the Application server.
Note: Before accessing the new Web Tier, HP recommends that all users empty their browser cache.
7. Enable trustedsignon:1 in sm.ini and/or SSL settings if required on the HPSM application server and restart it.
3.6Service Manager Configuration File Changes
3.6.1Sm.ini
Changes
-
Enable SSO by adding trustedsignon:1
-
Add sslConnector:1, ssl:1 and ssl_reqClientAuth:2
-
The settings which are needed to work with the SSL certificates:
-
keystoreFile:servercert.keystore
-
keystorePass:SM930Password
-
ssl_trustedClientsJKS:trustedclients.keystore
-
ssl_trustedClientsPwd:SM930Password
-
truststoreFile:cacerts
-
truststorePass:changeit
Example content that can be added to sm.ini:
#####################################################################################
### SSO & SSL parameters
## **********************************************
#This parameter defines whether servlet container processes have an HTTPS (SSL-encrypted HTTP) communications port available.
#A servlet container process can only have one HTTPS port open at a time.
#Servlet container processes can only use an HTTPS communications port if the sslConnector parameter is enabled.
#This parameter requires the use of the httpsPort parameter.
#It is best practice to place this parameter in the Service Manager initialization file so that
#you enable or disable the HTTPS port for all servlet containers on the same system.
sslConnector:1
#This parameter defines whether the Service Manager server requires SSL connections from all incoming client requests.
#Enable this parameter to require all clients to use SSL connections.
#Unless you also require each client to have its own certificate, clients can connect to the server using anonymous SSL.
#When enabled, clients that have their own certificates will use those certificates for SSL connections, while clients
#without their own certificates will use the Service Manager server's certificate for SSL connections.
ssl:1
# do not force ssl, it's an option, sslConnector will work when ssl certificates are used
#This parameter defines whether trusted clients can log in to the Service Manager server without having to provide login information.
#Enable this parameter to allow trusted clients to bypass the Service Manager login screen.
#Users must already have logged on to a trusted authentication source for trusted sign-on to succeed.
## enable Single Sign-On and Trusted Sign-on without SSL
trustedsignon:1
#This parameter defines whether the Service Manager server requires signed certificates from all incoming client requests.
#Enable this parameter to limit access to the Service Manager server to only those clients that present signed certificates.
#When enabled, clients can no longer connect to the Service Manager server using the server's certificate for anonymous SSL.
#Each client must have its own signed certificate.
#If you enable this parameter with the value ssl_reqClientAuth:2 then in addition to presenting client certificates,
#the server validates each client certificate against a list of trusted clients as defined by the trustedClientsJKS parameter.
#The server only allows connections from clients with certificates in the trusted clients list.
ssl_reqClientAuth:2
# SSL files and passwords
truststoreFile:cacerts
truststorePass:HPitsm_9
keystoreFile:w2k8r2x64ccrm.ccrm.bel.hp.keystore
keystorePass:HPitsm_9
ssl_trustedClientsJKS:trustedclients.jks
ssl_trustedClientsPwd:HPitsm_9
#####################################################################################
Note:
Be aware that by adding all these parameters in sm.ini, you will apply all these settings for all servlets.
If you still need access for a Windows client, you either generate SSL certificates for each client installation or you open an additional servlet in debugnode mode and add ssl:0 to disable SSL.
3.6.2Sm.cfg
Example setup:
# start a Service Manager LoadBalancer + servlets
# to avoid this error: "Please provide httpsPort or disable sslConnector",
# add sslConnector:0 to the LB instead of adding an extra unused httpsPort
sm -loadBalancer -httpPort:13080 -sslConnector:0
sm -httpPort:13081 –httpsPort:13433
sm -httpPort:13082 –httpsPort:13434
3.7Configure Tomcat
3.7.1Extraction webtier file
Make sure the Tomcat service is not running.
Rename the webtier war-file delivered with the official installation of Service Manager to “smbsc.war”. Deploy the war-file in the webapps-directory of Tomcat. Start Tomcat in order to have the war-file extracted in the webapps-directory.
After the “smbsc”-directory has been created; the Tomcat-service can be stopped again.
3.7.2Configure Tomcat's server.xml
The tomcatAuthentication="false" attribute supported by the AJP protocol connector tells Tomcat to not use its internal (primitive) authentication mechanism, but instead to use remote authentication provided by the front-end web server. This is also explained in http://tomcat.apache.org/tomcat-6.0-doc/config/ajp.html .
Disable tomcat authentication in server.xml for port 8009 (IIS redirects by default from 80 to 8009):
Go to the file “server.xml” in the conf-directory of the Tomcat installation.
Change the following settings:
To
tomcatAuthentication="false" enableLookups="false" protocol="AJP/1.3" redirectPort="8443" />
3.7.3Changes in HPSM’s web.xml
The web.xml-file is located in the WEB-INF-directory of the Service Manager web-container.
Change these settings to enable custom SSO:
Enable SSO:
isCustomAuthenticationUsed
true
to
isCustomAuthenticationUsed
false
isCustomAuthenticationUsed2: default is true (even if we use the OOTB authentication), put it on false when you enable SSO or LWSSO.
Enable SSL:
and the HP Service Manager server -->
ssl
false
to
ssl
true
secureLogin and sslPort
Be sure to set the secureLogin3 and sslPort4 parameters correctly. These settings don’t influence SSO. By default secureLogin is set to true and sslPort to 8443. Verify if your HTTP server (can be IIS, Apache or even Tomcat) is SSL enabled (using HTTPS), if not, set secureLogin to false.
Defaults are true and 8443
Enter the SSL certificate info:
but still needs a leading slash -->
cacerts
/WEB-INF/cacerts
for client authentication when using single sign-on, but not for a standard SSL connection. -->
but still needs a leading slash -->
keystore
/WEB-INF/.keystore
keystorePassword
clientkeystore
Enter the environment specific information:
serverHost
SERVER_FQDN
serverPort
13080
3.7.4Changes to HPSM’s application-context.xml
This file can be found in WEB-INF\classes and configure it like this:
Make sure the ‘preAuthenticationFilter’ is added to the string, this will activate the JAVA-bean necessary for the IWA based authentication.
-
Changes to log4j.properties.
This file can be found in WEB-INF and configure it like this:
log4j.rootLogger=info,R
#uncomment next line to output to console.
#log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
# Pattern to output the caller's file name and line number.
log4j.appender.stdout.layout.ConversionPattern=%5p [%t] (%F:%L) - %m%n
log4j.appender.R=org.apache.log4j.RollingFileAppender
log4j.appender.R.File=${catalina.base}/logs/smbsc.log
log4j.appender.R.MaxFileSize=2000KB
# Keep one backup file
log4j.appender.R.MaxBackupIndex=2
log4j.appender.R.layout=org.apache.log4j.PatternLayout
log4j.appender.R.layout.ConversionPattern=%p %t %c - %m%n
3.7.4.1extended log4j.properties
We propose to replace the default log4j.properties with the one described below. It offers debug parameters if needed and fixes timestamp writing in the log files.
Edit /WEB-INF/log4j.properties:
We’ve added some more debugging options, changed the log path and added timestamps to the lines recorded in the log files.
Content of log4j.properties:
log4j.rootLogger=info,R
## HP PSO: added by BDG: incase extensive debugging is needed
#log4j.rootLogger=debug,R
#uncomment next line to output to console.
#log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
# Pattern to output the caller's file name and line number.
## HP PSO: modified by BDG: added %d{HH:mm:ss,SSSS}
log4j.appender.stdout.layout.ConversionPattern=%d{HH:mm:ss,SSSS} %5p [%t] (%F:%L) - %m%n
log4j.appender.R=org.apache.log4j.RollingFileAppender
## HP PSO: modified by BDG
log4j.appender.R.File=/websphere/logs/scei_server/itsmsso.log
## HP PSO: modified by BDG: 100KB -> 20000KB
log4j.appender.R.MaxFileSize=20000KB
# Keep one backup file
## HP PSO: modified by BDG: 1 -> 2
log4j.appender.R.MaxBackupIndex=2
log4j.appender.R.layout=org.apache.log4j.PatternLayout
## HP PSO: modified by BDG: added %d{HH:mm:ss,SSSS}
log4j.appender.R.layout.ConversionPattern=%d{HH:mm:ss,SSSS} %p %t %c - %m%n
## HP PSO: added by BDG: incase extensive debugging is needed
#log4j.logger.com.hp.ov.sm.client.eclipse.web=DEBUG
#log4j.logger.com.hp.ov.cwc=DEBUG
#log4j.logger.org.acegisecurity=DEBUG
#log4j.logger.com.hp.sw.bto.ast.security=DEBUG
Share with your friends: |