Hp service Manager Single Sign On Implementation Integration with Integrated Windows Authentication
General HPSM web tier deployment tasks
Download 357.16 Kb.
|
- Navigate this page:
- 3.6Service Manager Configuration File Changes
- 3.7Configure Tomcat
3.5General HPSM web tier deployment tasks1. Back up your web.xml file, splash screen, style sheets, and any other customizations you made, including your webtier-X.YZ.war (.ear) file. 2. Delete or uninstall the existing webtier-X.YZ.war (.ear) file. Note: The "Update Application" function in WebSphere Application Server 6.x allows you to redeploy using a new copy of webtier-X.YZ.war (.ear). First, update the web.xml in the webtier-X.YZ.war (.ear) file, and then redo the shared library configuration. For more information, see the IBM WebSphere documentation. 3. Deploy the new webtier-X.YZ.war (.ear) file by following the instructions in the Service Manager Installation Guide. Note: It is best practice to deploy with a unique context root. For example: /webtier-9.21.168 /sm or /itsm 4. Replace the new versions of any files you customized with your customized versions. 5. Make any new customizations necessary for your deployment. Be sure to set the secureLogin and sslPort parameters and other SSO parameters 6. Restart the Application server. Note: Before accessing the new Web Tier, HP recommends that all users empty their browser cache. 7. Enable trustedsignon:1 in sm.ini and/or SSL settings if required on the HPSM application server and restart it. 3.6Service Manager Configuration File Changes3.6.1Sm.ini Changes
Example content that can be added to sm.ini: ##################################################################################### ### SSO & SSL parameters ## ********************************************** #This parameter defines whether servlet container processes have an HTTPS (SSL-encrypted HTTP) communications port available. #A servlet container process can only have one HTTPS port open at a time. #Servlet container processes can only use an HTTPS communications port if the sslConnector parameter is enabled. #This parameter requires the use of the httpsPort parameter. #It is best practice to place this parameter in the Service Manager initialization file so that #you enable or disable the HTTPS port for all servlet containers on the same system.
#This parameter defines whether the Service Manager server requires SSL connections from all incoming client requests. #Enable this parameter to require all clients to use SSL connections. #Unless you also require each client to have its own certificate, clients can connect to the server using anonymous SSL. #When enabled, clients that have their own certificates will use those certificates for SSL connections, while clients #without their own certificates will use the Service Manager server's certificate for SSL connections. ssl:1 # do not force ssl, it's an option, sslConnector will work when ssl certificates are used #This parameter defines whether trusted clients can log in to the Service Manager server without having to provide login information. #Enable this parameter to allow trusted clients to bypass the Service Manager login screen. #Users must already have logged on to a trusted authentication source for trusted sign-on to succeed. ## enable Single Sign-On and Trusted Sign-on without SSL trustedsignon:1 #This parameter defines whether the Service Manager server requires signed certificates from all incoming client requests. #Enable this parameter to limit access to the Service Manager server to only those clients that present signed certificates. #When enabled, clients can no longer connect to the Service Manager server using the server's certificate for anonymous SSL. #Each client must have its own signed certificate. #If you enable this parameter with the value ssl_reqClientAuth:2 then in addition to presenting client certificates, #the server validates each client certificate against a list of trusted clients as defined by the trustedClientsJKS parameter. #The server only allows connections from clients with certificates in the trusted clients list. ssl_reqClientAuth:2 # SSL files and passwords truststoreFile:cacerts truststorePass:HPitsm_9 keystoreFile:w2k8r2x64ccrm.ccrm.bel.hp.keystore keystorePass:HPitsm_9 ssl_trustedClientsJKS:trustedclients.jks ssl_trustedClientsPwd:HPitsm_9 ##################################################################################### Note: Be aware that by adding all these parameters in sm.ini, you will apply all these settings for all servlets. If you still need access for a Windows client, you either generate SSL certificates for each client installation or you open an additional servlet in debugnode mode and add ssl:0 to disable SSL. 3.6.2Sm.cfg Example setup:
# to avoid this error: "Please provide httpsPort or disable sslConnector", # add sslConnector:0 to the LB instead of adding an extra unused httpsPort
sm -httpPort:13082 –httpsPort:13434 3.7Configure Tomcat3.7.1Extraction webtier file Make sure the Tomcat service is not running. Rename the webtier war-file delivered with the official installation of Service Manager to “smbsc.war”. Deploy the war-file in the webapps-directory of Tomcat. Start Tomcat in order to have the war-file extracted in the webapps-directory. After the “smbsc”-directory has been created; the Tomcat-service can be stopped again.
The tomcatAuthentication="false" attribute supported by the AJP protocol connector tells Tomcat to not use its internal (primitive) authentication mechanism, but instead to use remote authentication provided by the front-end web server. This is also explained in http://tomcat.apache.org/tomcat-6.0-doc/config/ajp.html . Disable tomcat authentication in server.xml for port 8009 (IIS redirects by default from 80 to 8009): 
Go to the file “server.xml” in the conf-directory of the Tomcat installation. Change the following settings:
To
3.7.3Changes in HPSM’s web.xml The web.xml-file is located in the WEB-INF-directory of the Service Manager web-container. Change these settings to enable custom SSO: Enable SSO: 
isCustomAuthenticationUsed true
to
isCustomAuthenticationUsed false isCustomAuthenticationUsed2: default is true (even if we use the OOTB authentication), put it on false when you enable SSO or LWSSO. Enable SSL: 
and the HP Service Manager server --> ssl
false to
ssl
true secureLogin and sslPort Be sure to set the secureLogin3 and sslPort4 parameters correctly. These settings don’t influence SSO. By default secureLogin is set to true and sslPort to 8443. Verify if your HTTP server (can be IIS, Apache or even Tomcat) is SSL enabled (using HTTPS), if not, set secureLogin to false. 
Defaults are true and 8443 Enter the SSL certificate info: 
but still needs a leading slash --> cacerts /WEB-INF/cacerts for client authentication when using single sign-on, but not for a standard SSL connection. --> but still needs a leading slash -->
keystore
/WEB-INF/ keystorePassword clientkeystore Enter the environment specific information: 
serverHost SERVER_FQDN serverPort 13080 3.7.4Changes to HPSM’s application-context.xml This file can be found in WEB-INF\classes and configure it like this: 
Make sure the ‘preAuthenticationFilter’ is added to the string, this will activate the JAVA-bean necessary for the IWA based authentication.
This file can be found in WEB-INF and configure it like this: log4j.rootLogger=info,R #uncomment next line to output to console. #log4j.appender.stdout=org.apache.log4j.ConsoleAppender log4j.appender.stdout.layout=org.apache.log4j.PatternLayout # Pattern to output the caller's file name and line number. log4j.appender.stdout.layout.ConversionPattern=%5p [%t] (%F:%L) - %m%n log4j.appender.R=org.apache.log4j.RollingFileAppender log4j.appender.R.File=${catalina.base}/logs/smbsc.log log4j.appender.R.MaxFileSize=2000KB # Keep one backup file log4j.appender.R.MaxBackupIndex=2 log4j.appender.R.layout=org.apache.log4j.PatternLayout log4j.appender.R.layout.ConversionPattern=%p %t %c - %m%n 3.7.4.1extended log4j.properties We propose to replace the default log4j.properties with the one described below. It offers debug parameters if needed and fixes timestamp writing in the log files. Edit 
We’ve added some more debugging options, changed the log path and added timestamps to the lines recorded in the log files. 
Content of log4j.properties: log4j.rootLogger=info,R ## HP PSO: added by BDG: incase extensive debugging is needed #log4j.rootLogger=debug,R
#log4j.appender.stdout=org.apache.log4j.ConsoleAppender log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
## HP PSO: modified by BDG: added %d{HH:mm:ss,SSSS} log4j.appender.stdout.layout.ConversionPattern=%d{HH:mm:ss,SSSS} %5p [%t] (%F:%L) - %m%n
## HP PSO: modified by BDG log4j.appender.R.File=/websphere/logs/scei_server/itsmsso.log
log4j.appender.R.MaxFileSize=20000KB # Keep one backup file ## HP PSO: modified by BDG: 1 -> 2 log4j.appender.R.MaxBackupIndex=2
## HP PSO: modified by BDG: added %d{HH:mm:ss,SSSS} log4j.appender.R.layout.ConversionPattern=%d{HH:mm:ss,SSSS} %p %t %c - %m%n
#log4j.logger.com.hp.ov.sm.client.eclipse.web=DEBUG #log4j.logger.com.hp.ov.cwc=DEBUG #log4j.logger.org.acegisecurity=DEBUG #log4j.logger.com.hp.sw.bto.ast.security=DEBUG
Directory: hpeb -> attachments -> hpeb hpeb -> Asset Manager Web installation detailed steps hpeb -> Installing the Linux Client System hpeb -> Deploy Operating System toolbar button hpeb -> Pcm-04. 00. 00. 1609-x64. exe Download 357.16 Kb. Share with your friends:
|