BMC Atrium Single Sign-On 8.1
Date: 16-Jan-2014 15:56
Table of Contents
1 Featured content ... 12
2 About BMC Atrium Single Sign-On ... 12
3 What's new ... 12
3.1 Version 8.1.00 ... 14
3.1.1 Redesigned user interface ... 15
3.1.2 Predefined authentication module ... 15
3.1.3 New utility to simplify BMC Atrium Single Sign-On and AR System integration ... 15
3.1.4 BMC Atrium Orchestrator Platform integration ... 16
3.1.5 Click jacking prevention ... 16
3.2 License entitlements ... 16
3.3 Service packs and patches ... 17
3.3.1 Patch 3 for version 8.1.00: 8.1.00.03 ... 17
3.3.2 Patch 2 for version 8.1.00: 8.1.00.02 ... 18
3.3.3 Patch 1 for version 8.1.00: 8.1.00.01 ... 19
3.4 Documentation updates after release ... 20
3.4.1 Added BMC Mobility integration documentation ... 20
3.4.2 Added BMC EUEM integration documentation ... 20
4 Key concepts ... 20
4.1 BMC Atrium Single Sign-On architecture ... 21
4.2 BMC Atrium Single Sign-On and OpenAM ... 22
4.2.1 OpenAM technologies ... 22
4.2.2 Atrium Single Sign-On user console access ... 23
4.3 Administrator password ... 23
4.4 Default cookie domain ... 23
4.5 Log on and log off behavior ... 24
4.6 Certificates ... 25
4.6.1 Certificate Signing Request ... 25
4.6.2 New CA certificates ... 26
4.6.3 Related topics ... 26
4.7 Authentication chaining ... 26
4.7.1 Authentication chaining example ... 27
4.8 High Availability deployment ... 28
4.9 JEE filter-based agents ... 29
5 Planning ... 29
5.1 Checking the compatibility matrix for system requirements and supported configurations ... 30
5.1.1 To access the compatibility matrixes ... 30
5.3.1 Business value ... 32
5.3.2 Federated authentication and SAML ... 32
5.3.3 Deployment architecture ... 33
5.3.4 Deployment model ... 35
5.3.5 Deployment tasks ... 37
5.3.6 Deployment parameters ... 38
5.3.7 Related topics ... 40
6 Installing ... 40
6.1 Preparing for installation ... 42
6.1.1 Prerequisites for installation ... 42
6.1.2 Downloading the installation files ... 44
6.2 Installation options ... 48
6.3 Configuring Terminal Services and DEP parameters ... 48
6.3.1 To update Terminal Services configuration options for Windows Server 2008 ... 48
6.4 Installing BMC Atrium Single Sign-On as a standalone ... 50
6.4.1 Before you begin ... 51
6.4.2 To install BMC Atrium Single Sign-On as a standalone ... 51
6.4.3 Where to go from here ... 54
6.5 Installing BMC Atrium Single Sign-On as a High Availability cluster ... 55
6.5.1 HA prerequisites ... 56
6.5.2 HA pre-installation tasks ... 56
6.5.3 To install BMC Atrium Single Sign-On as an HA cluster ... 56
6.5.4 HA post-installation activities ... 57
6.5.5 Installing the first node for an HA cluster on a new Tomcat server ... 57
6.5.6 Installing additional nodes for an HA cluster on a new Tomcat server ... 63
6.5.7 Installing the first node for an HA cluster on an external Tomcat server ... 68
6.5.8 Installing additional nodes for an HA cluster on an external Tomcat server ... 70
6.6 Installing BMC Atrium Single Sign-On on an external Tomcat server ... 72
6.6.1 Before you begin ... 73
6.6.2 To install BMC Atrium Single Sign-On on an external Tomcat server ... 73
6.6.3 Where to go from here ... 74
6.6.4 Policy file additions for external Tomcat installations ... 75
6.6.5 JVM parameter additions for external Tomcat installations ... 76
6.6.6 Configuring an external Tomcat instance for FIPS-140 ... 76
6.6.7 Configuring a JVM for the Tomcat Server ... 77
6.6.8 Setting an HTTPS connection ... 78
6.7 Installing BMC Atrium Single Sign-On with the AR System server and Mid Tier ... 79
6.7.1 Installing video ... 80
6.7.2 Overview of installation steps ... 80
6.7.3 Related topics ... 81
6.7.4 Installing BMC Atrium Single Sign-On ... 81
6.7.5 Installing or upgrading AR System server ... 84
6.7.6 Installing or upgrading BMC Remedy Mid Tier ... 86
6.7.7 Running the SSOARIntegration utility on the AR System server ... 88
6.7.8 Reviewing AR server external authentication settings and configuring group mapping ... 91
6.7.9 Running the SSOMidtierIntegration utility on the Mid Tier ... 92
6.7.10 Managing the AR System users and groups for authentication ... 97
6.7.11 Running a health check on the BMC Atrium Single Sign-On installation ... 109
6.8 Installing silently ... 112
6.8.1 Running the installer in silent mode ... 114
6.8.2 Uninstalling in silent mode ... 114
6.8.3 Example options.txt file ... 114
6.9 Uninstalling BMC Atrium Single Sign-On ... 117
6.9.1 Running the uninstaller on Windows ... 117
6.9.2 Running the uninstaller on Solaris or Linux ... 117
6.9.3 Invocation error during uninstallation ... 118
7 Configuring after installation ... 119
7.1 To set up a method for authentication ... 120
7.2 SAMLv2 authentication ... 121
7.3 Predefined authentication module ... 121
7.4 User Profile panel ... 122
7.5 Authentication chaining ... 122
7.6 Authentication chaining flags ... 122
7.7 Where to go from here ... 122
7.8 Using AR for authentication ... 122
7.8.1 Before you begin ... 123
7.8.2 To configure an AR module ... 123
7.8.3 To configure an AR user store ... 124
7.9 Using CAC for authentication ... 126
7.9.1 CAC certificate usage ... 126
7.9.2 To set up CAC to use for authentication ... 127
7.9.3 Modify the Tomcat server ... 127
7.9.4 Import DoD CA certificates ... 128
7.9.5 To import certificates ... 128
7.9.6 Set up CAC certificates ... 129
7.9.7 If using OCSP, enable OCSP for the server ... 131
7.9.8 Where to go from here ... 131
7.9.9 Related topics ... 132
7.10 Using Kerberos for authentication ... 132
7.10.1 Configuring Kerberos video ... 133
7.10.2 Before you begin ... 133
7.10.3 To set up Kerberos to use for authentication ... 133
7.10.4 Where to go from here ... 133
7.10.5 Generating a keytab for the service principal and mapping the Kerberos service name ... 134
7.11 Using LDAP (Active Directory) for authentication ... 138
7.11.1 Before you begin ... 139
7.11.2 To set up LDAP (AD) for authentication ... 139
7.11.3 LDAP (AD) parameters ... 139
7.11.4 Where to go from here ... 141
7.12 Using RSA SecurID for authentication ... 141
7.12.1 To configure the SecurID module ... 141
7.12.2 SecurID parameters ... 142
7.12.3 To modify the rsa_api.properties file ... 142
7.12.4 Where to go from here ... 143
7.13 Using SAMLv2 for authentication ... 143
7.13.1 Configuring SAML V2 video ... 144
7.13.2 SAMLv2 configuration options ... 144
7.13.3 SAMLv2 implementation ... 144
7.13.4 Typical SAMLv2 deployment ... 145
7.13.5 Typical SAMLv2 deployment architecture ... 145
7.13.6 Related topics ... 146
7.13.7 Configuring BMC Atrium Single Sign-On as an SP ... 146
7.13.8 Configuring BMC Atrium Single Sign-On as an IdP ... 153
7.13.9 Federating user accounts in bulk ... 157
8 Upgrading ... 165
8.1 To upgrade BMC Atrium Single Sign-On ... 166
8.2 To upgrade BMC Atrium Single Sign-On in silent mode ... 166
8.3 Preparing to upgrade BMC Analytics for BSM ... 166
8.3.1 To remove the J2EE agent for BMC Analytics for BSM ... 166
8.4 Upgrading HA nodes ... 167
8.4.1 To upgrade HA nodes ... 167
9 Integrating ... 168
9.1 Integrating BMC Atrium Single Sign-On with AR System Version 8.0.00 ... 169
9.1.1 Configuring external authentication for AR System integration ... 170
9.1.2 Installing BMC Atrium Single Sign-On for AR System integration ... 171
9.1.3 Configuring BMC Atrium Single Sign-On for integration ... 173
9.1.4 Manually configuring mid tier for BMC Atrium Single Sign-On user authentication ... 176
9.1.5 Configuring the BMC Atrium Single Sign-On server for AR System integration ... 183
9.1.6 Running a health check on the BMC Atrium Single Sign-On integration ... 195
9.2 Integrating BMC Dashboards for BSM ... 198
9.2.1 Before you begin ... 198
9.2.2 To integrate BMC Dashboards for BSM ... 199
9.3 Integrating BMC Analytics for BSM ... 199
9.3.1 Before you begin ... 199
9.3.2 To integrate BMC Analytics for BSM ... 200
9.4 Integrating BMC ProactiveNet ... 200
9.4.1 Before you begin ... 200
9.4.2 To integrate BMC ProactiveNet during installation ... 201
9.4.3 To integrate BMC ProactiveNet after installation ... 201
9.4.4 To define users and groups ... 202
9.4.5 To create new users ... 202
9.4.6 To assign users to user groups ... 203
9.4.7 To clean up Web Agent entries when the BMC ProactiveNet Server is uninstalled ... 203
9.5 Integrating BMC IT Business Management Suite ... 204
9.5.1 Before you begin ... 204
9.5.2 To integrate BMC IT Business Management Suite ... 204
9.6 Integrating BMC ITBM and WebSphere application server ... 205
9.6.1 Before you begin ... 205
9.6.2 To configure the WebSphere application server to work with the BMC Atrium Single Sign-On server ... 205
9.7 Integrating BMC Capacity Optimization ... 207
9.7.1 Before you begin ... 208
9.7.2 To integrate BMC Capacity Optimization ... 208
9.8 Integrating BMC Atrium Orchestrator Platform ... 209
9.8.1 Before you begin ... 210
9.8.2 BMC Atrium Orchestrator Platform installation worksheet ... 210
9.8.3 Where to go from here ... 212
9.9 Integrating BMC Real End User Experience Monitoring ... 212
9.9.1 Preparing BMC Atrium SSO server for integration ... 212
9.9.2 Preparing the Console component for the BMC Atrium SSO integration ... 212
9.10 Integrating BMC Mobility for ITSM 8.1.00 ... 212
9.10.1 Before you begin ... 212
9.10.2 Limitations ... 213
9.10.3 Integrating BMC Mobility to support SAML authentication ... 213
9.10.4 Related Topics ... 214
10 Using ... 214
10.1 Navigating the interface ... 215
10.1.1 Editor options ... 215
10.1.2 Status panel ... 215
10.1.3 BMC Realm panel ... 216
10.1.4 Sessions panel ... 216
10.1.5 Realm Editor ... 216
10.1.6 Agent manager ... 233
10.1.7 HA Nodes manager ... 234
10.1.8 Server Configuration Editor ... 237
10.2 Managing keystores with a keytool utility ... 239
10.2.1 Creating new keystores ... 240
10.2.2 Using the keytool utility ... 241
10.2.5 Generating self-signed certificates ... 249
10.2.6 Checking the truststore for certificates ... 250
10.3 Configuring FIPS-140 mode ... 251
10.3.1 Converting to FIPS-140 mode ... 251
10.3.2 Monitoring FIPS-140 and normal mode conversions ... 256
10.3.3 Changing FIPS-140 network ciphers ... 257
10.3.4 Converting from FIPS-140 to normal mode ... 258
10.4 Using an external LDAP user store ... 260
10.4.1 To create an external LDAP user store ... 261
10.4.2 To modify an existing external LDAP user store ... 261
10.4.3 LDAPv3 User Store parameters ... 261
10.4.4 General tab ... 261
10.4.5 Search tab ... 262
11 Administering ... 263
11.1 Managing users ... 264
11.1.1 To access the User page ... 265
11.1.2 To add a new user ... 265
11.1.3 To search for users ... 266
11.1.4 To delete users ... 266
11.1.5 To modify user information ... 266
11.1.6 To enable or disable a user account ... 266
11.1.7 To add a group membership to a user account ... 267
11.1.8 To remove a group membership from a user account ... 267
11.1.9 To view user sessions ... 267
11.1.10 To terminate an active user session ... 268
11.2 Managing user groups ... 268
11.2.1 To access the Group page ... 269
11.2.2 To create a new group ... 269
11.2.3 To delete a group ... 269
11.2.4 To assign a group membership ... 270
11.2.5 To remove users from a group ... 270
11.3 Managing authentication modules ... 271
11.3.1 To manage authentication modules ... 271
11.3.2 To create a new module ... 271
11.3.3 To edit a module ... 271
11.3.4 To delete a module ... 272
11.3.5 To change the criteria for a module ... 272
11.3.6 To reorder the modules in a chain ... 272
11.4 Managing nodes in a cluster ... 273
11.4.1 To modify the server configuration on a node ... 273
11.4.2 To delete a node from the cluster ... 273
11.4.3 Resynchronizing nodes in a cluster ... 273
11.4.4 Starting nodes in a cluster ... 274
11.4.5 Stopping nodes in a cluster ... 274
11.5 Managing agents ... 275
11.5.1 To edit an agent account ... 275
11.5.2 To delete an agent account ... 275
11.6 Managing the server configuration ... 276
11.6.1 To modify the server configuration ... 276
11.6.2 Server configuration parameters ... 276
11.6.3 Server Configuration Editor parameters ... 276
11.6.4 HTTP Only and HTTPS Only ... 277
11.6.5 Session parameter defaults ... 278
11.7 Stopping and restarting the BMC Atrium Single Sign-On server ... 279
11.7.1 Stopping and restarting on Windows ... 279
11.7.2 Stopping and restarting on UNIX or Linux ... 279
12 Troubleshooting ... 279
12.1 Collecting diagnostics ... 281
12.1.1 To run the support utility ... 282
12.1.2 Support utility location ... 282
12.1.3 Log file locations ... 282
12.1.4 Using BMC Atrium Single Sign-On for logging ... 284
12.2 Working with error messages ... 285
12.3 Logon and logoff issues ... 316
12.3.1 Automatic IdP logon behavior ... 316
12.3.2 URL re-direct issues ... 316
12.4 Upgrading from 7.6.04 to 8.1 silent installation issue ... 317
12.4.1 Upgrading without specifying the host name ... 319
12.4.2 Upgrading by re-defining the host name ... 319
12.5 Troubleshooting AR authentication ... 320
12.5.1 User has no profile in this organization ... 320
12.5.2 Error saving user or group edits ... 321
12.5.3 Error in SAML Authentication when Auto Federation is enabled ... 321
12.6 Troubleshooting AR System server and Mid Tier integrations ... 321
12.6.1 Manually running the SSOARIntegration utility on the AR System server ... 321
12.6.2 Manually running the SSOMidtierIntegration utility on the AR System server ... 323
12.7 Troubleshooting CAC authentication ... 326
12.7.1 Example of a default logging level error ... 327
12.7.2 Example of a debug log error when a certificate is not available ... 327
12.7.3 Changing the clientAuth setting ... 328
12.7.4 Turning on network debug logging ... 328
12.7.5 Example of a client not responding with a certificate ... 329
12.7.6 Example of a client sending a certificate ... 329
12.7.7 Example of a list of certificates sent to the client ... 330
12.7.10 Clock skew too great for CAC authentication ... 331
12.8 Troubleshooting FIPS-140 conversion ... 331
12.9 Troubleshooting JEE agents ... 331
12.9.1 To remove a JEE agent from BMC Atrium Single Sign-On ... 332
12.9.2 To remove a JEE agent from WebSphere ... 332
12.9.3 To remove a JEE agent from Tomcat ... 332
12.9.4 To remove a JEE agent from JBoss or WebLogic ... 333
12.10 Troubleshooting Kerberos authentication ... 333
12.10.1 Invalid user name for Kerberos authentication ... 334
12.10.2 Invalid service principal name for Kerberos authentication ... 334
12.10.3 Invalid keytab index number for Kerberos authentication ... 335
12.10.4 Invalid password for Kerberos authentication ... 335
12.10.5 Incorrect server name for Kerberos authentication ... 335
12.10.6 Browser sending NTLM instead of Kerberos ... 336
12.10.7 Browser not correctly configured for Kerberos authentication ... 337
12.10.8 Clock skew too great for Kerberos authentication ... 338
12.10.9 Chained authentication failure in Microsoft Internet Explorer ... 338
12.11 Troubleshooting an external LDAP user store ... 339
12.11.1 No users in User tab ... 339
12.11.2 No groups in Group tab ... 339
12.12 Troubleshooting SAMLv2 ... 340
12.12.1 IdP metadata issues ... 341
12.12.2 SAMLv2 keystore issues ... 341
12.12.3 Metadata issues ... 342
12.12.4 Certificate issues ... 342
12.13 Troubleshooting redirect URLs ... 343
12.13.1 Modifying the load balancer (or reverse proxy) for redirect URLs ... 343
12.13.2 Using load balancer (or reverse proxy) host names for redirect URLs ... 344
12.13.3 Cookie name change for a HA node ... 344
12.14 Session sharing in HA mode issue ... 345
12.14.1 To configure point-to-point sessions sharing ... 345
12.15 Troubleshooting installation or upgrade issues ... 346
12.16 Resolving installation issues on LINUX operating system ... 346
12.16.1 Installation failure due to missing libraries ... 346
12.16.2 Installation failure due to low level of entropy ... 346
13 Known and corrected issues ... 347
13.1 Installation and upgrade issues ... 348
13.2 Other issues ... 350
14 Support information ... 351
14.1 Contacting Customer Support ... 351
14.2 Support status ... 351
15 PDFs ... 352
16 Tracking tools ... 353
16.1 Comments dashboard ... 353
16.2 Pages without labels in this space ... 363
16.3 Technical Bulletin SW00448553 ... 369
16.3.1 BMC Atrium Single Sign-On ... 369
16.3.2 Issue ... 369
16.3.3 Workaround procedure ... 369
16.3.4 Workaround scripts ... 370
16.3.5 Where to get the latest product information ... 372
16.4 Enabling multiple realms ... 372
16.4.1 Realm panel ... 373
16.4.2 To enable multiple realms ... 374
16.4.3 To create a new realm ... 374
16.5 Configuring multi-tenancy support ... 374
16.5.1 Configuring multi-tenancy support ... 375
16.6 Overview steps to install and configure HA Load-Balancing environment with SSO ... 378
16.7 Number of pages in space ... 383
16.8 Installing and managing certificates in BMC Atrium SSO ... 383
16.8.1 Installing certificates on a standalone server ... 383
16.8.2 Installing certificates in HA load balancing environment ... 383
16.8.3 Importing a certificate into keystore.p12 ... 383
16.8.4 Importing a certificate into cacerts.p12 ... 383
16.8.5 Finding intermediate CA ... 383
16.8.6 Importing certificate chains and intermediate certificates ... 383
16.9 Installing certificates after integration with other BMC products ... 383
17 Index ... 384
This space contains information about the BMC Atrium Single Sign-On 8.1 release.
1 Featured content
For information about Patch 1 for 8.1.00, see Patch 1 for version 8.1.00: 8.1.00.01 (see page 19). For information about Patch 2 for 8.1.00, see Patch 2 for version 8.1.00: 8.1.00.02 (see page 18). For information about Patch 3 for 8.1.00, see Patch 3 for version 8.1.00: 8.1.00.03 (see page 17).
For Patch 1 for 8.1.00, BMC Atrium Orchestrator Platform version 7.7.00 integrates with BMC Atrium Single Sign-On. See Integrating BMC Atrium Orchestrator Platform (see page 209) and the BMC Atrium Orchestrator Platform online documentation.
To understand enhancements for this release, see Version 8.1.00.
To understand key concepts associated with BMC Atrium Single Sign-On, see Key concepts (see page 20). To review a high level end-to-end procedure, see End-to-end BMC Atrium Single Sign-On process. To review an end-to-end deployment example for BMC Remedy AR System and the mid tier using SAMLv2 authentication, see BMC Atrium Single Sign-On using SAMLv2 deployment example (see page 31).
To review an end-to-end deployment for BMC Remedy AR System and the mid tier using AR authentication, see Installing BMC Atrium Single Sign-On with the AR System server and Mid Tier (see page 79).
2 About BMC Atrium Single Sign-On
BMC Atrium Single Sign-On is an authentication system that supports many authentication protocols and
provides single sign-on and single sign-off for users of BMC products. BMC Atrium Single Sign-On allows users to present credentials only once for authentication and subsequently be automatically authenticated by every BMC product that is integrated into the system.
Using these authentication methods requires that you have already installed the BMC Atrium Single Sign-On server and configured it against an authentication source such as LDAP, RSA SecurID, or another supported system. BMC Atrium Single Sign-On not only supports authentication against traditional directories such as LDAP or Active Directory, it also integrates with existing single sign-on systems. It is the central integration point between BMC products and the local enterprise authentication systems.
3 What's new
This section provides information about what is new or changed in this space, including resolved issues, documentation updates, maintenance releases, service packs, and patches. It also provides license entitlement information for the release.
Tip
To stay informed of changes to this space, place a watch on this page.
The following updates have been added since the release of the space:

Date: July 5, 2013
Title: Patch 3 for version 8.1.00: 8.1.00.03 (see page 17)
Summary: Patch 3 for version 8.1.00 provides the following updates:
HTTP Only and HTTPS Only (see page 238): The Server Configuration Editor provides two new options, HTTP Only and HTTPS Only.
Security tab: The Security tab provides the Login Failure Lockout and Valid Forwarding Domains features.
UserId Format (see page 227): The Kerberos Editor provides an option for modifying the UserId format.
Starting with this release, BMC Atrium Single Sign-On protects against clickjacking by preventing its web pages from being embedded within another frame. Clickjacking tricks a user into clicking on an element of a hidden or transparent frame while the user believes they are clicking on a legitimate page; the click can reveal confidential information to the attacker or perform an action as the user.

Title: Patch 2 for version 8.1.00: 8.1.00.02 (see page 18)
Summary: Patch 2 for version 8.1.00 provides the following updates:
Configuring BMC Atrium SSO in FIPS-140 Mode (see page 251)

Title: Patch 1 for version 8.1.00: 8.1.00.01 (see page 19)
Summary: Patch 1 for version 8.1.00 provides fixes related to BMC Atrium Single Sign-On integration with BMC Atrium Orchestrator 7.7 and other BMC products.

Title: Version 8.1.00
Summary: Version 8.1.00 (2013.02) provides the following features:
Redesigned user interface
Predefined authentication module
New utility to simplify BMC Atrium Single Sign-On and AR System integration
BMC Atrium Orchestrator Platform integration
To obtain a full space export of the BMC Atrium Single Sign-On, see PDFs (see page 352)
Three new videos are now uploaded to our online documentation from the February 14, 2013 BMC Software Webinars 2013 – Atrium Single Sign-On (Atrium SSO):
Installing BMC Atrium Single Sign-On with the AR System server and Mid Tier (see page 79) provides a high-level overview as well as important tips.
Using SAMLv2 for authentication describes how to configure SAML V2.
Using Kerberos for authentication (see page 132) describes how to configure BMC Atrium SSO to leverage Kerberos.
3.1 Version 8.1.00
BMC Atrium Single Sign-On 8.1 includes the following enhancements.
Redesigned user interface (see page 15)
Predefined authentication module (see page 15)
New utility to simplify BMC Atrium Single Sign-On and AR System integration (see page 15)
BMC Atrium Orchestrator Platform integration (see page 16)
Click jacking prevention (see page 16)
Tip
Version 8.1.00 was released shortly after version 8.0.00, a major release that contained significantly more enhancements. If you are considering an upgrade from a version prior to 8.0.00, you might be interested in seeing the enhancements listed in the documentation for version 8.0.00.
3.1.1 Redesigned user interface
BMC Atrium Single Sign-On 8.1 has a completely redesigned user interface. This redesign affects the majority of the BMC Atrium Single Sign-On documentation.
The following image shows the BMC Atrium SSO Admin Console:
3.1.2 Predefined authentication module
To help with the configuration of BMC Atrium Single Sign-On, a predefined Internal LDAP authentication module is provided. This predefined authentication module allows you to quickly configure your system. The Internal LDAP authentication module uses the internal LDAP server as an authentication source in the authentication chain and does not have parameters to configure.
For more information about the Internal LDAP module, see Configuring after installation.
3.1.3 New utility to simplify BMC Atrium Single Sign-On and AR System integration
The Single Sign-On integration has been removed from the AR System installer. As a result, you no longer have to follow the error-prone manual steps that were previously needed if you chose to integrate BMC Atrium Single Sign-On after installing the AR System server and Mid Tier.
You use the same utility to integrate both the AR System server and the Mid Tier, with slightly different inputs for each. For more information, see Installing BMC Atrium Single Sign-On with the AR System server and Mid Tier (see page 79).
3.1.4 BMC Atrium Orchestrator Platform integration
With this release, BMC Atrium Orchestrator Platform 7.7 uses the BMC Atrium Single Sign-On 8.1.00 (Patch 1 or later) authentication system to provide single sign-on and single sign-off. For more information about BMC Atrium Orchestrator Platform 7.7, see the BMC Atrium Orchestrator Platform 7.7 online documentation. For more information about integrating BMC Atrium Orchestrator Platform 7.7 with BMC Atrium Single Sign-On, see Integrating BMC Atrium Orchestrator Platform (see page 209).
3.1.5 Click jacking prevention
With Patch 3 for version 8.1.00: 8.1.00.03 (see page 17) click jacking prevention is added.
3.2 License entitlements
This topic explains the entitlements that apply to licenses you purchase from BMC Software. For information about restrictions to those licenses, please see your Product Order Form.
Note
You can download the components mentioned herein from the Electronic Product Distribution website. Use the same user name and password that you use to access the Customer Support website.
If you do not have a current license for the components you want, contact a BMC sales representative by calling 800 793 4262. If you cannot download the components, contact a sales representative and ask for a physical kit to be shipped to you.
BMC Atrium Single Sign-On is certified on the configurations explicitly stated in this document. Configurations not listed might still operate properly and so customers can choose to run in a configuration not listed as supported. Such configurations would be considered "unconfirmed". BMC will accept issues reported in
unconfirmed configurations but we reserve the right to request customer assistance in problem determination, including recreating the problem on a supported configuration.
Reported defects either found to be unique to an unconfirmed configuration or not reproducible within a supported environment will be addressed at the discretion of BMC. Defects requiring time and resources beyond
commercially reasonable effort might not be addressed. If a configuration is found to be incompatible with BMC Atrium Single Sign-On, support for that configuration will be specifically documented as not supported (or unsupported). Visit the Customization Policy under the Support Contacts & Policies link on the BMC support website.
3.3 Service packs and patches
This section contains information about service packs and patches for BMC Atrium Single Sign-On.
Patch 3 for version 8.1.00: 8.1.00.03 (see page 17)
Patch 2 for version 8.1.00: 8.1.00.02 (see page 18)
Patch 1 for version 8.1.00: 8.1.00.01 (see page 19)
3.3.1 Patch 3 for version 8.1.00: 8.1.00.03
This topic contains information about fixes in BMC Atrium Single Sign-On 8.1.00 Patch 3 (8.1.00.03) and provides instructions for downloading and installing the patch. It is organized as follows:
Corrected issues (see page 17)
Installing the patch (see page 17)
Note
BMC Atrium Orchestrator Platform 7.7 must use BMC Atrium Single Sign-On 8.1.00 Patch 1 or later.
Corrected issues
To learn about issues corrected in Patch 3 (8.1.00.03), see Known and Corrected issues. Click the Corrected in column heading to sort the table by version.
Patch 3 also includes the fixes from Patch 2 and Patch 1 for version 8.1.00.
Installing the patch
Patch 3 for BMC Atrium Single Sign-On 8.1.00 (8.1.00.03) is a full installation. You can download the 8.1.00.03 installation files from the Licensed Products tab on the BMC Electronic Product Distribution (EPD) site and perform your normal installation. For instructions about downloading the files that you need for installation, see Downloading the installation files (see page 44).
To install BMC Atrium Single Sign-On 8.1.00 Patch 3, see Installing (see page 40). To perform a silent installation, see Installing silently (see page 112).
To upgrade to BMC Atrium Single Sign-On 8.1.00 Patch 3 from an earlier version (8.1.00 or 8.1.00.01 or 8.1.00.02), see Upgrading.
3.3.2 Patch 2 for version 8.1.00: 8.1.00.02
This topic contains information about fixes in BMC Atrium Single Sign-On 8.1.00 Patch 2 (8.1.00.02), and provides instructions for downloading and installing the patch. It is organized as follows:
Note
BMC Atrium Single Sign-On 8.1.00 Patch 2 (8.1.00.02) has been replaced with Patch 3 (8.1.00.03) and can no longer be downloaded from the BMC Electronic Product Distribution (EPD) site. Patch 3 is a full installation and includes the fixes that were available in Patch 1 (8.1.00.01) and Patch 2 (8.1.00.02). For information about downloading and installing BMC Atrium Single Sign-On 8.1.00 Patch 3, see Patch 3 for version 8.1.00: 8.1.00.03 (see page 17).
Corrected issues (see page 18)
Installing the patch (see page 18)
Note
BMC Atrium Orchestrator Platform 7.7 must use BMC Atrium Single Sign-On 8.1.00 Patch 1 or later.
Corrected issues
To learn about the issues corrected in Patch 2 (8.1.00.02), see Known and corrected issues. Click the Corrected in column heading to sort the table by version.
Installing the patch
BMC Atrium Single Sign-On Patch 2 features are included in the BMC Atrium Single Sign-On Patch 3 installation. You can download the 8.1.00.03 installation files from the Licensed Products tab on the BMC Electronic Product Distribution (EPD) site and perform your normal installation. For instructions about downloading the files that you need for installation, see Downloading the installation files (see page 44).
Recommendation
To install BMC Atrium Single Sign-On 8.1, see Installing (see page 40). To perform a silent installation, see Installing silently (see page 112).
To upgrade to BMC Atrium Single Sign-On 8.1.00 Patch 2 from an earlier version (8.1.00 or 8.1.00.01), see Upgrading.
3.3.3 Patch 1 for version 8.1.00: 8.1.00.01
This topic contains information about fixes in BMC Atrium Single Sign-On 8.1.00 Patch 1 (8.1.00.01), and provides instructions for downloading and installing the patch.
Note
BMC Atrium Single Sign-On 8.1.00 Patch 1 (8.1.00.01) has been replaced with Patch 3 (8.1.00.03) and can no longer be downloaded from the BMC Electronic Product Distribution (EPD) site. Patch 3 is a full installation and includes the fixes that were available in Patch 1 (8.1.00.01). For information about downloading and installing BMC Atrium Single Sign-On 8.1.00 Patch 3, see Patch 3 for version 8.1.00: 8.1.00.03 (see page 17).
The following topics are provided:
Corrected issues (see page 19)
Installing the patch (see page 19)
Note
BMC Atrium Orchestrator Platform 7.7 must use BMC Atrium Single Sign-On 8.1 Patch 1 or later.
Corrected issues
To learn about the issues corrected in Patch 1 (8.1.00.01), see Known and corrected issues. Click the Corrected in column heading to sort the table by version.
Installing the patch
BMC Atrium Single Sign-On Patch 1 features are included in the BMC Atrium Single Sign-On Patch 3 installation. You can download the 8.1.00.03 installation files from the Licensed Products tab on the BMC Electronic Product Distribution (EPD) site and perform your normal installation. For instructions about downloading the files that you need for installation, see Downloading the installation files (see page 44).
Back up BMC Atrium Single Sign-On before proceeding with the patch installation.
To install BMC Atrium Single Sign-On 8.1, see Installing (see page 40). To perform a silent installation, see Installing silently (see page 112).
3.4 Documentation updates after release
This topic contains information about documentation updates for BMC Atrium Single Sign-On that are not related to urgent issues, maintenance releases, service packs, or patches. These updates are added to the documentation independent of any specific release.
Added BMC Mobility integration documentation (see page 20)
Added BMC EUEM integration documentation (see page 20)
3.4.1 Added BMC Mobility integration documentation
You can integrate BMC Atrium Single Sign-On with BMC Mobility for supporting Security Assertion Markup Language (SAML). The typical process for integrating BMC Atrium Single Sign-On with BMC Remedy IT Service Management (ITSM) is to install BMC Atrium Single Sign-On, install BMC Remedy ITSM, and then integrate Atrium SSO with ITSM. For more information, see Integrating BMC Mobility for ITSM 8.1.00 (see page 212).
3.4.2 Added BMC EUEM integration documentation
BMC Real End User Experience Monitoring (EUEM) uses the BMC Atrium Single Sign-On (SSO) authentication system to provide single sign-on and single sign-off. BMC Atrium Single Sign-On allows users to present credentials only once for authentication and subsequently be automatically authenticated by every BMC product that is integrated into the system. For more information, see Integrating BMC Real End User Experience Monitoring (see page 212).
4 Key concepts
BMC contributors content
For additional information, you can also refer to the webinar conducted by BMC Support. You can also connect with other users for related discussions on the BMC Community.
Use this section to get high-level conceptual knowledge that helps you to use the BMC Atrium Single Sign-On product.
BMC Atrium Single Sign-On architecture
BMC Atrium Single Sign-On and OpenAM (see page 22)
Administrator password
Default cookie domain
Log on and log off behavior (see page 24)
Certificates
Authentication chaining
High Availability deployment
JEE filter-based agents
4.1 BMC Atrium Single Sign-On architecture
The benefit to BMC products that have BMC Atrium Single Sign-On as an authentication option is that all of the authentication protocols supported by BMC Atrium Single Sign-On are available to the product, and any new protocols added later become available without any product changes. The BMC Atrium Single Sign-On server and agents provide the needed integration into these systems, so a product does not need any adjustments.
The following diagram shows a high level implementation of BMC Atrium Single Sign-On integration with BMC Dashboards for BSM, BMC Analytics for BSM, and BMC Remedy IT Service Management.
4.2 BMC Atrium Single Sign-On and OpenAM
BMC Atrium Single Sign-On is built on the open source project OpenAM. This project has a long history of providing authentication and authorization across many different platforms by using many authentication
techniques. BMC Atrium Single Sign-On provides a simplified, turnkey system that applies OpenAM technology to BMC products. Configuration of the servers and agents is automated as much as possible, allowing for easy adoption.
OpenAM technologies (see page 22)
Atrium Single Sign-On user console access (see page 23)
4.2.1 OpenAM technologies
BMC Atrium Single Sign-On uses a subset of the technologies within the OpenAM project that are required by BMC products. The current technologies of OpenAM that are certified by BMC Atrium Single Sign-On include:
Authentication schemes: Internal, LDAP, BMC Remedy Action Request (AR) System, Active Directory, RSA SecurID, Common Access Cards (CAC), ActivIdentity-based, Kerberos, and SAMLv2
Authentication chaining
Groups
Important
BMC Atrium Single Sign-On is certified on the configurations explicitly stated in this document.
Reported defects either found to be unique to an unconfirmed configuration or not reproducible within a supported environment are addressed at the discretion of BMC. Visit the Customization Policy under the Support Contacts & Policies link on the BMC support website.
4.2.2 Atrium Single Sign-On user console access
The user console access is through the following URL:https://<atssohost>:<port>/atriumsso/UI/Login?realm=BmcRealm
This URL can be used to verify the authentication module configuration. You do not need to rely on an installed and configured BMC application to initiate login in order to test configuration of authentication modules.
4.3 Administrator password
The administrator password is used to access BMC Atrium Single Sign-On through a browser. This access allows user accounts to be created and other authentication methods to be enabled. The administrator password is also required when integrating application servers on which the BMC Atrium Single Sign-On web agent is deployed, so treat it as a privileged credential and restrict who holds it.
4.4 Default cookie domain
The default cookie domain value is the network domain of the computer on which you are installing the server. The default cookie domain specifies the most restrictive access. This value controls cookie visibility between servers within the domain.
By removing domain elements (lowest sub-domain first), the cookie becomes visible to servers outside of the BMC Atrium Single Sign-On domain. For example, changing the domain adprod.bmc.com to bmc.com gives all of the servers within the bmc.com domain access to the cookies stored by the server in a user's browser. The danger of increasing the cookie visibility is illustrated when the value is changed to com, which would give every server in the com domain access to the cookie. Because the cookie carries the user's single sign-on session, any server that can read it can present it as the user.
You cannot use sibling domains or cross-domains with BMC Atrium Single Sign-On. For example, installing the BMC Atrium Single Sign-On server in the remedy.com domain and the AR System server in the bmc.com domain is not supported, because a cookie scoped to one domain is never sent to a host in the other. You must move all your computers into the same domain.
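As an added example that is not part of the original documentation, the following Python script applies the RFC 6265 domain-matching rule that browsers use to decide which hosts receive a cookie, so you can see exactly which servers gain access to the SSO cookie as the cookie domain is widened one label at a time. The host names are constructed for illustration and do not come from the documentation.

```python
"""Cookie-domain scoping check for a single sign-on cookie.

Added example, not part of the BMC documentation. It implements the
domain-match rule from RFC 6265 section 5.1.3 so you can see which hosts a
browser would send the BMC Atrium Single Sign-On cookie to for a given
cookie-domain setting. All host names below are constructed sample data.
"""
import ipaddress
from typing import Iterable, List

# Constructed sample hosts (assumption): the SSO server and mid tier live in
# adprod.bmc.com, another BMC server in bmc.com, an AR System server in the
# sibling domain remedy.com, and an unrelated host somewhere on the internet.
SAMPLE_HOSTS = [
    "sso.adprod.bmc.com",
    "midtier.adprod.bmc.com",
    "analytics.bmc.com",
    "arserver.remedy.com",
    "attacker.example.com",
]


def _is_ip_address(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_matches(host: str, cookie_domain: str) -> bool:
    """RFC 6265 domain-match: True if a browser talking to `host` would send
    a cookie whose Domain attribute is `cookie_domain`."""
    host = host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().strip(".")
    if not cookie_domain:
        return False
    if host == cookie_domain:
        return True
    # The host must be a host name (not an IP literal) and must end with
    # "." + cookie_domain, so label boundaries are respected: a cookie for
    # bmc.com is not sent to evilbmc.com.
    return (not _is_ip_address(host)) and host.endswith("." + cookie_domain)


def widen(cookie_domain: str) -> str:
    """Drop the lowest (left-most) label, as the text describes:
    adprod.bmc.com -> bmc.com -> com."""
    labels = cookie_domain.lower().strip(".").split(".")
    if len(labels) < 2:
        raise ValueError("cannot widen a single-label domain any further")
    return ".".join(labels[1:])


def hosts_with_access(cookie_domain: str, hosts: Iterable[str] = SAMPLE_HOSTS) -> List[str]:
    """Hosts among `hosts` that would be sent the SSO cookie."""
    return [h for h in hosts if domain_matches(h, cookie_domain)]


if __name__ == "__main__":
    domain = "adprod.bmc.com"
    while True:
        print(f"Domain={domain}: {hosts_with_access(domain)}")
        if "." not in domain:
            break
        domain = widen(domain)
```

Current browsers refuse to store a cookie whose Domain attribute is a public suffix such as com, so the last widening step fails in practice; that browser-side check is not a substitute for keeping the configured cookie domain as narrow as the deployment allows.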
4.5 Log on and log off behavior
When using a single sign-on system, the normal authentication behavior is altered. You log on when you start the first product; when you start a second integrated product, the logon is performed automatically, without any user involvement.
When you log off, you are logged off of all BMC Atrium Single Sign-On integrated products. If you want to continue working with other BMC products:
Quit the product instead of logging out of BMC Atrium Single Sign-On.
If the product supports application-only log off, log off the application and close the browser.
Important
When quitting a product, the normal behavior is to log off and then quit. This process terminates all of the product connections. If you want to continue working with other BMC products, quit the product that you are finished with, but log off only from the last product.
With web applications, the BMC Atrium Single Sign-On authentication status is maintained through sessions within the web browsers. When web applications share the same browser session, the authentication state with BMC Atrium Single Sign-On is shared by these applications.
To use a different login ID without logging off BMC Atrium Single Sign-On, you must start a new session in the web browser. The following table summarizes how to share current sessions and how to create new sessions with the browsers supported by BMC Atrium Single Sign-On.
Session behavior in supported browsers

Browser | Share Session | New Session
Firefox 4 | New tab, Ctrl-N for a new window, or launch from Start menu or shortcut | Use Private Browsing
Internet Explorer 7 | New tab or Ctrl-N to create a new window | Launch a new browser using the Start menu or a shortcut
Internet Explorer 8 | New tab, Ctrl-N to create a new window, or launch a new browser from the Start menu or a shortcut | Use New Session in the File menu
Internet Explorer 9 | New tab, Ctrl-N to create a new window, or launch a new browser from the Start menu or a shortcut |
When BMC products launch a new application, the applications use the process needed to ensure a shared session and a seamless experience.
4.6 Certificates
The default Tomcat server used by BMC Atrium Single Sign-On uses a keystore and a truststore for secure (HTTPS/TLS/SSL) communications. These communications occur in the following cases:
When users access the admin console, or log in to or log out of the system
When an external LDAP server is accessed with TLS/SSL
When exchanging SAMLv2 metadata
For user authentication with CAC
The keystore contains the information used to identify the BMC Atrium Single Sign-On server to remote servers and users. The truststore is used to hold the certificates of remote servers, users and signing authorities that are to be trusted by the BMC Atrium Single Sign-On server.
These files are stored in the following directory:
<installationDirectory>/BMC Software/AtriumSSO/tomcat/conf
The initial keystore created during the installation uses a self-signed certificate. This certificate causes browsers and other programs to warn users that the certificate is not trusted each time the user authenticates. This certificate warning can be prevented by doing one of the following:
Permanently importing the self-signed certificate into the user's truststore.
Obtaining and importing a signed identity certificate from a trusted Certificate Authority (CA).
The CA vouches for the authenticity of the server's identity when the user visits BMC Atrium Single Sign-On for authentication. In this case, the user has an established trust relationship with the CA, and this relationship is extended to BMC Atrium Single Sign-On after a digitally signed identity certificate is imported.
4.6.1 Certificate Signing Request
A CA-signed certificate is obtained by generating a Certificate Signing Request (CSR).
The keytool utility is used to generate the CSR, to import the signed certificate returned by the CA, and thereby replace the self-signed certificate. This tool is available with Oracle JDKs and BMC Atrium Single Sign-On. keytool rejects the signed certificate if it cannot build a chain from it to a trusted root, which is why the CA certificates must be imported first.
Note
When importing the newly signed certificates, you must first import the CA root certificates and intermediate certificates, if required.
4.6.2 New CA certificates
Adding another CA certificate is necessary when:
CAC authentication is used
LDAP is used with SSL/TLS
The Department of Defense (DoD) issues new CA certificates
The CA certificates used to create a signed certificate for the BMC Atrium Single Sign-On server are not already in the truststore
The keytool utility is used to import a new CA certificate into the BMC Atrium Single Sign-On truststore.
4.6.3 Related topics
Managing keystores with a keytool utility (see page 239)
Generating self-signed certificates (see page 249)
4.7 Authentication chaining
An Authentication Chain is the object that BMC Atrium Single Sign-On uses to specify how authentication is to be performed. A chain can be a single authentication module or a combination of multiple authentication modules. Chaining allows different modules to act as a single authority.
In its simplest form, an authentication chain consists of a single authentication module. A chain can also be a complex combination of multiple authentication modules joined to validate the credentials that are used to authenticate a user. Through chaining, different modules can be merged to appear as a single authority.
For example, if two organizations merge to form a new, single organization, then the authentication system from each organization could be used as a module within a single chain.
The effect of combining these modules into this single chain is that users only provide credentials to a single authority.
This chaining creates the perception of a merged authority despite the reality of multiple, disparate systems that are actually employed.
Authentication chains allow the combination of authentication modules to process authentication requests. One of the best uses for combining modules is to merge different authentication schemes to appear as a single authentication scheme.
For example, when two departments have their own LDAP servers, these two servers could be put into a single chain and users would appear to validate against a single authority.
The processing of the chain to determine the overall status of authentication is controlled by the criteria specified for each of the modules in the chain. The following figure illustrates authentication chaining where authentication modules are tried in an ordered sequence.
4.7.1 Authentication chaining example
The overall status is successful if all of the Required and Requisite modules pass before either the end of the chain or the first successful Sufficient module. When there are no Required or Requisite modules, then at least one Sufficient or Optional module must authenticate the user. See Managing authentication modules (see page 271).
In the chaining process for the above example illustration, with three LDAP servers combined into a single authority, the modules are tried in the sequence specified until either the user passes and is considered successfully authenticated, or the user fails to authenticate and is rejected:
Check with LDAP A. Pass: stop processing and accept the user. Fail: proceed to the next module.
Check with LDAP B. Pass: stop processing and accept the user. Fail: proceed to the next module.
Check with LDAP C. Pass: stop processing and accept the user. Fail: stop processing and reject the user.
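As an added example (not code from BMC Atrium Single Sign-On or OpenAM), the following Python script implements the Required/Requisite/Sufficient/Optional rule stated above and runs the three-LDAP chain from the illustration against constructed user tables. The directory contents, user names and passwords are sample data, and the LDAP modules are stand-ins that compare against an in-memory table instead of binding to a directory server; the evaluation order and stop conditions are the point.

```python
"""Authentication-chain evaluation with Required, Requisite, Sufficient and
Optional criteria.

Added example, not code from BMC Atrium Single Sign-On or OpenAM. It
implements the rule stated in the documentation: all Required and Requisite
modules must pass before the end of the chain or the first successful
Sufficient module; with no Required or Requisite modules, at least one
Sufficient or Optional module must pass. The LDAP modules below are
stand-ins backed by constructed in-memory tables (sample data).
"""
from enum import Enum
from secrets import compare_digest
from typing import Callable, Dict, List, Tuple


class Criteria(Enum):
    REQUIRED = "required"      # must pass; a failure is final but the chain continues
    REQUISITE = "requisite"    # must pass; a failure stops the chain immediately
    SUFFICIENT = "sufficient"  # a pass ends the chain with success if nothing required failed
    OPTIONAL = "optional"      # only matters when the chain has no Required/Requisite modules


Module = Callable[[str, str], bool]
Chain = List[Tuple[str, Criteria, Module]]


def ldap_module(directory: Dict[str, str]) -> Module:
    """Stand-in for an LDAP module: checks the password against a constructed
    user -> password table instead of binding to a directory server."""
    def authenticate(user: str, password: str) -> bool:
        stored = directory.get(user)
        return stored is not None and compare_digest(stored.encode(), password.encode())
    return authenticate


def evaluate_chain(chain: Chain, user: str, password: str) -> Tuple[bool, List[Tuple[str, bool]]]:
    """Run the chain for one login attempt.

    Returns (authenticated, trace); trace lists (module name, passed) for every
    module that was actually consulted, so you can see where the chain stopped."""
    trace: List[Tuple[str, bool]] = []
    has_required = any(c in (Criteria.REQUIRED, Criteria.REQUISITE) for _, c, _ in chain)
    required_ok = True    # no Required/Requisite failure seen so far
    optional_ok = False   # at least one Sufficient/Optional module passed
    for name, criteria, module in chain:
        passed = module(user, password)
        trace.append((name, passed))
        if criteria is Criteria.REQUIRED and not passed:
            required_ok = False            # overall failure, but keep processing
        elif criteria is Criteria.REQUISITE and not passed:
            required_ok = False
            break                          # stop the chain at once
        elif criteria is Criteria.SUFFICIENT and passed:
            optional_ok = True
            if required_ok:
                break                      # accept at the first successful Sufficient
        elif criteria is Criteria.OPTIONAL and passed:
            optional_ok = True
    authenticated = required_ok if has_required else optional_ok
    return authenticated, trace


# Constructed directories for the three-LDAP illustration.
LDAP_A = ldap_module({"alice": "alice-pw"})
LDAP_B = ldap_module({"bob": "bob-pw"})
LDAP_C = ldap_module({"carol": "carol-pw"})

# The chain from the illustration: each LDAP is Sufficient, so a pass stops
# processing and accepts the user, and a fail moves on to the next server.
THREE_LDAP_CHAIN: Chain = [
    ("LDAP A", Criteria.SUFFICIENT, LDAP_A),
    ("LDAP B", Criteria.SUFFICIENT, LDAP_B),
    ("LDAP C", Criteria.SUFFICIENT, LDAP_C),
]

# A gated variant: LDAP A must pass or processing stops immediately.
GATED_CHAIN: Chain = [
    ("LDAP A", Criteria.REQUISITE, LDAP_A),
    ("LDAP B", Criteria.SUFFICIENT, LDAP_B),
]

if __name__ == "__main__":
    for user, pw in [("alice", "alice-pw"), ("bob", "bob-pw"), ("carol", "wrong"), ("mallory", "x")]:
        ok, trace = evaluate_chain(THREE_LDAP_CHAIN, user, pw)
        print(f"{user:8s} {'accepted' if ok else 'rejected'} {trace}")
```

The trace is worth keeping in a real deployment's debug logging: it shows which backend actually vouched for a user, and it makes the difference between Required and Requisite visible (a Required failure still lets later modules run, so a user's password is presented to every remaining backend, whereas a Requisite failure stops the chain at once).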
4.8 High Availability deployment
The following figure shows a typical deployment scenario of BMC Atrium Single Sign-On operating in a High Availability (HA) environment. Two BMC Atrium Single Sign-On servers are installed to form a cluster. A load balancer is used as a front end to the cluster, giving the external applications the appearance of a single server. The load balancer distributes requests among BMC Atrium Single Sign-On servers. In the event of a system failure, the load balancer re-directs requests to the remaining servers.
When operating as a cluster, BMC Atrium Single Sign-On functions as a single virtual server. Therefore, certain configuration information is shared between nodes. For example, when one node is configured, the other nodes have the same information.
The following information is global to all nodes in the cluster:
Administrative accounts
Authentication
User profiles
Data stores
User accounts (internal LDAP)
HTTPS ports. These ports are specified during installation.
Typical HA deployment
The following figure shows the communication between the nodes and the load balancer.
Communication between BMC Atrium Single Sign-On nodes and a load balancer
4.9 JEE filter-based agents
With this release of BMC Atrium Single Sign-On, a light-weight agent is available for use by BMC applications. This section describes how configuration items apply to this newer agent.
In addition to functioning as the central server, BMC Atrium Single Sign-On uses agents which are integrated into each of the BMC products. These agents perform the following functions:
Accessing authentication services
Coordinating with the server to authenticate users
Validating existing authentications
For more information about agent configuration parameters, see Agent manager.
5 Planning
Note
All products that run in BMC Remedy AR System support BMC Atrium Single Sign-On including AR System Mid-tier products (BMC Remedy ITSM, BMC Atrium Core, BMC Atrium CMDB, and so on), BMC Atrium Dashboard and Analytics, BMC IT Business Management Suite, BMC ProActive Performance Management (version 9.0), and BMC Capacity Optimization.
Checking the compatibility matrix for system requirements and supported configurations
End-to-end BMC Atrium Single Sign-On process
BMC Atrium Single Sign-On using SAMLv2 deployment example (see page 31)
5.1 Checking the compatibility matrix for system requirements and supported configurations
Consult the BMC Remedy and BMC Atrium product compatibility information for the 8.0 system configuration information.
5.1.1 To access the compatibility matrixes
Navigate to http://www.bmc.com/support/product-availability-compatibility. Click BMC Solution and Product Availability and Compatibility Utility.
In the Product Name field, enter the product name, for example: BMC Atrium CMDB Enterprise Manager
BMC Atrium CMDB Suite
In the Product Version field, enter the version number.
In the Select Component field, enter BMC Atrium Single Sign-On.
Review the compatibility information listed in the tabs at the bottom of the page.
Note
To access the product compatibility information on the Customer Support website, you must have a Support login.
5.2 End-to-end BMC Atrium Single Sign-On procedure
This topic provides a high-level process of what you need to do to set up and configure BMC Atrium Single Sign-On with BMC products.
Review the information that you need to understand prior to installing, such as the What's new (see page 12), Key concepts (see page 20), Planning (see page 29), and Preparing for installation topics.
Install BMC Atrium Single Sign-On. See Installing (see page 40) for the different installation options, such as High Availability (HA).
Install other BMC products for integrating with BMC Atrium Single Sign-On.
For information about integrating and configuring BMC Remedy AR System version 8.1, see Installing BMC Atrium Single Sign-On with the AR System server and Mid Tier (see page 79).
For information about integrating and configuring BMC Remedy AR System version 8.0, see Integrating BMC Atrium Single Sign-On with AR System Version 8.0.00.
For information about other BMC product integration, such as BMC Dashboards and Analytics for BSM, see Integrating.
Configure your method of authentication. See Configuring after installation. The following are the authentication module sections:
Using AR for authentication Using SAMLv2 for authentication
Using Kerberos for authentication (see page 132) Using CAC for authentication
Using LDAP (Active Directory) for authentication Using RSA SecurID for authentication
If you implement multiple authentication methods, see Managing authentication modules (see page 271). Create and manage users and user groups. See Managing users (see page 264) and Managing user groups
.
(see page 268)
5.3 BMC Atrium Single Sign-On using SAMLv2 deployment example
This topic provides an example of how BMC Atrium Single Sign-On using Security Assertion Markup Language 2.0 (SAMLv2) can be deployed.
Business value (see page 32)
Federated authentication and SAML (see page 32)
Deployment architecture (see page 33)
Deployment model (see page 35)
Deployment tasks (see page 37)
Deployment parameters (see page 38)
Related topics (see page 40)
5.3.1 Business value
This deployment example shows you how BMC Atrium Single Sign-On uses SAMLv2 authentication. Single sign-on means that you only need to present credentials once for authentication, and you are subsequently automatically authenticated by every BMC product that is integrated into the system. This means that if you are looking at a report that has links to incident or change records, you can click on the link and go directly to the records without logging in again.
An additional important value is that with federated authentication the user logon credentials (for example, user name and password) are not exposed to the Service Provider (SP) and are not sent over the internet. The authentication is done on premises by the Identity Provider (IdP).
5.3.2 Federated authentication and SAML
SAMLv2 is an XML-based OASIS standard for exchanging user identity and security attribute information. It uses security tokens containing assertions to pass information about a principal (usually an end user) between an Identity Provider (IdP) and a web service.
SAMLv2 enables federated authentication between your environment and the BMC Remedy applications. When using SAMLv2, the BMC Remedy infrastructure is defined as a Service Provider (SP), and your infrastructure that performs the user authentication is the IdP. With SAMLv2 enabled, a user that tries to access BMC Remedy applications without having previously authenticated is redirected to your IdP. After authentication, the user is redirected back to the originally requested resource (BMC Remedy application).
Note
Although SAMLv2 supports both IdP-initiated single sign-on and SP-initiated single sign-on, SP-initiated single sign-on is essential to allow specific use cases for deep linking to specific pages and resources in the applications (for example, a notification URL that contains a link to a specific BMC Remedy ITSM form and record).
Configuration of SAMLv2 integration is largely the exchange of SAMLv2 metadata between your environment and the BMC Remedy environment. You provide IdP metadata, which defines the URLs that you use for SAMLv2 and the certificate used for validation of assertions. The BMC Remedy infrastructure provides SP metadata to allow you to preregister the BMC Remedy SP in your SAMLv2 infrastructure as required.
For more information about SAMLv2, see Using SAMLv2 for authentication.
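As an added example (not BMC's code and not part of the original documentation), the following Python script works through the two pieces this section describes: parsing the IdP metadata you provide (the HTTP-Redirect SSO URL and the assertion-signing certificate) and building the SP-initiated redirect in which RelayState carries the originally requested deep link so the user can be returned to it after authentication. The metadata document, entity IDs, URLs, certificate placeholder and timestamp are all constructed for illustration.

```python
import base64, urllib.parse, zlib
import xml.etree.ElementTree as ET
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
# Constructed sample IdP metadata for illustration (not from any real deployment).
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>MIIC...constructedPlaceholder...</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://idp.example.com/saml/sso"/>
 </md:IDPSSODescriptor></md:EntityDescriptor>"""
def parse_idp_metadata(xml_text):
    """Extract what the SP needs from IdP metadata: entityID, Redirect SSO URL, signing cert."""
    root = ET.fromstring(xml_text)
    sso = [s.get("Location") for s in root.iterfind(".//md:SingleSignOnService", NS)
           if s.get("Binding") == REDIRECT]
    certs = [c.text.strip() for k in root.iterfind(".//md:KeyDescriptor", NS)
             if k.get("use", "signing") == "signing"      # no "use" means signing and encryption
             for c in k.iterfind(".//ds:X509Certificate", NS)]
    if not sso or not certs:
        raise ValueError("metadata lacks an HTTP-Redirect SSO endpoint or a signing certificate")
    return {"entity_id": root.get("entityID"), "sso_url": sso[0], "signing_cert": certs[0]}

def build_sp_redirect(idp, sp_entity_id, acs_url, deep_link, request_id):
    """SP-initiated SSO: HTTP-Redirect URL whose RelayState carries the requested deep link."""
    # Relay only to the SP's own host (otherwise an open redirect) and respect the 80-byte limit.
    same_host = urllib.parse.urlsplit(deep_link).netloc == urllib.parse.urlsplit(acs_url).netloc
    if not same_host or len(deep_link) > 80:
        raise ValueError("RelayState must be a URL on the SP's own host, at most 80 bytes")
    authn = (f'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
             f'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="{request_id}" Version="2.0" '
             f'IssueInstant="2014-01-16T15:56:00Z" Destination="{idp["sso_url"]}" '  # constructed
             f'AssertionConsumerServiceURL="{acs_url}"><saml:Issuer>{sp_entity_id}</saml:Issuer>'
             '</samlp:AuthnRequest>')
    z = zlib.compressobj(9, zlib.DEFLATED, -15)        # raw DEFLATE, as the binding requires
    deflated = z.compress(authn.encode()) + z.flush()
    query = urllib.parse.urlencode({"SAMLRequest": base64.b64encode(deflated).decode(),
                                    "RelayState": deep_link})
    return f"{idp['sso_url']}?{query}"

def decode_sp_redirect(url):
    """Reverse of build_sp_redirect: (AuthnRequest element, RelayState) for inspection."""
    q = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    xml_text = zlib.decompress(base64.b64decode(q["SAMLRequest"][0]), -15).decode()
    return ET.fromstring(xml_text), q["RelayState"][0]
```

In a real deployment the AuthnRequest is signed and the IdP's response is validated against the signing certificate extracted here; this script only shows the metadata and redirect plumbing.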
5.3.3 Deployment architecture
This deployment example consists of the following components:
In the BMC environment:
BMC Remedy web applications supporting BMC Atrium Single Sign-On
BMC Atrium Single Sign-On agents, which are add-ons to any BMC Remedy web application
BMC Atrium Single Sign-On server, which serves as the SP and runs as a web application on the Apache Tomcat server
In your environment:
You use a browser to access BMC Remedy applications.
An authentication server, usually located on premises, is responsible for authenticating your users. This is the IdP component.
The SAMLv2 IdP server and the BMC Atrium Single Sign-On SP server are connected by a trust relationship (federation) so they can honor each other’s authentication information.
The following sequence diagram shows the interactions between BMC Atrium Single Sign-On and SAMLv2 components. These interactions are listed in the sequential order that they occur.
The following sequence diagram illustrates the flow of events and the interaction between components for single log off (SLO):
5.3.4 Deployment model
A load balancer or reverse proxy is placed in front of the application servers and routes inbound connections to the appropriate target web server. Load balancers are used to distribute the workload and optimize application performance. Reverse proxies are used to distribute the workload, optimize application performance, and hide the existence and characteristics of internal servers.
BMC Remedy Mid Tier is deployed on a separate virtual machine (VM).
A second BMC Remedy Mid Tier and the BMC Atrium Single Sign-On server are deployed on another VM, but on two different Apache Tomcat servers.
BMC Dashboards for Business Services Management and BMC Analytics for Business Services Management are deployed on two different VMs to avoid performance issues.
5.3.5 Deployment tasks
The following table lists the main steps involved in installing and configuring the deployed BMC products with BMC Atrium Single Sign-On using SAMLv2 authentication, where BMC Atrium Single Sign-On is configured as an SP with a remote IdP.
Note
Review the Deployment parameters (see page 38) list before starting the deployment tasks.
Step Task
1. Install BMC Atrium Single Sign-On.
2. Install BMC Remedy AR System server.
3. Install the BMC Remedy Mid Tier.
4. (Optional) Configure your load balancer or reverse proxy.
   Note: For more information, see Troubleshooting redirect URLs (see page 343).
5. Run the SSOARIntegration utility on the AR System server (see page 88).
6. Run the SSOMidtierIntegration utility on the BMC Remedy Mid Tier (see page 92).
7. Configure group mapping for the AR System and BMC Atrium Single Sign-On (see page 91).
8. Configure the BMC Atrium Single Sign-On server for AR System (see page 97).
   Note: Though the AR authentication module should be configured, you must delete the AR user stores when using SAMLv2 for authentication. The AR data store is not needed for authentication in a SAMLv2 deployment.
9. Run a health check on the BMC Atrium Single Sign-On installation.
10. Configure BMC Atrium Single Sign-On to use SAMLv2 authentication with BMC Atrium Single Sign-On as a Service Provider and a remote Identity Provider.
    Note: Each time a BMC product is integrated (steps 10-12) with the BMC Atrium Single Sign-On Service Provider, the J2EE agents configuration must be modified so the integrating product can function in the Federated Single Sign-On.
11. (Optional) Integrate BMC Dashboards for Business Service Management (see page 198) and configure it.
    Note: For more information, see the BMC Dashboards for Business Service Management Installation Guide at PDFs.
12. (Optional) Integrate BMC Analytics for Business Service Management (see page 199) and configure it.
    Note: For more information, see Installing.
13. (Optional) Integrate BMC IT Business Management Suite (see page 204). For more information, see .