Troubleshooting BMC Atrium Single Sign-On problems

This topic describes the common problems faced in BMC Atrium Single Sign-On (SSO) and BMC Atrium Orchestrator (BAO) integration. 

Re-registering agents in Atrium SSO after an upgrade

When you upgrade Atrium SSO to any later version, sometimes the integration fails and you may encounter one of the following scenarios:

  • During a BAO upgrade, you see a message similar to the following example:
    The registering AtriumSSO agent process failed. Please refer to installation guide and register the agent of https://<fqdn for baoComponent>:38080/baoComponent manually.
  • After upgrading BAO, when attempting to log into BAO, you see the following message:
    BMCSSG1757E: Integration with Atrium SSO is failing. Please contact the product's support team for help with resolving this integration problem (BMCSSG1766E: Local Atrium SSO certificate does not match remote server certificate. Agent may need to be re-integrated with Atrium SSO server.)

If one of these scenarios occurs, re-register the agents in Atrium SSO.

Important

You must shut down the BAO server before re-registering agents.

If you are registering agents on a new Atrium SSO, you must manually edit the context.xml file in the repository directory to point to the new Atrium SSO server URL. 

The sample commands on this page are intended for use when BAO is configured for HTTPS. If you are using HTTP, adjust your commands following the guidelines in the Registration command parameters table.


The following BMC Communities video (6:41) shows how to re-register web agents in Atrium SSO.

 https://youtu.be/s7lbj_lCjoQ

To re-register agents:

  1. Go to the Atrium SSO Admin Console and click Agent Details.  
  2. Select the check boxes against the BAO agents and click Delete.
  3. Remove the ${ao_home}/tomcat/atssoAgents directory for the component for which you are re-registering the agents.
    • For the repository, this is $<REPO_HOME>/tomcat/atssoAgents
    • For the CDP, this is $<CDP_HOME>/tomcat/atssoAgents
  4. Go to the command prompt and run the following command, replacing the variables with your environment information (see the Registration command parameters table below for details):

    "<AO Component Install Folder>\jvm\bin\java" -jar "<AO Component Install Folder>\webagent\deployer\deployer.jar"
    --install --container-type tomcatv7
    --atrium-sso-url <https://customers-sso-instance:port/atriumsso>
    --web-app-url <https://url-to-AO-component> or <https://url-to-AO-Load-Balancer>
    --notify-url <https://url-to-AO-component>
    --web-app-logout-uri /logout
    --container-base-dir "<AO Component Install Folder>\tomcat"
    --admin-name <amadmin>
    --admin-pwd <ampassword>
    --jvm-truststore "<AO Component Install Folder>\jvm\lib\security\cacerts"
    --jvm-truststore-password changeit
    --truststore "<AO Component Install Folder>\tomcat\conf\.keystore"
    --truststore-password changeit
    --not-enforced-uri-file "<AO Component Install Folder>\excludedURLs"

    Note

    The command should all be on one line (no new lines inserted) as shown in this sample command:

    "<AO Component Install Folder>\jvm\bin\java" -jar "<AO Component Install Folder>\webagent\deployer\deployer.jar" --install --container-type tomcatv7 --atrium-sso-url <https://customers-sso-instance:port/atriumsso> --web-app-url <https://url-to-AO-component> or <https://url-to-AO-Load-Balancer> --notify-url <https://url-to-AO-component> --web-app-logout-uri /logout --container-base-dir "<AO Component Install Folder>\tomcat" --admin-name <amadmin> --admin-pwd <ampassword> --jvm-truststore "<AO Component Install Folder>\jvm\lib\security\cacerts" --jvm-truststore-password changeit --truststore "<AO Component Install Folder>\tomcat\conf\.keystore" --truststore-password changeit --not-enforced-uri-file "<AO Component Install Folder>\excludedURLs"


    Sample command for the repository:

    "C:\Program Files\BMC Software\BAO\repo\jvm\bin\java" -jar "C:\Program Files\BMC Software\BAO\repo\webagent\deployer\deployer.jar"
    --install --container-type tomcatv7
    --atrium-sso-url https://<fqdn for sso server>:8443/atriumsso
    --web-app-url https://<fqdn for your component>:28080/baorepo or <https://url-to-AO-Load-Balancer>
    --notify-url https://<fqdn for your component>:28080/baorepo
    --web-app-logout-uri "/logout" 
    --container-base-dir "C:\Program Files\BMC Software\BAO\repo\tomcat" 
    --admin-name amadmin --admin-pwd <sso admin password>
    --jvm-truststore "C:\Program Files\BMC Software\BAO\repo\jvm\lib\security\cacerts" 
    --jvm-truststore-password changeit 
    --truststore "C:\Program Files\BMC Software\BAO\repo\tomcat\conf\.keystore" 
    --truststore-password changeit 
    --not-enforced-uri-file "C:\Program Files\BMC Software\BAO\repo\excludedURLs"

    Note

    The command should all be on one line (no new lines inserted) as shown in this sample command:

    "C:\Program Files\BMC Software\BAO\repo\jvm\bin\java" -jar "C:\Program Files\BMC Software\BAO\repo\webagent\deployer\deployer.jar" --install --container-type tomcatv7 --atrium-sso-url https://<fqdn for sso server>:8443/atriumsso --web-app-url https://<fqdn for your component>:28080/baorepo or <https://url-to-AO-Load-Balancer> --notify-url https://<fqdn for your component>:28080/baorepo --web-app-logout-uri "/logout" --container-base-dir "C:\Program Files\BMC Software\BAO\repo\tomcat" --admin-name amadmin --admin-pwd <sso admin password> --jvm-truststore "C:\Program Files\BMC Software\BAO\repo\jvm\lib\security\cacerts" --jvm-truststore-password changeit --truststore "C:\Program Files\BMC Software\BAO\repo\tomcat\conf\.keystore" --truststore-password changeit --not-enforced-uri-file "C:\Program Files\BMC Software\BAO\repo\excludedURLs"

    Note

    If you have manually deleted the CDP agent from Atrium SSO, you need to manually create the excludedURLs file with the following values:

    /baocdp/orca*
    /baocdp/ws*
    /baocdp/atsso*
    /baocdp/rest*

    While re-registering the CDP agent, specify the excludedURLs file path in the command.

    Sample command for the CDP:

    "C:\Program Files\BMC Software\BAO\CDP\jvm\bin\java" -jar "C:\Program Files\BMC Software\BAO\CDP\webagent\deployer\deployer.jar"
    --install --container-type tomcatv7
    --atrium-sso-url https://<fqdn for sso server>:8443/atriumsso
    --web-app-url https://<fqdn for your component>:38080/baocdp or <https://url-to-AO-Load-Balancer>
    --notify-url https://<fqdn for your component>:38080/baocdp
    --web-app-logout-uri "/logout" 
    --container-base-dir "C:\Program Files\BMC Software\BAO\CDP\tomcat" 
    --admin-name amadmin --admin-pwd <sso admin password>
    --jvm-truststore "C:\Program Files\BMC Software\BAO\CDP\jvm\lib\security\cacerts" 
    --jvm-truststore-password changeit 
    --truststore "C:\Program Files\BMC Software\BAO\CDP\tomcat\conf\.keystore" 
    --truststore-password changeit
    --not-enforced-uri-file "C:\Program Files\BMC Software\BAO\CDP\config\excludedURLs"

    Note

    The command should all be on one line (no new lines inserted) as shown in this sample command:

    "C:\Program Files\BMC Software\BAO\CDP\jvm\bin\java" -jar "C:\Program Files\BMC Software\BAO\CDP\webagent\deployer\deployer.jar" --install --container-type tomcatv7 --atrium-sso-url https://<fqdn for sso server>:8443/atriumsso --web-app-url https://<fqdn for your component>:38080/baocdp or <https://url-to-AO-Load-Balancer> --notify-url https://<fqdn for your component>:38080/baocdp --web-app-logout-uri "/logout" --container-base-dir "C:\Program Files\BMC Software\BAO\CDP\tomcat" --admin-name amadmin --admin-pwd <sso admin password> --jvm-truststore "C:\Program Files\BMC Software\BAO\CDP\jvm\lib\security\cacerts" --jvm-truststore-password changeit --truststore "C:\Program Files\BMC Software\BAO\CDP\tomcat\conf\.keystore" --truststore-password changeit --not-enforced-uri-file "C:\Program Files\BMC Software\BAO\CDP\config\excludedURLs"

    Sample command for the graphing server:

    Note

    The graphing server is not supported in 7.8.02 and later releases.

     

    "C:\Program Files\BMC Software\BAO\CDP\jvm\bin\java" -jar "C:\Program Files\BMC Software\BAO\CDP\webagent\deployer\deployer.jar"
    --install --container-type tomcatv7
    --atrium-sso-url https://<fqdn for sso server>:8443/atriumsso
    --web-app-url https://<fqdn for your component>:38080/baograph or <https://url-to-AO-Load-Balancer>
    --notify-url https://<fqdn for your component>:38080/baograph
    --web-app-logout-uri "/logout" 
    --container-base-dir "C:\Program Files\BMC Software\BAO\CDP\tomcat" 
    --admin-name amadmin --admin-pwd <sso admin password>
    --jvm-truststore "C:\Program Files\BMC Software\BAO\CDP\jvm\lib\security\cacerts" 
    --jvm-truststore-password changeit 
    --truststore "C:\Program Files\BMC Software\BAO\CDP\tomcat\conf\.keystore" 
    --truststore-password changeit
    --not-enforced-uri-file "C:\Program Files\BMC Software\BAO\CDP\config\excludedURLs"

    Note

    The command should all be on one line (no new lines inserted) as shown in this sample command:

    "C:\Program Files\BMC Software\BAO\CDP\jvm\bin\java" -jar "C:\Program Files\BMC Software\BAO\CDP\webagent\deployer\deployer.jar" --install --container-type tomcatv7 --atrium-sso-url https://<fqdn for sso server>:8443/atriumsso --web-app-url https://<fqdn for your component>:38080/baograph or <https://url-to-AO-Load-Balancer> --notify-url https://<fqdn for your component>:38080/baograph --web-app-logout-uri "/logout" --container-base-dir "C:\Program Files\BMC Software\BAO\CDP\tomcat" --admin-name amadmin --admin-pwd <sso admin password> --jvm-truststore "C:\Program Files\BMC Software\BAO\CDP\jvm\lib\security\cacerts" --jvm-truststore-password changeit --truststore "C:\Program Files\BMC Software\BAO\CDP\tomcat\conf\.keystore" --truststore-password changeit --not-enforced-uri-file "C:\Program Files\BMC Software\BAO\CDP\config\excludedURLs"

    Sample command for the OCP (installed with the CDP):

    "C:\Program Files\BMC Software\BAO\CDP\jvm\bin\java" -jar "C:\Program Files\BMC Software\BAO\CDP\webagent\deployer\deployer.jar"
    --install --container-type tomcatv7
    --atrium-sso-url https://<fqdn for sso server>:8443/atriumsso
    --web-app-url https://<fqdn for your component>:38080/baoocp or <https://url-to-AO-Load-Balancer>
    --notify-url https://<fqdn for your component>:38080/baocdp
    --web-app-logout-uri "/logout" 
    --container-base-dir "C:\Program Files\BMC Software\BAO\CDP\tomcat" 
    --admin-name amadmin --admin-pwd <sso admin password>
    --jvm-truststore "C:\Program Files\BMC Software\BAO\CDP\jvm\lib\security\cacerts" 
    --jvm-truststore-password changeit 
    --truststore "C:\Program Files\BMC Software\BAO\CDP\tomcat\conf\.keystore" 
    --truststore-password changeit
    --not-enforced-uri-file "C:\Program Files\BMC Software\BAO\CDP\config\excludedURLs"

    Note

    The command should all be on one line (no new lines inserted) as shown in this sample command:

    "C:\Program Files\BMC Software\BAO\CDP\jvm\bin\java" -jar "C:\Program Files\BMC Software\BAO\CDP\webagent\deployer\deployer.jar" --install --container-type tomcatv7 --atrium-sso-url https://<fqdn for sso server>:8443/atriumsso --web-app-url https://<fqdn for your component>:38080/baoocp or <https://url-to-AO-Load-Balancer> --notify-url https://<fqdn for your component>:38080/baoocp --web-app-logout-uri "/logout" --container-base-dir "C:\Program Files\BMC Software\BAO\CDP\tomcat" --admin-name amadmin --admin-pwd <sso admin password> --jvm-truststore "C:\Program Files\BMC Software\BAO\CDP\jvm\lib\security\cacerts" --jvm-truststore-password changeit --truststore "C:\Program Files\BMC Software\BAO\CDP\tomcat\conf\.keystore" --truststore-password changeit --not-enforced-uri-file "C:\Program Files\BMC Software\BAO\CDP\config\excludedURLs"

    Sample command for the OCP (standalone installation):

    "C:\Program Files\BMC Software\BAO\OCP\jvm\bin\java" -jar "C:\Program Files\BMC Software\BAO\OCP\webagent\deployer\deployer.jar" --install --container-type tomcatv7
    --atrium-sso-url https://<fqdn for sso server>:8443/atriumsso
    --web-app-url https://<fqdn for your component>:38080/baoocp or <https://url-to-AO-Load-Balancer>
    --notify-url https://<fqdn for your component>:38080/baoocp
    --web-app-logout-uri "/logout"
    --container-base-dir "C:\Program Files\BMC Software\BAO\OCP\tomcat"
    --admin-name amadmin --admin-pwd <sso admin password>
    --jvm-truststore "C:\Program Files\BMC Software\BAO\OCP\jvm\lib\security\cacerts"
    --jvm-truststore-password changeit
    --truststore "C:\Program Files\BMC Software\BAO\OCP\tomcat\conf\.keystore"
    --truststore-password changeit 

    Note

    The command should all be on one line (no new lines inserted) as shown in this sample command: 

    "C:\Program Files\BMC Software\BAO\OCP\jvm\bin\java" -jar "C:\Program Files\BMC Software\BAO\OCP\webagent\deployer\deployer.jar" --install --container-type tomcatv7 --atrium-sso-url https://<fqdn for sso server>:8443/atriumsso --web-app-url https://<fqdn for your component>:38080/baoocp or <https://url-to-AO-Load-Balancer> --notify-url https://<fqdn for your component>:38080/baoocp --web-app-logout-uri "/logout" --container-base-dir "C:\Program Files\BMC Software\BAO\OCP\tomcat" --admin-name amadmin --admin-pwd <sso admin password> --jvm-truststore "C:\Program Files\BMC Software\BAO\OCP\jvm\lib\security\cacerts" --jvm-truststore-password changeit --truststore "C:\Program Files\BMC Software\BAO\OCP\tomcat\conf\.keystore" --truststore-password changeit
  5. Restart BAO peers. 

Registration command parameters 

Parameter | Definition | Required
container-type | Type of Web server used to host BAO. | Yes
atrium-sso-url | Address of the Atrium SSO instance. | Yes
web-app-url | Address of BAO or of the load balancer. | Yes
web-app-logout-uri | The URL where the application is directed upon user logout. | Yes
container-base-dir | The Web server home directory. | Yes
admin-name | The Atrium SSO admin user name. | Yes
admin-pwd | The Atrium SSO admin password. | Yes
jvm-truststore | The truststore location. Include the path and file name of JVM’s truststore file (cacerts). | Yes
jvm-truststore-password | The cacerts truststore file password. | Yes
truststore | The truststore location. Include the path and file name of SSL certificate keystore. | Required if BAO is configured for HTTPS.
truststore-password | The SSL certificate truststore file password. | Required if BAO is configured for HTTPS.
not-enforced-uri-file | The file that Atrium SSO uses to store the data that goes in its NotEnforcedURI table. | Yes. This is not required if you installed the Operator Control Panel separately from the CDP.
notify-url | The BAO address if web-app-url specifies a load balancer. | Required if web-app-url specifies a load balancer.

Note

You can verify that agents were re-registered by logging into Atrium SSO, clicking Agent Details, and checking that the agents are listed.

Verify your Not Enforced URIs list and load balancer domain

After completing the previous steps, check that your Not Enforced URIs and load balancer domain setups are correct. (See KA000029966 How can I re-register a BAO instance with Atrium SSO).

From the Atrium SSO Admin Console, verify your Not Enforced URIs list: click Agent Details, check that the appropriate agent is displayed in the list, and edit it. In the agent's Not Enforced URIs list, verify the following values for your setup:

  • For the CDP, the following values must be present:
    /baocdp/orca*
    /baocdp/ws*
    /baocdp/atsso*
  • For the repository the following values must be present:
    /baorepo/http/resource*
    /baorepo/http/configuration*
    /baorepo/resource
    /baorepo/http/mediaMetadataField*

 

Also, verify that the domain of the load balancer matches the domain of your BAO peer.
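
The re-registration command from step 4, combined with the Not Enforced URI values listed above, as an added PowerShell example that is not BMC's own script. It assumes the default Windows install paths from the page's samples and `java.exe` under `jvm\bin`; the two `example.test` URLs are placeholders, and the parameter names are this example's own.

```powershell
# Added example (not BMC code): pre-flight checks, then deployer.jar --install.
param(
    [ValidateSet('repo', 'CDP')] [string] $Component = 'repo',
    [string] $BaoRoot     = 'C:\Program Files\BMC Software\BAO',
    [string] $SsoUrl      = 'https://sso.example.test:8443/atriumsso',  # placeholder
    [string] $WebAppUrl   = 'https://bao.example.test:28080/baorepo',   # placeholder
    [string] $NotifyUrl   = $WebAppUrl,   # direct BAO URL when WebAppUrl is a load balancer
    [string] $AdminName   = 'amadmin',
    [string] $JvmStorePwd = 'changeit',   # value used in the page's samples
    [string] $SslStorePwd = 'changeit'    # value used in the page's samples
)
$ErrorActionPreference = 'Stop'

# Per-component file location and Not Enforced URI values, as listed on this page.
$layouts = @{
    repo = @{ Exclude  = 'excludedURLs'
              Required = '/baorepo/http/resource*', '/baorepo/http/configuration*',
                         '/baorepo/resource', '/baorepo/http/mediaMetadataField*' }
    CDP  = @{ Exclude  = 'config\excludedURLs'
              Required = '/baocdp/orca*', '/baocdp/ws*', '/baocdp/atsso*' }
}
$cfg  = $layouts[$Component]
$base = Join-Path $BaoRoot $Component

$excludeFile = Join-Path $base $cfg.Exclude
$jvmStore    = Join-Path $base 'jvm\lib\security\cacerts'
$sslStore    = Join-Path $base 'tomcat\conf\.keystore'
$deployer    = Join-Path $base 'webagent\deployer\deployer.jar'

# Fail before touching Atrium SSO if any input file is absent.
foreach ($path in $excludeFile, $jvmStore, $sslStore, $deployer) {
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { throw "Missing file: $path" }
}

# Every required URI pattern must appear as its own line in excludedURLs.
$present = @(Get-Content -LiteralPath $excludeFile | ForEach-Object { $_.Trim() })
$missing = @($cfg.Required | Where-Object { $present -notcontains $_ })
if ($missing.Count -gt 0) { throw "excludedURLs lacks: $($missing -join ', ')" }

# Prompt for the SSO admin password so it is not typed into the console history.
$secure = Read-Host -Prompt "Password for $AdminName" -AsSecureString
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password

# One array element per token: no line-break or quoting problems.
$deployerArgs = @(
    '-jar', $deployer, '--install', '--container-type', 'tomcatv7',
    '--atrium-sso-url', $SsoUrl,
    '--web-app-url', $WebAppUrl,
    '--notify-url', $NotifyUrl,
    '--web-app-logout-uri', '/logout',
    '--container-base-dir', (Join-Path $base 'tomcat'),
    '--admin-name', $AdminName, '--admin-pwd', $plain,
    '--jvm-truststore', $jvmStore, '--jvm-truststore-password', $JvmStorePwd,
    '--truststore', $sslStore, '--truststore-password', $SslStorePwd,
    '--not-enforced-uri-file', $excludeFile
)
& (Join-Path $base 'jvm\bin\java.exe') @deployerArgs
if ($LASTEXITCODE -ne 0) { throw "deployer.jar exited with code $LASTEXITCODE" }
```

A zero exit code only shows that the deployer ran; confirm that the agent is listed under Agent Details in the Atrium SSO Admin Console.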

Registering agents on a new Atrium SSO server

If you are registering agents on a new Atrium SSO server, you must manually edit the context.xml file in the repository directory to point to the new Atrium SSO server URL. 

To change the Atrium SSO URL:

  1. Go to <AO_HOME>/tomcat/conf/context.xml.
  2. Look for the com.bmc.ao.sso.ATRIUM_SSO_SERVER_URL property and set it to the URL of the Atrium SSO server that you want the repository to connect to.

For more information, see Knowledge Base article KA000029966.

Checking that the CDP can communicate with Atrium SSO

The CDP should be able to communicate with Atrium SSO if the SSO port is accessible. You can use telnet to check the port connection.

The telnet command format is similar to the following:

telnet <SSOserver> <SSOportnumber> 

For more information about using telnet, see Using telnet to check port access.

Problem starting BAO when BAO and Atrium SSO are installed on the same server

If BAO and Atrium SSO are installed on the same server and BAO fails to start, ensure that the Atrium SSO service is running before starting the BAO service.

  1. Start the Atrium SSO service (see Starting and stopping product components and services).
  2. Log into the Atrium SSO console to ensure that it is running.
  3. Start the BAO service (see Starting and stopping product components and services).
  4. Log into BAO (see Logging into Grid Manager and Repository Manager).

BMC Atrium Orchestrator peer does not start after installation or BMC Atrium Orchestrator does not run properly

The symptoms may be that BAO fails to register with BMC Atrium Single Sign-On or that peers take several hours to start. This may be due to inadequate system entropy.
See the BMC Atrium Single Sign-On System requirements page for more information. You can also find information in Knowledge Article Actions fail in Atrium Orchestrator due to low system entropy KA000066336.


Comments

  1. Andrew Pelz

    We have our CDP behind a load balancer VIP, when we connect to the url of the VIP, we are redirected to the SSO for authentication.  Once authenticated we are redirected to CDP host url, instead of the load balancer VIP url.  How can we ensure we are redirected back to the VIP?

    May 10, 2016 02:27
    1. Dorothy Poole

      Thank you for your comment/question. Here is the response from a team member:

      You have to register the CDP with SSO, such that SSO is aware of the load balancer. You must use the manual registration command on this page, making sure to use the following parameters:

      • web-app-url: The URL of the load balancer
      • notify-url: The direct URL of BAO

      BAO at installation doesn’t know about the load balancer so it registers with SSO with no notify-url and with web-app-url as BAO’s direct URL, so that’s where SSO sends the user upon login.

      I hope that helps.

      May 10, 2016 02:29
  2. Vinnie Lima

    An important correction on steps above to re-register AtriumSSO agent for a WINDOWS-based BAO installation.

     

    You CANNOT have a keystore beginning with a period (.).  Please adapt the documentation to reflect this distinction, as the command will actually return success but the agent will not register with SSO.

    Nov 02, 2016 05:34
    1. Dorothy Poole

      Thank you for your comment. I'm investigating this with the development team and will update the page accordingly.

      Nov 03, 2016 07:16
    1. Dorothy Poole

      I have created a defect (DRAUM-21725) for the team to investigate this issue and I will update the doc based on the results of the investigation.

      Nov 08, 2016 08:41
  3. Rainer Noeth

    Please add the hints from KA000029966 to this site that the BAO repo needs other excludeURLs than the CDP

     

    For a Repository the following values must be present:

    /baorepo/http/resource*

    /baorepo/http/configuration*

    /baorepo/resource

    /baorepo/http/mediaMetadataField*

    Dec 29, 2016 12:07
    1. Shweta Hardikar

      Thanks for the comment, Rainer. We will update this topic based on your recommendations as soon as possible.

       

      Jan 02, 2017 10:20
    1. Dorothy Poole

      Hi Rainer. Thank you for pointing this out. I've added that information and a link to the KA article.

      Jan 03, 2017 09:55