BMC Server Automation employs a two-stage procedure for authenticating client application users to their respective middle-tier servers. First, client users authenticate with a BMC Server Automation Authentication Service (one of the services hosted by a BMC Server Automation Application Server) and acquire an SSO session credential. Then, having acquired a credential, the client application establishes a TLS session with a middle tier service — either an Application Service or Network Shell Proxy Service. After the TLS session is established, the client presents its SSO session credential to the service, which validates the credential and uses it to establish the identity of the client user. Readers familiar with HTTP cookies might view SSO session credentials as analogous to cookies used to communicate an authenticated identity to a BMC Server Automation service.
SSO session credentials have a finite lifetime and can be cached in the file system of the client host. BMC Server Automation Console users can choose whether to cache newly acquired session credentials in a cache file. The session credential cache file can only hold one session credential. This constraint will be relaxed in a future release.
If a client application's credential cache contains an unexpired session credential, that credential can be used to establish a new client/server session without requiring the user to re-authenticate. All BMC Server Automation client applications except BMC BladeLogic Decision Support for Server Automation can share the same session credential.
The BMC Server Automation Console has user authentication utilities built into it. The two client command line applications (BLCLI and Network Shell) do not. To connect to a middle tier server, the command line applications require access to a session credential that was acquired previously. BMC Server Automation provides a command line-based user authentication utility called
blcred. Users can authenticate with
blcred and acquire session credentials for the command line applications.
BMC BladeLogic Decision Support for Server Automation is a web-based application that uses BMC Server Automation single sign-on functionality in a different manner than other BMC Server Automation applications. A reports user logs in by providing the user credentials required for his or her authentication type. The reports server uses these credentials to authenticate to the BMC Server Automation Authentication Service.
Single sign-on functionality supports the following authentication mechanisms: