Configuring BMC Remedy Single Sign-On integration for BMC Digital Workplace Catalog
You must have system administrator privileges to install and configure BMC Remedy Single Sign-On (SSO) to enable BMC Digital Workplace users to perform end-to-end service request tasks through BMC Digital Workplace Catalog and BMC Remedy IT Service Management.
Important
BMC Digital Workplace Catalog requires BMC Remedy Single Sign-On release 9.1.03 or later.
Before you begin
This topic assumes you have already installed and configured BMC Remedy SSO onto a Windows or Linux server. After verifying the following setup requirements, you can configure the BMC Digital Workplace Catalog server to authenticate through BMC Remedy SSO.
Values in <ANGLE_BRACKETS> refer to the server parameters that were used when installing BMC Digital Workplace Catalog .
- To leverage and use the default BMC Digital Workplace Catalog system users, while using any of the supported authentication systems, you must
enable AR System authentication for bypass
. For more information on setting up your groups and accounts, see Overview of user accounts and groups for BMC Digital Workplace Catalog. - Ensure you can access:
- BMC Remedy SSO administration console as the administrator.
- BMC Digital Workplace Catalog server from the command line as
<BMC_DWP_USER>. Example: Demo
- Set up a Mid Tier to manage the BMC Digital Workplace Catalog server.
For instructions, see Setting up a Remedy Mid Tier for system administration of the BMC Digital Workplace Catalog server. - Confirm the following system settings, used in options.txt when the application was installed:
- The location of the application installation, referred to as
<installLocation>.
Example: /opt/bmc/digitalworkplace - The tenant domain name configured for the application.
Example: calbro.com - The fully qualified domain name or IP address of the server on which BMC Digital Workplace Catalog is installed, referred to as
<BMC_DWP_SERVER_HOST_NAME>.
Example: 127.0.0.1
- The location of the application installation, referred to as
- Create a catalog administrator user with admin, myit admin, and myit super admin permissions on the ITSM server.
To configure BMC Remedy Single Sign-On
To configure the authentication scheme to prepare for integration with BMC Digital Workplace Catalog:
- Log onto the BMC Remedy SSO administration console.
- Go to General > Advanced and set values based on the following example:
- Cookie Name: Any arbitrary value.
- Backchannel Service URL: The URL to access BMC Remedy SSO.
- Go to Realm > General to confirm that the value of the Tenant field matches the tenant domain name configured for BMC Digital Workplace Catalog .
Go to Realm > Authentication to confirm the AR Server Information settings.
Click Test.
The success message will appear if the configuration is correct.
- Save the configuration.
To configure the BMC Digital Workplace Catalog server
To configure BMC Digital Workplace Catalog to use BMC Remedy SSO, you must copy the required integration files into specific locations. Then you must edit the configuration files, and configure the external authentication options using BMC Remedy Mid Tier.
To copy the BMC Remedy SSO files into the required locations
When you installed BMC Digital Workplace Catalog , the installer copied the required BMC Remedy SSO agent library and configuration files into a hidden location on the server.
On the BMC Digital Workplace Catalog server, find the hidden .rsso folder.
Example# cd <installLocation>/sb/ # ls -alThe .rsso folder is a hidden file in the list of files and folders.
Copy the following files from <installLocation>/sb/.rsso into the specified target locations.
File name Target location rsso-agent-osgi.jar
<installLocation>/deploy
rsso-agent.properties <installLocation>/conf rsso.cfg <installLocation>/conf gson-2.3.1.jar <installLocation>/pluginsvr rsso-area-plugin-all.jar <installLocation>/pluginsvr
To edit the configuration files
Use a text editor to edit the configuration files to modify the required settings.
On the BMC Digital Workplace Catalog server, stop the application before editing the configuration files to match your settings.
Example# cd <installLocation> # ./dwpcontroller stopOpen <installLocation>/conf/rsso-agent.properties, and confirm or update the following values:
Property name Example value Comment agent-id agent-sbe Unique value for each application where BMC Remedy SSO is configured. In a clustered system, all nodes of the same application share the same agent-id. The agent-id values for BMC Digital Workplace and BMC Digital Workplace Catalog must match -- the logout functionality will not work otherwise. logout-urls /sso_logout Default value; do not change. sso-external-url https://idprovider.calbro.com/rsso Public RSSO server URL for end user login/logout . sso-service-url https://api.calbro.com/rsso API endpoint URL of the BMC Remedy SSO server used for internal calls within the application.
You can also use the same URL as sso-external-url .Open the <installLocation>/pluginsvr/pluginsvr_config.xml file and comment out or remove the following plugin sections:
Example<!-- <plugin> <name>ARSYS.ARF.ATSSOCONFIRMPWD</name> ... </plugin> --> <!-- <plugin> <name>ARSYS.AREA.ATRIUMSSO</name> ... </plugin> --> <!-- <plugin> <name>ARSYS.ARDBC.PENTAHO</name> ... </plugin> -->In the same <installLocation>/pluginsvr/pluginsvr_config.xml file, insert the following section. Replace
$installLocationin the example to match where you installed the application:Example<plugin> <name>ARSYS.AREA.RSSO</name> <classname>com.bmc.rsso.plugin.area.RSSOPlugin</classname> <pathelement type="location">$installLocation/pluginsvr/rsso-area-plugin-all.jar</pathelement> <pathelement type="location">$installLocation/pluginsvr/gson-2.3.1.jar</pathelement> <userDefined> <configFile>$installLocation/conf/rsso.cfg</configFile> </userDefined> </plugin>Open the <installLocation>/conf/ar.conf file, and comment out or remove the following entries.
In the example, 127.0.0.1 represents the server IP address that is specified in the installation configuration as:
BMC_DWP_SERVER_HOST_NAMEExample#Server-Plugin-Alias: ARSYS.ARDBC.PENTAHO ARSYS.ARDBC.PENTAHO 127.0.0.1:9999 #Server-Plugin-Alias: ARSYS.ARF.ARMIGRATE ARSYS.ARF.ARMIGRATE 127.0.0.1:9999 #Server-Plugin-Alias: ARSYS.ARF.ATSSOCONFIRMPWD 127.0.0.0.1:9999 #Server-Plugin-Alias: ARSYS.ARDBC.ARREPORTENGINE ARSYS.ARDBC.ARREPORTENGINE 127.0.0.1:9999In the same <installLocation>/conf/ar.conf file, insert the following line. Replace
127.0.0.1with the server IP address or fully qualified domain name specified in the installation configuration as:BMC_DWP_SERVER_HOST_NAME.ExampleServer-Plugin-Alias: AREA AREA 127.0.0.1:9999Open the <installLocation>/conf/rsso.cfg file, and verify all lines that begin with
SSO-SERVICE-URLare commented out:Example#SSO-SERVICE-URL: http://rsso-server-example.com:9000/rssoOpen the <installLocation>/sb/env/set_script_variables.sh file, and set export TENANT_NAME to match the Tenant field in the BMC Remedy SSO Realm configuration:
Exampleexport TENANT_NAME=calbro.com
To configure the external authentication options using BMC Remedy Mid Tier
The following configuration must be performed using the credentials of the application administrator user, specified in the installation configuration as: <BMC_DWP_ADMIN>
In the following steps, the example <BMC_DWP_ADMIN> account is the default Demo user.
- Log onto the BMC Remedy Mid Tier configured for the BMC Digital Workplace Catalog server as the application administrator.
Select AR System Administration > AR System Administration Console.
Expand Common Server Configuration > General
Click Server Information.
On the EA tab at the server level:
Set External Authentication Server RPC Program Number to 390695:
- Clear the Cross Reference Blank Password check box.
Note
EA is an acronym for External Authentication. For more information about configuring alternate single sign-on methods, and the meaning of the component settings, see Setting external authentication options (BMC Remedy Action Request System 9.1 online documentation).
Ignore the warning to restart the AR System server. You will restart after you configure the tenant settings.- Click Apply.
- Click Close to return to Common Server Configuration > General.
- Log out of the AR System Administration Console.
To prepare for Remedy ITSM user sync utility
If you will be copying users from an existing Remedy IT Service Management user database, you must modify a tenant configuration setting as the tenant administrator.
In the following steps, the example tenant administrator is hannah_admin@calbro.com.
- Log onto the BMC Remedy Mid Tier configured for the BMC Digital Workplace Catalog server as the tenant administrator.
Select AR System Administration > AR System Administration Console.
Expand Tenant Server Configuration > General
Click Server Information.
On the EA tab:
Select the Cross Reference Blank Password check box.
From the Authentication Chaining Mode options, select ARS - AREA.
- Click Apply.
- Click Close to return to Tenant Server Configuration > General.
- Log out of the AR System Administration Console.
To restart the server
Start the server, and enter the credentials of the system administrator when prompted.
# cd /opt/bmc/ARsystem
# ./dwpcontroller startBMC Remedy SSO for secondary servers
When configuring additional BMC Digital Workplace Catalog servers to authenticate using BMC Remedy SSO as an ID provider, ensure that all the servers share the same values for the following settings:
- sso-external-url
- sso-service-url
- agent-id
BMC Remedy SSO for other BMC applications
When configuring authentication for applications such as BMC Digital Workplace, Smart IT, and Remedy IT Service Management, note the following highlights:
General BMC Remedy SSO configuration
When configuring BMC Digital Workplace, BMC Remedy with Smart IT, and BMC Remedy Mid Tier to authenticate using BMC Remedy SSO as an ID provider, ensure that all the servers point to the same RSSO server specified in the following settings:
- sso-external-url
- sso-service-url
To configure BMC Remedy Mid Tier to not require the tenant domain
Without this setting, applications require login requests in a format used by BMC Digital Workplace Catalog.
Example: user@domain.com
With this setting, applications accept login requests that do not include a tenant domain.
Example: user
On the server that hosts the mid tier, go to the following location:
<Mid Tier installation directory>/conf For instance, /opt/bmc/ARSystem/midtier/conf- Create a new file called: rsso-authenticator.properties
Open the rsso-authenticator.properties file in a text editor, and add the following line:
ignore-tenant=trueSave and close the file.
Go to
<Mid Tier installation directory>/WEB-INF/classes(For instance,/opt/bmc/ARSystem/midtier/WEB-INF/classes) and open the config.properties file in a text editor, and add the following line to reference the rsso-authenticator.properties file:arsystem.authenticator.config.file=rsso-authenticator.propertiesIn the apache tomcat\conf\catalina.properties file, add the following line:
shared.loader=<Mid Tier installation directory>\conf- Save and close the file.
- (Windows server only) On a Windows server that hosts the mid tier, perform the following tasks:
- Open the Tomcat console, and add <Mid Tier installation directory>\conf to the Java Classpath:
- Restart the Tomcat server.
- Open the Tomcat console, and add <Mid Tier installation directory>\conf to the Java Classpath:
For more information about configuring Remedy SSO with other BMC applications
For specific information, see the following topics in the BMC Remedy SSO 9.1 online documentation:
To configure logging to help troubleshoot issues with RSSO
- On the BMC Digital Workplace Catalogserver, open /opt/bmc/dw/bin/arserverd.conf.
- Copy the last jvm.option.xx parameter, and add it to the file.
Replace the xx value of the jvm.option.xx parameter with the "+1" value. In the following example, the previous line was 22:
jvm.option.23=-Drsso.log.cfg.file=/opt/bmc/digitalworkplace/conf/rsso-log.cfgOpen /opt/bmc/digitalworkplace/conf/rsso-log.cfg, and make sure it has the following configuration:
rsso.log.name.format=rs_Try.%g.log rsso.log.level=FINEST rsso.log.roll=10 rsso.log.limit=5242880 rsso.log.dir=/opt/bmc/digitalworkplace/db/- Open /opt/bmc/digitalworkplace/pluginsvr/log4j_pluginsvr.xml
Make the following changes to debug:
<logger name="com.bmc.arsys.pluginsvr"> <level value="debug" /> </logger> ...... <root> <priority value ="error" /> <appender-ref ref="PluginLog" /> </root>Open the /opt/bmc/digitalworkplace/conf/logback_server.xml
<logger name="com.bmc.rsso" level="DEBUG" additivity="false"> <appender-ref ref="BUNDLE" /> </logger>Restart the BMC Digital Workplace Catalog server.
Log in to the Mid tier tool as Demo.
- Click on the AR System Administration Console, and go to Common Server Configuration > General > Plugin Server Configuration.
- Click OK through the warning messages that show up.
- Once the Plugin Server Configuration screen appears, click on the Plugin Server Configuration tab.
- Under the Logging Configuration, switch the Enable Plugin Log to True and the Log Level to Debug, and click Apply.
- Click OK through the warning messages that show up.
Validation
Once you have carried out all the necessary steps, log in to BMC Digital Workplace Catalog and BMC Digital Workplace to ensure Remedy SSO has been installed and configured correctly. If it is correctly installed, you will be able to access both servers by logging in just once.
Troubleshooting
Core bundles report "not yet up"
If you attempt to restart the BMC Digital Workplace Catalog platform server before completing the configuration steps, you might see the following error repeated:
Checking core bundles are up before running migrations. Not yet up
...Ensure that you complete the configuration before restarting the server. If you have completed the configuration and still receive this error, check for any exceptions in the following log files:
- <installLocation>/db/arjavaplugin.log
- <installLocation>/db/arerror.log
Where to go from here
Complete the remaining procedures in Configuring after installation of BMC Digital Workplace Catalog that are required for your deployment scenario.
Comments