Configuring BMC Remedy Single Sign-On integration for BMC Digital Workplace Catalog

You must have system administrator privileges to install and configure BMC Remedy Single Sign-On (SSO) to enable BMC Digital Workplace users to perform end-to-end service request tasks through BMC Digital Workplace Catalog and BMC Remedy IT Service Management.

Important

BMC Digital Workplace Catalog requires BMC Remedy Single Sign-On release 9.1.03 or later.

Before you begin

This topic assumes you have already installed and configured BMC Remedy SSO onto a Windows or Linux server. After verifying the following setup requirements, you can configure the BMC Digital Workplace Catalog server to authenticate through BMC Remedy SSO.

Values in <ANGLE_BRACKETS> refer to the server parameters that were used when installing BMC Digital Workplace Catalog .

To leverage and use the default BMC Digital Workplace Catalog system users, while using any of the supported authentication systems, you must enable AR System authentication for bypass. For more information on setting up your groups and accounts, see Overview-of-user-accounts-and-groups-for-BMC-Digital-Workplace-Catalog.
Ensure you can access:
- BMC Remedy SSO administration console as the administrator.
- BMC Digital Workplace Catalog server from the command line as <BMC_DWP_USER>. Example: Demo

Set up a Mid Tier to manage the BMC Digital Workplace Catalog server.
For instructions, see Setting-up-a-Remedy-Mid-Tier-for-system-administration-of-the-BMC-Digital-Workplace-Catalog-server.
Confirm the following system settings, used in options.txt when the application was installed:
- The location of the application installation, referred to as <installLocation>.
  Example: /opt/bmc/digitalworkplace
- The tenant domain name configured for the application.
  Example: calbro.com
- The fully qualified domain name or IP address of the server on which BMC Digital Workplace Catalog is installed, referred to as <BMC_DWP_SERVER_HOST_NAME>.
  Example: 127.0.0.1
Create a catalog administrator user with admin, myit admin, and myit super admin permissions on the ITSM server.

To configure BMC Remedy Single Sign-On

To configure the authentication scheme to prepare for integration with BMC Digital Workplace Catalog:

Log onto the BMC Remedy SSO administration console.
Go to General > Advanced and set values based on the following example:
- Cookie Name: Any arbitrary value.
- Backchannel Service URL: The URL to access BMC Remedy SSO.
Go to Realm > General to confirm that the value of the Tenant field matches the tenant domain name configured for BMC Digital Workplace Catalog .
Go to Realm > Authentication to confirm the AR Server Information settings.
Click Test.
The success message will appear if the configuration is correct.
Save the configuration.

To configure the BMC Digital Workplace Catalog server

To configure BMC Digital Workplace Catalog to use BMC Remedy SSO, you must copy the required integration files into specific locations. Then you must edit the configuration files, and configure the external authentication options using BMC Remedy Mid Tier.

To copy the BMC Remedy SSO files into the required locations
To edit the configuration files
To configure the external authentication options using BMC Remedy Mid Tier
To prepare for Remedy ITSM user sync utility
To restart the server

To copy the BMC Remedy SSO files into the required locations

When you installed BMC Digital Workplace Catalog , the installer copied the required BMC Remedy SSO agent library and configuration files into a hidden location on the server.

On the BMC Digital Workplace Catalog server, find the hidden .rsso folder.
Example
# cd <installLocation>/sb/
# ls -al
The .rsso folder is a hidden file in the list of files and folders.

Copy the following files from <installLocation>/sb/.rsso into the specified target locations.

File name	Target location
rsso-agent-osgi.jar	<installLocation>/deploy
rsso-agent.properties	<installLocation>/conf
rsso.cfg	<installLocation>/conf
gson-2.3.1.jar	<installLocation>/pluginsvr
rsso-area-plugin-all.jar	<installLocation>/pluginsvr

To edit the configuration files

Use a text editor to edit the configuration files to modify the required settings.

On the BMC Digital Workplace Catalog server, stop the application before editing the configuration files to match your settings.
Example
# cd <installLocation>
# ./dwpcontroller stop

Open <installLocation>/conf/rsso-agent.properties, and confirm or update the following values:

Property name	Example value	Comment
agent-id	agent-sbe	Unique value for each application where BMC Remedy SSO is configured. In a clustered system, all nodes of the same application share the same agent-id. The agent-id values for BMC Digital Workplace and BMC Digital Workplace Catalog must match -- the logout functionality will not work otherwise.
logout-urls	/sso_logout	Default value; do not change.
sso-external-url	https://idprovider.calbro.com/rsso	Public RSSO server URL for end user login/logout .
sso-service-url	https://api.calbro.com/rsso	API endpoint URL of the BMC Remedy SSO server used for internal calls within the application. You can also use the same URL as sso-external-url .

Open the <installLocation>/pluginsvr/pluginsvr_config.xml file and comment out or remove the following plugin sections:
Example
In the same <installLocation>/pluginsvr/pluginsvr_config.xml file, insert the following section. Replace $installLocation in the example to match where you installed the application:
Example
<plugin>
   <name>ARSYS.AREA.RSSO</name>
   <classname>com.bmc.rsso.plugin.area.RSSOPlugin</classname>
   <pathelement type="location">$installLocation/pluginsvr/rsso-area-plugin-all.jar</pathelement>
   <pathelement type="location">$installLocation/pluginsvr/gson-2.3.1.jar</pathelement>
   <userDefined>
       <configFile>$installLocation/conf/rsso.cfg</configFile>
   </userDefined>
</plugin>
Open the <installLocation>/conf/ar.conf file, and comment out or remove the following entries.
In the example, 127.0.0.1 represents the server IP address that is specified in the installation configuration as: BMC_DWP_SERVER_HOST_NAME
Example
#Server-Plugin-Alias: ARSYS.ARDBC.PENTAHO ARSYS.ARDBC.PENTAHO 127.0.0.1:9999
#Server-Plugin-Alias: ARSYS.ARF.ARMIGRATE ARSYS.ARF.ARMIGRATE 127.0.0.1:9999
#Server-Plugin-Alias: ARSYS.ARF.ATSSOCONFIRMPWD 127.0.0.0.1:9999
#Server-Plugin-Alias: ARSYS.ARDBC.ARREPORTENGINE ARSYS.ARDBC.ARREPORTENGINE 127.0.0.1:9999
In the same <installLocation>/conf/ar.conf file, insert the following line. Replace 127.0.0.1 with the server IP address or fully qualified domain name specified in the installation configuration as: BMC_DWP_SERVER_HOST_NAME.
Example
Server-Plugin-Alias: AREA AREA 127.0.0.1:9999
Open the <installLocation>/conf/rsso.cfg file, and verify all lines that begin with SSO-SERVICE-URL are commented out:
Example
#SSO-SERVICE-URL: http://rsso-server-example.com:9000/rsso
Open the <installLocation>/sb/env/set_script_variables.sh file, and set export TENANT_NAME to match the Tenant field in the BMC Remedy SSO Realm configuration:
Example
export TENANT_NAME=calbro.com

To configure the external authentication options using BMC Remedy Mid Tier

The following configuration must be performed using the credentials of the application administrator user, specified in the installation configuration as: <BMC_DWP_ADMIN>

In the following steps, the example <BMC_DWP_ADMIN> account is the default Demo user.

Log onto the BMC Remedy Mid Tier configured for the BMC Digital Workplace Catalog server as the application administrator.
Select AR System Administration > AR System Administration Console.
Expand Common Server Configuration > General
Click Server Information.
On the EA tab at the server level:
- Set External Authentication Server RPC Program Number to 390695:
- Clear the Cross Reference Blank Password check box.
EA is an acronym for External Authentication. For more information about configuring alternate single sign-on methods, and the meaning of the component settings, see Setting-external-authentication-options (BMC Remedy Action Request System 9.1 online documentation).
Ignore the warning to restart the AR System server. You will restart after you configure the tenant settings.
Click Apply.
Click Close to return to Common Server Configuration > General.
Log out of the AR System Administration Console.

To prepare for Remedy ITSM user sync utility

If you will be copying users from an existing Remedy IT Service Management user database, you must modify a tenant configuration setting as the tenant administrator.

In the following steps, the example tenant administrator is hannah_admin@calbro.com.

Log onto the BMC Remedy Mid Tier configured for the BMC Digital Workplace Catalog server as the tenant administrator.
Select AR System Administration > AR System Administration Console.
Expand Tenant Server Configuration > General
Click Server Information.
On the EA tab:
- Select the Cross Reference Blank Password check box.
- From the Authentication Chaining Mode options, select ARS - AREA.
Click Apply.
Click Close to return to Tenant Server Configuration > General.
Log out of the AR System Administration Console.

To restart the server

Start the server, and enter the credentials of the system administrator when prompted.

Example

# cd /opt/bmc/ARsystem
# ./dwpcontroller start

BMC Remedy SSO for secondary servers

When configuring additional BMC Digital Workplace Catalog servers to authenticate using BMC Remedy SSO as an ID provider, ensure that all the servers share the same values for the following settings:

sso-external-url
sso-service-url
agent-id

BMC Remedy SSO for other BMC applications

When configuring authentication for applications such as BMC Digital Workplace, Smart IT, and Remedy IT Service Management, note the following highlights:

General BMC Remedy SSO configuration
To configure BMC Remedy Mid Tier to not require the tenant domain
For more information about configuring Remedy SSO with other BMC applications

General BMC Remedy SSO configuration

When configuring BMC Digital Workplace, BMC Remedy with Smart IT, and BMC Remedy Mid Tier to authenticate using BMC Remedy SSO as an ID provider, ensure that all the servers point to the same RSSO server specified in the following settings:

sso-external-url
sso-service-url

To configure BMC Remedy Mid Tier to not require the tenant domain

Without this setting, applications require login requests in a format used by BMC Digital Workplace Catalog.
Example: user@domain.com

With this setting, applications accept login requests that do not include a tenant domain.
Example: user

On the server that hosts the mid tier, go to the following location:
<Mid Tier installation directory>/conf
For instance, /opt/bmc/ARSystem/midtier/conf
Create a new file called: rsso-authenticator.properties
Open the rsso-authenticator.properties file in a text editor, and add the following line:
ignore-tenant=true
Save and close the file.
Go to <Mid Tier installation directory>/WEB-INF/classes (For instance, /opt/bmc/ARSystem/midtier/WEB-INF/classes) and open the config.properties file in a text editor, and add the following line to reference the rsso-authenticator.properties file:
arsystem.authenticator.config.file=rsso-authenticator.properties
In the apache tomcat\conf\catalina.properties file, add the following line:
shared.loader=<Mid Tier installation directory>\conf
OR
shared.loader="C:/MidtierPath/conf"
Save and close the file.
(Windows server only) On a Windows server that hosts the mid tier, perform the following tasks:
1. Open the Tomcat console, and add <Mid Tier installation directory>\conf to the Java Classpath:
2. Restart the Tomcat server.

For more information about configuring Remedy SSO with other BMC applications

For specific information, see the following topics in the BMC Remedy SSO 9.1 online documentation:

To configure logging to help troubleshoot issues with RSSO

On the BMC Digital Workplace Catalogserver, open /opt/bmc/dw/bin/arserverd.conf.
Copy the last jvm.option.xx parameter, and add it to the file.
Replace the xx value of the jvm.option.xx parameter with the "+1" value. In the following example, the previous line was 22:
jvm.option.23=-Drsso.log.cfg.file=/opt/bmc/digitalworkplace/conf/rsso-log.cfg
Open /opt/bmc/digitalworkplace/conf/rsso-log.cfg, and make sure it has the following configuration:
rsso.log.name.format=rs_Try.%g.log
rsso.log.level=FINEST
rsso.log.roll=10
rsso.log.limit=5242880
rsso.log.dir=/opt/bmc/digitalworkplace/db/
Open /opt/bmc/digitalworkplace/pluginsvr/log4j_pluginsvr.xml
Make the following changes to debug:
<logger name="com.bmc.arsys.pluginsvr">
<level value="debug" />
</logger>
......
<root>
<priority value ="error" />
<appender-ref ref="PluginLog" />
</root>
Open the /opt/bmc/digitalworkplace/conf/logback_server.xml
<logger name="com.bmc.rsso" level="DEBUG" additivity="false">
<appender-ref ref="BUNDLE" />
</logger>
Restart the BMC Digital Workplace Catalog server.
Log in to the Mid tier tool as Demo.
Click on the AR System Administration Console, and go to Common Server Configuration > General > Plugin Server Configuration.
Click OK through the warning messages that show up.
Once the Plugin Server Configuration screen appears, click on the Plugin Server Configuration tab.
Under the Logging Configuration, switch the Enable Plugin Log to True and the Log Level to Debug, and click Apply.
Click OK through the warning messages that show up.

Validation

Once you have carried out all the necessary steps, log in to BMC Digital Workplace Catalog and BMC Digital Workplace to ensure Remedy SSO has been installed and configured correctly. If it is correctly installed, you will be able to access both servers by logging in just once.

Troubleshooting

Core bundles report "not yet up"

If you attempt to restart the BMC Digital Workplace Catalog platform server before completing the configuration steps, you might see the following error repeated: