This documentation supports the 22.1 version of BMC Helix Single Sign-On, which is available only to BMC Helix customers (SaaS). 

To view an earlier version, select the version from the Product version menu.

Configuring after installation

When you install the BMC Helix Single Sign-On server, the database password is encrypted with a hard coded key.

Best practice

For security reasons, we recommend that you re-encrypt the database password with a new key after you perform a fresh installation of BMC Helix SSO. If you have BMC Helix SSO in high availability mode, you must re-encrypt the password with a new encryption key on each BMC Helix SSO server node.

Related topic

To re-encrypt the database password for BMC Helix SSO 

Perform the following steps to re-encrypt the database password:

  1. From the command line on BMC Helix SSO, run the following command to re-encrypt the password for the database user:

    java -jar rsso-ds-<RSSO_version>.jar <password> <new-key>

    The following table describes the parameters of the command:

    passwordEnter the unencrypted password of the database user.
    new-keyEnter a new encryption key. It can be any text value.
    rsso-ds-<RSSO_version>.jarThis file is located in the <tomcat>/webapps/rsso/WEB-INF/lib folder.
  2. For each server a BMC Helix SSO cluster, perform the following steps:
    1. Modify the rsso.key file in the <tomcat>/webapps/rsso/WEB-INF/classes folder.
      1. Change the existing line key=<old-key> to key.old=<old-key>, where <old-key> is the current key in the rsso.key file.
      2. Add a new line key=<new-key>, where <new-key> is the new encryption key.
    2. In the context.xml file in the <tomcat>/webapps/rsso/META-INF folder, update the password line as follows:
      password="AES:<encrypted-password>", where <encrypted-password> is the encrypted password.
  3. Verify that BMC Helix SSO works correctly with the newly encrypted password:   
    1. Log in to BMC Helix SSO Admin Сonsole.
    2. On the General tab, click Save without making any change. 
    3. Click the Realm tab.
    4. Edit each realm, and click Save without making any change.
  4. After you have verified that you can successfully save changes in BMC Helix SSO Admin Сonsole, you can remove the old key.  

    For each BMC Helix SSO server, remove the key.old=<old-key> encryption key from the rsso.key file in the <tomcat>/webapps/rsso/WEB-INF/classes folder.


    You do not need to restart the BMC Helix SSO server after you change the encryption key.

Where to go from here

When you have installed and configured the BMC Helix SSO server, you must integrate BMC Helix SSO with applications for which you want to enable single sign-on experience. For information about how to integrate BMC Helix SSO with other applications, see Integrating.

Was this page helpful? Yes No Submitting... Thank you