This documentation supports the 9.0 version of BMC Atrium Single Sign-On, which is in "End of Version Support." However, the documentation is available for your convenience. You will not be able to leave comments.


Integrating BMC ProactiveNet

BMC ProactiveNet 9.0.00 uses the BMC Atrium Single Sign-On authentication system to provide single sign-on and single sign-off. BMC Atrium Single Sign-On allows users to present credentials only once for authentication and subsequently be automatically authenticated by every BMC product that is integrated into the system.

Users, user groups and privileges defined in BMC Atrium Single Sign-On are used for BMC ProactiveNet group mapping. See Managing users and Managing user groups.

Before you begin

BMC Atrium Single Sign-On must be installed and configured before installing BMC ProactiveNet.

  • Ensure that the BMC ProactiveNet users and user groups are created in BMC Atrium Single Sign-On. See To define users and groups.
  • Ensure that the BMC ProactiveNet users are assigned to groups. See To assign users to user groups.
  • If you want to use the latest features of BMC Atrium Single Sign-On, you must upgrade to the 9.0 web agent libraries on your existing BMC product servers. You do not need to reintegrate your products with BMC Atrium Single Sign-On. Contact the respective BMC product administrator for upgrading agent libraries.


Note

The BMC ProactiveNet Single Sign-On feature can be integrated either during installation, or post-installation.

To integrate BMC ProactiveNet during installation

Note

The BMC ProactiveNet Server installer prompts for information that must already be defined in BMC Atrium Single Sign-On.

  1. Select Single Sign-On (SSO) - Enable and configure
  2. Provide the following information:

    | Field | Description |
    | --- | --- |
    | Atrium SSO Server Hostname Domain | Enter the fully qualified name of the BMC Atrium Single Sign-On server. |
    | ProactiveNet Server Hostname Domain | Enter the fully qualified host name of the server where BMC ProactiveNet Server is installed. By default, this field is populated with the host name of the server on which the installer is executed. |
    | Atrium SSO HTTPS Port | Enter the BMC Atrium Single Sign-On secure port number. The default port number is 8443. |
    | Searcher ID | Enter the BMC Atrium Single Sign-On Searcher ID used to search all user names and groups. |
    | Searcher Password | Enter the password of the Searcher ID user. |
    | Atrium SSO AmAdmin Password | Enter the BMC Atrium Single Sign-On server amAdmin password. |

To integrate BMC ProactiveNet after installation

The BMC Atrium Single Sign-On feature can be configured post-installation in one of two ways:

  • Using the Post Installation Configuration interface in the BMC ProactiveNet Operations Console. For more information, see the BMC ProactiveNet User Guide.
  • Using the pw sso commands. For more information, see the BMC ProactiveNet CLI Reference Guide.

Once BMC Atrium Single Sign-On is integrated, when you launch BMC ProactiveNet, the BMC Atrium SSO screen appears. Enter your user name and password and BMC ProactiveNet automatically launches.

  • If you launch BMC ProactiveNet and try to log in as a user who is not associated with a valid user group in BMC Atrium Single Sign-On, BMC ProactiveNet displays an error stating "Invalid username/password".
  • If you receive a message that the BMC ProactiveNet Server has restarted, you must close the browser, then re-open the browser and log back in.

To define users and groups

To enable single sign-on, you must first create BMC ProactiveNet users and user groups in BMC Atrium Single Sign-On. Users and user groups defined in BMC Atrium Single Sign-On are used for BMC ProactiveNet group mapping.

During installation of BMC ProactiveNet, the BMC ProactiveNet Server Installer prompts for information that must already be defined in BMC Atrium Single Sign-On. Therefore the minimum required definition in BMC Atrium Single Sign-On, before installing BMC ProactiveNet, is the following:

  1. Create a Searcher user and assign the BmcSearchAdmins group.
  2. Define the SSO amAdmin user and assign full access privileges. (The SSO amAdmin user is automatically created during installation of BMC Atrium Single Sign-On.)
  3. Create an Administrative user group and assign the BmcAdmins group.

To create new users

New users can only be created when you are using the internal LDAP server for authentication. If an external source is used for authentication, new users must be created within that external system.

  1. Sign onto BMC Atrium Single Sign-On.
  2. Click Edit BMC Realm and select the User tab.

    Note

    When integrating a BMC ProactiveNet Server with an external system such as SSO or LDAP for authentication, ensure that the same user name does not exist in both the external system and the BMC ProactiveNet Server.

    If the same user exists in both, user group associations defined in BMC ProactiveNet will be considered.

    1. Click Add.
    2. In the UserId field, enter a unique identifier for the new user. This value is used as the user ID when the user logs in. If special characters, such as comma ( , ), semi-colon ( ; ), or plus sign ( + ) are used in the user ID, the backslash (\) must precede the special character. For example, Baldwin\,bob.
    3. Enter the user's last name and full name.
    4. Enter an initial default password (which the user changes) and confirm this default password.
    5. In the Status field, verify that the Active radio button is selected (default).
    6. Click Save.

To assign users to user groups

  1. In BMC Atrium Single Sign-On, click Edit BmcRealm and select the Groups tab.
  2. Select the group name and click Edit.
  3. Select users from the Available Users list.
  4. Click Add.
  5. Alternatively, you can add all of the users by clicking Add All.

    Note

    An initial password must be provided when creating the account. Once created, the user can log into BMC Atrium Single Sign-On and update the password and their personal information through the following URL:

  6. Click Save to save the changes.

    The membership change is immediately put into effect.

To clean up Web Agent entries when the BMC ProactiveNet Server is uninstalled

The following steps are required to delete Web Agent entries on the BMC Atrium Single Sign-On Server when the BMC ProactiveNet Server is uninstalled.

Note

Any changes made to a BMC Atrium Single Sign-On user will not be reflected in an active BMC ProactiveNet session.

The user must log out and log back in for the changes to be in effect.

  1. On BMC Atrium Single Sign-On Console, click Edit BMC Realm.
  2. Click Agents Details.
    A list of the Agents that are registered on the Single Sign-On server displays.
  3. Identify the two Agents corresponding to your BMC ProactiveNet Server host.
    Search for the following patterns:

    /@<BMC ProactiveNet Server Host>:<Port>
    /admin@<BMC ProactiveNet Server Host>:<Port>
  4. Mark the Agents to delete by selecting their corresponding checkboxes.
  5. Click Delete.

Comments

  1. Michael Evans

    It would be great to include a use case - like a real world example. Consider the below from Daric Smith:

    This at least gives a really good starting point for them to understand the requirements for TSPS. The documentation you linked is still useless as it all just directs you over to Atrium SSO that has no information. What is weird is with the below information it isn’t at all complicated to configure. The lack of basic use-cases makes it extremely complicated.

    Considerations when configuring Atrium SSO for Truesight:

    1. If there are multiple application groups accessing Truesight Presentation, it will be well worth your while to either:
      a. Create new directory groups that fit a specific naming convention.
      b. Ensure you don’t select groups that are extremely broad such as Domain Users. Create many search filters to get only the groups you need. TSPS and Atrium SSO are very inefficient.
    2. There can be massive delays if you set your LDAP search base too high and you have a large directory; you won’t be able to enumerate accounts or groups as it will just time out. Atrium SSO doesn’t perform any sync action and caches the data, it enumerates as needed.
    3. TSPS is limited by the Max Search Results. This is probably the most important. If your max search results are set to 100 but you have 101 accounts that you need access to, TSPS won’t see anything above the 100.
      a. This is incredibly important as you need to set your Search Filter and Search Base DN to be as granular as possible.
    4. In Atrium SSO you can create as many User Stores as needed to account for users or security groups in different SSOs.
      a. NOTE: Attributes are case sensitive.
      b. Every user or group within an LDAP or Active Directory Store has Attributes associated with it. Open any user in Active Directory and click the Attributes tab (most domains allow any Domain user to view attributes). Those are the attributes you reference for search attributes:
      c. Key attributes most often used in search filters:
        i. sAMAccountName: Sort of the NetBIOS name of user accounts. Just the username nothing else.
        ii. distinguishedName (DN): This is the full path to a user account and can include the user account name. The DN is also the path in the Search Base.
        iii. cn (canonicalName): This is the User Friendly name (or Full Name).
        iv. userPrincipalName (UPN): This is the fully qualified domain name for a user. This can be useful to ensure that bob@aol.com is very different than bob@microsoft.com. There can be only one.
        v. There are many other attributes, but those are the most commonly used for user / group filters.
      d. Search filters are your friend. You can search Google for examples of LDAP queries. Some examples:
        i. Group Search Filter: (|(cn=Application Group*))
          1. This search filter will look for any group whose cn starts with Application Group.
        ii. Many group search filter: (|(cn=Application Group*)(Bob’s Group)(Full*))
          1. Similar to the other filter, this now adds an OR to the enter filter.
        iii. User Search Filter: You are looking at the similar type of filter queries with users.
          1. Let’s say you have an administrative group that suffixes their standard usernames with something like admin. You could do the following:
            a. Search Attribute: sAMAccountName
            b. Search Filter: (sAMAccountName=*-admin)
      e. There are many more examples, but that will get you started with whittling down your results to speed up SSO.


    Dec 17, 2015 12:28
    1. Kamalakannan Srinivasan

      Hi Michael,

      Thank you for your comment. I will discuss with the technical team and then incorporate your suggestions.

      Regards,

      Kamal

      Dec 17, 2015 11:01
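
The Max Search Results and search-filter points in the first comment above, as an added example (not part of the comment or of BMC's documentation): a small Python model of a capped directory search run over a constructed directory. The parser handles only a subset of LDAP filter syntax, and the case-sensitive attribute names and the cap of 100 are assumptions taken from the comment, not verified Atrium SSO behaviour.

```python
import re

def parse(flt, i=0):
    """Parse a subset of LDAP filter syntax: (&...), (|...), (!...), (attr=value*)."""
    if flt[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if flt[i:i + 1] in ("&", "|", "!"):
        op, kids, i = flt[i], [], i + 1
        while flt[i:i + 1] == "(":
            kid, i = parse(flt, i)
            kids.append(kid)
        if flt[i:i + 1] != ")" or not kids:
            raise ValueError(f"malformed '{op}' group")
        return (op, kids), i + 1
    end = flt.find(")", i)
    attr, eq, pattern = flt[i:end].partition("=")
    if end < 0 or not attr or not eq:
        raise ValueError(f"term needs attribute=value: {flt[i:]!r}")
    return ("=", attr, pattern), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry (attribute name -> list of values)."""
    if node[0] == "=":
        rx = ".*".join(re.escape(part) for part in node[2].split("*"))
        # Assumptions: attribute names case-sensitive (per the comment), values case-insensitive.
        return any(re.fullmatch(rx, v, re.IGNORECASE) for v in entry.get(node[1], []))
    results = [matches(kid, entry) for kid in node[1]]
    return not results[0] if node[0] == "!" else (all if node[0] == "&" else any)(results)

def search(directory, flt, max_results):
    """Return (visible entries, truncated?) for a search capped at max_results."""
    tree, end = parse(flt)
    if end != len(flt):
        raise ValueError("trailing characters after filter")
    hits = [e for e in directory if matches(tree, e)]
    return hits[:max_results], len(hits) > max_results

# Constructed sample directory: 101 ordinary users, 3 admin accounts, 4 groups.
DIRECTORY = (
    [{"sAMAccountName": [f"user{n:03d}"], "cn": [f"User {n:03d}"]} for n in range(101)]
    + [{"sAMAccountName": [f"{n}-admin"], "cn": [f"{n} admin"]} for n in ("alice", "bob", "carol")]
    + [{"cn": [g]} for g in ("Application Group Ops", "Application Group Dev", "Full Access", "Domain Users")]
)

if __name__ == "__main__":
    for flt in ("(sAMAccountName=*)", "(sAMAccountName=*-admin)", "(|(cn=Application Group*)(cn=Full*))"):
        visible, truncated = search(DIRECTORY, flt, 100)
        print(flt, len(visible), "truncated" if truncated else "complete")
```

With the cap at 100, the broad user filter comes back truncated and none of the three `-admin` accounts are visible, while the narrow filter returns all three.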