Managing the server configuration
BMC Atrium Single Sign-On server parameters can be modified or enabled, including the server session settings, the cookie name and domain, the password for accessing the server, the FQDN, the logging level, FIPS-140 enablement, and enablement of Online Certificate Status Protocol (OCSP) for Common Access Card (CAC) use.
To modify the server configuration
- On the BMC Atrium SSO Admin Console, click Edit Server Configuration.
- Modify the BMC Atrium Single Sign-On server parameters.
- Click Save.
Committed changes take effect immediately. A server restart is not necessary.
Server configuration parameters
The Server Configuration Editor enables you to update the following parameters when you install or configure the BMC Atrium Single Sign-On server:
General tab
Field | Parameters | Description |
---|---|---|
Cookies | Cookie Name | The cookie name is automatically created at installation, based on the fully qualified domain name (FQDN) of the BMC Atrium Single Sign-On host. |
Cookies | Cookie Domain | The default cookie domain value is the network domain of the computer on which you are installing the server. The default cookie domain specifies the most restrictive access. This value is used to control cookie visibility between servers within the domain. For more information about the default cookie domain, see Default cookie domain. |
Cookies | HTTP Only | Select the HTTP Only check box to mark the BMC Atrium Single Sign-On cookie so that non-HTTP APIs such as JavaScript cannot access it. For more information about the HTTP Only parameter, see HTTP Only and HTTPS Only. |
Cookies | HTTPS Only | Select the HTTPS Only check box to mark the cookie with the Secure option, which ensures that the browser transmits the cookie to the server only over HTTPS connections. For more information about the HTTPS Only parameter, see HTTP Only and HTTPS Only. |
amAdmin | Password | The password for accessing the BMC Atrium Single Sign-On server. |
External URL | None | FQDN for the BMC Atrium Single Sign-On server. |
Logging Level | None | Logging-level options: |
Enable FIPS-140 | None | Configure FIPS-140 before enabling. See Configuring FIPS-140 mode. |
Online Certificate Status Protocol | None | Common Access Card (CAC) can use Online Certificate Status Protocol (OCSP). If CAC uses OCSP, configure CAC before enabling. If CAC does not use OCSP, no configuration is required. |
Session | Max Session Time | Time after which your session is logged out, even when you are active. The time constraint is enforced automatically when this value is set. Default: 120 minutes. After the maximum session time is reached, the user must close the browser and log in to the system again, regardless of activity. The maximum session time is usually 4 hours, 8 hours, or 12 hours. Note: The Max Session Time value must be greater than the Idle Timeout value. |
Session | Idle Timeout | Time after which your session is logged out if you are inactive or away. The time constraint is enforced automatically when this value is set. Default: 30 minutes. Note: When you have integrated BMC Atrium Single Sign-On with BMC Remedy AR System, the BMC Atrium Single Sign-On Idle Timeout value must be 3 minutes more than the BMC Remedy Mid Tier Session Timeout (Minutes) value. For example, if the BMC Remedy Mid Tier timeout is set to 90 minutes, set the BMC Atrium Single Sign-On idle timeout to 93. |
Session | Cache Time | Time after which the cache is cleared. The time constraint is enforced automatically. Default: 3 minutes. |
Session | Max Session Count per User | Maximum number of concurrent sessions allowed for a user. Click Enable to enable Max Session Count per User. Default: 5. |
Certificates tab
Field/Action | Parameters | Description |
---|---|---|
Certificates | Alias | The alias used to index the entry. Click the alias to open the certificate details. There is no separate Details button; to view the details of an entry, click its alias name in the Certificates table. |
Certificates | Type | Entry type; for example, Certificate for certificate-only entries and pair for certificates with private keys. |
Certificates | Owner | The DN of the owner of the certificate. |
Certificate Store | KeyStore | You can manage the BMC Atrium Single Sign-On server certificate using the KeyStore option. The store contains the certificate that is served when a client connects to the BMC Atrium Single Sign-On server. The KeyStore file is keystore.p12. |
Certificate Store | TrustStore | You can manage the external CA certificates using the TrustStore option. The store contains the certificates with which you want BMC Atrium Single Sign-On to form a trust relationship. The TrustStore file is cacerts.p12. |
Certificate Store | SAMLv2 KeyStore | Use this option for the signing and encryption certificates of a SAMLv2 Service Provider (SP) or Identity Provider (IdP). The SAMLv2 KeyStore file is cot.jks. |
Certificate Store | Session KeyStore | Use this option for the SSL/TLS certificates used for session sharing. The Session KeyStore file is apache.mq.store.p12. |
Import | None | Use Import to add a certificate or private key pair to the keystores and truststores. When you click Import, the Upload Certificate Editor is displayed. Enter or upload the valid certificate details. You can paste a PEM-encoded certificate, or browse to upload a PEM/DER-encoded certificate file or a PKCS12 file. You can also enter a host and port from which to capture a certificate. If you want to import a key pair, upload the PEM-encoded pair or the PKCS12 file. When you select a PKCS12 file, an additional password field is provided, allowing you to enter the password for the KeyStore. After you upload the certificate, verify the details in the Import Certificate Editor and enter the alias for the certificate. Note: If you want to update an existing certificate in the keystore or truststore, reimport it, enter the same alias, and confirm the reimport. |
Delete | None | To delete a certificate, select it and click Delete. |
CSR | None | Use to generate a new CSR. When you select a certificate key pair and click CSR, a new window with the CSR details appears. You can save the CSR details to a new file or copy them to send to the CA. You must then send this CSR to the Certificate Authority (CA) for digital signing. The CA validates the server's identity, signs the CSR with its private key, and returns a signed identity certificate. CSR is available only when you select a single key pair; it is disabled for truststores. |
New | None | Use New to create a new certificate or a private key using the following parameters: Note: The New option is available for keystores only. |
PEM | None | You can export a certificate or certificate key pair in PEM format. Select any certificate or key pair and click PEM. A new window appears with the PEM-encoded certificate. You can then save the PEM details to a new file or copy them. Note: You cannot export the private key using the PEM option. However, for a key-pair entry, you can export its certificate. |
HTTP Only and HTTPS Only
With the release of BMC Atrium Single Sign-On 8.1 Patch 3, the Server Configuration Editor provides two new options: HTTP Only and HTTPS Only.
The HTTP Only parameter marks the BMC Atrium Single Sign-On cookie so that non-HTTP APIs such as JavaScript cannot access it. When enabled, the HTTPS Only parameter marks the cookie with the Secure option, which ensures that the browser transmits the cookie to the server only over HTTPS connections.
The default value of both check boxes is false. When set to true, these options prevent scripts and third-party programs from accessing the cookies.
To secure BMC Atrium Single Sign-On as a stand-alone server
- Open the Edit Server Configuration tab on the BMC Atrium SSO Admin Console.
- Select the HTTP Only and HTTPS Only check boxes, and click Save.
- Restart the BMC Atrium Single Sign-On server.
- Clear all cookies from the browser history.
To secure BMC Atrium Single Sign-On as a High Availability cluster
- Open the HA Node Details tab on the BMC Atrium SSO Admin Console.
- Select the node for which the HTTP Only and HTTPS Only options are to be enabled.
- Select the HTTP Only and HTTPS Only check boxes for each node, and click Save.
Note
Configuration warnings appear, telling you that the HTTP Only and HTTPS Only settings are out of sync for some nodes. You can ignore the warnings and click OK.
- Restart the server.
- Clear all cookies from the browser history.
Note
A warning is displayed after the configuration change is saved when the HTTP Only, HTTPS Only, Cookie Name, or Cookie Domain setting is out of sync with other nodes. The warning message lists the other nodes that do not match the currently saved value.
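After the restart and cookie clearing, the way to confirm that the two options actually took effect on each node is to look at the Set-Cookie header the node returns. The following is an added example (not code from the BMC documentation or product) that audits captured Set-Cookie headers for the HttpOnly and Secure attributes and for the expected cookie domain; the cookie name, domain and headers in it are constructed placeholders.

```python
# Added example (not BMC's code): audit the Set-Cookie headers a BMC Atrium
# Single Sign-On node returns and report whether the SSO cookie carries the
# HttpOnly and Secure attributes that the HTTP Only and HTTPS Only options set.
# The cookie name and headers below are constructed placeholders; the real
# name is derived from the host FQDN at installation.

def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value or True})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        # Flag attributes such as HttpOnly and Secure carry no value; store True.
        attrs[key.strip().lower()] = val.strip() or True
    return name.strip(), value.strip(), attrs


def audit_sso_cookie(set_cookie_headers, cookie_name, expected_domain=None):
    """Return findings for the named cookie; an empty list means both flags are set."""
    findings = []
    seen = False
    for header in set_cookie_headers:
        name, _value, attrs = parse_set_cookie(header)
        if name != cookie_name:
            continue
        seen = True
        if "httponly" not in attrs:
            findings.append("HttpOnly attribute missing: HTTP Only option not in effect")
        if "secure" not in attrs:
            findings.append("Secure attribute missing: HTTPS Only option not in effect")
        domain = attrs.get("domain")
        if expected_domain and isinstance(domain, str) and domain.lstrip(".").lower() != expected_domain.lower():
            findings.append(f"cookie domain {domain!r} differs from expected {expected_domain!r}")
    if not seen:
        findings.append(f"no Set-Cookie header for {cookie_name!r} was observed")
    return findings


# Constructed responses: a node before and after HTTP Only / HTTPS Only are enabled.
COOKIE = "sso-example-com"
BEFORE = [f"{COOKIE}=tok123; Path=/; Domain=.example.com"]
AFTER = [f"{COOKIE}=tok123; Path=/; Domain=.example.com; Secure; HttpOnly"]

if __name__ == "__main__":
    for label, headers in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_sso_cookie(headers, COOKIE, "example.com") or ["OK"])
```

Run it against the headers captured from every node of a High Availability cluster: a node that still reports missing attributes or a different domain is the one the out-of-sync warning refers to.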
Session parameter defaults
The default session parameters for the BMC Atrium Single Sign-On server are:
- Max Session Time (Default: 120 minutes)
- Idle Timeout (Default: 30 minutes)
- Cache Time (Default: 3 minutes)
- Max Session Count per User (Default: 5)
Comments
Idle Timeout: "Note: When you have integrated BMC Atrium Single Sign-On with BMC Remedy AR System, the BMC Atrium Single Sign-On Idle Timeout value must be 3 minutes more than the BMC Remedy Mid Tier Session Timeout (Minutes) value."
Why is that? Is there an explanation to why it has to be exactly 3 minutes? Or is it meant to be "at least" 3 minutes?
E.g. in our current environment we have a MT timeout of 59, because the MT load balancer times out after 60 minutes, and 90 minutes for SSO Idle Timeout. Is that a reasonable setting or do we have to reduce the SSO timeout?