TrueSight Server Automation employs a two-stage procedure for authenticating client application users to their respective middle-tier servers. First, client users authenticate with a TrueSight Server Automation Authentication Service (one of the services hosted by a TrueSight Server Automation Application Server) and acquire an SSO session credential. Then, having acquired a credential, the client application establishes a TLS session with a middle tier service — either an Application Service or Network Shell Proxy Service. After the TLS session is established, the client presents its SSO session credential to the service, which validates the credential and uses it to establish the identity of the client user. Readers familiar with HTTP cookies might view SSO session credentials as analogous to cookies used to communicate an authenticated identity to a TrueSight Server Automation service.
SSO session credentials have a finite lifetime and can be cached in the file system of the client host. TrueSight Server Automation Console users can choose whether to cache newly acquired session credentials in a cache file. The session credential cache file can only hold one session credential. This constraint will be relaxed in a future release.
If a client application's credential cache contains an unexpired session credential, that credential can be used to establish a new client/server session without requiring the user to re-authenticate. All TrueSight Server Automation client applications except BMC Decision Support for Server Automation or TrueSight Smart Reporting for Server Automation can share the same session credential.
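The reuse-or-re-authenticate behavior described above, modeled as an added example that is not BMC code or the product's credential format. The HMAC-signed JSON credential, the key, the cache file name, the owner-only permission check, and all function names are assumptions made for illustration.

```python
import hashlib, hmac, json, os, tempfile

SERVICE_KEY = b"constructed-demo-key"  # assumption: stands in for a secret held by the services

def _tag(body):
    return hmac.new(SERVICE_KEY, body.encode(), hashlib.sha256).hexdigest()

def issue_credential(user, lifetime_s, now):
    """Stage 1, Authentication Service side: issue a credential with a finite lifetime."""
    body = json.dumps({"user": user, "exp": now + lifetime_s}, sort_keys=True)
    return {"body": body, "tag": _tag(body)}

def validate_credential(cred, now):
    """Stage 2, middle-tier side: check integrity and expiry, return the user or None."""
    if not hmac.compare_digest(_tag(cred["body"]), cred["tag"]):
        return None
    claims = json.loads(cred["body"])
    return claims["user"] if claims["exp"] > now else None

def cache_store(path, cred):
    """Single-slot cache: a new credential replaces the old one; file is owner-only."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(cred, f)

def cache_load(path, now):
    """Return the cached credential only if it exists, is private, and is unexpired."""
    try:
        if os.stat(path).st_mode & 0o077:  # group/other access: treat as unusable
            return None
        with open(path) as f:
            cred = json.load(f)
    except (OSError, ValueError):
        return None
    return cred if json.loads(cred["body"])["exp"] > now else None

def connect(path, user, now, lifetime_s=600):
    """Reuse the cached credential if possible, otherwise authenticate again (stage 1)."""
    cred = cache_load(path, now)
    reused = cred is not None
    if not reused:
        cred = issue_credential(user, lifetime_s, now)
        cache_store(path, cred)
    return validate_credential(cred, now), reused

def demo():
    # Constructed timeline: first login, reuse before expiry, re-authentication after expiry.
    path = os.path.join(tempfile.mkdtemp(), "sso_cache.json")
    return [connect(path, "alice", t) for t in (1000, 1300, 1700)]
```

Because the cached credential works like a bearer token, the model refuses a cache file that other local users can access and rejects a credential whose contents were altered after issue.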
The TrueSight Server Automation Console has user authentication utilities built into it. The two client command line applications (BLCLI and Network Shell) do not. To connect to a middle tier server, the command line applications require access to a session credential that was acquired previously. TrueSight Server Automation provides a command line-based user authentication utility called blcred. Users can authenticate with blcred and acquire session credentials for the command line applications.
BMC Decision Support for Server Automation or TrueSight Smart Reporting for Server Automation is a web-based application that uses TrueSight Server Automation single sign-on functionality in a different manner than other TrueSight Server Automation applications. A reports user logs in by providing the user credentials required for his or her authentication type. The reports server uses these credentials to authenticate to the TrueSight Server Automation Authentication Service.
Single sign-on functionality supports the following authentication mechanisms: