Configuring a fail-safe enterprise service bus after installation

If you are using the embedded version of BMC Remedy Single Sign-On  (Remedy SSO) authentication, you must set up a fail-safe configuration for the enterprise service bus (ESB). This ensures that local user management changes made on one instance of Remedy SSO are reflected in other Remedy SSO instances in your environment.

For example, with this fail-safe service bus configuration, if you add a new local user in the Remedy SSO instance on your repository, it is added to the Remedy SSO instance on your CDP and HA-CDP (if you have an HA-CDP installed).

To configure the fail-safe service bus communication between all three peers, you must modify the Tomcat context.xml and server broker-config.xml files for the repository, CDP, and HA-CDP (if you have an HA-CDP installed). If you do not have an HA-CDP installed, you can ignore the instructions related to the HA-CDP.

The following video (7:26) shows how to configure an enterprise service bus.

icon-play.png https://www.youtube.com/watch?v=obw23hTJ-vI

This topic describes the procedure to configure a fail-safe ESB:

In these instructions: 

  • Repo_HOME represents the repository installation directory.
  • CDP_HOME represents the CDP installation directory.
  • HACDP_HOME represents the HA-CDP installation directory.

Notes

  1. These steps are needed only if you are using the embedded version of BMC Remedy SSO authentication.
  2. Complete the fail-safe ESB configuration before performing user and role management tasks to ensure that user/role setup is propagated throughout your

    Some content is unavailable due to permissions.

    environment.
  3. Only configuration items under the Local User Management tab are replicated. Configuration items under the General, Realm, and Session tabs are not replicated.

The following diagram illustrates the ESB configuration for the Remedy SSO synchronization.

ESBconfiguration.PNG

To set up a fail-safe configuration for the enterprise service bus (ESB), complete the following steps:

Stop the component services

Before editing the files, stop the repository, CDP, and HA-CDP services (see Starting-and-stopping-product-components-and-services).

Configure the Tomcat context.xml files

Configure the Tomcat context.xml files for the repository, CDP, and HA-CDP (if you have one installed).

Configure the repository Tomcat context.xml file

  1. Navigate to the Repo_HOME/tomcat/conf directory.

  2. Edit the context.xml file and verify that the following parameters are set:

    <Parameter name="com.bmc.ao.ha.repo.ip" override="true" value=”<Repo_IPaddress>"/>
    <Parameter name="com.bmc.ao.ha.repo.port" override="true" value=”<Repo_HA_port>"/>
    • {{code language="none"}}
      <Repo_IPaddress>
      {{/code}}       is the repository HA address that was provided during the repository installation/upgrade in Advanced Options (see Repository-installation-worksheet).
    • <Repo_HA_port> is the repository HA port that was provided during the repository installation/upgrade in Advanced Options (see Repository-installation-worksheet).

  3. Verify that the following parameters are set to true:

    <Parameter name="com.bmc.ao.USE_HA_FAIL_SAFE_MODE" override="true" value=”true"/>
    <Parameter name="com.bmc.ao.USE_HA" override="true" value="true"/>
  4. Save your changes and close the file.

Configure the CDP Tomcat context.xml file

  1. Navigate to the CDP_HOME/tomcat/conf directory.

  2. Edit the context.xml file and verify that the following parameters are set:

    <Parameter name="com.bmc.ao.ha.repo.ip" override="true" value=”<Repo_IPaddress>"/>
    <Parameter name="com.bmc.ao.ha.repo.port" override="true" value=”<Repo_HA_port>"/>
    <Parameter name="com.bmc.ao.ha.cdp.ip" override="true" value=”<CDP_IPaddress>"/>
    <Parameter name="com.bmc.ao.ha.cdp.port" override="true" value=”CDP_HA_port>"/>
    • {{code language="none"}}
      <Repo_IPaddress>
      {{/code}}       is the repository HA address that was provided during the repository installation/upgrade in Advanced Options (see Repository-installation-worksheet).
    • <Repo_HA_port> is the repository HA port that was provided during the repository installation/upgrade in Advanced Options (see Repository-installation-worksheet).
    • <CDP_IPaddress> is the CDP HA address that was provided during the primary CDP installation/upgrade in Advanced Options (see CDP-installation-worksheet)
    • <CDP_HA_port> is the CDP HA port that was provided during the primary CDP installation/upgrade in Advanced Options (see CDP-installation-worksheet).

  3. Verify that the following parameters are set to true:

    <Parameter name="com.bmc.ao.USE_HA_FAIL_SAFE_MODE" override="true" value="true"/>
    <Parameter name="com.bmc.ao.USE_HA" override="true" value="true"/> 
  4. Save your changes and close the file.

Configure the HA-CDP Tomcat context.xml file

  1. Navigate to the HACDP_HOME/tomcat/conf directory.

  2. Edit the context.xml file and verify that the following parameters are set:

    <Parameter name="com.bmc.ao.ha.repo.ip" override="true" value=”<Repo_IPaddress>"/>
    <Parameter name="com.bmc.ao.ha.repo.port" override="true" value=”<Repo_HA_port>"/>
    <Parameter name="com.bmc.ao.ha.cdp.ip" override="true" value=”<CDP_IPaddress>"/>
    <Parameter name="com.bmc.ao.ha.cdp.port" override="true" value=”CDP_HA_port>"/>
    <Parameter name="com.bmc.ao.ha.hacdp.ip" override="true" value=”<HACDP_IPaddress>"/>
    <Parameter name="com.bmc.ao.ha.hacdp.port" override="true" value=”HACDP_HA_port>"/>
    • {{code language="none"}}
      <Repo_IPaddress>
      {{/code}}       is the repository HA address that was provided during the repository installation/upgrade in Advanced Options (see Repository-installation-worksheet).
    • <Repo_HA_port> is the repository HA port that was provided during the repository installation/upgrade in Advanced Options (see Repository-installation-worksheet).
    • <CDP_IPaddress> is the CDP HA address that was provided during the primary CDP installation/upgrade in Advanced Options (see CDP-installation-worksheet)
    • <CDP_HA_port> is the CDP HA port that was provided during the primary CDP installation/upgrade in Advanced Options (see CDP-installation-worksheet).
    • <HACDP_IPaddress> is the HA-CDP HA address that was provided during the HA-CDP installation/upgrade in Advanced Options (see HA-CDP-installation-worksheet)
    • <HACDP_HA_port> is the HA-CDP HA port that was provided during the HA-CDP installation/upgrade in Advanced Options (see HA-CDP-installation-worksheet).

  3. Verify that the following parameters are set to true:

    <Parameter name="com.bmc.ao.USE_HA_FAIL_SAFE_MODE" override="true" value="true"/>
    <Parameter name="com.bmc.ao.USE_HA" override="true" value="true"/>
  4. Save your changes and close the file.

Configure the broker-config.xml files

Configure the broker.xml files for the repository, CDP, and HA-CDP (if you have one installed).

Configure the repository communication in the broker-config.xml file

  1. Navigate to the AO_HOME/repository/server/.jms directory.
  2. Edit the broker-config.xml file, search for the <transportConnectors> section, and after the </transportConnectors> line, add the following lines to the file using the sample for your environment.

    • CDP only (no HA-CDP installed)

      <networkConnectors>
          <networkConnector uri="static:(ssl://<CDP_IPaddress>:<CDP_HA_port>)?maxReconnectDelay=60000&amp;useExponentialBackOff=false" name="ESB_NETWORK_CDP">
            <dynamicallyIncludedDestinations>
              <topic physicalName="&gt;" />
            </dynamicallyIncludedDestinations>
          </networkConnector>
        </networkConnectors> 
      • <CDP_IPaddress> is the value for the com.bmc.ao.ha.cdp.ip parameter in the CDP_HOME/tomcat/conf/context.xml file.
      • <CDP_HA_port> is the value for the com.bmc.ao.ha.cdp.port parameter in the CDP_HOME/tomcat/conf/context.xml file.

    • CDP and HA-CDP installed

      <networkConnectors>
          <networkConnector uri="static:(ssl://<CDP_IPaddress>:<CDP_HA_port>)?maxReconnectDelay=60000&amp;useExponentialBackOff=false" name="ESB_NETWORK_CDP">
            <dynamicallyIncludedDestinations>
              <topic physicalName="&gt;" />
            </dynamicallyIncludedDestinations>
          </networkConnector>
          <networkConnector uri="static:(ssl://<HACDP_IPaddress>:<HACDP_HA_port>)?maxReconnectDelay=60000&amp;useExponentialBackOff=false" name="ESB_NETWORK_HACDP">
            <dynamicallyIncludedDestinations>
              <topic physicalName="&gt;" />
            </dynamicallyIncludedDestinations>
          </networkConnector>
        </networkConnectors> 
      • <CDP_IPaddress> is the value for the com.bmc.ao.ha.cdp.ip parameter in the CDP_HOME/tomcat/conf/context.xml file.
      • <CDP_HA_port> is the value for the com.bmc.ao.ha.cdp.port parameter in the CDP_HOME/tomcat/conf/context.xml file.
      • <HACDP_IPaddress> is the value for the com.bmc.ao.ha.hacdp.ip parameter in the HACDP_HOME/tomcat/conf/context.xml file.
      • <HACDP_HA_port> is the value for the com.bmc.ao.ha.hacdp.port parameter in the HACDP_HOME/tomcat/conf/context.xml file.
  3. Save your changes and close the file.

Sample repository broker-config.xml file

The following example shows an example of the entire broker-config.xml file for the repository with fail-safe configuration for the enterprise service bus. This is meant to demonstrate where the new lines are added.

Important

Do not replace the existing broker-config.xml file in your environment with this example. You should retain your existing values for the following elements: external, cipher-suites, enable-jmx, broker-name, and transportConnectors.

<broker-config>
  <external>false</external>
  <cipher-suites>TLS_RSA_WITH_AES_256_CBC_SHA</cipher-suites>
  <enable-jmx>true</enable-jmx>
  <broker-name>ao-grid-framework-embedded-broker-0659d650-1ebc-4031-b587-857289635667</broker-name>
  <transportConnectors>
    <transportConnector uri="ssl://<Repo_HA_IPaddress>:<Repo_HA_Port>" name="ESB_TRANSPORT" enableStatusMonitor="true"
                        updateClusterClients="true" updateClusterClientsOnRemove="true" networkTTL="3" prefetchSize="1"
                        decreaseNetworkConsumerPriority="true" dynamicOnly="true" duplex="true" />
  </transportConnectors>
  <networkConnectors>
    <networkConnector uri="static:(ssl://<CDP_IPaddress>:<CDP_HA_port>)?maxReconnectDelay=60000&amp;useExponentialBackOff=false" name="ESB_NETWORK_CDP">
      <dynamicallyIncludedDestinations>
        <topic physicalName="&gt;" />
      </dynamicallyIncludedDestinations>
    </networkConnector>
    <networkConnector uri="static:(ssl://<HACDP_IPaddress>:<HACDP_HA_port>)?maxReconnectDelay=60000&amp;useExponentialBackOff=false" name="ESB_NETWORK_HACDP">
      <dynamicallyIncludedDestinations>
        <topic physicalName="&gt;" />
      </dynamicallyIncludedDestinations>
    </networkConnector>
  </networkConnectors>
</broker-config>

 

Configure the primary CDP communication in the broker-config.xml file

  1. Navigate to the AO_HOME/server/.jms directory.
  2. Edit the broker-config.xml file, search for the <transportConnectors> section, and after the </transportConnectors> line, add the following lines to the file using the sample for your environment.

    • CDP only (no HA-CDP installed)

      <networkConnectors>
          <networkConnector uri="static:(ssl://<Repo_IPaddress>:<Repo_HA_port>)?maxReconnectDelay=60000&amp;useExponentialBackOff=false" name="ESB_NETWORK_REPO">
            <dynamicallyIncludedDestinations>
              <topic physicalName="&gt;" />
            </dynamicallyIncludedDestinations>
          </networkConnector>
      </networkConnectors> 
      • <Repo_IPaddress> is the value for the com.bmc.ao.ha.repo.ip parameter in the Repo_HOME/tomcat/conf/context.xml file.
      • <Repo_HA_port> is the value for the com.bmc.ao.ha.repo.port parameter in the Repo_HOME/tomcat/conf/context.xml file.

    • CDP and HA-CDP installed

      <networkConnectors>
          <networkConnector uri="static:(ssl://<Repo_IPaddress>:<Repo_HA_port>)?maxReconnectDelay=60000&amp;useExponentialBackOff=false" name="ESB_NETWORK_REPO">
            <dynamicallyIncludedDestinations>
              <topic physicalName="&gt;" />
            </dynamicallyIncludedDestinations>
          </networkConnector>
          <networkConnector uri="static:(ssl://<HACDP_IPaddress>:<HACDP_HA_port>)?maxReconnectDelay=60000&amp;useExponentialBackOff=false" name="ESB_NETWORK_HACDP">
            <dynamicallyIncludedDestinations>
              <topic physicalName="&gt;" />
            </dynamicallyIncludedDestinations>
          </networkConnector>
        </networkConnectors> 
      • <Repo_IPaddress> is the value for the com.bmc.ao.ha.repo.ip parameter in the Repo_HOME/tomcat/conf/context.xml file.
      • <Repo_HA_port> is the value for the com.bmc.ao.ha.repo.port parameter in the Repo_HOME/tomcat/conf/context.xml file.
      • <HACDP_IPaddress> is the value for the com.bmc.ao.ha.hacdp.ip parameter in the HACDP_HOME/tomcat/conf/context.xml file.
      • <HACDP_HA_port> is the value for the com.bmc.ao.ha.hacdp.port parameter in the HACDP_HOME/tomcat/conf/context.xml file.
  3. Save your changes and close the file.

Sample CDP broker-config.xml file with fail-safe configuration for the service bus

The following example shows an example of the entire broker-config.xml file for the primary CDP with fail-safe configuration for the enterprise service bus. This is meant to demonstrate where the new lines are added.

Important

Do not replace the existing broker-config.xml file in your environment with this example. You should retain your existing values for the following elements: external, cipher-suites, enable-jmx, broker-name, uri, and transportConnectors.

<broker-config>
  <external>false</external>
  <cipher-suites>TLS_RSA_WITH_AES_256_CBC_SHA</cipher-suites>
  <enable-jmx>true</enable-jmx>
  <broker-name>ao-grid-framework-embedded-broker-0659d650-1ebc-4031-b587-857289635667</broker-name>
  <uri>ssl://<CDP_HA_IPaddress>:<CDP_Peer-to-Peer_Port>?connectionTimeout=1000</uri>
  <transportConnectors>
    <transportConnector uri="ssl://<CDP_HA_IPaddress>:<CDP_HA_Port>" name="ESB_TRANSPORT" enableStatusMonitor="true"
                        updateClusterClients="true" updateClusterClientsOnRemove="true" networkTTL="3" prefetchSize="1"
                        decreaseNetworkConsumerPriority="true" dynamicOnly="true" duplex="true" />
  </transportConnectors>
  <networkConnectors>
    <networkConnector uri="static:(ssl://<Repo_IPaddress>:<Repo_HA_port>)?maxReconnectDelay=60000&amp;useExponentialBackOff=false" name="ESB_NETWORK_REPO">
      <dynamicallyIncludedDestinations>
        <topic physicalName="&gt;" />
      </dynamicallyIncludedDestinations>
    </networkConnector>
    <networkConnector uri="static:(ssl://<HACDP_IPaddress>:<HACDP_HA_port>)?maxReconnectDelay=60000&amp;useExponentialBackOff=false" name="ESB_NETWORK_HACDP">
      <dynamicallyIncludedDestinations>
        <topic physicalName="&gt;" />
      </dynamicallyIncludedDestinations>
    </networkConnector>
  </networkConnectors>
</broker-config>

 

Configure the HA-CDP communication in the broker-config.xml file

  1. Navigate to the AO_HOME/server/.jms directory.

  2. Edit the broker-config.xml file, search for the <transportConnectors> section, and after the </transportConnectors> line, add the following lines to the file.

    <networkConnectors>
        <networkConnector uri="static:(ssl://<Repo_IPaddress>:<Repo_HA_port>)?maxReconnectDelay=60000&amp;useExponentialBackOff=false" name="ESB_NETWORK_REPO">
          <dynamicallyIncludedDestinations>
            <topic physicalName="&gt;" />
          </dynamicallyIncludedDestinations>
        </networkConnector>
        <networkConnector uri="static:(ssl://<CDP_IPaddress>:<CDP_HA_port>)?maxReconnectDelay=60000&amp;useExponentialBackOff=false" name="ESB_NETWORK_CDP">
          <dynamicallyIncludedDestinations>
            <topic physicalName="&gt;" />
          </dynamicallyIncludedDestinations>
        </networkConnector>
      </networkConnectors> 
    • <Repo_IPaddress> is the value for the com.bmc.ao.ha.repo.ip parameter in the Repo_HOME/tomcat/conf/context.xml file.
    • <Repo_HA_port> is the value for the com.bmc.ao.ha.repo.port parameter in the Repo_HOME/tomcat/conf/context.xml file.
    • <CDP_IPaddress> is the value for the com.bmc.ao.ha.cdp.ip parameter in the CDP_HOME/tomcat/conf/context.xml file.
    • <CDP_HA_port> is the value for the com.bmc.ao.ha.cdp.port parameter in the CDP_HOME/tomcat/conf/context.xml file.
  3. Save your changes and close the file.

Sample HA-CDP broker-config.xml file with fail-safe configuration for the service bus

The following example shows an example of the entire broker-config.xml file for the HA-CDP with fail-safe configuration for the enterprise service bus. This is meant to demonstrate where the new lines are added.

Important

Do not replace the existing broker-config.xml file in your environment with this example. You should retain your existing values for the following elements: external, cipher-suites, enable-jmx, broker-name, uri, and transportConnectors.

<broker-config>
  <external>false</external>
  <cipher-suites>TLS_RSA_WITH_AES_256_CBC_SHA</cipher-suites>
  <enable-jmx>true</enable-jmx>
  <broker-name>ao-grid-framework-embedded-broker-0659d650-1ebc-4031-b587-857289635667</broker-name>
  <uri>ssl://<HACDP_HA_IPaddress>:<HACDP_Peer-to-Peer_Port>?connectionTimeout=1000</uri>
  <transportConnectors>
    <transportConnector uri="ssl://<HACDP_HA_IPaddress>:<HACDP_HA_Port>" name="ESB_TRANSPORT" enableStatusMonitor="true"
                        updateClusterClients="true" updateClusterClientsOnRemove="true" networkTTL="3" prefetchSize="1"
                        decreaseNetworkConsumerPriority="true" dynamicOnly="true" duplex="true" />
  </transportConnectors>
  <networkConnectors>
    <networkConnector uri="static:(ssl://<Repo_IPaddress>:<Repo_HA_port>)?maxReconnectDelay=60000&amp;useExponentialBackOff=false" name="ESB_NETWORK_REPO">
      <dynamicallyIncludedDestinations>
        <topic physicalName="&gt;" />
      </dynamicallyIncludedDestinations>
    </networkConnector>
    <networkConnector uri="static:(ssl://<CDP_IPaddress>:<CDP_HA_port>)?maxReconnectDelay=60000&amp;useExponentialBackOff=false" name="ESB_NETWORK_CDP">
      <dynamicallyIncludedDestinations>
        <topic physicalName="&gt;" />
      </dynamicallyIncludedDestinations>
    </networkConnector>
  </networkConnectors>
</broker-config>

Restart the component services

After editing the context.xml and broker-config.xml files for all components, restart the repository, CDP, and HA-CDP services (see Starting-and-stopping-product-components-and-services).

Synchronizing two embedded SSO instances

If you add a CDP that is configured to use an embedded SSO, you can use the migration tool to synchronize the new SSO with existing SSO data. For example,

  • If you install a primary CDP, you can use the migration tool to synchronize the repository's embedded SSO data (the source) with the new CDP's embedded SSO (the destination). 
  • If you install an HA-CDP, you can use the migration tool to synchronize the primary CDP's embedded SSO data (the source) with the new HA-CDP's embedded SSO (the destination). 
Important

Use the migration tool only if you have any users or groups that are not synchronized with the embedded Remedy SSO before you configure the fail-safe enterprise service bus.

To synchronize two SSOs, run the following command:

tools\runAuthTool.bat --syncRsso --srcRssoUrl http(s)://<src_host>:<src_port> --srcRssoUser <src_RSSO_admin> --srcRssoPassword pass:<src_RSSO_admin_password> --srcRssoRealm <src_Rsso_Realm> --dstRssoUrl http(s)://<dst_host>:<dst_port> --dstRssoUser <dst_RSSO_admin> --dstRssoPassword pass:<dst_RSSO_admin_password>

For example,

tools\runAuthTool.bat --syncRsso --srcRssoUrl https://repositoryABC-12345.bmc.com:28080 --srcRssoUser Admin --srcRssoPassword pass:Password --srcRssoRealm BAOLocal --dstRssoUrl https://cdpABC-12345.bmc.com:38080 --dstRssoUser Admin --dstRssoPassword pass:Password
Important

When you synchronize between the two embedded Remedy SSO systems, users and roles embedded in the new RSSO do not have the same password as the existing RSSO. Instead, the passwords for the new users are in the following format:

  • If the user name is greater than or equal to 8 characters, then the password is the username or the loginname.
    For example, if the user name is repouser1, then the password is also repouser1.
  • If the user name is less than 8 characters, then the password is first 8 characters of the username or loginname appended with "1234567890abcdefghijklmnopqrstuvwxyz".
    For example, if the user name is repo, then the password is repo1234.

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*