Setting up authentication for BMC BladeLogic SSO


This section provides the setup instructions required for BMC BladeLogic SSO and the related adapter settings. The BMC BladeLogic SSO feature supports the following authentication methods:

  • Active Directory and Kerberos
  • SRP using user name and password
  • SRP using credentials specified in the user_info.dat file

By default, SRP-based SSO is enabled on BMC Server Automation. If you need Active Directory and Kerberos authentication instead, configure BMC Server Automation by following the "Implementing BladeLogic Active Directory/Kerberos Solution" section of the BMC BladeLogic Administration Guide. The setup instructions below differ from that guide in a few places; those differences are necessary for the feature to work correctly with the adapter.

The BMC BladeLogic Administration Guide contains instructions for a user called blauthsvc. It does not cover a user who actually acts as a client and logs in to BMC Server Automation using Active Directory and Kerberos. The following instructions for the application adapter therefore cover two users, blauthsvc and kinituser. Both are Active Directory users with two specific account options enabled in Active Directory:

  • Password never expires
  • Data Encryption Standard (DES) encryption is enabled (the "Use Kerberos DES encryption types for this account" option)

DES is a weak, legacy cipher that current Windows domain controllers disable by default; it has to be enabled on the account and permitted by the domain's Kerberos encryption-type policy before the DES-CBC-MD5 key that ktpass writes below can be used. Because both options weaken the account, grant kinituser and blauthsvc only the rights the adapter needs.

In the following instructions, the blappserv_login.conf and blappserv_krb5.conf files apply to the user blauthsvc, and the blappclient_login.conf and blappclient_krb5.conf files apply to kinituser.

To set up Active Directory and Kerberos for BMC BladeLogic SSO in BMC Server Automation, you must set up the blclient_login.conf file as shown in the following snippet. The JGSS initiate entry tells the Krb5LoginModule to authenticate kinituser from the keytab without prompting; the closing "};" is required, and debug=true can be turned off once the login works:


    com.sun.security.jgss.initiate {
        com.sun.security.auth.module.Krb5LoginModule required
        doNotPrompt=true
        debug=true
        useKeyTab=true
        keyTab="C:\\Documents and Settings\\kinituser\\kinituser.keytab"
        principal="kinituser@BMC.COM";
    };

The following steps and example demonstrate how to set up BMC BladeLogic SSO for a user called kinituser.

  1. Generate the keytab file for kinituser with ktpass, adjusting the values to your configuration:

     C:\Documents and Settings\kinituser>ktpass -out kinituser.keytab -princ kinituser@BMC.COM -mapuser kinituser@BMC.COM -pass passw0rd# -ptype KRB5_NT_PRINCIPAL -crypto DES-CBC-MD5

     Element                   Description
     -out kinituser.keytab     Specifies the output file name.
     -princ                    Specifies the principal name with realm. Specify the realm (domain) name in upper case.
     -mapuser                  Specifies the Active Directory user the principal maps to, with domain. Specify the domain name in upper case.
     -pass                     Specifies the user password. By default ktpass also sets the account password to this value, and the value remains visible in the command history of the machine where you run it.
     -ptype KRB5_NT_PRINCIPAL  Specifies the principal name type.
     -crypto DES-CBC-MD5       Specifies the encryption type of the key written to the keytab. The account must be allowed to use it, which is why DES is enabled on kinituser.

     The command generates the following warning, which you can ignore:

     Targeting domain controller: S-17abd.BMC.com
     Using legacy password setting method
     Failed to set property "servicePrincipalName" to "kinituser" on Dn "CN=kinituser,CN=Users,DC=BMC,DC=com": 0x13.
     WARNING: Unable to set SPN mapping data.
     If kinituser already has an SPN mapping installed for kinituser, this is no cause for concern.
     Key created.
     Output keytab to kinituser.keytab:
     Keytab version: 0x502
     keysize 47 kinituser@BMC.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 5 etype 0x3 (DES-CBC-MD5) keylength 8 (0x58a2b043e3bc91e0)

     The last line prints the key itself in hexadecimal. The keytab is equivalent to the kinituser password: restrict its file permissions to kinituser and do not paste this output into tickets or logs.
  2. Create corresponding users in the BMC Server Automation database by using the Configuration Manager console.
  3. Verify the Active Directory and Kerberos configuration in either of the following ways:
    1. Using the command line
       Execute the following command while logged on with the user name and password of kinituser, the user created in the earlier section. The trace shows the TGT being taken from kinituser's ticket cache.

       C:\Documents and Settings\kinituser>blcred cred -acquire -profile AD
       Debug is true storeKey false useTicketCache true useKeyTab false doNotPrompt true ticketCache is C:\Documents and Settings\kinituser\krb5cc_kinituser KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
       Acquire TGT from Cache
       Principal is kinituser@BMC.COM
       Commit Succeeded
       Authentication succeeded: acquired session credential
    2. Using the BMC BladeLogic Configuration Manager Console
       Log on to the BMC BladeLogic Configuration Manager Console using the Active Directory and Kerberos profile.

    If the logon succeeds with either method, Active Directory and Kerberos authentication is verified and ready to be used with the adapter. After logging on, the session credentials are generated by default in your home directory.

Note

For the example with kinituser, the default location of the session credentials is C:\Documents and Settings\kinituser\Application Data\BladeLogic and the credential file is bl_sesscc. That file is a usable session credential for kinituser, so it should be readable only by that account.
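Once ktpass has written kinituser.keytab, it is worth confirming what is actually in the file before pointing the login configuration at it. The following Python script is an added example written for this page, not BMC code: it parses the MIT keytab format (version 0x502, the version the ktpass output above reports), prints each key's principal, kvno and encryption type, checks that the expected principal is present, and flags single-DES and RC4 keys as weak. It assumes the file is in that format; the sample keytab it embeds is constructed in-line with a dummy key value, mirroring the kinituser entry above (kvno 5, etype 0x3, 8-byte key), so the script runs offline. The script name check_keytab.py in the usage comment is an assumption.

```python
# Added example for this page (not BMC code): parse an MIT keytab and audit it.
from __future__ import annotations
import struct
import sys
from dataclasses import dataclass

# Kerberos encryption type numbers (RFC 3961 / IANA registry).
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
               17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK_ETYPES = {1, 3, 23}   # single DES (what -crypto DES-CBC-MD5 writes) and RC4
KRB5_NT_PRINCIPAL = 1      # the -ptype used in the ktpass command above

@dataclass
class KeytabEntry:
    principal: str  # e.g. kinituser@BMC.COM
    name_type: int
    timestamp: int
    kvno: int
    etype: int
    key: bytes

def _read_counted(data: bytes, pos: int) -> tuple[bytes, int]:
    """Read a 16-bit big-endian length prefix followed by that many bytes."""
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n

def _pack_counted(value: bytes) -> bytes:
    return struct.pack(">H", len(value)) + value

def parse_keytab(data: bytes) -> list[KeytabEntry]:
    """Parse a version 0x502 keytab (all integers big-endian) into its entries."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x502 keytab")
    entries, pos = [], 2
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:              # a negative size marks a deleted entry: skip it
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _read_counted(data, pos + 2)
        components = []
        for _ in range(ncomp):
            comp, pos = _read_counted(data, pos)
            components.append(comp.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        (etype,) = struct.unpack_from(">H", data, pos + 9)
        key, pos = _read_counted(data, pos + 11)
        kvno = vno8
        if end - pos >= 4:        # optional 32-bit kvno; used when present and non-zero
            (kvno32,) = struct.unpack_from(">I", data, pos)
            kvno = kvno32 or vno8
        pos = end
        principal = "/".join(components) + "@" + realm.decode()
        entries.append(KeytabEntry(principal, name_type, timestamp, kvno, etype, key))
    return entries

def build_keytab(principal: str, kvno: int, etype: int, key: bytes, timestamp: int = 0) -> bytes:
    """Write a one-entry version 0x502 keytab; used here only to construct sample input."""
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    body = struct.pack(">H", len(components)) + _pack_counted(realm.encode())
    body += b"".join(_pack_counted(c.encode()) for c in components)
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
    body += struct.pack(">H", etype) + _pack_counted(key) + struct.pack(">I", kvno)
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

def audit_keytab(data: bytes, expected_principal: str) -> list[str]:
    """Return the problems found; an empty list means the keytab looks as expected."""
    entries = parse_keytab(data)
    problems = []
    if not any(e.principal == expected_principal for e in entries):
        problems.append(f"no key for {expected_principal}")
    for e in entries:
        name = ETYPE_NAMES.get(e.etype, f"etype {e.etype}")
        if e.etype in WEAK_ETYPES:
            problems.append(f"{e.principal} kvno {e.kvno} uses weak enctype {name}")
        if e.name_type != KRB5_NT_PRINCIPAL:
            problems.append(f"{e.principal} has name type {e.name_type}, expected KRB5_NT_PRINCIPAL")
    return problems

# Constructed sample with the shape ktpass reported above (kvno 5, etype 0x3 DES-CBC-MD5,
# 8-byte key); the entry is 47 bytes, the keysize figure in that output. The key bytes
# are a dummy value, not a real Kerberos key.
SAMPLE_KEYTAB = build_keytab("kinituser@BMC.COM", kvno=5, etype=3,
                             key=bytes.fromhex("0123456789abcdef"), timestamp=1_300_000_000)

if __name__ == "__main__":
    # Usage: python check_keytab.py kinituser.keytab   (no argument: audit the sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    for e in parse_keytab(data):
        print(f"{e.principal} kvno {e.kvno} {ETYPE_NAMES.get(e.etype, e.etype)} keylength {len(e.key)}")
    for problem in audit_keytab(data, "kinituser@BMC.COM"):
        print("PROBLEM:", problem)
```

The DES entry is reported as a problem on purpose: this procedure requires DES, so the report is a reminder that the account is deliberately configured for a cipher that current domain controllers disable by default, not something to silence. If the real file ends up with several entries for kinituser (for example after re-running ktpass, which resets the password and increments the kvno), the entry with the highest kvno is the one the KDC currently expects.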

To set up BMC BladeLogic SSO peers in TrueSight Orchestration

For the BMC Server Automation adapter to function properly, you must perform the following steps:

  1. On the peer on which the adapter is enabled, navigate to Control Panel => Administrative Tools => Services.
  2. In the Services window, right-click the TrueSight Orchestration service and select Properties from the menu.
  3. Click the Log On tab, and select the This account option.
  4. Enter the user name and password for this account.

    Note

    To ensure that the BMC Server Automation adapter functions properly, you must use the same credentials that you used when configuring the adapter.
    For the example with kinituser, use kinituser to configure the adapter. The TrueSight Orchestration service then runs with kinituser's domain identity, so keep that account limited to the rights the adapter needs.

  5. Click Apply and then click OK.
  6. Restart the TrueSight Orchestration service.

    Note

    For information about troubleshooting issues with configuring the adapter, see Troubleshooting the BMC Server Automation adapter.


TrueSight Orchestration Content 20.19.02