Configuring the Authentication Service
A default installation of a BMC Server Automation Application Server sets up an Authentication Service to support single sign-on and SRP authentication. Additional configuration is necessary to support other authentication protocols. The Authentication Service runs on the same machine as the Application Server.
Various options exist for modifying the standard behavior of an Authentication Service. Use the following procedure to set any of those options.
To configure the Authentication Service
- Start the Application Server Administration console (that is, the blasadmin utility), as described in Starting the Application Server Administration console.
- To specify a listening port other than 9840 for the Authentication Service, enter the following:
set AuthServer AuthSvcPort #
where # is the number of the port. Setting AuthSvcPort to 0 turns off the Authentication Service.
- To specify the duration of session credentials that the Authentication Service issues, enter the following:
set AuthServer SessionCredentialLifetime #
where # is the lifetime, in minutes, of issued session credentials. By default, the session credential lifetime is 600 minutes (10 hours).
- To specify the types of authentication mechanisms that are enabled, do any of the following:
  - To enable or disable SRP authentication, enter the following:
  set AuthServer IsSRPAuthEnabled true|false
  By default this value is set to true.
  - To enable or disable LDAP authentication, enter the following:
  set AuthServer IsLdapAuthEnabled true|false
  By default, this value is set to false.
  - To enable or disable SecurID authentication, enter the following:
  set AuthServer IsSecurIdAuthEnabled true|false
  By default, this value is set to false.
  - To enable or disable PKI authentication, enter the following:
  set PkiAuth IsEnabled true|false
  By default, this value is set to false.
  - To enable or disable AD/Kerberos authentication, enter the following:
  set AuthServer IsADKAuthEnabled true|false
  By default, this value is set to false.
  - To enable or disable Domain Authentication, enter the following:
  set AuthServer IsDomainAuthEnabled true|false
  By default, this value is set to false.
- To write nondefault destination service URLs into a session credential, do any of the following:
  - To override the default Application Service URL, enter the following:
  set AuthServer AppServiceURLs <serviceURL,...,serviceURL>
  where <serviceURL,...,serviceURL> is a list of alternative service URLs for the Application Service. For example:
  set AuthServer AppServiceURLs service:appsvc.bladelogic:blsess://host1.bladelogic.com:9841,service:appsvc.bladelogic:blsess://host2.bladelogic.com:9841
  Typically, you do not change the default Application Server URL. However, if you want to run Network Shell Script Jobs that include BLCLI commands, you can direct these commands to run on a particular Application Server. By default, BLCLI commands run on the Application Server processing the job.
  - To configure the Authentication Service so it does not write any Application Service service URLs into the session credential it issues, enter the following:
  set AuthServer AppServiceURLs " "
  Note the blank space between the quotation marks.
  - To configure the Authentication Service so it reverts to its default behavior of writing the service URL of the local Application Service into session credentials, enter the following:
  set AuthServer AppServiceURLs ""
  Note that there is no blank space between the quotation marks.
  - To configure any Application Server that is not functioning as a Network Shell proxy server so that it sends Network Shell traffic to a Network Shell proxy server, enter the following:
  set AuthServer ProxyServiceURLs <serviceURL>
  where <serviceURL> is the alternative Network Shell Proxy Service URL. For example,
  set AuthServer ProxyServiceURLs service:proxysvc.bladelogic:blsess://host1.bladelogic.com:9842
  - To configure the Authentication Service so it does not write any Network Shell Proxy Service service URLs into the session credential it issues, enter the following:
  set AuthServer ProxyServiceURLs " "
  Note the blank space between the quotation marks.
  - To configure the Authentication Service so it reverts to its default behavior of writing the service URL of the local Network Shell Proxy Service into session credentials (assuming the local proxy service is enabled), enter the following:
  set AuthServer ProxyServiceURLs ""
  Note that there is no blank space between the quotation marks.
Providing service URLs lets you specify alternative addresses (in the form of service URLs) for an Application Service or Network Shell Proxy Service. This is particularly useful when your installation has a network configuration (for example, a firewall) that requires address translations.
By default the Authentication Service creates a session credential that only includes the service URL for the local Application Service. If the local Network Shell Proxy Service is enabled, the Authentication Service, by default, includes its service URL in the session credential it issues.
- To specify the maximum number of worker threads used for authentication, enter the following:
set AuthServer MaxAuthSvcThreads #
where # is the maximum number of threads that can process requests from clients. By default, the maximum is 5.
- To specify a time-out for responses from Authentication Service worker threads, enter the following:
set AuthServer AuthSvcSocketTimeout #
where # is the maximum number of minutes to wait for a response from a worker thread. After the maximum is exceeded, the connection times out. By default the maximum is 1.
- Restart the Application Server (see Restarting a specific Application Server).
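The AppServiceURLs and ProxyServiceURLs values above are easy to get wrong: `""` and `" "` mean opposite things, and a stray space inside a URL changes the value. The following pre-flight check is an added example, not BMC code or part of blasadmin. The names `check_service_urls`, `SERVICE_URL` and `EXPECTED` are hypothetical, and the URL pattern is an assumption inferred from the example URLs on this page.

```python
import re

# Shape inferred from the example URLs on this page
# (an assumption, not a vendor-published grammar).
SERVICE_URL = re.compile(
    r"service:(appsvc|proxysvc)\.bladelogic:blsess://([A-Za-z0-9.-]+):(\d{1,5})"
)
# Service type each AuthServer option is expected to carry.
EXPECTED = {"AppServiceURLs": "appsvc", "ProxyServiceURLs": "proxysvc"}


def check_service_urls(option, value):
    """Return (mode, endpoints, problems) for `set AuthServer <option> <value>`."""
    expected = EXPECTED[option]  # KeyError for any other option name
    if value == "":
        return "default", [], []  # "" reverts to the local service URL
    if value == " ":
        return "none", [], []  # " " writes no service URLs at all
    endpoints, problems = [], []
    for entry in value.split(","):
        if any(ch.isspace() for ch in entry):
            problems.append(f"whitespace inside entry: {entry!r}")
            continue
        m = SERVICE_URL.fullmatch(entry)
        if m is None:
            problems.append(f"not a service URL: {entry!r}")
            continue
        svc, host, port = m.group(1), m.group(2), int(m.group(3))
        if svc != expected:
            problems.append(f"{option} expects {expected}, got {svc}: {entry!r}")
        elif not 1 <= port <= 65535:
            problems.append(f"port out of range: {entry!r}")
        else:
            endpoints.append((host, port))
    return "override", endpoints, problems


if __name__ == "__main__":
    # Constructed inputs that reuse the host names from the page's examples.
    samples = [
        ("AppServiceURLs", ""),
        ("AppServiceURLs", " "),
        ("ProxyServiceURLs", "service:proxysvc.bladelogic:blsess://host1.bladelogic.com:9842"),
        ("AppServiceURLs", "service:appsvc.bladelogic: blsess://host1.bladelogic.com:9841"),
    ]
    for opt, val in samples:
        print(opt, repr(val), "->", check_service_urls(opt, val))
```

Pass the value without the surrounding quotation marks you would type in blasadmin; any entry in `problems` means the value should be corrected before it is set.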