Implementing Remedy Single Sign-On authentication


TrueSight Server Automation supports integration with Remedy Single Sign-On to enable single sign-on authentication when using the REST APIs. After you authenticate with the Remedy Single Sign-On Server, you can access TrueSight Server Automation resources through REST API calls without providing the user credentials again. This topic describes how to enable and use Remedy Single Sign-On authentication.

This authentication works as follows:

[Figure: authentication flow diagram]


Prerequisites 

  • Create a user in the TrueSight Server Automation console and enable Remedy Single Sign-On authentication. For more information, see Creating-users.
  • Make sure that TLSv1.2 is configured on the Application Server. If you are upgrading TrueSight Server Automation, manually change the TLS setting to TLSv1.2 for the EnabledTlsContextProtocol property in the appserver-options.properties file, and restart the Application Server. For more information, see Configuring-the-TLS-protocol.
  • If you want to use the HTTPS connection for Remedy Single Sign-On, obtain the Remedy Single Sign-On certificate. For more information, see Implementing private certificates in the Remedy Single Sign-On Server.
  • Copy the Remedy Single Sign-On certificate to <TSSA_installation_dir>/br/deployments.

Configuring the Remedy Single Sign-On authentication

Do the following:

  1. Log in to the system where TrueSight Server Automation is installed.
    • (Windows) Log in as an administrator.
    • (Linux) Log in as a root user.
  2. On the nsh prompt, run the following commands:
    1. blasadmin
    2. show RemedySsoAuth all
  3. Specify values for these parameters:

    • IsEnabled
      Description: Set to true to enable Remedy Single Sign-On authentication. By default, this authentication is disabled.
      Blasadmin command example: set RemedySsoAuth IsEnabled true
    • RemedySsoServerURL
      Description: Specify the URL of the server that hosts the Remedy Single Sign-On Server.
      Blasadmin command example: set RemedySsoAuth RemedySsoServerUrl http://<host_name>:<port>/rsso/
    • ClientId (new in 23.4.01)
      Important: Only applicable to TSSA Console.
      Description: Provide the client ID generated on the Remedy SSO server during OAuth client creation.
      Blasadmin command example: set RemedySsoAuth ClientId <RemedySSOClientID>
    • ClientSecret (new in 23.4.01)
      Important: Only applicable to TSSA Console.
      Description: Provide the client secret generated on the Remedy SSO server during OAuth client creation.
      Blasadmin command example: set RemedySsoAuth ClientSecret <RemedySSOClientSecret>

    If Remedy Single Sign-On is configured to use the HTTPS connection, specify values for the following additional parameters:

    • TrustStorePassword
      Description: Specify the truststore password for the Remedy Single Sign-On server certificate validation.
      Blasadmin command example: set RemedySsoAuth TruststorePassword <truststore_password>
    • TrustStorePathname
      Description: Specify the keystore path for the Remedy Single Sign-On server certificate validation.
      Blasadmin command example: set RemedySsoAuth TrustStorePathname <TSSA_installation_dir>/br/deployments
    • TrustStoreType
      Description: Specify the truststore type to be used for the Remedy Single Sign-On server certificate validation.
      Blasadmin command example: set RemedySsoAuth TrustStoreType JKS
  4. Exit blasadmin.
  5. Restart the Application Server.

Configuring Web Proxy server

TrueSight Server Automation supports communication with Remedy or Helix SSO through a web proxy server (for example, a Squid proxy server), which you configure with the Application Server's blasadmin commands.

Perform the following steps to configure the Web Proxy server:

  1. Configure the web proxy details by setting the following parameters with blasadmin commands:
    • HttpProxyServerName
      Description: Specify the hostname or IP address of the HTTP proxy server.
      Blasadmin command example: set remedyssoAuth HttpProxyServerName <server>
    • HttpProxyServerPort
      Description: Specify the port number used to connect to the HTTP proxy server.
      Blasadmin command example: set remedyssoAuth HttpProxyServerPort <port>
      Note: Enter only positive integer values.
    • HttpProxyProtocol
      Description: Specify the protocol (http or https) used by the HTTP proxy server.
      Blasadmin command example: set remedyssoAuth HttpProxyProtocol <http/https>
      For example, if the proxy protocol is set to HTTPS, the proxy server's certificate must be imported into the truststore specified by TrustStorePathname. To view the truststore path, run the command: show remedyssoauth TrustStorePathname
    • HttpProxyUser
      Description: Specify the username required for proxy server authentication (if needed).
      Blasadmin command example: set remedyssoAuth HttpProxyUser <user>
    • HttpProxyPassword
      Description: Specify the password associated with the proxy user for authentication.
      Blasadmin command example: set remedyssoAuth HttpProxyPassword <pwd>
      Note: If authentication is enabled on the proxy server, configure its credentials with the HttpProxyUser and HttpProxyPassword parameters.

  2. Restart the Application Server.

Using the Remedy Single Sign-On authentication

Do the following:

  1. Log in to the system where TrueSight Server Automation is installed.
    • (Windows) Log in as an administrator.
    • (Linux) Log in as a root user.
  2. Make a call to the Remedy Single Sign-On Server to obtain a token.

    Token generation example
    1. Run the following command:

      curl -X POST "https://<host_name>/rsso/api/v1.0/token" -H "accept: application/json" \
        -H "Content-Type: application/json" \
        -d "{ \"username\": \"rssoUser\", \"password\": \"password\", \"realm\": \"*\" }" --insecure

      Example output:

      {
      "rsso_token": "VND_RSSO_V2.eyJpYXQiOjE2MTA2NzY2MTQ2OTcsInNydiI6Imh0dHBzOixyzxtLXB1bi10NHdib3YuYm
      1jLmNvbTo4NDQzL3Jzc24i6CJybG0iOiIqIiwidG9rZW5JZCI6Il9iZWE1OWZiNy1kZWM1LTQxODMtODVkMS02NDE3ZDE2MjY2NmMifQ=="

      }
    2. Base64-decode the part of the token that follows the VND_RSSO_V2. prefix. For example, run the following command on a Linux system:

      echo eyJpYXQiOjE2MTA2NzY2MTQ2OTcsInNydiI6Imh0dHBzOixyzxtLXB1bi10NHdib3YuYm1jLmNvbTo4NDQzL3Jzc24i6CJybG0iOiIqIiwidG9rZW5JZCI6Il9iZWE1OWZiNy1kZWM1LTQxODMtODVkMS02NDE3ZDE2MjY2NmMifQ==== | base64 -d

      For more information about Base64 encoding and decoding, see Base64 encode and decode (https://www.base64decode.org/).

      Example result:

      {
      "iat": 1610676614697,
      "srv": "https://:/rsso",
      "rlm": "*",
      "tokenId": "_bee55fb7-dec5-4184-85d1-6317d162666c"
      }
  3. Use the Remedy Single Sign-On token that you obtained in the previous step for the subsequent API calls.
  4. For example, make the following call to the GET:/v1/servers API to get a list of all servers:

    curl -X GET "https://<host_name>/bsa-rest/v1/servers" -H "accept: application/json" -H "Authorization: Bearer <token>="
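
The token request and decode steps above, as an added Python example that is not part of the original documentation: it keeps TLS certificate verification on by trusting a CA file instead of passing --insecure, and decodes the token payload locally. The function names, the ca_file parameter and the sample host and tokenId are assumptions, and the sample token is constructed.

```python
import base64
import json
import ssl
import urllib.request
from datetime import datetime, timezone

PREFIX = "VND_RSSO_V2."


def request_token(host, username, password, ca_file, realm="*"):
    """POST to the /rsso/api/v1.0/token endpoint and return the rsso_token string.

    ca_file (assumed: PEM file with the CA that issued the server certificate)
    lets TLS verification stay on, where the curl example passes --insecure.
    """
    body = json.dumps({"username": username, "password": password, "realm": realm})
    req = urllib.request.Request(
        f"https://{host}/rsso/api/v1.0/token",
        data=body.encode(),
        headers={"accept": "application/json", "Content-Type": "application/json"},
        method="POST",
    )
    ctx = ssl.create_default_context(cafile=ca_file)  # chain and hostname checked
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)["rsso_token"]


def decode_payload(token):
    """Decode the JSON that follows the VND_RSSO_V2. prefix, locally."""
    if not token.startswith(PREFIX):
        raise ValueError("token does not start with " + PREFIX)
    b64 = token[len(PREFIX):].rstrip("=")
    b64 += "=" * (-len(b64) % 4)  # tolerate missing or surplus '=' padding
    return json.loads(base64.b64decode(b64, validate=True))


def issued_at(claims):
    """iat as UTC time; milliseconds assumed from the 13-digit example value."""
    return datetime.fromtimestamp(claims["iat"] // 1000, tz=timezone.utc)


# Constructed sample, not a real token: same field names as the example result.
SAMPLE_CLAIMS = {"iat": 1610676614697, "srv": "https://rsso.example.test:8443/rsso",
                 "rlm": "*", "tokenId": "_00000000-0000-0000-0000-000000000000"}
SAMPLE_TOKEN = PREFIX + base64.b64encode(json.dumps(SAMPLE_CLAIMS).encode()).decode()

if __name__ == "__main__":
    print(decode_payload(SAMPLE_TOKEN), issued_at(SAMPLE_CLAIMS).isoformat())
```

Because the payload is only Base64-encoded, anyone who holds the token can read these fields, so handle the token string itself as a credential.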

For information about using the Swagger UI, see Trying-out-the-REST-APIs.

 

 
