This documentation supports the 22.4 version of BMC Helix Single Sign-On, which is available only to BMC Helix customers (SaaS).

Manually integrating Helix SSO with BMC applications


You manually integrate BMC Helix Single Sign-On with BMC applications when you want to install the BMC Helix SSO server and BMC Helix SSO agents on platforms that are not supported by the BMC Helix SSO installer.

In addition, compared to the BMC Helix SSO installer, the manual integration steps are easier to execute in various automation and deployment scripts.

The BMC Helix SSO agent is usually configured to communicate with only one BMC Helix SSO server. For information about how to configure the web agent to communicate with multiple servers, see Connecting the same BMC Helix SSO agent to different BMC Helix SSO servers.

You can integrate BMC Helix SSO with the following BMC applications:

  • Action Request System (AR Server)
  • Mid Tier
  • BMC TrueSight Presentation Server
  • BMC Helix CMDB
  • BMC Helix Dashboards

Before you begin

  1. Manually install Helix SSO.
  2. Create a system backup. If there is a need to remove the BMC Helix SSO integration from a BMC application, you will need to restore files to their previous state.

To manually integrate BMC Helix SSO with the AR System server rsso-area-plug-in

  1. Make sure the following AREA plug-in settings (<AR>/Conf/ar.cfg) are configured on the AR Server (can be set from the Server Information form > EA tab):

    External-Authentication-RPC-Socket: 390695
    Authentication-Chaining-Mode: 1
    Crossref-Blank-Password: T
  2. Copy rsso.cfg from rsso-area-plugin to <AR>/Conf.
  3. In rsso.cfg, adjust the value of your BMC Helix SSO server service URL:

    SSO-SERVICE-URL: <rsso_service_url>

    Important

    You must set the sso-service-url in the configuration file only if you integrate AR System with a single BMC Helix SSO server.

    To integrate AR System with multiple BMC Helix SSO servers, you must configure this setting for each server in the BMC Helix SSO Admin Console.

  4. Copy the rsso-area-plugin-all.jar file from rsso-area-plugin to the <AR>/pluginsvr directory.
  5. Copy gson-2.8.6.jar and slf4j-api-1.7.30.jar from lib to the <AR>/pluginsvr directory.
  6. Edit <AR>/pluginsvr/pluginsvr_config.xml, and add the BMC Helix SSO AREA plug-in entry, replacing <AR> with the corresponding path:

    <plugin>
       <name>ARSYS.AREA.RSSO</name>
       <classname>com.bmc.rsso.plugin.area.RSSOPlugin</classname>
       <pathelement type="location"><AR>/pluginsvr/rsso-area-plugin-all.jar</pathelement>
       <pathelement type="location"><AR>/pluginsvr/gson-2.8.6.jar</pathelement>
       <pathelement type="location"><AR>/pluginsvr/slf4j-api-1.7.30.jar</pathelement>
       <userDefined>
           <configFile><AR>/Conf/rsso.cfg</configFile>
       </userDefined>
    </plugin>
  7. Restart the AR System server.

To improve the security of a BMC Helix SSO AREA plug-in, you can specify an optional property APP-TENANT:<tenant's name> in the rsso.cfg file. Ensure that the provided tenant's name matches the tenant's value specified in the Realm. For more information, see Configuring general settings for a realm.
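
The AREA plug-in settings from steps 1 and 3 and the APP-TENANT property can be checked before the AR System server is restarted. The following is an added example, not BMC code; it assumes a single-server integration (so SSO-SERVICE-URL must be set in rsso.cfg), and the function names, the realm_tenant argument (the tenant value an operator reads from the realm) and the sample files are constructed for illustration.

```python
import re

# Values the procedure above requires in <AR>/Conf/ar.cfg.
REQUIRED_AR_CFG = {
    "External-Authentication-RPC-Socket": "390695",
    "Authentication-Chaining-Mode": "1",
    "Crossref-Blank-Password": "T",
}

def parse_cfg(text):
    """Parse 'Key: value' lines. Assumption: '#' starts a comment, keys are
    case-insensitive, and the last occurrence of a key wins."""
    pairs = (line.split(":", 1) for line in map(str.strip, text.splitlines())
             if ":" in line and not line.startswith("#"))
    return {key.strip().lower(): value.strip() for key, value in pairs}

def audit_area_config(ar_cfg_text, rsso_cfg_text, realm_tenant):
    """Return findings; an empty list means both files match the procedure."""
    findings = []
    ar = parse_cfg(ar_cfg_text)
    for key, want in REQUIRED_AR_CFG.items():
        got = ar.get(key.lower())
        if got != want:
            findings.append(f"ar.cfg: {key} is {got!r}, expected {want!r}")
    rsso = parse_cfg(rsso_cfg_text)
    # A value such as <rsso_service_url> means the template was never edited.
    if not re.fullmatch(r"https?://[^\s<>]+", rsso.get("sso-service-url", "")):
        findings.append("rsso.cfg: SSO-SERVICE-URL is missing or still a placeholder")
    tenant = rsso.get("app-tenant")
    if tenant is None:
        findings.append("rsso.cfg: optional APP-TENANT is not set")
    elif tenant != realm_tenant:
        findings.append(f"rsso.cfg: APP-TENANT {tenant!r} does not match realm tenant {realm_tenant!r}")
    return findings

# Constructed sample input (not taken from a real server).
SAMPLE_AR_CFG = """\
External-Authentication-RPC-Socket: 390695
Authentication-Chaining-Mode: 0
Crossref-Blank-Password: T
"""
SAMPLE_RSSO_CFG = """\
SSO-SERVICE-URL: <rsso_service_url>
APP-TENANT: tenant-a
"""

if __name__ == "__main__":
    for finding in audit_area_config(SAMPLE_AR_CFG, SAMPLE_RSSO_CFG, "tenant-b"):
        print(finding)
```
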

To manually integrate BMC Helix SSO with Mid Tier

  1. Stop the Tomcat service installed on Mid Tier.
  2. Configure the Authenticator as follows:
    1. Edit the following line in the config.properties file (<Mid_Tier>/WEB-INF/classes) to use the RSSOAuthenticator:

      arsystem.authenticator=com.bmc.rsso.plugin.authenticator.RSSOAuthenticator
    2. Copy the rsso-authenticator-plugin-all.jar file from rsso-authenticator-plugin to the <Mid_Tier>/WEB-INF/lib folder.
    3. Copy the gson-2.8.6.jar file from BMC Helix SSO installation package Disk1\files\lib to the <Mid_Tier>/WEB-INF/lib folder.
  3. Configure the Web Agent as follows:
    1. Copy the rsso-agent-all.jar file from /rsso-agent to the <Mid_Tier>/WEB-INF/lib folder.
    2. Copy /rsso-agent/rsso-agent.properties file to the <Mid_Tier>/WEB-INF/classes folder, and modify it as required:

      logout-urls=/atssologout.html

      sso-external-url=${sp-services-url}
      # sso-external-url is a public user-facing URL exposed for end-users for authentication.
      # In standalone mode, sso-external-url must be an HTTPS URL. For example, https://my-rsso.bmc.com/rsso
      # If Helix SSO is installed in an HA mode, sso-service-url must be a Load Balancer (LB) URL.

      sso-service-url=${sp-services-internal-url}
      # If Helix SSO is installed in an HA mode, sso-service-url must be a Load Balancer (LB) URL.
      # In standalone mode, sso-service-url is recommended to be an HTTP URL. For example, http://my-rsso.bmc.com/rsso.

      agent-id=${agent-id}
      # agent-id must be a unique identifier. Agent-id must be the same on all nodes in a Mid Tier HA cluster.
      # BMC recommends setting this value to a simple identifier instead of an HTTP URL.

      use-in-memory-cache=true
      # Chooses between HttpSession and an in-memory cache for storing token data.
      # This option cannot be changed at run time.
  4. Edit the <Mid_Tier>/WEB-INF/web.xml file and add the following BMC Helix SSO filter configuration:

    <filter>
       <filter-name>RSSOFilter</filter-name>
       <filter-class>com.bmc.rsso.agent.RSSOFilter</filter-class>
    </filter>
    <filter-mapping>
       <filter-name>RSSOFilter</filter-name>
       <url-pattern>/*</url-pattern>
    </filter-mapping>
    <listener>
       <listener-class>com.bmc.rsso.agent.RSSOListener</listener-class>
    </listener>


    Important

    You must disable the Atrium Single Sign-On filter if it exists in the web.xml file by commenting it out.

  5. Copy the rsso-agent/rsso-log.cfg file to the <Mid_Tier>/WEB-INF/classes folder.
  6. Copy the following files from the lib folder to the <Mid_Tier>/WEB-INF/lib folder:
    • caffeine-<version>.jar
    • jjwt-impl-<version>.jar
    • org.apache.oltu.oauth2.client-<version>.jar
    • jjwt-api-<version>.jar
    • json-<version>.jar
    • slf4j-api-<version>.jar
    • jjwt-gson-<version>.jar
  7. Copy rsso-agent-all.jar from the Disk1/files/rsso-agent folder to the <Mid_Tier>/WEB-INF/lib folder.
  8. Restart Mid Tier/Tomcat.
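
The rules stated in the rsso-agent.properties comments in step 3 (HTTPS for sso-external-url, a simple agent-id that is identical on all nodes of a Mid Tier HA cluster, no leftover template values) can be checked across nodes before the restart. This is an added example, not BMC code; the function name, node names and sample values are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

def audit_agent_properties(nodes):
    """nodes maps a node name to the text of its rsso-agent.properties.
    Returns findings in node order; an empty list means nothing was flagged."""
    findings, agent_ids = [], {}
    for node, text in nodes.items():
        lines = map(str.strip, text.splitlines())
        pairs = (l.split("=", 1) for l in lines if "=" in l and not l.startswith("#"))
        props = {k.strip(): v.strip() for k, v in pairs}
        for key in ("sso-external-url", "sso-service-url", "agent-id"):
            value = props.get(key, "")
            if not value:
                findings.append(f"{node}: {key} is not set")
            elif re.search(r"\$\{[^}]*\}|<[^>]*>", value):
                findings.append(f"{node}: {key} still holds the placeholder {value}")
        external = props.get("sso-external-url", "")
        if "://" in external and urlsplit(external).scheme.lower() != "https":
            findings.append(f"{node}: sso-external-url is not an HTTPS URL")
        agent_id = props.get("agent-id", "")
        if "://" in agent_id:
            findings.append(f"{node}: agent-id should be a simple identifier, not a URL")
        cache = props.get("use-in-memory-cache")
        if cache is not None and cache.lower() not in ("true", "false"):
            findings.append(f"{node}: use-in-memory-cache must be true or false")
        agent_ids[node] = agent_id
    if len(set(agent_ids.values())) > 1:
        findings.append(f"agent-id differs across cluster nodes: {agent_ids}")
    return findings

# Constructed sample: two nodes of one Mid Tier HA cluster (hypothetical hosts).
SAMPLE_NODES = {
    "midtier-1": "sso-external-url=https://sso.example.com/rsso\n"
                 "sso-service-url=http://rsso-lb.example.com/rsso\n"
                 "agent-id=midtier-prod\nuse-in-memory-cache=true\n",
    "midtier-2": "sso-external-url=http://sso.example.com/rsso\n"
                 "sso-service-url=${sp-services-internal-url}\n"
                 "agent-id=http://midtier-2.example.com/arsys\n",
}

if __name__ == "__main__":
    print("\n".join(audit_agent_properties(SAMPLE_NODES)))
```
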

To manually integrate BMC Helix SSO with BMC TrueSight Presentation Server

  1. Stop the BMC TrueSight Presentation Server.
  2. Place the BMC Helix SSO filter into ${truesight.home}/modules/tomcat/conf/web.xml as the first filter:

    <filter>
       <filter-name>RSSOFilter</filter-name>
       <filter-class>com.bmc.rsso.agent.RSSOFilter</filter-class>
    </filter>
    <filter-mapping>
       <filter-name>RSSOFilter</filter-name>
       <url-pattern>/*</url-pattern>
    </filter-mapping>
  3. Create the following folder: 
    <TrueSightPServer>\truesightpserver\modules\tomcat\rsso_agent.
  4. Copy the following files into the created folder:
    • caffeine-<version>.jar
    • jjwt-impl-<version>.jar
    • org.apache.oltu.oauth2.client-<version>.jar
    • jjwt-api-<version>.jar
    • jjwt-gson-<version>.jar
    • json-<version>.jar
    • slf4j-api-<version>.jar
    • rsso-client-impl.jar
    • rsso-sdk-atsso.jar
    • rsso-agent-all.jar
  5. Delete the rsso-agent.properties file from rsso-agent-all.jar.
  6. Open the file <TrueSightPServer>\truesightpserver\conf\services\csr.conf, and make the following changes: 
    1. Add the following paths to the classpath list:
      • ${truesight.home}/modules/tomcat/rsso_agent/caffeine-<version>.jar
      • ${truesight.home}/modules/tomcat/rsso_agent/jjwt-impl-<version>.jar
      • ${truesight.home}/modules/tomcat/rsso_agent/org.apache.oltu.oauth2.client-<version>.jar
      • ${truesight.home}/modules/tomcat/rsso_agent/jjwt-api-<version>.jar
      • ${truesight.home}/modules/tomcat/rsso_agent/json-<version>.jar
      • ${truesight.home}/modules/tomcat/rsso_agent/slf4j-api-<version>.jar
      • ${truesight.home}/modules/tomcat/rsso_agent/jjwt-gson-<version>.jar
      • ${truesight.home}/modules/tomcat/rsso_agent/rsso-client-impl.jar
      • ${truesight.home}/modules/tomcat/rsso_agent/rsso-sdk-atsso.jar
      • ${truesight.home}/modules/tomcat/rsso_agent/rsso-agent-all.jar
    2. Comment out the line that contains the following path:
      ${truesight.home}/lib/dependencies/gson-<version>.jar.
  7. Configure the BMC Helix SSO agent. 
    • Open the <TrueSightPServer>\truesightpserver\modules\tomcat\rsso_agent\rsso-agent.properties file and add the following configuration:

      agent-id=tsps_agent
      sso-external-url=https://<RSSO_HOST_PORT>/rsso
      sso-service-url=https://<RSSO_HOST_PORT>/rsso
  8. Generate a new SSL certificate with CN=<TSPS_HOST> and replace the existing certificate in keystore <TrueSightPServer>\truesightpserver\conf\secure\loginvault.ks.
  9. Start the BMC TrueSight Presentation Server.
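
The web.xml filter steps in the Mid Tier and TrueSight procedures above can be verified before the service is started: RSSOFilter must be active and mapped to /*, for TrueSight it must be the first filter, and for Mid Tier the RSSOListener must be present. This is an added example, not BMC code; the function name, its two flags and the sample descriptor are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

RSSO_FILTER = "com.bmc.rsso.agent.RSSOFilter"
RSSO_LISTENER = "com.bmc.rsso.agent.RSSOListener"

def _children(el, name):
    """Text of child elements called `name`, ignoring any XML namespace."""
    return [(c.text or "").strip() for c in el if c.tag.rsplit("}", 1)[-1] == name]

def audit_web_xml(xml_text, require_first=False, require_listener=False):
    """Return a list of findings for the RSSOFilter set-up in a web.xml document."""
    filters, mappings, listeners = {}, [], []
    for el in ET.fromstring(xml_text):
        kind = el.tag.rsplit("}", 1)[-1]
        if kind == "filter":
            filters["".join(_children(el, "filter-name"))] = "".join(_children(el, "filter-class"))
        elif kind == "filter-mapping":
            mappings.append(("".join(_children(el, "filter-name")), _children(el, "url-pattern")))
        elif kind == "listener":
            listeners += _children(el, "listener-class")
    rsso_names = [name for name, cls in filters.items() if cls == RSSO_FILTER]
    if not rsso_names:
        return [f"no active filter uses {RSSO_FILTER}"]
    findings = []
    if not any(n in rsso_names and "/*" in pats for n, pats in mappings):
        findings.append("RSSOFilter is not mapped to /*")
    # URL-pattern filters run in the order of their filter-mapping elements.
    if require_first and mappings and mappings[0][0] not in rsso_names:
        findings.append(f"filter '{mappings[0][0]}' is mapped before RSSOFilter")
    if require_listener and RSSO_LISTENER not in listeners:
        findings.append(f"listener {RSSO_LISTENER} is missing")
    return findings

# Constructed sample; the parser drops XML comments, so the legacy mapping is ignored.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
<!-- <filter-mapping><filter-name>LegacySSO</filter-name>
     <url-pattern>/*</url-pattern></filter-mapping> -->
<filter><filter-name>AuditFilter</filter-name>
  <filter-class>example.AuditFilter</filter-class></filter>
<filter><filter-name>RSSOFilter</filter-name>
  <filter-class>com.bmc.rsso.agent.RSSOFilter</filter-class></filter>
<filter-mapping><filter-name>AuditFilter</filter-name>
  <url-pattern>/*</url-pattern></filter-mapping>
<filter-mapping><filter-name>RSSOFilter</filter-name>
  <url-pattern>/shared/*</url-pattern></filter-mapping>
</web-app>"""

if __name__ == "__main__":
    print("\n".join(audit_web_xml(SAMPLE_WEB_XML, require_first=True, require_listener=True)))
```

Call it with require_listener=True for the Mid Tier web.xml and with require_first=True for the TrueSight Tomcat web.xml.
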

To manually integrate BMC Helix SSO with BMC Helix CMDB

If you have integrated BMC Helix SSO with AR System and Mid Tier, BMC Helix SSO is automatically integrated with the new BMC CMDB UI. If the integration fails, integrate BMC Helix SSO with the new CMDB UI manually. See Manually integrating BMC Helix Single Sign-On with Jetty server.

To remove the integration of BMC Helix SSO from a BMC application

To remove the integration of BMC Helix SSO from a BMC application, perform the manual integration steps in reverse order. 

For information about how to remove integration between BMC Helix SSO and AR System, see Removing BMC Helix SSO integration from Action Request System and Mid Tier.

 
