Configuring Single Sign-On for Global Network Management

You can configure NNMi single sign-on (SSO) to facilitate access to NNMi regional managers from an NNMi global manager.

Note You must configure single sign-on before connecting regional managers from a global manager. See Use Single Sign-On (SSO) with NNMi for more information.

The SSO feature communicates a user name among NNMi management servers, but not passwords or roles. For example, NNMi can associate the same user name on one NNMi management server (global1) with a different role on other NNMi management servers (regional1 or regional2). Any of these three NNMi management servers could also associate a different password with the same user name.

If a global manager and a regional manager reside in the same management domain, and you do not copy the Initialization String value from the global NNMi management server to the regional NNMi management server as shown in step 4, you could have NNMi console access problems. To avoid this, either configure SSO correctly using the following steps, or disable SSO as described in Disabling SSO.

To configure SSO to work with the global network management feature, complete the following steps:

Note Global and regional managers need to be in the same domain.

  1. Open the following file on global1, regional1, and regional2:

    • Windows: %NNM_PROPS%\nms-ui.properties
    • Linux: $NNM_PROPS/nms-ui.properties
  2. On global1, regional1, and regional2, look for a section in the file that resembles the following:

    com.hp.nms.ui.sso.isEnabled = false

    Change this as follows:

    com.hp.nms.ui.sso.isEnabled = true
  3. Locate the SSO NNMi initialization string for global1. Look for a section in the nms-ui.properties file that resembles the following:

    com.hp.nms.ui.sso.initString =Initialization String

  4. Copy the value of Initialization String from the nms-ui.properties file on global1 to the nms-ui.properties files on regional1 and regional2. All of the servers must use the same value for Initialization String. Save your changes.

    Note NNMi supports copying the Initialization String value from the global NNMi management server to the regional NNMi management servers. In this step, you copied the Initialization String value from the global manager to the two regional managers. Always copy the Initialization String value from the global manager to the regional managers if you want to use SSO with the global network management feature.

    Note If a global manager and a regional manager reside in the same management domain, and you do not copy the Initialization String value from the global NNMi management server to the regional NNMi management server, disable SSO to avoid NNMi console access problems. See Disabling SSO for more information.

  5. If global1, regional1, and regional2 are in different domains, modify the protectedDomains content. To do this, look in the nms-ui.properties file for a section that resembles the following:

    com.hp.nms.ui.sso.protectedDomains=group1.mycompany.com

    Suppose global1 is in global1.company1.com, regional1 is in regional1.company2.com and regional2 is in regional2.company3.com. Modify the protectedDomains section of the nms-ui.properties file on global1, regional1 and regional2 as follows:

    com.hp.nms.ui.sso.protectedDomains=regional1.company1.com, regional2.company2.com,regional3.company3.com
  6. Save your changes.
  7. Run the following command sequence on global1, regional1, and regional2:

    • On Windows: %nnminstalldir%\bin\nnmsso.ovpl -reload
    • On Linux: /opt/OV/bin/nnmsso.ovpl -reload

    Note There are no manual configuration steps to perform to enable single sign-on in an application failover configuration. For example, if you plan to configure single sign-on in an application failover configuration, NNMi replicates the above changes from the active NNMi management server to the standby NNMi management server.
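One way to confirm the result of steps 1 through 6 before running the reload command is to compare the SSO keys across the three copies of nms-ui.properties. The following is an added example, not part of the NNMi documentation or tooling. It assumes each file's text has already been collected from its server and that the entries use the simple key = value form shown above; the sample values are constructed placeholders.

```python
# Added example: audit SSO settings across copies of nms-ui.properties.
PREFIX = "com.hp.nms.ui.sso."

def parse_props(text):
    """Return the com.hp.nms.ui.sso.* settings found in nms-ui.properties text."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue  # blank line, comment, or not a key = value pair
        key, value = (part.strip() for part in line.split("=", 1))
        if key.startswith(PREFIX):
            props[key[len(PREFIX):]] = value
    return props

def domains(props):
    """protectedDomains as a set, ignoring order, case and spacing."""
    raw = props.get("protectedDomains", "")
    return {d.strip().lower() for d in raw.split(",") if d.strip()}

def check_sso(files, global_host):
    """files maps host -> file text; returns findings, empty when consistent."""
    parsed = {host: parse_props(text) for host, text in files.items()}
    ref = parsed[global_host]
    findings = []
    if not ref.get("initString"):
        findings.append(f"{global_host}: initString is missing")
    for host, props in sorted(parsed.items()):
        if props.get("isEnabled", "").lower() != "true":
            findings.append(f"{host}: isEnabled is not true")
        # Report only that the value differs; never echo the string itself.
        if props.get("initString") != ref.get("initString"):
            findings.append(f"{host}: initString differs from {global_host}")
        if domains(props) != domains(ref):
            findings.append(f"{host}: protectedDomains differs from {global_host}")
    return findings

# Constructed sample file contents (placeholder values, not real settings).
SAMPLE = {
    "global1": "com.hp.nms.ui.sso.isEnabled = true\n"
               "com.hp.nms.ui.sso.initString =EXAMPLE-INIT-A\n"
               "com.hp.nms.ui.sso.protectedDomains=group1.mycompany.com\n",
    "regional1": "com.hp.nms.ui.sso.isEnabled=true\n"
                 "com.hp.nms.ui.sso.initString = EXAMPLE-INIT-A\n"
                 "com.hp.nms.ui.sso.protectedDomains = Group1.mycompany.com\n",
    "regional2": "com.hp.nms.ui.sso.isEnabled = false\n"
                 "com.hp.nms.ui.sso.initString =EXAMPLE-INIT-B\n"
                 "com.hp.nms.ui.sso.protectedDomains=group1.mycompany.com\n",
}
```

Calling `check_sso(SAMPLE, "global1")` on the constructed sample reports that regional2 still has SSO disabled and carries a different Initialization String; an empty list means the three files agree.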