Configuring LW-SSO Authentication

Operations Connector can use lightweight single sign-on (LW-SSO) as its user authentication strategy, which allows Operations Connector users to be managed in the same way as OMi users and groups. LW-SSO is the recommended strategy for OMi. The Operations Connector installation program enables LW-SSO authentication by default.

You can configure LW-SSO authentication either when you configure Operations Connector with the bsmc-conf command, or later with the lwsso-conf command. For details on how to use bsmc-conf, see the Operations Connector Installation and Upgrade section.

This section describes how to configure LW-SSO authentication for an existing Operations Connector installation, first with the lwsso-conf command and then by editing the LW-SSO configuration file manually:

How to configure LW-SSO authentication for an existing Operations Connector installation

  1. Prerequisite: Obtain the following information from OMi:

    • OMi domain name. You need to know the domain name of the OMi gateway server to which Operations Connector sends data (for example, example.com).

      If the OMi gateway servers and the Operations Connector run in different subdomains, for example, deu.example.com and ind.example.com, specify only the name of the parent domain, which is example.com in this example.

      Operations Connector and the OMi gateway server to which it reports must run in the same parent domain (example.com in this example). Specify the narrowest domain that contains both systems, because every host in that domain is treated as trusted by LW-SSO.

    • LW-SSO token key. Obtain the token key defined in OMi as follows:

      1. In the OMi user interface, navigate to the Users and Permissions manager:

        Administration > Users > Authentication Management

      2. In the Single Sign-On Configuration group, view the value of the Token Creation Key (initString) setting.

      3. Record the value so it will be available to you later in this procedure.

        If the setting is not defined, work with an OMi administrator to define it.

        1. Click Configure to open the Authentication Wizard.

        2. Click Single Sign-On to view the Single Sign-On panel, and select Lightweight for the Single Sign-On Authentication mode.

        3. Generate the Token Creation Key (initString). Record the value so it will be available to you later in this procedure.

        4. Define the domain or subdomains that are participating in the LW-SSO configuration:

          • If OMi and the Operations Connector instances are running in different subdomains, type the name of the parent domain in the Operations Manager i field.
          • If OMi and the Operations Connector instances are running in the same domain, select Parse automatically and add the domain to the Trusted Hosts/Domains list.
        5. Click Finish to save your changes and close the wizard.
    • Operations Connector groups and roles. Define the groups and roles that are allowed to log into the Operations Connector:

      1. In the OMi user interface, navigate to the Infrastructure Settings manager:

        Administration > Setup and Maintenance > Infrastructure Settings

      2. Click Foundations and select Single Sign-On in the drop-down list.

      3. Set Add user groups information to LW-SSO token to true.

        The default group for Operations Connector is BSMC_ADMINS.

      4. Set Add user roles information to LW-SSO token to true.

  2. Use the lwsso-conf command to configure LW-SSO:

    lwsso-conf.[bat|sh] -lwsso_key <lwssoKey> [-lwsso_domain <lwssoDomainName>] [-lwsso_groups <group0> [<group1> ...]]

    where:

    • -lwsso_key <lwssoKey> is the token key (initString) generated in OMi.

      Single sign-on works only if the token key you enter here is exactly the same as the token key on the OMi server; a key that differs in even one character, including leading or trailing whitespace, produces tokens that Operations Connector cannot validate.

    • -lwsso_domain <lwssoDomainName> specifies the domain of the associated OMi gateway server.

    • -lwsso_groups <group0> [<group1> ...] specifies the OMi groups and roles whose members have access to Operations Connector. Separate individual groups and roles with spaces (for example, -lwsso_groups BSMC_ADMINS SUPERUSER).

  3. Restart ovc:

    ovc -restart
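
The two inputs to lwsso-conf that are easiest to get wrong by hand are the token key (it must be at least 12 characters, see the LW-SSO security warnings below, and match the OMi value exactly) and the domain (it must be the common parent of the OMi gateway and the Operations Connector host, not the subdomain of either). The following Python script is an added example, not part of Operations Connector, that derives the parent domain from the two FQDNs, rejects unusable keys, and assembles the lwsso-conf argument list. The host names are constructed, and the rule that the shared suffix must have at least two labels is this example's assumption.

```python
"""Pre-flight checks for lwsso-conf. Added example, not part of Operations Connector."""
import shlex

MIN_INIT_STRING_LEN = 12  # minimum length given in the LW-SSO security warnings


def check_init_string(init_string):
    """Reject token keys that cannot match the OMi value byte for byte
    (surrounding whitespace is the usual culprit) or that are too short."""
    if init_string != init_string.strip():
        raise ValueError("initString has leading or trailing whitespace")
    if len(init_string) < MIN_INIT_STRING_LEN:
        raise ValueError(f"initString must be at least {MIN_INIT_STRING_LEN} characters")
    return init_string


def common_parent_domain(*fqdns):
    """Longest DNS suffix shared by every host, e.g. omi-gw.deu.example.com and
    opsc01.ind.example.com -> example.com. A shared suffix of fewer than two
    labels (a bare TLD such as 'com') is not a parent domain; that threshold is
    this example's assumption, not a product rule."""
    label_lists = [f.strip().lower().rstrip(".").split(".") for f in fqdns]
    shared = []
    for labels in zip(*(reversed(ll) for ll in label_lists)):
        if len(set(labels)) != 1:
            break
        shared.append(labels[0])
    if len(shared) < 2:
        raise ValueError(f"no common parent domain among {fqdns}")
    return ".".join(reversed(shared))


def lwsso_conf_command(init_string, omi_gateway_fqdn, opsc_fqdn,
                       groups=("BSMC_ADMINS",), windows=False):
    """Assemble the lwsso-conf argument list from step 2 after validating the inputs."""
    check_init_string(init_string)
    domain = common_parent_domain(omi_gateway_fqdn, opsc_fqdn)
    cmd = ["lwsso-conf.bat" if windows else "lwsso-conf.sh",
           "-lwsso_key", init_string, "-lwsso_domain", domain]
    if groups:
        cmd += ["-lwsso_groups", *groups]
    return cmd


if __name__ == "__main__":
    # Constructed host names: gateway and connector sit in different subdomains,
    # so the derived domain is the parent, example.com.
    cmd = lwsso_conf_command("my_initString", "omi-gw.deu.example.com",
                             "opsc01.ind.example.com", groups=("BSMC_ADMINS", "SUPERUSER"))
    # Never echo the key itself into a terminal or log; mask it when displaying.
    print(shlex.join(cmd[:2] + ["<redacted>"] + cmd[3:]))
```

Run it on the Operations Connector host and pass the returned list to subprocess.run, or copy the masked command and type the key yourself; either way the key never lands in the shell history or a log file.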

How to configure LW-SSO authentication for an existing Operations Connector installation by editing the configuration file manually

  1. Prerequisite: Obtain the OMi domain name, the LW-SSO token key (initString), and the groups and roles that are allowed to log into Operations Connector, as described in step 1 of the previous procedure.

  2. On the Operations Connector system, navigate to and open the LW-SSO configuration file: 

    Windows: %OVDataDir%\conf\HPOprBSMC\lwsso-config.xml

    Linux: /var/opt/OV/conf/HPOprBSMC/lwsso-config.xml

  3. Enable LW-SSO authentication by changing the value of enableLWSSOFramework to true:

    <enableLWSSO enableLWSSOFramework="true"
                 enableCookieCreation="true"
                 cookieCreationType="LWSSO"
                 version="2.4"/>
  4. Insert the LW-SSO token key by changing the initString value to the token key you recorded from OMi (my_initString in this example). The value must match the OMi value exactly and, as noted under LW-SSO security warnings below, be at least 12 characters long:

    <in-ui-lwsso>
       <lwssoValidation id="ID000001">
          <domain/>
          <crypto cipherType="symmetricBlockCipher"
                  engineName="AES"
                  paddingModeName="CBC"
                  keySize="256"
                  encodingMode="Base64Url"
                  initString="my_initString"/>
       </lwssoValidation>
    </in-ui-lwsso>
  5. Change the <DNSDomain> value to the OMi domain name you recorded, for example example.com:

    <multiDomain>
       <trustedHosts>
          <DNSDomain>example.com</DNSDomain>
          <!--
          <DNSDomain>company.com</DNSDomain>
          <NetBiosName>host</NetBiosName>
          <IP>16.59.34.64</IP>
          <FQDN>host.company.com</FQDN>
          -->
       </trustedHosts>
    </multiDomain>
  6. Save the file with your changes.

  7. Change the groups and roles that are allowed to log into Operations Connector. Use the ovconfchg command-line interface to modify the list of groups and roles:

    ovconfchg -ns BSMC.LWSSO -set BSMAccessGroups BSMC_ADMINS,SUPERUSER,<myGroup>,<myRole>

    Separate individual groups and roles with commas (,). Enter DISABLED to indicate that group-based authentication is not used; any user who presents a valid LW-SSO token is then accepted, regardless of group or role membership.

  8. Restart ovc:

    ovc -restart
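
Hand-editing lwsso-config.xml is error prone: a typo in enableLWSSOFramework silently leaves LW-SSO off, and a stray character in initString means every token is rejected. The following Python script is an added example, not part of Operations Connector, that applies steps 3 to 5 with an XML parser, reads the three values back so they can be checked before ovc -restart, and builds the ovconfchg command for step 7 while refusing to set DISABLED unless explicitly asked. The sample file is constructed from the fragments shown above and its root element name <lwsso-config> is an assumption; the real file may carry an XML namespace, which the {*} wildcard in the paths tolerates.

```python
"""Patch lwsso-config.xml for Operations Connector. Added example, not product code."""
import io
import re
import xml.etree.ElementTree as ET

MIN_INIT_STRING_LEN = 12  # minimum length given in the LW-SSO security warnings

# Constructed sample mirroring the fragments in the procedure above; the root
# element name <lwsso-config> is an assumption, not taken from the product.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<lwsso-config>
  <enableLWSSO enableLWSSOFramework="false" enableCookieCreation="true"
               cookieCreationType="LWSSO" version="2.4"/>
  <in-ui-lwsso>
    <lwssoValidation id="ID000001">
      <domain/>
      <crypto cipherType="symmetricBlockCipher" engineName="AES" paddingModeName="CBC"
              keySize="256" encodingMode="Base64Url" initString="CHANGE_ME"/>
    </lwssoValidation>
  </in-ui-lwsso>
  <multiDomain>
    <trustedHosts>
      <DNSDomain>company.com</DNSDomain>
      <!-- <FQDN>host.company.com</FQDN> -->
    </trustedHosts>
  </multiDomain>
</lwsso-config>
"""


def _parse(xml_text):
    # insert_comments keeps the commented-out examples in <trustedHosts>
    # instead of silently dropping them when the file is rewritten.
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    return ET.ElementTree(ET.fromstring(xml_text, parser=parser))


def _one(root, path):
    """Exactly one matching element, so an unexpected file layout fails loudly."""
    hits = root.findall(path)
    if len(hits) != 1:
        raise ValueError(f"expected one {path}, found {len(hits)}")
    return hits[0]


def patch_lwsso_config(xml_text, init_string, dns_domain):
    """Return the patched XML text; raises rather than writing a bad key or domain."""
    if init_string != init_string.strip() or len(init_string) < MIN_INIT_STRING_LEN:
        raise ValueError("initString must be >= 12 characters with no surrounding whitespace")
    dns_domain = dns_domain.strip().lower().rstrip(".")
    if not re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", dns_domain):
        raise ValueError(f"not a parent domain name with at least two labels: {dns_domain!r}")
    tree = _parse(xml_text)
    root = tree.getroot()
    # {*} matches the element in any (or no) XML namespace (Python 3.8+).
    _one(root, ".//{*}enableLWSSO").set("enableLWSSOFramework", "true")
    _one(root, ".//{*}lwssoValidation/{*}crypto").set("initString", init_string)
    _one(root, ".//{*}trustedHosts/{*}DNSDomain").text = dns_domain
    buf = io.BytesIO()
    tree.write(buf, encoding="UTF-8", xml_declaration=True)
    return buf.getvalue().decode("utf-8")


def lwsso_settings(xml_text):
    """Read back the three settings so the edit can be verified before ovc -restart."""
    root = _parse(xml_text).getroot()
    return {
        "enableLWSSOFramework": _one(root, ".//{*}enableLWSSO").get("enableLWSSOFramework"),
        "initString": _one(root, ".//{*}lwssoValidation/{*}crypto").get("initString"),
        "DNSDomain": _one(root, ".//{*}trustedHosts/{*}DNSDomain").text,
    }


def ovconfchg_command(groups, allow_any_user=False):
    """Step 7: build the ovconfchg call. An empty group list is refused unless the
    caller explicitly opts into DISABLED, which admits every user with a valid token."""
    for g in groups:
        if not g or "," in g or g != g.strip():
            raise ValueError(f"invalid group or role name: {g!r}")
    if not groups and not allow_any_user:
        raise ValueError("no groups given; pass allow_any_user=True to set DISABLED")
    value = ",".join(groups) if groups else "DISABLED"
    return ["ovconfchg", "-ns", "BSMC.LWSSO", "-set", "BSMAccessGroups", value]


if __name__ == "__main__":
    patched = patch_lwsso_config(SAMPLE_CONFIG, "my_initString", "example.com")
    print(lwsso_settings(patched))
    print(" ".join(ovconfchg_command(["BSMC_ADMINS", "SUPERUSER"])))
```

To apply it to the real file, read %OVDataDir%\conf\HPOprBSMC\lwsso-config.xml (or /var/opt/OV/conf/HPOprBSMC/lwsso-config.xml), pass the text to patch_lwsso_config, write the result back, and confirm with lwsso_settings before running ovc -restart. The patched file contains the token key in clear text, so keep its permissions as restrictive as the original.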

LW-SSO security warnings

This section describes security warnings relevant to LW-SSO configuration. For more information about LW-SSO, see the Platform Administration section.

  • Confidential initString parameter in LW-SSO security.

    LW-SSO uses symmetric encryption to validate an LW-SSO token. The initString parameter within the configuration is used for initialization of the secret key. An application creates a token, and each application that uses the same initString parameter validates the token.

    • It is not possible to use LW-SSO without setting the initString parameter.

    • The initString parameter is confidential information and should be treated as such in terms of publishing, transporting, and persistency.

    • The initString should be shared only between applications integrating with each other using LW-SSO.

    • The minimum length of the initString is 12 characters.

  • LW-SSO should be disabled unless it is specifically required.

  • Symmetric encryption implication.

    LW-SSO uses symmetric cryptography for issuing and validating LW-SSO tokens. Therefore, any application using LW-SSO can issue a token to be trusted by all other applications sharing the same initString. This potential risk is relevant when an application sharing the initString either resides or is accessible in an untrusted location.