Configure LW-SSO in the Service Manager Web tier

Applies to User Roles:

System Administrator

If Lightweight Single Sign-On (LW-SSO) is enabled in the Service Manager Web tier, integrations from other HPE products can launch the Service Manager Web client without a separate Service Manager login: the web tier accepts the LW-SSO token issued by the other product, provided that the user is already authenticated in that product and the token it presents is valid for this web tier.

Note

  • To enable users to launch the Web client from another HPE product using LW-SSO, you must also enable LW-SSO in the Service Manager server.
  • Once you have enabled LW-SSO in the web tier, web client users should use the web tier server's fully-qualified domain name (FQDN) in the login URL, because the LW-SSO cookie is scoped to the domain configured in lwssofmconf.xml and a short host name will not match it: http://<myWebtierHostName>.<myDomain>:<port>/webtier-x.xx/index.do (use https and the sslPort value when secureLogin is enabled).

The following procedure is provided as an example, assuming that the Service Manager Web tier is deployed on Tomcat.

To configure LW-SSO in the Service Manager Web tier:

  1. Open the <Tomcat>\webapps\<Service Manager Web tier>\WEB-INF\web.xml file in a text editor.

  2. Modify the web.xml file as follows:

    1. Set the <serverHost> parameter to the fully-qualified domain name of the Service Manager server.

      Note This is required to enable LW-SSO from the web tier to the server.

    2. Set the <serverPort> parameter to the communications port of the Service Manager server.
    3. Set the secureLogin and sslPort parameters. See Web parameter: secureLogin and Web parameter: sslPort.

      • If you do not want to configure SSL between Tomcat and the browser, set secureLogin to false.
      • We recommend that you enable secure login in a production environment. Once secureLogin is enabled, you must configure SSL for Tomcat. For details, see the Apache Tomcat documentation.
    4. Change the value of context parameter isCustomAuthenticationUsed to false.
    5. Remove the comment tags (<!-- and -->) enclosing the following elements to enable LW-SSO authentication.
      <!--
        <filter>
          <filter-name>LWSSO</filter-name>
          <filter-class>com.hp.sw.bto.ast.security.lwsso.LWSSOFilter</filter-class>
        </filter>
        -->
      ......
      <!--
        <filter-mapping>
          <filter-name>LWSSO</filter-name>
          <url-pattern>/*</url-pattern>
        </filter-mapping>
        -->
    6. Save the web.xml file.
  3. Open the <Tomcat>\webapps\<Service Manager Web tier>\WEB-INF\classes\lwssofmconf.xml file in a text editor.
  4. Modify the lwssofmconf.xml file as follows:

    1. Set the value of enableLWSSOFramework to true (default is false).
    2. Set the <domain> parameter to the domain name of the server where you deploy your Service Manager Web tier. For example, if your Web tier's fully qualified domain name is mywebtier.domain.hp.com, then the domain portion is domain.hp.com.

      Note To use LW-SSO, your Service Manager web tier and server must be deployed in the same domain; therefore you should use the same domain name for the web tier and server. If you fail to do so, users who log in from another application (for example, HPE Enterprise Collaboration) to the web tier can log in but may be forcibly logged out after a while.

    3. Set the <initString> value to the shared secret that HPE applications use to connect through LW-SSO (minimum length: 12 characters); it is the passphrase for the AES cipher in the <crypto> element, so it protects every LW-SSO token the web tier creates or accepts. Treat it as a credential: any party that knows it can create tokens that every application configured with it will accept. Use a long, randomly generated value rather than a guessable one such as the documentation example smintegrationlwsso, and store it with the same care as a password. Make sure that other HPE applications (for example, Release Control) connecting to Service Manager through LW-SSO use the same value in their LW-SSO configurations.
    4. In the <multiDomain> element, set the trusted hosts connecting through LW-SSO. If the Service Manager web tier server and the other application servers connecting through LW-SSO are in the same domain, you can ignore the <multiDomain> element. If the servers are in multiple domains, you must set the correct DNSDomain (domain name), NetBiosName (server name), IP (IP address), and FQDN (fully-qualified domain name) values for each server. The following is an example (the address is a placeholder from the documentation range):

      <DNSDomain>example.com</DNSDomain>
      <NetBiosName>myserver</NetBiosName>
      <IP>192.0.2.10</IP>
      <FQDN>myserver.example.com</FQDN>

      Note As of version 9.30, Service Manager uses <multiDomain> instead of <protectedDomains>, which is used in earlier versions. The multi-domain functionality is relevant only for UI LW-SSO (not for web services LW-SSO). This functionality is based on the HTTP referrer. Therefore, LW-SSO supports links from one application to another and does not support typing a URL in a browser window, except when both applications are in the same domain.

    5. Check the secureHTTPCookie value (default: true).

      • If you set secureHTTPCookie to true (default), you must also set secureLogin in the web.xml file to true (default), because a cookie flagged Secure is never sent over plain HTTP and the web tier would not receive it; if you set secureHTTPCookie to false, you can set secureLogin to either true or false. In a production environment, we recommend that you set both parameters to true.
      • If you do not want to use SSL, set both secureHTTPCookie and secureLogin to false. Be aware that the LW-SSO cookie then travels in clear text and can be captured and replayed by anyone on the network path.
    6. Here is an example of lwssofmconf.xml:

      <?xml version="1.0" encoding="UTF-8"?>
      <lwsso-config xmlns="http://www.hp.com/astsecurity/idmenablmentfw/lwsso/2.0">
        <enableLWSSO
          enableLWSSOFramework="true"
          enableCookieCreation="true"
          cookieCreationType="LWSSO"/>

        <webui>
          <validation>
            <in-ui-lwsso>
              <lwssoValidation id="ID000001">
                <domain>example.com</domain>
                <crypto cipherType="symmetricBlockCipher"
                  engineName="AES" paddingModeName="CBC" keySize="256"
                  encodingMode="Base64Url"
                  initString="This is a shared secret passphrase"/>
              </lwssoValidation>
            </in-ui-lwsso>

            <validationPoint
              enabled="false"
              refid="ID000001"
              authenicationPointServer="http://server1.example.com:8080/bsf"/>
          </validation>

          <creation>
            <lwssoCreationRef useHTTPOnly="true" secureHTTPCookie="true">
              <lwssoValidationRef refid="ID000001"/>
              <expirationPeriod>50</expirationPeriod>
            </lwssoCreationRef>
          </creation>

          <logoutURLs>
            <url>.*/goodbye.jsp.*</url>
            <url>.*/cwc/logoutcleanup.jsp.*</url>
          </logoutURLs>

          <nonsecureURLs>
            <url>.*/images/.*</url>
            <url>.*/js/.*</url>
            <url>.*/css/.*</url>
            <url>.*/cwc/tree/.*</url>
            <url>.*/sso_timeout.jsp.*</url>
          </nonsecureURLs>

          <multiDomain>
            <trustedHosts>
              <DNSDomain>example.com</DNSDomain>
              <DNSDomain>example1.com</DNSDomain>
              <NetBiosName>myserver</NetBiosName>
              <NetBiosName>myserver1</NetBiosName>
              <IP>xxx.xxx.xxx.xxx</IP>
              <IP>xxx.xxx.xxx.xxx</IP>
              <FQDN>myserver.example.com</FQDN>
              <FQDN>myserver1.example1.com</FQDN>
            </trustedHosts>
          </multiDomain>
        </webui>

        <lwsso-plugin type="Acegi">
          <roleIntegration
            rolePrefix="ROLE_"
            fromLWSSO2Plugin="external"
            fromPlugin2LWSSO="enabled"
            caseConversion="upperCase"/>

          <groupIntegration
            groupPrefix=""
            fromLWSSO2Plugin="external"
            fromPlugin2LWSSO="enabled"
            caseConversion="upperCase"/>
        </lwsso-plugin>
      </lwsso-config>
    7. Save the lwssofmconf.xml file.
  5. Open the <Tomcat>\webapps\<Service Manager Web tier>\WEB-INF\classes\application-context.xml in a text editor.
  6. Modify the application-context.xml as follows:

    1. Add lwSsoFilter to filterChainProxy:

      /**=httpSessionContextIntegrationFilter,lwSsoFilter,anonymousProcessingFilter

      Note If you need to enable web tier LW-SSO for integrations and also enable trusted sign-on for your web client users, add lwSsoFilter followed by preAuthenticationFilter, as shown in the following: /**=httpSessionContextIntegrationFilter,lwSsoFilter,preAuthenticationFilter,anonymousProcessingFilter.

      For information about how to enable trusted sign-on in Service Manager, see Example: Enabling trusted sign-on.

    2. Uncomment bean lwSsoFilter:

      <bean id="lwSsoFilter" class="com.hp.ov.sm.client.webtier.lwsso.LwSsoPreAuthenticationFilter">

    3. Save the application-context.xml file.
  7. Repack the updated Service Manager web tier files and replace the old web tier .war file deployed in the <Tomcat>\webapps folder.
  8. Restart Tomcat so that the configuration takes effect.
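The procedure above spreads one configuration across three files, and most of its rules are cross-file (secureHTTPCookie in lwssofmconf.xml versus secureLogin in web.xml, the lwssofmconf.xml <domain> versus the web.xml serverHost, the LWSSO filter and the lwSsoFilter bean both having to be uncommented, lwSsoFilter preceding preAuthenticationFilter). The following script is an added example, not Service Manager product code, that checks those rules before you repack the .war and restart Tomcat. The three XML documents embedded in it are constructed to mirror the fragments on this page; host names, the namespace on web.xml, the Acegi filterChainProxy bean and the initString are placeholders, and in practice you would pass the contents of your real web.xml, lwssofmconf.xml and application-context.xml to check_lwsso_config().

```python
"""Consistency check for the three LW-SSO files edited in the procedure above
(added example, not Service Manager product code). The XML below is constructed
to mirror the page's fragments; host names and the initString are placeholders.
Pass the contents of your real files to check_lwsso_config() instead."""
import re
import xml.etree.ElementTree as ET

# Secrets printed as examples in the documentation; never deploy them.
DOC_EXAMPLE_SECRETS = {"smintegrationlwsso", "This is a shared secret passphrase"}

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # '{namespace}name' -> 'name'

def _find_all(root, name):
    return [e for e in root.iter() if _local(e.tag) == name]

def _child_text(elem, name):
    return next(((c.text or "").strip() for c in elem if _local(c.tag) == name), "")

def _web_params(root):
    """Map web.xml <context-param>/<init-param> names to their values."""
    return {_child_text(p, "param-name"): _child_text(p, "param-value")
            for tag in ("context-param", "init-param") for p in _find_all(root, tag)}

def check_lwsso_config(web_xml, lwsso_xml, app_ctx_xml):
    """Return a list of findings; an empty list means the three files agree."""
    web, lwsso, ctx = (ET.fromstring(x) for x in (web_xml, lwsso_xml, app_ctx_xml))
    params, findings = _web_params(web), []
    server_host = params.get("serverHost", "")
    secure_login = params.get("secureLogin", "").lower() == "true"
    # web.xml (step 2). ElementTree drops comments, so an element still wrapped in <!-- --> is not found.
    if "." not in server_host:
        findings.append(f"web.xml: serverHost '{server_host}' is not fully qualified")
    if params.get("isCustomAuthenticationUsed", "").lower() != "false":
        findings.append("web.xml: isCustomAuthenticationUsed must be false")
    for tag in ("filter", "filter-mapping"):
        if "LWSSO" not in {_child_text(f, "filter-name") for f in _find_all(web, tag)}:
            findings.append(f"web.xml: <{tag}> LWSSO is missing or still commented out")
    # lwssofmconf.xml (step 4)
    enable = _find_all(lwsso, "enableLWSSO")
    if not enable or enable[0].get("enableLWSSOFramework", "").lower() != "true":
        findings.append("lwssofmconf.xml: enableLWSSOFramework is not true")
    domains = _find_all(lwsso, "domain")
    domain = (domains[0].text or "").strip() if domains else ""
    if not domain or not server_host.lower().endswith("." + domain.lower()):
        findings.append(f"lwssofmconf.xml: domain '{domain}' is not the domain of serverHost '{server_host}'")
    cryptos = _find_all(lwsso, "crypto")
    init_string = cryptos[0].get("initString", "") if cryptos else ""
    if len(init_string) < 12 or init_string in DOC_EXAMPLE_SECRETS:
        findings.append("lwssofmconf.xml: initString is too short or is a documentation example value")
    refs = _find_all(lwsso, "lwssoCreationRef")
    secure_cookie = not refs or refs[0].get("secureHTTPCookie", "true").lower() == "true"
    if secure_cookie and not secure_login:
        findings.append("secureHTTPCookie=true in lwssofmconf.xml requires secureLogin=true in web.xml")
    # application-context.xml (step 6)
    if "lwSsoFilter" not in {b.get("id") for b in _find_all(ctx, "bean")}:
        findings.append("application-context.xml: bean lwSsoFilter is missing or still commented out")
    m = re.search(r"^\s*/\*\*=(.+)$", app_ctx_xml, re.MULTILINE)
    chain = [f.strip() for f in m.group(1).split(",")] if m else []
    if "lwSsoFilter" not in chain:
        findings.append("application-context.xml: lwSsoFilter is not in the /** filter chain")
    elif "preAuthenticationFilter" in chain and \
            chain.index("preAuthenticationFilter") < chain.index("lwSsoFilter"):
        findings.append("application-context.xml: preAuthenticationFilter must come after lwSsoFilter")
    return findings

# Constructed samples (placeholder values) in the shape the procedure produces.
GOOD_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <context-param><param-name>serverHost</param-name><param-value>smserver.example.com</param-value></context-param>
  <context-param><param-name>secureLogin</param-name><param-value>true</param-value></context-param>
  <context-param><param-name>isCustomAuthenticationUsed</param-name><param-value>false</param-value></context-param>
  <filter><filter-name>LWSSO</filter-name>
    <filter-class>com.hp.sw.bto.ast.security.lwsso.LWSSOFilter</filter-class></filter>
  <filter-mapping><filter-name>LWSSO</filter-name><url-pattern>/*</url-pattern></filter-mapping>
</web-app>"""
GOOD_LWSSO_XML = """<lwsso-config xmlns="http://www.hp.com/astsecurity/idmenablmentfw/lwsso/2.0">
  <enableLWSSO enableLWSSOFramework="true" enableCookieCreation="true" cookieCreationType="LWSSO"/>
  <webui><validation><in-ui-lwsso><lwssoValidation id="ID000001">
    <domain>example.com</domain>
    <crypto cipherType="symmetricBlockCipher" engineName="AES" paddingModeName="CBC"
            keySize="256" encodingMode="Base64Url" initString="Qv8m2LpX0rTz4NkY9sWb"/>
  </lwssoValidation></in-ui-lwsso></validation>
  <creation><lwssoCreationRef useHTTPOnly="true" secureHTTPCookie="true">
    <lwssoValidationRef refid="ID000001"/><expirationPeriod>50</expirationPeriod>
  </lwssoCreationRef></creation></webui>
</lwsso-config>"""
GOOD_APP_CTX_XML = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
    <property name="filterInvocationDefinitionSource"><value>
      /**=httpSessionContextIntegrationFilter,lwSsoFilter,anonymousProcessingFilter
    </value></property></bean>
  <bean id="lwSsoFilter" class="com.hp.ov.sm.client.webtier.lwsso.LwSsoPreAuthenticationFilter"/>
</beans>"""
# Misconfigurations the procedure warns about, derived from the good samples.
INSECURE_WEB_XML = GOOD_WEB_XML.replace("<param-value>true<", "<param-value>false<")  # secureLogin=false
WEAK_SECRET_LWSSO_XML = GOOD_LWSSO_XML.replace('initString="Qv8m2LpX0rTz4NkY9sWb"', 'initString="short"')
COMMENTED_BEAN_APP_CTX_XML = GOOD_APP_CTX_XML.replace(
    '<bean id="lwSsoFilter"', '<!-- <bean id="lwSsoFilter"').replace('Filter"/>', 'Filter"/> -->')

if __name__ == "__main__":
    for label, files in {"good": (GOOD_WEB_XML, GOOD_LWSSO_XML, GOOD_APP_CTX_XML),
                         "secureLogin=false": (INSECURE_WEB_XML, GOOD_LWSSO_XML, GOOD_APP_CTX_XML),
                         "weak initString": (GOOD_WEB_XML, WEAK_SECRET_LWSSO_XML, GOOD_APP_CTX_XML),
                         "bean commented": (GOOD_WEB_XML, GOOD_LWSSO_XML, COMMENTED_BEAN_APP_CTX_XML)}.items():
        print(label, check_lwsso_config(*files) or "OK")
```

Because ElementTree discards XML comments, the filter and bean checks catch the most common mistake in this procedure, forgetting to remove the <!-- --> around the LWSSO filter or the lwSsoFilter bean, while the regex over the raw text finds the /** line of the filter chain whether or not the surrounding bean is well-formed. The script only checks what the page states; it does not validate the multiDomain trusted-host list or talk to the Service Manager server.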