
Configure LW-SSO in SRC for FIPS mode

Applies to User Roles:

System Administrator

If Lightweight Single Sign-On (LW-SSO) is enabled in Service Request Catalog (SRC), integrations from other HPE products will bypass Service Manager authentication when launching Service Request Catalog, provided that the HPE product user is already authenticated and a proper token is used.

  • To enable users to launch the Service Request Catalog from another HPE product using LW-SSO, you must also enable LW-SSO in the Service Manager server.
  • Once you have enabled LW-SSO in SRC, SRC users should use the SRC server's fully-qualified domain name (FQDN) in the login URL. For example, users should specify the URL as follows: http://<mySrcHostName>.<myDomain>:<port>/src/

To configure LW-SSO in SRC for FIPS mode, follow these steps:

  1. Deploy SRC on Tomcat, and modify the Service Manager Server name and port in the web.xml and applicationContext.properties files if necessary.

    Note Be sure to use the FQDN of the SM Server host as the server name.

  2. Modify the web.xml file located in the <Service Request Catalog>\WEB-INF\ directory.

    Remove the comment tags (<!-- and -->) enclosing the following elements to enable LW-SSO authentication.

    <!-- LWSSO listener for integrations using HP lightweight single sign-on. -->
    <!--
    <listener>
    	<listener-class>com.hp.sw.bto.ast.security.lwsso.conf.LWSSOContextListener</listener-class>
    </listener>
    <context-param>
    	<param-name>com.hp.sw.bto.ast.security.lwsso.conf.fileLocation</param-name>
    	<param-value>lwssofmconf.xml</param-value>
    </context-param>
    -->
    <!-- LWSSO filter for integrations using HP lightweight single sign-on. -->
    <!--
    <filter>
    	<filter-name>LWSSO</filter-name>
    	<filter-class>com.hp.sw.bto.ast.security.lwsso.LWSSOFilter</filter-class>
    </filter>
    <filter-mapping>
    	<filter-name>LWSSO</filter-name>
    	<url-pattern>/*</url-pattern>
    </filter-mapping>
    -->
  3. In the lwssofmconf.xml file that is located in the <Service Request Catalog>\WEB-INF\classes\ directory, modify or add the following parameters.

    1. Set the value of enableLWSSOFramework to true (default is true).

      <enableLWSSO enableLWSSOFramework="true"
                       enableCookieCreation="true"
                       enableAutoCookieCreation="true"
                       cookieCreationType="LWSSO"
                       enableSAML2Support="false" />
    2. Locate the following section.

      <lwssoValidation>
                  <domain>example.com</domain>
                  <crypto cipherType="symmetricBlockCipher"
                    engineName="AES" paddingModeName="CBC" keySize="256"
                    encodingMode="Base64Url"
                    initString="This is a shared secret passphrase"/>
                  <!-- When Service Manager is running in FIPS mode, the crypto configuration above needs to be replaced with the configuration below. The initString value must be 32 characters long and contain no spaces.  -->
                  <!--
                  <crypto cryptoSource="jce" cipherType="symmetricBlockCipher"
                    engineName="AES" paddingModeName="CBC" keySize="256"
                    pbeDigestAlgorithm="SHA1" encodingMode="Base64Url"
                    jcePbeAlgorithmName="AES" jcePbeMacAlgorithmName="AES"
                    macType="hmac"
                    macAlgorithmName="SHA1" directKeyEncoded="true" directKeyEncoding="Base64Url"
                    algorithmPaddingName="PKCS5Padding"
                    pbeCount="20" macKeySize="256" macPbeCount="20"
                    initString="rqa9mkdmfkvdvienfj4usldo9205mvid">
                  </crypto>
                  --> 
      </lwssoValidation>
    3. Update this section by doing the following:

      • Comment out the ordinary (non-FIPS) crypto configuration part.
      • Uncomment the FIPS mode crypto configuration part.
      • Configure the domain of the host.
      • Replace the default initString value with your own value.

        Caution The initString value is shared among all parties that participate in LW-SSO, so the same value must be configured on every participant (for example, the Service Manager server). In FIPS mode, this value must be exactly 32 characters long and contain no spaces; otherwise LW-SSO will not work in FIPS mode. The default value shipped in lwssofmconf.xml is published in this documentation and therefore must be assumed to be known to anyone: replace it with a randomly generated 32-character value and protect it like any other shared secret.

      The following is an example:

      <lwssoValidation>
          <domain>myhostdomain.com</domain>
          <!--
          <crypto cipherType="symmetricBlockCipher"
            engineName="AES" paddingModeName="CBC" keySize="256"
            encodingMode="Base64Url"
            initString="This is a shared secret passphrase"/>
          -->
          <!-- When Service Manager is running in FIPS mode, the crypto configuration above needs to be replaced with the configuration below.
          The initString value must be 32 characters long and contain no spaces. -->
          <crypto cryptoSource="jce" cipherType="symmetricBlockCipher"
            engineName="AES" paddingModeName="CBC" keySize="256"
            pbeDigestAlgorithm="SHA1" encodingMode="Base64Url"
            jcePbeAlgorithmName="AES" jcePbeMacAlgorithmName="AES"
            macType="hmac"
            macAlgorithmName="SHA1" directKeyEncoded="true" directKeyEncoding="Base64Url"
            algorithmPaddingName="PKCS5Padding"
            pbeCount="20" macKeySize="256" macPbeCount="20"
            initString="1qaz2wsxfkvdvienfj4usldo9205mvid">
          </crypto>
      </lwssoValidation>

      Note Here, myhostdomain.com refers to the domain of the SRC host.

  4. Configure trusted domains in the <multiDomain> element. The <multiDomain> element should include the domain names (DNSDomain), server names (NetBiosName), IP addresses (IP), and fully-qualified domain names (FQDN) of the Service Manager Web Tier server and of any other product servers that participate in LW-SSO (for example, the Release Control server). Only hosts listed here are trusted to exchange LW-SSO tokens, so list exactly the participating servers and nothing more.

  5. Modify the applicationContext.properties file located in the <Service Request Catalog >\WEB-INF\classes\ directory.

    1. Specify LW-SSO as the security mode between SRC and Service Manager. Your applicationContext.properties file should contain the following (only the lwsso line uncommented):

      #src.security.mode=default
      src.security.mode=lwsso
      #src.security.mode=tso
    2. To enable Single Sign-On with LW-SSO, set the src.security.ssoEnabled property to true.
  6. Restart the SRC Tomcat so that your configuration takes effect.
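As an added configuration check (example code written for this page; it is not part of SRC or the LW-SSO framework), the Python script below parses lwssofmconf.xml and applicationContext.properties and reports the settings the procedure above requires: the framework enabled, a real domain rather than the example.com placeholder, exactly one active <crypto> element and that one being the jce (FIPS) block, an initString of exactly 32 characters with no spaces that is not the published default, src.security.mode=lwsso, and src.security.ssoEnabled=true. It also generates a random 32-character initString to paste into every LW-SSO participant. The embedded sample files, the root element name <lwsso-config>, and the check_* function names are constructed for this example; the checks match element local names, so they work whether or not the real file declares an XML namespace.

```python
"""Sanity-check the SRC LW-SSO FIPS-mode configuration and generate a compliant
initString. Added example for this page; not part of SRC or the LW-SSO framework."""
import re
import secrets
import string
import sys
import xml.etree.ElementTree as ET

ALPHABET = string.ascii_letters + string.digits
PUBLISHED_DEFAULT = "rqa9mkdmfkvdvienfj4usldo9205mvid"  # default shipped in lwssofmconf.xml


def generate_init_string(length: int = 32) -> str:
    """Random alphanumeric secret: FIPS mode requires 32 characters and no spaces."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def check_init_string(value: str) -> list:
    """Return the FIPS-mode problems with an initString (empty list means OK)."""
    problems = []
    if len(value) != 32:
        problems.append(f"initString must be exactly 32 characters, got {len(value)}")
    if re.search(r"\s", value):
        problems.append("initString must not contain spaces")
    if value == PUBLISHED_DEFAULT:
        problems.append("initString is the published default; replace it")
    return problems


def _local(tag: str) -> str:
    """Strip a namespace prefix so matching works whether or not the file declares one."""
    return tag.rsplit("}", 1)[-1]


def _find_all(root, name):
    return [e for e in root.iter() if _local(e.tag) == name]


def check_lwsso_config(xml_text: str) -> list:
    """Check lwssofmconf.xml for FIPS mode. Commented-out <crypto> blocks are not
    elements, so exactly one *active* <crypto> is expected and it must be the jce one."""
    root = ET.fromstring(xml_text)
    problems = []
    enable = _find_all(root, "enableLWSSO")
    if not enable or enable[0].get("enableLWSSOFramework") != "true":
        problems.append("enableLWSSOFramework is not true")
    validation = _find_all(root, "lwssoValidation")
    if not validation:
        return problems + ["no <lwssoValidation> element"]
    domains = _find_all(validation[0], "domain")
    domain = (domains[0].text or "").strip() if domains else ""
    if not domain or domain == "example.com":
        problems.append("domain is unset or still the placeholder example.com")
    cryptos = _find_all(validation[0], "crypto")
    if len(cryptos) != 1:
        problems.append(f"expected exactly one active <crypto>, found {len(cryptos)}")
    else:
        if cryptos[0].get("cryptoSource") != "jce":
            problems.append("active <crypto> is the non-FIPS block (cryptoSource is not jce)")
        problems += check_init_string(cryptos[0].get("initString", ""))
    return problems


def check_application_context(props_text: str) -> list:
    """Check applicationContext.properties: mode must be lwsso and SSO must be enabled."""
    props = {}
    for line in props_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):  # '#' lines are commented-out alternatives
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    problems = []
    if props.get("src.security.mode") != "lwsso":
        problems.append("src.security.mode is not lwsso")
    if props.get("src.security.ssoEnabled") != "true":
        problems.append("src.security.ssoEnabled is not true")
    return problems


# Constructed samples modelled on the fragments above (root element name is assumed).
FIPS_CONFIG = """<lwsso-config>
  <enableLWSSO enableLWSSOFramework="true" enableCookieCreation="true"
               enableAutoCookieCreation="true" cookieCreationType="LWSSO"
               enableSAML2Support="false"/>
  <lwssoValidation>
    <domain>myhostdomain.com</domain>
    <!-- <crypto cipherType="symmetricBlockCipher" engineName="AES" paddingModeName="CBC"
         keySize="256" encodingMode="Base64Url" initString="This is a shared secret passphrase"/> -->
    <crypto cryptoSource="jce" cipherType="symmetricBlockCipher" engineName="AES"
            paddingModeName="CBC" keySize="256" pbeDigestAlgorithm="SHA1"
            encodingMode="Base64Url" jcePbeAlgorithmName="AES" jcePbeMacAlgorithmName="AES"
            macType="hmac" macAlgorithmName="SHA1" directKeyEncoded="true"
            directKeyEncoding="Base64Url" algorithmPaddingName="PKCS5Padding"
            pbeCount="20" macKeySize="256" macPbeCount="20"
            initString="1qaz2wsxfkvdvienfj4usldo9205mvid"/>
  </lwssoValidation>
</lwsso-config>"""
# Same file with the ordinary (non-FIPS) crypto block left active instead.
NON_FIPS_CONFIG = FIPS_CONFIG.replace('cryptoSource="jce" ', "").replace(
    "1qaz2wsxfkvdvienfj4usldo9205mvid", "This is a shared secret passphrase")
APP_CONTEXT = "#src.security.mode=default\nsrc.security.mode=lwsso\n#src.security.mode=tso\nsrc.security.ssoEnabled=true\n"

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: check_lwsso.py lwssofmconf.xml applicationContext.properties
        xml_text, props_text = open(sys.argv[1]).read(), open(sys.argv[2]).read()
    else:
        xml_text, props_text = FIPS_CONFIG, APP_CONTEXT
    found = check_lwsso_config(xml_text) + check_application_context(props_text)
    print("\n".join(found) if found else "LW-SSO FIPS-mode configuration looks consistent")
    print("Suggested new initString:", generate_init_string())
```

Run it with the two file paths from the SRC WEB-INF\classes directory after step 5 and before restarting Tomcat; run the same check against the lwssofmconf.xml of every other LW-SSO participant, since a mismatched or non-compliant initString on any one of them breaks token validation for all.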