Configure LW-SSO in the Service Manager Web tier

Applies to User Roles:

System Administrator

If Lightweight Single Sign-On (LW-SSO) is enabled in the Service Manager Web tier, integrations from other HPE products will bypass Service Manager authentication when launching the Service Manager Web client, provided that the HPE product user is already authenticated and a proper token is used.

Note

  • To enable users to launch the Web client from another HPE product using LW-SSO, you must also enable LW-SSO in the Service Manager server.
  • Once you have enabled LW-SSO in the web tier, web client users should use the web tier server's fully-qualified domain name (FQDN) in the login URL: http://<myWebtierHostName>.<myDomain>:<port>/webtier-x.xx/index.do
  • This section describes the steps for non-FIPS mode. When the Service Manager Server is running in FIPS mode, the steps are slightly different. See Configure LW-SSO in the Web tier for FIPS mode.

The following procedure is provided as an example, assuming that the Service Manager Web tier is deployed on Tomcat.

To configure LW-SSO in the Service Manager Web tier:

  1. Open the <Tomcat>\webapps\<Service Manager Web tier>\WEB-INF\web.xml file in a text editor.

  2. Modify the web.xml file as follows:

    1. Set the <serverHost> parameter to the fully-qualified domain name of the Service Manager server.

      Note This is required to enable LW-SSO from the web tier to the server.

    2. Set the <serverPort> parameter to the communications port of the Service Manager server.
    3. Change the value of context parameter isCustomAuthenticationUsed to false.

      <context-param>
          <param-name>isCustomAuthenticationUsed</param-name>
          <param-value>false</param-value>
      </context-param>
    4. Remove the comment tags (<!-- and -->) enclosing the following elements to enable LW-SSO authentication.
      <!--
        <filter>
          <filter-name>LWSSO</filter-name>
          <filter-class>com.hp.sw.bto.ast.security.lwsso.LWSSOFilter</filter-class>
        </filter>
        -->
      ......
      <!--
        <filter-mapping>
          <filter-name>LWSSO</filter-name>
          <url-pattern>/*</url-pattern>
        </filter-mapping>
        -->
    5. Save the web.xml file.
  3. Open the <Tomcat>\webapps\<Service Manager Web tier>\WEB-INF\classes\lwssofmconf.xml file in a text editor.
  4. Modify the lwssofmconf.xml file as follows:

    1. Set the value of enableLWSSOFramework to true (default is false).

      <enableLWSSO
          enableLWSSOFramework="true"
          enableCookieCreation="true"
          cookieCreationType="LWSSO"/>
    2. Set the <domain> parameter to the domain name of the server where you deploy your Service Manager Web tier. For example, if your Web tier's fully qualified domain name is mywebtier.domain.hp.com, then the domain portion is domain.hp.com.

      Note To use LW-SSO, your Service Manager web tier and server must be deployed in the same domain; therefore you should use the same domain name for the web tier and server. If you fail to do so, users who log in from another application (for example, HPE Enterprise Collaboration) to the web tier can log in but may be forcibly logged out after a while.

    3. Set the initString value to the password used to connect HPE applications through LW-SSO (minimum length: 12 characters). For example, smintegrationlwsso. Make sure that other HPE applications (for example, Release Control) connecting to Service Manager through LW-SSO share the same password in their LW-SSO configurations.

      Important For LW-SSO between Service Manager and Service Manager Service Portal, the initString value must be 32 characters long and contain both numbers and letters.

    4. In the <multiDomain> element, set the trusted hosts connecting through LW-SSO. If the Service Manager web tier server and the other application servers connecting through LW-SSO are in the same domain, you can ignore the <multiDomain> element; if the servers are in multiple domains, you must set the correct DNSDomain (domain name), NetBiosName (server name), IP (IP address), and FQDN (fully-qualified domain name) values for each server. The following is an example.

      <DNSDomain>example.com</DNSDomain>
      <NetBiosName>myserver</NetBiosName>
      <IP>1.23.456.789</IP>
      <FQDN>myserver.example.com</FQDN>

      Note As of version 9.30, Service Manager uses <multiDomain> instead of <protectedDomains>, which is used in earlier versions. The multi-domain functionality is relevant only for UI LW-SSO (not for web services LW-SSO). This functionality is based on the HTTP referrer. Therefore, LW-SSO supports links from one application to another and does not support typing a URL in a browser window, except when both applications are in the same domain.

    5. Check the secureHTTPCookie value (default: true).

      • If you set secureHTTPCookie to true (default), you must also set secureLogin in the web tier configuration file (web.xml) to true (default); if you set secureHTTPCookie to false, you can set secureLogin to either true or false. In a production environment, it is recommended that you set both parameters to true.
      • If you do not want to use SSL, set both secureHTTPCookie and secureLogin to false.
    6. Save the lwssofmconf.xml file.
  5. Open the <Tomcat>\webapps\<Service Manager Web tier>\WEB-INF\classes\application-context.xml in a text editor.
  6. Modify the application-context.xml file as follows:

    1. Add lwSsoFilter to the filterChainProxy bean:

      <sec:filter-chain pattern="/**" filters="securityContextPersistenceFilter,lwSsoFilter,anonymousAuthFilter"/>

      If you need to enable web tier LW-SSO for integrations and also enable trusted sign-on for your web client users, add lwSsoFilter followed by preAuthenticationFilter, as shown in the following:

      <sec:filter-chain pattern="/**" filters="securityContextPersistenceFilter,lwSsoFilter,preAuthenticationFilter,anonymousAuthFilter"/>

      For information about how to enable trusted sign-on in Service Manager, see Example: Enabling trusted sign-on.

    2. Uncomment the lwSsoFilter bean by removing the comment tags:

        <bean id="lwSsoFilter" class="com.hp.ov.sm.client.webtier.lwsso.LwSsoPreAuthenticationFilter">
          <property name="authenticationManager">
            <ref bean="authenticationManager"/>
          </property>
          <property name="defaultRole">
            <value>ROLE_PRE</value>
          </property>
        </bean>
    3. Save the application-context.xml file.
  7. Restart Tomcat so that the configuration takes effect.
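The following script is an added example, not part of this procedure or an HPE tool: it audits the settings that steps 2, 4 and 6 above change (isCustomAuthenticationUsed, enableLWSSOFramework, the shared <domain>, the initString length rule, the secureHTTPCookie/secureLogin pairing, and the lwSsoFilter position in the filter chain) before Tomcat is restarted. It assumes simplified, namespace-free shapes for web.xml and lwssofmconf.xml in which the elements and attributes are named as on this page; the sample inputs are constructed.

```python
import re
import xml.etree.ElementTree as ET

def audit_lwsso(web_xml, lwsso_xml, filter_chain, webtier_fqdn, service_portal=False):
    """Return a list of findings; an empty list means the checks from this page pass."""
    findings, cfg = [], ET.fromstring(lwsso_xml)
    params = {p.findtext("param-name").strip(): p.findtext("param-value").strip()
              for p in ET.fromstring(web_xml).iter("context-param")}  # web.xml context-params
    # Step 2.3: custom authentication must be off so the LWSSO filter handles login
    if params.get("isCustomAuthenticationUsed", "").lower() != "false":
        findings.append("web.xml: isCustomAuthenticationUsed must be false")
    # Step 4.1: enableLWSSOFramework defaults to false and must be switched on
    enable = cfg.find(".//enableLWSSO")
    if enable is None or enable.get("enableLWSSOFramework") != "true":
        findings.append("lwssofmconf.xml: enableLWSSOFramework is not true")
    # Step 4.2: the web tier and serverHost must both sit under the configured <domain>
    domain = (cfg.findtext(".//domain") or "").strip().lower()
    for label, host in (("web tier", webtier_fqdn), ("serverHost", params.get("serverHost", ""))):
        if not domain or not host.lower().endswith("." + domain):
            findings.append(f"{label} '{host}' is not in domain '{domain}'")
    # Step 4.3: initString is the shared secret; at least 12 chars, 32 mixed for Service Portal
    crypto = cfg.find(".//*[@initString]")
    init = crypto.get("initString") if crypto is not None else ""
    portal_ok = len(init) == 32 and re.search(r"[A-Za-z]", init) and re.search(r"\d", init)
    if len(init) < 12 or (service_portal and not portal_ok):
        findings.append("initString does not meet the length/character requirement")
    # Step 4.5: secureHTTPCookie=true (the default) requires secureLogin=true in web.xml
    cookie = cfg.find(".//*[@secureHTTPCookie]")
    secure_cookie = cookie.get("secureHTTPCookie") if cookie is not None else "true"
    if secure_cookie == "true" and params.get("secureLogin", "true").lower() != "true":
        findings.append("secureHTTPCookie is true but secureLogin is not true")
    # Step 6.1: lwSsoFilter must be present and run before preAuthenticationFilter/anonymousAuthFilter
    chain = [f.strip() for f in filter_chain.split(",")]
    if "lwSsoFilter" not in chain:
        findings.append("filter-chain: lwSsoFilter is missing")
    for later in ("preAuthenticationFilter", "anonymousAuthFilter"):
        if "lwSsoFilter" in chain and later in chain and chain.index(later) < chain.index("lwSsoFilter"):
            findings.append(f"filter-chain: lwSsoFilter must precede {later}")
    return findings

# Constructed sample inputs (simplified, namespace-free shapes; the real files carry more elements)
WEB_XML = "<web-app>" + "".join(
    f"<context-param><param-name>{k}</param-name><param-value>{v}</param-value></context-param>"
    for k, v in {"serverHost": "sm.example.com", "secureLogin": "false",
                 "isCustomAuthenticationUsed": "false"}.items()) + "</web-app>"
LWSSO_XML = ('<lwsso-config><enableLWSSO enableLWSSOFramework="true" enableCookieCreation="true"'
             ' cookieCreationType="LWSSO"/><domain>example.com</domain>'
             '<crypto initString="smintegrationlwsso"/><lwssoCreationRef secureHTTPCookie="true"/></lwsso-config>')
CHAIN = "securityContextPersistenceFilter,lwSsoFilter,preAuthenticationFilter,anonymousAuthFilter"
```

With the sample inputs the only finding is the secureLogin mismatch from step 4.5; passing service_portal=True additionally flags the 18-character initString.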