Example: Enabling trusted sign-on
Trusted sign-on allows users on trusted clients who have logged into a Windows domain to log on to Service Manager without providing a user name and password. Trusted sign-on requires the web application server to connect to a web server (such as Windows Internet Information Services (IIS) or Apache HTTP Server) for third-party authentication.
Notes:
- Service Manager 9.30 or later only supports trusted sign-on with SSL enabled and the ssl_reqClientAuth parameter set to "2".
- To use trusted sign-on, you must first add your web tier and Windows clients to a domain.
This example assumes that you are using Tomcat as the web application server and Apache or IIS as the web server.
To enable trusted sign-on, perform the following tasks:
Task 1: Enable required SSL encryption and trusted clients.
For detailed steps, see Example: Enabling required SSL encryption and trusted clients.
Task 2: Configure the web tier to use trusted sign-on.
- Stop the web application server running the web tier.
- In the web tier's web.xml file, set isCustomAuthenticationUsed to false.
- In the <Tomcat>/conf/server.xml file, insert tomcatAuthentication="false" in the following section as shown below.
  <Connector port="8009"
  enableLookups="false" tomcatAuthentication="false" redirectPort="8443" protocol="AJP/1.3" />
- Edit the web application server's application-context.xml file to enable pre-authentication.
  Open <web tier installation path>\WEB-INF\classes\application-context.xml in a text editor, and search for the following string:
  <sec:filter-chain pattern="/**" filters="securityContextPersistenceFilter,anonymousAuthFilter"/>
  Insert preAuthenticationFilter in the string:
  <sec:filter-chain pattern="/**" filters="securityContextPersistenceFilter,preAuthenticationFilter,anonymousAuthFilter"/>
  Note: If you need to enable trusted sign-on for your web client users and also enable web tier lightweight single sign-on (LW-SSO) for integrations, add lwSsoFilter followed by preAuthenticationFilter, as shown in the following:
  <sec:filter-chain pattern="/**" filters="securityContextPersistenceFilter,lwSsoFilter,preAuthenticationFilter,anonymousAuthFilter"/>
  For information about how to enable LW-SSO in the web tier, see Configure LW-SSO in the Service Manager Web tier.
- Restart the web application server.
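The Task 2 edits to server.xml and application-context.xml can be checked before the restart. The following Python script is an added example, not part of the Service Manager product or its documentation; it runs on constructed sample XML, and its function names are hypothetical. Because tomcatAuthentication="false" makes Tomcat accept the user name that the web server passes over AJP, the script also raises an advisory (an addition, not a step from this topic) when the connector has no address attribute.

```python
import xml.etree.ElementTree as ET

# Constructed samples modelled on the snippets in this topic, not real files.
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8009" enableLookups="false" tomcatAuthentication="false"
             redirectPort="8443" protocol="AJP/1.3" />
</Service></Server>"""
APP_CONTEXT_XML = """<beans xmlns:sec="http://www.springframework.org/schema/security">
  <sec:filter-chain pattern="/**" filters="securityContextPersistenceFilter,lwSsoFilter,preAuthenticationFilter,anonymousAuthFilter"/>
</beans>"""


def check_ajp_connector(server_xml):
    """Return a list of findings for the AJP connector(s) in server.xml."""
    findings = []
    ajp = [c for c in ET.fromstring(server_xml).iter("Connector")
           if "ajp" in c.get("protocol", "").lower()]
    if not ajp:
        findings.append("no AJP connector found")
    for c in ajp:
        port = c.get("port")
        # Tomcat's default is "true", so a missing attribute also fails.
        if c.get("tomcatAuthentication", "true").lower() != "false":
            findings.append(f"port {port}: tomcatAuthentication is not false")
        elif not c.get("address"):
            # Added advisory (assumption, not a step from this topic).
            findings.append(f"port {port}: no address set; confirm only the web server can reach it")
    return findings


def check_filter_chain(app_context_xml, pattern="/**"):
    """Return a list of findings for the filter order on the given pattern."""
    for el in ET.fromstring(app_context_xml).iter():
        # ElementTree tags look like "{namespace}filter-chain".
        if el.tag.rsplit("}", 1)[-1] != "filter-chain" or el.get("pattern") != pattern:
            continue
        names = [n.strip() for n in el.get("filters", "").split(",")]
        if "preAuthenticationFilter" not in names:
            return ["preAuthenticationFilter is missing"]
        i = names.index("preAuthenticationFilter")
        findings = []
        if "securityContextPersistenceFilter" not in names[:i]:
            findings.append("securityContextPersistenceFilter must precede preAuthenticationFilter")
        if "anonymousAuthFilter" not in names[i + 1:]:
            findings.append("anonymousAuthFilter must follow preAuthenticationFilter")
        if "lwSsoFilter" in names[i + 1:]:
            findings.append("lwSsoFilter must precede preAuthenticationFilter")
        return findings
    return [f"no filter-chain for pattern {pattern}"]
```

To check a real installation, read the two files from disk and pass their contents to the functions; an empty list means the edit matches the form shown in this topic.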
Task 3: Configure each Windows client to use trusted sign-on.
Do the following for each Windows client:
- Make sure SSL encryption is enabled for the Windows client. See task 1.
- Open a client connection, and on the Connection tab select Use Trusted Sign-on, and click Apply.
Task 4: Install and configure the web server (Apache or IIS) to use trusted sign-on.
Install and configure an external authentication source, such as Microsoft Integrated Windows Authentication (IIS) or Apache, to ensure that Service Manager can use your private certificates. When using IIS, you need to configure an ISAPI connector for your web application server, and you need to modify the virtual directory to use Integrated Windows Authentication. For details, see Example: Configuring the web server for trusted sign-on.
Task 5: Create an operator record for each Windows user.
Create an operator record for each Windows user you want to log in to Service Manager. The operator's login name must match the user's NT account username, but does not require a password.
Task 6: Configure web browsers to enable web client users to use trusted sign-on.
Configure the web browser's security settings on each web client host. The following steps use Internet Explorer as an example.
- Open Internet Explorer, and select Tools > Internet Options.
- On the Security tab, click Custom Level, scroll down to the User Authentication section at the bottom, and select Automatic logon with current username and password.
- On the Security tab, click Trusted Sites > Sites, and add the web tier's server address (FQDN) to the list of sites:
  http://<myWebtierHostName>.<myDomain>
  Note: On FDCC-compliant computers, the security settings of Internet Explorer are locked by default and you cannot change them. For a workaround for this issue, see Troubleshooting: web client fails to automatically log in to Service Manager.
Task 7: Test your trusted sign-on setup.
- Start the Service Manager server, the web server (Apache or IIS), and the web application server (in this example, Tomcat).
- Start a Windows client, and log in using trusted sign-on.
  Service Manager should automatically log you in with your NT account username.
- Start Internet Explorer, and open the web tier login URL: http://<myWebtierHostName>.<myDomain>:<port>/webtier-x.xx//index.do
  Service Manager should automatically log you in without displaying the login screen.
Related concepts
Trusted sign-on
Example: Generating a server certificate with OpenSSL
Example: Generating a client certificate with OpenSSL
Example: Enabling required SSL encryption and trusted clients
Using LW-SSO with integrations
Related references
Requirements for trusted sign-on
Troubleshooting: web client fails to automatically log in to Service Manager