Configure LW-SSO in the Service Manager Web tier

Applies to User Roles: System Administrator

If Lightweight Single Sign-On (LW-SSO) is enabled in the Service Manager Web tier, integrations from other Micro Focus products will bypass Service Manager authentication when launching the Service Manager Web client, provided that the Micro Focus product user is already authenticated and a proper token is used.

Note

  • All products involved in LW-SSO must use the same user account.

  • To enable users to launch the Web client from another Micro Focus product using LW-SSO, you must also enable LW-SSO in the Service Manager server.
  • Once you have enabled LW-SSO in the web tier, web client users should use the web tier server's fully-qualified domain name (FQDN) in the login URL: http://<myWebtierHostName>.<myDomain>:<port>/webtier-x.xx/index.do
  • This section describes the steps for non-FIPS mode. When the Service Manager Server is running in FIPS mode, the steps are slightly different. See Configure LW-SSO in the Web tier for FIPS mode.

The following procedure is provided as an example, assuming that the Service Manager Web tier is deployed on Tomcat.

Configuration required for Tomcat 8.5 or later

If you are using Tomcat 8.5 or later, you need to configure Tomcat to use a legacy cookie processor; otherwise, when LW-SSO is enabled for the Web tier, an exception occurs when users log in to Service Manager and then log out.

You can configure Tomcat to use the legacy cookie processor for all web applications deployed on it, or only for the Service Manager Web tier.

For all web applications:

  1. Open the <Tomcat>/conf/context.xml file in a text editor.
  2. Insert the following line inside the <Context> tag pair:

    <CookieProcessor className="org.apache.tomcat.util.http.LegacyCookieProcessor"/>
  3. Save the file.

For the Web tier only:

  1. In the <Tomcat>/conf/Catalina/localhost folder, create an empty XML file with the same name as your Web tier. For example:

    webtier-9.60.xml

  2. Copy the following lines to the file:

    <?xml version='1.0' encoding='utf-8'?>
    <Context>
      <CookieProcessor className="org.apache.tomcat.util.http.LegacyCookieProcessor"/>
    </Context>
  3. Save the file.

To configure LW-SSO in the Service Manager Web tier:

  1. Open the <Tomcat>\webapps\<Service Manager Web tier>\WEB-INF\web.xml file in a text editor.

  2. Modify the web.xml file as follows:

    1. Set the <serverHost> parameter to the fully-qualified domain name of the Service Manager server.

      Note This is required to enable LW-SSO from the web tier to the server.

    2. Set the <serverPort> parameter to the communications port of the Service Manager server.
    3. Change the value of context parameter isCustomAuthenticationUsed to false.

      <context-param>
          <param-name>isCustomAuthenticationUsed</param-name>
          <param-value>false</param-value>
      </context-param>
    4. Remove the comment tags (<!-- and -->) enclosing the following elements to enable LW-SSO authentication.
      <!--
        <filter>
          <filter-name>LWSSO</filter-name>
          <filter-class>com.hp.sw.bto.ast.security.lwsso.LWSSOFilter</filter-class>
        </filter>
        -->
      ......
      <!--
        <filter-mapping>
          <filter-name>LWSSO</filter-name>
          <url-pattern>/*</url-pattern>
        </filter-mapping>
        -->
    5. Save the web.xml file.
  3. Open the <Tomcat>\webapps\<Service Manager Web tier>\WEB-INF\classes\lwssofmconf.xml file in a text editor.
  4. Modify the lwssofmconf.xml file as follows:

    1. Set the value of enableLWSSOFramework to true (default is false).

      <enableLWSSO
          enableLWSSOFramework="true"
          enableCookieCreation="true"
          cookieCreationType="LWSSO"/>
    2. Set the <domain> parameter to the domain name of the server where you deploy your Service Manager Web tier. For example, if your Web tier's fully qualified domain name is mywebtier.domain.hp.com, then the domain portion is domain.hp.com.

      Note To use LW-SSO, your Service Manager web tier and server must be deployed in the same domain; therefore you should use the same domain name for the web tier and server. If you fail to do so, users who log in from another application (for example, Micro Focus Enterprise Collaboration) to the web tier can log in but may be forcibly logged out after a while.

    3. Set the initString value to the password used to connect Micro Focus applications through LW-SSO (minimum length: 12 characters). For example, smintegrationlwsso. Make sure that other Micro Focus applications (for example, Release Control) connecting to Service Manager through LW-SSO share the same password in their LW-SSO configurations.

      Important For LW-SSO between Service Manager and Service Manager Service Portal, the initString value must be 32 characters long and contain both numbers and letters.

    4. In the <multiDomain> element, set the trusted hosts connecting through LW-SSO. If the Service Manager web tier server and the other application servers connecting through LW-SSO are in the same domain, you can ignore the <multiDomain> element. If the servers are in multiple domains, you must set the correct DNSDomain (domain name), NetBiosName (server name), IP (IP address), and FQDN (fully-qualified domain name) values for each server. The following is an example.

      <DNSDomain>example.com</DNSDomain>
      <NetBiosName>myserver</NetBiosName>
      <IP>1.23.456.789</IP>
      <FQDN>myserver.example.com</FQDN>

      Note As of version 9.30, Service Manager uses <multiDomain> instead of <protectedDomains>, which is used in earlier versions. The multi-domain functionality is relevant only for UI LW-SSO (not for web services LW-SSO). This functionality is based on the HTTP referrer. Therefore, LW-SSO supports links from one application to another and does not support typing a URL in a browser window, except when both applications are in the same domain.

    5. Check the secureHTTPCookie value (default: true).

      • If you set secureHTTPCookie to true (default), you must also set secureLogin in the web tier configuration file (web.xml) to true (default); if you set secureHTTPCookie to false, you can set secureLogin to either true or false. In a production environment, it is recommended that you set both parameters to true.
      • If you do not want to use SSL, set both secureHTTPCookie and secureLogin to false.
    6. Save the lwssofmconf.xml file.
  5. Open the <Tomcat>\webapps\<Service Manager Web tier>\WEB-INF\classes\application-context.xml file in a text editor.
  6. Modify the application-context.xml file as follows:

    1. Add lwSsoFilter to the filterChainProxy bean:

      <sec:filter-chain pattern="/**" filters="securityContextPersistenceFilter,lwSsoFilter,anonymousAuthFilter"/>

      If you need to enable web tier LW-SSO for integrations and also enable trusted sign-on for your web client users, add lwSsoFilter followed by preAuthenticationFilter, as shown in the following:

      <sec:filter-chain pattern="/**" filters="securityContextPersistenceFilter,lwSsoFilter,preAuthenticationFilter,anonymousAuthFilter"/>

      For information about how to enable trusted sign-on in Service Manager, see Example: Enabling trusted sign-on.

    2. Uncomment the lwSsoFilter bean by removing the comment tags:

      <bean id="lwSsoFilter" class="com.hp.ov.sm.client.webtier.lwsso.LwSsoPreAuthenticationFilter">
        <property name="authenticationManager">
          <ref bean="authenticationManager"/>
        </property>
        <property name="defaultRole">
          <value>ROLE_PRE</value>
        </property>
      </bean>
    3. Save the application-context.xml file.
  7. Restart Tomcat so that the configuration takes effect.
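As an added check that is not part of the Service Manager documentation or product, the following Python script audits the settings this procedure changes: it parses web.xml for the edits in step 2 (isCustomAuthenticationUsed, the LWSSO filter and its mapping), and applies the lwssofmconf.xml rules from step 4 (same domain for web tier and server, initString length, the secureHTTPCookie/secureLogin constraint, valid IP values under multiDomain) to values you have already read out of that file, since its layout is not reproduced on this page. The web.xml fragment and all sample values are constructed.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed web.xml fragment (not from a real deployment): the LWSSO <filter> has been
# uncommented, but isCustomAuthenticationUsed is still true and the <filter-mapping> is still commented out.
SAMPLE_WEB_XML = """<web-app>
  <context-param><param-name>isCustomAuthenticationUsed</param-name><param-value>true</param-value></context-param>
  <filter><filter-name>LWSSO</filter-name><filter-class>com.hp.sw.bto.ast.security.lwsso.LWSSOFilter</filter-class></filter>
  <!-- <filter-mapping><filter-name>LWSSO</filter-name><url-pattern>/*</url-pattern></filter-mapping> -->
</web-app>"""

def _local(tag): return tag.rsplit('}', 1)[-1]  # strip a default namespace such as {http://.../javaee}

def audit_web_xml(xml_text):
    # Elements still inside <!-- --> are invisible to the parser, so "missing" means "still commented out".
    root = ET.fromstring(xml_text)
    problems, params, filters, mappings = [], {}, set(), set()
    for e in root.iter():
        tag, kv = _local(e.tag), {_local(c.tag): (c.text or '').strip() for c in e}
        if tag == 'context-param':
            params[kv.get('param-name')] = kv.get('param-value')
        elif tag == 'filter':
            filters.add(kv.get('filter-name'))
        elif tag == 'filter-mapping' and kv.get('url-pattern') == '/*':
            mappings.add(kv.get('filter-name'))
    if params.get('isCustomAuthenticationUsed') != 'false':
        problems.append('isCustomAuthenticationUsed must be false')
    if 'LWSSO' not in filters:
        problems.append('LWSSO <filter> is still commented out')
    if 'LWSSO' not in mappings:
        problems.append('LWSSO <filter-mapping> for /* is still commented out')
    return problems

def audit_lwsso_values(domain, server_host, init_string, secure_cookie,
                       secure_login, trusted_hosts=(), service_portal=False):
    # Apply the lwssofmconf.xml rules from the procedure to values extracted from that file.
    problems = []
    if not server_host.lower().endswith('.' + domain.lower()):
        problems.append('web tier <domain> does not match the Service Manager server FQDN')
    if len(init_string) < 12:
        problems.append('initString shorter than 12 characters')
    if service_portal and not (len(init_string) == 32 and any(c.isdigit() for c in init_string)
                               and any(c.isalpha() for c in init_string)):
        problems.append('Service Portal needs a 32-character initString with letters and digits')
    if secure_cookie and not secure_login:
        problems.append('secureHTTPCookie=true requires secureLogin=true in web.xml')
    for host in trusted_hosts:  # dicts with DNSDomain, NetBiosName, IP and FQDN keys
        try:
            ipaddress.ip_address(host['IP'])
        except ValueError:
            problems.append('invalid IP for trusted host %s' % host['NetBiosName'])
    return problems
```

Run audit_web_xml on the real web.xml after step 2 and expect an empty list; the lwssofmconf.xml values still have to be read by hand because that file's structure varies between releases.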

Related topics

Using LW-SSO with integrations

Configure LW-SSO in the Service Manager server