
Configure LW-SSO in the Web tier for FIPS mode

Applies to User Roles:

System Administrator

If Lightweight Single Sign-On (LW-SSO) is enabled in the Service Manager Web Tier, integrations from legacy HPE products will bypass Service Manager authentication when launching the Service Manager Web client, provided that the user of the legacy HPE product is already authenticated and a proper token is used.

Note

  • To enable users to launch the Web client from another legacy HPE product using LW-SSO, you must also enable LW-SSO in the Service Manager server.
  • Once you have enabled LW-SSO in the web tier, web client users should use the web tier server's fully-qualified domain name (FQDN) in the login URL: http://<myWebtierHostName>.<myDomain>:<port>/webtier-x.xx/index.do
  • The following procedure is provided as an example, assuming that the Service Manager Web tier is deployed on Tomcat.

Prerequisite:

Before you proceed, make sure you have enabled FIPS mode in the Web Tier. For detailed instructions, see Configure FIPS mode in the Web Tier.

To configure LW-SSO in the Service Manager Web tier:

  1. Open the <Tomcat>\webapps\<Service Manager Web tier>\WEB-INF\web.xml file in a text editor.

  2. Modify the web.xml file as follows:

    1. Set the <serverHost> parameter to the fully-qualified domain name of the Service Manager server.

      Note This is required to enable LW-SSO from the web tier to the server.

    2. Set the <serverPort> parameter to the communications port of the Service Manager server.
    3. Change the value of context parameter isCustomAuthenticationUsed to false.

      <context-param>
          <param-name>isCustomAuthenticationUsed</param-name>
          <param-value>false</param-value>
      </context-param>
    4. Remove the comment tags (<!-- and -->) enclosing the following elements to enable LW-SSO authentication.
      <!--
        <filter>
          <filter-name>LWSSO</filter-name>
          <filter-class>com.hp.sw.bto.ast.security.lwsso.LWSSOFilter</filter-class>
        </filter>
        -->
      ......
      <!--
        <filter-mapping>
          <filter-name>LWSSO</filter-name>
          <url-pattern>/*</url-pattern>
        </filter-mapping>
        -->
    5. Save the web.xml file.
  3. Open the <Tomcat>\webapps\<Service Manager Web tier>\WEB-INF\classes\lwssofmconf.xml file in a text editor.
  4. Update the lwssofmconf.xml file as described in the following steps.

    1. Set the value of enableLWSSOFramework to true (default is false).

      <enableLWSSO
          enableLWSSOFramework="true"
          enableCookieCreation="true"
          cookieCreationType="LWSSO"/>
    2. Locate the following section.

      <lwssoValidation>
                  <domain>example.com</domain>
                  <crypto cipherType="symmetricBlockCipher"
                    engineName="AES" paddingModeName="CBC" keySize="256"
                    encodingMode="Base64Url"
                    initString="This is a shared secret passphrase"/>
                  <!-- When Service Manager is running in FIPS mode, the crypto configuration above needs to be replaced with the configuration below. The initString value must be 32 characters long and contain no spaces.  -->
                  <!--
                  <crypto cryptoSource="jce" cipherType="symmetricBlockCipher"
                    engineName="AES" paddingModeName="CBC" keySize="256"
                    pbeDigestAlgorithm="SHA1" encodingMode="Base64Url"
                    jcePbeAlgorithmName="AES" jcePbeMacAlgorithmName="AES"
                    macType="hmac"
                    macAlgorithmName="SHA1" directKeyEncoded="true" directKeyEncoding="Base64Url"
                    algorithmPaddingName="PKCS5Padding"
                    pbeCount="20" macKeySize="256" macPbeCount="20"
                    initString="rqa9mkdmfkvdvienfj4usldo9205mvid">
                  </crypto>
                  --> 
      </lwssoValidation>
    3. Update this section by doing the following:

      • Comment out the ordinary crypto configuration part.
      • Uncomment the FIPS mode crypto configuration part.
      • Configure the domain of the host.
      • Update the default initString value to your own value, if needed.

        Caution The initString value is shared among all parties that participate in LW-SSO. In FIPS mode, this value must be 32 characters long and contain no spaces; otherwise LW-SSO will not work in FIPS mode.

      The following is an example:

      <lwssoValidation>
          <domain>myhostdomain.com</domain>
           <!--
                 <crypto cipherType="symmetricBlockCipher"
                    engineName="AES" paddingModeName="CBC" keySize="256"
                    encodingMode="Base64Url"
                    initString="This is a shared secret passphrase"/>
            -->
            <!-- When Service Manager is running in FIPS mode, the crypto configuration above needs to be replaced with the configuration below.
            The initString value must be 32 characters long and contain no spaces. --> 
        
                  <crypto cryptoSource="jce" cipherType="symmetricBlockCipher"
                    engineName="AES" paddingModeName="CBC" keySize="256"
                    pbeDigestAlgorithm="SHA1" encodingMode="Base64Url"
                    jcePbeAlgorithmName="AES" jcePbeMacAlgorithmName="AES"
                    macType="hmac"
                    macAlgorithmName="SHA1" directKeyEncoded="true" directKeyEncoding="Base64Url"
                    algorithmPaddingName="PKCS5Padding"
                    pbeCount="20" macKeySize="256" macPbeCount="20"
                    initString="1qaz2wsxfkvdvienfj4usldo9205mvid">
                  </crypto>
      </lwssoValidation>
    4. In the <multiDomain> element, set the trusted hosts connecting through LW-SSO. If the Service Manager web tier server and the other application servers connecting through LW-SSO are in the same domain, you can ignore the <multiDomain> element; if the servers are in multiple domains, you must set the correct DNSDomain (domain name), NetBiosName (server name), IP (IP address), and FQDN (fully-qualified domain name) values for each server. The following is an example.

      <DNSDomain>example.com</DNSDomain>
      <NetBiosName>myserver</NetBiosName>
      <IP>1.23.456.789</IP>
      <FQDN>myserver.example.com</FQDN>

      Note As of version 9.30, Service Manager uses <multiDomain> instead of <protectedDomains>, which is used in earlier versions. The multi-domain functionality is relevant only for UI LW-SSO (not for web services LW-SSO). This functionality is based on the HTTP referrer. Therefore, LW-SSO supports links from one application to another and does not support typing a URL in a browser window, except when both applications are in the same domain.

    5. Check the secureHTTPCookie value (default: true).

      • If you set secureHTTPCookie to true (default), you must also set secureLogin in the web tier configuration file (web.xml) to true (default); if you set secureHTTPCookie to false, you can set secureLogin to either true or false. In a production environment, it is recommended that you set both parameters to true.
      • If you do not want to use SSL, set both secureHTTPCookie and secureLogin to false.
    6. Save the lwssofmconf.xml file.
  5. Open the <Tomcat>\webapps\<Service Manager Web tier>\WEB-INF\classes\application-context.xml file in a text editor.
  6. Modify the application-context.xml as follows:

    1. Add lwSsoFilter to the filterChainProxy bean:

      <sec:filter-chain pattern="/**" filters="securityContextPersistenceFilter,lwSsoFilter,anonymousAuthFilter"/>

      Note If you need to enable web tier LW-SSO for integrations and also enable trusted sign-on for your web client users, add lwSsoFilter followed by preAuthenticationFilter, as shown in the following:

      <sec:filter-chain pattern="/**" filters="securityContextPersistenceFilter,lwSsoFilter,preAuthenticationFilter,anonymousAuthFilter"/>

      For information about how to enable trusted sign-on in Service Manager, see Example: Enabling trusted sign-on.

    2. Uncomment the lwSsoFilter bean by removing the comment tags:

        <bean id="lwSsoFilter" class="com.hp.ov.sm.client.webtier.lwsso.LwSsoPreAuthenticationFilter">
          <property name="authenticationManager">
            <ref bean="authenticationManager"/>
          </property>
          <property name="defaultRole">
            <value>ROLE_PRE</value>
          </property>
       </bean>
    3. Save the application-context.xml file.
  7. Restart Tomcat so that the configuration takes effect.
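As an added check (not part of the product or of this documentation), the following Python script parses a constructed lwssofmconf.xml fragment and verifies the FIPS-mode requirements from the steps above: the jce crypto configuration is the active one, the initString is 32 characters long with no spaces and is not one of the sample values printed on this page, and the secureHTTPCookie/secureLogin pairing is consistent. The sample XML and its initString are assumptions made up for the example.

```python
import xml.etree.ElementTree as ET
from typing import List

# Constructed stand-in for the <lwssoValidation> section of lwssofmconf.xml after the
# FIPS-mode edits (the ordinary <crypto> is commented out, the jce one is active).
# The initString is a made-up 32-character value, not a real deployment secret.
SAMPLE_LWSSO_XML = """<lwssofmconf>
  <lwssoValidation>
    <domain>myhostdomain.com</domain>
    <!-- <crypto cipherType="symmetricBlockCipher" engineName="AES"
                 initString="This is a shared secret passphrase"/> -->
    <crypto cryptoSource="jce" cipherType="symmetricBlockCipher"
            engineName="AES" paddingModeName="CBC" keySize="256"
            macType="hmac" macAlgorithmName="SHA1"
            initString="x7Kp2mQ9vL4nR8sT1wB6yC3eD5fG0hJa"/>
  </lwssoValidation>
</lwssofmconf>"""

# initString values printed verbatim in the product documentation. A deployment that
# still carries one of them has not chosen its own shared secret.
DOCUMENTED_SAMPLE_SECRETS = {
    "rqa9mkdmfkvdvienfj4usldo9205mvid",
    "1qaz2wsxfkvdvienfj4usldo9205mvid",
}


def check_fips_crypto(xml_text: str) -> List[str]:
    """Return findings for the active <crypto> element; an empty list means it passes."""
    findings: List[str] = []
    # ElementTree drops XML comments, so only the uncommented <crypto> element is seen.
    root = ET.fromstring(xml_text)
    crypto = root.find("./lwssoValidation/crypto")
    if crypto is None:
        return ["no active <crypto> element under <lwssoValidation>"]
    if crypto.get("cryptoSource") != "jce":
        findings.append('FIPS mode needs the cryptoSource="jce" crypto configuration')
    secret = crypto.get("initString", "")
    if len(secret) != 32:
        findings.append(f"initString must be 32 characters long, found {len(secret)}")
    if " " in secret:
        findings.append("initString must not contain spaces")
    if secret in DOCUMENTED_SAMPLE_SECRETS:
        findings.append("initString is a sample value from the documentation; set your own")
    return findings


def cookie_settings_consistent(secure_http_cookie: bool, secure_login: bool) -> bool:
    """secureHTTPCookie=true (lwssofmconf.xml) requires secureLogin=true (web.xml)."""
    return secure_login or not secure_http_cookie
```

Run it against the real WEB-INF\classes\lwssofmconf.xml by reading the file into check_fips_crypto before restarting Tomcat; any returned finding means LW-SSO will not work in FIPS mode or is using a published secret.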