Install > Install Service Request Catalog (SRC) > Complete additional authentication tasks

Complete additional authentication tasks

There are a variety of authentication scenarios that require additional tasks. Perform these tasks if you want to use an external centralized authentication point, or to work with other Micro Focus products through LW-SSO. The number of tasks depend on the configuration settings you specified.

You can skip these tasks if you install SRC for demo or testing.

Typical scenarios

The difference among these scenarios is your preferred authentication method:

  • LWSSO
  • TSO

Another consideration is whether you want encryption using SSL. The following tables describe each scenario and the remaining configuration steps.

Method Communication Remaining steps
External Authentication TSO Configure basic authentication
    SSL is required
    Configure TSO Properties
Method Communication Remaining steps
External Authentication LW-SSO Configure basic authentication
    SSL is Optional
    Configure LWSSO Properties

 

Method Communication Remaining steps
LW-SSO Compatible Authentication LW-SSO Configure basic authentication
    SSL is optional
    Configure LWSSO Properties

External authentication

Customers often use external methods, such as SiteMinder or Active Directory, to authenticate their users. The typical scenario is to authenticate the user once (pre-authentication) and then enable that user to access resources or other applications without additional login or authentication procedures. For example, an employee would log in one time to the corporate intranet and then be able to access Service Request Catalog to request services and support. If you are a customer, consultant, or partner, read this section to learn how to implement a single sign-on solution for Service Request Catalog using a pre-authentication method with a REMOTE_USER HTTP header value.

Before you begin

Verify that you completed all steps to deploy and configure Service Request Catalog. There are common tasks that you need to complete for all supported authentication scenarios.

Note All commands are shown in Windows format. For Linux installations, convert them to match your local Linux path conventions.

Task 1. Install OpenSSL

OpenSSL is an open source toolkit for the SSL protocol that contains a variety of utility functions. You can obtain the OpenSSL toolkit from a variety of sources. You will need it to complete required tasks.

You can obtain OpenSSL if you install Cygwin, which is available at
http://www.cygwin.com/

Although Cygwin has multiple components, you need only the following:

  • OpenSSL runtime environment
  • OpenSSL base environment

Install it in a directory that you can easily navigate to at the command line. Example: C:\cygwin.

You need OpenSSL on both the Service Request Catalog and Service Manager servers. You can simplify running openssl commands if you create an environment variable that specifies the openssl location: cygwin\bin\openssl.

Cygwin is governed by the GNU General Public License.

Verify: Open the Cygwin Command Prompt window by double-clicking C:\cygwin\Cygwin.bat. You will need this window later. Confirm that you have OpenSSL available by typing this command:

openssl -help

Tip If a command fails when you run openssl commands that reference files in various locations, the problem may be that you are not running the command from the file directory, or you do not have an environment variable defined for openssl that enables you to run from any directory.

Task 2. Configure a JAVA HOME variable

Make sure there is a JAVA_HOME environment variable configured on the Service Manager server and on the Service Request Catalog server. Service Manager installs a complete JRE in this location:

C:\Program Files\Mirco Focus\Service Manager x.xx\Server\RUN\jre\bin.

Verify: Open a Windows Command Prompt window. Confirm that you have the keytool application available by typing this command at the prompt:

keytool -help

If an error message appears, confirm that you have JAVA_HOME configured correctly and that it includes the \bin folder in that path.

On the Service Request Catalog server, JAVA_HOME should point to the same Java instance used by Tomcat.

Note Each instance of a Java Runtime or Java Developer’s Kit contains a ...\lib\security\cacerts file. Some test or production servers could have more than one version installed. It is important that you consistently reference the same Java instance that is used by Tomcat.

Task 3. Review some configuration tips

During the configuration process, you need to access certain folders and files. Create a separate Windows Explorer window for each.

  • You may want to set up a remote desktop connection in advance to the server where the Service Manager server is installed.
    • On the Service Manager server, have the following folder available. The root may vary, depending on your installation conventions.

      C:\Program Files\Micro Focus\Service Manager x.xx\Server\RUN

  • You may want to set up a remote desktop connection in advance to the server where Service Request Catalog is deployed.
    • On the Service Request Catalog server, locate your installation of Java. The root may vary, depending on your installation conventions. You will need to access this file:

      C:\Program Files\Java\jdk1.x.x_xx\jre\lib\security\cacerts

    • On the Service Request Catalog server, create a new folder that you can locate easily where you can store new security files related to Trusted Sign-On.

      Example: C:\...\src-x.xx\_TSO\

    • On the Service Request Catalog server, locate the folder where you unzipped the .war file. You will need to access these files:

      C:\...\src-x.xx\WEB-INF\classes\applicationContext.properties

      C:\...\src-x.xx\WEB-INF\classes\lwssofmconf.properties

      Tip Set up separate windows for each of these folders and files ahead of time to speed up the configuration process. Arranging them side by side will make it easy to switch from one to the other.

Task 4. Verify server communication

HP recommends that you verify that the Service Request Catalog server and the Service Manager server can communicate. From the Service Request Catalog server, open a Command Prompt window and ping the Service Manager server using its fully qualified domain name.

  1. From the Service Manager server, open a Command Prompt window and ping the Service Request Catalog server using its fully qualified domain name.
  2. If you have any communications failures, add the fully qualified domain name and IP of the other server to the local Hosts file.

    Note Keep both Command Prompt windows open. You will need them to complete subsequent steps.

Configure SSL (Optional for LWSSO)

These tasks support the transfer of encrypted data between Service Request Catalog and the Service Manager server. To configure SSL for Service Request Catalog, follow these steps:

Import the CA certificate

Follow these steps only if you do not have a digital security certificate issued by a certificate authority provider, such as Verisign, Thawte, or your corporate certificate authority. The digital certificate contains a public key, the identity of the owner, and a matching private key. The certificate is required to encrypt data sent and received in a “trusted” environment. If you do not have a digital certificate from an external provider, you must create your own certificate to enable encrypted data transfer between the Service Manager server and the trusted Service Request Catalog application.

  1. From the Cygwin Command Prompt window, change directories and navigate to the new folder you created to contain Trusted Sign-On files.

    Example: cd "C:\...\src-x.xx\_TSO\"

  2. From this directory, run the following openssl commands to generate a private key for the certificate authority.

    Command Description
    genrsa Generate an RSA private key
    -des3 A cipher methodology
    -passout pass: Specify a password for the created file
    -out filename.pem Create an output file

    Copy and paste this command into your Cygwin Command Prompt window:

    openssl genrsa -des3 -passout pass:changeit -out certificateAuthorityKey.pem 1024

    Caution Copy and paste is a shortcut to reduce typing errors and improve efficiency. However, the commands may be long with many parameters. Make sure you copy the entire command, even when it wraps over multiple lines. When you paste it into the Command Prompt window, it will appear as a single line.

    Verify: This folder should contain a new file named certificateAuthorityKey.pem.

  3. The following openssl commands generate a self-signed certificate for the certificate authority.

    Command Description
    req Request a certificate
    -new The certificate is new
    -x509 x509 is a self-signed certificate utility (For more information, see www.openssl.org)
    -days 365 Expires after one year
    -key certificateAuthorityKey.pem Specify the certificate file name name
    -passin pass: Specify a password for the certificate file
    -subj "/CN=www.xxx.com" If you were using an external certificate authority, this would be their domain name. Because we are creating our own, the domain is not relevant but the command must have some reference.
    -out filename.pem Create this certificate file

    Copy and paste this command into your Cygwin Command Prompt window:

    openssl req -new -x509 -days 365 -key certificateAuthorityKey.pem -passin pass:changeit -subj "/CN=www.xxx.com" -out certificateAuthorityCert.pem

    Verify: This folder should contain a new file named certificateAuthorityCert.pem

  4. From the Windows Command Prompt window, navigate to the new folder you created to contain Trusted Sign-On files.

    Example: C:\...\src-\_TSO\

  5. The following keytool commands generate a public/private key pair for Service Request Catalog. The trusted certificate entry is stored in an entity known as a keystore. For more information about keytool, see www.oracle.com.

    Command Description
    -genkey Generate a key pair, which contains a public key and associated private key pair
    -dname "CN=fqdn" Specify the fully qualified domain name of the Service Request Catalog server
    -validity 365 Expires after one year
    -alias alias_name Creates a unique name, or alias, for a new trusted certificate entry. In this case, use src as the alias_name.
    -keypass Specify a password for the certificate file.
    -keystore Specify the name of the Service Manager keystore file.
    -storepass Specify a password for the keystore file.

    Copy and paste this command into your Windows Command Prompt window:

    keytool -genkey -dname "CN=fqdn" -validity 365 -alias src -keypass changeit -keystore srcKeystore.jks -storepass changeit

    Tip Copy it into a plain text file first, substitute your fully qualified domain name for fqdn, and then copy and paste it into the command line. Make sure you use the fully qualified domain name, not an IP address. A fully qualified domain name looks like this: server.name.qualifier.

    Verify: This folder should contain a new file named srcKeystore.jks.

  6. The following keytool commands generate a Certificate Signing Request (CSR) for Service Request Catalog.

    Command Description
    -certreq Generate a Certificate Signing Request (CSR)
    -alias alias_name src is the alias name
    -file The file name is srcCSR.pem
    -keypass Specify a password for the .pem file
    -keystore Specify the name of the Service Request Catalog keystore file.
    -storepass Specify a password for the keystore file.

    Copy and paste this command into your Windows Command Prompt window:

    keytool -certreq -alias src -file srcCSR.pem -keypass changeit -keystore srcKeystore.jks -storepass changeit

    Verify: This folder should contain a new file named srcCSR.pem.

  7. Return to your Cygwin Command Prompt window.

  8. Run the following openssl commands to sign the CSR that you created in step 6.

    Command Description
    x509 x509 is a self-signed certificate utility (For more information, see www.openssl.org)
    -req Request a certificate
    -in filename.pem CSR file name
    -CA filename.pem File name of the certificate to be signed
    -CAkey filename.pem File that contains the private key
    -passin pass: Specify the password for the key file
    -days 365 Expires in one year
    -set_serial Optional. Serial number of the file (Can replace the -CA parameter)
    -out filename.pem Create an output file for the signed certificate

    Copy and paste this command into your Cygwin Command Prompt window:

    openssl x509 -req -in srcCSR.pem -CA certificateAuthorityCert.pem -CAkey certificateAuthorityKey.pem -passin pass:changeit -days 365 -set_serial 1 -out srcCert.pem

    Verify: You should see these messages display in the command window:

    Signature ok subject=/CN=yourFQDN Getting CA Private Key

    This folder should contain a new file named srcCert.pem.

  9. Return to your Windows Command Prompt window.

  10. The following keytool commands import the Certificate Authority certificate into the Service Request Catalog keystore file.

    Command Description
    -importcert Read the certificate (or certificate chain) from the file and put it in the alias keystore
    -noprompt No user input required
    -alias alias_name certificateAuthority is the alias name for the certificateAuthorityCert.pem file
    -keypass Specify the password for the certificateAuthorityCert.pem file
    -file The file name is certificateAuthorityCert.pem
    -keystore Specify the name of the Service Request Catalog keystore file
    -storepass Specify the password for the Service Request Catalog keystore file

    Copy and paste this command into your Windows Command Prompt window:

    Keytool -importcert -noprompt -alias certificateAuthority -keypass changeit -file certificateAuthorityCert.pem -keystore srcKeystore.jks -storepass changeit

    Verify: You should see the following message display in the command window.

    Certificate was added to keystore

  11. The following keytool commands import the signed certificate file for Service Request Catalog into the Service Request Catalog keystore file.

    Command Description
    -importcert Read the certificate (or certificate chain) from the file and put it in the alias keystore
    -alias alias_name src is the alias for the srcCert.pem
    -keypass Specify the password for srcCert.pem file
    -file The file name is certificateAuthorityCert.pem
    -keystore Specify the name of the Service Request Catalog keystore file
    -storepass Specify the password for the Service Request Catalog keystore file

    Copy and paste this command into your Windows Command Prompt window:

    keytool -importcert -alias src -keypass changeit -file srcCert.pem -keystore srcKeystore.jks -storepass changeit

    Verify: You should see the following message display in the command window.

    Certificate reply was installed in keystore

Import the Trusted CA certificate

If you support Trusted Sign-On authentication, these steps are required. Use either a digital security certificate issued by a certificate authority provider or a self-signed certificate to complete the task.

Complete these steps in the Windows Command Prompt window on the Service Request Catalog server.

  1. Navigate to your JAVA_HOME location where the cacerts file resides.

    Example: C:\...\jre\lib\security\cacerts

  2. Navigate to the folder that you created to store new security files related to Trusted Sign-On.

    Example: C:\...\src-\_TSO\

  3. Copy the following file:

    C:\...\src-\_TSO\certificatAuthoritycert.pem

  4. Paste the file from step 3 in the JAVA_HOME location where the cacerts file resides:

    Example: C:\...\jre\lib\security\certificatAuthoritycert.pem

  5. Copy the following file:

    C:\...\src-\_TSO\certificatAuthorityKey.pem

  6. Paste the file from step 5 in the same JAVA_HOME location from step 4.

    Verify: The result should be two new files in the same folder that contains the cacerts file.

    C:\...\jre\lib\security\cacerts C:\...\jre\lib\security\certificatAuthoritycert.pem C:\...\jre\lib\security\certificatAuthorityKey.pem

  7. Import the signing certificate authority's public certificate into the cacerts file to establish a chain of trust.  To do this, execute the following command:

    keytool -importcert -noprompt -alias certificateAuthority -keypass changeit -file certificateAuthorityCert.pem -keystore cacerts -storepass changeit

    Verify: The keytool application displays the following confirmation message:

    Certificate was added to the keystore.

Copy files to the Service Manager server

Copy the files in the following steps from the Service Request Catalog server to the Service Manager server before you start the next task.

  1. From your JAVA_HOME location on the Service Request Catalog server, copy the following file:

    C:\...\jre\lib\security\cacerts

  2. On the Service Manager server, paste the file into the following folder:

    C:\Program Files\Micro Focus\Service Manager x.xx\Server\RUN

  3. On the Service Request Catalog server, copy the following self-signed certificate and key files:

    certificateAuthorityCert.pem

    certificateAuthorityKey.pem

  4. Paste the files from step 3 into the following folder:

    C:\Program Files\Micro Focus\Service Manager x.xx\Server\RUN

Import the CA certificate for Service Manager

If you support Trusted Sign-On authentication, and you do not have a digital security certificate issued by a certificate authority provider, such as Verisign, Thawte, or your corporate certificate authority, the following steps are required. You will need the same certificate authority that you used to create your own keystore and certificate for Service Request Catalog.

Complete this task on the Service Manager server to enable encrypted data transfer between the Service Manager server and the trusted Service Request Catalog application.

  1. In a Windows Command Prompt window, navigate to the following folder:

    C:\Program Files\Micro Focus\Service Manager x.xx\Server\RUN

  2. From this directory, run keytool.exe to generate a public/private key pair for Service Manager. To do this, copy and paste the following command into your Windows Command Prompt window:

    keytool -genkey -dname "CN=fqdn" -validity 365 -alias sm -keypass changeit -keystore smKeystore.jks -storepass changeit

    Tip Copy it into a plain text file first, substitute your fully qualified domain name, and then copy and paste it into the command line.

    Verify: The C:\Program Files\Micro Focus\Service Manager x.xx\Server\RUN directory contains a new file named smKeystore.jks.

  3. Run keytool.exe again to generate a Certificate Signing Request (CSR) for Service Request Catalog. Copy and paste this command into your Windows Command Prompt window:

    keytool -certreq -alias sm -file smCSR.pem -keypass changeit -keystore smKeystore.jks -storepass changeit

    Verify: The C:\Program Files\Micro Focus\Service Manager x.xx\Server\RUN directory contains a new file named smCSR.pem.

  4. Open a Cygwin Command Prompt window on the Service Manager server and navigate to the following folder:

    C:\Program Files\Micro Focus\Service Manager x.xx\Server\RUN

  5. Run openssl with the following commands to sign the CSR. To do this, copy and paste the following command into your Cygwin Command Prompt window:

    openssl x509 -req -in smCSR.pem -CA certificateAuthorityCert.pem -CAkey certificateAuthorityKey.pem -passin pass:changeit -days 365 -set_serial 1 -out smCert.pem

    Verify: You should see these messages display in the command window, and the folder should contain a new file named smCert.pem:

    Signature ok

    subject=/CN=<yourFQDN>

    Getting CA Private Key

  6. Return to your Windows Command Prompt window.
  7. Run keytool.exe again to import the Certificate Authority certificate into the Service Manager keystore file. To do this, copy and paste the following command into your Windows Command Prompt window:

    keytool -importcert -noprompt -alias certificateAuthority -keypass changeit -file certificateAuthorityCert.pem -keystore smKeystore.jks -storepass changeit

    Verify: You should see the following message displayed in the command window:

    Certificate was added to keystore

  8. Run keytool.exe again to import the signed certificate file for Service Manager into the Service Manager keystore file. To do this, copy and paste this command into your Windows Command Prompt window:

    keytool -importcert -alias sm -keypass changeit -file smCert.pem -keystore smKeystore.jks -storepass changeit

    Verify: You should see the following message displayed in the command window:

    Certificate reply was installed in keystore

  9. On the Service Request Catalog server, copy the Service Request Catalog self-signed certificate file:

    srcCert.pem

  10. Paste the srcCert.pem file into the following folder on the Service Manager server:

    C:\Program Files\Micro Focus\Service Manager x.xx\Server\RUN

  11. Run keytool.exe with the following commands to import the Service Request Catalog certificate as a trusted client of Service Manager: 

    keytool -importcert -noprompt -alias src -keypass changeit -file srcCert.pem -keystore clientcerts.keystore -storepass changeit

    Verify: The keytool application should display the following confirmation message:

    Certificate was added to the keystore

Configure LWSSO properties

If Lightweight Single Sign-On (LW-SSO) is enabled in Service Request Catalog, integrations from other Micro Focus products will bypass Service Manager authentication when launching Service Request Catalog, provided that the product user is already authenticated and a proper token is used.

Note  

  • To enable users to launch the Service Request Catalog from another Micro Focus product using LW-SSO, you must also enable LW-SSO in the Service Manager server.
  • Once you have enabled LW-SSO in the Service Request Catalog, SRC users should use the SRC server's fully-qualified domain name (FQDN) in the login URL.  For example, users should specify the URL as follows
    http://<mySrcHostName>.<myDomain>:<port>/src/
  • The following procedure is provided as an example, and assumes Service Request Catalog is deployed on a Tomcat Web application server.

To configure LW-SSO in the Service Request Catalog, follow these steps:

  1. Deploy the Service Request Catalog on a Web application server (for example, Tomcat), and modify the Service Manager Server name and port in web.xml and applicationContext.properties if necessary.
  2. Modify the web.xml file located in the < Service Request Catalog >\WEB-INF\ directory.

    Remove the comment tags (<!-- and -->) enclosing the following elements to enable LW-SSO authentication.
    <!-- LWSSO listener for integrations using HP lightweight single sign-on. -->
    <!--
    <listener>
    	<listener-class>com.hp.sw.bto.ast.security.lwsso.conf.LWSSOContextListener</listener-class>
    </listener>
    <context-param>
    	<param-name>com.hp.sw.bto.ast.security.lwsso.conf.fileLocation</param-name>
    	<param-value>lwssofmconf.xml</param-value>
    </context-param>
    -->
    <!-- LWSSO filter for integrations using HP lightweight single sign-on. -->
    <!--
    <filter>
    	<filter-name>LWSSO</filter-name>
    	<filter-class>com.hp.sw.bto.ast.security.lwsso.LWSSOFilter</filter-class>
    </filter>
    <filter-mapping>	
    	<filter-name>LWSSO</filter-name>
    	<url-pattern>/*</url-pattern>
    </filter-mapping>
    -->
  3. In the lwssofmconf.xml file that is located in the < Service Request Catalog >\WEB-INF\classes\ directory, modify or add the following parameters.
    1. Set the value of enableLWSSOFramework to true (default is true).
    2. <domain>: Domain name of the server where you deploy your Service Request Catalog. For example, if your Service Request Catalog's fully qualified domain name is mysrc.domain.hp.com, then the domain portion is domain.hp.com.

      <initString>: Password used to connect HP products (minimum length: 12 characters). For example, smintegrationlwsso. Make sure that this value is the same as those used in the LW-SSO configurations of the other HP products (such as Operations Orchestration, and Business Service Management), which you want to connect via LW-SSO.

      <multiDomain>: The <multiDomain> element should include the domain names (DNSDomain), server names (NetBiosName), IP addresses (IP), fully-qualified domain names (FQDN) of the Service Manager web tier server and other product servers (for example, the Release Control server).

      Note The multi-domain functionality is relevant only for UI LW-SSO (not for web services LW-SSO). In addition, you must set the multiDomain element in each product for which you want to support LW-SSO. The multi-domain functionality is based on the HTTP referrer. Therefore, LW-SSO supports links from one application to another and does not support typing a URL into a browser window, except when both applications are in the same domain.

      The following is an example of a configured lwssofmconf.xml file:

      <?xml version="1.0" encoding="UTF-8"?>
      <lwsso-config xmlns="http://www.hp.com/astsecurity/idmenablmentfw/lwsso/2.0">
      <enableLWSSO enableLWSSOFramework="true"
      enableCookieCreation="true"
      enableAutoCookieCreation="true"
      cookieCreationType="LWSSO"
      enableSAML2Support="false" />
      <webui>
      <validation>
      <in-ui-lwsso>
      <lwssoValidation id="ID000001">
      <domain>hp.example.net</domain>
      <!-- lw -->
      <crypto cipherType="symmetricBlockCipher"
      engineName="AES" paddingModeName="CBC" keySize="256"
      encodingMode="Base64Url"
      initString="This is a shared secret passphrase"> </crypto>
      ……
      </lwssoValidation>
      </in-ui-lwsso>
      <in-lwssoAutoCreate enableAutoCookieCreation="true" enableUserReplacement="true" refid="ID000002"/>
      <validationPoint
      enabled="false"
      refid="ID000002"
      authenicationPointServer="http://psinghal2.americas.hpqcorp.net:8080/bsf"/>
      </validation>
      <creation>
      <lwssoCreationRef id="ID000002" useHTTPOnly="true">
      <lwssoValidationRef refid="ID000001"/>
      <expirationPeriod>30</expirationPeriod>
      </lwssoCreationRef>
      </creation>
      <logoutURLs>
      <url>.*logout.jsp</url>
      </logoutURLs>
      <multiDomain>
      <trustedHosts>
      <DNSDomain>hp.example.net</DNSDomain>
      <DNSDomain>emea.example.net</DNSDomain>
      </trustedHosts>
      </multiDomain>
      </webui>
      <lwsso-plugin type="SpringSecurity">
      <roleIntegration rolePrefix="ROLE_"
      fromLWSSO2Plugin="internal"
      fromPlugin2LWSSO="disabled"
      caseConversion="upperCase"/>
      </lwsso-plugin>
      </lwsso-config>
  4. Modify applicationContext.properties file located in the <Service Request Catalog >\WEB-INF\classes\ directory. In the # Security Mode section, to specify Light Weight Single Sign-On (LWSSO), and remove the comment symbol that precedes #src.security.mode=lwsso to specify LWSSO as your communication method between Service Request Catalog and Service Manager. Insert the comment symbol in front of the default value.

    Your applications.Context properties files should resemble the following:

    #src.security.mode=default
    src.security.mode=lwsso
    #src.security.mode=tso

    To enable Single Sign-On with LWSSO, set the src.security.SSOenabled property to true.

  5. Restart Tomcat so that the configuration takes effect.

Configure TSO

To set up Trusted Sign-On between Service Request Catalog and the Service Manager server, follow these steps:.

  1. Make sure the Certificates have been created. Please reference “Configure SSL” section to create Certificates and make sure the following Certificates have been created for Service Request Catalog and Service Manager.

    CA Certificate: cacerts
    Client Key Store: srcKeystore.jks
    Server Key Store: smKeystore.jks
    Trusted Client Key Store: clientcerts.keystore

  2. Confirm the applicationContext.properties file settings on the Service Request Catalog server are correct.  To do this, follow these steps:
    1. Open the applicationContext.properties in a text editor. You can find this file in the following directory:

      C:\...\src-\WEB-INF\classes\applicationContext.properties

    2. Locate the # Service Manager Connector Configuration settings and then verify that the http security protocol is used.

      sm.protocol=https

    3. Verify that the hostname is correct.

      sm.hostname=xxx.xxx.xxx.xxx

    4. Verify that the port is responding to https.

      sm.port=13443

    5. Locate the # Security Mode: settings and remove the a comment symbol (#) and space that precedes TSO if present, and there is a comment symbol (#) and space before the default mode parameter:

      # src.security.mode=default

      # src.security.mode=lwsso

      src.security.mode=tso

      To enable TSO, set the src.security.SSOenabled property to true.

    6. Locate # Trusted Sign-On settings and then verify that the Certificate path and password are set.

      Note Assume that the Certificate files are saved in Directory c:\_TSO.

      src.trustStore=C:\\_TSO \\cacerts

      src.trustStorePassword=changeit

      src.keyStore=C:\\ _TSO \\ srcKeystore.jks

      src.keyStorePassword=changeit

    7. Save the file if you made any changes.  However, you may want to leave it open in the text editor for future reference.
  3. Confirm that the server.xml file on Tomcat are set to get REMOTE_USER from the HTTP Header. To do this, follow these steps:
    1. Locate # Define an AJP 1.3 Connector on port 8009 settings.

    2. Verify that the property tomcatAuthentication is set to false.

      <Connector port="8009" enableLookups="false" protocol="AJP/1.3" redirectPort="8443" tomcatAuthentication="false" />

Configure Common Access Cards

To enable Common Access Cards (CAC) for SRC, follow these steps:

  1. Enable CAC in Service Manager. To do this, use the cacsign on parameter from a Service Manager command line, or specify it in the sm.ini file.

    Command line: sm -httpPort:13080 -cacsignon:1
    Initialization file: cacsignon:1

    For more information on this parameter, see the following section of the Service Manager Help Center:

    • "Parameter: cacsignon"
  2. Complete the following tasks from the "Example: enabling CAC sign-on" section of the Service Manager Help Server.

    Task 1. Enable required SSL encryption and trusted clients.
    Task 2. Enable CAC sign-on in the SM server.
    Task 5. Connect your web application server to the web server.
    Task 6. Configure your web application server to use SSL.
    Task 7. Configure the web server to use SSL.
    Task 8. Create operator records for CAC users
    Task 9. Configure web browsers to enable web client users to use CAC.
    Task 10. Test your CAC sign-on setup.

    Note  

    • When you perform "Task 1. Enable required SSL encryption and trusted clients" you will be referred to "Example: Enabling required SSL encryption and trusted clients" section of the Service Manager Help Center. You will need to copy the keystore files generated at Step 9 of this procedure to the WEB-INF folder in your SRC deployment or, if needed, to a folder that you plan to specify in the applicationContext.properties file.
    • Tasks 3 and 4, which are missing from the preceding list, refer to the configuration of the Service Manager Web tier and Windows client, and are not a consideration for Service Request Catalog.
    • If you choose to use CAC, make sure that you have configured SRC to use SSL and either TSO or LW-SSO (as appropriate for your environment) as described in Install Service Request Catalog (SRC).

The following tables show a summary of how your property files should be configured after you have enabled CAC:

ApplicationContext.properties
Configure these properties Comments  

 

sm.protocol=
sm.hostname=
sm.port=13443
src.trustStore=
src.trustStorePassword=
src.keyStore=
src.keyStorePassword=

Enables two-way SSL between SRC and Service Manager.

Note The keys are generated when you complete "Task 1. Enable required SSL encryption and trusted clients." See the previous note for details.

sm.protocol=https
sm.hostname=[FQDN]
sm.port=13443
src.trustStore=C:\\client\\cacerts
src.trustStorePassword=changeit
src.keyStore=C:\\client\\src.keystore
src.keyStorePassword=clientkeystore
 
src.security.mode=cac
src.security.cac=true
Enables CAC.  
src.security.secureLogin=true
src.security.sslPort=8443
Enables SSL Connection between SRC and the end user's client browser.  

 

cacConfiguration.properties
Configure these properties Comments  
certificateFieldExtractDN=Subject.CN

This parameter is used to get the field in the certificate that stores the login name. If the DN is from one of the fields in the Subject, set this parameter using the following format:

Subject.CN

Subject.CN means extracting the DN from the Common Name field in Subject.

 
validationStrategy=1

Client Certificate Verification Sequence is as follows:

  1. Check the revocation status using local CRL.
  2. Check revocation status using an online CRL.
  3. Check revocation status using OCSP.
  4. Check if the status is expired.
  5. Check if the certificate type is smart card.
 
RootCertPath=

Specifies file path to the issuer CA certificate. This is a mandatory property.

Example:

RootCertPath=C:/client/CAC/hp_ca_for_cac.cer
 
CRLRefreshScheduler=

Specifies a schedule in minutes for CRL refresh, if CRL check is enabled.

Example:

CRLRefreshScheduler=1440
 
CRLDownloadURL=

The URL that identifies the location of the CRL. If it is not specified, the CRL Distribution Point from the certificate being validated will be used.  This behavior will slow performance dramatically.

 CRLDownloadURL=http://onsitecrl.example.com/LatestCRL.crl
 
CRLStoreLocation=

Specifies the CRL file path.

 
OCSPResponderURL=

The URL that identifies the location of the OCSP responder. By default, the location of the OCSP responder is determined implicitly from the certificate being validated. This property is used when the Authority Information Access extension (defined in RFC 3280) is absent from the certificate or when it requires overriding.

OCSPResponderURL=http://ocsp.example.net:80