Configure a One-Time Authentication Token

The one-time authentication token is an additional means for the user to access CMS UI by a direct link (a URL with parameters). With such a URL, the user does not need to enter credentials. The advantages of this method are:

  • The URL does not contain user credentials.
  • The URL is for one-time use only (after initial use, the URL cannot be used again).

Note You must have administrator rights in order to generate an authentication token for another user.

To configure and use the one-time authentication token:

  1. Create a URL for obtaining the one-time authentication token as follows:

    http://<server-name>:<port>/ucmdb-browser/generate-authentication-token.jsp?username=<your_user_name>&password=<your-encrypted_password>&server=<ucmdb-server>&logged-in-user=<logged_in_user_name>

    where the parameters server and logged-in-user are optional.

    The following is an example of a URL for obtaining a one-time authentication token:

    http://server-name:8088/ucmdb-browser/generate-authentication-token.jsp?username=johndoe&password=12345678&server=ucmdb-server

    To generate the encrypted password:

    1. Go to JMX console > UCMDB-UI:name=UCMDB Integration > getEncryptedPasswordForURL.
    2. In the user name field, enter the user name.
    3. In the password field, enter the user's password.
    4. Click Invoke.

    Note  

    • Parameter names are case sensitive and should be used exactly as they appear in this documentation.
    • When an optional parameter (such as server) is omitted, the first server from the configuration is used.
    • The server name in the [server] parameter should be taken from one of the <host_name> fields in the CMS UI configuration file. If the [server] parameter is defined but its value does not correspond to any of the values of the <host_name> field in the CMS UI configuration file, the authentication token is not generated.

    • When you want to access CMS UI in a multi-customer environment, the following URL should be used:

      http://<server-name>:<port>/ucmdb-browser/generate-authentication-token.jsp?username=<your_user_name>&password=<your-encrypted_password>&server=<ucmdb-server>&customer-id=<id>&logged-in-user=<logged_in_user_name>

  2. Execute the URL prepared in the previous step. After successful execution, the Authentication-Token field in the HTTP response header contains the authentication token value created for the parameters you entered in the previous step. The token is returned in an HTTP header field to strengthen security.

    Note  

    • The response http-header fields can be viewed by using any external request interceptor (such as Fiddler) or tools embedded into a web browser (for example, in Chrome: Developer Tools > Network tab).
    • If the credentials provided in the previous step are not valid, the authentication-token field is empty or not present at all.

  3. Build the URL for the CMS UI by using the parameter authentication-token and the token value obtained in the previous step. For example:

    http://server-name:8088/ucmdb-browser/?authentication-token=<token-value>

    where token-value is the authentication token string obtained in the previous step.

    After executing the URL, you are redirected to the CMS UI without having to enter user credentials.

Important For the one-time authentication token to work, you need to enable the LW-SSO framework. To do this, in the ucmdb_browser_lwsso_config.xml file, make sure that the values of enableLWSSOFramework, enableCookieCreation, and enableAutoCookieCreation are set to true.

<?xml version="1.0" encoding="UTF-8"?>
<lwsso-config
        xmlns="http://www.hp.com/astsecurity/idmenablmentfw/lwsso/2.0">
    <enableLWSSO enableLWSSOFramework="true" enableCookieCreation="true" enableAutoCookieCreation="true" cookieCreationType="LWSSO" enableSAML2Support="false"/>
    <!-- The other elements of the file stay as they are. -->
</lwsso-config>

Note After restarting the server of the CMS UI, all prepared authentication tokens are no longer valid.
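
Steps 1 to 3 of the procedure above as a Python script, added here as an example and not part of the product documentation: it builds the token-generation URL, reads the Authentication-Token response header, and builds the single-use CMS UI URL. The function names and the `base` argument are this example's own; the sample values come from the example URL above.

```python
import urllib.request
from urllib.parse import urlencode

TOKEN_PAGE = "/ucmdb-browser/generate-authentication-token.jsp"
UI_PAGE = "/ucmdb-browser/"


def token_request_url(base, username, encrypted_password,
                      server=None, customer_id=None, logged_in_user=None):
    """Step 1: build the token-generation URL (parameter names are case sensitive)."""
    params = [("username", username), ("password", encrypted_password)]
    # Optional parameters are left out of the query string when not supplied.
    for name, value in (("server", server), ("customer-id", customer_id),
                        ("logged-in-user", logged_in_user)):
        if value is not None:
            params.append((name, str(value)))
    return base.rstrip("/") + TOKEN_PAGE + "?" + urlencode(params)


def token_from_headers(headers):
    """Step 2: read Authentication-Token; an empty or missing field means no token."""
    for name, value in headers.items():
        if name.lower() == "authentication-token" and value.strip():
            return value.strip()
    raise ValueError("no authentication token returned; check credentials and server name")


def ui_url(base, token):
    """Step 3: build the single-use CMS UI URL from the token value."""
    return base.rstrip("/") + UI_PAGE + "?" + urlencode({"authentication-token": token})


def fetch_ui_url(base, username, encrypted_password, **optional):
    """Run steps 1 to 3 against a live CMS UI server (needs network access)."""
    url = token_request_url(base, username, encrypted_password, **optional)
    with urllib.request.urlopen(url, timeout=10) as resp:
        return ui_url(base, token_from_headers(resp.headers))


if __name__ == "__main__":
    # Constructed sample values, matching the example URL in step 1.
    print(token_request_url("http://server-name:8088", "johndoe", "12345678",
                            server="ucmdb-server"))
```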