Plugin Single Sign On Version 1.2 Installation Guide

The following document describes the configuration and installation process of the Plugin Single Sign On version 1.2 component for BMC Remedy AR System.

TopPositions, 2010-03-29

Plug-in Single Sign On Version 1.2

Copyright @ 2009 TopPositions

CONTENTS

1 INTRODUCTION
2 WHAT IS PLUGIN SINGLE SIGN ON VERSION 1.2
3 APPLICATION
4 EQUIPMENT COMPATIBILITY
5 HOW PLUGIN SSO WORKS
6 INSTALLATION AND CONFIGURATION
6.1 Windows Authentication
6.2 ClearTrust / SiteMinder
6.3 Installation
6.4 Installation Part 1 in the server environment (ARS Platform)
6.5 Installation part II in the environment on the side of Mid-Tier server
6.6 Installation Part III SSO Authentication Service
6.7 Installation Part IV- Plugin SSO Authentication for BMC Remedy User Tool
7 TROUBLESHOOTING
7.1 SSO AREA plugin
7.2 AREA LDAP plugin
7.3 Mid-Tier SSO Plugin
7.4 SSO Authentication Service
7.5 What’s next
8 POTENTIAL ERRORS
8.1 Mid-Tier can’t find the file mt-sso.jar
8.2 Mid-Tier can’t find the file jespa-1.0.9.jar
8.3 Mid-Tier can’t find the file with the licence
8.4 Mid-Tier can’t find the configuration file mt-sso.config
8.5 Remedy SSO can’t find the Domain controller
8.6 Remedy SSO can’t log into Domain controller
8.7 SSO Authentication service doesn’t work

1 INTRODUCTION

Every company has to deal with a very common problem: users entering an incorrect password when logging in to a system or an application. Frustrated and dissatisfied users cannot remember every password they are obliged to use, which leads to many unavoidable mistakes. The only solution seems to be support from IT specialists and yet another new password. Although this helps, it does not last: changing the password does not guarantee that the new one will not be forgotten.

What is more, security policy forces users to change their passwords regularly. So as not to forget the new phrases and numbers, users write them on sticky notes and stick them onto their screens. Storing passwords this way is obviously not safe.

That is why our team of IT specialists developed an innovative system, Plugin SSO (Plugin Single Sign On). This security method is safe and gives you very easy access to BMC Remedy AR System. Plugin SSO makes the whole login process very quick and requires no user participation. Users therefore do not have to spend hours thinking about a new password and can take care of their duties.

Plugin SSO is the best solution. All the problems will disappear, as will users’ frustration and annoyance. Everyone knows that a satisfied employee is an effective employee, and effectiveness means profits. So let us help you to make a big profit.

For more information, please visit our Web site:

http://www.remedy-sso.com

2 WHAT IS PLUGIN SINGLE SIGN ON VERSION 1.2

Plugin SSO is a component that enables access to the BMC Remedy AR System without the need to log in.

Our system uses the Security Support Provider Interface (SSPI). SSPI authentication systems, used all over the world, work on Windows and give you the highest level of information security.

Plugin SSO supports a joint security policy for all passwords in the company, which makes the information stored in the BMC Remedy AR System safer.

The fact that Plugin SSO was created and tested by the best IT security specialists makes your information unavailable to unwanted audiences.

Our system is the only one in the world that guarantees support for Microsoft NT LAN Manager version 2 (NTLMv2). Moreover, NTLMv2 is recommended and used by the best IT security specialists all over the world.

NTLMv2 support is provided by the IOPLEX component.

Here you can find more information about IOPLEX:

http://www.ioplex.com

Plugin SSO is a product for BMC Remedy AR System and does not require any complex installation or configuration process.

3 APPLICATION

As a very flexible solution, Plugin SSO can be applied in various equipment and system configurations.

Plugin SSO supports:

- BMC Remedy AR System versions 7.0, 7.1, 7.5 and 7.6,
- operating systems such as Windows, Linux, Solaris and HP-UX,
- J2EE containers such as Apache Tomcat, WebLogic, WebSphere and others,
- external authentication systems such as ClearTrust and SiteMinder (they authenticate users through the “HTTP header” protocol),
- Internet browsers such as Internet Explorer and Mozilla Firefox (Mozilla Firefox requires Windows Authentication configuration),
- Java 1.5 and 1.6,
- all variants of the NTLM protocol (NTLM by default).

4 EQUIPMENT COMPATIBILITY

Automatic Plugin SSO login can be used on the following operating systems:

Solution compatibility matrix

Operating systems – Windows 2000, 2003, 2008; Sun Solaris 9.x; HP-UX 11.x; Linux 2.6.x+

BMC Action Request System – 7.0; 7.1 (MT patch 6+); 7.5 (MT patch 1+)

Plugin SSO supports many typical web security systems.

Popular products

Authentication systems – ClearTrust; SiteMinder; Quest QSJ; HTTP Basic

Plugin SSO supports Windows Authentication (NTLM v2) out of the box.

5 HOW PLUGIN SSO WORKS

Plugin SSO gives access to the Remedy AR System environment on the basis of the authentication performed when the user logged into the corporate network (Windows domain authentication).

Once correctly logged into the Windows domain, the user does not have to log in again to connect to BMC Remedy AR System.

Plugin SSO works as a plugin installed on BMC Remedy AR System and can either support Web-SSO systems or work autonomously.

This component logs users into BMC Remedy AR System automatically, through the Web browser or the BMC Remedy User application.

The following diagram shows how Plugin SSO authenticates the user by means of the Windows Authentication Protocol.

Figure: User’s authorization by Plugin SSO

In the case of a Web browser, Plugin SSO is triggered when the user opens one of the following Mid-Tier server addresses: /arsys/home, /arsys/forms, /arsys/apps.

Plugin SSO asks the user's Web browser to send the NTLM header together with the user’s data, and then checks whether this data is correct. If the user is identified by the Windows Controller, the user gains access to the BMC Remedy AR System.

The following diagram shows the user’s authentication through the Web browser.

Figure: User’s logging in by the Internet Browser

When the BMC Remedy User application is used, Plugin SSO is triggered when the application is opened. Plugin SSO is given a special ticket by the SSO Authentication Service. This service, which can run on any Windows server, is invoked after SSPI Negotiate (NTLM) authentication.

Then BMC Remedy User sends the ticket to BMC Remedy AR System. The AREA SSO plugin verifies this ticket with the SSO Authentication Service. Each ticket is generated for a particular user and for the computer from which the user is trying to connect to BMC Remedy AR System.

The following diagram shows how BMC Remedy User authenticates users.

Figure: User’s logging in by the BMC Remedy User

6 INSTALLATION AND CONFIGURATION

6.1 Windows Authentication

If you do not have an external SSO system (ClearTrust, SiteMinder, etc.) and would like Mid-Tier to authenticate users against the Windows Controller, you will need to take extra steps when installing the BMC Remedy Mid-Tier component.

Our solution works only if Apache Tomcat has been started as a standalone application. We do not support the product ServletExec, as it is not presently recommended by BMC.

6.2 ClearTrust / SiteMinder

ClearTrust and SiteMinder sessions expire after some time. For this reason the length of the session must be synchronized with the session length of the BMC Remedy Mid-Tier module. To prevent a situation in which a user is still logged into the BMC Remedy AR System but is no longer logged into the SSO module, the following steps must be taken while installing Mid-Tier:

- Configure ClearTrust or SiteMinder to protect the paths /arsys/home, /arsys/forms and /arsys/apps.
- Set the Mid-Tier session length one minute shorter than the session in ClearTrust or SiteMinder.

6.3 Installation

The installation consists of two parts. It involves the ARS Server (ITSM) and also the MidTier module. The first two parts are obligatory. The installation pack contains 3 directories: mt, ars and rut. The first directory contains the files required for the installation on the MidTier server.

The third one contains the files needed when SSO authentication is performed by BMC Remedy User.

6.4 Installation Part 1 in the server environment (ARS Platform)

All the files needed for this part of the installation can be found in the ars directory.

Copying files to the AR System

1. Copy the areasso.dll/areasso.so file to the working directory of the ARS server (the same directory that contains the file arserver.exe).

2. Copy the area-sso.cfg/area-sso.conf file to the directory containing ar.cfg/ar.conf (e.g. c:\program files\AR Server\conf).

Checking whether the AR External Authentication (AREA) is switched on

In order to do that you need to:

- Log into the BMC Remedy User Tool.
- Open the AR System Administration Console.
- Open System->General->Server Information.
- Open the EA tab.
- Make sure RPC 390695 is selected.
- Make sure Cross Reference Blank Password is marked.
- Save any changes.

The following picture presents how to configure AR External Authentication.

You need to make sure that AREAHUB has been installed and started. To check this, examine the file ar.cfg/ar.conf or use the BMC Remedy User Tool.

To do it you need to:

- Log into Remedy with the administration account using the BMC Remedy User Tool.
- Find the form Configuration ARDBC.
- In the list, find the value areahub.

The picture illustrates the way of searching for areahub.

If the list contains the proper record, AREA-HUB has been correctly installed.

The picture illustrates the search result when areahub has been correctly installed.

If AREAHUB has not been installed, you will have to install it by making the appropriate entries in the file ar.cfg/ar.conf:

Windows

Plugin: areahub.dll

Solaris/Linux

Plugin: areahub.so

To verify that the AREAHUB plugin works properly, restart the BMC Remedy AR System service. After the restart, the plugin log file should contain the following entry (if the log file is large, search it for the value ARSYS.AREA.HUB):

To turn on Plugin Server logging, see the chapter Turning on of the Plugin Server logging.

AREAHUB configuration for Plugin AREA SSO usage

To activate the AREA SSO plugin, add the following entries to the ar.cfg/ar.conf file (this configuration uses additional authentication based on LDAP):

Plugin: areahub.dll
AREA-Hub-Plugin: areasso.dll
AREA-Hub-Plugin: arealdap.dll

Configuration using authentication against the User form:

Plugin: areahub.dll
AREA-Hub-Plugin: areasso.dll

AREA SSO plugin configuration in the area-sso.cfg/area-sso.conf file

Change the following entries in the area-sso.cfg/area-sso.conf file.

Parameter – Description

MidTier-Enabled – If users will connect to BMC Remedy AR System through a Web browser, this parameter should be “enabled”.
    For example: MidTier-Enabled: Enabled

MidTier-IP – Addresses of the Mid-Tier servers through which users will be authenticated.
    For example: MidTier-IP: 127.0.0.1;192.168.21.2

New-MidTier-Shared-Key – Shared key password, identical to the one configured in the second part of the installation guide. The password is encoded in the area-sso.cfg/area-sso.conf file after BMC Remedy AR System is restarted.
    For example: New-MidTier-Shared-Key: <password>

RUT-Enabled – If users will connect to the BMC Remedy AR System through BMC Remedy User, this parameter should be “enabled”.
    For example: RUT-Enabled: Enabled

AuthService-IP – IP address of the SSO Authentication Service. This parameter should be set if “RUT-Enabled” is set to Enabled.
    For example: AuthService-IP: 127.0.0.1

AuthService-Port – TCP port on which the SSO Authentication Service works. The default value is port 11000.
    For example: AuthService-Port: 12000
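The dependencies between these entries can be checked before the AR System service is restarted. The following Python script is an added example, not part of the Plugin SSO package; it assumes that `#` starts a comment line and that the plaintext New-MidTier-Shared-Key entry is no longer present once the server has encoded the key, and its sample file is constructed.

```python
"""Consistency check for area-sso.cfg / area-sso.conf (added example).

Parameter names and the "Name: value" syntax are taken from the table above.
Assumptions: '#' starts a comment line, and the plaintext
New-MidTier-Shared-Key entry is gone once the server has encoded the key.
"""
import ipaddress

DEFAULT_AUTH_PORT = "11000"  # default AuthService-Port stated in the guide

# Constructed sample with several mistakes; not from a real installation.
SAMPLE = """\
# area-sso.conf
MidTier-Enabled: Enabled
MidTier-IP: 127.0.0.1;192.168.21.2;midtier01
New-MidTier-Shared-Key: <password>
RUT-Enabled: Enabled
AuthService-Port: 120000
"""


def parse_conf(text):
    """Return {name: value} for every 'Name: value' line (last one wins)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        conf[name.strip()] = value.strip()
    return conf


def invalid_ips(value):
    """Entries of a ';'-separated list that are not literal IP addresses."""
    bad = []
    for item in filter(None, (part.strip() for part in value.split(";"))):
        try:
            ipaddress.ip_address(item)
        except ValueError:
            bad.append(item)
    return bad


def audit(text):
    """Return (code, message) findings; an empty list means consistent."""
    conf = parse_conf(text)
    findings = []

    def enabled(name):
        return conf.get(name, "").lower() == "enabled"

    if not (enabled("MidTier-Enabled") or enabled("RUT-Enabled")):
        findings.append(("NOTHING_ENABLED",
                         "neither MidTier-Enabled nor RUT-Enabled is Enabled"))

    # Browser logins: the plugin needs the list of Mid-Tier addresses.
    if enabled("MidTier-Enabled"):
        ips = conf.get("MidTier-IP", "")
        if not ips or invalid_ips(ips):
            findings.append(("MIDTIER_IP",
                             f"MidTier-IP missing or invalid: {invalid_ips(ips)}"))

    # The guide says the key is encoded after a restart; a readable value
    # means the restart has not happened or the template was never edited.
    key = conf.get("New-MidTier-Shared-Key")
    if key in ("", "<password>"):
        findings.append(("SHARED_KEY_PLACEHOLDER",
                         "New-MidTier-Shared-Key was never filled in"))
    elif key is not None:
        findings.append(("SHARED_KEY_PLAINTEXT",
                         "plaintext shared key on disk; restart AR System"))

    # BMC Remedy User logins: tickets are verified with the SSO service.
    if enabled("RUT-Enabled"):
        svc = conf.get("AuthService-IP", "")
        if not svc or invalid_ips(svc):
            findings.append(("AUTHSERVICE_IP",
                             "RUT-Enabled needs a valid AuthService-IP"))
        port = conf.get("AuthService-Port", DEFAULT_AUTH_PORT)
        if not port.isdecimal() or not 1 <= int(port) <= 65535:
            findings.append(("AUTHSERVICE_PORT",
                             f"AuthService-Port is not a TCP port: {port}"))

    return findings


if __name__ == "__main__":
    for code, message in audit(SAMPLE):
        print(f"{code}: {message}")
```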

Configuration of the AREA LDAP plugin

If the BMC AREA LDAP plugin is used, with the data about users stored in LDAP or in Active Directory, you will need to follow the instructions in the following chapter. If the data about users is stored in the User form within AR System, go straight to the chapter Turning on of the Plugin Server logging.

Once you have made sure that the AREAHUB plugin has been properly installed, the next step is to configure the BMC AREA LDAP plugin, or to check that it has been properly installed and configured.

The installation and configuration details can be found in the BMC AR System documents:

- BMC Remedy Action Request System 7.0 Integrating with Plugins and Third-Party Products, http://www.bmc.com/supportu/documents/84/67/58467/58467.pdf, page 163
- BMC Remedy Action Request System 7.1.00 Integrating with Plugins and Third-Party Products, http://www.bmc.com/supportu/documents/93/94/69394/69394.pdf, page 133
- BMC Remedy Action Request System 7.5.00 Integration Guide, http://www.bmc.com/supportu/documents/53/80/95380/95380.pdf, page 143

To verify that the BMC AREA LDAP plugin configuration is appropriate, open the AREA LDAP Configuration form and check that the data entered into the form is correct:

The picture illustrates a model BMC AREA LDAP plugin configuration.

Turning on of the Plugin Server logging

To verify that the Remedy SSO plugin works properly, turn on Plug-In Server logging: as an authorized ARS user, open the Server Information module and, on the Log Files tab, select All as the Plugin Log Level.

The picture illustrates the way of configuring logging of the Plugin Server.

6.5 Installation part II in the environment on the side of Mid-Tier server

All the files used in this part of the installation can be found in the mt directory.

Java SDK Environment

First check that the Java SDK has been installed on the server. An installation of the Java JRE is not sufficient for the correct functioning of the system.

Copying and changes of the files

1. Patch the file web.xml of the Mid-Tier server with the contents of the file web.xml.patch. The contents of the patch must be copied into the file Mid-Tier\WEB-INF\web.xml between the last </filter> entry and the first <filter-mapping> entry.

2. Copy the mt-sso.jar file to the Mid-Tier\WEB-INF\lib directory.

3. Copy the jespa-1.0.9.jar file to the Mid-Tier\WEB-INF\lib directory.

4. Copy the bcprov-jdk15-144.jar file to the Mid-Tier\WEB-INF\lib directory.

5. Copy the mt-sso.config file to the Mid-Tier\WEB-INF\classes directory.

6. Copy the mt-sso.license file to the Mid-Tier\WEB-INF\classes directory.

7. Copy the whole sso directory to the Mid-Tier\shared directory.

8. After making all the above changes, restart the Mid-Tier server.
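The placement rule in step 1 can be applied and verified with a short script. This Python code is an added example and not part of the installation pack: the filter name and class in PATCH are placeholders, because the contents of web.xml.patch are not reproduced in this guide, and it assumes the patch carries a `<filter>` together with its `<filter-mapping>`, so that the placement makes the new mapping the first one in the file.

```python
"""Insert a web.xml patch at the position step 1 describes (added example).

PATCH is a constructed placeholder: the real web.xml.patch ships in the
mt directory and is not reproduced in this guide.
"""
import re
import xml.etree.ElementTree as ET

FILTER_END = "</filter>"
MAPPING_START = re.compile(r"<filter-mapping\b")
FILTER_NAME = re.compile(r"<filter-name>\s*([^<\s]+)\s*</filter-name>")

# Constructed stand-in for the Mid-Tier WEB-INF/web.xml file.
WEB_XML = """\
<web-app>
  <filter>
    <filter-name>ExistingFilter</filter-name>
    <filter-class>example.ExistingFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>ExistingFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
</web-app>
"""

# Constructed placeholder patch (hypothetical names).
PATCH = """\
  <filter>
    <filter-name>ExampleSsoFilter</filter-name>
    <filter-class>example.PlaceholderSsoFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>ExampleSsoFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
"""


def apply_patch(web_xml, patch):
    """Insert patch between the last </filter> and the first <filter-mapping>."""
    if set(FILTER_NAME.findall(patch)) & set(FILTER_NAME.findall(web_xml)):
        return web_xml  # a filter from the patch is already declared
    last_filter = web_xml.rfind(FILTER_END)
    first_mapping = MAPPING_START.search(web_xml)
    if last_filter == -1 or first_mapping is None:
        raise ValueError("no <filter> / <filter-mapping> entries to anchor on")
    insert_at = last_filter + len(FILTER_END)
    if insert_at > first_mapping.start():
        # Filters and mappings are interleaved: the rule is ambiguous here.
        raise ValueError("a <filter-mapping> precedes the last </filter>")
    patched = web_xml[:insert_at] + "\n" + patch.strip("\n") + web_xml[insert_at:]
    ET.fromstring(patched)  # raises ParseError if the result is not well formed
    return patched


def _local(tag):
    """Element name without an XML namespace prefix."""
    return tag.rsplit("}", 1)[-1]


def mapping_order(web_xml):
    """Filter names in <filter-mapping> order, the order url-pattern filters run."""
    order = []
    for elem in ET.fromstring(web_xml).iter():
        if _local(elem.tag) == "filter-mapping":
            order += [c.text.strip() for c in elem if _local(c.tag) == "filter-name"]
    return order


if __name__ == "__main__":
    result = apply_patch(WEB_XML, PATCH)
    print(result)
    print("mapping order:", mapping_order(result))
```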

Creating service account for NETLOGON communication

If the authentication is to take place in the Windows Controller, you need to create a service account in Active Directory. Otherwise you can move on to the next point, Configuration of the MidTier SSO plugin via http website.

To create the service account in Active Directory, use the tool called Active Directory Users and Computers (ADUC). The NETLOGON service requires the account to be of the Computer type (a regular user’s account will not work). We recommend entering the same value, using letters, digits and underscores (without spaces), in the fields "Computer name" (cn) and "pre-Windows 2000 name" (sAMAccountName).

The created service account has its own DN, which has to be used to change the password in the next step.

E.g.: if the account has been called REMEDY and the name of the domain in which the account has been created is example.com, the DN for this account will be:

CN=REMEDY,CN=Computers,DC=example,DC=com

Change of a password to the service account

A password to the service account must be entered in the MidTier SSO Plugin configuration. The password can be changed only with the Microsoft tools or with the help of the script attached to the installation pack:

    'SetComputerPass.vbs
    Option Explicit
    Dim strDn, objPassword, strPassword, objComputer

    ' Exactly one argument is expected: the DN of the computer account
    If WScript.Arguments.Count <> 1 Then
        WScript.Echo "Usage: SetComputerPass.vbs <ComputerDN>"
        WScript.Quit
    End If

    strDn = WScript.Arguments.Item(0)

    ' Read the password without echoing it to the console
    Set objPassword = CreateObject("ScriptPW.Password")
    WScript.StdOut.Write "Password:"
    strPassword = objPassword.GetPassword()

    ' Bind to the account over LDAP and set its password
    Set objComputer = GetObject("LDAP://" & strDn)
    objComputer.SetPassword strPassword

    WScript.Echo
    WScript.Echo "Password set on " & strDn
    WScript.Quit

The above script should be run from a workstation that has rights to the Active Directory.

The following example demonstrates how to change the password for the account CN=REMEDY,CN=Computers,DC=example,DC=com:

    C:\>cscript SetComputerPass.vbs CN=REMEDY,CN=Computers,DC=example,DC=com
    Password: **********

Configuration of the MidTier SSO plugin via http website

In order to configure the MidTier SSO Plugin you need to:

1. Open the website of the configuration tool in your internet browser:

http://path-to-midtier/arsys/shared/sso/config.jsp

2. Log into the administration panel using a password.

3. The default password for the administration panel is “password”.

4. Select General Settings.

The MidTier SSO configuration tool contains the following section:

Core Configuration

Parameter – Description

Turn On/Off – Turns the MidTier SSO plugin on or off.

Shared Key – In this field you should enter the same password as the one defined on the ARS Server side (SharedKey).

SSO Log Level – Log level of the MidTier SSO plugin. Possible values:
    Info – information about configuration
    Trace – information about users logging into the system
    Debug – debugging information
    All – all the information

Username conversion – Username conversion. Possible values:
    To Upper case – changes all the letters in the username into upper case ones.
        For example: [email protected]
    To Lower case – changes all the letters in the username into lower case ones.
        For example: [email protected]

HTTP header(s) containing username – If the external SSO system sends the username in a specific HTTP header, enter the name of this header in this field. Otherwise this field should remain empty.

Windows Authentication Configuration

When user authentication is to take place in the Windows Controller, you need to fill in the following fields. Otherwise, restart the Mid-Tier module; the installation of the Mid-Tier SSO Plugin is then complete.

Parameter – Description

Active Directory domain – Name of the domain against which users will be authenticated; it must be entered in full format.
    For example: example.com

NTLM log level – NTLM protocol log level. Possible values:
    None – no logging
    Critical – critical errors
    Basic – basic information
    Detailed – detailed information
    Debugging – all the information

Computer Account – Name of the account created in the point Creating service account for NETLOGON communication.
    For example: [email protected]*
    *It is necessary to type $ after the username.

Computer Password – Password to the account (Computer Account) changed in the point Change of a password to the service account.

Canonical Account Name – Format of the username logged into the Remedy system. Possible values:
    Username – only the username.
        For example: abaker
    Backslash – username + domain name separated by the symbol ‘\’.
        For example: EXAMPLE\abaker
    Principal – username + full domain name separated by the symbol ‘@’.
        For example: [email protected]

Save the changes and then restart the MidTier application.

Configuration of the Remedy SSO solution by editing the file mt-sso.config

To configure the MidTier SSO plugin manually, edit the mt-sso.config file, which can be found in the Midtier\WEB-INF\classes directory.

Core Configuration

Parameter – Description

remedy.sso.status – Turns the Remedy SSO plugin on or off. Possible values: on/off

remedy.sso.username.case – Username conversion. Possible values:
    upper – changes all the letters in the username into upper case ones.
        For example: [email protected]
    lower – changes all the letters in the username into lower case ones.
        For example: [email protected]

remedy.sso.http.header – If the external SSO system sends the username in a specific HTTP header, enter the name of this header in this field. Otherwise this field should remain empty.

remedy.sso.new.sharedKey – The password that has been defined on the ARS server side (SharedKey). After the Mid-Tier service is restarted, the password will be hashed and saved in the configuration file in the parameter remedy.sso.sharedKey.

remedy.sso.loglevel – Remedy SSO log level. Possible values:
    Info – information about configuration
    Trace – information about users logging into the system
    Debug – debugging information
    All – all the information

Windows Authentication Configuration

Parameter – Description

jespa.bindstr – Name of the domain against which users will be authenticated; it must be entered in full format.
    For example: example.com

jespa.log.level – NTLM protocol log level. Possible values:
    0 – no logging
    1 – critical errors
    2 – basic information
    3 – detailed information
    4+ – all the information

jespa.service.acctname – Name of the account created in the point Creating service account for NETLOGON communication.
    For example: [email protected]*
    *It is necessary to type $ after the username.

jespa.service.new.password – Password to the account (Computer Account) changed in the point Change of a password to the service account. After the Mid-Tier service is restarted, the password should be hashed and saved in the configuration file in the parameter jespa.service.password.

jespa.account.canonicalForm – Format of the username logged into Remedy AR System. Possible values:
    2 – only the username.
        For example: abaker
    3 – username + domain name separated by the symbol ‘\’.
        For example: EXAMPLE\abaker
    4 – username + full domain name separated by the symbol ‘@’.
        For example: [email protected]

Save the changes and then restart the MidTier application.

Additional options for Windows Authentication can be used in the file. More details can be found in the technical documentation for the Jespa module:

Jespa Operator's Manual

6.6 Installation Part III SSO Authentication Service

All the files used in this part of the installation can be found in the rut directory.

If automatic login is not required for the BMC Remedy User Tool application, skip the rest of this chapter.

The SSO Authentication Service is a service that runs on a Windows server. It identifies users in the Windows controller through the SSPI Negotiate interface (NTLM protocol).

This service may be run on any Windows server that is connected to the domain.

Running the installer

1. Run setup.exe on the server where the SSO Authentication Service will be installed (you must be logged in with the administrator’s account).

2. If Microsoft .NET Framework 3.5 is not present on the server, its installer will run automatically.

3. Choose Next on the first screen.

4. Accept the license by selecting the checkbox “YES – I accept the terms of the License Agreement”, and then click Next.

5. Choose the directory where the SSO Authentication Service will be installed, and then click Next.

6. Choose SSO Authentication Service from the list and remove SSO Authentication plugin from the selection, then click Next.

7. Type the TCP port number used by the SSO Authentication Service (the port must not be used by any other service), then click Next.

8. Choose the format of the username logged into Remedy AR System, then click Next.

In Canonical Account Name you can choose between the following:

    Username – only the username.
        For example: abaker
    Backslash – username + domain name separated by the symbol ‘\’.
        For example: EXAMPLE\abaker
    Principal – username + full domain name separated by the symbol ‘@’.
        For example: [email protected]

In the UserName Conversion area you can choose between the following:

    Upper – changes all the letters in the username into upper case ones.
        For example: [email protected]
    Lower – changes all the letters in the username into lower case ones.
        For example: [email protected]

9. Give the location of the BMC Remedy AR System to which users will be automatically logged in. If the field is left empty, configuration will be necessary on each user’s workstation. Then choose Next.

10. Continue the installation by choosing Next.

11. Installation completed. Choose Finish to close the installer.

6.7 Installation Part IV- Plugin SSO Authentication for BMC Remedy User Tool

All the files used in this part of the installation can be found in the rut directory.

If you want automatic Single Sign On login in BMC Remedy User to work on the end user’s workstation, install the SSO Authentication plugin.

Running the installer

1. Run setup.exe on the workstation where the SSO Authentication Plugin will be installed.

2. If Microsoft .NET Framework 3.5 is not present on the workstation, its installer will run automatically.

3. Choose Next on the first screen.

4. Accept the license by selecting the checkbox “YES – I accept the terms of the License Agreement”, and then click Next.

5. Choose the directory where the SSO Authentication Plugin will be installed, and then click Next.

6. Choose SSO Authentication Plugin from the list and remove SSO Authentication Service from the selection, then click Next.

7. Give the location of the SSO Authentication Service through which users will be automatically logged in. Then choose Next.

8. Continue the installation by choosing Next.

9. Installation completed. Choose Finish to close the installer.

10. To verify that the installation completed successfully, open the BMC Remedy User application and check whether the user was automatically logged into BMC Remedy AR System.

7 TROUBLESHOOTING

If during the installation you encounter a problem that cannot be solved, take the following steps to enable us to diagnose the problem.

7.1 SSO AREA plugin

To begin diagnosing the problem, verify that the SSO AREA plugin has been correctly installed and configured.

Mid-Tier IP address

First check that the Mid-Tier IP address in the file area-sso.cfg/area-sso.conf has been correctly configured.

Shared-Key

Then verify that the shared key has been correctly configured.

To do that, start the BMC Remedy User tool on the server on which Mid-Tier is installed. Enter your Active Directory login in the field ‘username’ and leave the field ‘password’ empty. In the field ‘authentication’, enter the shared key that was configured during installation. If you manage to log into the system, the SSO AREA plugin has been properly installed and configured. Otherwise, set the correct shared key again in the file area-sso.cfg/area-sso.conf.

7.2 AREA LDAP plugin

If the AREA LDAP plugin is not used to authorize users in Active Directory, move on to the next step.

Otherwise, start BMC Remedy User. Enter your Active Directory login in the field ‘username’ and your domain password in the field ‘password’. If you manage to log in, the AREA LDAP plugin has been properly installed and configured. Otherwise, check the configuration of the AREA LDAP plugin in the form AREA LDAP Configuration.

7.3 Mid-Tier SSO Plugin

If the SSO AREA plugin works properly, the next step is to check that the plugin on the Mid-Tier side has been correctly installed.

MT-SSO.jar

First, check that the file MT-SSO.jar has been correctly installed: it must be present in the directory Mid-Tier/WEB-INF/lib.


mt-sso.config

Next, check that the file mt-sso.config has been correctly installed: it must be present in the directory Mid-Tier/WEB-INF/classes.

mt-sso.license

Then check that the file mt-sso.license has been correctly installed: it must be present in the directory Mid-Tier/WEB-INF/classes.

MidTier SSO Plugin Configuration

To verify that the MidTier SSO plugin has been correctly configured, open the website of the Configuration tool:

http://mid-tier hostname/arsys/shared/sso/config.jsp.

After logging in, verify that:

- a correct licence has been installed
- Remedy SSO plugin has been turned on
- Windows Controller data have been entered correctly (if the controller is used for users’ authentication)

7.4 SSO Authentication Service

If the SSO Auth Service doesn’t work, check the EventLog entries (on the server on which it was installed).

7.5 What’s next

If the problem continues, send an email to our support department that includes the following information:

- the AR Server plugin log file (with the Plugin-Log-Level set to 100) containing a user’s login attempt made with BMC Remedy User using the shared-key;
- the files ar.cfg and area-sso.cfg from AR Server, and the file mt-sso.config from Mid-Tier;
- the file web.xml from the Mid-Tier server;
- log files from the servlet engine on which Mid-Tier has been installed;
- version numbers of the ARS server and Mid-Tier, together with patch numbers;
- name and version number of the servlet engine;
- EventLog entries for SSO Auth Service.


8 POTENTIAL ERRORS

The following errors may occur during installation:

8.1 Mid-Tier can’t find the file mt-sso.jar

If you forgot to copy the file mt-sso.jar during installation, the Tomcat server logs should contain the following error report:

    java.lang.ClassNotFoundException: remedy.sso.midtier.jespa.filters.SSOHttpFilter
        at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1362)
        at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1208)
        at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:207)
        at org.apache.catalina.core.ApplicationFilterConfig.setFilterDef(ApplicationFilterConfig.java:302)
        at org.apache.catalina.core.ApplicationFilterConfig.<init>(ApplicationFilterConfig.java:78)

8.2 Mid-Tier can’t find the file jespa-1.0.9.jar

If you forgot to copy the file jespa-1.0.9.jar during installation, the Tomcat server logs should contain the following error report:

    java.lang.NoClassDefFoundError: jespa/http/HttpSecurityService
        at java.lang.ClassLoader.defineClass1(Native Method)
        at java.lang.ClassLoader.defineClass(Unknown Source)
        at java.security.SecureClassLoader.defineClass(Unknown Source)
        at org.apache.catalina.loader.WebappClassLoader.findClassInternal(WebappClassLoader.java:1852)
        at org.apache.catalina.loader.WebappClassLoader.findClass(WebappClassLoader.java:876)

8.3 Mid-Tier can’t find the file with the licence

If you forgot to copy the file mt-sso.license during installation, the Tomcat server logs should contain the following error report:

    15:14:51,942 Remedy Single Sign ON ERROR (lic.LicenseManager:loadLicence:?) - Licence file: /mt-sso.license not found
    - Licence file: /mt-sso.license not found
    15:14:51,942 Remedy Single Sign ON WARN (lic.LicenseManager:validateLicense:?) - License not loaded
    - License not loaded
    15:14:51,942 Remedy Single Sign ON ERROR (filters.SSOHttpFilter:init:?) - License not loaded

8.4 Mid-Tier can’t find the configuration file mt-sso.config

If you forgot to copy the file mt-sso.config during installation, the Tomcat server logs should contain the following error report:

    15:33:20,317 Remedy Single Sign ON ERROR (filters.SSOHttpFilter:init:?) - Failed to load config file!


8.5 Plugin SSO can’t find the Domain controller

If you entered the domain name incorrectly in the field Active Directory domain during installation, the Tomcat server logs should contain the following error report:

    java.net.PortUnreachableException: ICMP Port Unreachable
        at java.net.PlainDatagramSocketImpl.receive0(Native Method)
        at java.net.PlainDatagramSocketImpl.receive(Unknown Source)
        at java.net.DatagramSocket.receive(Unknown Source)
        at com.sun.jndi.dns.DnsClient.doUdpQuery(Unknown Source)
        at com.sun.jndi.dns.DnsClient.query(Unknown Source)
        at com.sun.jndi.dns.Resolver.query(Unknown Source)

8.6 Plugin SSO can’t log into Domain controller

If you entered the name of a service account or its password incorrectly, in the field Active Directory domain, during configuration, the Tomcat server logs should contain the following error report:

    jcifs.smb.SmbAuthException: Logon failure: unknown user name or bad password.
        at jcifs.smb.SmbTransport.checkStatus(Unknown Source)
        at jcifs.smb.SmbTransport.send(Unknown Source)
        at jcifs.smb.SmbSession.sessionSetup(Unknown Source)
        at jcifs.smb.SmbSession.send(Unknown Source)
        at jcifs.smb.SmbTree.treeConnect(Unknown Source)

8.7 SSO Authentication service doesn’t work

The TCP port is probably in use by another service. Change the port number (SSO Auth Service should be installed again).
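The checks in section 7.3 and the error reports in section 8 can be run mechanically before contacting support. The following Python script is an added example, not part of the plug-in or of the original guide; the function names are hypothetical, the sample log is constructed from the lines quoted in section 8, and each report is paired with its section by the file or class it names.

```python
import re
from pathlib import Path

# Signatures copied from the error reports in section 8; each maps to the
# section that explains it and the file or setting to check.
SIGNATURES = [
    (r"ClassNotFoundException: remedy\.sso\.midtier\.jespa\.filters\.SSOHttpFilter",
     "8.1", "mt-sso.jar missing from Mid-Tier/WEB-INF/lib"),
    (r"NoClassDefFoundError: jespa/http/HttpSecurityService",
     "8.2", "jespa-1.0.9.jar was not copied"),
    (r"Licence file: \S+ not found|License not loaded",
     "8.3", "mt-sso.license missing from Mid-Tier/WEB-INF/classes"),
    (r"Failed to load config file",
     "8.4", "mt-sso.config missing from Mid-Tier/WEB-INF/classes"),
    (r"PortUnreachableException: ICMP Port Unreachable",
     "8.5", "Active Directory domain name entered incorrectly"),
    (r"SmbAuthException: Logon failure",
     "8.6", "service account name or password entered incorrectly"),
]

# Files whose location section 7.3 states, relative to the Mid-Tier web app root.
EXPECTED_FILES = ["WEB-INF/lib/MT-SSO.jar",
                  "WEB-INF/classes/mt-sso.config",
                  "WEB-INF/classes/mt-sso.license"]

def triage_log(text):
    """Return (section, cause) pairs for each signature found, in section order."""
    # The log wraps long messages, so collapse whitespace before matching.
    flat = re.sub(r"\s+", " ", text)
    return [(sec, cause) for pat, sec, cause in SIGNATURES if re.search(pat, flat)]

def missing_files(midtier_root):
    """Return expected files absent from the web app, compared case-insensitively."""
    root = Path(midtier_root)
    present = {p.relative_to(root).as_posix().lower()
               for p in root.rglob("*") if p.is_file()}
    return [f for f in EXPECTED_FILES if f.lower() not in present]

# Constructed sample built from the lines quoted in section 8.
SAMPLE_LOG = """15:14:51,942 Remedy Single Sign ON ERROR (lic.LicenseManager:loadLicence:?) - Licence
file: /mt-sso.license not found
15:14:51,942 Remedy Single Sign ON ERROR (filters.SSOHttpFilter:init:?) - License not
loaded
jcifs.smb.SmbAuthException: Logon failure: unknown user name or bad password.
    at jcifs.smb.SmbTransport.checkStatus(Unknown Source)"""

if __name__ == "__main__":
    for section, cause in triage_log(SAMPLE_LOG):
        print(f"section {section}: {cause}")
```

File names are compared case-insensitively because the guide writes the JAR as both MT-SSO.jar (section 7.3) and mt-sso.jar (section 8.1).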