Single Sign On Plugin: Remote installation pre-requisites


  • SSO Plugin Troubleshooting SSO Plugin - BMC AR System & Mid Tier

    J System Solutions http://www.javasystemsolutions.com

  • JSS SSO Plugin Troubleshooting

    Introduction
    Common investigation methods
    Log files
    Fiddler
    Download Fiddler
    Installing Fiddler
    Configure the browser to use Fiddler
    Starting Fiddler
    HTTPS Traffic
    Verifying Service Principal Names (SPNs)
    The setspn utility
    See accounts that are set to which SPN
    Duplicate SPNs
    Removing an SPN
    Understanding logging in BMC AR System
    Troubleshooting in BMC AR System
    Troubleshooting in HP Service Manager
    Frequently asked questions
    Appendix A: Acronyms, Abbreviations & Definitions

  • Page 3 of 24

    http://www.javasystemsolutions.com

    Introduction

    This document provides a list of troubleshooting methods used with the JSS products, along with the steps to resolve the most common issues customers face.

    If there are any questions, do not hesitate to contact JSS support.

    mailto:support@javasystemsolutions.com


    Common investigation methods

    The following section describes the common tasks used to diagnose any issues with SSO Plugin.

    Log files

    This section describes the common log files used within SSO Plugin and how to enable them.

    Product: BMC AR System AREA plugin

    Description: The SSO Plugin AREA module writes to this file.

    Purpose: Verification that the SSO Plugin AREA module has loaded and been configured correctly. This file is created on AR Server start-up, AR System configuration changes and on every authentication attempt.

    Default location:
    Windows - C:\Program Files\BMC Software\ServerName\Arserver\db
    UNIX/Linux - /opt/bmc/ARSystem/db

    How to enable:
    Log in to the application as an administrative user
    Open the AR System Administration Console
    Click System from the navigation pane
    Click General
    Click Server Information
    Click Log Files tab
    Click the Plug-in Server checkbox
    Make a note of the Plug-in log file name
    Select ALL from the Plug-in Log Level drop down
    Click Apply


    Product: Apache Tomcat

    Description: The SSO Plugin Mid Tier module writes to this file.

    Purpose: Verification that the SSO Plugin Mid Tier module has loaded and been configured correctly. This file is written to on Mid Tier start-up, SSO Plugin configuration changes and all Mid Tier authentication requests.

    Default location:
    Windows - C:\Program Files\Apache Software Foundation\Tomcat 6.0\logs
    UNIX/Linux - This will depend on the OS and installation method. An example of a default location is /opt/apache/tomcat6.0/logs

    Tip: To help find the process ID of Tomcat, type:

    ps -ef | grep tomcat


    Which will return something like this; note the PID is 404:

    root 404 1 4 19:41 00:00:39 /usr/jdk1.7.0_02/jre/bin/java -Djava.util.logging.config.file=/opt/apache/tomcat

    To help find the log file, type lsof -p PID, where PID is the process ID of your Tomcat server. In the above example, it was 404:

    lsof -p 404 | grep "tomcat6.0/logs"

    Which will return something like this:

    java 404 root 1676 27754677 /opt/apache/tomcat6.0/logs/stdout.2013-04-15.log

    How to enable:
    Via a browser, enter the following URL: http://yourMidTierHost/arsys/jss-sso/index.jsp
    On the left pane above the Login button:
    o on BMC Mid Tier, enter the same password used for the configuration, e.g. /arsys/shared/config/config.jsp (the installation default is arsystem).
    o on other deployments (Analytics, Dashboards etc.), enter the SSO Plugin administration password (the installation default is jss).
    Click Configuration.
    Select the desired log level from the Log Level menu. It is recommended that Trace be selected for investigating any issues and Severe for normal operating times.
    Click Set Configuration. When using SSO Plugin 4+, the BMC AR System AREA plugin log file is automatically configured and the location reported through the user interface.



    Fiddler

    Fiddler is a Web Debugging Proxy which logs all HTTP(S) traffic between your computer and a web engine, e.g. Tomcat running Mid Tier. Fiddler is freeware and can debug traffic from virtually any application that supports a proxy, including Internet Explorer, Google Chrome, Apple Safari, Mozilla Firefox, Opera, and more.

    Download Fiddler

    To download Fiddler, go here:

    http://fiddler2.com/get-fiddler

    Installing Fiddler

    Select 'Run' from any Security Warning dialog.

    Agree to the License Agreement.

    Select the install directory for Fiddler.


    Click 'Close' when installation completes.

    Configure the browser to use Fiddler

    Follow these steps for the following browsers: IE, Chrome and Safari. To capture traffic from most browsers, enable File > Capture Traffic.

    When using Firefox: Click Tools > Options > Advanced > Network > Settings > Use System Proxy Settings

    Starting Fiddler

    Find Fiddler2 in the Windows Start menu, or type fiddler2 in Start > Run.

    HTTPS Traffic

    If you are using secure socket layer (SSL), you will be accessing the BMC Mid Tier with https in the URL bar. This encrypts traffic and therefore you need to tell Fiddler to decrypt it.

    To do so click Tools > Fiddler Options

    When the dialog appears, select "Decrypt HTTPS traffic" and click OK


    Verifying Service Principal Names (SPNs)

    The following section will help diagnose SPN specific issues.

    A common configuration step when establishing a Kerberos authentication method is the use of a Service Principal Name, or SPN, to identify a specific service. The service account configuration is stored in the SSO Plugin configuration linked from the SSO Plugin status page, i.e.

    http://yourMidTier/arsys/jss-sso/index.jsp on BMC Mid Tier,

    http://yourWebTier/webtier/jss-sso/index.jsp on HP Service Manager.


    The setspn utility

    SetSPN is a built-in utility with Windows Server 2008 and Server 2008 R2 for most releases, and is also available in the Windows Support Tools. You don't have to download SetSPN to use it. You can run SetSPN from member servers or workstations. It can be used to add and delete Service Principal Names to/from an Active Directory account, and search for duplicate SPNs that cause Kerberos to stop working.

    See accounts that are set to which SPN

    To list the SPNs assigned to an account, do the following:

    C:\Users\administrator.DEV>setspn -L JSS-SSO-SERVICE
    Registered ServicePrincipalNames for CN=JSS-SSO-SERVICE,CN=Computers,DC=dev,DC=j
    avasystemsolutions,DC=local:
            HTTP/w7604.dev.javasystemsolutions.local

    The example above shows the SPN of HTTP/w7604.dev.javasystemsolutions.local is set to the domain account of JSS-SSO-SERVICE.
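
The following Python sketch is an added example, not part of the JSS document or product. It parses saved setspn -L output such as the listing above, rejoins the header line that the 80-column console wrapped, and reports any SPN registered to more than one account; the second account (JSS-SSO-OLD) and its SPNs are constructed sample data.

```python
from collections import defaultdict

PREFIX = "Registered ServicePrincipalNames for "

# Constructed sample: `setspn -L` output for two accounts, concatenated.
# The first listing is the one shown on this page (console wrap included);
# the second account, JSS-SSO-OLD, is hypothetical.
SAMPLE = """\
Registered ServicePrincipalNames for CN=JSS-SSO-SERVICE,CN=Computers,DC=dev,DC=j
avasystemsolutions,DC=local:
        HTTP/w7604.dev.javasystemsolutions.local
Registered ServicePrincipalNames for CN=JSS-SSO-OLD,CN=Users,DC=dev,DC=javasystemsolutions,DC=local:
        http/W7604.DEV.javasystemsolutions.local
        HTTP/w7604
"""


def parse_setspn_listing(text):
    """Map each account DN to its SPNs, from concatenated `setspn -L` output."""
    accounts, current, pending = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:          # rejoin a header wrapped by the console
            line, pending = pending + line, None
        if line.startswith(PREFIX):
            if not line.endswith(":"):   # header continues on the next line
                pending = line
                continue
            current = line[len(PREFIX):-1]
            accounts.setdefault(current, [])
        elif current is not None and "/" in line:
            accounts[current].append(line)
    return accounts


def find_duplicate_spns(accounts):
    """Return {lower-cased SPN: sorted account DNs} for SPNs on 2+ accounts."""
    owners = defaultdict(set)
    for dn, spns in accounts.items():
        for spn in spns:
            owners[spn.lower()].add(dn)  # SPN matching is case-insensitive
    return {spn: sorted(dns) for spn, dns in owners.items() if len(dns) > 1}


if __name__ == "__main__":
    dupes = find_duplicate_spns(parse_setspn_listing(SAMPLE))
    for spn, dns in dupes.items():
        print("DUPLICATE", spn, "->", "; ".join(dns))
```

Run it over the combined setspn -L output of every service account under review; an empty result means no SPN in that set is shared between accounts.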

    Duplicate SPNs

    Kerberos will not work