HP Operations Orchestration Software

Software Version: 9.00

Procedure and Technical Support Best Practices for Configuring SSO using Active Directory

George Daflidis-Kotsis
GSD OO Support - Hewlett-Packard Ltd / 2013

Legal Notices

Warranty

The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.

Restricted Rights Legend

Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.

Copyright Notices

Copyright 2010 Hewlett-Packard Development Company, L.P.

Trademark Notices

All marks mentioned in this document are the property of their respective owners.

Finding or updating documentation on the Web

Documentation enhancements are a continual project at Hewlett-Packard Software. You can obtain or update the HP OO documentation set and tutorials at any time from the HP Software Product Manuals web site. You will need an HP Passport to log in to the web site.

To obtain HP OO documentation and tutorials

1. Go to the HP Software Product Manuals web site (http://support.openview.hp.com/selfsolve/manuals).
2. Log in with your HP Passport user name and password.
   OR
   If you do not have an HP Passport, click New users please register to create an HP Passport, then return to this page and log in. If you need help getting an HP Passport, see your HP OO contact.
3. In the Product list box, scroll down to and select Operations Orchestration.
4. In the Product Version list, click the version of the manuals that you're interested in.
5. In the Operating System list, click the relevant operating system.
6. Click the Search button.
7. In the Results list, click the link for the file that you want.

Where to Find Help, Tutorials, and More

The HP Operations Orchestration software (HP OO) documentation set is made up of the following:

- Help for Central
  Central Help provides information to the following:
  o Finding and running flows
  o For HP OO administrators, configuring the functioning of HP OO
  o Generating and viewing the information available from the outcomes of flow runs
  The Central Help system is also available as a PDF document in the HP OO home directory, in the \Central\docs subdirectory.
- Help for Studio
  Studio Help instructs flow authors at varying levels of programming ability.
  The Studio Help system is also available as a PDF document in the HP OO home directory, in the \Studio\docs subdirectory.
- Animated tutorials for Central and Studio
  HP OO tutorials can each be completed in less than half an hour and provide basic instruction on the following:
  o In Central, finding, running, and viewing information from flows
  o In Studio, modifying flows
  The tutorials are available in the Central and Studio subdirectories of the HP OO home directory.
- Self-documentation for operations and flows in the Accelerator Packs and ITIL folders
  Self-documentation is available in the descriptions of the operations and steps that are included in the flows.

Support

For support information, including patches, troubleshooting aids, support contract management, product manuals and more, visit the following site: http://support.openview.hp.com

This Document

This document provides insight for setting up SSO using OO 9.00 and an Active Directory domain for authentication. It attempts to address various issues encountered when configuring SSO using the instructions included in the Administrator's Guide, which are vague, to say the least. Certain issues arise, such as how the principal is set up (the procedure explained in the Administrator's Guide is misleading). Also, the guide does not make it clear that DES authentication is outdated (it uses a weak 56-bit cipher) and is only included in the instructions for backward compatibility with Central installations on Linux. The instructions in this document allow Windows to select a stronger encryption cipher of its choice.

This procedure is based on a Windows 2008 R2 Central installation using a Windows 2008 R2 AD domain controller. Setting up SSO works better in Windows 2003, at least as far as the existing instructions are concerned, but since Windows 2003 is EOS by Microsoft, new instructions based on Windows 2008 R2 were required.

For the purposes of this document, we will assume a realm/DNS domain called ooemea.com, with the legacy NT Domain name being OOEMEA. The OO Central FQDN used is oo900win-sso.ooemea.com. The KDC's FQDN will be msad.ooemea.com.

Kerberos is case sensitive, so anything that appears in CAPS in this document must be defined in CAPS in the actual procedure carried out.

Be careful when copying and pasting text from this document: some characters look normal but are not, and they cause unexplained errors when used as part of a command described in this document.
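Both failure modes named above, case mismatches and look-alike characters introduced by copy/paste, can be checked mechanically before a command or configuration line is used. The following is an added example, not part of the original document or of HP OO: it scans text for non-ASCII characters and compares every principal it finds with the expected one. The pasted sample is constructed from this document's example names, and the function names are assumptions of the example.

```python
import re
import unicodedata

# service/host@REALM, as given to ktpass -princ and to principal= in jaaslogin.conf
PRINCIPAL = re.compile(r"[A-Za-z]+/[A-Za-z0-9.-]+@[A-Za-z0-9.-]+")
# ASCII replacements for characters that word processors and PDFs substitute
ASCII_FIX = {"\u2010": "-", "\u2011": "-", "\u2013": "-", "\u2014": "-",
             "\u201c": '"', "\u201d": '"', "\u2018": "'", "\u2019": "'", "\u00a0": " "}

def lookalikes(text):
    """Return (line, column, Unicode name) for every non-ASCII character."""
    hits = []
    for ln, line in enumerate(text.splitlines(), 1):
        for col, ch in enumerate(line, 1):
            if ord(ch) > 127:
                hits.append((ln, col, unicodedata.name(ch, "U+%04X" % ord(ch))))
    return hits

def to_ascii(text):
    """Replace the known look-alikes; anything else non-ASCII is left for review."""
    return "".join(ASCII_FIX.get(ch, ch) for ch in text)

def principal_problems(text, expected):
    """Compare each principal in text with the expected one, character for character."""
    problems = []
    for found in PRINCIPAL.findall(to_ascii(text)):
        if found != expected:
            same = found.lower() == expected.lower()
            problems.append((found, "case differs" if same else "name differs"))
    return problems

# Constructed sample: an en dash pasted before "crypto" and a lower-cased principal.
EXPECTED = "HTTP/oo900win-sso.ooemea.com@OOEMEA.COM"
PASTED = ("ktpass -out mycentral.keytab -princ " + EXPECTED + " \u2013crypto ALL\n"
          'principal="http/oo900win-sso.ooemea.com@ooemea.com"\n')

if __name__ == "__main__":
    for hit in lookalikes(PASTED):
        print("non-ASCII character at line %d, column %d: %s" % hit)
    for found, why in principal_problems(PASTED, EXPECTED):
        print("principal %s: %s" % (found, why))
```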

On the Active Directory Domain Controller:

- In the Active Directory Users & Computers Windows interface, create a user, for example with username sso_login, making sure that you only check "Password never expires" in the account options.
- Execute:

    ktpass -out mycentral.keytab -princ HTTP/oo900win-sso.ooemea.com@OOEMEA.COM -mapuser OOEMEA\sso_login -pass opsware -crypto ALL -ptype KRB5_NT_PRINCIPAL

  Notes:
  o The mycentral part of the mycentral.keytab name can be any given name. It can even be the name of the Central server.
  o Using just sso_login instead of OOEMEA\sso_login will also work.
- Copy the mycentral.keytab created above to the Central server machine, in the %ICONCLUDE_HOME%\Central\conf\ subdirectory.
- In the Active Directory Users & Computers Windows interface, select the sso_login user created above, right-click and select Properties.
  o Go to the Delegation tab and select Trust this user for delegation to any service (Kerberos only).
  o Go to the Account tab and check Do not require Kerberos preauthentication.

On Central server machine, as OOEMEA\Administrator:

- Go to %ICONCLUDE_HOME%\Central\conf:
  o In jaaslogin.conf add (use / instead of \ as the path delimiter for the keytab):

    com.sun.security.jgss.accept {
        com.sun.security.auth.module.Krb5LoginModule required
        storeKey=true
        doNotPrompt=true
        useKeyTab=true
        kdc=msad.ooemea.com
        keyTab="C:/Program Files/Hewlett-Packard/Operations Orchestration/Central/conf/mycentral.keytab"
        realm="OOEMEA.COM"
        principal="HTTP/oo900win-sso.ooemea.com@OOEMEA.COM"
        debug=true;
    };

  o Create krb5.conf containing:

    [libdefaults]
    default_realm = OOEMEA.COM
    ticket_lifetime = 24000

    [realms]
    OOEMEA.COM = {
        kdc = msad.ooemea.com
        admin_server = msad.ooemea.com
        default_domain = .OOEMEA.COM
    }

    [domain_realm]
    .ooemea.com = OOEMEA.COM
    ooemea.com = OOEMEA.COM

    [pam]
    debug = true

    Note: Make sure that there is a space before and after each = sign.
  o Copy krb5.conf to C:\Windows\krb5.ini. This is an optional step on some systems.

  Note: If you need to use a specific cipher (e.g. AES128), you have to add the following two lines in the [libdefaults] section of krb5.conf and krb5.ini:

    default_tkt_enctypes = aes128-cts-hmac-sha1-96
    permitted_enctypes = aes128-cts-hmac-sha1-96

- In the Central UI, go to: Administration -> System Configuration -> Authentication.
  o Tick the Kerberos enabled checkbox under Kerberos Settings.
  o Under the same section, in the Kerberos5 configuration file line, enter the path to your krb5.conf file, e.g.: /Central/conf/krb5.conf
  Note: You are not required to fill out any of the other configurables in this section.
- Execute (this step is optional on some systems):

    kinit -J-Dsun.security.krb5.debug=true -f sso_login

- Edit: %ICONCLUDE_HOME%\Central\WEB-INF\applicationContext.xml
  o Locate bean authenticationentrypoint
  o Change property: loginformurl from /static/login.htm to /static/ssologin.htm
- Save & restart Central.
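Because ktpass was run with -crypto ALL, the keytab copied to Central holds one key per encryption type, so it is worth confirming what it actually contains alongside the enctype restriction in krb5.conf. The following is an added example, not from the original document or from HP: it parses the standard version 0x0502 keytab layout and reports DES and RC4 entries. The sample bytes use all-zero keys and are constructed, and the function names are this example's own.

```python
import struct

# Kerberos enctype numbers from the IANA registry. DES is the 56-bit cipher the
# document calls weak; RC4 is flagged as well because RFC 8429 deprecates it.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK = {1, 3, 23}

def counted(buf, off):  # 16-bit length-prefixed string -> (text, next offset)
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n].decode("utf-8"), off + 2 + n

def read_entry(data, p, end):  # one entry -> (principal, kvno, enctype)
    (ncomp,) = struct.unpack_from(">H", data, p)
    realm, p = counted(data, p + 2)
    comps = []
    for _ in range(ncomp):
        comp, p = counted(data, p)
        comps.append(comp)
    p += 8                            # skip name type and timestamp
    kvno = data[p]
    etype, klen = struct.unpack_from(">HH", data, p + 1)
    p += 5 + klen
    if end - p >= 4:                  # optional 32-bit kvno replaces the 8-bit one
        kvno = struct.unpack_from(">I", data, p)[0] or kvno
    return "/".join(comps) + "@" + realm, kvno, etype

def parse_keytab(data):
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        if size > 0:                  # a negative size marks a deleted slot
            entries.append(read_entry(data, off + 4, off + 4 + size))
        off += 4 + abs(size)
    return entries

def weak_entries(entries):
    return [(pr, kv, ENCTYPES.get(et, str(et))) for pr, kv, et in entries if et in WEAK]

def sample_entry(realm, comps, kvno, etype, key):  # builds constructed test data
    s = lambda t: struct.pack(">H", len(t)) + t.encode()
    body = struct.pack(">H", len(comps)) + s(realm) + b"".join(s(c) for c in comps)
    body += struct.pack(">IIBHH", 1, 0, kvno, etype, len(key)) + key
    return struct.pack(">i", len(body)) + body

# Constructed sample, all-zero keys: the document's principal under DES and AES256.
NAME = ("OOEMEA.COM", ["HTTP", "oo900win-sso.ooemea.com"])
SAMPLE = b"\x05\x02" + sample_entry(*NAME, 3, 3, bytes(8)) + sample_entry(*NAME, 3, 18, bytes(32))
```

To audit a real file, pass its bytes to parse_keytab and the result to weak_entries; an empty list means no DES or RC4 key is present.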

Configure Browsers (on a computer that belongs to the OOEMEA domain)

Log on with an AD user to a computer that belongs to the OOEMEA domain. Do not use the machine that Central is installed on.

In IE:

- Add https://*.ooemea.com to the trusted site list for the Local internet zone after logging on as an AD user and running IE. Depending on your permissions, you might have to execute IE using "Run as Administrator".

  Note: If the test fails, you might need to perform the following:
  Modify the registry per http://support.microsoft.com/kb/2709891
  o Add the following key-value pairs under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:

    SuppressExtendedProtection = 2
    LmCompatibilityLevel = 3

In Firefox:

- In the address bar, type: about:config
- In the next screen, click the I'll be careful, I promise button.
- Set the following parameters:
  o network.negotiate-auth.delegation-uris = ooemea.com
  o network.negotiate-auth.trusted-uris = ooemea.com

How to test

- A user is needed who belongs to the OOEMEA domain and also belongs to an OO external group.
- Log on using that user to a PC that belongs to the OOEMEA domain.
  Note: If you use the server that Central is installed on, it will not work.
- Make sure that the right modifications to the browser used have been made, as described above.
- Clear the browser history, especially login sessions & cookies.
- Restart the browser.
- Point the browser to: https://oo900win-sso.ooemea.com:8443/pas/app

If SSO works, the browser will directly display the Central UI dashboard and not the login screen.