That s why it s more practical to only implement SSO on the web client. Before you run this exercise, make sure you have the following files:

Transcription

1 How to implement SSO for web client ONLY: To activate SSO on web client, you only have to generate certificates for the WEB Application Server. If you want to activate SSO for the windows client, you have to generate certificates for ALL users that will use the windows client. That s why it s more practical to only implement SSO on the web client. PREREQ: Before you run this exercise, make sure you have the following files: certcreateca.bat certcreatesrvcert.bat certcreateclient.bat Java JDK installed opensslforca.conf Openssl.exe Ssleay32.dll libeay32.dll Contents of the batch file is at the end of this document Contents of the batch file is at the end of this document Contents of the batch file is at the end of this document You can download this from the internet Contents of the conf file is at the end of this document You can download this from the internet You can download this from the internet You can download this from the internet Let s assume the following values: AATAPP123.aat.com.au AATWEB123.aat.com.au SM SM Application Server Name SM Web Application Server Name Tomcat Webapps folder name Steps: 1. Make sure you have set up SM properly with a web client running using Tomcat/IIS 6.0 with ISAPI Filter. This is important, otherwise SSO will not work. It s so hard to implement using Apache Server so you might as well use IIS 6.0. Make sure everything is running so you won t have to spend too much debugging. The succeeding steps are useless unless you have a working service manager system with a web client that runs in IIS Open the batch files and update the entry set JAVA_HOME="C:\Program Files\Java\jre1.5.0_12" with the location of Java JRE in the computer where you will run the batch files. 3. Execute the batch file certcreateca.bat by typing in the command line: certcreateca.bat NEW When prompted for Common Name or First/Last Name enter: AATAPP123.aat.com.au Ignore the other questions by pressing the Enter key A sample screen is shown on the next page. Make sure you don t have any errors inside the command line screen. Otherwise, the succeeding steps will not work.

2 This step will create the following folders and files: Certs\cacerts Certs\mycacert.pem Crs (folder) Key\cakey.pem

3 4. Execute the certcreatesrvcert.bat. A sample output screen is shown below: It will create the following files: Certs\mycacert.srl Certs\smservercert.pem Crs\servercert_request.crs Key\server.keystore

4 5. Execute the certcreateclient.bat by executing it as follows: certcreateclient.bat web When prompted for the First/Last Name or Common Name, enter AATWEB123.aat.com.au. This is important, I got confused before. I thought that I should enter the server name of the Service Manager. IT SHOULD BE THE WEB APPLICATION SERVER NAME where you will copy the Certificate to.

5 It will create the following files: Certs\clientpubkey.cert Certs\Scclientcert.pem Certs\trustedclients.keystore Crs\clientcert_request.crs Key\web.keystore 6. Copy the files certs/cacerts, certs/trustedclients.keystore, key/server.keystore to the RUN directory. 7. Copy the files certs/cacerts and web.keystore to the WEB-INF directory of the sm web apps folder. 8. Open the web.xml located in the Tomcat webapps location and change the values of the highlighted items. Please note that the sample file below has already been updated. <?xml version="1.0" encoding="utf-8"?> (C) Copyright Hewlett-Packard Development Company, L.P. All Rights Reserved. <web-app xmlns=" xmlns:xsi=" xsi:schemalocation=" version="2.4"> <display-name>hp Service Manager</display-name> <description>hp Service Manager</description> CWC custom parameters used to affect the CWC framework <param-name>issavenavpathskipped</param-name> <param-name>shownavcollapse</param-name> Use of the backchannel iframe (used for list grouping) <param-name>isbackchannelused</param-name>

6 <param-name>isbreadcrumbtrayused</param-name> <param-value>false</param-value> Control sorting of the system navigator <param-name>sortnavitems</param-name> MESSAGE TRAY must be set to true <param-name>ismessagetrayused</param-name> <param-name>showlistcollapse</param-name> <param-value>false</param-value> <param-name>showdetailcollapse</param-name> <param-value>false</param-value> <param-name>showrefreshnavbutton</param-name> <param-name>showhelp</param-name> <param-value>false</param-value> <param-name>showlogout</param-name> <param-name>showframeworkreset</param-name> <param-value>false</param-value> <param-name>strappname</param-name> <param-value>hp Service Manager Web</param-value> <param-name>srclist</param-name> <param-value>list.do</param-value> <param-name>srcdetail</param-name> <param-value>detail.do</param-value> <param-name>srclistdetail</param-name> <param-value>detail.do</param-value> <param-name>srcmessages</param-name> <param-value>detail.do</param-value> <param-name>showaddbookmark</param-name> <param-value>false</param-value> <param-name>showsynctree</param-name> <param-value>false</param-value> <param-name>showspellcheck</param-name> Spring configuration files Apps should use the ST security component as is, configuring it via a security.properties file. This app provides specifies custom security in it's application-context.xml to change the behavior, making it more suitable to a sample app.

7 <param-name>contextconfiglocation</param-name> <param-value>classpath*:application-context.xml</param-value> Key bindings for commom operations. These key numbers are combined w/ the ALT key to produce the complete keystroke. Take note that certain third-party browser toolbars trap ALT+<key> for their own use. Be sure to select keys that will not confict w/ such toolbar key mappings. default is 'g' <param-name>keymessages</param-name> <param-value>71</param-value> default is 'p' <param-name>keyprint</param-name> <param-value>80</param-value> default is 'c' <param-name>keyspellcheck</param-name> <param-value>67</param-value> default is 'n' <param-name>keycollapseexpandnav</param-name> <param-value>78</param-value> default is 'r' <param-name>keyrefresh</param-name> <param-value>82</param-value> default is 'o' <param-name>keyabout</param-name> <param-value>79</param-value> default is the number '1' <param-name>keymanagefav</param-name> <param-value>49</param-value> default is the number '2' <param-name>keyaddfav</param-name> <param-value>50</param-value> override default F1 <param-name>functionkeyhelp</param-name> <param-value/> default is 'i' <param-name>keyhelp</param-name> <param-value>73</param-value> <param-name>isfullscreenlogin</param-name> <param-value>false</param-value> <param-name>iscustomauthenticationused</param-name> <param-value>false</param-value> <param-name>logouturl</param-name> <param-value>/goodbye.jsp</param-value> Response Compression

8 <filter> <filter-name>compression Filter</filter-name> <filter-class>org.apache.compressionfilters.compressionfilter</filter-class> <param-name>compressionthreshold</param-name> <param-value>2048</param-value> <param-name>debug</param-name> <param-value>0</param-value> </filter> Acegi security filter (proxy for the spring bean filter chain) <filter> <filter-name>acegi Filter Chain Proxy</filter-name> <filter-class>org.acegisecurity.util.filtertobeanproxy</filter-class> <param-name>targetclass</param-name> <param-value>org.acegisecurity.util.filterchainproxy</param-value> </filter> <filter> <filter-name>cachecontrol</filter-name> <filter-class> org.acegisecurity.util.filtertobeanproxy </filter-class> <param-name>targetbean</param-name> <param-value>cachecontrolproxy</param-value> </filter> LWSSO filter for integrations using HP lightweight single sign-on PLEASE NOTE: Uncomment this filter and the associated filter-mapping, and see application-context.xml for additional configuration needed for LWSSO. <filter> <filter-name>lwsso</filter-name> <filter-class>com.hp.sw.bto.ast.security.lwsso.lwssofilter</filter-class> </filter> filter mappings for Cache Control <filter-mapping> <filter-name>cachecontrol</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> LWSSO filter-mapping, please read description for LWSSO filter above before uncommenting this. <filter-mapping> <filter-name>lwsso</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> Acegi <filter-mapping> <filter-name>acegi Filter Chain Proxy</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <filter-mapping> <filter-name>compression Filter</filter-name> <url-pattern>*.do</url-pattern> </filter-mapping> <filter-mapping> <filter-name>compression Filter</filter-name> <url-pattern>*.jsp</url-pattern> </filter-mapping> <filter-mapping> <filter-name>compression Filter</filter-name> <url-pattern>*.html</url-pattern> </filter-mapping> <filter-mapping>

9 <filter-name>compression Filter</filter-name> <url-pattern>*.css</url-pattern> </filter-mapping> <filter-mapping> <filter-name>compression Filter</filter-name> <url-pattern>*.js</url-pattern> </filter-mapping> <listener> <listener-class>com.hp.ov.cwc.web.cwcservletcontextlistener </listener-class> </listener> Loads the root application context of this web app at startup. The application context is then available via WebApplicationContextUtils.getWebApplicationContext(servletContext). <listener> <listener-class>org.springframework.web.context.contextloaderlistener </listener-class> </listener> Acegi The HttpSessionEventPublisher will publish HttpSessionCreatedEvent and HttpSessionDestroyedEvent to the WebApplicationContext <listener> <listener-class>org.acegisecurity.ui.session.httpsessioneventpublisher </listener-class> </listener> <servlet> <description/> <display-name>hp Service Manager Web</display-name> <servlet-name>hp Service Manager Web</servlet-name> <servlet-class>com.hp.ov.sm.client.webtier.webcontrollerservlet </servlet-class> ******************************************************** The following parameters can also be supplied in the URL ******************************************************** Specify the HP Service Manager server host and port location <param-name>serverhost</param-name> <param-value>aatapp123.aat.com.au</param-value> <param-name>serverport</param-name> <param-value>13080</param-value> <param-name>honorurlhost</param-name> <param-value>false</param-value> <param-name>honorurlport</param-name> <param-value>false</param-value> ESS users would override this with URL param. But the application could be set to always operate in ESS mode if this were set to true. If so the user will not need to have that parameter set. When it is true the server is notifed so that the correct applications are initialized. <param-name>essuser</param-name> <param-value>false</param-value> Enable background checking of status messages. When enabled the user's browser issues requests back to the server on timed basis and updates the client's message bar with new messages if any are supplied. <param-name>refreshmessages</param-name> Number of milliseconds between message refresh check

10 <param-name>refreshmessagesinterval</param-name> <param-value>15000</param-value> Enable to support the display of active note messages <param-name>viewactivenotes</param-name> <param-value>false</param-value> Specify the location of help server. If defined, the browser provides the user with a link to online help page <param-name>helpserverhost</param-name> <param-value/> <param-name>helpserverport</param-name> <param-value/> Enable to prompt the user to save their changes if they modify a record and then attempt to leave the screen without saving <param-name>viewpromptforsave</param-name> Enables split list/detail display after a search is performed. <param-name>viewrecordlist</param-name> Specify the number of row displayed in the record list <param-name>recordlistcount</param-name> <param-value>32</param-value> Enables submission of forms when the user presses the ENTER key. <param-name>autosubmit</param-name> Enables secure encoding of queries <param-name>querysecurity</param-name> Use of the custom tab orders defined in the form designer to set the tabindex attributes. Default is false and the tabindex is set to blanks which will let the browsers determine the tab orders. <param-name>useservertabs</param-name> <param-value>false</param-value> ******************************************************** The following parameters can't be supplied in the URL: they can only be changed in web.xml ******************************************************** Control the encryption of network communication between the application server and the HP Service Manager server <param-name>ssl</param-name> Specify the CA certificate store to use in encrypted communication If this value is empty, the JDK's default jre/lib/security/cacerts file is used If this is a relative path, it will be relative to the web application's deploy directory but still needs a leading slash <param-name>cacerts</param-name> <param-value>/web-inf/cacerts</param-value> Specify the client's private keystore to use in encrypted communication. This is necessary

11 for client authentication when using single sign-on, but not for a standard SSL connection. If this is a relative path, it will be relative to the web application's deploy directory but still needs a leading slash <param-name>keystore</param-name> <param-value>/web-inf/web.keystore</param-value> Specify the password for the client's private keystore <param-name>keystorepassword</param-name> <param-value>clientkeystore</param-value> Compress network communication between the application server and the HP Service Manager server <param-name>compress_soap</param-name> <load-on-startup>1</load-on-startup> </servlet> <servlet> <description>a compression capable servlet used for downloading file attachments associated with the current DBMS record. </description> <display-name>attachment Download Servlet</display-name> <servlet-name>attachmentdownload</servlet-name> <servlet-class>com.hp.ov.sm.client.webtier.filedownloadservlet </servlet-class> <param-name>scope</param-name> <param-value>attachmentsonly</param-value> <param-name>disablecompression</param-name> </servlet> <servlet> <description>a compression capable servlet used for downloading file attachments associated with the current DBMS record. </description> <display-name>file Download Servlet</display-name> <servlet-name>filedownload</servlet-name> <servlet-class>com.hp.ov.sm.client.webtier.filedownloadservlet </servlet-class> <param-name>scope</param-name> <param-value>attachmentsonly</param-value> <param-name>forcedownload</param-name> <param-name>disablecompression</param-name> </servlet> <servlet> <description>file Upload Servlet.</description> <display-name>file Upload Servlet</display-name> <servlet-name>fileupload</servlet-name> <servlet-class>com.hp.ov.sm.client.webtier.fileuploadservlet</servlet-class> </servlet> <servlet> <description>image Upload Servlet.</description> <display-name>image Upload Servlet</display-name> <servlet-name>imageupload</servlet-name> <servlet-class>com.hp.ov.sm.client.webtier.fileuploadservlet</servlet-class> <param-name>allowed</param-name> <param-value>bmp,jpg,jpeg,png,gif</param-value>

12 <param-name>success</param-name> <param-value>../imageuploaded.jsp</param-value> </servlet> <servlet> <description>attachment upload servlet</description> <display-name>attachment Upload Servlet</display-name> <servlet-name>attachmentupload</servlet-name> <servlet-class>com.hp.ov.sm.client.webtier.fileuploadservlet</servlet-class> <param-name>success</param-name> <param-value>../attachmentuploaded.jsp</param-value> </servlet> <servlet> <description>unique attachment upload servlet</description> <display-name>unique Upload Servlet</display-name> <servlet-name>uniqueupload</servlet-name> <servlet-class>com.hp.ov.sm.client.webtier.fileuploadservlet</servlet-class> <param-name>success</param-name> <param-value>../uniqueuploaded.jsp</param-value> </servlet> <servlet> <description>servlet allowing download of an attachment from any record in the database </description> <display-name>attachment Servlet</display-name> <servlet-name>attachment</servlet-name> <servlet-class>com.hp.ov.sm.client.webtier.attachmentservlet</servlet-class> </servlet> <servlet> <description>servlet allowing download of an attachment image from any record in the database and scale it for display </description> <display-name>image Servlet</display-name> <servlet-name>image</servlet-name> <servlet-class>com.hp.ov.sm.client.webtier.imageservlet</servlet-class> </servlet> <servlet> <description>servlet to get a graph definition or update from an application </description> <display-name>graph Servlet</display-name> <servlet-name>graph</servlet-name> <servlet-class>com.hp.ov.sm.client.webtier.graphservlet</servlet-class> </servlet> <servlet> <description>servlet to get content of a Popup Subform </description> <display-name>popup Subform</display-name> <servlet-name>popupsubform</servlet-name> <servlet-class>com.hp.ov.sm.client.webtier.hoverformservlet</servlet-class> </servlet> <servlet> <description>servlet in charge of messages management</description> <display-name>messages</display-name> <servlet-name>messages</servlet-name> <servlet-class>com.hp.ov.sm.client.webtier.messagesservlet</servlet-class> </servlet> <servlet> <description>servlet allowing download of HTML content to display in HTML viewer </description> <display-name>html Viewer</display-name> <servlet-name>htmlviewer</servlet-name> <servlet-class>com.hp.ov.sm.client.webtier.htmlviewerservlet</servlet-class> </servlet> <servlet> <description>servlet to open a record or list from a link in the HTML viewer </description> <display-name>record Link</display-name> <servlet-name>recordlink</servlet-name> <servlet-class>com.hp.ov.sm.client.webtier.linkservlet</servlet-class> </servlet> <servlet>

13 <description>navigation Menu Servlet</description> <display-name>navigation Menu</display-name> <servlet-name>navmenu</servlet-name> <servlet-class>com.hp.ov.sm.client.webtier.navmenuservlet</servlet-class> </servlet> <servlet> <description>responsible for emitting references to.css files associated with a custom theme </description> <display-name>theme Servlet</display-name> <servlet-name>themeservlet</servlet-name> <servlet-class>com.hp.ov.cwc.web.themeservlet</servlet-class> </servlet> <servlet-mapping> <servlet-name>themeservlet</servlet-name> <url-pattern>/cwc/customthemecss</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>hp Service Manager Web</servlet-name> <url-pattern>*.do</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>filedownload</servlet-name> <url-pattern>/servlet/download/*</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>attachmentdownload</servlet-name> <url-pattern>/attachments/*</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>fileupload</servlet-name> <url-pattern>/servlet/upload</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>imageupload</servlet-name> <url-pattern>/servlet/imageupload</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>attachmentupload</servlet-name> <url-pattern>/servlet/attachmentupload</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>uniqueupload</servlet-name> <url-pattern>/servlet/uniqueupload</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>attachment</servlet-name> <url-pattern>/servlet/attachment/*</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>image</servlet-name> <url-pattern>/servlet/image</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>graph</servlet-name> <url-pattern>/servlet/graph</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>popupsubform</servlet-name> <url-pattern>/popupsubform</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>messages</servlet-name> <url-pattern>/servlet/messages</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>htmlviewer</servlet-name> <url-pattern>/servlet/htmlviewer</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>recordlink</servlet-name> <url-pattern>/servlet/recordlink</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>navmenu</servlet-name> <url-pattern>/cwc/nav.menu</url-pattern>

14 </servlet-mapping> The following session-timeout value is in minutes. If a user closes a browser window without logging out, the application server will wait this long before sending HP Service Manager a request to end the user's scenter process. <session-config> <session-timeout>15</session-timeout> </session-config> <welcome-file-list> <welcome-file>index.html</welcome-file> </welcome-file-list> <error-page> <exception-type>java.lang.throwable</exception-type> <location>/cwc/error.jsp</location> </error-page> <error-page> <error-code>500</error-code> <location>/goodbye.jsp</location> </error-page> <jsp-config> <jsp-property-group> <url-pattern>*.jsp</url-pattern> <el-ignored>false</el-ignored> <page-encoding>utf-8</page-encoding> </jsp-property-group> </jsp-config> <env-entry> <description>hp Service Manager client theme</description> <env-entry-name>alternatetheme</env-entry-name> <env-entry-type>java.lang.string</env-entry-type> <env-entry-value/> </env-entry> <env-entry> <description>log4j configuration properties file location</description> <env-entry-name>log.properties</env-entry-name> <env-entry-type>java.lang.string</env-entry-type> <env-entry-value>/web-inf/log4j.properties</env-entry-value> </env-entry> </web-app> 9. Open the application-context.xml file located at WEB-INF/classes and set the following highlighted values. Please note that the copy below has been updated already: <?xml version="1.0" encoding="utf-8"?> <!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" " Application specific beans go here. Applications should configure component behavior via properties files, and not duplicate configuration information. <beans> this bean is used by the Filter Chain Proxy defined in the web.xml it applies a chain of filters based on the pattern. In this case it applies a filter to set up a Spring context for the session, and then the HTTP Basic authentication filter. <bean id="filterchainproxy" class="org.acegisecurity.util.filterchainproxy"> <property name="filterinvocationdefinitionsource"> <value> PATTERN_TYPE_APACHE_ANT /images/**=#none# /js/**=#none# /css/**=#none# /cwc/images/**=#none# /cwc/js/**=#none# /cwc/css/**=#none# /cwc/tree/**=#none# /**=httpsessioncontextintegrationfilter,preauthenticationfilter,anonymousprocessingfil ter </value> </property> </bean> add preauthenticationfilter before the anonymousprocessingfilter in the filter

15 chain above to enable preauthentication, thus: /**=httpsessioncontextintegrationfilter,preauthenticationfilter,anonymousprocessingfil ter or for integrations requiring HP Lightweight Single Sign-on (lwsso) use the lwssofilter and uncomment it below. /**=httpsessioncontextintegrationfilter,lwssofilter,anonymousprocessingfilter <bean id="cachecontrolproxy" class="org.acegisecurity.util.filterchainproxy"> <property name="filterinvocationdefinitionsource"> <value> PATTERN_TYPE_APACHE_ANT /images/**=cachefilter /js/**=cachefilter /css/**=cachefilter /cwc/images/**=cachefilter /cwc/js/**=cachefilter /cwc/css/**=cachefilter /cwc/tree/**=cachefilter /*.do*=nevercachefilter /**/*.jsp=nevercachefilter /*.jsp=nevercachefilter </value> </property> </bean> <bean id="nevercachefilter" class="com.hp.ov.cwc.web.cachecontrolfilter"> <property name="headers"> <map> <entry key="expires"><value>sat, 6 May :00:00 GMT</value></entry> <entry key="cache-control"><value>no-store, no-cache, must-revalidate, postcheck=0, pre-check=0</value></entry> <entry key="pragma"><value>no-cache</value></entry> </map> </property> </bean> This filter tells the browser to cache these files up to the specified max-age time specified in seconds sec is 2 hours. See RFC-2616 for more information. <bean id="cachefilter" class="com.hp.ov.cwc.web.cachecontrolfilter"> <property name="headers"> <map> <entry key="expires"><value>sat, 6 May :00:00 GMT</value></entry> <entry key="cache-control"><value>public, max-age=7200</value></entry> </map> </property> </bean> <bean id="httpsessioncontextintegrationfilter" class="org.acegisecurity.context.httpsessioncontextintegrationfilter"> <property name="allowsessioncreation"> <value>true</value> </property> <property name="context"> <value>org.acegisecurity.context.securitycontextimpl</value> </property> </bean> <bean id="anonymousprocessingfilter" class="org.acegisecurity.providers.anonymous.anonymousprocessingfilter"> <property name="key"> <value>foobar</value> </property> <property name="userattribute"> <value>anonymoususer,role_anonymous</value> </property> </bean> <bean id="anonymousauthenticationprovider" class="org.acegisecurity.providers.anonymous.anonymousauthenticationprovider"> <property name="key"> <value>foobar</value> </property>

16 </bean> <bean id="authenticationmanager" class="org.acegisecurity.providers.providermanager"> <property name="providers"> <list> <ref bean="preauthenticationprovider"/> <ref bean="anonymousauthenticationprovider"/> </list> </property> </bean> <bean id="preauthenticationfilter" class="com.hp.ov.cwc.security.acegi.preauthenticationfilter"> <property name="authenticationmanager"> <ref bean="authenticationmanager"/> </property> <property name="defaultrole"> <value>role_pre</value> </property> </bean> <bean id="preauthenticationprovider" class="com.hp.ov.cwc.security.acegi.preauthenticationprovider"/> <bean id="spellcheck" class="com.hp.ov.cwc.web.spellchecker.wintertree.spellcheckerbean"> <property name="propertiesfile"> <value>/web-inf/wintertree.properties</value> </property> </bean> <bean id="spellcheck" class="com.hp.ov.cwc.web.spellchecker.wintertree.spellcheckerbean"> <property name="propertiesfile"> <map> <entry> <key> <value>en</value> </key> <value>/web-inf/wintertree.properties</value> </entry> <entry> <key> <value>de</value> </key> <value>/web-inf/wintertree_de.properties</value> </entry> <entry> <key> <value>es</value> </key> <value>/web-inf/wintertree_es.properties</value> </entry> <entry> <key> <value>fr</value> </key> <value>/web-inf/wintertree_fr.properties</value> </entry> <entry> <key> <value>it</value> </key> <value>/web-inf/wintertree_it.properties</value> </entry> </map> </property> </bean> This bean is used for HP Lightweight Single Sign-on, to integrate with other Hewlett-Packard software products. Uncomment it here and reference it in the filterchainproxy as commented above. <bean id="lwssofilter" class="com.hp.ov.sm.client.webtier.lwsso.lwssopreauthenticationfilter"> <property name="authenticationmanager"> <ref bean="authenticationmanager"/>

17 </property> <property name="defaultrole"> <value>role_pre</value> </property> </bean> </beans> 10. Go to IIS Manager and go to Default Web site. There should be a Jakarta virtual directory in there as a result of installing the ISAPI Filter. Go to its properties (right click) and go to Directory Security. Make sure it looks like the screen below:

18 11. Make sure that the Directory Security of the Default Website (right click to go to Properties) looks like the one below: 12. Open \Apache Software Foundation\Tomcat 5.5\conf\server.xml and update as follows: <?xml version="1.0"?> Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file to You under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. Example Server Configuration File Note that component elements are nested corresponding to their parent-child relationships with each other A "Server" is a singleton element that represents the entire JVM, which may contain one or more "Service" instances. The Server listens for a shutdown command on the indicated port. Note: A "Server" is not itself a "Container", so you may not define subcomponents such as "Valves" or "Loggers" at this level. <Server port="8005" shutdown="shutdown">

19 Comment these entries out to disable JMX MBeans support used for the administration web application <Listener classname="org.apache.catalina.core.aprlifecyclelistener" /> <Listener classname="org.apache.catalina.mbeans.serverlifecyclelistener" /> <Listener classname="org.apache.catalina.mbeans.globalresourceslifecyclelistener" /> <Listener classname="org.apache.catalina.storeconfig.storeconfiglifecyclelistener"/> Global JNDI resources <GlobalNamingResources> Test entry for demonstration purposes <Environment name="simplevalue" type="java.lang.integer" value="30"/> Editable user database that can also be used by UserDatabaseRealm to authenticate users <Resource name="userdatabase" auth="container" type="org.apache.catalina.userdatabase" description="user database that can be updated and saved" factory="org.apache.catalina.users.memoryuserdatabasefactory" pathname="conf/tomcat-users.xml" /> </GlobalNamingResources> A "Service" is a collection of one or more "Connectors" that share a single "Container" (and therefore the web applications visible within that Container). Normally, that Container is an "Engine", but this is not required. Note: A "Service" is not itself a "Container", so you may not define subcomponents such as "Valves" or "Loggers" at this level. Define the Tomcat Stand-Alone Service <Service name="catalina"> A "Connector" represents an endpoint by which requests are received and responses are returned. Each Connector passes requests on to the associated "Container" (normally an Engine) for processing. By default, a non-ssl HTTP/1.1 Connector is established on port You can also enable an SSL HTTP/1.1 Connector on port 8443 by following the instructions below and uncommenting the second Connector entry. SSL support requires the following steps (see the SSL Config HOWTO in the Tomcat 5 documentation bundle for more detailed instructions): * If your JDK version 1.3 or prior, download and install JSSE or later, and put the JAR files into "$JAVA_HOME/jre/lib/ext". * Execute: %JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA (Windows) $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA (Unix) with a password value of "changeit" for both the certificate and the keystore itself. By default, DNS lookups are enabled when a web application calls request.getremotehost(). This can have an adverse impact on performance, so you can disable it by setting the "enablelookups" attribute to "false". When DNS lookups are disabled, request.getremotehost() will return the String version of the IP address of the remote client. Define a non-ssl HTTP/1.1 Connector on port 8080 <Connector port="8080" maxhttpheadersize="8192" maxthreads="150" minsparethreads="25" maxsparethreads="75" enablelookups="false" redirectport="8443" acceptcount="100" connectiontimeout="20000" disableuploadtimeout="true" /> Note : To disable connection timeouts, set connectiontimeout value to 0 Note : To use gzip compression you could set the following properties : compression="on" compressionminsize="2048" nocompressionuseragents="gozilla, traviata" compressablemimetype="text/html,text/xml"

20 Define a SSL HTTP/1.1 Connector on port 8443 <Connector port="8443" maxhttpheadersize="8192" maxthreads="150" minsparethreads="25" maxsparethreads="75" enablelookups="false" disableuploadtimeout="true" acceptcount="100" scheme="https" secure="true" clientauth="false" sslprotocol="tls" /> Define an AJP 1.3 Connector on port 8009 <Connector port="8009" enablelookups="false" tomcatauthentication="false" redirectport="8443" protocol="ajp/1.3" /> Define a Proxied HTTP/1.1 Connector on port 8082 See proxy documentation for more information about using this. <Connector port="8082" maxthreads="150" minsparethreads="25" maxsparethreads="75" enablelookups="false" acceptcount="100" connectiontimeout="20000" proxyport="80" disableuploadtimeout="true" /> An Engine represents the entry point (within Catalina) that processes every request. The Engine implementation for Tomcat stand alone analyzes the HTTP headers included with the request, and passes them on to the appropriate Host (virtual host). You should set jvmroute to support load-balancing via AJP ie : <Engine name="standalone" defaulthost="localhost" jvmroute="jvm1"> Define the top level container in our container hierarchy <Engine name="catalina" defaulthost="localhost"> The request dumper valve dumps useful debugging information about the request headers and cookies that were received, and the response headers and cookies that were sent, for all requests received by this instance of Tomcat. If you care only about requests to a particular virtual host, or a particular application, nest this element inside the corresponding <Host> or <Context> entry instead. For a similar mechanism that is portable to all Servlet 2.4 containers, check out the "RequestDumperFilter" Filter in the example application (the source for this filter may be found in "$CATALINA_HOME/webapps/examples/WEB-INF/classes/filters"). Request dumping is disabled by default. Uncomment the following element to enable it. <Valve classname="org.apache.catalina.valves.requestdumpervalve"/> Because this Realm is here, an instance will be shared globally This Realm uses the UserDatabase configured in the global JNDI resources under the key "UserDatabase". Any edits that are performed against this UserDatabase are immediately available for use by the Realm. <Realm classname="org.apache.catalina.realm.userdatabaserealm" resourcename="userdatabase"/> Comment out the old realm but leave here for now in case we need to go back quickly <Realm classname="org.apache.catalina.realm.memoryrealm" /> Replace the above Realm with one of the following to get a Realm stored in a database and accessed via JDBC <Realm classname="org.apache.catalina.realm.jdbcrealm" drivername="org.gjt.mm.mysql.driver"

21 connectionurl="jdbc:mysql://localhost/authority" connectionname="test" connectionpassword="test" usertable="users" usernamecol="user_name" usercredcol="user_pass" userroletable="user_roles" rolenamecol="role_name" /> <Realm classname="org.apache.catalina.realm.jdbcrealm" drivername="oracle.jdbc.driver.oracledriver" connectionname="scott" connectionpassword="tiger" usertable="users" usernamecol="user_name" usercredcol="user_pass" userroletable="user_roles" rolenamecol="role_name" /> <Realm classname="org.apache.catalina.realm.jdbcrealm" drivername="sun.jdbc.odbc.jdbcodbcdriver" connectionurl="jdbc:odbc:catalina" usertable="users" usernamecol="user_name" usercredcol="user_pass" userroletable="user_roles" rolenamecol="role_name" /> Define the default virtual host Note: XML Schema validation will not work with Xerces 2.2. <Host name="localhost" appbase="webapps" unpackwars="true" autodeploy="true" xmlvalidation="false" xmlnamespaceaware="false"> Defines a cluster for this node, By defining this element, means that every manager will be changed. So when running a cluster, only make sure that you have webapps in there that need to be clustered and remove the other ones. A cluster has the following parameters: classname = the fully qualified name of the cluster class name = a descriptive name for your cluster, can be anything mcastaddr = the multicast address, has to be the same for all the nodes mcastport = the multicast port, has to be the same for all the nodes mcastbindaddr = bind the multicast socket to a specific address mcastttl = the multicast TTL if you want to limit your broadcast mcastsotimeout = the multicast readtimeout mcastfrequency = the number of milliseconds in between sending a "I'm alive" heartbeat mcastdroptime = the number a milliseconds before a node is considered "dead" if no heartbeat is received tcpthreadcount = the number of threads to handle incoming replication requests, optimal would be the same amount of threads as nodes tcplistenaddress = the listen address (bind address) for TCP cluster request on this host, in case of multiple ethernet cards. auto means that address becomes InetAddress.getLocalHost().getHostAddress() tcplistenport = the tcp listen port case the OS tcpselectortimeout = the timeout (ms) for the Selector.select() method in has a wakup bug in java.nio. Set to 0 for no timeout printtoscreen = true means that managers will also print to std.out expiresessionsonshutdown = true means that usedirtyflag = true means that we only replicate a session after

22 setattribute,removeattribute has been called. false means to replicate the session after each request. false means that replication would work for the following piece of code: (only for SimpleTcpReplicationManager) <% HashMap map = (HashMap)session.getAttribute("map"); map.put("key","value"); %> replicationmode = can be either 'pooled', 'synchronous' or 'asynchronous'. * Pooled means that the replication happens using several sockets in a synchronous way. Ie, the data gets replicated, then the request return. This is the same as the 'synchronous' setting except it uses a pool of sockets, hence it is multithreaded. This is the fastest and safest configuration. To use this, also increase the nr of tcp threads that you have dealing with replication. * Synchronous means that the thread that executes the request, is also the thread the replicates the data to the other nodes, and will not return until all nodes have received the information. * Asynchronous means that there is a specific 'sender' thread for each cluster node, so the request thread will queue the replication request into a "smart" queue, and then return to the client. The "smart" queue is a queue where when a session is added to the queue, and the same session already exists in the queue from a previous request, that session will be replaced in the queue instead of replicating two requests. This almost never happens, unless there is a large network delay. When configuring for clustering, you also add in a valve to catch all the requests coming in, at the end of the request, the session may or may not be replicated. A session is replicated if and only if all the conditions are met: 1. usedirtyflag is true or setattribute or removeattribute has been called AND 2. a session exists (has been created) 3. the request is not trapped by the "filter" attribute The filter attribute is to filter out requests that could not modify the session, hence we don't replicate the session after the end of this request. The filter is negative, ie, anything you put in the filter, you mean to filter out, ie, no replication will be done on requests that match one of the filters. The filter attribute is delimited by ;, so you can't escape out ; even if you wanted to. filter=".*\.gif;.*\.js;" means that we will not replicate the session after requests with the URI ending with.gif and.js are intercepted. The deployer element can be used to deploy apps cluster wide. Currently the deployment only deploys/undeploys to working members in the cluster so no WARs are copied upons startup of a broken node. The deployer watches a directory (watchdir) for WAR files when watchenabled="true" When a new war file is added the war gets deployed to the local instance, and then deployed to the other instances in the cluster. When a war file is deleted from the watchdir the war is undeployed locally and cluster wide <Cluster classname="org.apache.catalina.cluster.tcp.simpletcpcluster" managerclassname="org.apache.catalina.cluster.session.deltamanager" expiresessionsonshutdown="false" usedirtyflag="true" notifylistenersonreplication="true">

23 <Membership classname="org.apache.catalina.cluster.mcast.mcastservice" mcastaddr=" " mcastport="45564" mcastfrequency="500" mcastdroptime="3000"/> <Receiver classname="org.apache.catalina.cluster.tcp.replicationlistener" tcplistenaddress="auto" tcplistenport="4001" tcpselectortimeout="100" tcpthreadcount="6"/> <Sender classname="org.apache.catalina.cluster.tcp.replicationtransmitter" replicationmode="pooled" acktimeout="15000"/> <Valve classname="org.apache.catalina.cluster.tcp.replicationvalve" filter=".*\.gif;.*\.js;.*\.jpg;.*\.htm;.*\.html;.*\.txt;"/> <Deployer classname="org.apache.catalina.cluster.deploy.farmwardeployer" tempdir="/tmp/war-temp/" deploydir="/tmp/war-deploy/" watchdir="/tmp/war-listen/" watchenabled="false"/> </Cluster> Normally, users must authenticate themselves to each web app individually. Uncomment the following entry if you would like a user to be authenticated the first time they encounter a resource protected by a security constraint, and then have that user identity maintained across *all* web applications contained in this virtual host. <Valve classname="org.apache.catalina.authenticator.singlesignon" /> Access log processes all requests for this virtual host. By default, log files are created in the "logs" directory relative to $CATALINA_HOME. If you wish, you can specify a different directory with the "directory" attribute. Specify either a relative (to $CATALINA_HOME) or absolute path to the desired directory. <Valve classname="org.apache.catalina.valves.accesslogvalve" directory="logs" prefix="localhost_access_log." suffix=".txt" pattern="common" resolvehosts="false"/> Access log processes all requests for this virtual host. By default, log files are created in the "logs" directory relative to $CATALINA_HOME. If you wish, you can specify a different directory with the "directory" attribute. Specify either a relative (to $CATALINA_HOME) or absolute path to the desired directory. This access log implementation is optimized for maximum performance, but is hardcoded to support only the "common" and "combined" patterns. <Valve classname="org.apache.catalina.valves.fastcommonaccesslogvalve" directory="logs" prefix="localhost_access_log." suffix=".txt" pattern="common" resolvehosts="false"/> </Host> </Engine> </Service> </Server>

24 13. Your SM.INI file should look like the one below: # ServiceManager Initialization file # (c) Copyright 2008 Hewlett-Packard Development Company, L.P. # 3/25/10 7:03 AM #Default Autopass Directory on Unix Platform #autopass_dir:/opt/ov/hpovlic #Default Autopass Directory on Windows Platform #autopass_dir:c:/program Files/Common Files/Hewlett-Packard/HPOvLIC shared_memory: log:../logs/sm.log alertlog:../logs/sm.alert.log system:13080 sslconnector:0 sqldictionary:sqlserver [sqlserver] sqldb:sm7dev sqllogin:sm7admin/$m7adm1n plugin0:kmplugin.dll #SSL/SSO setup #Keystore keystorefile:server.keystore keystorepass:serverkeystore #Trusted Clients File and password ssl_trustedclientsjks:trustedclients.keystore ssl_trustedclientspwd:trustedclients #Known Certificate Authorities - The signing CA must be in here truststorefile:cacerts truststorepass:changeit

25 14. Edit the uriworkermap.properties in the \Apache Software Foundation\Tomcat 5.5\conf folder. Please note that this file will only be created after you installed ISAPI Filter. When installing ISAPI Filter, you have to change the default location to the location of your Tomcat. # uriworkermap.properties - IIS # # This file provides sample mappings for example wlb # worker defined in workermap.properties.minimal # The general syntax for this file is: # [URL]=[Worker name] /admin/*=wlb /manager/*=wlb /jsp-examples/*=wlb /servlets-examples/*=wlb /smdev/*=wlb *.jsp=wlb *.do=wlb # Optionally filter out all.jpeg files inside that context # For no mapping the url has to start with exclamation (!)!/servlets-examples/*.jpeg=wlb # # Mount jkstatus to /jkmanager # For production servers you will need to # secure the access to the /jkmanager url # /jkmanager=jkstatus 15. Your SM.CFG should look like the one below: # # HP Service Manager Server Configuration File # # Used by HP Service Manager service on Windows and smstart script on Unix # to start the Service Manager server processes. # ###################################################################################### # # (c) Copyright 2008 Hewlett-Packard Development Company, L.P. # All Rights Reserved # ###################################################################################### # # start a Service Manager listener # #sm # When unable to start the server as a service # uncomment the following line to produce an output # file which may contain some information from the # Java JVM. #cmd /c "sm" > C:\\process_stdout 2>&1 # # start background schedulers # sm -httpport: loadbalancer #you need to have a copy of the cacerts file in the windows client directory before #you can use the below port, otherwise use sm -httpport: httpsport: sslconnector:1 -ssl:1 #the ports below are for web client use only because we only generated SSL certificates for the #web app server sm -httpport: httpsport: sslconnector:1 -ssl:1 -ssl_reqclientauth:1 sm -httpport: httpsport: sslconnector:1 -ssl:1 -ssl_reqclientauth:2 -debugnode:1 sm -httpport: httpsport: sslconnector:1 -ssl:1 -ssl_reqclientauth:2 -trustedsignon:1 - debugnode:1

26 sm -que:ir sm system.start 16. Make sure you create an operator record that matches your windows account and password before you proceed to the next step. 17. In your web.xml, try using the following ports IN ORDER. This will help you in debugging process. Make sure that you can connect to the service manager successfully when using the ports. You should be able to connect successfully using the port and before you attempt The last port is the set up that uses trusted sign on You should still see the login screen when you use this port. The parameters for this port only signify that the web application server has a valid certificate when communicating with the server You should still see the login screen when you use this port. The parameters for this port only signify that the web application server s certificate is in the list of trusted certificates of the server You should now be presented with the main screen and NOT the login screen. 18. Check the sm.log file for error messages. Sometimes, you just have to regenerate again the Client Certificates in order to fix some errors. 19. Make sure that you ve also set the IIS and Jakarta Directory Security properly (integrated windows authentication)

27 Contents of certcreateca.bat SM SSL Certificates Creator (server component) This batch file facilitates the creation of the SSL certificates that are needed to setup SSL encryption for Service Manager 7.0x. Run this batch file only once to create the certificates for the Service Manager server Based on HPs file but CA creation separated out. G.A. off if "X%1X"=="XNEWX" goto ok goto dontrun :ok Openssl settings This batch file uses the openssl.conf file as input for the the openssl program. All _default values can be set according to your organisation. Only one openssl.conf is needed set OPENSSL=openssl Java Settings set the JAVA_HOME variable to the installation path of the JRE you want to use set JAVA_HOME="C:\Program Files\Java\jre1.5.0_12" set KEYTOOL=%JAVA_HOME%\bin\keytool Password settings These are the default password settings used by the openssl and keytool programs. All passwords can be changed, EXCEPT the CACERT_PASSWD, as this is the default password that the SUN cacert from the JRE uses! set set CACERT_PASSWD=changeit set SERVER_KEYSTORE_PASSWD=serverkeystore set CLIENT_KEYSTORE_PASSWD=clientkeystore set /q /q /q crs copy %JAVA_HOME%\lib\security\cacerts %JAVA_HOME%\lib\security\cacerts.orig copy %JAVA_HOME%\lib\security\cacerts certs\cacerts Private Key & Root Certificate generation REM create the private key for your Creating a Self-Signed Certificate (cakey.pem) %OPENSSL% genrsa -des3 -passout pass:%caroot_passwd% -out key/cakey.pem 2048

28 REM create the root CA Creating the root ca certificate (mycacert.pem) %OPENSSL% req -new -key key/cakey.pem -x509 -days out certs\mycacert.pem -config./openssl.conf -passin pass:%caroot_passwd% REM import the certificate into the System-wide Importing the certificate into the System-wide keystore (cacerts) %KEYTOOL% -import -keystore certs/cacerts -trustcacerts -alias servicemanager -file certs/mycacert.pem -storepass %CACERT_PASSWD% copy certs\cacerts %JAVA_HOME%\lib\security goto end :dontrun echo!!!!!!!!!!! Dont run this unless you want to overwrite your CA authority echo!!!!!!!!!! Use the following syntax if you really want to create new CA echo certceateca NEW pause :end

29 Contents of certcreatesrvcert.bat SM SSL Certificates Creator (server component) This batch file facilitates the creation of the SSL certificates that are needed to setup SSL encryption for Service Manager 7.0x. Run this batch file only once to create the certificates for the Service Manager server off Openssl settings This batch file uses the openssl.conf file as input for the the openssl program. All _default values can be set according to your organisation. Only one openssl.conf is needed set OPENSSL=openssl Java Settings set the JAVA_HOME variable to the installation path of the JRE you want to use set JAVA_HOME="C:\Program Files\Java\jre1.5.0_12" set KEYTOOL=%JAVA_HOME%\bin\keytool Password settings These are the default password settings used by the openssl and keytool programs. All passwords can be changed, EXCEPT the CACERT_PASSWD, as this is the default password that the SUN cacert from the JRE uses! set set CACERT_PASSWD=changeit set SERVER_KEYSTORE_PASSWD=serverkeystore set CLIENT_KEYSTORE_PASSWD=clientkeystore set TRUSTEDCLIENTS_KEYSTORE_PASSWD=trustedclients /q key /q certs /q crs key certs crs #copy %JAVA_HOME%\lib\security\cacerts %JAVA_HOME%\lib\security\cacerts.orig #copy %JAVA_HOME%\lib\security\cacerts certs\cacerts Server Key & Certficate generation REM generate private server key and Creating the Server keystore (server.keystore) %KEYTOOL% -genkey -alias smserver -keystore key/server.keystore -storepass %SERVER_KEYSTORE_PASSWD%