
BMC Atrium Single Sign-On 7.6.04 Administration Guide August 2011 www.bmc.com

Contacting BMC Software

You can access the BMC Software website at http://www.bmc.com. From this website, you can obtain information about the company, its products, corporate offices, special events, and career opportunities.

United States and Canada
Address: BMC SOFTWARE INC, 2101 CITYWEST BLVD, HOUSTON TX 77042-2827, USA
Telephone: 713 918 8800 or 800 841 2031
Fax: 713 918 8000

Outside United States and Canada
Telephone: (01) 713 918 8800
Fax: (01) 713 918 8000

If you have comments or suggestions about this documentation, contact Information Design and Development by email at doc_feedback@bmc.com.

Copyright 2006, 2007, 2009-2011 BMC Software, Inc.

BMC, BMC Software, and the BMC Software logo are the exclusive properties of BMC Software, Inc., are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other BMC trademarks, service marks, and logos may be registered or pending registration in the U.S. or in other countries. All other trademarks or registered trademarks are the property of their respective owners. Linux is the registered trademark of Linus Torvalds. UNIX is the registered trademark of The Open Group in the US and other countries. Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.

BMC Software considers information included in this documentation to be proprietary and confidential. Your use of this information is subject to the terms and conditions of the applicable End User License Agreement for the product and the proprietary and restricted rights notices included in this documentation.

Restricted rights legend

U.S. Government Restricted Rights to Computer Software. UNPUBLISHED -- RIGHTS RESERVED UNDER THE COPYRIGHT LAWS OF THE UNITED STATES. Use, duplication, or disclosure of any data and computer software by the U.S. Government is subject to restrictions, as applicable, set forth in FAR Section 52.227-14, DFARS 252.227-7013, DFARS 252.227-7014, DFARS 252.227-7015, and DFARS 252.227-7025, as amended from time to time. Contractor/Manufacturer is BMC Software, Inc., 2101 CityWest Blvd., Houston, TX 77042-2827, USA. Any contract notices should be sent to this address.

Customer Support

You can obtain technical support by using the Support page on the BMC Software website or by contacting Customer Support by telephone or email. To expedite your inquiry, please see Before Contacting BMC Software.

Support website

You can obtain technical support from BMC Software 24 hours a day, 7 days a week at http://www.bmc.com/support_home. From this website, you can:
• Read overviews about support services and programs that BMC Software offers.
• Find the most current information about BMC Software products.
• Search a database for problems similar to yours and possible solutions.
• Order or download product documentation.
• Report a problem or ask a question.
• Subscribe to receive email notices when new product versions are released.
• Find worldwide BMC Software support center locations and contact information, including email addresses, fax numbers, and telephone numbers.

Support by telephone or email

In the United States and Canada, if you need technical support and do not have access to the Web, call 800 537 1813 or send an email message to customer_support@bmc.com. (In the Subject line, enter SupID:<yourSupportContractID>, such as SupID:12345.) Outside the United States and Canada, contact your local support center for assistance.

Before contacting BMC Software

Have the following information available so that Customer Support can begin working on your issue immediately:
• Product information
  - Product name
  - Product version (release number)
  - License number and password (trial or permanent)
• Operating system and environment information
  - Machine type
  - Operating system type, version, and service pack
  - System hardware configuration
  - Serial numbers
  - Related software (database, application, and communication) including type, version, and service pack or maintenance level
• Sequence of events leading to the problem
• Commands and options that you used
• Messages received (and the time and date that you received them)
  - Product error messages
  - Messages from the operating system, such as file system full
  - Messages from related software

License key and password information

If you have a question about your license key or password, contact Customer Support through one of the following methods:
• E-mail customer_support@bmc.com. (In the Subject line, enter SupID:<yourSupportContractID>, such as SupID:12345.)
• In the United States and Canada, call 800 537 1813.
• Outside the United States and Canada, contact your local support center for assistance.
• Submit a new issue at http://www.bmc.com/support_home.

Contents

Chapter 1  BMC Atrium Single Sign-On overview  11
  BMC Atrium SSO overview  12
  Log on and log off behavior  13
  BMC Atrium SSO and OpenSSO  14
    OpenSSO Administrator console access  14
    Atrium SSO user console access  15
  Realms  15
  Authentication  15
  JEE filter-based agents  16
  Certificates  18
    Generating a CSR  18
    Adding a new CA certificate  19
  Integrating with BMC Remedy AR System  19

Chapter 2  Installing and configuring BMC Atrium SSO  21
  Prerequisites  22
    Disk space requirements  22
    Log file memory requirements  22
  Configuring Terminal Services parameters  22
  Installing BMC Atrium SSO as a standalone  23
    Before you begin  23
    Default cookie domain  24
    Administrator password  25
    Where to go from here  25
  Installing BMC Atrium SSO on an external Tomcat server  25
  Configuring an external Tomcat instance for FIPS-140  27
  Installing and uninstalling in silent mode  28
    Installing in silent mode  28
    Uninstalling in silent mode  29
    Silent installation example  29
  Upgrading BMC Atrium SSO  29
  Stopping and restarting BMC Atrium SSO  30
    Stopping and restarting on Windows  30
    Stopping and restarting on UNIX or Linux  30
  Uninstalling BMC Atrium SSO  31
    Running the uninstaller on Windows  31
    Running the uninstaller on Solaris or Linux  31
    Uninstaller invocation error  32

Chapter 3  Using CA certificates  33
  Certificates overview  34
  Using the keytool utility  34
  Obtaining and importing CA certificates  35
    Generating CSRs in Windows  35
    Importing CA certificates in Windows  36
    Generating CSRs in UNIX  37
    Importing CA certificates in UNIX  37
  Adding another CA certificate  38
  Creating new keystores  38
    Locating the keystore and truststores  38
    Creating a keystore example  38

Chapter 4  Authentication chaining  41
  Authentication chaining overview  42
  Authentication chaining example  42

Chapter 5  Using LDAP for authentication  45
  Setting up LDAP to use for authentication  46
  Configuring the LDAP module  46
    LDAP configuration parameters  46
  Enabling LDAP authentication  49

Chapter 6  Using AR Server for authentication  51
  Setting up AR to use for authentication  52
  Configuring the AR module  52
    AR configuration parameters  52
  Enabling AR authentication  53
  Enabling the AR data store  54
    Accessing the AR data store configuration page  54
    Configuring the AR data store  55
    New data store configuration example  56
  Troubleshooting AR System module  56
    User has no profile in this organization  57
    Error saving user or group edits  57

Chapter 7  Using Active Directory for authentication  59
  Setting up Active Directory for authentication  60
  Configuring the Active Directory module  60
    Active Directory configuration information  60
  Enabling Active Directory authentication  63

Chapter 8  Using RSA SecurID for authentication  65
  Setting up SecurID to use for authentication  66
  Specifying the sdconf.rec location  66
    Configuring to rely on an RSA SecurID server  66
    Reconfiguring the SecurID module  67
  Enabling RSA SecurID authentication  67
  Modifying the rsa_api.properties file  68

Chapter 9  Using CAC for authentication  71
  CAC configuration overview  72
  Modifying the Tomcat server  72
  Importing DoD CA certificates  73
  Validating CAC certificates  74
    Using OCSP responder to validate certificates  74
    Using CRL to validate certificates  75
  Specifying CAC users  76
    Allowing any user access with a valid CAC card  76
    Allowing a subset of users access through the internal data store  76
    Allowing a subset of user access through an external LDAP server  77
  Enabling CAC Chain  78
  Troubleshooting CAC authentication  78
    URL certificate authentication not enabled  79
    OCSP verify failed  79

Chapter 10  Using an external LDAP data store  81
  External LDAP server overview  82
  Creating a new data store  82
  Modifying an existing data store  85
  Troubleshooting an external LDAP data store  85
    No users in User tab  86
    No groups in Group tab  86

Chapter 11  Configuring FIPS-140 mode  87
  FIPS-140 overview  88
  Prerequisites for converting to FIPS-140 mode  88
  Before converting to FIPS-140 mode  89
  Converting to FIPS-140 mode  89
    Installing unlimited strength policy files  89
    Installing the cryptography library  90
    Enabling FIPS-140 mode  92
    Monitoring FIPS-140 mode conversion  93
    Reconfiguring integrated products  93
    Troubleshooting FIPS-140 conversion  93
  Converting back to normal mode  94
    Enabling normal mode  94
    Restoring the original encryption files and non-fips-140 library  95
    Reconfiguring integrated products  95
    Monitoring normal mode conversion  95
  Changing the FIPS-140 network ciphers  96
    Modifying the server.xml file  96
    Multiple ciphers example  96
    Single cipher example  97

Chapter 12  Logging  99
  Logging overview  100
  Support utility  100
    Support utility location  100
    Running the support utility  100
  Log file locations  101
    Log directory  101
    Debug directory  102
  Managing BMC Atrium SSO logging  102
    Modifying logging attributes  102
    Adjusting logging levels  103
    Logging with RSA SecurID  103
  Using JEE agents for logging  103
    Adjusting logging levels  104
    Agent audit logging  104
    Log file rotation  105
  Manually removing JEE agents  106
    Removing JEE agents from BMC Atrium SSO  106
    Removing JEE agents from WebSphere  107
    Removing JEE agents from Tomcat  107
    Removing JEE agents from JBoss or WebLogic  108
  Using Java agents  108

Chapter 13  Managing users and groups  109
  Managing users  110
    Adding users  110
    Searching for users  111
    Deleting users  111
    Modifying user accounts  111
    Viewing user sessions  113
    Terminating user sessions  113
  Managing groups  114
    Predefined groups  114
    Creating groups  114
    Deleting groups  114
    Adding users to groups  115
    Removing users from groups  115

Chapter 14  Other Administrator Tasks  117
  Configuring session parameters  118
  Cleaning up BMC product agents  118
    Deleting agent accounts  119
  Managing authentication modules  119
    Creating Modules  119
    Editing modules  120
    Deleting modules  120
  Managing authentication chains  120
    Creating chains  121
    Editing chains  121
    Deleting chains  121
    Adding modules to chains  122
    Deleting modules from chains  123
    Editing a module instance in a chain  123
    Reordering modules in chains  123

Appendix A  Policy file additions for external Tomcat installations  125
  Adding to the policy file  126

Appendix B  Error messages  129
  Error Messages  130

Chapter 1  BMC Atrium Single Sign-On overview

The following topics are provided:
• BMC Atrium SSO overview (page 12)
• Log on and log off behavior (page 13)
• BMC Atrium SSO and OpenSSO (page 14)
• Realms (page 15)
• Authentication (page 15)
• JEE filter-based agents (page 16)
• Certificates (page 18)
• Integrating with BMC Remedy AR System (page 19)

BMC Atrium SSO overview

BMC Atrium Single Sign-On (BMC Atrium SSO) is an authentication system that supports many authentication protocols and provides single sign-on and single sign-off for users of BMC products. BMC Atrium SSO allows users to present credentials only once for authentication and subsequently be automatically authenticated by every BMC product that is integrated into the system. Not only does BMC Atrium SSO support authentication with traditional systems such as LDAP or Active Directory, it also supports integration into existing SSO systems. BMC Atrium SSO is the central integration point that performs integration with the local enterprise systems.

BMC Atrium SSO can be configured:
• As a standalone system
• To rely upon an existing enterprise system, such as an LDAP server

In addition to functioning as the central server, BMC Atrium SSO uses agents which are integrated into each of the BMC products. These agents perform the following functions:
• Accessing authentication services
• Coordinating with the server to authenticate users
• Validating existing authentications

Figure 1-1: BMC Atrium SSO integration with BMC products

When initially installed, BMC Atrium SSO is configured for immediate use. This default configuration uses the internal data store as an authentication source. This configuration is suitable for demonstrations, proof-of-concept deployments, testing, and other small deployment scenarios. However, for a large-scale system, you should configure the use of an external user repository for authentication, such as an LDAP server.

To help with the configuration of BMC Atrium SSO, predefined authentication chains are provided using LDAP, RSA SecurID, and other methods. These predefined authentication chains allow you to:
• Configure an authentication module specifically for your deployment environment.
• Quickly configure your system.
• Create more complex chains by modifying the predefined chains.

In addition, new chains can be created if a complex authentication chain is needed. To use authentication chains, see the Authentication Configuration section.

Log on and log off behavior

When using an SSO system, the normal authentication behavior is altered. The practice of logging on when you start a product is automatically performed when the second product is started. This change happens without any user involvement. When you log off, you are logged off of all BMC Atrium SSO-integrated products. If you want to continue working with other BMC products:
• Quit the product instead of logging out of BMC Atrium SSO.
• If the product supports application-only log off, log off the application and close the browser.

IMPORTANT: When quitting a product, the normal behavior is to log off and then quit. This process results in termination of all the product connections. If you want to continue working with other BMC products, quit the product that you are finished with, and log off only from the last product.

With web applications, the BMC Atrium SSO authentication status is maintained through sessions within the web browsers. When web applications share the same browser session, the authentication state with BMC Atrium SSO is shared by these applications.

To use a different login ID without logging off BMC Atrium SSO, you must start a new session in the web browser. The following table summarizes how to share current sessions and how to create new sessions with the browsers supported by BMC Atrium SSO.

Table 1-1: Session behavior in supported browsers

Firefox 3
  Share session: New tab, Ctrl-N for new window, or launch from Start menu or shortcut
  New session: Use Private Browsing
Internet Explorer 6
  Share session: Ctrl-N to create a new window
  New session: Launch new browser using Start menu or shortcut
Internet Explorer 7
  Share session: New tab or Ctrl-N to create a new window
  New session: Launch new browser using Start menu or shortcut
Internet Explorer 8
  Share session: New tab, Ctrl-N to create a new window, or launch new browser from Start menu or shortcut
  New session: Use New Session in File menu

When BMC products launch a new application, the applications use the process needed to ensure a shared session and a seamless experience.

BMC Atrium SSO and OpenSSO

BMC Atrium SSO is built on the open source project OpenSSO. This project has a long history of providing authentication and authorization across many different platforms by using many authentication techniques. The OpenSSO platform is built using a pluggable architecture which allows the system to expand as new authentication technologies evolve. The goal of BMC Atrium SSO is to provide a simplified, turnkey system that applies OpenSSO technology to BMC products. Configuration of the servers and agents is automated as much as possible, allowing for easy adoption.

OpenSSO Administrator console access

The OpenSSO Administrator console is accessed through this URL:

https://host:port/atriumsso?service=adminconsoleservice

• In this syntax, host is the FQDN of the server host.
• In this syntax, port is the HTTPS port selected during server installation (default is 8443).
• The default administrator name is AmAdmin.
• The password is one that you supplied during installation.

When BMC Atrium SSO is installed on a Microsoft Windows platform, a shortcut is created in the Start menu which can be used to access the Administrator console.

Atrium SSO user console access

The user console is accessed through the following URL:

https://host:port/atriumsso?realm=bmcrealm

This URL can be used to verify the authentication module configuration. You do not need to rely on an installed and configured BMC application to initiate login in order to test the configuration of authentication modules.

Realms

The BMC Atrium SSO system makes use of the following realms within OpenSSO:
• The Top Level Realm is the root realm that is used for administrative purposes. Specifically, the root realm is used during BMC product integration for remote Administrator access and as a repository for the J2EE agent configurations. To maintain this function, the root realm authentication must use an authentication scheme involving user name and password, such as the internal LDAP server.
• The BmcRealm is used by BMC products for user authentication. As such, this realm does not have the constraints that the root realm does, and can be modified to use any authentication scheme needed.

Authentication

BMC Atrium SSO uses a subset of the technologies within the OpenSSO project that are required by BMC products. The current technologies of OpenSSO that are certified by BMC Atrium SSO include:
• Authentication chaining
• Authentication schemes
  - Internal
  - LDAP
  - BMC Remedy Action Request (AR) System
  - Active Directory
  - RSA SecurID
  - Common Access Cards (CAC), ActivIdentity-based
• Groups

IMPORTANT: BMC Atrium SSO certifies a subset of platforms and technologies supported by OpenSSO 8.0. BMC Atrium SSO is certified on the configurations explicitly stated in this document. Reported defects either found to be unique to an unconfirmed configuration or not reproducible within a supported environment are addressed at the discretion of BMC. Visit the Customization Policy under the Support Contacts & Policies link on the BMC support website.

JEE filter-based agents

In this release of BMC Atrium SSO, a new JEE filter-based agent replaces the OpenSSO J2EE agent from BMC Atrium SSO 1.0. You can continue to manage these newer agents by using the J2EE Administrator console.

With this release of BMC Atrium SSO, a new, lighter-weight agent is available for use by BMC applications. This new agent uses OpenSSO J2EE agent configuration features for its configuration. This section describes how configuration items apply to this newer agent. When using the JEE filter-based agent, some of the OpenSSO J2EE agent configurations are not used or do not apply.

The following table lists the functions that are enabled for the JEE filter-based agent.

Table 1-2: Administrator console functions with JEE

Tab: Global
All functions are enabled except:
- Profile: Location of Agent Configuration Repository; Configuration Reload Interval; Agent Root URL for CDSSO
- General: Agent Filter Mode (always SSO only)
- User Mapping: User Mapping Mode (always uses USER_ID)
- Audit: Audit Log Location (always LOCAL); Remote Log File Name

Tab: Application
- Logout Processing: Application Logout Handler is unused
- All parameters are used in: Not Enforced URI Processing; Not Enforced IP Processing; Profile Attributes Processing; Response Attributes Processing; Common Attributes Fetching Processing; Privilege Attributes Processing
- No parameters are used in: Login Processing; Access Denied URI Processing; Custom Authentication Processing

Tab: SSO
All parameters are used except: Cross Domain SSO

Tab: OpenSSO Services
- All parameters are used in: Login URL; Authentication Service
- No parameters are used in: Policy Client Service; Session Client Service

Tab: Miscellaneous
- No parameters are used in User Data Cache Service except: Enable Notification of User Data Cache; User Data Cache Polling Time
- All parameters are used in: Locale

Tab: Advanced
- No parameters are used in: Port Check Processing; Deprecated Agent Properties
- No parameters are used in the Advanced section.

Certificates

The default Tomcat server used by BMC Atrium SSO uses a keystore and a truststore for secure (HTTPS/TLS) communications. These files are stored in the following directory:

installationdirectory/BMC Software/AtriumSSO/tomcat/conf

The initial keystore created during installation holds a self-signed certificate. Because no trusted CA vouches for it, browsers and other clients warn users that the server's identity cannot be verified each time a user authenticates. The warning can be prevented in one of two ways:

- Permanently importing the self-signed certificate into the user's truststore.
- Obtaining and importing an identity certificate signed by a trusted Certificate Authority (CA). The CA vouches for the server's identity when the user visits BMC Atrium SSO to authenticate: the user already trusts the CA, and that trust extends to BMC Atrium SSO once the CA-signed identity certificate is imported.

Generating a CSR

A CA-signed certificate is obtained by generating a Certificate Signing Request (CSR) with the keytool utility, as described in Chapter 3, Using CA certificates.

The output from the command must be sent to the CA for a digital signature. After the signed identity certificate is returned, the next step is to import it into the keystore, where it replaces the current self-signed certificate.

NOTE
The keytool utility is used to generate the CSR and to import the signed certificate in place of the self-signed certificate. This tool ships with Oracle JDKs and with BMC Atrium SSO.

Adding a new CA certificate

Adding another CA certificate is necessary when CAC authentication is used, when the Department of Defense (DoD) issues new CA certificates, or when the CA certificate that signed the BMC Atrium SSO server certificate is not already in the truststore. The keytool utility is used to import a new CA certificate into the BMC Atrium SSO truststore.

Integrating with BMC Remedy AR System

The typical sequence for using BMC Atrium SSO with BMC Remedy AR System is to install BMC Atrium SSO, install BMC Remedy AR System, and then integrate the two. For information on integrating with BMC Remedy AR System, see the BMC Remedy AR System Installation Guide and Integration Guide.


Chapter 2 Installing and configuring BMC Atrium SSO

The following topics are provided:

- Prerequisites (page 22)
- Configuring Terminal Services parameters (page 22)
- Installing BMC Atrium SSO as a standalone (page 23)
- Installing BMC Atrium SSO on an external Tomcat server (page 25)
- Configuring an external Tomcat instance for FIPS-140 (page 27)
- Installing and uninstalling in silent mode (page 28)
- Upgrading BMC Atrium SSO (page 29)
- Stopping and restarting BMC Atrium SSO (page 30)
- Uninstalling BMC Atrium SSO (page 31)

Prerequisites

Before installing BMC Atrium SSO, make sure you have met the following prerequisites:

- Do not deploy BMC Atrium SSO on an NFS-mounted file system.
- If the runtime user of the BMC Atrium SSO web container instance is a non-root user, that user must be able to write to its own home directory.
- (Windows) You must have administrator privileges.
- (UNIX) You can be any user. However, root privileges are required to set up auto-startup of the services.

Disk space requirements

This section describes the storage space required for the installation and for log files. Before installing BMC Atrium SSO, you must have at least the following available disk space:

- (Windows) 650 MB
- (Linux) 750 MB
- (Solaris) 850 MB

Log file space requirements

An additional 7-10 GB of space is recommended for log file growth, depending on the number of users and the products integrating with the BMC Atrium SSO server. To manage log file storage space effectively, perform the following tasks:

- Delete the debug log files periodically, especially if the debug level is set to message.
- Check the .access and .error log files periodically in the logs directory.
- Consider configuring log rotation to delete the oldest log files.

Configuring Terminal Services parameters

If you plan to install BMC Atrium SSO by using Terminal Services, you must first configure Terminal Services so that the installer's temporary files survive the session.

To configure Terminal Services on Windows Server 2003

1 Navigate to the Terminal Services Configuration page.
2 In the Use temporary folders per session field, click No (disabled).

3 In the Delete temporary folders on exit field, click No (disabled).

To configure Terminal Services on Windows Server 2008 (64-bit)

1 In Group Policy Editor, select: Computer Configuration > Windows Components > Terminal Services > Terminal Server > Temporary folders
2 In the Do not delete temp folder upon exit field, click Enabled.
3 In the Do not use temporary folders per session field, click Enabled.

Installing BMC Atrium SSO as a standalone

This section describes how to perform a BMC Atrium SSO standalone installation. In this installation, a Tomcat server and JVM are installed and configured for use by the BMC Atrium SSO server. This is the simplest installation method, because the installation program performs all of the administrative and configuration work.

Before you begin

- Obtain the zipped BMC Atrium SSO files from the BMC product package via Electronic Product Download (EPD) or from the BMC Atrium SSO DVD.
- If BMC Atrium SSO is already installed on the target computer, the installer does not allow another installation. Uninstall the existing version first.

To install BMC Atrium SSO standalone

1 Run the installation program. The autorun program automatically detects the appropriate subscript to run. If the appropriate file is not launched, manually run the setup executable, located in the Disk1 directory of the extracted files:
  (Windows) Run setup.cmd.
  (UNIX) Run setup.sh, which automatically detects the appropriate subscript to execute.
2 Accept the default destination directory or browse to select a different directory, and click Next.
3 Verify that the hostname presented is the Fully Qualified Domain Name (FQDN) of the host, correct the value as needed, and click Next.
4 Verify that Install New Tomcat is selected and click Next.
The Tomcat server options are:

- Install New Tomcat (default)
- Use External Tomcat. See Installing BMC Atrium SSO on an external Tomcat server to install with this option.

NOTE
The BMC Atrium SSO Tomcat server cannot be shared with any product that integrates with BMC Atrium SSO. BMC recommends that BMC Atrium SSO be the only application in the Tomcat server.

5 Accept the default Tomcat HTTP port number, HTTPS port number, and Shutdown port number, or enter different port numbers, and click Next. If any port number is invalid, a panel identifies it and requires you to return to the previous page and correct the value before the installation proceeds.

NOTE
On Linux servers, selecting a privileged port (below 1024) requires the server to run as root or the use of a port forwarding mechanism. Running the web container as root widens the impact of any compromise of it; forwarding the privileged port to an unprivileged one is the safer choice.

6 Enter a cookie domain and click Next. The domain value of the cookie should be the network domain of BMC Atrium SSO or one of its parent domains. See Default cookie domain on page 24 for more information.

IMPORTANT
The higher the level of the selected parent domain, the higher the risk of user impersonation, because every host in that domain receives the session cookie. Top-level domains are not supported (for example, "com" or "com.ca").

7 Enter a strong administrator password, confirm the password, and click Next. The default administrator name is amadmin. See Administrator password on page 25 for more information.
8 Review the installation summary and click Install.
9 Verify that your BMC Atrium SSO installation was successful by accessing the BMC Atrium SSO URL:
  a Launch the Administrator console.
  b Confirm that you can view the OpenSSO login panel.

Default cookie domain

The default cookie domain value is the network domain of the computer on which you are installing the server. This default is the most restrictive setting: the value controls which servers within the domain can see the cookie. By removing domain elements (lowest sub-domain first), the cookie becomes visible to servers outside the BMC Atrium SSO domain.
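The following POSIX shell check is an added example, not part of the BMC guide, of enforcing the cookie-domain rule when a value is chosen: the domain must be the host's own domain or one of its parents (matched on a label boundary), must keep at least two labels, and must not be a public suffix such as com or com.ca. PUBLIC_SUFFIXES is a short constructed list for illustration rather than the full Public Suffix List, and the host names used in the demo are made up.

```shell
#!/bin/sh
# Added example (not from the BMC guide): validate a candidate cookie domain
# for an Atrium SSO host before entering it in the installer.
# PUBLIC_SUFFIXES is a constructed list for the example only; a production
# check would consult the full Public Suffix List.

PUBLIC_SUFFIXES="com net org edu gov com.ca co.uk com.au"

# is_public_suffix DOMAIN -> 0 when DOMAIN is in the constructed list
is_public_suffix() {
    for s in $PUBLIC_SUFFIXES; do
        if [ "$1" = "$s" ]; then return 0; fi
    done
    return 1
}

# label_count NAME -> number of dot-separated labels in NAME
label_count() {
    printf '%s\n' "$1" | awk -F. '{ print NF }'
}

# check_cookie_domain HOST_FQDN COOKIE_DOMAIN
# Prints "ok: ..." or "reject: ..." and returns 0 (accept) or 1 (reject).
check_cookie_domain() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    dom=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | sed 's/^\.//')   # drop a leading dot
    case $dom in
        ''|*..*|.*|*.) echo "reject: malformed domain"; return 1 ;;
    esac
    if [ "$(label_count "$dom")" -lt 2 ]; then
        echo "reject: top-level domains are not supported"; return 1
    fi
    if is_public_suffix "$dom"; then
        echo "reject: $dom is a public suffix; every site under it could read the cookie"; return 1
    fi
    # The host's own domain is everything after its first label.
    hostdom=${host#*.}
    if [ "$hostdom" = "$dom" ]; then
        echo "ok: most restrictive setting"; return 0
    fi
    # A parent domain must match on a label boundary: "c.com" must not match "abc.com".
    case $hostdom in
        *."$dom") echo "ok: parent domain, wider visibility"; return 0 ;;
    esac
    echo "reject: $dom is neither the host's domain nor a parent of it"
    return 1
}

# Demo with a constructed host name.
for d in adprod.bmc.com bmc.com com com.ca evil.com c.com; do
    printf '%-16s -> ' "$d"
    check_cookie_domain sso.adprod.bmc.com "$d" || :
done
```

The two accepted answers correspond to the installer's own guidance: the host's domain is the default, and each parent you step up to enlarges the set of servers that receive the session cookie.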

For example, changing the domain adprod.bmc.com to bmc.com gives every server in the bmc.com domain access to the cookies that the BMC Atrium SSO server stores in a user's browser. The danger of widening cookie visibility is clearest when the value is changed to com: every server on the internet under com could then read the cookie, and any of them could replay it to impersonate the user.

Administrator password

The administrator password is used to access BMC Atrium SSO through a browser. This access allows user accounts to be created and other authentication methods to be enabled. The administrator password is also used when integrating application servers that have deployed the BMC Atrium SSO Web agent with BMC Atrium SSO, so it must be protected accordingly.

Where to go from here

- To secure certificates with an external CA, see Using CA certificates on page 33.
- To configure authentication, such as LDAP or Active Directory, see Using LDAP for authentication on page 45 or Using Active Directory for authentication on page 59.
- To create users, see Managing users and groups on page 109.

Installing BMC Atrium SSO on an external Tomcat server

This section explains how to install BMC Atrium SSO on an external Tomcat server. This option lets the BMC Atrium SSO server run on versions of Tomcat and the Java VM that differ from those provided by the standalone installation. It offers greater flexibility in choosing the Tomcat and JVM, at the cost of administering the Tomcat server and JVM yourself and of selecting compatible versions. Because of these added responsibilities, BMC recommends this option only when the default selections are not sufficient.

Before installation

- Make sure you have performed the tasks in Prerequisites on page 22.
- Verify that no other product or application is installed on your Tomcat server.

NOTE
The BMC Atrium SSO Tomcat server cannot be shared with any product that integrates with BMC Atrium SSO. BMC recommends that BMC Atrium SSO be the only application in the Tomcat server.

- If you plan to enable FIPS, perform the tasks in Configuring an external Tomcat instance for FIPS-140 on page 27.

To install BMC Atrium SSO on an external Tomcat server

1 If autorun does not automatically launch the appropriate file, launch the setup executable, located in the Disk1 directory of the extracted files:
  (Windows) Run setup.cmd.
  (UNIX) Run setup.sh, which automatically detects the appropriate subscript to execute.
2 Accept the default destination directory or browse to select a different directory, and click Next.
3 Verify that the hostname presented is the Fully Qualified Domain Name (FQDN) of the host, correct the value as needed, and click Next.
4 Click Use External Tomcat. The Tomcat server options are:
  - Install New Tomcat (default)
  - Use External Tomcat
5 At the prompt, enter the Tomcat directory (or use the browse button to specify it) and click Next.
6 At the Tomcat Application Server Selection panel, enter the path to the Tomcat server. After you click Next, the installer verifies that:
  - The directory has a webapps directory that can be written to.
  - The main program, tomcat6.exe, is present (even on UNIX).
  - The server.xml file contains a Connector with port and secure defined and with scheme set to https. The installer parses the important values from this Connector entry and stores them.
  As the installer deploys the BMC Atrium SSO web application to the Tomcat server, it asks you to start or stop the server when necessary.
7 (Windows) You are asked whether your external Tomcat server is started by using scripts or as a Windows service. If the Tomcat server is started as a Windows service, enter the name of that service.
8 Enter additional information at the prompts. Be prepared with the following information:
  - JDK directory location
  - Tomcat HTTPS server port
  - Tomcat truststore certificate location and password

  - Tomcat keystore password, alias, and certificate
  - Tomcat cookie domain
  - Tomcat administrator name and password
9 Stop the Tomcat server.
10 During installation, follow the installer directions to restart the Tomcat server.
11 Verify that your BMC Atrium SSO installation was successful:
  a Launch the Administrator console.
  b Confirm that you can view the OpenSSO login panel.

The Tomcat server can now be used as the BMC Atrium SSO application server. If you modify the server configuration, test each change to ensure that the BMC Atrium SSO application still functions correctly.

Configuring an external Tomcat instance for FIPS-140

The Federal Information Processing Standard FIPS-140 specifies requirements for cryptographic modules used in computer systems by non-military government agencies and government contractors, for example for data encoding and encryption. See Configuring FIPS-140 mode (page 87) for more information.

If you plan to enable FIPS-140 and are installing to an external Tomcat server, perform these steps:

1 Configure the Tomcat server for auto-deployment of .war files.
2 Use the same keystore for both the non-FIPS and FIPS versions of your server.xml file.
3 Perform the following modifications to create non-FIPS and FIPS versions of these files:

server.xml

  a Duplicate the original file to create a FIPS version (named server.xml.fips).
  b In the FIPS version of the file, use the ciphers attribute of the HTTPS Connector to restrict the cipher suites (substituting your own values), for example:

  ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"

  Note that the RC4 and MD5 suites in this list were never FIPS-approved algorithms and are now considered broken, and 3DES has since been deprecated; on a current deployment keep only the AES-based suites.
  c Add the following XML comment to tag the file as FIPS-140: <!-- FIPS140 -->
  d Also duplicate the server.xml file to the conf folder as the non-FIPS version (named server.xml.nofips).

java.security

  e Duplicate the original file, creating java.security.nofips and java.security.fips versions.
  f In both versions, make sure that the JsafeJCE provider is the first one in the security providers list, with the remaining providers renumbered after it. For example, the following list places the JsafeJCE provider at the top of the list with a key suffix of 1, and the providers after JsafeJCE are renumbered to follow it. In the FIPS version, the com.rsa.cryptoj.jce.kat.strategy and com.rsa.cryptoj.jce.fips140initialmode properties are placed after the security providers list; use the exact values shown:

security.provider.1=com.rsa.jsafe.provider.JsafeJCE
security.provider.2=sun.security.provider.Sun
security.provider.3=sun.security.rsa.SunRsaSign
security.provider.10=sun.security.mscapi.SunMSCAPI
com.rsa.cryptoj.jce.kat.strategy=on.load
com.rsa.cryptoj.jce.fips140initialmode=FIPS140_SSL_MODE

Installing and uninstalling in silent mode

The installer and uninstaller can be run from a script as well as from the GUI. This functionality is accessed by running the setup program from the command line with certain parameters. This section provides examples for installing and uninstalling BMC Atrium SSO in silent mode with the setup script. The general command line syntax is:

{setup.sh | setup.cmd} -i silent -DOPTIONS_FILE=<file>

Installing in silent mode

To install in silent mode

1 Open a command line window.
2 Navigate to the C:\SSO\AtriumSSO directory.
3 Create the SSOSilentInstallOptions.txt file with your environment-specific parameters. For the file format, see Silent installation example (page 29).
4 Run the setup command by using the following syntax:
   setup.cmd -i silent -DOPTIONS_FILE=SSOSilentInstallOptions.txt
5 Verify that your BMC Atrium SSO installation was successful:

  a Launch the Administrator console.
  b Confirm that you can view the OpenSSO login panel.

Uninstalling in silent mode

To uninstall in silent mode

1 Open a command-line window.
2 Run UninstallAtriumSSO.exe by using the following syntax:
   C:\SSO\AtriumSSO\UninstallAtriumSSO.exe -i silent -DOPTIONS_FILE=SSOSilentUninstallOptions.txt
   where SSOSilentUninstallOptions.txt contains:
   -silent -U productatriumsso -U featureatriumsso

Silent installation example

The following example invokes a silent installation in which the administrator password is admin123:

setup.cmd -i silent -DOPTIONS_FILE=SSOSilentInstallOptions.txt

The SSOSilentInstallOptions.txt file contains:

-P installlocation=C:\SSO\AtriumSSO
-A featureatriumsso
-J ATRIUMSSO_TOMCAT_SHUTDOWN_PORT=8005
-J ATRIUMSSO_TOMCAT_HTTP_PORT=8080
-J ATRIUMSSO_INSTALL_TOMCAT=true
-J ATRIUMSSO_TOMCAT_HTTPS_PORT=8443
-J ATRIUMSSO_SERVER_PASSWORD=DES\:3996ba109b2b3f035fb4200116c2339a78ecec52023308de
-J ATRIUMSSO_SERVER_PASSWORD_2=DES\:3996ba109b2b3f035fb4200116c2339a78ecec52023308de
-J ATRIUMSSO_COOKIE_DOMAIN=bmc.com
-J ATRIUMSSO_HOST_NAME=atrium-sso-vm4.bmc.com

The password values are the installer's encoded form of admin123 rather than the cleartext, but anyone who can read the file can reuse them to install with that password. Treat the options file as a secret: restrict its permissions and delete it after the installation.

Upgrading BMC Atrium SSO

You can upgrade a previous installation of BMC Atrium SSO by using the installer provided with BMC Atrium SSO.

NOTE
BMC recommends that you back up BMC Atrium SSO before proceeding with an upgrade.

The procedure for upgrading BMC Atrium SSO is the same for Windows and UNIX.

To upgrade BMC Atrium SSO

1 On the target computer, start the BMC Atrium SSO installation utility.
2 When prompted, choose to upgrade BMC Atrium SSO and agree to the license agreement.
3 When the upgrade is complete, review the summary information.
4 To view the upgrade logs, click View Log.
5 To close the dialog, click Done.

Stopping and restarting BMC Atrium SSO

This section describes how to stop and restart BMC Atrium SSO on Windows and UNIX.

Stopping and restarting on Windows

To stop and restart BMC Atrium SSO on Windows

1 On the application server host, open the Control Panel and go to Administrative Tools > Component Services.
2 Expand the Services folder.
3 Select BMC Atrium SSO.
4 Click Stop.
5 To restart BMC Atrium SSO, click Start.

Stopping and restarting on UNIX or Linux

To stop and restart BMC Atrium SSO on UNIX or Linux

Ensure that the BMC Atrium SSO Java processes have stopped before restarting BMC Atrium SSO. Stop and start the services as follows:

1 Navigate to the installationdirectory/AtriumSSO/bin directory.
2 To shut down the services, type the following command:
   shutdown-servers.sh

3 To start the services, type the following command:
   startup-servers.sh

Uninstalling BMC Atrium SSO

The uninstaller is installed along with BMC Atrium SSO. Running the uninstaller removes BMC Atrium SSO from the system.

Running the uninstaller on Windows

To uninstall BMC Atrium SSO from a Windows platform, use the Add or Remove Programs control panel.

To run the uninstaller program

1 From the control panel, select Add or Remove Programs.
2 Select BMC Atrium Single Sign-On in the list.
3 Click Change or Remove Programs once it is displayed. This launches the uninstaller program.

NOTE
Because of varying Windows system dependencies, a reboot might be required to completely uninstall BMC Atrium SSO.

Running the uninstaller on Solaris or Linux

On Oracle Solaris or Linux, the uninstaller must be launched from within a graphical environment, for example from the console or through an X Window server.

To run the uninstaller program

1 Change the working directory to the installation directory. The default directory is:
   $ cd /opt/sso
2 Run the UninstallAtriumSSO script:
   $ ./UninstallAtriumSSO
   If the GUI environment is set up properly, the uninstaller program launches and walks you through the steps to remove BMC Atrium SSO.

IMPORTANT
Be sure to select the BMC Atrium SSO component; otherwise the uninstaller will remove the server.

3 Manually delete the BMC Atrium SSO log file artifacts. These log files are left in the file system regardless of whether you reboot.

Uninstaller invocation error

If the GUI environment is not set up correctly (for example, DISPLAY is unset or points to an X server you cannot reach), an invocation error similar to the following occurs when you run the uninstaller:

Invocation of this Java Application has caused an InvocationTargetException. This application will now exit. (LAX)
Stack Trace:
java.awt.HeadlessException: No X11 DISPLAY variable was set, but this program performed an operation which requires it.
  at java.awt.GraphicsEnvironment.checkHeadless(Unknown Source)
  at java.awt.Window.<init>(Unknown Source)
  at java.awt.Frame.<init>(Unknown Source)
  at java.awt.Frame.<init>(Unknown Source)
  at javax.swing.JFrame.<init>(Unknown Source)
  at com.zerog.ia.installer.LifeCycleManager.g(DashoA8113)
  at com.zerog.ia.installer.LifeCycleManager.h(DashoA8113)
  at com.zerog.ia.installer.LifeCycleManager.a(DashoA8113)
  at com.zerog.ia.installer.Main.main(DashoA8113)
  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
  at java.lang.reflect.Method.invoke(Unknown Source)
  at com.zerog.lax.LAX.launch(DashoA8113)
  at com.zerog.lax.LAX.main(DashoA8113)
This Application has Unexpectedly Quit: Invocation of this Java Application has caused an InvocationTargetException. This application will now exit. (LAX)

Set DISPLAY to a reachable X server (or connect with X forwarding enabled) and run the uninstaller again.

Chapter 3 Using CA certificates

The following topics are provided:

- Certificates overview (page 34)
- Using the keytool utility (page 34)
- Obtaining and importing CA certificates (page 35)
- Adding another CA certificate (page 38)
- Creating new keystores (page 38)

Certificates overview

The default Tomcat server used by BMC Atrium SSO uses a keystore and a truststore for secure (HTTPS/TLS) communications. These files are stored in the following directory:

installdir/BMC Software/AtriumSSO/tomcat/conf

The initial keystore created during installation holds a self-signed certificate. Because the certificate is not signed by a CA, browsers and other clients warn users that the server's identity cannot be verified each time a user authenticates. The warning can be prevented in one of two ways:

- Permanently importing the self-signed certificate into the user's truststore.
- Obtaining and importing an identity certificate signed by a trusted Certificate Authority (CA). The CA vouches for the server's identity when the user visits BMC Atrium SSO to authenticate: the user already trusts the CA, and that trust extends to BMC Atrium SSO once the CA-signed identity certificate is imported.

Using the keytool utility

The keytool utility is used to obtain a CA-signed identity certificate to replace the self-signed certificate. The utility ships with Oracle JDKs and with BMC Atrium SSO, and it must be available in the shell command environment to generate a CSR or to import a CA-signed certificate.

To verify that the keytool utility is available

1 Open a shell command window.
2 At the command prompt, type keytool and press Enter. If the utility is available, a help message listing the keytool options is displayed.

NOTE
The keytool utility from Oracle JDK 1.5 or 1.6 can also be used.

The following part of the help output is relevant to generating the CSR:

-certreq [-v] [-protected] [-alias <alias>] [-sigalg <sigalg>]
  [-file <csr_file>] [-keypass <keypass>]

  [-keystore <keystore>] [-storepass <storepass>] [-storetype <storetype>]
  [-providername <name>] [-providerclass <provider_class_name> [-providerarg <arg>]]...
  [-providerpath <pathlist>]

3 If the tool is available, proceed with the instructions for generating a CSR and importing signed certificates. If it is not available, add the following directory to the command shell PATH:

installationdirectory/BMC Software/AtriumSSO/jdk/bin

Obtaining and importing CA certificates

By default, BMC Atrium SSO is installed with a self-signed certificate. Although valid, this certificate causes warning messages when users access the server to authenticate, because it is not signed by a CA.

To obtain and import a CA-signed identity certificate

1 Generate a Certificate Signing Request (CSR) and send it to a CA. The CA signs the request with its own private key and returns a signed identity certificate that vouches for the server's identity.
2 Import the signed identity certificate into the BMC Atrium SSO Tomcat keystore (together with the CA's certificate, if the keystore does not already trust it).
3 Stop and restart the Tomcat server.
4 Update the truststores of all integrated applications with the new certificate.

NOTE
The new certificate does not take effect until the restart occurs.

Generating CSRs in Windows

To generate a Certificate Signing Request (CSR)

1 On the command line, change the working directory to:
   installationdirectory/BMC Software/AtriumSSO/tomcat/conf
2 From the conf directory, issue the following command:
   keytool -certreq -alias tomcat -keystore keystore.p12 -storepass internal4bmc -storetype PKCS12 -providername JsafeJCE

The password shown is the default for the BMC Atrium SSO Tomcat keystore. Because that default is published, change it on any production server (see Creating new keystores); the current password must then be supplied here, as it must whenever the keystore has been replaced with a locally generated file.

The command generates and displays the CSR in the shell window:

-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBmDCCAQECAQAwWDEZMBcGA1UECxMQQXRyaXVtU1NPIFNlcnZlcjEVMBMGA1UEChMMQk1DIFNv
ZnR3YXJlMSQwIgYDVQQDExtpQk1DLUpCSEJCSzEuYWRwcm9kLmJtYy5jb20wgZ8wDQYJKoZIhvcN
AQEBBQADgY0AMIGJAoGBAJABuagV7e12Yu3m0LmNWEmVE4HXrdaB+uOyZFyKLZxO2e+WX3r9vc9q
(remaining base64 lines of the request omitted)
-----END NEW CERTIFICATE REQUEST-----

The keytool output must be sent to the CA for a digital signature. After the signed identity certificate is returned, the next step is to import it into the keystore, where it replaces the current self-signed certificate.

NOTE
The Common Name (CN) of the certificate cannot be modified, because the CN must match the host name of the server. If the names do not match, the browser warns that the server is trying to impersonate another site.

Importing CA certificates in Windows

To import a CA certificate, use the keytool -importcert option:

-importcert [-v] [-noprompt] [-trustcacerts] [-protected]
  [-alias <alias>] [-file <cert_file>] [-keypass <keypass>]
  [-keystore <keystore>] [-storepass <storepass>] [-storetype <storetype>]
  [-providername <name>] [-providerclass <provider_class_name> [-providerarg <arg>]]...
  [-providerpath <pathlist>]

To execute the import

1 On the command line, change to:

   installationdirectory/BMC Software/AtriumSSO/tomcat/conf
2 Run the keytool utility with the following parameters:
   keytool -importcert -alias tomcat -storepass internal4bmc -file signed.cert -keystore keystore.p12 -storetype PKCS12 -providername JsafeJCE
   If the keystore password has been changed from the default created during installation, supply the current password instead of internal4bmc, and replace signed.cert with the actual name of the file returned by the CA.
3 After successfully importing the signed certificate into the keystore, restart the server.

NOTE
The new certificate does not take effect until the restart occurs.

Generating CSRs in UNIX

To obtain a CA-signed certificate for BMC Atrium SSO, you generate a CSR.

To generate a CSR

1 Run the following keytool command:
   keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore keystore.p12 -storetype PKCS12 -providername JsafeJCE
2 Send the certreq.csr file to the CA. Nothing is sent automatically; the CA returns a signed certificate that vouches for the server's identity.
3 Import the returned CA-signed certificate into the BMC Atrium SSO Tomcat keystore. This step is required to provide secure communications.

Importing CA certificates in UNIX

To import the certificate

1 Run the following keytool command:
   keytool -import -alias tomcat -keystore keystore.p12 -file cert.txt -storetype PKCS12 -providername JsafeJCE
2 To use the new CA-signed certificate, stop and restart the server.

Adding another CA certificate

Adding another CA certificate is necessary when CAC authentication is used, when the Department of Defense (DoD) issues new CA certificates, or when you use SSL with LDAP for authentication. By default, the BMC Atrium SSO truststore already contains the current CA certificates for CAC. The procedure for adding another CA certificate is the same as for importing a CA certificate, except that the target is the truststore (cacerts.p12, see Locating the keystore and truststores below) rather than the keystore.

IMPORTANT
Replacing the self-signed certificate on the BMC Atrium SSO server invalidates the certificate that users have already accepted. In addition, you must install the new certificate into the truststore of every integrated BMC application.

Creating new keystores

To create a new keystore

1 Create a new keystore, protecting it with a new password, as follows:
   keytool -genkey -alias tomcat -keyalg RSA -keystore tomcatinstallationdirectory/keystore
2 After the keystore has been created, update the server.xml file with the new keystore password. For details, see the Tomcat documentation at http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html (SSL and Tomcat).

Locating the keystore and truststores

With the default BMC Atrium SSO installation, the keystore and truststores are in the following locations:

- Keystore: <installdir>/tomcat/conf/keystore.p12
- Tomcat truststore: <installdir>/tomcat/conf/cacerts.p12
- JVM truststore: <installdir>/jvm/jre/lib/security/cacerts

Creating a keystore example

The following is an example of how to create a new keystore:

    C:\apache-tomcat-6.0.20>keytool -genkey -alias tomcat -keyalg RSA -keystore C:/apache-tomcat-6.0.20/keystore
    Enter keystore password:
    What is your first and last name?
      [Unknown]:  sample.bmc.com
    What is the name of your organizational unit?
      [Unknown]:  BMC Atrium SSO
    What is the name of your organization?
      [Unknown]:  BMC Software, Inc.
    What is the name of your City or Locality?
      [Unknown]:  Austin
    What is the name of your State or Province?
      [Unknown]:  TX
    What is the two-letter country code for this unit?
      [Unknown]:  US
    Is CN=sample.bmc.com, OU=BMC Atrium SSO, O="BMC Software, Inc.", L=Austin, ST=TX, C=US correct?
      [no]:  yes
    Enter key password for <tomcat>
            (RETURN if same as keystore password):


Chapter 4 Authentication chaining

The following topics are provided:

- Authentication chaining overview (page 42)
- Authentication chaining example (page 42)

Authentication chaining overview

An authentication chain is the object that BMC Atrium SSO uses to specify how authentication is performed. A chain can be a single authentication module or a combination of several authentication modules. Chaining lets different modules act as a single authority.

In its simplest form, an authentication chain consists of a single authentication module. A chain can also be a combination of several modules joined to validate the credentials that a user presents. For example, if two organizations merge to form a single organization, the authentication system of each organization can be used as a module within a single chain:

- Users provide credentials to a single authority.
- The chain can be configured to check each module in turn until the user is authenticated.
- Users perceive a merged authority even though several disparate systems are actually in use.

One of the best uses of chaining is to merge different authentication schemes so that they appear as a single scheme. For example, when two departments each have their own LDAP server, the two servers can be placed in a single chain and users appear to validate against a single authority.

Authentication chaining example

How the chain is processed to determine the overall authentication status is controlled by the criteria (control flag) specified for each module in the chain. The following figure illustrates authentication chaining in which authentication modules are tried in an ordered sequence.

Figure 4-1: Authentication chaining

The overall status is successful if all of the Required and Requisite modules pass before either the end of the chain or the first successful Sufficient module. When there are no Required or Requisite modules, at least one Sufficient or Optional module must authenticate the user. See Adding modules to chains on page 122.

For the example illustrated above, three LDAP servers combined into a single authority, the chain is processed as follows:

1 Check with LDAP A
  - Pass: stop processing and accept the user
  - Fail: proceed to the next module
2 Check with LDAP B
  - Pass: stop processing and accept the user
  - Fail: proceed to the next module
3 Check with LDAP C
  - Pass: stop processing and accept the user
  - Fail: stop processing and reject the user

This "pass and stop" behaviour is that of modules flagged Sufficient. The user's credentials are presented to the first LDAP server; if authentication succeeds, processing stops with the user authenticated. If the user is not found in the first LDAP server, the credentials are passed to the second. Each server is checked in the configured sequence until either the user passes and is considered authenticated, or the last server also fails and the user is rejected. Flagging the same three modules Required instead would demand a successful authentication against all three directories, which a user who exists in only one department's directory can never satisfy.
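The control-flag rules above, worked through in code. This is an added illustration, not part of the BMC guide or product: it assumes the standard JAAS control-flag semantics (Required, Requisite, Sufficient, Optional) from which the flag names come, and the three directories, user names and the Denylist module are constructed for the demonstration.

```python
"""Authentication-chain evaluation with JAAS-style control flags.

Added example, not BMC code. Assumes standard JAAS semantics for the four
flags; the directories, users and the Denylist gate are constructed data.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = "Required", "Requisite", "Sufficient", "Optional"


@dataclass
class Module:
    name: str
    flag: str
    authenticate: Callable[[str, str], bool]   # True when the module accepts the credentials


def run_chain(chain: List[Module], user: str, password: str) -> Tuple[bool, List[Tuple[str, bool]]]:
    """Evaluate a chain; return (authenticated, trace of (module, result) for modules consulted)."""
    has_mandatory = any(m.flag in (REQUIRED, REQUISITE) for m in chain)
    mandatory_ok = True      # every Required/Requisite module seen so far has passed
    optional_passed = False  # some Optional module passed (only matters without mandatory modules)
    trace: List[Tuple[str, bool]] = []
    for m in chain:
        ok = m.authenticate(user, password)
        trace.append((m.name, ok))
        if m.flag in (REQUIRED, REQUISITE):
            if not ok:
                mandatory_ok = False
                if m.flag == REQUISITE:
                    break                  # Requisite failure ends the chain at once
        elif m.flag == SUFFICIENT:
            if ok:
                # First passing Sufficient stops the chain; the outcome is whether every
                # Required/Requisite module before it passed.  A failing Sufficient is
                # not itself a chain failure, so the loop simply continues.
                return mandatory_ok, trace
        elif ok:                           # OPTIONAL
            optional_passed = True
    if has_mandatory:
        return mandatory_ok, trace
    return optional_passed, trace


# Constructed stand-ins for three departmental directories (user -> password).
LDAP_A: Dict[str, str] = {"alice": "alice-pw"}
LDAP_B: Dict[str, str] = {"bob": "bob-pw"}
LDAP_C: Dict[str, str] = {"carol": "carol-pw"}


def ldap_module(name: str, directory: Dict[str, str], flag: str) -> Module:
    """Stand-in for an LDAP bind: succeeds only if the user exists and the password matches."""
    return Module(name, flag, lambda u, p: directory.get(u) == p)


def merged_directories_chain() -> List[Module]:
    """The figure's chain: three directories, each Sufficient, tried in order."""
    return [ldap_module("LDAP A", LDAP_A, SUFFICIENT),
            ldap_module("LDAP B", LDAP_B, SUFFICIENT),
            ldap_module("LDAP C", LDAP_C, SUFFICIENT)]


def all_required_chain() -> List[Module]:
    """Common misconfiguration: the same three directories, all flagged Required."""
    return [ldap_module("LDAP A", LDAP_A, REQUIRED),
            ldap_module("LDAP B", LDAP_B, REQUIRED),
            ldap_module("LDAP C", LDAP_C, REQUIRED)]


def guarded_chain() -> List[Module]:
    """A Requisite gate (hypothetical denylist) in front of the Sufficient directories."""
    blocked = {"mallory"}
    return [Module("Denylist", REQUISITE, lambda u, p: u not in blocked)] + merged_directories_chain()


if __name__ == "__main__":
    print("bob via merged chain:   ", run_chain(merged_directories_chain(), "bob", "bob-pw"))
    print("bob via all-Required:   ", run_chain(all_required_chain(), "bob", "bob-pw"))
    print("mallory via guarded:    ", run_chain(guarded_chain(), "mallory", "x"))
    print("carol via guarded:      ", run_chain(guarded_chain(), "carol", "carol-pw"))
```

The trace shows which directories actually saw the credentials: with Sufficient flags the chain stops at the first match, with Required flags every directory is consulted and nobody who exists in only one of them can log in, and a failing Requisite gate stops the chain before any directory is contacted.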


Chapter 5 Using LDAP for authentication

The following topics are provided:

- Setting up LDAP to use for authentication (page 46)
- Configuring the LDAP module (page 46)
- Enabling LDAP authentication (page 49)

Setting up LDAP to use for authentication

BMC Atrium SSO supports the use of external Lightweight Directory Access Protocol (LDAP) servers for authentication.

To set up LDAP to use for authentication

1 Configure the LDAP module.
2 If you enabled SSL Access to LDAP Server on the LDAP configuration page, import the LDAP servers' certificates and restart the Tomcat server before enabling LDAP authentication. See Using CA certificates for more information.
3 Enable LDAP authentication.

Configuring the LDAP module

The configuration and use of the LDAP module is described for a single BMC Atrium SSO server. By default, a single LDAP module is created and configured as part of the LDAP chain. The LDAP module must be configured for your enterprise environment.

To configure the LDAP module

1 Navigate to the Authentication tab: Access Control > BmcRealm link > Authentication
2 Click the Module Instances link.
3 Click the LDAP link.
4 Enter your LDAP configuration parameters and click Save.

LDAP configuration parameters

LDAP configuration parameters are entered on the LDAP Realm Attributes page. The LDAP page has the following options:

- Save to save your modifications
- Reset to discard your modifications and stay on the LDAP page
- Back to Authentication to return to the Authentication tab

Table 5-1: LDAP module parameters

Primary LDAP Server
(Required) Enter the Fully Qualified Domain Name (FQDN) of the primary LDAP server. If the LDAP server is not listening on the default port (389), suffix the host name with a colon (:) and the port number that the LDAP server is using:
    <host name value (FQDN)>:<port>
When SSL Access to LDAP Server is enabled, the directory normally listens on the LDAPS port (636) rather than 389, so the port suffix is usually required.

Secondary LDAP Server
The secondary LDAP server is used only when the primary server is not available. It is not used in parallel with the primary, and it is not consulted when a user simply fails to authenticate against the primary server. If the secondary server is not listening on the default LDAP port, suffix the host name with a colon (:) and the port that is being used:
    <host name value (FQDN)>:<port>
How long the server keeps using the secondary server before attempting to reconnect to the primary is configured with LDAP Server Check Interval.

DN to Start User Search
Enter the starting locations (DNs) within the LDAP directory for performing user searches. The search DNs should be as specific as possible for performance reasons. The depth of the search is configured with Search Scope; if an OBJECT search is specified, the DN must be that of the node containing the users.

DN for Root User Bind
(Required) The DN of the account that BMC Atrium SSO uses to connect to the LDAP server. This account must have privileges to perform searches on the primary and secondary LDAP servers. Because its password is stored in the SSO configuration, use a dedicated read-only service account with no more privilege than that, not a directory administrator. Enter the DN, the password, and the password confirmation.

Attributes Used to Retrieve User Profile
Attributes that are retrieved to populate the user profile.

Attributes Used to Search for a User to be Authenticated
(Required) The attributes that are matched against the login name to locate the DN of the user to be authenticated. The default attribute is uid; if your directory uses a different attribute (such as cn or mail), update this value to the environment-specific attribute. More than one attribute can be specified. For example, along with a unique user ID, the user's phone number or e-mail address could also be used, so that users can log in with their phone number or e-mail address instead of relying solely upon a user ID. Every attribute listed here must identify exactly one entry; a value shared by two entries makes the lookup ambiguous.

User Search Filter
Additional attribute-value pairs (an LDAP filter) that further restrict the user search for authentication. This field can be left blank (default).

Table 5-1: LDAP module parameters (continued)

Search Scope
(Required) The Search Scope determines how deep the LDAP directory is searched for users to authenticate. A search scope level must be selected:
- OBJECT searches only the nodes specified in the search list.
- ONELEVEL searches the specified nodes and one level below.
- SUBTREE searches the specified nodes and all sub-levels (default).

SSL Access to LDAP Server
Enable this field to use SSL to connect to the LDAP servers. Before communications can be established, the certificates for the LDAP servers (primary and secondary) must be loaded into the JVM truststore and the BMC Atrium SSO Tomcat truststore. If client authentication is required, the BMC Atrium SSO server's certificate might also need to be imported into the LDAP server's truststore. For the default truststore locations, see Locating the keystore and truststores (page 38). If CA-signed certificates are used for all servers, the root certificate and any intermediate signer certificates can be imported to complete the trust relationships instead of the individual server certificates.
Note: BMC recommends that the certificates be configured before enabling LDAP authentication. See Using CA certificates for more information.

Return User DN To DataStore
Enable this option only if the external LDAP server uses the same structure as the internal data store. This condition is atypical, so the option is normally not checked.

LDAP Server Check Interval
When the primary LDAP server is unavailable, authentication is switched to the secondary LDAP server. This interval specifies the delay, in minutes, before the primary server is re-checked for availability. The default is 15 minutes. If the value is too low, performance suffers because BMC Atrium SSO keeps attempting (and failing) to reconnect.

Table 5-1: LDAP module parameters (continued)

User Creation Attribute
User creation attributes allow attributes from the external LDAP servers to be provided as attributes of the internal data store. By defining the mappings, user account data (such as telephone numbers or e-mail addresses) can be provided to BMC products. Each mapping is written as the internal attribute, a vertical bar (|), and then the external attribute. The following internal attributes are available for mapping:
- Email: the user's e-mail address
- Phonenumber: the user's phone number
- Address: the user's mailing address
- Firstname: the user's first name
- Lastname: the user's last name
- Fullname: the user's full name, usually including middle initial

Authentication Level
BMC Atrium SSO does not employ authentication levels.
Note: Do not change the Authentication Level (the default is 0) for the LDAP module.

Enabling LDAP authentication

After the LDAP module is configured, specify that the LDAP module is to be used for authentication. This task involves selecting LDAP Chain as the organization's authentication configuration.

NOTE
Configure only the BmcRealm to use external LDAP servers.

IMPORTANT
If you enabled SSL Access to LDAP Server on the LDAP module configuration page, import the certificates and restart the Tomcat server. See Using CA certificates for more information.

To configure LDAP realm authentication

1 On the Authentication tab for the BmcRealm, click All Core Settings. A new page is displayed. At the top of this page is a series of radio buttons, which select how the user profile is handled when a user is authenticated.
2 In the User Profile field, click either Dynamic or Ignored. The available settings are:
  - Dynamic specifies that a local SSO user profile is created after a successful authentication, if it does not already exist.
  - Dynamic with User Alias specifies that a local SSO user profile and user alias are created for each successful authentication.
  - Ignored specifies that no local SSO user profile is created or required for authentication.
  - Required specifies that a local SSO user profile with the same user ID must already exist for authentication to succeed.
3 Click Save.
4 Click Back to Authentication.
5 On the BmcRealm Authentication page, select LDAP Chain from the Organization Authentication Configuration drop-down menu.
6 On the BmcRealm Authentication page, select LDAP Chain from the Administrator Authentication Configuration drop-down menu.
7 Click Save.

Chapter 6 Using AR Server for authentication

The following topics are provided:

- Setting up AR to use for authentication (page 52)
- Configuring the AR module (page 52)
- Enabling AR authentication (page 53)
- Enabling the AR data store (page 54)
- Troubleshooting AR System module (page 56)

Setting up AR to use for authentication

The Action Request (AR) authentication module allows BMC Atrium SSO to authenticate users against the user accounts held in a BMC Remedy AR System server. This module is normally used together with the AR data store, which retrieves group information and other user attributes from the AR System server.

To use AR for authentication

1 Configure the AR module.
2 Enable AR authentication.
3 Enable the AR data store.

Configuring the AR module

To configure the AR module

1 Navigate to the Authentication tab: Access Control > BmcRealm link > Authentication
2 Click the Module Instances link.
3 Click the AR link.
4 Enter the AR configuration information and click Save.

AR configuration parameters

AR configuration information is entered on the AR Server Realm Attributes page. The AR page has the following options:

- Save to save your modifications
- Reset to discard your modifications and stay on the AR page
- Back to Authentication to return to the Authentication tab

Table 6-1: AR module parameters

AR Server Host Name
(Required) Provide the Fully Qualified Domain Name (FQDN) of the host where the AR System server is located. The full host name includes the domain name of the computer and the individual name of the server; for example, with domain bmc.com and host sample, the FQDN is sample.bmc.com.

AR Server Port Number
(Required) The port on which the AR System server is listening.
Note: Enter a value of 0 if the AR System server is using port mapping.

Default Authentication String
This string is used only when the AR module is placed downstream in a chain from another authentication module that prompts the user for a name and password only. In that scenario, the AR module authenticates the user by reusing the credentials the user already provided together with this authentication string.

Allow AR Guests
If enabled, allows unknown or invalid users to authenticate as guests to the AR System server. Leave this disabled unless guest access is deliberately required, since it allows user names that the AR System server does not recognize to authenticate.

Authentication Level
(Required) Identifies the level of authentication provided by the AR module. In normal BMC Atrium SSO usage, this value is ignored and should be left at the default value 0.

Enabling AR authentication

After the AR module is configured, specify that the AR module is to be used for user authentication. This task involves selecting AR Chain as the organization's authentication configuration.

1 On the BmcRealm Authentication page, select AR Chain from the Organization Authentication Configuration drop-down menu.
2 On the BmcRealm Authentication page, select AR Chain from the Administrator Authentication Configuration drop-down menu.
3 Click Save.
4 On the BmcRealm Authentication tab, click All Core Settings. A new page is displayed. At the top of this page is a series of radio buttons, which select how the user profile is handled when a user is authenticated.
5 In the User Profile field, click either Dynamic or Ignored. The available settings are:
  - Dynamic specifies that a local SSO user profile is created after a successful authentication, if it does not already exist.
  - Dynamic with User Alias specifies that a local SSO user profile and user alias are created for each successful authentication.
  - Ignored specifies that no local SSO user profile is created or required for authentication.
  - Required specifies that a local SSO user profile with the same user ID must already exist for authentication to succeed.
6 Click Save.

Enabling the AR data store

The AR data store plug-in allows group information associated with AR System users to be retrieved and provided to BMC products. The data store is designed to be used with the AR authentication module because it supplies additional information for users authenticated against the AR System server.

NOTE
The AR data store provides read-only access to the AR System server.

The data store provides the following capabilities:
- Read-only access to the user information stored in the AR System server
- Display of user and group lists and memberships

The following capabilities are not provided:
- User management
- Assigning group information retrieved from the AR System server to users that exist in another data store (for example, the internal data store)
- Saving changes to information retrieved from the AR System server

Accessing the AR data store configuration page

To configure the AR data store, you need the server location and an administrator account. The AR data store information is entered on the Data Store configuration page.

To access the Data Stores page

1 Navigate to: Access Control > BmcRealm link > Data Stores tab

If a data store exists

1 Click the data store link to configure the data store.

2 Configure the AR data store.
3 Click Save.

If a data store does not exist

1 Click New.
2 In the Name field, enter a name for the new data store.
3 In the Type field, click AR Server as the data store type.
4 To configure the data store, click Next.
5 Click Finish.

Configuring the AR data store

The AR Data Store configuration page is used both for editing an existing data store's parameters and for creating a new AR data store. The page has the following options:

- Save to save your modifications
- Reset to discard your modifications and stay on the AR Data Store page
- Back to Data Stores to return to the Data Stores tab

After configuration is finished, the data store is immediately available to provide group information for users who authenticate with the AR authentication module.

Table 6-2: AR data store parameters

AR Server Host Name
(Required) Provide the Fully Qualified Domain Name (FQDN) of the AR System server host. The full host name includes the domain name of the machine along with the individual name of the server; for example, with domain bmc.com and host sample, the FQDN is sample.bmc.com.

AR Server Port Number
(Required) Provide the port number on which the AR System server is listening. Enter a value of 0 if the AR System server is using port mapping.

Administrator Name
(Required) Provide the user name of an AR System account that has administrator privileges, the password for that account, and the password confirmation.
Note: Empty or blank passwords for the AR administrator are not supported; however, a single space character can be used. For example, the default AR administrator account is Demo with no password. For production use, create a dedicated administrator account with a strong password rather than relying on the Demo account; this password is stored in the SSO configuration.

Authentication
Provide the authentication string that is needed when the Administrator account connects to the AR System server.

Pool Size
(Required) The maximum number of connections the data store uses to service data requests to the AR System server.

Table 6-2: AR data store parameters (continued)

Linger Time
(Required) The amount of time (in milliseconds) that a connection is allowed to remain unused in the pool before being closed.

AR Server Plug-in
(Required) The class that implements this plug-in. It must not be changed.
Note: Do not change the AR Server Plug-in parameter.

New data store configuration example

Figure 6-1: New Data Store configuration example

Troubleshooting AR System module

This section contains information on troubleshooting your AR System authentication module.

The following are common errors associated with the AR System authentication module:

- User has no profile in this organization
- Error saving user or group edits

User has no profile in this organization

If the User Profile setting for the BmcRealm is set to Required instead of Dynamic or Ignored, the following error message appears when logging in to a BMC product:

    User has no profile in this organization

To modify the User Profile setting, see Enabling AR authentication.

Error saving user or group edits

An exception occurs when you try to update user attributes or assign groups to users with information that was retrieved from the AR System server; the error indicates that a search base entry does not exist. The AR data store provides read-only access to user and group information, so such edits cannot be saved.


Chapter 7 Using Active Directory for authentication

The following topics are provided:

- Setting up Active Directory for authentication (page 60)
- Configuring the Active Directory module (page 60)
- Enabling Active Directory authentication (page 63)

Setting up Active Directory for authentication

BMC Atrium SSO supports the use of external Active Directory (AD) servers for authentication.

To set up Active Directory to use for authentication

1 Configure the Active Directory module.
2 If you enabled SSL Access to Active Directory Server on the Active Directory configuration page, import the domain controllers' certificates and restart the Tomcat server before enabling Active Directory authentication. See Using CA certificates for more information.
3 Enable Active Directory authentication.

Configuring the Active Directory module

The configuration and use of the Active Directory module is described for a single BMC Atrium SSO server. By default, a single Active Directory module is created and configured as part of the Active Directory chain. The Active Directory module must be configured for your enterprise environment.

To configure the Active Directory module

1 Navigate to the Authentication tab: Access Control > BmcRealm link > Authentication tab
2 Click the Module Instances link.
3 Click the ActiveDirectory link.
4 Enter the Active Directory configuration information and click Save.

Active Directory configuration information

Active Directory configuration information is entered on the Active Directory Realm Attributes page. The Active Directory page has the following options:

- Save to save your modifications
- Reset to discard your modifications and stay on the Active Directory page
- Back to Authentication to return to the Authentication tab

Table 7-1: Active Directory module parameters

Primary Active Directory Server
(Required) Enter the Fully Qualified Domain Name (FQDN) of the primary Active Directory server. If the server is not listening on the default LDAP port (389), suffix the host name with a colon (:) and the port number that the server is using:
    <host name value (FQDN)>:<port>
When SSL Access to Active Directory Server is enabled, the domain controller normally listens on the LDAPS port (636) rather than 389, so the port suffix is usually required.

Secondary Active Directory Server
The secondary Active Directory server is used only when the primary server is not available. It is not used in parallel with the primary, and it is not consulted when a user simply fails to authenticate against the primary server. If the secondary server is not listening on the default port, suffix the host name with a colon (:) and the port that is being used:
    <host name value (FQDN)>:<port>
How long the server keeps using the secondary server before attempting to reconnect to the primary is configured with Active Directory Server Check Interval.

DN to Start User Search
Enter the starting locations (DNs) within the directory for performing user searches. The search DNs should be as specific as possible for performance reasons. The depth of the search is configured with Search Scope; if an OBJECT search is specified, the DN must be that of the node containing the users.

DN for Root User Bind
(Required) The DN of the account that BMC Atrium SSO uses to connect to the Active Directory server. This account must have privileges to perform searches on the primary and secondary servers. Because its password is stored in the SSO configuration, use a dedicated read-only service account with no more privilege than that, not a domain administrator. Enter the DN, the password, and the password confirmation.

Attributes Used to Retrieve User Profile
Attributes that are retrieved to populate the user profile.

Attributes Used to Search for a User to be Authenticated
(Required) The attributes that are matched against the login name to locate the DN of the user to be authenticated. The default attribute is uid; Active Directory normally holds the logon name in sAMAccountName (or userPrincipalName), so update this value to the attribute your domain uses. More than one attribute can be specified. For example, along with a unique user ID, the user's phone number or e-mail address could also be used, so that users can log in with their phone number or e-mail address instead of relying solely upon a user ID. Every attribute listed here must identify exactly one entry; a value shared by two entries makes the lookup ambiguous.

User Search Filter
Additional attribute-value pairs (an LDAP filter) that further restrict the user search for authentication. This field can be left blank (default).
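How the "Attributes Used to Search for a User to be Authenticated" and "User Search Filter" parameters (Table 5-1 for LDAP and Table 7-1 for Active Directory) combine into the search that locates the user's DN, and why the login name must be escaped before it is placed in that filter. This is an added example, not BMC code, and does not describe how the product builds its filters internally; the attribute names, filter strings and directory results are constructed, and the escaping follows RFC 4515.

```python
"""LDAP user-lookup filter construction with RFC 4515 escaping.

Added example, not BMC code. Attribute names, filters and the search
results below are constructed for illustration.
"""
from typing import Iterable, List, Tuple

# Characters that alter filter structure if left unescaped (RFC 4515 section 3).
_SPECIAL = {"\\", "*", "(", ")", "\x00"}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515 so the directory matches it literally."""
    out: List[str] = []
    for ch in value:
        if ch in _SPECIAL:
            out.append("\\%02x" % ord(ch))
        elif ord(ch) > 0x7F:
            # Non-ASCII is escaped byte by byte as UTF-8.
            out.extend("\\%02x" % b for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


def naive_filter(login: str, search_attributes: Iterable[str]) -> str:
    """The vulnerable form, for comparison only: login pasted straight into the filter."""
    terms = "".join("(%s=%s)" % (attr, login) for attr in search_attributes)
    return "(|%s)" % terms


def build_user_search_filter(login: str, search_attributes: Iterable[str],
                             user_search_filter: str = "") -> str:
    """Build the filter that locates the DN of the user who is logging in.

    login              untrusted value typed at the login page
    search_attributes  the configured lookup attributes, e.g. ["uid", "mail"]
    user_search_filter the administrator's extra filter, e.g. "(objectClass=person)",
                       trusted configuration rather than user input
    """
    attrs = list(search_attributes)
    if not attrs:
        raise ValueError("at least one search attribute is required")
    if not login:
        raise ValueError("empty login name")
    safe = escape_filter_value(login)
    terms = "".join("(%s=%s)" % (attr, safe) for attr in attrs)
    identity = terms if len(attrs) == 1 else "(|%s)" % terms
    if not user_search_filter:
        return identity
    if not (user_search_filter.startswith("(") and user_search_filter.endswith(")")):
        raise ValueError("User Search Filter must be a parenthesised LDAP filter")
    return "(&%s%s)" % (identity, user_search_filter)


def select_unique_dn(search_results: List[Tuple[str, dict]]) -> str:
    """Return the single DN a lookup produced; refuse empty or ambiguous results.

    With several lookup attributes configured (uid, mail, telephoneNumber ...), a
    value shared by two entries must not silently authenticate one of them.
    """
    if len(search_results) != 1:
        raise LookupError("expected exactly one matching entry, got %d" % len(search_results))
    return search_results[0][0]


if __name__ == "__main__":
    print(build_user_search_filter("bob@example.com", ["uid", "mail"], "(objectClass=person)"))
    print("unsafe:", naive_filter("*", ["uid"]), " safe:", build_user_search_filter("*", ["uid"]))
    # Constructed results: two entries sharing one mail value.
    two_entries = [("uid=bob,ou=people,dc=example,dc=com", {"mail": "shared@example.com"}),
                   ("uid=eve,ou=people,dc=example,dc=com", {"mail": "shared@example.com"})]
    try:
        select_unique_dn(two_entries)
    except LookupError as exc:
        print("ambiguous lookup rejected:", exc)
```

The naive form turns a login of `*` into `(uid=*)`, a wildcard that matches every entry, and a login such as `bob)(|(uid=*` rewrites the filter's structure; after escaping, both are matched as literal strings and the search simply returns nothing. The uniqueness check guards the other failure mode the table mentions: when phone numbers or e-mail addresses are accepted as login names, two entries sharing a value must be rejected rather than resolved to whichever the directory returned first.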

Table 7-1: Active Directory module parameters (continued)

Search Scope
(Required) The Search Scope determines how deep the directory is searched for users to authenticate. A search scope level must be selected:
- OBJECT searches only the nodes specified in the search list.
- ONELEVEL searches the specified nodes and one level below.
- SUBTREE searches the specified nodes and all sub-levels (default).

SSL Access to Active Directory Server
Enable this field to use SSL to connect to the Active Directory servers. Before communications can be established, the certificates for the Active Directory servers (primary and secondary) must be loaded into the JVM truststore and the BMC Atrium SSO Tomcat truststore. If client authentication is required, the BMC Atrium SSO server's certificate might also need to be imported into the Active Directory server's truststore. For the default truststore locations, see Locating the keystore and truststores (page 38). If CA-signed certificates are used for all servers, the root certificate and any intermediate signer certificates can be imported to complete the trust relationships instead of the individual server certificates.
Note: BMC recommends that the certificates be configured before enabling Active Directory authentication. See Using CA certificates for more information.

Return User DN To DataStore
Enable this option only if the external Active Directory server uses the same structure as the internal data store. This condition is atypical, so the option is normally not checked.

Active Directory Server Check Interval
When the primary Active Directory server is unavailable, authentication is switched to the secondary server. This interval specifies the delay, in minutes, before the primary server is re-checked for availability. The default is 15 minutes. If the value is too low, performance suffers because BMC Atrium SSO keeps attempting (and failing) to reconnect.

Table 7-1: Active Directory module parameters (continued)

User Creation Attribute
User creation attributes allow attributes from the external Active Directory servers to be provided as attributes of the internal data store. By defining the mappings, user account data (such as telephone numbers or e-mail addresses) can be provided to BMC products. Each mapping is written as the internal attribute, a vertical bar (|), and then the external attribute. The following internal attributes are available for mapping:
- Email: the user's e-mail address
- Phonenumber: the user's phone number
- Address: the user's mailing address
- Firstname: the user's first name
- Lastname: the user's last name
- Fullname: the user's full name, usually including middle initial

Authentication Level
BMC Atrium SSO does not employ authentication levels.
Note: Do not change the Authentication Level (the default is 0) for the Active Directory module.

Enabling Active Directory authentication

After the Active Directory module is configured, specify that the Active Directory module is to be used for authentication. This task involves selecting ActiveDirectory Chain as the organization's authentication configuration.

NOTE
Configure only the BmcRealm to use external Active Directory servers.

IMPORTANT
If you enabled SSL Access to Active Directory Server on the Active Directory configuration page, import the certificates and restart the Tomcat server. See Using CA certificates for more information.

To configure Active Directory realm authentication

1 On the BmcRealm Authentication tab, click All Core Settings. A new page is displayed. At the top of this page is a series of radio buttons, which select how the user profile is handled when a user is authenticated.
2 In the User Profile field, click either Dynamic or Ignored. The available settings are:
  - Dynamic specifies that a local SSO user profile is created after a successful authentication, if it does not already exist.
  - Dynamic with User Alias specifies that a local SSO user profile and user alias are created for each successful authentication.
  - Ignored specifies that no local SSO user profile is created or required for authentication.
  - Required specifies that a local SSO user profile with the same user ID must already exist for authentication to succeed.
3 Click Save.
4 Click Back to Authentication.
5 On the BmcRealm Authentication page, select ActiveDirectory Chain from the Organization Authentication Configuration drop-down menu.
6 On the BmcRealm Authentication page, select ActiveDirectory Chain from the Administrator Authentication Configuration drop-down menu.
7 Click Save.

Chapter 8 Using RSA SecurID for authentication

The following topics are provided:
- Setting up SecurID to use for authentication (page 66)
- Specifying the sdconf.rec location (page 66)
- Enabling RSA SecurID authentication (page 67)
- Modifying the rsa_api.properties file (page 68)

Setting up SecurID to use for authentication

RSA SecurID provides a two-factor authentication scheme for user authentication. This approach uses a password that has a very short life span, typically one minute. By combining a passcode with a hardware-generated token value, users are authenticated with this short-span password. This method of authentication narrows the opportunity for exploitation by anyone who manages to eavesdrop on the TLS confidential communications.

NOTE: After authentication, the combination passcode + token is no longer valid.

To use SecurID Chain for user authentication, the module must first be configured with information about the RSA Access Manager server. After being configured, SecurID Chain is enabled for authentication use.

To use SecurID for authentication

1 Specify the location of the sdconf.rec file.
2 Configure the SecurID module.
3 Enable SecurID authentication.

Specifying the sdconf.rec location

There are two methods to specify the location of the sdconf.rec file, which is used to configure the SecurID module:
- Configure BMC Atrium SSO to rely on an RSA SecurID server for user authentication.
- Reconfigure the SecurID module to load the sdconf.rec file from another location.

Configuring to rely on an RSA SecurID server

To configure BMC Atrium SSO to rely on an RSA SecurID server for user authentication

1 Copy the sdconf.rec file retrieved from the RSA SecurID server into the BMC Atrium SSO server at the following location:
installationdirectory/BMC Software/BMC Atrium SSO/tomcat/webapps/BMC Atrium SSO/WEB-INF/config/BMC Atrium SSO/auth/ace/data

Reconfiguring the SecurID module

To reconfigure the SecurID module to load the sdconf.rec file from another location

1 Copy the sdconf.rec file retrieved from the RSA SecurID server to the BMC Atrium SSO server at the following location:
installationdirectory/BMC Software/BMC Atrium SSO/tomcat/webapps/BMC Atrium SSO/WEB-INF/config/BMC Atrium SSO/auth/ace/data
2 Navigate to the following location: Access Control > BmcRealm link > Authentication
3 Click the Module Instances link.
4 Click the SecurID link. The SecurID Realm Attributes configuration page is displayed, where you can modify the module attributes.
5 In the ACE Server Configuration Path field, enter the full path for the new location of the sdconf.rec file. The configuration path specifies the location of the sdconf.rec file used to contact the RSA SecurID server.
6 (Optional) In the Authentication Level field, enter a new value (0 is the default). The authentication level can be used as an alternative mechanism of providing access (for more details regarding this feature, see the OpenSSO documentation).
7 Click Save.
8 (Optional) Edit the rsa_api.properties file for additional configuration. For more information, see Modifying the rsa_api.properties file.

Enabling RSA SecurID authentication

After the modifications are complete, all subsequent user authentications are performed against the RSA Access Manager server.

To configure SecurID authentication

1 Navigate to the Authentication tab: Access Control > BmcRealm link > Authentication tab
2 On the BmcRealm Authentication tab, click All Core Settings. A new page is displayed. At the top of this new page is a series of radio buttons, which are used to select how the user profile is handled when a user is authenticated.
3 In the User Profile field, click either Dynamic or Ignored.

- Dynamic specifies that a local SSO user profile is created after a successful authentication, if it does not already exist.
- Dynamic with User Alias specifies that a local SSO user profile and user alias is created for each successful authentication.
- Ignored specifies that no local SSO user profile is created or required for authentication.
- Required specifies that a local SSO user profile with the same user ID is required for authentication to be successful.
4 Click Save.
5 Click Back to Authentication.
6 On the BmcRealm Authentication tab, select SecurID Chain from the Organization Authentication Configuration drop-down menu.
7 Click Save.

Modifying the rsa_api.properties file

Additional configuration of the SecurID module communications with the RSA Access Manager is available by editing the rsa_api.properties file.

Table 8-1: SecurID authentication files and locations

RSA SecurID authentication file name: rsa_api.properties
Location: installationdirectory/BMC Software/BMC Atrium SSO/tomcat/webapps/BMC Atrium SSO/WEB-INF/config/BMC Atrium SSO/auth/ace/data. The above location is the default; however, the path is configurable on the SecurID authentication module configuration. installationdirectory is the base configuration directory specified during BMC Atrium SSO configuration.

RSA SecurID authentication file name: sdconf.rec
Location: Located in the same directory as rsa_api.properties (default), but is configurable through the rsa_api.properties file.

RSA SecurID authentication file name: Node Secret
Location: Located in the same directory as rsa_api.properties (default), but is configurable through the rsa_api.properties file.

RSA SecurID authentication file name: sdstatus.12
Location: Located in the same directory as rsa_api.properties (default), but is configurable through the rsa_api.properties file.

The properties of primary importance (and their default values) are:
- SDCONF_FILE (FILE)
- SDCONF_LOC: configurationdirectory/uri/auth/ace/data/sdconf.rec
- SDSTATUS_TYPE (FILE)
- SDSTATUS_LOC: configurationdirectory/uri/auth/ace/data/sdstatus
- SDNDSCRT_TYPE (FILE)
- SDNDSCRT_LOC: configurationdirectory/uri/auth/ace/data/secured
- RSA_LOG_FILE: configurationdirectory/uri/debug/rsa_api.log
- RSA_LOG_LEVEL (INFO; other values are OFF, DEBUG, WARN, ERROR, FATAL)
- RSA_DEBUG_FILE, used if RSA_ENABLE_DEBUG=YES: configurationdirectory/uri/debug/rsa_api_debug.log


Chapter 9 Using CAC for authentication

The following topics are provided:
- CAC configuration overview (page 72)
- Modifying the Tomcat server (page 72)
- Importing DoD CA certificates (page 73)
- Validating CAC certificates (page 74)
- Specifying CAC users (page 76)
- Enabling CAC Chain (page 78)
- Troubleshooting CAC authentication (page 78)

CAC configuration overview

The Common Access Card (CAC) support within BMC Atrium SSO leverages the Certificate module of OpenSSO. To simplify the user experience, many of the required steps to use the Certificate module have already been performed.

To use CAC for authentication

1 Modifying the Tomcat server
2 Importing DoD CA certificates
3 Validating CAC certificates
4 Specifying CAC users
5 Enabling CAC Chain

Beyond the scope of this document is acquiring CAC cards, the DoD CA certificates, and the installation and configuration of card readers and middleware software for these card readers. The administrator who is configuring BMC Atrium SSO for CAC authentication is assumed to be familiar with these topics. BMC Atrium SSO supports using CAC cards through the ActivClient software from ActivIdentity. See the ActivClient documentation for the configuration steps needed for clients to use CAC cards, card readers, and browser setup.

Modifying the Tomcat server

Before selecting the CAC Chain to use for authentication, the Tomcat server hosting the BMC Atrium SSO application must be configured to ask clients for certificates, and the Tomcat server's truststore must be set up with the root certificates for the CAC cards and the OCSP server.

To modify the Tomcat server for CAC Chain authentication

1 Stop the BMC Atrium SSO Tomcat server.
2 Edit the following file: installationdirectory/BMC Software/BMC Atrium SSO/tomcat/conf/server.xml
3 Search the file to find the Connector definition used to configure the server's HTTP and HTTPS communications. The tag is similar to the following:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
    maxThreads="150" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLS"
    keystoreFile="C:\Program Files\BMC Software\BMC Atrium SSO\tomcat/conf/keystore"
    keystorePass="internal4bmc"
    truststoreFile="C:\Program Files\BMC Software\BMC Atrium SSO\tomcat/conf/cacerts"
    truststorePass="changeit" />

4 Change the clientAuth attribute from false to want (clientAuth="want"). The clientAuth attribute enables Tomcat to ask for client certificates.

IMPORTANT: Do not set the clientAuth attribute to true because this setting breaks certain BMC Atrium SSO-to-Agent communications.

After the change, the Connector tag is similar to the following:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
    maxThreads="150" scheme="https" secure="true"
    clientAuth="want" sslProtocol="TLS"
    keystoreFile="C:\Program Files\BMC Software\BMC Atrium SSO\tomcat/conf/keystore.p12"
    keystorePass="internal4bmc"
    truststoreFile="C:\Program Files\BMC Software\BMC Atrium SSO\tomcat/conf/cacerts.p12"
    truststorePass="changeit" />

Importing DoD CA certificates

The DoD CA certificates appropriate for your CAC cards must be imported into the BMC Atrium SSO server's truststore before using CAC for authentication. Importing the certificates allows the server to send the appropriate query to the client to return the correct certificate. Refer to the documentation from the supplier of your CAC cards for the location where the current root certificates can be acquired. The server's truststore (named cacerts.p12) is located in installationdirectory/BMC Software/BMC Atrium SSO/tomcat/conf. The following instructions use the Oracle keytool utility to import the certificate, but another tool could also be used.

To import certificates

1 Add the bin directory to the PATH environment variable. When BMC Atrium SSO is installed with its own Tomcat server, a JDK is installed with the server. When using this JDK, the DoD certificate can be imported into the server's truststore by using the keytool command (keytool.exe on Windows), located within the JDK's bin directory. This bin directory needs to be added to the PATH environment variable if it is not already a part of that variable.
2 To add the location, run the following command:
UNIX: export PATH="<installationLocation>/BMC Software/BMC Atrium SSO/jdk/bin:$PATH"
Windows: set PATH=<installationLocation>\BMC Software\BMC Atrium SSO\jdk\bin;%PATH%
3 Copy the DoD CA certificate file into the following directory: installationdirectory/BMC Software/BMC Atrium SSO/tomcat/conf
4 Use the keytool utility to import the certificate into the truststore using the following parameters:
keytool -importcert -keystore cacerts -file DOD_CA19.cer -alias DOD_CA19 -storetype PKCS12 -providername JsafeJCE

NOTE: In this example, the certificate file name, DOD_CA19.cer, may not be appropriate for your use.

5 Enter the password (the default is changeit).
6 Accept the certificate at the prompt.
7 If SSL is used to communicate with an external LDAP server, import that server's certificate into the truststore.
- Use the keytool utility to import the LDAP server's certificate into the BMC Atrium SSO truststore.
- If the LDAP server requires a client certificate, export the BMC Atrium SSO certificate and import it into the LDAP server's truststore before enabling CAC Chain.
- If CA-signed certificates are used for LDAPS, import the CA-signed certificate and any intermediate signing certificates into the truststores instead.
8 Restart the Tomcat server.

Validating CAC certificates

CAC certificates can be validated by configuring BMC Atrium SSO to use either OCSP responder certificates or a Certificate Revocation List (CRL). BMC does not recommend using the CRL approach because of the performance load caused by the ever-increasing length of CRLs. These lists can grow to be very large, which affects the network and server when retrieving the data.

Using OCSP responder to validate certificates

Once the users' root certificates have been imported into the cacerts.p12 file, import the OCSP responder certificate.

To configure BMC Atrium SSO to use OCSP responder

1 Navigate to the Servers and Sites tab: Configuration > Servers and Sites
2 Click the server link.
3 Click the Security tab.
4 Click the Online Certificate Status Protocol Check link.
5 Verify that the alias for this certificate is DoDocspCertificate; otherwise, the nickname specified for the server configuration must be updated to the correct value. The alias (nickname) is used to store the OCSP responder certificate in the truststore.
6 Verify that the Responder URL field is correct for the installation site. If not, update the URL.

NOTE: If a responder URL is not specified, the value within the certificate is used.

Using CRL to validate certificates

Instead of relying upon OCSP (the recommended approach for validating CAC certificates), BMC Atrium SSO can be configured to use a Certificate Revocation List (CRL).

To configure BMC Atrium SSO to use CRL

1 Navigate to the Authentication tab: Access Control > BmcRealm link > Authentication tab
2 Click Module Instances.
3 Click CAC.
4 In the OCSP Validation field, deselect Enabled (if selected).
5 In the Issuer DN Attribute Used to Search LDAP for CRLs field, enter the DN.
6 In the HTTP Parameters for CRL Update field, enter the parameters.
7 In the Match CA Certificate to CRL field, click Enabled.
8 Click Save.

Contact the CA-signed certificate administrator for the following parameters and values:
- Issuer DN Attribute Used to Search LDAP for CRLs value. This value is used to access the server where the CRL is stored.
- HTTP Parameters for CRL Update parameters. These parameters are used to contact the servlet for the CRL.

Specifying CAC users

BMC Atrium SSO can be configured to allow any valid CAC card access, or it can be configured to allow only a known subset of users to authenticate. This section describes the following methods for specifying CAC users:
- Allowing any user access with a valid CAC card
- Allowing a subset of users access through the internal data store
- Allowing a subset of users access through an external LDAP server

Allowing any user access with a valid CAC card

To allow any user with a valid CAC card access

1 Navigate to the Authentication tab: Access Control > BmcRealm link > Authentication tab
2 Click All Core Settings.
3 Click Dynamic or Ignored.
4 Click Save.

Allowing a subset of users access through the internal data store

The set of known users that are allowed access can be specified by using the internal data store.

To allow access by using the internal data store

1 Verify that the User Profile is set as Required.
2 Create the users that need access in the internal data store.

To set the User Profile

1 Navigate to the Authentication tab: Access Control > BmcRealm link > Authentication tab
2 Click All Core Settings.
3 Click Required.
4 Click Save.

To create a new user in the internal data store

1 Navigate to the Subjects tab: Access Control > BmcRealm link > Subjects tab
2 Click New.
3 Enter the new user ID. The ID of the new user must match the Common Name (CN) of the owner of the CAC card.
4 Enter the user information.
5 Enter the default password into the Password and Password (confirm) fields. The password field must be specified, although with CAC authentication it is ignored.
6 In the User Status field, verify that Active is selected (default).
7 Click OK.

Allowing a subset of users access through an external LDAP server

The set of known users that are allowed access can be specified by using an external LDAP server where the users' certificates are stored. To configure BMC Atrium SSO to use an external LDAP server, follow the directions in this section.

To configure BMC Atrium SSO to use an external LDAP server

1 Navigate to the Authentication tab: Access Control > BmcRealm link > Authentication tab
2 Click Module Instances.
3 Click CAC.
4 In the Match Certificate in LDAP field, click Enabled.
5 In the Subject DN Attribute Used to Search LDAP for Certificates field, enter the attribute from the Subject DN of the certificate that is used to search the LDAP server for certificates. The default value is CN.
6 In the LDAP Server Where Certificates are Stored field, enter the LDAP server information. The host name must end with a colon (:) followed by the port number for the LDAP server.
7 In the LDAP Search Start DN field, enter the DN of the node. The DN of the node starts the search within the LDAP server. To connect with the LDAP server, the user must have sufficient privileges to perform the search.
8 In the LDAP Server Principal User field, enter the DN of the user with search privileges in the LDAP server.
9 In the LDAP Server Principal Password field, enter the password for this user, and repeat this password in the LDAP Server Principal Password (confirm) field to confirm the first entry.
10 If you plan to use SSL for communication with the LDAP server, in the Use SSL for LDAP Access field, click Enabled. If you are using SSL, the LDAP server certificate must be imported into the BMC Atrium SSO truststore so that SSL can connect with the LDAP server.
11 Click Save.

Enabling CAC Chain

After BMC Atrium SSO and the CAC module have been configured, CAC Chain must be selected for user authentication. Log on to the administrator console by using the administrator account and the password specified during the installation of BMC Atrium SSO.

To select the CAC Chain

1 Navigate to the Authentication tab: Access Control > BmcRealm link > Authentication tab
2 Click All Core Settings. A new page is displayed. At the top of this new page is a series of radio buttons. These buttons are used to select how the user profile is handled when a user is authenticated.
3 If using the internal data store for user selection, in the User Profile field, click either Dynamic or Ignored. If you are not using the internal data store for user selection, in the User Profile field, click Dynamic.
- Dynamic specifies that a local SSO user profile is created after a successful authentication, if the user profile does not already exist.
- Ignored specifies that no local SSO user profile is created or required for authentication.
4 Click Save.
5 Click Back to Authentication.
6 On the Authentication page, select CAC Chain from the Administration Authentication Configuration drop-down menu.
7 Click Save.

Troubleshooting CAC authentication

Use the information in this section to help correct issues that might arise associated with URL certificate authentication and OCSP verification failure.

URL certificate authentication not enabled

If the BMC Atrium SSO \WEB-INF\config\Atrium SSO\debug\Authentication directory contains the following error messages, then the CAC certificate was not passed in from the client. Ensure that the certificates, or the correct certificates, were imported into the cacerts file.

amAuthCert:11/18/2009 01:17:37:922 PM CST: Thread[http-8443-6,5,main]
ERROR: Certificate: cert passed in URL not enabled for this client
amAuthCert:11/18/2009 01:17:37:922 PM CST: Thread[http-8443-6,5,main]
ERROR: Certificate: exiting validate with exception
com.sun.identity.authentication.spi.AuthLoginException: URL certificate authentication not enabled.
    at com.sun.identity.authentication.modules.cert.Cert.process(Cert.java:383)
    at com.sun.identity.authentication.spi.AMLoginModule.wrapProcess(AMLoginModule.java:866)
    at com.sun.identity.authentication.spi.AMLoginModule.login(AMLoginModule.java:926)
    at sun.reflect.GeneratedMethodAccessor57.invoke(Unknown Source)
...

OCSP verify failed

If you receive the following errors, verify that you imported the OCSP certificates into the cacerts.p12 file:

amAuthCert:11/18/2009 02:45:58:004 PM CST: Thread[http-8443-3,5,main]
ERROR: CertPath:verify failed.
amAuthCert:11/18/2009 02:45:58:004 PM CST: Thread[http-8443-3,5,main]
ERROR: X509Certificate:CRL / OCSP verify failed.
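The following Python script is an added example (not part of the BMC guide or of OpenSSO) that combines the two checks a CAC rollout usually needs: it inspects the HTTPS Connector in server.xml for the clientAuth setting required under Modifying the Tomcat server, and it groups amAuthCert debug records to flag the two error signatures above with the remedy the guide gives for each. The server.xml fragment and the log lines are constructed samples, and the amAuthCert record prefix with one header line per record is an assumption about the debug file layout.

```python
"""Added example, not BMC's or OpenSSO's code: two offline checks for the
CAC Chain setup described in this chapter.  check_connector() inspects the
HTTPS Connector in server.xml for the clientAuth value required under
'Modifying the Tomcat server'; triage_debug_log() groups amAuthCert debug
records and maps the two error signatures above to the guide's remedies.
The XML fragment and the log lines are constructed samples."""
import re
import xml.etree.ElementTree as ET

# Constructed server.xml: a plain HTTP Connector plus the HTTPS Connector,
# here deliberately set to clientAuth="true" (the setting the guide warns against).
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" clientAuth="true"
               sslProtocol="TLS" keystoreFile="conf/keystore.p12"
               truststoreFile="conf/cacerts.p12" />
  </Service>
</Server>"""

# Constructed amAuthCert debug excerpt modelled on the messages quoted above,
# with one unrelated record in the middle to show that it is ignored.
SAMPLE_DEBUG_LOG = """amAuthCert:11/18/2009 01:17:37:922 PM CST: Thread[http-8443-6,5,main]
ERROR: Certificate: cert passed in URL not enabled for this client
amAuthCert:11/18/2009 01:17:37:922 PM CST: Thread[http-8443-6,5,main]
ERROR: Certificate: exiting validate with exception
com.sun.identity.authentication.spi.AuthLoginException: URL certificate authentication not enabled.
    at com.sun.identity.authentication.modules.cert.Cert.process(Cert.java:383)
amAuthCert:11/18/2009 01:20:03:100 PM CST: Thread[http-8443-2,5,main]
MESSAGE: Certificate: validate succeeded
amAuthCert:11/18/2009 02:45:58:004 PM CST: Thread[http-8443-3,5,main]
ERROR: CertPath:verify failed.
amAuthCert:11/18/2009 02:45:58:004 PM CST: Thread[http-8443-3,5,main]
ERROR: X509Certificate:CRL / OCSP verify failed.
"""

CLIENT_CERT_ADVICE = ("CAC certificate was not passed in from the client: confirm "
                      'clientAuth="want" and that the correct DoD CA certificates are in cacerts')
OCSP_ADVICE = ("OCSP verification failed: import the OCSP responder certificate into "
               "cacerts.p12 and check the alias and Responder URL under Servers and Sites")

# (substring to look for, category, remedy from the guide)
SIGNATURES = [
    ("URL certificate authentication not enabled", "client-cert-not-received", CLIENT_CERT_ADVICE),
    ("cert passed in URL not enabled for this client", "client-cert-not-received", CLIENT_CERT_ADVICE),
    ("CRL / OCSP verify failed", "ocsp-verify-failed", OCSP_ADVICE),
    ("CertPath:verify failed", "ocsp-verify-failed", OCSP_ADVICE),
]

# Assumed record header layout: "amAuthCert:<timestamp>: Thread[<thread>]"
HEADER_RE = re.compile(r"^amAuthCert:(?P<ts>.+?): Thread\[(?P<thread>[^\]]+)\]")


def check_connector(server_xml: str) -> list:
    """Return (port, status, advice) for every SSL-enabled Connector."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connectors never carry client certificates
        port = conn.get("port", "?")
        client_auth = conn.get("clientAuth", "false").lower()
        if client_auth == "want":
            findings.append((port, "ok", "Tomcat asks clients for a certificate"))
        elif client_auth == "true":
            findings.append((port, "fix", 'clientAuth="true" breaks SSO-to-Agent traffic; use "want"'))
        else:
            findings.append((port, "fix", 'clientAuth missing or "false"; the CAC is never requested'))
    return findings


def triage_debug_log(text: str) -> list:
    """Group lines into records (header plus continuation lines) and return
    (timestamp, thread, category, advice) for each record matching a signature."""
    records = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            records.append({"ts": m.group("ts"), "thread": m.group("thread"), "body": []})
        elif records:
            records[-1]["body"].append(line)
    findings = []
    for rec in records:
        body = "\n".join(rec["body"])
        for needle, category, advice in SIGNATURES:
            if needle in body:
                findings.append((rec["ts"], rec["thread"], category, advice))
                break
    return findings


if __name__ == "__main__":
    for port, status, advice in check_connector(SAMPLE_SERVER_XML):
        print(f"Connector {port}: {status}: {advice}")
    for ts, thread, category, advice in triage_debug_log(SAMPLE_DEBUG_LOG):
        print(f"{ts} {thread} {category}: {advice}")
```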


Chapter 10 Using an external LDAP data store

The following topics are provided:
- External LDAP server overview (page 82)
- Creating a new data store (page 82)
- Modifying an existing data store (page 85)
- Troubleshooting an external LDAP data store (page 85)

External LDAP server overview

This section describes the process and options available to a BMC Atrium SSO administrator when using an external LDAP server to provide group and attribute values for authenticated users. Users and groups cannot be managed from the BMC Atrium SSO server because the LDAP server access is read-only. Configuring an external data store is primarily needed when access to group membership information is required. The LDAP authentication module can be used to retrieve user attributes without configuring an external data store. For more information, see Using LDAP for authentication. An external LDAP server is used to augment the information available to BMC products. For more information about the configuration options available with the LDAP data store, see the OpenSSO documentation.

Creating a new data store

To use an external LDAP server as a data store, you either create a new data store or modify an existing data store to access the LDAP server.

To create a new data store

1 Navigate to the BmcRealm Data Stores tab: Access Control > BmcRealm link > Data Stores tab
2 Click New.
3 Enter the name for the new data store.
4 Click the type of data store that you want to create.
- Active Directory, Active Directory Application Mode (ADAM), Generic LDAPv3, and Sun DS are equivalent LDAP data store types.
- The main difference between the data stores is the initial default data supplied for the data store configuration.
- An AR Server data store is not an LDAP type. For information on creating and configuring an AR Server data store, see Using AR Server for authentication.
5 Click Next. After the data store is created, you are routed to the data store configuration page, where you can configure the attributes that the data store uses to access the LDAP server.
6 In the LDAP Server field, select the current value and click Remove.
7 Provide the LDAP server parameters. These parameters allow access to the LDAP server.
8 Modify or verify the LDAP user and group data attributes.

a In the LDAPv3 Plug-in Supported Types and Operations field, remove the existing entries and add the following entries:
- user=read
- group=read
b In the LDAP Users Search Filter field, verify that the search filter is applicable for the users within the LDAP server.
c If the default class specified is not used by user entries in the server, then searches will fail.
d In the LDAP Groups Container Value field, verify that the value is correct.
e In the LDAP User Attributes field, add or remove attributes as needed.
f Verify that the attributes reflect attributes that can be used with the user entries in the LDAP server. Note that the following internal attributes are also available for mapping:
- Email: The user's email address
- Phonenumber: The user's phone number
- Address: The user's mailing address
- Firstname: The first name of the user
- Lastname: The last name of the user
- Fullname: The full name of the user, usually including middle initial
g Remove attributes that are never used and those that are not needed for the mapping function.
9 Click Save.

LDAP server configuration parameters

Table 10-1: LDAP server configuration parameters

Parameter: LDAP Server
Description: LDAP Server specifies the host and port for the LDAP server. The initial value supplied is for the internal LDAP server and should not be re-used. If the server is listening on the default port, then the port value does not need to be supplied.

Parameter: LDAP Bind DN
Description: The LDAP Bind DN is the login name that is used to connect to the LDAP server.

Parameter: LDAP Bind Password
Description: The combination of the LDAP Bind DN and password sets up an account to connect with the LDAP server.

Parameter: LDAP Organization DN
Description: LDAP Organization DN is the root of the LDAP tree. This DN is used as the starting point to perform searches for users and groups.

Parameter: LDAP SSL
Description: If you are using SSL with LDAP, verify that:
- BMC Atrium SSO public certificates are imported into the LDAP server's truststore.
- The LDAP server's public certificate is imported into the BMC Atrium SSO server's truststore.
For more information, see Using CA certificates.

Parameter: LDAP Connection Pool Maximum Size
Description: The connection pool attributes adjust the performance of BMC Atrium SSO and the load on the LDAP server. Before modifying the default values, BMC recommends that you complete performance timings to determine appropriate values.

Parameter: LDAP Connection Pool Minimum Size
Description: The connection pool attributes adjust the performance of BMC Atrium SSO and the load on the LDAP server. Before modifying the default values, BMC recommends that you complete performance timings to determine appropriate values.

LDAP user attributes

Table 10-2: LDAP user data attributes

Attribute: Attribute Name of User Status
Description: Contains the attribute used for identifying the status of the account.

Attribute: User Status Active Value
Description: Identifies the value of the attribute when the account is active.

Attribute: User Status Inactive Value
Description: Identifies the value of the attribute when the account is inactive.

Attribute: LDAPv3 Plug-in Supported Types and Operations
Description: Identifies the type of access that the data store provides to BMC Atrium SSO. This data store provides read-only access to BMC Atrium SSO. The entries must reflect read-only.

Attribute: LDAP Users Search Attribute
Description: Specifies the attributes containing the user ID of the account that is being searched. Remove the attributes that are never used and attributes that are not needed for the mapping function.

Attribute: LDAP Users Search Filter
Description: Specifies the filter for user searches. If the specified default class is not used by user entries in the server, then searches fail.

Attribute: LDAP Groups Container Naming Attribute
Description: Defines the LDAP attribute used to distinguish the container holding the groups.

Attribute: LDAP Groups Container Value
Description: Specifies the value for the LDAP Groups Container Naming Attribute. If groups are not within a container (relative to the user), then both of these values should be blank.

Table 10-3: LDAP group data attributes

Attribute: LDAP Groups Search Attribute
Description: Contains the name of the attribute which holds the name of the group. This attribute value will be used in searches for user groups.

Attribute: LDAP Groups Search Filter
Description: Be sure to validate that the LDAP Groups Search Filter is correct for the LDAP server. If the class specified is not applicable, update the filter with the correct objectclass name.

Attribute: LDAP People Container Naming Attribute
Description: Defines the LDAP attribute used to distinguish the container holding the people.

Attribute: LDAP People Container Value
Description: Specifies the value for that LDAP attribute. If people are not within a container (relative to the group), then both of these values should be blank.

Attribute: LDAP Groups Attributes
Description: Contains only attributes available with the LDAP server. Remove attributes that will never be part of a group entry.

Attribute: Attribute Name for Group Membership; Attribute Name of Unique Member
Description: Attribute Name for Group Membership specifies the attribute of the user which identifies the group to which the user belongs. The value of this field is mapped to the value from the Attribute Name of Unique Member field to form the user-group membership relationship.

Modifying an existing data store

To edit an already existing data store for the BmcRealm

1 Navigate to the Data Stores tab: Access Control > BmcRealm link > Data Stores tab
2 Click the DSname link. In this case, DSname is the name of the data store that you want to modify. After the link is selected, the configuration page for the data store is displayed.
3 Click Save.

NOTE: The BMC Atrium SSO server does not need to be re-booted after altering the configuration. After the alterations are committed, the changes go into effect immediately.

Troubleshooting an external LDAP data store

Use the information in this section to help correct issues that might arise when configuring BMC Atrium SSO to use an external LDAP data store.

No users in User tab

If there are no users in the User tab:
1 Verify that the LDAP Users Search Filter field value is correct for the LDAP server. Specifically, the default filter must contain a class which is part of the LDAP structure.
2 If values were specified for the LDAP People Container Naming Attribute and LDAP People Container Value fields, remove those values (leave those fields blank).

No groups in Group tab

If there are no groups in the Group tab:
1 Check that the LDAP Groups Search Filter field value is correct (the class selected is used in the LDAP server).
2 Verify that the LDAP Groups Container Naming Attribute and LDAP Groups Container Value information are both correct. Alternatively, try blank values (no characters).
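As an added example (not BMC's or OpenSSO's code), the following Python model shows how the data store parameters in Tables 10-1 to 10-3, together with the Internal|external attribute mapping described for User Creation Attributes in Table 7-1 and in step 8f above, determine what the User and Group tabs show, and it reproduces both "No users in User tab" cases offline. The directory entries, DNs, attribute names and the simplified filter evaluator are constructed assumptions, not the real OpenSSO LDAPv3 plug-in.

```python
"""Added example, not BMC's or OpenSSO's code: an in-memory model of how the
external data store parameters (Tables 10-1 to 10-3) and the Internal|external
attribute mappings (Table 7-1, step 8f) decide what the User and Group tabs
show.  Directory entries, DNs and the simplified filter evaluator are
constructed assumptions, not the real OpenSSO LDAPv3 plug-in."""
import re

# Constructed directory: people under ou=People, groups under ou=Groups.
DIRECTORY = {
    "uid=alice,ou=People,dc=example,dc=com": {
        "objectclass": ["inetorgperson"], "uid": ["alice"], "mail": ["alice@example.com"],
        "telephonenumber": ["555-0101"], "givenname": ["Alice"], "sn": ["Adams"]},
    "uid=bob,ou=People,dc=example,dc=com": {
        "objectclass": ["inetorgperson"], "uid": ["bob"], "givenname": ["Bob"], "sn": ["Brown"]},
    "cn=admins,ou=Groups,dc=example,dc=com": {
        "objectclass": ["groupofuniquenames"], "cn": ["admins"],
        "uniquemember": ["uid=alice,ou=People,dc=example,dc=com"]},
}

# Values as they would be entered on the BmcRealm data store page.
DATA_STORE = {
    "LDAP Organization DN": "dc=example,dc=com",
    "LDAP People Container Naming Attribute": "ou",
    "LDAP People Container Value": "People",
    "LDAP Users Search Attribute": "uid",
    "LDAP Users Search Filter": "(objectclass=inetorgperson)",
    "LDAP Groups Container Naming Attribute": "ou",
    "LDAP Groups Container Value": "Groups",
    "LDAP Groups Search Attribute": "cn",
    "LDAP Groups Search Filter": "(objectclass=groupofuniquenames)",
    "Attribute Name of Unique Member": "uniquemember",
    # Internal|external, the form described for User Creation Attributes
    "LDAP User Attributes": ["Email|mail", "Phonenumber|telephonenumber",
                             "Firstname|givenname", "Lastname|sn"],
}

def search_base(cfg: dict, naming_key: str, value_key: str) -> str:
    """Container under the Organization DN, or the root when either field is blank."""
    attr, value = cfg.get(naming_key, ""), cfg.get(value_key, "")
    if not attr or not value:
        return cfg["LDAP Organization DN"]
    return f"{attr}={value},{cfg['LDAP Organization DN']}"

def in_subtree(dn: str, base: str) -> bool:
    return dn.lower() == base.lower() or dn.lower().endswith("," + base.lower())

def matches(entry: dict, ldap_filter: str) -> bool:
    """Simplified evaluator: equality terms joined by & (default) or |; enough
    for the objectclass filters the data store uses."""
    def term_ok(attr, value):
        values = [v.lower() for v in entry.get(attr.lower(), [])]
        return bool(values) if value == "*" else value.lower() in values
    results = [term_ok(a, v) for a, v in re.findall(r"\(([\w-]+)=([^()]+)\)", ldap_filter)]
    return any(results) if ldap_filter.lstrip().startswith("(|") else all(results)

def map_attributes(entry: dict, mappings: list) -> dict:
    """Apply 'Internal|external' mappings; an internal name with no source stays absent."""
    mapped = {}
    for mapping in mappings:
        internal, external = mapping.split("|", 1)
        if external.lower() in entry:
            mapped[internal] = entry[external.lower()][0]
    return mapped

def find_users(directory: dict, cfg: dict) -> dict:
    """{user id: mapped attributes} as the User tab would list them."""
    base = search_base(cfg, "LDAP People Container Naming Attribute", "LDAP People Container Value")
    id_attr = cfg["LDAP Users Search Attribute"].lower()
    return {entry.get(id_attr, ["?"])[0]: map_attributes(entry, cfg["LDAP User Attributes"])
            for dn, entry in directory.items()
            if in_subtree(dn, base) and matches(entry, cfg["LDAP Users Search Filter"])}

def find_groups(directory: dict, cfg: dict, users: dict) -> dict:
    """{group name: [user ids]} by resolving each unique-member DN's RDN to a known user."""
    base = search_base(cfg, "LDAP Groups Container Naming Attribute", "LDAP Groups Container Value")
    name_attr = cfg["LDAP Groups Search Attribute"].lower()
    id_attr = cfg["LDAP Users Search Attribute"].lower()
    groups = {}
    for dn, entry in directory.items():
        if not in_subtree(dn, base) or not matches(entry, cfg["LDAP Groups Search Filter"]):
            continue
        members = []
        for member_dn in entry.get(cfg["Attribute Name of Unique Member"].lower(), []):
            rdn_attr, _, rdn_value = member_dn.split(",", 1)[0].partition("=")
            if rdn_attr.lower() == id_attr and rdn_value in users:
                members.append(rdn_value)
        groups[entry[name_attr][0]] = members
    return groups

if __name__ == "__main__":
    users = find_users(DIRECTORY, DATA_STORE)
    print("users:", users)
    print("groups:", find_groups(DIRECTORY, DATA_STORE, users))
    # 'No users in User tab': wrong objectclass in the filter, or wrong container value
    print(find_users(DIRECTORY, {**DATA_STORE, "LDAP Users Search Filter": "(objectclass=user)"}))
    print(find_users(DIRECTORY, {**DATA_STORE, "LDAP People Container Value": "Users"}))
    # Blank container fields make the search start at the Organization DN instead
    print(find_users(DIRECTORY, {**DATA_STORE, "LDAP People Container Value": ""}))
```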

Chapter 11 Configuring FIPS-140 mode

The following topics are provided:
- FIPS-140 overview (page 88)
- Prerequisites for converting to FIPS-140 mode (page 88)
- Before converting to FIPS-140 mode (page 89)
- Converting to FIPS-140 mode (page 89)
- Converting back to normal mode (page 94)
- Changing the FIPS-140 network ciphers (page 96)

FIPS-140 overview

When operating in FIPS-140 mode with the default networking ciphers, the Internet Explorer browser must be capable of supporting 256-bit Advanced Encryption Standard (AES) encryption. Otherwise, the browser cannot connect with BMC Atrium SSO for administrator or user authentication purposes. Firefox 3+ is able to operate at this level. Internet Explorer might not be able to support 256-bit AES, depending on the version. You can check your browser cipher capabilities at the following URL: http://www.fortify.net/sslcheck.html. This web site provides the encryption status of your browser.

The FIPS-approved cryptography module used by BMC Atrium SSO for FIPS-140 compliance is the RSA CryptoJ library version 4.1.5. The following table shows the algorithms used in normal mode and FIPS-140 mode.

Table 11-1: FIPS mode algorithms

Purpose: Encryption
Normal: DES
FIPS-140: AES-256

Purpose: Hash
Normal: MD5, SHA1, SHA256, SHA512
FIPS-140: SHA1, SHA256, SHA512

Purpose: Network protocol
Normal: TLS 1.0
FIPS-140: TLS 1.0

Purpose: Network ciphers
Normal: Any TLS
FIPS-140: TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521, TLS_DHE_DSS_WITH_AES_256_CBC_SHA

Purpose: Random
Normal: SHA1PRNG
FIPS-140: FIPS186PRNG

Prerequisites for converting to FIPS-140 mode

Before performing the system modifications that allow BMC Atrium SSO to operate in FIPS-140 mode, you need the following:
- RSA CryptoJ FIPS cryptography module
- Unlimited strength Java policy files

Contact BMC Support for access to the RSA CryptoJ FIPS cryptography module. This library file must be installed into the server JVM, replacing the current version, which is not certified.

BMC Atrium SSO uses Oracle JVM 1.6.0_23. The unlimited strength policy files for this JVM are available for download from http://java.sun.com/javase/downloads/index.jsp.

Before converting to FIPS-140 mode

When operating in FIPS-140 mode, BMC Atrium SSO blocks contact with products that are not also operating in a FIPS-140 compliant mode. Before performing the switch to FIPS-140 mode:
- Verify that the integrated BMC products are capable of operating in a FIPS-140 compliant mode and of making the reconfiguration required to continue operating with BMC Atrium SSO.
- If you plan to integrate additional products with BMC Atrium SSO after the switch to FIPS-140 mode is complete, be sure that these products can be integrated with the server.

IMPORTANT: Perform a system backup before switching to (or from) FIPS-140 mode. An unexpected hardware or software failure during the conversion can corrupt the server configuration.

Converting to FIPS-140 mode

The following is a summary of the steps for switching BMC Atrium SSO into FIPS-140 mode:
1. Installing unlimited strength policy files
2. Installing the cryptography library
3. Enabling FIPS-140 mode

Installing unlimited strength policy files

BMC Atrium SSO uses Oracle JVM version 1.6.0_23. By default, this JVM is installed with the "strong" jurisdiction policy files, which limit the strength settings available to encryption algorithms. These limitations prevent BMC Atrium SSO from running in FIPS-140 mode. To overcome this limitation, the Unlimited Strength Jurisdiction Policy Files must be downloaded from Oracle and installed into the BMC Atrium SSO JVM.

WARNING: BMC Atrium SSO and all integrated products must be shut down before installing the unlimited strength policy files.

1. Shut down all BMC Atrium SSO integrated products.

   BMC Atrium SSO cannot be in use during the conversion to FIPS-140 mode. If possible, use a firewall to block all remote access to the server.
2. Stop BMC Atrium SSO.
3. Access http://java.sun.com/javase/downloads/index.jsp.
4. Download the archive that contains the unlimited strength policy files.
5. Extract the contents of the archive.
6. Make a backup copy of the currently installed strong policy files.
7. Copy the unlimited strength policy files into the BMC Atrium SSO JVM.

BMC Atrium SSO JVM location (default)
The JVM security directory is located in the following default location:
- (Windows) C:\Program Files\BMC Software\AtriumSSO\jdk\jre\lib\security
- (UNIX) /opt/bmc/atriumsso/jdk/jre/lib/security

BMC Atrium SSO JVM location (non-default)
If BMC Atrium SSO has been installed in a non-default location, determine the location of the JVM using the following pattern:
- (Windows) installdirectory\atriumsso\jdk\jre\lib\security
- (UNIX) installdirectory/atriumsso/jdk/jre/lib/security
In this case, installdirectory is the base directory selected during the server installation.

BMC Atrium SSO JVM location (external Tomcat server)
For BMC Atrium SSO servers using an external Tomcat server, the location of the JVM was determined by the administrator who configured the Tomcat server. Regardless of the JVM location, the following templates indicate the correct directory:
- (Windows) jdkdir\jre\lib\security
- (UNIX) jdkdir/jre/lib/security
In this case, jdkdir is the base directory of the JDK used to run BMC Atrium SSO.

Installing the cryptography library

For cryptographic functions in normal mode, BMC Atrium SSO uses the JVM and a version of the RSA CryptoJ library that is not certified for FIPS-140 operation. When placed into FIPS-140 mode, however, the server reconfigures the JVM to use the RSA CryptoJ provider as the primary provider. In addition, the server's cryptography then uses this provider exclusively.

For the server to start in FIPS-140 mode successfully, the FIPS-140 certified version of the RSA CryptoJ library must be installed into the JVM, replacing the uncertified version. The two versions of the library can be told apart by their file names:
- Normal mode: cryptoj.jar
- FIPS-140 mode: cryptojfips.jar

NOTE: Contact BMC Software support for instructions on accessing the FIPS-140 version of the library.

To install the cryptography library
1. Make a backup copy of the cryptoj.jar file. You might need it to restore BMC Atrium SSO to normal encryption mode.
2. Copy the cryptojfips.jar file onto the file system of the computer hosting BMC Atrium SSO.
3. Copy the cryptojfips.jar file to the server's JVM library directory.
4. Remove the cryptoj.jar file. This is an important step to prevent a collision between the two libraries.

JVM library file location (default)
The JVM library directory is located in the following default location:
- (Windows) C:\Program Files\BMC Software\AtriumSSO\jdk\jre\lib\ext
- (UNIX) /opt/bmc/atriumsso/jdk/jre/lib/ext

JVM library file location (non-default)
If the BMC Atrium SSO server has been installed in a non-default location, determine the location of the JVM library directory using the following pattern:
- (Windows) installdirectory\atriumsso\jdk\jre\lib\ext
- (UNIX) installdirectory/atriumsso/jdk/jre/lib/ext
In this case, installdirectory is the base directory selected during the server installation.

JVM library file location (external Tomcat server)
For BMC Atrium SSO servers using an external Tomcat server, the location of the JVM was determined by the administrator who configured the Tomcat server. Regardless of the JVM location, the following templates indicate the correct directory:
- (Windows) jdkdir\jre\lib\ext

- (UNIX) jdkdir/jre/lib/ext
In this case, jdkdir is the base directory of the JDK used to run BMC Atrium SSO.

Enabling FIPS-140 mode

After restarting BMC Atrium SSO with the required JVM modifications in place, the server's configuration can be updated to trigger the change of cryptography. Before performing this next step, be sure that the following JVM modifications have been performed:
- Unlimited strength policy files installed.
- The cryptojfips.jar library file installed in the library directory.
- The cryptoj.jar library file removed from the library directory.

To enable FIPS-140 mode
1. Restart BMC Atrium SSO.
2. Log on to the Administrator console.
3. Navigate to: Configuration tab > Servers and Sites sub-tab > HostName link > Security tab > Federal Information Processing Standards
   In this case, HostName is a hyperlink similar to https://sample.bmc.com:8443/atriumsso.
4. To enable FIPS-140 mode, set FIPS Mode.
5. To commit the change, click Save.

WARNING: After the configuration has been successfully saved, the conversion process starts. This process cannot be interrupted. Do not stop BMC Atrium SSO, log on with another Administrator console, log off the current Administrator console, or initiate any other interactions with the server. This process takes approximately 10 to 20 seconds, depending upon the computer hardware. Be sure that the background task validation process posts a successful conversion message before proceeding to the next step.

6. Monitor the log files for the completion of the cryptography conversion. For more information on how to monitor the conversion, see Monitoring FIPS-140 mode conversion (page 93).
7. After the conversion process completes, stop and start the server.
8. Verify that the server is properly operating in FIPS-140 mode by viewing the BMC Atrium SSO log file (for example, atsso.0.log).

Monitoring FIPS-140 mode conversion

Before starting the conversion, the background task validates that the JVM has been correctly modified and is capable of running in FIPS-140 mode. If the JVM test fails, the task logs an error message indicating the JVM inadequacies and the conversion aborts. In addition, when BMC Atrium SSO is installed on an external Tomcat server, the background task verifies that the required Tomcat and JVM configuration files exist.

Log messages
The conversion task communicates through the BMC Atrium SSO log file (for example, atsso.0.log). The log file contains messages that signify the start of the conversion, any errors, and the completion of the process. See Logging for more information. Using the default installation locations as an example, the log file is located at:
- (Windows) C:\Program Files\BMC Software\AtriumSSO\tomcat\temp
- (UNIX) /opt/bmc/atriumsso/tomcat/conf

Conversion to FIPS-140 mode messages
When the conversion to FIPS-140 mode starts, the initial message is:
BMCSSG1599I=Switching Atrium SSO server to FIPS-140 mode
When the conversion process finishes successfully, it posts this message:
BMCSSG1601I=Switch of Atrium SSO server to FIPS-140 mode completed

Reconfiguring integrated products
All products that were configured with BMC Atrium SSO before the conversion to FIPS-140 mode must be reconfigured to operate in FIPS-140 compliant mode. These integrated products cannot use BMC Atrium SSO for authentication until they are synchronized with BMC Atrium SSO.

Troubleshooting FIPS-140 conversion
If the conversion process fails:
1. From the current Administrator console, restore FIPS mode back to normal mode.
2. Save the configuration change.
3. Address the cause of the failure. If any errors occurred during the conversion, they are posted after the initial BMCSSG1599I message.

4. Retry the FIPS-140 conversion after resolving the cause of the previous attempt's failure.

Converting back to normal mode

Converting BMC Atrium SSO to operate in normal mode (that is, without FIPS-140 cryptography) is the same process as converting the server to FIPS-140 mode, except that the JVM does not need to be modified before triggering the conversion.

NOTE: Create a backup of the current server in case a failure (hardware or software) during the conversion corrupts the server's configuration.

To convert back to normal mode:
1. Enabling normal mode
2. Restoring the original encryption files and non-FIPS-140 library
3. Reconfiguring integrated products

Enabling normal mode

To enable normal mode
1. Shut down all integrated products. If possible, use a firewall to block external access to BMC Atrium SSO.
2. Log on to the Administrator console.
3. Navigate to: Configuration tab > Servers and Sites sub-tab > HostName link > Security tab > Federal Information Processing Standards
   In this case, HostName is a hyperlink similar to https://sample.bmc.com:8443/atriumsso.
4. De-select FIPS Mode.
5. To commit the change, click Save.

WARNING: Once the configuration has been successfully saved, the conversion process is triggered in the background. This process cannot be interrupted. Do not stop BMC Atrium SSO, log on with another Administrator console, log off the current Administrator console, or initiate any other interactions with the server.

This process usually takes around 10 to 20 seconds, depending upon the computer hardware.

Restoring the original encryption files and non-FIPS-140 library

IMPORTANT: Be sure that the background task validation process posts a successful conversion message before restoring the original encryption files and non-FIPS-140 library.

At this point, the server must be stopped to restore the original strong encryption policy files and the non-FIPS-140 library.

To restore the original encryption files and non-FIPS-140 library
1. Stop BMC Atrium SSO.
2. Restore the strong encryption policy files.
3. Restore the non-FIPS library (cryptoj.jar).
4. Restart BMC Atrium SSO.
5. Verify that the server is properly operating in normal mode by viewing the BMC Atrium SSO log file (for example, atsso.0.log).

Reconfiguring integrated products
All integrated products must be reconfigured to operate in normal mode. These integrated products cannot use BMC Atrium SSO for authentication until they are synchronized with BMC Atrium SSO.

Monitoring normal mode conversion
After saving the configuration change, the conversion process alters the encrypted data within the server. Until the process completes, BMC recommends that you monitor the security page in case the process fails.

Log messages
The conversion task communicates through the BMC Atrium SSO log file (for example, atsso.0.log). The log file contains messages that signify the start of the conversion, any errors, and the completion of the process. For more information, see Logging on page 99. Using the default installation locations as an example, the log file is located at:
- (Windows) C:\Program Files\BMC Software\AtriumSSO\tomcat\temp
- (UNIX) /opt/bmc/atriumsso/tomcat/conf
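As an added example (not code from this guide or from BMC), the following Python checks an atsso log for the conversion messages this chapter lists (BMCSSG1599I/BMCSSG1601I for the switch to FIPS-140 mode, BMCSSG1598I/BMCSSG1600E for the switch back to normal mode) and reports whether the most recent attempt completed or needs the troubleshooting steps. The log records are constructed samples, and treating SEVERE lines between a start and a completion message as conversion errors is an assumption about the java.util.logging format of atsso.0.log.

```python
"""Check an atsso log (for example, atsso.0.log) for the outcome of the most
recent FIPS-140 or normal-mode conversion.  Added example, not product code."""
import re

# Start and completion message IDs from the Administration Guide, keyed by
# the mode the server is switching to.
START_IDS = {"BMCSSG1599I": "fips-140", "BMCSSG1598I": "normal"}
DONE_IDS = {"BMCSSG1601I": "fips-140", "BMCSSG1600E": "normal"}
MSG_ID = re.compile(r"\b(BMCSSG\d{4}[A-Z])\b")

# Assumption: atsso.0.log uses the java.util.logging format, so error records
# carry the SEVERE level.  The guide only says errors appear after the start
# message, so any SEVERE record in that window is collected.
ERROR_LEVEL = "SEVERE"


def conversion_status(lines):
    """Summarise the last conversion attempt found in an iterable of log lines.

    A new start message resets the state, so errors from an earlier, failed
    attempt are not attributed to a later successful one.
    """
    status = {"target": None, "started": False, "completed": False, "errors": []}
    for raw in lines:
        line = raw.rstrip()
        match = MSG_ID.search(line)
        msg_id = match.group(1) if match else None
        if msg_id in START_IDS:
            status = {"target": START_IDS[msg_id], "started": True,
                      "completed": False, "errors": []}
        elif (msg_id in DONE_IDS and status["started"]
              and DONE_IDS[msg_id] == status["target"]):
            status["completed"] = True
        elif status["started"] and not status["completed"] and ERROR_LEVEL in line:
            status["errors"].append(line)
    return status


def next_action(status):
    """Map the status to the action the guide prescribes."""
    if not status["started"]:
        return "no conversion start message found; check the log location"
    if status["completed"] and not status["errors"]:
        return f"conversion to {status['target']} mode completed; stop and start the server"
    if status["completed"]:
        return f"conversion to {status['target']} mode completed but errors were logged; review them"
    return ("conversion did not complete; restore the previous FIPS Mode setting "
            "from the console, save, fix the logged cause, then retry")


def check_log_file(path):
    """Read a log file from disk and return (status, action)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        status = conversion_status(fh)
    return status, next_action(status)


# Constructed sample records (not real product output): a first attempt that
# failed the JVM validation, followed by a second attempt that completed.
SAMPLE_LOG = """\
INFO: BMCSSG1599I=Switching Atrium SSO server to FIPS-140 mode
SEVERE: (constructed) JVM validation failed: cryptojfips.jar not found in jre/lib/ext
INFO: BMCSSG1599I=Switching Atrium SSO server to FIPS-140 mode
INFO: BMCSSG1601I=Switch of Atrium SSO server to FIPS-140 mode completed
"""

# Only the failed first attempt.
FAILED_LOG = "\n".join(SAMPLE_LOG.splitlines()[:2]) + "\n"

if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_LOG), ("failed", FAILED_LOG)):
        status = conversion_status(text.splitlines())
        print(f"{name}: {status}\n  -> {next_action(status)}")
```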

Conversion to normal mode messages
When the conversion from FIPS-140 mode to normal mode starts, the initial message is:
BMCSSG1598I=Switching Atrium SSO server to normal mode (not FIPS-140 mode)
When the conversion process finishes successfully, it posts this message:
BMCSSG1600E=Switch of Atrium SSO server to normal mode completed

Changing the FIPS-140 network ciphers

The ciphers that the Transport Layer Security (TLS) protocol uses can be adjusted by editing the BMC Atrium SSO server.xml file. This file is located at the following default locations:
- (Windows) C:\Program Files\BMC Software\AtriumSSO\tomcat\conf
- (UNIX) /opt/bmc/atriumsso/tomcat/conf

Modifying the server.xml file

To modify the server.xml file
1. Make a backup copy of the server.xml file.
2. Open the server.xml file in your favorite text editor.
3. Search for the Connector tag with the attribute scheme="https".
4. Modify the ciphers attribute by adding or removing items.

Multiple ciphers example
In the following example, the FIPS-140 version of the server.xml file has multiple ciphers:

<!-- FIPS140 -->
<Connector port="@tomcat_https_port@" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true" clientAuth="false"
           sslProtocol="TLS"
           ciphers="TLS_RSA_WITH_AES_256_CBC_SHA,
                    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,
                    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,
                    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521,
                    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,
                    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,
                    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521,
                    TLS_DHE_DSS_WITH_AES_256_CBC_SHA"
           keystoreFile="C:\Program Files\BMC Software\AtriumSSO\tomcat/conf/keystore.p12"
           keystorePass="internal4bmc" keystoreType="PKCS12" keystoreProvider="JsafeJCE"
           truststoreFile="C:\Program Files\BMC Software\AtriumSSO\tomcat/conf/cacerts.p12"
           truststorePass="changeit" truststoreType="PKCS12" truststoreProvider="JsafeJCE" />

Single cipher example
In the following example, the FIPS-140 version of the server.xml file has a single cipher (TLS_RSA_WITH_3DES_EDE_CBC_SHA):

<!-- FIPS140 -->
<Connector port="@tomcat_https_port@" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true" clientAuth="false"
           sslProtocol="TLS"
           ciphers="TLS_RSA_WITH_3DES_EDE_CBC_SHA"
           keystoreFile="C:\Program Files\BMC Software\AtriumSSO\tomcat/conf/keystore.p12"
           keystorePass="internal4bmc" keystoreType="PKCS12" keystoreProvider="JsafeJCE"
           truststoreFile="C:\Program Files\BMC Software\AtriumSSO\tomcat/conf/cacerts.p12"
           truststorePass="changeit" truststoreType="PKCS12" truststoreProvider="JsafeJCE" />
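Added example, not the guide's or BMC's code: this Python audits the ciphers attribute of every scheme="https" Connector in a server.xml against the Table 11-1 cipher list, so a change to the file can be checked before the server is restarted. The server.xml fragment is constructed with placeholder keystore paths; note that the single-cipher example in this section (TLS_RSA_WITH_3DES_EDE_CBC_SHA) is outside the Table 11-1 default set, so the audit reports it as a deviation from the defaults, not as a configuration error.

```python
"""Audit the cipher list on the HTTPS Connector of a BMC Atrium SSO server.xml.
Added example, not product code."""
import xml.etree.ElementTree as ET

# Default FIPS-140 network ciphers from Table 11-1 of the guide.
FIPS140_CIPHERS = frozenset({
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521",
    "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
})


def https_connectors(xml_text):
    """Return every <Connector scheme="https"> element in the document."""
    root = ET.fromstring(xml_text)
    return [c for c in root.iter("Connector") if c.get("scheme") == "https"]


def cipher_list(connector):
    """Split the ciphers attribute.  The guide's examples spread the list over
    several lines, so whitespace around each name is stripped."""
    raw = connector.get("ciphers", "")
    return [name.strip() for name in raw.split(",") if name.strip()]


def audit_ciphers(xml_text, allowed=FIPS140_CIPHERS):
    """Return a list of findings; an empty list means every HTTPS connector
    uses only ciphers from `allowed` and no other check fired."""
    findings = []
    connectors = https_connectors(xml_text)
    if not connectors:
        findings.append('no Connector with scheme="https" found')
    for conn in connectors:
        port = conn.get("port", "?")
        if conn.get("SSLEnabled", "").lower() != "true":
            findings.append(f"port {port}: SSLEnabled is not true")
        ciphers = cipher_list(conn)
        if not ciphers:
            # With no ciphers attribute Tomcat falls back to the JVM's defaults.
            findings.append(f"port {port}: ciphers attribute missing or empty, JVM defaults apply")
        for name in ciphers:
            if name.upper() not in allowed:
                findings.append(f"port {port}: {name} is not in the Table 11-1 cipher list")
        # The guide's example keeps the well-known Java default truststore password.
        if conn.get("truststorePass") == "changeit":
            findings.append(f"port {port}: truststorePass is the well-known Java default")
    return findings


# Constructed server.xml fragment (placeholder paths, not a file from the product).
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- FIPS140 -->
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150"
               scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
               ciphers="TLS_RSA_WITH_AES_256_CBC_SHA,
                        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,
                        TLS_RSA_WITH_3DES_EDE_CBC_SHA"
               keystoreFile="/placeholder/path/keystore.p12" keystorePass="PLACEHOLDER"
               keystoreType="PKCS12" keystoreProvider="JsafeJCE"
               truststoreFile="/placeholder/path/cacerts.p12" truststorePass="changeit"
               truststoreType="PKCS12" truststoreProvider="JsafeJCE" />
  </Service>
</Server>
"""

if __name__ == "__main__":
    for finding in audit_ciphers(SAMPLE_SERVER_XML) or ["no findings"]:
        print(finding)
```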


Chapter 12 Logging

The following topics are provided:
- Logging overview (page 100)
- Support utility (page 100)
- Log file locations (page 101)
- Managing BMC Atrium SSO logging (page 102)
- Using JEE agents for logging (page 103)
- Manually removing JEE agents (page 106)
- Using Java agents (page 108)

Logging overview

BMC Atrium SSO supports logging on both the server and the agents (default). Logging is used for:
- Auditing purposes
- General debugging of connection issues

The logging system supports rotation of the agent audit log files. By default, these log files are not used or rotated, because audit logging also occurs on the server. If rotation is disabled, the file system might be consumed by log files.

NOTE: The logging system can be modified for each component of BMC Atrium SSO.

Support utility

Support utility location
BMC Atrium SSO, as a distributed system, creates log files in many locations. The locations generally depend on the component of the system (server or agents). To help gather log files and other information that is critical to providing quality support, a Java utility is shipped with many of the components. This utility requires a modern Java 6 JVM. The server and the web agent place the support utility jar in a predefined location. Products that use the Thick Agents for integration do not have a predefined location but instead rely on a product-specific location.

The location within the server is: installationdirectory/tomcat/webapps/atriumsso/web-inf/tools
The location within the agent is: container/atssoagents/bin
- installationdirectory is the location where BMC Atrium SSO has been installed.
- container is the base directory of the JEE container in which the agent has been installed.

Running the support utility

To run the support utility
1. On the command line, navigate to the directory containing the support utility jar.
2. Enter the following command:

java -jar atssosupport.jar
After the utility completes, all of the gathered information is stored in the atssosupport.zip file.

Log file locations

Log directory
BMC Atrium SSO has two main logging directories:
- installationdirectory/tomcat/webapps/atriumsso/web-inf/config/atriumsso/log
- installationdirectory/tomcat/webapps/atriumsso/web-inf/config/atriumsso/debug

Of the files in the log and debug directories, those most commonly used to resolve BMC Atrium SSO issues are the Authentication and CoreSystem log files. These files contain the error entries about failures to communicate with the authentication modules, with the exception of RSA SecurID. RSA SecurID also uses rsa_api.log and rsa_api_debug.log for additional logging.

Additional server log files are located at:
- installationdirectory/tomcat/logs
- installationdirectory/tomcat/temp

The install program log files are in the temporary file system:
- <tmp>/atriumsso_install_log.txt
- <tmp>/atriumssoinstalledconfiguration.xml
- <tmp>/atriumssoinstallingconfiguration.xml

The log directory contains log files that are useful for auditing purposes. Each component of BMC Atrium SSO creates two files within this directory, one for successful entries and the other for error entries. The following components typically have files in this logging directory:
- amauthentication
- amconsole
- ampolicy
- IDFF
- WSFederation
- ampolicydelegation
- amsso

Debug directory
The debug directory contains additional log files that are geared towards problem resolution. The following BMC Atrium SSO components typically have files in this logging directory:
- Authentication
- CoreSystem
- Entitlement
- IdRepo
- Session
- rsa_api_debug.log
- rsa_api.log

Managing BMC Atrium SSO logging

Many logging attributes of BMC Atrium SSO are configurable through the administrator console. The attributes that are commonly modified are:
- Maximum log file size (default 100,000,000 bytes)
- Number of history files (1 file)
- Log file location (default): installationdirectory/tomcat/webapps/atriumsso/web-inf/config/atriumsso/log
- Logged data attributes

Additional attributes can be configured, for example, signing the logs or changing the logging storage from file format to a database table.

Modifying logging attributes

To modify logging attributes
1. Navigate to the Logging link: Configuration tab > System tab > Logging link
2. Configure the logging attributes.
3. Click Save.

For more information on logging parameters, refer to the OpenSSO documentation.

Adjusting logging levels

To enable detailed logging for BMC Atrium SSO
1. Navigate to the Debugging page: Configuration > Servers and Sites > server link > General tab
2. In the Debugging section, select your logging level from the drop-down menu.
   - Error (default): the logging level is typically kept at this default.
   - Message: generates the most verbose logs but severely impacts server performance. The Message level should only be used while an issue is being worked on.
3. Click Save.
4. Restart the server for the logging changes to take effect.

Logging with RSA SecurID

For RSA SecurID, additional debug logging is available by modifying the rsa_api.properties file.

To modify the rsa_api.properties file
1. Navigate to the following directory: installationdirectory/tomcat/webapps/atriumsso/web-inf/config/atriumsso/auth/ace/data
2. Edit the rsa_api.properties file.
3. Change the RSA_ENABLE_DEBUG property from NO to YES. Changing this property increases the volume of debugging information supplied by the RSA SecurID module.
4. Access the rsa_api_debug.log file in the debug logging directory for this information.

Using JEE agents for logging

JEE agents are embedded within web applications to provide authentication. The agents are as varied as the JEE containers, and the log file locations vary as well. However, the gathering of support information has been normalized regardless of the container. The support utility is located at: container/atssoagents/bin
In this case, container is the base directory of the JEE container where the agent has been installed.

For example, for the Tomcat server, the location is the CATALINA_HOME directory, and for WebSphere, the location is the AppServer directory. See the support utility section for information on running this utility.

Adjusting logging levels
With BMC Atrium SSO, the configuration of the JEE agents is centralized. To change the logging level, you update the specific J2EE agent.

To change the logging level
1. Navigate to the following section: Access Control > Top-level Realm > Agents > J2EE > agent link > Global tab > General section
   In this case, the agent link is the name of the agent, based on the host and port of the server where the agent is installed. For example: BMCJEEAgent@sample.bmc.com:8080 or /arsys@sample.bmc.com:8080
   Within this section is a series of radio buttons that specify the logging level for the agent.
2. Click the radio button for the logging level.
   - Error (default): the logging level is typically kept at this default.
   - Message: generates the most verbose logs but severely impacts server performance. The Message level should only be used while an issue is being worked on.

Agent audit logging
By default, the audit logs for agents are not used.

To turn on auditing at the agent level
1. Navigate to the Audit section: Access Control > Top-level Realm link > Agents tab > J2EE tab > agent link > Global > Audit
   The following audit attributes can be modified:
   - Type of access that is logged (allow, deny, and so on)
   - Size of the audit logs
   - Rotation of the audit logs
   - Location of the logging (agent or server)

NOTE: If server logging is selected (remote), performance degrades because the logging information is transported through the network to BMC Atrium SSO.

WebSphere log file locations
- installationdirectory/appserver/atssoagents/installer-logs
- installationdirectory/appserver/atssoagents/agents_001
- installationdirectory/appserver/profiles/<appsrv>/logs
The agents_001 directory number might increment when BMC Atrium SSO integration is enabled or disabled.

Tomcat log file locations
- catalinahome/logs
- catalinahome/temp
- catalinahome/atssoagents/installer-logs (optional)
- catalinahome/atssoagents/agents_001 (optional)

Log file rotation
The size of the audit logs and whether they are rotated are modified by editing the web agent Rotate Local Audit Log properties:
- com.sun.identity.agents.config.local.log.rotate
- com.sun.identity.agents.config.local.log.size
The local logs are rotated automatically because, by default, the Rotate Local Audit Log property is enabled. When this property is not enabled, the local log file is not rotated.

Debug log file location
The following web agent property, specified in the OpenSSOAgentBootstrap.properties file, indicates the location of the debug file:
- com.sun.identity.agents.config.local.logfile

NOTE: This agent property might not be available with all agent deployments. This property is not available through the OpenSSO Enterprise console. Because a local audit file is created during agent installation, the location of that file is assigned to this bootstrap file property.
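As an added example (not code from this guide or from BMC), the following Python reads a web agent properties file and checks the two Rotate Local Audit Log properties named above: rotation must be enabled, and the size must not fall below the 3000-byte minimum the guide gives, since an unrotated local audit log can fill the file system. The properties text is a constructed sample; that the two properties live in a Java .properties file with true/false values, and that it is the file you would hand to this check, are assumptions.

```python
"""Check a web agent properties file for the local audit log rotation
settings.  Added example, not product code."""
import re

ROTATE_KEY = "com.sun.identity.agents.config.local.log.rotate"
SIZE_KEY = "com.sun.identity.agents.config.local.log.size"
MIN_SIZE_BYTES = 3000  # minimum rotation size stated in the guide

# key, optional '=' or ':' separator, value.  Java .properties line
# continuations (trailing backslash) are not handled by this simplified parser.
PROPERTY_LINE = re.compile(r"^\s*([^=:\s]+)\s*[=:]?\s*(.*?)\s*$")


def parse_properties(text):
    """Parse key/value pairs, skipping blank lines and '#' or '!' comments."""
    props = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#!":
            continue
        match = PROPERTY_LINE.match(line)
        if match:
            props[match.group(1)] = match.group(2)
    return props


def check_audit_rotation(props):
    """Return findings about the rotation settings; empty means nothing to fix."""
    findings = []
    rotate = props.get(ROTATE_KEY)
    if rotate is None:
        findings.append(f"{ROTATE_KEY} not set (the guide says rotation is enabled by default)")
    elif rotate.lower() != "true":
        findings.append(f"{ROTATE_KEY}={rotate}: local audit log is never rotated "
                        "and can fill the file system")
    size = props.get(SIZE_KEY)
    if size is not None:
        if not size.isdigit():
            findings.append(f"{SIZE_KEY}={size!r}: not a byte count")
        elif int(size) < MIN_SIZE_BYTES:
            findings.append(f"{SIZE_KEY}={size}: below the {MIN_SIZE_BYTES}-byte minimum")
    return findings


def check_properties_file(path):
    """Read a properties file from disk and return its findings."""
    with open(path, encoding="utf-8") as fh:
        return check_audit_rotation(parse_properties(fh.read()))


# Constructed sample, not a file shipped with the product.
SAMPLE_PROPERTIES = """\
# constructed sample agent properties
com.sun.identity.agents.config.local.logfile = /placeholder/atssoagents/logs/amagent
com.sun.identity.agents.config.local.log.rotate = false
com.sun.identity.agents.config.local.log.size : 2048
"""

if __name__ == "__main__":
    for finding in check_audit_rotation(parse_properties(SAMPLE_PROPERTIES)) or ["ok"]:
        print(finding)
```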

Local audit log rotation size
The Local Audit Log Rotation Size property value for a web agent indicates the maximum number of bytes the debug file can hold. This agent property can be set through the OpenSSO Enterprise console. The Local Audit Log Rotation Size property, com.sun.identity.agents.config.local.log.size, is located on the Global tab.

NOTE: This agent property may not be available with all agent deployments.

This property controls the log file size. A new log file is created when the current log file reaches the specified size. The file size should be a minimum of 3000 bytes. The default size is 10 megabytes.

Log file index
When a new log file is created, an index number is appended to the name of the log file. The appended number indicates the chronological order in which information of a given size was filed to its respective log file. There is no limit to the number of log files that can be rotated.
- amagent-1
- amagent-2
In this case, amagent represents the fully qualified path name of the log files, excluding the appended number. The numbers 1 and 2 are the appended index numbers.

Manually removing JEE agents

This section describes how to manually remove a JEE agent from BMC Atrium SSO. These steps only involve the BMC Atrium SSO configuration. Additional steps might be required for full removal.

Removing JEE agents from BMC Atrium SSO

To remove a JEE agent from BMC Atrium SSO
1. From BMC Atrium SSO, Delete User (if it exists).
2. Navigate to the J2EE tab: Access Control > Top-level Realm link > Agents tab > J2EE tab
3. Select the agent you want to delete.
4. Click Delete.

Removing JEE agents from WebSphere

To remove a JEE agent from WebSphere
1. Stop WebSphere Application Server (WAS).
2. Delete installationdirectory/appserver/atssoagents.
3. Delete installationdirectory/appserver/.amagentlocator.
4. Edit WASHome\AppServer\profiles\AppSrv01\config\cells\<cell>\nodes\<node>\servers\server1\server.xml
   a. Navigate to process:Server > processDefinitions > jvmEntries.
   b. From the genericJvmArguments attribute, remove the system property declarations (for example, -Dcom.iplanet.services.debug.level=on).
   c. A sub-tag of jvmEntries, classpath, contains the classpath for the JVM. Remove the BMC Atrium SSO/OpenSSO entries.
5. Restart WAS.

Removing JEE agents from Tomcat

To remove a JEE agent from Tomcat
1. Stop Tomcat.
2. Delete catalinahome/atssoagents.
The following steps may not be applicable, depending on the agent used by the web application:
3. Delete catalinahome/.amagentlocator.
4. Edit catalinahome/conf/server.xml.
   a. Remove the realm definition. For example:
      <Realm className="com.sun.identity.agents.tomcat.v6.AmTomcatRealm" debug="99"/>
5. Edit catalinahome/bin/setclasspath.sh (or catalinahome/bin/setclasspath.bat).
   a. Delete the inclusion of setAgentClasspath.sh (or setAgentClasspath.bat).
   b. Delete catalinahome/bin/setAgentClasspath.sh (or catalinahome/bin/setAgentClasspath.bat).
6. Restart Tomcat.

Removing JEE agents from JBoss or WebLogic

To remove a JEE agent from JBoss or WebLogic
1. Stop the relevant application server.
2. Delete directory/atssoagents.
3. Restart the relevant application server.

Using Java agents

The Java agent, also referred to as the thick agent, is embedded within desktop and server programs. Because the environments differ, the details of the log file and support utility locations are product-dependent. However, there are a few common threads across these products:
- The support utility placement within desktop or server programs is application-dependent.
- The ATSSO_LOGGING_LEVEL environment variable can be set to one of the Java logging levels, for example INFO, FINE, FINER, and so on.
- The default logging location is the temporary file system for the user running the program.
  - On UNIX systems, the location is /tmp.
  - On Windows, this location could be C:\Documents and Settings\user\Local Settings\Temp.
- Regardless of location, the default logging file is atsso.0.log, with rollover log files of atsso.0.log.#, where # is a number from 1 to 9.

Chapter 13 Managing users and groups

The following topics are provided:
- Managing users (page 110)
- Managing groups (page 114)

Managing users

BMC Atrium SSO provides basic user and group management features with the internal LDAP server. These features allow an administrator to manage users, groups, and group memberships. BMC Atrium SSO is configured to use an internal LDAP server for user authentication (default). While not recommended for large-scale deployments, the internal database can be used for small deployments, demonstrations, and other Proof-Of-Concept (POC) work. For larger deployments, BMC recommends that you use an external authentication server, such as another LDAP server.

From the User page, the administrator can create and delete users and manage group memberships. To access the User page, navigate to: Access Control > BmcRealm link > Subjects tab > User tab

Adding users
New users can only be created when you are using the internal LDAP server for authentication. If an external source is used for authentication, new users must be created within that external system.

NOTE: If special characters, such as comma (,), semicolon (;), or plus sign (+), are used in the user ID, a backslash (\) must precede the special character. For example, Baldwin\,bob.

When creating a new user, each field marked with an asterisk is required.

To add a new user
1. Navigate to the User tab: Access Control > BmcRealm link > Subjects tab > User tab
2. Click New.
3. In the ID field, enter a unique identifier for the new user. This value is used as the user ID when the user logs in.
4. Enter the user's last name and full name.
5. Enter an initial default password (which the user changes) and confirm it. An initial password must be provided when creating the account. Once created, the user can log into BMC Atrium SSO and update the password and their personal information through the following URL: https://fqdnhostname:port/atriumsso?realm=BmcRealm

6. In the User Status field, verify that the Active radio button is selected (default).
7. Click OK.

The name attributes (First, Full, and Last) can be provided to BMC products to help identify user accounts using terms that are more user-friendly. The actual use of these attributes, though, depends on the BMC product.

Searching for users
If the number of users in the Available list is too large to find the user that you want to modify, use the search function. The asterisk (*) returns all user accounts. Enter part of the user ID to refine the user account list. For example, the pattern b* returns users starting with the letter "b" (case-insensitive), such as "bob" and "Baldwin".

Deleting users
User accounts can only be deleted if BMC Atrium SSO is using the internal LDAP server for user authentication.

To delete users
1. Navigate to the User tab: Access Control > BmcRealm link > Subjects tab > User tab
2. Select the check box next to each user account in the User list that should be deleted.
3. Click Delete.
4. Click Save.

Modifying user accounts
User accounts can be edited and disabled (access blocked) from the Edit User page. This page is accessible by clicking the user name link in the User list.

Changing user passwords

To change a user's password
1. Navigate to the User tab: Access Control > BmcRealm link > Subjects tab > User tab
2. Select the user link that you want to modify.
3. In the Password field, click Edit. This action launches another page where the user's password can be changed.
4. Click OK.
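As an added example (not code from this guide or from BMC), the following Python applies the user ID rule from the NOTE under Adding users (a backslash before comma, semicolon or plus, as in Baldwin\,bob) and reproduces the case-insensitive pattern search described under Searching for users. It goes beyond the guide in one respect: on the assumption that the internal LDAP server follows RFC 4514 DN escaping, the default character set also covers the double quote, backslash, angle brackets, a leading '#', and leading or trailing spaces; pass specials=GUIDE_SPECIALS to escape only the three characters the guide names.

```python
"""Escape BMC Atrium SSO user IDs for the internal LDAP server and reproduce
the console's case-insensitive user search.  Added example, not product code."""
import fnmatch
import re

# Characters the guide says must be preceded by a backslash in a user ID.
GUIDE_SPECIALS = ",;+"
# Going beyond the guide: the full set RFC 4514 requires escaping in a DN
# value, on the assumption that the internal LDAP applies the same rule.
RFC4514_SPECIALS = GUIDE_SPECIALS + '"\\<>'


def escape_user_id(user_id, specials=RFC4514_SPECIALS):
    """Return the user ID with each special character backslash-escaped,
    e.g. 'Baldwin,bob' -> 'Baldwin\\,bob'.  Pass an unescaped ID: escaping
    twice would turn the backslash itself into '\\\\'."""
    if not user_id:
        raise ValueError("user ID must not be empty")
    last = len(user_id) - 1
    out = []
    for i, ch in enumerate(user_id):
        if ch in specials:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:          # leading '#' (RFC 4514)
            out.append("\\#")
        elif ch == " " and i in (0, last):  # leading or trailing space (RFC 4514)
            out.append("\\ ")
        elif ch == "\x00":                  # NUL is always hex-escaped
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def unescape_user_id(escaped):
    """Inverse of escape_user_id, also accepting RFC 4514 '\\XX' hex escapes."""
    out = []
    i = 0
    while i < len(escaped):
        ch = escaped[i]
        if ch != "\\":
            out.append(ch)
            i += 1
            continue
        if i + 1 >= len(escaped):
            raise ValueError("dangling backslash at end of user ID")
        pair = escaped[i + 1:i + 3]
        if len(pair) == 2 and all(c in "0123456789abcdefABCDEF" for c in pair):
            out.append(chr(int(pair, 16)))
            i += 3
        else:
            out.append(escaped[i + 1])
            i += 2
    return "".join(out)


def search_user_ids(pattern, user_ids):
    """Console-style search: '*' returns every account, 'b*' those whose ID
    starts with 'b' regardless of case.  Results are sorted case-insensitively."""
    regex = re.compile(fnmatch.translate(pattern), re.IGNORECASE)
    return sorted((uid for uid in user_ids if regex.match(uid)), key=str.lower)


if __name__ == "__main__":
    # Constructed sample IDs, including the guide's own example.
    for uid in ("Baldwin,bob", "carol+ops", "#lead", " padded "):
        print(f"{uid!r} -> {escape_user_id(uid)!r}")
    print(search_user_ids("b*", ["bob", "Baldwin", "alice"]))
```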

Disabling and enabling user accounts

A user account can be disabled or enabled by changing the User Status radio button.

To enable a user account
1. Navigate to the User tab: Access Control > BmcRealm link > Subjects tab > User tab
2. Click the link of the user that you want to modify.
3. In the User Status field, click the Active radio button.

To disable a user account
1. Navigate to the User tab: Access Control > BmcRealm link > Subjects tab > User tab
2. Click the link of the user that you want to modify.
3. In the User Status field, click the Inactive radio button.

When a user account is disabled, the user cannot authenticate, but none of the user's attributes, such as group memberships, are lost. Group memberships are lost only when the user account is deleted. Disabling is therefore the safer first response to a suspect account: it blocks access immediately and can be reversed without reconstructing the account's memberships.

Adding and removing group memberships

A user is added to a group from the Group tab, which is accessed from the Edit User page.

To add a group membership to a user account
1. Navigate to the User tab: Access Control > BmcRealm link > Subjects tab > User tab
2. Click the link of the user that you want to modify.
3. Click the Group tab.
4. Select a group from the Available list.
5. Click Add. Alternatively, click Add All to add all of the available groups to the user account.
6. Click Save.

IMPORTANT: Be selective when adding users to groups, particularly the predefined groups, so that elevated privileges are not accidentally assigned to a user. For example, BmcSearchAdmin has privileges to perform identity searches and BmcAgents has privileges to read configuration information.

To remove a group membership from a user account
1. Navigate to the User tab: Access Control > BmcRealm link > Subjects tab > User tab
2. Click the link of the user that you want to modify.
3. Click the Group tab.
4. Select a group from the Selected list.
5. Click Remove. Alternatively, click Remove All to remove all of the user's group memberships.
6. Click Save.

Viewing user sessions

To view user sessions
1. Log on to the Administrator console.
2. Select the Sessions tab.

Terminating user sessions

To terminate an active user session
1. Log on to the Administrator console.
2. Select the Sessions tab.
3. Select the check box associated with the user session that you want to terminate.
4. Click Invalidate Session.

IMPORTANT: Take care not to terminate the session that is used to access the console or the sessions used by BMC agents. Agent sessions use the following naming convention:
BMCJEEAgent@host:port or uri@host.port
Terminating these sessions will, at best, close the console that the administrator is using or, at worst, prevent users from accessing the BMC products that the agent protects.

Managing groups

Predefined groups

BMC Software products can use the group membership capabilities of BMC Atrium SSO for authorization of users as well as for authentication. If a BMC Software product uses BMC Atrium SSO group memberships, consult that product's documentation to determine the mapping of groups to privileges.

To access the Group page, navigate to Access Control > BmcRealm link > Subjects tab > Group tab.

BMC Atrium SSO provides predefined groups to supply the administrator privileges that some BMC Software products might require. For example, the BmcSearchAdmin group provides privileges that allow a user to connect to the server to perform identity searches.

NOTE: Take care when assigning this group, because its elevated privileges allow greater access to BMC Atrium SSO than is normally provided.

Creating groups

To create a new group
1. Navigate to the Group page: Access Control > BmcRealm link > Subjects tab > Group tab
2. Click New.
3. Enter a new, unique name for the group.
4. Click OK.

Normally, BMC products install the groups that they need into BMC Atrium SSO as part of their installation. However, a situation might arise in which a group needs to be created (or re-created).

Deleting groups

When you delete a group, the group is removed from BMC Atrium SSO, and users that are members of the group have that membership removed.

IMPORTANT: Deleting groups that have been installed by other BMC products is not recommended. Doing so might cause the product to malfunction or block access to the product itself.

To delete a group
1. Navigate to the Group page: Access Control > BmcRealm link > Subjects tab > Group tab
2. Select the check box for the group that you want to delete.
3. Click Delete.

If too many groups are visible in the Group list to find the ones you want efficiently, use the search function to filter the list. For example, changing the search filter to D* displays the group IDs that start with the letter "d" (case-insensitive).

Adding users to groups

Multiple users can be assigned to a group from the Group page.

To assign a group membership
1. Navigate to the Group page: Access Control > BmcRealm link > Subjects tab > Group tab
2. Click the group name link.
3. Click the User tab.
4. Select a user from the Available list.
5. Click Add. Alternatively, click Add All to add all of the users.
6. Click Save. The membership change takes effect immediately.

IMPORTANT: Take care when adding users to groups, particularly the predefined groups, so that elevated privileges are not accidentally assigned to a user. For example, BmcSearchAdmin has privileges to perform identity searches and BmcAgents has privileges to read configuration information.

Removing users from groups

Users can be removed from a group from the Group page.

To remove a user from a group
1. Navigate to the Group page: Access Control > BmcRealm link > Subjects tab > Group tab
2. Click the group name link.
3. Click the User tab.

4. Select a user from the Selected list. Alternatively, remove all of the users from the group by clicking Remove All.
5. Click Remove.
6. Click Save. The membership change takes effect immediately.

To remove all users from a group
1. Navigate to the Group page: Access Control > BmcRealm link > Subjects tab > Group tab
2. Click the group name link.
3. Click the User tab.
4. Click Remove All.
5. Click Save. The membership change takes effect immediately.

Chapter 14 Other Administrator Tasks

The following topics are provided:
- Configuring session parameters
- Cleaning up BMC product agents
- Managing authentication modules
- Managing authentication chains

Configuring session parameters

The following session parameters are configurable for BMC Atrium SSO:
- Maximum Session Time (default is 120 minutes)
- Idle Time (default is 30 minutes)
- Maximum Sessions (default is 5)
- Maximum Caching Time (default is 3 minutes)

To modify session parameters
1. Navigate to the Dynamic Attributes tab: Configuration tab > Global tab > Session link > Dynamic Attributes tab
2. Modify the attributes.
3. Click Save.

Committed changes take effect immediately; a server restart is not necessary.

Cleaning up BMC product agents

If a product has become unusable and its uninstall utility can no longer perform an orderly cleanup and de-integration from BMC Atrium SSO, you might need to perform a manual cleanup.

NOTE: If no product within the JEE server still needs authentication, or you want to permanently block access from that JEE server, deleting the agent accounts effectively terminates access by the agent. To do so, both the J2EE agent and its user must be deleted from the root realm.

The names for the agent and the user are based on the host name and port of the URL of the BMC product server where the agent resides, using the following template:
BMCJEEAgent@host:port or uri@host.port
- host is the FQDN of the host.
- port is the main port number.
- uri is the URI of the application.

Deleting agent accounts

To delete an agent account
1. Navigate to the J2EE agents page in the Top Level Realm: Access Control > Top Level Realm link > Agents > J2EE
2. In the Agents list, select the check box for the J2EE agent that you want to delete.
3. Click Delete.
4. Click the Sessions tab.
5. Select the check box for the user session that has the same name as the J2EE agent (if one exists).
6. Click Invalidate Session.

Managing authentication modules

The basic building block of authentication in BMC Atrium SSO is the authentication module. A module instance specifies the type of authentication (LDAP, RSA SecurID, and so on) as well as deployment-specific values such as host names and port numbers.

To access the Module Instances page, navigate to Access Control > BmcRealm link > Authentication > Module Instances link.

Module instances can be created, edited, and deleted from the Module Instances table:
- New creates a new module instance.
- Delete removes the selected module instance.
- Clicking a module name opens a page where you can modify that module instance.

Creating modules

To create a new module
1. Navigate to the Module Instances page: Access Control > BmcRealm link > Authentication > Module Instances link
2. Click New.
3. Type a unique name for the module instance. The name should consist of alphanumeric characters and a few punctuation characters such as the underscore, but no spaces, commas, or ampersands.
4. Select the type of the new module instance.

5. Click OK to create an unconfigured instance and return to the Authentication page.
6. Edit the module. See Editing modules.

Editing modules

The module's configuration must be edited before it can be used within an authentication chain.

To edit a module
1. Navigate to the Module Instances page: Access Control > BmcRealm link > Authentication > Module Instances link
2. Click the name of the module instance. A page opens in which you can configure the module attributes.

NOTE: See the section on configuring that particular type of module, for example, Using LDAP for authentication.

Deleting modules

To delete a module
1. Remove the module from all authentication chains. See Editing chains for information on removing a module from an authentication chain.
2. Navigate to the Module Instances page: Access Control > BmcRealm link > Authentication > Module Instances link
3. Select the module instance check box.
4. Click Delete.

NOTE: If the module is still referenced by an authentication chain, the deletion fails with an error similar to the following:
An error occurred trying to remove MarketingLDAP: Authentication instance Marketing LDAP is currently being used.

Managing authentication chains

Authentication chains are managed on the Authentication Chaining page.

To navigate to the Authentication Chaining page: Access Control > BmcRealm link > Authentication > Authentication Chaining link

Creating chains

To create a new authentication chain
1. Navigate to the Authentication Chaining page: Access Control > BmcRealm link > Authentication > Authentication Chaining link
2. Click New. A new page opens.
3. Type the name for the new chain into the Name field.
4. Click OK.
5. On the properties page, configure the module instances for the new chain. The chain's properties page opens after the new chain is created. See Editing chains for information on manipulating the modules within the chain.

Editing chains

On the chain properties page, the Modules table allows you to add, remove, and reorder the modules, and to select the criteria that control the flow of processing and determine the overall authentication status of the chain.

To edit a chain
1. Navigate to the Authentication Chaining page: Access Control > BmcRealm link > Authentication > Authentication Chaining link
2. Click the link of the authentication chain that you want to edit. Alternatively, after creating a new chain, the properties page for the chain is displayed automatically.
3. Add, remove, reorder, or change the criteria of the module instances, as described in the following sections.
4. Click Save.

NOTE: Currently, BMC Atrium SSO does not use the Successful Login URL field. BMC recommends that this field and the related login URL fields be left blank to prevent a negative impact on the BMC Atrium SSO server.

Deleting chains

Before deleting a chain, verify that BmcRealm is not actively using the chain for authentication.

To check which authentication chain is being used
1. Navigate to the BmcRealm Authentication page: Access Control > BmcRealm link > Authentication
2. Note the chain name displayed in the Organization Authentication Configuration field. This is the chain currently in use.
3. If the chain that you want to delete is in use, change the Organization Authentication Configuration field to a different chain.

NOTE: If the chain is still in use when it is deleted, an alternate chain is selected at random. Because that silently changes how users are authenticated, always switch the realm to the intended chain before deleting.

To delete a chain
1. Navigate to the BmcRealm Authentication page: Access Control > BmcRealm link > Authentication
2. Click the Authentication Chaining link.
3. Select the check box of the chain that you want to delete.
4. Click Delete.

Adding modules to chains

To add a module instance to a chain
1. Navigate to the Authentication Chaining page: Access Control > BmcRealm link > Authentication > Authentication Chaining link
2. Click the name of the chain.
3. Click Add. A new row with default values is appended to the module instances table.
4. In the Instance column, use the drop-down menu to change the default module instance. In the Criteria column, use the drop-down menu to change the default criteria.

The criteria for a module determine how it affects the authentication status of the chain. The criteria are Required, Requisite, Sufficient, and Optional:
- Required: This module must authenticate the user. Regardless of pass or fail, processing of the chain continues.
- Requisite: This module must authenticate the user. When authentication fails, processing of the chain aborts.
- Sufficient: This module might authenticate the user. If authentication passes, processing of the chain stops; otherwise processing continues.

- Optional: This module might authenticate the user. Processing continues regardless of success or failure.

The overall status of the chain is successful if all of the Required and Requisite modules pass before either the end of the chain or the first successful Sufficient module. When there are no Required or Requisite modules, at least one Sufficient or Optional module must authenticate the user.

The fields in the Options column are used to pass extra configuration items to the authentication module when it is used within the chain, such as enabling debug logging. BMC Atrium SSO does not currently use this feature. Refer to the applicable OpenSSO documents for further information.

Deleting modules from chains

To delete a module instance from a chain
1. Navigate to the Authentication Chaining page: Access Control > BmcRealm link > Authentication > Authentication Chaining link
2. Click the name of the chain that you want to edit.
3. On the chain's properties page, select the check box of each module instance that you want to remove.
4. Click Remove to delete the module instance from the chain.

Editing a module instance in a chain

To change a module instance within a chain
1. Navigate to the Authentication Chaining page: Access Control > BmcRealm link > Authentication > Authentication Chaining link
2. In either the Instance or Criteria column, use the drop-down menu to select a new value.
3. Click Save.

Reordering modules in chains

Instead of performing numerous add and remove operations on the module table to change the order in which module instances are processed, use the Reorder option. On the Reorder page, a module instance can be selected and moved up or down the chain, or moved to the top or bottom of the list by clicking Move to Top or Move to Bottom. Because a successful Sufficient module stops processing, the order determines which modules actually run; re-check the criteria of every module after reordering.
To reorder the modules in a chain
1. Navigate to the Authentication Chaining page: Access Control > BmcRealm link > Authentication > Authentication Chaining link

2. Click the name of the chain that you want to alter.
3. Click Reorder.
4. Click the module instance that you want to move.
5. Click Move Up, Move Down, Move to Top, or Move to Bottom to change the order in which the module instances are processed.
6. To apply the new order, click OK.
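The criteria semantics described under Adding modules to chains (Required, Requisite, Sufficient, Optional, and the rule for the overall status) are the JAAS login-module flags that OpenSSO inherits. The following Python block is an added example, not BMC or OpenSSO code: it evaluates a chain of (module instance, criteria) pairs against per-module outcomes using exactly the rules stated on the page and reports which modules were consulted, which is what you want to know before reordering or deleting a module. The module names and outcomes are constructed.

```python
"""Evaluate an authentication chain with the Required/Requisite/Sufficient/Optional rules.

Added example; the chain and outcomes are constructed, not taken from any BMC deployment.
"""

REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = "Required", "Requisite", "Sufficient", "Optional"


def evaluate_chain(chain, outcomes):
    """Return (authenticated, consulted).

    chain     -- ordered list of (module_instance, criteria)
    outcomes  -- dict module_instance -> True if that module authenticated the user
    consulted -- the modules actually run, in order (processing may stop early)
    """
    has_mandatory = any(crit in (REQUIRED, REQUISITE) for _, crit in chain)
    mandatory_failed = False
    optional_passed = False
    consulted = []

    for module, crit in chain:
        passed = bool(outcomes[module])
        consulted.append(module)
        if crit == REQUIRED:
            # Must pass, but the chain continues either way, so later modules still run.
            mandatory_failed = mandatory_failed or not passed
        elif crit == REQUISITE:
            # Must pass; a failure aborts the chain immediately.
            if not passed:
                return False, consulted
        elif crit == SUFFICIENT:
            # A pass ends the chain successfully unless a Required module already failed.
            if passed and not mandatory_failed:
                return True, consulted
        elif crit == OPTIONAL:
            optional_passed = optional_passed or passed
        else:
            raise ValueError(f"unknown criteria {crit!r} for module {module}")

    if has_mandatory:
        # All Required modules must have passed (a Requisite failure returned above).
        return not mandatory_failed, consulted
    # No Required or Requisite modules: at least one Sufficient or Optional must have passed.
    return optional_passed, consulted


def trace(chain, outcomes):
    """One-line summary, handy when sanity-checking a chain before saving it."""
    ok, consulted = evaluate_chain(chain, outcomes)
    return f"{'PASS' if ok else 'FAIL'} after {consulted}"


if __name__ == "__main__":
    # Constructed chain: corporate LDAP must pass; a SecurID pass ends processing early.
    chain = [("CorpLDAP", REQUIRED), ("SecurID", SUFFICIENT), ("LegacyAD", OPTIONAL)]
    print(trace(chain, {"CorpLDAP": True, "SecurID": True, "LegacyAD": False}))
    # PASS after ['CorpLDAP', 'SecurID']
    print(trace(chain, {"CorpLDAP": False, "SecurID": True, "LegacyAD": True}))
    # FAIL after ['CorpLDAP', 'SecurID', 'LegacyAD']
```

The second run is the case that surprises people: a successful Sufficient module does not rescue a chain in which a Required module already failed, but it also does not stop processing, so every later module is still consulted. Moving the Sufficient module ahead of the Required one changes the answer, which is why the order in the Modules table is part of the policy.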

Appendix A Policy file additions for external Tomcat installations

This appendix contains the additions to make to the Tomcat policy file. The following topic is provided:
- Adding to the policy file

Adding to the policy file

To configure the policy file for external Tomcat installations, add the following lines to the policy file. As written, the grant has no codeBase or signedBy clause, so it applies to every code source that the Tomcat instance loads, and permissions such as FilePermission "<<ALL FILES>>" with all actions, SocketPermission "*", createClassLoader and suppressAccessChecks together leave the Java security manager with little left to restrict. If the container must stay sandboxed for other applications, scope the block with a codeBase that covers only the BMC Atrium SSO deployment.

    //
    // AtriumSSO additions for tomcat 5/6
    //
    grant {
        permission java.net.SocketPermission "*", "listen,connect,accept,resolve";
        permission java.util.PropertyPermission "*", "read, write";
        permission java.lang.RuntimePermission "modifyThreadGroup";
        permission java.lang.RuntimePermission "setFactory";
        permission java.lang.RuntimePermission "accessClassInPackage.*";
        permission java.util.logging.LoggingPermission "control";
        permission java.lang.RuntimePermission "shutdownHooks";
        permission javax.security.auth.AuthPermission "getLoginConfiguration";
        permission javax.security.auth.AuthPermission "setLoginConfiguration";
        permission javax.security.auth.AuthPermission "modifyPrincipals";
        permission javax.security.auth.AuthPermission "createLoginContext.*";
        permission java.io.FilePermission "<<ALL FILES>>", "read,write,execute,delete";
        permission java.util.PropertyPermission "java.util.logging.config.class", "write";
        permission java.security.SecurityPermission "removeProvider.SUN";
        permission java.security.SecurityPermission "insertProvider.SUN";
        permission javax.security.auth.AuthPermission "doAs";
        permission java.util.PropertyPermission "java.security.krb5.realm", "write";
        permission java.util.PropertyPermission "java.security.krb5.kdc", "write";
        permission java.util.PropertyPermission "java.security.auth.login.config", "write";
        permission java.util.PropertyPermission "user.language", "write";
        permission javax.security.auth.kerberos.ServicePermission "*", "accept";
        permission javax.net.ssl.SSLPermission "setHostnameVerifier";
        permission java.security.SecurityPermission "putProviderProperty.IAIK";
        permission java.security.SecurityPermission "removeProvider.IAIK";
        permission java.security.SecurityPermission "insertProvider.IAIK";
        permission java.lang.RuntimePermission "setDefaultUncaughtExceptionHandler";
        permission javax.management.MBeanServerPermission "newMBeanServer";
        permission javax.management.MBeanPermission "*", "registerMBean";
        permission java.lang.RuntimePermission "createClassLoader";
        permission java.lang.RuntimePermission "accessDeclaredMembers";
        permission java.lang.RuntimePermission "setContextClassLoader";
        permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
        permission javax.security.auth.AuthPermission "getSubject";
        permission javax.management.MBeanTrustPermission "register";
        permission javax.management.MBeanPermission "*", "*";
        permission java.lang.management.ManagementPermission "monitor";
        permission javax.management.MBeanServerPermission "createMBeanServer";
        permission java.util.PropertyPermission "javax.xml.soap.MetaFactory", "write";
        permission java.util.PropertyPermission "javax.xml.soap.MessageFactory", "write";
        permission java.util.PropertyPermission "javax.xml.soap.SOAPConnectionFactory", "write";
        permission java.util.PropertyPermission "javax.xml.soap.SOAPFactory", "write";
        permission java.net.NetPermission "getProxySelector";
        permission java.security.SecurityPermission "getProperty.authconfigprovider.factory";
        permission java.security.SecurityPermission "setProperty.authconfigprovider.factory";
        permission javax.security.auth.AuthPermission "doAsPrivileged";
        permission javax.security.auth.AuthPermission "modifyPublicCredentials";
        permission java.security.SecurityPermission "insertProvider.XMLDSig";
        permission java.security.SecurityPermission "putProviderProperty.WSS_TRANSFORM";
        permission java.security.SecurityPermission "insertProvider.WSS_TRANSFORM";
        permission java.security.SecurityPermission "getProperty.ocsp.*";
    };

Permission class names and target names in a Java policy file are case-sensitive; the listing above restores the standard spelling (for example java.lang.RuntimePermission "createClassLoader").
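A practitioner reviewing the grant above usually wants two things: a list of the entries that make the rest of the sandbox moot, and a version of the block restricted to the BMC Atrium SSO code base. The following Python block is an added example and not BMC code: it parses a grant block in the Java policy-file format, flags the broad permissions, and rewrites an unscoped grant to carry a codeBase. The embedded policy excerpt is constructed from the listing, and the codeBase URL is a hypothetical deployment path.

```python
"""Parse and audit a Java policy grant block like the one in this appendix (added example).

Not BMC code. SAMPLE_POLICY is a constructed excerpt in the appendix's format; the
codeBase used at the bottom is a hypothetical path and must be adjusted per deployment.
"""
import re

SAMPLE_POLICY = '''
//
// AtriumSSO additions for tomcat 5/6
//
grant {
    permission java.net.SocketPermission "*", "listen,connect,accept,resolve";
    permission java.util.PropertyPermission "*", "read, write";
    permission java.lang.RuntimePermission "createClassLoader";
    permission java.io.FilePermission "<<ALL FILES>>", "read,write,execute,delete";
    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
    permission javax.management.MBeanPermission "*", "*" ;
    permission java.util.PropertyPermission "javax.xml.soap.SOAPFactory","write";
};
'''

# grant [codeBase "<url>"] { ... };  -- signedBy/principal clauses are not handled here.
_GRANT_RE = re.compile(r'grant(?:\s+codeBase\s+"([^"]*)")?\s*\{(.*?)\}\s*;', re.S)
# permission <class> "<target>"[, "<actions>"];
_PERM_RE = re.compile(r'permission\s+([\w.]+)\s+"([^"]*)"(?:\s*,\s*"([^"]*)")?\s*;')

# (class, target) pairs that by themselves let code out of the security-manager sandbox.
BROAD = {
    ("java.io.FilePermission", "<<ALL FILES>>"): "read/write/execute/delete on every path",
    ("java.net.SocketPermission", "*"): "connect to and listen on any host and port",
    ("java.lang.RuntimePermission", "createClassLoader"): "load arbitrary classes",
    ("java.lang.reflect.ReflectPermission", "suppressAccessChecks"): "bypass access checks via reflection",
    ("java.util.PropertyPermission", "*"): "rewrite any system property, including security settings",
}


def parse_grant(policy_text):
    """Return (codebase_or_None, [(permission_class, target, actions)]) for the first grant block."""
    m = _GRANT_RE.search(policy_text)
    if m is None:
        raise ValueError("no grant block found")
    perms = [(cls, target, actions or "") for cls, target, actions in _PERM_RE.findall(m.group(2))]
    return m.group(1), perms


def audit_grant(policy_text):
    """List the broad permissions in the grant, plus a warning when the grant has no codeBase."""
    codebase, perms = parse_grant(policy_text)
    findings = []
    if codebase is None:
        findings.append("grant has no codeBase: it applies to every code source the container loads")
    for cls, target, actions in perms:
        reason = BROAD.get((cls, target))
        # A read-only PropertyPermission "*" is far less interesting than a writable one.
        if reason and (cls != "java.util.PropertyPermission" or "write" in actions):
            findings.append(f"{cls} {target!r} {actions!r}: {reason}")
    return findings


def scope_grant(policy_text, codebase):
    """Rewrite an unscoped 'grant {' so the block applies only to the given codeBase URL."""
    return re.sub(r'\bgrant\s*\{', f'grant codeBase "{codebase}" {{', policy_text, count=1)


if __name__ == "__main__":
    for finding in audit_grant(SAMPLE_POLICY):
        print("-", finding)
    # Hypothetical codeBase for the Atrium SSO web application; adjust to your deployment.
    print(scope_grant(SAMPLE_POLICY, "file:${catalina.base}/webapps/atriumsso/-"))
```

Scoping the grant limits the blast radius to the Atrium SSO web application; it does not shrink what that application may do, so the audit list is still worth keeping next to the change record for the container.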


Appendix B Error messages

This appendix lists the BMC Atrium SSO errors. The following topic is provided:
- Error Messages

Error Messages

The following table lists the BMC Atrium SSO errors and messages.

Table B-1: Error messages

Error Number  Message
BMCSSG0000E  Undefined error message. Contact BMC Software, Inc.
BMCSSO1000E  Undefined error message. Contact BMC Software, Inc.
BMCSSO1001I  OpenSSO agent configuration override is on.
BMCSSO1002E  Cannot find config.properties in directory specified (%s)
BMCSSO1003I  BMC Atrium SSO agent is disabled.
BMCSSO1004I  No disabled user id specified, and user not already authenticated. Using user id "nobody".
BMCSSO1005E  Failed to configure logging: %s
BMCSSO1006E  Destination directory for templates does not exist: %s
BMCSSO1007E  Destination directory for templates is not a directory: %s
BMCSSO1008E  Required parameter not specified for configuration (%s). Internal Error. Contact BMC Software, Inc.
BMCSSG1009E  Failed to generated configuration for OpenSSO Agent.
BMCSSO1010E  BMC Atrium SSO security not configured.
BMCSSO1011E  BMC Atrium SSO security improperly configured. Internal error. Contact BMC Software, Inc.
BMCSSG1012E  BMC Atrium SSO security not integrated with server. Internal error. Contact BMC Software, Inc.
BMCSSO1013E  Failed internal agent configuration. Internal error. Contact BMC Software, Inc.
BMCSSO1014E  Failed internal agent configuration. Internal error. Contact BMC Software, Inc.
BMCSSO1015E  Agent configuration file (%s) already exists. Either delete agent or use replace agent.
BMCSSO1016W  Failed to get canonicalized host name.
BMCSSO1017E  Agent configuration file (%s) must be located within WEB-INF directory structure.
BMCSSO1018E  Failed agent confidentiality algorithm (%s). Contact BMC Software, Inc.
BMCSSO1019E  Failed agent confidentiality algorithm (%s). Contact BMC Software, Inc.
BMCSSO1020E  Failed agent confidentiality algorithm (%s). Contact BMC Software, Inc.
BMCSSG1021E  Cannot delete agent because configuration file specified does not exist.
BMCSSG1022E  Cannot delete agent because configuration file does not contain BMC Atrium SSO server information.

BMCSSG1023E  Error while processing deployer command (%s): %s
BMCSSG1024E  Failed to register agent with BMC Atrium SSO server (%s).
BMCSSG1025E  BMC Atrium SSO agent already registered with BMC Atrium SSO server. Must either replace or delete this agent.
BMCSSG1026E  File system location of container lib could not be identified. Specify through the property BMC Atrium SSO.container.lib.dir.
BMCSSG1027E  Failure generating or updating agent config.properties file (%s).
BMCSSG1028E  The web.xml file specified could not be found. Verify agent file system location supplied.
BMCSSG1029W  Agent configuration was disabled. Re-enabling security.
BMCSSG1030E  The web.xml file is not configured for FORM login. Please change the configuration to FORM login for BMC Atrium SSO Agent configuration.
BMCSSG1031E  Failed administrator logon: %s
BMCSSG1032E  Failed agent logon: %s
BMCSSG1033E  Failed to find agent configuration file.
BMCSSG1034E  Parsing error while processing file %s.
BMCSSG1035E  Could not access configuration template file (%s). Internal error. Contact BMC Software, Inc.
BMCSSG1036E  Could not find configuration template file. Internal error. Contact BMC Software, Inc.
BMCSSG1037E  Failed to create container control. Internal error. Contact BMC Software, Inc.
BMCSSG1038E  Failed to create container control for unknown type(%s). Internal error. Contact BMC Software, Inc.
BMCSSG1039E  Administrative function (%s) failed. Internal error. Contact BMC Software, Inc.
BMCSSG1040E  Tomcat cookie adjustment failed. Internal error. Contact BMC Software, Inc.
BMCSSG1041E  Failed to bounce container. Internal error. Contact BMC Software, Inc.
BMCSSG1042E  Invalid hostname specified for BMC Atrium SSO URL (%s). Must use FQDN.
BMCSSG1043E  Failed to resolve configuration path (%s) to canonical.
BMCSSG1044E  Failed domain lookup of hostname supplied for BMC Atrium SSO URL.
BMCSSG1045E  Failed to find configurator template. Internal Error. Contact BMC Software, Inc.
BMCSSG1046E  Failed to load configurator template. Internal Error. Contact BMC Software, Inc.
BMCSSG1047E  Failed to load configurator template. Internal Error. Contact BMC Software, Inc.
BMCSSG1048E  Failed to execute configurator.

BMCSSG1049E  Execution of configurator failed with status code(%s).
BMCSSG1050E  Configuration of CAC was interrupted.
BMCSSG1051E  Configuration of CAC failed (%s).
BMCSSG1052E  Setup of administrative tool was interrupted.
BMCSSG1053E  Setup of administrative tool failed (%s).
BMCSSG1054E  Setup of administrative tool finished with non-zero result code (%s).
BMCSSG1055E  Invalid URL specified for BMC Atrium SSO server (%s).
BMCSSG1056E  BMC Atrium SSO configuration failed (%s).
BMCSSG1057I  Successfully configured BMC Atrium SSO server.
BMCSSG1058E  Invalid container home specified for BMC Atrium SSO server (%s).
BMCSSG1059E  Administrative password cannot be null or empty.
BMCSSG1060E  LDAP port specified is out of range (%d), must be 1..65534.
BMCSSG1061E  Failed to find executable jar file within classpath (%s).
BMCSSG1062E  Failed to connect with BMC Atrium SSO container. Container must be running with BMC Atrium SSO.war deployed before configuration.
BMCSSG1063E  Invalid URL type (%s).
BMCSSG1064E  Error connecting with BMC Atrium SSO container (%s)- is it running?
BMCSSG1065E  Failed to create temporary file for configuration (%s).
BMCSSG1066E  Failed to write to temporary file for configuration (%s).
BMCSSG1067E  Failed reconfiguration of BMC Atrium SSO server.
BMCSSG1068E  Invalid cookie domain specified (%s).
BMCSSG1069E  Failed to rewrite server URL to include proper context URI.
BMCSSG1070E  Agent password or name is empty/null. Internal error. Contact BMC Software, Inc.
BMCSSG1071E  Administrator password or name is empty/null. Internal error. Contact BMC Software, Inc.
BMCSSG1072E  Failed to create agent profile (response code: %s).
BMCSSG1073E  Configuration for agents failed (%s).
BMCSSG1074E  Configuration for agents was interrupted.
BMCSSG1075E  Failed to create cache dir.
BMCSSG1076E  Failed to create authentication context (%s). Is the BMC Atrium SSO server running?
BMCSSG1077E  Failed to begin login (%s).
BMCSSG1078E  Default BMC Atrium SSO server not specified with environment variable.
BMCSSG1079E  Badly formed URL for default BMC Atrium SSO server.
BMCSSG1080E  Failed to retrieve SSOToken (%s).

BMCSSG1081E  Failed to retrieve idle time (%s).
BMCSSG1082E  Failed to retrieve max idle time (%s).
BMCSSG1083E  Failed to retrieve max session time (%s).
BMCSSG1084E  Failed to retrieve principal (%s).
BMCSSG1085E  Failed to retrieve time left (%s).
BMCSSG1086E  Failed to logout (%s).
BMCSSG1087E  Failed to register for token events (%s).
BMCSSG1088E  Failed to get token event type (%s).
BMCSSG1089E  Failed to validate SSO token (%s).
BMCSSG1090E  Administrative password must be at least 8 characters in length.
BMCSSG1091E  Token cache too large to load (%d).
BMCSSG1092E  Failed to read fully from cache file (%s).
BMCSSG1093E  Failed to delete cache.
BMCSSG1094E  Failed to convert to XML. Internal Error. Contact BMC Software, Inc.
BMCSSG1095E  Failed to create lock on cache (%s).
BMCSSG1096E  Interrupted during create lock on cache (%s).
BMCSSG1097E  Failed to extract data from possibly corrupted cache (%s).
BMCSSG1098E  Failed to write to cache (%s).
BMCSSG1099E  Failed to write to cache (%s). Internal Error. Contact BMC Software, Inc.
BMCSSG1200E  Default BMC Atrium SSO server is not specified.
BMCSSG1201E  Default BMC Atrium SSO server URL is not specified correctly (%s).
BMCSSG1202E  Failed to retrieve SSOToken using token id. Is server certificate in truststore? (%s).
BMCSSG1203E  Login failed (%s).
BMCSSG1204E  Must authenticate a user before requesting token.
BMCSSG1205E  Failed to retrieve token (%s).
BMCSSG1206E  System callback handler is not specified.
BMCSSG1207E  Failed to load class for callback handler.
BMCSSG1208E  Failed to create an instance of the class for callback handler (%s).
BMCSSG1209E  Unknown UIHandler specified: %s
BMCSSG1210E  Failure during login (%s).
BMCSSG1211E  Failure during login (%s).
BMCSSG1212W  Please enter a value for the password.
BMCSSG1213E  Failed to logout from BMC Atrium SSO server (%s).
BMCSSG1214E  Failed to abort from BMC Atrium SSO server (%s).
BMCSSG1215E  Invalid naming URL: %s

BMCSSG1216E  Invalid BMC Atrium SSO URL specified (%s).
BMCSSG1217E  Already logged into BMC Atrium SSO server. Logout before trying to login again.
BMCSSG1218E  Context must be reset before being used for another login.
BMCSSG1219E  Failed to find userid within Principal (%s).
BMCSSG1220E  Failed to create context from token (%s).
BMCSSG1221E  Improper response received from BMC Atrium SSO server (%d).
BMCSSG1222E  Failed to connect with BMC Atrium SSO server.
BMCSSG1223E  Invalid security provider specified (%s).
BMCSSG1224E  Invalid security algorithm specified (%s).
BMCSSG1225E  Could not resolve hostname for BMC Atrium SSO server (%s).
BMCSSG1226E  Failed to access user specified keystore file (%s): %s
BMCSSG1227E  Failed to execute keytool to generate certificate.
BMCSSG1228E  Keytool finished with non-zero status code (%d).
BMCSSG1229E  Keystore password not specified.
BMCSSG1230E  Keystore password not specified.
BMCSSG1231E  Trying to use insecure communications protocol HTTP instead of HTTPS. Must use HTTPS for server URL (%s).
BMCSSG1232E  Could not find configuration utility. Has BMC Atrium SSO war file been deployed?
BMCSSG1233E  Could not connect using HTTPS and keystore specifications.
BMCSSG1234E  Failed to create TLS socket factory for HTTPS communications (%s).
BMCSSG1235E  Specified insecure HTTP protocol for BMC Atrium SSO but configuration is blocking usage.
BMCSSG1236E  Failed to initialize HTTPS protocol using keystore specified (%s).
BMCSSG1237E  Failed to initialize HTTPS protocol using certificate file specified (%s).
BMCSSG1238E  Configuration for HTTPS protocol is incomplete- a keystore or certificate is required.
BMCSSG1239E  Error while loading keystore specified for web agent deployment and configuration.
BMCSSG1240E  Error while loading server certificate specified for web agent deployment and configuration.
BMCSSG1241E  Failed to connect with BMC Atrium SSO server for HTTPS certificate download (%s).
BMCSSG1242E  Failed to retrieve certificate from BMC Atrium SSO server for HTTPS configuration.
BMCSSG1243E  Failed to write retrieved certificate to cache (%s).
BMCSSG1244E  Failed to use HTTPS certificates for agent delete (%s).

BMCSSG1245W   Specified insecure HTTP protocol for BMC Atrium SSO server (%s).
BMCSSG1246E   Failed to load users keystore (%s).
BMCSSG1247E   Failed to create keystore manager(%s).
BMCSSG1248E   Failed to add new certificate to keystore(%s).
BMCSSG1249E   Failed to lock file for keystore update (%s).
BMCSSG1250E   Failed to unlock file after keystore update (%s).
BMCSSG1251E   Login failed. Verify user credentials and try again.
BMCSSG1252E   Failed to create LDAP chain (%s).
BMCSSG1253E   Failed to load keystore (%s).
BMCSSG1254E   Invalid token specified for BMC Atrium SSO server connection.
BMCSSG1255E   Alias cannot be null. Internal error. Contact BMC Software, Inc.
BMCSSG1256E   Failed to update keystore because of failure to delete original keystore file.
BMCSSG1257E   Failed to rename new keystore to replace original keystore.
BMCSSG1258E   Failed to load keystore from file (%s).
BMCSSG1259E   Failed to read data from file (%s).
BMCSSG1260E   Keystore has been corrupted.
BMCSSG1261E   If keystore specified, then keystore type and password must also be provided.
BMCSSG1262E   No keystore available for private keys.
BMCSSG1263E   Failed to setup trust manager (%s).
BMCSSG1264E   Failed to bounce container after configuration step (%s).
BMCSSG1265E   Authentication callback failed to provide credentials (%s).
BMCSSG1266E   BMC Atrium SSO URL is not specified through environment or system properties.
BMCSSG1267E   Invalid BMC Atrium SSO URL specified (%s).
BMCSSG1268E   A realm must be specified when connecting with BMC Atrium SSO (cannot be null).
BMCSSG1269E   A callback handler must be specified when connecting with BMC Atrium SSO (cannot be null).
BMCSSG1270E   Failed to find UID within DN (%s).
BMCSSG1271E   Empty DN provided for principal.
BMCSSG1272E   Failed to load JVM KeyStore(%s).
BMCSSG1273E   Missing store password for keystore file.
BMCSSG1274E   Malformed forwarding URL received (%s).
BMCSSG1275E   Failed to configure SecurID module (%s).
BMCSSG1276E   Failed creating ActiveDirectory chain (%s).
BMCSSG1277E   Failed adding ActiveDirectory module to ActiveDirectory chain (%s).
Appendix B Error messages
BMCSSG1278E   Failed creating ActiveDirectory module (%s).
BMCSSG1279E   Failed updating LDAP module (%s).
BMCSSG1280E   Failed updating AD module (%s).
BMCSSG1281E   Failed to create directory for file lock (%s).
BMCSSG1282E   Keytool finished with non-zero status code (%d).
BMCSSG1283E   Failed to execute keytool to export certificate.
BMCSSG1284E   Keytool finished with non-zero status code (%d).
BMCSSG1285E   Failed to connect with Identity REST services (%s).
BMCSSG1286E   Not connected with Identity REST services. Internal Error. Contact BMC Software, Inc.
BMCSSG1287E   Failed to fetch attributes from server (%s).
BMCSSG1288E   Failed to retrieve client host name(%s).
BMCSSG1289E   Failed to parse LDAP value (%s).
BMCSSG1290E   Failed to deserialize group file (%s).
BMCSSG1291E   Groups file (%s) does not exist.
BMCSSG1292E   Failed to upload groups to server (%s).
BMCSSG1293I   User canceled login.
BMCSSG1294E   Authentication failed for unknown reason.
BMCSSG1295E   Failed to find class (%s) in launching jar. Internal Error. Contact BMC Software, Inc.
BMCSSG1296E   Failed to parse jar file URL (%s). Internal Error. Contact BMC Software, Inc.
BMCSSG1297E   Failed to locate jar entry in jar URL (%s). Internal Error. Contact BMC Software, Inc.
BMCSSG1298E   Failed to get jar URL (%s). Internal Error. Contact BMC Software, Inc.
BMCSSG1299E   Agent zip directory (%s) not found in jar file directory (%s). Internal Error. Contact BMC Software, Inc.
BMCSSG1300E   Agent action option must be specified (install, migrate, uninstall).
BMCSSG1301E   Failed to create temporary response file (%s).
BMCSSG1302E   When truststore option is specified, the password, type and alias must also be specified.
BMCSSG1303E   Truststore specified does not exist(%s).
BMCSSG1304E   JEE container base directory specified does not exist (%s).
BMCSSG1305E   JEE container base directory specified is not a directory (%s).
BMCSSG1306E   Couldn't find websphere agent zip (%s).
BMCSSG1307E   Websphere server instance configuration directory doesn't exist (%s).
BMCSSG1308E   Couldn't create temporary server certificate file (%s).
BMCSSG1309E   Failed to load response file from input stream (%s). Internal Error. Contact BMC Software, Inc.
BMCSSG1310E   Failed to open response file source file (%s). Internal Error. Contact BMC Software, Inc.
BMCSSG1311E   Failed to load response file from string (%s). Internal Error. Contact BMC Software, Inc.
BMCSSG1312E   Failed to open response file (%s). Internal Error. Contact BMC Software, Inc.
BMCSSG1313E   Failed to write into response file (%s). Internal Error. Contact BMC Software, Inc.
BMCSSG1314E   Missing value for variable (%s). Internal Error. Contact BMC Software, Inc.
BMCSSG1315E   Failed to generate random sequence (%s).
BMCSSG1316E   Failed to create temporary file (%s).
BMCSSG1317I   Successfully finished execution.
BMCSSG1318I   Deployer execution completed.
BMCSSG1319E   Failed deployer execution.
BMCSSG1320E   Failed to load agent configuration (%s).
BMCSSG1321E   Failed to save agent configuration (%s).
BMCSSG1322I   Detected agent installation.
BMCSSG1323I   Agent installation not detected.
BMCSSG1324E   Agent installation detected, but failed to instantiate (%s).
BMCSSG1325E   Agent installation detected, but failed to instantiate (%s).
BMCSSG1326E   Failed to parse deployer options (%s).
BMCSSG1327E   Failed to access template file (%s).
BMCSSG1328E   Failed to find worker for task. Internal Error. Contact BMC Software, Inc.
BMCSSG1329E   Invalid parameter values.
BMCSSG1330E   Subscript execution failed (%s) (formerly code BMCSDG1330E).
BMCSSG1331E   Failed to create agent installation directory (%s).
BMCSSG1332E   Failed to connect with BMC Atrium SSO server (%s).
BMCSSG1333E   JEE container cannot be running during installation. Please stop the server and retry agent installation.
BMCSSG1334E   BMC Atrium SSO server (%s) cannot be contacted. It must be running during agent installation.
BMCSSG1335E   Failed to netstat for JEE container ports (%s).
BMCSSG1336E   Failed to create agent account (%s).
BMCSSG1337E   Failed to create logout url (%s).
BMCSSG1338E   Failed to create BMC Agent (%s).
BMCSSG1339E   Failed to convert agent data (%s).
BMCSSG1340E   Agent installation finished with errors (formerly code BMCSDG1340E).
BMCSSG1341E   Agent already installed and configured for URL (%s). Use "--force" option to override.
BMCSSG1342E   Unknown agent specified for URL (%s). Use "--force" option to override.
BMCSSG1343E   Failed to update BMC Agent after uninstall (%s).
BMCSSG1344E   JEE truststore specified does not exist (%s).
BMCSSG1345E   JVM truststore specified does not exist (%s).
BMCSSG1346E   JEE password must be specified when JEE truststore is specified.
BMCSSG1347E   JVM password must be specified when JVM truststore is specified.
BMCSSG1348E   Couldn't find tomcat agent zip (%s).
BMCSSG1349E   BMC Atrium SSO filter experienced internal error processing security: %s
BMCSSG1350E   BMC Atrium SSO cannot be contacted. Contact security administrator.
BMCSSG1351E   Failed to create BmcRealm (%s).
BMCSSG1352E   Failed to create temporary file for property update (%s): %s
BMCSSG1353E   Failed to open stream to new property file (%s).
BMCSSG1354E   Failed adding LDAP module to LDAP chain (%s).
BMCSSG1355E   Failed to write to new property file (%s).
BMCSSG1356E   Failed to update keystore for login(%s).
BMCSSG1357E   Failure during server certificate acceptance (%s).
BMCSSG1358E   Failure during server certificate acceptance (%s).
BMCSSG1359E   Used declined certificate from server (%s).
BMCSSG1360E   Failure checking server certificate against keystore (%s).
BMCSSG1361E   Wow, couldn't generate a unique filename for old file (%s).
BMCSSG1362E   Failed to rename old configuration file.
BMCSSG1363E   Server presented certificate unusable for server verification. CN must be hostname.
BMCSSG1364E   Failed setting auth level on in DataStore module (%s).
BMCSSG1365E   Failed to set CAC server configuration (%s).
BMCSSG1366E   Failed to create CAC module (%s).
BMCSSG1367E   Failed to set OCSP on in CAC module (%s).
BMCSSG1368E   Failed to create CAC chain (%s).
BMCSSG1369E   Failed to add CAC module to CAC chain (%s).
BMCSSG1370E   Failed to rollback to old configuration file.
BMCSSG1371E   Failed to create access to keystores (%s).
BMCSSG1372E   Failed to load MS-CAPI (%s).
BMCSSG1373E   A certificate is required for login, but none found. Is CAC card inserted?
BMCSSG1374E   Failed to prepare script for unix execution (%s).
BMCSSG1375E   Failed registering SecurID authentication module (%s).
BMCSSG1376E   Failed creating SecurID service (%s).
BMCSSG1377E   Failed to connect with BMC Atrium SSO server (%s).
BMCSSG1378E   Failed to connect with BMC Atrium SSO server (%s).
BMCSSG1379E   Failed to logout from BMC Atrium SSO server (%s).
BMCSSG1380E   Failed to commit log in with BMC Atrium SSO server (%s).
BMCSSG1381E   Failed to create SecurID module (%s).
BMCSSG1382E   Failed to create SecurID chain (%s).
BMCSSG1383E   Failed to add SecurID module to SecurID chain (%s).
BMCSSG1384E   Failed to get encoding for certificate (%s).
BMCSSG1385E   Failed to deserialize subjects file (%s).
BMCSSG1386E   Subjects file (%s) does not exist.
BMCSSG1387E   Failed to serialize subjects file (%s).
BMCSSG1388E   BMC Atrium SSO URL specified is invalid (%s).
BMCSSG1389E   File to import doesn't exist (%s).
BMCSSG1390E   Failed subject import(%s).
BMCSSG1391E   Failed subject export(%s).
BMCSSG1392E   The GET operation is not supported for this service.
BMCSSG1393E   The POST operation is not supported for this service.
BMCSSG1394E   The PUT operation is not supported for this service.
BMCSSG1395E   The DELETE operation is not supported for this service.
BMCSSG1396E   Failed to return JSON message for exception (%s).
BMCSSG1397E   Unsupported media type requested from REST services (%s).
BMCSSG1398E   Failed to convert exception to JSON object (%s).
BMCSSG1399E   Failed to add info to JSON object (%s).
BMCSSG1400E   Failed to add FIPS info to JSON object (%s).
BMCSSG1401E   Missing required parameter for REST service (%s).
BMCSSG1402E   Missing required parameters for REST service (%s).
BMCSSG1403E   Failure performing identity search (%s).
BMCSSG1404E   Failure creating JSON object for identity search (%s).
BMCSSG1405E   Invalid URI specified for remote notification (%s).
BMCSSG1406E   Failed to register for token notifications (%s).
BMCSSG1407E   Invalid tokenid passed for notifications (%s).
BMCSSG1408E   A URI must be specified for notifications.
BMCSSG1409E   At least one tokenid must be specified to register for notifications.
BMCSSG1410E   Notification URI already registered to receive notifications.
BMCSSG1411E   The URI specified is not registered for notifications (%s).
BMCSSG1412E   The URI specified was terminated due to failure to retrieve notifications in a timely manner (%s).
BMCSSG1413E   The URL specified for remote HTTP client failed to parse (%s): %s
BMCSSG1414E   Failed to create JSON message for notification (%s).
BMCSSG1415E   Received unsuccessful result code (%s) from HTTP send: %s
BMCSSG1416E   Test remote connection failed (%s).
BMCSSG1417W   Reverse remote client is not connected to receive messages (%s).
BMCSSG1418E   Invalid hostname specified for remote client (%s).
BMCSSG1419E   Failed to create TLS context (%s).
BMCSSG1420E   Failed to create reader/writers for socket notifications (%s).
BMCSSG1421E   Failed to build JSON object (%s).
BMCSSG1422E   Failed REST call to BMC Atrium SSO server (%s).
BMCSSG1423E   Internal error, no response code returned (%s).
BMCSSG1424E   Failed REST call with exception(%s): %s.
BMCSSG1425E   Internal error, no principal within session token (%s).
BMCSSG1426E   Internal error, no groups within session token (%s).
BMCSSG1427E   Internal error, no field %s within session token (%s).
BMCSSG1428E   Only agents and administrators can register for notifications on non-owner sessions.
BMCSSG1429E   Invalid URL specified (%s).
BMCSSG1430E   Failed to get BMC Atrium SSO server URL from notification (%s).
BMCSSG1431E   Failed to parse session notification from server (%s).
BMCSSG1432E   Error opening notification socket (%s).
BMCSSG1433E   Timed-out opening notification socket (%s).
BMCSSG1434E   Failed to create TLS socket (%s).
BMCSSG1435E   Failed to acquire FQDN for local host (%s).
BMCSSG1436E   Failed to compose URI for notifications (%s).
BMCSSG1437E   Failed to use reverse messenger with server (%s).
BMCSSG1438E   Failed to retrieve server version from info reply (%s).
BMCSSG1439E   Failed to retrieve server build date from info reply (%s).
BMCSSG1440E   BMC Atrium SSO server release is too old- does not support remote notification.
BMCSSG1441E   The URI specified was not registered for notification events (%s).
BMCSSG1442E   Failed to create messenger for reverse protocol (%s).
BMCSSG1443E   Invalid client certificate presented for notification (%s).
BMCSSG1444E   Failed to create dynamic client certificate (%s).
BMCSSG1445E   Unknown user attribute specified for export (%s).
BMCSSG1446E   Failed to connect with BMC Atrium SSO internal LDAP server (%s).
BMCSSG1447E   Failed to create unload directory (%s).
BMCSSG1448E   Failure during configuration dump (%s).
BMCSSG1449E   Failure during properties dump (%s).
BMCSSG1450E   Invalid server URL specified (%s).
BMCSSG1451E   Dump directory does not exist(%s).
BMCSSG1452E   Invalid dump directory (%s).
BMCSSG1453E   Failure loading configuration (%s).
BMCSSG1454I   Successfully unloaded BMC Atrium SSO data.
BMCSSG1455I   Successfully loaded BMC Atrium SSO data.
BMCSSG1456E   Failed to unload BMC Atrium SSO data (%s).
BMCSSG1457E   Failed to load BMC Atrium SSO data (%s).
BMCSSG1458E   Failed to unload group data (%s).
BMCSSG1459E   Failed to unload user data (%s).
BMCSSG1460E   Failed to find amserver.jar for update (%s).
BMCSSG1461E   Failed to access updated amserver.jar from classpath. Internal error. Contact BMC Software, Inc.
BMCSSG1462E   Failed to write data to amserver.jar (%s).
BMCSSG1463E   Failed to open temporary file for updated jar contents (%s).
BMCSSG1464E   Failed to rename old amserver.jar to %s.
BMCSSG1465E   Failed to rename new file to amserver.jar.
BMCSSG1466E   Failed to stop SSO container (%s).
BMCSSG1467E   Failed to start SSO container (%s).
BMCSSG1468E   Failed to access LDAP config (%s).
BMCSSG1469E   Failed to save modified LDAP config (%s).
BMCSSG1470E   Failed agent confidentiality algorithm (%s). Internal error. Contact BMC Software, Inc.
BMCSSG1471E   Failed agent confidentiality algorithm (%s). Internal error. Contact BMC Software, Inc.
BMCSSG1472E   Failed agent confidentiality algorithm (%s). Internal error. Contact BMC Software, Inc.
BMCSSG1473E   Failed to stop service for child process (%s).
BMCSSG1474E   Unable to access LDAP configuration (%s). Internal error. Contact BMC Software, Inc.
BMCSSG1475E   Missing property from configuration file (%s).
BMCSSG1476E   Failed to connect agent due to unsupported callback type.
BMCSSG1477E   Failed to retrieve cookie name from server (%s).
BMCSSG1478E   Failed to access configuration file (%s).
BMCSSG1479E   Failed to load from configuration file (%s).
BMCSSG1480E   Failed to open configuration file (%s).
BMCSSG1481E   Failed to store to configuration file (%s).
BMCSSG1482E   Failed to store secret key in keystore (%s).
BMCSSG1483E   Failed to generate secret key (%s).
BMCSSG1484E   Failed to encrypt with secret key (%s).
BMCSSG1485E   Configuration directory name is not specified in system property (%s).
BMCSSG1486E   Configuration directory does not exist (%s).
BMCSSG1487E   Web application configuration directory does not exist (%s).
BMCSSG1488E   Configuration file does not exist (%s).
BMCSSG1489E   Failed to find Tomcat v6 bin directory (%s).
BMCSSG1490E   Failed to access script file for JEE Agent integration (%s).
BMCSSG1491E   Failed to find Tomcat v6 bin directory (%s).
BMCSSG1492E   Failed to access script file for JEE Agent integration (%s).
BMCSSG1493E   Agent configuration directory for webapp already exists. If agent not currently deployed, delete directory and try again (%s).
BMCSSG1494E   Failed to create script file for JEE Agent integration (%s).
BMCSSG1495E   Failed to connect with BMC Atrium SSO server for token attributes (%s).
BMCSSG1496E   Incompatible message type received from BMC Atrium SSO server for token attributes (%s).
BMCSSG1497E   Failed to delete agent from BMC Atrium SSO server (%s).
BMCSSG1498E   Failed to delete agent user account from SSO server (%s).
BMCSSG1499E   Failed to decode agent password (%s).
BMCSSG1500E   Entry in keystore does not refer to secret key (%s).
BMCSSG1501E   Failed to get secret key (%s).
BMCSSG1502E   Failed to get agent token id (%s).
BMCSSG1503E   Failed to get cookie name from server (%s).
BMCSSG1504E   Failed to get FIPS mode from server reply (%s).
BMCSSG1505E   Failed to get FIPS mode from server (%s).
BMCSSG1506E   BMC Atrium SSO server is operating in FIPS mode but this agent is not in FIPS mode.
BMCSSG1507E   BMC Atrium SSO server is not operating in FIPS mode but this agent is in FIPS mode.
BMCSSG1508E   BMC Atrium SSO server is currently not available.
BMCSSG1509E   Failed to convert URL to URI (%s).
BMCSSG1510E   Failed to compose notification URL (%s).
BMCSSG1511E   Failed to access agent attribute (%s) from server (%s).
BMCSSG1512E   Exceeded redirection limit.
BMCSSG1513E   Failed to decode cookie (%s).
BMCSSG1514E   Required identity event attribute missing (%s).
BMCSSG1515E   Failed to get repository for identity listener (%s).
BMCSSG1516E   Required token event attribute missing (%s).
BMCSSG1517E   Failed to download and configure agent (%s).
BMCSSG1518E   Agent was renamed- local configuration must be updated.
BMCSSG1519E   Agent was deleted- local configuration must be updated.
BMCSSG1520E   Failed to get time from server reply (%s).
BMCSSG1521E   Failed to create TLS socket factory (%s).
BMCSSG1522E   Failed to start web receiver thread (%s).
BMCSSG1523E   Failed to find Tomcat v5 bin directory (%s).
BMCSSG1524E   Failed to access script file for JEE Agent integration (%s).
BMCSSG1525E   Failed to create script file for JEE Agent integration (%s).
BMCSSG1526E   Unable to get servlet context path. Use atsso.context.path in servlet init parameter.
BMCSSG1527E   Unknown contain type specified (%s).
BMCSSG1528E   Failed to find WebSphere script. Internal error. Contact BMC Software, Inc.
BMCSSG1529E   Failed to parse command line options for WebSphere7 (%s).
BMCSSG1530E   Instance directory specified does not exist (%s).
BMCSSG1531E   Failed to load WebSphere script (%s). Internal error. Contact BMC Software, Inc.
BMCSSG1532E   Failed to execute WebSphere script (%s).
BMCSSG1533E   WebSphere script failed.
BMCSSG1534E   Failed to store support utility program.
BMCSSG1535E   Failed to parse command line options for JBoss (%s).
BMCSSG1536E   Failed to find run.conf file (%s).
BMCSSG1537E   Failed to connect with BMC Atrium SSO server (%s). Is it running? Are the credentials correct?
BMCSSG1538E   Failed creating AR service (%s).
BMCSSG1539E   Failed to configure AR module (%s).
BMCSSG1540E   Failed creating AR module (%s).
BMCSSG1541E   Failed creating AR chain (%s).
BMCSSG1542E   Failed adding AR module to AR chain (%s).
BMCSSG1543E   Failed authentication with AR server (%s).
BMCSSG1544E   Failed to connect with AR server.
BMCSSG1545E   Unsupported type for operation with AR Server data source.
BMCSSG1546E   Failed to get groups for user (%s).
BMCSSG1547E   AR Server data source only supports group memberships.
BMCSSG1548E   AR Server host name not configured.
BMCSSG1549E   AR Server port number not configured.
BMCSSG1550E   Failed to create new agent account (%s) in BMC Atrium SSO server. Delete agent in administrator console and try again.
BMCSSG1551E   Failed adding DataStore module to AR chain (%s).
BMCSSG1552E   Data store failed to connect to AR Server using administrator account.
BMCSSG1553I   AR authentication allowed guest login but that option is blocked.
BMCSSG1554E   Failed to convert file for UNIX execution.
BMCSSG1555E   Failed to load provider for keystore type (%s).
BMCSSG1556E   Failed to load provider for truststore type (%s).
BMCSSG1557E   Failed to load keystore (%s).
BMCSSG1558E   Failed to load truststore (%s).
BMCSSG1559E   Failed to transfer public certificate to truststore (%s).
BMCSSG1560E   Failed to save truststore (%s).
BMCSSG1561E   Failed to remove old truststore.
BMCSSG1562E   Failed to replace old truststore.
BMCSSG1563E   BMC Atrium SSO server is in FIPS mode but RSA library is not FIPS compliant.
BMCSSG1564E   Failed to load specified provider class (%s): %s
BMCSSG1565E   Failed initializing to non-fips mode (%s).
BMCSSG1566E   Failed initializing to setup socket factory for LDAP (%s).
BMCSSG1567E   Failed to create socket for LDAP (%s).
BMCSSG1568E   Failed to initialize service.
BMCSSG1569E   Invalid parameter.
BMCSSG1570E   Failed to initialize service (%s).
BMCSSG1571E   Failed to initialize to receive notifications of FIPS service changes (%s).
BMCSSG1572E   BMC Atrium SSO server FIPS configuration is out of sync with server environment.
BMCSSG1573E   Not enforced file specified doesn't exist.
BMCSSG1574E   Failed to extract agent certificate from keystore (%s).
BMCSSG1575E   Source file name for conversion cannot be null.
BMCSSG1576E   Source type for conversion cannot be null.
BMCSSG1577E   Destination type for conversion cannot be null.
BMCSSG1578E   Failed to create temporary file for conversion (%s).
BMCSSG1579E   Destination file already exists.
BMCSSG1580E   Failed to open source keystore (%s).
BMCSSG1581E   Failed to create destination keystore (%s).
BMCSSG1582E   Failed to load destination keystore (%s).
BMCSSG1583E   Failed to get item from source keystore (%s).
BMCSSG1584E   Failed to move items into destination keystore (%s).
BMCSSG1585E   Failed to save destination keystore (%s).
BMCSSG1586E   Failed to open destination keystore (%s).
BMCSSG1587E   Failed to delete old destination keystore (%s).
BMCSSG1588E   Failed to rename new destination keystore (%s).
BMCSSG1589E   Failed to capture BMC Atrium SSO server certificate (%s).
BMCSSG1590E   Unload directory doesn't exist.
BMCSSG1591E   Failed to parse Tomcat server.xml;
BMCSSG1592E   Failed to setup truststore (%s).
BMCSSG1593E   BMC Atrium SSO server is running in FIPS140 mode, but the SDK is not configured for FIPS140.
BMCSSG1594E   BMC Atrium SSO server is not running in FIPS140 mode, but the SDK is configured for FIPS140.
BMCSSG1595E   Upgrade utility failed to connect with BMC Atrium SSO Server.
BMCSSG1596E   Failed to open server defaults (%s).

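The tables above are written for a human reading one message at a time, but in practice these codes show up in agent and container logs, and a few of them are security findings rather than installation plumbing: cleartext HTTP to the SSO server (BMCSSG1231E, BMCSSG1245W), a declined or hostname-mismatched server certificate (BMCSSG1359E, BMCSSG1363E), a rejected client certificate on the notification channel (BMCSSG1443E) and a FIPS mode mismatch between server and agent (BMCSSG1506E, BMCSSG1507E). The Python script below is an added example, not BMC code and not part of the guide: it takes the %s/%d templates verbatim from the tables, compiles each into a regex that extracts the substituted arguments, and triages constructed log lines. The log line layout (timestamp, level, logger, code, message), the reading of the code suffix as E=error, W=warning, I=info, and the set of codes treated as security findings are assumptions made for the example.

```python
"""Triage BMC Atrium SSO BMCSSG messages found in agent or container logs.

Added example. Message templates are copied from the Appendix B tables;
the log line layout, the E/W/I severity reading and the list of codes
treated as security findings are assumptions made for this example.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# A subset of the documented message templates, verbatim from the tables.
TEMPLATES: Dict[str, str] = {
    "BMCSSG1222E": "Failed to connect with BMC Atrium SSO server.",
    "BMCSSG1231E": "Trying to use insecure communications protocol HTTP instead of HTTPS. "
                   "Must use HTTPS for server URL (%s).",
    "BMCSSG1245W": "Specified insecure HTTP protocol for BMC Atrium SSO server (%s).",
    "BMCSSG1359E": "Used declined certificate from server (%s).",
    "BMCSSG1363E": "Server presented certificate unusable for server verification. CN must be hostname.",
    "BMCSSG1415E": "Received unsuccessful result code (%s) from HTTP send: %s",
    "BMCSSG1443E": "Invalid client certificate presented for notification (%s).",
    "BMCSSG1506E": "BMC Atrium SSO server is operating in FIPS mode but this agent is not in FIPS mode.",
    "BMCSSG1507E": "BMC Atrium SSO server is not operating in FIPS mode but this agent is in FIPS mode.",
}

# Assumed triage rule set: codes whose appearance means the trust path between
# agent and SSO server is weaker than intended, not merely that a step failed.
SECURITY_RELEVANT: Dict[str, str] = {
    "BMCSSG1231E": "cleartext HTTP to SSO server",
    "BMCSSG1245W": "cleartext HTTP to SSO server",
    "BMCSSG1359E": "declined server certificate was used anyway",
    "BMCSSG1363E": "server certificate CN does not match hostname",
    "BMCSSG1443E": "client certificate rejected on notification channel",
    "BMCSSG1506E": "FIPS mode mismatch between server and agent",
    "BMCSSG1507E": "FIPS mode mismatch between server and agent",
}

# Assumed reading of the one-letter suffix used in the tables.
SEVERITY = {"E": "error", "W": "warning", "I": "info"}

CODE_RE = re.compile(r"\b(BMCSSG\d{4}[EWI])\b")


def template_to_regex(template: str) -> "re.Pattern[str]":
    """Compile a printf-style template into a regex; each %s/%d becomes a capture group."""
    pieces = []
    for part in re.split(r"(%[sd])", template):
        if part == "%s":
            pieces.append(r"(.+?)")
        elif part == "%d":
            pieces.append(r"(-?\d+)")
        else:
            pieces.append(re.escape(part))
    return re.compile("".join(pieces))


@dataclass
class Finding:
    code: str
    severity: str
    args: Tuple[str, ...]
    security_note: Optional[str]


def parse_line(line: str) -> Optional[Finding]:
    """Find a BMCSSG code in a log line; when its template is known, extract the arguments."""
    m = CODE_RE.search(line)
    if not m:
        return None
    code = m.group(1)
    rest = line[m.end():].strip()
    args: Tuple[str, ...] = ()
    template = TEMPLATES.get(code)
    if template:
        am = template_to_regex(template).fullmatch(rest)
        if am:
            args = am.groups()
    return Finding(code, SEVERITY[code[-1]], args, SECURITY_RELEVANT.get(code))


def triage(lines: List[str]) -> List[Finding]:
    return [f for f in (parse_line(ln) for ln in lines) if f is not None]


def security_findings(lines: List[str]) -> List[Finding]:
    return [f for f in triage(lines) if f.security_note]


def count_by_severity(lines: List[str]) -> Dict[str, int]:
    return dict(Counter(f.severity for f in triage(lines)))


# Constructed sample log; the timestamp/level/logger prefix is an assumption.
SAMPLE_LOG = [
    "2011-03-02 10:14:01,233 ERROR [atsso.agent] BMCSSG1231E Trying to use insecure communications protocol HTTP instead of HTTPS. Must use HTTPS for server URL (http://sso.example.internal:8080/atriumsso).",
    "2011-03-02 10:14:05,910 ERROR [atsso.agent] BMCSSG1222E Failed to connect with BMC Atrium SSO server.",
    "2011-03-02 10:14:09,004 ERROR [atsso.agent] BMCSSG1363E Server presented certificate unusable for server verification. CN must be hostname.",
    "2011-03-02 10:14:12,771 ERROR [atsso.agent] BMCSSG1415E Received unsuccessful result code (403) from HTTP send: Forbidden",
    "2011-03-02 10:14:15,002 INFO  [atsso.deployer] BMCSSG1322I Detected agent installation.",
    "2011-03-02 10:14:20,555 ERROR [atsso.agent] BMCSSG1506E BMC Atrium SSO server is operating in FIPS mode but this agent is not in FIPS mode.",
]

if __name__ == "__main__":
    for f in security_findings(SAMPLE_LOG):
        print(f"{f.code} [{f.severity}] {f.security_note}: {f.args}")
    print(count_by_severity(SAMPLE_LOG))
```

The template-to-regex step is what makes the tables useful for detection: the `%s` in BMCSSG1231E is the offending URL, the two `%s` in BMCSSG1415E are the HTTP status and reason, so the extracted values can be matched against the expected SSO server address or counted per host instead of being left inside free text. Codes that are not in `TEMPLATES` still produce a finding with their severity, so nothing is silently dropped.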
Third-party product terms The following terms apply to third-party products that are included with or in a BMC Software product as described in the BMC Software, Inc., License Agreement that is applicable to the BMC Software product. Sun Microsystems, Inc. Binary Code License Agreement for the JDK 5.0 Sun Microsystems, Inc. Binary Code License Agreement for the JAVA 2 PLATFORM STANDARD EDITION DEVELOPMENT KIT 5.0 SUN MICROSYSTEMS, INC. ('SUN') IS WILLING TO LICENSE THE SOFTWARE IDENTIFIED BELOW TO YOU ONLY UPON THE CONDITION THAT YOU ACCEPT ALL OF THE TERMS CONTAINED IN THIS BINARY CODE LICENSE AGREEMENT AND SUPPLEMENTAL LICENSE TERMS (COLLECTIVELY 'AGREEMENT'). PLEASE READ THE AGREEMENT CAREFULLY. BY DOWNLOADING OR INSTALLING THIS SOFTWARE, YOU ACCEPT THE TERMS OF THE AGREEMENT. INDICATE ACCEPTANCE BY SELECTING THE 'ACCEPT' BUTTON AT THE BOTTOM OF THE AGREEMENT. IF YOU ARE NOT WILLING TO BE BOUND BY ALL THE TERMS, SELECT THE 'DECLINE' BUTTON AT THE BOTTOM OF THE AGREEMENT AND THE DOWNLOAD OR INSTALL PROCESS WILL NOT CONTINUE. 1. DEFINITIONS. 'Software' means the identified above in binary form, any other machine readable materials (including, but not limited to, libraries, source files, header files, and data files), any updates or error corrections provided by Sun, and any user manuals, programming guides and other documentation provided to you by Sun under this Agreement. 'Programs' mean Java applets and applications intended to run on the Java 2 Platform Standard Edition (J2SE platform) platform on Java-enabled general purpose desktop computers and servers. 2. LICENSE TO USE. Subject to the terms and conditions of this Agreement, including, but not limited to the Java Technology Restrictions of the Supplemental License Terms, Sun grants you a non-exclusive, non-transferable, limited license without license fees to reproduce and use internally Software complete and unmodified for the sole purpose of running Programs. 
Additional licenses for developers and/or publishers are granted in the Supplemental License Terms. 3. RESTRICTIONS. Software is confidential and copyrighted. Title to Software and all associated intellectual property rights is retained by Sun and/or its licensors. Unless enforcement is prohibited by applicable law, you may not modify, decompile, or reverse engineer Software. You acknowledge that Licensed Software is not designed or intended for use in the design, construction, operation or maintenance of any nuclear facility. Sun Microsystems, Inc. disclaims any express or implied warranty of fitness for such uses. No right, title or interest in or to any trademark, service mark, logo or trade name of Sun or its licensors is granted under this Agreement. Additional restrictions for developers and/or publishers licenses are set forth in the Supplemental License Terms. 4. LIMITED WARRANTY. Sun warrants to you that for a period of ninety (90) days from the date of purchase, as evidenced by a copy of the receipt, the media on which Software is furnished (if any) will be free of defects in materials and workmanship under normal use. Except for the foregoing, Software is provided 'AS IS'. Your exclusive remedy and Sun's entire liability under this limited warranty will be at Sun's option to replace Software media or refund the fee paid for Software. Any implied warranties on the Software are limited to 90 days. Some states do not allow limitations on duration of an implied warranty, so the above may not apply to you. This limited warranty gives you specific legal rights. You may have others, which vary from state to state. 5. DISCLAIMER OF WARRANTY. UNLESS SPECIFIED IN THIS AGREEMENT, ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT THESE DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. 6. LIMITATION OF LIABILITY. 
TO THE EXTENT NOT PROHIBITED BY LAW, IN NO EVENT WILL SUN OR ITS LICENSORS BE LIABLE FOR ANY LOST REVENUE, PROFIT OR DATA, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL OR PUNITIVE DAMAGES, HOWEVER CAUSED REGARDLESS OF THE THEORY OF LIABILITY, ARISING OUT OF OR RELATED TO THE USE OF OR INABILITY TO USE SOFTWARE, EVEN IF SUN HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. In no event will Sun's liability to you, whether in contract, tort (including negligence), or otherwise, exceed the amount paid by you for Software under this Agreement. The foregoing limitations will apply even if the above stated warranty fails of its essential purpose. Some states do not allow the exclusion of incidental or consequential damages, so some of the terms above may not be applicable to you. 7. TERMINATION. This Agreement is effective until terminated. You may terminate this Agreement at any time by destroying all copies of Software. This Agreement will terminate immediately without notice from Sun if you fail to comply with any provision of this Agreement. Either party may terminate this Agreement immediately should any Software become, or in either party's opinion be likely to become, the subject of a claim of infringement of any intellectual property right. Upon Termination, you must destroy all copies of Software. 8. EXPORT REGULATIONS. All Software and technical data delivered under this Agreement are subject to US export control laws and may be subject to export or import regulations in other countries. You agree to comply strictly with all such laws and regulations and acknowledge that you have the responsibility to obtain such licenses to export, re-export, or import as may be required after delivery to you. 9. TRADEMARKS AND LOGOS. 
You acknowledge and agree as between you and Sun that Sun owns the SUN, SOLARIS, JAVA, JINI, FORTE, and iPlanet trademarks and all SUN, SOLARIS, JAVA, JINI, FORTE, and iPlanet-related trademarks, service marks, logos and other brand designations ('Sun Marks'), and you agree to comply with the Sun Trademark and Logo Usage Requirements currently located at http://www.sun.com/policies/trademarks. Any use you make of the Sun Marks inures to Sun's benefit. 10. U.S. GOVERNMENT RESTRICTED RIGHTS. If Software is being acquired by or on behalf of the U.S. Government or by a U.S. Government prime contractor or subcontractor (at any tier), then the Government's rights in Software and accompanying documentation will be only as set forth in this Agreement; this is in accordance with 48 CFR 227.7201 through 227.7202-4 (for Department of Defense (DOD) acquisitions) and with 48 CFR 2.101 and 12.212 (for non-DOD acquisitions). 11. GOVERNING LAW. Any action related to this Agreement will be governed by California law and controlling U.S. federal law. No choice of law rules of any jurisdiction will apply. 12. SEVERABILITY. If any provision of this Agreement is held to be unenforceable, this Agreement will remain in effect with the provision omitted, unless omission would frustrate the intent of the parties, in which case this Agreement will immediately terminate. 13. INTEGRATION. This Agreement is the entire agreement between you and Sun relating to its subject matter. It supersedes all prior or contemporaneous oral or written communications, proposals, representations and warranties and prevails over any conflicting or additional terms of any quote, order, acknowledgment, or other communication between the parties relating to its subject matter during the term of this Agreement. No modification of this Agreement will be binding, unless in writing and signed by an authorized representative of each party. SUPPLEMENTAL LICENSE TERMS These Supplemental License Terms add to or modify the terms of the Binary Code License Agreement. Capitalized terms not defined in these Supplemental Terms shall have the same meanings ascribed to them in the Binary Code License Agreement. These Supplemental Terms shall supersede any inconsistent or conflicting terms in the Binary Code License Agreement, or in any license contained within the Software. A. Software Internal Use and Development License Grant. Subject to the terms and conditions of this Agreement and restrictions and exceptions set forth in the Software 'README' file, including, but not limited to the Java Technology Restrictions of these Supplemental Terms, Sun grants you a non-exclusive, non-transferable, limited license without fees to reproduce internally and use internally the Software complete and unmodified for the purpose of designing, developing, and testing your Programs. B. License to Distribute Software. 
Subject to the terms and conditions of this Agreement and restrictions and exceptions set forth in the Software README file, including, but not limited to the Java Technology Restrictions of these Supplemental Terms, Sun grants you a non-exclusive, non-transferable, limited license without fees to reproduce and distribute the Software, provided that (i) you distribute the Software complete and unmodified and only bundled as part of, and for the sole purpose of running, your Programs, (ii) the Programs add significant and primary functionality to the Software, (iii) you do not distribute additional software intended to replace any component(s) of the Software, (iv) you do not remove or alter any proprietary legends or notices contained in the Software, (v) you only distribute the Software subject to a license agreement that protects Sun's interests consistent with the terms contained in this Agreement, and (vi) you agree to defend and indemnify Sun and its licensors from and against any damages, costs, liabilities, settlement amounts and/or expenses (including attorneys' fees) incurred in connection with any claim, lawsuit or action by any third party that arises or results from the use or distribution of any and all Programs and/or Software. C. License to Distribute Redistributables. 
Subject to the terms and conditions of this Agreement and restrictions and exceptions set forth in the Software README file, including but not limited to the Java Technology Restrictions of these Supplemental Terms, Sun grants you a non-exclusive, non-transferable, limited license without fees to reproduce and distribute those files specifically identified as redistributable in the Software 'README' file ('Redistributables') provided that: (i) you distribute the Redistributables complete and unmodified, and only bundled as part of Programs, (ii) the Programs add significant and primary functionality to the Redistributables, (iii) you do not distribute additional software intended to supersede any component(s) of the Redistributables (unless otherwise specified in the applicable README file), (iv) you do not remove or alter any proprietary legends or notices contained in or on the Redistributables, (v) you only distribute the Redistributables pursuant to a license agreement that protects Sun's interests consistent with the terms contained in the Agreement, (vi) you agree to defend and indemnify Sun and its licensors from and against any damages, costs, liabilities, settlement amounts and/or expenses (including attorneys' fees) incurred in connection with any claim, lawsuit or action by any third party that arises or results from the use or distribution of any and all Programs and/or Software. D. Java Technology Restrictions. You may not create, modify, or change the behavior of, or authorize your licensees to create, modify, or change the behavior of, classes, interfaces, or subpackages that are in any way identified as 'java', 'javax', 'sun' or similar convention as specified by Sun in any naming convention designation. E. Distribution by Publishers. This section pertains to your distribution of the Software with your printed book or magazine (as those terms are commonly used in the industry) relating to Java technology ('Publication'). 
Subject to and conditioned upon your compliance with the restrictions and obligations contained in the Agreement, in addition to the license granted in Paragraph 1 above, Sun hereby grants to you a non-exclusive, nontransferable limited right to reproduce complete and unmodified copies of the Software on electronic media (the 'Media') for the sole purpose of inclusion and distribution with your Publication(s), subject to the following terms: (i) You may not distribute the Software on a stand-alone basis; it must be distributed with your Publication(s); (ii) You are responsible for downloading the Software from the applicable Sun web site; (iii) You must refer to the Software as JavaTM 2 Platform Standard Edition Development Kit 5.0; (iv) The Software must be reproduced in its entirety and wit hout any modification whatsoever (including, without limitation, the Binary Code License and Supplemental License Terms accompanying the Software and proprietary rights notices contained in the Software); (v) The Media label shall include the following information: Copyright 2006, Sun Microsystems, Inc. All rights reserved. Use is subject to license terms. Sun, Sun Microsystems, the Sun logo, Solaris, Java, the Java Coffee Cup logo, J2SE, and all trademarks and logos based on Java are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries. This information must be placed on the Media label in such a manner as to only apply to the Sun Software; (vi) You must clearly identify the Software as Sun's product on the Media holder or Media label, and you may not state or imply that Sun is responsible for any third-party software contained on the Media; (vii) You may not include any third party software on the Media which is intended to be a replacement or substitute for the Soft ware; (viii) You shall indemnify Sun for all damages arising from your failure to comply with the requirements of this Agreement. 
In addition, you shall defend, at your expense, any and all claims brought against Sun by third parties, and shall pay all damages awarded by a court of competent jurisdiction, or such settlement amount negotiated by you, arising out of or in connection with your use, reproduction or distribution of the Software and/or the Publication. Your obligation to provide indemnification under this section shall arise provided that Sun: (a) provides you prompt notice of the claim; (b) gives you sole control of the defense and settlement of the claim; (c) provides you, at your expense, with all available information, assistance and authority to defend; and (d) has not compromised or settled such claim without your prior written consent; and (ix) You shall provide Sun with a written notice for each Publication; such notice shall include the following information: (1) title of Publication, (2) author(s), (3) date of Publication, and (4) ISBN or ISSN numbers. Such notice shall be sent to Sun Microsystems, Inc., 4150 Network Circle, M/S USCA12-110, Santa Clara, California 95054, U.S.A, Attention: Contracts Administration. F. Source Code. Software may contain source code that, unless expressly licensed for other purposes, is provided solely for reference purposes pursuant to the terms of this Agreement. Source code may not be redistributed unless expressly provided for in this Agreement.

G. Third Party Code. Additional copyright notices and license terms applicable to portions of the Software are set forth in the THIRDPARTYLICENSEREADME.txt file. In addition to any terms and conditions of any third party opensource/freeware license identified in the THIRDPARTYLICENSEREADME.txt file, the disclaimer of warranty and limitation of liability provisions in paragraphs 5 and 6 of the Binary Code License Agreement shall apply to all Software in this distribution.

H. Termination for Infringement. Either party may terminate this Agreement immediately should any Software become, or in either party's opinion be likely to become, the subject of a claim of infringement of any intellectual property right.

For inquiries please contact: Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, California 95054, U.S.A.

Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/

TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

1. Definitions.

"License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document.

"Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License.

"Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity.

"You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License.

"Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files.

"Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types.

"Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below).

"Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof.

"Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution."

"Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work.

2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form.

3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed.

4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions:

a. you must give any other recipients of the Work or Derivative Works a copy of this License; and
b. you must cause any modified files to carry prominent notices stating that You changed the files; and
c. you must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and
d. if the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License.

You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License.

5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions.

6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file.

7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License.

8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages.

9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability.

END OF TERMS AND CONDITIONS

APPENDIX: How to apply the Apache License to your work

To apply the Apache License to your work, attach the following boilerplate notice, with the fields enclosed by brackets "[]" replaced with your own identifying information. (Don't include the brackets!) The text should be enclosed in the appropriate comment syntax for the file format. We also recommend that a file or class name and description of purpose be included on the same "printed page" as the copyright notice for easier identification within third-party archives.
Copyright [yyyy] [name of copyright owner]

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/license-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Copyright 2009 The Apache Software Foundation, Licensed under the Apache License, Version 2.0. Apache and the Apache feather logo are trademarks of The Apache Software Foundation.

Third-Party Product Terms

The following terms apply to third-party products that are included with or in a BMC Software product as described in the BMC Software, Inc., License Agreement that is applicable to the product.

Sun Microsystems, Inc. Binary Code License Agreement

1. LICENSE TO USE. Sun grants you a non-exclusive and non-transferable license for the internal use only of the accompanying software and documentation and any error corrections provided by Sun (collectively "Software"), by the number of users and the class of computer hardware for which the corresponding fee has been paid.

2. RESTRICTIONS. Software is confidential and copyrighted. Title to Software and all associated intellectual property rights is retained by Sun and/or its licensors. Except as specifically authorized in any Supplemental License Terms, you may not make copies of Software, other than a single copy of Software for archival purposes. Unless enforcement is prohibited by applicable law, you may not modify, decompile, or reverse engineer Software. Licensee acknowledges that Licensed Software is not designed or intended for use in the design, construction, operation or maintenance of any nuclear facility. Sun Microsystems, Inc. disclaims any express or implied warranty of fitness for such uses. No right, title or interest in or to any trademark, service mark, logo or trade name of Sun or its licensors is granted under this Agreement.

3. LIMITED WARRANTY. Sun warrants to you that for a period of ninety (90) days from the date of purchase, as evidenced by a copy of the receipt, the media on which Software is furnished (if any) will be free of defects in materials and workmanship under normal use. Except for the foregoing, Software is provided "AS IS". Your exclusive remedy and Sun's entire liability under this limited warranty will be at Sun's option to replace Software media or refund the fee paid for Software.

4. DISCLAIMER OF WARRANTY. UNLESS SPECIFIED IN THIS AGREEMENT, ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT THESE DISCLAIMERS ARE HELD TO BE LEGALLY INVALID.

5. LIMITATION OF LIABILITY. TO THE EXTENT NOT PROHIBITED BY LAW, IN NO EVENT WILL SUN OR ITS LICENSORS BE LIABLE FOR ANY LOST REVENUE, PROFIT OR DATA, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL OR PUNITIVE DAMAGES, HOWEVER CAUSED REGARDLESS OF THE THEORY OF LIABILITY, ARISING OUT OF OR RELATED TO THE USE OF OR INABILITY TO USE SOFTWARE, EVEN IF SUN HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. In no event will Sun's liability to you, whether in contract, tort (including negligence), or otherwise, exceed the amount paid by you for Software under this Agreement. The foregoing limitations will apply even if the above stated warranty fails of its essential purpose.

6. Termination. This Agreement is effective until terminated. You may terminate this Agreement at any time by destroying all copies of Software. This Agreement will terminate immediately without notice from Sun if you fail to comply with any provision of this Agreement. Upon Termination, you must destroy all copies of Software.

7. Export Regulations. All Software and technical data delivered under this Agreement are subject to US export control laws and may be subject to export or import regulations in other countries. You agree to comply strictly with all such laws and regulations and acknowledge that you have the responsibility to obtain such licenses to export, re-export, or import as may be required after delivery to you.

8. U.S. Government Restricted Rights. If Software is being acquired by or on behalf of the U.S. Government or by a U.S. Government prime contractor or subcontractor (at any tier), then the Government's rights in Software and accompanying documentation will be only as set forth in this Agreement; this is in accordance with 48 CFR 227.7201 through 227.7202-4 (for Department of Defense (DOD) acquisitions) and with 48 CFR 2.101 and 12.212 (for non-DOD acquisitions).

9. Governing Law. Any action related to this Agreement will be governed by California law and controlling U.S. federal law. No choice of law rules of any jurisdiction will apply.

10. Severability. If any provision of this Agreement is held to be unenforceable, this Agreement will remain in effect with the provision omitted, unless omission would frustrate the intent of the parties, in which case this Agreement will immediately terminate.

11. Integration. This Agreement is the entire agreement between you and Sun relating to its subject matter.
It supersedes all prior or contemporaneous oral or written communications, proposals, representations and warranties and prevails over any conflicting or additional terms of any quote, order, acknowledgment, or other communication between the parties relating to its subject matter during the term of this Agreement. No modification of this Agreement will be binding, unless in writing and signed by an authorized representative of each party.

JAVA(TM) INTERFACE CLASSES
JAVA API FOR XML-BASED RPC API CLASS FILES, VERSION 1.1
SUPPLEMENTAL LICENSE TERMS

These supplemental license terms ("Supplemental Terms") add to or modify the terms of the Binary Code License Agreement (collectively, the "Agreement"). Capitalized terms not defined in these Supplemental Terms shall have the same meanings ascribed to them in the Agreement. These Supplemental Terms shall supersede any inconsistent or conflicting terms in the Agreement, or in any license contained within the Software.

1. Software Internal Use and Development License Grant. Subject to the terms and conditions of this Agreement, including, but not limited to Section 3 (Java(TM) Technology Restrictions) of these Supplemental Terms, Sun grants you a non-exclusive, non-transferable, limited license to reproduce internally and use internally the binary form of the Software, complete and unmodified, for the sole purpose of designing, developing and testing your Java applets and applications ("Programs").

2. License to Distribute Software. In addition to the license granted in Section 1 (Software Internal Use and Development License Grant) of these Supplemental Terms, subject to the terms and conditions of this Agreement, including but not limited to Section 3 (Java Technology Restrictions), Sun grants you a non-exclusive, non-transferable, limited license to reproduce and distribute the Software in binary form only, provided that you (i) distribute the Software complete and unmodified and only bundled as part of your Programs, (ii) do not distribute additional software intended to replace any component(s) of the Software, (iii) do not remove or alter any proprietary legends or notices contained in the Software, (iv) only distribute the Software subject to a license agreement that protects Sun's interests consistent with the terms contained in this Agreement, and (v) agree to defend and indemnify Sun and its licensors from and against any damages, costs, liabilities, settlement amounts and/or expenses

3. Java Technology Restrictions. You may not modify the Java Platform Interface ("JPI", identified as classes contained within the "java" package or any subpackages of the "java" package), by creating additional classes within the JPI or otherwise causing the addition to or modification of the classes in the JPI. In the event that you create an additional class and associated API(s) which (i) extends the functionality of the Java Platform, and (ii) is exposed to third party software developers for the purpose of developing additional software which invokes such additional API, you must promptly publish broadly an accurate specification for such API for free use by all developers. You may not create, or authorize your licensees to create additional classes, interfaces, or subpackages that are in any way identified as "java", "javax", "sun" or similar convention as specified by Sun in any naming convention designation.

4. Trademarks and Logos. You acknowledge and agree as between you and Sun that Sun owns the SUN, SOLARIS, JAVA, JINI, FORTE, and iPlanet trademarks and all SUN, SOLARIS, JAVA, JINI, FORTE, and iPlanet-related trademarks, service marks, logos and other brand designations ("Sun Marks"), and you agree to comply with the Sun Trademark and Logo Usage Requirements currently located at http://www.sun.com/policies/trademarks. Any use you make of the Sun Marks inures to Sun's benefit.

5. Source Code. Software may contain source code that is provided solely for reference purposes pursuant to the terms of this Agreement. Source code may not be redistributed unless expressly provided for in this Agreement.

6. Termination for Infringement. Either party may terminate this Agreement immediately should any Software become, or in either party's opinion be likely to become, the subject of a claim of infringement of any intellectual property right.

For inquiries please contact: Sun Microsystems, Inc. 4150 Network Circle, Santa Clara, California 95054 (LFI#136499/Form ID#011801)

COMMON DEVELOPMENT AND DISTRIBUTION LICENSE (CDDL) Version 1.0

1. Definitions.

1.1. Contributor means each individual or entity that creates or contributes to the creation of Modifications.

1.2. Contributor Version means the combination of the Original Software, prior Modifications used by a Contributor (if any), and the Modifications made by that particular Contributor.

1.3. Covered Software means (a) the Original Software, or (b) Modifications, or (c) the combination of files containing Original Software with files containing Modifications, in each case including portions thereof.

1.4. Executable means the Covered Software in any form other than Source Code.

1.5. Initial Developer means the individual or entity that first makes Original Software available under this License.

1.6. Larger Work means a work which combines Covered Software or portions thereof with code not governed by the terms of this License.

1.7. License means this document.

1.8. Licensable means having the right to grant, to the maximum extent possible, whether at the time of the initial grant or subsequently acquired, any and all of the rights conveyed herein.

1.9. Modifications means the Source Code and Executable form of any of the following:
    A. Any file that results from an addition to, deletion from or modification of the contents of a file containing Original Software or previous Modifications;
    B. Any new file that contains any part of the Original Software or previous Modification; or
    C. Any new file that is contributed or otherwise made available under the terms of this License.

1.10. Original Software means the Source Code and Executable form of computer software code that is originally released under this License.

1.11. Patent Claims means any patent claim(s), now owned or hereafter acquired, including without limitation, method, process, and apparatus claims, in any patent Licensable by grantor.

1.12. Source Code means (a) the common form of computer software code in which modifications are made and (b) associated documentation included in or with such code.

1.13. You (or Your) means an individual or a legal entity exercising rights under, and complying with all of the terms of, this License. For legal entities, You includes any entity which controls, is controlled by, or is under common control with You. For purposes of this definition, control means (a) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (b) ownership of more than fifty percent (50%) of the outstanding shares or beneficial ownership of such entity.

2. License Grants.

2.1. The Initial Developer Grant. Conditioned upon Your compliance with Section 3.1 below and subject to third party intellectual property claims, the Initial Developer hereby grants You a world-wide, royalty-free, non-exclusive license:
    (a) under intellectual property rights (other than patent or trademark) Licensable by Initial Developer, to use, reproduce, modify, display, perform, sublicense and distribute the Original Software (or portions thereof), with or without Modifications, and/or as part of a Larger Work; and
    (b) under Patent Claims infringed by the making, using or selling of Original Software, to make, have made, use, practice, sell, and offer for sale, and/or otherwise dispose of the Original Software (or portions thereof).
    (c) The licenses granted in Sections 2.1(a) and (b) are effective on the date Initial Developer first distributes or otherwise makes the Original Software available to a third party under the terms of this License.
    (d) Notwithstanding Section 2.1(b) above, no patent license is granted: (1) for code that You delete from the Original Software, or (2) for infringements caused by: (i) the modification of the Original Software, or (ii) the combination of the Original Software with other software or devices.

2.2. Contributor Grant. Conditioned upon Your compliance with Section 3.1 below and subject to third party intellectual property claims, each Contributor hereby grants You a world-wide, royalty-free, non-exclusive license:
    (a) under intellectual property rights (other than patent or trademark) Licensable by Contributor to use, reproduce, modify, display, perform, sublicense and distribute the Modifications created by such Contributor (or portions thereof), either on an unmodified basis, with other Modifications, as Covered Software and/or as part of a Larger Work; and
    (b) under Patent Claims infringed by the making, using, or selling of Modifications made by that Contributor either alone and/or in combination with its Contributor Version (or portions of such combination), to make, use, sell, offer for sale, have made, and/or otherwise dispose of: (1) Modifications made by that Contributor (or portions thereof); and (2) the combination of Modifications made by that Contributor with its Contributor Version (or portions of such combination).
    (c) The licenses granted in Sections 2.2(a) and 2.2(b) are effective on the date Contributor first distributes or otherwise makes the Modifications available to a third party.
    (d) Notwithstanding Section 2.2(b) above, no patent license is granted: (1) for any code that Contributor has deleted from the Contributor Version; (2) for infringements caused by: (i) third party modifications of Contributor Version, or (ii) the combination of Modifications made by that Contributor with other software (except as part of the Contributor Version) or other devices; or (3) under Patent Claims infringed by Covered Software in the absence of Modifications made by that Contributor.

3. Distribution Obligations.

3.1. Availability of Source Code. Any Covered Software that You distribute or otherwise make available in Executable form must also be made available in Source Code form and that Source Code form must be distributed only under the terms of this License. You must include a copy of this License with every copy of the Source Code form of the Covered Software You distribute or otherwise make available. You must inform recipients of any such Covered Software in Executable form as to how they can obtain such Covered Software in Source Code form in a reasonable manner on or through a medium customarily used for software exchange.

3.2. Modifications. The Modifications that You create or to which You contribute are governed by the terms of this License. You represent that You believe Your Modifications are Your original creation(s) and/or You have sufficient rights to grant the rights conveyed by this License.

3.3. Required Notices. You must include a notice in each of Your Modifications that identifies You as the Contributor of the Modification. You may not remove or alter any copyright, patent or trademark notices contained within the Covered Software, or any notices of licensing or any descriptive text giving attribution to any Contributor or the Initial Developer.

3.4. Application of Additional Terms. You may not offer or impose any terms on any Covered Software in Source Code form that alters or restricts the applicable version of this License or the recipients' rights hereunder. You may choose to offer, and to charge a fee for, warranty, support, indemnity or liability obligations to one or more recipients of Covered Software. However, you may do so only on Your own behalf, and not on behalf of the Initial Developer or any Contributor. You must make it absolutely clear that any such warranty, support, indemnity or liability obligation is offered by You alone, and You hereby agree to indemnify the Initial Developer and every Contributor for any liability incurred by the Initial Developer or such Contributor as a result of warranty, support, indemnity or liability terms You offer.

3.5. Distribution of Executable Versions. You may distribute the Executable form of the Covered Software under the terms of this License or under the terms of a license of Your choice, which may contain terms different from this License, provided that You are in compliance with the terms of this License and that the license for the Executable form does not attempt to limit or alter the recipient's rights in the Source Code form from the rights set forth in this License. If You distribute the Covered Software in Executable form under a different license, You must make it absolutely clear that any terms which differ from this License are offered by You alone, not by the Initial Developer or Contributor. You hereby agree to indemnify the Initial Developer and every Contributor for any liability incurred by the Initial Developer or such Contributor as a result of any such terms You offer.

3.6. Larger Works. You may create a Larger Work by combining Covered Software with other code not governed by the terms of this License and distribute the Larger Work as a single product. In such a case, You must make sure the requirements of this License are fulfilled for the Covered Software.

4. Versions of the License.

4.1. New Versions. Sun Microsystems, Inc. is the initial license steward and may publish revised and/or new versions of this License from time to time. Each version will be given a distinguishing version number. Except as provided in Section 4.3, no one other than the license steward has the right to modify this License.

4.2. Effect of New Versions. You may always continue to use, distribute or otherwise make the Covered Software available under the terms of the version of the License under which You originally received the Covered Software. If the Initial Developer includes a notice in the Original Software prohibiting it from being distributed or otherwise made available under any subsequent version of the License, You must distribute and make the Covered Software available under the terms of the version of the License under which You originally received the Covered Software. Otherwise, You may also choose to use, distribute or otherwise make the Covered Software available under the terms of any subsequent version of the License published by the license steward.

4.3. Modified Versions.
When You are an Initial Developer and You want to create a new license for Your Original Software, You may create and use a modified version of this License if You: (a) rename the license and remove any references to the name of the license steward (except to note that the license differs from this License); and (b) otherwise make it clear that the license contains terms which differ from this License. * 5. DISCLAIMER OF WARRANTY. COVERED SOFTWARE IS PROVIDED UNDER THIS LICENSE ON AN AS IS BASIS, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, WARRANTIES THAT THE COVERED SOFTWARE IS FREE OF DEFECTS, MERCHANTABLE, FIT FOR A PARTICULAR PURPOSE OR NON-INFRINGING. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE COVERED SOFTWARE IS WITH YOU. SHOULD ANY

COVERED SOFTWARE PROVE DEFECTIVE IN ANY RESPECT, YOU (NOT THE INITIAL DEVELOPER OR ANY OTHER CONTRIBUTOR) ASSUME THE COST OF ANY NECESSARY SERVICING, REPAIR OR CORRECTION. THIS DISCLAIMER OF WARRANTY CONSTITUTES AN ESSENTIAL PART OF THIS LICENSE. NO USE OF ANY COVERED SOFTWARE IS AUTHORIZED HEREUNDER EXCEPT UNDER THIS DISCLAIMER. * 6. TERMINATION. o 6.1. This License and the rights granted hereunder will terminate automatically if You fail to comply with terms herein and fail to cure such breach within 30 days of becoming aware of the breach. Provisions which, by their nature, must remain in effect beyond the termination of this License shall survive. o 6.2. If You assert a patent infringement claim (excluding declaratory judgment actions) against Initial Developer or a Contributor (the Initial Developer or Contributor against whom You assert such claim is referred to as Participant ) alleging that the Participant Software (meaning the Contributor Version where the Participant is a Contributor or the Original Software where the Participant is the Initial Developer) directly or indirectly infringes any patent, then any and all rights granted directly or indirectly to You by such Participant, the Initial Developer (if the Initial Developer is not the Participant) and all Contributors under Sections 2.1 and/or 2.2 of this License shall, upon 60 days notice from Participant terminate prospectively and automatically at the expiration of such 60 day notice period, unless if within such 60 day period You withdraw Your claim with respect to the Participant Software against such Participant either unilaterally or pursuant to a written agreement with Participant. o 6.3. In the event of termination under Sections 6.1 or 6.2 above, all end user licenses that have been validly granted by You or any distributor hereunder prior to termination (excluding licenses granted to You by any distributor) shall survive termination. * 7. LIMITATION OF LIABILITY. 
UNDER NO CIRCUMSTANCES AND UNDER NO LEGAL THEORY, WHETHER TORT (INCLUDING NEGLIGENCE), CONTRACT, OR OTHERWISE, SHALL YOU, THE INITIAL DEVELOPER, ANY OTHER CONTRIBUTOR, OR ANY DISTRIBUTOR OF COVERED SOFTWARE, OR ANY SUPPLIER OF ANY OF SUCH PARTIES, BE LIABLE TO ANY PERSON FOR ANY INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY CHARACTER INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOST PROFITS, LOSS OF GOODWILL, WORK STOPPAGE, COMPUTER FAILURE OR MALFUNCTION, OR ANY AND ALL OTHER COMMERCIAL DAMAGES OR LOSSES, EVEN IF SUCH PARTY SHALL HAVE BEEN INFORMED OF THE POSSIBILITY OF SUCH DAMAGES. THIS LIMITATION OF LIABILITY SHALL NOT APPLY TO LIABILITY FOR DEATH OR PERSONAL INJURY RESULTING FROM SUCH PARTY S NEGLIGENCE TO THE EXTENT APPLICABLE LAW PROHIBITS SUCH LIMITATION. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THIS EXCLUSION AND LIMITATION MAY NOT APPLY TO YOU. * 8. U.S. GOVERNMENT END USERS. The Covered Software is a commercial item, as that term is defined in 48 C.F.R. 2.101 (Oct. 1995), consisting of commercial computer software (as that term is defined at 48 C.F.R. 252.227-7014(a)(1)) and commercial computer software documentation as such terms are used in 48 C.F.R. 12.212 (Sept. 1995). Consistent with 48 C.F.R. 12.212 and 48 C.F.R. 227.7202-1 through 227.7202-4 (June 1995), all U.S. Government End Users acquire Covered Software with only those rights set forth herein. This U.S. Government Rights clause is in lieu of, and supersedes, any other FAR, DFAR, or other clause or provision that addresses Government rights in computer software under this License. * 9. MISCELLANEOUS. This License represents the complete agreement concerning subject matter hereof. If any provision of this License is held to be unenforceable, such provision shall be reformed only to the extent necessary to make it enforceable. 
This License shall be governed by the law of the jurisdiction specified in a notice contained within the Original Software (except to the extent applicable law, if any, provides otherwise), excluding such jurisdiction s conflict-of-law provisions. Any litigation relating to this License shall be subject to the jurisdiction of the courts located in the jurisdiction and venue specified in a notice contained within the Original Software, with the losing party responsible for costs, including, without limitation, court costs and reasonable attorneys fees and expenses. The application of the United Nations Convention on Contracts for the International Sale of Goods is expressly excluded. Any law or regulation which provides that the language of a contract shall be construed against the drafter shall not apply to this License. You agree that You alone are responsible for compliance with the United States export administration regulations (and the export control laws and regulation of any other countries) when You use, distribute or otherwise make available any Covered Software. * 10. RESPONSIBILITY FOR CLAIMS. As between Initial Developer and the Contributors, each party is responsible for claims and damages arising, directly or indirectly, out of its utilization of rights under this License and You agree to work with Initial Developer and Contributors to distribute such

responsibility on an equitable basis. Nothing herein is intended or shall be deemed to constitute any admission of liability.
