SSO & SSL on SM7.x with Apache & Tomcat

oralwide, 17 Nov 2013

This is a hands-on guide to setting up SSL and SSO (trusted sign-on) with Service Manager.

Testing environments

Windows 2003
> SM 7.11.281
> Oracle 10g
> jre1.5.0_15, jdk1.5.0_15
> Apache 2.2.17
> Tomcat 5.5.26
> Tomcat-Apache connector mod_jk-1.2.31-httpd-2.2.3.so (for win32)
> Win32 domain authentication module mod_auth_sspi-1.0.4-2.2.2.zip
> Internet Explorer 6

References

- SM7 Single Sign-On Authentication1(KM472182).pdf
- AD AND SSO Configuration (KM779302).docx
- SC-SM SSL Certificates Creator v1.2.exe
Solution

1. Download required files (refer to KM779302)

A. Download the SC-SM SSL certificate creator: SC-SM SSL Certificates Creator v1.2.exe
B. Download Java 1.5.0_15
C. Download Tomcat 5.5.26
D. Download Apache HTTP Server 2.2.17
E. Download the Tomcat-Apache httpd connector module
   ** If the versions do not match, you may see errors when starting Apache.
      In that case, check the error messages in the Windows event manager.
F. Download the Win32 domain authentication module
G. Ensure the application server is part of a domain.
   ** The SM server and the client PC should both be registered in the domain.
      If you are only building a test environment: 1) install DNS, 2) install Active Directory.
2. Service Manager configuration

1) sm.cfg

   sm -httpPort:13080 -sslConnector:0
   sm -httpPort:13081 -sslConnector:1 -httpsPort:13443 -ssl:1

2) sm.ini

   trustedsignon:1
   keystoreFile:server.keystore
   keystorePass:changeit
   truststoreFile:cacerts
   truststorePass:changeit
   ssl_trustedClientsJKS:trustedclients.keystore
   ssl_trustedClientsPwd:changeit
   ssl_reqClientAuth:2
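
The sm.ini above uses the keystore password changeit throughout, which the guide sets to make testing easier. As an added example (not part of the original guide or of HP's tooling), this Python check flags those values and confirms that trustedsignon:1 is paired with ssl_reqClientAuth:2 as in the guide; the function names and the '#' comment syntax are assumptions.

```python
# Added example (not from the original guide): audit sm.ini text for lab-only settings.
# SAMPLE_SM_INI is constructed from the values shown in step 2 of the guide.
SAMPLE_SM_INI = """\
trustedsignon:1
keystoreFile:server.keystore
keystorePass:changeit
truststoreFile:cacerts
truststorePass:changeit
ssl_trustedClientsJKS:trustedclients.keystore
ssl_trustedClientsPwd:changeit
ssl_reqClientAuth:2
"""

PASSWORD_KEYS = ("keystorePass", "truststorePass", "ssl_trustedClientsPwd")
STORE_KEYS = ("keystoreFile", "truststoreFile", "ssl_trustedClientsJKS")
WEAK_PASSWORDS = {"", "changeit"}  # the Java default the guide uses for testing


def parse_sm_ini(text):
    """Parse 'key:value' lines; blank lines and '#' comments are skipped (assumed syntax)."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")  # first ':' only, so drive-letter paths survive
        if sep:
            params[key.strip()] = value.strip()
    return params


def audit_sm_ini(text):
    """Return (key, finding) tuples for settings that should not reach production."""
    params = parse_sm_ini(text)
    findings = []
    for key in PASSWORD_KEYS:
        if key in params and params[key] in WEAK_PASSWORDS:
            findings.append((key, "default or empty store password"))
    if params.get("trustedsignon") == "1":
        if params.get("ssl_reqClientAuth") != "2":
            findings.append(("ssl_reqClientAuth", "trusted sign-on without the value 2 used in the guide"))
        for key in STORE_KEYS:
            if key not in params:
                findings.append((key, "store not configured"))
    return findings


if __name__ == "__main__":
    for key, finding in audit_sm_ini(SAMPLE_SM_INI):
        print(f"{key}: {finding}")
```

Run against the guide's own values, it reports the three changeit passwords and nothing else.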



3. Creating X509 certificates for SSL encryption (refer to KM779302)

1) Execute SC-SM SSL Certificates Creator.exe

2) Change the Java path in tso_srv_svlt.bat and tso_cln_svlt.bat

   set JAVA_HOME="C:\Program Files\Java\jre1.5.0_15"

3) Change the passwords in tso_srv_svlt.bat and tso_cln_svlt.bat to make testing easier

   set CAROOT_PASSWD=changeit
   set CACERT_PASSWD=changeit
   set SERVER_KEYSTORE_PASSWD=changeit
   set CLIENT_KEYSTORE_PASSWD=changeit
   set TRUSTEDCLIENTS_KEYSTORE_PASSWD=changeit

4) Execute tso_srv_svlt.bat

   ## If you run tso_srv_svlt.bat more than once,
   ## you should rename or delete cacerts in C:\Program Files\Java\jre1.5.0_15\lib\security

   >tso_srv_svlt.bat

   The answer to "what is your first and last name" should be the full domain name including the SM server hostname.

5) Execute tso_cln_svlt.bat

   >tso_cln_svlt.bat { full domain name including client host }

   The answer to "what is your first and last name" should be the full domain name including the hostname.
4. Configure SM7 Server - SSL encryption

1) copy /TSO-servlet/certs/cacerts
   --> C:\Program Files\HP\Service Manager 7.11\Server\RUN

2) copy /TSO-servlet/certs/trustedclients.keystore
   --> C:\Program Files\HP\Service Manager 7.11\Server\RUN

   ** If a new client is added, you should update the trustedclients.keystore file in the RUN folder so that it contains the new client.

3) copy /TSO-servlet/key/sm711ora10.eric.com.keystore
   --> C:\Program Files\HP\Service Manager 7.11\Server\RUN

4) copy /TSO-servlet/key/server.keystore
   --> C:\Program Files\HP\Service Manager 7.11\Server\RUN
5. Configure SM7 Eclipse client - SSL encryption

1) copy /TSO-servlet/certs/cacerts
   --> C:\Program Files\HP\Service Manager 7.11.228\Client\plugins\com.hp.ov.sm.client.common_7.11.228

2) copy /TSO-servlet/key/sm711ora10.eric.com.keystore
   --> C:\Program Files\HP\Service Manager 7.11.228\Client\plugins\com.hp.ov.sm.client.common_7.11.228

3) Test SSL between the SM server and the SM Eclipse client

   - launch the Eclipse client
   - configure SSL information
     > Windows > setup environment
     >> CA certificate file
     >> Client Key store file
     >> Client Key store password
   - create a new connection
     server host name : sm711ora10.eric.com
     port:13081
     Advanced tab > use SSL encryption

6. Configure trusted sign-on in SM Eclipse client

1) Create the same account in SM; the login name should be the same in both SM and the OS account.
   * The password does not need to be the same in SM and on the OS side.
   * With an ordinary (non-trusted) login only, SM checks the password on the SM side.

2) Create a new connection with trusted sign-on

   2.1) server host name : sm711ora10.eric.com
        port:13081
        advanced tab > SSL encryption ( enable )

   2.2) server host name : sm711ora10.eric.com
        port:13080
        advanced tab > SSL encryption ( disable )

   ** Actually, SSL is not mandatory for TSO login with the thick client (Eclipse client).
   ** When troubleshooting is needed, monitor sm.log.

7. Install JDK 1.5

- prerequisite of Apache and Tomcat
  C:\Program Files\Java\jdk1.5.0_15

8. Install Tomcat 5.5.26

  C:\Program Files\Apache Software Foundation\Tomcat 5.5

9. Install SM7 webclient

- deploy the war file
- change hostname and port in C:\Program Files\Apache Software Foundation\Tomcat 5.5\webapps\sm7\WEB-INF\web.xml
- test connection: http://sm711ora10.eric.com/sm7



10. Install SM7ssl webclient

- deploy: create the sm7ssl module from the present war (by renaming it)
- change configuration in C:\Program Files\Apache Software Foundation\Tomcat 5.5\webapps\sm7ssl\WEB-INF\web.xml
    isCustomAuthentication=false
    serverhost <= hostname with domain name, sm711ora10.eric.com
    serverport <= ssl port, 13081
    ssl true
- copy the SSL certificate files
    cacerts -> /sm7ssl/WEB-INF
    client certificate file ( sm711ora10.eric.com.keystore ) -> /sm7ssl/WEB-INF
- test
    http://sm711ora10.eric.com:8080/sm7
    http://sm711ora10.eric.com:8080/sm7ssl

11. Install Apache 2.2.8

  C:\Program Files\Apache Software Foundation\Apache2.2

  test -> http://sm711ora10.eric.com

12. Install Tomcat-Apache connector (refer to KM779302)

1) copy mod_jk-1.2.31-httpd-2.2.3.so to C:\Program Files\Apache Software Foundation\Apache2.2\modules

2) create C:\Program Files\Apache Software Foundation\Apache2.2\conf\mod_jk.conf

3) add this line to C:\Program Files\Apache Software Foundation\Apache2.2\conf\httpd.conf

   include conf/mod_jk.conf

4) create C:\Program Files\Apache Software Foundation\Apache2.2\conf\workers.properties

5) change C:\Program Files\Apache Software Foundation\Tomcat 5.5\conf\server.xml

6) test

   http://sm711ora10.eric.com/sm7
   http://sm711ora10.eric.com/sm7ssl

13. Install mod_auth_sspi module (in order to set up trusted sign-on of Windows)

1) copy mod_auth_sspi.so to C:\Program Files\Apache Software Foundation\Apache2.2\modules\mod_auth_sspi.so

2) add these lines to C:\Program Files\Apache Software Foundation\Apache2.2\conf\httpd.conf

   # for SSL authentication
   ### SspiAuth Module ###
   LoadModule sspi_auth_module modules/mod_auth_sspi.so
   <Location "/sm7ssl">
       AllowOverride None
       Options None
       Order allow,deny
       Allow from all
       AuthType SSPI
       SSPIAuth On
       SSPIDomain sm711ora10.eric.com
       SSPIAuthoritative On
       SSPIOfferBasic Off
       SSPIPerRequestAuth On
       require valid-user
   </Location>

3) set up third party SSO

   modify C:\Program Files\Apache Software Foundation\Tomcat 5.5\webapps\sm7ssl\WEB-INF\classes\application-context.xml

   before

   /**=httpSessionContextIntegrationFilter,anonymousProcessingFilter

   after

   /**=httpSessionContextIntegrationFilter,preAuthenticationFilter,anonymousProcessingFilter

14. Configure Internet Explorer

- IE > internet option > Security tab > Sites > all checked, > advanced .. > adding "sm711ora10.eric.com"
- IE > internet option > Security tab > Custom Level > User Authentication - Logon - Automatic Logon with current username and password

15. Test Trusted Sign On (SSO) via IE

- verify that login to SM via the Windows client works with the same account as the OS
- http://sm711ora10.eric.com/sm7ssl

16. Implemented environment

Windows 2003
> SM 7.11.281
> Oracle 10g
> jre1.5.0_15, jdk1.5.0_15
> Apache 2.2.17
> Tomcat 5.5.26
> Tomcat-Apache connector mod_jk-1.2.31-httpd-2.2.3.so (for win32)
> Win32 domain authentication module mod_auth_sspi-1.0.4-2.2.2.zip
> Internet Explorer 6




Related/configured files

C:\Program Files\Apache Software Foundation\Apache2.2\conf\httpd.conf
C:\Program Files\Apache Software Foundation\Apache2.2\conf\mod_jk.conf
C:\Program Files\Apache Software Foundation\Apache2.2\conf\workers.properties
C:\Program Files\Apache Software Foundation\Apache2.2\modules\mod_jk.so
C:\Program Files\Apache Software Foundation\Apache2.2\modules\mod_auth_sspi.so

C:\Program Files\Apache Software Foundation\Tomcat 5.5\conf\server.xml
C:\Program Files\Apache Software Foundation\Tomcat 5.5\webapps\sm7ssl\WEB-INF\web.xml
C:\Program Files\Apache Software Foundation\Tomcat 5.5\webapps\sm7ssl\WEB-INF\cacerts
C:\Program Files\Apache Software Foundation\Tomcat 5.5\webapps\sm7ssl\WEB-INF\sm711ora10.eric.com.keystore
C:\Program Files\Apache Software Foundation\Tomcat 5.5\webapps\sm7ssl\WEB-INF\classes\application-context.xml

C:\Program Files\HP\Service Manager 7.11\Server\RUN\sm.cfg
C:\Program Files\HP\Service Manager 7.11\Server\RUN\sm.ini
C:\Program Files\HP\Service Manager 7.11\Server\RUN\cacerts
C:\Program Files\HP\Service Manager 7.11\Server\RUN\trustedclients.keystore
C:\Program Files\HP\Service Manager 7.11\Server\RUN\server.keystore

C:\Program Files\HP\Service Manager 7.11.228\Client\plugins\com.hp.ov.sm.client.common_7.11.228\cacerts
C:\Program Files\HP\Service Manager 7.11.228\Client\plugins\com.hp.ov.sm.client.common_7.11.228\sm711ora10.eric.com.keystore