This is a hands-on guide to setting up SSL and SSO (trusted sign-on) with HP Service Manager 7.11.
Test environment
> Windows 2003
> SM 7.11.281
> Oracle 10g
> jre1.5.0_15, jdk1.5.0_15
> Apache 2.2.17
> Tomcat 5.5.26
> Tomcat-Apache connector mod_jk-1.2.31-httpd-2.2.3.so (for Win32)
> Win32 domain authentication module mod_auth_sspi-1.0.4-2.2.2.zip
> Internet Explorer 6
References
- SM7 Single Sign-On Authentication1 (KM472182).pdf
- AD AND SSO Configuration (KM779302).docx
- SC-SM SSL Certificates Creator v1.2.exe
Solution
1. Download the required files (refer to KM779302)
A. SC-SM SSL Certificates Creator v1.2.exe
B. Java 1.5.0_15
C. Tomcat 5.5.26
D. Apache HTTP Server 2.2.17
E. Tomcat-Apache httpd connector module (mod_jk)
** If the connector build does not match the Apache version, Apache fails at startup.
In that case look at the error messages in the Windows Event Viewer.
F. Win32 domain authentication module (mod_auth_sspi)
G. Make sure the application server is a member of the domain.
** Both the SM server and the client PC must be joined to the domain.
For a pure test environment: 1) install DNS, 2) install Active Directory.
2. Service Manager configuration
1) sm.cfg
sm -httpPort:13080 -sslConnector:0
sm -httpPort:13081 -sslConnector:1 -httpsPort:13443 -ssl:1
2) sm.ini
trustedsignon:1
keystoreFile:server.keystore
keystorePass:changeit
truststoreFile:cacerts
truststorePass:changeit
ssl_trustedClientsJKS:trustedclients.keystore
ssl_trustedClientsPwd:changeit
ssl_reqClientAuth:2
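As an added example that is not part of this guide or of HP Service Manager, the following Python script parses sm.cfg and sm.ini exactly as written above and reports what a reviewer would flag before this configuration leaves the test environment: a listener without SSL while trustedsignon:1 is on (the client-certificate check, ssl_reqClientAuth:2 against trustedclients.keystore, only protects the SSL listener, so the plain listener trusts whatever user name a client asserts), an SSL listener that does not require client certificates, and the changeit passwords. The file contents are constructed inline to mirror the page; the rule set is the editor's own, not an HP tool.

```python
"""Consistency check for the sm.cfg / sm.ini settings of step 2.
Added example; not from the HP guide. The rules are the editor's."""
import re

# Constructed to match the sm.cfg shown in step 2 of the page.
SM_CFG = """\
sm -httpPort:13080 -sslConnector:0
sm -httpPort:13081 -sslConnector:1 -httpsPort:13443 -ssl:1
"""

# Constructed to match the sm.ini shown in step 2 of the page.
SM_INI = """\
trustedsignon:1
keystoreFile:server.keystore
keystorePass:changeit
truststoreFile:cacerts
truststorePass:changeit
ssl_trustedClientsJKS:trustedclients.keystore
ssl_trustedClientsPwd:changeit
ssl_reqClientAuth:2
"""

DEFAULT_PASSWORDS = {"changeit", "password", ""}


def parse_sm_cfg(text):
    """One dict per 'sm ...' listener line, e.g. {'httpPort': '13081', 'ssl': '1', ...}."""
    listeners = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("sm "):
            continue
        listeners.append(dict(re.findall(r"-(\w+):(\S*)", line)))
    return listeners


def parse_sm_ini(text):
    """sm.ini is one 'name:value' per line; '#' starts a comment."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        params[name.strip()] = value.strip()
    return params


def audit(cfg_text, ini_text):
    """Return a sorted list of finding strings; an empty list means nothing to flag."""
    listeners = parse_sm_cfg(cfg_text)
    ini = parse_sm_ini(ini_text)
    findings = []
    tso = ini.get("trustedsignon") == "1"

    for opts in listeners:
        port = opts.get("httpPort", "?")
        if opts.get("ssl") != "1":
            if tso:
                # With trustedsignon the server accepts the user name the client
                # presents; only the SSL listener can demand a trusted client cert.
                findings.append(f"listener {port}: trustedsignon:1 reachable without SSL")
        else:
            if ini.get("ssl_reqClientAuth") != "2":
                findings.append(f"listener {port}: SSL without required client certs (ssl_reqClientAuth!=2)")
            if not ini.get("ssl_trustedClientsJKS"):
                findings.append(f"listener {port}: no ssl_trustedClientsJKS for client-cert checks")

    # The page sets every keystore password to changeit "to test easily".
    for name in ("keystorePass", "truststorePass", "ssl_trustedClientsPwd"):
        if name in ini and ini[name] in DEFAULT_PASSWORDS:
            findings.append(f"{name}: default/empty password")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SM_CFG, SM_INI):
        print("FINDING:", finding)
```

Run against the page's own files it reports the 13080 listener and the three changeit passwords; dropping the plain listener and choosing real passwords makes the report empty while leaving trustedsignon:1 in place.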
3. Create X.509 certificates for SSL encryption (refer to KM779302)
1) Run SC-SM SSL Certificates Creator v1.2.exe; it provides the TSO-servlet folder and the two scripts used below.
2) Set the Java path in tso_srv_svlt.bat and tso_cln_svlt.bat:
set JAVA_HOME="C:\Program Files\Java\jre1.5.0_15"
3) Set the keystore passwords in tso_srv_svlt.bat and tso_cln_svlt.bat. They are all changeit here to make testing quick; outside a throwaway test box use distinct, non-default passwords, and remember they end up in clear text in sm.ini (step 2).
set CAROOT_PASSWD=changeit
set CACERT_PASSWD=changeit
set SERVER_KEYSTORE_PASSWD=changeit
set CLIENT_KEYSTORE_PASSWD=changeit
set TRUSTEDCLIENTS_KEYSTORE_PASSWD=changeit
4) Run tso_srv_svlt.bat
## If you run tso_srv_svlt.bat more than once, first rename or delete cacerts in
## C:\Program Files\Java\jre1.5.0_15\lib\security
>tso_srv_svlt.bat
When asked "What is your first and last name?", answer with the fully qualified domain name of the SM server
(sm711ora10.eric.com in this environment). This becomes the certificate CN, which the clients check against the host name they connect to.
5) Run tso_cln_svlt.bat with the client's fully qualified host name as argument:
>tso_cln_svlt.bat <fully qualified domain name of the client host>
When asked "What is your first and last name?", answer with the same fully qualified host name.
4. Configure SM7 server SSL encryption
1) copy /TSO-servlet/certs/cacerts --> C:\Program Files\HP\Service Manager 7.11\Server\RUN
2) copy /TSO-servlet/certs/trustedclients.keystore --> C:\Program Files\HP\Service Manager 7.11\Server\RUN
** Whenever a new client certificate is created (step 3.5), copy the updated trustedclients.keystore into the RUN folder again:
with ssl_reqClientAuth:2 the server accepts only client certificates found in that keystore.
3) copy /TSO-servlet/key/sm711ora10.eric.com.keystore --> C:\Program Files\HP\Service Manager 7.11\Server\RUN
4) copy /TSO-servlet/key/server.keystore --> C:\Program Files\HP\Service Manager 7.11\Server\RUN
5. Configure SM7 Eclipse client SSL encryption
1) copy /TSO-servlet/certs/cacerts --> C:\Program Files\HP\Service Manager 7.11.228\Client\plugins\com.hp.ov.sm.client.common_7.11.228
2) copy /TSO-servlet/key/sm711ora10.eric.com.keystore --> C:\Program Files\HP\Service Manager 7.11.228\Client\plugins\com.hp.ov.sm.client.common_7.11.228
3) Test SSL between the SM server and the SM Eclipse client
- launch the Eclipse client
- configure the SSL settings
> Windows > Setup environment
>> CA certificate file (cacerts)
>> Client keystore file (sm711ora10.eric.com.keystore)
>> Client keystore password
- create a new connection
server host name: sm711ora10.eric.com
port: 13081
Advanced tab > Use SSL encryption
6. Configure trusted sign-on in the SM Eclipse client
1) Create an SM operator whose login name is identical to the Windows (OS) login name.
* The SM password and the OS password need not match.
* With a normal (non-TSO) login, SM checks the password stored on the SM side.
2) Create a new connection with "Trusted sign-on" selected
2.1) server host name: sm711ora10.eric.com
port: 13081
Advanced tab > SSL encryption (enabled)
2.2) server host name: sm711ora10.eric.com
port: 13080
Advanced tab > SSL encryption (disabled)
** SSL is not mandatory for a TSO login from the thick (Eclipse) client, as connection 2.2 shows. Be clear about what that means:
with trustedsignon:1 the server accepts the OS user name the client presents, and the client-certificate check
(ssl_reqClientAuth:2 against trustedclients.keystore) exists only on the SSL listener, so the 13080 connection trusts any
client that can reach the port. Keep it for testing only.
** For troubleshooting, watch sm.log.
7. Install JDK 1.5 (prerequisite for Tomcat and the SM web tier)
C:\Program Files\Java\jdk1.5.0_15
8. Install Tomcat 5.5.26
C:\Program Files\Apache Software Foundation\Tomcat 5.5
9. Install the SM7 web client
- deploy the web tier war (sm7.war) to Tomcat
- set the SM server host name and port in C:\Program Files\Apache Software Foundation\Tomcat 5.5\webapps\sm7\WEB-INF\web.xml
- test the connection on Tomcat's own port (Apache is not in front yet): http://sm711ora10.eric.com:8080/sm7
10. Install the SM7ssl web client
- deploy: copy the same war a second time as sm7ssl.war, so Tomcat expands it to webapps/sm7ssl
- change the configuration in C:\Program Files\Apache Software Foundation\Tomcat 5.5\webapps\sm7ssl\WEB-INF\web.xml
isCustomAuthentication = false
serverhost <= host name including the domain, sm711ora10.eric.com
serverport <= the SSL listener port, 13081
ssl = true
- copy the SSL certificate files
cacerts -> /sm7ssl/WEB-INF
client keystore (sm711ora10.eric.com.keystore) -> /sm7ssl/WEB-INF
** "ssl" here protects the hop from Tomcat to the SM server; the browser-to-Tomcat (and later browser-to-Apache) hop stays plain HTTP in this setup.
- test
http://sm711ora10.eric.com:8080/sm7
http://sm711ora10.eric.com:8080/sm7ssl
11. Install Apache HTTP Server 2.2.17
C:\Program Files\Apache Software Foundation\Apache2.2
test -> http://sm711ora10.eric.com
12. Install the Tomcat-Apache connector (refer to KM779302 for the file contents)
1) copy mod_jk-1.2.31-httpd-2.2.3.so to C:\Program Files\Apache Software Foundation\Apache2.2\modules
2) create C:\Program Files\Apache Software Foundation\Apache2.2\conf\mod_jk.conf
3) add this line to C:\Program Files\Apache Software Foundation\Apache2.2\conf\httpd.conf:
Include conf/mod_jk.conf
4) create C:\Program Files\Apache Software Foundation\Apache2.2\conf\workers.properties
5) edit C:\Program Files\Apache Software Foundation\Tomcat 5.5\conf\server.xml (the AJP connector that mod_jk talks to)
6) test through Apache on port 80
http://sm711ora10.eric.com/sm7
http://sm711ora10.eric.com/sm7ssl
13. Install the mod_auth_sspi module (Windows domain authentication for trusted sign-on)
1) copy mod_auth_sspi.so to C:\Program Files\Apache Software Foundation\Apache2.2\modules\mod_auth_sspi.so
2) add these lines to C:\Program Files\Apache Software Foundation\Apache2.2\conf\httpd.conf
# Windows (SSPI) authentication for the sm7ssl web client
### SspiAuth Module ###
LoadModule sspi_auth_module modules/mod_auth_sspi.so
<Location "/sm7ssl">
AllowOverride None
Options None
Order allow,deny
Allow from all
AuthType SSPI
SSPIAuth On
SSPIDomain sm711ora10.eric.com
SSPIAuthoritative On
SSPIOfferBasic Off
SSPIPerRequestAuth On
require valid-user
</Location>
** Keep SSPIOfferBasic Off. This front end is plain HTTP (the test URLs are http://); SSPI negotiates NTLM/Kerberos so the password
itself is never sent, but with Basic offered a client that cannot negotiate falls back to sending the domain password
base64-encoded in the clear. SSPIAuthoritative On stops another authentication module from granting access when SSPI declines.
3) Set up third-party SSO in the web tier
modify C:\Program Files\Apache Software Foundation\Tomcat 5.5\webapps\sm7ssl\WEB-INF\classes\application-context.xml
before
/**=httpSessionContextIntegrationFilter,anonymousProcessingFilter
after
/**=httpSessionContextIntegrationFilter,preAuthenticationFilter,anonymousProcessingFilter
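As an added example, not part of this guide, of mod_auth_sspi or of the SM web tier, the Python script below reads the `<Location "/sm7ssl">` block and the application-context.xml filter mapping from step 13 and checks the settings that decide whether domain credentials can leak over this plain-HTTP front end: AuthType SSPI with SSPIAuth On, SSPIOfferBasic explicitly Off, SSPIAuthoritative On, a Require directive, and preAuthenticationFilter present and placed before anonymousProcessingFilter. The httpd.conf text is constructed inline to mirror the page; the checks are the editor's own.

```python
"""Checks for the mod_auth_sspi <Location> block and the Spring filter chain of step 13.
Added example; not from the HP guide or mod_auth_sspi. The rules are the editor's."""
import re

# Constructed to match the httpd.conf lines shown in step 13 of the page.
HTTPD_SNIPPET = """\
LoadModule sspi_auth_module modules/mod_auth_sspi.so
<Location "/sm7ssl">
AllowOverride None
Options None
Order allow,deny
Allow from all
AuthType SSPI
SSPIAuth On
SSPIDomain sm711ora10.eric.com
SSPIAuthoritative On
SSPIOfferBasic Off
SSPIPerRequestAuth On
require valid-user
</Location>
"""


def parse_locations(text):
    """Return {path: {directive_lowercase: value}} for every <Location> block in text."""
    blocks = {}
    for match in re.finditer(r'<Location\s+"?([^">\s]+)"?\s*>(.*?)</Location>', text, re.S):
        path, body = match.group(1), match.group(2)
        directives = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(" ")
            directives[name.lower()] = value.strip()
        blocks[path] = directives
    return blocks


def check_sspi_location(directives):
    """Return a list of findings for one parsed <Location> block; empty means OK."""
    findings = []
    if directives.get("authtype", "").upper() != "SSPI":
        findings.append("AuthType is not SSPI")
    if directives.get("sspiauth", "").lower() != "on":
        findings.append("SSPIAuth is not On")
    if directives.get("sspiofferbasic", "").lower() != "off":
        # Basic fallback would send the domain password base64-encoded over
        # plain HTTP; this front end is http://, not https://.
        findings.append("SSPIOfferBasic is not explicitly Off on a plain-HTTP front end")
    if directives.get("sspiauthoritative", "").lower() != "on":
        findings.append("SSPIAuthoritative is not On: another module could grant access")
    if not directives.get("require"):
        findings.append("no Require directive: authentication without authorization")
    return findings


def check_filter_chain(mapping):
    """mapping is the '/**=filterA,filterB,...' line from application-context.xml.
    Returns a finding string, or None when the chain is as step 13 requires."""
    _, _, chain = mapping.partition("=")
    filters = [f.strip() for f in chain.split(",")]
    if "preAuthenticationFilter" not in filters:
        return "preAuthenticationFilter missing: the user Apache authenticated is never consumed"
    if ("anonymousProcessingFilter" in filters
            and filters.index("preAuthenticationFilter") > filters.index("anonymousProcessingFilter")):
        return "preAuthenticationFilter must run before anonymousProcessingFilter"
    return None


if __name__ == "__main__":
    for path, directives in parse_locations(HTTPD_SNIPPET).items():
        print(path, check_sspi_location(directives) or "OK")
    print(check_filter_chain("/**=httpSessionContextIntegrationFilter,anonymousProcessingFilter"))
```

The page's own block passes; flipping SSPIOfferBasic to On, or leaving the "before" filter mapping in place, each produces exactly one finding.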
14. Configure Internet Explorer
- IE > Internet Options > Security tab > select the zone (Local intranet) > Sites (leave all boxes checked) > Advanced > add "sm711ora10.eric.com"
- IE > Internet Options > Security tab > Custom Level > User Authentication > Logon > Automatic logon with current user name and password
15. Test trusted sign-on (SSO) via IE
- log on to Windows with the domain account that matches the SM operator created in step 6, then open
- http://sm711ora10.eric.com/sm7ssl
- you should land in SM without a login prompt
16. Related and configured files
C:\Program Files\Apache Software Foundation\Apache2.2\conf\httpd.conf
C:\Program Files\Apache Software Foundation\Apache2.2\conf\mod_jk.conf
C:\Program Files\Apache Software Foundation\Apache2.2\conf\workers.properties
C:\Program Files\Apache Software Foundation\Apache2.2\modules\mod_jk.so
C:\Program Files\Apache Software Foundation\Apache2.2\modules\mod_auth_sspi.so
C:\Program Files\Apache Software Foundation\Tomcat 5.5\conf\server.xml
C:\Program Files\Apache Software Foundation\Tomcat 5.5\webapps\sm7ssl\WEB-INF\web.xml
C:\Program Files\Apache Software Foundation\Tomcat 5.5\webapps\sm7ssl\WEB-INF\cacerts
C:\Program Files\Apache Software Foundation\Tomcat 5.5\webapps\sm7ssl\WEB-INF\sm711ora10.eric.com.keystore
C:\Program Files\Apache Software Foundation\Tomcat 5.5\webapps\sm7ssl\WEB-INF\classes\application-context.xml
C:\Program Files\HP\Service Manager 7.11\Server\RUN\sm.cfg
C:\Program Files\HP\Service Manager 7.11\Server\RUN\sm.ini
C:\Program Files\HP\Service Manager 7.11\Server\RUN\cacerts
C:\Program Files\HP\Service Manager 7.11\Server\RUN\trustedclients.keystore
C:\Program Files\HP\Service Manager 7.11\Server\RUN\server.keystore
C:\Program Files\HP\Service Manager 7.11.228\Client\plugins\com.hp.ov.sm.client.common_7.11.228\cacerts
C:\Program Files\HP\Service Manager 7.11.228\Client\plugins\com.hp.ov.sm.client.common_7.11.228\sm711ora10.eric.com.keystore