SM 7.01 Trusted Sign-on Configuration

Service Manager has been configured for trusted sign-on functionality to address the complexity of maintaining duplicate user accounts, multiple passwords, and separate logins across applications.

Activating trusted sign-on requires that you either create or purchase Secure Sockets Layer (SSL) certificates for the Service Manager Server, Service Manager Web Tier, and Service Manager Windows® clients. You use these certificates to create a secure network connection between the Service Manager Windows client and the Service Manager server, or between the Service Manager Web Tier and the Service Manager server. The connection between the user's Web browser and the Web Tier remains unchanged and requires no additional configuration in terms of importing certificates.

Note: In Samba, the certificates have been created.

Below are the steps used for configuring trusted sign-on.

Configuration

Step 1: Check the prerequisites for configuration

A. Obtain the SC-SM SSL Certificates Creator.exe file from Support, or download it from internal ftp://16.48.43.15/Service Manager/Trusted Sign-on/
   Note: In Samba, we got the Certificates creator.exe from HP Support.
B. Download the Java 1.5.0_12 JDK from the SUN website http://java.sun.com/products/archive/j2se/5.0_12/index.html
C. Download Tomcat 5.5.26 from the Apache.org website http://tomcat.apache.org/download-55.cgi
D. Download Apache http server 2.2.8 from the Apache.org website http://httpd.apache.org/download.cgi
E. Download the Tomcat - Apache httpd connector module (mod_jk-1.2.26-httpd-2.2.4.so) from the Apache.org website http://tomcat.apache.org/download-connectors.cgi
F. Download the win32 domain authentication module (mod_auth_sspi-1.0.4-2.2.2) from the sourceforge.net network http://sourceforge.net/projects/mod-auth-sspi/
G. Ensure the application server is part of a domain, and that your internet connection is working.
Step 2: Service Manager Configuration file

Modify the sm.ini and the sm.cfg file so that you have a different port for normal servlet (13080) and SSL servlet (13081) connections. See the entries below:

## sm.ini ##
# ServiceManager Initialization file
# Copyright (c) 1997-2007 HP, Inc.
# 3/11/08 3:00 PM

#General parameters
shared_memory:32000000
log:../logs/sm.log
alertlog:../logs/sm.alert.log

#Connection parameters
#all httpPort, httpsPort and sslConnector parameters moved to sm.cfg !!
ssl_reqClientAuth:2
trustedsignon:1

#SSL Servlet parameters
keystoreFile:server.keystore
keystorePass:serverkeystore
ssl_trustedClientsJKS:trustedclients.keystore
ssl_trustedClientsPwd:trustedclients
truststoreFile:cacerts
truststorePass:cacert

The above entries are added along with the other parameters of the sm.ini file, such as the database connection and the LDAP connection.

## sm.cfg ##
#
# HP Service Manager Server Configuration File
#
# Used by HP Service Manager service on Windows and smstart script on Unix
# to start the Service Manager server processes.
#
##############################################################################
#
# Copyright (c) 1997-2007 HP, Inc.
# All Rights Reserved
#
##############################################################################
#
# start a Service Manager listener
#
sm -httpPort:13080 -sslConnector:0
sm -httpPort:13081 -sslConnector:1 -httpsPort:13443 -ssl:1
#
# start background schedulers
#
sm system.start

The above entries are added along with the other parameters of the sm.cfg file, such as SC Email and SC Auto listener values.

Note:
- Create a new connection in the Eclipse client that points to the fully qualified domain name of the machine where you installed the Service Manager 7.0x app server, connects to port 13080, and on the Connection tab, enable the Use Login/Password checkbox.
- Test your setup to see that you can create a connection from the Eclipse client to the Service Manager 7.0x server, on port 13080, non-SSL encrypted.
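The Step 2 entries can be checked mechanically before the certificates are created. The following Python script is an added example, not part of the original guide or of HP's tooling; its function names and the embedded sample text are constructed for illustration, and it verifies only the values shown in Step 2.

```python
"""Check sm.ini and sm.cfg against the trusted sign-on values from Step 2."""

# Constructed sample input that mirrors the entries shown in Step 2.
SAMPLE_INI = """\
#Connection parameters
ssl_reqClientAuth:2
trustedsignon:1
#SSL Servlet parameters
keystoreFile:server.keystore
keystorePass:serverkeystore
ssl_trustedClientsJKS:trustedclients.keystore
ssl_trustedClientsPwd:trustedclients
truststoreFile:cacerts
truststorePass:cacert
"""

SAMPLE_CFG = """\
# start a Service Manager listener
sm -httpPort:13080 -sslConnector:0
sm -httpPort:13081 -sslConnector:1 -httpsPort:13443 -ssl:1
# start background schedulers
sm system.start
"""

# Values the guide sets in sm.ini for trusted sign-on.
REQUIRED_INI = {"ssl_reqClientAuth": "2", "trustedsignon": "1"}
# Keystore and truststore parameters that must be present and non-empty.
KEYSTORE_KEYS = ["keystoreFile", "keystorePass", "ssl_trustedClientsJKS",
                 "ssl_trustedClientsPwd", "truststoreFile", "truststorePass"]


def parse_ini(text):
    """Return {name: value} for 'name:value' lines, skipping comments and blanks."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        params[name.strip()] = value.strip()
    return params


def parse_cfg(text):
    """Return one {param: value} dict per 'sm -httpPort:...' listener line."""
    listeners = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "sm":
            continue
        opts = dict(t[1:].split(":", 1) for t in tokens[1:]
                    if t.startswith("-") and ":" in t)
        if "httpPort" in opts:
            listeners.append(opts)
    return listeners


def check(ini_text, cfg_text):
    """Return a list of findings; an empty list means both files match Step 2."""
    findings = []
    ini = parse_ini(ini_text)
    for name, want in REQUIRED_INI.items():
        if ini.get(name) != want:
            findings.append(f"sm.ini: {name} is {ini.get(name)!r}, expected {want!r}")
    for name in KEYSTORE_KEYS:
        if not ini.get(name):
            findings.append(f"sm.ini: {name} is missing or empty")

    listeners = parse_cfg(cfg_text)
    ports = [l["httpPort"] for l in listeners]
    if len(ports) != len(set(ports)):
        findings.append("sm.cfg: two listeners share the same httpPort")
    if not any(l.get("sslConnector") == "0" for l in listeners):
        findings.append("sm.cfg: no normal listener (-sslConnector:0)")
    ssl_listeners = [l for l in listeners if l.get("sslConnector") == "1"]
    if not ssl_listeners:
        findings.append("sm.cfg: no SSL listener (-sslConnector:1)")
    for l in ssl_listeners:
        # The SSL listener in Step 2 also carries -ssl:1 and an -httpsPort.
        if l.get("ssl") != "1" or "httpsPort" not in l:
            findings.append(f"sm.cfg: listener {l['httpPort']} has -sslConnector:1 "
                            "but lacks -ssl:1 or -httpsPort")
    return findings


if __name__ == "__main__":
    for finding in check(SAMPLE_INI, SAMPLE_CFG) or ["sm.ini and sm.cfg match Step 2"]:
        print(finding)
```
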
Step 3: Creating the X509 certificates for SSL encryption

- Extract the files in the SC-SM SSL Certificates Creator.exe to a directory with the name \ssl
- In the \ssl\TSO-servlet directory, open the tso_srv_svlt.bat in a text editor and set the following parameter:
  JAVA_HOME="<root dir of the Java JRE>"
- In the \ssl\TSO-servlet directory, open the tso_cln_svlt.bat in a text editor and set the following parameter:
  JAVA_HOME="<root dir of the Java JRE>"
- In the \ssl\TSO-servlet directory, open the openssl.conf file and set the following parameters:

########################################################################
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca
dirstring_type = nobmp

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = SA
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State
stateOrProvinceName_default = RIYADH
localityName = Locality Name (eg, city)
localityName_default = MALAZ
organizationName = Organizational Name
organizationName_default = SAMBA
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = CSD
commonName = Common Name (eg, computer hostname)
commonName_max = 64
commonName_default = cmlzcsdsvmn1.corp.samba.com
emailAddress = Email Address
emailAddress_max = 40
emailAddress_default = 1tcc.sm@samba.com

[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20

[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = CA:true
########################################################################

- Open a command line window, go to the \ssl\TSO-servlet directory and run the tso_srv_svlt.bat file.
When prompted, fill in:
- Country Name: hit enter
- State: hit enter
- Locality Name: hit enter
- Organizational Name: hit enter
- Organizational Unit Name: hit enter
- Common Name: hit enter
- Email Address: hit enter
- Trust this certificate? Type yes and hit enter
- What is your first and last name? Type <the fully qualified domain name of this machine> and hit enter
- What is the name of your organizational unit? Type <the name of the organizational unit> and hit enter
- What is the name of your organization? Type <the name of the organization> and hit enter
- What is the name of your City or Locality? Type <the name of the organization's city> and hit enter
- What is the name of your State or Province? Type <the name of the organization's state/province> and hit enter
- What is the two-letter country code for this unit? Type <fill in the 2-letter country code for the organization> and hit enter
- Verify your entries and type yes and hit enter
- (RETURN if same as keystore password): hit enter

Verify that in the \ssl\TSO-servlet directory 3 new folders are created, containing the following files:

\certs
    cacerts
    mycacert.pem
    mycacert.srl
    scservercert.pem
\crs
    servercert_request.crs
\key
    cakey.pem
    server.keystore

From the command line in the \ssl\TSO-servlet directory, type:

tso_cln_svlt.bat <the fully qualified domain name of this machine>

Run this command and when prompted, fill in:
- What is your first and last name? Type <the fully qualified domain name of this machine> and hit enter
- What is the name of your organizational unit? Type <the name of the organizational unit> and hit enter
- What is the name of your organization? Type <the name of the organization> and hit enter
- What is the name of your City or Locality? Type <the name of the organization's city> and hit enter
- What is the name of your State or Province? Type <the name of the organization's state/province> and hit enter
- What is the two-letter country code for this unit? Type <fill in the 2-letter country code for the organization> and hit enter
- Verify your entries and type yes and hit enter
- (RETURN if same as keystore password): hit enter
- Trust this certificate? Type yes and hit enter

Verify that in the 3 folders in the \ssl\TSO-servlet directory, the following files exist:

\certs
    cacerts
    clientpubkey.cert
    mycacert.pem
    mycacert.srl
    scclientcert.pem
    scservercert.pem
    trustedclients.keystore
\crs
    clientcert_request.crs
    servercert_request.crs
\key
    cakey.pem
    server.keystore
    <the fully qualified domain name of the machine that is running the SM app server>.keystore

If all these files exist and no errors were reported during the creation of these files, the certificates are ready to be used.

Step 4: Configuring Service Manager 7.0x server for SSL encryption

- Go to the \RUN directory of the Service Manager 7.0x server installation and rename the cacerts file to cacerts.orig.
- Copy the following files from the \ssl\TSO-servlet\certs directory to the \RUN directory of the Service Manager 7.0x server installation:
  i. cacerts
  ii. trustedclients.keystore
- Copy the following files from the \ssl\TSO-servlet\key directory to the \RUN directory of the Service Manager 7.0x server installation:
  i. server.keystore

Step 5: Configuring Service Manager 7.0x Eclipse client for SSL encryption

- Go to the \plugins\com.hp.ov.sm.client.common_7.0x directory of the Service Manager 7.0x client installation and rename the cacerts file to cacerts.orig.
- Copy the following files from the \ssl\TSO-servlet\certs directory to the \plugins\com.hp.ov.sm.client.common_7.0x directory of the Service Manager 7.0x client installation:
  i. cacerts
- Copy the following files from the \ssl\TSO-servlet\key directory to the \plugins\com.hp.ov.sm.client.common_7.0x directory of the Service Manager 7.0x client installation:
  i. <the fully qualified domain name of this machine>.keystore
- Open the Eclipse client, and create a new connection (give it a meaningful name to indicate it uses SSL encryption) that connects to port 13081. On the Connection tab, enable the Use Login/Password checkbox, and on the Advanced tab, enable the Use SSL Encryption checkbox. Save the connection and close the Connections window.
- From the Eclipse client, click on the Window option in the menu bar and select the Preferences option. In the Preferences window, expand the HP Service Manager tree, select the security section and set the following parameters in the security section of the Eclipse client:
  i. CA certificates file: <full path of the Service Manager 7.0x client install>\plugins\com.hp.ov.sm.client.common_7.0x\cacerts
  ii. Client keystore file: <full path of the Service Manager 7.0x client install>\plugins\com.hp.ov.sm.client.common_7.0x\<the fully qualified domain name of this machine>.keystore
  iii. Client keystore password: clientkeystore
- Click on the OK button and close the Eclipse client completely.

Note: For every new Windows client installation, the system administrator has to perform Step 5, i.e. copy the files "cacerts" and "cmlzcsdsvmn1.corp.samba.com.keystore" to "$INSTALL_DIR of SM Application\Program Files\HP\Service Manager 7.01\Client\plugins\com.hp.ov.sm.client.common_7.01" and configure the above settings.

- Open the Eclipse client and start the newly created SSL connection that connects to port 13081 and verify that it works.
Note: Check the sm.log to verify that you see the message "SSL connection accepted" in the log.

Step 6: Enabling Trusted Sign-on for Service Manager 7.0x Eclipse client (Windows Client)

- Create a new user in Service Manager 7.0x that has the same user name and password (including case-sensitivity) as the Windows domain user that you used to log on to this machine.
- Open the Eclipse client, and create a new connection (give it a meaningful name to indicate it uses Trusted Sign-on) that connects to port 13081. On the Connection tab, enable the Use Trusted Sign-on checkbox and on the Advanced tab, enable the Use SSL Encryption checkbox. Save the connection and close the Connections window.
- Open the Eclipse client and start the newly created Trusted Sign-on connection that connects to port 13081 and verify that it works.

Note: Check the sm.log and verify that you see the message "Set trusted sign-on login user to <domain user>" in the log.

Step 7: Installation and configuration of Java JDK 1.5.0_12

- Install the Java 1.5.0_12 JDK in the default directory and leave all the options at their defaults when installing.
- Go to the Windows System Properties, select the Advanced tab, click on the Environment Variables button and add a new variable:
  i. name = JAVA_HOME
  ii. value = <root dir of the Java JDK>

Step 8: Installation and configuration of Tomcat 5.5.26

- Install Tomcat 5.5.26 from the file you downloaded from the Apache.org website.
- From the install menu, choose component and select the Normal option.
- From the install menu -> install location, install in the default directory.
- From the install menu -> basic configuration, set the following parameters:
  i. Select port 8080
  ii. User name: Admin
  iii. Password: leave it blank
- From the install menu -> Java Virtual Machine, set the path of the JVM to the root dir of the JRE you installed in Step 7.
- After installation, click on the Configure Tomcat shortcut in the Start Menu.
- On the Java tab, set the Java Virtual Machine to the jvm.dll of the JRE and add to the Java Classpath ";<Java JDK install dir>\lib\tools.jar"

Step 9: Installing the Service Manager 7.0x normal web client

- Copy the Service Manager 7.0x .war file from the Service Manager 7.0x install files to the \webapps directory of Tomcat, rename it to sm7.war and start Tomcat.
- After auto-deployment of the sm7.war file, a new folder with the name sm7 has been created in the \webapps directory of Tomcat.
- Go to the webapps\sm7\WEB-INF directory and open the web.xml in a text editor. Set the following parameters:
  i. serverHost: <Fully Qualified Domain Name of this machine>
  ii. serverPort: <The normal port the Service Manager 7.0x server is listening on>
- Create a web page shortcut that points to http://<Fully Qualified Domain Name of this machine>:8080/sm7/index.do and test to see that the normal web client is running.

Note: If you see the login page of Service Manager 7.0x, then the normal web client is successfully installed and running.

Step 10: Installing the Service Manager 7.0x SSL web client

- Stop Tomcat.
- Copy the Service Manager 7.0x .war file from the Service Manager 7.0x install files to the \webapps directory of Tomcat, rename it to sm7ssl.war and start Tomcat.
- After auto-deployment of the sm7ssl.war file, a new folder with the name sm7ssl has been created in the \webapps directory of Tomcat.
- Go to the webapps\sm7ssl\WEB-INF directory and open the web.xml in a text editor. Set the following parameters:
  i. isCustomAuthenticationUsed: false
  ii. serverHost: <Fully Qualified Domain Name of this machine>
  iii. serverPort: <The SSL port the Service Manager 7.0x server is listening on>
  iv. ssl: true
  v. cacerts: /WEB-INF/cacerts
  vi. keystore: /WEB-INF/<Fully Qualified Domain Name of this machine>.keystore
  vii. keystorePassword: clientkeystore
- Go to the webapps\sm7ssl\WEB-INF\classes directory and open the application-context.xml in a text editor.
  Set the following parameters. Change the line
  /**=httpSessionContextIntegrationFilter,anonymousProcessingFilter
  to
  /**=httpSessionContextIntegrationFilter,preAuthenticationFilter,anonymousProcessingFilter
- In the \webapps\sm7ssl\WEB-INF directory, rename the cacerts to cacerts.orig.
- Copy the following files from the \ssl\TSO-servlet\certs directory to the \webapps\sm7ssl\WEB-INF directory:
  i. cacerts
- Copy the following files from the \ssl\TSO-servlet\key directory to the \webapps\sm7ssl\WEB-INF directory:
  i. <the fully qualified domain name of this machine>.keystore
- Create a web page shortcut that points to http://<Fully Qualified Domain Name of this machine>:8080/sm7ssl/index.do and test to see that the SSL web client is running.

Note: If you see the login page of Service Manager 7.0x, then the SSL web client is successfully installed and running.

Step 11: Installing Apache 2.2.8 http server and configuring it

- Install Apache http server from the file that you downloaded from the Apache.org website.
- From the install menu -> server information, set the network domain to the Qualified Domain Name, set the server name to the Fully Qualified Domain Name of this machine, set the administrator email address to your email address and select the option For All Users on Port 80 as a Service.
- From the install menu -> setup type, choose Typical.
- From the install menu -> Destination Folder, install in the default directory.
- After installation, start Apache http server to see that it is running correctly: open a web browser and go to http://<Fully Qualified Domain Name of this machine>.

Note: You should see a blank web page with the words: It works! Also, make sure your Win 2003 server does not have IIS running, or Apache will not start up.

- Stop the Apache http server.
Step 12: Installing the Tomcat - Apache http server connector and configuring it

- Copy the mod_jk-1.2.26-httpd-2.2.4.so that you downloaded from the Apache.org website to the \modules directory of the Apache http server installation, and rename it to "mod_jk.so".
- In the \conf directory of the Apache http server installation, create a text file with the name "mod_jk.conf" and open the file in a text editor.
- Copy the contents below into the mod_jk.conf file:

##########################################################
###################################################################
# Auto generated configuration. Dated: Fri Mar 01 16:50:07 PST 2002
# Edited Oct 17 02 TSD
###################################################################
#
# The following line instructs Apache to load the jk module
# Use the mod_jk.so file, for Tomcat 5.x and greater.
# The mod_jk.dll is for Tomcat 4.x and lower.
# Using the wrong version will cause load errors..!!
#
LoadModule jk_module modules/mod_jk.so

#ajp13 workersfile
JkWorkersFile conf/workers.properties

#mod_jk log file
JkLogFile logs/mod_jk.log

#
# Log level to be used by mod_jk
#
JkLogLevel error

###################################################################
# SSL configuration #
#
# By default mod_jk is configured to collect SSL information from
# the apache environment and send it to the Tomcat workers. The
# problem is that there are many SSL solutions for Apache and as
# a result the environment variable names may change.
#
# The following (commented out) JK related SSL configuration
# can be used to customize mod_jk's SSL behaviour.
#
# Should mod_jk send SSL information to Tomcat (default is On)
# JkExtractSSL Off
#
# What is the indicator for SSL (default is HTTPS)
# JkHTTPSIndicator HTTPS
#
# What is the indicator for SSL session (default is SSL_SESSION_ID)
# JkSESSIONIndicator SSL_SESSION_ID
#
# What is the indicator for client SSL cipher suite (default is SSL_CIPHER)
# JkCIPHERIndicator SSL_CIPHER
#
# What is the indicator for the client SSL certificate (default is SSL_CLIENT_CERT)
# JkCERTSIndicator SSL_CLIENT_CERT
#
# #
###################################################################
#
# Root context mounts for Tomcat
#
#JkMount /example/*.jsp ajp13
#JkMount /example/servlet/* ajp13
JKMount /sm7/* ajp13
JKMount /sm7ssl/* ajp13

#########################################################
# Auto configuration for the /sm7 webapps context starts.
#########################################################
#
# The following line makes apache aware of the location of the /sm7 webapps context
#
Alias /sm7 "<Tomcat root install dir>/webapps/sm7"
<Directory "<Tomcat root install dir>/webapps/sm7">
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
</Directory>
#
# The following line prohibits users from directly accessing WEB-INF
#
<Location "/sm7/WEB-INF/">
    AllowOverride None
    deny from all
</Location>
#
# Use Directory too. On Windows, Location doesn't work unless case matches
#
<Directory "<Tomcat root install dir>/webapps/sm7/WEB-INF/">
    AllowOverride None
    deny from all
</Directory>
#
# The following line prohibits users from directly accessing META-INF
#
<Location "/sm7/META-INF/">
    AllowOverride None
    deny from all
</Location>
#
# Use Directory too. On Windows, Location doesn't work unless case matches
#
<Directory "<Tomcat root install dir>/webapps/sm7/META-INF/">
    AllowOverride None
    deny from all
</Directory>
#######################################################
# Auto configuration for the /sm7 webapps context ends.
#######################################################

#########################################################
# Auto configuration for the /sm7ssl webapps context starts.
#########################################################
#
# The following line makes apache aware of the location of the /sm7ssl webapps context
#
Alias /sm7ssl "<Tomcat root install dir>/webapps/sm7ssl"
<Directory "<Tomcat root install dir>/webapps/sm7ssl">
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
</Directory>
#
# The following line prohibits users from directly accessing WEB-INF
#
<Location "/sm7ssl/WEB-INF/">
    AllowOverride None
    deny from all
</Location>
#
# Use Directory too. On Windows, Location doesn't work unless case matches
#
<Directory "<Tomcat root install dir>/webapps/sm7ssl/WEB-INF/">
    AllowOverride None
    deny from all
</Directory>
#
# The following line prohibits users from directly accessing META-INF
#
<Location "/sm7ssl/META-INF/">
    AllowOverride None
    deny from all
</Location>
#
# Use Directory too. On Windows, Location doesn't work unless case matches
#
<Directory "<Tomcat root install dir>/webapps/sm7ssl/META-INF/">
    AllowOverride None
    deny from all
</Directory>
#######################################################
# Auto configuration for the /sm7ssl webapps context ends.
#######################################################
###########################################################

- In the mod_jk.conf file, replace the string <Tomcat root install dir> with the actual Tomcat root installation directory, save the file and close it.
- In the \conf directory of the Apache http server installation, create a text file with the name "workers.properties", open the file in a text editor and copy the contents below into the workers.properties file:

###########################################################
#################################################################################
#
# $Header: /home/cvs/jakarta-tomcat/src/etc/Attic/workers.properties,v 1.3.2.2
# 2000/10/16 01:59:22 larryi Exp $
# $Revision: 1.3.2.2 $
# $Date: 2000/10/16 01:59:22 $
#
#################################################################################
#
# workers.properties
#
# This file provides jk derived plugins with the needed information to
# connect to the different tomcat workers.
#
# As a general note, the characters $( and ) are used internally to define
# macros. Do not use them in your own configuration!!!
#
# Whenever you see a set of lines such as:
# x=value
# y=$(x)\something
#
# the final value for y will be value\something
#
# Normally all you will need to modify is the first properties, i.e.
# workers.tomcat_home, workers.java_home and ps. Most of the configuration
# is derived from these.
#
# When you are done updating workers.tomcat_home, workers.java_home and ps
# you should have 3 workers configured:
#
# - An ajp13 worker that connects to localhost:8009
# - A jni inprocess worker.
# - A load balancer worker
#
# However by default the plugins will only use the ajp12 worker. To have
# the plugins use other workers you should modify the worker.list property.
#
#
#
# workers.tomcat_home should point to the location where you
# installed tomcat. This is where you have your conf, webapps and lib
# directories.
#
#Apache Tomcat installation dir
#
workers.tomcat_home="<Tomcat root install dir>"
#
# workers.java_home should point to your Java JDK installation. Normally
# you should have a bin and lib directories beneath it.
#
#Java JDK install dir
#
workers.java_home="<Java JDK install dir>"
#
# You should configure your environment slash... ps=\ on NT and / on UNIX
# and maybe something different elsewhere.
#
ps=\
# ps=/
#
#------ ADVANCED MODE ------------------------------------------------
#---------------------------------------------------------------------
#
#
#------ DEFAULT WORKER LIST ------------------------------------------
#---------------------------------------------------------------------
#
#
# The workers that your plugins should create and work with
#
worker.list=ajp13
#
#------ DEFAULT ajp13 WORKER DEFINITION ------------------------------
#---------------------------------------------------------------------
#
#
# Defining a worker named ajp13 and of type ajp13
# Note that the name and the type do not have to match.
#
worker.ajp13.port=8009
worker.ajp13.host=localhost
worker.ajp13.type=ajp13
#
# Specifies the load balance factor when used with
# a load balancing worker.
# Note:
# ----> lbfactor must be > 0
# ----> Low lbfactor means less work done by the worker.
worker.ajp13.lbfactor=1
#
# Specify the size of the open connection cache.
#worker.ajp13.cachesize
#
#------ DEFAULT LOAD BALANCER WORKER DEFINITION ----------------------
#---------------------------------------------------------------------
#
#
# The loadbalancer (type lb) workers perform weighted round-robin
# load balancing with sticky sessions.
# Note:
# ----> If a worker dies, the load balancer will check its state
#       once in a while. Until then all work is redirected to peer
#       workers.
worker.loadbalancer.type=lb
worker.loadbalancer.balanced_workers=ajp13
#
#------ DEFAULT JNI WORKER DEFINITION --------------------------------
#---------------------------------------------------------------------
#
#
# Defining a worker named inprocess and of type jni
# Note that the name and the type do not have to match.
#
worker.inprocess.type=jni
#
#------ CLASSPATH DEFINITION -----------------------------------------
#---------------------------------------------------------------------
#
#
# Additional class path components.
#
worker.inprocess.class_path=$(workers.catalina_home)$(ps)classes
#
# The XML parser provided with Tomcat
#
worker.inprocess.class_path=$(workers.catalina_home)$(ps)lib$(ps)jaxp.jar
worker.inprocess.class_path=$(workers.catalina_home)$(ps)lib$(ps)parser.jar
#
# Tomcat's implementation
#
worker.inprocess.class_path=$(workers.catalina_home)$(ps)lib$(ps)jasper.jar
worker.inprocess.class_path=$(workers.catalina_home)$(ps)lib$(ps)servlet.jar
worker.inprocess.class_path=$(workers.catalina_home)$(ps)lib$(ps)webserver.jar
#
# Javac as available from Java2SE
#
worker.inprocess.class_path=$(workers.java_home)$(ps)lib$(ps)tools.jar
#
# Setting the command line for tomcat
# Note: The cmd_line string may not contain spaces.
#
worker.inprocess.cmd_line=-config
worker.inprocess.cmd_line=$(workers.catalina_home)/conf/jni_server.xml
worker.inprocess.cmd_line=-home
worker.inprocess.cmd_line=$(workers.catalina_home)
#
# The JVM that we are about to use
#
# This is for Java2
#
worker.inprocess.jvm_lib=$(workers.java_home)$(ps)jre$(ps)bin$(ps)classic$(ps)jvm.dll
#
# And this is for jdk1.1.X
#
#worker.inprocess.jvm_lib=$(workers.java_home)$(ps)bin$(ps)javai.dll
#
#
# Setting the place for the stdout and stderr of tomcat
#
worker.inprocess.stdout=$(workers.catalina_home)$(ps)inprocess.stdout
worker.inprocess.stderr=$(workers.catalina_home)$(ps)inprocess.stderr
#
# Setting the tomcat.home Java property
#
worker.inprocess.sysprops=tomcat.home=$(workers.catalina_home)
#
# Java system properties
#
# worker.inprocess.sysprops=java.compiler=NONE
# worker.inprocess.sysprops=myprop=mypropvalue
#
# Additional path components.
#
# worker.inprocess.ld_path=d:$(ps)SQLLIB$(ps)bin
#
#
#------ URIWORKERMAP DEFINITION --------------------------------------
#---------------------------------------------------------------------
#
#
# URI worker map settings
#
# [uri:/example/servlet/*]
# info=Prefix mapping
# [uri:/example/*.jsp]
# info=Extension mapping
#
[uri:/sm7/servlet/*]
info=Prefix mapping
[uri:/sm7/*.jsp]
info=Extension mapping
[uri:/sm7/*.do]
info=Extension mapping
[uri:/sm7/attachments/*]
info=Extension mapping
[uri:/sm7/cwc/nav.menu]
info=Extension mapping
[uri:/sm7ssl/servlet/*]
info=Prefix mapping
[uri:/sm7ssl/*.jsp]
info=Extension mapping
[uri:/sm7ssl/*.do]
info=Extension mapping
[uri:/sm7ssl/attachments/*]
info=Extension mapping
[uri:/sm7ssl/cwc/nav.menu]
info=Extension mapping
###########################################################

- In the workers.properties file, replace the string <Tomcat root install dir> with the actual Tomcat root installation directory and replace the string <Java JDK install dir> with the actual Java JDK installation directory. Save the file and close it.
- In the \conf directory of the Apache http server installation, open the httpd.conf file in a text editor and add the following parameters at the bottom:

### Tomcat 5.0 Connector ####
#
# All parameters that are to be loaded for mod_jk can be found
# in mod_jk.conf. But they can also be defined here.
include conf/mod_jk.conf

  Save the file and close it.
- Go to the \conf directory of the Tomcat installation folder, open the server.xml file in a text editor, and change the following line:

<Connector port="8009" enableLookups="false" redirectPort="8443" debug="0" protocol="AJP/1.3" />

  into

<Connector port="8009" enableLookups="false" tomcatAuthentication="false" redirectPort="8443" debug="0" protocol="AJP/1.3" />

  Save the file and close it.
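The three files edited in Step 12 have to agree: every JkMount must name a worker from worker.list, and that worker's port must be the AJP/1.3 Connector that now carries tomcatAuthentication="false". The following Python check is an added example, not part of the original guide or of the Apache or Tomcat distributions; the function names and the embedded sample text are constructed, and a real run would read the files from the two \conf directories.

```python
"""Cross-check mod_jk.conf, workers.properties and Tomcat's server.xml (Step 12)."""
import re
import xml.etree.ElementTree as ET

# Constructed sample input: the active lines of the three files from Step 12.
SAMPLE_MOD_JK = """\
LoadModule jk_module modules/mod_jk.so
JkWorkersFile conf/workers.properties
#JkMount /example/*.jsp ajp13
JKMount /sm7/* ajp13
JKMount /sm7ssl/* ajp13
"""

SAMPLE_WORKERS = """\
worker.list=ajp13
worker.ajp13.port=8009
worker.ajp13.host=localhost
worker.ajp13.type=ajp13
worker.ajp13.lbfactor=1
"""

SAMPLE_SERVER_XML = """\
<Server>
  <Service name="Catalina">
    <Connector port="8080" />
    <Connector port="8009" enableLookups="false" tomcatAuthentication="false" redirectPort="8443" debug="0" protocol="AJP/1.3" />
  </Service>
</Server>
"""


def jk_mounts(conf_text):
    """Return (uri, worker) pairs from active JkMount lines.

    Apache directive names are case-insensitive, so JKMount and JkMount both match;
    lines starting with '#' are comments and are skipped.
    """
    mounts = []
    for line in conf_text.splitlines():
        m = re.match(r"\s*jkmount\s+(\S+)\s+(\S+)", line, re.IGNORECASE)
        if m:
            mounts.append((m.group(1), m.group(2)))
    return mounts


def properties(text):
    """Return {key: value} from key=value lines, ignoring comments and blanks."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def ajp_connectors(server_xml):
    """Return {port: attributes} for every AJP/1.3 <Connector> in server.xml."""
    root = ET.fromstring(server_xml)
    return {c.get("port"): dict(c.attrib) for c in root.iter("Connector")
            if c.get("protocol") == "AJP/1.3"}


def check_chain(mod_jk, workers, server_xml):
    """Return findings for each mounted URI; an empty list means the files agree."""
    findings = []
    props = properties(workers)
    listed = [w.strip() for w in props.get("worker.list", "").split(",") if w.strip()]
    connectors = ajp_connectors(server_xml)
    for uri, worker in jk_mounts(mod_jk):
        if worker not in listed:
            findings.append(f"{uri}: worker {worker!r} is not in worker.list")
            continue
        if props.get(f"worker.{worker}.type") != "ajp13":
            findings.append(f"{uri}: worker {worker!r} is not of type ajp13")
        port = props.get(f"worker.{worker}.port")
        conn = connectors.get(port)
        if conn is None:
            findings.append(f"{uri}: no AJP/1.3 Connector on port {port}")
        elif conn.get("tomcatAuthentication") != "false":
            # Without this attribute Tomcat does not take over the user name
            # that Apache established for the request.
            findings.append(f"{uri}: Connector {port} lacks tomcatAuthentication=\"false\"")
        host = props.get(f"worker.{worker}.host")
        if host not in ("localhost", "127.0.0.1"):
            # The guide keeps Apache and Tomcat on one machine (host=localhost).
            findings.append(f"{uri}: worker host {host!r} is not local as in the guide")
    return findings


if __name__ == "__main__":
    result = check_chain(SAMPLE_MOD_JK, SAMPLE_WORKERS, SAMPLE_SERVER_XML)
    for finding in result or ["mod_jk.conf, workers.properties and server.xml agree"]:
        print(finding)
```
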
Step 13: Installing the mod_auth_sspi module and configuring it

- Open the mod_auth_sspi .zip file and from the \bin directory extract the mod_auth_sspi.so to the \modules directory of the Apache http server installation.
- In the \conf directory of the Apache http server installation, open the httpd.conf file in a text editor and add the following parameters at the bottom:

### SspiAuth Module ###
LoadModule sspi_auth_module modules/mod_auth_sspi.so
<Location "/sm7ssl">
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
    AuthType SSPI
    SSPIAuth On
    SSPIDomain <MYDOMAIN>
    SSPIAuthoritative On
    SSPIOfferBasic Off
    SSPIPerRequestAuth On
    require valid-user
</Location>

- Replace the string <MYDOMAIN> with the name of the domain this machine is part of.
- Go to the \bin directory of the Apache http server installation and start the ApacheMonitor.exe program; this opens the Apache Service Monitor.
- Click on Start and verify that the Apache2.2 service is starting correctly. At the bottom of the window you should see all the loaded modules: "Apache/2.2.8 (Win32) mod_jk/1.2.26 mod_auth_sspi/1.0.4"

Note: If the Apache Service Monitor is green, then Apache is correctly configured.

Step 14: Configuring Internet Explorer 6.x

- Start the Internet Explorer browser on the machine, click on Tools on the menu bar and select Internet Options.
- Select the Security tab, select the Local Intranet content zone, and click on the Sites... button.
- Add the following address to the list of trusted web sites: http://<Fully Qualified Domain Name of this machine> by clicking on the Advanced button in the next screen.

Add the below entire

Note: Make sure that the "Require server verification (https:) for all sites in this zone" option is not selected.

- On the Security tab page, select the Local Intranet content zone, and click on the Custom Level... button.
- At the bottom, in the User Authentication Logon section, select the following option: Automatic logon with current username and password.
Step 15: Testing the Trusted Sign-on Web client

- Create a web page shortcut that points to http://<Fully Qualified Domain Name of this machine>/sm7/index.do and test to see that the normal web client is running via the Apache http server.

Note: If everything works, you should see the login page of Service Manager 7.0x.

- Create a web page shortcut that points to http://<Fully Qualified Domain Name of this machine>/sm7ssl/index.do and test to see that the Trusted Sign-on web client is running via the Apache http server.

Note: If everything works, you should log in automatically and see the To Do Queue of Service Manager 7.