Enable SSO in Service Manager

Hi guys,

 I have a business need to enable SSO in SM 9.X. I have read more documents on this, but I applied SSO with SSL from the following document.

Configuring HP Service Manager to Use the SSL-based Trusted Sign-On and LW-SSO

Now My questions:

 

1- What are the ways to enable SSO in general in SM?

2- I have applied all the steps in SSL-based Trusted Sign-On but it didn't work for me.

My problem: how could I enable SSO in SM?

 

 

Thanks in advance

Mohamed Shahboub

Technical Service Management

 

Top Replies

  • You may check this:

    https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsearch/document/KM1288853

    It shows the official way to do that.

    First test if it works with the Windows client; then for web it is something else.

    Take it step by step.

     

    Regards,

    A.Sol

     

  • Hi, 

      I have implemented the steps in the previous URL, then I did the following:

     

    1- adding these conf data in sm.ini

    "

    keystoreFile:server.keystore
    keystorePass:serverkeystore
    ssl:1
    ssl_reqClientAuth:1
    ssl_trustedClientsJKS:trustedclients.keystore
    ssl_trustedClientsPwd:trustedclients
    trustedsignon:1
    truststoreFile:cacerts
    truststorePass:caroot

    "

    2- Copy the certs files to RUN/ beside sm.ini

    3- Test with my local client:

          - Copy HP\Service Manager 9.40\Client\plugins\com.hp.ov.sm.client.common_9.40.0015\cacerts

          - Copy Client certs (My LocalMachine) \HP\Service Manager 9.40\Client\plugins\com.hp.ov.sm.client.common_9.40.0015\EGCAOPSVLT109.Egypt.TE-Data.core.keystore

    4- Check login data (attached image)

     Log data after trying to connect

     

    "

    Feb 01, 2016 15:25:49 GMT 02:00 [DEBUG] SOAPClient.init() - external_lb: false
    Feb 01, 2016 15:25:49 GMT 02:00 [DEBUG] SOAPClient.init() - sslEncrypt : false
    Feb 01, 2016 15:25:49 GMT 02:00 [DEBUG] SOAPClient.init() - endpoint : URL
    Feb 01, 2016 15:25:49 GMT 02:00 [DEBUG] SOAP.transact started
    Feb 01, 2016 15:25:50 GMT 02:00 [DEBUG] |SOAP.transact finished in 180 ms
    Feb 01, 2016 15:25:50 GMT 02:00 [DEBUG] SOAP.transact started
    Feb 01, 2016 15:26:11 GMT 02:00 [ERROR] SOAP message send failure
    Feb 01, 2016 15:26:11 GMT 02:00 [ERROR] Connection timed out: connect
    java.net.ConnectException: Connection timed out: connect
    at java.net.DualStackPlainSocketImpl.connect0(Native Method)
    at java.net.DualStackPlainSocketImpl.socketConnect(Unknown Source)
    at java.net.AbstractPlainSocketImpl.doConnect(Unknown Source)
    at java.net.AbstractPlainSocketImpl.connectToAddress(Unknown Source)
    at java.net.AbstractPlainSocketImpl.connect(Unknown Source)
    at java.net.PlainSocketImpl.connect(Unknown Source)
    at java.net.SocksSocketImpl.connect(Unknown Source)
    at java.net.Socket.connect(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.connect(Unknown Source)
    at sun.security.ssl.BaseSSLSocketImpl.connect(Unknown Source)
    at sun.net.NetworkClient.doConnect(Unknown Source)
    at sun.net.www.http.HttpClient.openServer(Unknown Source)
    at sun.net.www.http.HttpClient.openServer(Unknown Source)
    at sun.net.www.protocol.https.HttpsClient.<init>(Unknown Source)
    at sun.net.www.protocol.https.HttpsClient.New(Unknown Source)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpClient(Unknown Source)
    at sun.net.www.protocol.http.HttpURLConnection.plainConnect(Unknown Source)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(Unknown Source)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(Unknown Source)
    at com.hp.ov.sm.client.common.soap.SCSOAPConnectionImpl.send(SCSOAPConnectionImpl.java:181)
    at com.hp.ov.sm.client.common.soap.SCSOAPConnectionImpl.call(SCSOAPConnectionImpl.java:107)
    at com.hp.ov.sm.client.common.soap.BaseSoapClient.internalDoSoapTransact(BaseSoapClient.java:318)
    at com.hp.ov.sm.client.common.communications.SOAPClient.internalDoSoapTransact(SOAPClient.java:1137)
    at com.hp.ov.sm.client.eclipse.user.controller.TopazClient.internalDoSoapTransact(TopazClient.java:1358)
    at com.hp.ov.sm.client.common.soap.SoapReq.run(SoapReq.java:264)
    at com.hp.ov.sm.client.common.soap.BaseSoapClient.syncExecInCurrentThread(BaseSoapClient.java:419)
    at com.hp.ov.sm.client.common.soap.BaseSoapClient.doSyncRequest(BaseSoapClient.java:439)
    at com.hp.ov.sm.client.common.soap.SoapReq.syncExec(SoapReq.java:114)
    at com.hp.ov.sm.client.common.communications.SOAPClient.transact(SOAPClient.java:1036)
    at com.hp.ov.sm.client.common.communications.SOAPClient.connect(SOAPClient.java:277)
    at com.hp.ov.sm.client.eclipse.user.controller.TopazClient.connect(TopazClient.java:263)
    at com.hp.ov.sm.client.eclipse.user.controller.TopazClient.startController(TopazClient.java:625)
    at com.hp.ov.sm.client.eclipse.user.launching.ConnectConfigDelegate$ControllerRunner.run(ConnectConfigDelegate.java:61)
    at org.eclipse.ui.internal.UILockListener.doPendingWork(UILockListener.java:164)
    at org.eclipse.ui.internal.UISynchronizer$3.run(UISynchronizer.java:158)
    at org.eclipse.swt.widgets.RunnableLock.run(RunnableLock.java:35)
    at org.eclipse.swt.widgets.Synchronizer.runAsyncMessages(Synchronizer.java:135)
    at org.eclipse.swt.widgets.Display.runAsyncMessages(Display.java:4140)
    at org.eclipse.swt.widgets.Display.readAndDispatch(Display.java:3757)
    at org.eclipse.ui.internal.Workbench.runEventLoop(Workbench.java:2701)
    at org.eclipse.ui.internal.Workbench.runUI(Workbench.java:2665)
    at org.eclipse.ui.internal.Workbench.access$4(Workbench.java:2499)
    at org.eclipse.ui.internal.Workbench$7.run(Workbench.java:679)
    at org.eclipse.core.databinding.observable.Realm.runWithDefault(Realm.java:332)
    at org.eclipse.ui.internal.Workbench.createAndRunWorkbench(Workbench.java:668)
    at org.eclipse.ui.PlatformUI.createAndRunWorkbench(PlatformUI.java:149)
    at com.hp.ov.sm.client.eclipse.rcp.RcpClient.run(RcpClient.java:47)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at org.eclipse.equinox.internal.app.EclipseAppContainer.callMethodWithException(EclipseAppContainer.java:587)
    at org.eclipse.equinox.internal.app.EclipseAppHandle.run(EclipseAppHandle.java:198)
    at org.eclipse.core.runtime.internal.adaptor.EclipseAppLauncher.runApplication(EclipseAppLauncher.java:110)
    at org.eclipse.core.runtime.internal.adaptor.EclipseAppLauncher.start(EclipseAppLauncher.java:79)
    at org.eclipse.core.runtime.adaptor.EclipseStarter.run(EclipseStarter.java:344)
    at org.eclipse.core.runtime.adaptor.EclipseStarter.run(EclipseStarter.java:179)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at org.eclipse.equinox.launcher.Main.invokeFramework(Main.java:622)
    at org.eclipse.equinox.launcher.Main.basicRun(Main.java:577)
    at org.eclipse.equinox.launcher.Main.run(Main.java:1410)

    "

    Any solution suggested?

  • Can you please send us your sm.ini and sm.cfg files here?

    Remove any sensitive data such as passwords.

     

    Thanks,

    A.Sol

  • Verified Answer

    First you need to determine if SSL is even working before configuring SSO. In the sm.ini you pasted I saw this 'ssl_reqClientAuth:1' and that will not work for SSO. For SSO it needs to be ssl_reqClientAuth:2 - which is Dual Handshake SSL with TrustedClients.

    What you need to do to determine where the failure is occurring is below (note: if you're using the Windows client, just have SSL enabled and not Trusted Sign On. We're just testing SSL connections for now).

    1. Edit the sm.ini
    2. Add the following parameter: debughttp:1
    3. Set ssl_reqClientAuth:0 (which is Single Handshake SSL)
    4. Restart SM server
    5. Attempt to login to SM 
    6. Does it work or fail?
    7. If the login fails with Single Handshake SSL then the server certificates are incorrect.
    8. If the login succeeds then look in the sm.log file for SSL Connection Accepted. If you see that then Single Handshake works.
    9. Go back to the sm.ini file and set ssl_reqClientAuth:1 (Dual Handshake SSL)
    10. Restart SM
    11. Attempt to login
    12. If it works then Dual Handshake SSL works meaning the client certificates and server certificates are valid
    13. If this fails then your client certificates are the ones with the problem and need to be resolved
    14. If step 12 showed this as working then edit the sm.ini and set ssl_reqClientAuth:2
    15. Restart SM
    16. Login 
    17. If this breaks then Dual Handshake is working, but the TrustedClients keystore does not have an entry for the client that is logging into SM and this needs to be resolved.
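
An added example (not part of the thread and not HP tooling): a small Python check for the sm.ini parameters discussed above. It flags the combinations the verified answer says will not work for trusted sign-on and masks the password values before the file is shared, as requested earlier in the thread. The function names and the `#` comment handling are assumptions.

```python
import re

# Keys that hold passwords in the sm.ini posted in this thread.
SECRET_KEYS = ("keystorePass", "ssl_trustedClientsPwd", "truststorePass")
LEVELS = ("0", "1", "2")  # single, dual, dual + TrustedClients (per the answer)

def parse_ini(text):
    """Parse key:value lines; '#' comment handling is an assumption."""
    params = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and key and not key.startswith("#"):
            params[key.strip()] = value.strip()
    return params

def redact(text):
    """Mask password values so the file can be posted for troubleshooting."""
    pattern = r"(?m)^([ \t]*(?:%s)[ \t]*:).*$" % "|".join(SECRET_KEYS)
    return re.sub(pattern, r"\1<redacted>", text)

def audit(params):
    """List settings that conflict with the staged test in the answer."""
    findings = []
    level = params.get("ssl_reqClientAuth")
    if params.get("ssl") != "1":
        findings.append("ssl is not 1")
    if level not in LEVELS:
        findings.append("ssl_reqClientAuth is %r, expected 0, 1 or 2" % level)
    if params.get("trustedsignon") == "1" and level != "2":
        findings.append("trustedsignon:1 needs ssl_reqClientAuth:2, found %s" % level)
    if level == "2" and not params.get("ssl_trustedClientsJKS"):
        findings.append("ssl_reqClientAuth:2 without ssl_trustedClientsJKS")
    if params.get("debughttp") != "1":
        findings.append("debughttp:1 not set (step 2 of the test)")
    return findings

# Sample input: the parameters posted earlier in this thread.
SAMPLE = """keystoreFile:server.keystore
keystorePass:serverkeystore
ssl:1
ssl_reqClientAuth:1
ssl_trustedClientsJKS:trustedclients.keystore
ssl_trustedClientsPwd:trustedclients
trustedsignon:1
truststoreFile:cacerts
truststorePass:caroot
"""

if __name__ == "__main__":
    print(redact(SAMPLE), audit(parse_ini(SAMPLE)), sep="\n")
```

Run `audit` again after each change to `ssl_reqClientAuth` in the staged procedure, and post only the output of `redact`.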