Enable SSO in Service Manager

Hi guys,

I have a business need to enable SSO in SM 9.x. I have read more documents on this, but I applied SSO with SSL from the following document:

Configuring HP Service Manager to Use the SSL-based Trusted Sign-On and LW-SSO

Now my questions:

1- What are the ways to enable SSO in general in SM?

2- I have applied all the steps in SSL-based Trusted Sign-On but it didn't work for me.

My problem: how could I enable SSO in SM?

 

 

Thanks in Advance 

Mohamed Shahboub

Technical Service Management

 

Thanks,
Mohamed Shahboub

ITSM Consultant
Accepted Solutions
Micro Focus Expert

Re: Enable SSO in Service Manager

First you need to determine if SSL is even working before configuring SSO. In the sm.ini you pasted I saw this 'ssl_reqClientAuth:1' and that will not work for SSO. For SSO it needs to be ssl_reqClientAuth:2 - which is Dual Handshake SSL with TrustedClients. 

What you need to do to determine where the failure is occurring is below (note: if you're using the Windows client, just have SSL enabled and not Trusted Sign-On. We're just testing SSL connections for now).

1. Edit the sm.ini
2. Add the following parameter: debughttp:1
3. Set ssl_reqClientAuth:0 (which is Single Handshake SSL)
4. Restart SM server
5. Attempt to login to SM 
6. Does it work or fail?
7. If the login fails with Single Handshake SSL then the server certificates are incorrect.
8. If the login succeeds then look in the sm.log file for SSL Connection Accepted. If you see that then Single Handshake works.
9. Go back to the sm.ini file and set ssl_reqClientAuth:1 (Dual Handshake SSL)
10. Restart SM
11. Attempt to login
12. If it works then Dual Handshake SSL works meaning the client certificates and server certificates are valid
13. If this fails then your client certificates are the ones with the problem and need to be resolved
14. If step 12 showed this as working then edit the sm.ini and set ssl_reqClientAuth:2
15. Restart SM
16. Login 
17. If this breaks then Dual Handshake is working, but the TrustedClients keystore does not have an entry for the client that is logging into SM and this needs to be resolved.
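
The staged test above, written out as an added example (not part of the original post and not Service Manager code): it reads the `ssl_reqClientAuth` level from `sm.ini`, takes the login result and the `sm.log` text, and returns the conclusion the steps give for that stage. The function names, the `#` comment handling and the sample `sm.ini` and log text are assumptions constructed for illustration.

```python
ACCEPT_MARKER = "SSL Connection Accepted"  # sm.log text named in the answer

def parse_sm_ini(text):
    """Parse name:value lines; treating '#' lines as comments is an assumption."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            params[name.strip()] = value.strip()  # in this sketch the last entry wins
    return params

def conclude(ini_text, login_ok, sm_log=""):
    """Conclusion for the stage configured in sm.ini, given the login result."""
    params = parse_sm_ini(ini_text)
    level = params.get("ssl_reqClientAuth")
    if level == "0":  # single handshake: only the server certificates are tested
        if not login_ok:
            return "server certificates are incorrect"
        if ACCEPT_MARKER not in sm_log:
            hint = "" if params.get("debughttp") == "1" else "; debughttp:1 is not set"
            return "single handshake not confirmed in sm.log" + hint
        return "single handshake works; next set ssl_reqClientAuth:1"
    if level == "1":  # dual handshake: the client certificate is tested as well
        if not login_ok:
            return "client certificates are the problem"
        return "dual handshake works; next set ssl_reqClientAuth:2"
    if level == "2":  # dual handshake plus lookup in the TrustedClients keystore
        if not login_ok:
            return "TrustedClients keystore has no entry for this client"
        return "dual handshake with TrustedClients works"
    return "ssl_reqClientAuth is missing or not 0, 1 or 2"

# Constructed sample input (not taken from a real server).
SAMPLE_INI = "# constructed sm.ini\nssl:1\ndebughttp:1\nssl_reqClientAuth:0\n"
SAMPLE_LOG = "constructed log line: SSL Connection Accepted\n"

if __name__ == "__main__":
    print(conclude(SAMPLE_INI, True, SAMPLE_LOG))
    stage1 = SAMPLE_INI.replace("ssl_reqClientAuth:0", "ssl_reqClientAuth:1")
    print(conclude(stage1, False))
```
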



Re: Enable SSO in Service Manager

You may check this:

https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsearch/document/KM1288853

It shows the official way to do that.

First test if it works with the Windows client; then for web it is something else.

Take it step by step.

 

Regards,

A.Sol

 


Re: Enable SSO in Service Manager

Hi, 

I have implemented the steps in the previous URL, then I did the following:

1- Adding this conf data in sm.ini:

"

keystoreFile:server.keystore
keystorePass:serverkeystore
ssl:1
ssl_reqClientAuth:1
ssl_trustedClientsJKS:trustedclients.keystore
ssl_trustedClientsPwd:trustedclients
trustedsignon:1
truststoreFile:cacerts
truststorePass:caroot

"

2- Copy the certs files to RUN/ beside sm.ini

3- Test with my local client:

      - Copy HP\Service Manager 9.40\Client\plugins\com.hp.ov.sm.client.common_9.40.0015\cacerts

      - Copy client certs (my local machine) \HP\Service Manager 9.40\Client\plugins\com.hp.ov.sm.client.common_9.40.0015\EGCAOPSVLT109.Egypt.TE-Data.core.keystore

4- Check login data (attached image)

Log data after trying to connect:

 

"

Feb 01, 2016 15:25:49 GMT+02:00 [DEBUG] ++++++ SOAPClient.init() - external_lb: false
Feb 01, 2016 15:25:49 GMT+02:00 [DEBUG] ++++++ SOAPClient.init() - sslEncrypt : false
Feb 01, 2016 15:25:49 GMT+02:00 [DEBUG] ++++++ SOAPClient.init() - endpoint : URL
Feb 01, 2016 15:25:49 GMT+02:00 [DEBUG] SOAP.transact started
Feb 01, 2016 15:25:50 GMT+02:00 [DEBUG] |SOAP.transact finished in 180 ms
Feb 01, 2016 15:25:50 GMT+02:00 [DEBUG] SOAP.transact started
Feb 01, 2016 15:26:11 GMT+02:00 [ERROR] SOAP message send failure
Feb 01, 2016 15:26:11 GMT+02:00 [ERROR] Connection timed out: connect
java.net.ConnectException: Connection timed out: connect
at java.net.DualStackPlainSocketImpl.connect0(Native Method)
at java.net.DualStackPlainSocketImpl.socketConnect(Unknown Source)
at java.net.AbstractPlainSocketImpl.doConnect(Unknown Source)
at java.net.AbstractPlainSocketImpl.connectToAddress(Unknown Source)
at java.net.AbstractPlainSocketImpl.connect(Unknown Source)
at java.net.PlainSocketImpl.connect(Unknown Source)
at java.net.SocksSocketImpl.connect(Unknown Source)
at java.net.Socket.connect(Unknown Source)
at sun.security.ssl.SSLSocketImpl.connect(Unknown Source)
at sun.security.ssl.BaseSSLSocketImpl.connect(Unknown Source)
at sun.net.NetworkClient.doConnect(Unknown Source)
at sun.net.www.http.HttpClient.openServer(Unknown Source)
at sun.net.www.http.HttpClient.openServer(Unknown Source)
at sun.net.www.protocol.https.HttpsClient.<init>(Unknown Source)
at sun.net.www.protocol.https.HttpsClient.New(Unknown Source)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpClient(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.plainConnect(Unknown Source)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(Unknown Source)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(Unknown Source)
at com.hp.ov.sm.client.common.soap.SCSOAPConnectionImpl.send(SCSOAPConnectionImpl.java:181)
at com.hp.ov.sm.client.common.soap.SCSOAPConnectionImpl.call(SCSOAPConnectionImpl.java:107)
at com.hp.ov.sm.client.common.soap.BaseSoapClient.internalDoSoapTransact(BaseSoapClient.java:318)
at com.hp.ov.sm.client.common.communications.SOAPClient.internalDoSoapTransact(SOAPClient.java:1137)
at com.hp.ov.sm.client.eclipse.user.controller.TopazClient.internalDoSoapTransact(TopazClient.java:1358)
at com.hp.ov.sm.client.common.soap.SoapReq.run(SoapReq.java:264)
at com.hp.ov.sm.client.common.soap.BaseSoapClient.syncExecInCurrentThread(BaseSoapClient.java:419)
at com.hp.ov.sm.client.common.soap.BaseSoapClient.doSyncRequest(BaseSoapClient.java:439)
at com.hp.ov.sm.client.common.soap.SoapReq.syncExec(SoapReq.java:114)
at com.hp.ov.sm.client.common.communications.SOAPClient.transact(SOAPClient.java:1036)
at com.hp.ov.sm.client.common.communications.SOAPClient.connect(SOAPClient.java:277)
at com.hp.ov.sm.client.eclipse.user.controller.TopazClient.connect(TopazClient.java:263)
at com.hp.ov.sm.client.eclipse.user.controller.TopazClient.startController(TopazClient.java:625)
at com.hp.ov.sm.client.eclipse.user.launching.ConnectConfigDelegate$ControllerRunner.run(ConnectConfigDelegate.java:61)
at org.eclipse.ui.internal.UILockListener.doPendingWork(UILockListener.java:164)
at org.eclipse.ui.internal.UISynchronizer$3.run(UISynchronizer.java:158)
at org.eclipse.swt.widgets.RunnableLock.run(RunnableLock.java:35)
at org.eclipse.swt.widgets.Synchronizer.runAsyncMessages(Synchronizer.java:135)
at org.eclipse.swt.widgets.Display.runAsyncMessages(Display.java:4140)
at org.eclipse.swt.widgets.Display.readAndDispatch(Display.java:3757)
at org.eclipse.ui.internal.Workbench.runEventLoop(Workbench.java:2701)
at org.eclipse.ui.internal.Workbench.runUI(Workbench.java:2665)
at org.eclipse.ui.internal.Workbench.access$4(Workbench.java:2499)
at org.eclipse.ui.internal.Workbench$7.run(Workbench.java:679)
at org.eclipse.core.databinding.observable.Realm.runWithDefault(Realm.java:332)
at org.eclipse.ui.internal.Workbench.createAndRunWorkbench(Workbench.java:668)
at org.eclipse.ui.PlatformUI.createAndRunWorkbench(PlatformUI.java:149)
at com.hp.ov.sm.client.eclipse.rcp.RcpClient.run(RcpClient.java:47)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at org.eclipse.equinox.internal.app.EclipseAppContainer.callMethodWithException(EclipseAppContainer.java:587)
at org.eclipse.equinox.internal.app.EclipseAppHandle.run(EclipseAppHandle.java:198)
at org.eclipse.core.runtime.internal.adaptor.EclipseAppLauncher.runApplication(EclipseAppLauncher.java:110)
at org.eclipse.core.runtime.internal.adaptor.EclipseAppLauncher.start(EclipseAppLauncher.java:79)
at org.eclipse.core.runtime.adaptor.EclipseStarter.run(EclipseStarter.java:344)
at org.eclipse.core.runtime.adaptor.EclipseStarter.run(EclipseStarter.java:179)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at org.eclipse.equinox.launcher.Main.invokeFramework(Main.java:622)
at org.eclipse.equinox.launcher.Main.basicRun(Main.java:577)
at org.eclipse.equinox.launcher.Main.run(Main.java:1410)

"

Any solution suggested?

Thanks,
Mohamed Shahboub

ITSM Consultant

Re: Enable SSO in Service Manager

Can you please send us here your sm.ini and sm.cfg files?

Remove any sensitive data like password things.

 

Thanks,

A.Sol
