
This post shares some thoughts on how to configure BMC Cloud Lifecycle Management (CLM 3.1) and LDAP integration with BMC Remedy AR System 8.0.

 

In this post, I’ll describe how to take advantage of the AREA LDAP integration to manage end-user passwords in a single location. It is important to note that the administrator account used to connect the components of BMC Cloud Lifecycle Management to each other is set up independently and does NOT use the LDAP integration; that is a single service account, and it can and should be treated differently. The value here is leveraging your centralized account information so that users get access with their existing credentials.

 

The topics I’ll cover are:

  1. Review of Administrator account configuration within CLM / updating the Demo password in OSGI, BSA-CMDB, BBNA-CMDB configuration
  2. Understanding ARSystem LDAP login methodology and configuration choices
  3. CLM requirements, Enterprise CMDB requirements, etc.
  4. Walk-through example of a user accessing SOI

 

Lightweight Directory Access Protocol (LDAP) provides a standard method for accessing information from a central directory. A common use for LDAP is user authentication. After a user is set up in the LDAP directory, he or she can use the same user name and password to log in to any application that supports the LDAP protocol.

 

1.0 AREA LDAP PLUG-IN AND ITS CONFIGURATIONS

 

The AR System External Authentication (AREA) LDAP plug-in enables you to authenticate AR System users against external LDAP directory services. This section describes how to configure the AREA LDAP plug-in and your AR System server to use LDAP authentication.

 

1.1 Prerequisite for CLM

 

1.1.1 A valid People record must exist (on the Enterprise AR server) for the user, with a blank password

 

1.1.2 Set Demo password

The Demo account is used by the BMC CSM services to communicate with the AR System (Cloud AR/DB). Demo is a service account and we recommend defining its password locally, not through LDAP. The steps to set the Demo password follow; note the password dependencies first:

 

Password Change Dependency:

When changing the password of the Demo account, the same password must be updated in the other applications and configurations that use it. Also check whether any external applications or resources use any of the accounts and passwords you are changing.

 

1.jpg

In above table “x” indicates the components where a newly set Demo password needs to be configured too.

 

Note:

  • If you change the Demo user password, you must contact BMC Support to obtain the encrypted form of the new password; it is needed in a later section to update the Demo password in the CSM Platform (OSGI) as well.

To change the password:

    • Log in to the BMC Remedy User tool as Demo (or as the user whose password needs to be changed)
    • Click the Change Password quick link

2.jpg

Enter the correct Current Password, then enter the New Password.

 

3.jpg

Click Save. The password change is replicated to the Cloud AR/DB through DSO (Distributed Server Option).

 

Update Demo password in BBNA CMDB Integration

As shown in the password dependency matrix, change the Demo password in BBNA > System parameter as well.

4.jpg

Update Demo password in BSA CMDB Integration

 

1) Go to Configuration -> Atrium Integration -> Configuration

5.jpg

2) Enter the new AR Demo password (if it was changed in the previous section) and click Test Connection to verify that BSA can still reach the AR server.

6.jpg

3) Click on save button.

 

Updating CLM Platform (OSGI) with Demo user changed password

 

Note:

At the current time, you must contact BMC Support to obtain the encrypted forms of the new passwords, because the CLM Platform (OSGI) server stores passwords only in encrypted form. If you changed the Demo password, proceed as follows:

 

1) Once the encrypted passwords for CLM Platform’s configuration JSON files are obtained, log in to CLM Platform Manager server

2) Stop the BMC CSM services

3) Go to <installation dir>/BMCCloudLifeCycleManagement/Platform_Manager/configuration directory.

4) Edit the cloudservices.json file. To locate the encrypted passwords within the JSON files, search for "isPassword" : true; the first "attributeValue" after that is a password. The fragment below shows how the Demo password is stored. The value "x+IJYzkzRt8tjHGnMJaJhA==" is the part you replace with the new encrypted value for Demo.

 

{
  "cloudClass" : "com.bmc.cloud.model.beans.AccessAttributeValue",
  "accessAttribute" : {
    "cloudClass" : "com.bmc.cloud.model.beans.AccessAttribute",
    "datatype" : "String",
    "description" : "Database(AR) Server Password",
    "guid" : "49f9d4d8-a805-4e04-b778-3be3ffbd17ad",
    "isOptional" : false,
    "isPassword" : true,
    "length" : 255,
    "modifiableWithoutRestart" : false,
    "name" : "password"
  },
  "attributeValue" : "x+IJYzkzRt8tjHGnMJaJhA==",
  "description" : "Database(AR) Server Password",
  "guid" : "075b5338-2470-49fc-b3a6-7528ade43703",
  "name" : "password"
}

 

If no Demo password was set previously, the value is empty: change "attributeValue" : "", to "attributeValue" : "x+IJYzkzRt8tjHGnMJaJhA==", (with your own encrypted value in place of the example).

 

Here are the two locations in cloudservices.json where the encrypted Demo password must be updated:

 

a. "description" : "Database(AR) Server Password" = Cloud AR/DB Demo password

b. "description" : "Database(AR) Password" = Cloud AR/DB Demo password

Other password entries in the file (for other components) share "name" : "password", so use the description, not the name, to tell them apart.

 

Note: Restart the BMC CSM services after making these changes.
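The edit above is easy to get wrong by hand, because several entries in the file are called "password". The following script is an added example (not BMC's code, and not shipped with CLM): it walks a CLM Platform configuration JSON, finds the entries flagged "isPassword" : true, and replaces the attributeValue only of those whose description matches the two Demo entries listed above, whether the existing value is an old ciphertext or still empty. The encrypted value itself still has to come from BMC Support; the script only places it. SAMPLE_DOC is a constructed stand-in for cloudservices.json whose shape follows the fragment above; the extra entries and their descriptions are made up.

```python
# Added example, not BMC's code: place a new encrypted Demo password into the
# matching entries of a CLM Platform configuration JSON (cloudservices.json).
import copy
import json
import shutil
import sys

# The two Demo locations named in the post; matched on description, not name.
DEMO_DESCRIPTIONS = {"Database(AR) Server Password", "Database(AR) Password"}

# Constructed stand-in for the real file (structure follows the fragment above).
SAMPLE_DOC = {
    "services": [
        {
            "cloudClass": "com.bmc.cloud.model.beans.AccessAttributeValue",
            "accessAttribute": {"isPassword": True, "name": "password",
                                "description": "Database(AR) Server Password"},
            "attributeValue": "x+IJYzkzRt8tjHGnMJaJhA==",   # old ciphertext
            "description": "Database(AR) Server Password",
            "name": "password",
        },
        {
            "cloudClass": "com.bmc.cloud.model.beans.AccessAttributeValue",
            "accessAttribute": {"isPassword": True, "name": "password",
                                "description": "Database(AR) Password"},
            "attributeValue": "",                            # never set before
            "description": "Database(AR) Password",
            "name": "password",
        },
        {   # made-up entry for some other component: must be left untouched
            "cloudClass": "com.bmc.cloud.model.beans.AccessAttributeValue",
            "accessAttribute": {"isPassword": True, "name": "password",
                                "description": "Other Component Password"},
            "attributeValue": "AAAAAAAAAAAAAAAAAAAAAA==",
            "description": "Other Component Password",
            "name": "password",
        },
        {   # made-up non-secret attribute: not flagged isPassword, never touched
            "accessAttribute": {"isPassword": False, "name": "hostname"},
            "attributeValue": "clm-ar.example.com",
            "description": "Database(AR) Server Host",
            "name": "hostname",
        },
    ]
}


def iter_password_entries(node):
    """Walk the JSON tree and yield every entry whose accessAttribute says
    "isPassword" : true. The nested accessAttribute dict itself has no
    attributeValue, so only the outer AccessAttributeValue entry is yielded."""
    if isinstance(node, dict):
        aa = node.get("accessAttribute")
        if isinstance(aa, dict) and aa.get("isPassword") is True and "attributeValue" in node:
            yield node
        for value in node.values():
            yield from iter_password_entries(value)
    elif isinstance(node, list):
        for value in node:
            yield from iter_password_entries(value)


def set_password_value(doc, descriptions, new_encrypted_value):
    """Return (updated deep copy, number of entries changed). Overwrites an empty
    attributeValue just like an existing ciphertext; the input is not modified."""
    updated = copy.deepcopy(doc)
    changed = 0
    for entry in iter_password_entries(updated):
        if entry.get("description") in descriptions:
            entry["attributeValue"] = new_encrypted_value
            changed += 1
    return updated, changed


def update_file(path, new_encrypted_value, descriptions=DEMO_DESCRIPTIONS):
    """Back the file up to <path>.bak, then rewrite it with the new value.
    Refuses to write if nothing matched, so a typo in a description is loud."""
    with open(path, encoding="utf-8") as fh:
        doc = json.load(fh)
    updated, changed = set_password_value(doc, descriptions, new_encrypted_value)
    if changed == 0:
        raise SystemExit(f"no entries with descriptions {sorted(descriptions)} in {path}")
    shutil.copyfile(path, path + ".bak")
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(updated, fh, indent=2)
    return changed


if __name__ == "__main__":
    # usage: python update_demo_password.py cloudservices.json '<encrypted value from BMC Support>'
    print(update_file(sys.argv[1], sys.argv[2]), "entries updated")
```

Run it with the BMC CSM services stopped, as in step 2, and restart them afterwards. Note that json.dump re-serialises the whole file, so the "key" : value spacing of the original is normalised; the .bak copy keeps the original bytes if you need to diff.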

 

1.2 AREA LDAP-Functionality Overview

First, a few important points about validating passwords against an LDAP server in this setup:

  • The Cross Reference Blank Password option must be enabled
  • The user must exist in the User form with a blank password
  • All user information is stored in the AR System except the password
  • LDAP is used only to validate the password

 

1.3 Configuring AREA LDAP

  • Open the AR System Administration: Console form and switch to “AREA Configuration”. The settings you specify in the form are saved in ar.cfg (Windows) or ar.conf (UNIX).

7.jpg

  • Before configuring the AREA LDAP plug-in, set up the user and group information in the LDAP directory service. Then use the following procedure to enter the settings into the AREA LDAP Configuration form.
  • Here is a sample configuration screenshot for reference:

AREA_LDAP.png

Refer to the following documentation portal link for more information on the fields above:

Configuring the AREA LDAP plug-in

 

Note:

Use your BMC support credentials to access this link.

 

After the above configuration, switch to “AR System Administration: Server Information” -> EA tab

EA-Tab.png

  • To configure AR System servers to work with the AREA LDAP plug-in, use the EA (external authentication) tab in the AR System Administration: Server Information form. External authentication (including chaining) works only if you do the following in the EA tab:
    • Set RPC to 390695
    • Select Cross Reference Blank Password (so that a user who already exists in the Remedy User form with a blank password is authenticated externally)

 

1.4 Specifying authentication chaining mode

 

You can specify the order in which internal and external authentication methods are attempted by specifying a value for the Authentication Chaining Mode field.

 

Mode              Description
Off               Disables authentication chaining.
ARS - AREA        AR System attempts to authenticate the user by using the User form and then the AREA plug-in.
AREA - ARS        AR System attempts to authenticate the user by using the AREA plug-in and then the User form.
ARS - OS - AREA   AR System attempts to authenticate the user by using the User form, then Windows or UNIX authentication, and then the AREA plug-in.
ARS - AREA - OS   AR System attempts to authenticate the user by using the User form, then the AREA plug-in, and then Windows or UNIX authentication.

                          

Note:

Keep "Authentication Chaining Mode" set to "Off". With "Cross Reference Blank Password" checked, the plug-in is invoked automatically for any user whose User-form password is blank and validates the password against AD, so chaining is not needed. Two consequences to keep in mind: a user who does have a password in the User form is authenticated locally and never reaches LDAP, and a blank-password user cannot log in at all while the plug-in or the directory is unreachable, since there is no local password to fall back to.

 

1.5 AREA LDAP Login Methodology:  

          

The AREA LDAP plug-in performs the following steps to authenticate a user:

 

  • Bind to the AREA host as the user defined in the Distinguished Name field (the service account)
  • Perform a search using the Host Name, Port Number, User Base, and User Filter fields (if the user is not found, return an invalid user error; otherwise continue)
  • Return the Distinguished Name of the user together with all available attributes; these attributes may be used to assign the email address, license information, etc.
  • Bind as the Distinguished Name returned in step 3 with the password passed from the AR client (if the bind fails, return ARERR [623] Authentication failed; otherwise continue)

 

1.6 Create user account in Remedy (Enterprise AR)

 

  • Configure the user account locally in the Remedy People form with a blank password (so that it is authenticated through LDAP), for a company that is already on-boarded in the Cloud Portal
  • Give this user a “Fixed” license (all cloud users need a Fixed license)
  • Define “Application Permissions” and “Access Restrictions” for the user

 

Here is a sample configuration for a user “arai”:

10.jpg

Note:

  • This user must also exist in AD (Active Directory), with a password set there.
  • Configure AREA LDAP on the Cloud DB/AR too, with the same information. Refer to section 1.3.
  • The AREA LDAP configuration on the Cloud DB/AR is required for the user to run CLM use cases successfully, because user authentication for them happens on the Cloud DB/AR side.
  • The user record is replicated by DSO to the Cloud DB/AR, with the blank password, as soon as you create it on the Enterprise AR side.

 

1.7 Submitting an SOI request with the newly configured user

11.jpg

  • Log in through the Mid Tier as the newly configured user, with the password set in LDAP
  • The AR plug-in communicates with AD to authenticate this user. A sample “ARPlugin.log”, which captures the flow of verifying the user's credentials, is attached for reference.
  • Based on the “Application Permissions”, the user sees the corresponding application links:

12.jpg

  • Submit an SOI request as this user; if AREA LDAP is configured on the Cloud DB/AR, the request succeeds as shown below:

 

13.jpg

In this post, I covered the configuration points and suggestions for integrating BMC Cloud Lifecycle Management with LDAP. I hope it was helpful. I would like to hear from you: are there other ways the feature has been particularly helpful, or limitations that prevented it from meeting your needs? If so, please add comments below.