So, when I use Firefox...
I open the browser and hit the mid-tier address
the certificate box shows up
I select my cert
I enter the pin
Then it seems the browser is sent into a loop... Firefox shows:
The page isn't redirecting properly
Firefox has detected that the server is redirecting the request for this address in a way that will never complete.
This problem can sometimes be caused by disabling or refusing to accept
Looking at the authentication debug log, I see many lines of "Session Valid / Already authenticated" messages
however in the session debug log, I see many exceptions thrown that are indicating "Invalid Session ID" as the error message.
It seems contrary to me...
This type of problem occurs when there is trouble accessing the cookie. The mid-tier and SSO server must be in the same domain that was specified for the cookie domain when Atrium SSO was installed (or a sub-domain of that value). When integrating mid-tier with Atrium SSO, FQDN must be used in the URL parameters. Also, check the agent configuration in the Admin Console to make sure the FQDN Virtual Host Map is correctly mapping from a simple host name to the FQDN.
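The domain rule in the reply above, as an added example that is not part of the thread or of BMC's tooling: a pre-flight check that applies the browser's cookie domain-matching rule (RFC 6265) to the URLs used in the integration and reports any host that would never be sent the SSO cookie, which is what produces the redirect loop. The host names, ports, paths and the `example.com` cookie domain are constructed sample values.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit


def domain_match(host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: host equals the cookie domain or is a
    sub-domain of it. An IP address only ever matches exactly."""
    host = host.lower().rstrip(".")
    domain = cookie_domain.lower().strip(".")
    if host == domain:
        return True
    try:
        ip_address(host)
        return False  # an IP literal is never a sub-domain
    except ValueError:
        pass
    return host.endswith("." + domain)


def check_urls(cookie_domain: str, urls: dict) -> list:
    """Return one finding per URL whose host would not receive the cookie."""
    findings = []
    for name, url in urls.items():
        host = urlsplit(url).hostname or ""
        if "." not in host:
            # Short host name: the browser cannot match it to any domain cookie.
            findings.append(f"{name}: '{host}' is not an FQDN")
        elif not domain_match(host, cookie_domain):
            findings.append(
                f"{name}: '{host}' is outside cookie domain '{cookie_domain}'")
    return findings


# Constructed sample values, not taken from the thread.
SAMPLE = {
    "sso-server": "https://sso.example.com:8443/atriumsso",
    "mid-tier (short name)": "http://midtier:8080/arsys",
    "mid-tier (other domain)": "http://midtier.example.org:8080/arsys",
    "mid-tier (FQDN)": "http://midtier.corp.example.com:8080/arsys",
}

if __name__ == "__main__":
    for line in check_urls("example.com", SAMPLE) or ["all hosts receive the cookie"]:
        print(line)
```

Run it with the cookie domain chosen at SSO install time and the exact URLs passed to the deployer and typed into the browser; any finding means that URL needs the FQDN form.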
Working on this cookie issue, I went back to square one, checking all the settings for the FQDN. I looked at the command line for the deployer script. It turns out that the --web-app-url did not have the FQDN in it. After calling myself dumb, I uninstalled the agent using the deployer script. I reinstalled the agent after adding the FQDN to the cmd line. It looked like it went successfully. I started the tomcat server, went to the mid-tier page and... BMCSSG1323I: Agent installation not detected. NOOOOOOOOO! I broke it! Damn! Would there happen to be a secret debug switch for the deployer?
Some of the things I have done...
Stopped the service
got rid of the atsso lck and tmp files
renamed the atsso directory (it was recreated on the next install attempt)
So any thoughts on my step backwards?
If the deployer execution finished without any error messages then the integration with the SSO server was successful. If there were any troubles, the simplest cleanup is to simply delete the atssoAgents folder from tomcat and the agent configuration in the admin console.
This error message means the agent in the mid-tier isn’t able to find the atssoAgents which should be in the tomcat folder (a sibling directory to bin, conf, logs, etc.). The location is taken from the --container-base-dir parameter.
There should be an atsso.log.* file in the tomcat temp directory which contains additional information about where the agent was looking.
Adam, when you say "Agent configuration from the admin console" do you mean the SSO admin console -> BMCRealm -> Agents tab?
If so, that's interesting because I have not since starting this project seen anything configured in that area.
Is this one of the missing pieces? I don't recall seeing anything in the admin guide about this tab.
We are so close to making this work I can taste it...
Last night, I uninstalled the SSO server and the mid-tier as well. A fresh start.
I installed the SSO server 7.6.04 SP1 and applied the latest patch.
I performed the configurations according to the latest documentation
I installed the mid-tier and chose the SSO integration option during the installer. That didn't go as smoothly as hoped.
Looking at the post install log, the deployer failed to run because it threw an exception. Ok, no problem. I ran the deployer manually. Success.
Now, to be sure that everything was where it should be, I went through the integration guide again for the mid-tier to SSO manual instructions. The only thing that was wrong was that the filter and filter mapping in the web.xml file were still commented out. Maybe this is due to the deployer installation failure. No problem. I fixed the file.
Restarted SSO tomcat service
Restarted Mid-tier tomcat service
Waited patiently for a few minutes
Opened my browser and went to the mid-tier URL
It asked for my cert and pin
and redirected me into the mid-tier - wow...
I'm presented with [ARERR 623] Authentication failed
I think (hope) this is the last hurdle
Striking forward with reckless abandon, I created an agent entry under J2EE with what seemed to be the correct values.
It worked. Thanks all around to Jim, Adam and Shrihari for helping me (an SSO first timer) through this.
I was magically transported into the mid-tier and placed at the IT Homepage.
I will post a followup message today with all the steps and lessons learned for the good of the community.