25 Replies. Latest reply on Jan 25, 2019 11:01 AM by Timothy Mobley

    Mid Tier Not Directing to RSSO

    Timothy Mobley

      I have just set up RSSO for Kerberos authentication according to the BMC document, Jean Christophe's Blog and John McKnight's accompanying YouTube video found here. In the RSSO admin console, under Realm, in addition to the default (*) realm, I created a new Realm with Kerberos authentication (AR bypass also enabled). I confirmed these KDC/SPN settings are correct by clicking the 'Test' button and it says "Kerberos Connection Successful" in green. I then checked my browser settings (in Group Policy) per the BMC document linked above. All of these settings appear to be correct; however, when I close the browser, run gpupdate and reopen the browser to my Remedy logon page, it just shows the default Remedy logon page, with User Name, Password and Authentication, instead of passing it on to RSSO with Kerberos. Obviously I was missing something. Since I installed RSSO on the Mid Tier, I ran the integration with the Mid Tier, per this BMC document. The installation was successful, but - after rebooting the Mid Tier server (and thus Tomcat as well) - it still only displays the default logon page.

       

      [Side-note - I had previously started configuring an RSSO realm for Certificate-based authentication, and had set the clientAuth attribute in server.xml to want. When I switched to Kerberos authentication, I also changed the clientAuth value back to its original setting of false.]

       

      My last thought was that the missing piece was the RSSO Agent. While I thought these settings were configured during the RSSO Integration with Mid Tier, maybe there was something I had to manually configure. During the integration installation, for both the public and service RSSO URL I had put https://midtierservername.domain.com:443/rsso. However, looking at the last paragraph of this BMC document, I am not sure this was correct. It says in a scenario where "Remedy SSO is deployed in the same Tomcat with Mid Tier.... Then, in the rsso-agent.properties file, the property sso-service-url must not be configured with URL using the specific hostname." Rather it should use localhost instead of the server name.

       

      However, I am having trouble locating the rsso-agent.properties file to make this change. Any other tips or suggestions on troubleshooting this problem are much appreciated. The end goal is to have people open the URL for Remedy (https://midtierserver.domain.com/arsys/shared/login.jsp) and be automatically logged in to Remedy using Kerberos and the same credentials they logged into the computer with.

        • 1. Re: Mid Tier Not Directing to RSSO
          Stefan Hall

          I'll involve our RSSO expert, he can certainly help you. Patrick Rauhut

          • 2. Re: Mid Tier Not Directing to RSSO
            Timothy Mobley

            Thank you Stefan. One update from my post - I ran through these steps for Manually Integrating RSSO with the Mid Tier and did find rsso-agent.properties in the folder where it should be. So that mystery is solved, but I still can't get it to use Kerberos authentication to log in. I think I must have a URL wrong somewhere but don't know where.

            • 3. Re: Mid Tier Not Directing to RSSO
              Patrick Rauhut

              Hello Timothy,

               

              • If you use an external RSSO server (that should be the case for the MidTier), both URLs in the rsso-agent.properties file should point to the RSSO server ("http(s)://rsso.example.com/rsso") and not localhost.
              • Did you configure the "application domains" for your realm?
                The application domains should contain the FQDNs your customers use. For example, if your customer goes to "midtier.example.com", your application domains should contain that value. The agent queries what realm to use based on the domain.

               

              We've done our integrations as documented here:

              Manually integrating Remedy SSO with BMC applications - Documentation for Remedy Single Sign-On 18.08 - BMC Documentatio…

              and it's working like a charm.

               

              I hope that contains a solution

               

              Kind regards

              Patrick

              • 4. Re: Mid Tier Not Directing to RSSO
                Timothy Mobley

                Patrick Rauhut, thank you for the info. Based on your advice, I edited both external & internal URLs to be https://rsso.mymidtierservername.domain.com/rsso. (Is it correct to put the "rsso" before the midtier server name, or is that just an example?) I then restarted Tomcat and reopened the browser. However, there was no change - still not using RSSO/Kerberos.

                 

                BMC documentation didn't give clear instructions on configuring application domains, so there is a good possibility I have that wrong. For my application domain, I had simply domainname.com ... so I changed that to midtierservername.domain.com. However, this also yields the same results.

                 

                [Edit: I forgot to mention that I had previously worked through the Mid Tier section of the document link you provided, and confirmed that everything is as it should be according to that document.]

                • 5. Re: Mid Tier Not Directing to RSSO
                  Stefan Hall

                  Hi Timothy Mobley,

                  There seems to be a typo in your external & internal URLs; they should point to your RSSO server. Does your RSSO server run on https or http, and on which port? Both URLs should be http://your-rsso-server.domain.com:port/rsso (no midtier name required).

                   

                  What does "doesn't work" actually mean? Do you see the RSSO login page or the AR server login page?

                  If it is the AR login page, something is wrong with your manual RSSO midtier integration.

                   

                  Good Luck

                  Stefan

                  • 6. Re: Mid Tier Not Directing to RSSO
                    Timothy Mobley

                    Thanks for your thoughts, Stefan Hall. I have RSSO installed on the same server as the Mid Tier (sharing the same server so it can run Tomcat). So the RSSO server and the Mid Tier URLs are the same thing. Is this a problem?

                     

                    I mean that I see the AR server login page (not RSSO). I'll double-check my manual RSSO midtier integration settings, but I'm not confident I'll recognize the problem when I see it.

                     

                    [Edit: I double-checked the following manual Mid Tier RSSO Integration settings:
                    • Edited config.properties to use RSSOAuthenticator
                    • Copied rsso-authenticator-plugin-all.jar and rsso-agent-all.jar to <MT>/WEB-INF/lib
                    • Copied & edited rsso-agent.properties (but as I've mentioned, I'm not clear on the internal/external URLs)
                    • Verified web.xml file - everything looked good except init-param - I can't find the log4j.rsso-webagent.properties file (is this important?)]

                    • 7. Re: Mid Tier Not Directing to RSSO
                      Carl Wilson

                      Hi,

                      There is no issue running RSSO and Mid Tiers on the same server; you just need to observe the port conflicts with the Tomcat installs.

                      This means that if you have 2 x Tomcat installed, you need to change the Shutdown, Connector and AJP ports.

                       

                      Example (server.xml configuration snippets):

                      Tomcat Instance 1 (RSSO):

                      <Server port="8007" shutdown="SHUTDOWN">
                        <Connector port="8090" protocol="HTTP/1.1"
                                   connectionTimeout="20000"
                                   redirectPort="8443" />
                        <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

                      Tomcat Instance 2 (MT):

                      <Server port="8008" shutdown="SHUTDOWN">
                        <Connector port="8080" protocol="HTTP/1.1"
                                   connectionTimeout="20000"
                                   redirectPort="8443" />
                        <Connector port="8010" protocol="AJP/1.3" redirectPort="8443" />

                       

                      If you follow the instructions in the "manually integrating" article, then once you have the correct files in place then you can update them accordingly.

                      As you have the Mid Tier and RSSO on the same server, the URLs should be similar to the below:

                       

                      Mid Tier and RSSO URL Examples:

                       

                       

                      As you can see, they use the same URL but with different ports and context.

                       

                      The internal/external URLs will be the same if you are using only one RSSO server, e.g. http://bmcmt.mps.com:8090/rsso.

                      If using a LB with a different DNS, you would put the LB name into the external value (e.g. http://mt.mps.com/rsso), and the local RSSO server name into the internal value.

                       

                      Make sure you have also done the ARS configuration, as this has a link back to the RSSO server in its configuration - therefore all associated firewall ports need to be opened.

                       

                      Best to add the log4j.rsso-webagent.properties file as it is referenced when the application starts (you can get it from the install files).

                       

                      Below is a diagram of the different scenarios for RSSO connectivity and configuration files (HTTP/HTTPS/HTTPS with LB's):

                       

                       

                      Cheers

                      Carl

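Added example, not from the thread or from BMC: a small Python check that parses the server.xml of two Tomcat instances on one host and lists every port both would bind, the situation Carl describes above. The fragments are constructed, using the ports from Carl's snippets plus a stock-port instance for contrast; only the shutdown port and Connector ports are compared, since redirectPort is not a listening port unless an SSL connector is defined.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragments for two Tomcat instances on one host,
# using the ports Carl gives above (instance 1 = RSSO, instance 2 = MT).
RSSO_SERVER_XML = """<Server port="8007" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8090" protocol="HTTP/1.1"
               connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>"""
MT_SERVER_XML = """<Server port="8008" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8010" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>"""
# An instance left at Tomcat's stock ports, constructed for contrast.
DEFAULT_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>"""


def listening_ports(server_xml):
    """Map every port this instance binds (shutdown + Connectors) to its role."""
    root = ET.fromstring(server_xml)
    ports = {int(root.get("port")): "shutdown"}
    for conn in root.iter("Connector"):
        # redirectPort is only a redirect target, not a bound port, so skip it
        ports[int(conn.get("port"))] = conn.get("protocol", "HTTP/1.1")
    return ports


def port_conflicts(xml_a, xml_b):
    """Return (port, role_in_a, role_in_b) for every port both instances bind."""
    a, b = listening_ports(xml_a), listening_ports(xml_b)
    return sorted((p, a[p], b[p]) for p in a.keys() & b.keys())


if __name__ == "__main__":
    print("RSSO vs MT:     ", port_conflicts(RSSO_SERVER_XML, MT_SERVER_XML))
    print("RSSO vs default:", port_conflicts(RSSO_SERVER_XML, DEFAULT_SERVER_XML))
    print("MT vs default:  ", port_conflicts(MT_SERVER_XML, DEFAULT_SERVER_XML))
```

Run it against the real server.xml of each instance (read the files into the two arguments) before starting the second Tomcat; an empty list means the instances do not compete for a port.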
                      • 8. Re: Mid Tier Not Directing to RSSO
                        Timothy Mobley

                        First, thank you Carl Wilson for the very thorough reply - I am still working my way through your response. However, I have one quick question - I have Mid Tier and RSSO on the same server and using the same install of Tomcat (only one instance of Tomcat). Can I still make the edits to server.xml you suggested in the same file?

                         

                        Also, I'm not sure why but this morning I am unable to login to the RSSO Admin console and get "Incorrect username and password" even though I know it is correct. Any thoughts on why this might be?

                         

                        Thanks again for your help!

                        • 9. Re: Mid Tier Not Directing to RSSO
                          Carl Wilson

                          Hi Timothy,

                          if you are using the one Tomcat container, then the port observations/conflicts do not apply as both web apps are deployed in the one container.

                          My suggestion would be to reinstall, if you can, to have RSSO in its own Tomcat container; that makes troubleshooting much easier as you can work on one application at a time.

                           

                          You could try to restart Tomcat to see if you can log into the RSSO Admin console.

                           

                          Cheers

                          Carl

                          • 10. Re: Mid Tier Not Directing to RSSO
                            Timothy Mobley

                            I reinstalled RSSO (still the same Tomcat) and am able to log in to the Admin console again now - not sure what that was about. In looking at the rsso-agent.properties file, I'm wondering if the problem could be the agent-id? The document I was following says to use agent-id=midtier_agent; however, the comments in the file itself say to put the URL for arsys, as in agent-id=http://midtier.com/arsys. I tried changing it to the latter and restarted Tomcat, but that didn't help anything.

                            • 11. Re: Mid Tier Not Directing to RSSO
                              Carl Wilson

                              Hi,

                              the agent-id is just a way to identify the RSSO agent on the machine, so there is no need to change this.

                              Again I suggest to split the RSSO install to its own Tomcat instance which makes troubleshooting much easier as you are not having to trawl logs with 2 applications involved.

                               

                              Cheers

                              Carl

                              • 12. Re: Mid Tier Not Directing to RSSO
                                Stefan Hall

                                Timothy Mobley

                                So, did you manage it?

                                I tested it today and if your MT integration is correct, the RSSO login page or an error message from the RSSO server will appear, but never the AR login page.

                                 

                                So your RSSO MT integration is wrong. Why do you try this manually? There is the installer. Then you can look at the difference and learn from it.

                                • 13. Re: Mid Tier Not Directing to RSSO
                                  Timothy Mobley

                                  Stefan Hall - I have been using the installer for MT integration (sorry that wasn't clear), I was just referencing the manual integration documentation to confirm the installer did what it should - which it appears it did. Per Carl's advice, I have now spun up a separate server with its own instance of Tomcat and installed RSSO on that server. Next I ran the MT integration installer on the MT server (per documentation). After restarting Tomcat on the MT, I still have the same issue where only the AR login page appears rather than redirecting to SSO.

                                   

                                  Carl Wilson, looking back at your advice on proper setup for server.xml I wanted to check with you what I am seeing now on my two Tomcat instances:

                                   

                                   

                                  Tomcat Instance 1 (RSSO):

                                  <Server port="8005" shutdown="SHUTDOWN">
                                    <Connector port="8080" protocol="HTTP/1.1"
                                               connectionTimeout="20000"
                                               redirectPort="8443" />
                                    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

                                  Tomcat Instance 2 (MT):

                                  <Server port="8006" shutdown="SHUTDOWN">
                                    <!-- no connectionTimeout or redirectPort on this connector -->
                                    <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" />
                                    <Connector port="8029" protocol="AJP/1.3" redirectPort="8443" />

                                  • 14. Re: Mid Tier Not Directing to RSSO
                                    Carl Wilson

                                    Hi,

                                    looks good on the Tomcat setup, but as you have separated the Tomcat instances on to their own servers the port conflicts do not apply - they only come into play when you have more than one Tomcat instance on the same server.

                                     

                                    The things to check for when integrating are as follows, you can do this by running through the manual instructions to validate:

                                     

                                    • Required .jar and configuration files are present in the correct directories (on the later versions, these are supplied when installing the apps, but best to double check - copy from the RSSO install directory where required if missing)
                                    • Values have been set correctly in the configuration files, e.g. rsso-agent.properties, config.properties, etc.

                                     

                                    If you are still seeing the login page, when navigating to the ".../arsys" URL, then more than likely the MT configuration file "config.properties" has not been set to use the RSSO authenticator [arsystem.authenticator=com.bmc.rsso.plugin.authenticator.RSSOAuthenticator] and is still using the default Remedy authenticator.

                                    So double check the setup for the files and configuration.

                                     

                                    Example for MT (if using Windows):

                                     

                                    Example - config.properties

                                     

                                     

                                    Example - rsso-agent.properties

                                     

                                     

                                    I have an extra config parameter (arsystem.authenticator.config.file=rsso-authenticator.properties) as this system is integrated with DWP Catalog (Service Broker), so you can ignore this one.

                                     

                                    Cheers

                                    Carl

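Added example, not part of the thread or of BMC's tooling: a Python script that runs Carl's checklist above against Mid Tier's config.properties and rsso-agent.properties, and also applies the earlier URL advice (absolute URL with the /rsso context, no localhost once RSSO is on another server). The authenticator class and file names come from Carl's posts; sso-external-url is an assumed key name for the external URL, the list of files present is passed in rather than scanned from disk, and the sample property files are constructed.

```python
from urllib.parse import urlparse

# Expected values are those Carl names in the thread; "sso-external-url" is an
# ASSUMED key name (only sso-service-url is quoted on the page).
RSSO_AUTHENTICATOR = "com.bmc.rsso.plugin.authenticator.RSSOAuthenticator"
REQUIRED_FILES = {"rsso-authenticator-plugin-all.jar", "rsso-agent-all.jar",
                  "log4j.rsso-webagent.properties"}
URL_KEYS = ("sso-service-url", "sso-external-url")

# Constructed sample files: RSSO moved to its own server, but the service URL still
# points at localhost and the log4j file was never copied into the Mid Tier webapp.
CONFIG_PROPERTIES = """# config.properties (constructed excerpt)
arsystem.authenticator=com.bmc.rsso.plugin.authenticator.RSSOAuthenticator
"""
AGENT_PROPERTIES = """# rsso-agent.properties (constructed excerpt)
agent-id=midtier_agent
sso-service-url=http://localhost:8080/rsso
sso-external-url=https://midtierservername.domain.com/rsso
"""
FIXED_AGENT_PROPERTIES = AGENT_PROPERTIES.replace(
    "http://localhost:8080/rsso", "http://rsso.domain.com:8080/rsso")
MT_FILES_PRESENT = {"rsso-authenticator-plugin-all.jar", "rsso-agent-all.jar"}


def parse_properties(text):
    """Minimal java.util.Properties reader: key=value lines, '#' or '!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!":
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def check_integration(config_text, agent_text, mt_files, rsso_on_other_host):
    """Return findings for a Mid Tier RSSO integration; an empty list means it passed."""
    findings = []
    config, agent = parse_properties(config_text), parse_properties(agent_text)
    if config.get("arsystem.authenticator") != RSSO_AUTHENTICATOR:
        findings.append("config.properties: arsystem.authenticator is not the RSSO "
                        "authenticator, so Mid Tier keeps showing the AR login page")
    for name in sorted(REQUIRED_FILES - set(mt_files)):
        findings.append(f"Mid Tier webapp: missing {name}")
    for key in URL_KEYS:
        raw = agent.get(key, "")
        url = urlparse(raw)
        if url.scheme not in ("http", "https") or not url.path.rstrip("/").endswith("/rsso"):
            findings.append(f"rsso-agent.properties: {key} must be an absolute http(s) "
                            f"URL with the /rsso context, got '{raw}'")
        elif rsso_on_other_host and url.hostname in ("localhost", "127.0.0.1"):
            findings.append(f"rsso-agent.properties: {key} points at localhost, "
                            "but RSSO is not in this Tomcat")
    return findings
```

Call check_integration with the real file contents and a listing of WEB-INF/lib (plus wherever web.xml's init-param points for the log4j file); each finding maps to one item of the checklist above.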