
TrueSight 11.00, released in October 2017, introduces integration with Remedy Single Sign-On (RSSO). Until now, the only SSO integration available for TrueSight was Atrium Single Sign-On.

 

There are many advantages to using Remedy Single Sign-On with TrueSight instead of Atrium Single Sign-On, including:

 

  • High availability and failover
  • More authentication mechanisms including Kerberos, Certificate, SAML
  • Smaller footprint on the server side and application side (agent)
  • Authentication chaining mode

 

In this post we'll take a look at installing and configuring the TrueSight Presentation Server and Infrastructure Manager 11.00 with Remedy Single Sign-On 9.1.03.01.

 

INSTALLERS

 

You can download both TrueSight and RSSO from BMC EPD. The required versions are TrueSight Presentation Server & Infrastructure Manager 11.00 and Remedy Single Sign-On 9.1.3.01.

There are two different installers for RSSO

  • BMCRemedySSO-9.1.03.001 which is the Stand Alone Install of RSSO (supports Oracle, MSSQL databases)
  • Remedy_Single_Sign-On_for_TrueSight_Version_11.0_Windows Integrated Install (supports only PostgreSQL database)
  • TrueSight_Presentation_Server_11.0.00
  • TrueSight_Infra_Mgmt_11.0_CoreComponents

 

Which RSSO installer should you use?

The answer depends on how you intend to deploy RSSO. In summary, the recommendation is to use the RSSO standalone install. The standalone installer has much more room to expand as requirements grow, e.g. more users on the system or other BMC applications such as Remedy, ADDM, BAO, and Dashboards & Analytics. If there are no plans to deploy other applications with RSSO and the user base is going to stay consistent, then installing Remedy Single Sign-On for TrueSight Version 11 is sufficient.

 

Stand Alone install VS Integrated Install

  • Stand Alone install supports Oracle and MSSQL as its databases, while the integrated install only supports PostgreSQL
  • Stand Alone install easily grows with your requirements (users and applications)
  • Integrated install is a black-box install and is generally faster to deploy than the standalone install. The Stand Alone install requires Tomcat pre-installed and a separate database, while the integrated install includes Tomcat, Java and a PostgreSQL database
  • Integrated installer is only recommended for TrueSight applications
  • Both the Stand Alone install and the integrated install have failover capabilities, but Oracle's and MSSQL's failover and load balancing are considered more advanced than PostgreSQL's

 

 

In the following section we'll look at installing both the Stand Alone RSSO Install and the Integrated RSSO install.

 

STAND ALONE INSTALL

 

Things to know before running the installation: it is recommended to install RSSO on its own server in a production environment. During the install you will be asked for:

  • Database server name (IP)
  • Admin user for the database, either system or sa. This is used at install time only, since the installer needs to create the RSSO_USER database user and its tables. If you do not have access to the admin user account you can pre-create the database (see Manually configure database for Remedy SSO). If at all possible, it is better to let the installer create the RSSO_USER database user and the tables.
  • Apache Tomcat install location (you need to have installed and configured Tomcat before running the installation: the latest stable version of Tomcat 7.x, but 8.x and above is recommended). It is advisable to have Tomcat using SSL; see the attached PPT "ConfiguringRSSOforHTTPS.pptx".
  • If you are going to use a load balancer for RSSO, confirm the LB URL with the LB administrators

 

Stand Alone Install Walk Through (Screen shots where needed)

 

Run the installer from BMCRemedySSO-9.1.03.001

 

1. EULA - Read and click agree

 

2. Location where you want the RSSO server files installed

 

3. Select "Install BMC Remedy Single-Sign-on 9.1.03.001"

 

4. Location of Tomcat Webserver (Which should have been installed and configured already)

5. Database connection details

 

6. Database user name. Here you have the option of using an admin account to create the RSSO_USER database user, or of using an existing user, which should have been created and configured in advance (see Manually configure database for Remedy SSO). The admin user, in this case "sa", is used only during the install phase to create the RSSO_USER account and tables. Supply the RSSO_USER database user password (note this is the DB user, not the admin user used to log in to the RSSO admin console).

 

 

7. Cookie domain name. This is picked up automatically from the server's FQDN. If it is incorrect, check whether there are multiple NICs on the server and confirm which NIC should really be in use. RSSO relies on domain names to function correctly, as they are used to verify client calls and to create sessions and tokens (the cookie domain can be changed after installation).

 

 

8. Install summary. Click "Installed" to continue.

 

Where to specify the ports?

The installer uses the ports configured in Tomcat. The default Tomcat ports are 8080 for HTTP and 8443 for HTTPS.

 

Warnings and errors during the install: if the installer finishes with a warning, this is generally OK (the warning is likely to be Tomcat taking a little longer to start up).

If you get any errors with this install and it fails, open a support case with BMC Support (Atrium CMDB team) and attach the install logs, which can be found in %temp% (Windows) or /tmp (Linux).

 

 

Integrated RSSO Install Walk Through (Screen shots where needed)

 

Run the installer from Remedy_Single_Sign-On_for_TrueSight_Version_11.0

 

1. EULA - Read and click agree

 

2.  Location where you want the RSSO server files installed

3. Database information. The installer will install PostgreSQL locally, or you have the option to connect to an external PostgreSQL database

4. Enter the PostgreSQL database details: passwords for the postgres admin user and the rsso_user database user

5. Enter the HTTPS and HTTP ports for the Tomcat web server. If selecting another port, run "netstat -an" to ensure the port is not in use. Default HTTP 88, default HTTPS 448

 

 

6. Cookie domain name. This is picked up automatically from the server's FQDN. If it is incorrect, check whether there are multiple NICs on the server and confirm which NIC should really be in use. RSSO relies on domain names to function correctly, as they are used to verify client calls and to create sessions and tokens (the cookie domain can be changed after installation).

 

 

7. Install summary. Click "Installed" to continue.

 

Warnings and errors during the install: if the installer finishes with a warning, this is generally OK (the warning is likely to be Tomcat taking a little longer to start up).

If you get any errors with this install and it fails, open a support case with BMC Support (TrueSight team) and attach the install logs, which can be found in %temp% (Windows) or /tmp (Linux).

 

 

Verifying RSSO Server Installation

 

Once the install is done, run through the following process to verify the installation.

 

Windows OS: For the Stand Alone install, check that the Tomcat server is running. For the integrated install, check that the following service is configured and running: "BMC Remedy Single Sign-On Server"

 

Linux OS: Check that the Tomcat process is running with "ps -ef | grep tomcat"

 

Log in to the RSSO web admin console at https://rssoserver.fqdn.com/rsso/admin/# . The default user name and password are:

User: Admin

Password: RSSO#Admin#

You can change the default password in the RSSO Admin console. Check that the TrueSight default users and group have been created on the "Local User Management" tab of the RSSO Admin console.

 

 

Installing TrueSight 11.00 walkthrough (only SSO-related screenshots shown)

 

The first TrueSight component that needs to be installed is the Presentation Server (TSOM). Things to know before running the installation:

  • RSSO server Fully Qualified domain name
  • RSSO Tomcat port HTTP or HTTPS
  • If RSSO Tomcat is running HTTPS, copy the Tomcat server certificate to the machine where TSOM will be installed (during the install you will import this if the RSSO server is a standalone install)

 

If RSSO was installed with the RSSO integrated installer, you don't necessarily need to import the server certificate during the installation; you can do this after the install (see the "Importing RSSO server certificates after install" section below).

 

Presentation Server install (TSOM)

 

Run the installer TrueSight_Presentation_Server_11.0.00

 

1. EULA - Read and click agree

 

2. Ensure the FQDN of the server is filled out (not the short name). RSSO relies on domain names to function correctly, as they are used to verify client calls and to create sessions and tokens.

3. Enter the FQDN of the RSSO server and the port Tomcat is running on. HTTPS is recommended (see the attached PPT "ConfiguringRSSOforHTTPS.pptx"). Enter the RSSO admin user password; the default is RSSO#Admin#. You will be asked if you want to import the RSSO SSL certificate. If you have the RSSO server certificate, click "yes" and browse to it; it is recommended to do the import here so you won't have to do it manually later. If you are running RSSO with the integrated install and have not signed the RSSO server SSL certificate, you can choose no, since the default server certificate is installed with TSOM. You can install the RSSO server certificate manually after the install (see the "Importing RSSO server certificates after install" section below).

 

4. Review installation summary and install

 

 

Importing RSSO server certificates after install

If the RSSO server certificate was not imported during the install, it must be imported manually afterwards. The following steps use the keytool utility to import the RSSO server certificate into the TSOM truststore.

 

Set the following environment variables

 

#Microsoft Windows

set PATH=<Presentation Server Installation Directory>\truesightpserver\modules\jre\bin;%PATH%

#Unix

export PATH=<Presentation Server Installation Directory>/truesightpserver/modules/jre/bin:$PATH

 

1. Obtain the RSSO server certificate and place it in the \truesightpserver\modules\jre\lib\security directory

2. Back up the TSOM truststore file \truesightpserver\modules\jre\lib\security\cacerts

3. Open a command prompt and cd to the \truesightpserver\modules\jre\lib\security directory

4. Run the following keytool command

     keytool -import -alias remedysso -file rssoservercert.cer -keystore cacerts -storepass changeit

A message saying "Trust this certificate? [no]: " will appear; type "Yes".

When the certificate has been imported successfully, a message saying "Certificate was added to keystore" will be displayed.

5. To confirm the certificate was imported correctly, run the following keytool command

  keytool -list -keystore cacerts -storetype JKS -storepass changeit -alias remedysso

The result of the keytool list command should be similar to

 


6. Restart the TSOM service

 

 

Infrastructure Manager Server install (TSIM)

 

Run the installer TrueSight_Infra_Mgmt_11.0_CoreComponents

 

The Infrastructure Manager installer will not ask for information about RSSO; this information is stored on the TSOM server, where TSIM will be registered as a component. There is a section in the TSIM install where the installer asks you to "Confirm your localhost Fully Qualified Domain Name (FQDN)"; ensure the FQDN is used and not the short DNS name.

 

 

Logging into TSOM

 

1. Open a browser and enter the URL for TSOM

2. The browser will redirect you to RSSO with a final URL of something like

     https://RSSOSERVER.bmc.com:448/rsso/start?goto=https%3A%2F%2FTSOMSERVER.bmc.com%3A444%2F&tenant=*@*

     This is expected and working as designed.

3. Log in with the default TS admin user account. The default is

     User: admin

    Password: admin12345

4. Once logged in successfully you will see the TSOM default page

5. Open the RSSO admin console in a new tab and log in with the RSSO Admin user. The default is

     User: Admin

     Password: RSSO#Admin#

6. On the RSSO admin console go to the session tab; you should see the admin user listed in the sessions list
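
A preflight check for the redirect described above, as an added example (not BMC code): it decodes the goto parameter and flags short host names, non-HTTPS URLs and an RSSO host that falls outside the configured cookie domain. The host names and function names are constructed for illustration, and the cookie-domain test is the standard RFC 6265 domain-match rule, assumed here to apply to the RSSO session cookie.

```python
from urllib.parse import urlsplit, parse_qs

def domain_matches(host, cookie_domain):
    """RFC 6265 domain-match: host equals the domain or is a subdomain of it."""
    host, dom = host.lower().rstrip("."), cookie_domain.lower().strip(".")
    return host == dom or host.endswith("." + dom)

def check_redirect(final_url, cookie_domain, expected_app_host):
    """Return a list of problems found in an RSSO login redirect URL."""
    problems = []
    rsso = urlsplit(final_url)
    rsso_host = rsso.hostname or ""
    if rsso.scheme != "https":
        problems.append("RSSO login page is not served over HTTPS")
    if "." not in rsso_host:
        problems.append(f"RSSO host '{rsso_host}' is a short name, not an FQDN")
    elif not domain_matches(rsso_host, cookie_domain):
        problems.append(f"RSSO host '{rsso_host}' is outside cookie domain '{cookie_domain}'")
    # parse_qs percent-decodes the goto value (https%3A%2F%2F... -> https://...).
    goto_values = parse_qs(rsso.query).get("goto", [])
    if len(goto_values) != 1:
        problems.append("expected exactly one goto parameter")
        return problems
    app = urlsplit(goto_values[0])
    if app.scheme != "https":
        problems.append("goto target is not HTTPS")
    if (app.hostname or "") != expected_app_host.lower():
        problems.append(f"goto points at '{app.hostname}', expected '{expected_app_host}'")
    return problems

# Constructed sample URLs in the shape shown on this page (hosts are placeholders).
GOOD_URL = ("https://rssoserver.example.com:448/rsso/start"
            "?goto=https%3A%2F%2Ftsomserver.example.com%3A444%2F&tenant=*@*")
SHORT_URL = ("http://rssoserver:88/rsso/start"
             "?goto=https%3A%2F%2Ftsomserver%3A444%2F&tenant=*@*")

if __name__ == "__main__":
    for url in (GOOD_URL, SHORT_URL):
        print(check_redirect(url, "example.com", "tsomserver.example.com") or "ok")
```
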

Logging into TSIM

 

You won't be able to log in to TSIM until you have registered the TSIM server as a component in TSOM.

 

1. Open a browser and enter the URL for TSIM

2. You will be asked to enter your application domain. With the out-of-the-box configuration use " * " (you will configure this to your domain name at a later stage)

3. The browser will redirect you to RSSO with a final URL of something like

     https://RSSOSERVER.bmc.com:448/rsso/start?goto=https%3A%2F%2FTSIMSERVER.bmc.com%3A444%2F&tenant=*@*

     This is expected and working as designed.

4. Log in with the default TS admin user account. The default is

     User: admin

     Password: admin12345

If you have installed RSSO with the integrated install, you will now be able to log in to TSIM.

5. Once logged in successfully you will see the TSIM default page

6. On the RSSO admin console go to the session tab; you should see the admin user listed in the sessions list

 

If you have installed RSSO as a stand alone server and try to log in to TSIM, you will see the following error

This is because the TSOM server certificate is not in the TSIM keystore. To resolve this you will need to import the TSOM certificate into the TSIM keystore.

 

Before doing the import, add jre/bin to the PATH environment variable

 

#Microsoft Windows

set PATH=<Infrastructure Management Server Installation Directory>\pw\jre\bin;%PATH%

#Unix

export PATH=<Infrastructure Management Server Installation Directory>/pw/jre/bin:$PATH

 

Importing TSOM Certificate into TSIM Keystore

 

The following procedure uses the java keytool utility to import the TSOM server certificate into the TSIM keystore.

 

Obtain the TSOM server certificate and place it on the TSIM server in the \BMC Software\TrueSight\pw\pronto\conf directory

1. Back up the pnserver.ks file from the \BMC Software\TrueSight\pw\pronto\conf directory

2. Open a command prompt and go to the \BMC Software\TrueSight\pw\pronto\conf directory

3. Run the following command to see which certificates are in the pnserver.ks keystore

keytool -list -keystore pnserver.ks -storetype JKS -storepass get2net

This will list the certificates in the keystore.

If the keytool list command output returns an entry similar to

 

truesightserver, Oct 12, 2017, trustedCertEntry,
Certificate fingerprint (SHA1): 63:DC:89:F1:87:C1:87:2F:F8:85:6B:7E:B4:F6:1F:76:30:1D:D3:5E

 

This means the truesightserver certificate from TSOM is already in the keystore. Out of the box with TSOM 11.00 the certificate is not there. If the certificate is there, there is no need to import it again, unless you are getting the "Initialization of connection is in progress, or the connectivity was lost between the Infrastructure Management Server and the Presentation Server" error when logging in to TSIM. In that case you will need to delete the certificate first by running the following keytool command

keytool.exe -delete -alias truesightserver -keystore pnserver.ks -storepass get2net

 

4. Run the following keytool command to import the TSOM certificate into the TSIM keystore

 

keytool -importcert -trustcacerts -alias truesightserver -keystore pnserver.ks -file <TSOM certificate> -storetype JKS -storepass get2net

For example:

keytool -importcert -trustcacerts -alias truesightserver -keystore pnserver.ks -file presentationserver.cer -storetype JKS -storepass get2net

 

A message of  "Trust this certificate? [no]:" will appear, type "yes"

 

If the certificate was imported successfully you will get a "Certificate was added to keystore" message

 

5. If you have the CA root certificate and/or intermediate certificates, they can also be imported into the keystore by running the keytool import command. Give each certificate its own alias, because keytool will not import a certificate under an alias that already exists in the keystore

keytool -importcert -trustcacerts -alias <unique alias> -keystore pnserver.ks -file <CA/intermediate certificate> -storetype JKS -storepass get2net

 

6. Restart the TSIM service.

 

7. The browser will redirect you to RSSO with a final URL of something like

     https://RSSOSERVER.bmc.com:448/rsso/start?goto=https%3A%2F%2FTSIMSERVER.bmc.com%3A444%2F&tenant=*@*

     This is expected and working as designed.

8. Log in with the default TS admin user account. The default is

     User: admin

     Password: admin12345

9. Once logged in successfully you will see the TSIM default page
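
Both keytool procedures above (the remedysso entry in the TSOM truststore and the truesightserver entry in the TSIM keystore) rest on reading `keytool -list` output by eye. The following added example, which is not BMC code, parses that output and compares the stored fingerprint with the certificate file, so a stale entry is told apart from a current one. It assumes the listing prints SHA1 fingerprints as shown on this page; the function names and sample certificate bytes are constructed for illustration.

```python
import base64
import hashlib
import re

def cert_sha1(cert_bytes):
    """SHA-1 fingerprint of a PEM or DER certificate, formatted as keytool prints it."""
    pem = re.search(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----",
                    cert_bytes, re.S)
    der = base64.b64decode(b"".join(pem.group(1).split())) if pem else cert_bytes
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def keystore_fingerprints(listing):
    """Map alias -> fingerprint from `keytool -list` output, joining wrapped lines."""
    entries, alias = {}, None
    for raw in listing.splitlines():
        line = raw.strip()
        if line.endswith("Entry,"):            # "alias, date, trustedCertEntry,"
            alias = line.split(",", 1)[0].strip().lower()  # JKS aliases ignore case
            entries[alias] = ""
        elif alias and "fingerprint" in line:
            entries[alias] = line.split("):", 1)[-1].strip()
        elif alias and re.fullmatch(r"[0-9A-Fa-f:]+", line):
            entries[alias] += line             # wrapped remainder of the fingerprint
    return {a: f.upper().strip(":") for a, f in entries.items()}

def import_action(listing, cert_bytes, alias="truesightserver"):
    """Return 'import' (alias absent), 'replace' (stale entry) or 'ok' (match)."""
    stored = keystore_fingerprints(listing).get(alias.lower())
    if stored is None:
        return "import"     # run keytool -importcert
    if stored != cert_sha1(cert_bytes):
        return "replace"    # run keytool -delete, then keytool -importcert
    return "ok"

# Constructed sample: a listing in the layout shown on this page, and stand-in
# bytes in place of a real certificate file (any bytes hash the same way).
SAMPLE_LISTING = """\
Keystore type: JKS
Your keystore contains 1 entry

truesightserver, Oct 12, 2017, trustedCertEntry,
Certificate fingerprint (SHA1): 63:DC:89:F1:87:C1:87:2F:F8:85:6B:7E:B4:F6:1F:76:
30:1D:D3:5E
"""
SAMPLE_CERT = b"constructed stand-in for certificate bytes"

if __name__ == "__main__":
    print(keystore_fingerprints(SAMPLE_LISTING))
    print(import_action(SAMPLE_LISTING, SAMPLE_CERT))               # replace
    print(import_action(SAMPLE_LISTING, SAMPLE_CERT, "remedysso"))  # import
```
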