There may be instances where you need to point RSSO-enabled applications to a new or test RSSO server. These applications include Remedy AR Server/Midtier, TrueSight, BMC Atrium Orchestrator and BMC Discovery (ADDM).
When would I need to do this?
There may be instances where you need to point an already integrated application to a new RSSO server. Some of the reasons include:
- Decommissioning an old environment where an RSSO server is installed
- Troubleshooting: authentication is not working as expected in one environment and you want to spin up a new RSSO server to see whether the same problem occurs there
- Upgrading the RSSO web server (Tomcat): you have tested the upgraded server, all is working as expected and you want to point the agents to it
- Server/domain name changes, where RSSO was initially installed on a particular FQDN and there is a requirement to change the cookie domain and/or the server FQDN
- You need to quickly test new authentication methods in RSSO
- You need to test a new RSSO configuration without reinstalling or re-running the application integrations, and without making any changes to a working RSSO system
Each RSSO-enabled application has its own method of pointing to a new RSSO server. The goal here is to make the process as efficient as possible, with minimal downtime for the application itself. Applications that do not use the internal RSSO user store, such as Remedy Midtier and MyIT, are relatively easy to repoint. Others, such as BOA and TrueSight, need extra work, because their internal users (for example bppmws_internal and service_admin for TrueSight) may not exist in the new Remedy SSO and will need to be created.
To carry out any of these procedures, the agent application must already have been integrated with RSSO, and the new RSSO server must be the same version as the one the application is integrated with. You will need to have installed the new RSSO server that you want to point the applications to. Make sure you can ping and telnet to the new RSSO server from the application host: telnet to the HTTP or HTTPS port of the new RSSO server using its fully qualified domain name.
ping newrssoserver.domain.com e.g. ping rssolb.bmc.com
telnet newrssoserver.domain.com <port> e.g. telnet rssolb.bmc.com 8443
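The same pre-check, as an added example that is not part of the original post: it resolves the new RSSO server's FQDN and opens a TCP connection to the RSSO port, reporting a DNS failure separately from a blocked port, since the two have different fixes. The host names and ports are constructed, and demo_local() runs the check against a throwaway loopback listener so the behaviour can be seen without a real RSSO server.

```python
"""Pre-cutover reachability check for a new RSSO server (added example)."""
import socket
import threading


def check_endpoint(host, port, timeout=3.0):
    """Return a dict describing DNS resolution and TCP connectivity for host:port."""
    result = {"host": host, "port": port, "resolved": None,
              "reachable": False, "error": None}
    try:
        # Resolve the FQDN first so a DNS problem is reported on its own,
        # rather than being mixed up with a firewall/port problem.
        addr = socket.gethostbyname(host)
        result["resolved"] = addr
    except socket.gaierror as exc:
        result["error"] = f"DNS: {exc}"
        return result
    try:
        # Plain TCP connect, which is what the telnet pre-check verifies.
        with socket.create_connection((addr, port), timeout=timeout):
            result["reachable"] = True
    except OSError as exc:
        result["error"] = f"TCP: {exc}"
    return result


def demo_local():
    """Exercise check_endpoint against a temporary listener on 127.0.0.1.

    Returns (reachable_while_listening, reachable_after_close); in real use
    you would call check_endpoint("rssolb.bmc.com", 8443) instead.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]

    def _accept_one():
        try:
            conn, _ = listener.accept()
            conn.close()
        except OSError:
            pass

    worker = threading.Thread(target=_accept_one, daemon=True)
    worker.start()
    up = check_endpoint("127.0.0.1", port)["reachable"]
    listener.close()
    worker.join(timeout=2)
    down = check_endpoint("127.0.0.1", port)["reachable"]
    return up, down


if __name__ == "__main__":
    print(demo_local())                          # (True, False)
    print(check_endpoint("rssolb.bmc.com", 8443))  # real check, needs network
```

A reachable port only proves the network path; the application still needs to trust the server's certificate when the service URL is HTTPS, which is covered in the TrueSight section below.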
Example in this Blog
In this blog we are going to point our applications from a single-server RSSO system to a load-balanced RSSO environment.
Single server: https://clm-pun-028217.bmc.com:8443/rsso
Remedy Midtier & Remedy AR Server
Pointing AR Server and Midtier to a new RSSO server is relatively easy. Once the new RSSO server is up and running, there are just two configuration files that need changing:
On the AR server: <AR_SERVER_INSTALL_PATH>\ARSystem\Conf\rsso.cfg
On the Midtier: <MIDTIER_INSTALL_PATH>\WEB-INF\classes\rsso-agent.properties
Both files hold the RSSO service URL, and the Midtier's rsso-agent.properties file also holds the SSO external URL (the user-facing URL); for more information on what these URLs are for, see the RSSO Agent docs page. These URLs need to be changed to point to the new RSSO server.
AR rsso.cfg file: it is recommended that you back up this file before making any changes to it.
Edit the rsso.cfg file in a text editor. If you intend to be able to switch quickly from the new server back to the old one, just comment out the existing SSO-SERVICE-URL parameter rather than deleting it.
The previous setting is commented out and the new entry added directly beneath it; only the relevant part of rsso.cfg is shown below.
# RSSO internal url - HTTP url to RSSO. Use HTTP instead of HTTPS protocol to avoid problems with handshake.
# uncomment the line below if you find the issue that RSSO authenticated users have no groups because of a bug in some old AR versions (e.g. AR 8.0/8.1)
# AR-USER-GROUPS-FIX: true
After making the changes, restart the AR Server service.
Midtier rsso-agent.properties file: it is recommended that you back up this file before making any changes to it.
Edit the rsso-agent.properties file in a text editor. If you intend to be able to switch quickly from the new server back to the old one, just comment out the existing sso-service-url and sso-external-url parameters rather than deleting them (the whole file is not listed here, only the parts that need changing).
# If this property set to true the application context name will not be excluded for checking excluded url pattern
# RSSO webapp external url for redirection
# To support multiple RSSO webapps, set the value to a comma separated string: each represents a 'domain to server url' mapping, with the format of <domain>:<url>, e.g. domain1:https://server1:8443/rsso,domain2:https://server2:8443/rsso
# RSSO webapp internal url for service call. Use HTTP instead of HTTPS protocol to avoid problems with handshake.
# To support multiple RSSO webapps, set the value to a comma separated string, each represents a 'domain to server url' mapping, with the format of <domain>:<url>, e.g. domain1:http://server1:8080/rsso,domain2:http://server2:8080/rsso
If your internal sso-service-url and external sso-external-url differ, make sure both are updated correctly.
Restart the Midtier Tomcat service.
To verify that this works, go to the Midtier URL and try to log in. Then open the RSSO admin console of the new RSSO server and go to the "Sessions" tab; you should see the user listed there.
To back out the changes, either replace the changed files with the backup copies or comment out the new entries and uncomment the original ones, then restart the services.
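The edit-with-backup and back-out steps above, automated as an added example (not the post's or BMC's own tooling). It handles both files generically: it backs the file up, comments out the active line for a key, writes the new value directly beneath it, and restores the backup to roll back. Assumed formats: rsso.cfg uses "KEY: value" lines (as the AR-USER-GROUPS-FIX line suggests) and rsso-agent.properties uses Java "key=value" lines. The sample file contents, the HTTP port and the new server name are constructed.

```python
"""Repoint RSSO agent configuration files with backup and rollback (added example)."""
import re
import shutil
import tempfile
from pathlib import Path

# Constructed excerpt of an AR server rsso.cfg pointing at the old single server
SAMPLE_RSSO_CFG = """# RSSO internal url - HTTP url to RSSO.
SSO-SERVICE-URL: http://clm-pun-028217.bmc.com:8080/rsso
# AR-USER-GROUPS-FIX: true
"""

# Constructed excerpt of a Mid Tier rsso-agent.properties (same old server)
SAMPLE_AGENT_PROPERTIES = """# RSSO webapp external url for redirection
sso-external-url=https://clm-pun-028217.bmc.com:8443/rsso
# RSSO webapp internal url for service call.
sso-service-url=http://clm-pun-028217.bmc.com:8080/rsso
"""


def repoint(text, key, new_value, sep):
    """Comment out the active `key` line and insert `key<sep>new_value` after it.

    Lines that are already comments are left alone, so earlier cut-overs stay
    visible as history. If the key has no active line, the new line is appended.
    """
    pattern = re.compile(r"^\s*" + re.escape(key) + r"\s*" + re.escape(sep.strip()))
    out, replaced = [], False
    for line in text.splitlines():
        if not replaced and not line.lstrip().startswith("#") and pattern.match(line):
            out.append("# " + line)  # old value kept for a quick back-out
            out.append(f"{key}{sep}{new_value}")
            replaced = True
        else:
            out.append(line)
    if not replaced:
        out.append(f"{key}{sep}{new_value}")
    return "\n".join(out) + "\n"


def repoint_file(path, changes, sep):
    """Back up `path` to `<name>.bak` (an existing backup is kept) and apply
    the {key: new_value} changes in place. Returns the backup path."""
    path = Path(path)
    backup = path.with_name(path.name + ".bak")
    if not backup.exists():
        shutil.copy2(path, backup)
    text = path.read_text(encoding="utf-8")
    for key, value in changes.items():
        text = repoint(text, key, value, sep)
    path.write_text(text, encoding="utf-8")
    return backup


def back_out(path):
    """Rollback: copy the .bak file over the edited file (then restart the service)."""
    path = Path(path)
    shutil.copy2(path.with_name(path.name + ".bak"), path)


def demo_roundtrip():
    """Apply the cut-over to the sample files in a temp dir, then back out rsso.cfg.

    Returns (edited_cfg, edited_properties, restored_cfg) for inspection.
    """
    workdir = Path(tempfile.mkdtemp())
    cfg = workdir / "rsso.cfg"
    props = workdir / "rsso-agent.properties"
    cfg.write_text(SAMPLE_RSSO_CFG, encoding="utf-8")
    props.write_text(SAMPLE_AGENT_PROPERTIES, encoding="utf-8")

    # New load-balanced server name is constructed for the example.
    repoint_file(cfg, {"SSO-SERVICE-URL": "http://rssolb.bmc.com:8080/rsso"}, ": ")
    repoint_file(props, {
        "sso-service-url": "http://rssolb.bmc.com:8080/rsso",
        "sso-external-url": "https://rssolb.bmc.com:8443/rsso",
    }, "=")
    edited_cfg = cfg.read_text(encoding="utf-8")
    edited_props = props.read_text(encoding="utf-8")

    back_out(cfg)  # prove the backup restores the original content
    restored_cfg = cfg.read_text(encoding="utf-8")
    shutil.rmtree(workdir, ignore_errors=True)
    return edited_cfg, edited_props, restored_cfg


if __name__ == "__main__":
    for block in demo_roundtrip():
        print(block)
```

Running it against the real files is a matter of calling repoint_file with the AR and Midtier paths given above; the service restarts remain a manual step either way, since the agent only reads the file at startup.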
BMC TrueSight (TSOM)
To point TSOM to a new RSSO server there are a few steps to go through:
- Export and import users & groups from the source RSSO server to the new target RSSO server
- Import the new RSSO server certificate into the TSOM trust store
- Run the tssh command on the TSOM server to point to the new RSSO server
Exporting & Importing users & groups
The internal RSSO users can be exported from the source RSSO server's database: export the entries from the "LocalUser", "Role" and "RoleLocalUser" tables on the source RSSO server.
The quickest way to do this is to ask the database admins to export the entries from these tables on the source RSSO server and import them into the new target RSSO server. If you have access to the database yourself, you can run the attached DefaultTSOMUsers&GroupsMSSQL.sql file (for MSSQL Server); it contains the default users and groups that are initially created by the TSOM installer. LDAP users and groups will not be in the RSSO database, as that user store is external. Once the users and groups have been imported, log in to the RSSO admin console and confirm that the users and roles are listed in the "Local User Management" tab.
Importing the new RSSO Certificate in to TSOM
If both RSSO and TSPS use SSL (HTTPS), the new RSSO server certificate needs to be imported into the TSOM truststore. The TSOM default truststore "cacerts" can be found on the TSOM server in "\BMC Software\TrueSightPServer\truesightpserver\modules\jre\lib\security"; the password is "changeit".
Once you have the RSSO server certificate, you can use a tool such as KeyStore Explorer to import it into the truststore, or use the Java keytool command below from the command line.
If Java is not in the system path, you will need to use the full path to the keytool command, e.g. "\Java\jre1.8.0_141\bin\keytool.exe".
keytool -importcert -alias <*Give a Friendly Alias Name> -keystore cacerts -storepass changeit -file <path to RSSO server certificate>
*The alias can be any name, but normally it is one that identifies either what the certificate is or the server it comes from.
keytool -importcert -alias rssolb -keystore cacerts -storepass changeit -file rssolb.cer
You will be asked "Trust this certificate?"; type "Yes". If the import is successful, the message "Certificate was added to keystore" is shown.
TSSH Command to point to new RSSO Server
The final part of pointing TSOM to the new RSSO server is to set the "bmc.sso.servername" property using the tssh command on the TSOM server. Assuming the ports and passwords are the same on the new target RSSO server as on the old source RSSO server, you only need to change the "bmc.sso.servername" property. If other properties differ, change them as well using the tssh command before restarting the TSOM server.
tssh properties set <Property> <New value>
Follow these steps to change the TSOM RSSO properties (in this instance only the server name will be changed):
- Open a command prompt and cd into "\BMC Software\TrueSightPServer\truesightpserver\bin"
- Run "tssh properties set bmc.sso.servername <new server FQDN>", e.g. "tssh properties set bmc.sso.servername rssolb.bmc.com"
- If other properties need changing, do so with "tssh properties set <property.name> <New Value>"
- Check the changed properties by running "tssh properties list"
- tssh server stop
- tssh server start
Once the TSOM server has fully restarted, open a browser and go to the TSOM URL; you should be redirected to the new RSSO server for authentication. If you have already configured an authentication method in RSSO, you should be able to log in. You can add local authentication to RSSO and log in with the default TSOM admin account and password (admin/admin12345), then confirm the session in the "Sessions" tab of the RSSO admin console.