        Hi Mike,


        There is a hotfix for the Atrium SSO 7.6.04 SP1 image that resolved a problem with OCSP. You should be able to get the latest hotfix from support which will resolve this issue, plus a few others.






        • 16. Atrium SSO and CAC Integration with ARS

          so, when I use firefox...


          I open the browser and hit the mid-tier address

          the certificate box shows up

          I select my cert

          I enter the pin


          Then it seems the browser is sent into a loop... Firefox shows:


          The page isn't redirecting properly

                    Firefox has detected that the server is redirecting the request for this address in a way that will never complete.

            This problem can sometimes be caused by disabling or refusing to accept



          Looking at the authentication debug log, I see many lines of "Session Valid / Already authenticated" messages

          however in the session debug log, I see many exceptions thrown that are indicating "Invalid Session ID" as the error message.


          It seems contrary to me...

            Hi Mike,


            This type of problem occurs when there is trouble accessing the cookie. The mid-tier and SSO server must be in the same domain that was specified for the cookie domain when Atrium SSO was installed (or a sub-domain of that value). When integrating mid-tier with Atrium SSO, FQDN must be used in the URL parameters. Also, check the agent configuration in the Admin Console to make sure the FQDN Virtual Host Map is correctly mapping from a simple host name to the FQDN.
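The cookie-domain requirement from the reply above can be checked before running the deployer. The following is an added example, not part of the original thread or of BMC's tooling: it tests each URL for an FQDN host that falls inside the cookie domain, and all host names and the cookie domain in it are constructed sample values.

```python
from urllib.parse import urlsplit
import ipaddress


def host_of(url):
    """Return the lower-cased host part of a URL (empty string if none)."""
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def is_fqdn(host):
    """Treat a host as fully qualified if it contains a dot and is not an IP literal."""
    try:
        ipaddress.ip_address(host)
        return False  # an IP literal can never suffix-match a cookie Domain attribute
    except ValueError:
        return "." in host


def in_cookie_domain(host, cookie_domain):
    """RFC 6265 domain-match: host equals the domain or is a sub-domain of it."""
    domain = cookie_domain.lstrip(".").lower()
    return host == domain or host.endswith("." + domain)


def check_urls(cookie_domain, urls):
    """Return {name: [problems]} for each named URL; an empty list means it passes."""
    report = {}
    for name, url in urls.items():
        host, problems = host_of(url), []
        if not is_fqdn(host):
            problems.append("not an FQDN")
        if not in_cookie_domain(host, cookie_domain):
            problems.append("outside cookie domain")
        report[name] = problems
    return report


# Constructed sample values, not taken from the thread.
SAMPLE = {
    "sso": "https://sso01.corp.example.com:8443/atriumsso",
    "midtier-short": "http://midtier01:8080/arsys",
    "midtier-fqdn": "http://midtier01.corp.example.com:8080/arsys",
    "midtier-other": "http://midtier01.lab.example.net:8080/arsys",
}

if __name__ == "__main__":
    for name, problems in check_urls("corp.example.com", SAMPLE).items():
        print(f"{name:15} {'OK' if not problems else ', '.join(problems)}")
```

A URL that fails either test means the browser will not send the SSO session cookie to that host, which is consistent with the redirect loop and the "Invalid Session ID" exceptions reported earlier in the thread.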






            • 18. Atrium SSO and CAC Integration with ARS

              Working on this cookie issue, I went back to square one, checking all the settings for the FQDN. I looked at the command line for the deployer script. It turns out that the --web-app-url did not have the FQDN in it. After calling myself dumb, I uninstalled the agent using the deployer script. I reinstalled the agent after adding the FQDN to the cmd line. It looked like it went successfully. I started the tomcat server, went to the mid-tier page and... BMCSSG1323I: Agent installation not detected. NOOOOOOOOO! I broke it! Damn! Would there happen to be a secret debug switch for the deployer?


              Some of the things I have done...


              Stopped the service

              uninstalled again

              got rid of the atsso lck and tmp files

              renamed the atsso directory (it was recreated on the next install attempt)


              no love...


              So any thoughts on my step backwards?

              • 19. Atrium SSO and CAC Integration with ARS

                Did you remember to fix the --container-type error that you previously encountered?


                It should be --container-type tomcatv6

                • 20. Atrium SSO and CAC Integration with ARS

                  Yep, I applied all my prior "lessons learned" from my SSO journey. I've been documenting as I go. The only thing I changed was to add the rest of the domain to the --web-app-url switch.


                  Uninstalling everything and starting over is beginning to sound good.

                    Hi Mike,


                    If the deployer execution finished without any error messages then the integration with the SSO server was successful. If there were any troubles, the simplest cleanup is to simply delete the atssoAgents folder from tomcat and the agent configuration in the admin console.


                    This error message means the agent in the mid-tier isn’t able to find the atssoAgents which should be in the tomcat folder (a sibling directory to bin, conf, logs, etc.). The location is taken from the --container-base-dir parameter.


                    There should be an atsso.log.* file in the tomcat temp directory which contains additional information about where the agent was looking.




                    • 22. Atrium SSO and CAC Integration with ARS

                      Adam, When you say "Agent configuration from the admin console" do you mean the SSO admin console ->BMCRealm ->Agents tab?


                      If so, that's interesting because I have not since starting this project seen anything configured in that area.


                      Is this one of the missing pieces? I don't recall seeing anything in the admin guide about this tab.

                      • 23. Atrium SSO and CAC Integration with ARS

                        We are so close to making this work I can taste it...


                        Last night, I uninstalled the SSO server and the mid-tier as well. A fresh start.


                        I installed the SSO server 7.6.04 SP1 and applied the latest patch.

                        I performed the configurations according to the latest documentation

                        I installed the mid-tier and chose the SSO integration option during the installer. That didn't go as smoothly as hoped.

                        Looking at the post install log, the deployer failed to run because it threw an exception. Ok, no problem. I ran the deployer manually. Success.


                        Now, to be sure that everything was where it should be, I went through the integration guide again for the mid-tier to SSO manual instructions. The only thing that was wrong was that the filter and filter mapping in the web.xml file were still commented out. Maybe this is due to the deployer installation failure. No problem. I fixed the file.


                        Restarted SSO tomcat service

                        Restarted Mid-tier tomcat service

                        Waited patiently for a few minutes

                        Opened my browser and went to the mid-tier URL

                        It asked for my cert and pin

                        and redirected me into the mid-tier - wow...

                        I'm presented with [ARERR 623] Authentication failed


                        I think (hope) this is the last hurdle

                          Shrihari Salem

                          Hi Mike,


                          The Agent configuration can be found under the Top Level Realm -> Agents -> J2EE

                          You can then check the FQDN under it to resolve the looping issue.




                          • 25. Atrium SSO and CAC Integration with ARS



                            There are no agents configured under J2EE. Is this normal?

                              Shrihari Salem

                              No Mike, if you have integrated your product with SSO then the agent should be present.

                              Did you check for it in the Top Level Realm?

                              • 27. Atrium SSO and CAC Integration with ARS



                                Striking forward with reckless abandon, I created an agent entry under J2EE with what seemed to be the correct values.


                                It worked. Thanks all around to Jim, Adam and Shrihari for helping me (an SSO first timer) through this.


                                I was magically transported into the mid-tier and placed at the IT Homepage.


                                I will post a followup message today with all the steps and lessons learned for the good of the community.




                                • 28. Atrium SSO and CAC Integration with ARS

                                  Shrihari, I did not check the top level realm. Looking in there now shows a J2EE agent. However until I put the agent in the BMCRealm, it didn't work. Configuration/Setup bug with the installer maybe?

                                    Wow, that was a painful exercise. Keep up the good work!