Applicable to ENA v18.0 P04 and ENA v17.0 P12 upwards. If you are using an earlier version of ENA, please see this article.
To configure an Entuity server for RSSO
RSSO client version and RSSO server version compatibility
To normalize usernames reported by the RSSO integration
To map multiple groups to the all users group or admin group
To configure RSSO for OAuth2 authentication
To exclude JavaScript from the RSSO agent
Known issue with Remote Terminal SSH
Entuity integrates with BMC Remedy Single Sign On (RSSO), which enables you to sign in to Entuity and all BMC products that use the RSSO with a single login.
Note, when Entuity is configured for external authentication, you will need to add the following to the [lcm] section in entuity.cfg, in order to resolve the error 'No permission to execute this task' when running Config Mgmt. The specified user must be a member of the local admins group:
[lcm]
defaultAdminUser=newAdmin
RSSO client version and RSSO server version compatibility:
Entuity is supplied with the RSSO client version 20.02.00. Your RSSO client version should not be greater than the RSSO server version. Please contact Entuity support if your RSSO server version is less than 20.x in order to obtain a compatible RSSO client.
To configure an Entuity server for RSSO:
You must be a member of the Administrators user group to configure an Entuity server for RSSO. Note, all remote servers must also be configured for RSSO for consolidation to work correctly.
entuity_home/lib/TomCat/logs/directory
Step 1
- In the Main Menu, click Administration. This will open the Administration page.
- Click and open the Account Management page.
- Create the user groups that match the groups of the users you want to import from the RSSO. Please note, a user's group membership should be configured by an administrator on the RSSO server.
Step 2
- Make a copy of <ENTUITY_HOME>/integ/RSSO/TEMPLATE.rsso-agent.properties, and remove TEMPLATE from the name.
Step 3
- Edit the rsso-agent.properties file and change the values of the variables to suit your environment. In particular, make sure the following variables reflect your environment:
- agent-id: a unique identifier for the Entuity installation. Usually the URL of the Entuity installation.
- sso-external-url: the RSSO's URL for login redirection. Note, you must use a fully qualified domain name.
- sso-service-url: the RSSO's URL for service calls. Note, you must use a fully qualified domain name.
- cookie_name: the name of the cookie as configured on the RSSO server General --> Advanced section.
- admin_group: the RSSO group to map to Entuity's Administrators group, or blank if no mapping is required.
- all_users_group: the RSSO group to map to Entuity's All Users group, or blank if no mapping is required.
- api_realm: the realm to use for RESTful API calls.
- msp-deployment: set to true if you have multiple realms configured in your RSSO server.
- msp-always-show-domain-entry-page: set to true to prompt the user for a realm when logging in.
- Leave the following fields unchanged, or commented out:
- context-included
- logout-urls
- excluded-url-pattern
- token-status-cache-timeout
- skip-filter
- preauth-type
- action-path-mask
- redirect-mode
Step 4
- Run the setup script in the following directory, depending on your OS. This will copy the rsso-agent.properties file to the correct place in the Entuity installation.
- Windows - setup.bat
- Linux - setup.sh
Step 5
- Restart the Entuity server, i.e. run stopeye, wait for the installation to shut down, and then run starteye.
To normalize usernames reported by the RSSO integration:
Usernames reported by RSSO include additional long numeric IDs. In Entuity, you can normalize usernames so that they are stripped of excessive information to make them more user-friendly and to ensure that they fit within display limits.
- Navigate to the TEMPLATE.rsso-agent.properties file.
- At the bottom of the file, in the section:
whether to perform specific user-name and realm normalization
If true
- the numeric id in the username of the form <user-name>.<numericId> will be removed
- the realm of the form <domain>@<domain> will be simplified to just <domain>
normalize_user_name=false
change the line:
normalize_user_names=false
to
normalize_user_names=true
- Re-run setup.bat or setup.sh, depending on your platform.
To map multiple groups to the all users group or admin group:
You can map multiple RSSO groups to the all_users_group or admin_group in the rsso-agent.properties file.
To specify more than one RSSO group, use a comma-separated list, e.g.:
all_users_group=group1, group2, group 3
To specify all RSSO users, use a *, e.g.:
all_users_group=*
To configure RSSO for OAuth2 authentication:
Entuity supports OAuth2 authentication. To configure it, follow these instructions:
- In RSSO, navigate to the OAuth2 tab.
- Click Clients.
- In the Redirect URIs field, include both http and https protocols.
- Copy the oauth-client-id and oauth-client-secret fields that are generated when adding a client on the RSSO server, and add them to the rsso-agent.properties file, e.g.:
#
# OAuth 2 Configuration
#
oauth-client-id=2cf64d45-8a48-481e-b782-7b245a63c113
oauth-client-secret=
You will also need to append |.*\\dwr to the excluded-url-pattern= line.
To exclude JavaScript from the RSSO agent:
The excluded-url-pattern has been updated to include .*\\.js in the RSSO agent properties template file. To add this exclusion:
- On a system integrated with RSSO, navigate to the integ/TEMPLATE.rsso-agent.properties file.
- Copy excluded-url-pattern.
- Add this to the deployed rsso-agent.properties file in the entuity_home/lib/TomCat/webapps/webUI/WEB-INF/classes/ directory.
- Restart Tomcat.
To disable RSSO:
In the integ/RSSO directory, there are two scripts that disable RSSO. These are:
- uninstall.sh
- uninstall.bat
To disable RSSO, you simply run the appropriate script for the platform you are using, with no parameters.
Known issue with Remote Terminal SSH
There is a known issue whereby Remote Terminal SSH does not work when accessing a device on a remote server when RSSO is enabled.
To fix this, users should make a change to the template file integ/RSSO/TEMPLATE.rsso-agent.properties. If you have already enabled RSSO, then you will need to make the same changes to your deployed rsso-agent.properties file on the polling servers in your installation. The change is as follows:
In the file entuity_home/lib/TomCat/webapps/webUI/WEB-INF/classes/rsso-agent.properties, append the following:
|.*/remoteTerminal.*
to the line beginning with:
excluded-url-pattern
e.g.:
excluded-url-pattern=.*\\.xml|.*\\.png|.*\\.css|.*\\.svg|.*\\.dwr|.*\\.rb|.*/rpcServices\\.do|.*/api/.*|.*/servlet/TextAuthServlet.*|.*/oemData|.*/bppmData|.*/logout\\.do|.*/remoteTerminal.*
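Every alternative in excluded-url-pattern is a path that the RSSO agent does not filter, so it is worth checking the line after each edit. The following check is an added example, not part of the Entuity or BMC tooling: it parses a properties excerpt, confirms each alternative compiles, and reports which request paths the pattern covers. The function names and request paths are hypothetical, and whole-path matching with Python's re module is an assumption standing in for the agent's own matching.

```python
import re

# Constructed excerpt; the excluded-url-pattern value is the article's example line.
SAMPLE = r"""
# rsso-agent.properties (constructed excerpt)
all_users_group=*
excluded-url-pattern=.*\\.xml|.*\\.png|.*\\.css|.*\\.svg|.*\\.dwr|.*\\.rb|.*/rpcServices\\.do|.*/api/.*|.*/servlet/TextAuthServlet.*|.*/oemData|.*/bppmData|.*/logout\\.do|.*/remoteTerminal.*
"""

def load_properties(text):
    """Minimal .properties reader: key=value lines and '#'/'!' comments.
    A backslash escape is reduced to the escaped character (simplified:
    unicode and newline escapes are not handled)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = re.sub(r"\\(.)", r"\1", value.strip())
    return props

def check_alternatives(pattern):
    """Compile each '|'-separated alternative and return (ok, broken).
    Assumes no alternative contains a nested '|' (true for the line above)."""
    ok, broken = [], []
    for alt in pattern.split("|"):
        try:
            re.compile(alt)
            ok.append(alt)
        except re.error:
            broken.append(alt)
    return ok, broken

def is_excluded(pattern, path):
    """True if the whole request path matches the exclusion pattern."""
    return re.fullmatch(pattern, path) is not None

def audit(text, paths):
    """Summarise what the exclusion line and group mapping allow."""
    props = load_properties(text)
    pattern = props.get("excluded-url-pattern", "")
    _, broken = check_alternatives(pattern)
    return {
        "broken": broken,  # alternatives that fail to compile
        "excluded": [p for p in paths if not broken and is_excluded(pattern, p)],
        "all_users_wildcard": props.get("all_users_group", "") == "*",
    }
```

A non-empty "broken" list means an appended fragment is not a valid expression, which is worth catching before the agent is restarted.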