Configure service provider

Prerequisite: Preparation.

This section describes how to configure OpenText Application Quality Management's service provider (SP) by completing the Service Provider Settings step.

After completing this step, you can find the SP configuration file in the following repository: {Repository}\sa\DomsInfo\osp\basic.properties.

Properties

In the Service Provider Settings > Properties tab, complete the following configurations:

Field (* Required) Description

*Service Provider Host Name
  • If no proxy or load balancer is used, keep the SP host name the same as the server domain name, because the SP is deployed on the server by default.
  • If a proxy or load balancer is already set for the server, enter the domain name of the proxy or load balancer.

*Service Provider Port
  • If no proxy or load balancer is used, keep the SP port number the same as the server port number.
  • If a proxy or load balancer is already set for the server, enter the port number of the proxy or load balancer. You can find the port number in the server log. For details about how to see SSO logs, see FAQ.

*Service Provider Https Enabled
  • If no proxy or load balancer is used, enable HTTPS for the SP if the server has HTTPS enabled, and disable it if the server does not.
  • If a proxy or load balancer is already set for the server, enable HTTPS for the SP if the proxy or load balancer has HTTPS enabled, and disable it if it does not.

Together, these three values must describe the URL that browsers actually use to reach the server. If they describe an internal node behind a proxy instead, the IdP will address its SAML responses to an endpoint users cannot reach.

*Enable Local Authentication

This option controls whether OpenText Application Quality Management users that are set as local users can still log in locally while SSO mode is enabled.

  • No. Under SSO mode, local authentication is not supported. Only users with real IdP IDs can access the system.
  • Yes. Under SSO mode, local authentication is also supported. Both local users and users with real IdP IDs can access the system.

For details about setting local users, see Update user details.

Note: The My Profile tab provides a shortcut to configure your IdP ID and identity key. See Set up your profile.

*SSO Token Secret

The SSO token secret is a credential shared between OpenText Application Quality Management and its SP; the SP must already hold the same value before this step.

OpenText Application Quality Management must present this credential on every request it sends to its SP for SSO token generation. Treat it like a password: store it only in the SP and the server configuration, and rotate it if it is exposed.


SSO Certificate

The SSO certificate (the SP's key pair) is used to encrypt and decrypt the SAML requests and responses exchanged between the SP and the IdPs.

Overview

You can provide the certificate either by uploading the keystore file or by entering the certificate information manually. After uploading the certificate, you can view its details or upload a different certificate.

Note: For details about how to create an SAML certificate, see FAQ.

Upload a keystore file

To provide your certificate by uploading a keystore file:

  1. Open Service Provider Settings > SSO Certificate.
  2. In the Certificate Submission Type field, select Upload Keystore File.
  3. In the Choose File to Upload field, select the keystore file that contains the certificate.

    Make sure the certificate in the keystore file contains both the private key and the public key.

    The supported keystore types and the corresponding supported file extensions are:

    • JKS: .jks, .ks
    • JCEKS: .jce
    • PKCS12: .p12, .pfx

  4. Enter the keystore and key password.
  5. Enter the alias of the certificate that is used in the keystore file.
  6. Click Save.

Enter certificate information manually

To provide your certificate by entering the certificate information manually:

  1. Click Service Provider Settings > SSO Certificate.
  2. In the Certificate Submission Type field, select Manually Enter.
  3. Enter the keystore and certificate passwords, certificate chain, and private key.
  4. Click Save.

Upload a different certificate

After uploading the certificate, you can view its details or upload a different certificate.

The SSO Certificate tab displays the alias and expiration date of the certificate. To view more details, click the View Certificate link.

To upload a different certificate:

  1. Delete the current certificate.

    Use either of the following methods:

    Delete the certificate using the SSO Configuration wizard:

    1. In the Service Provider Settings > SSO Certificate tab, click Delete.
    2. In the Delete Certificate dialog box, provide the keystore and certificate passwords, and click Delete.
    3. Refresh the page.

    Delete the certificate from the repository:

    Delete the current certificate from the following directory: {Deploy Directory}\ALM\repository\sa\DomsInfo\osp\.

  2. Upload the new certificate.
  3. Restart the server. If the system is deployed in a cluster environment, restart every node.
  4. If you have shared SP metadata with your IdP, obtain the updated SP metadata and share it with your IdP again.


FAQ

Q: How to create an SSO certificate for OpenText Application Quality Management?

A: You can create a self-signed certificate or a certificate signed by a certificate authority (CA), depending on your organization's security policy. OpenText recommends obtaining a certificate from a CA, because the IdP can then validate it through the CA's trust chain instead of having to trust the certificate itself.

If your organization's policy allows it, you can generate a self-signed certificate:

  1. Open a command prompt or terminal and run this command:

    keytool -genkey -keyalg RSA -alias <alias> -keystore selfsigned.jks -validity <days> -keysize 2048

    where <alias> indicates the name for the certificate; <days> indicates the number of days for which the certificate will be valid.

  2. Enter a password for the keystore file. Note down this password as you need it when configuring the server.

  3. When prompted for the first name and last name, enter the domain name of the server.

  4. Enter the other details, such as Organizational Unit, Organization, City, State, and Country.

  5. Confirm that the information entered is correct.

  6. When prompted with "Enter key password for <alias>", press Enter to use the same password as the keystore file password.

  7. Run this command to verify the content of the keystore file:

    keytool -list -v -keystore selfsigned.jks
  8. When prompted, enter the keystore file password.

The keystore you generate is named selfsigned.jks. Do not change its extension. Verify that the "Owner" and "Issuer" lines are the same, which is what identifies the certificate as self-signed. Keep the alias, key password, and keystore file password in a secure place, because you will need them in the SSO Configuration Tool for uploading or deleting the certificate.

If your organization requires high security policies, you can generate a keystore and submit a signing request to a certificate authority (CA).

The following is an example:

  1. Open a command prompt or terminal and run this command to generate a keystore file with a key pair:

    keytool -genkeypair -alias <key alias> -keyalg <alg> -keysize <size> -keystore <keystore file name> -storepass <keystore password> -keypass <key pair password>

    where <key alias> is the alias name for the key entry; <alg> is the key algorithm, normally RSA; <size> is the key size, normally 2048; <keystore file name> is the name of the keystore file to create; <keystore password> is the password for the keystore; <key pair password> is the password for the key pair.

  2. Note down the key password, keystore password, and alias, and keep them secret because they will be used when uploading keystore file in the SSO Configuration Tool.

  3. When prompted, provide accurate information: for First Name and Last Name (the certificate's CN), enter the server domain name, as in the self-signed procedure; then enter Organizational Unit, Organization, City, State, and Country.

  4. Run the following command to verify the keystore:

    keytool -list -v -keystore <keystore file name> -storepass <keystore password>

  5. Run the following command to generate a request.csr file which will be sent to CA:

    keytool -certreq -alias <key alias> -file request.csr -keystore <keystore file name> -storepass <keystore password> -keypass <key pair password>

  6. Submit the generated .CSR file to CA for signing.

  7. Import the signed certificate into keystore.

    CAs return certificates in different formats. The .p7b (PKCS #7) format is recommended, because it bundles the signed certificate together with the intermediate CA certificates that make up its chain.

    Run the following command to import the .p7b file into the keystore:

    keytool -import -trustcacerts -alias <key alias> -file <your .p7b file> -keystore <keystore file name>
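The two FAQ procedures above and the keystore requirements of the upload step (a supported extension, and an alias that holds both the private and public key) can be driven non-interactively. The following script is an added example and is not part of OpenText Application Quality Management or the SSO Configuration Tool; the alias "sso", the password, the host name alm.example.com and the subject fields are assumptions, and the keystore type is taken from the file extension using the mapping the upload step accepts.

```shell
#!/bin/sh
# sso-keystore.sh - keytool helpers for the SSO certificate lifecycle.
# Added example; not part of OpenText Application Quality Management.
# Assumptions: RSA 2048 with SHA-256 signature, one password for both
# keystore and key (as the FAQ procedure does), subject fields below.
set -u

# Map a keystore file extension to the keystore type the SSO wizard accepts.
# Prints the type and returns 0, or returns 1 for an unsupported extension.
keystore_type() {
  case "$1" in
    *.jks|*.ks)  echo JKS ;;
    *.jce)       echo JCEKS ;;
    *.p12|*.pfx) echo PKCS12 ;;
    *)           return 1 ;;
  esac
}

# Generate a self-signed key pair without prompts.
# $1 keystore path, $2 alias, $3 password, $4 SP host name (the CN), $5 validity in days.
gen_selfsigned() {
  ks=$1; alias=$2; pass=$3; host=$4; days=$5
  type=$(keystore_type "$ks") || { echo "unsupported keystore extension: $ks" >&2; return 1; }
  keytool -genkeypair -alias "$alias" -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
    -validity "$days" -keystore "$ks" -storetype "$type" \
    -storepass "$pass" -keypass "$pass" \
    -dname "CN=$host, OU=QA, O=Example Org, L=City, ST=State, C=US"
}

# The upload step needs a PrivateKeyEntry (private + public key) under the alias.
# Returns 1 if the alias is missing or holds only a trusted certificate.
has_private_key() {
  ks=$1; alias=$2; pass=$3
  type=$(keystore_type "$ks") || return 1
  keytool -list -keystore "$ks" -storetype "$type" -storepass "$pass" -alias "$alias" 2>/dev/null \
    | grep -q 'PrivateKeyEntry'
}

# The FAQ's self-signed check: the Owner and Issuer lines must be identical.
is_selfsigned() {
  ks=$1; alias=$2; pass=$3
  type=$(keystore_type "$ks") || return 1
  out=$(keytool -list -v -keystore "$ks" -storetype "$type" -storepass "$pass" -alias "$alias" 2>/dev/null)
  owner=$(printf '%s\n' "$out" | sed -n 's/^Owner: //p' | head -n 1)
  issuer=$(printf '%s\n' "$out" | sed -n 's/^Issuer: //p' | head -n 1)
  [ -n "$owner" ] && [ "$owner" = "$issuer" ]
}

# Write a PEM CSR for the CA. -storepass and -keypass are separate flags.
make_csr() {
  ks=$1; alias=$2; pass=$3; out=$4
  type=$(keystore_type "$ks") || return 1
  keytool -certreq -alias "$alias" -keystore "$ks" -storetype "$type" \
    -storepass "$pass" -keypass "$pass" -file "$out"
}

# Import the CA reply (.p7b or PEM) against the existing key entry. Afterwards
# is_selfsigned fails (Issuer is now the CA) while has_private_key still holds.
import_reply() {
  ks=$1; alias=$2; pass=$3; reply=$4
  type=$(keystore_type "$ks") || return 1
  keytool -importcert -trustcacerts -noprompt -alias "$alias" -file "$reply" \
    -keystore "$ks" -storetype "$type" -storepass "$pass" -keypass "$pass"
}

# Dispatcher so the file can be run directly, e.g.
#   sh sso-keystore.sh gen selfsigned.jks sso 'changeit' alm.example.com 365
#   sh sso-keystore.sh check selfsigned.jks sso 'changeit'
case "${1:-}" in
  gen)    shift; gen_selfsigned "$@" ;;
  check)  shift; has_private_key "$@" && is_selfsigned "$@" && echo "self-signed PrivateKeyEntry OK" ;;
  csr)    shift; make_csr "$@" ;;
  import) shift; import_reply "$@" ;;
  *)      echo "usage: $0 gen|check|csr|import ..." >&2 ;;
esac
```

Run "check" before uploading the keystore in the wizard: it fails when the alias is wrong or when the keystore holds only a trusted certificate, which are the two conditions that make the upload step reject the file. Run it again after "import": the PrivateKeyEntry check must still pass, and the self-signed check is expected to fail once a CA is the issuer.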

Q: How to get SSO logs?

A: Follow the steps below to get SSO logs:

  1. Open the SP configuration file in the repository: {Repository}\sa\DomsInfo\osp\basic.properties.
  2. Set "logging.level=ALL".
  3. Restart the system and log in again.

  4. Find the value of java.io.tmpdir in the server log. All osp-* files in that directory are SSO log files.

Restore the previous logging level after troubleshooting, because ALL writes verbose SSO activity into the temporary directory on every login.
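The log-collection steps above, as an added example that is not part of OpenText Application Quality Management: it switches logging.level in basic.properties without disturbing other keys, keeps a backup so the original level can be put back, and copies only the osp-* files out of the java.io.tmpdir directory. It assumes basic.properties is a plain key=value file and that the key is exactly logging.level, as the FAQ shows; the paths are placeholders.

```shell
#!/bin/sh
# sso-logs.sh - toggle SSO logging in basic.properties and collect osp-* logs.
# Added example; not part of OpenText Application Quality Management.
set -u

# set_property FILE KEY VALUE: replace the first existing KEY=... line in place
# (comments and other keys untouched) or append KEY=VALUE if absent. A one-time
# backup FILE.bak is kept so the pre-troubleshooting file can be restored.
set_property() {
  file=$1; key=$2; value=$3
  [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
  [ -f "$file.bak" ] || cp "$file" "$file.bak"
  scratch=$(mktemp)
  awk -v k="$key" -v v="$value" '
    BEGIN { done = 0 }
    !done && index($0, k "=") == 1 { print k "=" v; done = 1; next }
    { print }
    END { if (!done) print k "=" v }
  ' "$file" > "$scratch" && cat "$scratch" > "$file"   # cat keeps ownership/mode
  rm -f "$scratch"
}

# get_property FILE KEY: print the current value (empty if the key is absent).
get_property() {
  awk -v k="$2" 'index($0, k "=") == 1 { print substr($0, length(k) + 2); exit }' "$1"
}

# enable_sso_logging FILE: the FAQ setting. Restart the server afterwards.
enable_sso_logging() { set_property "$1" logging.level ALL; }

# restore_properties FILE: put the backed-up file back and drop the backup.
restore_properties() {
  [ -f "$1.bak" ] || return 1
  cat "$1.bak" > "$1" && rm -f "$1.bak"
}

# collect_osp_logs TMPDIR DEST: copy only the osp-* files (the SSO logs) from
# the java.io.tmpdir directory named in the server log into DEST; print the count.
collect_osp_logs() {
  src=$1; dest=$2
  mkdir -p "$dest"
  n=0
  for f in "$src"/osp-*; do
    [ -f "$f" ] || continue      # no match leaves the literal pattern; skip it
    cp "$f" "$dest"/ && n=$((n + 1))
  done
  echo "$n"
}

# Typical session (paths are placeholders for the repository and temp directory):
#   enable_sso_logging /opt/alm/repository/sa/DomsInfo/osp/basic.properties
#   ... restart the server, reproduce the login ...
#   collect_osp_logs /tmp ./sso-logs
#   restore_properties /opt/alm/repository/sa/DomsInfo/osp/basic.properties
```

On a cluster, run the property change and the restart on every node, and collect the osp-* files from each node's own temporary directory, since java.io.tmpdir is local to the JVM that wrote the log.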


Next steps: