Configure Common Tomcat for SBM SSO

To use a typical Deployment Automation installation with SBM, update configuration files to enable Common Tomcat to find and use the correct SBM SSO installation.

Before you begin

Before you can use SBM Single Sign-On (SSO) with Deployment Automation, make sure to meet the following requirements:

  • You have SBM installed. For details, see the SBM documentation.

  • You enabled SSO in SBM. For details, see the SBM documentation.
  • Your Deployment Automation server is installed on the same machine as Common Tomcat.

Configure Common Tomcat for SSO

To configure your application server for SBM SSO:

  1. On the Deployment Automation server, stop the Common Tomcat service.

  2. Navigate to the Deployment Automation's Common Tomcat conf directory, for example:

    C:\Program Files\Micro Focus\common\tomcat\8.5\alfssogatekeeper\conf

    Open the gatekeeper-core-config.xml file and change the host and port parameters:

    <parameter name="SecurityTokenService"
    Type="xsd:anyURI">$HTTP_OR_HTTPS://$HOSTNAME:$PORT/idp/services/Trust</parameter>

    <parameter name="SecurityTokenServiceExternal"
    Type="xsd:anyURI">$HTTP_OR_HTTPS://$HOSTNAME:$PORT/idp/services/Trust</parameter>

    <parameter name="FederationServerURL"
    Type="xsd:anyURI">$HTTP_OR_HTTPS://$HOSTNAME:$PORT/idp/login</parameter>

    Replace the following placeholder variables:

    Variable         Replace with
    $HTTP_OR_HTTPS   Either HTTP or HTTPS.
    $HOSTNAME        The host name for your SBMSSO server.
    $PORT            The port for your SBMSSO server.

    The default HTTP port number for the SBMSSO server is 8085.
    The default HTTPS port number for the SBMSSO server is 8243.
    Example:

    <parameter name="SecurityTokenService" Type="xsd:anyURI">
    HTTPS://myserver:8243/idp/services/Trust</parameter>

    <parameter name="SecurityTokenServiceExternal" Type="xsd:anyURI">HTTPS://myserver:8243/idp/services/Trust</parameter>

    <parameter name="FederationServerURL" Type="xsd:anyURI">
    HTTPS://myserver:8243/idp/login</parameter>

    Caution: For the gatekeeper core configuration, you use the SBMSSO HTTP or HTTPS port number. Be careful not to confuse it with the port numbers for Deployment Automation, which are by default 8080 (HTTP) and 8443 (HTTPS).

  3. Navigate to your Deployment Automation server's profile directory, for example:

    C:\Users\<username>\.microfocus\da\conf\server
    or
    /opt/MicroFocus/da/<username>/.microfocus/da/conf/server

    Modify the da_config.xml file to set the ssoEnabled property to true:

    <ssoConfig>
      <ssoEnabled>true</ssoEnabled>
    </ssoConfig>

  4. On the Deployment Automation server, start the Common Tomcat service.
  5. To verify the configuration, open the Deployment Automation user interface through your implementation's URL, for example, http://<serverName>:<port>/da.

Note: If you have enabled SSO, to log in to Deployment Automation you must add the host name to the list of SSO protected hosts. Launch SBM Configurator and open the Authentication tab. On the SSO Protected Hosts tab, add the DA host name.
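The mistake the caution in step 2 warns about (pointing the gatekeeper at Deployment Automation's own 8080/8443 instead of the SBMSSO port) and a closing tag missing its slash are both easy to miss by eye. The following checker is an added example, not part of this documentation or the product: it parses gatekeeper-core-config.xml, confirms the three SSO parameters carry an http(s)://host:port URL with the expected path, and flags a DA port. The `<config>` wrapper element in the constructed sample is an assumption; the checker matches `<parameter>` elements anywhere in the tree.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Port numbers as stated on this page: SBM SSO defaults and DA defaults.
SBM_SSO_PORTS = {8085, 8243}
DA_PORTS = {8080, 8443}
# The path each edited parameter must end with.
EXPECTED_PATHS = {
    "SecurityTokenService": "/idp/services/Trust",
    "SecurityTokenServiceExternal": "/idp/services/Trust",
    "FederationServerURL": "/idp/login",
}

def _local(tag):  # strip any default-xmlns prefix so <parameter> still matches
    return tag.rsplit("}", 1)[-1]

def check_gatekeeper_config(xml_text):
    """Return a list of findings; an empty list means the three SSO parameters look right."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML (look for a closing tag missing its '/'): {exc}"]
    params = {p.get("name"): (p.text or "").strip()
              for p in root.iter() if _local(p.tag) == "parameter"}
    findings = []
    for name, path in EXPECTED_PATHS.items():
        value = params.get(name)
        if not value:
            findings.append(f"{name}: parameter missing or empty")
            continue
        url = urlparse(value)  # urlparse lower-cases the scheme, so HTTPS:// is accepted
        if url.scheme not in ("http", "https") or url.hostname is None or url.port is None:
            findings.append(f"{name}: expected http(s)://host:port/..., got {value!r}")
            continue
        if url.path != path:
            findings.append(f"{name}: path should be {path}, got {url.path!r}")
        if url.port in DA_PORTS:
            findings.append(f"{name}: port {url.port} is a Deployment Automation port, not the SBM SSO port")
        elif url.port not in SBM_SSO_PORTS:
            findings.append(f"{name}: port {url.port} is not a default SBM SSO port; confirm it")
    return findings

# Constructed sample: the page's example values inside an assumed <config> wrapper element.
GOOD = """<config>
  <parameter name="SecurityTokenService" Type="xsd:anyURI">HTTPS://myserver:8243/idp/services/Trust</parameter>
  <parameter name="SecurityTokenServiceExternal" Type="xsd:anyURI">HTTPS://myserver:8243/idp/services/Trust</parameter>
  <parameter name="FederationServerURL" Type="xsd:anyURI">HTTPS://myserver:8243/idp/login</parameter>
</config>"""
BAD_PORT = GOOD.replace(":8243", ":8443")  # DA's own HTTPS port pasted by mistake
```

Run it against the real file with `check_gatekeeper_config(open(path).read())` before starting the Common Tomcat service.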

Troubleshooting

If you get the following error when signing on:

ALF SSO Gatekeeper error has occurred: Error obtaining security token.

Detail

Validation of WS-Federation token failed with code 40:Token issuer not allowed.

Use one of these solutions to resolve the error:

Solution 1: Update your SSO STS certificates. For more information, see Knowledge Base item S140637.

Solution 2: Copy the keystore.jks and truststore.jks files from the SBM's Common Tomcat conf directory, for example:

<SBM installation location>\Common\tomcat\server\default\alfssogatekeeper\conf

to the Deployment Automation's Common Tomcat conf directory, for example:

C:\Program Files\Micro Focus\common\tomcat\8.5\alfssogatekeeper\conf

Replace the keystore.jks and truststore.jks files with the ones you copied from SBM.

Configure Common Tomcat for SSO with FIPS support

For systems that require FIPS 140-2 compliance, enable FIPS support in SBM. To work with Deployment Automation, the FIPS mode requires an SSO certificate with a 2048-bit or longer RSA key.

Note: If you don't have a security certificate with an RSA key of at least 2048 bits, generate one. For details, see the SSH documentation.

You can also generate a 2048-bit RSA certificate in SBM. In SBM Configurator, navigate to (Advanced) Security > Secure SBM and click Generate All. For details on FIPS compliance in SBM, see the SBM documentation.

To configure your application server for SBM SSO with FIPS support:

  1. Complete steps 1–4 from the earlier section Configure Common Tomcat for SSO.

  2. Copy the keystore.jks and truststore.jks files from the SBM's Common Tomcat conf directory, for example:

    <SBM installation location>\Common\tomcat\server\default\alfssogatekeeper\conf

    to the Deployment Automation's Common Tomcat conf directory, for example:

    C:\Program Files\Micro Focus\common\tomcat\8.5\alfssogatekeeper\conf

    Replace the keystore.jks and truststore.jks files with the ones you copied from SBM.

  3. Enable FIPS mode in SBM:
    1. In SBM Configurator, navigate to (Advanced) Security > Secure SBM.
    2. In the Security Requirements section, select Enable FIPS 140-2 compliance.
    3. Click Apply.
  4. On the Deployment Automation server, restart the Common Tomcat service.
  5. To verify the configuration, open the Deployment Automation user interface through your implementation's URL, for example, http://<serverName>:<port>/da.

Reconfigure for SSO after upgrades

If you have configured Single Sign-On (SSO) with one version of Common Tomcat and have upgraded Deployment Automation to a version that uses a different version, you need to configure Common Tomcat for SSO again. This includes setting the parameters in the gatekeeper-core-config.xml file. Otherwise, the SSO login will fail.

To set the parameters, copy over the corresponding strings from the earlier version of the gatekeeper-core-config.xml file. Copying and replacing the entire file from the earlier Common Tomcat installation does not work.

Next steps: