Configure Common Tomcat for SBM SSO

To use a typical Deployment Automation installation with SBM, update configuration files to enable Common Tomcat to find and use the correct SBM SSO installation.

Before you begin

Before you can use SBM Single Sign-On (SSO) with Deployment Automation, ensure that the following prerequisites are fulfilled:

  • You have SBM installed.

  • You enabled SSO in SBM.

    For details, see the SBM documentation.

  • Your Deployment Automation server is installed on the same machine as Common Tomcat.


Configure Common Tomcat for SSO

When you have your Deployment Automation and SBM environments ready, you can configure SBM SSO in Common Tomcat.

To configure your application server for SBM SSO:

  1. On the Deployment Automation server, stop the Common Tomcat service.

  2. Navigate to the Deployment Automation's Common Tomcat conf directory, for example:

    C:\Program Files\Micro Focus\common\tomcat\<version>\alfssogatekeeper\conf

    Open the gatekeeper-core-config.xml file and change the host and port parameters:

    <parameter name="SecurityTokenService" Type="xsd:anyURI">$HTTP_OR_HTTPS://$HOSTNAME:$PORT/idp/services/Trust</parameter>

    <parameter name="SecurityTokenServiceExternal" Type="xsd:anyURI">$HTTP_OR_HTTPS://$HOSTNAME:$PORT/idp/services/Trust</parameter>

    <parameter name="FederationServerURL" Type="xsd:anyURI">$HTTP_OR_HTTPS://$HOSTNAME:$PORT/idp/login</parameter>

    Replace the following placeholder variables:

    Variable         Replace with
    $HTTP_OR_HTTPS   Either HTTP or HTTPS.
    $HOSTNAME        The host name for your SBMSSO server.
    $PORT            The port for your SBMSSO server. The default HTTP port number for the SBMSSO server is 8085; the default HTTPS port number is 8243.

    Example:

    <parameter name="SecurityTokenService" Type="xsd:anyURI">HTTPS://myserver:8243/idp/services/Trust</parameter>

    <parameter name="SecurityTokenServiceExternal" Type="xsd:anyURI">HTTPS://myserver:8243/idp/services/Trust</parameter>

    <parameter name="FederationServerURL" Type="xsd:anyURI">HTTPS://myserver:8243/idp/login</parameter>

    Caution: For the gatekeeper core configuration, you use the SBMSSO HTTP or HTTPS port number. Be careful not to confuse it with the port numbers for Deployment Automation, which are by default 8080 (HTTP) and 8443 (HTTPS).

  3. Navigate to your Deployment Automation server's profile directory, for example:

    • Windows: C:\Users\<username>\.microfocus\da\conf\server

    • UNIX/Linux: /opt/MicroFocus/da/<username>/.microfocus/da/conf/server

    Modify the da_config.xml file to set the ssoEnabled property to true:

    <ssoConfig>

    <ssoEnabled>true</ssoEnabled>

    </ssoConfig>

  4. On the Deployment Automation server, start the Common Tomcat service.
  5. To verify the configuration, open the Deployment Automation user interface through your implementation's URL, for example, http://<serverName>:<port>/da.

Note: If you have enabled SSO, to log in to Deployment Automation, you must add the host name to the list of SSO protected hosts. Launch SBM Configurator and open the Authentication tab. On the SSO Protected Hosts tab, add the DA host name.
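The procedure above edits two files by hand, and the Caution explains the most common slip: pointing the gatekeeper at a Deployment Automation port instead of the SBMSSO port. The following script is an added example (not Micro Focus code) that reads a gatekeeper-core-config.xml and a da_config.xml and reports anything that departs from the steps above: a placeholder left unreplaced, a closing tag written as `<parameter>` instead of `</parameter>`, a DA port where an SBMSSO port should be, plain HTTP, or ssoEnabled not set to true. The sample files embedded in it are constructed; only the `<parameter name="..." Type="xsd:anyURI">` elements shown on this page are assumed, not the rest of the real file's structure.

```python
# Added example (not Micro Focus code): checks gatekeeper-core-config.xml and
# da_config.xml against the procedure above. The sample files below are constructed;
# only the <parameter name=... Type="xsd:anyURI"> elements shown on the page are
# assumed, the rest of the real file's structure is not.
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

DA_DEFAULT_PORTS = {8080, 8443}            # Deployment Automation defaults (see the Caution)
EXPECTED_PATHS = {                          # parameter name -> path on the SBMSSO server
    "SecurityTokenService": "/idp/services/Trust",
    "SecurityTokenServiceExternal": "/idp/services/Trust",
    "FederationServerURL": "/idp/login",
}

def local_name(tag):
    """Strip any XML namespace so the checks work whether or not the file uses one."""
    return tag.rsplit("}", 1)[-1]

def gatekeeper_parameters(xml_text):
    """Return {parameter name: value}; raises ET.ParseError if the XML is not well-formed."""
    root = ET.fromstring(xml_text)
    return {el.get("name"): (el.text or "").strip()
            for el in root.iter()
            if local_name(el.tag) == "parameter" and el.get("name")}

def check_gatekeeper_config(xml_text):
    """Return a list of findings; an empty list means the SSO parameters look consistent."""
    try:
        params = gatekeeper_parameters(xml_text)
    except ET.ParseError as exc:
        # A closing tag written as <parameter> instead of </parameter> ends up here.
        return [f"not well-formed XML: {exc}"]
    findings = []
    for name, path in EXPECTED_PATHS.items():
        value = params.get(name)
        if value is None:
            findings.append(f"{name}: parameter missing")
            continue
        if "$" in value:
            findings.append(f"{name}: placeholder not replaced ({value})")
            continue
        url = urlparse(value)                # urlparse lower-cases the scheme
        if url.scheme not in ("http", "https"):
            findings.append(f"{name}: scheme must be HTTP or HTTPS ({value})")
            continue
        if url.scheme == "http":
            findings.append(f"{name}: plain HTTP, SSO tokens are sent unencrypted")
        try:
            port = url.port
        except ValueError:
            findings.append(f"{name}: port is not a number ({value})")
            continue
        if port is None:
            findings.append(f"{name}: no port given (SBMSSO defaults are 8085 HTTP / 8243 HTTPS)")
        elif port in DA_DEFAULT_PORTS:
            findings.append(f"{name}: port {port} is a Deployment Automation port, not an SBMSSO port")
        if url.path != path:
            findings.append(f"{name}: path is {url.path!r}, expected {path!r}")
    return findings

def sso_enabled(da_config_text):
    """True only if da_config.xml contains <ssoEnabled>true</ssoEnabled>."""
    root = ET.fromstring(da_config_text)
    for el in root.iter():
        if local_name(el.tag) == "ssoEnabled":
            return (el.text or "").strip().lower() == "true"
    return False

# --- constructed sample files -------------------------------------------------
GOOD_CONFIG = """<configuration>
  <parameter name="SecurityTokenService" Type="xsd:anyURI">HTTPS://myserver:8243/idp/services/Trust</parameter>
  <parameter name="SecurityTokenServiceExternal" Type="xsd:anyURI">HTTPS://myserver:8243/idp/services/Trust</parameter>
  <parameter name="FederationServerURL" Type="xsd:anyURI">HTTPS://myserver:8243/idp/login</parameter>
</configuration>"""

# Three typical mistakes: a placeholder left in, the DA HTTPS port used by mistake, plain HTTP.
BAD_CONFIG = """<configuration>
  <parameter name="SecurityTokenService" Type="xsd:anyURI">HTTPS://$HOSTNAME:8243/idp/services/Trust</parameter>
  <parameter name="SecurityTokenServiceExternal" Type="xsd:anyURI">HTTPS://myserver:8443/idp/services/Trust</parameter>
  <parameter name="FederationServerURL" Type="xsd:anyURI">http://myserver:8085/idp/login</parameter>
</configuration>"""

# Closing tag missing its slash, so the file is not well-formed.
MALFORMED_CONFIG = """<configuration>
  <parameter name="SecurityTokenService" Type="xsd:anyURI">HTTPS://myserver:8243/idp/services/Trust<parameter>
</configuration>"""

DA_CONFIG_ON = "<ssoConfig><ssoEnabled>true</ssoEnabled></ssoConfig>"
DA_CONFIG_OFF = "<ssoConfig><ssoEnabled>false</ssoEnabled></ssoConfig>"

if __name__ == "__main__":
    for label, text in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG), ("malformed", MALFORMED_CONFIG)):
        print(label, check_gatekeeper_config(text) or "OK")
    print("ssoEnabled:", sso_enabled(DA_CONFIG_ON), sso_enabled(DA_CONFIG_OFF))
```

To run it against a real installation, read the two files from the conf and profile directories named in steps 2 and 3 and pass their contents to `check_gatekeeper_config` and `sso_enabled`; run it before step 4 so that Common Tomcat is only started once the findings list is empty.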

Troubleshooting

If you get the following error when signing on:

ALF SSO Gatekeeper error has occurred: Error obtaining security token.

Detail

Validation of WS-Federation token failed with code 40:Token issuer not allowed.

Use one of these solutions to resolve the error:

Solution 1: Update your SSO STS certificates. For more information, see Knowledge Base item S140637.

Solution 2: Copy the keystore.jks and truststore.jks files from the SBM's Common Tomcat conf directory, for example:

<SBM installation location>\Common\tomcat\server\default\alfssogatekeeper\conf

to the Deployment Automation's Common Tomcat conf directory, for example:

C:\Program Files\Micro Focus\common\tomcat\9.0\alfssogatekeeper\conf

Replace the keystore.jks and truststore.jks files with the ones you copied from SBM.


Configure Common Tomcat for SSO with FIPS support

For systems that require FIPS 140-2 compliance, enable FIPS support in SBM. To work with Deployment Automation, the FIPS mode requires an SSO certificate with a 2048-bit or longer RSA key.

Note: If you don't have a security certificate with an RSA key of at least 2048 bits, generate one. You can generate a 2048-bit RSA certificate in SBM. In SBM Configurator, navigate to (Advanced) Security > Secure SBM and click Generate All. For details on FIPS compliance in SBM, see the SBM documentation.

To configure Common Tomcat for SBM SSO with FIPS support:

  1. Complete steps 1–4 in Configure Common Tomcat for SSO.

  2. Copy the keystore.jks and truststore.jks files from the SBM's Common Tomcat conf directory, for example:

    <SBM installation location>\Common\tomcat\server\default\alfssogatekeeper\conf

    to the Deployment Automation's Common Tomcat conf directory, for example:

    C:\Program Files\Micro Focus\common\tomcat\9.0\alfssogatekeeper\conf

    Replace the keystore.jks and truststore.jks files with the ones you copied from SBM.

  3. Enable FIPS mode in SBM:

    1. In SBM Configurator, navigate to (Advanced) Security > Secure SBM.

    2. In the Security Requirements section, select Enable FIPS 140-2 compliance.

    3. Click Apply.

  4. On the Deployment Automation server, restart the Common Tomcat service.
  5. To verify the configuration, open the Deployment Automation user interface through your implementation's URL, for example, http://<serverName>:<port>/da.


Reconfigure for SSO after upgrades

If you have set up SSO with one version of Common Tomcat and have upgraded Deployment Automation to a version that uses a different Common Tomcat version, you need to configure Common Tomcat for SSO again.

This reconfiguration includes setting the parameters in the gatekeeper-core-config.xml file. Otherwise, the SSO login fails.

To set the parameters, copy over the corresponding strings from the earlier version of the gatekeeper-core-config.xml file. Copying and replacing the entire file from the earlier Common Tomcat installation does not work.
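Because only the parameter values may be carried over, not the whole file, the merge is easy to get wrong by hand. The following script is an added example (not Micro Focus code) that takes the earlier and the newly installed gatekeeper-core-config.xml, copies just the three SBM SSO parameter values from the old file into the new one, and leaves every other setting of the new file as installed; it refuses to proceed if a parameter is missing on either side. The sample files are constructed, and the parameter names LegacyOnlySetting and NewOnlySetting are hypothetical stand-ins for settings that differ between Common Tomcat versions; only the `<parameter name="...">` elements shown on this page are assumed.

```python
# Added example (not Micro Focus code): after an upgrade, copy only the three SBM SSO
# parameter values from the earlier gatekeeper-core-config.xml into the new one,
# leaving every other setting of the new file as installed. The sample files are
# constructed; only the <parameter name=...> elements shown on this page are assumed.
import xml.etree.ElementTree as ET

SSO_PARAMETERS = ("SecurityTokenService", "SecurityTokenServiceExternal", "FederationServerURL")

def _local(tag):
    return tag.rsplit("}", 1)[-1]          # ignore an XML namespace if the file has one

def _parameter_elements(root):
    """Map parameter name -> element for every <parameter name="..."> in the tree."""
    return {el.get("name"): el for el in root.iter()
            if _local(el.tag) == "parameter" and el.get("name")}

def parameter_values(xml_text):
    """Map parameter name -> text value for a gatekeeper-core-config.xml string."""
    return {name: (el.text or "").strip()
            for name, el in _parameter_elements(ET.fromstring(xml_text)).items()}

def carry_over_sso_parameters(old_xml, new_xml, names=SSO_PARAMETERS):
    """Return the new file's XML with only the named parameter values taken from the old file.

    Raises KeyError if a parameter is missing on either side, so nothing is silently skipped.
    """
    old = _parameter_elements(ET.fromstring(old_xml))
    new_root = ET.fromstring(new_xml)
    new = _parameter_elements(new_root)
    missing = [n for n in names if n not in old or n not in new]
    if missing:
        raise KeyError(f"parameters not present in both files: {missing}")
    for n in names:
        new[n].text = (old[n].text or "").strip()
    return ET.tostring(new_root, encoding="unicode")

# --- constructed sample files -------------------------------------------------
# Earlier, working configuration; LegacyOnlySetting is a hypothetical setting the
# new Common Tomcat version no longer has.
OLD_CONFIG = """<configuration>
  <parameter name="SecurityTokenService" Type="xsd:anyURI">HTTPS://myserver:8243/idp/services/Trust</parameter>
  <parameter name="SecurityTokenServiceExternal" Type="xsd:anyURI">HTTPS://myserver:8243/idp/services/Trust</parameter>
  <parameter name="FederationServerURL" Type="xsd:anyURI">HTTPS://myserver:8243/idp/login</parameter>
  <parameter name="LegacyOnlySetting" Type="xsd:string">old-value</parameter>
</configuration>"""

# Freshly installed file: placeholders unset, plus a hypothetical setting (NewOnlySetting)
# that the old version did not have and that must survive the merge.
NEW_CONFIG = """<configuration>
  <parameter name="SecurityTokenService" Type="xsd:anyURI">$HTTP_OR_HTTPS://$HOSTNAME:$PORT/idp/services/Trust</parameter>
  <parameter name="SecurityTokenServiceExternal" Type="xsd:anyURI">$HTTP_OR_HTTPS://$HOSTNAME:$PORT/idp/services/Trust</parameter>
  <parameter name="FederationServerURL" Type="xsd:anyURI">$HTTP_OR_HTTPS://$HOSTNAME:$PORT/idp/login</parameter>
  <parameter name="NewOnlySetting" Type="xsd:string">keep-me</parameter>
</configuration>"""

if __name__ == "__main__":
    print(carry_over_sso_parameters(OLD_CONFIG, NEW_CONFIG))
```

ElementTree does not preserve XML comments and may rewrite namespace prefixes when it serialises, so on a real installation use the result to confirm the three values (or pass the file contents to `parameter_values` on both sides and paste the strings) rather than overwriting the new file unread.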


Next steps: