1) Is SSL necessary to implement a single sign-on feature? 2) We've combination of MS Server 2008 R2 which runs Apache (as a web tier). Is IIS "must" to have a SSO feature or are Windows workstation and Apache able to do the user recognizion alone?
Any recently updated manual/guide to build succesful SSO in welcome. I've read many threads and guides, but they're often SM7.11 era or older. Which means IIS has changed since as well as Service Manager itself...
The guide from the forums is still accurate for IIS 7.0(Server 2008 R2). However instead of tabs just click on the menu item you would normally right click on and the properties will load in the main portion of the window, along with some additional on the right side panel. They are named close to eachother if they are not the same as IIS 6.0(older versions of IIS release). The scripts you just need to make are at the end. The reason SSL is recommended is because you are passing usernames and passwords between locations. You can also setup a certificate(self-signed or verified) for IIS and that will help with the Web-tier too.
The service manager help file "Configure LW-SSO for Service Manager" was useful to get the client sso working. Also to know what the ini configuratio nsettings and commands do, the help "List: SSL Parameters" will be of great service.
Thanks, ffennitsuj. I've that document already. Maybe somebody could update that document to match it with IIS7?
One question regarding that document - already at a step is a phrase "Make sure you have set up SM properly with a web client running using Tomcat/IIS 6.0 with ISAPI filter".
Currently we connect to Service Manager web tier on Apache Tomcat. Does this document expect that before implementing changes that I should be able to login to Service Manager (using username/password) which is running still in Apache Tomcat, but connection is handled by IIS7?
And if so, is there a documentation how to do this and how to test that Service Manager on IIS7 works?
You should be able to connect to ServiceManager before following these directions through the web-portal and eclipse client.
For the directions I have attached them. I am assuming you are talking strictly about steps 10 and 11 which is why those are the only two I added.
To be fully honest these directions are accurate. They worked for me for SSL and SSO. Yes I had to make some accomodations by reading the "Help" information on SSL parameters, but you cant get away with not understanding the system and just following directions.
Other important notes about implementing on SM 9.21 vs 7: The application-context.xml will effect the web-portal login/authentication. If the web-page says it cannot display this page when this is turned on it's because you have to add your account that you are currently logged in to for your domain, to the system. The sm.ini will have sslConnector:0, I set it to 1 for it to work. I did not do the "isapi filter" directions. They just broke my system. Skip to the sm.cfg wit the stipulation to ignore the "initstring password" if you didnt set one up. At this point I follow the LW-SSO directions from the help. In these directions the webui enabled="false" instead of true. We also skipped step 5 as it didnt work with SSO because it changes the web-login authentication.
So in short make sure your ServiceManager is working before following these directions. You may have to have already known and setup accounts, the default admin(I believe is falcon). Then, run these directions, then if the eclipse login isnt working try the help guide "Configure LW-SSO in Service Manager" with my stipulations and you should be working.
(Well, I thought I wrote yesterday one more reply but here I go again)
Again thanks for your reply. You wrote:
"I did not do the "isapi filter" directions. They just broke my system. Skip to the sm.cfg wit the stipulation to ignore the "initstring password" if you didnt set one up."
Well, actually my first question was about the first step on the instructions but thanks for updating other steps. First step tells that I should have already running Apache/IIS system with ISAPI filter before attempting single signon tweaks. Could you please tell is this ISAPI filter really needed? When I checked LW-SSO instructions from Service Manager help it wasn't mentioned at all?
I'm a bit puzzled with all these instructions which seem to vary quite a lot? Has anybody succeeded to make a single signon work with instuctions listed in SM920 help document "Configuring HP Service Manager to Use the SSL-based Tusted Sign-On and LW-SSO"?
We configured our isapi filter at a different time. I did not configure it using the directions from the forum guide. The red marks changes so the isapi filter should be fine with the "default" settings. MSDN has a good read about ISAPI and what it does. But so you know "ISAPI filters always run on an IIS server." So whether or not you use it it will be available for later use. I did read the guide from the Help but I got a better understanding from the guide previouslly attached.
Please, can you tell me how make it the SSO implementation? We follow the documents on our labs without success. We have a Win Server 2008 with IIS 6.0, and we can't see activity on (by example) the isapi_redirect log file...