News & comment
● The risks of an IIS front end
posted by John B on 5th November 2011
Why are organisations using a Microsoft IIS front end to Tomcat?
Vendors (BMC, HP) often encourage customers to use Microsoft IIS as a front end to Apache Tomcat. For the majority of people, this adds no value to the deployment because IIS is doing nothing more than passing requests to Tomcat.
The illusion of SSO
IIS can perform Integrated Windows Authentication and force browsers to authenticate, providing a solution that has the appearance of SSO. Sadly, it's not quite that simple, because it leaves open the possibility of a third party (i.e. an attacker) connecting directly to Tomcat and passing any username they choose.
The problem with this approach is that the SSO tokens sent by the browser are not being authenticated in the Java web server: IIS authenticates them, and Tomcat simply trusts whatever username IIS forwards.
It has come to our attention that some vendor partner companies are misleading customers into believing this is a good solution as their primary aim is to sell consulting days instead of a quality solution.
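The trust boundary described above, modelled as an added example (this is not SSO Plugin code, and the HMAC-signed token is a constructed stand-in for the NTLM/Kerberos token the real product validates against Active Directory): the first policy accepts whatever username the front end forwards, the second validates the token in the application server itself.

```python
import hmac
import hashlib

# Constructed key standing in for the trust relationship between the Java web
# server and Active Directory; the real product validates NTLM/Kerberos tokens
# against AD rather than checking an HMAC.
DIRECTORY_KEY = b"constructed-directory-key"


def issue_token(username):
    """Constructed stand-in for the SSO token a browser presents for a user."""
    mac = hmac.new(DIRECTORY_KEY, username.encode(), hashlib.sha256).hexdigest()
    return f"{username}:{mac}"


def identity_trusting_front_end(headers):
    """The IIS-front-end pattern the post warns about: IIS authenticates the
    browser and forwards the result, and the Java web server simply trusts the
    forwarded username. A client that reaches Tomcat directly can assert any
    name, because nothing here checks that IIS, rather than the client, set it."""
    return headers.get("REMOTE_USER")


def identity_validated_in_app_server(headers):
    """The built-in integration pattern: the Java web server validates the SSO
    token itself and ignores any username a client or proxy asserts. A missing
    or tampered token yields no identity."""
    token = headers.get("X-SSO-Token", "")
    username, sep, mac = token.partition(":")
    if not sep or not username:
        return None
    expected = hmac.new(DIRECTORY_KEY, username.encode(), hashlib.sha256).hexdigest()
    return username if hmac.compare_digest(mac.encode(), expected.encode()) else None


def compare_policies(headers):
    """Return what each policy concludes for the same request."""
    return {
        "front_end_trust": identity_trusting_front_end(headers),
        "validated_in_app_server": identity_validated_in_app_server(headers),
    }


if __name__ == "__main__":
    # Constructed direct-to-Tomcat request carrying a chosen username and no token.
    direct = {"REMOTE_USER": "administrator"}
    # Constructed request from a browser holding a genuine token for alice.
    browser = {"X-SSO-Token": issue_token("alice")}
    print(compare_policies(direct))    # front-end trust grants 'administrator'
    print(compare_policies(browser))   # validation grants 'alice'
```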
SSO without IIS
Whilst SSO Plugin supports an IIS front end, we actively encourage the use of the SSO Plugin built-in Active Directory integration. This integration will bind SSO Plugin directly to the Active Directory so the SSO tokens sent by the browser can be validated with the AD, bringing the security into the Java web server.
The use of built-in Active Directory integration also removes the need for IIS, and hence simplifies the solution.
With fewer components to go wrong, and a more secure solution, why would you want to deploy SSO for Windows in any other way?
How to switch from IIS to built-in Active Directory authentication (on a Windows server)
SSO Plugin 3.6 introduces native Integrated Windows Authentication (IWA), so simply select the integration option in the web interface and the product will support the required NTLMv2 part of the IWA protocol.
An optional Active Directory account can be specified to enable the Kerberos protocol - the "nice to have" part of IWA.
How to switch from IIS to built-in Active Directory authentication (non-Windows)
When the Java web server is not running on a Windows server, there is a prerequisite. Each SSO Plugin installation requires a computer service account in the Active Directory, as per Microsoft's design, so that it can process the SSO tokens sent by browsers.
There are two ways of obtaining an account:
• A script called set-service-account.cmd, provided in the SSO Plugin installation set, creates the account in a user-friendly fashion. It has to be run by an Active Directory administrator.
• For those who do not want to run the script, manual steps are provided in the configuring Mid Tier and Web Tier installation guide.
Once an account has been obtained, simply go to the SSO Plugin setup page and follow these instructions:
1. Select the built-in Active Directory authentication type.
2. Enter the fully qualified hostname of an Active Directory server (not a load balancer hostname); multiple ADs can be provided as a comma-separated list.
3. Enter the fully qualified Windows DNS domain name. This can be discovered by opening a command prompt and typing net config workstation.
4. Enter the computer service account name and password.
5. Press set configuration and test the solution.
If there are any questions or concerns, contact the JSS support team.
Please note: the instructions detailed above are at a very high level and are no substitute for reviewing the extremely thorough documentation provided with SSO Plugin.
● Overlays, the Marmite of the AR System.
posted by Danny Kellett on 16th October 2011
So you either love them or hate them. They are here to stay so it is important to understand them. Here are some helpful notes from JSS to the community.
What are overlays?
Quote from Doug Mueller (doug_mueller@bmc.com):
“The goal of the feature is to allow you to isolate out-of-the-box application definitions from your enhancements/customizations. The result of this is better understanding of the application changes and extensions made and the ability to dramatically improve the upgrade, and subsequent recustomize, operation.”
So BMC have all their out-of-the-box (OOTB) definitions loaded into the Base Development mode. Then, as a customer, you create your definitions in the Best Practice Customization layer. In theory this should prevent the situation where both you and BMC use the same workflow object name and one overwrites the other.
So technically, here are some bullet points you should be aware of:
• Overlays are copies of AR Server objects with a special relationship to their original objects.
• Overlays look like normal objects with a special suffix in their name: “__o”.
• Overlaid objects are used in place of the original object at runtime by the server and clients.
• Dev studio works on the overlay with the “Best Practice Customization” mode.
Extract from BMC Remedy Action Request 7.6.04 Application Development and Developer Studio guide: BMC recommends that you do not create or modify objects in Base Development mode. If you do, your changes can be lost when AR System applications and servers are upgraded. However, you must use Base Development mode to modify origin objects.
Customization Type explanations
Unmodified Objects
These are objects that exist in Base Development mode, e.g. BMC's OOTB objects.
Overlay Objects
This is an overlay of an existing object in Base Development mode.
Custom Objects
These are objects created in Best Practice mode, e.g. customer objects. They do not exist in Base Development mode (OOTB BMC).
Best Practice Customization Mode (BPC)
• This is the default mode of the Dev Studio
• OOTB objects are read-only. If you want to modify one, you have to create an overlay.
• New objects created in this mode are listed as “Custom” objects in Dev Studio
• Objects that are stored as data, e.g. Templates, Skins, Flashboards, DSO, etc., can be modified in BPC mode.
• Deployable applications cannot be created or edited in BPC mode.
But it’s still read only!
If you open a BMC object form in Developer Studio in BPC mode, you will notice there isn't much you can do. This is Dev Studio's way of creating a quality gate. To modify the form you have to create an overlay: right-click on the form name and click Create Overlay.
This will change the Customisation Type to Overlay and put a small blue square in the icon in the list. But you still cannot modify the view until you create an overlay of the view.
Modification Order
Base Development Form (OOTB ITSM form)
- Default (Best Practice Mode) = everything read-only
- Overlay View (Menu > Form > Create View Overlay)
  o Icon changes on the view tab
  o Everything in that view becomes read/write
  o Able to add / delete fields
7.7 Enhancement
Obviously this can become quite confusing. In version 7.7, BMC have removed some of these steps by allowing overlays to be created automatically.
● AR System Server Groups: Where are my operations running?
posted by Danny Kellett on 16th October 2011
Server groups were introduced to allow AR Servers to scale linearly. They enable customers to install more than one AR Server pointing to the same database. In doing so you can configure which AR Server hosts certain processes and functions and, in the event of a failure, which AR Server inherits those roles for service continuity.
Currently, there are 14 services that can be distributed among the AR Servers. The configuration form that controls this is an administrator-only form called AR System Server Group Operation Ranking.
While all AR Servers are functioning, you can use this form to see which operations are being served by which server. But when one is not, how do you tell in real time?
The first option is to use the database client.
How you connect depends on which database you have, but for this example the SQL is the same:
SELECT servername, opflags FROM servgrp_board
An example result set is as follows:
ServerA 1;1;1;1;1;1;1;1;1;1;1;1;1;1
ServerB 0;0;0;0;0;0;0;0;0;0;0;0;0;0
The opflags column shows a semicolon-separated list of 1s or 0s, each representing an operation. In the above example, all operations are currently running on ServerA.
The mapping from opflag position to operation, reading from left to right, is:
1. Administration
2. Approval Server
3. Archive
4. Assignment Engine
5. Atrium Integration Engine
6. Business Rules Engine
7. CMDB
8. DSO
9. E-Mail Engine
10. Escalation
11. Flashboards
12. Full Text Engine
13. Reconciliation Engine
14. SLM Collector
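A small parser for servgrp_board rows, added here as an example (it is not from the post or from BMC), which maps each opflag position to its operation and highlights an operation that no server is running or that two servers claim at once; the rows are constructed in the shape of the query output above.

```python
# Operations in the order the opflags column lists them, left to right.
OPERATIONS = [
    "Administration", "Approval Server", "Archive", "Assignment Engine",
    "Atrium Integration Engine", "Business Rules Engine", "CMDB", "DSO",
    "E-Mail Engine", "Escalation", "Flashboards", "Full Text Engine",
    "Reconciliation Engine", "SLM Collector",
]

# Constructed rows in the shape returned by
# SELECT servername, opflags FROM servgrp_board
SAMPLE_ROWS = [
    ("ServerA", "1;1;1;1;1;1;1;1;1;1;1;1;1;1"),
    ("ServerB", "0;0;0;0;0;0;0;0;0;0;0;0;0;0"),
]


def parse_opflags(opflags):
    """Turn '1;0;...' into {operation: running?}; reject rows of the wrong width."""
    flags = opflags.strip().split(";")
    if len(flags) != len(OPERATIONS):
        raise ValueError(f"expected {len(OPERATIONS)} flags, got {len(flags)}")
    if any(f not in ("0", "1") for f in flags):
        raise ValueError(f"unexpected flag value in {opflags!r}")
    return {op: flag == "1" for op, flag in zip(OPERATIONS, flags)}


def operations_by_server(rows):
    """Map each operation to the servers currently flagged as running it."""
    owners = {op: [] for op in OPERATIONS}
    for server, opflags in rows:
        for op, running in parse_opflags(opflags).items():
            if running:
                owners[op].append(server)
    return owners


def find_anomalies(rows):
    """Operations nobody is running (e.g. after a failure, before failover
    completes) and operations more than one server claims at once."""
    owners = operations_by_server(rows)
    unserved = [op for op, servers in owners.items() if not servers]
    contested = [op for op, servers in owners.items() if len(servers) > 1]
    return unserved, contested


if __name__ == "__main__":
    for op, servers in operations_by_server(SAMPLE_ROWS).items():
        print(f"{op:26} {', '.join(servers) or '-'}")
    print("unserved:", find_anomalies(SAMPLE_ROWS)[0])
```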
Another way, favoured by JSS, to find out which AR Server is running the Administration operation is to use the BMC driver program.
Here are the instructions:
1. On Windows, double-click driver.exe, found in the AR Server installation directory.
2. Type init then Enter.
3. Type log then Enter.
4. Press Enter for the Authentication String.
5. Type your Administrator username and Enter.
6. Type your Administrator password and Enter.
7. Press Enter for the Locale.charset.
8. Press Enter for the Time Zone.
9. Type your AR Server name as you would for the Windows User Tool, Developer Studio or Import Tool, and Enter.
10. If you are running on a TCP port then follow the next three steps; otherwise skip to the gsi step.
11. Type ssp and Enter.
12. Type the TCP port number of the AR Server then Enter.
13. Press Enter for the Using Private Socket prompt.
14. Type gsi then Enter.
15. Type 1 and Enter.
16. Type 203 and Enter.
In my example here at JSS, this was the result for me:
ARGetServerInfo results
ReturnCode: OK
Server Info List : 1 items
Server Info Struct: SERVER GROUP ADMIN SERVER NAME
Value: (char) arsystem7604sp2a
Status List : 0 items
● SSO Plugin newsletter
posted by John B on 11th October 2011
Welcome to a newsletter from Java System Solutions, highlighting news from ourselves and the BMC market as a whole. We would welcome your feedback on feedback@javasystemsolutions.com.
Win an iPad 2
We hope you are pleased with the JSS SSO Plugin and our personalised support service. The AR System administrators who are tasked with deploying and managing SSO Plugin provide us with a lot of good feedback on the product, and we wish to offer the chance to win an iPad 2 for simply recommending our product to a colleague/friend in another organisation.
If you recommend SSO Plugin to another organisation, and tell us of this recommendation, we'll put your name into a hat with others who have done so and we'll pull one out (in February 2012) to win an iPad 2.
There is only one requirement for your recommendation to be valid: the organisation recommended must evaluate the product and provide feedback to JSS.
There are no limits on the number of recommendations an individual can make.
BMC’s biggest clients deploy the JSS SSO Plugin
Another one of BMC's largest US clients, a national health care provider, has deployed SSO Plugin to an AR System deployment comprising 13 AR System servers and 8 Mid Tiers, serving tens of thousands of users per day.
Overlays, the Marmite of the AR System.
You either love them or hate them, but they are here to stay so it is important to understand them. Here are some helpful notes from JSS to the community.
More than just SSO for BMC Analytics
As JSS continue to support a range of products for seamlessly logging into your applications without repeating your login credentials, JSS are also continuing to be innovative with data management and synchronisation.
After listening to their customers' concerns over the requirement to duplicate all users and groups within a BMC Analytics (SAP Business Objects) deployment, the JSS development team decided that this process was time, resource and money wasted. Here is a small demonstration webcast: http://www.javasystemsolutions.com/jss/video/view/SSOPlugin-BusinessObjects (what we did next).
Where are my operations running in the server group?
AR System Server Groups are fantastic for scaling and continuity management, but finding which AR Server is running which operation is not that easy. Here are some options recommended by JSS.
News from the ITSM world
Service-Now has announced its latest version with a social network built in for enterprise IT. The idea is that customers can transform their IT operations with new chat and Facebook-style wall applications by encouraging chat between end users and service providers. We have discussed the concept with a number of clients and discovered this is becoming more popular.
Our opinion is that although this could show the customer base you are more attentive to their needs, our customers reported two concerns:
• As a support engineer, they wouldn't like the idea of multiple screen popups with people demanding to be served. It should be up to the business to control priority, but when you have the actual person on a chat program demanding your assistance immediately, it could be hard to say no.
• There was a concern of incidents getting resolved through chat and not being logged and recorded. It is important to track incidents for so many reasons, such as trending, problem management, and time/resource planning.
Good luck to Service-Now, let’s see if BMC or HP follow suit.
AR System server 7.7 News
Starting with the 7.7 release, the BMC Remedy User and BMC Remedy Alert clients are no longer installed. You can continue to use your 7.6.04 clients with the BMC Remedy AR System 7.7.00 server.
The Data Management tool gets an overhaul. The console will now be the Data Management Job Console and you will no longer need the BMC Remedy User Tool to convert and import your CSV files into the AR System. We believe the main changes are around being able to create multiple jobs that can be scheduled, allowing multiple users to import at the same time, handling multi-tenancy, case sensitivity correction and alias replacement.
And finally, if you wish to evaluate the JSS SSO Plugin, there's absolutely no cost or risk associated with our evaluation program. Simply fill in the contact form to receive download details. JSS provide free remote professional services to ensure your evaluation is successful, ensuring you can deploy and demonstrate SSO to your business without a single penny of investment.
● BMC's biggest clients deploy SSO Plugin
posted by Danny Kellett on 10th October 2011
One of BMC's largest US clients, a national health care provider, has put SSO Plugin into production. The deployment is one of the largest deployments to benefit from SSO Plugin, with tens of thousands of users running on 13 AR System servers and 8 Mid Tiers.
Danny Kellett demonstrated why JSS's support service is so highly regarded by working at 0230 British Summer Time to assist with the deployment, a task that was achieved in just a few hours.
Danny Kellett commented:
Deploying a component to 13 AR System servers and 8 Mid Tiers in the middle of the night is a task that would worry many BMC consultants, but with SSO Plugin's mature deployment strategy, the only delay was waiting for the AR System service to restart.
No other company in the BMC market is delivering SSO deployments to BMC's largest clients, and JSS are so confident of their product and service that free professional services are provided for all SSO Plugin evaluations.
● SSO Plugin for HP Service Manager
posted by John B on 2nd October 2011
Java System Solutions are delighted to announce the first public beta of SSO Plugin for HP Service Manager.
SSO Plugin has become widely accepted as the industry standard implementation in the BMC market, providing single sign on for hundreds of thousands of users every day, and is now available for HP Service Manager (versions 7.1 and greater).
We have produced a video demonstrating the functionality available to HP Service Manager users.
● SSO Plugin for BMC Analytics
posted by John B on 20th September 2011
SSO Plugin 3.4.6 has been successfully integrated with SAP Business Objects (BMC Analytics). Watch the video and learn how you can synchronise the BMC Analytics user repository with BMC ITSM.
This functionality is unique to SSO Plugin: Accept no imitations, SSO Plugin is the only product bringing BMC products together.
Contact JSS or your local BMC representative for more details of this exciting addition to the BMC product set.
● Verifying the computer service account
posted by Danny Kellett on 3rd August 2011
Is it a computer or user service account?
When setting up SSO Plugin with built-in Active Directory authentication, for full Integrated Windows Authentication functionality, a computer service account is required.
This isn't a common request, because most SSO products do not implement IWA properly. While we provide a script to create and configure the computer account, some AD administrators perform the task manually and decide to create a user account, thinking this will be sufficient.
Typically, you will discover the problem when you submit the setup page and see one of the following errors:
Problem with Kerberos settings: Pre-authentication information was invalid (24)
NTLM: Username or password is incorrect.
The first step to resolution is to ensure you have been given a computer service account, with these steps:
Log in to your Mid Tier SSO Plugin configuration screen, i.e. go to http://midtierserver/arsys/jss-sso/setup.jsp. You should see the "Service User". Make a note of it.
Ensure you are logged into the Windows domain from your desktop. Click the Start button, select Run (or, if this has been hidden by your administrators, you can run the command through cmd.exe or a command prompt) and enter:
%SystemRoot%\SYSTEM32\rundll32.exe dsquery,OpenQueryWindow
Make sure there are no spaces before or after the comma.
If you see the error message "The Active Directory Domain Service is currently unavailable" then you are not logged into a domain and you will need to use ldp.exe with a domain login name and password.
You should see the following dialog:
Set the Find drop-down to Users, Contacts, and Groups, type in your computer service account name (in this instance JSS-SSO-SERVICE) and click Find Now; you should not see any results returned.
Then set the Find drop-down to Computers and repeat the same search. This should reveal the computer account. If you can't see it, speak to the AD administrators.