News & comment
● How secure are passwords?
posted by Danny Kellett on 20th November 2012
How secure are passwords? Read this interesting article - how many passwords in BMC or HP ITSM are re-used elsewhere?
● SSO Plugin for SAP Business Objects
posted by John B on 28th October 2012
The SSO Plugin 3.6 Authentication Service provides an integration to SAP Business Objects. Previous releases of SSO Plugin automated the provision of users/groups from BMC and HP ITSM to SAP Business Objects, however organisations have requested a standalone deployment of SSO Plugin for SAP Business Objects.
This functionality brings SSO Plugin's robust integrations (such as Integrated Windows Authentication, SAML, OpenID, X509, native CA SiteMinder and RSA Access Manager / ClearTrust) to the Business Objects platform.
● SSO Plugin 3.6
posted by John B on 1st October 2012
We're pleased to announce a beta release of SSO Plugin 3.6, available to download today. The full release notes contain detailed changes, and a summary is as follows:
SAML Artifact Profile
The SAML Artifact Profile is supported in this release, allowing SSO Plugin to take part in more complicated SAML integrations with IDPs that support Artifacts.
BMC ITSM self-service
Administrators know how difficult it is to keep the ITSM application up to date with users joining the organisation. Administrators have to run nightly LDAP queries that consume vast amounts of server resources, often resulting in few changes to the database.
The product now boasts ITSM self service registration facilities for users who do not have an ITSM account. The user is required to enter a few pieces of information (first and last name, an email address and a phone number), and the product automatically creates an account and provisions access.
BMC ITSM does not offer this functionality and there are no third party tools to achieve anything similar.
BMC ITSM Incident integration
The product previously had the ability to raise an incident when a user could not access ITSM via SSO. This has been improved to allow different types of incident to be raised for different error scenarios, i.e. allowing Kerberos/NTLM incidents to be routed to one team, and ITSM user account configuration issues to another.
Simplifying configuration for BMC AR System
Simplification of the AR System integration through removing the Mid Tier and WUT shared keys. The SSO Administration Console has also been improved.
Native CA SiteMinder and RSA Access Manager (ClearTrust) modules
The most common method of deploying integrations to SiteMinder and Access Manager is to deploy an Apache front end to the Java web server running SSO Plugin. This release adds native modules to SSO Plugin, allowing the product to integrate directly with SiteMinder or Access Manager and removing the need for Apache.
LDAP integration
The product can integrate with any LDAP directory, providing a basic single sign-on solution across multiple products for those who wish to remove multiple logins but have not yet agreed on a full login-less SSO strategy.
● SAML for the Juniper Networks
posted by John B on 15th September 2012
SSO Plugin 3.5.17 provides support for the Juniper virtual appliances after one of the world's largest outsourcers worked with JSS to validate SSO Plugin with a Juniper SA-4500 appliance.
John Baker commented:
Everybody believes SAML "just works". It doesn't. Every time someone presents a new SAML Identity Provider to us, we find some deviation/interpretation of the SAML standard that requires addressing. In this case, our expertise in single-sign on allowed us to quickly integrate SSO Plugin and deliver a solution.
● HP Service Manager and SAP Business Objects
posted by Danny Kellett on 2nd August 2012
Administrators dislike managing multiple user repositories. It's time consuming, costly and error prone.
We've been asked to provide a demonstration of how the JSS SSO Plugin can automate the provision of access to SAP Business Objects from HP Service Manager.
We've produced a video of this functionality, with an audio commentary.
And for those who may not have seen how easy it is to deploy a secure SSO solution for HP Service Manager, this video may be of interest.
We welcome any feedback on our product and integrations, so please do not hesitate to get in touch. And as ever, an evaluation of the JSS SSO Plugin, with inclusive professional services, is available at no cost with no obligation to purchase.
For those without audio support, a written commentary to the video can be found here.
● Allowing large Kerberos tokens in Tomcat
posted by John B on 18th July 2012
Kerberos tokens are sent by the browser. By default, Tomcat has a hard coded limit of 4Kb for an HTTP header, and if the Kerberos token exceeds 4Kb then Tomcat returns status code 400 without passing the request to the product. The standard BMC Tomcat distribution has been known to have 8Kb set, which is inadequate.
Open the Tomcat server.xml file (in the conf directory) and look for the HTTP connector:
<Connector port="8080" protocol="HTTP/1.1"
and add a maxHttpHeaderSize attribute, which is given a value in bytes (65000 is just under 64Kb):
<Connector port="8080" protocol="HTTP/1.1" maxHttpHeaderSize="65000"
Restart Tomcat and check the product still works as expected.
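As an added example (not JSS's code, and not part of the original post), the following Python script audits a Tomcat server.xml for HTTP connectors whose maxHttpHeaderSize is too small to carry a large Kerberos token and writes out a patched copy. The 65000-byte threshold is the value used in the post; the sample server.xml is constructed for the example, and the assumed default of 8192 bytes is what current Tomcat releases use when the attribute is absent.

```python
# Added example (not JSS code): audit Tomcat server.xml HTTP connectors for a
# maxHttpHeaderSize large enough for big Kerberos tokens, and patch them.
import xml.etree.ElementTree as ET

# Assumed default when the attribute is absent (8192 bytes in current Tomcat;
# the post describes distributions with smaller effective limits).
TOMCAT_DEFAULT_HEADER_SIZE = 8192
# Threshold taken from the value used in the post.
RECOMMENDED_HEADER_SIZE = 65000

# Constructed sample server.xml: one HTTP connector without the attribute,
# one with a value that is still too small, and one AJP connector to skip.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxHttpHeaderSize="8192" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""

def is_http_connector(connector):
    # Tomcat treats a missing protocol attribute as HTTP/1.1; the Http11*
    # class names cover connectors configured with a full protocol class.
    proto = connector.get("protocol", "HTTP/1.1")
    return proto.startswith("HTTP/") or "Http11" in proto

def audit_connectors(server_xml, minimum=RECOMMENDED_HEADER_SIZE):
    """Return [(port, configured_size, ok)] for each HTTP connector."""
    root = ET.fromstring(server_xml)
    results = []
    for connector in root.iter("Connector"):
        if not is_http_connector(connector):
            continue
        size = int(connector.get("maxHttpHeaderSize", TOMCAT_DEFAULT_HEADER_SIZE))
        results.append((connector.get("port"), size, size >= minimum))
    return results

def patch_server_xml(server_xml, size=RECOMMENDED_HEADER_SIZE):
    """Return server.xml text with every HTTP connector raised to at least `size`."""
    root = ET.fromstring(server_xml)
    for connector in root.iter("Connector"):
        if not is_http_connector(connector):
            continue
        current = int(connector.get("maxHttpHeaderSize", TOMCAT_DEFAULT_HEADER_SIZE))
        if current < size:
            connector.set("maxHttpHeaderSize", str(size))
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    for port, size, ok in audit_connectors(SAMPLE_SERVER_XML):
        status = "ok" if ok else "TOO SMALL: large Kerberos tokens will get HTTP 400"
        print(f"connector port {port}: maxHttpHeaderSize={size} -> {status}")
    print(patch_server_xml(SAMPLE_SERVER_XML))
```

Running the script on a real conf/server.xml (read the file into a string in place of SAMPLE_SERVER_XML) lists every HTTP connector that would still reject an oversized Negotiate header; AJP connectors are skipped because the limit applies to the HTTP connector in front of the product.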
● SSO Plugin, Active Directory integration and load balancers
posted by John B on 7th July 2012
When using a load balancer / F5 / VIP with a group of web servers, there are extra steps to configure Kerberos through the load balancer hostname.
Kerberos relies on a service principal name (SPN) being present in the Active Directory, mapping a hostname to a service account. Setting up SPNs has been documented above but the golden rule is as follows: An SPN for a hostname can only exist once; if it exists more than once, it is ignored.
In a situation where there are multiple web servers, each with a service account, it is impossible to set up an SPN for a load balancer hostname against each service account. Assuming JSS-SSO-P1 and JSS-SSO-P2 are two computer service accounts configured on two web servers, the following is invalid:
setspn -A HTTP/lbhostname.mydomain.com JSS-SSO-P1
setspn -A HTTP/lbhostname.mydomain.com JSS-SSO-P2
The solution is to create a separate service account for Kerberos only, and configure Kerberos independently of NTLM on each web server.
The Kerberos account can be a normal user account and assuming it is called JSS-SSO-KERB, the Active Directory administrator can enable Kerberos as follows:
setspn -A HTTP/lbhostname.mydomain.com JSS-SSO-KERB
setspn -A HTTP/lbhostname JSS-SSO-KERB
Please note, both the short hostname and the fully qualified hostname are set up to ensure that it works whether a user types "http://lbhostname" or "http://lbhostname.mydomain.com" into a browser.
To re-configure each web server, select built-in Kerberos/NTLM, leave the NTLM set up as is (i.e. JSS-SSO-P1 on one web server, and JSS-SSO-P2 on the other) and configure both with the JSS-SSO-KERB service account in the Kerberos setup.
The individual computer accounts can also be configured with an SPN for the individual Java web server hosts. Assuming the two individual Java web server hosts are called itsm1 and itsm2, the SPNs would be set up as follows:
setspn -A HTTP/itsm1.mydomain.com JSS-SSO-P1
setspn -A HTTP/itsm2.mydomain.com JSS-SSO-P2
HTTPS URLs
When setting up an SPN for the URL https://lbhostname.mydomain.com, the syntax for setspn is still HTTP/lbhostname.mydomain.com, i.e. the HTTP/ part of the setspn command does not change.
Example configuration
If you have two Java web servers behind a load balancer:
1. Create two computer accounts, JSS-SSO-P1 and JSS-SSO-P2.
2. Create a third user account, JSS-SSO-PK, and set the load balancer hostname as an SPN against this account.
3. Go to the SSO Plugin configuration page on the first Java web server and configure built-in Kerberos/NTLM custom settings.
4. Check Permit Kerberos, set the client type to acceptor and enter the JSS-SSO-PK account details.
5. Check Permit NTLM and enter the JSS-SSO-P1 account details.
6. Go to the SSO Plugin configuration page on the second Java web server and configure built-in Kerberos/NTLM custom settings.
7. Repeat step 4, then repeat step 5 but use the JSS-SSO-P2 account.
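The SPN rules above (one SPN per hostname across the directory, a separate Kerberos-only account for the load balancer name registered in both short and fully qualified form, and the HTTP/ service class even for https:// URLs) are easy to get wrong when several people administer the domain. The following Python script is an added example, not JSS's code and not part of the post: it models setspn registrations as (SPN, account) pairs, flags the invalid duplicate setup, derives the registrations the load-balanced layout needs, and maps a URL to its SPN. The registration data is constructed for the example; in a real domain the pairs would come from the directory (setspn -X reports duplicate SPNs directly).

```python
# Added example (not JSS code): check setspn registrations against the rule
# "an SPN for a hostname can only exist once; if it exists more than once, it
# is ignored", and plan the registrations for web servers behind a load balancer.
from collections import defaultdict
from urllib.parse import urlsplit

def spn_for_url(url):
    """SPN for a web URL. The service class is always HTTP/, even for https://."""
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError(f"no hostname in {url!r}")
    return f"HTTP/{host}"

def find_duplicate_spns(registrations):
    """registrations: iterable of (spn, account). Returns {spn: [accounts]} for
    every SPN registered against more than one account; Kerberos ignores these,
    so SSO silently falls back (or fails) for that hostname."""
    by_spn = defaultdict(list)
    for spn, account in registrations:
        by_spn[spn.lower()].append(account)   # SPNs compare case-insensitively
    return {spn: accts for spn, accts in by_spn.items() if len(set(accts)) > 1}

def plan_registrations(lb_host, kerberos_account, web_servers):
    """web_servers: {server_fqdn: computer_account}. Returns the (spn, account)
    pairs the post describes: the load balancer name (FQDN and short form) on
    the Kerberos-only account, each server's own FQDN on its own computer account."""
    plan = [(f"HTTP/{lb_host}", kerberos_account),
            (f"HTTP/{lb_host.split('.')[0]}", kerberos_account)]
    plan += [(f"HTTP/{host}", account) for host, account in web_servers.items()]
    return plan

def setspn_commands(registrations):
    """Render registrations as the setspn -A commands an AD administrator runs."""
    return [f"setspn -A {spn} {account}" for spn, account in registrations]

# Constructed input: the invalid setup from the post, with the load balancer
# SPN registered against both computer accounts.
INVALID = [("HTTP/lbhostname.mydomain.com", "JSS-SSO-P1"),
           ("HTTP/lbhostname.mydomain.com", "JSS-SSO-P2")]

if __name__ == "__main__":
    print("duplicates in the invalid setup:", find_duplicate_spns(INVALID))
    plan = plan_registrations("lbhostname.mydomain.com", "JSS-SSO-KERB",
                              {"itsm1.mydomain.com": "JSS-SSO-P1",
                               "itsm2.mydomain.com": "JSS-SSO-P2"})
    print("duplicates in the planned setup:", find_duplicate_spns(plan))
    for cmd in setspn_commands(plan):
        print(cmd)
    print("SPN for https URL:", spn_for_url("https://lbhostname.mydomain.com/arsys"))
```

The planned output reproduces the four setspn commands from the post (two for the load balancer name on JSS-SSO-KERB, one per web server on its own computer account) and reports no duplicates, whereas the INVALID list reports HTTP/lbhostname.mydomain.com against both computer accounts, which is exactly the configuration Kerberos would ignore.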
● SSO Plugin for Kinetic Calendar
posted by John B on 20th June 2012
Kinetic Calendar, the popular calendar tool for BMC AR System, can now be integrated with SSO Plugin (3.5.13).