News & comment tagged ‘blog’
● The risks of an IIS front end
posted by John B on 5th November 2011
Why are organisations using a Microsoft IIS front end to Tomcat?
The standard BMC Mid Tier deployment has encouraged the use of Microsoft IIS as a front end to Apache Tomcat. For the majority of people, this adds no value to the deployment because IIS is doing nothing more than passing requests to Tomcat.
The illusion of SSO
IIS can perform Integrated Windows Authentication and force browsers to authenticate, providing a solution that has the appearance of SSO. Sadly, it's not quite that simple, because it leaves open the prospect of a third party (i.e. an attacker) connecting directly to Tomcat and passing any random username.
The problem with this approach is that the SSO tokens sent by the browser are not being authenticated in the Java web server.
It has come to our attention that some BMC resellers - including one BMC Elite Partner - are misleading customers into believing this is a good solution as their primary aim is to sell consulting days instead of a quality solution.
SSO without IIS
Whilst SSO Plugin supports an IIS front end, we actively encourage the use of the SSO Plugin built-in Active Directory integration. This integration will bind SSO Plugin directly to the Active Directory so the SSO tokens sent by the browser can be validated with the AD, bringing the security into the Java web server.
The use of built-in Active Directory integration also removes the need for IIS, and hence simplifies the solution.
With fewer components to go wrong, and a more secure solution, why would you want to deploy SSO for Windows in any other way?
How to switch from IIS to built-in Active Directory authentication
Switching is not a difficult task, but there is a prerequisite. Each SSO Plugin installation requires a computer service account in the Active Directory, as per Microsoft design, so that it can process the SSO tokens sent by browsers.
There are two ways of obtaining an account:
A script called set-service-account.cmd is provided in the SSO Plugin installation set, which will create the account in a user-friendly fashion. This has to be run by the Active Directory administrator.
For those who do not want to run the script, manual steps are provided in the configuring Mid Tier and Web Tier installation guide.
Once an account has been obtained, simply go to the SSO Plugin setup page and follow these instructions:
1. Select the built-in Active Directory authentication type.
2. Enter the fully qualified hostname of an Active Directory, and not a load balancer hostname - multiple ADs can be provided via a comma-separated list.
3. Enter the fully qualified Windows DNS domain name. This can be discovered by opening a command prompt and typing net config workstation.
4. Enter the computer service account name and password.
5. Press set configuration and test the solution.
If there are any questions or concerns, contact the JSS support team.
Please note: The instructions detailed above are at a very high level and are no substitute for reviewing the extremely thorough documentation provided with SSO Plugin.
● Overlays, the Marmite of the AR System.
posted by Danny Kellett on 16th October 2011
So you either love them or hate them. They are here to stay so it is important to understand them. Here are some helpful notes from JSS to the community.
What are overlays?
Quote from Doug Mueller (doug_mueller@bmc.com):
“The goal of the feature is to allow you to isolate out-of-the-box application definitions from your enhancements/customizations. The result of this is better understanding of the application changes and extensions made and the ability to dramatically improve the upgrade, and subsequent recustomize, operation.”
So BMC have all their out-of-the-box (OOTB) definitions loaded into the Base Development mode. Then, as a customer, you create your definitions in the Best Practice Customization layer. In theory this prevents the issue where both you and BMC use the same workflow object name and one overwrites the other.
So technically, here are some bullet points you should be aware of:
• Overlays are copies of AR Server objects with a special relationship to their original objects.
• Overlays look like normal objects with a special suffix in their name: “__o”.
• Overlaid objects are used in place of the original object at runtime by the server and clients.
• Developer Studio works on the overlay in “Best Practice Customization” mode.
Extract from BMC Remedy Action Request 7.6.04 Application Development and Developer Studio guide: BMC recommends that you do not create or modify objects in Base Development mode. If you do, your changes can be lost when AR System applications and servers are upgraded. However, you must use Base Development mode to modify origin objects.
Customization Type explanations
Unmodified Objects
These are objects that exist in the base development mode. E.g. (BMC OOTB)
Overlay Objects
This is an overlay of an existing object in the Base Development mode.
Custom Objects
These are objects created in the Best Practice mode e.g. customer objects. These do not exist in the Base Development mode (OOTB BMC)
Best Practice Customization Mode (BPC)
• This is the default mode of the Dev Studio
• OOTB objects are read only. If you want to modify you have to create an overlay.
• New objects created in this mode are listed as “Custom” objects in Dev Studio
• Objects that are stored as data e.g. Templates, Skins, Flashboards, DSO etc can be modified in BPC mode.
• Deployable applications cannot be created or edited in BPC mode.
But it’s still read only!
If you open a BMC object form in Developer Studio in BPC mode, you will notice there isn’t much you can do. This is Developer Studio’s way of creating a quality gate. To modify the form you have to create an overlay: right click on the form name and click Create Overlay.
This will change the Customisation Type to Overlay and put a small blue square in the icon of the list. But you still cannot modify the view until you create an overlay of the view.
Modification Order
Base Development Form (OOTB ITSM form)
- Default (Best Practice Mode) = Everything Read Only
- Overlay View (Menu > Form > Create View Overlay)
  • Icon changes on the view tab
  • Everything in that view becomes read/write
  • Able to add / delete fields
7.7 Enhancement
Obviously this can become quite confusing. In version 7.7, BMC have removed some of these steps so that overlays can be created automatically.
● AR System Server Groups: Where are my operations running?
posted by Danny Kellett on 16th October 2011
Server groups were introduced to allow AR Servers to scale linearly. This enables customers to install more than one AR Server pointing to the same database. In doing so you can configure which AR Server is hosting certain processes and functions and, in the event of failure, which AR Server would inherit those roles for service continuity.
Currently, there are 14 services that can be distributed among the AR Servers. The configuration form for showing this control is an administrator only access form called AR System Server Group Operation Ranking.
While all AR Servers are functioning, you can use this form to see which operations are being served by which server. But when one is not, how do you tell in real time? There are two ways.
The first way is to use the database client.
How you connect depends on which database you have, but for this example the SQL is the same:
SELECT servername, opflags FROM servgrp_board
An example of the results is as follows:
ServerA 1;1;1;1;1;1;1;1;1;1;1;1;1;1
ServerB 0;0;0;0;0;0;0;0;0;0;0;0;0;0
The opflags column shows a semicolon-separated list of 1s and 0s, each representing an operation. In the above example, all operations are currently running on ServerA.
The mapping of opflags to operations, reading from left to right, is:
Administration
Approval Server
Archive
Assignment Engine
Atrium Integration Engine
Business Rules Engine
CMDB
DSO
E-Mail Engine
Escalation
Flashboards
Full Text Engine
Reconciliation Engine
SLM Collector
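The query and the opflags decoding above, as an added example that is not part of the original post: a constructed stand-in for the servgrp_board table is loaded into in-memory SQLite (the real table has more columns; only servername and opflags are assumed here), the post's SELECT is run against it, and each flag is mapped to its operation so that operations with no owner, or with more than one, stand out during a failover.

```python
import sqlite3

# Operations in the order the opflags positions appear, left to right (from the post).
OPERATIONS = [
    "Administration", "Approval Server", "Archive", "Assignment Engine",
    "Atrium Integration Engine", "Business Rules Engine", "CMDB", "DSO",
    "E-Mail Engine", "Escalation", "Flashboards", "Full Text Engine",
    "Reconciliation Engine", "SLM Collector",
]

# Constructed sample rows (assumed two-column schema, not the real table layout).
# ServerB has taken over Escalation and Flashboards; nobody owns the E-Mail Engine.
SAMPLE_ROWS = [
    ("ServerA", "1;1;1;1;1;1;1;1;0;0;0;1;1;1"),
    ("ServerB", "0;0;0;0;0;0;0;0;0;1;1;0;0;0"),
]

def parse_opflags(opflags):
    """Turn '1;0;...' into the set of operation names flagged as running."""
    flags = opflags.strip().split(";")
    if len(flags) != len(OPERATIONS):
        raise ValueError(f"expected {len(OPERATIONS)} flags, got {len(flags)}: {opflags!r}")
    return {op for op, flag in zip(OPERATIONS, flags) if flag == "1"}

def query_board(conn):
    """Run the post's query and return {servername: set of running operations}."""
    rows = conn.execute("SELECT servername, opflags FROM servgrp_board").fetchall()
    return {name: parse_opflags(flags) for name, flags in rows}

def report(board):
    """Map each operation to its owner(s); list unowned and doubly-owned operations."""
    owners = {op: sorted(s for s, ops in board.items() if op in ops) for op in OPERATIONS}
    unowned = [op for op, s in owners.items() if not s]
    duplicated = [op for op, s in owners.items() if len(s) > 1]
    return {"owners": owners, "unowned": unowned, "duplicated": duplicated}

def load_sample():
    """Build the in-memory stand-in table and populate it with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE servgrp_board (servername TEXT, opflags TEXT)")
    conn.executemany("INSERT INTO servgrp_board VALUES (?, ?)", SAMPLE_ROWS)
    return conn

if __name__ == "__main__":
    result = report(query_board(load_sample()))
    for op, servers in result["owners"].items():
        print(f"{op:28} {', '.join(servers) or '<none>'}")
    print("unowned:", result["unowned"], "duplicated:", result["duplicated"])
```

Against a live database, replace load_sample() with your own DB-API connection; the query and the decoding stay the same.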
The second, JSS-favoured way to find out which AR Server is running the Administration operation is to use the BMC driver program.
Here are the instructions:
On Windows, double click driver.exe found in the AR Server installation directory
Type init then Enter
Type log then Enter
Press Enter for the Authentication String
Type your Administrator username and Enter
Type your Administrator password and Enter
Press Enter for the Locale.charset
Press Enter for the Time Zone
Type your AR Server name as you would for the Windows User Tool, Developer Studio or Import Tool and Enter
If you are running on a TCP port then follow this next step, otherwise skip to gsi
Type ssp and Enter
Type the TCP port number of the AR Server then Enter
Press Enter for the Using Private Socket
Type gsi then Enter
Type 1 and Enter
Type 203 and Enter
In my example here at JSS, this was the result for me:
ARGetServerInfo results
ReturnCode: OK
Server Info List : 1 items
Server Info Struct: SERVER GROUP ADMIN SERVER NAME
Value: (char) arsystem7604sp2a
Status List : 0 items