Configuring Tomcat for SSO

To use a typical Deployment Automation installation with SBM, you must update configuration files to enable Serena Common Tomcat to find and use the correct SBM SSO installation.

Before you can use SSO with Deployment Automation, you must have SBM installed and SSO must be enabled. You must have the Deployment Automation server installed on the same machine as the Serena Common Tomcat.

  1. On the Deployment Automation server, stop the Serena Common Tomcat service.
  2. Navigate to the application server conf directory. For example: ..\Serena\..\common\tomcat\8.0\alfssogatekeeper\conf
  3. In gatekeeper-core-config.xml, change the following parameters as necessary to replace the host and port values. Replace the placeholder variables shown here and in the default file as $HTTP_OR_HTTPS, $HOSTNAME and $PORT, with either HTTP or HTTPS, and the host name and port for your SBM SSO server. The default HTTP port number for the SBM SSO server is 8085, and the default HTTPS port number for the SBM SSO server is 8243.
    • <parameter name="SecurityTokenService" Type="xsd:anyURI">$HTTP_OR_HTTPS://$HOSTNAME:$PORT/TokenService/services/Trust<parameter>
    • <parameter name="SecurityTokenServiceExternal" Type="xsd:anyURI">$HTTP_OR_HTTPS://$HOSTNAME:$PORT/TokenService/services/Trust</parameter>
    • <parameter name="FederationServerURL" Type="xsd:anyURI">$HTTP_OR_HTTPS://$HOSTNAME:$PORT/ALFSSOLogin/login</parameter>

    For example:

    <parameter name="SecurityTokenService" Type="xsd:anyURI">
    HTTPS://myserver:8243/TokenService/services/
    Trust<parameter>             
     
    <parameter name="SecurityTokenServiceExternal" Type="xsd:anyURI">
    HTTPS://myserver:8243/TokenService/services/
    Trust</parameter>
                  
    <parameter name="FederationServerURL" Type="xsd:anyURI">
    HTTPS://myserver:8243/ALFSSOLogin/login
    </parameter>
                        
    CAUTION:
    For the gatekeeper core configuration, you use the SBM SSO HTTP or HTTPS port number. Be careful not to confuse this with the port numbers for Deployment Automation, which are by default 8080 and 8443 for HTTP and HTTPS respectively.
  4. Navigate to your program installation directory. For example: ..\Users\username\.serena\ra\conf\server
  5. Modify the serena_ra_config.xml to set the ssoEnabled property to true as follows:
    <ssoConfig>
        <ssoEnabled>true</ssoEnabled>
    </ssoConfig>                    
  6. On the Deployment Automation server, start the Serena Common Tomcat service.
  7. Verify the configuration by invoking the Deployment Automation user interface through your implementation's URL, such as http://sdaserver:8080/serena_ra. If when attempting to sign on, you receive the following error, you will need to update your SSO STS certificates.

    ALF SSO Gatekeeper error has occurred: Error obtaining security token.

    Detail

    Validation of WS-Federation token failed with code 40:Token issuer not allowed.

    See the Serena Knowledgebase item S140637 for more information.

Upgrading Tomcat

If you upgrade Deployment Automation from a version that uses Tomcat 7 to one that uses Tomcat 8, you must perform the steps in Configuring Tomcat for SSO again, including setting the parameters in the gatekeeper-core-config.xml file.

Set these parameters by copying over the corresponding strings from the old gatekeeper-core-config.xml file. Copying and replacing the entire file from the old Tomcat installation does not work.