Configuring Common Tomcat for SSO

To use a typical Deployment Automation installation with SBM, you must update configuration files to enable Common Tomcat to find and use the correct SBM SSO installation.

Before you can use SSO with Deployment Automation, you must have SBM installed and SSO must be enabled. You must have the Deployment Automation server installed on the same machine as the Common Tomcat.

  1. On the Deployment Automation server, stop the Common Tomcat service.
  2. Navigate to the Common Tomcat conf directory. For example:

    C:\Program Files\Micro Focus\common\tomcat\8.0\alfssogatekeeper\conf

  3. In gatekeeper-core-config.xml, update the following parameters with the values for your SBM SSO server. Replace the placeholder variables $HTTP_OR_HTTPS, $HOSTNAME and $PORT, shown here and in the default file, with either HTTP or HTTPS and the host name and port of your SBM SSO server. The default HTTP port number for the SBM SSO server is 8085, and the default HTTPS port number for the SBM SSO server is 8243.
    • <parameter name="SecurityTokenService" Type="xsd:anyURI">$HTTP_OR_HTTPS://$HOSTNAME:$PORT/TokenService/services/Trust</parameter>
    • <parameter name="SecurityTokenServiceExternal" Type="xsd:anyURI">$HTTP_OR_HTTPS://$HOSTNAME:$PORT/TokenService/services/Trust</parameter>
    • <parameter name="FederationServerURL" Type="xsd:anyURI">$HTTP_OR_HTTPS://$HOSTNAME:$PORT/ALFSSOLogin/login</parameter>

    For example:

    <parameter name="SecurityTokenService" Type="xsd:anyURI">HTTPS://myserver:8243/TokenService/services/Trust</parameter>

    <parameter name="SecurityTokenServiceExternal" Type="xsd:anyURI">HTTPS://myserver:8243/TokenService/services/Trust</parameter>

    <parameter name="FederationServerURL" Type="xsd:anyURI">HTTPS://myserver:8243/ALFSSOLogin/login</parameter>

    CAUTION:
    For the gatekeeper core configuration, you use the SBM SSO HTTP or HTTPS port number. Be careful not to confuse this with the port numbers for Deployment Automation, which are by default 8080 and 8443 for HTTP and HTTPS respectively.
  4. Navigate to your program installation directory. For example: ..\Users\username\.microfocus\da\conf\server
  5. Modify the da_config.xml to set the ssoEnabled property to true as follows:
    <ssoConfig>
        <ssoEnabled>true</ssoEnabled>
    </ssoConfig>                    
  6. On the Deployment Automation server, start the Common Tomcat service.
  7. Verify the configuration by opening the Deployment Automation user interface through your implementation's URL, such as http://sdaserver:8080/da. If you receive the following error when attempting to sign on, you must update your SSO STS certificates.

    ALF SSO Gatekeeper error has occurred: Error obtaining security token.

    Detail

    Validation of WS-Federation token failed with code 40:Token issuer not allowed.

    See Knowledgebase item S140637 for more information.
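
A pre-start check for the edits made in step 3, as an added example that is not part of the product or its documentation: it parses gatekeeper-core-config.xml content and reports leftover placeholders, malformed XML, and ports that belong to Deployment Automation instead of SBM SSO. The function names, the `<config>` root element in the sample, and the assumption that the parameters can sit at any depth in the file are illustrative.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

REQUIRED = ("SecurityTokenService", "SecurityTokenServiceExternal",
            "FederationServerURL")
DA_PORTS = {8080, 8443}                       # Deployment Automation defaults (CAUTION in step 3)
SSO_DEFAULTS = {"http": 8085, "https": 8243}  # SBM SSO defaults (step 3)

def check_gatekeeper_config(xml_text):
    """Return a list of problems found in the three SSO URL parameters."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:              # e.g. a closing tag typed as <parameter>
        return [f"not well-formed XML: {exc}"]
    # Assumption: the parameters may sit at any depth, with or without a namespace.
    found = {el.get("name"): (el.text or "").strip() for el in root.iter()
             if el.tag.rsplit("}", 1)[-1] == "parameter"}
    problems = []
    for name in REQUIRED:
        url = found.get(name)
        if url is None:
            problems.append(f"{name}: parameter missing")
        elif "$" in url:
            problems.append(f"{name}: placeholder not replaced")
        else:
            problems.extend(f"{name}: {msg}" for msg in check_url(url))
    return problems

def check_url(url):
    """Check one URL value against the port guidance in step 3."""
    parts = urlsplit(url)                     # urlsplit lowercases the scheme
    if parts.scheme not in SSO_DEFAULTS or not parts.hostname:
        return ["not an http(s) URL with a host name"]
    try:
        port = parts.port
    except ValueError:
        return ["port is not a valid number"]
    if port in DA_PORTS:
        return [f"port {port} is a Deployment Automation default, not SBM SSO"]
    other = "http" if parts.scheme == "https" else "https"
    if port == SSO_DEFAULTS[other]:
        return [f"{parts.scheme} used with the default {other} port {port}"]
    return []

# Constructed sample; the <config> root element is a placeholder.
SAMPLE = """<config>
  <parameter name="SecurityTokenService" Type="xsd:anyURI">HTTPS://myserver:8243/TokenService/services/Trust</parameter>
  <parameter name="SecurityTokenServiceExternal" Type="xsd:anyURI">$HTTP_OR_HTTPS://$HOSTNAME:$PORT/TokenService/services/Trust</parameter>
  <parameter name="FederationServerURL" Type="xsd:anyURI">HTTPS://myserver:8443/ALFSSOLogin/login</parameter>
</config>"""
```

Run it against the file's contents before starting the Common Tomcat service in step 6; an empty list means the three parameters passed these checks.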

Upgrading Common Tomcat

If you upgrade Deployment Automation from a version that uses Common Tomcat 7.0 to one that uses Common Tomcat 8.0, you must perform the steps in Configuring Common Tomcat for SSO again, including setting the parameters in the gatekeeper-core-config.xml file.

Set these parameters by copying over the corresponding strings from the old gatekeeper-core-config.xml file. Copying and replacing the entire file from the old Common Tomcat installation does not work.