Configuring Common Tomcat for SSO

To use a typical Deployment Automation installation with SBM, you must update configuration files so that Common Tomcat can find and use the correct SBM SSO installation.

Before you can use SSO with Deployment Automation, SBM must be installed with SSO enabled, and the Deployment Automation server must be installed on the same machine as Common Tomcat.

  1. On the Deployment Automation server, stop the Common Tomcat service.
  2. Navigate to the ALF SSO gatekeeper conf directory under Common Tomcat. For example:

    C:\Program Files\Micro Focus\common\tomcat\8.5\alfssogatekeeper\conf

  3. In gatekeeper-core-config.xml, set the following three parameters. Replace the placeholders, shown here and in the default file as $HTTP_OR_HTTPS, $HOSTNAME and $PORT, with HTTP or HTTPS and with the host name and port of your SBM SSO server. The default HTTP port of the SBM SSO server is 8085; the default HTTPS port is 8243.
    • <parameter name="SecurityTokenService" Type="xsd:anyURI">$HTTP_OR_HTTPS://$HOSTNAME:$PORT/idp/services/Trust</parameter>
    • <parameter name="SecurityTokenServiceExternal" Type="xsd:anyURI">$HTTP_OR_HTTPS://$HOSTNAME:$PORT/idp/services/Trust</parameter>
    • <parameter name="FederationServerURL" Type="xsd:anyURI">$HTTP_OR_HTTPS://$HOSTNAME:$PORT/idp/login</parameter>

    For example:

    <parameter name="SecurityTokenService" Type="xsd:anyURI">HTTPS://myserver:8243/idp/services/Trust</parameter>

    <parameter name="SecurityTokenServiceExternal" Type="xsd:anyURI">HTTPS://myserver:8243/idp/services/Trust</parameter>

    <parameter name="FederationServerURL" Type="xsd:anyURI">HTTPS://myserver:8243/idp/login</parameter>

    CAUTION:
    For the gatekeeper core configuration, use the SBM SSO HTTP or HTTPS port number. Do not confuse it with the Deployment Automation ports, which default to 8080 for HTTP and 8443 for HTTPS.
  4. Navigate to your Deployment Automation server profile directory. For example:

    C:\Users\username\.microfocus\da\conf\server

    or

    /opt/MicroFocus/da/username/.microfocus/da/conf/server

  5. In da_config.xml, set the ssoEnabled property to true:
    <ssoConfig>
        <ssoEnabled>true</ssoEnabled>
    </ssoConfig>                    
  6. On the Deployment Automation server, start the Common Tomcat service.
  7. Verify the configuration by opening the Deployment Automation user interface at your implementation's URL, such as http://sdaserver:8080/da. If you receive the following error when attempting to sign on, you must update your SSO STS certificates.

    ALF SSO Gatekeeper error has occurred: Error obtaining security token.

    Detail

    Validation of WS-Federation token failed with code 40:Token issuer not allowed.

    See Knowledgebase item S140637 for more information.

    Note: If you have enabled SSO, you must add the DA host name to the list of SSO protected hosts before you can log in to DA. Launch SBM Configurator, open the Authentication tab, and on the SSO Protected Hosts tab add the DA host name.

Reconfiguring for SSO After Upgrades

If you have configured Single Sign-On (SSO) with one version of Common Tomcat and have upgraded Deployment Automation to a version that uses a different version of Common Tomcat, you must configure Common Tomcat for SSO again, including setting the parameters in the gatekeeper-core-config.xml file. Otherwise, the SSO login will fail.

You must set these parameters by copying the corresponding strings from the earlier version of the gatekeeper-core-config.xml file. Copying the entire file from the earlier Common Tomcat installation over the new one does not work.
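The following script is an added example, not code from the Micro Focus documentation or from the Deployment Automation product. It applies the edits from the configuration procedure above to the two XML files in memory (pointing the three SBM SSO parameters of gatekeeper-core-config.xml at one SSO base URL, and setting ssoEnabled in da_config.xml), and it also covers the post-upgrade case by carrying only those three parameter strings from an old gatekeeper file into the structure of the new one. The XML fragments are constructed samples; the root element names, the placement of <ssoConfig> directly under the root of da_config.xml, and the function names are assumptions. The port check implements the CAUTION: it flags the Deployment Automation defaults 8080 and 8443 where the SBM SSO port belongs.

```python
"""Added example (not Micro Focus code): apply the SSO edits described above to
gatekeeper-core-config.xml and da_config.xml, and carry the three SSO parameter
strings forward after a Common Tomcat upgrade. Root element names and the
placement of <ssoConfig> under the root are assumptions; sample XML is constructed.
"""
import xml.etree.ElementTree as ET

# The three parameters the procedure changes, with the SBM SSO path each must end in.
SSO_PARAMETERS = {
    "SecurityTokenService": "/idp/services/Trust",
    "SecurityTokenServiceExternal": "/idp/services/Trust",
    "FederationServerURL": "/idp/login",
}
SBM_SSO_DEFAULT_PORTS = {"http": 8085, "https": 8243}
DA_DEFAULT_PORTS = {8080, 8443}  # Deployment Automation's own HTTP/HTTPS ports

# Constructed sample files (real ones carry many more elements).
GATEKEEPER_TEMPLATE = """<configuration>
  <parameter name="SecurityTokenService" Type="xsd:anyURI">$HTTP_OR_HTTPS://$HOSTNAME:$PORT/idp/services/Trust</parameter>
  <parameter name="SecurityTokenServiceExternal" Type="xsd:anyURI">$HTTP_OR_HTTPS://$HOSTNAME:$PORT/idp/services/Trust</parameter>
  <parameter name="FederationServerURL" Type="xsd:anyURI">$HTTP_OR_HTTPS://$HOSTNAME:$PORT/idp/login</parameter>
  <parameter name="UnrelatedSetting" Type="xsd:string">keep me</parameter>
</configuration>"""
DA_CONFIG_SAMPLE = """<config>
  <ssoConfig>
    <ssoEnabled>false</ssoEnabled>
  </ssoConfig>
</config>"""


def sso_base_url(scheme, hostname, port):
    """Build $HTTP_OR_HTTPS://$HOSTNAME:$PORT for the SBM SSO server."""
    if scheme.lower() not in SBM_SSO_DEFAULT_PORTS:
        raise ValueError("scheme must be HTTP or HTTPS, got %r" % scheme)
    port = int(port)
    if not hostname or not 0 < port < 65536:
        raise ValueError("a host name and a valid port are required")
    return "%s://%s:%d" % (scheme, hostname, port)


def port_warning(port):
    """The mix-up the CAUTION describes: a DA port used where the SBM SSO port belongs."""
    if int(port) in DA_DEFAULT_PORTS:
        return ("port %d is a Deployment Automation default; the SBM SSO defaults "
                "are 8085 (HTTP) and 8243 (HTTPS)" % int(port))
    return None


def set_sso_parameters(gatekeeper_xml, base_url):
    """Rewrite the three SSO parameters; fail if the file lacks any of them."""
    root = ET.fromstring(gatekeeper_xml)
    seen = set()
    for param in root.iter("parameter"):
        name = param.get("name")
        if name in SSO_PARAMETERS:
            param.text = base_url + SSO_PARAMETERS[name]
            seen.add(name)
    missing = sorted(set(SSO_PARAMETERS) - seen)
    if missing:
        raise ValueError("parameters not found in gatekeeper config: %s" % missing)
    return ET.tostring(root, encoding="unicode")


def sso_parameter_values(gatekeeper_xml):
    """Read the three SSO parameter values, e.g. from the pre-upgrade file."""
    root = ET.fromstring(gatekeeper_xml)
    return {p.get("name"): (p.text or "").strip()
            for p in root.iter("parameter") if p.get("name") in SSO_PARAMETERS}


def carry_forward(old_gatekeeper_xml, new_gatekeeper_xml):
    """Post-upgrade: copy only the three parameter strings into the new file's
    own structure; replacing the whole new file with the old one does not work."""
    old_values = sso_parameter_values(old_gatekeeper_xml)
    root = ET.fromstring(new_gatekeeper_xml)
    for param in root.iter("parameter"):
        if param.get("name") in old_values:
            param.text = old_values[param.get("name")]
    return ET.tostring(root, encoding="unicode")


def enable_sso(da_config_xml):
    """Set <ssoConfig><ssoEnabled>true</ssoEnabled></ssoConfig>, creating the
    elements under the root if absent (that placement is an assumption)."""
    root = ET.fromstring(da_config_xml)
    sso = root.find("ssoConfig")
    if sso is None:
        sso = ET.SubElement(root, "ssoConfig")
    enabled = sso.find("ssoEnabled")
    if enabled is None:
        enabled = ET.SubElement(sso, "ssoEnabled")
    enabled.text = "true"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    base = sso_base_url("HTTPS", "myserver", 8243)
    print(set_sso_parameters(GATEKEEPER_TEMPLATE, base))
    print(enable_sso(DA_CONFIG_SAMPLE))
    print(port_warning(8443))  # the CAUTION case: DA's HTTPS port, not SBM SSO's
```

To use it against real files, read gatekeeper-core-config.xml and da_config.xml from the directories named in steps 2 and 4, pass their contents to set_sso_parameters and enable_sso, and write the results back while the Common Tomcat service is stopped. For the post-upgrade case, pass the old installation's gatekeeper file as the first argument of carry_forward and the new installation's file as the second, so the new file's structure is preserved and only the three strings are copied.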