BSM Connector can use lightweight single sign-on (LW-SSO) for the user authentication strategy, which allows the BSM Connector users to be managed in the same way as the OMi users and groups. LW-SSO is the recommended strategy for OMi. The BSM Connector installation program enables LW-SSO authentication by default.
You can configure LW-SSO authentication either when you configure BSM Connector using the bsmc-conf command, or later using the lwsso-conf command. For details on how to use bsmc-conf, see the BSM Connector Installation and Upgrade Guide.
This section describes how to configure LW-SSO authentication for an existing BSM Connector installation using lwsso-conf:
Prerequisite: Obtain the following information from OMi:
OMi domain name. You need to know the domain name of the OMi gateway server to which BSM Connector sends data (for example, example.com).
If the OMi gateway servers and the BSM Connector run in different subdomains, for example, deu.example.com and ind.example.com, specify only the name of the parent domain, which is example.com in this example.
BSM Connector and the OMi gateway server to which it is reporting must run in the same top-level domain.
LW-SSO token key. Obtain the token key defined in OMi as follows:
In the OMi user interface, navigate to the Users and Permissions manager:
Administration > Users > Authentication Management
In the Single Sign-On Configuration group, view the value of the Token Creation Key (initString) setting.
Record the value so it will be available to you later in this procedure.
Click Configure to open the Authentication Wizard.
Click Single Sign-On to view the Single Sign-On panel, and select Lightweight for the Single Sign-On Authentication mode.
Generate the Token Creation Key (initString). Record the value so it will be available to you later in this procedure.
Define the domain or subdomains that are participating in the LW-SSO configuration:
BSM Connector groups and roles. Define the groups and roles that are allowed to log into the BSM Connector:
In the OMi user interface, navigate to the Infrastructure Settings manager:
Administration > Setup and Maintenance > Infrastructure Settings
Click Foundations and select Single Sign-On in the drop-down list.
Set Add user groups information to LW-SSO token to true.
The default group for BSM Connector is BSMC_ADMINS.
Set Add user roles information to LW-SSO token to true.
Use the lwsso-conf command to configure LW-SSO:
lwsso-conf.[bat|sh] -lwsso_key <lwssoKey> [-lwsso_domain <lwssoDomainName>] [-lwsso_groups <group0> [<group1> ...]]
where:
-lwsso_key <lwssoKey> is the token key (init string) generated in OMi.
Note: Single sign-on can only work if the token key that you type here is exactly the same as the token key on the OMi server.
-lwsso_domain <lwssoDomainName> specifies the domain of the associated OMi gateway server.
-lwsso_groups <group0> [<group1> ...] specifies the OMi groups and roles that will have access to BSM Connector. Separate individual groups with spaces (for example, -lwsso_groups BSMC_ADMINS SUPERUSER).
Restart ovc:
ovc -restart
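The following pre-flight helper is an added example, not part of the BSM Connector product or its documentation. It derives the -lwsso_domain value from the OMi gateway and BSM Connector host names according to the parent-domain rule above, checks the initString against the 12-character minimum given in the security notes below, and assembles the lwsso-conf argument list. The host names, group names and the placeholder key are constructed values; requiring at least two shared labels (rejecting names that share only the TLD) is this example's interpretation of the same-domain requirement.

```python
"""Pre-flight checks for lwsso-conf parameters (added example, not product code)."""

MIN_INITSTRING_LEN = 12  # minimum initString length stated in the LW-SSO caution


def lwsso_domain(gateway_fqdn: str, connector_fqdn: str) -> str:
    """Return the parent domain shared by both hosts, e.g. example.com for
    deu.example.com and ind.example.com.
    Assumption: a shared suffix of at least two labels is required; two hosts
    that share only the top-level label (e.g. only 'com') are rejected."""
    gw = gateway_fqdn.lower().rstrip(".").split(".")
    bc = connector_fqdn.lower().rstrip(".").split(".")
    shared: list[str] = []
    # Walk both names from the right, collecting the common trailing labels.
    for g, c in zip(reversed(gw), reversed(bc)):
        if g != c:
            break
        shared.append(g)
    if len(shared) < 2:
        raise ValueError(
            f"{gateway_fqdn} and {connector_fqdn} do not share a parent domain")
    return ".".join(reversed(shared))


def lwsso_conf_args(key: str, domain: str, groups: list[str]) -> list[str]:
    """Build the argument list for lwsso-conf.[bat|sh] after validating the
    inputs. Only the constraints the documentation states are enforced."""
    if len(key) < MIN_INITSTRING_LEN:
        raise ValueError("initString must be at least 12 characters")
    # Groups are passed space-separated, so a group name cannot contain a space.
    if any(not g or " " in g for g in groups):
        raise ValueError("group names must be non-empty and contain no spaces")
    args = ["-lwsso_key", key, "-lwsso_domain", domain]
    if groups:
        args += ["-lwsso_groups", *groups]
    return args


if __name__ == "__main__":
    # Constructed sample values; the key is a placeholder, not a real initString.
    domain = lwsso_domain("omi-gw.deu.example.com", "bsmc01.ind.example.com")
    args = lwsso_conf_args("REPLACE-WITH-OMI-KEY", domain, ["BSMC_ADMINS", "SUPERUSER"])
    print(" ".join(["lwsso-conf.sh", *args]))
```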
This section describes security warnings relevant to LW-SSO configuration. For more information about LW-SSO, see the Platform Administration Guide.
Confidential initString parameter in LW-SSO security.
LW-SSO uses symmetric encryption to validate an LW-SSO token. The initString parameter within the configuration is used for initialization of the secret key. An application creates a token, and each application that uses the same initString parameter validates the token.
Caution:
It is not possible to use LW-SSO without setting the initString parameter.
The initString parameter is confidential information and should be treated as such in terms of publishing, transporting, and persistency.
The initString should be shared only between applications integrating with each other using LW-SSO.
The minimum length of the initString is 12 characters.
LW-SSO should be disabled unless it is specifically required.
Symmetric encryption implication.
LW-SSO uses symmetric cryptography for issuing and validating LW-SSO tokens. Therefore, any application using LW-SSO can issue a token to be trusted by all other applications sharing the same initString. This potential risk is relevant when an application sharing the initString either resides or is accessible in an untrusted location.