Professional Documents
Culture Documents
July 2006
BMC, the BMC logo, all other BMC product or service names, BMC Software, the BMC Software logos, and
all other BMC Software product or service names, are registered trademarks or trademarks of BMC
Software, Inc. All other trademarks belong to their respective companies.
BMC Software, Inc., considers information included in this documentation to be proprietary and
confidential. Your use of this information is subject to the terms and conditions of the applicable end user
license agreement or nondisclosure agreement for the product and the proprietary and restricted rights
notices included in this documentation.
For license information about the OpenSource files used in the licensed program, please read
OpenSourceLicenses.pdf. This file is in the \Doc folder of the distribution CD-ROM and in the
documentation download portion of the product download page.
Contacting Us
If you need technical support for this product, contact Customer Support by email at
support@remedy.com. If you have comments or suggestions about this documentation, contact
Information Development by email at doc_feedback@bmc.com.
Introduction
Many forces in the marketplace today are leading companies to rethink how
they control access to applications within their environment. The traditional
prompt for user name and password is not meeting the needs of these
customers.
One key example is the mixed application environment. When users are
accessing a series of related applications, how do they move from application
to application without having to re-enter their user information for each
application? How can they seamlessly flow between applications in a secure
and safe way? Single sign-on technologies allow for this type of interaction.
Another example is improved security. Some customers are looking at a
more secure method for connecting. This might be using the secure card
technology or a biometric validation methodology. The goal is to require
additional data that is more personal and more difficult to duplicate. In these
cases and others, the key is to change the way that applications gather
credentials but to still allow access to the system with the same capabilities
and security as if the application had been started in the traditional way.
The focus of this white paper is to discuss the mechanisms within the BMC®
Remedy® Action Request System® (AR System) environment for addressing
these types of requirements. The discussion starts with an overview of the
approach and philosophy of how to solve the problem. It continues with
details of the work required in clients to implement this capability and the
work required on the server to complete the implementation and ensure
security within the environment.
Everything discussed in this paper is available with AR System 7.0. The
concepts apply to 7.0 and later releases of the system. Details of parameters
and calls might change slightly between releases, so verify the interfaces with
the version of the system you are using. Some portions of this
implementation are available in earlier versions of the system (for example,
Web client and AR System server plug-in support is available in 6.3), but for
full support for all aspects, you must be using version 7.0.
The following sections discuss what is needed within each piece of the
product.
Important: The alternate logic must be registered with the system and the
appropriate Java file in place, or it will not be found. See the following
section for details about how to register the alternate authenticator.
Authenticator
The plug-in to the mid tier consists of three routines: init, destroy, and
getAuthenticatedCredentials. You must implement these routines in Java
and then register them for your code to be called. Remember to copy the Java
file to the appropriate location according to your definition so that it can be
found.
init()
The authenticator should use the init() routine to perform initializations.
The routine is called one time at startup of the mid tier.
After the mid tier instantiates an instance of the authenticator by using
reflection, it builds an object of type java.util.Properties using the
properties specified in the file that the
arsystem.authenticator.config.file entry indicates in the
config.properties file. This file is a map of the name-value order pairs. For
example:
arsystem.authenticator.config.file=myauthenticator.properties
If any of the parameters that can be externalized are needed during the
authenticator initialization process, they should be placed in a separate file.
The file name must be registered in the config.properties file under the
arsystem.authenticator.config.file entry.
destroy()
When the mid tier is being unloaded from the application server, it calls the
destroy() method of the authenticator. Any cleanup of resource usage
should be done here.
getAuthenticatedCredentials()
The getAuthenticatedCredentials() method is the main method of the
plug-in. This method is called for each user who connects to the system.
The implementation of this method is divided into two cases (depending on
the SSO environment configuration):
When the mid tier is deployed behind a proxy—The mid tier is deployed
in an SSO environment where each request that reaches the mid tier is
guaranteed to have been authenticated. The
getAuthenticatedCredentials() method is called only when the mid tier
must retrieve the user credentials to establish a session for the user. Here,
the method must return the UserCredentials object. The object’s value is
used to establish a session for the user, and then it is wrapped and passed,
as is, to the AR System server when the mid tier constructs a request on
behalf of the user.
If the returned UserCredentials object is in an invalid format (for
example, missing the user name), the mid tier will default to the
DefaultAuthenticator, the normal login mechanism of the mid tier.
When the mid tier is not deployed behind a proxy—The mid tier is
deployed so that it must route unauthenticated requests to a configured
SSO service. It has the additional responsibility of routing the pre-session
establishment requests to the SSO service. This is achieved by
synchronizing the mid tier with the configured authenticator.
The mid tier will invoke the getAuthenticatedCredentials() method
only when it needs to establish a session for the user.
In the context of pre-session establishment, when the user request arrives,
the mid tier calls the getAuthenticatedCredentials() method, passing
both the HttpServletRequest and HttpServletResponse objects.
At this point, the authenticator examines the HttpServletRequest object
to see whether the SSO token is embedded inside the
HttpServletRequest. (The embedding protocol is specific to the SSO
environment.)
If the token is embedded, the method extracts the information, constructs
a UserCredentials object, and returns this object as the return value.
If the token is not embedded, the method embeds the routing information
to the SSO service in the HttpServletResponse object and returns null.
When the mid tier receives null, it routes the HttpServletResponse object
to the Servlet container so that the user request is redirected to the SSO
service.
After the SSO service has authenticated the user, it embeds the SSO token in
the HttpServletRequest object, reconstructs the original request, and routes
it back to the mid tier. At this point, the behavior is the same as described in
the first case.
This is the default authenticator that displays the login screen. It will be used
if you do not have an alternate authenticator defined.
Only one registration is permitted for the instantiation of the mid tier, so
only a single alternate authenticator mechanism is allowed for an instance of
the mid tier.
Note: This discussion applies to BMC Remedy User and BMC Remedy Alert.
BMC Remedy Administrator always requires a login and will not support
an “auto-login” mode because the tool allows changing of the definitions
of the system. The login to that tool acts as a verification of the identity of
the user.
BMC Remedy User and BMC Remedy Alert include a hook that allows you
to specify a DLL that will be called instead of the login page at startup. This
DLL can do whatever work you want—interact with other systems, open
windows, perform calculations, and so on.
This DLL returns the user’s login information, which would have come from
the login page. If the DLL is not present or if there is a problem getting the
information, see “Fallbacks and the default login page” on page 10.
At startup, the login page is launched (unless the user preference has been set
to remember login information). Whenever the login page is launched at
startup, BMC Remedy User and BMC Remedy Alert will look for the
ARSSOInfo.dll DLL with two methods exposed: ARGetSSOLoginCredentials
and ARGetSSOServerInformation. (The second method is optional).
ARGetSSOLoginCredentials
The following method provides credentials for the user.
void ARGetSSOLoginCrendentials(
ARSSOUserCredentialsStruct *pUserCredentialStruct)
The method should load data into the structure for return to the AR System.
This call must be implemented in the DLL.
The goal of this method is to return a user name and additional information
such as a password or a key for the user. This password or key should be
dynamic and tied into the authentication method you will use on the server
to validate this user.
Note: BMC Remedy User allocates all memory for the structure. The fields
are initialized before the method is called. The DLL is responsible for
updating the appropriate fields in the structure. The DLL must not
allocate memory for this structure (but it can allocate and free any
temporary storage it might need for processing), and the DLL must not
write data outside the length limits of the fields.
Following is an example:
struct ARSSOUserCredentialsStruct
{
char* m_szARUserName;
char* m_szARPassword;
char* m_szARAuthenticationString;
BOOL m_bARUsingPreferenceServer;
int m_nARNumberOfServers;
};
ARGetSSOServerInformation (optional)
The following method is optional:
void ARGetSSOServerInformation(
ARSSOServerInformation *pServerInfo)
If the user wants to provide only login credentials and does not want to
provide server list information, this method is not needed. If the method is
not present, the system will use the default mechanism of looking at the local
configuration file to determine which servers to connect to. If the server
count field from the ARGetSSOLoginCredentials specifies a count of the
number of servers of greater than 0, this method is required.
Treat the parameter as an array of items with each item having the structure
described. The size of the array is determined by the server count returned in
the ARGetSSOLoginCredentials method. The server identified in the first
element of the list is treated as the preference server if the login credentials
have indicated a preference server is being used.
Note: BMC Remedy User allocates all memory for the structure. The fields
are initialized before the method is called. The DLL is responsible for
updating the appropriate fields in the structure. The DLL must not
allocate memory for this structure (but it can allocate and free any
temporary storage it might need for processing), and the DLL must not
write data outside the length limits of the fields.
Following is an example:
struct ARSSOServerInformation
{
char* m_szARServerName;
int m_nARTCPNum;
int m_nARRPCNum;
};
Note: If the mechanism you are using does not allow you to get the real user
name for the AR System but is an identifier for the name, you can look at
the user name alias functionality of the AR System. This functionality
enables you to have one name as the name used for login and a different
name being the user that is visible in the system. For more information,
see the BMC Remedy Action Request System 7.0 Configuring guide.
This option should be used when you want to define characteristics of the
user (such as email address, licensing, group information) in AR System but
have authentication occur outside. So, you can have authorization within the
AR System User form but authentication outside.
Behavior Setting
Use the default behavior as in pre-6.3 release (that is, 0
authenticate either with AR System or with AREA depending
on the settings of other configuration options).
Use AR System internal authentication first, then use external 1
authentication via the AREA plug-in.
Use external authentication via the AREA plug-in first, then 2
use AR System internal authentication.
Separate from this setting is the idea of having multiple AREA plug-ins to
authenticate against many different external sources. In all cases of the
chaining in the table, authentication via the AREA plug-in includes
situations with one plug-in and those having multiple plug-ins.
For those situations having multiple AREA plug-ins, the system can be set up
to use the AREA plug-in hub. The AREA plug-in hub provides a sequential
chaining of multiple AREA plug-ins. From the AR System perspective, there
is one AREA plug-in—the AREA hub. That hub then traverses the various
plug-ins registered with it until it gets a successful authentication or runs out
of plug-ins to try.
The use and configuration of the AREA plug-in hub is documented in the
BMC Remedy Action Request System 7.0 Integrating with Plug-ins and Third
Party Products guide.
Any AREA plug-in that interacts with an external environment will count
any failed validation against that environment as a bad authentication
attempt. This is even though there might be a successful validation against
another plug-in in the chain. The net effect can be a problem. If logins are
allowed using numerous mechanisms, you should attempt the most
common or the ones with no lockout early in the list so you do not lock out
an account through checks against one environment when the user is logging
in using a different environment.
The AR System option to limit the number of bad password attempts has a
bad attempt recorded only if the login fails all of the tests. This means that
when you want to include AR System authentication in the authentication
chain, configure the chaining to try the AR System authentication first. This
is because a failure there will not count against you if some other
authentication works, and, if AR System authentication succeeds, you
prevent the bad attempts against other authentication mechanisms.
Code samples
You can use the following sample code to help you create AREA plug-ins for
Windows or the Web.
struct ARSSOServerInformation
{
char * m_szARServerName;
int m_nARTCPNum;
int m_nARRPCNum;
};
struct ARSSOUserCredentialsStruct
{
char* m_szARUserName;
char* m_szARPassword;
char* m_szARAuthenticationString;
bool m_bARUsingPreferenceServer;
int m_nARNumberOfServers;
};
extern "C"
{
__declspec(dllexport) void ARGetSSOLoginCrendentials(ARSSOUserCredentialsStruct
*pUserCredentialStruct)
Code samples W 19
White Paper
extern "C"
{
__declspec(dllexport) void ARGetSSOServerInformation(ARSSOServerInformation
*pServerInfo)
strcpy(pServerInfo[1].m_szARServerName, "ServerName2");
}
import java.io.IOException;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.remedy.arsys.session.Authenticator;
import com.remedy.arsys.session.UserCredentials;
/**
* This is an example of a simplistic authenticator. It assumes that your SSO
* solution embeds the credentials in the Http request header as is true in most
* SSO solutions. The key (for extraction of the Http header) of course is
* specific to your solution. What we use here is only for illustration purposes.
*
*/
public class MyAuthenticator implements Authenticator {
//Http header constants specific to your SSO solution. We illustrate here:
private static final String USER = "my-sso-provider-username";
//NOTE: generally passwords are never passed around b/c of security risks.
private static final String PW = "my-sso-provider-password";
/**
* @see com.remedy.arsys.session.Authenticator#init(java.util.Map)
*/
public void init(Map cfg) {
//perform any SSO specific initialization here such as encryption set up.
}
/**
* @see com.remedy.arsys.session.Authenticator#destroy()
*/
public void destroy() {
//perform any resource clean up here.
}
/**
* @see
com.remedy.arsys.session.Authenticator#getAuthenticatedCredentials(javax.servlet.http.H
ttpServletRequest, javax.servlet.http.HttpServletResponse)
*/
public UserCredentials getAuthenticatedCredentials(
HttpServletRequest request, HttpServletResponse response)
throws IOException {
String user = request.getHeader(USER);
String pw = request.getHeader(PW);
String authStr = request.getHeader(AUTH_STRING);
//1. check to see if user is auth'd by SSO, ie, has username and token.
if ((user!=null&&user.length()>0) && (authStr!=null&&authStr.length()>0)) {
return new UserCredentials(user.toLowerCase(), pw, authStr);
}
else { //2. user not auth'd; return null.
return null;
}
}
Code samples W 21
White Paper
*65712*
*65712*
*65712*
*65712*
*65712*