This section explains the procedure for configuring Single Sign-On environments when upgrading from earlier versions to this version.
The configuration procedure differs according to the authentication method used in the earlier version. Refer to the following list:
Authentication methods for earlier versions (columns A to G in the table below)
A. Internal authentication in ServerView Resource Coordinator VE (hereinafter RCVE)
   (Authentication is not executed using Single Sign-On)
B. Authentication using Single Sign-On in RCVE
C. Internal authentication in ROR
D. Authentication using directory service in ROR
E. Authentication using Single Sign-On in ROR
F. Internal authentication in ROR VE
G. Authentication using Single Sign-On in ROR VE
Number | Configuration Procedure | A | B | C | D | E | F | G |
---|---|---|---|---|---|---|---|---|
1 | Installing Resource Orchestrator | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
2 | Registering CA Certificates of ServerView Operations Manager 1 | Yes | - | Yes | Yes (*1) | - | Yes | - |
3 | Registering CA Certificates of ServerView Operations Manager 2 | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
4 | Registering CA Certificate of Individually Configured OpenDS or Active Directory 1 (*1) | Yes | - | Yes | - | - | Yes | - |
5 | Registering CA Certificate of Individually Configured OpenDS or Active Directory 2 (*1) | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
6 | Registering Administrators (Privileged Users) | Yes | - | Yes | - | - | Yes | - |
7 | Setup | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
8 | Login on the ROR Console | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
9 | License Setup | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
10 | Moving Information in the Directory Service Used in Earlier Versions | - | Yes | - | Yes | Yes | - | - |
11 | Registering Users in the Directory Service | Yes | - | Yes | - | - | Yes | - |
12 | Registering Directory Service Connection Information in Resource Orchestrator | Yes | - | Yes | - | - | Yes | - |
13 | Changing Already Registered Directory Service Connection Information | - | - | - | Yes | - | - | - |
14 | Role Allocation to Tenant Administrator | - | - | Yes | Yes | Yes | Yes | - |
15 | Configuration after Installation | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
16 | Importing a Certificate to a Browser | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
Yes: Required, -: Not Required
*1: This procedure is necessary when using OpenDS or an Active Directory that was configured individually.
Installing Resource Orchestrator
Refer to "Chapter 4 Upgrading from Earlier Versions" in the "Installation Guide VE".
Registering CA Certificates of ServerView Operations Manager 1
Refer to "4.5.6.1 Registering CA Certificates of ServerView Operations Manager 1".
Registering CA Certificates of ServerView Operations Manager 2
Refer to "4.5.6.2 Registering CA Certificates of ServerView Operations Manager 2".
Registering CA Certificate of Individually Configured OpenDS or Active Directory 1
Refer to "4.5.6.3 Registering CA Certificate of Individually Configured OpenDS or Active Directory 1".
Registering CA Certificate of Individually Configured OpenDS or Active Directory 2
Refer to "4.5.6.4 Registering CA Certificate of Individually Configured OpenDS or Active Directory 2".
Registering Administrators (Privileged Users)
For details, refer to "4.5.4 Registering Administrators".
Setup
Set up the manager. Refer to "2.1.4 Setup" in the "Installation Guide CE".
Login on the ROR Console
Refer to "7.1 Login".
License Setup
Refer to "License Setup" in "7.1 Login".
Moving Information in the Directory Service Used in Earlier Versions
Refer to "4.5.6.5 Moving Information in the Directory Service Used in Earlier Versions".
Registering Users in the Directory Service
Refer to "4.5.6.6 Registering Users in the Directory Service".
Registering Directory Service Connection Information in Resource Orchestrator
Refer to "4.5.6.7 Registering Directory Service Connection Information in Resource Orchestrator".
Changing Already Registered Directory Service Connection Information
Refer to "4.5.6.8 Changing Already Registered Directory Service Connection Information".
Allocating Roles to Tenant Administrator
For details, refer to "4.5.6.9 Allocating Roles to Tenant Administrator".
Configuration after Installation
Refer to "Chapter 6 Configuration after Installation".
Importing a Certificate to a Browser
Refer to "7.4 Importing a Certificate to a Browser".
Use the following procedure to register CA certificates to Resource Orchestrator.
1. Copy the keystore of Resource Orchestrator.
[Windows]
Files to Copy
Installation_folder\SVROR\Manager\runtime\jre6\lib\security\cacerts
Copy Destination
Installation_folder\SVROR\Manager\runtime\jre6\lib\security\cacerts.org
[Linux]
Files to Copy
/opt/FJSVrcvmr/runtime/jre6/lib/security/cacerts
Copy Destination
/opt/FJSVrcvmr/runtime/jre6/lib/security/cacerts.org
Note
Ensure that the keystore of Resource Orchestrator is copied, as it will be necessary when changing the directory service.
2. Import the CA certificate (keystore) of ServerView Operations Manager into the keystore of Resource Orchestrator.
The CA certificate (keystore) of ServerView Operations Manager is stored in the following location:
[Windows]
ServerView Suite_installation_folder\jboss\server\serverview\conf\pki\keystore
[Linux]
/opt/fujitsu/ServerViewSuite/jboss/server/serverview/conf/pki/keystore
Example
[Windows]
>C:\Fujitsu\ROR\SVROR\Manager\runtime\jre6\bin\keytool.exe -importkeystore -srckeystore "C:\Program Files\Fujitsu\ServerView Suite\jboss\server\serverview\conf\pki\keystore" -destkeystore "C:\Fujitsu\ROR\SVROR\Manager\runtime\jre6\lib\security\cacerts" <RETURN>
[Linux]
# /opt/FJSVrcvmr/runtime/jre6/bin/keytool -importkeystore -srckeystore /opt/fujitsu/ServerViewSuite/jboss/server/serverview/conf/pki/keystore -destkeystore /opt/FJSVrcvmr/runtime/jre6/lib/security/cacerts <RETURN>
3. After executing the command, enter the password.
The password for the keystore of Resource Orchestrator is set to "changeit" by default.
The following messages are displayed when the import completes successfully. Check the "Another name" (alias) section.
Enter destination keystore password: changeit
4. Execute the keytool command, and check that the CA certificate has been imported correctly.
For the -alias option, specify the "another name" (alias) checked in 3.
Example
[Windows]
>C:\Fujitsu\ROR\SVROR\Manager\runtime\jre6\bin\keytool.exe -list -alias Another_name -keystore "C:\Fujitsu\ROR\SVROR\Manager\runtime\jre6\lib\security\cacerts" <RETURN>
[Linux]
# /opt/FJSVrcvmr/runtime/jre6/bin/keytool -list -alias Another_name -keystore /opt/FJSVrcvmr/runtime/jre6/lib/security/cacerts <RETURN>
Use the following procedure to register CA certificates to Resource Orchestrator.
1. Copy the keystore of Resource Orchestrator.
[Windows]
Files to Copy
Installation_folder\IAPS\JDK5\jre\lib\security\cacerts
Copy Destination
Installation_folder\IAPS\JDK5\jre\lib\security\cacerts.org
[Linux]
Files to Copy
/opt/FJSVawjbk/jdk5/jre/lib/security/cacerts
Copy Destination
/opt/FJSVawjbk/jdk5/jre/lib/security/cacerts.org
Note
Ensure that the keystore of Resource Orchestrator is copied, as it will be necessary when changing the directory service.
2. Import the CA certificate (keystore) of ServerView Operations Manager into the keystore of Resource Orchestrator.
The CA certificate (keystore) of ServerView Operations Manager is stored in the following location:
[Windows]
ServerView Suite_installation_folder\jboss\server\serverview\conf\pki\keystore
[Linux]
/opt/fujitsu/ServerViewSuite/jboss/server/serverview/conf/pki/keystore
Example
[Windows]
>C:\Fujitsu\ROR\SVROR\Manager\runtime\jre6\bin\keytool.exe -importkeystore -srckeystore "C:\Program Files\Fujitsu\ServerView Suite\jboss\server\serverview\conf\pki\keystore" -destkeystore "C:\Fujitsu\ROR\IAPS\JDK5\jre\lib\security\cacerts" <RETURN>
[Linux]
# /opt/FJSVrcvmr/runtime/jre6/bin/keytool -importkeystore -srckeystore /opt/fujitsu/ServerViewSuite/jboss/server/serverview/conf/pki/keystore -destkeystore /opt/FJSVawjbk/jdk5/jre/lib/security/cacerts <RETURN>
3. After executing the command, enter the password.
The password for the keystore of Resource Orchestrator is set to "changeit" by default.
The following messages are displayed when the import completes successfully. Check the "Another name" (alias) section.
Enter destination keystore password: changeit
4. Execute the keytool command, and check that the CA certificate has been imported correctly.
For the -alias option, specify the "another name" (alias) checked in 3.
Example
[Windows]
>C:\Fujitsu\ROR\SVROR\Manager\runtime\jre6\bin\keytool.exe -list -alias Another_name -keystore "C:\Fujitsu\ROR\IAPS\JDK5\jre\lib\security\cacerts" <RETURN>
[Linux]
# /opt/FJSVrcvmr/runtime/jre6/bin/keytool -list -alias Another_name -keystore /opt/FJSVawjbk/jdk5/jre/lib/security/cacerts <RETURN>
Import the server certificate to ServerView Operations Manager. For details, refer to "6.3.5 Importing a Certificate to ServerView SSO Authentication Server".
When using a directory service that was individually configured, import the CA certificate of the directory service to the keystore of Resource Orchestrator.
When using a directory service other than OpenDS that comes with ServerView Operations Manager, import the CA certificate of the directory service to the keystore of Resource Orchestrator.
The CA certificate format is the DER encoded binary X.509 (CER) format.
Example
When Using Active Directory
>C:\Fujitsu\ROR\SVROR\Manager\runtime\jre6\bin\keytool.exe -importcert -alias rcve_ldap -trustcacerts -file c:\myserver.serverview.local_svsca.crt -keystore "C:\Fujitsu\ROR\SVROR\Manager\runtime\jre6\lib\security\cacerts"
When Using OpenDS
>C:\Fujitsu\ROR\SVROR\Manager\runtime\jre6\bin\keytool.exe -importkeystore -srckeystore "C:\win32app\OpenDS-2.2.0\config\keystore" -destkeystore C:\Fujitsu\ROR\SVROR\Manager\runtime\jre6\lib\security\cacerts
When using a directory service that was individually configured, import the CA certificate of the directory service to the keystore of Resource Orchestrator.
When using a directory service other than OpenDS that comes with ServerView Operations Manager, import the CA certificate of the directory service to the keystore of Resource Orchestrator.
The CA certificate format is the DER encoded binary X.509 (CER) format.
Example
When Using Active Directory
>C:\Fujitsu\ROR\SVROR\Manager\runtime\jre6\bin\keytool.exe -importcert -alias rcve_ldap -trustcacerts -file c:\myserver.serverview.local_svsca.crt -keystore "C:\Fujitsu\ROR\IAPS\JDK5\jre\lib\security\cacerts"
When Using OpenDS
>C:\Fujitsu\ROR\SVROR\Manager\runtime\jre6\bin\keytool.exe -importkeystore -srckeystore "C:\win32app\OpenDS-2.2.0\config\keystore" -destkeystore C:\Fujitsu\ROR\IAPS\JDK5\jre\lib\security\cacerts
When performing user management using a directory service in ServerView Resource Orchestrator V2.3.0, move the resource information in the directory server to the management information in Resource Orchestrator.
Move the following information:
User group information and the users belonging to each group
For the user information, the same user name must be registered in both the directory server and the management information in Resource Orchestrator. Single Sign-On is used for authentication to log on to Resource Orchestrator. Manage the user passwords using the directory service used for Single Sign-On.
Role definitions
Access scope and roles
Execute the rcxadm authctl export command to move the information. Move the information as an OS administrator. For details on the rcxadm authctl export command, refer to "1.7.10 rcxadm authctl" in the "Reference Guide (Resource Management) CE".
Register a user to the directory service.
When Using Active Directory
1. Export the user information which is registered in Resource Orchestrator as files in the LDIF format.
Example
>rcxadm user list -format ldif > myusers.ldif <RETURN>
2. Modify the user information exported as the ldif file in 1. for the actual environment.
Modify the base names of entries based on the base name of the Active Directory.
3. Execute the ldifde command to register the ldif file modified in 2. with Active Directory.
Example
>ldifde -i -e -k -t 636 -f myusers.ldif <RETURN>
For details on the ldifde command, refer to the Active Directory documentation.
The passwords of the registered users are reset to the following value:
rcxuser@123
4. Change the user passwords registered in 3. to appropriate values, using the Active Directory functions.
When performing Single Sign-On operations with ServerView Operations Manager, user definitions are necessary for ServerView Operations Manager. For details on how to add user definitions for ServerView Operations Manager, perform settings for Single Sign-On referring to the following manual:
"Integrating ServerView User Management into Microsoft Active Directory" of the "ServerView Suite User Management in ServerView"
When Using OpenDS
1. Export the user and user group information which are registered in Resource Orchestrator as files in the LDIF format.
Example
>rcxadm user list -format ldif > myusers.ldif <RETURN>
The ldif file for the Active Directory is output.
2. Modify the user information exported as the ldif file in 1. for OpenDS.
- Modify the base names of entries based on the base name of the directory service.
- Delete the following attributes:
  samAccountName
  userAccountControl
  unicodePwd
- Add the following attributes to user entries:
  sn
  uid (same value as the cn attribute)
  userPassword
- Modify the values of the objectclass attribute: change "user" to "inetOrgPerson".
- Change "cn=Users" in "cn=User_name,cn=Users,dc=fujitsu,dc=com" to "ou=Users".
Example
Before editing (ldif file for Active Directory)
```ldif
# User
dn: cn=user01,cn=Users,dc=example,dc=local        # Change cn=Users to ou=Users.
changetype: add
objectclass: user                                 # Change to objectclass: inetOrgPerson.
cn: user01
samAccountName: user01                            # Delete this line.
userAccountControl: 512                           # Delete this line.
unicodePwd:: IgByAGMAeAB1AHMAZQByAEAAMQAyADMAIgA=  # Delete this line.
# Add sn, uid, and userPassword attributes.
```
After editing (ldif file for OpenDS)
```ldif
# User
dn: cn=user01,ou=Users,dc=fujitsu,dc=com
changetype: add
objectclass: inetOrgPerson
cn: user01
sn: user01
uid: user01
userPassword: mypassword
```
3. Use the directory service client function to register the ldif file modified in 2. with the directory service.
Set the path of Java SE 6 in the JAVA_HOME environment variable before executing the ldapmodify command of OpenDS.
For details on the command, refer to each directory service manual.
[Windows]
>"OpenDS_installation_folder\bat\ldapmodify.bat" -p Port_number -f ldif_file -D Administrator_user_DN -w Password <RETURN>
[Linux]
# "OpenDS_installation_folder/bin/ldapmodify" -p Port_number -f ldif_file -D Administrator_user_DN -w Password <RETURN>
SSL communications are not required when registering a user in OpenDS. The default port number when not using SSL communications is "1473" in the OpenDS provided with ServerView Operations Manager.
For details on how to configure connection settings of the OpenDS provided with ServerView Operations Manager, refer to the README and the manuals of "ServerView Suite User Management in ServerView".
Example
>"C:\Program Files\Fujitsu\ServerView Suite\opends\bat\ldapmodify.bat" -p 1473 -f myusers.ldif -D "cn=Directory Manager" -w admin -c <RETURN>
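The edits of step 2 applied by script, as an added example that is not part of this manual or of Resource Orchestrator: it rewrites every entry of the exported ldif file the way the before/after example shows, and decodes the unicodePwd value to show what the Active Directory export actually carries. AD_BASE, OPENDS_BASE, the sample entry and the password mapping are assumptions.

```python
import base64

# Assumed base names (not from the page): the base the Active Directory export was
# written under, and the base of the OpenDS that the entries are moved to.
AD_BASE = "dc=example,dc=local"
OPENDS_BASE = "dc=fujitsu,dc=com"
# Active Directory-only attributes that the manual says to delete.
DROP_ATTRS = {"samaccountname", "useraccountcontrol", "unicodepwd"}

# Constructed sample in the shape of the manual's "before editing" entry.
AD_LDIF = """\
# User
dn: cn=user01,cn=Users,dc=example,dc=local
changetype: add
objectclass: user
cn: user01
samAccountName: user01
userAccountControl: 512
unicodePwd:: IgByAGMAeAB1AHMAZQByAEAAMQAyADMAIgA=
"""

def decode_unicode_pwd(b64value):
    """unicodePwd holds the password in double quotes, UTF-16LE, base64 in LDIF."""
    return base64.b64decode(b64value).decode("utf-16-le").strip('"')

def parse_ldif(text):
    """Split LDIF into records of (attribute, value, is_base64) tuples."""
    records, current = [], []
    for line in text.splitlines():
        if not line.strip():                      # a blank line ends a record
            if current:
                records.append(current)
                current = []
        elif not line.startswith("#"):            # comment lines are dropped
            attr, _, rest = line.partition(":")
            is_b64 = rest.startswith(":")         # "attr:: base64value"
            current.append((attr.strip(), rest.lstrip(":").strip(), is_b64))
    if current:
        records.append(current)
    return records

def convert_entry(record, passwords):
    """Apply the manual's edits to one AD record; returns OpenDS LDIF lines."""
    cn = next(value for attr, value, _ in record if attr.lower() == "cn")
    out = []
    for attr, value, is_b64 in record:
        key = attr.lower()
        if key in DROP_ATTRS:                     # samAccountName, userAccountControl, unicodePwd
            continue
        if key == "dn":
            value = value.replace(",cn=Users,", ",ou=Users,")   # cn=Users -> ou=Users
            if value.endswith(AD_BASE):                          # rebase to the OpenDS suffix
                value = value[: -len(AD_BASE)] + OPENDS_BASE
        elif key == "objectclass" and value == "user":
            value = "inetOrgPerson"
        out.append(f"{attr}:: {value}" if is_b64 else f"{attr}: {value}")
    # sn and uid take the cn value; userPassword is supplied per user by the caller.
    out += [f"sn: {cn}", f"uid: {cn}", f"userPassword: {passwords[cn]}"]
    return out

def convert_ldif(text, passwords):
    """Convert a whole export; `passwords` maps cn -> the password to set in OpenDS."""
    return "\n\n".join("\n".join(convert_entry(r, passwords)) for r in parse_ldif(text)) + "\n"
```

Feed the output to the ldapmodify command of step 3; the per-user password mapping keeps the reset value carried by the export (rcxuser@123, as decode_unicode_pwd shows) from being copied into OpenDS.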
When performing Single Sign-On operations with ServerView Operations Manager, specify users who are defined in ServerView Operations Manager as the user information of Resource Orchestrator.
For details on how to register the user information, refer to "Appendix C User Management Using Directory Service" of the "Operation Guide CE".
When users of Resource Orchestrator log in to ServerView Operations Manager, user definitions are necessary for ServerView Operations Manager. For details on how to add user definitions for ServerView Operations Manager, perform settings for Single Sign-On referring to the following manual:
"Integrating ServerView User Management into Microsoft Active Directory" of the "ServerView Suite User Management in ServerView"
For OpenDS, perform settings for Single Sign-On referring to the setting procedure of Active Directory.
Register the directory service connection information for performing Single Sign-On in Resource Orchestrator.
Check directory service connection information.
Connection Information | Description |
---|---|
IP address | IP address for the directory server to connect to. |
Port number | Port number for SSL communication with the directory server to connect to. When using the OpenDS provided with ServerView Operations Manager, the default value is 1474. |
Base name (DN) | Base name (DN) for the directory server to connect to. When using the OpenDS provided with ServerView Operations Manager, the default value is "dc=fujitsu,dc=com". |
Directory server administrator name (DN) | Directory server administrator name (DN) for the directory server to connect to. When using the OpenDS provided with ServerView Operations Manager, the default value is "cn=Directory Manager". |
Directory server administrator password | Password for the directory server to connect to. When using the OpenDS provided with ServerView Operations Manager, refer to "ServerView user management with OpenDS" in the ServerView Operations Manager manual "ServerView Suite User Management in ServerView". |
Use the following procedure to register the directory service connection information in Resource Orchestrator.
1. Stop the manager.
For information on stopping managers, refer to "7.2 Starting and Stopping the Manager".
2. Register the directory service connection information for performing Single Sign-On.
Execute the rcxadm authctl command and register the directory service connection information.
For details on the rcxadm authctl command, refer to "1.7.10 rcxadm authctl" of the "Reference Guide (Resource Management) CE".
Example
Example when using Active Directory
>rcxadm authctl register -ip 192.168.1.1 -port 636 -base dc=example,dc=local -bind cn=Administrator,cn=Users,dc=example,dc=local -method SSL -passwd mypasswd <RETURN>
Example when using the OpenDS provided with ServerView Operations Manager
>rcxadm authctl register -ip 192.168.1.1 -port 1474 -base dc=fujitsu,dc=com -bind "cn=Directory Manager" -method SSL -passwd admin <RETURN>
3. Start the manager.
For information on starting managers, refer to "7.2 Starting and Stopping the Manager".
Change the already registered directory service connection information from authentication by the directory service to Single Sign-On operations.
1. Stop the manager.
For information on stopping managers, refer to "7.2 Starting and Stopping the Manager".
2. Change the directory service connection information to Single Sign-On operations.
Execute the rcxadm authctl command and change the directory service connection information.
For details on the rcxadm authctl command, refer to "1.7.10 rcxadm authctl" of the "Reference Guide (Resource Management) CE".
>rcxadm authctl modify -auth serverview
3. Start the manager.
For information on starting managers, refer to "7.2 Starting and Stopping the Manager".
Allocate appropriate roles to the users operating as tenant administrators, tenant operators, or tenant monitors among users operating on the earlier versions.
Use the following procedure to allocate roles to users.
1. Output the user information in files in the XML format.
>rcxadm user list -format xml > myusers.xml
For details on the rcxadm user command, refer to "1.6.1 rcxadm user" of the "Reference Guide (Resource Management) CE".
2. Edit the XML files.
- Delete the information of other users from the XML file, so that only users operating as tenant administrators, tenant operators, and tenant monitors remain.
- Define the tenant administrator roles to allocate.
- Add the following information:
  Mail address
  First name
  Family name
For details on the XML definition of tenant administrators, refer to "2.8.1 Tenant Management Roles and Tenant User Role" in the "Reference Guide (Resource Management) CE".
Example
Example of the XML definition in which the tenant administrator role of "tenantA" is allocated to the user "john"
```xml
<?xml version="1.0" encoding="utf-8"?>
<Users>
  <User name="john">
    <Roles>
      <Role name="tenant_admin">
        <Scopes>
          <Scope>tenantA</Scope>
        </Scopes>
      </Role>
    </Roles>
    <MailAddress>john@mail.example.com</MailAddress>
    <ActualName>
      <FirstName>john</FirstName>
      <LastName>fujitsu</LastName>
    </ActualName>
  </User>
</Users>
```
3. Allocate the tenant administrator roles to the user by specifying the edited XML file in the rcxadm user command.
>rcxadm user modify -file my_tenantadmins.xml
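The XML editing of step 2 as an added script, not part of this manual or of Resource Orchestrator: it drops every user who is not listed as a tenant administrator and adds the role, scope, mail address and name elements that the example shows. The shape of the exported document and the TENANT_ADMINS values are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample of an export from `rcxadm user list -format xml`; the real
# export carries more per-user elements, which this script leaves untouched.
EXPORTED_XML = """<?xml version="1.0" encoding="utf-8"?>
<Users>
  <User name="john"/>
  <User name="alice"/>
  <User name="bob"/>
</Users>
"""

# Assumed mapping (constructed values): the users who become tenant administrators,
# the tenant each one manages, and the mail address and name the manual requires.
TENANT_ADMINS = {
    "john": {"tenant": "tenantA", "mail": "john@mail.example.com",
             "first": "john", "last": "fujitsu"},
}

def build_tenant_admin_xml(exported_xml, admins):
    """Keep only the users in `admins`, adding the tenant_admin role, mail and name."""
    root = ET.fromstring(exported_xml)
    for user in list(root.findall("User")):
        name = user.get("name")
        if name not in admins:
            root.remove(user)                 # other users are dropped from the file
            continue
        info = admins[name]
        role = ET.SubElement(ET.SubElement(user, "Roles"), "Role", name="tenant_admin")
        ET.SubElement(ET.SubElement(role, "Scopes"), "Scope").text = info["tenant"]
        ET.SubElement(user, "MailAddress").text = info["mail"]
        actual = ET.SubElement(user, "ActualName")
        ET.SubElement(actual, "FirstName").text = info["first"]
        ET.SubElement(actual, "LastName").text = info["last"]
    if hasattr(ET, "indent"):                 # pretty-print on Python 3.9+
        ET.indent(root, space="  ")
    return '<?xml version="1.0" encoding="utf-8"?>\n' + ET.tostring(root, encoding="unicode")

def summarize(xml_text):
    """Return (user name, tenant scope, mail address) per User, for checking the result."""
    root = ET.fromstring(xml_text)
    return [(u.get("name"), u.findtext("Roles/Role/Scopes/Scope"), u.findtext("MailAddress"))
            for u in root.findall("User")]

if __name__ == "__main__":
    print(build_tenant_admin_xml(EXPORTED_XML, TENANT_ADMINS))   # save as my_tenantadmins.xml
```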