This section explains how to switch the authentication method from internal authentication to Single Sign-On.
1. Stop the manager.
   For details on how to stop the manager, refer to "2.1 Starting and Stopping Managers".
2. Register the directory service connection information with Resource Orchestrator.
   Use the rcxadm authctl sync command to register the directory service connection information.
   For details on the rcxadm authctl sync command, refer to "5.4 rcxadm authctl" in the "Reference Guide (Command/XML) CE".
3. Register the CA certificates of ServerView Operations Manager with Resource Orchestrator.
   In addition, import the certificates into the ServerView SSO authentication server.
   For details, refer to "8.10.1.1 Confirming Certificates" and "8.10.1.2 Registering Certificates".
4. Restart the manager.
   For details on how to start the manager, refer to "2.1 Starting and Stopping Managers".
5. Register the user in the directory service.
When using Active Directory

   1. Export the user information registered with Resource Orchestrator in LDIF format.

      Example
      >rcxadm user list -format ldif > myusers.ldif <RETURN>

   2. Modify the user information ldif file exported in step 1 according to the actual environment.
      Modify the base name of each entry according to the base name of Active Directory.
   3. Execute the ldifde command to register the ldif file modified in step 2 in Active Directory.

      Example
      >ldifde -i -e -k -t 636 -f myusers.ldif <RETURN>

      For details on the ldifde command, refer to the documents for Active Directory.
      The password of each registered user defaults to the following value:
      rcxuser@123
   4. Change the password of the user registered in step 3 to an appropriate value.
      Use the functions provided by Active Directory to do so.

   For Single Sign-On operation with ServerView Operations Manager, it is also necessary to define the users for ServerView Operations Manager.
   Add the user definition to ServerView Operations Manager referring to the following manual and configure Single Sign-On.
   - "Integrating ServerView user management into Microsoft Active Directory" in "User Management in ServerView"
When using the directory service provided with ServerView Operations Manager

   1. Export the user information and user group information registered with Resource Orchestrator in LDIF format.

      Example
      >rcxadm user list -format ldif > myusers.ldif <RETURN>

      The ldif file is output in the format for Active Directory.
   2. If the ldif file contains the following user IDs, delete them.
      - Administrator
      - Operator
      - Monitor
      - UserManager
      These users are registered as the initial users of ServerView Operations Manager, so it is not necessary to register them in this procedure. User IDs are not case sensitive; user IDs that differ only in case therefore become the same user ID.
   3. Modify the user information ldif file exported in step 1 for use in the directory service provided with ServerView Operations Manager.
      a. Modify the base name of each entry according to the base name of the directory service.
      b. Delete the following attributes:
         - samAccountName
         - userAccountControl
         - unicodePwd
      c. Add the following attributes to the user entry:
         - sn
         - uid (the same value as the cn attribute value)
         - userPassword
      d. Modify the objectclass attribute as follows:
         - Change "user" to "inetOrgPerson".
      e. Modify "cn=Users" in "cn=User_name,cn=Users,dc=fujitsu,dc=com" to "ou=Users".

      Example
      Before editing (the ldif file for Active Directory)
      # User
      dn: cn=user01,cn=Users,dc=example,dc=local           # Modify "cn=Users" to "ou=Users".
      changetype: add
      objectclass: user                                     # Modify to "objectclass: inetOrgPerson".
      cn: user01
      samAccountName: user01                                # Delete this line.
      userAccountControl: 512                               # Delete this line.
      unicodePwd:: IgByAGMAeAB1AHMAZQByAEAAMQAyADMAIgA=     # Delete this line.
      # Add the sn, uid, and userPassword attributes.

      After editing (the ldif file for use in the directory service provided with ServerView Operations Manager)
      # User
      dn: cn=user01,ou=Users,dc=fujitsu,dc=com
      changetype: add
      objectclass: inetOrgPerson
      cn: user01
      sn: user01
      uid: user01
      userPassword: mypassword
   4. Use the client function provided by the directory service to register the ldif file modified in step 3 in the directory service.
      - ServerView Operations Manager V7.0 or earlier
        Set the installation directory of the Java Runtime Environment (JRE) in the environment variable JAVA_HOME before executing the ldapmodify command.
        [Windows]
        >"OpenDJ installation folder\bat\ldapmodify.bat" -p port number -f ldif file -D administrator user DN -w password <RETURN>
        [Linux]
        # "OpenDJ installation folder/bin/ldapmodify" -p port number -f ldif file -D administrator user DN -w password <RETURN>
      - ServerView Operations Manager V7.1 or later
        [Windows]
        >"ApacheDS installation folder\bin\ldapmodify.exe" -h host name -p port number -f ldif file -D administrator user DN -w password <RETURN>

      Directory service user registration does not require SSL communication. By default, the directory service provided with ServerView Operations Manager uses port 1473 for non-SSL communication.
      When executing the command, the message "The directory name is invalid" may be displayed.
      Open the "User Management wizard" in ServerView Operations Manager and check whether the Resource Orchestrator user is displayed.
      If the Resource Orchestrator user is displayed, there is no problem.
      For details on the connection settings of the directory service provided with ServerView Operations Manager and the "User Management wizard", refer to the following manuals:
      - ServerView Operations Manager README
      - For ServerView Operations Manager V7.0 or earlier:
        "ServerView user management with OpenDJ" in "User Management in ServerView 6.30"
      - For ServerView Operations Manager V7.1 or later:
        "ServerView user management with ApacheDS" in "User Management in ServerView 7.10"

      Example
      - ServerView Operations Manager V7.0 or earlier
        >"C:\Program Files\Fujitsu\ServerView Suite\opends\bat\ldapmodify.bat" -p 1473 -f myusers.ldif -D "cn=Directory Manager" -w admin -c <RETURN>
      - ServerView Operations Manager V7.1 or later
        >"C:\Program Files (x86)\Fujitsu\ServerView Suite\apacheds\bin\ldapmodify.exe" -h localhost -p 1473 -f myusers.ldif -D "uid=admin,ou=system" -w admin -c <RETURN>
   5. For Single Sign-On operation with ServerView Operations Manager, configure the user defined for ServerView Operations Manager as the user information for Resource Orchestrator.
      For details on how to register user information, refer to "Chapter 3 Configuring Users and Customizing Roles" in the "User's Guide for Infrastructure Administrators (Resource Management) CE".
      When a Resource Orchestrator user logs into ServerView Operations Manager, the user definition for ServerView Operations Manager is necessary as well. For details, refer to "12.2.3 Single Sign-On When Using the ServerView Operations Manager Console" in the "Design Guide CE".