ALM
Software Version: 12.55
External Authentication Configuration Guide
Go to HELP CENTER ONLINE
http://admhelp.microfocus.com/alm
Document Release Date: May 2018 | Software Release Date: August 2017

Legal Notices

Disclaimer
Certain versions of software and/or documents (“Material”) accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.

Warranty
The only warranties for products and services of Micro Focus and its affiliates and licensors (“Micro Focus”) are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Micro Focus shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.

Restricted Rights Legend
Contains Confidential Information. Except as specifically indicated otherwise, a valid license is required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.

Copyright Notice
© Copyright 2002-2018 Micro Focus or one of its affiliates.

Trademark Notices
Adobe™ is a trademark of Adobe Systems Incorporated.
Microsoft® and Windows® are U.S. registered trademarks of Microsoft Corporation.
UNIX® is a registered trademark of The Open Group.
Oracle and Java are registered trademarks of Oracle and/or its affiliates.

Contents

ALM
Chapter 1: External Authentication Overview
    Smart Card Authentication Overview
    Single Sign-On Overview
Chapter 2: External Authentication Roadmap
Chapter 3: Prerequisites
    Configure Proxy Authentication
    Configure Web Server as Reverse Proxy
        Configuring IIS as a reverse proxy
        Configuring Apache as a reverse proxy
Chapter 4: Web Server Configuration
    Configure Web Server for SSL Offloading
        For Apache
        For IIS
    Configure Web Server for SSL Termination on ALM Server
        For Apache
        For IIS
Chapter 5: Smart Card Configuration
    Access ALM
    Prepare Certificates
    Configure Apache as a Secure Reverse Proxy
    Configure Apache to Require a Client Certificate
    Configure the Apache SSL Proxy Server to Work with Smart Card
    Configure IIS as a Secure Reverse Proxy
    Configure IIS to Require a Client Certificate
Chapter 6: Single Sign-On Configuration
Chapter 7: Verification Checklist
Chapter 8: ALM Configuration
    Configure Site Administration
    Verify External Authentication
    Configure Smart Card Authentication for Performance Center
    Configure SSO for Performance Center
    Configure Smart Card Authentication for APIs
    Configure SSO for APIs
    Special Configurations for Smart Card Authentication
    Special Configurations for SSO
    Configure External Authentication for Remote Machines
Chapter 9: Limitations
Chapter 10: Troubleshooting
Chapter 11: External Authentication Site Parameters
Send Us Feedback

Chapter 1: External Authentication Overview

ALM supports external authentication, where a reverse proxy positioned in front of ALM is configured to support external authentication. Once the user is authenticated by the reverse proxy, the authenticated user details are passed to ALM, which completes the authentication and authorization process.
For example, a user who passes the reverse proxy authentication but does not exist in ALM will be denied access to ALM. A user who passes the reverse proxy authentication but does not have permissions to enter specific parts of ALM, will be denied access to those parts of ALM, such as Site Administration or Lab Management. Otherwise, the login process will complete and the user will enter ALM.

This guide contains information about external authentication systems, such as Smart Card Authentication and Single Sign-on, and how to configure these systems to work with ALM.

Smart Card Authentication Overview

Smart cards are physical devices used to identify users in secure systems. These cards can be used to store certificates that verify the user's identity and allow access to secure environments. Currently, ALM supports one type of smart card authentication, CAC (Common Access Card).

ALM can be configured to use these certificates in place of the standard model of each user manually entering a user name and password. You can define a method of extracting the user name from the certificate stored on each card or use the system defaults.

When ALM is configured to work with smart cards, users can only log in using a smart card. The option of logging in by manually typing in your user name and password is locked for all users.

The following figure illustrates the smart card authentication topology (the Web server is either Apache or IIS):

Single Sign-On Overview

Single sign-on (SSO) is a session/user authentication process that permits a user to enter one name and password to access multiple applications. The process authenticates the user for all the applications to which the user has been given rights. This eliminates further prompts when the user switches applications during a particular session. Currently, ALM supports one type of SSO authentication, SiteMinder.

Note: For Micro Focus tools such as UFT, ALM supports only SiteMinder basic authentication.

Chapter 2: External Authentication Roadmap

The external authentication roadmap includes the following phases:

| Phase | Description |
|---|---|
| Prerequisites | Gather the information you need to configure external authentication for use with ALM. For details, see "Prerequisites" on page 8. |
| Configure the Web Server | Configure the web server, either Apache or IIS, for full SSL or SSL offloading. For details, see "Web Server Configuration" on page 14. |
| Smart Card Configuration | Configure the web server for smart card authentication. For details, see "Smart Card Configuration" on page 17. |
| Single Sign-On Configuration | Configure the web server for single sign-on authentication. For details, see "Single Sign-On Configuration" on page 24. |
| Verification Checklist | Verify that all of the necessary steps have been successfully implemented to use external authentication with ALM. For details, see "Verification Checklist" on page 26. |
| Configure External Authentication in ALM | Configure ALM to work with external authentication. For details, see "ALM Configuration" on page 27. |

Chapter 3: Prerequisites

1. Ensure that the ALM server is installed and running.
2. Ensure that the web server, either Apache or IIS, is installed and running.
   Note: It is recommended to install the web server and the ALM server on separate machines.
3. Configure the web server as a reverse proxy server. For details, see "Configure Web Server as Reverse Proxy" on page 10.
4. Disable IPv6 stack on the ALM server host using the operating system's network tool. This will improve communication performance between the IPv6 client and the ALM server. (Jetty 5.x does not support IPv6.)
5. Determine how the users will log in to ALM using external authentication (for example, using an email address), and ensure that this information is present in the user details in Site Administration. At the end of this process, the site administrator must be able to log in to ALM using external authentication. Only then can other users log in to ALM using external authentication.
6. If you are using LDAP, import the LDAP users.

Recommended ALM configuration:

For the list of supported system environments, refer to the Readme.

Note: The supported environment information in the Readme is accurate for the current ALM release, but there may be subsequent updates. For the most up-to-date supported environments, see http://admhelp.microfocus.com/alm/specs/alm-qc-system-requirements.htm.

Web Server system requirements:

| Operating System | Web Server |
|---|---|
| Windows | IIS 7.5; Apache 2.2 or later |
| Linux | Apache 2.4 or later |

Make sure you have the following information about the host on which you are configuring smart card authentication or SSO: Server host name, server operating system type, and web server type (IIS or Apache).

Note: We recommend configuring the firewall so the only servers allowed to log in to the Jetty port are the reverse proxy's machine (IIS or Apache) or the PC server machine.

Segmented networks configuration:

ALM is certified in the following topology:

When ALM clients are located in a different network segment from the ALM server and require a forward proxy to access outside the segment, the ALM server is behind the reverse proxy or load balancer, and both proxies require Basic or NTLM authentication, following are the requirements for the proxies:

• The forward proxy and the reverse proxy must return different error codes.
• The forward proxy must support the 407 error code and the reverse proxy must support the 401 error code.
• The forward proxy must pass the authentication headers forward.

Note: You may experience problems if your topology does not meet these requirements.

Configure Proxy Authentication

ALM was certified with the following forms of authentication:

• Forward proxy: NTLM and Basic. If forward proxy requires authentication, you must pre-configure proxy authentication credentials in the Webgate Customization tool (or API) to prevent ongoing authentication requests.
• Reverse proxy: Client authentication (in a Smart Card environment) and Basic authentication.
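
The segmented-network proxy requirements above (different codes, 407 from the forward proxy, 401 from the reverse proxy, authentication headers passed forward) can be checked against captured responses; the following is an added example, not code from the ALM guide or from Micro Focus. Assumptions: the function names and sample captures are constructed here, and "authentication headers" is read as the end-to-end Authorization request header.

```python
# Added example (not from the ALM guide): validate captured proxy challenges
# against the three segmented-network requirements listed above.
ALLOWED_SCHEMES = {"basic", "ntlm"}  # schemes the guide names for both proxies

def parse_response(raw):
    """Parse a raw HTTP response head into (status, {lowercase name: [values]})."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, _, value = line.partition(":")
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers

def challenge_schemes(headers, name):
    """Lowercased auth scheme of each challenge header line called `name`."""
    return {v.split()[0].lower() for v in headers.get(name, []) if v.split()}

def check_topology(forward_raw, reverse_raw, upstream_header_names):
    """Return a list of violations; an empty list means all requirements hold."""
    problems = []
    f_status, f_hdrs = parse_response(forward_raw)
    r_status, r_hdrs = parse_response(reverse_raw)
    if f_status == r_status:
        problems.append(f"both proxies return {f_status}; codes must differ")
    if f_status != 407:
        problems.append(f"forward proxy returned {f_status}, expected 407")
    elif not challenge_schemes(f_hdrs, "proxy-authenticate") & ALLOWED_SCHEMES:
        problems.append("407 lacks a Basic or NTLM Proxy-Authenticate challenge")
    if r_status != 401:
        problems.append(f"reverse proxy returned {r_status}, expected 401")
    elif not challenge_schemes(r_hdrs, "www-authenticate") & ALLOWED_SCHEMES:
        problems.append("401 lacks a Basic or NTLM WWW-Authenticate challenge")
    # Assumption: "authentication headers" means the end-to-end Authorization
    # header, which must still be present on the request the reverse proxy sees.
    if "authorization" not in {n.lower() for n in upstream_header_names}:
        problems.append("forward proxy did not pass Authorization forward")
    return problems

# Constructed sample captures (not taken from a real deployment).
FORWARD_407 = ("HTTP/1.1 407 Proxy Authentication Required\r\n"
               "Proxy-Authenticate: NTLM\r\n"
               'Proxy-Authenticate: Basic realm="forward-proxy"\r\n\r\n')
REVERSE_401 = ("HTTP/1.1 401 Unauthorized\r\n"
               'WWW-Authenticate: Basic realm="alm"\r\n\r\n')

if __name__ == "__main__":
    print(check_topology(FORWARD_407, REVERSE_401, ["Host", "Authorization"]))
    print(check_topology(REVERSE_401, REVERSE_401, ["Host"]))
```
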

You can use the Webgate Customization tool to configure the proxy and identify the authentication credentials it requires, as well as any required front end web server credentials. Go to Help > ALM Tools > Webgate Customization to access the tool. On the Proxy Settings tab, select the type of proxy server and enter Proxy Username, Proxy Password, and Domain.

Configure Web Server as Reverse Proxy

To enhance the security of your ALM deployment, it is recommended to place the ALM server behind a secure reverse proxy, either an Apache or IIS web server. Such configuration is also required to support external authentication.

Configuring IIS as a reverse proxy

To integrate ALM with a web server, you configure the web server to redirect requests to the ALM Application Server. You configure the web server to work in proxy HTTP mode.

To configure IIS to work as a reverse proxy:

Note: The following instructions apply to IIS 7.0 and later.

1. Using Server Manager, install the IIS server using default settings. You do not need to enable any other extensions.
2. Install the URL rewrite package from http://www.iis.net/downloads/microsoft/url-rewrite.
3. Install Application Request Routing (ARR) for IIS from http://www.iis.net/downloads/microsoft/application-request-routing.
   Note: You may need to disable Internet Explorer ESC and run Internet Explorer as an administrator.
   If you have no direct access to the internet from your server, you can obtain the ARR 3.0 standalone version that contains everything you need, including the URL rewrite package,