SRM 6.0.0.0 | CIAM Environment Setup Configuration for Single sign-on (SSO)

Summary: Steps to generate a secret key and configure the CIAM server environment for Linux (vApp and Binary) and Windows Binary SRM deployments.

Instructions

Follow the steps below on the SRM Frontend CLI/PuTTY to configure and start the CIAM service.


Steps for vApp/Linux Binary:

1. Log in to the SRM Frontend VM using a PuTTY session
2. Navigate to the <SRM-INSTALLED-PATH>/APG/bin folder and create the "my_config.env" configuration file, then copy and paste the properties below and save the file

CIAM_SERVER_ADDR=localhost:8000
DB_HOST=localhost:8000
DB_PORT=5432
DB_USER=admincmfa
DB_PASSWORD=
DB_NAME=pacificdb
DB_TYPE=sqlite
DB_MAX_CON=100
DB_MAX_IDLE_CON=10
CRL_CACHE_SIZE=50
MAX_CRL_URLS=15
MAX_CRL_FILE_SIZE=20
DB_FOLDER=db

3. Navigate to <SRM-INSTALLED-PATH>/APG/bin and change the permissions of "ciam-service-plain" and "generate-secret.sh"
# chmod 777 ciam-service-plain
# chmod 777 generate-secret.sh

4. Generate the secret key required to start the CIAM service in secure mode
# <SRM-INSTALLED-PATH>/APG/bin/generate-secret.sh

5. Set the environment variables for the CIAM service
# export CIAM_CLIENT_NAME=<username>
# export CIAM_CLIENT_SECRET=<generated key from step 4>
Ex:
# export CIAM_CLIENT_NAME=admin
# export CIAM_CLIENT_SECRET=ytWlcSZTntLSmXU9/HUuclnQe17sAEdaQlDqPra2eGE=

6. Copy and use the secret key to generate the config file required for starting the CIAM service
# echo <generated key from step 4> | <SRM-INSTALLED-PATH>/APG/bin/ciam-service-plain -mode=encrypt-config -config=<SRM-INSTALLED-PATH>/APG/bin/my_config.env
Ex: 
# echo ytWlcSZTntLSmXU9/HUuclnQe17sAEdaQlDqPra2eGE= | /opt/APG/bin/ciam-service-plain -mode=encrypt-config -config=/opt/APG/bin/my_config.env

7. Start the CIAM service using the secret key and the config file generated above, outside your runtime environment, using the command below:
# echo <generated key from step 4> | <SRM-INSTALLED-PATH>/APG/bin/ciam-service-plain -mode=start -config=<SRM-INSTALLED-PATH>/APG/bin/config_enc.env
Ex:
# echo ytWlcSZTntLSmXU9/HUuclnQe17sAEdaQlDqPra2eGE= | /opt/APG/bin/ciam-service-plain -mode=start -config=/opt/APG/bin/config_enc.env
OR
Run the CIAM service in the background using the command below:
# nohup bash -c 'echo <generated key from step 4> | <SRM-INSTALLED-PATH>/APG/bin/ciam-service-plain -mode=start -config=config_enc.env' &
Ex: 
# nohup bash -c 'echo ytWlcSZTntLSmXU9/HUuclnQe17sAEdaQlDqPra2eGE= | /opt/APG/bin/ciam-service-plain -mode=start -config=config_enc.env' &
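The Linux steps above collected into one script. This is an added example written for this article; it is not SRM product code and not part of the original KB text, and it only wraps the commands listed in steps 2 to 7. Assumed: SRM_HOME is <SRM-INSTALLED-PATH>/APG (default /opt/APG); generate-secret.sh and ciam-service-plain accept the -mode and -config flags exactly as shown above; the secret file name .ciam_secret and the log/pid file names are this script's own choice. It departs from the article in two places, on purpose: the generated key is written to a mode-600 file and fed to ciam-service-plain on stdin rather than through echo on the command line (which leaves the secret in shell history and in `ps` output while the pipeline runs), and the two executables get chmod 755 instead of 777, since only the execute bit is needed.

```shell
#!/usr/bin/env bash
# Added helper for the vApp/Linux Binary procedure (not SRM product code).
set -eu

SRM_HOME="${SRM_HOME:-/opt/APG}"                     # the article's <SRM-INSTALLED-PATH>/APG
BIN_DIR="$SRM_HOME/bin"
CONFIG_PLAIN="$BIN_DIR/my_config.env"
CONFIG_ENC="$BIN_DIR/config_enc.env"                 # produced by -mode=encrypt-config
SECRET_FILE="${SECRET_FILE:-$BIN_DIR/.ciam_secret}"  # file name is this script's choice

# Keys the step 2 property file must carry.
REQUIRED_KEYS="CIAM_SERVER_ADDR DB_HOST DB_PORT DB_USER DB_PASSWORD DB_NAME DB_TYPE
DB_MAX_CON DB_MAX_IDLE_CON CRL_CACHE_SIZE MAX_CRL_URLS MAX_CRL_FILE_SIZE DB_FOLDER"

# Step 2: write my_config.env with the properties exactly as listed in the article.
write_ciam_config() {
  local path="$1"
  cat > "$path" <<'EOF'
CIAM_SERVER_ADDR=localhost:8000
DB_HOST=localhost:8000
DB_PORT=5432
DB_USER=admincmfa
DB_PASSWORD=
DB_NAME=pacificdb
DB_TYPE=sqlite
DB_MAX_CON=100
DB_MAX_IDLE_CON=10
CRL_CACHE_SIZE=50
MAX_CRL_URLS=15
MAX_CRL_FILE_SIZE=20
DB_FOLDER=db
EOF
  chmod 600 "$path"   # only the service account needs to read it
}

# Check that every required key appears exactly once, so a half-pasted or
# duplicated line is caught before the encrypt step consumes the file.
validate_ciam_config() {
  local path="$1" key count
  [ -f "$path" ] || { echo "missing $path" >&2; return 1; }
  for key in $REQUIRED_KEYS; do
    count=$(grep -c "^${key}=" "$path" || true)
    [ "$count" -eq 1 ] || { echo "$key found $count times in $path" >&2; return 1; }
  done
}

# Store the secret read from stdin in a file created with mode 600. Later steps
# redirect this file into ciam-service-plain instead of echoing the key on a
# command line, where it would end up in shell history and in ps output.
store_secret() {
  local path="$1"
  rm -f "$path"
  ( umask 077 && cat > "$path" )
  [ -s "$path" ] || { echo "no secret was written to $path" >&2; return 1; }
}

# Step 4: generate the key and keep it in SECRET_FILE.
generate_and_store_secret() {
  "$BIN_DIR/generate-secret.sh" | store_secret "$SECRET_FILE"
}

# Step 5: export the client name and secret for the current shell.
export_ciam_env() {
  export CIAM_CLIENT_NAME="${1:-admin}"
  CIAM_CLIENT_SECRET=$(cat "$SECRET_FILE")
  export CIAM_CLIENT_SECRET
}

# Step 6: produce config_enc.env from my_config.env.
encrypt_config() {
  validate_ciam_config "$CONFIG_PLAIN"
  "$BIN_DIR/ciam-service-plain" -mode=encrypt-config -config="$CONFIG_PLAIN" < "$SECRET_FILE"
  [ -f "$CONFIG_ENC" ] || { echo "encrypt-config did not produce $CONFIG_ENC" >&2; return 1; }
}

# Step 7 (background variant): start detached; stdout/stderr go to a log next
# to the binary, which is where note 4 says execution logs live.
start_ciam() {
  nohup "$BIN_DIR/ciam-service-plain" -mode=start -config="$CONFIG_ENC" \
    < "$SECRET_FILE" > "$BIN_DIR/ciam-start.log" 2>&1 &
  echo $! > "$BIN_DIR/ciam.pid"
}

# Full run, only when invoked as "bash ciam-setup.sh run" on the SRM host.
if [ "${1:-}" = "run" ]; then
  write_ciam_config "$CONFIG_PLAIN"                                        # step 2
  chmod 755 "$BIN_DIR/ciam-service-plain" "$BIN_DIR/generate-secret.sh"   # step 3, execute bit only
  generate_and_store_secret                                               # step 4
  export_ciam_env admin                                                   # step 5
  encrypt_config                                                          # step 6
  start_ciam                                                              # step 7
  echo "CIAM service started, pid $(cat "$BIN_DIR/ciam.pid"); log: $BIN_DIR/ciam-start.log"
fi
```

Run it on the SRM Frontend host as the account that owns the APG tree: `bash ciam-setup.sh run`. validate_ciam_config is also useful on its own before step 6 when the property file was pasted by hand, and the pid file gives you something to check after the reboots and upgrades that the notes below say invalidate the SQLite-backed SSO settings.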

Notes:
  1. The CIAM service must be in running state for SSO to function.
  2. CIAM_CLIENT_NAME - CIAM client identifier for the CIAM server
  3. config_enc.env - encrypted configuration file created at step 6
  4. Execution logs will be available under <SRM-INSTALLED-PATH>/APG/bin/
  5. The SSO settings are stored in a temporary database (SQLite), so the configuration must be entered manually once. After clicking SAVE, the configuration parameters are not displayed in the SRM SSO settings UI.
  6. Since the DB used is temporary, the SSO must be reconfigured if any of the following activities are performed:
    1. System Reboot
    2. SRM upgrade or patch
    3. Temporary DB cleared or migrated
Refer to the SRM Administration Guide under "Troubleshooting CIAM Service" for detailed reconfiguration steps.

Steps for Windows Binary:

1. Log in to the SRM Frontend server remotely.
2. Navigate to the <SRM-INSTALLED-PATH>\APG\bin folder and create the "my_config.env" configuration file (from the command prompt: notepad my_config.env), then copy and paste the properties below and save the file.

CIAM_SERVER_ADDR=localhost:8000
DB_HOST=localhost
DB_PORT=5432
DB_USER=admincmfa
DB_PASSWORD=
DB_NAME=pacificdb
DB_TYPE=sqlite
DB_MAX_CON=100
DB_MAX_IDLE_CON=10
CRL_CACHE_SIZE=50
MAX_CRL_URLS=15
MAX_CRL_FILE_SIZE=20
DB_FOLDER=db

3. Open the Windows command prompt and navigate to the <SRM-INSTALLED-PATH>\APG\bin folder to generate the secret key required to start the CIAM service in secure mode
# generate-secret.cmd

4. Set the environment variables for the CIAM service
# set CIAM_CLIENT_NAME=<username>
# set CIAM_CLIENT_SECRET=<generated from step 3>
Ex:
# set CIAM_CLIENT_NAME=admin
# set CIAM_CLIENT_SECRET=ytWlcSZTntLSmXU9/HUuclnQe17sAEdaQlDqPra2eGE=

5. Copy and use the secret key to generate the config file required for starting the CIAM service
# echo <generated key from step 3> | ciam-service-plain.exe -mode=encrypt-config -config=my_config.env

6. Start the CIAM service using the secret key and the config file generated above
# start cmd /c "echo <generated key from step 3> | ciam-service-plain.exe -mode=start -config=config_enc.env"
OR
Run the CIAM service in the background using the command below:
# start cmd /c "echo <generated key from step 3> | ciam-service-plain.exe -mode=start -config=config_enc.env" >> ciam.log

Notes:
  1. The CIAM service must be in running state for SSO to function.
  2. CIAM_CLIENT_NAME - CIAM client identifier for the CIAM server
  3. config_enc.env - encrypted configuration file created at step 5
  4. Execution logs will be available under <SRM-INSTALLED-PATH>\APG\bin\
  5. The SSO settings are stored in a temporary database (SQLite), so the configuration must be entered manually once. After clicking SAVE, the configuration parameters are not displayed in the SRM SSO settings UI.
  6. Since the DB used is temporary, the SSO must be reconfigured if any of the following activities are performed:
    1. System Reboot
    2. SRM upgrade or patch
    3. Temporary DB cleared or migrated
Refer to the SRM Administration Guide under "Troubleshooting CIAM Service" for detailed reconfiguration steps.


Affected Products
SRM