Deployment Guide for IM and Presence Service on Cisco Unified Communications Manager, Release 9.0(1)
Single Sign-On setup
Download this chapter
Single Sign-On setupSingle Sign-On setup
Download the complete book
Deployment Guide for IM and Presence Service on Cisco Unified Communications Manager, Release 9.0(1)Deployment Guide for IM and Presence Service on Cisco Unified Communications Manager, Release 9.0(1) (PDF - 5 MB)
 Feedback

Contents

Single Sign-On setup

Single Sign-On

The Single Sign-On (SSO) feature allows end users to log in to Windows, and then use the following IM and Presence applications without having to sign in again:
  • Cisco Unified CM IM and Presence User Options
  • Cisco Unified CM IM and Presence Administration
  • Cisco Unified IM and Presence Serviceability
  • Cisco Unified IM and Presence Reporting
  • IM and Presence Disaster Recovery System
  • Cisco Unified Real-Time Monitoring Tool (RTMT) for IM and Presence Service
  • Cisco Unified IM and Presence Operating System Administration

Note

Cisco highly recommends that you configure the SSO feature in the same sequence that the tasks are provided in this chapter.

Single Sign-On system requirements

The SSO feature requires the following third-party applications:
  • Microsoft Windows Server 2003 or Microsoft Windows Server 2008
  • Microsoft Active Directory
  • ForgeRock Open Access Manager (OpenAM) Version 9.0

Note

The SSO feature uses Active Directory and OpenAM in combination to provide SSO access to client applications.

The following configuration requirements must be met:

  • Active Directory must be deployed in a Windows domain-based network configuration, not just as an LDAP server.
  • The OpenAM server must be accessible on the network to all client systems and the Active Directory server.
  • The Active Directory (Domain Controller) server, Windows clients, IM and Presence servers, and OpenAM server must be in the same domain.

    Note

    See the third-party product documentation for more information about the requirements above.

  • DNS must be enabled in the domain.
  • The clocks of all the entities participating in SSO must be synchronized.

Java installation

You must install Java as part of the Single-Sign On configuration taskflow. Keep in mind that the default keystore password "changeit" used throughout this chapter can be replaced with a keystore password of your choice; If you do replace this password, you will need to continue using the new password wherever "changeit" is used in the remainder of this chapter.

Install Java using Linux platform

Install Java SDK on the OpenAM server.


Note

It is assumed throughout these instructions that it is the 'root' user performing these tasks and executing these commands. If another user performs these actions, adjust operations accordingly.

Procedure
    Step 1   Download the latest version of Java:http:/​/​www.oracle.com/​technetwork/​java/​javase/​downloads/​index.html
    Step 2   Run the downloaded file to install Java.
    Step 3   Define JAVA_HOME, JRE_HOME environmental variables in your user profile (.bash_profile). Here is an example:

    Example:
    export JAVA_HOME=/usr/java/jdk1.6.0_20 (or whatever version is being used)
export JRE_HOME=/usr/java/jdkl6.0_20/jre
    Step 4   Tomcat must be enabled for SSL and therefore requires a Java keystore and a security certificate. There are two options depending on your security requirements:
    Option Description
    Use a self-signed security certificate for Tomcat

    Proceed with step 5
    Use a Certificate Authority (CA) signed security certificate for Tomcat

    Proceed with step 10
    Step 5   Create the Java keystore. Execute the following command on the terminal. The default keystore password is changeit:

    Example:
    '$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA -validity 1825 -ext BC:c=ca:true'

    The keytool command with -ext option requires Java JDK 7. Using the -ext option with the above value results in a Tomcat certificate with the Certificate Authority (CA) flag set to true. The CA flag must be set to true or the Cisco Unified IM and Presence Operating System Administration interface may fail to upload the certificate into the tomcat-trust trust store. For more information, see Import OpenAM certificate into IM and Presence.

    Step 6   When prompted to enter first and last name, enter the FQDN (hostname.domainname) of your OpenAM server.

    You are prompted to enter your organization unit name, organization name, city or locality, state or province, and two-letter country code.

    Step 7   When prompted for a Tomcat password, enter the default keystore password changeit.

    Keystore is created under the root directory (/root/.keystore).

    Step 8   It is possible to view the Tomcat certificate in the keystore using the following command:

    Example:
    $JAVA_HOME/bin/keytool -list -v -alias tomcat
    Step 9   If you chose to use a self-signed security certificate for Tomcat, you can skip to the end of this procedure and consider this task complete.
    Step 10   Create a Java keystore to store Certificate Authority (CA)-signed security certificates for Tomcat. Execute the following command on the terminal. The default keystore password is changeit.

    Example:'$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA -validity 1825'
    Step 11   You can view the Tomcat certificate in the keystore using the following command:

    Example:$JAVA_HOME/bin/keytool -list -v -alias tomcat
    Step 12   When prompted to enter first and last name, enter the FQDN (hostname.domainname) of your OpenAM server.

    You are prompted to enter your organization unit name, organization name, city or locality, state or province, and two-letter country code.

    Step 13   When prompted for a Tomcat password, enter the default keystore password changeit

    Keystore is created under the root directory (/root/.keystore).

    Step 14   Generate a certificate signing request (CSR) for this Tomcat instance. Execute the following command on the terminal. This command creates the CSR and writes it to a file called certreq.csr.

    Example:'$JAVA_HOME/bin/keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr'
    Step 15   Submit the CSR to your Certificate Authority, request the Certificate Authority to sign the CSR and create a certificate. Copy the new certificate, the Certificate Authority's signing or root certificate and any other intermediate signing certificates (if applicable) to the OpenAM server. Refer to the Certificate Authority documentation for instructions on how to complete these tasks.
    Step 16   Import the Certificate Authority's signing or root certificate and any other intermediate signing certificates (if applicable) into the Tomcat java keystore that was created in step 10. Execute the following command on the terminal and answer 'yes' to the prompt, 'Trust this certificate?'.

    Example:'$JAVA_HOME/bin/keytool -import -alias root -trustcacerts -file <filename_of_the_Certificate Authority_certificate>'

    Repeat this command for each intermediate certificate (if applicable) and note the -alias option must updated with a value unique to the keystore. For example, '$JAVA_HOME/bin/keytool -import -alias inter01 -trustcacerts -file <filename_of_the_intermediate_signing_certificate>'.

    Step 17   You can view the Certificate Authority signing certificate in the keystore using the following command:

    Example:$JAVA_HOME/bin/keytool -list -v -alias root
    Step 18   Import the new certificate into the Tomcat Java keystore that was created in step 10. Execute the following command on the terminal.

    Example:'$JAVA_HOME/bin/keytool -import -alias tomcat -file <new_certificate_filename>'
    Step 19   You can view the new Tomcat certificate in the keystore using the following command. Note that the issuer of this new Tomcat certificate is the Certificate Authority.

    Example:$JAVA_HOME/bin/keytool -list -v -alias tomcat
    Related Tasks

    Install Java using Windows platform

    Procedure
      Step 1   Download the latest version of Java: http:/​/​www.oracle.com/​technetwork/​java/​javase/​downloads/​index.html
      Step 2   Run the downloaded file to install Java.
      Step 3   Tomcat needs to be enabled for SSL and therefore requires a Java keystore and a security certificate. There are two possible approaches, depending on your security requirements.
      Option Description
      Use a self-signed security certificate for Tomcat

      Proceed with step 4
      Use a Certificate Authority (CA) signed security certificate for Tomcat

      Proceed with step 9
      Step 4   Create the Java keystore. Open a command prompt and execute the following command. The default keystore password is changeit.

      Example:
      C:\>"c:\Program Files\Java\jdkl.6.020\bin\keytool.exe" -genkey -alias tomcat -keyalg RSA -validity 1825 –keystore c:\keystore -ext BC:c=ca:true

      The -keystore option must specify the file path to the new keystore file. For example, in the above command the new keystore file is c:\keystore.

      Note   

      The keytool command with -ext option requires Java JDK 7. Using the -ext option with the above value results in a Tomcat certificate with the CA flag set to true. The CA flag must be set to true or the Cisco Unified IM and Presence Operating System Administration interface may fail to upload the certificate into the tomcat-trust trust store. For more information, see Import OpenAM certificate into IM and Presence.

      Step 5   When prompted to enter the first name and last name, enter the FQDN (hostname.domainname) of your OpenAM server.

      You are also prompted to enter your organization unit name, organization name, city or locality, state or province, and two-letter country code.

      Step 6   When prompted for a Tomcat password, enter the default keystore password changeit. The Keystore file is created with the following file path: c:\keystore.
      Step 7   You can view the Tomcat certificate in the keystore using the following command:

      Example: C:\>"c:\Program Files\Java\jdkl.6.020\bin\keytool.exe" -list -v -alias tomcat -keystore c:\keystore
      Step 8   If you chose to use a self-signed security certificate for Tomcat, proceed to the end. You have completed this task.
      Step 9   Create a Java keystore to store Certificate Authority (CA)-signed security certificates for Tomcat. Open a command prompt and execute the following command. The default keystore password is changeit:

      Example: C:\>"c:\Program Files\Java\jdkl.6.020\bin\keytool.exe" -genkey -alias tomcat -keyalg RSA -validity 1825 -keystore c:\keystore
      Step 10   When prompted to enter the first name and last name, enter the FQDN (hostname.domainname) of your OpenAM server.

      You are also prompted to enter your organization unit name, organization name, city or locality, state or province, and two-letter country code.

      Step 11   When prompted for a Tomcat password, enter the default keystore password changeit. The keystore is created at the file path specified in the keytool command (C:\keystore).
      Step 12   You can view the Tomcat certificate in the keystore using the following command:

      Example: C:\>"c:\Program Files\Java\jdkl.6.020\bin\keytool.exe" -list -v -alias tomcat -keystore c:\keystore
      Step 13   Generate a certificate signing request (CSR) for this Tomcat instance. Execute the following command on the terminal. This command creates the CSR and writes it to a file called certreq.csr.

      Example: C:\>"c:\Program Files\Java\jdkl.6.020\bin\keytool.exe" -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore c:\keystore
      Step 14   Submit the CSR to your Certificate Authority, request the Certificate Authority to sign the CSR and create a certificate. Copy the new certificate, the Certificate Authority's signing or root certificate and any other intermediate signing certificates (if applicable) to the OpenAM server. Refer to Certificate Authority documentation for instructions on how to complete these tasks.
      Step 15   Import the Certificate Authority's signing or root certificate and any other intermediate signing certificates (if applicable) into the Tomcat java keystore that was created in step 9. Execute the following command on the terminal and answer 'yes' to the prompt, 'Trust this certificate?'.

      Example: C:\>"c:\Program Files\Java\jdkl.6.020\bin\keytool.exe" -import -alias root -trustcacerts -file <filename_of_the_CA_root_certificate> -keystore c:\keystore

      Repeat this command for each intermediate certificate (if applicable) and note the -alias option must updated with a value unique to the keystore. For example, C:\>"c:\Program Files\Java\jdkl.6.020\bin\keytool.exe" -import -alias root inter01 -trustcacerts -file <filename_of_the_intermediate_signing_certificate> -keystore c:\keystore.

      Step 16   You can view the Certificate Authority signing certificate in the keystore using the following command:

      Example: C:\>"c:\Program Files\Java\jdkl.6.020\bin\keytool.exe" -list -v -alias root -keystore c:\keystore
      Step 17   Import the new certificate into the Tomcat java keystore that was created in step 9. Execute the following command on the command prompt.

      Example: C:\>"c:\Program Files\Java\jdkl.6.020\bin\keytool.exe" -import -alias tomcat -file <new_certificate_filename> -keystore c:\keystore
      Step 18   You can view the new Tomcat certificate in the keystore using the following command. Note that the issuer of this new Tomcat certificate is the Certificate Authority.

      Example: C:\>"c:\Program Files\Java\jdkl.6.020\bin\keytool.exe" -list -v -alias tomcat -keystore c:\keystore
      Related Tasks

      Tomcat installation

      Install Tomcat using Linux platform

      Procedure
        Step 1   Download the latest version of Apache Tomcat: http:/​/​tomcat.apache.org/​index.html

        Download the zip/tar archives specific to your processor architecture (32bit/64bit).

        Step 2   Extract the apache-tomcat-<latest version>.tar.gz archive. In this document, it is extracted under the root home directory (\root):
        Step 3   Increase the JVM heap size on Tomcat by defining and setting the CATALINA_OPTS environmental variable in your user profile (.bash_profile). Set CATALINA_OPTS by adding the following line to your user profile (.bash_profile): export CATALINA_OPTS="- Xms512m -Xmx1024m -xx:MaxPermSize=256m.

        Ensure to source the .bash_profile script before starting Tomcat to ensure the environmental variables are set beforehand.

        Step 4   Open the server.xml file under /root/apache-tomcat-<latest version>/conf directory and Comment out the 8080 connector port. Enter the code as follows:

        Example:
        <!--<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout-"20000"
redirectPort-"8443" /> -->
        Step 5   Uncomment the 8443 connector port: Remove <!– – code at the beginning and – –> at the end of the 8443 connector. Enter the code as follows:

        Example:
        <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" />
        Step 6   Save the server.xml file after making the above changes.
        Step 7   Start the Tomcat service by executing startup.sh under /root/apache-tomcat-<latest version>/bin directory.
        Note   

        By default, Tomcat expects the keystore file to be located in the OS home directory of the user that is running Tomcat (for example, /root/.keystore, assuming the user root started the Tomcat process). Ensure that the user who created the keystore file in the section Install Java using Linux platform starts the Tomcat process.

        Step 8   Launch a browser and go to https:/​/​localhost:8443/​tomcat.gif

        If your certificate is self-signed, your browser notifies you. Instruct the browser to import the certificate and proceed. Tomcat is configured when the Tomcat logo appears.

        Install Tomcat using a Windows platform

        Procedure
          Step 1   Download the latest version of Apache Tomcat: http:/​/​tomcat.apache.org/​index.html

          Download the Tomcat service installer (32bit/64bit Windows Service Installer - apache-tomcat-<latest version>.exe).

          Step 2   Install the apache-tomcat-<latest version>.exe. In this example, Tomcat is installed under c:\Program Files\Apache Software Foundation\Tomcat <latest version>.
          Step 3   Set the JAVA-HOME, JRE_HOME and JAVA_OPTS environment variables by creating a file called setenv.bat under c:\Program Files\Apache Software Foundation\Tomcat <latest version>\bin and set the above variables.

          Example: 
          set JAVA_HOME=c:\Program Files\Java\jdkl.6.0_20
set JRE_HOME=c:\Program Files\Java\jdkl.6.0_20\jre
set JAVA_OPT=%JAVA_OPTS% -xMS512m -xMX1024m
          Step 4   Open the server.xml file under c:\Program Files\Apache Software Foundation\Tomcat <latest version>\conf folder.
          Step 5   Comment out the 8080 connector port. Enter the code as follows:

          Example:
          <!--<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort-"8443" /> -->
          Step 6   Uncomment the 8443 connector port. Remove the <!- - code at the beginning and - -> at the end of the 8443 connector. In this 8443 connector, two more attributes have been added: keystoreFile (location of the keystore file that was created in section Install Java using Windows platform. In this example, it was created under C:\keystore) and keystoreType. Because we have the keystore created with the default password changeit, you do not need to set the keystorePass attribute. Enter the code as follows:

          Example:
          <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="c:\keystore"
keystoreType="JKS"/>
          Step 7   Save the server.xml file after making the above changes.
          Step 8   Start the Tomcat service from the services.msc utility or from Administrative Tools > Services > Apache Tomcat <latest version> > Start.
          Step 9   Launch a browser and go to https://localhost:8443/tomcat.gif. If your certificate is self-signed, your browser notifies you. Instruct the browser to import the certificate and proceed. Tomcat is configured when the Tomcat logo appears.
          What to Do Next

          Provision active directory for Single Sign-On

          Provision active directory for Single Sign-On

          Procedure
            Step 1   Log in to the Active Directory (AD) server.
            Step 2   From the Start menu, go to Programs > Administration Tools and select Active Directory Users and Computers.
            Step 3   Go to Users > New > Users and create a new user with the OpenSSO Enterprise hostname as the User ID.

            The OpenSSO Enterprise hostname should not include the domain name.

            Step 4   Disable the User must change password at next login option.
            Step 5   Create a keytab file on the AD server using the following command from the command prompt.

            Example:
            ktpass -princ HTTP/<hostname>.<domainname>@<DCDOMAIN> -pass <password> -mapuser <userName> -out <hostname>.HTTP.keytab -ptype KRB5_NT_PRINCIPAL -target <DCDOMAIN>

            Where <userName> is the OpenSSO Enterprise hostname entered in step 3.

            For example: 
            ktpass -princ HTTP/sso.cisco.com@CISCO.COM -pass cisco123 -mapuser sso -out sso.HTTP.keytab -ptype KRB5_NT_PRINCIPAL -target CISCO.COM
            Step 6   After successful creation of the keytab file, copy the keytab file to a location on the OpenAM server; this path will later be specified in OpenAM configuration.

            For OpenAM configured on Linux, you can create a directory under root and copy the above keytab file. For example, /root/keytab/examplehost.HTTP.keytab.

            For OpenAM configured on Windows, you can create a directory under C:\> and copy the above keytab file. For example, c:/keytab/examplehost.HTTP.keytab.

            What to Do Next

            OpenSSO Enterprise War on Apache Tomcat

            OpenSSO Enterprise War on Apache Tomcat

            Deploy OpenSSO Enterprise War on Apache Tomcat on Linux

            Procedure
              Step 1   Go to the ForgeRock site below and download the stable release OpenAM Release 9 / February 7, 2010(20100207): http:/​/​www.forgerock.com/​downloads.html
              Step 2   Copy the openam_954.zip to the OpenAM server to any location and unzip it.
              Step 3   Stop the Tomcat service if it is running on this OpenAM server.
              Step 4   After unzipping, copy the opensso.war file under opensso/deployable-war directory and paste it under /root/apache-tomcat-7.0.0/webapps directory.

              In this example, and the remainder of this chapter, it is assumed that the OpenAM war file is called opensso.war. This is an important consideration because the sample URLs specified in this document make that same assumption. Keep this in mind if you decide to use a war filename other than opensso.war.

              Step 5   Start the Tomcat service by executing startup.sh under /root/apache-tomcat-<latest version>/bin directory.
              What to Do Next

              Set up OpenSSO Enterprise using GUI Configurator

              Deploy OpenSSO Enterprise War on Apache Tomcat on Windows

              Procedure
                Step 1   Go to the ForgeRock site below and download the stable release OpenAM Release 9 / February 7, 2010(20100207): http:/​/​www.forgerock.com/​downloads.html
                Step 2   Copy the openam_release9_20100207.zip to the OpenAM server to a specific location and unzip it.
                Step 3   Select Administrative Tools > Services > Apache Tomcat <latest version> > Stop to stop the Tomcat service if it is running on this OpenAM server.
                Step 4   After unzipping, copy the opensso.war file under opensso/deployable-war directory and paste it under c:\Program Files\Apache Software Foundation\Tomcat 7.0\webapps folder.

                In this example, it is assumed that the OpenAM war file is called opensso.war. If you are following the example deployment in this document, Cisco recommends that you use this filename. The war filename is used in URLs and directories referred to later in this chapter.

                Step 5   Select Administrative Tools > Services > Apache Tomcat <latest version> > Start to start the Tomcat service.
                What to Do Next

                Set up OpenSSO Enterprise using GUI Configurator

                Set up OpenSSO Enterprise using GUI Configurator

                Here is an example of how to configure OpenSSO. If you have an existing OpenAM server or a solid understanding of OpenAM, you can configure the server differently.

                OpenAM server and policy agents require FQDNs for the hostname of the machines on which you will perform your installations. You cannot use a hostname like "localhost" and cannot use numeric IP addresses like "192. 168.1.2" as hostname either, because this will cause problems during installation, configuration, and usage.

                In order to access OpenAM, a web browser must be installed, for example, Mozilla Firefox. When accessing OpenAM for the first time, you should use FQDN of OpenAM server in the URL. For example, https://hostexample.corp.com:8443/opensso. When you access OpenSSO Enterprise for the first time, you are directed to the Configurator to perform initial configuration of the OpenSSO Enterprise. The Configuration Options window appears when you access the OpenSSO for the first time. Select the Create Default Configuration link.

                You specify and confirm passwords for the OpenSSO Enterprise administrator (amAdmin) and the default policy agent user (UrlAccessAgent). The default policy agent user is not used later in this example configuration; amAdmin is used each time you log in to OpenAM to change the configuration.

                If a problem occurs during the configuration, the Configurator displays an error message. If possible, correct the error and retry the configuration. Also, check the web container log files and the install.log which, if created, will be in the configuration directory. The configuration directory is <default>/opensso, where <default> refers to the default OpenAM configuration directory (for example, /root/opensso on Linux platforms or C:\opensso on Windows platforms). These logs might contain information about the cause of a configuration problem.

                By default, OpenSSO configuration is stored under /root/opensso directory on Linux platforms and under C:\opensso on Windows platforms.

                Procedure
                  Step 1   Open the Web browser and navigate to your deployed OpenSSO Web application.
                  Step 2   Select Proceed to log in and enter the amAdmin and password.
                  Step 3   Go to the Access Control tab, and select the /(Top Level Realm).
                  Step 4   Select Authentication > Core > All Core Settings.
                  Step 5   Set the User Profile to Ignored.
                  Step 6   Click Save to save the configuration.
                  What to Do Next

                  Set up policies on OpenSSO server

                  Set up policies on OpenSSO server

                  Table 1 Required Policy Rules for the IM and Presence Single Sign-On Feature
                  Service Type Name Resource Name Action
                  URL Policy Agent (with resource name) <hostname>-01 https://<IMP FQDN>/* Enable GET, Value = Allow Enable POST , Value = Allow
                  <hostname>-02 https://<IMP FQDN>/*?*
                    <hostname>-03 https://<IMP FQDN>/*?*?*
                  <hostname>-04 https://<IMP FQDN>:8443/*
                  <hostname>-05 https://<IMP FQDN>:8443/*?*
                  <hostname>-06 https://<IMP FQDN>:8443/*?*?*
                  Applying the policy rules as defined in this procedure means that the IM and Presence Administration/User interfaces can only be accessed with the Web Browser using the following URL formats:
                  • https://<IMP FQDN> - for example, https://IMP-Node-01.cisco.com
                  • https://<IMP FQDN>:8443 - for example https://IMP-Node-01.cisco.com:8443/

                  It is NOT possible to access the IM and Presence Administration/User interface using a URL that only specifies a hostname such as https://<IMP HOSTNAME> (for example, https://IMP-Node-01/).

                  Procedure
                    Step 1   From the Access Control tab, select / (Top Level Realm).
                    Step 2   From the Policies tab, add a new policy.
                    Step 3   Enter the Policy Name (for example, IMPPolicy) and click OK

                    IMPPolicy is only a suggested value. Any valid name value can be used. This value will not be required later in this configuration

                    Step 4   Select the new policy, IMPPolicy, for editing.

                    In editing the policy, three sections must be updated: Rules, Subjects, and Conditions. The six rules that need to be added are outlined in the table above.

                    Step 5   Add the rules as follows:
                    1. Under the Rules section, click New.
                    2. Select Service Type as URL Policy Agent (with resource name)
                    3. In the field provided, enter the suggested rule Name from the above table, replacing <hostname> with the actual hostname of the IM and Presence node.
                    4. In the field provided, enter the corresponding Resource Name for this rule, replacing <IMP FQDN> with the actual Fully Qualified Domain Name of the IM and Presence node.
                    5. Enable the GET action with a value of Allow.
                    6. Enable the POST action with a value of Allow.
                    7. Click Finish to complete the rule update.
                    8. Click Save to save the policy update.
                    9. Repeat this entire step for each rule in the above table.

                    This set of six rules must be added for each IM and Presence node that is enabled for Single Sign-On.

                    Step 6   A single Subject must be added to the policy. Add the Subject as follows:
                    1. Under the Subjects section, click New.
                    2. Select Subject Type as Authenticated Users.
                    3. Enter IMPSubject as the Name value.

                      IMPSubject is only a suggested value. Any valid name value can be used. This value will not be required later in this configuration.

                    4. Click Finish to complete the Subject update.
                    5. Click Save to save the policy update.

                    Only a single Subject is required for this policy even if multiple IM and Presence nodes are enabled for Single Sign-On.

                    Step 7   A single Condition must be added to the policy. Add the Condition as follows:
                    1. Under the Conditions section, click New.
                    2. Select Condition Type as Active Session Time.
                    3. Enter IMPTimeOutCondition as the Name value.

                      IMPTimeOutCondition is only a suggested value. Any valid name value can be used. This value will not be required later in this configuration.

                    4. Enter 120 as the Maximum Session Time.
                    5. Ensure the Terminate Session field is set to No.
                    6. Click Finish to complete the Subject update.
                    7. Click Save to save the policy update.

                    Note that only a single Condition is required for this policy, even if multiple IM and Presence nodes are enabled for SSO.

                    What to Do Next

                    Set up SSO module instance

                    Set up SSO module instance

                    This single module instance can be shared by multiple IM and Presence nodes configured for SSO as long as the same Active Directory domain is used throughout the deployment. Deployment scenarios involving more than one Active Directory domain are not covered in this documentation

                    Procedure
                      Step 1   Copy the keytab files to the OpenAM server that you created in Provision active directory for Single Sign-On.
                      Step 2   Log in to the OpenSSO Enterprise administration console as amAdmin.
                      Step 3   Choose Access Control > Top Level Realm > Authentication > Module Instances.
                      Step 4   In the Module Instances window, click New.
                      Step 5   Enter a name for the new login module instance (for example, IMPKRB) and select Windows Desktop SSO.
                      Step 6   Click OK.

                      This module instance name will be used later when enabling SSO on the IM and Presence server.

                      Step 7   In the Module Instances window, select the name of the new login module (for example, IMPKRB) and provide the following information:
                      • Service Principal—HTTP/openAMhostname.domain.com@DOMAIN.COM. Here is an example using the openAM server name and domain: HTTP/openamhost.example.com@EXAMPLE.COM
                      • Keytab File Name—c:\keystore\openAMhostname.HTTP.keytab (on Windows platform) or /root/keytab/openAMhostname.HTTP.keytab (on Linux platorm)
                      • Kerberos Realm—DOMAIN.COM -domain for OpenAM server (for example, EXAMPLE.COM)
                      • Active Directory / Kerberos Server Name—kerberos.example.com

                        If multiple Kerberos Domain Controllers exist for failover purposes, all Kerberos Domain Controllers can be set using a colon (:) as the separator.

                      • Return Principal with Domain Name—False. Leave the Enabled check box unchecked.
                      • Authentication Level—22
                      Step 8   Click Save.

                      The module instance is created and called IMPKRB.

                      Set up J2EE agent profile on OpenSSO server

                      Perform the following steps in OpenSSO Enterprise Console. The key steps of this task are to create an agent name and an agent password.


                      Note

                      One J2EE Agent is required per IM and Presence node. If multiple nodes are to be configured for Single Sign-On, a J2EE agent must be created for each additional node.

                      Procedure
                        Step 1   Log in to OpenSSO Enterprise administration console using the credentials specified in section Set up OpenSSO Enterprise using GUI Configurator.
                        Step 2   Select the Access Control tab.
                        Step 3   Select the name of the realm to which the agent will belong, such as the following: /(Top Level Realm).
                        Step 4   Select the Agents tab.
                        Step 5   Select the J2EE tab.
                        Step 6   Select New in the Agent section.
                        Step 7   Enter values for the following fields:
                        • Name - Enter the name or identity of the agent (for example, <hostname>-j2ee-agent).
                          Note   

                          The Agent name will be used later when you enable SSO on IM and Presence. For example, “enter the name of the profile configured for this policy agent.”

                        • Password - Enter the agent password.
                          Note   

                          You will be asked for this password when you enable SSO on IM and Presence.

                        • Server URL field - Enter the OpenSSO Enterprise server URL. For example, https://<OpenAM FQDN>:8443/opensso.
                        • Agent URL field - Enter the URL for the agent application. For example, https://<IM and Presence FQDN>:8443/agentapp.
                          Note   

                          "agentapp" will be used later in the example given for enabling SSO on IM and Presence.

                        Step 8   Select Create.

                        A J2EE Agent with the name of <hostname-j2ee-agent> is created.

                        Step 9   Select the J2EE agent created above.
                        Step 10   Select the Application tab.
                        Step 11   Under Login Processing, enter the Login Form URIs for each web GUI application on IM and Presence as follows:
                        • Cisco Unified CM IM and Presence Administration: /cupadmin/WEB-INF/pages/logon.jsp
                        • Cisco Unified IM and Presence Serviceability: /ccmservice/WEB-INF/pages/logon.jsp
                        • Cisco Unified IM and Presence Reporting: /cucreports/WEB-INF/pages/logon.jsp
                        • Cisco Unified IM and Presence OS Administration: /cmplatform/WEB-INF/pages/logon.jsp
                        • IM and Presence Disaster Recovery System: /drf/WEB-INF/pages/logon.jsp
                        • Real-Time Monitoring Tool (RTMT): /ast/WEB-INF/pages/logon.jsp
                        • Cisco Unified CM IM and Presence User Options–/cupuser/WEB-INF/pages/logoncontrol.jsp
                        Step 12   Click Save.
                        Step 13   From the OpenAM Services tab, under Login URL, add OpenSSO Login URL as https://<OpenSSO FQDN>:8443/opensso/UI/Login?module=<SSO_Module>.

                        SSO_Module should be the same value as the one created in Set up SSO module instance. For example, https://OpenAM-01.corp.com:8443/opensso/UI/Login?module=IMPKRB.

                        Step 14   In the text area, remove all URLs other than the Login URL. Only the Login URL specified in the previous step should be listed in the text area.
                        Step 15   Click Save.

                        Setting the OpenAM session timeout

                        The OpenAM session timeout must be set to a value that is lower than the Web application session idle timeout parameter set on the IM and Presence server.

                        Procedure
                          Step 1   Access the IM and Presence Administration CLI.
                          Step 2   Execute the following command to determine the IM and Presence Web application session idle timeout value: show webapp session timeout
                          Step 3   Open the OpenAM server GUI and select Configuration > Global > Session > Dynamic attributes > Maximum Idle Time.
                          Step 4   Enter a value in the Maximum Idle Time field that is one minute less than the IM and Presence Web application session idle timeout value.

                          Import OpenAM certificate into IM and Presence

                          Communication between IM and Presence and OpenAM must be secure for Single Sign-On to operate successfully. As a result, you must upload the necessary security certificates to the IM and Presence tomcat-trust store so that IM and Presence trusts the OpenAM server. The required procedure is dependent on the security configuration used when creating the Java keystore for the OpenAM Server in section Java installation:
                          • Use a self-signed security certificate for Tomcat
                          • Use a CA signed security certificate for Tomcat

                          Note

                          For information about importing certificates, see Cisco Unified System Maintenance Guide for IM and Presence.

                          Procedure
                            Step 1   Sign in to OpenAM (https://<OpenAM FQDN>:8443/opensso) from your Web browser (for example, Mozilla Firefox).
                            Step 2   Select Tools > Page info > Security > View Certificate.
                            Step 3   Depending on the security configuration used in section Java installation:
                            Option Description
                            Use a self-signed security certificate for Tomcat

                            Proceed with step 4
                            Use a Certificate Authority (CA) signed security certificate for Tomcat

                            Proceed with step 13
                            Step 4   In the Certificate Viewer window, click the Details tab to access certificate information.
                            Step 5   Click Export and save the certificate to your desktop
                            Step 6   After getting the self-signed OpenAM server certificate, sign in to Cisco Unified IM and Presence Operating System Administration and choose Security > Certificate Management.
                            Step 7   Click Upload Certificate/Certificate Chain.
                            Step 8   From the Certificate Name drop-down list in the Upload Certificate dialog box, choose tomcat-trust.
                            Step 9   From the Upload File field, browse for the saved self-signed OpenAM certificate.
                            Step 10   Click Upload File to upload the certificate. The self-signed OpenAM certificate will be added to the IM and Presence Tomcat-truststore.

                            If a "Certificate cannot be added to the trust store because it is not a valid CA root or Intermediate cert" warning displays, ensure the self-signed certificate for the OpenAM server was created using the -ext BC:c=c:true switch. For more information, refer to the Java installation section.

                            Step 11   Restart the Tomcat service using the following CLI command: utils service restart Cisco Tomcat
                            Step 12   If you chose to use a self-signed security certificate for Tomcat, you have completed this task.
                            Step 13   In the Certificate Viewer window, click the Details tab to access certificate information.
                            Step 14   Click Export/Save to file the root and any intermediate signing certificates. The signed OpenAM certificate is not required.
                            Step 15   After saving the root and intermediate certificates, sign in to Cisco Unified IM and Presence Operating System Administration and choose Security > Certificate Management.
                            Step 16   Click Upload Certificate/Certificate Chain.
                            Step 17   From the Certificate Name drop-down list in the Upload Certificate dialog box, choose tomcat-trust.
                            Step 18   From the Upload File field, browse for the saved root certificate.
                            Step 19   Click Upload File to upload the certificate. The root certificate will be added to the IM and Presence Tomcat-truststore.
                            Step 20   Repeat step 16-19 for each saved intermediate certificate.
                            Step 21   Restart the Tomcat service using the following CLI command: utils service restart Cisco Tomcat.
                            What to Do Next

                            Client browser setup for Single Sign-On

                            Client browser setup for Single Sign-On

                            To use SSO for a browser-based client application, you must configure the web browser. The following sections describe how to configure client browsers to use SSO.

                            Configure Internet Explorer for Single Sign-On

                            The SSO feature supports Windows clients running Internet Explorer Version 6.0 and later. Perform the following procedure to configure Internet Explorer to use SSO.

                            Procedure
                              Step 1   Select Tools > Internet Options > Advanced tab.
                              Step 2   Select Enable Integration Windows Authentication.
                              Step 3   Click OK.
                              Step 4   Restart Internet Explorer.
                              Step 5   Select Tools > Internet Options > Security > Local Intranet and click Custom Level....
                              Step 6   Under User Authentication, select Automatic Logon Only in Intranet Zone.
                              Step 7   Click OK.
                              Step 8   Click Sites.
                              Step 9   Select Automatically detect intranet network.
                              Step 10   Click Advanced.
                              Step 11   Fill in the Add this web site to the zone: field with the FQDN of the OpenAM server in the following format: https://OpenAM_FQDN.
                              Step 12   Click Add.
                              Step 13   Click Close.
                              Step 14   Click OK.
                              Step 15   Uncheck Enable Protected Mode.
                              Step 16   Restart Internet Explorer.
                              Step 17   Open the Windows Registry Editor and choose one of the following options:
                              Option Description
                              For Windows XP or Windows 2008

                              Select Start > Run and type regedit.
                              For Windows Vista and Windows 7.0

                              Select Start and type regedit. For Windows Vista, you then need to click Continue.
                              Step 18   Under registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\, add new DWORD (32-bit) value called SuppressExtendedProtection and set the value to hexadecimal 0x02.

                              The DWORD can only be set by an administrator.

                              Step 19   Right-click on the newly created DWORD, select Modify...
                              Step 20   Set the following values:
                              • Base: hexadecimal
                              • Value data: 002
                              The newly created DWORD appears in the LSA directory list as follows:
                              • Name: SuppressExtendedProtection
                              • Type: REG_DWORD
                              • Value: 0x00000002 (2)
                              What to Do Next

                              At this point it is possible to validate the SSO Module. Log into Windows as a user, open the Web Browser, and access the following URL: https://<openam-FQDN>:8443/opensso/UI/Login?module=<SSO_Module>. In this example, openam-FQDN is the FQDN of the OpenAM server, opensso is the name of the OpenAM Web application, and SSO_Module is the name of the WindowsDesktopSSO module. You should see a screen notifying you that login was successful.

                              Import OpenAM certificate into IM and Presence

                              Configure Firefox for Single Sign-On

                              The SSO feature supports Windows clients running Firefox version 3.0 and later.

                              Procedure
                                Step 1   Open Firefox and enter the following URL page: about:config
                                Step 2   Scroll down to network.negotiate-auth.trusted-uris and set it to your domain (for example, corp.com).
                                What to Do Next

                                At this point it is possible to validate the SSO Module. Log into Windows as a user, open the Web Browser, and access the following URL: https://<openam-FQDN>:8443/opensso/UI/Login?module=<SSO_Module>. In this example, openam-FQDN is the FQDN of the OpenAM server, opensso is the name of the OpenAM Web application, and SSO_Module is the name of the WindowsDesktopSSO module. You should see a screen notifying you that login was successful.

                                Import OpenAM certificate into IM and Presence

                                Configure Windows registry

                                To achieve SSO for the Real-Time Monitoring Tool (RTMT), you must create the following new registry key on your Desktop client (Windows XP or Windows 7): allowtgtsessionkey of type REG_DWORD with value set to 1. The allowtgtsessionkey must be set by an administrator.

                                This new registry key should be stored at either of the locations below, depending on your Operating system:

                                • Windows XP: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos
                                • Windows Vista/Windows 7: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters

                                Access Permissions for Single Sign-On

                                Ensure that you have configured the appropriate access permissions before enabling or disabling SSO.

                                Configure access permissions before enabling SSO

                                It is important to understand the user access permissions that should be in place before and after Single Sign-On is enabled. Understanding the permissions can help avoid situations in which users have incorrect permissions when accessing the IM and Presence applications.

                                Table 2 Prerequisites for Enabling Single-Sign On
                                Application Notes

                                Cisco Unified CM IM and Presence Administration (Cisco Unified CM IM and Presence Administration, IM and Presence Serviceability, IM and Presence Reporting)

                                Before enabling SSO, ensure that an end user who is a member of the necessary User Groups exists in order to facilitate administration access.

                                The default administrator application user created at the time of installation would have the following:

                                Groups:
                                • Standard Audit Users
                                • Standard IM and Presence Super Users
                                • Standard RealtimeAndTraceCollection
                                Roles:
                                • Standard AXL API Access
                                • Standard Audit Log Administration
                                • Standard CCM Admin Users
                                • Standard CCMADMIN Administration
                                • Standard CUReporting
                                • Standard RealtimeAndTraceCollection*
                                • Standard SERVICEABILITY Administration

                                Any end user that is a member of the above User Groups with those Roles will have full access rights to IM and Presence, similar to that of the default administrator.

                                To view the default application user on IM and Presence, select Cisco Unified CM IM and Presence Administration > User Management > Find. Select the default application user (that was created during install) to view their details.

                                To assign an end user to these groups on IM and Presence, select Cisco Unified CM IM and Presence Administration > User Management > Access Control Groups > Find. Select a group and click the Add End Users button. Search for the desired end user, select the user, and click Add Selected.

                                Cisco Unified IM and Presence User Options

                                Ensure that the end users are members of the Standard CCM End User group on the corresponding CUCM node.

                                Cisco Unified IM and Presence Operating System Administration (IM and Presence Operating System Administration, IM and Presence DRS)

                                Normally, the default administrator application user does not have access to these Web applications. These Web applications are only accessible by the Cisco Unified IM and Presence Operating System administrator. This administrator has access to the Administration CLI in addition to these Web applications.

                                After SSO is enabled for these applications, the applications are accessible by any end user that has the same permissions as the default administrator application user.

                                Real-Time Monitoring Tool

                                Before enabling SSO, ensure that an end user exists that is a member of the necessary user groups to allow administrative access to the Real-Time Monitoring Tool.

                                Refer to the note for Cisco Unified CM IM and Presence Administration above.

                                Configure access permissions before disabling SSO

                                If SSO is disabled for any IM and Presence Web application that supports SSO, all users accessing that application need to provide a username and password. Cisco recommends that if you are an IM and Presence administrator intending to disable SSO for any IM and Presence Web applications, ensure that users can access the application after SSO is disabled. This is important to avoid inadvertently locking out the active IM and Presence administration account

                                Table 3 Prerequisites for Disabling Single Sign-On
                                Application Notes

                                Cisco Unified CM IM and Presence Administration (Cisco Unified CM IM and Presence Administration, IM and Presence Serviceability, IM and Presence Reporting)

                                Before disabling SSO, ensure that an application user exists with a known username/password and that this user is a member of the necessary User Groups.

                                The default administrator application user created at the time of installation would have the following:

                                Groups
                                • Standard Audit Users
                                • Standard IM and Presence Super Users
                                • Standard RealtimeAndTraceCollection
                                Roles:
                                • Standard AXL API Access
                                • Standard Audit Log Administration
                                • Standard CCM Admin Users
                                • Standard CCMADMIN Administration
                                • Standard CUReporting
                                • Standard RealtimeAndTraceCollection*
                                • Standard SERVICEABILITY Administration

                                Any application user that is a member of the above User Groups with those Roles will have full access rights to IM and Presence if SSO is disabled.

                                To view the application users on IM and Presence, select Cisco Unified CM IM and Presence Administration > User Management > Find. Select a user to view their details.

                                Cisco Unified IM and Presence User Options

                                Ensure that passwords exist for the end users and that they are aware of their password values. This information is required by each end user to access the application in question.

                                Cisco Unified IM and Presence Operating System Administration (IM and Presence Operating System Administration, IM and Presence DRS)

                                Before disabling SSO, ensure that an OS Administration user exists with a known username/password and that this user has access to the Cisco Unified IM and Presence Operating System Administration CLI. After SSO is disabled, this user has access rights to the Cisco Unified IM and Presence Operating System Administration GUIs.

                                Real-Time Monitoring Tool

                                Before disabling SSO, ensure that an application user with a known username/password exists and that this user has the same access rights as the user specified for Cisco Unified CM IM and Presence Administration(Cisco Unified CM IM and Presence Administration, IM and Presence Serviceability, and IM and Presence Reporting).

                                Enable Single Sign-On

                                Enable Single Sign-On using the GUI

                                This Cisco Unified IM and Presence Operating System Administration application is split into three components:
                                • Status
                                • Server Settings
                                • Select Applications

                                Status

                                A warning message displays indicating that the change in SSO settings causes Tomcat to restart.

                                The following error messages may display when enabling the SSO application:
                                • Invalid Open Access Manager (OpenAM) server URL-This error message displays when you give an invalid OpenAM server URL.
                                • Invalid profile credentials-This error message displays when you give a wrong profile name or wrong profile password or both.
                                • Security trust error-This error message displays when the OpenAM certificate has not been imported.

                                Note

                                If you get any of the above error messages while enabling SSO, then the status changes to the above error.

                                Server Settings

                                The server settings are editable only when SSO is disabled for all applications.

                                Select Applications

                                You can enable or disable SSO on any of the following applications:

                                • Cisco Unified CM IM and Presence Administration–Enables SSO for Cisco Unified CM IM and Presence Administration, Cisco Unified IM and Presence Serviceability, and Cisco Unified IM and Presence Reporting.
                                • Cisco Unified IM and Presence User Options–Enables SSO for End User Options.
                                • Cisco Unified IM and Presence Operating System Administration–Enables SSO for Cisco Unified IM and Presence Operating System Administration and Disaster Recovery System.
                                • RTMT–Enables the web application for the Real-Time Monitoring Tool.
                                Procedure
                                  Step 1   Navigate to the Cisco Unified IM and Presence Operating System Administration page and select Security > Single Sign On.
                                  Step 2   Enter the following URL of the Open Access Manager (OpenAM) server: https://hostexample.corp.com:8443/opensso
                                  Step 3   Enter the relative path where the policy agent should be deployed. The relative path must be alphanumeric. See Set up J2EE agent profile on OpenSSO server.
                                  Step 4   Enter the name of the profile that is configured for this policy agent. See Set up J2EE agent profile on OpenSSO server.
                                  Step 5   Enter the password of the profile name. See Set up J2EE agent profile on OpenSSO server.
                                  Step 6   Enter the login Module instance name that is configured for Windows Desktop SSO. See Set up SSO module instance.
                                  Step 7   Click Save.
                                  Step 8   In the Confirmation dialog box, click OK to restart Tomcat.

                                  Enable Single Sign-On using the CLI

                                  You can enable the SSO feature using the Cisco Unified IM and Presence Operating System Administration CLI by entering the command below and responding to the subsequent prompts as outlined below.

                                  The following example makes use of the parameters and values that are in other SSO procedures already provided: 

                                  admin:utils sso enable 
	*****WARNING***** 
This command will restart Tomcat for successful completion.
This command needs to be executed on all the nodes in the cluster. 
Do you want to continue (yes/no): yes 
List of apps for which SSO can be enabled: 
1) Cisco Unified CM IM and Presence Administration (CUCM IM/P Admin, CU IM/P Serviceability, CU Reporting) 
2) Cisco Unified IM and Presence Operating System Administration (CU IM/P OS Admin, IM/P DRS) 
3) RTMT 
4) Cisco Unified IM and Presence User Options (CUCM IM/P User options)
Do you want to enable SSO for Cisco Unified CM IM and Presence Administration (CUCM IM/P Admin, CU IM/P Serviceability, CU IM/P Reporting) (yes/no): yes 
Do you want to enable SSO for Cisco Unified IM and Presence Operating System Administration (CU IM/P OS Admin, IM/P DRS) 
(yes/no): yes 
Do you want to enable SSO for RTMT (yes/no):yes
Do you want to enable SSO for Cisco Unified CM IM and Presence User Options (CUCM IM/P User options) (yes/no):yes
Enter URL of the Open Access Manager (OpenAM) server: 
https://gwydlvm971.corp28.com:8443/opensso 
Enter the relative path where the policy agent should be deployed: agentapp 
Enter the name of the profile configured for this policy agent: gwydlvm396-j2ee-agent 
Enter the password of the profile name: ******** 
Enter the login module instance name configured for Windows Desktop SSO: IMPKRB
Validating connectivity and profile with Open Access Manager (OpenAM) Server: 
https://gwydlvm971.corp28.com:8443/opensso 
Valid profile
Valid module name
Enabling SSO ... This will take up to 5 minutes
SSO Enable Success

                                  Disable Single Sign-On

                                  Disable Single Sign-On using the GUI

                                  You can disable the SSO feature using the Cisco Unified IM and Presence Operating System Administration GUI by following the steps below.

                                  Procedure
                                    Step 1   Navigage to Cisco Unified OS Administration > Security > Single Sign On.
                                    Step 2   De-select all applications that were previously enabled for SSO.
                                    Step 3   Click Save.
                                    Step 4   In the Confirmation dialog box, click OK to restart Tomcat.

                                    Disable Single Sign-On using the CLI

                                    You can disable the SSO feature using the Cisco Unified IM and Presence Operating System Administration CLI by following the steps below.

                                    Procedure
                                      Step 1   Access the Cisco Unified IM and Presence Operating System Administration CLI.
                                      Step 2   Execute the following command: utils sso disable
                                      Step 3   Respond to the prompt messages accordingly to disable all currently enabled SSO applications.

                                      OpenSSO Enterprise removal

                                      Perform one of the following tasks to uninstall SSO.

                                      Uninstall OpenSSO Enterprise on Linux

                                      Procedure
                                        Step 1   Stop the Tomcat running on OpenSSO Enterprise Server by executing the following command under /root/apachetomcat-<latest version>/bin directory: shutdown.sh
                                        Step 2   Remove the following directories and all of their contents:
                                        • ConfigurationDirectory is the directory created when the OpenSSO Enterprise instance is initially configured using the Configurator. The default directory is opensso in the home directory of the user running the Configurator. If the Configurator is run by root, ConfigurationDirectory is created in the root home directory, /root.
                                        • user-home-directory.openssocfg where user-home-directory is the home directory of the user who deployed the opensso.war file. If this user is root, the directory is /.openssocfg.
                                        Step 3   Remove the opensso.war file from the webapps directory of the Tomcat. For example, /root/ apache-tomcat-<latest version>/webapps
                                        Step 4   Start the Tomcat on OpenSSO Enterprise Server by executing startup.sh under the /root/ apache-tomcat-<latest version>/bin directory.

                                        Uninstall OpenSSO Enterprise on Windows

                                        Procedure
                                          Step 1   Select Administrative Tools > Services > Apache Tomcat <latest version> > Stop to stop the Tomcat service if running on the OpenSSO Enterprise server.
                                          Step 2   Delete the opensso and .openssocfg folder from the user home directory.
                                          Step 3   Delete the opensso.war file from the webapps folder of Tomcat.

                                          Example: c:\Program Files\Apache Software Foundation\Tomcat <latest version>\webapps

                                          Step 4   Select Administrative Tools > Services > Apache Tomcat <latest version> > Start to start the Tomcat service.

                                          Setting the debug level

                                          Additional debug information can be gathered from the IM/P node by setting the log level for the J2EE Policy Agent accordingly. The log level for this component is configured on the OpenAM server itself. The default log level is Error. You can change the log level to Message to provide additional debug information. Cisco recommends that the Message log level should only be used for short periods of time as the associated log files can grow quiet large

                                          Procedure
                                            Step 1   Sign in to OpenAM (https://<OpenAM FQDN>:8443/opensso) from your Web browser (for example, Mozilla Firefox).
                                            Step 2   From the Access Control menu, choose Top Level Realm > Agents > J2EE.
                                            Step 3   Select the desired J2EE Agent.
                                            Step 4   Select the General link.
                                            Step 5   Under the Agent Debug Level, specify the desired level (Message or Error).
                                            Step 6   Click Save.
                                            Step 7   On the IM and Presence node, restart the Cisco Tomcat service.
                                            1. Access the IM and Presence Administration CLI.
                                            2. Execute the following command: utils service restart Cisco Tomcat.
                                            Step 8   Retrieve the logs using Cisco Unified Real Time Monitoring Tool for IM and Presence by browsing and downloading the logs for the Cisco SSO component.

                                            Troubleshooting Single Sign-On

                                            Security Trust Error Message

                                            Problem    When enabling the Single Sign-On feature, a 'Security trust error' message displays.
                                            Possible Cause    There may be a security certificate issue causing the IM and Presence node to not trust the OpenAM node.
                                            Solution    Ensure that the following certificates have been uploaded to the IM and Presence node and that the Tomcat service on the IM and Presence node has been restarted: OpenAM self-signed certificate if that was the chosen approach in section Java installation and Root certificate and any intermediate certificate that signed the OpenAM certificate if that was the chosen approach in section Java installation. You must also ensure that the correct OpenAM URL is being specified on the GUI or CLI when enabling SSO. The OpenAM URL must be the Fully Qualified Domain Name with the port number. For example, https://openam-01.corp28.com:8443/opensso.

                                            Invalid Profile Credentials Message

                                            Problem    When enabling Single Sign-On, an 'Invalid Profile Credentials' message displays.
                                            Possible Cause    You may be specifying the incorrect name and password for the IM and Presence node J2EE Agent.
                                            Solution    Refer to section Set up J2EE agent profile on OpenSSO server and note the name and password values that were entered. These values must be specified when enabling SSO.

                                            Module Name is Invalid Message

                                            Problem    When enabling Single Sign-On, a 'Module Name is Invalid' message displays.
                                            Possible Cause    You may be specifying the incorrect name for the SSO Module Instance.
                                            Solution    Refer to section Set up SSO module instance and review the instructions.

                                            Invalid OpenAM Access Manager (Openam) Server URL Message

                                            Problem    When enabling Single Sign-On, an 'Invalid OpenAM Access Manager (Openam) Server URL' message displays.
                                            Possible Cause    The OpenAM URL specified on the GUI or CLI when enabled SSO may not be correct.
                                            Solution    Ensure that the correct OpenAM URL is being specified on the GUI or CLI when enabling SSO. The OpenAM URL must be the Fully Qualified Domain Name with the port number. For example, https://openam-01.corp28.com:8443/opensso. You must also ensure that the OpenAM server is up and running and that the OpenAM administration GUI is accessible.

                                            Web Browser Indicates a 401 Error

                                            Problem    When you access a Single Sign-On (SSO) enabled Web application for an IM and Presence node, the Web browser indicates an HTTP 401 error code.
                                            Possible Cause    There may be a problem with the users browser settings.
                                            Solution    Refer to section Client browser setup for Single Sign-On and review the instructions.

                                            Web Browser Indicates a 403 Error or Displays a Blank Screen

                                            Problem    When I access a Single Sign On (SSO) enabled web application for an IM and Presence node, the Web browser indicates an HTTP 403 error code or I get a blank screen.
                                            Possible Cause    There may be a problem with OpenAM policy configuration for this IM and Presence node.
                                            Solution    Ensure that you have added all six policy rules for this IM and Presence node and that all policy rules have been enabled with GET/POST actions and are set to 'Allow'. You must also ensure that the Subject has been added to the policy. For more information, refer to section Set up policies on OpenSSO server.

                                            User is not Authorized to Perform this Function error

                                            Problem    After accessing the Web application and trying to access a page, the following message displays: "User is not authorized to perform this function".
                                            Possible Cause    There may be a problem with the user's assigned permissions for IM and Presence.
                                            Solution    If accessing the User Options web application is failing, ensure that the user is a member of the Standard CCM End User group on the corresponding Cisco Unified Communications Manager node. If access to any other IM and Presence Web applications is failing, ensure that the user is a member of the Standard CUP Super Users group or a group with the equivalent roles on this IM and Presence node.

                                            Web Browser Indicates an HTTP 404 Error

                                            Problem    When I access an SSO-enabled Web application for an IM and Presence node, the Web browser indicates an HTTP 404 error code.
                                            Possible Cause    There may be a problem with one of the following configurations for this IM and Presence node: OpenAM policy configuration or OpenAM J2EE Agent configuration.
                                            Solution    Ensure you are not attempting to access this IM and Presence node using a URL that contains the hostname only, this is not supported when SSO is enabled for a Web application. Refer to section Set up Policies on OpenAM Server and review the policy rules for this IM and Presence node. Refer to section Set up J2EE Agent Profile on OpenAM Server and review the steps related to Login Processing. You must also ensure that you have added the Login Processing URIs to this IM and Presence node's J2EE Agent configuration on the OpenAM server

                                            Web Browser Indicates an HTTP 500 Error or Displays a Blank Screen

                                            Problem    When I access an SSO-enabled Web application for an IM and Presence node, the Web browser indicates an HTTP 500 error code or a blank screen displays.
                                            Possible Cause    There may be a problem with OpenAM J2EE Agent configuration for this IM and Presence node.
                                            Solution    Refer to section Set up J2EE agent profile on OpenSSO server and complete the following tasks. You must ensure that you have added the Login Processing URIs for this IM/P nodes J2EE Agent and that you have added the Login URL on the OpenAM Services tab and removed all other Login URLs.

                                            Authentication Failed Message

                                            Problem    When I access an SSO-enabled Web application for an IM and Presence node, the Web browser displays an OpenAM login screen with an "Authentication failed" message.
                                            Possible Cause    There may be a problem with the WindowsDesktopSSO login module.
                                            Solution    Refer to section Set up SSO module instance and review the instructions to ensure that all the Module Instance settings are correct, the keytab file exists at the specified directory, and the user's windows PC, the Active Directory, the OpenAM Server and IM and Presence node have their clocks synchronized.

                                            Web Browser displays an OpenAM login screen

                                            Problem    When I access an SSO-enabled Web application for an IM and Presence node, the Web browser displays an OpenAM login screen.
                                            Possible Cause    There may be a problem with OpenAM J2EE Agent configuration for this IM and Presence node.
                                            Solution    Refer to section Set up J2EE Agent Profile on OpenAM Server and ensure you have added the Login URL on the OpenAM Services tab and removed all other Login URLs.

                                            Web Browser displays IM and Presence Login Screen

                                            Problem    When you access an SSO-enabled Web application for an IM and Presence node, the Web browser displays the Web applications login screen.
                                            Possible Cause    There may be a problem with OpenAM J2EE Agent configuration for this IM and Presence node.
                                            Solution    Refer to section Set up J2EE agent profile on OpenSSO server and ensure you have added the Login Processing URIs for this IM and Presence nodes J2EE Agent.

                                            Internet Explorer prompts for username and password

                                            Problem    When you access an SSO-enabled Web application for an IM and Presence node, the Internet Explorer Web browser prompts you for a username and password.
                                            Possible Cause    There may be a problem with the users browsers settings.
                                            Solution    Refer to section Client browser setup for Single Sign-On and review the instructions.

                                            User has no profile on this organization message

                                            Problem    When you access an SSO-enabled Web application for an IM and Presence node, the Web browser displays an OpenAM screen with a "user has no profile on this organization" message.
                                            Possible Cause    The OpenAM User Profile may not be set to ignored.
                                            Solution    Refer to section Set up OpenSSO Enterprise using GUI Configurator.

                                            Encounter problems enabling SSO

                                            Problem    You are unable to enable the Single Sign-On feature.
                                            Possible Cause    If the Tomcat instance on which the OpenAM server is deployed becomes unresponsive or shuts down unexpectedly, enablement of the SSO feature on IM and Presence may become affected. In order to enable SSO successfully on IM and Presence, OpenAM must be operational. IM and Presence does not monitor the OpenAM Tomcat instance. As a result, there is no IM and Presence alarm or notification generated for this occurrence.
                                            Solution    If you experience difficulty when enabling SSO from either the Cisco Unified IM and Presence Operating System Administration GUI or the IM and Presence Administration CLI, verify that Tomcat is running on the OpenAM server. If you continue to experience difficulty after verifying that Tomcat is running on the OpenAM server, restart Tomcat on the OpenAM server and try enabling SSO again.