Sun Open Telecommunications Platform 2.0 Administration Guide

Administering Web SSO Users

This section provides procedures to administer Web SSO users. Sun OTP 2.0 lets you administer Web Single Sign On (SSO) users through the browser user interface (BUI) and the command-line interface (CLI). You can create new Web SSO users, change the password of existing users, and remove existing users.

The following topics are discussed:

    Adding Web SSO User

    Changing the Password of Existing Web SSO User

    Removing Web SSO User

Adding Web SSO User

You can add new Web SSO users.

This task creates user accounts for the Sun OTP application provisioning service, the Sun OTP system management service, and the Sun OTP security service with the provided credentials. The timeout value for each user session on the server is two hours.

Procedure: To Create a Role

You must create a user role manually before you assign that role to a Web SSO user. The role must exist on every cluster host and in every zone, if applicable, with the same name and the same rights profiles.

  1. Log in as root (su - root) to the Sun OTP host.

  2. Create a new role account.

    For example, create a role named ssorole.

    roleadd -s /bin/pfksh -d /export/home/ssorole -K defaultpriv=basic -P "Cluster Management,Web Console Management,Cluster Operation,Sun Cluster Commands,All" ssorole


    Note –

    It is mandatory to assign at least one rights profile to the role that you create. Otherwise, you cannot perform administration tasks on the cluster as that role. For more information on the roleadd command, see the roleadd man page.


  3. Change the password for the new role.

    For example

    passwd ssorole

    Enter the new password for the role and confirm the password.

  4. Create a home directory for the role.

    mkdir /export/home/ssorole

    chown ssorole:other /export/home/ssorole

  5. Restart the name service cache daemon for the new role to take effect.

    Perform this step only after steps 1 through 4 have been completed on all the cluster hosts and on all the zones, if applicable.

    svcadm restart system/name-service-cache
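As an added check, not part of the Sun OTP guide: on Solaris, roleadd records the new role in /etc/user_attr, whose lines have five colon-separated fields (user:qualifier:res1:res2:attr, with attr holding key=value pairs separated by semicolons). The script below reads such an entry and confirms the two properties the procedure above depends on, that the account is of type=role and that it carries at least one rights profile. The sample entries are constructed for offline use; on a Sun OTP host, run the script with the role name on every cluster host and zone after step 5. The function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Sun OTP guide: verify that a role created
# with roleadd is really a role and has a rights profile assigned, by
# inspecting its /etc/user_attr entry.
# user_attr(4) line layout:  user:qualifier:res1:res2:attr
# where attr = key=value;key=value;...  (keys include type, profiles, defaultpriv)

# role_profiles ENTRY -> prints the comma-separated profile list (empty if none)
role_profiles() {
    printf '%s\n' "$1" | cut -d: -f5 | tr ';' '\n' | sed -n 's/^profiles=//p'
}

# check_role_entry ENTRY ROLENAME
# Returns 0 if ENTRY describes ROLENAME as type=role with profiles assigned;
# otherwise prints the reason on stderr and returns 1.
check_role_entry() {
    entry=$1
    role=$2
    name=$(printf '%s\n' "$entry" | cut -d: -f1)
    attrs=$(printf '%s\n' "$entry" | cut -d: -f5)

    if [ "$name" != "$role" ]; then
        echo "entry is for '$name', not '$role'" >&2
        return 1
    fi
    case ";$attrs;" in
        *";type=role;"*) ;;
        *) echo "'$role' is not a role (type=role missing)" >&2
           return 1 ;;
    esac
    profiles=$(role_profiles "$entry")
    if [ -z "$profiles" ]; then
        echo "'$role' has no rights profile; cluster administration will fail" >&2
        return 1
    fi
    echo "$role: ok (profiles: $profiles)"
}

# Constructed sample entries: what step 2 above writes, plus two broken variants.
GOOD_ENTRY='ssorole::::type=role;profiles=Cluster Management,Web Console Management,Cluster Operation,Sun Cluster Commands,All;defaultpriv=basic'
NO_PROFILE_ENTRY='ssorole::::type=role;defaultpriv=basic'
NOT_ROLE_ENTRY='ssorole::::type=normal;profiles=All'

# On a Sun OTP host:  sh check_role.sh ssorole   (repeat on every host and zone)
if [ -n "$1" ] && [ -r /etc/user_attr ]; then
    check_role_entry "$(grep "^$1:" /etc/user_attr)" "$1"
fi
```

The check is deliberately per host: a role that is correct on one cluster node but missing a profile on another will make the same Web SSO user's operations fail only on that node, which is hard to diagnose from the BUI.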

Procedure: To Add Web SSO User Using GUI

Ensure that the resource group otp-security-ds-rg is online on the first host of the cluster.

  1. Open a browser and log in to the Sun OTP application provisioning service on the Sun OTP provisioning server.

    Go to https://install-server:9090, where install-server is the IP address or the fully qualified name of the Sun OTP provisioning server.

  2. Type the user name and password.

    The user name is otpadmin. The password is the password provided in the password file while setting up the Sun OTP provisioning server.

  3. Click OTP Setup to display the Sun Open Telecommunications Platform utility tasks page.

  4. Click Add User and click run.

    The SynchronizeWebSSOUsers plan run screen appears.

  5. Type the host name in the target host field.

  6. Type the Web SSO user name in the WebSSO login name field.

  7. Type the password in the WebSSO password field.

  8. Confirm the password in the Retype WebSSO password field.

  9. Type the user role in the User role field.

    You need to manually create a role before assigning it to the Web SSO user.

    If there is no user role, do not specify any value for this field.

  10. Click run plan (includes preflight).

Procedure: To Add Web SSO User Using the CLI

  1. Log in as root (su - root) to the provisioning server.

  2. Type the following command to add Web SSO user.

    /opt/SUNWotp/cli/ssocli add -u ssousername -f oldpasswordfile -c clusterhostset -r role -i

    ssousername is the Web SSO user name.

    oldpasswordfile is the file that contains the old or initial password on the first line. Because this file holds a cleartext password, create it readable by root only and delete it as soon as the command completes.

    clusterhostset is the cluster host set.

    role is the role of the Web SSO user. You must manually create a role before assigning it to the Web SSO user.

    If there is no user role, do not specify any value for role.

    For example

    /opt/SUNWotp/cli/ssocli add -u ssouser -f /tmp/pass -c cl-sso -r manager -i

Changing the Password of Existing Web SSO User

You can change the password of an existing Web SSO user account.

Procedure: To Change the Password of Existing Web SSO User Using GUI

  1. Open a browser and log in to the Sun OTP application provisioning service on the Sun OTP provisioning server.

    Go to https://install-server:9090, where install-server is the IP address or the fully qualified name of the Sun OTP provisioning server.

  2. Type the user name and password.

    The user name is otpadmin. The password is the password provided in the password file while setting up the Sun OTP provisioning server.

  3. Click OTP Setup to display the Sun Open Telecommunications Platform utility tasks page.

  4. Click Change User Password and click run.

    The ChangeWebSSOPassword plan run screen appears.

  5. Type the host name in the target host field.

  6. Type the Web SSO user name in the WebSSO login name field.

  7. Type the old password in the Old WebSSO password field.

  8. Type the new password in the New WebSSO password field.

  9. Confirm the new password in the Retype New WebSSO password field.

  10. Click run plan (includes preflight).

Procedure: To Change the Password of Existing Web SSO User Using the CLI

  1. Log in as root (su - root) to the provisioning server.

  2. Type the following command to change the password.

    /opt/SUNWotp/cli/ssocli password -u ssousername -f oldpasswordfile -n newpasswordfile -c clusterhostset

    ssousername is the Web SSO user name.

    oldpasswordfile is the file that contains the old or initial password on the first line.

    newpasswordfile is the file that contains the new password on the first line.

    clusterhostset is the cluster host set.

    For example

    /opt/SUNWotp/cli/ssocli password -u ssouser -f /tmp/oldpass -n /tmp/newpass -c cl-sso
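The add and password examples above both pass cleartext passwords to ssocli through files in /tmp, which is world-readable. The following script, an added example that is not part of the Sun OTP guide, wraps both commands so that each password file is created with mode 0600, contains the password on its first line (the only line ssocli reads), and is removed as soon as the command returns, even if the shell is interrupted. The ssocli path and flags are those documented above; the helper names (make_password_file, sso_add, sso_password) and the SSOCLI override variable are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Sun OTP guide: run "ssocli add" and
# "ssocli password" with password files that are private (mode 0600) and
# short-lived, instead of a hand-written /tmp/pass left behind afterwards.

SSOCLI=${SSOCLI:-/opt/SUNWotp/cli/ssocli}   # override for testing

# make_password_file PASSWORD -> prints the path of a new file whose first
# line is PASSWORD. mktemp creates the file with mode 0600; the umask in the
# subshell guarantees the same even for implementations that honour umask.
make_password_file() {
    f=$(umask 077 && mktemp "${TMPDIR:-/tmp}/ssopw.XXXXXX") || return 1
    printf '%s\n' "$1" > "$f" || { rm -f "$f"; return 1; }
    printf '%s\n' "$f"
}

# file_is_private PATH -> 0 if PATH is a regular file with mode rw-------
file_is_private() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# first_line PATH -> the password ssocli will actually read from PATH
first_line() {
    sed -n 1p "$1"
}

# sso_add USER CLUSTERHOSTSET PASSWORD [ROLE]
sso_add() {
    pw_file=$(make_password_file "$3") || return 1
    trap 'rm -f "$pw_file"' EXIT          # cleaned up even if we are killed
    if [ -n "$4" ]; then
        "$SSOCLI" add -u "$1" -f "$pw_file" -c "$2" -r "$4" -i
    else
        "$SSOCLI" add -u "$1" -f "$pw_file" -c "$2" -i
    fi
    rc=$?
    rm -f "$pw_file"
    trap - EXIT
    return $rc
}

# sso_password USER CLUSTERHOSTSET OLDPASSWORD NEWPASSWORD
sso_password() {
    old_file=$(make_password_file "$3") || return 1
    new_file=$(make_password_file "$4") || { rm -f "$old_file"; return 1; }
    trap 'rm -f "$old_file" "$new_file"' EXIT
    "$SSOCLI" password -u "$1" -f "$old_file" -n "$new_file" -c "$2"
    rc=$?
    rm -f "$old_file" "$new_file"
    trap - EXIT
    return $rc
}

# Usage, as root on the provisioning server (passwords passed as arguments
# here still appear in the process list briefly; read them with stty -echo
# in an interactive wrapper if that matters on your hosts):
#   sso_add ssouser cl-sso 'initial-password' manager
#   sso_password ssouser cl-sso 'initial-password' 'new-password'
```

Note that the trap covers only the period during which ssocli runs; the password is still handed to ssocli in cleartext, so the file's owner-only mode is the last line of defence on a shared provisioning host.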

Removing Web SSO User

You can remove Web SSO users.

Procedure: To Remove Web SSO User Using GUI

  1. Open a browser and log in to the Sun OTP application provisioning service on the Sun OTP provisioning server.

    Go to https://install-server:9090, where install-server is the IP address or the fully qualified name of the Sun OTP provisioning server.

  2. Type the user name and password.

    The user name is otpadmin. The password is the password provided in the password file while setting up the Sun OTP provisioning server.

  3. Click OTP Setup to display the Sun Open Telecommunications Platform utility tasks page.

  4. Click Remove User and click run.

    The RemoveWebSSOUsers plan run screen appears.

  5. Type the host name in the target host field.

  6. Type the Web SSO user to remove in the WebSSO login name field.

  7. Click run plan (includes preflight).

Procedure: To Remove Web SSO User Using the CLI

  1. Log in as root (su - root) to the provisioning server.

  2. Type the following command to remove Web SSO user.

    /opt/SUNWotp/cli/ssocli remove -u ssousername -c clusterhostset

    ssousername is the Web SSO user name.

    clusterhostset is the cluster host set.

    For example

    /opt/SUNWotp/cli/ssocli remove -u ssouser -c cl-sso