Administer > Configuration > User Administration > Change CSA Built-In User Accounts

Change CSA Built-In User Accounts

CSA ships with built-in user accounts. The user accounts are used to authenticate REST API calls and for initial setup and experimentation with the product. For security reasons, you may want to disable or change the passwords associated with these accounts (do not change the usernames).

Note Do not create users in your LDAP directory that match the built-in users provided by CSA: csaCatalogAggregationTransportUser, csaReportingUser,ooInboundUser, and codarintegrationUse. Creating the same users in LDAP may allow the CSA built-in users unintended access to the Cloud Service Management Console or give the LDAP users unintended privileges.

Note: When you change or create passwords, you can use these special characters: ~ `! @ # $ % * ( ) _ - + = { } [ ] \ / : ; [space] ?

CSA does not support these characters: ^ & | " . > , <

Cloud Service Management Console User Accounts

The following users are shipped with CSA and are used with the Cloud Service Management Console:

admin User: Cloud Service Management Console
Username admin
Default Password cloud
Default Role ROLE_REST
Usage This account is used to initially log in to the Cloud Service Management Console to configure the provider organization.
To Disable

Edit the CSA_HOME/jboss‑as/standalone/
deployments/idm-service.war/WEB-INF/classes/provider-users.properties
file. Update the admin property to disable this user account. For example, set admin to the following value (this value should be encrypted):

cloud,DIAGNOSTICS_ADMIN,SUPPLIER_VIEWER,CONTENT_ADMIN,LICENSE_ADMIN,SUPER_IDM_ADMIN,ROLE_REST,disabled

Note This property not only determines if the account is enabled, it also contains the password and the roles that control access to CSA.

By default, the unencrypted value of this property is: cloud,ROLE_REST,enabled

See Encrypt a password for instructions about how to encrypt this value). The encrypted value is preceded by ENC without any separating spaces and is enclosed in parentheses. Ensure there is no blank space at the end of the value.

To Change Password

If you change the password to this account, you must update the value of the password in the provider-users.properties file and the securityAdminPassword property in the csa.properties file (you must use the same password). You must also update and use the same password for every REST API call that uses the password.

Updating the admin property in provider-users.properties

Edit the CSA_HOME/jboss-as/standalone/deployments/
idm-service.war/WEB-INF/classes/provider-users.properties
file. Update the password portion of the admin value and encrypt the entire value, including the roles and account status (see Encrypt a password for instructions about how to encrypt this value). The encrypted value is preceded by ENC without any separating spaces and is enclosed in parentheses. Ensure there is no blank space at the end of the value.

Note This property not only contains the password, but also the roles that control access to CSA and if the account is enabled.
By default, the unencrypted value of this property is: cloud,ROLE_REST,enabled

Updating the securityAdminPassword property in csa.properties

Edit the CSA_HOME/jboss‑as/standalone/deployments/csa.war/WEB-INF/classes/csa.properties file (where

CSA_HOME is the directory in which CSA is installed

) and update the value of the securityAdminPassword property.

Regenerate the newpassword for admin in the below format:

For IDM Configuration (in file provider-users.properties) following value should be encrypted:
newpassword,DIAGNOSTICS_ADMIN,SUPPLIER_VIEWER,CONTENT_ADMIN,LICENSE_ADMIN,SUPER_IDM_ADMIN,ROLE_REST,enabled

For csa.properties – Password should be encrypted as: “newpassword”
Example: encrypt "cloud"

After modifying the csa.properties file, restart CSA. See Restart CSA for instructions.


consumerAdmin User: Marketplace Portal

Username consumerAdmin
Default Password cloud
Default Role CONSUMER_ORGANIZATION_ADMINISTRATOR
Usage This account is used to initially log in to the Cloud Service Management Console to configure and manage the sample CSA Consumer organization.
To Disable

Edit the CSA_HOME/jboss‑as/standalone/deployments/idm-service.war/WEB-INF/classes/consumer-users.properties file. Update the consumerAdmin property to disable this user account. For example, set consumerAdmin to the following value (this value should be encrypted):

cloud,CONSUMER_ORGANIZATION_ADMINISTRATOR,disabled

Note This property not only determines if the account is enabled, it also contains the password and the roles that control access to CSA.

By default, the unencrypted value of this property is:
cloud,CONSUMER_ORGANIZATION_ADMINISTRATOR,enabled

See Encrypt a password for instructions about how to encrypt this value). The encrypted value is preceded by ENC without any separating spaces and is enclosed in parentheses. Ensure there is no blank space at the end of the value.

For consumerAdmin (in file consumer-users.properties) following value should be encrypted:

newpassword,CONSUMER_ORGANIZATION_ADMINISTRATOR,enabled						
To Change Password

Edit the CSA_HOME/jboss‑as/standalone/deployments/idm-service.war/WEB-INF/classes/consumer-users.properties file. Update the password portion of the consumerAdmin value and encrypt the entire value, including the roles and account status (see Encrypt a password for instructions about how to encrypt this value). The encrypted value is preceded by ENC without any separating spaces and is enclosed in parentheses. Ensure there is no blank space at the end of the value.

Note This property not only contains the password, but also the roles that control access to CSA and if the account is enabled.

By default, the unencrypted value of this property is:
cloud,CONSUMER_ORGANIZATION_ADMINISTRATOR,enabled



csaCatalogAggregationTransportUser User: Cloud Service Management Console
Username csaCatalogAggregationTransportUser
Default Password cloud
Usage This account is used to authenticate REST API calls.
To Disable Do not disable this account.
To Change Password

If you change the password to this account, you must update the value of the securityCatalogAggregationTransportUserPassword property in csa.properties. You must also update the password using the catalog aggregation registration REST APIs.

Edit the CSA_HOME/jboss‑as/standalone/
deployments/csa.war/WEB-INF/classes/csa.properties
file (where

CSA_HOME is the directory in which CSA is installed

) and update the value of the securityCatalogAggregationTransportUserPassword property. Determine a suitable new password (see Encrypt a password for instructions). An encrypted password is preceded by ENC without any separating spaces and is enclosed in parentheses. Ensure there is no blank space at the end of the value.

After modifying the csa.properties file, restart CSA. See Restart CSA for instructions.


csaReportingUser User: Cloud Service Management Console
Username csaReportingUser
Default Password cloud
Default Roles ROLE_REST, ROLE_DYNAMIC
Usage This account is used when a subscription is ordered or modified and a field for the subscription includes a dynamically generated list. The dynamically generated list is a subscriber option property configured to use a dynamic query. The dynamic query uses this account to access CSA to determine the values that will appear in the list. This account has read-only access to CSA .
To Disable Do not disable this account.
To Change Password

If you change the password to this account, you must update the value of the password in the provider-users.properties file and the securityCsaReportingUserPassword property in the csa.properties file (you must use the same password). You must also update and use the same password for every REST API call that uses the password.

Updating the csaReportingUser property in provider-users.properties

Edit the CSA_HOME/jboss-as/standalone/deployments/idm-service.war/WEB-INF/classes/provider-users.properties file. Update the password portion of the csaReportingUser value and encrypt the entire value, including the roles and account status (see Encrypt a password for instructions about how to encrypt this value). The encrypted value is preceded by ENC without any separating spaces and is enclosed in parentheses. Ensure there is no blank space at the end of the value.

Note This property not only contains the password, but also the roles that control access to CSA and if the account is enabled.
By default, the unencrypted value of this property is:
cloud,ROLE_REST,ROLE_DYNAMIC,enabled

Updating the securityCsaReportingUserPassword property in csa.properties

Edit the CSA_HOME/jboss‑as/standalone/deployments/csa.war/WEB-INF/classes/csa.properties file (where

CSA_HOME is the directory in which CSA is installed

) and update the value of the securityCsaReportingUserPassword property.

Regenerate the newpassword for csaReportingUser in the below format:

For IDM Configuration (in file provider-users.properties) following value should be encrypted:
newpassword,ROLE_REST,ROLE_DYNAMIC,enabled

For csa.properties – Password should be encrypted as: “newpassword”
Example: encrypt "cloud"

After modifying the csa.properties file, restart CSA. See Restart CSA for instructions.


csaTransportUser User: Cloud Service Management Console
Username csaTransportUser
Default Password csaTransportUser
Usage This account is used to authenticate REST API calls.
To Disable Do not disable this account.
To Change Password

If you change the password to this account, you must update the value of the securityTransportPassword property in the csa.properties file and the idm.csa.password property in the applicationContext.properties file (you must use the same password). You must also update and use the same password for every REST API call that uses the password.

Updating the securityTransportPassword property in csa.properties

Edit the CSA_HOME/jboss‑as/standalone/deployments/csa.war/WEB-INF/classes/csa.properties file (where

CSA_HOME is the directory in which CSA is installed

) and update the value of the securityTransportPassword property. Determine a suitable new password (see Encrypt a password for instructions). An encrypted password is preceded by ENC without any separating spaces and is enclosed in parentheses. Ensure there is no blank space at the end of the value.

Updating the idm.csa.password property in applicationContext.properties

Edit the CSA_HOME/jboss-as/standalone/deployments/idm-service.war/WEB-INF/spring/applicationContext.properties file and update the value of the idm.csa.password property.

Regenerate the newpassword for csaTransportUser in the below format:

For IDM Configuration (in file provider-users.properties) following value should be encrypted:
newpassword,ROLE_REST,enabled

For csa.properties – Password should be encrypted as: “newpassword”
Example: encrypt "cloud"

After modifying and saving the changes to the files, restart CSA. See Restart CSA for instructions.


idmTransportUser User: Cloud Service Management Console
Username idmTransportUser
Default Password idmTransportUser
Default Roles ROLE_ADMIN, PERM_IMPERSONATE
Usage This account is used to authenticate REST API calls.
To Disable Do not disable this account.
To Change Password

If you change the password to this account, you must update the value of the securityIdmTransportUserPassword property in the csa.properties file, the idmTransportUser property in the integrationusers.properties file, and the password attribute in the idmProvider section of the mpp.json file (you must use the same password) and you must clear the JBoss server and web browser caches. You must also update and use the same password for every REST API call that uses the password.

Updating the securityIdmTransportUserPassword property in csa.properties

Edit the CSA_HOME/jboss‑as/standalone/deployments/csa.war/WEB-INF/classes/csa.properties file (where

CSA_HOME is the directory in which CSA is installed

) and update the value of the securityIdmTransportUserPassword property. Determine a suitable new password (see Encrypt a password for instructions). An encrypted password is preceded by ENC without any separating spaces and is enclosed in parentheses. Ensure there is no blank space at the end of the value.

For idmTransportUser (in file provider-users.properties) following value should be encrypted:

newpassword,ROLE_ADMIN,PERM_IMPERSONATE,enabled

Updating the idmTransportUser property in integrationusers.properties

Note This property not only contains the password, but also the roles that control access to CSA and if the account is enabled.

By default, the unencrypted value of this property is:
idmTransportUser,ROLE_ADMIN,PERM_IMPERSONATE,enabled

Edit the CSA_HOME/jboss-as/standalone/deployments/idm-service.war/WEB-INF/classes/integrationusers.properties file and update the value of the idmTransportUser property. Use the same password that you used for the securityIdmTransportUserPassword property in the csa.properties file and encrypt the entire value of the idmTransportUser property, including the roles and account status (see Encrypt a password for instructions about how to encrypt this value). The encrypted value is preceded by ENC without any separating spaces and is enclosed in parentheses. Ensure there is no blank space at the end of the value.

 

Updating the password attribute in mpp.json

Edit the CSA_HOME/portal/conf/mpp.json file (where

CSA_HOME is the directory in which CSA is installed

) and update the value of the password attribute in the idmProvider section and the keyfile attribute. Use the same password that you used for the securityIdmTransportUserPassword property in the csa.properties file and encrypt this password using the password utility that is provided by the Marketplace Portal:

  1. Open a command prompt and navigate to the CSA_HOME/portal/bin directory. For example, on Windows the directory is C:\Program Files\HPE\CSA\portal\bin and on Linux the directory is /usr/local/hpe/csa/portal/bin.

  2. Run the following command:

    Windows:

    ..\..\node.js\node passwordUtil

    Linux:

    ../../node.js/node passwordUtil

    When prompted, enter the name and location of the keyfile to generate (for example, ../conf/keyfile) and the password to encrypt.

  3. An encrypted password is displayed. Copy the encrypted password to the password attribute value in the idmProvider section. An encrypted password is preceded by ENC without any separating spaces and is enclosed in parentheses. Ensure there is no blank space at the end of the value. For example ENC(3oKr7eAo25bEn3Zn2t9wIA==)

  4. Copy the keyfile name and location to the keyfile attribute.

Clearing the JBoss server and web browser caches

After modifying and saving the changes to the files, clear the JBoss server and web browser caches.

To clear the JBoss server cache, remove the contents from the CSA_HOME/jboss-as/standalone/tmp directory.

See Clear the web browser cache for information about how to clear the web browser cache.

Restarting CSA

After making these changes, restart CSA. See Restart CSA for instructions about how to restart CSA and the Marketplace Portal.

ooInboundUser User: Cloud Service Management Console
Username ooInboundUser
Default Password cloud
Default Role ROLE_REST
Usage This account is used by Operations Orchestration to authenticate REST API calls with CSA.
To Disable Do not disable this account.
To Change Password

If you change the password to this account, you must update the value of the password in the provider-users.properties file and the securityOoInboundUserPassword property in the csa.properties file (you must use the same password). You must also update and use the same password for every REST API call that uses the password.

Updating the ooInboundUser property in provider-users.properties

Edit the CSA_HOME/jboss-as/standalone/deployments/idm-service.war/WEB-INF/classes/provider-users.properties file. Update the password portion of the ooInboundUser value and encrypt the entire value, including the roles and account status (see Encrypt a password for instructions about how to encrypt this value). The encrypted value is preceded by ENC without any separating spaces and is enclosed in parentheses. Ensure there is no blank space at the end of the value.

Note This property not only contains the password, but also the roles that control access to CSA and if the account is enabled.

By default, the unencrypted value of this property is:
cloud,ROLE_REST,enabled

You must also update and use the same password for the CSA_REST_CREDENTIALS system account in Operations Orchestration (located in the Configuration folder of the Public Repository).

Updating the securityOoInboundUserPassword property in csa.properties

If you change the password to this account, you must update the value of the securityOoInboundUserPassword property in csa.properties. You must also update and use the same password for the CSA_REST_CREDENTIALS system account in Operations Orchestration (located in the Configuration folder of the Public Repository).

Edit the CSA_HOME/jboss‑as/standalone/deployments/csa.war/WEB-INF/classes/csa.properties file (where

CSA_HOME is the directory in which CSA is installed

) and update the value of the securityOoInboundUserPassword property. Use the same encrypted password that you entered for the ooInboundUser property in the provider-users.properties file.

Regenerate the newpassword for ooInboundUser in the below format:

For IDM Configuration (in file provider-users.properties) following value should be encrypted:
newpassword,ROLE_REST,enabled

For csa.properties – Password should be encrypted as: “newpassword”
Example: encrypt "cloud"

After modifying the csa.properties file, restart CSA. See Restart CSA for instructions.

cdaInboundUser User: Cloud Service Management Console
Username cdaInboundUser
Default Password CDA2CSAIntegration!
Default Role ROLE_REST
Usage This account is used by Continuous Delivery Automation (Continuous Delivery Automation) to authenticate REST API calls with CSA.
To Disable Do not disable this account.
To Change Password

If you change the password to this account, you must update the value of the password in the provider-users.properties file and the securityCdaInboundUserPassword property in the csa.properties file (you must use the same password). You must also update and use the same password for every REST API call that uses the password.

Updating the cdaInboundUser property in provider-users.properties

Edit the CSA_HOME/jboss-as/standalone/deployments/idm-service.war/WEB-INF/classes/provider-users.properties file. Update the password portion of the cdaInboundUser value and encrypt the entire value, including the roles and account status (see Encrypt a password for instructions about how to encrypt this value). The encrypted value is preceded by ENC without any separating spaces and is enclosed in parentheses. Ensure there is no blank space at the end of the value.

Note This property not only contains the password, but also the roles that control access to CSA and if the account is enabled.

By default, the unencrypted value of this property is:
CDA2CSAIntegration!,ROLE_REST,enabled

Updating the securityCdaInboundUserPassword property in csa.properties

If you change the password to this account, you must update the value of the securityCdaInboundUserPassword property in csa.properties. You must also update and use the same password in Continuous Delivery Automation.

Edit the CSA_HOME/jboss‑as/standalone/deployments/csa.war/WEB-INF/classes/csa.properties file (where

CSA_HOME is the directory in which CSA is installed

) and update the value of the securityCdaInboundUserPassword property. Use the same encrypted password that you entered for the cdaInboundUser property in the provider-users.properties file.

After modifying the csa.properties file, restart CSA. See Restart CSA for instructions.

Marketplace Portal User Account

The following is a sample user that ships with CSA and is used to access the Marketplace Portal:

consumer User: Marketplace Portal
Username consumer
Default Password cloud
Default Roles SERVICE_CONSUMER, ROLE_REST
Usage This account is used to initially log in to and experiment with the Marketplace Portal (LDAP does not have to be configured). This user belongs to the "CSA consumer internal group" and is a member of the "CSA Consumer" organization (both the group and organization are provided as samples).
To Disable

Edit the CSA_HOME/jboss‑as/standalone/
deployments/idm-service.war/WEB-INF/classes/consumer-users.properties
file. Update the consumer property to disable this user account. For example, set consumer to the following value (this value should be encrypted):

cloud,SERVICE_CONSUMER,ROLE_REST,disabled

Note This property not only determines if the account is enabled, it also contains the password and the roles that control access to CSA.

By default, the unencrypted value of this property is:
cloud,SERVICE_CONSUMER,ROLE_REST,enabled

See Encrypt a password for instructions about how to encrypt this value). The encrypted value is preceded by ENC without any separating spaces and is enclosed in parentheses. Ensure there is no blank space at the end of the value.

To Change Password

Edit the CSA_HOME/jboss‑as/standalone/deployments/idm-service.war/WEB-INF/classes/consumer-users.properties file. Update the password portion of the consumer value and encrypt the entire value, including the roles and account status (see Encrypt a password for instructions about how to encrypt this value). The encrypted value is preceded by ENC without any separating spaces and is enclosed in parentheses. Ensure there is no blank space at the end of the value.

For consumer (in file consumer-users.properties) following value should be encrypted:

newpassword,CONSUMER,SUPPORT,ROLE_REST,enabled

Note This property not only contains the password, but also the roles that control access to CSA and if the account is enabled.

By default, the unencrypted value of this property is:
cloud,SERVICE_CONSUMER,ROLE_REST,enabled