Administer > Configuration > Common Access Card > Configure the Identity Management component

Configure the Identity Management component

To configure the Identity Management component, complete the following steps:

Note If you wish to configure CAC without HP SSO, do the following in this order:

  1. Follow the instructions to manually disable HP SSO, see "Disable HP Single Sign-On (HPSSO)" in Integrate with HP Single Sign-On.
  2. Continue to follow the steps below, but you should skip steps 4a and 4f. These steps are only relevant when HP SSO is used in CSA (HP SSO is enabled by default).
  1. Extract the user name from the certificate using the username extraction mechanism.

    The username extraction mechanism depends on the format of your certificate. The user name extracted from the certificate should match the user names configured in the LDAP configuration configured in CSA. CSA enables you to extract the user name using the SubjectDN and Subject Alternative Name (SAN) mechanisms. To configure the username extraction mechanism you must make the changes to the following properties in the CSA_HOME/jboss-as/standalone/deployments/idm-service.war/WEB-INF/spring/applicationContext.properties file:

    Property Description
    idm.cac.x509Attribute

    The name of the X.509 certificate attribute from which the user name will be extracted.

    Set this property to subjectDN or san or subjectDN,san. If this property is set to contain both attributes such as subjectDN,san or san,subjectDN, then username will be extracted from the subjectDN attribute only if the SAN attribute is not present in the certificate. If this property is not set, then the default value for the property is "subjectDN".

    Uncomment this property #idm.cac.x509Attribute=subjectDN

    idm.cac.regex

    The regular expression used to extract a user name from the subjectDN X.509 attribute. If this property is not set, then the default for regex is CN=(.*?). This property need not be set if the property idm.cac.x509Attribute is set to "san".

    Note To retrieve the data between the parentheses from the subjectDN X.509 attribute, use the filter csa.cac.regex=\\((.*?)\\).

    idm.cac.san.type

    The type of the subject alternative name. The allowed types are othername and rfc822name. If this property is not set, then the default value for the property is otherName. This property need not be set if idm.cac.x509Attribute is set to "subjectDN".

    idm.cac.default_tenant_org

    Name of the default organization to use with CAC if no organization is defined in the request.

    Uncomment this property #idm.cac.default_tenant_org=CONSUMER

  2. Navigate to the CSA_HOME/jboss-as/standalone/deployments/idm-service.war/WEB-INF/spring directory.
  3. Make a backup copy of the applicationContext-security.xml file.
  4. Edit the CSA_HOME/jboss-as/standalone/deployments/
    idm-service.war/WEB-INF/spring/applicationContext-security.xml
    file:

    1. (Skip this step if HP SSO has been disabled manually.) If you are not using HP SSO, locate and uncomment the content below the line START Certificate Authentication with subjectAlternativeName (with HP SSO) so that it appears as follows:

      <security:http pattern="/idm/v0/login" use-expressions="true" auto-config="false">
          <security:http-basic />
          <security:csrf disabled="true" />
          <security:custom-filter ref="hpssoProvidedFilter" before="PRE_AUTH_FILTER" />
          <security:custom-filter ref="hpssoIntegrationFilter" after="PRE_AUTH_FILTER" />
          <security:custom-filter ref="requestTokenCompositeFilter" position="FIRST"/>
          <security:custom-filter position="X509_FILTER" ref="cacX509AuthenticationFilter" />
          <security:custom-filter ref="cacFilter" before="LAST" />
          <security:custom-filter ref="noPromptFilter" position="LAST" />
      </security:http>
      <bean id="cacFilter" class="com.hp.ccue.identity.filter.certificate.CertificateFilter">
          <property name="generateTokenUtil" ref="generateTokenUtil" />
          <property name="tokenFactory" ref="tokenFactory" />
          <property name="tokenWriter" ref="hpssoTokenWriter" />
          <property name="loginRedirectionHandler" ref="loginRedirectionHandler" />
          <property name="authenticationFactory" ref="authnFactory" />
          <property name="persistenceService" ref="persistenceService"/>
          <property name="rolesPopulator" ref="csaRolesPopulator"/>
          <property name="userAndRepFactory" ref="ldapUserAndRepFactory"/>
          <property name="tenantFactory" ref="tenantFactory"/>
          <property name="defaultTenantOrganization" value="${idm.cac.default_tenant_org}" />
      </bean> 
    2. Locate the line START Certificate Authentication (beans) and uncomment the bean definitions below this comment so that it appears as follows:

      Note To retrieve the data between the parentheses for <property name="regex" value="${idm.cac.regex:CN=(.*?),}" />, use the filter <property name="regex" value="${idm.cac.regex:\\((.*?)\\)}" />.

      <!--START Certificate Authentication (beans) -->
           <bean id="cacX509AuthenticationFilter" 
      class="org.springframework.security.web.authentication.preauth.x509.X509AuthenticationFilter">
      
                <property name="authenticationManager" ref="authManager" />
                <property name="principalExtractor" ref="customX509Extractor" />
           </bean>
      
           <bean id="customX509AttrPreAuthAuthProvider" 
      class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
                <property name="preAuthenticatedUserDetailsService" 
      ref="customAuthenticationUserDetailsService" />
           </bean>
           <bean id="customAuthenticationUserDetailsService" 
      class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
                <property name="userDetailsService" ref="cacUserDetailsService" />
           </bean>
           <bean id="customX509Extractor" 
      class="com.hp.ccue.identity.filter.certificate.CustomX509PrincipalExtractor">
                <property name="x509Attribute" value="${idm.cac.x509Attribute:subjectDN}" />
                <property name="regex" value="${idm.cac.regex:CN=(.*?),}" />
                <property name="sanType" value="${idm.cac.san.type:OtherName}" />
                <property name="UPNResolver" ref="userPrincipalNameResolver" />
           </bean>
      
      <!-- Uncomment a userPrincipalNameResolver implementation for extracting the user principal name -->
      <!--
           <bean id="userPrincipalNameResolver" 
      class="com.hp.ccue.identity.filter.certificate.DefaultUserPrincipalNameExtractor" />
      -->
           <bean id="userPrincipalNameResolver" 
      class="com.hp.ccue.identity.filter.certificate.CsaBouncyCastleUpnExtractor" />

       

    3. Locate the line <security:authentication-providerref="customX509AttrPreAuthAuthProvider"/> and uncomment this line so that it appears as below:

      <!-- START Certificate Authentication with subjectAlternativeName -->
      
           <security:authentication-provider ref="customX509AttrPreAuthAuthProvider"/>
      
      <!-- END Certificate Authentication with subjectAlternativeName -->
    4. Locate the line <--START Simplified Logout Configuration--> and uncomment the section below the line so that it appears as follows:

      <!-- START Simplified Logout Configuration -->
      
         <security:http pattern="/idm/v0/logout" use-expressions="true" auto-config="false">
      	<security:csrf disabled="true" />
      	<security:custom-filter ref="simpleLogoutRedirect" position="FIRST"/>
      	<security:http-basic />
      </security:http>
      <!--<security:http pattern="/idm/v0/logout/close" use-expressions="true" auto-config="false">
      	<security:csrf disabled="true" />
      	<security:custom-filter ref="hpssoIntegrationFilter" after="PRE_AUTH_FILTER"/>
      	<security:http-basic />
      	</security:http>-->
      <bean id="simpleLogoutRedirect" class="com.hp.ccue.identity.filter.RedirectFilter">
      	<property name="url" value="/idm/v0/logout/close"/>
      </bean>
      
      <!-- END Simplified Logout Configuration -->
    5. Locate the line <--START Certificate Authentication / SiteMinder SSO / HP SSO Configuration--> and uncomment the section below this line so that it appears as follows:

      <!-- START Certificate Authentication / SiteMinder SSO / HP SSO Configuration -->
      
          <bean class="com.hp.ccue.identity.filter.LoginRedirectionHandler" id="loginRedirectionHandler">
              <property name="tokenService" ref="tokenService"/>
          </bean>
         
          <bean class="com.hp.ccue.identity.utilities.GenerateResponseTokenUtil" name="generateTokenUtil">
              <property name="tenantFactory" ref="tenantFactory"/>
              <property name="userFactory" ref="userFactory"/>
              <property name="authenticationResponseFactory" ref="authenticationResponseFactory"/>
              <property name="roles">
                  <list>
                     <value>ROLE_REST</value>
                  </list>
              </property>
          </bean>
      
      <!-- END Certificate Authentication / SiteMinder SSO / HP SSO Configuration -->
    6. (Skip this step if SSO has been disabled manually). Search for START HP SSO ONLY Configuration and comment out the section below:

      <security:http auto-config="false" pattern="/idm/v0/login" use-expressions="true">
          <security:csrf disabled="true"/>
          <security:custom-filter position="FIRST" ref="requestTokenCompositeFilter"/>
          <security:custom-filter before="PRE_AUTH_FILTER" ref="hpssoProvidedFilter"/>
          <security:custom-filter after="PRE_AUTH_FILTER" ref="hpssoIntegrationFilter"/>
          <security:custom-filter before="FORM_LOGIN_FILTER" ref="noPromptFilter"/>
          <security:http-basic/>
      </security:http>
      
      <security:http auto-config="false" pattern="/idm/v0/logout" use-expressions="true">
          <security:csrf disabled="true"/>
          <security:custom-filter position="FIRST" ref="requestTokenCompositeFilter"/>
          <security:custom-filter before="PRE_AUTH_FILTER" ref="hpssoProvidedFilter"/>
          <security:custom-filter after="PRE_AUTH_FILTER" ref="hpssoIntegrationFilter"/>
          <security:http-basic/>
      </security:http>
  5. Edit the CSA_HOME/jboss-as/standalone/deployments/
    idm-service.war/WEB-INF/spring/applicationContext.xml
    file:

    1. Comment out activeDirectoryAuthProvider and ldapAuthProvider so that they appear as follows:

      Note Ignore this step if it is already done.

      <bean id="multiTenantAuthProvider"
      class="com.hp.ccue.identity.authn.MultiTenantAuthenticationProvider">
         <property name="providers">
           <list>
             <!-- <ref bean="activeDirectoryAuthProvider"/> -->
             <!-- <ref bean="ldapAuthProvider"/> -->
             <ref bean="seededAuthProvider"/>
          </list>
         </property>
         ......................
      </bean>