
Configure the Identity Management component

If you are using the Identity Management component, configure it for FIPS 140-2 compliance as follows:

  1. Update the applicationContext.xml File
  2. Re-Encrypt Passwords
  3. Update the idm-security.properties File
  4. Initialize the Identity Management component Client Part in CSA

Note The examples in this section explain how to configure the Identity Management component that is installed on the same instance as CSA, where CSA is configured in a standalone environment. If your environment is different, files may be located in a different directory.

In the following instructions, %CSA_HOME% is the directory in which CSA is installed (for example, C:\Program Files\HPE\CSA) and <csa_jre> is the directory in which the JRE used by CSA has been installed.

Update the applicationContext.xml File

The applicationContext.xml file for the Cloud Service Management Console must be updated to be FIPS 140-2 compliant. Do the following:

  1. Open the %CSA_HOME%\jboss-as\standalone\deployments\idm-service.war\WEB-INF\spring\applicationContext.xml file in a text editor.

  2. Locate the START Standard Mode Configuration comment and comment out the following content that appears between the START Standard Mode Configuration and END Standard Mode Configuration comments:

    <bean id="simpleEncryptionConfiguration" class="com.hp.csa.security.CSASimplePBEConfig" init-method="init">
    </bean>

    <bean id="configurationEncryptor" class="org.jasypt.encryption.pbe.StandardPBEStringEncryptor">
      <property name="config" ref="simpleEncryptionConfiguration" />
    </bean>

    <bean id="propertyConfigurer" class="org.jasypt.spring.properties.EncryptablePropertyPlaceholderConfigurer">
      <constructor-arg ref="configurationEncryptor" />
      <property name="locations">
        <list>
          <value>classpath:csa.properties</value>
          <value>classpath:swagger.properties</value>
        </list>
      </property>
    </bean>

  3. Locate the START FIPS Mode Configuration comment that appears immediately after the Standard Mode Configuration section and uncomment the following content that appears between the START FIPS Mode Configuration and END FIPS Mode Configuration comments:

    <bean id="configurationEncryptor" class="com.hp.csa.security.util.CSASecurityHelper" />

    <bean id="propertyConfigurer" class="com.hp.csa.security.CSAEncryptablePropertyPlaceholderConfigurer">
      <constructor-arg ref="configurationEncryptor" />
      <property name="locations">
        <list>
          <value>/WEB-INF/spring/applicationContext.properties</value>
        </list>
      </property>
    </bean>

  4. Locate the START FIPS Mode Configuration comment for the csaTemplateFactory bean and uncomment the following content that appears between the START FIPS Mode Configuration and END FIPS Mode Configuration comments:

    <property name="fipsEnabled" value="true" />

  5. Locate the START FIPS Mode Configuration comment for the keystoneTemplateFactory bean and uncomment the following content that appears between the START FIPS Mode Configuration and END FIPS Mode Configuration comments:

    <property name="fipsEnabled" value="true" />

  6. Save and close the file.
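After saving the file, a quick way to confirm it now contains exactly the active beans that steps 2 to 5 call for, as an added Python check that is not part of the CSA product or this guide (the sample XML and the example.Factory class name are constructed):

```python
# Added example (not HPE CSA product code): verify applicationContext.xml is in FIPS mode.
# ET drops XML comments, so the beans commented out in step 2 vanish and only live beans count.
import xml.etree.ElementTree as ET

FIPS_ENCRYPTOR = "com.hp.csa.security.util.CSASecurityHelper"
FIPS_CONFIGURER = "com.hp.csa.security.CSAEncryptablePropertyPlaceholderConfigurer"

def _local(tag):  # strip the Spring beans namespace: "{uri}bean" -> "bean"
    return tag.rsplit("}", 1)[-1]

def check_fips_mode(xml_text):
    """Return the problems found; an empty list means steps 2 to 5 are all reflected."""
    beans = {}
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) == "bean" and el.get("id"):
            beans.setdefault(el.get("id"), []).append(el)
    problems = []
    # Steps 2 and 3: exactly one live bean per id, and it must be the FIPS class.
    for bean_id, wanted in (("configurationEncryptor", FIPS_ENCRYPTOR),
                            ("propertyConfigurer", FIPS_CONFIGURER)):
        classes = [b.get("class") for b in beans.get(bean_id, [])]
        if classes != [wanted]:
            problems.append("%s: expected one live bean of class %s, found %s"
                            % (bean_id, wanted, classes or "none"))
    # Steps 4 and 5: both template factories need an uncommented fipsEnabled=true.
    for bean_id in ("csaTemplateFactory", "keystoneTemplateFactory"):
        flags = [p.get("value") for b in beans.get(bean_id, []) for p in b
                 if _local(p.tag) == "property" and p.get("name") == "fipsEnabled"]
        if flags != ["true"]:
            problems.append("%s: fipsEnabled must be uncommented and true, found %s"
                            % (bean_id, flags or "none"))
    return problems

# Constructed sample shaped like the file after steps 2 to 5; example.Factory is a placeholder class.
SAMPLE_OK = """<beans xmlns="http://www.springframework.org/schema/beans">
  <!-- START Standard Mode Configuration
  <bean id="configurationEncryptor" class="org.jasypt.encryption.pbe.StandardPBEStringEncryptor"/>
  END Standard Mode Configuration -->
  <bean id="configurationEncryptor" class="com.hp.csa.security.util.CSASecurityHelper"/>
  <bean id="propertyConfigurer" class="com.hp.csa.security.CSAEncryptablePropertyPlaceholderConfigurer"/>
  <bean id="csaTemplateFactory" class="example.Factory"><property name="fipsEnabled" value="true"/></bean>
  <bean id="keystoneTemplateFactory" class="example.Factory"><property name="fipsEnabled" value="true"/></bean>
</beans>"""
# The same sample with step 2 skipped: the jasypt bean stays live beside the FIPS one.
SAMPLE_STEP2_SKIPPED = (SAMPLE_OK.replace("<!-- START Standard Mode Configuration", "")
                                 .replace("END Standard Mode Configuration -->", ""))
```

Run check_fips_mode on the real file's text; a non-empty list names the step that was missed.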

Re-Encrypt Passwords

This section describes how to generate and replace the passwords used by the Identity Management component. You will be generating new passwords using FIPS 140-2 compliant utilities.

Update the passwords for the following properties:

  • idm.encryptedSigningKey
  • idm.csa.audit.password
  • idm.keystone.transportPassword (if you are using Keystone)
  • idm.wstrust.crypto.keystore.password
  • idm.wstrust.crypto.keystore.alias
  • idm.saml.keystore.password
  • idm.saml.keystore.defaultKey.name
  • idm.saml.keystore.defaultKey.password
  • consumer
  • consumerAdmin
  • admin
  • csaReportingUser
  • ooInboundUser
  • csaTransportUser
  • codarIntegrationUser
  • csaPropelIntegrationUser
  • idmTransportUser

To generate and replace existing passwords used by the Identity Management component, do the following:

  1. Open a command prompt and change to the %CSA_HOME%\Tools\PasswordUtil directory. For example:

    C:\Program Files\HPE\CSA\Tools\PasswordUtil

  2. Generate a password by running the following command (this example uses the same example names from Create a CSA Encryption Keystore):

    "<csa_jre>\bin\java" -jar passwordUtil-standalone.jar encrypt <password> JsafeJCE ../../jboss-as/standalone/configuration/csa_encryption_keystore.p12 <CSA encryption keystore password> csa_encryption_key ../../jboss-as/standalone/configuration/key.dat

    Note The path separators used in the passwordUtil-standalone.jar script options are forward slashes (/). You can also use double backward slashes (\\) as your path separators.

    The encrypted value of the password is displayed.

    If you used different names for the keystore, alias, or encrypted symmetric key file, here is an example of the command without using the example names:

    "<csa_jre>\bin\java" -jar "%CSA_HOME%\Tools\PasswordUtil\passwordUtil-standalone.jar" encrypt <password> JsafeJCE <CSA encryption keystore> <CSA encryption keystore password> <CSA encryption keystore alias> <location and name of the encrypted symmetric key>

    Note If you use path separators in the passwordUtil-standalone.jar script options, use either a single forward slash (/) or double backward slashes (\\) as your path separator.

  3. Open the %CSA_HOME%\jboss-as\standalone\deployments\idm-service.war\WEB-INF\spring\applicationContext.properties file in a text editor and do the following:

    1. Update the idm.encryptedSigningKey property. idm.encryptedSigningKey must be the same password you configured for the securityEncryptedSigningKey property (which is configured in the csa.properties file). See Re-Encrypt CSA Passwords for more information about encrypting the securityEncryptedSigningKey password property.

    2. Update the idm.csa.audit.password property. idm.csa.audit.password must be the same password you configured for the securityTransportPassword property (which is configured in the csa.properties file). See Re-Encrypt CSA Passwords for more information about encrypting the securityTransportPassword password property.

    3. If you are using Keystone, update the idm.keystone.transportPassword property. idm.keystone.transportPassword must be the password of the user defined by the idm.keystone.transportUsername property, which is located immediately above the idm.keystone.transportPassword property.

    4. If you are not using SAML, comment out the idm.wstrust.crypto.keystore.password, idm.wstrust.crypto.keystore.alias, idm.saml.keystore.password, idm.saml.keystore.defaultKey.name, and idm.saml.keystore.defaultKey.password properties.

      If you are using SAML, you will update these properties by following the steps in Configure CSA to Use SAML.

    5. Save and close the file.
  4. Open the %CSA_HOME%\jboss-as\standalone\deployments\idm-service.war\WEB-INF\classes\consumer-users.properties file in a text editor and do the following:

    1. Re-encrypt the consumer and consumerAdmin property values.

      Note The value not only contains the password, but also the roles that control access to CSA and if the account is enabled.

      This entire value must be encrypted.

      Property: consumer
      Value: <password>,CONSUMER,SUPPORT,ROLE_REST,enabled

      Property: consumerAdmin
      Value: <password>,CONSUMER_ORGANIZATION_ADMINISTRATOR,enabled

    2. Save and close the file.

  5. Open the %CSA_HOME%\jboss-as\standalone\deployments\idm-service.war\WEB-INF\classes\provider-users.properties file in a text editor and do the following:

    1. Re-encrypt the admin, csaReportingUser, ooInboundUser, csaTransportUser, codarIntegrationUser, and csaPropelIntegrationUser property values.

      Note The value not only contains the password, but also the roles that control access to CSA and if the account is enabled.

      This entire value must be encrypted.

      Property: admin
      Value: <password>,DIAGNOSTICS_ADMIN,SUPPLIER_VIEWER,CONTENT_ADMIN,LICENSE_ADMIN,SUPER_IDM_ADMIN,ROLE_REST,enabled
      Note The password must be the same password you configured for the securityAdminPassword property (configured in the csa.properties file).

      Property: csaReportingUser
      Value: <password>,ROLE_REST,ROLE_DYNAMIC,enabled
      Note The password must be the same password you configured for the securityCsaReportingUserPassword property (configured in the csa.properties file).

      Property: ooInboundUser
      Value: <password>,ROLE_REST,enabled
      Note The password must be the same password you configured for the securityOoInboundUserPassword property (configured in the csa.properties file).

      Property: csaTransportUser
      Value: <password>,ROLE_REST,enabled
      Note The password must be the same password you configured for the securityTransportPassword property (configured in the csa.properties file).

      Property: codarIntegrationUser
      Value: <password>,ROLE_REST,enabled
      Note The password must be the same password you configured for the securityCodarIntegrationUserPassword property (configured in the csa.properties file).

      Property: csaPropelIntegrationUser
      Value: <password>,ROLE_REST,SUPER_IDM_ADMIN,enabled
      Note The password must be the same password you configured for the csaPropelIntegrationUserPassword property (configured in the csa.properties file).

      See Re-Encrypt CSA Passwords for more information about encrypting passwords in the csa.properties file.

    2. Save and close the file.

  6. Open the %CSA_HOME%\jboss-as\standalone\deployments\idm-service.war\WEB-INF\classes\integrationusers.properties file in a text editor and do the following:

    1. Re-encrypt the idmTransportUser property value.

      Note The value not only contains the password, but also the roles that control access to CSA and if the account is enabled.

      This entire value must be encrypted.

      Property: idmTransportUser
      Value: <password>,ROLE_ADMIN,PERM_IMPERSONATE,enabled
      Note The password must be the same password you configured for both the securityIdmTransportUserPassword property (configured in the csa.properties file) and the password attribute (configured in the idmProvider section of the mpp.json file).

      See Re-Encrypt CSA Passwords for more information about encrypting the securityIdmTransportUserPassword password property. See Encrypt a Marketplace Portal Password for more information about encrypting the password attribute.

    2. Save and close the file.

Update the idm-security.properties File

Enable the FIPS 140-2 security settings in the idm-security.properties file. Do the following:

  1. Open the %CSA_HOME%\jboss-as\standalone\deployments\idm-service.war\WEB-INF\classes\idm-security.properties file in a text editor.

  2. Verify that the FIPS 140-2 property values in this file are the same values that are configured in the %CSA_HOME%\jboss-as\standalone\deployments\csa.war\WEB-INF\classes\csa.properties file. You should have already copied these values (see Configure CSA Properties for more information about these properties).

  3. Save and close the file.
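An added Python check, not part of the CSA product or this guide, for two of the edits above: the user entries in consumer-users.properties, provider-users.properties and integrationusers.properties must be encrypted as a whole, so a value that still shows role names or the enabled flag was only partly encrypted; and each idm-security.properties value must equal its csa.properties counterpart. The file contents and the fips.placeholder.* key names are constructed and are not the product's real property names.

```python
# Added example (not HPE CSA product code): two post-edit checks on the properties files.
import re

def parse_properties(text):
    """Small Java .properties reader: '#'/'!' comments, '=' or ':' separators, '\\' continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):            # value continues on the next line
            pending = line[:-1]
            continue
        pending = ""
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def unencrypted_user_entries(text, expected_users):
    """Users whose value is missing or still readable: encrypting the entire value leaves
    no trailing 'enabled' flag and no ROLE_/PERM_ tokens in the clear."""
    props, bad = parse_properties(text), []
    for user in expected_users:
        tokens = props.get(user, "").split(",")
        if tokens == [""] or tokens[-1] == "enabled" or any(t.startswith(("ROLE_", "PERM_")) for t in tokens):
            bad.append(user)
    return bad

def mismatched_keys(idm_text, csa_text):
    """Keys of idm-security.properties whose value differs from, or is absent in, csa.properties."""
    idm, csa = parse_properties(idm_text), parse_properties(csa_text)
    return sorted(k for k, v in idm.items() if csa.get(k) != v)

# Constructed provider-users.properties: admin was encrypted whole, ooInboundUser only its
# password, csaReportingUser is missing. The opaque strings stand in for passwordUtil output.
PROVIDER_USERS = """# provider users (constructed sample)
admin=c29tZS1jb25zdHJ1Y3RlZC1jaXBoZXJ0ZXh0
ooInboundUser=YW5vdGhlci1jb25zdHJ1Y3RlZC12YWx1ZQ==,ROLE_REST,enabled
"""
# Constructed idm-security.properties and csa.properties; fips.placeholder.* are placeholder
# key names, not the product's real FIPS property names.
IDM_SECURITY = "fips.placeholder.keystore=/opt/hpe/csa/csa_encryption_keystore.p12\nfips.placeholder.alias=csa_encryption_key\n"
CSA_PROPERTIES = "fips.placeholder.keystore=/opt/hpe/csa/csa_encryption_keystore.p12\nfips.placeholder.alias=stale_alias\n"

if __name__ == "__main__":
    print(unencrypted_user_entries(PROVIDER_USERS, ["admin", "ooInboundUser", "csaReportingUser"]))
    print(mismatched_keys(IDM_SECURITY, CSA_PROPERTIES))
```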

Initialize the Identity Management component Client Part in CSA

  1. In the %CSA_HOME%\jboss-as\standalone\deployments\csa.war\WEB-INF\web.xml file, search for FIPS and uncomment the section below:

    <!-- FIPS :: IDM Security Context listener -->
    <!--
    <listener>
      <listener-class>com.hp.ccue.identity.config.SecurityContextListener</listener-class>
    </listener>
    -->

  2. Copy the configured idm-security.properties file from idm-service.war/WEB-INF/classes to csa.war/WEB-INF/classes.