Configure CSA to Use SAML

Security Assertion Markup Language (SAML) can be used with CSA that has been configured for FIPS 140-2 compliance. Do the following:

  1. Complete the tasks in the Cloud Service Automation Configuration Guide to configure SAML for CSA.

  2. Edit the %CSA_HOME%\jboss-as\standalone\deployments\idm-service.war\WEB-INF\spring\applicationContext.properties file:

    1. Locate the idm.wstrust.crypto.provider and idm.wstrust.crypto.keystore.type properties and set them to the following values:

      idm.wstrust.crypto.provider=JsafeJCE
      idm.wstrust.crypto.keystore.type=pkcs12

    2. Locate and uncomment the idm.saml.keystore.provider property. Verify that it is set to JsafeJCE.
    3. Locate the idm.saml.keystore.type property and set it to the following value:

      idm.saml.keystore.type=pkcs12

    4. Save and exit the file.
  3. Edit the %CSA_HOME%\jboss-as\standalone\deployments\idm-service.war\WEB-INF\spring\applicationContext-saml.xml file. Locate and comment out the following:

    <bean class="org.springframework.security.saml.trust.httpclient.TLSProtocolConfigurer">
       <property name="sslHostnameVerification" value="allowAll"/>
    </bean>

  4. Edit the %CSA_HOME%\jboss-as\standalone\deployments\idm-service.war\WEB-INF\spring\applicationContext-security.xml file:

    1. Locate the START FIPS Mode Configuration comment and uncomment the following content that appears between the START FIPS Mode Configuration and END FIPS Mode Configuration comments:

      <property name="fipsEnabled" value="true" />

    2. Locate the requireValidCertificate property, which appears after the comment "Flag to require a valid SSL certificate and hostname verification. Set to false to support self-signed certificates or true to perform normal SSL certificate validation", and set its value to true:

      <property name="requireValidCertificate" value="true"/>

    3. Save and exit the file.
  5. Generate and replace existing passwords used by the Identity Management component:

    1. Open a command prompt and change to the %CSA_HOME%\Tools\PasswordUtil directory. For example:

      C:\Program Files\HPE\CSA\Tools\PasswordUtil

    2. Generate a password by running the following command (this example uses the same example names from Create a CSA Encryption Keystore):

      "<csa_jre>\bin\java" -jar passwordUtil-standalone.jar encrypt <password> JsafeJCE ../../jboss-as/standalone/configuration/csa_encryption_keystore.p12 <CSA encryption keystore password> csa_encryption_key ../../jboss-as/standalone/configuration/key.dat

      Note The path separators used in the passwordUtil-standalone.jar script options are forward slashes (/). You can also use double backward slashes (\\) as your path separators.

      The encrypted value of the password is displayed.

      If you used different names for the keystore, alias, or encrypted symmetric key file, here is an example of the command without using the example names:

      "<csa_jre>\bin\java" -jar "%CSA_HOME%\Tools\PasswordUtil\passwordUtil-standalone.jar" encrypt <password> JsafeJCE <CSA encryption keystore> <CSA encryption keystore password> <CSA encryption keystore alias> <location and name of the encrypted symmetric key>

      Note If you use path separators in the passwordUtil-standalone.jar script options, use either a single forward slash (/) or double backward slashes (\\) as your path separator.

    3. Open the %CSA_HOME%\jboss-as\standalone\deployments\idm-service.war\WEB-INF\spring\applicationContext.properties file in a text editor and update the following properties:

      • idm.wstrust.crypto.keystore.password
      • idm.wstrust.crypto.keystore.alias
      • idm.saml.keystore.password
      • idm.saml.keystore.defaultKey.name
      • idm.saml.keystore.defaultKey.password
  6. Create a keystore that supports PKCS #12 for SAML and configure the Identity Management component to use this keystore:

    1. Delete the HP Single Sign-On certificate from the existing SAML keystore:

      "<csa_jre>\bin\keytool" -delete -keystore %CSA_HOME%\jboss-as\standalone\deployments\idm-service.war\WEB-INF\classes\security\samlKeystore.jks -alias idp.hpsso.com -storepass nalle123

    2. Create a keystore that supports PKCS #12 and import only the SAML certificate into this keystore:

      "<csa_jre>\bin\keytool" -importkeystore -srckeystore %CSA_HOME%\jboss-as\standalone\deployments\idm-service.war\WEB-INF\classes\security\samlKeystore.jks -srcstoretype JKS -destkeystore %CSA_HOME%\jboss-as\standalone\deployments\idm-service.war\WEB-INF\classes\security\samlKeystore.p12 -deststoretype PKCS12 -srcstorepass nalle123 -deststorepass nalle123 -srckeypass nalle123 -destkeypass nalle123 -srcalias apollo -destalias apollo

    3. Open the %CSA_HOME%\jboss-as\standalone\deployments\idm-service.war\WEB-INF\spring\applicationContext.properties file in a text editor and update the following properties to use the samlKeystore.p12 keystore:

      • idm.wstrust.crypto.keystore
      • idm.saml.keystore
  7. Import the Marketplace Portal public certificate into the CSA server truststore:

    1. Verify that you have created the CSA server truststore (for example, %CSA_HOME%\jboss-as\standalone\configuration\csa_server_truststore.p12; see Step 1: Create a CSA server keystore that Supports PKCS #12). The csaTruststore property configured in the csa.properties file is also set to this CSA server truststore.
    2. Verify that you have generated the Marketplace Portal public certificate (for example, %CSA_HOME%\portal\conf\.mpp_publicKey.pem; see the step to generate a public certificate).
    3. Import the Marketplace Portal public certificate into the CSA server truststore. For example:

      "<csa_jre>\bin\keytool" -importcert -alias mpp -file %CSA_HOME%\portal\conf\.mpp_publicKey.pem -trustcacerts -keystore %CSA_HOME%\jboss-as\standalone\configuration\csa_server_truststore.p12

      Note If the Marketplace Portal public certificate is signed by a Certificate Authority, import the Certificate Authority certificate into the CSA server truststore instead of the Marketplace Portal public certificate.

      When prompted, enter the CSA server truststore password (that was configured in Step 1: Create a CSA server keystore that Supports PKCS #12).

      When prompted, enter yes to trust the Marketplace Portal public certificate (or Certificate Authority certificate).

  8. Import the Identity Provider (such as AD FS [Active Directory Federation Services]) server certificate into the CSA server truststore. If necessary, contact your Identity Provider administrator to obtain the Identity Provider server certificate.
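The following is an added example, not code from the CSA documentation: a post-edit check for the settings that steps 2, 4 and 6 above change in applicationContext.properties, applicationContext-saml.xml and applicationContext-security.xml. The file contents, and the function names, are constructed for illustration; the sample properties deliberately leave idm.saml.keystore.provider commented out so the check reports the missed step.

```python
import re

# Added example, not CSA code; contents are constructed. idm.saml.keystore.provider is left commented out (step 2.2).
PROPERTIES = """\
idm.wstrust.crypto.provider=JsafeJCE
idm.wstrust.crypto.keystore.type=pkcs12
idm.wstrust.crypto.keystore=security/samlKeystore.p12
#idm.saml.keystore.provider=JsafeJCE
idm.saml.keystore.type=pkcs12
idm.saml.keystore=security/samlKeystore.p12
"""
SAML_XML = """<!-- <bean class="org.springframework.security.saml.trust.httpclient.TLSProtocolConfigurer">
<property name="sslHostnameVerification" value="allowAll"/></bean> -->"""
SECURITY_XML = """<property name="fipsEnabled" value="true" />
<property name="requireValidCertificate" value="true"/>"""
EXPECTED_PROPS = {"idm.wstrust.crypto.provider": "JsafeJCE", "idm.saml.keystore.provider": "JsafeJCE",
                  "idm.wstrust.crypto.keystore.type": "pkcs12", "idm.saml.keystore.type": "pkcs12"}

def parse_properties(text):
    """Active (uncommented) key=value pairs of a Java .properties file."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def active_property(xml, name):
    """Value of <property name=NAME value=.../> outside XML comments, else None."""
    live = re.sub(r"<!--.*?-->", "", xml, flags=re.S)
    m = re.search(r'<property\s+name="%s"\s+value="([^"]*)"' % re.escape(name), live)
    return m.group(1) if m else None

def fips_saml_findings(properties, saml_xml, security_xml):
    """Settings still in their non-FIPS state; an empty list means every check passed."""
    p = parse_properties(properties)
    findings = [f"{k} is {p.get(k)!r}, expected {v!r}"
                for k, v in EXPECTED_PROPS.items() if p.get(k) != v]
    findings += [f"{k} should name the PKCS #12 keystore, got {p.get(k)!r}"
                 for k in ("idm.wstrust.crypto.keystore", "idm.saml.keystore") if not p.get(k, "").endswith(".p12")]
    # The allowAll hostname verifier must be commented out (None); both security flags must be "true".
    for xml, name, want in ((saml_xml, "sslHostnameVerification", None),
                            (security_xml, "fipsEnabled", "true"),
                            (security_xml, "requireValidCertificate", "true")):
        got = active_property(xml, name)
        if got != want:
            findings.append(f"{name} is {got!r}, expected {want!r}")
    return findings
```

Point the three constants at the real files under %CSA_HOME%\jboss-as\standalone\deployments\idm-service.war\WEB-INF\spring\ to run it against an installation.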