Configure Single Sign-On

If you have integrated Single Sign-On (SSO) between CSA and another application (such as Operations Orchestration), you must configure SSO on the CSA node.

  1. Open the CSA_HOME/jboss-as/standalone/deployments/idm-service.war/WEB-INF/hpssoConfig.xml file in a text editor.

  2. Locate the following content:

    <onFailure>
        .
        .
        .
       <action name="redirectToAP">
          <targetUrl>https://[CSA_NODE_HOSTNAME]:[CSA_NODE_PORT]/csa/login</targetUrl>
       </action>

  3. Replace [CSA_NODE_HOSTNAME] and [CSA_NODE_PORT] as follows:

    For Load balancer:

    Replace [CSA_NODE_HOSTNAME] with the load balancer hostname (LOAD_BALANCER_HOSTNAME) and [CSA_NODE_PORT] with the virtual host port for the CSA nodes (LOAD_BALANCER_CSA_HTTPS_PORT). For example:

    <onFailure>
        .
        .
        .
       <action name="redirectToAP">
          <targetUrl>https://load_balancer.xyz.com:8443/csa/login</targetUrl>
       </action>

    For Apache load balancer:

    Replace [CSA_NODE_HOSTNAME] with the Apache load balancer hostname (APACHE_LOAD_BALANCER_HOSTNAME) and [CSA_NODE_PORT] with the virtual host port for the CSA nodes (APACHE_LOAD_BALANCER_CSA_HTTPS_PORT). For example:

    <onFailure>
        .
        .
        .
       <action name="redirectToAP">
          <targetUrl>https://apache_load_balancer.xyz.com:8443/csa/login</targetUrl>
       </action>

  4. Locate the initString value in the crypto element. The initString setting for CSA must be the same value for all nodes in the cluster and any applications (such as Operations Orchestration) that are integrated with Single Sign-On. The initString value represents a secret key and should be treated as such in your environment.
  5. Copy the initString value to the CSA_HOME/jboss-as/standalone/deployments/idm-service.war/WEB-INF/hpssoConfig.xml file on this and all other nodes in the cluster.

  6. Configure this initString value in any applications that are integrated with CSA using Single Sign-On, including Operations Orchestration.
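The requirement above, that every node in the cluster carries the same initString and that no redirect target still holds a placeholder, can be verified without ever echoing the secret. The following Python is an added example and is not part of CSA or this guide; the hpssoConfiguration root element, the node names and the initString values are constructed assumptions, and only the crypto initString attribute and the redirectToAP targetUrl follow the fragments on this page.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample hpssoConfig.xml contents for two nodes (assumed structure,
# modelled on the crypto and onFailure fragments quoted in this guide).
NODE_CONFIGS = {
    "csa-node1": """<hpssoConfiguration>
  <crypto initString="EXAMPLE_INIT_STRING_PLACEHOLDER" cipherType="symmetricBlockCipher"/>
  <onFailure><action name="redirectToAP">
    <targetUrl>https://load_balancer.xyz.com:8443/csa/login</targetUrl>
  </action></onFailure>
</hpssoConfiguration>""",
    "csa-node2": """<hpssoConfiguration>
  <crypto initString="DIFFERENT_VALUE_PLACEHOLDER" cipherType="symmetricBlockCipher"/>
  <onFailure><action name="redirectToAP">
    <targetUrl>https://[CSA_NODE_HOSTNAME]:[CSA_NODE_PORT]/csa/login</targetUrl>
  </action></onFailure>
</hpssoConfiguration>""",
}

def _local(tag):
    # Strip an XML namespace prefix, if the real file carries one.
    return tag.rsplit("}", 1)[-1]

def fingerprint(secret):
    # Short SHA-256 digest so the secret initString is never written to output or logs.
    return hashlib.sha256(secret.encode()).hexdigest()[:12]

def audit_node(xml_text):
    """Return (initString fingerprint or None, list of findings) for one hpssoConfig.xml."""
    root = ET.fromstring(xml_text)
    findings, init_fp = [], None
    for el in root.iter():
        name = _local(el.tag)
        if name == "crypto" and el.get("initString"):
            init_fp = fingerprint(el.get("initString"))
        elif name == "targetUrl":
            url = (el.text or "").strip()
            if "[CSA_NODE_HOSTNAME]" in url or "[CSA_NODE_PORT]" in url:
                findings.append("targetUrl still contains an unreplaced placeholder")
            elif not url.startswith("https://"):
                findings.append("targetUrl is not HTTPS: " + url)
    if init_fp is None:
        findings.append("crypto initString is missing or empty")
    return init_fp, findings

def audit_cluster(configs):
    """Audit every node, then require a single initString fingerprint across the cluster."""
    report = {node: audit_node(text) for node, text in configs.items()}
    fingerprints = {fp for fp, _ in report.values() if fp}
    cluster_ok = len(fingerprints) == 1 and all(not f for _, f in report.values())
    return cluster_ok, report

if __name__ == "__main__":
    ok, report = audit_cluster(NODE_CONFIGS)
    for node, (fp, findings) in report.items():
        print(node, "initString fingerprint:", fp, findings or "OK")
    print("cluster consistent:", ok)
```

On a real cluster, load each node's hpssoConfig.xml into the dictionary instead of the constructed samples; comparing fingerprints also works across the integrated applications, such as Operations Orchestration, that must share the same initString.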

Workflow Designer Configuration - SSO

  1. Open the CSA_HOME/jboss-as/standalone/deployments/idm-service.war/WEB-INF/hpssoConfig.xml file on the first CSA node in a text editor and locate the initString value in the crypto element.

    Example:

    <crypto initString="2kDcHB0eOHrHcAGeArIPr7TNfuivOpKqjj29SwKOQIoI" cipherType="symmetricBlockCipher" engineName="AES"
    paddingMode="CBC" keySize="256" encodingMode="Base64Url" algorithmPaddingName="PKCS7Padding" checkIntegrity="disabled"
    cryptoSource="lw" directKeyEncoded="false" directKeyEncoding="Hex" jcePbeAlgorithmName="PBEWithHmacSHA1"
    jcePbeMacAlgorithmName="PBEWithHmacSHA1" macAlgorithmName="SHA1" macKeySize="256" macPbeCount="20" macType="hmac"
    pbeCount="20" pbeDigestAlgorithm="SHA1"/>

    If not already done, copy this initString to the CSA_HOME/jboss-as/standalone/deployments/idm-service.war/WEB-INF/hpssoConfig.xml file of all other CSA nodes.

    Create an encrypted version of the initString with the encrypt_password script. When prompted for a password, enter the initString:

    sh# cd $CSA_HOME/workflow-designer/designer/bin
    sh# ./encrypt_password
    Password (typing will be hidden):
    Confirm password (typing will be hidden):
    {ENCRYPTED}xxts33/07Dtyz0iZ3eOQhzFVuqXvZ7KK6wDNm1A4E5+byAxlDZ+lHzwNRPvLgqXf
    sh#
  2. Edit the file CSA_HOME/workflow-designer/designer/var/securitysecured.properties on every CSA node.

  3. Add or edit the lwsso.initString property with the encrypted initString produced by the encrypt_password script:

    # Limits the size of a single CP upload; default 200 MB
    upload.max.fileSize.limit = 209715200
    # Limits the number of parallel CP creations
    max.parallel.cp.creation = 30
    # Limits the number of parallel CP uploads
    max.parallel.cp.upload = 50
    is.secured.cookie = true
    lwsso.initString = {ENCRYPTED}xxts33/07Dtyz0iZ3eOQhzFVuqXvZ7KK6wDNm1A4E5+byAxlDZ+lHzwNRPvLgqXf
  4. Edit the file CSA_HOME/workflow-designer/designer/tomcat/conf/server.xml on every CSA node. Locate the Engine element and add a jvmRoute attribute with a unique node name for every workflow-designer node:

    Engine element in server.xml file:
    <Engine defaultHost="localhost" name="Catalina">

    On first node change to:
    <Engine defaultHost="localhost" name="Catalina" jvmRoute="ood1">

    On second node change to:
    <Engine defaultHost="localhost" name="Catalina" jvmRoute="ood2">
    ...
  5. Restart workflow-designer on every node with the command: CSA_HOME/workflow-designer/designer/bin/designer restart