Upgrade > Upgrade tasks > Update and Restart CSA

Update and Restart CSA

The following tasks must be completed before CSA can be restarted:

Recustomize SSL/Security

If you generated or copied SSL certificates that are used by CSA, you must copy these files to the appropriate directory in CSA 4.80.0002.

Note If the automatically generated self-signed certificate for CSA has expired, you may still be able to use the Cloud Service Management Console. However, you will not be able to use the Marketplace Portal or Identity Management component unless you disable the strictSSL attribute in the Marketplace Portal's configuration file. If SSL must be enabled, you can generate another self-signed certificate or a Certificate Authority-signed certificate. If you generate a new certificate, you MUST import that certificate into CSA's JRE. Refer to the Configure SSL for Client Browsers section in the Cloud Service Automation Configuration Guide for more information.

The following is a list of files that you may have customized for SSL/security and the actions required when you upgrade CSA:

File Action
certificate files Required. Manually copy certificate files that do not use the .crt extension that are used by CSA from the backup directory to the CSA 4.80.0002 directory (see table below for more information).
cacerts Required.

Keystore file defined by the certificate-key-file property of the connector attribute in standalone.xml

 Required (if not using the default keystore file). Manually copy the custom keystore file back from the location outside of the Windows: %CSA_HOME% or the Linux: $CSA_HOME installation directory where you manually backed it up.

standalone.xml

 Required (if not using the default keystore file). Manually copy the custom keystore file back from the location outside of the Windows:%CSA_HOME%; or the Linux: $CSA_HOME installation directory where you manually backed it up.

Files, Actions, and Locations

certificate files
Action Required. Manually copy certificate files that do not use the .crt extension that are used by CSA from the backup directory to the CSA 4.80.0002 directory. Files that use the .crt extension are automatically restored. If you saved .crt files in a different directory, you must manually copy these files back after upgrade.
File Location in CSA 4.80.0002

Windows: %CSA_HOME%\jboss-as\standalone\configuration\

Linux: $CSA_HOME/jboss-as/standalone/configuration/
Backed Up CSA 4.6x or 4.7x File Location in CSA 4.80.0002

Windows: %CSA_HOME%\_CSA_4_80_0_installation\Backup\security\

Linux: $CSA_HOME/_CSA_4_80_0_installation/Backup/security/

cacerts
Action Required. <CSA_JRE_HOME> is the directory in which the JRE that is used by CSA is installed.
File Location in CSA 4.80.0002

Windows: <csa_jre>\lib\security\

Linux: <csa_jre>/lib/security/

where <csa_jre> is the directory in which the JRE (used exclusively by CSA) is installed.
Backed Up CSA 4.6x or 4.7x File Location in CSA 4.80.0002 This file is not backed up.

Keystore file defined by the certificate-key-file property of the connector attribute in standalone.xml
Action

Required (if not using the default keystore file). Manually copy the keystore file back from the location outside of the Windows: %CSA_HOME%; or the Linux: $CSA_HOME installation directory where you manually backed it up.

If you are using the default keystore file (Windows: C:\Program Files\HPE\CSA\jboss-as\standalone\configuration\.keystore; or Linux:/usr/local/hpe/csa/jboss-as/standalone/configuration/.keystore), no action is required (the default keystore file is automatically backed up and restored).
File Location in CSA 4.80.0002

The file and its location are determined by the value defined by certificate-key-file. By default, the value is: Windows: C:\Program Files\HPE\CSA\jboss-as\standalone\configuration\.keystore ; or

Linux: /usr/local/hpe/csa/jboss-as/standalone/configuration/.keystore
Backed Up CSA 4.6x or 4.7x File Location in CSA 4.80.0002

If you are using a custom keystore file, this file is not backed up.

The default keystore file is backed up to:

Windows: %CSA_HOME%\_CSA_4_80_0_installation\Backup\security\keystores\; or

Linux: $CSA_HOME/_CSA_4_80_0_installation/Backup/security/keystores/

standalone.xml
Action If this file was customized, manually copy the custom keystore file back from the location outside of the CSA installation directory where you manually backed it up.
File Location in CSA 4.80.0002

Windows: %CSA_HOME%\jboss-as\standalone\configuration\

Linux: $CSA_HOME/jboss-as/standalone/configuration/
Backed Up CSA 4.6x or 4.7x File Location in CSA 4.80.0002

Windows: %CSA_HOME%\_CSA_4_80_0_installation\Backup\standalone\configuration\

Linux: $CSA_HOME/_CSA_4_80_0_installation/Backup/standalone/configuration/

Backup - Windows: C:\csabackup\ Linux: /tmp/csabackup/

Import Certificates into CSA's Truststore

Prior to running the upgrade installer, you should have exported the SSL certificate from the truststore of CSA version 4.6x or 4.7x. Import this certificate and other application's certificates into the truststore of CSA version 4.80.0002. Do the following:

  1. If you did not export the SSL certificate from the truststore of CSA version 4.6x or 4.7x, the truststore has been backed up to the directory:

    Windows: %CSA_HOME%\_CSA_4_80_0_installation\Backup\security\keystores\

    Linux: $CSA_HOME/_CSA_4_80_0_installation/Backup/security/keystores/

    Follow the instructions in the Initial Setup section of this document to export CSA's SSL certificate from the backed up truststore (you will need to modify the location of the truststore in the command).

  2. Import the CSA certificate into the new CSA truststore. Do the following:

    1. Run the following commands:

      Windows:

      <csa_jre>\bin\keytool ‑importcert ‑keystore <csa_jre>\lib\security\cacerts ‑alias <alias> ‑file <filename> ‑storepass changeit

      %CSA_HOME%\openjre\bin\keytool ‑importcert ‑keystore %CSA_HOME%\openjre\lib\security\cacerts ‑alias <alias> ‑file <filename> ‑storepass changeit

      Linux:

      $CSA_JRE_HOME/bin/keytool ‑importcert ‑keystore $CSA_JRE_HOME/lib/security/cacerts ‑alias <alias> ‑file <filename> ‑storepass changeit

      $CSA_HOME/openjre/bin/keytool ‑importcert ‑keystore $CSA_HOME/openjre/lib/security/cacerts ‑alias <alias> ‑file <filename> ‑storepass changeit

      where <CSA_JRE_HOME> is the directory in which the JRE that is used by CSA is installed., <alias> is the name used by the CSA server keystore to identify the SSL certificate, and <file_name> is the filename given to the certificate file to be imported.

      For example, run the following command where the alias used to identify the certificate is csa, and the file the certificate is named csa.cert and is saved in the current directory:

      Windows:

      <csa_jre>\bin\keytool ‑importcert ‑keystore <csa_jre>\lib\security\cacerts ‑alias csa ‑file .\csa.cert ‑storepass changeit

      %CSA_HOME%\openjre\bin\keytool ‑importcert ‑keystore <csa_jre>\openjre\lib\security\cacerts ‑alias csa ‑file .\csa.cert ‑storepass changeit

      Linux:

      $CSA_JRE_HOME/bin/keytool ‑importcert ‑keystore $CSA_HOME/lib/security/cacerts ‑alias csa ‑file ./csa.cert ‑storepass changeit

      $CSA_HOME/openjre/bin/keytool ‑importcert ‑keystore $CSA_HOME/openjre/lib/security/cacerts ‑alias csa ‑file ./csa.cert ‑storepass changeit

    2. At the prompt to import the certificate, type yes.

  3. Import the Operations Orchestration certificate into the new CSA truststore. Do the following:

    1. If the root certificate of Operations Orchestration's Certificate Authority is stored in a file on this system, import that file. Otherwise, export Operations Orchestration's certificate from Operations Orchestration's truststore:

      1. On the system running Operations Orchestration, open a command prompt and change the directory to %ICONCLUDE_HOME% (Windows) or $ICONCLUDE_HOME (Linux).

      2. Run the following command:

        Windows:

        .\jre1.6\bin\keytool exportcert alias pas file C:\oo.crt keystore .\Central\conf\rc_keystore storepass bran507025

        Linux:

        ./jre1.6/bin/keytool ‑exportcert ‑alias pas ‑file /tmp/oo.crt ‑keystore ./Central/conf/rc_keystore ‑storepass bran507025

        where C:\oo.crt and /tmp/oo.crt are examples of filenames and locations used to store the exported root certificate (you can choose a different filename and location).

      3. If Operations Orchestration is not running on the same system as CSA, copy oo.crt from the Operations Orchestration system to the system running CSA (in this example, the file is copied to Windows:C:\ Linux:/tmp).

    2. On the system running CSA, run the following commands:

      Windows:

      <csa_jre>\bin\keytool ‑importcert ‑alias pas ‑file C:\oo.crt ‑keystore <csa_jre>\lib\security\cacerts ‑storepass changeit

      %CSA_HOME%\openjre\bin\keytool ‑importcert ‑alias pas ‑file C:\oo.crt ‑keystore %CSA_HOME%\openjre\lib\security\cacerts ‑storepass changeit

      Linux:

      $CSA_JRE_HOME/bin/keytool ‑importcert ‑alias pas ‑file /tmp/oo.crt ‑keystore $CSA_JRE_HOME/lib/security/cacerts ‑storepass changeit

      $CSA_HOME/openjre/bin/keytool ‑importcert ‑alias pas ‑file /tmp/oo.crt ‑keystore $CSA_HOME/openjre/lib/security/cacerts ‑storepass changeit

      where

      <CSA_JRE_HOME> is the directory in which the JRE that is used by CSA is installed.
      3. When prompted to trust the certificate, type yes.The manual certificate import procedure is mandatory, especially when one or more Operations Orchestration instances are used by CSA for sequence designs. These particular Operations Orchestration instances are not specified during the CSA installation or upgrade process.
      The import of any certificate used by an Operations Orchestration instance which was specified during installation is performed automatically by installer.

  4. If other applications, such as the database, LDAP, SMTP, Operations Orchestration Load Balancer, or Continuous Delivery Automation require SSL, and/or you have installed an instance of the Marketplace Portal on a remote system, you must import these applications' certificates into the truststore of CSA version 4.80.0002.

Recustomize Manually Configured Files

If you customized CSA files that are not documented as being customizable or customized CSA files with undocumented customizations, you will need to manually recustomize those files.

Caution All files that you have customized with undocumented changes in the Windows: %CSA_HOME% or the Linux: $CSA_HOME installation directory MUST BE MANUALLY RESTORED. If you followed all the steps in the Initial Setup section of this guide, you should have backed up these files before upgrading CSA.

Remount Shared File Systems

If you unmounted one or more shared file systems within the CSA installation directory before running the upgrade installer, remount these file systems after the upgrade installer has completed.

Upgrade all Organization's 5recentWidget Mashup

For security purposes, you must manually update the 5recentWidget mashup and every copy of this mashup for every organization that existed prior to upgrade. Do the following:

  1. Log in to the Cloud Service Management Console as an administrator.
  2. Click Administration.

  3. Create a temporary organization:

    1. In the left navigation frame, click the Create Organization button.
    2. Enter an organization name.
    3. Click Create.

  4. Copy the content of the 5recentWidget mashup from the temporary organization:

    1. In the left navigation frame, select the temporary organization.
    2. In the organization's navigation frame, select Dashboard Widgets.

    3. Select the 5recentWidget mashup and click edit.

    4. Copy the text from the Content field.

  5. For every organization (except the temporary organization you just created), do the following:

    1. Select the organization.
    2. In the organization's navigation frame, select Dashboard Widgets.

    3. For the 5recentWidget mashup and every mashup that is a copy of the 5recentWidget mashup that has not been customized, do the following:

      1. Select the mashup and click edit.

      2. If you have not customized the 5recentWidget mashup, paste the content from the temporary organization's 5recentWidget mashup to this organization's 5recentWidget mashup. If you made a copy of the organization's 5recentWidget mashup but did not customize it, paste the contents from the temporary organization's 5recentWidget mashup to this mashup.

      3. If you have customized the 5recentWidget mashup or made a copy of the 5recentWidget mashup and customized it, do the following:

        1. Locate the render function.
        2. Locate every occurrence of data[i].name in the function and change every occurrence of data[i].name to htmlEncode(data[i].name) (except variable declarations). In the uncustomized 5recentWidget mashup, this content appears three times, but only two occurrences need to be updated (do not update the variable declaration).

        3. Add the following functions to the mashup (the content can be copied from the temporary organization's 5recentWidget mashup):

          function htmlEncode(value){
             //create a in-memory div, set its inner text (which jQuery automatically encodes)
             //then grab the encoded contents back out. The div never exists on the page.
             return $('<div/>').text(value).html();
          }
          function htmlDecode(value){
             return $('

          ').html(value).text();
          }

      4. Click Update.

  6. After you have updated all organizations, delete the temporary organization:

    1. In the left navigation frame, select the temporary organization.
    2. In the temporary organization's navigation frame, select General Information.
    3. Click Delete.
    4. In the Delete Organization? dialog, click Yes to delete the temporary organization.

Restart the CSA Services

To start CSA on Windows, complete the following steps:

  1. If you have configured CSA to be FIPS 140-2 compliant, create a CSA encryption keystore password file. The name and location of this file must match the value configured for the keystorePasswordFile property in the CSA_HOME\jboss-as\standalone\deployments\csa.war\WEB-INF\classes\csa.properties file.

    The password file must contain only the following content: keystorePassword=<CSA encryption keystore password>

    where <CSA encryption keystore password> is the CSA encryption keystore password in clear text.

    This file is automatically deleted when the HPE Cloud Service Automation service is started.

  2. On the server that hosts CSA, navigate to Start > Administrative Tools > Services.

  3. If global search is enabled, do the following:

    1. Right-click on the Elasticsearch 1.6.1 service and select Restart.

    2. Wait for the Elasticsearch 1.6.1 service to restart, then right-click on HPE Search Service and select Restart.

      Note: if global search is disabled, skip this step.

  4. Right-click on the CSA service and select Start.

  5. Right-click on the HPE Marketplace Portal service and select Start.

  6. If you installed an embedded Operations Orchestration instance, right-click on the HPE Operations Orchestration Central service and select Start.

     

To start CSA on Linux, complete the following steps:

  1. On the server that hosts CSA, type the following:

    service csa start
    service mpp start

    Refer to the csa.provider.es.exists property in Appendix: Cloud Service Management Console Properties and type the following:

    service elasticsearch start

    By default, elasticsearch is enabled.

  2. If you installed an embedded Operations Orchestration instance, type:

    <embeddedHPEOOinstallation>/central/bin/central start

    For example, type /usr/local/hpe/csa/OO/central/bin/central start

Send Help Center feedback