Search for	Example	Results
A single word	`cat`	Topics that contain the word "cat". You will also find its grammatical variations, such as "cats".
A phrase. You can specify that the search results contain a specific phrase.	`"cat food"` (quotation marks)	Topics that contain the literal phrase "cat food" and all its grammatical variations. Without the quotation marks, the query is equivalent to specifying an OR operator, which finds topics with one of the individual words instead of the phrase.

Search for	Operator	Example
Two or more words in the same topic	`AND` `and` `+` (plus symbol) `&` (ampersand)	`cat AND dog` `"cat food"+milk` `"cat food"&"dog food"`
Either word in a topic	`OR` `or` `\|` (pipe)	`cat OR dog` `cat \| dog`
Topics that do not contain a specific word or phrase	`NOT` `not` `!` (exclamation point)	`NOT cat` `! dog`
Topics that contain one string and do not contain another	`^` (caret)	`cat ^ mouse`
A combination of search types	`( )` parentheses	`cat + (dog \| mouse)` `cat \| dog + (! mouse)`

Cloud Service Automation4.80

Administer > Configuration > Cloud Service Management Console Properties

Appendix: Cloud Service Management Console Properties

This section lists and describes the properties that can be configured for the Cloud Service Management Console, which are located in one of the following files:

CSA_HOME/jboss‑as/standalone/deployments/csa.war/WEB-INF/classes/csa.properties
CSA_HOME/jboss‑as/standalone/deployments/csa.war/WEB-INF/web.xml
CSA_HOME/jboss-as/standalone/deployments/csa.war/offerings/config.json

where

CSA_HOME is the directory in which CSA is installed

The following areas contain properties that can be configured (for many properties, default values are provided):

Authentication
Action Selection Wizard
Security banner
Email notifications
Marketplace Portal URL
Dashboard
Security
CSA keystore
Service request processor scheduler
Auditing
Process execution manager
Lifecycle engine
Approval engine scheduler
LDAP cache scheduler
Clustering
Dynamic property
Group Approval
Marketplace Portal
FIPS 140-2 on Windows
Common Access Card
Single Sign-On
Process executor delegate
Miscellaneous
Operations Orchestration
CSA 3.x API authentication
Topology designer
Elasticsearch
Microservices
Secure connections
LDAP access point
Service design, service offering, and catalog content archive verification
HPE ITOC Integration
Session timeout
REST

For information about Codar properties, see the Codar documentation.

After modifying the csa.properties file, restart CSA. See Restart CSA for instructions.

Authentication

These properties are used for authentication.

These properties are configured in csa.properties.

Property	Description
csa.provider.hostname	Required. The fully-qualified domain name of the system on which CSA is running. If you change this hostname, you must update the value of the `idm.csa.hostname` property in the `CSA_HOME/jboss-as/standalone/deployments/idm-service.war/WEB-INF/spring/applicationContext.properties` file.
csa.provider.port	Required. The port used to connect to the system on which CSA is running. If you change this port, you must update the value of the `idm.csa.port` property in the `CSA_HOME/jboss-as/standalone/deployments/idm-service.war/WEB-INF/spring/applicationContext.properties` file.
csa.provider.rest.protocol	Required. The protocol used by the REST API to connect to the system on which CSA is running. This attribute must be set to https. If you change this protocol, you must update the value of the `idm.csa.protocol` property in the `CSA_HOME/jboss-as/standalone/deployments/idm-service.war/WEB-INF/spring/applicationContext.properties` file.
csa.orgName.identifier	Required. The provider organization identifier assigned to the organization who is providing this instance of the Cloud Service Management Console. This attribute must be set to CSA-Provider.

Action Selection Wizard

These properties are used for the Action Selection Wizard.

These properties are configured in csa.properties.

Property	Description
csa.cache.default.timeout.seconds	The `csa.properties` key that controls the cache timeout. Default: 300 seconds
csa.oo.content.root.lifecycle.action	Comma-separated root folder names from Operations Orchestration for the Action Selection Wizard when used in the Lifecycle Action and User Operations areas. Default: `=/Library/CSA Content Pack/CSA3.2/Providers,/Library/CSA Content Pack/CSA3.2/CSA Import and Migration Pack`
csa.oo.content.root.external.approval	Comma-separated root folder names from Operations Orchestration for the Action Selection Wizard when used in the Approvals area. Default: `=/Library/CSA Content Pack/CSA3.2/External Approval System/Service Manager/Actions`
csa.oo.content.root.resource.pool.sync	Comma-separated root folder names from Operations Orchestration for the Action Selection Wizard when used in the Resource Pool area. Default: `=/Library/CSA Content Pack/CSA3.2/Providers/Infrastructure/vCenter/Resource Pool Sync/Actions`

Security banner attributes

The attributes in the following table are used by the Cloud Service Management Console to enable or disable the display of a disclaimer upon logging in to the Cloud Service Management Console and a color-coded banner that appears at the top and bottom of the Cloud Service Management Console.

These properties are configured in csa.properties.

Attribute Description

csa.provider.agency

By default, this attribute is commented out. When this attribute is commented out or does not contain a valid value, the login disclaimer and color-coded banners are not displayed for the Cloud Service Management Console.

If you want to enable the login disclaimer and color-coded banners, uncomment this attribute and set the value to GOVERNMENT. If set to any other value, the login disclaimer and color-coded banners are not displayed.

To edit the disclaimer page, edit the CSA_HOME/jboss‑as/standalone/deployments/csa.war/static/template/disclaimerNote.jsp file.

To edit the disclaimer content, edit the CSA_HOME/jboss‑as/standalone/deployments/csa.war/WEB-INF/classes/msgs/messages_en.properties file. To locate the disclaimer content in this file, search for message property entries beginning with csa.security.warning.

csa.provider.contentType

By default, this attribute is commented out. This attribute defines the color and content that displays in the security banner. The security banners appear at the top and bottom of the Cloud Service Management Console.

The following values are shipped with CSA:

UNCLASSIFIED. The banner is light green and contains no content. An example is shown below.
UNCLASSIFIED_FOUO. For official use only. The banner is light green and displays the text "FOUO." An example is shown below.
FOUO
UNCLASSIFIED_NOFORN. Not releasable to foreign nationals. The banner is light green and displays the text "NOFORN." An example is shown below.
NOFORN
CONFIDENTIAL. The banner is light blue and displays the text "CONFIDENTIAL." An example is shown below.
CONFIDENTIAL
CONFIDENTIAL_FOUO. The banner is light blue and displays the text "CONFIDENTIAL-FOUO." An example is shown below.
CONFIDENTIAL-FOUO
CONFIDENTIAL_NOFORN. The banner is light blue and displays the text "CONFIDENTIAL-NOFORN." An example is shown below.
CONFIDENTIAL-NOFORN
SECRET. The banner is red and displays the text "SECRET." An example is shown below.
SECRET
TOPSECRET. The banner is orange and displays the text "TOPSECRET." An example is shown below.
TOPSECRET

To edit the banner content, edit the CSA_HOME/jboss‑as/standalone/deployments/csa.war/WEB-INF/classes/msgs/messages_en.properties file. To locate the banner content in this file, search for message property entries beginning with csa.security.label.

Email notifications

These properties are used to define email notifications.

This property is configured in csa.properties.

Property Description

csa.notification.type

Property	Description
csa.notification.type	Defines the type of email notification: html/text. `html` enables custom HTML notifications. `text` enables the legacy text-based notification. Default: `html`
csa.notification.cacheTemplates	The notification templates will be cached so that I/O performance is improved while sending notifications. If any notification template used by CSA is changed, then the changes will not be seen in later notifications unless the CSA service is restarted. The value of `csa.notification.cacheTemplates` may be set to false during development of custom notifications so that a service restart is not required every time a notification template is changed. Default: true

Defines the type of email notification: html/text.

html enables custom HTML notifications.
text enables the legacy text-based notification.

Default: html

csa.notification.cacheTemplates

The notification templates will be cached so that I/O performance is improved while sending notifications. If any notification template used by CSA is changed, then the changes will not be seen in later notifications unless the CSA service is restarted.

The value of csa.notification.cacheTemplates may be set to false during development of custom notifications so that a service restart is not required every time a notification template is changed.

Default: true

Marketplace Portal URL

This property is used to define the URL of the Marketplace Portal for an organization and is displayed in the Cloud Service Management Console.

This property is configured in csa.properties.

Property Description

csa.subscriber.portal.url

Property	Description
csa.subscriber.portal.url	The URL used to access the Marketplace Portal of an organization and is displayed in the Organization URL field in the General Information section of an organization's page in the Cloud Service Management Console. You can use specific values or one or more of the following variables: {protocol} - The protocol used to connect to the Marketplace Portal. This is either http or https. The variable value is the same protocol used to access the Cloud Service Management Console. {host} - The fully-qualified domain name or IP address of the system on which the Marketplace Portal is installed. The variable value is the same host on which the Cloud Service Management Console is installed. {orgName} - The organization's name. The variable value is the Organization Identifier displayed in the General Information section of an organization's page. The Organization Identifier is based on the value entered in the Organization Display Name field. The port configured for the Marketplace Portal in this property should match the `port` attribute value configured in the `CSA_HOME/portal/conf/mpp.json` file. If a variable's value is incorrect, you can enter a specific value in place of the variable. For example, `https://{host}:8089/org/{orgName}` or `{protocol}://csa_system.xyz.com:8089/#/login/marketing` Default: `{protocol}://{host}:8089/org/{orgName}`

The URL used to access the Marketplace Portal of an organization and is displayed in the Organization URL field in the General Information section of an organization's page in the Cloud Service Management Console.

You can use specific values or one or more of the following variables:

{protocol} - The protocol used to connect to the Marketplace Portal. This is either http or https. The variable value is the same protocol used to access the Cloud Service Management Console.
{host} - The fully-qualified domain name or IP address of the system on which the Marketplace Portal is installed. The variable value is the same host on which the Cloud Service Management Console is installed.
{orgName} - The organization's name. The variable value is the Organization Identifier displayed in the General Information section of an organization's page. The Organization Identifier is based on the value entered in the Organization Display Name field.

The port configured for the Marketplace Portal in this property should match the port attribute value configured in the CSA_HOME/portal/conf/mpp.json file.

If a variable's value is incorrect, you can enter a specific value in place of the variable. For example,
https://{host}:8089/org/{orgName} or
{protocol}://csa_system.xyz.com:8089/#/login/marketing

Default: {protocol}://{host}:8089/org/{orgName}

Dashboard

This property is used to control whether the Dashboard Mashup Widgets can be edited.

This property is configured in csa.properties.

Property Description

csa.ui.organizations.dashboardwidgets.enableEditingMashup

Property	Description
csa.ui.organizations.dashboardwidgets.enableEditingMashup	This property is disabled by default in a fresh install, which prevents the administrator from modifying organization widgets. This property controls whether the administrator only sees the widgets, or has the ability to edit the widgets. `false` disables editing the Mashup Widgets, they can only be seen. If the administrator tries to edit the Mashup Widget, a pop-up message appears stating that support for adding and editing Mashup Widgets is currently disabled. `true` enables editing the Mashup Widgets. Default: `false`

This property is disabled by default in a fresh install, which prevents the administrator from modifying organization widgets. This property controls whether the administrator only sees the widgets, or has the ability to edit the widgets.

false disables editing the Mashup Widgets, they can only be seen. If the administrator tries to edit the Mashup Widget, a pop-up message appears stating that support for adding and editing Mashup Widgets is currently disabled.
true enables editing the Mashup Widgets.

Default: false

Security

These properties are used to configure security settings for the Cloud Service Management Console.

Most of these properties are configured in csa.properties, and also in offerings/config.json for enableSecurityWarning.

Property	Description
securityAdminPassword	Required. The encrypted password used by the CSA built-in `admin` user (defined in the `CSA_HOME/jboss‑as/standalone/deployments/idm-service.war/WEB-INF/classes/provider-users.properties` file). The admin user account is used for initial login to the Cloud Service Management Console and can also be used to authenticate REST API calls. The password should be encrypted (see Encrypt a password for instructions). An encrypted password is preceded by `ENC` without any separating spaces and is enclosed in parentheses. If you change this password, you must also update the password of any REST API calls that use this password. For more information about the REST APIs, refer to the Cloud Service Automation API Quick Start Guide and Cloud Service Automation API Guide.
securityCsaReporting UserPassword	Required. The encrypted password used by the CSA built-in `csaReportingUser` user (defined in the `CSA_HOME/jboss‑as/standalone/deployments/idm-service.war/WEB-INF/classes/provider-users.properties` file). The csaReportingUser user account is used when a subscription is ordered or modified and a field for the subscription includes a dynamically generated list. The dynamically generated list is a subscriber option property configured to use a dynamic query. The dynamic query uses this account to access CSA to determine the values that will appear in the list. This account has read-only access to Cloud Service Automation. The password should be encrypted (see Encrypt a password for instructions). An encrypted password is preceded by `ENC` without any separating spaces and is enclosed in parentheses. If you change this password, you must also update the password of any REST API calls that use this password. For more information about the REST APIs, see the Cloud Service Automation API Guide.
securityTransport UserName	Required. The CSA built-in user used to authenticate REST API calls between the Marketplace Portal and Cloud Service Management Console (it should not be used to log in to the Cloud Service Management Console). If you change this username, you must update the value of the `idm.csa.username` property in the `CSA_HOME/jboss-as/standalone/deployments/idm-service.war/WEB-INF/spring/applicationContext.properties` file. For more information about the integration user account, see Change CSA Built-In User Accounts. For more information about the REST APIs, see the Cloud Service Automation API Guide.
securityTransportPassword	Required. The encrypted password used by the CSA built-in `csaTransportUser` user (defined in the `CSA_HOME\jboss‑as\standalone\deployments\csa.war\WEB-INF\applicationContext-security.xml` file). The csaTransportUser user account is used to authenticate REST API calls between the Marketplace Portal and Cloud Service Management Console (it should not be used to log in to the Cloud Service Management Console). The password should be encrypted (see Encrypt a password for instructions). An encrypted password is preceded by `ENC` without any separating spaces and is enclosed in parentheses. If you change this password, you must update the value of the `idm.csa.password` property in the `CSA_HOME/jboss-as/standalone/deployments/idm-service.war/WEB-INF/spring/applicationContext.properties` file. For more information about the integration user account, see Change CSA Built-In User Accounts. For more information about the REST APIs, see the Cloud Service Automation API Guide.
securityOoInbound UserPassword	Required. The encrypted password used by the CSA built-in `ooInboundUser` user (defined in the `CSA_HOME/jboss‑as/standalone/deployments/idm-service.war/WEB-INF/classesprovider-users.properties` file). The ooInboundUser user account is used by Operations Orchestration to authenticate REST API calls with CSA (it should not be used to log in to the Cloud Service Management Console). The password should be encrypted (see Encrypt a password for instructions). An encrypted password is preceded by `ENC` without any separating spaces and is enclosed in parentheses. If you change this password, you must also update and use the same password for the `CSA_REST_CREDENTIALS` system account in Operations Orchestration (located in the Configuration folder of the Public Repository).
securityCdaInbound UserPassword	Required. The encrypted password used by the CSA built-in `cdaInboundUser` user (defined in the `CSA_HOME/jboss‑as/standalone/deployments/idm-service.war/WEB-INF/classes/provider-users.properties` file). The `cdaInboundUser` user account is used by Continuous Delivery Automation to authenticate REST API calls with CSA (it should not be used to log in to the Cloud Service Management Console). The password should be encrypted (see Encrypt a password for instructions). An encrypted password is preceded by `ENC` without any separating spaces and is enclosed in parentheses. If you change this password, you must also update and use the same password in Continuous Delivery Automation. For more information about this user account, see Change CSA Built-In User Accounts.
securityIdmTransport UserPassword	Required. The encrypted password used by the CSA built-in `idmTransportUser` user (defined in the `CSA_HOME/jboss‑as/standalone/deployments/csa.war/WEB-INF/applicationContext-security.xml` file). The `idmTransportUser` user account is used to authenticate REST API calls (it should not be used to log in to the Cloud Service Management Console). The password should be encrypted (see Encrypt a password for instructions). An encrypted password is preceded by `ENC` without any separating spaces and is enclosed in parentheses. If you change this password, you must also update the following passwords (you must use the same password): the `idmTransportUser` property in the `CSA_HOME/jboss-as/standalone/deployments/idm-service.war/WEB-INF/classes/integrationusers.properties` file. the `password` attribute in the `idmProvider` section of the `CSA_HOME/portal/conf/mpp.json` file (this password uses a different password encryption utility; see Encrypt a Marketplace Portal Password for more information about encrypting the `password` attribute). the password of any REST API calls that use this password. For more information about this user account, see Change CSA Built-In User Accounts.
securityCatalog AggregationTransport UserPassword	Required. The encrypted password used by the CSA built-in `csaCatalogAggregationTransportUser` user (defined in the `CSA_HOME/jboss‑as/standalone/deployments/csa.war/WEB-INF/applicationContext-security.xml` file). The csaCatalogAggregationTransportUser user account is used to authenticate catalog aggregation REST API calls with CSA (it should not be used to log in to the Cloud Service Management Console). The password should be encrypted (see Encrypt a password for instructions). An encrypted password is preceded by `ENC` without any separating spaces and is enclosed in parentheses. If you change this password, you must also update the password using the catalog aggregation registration REST APIs. For more information about this user account, see Change CSA Built-In User Accounts.
securityEncrypted SigningKey	CSA's encrypted signing key used to encrypt and decrypt authentication data passed between CSA and the Identity Management component. If you change this key, you must also update the `idm.encryptedSigningKey` property in the `CSA_HOME/jboss-as/standalone/deployments/idm-service.war/WEB-INF/spring/applicationContext.properties` file. The key should be encrypted (see Encrypt a password for instructions about how to encrypt this key). The encrypted key is preceded by `ENC` without any separating spaces and is enclosed in parentheses.
com.hp.csa.service.ssl. certificate.validation	Required. Determines if certificate validation, hostname verification, and certificate authentication are performed by CSA when making a secure connection (only using HTTPS) with an application or a component of CSA. Examples of an application include Operations Orchestration or a resource provider. Examples of a component of CSA include the Marketplace Portal and the Identity Management component. Other non-HTTP connections that have been configured to be secure are not affected by this property. For example, secure connections to the database, LDAP server, or SMTP server are not affected. Note If CSA is running in a FIPS-compliant environment, this property is not used. In a FIPS-compliant environment, certificate validation, hostname verification, and certificate authentication will always be performed when making a secure connection with CSA. By default, this property is set to false. That is, when CSA establishes a secure connection with another application or component, the connection will only be encrypted. No validation, verification, or authentication is performed. This mode should only be used during post-installation configuration or when troubleshooting problems with certificates. This mode should NOT be used in a production environment. When set to true, when CSA establishes a secure connection with another application or component, the following occurs: The connection will be encrypted Certificate validation - Checks that the certificate used by the application/component has not expired Hostname verification - Checks that the certificate hostname matches the URL hostname of the application/component to which CSA is connecting Certificate authentication - Checks that the certificate or the root certificate used to sign the certificate has been imported into CSA's JRE truststore (for example, `CSA_JRE_HOME/lib/security/cacerts`) Default: false
com.hp.ccue.consumption disallowedExtensions	A comma-delimited list of the file extensions that designate the types of documents or files that cannot be uploaded to the Cloud Service Management Console. Default: exe,bat,com,cmd
csa.additionalSupported ExtensionsForImport	A comma-delimited list of the file extensions that designate the types of documents or files that can be uploaded to the Cloud Service Management Console. The file extensions listed can be the sole extension of the file or the start of the file extension followed by one or more characters. For example, listing `txt` as a file extension will match both `mydocument.txt` and `mydocument.txt_3491767613`. Files can be uploaded using the Cloud Service Management Console, the content archive tool, or the import API. Refer to the Cloud Service Management Console Help, Cloud Service Automation API Guide, or Cloud Service Automation Content Archive Tool for more information about using these features. The following extensions are automatically supported (and do not need to be defined by this property): jpg, jpeg, jpe, jfif, svg, tif, tiff, ras, cmx, ico, pnm, pbm, pgm, ppm, rgb, xbm, xpm, xwd, png, gif, bmp, cod, ief, json, xml, jsp, jspf. Default: (no default defined) Example: txt,log
csa.maxFileUploadSize	The maximum size of a file, in megabytes (MB), that can be uploaded to the CSA system using the Cloud Service Management Console. If this property is not listed or is not set in the `csa.properties` file, the default maximum size of 50 MB is used. Default: 50 (MB)
csa.war.images.directory.byteLimit	A total size limit for all images or icons that are uploaded into `CSA_HOME/jboss-as/standalone/deployments/csa.war/images`. The limit is used to prevent exhausting of server disk space through image upload in UI. Unit: bytes. Default: 500000000 bytes (500 MB)
csa.war.images.directory.smallFileByteOverhead	Used when computing space occupied by existing `image/icon` files (see above `csa.war.images.directory.byteLimit`). For each file in the images directory, a value of this property is added to its size to account for the overhead of small files on the file system. Unit: bytes. Default: 4096 bytes
enableSecurityWarning	Enables/disables the security warning messages for files that are uploaded or downloaded in the Cloud Service Management Console. Value is true or false. enableSecurityWarning is in the `CSA_HOME/jboss-as/standalone/deployments/csa.war/offerings/config.json` file. Default: true

CSA keystore

These properties are used to configure information about Cloud Service Automation's keystore.

These properties are configured in csa.properties.

Property Description

csaTruststore

Property	Description
csaTruststore	Required. The CSA keystore that stores trusted Certificate Authority certificates. Default: No default specified Example Windows: `C:\Program Files\HPE\CSA\openjre\lib\security\cacerts` Linux: `/usr/local/hpe/csa/openjre/lib/security/cacerts` Note On Windows, use only forward slashes (/) as your path separators.
csaTruststorePassword	Required. The encrypted password of the CSA keystore (see Encrypt a password for instructions on encrypting passwords). An encrypted password is preceded by `ENC` without any separating spaces and is enclosed in parentheses. Default: ENC(<encrypted_value>) where the default value of <encrypted_value> is the encrypted value of "changeit".

Required. The CSA keystore that stores trusted Certificate Authority certificates.

Default: No default specified

Example

Windows: C:\Program Files\HPE\CSA\openjre\lib\security\cacerts

Linux: /usr/local/hpe/csa/openjre/lib/security/cacerts

Note On Windows, use only forward slashes (/) as your path separators.

csaTruststorePassword

Required. The encrypted password of the CSA keystore (see Encrypt a password for instructions on encrypting passwords). An encrypted password is preceded by ENC without any separating spaces and is enclosed in parentheses.

Default: ENC(<encrypted_value>)
where the default value of <encrypted_value> is the encrypted value of "changeit".

Service request processor scheduler

These properties are used to configure the service request processor scheduler. The service request processor scheduler validates a consumer's requests, initiates the approval process, if configured, and maintains a request's status.

These properties are configured in csa.properties.

Property	Description
serviceRequestProcessorScheduler.maxInstancesToProcess	Optional. The maximum number of service requests the service request processor can process when it checks the start and end dates of submitted subscriptions. Default: 100
serviceRequestProcessorScheduler.period	Optional. How often, in milliseconds, the service request processor checks the start and end dates of submitted subscriptions. Default: 5000 (5 seconds)

Property

Description

serviceRequestProcessorScheduler.maxInstancesToProcess

Optional. The maximum number of service requests the service request processor can process when it checks the start and end dates of submitted subscriptions.

Default: 100

serviceRequestProcessorScheduler.period

Optional. How often, in milliseconds, the service request processor checks the start and end dates of submitted subscriptions.

Default: 5000 (5 seconds)

Auditing

These properties are used to configure auditing.

These properties are configured in csa.properties.

Property Description

csaAuditEnabled

Property	Description
csaAuditEnabled	Optional. Enable or disable auditing, which tracks user activities and system-generated events. Messages are logged to the `CSA_AUDIT_EVENT` table in the database. Default: true (enabled)
jboss.shutdown. log.location	Required. This property is set during installation and must not be changed. The location of the JBoss log file that records when the CSA service was stopped. Used for auditing purposes. Default: `CSA_HOME/jboss‑as/bin/shutdown.log` Note On Windows, use only forward slashes (/) as your path separators.
csa.origin.ip.header	Optional. Defines a custom HTTP header used to capture the originating IP address of a REST API call. If this property is disabled (commented out) or not set to a value, the standard HTTP header X-Forwarded-For is used to capture the originating IP address. If the originating IP address is not captured by either this custom or the standard header, CSA fetches the originating IP address from the incoming request. The originating IP address is used for auditing. CSA sets the following precedence when capturing the originating IP address of a REST API call: Uses the custom HTTP header (if defined) Uses the X-Forwarded-For header Fetches from the incoming request If this property is set to a custom HTTP header, CSA checks if this custom HTTP header is defined (set to the originating IP address) in the REST API call. If this property is not set or if the custom header is not defined, CSA checks if the X-Forwarded-For header is defined in the REST API call. If the X-Forwarded-For header is not defined, CSA fetches the originating IP address from the incoming request. CSA does not validate the captured value (if the value is an IP address and if it is a valid IP address). The following is a list of CSA REST API types and which ones do and do not capture the originating IP address: Legacy CSA 3.x APIs: originating IP address IS CAPTURED Consumer (Consumption) APIs that include onBehalf parameter in the Response Content Type (i.e. Consumer APIs that use the POST, PUT, or DELETE methods): originating IP address IS CAPTURED Consumer (Consumption) APIs that do not include onBehalf parameter in the Response Content Type (i.e. Consumer APIs that use the GET method): originating IP address IS NOT CAPTURED Management (Consumption) APIs: originating IP address IS NOT CAPTURED The originating IP address is stored in the ORIGIN_IP field of the RPT_AUDIT_EVENT_V view and the ORIGIN_IP column of the CSA_AUDIT_EVENT table. If the originating IP address is not captured, the field or column is empty. Default: (disabled)

Optional. Enable or disable auditing, which tracks user activities and system-generated events. Messages are logged to the CSA_AUDIT_EVENT table in the database.

Default: true (enabled)

jboss.shutdown.
log.location

Required. This property is set during installation and must not be changed. The location of the JBoss log file that records when the CSA service was stopped. Used for auditing purposes.

Default: CSA_HOME/jboss‑as/bin/shutdown.log

Note On Windows, use only forward slashes (/) as your path separators.

csa.origin.ip.header

Optional. Defines a custom HTTP header used to capture the originating IP address of a REST API call. If this property is disabled (commented out) or not set to a value, the standard HTTP header X-Forwarded-For is used to capture the originating IP address. If the originating IP address is not captured by either this custom or the standard header, CSA fetches the originating IP address from the incoming request. The originating IP address is used for auditing.

CSA sets the following precedence when capturing the originating IP address of a REST API call:

Uses the custom HTTP header (if defined)
Uses the X-Forwarded-For header
Fetches from the incoming request

If this property is set to a custom HTTP header, CSA checks if this custom HTTP header is defined (set to the originating IP address) in the REST API call. If this property is not set or if the custom header is not defined, CSA checks if the X-Forwarded-For header is defined in the REST API call. If the X-Forwarded-For header is not defined, CSA fetches the originating IP address from the incoming request. CSA does not validate the captured value (if the value is an IP address and if it is a valid IP address).

The following is a list of CSA REST API types and which ones do and do not capture the originating IP address:

Legacy CSA 3.x APIs: originating IP address IS CAPTURED
Consumer (Consumption) APIs that include onBehalf parameter in the Response Content Type (i.e. Consumer APIs that use the POST, PUT, or DELETE methods): originating IP address IS CAPTURED
Consumer (Consumption) APIs that do not include onBehalf parameter in the Response Content Type (i.e. Consumer APIs that use the GET method): originating IP address IS NOT CAPTURED
Management (Consumption) APIs: originating IP address IS NOT CAPTURED

The originating IP address is stored in the ORIGIN_IP field of the RPT_AUDIT_EVENT_V view and the ORIGIN_IP column of the CSA_AUDIT_EVENT table. If the originating IP address is not captured, the field or column is empty.

Default: (disabled)

Process execution manager

These properties are used to configure the process execution manager. The process execution manager starts internal actions and Operations Orchestration flow actions, checks the status of process instances, and performs callback once the actions are completed.

These properties are configured in csa.properties.

Property	Description
com.hp.csa.ProcessExecutor.THREAD_WAKEUP_TIME	Optional. How often, in milliseconds, the process execution manager starts new process instances (which start Operations Orchestration flows) and checks the status of process instances. Default: 5000 (5 seconds)
com.hp.csa.ProcessExecutor.THREAD_POOL_CORE_SIZE	Optional. The maximum number of threads used to run process instances. Default: 2
com.hp.csa.PEM.PARAM_PROCESS_INSTANCE_ID	Optional. The token that stores the process instance ID and is used when CSA starts an Operations Orchestration flow. Default: `CSA_PROCESS_ID`
com.hp.csa.PEM.PARAM_CONTEXT_ID	Optional. The token that stores the artifact ID of the artifact that owns the action that executes the Operations Orchestration flow. Default: `CSA_CONTEXT_ID`

Lifecycle engine

These properties are used to configure the lifecycle engine. The lifecycle engine processes service instances and executes lifecycle actions.

These properties are configured in csa.properties.

Property	Description
com.hp.csa.LifecycleExecutor.THREAD_WAKEUP_TIME	Optional. How often, in milliseconds, the lifecycle engine checks for service components that it needs to transition. Default: 5000 (5 seconds)
com.hp.csa.LifecycleExecutor.THREAD_POOL_SIZE	Optional. The maximum number of threads used to transition service components. Default: 2

Property

Description

com.hp.csa.LifecycleExecutor.THREAD_WAKEUP_TIME

Optional. How often, in milliseconds, the lifecycle engine checks for service components that it needs to transition.

Default: 5000 (5 seconds)

com.hp.csa.LifecycleExecutor.THREAD_POOL_SIZE

Optional. The maximum number of threads used to transition service components.

Default: 2

Approval engine scheduler

These properties are used to configure the approval engine scheduler. The approval engine scheduler checks each approver's response to a pending approval process to see if the process can be marked as completed and updates the decision and status of an approval process, as needed.

This property is configured in csa.properties.

Property	Description
com.hp.csa.ApprovalDecisionMaker.THREAD_POOL_SIZE	Optional. The maximum number of threads used to process approvals. Default: 4
com.hp.csa.ApprovalDecisionMaker.THREAD_WAKEUP_TIME	Optional. How often, in milliseconds, the approval engine scheduler checks for completion of an approval process to determine if an approval process should be approved or denied. Default: 5000 (5 seconds)

Property

Description

com.hp.csa.ApprovalDecisionMaker.THREAD_POOL_SIZE

Optional. The maximum number of threads used to process approvals.

Default: 4

com.hp.csa.ApprovalDecisionMaker.THREAD_WAKEUP_TIME

Optional. How often, in milliseconds, the approval engine scheduler checks for completion of an approval process to determine if an approval process should be approved or denied.

Default: 5000 (5 seconds)

LDAP cache scheduler

These properties are used to configure the LDAP cache scheduler. The LDAP cache scheduler checks the age of the user group cache and deletes it if it has expired.

For users who can log in to the Cloud Service Management Console or Marketplace Portal, certain actions require authorization (verification if the user belongs to a group). When authorization is requested for a user, CSA checks for group membership by using the cache. If the cache does not exist, LDAP is queried for the user's user groups which are temporarily cached to the database. After a configured expiration time, the cache is deleted. During a single session, the cache may be deleted and refreshed as needed.

These properties are configured in csa.properties.

Property Description

com.hp.csa.UserGroupExecutor.THREAD_WAKEUP_TIME

Property	Description
com.hp.csa.UserGroupExecutor.THREAD_WAKEUP_TIME	Optional. How often, in minutes, the LDAP cache scheduler checks for user group caches that have expired. This number should be less than the value configured for `com.hp.csa.UserGroupExecutor. CACHE_EXPIRATION_TIME`. Default: 20
com.hp.csa.UserGroupExecutor.CACHE_EXPIRATION_TIME	Optional. How long, in minutes, LDAP user groups for a user are temporarily cached in the database before they are deleted. This time should be greater than the value configured for `com.hp.csa.UserGroupExecutor. THREAD_WAKEUP_TIME`. Default: 30
com.hp.csa.UserGroupExecutor. UserGroupDeletionBatchSize	Optional. The maximum number of user IDs that are deleted in a single batch from the cache. This number cannot be larger than 1,000. Default: 250

Optional. How often, in minutes, the LDAP cache scheduler checks for user group caches that have expired. This number should be less than the value configured for com.hp.csa.UserGroupExecutor. CACHE_EXPIRATION_TIME.

Default: 20

com.hp.csa.UserGroupExecutor.CACHE_EXPIRATION_TIME

Optional. How long, in minutes, LDAP user groups for a user are temporarily cached in the database before they are deleted. This time should be greater than the value configured for com.hp.csa.UserGroupExecutor. THREAD_WAKEUP_TIME.

Default: 30

com.hp.csa.UserGroupExecutor.
UserGroupDeletionBatchSize

Optional. The maximum number of user IDs that are deleted in a single batch from the cache. This number cannot be larger than 1,000.

Default: 250

Clustering

This property is used to configure clustering.

This property is configured in csa.properties.

Property Description

deploymentMode

Property	Description
deploymentMode	Required. The mode in which CSA is running (single or clustered). When set to `single`, CSA runs in standalone mode (on a single instance) and all CSA services are run on this instance. When set to `clustered`, CSA runs in a clustered environment and all CSA services run on only one node (which is selected by the cluster as the singleton-service provider). Default: single
com.hp.csa.LockMonitorService.LOCK_TIMEOUT	Default timeout in milliseconds for the background thread that checks if processes have stale locks. Individual entities may have their own timeout.
com.hp.csa.LockMonitorService.NODE_TIMEOUT	Default timeout in milliseconds for entities that have been locked by a cluster node that is no longer responsive (such as. the locking node has shut down or cannot connect to the cluster).

Required. The mode in which CSA is running (single or clustered). When set to single, CSA runs in standalone mode (on a single instance) and all CSA services are run on this instance. When set to clustered, CSA runs in a clustered environment and all CSA services run on only one node (which is selected by the cluster as the singleton-service provider).

Default: single

com.hp.csa.LockMonitorService.LOCK_TIMEOUT

Default timeout in milliseconds for the background thread that checks if processes have stale locks. Individual entities may have their own timeout.

com.hp.csa.LockMonitorService.NODE_TIMEOUT

Default timeout in milliseconds for entities that have been locked by a cluster node that is no longer responsive (such as. the locking node has shut down or cannot connect to the cluster).

Dynamic property

These configuration properties are used to limit the amount of time to retrieve data and the amount of data retrieved when using a dynamic property. A dynamic property is a Dynamic Query value entry method for a subscriber option property that defines what information is retrieved. A dynamic property allows the Service Designer to list a dynamic set of values that change based on the user context (for example, the organization to which the user belongs).

These properties are configured in csa.properties.

Property	Description
DynamicPropertyFetch.READ_TIMEOUT	Optional. How long, in milliseconds, CSA attempts to fetch or retrieve data for dynamic properties. Default: 30000 (30 seconds)
DynamicPropertyFetch.RESPONSE_SIZE	Optional. The maximum amount of data, in bytes, that can be retrieved for dynamic properties. Default: 50000

Property

Description

DynamicPropertyFetch.READ_TIMEOUT

Optional. How long, in milliseconds, CSA attempts to fetch or retrieve data for dynamic properties.

Default: 30000 (30 seconds)

DynamicPropertyFetch.RESPONSE_SIZE

Optional. The maximum amount of data, in bytes, that can be retrieved for dynamic properties.

Default: 50000

Group approval

This configuration property is used when configuring a group approval template.

This property is configured in csa.properties.

Property	Description
csa.group.numberOfApprovers	Optional. The maximum number of members in an LDAP group used for approvals. For reasonable performance, do not specify more than ten (10) members. Default: 10

Property

Description

csa.group.numberOfApprovers

Optional. The maximum number of members in an LDAP group used for approvals. For reasonable performance, do not specify more than ten (10) members.

Default: 10

Marketplace Portal

These properties are the default values displayed in the Cloud Service Management Console that are used to configure the Marketplace Portal for an organization. The values configured in the Cloud Service Management Console take precedence over the values set in this properties file. See Appendix: Marketplace Portal Attributes for descriptions of the attributes that can be configured for the Marketplace Portal.

These properties are configured in csa.properties.

Property	Description
csa.consumer. featuredCategory	Optional. The default value of the Featured Category field displayed in the Cloud Service Management Console of a selected organization. This value may be overwritten in the Cloud Service Management Console. The value configured in the Cloud Service Management Console takes precedence over this value. This is the category that is used when displaying service offerings in the Marketplace Portal. The value entered for this attribute is the name of a category configured in the Cloud Service Management Console but is in all capitalized letters and replaces any spaces with an underscore (_). For example, if you configure a category named e-mail Servers and want to feature this category, you would set this attribute to E-MAIL_SERVERS. ACCESSORY APPLICATION_SERVERS - Default. APPLICATION_SERVICES BACKUP_SERVICES CRM DATABASE_SERVERS FILE_SERVERS HARDWARE MAIL_SERVICES NETWORK_SERVICES PLATFORM_SERVICES SIMPLE_SYSTEM SOFTWARE WEB_HOSTING_SERVICES For more information about the featured services, refer to the Marketplace Portal Help. Default: APPLICATION_SERVERS
csa.consumer. endDatePeriod	Optional. The default value of the Subscription End Date field displayed in the Cloud Service Management Console of a selected organization. This value may be overwritten in the Cloud Service Management Console by a lower value. The value configured in the Cloud Service Management Console takes precedence over this value. This is the maximum length of a subscription, in months, if a requested end date is specified. When a subscriber selects a requested start date and requests an end date, the length of the subscription cannot be longer than the value of this property. The maximum allowed value is 12 months. For example, if the subscriber selects a requested start date of June 15, 2015, based on the default value of this property, the requested end date cannot be later than June 14, 2016. If no end date is selected, this value is ignored. Default: 12 (months)
csa.consumer. legalNoticeUrl	Optional. The default value of the Privacy Statement Link field displayed in the Cloud Service Management Console of a selected organization. This value may be overwritten in the Cloud Service Management Console. The value configured in the Cloud Service Management Console takes precedence over this value. This is a link to an organization's privacy statement and, when enabled in the Cloud Service Management Console, appears on the login page below the copyright statement. Default: The online privacy statement.
csa.consumer. termsOfUseUrl	Optional. The default value of the Terms and Conditions Link field displayed in the Cloud Service Management Console of a selected organization. This value may be overwritten in the Cloud Service Management Console. The value configured in the Cloud Service Management Console takes precedence over this value. This is a link to an organization's terms and conditions statement and, when enabled in the Cloud Service Management Console, appears when a subscriber is ordering a service. Default: The terms of use statement.

FIPS 140-2 configuration on Windows

These configuration properties are used to configure CSA on Windows to be compliant with FIPS 140-2.

Note The csaTruststore and csaTruststorePassword properties are repeated here because you may need to update them for FIPS 140-2 configuration. These properties are configured in a different section of the csa.properties file.

These properties are configured in csa.properties.

Property	Description
useExternalProvider	Required if enabling FIPS 140-2 compliance mode. To enable, set this property to true. To disable, set this property to false or comment it out. When enabled, CSA uses the RSA BSAFE libraries to encrypt and decrypt passwords. If a password was encrypted using different libraries (for example, if the password was encrypted before this property is enabled), the resulting decrypted password will not be valid. If you cannot connect to the database after you have configured CSA for FIPS 140-2 compliance, try re-encrypting the database password in the database properties file. Default: commented out/disabled
securityProviderName	Required if FIPS 140-2 compliance mode is enabled. The name of the FIPS 140-2 compliant provider. By default, CSA uses the RSA BSAFE provider and this property should be set to JsafeJCE.
keySize	Optional. The key size used for CSA encryption. By default, the key size is 128. If you manually enter a different key size when encrypting a password, uncomment this property and configure the value to the key size used to encrypt the passwords. Note All passwords must be encrypted using the same key size. By default, the password encryption utility encrypts all passwords using a key size of 128 (even if you do not specify a key size when running the utility).
keystore	Required if FIPS 140-2 compliance mode is enabled. The absolute path to and file name of the CSA encryption keystore. This is the keystore that supports PKCS #12 and stores the key used by CSA to encrypt and decrypt data in CSA. Example (this example uses the same example name from the Create a CSA Encryption Keystore section in the Cloud Service Automation FIPS 140-2 Compliance Configuration Guide): `CSA_HOME/jboss-as/standalone/configuration/csa_encryption_keystore.p12` Note On Windows, use only forward slashes (/) as your path separators.
keyAlias	Required if FIPS 140-2 compliance mode is enabled. The alias used to identify the CSA encryption key in the CSA encryption keystore. Example (this example uses the same example name from the Create a CSA Encryption Keystore section in the Cloud Service Automation FIPS 140-2 Compliance Configuration Guide): `csa_encryption_key`
keystorePasswordFile	Required if FIPS 140-2 compliance mode is enabled. The absolute path to and file name of the CSA encryption keystore password. This is a temporary file that stores the CSA encryption keystore password in clear text. This file is required to start the CSA service and is automatically deleted when the service is started. The password file must contain only the following content: `keystorePassword=<CSA encryption keystore password>` where `<CSA encryption keystore password>` is the CSA encryption keystore password in clear text. Note On Windows, use only forward slashes (/) as your path separators.
encryptedKeyFile	Required if FIPS 140-2 compliance mode is enabled. The location of the CSA encrypted symmetric key. Example (this example uses the same example name from the Create a CSA Encryption Keystore section in the Cloud Service Automation FIPS 140-2 Compliance Configuration Guide): `CSA_HOME/jboss-as/standalone/configuration/key.dat` Note On Windows, use only forward slashes (/) as your path separators.
csaTruststore	Required. The CSA keystore that stores trusted Certificate Authority certificates. Note This property is located in another section of the `csa.properties` file. Its description is repeated here as its value should be updated when CSA has been configured to be compliant with FIPS 140‑2. Example (this example uses the same example name of the CSA server truststore from the Create a CSA Encryption Keystore section in the Cloud Service Automation FIPS 140-2 Compliance Configuration Guide): `CSA_HOME/jboss-as/standalone/configuration/csa_server_truststore.p12` Note On Windows, use only forward slashes (/) as your path separators.
csaTruststorePassword	Required. The encrypted password of the CSA keystore (see Encrypt a password for instructions on encrypting passwords). An encrypted password is preceded by `ENC` without any separating spaces and is enclosed in parentheses. Default: ENC(<encrypted_value>) where the default value of <encrypted_value> is the encrypted value of "changeit". Note This property is located in another section of the `csa.properties` file. Its description is repeated here as its value should be updated when CSA has been configured to be compliant with FIPS 140‑2. This is the <CSA server truststore password> from the Create a CSA Encryption Keystore section in the Cloud Service Automation FIPS 140-2 Compliance Configuration Guide):

Common Access Card

These properties are used to enable integration between Common Access Card (CAC) and CSA and to extract a user name from the subjectDN X.509 attribute.

These properties are configured in csa.properties.

Property Description

enableCAC

Property	Description
enableCAC	Optional. Enable integration between CAC and CSA, where the CAC is used as an approval mechanism. To enable, this property must be uncommented and set to `true`. To disable, either comment out the property or set it to `false`. Default: `false` (disabled)
csa.cac.regex	The regular expression used to extract a user name from the `subjectDN X.509` attribute. If this property is not set, then the default for `regex` is `CN=(.?)`. This property need not be set if the property `csa.cac.x509Attribute` is set to `"san"`. Note To retrieve the data between the parentheses from the `subjectDN X.509` attribute, use the filter `csa.cac.regex=\\((.?)\\)`.
idm.cac.regex	The regular expression used to extract a user name from the `subjectDN X.509` attribute. If this property is not set, then the default for `regex` is `CN=(.?)`. This property need not be set if the property `idm.cac.x509Attribute` is set to `"san"`. Note To retrieve the data between the parentheses from the `subjectDN X.509` attribute, use the filter `csa.cac.regex=\\((.?)\\)`.

Optional. Enable integration between CAC and CSA, where the CAC is used as an approval mechanism. To enable, this property must be uncommented and set to true. To disable, either comment out the property or set it to false.

Default: false (disabled)

csa.cac.regex

The regular expression used to extract a user name from the subjectDN X.509 attribute. If this property is not set, then the default for regex is CN=(.*?). This property need not be set if the property csa.cac.x509Attribute is set to "san".

Note To retrieve the data between the parentheses from the subjectDN X.509 attribute, use the filter csa.cac.regex=\\((.*?)\\).

idm.cac.regex

Note To retrieve the data between the parentheses from the subjectDN X.509 attribute, use the filter csa.cac.regex=\\((.*?)\\).

Single Sign-On

This property is used to enable integration between CA SiteMinder and CSA. SSO can be used when launching an application, such as HPE IT Business Analytics, from the Cloud Service Management Console.

This property is configured in csa.properties.

Property Description

enableSSO

Property	Description
enableSSO	Enables SSO post install if you want to enable Siteminder SSO. This property must be uncommented and set to `true` to enable integration between CA SiteMinder and CSA, where SiteMinder is used for single sign-on. In all other cases, either comment out this property or set it to `false` to disable it. Default: `false`(disabled)

Enables SSO post install if you want to enable Siteminder SSO.

This property must be uncommented and set to true to enable integration between CA SiteMinder and CSA, where SiteMinder is used for single sign-on. In all other cases, either comment out this property or set it to false to disable it.

Default: false(disabled)

Process executor delegate

These properties are used to configure the process executor delegate. The process executor delegate handles processing of the process instances. It discovers the ready instances, submits them to different thread pools for processing based on process definition and model type (sequenced or topology).

These properties are configured in csa.properties.

Property	Description
com.hp.csa.service.process. ProcessExecutorDelegate. INTERNAL_POOL_SIZE	Optional. The maximum number of threads used for processing internal executors (for example, clone patterns). Default: 2
com.hp.csa.service.process. ProcessExecutorDelegate. EXTERNAL_POOL_SIZE	Optional. The maximum number of threads used for processing external executors (for example, Operations Orchestration). Default: 2
com.hp.csa.service.process. ProcessExecutorDelegate. CALLBACK_POOL_SIZE	Optional. The maximum number of threads used by the callback pool. Default: 2
com.hp.csa.service.process. ProcessExecutorDelegate. MONITOR_POOL_SIZE	Optional. The maximum number of threads used by the monitor pool. Default: 2

Miscellaneous

The following are miscellaneous properties that do not fall under any specific category.

These properties are configured in csa.properties.

Property	Description
com.hp.csa.aosMonitor. THREAD_WAKEUP_TIME	Optional. How often, in milliseconds, the background thread monitors plug-in processes. Default: 20000
com.hp.csa.TimeoutChecker. THREAD_WAKEUP_TIME	Optional. How often, in milliseconds, the background thread monitors for processes that have timed out. Default: 300000
com.hp.csa.ExportSvcOffering.THREAD_WAKEUP_TIME	Defines the background service wakeup time to export non-posted offerings, subscriptions and instances into elasticsearch. When the CSA service starts, the background service wakes up. If there are no records to be exported to elasticsearch then the background services dies immediately. Otherwise the background service exports records into elasticsearch in the batches of the property defined in com.hp.csa.ExportSvcOffering.FETCH_SIZE. The background service continues to run until it processes all the non-posted records available in the CSA database. If the background service is not running, it wakes-up again according to the time defined in this property. The value of this property should be in milliseconds.
com.hp.csa.ExportSvcOffering.FETCH_SIZE	Defines the number of records to be processed at a time. The SQL used to fetch the records from the CSA database, uses this property value to limit the number of records that can be fetched from the database and then exported to elasticsearch.
com.hp.csa.plugin.cloudos.util.TokenCache.TIMEOUT	Identity Management component token cache timeout, in milliseconds. Every REST call to CSA (such as for provisioning) is authenticated by Identity Management. CSA uses trustId to get the authentication token from Identity Management. Because these REST calls can be more frequent, this property allows you to define the cache timeout to prevent enormous sizes during the REST call’s authentication lifecycle. Default value: 300000 (5 minutes) Value 0 disables cache
com.hp.csa.import.BUILD_ARTIFACT_RELATIONSHIP	Disables the artifact relationship section of the import/preview results.
loggerEnabled	Enables the logging filter for the legacy REST APIs, so that the requesting user and artifact information is logged.
csa.productPerspective	Determines which version of CSA has been installed: Enterprise or Codar.
jdbc.dialect	Holds explicitly set Hibernate dialect for a given database. Recommended values for the databases are: MSSQL: org.hibernate.dialect.SQLServer2008Dialect Oracle: org.hibernate.dialect.Oracle10gDialect PostgreSQL: org.hibernate.dialect.PostgreSQLDialect

Operations Orchestration

These properties are used to integrate with Operations Orchestration.

These properties are configured in csa.properties.

The following properties configure the interaction between the Cloud Service Management Console and Operations Orchestration. In the subscription event overview section of the (Undefined variable: CSAVariables.tabOperations) area in the Cloud Service Management Console, selecting the Process ID opens Operations Orchestration to the detailed page of the selected process when these properties are configured.

Property	Description
OOS_URL	The URL used to access Operations Orchestration Central. This is the Operations Orchestration used for provisioning topology designs. For example, `https://<hostname>:8445`. This property is automatically set during installation. If you are using the embedded Operations Orchestration that is included with CSA, this property is set using the values entered for the Fully qualified domain name on Windows or the Fully Qualified Hostname on Linux and HPE OO Port fields during installation. If you are using a standalone/external Operations Orchestration, this property is set using the values entered for the HPE OO Hostname and HPE OO Port fields during installation.
OOS_USERNAME	The username used to log in to Operations Orchestration Central. This property is automatically set during installation using the value entered for the HPE OO User Name field during installation.
OOS_PASSWORD	The encrypted password used by the user defined in `OOS_USERNAME` to log in to Operations Orchestration Central. This property is automatically set during installation using the value entered for the HPE OO Password field during installation.
embedded.oo.root.dir	Location of the embedded Operations Orchestration when it is installed with CSA. This property is generated when embedded Operations Orchestration is installed during the CSA installation. This property is the only indicator of embedded Operations Orchestration, which is important mainly for uninstallation and upgrades. This property cannot be edited.

The following properties configure background services to monitor Operations Orchestration.

Property	Description
com.hp.csa.oo.OOClient.SOCKET_TIMEOUT	Optional. How long, in milliseconds, CSA keeps a socket open for SOAP-based communication with Operations Orchestration. Default: 60000
com.hp.csa.OosMonitor.THREAD_WAKEUP_TIME	Optional. How often, in milliseconds, the background thread monitors Operations Orchestration processes. Default: 60000
com.hp.csa.service.process.OosMonitorDelegate.MONITOR_POOL_SIZE	Optional. The maximum number of threads used by the monitor pool. Default: 2
OOS_MASTER_OOFLOW_CONTENT_LOCATION	The location in Operations Orchestration where CSA generates topology design-based master Operations Orchestration flows and related subflows. The folder structure must use forward slashes. Default: Library/CSA/Topology_Generated_Flows

CSA 3.x API authentication

These properties are used to configure authentication for the CSA 3.x API.

These properties are configured in csa.properties.

Property Description

xAuthToken

Property	Description
xAuthToken	Optional. An optional token in the Authorization header used for HTTP basic authentication by the CSA 3.x API. If the token is sent, it is used to authenticate the userIdentifier parameter in the REST API. For more information about the CSA API,see the Cloud Service Automation API Quick Start Guide. Default: X-Auth-Token
integrationAccountUserList	Required. A comma-delimited list of users who are authorized to exercise the CSA 3.x API. The username in the Authorization header used for HTTP basic authentication must match one of the users in this list. By default, the following CSA built-in users are configured: admin, csaCatalogAggregationTransportUser, csaReportingUser, csaTransportUser, ooInboundUser, and cdaInboundUser. You can also add LDAP users (identified by the User ID) to this list. For example, if you use email addresses for the User ID, you could add `user1@xyz.com` to the list. For more information about the CSA API, see the Cloud Service Automation API Quick Start Guide. Default: admin,csaReportingUser,ooInboundUser, cdaInboundUser,csaTransportUser, csaCatalogAggregationTransportUser

Optional. An optional token in the Authorization header used for HTTP basic authentication by the CSA 3.x API. If the token is sent, it is used to authenticate the userIdentifier parameter in the REST API. For more information about the CSA API,see the Cloud Service Automation API Quick Start Guide.

Default: X-Auth-Token

integrationAccountUserList

Required. A comma-delimited list of users who are authorized to exercise the CSA 3.x API. The username in the Authorization header used for HTTP basic authentication must match one of the users in this list.

By default, the following CSA built-in users are configured: admin, csaCatalogAggregationTransportUser, csaReportingUser, csaTransportUser, ooInboundUser, and cdaInboundUser. You can also add LDAP users (identified by the User ID) to this list. For example, if you use email addresses for the User ID, you could add user1@xyz.com to the list.

For more information about the CSA API, see the Cloud Service Automation API Quick Start Guide.

Default: admin,csaReportingUser,ooInboundUser,
cdaInboundUser,csaTransportUser,
csaCatalogAggregationTransportUser

Topology Designer

These properties are used to configure the features of topology designs.

These properties are configured in csa.properties.

Property Description

Property	Description
TopologyDesignProvisioning. TIMEOUT	Optional. The amount of time, in seconds, CSA attempts to provision or de-provision a topology design that is not based on an Helion OpenStack® provider (topology design provisioning and de-provisioning is orchestrated by interacting with resource providers corresponding to the components used in the design). If the time is exceeded, in the Operations area of the Cloud Service Management Console, the subscription (to a service offering that is created from a topology design that is not based on an Helion OpenStack® provider) will show a Subscription Status of `Failed` and a Service Instance Status of `Failed`. If you select the Events tab of the subscription, the event will show a Status of `Timeout`. If you select the Topology tab of the subscription, the topology view will show the status of the components in the service instance as their respective status just before the timeout occurred. It is recommended that this value be set to the same value as the Operations Orchestration flow timeout value. Default: 7200 (2 hours)
OrchestratedTopologyDesignProvisioning. ProviderSelection.Enabled	Optional. Enable or disable resource environment and provider selection by the subscriber in the Marketplace Portal for service offerings based on topology designs that are not based on an Helion OpenStack® provider. For more information, refer to the Cloud Service Management Console Help. Default: true (enabled)

TopologyDesignProvisioning.
TIMEOUT

Optional. The amount of time, in seconds, CSA attempts to provision or de-provision a topology design that is not based on an Helion OpenStack® provider (topology design provisioning and de-provisioning is orchestrated by interacting with resource providers corresponding to the components used in the design).

If the time is exceeded, in the Operations area of the Cloud Service Management Console, the subscription (to a service offering that is created from a topology design that is not based on an Helion OpenStack® provider) will show a Subscription Status of Failed and a Service Instance Status of Failed. If you select the Events tab of the subscription, the event will show a Status of Timeout. If you select the Topology tab of the subscription, the topology view will show the status of the components in the service instance as their respective status just before the timeout occurred.

It is recommended that this value be set to the same value as the Operations Orchestration flow timeout value.

Default: 7200 (2 hours)

OrchestratedTopologyDesignProvisioning.
ProviderSelection.Enabled

Optional. Enable or disable resource environment and provider selection by the subscriber in the Marketplace Portal for service offerings based on topology designs that are not based on an Helion OpenStack® provider. For more information, refer to the Cloud Service Management Console Help.

Default: true (enabled)

Elasticsearch

These properties are used to integrate global search with CSA.

These properties are configured in csa.properties.

Property	Description
csa.provider.es.exists	Required. Enable or disable the global search feature on this CSA node. If enabled, additional microservice properties may be configured. To enable the global search feature, set this property to yes. In a FIPS 140-2 compliant environment on Windows, this property must be set to no. Default: yes (enabled)
csa.provider.es.authUser	Required if `csa.provider.es.exists` is enabled (set to yes). The user used by the Elasticsearch service to authenticate requests coming from CSA. It is recommended that you create a user specifically for this purpose. If the CSA built-in `consumer` user is disabled or another user is used, either another built-in user or LDAP user must be configured. If using a built-in user, this user must have the `SERVICE_CONSUMER` role configured. If using an LDAP user, this user must be assigned to the Service Consumer role. Default: consumer
csa.provider.es.authPassword	Required if `csa.provider.es.exists` is enabled (set to yes). The encrypted password of the `csa.provider.es.authUser` user. The password should be encrypted (see Encrypt a password for instructions). An encrypted password is preceded by `ENC` without any separating spaces and is enclosed in parentheses. Default: <encrypted password of the consumer user>
csa.provider.es.authOrganization	Required if `csa.provider.es.exists` is enabled (set to yes). The name of the organization to which the `csa.provider.es.authUser` user belongs. The organization is used only for authentication purposes. The Elasticsearch service will index the service offerings, service instances, or subscriptions for all organizations. However, global search results for a Marketplace Portal user will be limited to the service offerings, service instances, or subscriptions of the organization to which the user belongs and to which the user has access. If the CSA built-in `CONSUMER` organization is disabled or removed, the `csa.provider.es.authUser`, `csa.provider.es.authPassword`, and `csa.provider.es.authOrganization` properties must be updated to use a valid user and organization. Default: `CONSUMER`
csa.provider.es.idmURL	Required if `csa.provider.es.exists` is enabled (set to yes). The URL used to generate Identity Management component tokens for Elasticsearch service authentication. If a CSA cluster is configured for high availability using a load balancer, `localhost` must be changed to the hostname or IP address of the system on which the load balancer is running. Default: `https://localhost:8444/idm-service`

Microservices

These properties are used to configure the HPE Search Service, which creates the indices for Elasticsearch. The Elasticsearch property, csa.provider.es.exists, must be enabled for these properties to take effect.

These properties are configured in csa.properties.

Property Description

csa.provider.msvc.hostname

Property	Description
csa.provider.msvc.hostname	Required if `csa.provider.es.exists` is enabled (set to yes). The fully-qualified domain name of the system on which the HPE Search Service is running or localhost. Default: localhost
csa.provider.msvc.port	Required if `csa.provider.es.exists` is enabled (set to yes). The port used to connect to the system on which the HPE Search Service is running. Default: 9000
csa.provider.msvc.rest.protocol	Required if `csa.provider.es.exists` is enabled (set to yes). The protocol used by the REST API to connect to the system on which the HPE Search Service is running. Default: https

Required if csa.provider.es.exists is enabled (set to yes). The fully-qualified domain name of the system on which the HPE Search Service is running or localhost.

Default: localhost

csa.provider.msvc.port

Required if csa.provider.es.exists is enabled (set to yes). The port used to connect to the system on which the HPE Search Service is running.

Default: 9000

csa.provider.msvc.rest.protocol

Required if csa.provider.es.exists is enabled (set to yes). The protocol used by the REST API to connect to the system on which the HPE Search Service is running.

Default: https

LDAP access point

This property is used to enable or disable access to the LDAP access point configuration in the Cloud Service Management Console.

This property is configured in csa.properties.

Property	Description
csa.ldapReadOnly	Required. Enable or disable access to the LDAP access point configuration in the Cloud Service Management Console. By default, the property is set to false and the CSA administrator can configure the LDAP access point of any organization from the Cloud Service Management Console (the LDAP access point is typically configured when an organization is created in the Cloud Service Management Console). LDAP configuration includes fields for the LDAP Server Information, LDAP Attributes, and User Login Information in the Cloud Service Management Console. The LDAP access point is used by CSA for authentication and authorization. For security reasons, you may not want to allow the CSA administrator to configure the LDAP access point from the Cloud Service Management Console. You can disable access to the LDAP access point fields for all organizations from the Cloud Service Management Console by setting this property to true (disabling access makes the LDAP configuration fields read-only in the Cloud Service Management Console). By disabling this access, only the system administrator or other privileged users on the CSA system can update the LDAP access point using the LDAP Configuration Tool. Refer to the LDAP Configuration Tool guide for more information about the LDAP Configuration Tool. To enable access to the LDAP access point configuration in the Cloud Service Management Console, set this property to false. To disable access to the LDAP access point configuration in the Cloud Service Management Console, set this property to true. Default: false

Property

Description

csa.ldapReadOnly

Required. Enable or disable access to the LDAP access point configuration in the Cloud Service Management Console.

By default, the property is set to false and the CSA administrator can configure the LDAP access point of any organization from the Cloud Service Management Console (the LDAP access point is typically configured when an organization is created in the Cloud Service Management Console). LDAP configuration includes fields for the LDAP Server Information, LDAP Attributes, and User Login Information in the Cloud Service Management Console. The LDAP access point is used by CSA for authentication and authorization.

For security reasons, you may not want to allow the CSA administrator to configure the LDAP access point from the Cloud Service Management Console. You can disable access to the LDAP access point fields for all organizations from the Cloud Service Management Console by setting this property to true (disabling access makes the LDAP configuration fields read-only in the Cloud Service Management Console). By disabling this access, only the system administrator or other privileged users on the CSA system can update the LDAP access point using the LDAP Configuration Tool. Refer to the LDAP Configuration Tool guide for more information about the LDAP Configuration Tool.

To enable access to the LDAP access point configuration in the Cloud Service Management Console, set this property to false. To disable access to the LDAP access point configuration in the Cloud Service Management Console, set this property to true.

Default: false

Service Design, Service Offering, and Catalog Content archive verification

This property is used to enable or disable service design, service offering, and catalog content archive verification.

This property is configured in csa.properties.

Property	Description
csa.security.enable	Required. Enable or disable service design, service offering, and catalog content archive verification. By default, the property is set to false (verification is disabled), allowing the Cloud Service Management Console or Content Archive Tool to import a service design, service offering, or catalog content archive directly without verification. When the property is set to true (verification is enabled), CSA verifies the digital signature of the content archive, validates the date of the certificate used to sign the content archive, and verifies that the content in the content archive has not been modified after it was signed. If the content archive fails one of these validation or verification checks, the content archive will not be imported into CSA. When enabled, all imported service design, service offering, or catalog content archives must be signed. Refer to Signing the Content Archive for the steps required to sign a content archive. Note Verifying service designs and catalogs before they are imported is done using the Cloud Service Management Console or the Content Archive Tool. Verifying service offerings before they are imported is done using the Content Archive Tool. Caution Verification cannot be enabled for importing a service design, service offering, or catalog content archive using the REST APIs. A service design, service offering, or catalog content archive imported using the REST APIs will always be imported directly. Verification can only be enabled for the Cloud Service Management Console or the Content Archive Tool. Default: false

Property

Description

csa.security.enable

Required. Enable or disable service design, service offering, and catalog content archive verification.

By default, the property is set to false (verification is disabled), allowing the Cloud Service Management Console or Content Archive Tool to import a service design, service offering, or catalog content archive directly without verification.

When the property is set to true (verification is enabled), CSA verifies the digital signature of the content archive, validates the date of the certificate used to sign the content archive, and verifies that the content in the content archive has not been modified after it was signed. If the content archive fails one of these validation or verification checks, the content archive will not be imported into CSA.

When enabled, all imported service design, service offering, or catalog content archives must be signed. Refer to Signing the Content Archive for the steps required to sign a content archive.

Note Verifying service designs and catalogs before they are imported is done using the Cloud Service Management Console or the Content Archive Tool. Verifying service offerings before they are imported is done using the Content Archive Tool.

Caution Verification cannot be enabled for importing a service design, service offering, or catalog content archive using the REST APIs. A service design, service offering, or catalog content archive imported using the REST APIs will always be imported directly. Verification can only be enabled for the Cloud Service Management Console or the Content Archive Tool.

Default: false

HPE CSA-ITOC Integration version 1 (v1)

These properties are used to enable integration between CSA and IT Operations Compliance (ITOC).

These properties are configured in csa.properties.

Property	Description
csa.ITOC.Integration.enabled	Optional. Enable or disable integration between CSA and ITOC. To enable, this property must be uncommented and set to true. To disable, either comment out the property or set it to false. Default: (disabled)
csa.ITOC.Notification.BaseUri	Required if integration between CSA and ITOC is enabled. To enable, this property must be uncommented and set to the endpoint of the ITOC instance. The endpoint is the URL for connecting to the ITOC instance where <protocol> is the protocol used to communicate with the ITOC instance (for example, http or https), <itoc_host> is the hostname of the ITOC instance, and <port> is the port used to connect to the system on which ITOC is running. Default: (disabled)
csa.ITOC.Notification.username	Required if integration between CSA and ITOC is enabled. To enable, this property must be uncommented and set to the username used to log in to the ITOC instance. Default: (disabled)
csa.ITOC.Notification.password	Required if integration between CSA and ITOC is enabled. To enable, this property must be uncommented and set to the encrypted password used by the user defined in `csa.ITOC.Notification.username` to log in to the ITOC instance. (see Encrypt a password for instructions). An encrypted password is preceded by `ENC` without any separating spaces and is enclosed in parentheses. Default: (disabled)
csa.ITOC.Notification.tenant	Required if integration between CSA and ITOC is enabled. To enable, this property must be uncommented and set to the tenant group to which the user defined in `csa.ITOC.Notification.username` belongs. Default: (disabled)

HPE CSA-ITOC Integration version 2 (v2)

Property	Description
csa.ITOC.IntegrationV2.enabled	Optional. Enable or disable integration v2 between CSA and ITOC. To enable, this property must be uncommented and set to true. To disable, either comment out the property or set it to false. Default: (disabled)
csa.ITOC.IntegrationV2.ITOCBaseUri	Required if integration v2 between CSA and ITOC is enabled. To enable, this property must be uncommented and set to the endpoint of the ITOC instance. The endpoint is the URL for connecting to the ITOC instance where <protocol> is the protocol used to communicate with the ITOC instance (for example, http or https), <itoc_host> is the hostname of the ITOC instance, and <port> is the port used to connect to the system on which ITOC is running. Default: (disabled)
csa.ITOC.IntegrationV2.public.<user>=<password>	Required if integration v2 between CSA and ITOC is enabled. To enable, this property must be uncommented and set to the ITOC integration credentials. It is used to access ITOC public tenant to get the list of policies and maintenance windows. Username is part of the configuration key and encrypted password is value of the configuration key. (see Encrypt a password for instructions). An encrypted password is preceded by `ENC` without any separating spaces and is enclosed in parentheses. Default: (disabled)
csa.ITOC.IntegrationV2.<tenant>.<user>=<password>	Required if integration v2 between CSA and ITOC is enabled. To enable, this property must be uncommented and and set to integration credentials for each consumer tenant of ITOC. Tenant is part of the configuration key, username is part of the configuration key and encrypted password is value of the configuration key. (see Encrypt a password for instructions). An encrypted password is preceded by `ENC` without any separating spaces and is enclosed in parentheses. Default: (disabled)
csa.ITOC.IntegrationV2.timeout=10000	Required if integration v2 between CSA and ITOC is enabled. To enable, this property must be uncommented and set to connection timeout in milliseconds. Default: (disabled)

Session Timeout

This property is used to configure the Cloud Service Management Console session.

This property is configured in web.xml.

Property	Description
session-timeout	Optional. The amount of inactivity, in minutes, that causes the Cloud Service Management Console session to time out. Default: 60

Property

Description

session-timeout

Optional. The amount of inactivity, in minutes, that causes the Cloud Service Management Console session to time out.

Default: 60

REST

These properties are used to configure the REST response.

These properties are configured in csa.properties.

Property Description

Property	Description
rest.restrict.fields	A comma separated list of the fields that are not included in the REST response. By default the rest.restrict.fields property includes these fields: createdBy, updatedBy, createdOn, updatedOn, description, iconUrl, and categoryType. For details see "Values for the restrict parameter" in the Cloud Service Automation API Guide.
rest.restrict	Enable or disable the fields specified in the rest.restrict.fields property to be excluded/included in the output of the REST response. If set to true, the fields are excluded in the output of the REST response. If set to false, the fields are included in the output of the REST response. Default: `false` For details see "Values for the restrict parameter" in the Cloud Service Automation API Guide.
rest.excludedoc	Enable or disable the document field to be excluded/included in the output of the REST response. If set to true, the document field is excluded in the output of the REST response. If set to false, the document field is included in the output of the REST response. Default: `false` For details see "Values for the excludedoc parameter" in the Cloud Service Automation API Guide.

rest.restrict.fields

A comma separated list of the fields that are not included in the REST response. By default the rest.restrict.fields property includes these fields: createdBy, updatedBy, createdOn, updatedOn, description, iconUrl, and categoryType.

For details see "Values for the restrict parameter" in the Cloud Service Automation API Guide.

rest.restrict

Enable or disable the fields specified in the rest.restrict.fields property to be excluded/included in the output of the REST response.

If set to true, the fields are excluded in the output of the REST response.

If set to false, the fields are included in the output of the REST response.

Default: false

For details see "Values for the restrict parameter" in the Cloud Service Automation API Guide.

rest.excludedoc

Enable or disable the document field to be excluded/included in the output of the REST response.

If set to true, the document field is excluded in the output of the REST response.

If set to false, the document field is included in the output of the REST response.

Default: false

For details see "Values for the excludedoc parameter" in the Cloud Service Automation API Guide.

Send Help Center feedback