Configure the Identity Management component

To configure the Identity Management component, complete the following steps:

Note If you wish to configure CAC without HP SSO, do the following in this order:

  1. Follow the instructions to manually disable HP SSO, see "Disable HP Single Sign-On (HPSSO)" in Integrate with HP Single Sign-On.
  2. Continue to follow the steps below, but you should skip steps 4a and 4f. These steps are only relevant when HP SSO is used in CSA (HP SSO is enabled by default).

  1. Extract the user name from the certificate using the username extraction mechanism.

    The username extraction mechanism depends on the format of your certificate. The user name extracted from the certificate must match the user names configured in the LDAP configuration in CSA. CSA enables you to extract the user name using the SubjectDN and Subject Alternative Name (SAN) mechanisms. To configure the username extraction mechanism, change the following properties in the CSA_HOME/jboss-as/standalone/deployments/idm-service.war/WEB-INF/spring/applicationContext.properties file:

    Property: idm.cac.x509Attribute
    Description: The name of the X.509 certificate attribute from which the user name will be extracted.

    Set this property to subjectDN or san or subjectDN,san. If this property is set to contain both attributes, such as subjectDN,san or san,subjectDN, then the user name will be extracted from the subjectDN attribute only if the SAN attribute is not present in the certificate. If this property is not set, then the default value for the property is "subjectDN".

    Uncomment this property: #idm.cac.x509Attribute=subjectDN

    Property: idm.cac.regex
    Description: The regular expression used to extract a user name from the subjectDN X.509 attribute. If this property is not set, then the default for regex is CN=(.*?). This property need not be set if the property idm.cac.x509Attribute is set to "san".

    Note To retrieve the data between the parentheses from the subjectDN X.509 attribute, use the filter csa.cac.regex=\\((.*?)\\).

    Property: idm.cac.san.type
    Description: The type of the subject alternative name. The allowed types are othername and rfc822name. If this property is not set, then the default value for the property is otherName. This property need not be set if idm.cac.x509Attribute is set to "subjectDN".

    Property: idm.cac.default_tenant_org
    Description: Name of the default organization to use with CAC if no organization is defined in the request.

    Uncomment this property: #idm.cac.default_tenant_org=CONSUMER

  2. Navigate to the CSA_HOME/jboss-as/standalone/deployments/idm-service.war/WEB-INF/spring directory.
  3. Make a backup copy of the applicationContext-security.xml file.
  4. Edit the CSA_HOME/jboss-as/standalone/deployments/idm-service.war/WEB-INF/spring/applicationContext-security.xml file:

    1. (Skip this step if HP SSO has been disabled manually.) If you are using HP SSO, locate and uncomment the content below the line START Certificate Authentication with subjectAlternativeName (with HP SSO) so that it appears as follows:

      <security:http pattern="/idm/v0/login" use-expressions="true" auto-config="false">
          <security:http-basic />
          <security:csrf disabled="true" />
          <security:custom-filter ref="hpssoProvidedFilter" before="PRE_AUTH_FILTER" />
          <security:custom-filter ref="hpssoIntegrationFilter" after="PRE_AUTH_FILTER" />
          <security:custom-filter ref="requestTokenCompositeFilter" position="FIRST"/>
          <security:custom-filter position="X509_FILTER" ref="cacX509AuthenticationFilter" />
          <security:custom-filter ref="cacFilter" before="LAST" />
          <security:custom-filter ref="noPromptFilter" position="LAST" />
      </security:http>
      <bean id="cacFilter" class="com.hp.ccue.identity.filter.certificate.CertificateFilter">
          <property name="generateTokenUtil" ref="generateTokenUtil" />
          <property name="tokenFactory" ref="tokenFactory" />
          <property name="tokenWriter" ref="hpssoTokenWriter" />
          <property name="loginRedirectionHandler" ref="loginRedirectionHandler" />
          <property name="authenticationFactory" ref="authnFactory" />
          <property name="persistenceService" ref="persistenceService"/>
          <property name="rolesPopulator" ref="csaRolesPopulator"/>
          <property name="userAndRepFactory" ref="ldapUserAndRepFactory"/>
          <property name="tenantFactory" ref="tenantFactory"/>
          <property name="defaultTenantOrganization" value="${idm.cac.default_tenant_org}" />
      </bean> 
    2. Locate the line START Certificate Authentication (beans) and uncomment the bean definitions below this comment so that it appears as follows:

      Note To retrieve the data between the parentheses for <property name="regex" value="${idm.cac.regex:CN=(.*?),}" />, use the filter <property name="regex" value="${idm.cac.regex:\\((.*?)\\)}" />.

      <!--START Certificate Authentication (beans) -->
      <bean id="cacX509AuthenticationFilter"
            class="org.springframework.security.web.authentication.preauth.x509.X509AuthenticationFilter">
          <property name="authenticationManager" ref="authManager" />
          <property name="principalExtractor" ref="customX509Extractor" />
      </bean>

      <bean id="customX509AttrPreAuthAuthProvider"
            class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
          <property name="preAuthenticatedUserDetailsService" ref="customAuthenticationUserDetailsService" />
      </bean>
      <bean id="customAuthenticationUserDetailsService"
            class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
          <property name="userDetailsService" ref="cacUserDetailsService" />
      </bean>
      <bean id="customX509Extractor"
            class="com.hp.ccue.identity.filter.certificate.CustomX509PrincipalExtractor">
          <property name="x509Attribute" value="${idm.cac.x509Attribute:subjectDN}" />
          <property name="regex" value="${idm.cac.regex:CN=(.*?),}" />
          <property name="sanType" value="${idm.cac.san.type:OtherName}" />
          <property name="UPNResolver" ref="userPrincipalNameResolver" />
      </bean>

      <!-- Uncomment a userPrincipalNameResolver implementation for extracting the user principal name -->
      <!--
      <bean id="userPrincipalNameResolver"
            class="com.hp.ccue.identity.filter.certificate.DefaultUserPrincipalNameExtractor" />
      -->
      <bean id="userPrincipalNameResolver"
            class="com.hp.ccue.identity.filter.certificate.CsaBouncyCastleUpnExtractor" />

    3. Locate the line <security:authentication-provider ref="customX509AttrPreAuthAuthProvider"/> and uncomment this line so that it appears as below:

      <!-- START Certificate Authentication with subjectAlternativeName -->
      
           <security:authentication-provider ref="customX509AttrPreAuthAuthProvider"/>
      
      <!-- END Certificate Authentication with subjectAlternativeName -->
    4. Locate the line <!-- START Simplified Logout Configuration --> and uncomment the section below the line so that it appears as follows:

      <!-- START Simplified Logout Configuration -->

      <security:http pattern="/idm/v0/logout" use-expressions="true" auto-config="false">
          <security:csrf disabled="true" />
          <security:custom-filter ref="simpleLogoutRedirect" position="FIRST"/>
          <security:http-basic />
      </security:http>
      <!--<security:http pattern="/idm/v0/logout/close" use-expressions="true" auto-config="false">
          <security:csrf disabled="true" />
          <security:custom-filter ref="hpssoIntegrationFilter" after="PRE_AUTH_FILTER"/>
          <security:http-basic />
      </security:http>-->
      <bean id="simpleLogoutRedirect" class="com.hp.ccue.identity.filter.RedirectFilter">
          <property name="url" value="/idm/v0/logout/close"/>
      </bean>

      <!-- END Simplified Logout Configuration -->
    5. Locate the line <!-- START Certificate Authentication / SiteMinder SSO / HP SSO Configuration --> and uncomment the section below this line so that it appears as follows:

      <!-- START Certificate Authentication / SiteMinder SSO / HP SSO Configuration -->
      
          <bean class="com.hp.ccue.identity.filter.LoginRedirectionHandler" id="loginRedirectionHandler">
              <property name="tokenService" ref="tokenService"/>
          </bean>
         
          <bean class="com.hp.ccue.identity.utilities.GenerateResponseTokenUtil" name="generateTokenUtil">
              <property name="tenantFactory" ref="tenantFactory"/>
              <property name="userFactory" ref="userFactory"/>
              <property name="authenticationResponseFactory" ref="authenticationResponseFactory"/>
              <property name="roles">
                  <list>
                     <value>ROLE_REST</value>
                  </list>
              </property>
          </bean>
      
      <!-- END Certificate Authentication / SiteMinder SSO / HP SSO Configuration -->
    6. (Skip this step if HP SSO has been disabled manually.) Search for START HP SSO ONLY Configuration and comment out the section below:

      <security:http auto-config="false" pattern="/idm/v0/login" use-expressions="true">
          <security:csrf disabled="true"/>
          <security:custom-filter position="FIRST" ref="requestTokenCompositeFilter"/>
          <security:custom-filter before="PRE_AUTH_FILTER" ref="hpssoProvidedFilter"/>
          <security:custom-filter after="PRE_AUTH_FILTER" ref="hpssoIntegrationFilter"/>
          <security:custom-filter before="FORM_LOGIN_FILTER" ref="noPromptFilter"/>
          <security:http-basic/>
      </security:http>
      
      <security:http auto-config="false" pattern="/idm/v0/logout" use-expressions="true">
          <security:csrf disabled="true"/>
          <security:custom-filter position="FIRST" ref="requestTokenCompositeFilter"/>
          <security:custom-filter before="PRE_AUTH_FILTER" ref="hpssoProvidedFilter"/>
          <security:custom-filter after="PRE_AUTH_FILTER" ref="hpssoIntegrationFilter"/>
          <security:http-basic/>
      </security:http>
  5. Edit the CSA_HOME/jboss-as/standalone/deployments/idm-service.war/WEB-INF/spring/applicationContext.xml file:

    1. Comment out activeDirectoryAuthProvider and ldapAuthProvider so that they appear as follows:

      Note Ignore this step if it is already done.

      <bean id="multiTenantAuthProvider"
            class="com.hp.ccue.identity.authn.MultiTenantAuthenticationProvider">
          <property name="providers">
              <list>
                  <!-- <ref bean="activeDirectoryAuthProvider"/> -->
                  <!-- <ref bean="ldapAuthProvider"/> -->
                  <ref bean="seededAuthProvider"/>
              </list>
          </property>
          ......................
      </bean>
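Before restarting CSA, it is worth checking which user name the idm.cac.* settings from step 1 will actually yield for your certificates, since a name that does not match the LDAP configuration fails the login. The following added Python example (not part of CSA or its idm-service) models the extraction precedence the page describes; it assumes the certificate has already been parsed into a small dict with the subjectDN string and the SAN entries, and the sample certificates are constructed, not real.

```python
import re

# Constructed sample certificates (not real certificates): the fields the
# extractor looks at after a CAC certificate has been parsed.
SAMPLE_CERT = {
    "subjectDN": "CN=jdoe (Jane Doe),OU=Users,O=Example,C=US",
    "san": {"otherName": "jdoe@example.mil", "rfc822Name": "jane.doe@example.com"},
}
SAMPLE_CERT_NO_SAN = {"subjectDN": "CN=bsmith,OU=Users,O=Example,C=US", "san": {}}

# Defaults the page states for the three idm.cac.* extraction properties.
DEFAULTS = {
    "idm.cac.x509Attribute": "subjectDN",
    "idm.cac.regex": "CN=(.*?),",
    "idm.cac.san.type": "otherName",
}


def extract_username(cert, props=None):
    """Return the user name the settings in `props` select from `cert`, or None.

    Precedence follows the page: if idm.cac.x509Attribute lists both subjectDN
    and san (either order), the SAN wins when the certificate carries one and
    the subjectDN regex is only the fallback. Pass regexes here as real regexes;
    in applicationContext.properties each backslash must be doubled (\\\\).
    """
    cfg = {**DEFAULTS, **(props or {})}
    attrs = [a.strip().lower() for a in cfg["idm.cac.x509Attribute"].split(",")]
    if "san" in attrs:
        wanted = cfg["idm.cac.san.type"].lower()   # othername / rfc822name
        for san_type, value in cert.get("san", {}).items():
            if san_type.lower() == wanted and value:
                return value
    if "subjectdn" in attrs:
        m = re.search(cfg["idm.cac.regex"], cert["subjectDN"])
        if m:
            # capture group 1 when the regex has one, otherwise the whole match
            return m.group(1) if m.groups() else m.group(0)
    return None


def matches_ldap_user(cert, ldap_users, props=None):
    """True when the extracted name is one the LDAP configuration knows."""
    name = extract_username(cert, props)
    return name is not None and name in ldap_users
```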