Administer > Configure CSA > Identity Management Configuration

Appendix: Identity Management component Configuration

If you are using the Identity Management component, the identity service and its components require configuration. Because it is a Spring Framework application, most of its configuration is defined in the applicationContext.xml file, and SYSTEM_RESOURCE_CONFIG table in IDM database. The applicationContext.properties file only contains database information.

You should make most common configuration changes to the applicationContext.properties file. To avoid service disruptions, only advanced users who understand the Spring Framework should change the applicationContext.xml file.

You must also configure the Java Relying Party Library.

Note You should always make a copy of a configuration file before editing it.

External Configuration

Selected settings are pulled from the applicationContext.properties file, which you can override by an external properties file set as a JVM argument: -Didm.properties="<external_properties_filename>". You can add this JVM argument to the JAVA_OPTS environment variable or by editing the standalone.conf file on Linux in PERSISTENT_VOLUME_PATH/jboss-as/bin/ to add it to JAVA_OPTS for the CSA JBoss container.

The table below describes the properties that are set in the properties file. These properties are required.

If you are integrating with Keystone, the idm.keystone* properties must match the Keystone network location, transport user credentials, and so on. All idm.csa* properties and all ConvergedLdapAuthConfig properties (which are listed in the ConvergedLdapAuthConfig section below) must match the CSA network location and transport user credentials.

See Add or edit CSA properties for details.

Property Name Description
idm.ssl.requireValidCertificate Flag indicating whether valid certificates are required: true or false
idm.csa.protocol The protocol used to access the CSA instance: http or https
idm.csa.hostname The hostname or IP address of the CSA server
idm.csa.port The port number used by the CSA server
idm.csa.username The username for the CSA integration account
idm.csa.password The password for the CSA integration account. For improved security, this value should be encrypted.
idm.encryptedSigningKey The shared signing key for all token factory objects. For improved security, this value should be encrypted.
idm.keystone.enabled

Flag indicating whether secondary authentication through Keystone is enabled: true or false.

  • Set to true when you want to generate secondary authentication tokens via keystone authentication from your registered OpenStack providers.
  • Set to false when attempting to use CAC or Siteminder for authentication. If idm.keystone.enabled is set to true in these cases, the keystone authentication will not function correctly.

    The following idm.keystone properties need not be configured as these values will be ignored:

	idm.keystone.protocol = http
	idm.keystone.hostname = keystone
	idm.keystone.port = 5000
	idm.keystone.servicePath = v3
	idm.keystone.domainName = Default
	idm.keystone.transportUsername = consumer
	idm.keystone.transportPassword = encrypted
	idm.keystone.transportProject = CSA_CONSUMER

Configure Seeded Authentication

The top-level configuration file for seeded authentication in the Identity Management component is specified by the configFile property of the SeededAuthenticationProvider bean defined in the applicationContext.xml configuration file.

In the default configuration, this file is seededorgs.properties, but it can be changed. Each line in this file contains a key-value pair. The key is a CSA organization ID, and the value is the name of another properties file Identity Management component users for that organization.

Notes:

  • This seeded authentication configuration only applies to Identity Management component seeded users.
  • CSA does not support adding new seeded users to the Identity Management component configuration for any CSA organizations.
  • CSA does not support modifying the Identity Management component configuration to use existing seeded users with any new CSA organizations.

By default, the following organizations in the Identity Management component are configured to use the specified files.

Organization User File
CONSUMER consumer-users.properties

You can define additional Identity Management component organizations or change the user file associated with any organization. Each line in each user file contains a key-value pair. The key is the username, and the value is a comma-separated list of the password, granted authorities, and an optional flag indicating whether the account is enabled. For improved security, the entire value should be encrypted. Following is an example of a line from an Identity Management component user file that defines a user named consumer with the password cloud and granted the SERVICE_CONSUMER and ROLE_REST authorities.

consumer=cloud,SERVICE_CONSUMER,ROLE_REST,enabled

Configure the Java Relying Party Library

The Java Relying Party Library is a set of classes provided by the identity service that abstract and simplify invoking the service from Java applications, such as CSA. You modify the properties listed in this section in the PERSISTENT_VOLUME_PATH/jboss-as/standalone/deployments/csa.war/WEB-INF/applicationContext.xml file. The tokenFactory property value should be the same for all AuthenticationProvider beans (listed in the Internal Configuration section below) in the identity service and in the Java Relying Party library.

IdentityServiceConfig

Configures the connection to the identity service.

Class: com.hp.ccue.identity.rp.IdentityServiceConfig

Property Name Description
protocol The protocol (http or https) to use to connect to the identity service
hostname The hostname or IP address of the server running the identity service
port The port number where the identity service is running, typically 8444
servicePath The path on the server to the identity service, typically idm-service

IdentityAuthenticationProvider

Abstracts the invocation of the identity service to perform authentication.

Class: com.hp.ccue.identity.rp.IdentityAuthenticationProvider

Property Name Description
templateFactory Creates the RestTemplate object that facilitates performing REST calls
configuration Network configuration of the identity service to connect to perform authentication: an IdentityServiceConfig object
tokenFactory The token factory to validate returned tokens
tenantHeaderName The name of the HTTP header where the tenant name is passed. The default is HPE-Tenant-Name

HeaderAuthenticationProvider

Performs authentication based on a token passed in an HTTP header.

Class: com.hp.ccue.identity.rp.HeaderAuthenticationProvider

Property Name Description
headerName The name of the HTTP header where the token is transferred
tokenValidator The TokenValidator object to use to validate tokens

Internal Configuration

The applicationContext.xml file defines the configuration of the classes in the identity service. The tokenFactory property value should be the same for all AuthenticationProvider beans (listed in the sections below) in the identity service and in the Java Relying Party library.

Note Modify this file only if you cannot express the necessary configuration change in the applicationContext.properties file. The applicationContext.xml file must follow the syntax rules specified by the Spring Framework. In the following tables, the default values are used if no values are provided in the configuration file. You can configure items marked as externalized in the applicationContext.properties file.

JwtTokenFactory

Defines how tokens are created.

Class: com.hp.ccue.identity.domain.JwtTokenFactory

Property Name Description
lifetimeMinutes

Required. The lifetime of the token, in minutes. The lifetime as installed is 30 minutes. Reducing this value will render tokens invalid faster and thus requires a more-frequent token refresh, which might reduce performance. Increasing this value allows tokens to last longer, which might allow someone who has intercepted a valid token to access the system for a period of time.

Default value: (None)

Externalized: No

defaultTokenTypeName

Optional. Default type of JWT token to create: PLAINTEXT, SIGNED, or ENCRYPTED

Default value: PLAINTEXT

Externalized: No

signingKey

Required if defaultTypeName is set to SIGNED. This is a Base64-encoded byte array representing the key used to sign signed tokens. If defaultTypeName is set to SIGNED, this value must be the same for all components that validate tokens. For improved security, this item should be encrypted.

Default value: (None)

Externalized: idm.encryptedSigningKey

refreshEnabled

Optional. Boolean value indicating whether token refresh is enabled: true or false. The recommended value is true.

Default value: true

Externalized: No

ConvergedLdapAuthConfig

Defines the configuration for connecting to a CSA server to get LDAP configuration information. The idm.csa* external properties (which are listed in the External Configuration section above) and all ConvergedLdapAuthConfig properties must match the CSA network location and transport user credentials.

Class: com.hp.ccue.identity.ldap.ConvergedLdapAuthConfig

Property Name Description
providerProtocol

Required if using ActiveDirectory or LDAP. http or https, depending on the protocol used by the CSA instance

Default value: (None)

Externalized: idm.csa.protocol

providerHostname

Required if using ActiveDirectory or LDAP. Hostname or IP address of the CSA server

Default value: (None)

Externalized: idm.csa.hostname

providerPort

Required if using ActiveDirectory or LDAP. Port number used by the CSA server

Default value: (None)

Externalized: idm.csa.port

securityTransportUsername

Required if using ActiveDirectory or LDAP. Username for the CSA integration account

Default value: (None)

Externalized: idm.csa.username

securityTransportPassword

Required if using ActiveDirectory or LDAP. Password for theCSA integration account

Default value: (None)

Externalized: idm.csa.password

ConvergedActiveDirectoryAuthenticationProvider and ConvergedLdapAuthenticationProvider

Performs authentication with Active Directory and LDAP authentication mechanisms.

Class: com.hp.ccue.identity.ldap.ConvergedActiveDirectoryAuthenticationProvider, com.hp.ccue.identity.ldap.ConvergedLdapAuthenticationProvider

Property Name Description
config

Required if using ActiveDirectory or LDAP. The ConvergedLdapAuthConfig that represents theCSA server to use to get the LDAP configuration for each organization

Default value: (None)

Externalized: No

tokenFactory

Required if using ActiveDirectory or LDAP. The token factory for creating identity tokens in response to successful authentications

Default value: (None)

Externalized: No

SeededAuthenticationProvider

Performs seeded authentication.

Class: com.hp.ccue.identity.seeded.SeededAuthenticationProvider

Property Name Description
configFile

Required if using seeded authentication. Typically seededorgs.properties, which is the file that defines the seeded organizations

Default value: (None)

Externalized: No

tokenFactory

Required if using seeded authentication. The token factory for creating identity tokens in response to successful authentications

Default value: (None)

Externalized: No

IdentityAuthenticationProvider

Performs integration account authentication.

Class: com.hp.ccue.identity.seeded.IntegrationAuthenticationProvider

Note The IntegrationAuthenticationProvider property is available in the applicationContext-security.xml file.

Property Name Description
configFile

Required. Typically integrationusers.properties, which is the file that defines the seeded organizations

Default value: (None)

Externalized: No

tokenFactory

Required. The token factory for creating identity tokens in response to successful authentications

Default value: (None)

Externalized: No

MultiTenantAuthenticationProvider

Connects to mechanism-specific authentication providers.

Class: com.hp.ccue.identity.authn.MultiTenantAuthenticationProvider

Property Name Description
providers

Required. List of AuthenticationProvider objects that provide mechanism-specific authentication

Default value: (None)

Externalized: No

secondaryEnabled

Required if using Keystone. Flag that indicates whether the secondary authentication path (Keystone) is enabled

Default value: false

Externalized: idm.keystone.enabled

secondaryProvider

Required if using Keystone. Reference to Authentication provider bean to use for secondary authentication path. The Keystone authentication provider is the only one that supports this type of usage.

Default value: (None)

Externalized: No

IdentityServiceImpl

The identity service implementation object.

Class: com.hp.ccue.identity.service.IdentityServiceImpl

Property Name Description
provider

Required. Reference to the AuthenticationProvider bean to use to perform authentication. This is the MultiTenantAuthenticationProvider

Default value: (None)

Externalized: No

tokenFactory

Required. The token factory for creating identity tokens in response to successful authentications

Default value: (None)

Externalized: No

queryService

Required. The persistence service that provides all persistence operations.

Default value: (None)

Externalized: No

trustFactory

Required. The TrustFactory for validating all Trust objects.

Default value: (None)

Externalized: No

IdentityController

The controller object that provides the REST API for the identity service.

Class: com.hp.ccue.identity.service.IdentityController

Property Name Description
identityService

Required. The IdentityService object that implements the identity service. You must set the value of this to the IdentityServiceImpl instance.

Default value: (None)

Externalized: No

KeystoneAuthenticationProvider

Uses Keystone (if used) to perform authentication.

Class: com.hp.ccue.identity.keystone.KeystoneAuthenticationProvider

Property Name Description
templateFactory

Required. Creates the RestTemplate object that facilitates performing REST calls

Default value: (None)

Externalized: No

tokenFactory

Required. The token factory to validate returned tokens

Default value: (None)

Externalized: No

 

KeystoneSecondaryAuthenticationProvider

Uses Keystone (if used) to perform authentication.

Class: com.hp.ccue.identity.keystone.KeystoneSecondaryAuthenticationProvider

Property Name Description
keystoneConfigurations

Required. Associative array mapping configuration identifiers to KeystoneConfig objects defining network configurations to connect to one or more Keystone services.

Default value: (None)

Externalized: No

configurationFile

Required. Filename for properties file that contains Keystone configurations.

Default value: (None)

Externalized: No

tokenFactory

Required. The token factory to validate returned tokens.

Default value: (None)

Externalized: No

templateFactory

Required. Creates the RestTemplate object that facilitates performing REST calls.

Default value: (None)

Externalized: No

RestTemplateFactoryImpl

Configures how REST services are invoked.

Class: com.hp.ccue.identity.rest.RestTemplateFactoryImpl

Property Name Description
fipsEnabled

A flag that indicates whether the template factory should ignore settings that interfere with FIPS 140-2 compliance

Default value: false

Externalized: No

wrapEnabled

A flag that indicates whether the template factory should wrap JSON output in its specified root value or assume that incoming JSON is wrapped in the root value. This setting depends on the REST service being invoked. For template factories used to invoke CSA REST APIs, it should be set to false; for template factories used to invoke Keystone REST APIs, it should be set to true.

Default value: true

Externalized: No

requireValidCertificate

A flag that indicates whether the template factory should perform certificate validation and hostname verification (true) or ignore them (false). If this value is set to true, then the corresponding server host names for all beans that use that template factory must be given in a way that matches the certificate for that server (a fully-qualified domain name is generally required).

Default value: true

Externalized: idm.ssl.requireValidCertificate

Token Store Cleanup Service

This background service is used to cleanup expired tokens in the Identity Management component token_store database table. The service runs twice a day ( 7 PM and 7 AM ) every day by default and cleans up tokens older than one hour from the time the service starts up.

The default settings should work for most workloads. However under heavy workloads such as OO callbacks to CSA in sequenced designs, the table may need to be cleaned up more often. When there are over 50K rows in the token_store database table in a single day, the overall performance of the database and eventually CSA and Marketplace Portal are greatly impacted. This is particularly true for the Microsoft SQLserver 2012 database.

If you see the token_store table growing beyond 50K rows in a single day, modify the following cron setting in the PERSISTENT_VOLUME_PATH/jboss-as/standalone/deployments/idm-service.war/WEB-INF/spring/applicationContext-services.xml file to run the service more often.

To modify the cron setting, complete the following steps:

  1. Open the PERSISTENT_VOLUME_PATH/jboss-as/standalone/deployments/idm-service.war/WEB-INF/spring/applicationContext-services.xml file.
  2. Look for the following line:

    <task:scheduled ref="tokenStoreCleaner" method="cleanDbTokenStore" cron="0 0 7/12 * * *" />

  3. Change the cron setting to have the service run every 2 hours after the start of CSA:

    Change: cron="0 0 7/12 * * *

    To: cron="0 0 */2 * * *"