Identity Management configuration
If you are using the Identity Management component, the identity service and its components require configuration. Because it is a Spring Framework application, most of its configuration is defined in the applicationContext.xml file, although key attributes are externalized to the applicationContext.properties file. Both files are in CSA_HOME\jboss-as\standalone\deployments\idm-service.war\WEB-INF\spring\.

You should make most common configuration changes to the applicationContext.properties file. To avoid service disruptions, only advanced users who understand the Spring Framework should change the applicationContext.xml file.

You must also configure the Java Relying Party Library.

Note: You should always make a copy of a configuration file before editing it.
The following sections describe configuring the identity service and its components:
Configure seeded authentication
Configure Java Relying Party Library
External configuration
Selected settings are pulled from the applicationContext.properties file, which you can override with an external properties file set as a JVM argument: -Didm.properties="<external_properties_filename>". You can add this JVM argument to the JAVA_OPTS environment variable, or you can edit the standalone.conf.bat file on Windows or the standalone.conf file on Linux in CSA_HOME\jboss-as\bin\ to add the JVM argument to JAVA_OPTS for the Codar JBoss container.
The table below describes the properties that are set in the properties file. These properties are required (although if you set the idm.keystone.enabled property to false, all other idm.keystone* properties in this table are ignored).

If you are integrating with Keystone, the idm.keystone* properties must match the Keystone network location, transport user credentials, and so on. All idm.csa* properties and all ConvergedLdapAuthConfig properties (which are listed in ConvergedLdapAuthConfig) must match the Codar network location and transport user credentials.
| Property Name | Description |
|---|---|
| idm.ssl.requireValidCertificate | Flag indicating whether valid certificates are required: true or false |
| idm.csa.protocol | The protocol used to access the Codar instance: http or https |
| idm.csa.hostname | The hostname or IP address of the Codar server |
| idm.csa.port | The port number used by the Codar server |
| idm.csa.username | The user name for the Codar integration account |
| idm.csa.password | The password for the Codar integration account. For improved security, this value should be encrypted. |
| idm.encryptedSigningKey | The shared signing key for all token factory objects. For improved security, this value should be encrypted. |
| idm.keystone.enabled | Flag indicating whether secondary authentication through Keystone is enabled: true or false |
| idm.keystone.required | Flag indicating whether successful secondary authentication through Keystone is required for authentication to succeed: true or false |
| idm.keystone.protocol | The protocol used to access the Keystone instance: http or https |
| idm.keystone.hostname | The hostname or IP address of the Keystone server |
| idm.keystone.port | The port number used by the Keystone server. Typically 5000. |
| idm.keystone.servicePath | The service path where the Keystone service listens. The typical value is v3. |
| idm.keystone.domainName | The OpenStack domain name to use for all authentication on the Keystone server. The typical value is Default. |
| idm.keystone.transportUsername | The user name for the integration account used to communicate with Keystone and perform Helion OpenStack® or OpenStack operations. |
| idm.keystone.transportPassword | The password for the integration account used to communicate with Keystone and perform Helion OpenStack® or OpenStack operations. For improved security, this value should be encrypted. |
| idm.keystone.transportProject | The Keystone project name for the integration account. All Keystone users must belong to a project whose name exactly matches the Codar organization ID used to log in, including case (for example, a Keystone project name of project_name will not match a Codar organization ID of PROJECT_NAME). |
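As an added example (not part of the Codar documentation or product), the following Python script parses an external idm properties file and flags the settings from the table above that weaken transport security: certificate validation switched off, plain http to Codar or Keystone, and secrets that are not encrypted. The ENC(...) marker for encrypted values and the sample file contents are assumptions; the page only says those values should be encrypted, not how an encrypted value is marked.

```python
"""Audit an idm external properties file for the weak settings named in the table above.
Added example; not Codar code. The ENC(...) marker for encrypted values is an assumption."""
import re

# Constructed sample file with several weak settings (labelled as constructed).
WEAK_PROPERTIES = """
# -Didm.properties file, constructed for this example
idm.ssl.requireValidCertificate=false
idm.csa.protocol=http
idm.csa.hostname=codar.example.test
idm.csa.port=8444
idm.csa.username=csaTransportUser
idm.csa.password=cloud
idm.encryptedSigningKey=ENC(c29tZS1jaXBoZXJ0ZXh0)
idm.keystone.enabled=true
idm.keystone.required=true
idm.keystone.protocol=http
idm.keystone.hostname=keystone.example.test
idm.keystone.port=5000
idm.keystone.servicePath=v3
idm.keystone.domainName=Default
idm.keystone.transportUsername=csa
idm.keystone.transportPassword=secret
idm.keystone.transportProject=PROJECT_NAME
"""

ENC_RE = re.compile(r"^ENC\(.+\)$")  # assumed format of an encrypted value
SECRETS = ("idm.csa.password", "idm.encryptedSigningKey", "idm.keystone.transportPassword")


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines; '#' and '!' start comments."""
    lines = (ln.strip() for ln in text.splitlines())
    return {k.strip(): v.strip() for k, _, v in
            (ln.partition("=") for ln in lines if ln and ln[0] not in "#!")}


def audit(props):
    """Return a list of findings; an empty list means none of the weak settings was seen."""
    findings = []
    if props.get("idm.ssl.requireValidCertificate", "").lower() != "true":
        findings.append("idm.ssl.requireValidCertificate is not true: server certificates are not validated")
    if props.get("idm.csa.protocol", "").lower() != "https":
        findings.append("idm.csa.protocol is not https: Codar integration credentials travel in clear text")
    keystone = props.get("idm.keystone.enabled", "").lower() == "true"
    if keystone and props.get("idm.keystone.protocol", "").lower() != "https":
        findings.append("idm.keystone.protocol is not https: Keystone transport credentials travel in clear text")
    for key in SECRETS:
        if key.startswith("idm.keystone") and not keystone:
            continue  # all idm.keystone* properties are ignored when Keystone is disabled
        value = props.get(key, "")
        if value and not ENC_RE.match(value):
            findings.append(f"{key} is stored in plain text")
    return findings


def keystone_project_matches(project_name, org_id):
    """Exact, case-sensitive comparison: project_name does not match PROJECT_NAME."""
    return project_name == org_id


if __name__ == "__main__":
    for finding in audit(parse_properties(WEAK_PROPERTIES)):
        print("WEAK:", finding)
```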
Configure seeded authentication
The top-level configuration file for seeded authentication is specified by the configFile property of the SeededAuthenticationProvider bean defined in the applicationContext.xml configuration file. In the default configuration, this file is seededorgs.properties, but it can be changed. Each line in this file contains a key-value pair. The key is a Codar organization ID, and the value is the name of another properties file that contains the users for that organization. By default, the following organizations are configured to use the specified files.
| Organization | User File |
|---|---|
| CSA_CONSUMER | csa-consumer-users.properties |
You can define additional organizations or change the user file associated with any organization. Each line in each user file contains a key-value pair. The key is the user name, and the value is a comma-separated list of the password, granted authorities, and an optional flag indicating whether the account is enabled. For improved security, the entire value should be encrypted. Following is an example of a line from a user file that defines a user named consumer with the password cloud and granted the SERVICE_CONSUMER and ROLE_REST authorities.
consumer=cloud,SERVICE_CONSUMER,ROLE_REST,enabled
Configure blacklist
The blacklist contains users whom the identity service should never attempt to authenticate. In general, these are the Codar transport users and seeded Codar provider organization users, but you can edit this list. In the file, the blacklisted user name is associated with a Boolean value that indicates whether the user name is actually on the blacklist. A user might be temporarily removed from the blacklist by setting the Boolean value to false, but the value should generally be true. Following is the general format of each line in the file.
<username>= true
In the default configuration, the file contains the following contents.
admin = true
csaTransportUser = true
ooInboundUser = true
csaReportingUser = true
cdaInboundUser = true
csaCatalogAggregationTransportUser = true
This file should be updated to reflect any changes to the set of Codar transport users or seeded Codar provider organization users.
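As an added example (not Codar's own code), this Python script loads the seeded organization file, the user files it names, and the blacklist, all in the formats shown in the two sections above, and reports user entries whose value is not encrypted, accounts that are disabled, and blacklist entries set to false. File contents are constructed in-line; the ENC(...) encrypted-value marker and treating a missing flag as enabled are assumptions.

```python
"""Review seeded-authentication user files and the blacklist (formats shown above).
Added example, not Codar code; the ENC(...) marker and the missing-flag-means-enabled
rule are assumptions."""
import re

# Constructed seededorgs.properties: organization ID -> user file name.
SEEDED_ORGS = "CSA_CONSUMER=csa-consumer-users.properties\n"

# Constructed user files, keyed by file name:
# <user>=<password>,<authority>,...[,enabled|disabled]  or  <user>=ENC(...)
USER_FILES = {
    "csa-consumer-users.properties": (
        "consumer=cloud,SERVICE_CONSUMER,ROLE_REST,enabled\n"
        "auditor=ENC(ZW5jcnlwdGVkLXZhbHVl)\n"
        "svc=secret,SERVICE_CONSUMER,ROLE_REST,disabled\n"
    ),
}

# Constructed blacklist in the <username>=<boolean> format shown above.
BLACKLIST = "admin = true\ncsaTransportUser = true\nooInboundUser = false\n"

ENC_RE = re.compile(r"^ENC\(.+\)$")  # assumed format of an encrypted value


def parse_kv(text):
    """Minimal Java .properties reader: key=value lines; '#' and '!' start comments."""
    lines = (ln.strip() for ln in text.splitlines())
    return {k.strip(): v.strip() for k, _, v in
            (ln.partition("=") for ln in lines if ln and ln[0] not in "#!")}


def parse_user_file(text):
    """{username: record}. A value that is entirely ENC(...) is left opaque; otherwise it
    is split into password, authorities and the optional enabled/disabled flag."""
    users = {}
    for name, value in parse_kv(text).items():
        if ENC_RE.match(value):
            users[name] = {"encrypted": True, "authorities": [], "enabled": None}
            continue
        parts = [p.strip() for p in value.split(",")]
        enabled = True  # assumption: no trailing flag means the account is enabled
        if len(parts) > 1 and parts[-1].lower() in ("enabled", "disabled"):
            enabled = parts.pop().lower() == "enabled"
        users[name] = {"encrypted": False, "password": parts[0],
                       "authorities": parts[1:], "enabled": enabled}
    return users


def load_blacklist(text):
    """Usernames the identity service must never try to authenticate (value true)."""
    return {user for user, flag in parse_kv(text).items() if flag.lower() == "true"}


def review(seeded_orgs, user_files, blacklist_text):
    """Return (scope, username, issue) tuples for an administrator to act on."""
    findings = []
    for org, filename in parse_kv(seeded_orgs).items():
        for user, rec in parse_user_file(user_files[filename]).items():
            if not rec["encrypted"]:
                findings.append((org, user, "value not encrypted"))
            if rec["enabled"] is False:
                findings.append((org, user, "account disabled"))
    blocked = load_blacklist(blacklist_text)
    for user in parse_kv(blacklist_text):
        if user not in blocked:
            findings.append(("blacklist", user, "blacklist entry set to false"))
    return findings
```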
Configure Java Relying Party Library
The Java Relying Party Library is a set of classes provided by the identity service that abstract and simplify invoking the service from Java applications, such as Codar. You modify the properties listed in this section in the CSA_HOME\jboss-as\standalone\deployments\csa.war\WEB-INF\applicationContext-security.xml file. The tokenFactory property value should be the same for all AuthenticationProvider beans (listed in Internal configuration) in the identity service and in the Java Relying Party Library.
IdentityServiceConfig
Configures the connection to the identity service.
Class: com.hp.ccue.identity.rp.IdentityServiceConfig
| Property Name | Description |
|---|---|
| protocol | The protocol (http or https) to use to connect to the identity service |
| hostname | The hostname or IP address of the server running the identity service |
| port | The port number where the identity service is running, typically 8444 |
| servicePath | The path on the server to the identity service, typically idm-service |
IdentityAuthenticationProvider
Abstracts the invocation of the identity service to perform authentication.
Class: com.hp.ccue.identity.rp.IdentityAuthenticationProvider
| Property Name | Description |
|---|---|
| templateFactory | Creates the RestTemplate object that facilitates performing REST calls |
| configuration | Network configuration of the identity service to connect to perform authentication: an IdentityServiceConfig object |
| tokenFactory | The token factory to validate returned tokens |
| tenantHeaderName | The name of the HTTP header where the tenant name is passed. The default is HP-Tenant-Name |
HeaderAuthenticationProvider
Performs authentication based on a token passed in an HTTP header.
Class: com.hp.ccue.identity.rp.HeaderAuthenticationProvider
| Property Name | Description |
|---|---|
| headerName | The name of the HTTP header where the token is transferred |
| tokenValidator | The TokenValidator object to use to validate tokens |
Internal configuration
The applicationContext.xml file defines the configuration of the classes in the identity service. The tokenFactory property value should be the same for all AuthenticationProvider beans (listed in the sections below) in the identity service and in the Java Relying Party Library.

Note: Modify this file only if you cannot express the necessary configuration change in the applicationContext.properties file. The applicationContext.xml file must follow the syntax rules specified by the Spring Framework. In the following tables, the default values are used if no values are provided in the configuration file. You can configure items marked as externalized in the applicationContext.properties file.
InfinispanTokenStore
Defines the persistence mechanism for request tokens. Most attributes of this object define how the identity service behaves in high availability (HA) or clustered deployments.
Class: com.hp.ccue.identity.ha.InfinispanTokenStore
| Property Name | Description | Default value | Externalized |
|---|---|---|---|
| lifetimeSeconds, lifetimeMinutes, lifetimeHours | Required. Time (in seconds, minutes, or hours) that an entry is permitted to remain in the token store. These properties determine the amount of time that the login page is valid. The lifetime as installed is 60 minutes. More permissive organizations should use a larger value; more restrictive organizations should use a smaller value. | (None) | No |
| clusterEnabled | Required in a clustered environment. A flag indicating whether clustering should be enabled: | | No |
| clusterConfigFile | Required in a clustered environment. The file name of the | (None) | No |
| configFile | Required in a clustered environment. The file name of the Infinispan XML configuration file. The settings in this configuration file override the values in the | (None) | No |
JwtTokenFactory
Defines how tokens are created.
Class: com.hp.ccue.identity.domain.JwtTokenFactory
| Property Name | Description | Default value | Externalized |
|---|---|---|---|
| lifetimeMinutes | Required. The lifetime of the token, in minutes. The lifetime as installed is 30 minutes. Reducing this value will render tokens invalid faster and thus requires a more frequent token refresh, which might reduce performance. Increasing this value allows tokens to last longer, which might allow someone who has intercepted a valid token to access the system for a period of time. | (None) | No |
| defaultTypeName | Optional. Default type of JWT token to create: | | No |
| signingKey | Required if | (None) | |
| refreshEnabled | Optional. Boolean value indicating whether token refresh is enabled: | | No |
ConvergedLdapAuthConfig
Defines the configuration for connecting to a Codar server to get LDAP configuration information. The idm.csa* external properties (which are listed in the External configuration section above) and all ConvergedLdapAuthConfig properties must match the Codar network location and transport user credentials.
Class: com.hp.ccue.identity.ldap.ConvergedLdapAuthConfig
| Property Name | Description | Default value | Externalized |
|---|---|---|---|
| providerProtocol | Required if using ActiveDirectory or LDAP. | (None) | |
| providerHostname | Required if using ActiveDirectory or LDAP. Hostname or IP address of the Codar server | (None) | |
| providerPort | Required if using ActiveDirectory or LDAP. Port number used by the Codar server | (None) | |
| securityTransportUsername | Required if using ActiveDirectory or LDAP. Username for the Codar integration account | (None) | |
| securityTransportPassword | Required if using ActiveDirectory or LDAP. Password for the Codar integration account | (None) | |
ConvergedActiveDirectoryAuthenticationProvider and ConvergedLdapAuthenticationProvider
Performs authentication with Active Directory and LDAP authentication mechanisms.
Class: com.hp.ccue.identity.ldap.ConvergedActiveDirectoryAuthenticationProvider, com.hp.ccue.identity.ldap.ConvergedLdapAuthenticationProvider
| Property Name | Description | Default value | Externalized |
|---|---|---|---|
| config | Required if using ActiveDirectory or LDAP. The | (None) | No |
| tokenFactory | Required if using ActiveDirectory or LDAP. The token factory for creating identity tokens in response to successful authentications | (None) | No |
SeededAuthenticationProvider
Performs seeded authentication.
Class: com.hp.ccue.identity.seeded.SeededAuthenticationProvider
| Property Name | Description | Default value | Externalized |
|---|---|---|---|
| configFile | Required if using seeded authentication. Typically | (None) | No |
| tokenFactory | Required if using seeded authentication. The token factory for creating identity tokens in response to successful authentications | (None) | No |
IdentityAuthenticationProvider
Performs integration account authentication.
Class: com.hp.ccue.identity.seeded.IntegrationAuthenticationProvider
| Property Name | Description | Default value | Externalized |
|---|---|---|---|
| configFile | Required. Typically | (None) | No |
| tokenFactory | Required. The token factory for creating identity tokens in response to successful authentications | (None) | No |
MultiTenantAuthenticationProvider
Connects to mechanism-specific authentication providers.
Class: com.hp.ccue.identity.authn.MultiTenantAuthenticationProvider
| Property Name | Description | Default value | Externalized |
|---|---|---|---|
| providers | Required. List of | (None) | No |
| secondaryEnabled | Required if using Keystone. Flag that indicates whether the secondary authentication path (Keystone) is enabled | | |
| secondaryProvider | Required if using Keystone. Reference to the authentication provider bean to use for the secondary authentication path. The Keystone authentication provider is the only one that supports this type of usage. | (None) | No |
| secondaryRequired | Required if using Keystone. Flag that indicates whether secondary (Keystone) authentication must succeed in order for authentication to be considered a success. | | |
IdentityServiceImpl
The identity service implementation object.
Class: com.hp.ccue.identity.service.IdentityServiceImpl
| Property Name | Description | Default value | Externalized |
|---|---|---|---|
| provider | Required. Reference to the | (None) | No |
| tokenFactory | Required. The token factory for creating identity tokens in response to successful authentications | (None) | No |
| blacklist | A map associating usernames to Boolean values indicating whether they are blacklisted | (None) | No |
| blacklistFile | The file containing the blacklist | | No |
| queryService | Required. The persistence service that provides all persistence operations. | (None) | No |
| trustFactory | Required. The | (None) | No |
IdentityController
The controller object that provides the REST API for the identity service.
Class: com.hp.ccue.identity.service.IdentityController
| Property Name | Description | Default value | Externalized |
|---|---|---|---|
| identityService | Required. The | (None) | No |
KeystoneAuthenticationProvider
Uses Keystone (if used) to perform authentication.
Class: com.hp.ccue.identity.keystone.KeystoneAuthenticationProvider
| Property Name | Description | Default value | Externalized |
|---|---|---|---|
| templateFactory | Required. Creates the | (None) | No |
| configuration | Required. Network configuration of the Keystone service to connect to in order to perform authentication: a | (None) | No |
| tokenFactory | Required. The token factory to validate returned tokens | (None) | No |
KeystoneConfig
Identifies the Keystone endpoint for authentication.
| Property Name | Description | Default value | Externalized |
|---|---|---|---|
| protocol | Optional if the default value is not acceptable. The protocol to access Keystone | | |
| hostname | Required. Optional if the default value is not acceptable. The hostname or IP address of the Keystone server | (None) | |
| port | Optional if the default value is not acceptable. The port number for Keystone on | | |
| servicePath | Optional if the default value is not acceptable. The service path to the Keystone API on the Keystone server | | |
| domainName | Optional if the default value is not acceptable. The Keystone domain name under which all operations are performed | | |
| transportUsername | Required. The username for the Keystone transport user | (None) | |
| transportPassword | Required. The password for the Keystone transport user | (None) | |
| transportProject | Required. The project for the Keystone transport user | (None) | |
KeystoneSecondaryAuthenticationProvider
Uses Keystone (if used) to perform authentication.
Class: com.hp.ccue.identity.keystone.KeystoneSecondaryAuthenticationProvider
| Property Name | Description | Default value | Externalized |
|---|---|---|---|
| keystoneConfigurations | Required. Associative array mapping configuration identifiers to | (None) | No |
| configurationFile | Required. Filename for the properties file that contains Keystone configurations. | (None) | No |
| tokenFactory | Required. The token factory to validate returned tokens. | (None) | No |
| templateFactory | Required. Creates the | (None) | No |
RestTemplateFactoryImpl
Configures how REST services are invoked.
Class: com.hp.ccue.identity.rest.RestTemplateFactoryImpl
| Property Name | Description | Default value | Externalized |
|---|---|---|---|
| fipsEnabled | A flag that indicates whether the template factory should ignore settings that interfere with FIPS 140-2 compliance | | No |
| wrapEnabled | A flag that indicates whether the template factory should wrap JSON output in its specified root value or assume that incoming JSON is wrapped in the root value. This setting depends on the REST service being invoked. For template factories used to invoke Codar REST APIs, it should be set to | | No |
| requireValidCertificate | A flag that indicates whether the template factory should perform certificate validation and hostname verification ( | | |
TrustFactory
Configures how the Identity Management component trusts are created and validated.
Class: com.hp.ccue.identity.domain.impersonation.TrustFactory
| Property Name | Description | Default value | Externalized |
|---|---|---|---|
| lifetime | Required. The lifetime of a trust. | 90 (days) | No |
| lifetimeMinutes | Required. Alternate setter for trust lifetime, expressed in minutes (write only). | (None) | No |
| lifetimeHours | Required. Alternate setter for trust lifetime, expressed in hours (write only). | (None) | No |
| lifetimeDays | Required. Alternate setter for trust lifetime, expressed in days (write only). | (None) | No |