Configure Identity Management component

If you are using the Identity Management component, configure it for FIPS 140-2 compliance as follows:

  1. Update the applicationContext.xml file.
  2. Re-encrypt passwords.
  3. Update the idm-security.properties file.

Note The examples in this section explain how to configure the Identity Management component that is installed on the same instance as HP Codar, where HP Codar is configured in a standalone environment. If your environment is different, files may be located in a different directory.

In the following instructions, CSA_HOME is the directory in which Codar is installed (for example, C:\Program Files\Hewlett-Packard\Codar on Windows or /usr/local/hp/csa on Linux) and CSA_JRE_HOME is the directory in which the JRE used by HP Codar has been installed.

Update the applicationContext.xml File

The applicationContext.xml file for the Codar Console must be updated to be FIPS 140-2 compliant. Do the following:

  1. Open the applicationContext.xml file in a text editor. The file is located at:

    Windows:

    CSA_HOME\jboss-as\standalone\deployments\idm-service.war\WEB-INF\spring\applicationContext.xml

    Linux:

    CSA_HOME/jboss-as/standalone/deployments/idm-service.war/WEB-INF/spring/applicationContext.xml

  2. Locate the START Standard Mode Configuration comment and comment out the following content that appears between the START Standard Mode Configuration and END Standard Mode Configuration comments:

    <bean id="simpleEncryptionConfiguration" class="com.hp.csa.security.CSASimplePBEConfig" init-method="init">
    </bean>

    <bean id="configurationEncryptor" class="org.jasypt.encryption.pbe.StandardPBEStringEncryptor">
      <property name="config" ref="simpleEncryptionConfiguration" />
    </bean>

    <bean id="propertyConfigurer" class="org.jasypt.spring.properties.EncryptablePropertyPlaceholderConfigurer">
      <constructor-arg ref="configurationEncryptor" />
      <property name="locations">
        <list>
          <value>classpath:csa.properties</value>
          <value>classpath:swagger.properties</value>
        </list>
      </property>
    </bean>

  3. Locate the START FIPS Mode Configuration comment that appears immediately after the Standard Mode Configuration section and uncomment the following content that appears between the START FIPS Mode Configuration and END FIPS Mode Configuration comments:

    <bean id="configurationEncryptor" class="com.hp.csa.security.util.CSASecurityHelper" />

    <bean id="propertyConfigurer" class="com.hp.csa.security.CSAEncryptablePropertyPlaceholderConfigurer">
      <constructor-arg ref="configurationEncryptor" />
      <property name="locations">
        <list>
          <value>/WEB-INF/spring/applicationContext.properties</value>
        </list>
      </property>
    </bean>

  4. Locate the START FIPS Mode Configuration comment for the csaTemplateFactory bean and uncomment the following content that appears between the START FIPS Mode Configuration and END FIPS Mode Configuration comments:

    <property name="fipsEnabled" value="true" />

  5. Locate the START FIPS Mode Configuration comment for the keystoneTemplateFactory bean and uncomment the following content that appears between the START FIPS Mode Configuration and END FIPS Mode Configuration comments:

    <property name="fipsEnabled" value="true" />

  6. Save and close the file.
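Before restarting the service, it is worth confirming that the edit produced the intended result. The following Python check is an added example, not part of HP Codar or its documentation: it parses the saved applicationContext.xml the way Spring will see it (XML comments are dropped, so commented-out beans disappear) and reports any Standard Mode bean still active, any FIPS Mode bean missing or pointing at the wrong class, and either template factory without fipsEnabled set to true. The sample XML is constructed, and the factory bean class names in it are placeholders.

```python
import xml.etree.ElementTree as ET
# Bean classes the procedure says to comment out (Standard Mode) ...
STANDARD_MODE_CLASSES = {
    "com.hp.csa.security.CSASimplePBEConfig",
    "org.jasypt.encryption.pbe.StandardPBEStringEncryptor",
    "org.jasypt.spring.properties.EncryptablePropertyPlaceholderConfigurer",
}
# ... and the bean id -> class pairs it says to uncomment (FIPS Mode).
FIPS_MODE_BEANS = {
    "configurationEncryptor": "com.hp.csa.security.util.CSASecurityHelper",
    "propertyConfigurer": "com.hp.csa.security.CSAEncryptablePropertyPlaceholderConfigurer",
}
FIPS_FLAG_BEANS = ("csaTemplateFactory", "keystoneTemplateFactory")

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # strip the Spring beans namespace, if present

def fips_mode_problems(xml_text):
    # Returns a list of findings; empty means FIPS-mode ready. ElementTree drops XML
    # comments, so commented-out beans are invisible here, just as they are to Spring.
    root = ET.fromstring(xml_text)
    beans = [b for b in root.iter() if _local(b.tag) == "bean"]
    by_id = {b.get("id"): b for b in beans if b.get("id")}
    problems = []
    for bean in beans:
        if bean.get("class") in STANDARD_MODE_CLASSES:
            problems.append(f"standard-mode bean still active: {bean.get('class')}")
    for bid, cls in FIPS_MODE_BEANS.items():
        bean = by_id.get(bid)
        if bean is None:
            problems.append(f"FIPS-mode bean missing: {bid}")
        elif bean.get("class") != cls:
            problems.append(f"{bid} should use {cls}, found {bean.get('class')}")
    for bid in FIPS_FLAG_BEANS:
        props = {p.get("name"): p.get("value") for p in by_id.get(bid, [])}
        if props.get("fipsEnabled") != "true":
            problems.append(f"{bid}: fipsEnabled is {props.get('fipsEnabled')!r}, expected 'true'")
    return problems

# Constructed sample: Standard Mode commented out, FIPS Mode uncommented, flags set.
# The factory bean classes are placeholders, not the product's real class names.
FIPS_READY_XML = """<beans>
<!-- START Standard Mode Configuration
<bean id="configurationEncryptor" class="org.jasypt.encryption.pbe.StandardPBEStringEncryptor"/>
END Standard Mode Configuration -->
<bean id="configurationEncryptor" class="com.hp.csa.security.util.CSASecurityHelper"/>
<bean id="propertyConfigurer" class="com.hp.csa.security.CSAEncryptablePropertyPlaceholderConfigurer"/>
<bean id="csaTemplateFactory" class="example.PlaceholderFactory"><property name="fipsEnabled" value="true"/></bean>
<bean id="keystoneTemplateFactory" class="example.PlaceholderFactory"><property name="fipsEnabled" value="true"/></bean>
</beans>"""
```

Run it against the real file with `fips_mode_problems(open(path).read())`; an empty list means every bean the procedure touches is in its FIPS Mode state.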

Re-Encrypt Passwords

This section describes how to generate and replace the passwords used by the Identity Management component. You will be generating new passwords using FIPS 140-2 compliant utilities.

Generate and replace the passwords for the following Identity Management component properties:

  • idm.csa.password
  • idm.encryptedSigningKey
  • idm.keystone.transportPassword
  • consumer
  • idmTransportUser

Note The default password values for these properties are provided in the steps below (they will appear in parentheses after the property name).

To generate and replace existing passwords used by the Identity Management component, do the following:

  1. Open a command prompt and change to the CSA_HOME\Tools\PasswordUtil directory. For example:

    Windows:

    C:\Program Files\Hewlett-Packard\Codar\Tools\PasswordUtil

    Linux:

    /usr/local/hp/codar/Tools/PasswordUtil

  2. Generate a password by running the following command (this example uses the same example names from Create HP Codar encryption keystore):

    "CSA_JRE_HOME\bin\java" -jar passwordUtil-standalone.jar encrypt <password> JsafeJCE ../../jboss-as/standalone/configuration/codar_encryption_keystore.p12 < Codar encryption keystore password> codar_encryption_key
    ../../jboss-as/standalone/configuration/key.dat


    Note The path separators used in the passwordUtil-standalone.jar script options are forward slashes (/). You can also use double backward slashes (\\) as your path separators.

    The encrypted value of the password is displayed.

    If you used different names for the keystore, alias, or encrypted symmetric key file, here is an example of the command without using the example names:

    "CSA_JRE_HOME\bin\java" -jar "CSA_HOME\Tools\PasswordUtil\passwordUtil-standalone.jar" encrypt <password> JsafeJCE < Codar encryption keystore>
    < Codar encryption keystore password>
    < Codar encryption keystore alias>
    <location and name of the encrypted symmetric key>



    Note If you use path separators in the passwordUtil-standalone.jar script options, use either a single forward slash (/) or double backward slashes (\\) as your path separator.

  3. Open the applicationContext.properties file in a text editor and do the following. The file is located at:

    Windows:

    CSA_HOME\jboss-as\standalone\deployments\idm-service.war\WEB-INF\spring\applicationContext.properties

    Linux:

    CSA_HOME/jboss-as/standalone/deployments/idm-service.war/WEB-INF/spring/applicationContext.properties

    1. Update the idm.csa.password (csaTransportUser) property. idm.csa.password must be the same password you configured for the securityTransportPassword property (which is configured in the csa.properties file). See Encrypt HP Codar passwords again for more information about encrypting the securityTransportPassword password property.

    2. Update the idm.encryptedSigningKey (cloud) property. idm.encryptedSigningKey must be the same password you configured for the securityEncryptedSigningKey property (which is configured in the csa.properties file). See Encrypt HP Codar passwords again for more information about encrypting the securityEncryptedSigningKey password property.

    3. If you are using Keystone, update the idm.keystone.transportPassword property. idm.keystone.transportPassword must be the password you configured for the user defined by the idm.keystone.transportUsername property (which is located above the idm.keystone.transportPassword property).

    4. Save and close the file.

  4. Open the csa-consumer-users.properties file in a text editor and do the following. The file is located at:

    Windows:

    CSA_HOME\jboss-as\standalone\deployments\idm-service.war\WEB-INF\classes\csa-consumer-users.properties

    Linux:

    CSA_HOME/jboss-as/standalone/deployments/idm-service.war/WEB-INF/classes/csa-consumer-users.properties

    1. Update the consumer (cloud,SERVICE_CONSUMER,ROLE_REST,enabled) and consumerAdmin (cloud,SERVICE_CONSUMER,ROLE_REST,ROLE_ADMIN,enabled) properties.

      Note Each of these properties contains not only the password, but also the roles that control access to Codar and whether the account is enabled.

      This entire value must be encrypted.

    2. Save and close the file.

  5. Open the csa-provider-users.properties file in a text editor and do the following. The file is located at:

    Windows:

    CSA_HOME\jboss-as\standalone\deployments\idm-service.war\WEB-INF\classes\csa-provider-users.properties

    Linux:

    CSA_HOME/jboss-as/standalone/deployments/idm-service.war/WEB-INF/classes/csa-provider-users.properties

    1. Update the admin (cloud,ROLE_REST,enabled), csaReportingUser (cloud,ROLE_REST,ROLE_DYNAMIC,enabled), cdaInboundUser (CDA2CSAIntegration!,ROLE_REST,enabled), and ooInboundUser (cloud,,ROLE_REST,enabled) properties.

      Note Each of these properties contains not only the password, but also the roles that control access to Codar and whether the account is enabled.

      This entire value must be encrypted.

    2. Save and close the file.

  6. Open the integrationusers.properties file in a text editor and do the following. The file is located at:

    Windows:

    CSA_HOME\jboss-as\standalone\deployments\idm-service.war\WEB-INF\classes\integrationusers.properties

    Linux:

    CSA_HOME/jboss-as/standalone/deployments/idm-service.war/WEB-INF/classes/integrationusers.properties

    1. Update the idmTransportUser (idmTransportUser,ROLE_ADMIN,PERM_IMPERSONATE,enabled) property.

      Note This property contains not only the password, but also the roles that control access to Codar and whether the account is enabled.

      This entire value must be encrypted.

      The password in the idmTransportUser value must be the same password you configured for both the securityIdmTransportUserPassword property (configured in the csa.properties file) and the password attribute (configured in the idmProvider section of the mpp.json file). See Encrypt HP Codar passwords again for more information about encrypting the securityIdmTransportUserPassword password property. See for more information about encrypting the password attribute.

    2. Save and close the file.
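A common mistake in this procedure is to encrypt only the password and leave the roles and enabled flag in the clear, or to forget an account altogether. The following Python script is an added check, not part of HP Codar: it reads any of the three user properties files above and flags listed accounts whose value is still the documented default or still shows role tokens and the enabled flag, which means the entire value was not encrypted. It cannot validate the ciphertext itself, because the password utility's output format is not shown in this section; the sample file content is constructed.

```python
import re
# Account properties this section tells you to re-encrypt, with the documented default
# plaintext of each (from csa-consumer-users, csa-provider-users and integrationusers).
DEFAULTS = {
    "consumer": "cloud,SERVICE_CONSUMER,ROLE_REST,enabled",
    "consumerAdmin": "cloud,SERVICE_CONSUMER,ROLE_REST,ROLE_ADMIN,enabled",
    "admin": "cloud,ROLE_REST,enabled",
    "csaReportingUser": "cloud,ROLE_REST,ROLE_DYNAMIC,enabled",
    "cdaInboundUser": "CDA2CSAIntegration!,ROLE_REST,enabled",
    "ooInboundUser": "cloud,,ROLE_REST,enabled",
    "idmTransportUser": "idmTransportUser,ROLE_ADMIN,PERM_IMPERSONATE,enabled",
}
# Role tokens or the enabled flag still readable means the entire value was not encrypted.
PLAINTEXT_SHAPE = re.compile(r",(ROLE_|PERM_|SERVICE_)\w*|,(enabled|disabled)$")

def parse_properties(text):
    """Minimal Java .properties reader: comments, '=' or ':' separators, backslash continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def unencrypted_accounts(text):
    """Return [(property, reason)] for listed accounts present in the file but not encrypted."""
    findings = []
    for name, value in parse_properties(text).items():
        if name not in DEFAULTS:
            continue
        if value == DEFAULTS[name]:
            findings.append((name, "still the documented default value"))
        elif PLAINTEXT_SHAPE.search(value):
            findings.append((name, "roles/enabled flag readable, value not encrypted as a whole"))
    return findings

# Constructed sample of csa-provider-users.properties: one account at its default, one with a
# new password but roles in the clear, two with placeholder ciphertext (real format not shown).
SAMPLE_PROVIDER_USERS = """admin=cloud,ROLE_REST,enabled
csaReportingUser=NewPassw0rd,ROLE_REST,ROLE_DYNAMIC,enabled
cdaInboundUser=<ENCRYPTED-VALUE-PLACEHOLDER-1>
ooInboundUser=<ENCRYPTED-VALUE-PLACEHOLDER-2>
"""
```

Running `unencrypted_accounts(open(path).read())` on each of the three files should return an empty list once every listed account has been re-encrypted as a whole.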

Update the idm-security.properties File

Enable the FIPS 140-2 security settings in the idm-security.properties file. Do the following:

  1. Open the idm-service.properties file in a text editor. The file is located at:

    Windows:

    CSA_HOME\jboss-as\standalone\deployments\idm-service.war\WEB-INF\classes\idm-service.properties

    Linux:

    CSA_HOME/jboss-as/standalone/deployments/idm-service.war/WEB-INF/classes/idm-service.properties

  2. Verify that the FIPS 140-2 property values in this file are the same values that are configured in the csa.properties file. You should have already copied these values (see Configure HP Codar properties for more information about these properties). The csa.properties file is located at:

    Windows:

    CSA_HOME\jboss-as\standalone\deployments\csa.war\WEB-INF\classes\csa.properties

    Linux:

    CSA_HOME/jboss-as/standalone/deployments/csa.war/WEB-INF/classes/csa.properties

  3. Save and close the file.