Step 3 - Perform CA Service Catalog Post-Installation Tasks

As part of implementing CA Service Catalog, review the following post-installation tasks and perform the tasks that apply:
casm1401
As part of implementing CA Service Catalog, review the following post-installation tasks and perform the tasks that apply:
Post-Install Steps when Upgrading to Tomcat 7.0.76.x (Mandatory)
After you upgrade to Tomcat 7.0.76.x version, perform the following steps:
  1. Navigate to the following location: <USM_HOME>\view\conf and edit the viewService.conf file.
  2. In the Java Additional Parameters section, add the following parameters towards the end:
    wrapper.java.additional.xx=-Dtomcat.util.http.parser.HttpParser.requestTargetAllow=|
    Where, xx is the serial number of the list of parameters in the section. For example, wrapper.java.additional.23=-Dtomcat.util.http.parser.HttpParser.requestTargetAllow=|
  3. Save and close the file.
  4. Restart the CA Service Catalog services
Update MaxKeepAliveRequests
If you installed CA EEM 12.51 in a clustered setup, you updated the MaxKeepAliveRequests property in the Apache proxy.conf file to meet the CA EEM installation requirements. Now, reset the MaxKeepAliveRequests property to its original value.
The installation or upgrade program backs up your existing CA EEM data to the following location:
USM_HOME
\conf-backup\upgrade-eem-backup.xml
Assign the Service Delivery Administrator Role to a User
Typically, the CA Service Catalog installation creates a user named
spadmin
and assigns it the Service Delivery administrator role. This user has complete control of the Catalog system. By default, the user name and the password are the same.
However, if
all
of the following conditions exist, then the installation
cannot
create this user.
  • You have installed CA Service Catalog for the first time (
    not
    upgraded).
  • CA EEM is already installed.
  • CA EEM is already configured to use an external store, such as Microsoft Active Directory.
In this case, assign the Service Delivery Administrator role to another user. Doing so enables this user to log in to CA Service Catalog using the Service Delivery Administrator role. You can also assign the Service Delivery Administrator role to additional users. Doing so is optional but is beneficial if redundancy is important in your organization.
Follow these steps:
  1. Open the CA Service Catalog command prompt by clicking Start, Programs, CA, Service Catalog, Service Catalog Command Prompt.
  2. Enter the following command at the CA Service Catalog command prompt:
    ant add-spadmin-user
    For a list of ant commands and their descriptions, enter ant -p.
  3. Follow the prompts to add the spadmin administrator role to a specific user, using the following information:
    • If CA EEM
      is
      configured to use an external directory (such as Microsoft Active directory), specify an existing user name.
    • The command utility creates the user in the CA Service Catalog user database, if both of the following conditions exist:
      • CA EEM is
        not
        configured to use an external directory.
      • The user name that you specify is new.
    • The command utility does
      not
      prompt you for the password of the new or updated user.
    • If CA EEM
      is
      configured to use an external directory, the password is defined and stored in the external directory.
    • The new password is the same as the user name, if both of the following conditions exist:
      • CA EEM is
        not
        configured to use an external directory.
      • The user name that you specify is new.
  4. If necessary, cancel and rerun the ant add-spadmin-user command to correct any errors.
  5. Verify that the new or updated user can log in to CA Service Catalog as a Service Delivery Administrator and perform the spadmin functions.
  6. (Optional) Instruct the new user to change the password as explained in the following section.
You have assigned the Service Delivery Administrator role to a user.
Change Your Password
Changing the password is especially recommended for the user named spadmin (the Service Delivery administrator). In addition, you can also change it at any time, for various security-related reasons.
Follow these steps:
  1. Log in to CA Service Catalog with your current user name and password.
  2. Click Profile.
  3. Click the Change Password button at the top right of the page.
  4. Enter your old and new passwords in the fields provided.
  5. Click OK.
You have changed your password.
Create Users and Services
Once you have installed CA Service Catalog:
  • Set up users, user groups, business units, and accounts.
  • Create and customize services that users can request from the catalog.
  • Configure the processes for managing, approving, and billing for requested services.
Do not add users, delete users, or change user information using CA EEM. We recommend that you use CA Service Catalog for managing users. CA EEM is then updated accordingly.
Reset the JMS Port Number
Reset the JMS port number only if you specified 7777 as the CA Service Catalog startup or shutdown port when you ran the installation program. We recommend that you do
not
use port 7777 as the startup or shutdown port. Port 7777 is reserved for Java Messaging Service (JMS).
If you must use port 7777 for the startup or shutdown port, reset the JMS port number after you have finished running the setup utility. Otherwise, port conflicts occur, and the product does not function correctly.
Follow these steps:
  1. Open the file that is named USM_HOME/config.properties in a text editor.
  2. Update the value of the jms.port property to a new value.
  3. Restart the Windows service named CA Service Catalog.
You have reset the JMS port number.
Install and Integrate Additional Process Automation Tools
For best performance, CA Service Catalog requires a process automation tool. You can use CA Process Automation to automate processes in CA Service Catalog. Even though you can
install
CA Process Automation at any time, we recommend that you install CA Process Automation with CA Service Catalog using the CA Service Management Installer.
If you install two or more instances of CA Service Catalog, implement clustering
before
you integrate CA Service Catalog with CA Process Automation.
Configure JRE 1.8.0_45 
The CA Service Catalog installation program automatically installs the Java Runtime Environment (JRE). We recommend that you use the JRE version 
1.8.0_45
that is installed by CA Service Catalog. You can configure CA Service Catalog to use or replace the JRE version, if required, as follows.
Follow these steps:
  1. Install the JRE version 1.8.0_45, if not already installed.
    For example, install the JRE version from www.java.com or one of its affiliated sites.
  2. Open the Service Delivery Command Prompt from the CA Service Catalog section of the Windows Start menu. Enter the following command:
    ant upgrade-jre
  3. Close all CA Service Catalog Windows services when prompted.
  4. Enter the path name where you have installed the new JRE version.
  5. Enter the new JRE version number. For example, 1.8.0_45.
    Wait for the CA Service Catalog system to verify that it supports the new JRE version.
    If you receive a failure message, check the file Build.xml under Catalog home and check for statement
    new.jre.is.supported
    .
    Check the JRE version again. If it remains unchanged even after you complete the upgrade process, change it manually.
  6. Perform steps 2, 3, and 4 again. In case of failure, try using a different JRE version that is supported by CA Service Catalog.
     For 32 bit JRE, change the path of jvm.dll from
    <available file=${new.jre.dir}/bin.server" property="new.jre.has.server" /> to <available file="${new.jre.dir}/bin" property="new.jre.has.server" />
    .
    The 64-bit JRE, jvm.dll is located in
    C:\Program Files\Java\jre1.8.0_45\bin\server
    and the 32-bit JRE is located in
    C:\Program Files (x86)\Java\jre1.8.0_45\bin\client
    .
     
    Close the command prompt.
  7. Restart all CA Service Catalog Windows services and verify that you can log into CA Service Catalog.
    If services fail to start, check the folder path
    C:\Program Files\Java\jre1.8.0_45\bin
    . Create a folder and name it as
    Server
    . Copy the contents of the
    Client
    folder in the
    Server
    folder. For 32-bit JRE, jvm is located in
    C:\Program Files (x86)\Java\jre1.8.0_45\bin\client
    . Check the service catalog.log in
    C:\Program Files (x86)\Java\jre1.8.0_45\bin\server\jvm.dll
    .
    You can log in and access CA Service Catalog using a different version of JRE.
If you are upgrading from an earlier version of JRE to JRE 1.8.0_<subversions till 45>, for example: 1.8.0_45 and you encounter issues while upgrading, perform the following steps for a better upgrade experience:
  1. Edit the build.xml file from 
    %USM_HOME% (for example: C:\Program Files\CA\Service Catalog)
  2. Search for the following:
    <matches pattern="^(1.7.0_)([1][2-9]|[2-9][0-9])$" string="${new.jre.version}" />
    OR search for ^(1.7.0_)
  3. Replace it with the following:
    <matches pattern="^(1.[7-8].0_)([0-9][0-9])$" string="${new.jre.version}" />
    Save and try to upgrade JRE version above 1.8 up to 1.8.0_45
    You have now successfully upgraded to JRE 1.8.0_45.
Enhance Security
To enhance security in your CA Service Catalog implementation,
consider
making the following configuration changes:
  • Disable the Apache JServ Protocol (AJP) port, port 8009 while performing the initial setup, if you are
    not
    implementing clustering.
    To disable AJP, edit the USM_HOME\view\conf\server.xml file and verify that the AJP tags are commented out.
  • Reduce the timeout of CA Service Catalog user sessions. By default, sessions time out after 60 minutes of inactivity.
    To reduce the timeout, log in to CA Service Catalog, click Administration, Configuration, User Default. Adjust the
    Session Timeout
    parameter.
  • Configure the CA EEM password policies to be more secure, if CA EEM is
    not
    configured to use an external directory.
    Specifically, consider locking user accounts after three to five failed login attempts. To set this value, log in to CA EEM and click Configure, EEM Server, Password Policies.
  • Update the list of roles that can run web services. By default, only the Certificate user and users with the service provider (SP) administrator role can run web services.
    To change this list, log in to CA EEM with the Application set to Service Catalog. Click Manage Access Policies, Policies, Acess Policies, USM_Resource. Edit the policy whose permissions you want to update, and add the resource that is named usm_webservice__all to that policy.
    For more information about editing these policies, see your CA EEM documentation.
  • Enable Secure Socket Layer (SSL) for web services so that passwords are not sent in plain text when you use the logIn(String,String,String) method. If SSL is not available, consider using the logInToken(String) method instead. This method takes a CA EEM artifact as a parameter and is encrypted.
  • Install antivirus software on the filestore computer, if you are using a filestore (a single location for shared files). We recommend that you use a filestore.
  • Harden CA Service Catalog computers.
    Hardening
    is the process of securing a computer by removing or disabling components or access points, to render the computer less vulnerable to outside attacks. Hardening can include disabling all ports on a computer initially and afterwards manually enabling individual ports as needed. Other basic hardening steps include the following: Limit the number of users permitted access to a computer, strengthen password and access control, install intrusion-detection software, and close ports.
Set Up Single Location for Shared Files
If you have installed Catalog Component on multiple computers (either clustered or non-clustered), we recommend that you set up a single location for shared files. Shared files can include documents, reports, images of services, data mediation files, customizations, and forms.
By default, the location for shared files is the USM_HOME\filestore folder on
every
Catalog Component computer. This folder contains several subfolders. However, for optimal efficiency, you can specify
one
location on a single computer that all Catalog Component computers share. This single location is named the
central filestore
or
filestore
. The computer on which the filestore resides can have Catalog Component installed. However, Catalog Component is not required on that computer.
If you have installed Catalog Component on multiple computers and you do not set up a filestore, then verify that the individual filestores on all Catalog Component computers are synchronized.
If you have installed Catalog Component on a single computer, this entire process does not apply, so you can skip it.
Retain the Default Location for Shared Files
Setting up a single location for shared files helps improve the accuracy and efficiency of sharing files between computers.
Follow these steps:
  1. Verify that all computers on which CA Service Catalog is installed have a trusted domain relationship. This trusted relationship enables user accounts and global groups to be used in a domain other than the domain where the accounts are defined.
  2. Start the CA Service Catalog service with the login credentials of the Windows user that has read/write access to the shared location. If necessary, change the login credentials for the CA Service Catalog service to meet these requirements, as follows:
    1. Select Administrative Tools, Services.
    2. Right-click the service, click Properties, click the Log On tab, and enter the login credentials.
    3. Save the changes and restart the service.
  3. Share the USM_HOME\filestore folder on the first CA Service Catalog computer as the filestore for all CA Service Catalog computers.
Set Up a Custom Location for Shared Files
You can create a custom location for shared files.
Follow these steps:
  1. Share the folder to use as the filestore.
  2. Verify that the Windows operating system users who are updating the filestore have read/write access to this folder.
  3. Use the UNC path in the format \\
    computer-name
    \
    folder-name
    to specify the location of the filestore.
  4. Start the Catalog Component service with the logon credentials of the Windows user who requires access to the folder.
  5. Select Administration, Configuration, Filestore Information.
  6. Perform the following steps:
    1. Click the Edit icon for the Filestore Location variable.
    2. In the Filestore Location field, specify the UNC path name of the shared drive you defined in a previous step, for example: \\big-computer\Shared_USM\filestore or \\big-computer\filestore.
    3. Click Update Configuration.
    4. Click Test to verify the validity of the share.
      This test returns a successful connection test message if the filestore can be used to store files that are uploaded by users.
      Testing the filestore is mandatory.
  7. Perform the action that applies:
    • If the test succeeds, copy the entire contents of the USM_HOME\filestore folder to the new location.
    • If the test fails, reconfigure the share. Also, verify that all the CA Service Catalog services that are accessing the share have the same, valid credentials.
  8. Recycle all CA Service Catalog services on all computers.
Verify that Browser Security Settings Permit Login
This topic applies
only
if you are using Internet Explorer to access CA Service Catalog. Your browser security settings can prevent you from seeing the user name and password prompts when you attempt to log in to CA Service Catalog. Therefore, verify your browser security settings to ensure that you can access CA Service Catalog.
Follow these steps:
  1. Open Internet Explorer on the computer you want to use for accessing CA Service Catalog.
  2. Enter the URL to start CA Service Catalog in the browser address field, in the following format:
    http:/
    /
    computer-name:port number
    /usm/
    • computer-name
      Specifies the name of the computer that you want to log in to.
    • port number
      Specifies the CA Service Catalog port number of that computer.
  3. Verify that you see the CA Service Catalog login page, including the user name and password prompts.
    If Yes, this verification procedure is complete, and you can skip the remaining steps.
    If No, complete the remaining steps.
  4. In Internet Explorer, open Internet Options, click Security, and perform
    one
    of the following steps:
    • Change the security level for the Local Intranet to Medium-High or Medium
    • Add the login URL for CA Service Catalog to your Trusted sites
  5. Close and reopen your browser.
  6. Enter the URL to start CA Service Catalog in the browser address field. Verify that you see the CA Service Catalog login page with the user name and password prompts.
You have verified your browser security settings to ensure that you can access CA Service Catalog.