CA Service Catalog Post Installation Tasks

As part of implementing CA Service Catalog, review the following post-installation tasks and perform the tasks that apply: 
 
After installing CA Service Catalog, you must increase the db.max.conn.pool.size property value in the USM_HOME/config.properties file to:
db.max.conn.pool.size = 1000
Update MaxKeepAliveRequests
If you installed CA EEM 12.51 in a clustered setup and updated the MaxKeepAliveRequests property in the Apache proxy.conf file to meet the CA EEM installation requirements, reset the MaxKeepAliveRequests property to its original value.
The installation or upgrade program backs up your existing CA EEM data to the following location:
USM_HOME\conf-backup\upgrade-eem-backup.xml
Assign the Service Delivery Administrator Role to a User
Typically, the CA Service Catalog installation creates a user named spadmin and assigns it the Service Delivery administrator role. This user has complete control of the Catalog system. By default, the user name and the password are the same.
However, if all of the following conditions exist, then the installation cannot create this user.
  • You have installed CA Service Catalog for the first time (not upgraded).
  • CA EEM is already installed.
  • CA EEM is already configured to use an external store, such as Microsoft Active Directory.
In this case, assign the Service Delivery Administrator role to another user. Doing so enables this user to log in to CA Service Catalog using the Service Delivery Administrator role. You can also assign the Service Delivery Administrator role to additional users. Doing so is optional but is beneficial if redundancy is important in your organization.
Follow these steps:
  1. Open the CA Service Catalog command prompt by clicking Start, Programs, CA, Service Catalog, Service Catalog Command Prompt.
  2. Enter the following command at the CA Service Catalog command prompt:
    ant add-spadmin-user
    For a list of ant commands and their descriptions, open a command window and enter ant -p.
  3. Follow the prompts to add the spadmin administrator role to a specific user, using the following information:
    • If CA EEM is configured to use an external directory (such as Microsoft Active Directory), specify an existing user name.
    • The command utility creates the user in the CA Service Catalog user database, if both of the following conditions exist:
      • CA EEM is not configured to use an external directory.
      • The user name that you specify is new.
    • The command utility does not prompt you for the password of the new or updated user.
    • If CA EEM is configured to use an external directory, the password is defined and stored in the external directory.
    • The new password is the same as the user name, if both of the following conditions exist:
      • CA EEM is not configured to use an external directory.
      • The user name that you specify is new.
  4. If necessary, cancel and rerun the ant add-spadmin-user command to correct any errors.
  5. Verify that the new or updated user can log in to CA Service Catalog as a Service Delivery Administrator and perform the spadmin functions.
  6. (Optional) Instruct the new user to change the password.
You have assigned the Service Delivery Administrator role to a user.
Change Your Password
Changing the password is especially recommended for the user named spadmin (the Service Delivery administrator). You can also change your password at any time, for various security-related reasons.
Follow these steps:
  1. Log in to CA Service Catalog with your current user name and password.
  2. Click Profile.
  3. Click the Change Password button at the top right of the page.
  4. Enter your old and new passwords in the fields provided.
  5. Click OK.
You have changed your password.
Create Users and Services
Once you have installed CA Service Catalog:
  • Set up users, user groups, business units, and accounts.
  • Create and customize services that users can request from the catalog.
  • Configure the processes for managing, approving, and billing for requested services.
For more information about how to perform these tasks, see Manage Business Units and Tenant Administration, Manage Users and Assign Roles, Manage Services, and Service Accounting.
Do not add users, delete users, or change user information using CA EEM. We recommend that you use CA Service Catalog for managing users. CA EEM is then updated accordingly.
Reset the JMS Port Number
Reset the JMS port number only if you specified 7777 as the CA Service Catalog startup or shutdown port when you ran the installation program. We recommend that you do not use port 7777 as the startup or shutdown port. Port 7777 is reserved for Java Messaging Service (JMS).
If you must use port 7777 for the startup or shutdown port, reset the JMS port number after you have finished running the setup utility. Otherwise, port conflicts occur, and the product does not function correctly.
Follow these steps:
  1. Open the file that is named USM_HOME/config.properties in a text editor.
  2. Update the value of the jms.port property to a new value.
  3. Restart the Windows service named CA Service Catalog.
You have reset the JMS port number.
Install and Integrate Additional Process Automation Tools
For best performance, CA Service Catalog requires a process automation tool. You can use CA Process Automation to automate processes in CA Service Catalog. Even though you can install CA Process Automation at any time, we recommend that you install CA Process Automation with CA Service Catalog using the CA Service Management Installer.
If you install two or more instances of CA Service Catalog, implement clustering before you integrate CA Service Catalog with CA Process Automation.
Configure JRE 1.8.0_45 
The CA Service Catalog installation program automatically installs the Java Runtime Environment (JRE). We recommend that you use the JRE version 1.8.0_45 that is installed by CA Service Catalog. You can configure CA Service Catalog to use or replace the JRE version, if required, as follows.
Follow these steps:
  1. Install the JRE version 1.8.0_45, if not already installed. 
    For example, install the JRE version from www.java.com or one of its affiliated sites.
  2. Open the Service Delivery Command Prompt from the CA Service Catalog section of the Windows Start menu. Enter the following command:
    ant upgrade-jre
  3. Close all CA Service Catalog Windows services when prompted.
  4. Enter the path name where you have installed the new JRE version.
  5. Enter the new JRE version number. For example, 1.8.0_45.
    Wait for the CA Service Catalog system to verify that it supports the new JRE version.
    If you receive a failure message, open the Build.xml file under the Catalog home and check for the new.jre.is.supported statement.
    Check the JRE version again. If it remains unchanged even after you complete the upgrade process, change it manually.
  6. Perform steps 2, 3, and 4 again. In case of failure, try using a different JRE version that is supported by CA Service Catalog.
    For the 32-bit JRE, change the path of jvm.dll from
    <available file="${new.jre.dir}/bin.server" property="new.jre.has.server" />
    to
    <available file="${new.jre.dir}/bin" property="new.jre.has.server" />
    For the 64-bit JRE, jvm.dll is located in C:\Program Files\Java\jre1.8.0_45\bin\server, and for the 32-bit JRE it is located in C:\Program Files (x86)\Java\jre1.8.0_45\bin\client.
    Close the command prompt.
  7. Restart all CA Service Catalog Windows services and verify that you can log in to CA Service Catalog.
    If services fail to start, check the folder path C:\Program Files\Java\jre1.8.0_45\bin. Create a folder and name it Server. Copy the contents of the Client folder into the Server folder. For the 32-bit JRE, jvm is located in C:\Program Files (x86)\Java\jre1.8.0_45\bin\client. Check the service catalog.log in C:\Program Files (x86)\Java\jre1.8.0_45\bin\server\jvm.dll.
    You can log in and access CA Service Catalog using a different version of JRE.
Enhance Security
To enhance security in your CA Service Catalog implementation, consider making the following configuration changes:
  • Disable the Apache JServ Protocol (AJP) port, port 8009, while performing the initial setup, if you are not implementing clustering.
    To disable AJP, edit the USM_HOME\view\conf\server.xml file and verify that the AJP tags are commented out.
  • Reduce the timeout of CA Service Catalog user sessions. By default, sessions time out after 60 minutes of inactivity. 
    To reduce the timeout, log in to CA Service Catalog, click Administration, Configuration, User Default. Adjust the Session Timeout parameter.
  • Configure the CA EEM password policies to be more secure, if CA EEM is not configured to use an external directory.
    Specifically, consider locking user accounts after three to five failed login attempts. To set this value, log in to CA EEM and click Configure, EEM Server, Password Policies.
  • Update the list of roles that can run web services. By default, only the Certificate user and users with the service provider (SP) administrator role can run web services. 
    To change this list, log in to CA EEM with the Application set to Service Catalog. Click Manage Access Policies, Policies, Access Policies, USM_Resource. Edit the policy whose permissions you want to update, and add the resource that is named usm_webservice__all to that policy.
    For more information about editing these policies, see your CA EEM documentation.
  • Enable Secure Socket Layer (SSL) for web services so that passwords are not sent in plain text when you use the logIn(String,String,String) method. If SSL is not available, consider using the logInToken(String) method instead. This method takes a CA EEM artifact as a parameter and is encrypted.
  • Install antivirus software on the filestore computer, if you are using a filestore (a single location for shared files). We recommend that you use a filestore.
  • Harden CA Service Catalog computers.
    Hardening is the process of securing a computer by removing or disabling components or access points, to render the computer less vulnerable to outside attacks. Hardening can include disabling all ports on a computer initially and afterwards manually enabling individual ports as needed. Other basic hardening steps include the following: Limit the number of users permitted access to a computer, strengthen password and access control, install intrusion-detection software, and close ports.
Set Up Single Location for Shared Files
If you have installed Catalog Component on multiple computers (either clustered or non-clustered), we recommend that you set up a single location for shared files. Shared files can include documents, reports, images of services, data mediation files, customizations, and forms.
By default, the location for shared files is the USM_HOME\filestore folder on every Catalog Component computer. This folder contains several subfolders. However, for optimal efficiency, you can specify one location on a single computer that all Catalog Component computers share. This single location is named the central filestore or filestore. The computer on which the filestore resides can have Catalog Component installed. However, Catalog Component is not required on that computer.
If you have installed Catalog Component on multiple computers and you do not set up a filestore, then verify that the individual filestores on all Catalog Component computers are synchronized.
If you have installed Catalog Component on a single computer, this entire process does not apply, so you can skip it.
Modify the Plugin Properties File
In Service Catalog, you can add your own plugins. The plugin properties file is in the filestore. You can access any file from the filestore through a URL, for example: http://localhost:8080/usm/FileStore/custom/locale/icusen/forms/plugin.properties
The plugin properties file contains sensitive information like database, passwords, and so on. If you want to restrict access to any such sensitive information, you can modify the ESAPI.properties file. To enable restriction regarding file browsing, set the ISENABLED value to true for the following. The default value is false.
  • filestroreValidation.ISENABLED=True
  • filestroreValidation.FILEPATTREN=
    For file pattern, you can provide values like properties, xml, or Java. 
    • To block read access to properties files, configure the following: 
      filestroreValidation.FILEPATTREN=properties
    • To block read access to xml files, configure the following: 
      filestroreValidation.FILEPATTREN=xml
      You can block only one type of file. You cannot block a Java file if you have already blocked an XML file.
  • filestroreValidation.FILEPATH=
    If you want to prevent access to any file from a particular folder, you can configure this attribute. For example, if you want to prevent access to any file in the USMHOME/FileStore/custom/locale/icusen/forms folder, configure the following:
    //custom//locale//icusen//forms
  • filestroreValidation.FILENAME=
    To prevent access to any specific file with or without a parent folder, you can configure this attribute:
    filestroreValidation.FILENAME= custom_form.xml
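
The following added example (not CA code) reads an ESAPI.properties file and reports whether the settings described above would cover the plugin.properties URL shown earlier. The function names and sample contents are constructed for illustration, and the matching logic is an assumption drawn from the attribute descriptions above, not the product's own implementation.

```python
PREFIX = "filestroreValidation."  # key spelling copied from the page

def parse_properties(text):
    """Read key=value or key:value lines; '#' and '!' start comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # Split at the first '=' or ':' so values may contain either character.
        cut = min((i for i in (line.find("="), line.find(":")) if i >= 0), default=-1)
        if cut > 0:
            props[line[:cut].strip()] = line[cut + 1:].strip()
    return props

def plugin_properties_exposure(esapi_text):
    """Return (protected, reason) for custom/locale/icusen/forms/plugin.properties."""
    props = parse_properties(esapi_text)
    # The documented default is false, so a missing key means no restriction.
    if props.get(PREFIX + "ISENABLED", "false").lower() != "true":
        return False, "validation disabled (ISENABLED is false or unset)"
    pattern = props.get(PREFIX + "FILEPATTREN", "").lower()
    folder = [p for p in props.get(PREFIX + "FILEPATH", "").split("/") if p]
    name = props.get(PREFIX + "FILENAME", "")
    if pattern == "properties":
        return True, "FILEPATTREN blocks properties files"
    if folder == ["custom", "locale", "icusen", "forms"]:
        return True, "FILEPATH blocks the forms folder"
    if name.replace("\\", "/").split("/")[-1] == "plugin.properties":
        return True, "FILENAME blocks plugin.properties"
    return False, "validation enabled but no rule covers plugin.properties"

# Constructed sample files (assumed contents, for illustration only).
DEFAULT_CONFIG = (
    "filestroreValidation.ISENABLED=false\n"
    "filestroreValidation.FILEPATTREN=properties\n"
)
XML_ONLY_CONFIG = (
    "# only one file type can be blocked, and here it is xml\n"
    "filestroreValidation.ISENABLED = True\n"
    "filestroreValidation.FILEPATTREN=xml\n"
)
FOLDER_CONFIG = (
    "filestroreValidation.ISENABLED=true\n"
    "filestroreValidation.FILEPATTREN=xml\n"
    "filestroreValidation.FILEPATH=//custom//locale//icusen//forms\n"
)

if __name__ == "__main__":
    for label, cfg in (("default", DEFAULT_CONFIG), ("xml only", XML_ONLY_CONFIG),
                       ("folder rule", FOLDER_CONFIG)):
        print(label, plugin_properties_exposure(cfg))
```

The second sample shows why the one-file-type limit matters: once the pattern is spent on xml, plugin.properties needs a FILEPATH or FILENAME rule to be covered.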
Retain the Default Location for Shared Files
Setting up a single location for shared files helps improve the accuracy and efficiency of sharing files between computers.
Follow these steps:
  1. Verify that all computers on which CA Service Catalog is installed have a trusted domain relationship. This trusted relationship enables user accounts and global groups to be used in a domain other than the domain where the accounts are defined.
  2. Start the CA Service Catalog service with the login credentials of the Windows user that has read/write access to the shared location. If necessary, change the login credentials for the CA Service Catalog service to meet these requirements, as follows:
    1. Select Administrative Tools, Services.
    2. Right-click the service, click Properties, click the Log On tab, and enter the login credentials.
    3. Save the changes and restart the service.
  3. Share the USM_HOME\filestore folder on the first CA Service Catalog computer as the filestore for all CA Service Catalog computers.
Set Up a Custom Location for Shared Files
You can create a custom location for shared files.
Follow these steps:
  1. Share the folder to use as the filestore.
  2. Verify that the Windows operating system users who are updating the filestore have read/write access to this folder.
  3. Use the UNC path in the format \\computer-name\folder-name to specify the location of the filestore.
  4. Start the Catalog Component service with the logon credentials of the Windows user who requires access to the folder.
  5. Select Administration, Configuration, Filestore Information.
  6. Perform the following steps:
    1. Click the Edit icon for the Filestore Location variable.
    2. In the Filestore Location field, specify the UNC path name of the shared drive you defined in a previous step, for example: \\big-computer\Shared_USM\filestore or \\big-computer\filestore.
    3. Click Update Configuration.
    4. Click Test to verify the validity of the share.
      This test returns a successful connection test message if the filestore can be used to store files that are uploaded by users.
      Testing the filestore is mandatory.
  7. Perform the action that applies:
    • If the test succeeds, copy the entire contents of the USM_HOME\filestore folder to the new location.
    • If the test fails, reconfigure the share. Also, verify that all the CA Service Catalog services that are accessing the share have the same, valid credentials.
  8. Recycle all CA Service Catalog services on all computers.
Verify that Browser Security Settings Permit Login
This topic applies only if you are using Internet Explorer to access CA Service Catalog. Your browser security settings can prevent you from seeing the user name and password prompts when you attempt to log in to CA Service Catalog. Therefore, verify your browser security settings to ensure that you can access CA Service Catalog.
Follow these steps:
  1. Open Internet Explorer on the computer you want to use for accessing CA Service Catalog.
  2. Enter the URL to start CA Service Catalog in the browser address field, in the following format:
    http://computer-name:port number/usm/
    • computer-name 
      Specifies the name of the computer that you want to log in to.
    • port number 
      Specifies the CA Service Catalog port number of that computer.
  3. Verify that you see the CA Service Catalog login page, including the user name and password prompts.
    If Yes, this verification procedure is complete, and you can skip the remaining steps.
    If No, complete the remaining steps.
  4. In Internet Explorer, open Internet Options, click Security, and perform one of the following steps:
    • Change the security level for the Local Intranet to Medium-High or Medium
    • Add the login URL for CA Service Catalog to your Trusted sites
  5. Close and reopen your browser.
  6. Enter the URL to start CA Service Catalog in the browser address field. Verify that you see the CA Service Catalog login page with the user name and password prompts.
You have verified your browser security settings to ensure that you can access CA Service Catalog.
Post-Install Steps when Upgrading to Tomcat 8.5.12.x (Mandatory)
After you upgrade to Tomcat 8.5.12.x version, perform the following steps:
  1. Navigate to <USM_HOME>\view\conf and edit the viewService.conf file.
  2. In the Java Additional Parameters section, add the following parameters towards the end:
    wrapper.java.additional.xx=-Dtomcat.util.http.parser.HttpParser.requestTargetAllow=|
    Here, xx is the serial number of the parameter in the list of parameters in the section. For example, wrapper.java.additional.23=-Dtomcat.util.http.parser.HttpParser.requestTargetAllow=|
  3. Save and close the file.
  4. Restart the CA Service Catalog services.
We do not support the Tomcat versions 8.5.9, 8.5.10 and 8.5.11 as they have known issues. For more information, see Supportability Matrix.
Efficient Tomcat Access Log Rotatable (Optional)
We recommend that you set the Tomcat access log rotatable attribute to true. Doing so prevents the Tomcat access log file from growing very large and eventually slowing down the Tomcat web server.
Perform the following steps: 
  1. Navigate to the %USM_HOME%\view\conf\ location and open the server.xml file for editing as an administrator.
  2. Search for:
    prefix="tomcat_view" suffix=".log" pattern="common" resolveHosts="false" rotatable="false"/>
  3. Replace it with:
    prefix="tomcat_view" suffix=".log" pattern="common" resolveHosts="false" rotatable="true"/>
  4. Save and close the file.
  5. Restart the CA Service Catalog Services.
Configure CA Service Catalog with CA EEM over TLS 1.2
To configure CA Service Catalog with CA EEM over TLS 1.2, enable TLS 1.2 in CA EEM 12.6.