Step 1 - Import Users into the Database

After you install CA Service Catalog, the user database contains no data. To populate the database with user information, configure and run the LDAP utility. Running the utility populates your CA Service Catalog database with the users that you specify from your LDAP server. Run the utility at regular intervals to synchronize updates in the user database from the LDAP server to the CA Service Catalog database. You can optionally use a scheduler to synchronize.
Follow these steps:
Step 1a - Perform Transition Tasks
These tasks apply if you were previously using the CA EEM synchronization utility (syncuputil) to import and synchronize users in the CA Service Catalog user database. Examples include implementations that obtained the LDAP Importer utility by upgrading CA Service Catalog or applying a patch.
These tasks help you transition efficiently from the CA EEM synchronization utility to the LDAP Importer utility.
  • Stop using the CA EEM synchronization utility and its properties file (syncuputil.properties).
  • Remove scheduled tasks for that utility.
  • Run the LDAP Importer utility.
These tasks do not apply to first-time installations of CA Service Catalog.
Step 1b - Configure CA EEM to Use an External Directory
Configuring CA EEM to use an external directory is a prerequisite for using the LDAP Importer utility.
Follow these steps:
  1. Verify that the external directory contains at least one user ID that matches the user ID of a Service Delivery Administrator in CA Service Catalog:
    1. Log in to CA Service Catalog as the spadmin user and create at least one user ID with the Service Delivery Administrator role.
      This user ID must match a user name in the external directory.
    2. If CA EEM is configured for multiple active directories, create a user ID as Domain Name\userid in CA Service Catalog. Verify that the domain name is part of the principal name of the CA EEM user ID in the CA EEM active directory.
  2. Configure the User Store in CA EEM to reference all applicable Active Directory sources.
    For more information, see your CA EEM documentation.
  3. (For single sign-on) Verify that the domain name for Active Directory matches the domain name of the single sign-on user.
  4. Select Manage Identities, Users, and validate that the users returned from a search are from the external directory. If your user base is large, limit the list of users returned.
  5. Restart the CA Service Catalog service.
  6. Log in to CA Service Catalog as the Service Delivery Administrator whose user name matches a user name in the external directory.
You have configured CA EEM to use an external directory.
Step 1c - (Optional) Determine the Number and Purpose of Configuration Files
If you are using multiple domains, you can use multiple configuration files. In that case, determine the number of configuration files and the purpose of each one. For example, large organizations can use several LDAP servers, one for each business unit, region, or domain. A managed service provider can use one group of LDAP servers for their internal organization and another group for their client organizations.
In such cases, as an administrator, you can use a unique configuration file for each server. You can configure the name and settings of each file to match its purpose. For example, consider a Managed Service Provider (MSP) with three internal LDAP servers and many LDAP servers for their clients. The MSP can decide to copy and customize the default file (LDAPImporter_server1.properties) as follows:
  • Internal configuration files
    • LDAPImporter_Internal_Asia.properties
    • LDAPImporter_Internal_Europe.properties
    • LDAPImporter_Internal_NorthAmerica.properties
  • Configuration files for clients that are retail companies in Asia.
    • LDAPImporter_Client_Azerbaijan_Retail.properties
    • LDAPImporter_Client_India_Retail.properties
    • LDAPImporter_Client_Singapore_Retail.properties
Clustering alone does not require extra configuration files. If CA Service Catalog is clustered, verify that the properties file is available from the computers from which you run the utility.
Step 1d - Create the LDAP User
The LDAP Importer utility requires an LDAP user to connect to the LDAP server and import the LDAP users into the CA Service Catalog database. You specify the login credentials of the LDAP user in the configuration file properties for the utility.
For more information about how to create LDAP users, see your LDAP documentation.
Step 1e - Create the CA Service Catalog User
To import users from the LDAP server to CA Service Catalog, the LDAP Importer requires a CA Service Catalog user. You create a CA Service Catalog user for this purpose and specify its login credentials in the configuration file properties for the utility.
If an existing user meets the following specifications, you can use that user.
Follow these steps:
  1. Log in to the root business unit.
    Creating this user in the root business unit is required for the proper role assignment and access rights.
  2. Select Administration, Users from the main menu.
  3. Click Add.
  4. Enter the data for the new user, as follows:
    • User Name
      Specify the same user name, including case, as the LDAP user that you use to connect to the LDAP server.
      If your catalog works with multiple LDAP servers, include the domain name, for example, MyDomain\MyUser.
    • Role
      Service Delivery Administrator.
The user is added.
Step 1f - Specify the Configuration File Properties
Replace the default properties in the file with your custom values. See the comments in the file for assistance.
The default configuration file is named LDAPImporter_server1.properties. This file resides in the USM_HOME folder. Copy and modify it to create all the custom configuration files that you require for your organization.
The configuration file includes placeholder values that you must customize before running the utility.
Format
Properties in the configuration file follow this format: name=value. For example, LDAP.LastSynchronizationDate=2013-12-13.
Names must not contain spaces. If a name contains one or more spaces, replace each space with an underscore (_).
Values can contain spaces and you do not need to replace spaces with underscores.
You do not need to enclose spaces or underscores in quotation marks.
LDAP Properties
  • LDAP.Base.Provider.Url=value
    Specifies the URL of the LDAP server. If the LDAP server is not using SSL, use this format:
    LDAP.Base.Provider.Url=ldap://LDAP-server-name:389
    If the LDAP server is using SSL, use this format:
    LDAP.Base.Provider.Url=ldaps://LDAP-server-name:636
    If the LDAP server or CA Service Catalog uses SSL, complete the SSL parameters.
  • LDAP.User.DN=value and LDAP.User.Domain=domain-name
    Specify the name of the LDAP user that you created earlier for accessing the LDAP database.
    The domain name is required if CA EEM is configured to use multiple domains.
    If you are using multiple LDAP servers, the domain name must match the domain name for the LDAP server in CA EEM.
  • Catalog.User=domain-name\\username
    Specifies the name of the CA Service Catalog user that you created earlier for importing the users from the LDAP server into the CA Service Catalog database.
    The domain name is required if CA EEM is configured to use multiple domains.
  • LDAP.User.Password=password and Catalog.User.Password=password
    Specify the encrypted passwords for each user in the appropriate parameter.
    To generate each encrypted password, enter the following command at the CA Service Catalog command prompt:
    USM_HOME/SCRIPTS ENCRYPTER.BAT password
    Copy each encrypted value from the command line and paste it to the appropriate entry in the configuration file.
  • InsertOrUpdateUsersAfterLastSyncDateOnly=True|False
    We recommend that you specify True. Specify True if you plan to run the utility regularly with a scheduling tool. This setting helps run the synchronization process in optimized mode.
    Alternatively, specify False if you do not plan to run the utility regularly with a scheduling tool.
  • LDAP.LastSynchronizationDate=yyyy-mm-dd
    This parameter is required if you specify True for the previous parameter, InsertOrUpdateUsersAfterLastSyncDateOnly.
    We recommend that you specify this parameter when you run the file for the first time. Afterwards, this parameter is updated automatically whenever you run the utility with a scheduling tool.
    Specifying this parameter provides more efficient processing. If you use this parameter, the utility imports only users that were added or updated since the last time the utility ran. The utility processes deleted users according to your specifications for the next parameter, DeactivateMDBUsersUponLDAPUserDeletion.
Catalog Properties
  • DeactivateMDBUsersUponLDAPUserDeletion=True|False
    Specifies how to process CA Service Catalog users that were deleted from the LDAP database:
    • True (Recommended)
      Deactivates these users in the CA Service Catalog database. The user IDs are no longer available in the CA Service Catalog UI.
    • False
      Keeps these deleted users active in the CA Service Catalog database and UI.
    In either case, these deleted users cannot log in to CA Service Catalog, because they cannot be authenticated in the LDAP database.
    This setting does not apply the first time that you run the utility.
  • CatalogUser.Country.xx=country
    • xx
      Specifies the two-letter country code from the LDAP server.
    • country
      Specifies the country name from the MDB.
      To obtain country names from the MDB, query the ca_country table.
      If the LDAP server does not specify the country code, then the country name is set to NULL in the MDB.
    Examples:
    • CatalogUser.Country.IN=India
    • CatalogUser.Country.US=United States
  • CatalogUser.country.city=location
    Specifies a custom location name.
    • country
      Specifies the country name from the MDB, as explained in the previous entry.
    • city
      Specifies the city name from the LDAP server.
      If the LDAP server does not specify the city, then the city is set to NULL in the MDB. If the LDAP server does specify the city, but the city is not mapped in this parameter, then the city is set to NULL in the MDB.
    • location
      Specifies any custom location name relevant to your organization, for example, the name of a branch or unit in the city.
      If the location does not exist in the MDB, it is created.
      As a best practice, specify a location name that is known to other administrators in your organization. This location and all other user attributes appear when you view user attributes in the CA Service Catalog UI.
    Examples:
    • CatalogUser.United_States.Islandia=UnitedStates1
    • CatalogUser.United_States.New_York=UnitedStates2
  • CatalogUser.DefaultBusinessUnit=business-unit
    Specifies the CA Service Catalog business unit to which users are assigned when they are imported for the first time.
    Once the users are imported for the first time, their business unit assignment stays the same. The value changes only when you use the CA Service Catalog UI to change the business unit. This restriction applies even if you change the value of this parameter and import the users again. This restriction helps maintain the ability of users to log in to CA Service Catalog.
  • CatalogUser.DefaultRole=role
    Specifies the CA Service Catalog role that users are assigned when they are imported for the first time.
    Once the users are imported for the first time, their role assignment stays the same. The value changes only when you use the CA Service Catalog UI to change the role assignment. This restriction applies even if you change the value of this parameter and import the users again. This restriction helps maintain the ability of users to log in to CA Service Catalog.
    The following table lists the valid role names for the CatalogUser.DefaultRole parameter, according to the type of business unit.
    Role                                                | Root BU | *Node BU | **Leaf BU
    spadministrator (Service Delivery Administrator)    | x       |          |
    servicemanager (Service Manager)                    | x       |          |
    catadministrator (Catalog Administrator)            | x       | x        |
    stadministrator (Super Business Unit Administrator) |         | x        |
    administrator (Administrator)                       | x       | x        | x
    requestmanager (Request Manager)                    | x       | x        | x
    catalogenduser (Catalog User)                       | x       | x        | x
    enduser (End User)                                  | x       | x        | x
    * A Node BU is a child business unit that contains one or more of its own child business units.
    ** A Leaf BU is a child business unit that contains no child business units of its own.
  • SSL.KeyStoreLocation=value
    Specifies the complete path name of the keystore file that contains the SSL Server certificates of CA Service Catalog and the LDAP server. This parameter is required if CA Service Catalog or the LDAP server uses SSL. If the LDAP server uses SSL, configure the LDAP.Base.Provider.Url parameter to use SSL.
    Delimit folder names with double backslashes (\\). The standard path name follows:
    C:\\Program_Files\\CA\\Service_Catalog\\ssl.keystore
    Verify that you have imported the complete chain of Certification Authority (CA) certificates for CA Service Catalog and the LDAP server into the Java keystore.
  • SSL.KeyStorePassword=value
    Specifies the encrypted password for the CA Service Catalog keystore file.
    To generate the encrypted password, enter the following command at the CA Service Catalog command prompt:
    USM_HOME/SCRIPTS ENCRYPTER.BAT password
    Copy the encrypted value from the command line and paste it to this entry.
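Before the first run, it is worth checking a customized properties file against the rules above. The following Python script is an added example, not part of CA Service Catalog: it parses name=value lines and flags spaces in names, an ldaps:// URL without SSL.KeyStoreLocation, a missing LDAP.LastSynchronizationDate when InsertOrUpdateUsersAfterLastSyncDateOnly=True, a CatalogUser.DefaultRole that the role table does not allow for the business unit type, and a CatalogUser.country.city mapping whose country (spaces written as underscores) has no CatalogUser.Country.xx entry. The sample file, host name, DN and account names are constructed.

```python
"""Sanity checks for an LDAP Importer properties file (added example, not CA's own code)."""
import re

ROLES_BY_BU_TYPE = {  # valid CatalogUser.DefaultRole values per business unit type (role table)
    "root": {"spadministrator", "servicemanager", "catadministrator", "administrator",
             "requestmanager", "catalogenduser", "enduser"},
    "node": {"catadministrator", "stadministrator", "administrator", "requestmanager",
             "catalogenduser", "enduser"},
    "leaf": {"administrator", "requestmanager", "catalogenduser", "enduser"},
}

# Constructed sample file; host name, DN and account names are placeholders.
SAMPLE = r"""
LDAP.Base.Provider.Url=ldaps://ldap.example.internal:636
LDAP.User.DN=CN=svc-ldapimport,OU=Service Accounts,DC=example,DC=internal
Catalog.User=EXAMPLE\\svc-ldapimport
InsertOrUpdateUsersAfterLastSyncDateOnly=True
LDAP.LastSynchronizationDate=2013-12-13
CatalogUser.Country.US=United States
CatalogUser.United_States.New_York=UnitedStates2
CatalogUser.DefaultRole=spadministrator
SSL.KeyStoreLocation=C:\\Program_Files\\CA\\Service_Catalog\\ssl.keystore
"""

def parse_properties(text):
    """Parse name=value lines; blanks and # comments are skipped, space around '=' is dropped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition("=")
        props[name.strip()] = value.strip()
    return props

def check_config(props, bu_type):
    """Return a list of findings for the parsed file; an empty list means every check passed."""
    findings = [f"name contains spaces, use underscores: {n!r}" for n in props if " " in n]
    url = props.get("LDAP.Base.Provider.Url", "").lower()
    if not url.startswith(("ldap://", "ldaps://")):
        findings.append("LDAP.Base.Provider.Url must start with ldap:// or ldaps://")
    elif url.startswith("ldaps://") and not props.get("SSL.KeyStoreLocation"):
        findings.append("ldaps:// URL requires SSL.KeyStoreLocation")
    if props.get("InsertOrUpdateUsersAfterLastSyncDateOnly", "").lower() == "true" and not re.fullmatch(
            r"\d{4}-\d{2}-\d{2}", props.get("LDAP.LastSynchronizationDate", "")):
        findings.append("LDAP.LastSynchronizationDate (yyyy-mm-dd) is required when the previous parameter is True")
    role = props.get("CatalogUser.DefaultRole", "")
    if role not in ROLES_BY_BU_TYPE[bu_type]:
        findings.append(f"role {role!r} is not valid for a {bu_type} business unit")
    # Country names from CatalogUser.Country.xx appear with underscores in location mapping names.
    countries = {v.replace(" ", "_") for k, v in props.items() if k.startswith("CatalogUser.Country.")}
    for name in props:  # CatalogUser.<country>.<city> location mappings
        parts = name.split(".")
        if len(parts) == 3 and parts[0] == "CatalogUser" and parts[1] not in ("Country", *countries):
            findings.append(f"location mapping {name!r} refers to unmapped country {parts[1]!r}")
    return findings
```

Run `check_config(parse_properties(open(path).read()), "root")` against each of your configuration files and resolve every finding before scheduling the utility.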
Step 1g - Run the Utility
Run the LDAP Importer utility regularly to import users from the LDAP server into the CA Service Catalog database. As a CA Service Catalog administrator, determine how often you must run this utility. For example, large organizations or organizations with frequent personnel changes want to run the utility daily. However, other organizations with fewer personnel changes want to run the utility weekly or every two weeks.
The file name of the utility is LDAPImporter.bat. The file resides in the USM_HOME\scripts folder.
You can optionally use any of the following methods to run the utility regularly:
  • Run the utility manually from the command line of any CA Service Catalog computer.
  • Run the utility as a batch job at scheduled times. Use the CA Service Catalog Scheduler or any standard scheduler, such as Windows Scheduler.
    To access the CA Service Catalog Scheduler, click Administration, Tools, Scheduler. Use the following specifications when you complete the fields:
    For Action Type, select Execute Command Line.
    For Cmd Line, enter the path names of the utility and the configuration file or files. The Cmd Line field accepts a limited number of characters. If necessary, specify relative path names (from USM_HOME\view\bin) or specify folder names only, as shown in the following examples:
    ..\..\scripts\LDAPImporter.bat ..\..\scheduler.properties
    ..\..\scripts\LDAPImporter.bat C:\LDAPFolder\
    For more information about the CA Service Catalog Scheduler, see the Manage the Scheduler section. For more information about the Windows Scheduler, see your Windows documentation.
To run the LDAP Importer utility, enter the following command at the command prompt or in a scheduling tool:
LDAPImporter.bat properties-files
The utility processes all levels of nested groups of users. The utility imports each user and the users above it in the organizational hierarchy, up to the top, even if the manager is not part of that group.
The utility does not import the users below the user in the organizational hierarchy. For example, the utility does not import the direct reports of the user.
Logging
The log file for the utility is named LDAPImporter.log. This file resides in the USM_HOME\logs\LDAPImporter folder.
The level of logging for the utility is specified in the LDAPImporter.log4j.xml file. This file resides in the USM_HOME\scripts folder.
Examples
Examples of Running Configuration Files:
In this example, you run multiple configuration files in the USM_HOME folder:
LDAPImporter.bat USM_HOME\LDAPImporter_server1.properties USM_HOME\LDAPImporter_server2.properties USM_HOME\LDAPImporter_server3.properties
In this example, you store all LDAP server properties in the MyFolder folder. Each LDAP server properties file name within this folder must use this format: ldapimporter_name.properties.
LDAPImporter.bat USM_HOME\MyFolder
Examples of Specifying Configuration File Properties
In this example, you populate the root business unit (ca.com) with users whose location is New York and who have direct reports. Assign the Service Delivery Administrator role to these users.
LDAP.ImportType=User
LDAP.MicrosoftAD.User.Filter=(&(objectClass=user)(!(objectClass=computer)))
LDAP.User.Filter=(&(l=New York)(directReports=*))
CatalogUser.DefaultBusinessUnit=ca.com
CatalogUser.DefaultRole=spadministrator
In this example, you populate the business unit that is named Europe with users who belong to the group named All Managers Europe. Assign the Super Business Unit Administrator role to these users.
LDAP.ImportType=Group
LDAP.Group.Name=All Managers Europe
CatalogUser.DefaultBusinessUnit=Europe
CatalogUser.DefaultRole=stadministrator
Step 1h - Verify the Import
Verify that the database has been populated correctly by logging in to CA Service Catalog as a user that is defined in the database. A successful login indicates that the database was populated correctly.