CA Service Catalog Post Installation Tasks

As part of implementing CA Service Catalog, review the following manual post-installation tasks and perform the tasks that apply:
After installing CA Service Catalog, you must increase the db.max.conn.pool.size property value in the USM_Home/config.properties file to:
db.max.conn.pool.size = 1000
If CA Service Catalog is installed after installing CA SDM and xFlow Interface, then run 'Integrate Pre-installed Solution Components'.
Update MaxKeepAliveRequests
If you installed CA EEM 12.6.0.5 in a clustered setup and updated the MaxKeepAliveRequests property in the Apache proxy.conf file to meet the CA EEM installation requirements, reset the MaxKeepAliveRequests property to its original value.
The installation or upgrade program backs up your existing CA EEM data to the following location:
USM_HOME\conf-backup\upgrade-eem-backup.xml
Assign the Service Delivery Administrator Role to a User
Typically, the CA Service Catalog installation creates a user named spadmin and assigns it the Service Delivery administrator role. This user has complete control of the Catalog system. By default, the user name and the password are the same.
However, if all of the following conditions exist, then the installation cannot create this user.
  • You have installed CA Service Catalog for the first time (not upgraded).
  • CA EEM is already installed.
  • CA EEM is already configured to use an external store, such as Microsoft Active Directory.
In this case, assign the Service Delivery Administrator role to another user. Doing so enables this user to log in to CA Service Catalog using the Service Delivery Administrator role. You can also assign the Service Delivery Administrator role to additional users. Doing so is optional but is beneficial if redundancy is important in your organization.
Follow these steps:
  1. Open the CA Service Catalog command prompt by clicking Start, Programs, CA, Service Catalog, Service Catalog Command Prompt.
  2. Enter the following command at the CA Service Catalog command prompt:
    ant add-spadmin-user
    For a list of ant commands and their descriptions, open a command window and enter ant -p.
  3. Follow the prompts to add the spadmin administrator role to a specific user, using the following information:
    • If CA EEM is configured to use an external directory (such as Microsoft Active Directory), specify an existing user name.
    • The command utility creates the user in the CA Service Catalog user database if both of the following conditions exist:
      • CA EEM is not configured to use an external directory.
      • The user name that you specify is new.
    • The command utility does not prompt you for the password of the new or updated user.
    • If CA EEM is configured to use an external directory, the password is defined and stored in the external directory.
    • The new password is the same as the user name, if both of the following conditions exist:
      • CA EEM is not configured to use an external directory.
      • The user name that you specify is new.
  4. If necessary, cancel and rerun the ant add-spadmin-user command to correct any errors.
  5. Verify that the new or updated user can log in to CA Service Catalog as a Service Delivery Administrator and can perform the spadmin functions.
  6. (Optional) Instruct the new user to change the password.
You have assigned the Service Delivery Administrator role to a user.
Change Your Password
Changing the password is especially recommended for the user named spadmin (the Service Delivery administrator). You can also change your password at any time, for various security-related reasons.
Follow these steps:
  1. Log in to CA Service Catalog with your current user name and password.
  2. Click Profile.
  3. Click the Change Password button at the top right of the page.
  4. Enter your old and new passwords in the fields provided.
  5. Click OK.
You have changed your password.
Create Users and Services
Once you have installed CA Service Catalog:
  • Set up users, user groups, business units, and accounts.
  • Create and customize services that users can request from the catalog.
  • Configure the processes for managing, approving, and billing for requested services.
Do not add users, delete users, or change user information using CA EEM. We recommend that you use CA Service Catalog for managing users. CA EEM is then updated accordingly.
Reset the JMS Port Number
Reset the JMS port number only if you specified 7777 as the CA Service Catalog startup or shutdown port when you ran the installation program. We recommend that you do not use port 7777 as the startup or shutdown port. Port 7777 is reserved for Java Messaging Service (JMS).
If you must use port 7777 for the startup or shutdown port, reset the JMS port number after you have finished running the setup utility. Otherwise, port conflicts occur, and the product does not function correctly.
Follow these steps:
  1. Open the file that is named USM_HOME/config.properties in a text editor.
  2. Update the value of the jms.port property to a new value.
  3. Restart the Windows service named CA Service Catalog.
You have reset the JMS port number.
Install and Integrate Additional Process Automation Tools
For best performance, CA Service Catalog requires a process automation tool. You can use CA Process Automation to automate processes in CA Service Catalog. Even though you can install CA Process Automation at any time, we recommend that you install CA Process Automation with CA Service Catalog using the CA Service Management Installer.
If you install two or more instances of CA Service Catalog, implement clustering before you integrate CA Service Catalog with CA Process Automation.
Configure AdoptOpenJDK 11.0.3
The CA Service Catalog installation program automatically installs the Java Runtime Environment (JRE). We recommend that you use the JRE version 11.0.3 that is installed by CA Service Catalog. You can configure CA Service Catalog to use or replace the JRE version, if required, as follows.
Follow these steps:
  1. Install the JRE version 11.0.1, if not already installed.
    For example, install the JRE version from https://adoptopenjdk.net/ or one of its affiliated sites.
  2. Open the Service Delivery Command Prompt from the CA Service Catalog section of the Windows Start menu. Enter the following command:
    ant upgrade-jre
  3. Close all CA Service Catalog Windows services when prompted.
  4. Enter the path name where you have installed the new JRE version.
  5. Enter the new JRE version number. For example, 11.0.3.
    Wait for the CA Service Catalog system to verify that it supports the new JRE version.
    If you receive a failure message, check the file Build.xml under Catalog home and check for the statement new.jre.is.supported.
    Check the JRE version again. If it remains unchanged even after you complete the upgrade process, change it manually.
  6. Perform steps 2, 3, and 4 again. If there is a failure, try using a different JRE version that is supported by CA Service Catalog.
    The 64-bit JRE, jvm.dll is located in %USM_HOME%\embedded\jdk\bin\server
    Close the command prompt.
  7. Restart all CA Service Catalog Windows services and verify that you can log into CA Service Catalog.
    If services fail to start, check the folder path %USM_HOME%\embedded\jdk\bin. Create a folder and name it Server. Copy the contents of the Client folder into the Server folder. Check the service catalog.log in %USM_HOME%\embedded\jdk\bin\server\jvm.dll.
    You can log in and access CA Service Catalog using a different version of JRE.
Enhance Security
To enhance security in your CA Service Catalog implementation, consider making the following configuration changes:
  • Disable the Apache JServ Protocol (AJP) port, port 8009, while performing the initial setup, if you are not implementing clustering.
    To disable AJP, edit the USM_HOME\view\conf\server.xml file and verify that the AJP tags are commented out.
  • Reduce the timeout of CA Service Catalog user sessions. By default, sessions time out after 60 minutes of inactivity.
    To reduce the timeout, log in to CA Service Catalog, click Administration, Configuration, User Default. Adjust the Session Timeout parameter.
  • Configure the CA EEM password policies to be more secure, if CA EEM is not configured to use an external directory.
    Specifically, consider locking user accounts after three to five failed login attempts. To set this value, log in to CA EEM and click Configure, EEM Server, Password Policies.
  • Update the list of roles that can run web services. By default, only the Certificate user and users with the service provider (SP) administrator role can run web services.
    To change this list, log in to CA EEM with the Application set to Service Catalog. Click Manage Access Policies, Policies, Access Policies, USM_Resource. Edit the policy whose permissions you want to update, and add the resource that is named usm_webservice__all to that policy.
    For more information about editing these policies, see your CA EEM documentation.
  • Enable Secure Socket Layer (SSL) for web services so that passwords are not sent in plain text when you use the logIn(String, String, String) method. If SSL is not available, consider using the logInToken(String) method instead. This method takes a CA EEM artifact as a parameter and is encrypted.
  • Install antivirus software on the filestore computer, if you are using a filestore (a single location for shared files). We recommend that you use a filestore.
  • Harden CA Service Catalog computers.
    Hardening is the process of securing a computer by removing or disabling components or access points, to render the computer less vulnerable to outside attacks. Hardening can include disabling all ports on a computer initially and afterwards manually enabling individual ports as needed. Other basic hardening steps include the following: limit the number of users permitted access to a computer, strengthen password and access control, install intrusion-detection software, and close ports.
Set Up Single Location for Shared Files
If you have installed Catalog Component on multiple computers (either clustered or non-clustered), we recommend that you set up a single location for shared files. Shared files can include documents, reports, images of services, data mediation files, customizations, and forms.
By default, the location for shared files is the USM_HOME\filestore folder on every Catalog Component computer. This folder contains several subfolders. However, for optimal efficiency, you can specify one location on a single computer that all Catalog Component computers share. This single location is named the central filestore or filestore. The computer on which the filestore resides can have Catalog Component installed. However, Catalog Component is not required on that computer.
If you have installed Catalog Component on multiple computers and you do not set up a filestore, then verify that the individual filestores on all Catalog Component computers are synchronized.
If you have installed Catalog Component on a single computer, this entire process does not apply, so you can skip it.
Modify the Plugin Properties File
In the Service Catalog, you can add your own plugins. The plugin properties file is in the filestore. You can access any file from the filestore by accessing a URL: http://localhost:8080/usm/FileStore/custom/locale/icusen/forms/plugin.properties
The plugin properties file contains sensitive information like database, passwords, and so on. If you want to restrict access to any such sensitive information, you can modify the ESAPI.properties file. To enable restriction regarding file browsing, set the ISENABLED value to true for the following. The default value is false.
  • filestroreValidation.ISENABLED=True
  • filestroreValidation.FILEPATTREN=
    For file pattern, you can provide values like properties, xml, or Java.
    • To block read access to properties files, configure the following:
      filestroreValidation.FILEPATTREN=properties
    • To block read access to xml files, configure the following:
      filestroreValidation.FILEPATTREN=xml
      You can block only one type of file. You cannot block a Java file if you have already blocked an XML file.
  • filestroreValidation.FILEPATH=
    If you want to prevent access to any file from a particular folder, you can configure this attribute. For example, if you want to prevent access to any file in the USMHOME/FileStore/custom/locale/icusen/forms folder, configure the following:
    //custom//locale//icusen//forms
  • filestroreValidation.FILENAME=
    To prevent access to any specific file with or without a parent folder, you can configure this attribute:
    filestroreValidation.FILENAME= custom_form.xml
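The sketch below models the three restriction settings as this section describes them and lists which filestore files a given ESAPI.properties still leaves readable. It is an added example, not CA's code: the matching rules in is_blocked are an assumption drawn from the descriptions above, and the sample settings and file list are constructed.

```python
PREFIX = "filestroreValidation."  # key spelling exactly as shown on this page

# Constructed sample settings and filestore listing, for illustration only.
SAMPLE_ESAPI = """
filestroreValidation.ISENABLED=True
filestroreValidation.FILEPATTREN=properties
filestroreValidation.FILEPATH=//custom//reports
filestroreValidation.FILENAME= custom_form.xml
"""
SAMPLE_FILES = [
    "custom/locale/icusen/forms/plugin.properties",
    "custom/locale/icusen/forms/custom_form.xml",
    "custom/locale/icusen/forms/db_settings.xml",
    "custom/reports/q1.pdf",
]

def parse_settings(text):
    """Collect the filestroreValidation.* keys from properties text."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(PREFIX) and "=" in line:
            key, value = line[len(PREFIX):].split("=", 1)
            settings[key.strip().upper()] = value.strip()
    return settings

def _norm(path):
    # Collapse "//" and backslashes into one lower-case forward-slash form.
    return "/".join(p for p in path.replace("\\", "/").split("/") if p).lower()

def is_blocked(rel_path, settings):
    """Assumed model: extension, folder and file-name rules are OR-ed together."""
    if settings.get("ISENABLED", "false").lower() != "true":
        return False  # default is false: nothing is restricted
    path = _norm(rel_path)
    name = path.rsplit("/", 1)[-1]
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    pattern = settings.get("FILEPATTREN", "").lower()
    folder = _norm(settings.get("FILEPATH", ""))
    fname = _norm(settings.get("FILENAME", ""))
    if pattern and ext == pattern:
        return True
    if folder and path.startswith(folder + "/"):
        return True
    if fname and (path == fname or path.endswith("/" + fname)):
        return True
    return False

def exposed(files, settings):
    """Files that remain readable through the FileStore URL under this model."""
    return [f for f in files if not is_blocked(f, settings)]

if __name__ == "__main__":
    for f in exposed(SAMPLE_FILES, parse_settings(SAMPLE_ESAPI)):
        print("still readable:", f)
```

Because only one file type can be blocked, the constructed db_settings.xml stays readable here unless FILEPATH or FILENAME is pointed at it.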
Retain the Default Location for Shared Files
Setting up a single location for shared files helps improve the accuracy and efficiency of sharing files between computers.
Follow these steps:
  1. Verify that all computers on which CA Service Catalog is installed have a trusted domain relationship. This trusted relationship enables user accounts and global groups to be used in a domain other than the domain where the accounts are defined.
  2. Start the CA Service Catalog service with the login credentials of the Windows user that has read/write access to the shared location. If necessary, change the login credentials for the CA Service Catalog service to meet these requirements, as follows:
    1. Select Administrative Tools, Services.
    2. Right-click the service, click Properties, click the Log On tab, and enter the login credentials.
    3. Save the changes and restart the service.
  3. Share the USM_HOME\filestore folder on the first CA Service Catalog computer as the filestore for all CA Service Catalog computers.
Set Up a Custom Location for Shared Files
You can create a custom location for shared files.
Follow these steps:
  1. Share the folder to use as the filestore.
  2. Verify that the Windows operating system users who are updating the filestore have read/write access to this folder.
  3. Use the UNC path in the format \\computer-name\folder-name to specify the location of the filestore.
  4. Start the Catalog Component service with the logon credentials of the Windows user who requires access to the folder.
  5. Select Administration, Configuration, Filestore Information.
  6. Perform the following steps:
    1. Click the Edit icon for the Filestore Location variable.
    2. In the Filestore Location field, specify the UNC path name of the shared drive you defined in a previous step, for example: \\big-computer\Shared_USM\filestore or \\big-computer\filestore.
    3. Click Update Configuration.
    4. Click Test to verify the validity of the share.
      This test returns a successful connection test message if the filestore can be used to store files that are uploaded by users.
      Testing the filestore is mandatory.
  7. Perform the action that applies:
    • If the test succeeds, copy the entire contents of the USM_HOME\filestore folder to the new location.
    • If the test fails, reconfigure the share. Also, verify that all the CA Service Catalog services that are accessing the share have the same, valid credentials.
  8. Recycle all CA Service Catalog services on all computers.
Verify that Browser Security Settings Permit Login
This topic applies only if you are using Internet Explorer to access CA Service Catalog. Your browser security settings can prevent you from seeing the user name and password prompts when you attempt to log in to CA Service Catalog. Therefore, verify your browser security settings to ensure that you can access CA Service Catalog.
Follow these steps:
  1. Open Internet Explorer on the computer you want to use for accessing CA Service Catalog.
  2. Enter the URL to start CA Service Catalog in the browser address field, in the following format:
    http://computer-name:port number/usm/
    • computer-name
      Specifies the name of the computer that you want to log in to.
    • port number
      Specifies the CA Service Catalog port number of that computer.
  3. Verify that you see the CA Service Catalog login page, including the user name and password prompts.
    If Yes, this verification procedure is complete, and you can skip the remaining steps.
    If No, complete the remaining steps.
  4. On the Internet Explorer browser, open Internet Options, click Security, and perform one of the following steps:
    • Change the security level for the Local Intranet to Medium-High or Medium
    • Add the login URL for CA Service Catalog to your Trusted sites
  5. Close and reopen your browser.
  6. Enter the URL to start CA Service Catalog in the browser address field. Verify that you see the CA Service Catalog login page with the user name and password prompts.
You have verified your browser security settings to ensure that you can access CA Service Catalog.
Post-Install Steps when Upgrading to Tomcat 8.5.12.x (Mandatory)
After you upgrade to Tomcat 8.5.12.x version, perform the following steps:
  1. Navigate to the following location:
    <USM_HOME>\view\conf and edit the viewService.conf file.
  2. In the Java Additional Parameters section, add the following parameters towards the end:
    wrapper.java.additional.xx=-Dtomcat.util.http.parser.HttpParser.requestTargetAllow=|
    Where, xx is the serial number of the list of parameters in the section. For example, wrapper.java.additional.23=-Dtomcat.util.http.parser.HttpParser.requestTargetAllow=|
  3. Save and close the file.
  4. Restart the CA Service Catalog services.
As of now, CA Service Management does not support Tomcat versions 8.5.9, 8.5.10, 8.5.11 and versions greater than 8.5.31, because a few known issues were reported on these versions. For more information, see Supportability Matrix.
Efficient Tomcat Access Log Rotatable (Optional)
It is recommended that you change the Tomcat Rotatable Access to True. This prevents the Tomcat access log file from growing very large and eventually slowing down the Tomcat Web Server.
Perform the following steps:
  1. Navigate to the %USM_HOME%\view\conf\ location and open the server.xml file for editing as an Administrator.
  2. Search for:
    prefix="tomcat_view" suffix=".log" pattern="common" resolveHosts="false" rotatable="false"/>
  3. Replace it with:
    prefix="tomcat_view" suffix=".log" pattern="common" resolveHosts="false" rotatable="true"/>
  4. Save and close the file.
  5. Restart the CA Service Catalog Services.
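The following check covers the two server.xml settings this page asks for: the AJP tags commented out when clustering is not in use (Enhance Security) and rotatable="true" on the access log (this procedure). It is an added example, not part of the product or its documentation; the sample server.xml is constructed, and audit_server_xml and its clustered flag are hypothetical names.

```python
import xml.etree.ElementTree as ET

# Constructed sample resembling a Tomcat server.xml; not taken from a real install.
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Valve className="org.apache.catalina.valves.AccessLogValve"
               directory="logs" prefix="tomcat_view" suffix=".log"
               pattern="common" resolveHosts="false" rotatable="false"/>
      </Host>
    </Engine>
  </Service>
</Server>
"""

def audit_server_xml(xml_text, clustered=False):
    """Return findings for the AJP and access-log settings in server.xml text."""
    findings = []
    # ElementTree discards XML comments, so a commented-out <Connector>
    # never appears in the tree and is treated as disabled.
    root = ET.fromstring(xml_text)
    for conn in root.iter("Connector"):
        is_ajp = conn.get("protocol", "").upper().startswith("AJP")
        if (is_ajp or conn.get("port") == "8009") and not clustered:
            findings.append(f"AJP connector active on port {conn.get('port')}")
    for valve in root.iter("Valve"):
        if valve.get("className", "").endswith("AccessLogValve"):
            # Tomcat treats a missing rotatable attribute as true.
            if valve.get("rotatable", "true").lower() != "true":
                findings.append(
                    f"access log '{valve.get('prefix')}' has rotatable=false")
    return findings

if __name__ == "__main__":
    # To audit a real file, read %USM_HOME%\view\conf\server.xml and pass its text.
    for finding in audit_server_xml(SAMPLE_SERVER_XML):
        print("FINDING:", finding)
```

Run it again after editing server.xml and before restarting the services; an empty list means both settings match the guidance for a non-clustered installation.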
Configure CA Service Catalog with CA EEM over TLS 1.2
To configure CA Service Catalog with CA EEM over TLS 1.2, enable TLS 1.2 in CA EEM 12.6.