CA Service Catalog Post Installation Tasks

As part of implementing CA Service Catalog, review the following manual post-installation tasks and perform the tasks that apply:
After installing CA Service Catalog, you must increase the db.max.conn.pool.size property value in the USM_Home/config.properties file to:
db.max.conn.pool.size = 1000
If CA Service Catalog is installed after installing CA SDM and xFlow Interface, then run 'Integrate Pre-installed Solution Components'.
After upgrading to CA Service Catalog 17.3, perform the following post-install steps:
  1. (Mandatory) Update the server.xml file in the USM_HOME\view\conf location. Add the below attributes to the HTTP and HTTPS connector tags to allow the below characters, which are mandatory for the application to work.
    relaxedPathChars="[]|{}^\`"<>" relaxedQueryChars="[]|{}^\`"<>"
    For example:
    <!-- Define a HTTP/1.1 Connector on port XXXX -->
    <Connector port="XXXX" disableUploadTimeout="true" URIEncoding="UTF-8"
      .. ..
      relaxedPathChars="[]|{}^&#x5c;&#x60;&quot;&lt;&gt;"
      relaxedQueryChars="[]|{}^&#x5c;&#x60;&quot;&lt;&gt;" />
    <!-- Define a SSL HTTP/1.1 Connector on port XXXX -->
    <Connector port="XXXX" disableUploadTimeout="true" URIEncoding="UTF-8"
      .. ..
      relaxedPathChars="[]|{}^&#x5c;&#x60;&quot;&lt;&gt;"
      relaxedQueryChars="[]|{}^&#x5c;&#x60;&quot;&lt;&gt;" />
    Tomcat server.xml allows special characters in Hex code format in relaxedPathChars and relaxedQueryChars. For more information, see the special characters and their respective Hex codes:
    Special Character Name   Special Character   Hex Code
    Backslash                \                   &#x5c;
    Grave accent             `                   &#x60;
    Double quotes            "                   &quot;
    Less than                <                   &lt;
    Greater than             >                   &gt;
  2. Open the USM_HOME\view\conf\viewService.conf file to edit as an Administrator and search for:
    wrapper.java.additional.23=-Xverify:none
    1. Add the following entries after wrapper.java.additional.23=-Xverify:none
      #trust these packages for serialize for upgraded activemq
      wrapper.java.additional.24=-Dorg.apache.activemq.SERIALIZABLE_PACKAGES=java.lang,javax.security,java.util,org.apache.activemq,org.fusesource.hawtbuf,com.ca,com.ca.usm.billing.ServiceManager,wv,sun
      While adding the entry "wrapper.java.additional.24", maintain the step sequence.
    2. Save the file.
    3. Restart the CA Service Catalog services.
  3. (Optional) If Service Catalog is accessed from applications like ServicePoint, SharePoint and so on, you must perform this step. Open the "web.xml" file located at %USM_HOME%\view\webapps\usm\WEB-INF and update the respective parameter values for the parameter names "cors.allowed.origins" and "cors.support.credentials". For example, if you are using Catalog Widgets in Unified Self Service and ServicePoint:
    • Search the parameter name "cors.allowed.origins" and update the respective parameter value as shown here.
      Hostname in the below URL address must be provided in lower case.
      <param-name>cors.allowed.origins</param-name>
      <param-value>http://<usshostname>:<ussport>,http://<servicepointhostname>:<servicepointport></param-value>
    • Search the parameter name "cors.support.credentials" and update the respective parameter value to true as shown here.
      <param-name>cors.support.credentials</param-name>
      <param-value>true</param-value>
    Retain the default configuration in web.xml, if no other application is accessing catalog:
      <param-name>cors.allowed.origins</param-name>
      <param-value>*</param-value>
      <param-name>cors.support.credentials</param-name>
      <param-value>false</param-value>
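A way to check the two CORS parameters after editing web.xml, shown here as an added example that is not part of the product or its documentation. The function names, the example.test hostnames and the sample web.xml fragment are assumptions constructed for illustration; the checks cover the lower-case hostname rule above, the origin format, and a wildcard origin left in place while credentials are switched on.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit


def sample_web_xml(origins, credentials):
    """Build a constructed web.xml fragment (sample input, not the product's file)."""
    return f"""<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <filter>
    <init-param>
      <param-name>cors.allowed.origins</param-name>
      <param-value>{origins}</param-value>
    </init-param>
    <init-param>
      <param-name>cors.support.credentials</param-name>
      <param-value>{credentials}</param-value>
    </init-param>
  </filter>
</web-app>"""


def cors_params(web_xml_text):
    """Return {param-name: param-value} for every cors.* parameter."""
    params, name = {}, ""
    for element in ET.fromstring(web_xml_text).iter():
        local = element.tag.rsplit("}", 1)[-1]  # ignore the XML namespace
        text = (element.text or "").strip()
        if local == "param-name":
            name = text
        elif local == "param-value":
            if name.startswith("cors."):
                params[name] = text
            name = ""
    return params


def audit_cors(web_xml_text):
    """Return a list of findings; an empty list means the checks passed."""
    params = cors_params(web_xml_text)
    raw = params.get("cors.allowed.origins", "")
    origins = [o.strip() for o in raw.split(",") if o.strip()]
    # A missing parameter is treated as the page's stated default (false).
    credentials = params.get("cors.support.credentials", "false").lower() == "true"
    findings = []
    if "*" in origins and credentials:
        findings.append("cors.allowed.origins=* combined with cors.support.credentials=true")
    for origin in origins:
        if origin == "*":
            continue
        parts = urlsplit(origin)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            findings.append(f"{origin}: expected http(s)://host:port")
            continue
        if parts.netloc != parts.netloc.lower():
            findings.append(f"{origin}: hostname must be lower case")
        if parts.path or parts.query or parts.fragment:
            findings.append(f"{origin}: an origin carries no path, query or fragment")
    return findings


if __name__ == "__main__":
    good = sample_web_xml("http://uss01.example.test:8080,http://sp01.example.test:9090", "true")
    risky = sample_web_xml("*", "true")
    typo = sample_web_xml("http://USS01.example.test:8080,http://sp01.example.test:9090/", "true")
    for label, xml_text in (("good", good), ("risky", risky), ("typo", typo)):
        print(label, audit_cors(xml_text))
```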
Update the Login Logo file for Shared Filestore
After successful installation of CA Service Catalog 17.3, if you have a shared filestore, you need to merge the logon.css file from USM_HOME\filestore\themes\common\css\ to your filestore location. Changes for the logo are found in the .loginlogoimage class. This is required to avoid multiple overlap of login logo files.
If you notice overlapping of login logo files after making the above changes, try clearing your browser cache.
Update MaxKeepAliveRequests
If you installed CA EEM 12.6.0.5 in a clustered setup and updated the MaxKeepAliveRequests property in the Apache proxy.conf file to meet the CA EEM installation requirements, now reset the MaxKeepAliveRequests property to its original value.
The installation or upgrade program backs up your existing CA EEM data to the following location:
USM_HOME\conf-backup\upgrade-eem-backup.xml
Assign the Service Delivery Administrator Role to a User
Typically, the CA Service Catalog installation creates a user named spadmin and assigns it the Service Delivery administrator role. This user has complete control of the Catalog system. By default, the user name and the password are the same.
However, if all of the following conditions exist, then the installation cannot create this user.
  • You have installed CA Service Catalog for the first time (not upgraded).
  • CA EEM is already installed.
  • CA EEM is already configured to use an external store, such as Microsoft Active Directory.
In this case, assign the Service Delivery Administrator role to another user. Doing so enables this user to log in to CA Service Catalog using the Service Delivery Administrator role. You can also assign the Service Delivery Administrator role to additional users. Doing so is optional but is beneficial if redundancy is important in your organization.
Follow these steps:
  1. Open the CA Service Catalog command prompt by clicking Start, Programs, CA, Service Catalog, Service Catalog Command Prompt.
  2. Enter the following command at the CA Service Catalog command prompt:
    ant add-spadmin-user
    For a list of ant commands and their descriptions, open a command window and enter ant -p.
  3. Follow the prompts to add the spadmin administrator role to a specific user, using the following information:
    • If CA EEM is configured to use an external directory (such as Microsoft Active Directory), specify an existing user name.
    • The command utility creates the user in the CA Service Catalog user database if both of the following conditions exist:
      • CA EEM is not configured to use an external directory.
      • The user name that you specify is new.
    • The command utility does not prompt you for the password of the new or updated user.
    • If CA EEM is configured to use an external directory, the password is defined and stored in the external directory.
    • The new password is the same as the user name, if both of the following conditions exist:
      • CA EEM is not configured to use an external directory.
      • The user name that you specify is new.
  4. If necessary, cancel and rerun the ant add-spadmin-user command to correct any errors.
  5. Verify that the new or updated user can log in to CA Service Catalog as a Service Delivery Administrator and can perform the spadmin functions.
  6. (Optional) Instruct the new user to change the password.
You have assigned the Service Delivery Administrator role to a user.
(Optional) Apache Tomcat Server – AJP Connector Configuration
Perform the following steps if you have configured CA Service Catalog with Apache Tomcat Load balancer:
  1. Navigate to where Apache Tomcat is installed and open the worker.properties file.
  2. Add a secret to each worker node in the worker.properties file as shown below:
    worker.<JVMRoute>.secret=<Secret_value>
    For example:
    worker.COMPUTER2_USMView.secret=<xxxx>
    This attribute must be specified with a non-null, non-zero length value. For more details refer to AJP Connector.
  3. Restart Apache Tomcat server.
Apache Tomcat Server (Tomcat 8.5.43)
Perform the following steps on the Apache Tomcat Server (Tomcat 8.5.43):
  1. Open the server.xml file in each CA Service Catalog node in USM_HOME/view/conf.
  2. Locate and update the AJP connector in the server.xml file by adding the following attributes:
    <Connector port="8009" enableLookups="false" redirectPort="8443" tomcatAuthentication="false"
      maxThreads="400" minSpareThreads="25" maxSpareThreads="100" protocol="AJP/1.3"
      address="0.0.0.0"
      requiredSecret="<Secret_value>" />
    Replace <Secret_value> with the value that you have provided in the worker.properties file of the Apache server.
  3. Restart Tomcat server.
  4. Perform the above steps on all CA Service Catalog servers.
Apache Tomcat Server (Tomcat 8.5.51 or higher)
Perform the following steps on the Apache Tomcat server (Tomcat 8.5.51 or higher):
  1. Open the server.xml file in each CA Service Catalog node in USM_HOME/view/conf.
  2. Locate and update the AJP connector in the "server.xml" file by adding the following attributes:
    <Connector port="8009" enableLookups="false" redirectPort="8443" tomcatAuthentication="false"
      maxThreads="400" minSpareThreads="25" maxSpareThreads="100" protocol="AJP/1.3"
      address="0.0.0.0"
      secret="<Secret_value>" />
    Replace <Secret_value> with the value that you have provided in the worker.properties file of the Apache server.
    From Apache Tomcat 8.5.51 onwards, the attribute name "requiredSecret" is changed to "secret".
  3. Restart Tomcat Server.
  4. Perform the above steps on all CA Service Catalog servers.
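A consistency check for the AJP secret across worker.properties and each node's server.xml, as an added example that is not part of the product or its documentation. It assumes the worker name equals the jvmRoute attribute on the node's Engine element (as in worker.<JVMRoute>.secret above) and that the Tomcat version passed in is on the 8.5.x line; the function names, the secrets and the server.xml fragment are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample input: two workers, one of them left without a secret.
WORKERS = """\
worker.list=loadbalancer
worker.COMPUTER1_USMView.type=ajp13
worker.COMPUTER1_USMView.secret=constructed-secret-1
worker.COMPUTER2_USMView.type=ajp13
worker.COMPUTER2_USMView.secret=
"""


def server_xml(jvm_route, secret_attribute, secret_value):
    """Build a constructed server.xml for one node (sample input)."""
    return f"""<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" />
  <!-- <Connector port="8010" protocol="AJP/1.3" /> -->
  <Connector port="8009" protocol="AJP/1.3" address="0.0.0.0"
             {secret_attribute}="{secret_value}" />
  <Engine name="Catalina" defaultHost="localhost" jvmRoute="{jvm_route}" />
</Service></Server>"""


def worker_secrets(text):
    """Map each worker name to its secret ('' when none is set)."""
    secrets = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        parts = key.split(".")
        if len(parts) == 3 and parts[0] == "worker":
            secrets.setdefault(parts[1], "")
            if parts[2] == "secret":
                secrets[parts[1]] = value
    return secrets


def audit_node(workers_text, server_xml_text, tomcat_version):
    """Return findings for one node; the secrets themselves are never echoed."""
    root = ET.fromstring(server_xml_text)
    engine = root.find(".//Engine")
    route = engine.get("jvmRoute") if engine is not None else None
    # Attribute name per the page: requiredSecret before 8.5.51, secret from 8.5.51.
    expected, other = "secret", "requiredSecret"
    if tomcat_version < (8, 5, 51):
        expected, other = other, expected
    findings = []
    worker_secret = worker_secrets(workers_text).get(route, "")
    if not worker_secret:
        findings.append(f"worker.{route}.secret is missing or empty")
    for conn in root.iter("Connector"):  # commented-out connectors are not parsed
        if not conn.get("protocol", "").startswith("AJP"):
            continue
        port, value = conn.get("port"), conn.get(expected, "")
        if not value and conn.get(other):
            findings.append(f"AJP connector {port}: uses '{other}', expected '{expected}'")
            value = conn.get(other)
        if not value:
            findings.append(f"AJP connector {port}: no secret configured")
        elif worker_secret and value != worker_secret:
            findings.append(f"AJP connector {port}: secret differs from worker.{route}.secret")
    return findings


if __name__ == "__main__":
    node1 = server_xml("COMPUTER1_USMView", "secret", "constructed-secret-1")
    node2 = server_xml("COMPUTER2_USMView", "requiredSecret", "constructed-secret-2")
    print(audit_node(WORKERS, node1, (8, 5, 51)))
    print(audit_node(WORKERS, node2, (8, 5, 57)))
```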
Change Your Password
Changing the password is especially recommended for the user named spadmin (the Service Delivery administrator). In addition, you can also change it at any time, for various security-related reasons.
Follow these steps:
  1. Log in to CA Service Catalog with your current user name and password.
  2. Click Profile.
  3. Click the Change Password button at the top right of the page.
  4. Enter your old and new passwords in the fields provided.
  5. Click OK.
You have changed your password.
Create Users and Services
Once you have installed CA Service Catalog:
  • Set up users, user groups, business units, and accounts.
  • Create and customize services that users can request from the catalog.
  • Configure the processes for managing, approving, and billing for requested services.
For more information about how to perform these tasks, see Service Accounting.
Do not add users, delete users, or change user information using CA EEM. We recommend that you use CA Service Catalog for managing users. CA EEM is then updated accordingly.
Reset the JMS Port Number
Reset the JMS port number only if you specified 7777 as the CA Service Catalog startup or shutdown port when you ran the installation program. We recommend that you do not use port 7777 as the startup or shutdown port. Port 7777 is reserved for Java Messaging Service (JMS).
If you must use port 7777 for the startup or shutdown port, reset the JMS port number after you have finished running the setup utility. Otherwise, port conflicts occur, and the product does not function correctly.
Follow these steps:
  1. Open the file that is named USM_HOME/config.properties in a text editor.
  2. Update the value of the jms.port property to a new value.
  3. Restart the Windows service named CA Service Catalog.
You have reset the JMS port number.
Install and Integrate Additional Process Automation Tools
For best performance, CA Service Catalog requires a process automation tool. You can use CA Process Automation to automate processes in CA Service Catalog. Even though you can install CA Process Automation at any time, we recommend that you install CA Process Automation with CA Service Catalog using the CA Service Management Installer.
If you install two or more instances of CA Service Catalog, implement clustering before you integrate CA Service Catalog with CA Process Automation.
Upgrade JRE (AdoptOpenJDK) 11.0.3 or later
The CA Service Catalog installation program automatically installs the Java Runtime Environment (JRE). We recommend that you use the JRE version 11.0.3 that is installed by CA Service Catalog. You can configure CA Service Catalog to use or replace the JRE version, if required, as follows.
Follow these steps:
  1. Get JRE version 11.0.3 or later from AdoptOpenJDK or one of its affiliated sites. Select Windows, x64-bit and download the JRE zip file. Copy the zip file to the Service Catalog server and extract it.
  2. Launch the Service Catalog command prompt from the installed location of Service Catalog (USM_HOME\usm.cmd). Enter the following command:
    ant upgrade-jre
    Ignore the "unable to locate tools.jar" warning message.
  3. Stop CA Service Catalog services, when prompted.
  4. Enter folder path where you have extracted JRE:
    For example: C:\OpenJDK11U-jre_x64_windows_hotspot_11.0.6_10
  5. Enter JRE version number. For example, 11.0.6.
  6. After successful upgrade, restart all CA Service Catalog services.
Enhance Security
To enhance security in your CA Service Catalog implementation, consider making the following configuration changes:
  • Disable the Apache JServ Protocol (AJP) port, port 8009, while performing the initial setup, if you are not implementing clustering.
    To disable AJP, edit the USM_HOME\view\conf\server.xml file and verify that the AJP tags are commented out.
  • Reduce the timeout of CA Service Catalog user sessions. By default, sessions time out after 60 minutes of inactivity.
    To reduce the timeout, log in to CA Service Catalog, click Administration, Configuration, User Default. Adjust the Session Timeout parameter.
  • Configure the CA EEM password policies to be more secure, if CA EEM is not configured to use an external directory.
    Specifically, consider locking user accounts after three to five failed login attempts. To set this value, log in to CA EEM and click Configure, EEM Server, Password Policies.
  • Update the list of roles that can run web services. By default, only the Certificate user and users with the service provider (SP) administrator role can run web services.
    To change this list, log in to CA EEM with the Application set to Service Catalog. Click Manage Access Policies, Policies, Access Policies, USM_Resource. Edit the policy whose permissions you want to update, and add the resource that is named usm_webservice__all to that policy.
    For more information about editing these policies, see your CA EEM documentation.
  • Enable Secure Socket Layer (SSL) for web services so that passwords are not sent in plain text when you use the logIn(String, String, String) method. If SSL is not available, consider using the logInToken(String) method instead. This method takes a CA EEM artifact as a parameter and is encrypted.
  • Install antivirus software on the filestore computer, if you are using a filestore (a single location for shared files). We recommend that you use a filestore.
  • Harden CA Service Catalog computers.
    Hardening is the process of securing a computer by removing or disabling components or access points, to render the computer less vulnerable to outside attacks. Hardening can include disabling all ports on a computer initially and afterwards manually enabling individual ports as needed. Other basic hardening steps include the following: limit the number of users permitted access to a computer, strengthen password and access control, install intrusion-detection software, and close ports.
Set Up Single Location for Shared Files
If you have installed Catalog Component on multiple computers (either clustered or non-clustered), we recommend that you set up a single location for shared files. Shared files can include documents, reports, images of services, data mediation files, customizations, and forms.
By default, the location for shared files is the USM_HOME\filestore folder on every Catalog Component computer. This folder contains several subfolders. However, for optimal efficiency, you can specify one location on a single computer that all Catalog Component computers share. This single location is named the central filestore or filestore. The computer on which the filestore resides can have Catalog Component installed. However, Catalog Component is not required on that computer.
If you have installed Catalog Component on multiple computers and you do not set up a filestore, then verify that the individual filestores on all Catalog Component computers are synchronized.
If you have installed Catalog Component on a single computer, this entire process does not apply, so you can skip it.
Modify the Plugin Properties File
In the Service Catalog, you can add your own plugins. The plugin properties file is in the filestore. You can access any file from the filestore by accessing a URL: http://<localhost>:8080/usm/FileStore/custom/locale/icusen/forms/plugin.properties
The plugin properties file contains sensitive information like database, passwords, and so on. If you want to restrict access to any such sensitive information, you can modify the ESAPI.properties file. To enable restriction regarding file browsing, set the ISENABLED value to true for the following. The default value is false.
  • filestroreValidation.ISENABLED=True
  • filestroreValidation.FILEPATTREN=
    For file pattern, you can provide values like properties, xml, or Java.
    • To block read access to properties files, configure the following:
      filestroreValidation.FILEPATTREN=properties
    • To block read access to xml files, configure the following:
      filestroreValidation.FILEPATTREN=xml
    You can block only one type of file. You cannot block a Java file if you have already blocked an XML file.
  • filestroreValidation.FILEPATH=
    If you want to prevent access to any file from a particular folder, you can configure this attribute. For example, if you want to prevent access to any file in the USMHOME/FileStore/custom/locale/icusen/forms folder, configure the following:
    //custom//locale//icusen//forms
  • filestroreValidation.FILENAME=
    To prevent access to any specific file with or without a parent folder, you can configure this attribute:
    filestroreValidation.FILENAME=custom_form.xml
Retain the Default Location for Shared Files
Setting up a single location for shared files helps improve the accuracy and efficiency of sharing files between computers.
Follow these steps:
  1. Verify that all computers on which CA Service Catalog is installed have a trusted domain relationship. This trusted relationship enables user accounts and global groups to be used in a domain other than the domain where the accounts are defined.
  2. Start the CA Service Catalog service with the login credentials of the Windows user that has read/write access to the shared location. If necessary, change the login credentials for the CA Service Catalog service to meet these requirements, as follows:
    1. Select Administrative Tools, Services.
    2. Right-click the service, click Properties, click the Log On tab, and enter the login credentials.
    3. Save the changes and restart the service.
  3. Share the USM_HOME\filestore folder on the first CA Service Catalog computer as the filestore for all CA Service Catalog computers.
Set Up a Custom Location for Shared Files
You can create a custom location for shared files.
Follow these steps:
  1. Share the folder to use as the filestore.
  2. Verify that the Windows operating system users who are updating the filestore have read/write access to this folder.
  3. Use the UNC path in the format \\computer-name\folder-name to specify the location of the filestore.
  4. Start the Catalog Component service with the logon credentials of the Windows user who requires access to the folder.
  5. Select Administration, Configuration, Filestore Information.
  6. Perform the following steps:
    1. Click the Edit icon for the Filestore Location variable.
    2. In the Filestore Location field, specify the UNC path name of the shared drive you defined in a previous step, for example: \\big-computer\Shared_USM\filestore or \\big-computer\filestore.
    3. Click Update Configuration.
    4. Click Test to verify the validity of the share.
      This test returns a successful connection test message if the filestore can be used to store files that are uploaded by users.
      Testing the filestore is mandatory.
  7. Perform the action that applies:
    • If the test succeeds, copy the entire contents of the USM_HOME\filestore folder to the new location.
    • If the test fails, reconfigure the share. Also, verify that all the CA Service Catalog services that are accessing the share have the same, valid credentials.
  8. Recycle all CA Service Catalog services on all computers.
Verify that Browser Security Settings Permit Login
This topic applies only if you are using Internet Explorer to access CA Service Catalog. Your browser security settings can prevent you from seeing the user name and password prompts when you attempt to log in to CA Service Catalog. Therefore, verify your browser security settings to ensure that you can access CA Service Catalog.
Follow these steps:
  1. Open Internet Explorer on the computer you want to use for accessing CA Service Catalog.
  2. Enter the URL to start CA Service Catalog in the browser address field, in the following format:
    http://computer-name:port number/usm/
    • computer-name
      Specifies the name of the computer that you want to log in to.
    • port number
      Specifies the CA Service Catalog port number of that computer.
  3. Verify that you see the CA Service Catalog login page, including the user name and password prompts.
    If Yes, this verification procedure is complete, and you can skip the remaining steps.
    If No, complete the remaining steps.
  4. On the Internet Explorer browser, open Internet Options, click Security, and perform one of the following steps:
    • Change the security level for the Local Intranet to Medium-High or Medium
    • Add the login URL for CA Service Catalog to your Trusted sites
  5. Close and reopen your browser.
  6. Enter the URL to start CA Service Catalog in the browser address field. Verify that you see the CA Service Catalog login page with the user name and password prompts.
You have verified your browser security settings to ensure that you can access CA Service Catalog.
Efficient Tomcat Access Log Rotatable (Optional)
It is recommended that you change the Tomcat Rotatable Access to True. This prevents excessive growth of the Tomcat access log file and the eventual slowdown of the Tomcat Web Server.
Perform the following steps:
  1. Navigate to the %USM_HOME%\view\conf\ location and open the server.xml file in Edit as an Administrator.
  2. Search for:
    prefix="tomcat_view" suffix=".log" pattern="common" resolveHosts="false" rotatable="false"/>
  3. Replace it with:
    prefix="tomcat_view" suffix=".log" pattern="common" resolveHosts="false" rotatable="true"/>
  4. Save and close the file.
  5. Restart the CA Service Catalog Services.
Configure CA Service Catalog with CA EEM over TLS 1.2
To configure CA Service Catalog with CA EEM over TLS 1.2, Enable TLS 1.2 in CA EEM 12.6