HP Cloud Service Automation and HP Virtualization Performance Viewer Integration with HP

Technical white paper | HP Cloud Service Automation and HP Virtualization Performance Viewer integration with HP Single Sign on

Technical white paper

HP CSAand HP vPVintegration with HP SSO

Table of Contents

Apply Hotfix for HP CSA 4.01

Configuration Changes in HP CSA4.01 Hotfix

Apply Hotfix for HP vPV 1.2.0

Configuration Changes on HP vPV 1.2.0 Hotfix

Configuring HP CSA and HP vPV

Known Issues

For More Information

Purpose

HP Cloud Service Automation (HP CSA) orchestrates the deployment of infrastructure to provide private cloud, public cloud or hybrid cloud for the end users. HP Virtualization Performance Viewer (HP vPV)helps end users to monitor the resources utilization and forecast in the virtualized and cloud environment. HP CSA and HP vPV are both web based solutions which require users to login to view or perform the corresponding activities. The same user who logs into HP CSA to deploy the infrastructure would also like to monitor the performance of the infrastructure deployed without having to re-login to HP vPV. This is achieved by integrating HP CSA and HP vPV both with single sign-on.

NOTE:Support for single sign-on requires the HP CSA and HP vPV servers to belong to the same domain.

The user who logs into HP CSA to deploy the infrastructure will be able to monitor the infrastructure without having to re-login to HP vPV. But user who has logged into HP vPV and not HP CSA will have to login to HP CSA specifically. The logout of HP vPV will not logout of the HP CSA MPP portal for that user and organization.

This document has detailed steps to configure HP CSA4.01 to support single sign-on integration with other HP applications via HP SSO. Supporting single sign-on integration with HP CSA 4.01 is broadly classified into following categories.

•Apply Hotfix for HP CSA 4.01

•Configuration Changes on HP CSA4.01 Hotfix

•Apply Hotfix for HP vPV

•Configuration Changes on HP vPV 1.2.0 Hotfix

•Configuring HP CSA and HP vPV

Apply Hotfix for HP CSA 4.01

The HP CSA hotfix to add support for HP Single Sign-On (HP SSO) updates two components of the CSA system: Identity Management (IdM) and Marketplace Portal (MPP).The hotfix is a consolidated fix which contains the changes for both the components.

Following are the activities to be performed to apply the hotfix.

1. Take back-up of the files and folders mentioned below

$CSA_HOME\portal -All files and folders inside the portal folder

$CSA_HOME\jboss-as-7.1.1.Final\standalone\deployments\idm-service.war

-All files inside the idm-service.war folder

$CSA_HOME\jboss-as-7.1.1.Final\modules\org\apache\httpcomponents\main

- httpclient-4.1.2.jar

- httpcore-4.1.4.jar

1. Stop the HP CSA service and HP Marketplace Portal service after making sure that, new subscriptions are not being created, and that existing subscriptions are not being modified.
2. Extract the contents of the QCCR1D182605.zip file to a temporary location. Some of the file paths might be too long for the Windows zip utility, so you may need to use something like 7zip.

Update MPP:

1. Navigate to the $CSA_HOME directory.
2. Rename the 'portal' directory to portal-old.
3. Copy the 'portal' directory from the temporary location to $CSA_HOME.
4. Open the $CSA_HOME\portal directory in a command shell (e.g C:\Program Files\Hewlett-Packard\CSA\portal)
5. Run the following commands:

cd <CSA_HOME>\portal
..\node.js\node.exe bin\setup.js
..\node.js\node.exe bin\install_mpp.js

1. Navigate to the $CSA_HOME\portal\conf directory and rename mpp.json to mpp.json.orig.
2. Copy the following files from under $CSA_HOME\portal-old\node_modules\mpp-server\conf to $CSA_HOME\portal\conf
3. mpp_keystore
4. keyfile
5. mpp.json

NOTE:If there are multiple MPP portals deployed, repeat update MPP steps for each portal.HP Marketplace Portal service will be started after running the above commands. Make sure the service is re-started after all the configurations are complete.

Update IDM:

1. Delete the $CSA_HOME\jboss-as-7.1.1.Final\standalone\deployments\idm-service.war directory after ensuring the backup of this directory is taken.
2. Copy the idm-serive.war directory from the temporary location to $CSA_HOME\jboss-as-7.1.1.Final\standalone\deployments.
3. Delete any deployment files like $CSA_HOME\jboss-as-7.1.1.Final\standalone\deployments\idm-service.war.deployed and $CSA_HOME\jboss-as-7.1.1.Final\standalone\deployments\idm-service.war.failed of idm-service.war from $CSA_HOME\jboss-as-7.1.1.Final\standalone\deployments directory.
4. Create a new file $CSA_HOME\jboss-as-7.1.1.Final\standalone\deployments\idm-service.war.dodeploy at $CSA_HOME\jboss-as-7.1.1.Final\standalone\deployments directory.

Update Apache Components:

1. Copy the directory jboss-as-7.1.1.Final\modules\org\apache\httpcomponents\main from the temporary location to $CSA_HOME\jboss-as-7.1.1.Final\modules\org\apache\httpcomponents\main directory. Ensure backup of the files are taken as mentioned in the backup instructions. Overwrite the files if it prompts.

Following are the activities to be performed after applying the hotfix.

1. After the changes have been applied, verify that no change is missed.
2. Clear the browser cache.
3. Start the HP CSA service and re-start HP Marketplace Portal service. Examine server.log to verify that the changes are deployed correctly.

Configuration Changes in HP CSA4.01 Hotfix

HP SSO configuration is mainly dependent on the 4 files: web.xml, applicationContext-security.xml, applicationContext-v0.xml, and hpssoConfig.xml. The above mentioned files have other configuration also including HP SSO configuration. The HP SSO configuration sections are highlited with a comment in the configuration files.

Make sure following files have been backed up before applying the hotfix as part of the hotfix applying process.

Files in $CSA_HOME\jboss-as-7.1.1.Final\standalone\deployments\idm-service.war\WEB-INF directory

1. web.xml
2. hpssoConfig.xml

Files in $CSA_HOME\jboss-as-7.1.1.Final\standalone\deployments\idm-service.war\WEB-INF\spring directory

1. applicationContext.properties
2. applicationContext.xml
3. applicationContext-common.xml
4. applicationContext-security.xml
5. applicationContext-v0.xml

Stop HP CSA service and HP Marketplace Portal service.

web.xml Changes:

The web.xml file is available at $CSA_HOME\jboss-as-7.1.1.Final\standalone\deployments\idm-service.war\WEB-INF of the HP CSA install directory.

In the web.xml file, the only configuration is the location of the HP SSO configuration file location.

Update hpssoConfig.xml file’s path in the highlighted section of the web.xml file. If the web.xml file before the hotfix contained any specific changes to the environment, please re-apply the changes copying from the backed up web.xml file.

web.xml
...
<!-- START HP SSO Configuration -->
<listener>
<listener-class>com.hp.hpsso.HpSsoContextListener</listener-class>
</listener>
<context-param
<param-name>com.hp.sw.bto.ast.security.lwsso.conf.fileLocation</param-name>
param-value>C:\Program Files\Hewlett-Packard\CSA\jboss-as-7.1.1.Final\standalone\deployments\idm-service.war\WEB-INF\hpssoConfig.xml</param-value>
</context-param
<!-- END HP SSO Configuration -->
...

hpssoConfig.xml Changes:

The hpssoConfig.xml file is available at $CSA_HOME\jboss-as-7.1.1.Final\standalone\deployments\idm-service.war\WEB-INF\ of the HP CSA install directory.

The hpssoConfig.xml file contains the HP SSO configuration. The web.xml file contains the name and location of the hpssoConfig.xml as highlighted previously.This file can be renamed and placed anywhere and correspondingly web.xml has to be modified to reflect the name and location.

All applications that support HP SSO needs to have the same cryptography and signing settings as mentioned in hpssoConfig.xml. The domain name specified in this hpssoConfig.xml should be the same as the domain name mentioned in the other applications supporting HP SSO. All the applications should be in the same domain.

Replace the domain name place holder highlighted below in the hpssoConfig.xml file. The applied hotfix already contains the place holder.

The initString place holder in the crypto tag has to be updated to reflect the same initString which is part of the other applications’ HP SSO configuration. Update the highlighted place holders below to be same as the HP SSO configurations in other applications.

hpssoConfig.xml
<!--hpssoConfig is root element. required-->
hpssoConfig
<!--
creation tag is optional. If the server you are configuring is the authentication point, it means it is the server that creates the lwsso tokens, then this tag is required. Without this tag the configured server cannot issue tokens.
Inline attributes:
useHTTPOnly- whether to create lwsso token only for HTTP request - TODO!!!
secureHTTPCookie
tokenGlobalTimeout - time is seconds to laps since token's creation for the token to become invalid,even if the user was active the whole time
tokenIdleTimeout- time in minutes to laps since token's creation for the token to become invalid, If the user's session was idle.
divideRatio - time in minutes. tokens and their decrypted value are cached so as to speed up the requests handling. Divide ratio means, when a cached token should be cleared from the cache and be decrypted anew. HPSSO uses the formula: tokenIdleTimeout/divideRatio
-->
<creation tokenGlobalTimeout="1440" tokenIdleTimeout="1440">
<!-- lwsso is required -->
<lwsso
<!-- domain is required
HPSSO 1.0 version supports a single domain only.
All servers using HPSSO should have the same domain
and it should be denoted in this tag
-->
creationDomains
<domain>domain.com</domain>
</creationDomains
</lwsso
</creation>
<!-- Required
In line attributes:
httpConnectionTimeOut - stands for time in minutes to wait for an http connection to be acquired
(if HP SSO is to generate http requests, for example, for authenticating an integration user).
-->
<global httpConnectionTimeOut="1">
<!-- lwsso tag is required as a nested tag of global
- If the configured server is protected by a lwssovalidator, or issuing lwsso tokens
-->
<lwsso
<!-- crypto is required.
It defines how to encrypt the tokens and how to decrypt
them
All inline attributes have default values (denoted
here) save initString.
initString - is the key for decryption of the lwsso
token. This is the shared secret of all servers
protected by lwsso and connected to the same
authentication point server; therefore, it
must be identical in all configurations of all servers
in the system.
(all other values are defaults)
-->
<crypto initString="Init string must be replaced for production"cipherType="symmetricBlockCipher" engineName="AES"
paddingMode="CBC" keySize="256" encodingMode="Base64Url" algorithmPaddingName="PKCS7Padding"
checkIntegrity="disabled" cryptoSource="lw" directKeyEncoded="false" directKeyEncoding="Hex"
jcePbeAlgorithmName="PBEWithHmacSHA1" jcePbeMacAlgorithmName="PBEWithHmacSHA1"
macAlgorithmName="SHA1" macKeySize="256" macPbeCount="20" macType="hmac"
pbeCount="20" pbeDigestAlgorithm="SHA1"/>
<!-- Optional tag. however, if configured, then it must
be configured on all entities in the system.-->
<!--
<sign lookForKeyStoreInClasspath="false" algorithmName="SHA256withRSA" keyStorePassword="topazPwd"
privateKeyPassword="mercuryPwd" keyStorePath="C:\MSM" privateKeyDefaultAliasName="lwsso"
certificateDefaultAliasName="lwsso" keyStoreName="lwsso" keyStoreType="JKS"
providerName="Default Provider Name" />
-->
</lwsso
<!--
securityAttributes UUID="UUID" USERNAME="USERNAME" USERFIRSTNAME="USERFIRSTNAME" USERLASTNAME="USERLASTNAME"
TOKEN_DIVIDE_RATIO="TOKEN_DIVIDE_RATIO" CUSTOMERID="CUSTOMERID" TOKENID="TOKENID"
TOKEN_GLOBAL_TIMEOUT="TOKEN_GLOBAL_TIMEOUT" LOCALE="LOCALE" AUTHORIZED_TENANTS="AUTHORIZED_TENANTS"
CREATION_DOMAIN="CREATION_DOMAIN" MULTI_DOMAIN_TOKEN_LOGOUT_APPS="MULTI_DOMAIN_TOKEN_LOGOUT_APPS"
SECURE_COOKIE="SECURE_COOKIE" IS_HTTP_ONLY_COOKIE="IS_HTTP_ONLY_COOKIE"
TOKEN_CREATION_TIME="TOKEN_CREATION_TIME" TOKEN_IDLE_TIMEOUT="TOKEN_IDLE_TIMEOUT" ROLES="ROLES"
GROUPS="GROUPS"
-->
<securityAttributesuuidHeader="UUID"
userNameHeader="HPSSO.userNameHeader"
firstNameHeader="HPSSO.USERFIRSTNAME" lastNameHeader="HPSSO.USERLASTNAME"
tokenDivideRatioHeader="HPSSO.TOKEN_DIVIDE_RATIO" customerIdHeader="HPSSO.CUSTOMERID"
tokenIdHeader="HPSSO.TOKENID" tokenGlobalTimeoutHeader="HPSSO.TOKEN_GLOBAL_TIMEOUT"
localeHeader="HPSSO.LOCALE" authorizedTenetsHeader="HPSSO.AUTHORIZED_TENANTS"
creationDomainHeader="HPSSO.CREATION_DOMAIN"
multiDomainTokenLogoutAppsHeader="HPSSO.MULTI_DOMAIN_TOKEN_LOGOUT_APPS"
secureCookieHeader="HPSSO.SECURE_COOKIE" isHttpOnlyCookieHeader="HPSSO.IS_HTTP_ONLY_COOKIE"
tokenCreationTimeHeader="HPSSO.TOKEN_CREATION_TIME"
tokenIdleTimeOutHeader="HPSSO.TOKEN_IDLE_TIMEOUT" rolesHeader="ROLES"
groupHeader="GROUPS"/>
<!-- optional
This tag defines how tokens are cached.
Attributes:
manager - which type of caching to do? HP SSO single
point cache or WEB_CONTAINER that uses the web server
session. ALL - mean the tokens are cached in both
places. Recommended is the HPSSO option
refresh - time to laps is minutes since token first
cache time till it is cleared from the cache.
Recommended value is twice the formula
expirationTime/divideRatio
-->
<sessionManager manager="HPSSO" refresh="30"/>
</global>
<!-- validation tag is required-->
<validation>
<!-- defines which URL are to be considered as log out
URLs.
request for a logout URL is always valid. However, before
passing on the request, the user's token is
invalidated
-->
<logoutURLs
<!-- Can hold a specific URL or a java like regular
expression, to cover a group of URLs-->
url>.*/logout</url>
</logoutURLs
<!-- defines which URL are to be considered as not
protected by HPSSO.
A request to a non-secured URL is always valid.
-->
<nonSecureURLs
<!-- Can hold a specific URL or a java like regular
expression, to cover a group of URLs-->
</nonSecureURLs
<!-- defines what HPSSO does upon invalidation of a request
There are 4 types of actions that can be performed:
1. redirect to the authentication point
2. redirect to a regular URL (can be the
authentication point, but will be handled
differently)
3. return an error status code (default)
4. delete security context
Each action can be configured on which URLs it is
applicable.
Alternatively one may configure on which URLs it is
NOT applicable.
-->
<onFailure
<!-- delete security context from session or request:
This is the default behavior on the authentication
point server (the HP SSO master)
-->
<action name="deleteSecurityContext">
<value>403</value>
<targetUrl>403</targetUrl
<includeUrls
<url>/*</url
</includeUrls
</action>
</onFailure
<!--
Required tag. List of validators to be applied on incoming
request. The order of the validators determines
the order of execution. The validators are applied to the
incoming request in the order in which they appear
in the configuration file.
If a validator fails and it is configured as mandatory,
then the request is deemed as invalid by HP SSO
and the consecutive validators are not executed.
If none of the validators in mandatory, then all of them
will be executed: If at least one of the
validators validates the request, then the request will
pass through. Alternatively, if at least one of the
validators fails, then the error of the first failure will
be surfaced by HP SSO as the root cause of the
failure.
all validators share one attribute *isMandatory* It is not
required to specify the inMandatory attribute.
By default its value is false.
"checkMDLogin": if validator fails request, do you want to
check if user is logged in on different domain?
Usually set "true" for lwssovalidator, and "false" for
returnStatusCode, but it's upon you.
-->
<validators
<custom isMandatory="false">
<class>com.hp.ccue.identity.hpsso.HpSsoValidator</class>
</custom>
</validators
</validation>
</hpssoConfig

applicationContext-security.xmlChanges:

The applicationContext-security.xml file is available at $CSA_HOME\jboss-as-7.1.1.Final\standalone\deployments\idm-service.war\WEB-INF\spring of the HP CSA install directory.

The applicationContext-security.xml file contains most of the HP SSO integration configuration.

The applied hotfix already contains these changes. Before applying the hotfix if this file contained any changes specific to the environment then re-apply the changes by copying from the backed up applicationContext-security.xml.

applicationContext-security.xml
...
<!-- START HP SSO Configuration -->
security:http pattern="/idm/v0/login" use-expressions="true" auto-config="false">
security:custom-filter ref="requestTokenCompositeFilter" position="FIRST" />
security:custom-filter ref="hpssoProvidedFilter" before="PRE_AUTH_FILTER" />
security:custom-filter ref="hpssoIntegrationFilter" after="PRE_AUTH_FILTER" />
security:http-basic />
</security:http
security:http pattern="/idm/v0/logout" use-expressions="true" auto-config="false">
security:custom-filter ref="requestTokenCompositeFilter" position="FIRST" />
security:custom-filter ref="hpssoProvidedFilter" before="PRE_AUTH_FILTER" />
security:custom-filter ref="hpssoIntegrationFilter" after="PRE_AUTH_FILTER" />
security:http-basic />
</security:http
<bean id="hpssoFederatingProvider" class="com.hp.ccue.identity.filter.certificate.CertificateLdapAuthenticationProvider">
<property name="config" ref="csaAuthConfig" />
<property name="templateFactory" ref="csaTemplateFactory" />
</bean>
security:authentication-manager id="hpssoAuthManager">
security:authentication-provider ref="hpssoFederatingProvider" />
</security:authentication-manager>
<bean id="hpssoProvidedFilter" class="com.hp.hpsso.api.HpSsoFilter" />
<bean id="hpssoIntegrationFilter" class="com.hp.ccue.identity.filter.hpsso.HpSsoFilter">
<constructor-arg ref="hpssoAuthManager" />
<property name="generateTokenUtil" ref="generateTokenUtil" />
<property name="tokenFactory" ref="tokenFactory"/>
<property name="loginRedirectionHandler" ref="loginRedirectionHandler"/>
</bean>
<!-- END HP SSO Configuration -->
...
<!-- START Certificate Authentication / SiteMinder SSO / HP SSO Configuration -->
<bean id="loginRedirectionHandler" class="com.hp.ccue.identity.filter.LoginRedirectionHandler">
<property name="tokenService" ref="tokenService"/>
</bean>
<bean name="generateTokenUtil" class="com.hp.ccue.identity.util.GenerateResponseTokenUtil" />
<!-- END Certificate Authentication / SiteMinder SSO / HP SSO Configuration -->

applicationContext-v0.xml Changes:

The applicationContext-v0.xml file is available at $CSA_HOME\jboss-as-7.1.1.Final\standalone\deployments\idm-service.war\WEB-INF\spring of the HP CSA install directory.

The applicationContext-v0.xml file configures to write the HP SSO token to the HP SSO cookie.

The applied hotfix already contains these changes. Before applying the hotfix if this file contained any changes specific to the environment then re-apply the changes by copying from the backed up applicationContext-v0.xml.

applicationContext-v0.xml
...
<!-- START HP SSO Configuration -->
<bean id="hpssoTokenWriter" class="com.hp.ccue.identity.hpsso.HpSsoCookieTokenWriter">
<property name="tokenStore" ref="tokenStore" />
<property name="tokenService" ref="tokenService" />
<property name="tokenFactory" ref="tokenFactory" />
</bean>
<!-- END HP SSO Configuration -->
<!--Authentication API -->
<bean id="authenticationApiController" class="com.hp.ccue.identity.web.api.AuthenticationController">
<property name="tokenService" ref="tokenService"/>
<property name="identityService" ref="identityService"/>
<!-- START HP SSO Configuration -->
<property name="tokenWriter" ref="hpssoTokenWriter" />
<!-- END HP SSO Configuration -->
</bean>
...

applicationContext.properties Changes:

The applicationContext.properties file is available at $CSA_HOME\jboss-as-7.1.1.Final\standalone\deployments\idm-service.war\WEB-INF\spring of the HP CSA install directory.

Update the hostname in the applicationContext.properties file to match the environment.

Replace the idm.csa.hostnameplace holder highlighted below in the applicatonContext.properties file. The applied hotfix already contains the place holder

applicationContext.properties
...
# Applies to REST invocation of both CSA and Keystone. If set to true, requires standard Java certificate validation
# and hostname verification to pass; if false, ignores certificate validation and hostname verification to simplify
# less rigorous deployments.
idm.ssl.requireValidCertificate = false
# Properties of CSA server that manages organization LDAP configurations
idm.csa.protocol = https
idm.csa.hostname = localhost
idm.csa.port = 8444
idm.csa.username = csaTransportUser
idm.csa.password = ENC(REtzeMhhAKGpZi7pFkdN8G89E2XcY6z8dmY5n5RodOw=)
idm.encryptedSigningKey=ENC(dzFE1yZw8E7x8xHklRqnHg==)
...

Before applying the hotfix if applicationContext.properties, applicationContext.xml and applicationContext-common.xml contained any changes specific to the environment then update the files with the changes by copying from the backed up files.