Table of Contents
Introduction
CSA configurations for SSO
Configuration on HP VPV
VPV reports on MPP
Known Issues
Troubleshooting issues
For more information
Introduction
HP Cloud Service Automation (HP CSA) orchestrates the deployment of infrastructure to provide private, public or hybrid cloud for end users. HP Virtualization Performance Viewer (HP vPV) helps end users monitor resource utilization and forecast it in virtualized and cloud environments. HP CSA and HP vPV are both web-based solutions that require users to log in to view or perform their corresponding activities. An HP CSA user subscribed to cloud infrastructure would like to monitor the performance of the deployed infrastructure without having to log in again to HP vPV. This is achieved by integrating HP CSA and HP vPV using single sign-on.
CSA configurations for SSO
web.xml
The web.xml file is available at $CSA_HOME\jboss-as-7.1.1.Final\standalone\deployments\idm-service.war\WEB-INF of the HP CSA install directory.
Update the path of the hpssoConfig.xml file in the highlighted section of the web.xml file.
The out-of-the-box (OOTB) hpssoConfig.xml is bundled at $CSA_HOME\jboss-as-7.1.1.Final\standalone\deployments\idm-service.war\WEB-INF\hpssoConfig.xml
web.xml...
<context-param>
<param-name>com.hp.sw.bto.ast.security.lwsso.conf.fileLocation</param-name>
<param-value>C:\Program Files\Hewlett-Packard\CSA\jboss-as-7.1.1.Final\standalone\deployments\idm-service.war\WEB-INF\hpssoConfig.xml</param-value>
</context-param>
...
hpssoConfig.xml
The hpssoConfig.xml file is available at $CSA_HOME\jboss-as-7.1.1.Final\standalone\deployments\idm-service.war\WEB-INF\ of the HP CSA install directory.
All applications that are integrated with HP SSO need to have the same cryptography and signing settings as those in hpssoConfig.xml. The domain name specified in this hpssoConfig.xml should be the same as the domain name configured in the other applications supporting HP SSO. All the applications should be in the same domain.
Replace the domain name placeholder highlighted below in the hpssoConfig.xml file.
The initString placeholder in the crypto tag has to be updated to the same initString that is part of the other applications’ HP SSO configuration. Update the highlighted placeholders below to be the same as the HP SSO configurations in the other applications.
hpssoConfig.xml
<!-- hpssoConfig is root element. required-->
<creationDomains>
<domain>domain.com</domain>
</creationDomains>
…
…
<crypto initString="Init string must be replaced for production" cipherType="symmetricBlockCipher" engineName="AES"
paddingMode="CBC" keySize="256" encodingMode="Base64Url" algorithmPaddingName="PKCS7Padding"
checkIntegrity="disabled" cryptoSource="lw" directKeyEncoded="false" directKeyEncoding="Hex"
jcePbeAlgorithmName="PBEWithHmacSHA1" jcePbeMacAlgorithmName="PBEWithHmacSHA1"
macAlgorithmName="SHA1" macKeySize="256" macPbeCount="20" macType="hmac"
pbeCount="20" pbeDigestAlgorithm="SHA1"
/>
…
…
applicationContext-security.xml
The applicationContext-security.xml file is available at $CSA_HOME\jboss-as-7.1.1.Final\standalone\deployments\idm-service.war\WEB-INF\spring of the HP CSA install directory.
The applicationContext-security.xml file contains most of the HP SSO integration configuration. Check for these entries and uncomment them.
applicationContext-security.xml
<!-- START HP SSO Configuration -->
<security:http pattern="/idm/v0/login" use-expressions="true" auto-config="false">
<security:custom-filter ref="requestTokenCompositeFilter" position="FIRST" />
<security:custom-filter ref="hpssoProvidedFilter" before="PRE_AUTH_FILTER" />
<security:custom-filter ref="hpssoIntegrationFilter" after="PRE_AUTH_FILTER" />
<security:http-basic />
</security:http>
<security:http pattern="/idm/v0/logout" use-expressions="true" auto-config="false">
<security:custom-filter ref="requestTokenCompositeFilter" position="FIRST" />
<security:custom-filter ref="hpssoProvidedFilter" before="PRE_AUTH_FILTER" />
<security:custom-filter ref="hpssoIntegrationFilter" after="PRE_AUTH_FILTER" />
<security:http-basic />
</security:http>
<bean id="hpssoFederatingProvider" class="com.hp.ccue.identity.filter.certificate.CertificateLdapAuthenticationProvider">
<property name="config" ref="csaAuthConfig" />
<property name="templateFactory" ref="csaTemplateFactory" />
</bean>
<security:authentication-manager id="hpssoAuthManager">
<security:authentication-provider ref="hpssoFederatingProvider" />
</security:authentication-manager>
<bean id="hpssoProvidedFilter" class="com.hp.hpsso.api.HpSsoFilter" />
<bean id="hpssoIntegrationFilter" class="com.hp.ccue.identity.filter.hpsso.HpSsoFilter">
<constructor-arg ref="hpssoAuthManager" />
<property name="generateTokenUtil" ref="generateTokenUtil" />
<property name="tokenFactory" ref="tokenFactory"/>
<property name="loginRedirectionHandler" ref="loginRedirectionHandler"/>
</bean>
<!-- END HP SSO Configuration -->
applicationContext-security.xml
<!-- START Certificate Authentication / SiteMinder SSO / HP SSO Configuration -->
<bean id="loginRedirectionHandler" class="com.hp.ccue.identity.filter.LoginRedirectionHandler">
<property name="tokenService" ref="tokenService"/>
</bean>
<bean name="generateTokenUtil" class="com.hp.ccue.identity.util.GenerateResponseTokenUtil" />
<!-- END Certificate Authentication / SiteMinder SSO / HP SSO Configuration -->
applicationContext-v0.xml
The applicationContext-v0.xml file is available at $CSA_HOME\jboss-as-7.1.1.Final\standalone\deployments\idm-service.war\WEB-INF\spring of the HP CSA install directory.
The applicationContext-v0.xml file configures writing of the HP SSO token to the HP SSO cookie.
Check for and uncomment the following configuration in the file:
applicationContext-v0.xml...
<!-- START HP SSO Configuration -->
<bean id="hpssoTokenWriter" class="com.hp.ccue.identity.hpsso.HpSsoCookieTokenWriter">
<property name="tokenStore" ref="tokenStore" />
<property name="tokenService" ref="tokenService" />
<property name="tokenFactory" ref="tokenFactory" />
</bean>
<!-- END HP SSO Configuration -->
<!--Authentication API -->
<bean id="authenticationApiController" class="com.hp.ccue.identity.web.api.AuthenticationController">
<property name="tokenService" ref="tokenService"/>
<property name="identityService" ref="identityService"/>
<!-- START HP SSO Configuration -->
<property name="tokenWriter" ref="hpssoTokenWriter" />
<!-- END HP SSO Configuration -->
</bean>
...
applicationContext.properties
The applicationContext.properties file is available at $CSA_HOME\jboss-as-7.1.1.Final\standalone\deployments\idm-service.war\WEB-INF\spring of the HP CSA install directory.
Update the hostname in the applicationContext.properties file to match the environment.
Replace the idm.csa.hostname placeholder highlighted below in the applicationContext.properties file.
applicationContext.properties...
# Properties of CSA server that manages organization LDAP configurations
idm.csa.protocol = https
idm.csa.hostname = <CSA FQDN>
...
VPV URL on CSA
Create a URL link on the consumer organization in CSA to connect to VPV. The URL link appears as a widget on the Marketplace Portal dashboard for CSA consumers. On accessing the link, a separate browser window displays resource consumption and forecasting metrics for CPU and memory.
Assume you have created a consumer organization “Engineering” in the Organizations section.
Add the VPV URL link as shown in Fig: 1.
URL to configure VPV: http://<VPVFQDN>:8081/PV/?CTX=CSA&CSA_ORG=<OrganizationId>
VPVFQDN: Fully qualified domain name (FQDN) of the VPV server. Note: An IP address should not be used in this URL.
Replace OrganizationId with the CSA consumer organization name, for example “Engineering” in this case.
Fig: 1 – Add a VPV URL link to Engineering organization that displays a widget on MPP dashboard.
Configuration on HP VPV
Configure VCENTER data source
Log in to VPV as an administrator and add a VCENTER data source as shown in Fig: 2.
VPV URL: http://<VPV-FQDN>:<PORT>/PV
Fig: 2 – Configure VCENTER data source on VPV
The vCenter provider added to HP VPV should be the same vCenter that HP CSA uses as a provider to deploy virtual machines.
Configure CSA end point in VPV
VPV needs the CSA server details to retrieve user subscription and organization details.
Provide the CSA URL and credentials in VPV as shown in Fig: 3.
Fig: 3 – Configure CSA end point
CSA URL: CSA management URL
User Name: User having admin privileges to access CSA artifacts
Server Component Type: Base component type name for a Server. Leave it blank if using OOTB server component in your service designs
Hostname Property: Property name on the component which identifies hostname of the server instance. Leave it blank if using hostname as property on the component
OVPMconfig configuration on VPV
LDAP settings are specified in this configuration file. For more advanced settings, refer to the Virtualization Performance Viewer Guide.
OVPMconfig is located under: /var/opt/OV/conf/perf/OVPMconfig.ini
OVPMconfig.ini...
[LDAP]
PVADMIN=<LDAP Admin user>
LDAPHOST=<FQDN OR IP of LDAP server>
SEARCHBASE=<Base distinguished name. The Base DN is the top level of the LDAP directory that is used as the basis of a search. E.g. DC=hp,DC=com>
USERSEARCHQUERY=<Specifies the general form of the LDAP query used to identify users during login. E.g. (&(objectClass=user)(sAMAccountName=$USERID$))>
DOMAIN=<domain name of the LDAP server>
PVGROUP=<usergroup>
LDAPTYPE=<AD or openLDAP>
;USE_SSL=false
;BIND_DN=<DN of a user in case of Group validation in OpenLDAP>
;BIND_DN_PASSWORD=<Encrypted Password of the user in case of Group validation in OpenLDAP>
;SSL_KEYSTORE=<Absolute path of keystore file>
;*******************************************************
...
SSO configuration on VPV
Configuration file: /opt/OV/www/webapps/PV/WEB-INF/classes/lwssofmconf.xml
The domain name and crypto settings such as initString should be the same as those configured in the hpssoConfig.xml file in HP CSA. Update the highlighted lines to match the environment and the HP SSO configuration of the other applications supporting HP SSO, such as HP CSA.
lwssofmconf.xml...
<validation>
<in-ui-lwsso>
<lwssoValidation id="ID000001">
<domain>mention the domain here for e.g. (hp.com)</domain>
<crypto cipherType="symmetricBlockCipher"
engineName="AES" paddingModeName="CBC" keySize="256"
encodingMode="Base64Url"
initString="mention the init string here"></crypto>
</lwssoValidation>
</in-ui-lwsso>
</validation>
...
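A consistency check for the requirement above that the domain and crypto settings in lwssofmconf.xml match hpssoConfig.xml, added here as an example and not part of HP CSA or HP vPV. The two XML strings are constructed samples reduced to the elements this guide shows, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed samples modelled on the two snippets in this guide (placeholder values).
CSA_HPSSO = """<hpssoConfig>
  <creationDomains><domain>domain.com</domain></creationDomains>
  <crypto initString="Init string must be replaced for production"
          cipherType="symmetricBlockCipher" engineName="AES" paddingMode="CBC"
          keySize="256" encodingMode="Base64Url"/>
</hpssoConfig>"""

VPV_LWSSO = """<validation><in-ui-lwsso><lwssoValidation id="ID000001">
  <domain>example.org</domain>
  <crypto cipherType="symmetricBlockCipher" engineName="AES" paddingModeName="CBC"
          keySize="128" encodingMode="Base64Url"
          initString="constructed-secret-1"></crypto>
</lwssoValidation></in-ui-lwsso></validation>"""

# Attributes that appear in both files. The padding-mode attribute is spelled
# differently in each file, so it is mapped to a single key below.
SHARED = ("cipherType", "engineName", "keySize", "encodingMode", "initString")
PLACEHOLDERS = ("must be replaced", "mention the init string")


def sso_settings(xml_text):
    """Return the domain and crypto attributes from one SSO config document."""
    root = ET.fromstring(xml_text)
    domain = root.find(".//domain")
    crypto = root.find(".//crypto")
    if domain is None or crypto is None:
        raise ValueError("missing <domain> or <crypto> element")
    settings = {name: crypto.get(name) for name in SHARED}
    settings["paddingMode"] = crypto.get("paddingMode") or crypto.get("paddingModeName")
    settings["domain"] = (domain.text or "").strip().lower()
    return settings


def compare_sso(csa_xml, vpv_xml):
    """List findings; the initString value itself is never echoed."""
    csa, vpv = sso_settings(csa_xml), sso_settings(vpv_xml)
    findings = [f"mismatch: {key}" for key in sorted(csa) if csa[key] != vpv[key]]
    for label, cfg in (("CSA", csa), ("VPV", vpv)):
        init = (cfg["initString"] or "").lower()
        if not init or any(p in init for p in PLACEHOLDERS):
            findings.append(f"placeholder initString in {label}")
    return findings


if __name__ == "__main__":
    for finding in compare_sso(CSA_HPSSO, VPV_LWSSO):
        print(finding)
```

An empty result means the two files agree on every compared setting and neither still carries a shipped placeholder initString.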
Restart tomcat
Restart tomcat using the command: /opt/OV/bin/ovc -restart <name>
Example: /opt/OV/bin/ovc -restart ovtomcatB
VPV reports on MPP
Log in to the CSA Marketplace Portal (MPP) as an organization user. Click the Resource Consumption VPV link to launch the resource consumption report.
Fig: 4 – Resource Consumption VPV link on Marketplace Portal
Fig: 5 – Resource consumption report
Known Issues
Issue / Consumer logging out on VPV does not log out on HP MPP
Description / Consider a customer who launches VPV reports from MPP. The VPV reports are opened in a different browser window displaying resource consumption reports. The customer logs out on the VPV report page. The customer session is still active on the CSA MPP page.
Workaround / No workaround available.
The MPP browser maintains the SSO session cookie, and logging out on the VPV report page does not terminate the session on the MPP browser server.
Issue / HP CSA cannot support FIPS 140-2 with HP SSO enabled
Description / HP CSA cannot support FIPS 140-2 with HP SSO enabled
Workaround / No workaround available.
HP SSO does not comply with FIPS 140-2, so the initialization string in the encryption configuration is stored in clear text.
Troubleshooting issues
Problem / Unable to launch VPV reports from MPP
Cause / 1. CSA and VPV server are in different timezones
2. Firewall on VPV is enabled
Solution / CSA and VPV server are in different timezones
Set the VPV timezone to match the timezone on the MPP server:
1. Log in to the VPV server at http://<VPVFQDN>:5480/
2. Credentials are root/*******
3. System->Timezone
4. Select the timezone and Save
Firewall on VPV is enabled
Disable the firewall on the VPV server to allow MPP communication to VPV. Execute the following commands on the VPV server:
· service iptables save
· service iptables stop
· chkconfig iptables off
· service iptables status
For more information
For help visit the HP Live Network Portal at https://hpln.hp.com/group/cloud-service-automation
To access other toolkits to design and extend cloud services running on HP CloudSystem, go to hp.com/go/csdevelopers.
HP software product manuals and documentation for the following products can be found at h20230.www2.hp.com/selfsolve/manuals. You will need an HP Passport to sign in and gain access.
• HP Cloud Service Automation
• HP ArcSight
• HP Operations Orchestration
• HP Server Automation
• HP SiteScope
• HP Universal CMDB
To help us improve our documents, please send feedback to .
Learn more at
hp.com/go/CSA