CA Identity Portal - 12.6.8
CA Identity Portal - Home
Date: 18-Oct-2019

This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the “Documentation”) is for your informational purposes only and is subject to change or withdrawal by CA at any time. This Documentation is proprietary information of CA and may not be copied, transferred, reproduced, disclosed, modified or duplicated, in whole or in part, without the prior written consent of CA.

If you are a licensed user of the software product(s) addressed in the Documentation, you may print or otherwise make available a reasonable number of copies of the Documentation for internal use by you and your employees in connection with that software, provided that all CA copyright notices and legends are affixed to each reproduced copy.

The right to print or otherwise make available copies of the Documentation is limited to the period during which the applicable license for such software remains in full force and effect. Should the license terminate for any reason, it is your responsibility to certify in writing to CA that all copies and partial copies of the Documentation have been returned to CA or destroyed.

TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENTATION “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT WILL CA BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE, DIRECT OR INDIRECT, FROM THE USE OF THIS DOCUMENTATION, INCLUDING WITHOUT LIMITATION, LOST PROFITS, LOST INVESTMENT, BUSINESS INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF CA IS EXPRESSLY ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE.

The use of any software product referenced in the Documentation is governed by the applicable license agreement and such license agreement is not modified in any way by the terms of this notice.

The manufacturer of this Documentation is CA.

Provided with “Restricted Rights.” Use, duplication or disclosure by the United States Government is subject to the restrictions set forth in FAR Sections 12.212, 52.227-14, and 52.227-19(c)(1) - (2) and DFARS Section 252.227-7014(b)(3), as applicable, or their successors.

Copyright © 2019 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. All trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.


Table of Contents

Release Notes ....................................................................................... 12

CA Identity Portal Release Notes ........................................................................................................ 12

Release Notes - 12.6.08 ............................................................................................................... 12

12.6.08 ................................................................................................................................. 13

12.6.7 ................................................................................................................................... 16

12.6.6 ................................................................................................................................... 17

Release Notes - 12.6.08 Cumulative Patches .............................................................................. 22

Overview .............................................................................................................................. 22

Prerequisites for Deploying a Cumulative Patch .................................................................. 22

Download and Deployment Instructions ............................................................................... 23

CP-IP-120608-CR1-0002 - Defects Fixed ............................................................................ 25

CP-IP-120608-CR1-0003 - Defects Fixed ............................................................................ 25

CP-IP-120608-CR1-0001 - Defects Fixed ............................................................................ 26

CP-IP-120608-CR1-0004 - Defects Fixed ............................................................................ 26

CP-IP-120608-CR1-0005 - Defects Fixed ............................................................................ 27

CP-IP-120608-CR1-0006 - Defects Fixed ............................................................................ 27

CP-IP-120608-CR1-0007 - Defects Fixed ............................................................................ 29

CP-IP-120608-CR1-0008 - Defects Fixed ............................................................................ 30

Accessibility Features ................................................................................................................... 31

Product Enhancements ........................................................................................................ 31

Keyboard Shortcuts .............................................................................................................. 34

Overview ............................................................................................... 35

Basic Capabilities ................................................................................................................................ 35

Benefits ............................................................................................................................................... 36

CA Identity Suite Architecture ............................................................................................................. 36

Plan Your Implementation ................................................................................................................... 37

Installing ................................................................................................ 39

Installing CA Identity Portal ................................................................................................................. 39

CA Identity Portal Installation Process .......................................................................................... 40

Installing a Database ............................................................................................................ 40

Installing CA Identity Portal on JBoss .................................................................................. 42

Installing Identity Portal on WebLogic .................................................................................. 47

Installing Identity Portal on Tomcat ...................................................................................... 52

Installing Identity Portal on WebSphere ............................................................................... 56

Installing Identity Portal in a Cluster ..................................................................................... 61


Post-Installation Tasks .................................................................................................................. 64

CA Identity Manager Environment Validation ...................................................................... 64

Import Identity Portal Roles and Tasks into CA Identity Manager Environment .................. 64

Enable TEWS in the IM Environment ................................................................................... 64

Setting up the Workflow Interface ........................................................................................ 65

IM Environment Validation ................................................................................................... 65

Import Identity Portal Roles and Tasks into IM Environment ............................................... 65

Enable TEWS in the IM Environment ................................................................................... 66

Setting up the Workflow Interface ........................................................................................ 67

Installing CA Identity Suite Virtual Appliance ...................................................................................... 67

System Requirements for CA Identity Suite Virtual Appliance ...................................................... 68

Set Up CA Identity Suite Virtual Appliance ................................................................................... 68

Deploy CA Identity Suite Virtual Appliance ................................................................................... 69

Default Credentials to Access User Interface of Deployed Services ............................................ 70

Virtual Machine Platform Networking Configuration ...................................................................... 70

Upgrading .............................................................................................. 71

Upgrading CA Identity Portal ............................................................................................................... 71

Before You Upgrade ..................................................................................................................... 71

Upgrade Steps for MySQL Database ............................................................................................ 72

Upgrade Steps for Oracle Database ............................................................................................. 72

Upgrade Steps for Microsoft SQL Server ...................................................................................... 73

Deploy the Identity Portal web archive file .................................................................................... 74

Tomcat Server ...................................................................................................................... 75

JBoss Server ........................................................................................................................ 75

WebLogic Server .................................................................................................................. 75

Update the JVM arguments .......................................................................................................... 77

Tomcat ................................................................................................................................. 77

JBoss ................................................................................................................................... 77

Weblogic .............................................................................................................................. 77

JVM Arguments .................................................................................................................... 77

Validate CA Identity Portal after Upgrade ..................................................................................... 79

Troubleshoot Log Errors ............................................................................................................... 80

Server Fails to Start ............................................................................................................. 80

Connectors Do Not Start ...................................................................................................... 83

Error after Application and Server Starts ............................................................................. 83

Integrating ............................................................................................. 84

Integrating CA Identity Manager and CA Identity Governance ........................................................... 84

CA Single-Sign-On Integration ............................................................................................................ 84

Supported Single Sign-On Products ............................................................................................. 84

Background ................................................................................................................................... 84

CA SSO Prerequisites ................................................................................................................... 85


CA SSO Integration Prerequisites ........................................................................................ 85

Enable Support for HTTP Delete Verb in CA SSO .............................................................. 86

CA Identity Portal Realm Protection ..................................................................................... 87

Required CA SSO Headers ................................................................................................. 88

IIS Error Page Handling ....................................................................................................... 88

TEWS Security Settings ....................................................................................................... 89

SSO for CA Identity Governance and Identity Portal .................................................................... 90

Integrating CA Identity Manager with CA Single Sign-On using CA Identity Suite Virtual Appliance ...... 90

Install Java Cryptography Extension (JCE) Unlimited Strength .................................................... 90

Edit the ra.xml file .......................................................................................................................... 91

Disable the Native Authentication Filter ........................................................................................ 91

Set Up CA Identity Manager and CA Identity Portal Web Services Interface ..................................... 92

Administrating ....................................................................................... 94

Administrating CA Identity Portal ......................................................................................................... 94

Introduction ................................................................................................................................... 94

Architecture .......................................................................................................................... 95

System Administration ......................................................................................................... 95

Identity Portal Additional Features ................................................................................................ 96

Password Management ....................................................................................................... 96

Drafts .................................................................................................................................... 96

Identity Portal Functionality ........................................................................................................... 97

Functionality Overview ......................................................................................................... 97

Dynamic Modules ................................................................................................................. 98

Access .................................................................................................................................. 99

My Requests ...................................................................................................................... 100

Tasks .................................................................................................................................. 101

Certification Campaigns ..................................................................................................... 103

Settings .............................................................................................................................. 105

My Identity .......................................................................................................................... 106

Passwords .......................................................................................................................... 106

Notifications ........................................................................................................................ 106

Dashboard .......................................................................................................................... 106

Mobile ................................................................................................................................. 107

Applications Launchpad ..................................................................................................... 107

CA Identity Suite Administration .................................................................................................. 107

Setting up the Workpoint Interface ..................................................................................... 108

Access Catalog .................................................................................................................. 120

Administration .................................................................................................................... 123

Advanced Authentication ................................................................................................... 128

Analytics Dashboard .......................................................................................................... 129

Apps ................................................................................................................................... 133

Backend Management ....................................................................................................... 134


Branding ............................................................................................................................. 145

Connectors ......................................................................................................................... 146

Localize CA Identity Portal ................................................................................................. 156

Managed Objects ............................................................................................................... 158

Modules .............................................................................................................................. 160

Profiles ............................................................................................................................... 163

Risks .................................................................................................................................. 164

Services ............................................................................................................................. 167

Templates .......................................................................................................................... 167

UI Configuration ................................................................................................................. 168

Understanding Scoping ...................................................................................................... 170

Administrating CA Identity Suite Virtual Appliance (vApp) ................................................................ 171

Using The Login Shell ................................................................................................................. 172

Available aliases: ............................................................................................................... 172

Available privileged commands (sudo): ............................................................................. 176

Required Network Ports .............................................................................................................. 177

Log Files Location ....................................................................................................................... 177

Supported Custom Files .............................................................................................................. 178

Uploading and Replicating Custom Files ........................................................................... 178

Replacing the vApp Web UI SSL Certificate ............................................................................... 179

External Data-source management (vApp 12.6.8 CR2 only) ...................................................... 179

Adding an external data source ......................................................................................... 179

Custom JVM arguments (vApp 12.6.8 CR2 only) ....................................................................... 180

Customizing the JVM startup arguments ........................................................................... 180

Custom host records (vApp 12.6.8 CR2 only) ............................................................................. 181

Modifying Identity Manager branding (vApp 12.6.8 CR2 only) .................................................... 182

Configuring .......................................................................................... 183

Configuring CA Identity Portal ........................................................................................................... 183

Actions ........................................................................................................................................ 183

Create User ........................................................................................................................ 183

TEWS Settings for Identity Portal Without SSO .......................................................................... 183

Identity Portal and IDM without Provisioning ............................................................................... 184

Encrypt Admin User Password on Tomcat ................................................................................. 186

Configuring jgroups TCP Unicast ................................................................................................ 186

Approval Workflow ...................................................................................................................... 187

Viewing Approvers' Details ................................................................................................ 187

Implementation ................................................................................................................... 187

Parallel Approvers .............................................................................................................. 188

Scoping ....................................................................................................................................... 189

Module Action Scoping ...................................................................................................... 189

Permission Scoping ........................................................................................................... 189

Understanding Bulk Configuration .............................................................................................. 189

Example – ACCESS REQUEST ........................................................................................ 190


How to Configure Bulk Onboarding .................................................................................... 191

Users’ Pictures ............................................................................................................................ 191

Configuring CA Identity Suite Virtual Appliance ................................................................................ 191

Configure an External Data Source ............................................................................................ 192

Add an External Data Source ............................................................................................ 192

Remove an External Data Source ...................................................................................... 193

CA Identity Manager Management Console Security Considerations ........................................ 193

Modify Admin Credentials in CA Identity Portal Management Console ...................................... 194

Modify CA Identity Manager Application Log Level ..................................................................... 195

Configure Time and Network Time Protocol ............................................................................... 196

Modify CA Identity Manager Environment Base URL ................................................................. 197

Configure Email for CA Identity Manager .................................................................................... 197

Building ............................................................................................... 198

CA Identity Governance Client Tools ................................................................................................ 198

Connector Xpress .............................................................................................................................. 198

Provisioning Reference ..................................................................................................................... 198

User Console Design ........................................................................................................................ 198

Programming ....................................................................................... 199

CA Identity Manager Programming Guide for Java ........................................................................... 199

Connector Programming Reference .................................................................................................. 199

Programming CA Identity Governance .............................................................................................. 199

CA Identity Portal Developer Guide .................................................................................................. 199

Plugins ........................................................................................................................................ 200

Plugin Components ............................................................................................................ 200

Plugin Execution Types ...................................................................................................... 201

Plugin Samples .................................................................................................................. 201

Developing a Java Plugin ................................................................................................... 207

Target Permission Rule Expression ............................................................................................ 207

Custom Objects .................................................................................................................. 207

Form Handlers ............................................................................................................................ 209

Form Events Order ............................................................................................................. 209

API Context ........................................................................................................................ 211

Prop Context ...................................................................................................................... 212

Hotel Reservation Form Example ...................................................................................... 213

Javadoc for CA Identity Portal Plugins .............................................................................................. 221

Programming CA Identity Portal ........................................................................................................ 221

Configuring Plugins ..................................................................................................................... 221

Calling a FormServerFunction Plugin from Form Handler ................................................. 222

Service Account APIs .................................................................................................................. 222


End User License Agreement (EULA) ................................................ 228

Predefined Use Cases ........................................................................ 240

Contractor Life Cycle ......................................................................................................................... 240

Employee Life Cycle .......................................................................................................................... 240

Self Service ....................................................................................................................................... 240

Contractor Life Cycle ......................................................................................................................... 241

Change Manager ........................................................................................................................ 242

Convert Contractor to Employee ................................................................................................. 242

Create Contractor ........................................................................................................................ 243

Create Contractor from Feed ...................................................................................................... 244

Create Multiple Contractors ........................................................................................................ 246

Extend Contractor ....................................................................................................................... 247

Modify Contractor ........................................................................................................................ 247

Terminate Contractor .................................................................................................................. 248

Termination Events ............................................................................................................ 248

Termination and Post Termination Events ......................................................................... 249

Deployment ....................................................................................................................................... 250

Employee Life Cycle .......................................................................................................................... 251

Convert Employee to Contractor ................................................................................................. 251

Create Multiple Employees ......................................................................................................... 252

Modify Employee ......................................................................................................................... 253

Terminate Employee ................................................................................................................... 254

Termination Events ............................................................................................................ 254

Termination and Post Termination Events ......................................................................... 255

Self Service ....................................................................................................................................... 256

Set My Security Questions .......................................................................................................... 256

Modifying the security questions self service use case ...................................................... 256

Platform Support Matrix ...................................................................... 262

CA Identity Portal Platform Support Matrix ........................................................................................ 262

Software Requirements ............................................................................................................... 262

Supported Operating Systems ........................................................................................... 262

Supported Application Servers ........................................................................................... 262

Supported Databases ........................................................................................................ 263

Supported Back-ends ......................................................................................................... 264

Supported Single-Sign-On Option ...................................................................................... 264

Supported Web Clients (Browsers) .................................................................................... 264

Hardware Requirements ............................................................................................................. 264

Network Requirements ................................................................................................................ 265

DNS Requirements ..................................................................................................................... 266

CA Identity Suite Virtual Appliance Platform Support Matrix ............................................................. 266


Supported Virtualization Platforms .............................................................................................. 266

Supported Web Clients (Browsers) – Virtual Appliance Web UI ................................................. 266

Third Party Software Acknowledgements ........................................... 267

CA Identity Portal Third-Party Software Acknowledgements ............................................................ 267

CA Identity Suite Virtual Appliance Third-Party Software Acknowledgements ................................. 271


Release Notes

This section contains the following topics:

CA Identity Portal Release Notes

CA Identity Portal Release Notes

This section covers the Release Notes for release 12.6.08 and its cumulative releases.

To view and download Cumulative Releases and Cumulative Patches, please ensure you are logged in.

Release Notes - 12.6.08
Release Notes - 12.6.08 Cumulative Patches
Accessibility Features

Release Notes - 12.6.08

Contents

12.6.08
    New Features
        Suggest Additional Entitlements
        Analytics Dashboard
    Product Enhancements
        My Requests Page Enhancements
        Entitlement Tree Enhancements
        Certification Campaign Enhancements
        Advanced Authentication Enhancements
        Enable a language
        Additional Modules in Mobile Web Application
    Known Issue
        CA Identity Portal Connector to CA Identity Manager Fails to Start on Enabling Web Services

12.6.7
    New Features
        Internationalization Support
        Improved Certification Campaigns
        Strong Authentication
        WorkPoint XML Binding
    New Certifications
    Product Enhancements
    Upgrade Considerations
        Supported Upgrade Paths
        Upgrade Changes from Older Versions
        Branding
    Limitations

12.6.6
    New Features
        Forgotten Password Reset
        Deep Linking, Timeout recovery
        Registration
        Apps
        My Identity Module
        Settings
        Drafts
        Branding
        Dynamic Modules
        Forms
        Admin UI
        Campaigns
        Connectors
        Access Module
        Approvals
        Strong Authentication
        New Certifications
        Mobile
        Request Tracking
    Known Issues
    Limitations

12.6.08

New Features

Suggest Additional Entitlements

Suggestions are prompted to the user while creating an Access Request according to the rules defined in the Admin UI.

Note: For more information, see Suggest Additional Entitlements.


Analytics Dashboard

This release of CA Identity Portal provides an analytics dashboard to view the statistics related to an entitlement. You can view the statistics for an entitlement for a specific period.

Note: For more information, see Analytics Dashboard.

Product Enhancements

My Requests Page Enhancements

You can export all details of the requests to a Microsoft Excel file. Also, you can cancel a request only if the status of the request is In Progress.

Note: For more information, see My Requests.

Entitlement Tree Enhancements

You can rearrange the list of applications in the Entitlement Tree. You can have only one level of hierarchy in the right pane, but can have more than one level of hierarchy in the middle pane.

Note: For more information, see the section Managing the permissions model in the Access Catalog article.

Certification Campaign Enhancements

You can share your work with another user.

Note: For more information, see the section Certification Features in the Certification Campaigns article.

You can customize the way the tasks are displayed in the UI by selecting the number of entries to display on a page, filtering the tasks based on status, and other options.

Note: For more information, see the section Customize Certification Campaign Views in the Certification Campaigns article.

Advanced Authentication Enhancements

Protect approval tasks with second factor authentication - The user is prompted to use second factor authentication while approving or rejecting an approval task. On mobile, second factor authentication is now available on login.

Enable a language

You can enable a language only after the translation is completed.

Note: For more information, see Localize CA Identity Portal.

Additional Modules in Mobile Web Application

The following modules are now available for use in the mobile web application:

Access

Modules


Branding (administrated from the Branding configuration screen in the Admin UI).

Known Issue

CA Identity Portal Connector to CA Identity Manager Fails to Start on Enabling Web Services

Valid for WebLogic 12.1.3 and lower

Symptom:

The CA Identity Portal connector to CA Identity Manager fails to start if the “IM Portal WebServices” functionality is enabled.

The following error appears in the server log:

ErrorCode: 1203, ErrorFamily: GENERAL, Message: com.idmlogic.sigma.backend.InitConnectorException: Failed to start Adapter: [com.idmlogic.sigma.connector.ca.CaimAdapter…
Caused by: java.lang.RuntimeException: java.lang.NoSuchMethodError: javax.ws.rs.core.Response.readEntity(Ljava/lang/Class;)Ljava/lang/Object;
…
Caused by: java.lang.NoSuchMethodError: javax.ws.rs.core.Response.readEntity(Ljava/lang/Class;)Ljava/lang/Object;

Solution:

Edit the file weblogic.xml so that the application's own libraries are preferred over the libraries provided by WebLogic.

Follow the steps:

Navigate to the CA Identity Portal web archive (sigma.war) location. By default, the sigma.war file is located in the CA Identity Portal installation home folder. For example:

C:\CA\CA Identity Suite

Locate the CA Identity Portal web archive file sigma.war.

Extract the file weblogic.xml from the file sigma.war. The file weblogic.xml is placed in the following folder:

sigma.war/WEB-INF

Open the file weblogic.xml.

Add the following line at the end of the <prefer-application-packages> section:

<package-name>javax.ws.rs.*</package-name>

Delete the following line:

<resource-name>META-INF/services/javax.ws.rs.ext.RuntimeDelegate</resource-name>

Copy the updated weblogic.xml file back into the sigma.war archive.

Redeploy the sigma.war using the WebLogic Administration Console on each node that runs CA Identity Portal.
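The weblogic.xml steps above, automated as an added example (this is not CA's tooling and not code from the page): it reads WEB-INF/weblogic.xml from a copy of sigma.war, adds the javax.ws.rs.* package preference, deletes the RuntimeDelegate resource entry, and writes a patched archive. The sample descriptor and its com.example.placeholder.* entry are constructed; the code assumes the standard weblogic-web-app namespace and an existing <container-descriptor> section.

```python
"""Apply the documented weblogic.xml change to a copy of sigma.war.

Added example, not CA tooling. Assumes the descriptor uses the standard
weblogic-web-app namespace and carries a <container-descriptor> section.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

DESCRIPTOR_PATH = "WEB-INF/weblogic.xml"
# Exact values from the documented fix.
PACKAGE_TO_PREFER = "javax.ws.rs.*"
RESOURCE_TO_DROP = "META-INF/services/javax.ws.rs.ext.RuntimeDelegate"

# Constructed sample descriptor; the real sigma.war contents are not on the page.
SAMPLE_WEBLOGIC_XML = """<?xml version="1.0" encoding="UTF-8"?>
<weblogic-web-app xmlns="http://xmlns.oracle.com/weblogic/weblogic-web-app">
  <container-descriptor>
    <prefer-application-packages>
      <package-name>com.example.placeholder.*</package-name>
    </prefer-application-packages>
    <prefer-application-resources>
      <resource-name>META-INF/services/javax.ws.rs.ext.RuntimeDelegate</resource-name>
    </prefer-application-resources>
  </container-descriptor>
</weblogic-web-app>
"""

def _ns(tag: str) -> str:
    """Return the '{uri}' prefix of a qualified tag ('' if the descriptor has no namespace)."""
    return tag[: tag.index("}") + 1] if tag.startswith("{") else ""

def _texts(parent, tag: str):
    return [(e.text or "").strip() for e in parent.iter(tag)]

def describe(xml_text: str) -> dict:
    """Report whether each of the two documented changes is in effect."""
    root = ET.fromstring(xml_text)
    ns = _ns(root.tag)
    return {
        "prefers_jaxrs": PACKAGE_TO_PREFER in _texts(root, f"{ns}package-name"),
        "drops_runtime_delegate": RESOURCE_TO_DROP not in _texts(root, f"{ns}resource-name"),
    }

def patch_descriptor(xml_text: str) -> str:
    """Return weblogic.xml with javax.ws.rs.* preferred and the RuntimeDelegate entry removed."""
    root = ET.fromstring(xml_text)
    ns = _ns(root.tag)
    if ns:
        ET.register_namespace("", ns[1:-1])  # keep the default namespace on output
    container = root.find(f"{ns}container-descriptor")
    if container is None:
        raise ValueError("weblogic.xml has no <container-descriptor> section")
    packages = container.find(f"{ns}prefer-application-packages")
    if packages is None:
        packages = ET.SubElement(container, f"{ns}prefer-application-packages")
    # Step 1: prefer the application's JAX-RS classes over WebLogic's (idempotent).
    if PACKAGE_TO_PREFER not in _texts(packages, f"{ns}package-name"):
        ET.SubElement(packages, f"{ns}package-name").text = PACKAGE_TO_PREFER
    # Step 2: delete the RuntimeDelegate service entry from prefer-application-resources.
    resources = container.find(f"{ns}prefer-application-resources")
    if resources is not None:
        for entry in list(resources.findall(f"{ns}resource-name")):
            if (entry.text or "").strip() == RESOURCE_TO_DROP:
                resources.remove(entry)
    if hasattr(ET, "indent"):  # Python 3.9+: re-indent the edited tree
        ET.indent(root, space="  ")
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode") + "\n"

def read_descriptor(war_bytes: bytes) -> str:
    """Extract WEB-INF/weblogic.xml from an in-memory war archive."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        return war.read(DESCRIPTOR_PATH).decode("utf-8")

def patch_war_bytes(war_bytes: bytes) -> bytes:
    """Rewrite the archive with the patched descriptor (zip entries cannot be edited in place)."""
    out = io.BytesIO()
    src = zipfile.ZipFile(io.BytesIO(war_bytes))
    with src, zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename == DESCRIPTOR_PATH:
                data = patch_descriptor(data.decode("utf-8")).encode("utf-8")
            dst.writestr(info.filename, data)
    return out.getvalue()

def build_sample_war_bytes() -> bytes:
    """Constructed two-entry archive standing in for sigma.war."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        war.writestr(DESCRIPTOR_PATH, SAMPLE_WEBLOGIC_XML)
    return out.getvalue()

if __name__ == "__main__":
    print("before:", describe(SAMPLE_WEBLOGIC_XML))
    patched = patch_war_bytes(build_sample_war_bytes())
    print("after:", describe(read_descriptor(patched)))
```

Run describe() on the descriptor extracted from the redeployed archive to confirm both changes are present before restarting the node.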


12.6.7

New Features

Internationalization Support

Added full localization support for the entire CA Identity Portal interface. Localization support provides the ability to translate the data model (Entitlement Catalog, Modules, etc.) and the static screen elements. The entire translation can be performed through the Admin UI. The product is now shipped with localization for English, Spanish, French, Brazilian Portuguese, and Italian. For more information about how to localize the dynamic pages, see the section Localize CA Identity Portal.

Improved Certification Campaigns

Added support for approval tasks in Certification Campaigns.

Strong Authentication

Added support for strong authentication on mobile.

WorkPoint XML Binding

Support for WorkPoint XML binding interface for CA Identity Manager 12.6.07.

New Certifications

Added support for Windows 2012, 2012 R2

Added support for MS-SQL 2012 SP2

Added support for Java 7 & Java 8

Added support for JBoss 6.4.0 (Java 8)

Added support for WebLogic 12.1.3 (Java 8)

Product Enhancements

The following enhancements have been made to the product:

My Profile and Settings modules can now be configured as part of the Profile modules.

Improved look and feel for the user interface.

Upgrade Considerations

Supported Upgrade Paths

You can upgrade to this release of CA Identity Portal from the version CA Identity Portal 1.6. If you have a version lower than 1.6, then first upgrade to version 1.6 and then upgrade to the current release.


Upgrade Changes from Older Versions

The CA Identity Manager connector interfaces with the WorkPoint server. All previous versions of the product supported only the EJB implementation of this interface. This version supports the XML binding interface. For information about how to enable the XML binding interface, see the section WorkPoint Changes in the CA Identity Manager Upgrade Considerations documentation.

In this release, the Portal WorkPoint interface requires a jar file supplied by the product, called sigma-workpoint.jar, to be copied to the WorkPoint jars folder along with all the other required jars. For more information, see the section Setting up the Workpoint Interface.

Branding

This release includes enhancements to the CA Identity Portal look and feel. After upgrade, you must reset the branding to default to view the new look and feel.

For the complete upgrade procedure, see the section Upgrading CA Identity Portal.

Limitations

Save Bulk Request as Draft in access request is not supported.

CA Identity Portal does not enforce entering a comment when rejecting a Campaign task, even when the campaign is configured in CA Identity Governance to enforce a comment when rejecting the Campaign task.

User Ids with “\” – Access Request is not supported for users that include “\”.

JBoss CLI port must be configured to 9990 during the installation – The CA Identity Portal installer's port connectivity to JBoss is hard coded and assumes port 9990 (the default CLI port on JBoss) for CLI connectivity. There might be cases where the port must be modified, for example when both CA Identity Portal and CA Identity Manager are installed on the same physical server, both using JBoss as the application server. In this case, CA Identity Portal must use port 9990 (at least during the installation phase).

12.6.6

New Features

The following new features were added in CA Identity Portal 12.6.6:

Forgotten Password Reset

Added support for forgotten password reset backend validation errors. Errors are now propagated to the interface.

Deep Linking, Timeout recovery

The application now supports going directly to a module URL.

When a session times out, the user is prompted with a login page and then redirected back to the module they were using.


Registration

New look to registration.

Apps

Changed name from Links to Apps

New dedicated module for apps.

Added capability to save favorite apps.

My Identity Module

The My Identity module is a new module available to all users which presents them an aggregated view of the information relevant to them. The information includes:

View user personal details, and control the details that are viewed.

View current Access

View latest activity which contains approvals and requests.

View user's account

Users can reset their password.

Resetting the account password returns a password complexity response.

View user risks (risks are not visible if disabled).

Settings

The Settings module is a new module available to all users which enables them to:

Reset their password – This resets the password in the main connector. The capability is available if exposed by the backend.

Register their available authenticators and view their status.

Set delegators.

Drafts

Ability to save draft for access request.

Branding

Enhanced the elements that can be branded.

Dynamic Modules

Created a new module of type Team Management. This module enables managers, for example, to quickly act on their subordinates without the need to search for them.

Added the capability to define a pre-defined search.


Forms

Added server types: sensitive (viewable), sensitive (not viewable), internal. Removed unused types.

Add OOTB validators:

Date picker - min date, max date

Multi-text - at least X values, Maximum X values

Number Bar - min, max

Password - Complexity validations

Text - Number range validations, regex validation

Add Email, Number Bar, Relations, selectable-list-prop

Add server format for Date picker

Admin UI

New Admin UI look. Added support for Categories, and ability to change admin themes.

Add quick links between elements.

Added sitemap

Add ability to import elements.

Add "Copy" option

Add capability to change main connector.

Add notification for misconfigurations.

Add "Batch Delete" capability.

Added Support for IE10+ and Firefox.

Campaigns

New look for campaigns module.

Added file attachment capability.

Added consult capability.

Added advanced search capability.

Support account campaign and introduced account view.

Connectors

Added capability to configure User Input and a matching attribute to control the behavior of the connector on login and the relationship between connectors.


Access Module

Introduced Endpoint Account management capability in access request including suspending, resuming and resetting password of user’s account.

New Look

Aligned current view as part of "add systems" tabs

New cart look and ordering. Added risk indication in cart.

New request summary view.

Improved permission hierarchy view

Improved tree items indication

Introduced icons to tree elements

Added Support for Access Roles

Added UI Scoping configurations

Ability to show, in the current access view, only what the user can request.

Added ability to comment on the request (on top of the ability to comment on each permission).

Approvals

Added ability to search on historical approvals. This enables a user to search and view his past decisions on work items.

New timeline look.

Strong Authentication

Ability to require second factor authentication when requesting the following elements:

Access requests model elements

Invocations

Registration of other second factor

Login

Ability to authenticate with a second-factor authenticator when challenged.

Ability to request access to new authenticators through an AuthMinder connector.

Ability to register an authenticator.

Introduced Templates – templates enable sending messages in a pre-defined format. This is used to enable the OTP authenticator to send an email with a temporary password.


New Certifications

Added support for Websphere 8.5.5

Added support for IM 12.6 SP6

Added support for GM 12.6 SP3

Added support for Authminder 7.1

Mobile

Added support to view and use the application Launchpad in the mobile device.

Added Registration capability

Support for more form props.

Added campaign violations and comments capability.

Request Tracking

New look

Search by comment

Known Issues

This section describes the known issues in CA Identity Portal 12.6.6:

Special characters in User ID

Users whose User ID includes a backslash (\) cannot be used in Access Requests or in Module Action Requests.

Deep Linking on IE8 Not Supported

The functionality that enables navigating to a specific Dynamic Module Action’s form by entering the URL is not supported on Internet Explorer 8.

Exception in the server log when running on Jboss

When you install CA Identity Portal on JBoss EAP 6.1, loading the main CA Identity Manager connector throws an exception in the server. The exception is visible only in the server log and does not affect the functionality.

Forms Handlers in Mozilla Firefox

Saving your changes in forms props’ handlers does not work in Mozilla Firefox browser. As a workaround you can edit the handlers using Google Chrome or Internet Explorer 11 browsers.

Email Templates – Message body

The formatting of an email message configured in a Template does not affect the format of the email’s content.


Clear ‘Login Data’ Cache

When clearing the ‘Login Data’ cache through the Admin UI, all active sessions on the node stop functioning and users must log in again.

New profile Dynamic Module links are not saved

When creating a new profile and selecting the profile to enable access to dynamic modules, the link to the modules is not saved. To work around the issue, save the new profile, then click Edit on the profile, associate the dynamic modules with the profile, and save again.

Limitations

This section describes the limitations of CA Identity Portal 12.6.6:

Certification Campaign Violations

Certification violations displayed in a certification campaign are only those related to both entities of the campaign task.

Strong Authentication on Mobile

The Strong Authentication feature (2nd Factor Authentication) on login is not supported on mobile.

Release Notes - 12.6.08 Cumulative Patches

Overview

To apply a Cumulative Patch, verify that the latest Cumulative Release is applied to the deployment.

Fixes in a prior 12.6.08 Cumulative Patch will automatically be available in the latest 12.6.08 Cumulative Patch.

This page contains the following subsections:

    CP-IP-120608-CR1-0002 - Defects Fixed
    CP-IP-120608-CR1-0003 - Defects Fixed
    CP-IP-120608-CR1-0001 - Defects Fixed
    CP-IP-120608-CR1-0004 - Defects Fixed
    CP-IP-120608-CR1-0005 - Defects Fixed
    CP-IP-120608-CR1-0006 - Defects Fixed
    CP-IP-120608-CR1-0007 - Defects Fixed
    CP-IP-120608-CR1-0008 - Defects Fixed

See Old Cumulative Patches for prior patches.

Prerequisites for Deploying a Cumulative Patch

Before applying a Cumulative Patch, take a backup of your database. We recommend that you use the latest Identity Portal Server Cumulative Patch.


Download and Deployment Instructions

See the Deployment Instructions in the table below for each Cumulative Patch. Also review the list of Defects Fixed for any Additional Deployment Instructions for specific fixes. Click the Patch Number link in the table below to download the CA Identity Portal 12.6.08 Cumulative Patch.

Each Cumulative Patch is provided in a compressed tarball format (tar.gz). On Linux systems, use "tar -zxvf <filename>". On Windows, the latest versions of Winzip support extracting compressed tarballs, and other similar tools such as 7zip do likewise. Alternatively, use cygwin to open a shell on your Windows desktop and use "tar -zxvf <filename>".

Latest Identity Portal Server Cumulative Patch

Patch Number: CP-IP-120608-CR1-0008
Applies To: 12.6.08 CR1
Provided Files: sigma.war
Deployment Instructions:
    Back up the currently deployed sigma.war file and remove (un-deploy) it from your application server.
    Deploy the provided sigma.war file on your application server. For details on how to deploy the Identity Portal web archive file on different application servers, see the deployment documentation or follow the deployment instructions of your application server vendor.
    You can verify that the new sigma.war was deployed successfully by browsing to the URL "{hostname:port}/sigma/rest/available" while the Portal is up and running. The version number that is displayed in the result should be 82.
Defects Fixed: see the section CP-IP-120608-CR1-0008 - Defects Fixed

Old Cumulative Patches

Patch Number: CP-IP-120608-CR1-0007
Applies To: 12.6.08 CR1
Provided Files: sigma.war
Deployment Instructions:
    Back up the currently deployed sigma.war file and remove (un-deploy) it from your application server.
    Deploy the provided sigma.war file on your application server. For details on how to deploy the Identity Portal web archive file on different application servers, see the deployment documentation or follow the deployment instructions of your application server vendor.
    You can verify that the new sigma.war was deployed successfully by browsing to the URL "{hostname:port}/sigma/rest/available" while the Portal is up and running. The version number that is displayed in the result should be 65.
Defects Fixed: see the section CP-IP-120608-CR1-0007 - Defects Fixed


Patch Number: CP-IP-120608-CR1-0006
Applies To: 12.6.08 CR1
Provided Files: sigma.war
Deployment Instructions:
    Back up the currently deployed sigma.war file and remove (un-deploy) it from your application server.
    Deploy the provided sigma.war file on your application server. For details on how to deploy the Identity Portal web archive file on different application servers, see the deployment documentation or follow the deployment instructions of your application server vendor.
    You can verify that the new sigma.war was deployed successfully by browsing to the URL "{hostname:port}/sigma/rest/available" while the Portal is up and running. The version number that is displayed in the result should be 42.
Defects Fixed: see the section CP-IP-120608-CR1-0006 - Defects Fixed

Patch Number: CP-IP-120608-CR1-0005
Applies To: 12.6.08 CR1
Provided Files: sigma.war
Deployment Instructions:
    Back up the currently deployed sigma.war file and remove (un-deploy) it from your application server.
    Deploy the provided sigma.war file on your application server. For details on how to deploy the Identity Portal web archive file on different application servers, see the deployment documentation or follow the deployment instructions of your application server vendor.
    You can verify that the new sigma.war was deployed successfully by browsing to the URL "{hostname:port}/sigma/rest/available" while the Portal is up and running. The version number that is displayed in the result should be 8.
Defects Fixed: see the section CP-IP-120608-CR1-0005 - Defects Fixed

Patch Number: CP-IP-120608-CR1-0004
Applies To: 12.6.08 CR1
Provided Files: sigma.war
Deployment Instructions:
    Back up the currently deployed sigma.war file and remove (un-deploy) it from your application server.
    Deploy the provided sigma.war file on your application server. For details on how to deploy the Identity Portal web archive file on different application servers, see the deployment documentation or follow the deployment instructions of your application server vendor.
    You can verify that the new sigma.war was deployed successfully by browsing to the URL "{hostname:port}/sigma/rest/available" while the Portal is up and running. The version number that is displayed in the result should be 6.
Defects Fixed: see the section CP-IP-120608-CR1-0004 - Defects Fixed


Patch Number: CP-IP-120608-CR1-0003
Applies To: 12.6.08 CR1
Provided Files: sigma.war
Deployment Instructions:
    Back up the currently deployed sigma.war file and remove (un-deploy) it from your application server.
    Deploy the provided sigma.war file on your application server. For details on how to deploy the Identity Portal web archive file on different application servers, see the deployment documentation or follow the deployment instructions of your application server vendor.
    You can verify that the new sigma.war was deployed successfully by browsing to the URL "{hostname:port}/sigma/rest/available" while the Portal is up and running. The version number that is displayed in the result should be 4.
Defects Fixed: see the section CP-IP-120608-CR1-0003 - Defects Fixed

Patch Number: CP-IP-120608-CR1-0002
Applies To: 12.6.08 CR1
Provided Files: sigma.war
Deployment Instructions:
    Back up the currently deployed sigma.war file and remove (un-deploy) it from your application server.
    Deploy the provided sigma.war file on your application server. For details on how to deploy the Identity Portal web archive file on different application servers, see the deployment documentation or follow the deployment instructions of your application server vendor.
Defects Fixed: see the section CP-IP-120608-CR1-0002 - Defects Fixed

Patch Number: CP-IP-120608-CR1-0001
Applies To: 12.6.08 CR1
Provided Files: sigma.war
Deployment Instructions:
    Back up the currently deployed sigma.war file and remove (un-deploy) it from your application server.
    Deploy the provided sigma.war file on your application server. For details on how to deploy the Identity Portal web archive file on different application servers, see the deployment documentation or follow the deployment instructions of your application server vendor.
Defects Fixed: see the section CP-IP-120608-CR1-0001 - Defects Fixed

CP-IP-120608-CR1-0002 - Defects Fixed

The following defects have been fixed in this Cumulative Patch:

Support Ticket: 626644
Engineering Ticket: DE263811
Problem Summary: Out of the box modules (Tasks, Access, My Requests and Campaigns) are always available in the mobile app.
Root Cause and Additional Deployment Instructions: The Profile configuration that controls which module is available was not applied on the mobile app.
Associated Risk: Low

CP-IP-120608-CR1-0003 - Defects Fixed

The following defects have been fixed in this Cumulative Patch:

Support Ticket: 635529
Engineering Ticket: DE266327
Problem Summary: Submitting a form with a mandatory internal property fails although a value was submitted.
Root Cause and Additional Deployment Instructions: The validation on the server side was defective regarding internal form properties.
Associated Risk: Low

CP-IP-120608-CR1-0001 - Defects Fixed

The following defects have been fixed in this Cumulative Patch:

Support Ticket: 582152
Engineering Ticket: DE264607
Problem Summary: CSV file values that include a comma are submitted as split values.
Root Cause and Additional Deployment Instructions: Elimination of double quotes in the CSV file sent to the server.
Associated Risk: Low

Support Ticket: 514973
Engineering Ticket: DE241820
Problem Summary: Clickjacking vulnerability.
Root Cause and Additional Deployment Instructions: Missing X-Frame-Options header.
Associated Risk: Low

Support Ticket: 523715
Engineering Ticket: DE241378
Problem Summary: Pressing Ctrl+8 in public pages doesn't type the character '*'.
Root Cause and Additional Deployment Instructions: Ctrl+8 was the shortcut key activating the 508 compliance color contrast.
Associated Risk: Low

Support Ticket: Internal
Engineering Ticket: DE264601
Problem Summary: Analytics module displays the request submission timeline wrong - requests are displayed later or earlier than the real time of submission.
Root Cause and Additional Deployment Instructions: Time presentation in the Analytics module does not ignore the local UTC offset.
Associated Risk: Low

Support Ticket: Internal
Engineering Ticket: DE227247
Problem Summary: Enabling security (setting 'sage.security.disable' to false) in IG causes failure on login and fetching campaigns.
Root Cause and Additional Deployment Instructions: Can't get the user login name when authorization is active in IG using the User context.
Associated Risk: Low

Support Ticket: Internal
Engineering Ticket: DE202698
Problem Summary: Link Attributes are not displayed in the Certification Campaigns task details screen.
Root Cause and Additional Deployment Instructions: Data was not wired correctly on the UI side.
Associated Risk: Low

Support Ticket: 448753
Engineering Ticket: DE187022
Problem Summary: Internet Explorer 'remembers' failed forgotten password attempts and fails any successful second try.
Root Cause and Additional Deployment Instructions: No cache busting was set on these pages and Internet Explorer cached the answers.
Associated Risk: Low

Support Ticket: 436081
Engineering Ticket: DE183614
Problem Summary: IM with IIS proxy returns HTTP error 411 when the IP connector tries to fetch the roles definitions from IM.
Root Cause and Additional Deployment Instructions: Missing Content-Length header.
Associated Risk: Low

CP-IP-120608-CR1-0004 - Defects Fixed

The following defects have been fixed in this Cumulative Patch:

Support Ticket | Engineering Ticket | Problem Summary | Root Cause and Additional Deployment Instructions | Associated Risk

Internal | DE265906 | Identity Portal is displayed in a different locale than the browser's default locale, although the locale is configured in the Portal's Localization section. | Identity Portal uses a different locale naming convention than browsers do, so locales do not match their equivalent names in the browser (e.g. "fr_CA" instead of "fr-CA", "iw" instead of "he", etc.). | Low

647431 | DE269220 | Locale two-letter code names are not written in uppercase. The date picker component is always displayed in English, even when a different locale is chosen. The times and dates in the Latest Activity section of the My Profile module are not localized correctly. | The date picker component is used without enabling localization. Time display formats in Latest Activity are hard-coded. | Low

CP-IP-120608-CR1-0005 - Defects Fixed

The following defects have been fixed in this Cumulative Patch:

Support Ticket | Engineering Ticket | Problem Summary | Root Cause and Additional Deployment Instructions | Associated Risk

597659 | DE267949 | The approval action (Approve / Reject) display names are not translated in the Portal when the current locale has a region component (e.g. "pt_BR", "fr_CA"). | The action display name received from Identity Manager carries a different locale name (the language without the region component), and the Portal's method that was to recognize it as the correct locale was defective. | Low

CP-IP-120608-CR1-0006 - Defects Fixed

The following defects have been fixed in this Cumulative Patch:

Support Ticket | Engineering Ticket | Problem Summary | Root Cause and Additional Deployment Instructions | Associated Risk

614160 | DE273130 | User attributes whose physical name starts with a capital letter are displayed in the Additional Information tab of Approval Tasks with their physical name instead of their screen display name. | This problem is related to the way the WSDL file is compiled: generated attribute names always start with a lowercase letter, so the attribute's name in the Roles and Tasks XML of the IM environment does not match the attribute's name in the compiled WSDL. Ignoring letter case while mapping the attribute's WSDL-generated name to its display name solved the issue. | Low

658271 | DE273123 | Dynamic localization (the translation of non-static strings) is not loaded after login through the SiteMinder login page. The dynamic translation appears only after refreshing the browser. | When using SSO, the user does not pass through the Portal's login page, which is where the locale cookie is set. | Low

Internal | DE200110 | The user information tooltip in a form Relations property doesn't display the user info. Instead, it displays the list of group members. | Entities were mistakenly swapped, causing the tooltip to display the Group information instead of the User information, and vice versa. | Low

474343 | DE203118 | LDAP search strings generated by the Portal can become very complex and overload the LDAP directory. | To reduce load on the directory when performing user/group searches, four search strategies were introduced: All, Exact, Split Queries and Longest. For more information about the search strategies, see the "Search Strategy Guide". | Low

Internal | DE232125 | The same results are fetched in the advanced User / Group search when moving between result pages. | Pagination in the Advanced search results was defective. | Low

495770 | DE224134 | The Approve Reverse New Account task causes a NullPointerException when Identity Portal tries to fetch approval work items. | The Portal fails to receive the user information from the ApproveReverseSyncNewAccount tab. | Low

Internal | DE224279 | Advanced Search cannot be executed in dynamic modules of type "Create and Manage" because the searchable attributes are missing. | The method for getting the searchable attributes was not wired correctly in the onboard and manage module. | Low

Internal | DE279564 | Search condition (filter) in the User Selector form property doesn't work. | The condition is ignored when executing the search. | Low

Internal | DE177201 | Changing the value of a User Selector form property doesn't update the displayed user information in the selection tooltip; it keeps displaying the user information of the previous selection. | The tooltip is not refreshed after the selected value has changed. | Low

Internal | DE248760 | User cannot add a comment when approving several approval tasks in bulk. | Added support for commenting on multiple approval tasks submitted in bulk. | Low

Internal | DE279952 | Reassigning approval tasks in bulk doesn't work. | The server did not support reassigning multiple approval tasks at once. Support for bulk reassignment of approval tasks was added. | Low

Internal | DE279956 | Configuring a Search Condition (filter) in a Dynamic Module's search configuration does not affect the results of the Predefined Search. Results that should be filtered out are displayed. | The Predefined Search uses a different search method which does not consider the filter. | Low

685063 | DE279988 | Certification data not visible: the user sees the campaign name, but clicking it raises an error and the user cannot see the certification tasks. | A different method in IG's web service is now invoked to handle the exception thrown by it. | Low

CP-IP-120608-CR1-0007 - Defects Fixed

The following defects have been fixed in this Cumulative Patch:

Support Ticket | Engineering Ticket | Problem Summary | Root Cause and Additional Deployment Instructions | Associated Risk

689605 | DE280655 | The Entitlement Tree does not save changes in the Applications order, so the administrator cannot rearrange the Applications in the tree. | If Applications do not have an order, the algorithm rearranging the order fails to set the new order. A new 'Reset model' option was added to allow the administrator to reset the order of all items before saving the new order. | Low

712130 | DE285704 | Incorrect time display in the Latest Activity tab of the My Profile screen. | The string "Last Saturday" that appears in the Latest Activity tab of the My Profile screen is parsed incorrectly and displayed as if the date were "Last S" and the hour "urday". | Low

722325 | DE287670 | Exporting requests to an Excel spreadsheet with a Search Filter does not work. | "Search query does not support random access" error. | Low

Internal | DE288554 | Viewing the content of a CSV form property in the My Requests screen does not work. | This functionality did not work when the CSV property was configured with the "Accept illegal rows" and "csv row limit" options. | Low

Internal | DE288552 | When the change password functionality is not set in the IM admin task's configuration, the functionality was still available in CA Identity Portal. | The Unlock operation was mapped to the change password configuration. | Low

Internal | DE288559 | Approval items are not displayed because an error occurs when a reverse sync approval item in the items list does not contain a task name. | Handle the case where the Work Item description does not contain the Task Name. | Low

CP-IP-120608-CR1-0008 - Defects Fixed

The following defects have been fixed in this Cumulative Patch:

Support Ticket | Engineering Ticket | Problem Summary | Root Cause and Additional Deployment Instructions | Associated Risk

00669797 | DE285609 | The Target Permission name drop-down list is disabled in the Target Permissions configuration screen; it doesn't open. | The list of available target permission names is huge (e.g. 8000 elements), which makes rendering of the drop-down list hang. The number of displayed elements in the list is now limited. | Low

00703572 | DE283780 | The Forgotten Password task doesn't display the temporary password to the user, although the Q&A process was completed successfully. | When TEWS uses a language other than English, which depends on the IDM server's locale, the Identity Portal server fails to parse the TEWS messages. | Low

00732899 | DE305207 | Requests in the My Requests screen appear with status Failed although they have not failed. | The same root cause as DE283780 above. | Low

00760286 | DE297033 | Empty Resource names in the Certification Campaigns screen. | Resource names appear empty if one of their values is empty. | Low

00782081 | DE305103 | Cross Site Scripting vulnerability. | Html element. | Low

00699133 | DE292056 | Loading the Access module (Current and Applications tabs) takes too long. | Scope calculation inefficiency when many Provisioning Roles are configured. | Low
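Two of the fixes listed above are HTTP response-header fixes (DE241820, the missing X-Frame-Options header, and DE187022, the lack of cache busting on the forgotten-password pages), and both can be verified from outside the application once the patched sigma.war is deployed. The following bash script is an added example, not part of the CA documentation or product: it reads raw HTTP response headers (for instance from `curl -sI`) and fails when X-Frame-Options is absent or not DENY/SAMEORIGIN, or when Cache-Control lacks no-store. The portal hostname and the /sigma/ context path in the usage comment are assumptions, and the sample responses are constructed, not captured from a real server.

```shell
#!/usr/bin/env bash
# Added example (not CA code): post-patch check for the header fixes DE241820
# (X-Frame-Options) and DE187022 (cache busting on forgotten-password pages).
# Usage (hostname and /sigma/ context path are assumptions, adjust to your deployment):
#   curl -sI https://portal.example.com/sigma/ | check_security_headers

# check_security_headers: reads raw HTTP response headers on stdin.
# Prints one FAIL line per finding; returns 0 when all checks pass, 1 otherwise.
check_security_headers() {
    local headers xfo status=0
    # normalise: drop CRs, lower-case names and values so comparisons are simple
    headers=$(tr -d '\r' | tr '[:upper:]' '[:lower:]')

    # Clickjacking: X-Frame-Options must exist and be DENY or SAMEORIGIN.
    xfo=$(printf '%s\n' "$headers" | awk -F': *' '$1 == "x-frame-options" { print $2; exit }')
    case "$xfo" in
        deny|sameorigin) ;;
        "")  echo "FAIL: X-Frame-Options header missing (clickjacking)"; status=1 ;;
        *)   echo "FAIL: X-Frame-Options has unexpected value '$xfo'"; status=1 ;;
    esac

    # Caching: a password-reset response must carry Cache-Control: no-store,
    # otherwise the browser may replay a stale (failed) answer, as in DE187022.
    if ! printf '%s\n' "$headers" | grep -q '^cache-control:.*no-store'; then
        echo "FAIL: Cache-Control does not contain no-store"; status=1
    fi
    return "$status"
}

# Constructed sample responses (not captured from a real server) for a dry run.
SAMPLE_PATCHED=$(printf 'HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\nCache-Control: no-cache, no-store, must-revalidate\r\nContent-Type: text/html\r\n')
SAMPLE_UNPATCHED=$(printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n')

if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    echo "patched sample:";   printf '%s' "$SAMPLE_PATCHED"   | check_security_headers && echo "  all checks passed"
    echo "unpatched sample:"; printf '%s' "$SAMPLE_UNPATCHED" | check_security_headers || true
fi
```

Run it against the login page and the forgotten-password page separately; the header on the login page tells you whether the application server or a front-end proxy is stripping X-Frame-Options, and only the password-reset response needs to be checked for no-store.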

Accessibility Features

CA Technologies is committed to making sure that all customers, regardless of ability, can successfully use its products and supporting documentation to accomplish vital business tasks. This section outlines the accessibility features that are part of CA Identity Suite.

Product Enhancements

CA Identity Suite offers accessibility enhancements in the following areas:

Display

Sound

Keyboard

Mouse

Custom Controls (if any)

Note: The following information applies to Windows-based and Macintosh-based applications. Java applications run on many host operating systems, some of which already have assistive technologies available to them. For these existing assistive technologies to provide access to programs written in JPL, they need a bridge between themselves in their native environments and the Java Accessibility support that is available from within the Java virtual machine (or Java VM). This bridge has one end in the Java VM and the other on the native platform, so it will be slightly different for each platform it bridges to. Sun is currently developing both the JPL and the Win32 sides of this bridge.


Display

To increase visibility on your computer display, you can adjust the following options:

Font style, color, and size of items

Defines font color, size, and other visual combinations.

Screen resolution

Defines the pixel count to enlarge objects on the screen.

Cursor width and blink rate

Defines the cursor width or blink rate, which makes the cursor easier to find or minimize its blinking.

Icon size

Defines the size of icons. You can make icons larger for visibility or smaller for increased screen space.

High contrast schemes

Defines color combinations. You can select colors that are easier to see.

Sound

Use sound as a visual alternative or to make computer sounds easier to hear or distinguish by adjusting the following options:

Volume

Sets the computer sound up or down.

Text-to-Speech

Sets the options for spoken commands and for reading text aloud.

Warnings

Defines visual warnings.

Notices

Defines the aural or visual cues when accessibility features are turned on or off.

Schemes

Associates computer sounds with specific system events.

Captions

Displays captions for speech and sounds.


Keyboard

You can make the following keyboard adjustments:

Repeat Rate

Defines how quickly a character repeats when a key is struck.

Tones

Defines tones when pressing certain keys.

Sticky Keys

Defines the modifier key, such as Shift, Ctrl, Alt, or the Windows Logo key, for shortcut key combinations. Sticky keys remain active until another key is pressed.

Mouse

You can use the following options to make your mouse faster and easier to use:

Click Speed

Defines how fast to click the mouse button to make a selection.

Click Lock

Sets the mouse to highlight or drag without holding down the mouse button.

Reverse Action

Swaps the functions of the left and right mouse buttons.

Blink Rate

Defines how fast the cursor blinks or if it blinks at all.

Pointer Options

Let you do the following:

Hide the pointer while typing

Show the location of the pointer

Set the speed that the pointer moves on the screen

Choose the pointer's size and color for increased visibility

Move the pointer to a default location in a dialog box

Custom Controls

Describe any custom controls here.


Keyboard Shortcuts

The following table lists the keyboard shortcuts that CA Identity Suite supports:

Keyboard Description

Ctrl+X Cut

Ctrl+C Copy

Ctrl+K Find Next

Ctrl+F Find and Replace

Ctrl+V Paste

Ctrl+S Save

Ctrl+Shift+S Save All

Ctrl+D Delete Line

Ctrl+Right Next Word

Ctrl+Down Scroll Line Down

End Line End

Shift+8 Displays the buttons in the UI with contrast

Left Arrow / Right Arrow

To traverse the main menu options such as My Profile, Dashboard, Tasks, and so on.

Ctrl+Up Arrow / Down Arrow

To move up and down in the entitlement tree.


Overview

This section contains the following topics:

Basic Capabilities

Benefits

CA Identity Suite Architecture

Plan Your Implementation

Basic Capabilities

CA Identity Suite is a comprehensive set of utilities that enable organizations to manage user identities and perform audit and role modeling activities effectively. The tools are delivered through a simple, intuitive front-end that offers business users easy access request and certification features.

CA Identity Portal

Secure user login and authentication

Self-service access requests and provisioning

Self-service response to certification requests

Self-management of user profile information

Lightweight, web-based interface that requires no specialist knowledge

Identity Management

Role-based access control and delegation

Business policy administration and application

Enforcement of segregation of duties requirements

Smooth on-boarding and off-boarding

Identity Governance

Entitlements cleanup

Role discovery and role modeling

Audit and business compliance checks

Certification of entitlements


Benefits

CA Identity Suite delivers comprehensive identity management and access governance capabilities for business users in a unified, easy to use interface. The intuitive self-service console improves business user productivity by delivering identity and entitlement features in a common business language. The interface uses a familiar shopping-cart experience for requesting access to new systems.

The product includes administrative features that help minimize administrative overhead and improve audit and compliance performance through centralized policy enforcement. CA Identity Suite leverages advanced provisioning and governance technology, while offering business users a lightweight, intuitive interface that users can access on a variety of devices.

CA Identity Suite brings the following benefits:

Business ease of use

Feature rich and user friendly access requests

Single-pane view, rather than multiple applications

Minimal training required for business users

Advanced technology

CA leading identity management and governance technology

Extensive connectivity (40+ built-in connectors)

SCIM (System for Cross-domain Identity Management)

Reduced IT effort and increased productivity with Xpress Technologies:

Config Xpress

ConnectorXpress

Policy Xpress

Discovery Xpress

CA Identity Suite Architecture

CA Identity Suite includes three components:

CA Identity Portal

CA Identity Manager

CA Identity Governance


CA Identity Portal administrators are responsible for installing, hosting, and managing all the CA products that form the CA Identity Suite solution.

The following diagram summarizes the architecture of a typical CA Identity Suite implementation.

Plan Your Implementation

Depending on your business needs, you may want to use some or all of the features of CA Identity Portal. The product contains the following components:

CA Identity Manager

CA Identity Governance

CA Identity Portal

To use the identity management and governance features, and the portal interface, implement all components.

Follow these steps:

Install CA Identity Manager. For more information about implementing CA Identity Manager, see the CA Identity Manager Implementation and Installation Guides.

Install CA Identity Governance. For more information about implementing CA Identity Governance, see the CA Identity Governance Implementation and Installation Guides.

Install CA Identity Portal. For more information about installing CA Identity Portal, see Installing CA Identity Portal.

To use the identity management features and the portal interface only, implement CA Identity Manager and CA Identity Portal only. Select this option if you do not need to perform compliance or segregation of duties checks.

Follow these steps:

Install CA Identity Manager. For more information about implementing CA Identity Manager, see the CA Identity Manager Implementation and Installation Guides.

Install CA Identity Portal. For more information about installing CA Identity Portal, see the CA Identity Suite Installation Guide.


Installing

This section contains the following topics:

Installing CA Identity Portal

Installing CA Identity Suite Virtual Appliance

Installing CA Identity Portal

CA Identity Portal is a web-based business-ready identity and access management application. CA Identity Portal provides a business logic layer that leverages and aggregates functionality from existing Identity Management products, such as CA Identity Manager (CA IDM) and Identity Governance (CA IG). CA Identity Portal is designed for the non-technical business end user and delivers an intuitive all-inclusive interface in the form of a single page web application.

From a components perspective, CA Identity Portal is a Java web application that is deployed on a supported application server or servlet container. CA Identity Portal requires a database for its configuration and persistence stores. CA Identity Portal interfaces with the organization's existing IDM platforms (such as CA Identity Manager) through CA Identity Portal backend connectors. CA Identity Portal communicates with the IDM backend platforms using the exposed public APIs of these backend systems (for example, Web Services (TEWS) and Workpoint APIs for CA IDM, and the web services API for CA IG).

CA Identity Portal can be deployed in a single node configuration or in a multi node cluster configuration. A CA Identity Portal cluster configuration does not depend on the application server cluster abilities and can exist even if the application server itself is not deployed in a cluster mode.

CA Identity Portal can be deployed with basic authentication, where user credentials (user id, password) are validated to a main CA Identity Portal backend connector (for example CA IDM). Alternatively, CA Identity Portal can be integrated with CA SSO to deliver a single sign-on experience to the end user.

This section contains the following topics:

CA Identity Portal Installation Process

Post-Installation Tasks

CA Identity Portal Installation Process

CA Identity Portal installation differs slightly according to the application server on which it is installed. Please follow the specific instructions for your application server.

The following steps give a general overview of the installation process:

Install the pre-requisites

Install and prepare a Database

Install a JDK

Install and prepare an Application Server

JBoss

WebLogic

Tomcat

WebSphere

Add 3rd Party Jars to the Application Server (application server specific)

Install CA Identity Portal (using the CA Identity Portal installer)

Perform Post-Installation Tasks.

This section contains the following topics:

Installing a Database

Installing CA Identity Portal on JBoss

Installing Identity Portal on WebLogic

Installing Identity Portal on Tomcat

Installing Identity Portal on WebSphere

Installing Identity Portal in a Cluster

Installing a Database

Install and prepare a database. The following databases are supported:

Oracle Database

MySQL Database

MS SQL Database

Oracle Database

Follow these steps:

Install a supported version of the Oracle database. We recommend that the database is run on a separate server other than the CA Identity Portal application server.

Create a dedicated schema for CA Identity Portal. The schema user should have the following DB Roles:

CONNECT

RESOURCE

Record the database user and password to be specified in the CA Identity Portal installer.

MySQL Database

Follow these steps:

Install a supported version of the MySQL database. We recommend that the database is run on a separate server other than the CA Identity Portal application server.

Create a dedicated database instance for CA Identity Portal. Create a user with schema owner privileges on the CA Identity Portal schema and grant remote access to this user.

Record the database user and password to be specified in the CA Identity Portal installer.

Enable the "READ-COMMITTED" Transaction Isolation mode on the database:

On the MySQL server machine, locate the "my.ini" MySQL configuration file. Example:

C:\ProgramData\MySQL\MySQL Server 5.5\my.ini

It is possible that the MySQL service was configured to run with a different INI file. Make sure that you locate the file that is actually used by the MySQL service. For example, if MySQL is running on Windows, inspect the "Path to executable" parameter of the MySQL service in the Services panel.

Look for the [mysqld] section and add the following line:

transaction-isolation = READ-COMMITTED

Restart the MySQL database service.

Verify that the global setting took effect by running the following SQL query against the database (using the MySQL command line client or any other tool):

SHOW GLOBAL VARIABLES LIKE 'tx_isolation'

The expected value is READ-COMMITTED. MySQL 5.7.20 introduced transaction_isolation as the new name of this variable and MySQL 8.0 removed tx_isolation, so on those versions query SHOW GLOBAL VARIABLES LIKE 'transaction_isolation' instead.
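The edit-restart-verify procedure above is easy to get wrong on a host that has several option files or an existing transaction-isolation line. The following bash script is an added example, not part of the CA documentation: it places exactly one READ-COMMITTED directive inside the [mysqld] section (adding the section if it is missing, replacing any other value, dropping duplicates) and parses the SHOW GLOBAL VARIABLES output to confirm the running server picked it up, accepting either the old tx_isolation or the newer transaction_isolation name. The option-file path, service name and credentials in the usage comments are assumptions; the SHOW output in the test is constructed.

```shell
#!/usr/bin/env bash
# Added example (not CA code): apply the READ-COMMITTED setting to a MySQL option
# file idempotently, then confirm it on the running server. Paths, service name and
# credentials below are assumptions.
#
#   set_read_committed /etc/my.cnf        # or the my.ini the service actually loads
#   systemctl restart mysqld
#   mysql -u root -p -e "SHOW GLOBAL VARIABLES LIKE '%isolation'" | verify_read_committed

# set_read_committed <option-file>: ensure exactly one
# "transaction-isolation = READ-COMMITTED" line inside the [mysqld] section.
set_read_committed() {
    local file=$1 tmp
    tmp=$(mktemp)
    awk '
        /^\[mysqld\]/ { in_mysqld = 1; seen = 1; print; next }
        /^\[/ {                      # another section starts: close [mysqld]
            if (in_mysqld && !done) { print "transaction-isolation = READ-COMMITTED"; done = 1 }
            in_mysqld = 0
        }
        in_mysqld && /^[[:space:]]*transaction[-_]isolation[[:space:]]*=/ {
            if (!done) print "transaction-isolation = READ-COMMITTED"   # rewrite value, drop duplicates
            done = 1; next
        }
        { print }
        END {
            if (!done) {             # [mysqld] was the last section (or absent): append
                if (!seen) print "[mysqld]"
                print "transaction-isolation = READ-COMMITTED"
            }
        }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# isolation_from_show_output: reads SHOW GLOBAL VARIABLES output on stdin and
# prints the level. MySQL 5.7.20 added transaction_isolation and 8.0 removed
# tx_isolation, so LIKE '%isolation' plus this parser works on both.
isolation_from_show_output() {
    awk '$1 == "transaction_isolation" || $1 == "tx_isolation" { print $2; exit }'
}

# verify_read_committed: exit 0 only if the server reports READ-COMMITTED.
verify_read_committed() {
    [ "$(isolation_from_show_output)" = "READ-COMMITTED" ]
}
```

Because the directive is written to the file rather than set with SET GLOBAL, the value survives a restart; verify_read_committed is what tells you the service was actually restarted from the file you edited rather than from another my.ini.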

MS SQL Database

Follow these steps:

Install a supported version of the MS SQL database. We recommend that the database is run on a separate server other than the CA Identity Portal application server.

Set MS SQL Server Security to "SQL Server and Windows Authentication mode".

Create a dedicated database instance for CA Identity Portal.

Create a Login User (SQL Server authentication) with schema owner privilege on the CA Identity Portal Database schema (record the user name and password).

Configure TCP/IP connectivity for the SQL Server (record the TCP port to which the server is bound).

Installing CA Identity Portal on JBoss

The following process describes how to install CA Identity Portal on JBoss.

Install JDK

Install a supported Java Development Kit (JDK).

Note: If installing on Linux, make sure that the JDK bin folder is in the user's PATH. To verify this, type "java -version" at the command prompt and make sure that the JDK runtime is invoked.

Install the Application Server

Install a supported JBoss application server.

Setup JDK for the JBoss Application Server

Make sure that the application server is configured to run with the JDK you installed (not the JRE).

To verify that JBoss starts with a JDK, set a system wide environment variable: JAVA_HOME and point it to the JDK home.

Alternatively, you can modify the JBoss standalone.bat/.sh script and declare the JAVA_HOME variable at the beginning of the file:

Example:

On Windows:

set JAVA_HOME=c:\Java\jdk1.7.0_45


On Linux:

export JAVA_HOME=/usr/java/jdk1.7.0_45

Setup the JVM memory parameters for the JBoss Application Server

Make sure that the application server is configured to run with sufficient resources, such as heap size and perm size.

The memory parameters used by JBoss are configured in <JBOSS HOME>/bin/standalone.conf.bat (standalone.conf on Linux).

Change the following line according to the CA Identity Portal recommendation:

set "JAVA_OPTS=-Xms64M -Xmx512M -XX:MaxPermSize=256M"

Example:

set "JAVA_OPTS=-Xms2048M -Xmx2048M -XX:MaxPermSize=1024M"

Validate the JBoss Application Server Installation

Verify that the application server starts correctly (using the standalone server start script).

By default, JBoss only binds to the loopback interface (127.0.0.1). To bind JBoss to all interfaces (so that it can be accessed from outside the hosting server), invoke the standalone start-up script with the following parameters:

-b=0.0.0.0

-bmanagement=0.0.0.0

Example:

standalone.bat -b=0.0.0.0 -bmanagement=0.0.0.0

Note that -bmanagement=0.0.0.0 also exposes the management console and CLI (port 9990 by default) on every interface. In production, bind the management interface to a dedicated administrative address or leave it on 127.0.0.1, and restrict the port with a firewall; only the application interface (-b) needs to be reachable by end users.

Verify that JBoss started with the JDK. JBoss log must show a line pointing to your JDK.Example:

java.home = c:\Program Files\Java\jdk1.7.0_45\jre

Record the application server base directory to be supplied to the CA Identity Portal installer.

Verify that the JBoss command line client is working properly. Run the following from the command line (using the same user that was used to install the Application Server):

On Windows:

<JBOSS HOME>\bin\jboss-cli.bat --connect --commands=version,quit

On Linux:

<JBOSS HOME>/bin/jboss-cli.sh --connect --commands=version,quit

The output should provide information about the running JBoss instance.

Create a JBoss Administrative User

Create a JBoss administrative user and make sure that you can log in to the JBoss Management Console using the user you created (you must provide this admin user credentials during the installation of CA Identity Portal).

Following is the JBoss Admin Console URL (when browsing from the JBoss server itself):

http://localhost:9990/console/


To create a JBoss Admin User, run the following command from the JBoss bin folder:

On Windows:

<JBOSS HOME>\bin\add-user.bat

On Linux:

<JBOSS HOME>\bin\add-user.sh

Example:

C:\jboss-eap-6.4\bin>add-user.bat
What type of user do you wish to add?
a) Management User (mgmt-users.properties)
Enter the details of the new user to add.
Realm (ManagementRealm) :
Username : jbossadmin
Password : ********
Re-enter Password : ********
About to add user 'jbossadmin' for realm 'ManagementRealm'
Is this correct yes/no? yes
Added user 'jbossadmin' to file 'C:\jboss-eap-6.4\standalone\configuration\mgmt-users.properties'
Added user 'jbossadmin' to file 'C:\jboss-eap-6.4\domain\configuration\mgmt-users.properties'
Is this new user going to be used for one AS process to connect to another AS process?
e.g. for a slave host controller connecting to the master or for a Remoting connection for server to server EJB calls.
yes/no? yes
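The preparation steps above (a JDK rather than a JRE, JAVA_HOME, the JVM heap settings, and the java.home line in the JBoss log) are easy to get subtly wrong, and the CA Identity Portal installer only reports the consequences later. The following bash pre-flight script is an added example, not part of the CA documentation or the installer, for a Linux JBoss host: it checks that JAVA_HOME is a JDK, that the -Xmx in standalone.conf meets the 2048M recommendation, and that the java.home the server logged at startup belongs to a JDK. The file paths in the usage comment are assumptions. One caveat on the recommended JAVA_OPTS line: -XX:MaxPermSize is a Java 7 option; Java 8 has no permanent generation and ignores it with a warning, so on Java 8 size the heap and leave that flag out.

```shell
#!/usr/bin/env bash
# Added example (not CA code): pre-flight checks for the JBoss preparation steps
# above, for a Linux host. Usage (paths are assumptions):
#   export JAVA_HOME=/usr/java/jdk1.7.0_45
#   preflight /opt/jboss-eap-6.4/bin/standalone.conf /opt/jboss-eap-6.4/standalone/log/server.log

# is_jdk_home <dir>: true only for a JDK (has javac), not a bare JRE.
is_jdk_home() {
    [ -n "$1" ] && [ -x "$1/bin/java" ] && [ -x "$1/bin/javac" ]
}

# heap_mb_from_conf <standalone.conf>: the -Xmx value in megabytes, 0 if absent.
# Accepts -Xmx2048M, -Xmx2048m and -Xmx2g, in either the .conf or .conf.bat form.
heap_mb_from_conf() {
    sed -n 's/.*-Xmx\([0-9][0-9]*\)\([mMgG]\).*/\1 \2/p' "$1" | head -n 1 |
        awk 'BEGIN { v = 0 } { v = ($2 ~ /[gG]/) ? $1 * 1024 : $1 } END { print v }'
}

# java_home_from_log <server.log>: the java.home value JBoss prints at startup.
java_home_from_log() {
    sed -n 's/.*java\.home = //p' "$1" | head -n 1
}

# started_with_jdk <server.log>: JDK 7/8 report java.home as <JDK>/jre, so strip
# a trailing /jre and check that the parent directory is a JDK.
started_with_jdk() {
    local jh
    jh=$(java_home_from_log "$1")
    [ -n "$jh" ] || return 1
    is_jdk_home "${jh%/jre}"
}

# preflight <standalone.conf> <server.log>: run every check; 0 only if all pass.
preflight() {
    local conf=$1 log=$2 rc=0 heap
    if is_jdk_home "${JAVA_HOME:-}"; then echo "OK   JAVA_HOME=$JAVA_HOME is a JDK"
    else echo "FAIL JAVA_HOME is unset or points at a JRE"; rc=1; fi

    heap=$(heap_mb_from_conf "$conf")
    if [ "$heap" -ge 2048 ]; then echo "OK   -Xmx${heap}M"
    else echo "FAIL -Xmx is ${heap}M; CA recommends 2048M"; rc=1; fi

    if started_with_jdk "$log"; then echo "OK   JBoss started with $(java_home_from_log "$log")"
    else echo "FAIL JBoss log does not show a JDK java.home (JRE, or server not started yet)"; rc=1; fi
    return "$rc"
}
```

Run preflight after the first successful start and before launching the CA Identity Portal installer; a FAIL on the log check with a passing JAVA_HOME usually means the start script was launched from a shell that did not have the variable exported.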

Setup the JDBC Driver - JBoss

Download the Database JDBC Driver for Your Database

You need to download a JDBC driver specific to your database vendor. Save it on the server; you will need to refer to this file during the installation.

Oracle database

CA Identity Portal requires the latest Oracle JDBC driver for Java Runtime v.6 (ojdbc6.jar). Download this driver distribution from the Oracle Web Site.

MS SQL database

CA Identity Portal requires MS SQL JDBC Driver v4.x. Download this driver distribution from the Microsoft Web Site (http://www.microsoft.com/en-us/download/details.aspx?displaylang=en&id=11774).

MySQL database

CA Identity Portal requires driver version 5.1.x and above.

Example:

mysql-connector-java-5.1.25-bin

Download this driver from: http://dev.mysql.com/downloads/connector/j/


Update JBoss Logging Module - JBoss EAP 6.4 only

To install IP 1.6.2 on JBoss EAP 6.4, you need to replace the jar file that the JBoss logging module references with the newer version used by Identity Portal:

1. Stop JBoss.

2. Browse to:

<JBOSS_HOME>\modules\system\layers\base\org\jboss\logging\main

3. Replace this jar file: jboss-logging-3.1.4.GA-redhat-2.jar with this one: jboss-logging-3.3.0.Final.jar. The file can be found in the JBoss official repository: https://repository.jboss.org/nexus/content/groups/public/org/jboss/logging/jboss-logging/3.3.0.Final/jboss-logging-3.3.0.Final.jar or in the Identity Portal war file itself: sigma.war\WEB-INF\lib

4. Modify the module.xml file: change the reference of the jar to match the new one; e.g.

<module xmlns="urn:jboss:module:1.1" name="org.jboss.logging">
   <resources>
      <resource-root path="jboss-logging-3.3.0.Final.jar"/>
      <!-- Insert resources here -->
   </resources>
   <dependencies>
      <module name="org.jboss.logmanager"/>
   </dependencies>
</module>

5. Restart JBoss to make sure the change takes effect with no errors.
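The jar swap and module.xml edit above, scripted as an added example that is not part of the CA documentation or the product: it keeps the old jar and module.xml under a .old suffix and then checks that every resource-root in module.xml names a jar that exists on disk, which catches a mistyped jar name before JBoss refuses to start. The function names are this example's own; the demo runs against a constructed module directory in a temp folder, not a real JBoss install.

```shell
#!/bin/sh
# Added example (not from the CA Identity Portal documentation): script the
# jboss-logging jar swap for JBoss EAP 6.4 and verify the module afterwards.
# Jar names and the module path are the guide's; function names are this example's.

OLD_JAR='jboss-logging-3.1.4.GA-redhat-2.jar'
NEW_JAR='jboss-logging-3.3.0.Final.jar'

# verify_module_resources MODULE_DIR
# Reads each <resource-root path="..."/> from module.xml (one element per line)
# and fails if the referenced file is missing from MODULE_DIR.
verify_module_resources() {
    _dir="$1"
    _rc=0
    for _path in $(sed -n 's/.*<resource-root path="\([^"]*\)".*/\1/p' "$_dir/module.xml"); do
        if [ -f "$_dir/$_path" ]; then
            echo "ok: $_path"
        else
            echo "missing: $_path" >&2
            _rc=1
        fi
    done
    return $_rc
}

# update_logging_module MODULE_DIR NEW_JAR_SOURCE
# MODULE_DIR is <JBOSS_HOME>/modules/system/layers/base/org/jboss/logging/main.
# NEW_JAR_SOURCE is the 3.3.0.Final jar taken from the JBoss repository or from
# sigma.war/WEB-INF/lib. The old jar and module.xml are kept with a .old suffix.
update_logging_module() {
    _dir="$1"
    _src="$2"
    [ -f "$_dir/module.xml" ] || { echo "no module.xml in $_dir" >&2; return 1; }
    [ -f "$_src" ] || { echo "new jar not found: $_src" >&2; return 1; }
    if [ -f "$_dir/$OLD_JAR" ]; then
        mv "$_dir/$OLD_JAR" "$_dir/$OLD_JAR.old"
    fi
    cp "$_src" "$_dir/$NEW_JAR"
    cp "$_dir/module.xml" "$_dir/module.xml.old"
    # rewrite the resource-root reference; sed -i is avoided for portability
    sed "s|<resource-root path=\"$OLD_JAR\"/>|<resource-root path=\"$NEW_JAR\"/>|" \
        "$_dir/module.xml.old" > "$_dir/module.xml"
    verify_module_resources "$_dir"
}

# demo: builds a constructed module directory in a temp folder (not a real
# JBoss install) and runs the swap against it.
demo() {
    _tmp=$(mktemp -d)
    mkdir "$_tmp/download"
    printf '%s\n' \
        '<module xmlns="urn:jboss:module:1.1" name="org.jboss.logging">' \
        '   <resources>' \
        "      <resource-root path=\"$OLD_JAR\"/>" \
        '   </resources>' \
        '   <dependencies>' \
        '      <module name="org.jboss.logmanager"/>' \
        '   </dependencies>' \
        '</module>' > "$_tmp/module.xml"
    : > "$_tmp/$OLD_JAR"                 # stand-in for the shipped jar
    : > "$_tmp/download/$NEW_JAR"        # stand-in for the downloaded jar
    update_logging_module "$_tmp" "$_tmp/download/$NEW_JAR"
    grep 'resource-root' "$_tmp/module.xml"
    rm -rf "$_tmp"
}

demo
```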

Run the CA Identity Portal Installer - JBoss

Note:

If installing on Linux, make sure to run the CA Identity Portal installer using the same user that was used to install the Application Server.

If installing on Linux, make sure that the JDK bin folder is in the user's environment path. To verify, type "java -version" on the command prompt and make sure that the JDK runtime is invoked.

The CA Identity Portal installer supports installation on JBoss in "Standalone" server mode. To achieve a CA Identity Portal cluster configuration, run the CA Identity Portal installer on several separate JBoss deployments in "Standalone" mode.

The CA Identity Portal installer may fail to start on Windows with Java 8 ("windows error 2 occurred" message is displayed). To start the installer, open a Windows command line and type:

<installer_exe> LAX_VM <Java_exe_full_path>

Example:

SIGMA_Installer.exe LAX_VM "C:\Program Files\Java\jre6\bin\java.exe"


The CA Identity Portal installer may fail to start on Windows 2012 R2. To start the installer, right-click the CA Identity Portal exe file, select Properties > Compatibility tab. Check 'Run this program in compatibility mode' for your Windows version and click Apply.

For a CA Identity Portal cluster installation, rerun this installation procedure on each CA Identity Portal application server node.

Follow these steps:

1. Verify that the installation prerequisites described in the previous steps have been met.

2. Start the JBoss application server (if not already started).

3. Run the CA Identity Portal installer on the computer where the CA Identity Portal application server is installed.

4. Choose the installation mode: select "Install All" for a Wizard based installation.

5. Accept the license agreement.

6. Supply the path to the installed JDK home folder. Example: C:\Program Files\Java\jdk1.7.0_80

7. Select the Application Server type: JBoss

8. Enter the JBoss application server information:

a. JBoss Host - The hostname used to connect to the JBoss management console (default is: localhost).

b. JBoss Admin Port - The TCP port to which the JBoss management console is bound (default is: 9990).

c. User Name - The user name of the JBoss administrative user you created to access the JBoss management console.

d. Password - The password of the JBoss administrative user you created to access the JBoss management console.

e. JBoss Server Home Folder - Path to the JBoss home folder (for example: c:\jboss-eap-6.4).

9. Choose and enter a UserID and Password to be used as the CA Identity Portal Administrator. This username and password pair will be created in the Application Server security realm.

Note: Make sure that you choose a complex password (at least 9 characters long, including a capital letter, a number and a non-alphanumeric character; for example: Pizass1).

10. Choose a folder location for the CA Identity Portal client log files. Example: C:\CA Identity Portal\Logs

Note: This folder will be created in case it does not exist.


11. Select a database type to be used for the CA Identity Portal configuration & runtime store (MySQL, MS SQL, Oracle).

12. Specify the database connection and credential information. Specify the location of the database JDBC driver (JAR file) downloaded in the previous section.

13. Choose whether to configure the workpoint jar files folder. If 'yes' is selected, the CA Identity Portal installer extracts the relevant workpoint jar files to the local system. Choose the CA-IM version to work with and the local workpoint jar files folder. Make sure that the local folder exists before proceeding with the installation.

14. Choose to install the included CA Identity Portal General Release version or provide a patched version, in the form of a CA Identity Portal web archive.

15. Choose a CA Identity Portal home folder (where the tools and sample files will be installed).

Note: This folder will be created in case it does not exist.

16. Review and approve the summary of installation. Click "Install" to perform the actual installation.

17. Validate the installation results:

a. If the application server is not running, start the application server now.

b. Review the application server log file for start up errors.

Note: If your database schema is new, then the following error message appears in the log:

UIDATA: invalid identifier

This is a known issue and can be ignored.

c. Check that the CA Identity Portal Administration UI is up.

i. Go to the page: http://<application server host>:port/sigma/admin

Example: http://localhost:8080/sigma/admin

ii. Provide the CA Identity Portal Administrator Username and Password you set during the installation.

Proceed to the Post-Installation Tasks section.

Installing Identity Portal on WebLogic

Install a JDK
Install the Application Server
Set Up a JDK for the WebLogic Application Server
Set Up a MS SQL Server Driver in the WebLogic Application Server
Verify the WebLogic Application Server Start Up
Run the CA Identity Portal Installer – WebLogic
Validate the Installation Results


Install a JDK

Install a supported Java Development Kit (JDK).

Note: If installing on Linux, make sure that the JDK bin folder is in the user's environment path. To verify this, type "java -version" on the command prompt and make sure that the JDK runtime is invoked.

Install the Application Server

Install a supported WebLogic application server.

Note:

The CA Identity Portal installer requires WebLogic to be configured in a cluster configuration with at least one admin server and one managed server.

WebLogic Node Manager must be configured and used to start and stop the managed server/s on which CA Identity Portal is to be installed.

Set Up a JDK for the WebLogic Application Server

Make sure that the application server is configured to run with the JDK you installed (not the JRE). Look for the following lines in the WebLogic "<managed_server_name>.out" log:

starting WebLogic with Java version:
java version "1.7.0_80"
Java(TM) SE Runtime Environment (build 1.7.0_80-b06)
Java HotSpot(TM) 64-Bit Server VM (build 20.45-b01, mixed mode)
Starting WLS with line:
C:\PROGRA~1\Java\JDK17~1.0_4\bin\java -client ...

Set Up a MS SQL Server Driver in the WebLogic Application Server

To set up the MS SQL Server driver in WebLogic v12.1.1:

1. Place the sqljdbc4.jar file in the following location:

<WEBLOGIC HOME>\profiles\default\sys_manifest_classpath

2. Edit the jdbcdrivers.xml file available in the following location:

<WEBLOGIC HOME>\server\lib\

3. Add the following lines at the end of the <Driver> section:

<Driver
   Database="MS SQL Server 2008"
   Vendor="Microsoft"
   Type="Type 4"
   DatabaseVersion="2008 and later"
   ForXA="false"
   ClassName="com.microsoft.sqlserver.jdbc.SQLServerDriver"
   URLHelperClassname="weblogic.jdbc.utils.MSSQL2005JDBC4DriverURLHelper"
   TestSql="SELECT 1">
      <Attribute Name="DbmsName" Required="false" InURL="true"/>
      <Attribute Name="DbmsHost" Required="true" InURL="true"/>
      <Attribute Name="DbmsPort" Required="true" InURL="true" DefaultValue="1433"/>
      <Attribute Name="DbmsUsername" Required="true" InURL="false"/>
      <Attribute Name="DbmsPassword" Required="true" InURL="false"/>
</Driver>

4. Restart the admin server.


Verify the WebLogic Application Server Start Up

1. Verify that the application server starts correctly when started using the WebLogic Node Manager (by starting the managed server from the WebLogic Administration Console).

2. Record the application server base directory to be specified in the CA Identity Portal installer. Example: D:\Oracle\wlserver_12.1

3. Make sure that you have an administrative user to log in to the WebLogic Administration Console. This user will be required for the CA Identity Portal installation.

Run the CA Identity Portal Installer – WebLogic

Note:

If installing on Linux, make sure to run the CA Identity Portal installer using the same user that was used to install the Application Server.

If installing on Linux, make sure that the JDK bin folder is in the user's environment path. To verify, type "java -version" on the command prompt and make sure the JDK runtime is invoked.

The CA Identity Portal installer may fail to start on Windows with Java 8 ("windows error 2 occurred" message is displayed). To start the installer, open a Windows command line and type the following command:

<installer_exe> LAX_VM <Java_exe_full_path>

Example:

SIGMA_Installer.exe LAX_VM "C:\Program Files\Java\jre6\bin\java.exe"

The CA Identity Portal installer may fail to start on Windows 2012 R2. To start the installer, right-click the CA Identity Portal exe file, select Properties > Compatibility tab. Check 'Run this program in compatibility mode' for your Windows version and click Apply.

If using a MySQL database, make sure that the database is configured with transaction-isolation = READ-COMMITTED:

a. Log in to the database machine, browse to the MySQL home folder and locate the my.ini configuration file. Example: C:\ProgramData\MySQL\MySQL Server 5.5\my.ini

b. Update the my.ini configuration file: look for the [mysqld] section and add the following line:

transaction-isolation = READ-COMMITTED

c. Restart the MySQL database service.
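The my.ini edit above as an added example that is not part of the CA documentation: a section-aware check and fix, so that the transaction-isolation line lands under [mysqld] and not under [client] or [mysqldump], where mysqld would ignore it. The function names are this example's own; the demo runs over a constructed my.ini, not a real server's file.

```shell
#!/bin/sh
# Added example (not from the CA Identity Portal documentation): check and set
# transaction-isolation = READ-COMMITTED in the [mysqld] section of my.ini.
# The file path is supplied by the caller; function names are this example's own.

WANT='READ-COMMITTED'

# mysqld_isolation FILE
# Prints the transaction-isolation value found in the [mysqld] section (the last
# one if repeated), or nothing when it is not set there. Settings in other
# sections are ignored; both the dash and underscore spellings are recognised.
mysqld_isolation() {
    awk -F= '
        /^[[:space:]]*\[/ { in_mysqld = ($0 ~ /^[[:space:]]*\[mysqld\]/); next }
        in_mysqld && $1 ~ /^[[:space:]]*transaction[-_]isolation[[:space:]]*$/ {
            v = $2
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            last = v
        }
        END { print last }' "$1"
}

# ensure_read_committed FILE
# Leaves the file alone when [mysqld] already has READ-COMMITTED; otherwise
# rewrites an existing transaction-isolation line in [mysqld], or appends one to
# that section (creating the section if the file has none). A .bak copy is kept.
ensure_read_committed() {
    _file="$1"
    if [ "$(mysqld_isolation "$_file")" = "$WANT" ]; then
        echo "$_file: [mysqld] already has transaction-isolation = $WANT"
        return 0
    fi
    cp "$_file" "$_file.bak"
    awk -v line="transaction-isolation = $WANT" '
        /^[[:space:]]*\[/ {
            if (in_mysqld && !done) { print line; done = 1 }
            in_mysqld = ($0 ~ /^[[:space:]]*\[mysqld\]/)
        }
        in_mysqld && $0 ~ /^[[:space:]]*transaction[-_]isolation[[:space:]]*=/ {
            if (!done) { print line; done = 1 }
            next
        }
        { print }
        END {
            if (!done) {
                if (!in_mysqld) print "[mysqld]"
                print line
            }
        }' "$_file.bak" > "$_file"
    echo "$_file: set transaction-isolation = $WANT under [mysqld] (backup in $_file.bak)"
}

# demo: runs both functions over a constructed my.ini (not a real server's file)
demo() {
    _ini=$(mktemp)
    printf '%s\n' '[client]' 'port=3306' '' '[mysqld]' 'port=3306' \
        'datadir=/var/lib/mysql' '' '[mysqldump]' 'quick' > "$_ini"
    echo "before: '$(mysqld_isolation "$_ini")'"
    ensure_read_committed "$_ini"
    echo "after:  '$(mysqld_isolation "$_ini")'"
    ensure_read_committed "$_ini"   # second run is a no-op
    rm -f "$_ini" "$_ini.bak"
}

demo
```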

Follow these steps:

1. Verify that the installation prerequisites described in the previous steps have been met.


2. Start the WebLogic Admin server (if not already started) and make sure that you can access the Admin server web console. Make sure that all the server nodes to which you plan to deploy CA Identity Portal are stopped.

3. Run the CA Identity Portal installer on the computer where the CA Identity Portal WebLogic Admin server is running.

Note: If WebLogic is running in "Production Mode", log out of the Administration Console before running the CA Identity Portal installer.

4. Choose the installation mode: select "Install All" for a Wizard based installation.

5. Accept the license agreement.

6. Specify the path to the installed JDK home folder. Example: C:\Program Files\Java\jdk1.7.0_80

7. Select the Application Server type: WebLogic

8. Enter the WebLogic application server information:

a. WebLogic Host - Hostname used to connect to the WebLogic management console (default is: localhost).

b. Port - TCP port to which the WebLogic Web Administration console is bound (default is: 7001).

c. User Name - User name for the WebLogic administrative user you created when WebLogic was installed.

d. Password - Password for the WebLogic administrative user you created to access the WebLogic Administration console.

e. WebLogic Server Home Folder - Path to the WebLogic home folder (for example: C:\Oracle\Middleware\wlserver_12.1).

9. Select the Deployment Targets:

10. Review the information displayed by the installer. A list of WebLogic server nodes and clusters should be displayed. For example:

The following targets are available:
1. AdminServer
2. sigma_node1
3. sigma_node2
4. sigma_cluster

11. In most cases, we recommend selecting the cluster as the deployment target for CA Identity Portal.

12. Choose a folder location for the CA Identity Portal client log files.

Note: This folder will be created in case it does not exist.


13. Choose and enter a UserID and Password to be used as the CA Identity Portal Administrator. This username and password pair will be created in the Application Server security realm.

Note: Make sure that you choose a complex password (at least 9 characters long, including a capital letter, a number and a non-alphanumeric character; for example: Pizass1).

14. Select a database type to be used for the CA Identity Portal configuration & runtime store (MySQL, MS SQL, Oracle).

15. Specify the database connection and credential information.

Note: The installer does not verify connectivity and credentials to the database. Make sure that the connection details and credentials are valid.

16. Choose whether to configure the workpoint jar files folder. If 'yes' is selected, the CA Identity Portal installer extracts the relevant workpoint jar files to the local system. Choose the CA-IM version to work with and the local workpoint jar files folder. Make sure that the local folder exists before proceeding with the installation.

17. Choose to install the included CA Identity Portal General Release version or provide a patched version, in the form of a CA Identity Portal web archive.

18. Choose a CA Identity Portal home folder (where the tools and sample files will be installed).

Note: This folder will be created in case it does not exist.

19. Review and approve the summary of installation. Click "Install" to perform the actual installation.

On WebLogic v12.1.3 and later, set the server endorsed folder:

1. Browse to the following location:

<WEBLOGIC HOME>\oracle_common\modules\endorsed

Example:

C:\Oracle\Middleware\Oracle_Home\oracle_common\modules\endorsed

2. Rename the following jar files to make sure that they are not loaded by the server (add a .old suffix, for instance):

Note: In Windows, you may need to stop the WebLogic server to release the lock on the files.

a. Javax-xml-bind.jar

b. Javax-xml-ws.jar

3. Browse to the following location:

<IDENTITY PORTAL HOME>/jdk-endorsed-jars

4. Copy the following jar files to the following location:

<WEBLOGIC HOME>\oracle_common\modules\endorsed

a. geronimo-jaxws_2.2_spec-1.1.jar

b. jaxb-api-2.2.6.jar


5. Restart the WebLogic server.

Validate the Installation Results

1. Start the WebLogic server node now.

2. Review the application server log file for startup errors.

Note: If your database schema is new, then the following error message appears in the log:

UIDATA: invalid identifier

This is a known issue and can be ignored.

3. Check that the CA Identity Portal Administration UI is up. Browse to the following page:

http://<application server host>:port/sigma/admin

Example:

http://localhost:7003/sigma/admin

Provide the CA Identity Portal Administrator Username and Password you set during the installation.

Proceed to the Post-Installation Tasks section.

Installing Identity Portal on Tomcat

Install a JDK
Install Tomcat
Setup a JDK for Tomcat
Verify Tomcat Server Start Up
Set Up the JDBC Driver and Bitronix Transaction Manager – Tomcat
Download the Database JDBC Driver for your Database
Installing BITRONIX Transaction Manager on Tomcat
Run the CA Identity Portal Installer - Tomcat

Install a JDK

Install a supported Java Development Kit (JDK).

Note: If installing on Linux, make sure that the JDK bin folder is in the user's environment path. To verify this, type "java -version" on the command prompt and make sure that the JDK runtime is invoked.

Install Tomcat

Install a supported Tomcat application server.

Note: On a Windows OS, install Apache Tomcat using the Apache Tomcat automatic installer (apache-tomcat-7.0.50.exe), which also registers Tomcat as a Windows Service (Do not use the ZIP distribution).


Setup a JDK for Tomcat

Make sure that Tomcat is configured to run with the JDK you installed (not the JRE).

Example: When installing Tomcat on a Windows OS, during the Tomcat installation process you are required to supply the path to a Java SE JRE. At this point you should point the installer to the Java JDK home directory rather than to the JRE home directory.

Verify Tomcat Server Start Up

1. Verify that the application server starts correctly (by reviewing the logs and browsing to the root site). Browse to the following page. Example: http://localhost:8080/

2. Record the application server base directory to be supplied to the CA Identity Portal installer. Example: C:\Program Files\Apache Software Foundation\Tomcat 7.0

Set Up the JDBC Driver and Bitronix Transaction Manager – Tomcat

Download the Database JDBC Driver for your Database

You need to download a JDBC driver specific to your database vendor. Save it on the server; you will need to refer to this file during the installation.

Oracle database

CA Identity Portal requires the latest Oracle JDBC driver for Java Runtime v.6 (ojdbc6.jar). Download this driver distribution from the Oracle website.

MS SQL database

CA Identity Portal requires MS SQL JDBC Driver v4. Download this driver distribution from the Microsoft website (http://www.microsoft.com/en-us/download/details.aspx?displaylang=en&id=11774).

MySQL database

CA Identity Portal requires driver version 5.1.x and above.

Example: mysql-connector-java-5.1.25-bin

Download this driver from: http://dev.mysql.com/downloads/connector/j/

Installing BITRONIX Transaction Manager on Tomcat

Unlike JBoss or WebLogic, Tomcat does not include a JTA Transaction Manager functionality that is required by CA Identity Portal. When using Tomcat, you need to download and install Bitronix, which is an open-source JTA Transaction Manager. CA Identity Portal supports the Bitronix Transaction Manager (BTM) version 2.1.3.

1. Download the BTM distribution from: http://repo1.maven.org/maven2/org/codehaus/btm/btm-dist/2.1.3/btm-dist-2.1.3.zip


2. Unzip the BTM distribution and copy the following jars to your Tomcat lib folder (Example: C:\Tomcat 7.0\lib):

<BTM Distro Root>\lib\slf4j-api-1.6.4.jar
<BTM Distro Root>\lib\slf4j-jdk14-1.6.4.jar
<BTM Distro Root>\lib\geronimo-jta_1.1_spec-1.1.1.jar
<BTM Distro Root>\integration\btm-tomcat55-lifecycle-2.1.3.jar
<BTM Distro Root>\btm-2.1.3.jar

Run the CA Identity Portal Installer - Tomcat

Note:

If installing on Linux, make sure to run the CA Identity Portal installer using the same user that was used to install the Application Server.

If installing on Linux, make sure that the JDK bin folder is in the user's environment path. To verify, type "java -version" on the command prompt and make sure that the JDK runtime is invoked.

The CA Identity Portal installer may fail to start on Windows with Java 8 ("windows error 2 occurred" message is displayed). To start the installer, open a Windows command line and type the following command:

<installer_exe> LAX_VM <Java_exe_full_path>

Example:

SIGMA_Installer.exe LAX_VM "C:\Program Files\Java\jre6\bin\java.exe"

The CA Identity Portal installer may fail to start on Windows 2012 R2. To start the installer, right-click the CA Identity Portal exe file, select Properties > Compatibility tab. Check 'Run this program in compatibility mode' for your Windows version and click Apply.

Follow these steps:

1. Verify that the installation prerequisites described in the previous steps have been met.

2. Stop the Tomcat server before you run the CA Identity Portal installer.

3. Run the CA Identity Portal installer on the computer where Tomcat is installed.

4. Choose the installation mode: select "Install All" for a Wizard based installation.

5. Accept the license agreement.

6. Specify the path to the installed JDK home folder. Example: C:\Program Files\Java\jdk1.7.0_80

7. Select the Application Server type: Tomcat

8. Enter the Tomcat application server information:

a. For a Windows installation, enter the Windows Service name for Tomcat (default is: Tomcat7).

b. For a Linux installation, enter the Tomcat home folder.


9. Choose and enter a UserID and Password to be used as the CA Identity Portal Administrator. This username and password pair will be created in the Application Server security realm.

10. Choose a folder location for the CA Identity Portal client log files. Example: C:\CA Identity Portal\Logs

Note: This folder will be created in case it does not exist.

11. Select a database type to be used for the CA Identity Portal configuration & runtime store (MySQL, MS SQL, Oracle).

12. Specify the database connection and credential information. Specify the location of the database JDBC driver (JAR file) downloaded in the previous section.

Note: The installer does not verify connectivity and credentials to the database. Make sure that the connection details and credentials are valid.

13. Choose whether to configure the workpoint jar files folder. If 'yes' is selected, the CA Identity Portal installer extracts the relevant workpoint jar files to the local system. Choose the CA-IM version to work with and the local workpoint jar files folder. Make sure that the local folder exists before proceeding with the installation.

14. Choose to install the included CA Identity Portal General Release version or provide a patched version, in the form of a CA Identity Portal web archive.

15. Choose a CA Identity Portal home folder (where the tools and sample files will be installed).

Note: This folder will be created in case it does not exist.

16. Review and approve the summary of installation. Click "Install" to perform the actual installation.

17. Validate the installation results:

a. If the application server is not running, start the application server now.

b. Review the application server log file for start up errors.

Note: If your database schema is new, then the following error message appears in the log:

UIDATA: invalid identifier

This is a known issue and can be ignored.

c. Check that the CA Identity Portal Administration UI is up. Browse to the following page:

http://<application server host>:port/sigma/admin

Example:

http://localhost:8080/sigma/admin

Provide the CA Identity Portal Administrator Username and Password you set during the installation.

Proceed to the Post-Installation Tasks section.
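The validation step above, as an added example that is not part of the CA documentation; it serves the same validation step in the JBoss and WebLogic procedures as well. It scans the application server log for error lines while ignoring the known benign "UIDATA: invalid identifier" message, and probes the admin URL. Assumed: error lines are tagged ERROR (JBoss), <Error> (WebLogic) or SEVERE (Tomcat), curl is available, and the log path and URL are supplied by the caller; the demo scans a constructed log, not a real server log.

```shell
#!/bin/sh
# Added example (not from the CA Identity Portal documentation): post-install
# validation helper for the JBoss, WebLogic and Tomcat procedures.
# Assumed error tags per server type; function names are this example's own.

KNOWN_BENIGN='UIDATA: invalid identifier'
ERROR_PATTERN='ERROR|<Error>|SEVERE'

# real_errors LOGFILE
# Prints every error line that is not the known benign UIDATA message.
real_errors() {
    grep -E "$ERROR_PATTERN" "$1" | grep -vF "$KNOWN_BENIGN" || true
}

# count_real_errors LOGFILE -> number of error lines that still need attention
count_real_errors() {
    real_errors "$1" | grep -c . || true
}

# scan_startup_log LOGFILE -> 0 when only the benign error was found, 1 otherwise,
# 2 when the log cannot be read
scan_startup_log() {
    [ -r "$1" ] || { echo "cannot read log: $1" >&2; return 2; }
    _n=$(count_real_errors "$1")
    if [ "$_n" -gt 0 ]; then
        echo "$1: $_n error line(s) need attention:" >&2
        real_errors "$1" >&2
        return 1
    fi
    echo "$1: no startup errors other than the known benign UIDATA message"
    return 0
}

# check_admin_ui URL -> 0 when http://<host>:<port>/sigma/admin answers with
# 2xx or 3xx (3xx covers a redirect to the login page); not run by the demo
# because it needs a live server.
check_admin_ui() {
    _code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$1" || echo 000)
    case "$_code" in
        2*|3*) echo "admin UI reachable at $1 (HTTP $_code)"; return 0 ;;
        *)     echo "admin UI not reachable at $1 (HTTP $_code)" >&2; return 1 ;;
    esac
}

# write_sample_log -> path of a constructed log (not a real server log)
write_sample_log() {
    _f=$(mktemp)
    cat > "$_f" <<'EOF'
12:00:01,100 INFO  [org.jboss.as] (Controller Boot Thread) constructed: server started
12:00:02,200 ERROR [org.hibernate.tool.hbm2ddl.SchemaUpdate] (ServerService Thread Pool) constructed: UIDATA: invalid identifier
12:00:03,300 INFO  [org.jboss.as.server] (ServerService Thread Pool) constructed: deployed "sigma.war"
EOF
    echo "$_f"
}

# demo: the log with only the benign error passes; adding one real error line
# makes the scan fail.
demo() {
    _log=$(write_sample_log)
    scan_startup_log "$_log"
    echo '12:00:04,400 ERROR [org.jboss.as.connector] constructed: datasource java:/sigma failed to connect' >> "$_log"
    scan_startup_log "$_log" || echo "scan reported problems, as expected for the second log"
    rm -f "$_log"
}

demo
```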


Installing Identity Portal on WebSphere

Install WebSphere
Set Up the JDK Path
Prepare WebSphere for CA Identity Portal Installation
Set Deployment Manager Heap Size
Enable WAS Administrative Security
Download the Database JDBC Driver for your Database
Run the CA Identity Portal Installer – WebSphere
WebSphere Post Installation
Configure Application Level Security
Restart the WebSphere Application Server
Start the CA Identity Portal Enterprise Application
Validate the Installation Results

Install WebSphere

Install a supported WAS application server (the IBM JDK comes built in with WAS).

Set Up the JDK Path

Note:

Make sure that the JDK bin folder is in the user's environment path.

To verify this, type "java -version" on the command prompt and make sure that the JDK runtime is indeed invoked.

Prepare WebSphere for CA Identity Portal Installation

Note: The CA Identity Portal Installer supports only a non-clustered deployment of WAS.

Set Deployment Manager Heap Size

Follow these steps:

1. Open the Integrated Solutions Console.

2. On the left-hand side, expand the System Administration heading and click "Deployment manager".

3. Under "Server Infrastructure", expand the "Java and Process Management" heading and click "Process Definition".

4. Under "Additional properties", select "Java Virtual Machine".

5. In the "Maximum Heap Size" text box, specify 1024.

6. Click OK.

7. Click Save.

8. Restart the deployment manager for the changes to take effect.


Enable WAS Administrative Security

Make sure that the WAS Global Security is enabled and that the WAS Admin Console is username/password protected. When creating a new WAS profile, select "Enable administrative security".

You need to specify the WAS Admin Console credentials in the CA Identity Portal installer.

Download the Database JDBC Driver for your Database

You need to download a JDBC driver specific to your database vendor. Save it on the server; you will need to refer to this file during the installation.

Oracle database

CA Identity Portal requires the latest Oracle JDBC driver for Java Runtime v.6 (ojdbc6.jar). Download this driver distribution from the Oracle website and place this driver in a folder of your choice on the WAS server.

MS SQL database

CA Identity Portal requires MS SQL JDBC Driver v4. Download this driver distribution from the Microsoft website (http://www.microsoft.com/en-us/download/details.aspx?displaylang=en&id=11774). Place the driver in a folder of your choice on the WAS server.

MySQL database

MySQL is not supported with WAS.

Run the CA Identity Portal Installer – WebSphere

Note:

If installing on Linux, make sure to run the CA Identity Portal installer using the same user that was used to install the Application Server.

The CA Identity Portal installer may fail to start on Windows with Java 8 ("windows error 2 occurred" message is displayed). To start the installer, open a Windows command line and type the following command:

<installer_exe> LAX_VM <Java_exe_full_path>


Example:

SIGMA_Installer.exe LAX_VM "C:\Program Files\Java\jre6\bin\java.exe"

The CA Identity Portal installer may fail to start on Windows 2012 R2. To start the installer, right-click the CA Identity Portal exe file, select Properties > Compatibility tab. Check 'Run this program in compatibility mode' for your Windows version and click Apply.

Follow these steps:

1. Verify that the installation prerequisites described in the previous steps have been met.

2. Start the WAS App server (if not already started).

3. Make sure that you can access the server administration web console using the admin credentials you defined when you created the WAS profile.

4. Log out of the WAS Admin Console before running the CA Identity Portal installer.

5. Run the CA Identity Portal installer on the computer where the CA Identity Portal WAS server is running.

6. Choose the installation mode: select "Install All" for a Wizard based installation.

7. Accept the license agreement.

8. Specify the path to the installed JDK home folder. Example: C:\IBM\WebSphere\AppServer\java

9. Select the Application Server type: WebSphere

10. Enter the WebSphere application server information:

a. User Name - The user name for the WebSphere administrative console user.

b. Password - The password for the WebSphere administrative user.

c. HTTP Port - The HTTP port for the WAS Web Container default host (default is 9080).

d. WebSphere Server Home Folder - Path to the WebSphere home folder (Example: C:\IBM\WebSphere\AppServer).

11. Select the Deployment Targets: review the information displayed by the installer. A list of WebSphere server targets should be displayed. Each line represents a deployment target. Example:

The following targets are available:
server1,WIN-351QF93LN34Node01,WIN-351QF93LN34Node01Cel


12. Select the WebSphere Virtual Host Target: review the information displayed by the installer. A list of WebSphere virtual hosts should be displayed. Each line represents a virtual host target. Example:

The following targets are available:
admin_host
default_host

13. Choose a folder location for the CA Identity Portal client log files. Example: C:\CA Identity Portal\Logs

Note: This folder will be created in case it does not exist.

14. Select a database type to be used for the CA Identity Portal configuration & runtime store (MS SQL, Oracle).

Note: MySQL is not supported with WAS.

15. Specify the database connection and credential information. Specify the location of the database JDBC driver (JAR file) downloaded in the previous section.

Note: The installer does not verify connectivity and credentials to the database. Make sure that the connection details and credentials are valid.

16. Specify the path to the database JDBC driver jar file you downloaded in the prerequisites steps.

17. Choose whether to configure the workpoint jar files folder. If 'yes' is selected, the CA Identity Portal installer extracts the relevant workpoint jar files to the local system. Choose the CA-IM version to work with and the local workpoint jar files folder. Make sure that the local folder exists before proceeding with the installation.

18. Choose to install the included CA Identity Portal General Release version or provide a patched version, in the form of a CA Identity Portal web archive.

19. Choose a CA Identity Portal home folder (where the tools and sample files will be installed).

Note: This folder will be created in case it does not exist.

20. Review and approve the summary of installation. Click "Install" to perform the actual installation.

Proceed to the "WebSphere Post Installation" section.

WebSphere Post Installation

Configure Application Level Security

To protect the CA Identity Portal Admin UI with a username and password, follow the steps below. Skipping this section will leave the CA Identity Portal Admin UI unprotected.

1. Under the WAS console, select Security, Security domains, and click New.

2. Type the name sigmaSecurity, and click OK.

3. Click the new security realm to configure it.


4. Depending on the location of the Sigma application, define the scope as Cell, Clusters or Nodes.

5. Under Security Attributes, expand Application Security, select the Customize for this domain radio button, and select the Enable application security check box.

6. Expand User Realm, select Customize for this domain, select "local operating system" and click Configure.

7. Enter a realm name: sigma realm.

8. In the Custom properties table add com.ibm.WebSphere.registry.UserRegistry (Name) and local (Value).

9. Click Apply.

10. Click OK.

11. Click Save.

12. Select Applications, Application Types, WebSphere enterprise applications, and click Sigma.

13. Click Security role to user/group mapping.

14. Select SigmaAdministrators and click Map Users.

15. Click the Search button to display the available user IDs for this realm.

Note: You may need to increase the "Display a maximum of" value to display more than 20 search results.

16. Add the user(s) to the right pane (named "Selected:"), then click OK.

17. Verify that the "Mapped users" section is populated with the user you chose.

18. Click OK. Wait for the application to restart; this may take a few minutes.

19. Try to access the Sigma admin console from a new browser window that is not logged into the WAS console. Example:

http://WAS_SRV_ADDRESS:PORT/sigma/admin

20. Enter the username and password of a user who is a member of the SigmaAdministrators role and make sure that you can log in to the Sigma application admin console.

Restart the WebSphere Application Server

Restart the WebSphere server instance for the latest changes to take effect.

Start the CA Identity Portal Enterprise Application

After you restart the server, using the WAS Admin Console, navigate to "Applications", "WebSphere Enterprise Applications". Start the "sigma" application, in case it is not already started.


Validate the Installation Results

1. Review the application server log file for start up errors.

Note: If your database schema is new, the following error message appears in the log:

UIDATA: invalid identifier

This is a known issue and can be ignored.

2. Check that the CA Identity Portal Administration UI is up. Browse to: http://<application server host>:port/sigma/admin. For example: http://localhost:9080/sigma/admin
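As an added example (not part of the CA Identity Portal documentation or product), the following Python script applies the rule above to a log file: it reports startup error lines while setting aside the known-benign "UIDATA: invalid identifier" message, so that a fresh-schema install is not mistaken for a failed one. The sample log lines are constructed, and the severity markers it keys on are an assumption about the application server's log format.

```python
"""Report application server startup errors, setting aside the
'UIDATA: invalid identifier' message that a new schema is known to log.
Added example; not part of CA Identity Portal."""
import re
import sys

# Message the documentation identifies as a known, ignorable issue.
KNOWN_BENIGN = (
    re.compile(r"UIDATA: invalid identifier"),
)

# Assumed severity markers; adjust to your application server's log format.
ERROR_MARKER = re.compile(r"\b(ERROR|SEVERE|FATAL)\b|Exception\b")


def classify_log(lines, benign=KNOWN_BENIGN):
    """Split error lines into (needs_attention, ignored_known_issues).

    A line counts as an error when it carries a severity marker; it is
    moved to the ignored list when a known-benign pattern matches it.
    """
    needs_attention, ignored = [], []
    for raw in lines:
        line = raw.rstrip("\n")
        if not ERROR_MARKER.search(line):
            continue
        if any(p.search(line) for p in benign):
            ignored.append(line)
        else:
            needs_attention.append(line)
    return needs_attention, ignored


def scan_log_file(path):
    """Convenience wrapper: classify a log file on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return classify_log(fh)


# Constructed sample log excerpt (not real product output).
SAMPLE_LOG = [
    "[10/18/19 13:00:01] INFO  Application sigma starting",
    "[10/18/19 13:00:02] ERROR UIDATA: invalid identifier",
    "[10/18/19 13:00:03] INFO  Cache initialised",
    "[10/18/19 13:00:04] SEVERE Could not open JDBC connection to the configuration store",
    "[10/18/19 13:00:05] INFO  Application sigma started",
]


if __name__ == "__main__":
    result = scan_log_file(sys.argv[1]) if len(sys.argv) > 1 else classify_log(SAMPLE_LOG)
    errors, known = result
    for line in known:
        print("known issue (ignored):", line)
    for line in errors:
        print("NEEDS ATTENTION:", line)
    sys.exit(1 if errors else 0)
```

Run it with the path to the server log as its only argument; without an argument it classifies the constructed sample and exits non-zero because one real error remains.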

Proceed to the Post-Installation Tasks section.

Installing Identity Portal in a Cluster

This article contains the following sections:

Deploy a CA Identity Portal Cluster
Deploy a CA Identity Portal Cluster to WebLogic
Copy the CA Identity Portal Keystore File from the 1st Node to All the Other Server Nodes
Load Balancing a CA Identity Portal Cluster

You can deploy CA Identity Portal in a cluster. A CA Identity Portal cluster is a collection of two or more application server nodes running the CA Identity Portal application and sharing a common CA Identity Portal store (database).

Deploy a CA Identity Portal Cluster

To deploy CA Identity Portal in a cluster on JBoss, Tomcat or WebSphere, follow the installation steps outlined in Installing CA Identity Suite. Repeat the procedure outlined for your application server on each standalone server in the cluster.

Deploy a CA Identity Portal Cluster to WebLogic

CA Identity Portal uses the native WebLogic Cluster. On WebLogic, the CA Identity Portal installer deploys CA Identity Portal to the WebLogic Admin server. The Admin server in turn deploys CA Identity Portal to the various WebLogic cluster managed servers.

Copy the CA Identity Portal Keystore File from the 1st Node to All the Other Server Nodes

Note: This procedure needs to be followed for all application server types (Tomcat, JBoss, WebLogic, WebSphere).

This procedure should be performed immediately after the installation of CA Identity Portal is completed and before any configuration is done in the CA Identity Portal Admin Interface.

CA Identity Portal uses a symmetric encryption key to encrypt sensitive values in the configuration store. The encryption key is generated by the CA Identity Portal installer. All nodes in the CA Identity Portal cluster must use the same key.


1. Locate the sigma keystore file "sigma.keystore" on the first node on which you installed sigma. This is usually located under: "<CA Identity Portal_HOME>\CA Identity Portal\sigma-keystore-tool\sigma.keystore".

2. Copy that file to all the other nodes, overwriting the files on those nodes (in that same location).

3. Restart the nodes.
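Because a node whose sigma.keystore differs from the others cannot decrypt the values the other nodes wrote to the shared store, it is worth confirming the copy before any Admin UI configuration is done. The following Python script is an added example, not a CA tool: it hashes the keystore on each node (the node paths are assumptions, for instance paths on a mounted share) and reports whether they all match. The demo uses constructed files in a temporary directory to show the state before and after step 2 of the procedure.

```python
"""Confirm that every cluster node holds the same sigma.keystore.
Added example; not part of CA Identity Portal. Node paths are assumptions."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large keystores do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_keystores(node_paths):
    """node_paths: mapping node name -> path of that node's sigma.keystore.

    Returns (consistent, digests). consistent is True only when every file
    exists and all digests are identical; a missing file yields None.
    """
    digests = {node: (sha256_of(p) if os.path.isfile(p) else None)
               for node, p in node_paths.items()}
    distinct = set(digests.values())
    consistent = bool(digests) and None not in distinct and len(distinct) == 1
    return consistent, digests


def demo():
    """Constructed scenario: node1 and node2 already share a key, node3 still
    has the key its own installer generated. Returns (before, after)."""
    with tempfile.TemporaryDirectory() as tmp:
        paths = {}
        for node, key in (("node1", b"key-A"), ("node2", b"key-A"), ("node3", b"key-B")):
            p = Path(tmp) / node / "sigma-keystore-tool" / "sigma.keystore"
            p.parent.mkdir(parents=True)
            p.write_bytes(key)  # constructed content, not a real keystore
            paths[node] = str(p)
        before, _ = check_keystores(paths)
        # Step 2 of the procedure: copy the first node's file over the others.
        first = Path(paths["node1"]).read_bytes()
        for node in ("node2", "node3"):
            Path(paths[node]).write_bytes(first)
        after, _ = check_keystores(paths)
        return before, after


if __name__ == "__main__":
    print("consistent before copy, after copy:", demo())
```

In a real deployment, call check_keystores with the actual per-node paths after the copy and before restarting the nodes; a False result with a None digest points at a node where the file landed in the wrong location.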

Load Balancing a CA Identity Portal Cluster

NLB VIP Characteristics for a CA Identity Portal cluster are as follows:

Relay: CA Identity Portal Application server HTTP/S port (for example TCP/8080).

Load Balancing Scheme: IP-stickiness (based either on the source IP or on the JSESSIONID cookie).

Health Monitor:

Basic HTTP monitor sampling on the CA Identity Portal application server HTTP port (for example 8080 on JBoss).

Sampled URL should be: /sigma/rest/available

A valid response should include the following string:

available: true
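The health monitor described above, as an added Python example that is not part of the CA Identity Portal product: it fetches /sigma/rest/available from a node and treats the node as healthy only when the response is 2xx and carries the documented "available: true" string. The endpoint path and marker come from the documentation; the node URL is a placeholder. The decision logic is separated from the HTTP call so that it can be exercised on captured response bodies.

```python
"""Health-monitor decision for a CA Identity Portal node behind a load balancer.
Added example; not part of CA Identity Portal. The path and marker string are
from the documentation; the node URL is a placeholder."""
import re
import urllib.error
import urllib.request

AVAILABLE_PATH = "/sigma/rest/available"
# Accept the documented marker in plain or JSON-quoted form.
AVAILABLE_MARKER = re.compile(r'available"?\s*:\s*true', re.IGNORECASE)


def is_available(status, body):
    """True only for a 2xx response whose body carries 'available: true'.

    A 200 with any other body (an error page, 'available: false') is unhealthy,
    which is the failure a plain TCP or status-code-only monitor would miss.
    """
    if status is None or not 200 <= status < 300:
        return False
    return AVAILABLE_MARKER.search(body) is not None


def probe(node_base_url, timeout=5.0):
    """Query one node. Returns (healthy, http_status, body)."""
    url = node_base_url.rstrip("/") + AVAILABLE_PATH
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", errors="replace")
            return is_available(resp.status, body), resp.status, body
    except urllib.error.HTTPError as exc:
        return False, exc.code, ""
    except (urllib.error.URLError, OSError):
        return False, None, ""


if __name__ == "__main__":
    # Placeholder host; replace with a real node address.
    healthy, status, _ = probe("http://portal-node1.example:8080")
    print("healthy" if healthy else f"unhealthy (status {status})")
```

A load balancer that only checks the TCP port would keep a node in rotation while its application is still starting or has failed to connect to the store; keying on the marker string avoids that.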

Cluster Requirements

When CA Identity Portal is deployed in a cluster, CA Identity Portal nodes use Java Groups technology to communicate and replicate configuration and state. CA Identity Portal does this to enhance performance and simplify the process of committing/announcing a configuration change to all the nodes in the CA Identity Portal cluster.

This is not a mandatory requirement (although it is a recommended best practice). In case the requirement is not addressed in a given CA Identity Portal cluster deployment, see the note at the end of this section for guidelines regarding running CA Identity Portal in such an environment.

By default the CA Identity Portal Java Groups discovery relies on UDP Multicast. UDP Multicast works only if the CA Identity Portal cluster nodes reside on the same network switch. In case the CA Identity Portal nodes reside on different network switches, enable layer 2 Multicast spoofing on the network switches.

Alternatively, in case layer 2 Multicast spoofing cannot be enabled and the CA Identity Portal nodes must reside on separate networks, CA Identity Portal can be configured to use TCP Unicast to overcome the broadcast limitations of network segmentation. See Appendix D for instructions about how to configure a TCP Unicast cluster.

This article contains the following sections:

Selecting a Multicast Address

By default, the CA Identity Portal installer uses the following multicast address: 228.6.7.9

Verify that this address is not currently being used. For how to verify this, see Testing jgroups Multicast.


However, in case you are installing several CA Identity Portal environments on the same physical network (for example a Development and a QA environment), use a different multicast address for each installation/CA Identity Portal cluster. Otherwise, you run the risk of CA Identity Portal nodes from the QA environment joining the CA Identity Portal Development cluster and vice versa.

Example:

The Development CA Identity Portal environment nodes use the multicast address: 228.6.7.9
The QA CA Identity Portal environment nodes use the multicast address: 228.6.7.10
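The separation rule above, as an added Python example that is not part of the CA Identity Portal product: given the multicast address and port planned for each environment on the same physical network, it rejects addresses outside the IPv4 multicast range or inside the reserved 224.0.0.0/24 control block, and flags any two environments that share an address/port pair, since those nodes could join each other's cluster. The environment names and addresses are constructed from the documentation's Development/QA example; the port is the one used by the jgroups test commands in the next section.

```python
"""Validate the multicast address plan for several CA Identity Portal
environments that share a physical network. Added example; not part of
CA Identity Portal. Environment names and addresses are constructed."""
import ipaddress

# Port used in the jgroups McastReceiverTest/McastSenderTest commands.
JGROUPS_TEST_PORT = 46656
# 224.0.0.0/24 is the local network control block used by routing protocols.
LOCAL_CONTROL_BLOCK = ipaddress.IPv4Network("224.0.0.0/24")


def validate_multicast_plan(plan):
    """plan: mapping environment name -> (multicast address, port).

    Returns a list of problem strings; an empty list means the plan is
    acceptable: every address is a valid IPv4 multicast address outside the
    control block, and no two environments share an address/port pair.
    """
    problems = []
    owners = {}
    for env, (addr, port) in plan.items():
        try:
            ip = ipaddress.IPv4Address(addr)
        except ValueError:
            problems.append(f"{env}: {addr!r} is not an IPv4 address")
            continue
        if not ip.is_multicast:
            problems.append(f"{env}: {addr} is outside the multicast range 224.0.0.0/4")
            continue
        if ip in LOCAL_CONTROL_BLOCK:
            problems.append(f"{env}: {addr} is in the reserved control block 224.0.0.0/24")
        key = (str(ip), port)
        if key in owners:
            problems.append(
                f"{env} and {owners[key]} both use {addr}:{port}; "
                "nodes of one environment could join the other's cluster")
        else:
            owners[key] = env
    return problems


# Constructed plan following the documentation's Development/QA example.
CONSTRUCTED_PLAN = {
    "Development": ("228.6.7.9", JGROUPS_TEST_PORT),
    "QA": ("228.6.7.10", JGROUPS_TEST_PORT),
}

if __name__ == "__main__":
    for line in validate_multicast_plan(CONSTRUCTED_PLAN) or ["plan is consistent"]:
        print(line)
```

This checks the plan on paper only; whether an address is actually in use on the network is what the jgroups receiver/sender test below establishes.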

Testing jgroups Multicast

Perform the following procedure to verify that the multicast address is not being used.

Follow these steps:

1. Download the "jgroups-3.3.1.Final.jar" JAR file from the JGroups web site: http://sourceforge.net/projects/javagroups/files/JGroups/3.3.1.Final/

2. Copy the "jgroups-3.3.1.Final.jar" file to a folder of your choice on each of the CA Identity Portal application servers.

3. Open a command prompt in that folder.

4. Run the jgroups Receiver Test on the 1st node (a Java Runtime needs to be installed):

java -cp jgroups-3.3.1.Final.jar org.jgroups.tests.McastReceiverTest -mcast_addr 228.6.7.9 -port 46656

5. Run the jgroups Sender Test on the 2nd node:

java -cp jgroups-3.3.1.Final.jar org.jgroups.tests.McastSenderTest -mcast_addr 228.6.7.9 -port 46656

6. Type a custom message in the sender console and press Enter. The message must be displayed in the receiver console on the other node.

7. Switch the receiver and sender sides and try again to validate that both directions work.

What to do if jgroups discovery is not possible?

In some unique cases of network deployments, the CA Identity Portal cluster requirements cannot be met. In these cases, the following should be taken into consideration when working with the product:

1. After performing configuration changes through the CA Identity Portal Admin UI, browse to the CA Identity Portal Admin UI on each node in the cluster and flush (Clear) the cache (in the Admin UI, navigate to Tools, Cache). Then refresh the Admin UI browser page to verify that the configuration changes are reflected on each node.

2. Cache based optimization in CA Identity Portal is available on a per node basis. For example, if a certain user search has been performed on a specific node in the cluster, the result set is cached only on that node (and not replicated to the other cluster nodes).

Note: In some cases, IPv6 addresses might interfere with Java Groups operations. If you experience issues with the CA Identity Portal cluster, add the following parameter to the server startup for each CA Identity Portal node:

-Djava.net.preferIPv4Stack=true


Post-Installation Tasks

This article details the tasks that you must perform after installing CA Identity Portal:

CA Identity Manager Environment Validation
Import Identity Portal Roles and Tasks into CA Identity Manager Environment
Enable TEWS in the IM Environment
Setting up the Workflow Interface

CA Identity Manager Environment Validation

1. Using the Identity Manager Management Console, export the IM Environment Role and Task Settings.

2. Save this export as a backup of the environment before proceeding to the next step.

Import Identity Portal Roles and Tasks into CA Identity Manager Environment

1. Locate the CA Identity Portal-CORE-RoleDefinitions.xml file in the CA Identity Portal Home Folder: <CA Identity Portal_HOME>\CA Identity Portal\config\CA Identity Portal-CORE-RoleDefinitions.xml. For example: C:\CA Identity Portal\config\CA Identity Portal-CORE-RoleDefinitions.xml

2. Connect to the IM Management Console.

3. Select the IME you want to integrate with CA Identity Portal.

4. Click Roles and Task Settings.

5. Click Import, Browse and select the CA Identity Portal-CORE-RoleDefinitions.xml file.

6. Restart the IM environment (IME).

Note: In case the IDM environment you plan to integrate CA Identity Portal with does not have Provisioning configured (a provisioning directory is not configured for the environment), you will need to modify some of the CA Identity Portal service tasks that you imported with the CA Identity Portal Role Definitions XML. Follow the instructions in Appendix C – CA Identity Portal & IDM without Provisioning.

Enable TEWS in the IM Environment

Configure TEWS for CA Identity Portal without CA SSO integration.

Follow these steps:

1. Using the CA Identity Manager Management Console, locate the environment (IME) you want CA Identity Portal to integrate with. Under "Environment Advanced Settings - Web Services", enable Execution for "Web Services" as shown below:


2. Restart the environment.

Note: For configuration of TEWS for CA Identity Portal and CA SSO integration, see the CA Single-Sign-On Integration section.

For CA Identity Manager 12.6.6 and above, complete the following steps:

1. Modify the Onboard Accounts admin task.

2. Deselect the Enable Web Services option on the profile tab to prevent it from being exposed to TEWS.

Setting up the Workflow Interface

See the Administrating CA Identity Suite section for instructions on how to configure CA Identity Portal to interface with Workpoint on your IM server.


Installing CA Identity Suite Virtual Appliance

The CA Identity Suite Virtual Appliance (vApp) lets you install and deploy Identity Management and Governance products and their associated services quickly with minimal effort. The vApp image is provided in an Open Virtualization Architecture format (OVA) that is compatible with modern Virtualization platforms (see the Platform Support Matrix).

The vApp features a flexible and modular design that provides multiple environment types (Demo, Development, Staging and Production) and support for High Availability (HA). The vApp is based on a Linux O/S, using Wildfly as the application server and Oracle (Express Edition) as an embedded database (applicable for non-production environments only).

The vApp includes the following additional features:

Web-based interface allowing configuration, administration, and monitoring.

Proxy server providing load-balancing and high-availability for the web applications.

Easy installation of Windows-based tools such as Workpoint designer, Connector Xpress, and so on.

Easy access to logs of all components.

This version of the vApp includes the following CA Identity Suite components:

CA Identity Manager 12.6 SP8

CA Identity Governance 12.6 SP5

CA Identity Portal 1.6.2 CR-1

CA Directory 12.6 SP8

Oracle database 11g Express Edition

This article contains the following sections:

System Requirements for CA Identity Suite Virtual Appliance
Set Up CA Identity Suite Virtual Appliance
Deploy CA Identity Suite Virtual Appliance


System Requirements for CA Identity Suite Virtual Appliance

The Virtual Appliance deployment model enables the various components of the CA Identity Suite to be deployed all in a single virtual appliance or distributed across multiple appliances. Sizing of the virtual appliances varies from customer to customer based on load and demand. The following parameters are provided as a guide. Ultimately, a CA Services Architect will make the determination as to the best production grade deployment based on quality assurance and load testing during the deployment project.

Following are the minimum requirements:

10 GB RAM

4 virtual CPUs

50 GB disk space

Following are the recommended requirements:

16 GB RAM

4 virtual CPUs

200 GB disk space

Note: The recommended requirements assume a distribution of components on several virtual appliance machines.

The number of instances of the virtual appliance will depend on the projected usage by each customer. The flexibility of the virtual appliance enables deployment of the separate services to different appliance instances for optimal performance.

Note: To provision to Windows based endpoints (such as Active Directory), a server running the Windows operating system is required for the installation of the CA Connector server (see the Virtual Appliance on-line help for more information).

Note: The initial release of the CA Identity Suite Virtual Appliance is intended for new installations. CA understands that existing customers may want to migrate to the virtual appliance version of the CA solution. The next product release will include general guidance & procedures to support such migrations. Contact CA Support for further guidance on the status of the procedures and preparation steps for migrations.

Set Up CA Identity Suite Virtual Appliance

Import the vApp file into your Virtualization platform and complete the required configuration that is detailed in this procedure to deploy the products and services that you want.

You have to log in to the CA Support website to download the vApp file.

Follow these steps:

1. Download the vApp .ova file from the CA Support website. Example: DVD12080659E.ova


2. Import the .ova file into your corresponding Virtualization platform.

3. Power on the virtual machine. The CA IMAG Virtual Appliance initialization page is displayed in the virtualization platform console.

4. Log in with the following default credentials:

User: config
Password: config

5. Follow the initialization wizard to initialize the virtual appliance.

6. After the initialization process, the Virtual Appliance web management console URL is displayed.

7. Using a supported web browser (see the Platform Support Matrix for supported browsers), browse to the web management console to proceed with the Virtual Appliance configuration.

Deploy CA Identity Suite Virtual Appliance

Use the web management console to complete the remaining configuration and deploy the products and services you want.

Important! See the CA Identity Suite Virtual Appliance Platform Support Matrix for supported browsers.

Follow these steps:

1. Open a browser.

2. Specify the IP address in the address bar. The virtual appliance has a self-signed certificate, so you are prompted with an alert.

3. Ignore the alert and proceed to view the CA Identity Suite vApp login page.

4. Provide the config user credentials to log in to the web management console and click Login. The home page shows the available configuration types.

5. Click a configuration type that you want to deploy.

a. For Demonstration and Proof of Concept purposes, consider using either the Demo or Sandbox options.

Note: The Demo and Sandbox types allow you to use an embedded database. When using an external database (for Sandbox, Non-Production and Production), Oracle and MS SQL databases are supported. The Production and Non-Production types also require you to set up High Availability.

6. Once a configuration type is chosen, for example Demo, the solution deployment page is displayed.


7. Drag-and-drop the services that you want into the virtual machine section. As you place components in the virtual appliance instance, the memory bar shows projected memory usage.

8. Click Deploy. The selected services are deployed.

Default Credentials to Access User Interface of Deployed Services

Use the following credentials to access the Management Console and User Console of the deployed services:

User Interface                               Username     Password
Connector Server Management Console          admin        CAIMAG1
CA Identity Governance Management Console    AD1\EAdmin   CAIMAG1
CA Identity Manager Management Console       admin        CAIMAG1
CA Identity Portal Management Console        sigma        CAIMAG1!
CA Identity Manager User Console             imadmin      test
CA Identity Portal User Console              imadmin      test

Virtual Machine Platform Networking Configuration

Review the following points about networking configuration for the CA Identity Suite Virtual Appliance:

Once a server running CA Identity Suite Virtual Appliance is assigned with an IP address, that IP address is hard-coded in the operating system configuration and should not be changed.

By default, the network adapter in the CA IMAG Virtual Appliance is set to “NAT” mode.

We recommend that “portable” setups of the Virtual Appliance (for example, running on a portable computer or a computer without a stable network connection) keep using the NAT mode or switch to the host-only mode. These network modes are managed by a “Virtual” network adapter on the host computer that retains the same network segment and works even if no physical network connection is available.

To configure NAT or Host-only network mode in VMware Workstation, right-click the Virtual Machine, select Edit Settings, and modify the Network Adapter setting to NAT.

When using the vApp image on an enterprise-grade Virtualization platform with a stable physical network connection that retains the same network segment, configure the platform to have the vApp image connect to the “Bridged” network.


Upgrading

This section contains the following topics:

Upgrading CA Identity Portal

Upgrading CA Identity Portal

This article describes how to upgrade CA Identity Portal to version 1.6.2. The only upgrade path is from CA Identity Portal version 1.6.1 to 1.6.2.

To perform the upgrade you will need the following files. All the files are included in the upgrade package.

1. Database Scripts – Scripts are located in the Database Scripts folder, according to the database type being used.

2. Sigma files – This folder contains the sigma.war file to be deployed on the application server and the sigma-workpoint.jar file to be extracted to the IM Connector workpoint Jars folder.

3. Roles and Tasks – This folder contains an XML file with service tasks that need to be imported to the IM environment.

This article contains the following sections:

Before You Upgrade

Make sure that you perform the following procedure before you perform the upgrade procedure for any of the supported databases.

Follow these steps:

1. Upgrade to CA Identity Portal 1.6.1 if not already on this version.

2. Stop the Portal application server.

3. Back up and delete the application server log files.

4. Start the application server.

5. Make sure the Portal/Sigma application starts.

6. In case errors appear in the log or the application server did not start, make a note of the errors and, if possible, resolve them.

7. Make sure that the application has started and is functioning as expected before proceeding with the upgrade procedure.


Upgrade Steps for MySQL Database

Perform the following procedure to upgrade CA Identity Portal for a MySQL database.

Follow these steps:

1. Perform a full DB backup.

2. Log in to the CA Identity Manager Management Console.

3. Perform a backup of the IME Environment configuration.

4. Ensure that the application server is up and running.

5. Import the service tasks role definition XML named "SIGMA-CORE-RoleDefinitions_upg162.xml", located in the upgrade package under the "Roles and Tasks" folder.

6. Locate the before.sql file in the Database Scripts\mysql scripts folder supplied with the upgrade package; open the script and replace PORTAL_SCHEMA with the existing schema name.

7. Using a MySQL command line client or another database client tool, execute the entire script (as root) and validate that the script was executed with no errors.

8. Update the Java start up parameters; for instructions on how to perform this, refer to Update the JVM arguments.

9. Deploy the sigma.war file located in the upgrade package under the Sigma files folder to your application server. For instructions on how to perform this deployment, refer to Deploy the Identity Portal web archive file. In case of a cluster, perform the procedure on all nodes in the cluster.

10. Locate the after.sql script in the Database Scripts\mysql scripts folder supplied with the upgrade package; open the script and replace PORTAL_SCHEMA with the existing schema name.

11. Using a MySQL command line client or another database client tool, execute the entire script (as root) and validate that the script was executed with no errors.

12. Restart the application server(s).

13. Browse to the CA Identity Portal page. Make sure to clear your browser cache to ensure you are viewing the latest version.

14. In case Endpoints are configured, some additional configuration is required for Endpoints to work; refer to the Endpoint screen under the CA Identity Portal Admin console and set the new configuration.

15. Perform use case specific tests to make sure the application behaves as expected.
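Steps 6 and 10 above (and the equivalent steps of the Microsoft SQL Server procedure further down) ask you to hand-edit before.sql and after.sql, replacing PORTAL_SCHEMA with the existing schema name. The following Python script is an added example, not part of the upgrade package: it performs that substitution into a copy of the script, accepts only a plain identifier as the schema name so that a pasted value cannot change the SQL that gets executed, and refuses a file in which the placeholder never occurs (wrong file, or already rendered). The sample script text is constructed.

```python
"""Render before.sql/after.sql from the upgrade package by replacing the
PORTAL_SCHEMA placeholder with the real schema name. Added example; not part
of the upgrade package. The sample script text is constructed."""
import re
import sys

PLACEHOLDER = "PORTAL_SCHEMA"
PLACEHOLDER_RE = re.compile(rf"\b{PLACEHOLDER}\b")
# The scripts use the schema name unquoted, so accept only a plain identifier;
# this also blocks a pasted value that would alter the SQL being executed.
IDENTIFIER_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_$]{0,127}$")


def render_upgrade_script(script_text, schema_name):
    """Return script_text with every PORTAL_SCHEMA replaced by schema_name.

    Raises ValueError when the schema name is not a plain identifier or when
    the placeholder does not occur at all (wrong file or already rendered).
    """
    if not IDENTIFIER_RE.match(schema_name):
        raise ValueError(f"schema name {schema_name!r} is not a plain SQL identifier")
    if not PLACEHOLDER_RE.search(script_text):
        raise ValueError(f"{PLACEHOLDER} not found; is this the unmodified upgrade script?")
    return PLACEHOLDER_RE.sub(schema_name, script_text)


def count_placeholders(text):
    """Unresolved PORTAL_SCHEMA tokens remaining (should be 0 after rendering)."""
    return len(PLACEHOLDER_RE.findall(text))


def render_file(src_path, dst_path, schema_name):
    """Read src_path, render it, write dst_path; the packaged original stays untouched."""
    with open(src_path, encoding="utf-8") as fh:
        rendered = render_upgrade_script(fh.read(), schema_name)
    with open(dst_path, "w", encoding="utf-8") as fh:
        fh.write(rendered)
    return count_placeholders(rendered)


# Constructed sample, not the real before.sql.
CONSTRUCTED_SCRIPT = """\
USE PORTAL_SCHEMA;
ALTER TABLE PORTAL_SCHEMA.SIGMA_CONFIG ADD COLUMN UPG_FLAG INT DEFAULT 0;
"""

if __name__ == "__main__":
    if len(sys.argv) == 4:
        left = render_file(sys.argv[1], sys.argv[2], sys.argv[3])
        print(f"rendered {sys.argv[2]}, unresolved placeholders: {left}")
    else:
        print(render_upgrade_script(CONSTRUCTED_SCRIPT, "sigma"))
```

Usage: python render_script.py before.sql before-rendered.sql <schema name>; execute the rendered copy with your database client, keeping the packaged original for the next environment.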

Upgrade Steps for Oracle Database

Perform the following procedure to upgrade CA Identity Portal for an Oracle database.


Follow these steps:

1. Perform a full DB backup.

2. Log in to the CA Identity Manager Management Console.

3. Perform a backup of the IME Environment configuration.

4. Ensure that the application server is up and running.

5. Import the service tasks role definition XML named "SIGMA-CORE-RoleDefinitions_upg162.xml", located in the upgrade package under the "Roles and Tasks" folder.

6. Connect to the Oracle database.

7. Locate the before.sql file in the Database Scripts\Oracle Scripts folder supplied with the upgrade package. Using the Application user credentials, execute the before.sql file on your schema.

8. Update the Java start up parameters; for instructions on how to perform this, refer to Update the JVM arguments.

9. Deploy the sigma.war file located in the upgrade package under the Sigma files folder to your application server. For instructions about how to perform this deployment, refer to Deploy the Identity Portal web archive file. In case of a cluster, perform the procedure on all nodes in the cluster.

10. Locate the after.sql script in the Database Scripts\Oracle scripts folder.

11. Using the Application user credentials, execute the after.sql file on your schema. Validate that the script executed with no errors.

12. Restart the application servers.

13. Browse to the CA Identity Portal page. Make sure to clear your browser cache to ensure you are viewing the latest version.

14. In case Endpoints are configured, some additional configuration is required for Endpoints to work; refer to the Endpoint screen under the CA Identity Portal Admin console and set the new configuration.

15. Perform use case specific tests to make sure the application behaves as expected.

Upgrade Steps for Microsoft SQL Server

Perform the following procedure to upgrade CA Identity Portal for Microsoft SQL Server.

Follow these steps:

1. Perform full DB backup.

2. Log in to CA Identity Manager Management Console.

3. Perform a backup of the IME Environment configuration.

4. Ensure that the application server is up and running.

5. Import the service tasks role definition XML located in the upgrade package under the "Roles and Tasks" folder, named "SIGMA-CORE-RoleDefinitions_upg162.xml".

6. Connect to the MS-SQL database.

7. Locate the before.sql script, supplied with the upgrade package, in the Database Scripts\ms-sql scripts folder.

8. Open the script and replace PORTAL_SCHEMA with the existing schema name.

9. Execute the before.sql script on your schema. Validate that the script completed with no errors.

10. Update the Java start up parameters. For instructions on how to perform this, refer to Update the JVM arguments.

11. Make sure that "-Dsigma.persistance.xml.location=classpath:sigma-persistence.xml" is set.

12. Deploy the sigma.war file located in the upgrade package under the Sigma files folder to your application server. For instructions about how to perform this deployment, refer to Deploy the Identity Portal web archive file. In case of a cluster, perform the procedure on all nodes in the cluster.

13. Locate the after.sql script, supplied with the upgrade package, in the Database Scripts\ms-sql scripts folder.

14. Open the script and replace PORTAL_SCHEMA with the existing schema name.

15. Execute the after.sql file on your schema. Validate that the script completed with no errors.

16. Restart the servers.

17. Browse to the CA Identity Portal page. Make sure to clear your browser cache to ensure you are viewing the latest version.

18. In case Endpoints are configured, some additional configuration is required for the Endpoints to work. Refer to the Endpoint screen in the CA Identity Portal Admin console and set the new configuration.

19. Perform use case specific tests to make sure the application behaves as expected.

Deploy the Identity Portal web archive file

Deploy the sigma.war file on all the supported application servers.

Tomcat Server
JBoss Server
WebLogic Server

Tomcat Server

1. Stop the Tomcat server.

2. Navigate to the TOMCAT_HOME\webapps folder.

3. Backup the existing war file.

4. Delete the existing war file and the folder called sigma.

5. Copy the war file supplied with the upgrade package to the TOMCAT_HOME\webapps folder.

6. Perform this operation for all the Tomcat servers.

JBoss Server

1. Log in to the JBoss Admin console.

2. Go to: Runtime, Server, Manage Deployments.

3. Remove the current CA Identity Portal war deployment.

4. To deploy the sigma.war file, click Add.

5. Select the new sigma.war file.

6. Click Enable.

7. Review the server log files.

WebLogic Server

1. Log in to the WebLogic management console.

2. Go to Environment, Servers.

3. Select the Control tab.

4. Shutdown all the Server nodes running CA Identity Portal.

5. Go to Deployments.

6. Delete the existing CA Identity Portal deployment.

7. Click Install and select the new sigma.war file.

8. Select "Install this deployment as an application" and leave all other options as default.

9. If on cluster deployment, select to deploy on all cluster nodes.

10. Click Finish.

11. Start the CA Identity Portal server nodes.


Update the JVM arguments

To deploy CA Identity Portal, modify the JVM arguments set on your application server:

Tomcat

To update the JVM arguments set on Tomcat on Windows platform, right click on the Apache Tomcat service > Configure. Click on the Java tab, and edit the arguments set in the Java Options text area.

To update the JVM arguments set on Tomcat on Linux platform, edit the <TOMCAT_HOME>/bin/setenv.sh file: set the CATALINA_OPTS value with the relevant JVM arguments. Note: JVM arguments are set with -D, i.e. to set the argument sigma.app.server with the value bitronix, type: -Dsigma.app.server=bitronix

Restart the server to make sure the changes take effect.

JBoss

To update the JVM arguments set on JBoss, browse to the JBoss Administration Console (e.g. localhost:8080) > Click on Administration Console.

Click on the Configuration tab > System Properties and edit the relevant JVM arguments.

Restart the server to make sure the changes take effect.

Weblogic

To update the JVM arguments set on Weblogic, browse to the Weblogic Administration Console (e.g. localhost:7001/console) > Click on Environment > Servers. Select the server on which CA Identity Portal is installed.

Click on the Server Start tab > Edit the arguments set in the Arguments text area.

Note: JVM arguments are set with -D, i.e. to set the argument sigma.app.server with the value weblogic, type: -Dsigma.app.server=weblogic

Restart the server to make sure the changes take effect.

JVM Arguments

Make sure the following JVM arguments are set (remove any redundant arguments):

Argument Name: sigma.app.server
Argument Value: For Tomcat: bitronix; For JBoss: jboss; For Weblogic: weblogic
Description: Specifies the application server on which CA Identity Portal is running; used for several reasons, such as endorsed libraries etc.

Argument Name: sigma.cluster.mode
Argument Value: multicast
Description: Used to configure JGroups multicast/unicast - please refer to Appendix D for further details

Argument Name: sigma.portal.cache.infinispan.jgroups_cfg
Argument Value: sigma-portal-jgroups-multicast.xml
Description: Used to configure JGroups multicast/unicast - please refer to Appendix D for further details

Argument Name: sigma.hibernate.cache.infinispan.jgroups_cfg
Argument Value: sigma-hibernate-jgroups-multicast.xml
Description: Used to configure JGroups multicast/unicast - please refer to Appendix D for further details

Argument Name: sigma.persistance.xml.location
Argument Value: For MySQL/MS SQL Server 2008 databases: classpath:sigma-persistence.xml; For MS SQL Server 2012/2014 databases: classpath:sigma-persistence-mssql.xml; For Oracle database: classpath:sigma-persistence-oracle.xml
Description: Used to define the types of persistence objects managed by CA Identity Portal

Argument Name: -XX:MaxPermSize
Argument Value: 1024m (or more, limited by the machine's memory size)
Description: -D is not required; specifies the JVM maximal perm size allocated for CA Identity Portal

Argument Name: -Xms
Argument Value: 2048m (or more, limited by the machine's memory size)
Description: -D is not required; specifies the JVM initial heap size allocated for CA Identity Portal

Argument Name: -Xmx
Argument Value: 2048m (or more, limited by the machine's memory size)
Description: -D is not required; specifies the JVM maximal heap size allocated for CA Identity Portal

Argument Name: sigma.resources.dir
Argument Value: Any legit folder path; e.g. ./resources
Description: Used to configure CA Identity Portal resources folder location

Argument Name: log4j.logpath
Argument Value: Any legit folder path; e.g. ./logs
Description: Used to configure CA Identity Portal logs folder location

Argument Name: sigma.encryption.keystoreLocation
Argument Value: sigma.keystore path; e.g. /IdentityPortal/sigma-keystore-tool/sigma.keystore
Description: Used to configure CA Identity Portal keystore location

Argument Name: org.apache.cxf.Logger
Argument Value: org.apache.cxf.common.logging.Log4jLogger
Description: Specifies the logger type used by CA Identity Portal

Argument Name: java.net.preferIPv4Stack
Argument Value: true

Argument Name: jgroups.bind_addr
Argument Value: localhost
Description: Optional: Used to configure JGroups multicast/unicast - please refer to Appendix D for further details

Argument Name: btm.root
Argument Value: For Tomcat only: Bitronix root folder; usually set to: <Tomcat Home Folder>
Description: Specifies the bitronix configuration files root folder

Argument Name: bitronix.tm.configuration
Argument Value: For Tomcat only: btm-config.properties location; usually set to: <Tomcat Home Folder>/btm-config.properties
Description: Specifies the bitronix configuration file location (btm-config.properties)

Argument Name: org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH
Argument Value: For Tomcat only: true

Argument Name: org.jboss.as.logging.per-deployment
Argument Value: For JBoss only: false

Argument Name: jboss.as.management.blocking.timeout
Argument Value: For JBoss only: 1000

Validate CA Identity Portal after Upgrade

When starting the application server as part of the installation process, it is crucial to validate that the server started successfully.

Look for the following messages in the log file to ensure successful startup before continuing to the next sections:

1. Validate that the missing tables are created. The log file should contain log messages similar to the following, indicating the system has noticed the schema is missing tables and will create them. Example of log messages:

[SIGMA APPENDER - FROM WEB] 2016-04-12 18:08:47,213 - INFO org.hibernate.tool.schema.extract.internal.InformationExtractorJdbcDatabaseMetaDataImpl - HHH000262: Table not found: sta_cat_comp_link
[SIGMA APPENDER - FROM WEB] 2016-04-12 18:08:47,219 - INFO org.hibernate.tool.schema.extract.internal.InformationExtractorJdbcDatabaseMetaDataImpl - HHH000262: Table not found: sta_cat_data
[SIGMA APPENDER - FROM WEB] 2016-04-12 18:08:47,220 - INFO org.hibernate.tool.schema.extract.internal.InformationExtractorJdbcDatabaseMetaDataImpl - HHH000262: Table not found: sta_cat_data
[SIGMA APPENDER - FROM WEB] 2016-04-12 18:08:47,225 - INFO org.hibernate.tool.schema.extract.internal.InformationExtractorJdbcDatabaseMetaDataImpl - HHH000262: Table not found: sta_category
[SIGMA APPENDER - FROM WEB] 2016-04-12 18:08:47,226 - INFO org.hibernate.tool.schema.extract.internal.InformationExtractorJdbcDatabaseMetaDataImpl - HHH000262: Table not found: sta_category
[SIGMA APPENDER - FROM WEB] 2016-04-12 18:08:47,232 - INFO org.hibernate.tool.schema.extract.internal.InformationExtractorJdbcDatabaseMetaDataImpl - HHH000262: Table not found: sta_component
[SIGMA APPENDER - FROM WEB] 2016-04-12 18:08:47,233 - INFO org.hibernate.tool.schema.extract.internal.InformationExtractorJdbcDatabaseMetaDataImpl - HHH000262: Table not found: sta_component
[SIGMA APPENDER - FROM WEB] 2016-04-12 18:08:47,237 - INFO org.hibernate.tool.schema.extract.internal.InformationExtractorJdbcDatabaseMetaDataImpl - HHH000262: Table not found: sta_data
[SIGMA APPENDER - FROM WEB] 2016-04-12 18:08:47,238 - INFO org.hibernate.tool.schema.extract.internal.InformationExtractorJdbcDatabaseMetaDataImpl - HHH000262: Table not found: sta_data

2. Validate that the application started performing a model upgrade and is setting the new Portal version. Following is an example of log messages:

[SIGMA APPENDER - FROM WEB] 2016-04-12 18:09:03,254 - INFO com.idmlogic.sigma.manager.impl.StartupManagerBean - version V161 of the Portal was detected, starting upgrade procedure to 1.6.2

3. Validate that the application completed the data model upgrade successfully. Following is an example of log messages:

[SIGMA APPENDER - FROM WEB] 2016-04-12 18:09:03,254 - INFO com.idmlogic.sigma.manager.impl.StartupManagerBean - Successfully upgraded to version 1.6.2

Note: No errors should occur in the log between steps 2 and 3.

4. Validate that the application server started successfully. Look for the big "CA Identity Portal is up and running" banner in the log.

5. Check that the connectors start as expected; make sure that the Run on startup flag is set.

Troubleshoot Log Errors

Contents:

Server Fails to Start
Connectors Do Not Start
Error after Application and Server Starts

Server Fails to Start

Symptom: Server fails to start, and the following error appears in the log:

[SIGMA APPENDER - FROM WEB] 2015-10-26 03:53:16,121 - DEBUG com.idmlogic.sigma.manager.impl.UpgradeManagerBean - Failed to save Portal version, it may cause by different server in a cluster, trying to acquire lock.
javax.persistence.LockTimeoutException: could not execute statement
at org.hibernate.jpa.spi.AbstractEntityManagerImpl.wrapLockException(AbstractEntityManagerImpl.java:1812)
at org.hibernate.jpa.spi.AbstractEntityManagerImpl.flush(AbstractEntityManagerImpl.java:1338)
at com.idmlogic.sigma.dao.impl.SystemDataDaoImpl.saveNewTransaction(SystemDataDaoImpl.java:28)
at com.idmlogic.sigma.manager.impl.UpgradeManagerBean.upgrade(UpgradeManagerBean.java:191)
at com.idmlogic.sigma.manager.impl.StartupManagerBean.startup(StartupManagerBean.java:48)
at com.idmlogic.sigma.web.util.SigmaLoadListener.onApplicationEvent(SigmaLoadListener.java:34)
... (Spring, Tomcat and reflection frames omitted)
Caused by: org.hibernate.exception.LockTimeoutException: could not execute statement
at org.hibernate.dialect.MySQLDialect$1.convert(MySQLDialect.java:447)
... 81 more
Caused by: java.sql.SQLException: Lock wait timeout exceeded; try restarting transaction
at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:1078)
... 91 more
Hibernate: select systemdata0_.id as id1_87_0_, systemdata0_.version as version2_87_0_ from systemdata systemdata0_ where systemdata0_.id=? for update

Solution:

This error is most likely caused when you are using a MySQL database and you did not configure the isolation level READ_COMMITTED property in the Data source. For more information, see the section Update the JVM arguments.

Connectors Do Not Start

Symptom:

The connectors fail to start.

Solution:

This issue is not related to the upgrade procedure but does affect the server start up. Address this issue after the entire upgrade process has completed. Inspect the error message given for the connector failure to identify the cause of the failure.

Error after Application and Server Starts

Symptom:

The application and server start successfully, however the following error appears in the log:

[SIGMA APPENDER - FROM WEB] 2015-10-25 18:24:58,260 - WARN org.hibernate.engine.jdbc.spi.SqlExceptionHelper - SQL Error: 904, SQLState: 42000
[SIGMA APPENDER - FROM WEB] 2015-10-25 18:24:58,260 - ERROR org.hibernate.engine.jdbc.spi.SqlExceptionHelper - ORA-00904: "UIDATA": invalid identifier
[SIGMA APPENDER - FROM WEB] 2015-10-25 18:24:58,275 - DEBUG com.idmlogic.sigma.manager.impl.UpgradeManagerBean - Failed to get Sigma Modules
javax.persistence.PersistenceException: org.hibernate.exception.SQLGrammarException: could not extract ResultSet
at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1763)
at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1677)

Solution:

Ignore this error. This error appears when using an Oracle database server for the first time after the upgrade.
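A post-upgrade log check covering both the "Validate CA Identity Portal after Upgrade" steps and the signatures listed under "Troubleshoot Log Errors", written here as an added example; it is not part of the CA documentation or product. It assumes the log line layout shown in the documentation's own examples; the sample log lines are constructed, and the logger name on the "up and running" line is an assumption.

```python
"""Post-upgrade log check for CA Identity Portal (added example, not CA code).

Scans a server log for the startup messages the Validate section expects and
for the signatures described under Troubleshoot Log Errors. The line layout
is taken from the documentation's examples; all sample lines are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Tuple

# Line shape from the documentation's examples:
# [SIGMA APPENDER - FROM WEB] <date> <time> - <LEVEL> <logger> - <message>
LINE_RE = re.compile(
    r"^\[SIGMA APPENDER - FROM WEB\] (?P<ts>\S+ \S+) - "
    r"(?P<level>[A-Z]+) (?P<logger>\S+) - (?P<msg>.*)$"
)
TABLE_MISSING = re.compile(r"HHH000262: Table not found: (\S+)")
UPGRADE_START = re.compile(
    r"version (\S+) of the Portal was detected, starting upgrade procedure to (\S+)"
)
UPGRADE_DONE = re.compile(r"Successfully upgraded to version (\S+)")
UP_BANNER = "CA Identity Portal is up and running"

# Signatures from "Troubleshoot Log Errors" and the documented reading of each.
KNOWN_SIGNATURES = {
    "Lock wait timeout exceeded": (
        "Server fails to start: MySQL data source probably lacks the "
        "READ_COMMITTED isolation level (see Update the JVM arguments)"
    ),
    'ORA-00904: "UIDATA": invalid identifier': (
        "Expected on Oracle on the first start after the upgrade; ignore"
    ),
}


@dataclass
class UpgradeReport:
    missing_tables: List[str] = field(default_factory=list)
    upgrade_from: Optional[str] = None
    upgrade_to: Optional[str] = None
    upgrade_completed: bool = False
    errors_during_upgrade: List[str] = field(default_factory=list)
    server_up: bool = False
    known_issues: List[Tuple[str, str]] = field(default_factory=list)

    def ok(self) -> bool:
        # Upgrade ran to completion, no ERROR lines between validation
        # steps 2 and 3, and the startup banner was reached.
        return (self.upgrade_completed and self.server_up
                and not self.errors_during_upgrade)


def check_upgrade_log(lines: Iterable[str]) -> UpgradeReport:
    report = UpgradeReport()
    in_upgrade = False  # inside the window between steps 2 and 3
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # stack-trace frames and unrelated lines
        level, msg = m["level"], m["msg"]
        for signature, meaning in KNOWN_SIGNATURES.items():
            if signature in msg:
                report.known_issues.append((signature, meaning))
        table = TABLE_MISSING.search(msg)
        if table:
            report.missing_tables.append(table.group(1))
        start = UPGRADE_START.search(msg)
        if start:
            report.upgrade_from, report.upgrade_to = start.group(1), start.group(2)
            in_upgrade = True
            continue
        if UPGRADE_DONE.search(msg):
            report.upgrade_completed = True
            in_upgrade = False
            continue
        if in_upgrade and level == "ERROR":
            report.errors_during_upgrade.append(msg)
        if UP_BANNER in msg:
            report.server_up = True
    return report


# Constructed sample: a healthy upgrade mirroring the documented messages.
# The logger name on the banner line is an assumption.
SAMPLE_LOG_OK = """\
[SIGMA APPENDER - FROM WEB] 2016-04-12 18:08:47,213 - INFO org.hibernate.tool.schema.extract.internal.InformationExtractorJdbcDatabaseMetaDataImpl - HHH000262: Table not found: sta_cat_comp_link
[SIGMA APPENDER - FROM WEB] 2016-04-12 18:08:47,220 - INFO org.hibernate.tool.schema.extract.internal.InformationExtractorJdbcDatabaseMetaDataImpl - HHH000262: Table not found: sta_cat_data
[SIGMA APPENDER - FROM WEB] 2016-04-12 18:09:03,254 - INFO com.idmlogic.sigma.manager.impl.StartupManagerBean - version V161 of the Portal was detected, starting upgrade procedure to 1.6.2
[SIGMA APPENDER - FROM WEB] 2016-04-12 18:09:03,254 - INFO com.idmlogic.sigma.manager.impl.StartupManagerBean - Successfully upgraded to version 1.6.2
[SIGMA APPENDER - FROM WEB] 2016-04-12 18:09:10,000 - INFO com.idmlogic.sigma.web.util.SigmaLoadListener - CA Identity Portal is up and running
"""

# Constructed sample: the "Server Fails to Start" case, an ERROR inside the
# upgrade window and no completion message.
SAMPLE_LOG_FAILED = """\
[SIGMA APPENDER - FROM WEB] 2015-10-26 03:53:10,000 - INFO com.idmlogic.sigma.manager.impl.StartupManagerBean - version V161 of the Portal was detected, starting upgrade procedure to 1.6.2
[SIGMA APPENDER - FROM WEB] 2015-10-26 03:53:16,121 - ERROR org.hibernate.engine.jdbc.spi.SqlExceptionHelper - Lock wait timeout exceeded; try restarting transaction
"""

if __name__ == "__main__":
    for name, text in (("ok", SAMPLE_LOG_OK), ("failed", SAMPLE_LOG_FAILED)):
        r = check_upgrade_log(text.splitlines())
        print(name, "->", "PASS" if r.ok() else "FAIL", r)
```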


Integrating

This section contains the following topics:

Integrating CA Identity Manager and CA Identity Governance
CA Single-Sign-On Integration
Integrating CA Identity Manager with CA Single Sign-On using CA Identity Suite Virtual Appliance
Set Up CA Identity Manager and CA Identity Portal Web Services Interface

Integrating CA Identity Manager and CA Identity Governance

For information about how to integrate CA Identity Manager and CA Identity Governance, see the CA Identity Governance documentation.

CA Single-Sign-On Integration

This section contains the following topics:

CA SSO Prerequisites
SSO for CA Identity Governance and Identity Portal

Supported Single Sign-On Products

CA Identity Portal currently supports single sign-on with CA SSO. See the section Supported Single-Sign-On Option for specific CA SSO versions.

Background

When CA Identity Portal is used by an end user, all actions performed on the user's behalf in CA Identity Manager (via TEWS) need to run in the user's security context in IM. In case CA Identity Portal is not protected by a web single sign-on solution (like CA SSO), the end user supplies a user ID and password to CA Identity Portal. CA Identity Portal, in turn, supplies these credentials to TEWS. In this case the TEWS Security properties need to be set to: "Enable admin_id (allow impersonation)" and "Admin Password is required" (See Screenshot 2 in Appendix B), thus running the IM tasks in the user context.

In case CA Identity Portal is protected by a web single sign-on solution, such as CA SSO, the end user's password is unknown to CA Identity Portal. All that is known to CA Identity Portal is the user ID and possibly the user's DN in the IM User directory. CA Identity Portal, without the user's password, now needs to invoke actions in IM on behalf of this user.


Several single sign-on scenarios can exist in a customer's environment, but in order for CA Identity Portal to support SSO the TEWS security framework MUST be configured for CA SSO authentication, and without "Admin Password required" (see Option 1 in the table below). In addition, CA Identity Portal must pass the appropriate CA SSO HTTP headers with the TEWS SOAP call in order for TEWS to accept the user context.

The following table lists the most common combinations of initial conditions (before CA Identity Portal deployment) and the effects of CA Identity Portal's single sign-on deployment for existing TEWS clients.

CA Identity Portal / Identity Manager SSO Options (before CA Identity Portal deployment)

Option 1
CA Identity Manager: CA SSO Protected
TEWS: CA SSO Protected (No Admin_password)
CA Identity Portal: CA SSO Protected
Notes: This is the most desired/least complex initial condition for a CA Identity Portal single sign-on deployment. Here the customer's TEWS setup is already configured for CA Identity Portal single sign-on support.

Option 2
CA Identity Manager: CA SSO Protected
TEWS: Not used at all
CA Identity Portal: CA SSO Protected
Notes: This is the next desired/least complex initial condition for a CA Identity Portal single sign-on deployment. Here TEWS is not used by anyone or any process (i.e. bulk load) and its configuration for CA Identity Portal will not affect other processes.

Option 3
CA Identity Manager: CA SSO Protected
TEWS: Admin_Id & Password Protected
CA Identity Portal: CA SSO Protected
Notes: In this case, existing customer TEWS clients (like the bulk loader client) will need to migrate from using Admin_ID and password to using CA SSO authentication. Either this or CA Identity Portal will not be CA SSO protected.

Option 4
CA Identity Manager: No CA SSO
TEWS: Admin_Id & Password Protected
CA Identity Portal: CA SSO Protected
Notes: In this case, existing customer TEWS clients (like the bulk loader client) will need to migrate from using Admin_ID and password to using CA SSO authentication. Either this or CA Identity Portal will not be CA SSO protected.

Option 5
CA Identity Manager: CA SSO Protected
TEWS: CA SSO Protected (Admin_password is also used)
CA Identity Portal: CA SSO Protected
Notes: Here the customer's TEWS setup will need to be changed to NOT use Admin_password while still using CA SSO. This might have an effect on existing TEWS clients. Either this or CA Identity Portal can NOT use single sign-on.

CA SSO Prerequisites

CA SSO Integration Prerequisites

In case CA Identity Portal is to be integrated with CA Identity Manager version 12.6 SP5 and CA Identity Portal is to be protected by CA SSO, you must also fully integrate the CA Identity Manager user console with CA SSO.


Enable Support for the HTTP DELETE Verb in CA SSO

Out of the box, a CA SSO deployment is not configured to allow the HTTP DELETE verb. CA Identity Portal requires that CA SSO allows the DELETE verb for the CA SSO Realm protecting CA Identity Portal. Follow this procedure to enable the DELETE verb.

1. Create a Delete Action for the CA SSO Web Agent. By default, the Web Agent has only the Get, Post, and Put Actions available. To add the Delete Action, complete the following steps:

   a. In the CA SSO Administration Console, click View Agent Types.
   b. Select Agent Types in the Systems pane.
   c. Double-click Web Agent in the Agent Type list.
   d. In the Agent Type Properties dialog box, click Create.
   e. Enter Delete in the New Agent Action dialog box and click OK.
   f. Click OK again to save the new Action.

2. In the Rule configured to protect the CA Identity Portal realm, make sure the verbs Delete, Get, Post, and Put are all selected in the Agent Actions section.


CA Identity Portal Realm Protection

Protect CA Identity Portal in CA SSO as you would any other web application.


The CA Identity Portal URI to protect is "/sigma/".

CA SSO must authenticate users for CA Identity Portal using the same authentication directory that protects the Identity Manager realm (for the environment CA Identity Portal is integrating with).

For example, if CA SSO protects the Identity Manager realm with AD SSO and an authorization directory mapping between AD and the IDM user store, protect the CA Identity Portal realm in exactly the same manner (same authentication directory and same authorization mapping).

Required CA SSO Headers

CA Identity Portal relies on the out-of-the-box CA SSO authentication and authorization HTTP headers. If your CA SSO deployment was modified from its OOTB configuration, make sure the CA Identity Portal realm is configured to forward these specific SM headers:

sm_user
sm_userdn
sm-authtype
sm_serversessionspec
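To confirm that the realm really forwards all four headers, the following POSIX shell check is an added example and not part of the CA documentation. It reads a header dump captured from a request that reached the portal (one "Name: value" per line, as a header-echo page or an agent trace would show; the dump format and the two sample dumps are assumed and constructed here) and reports which required headers are absent. Two details are easy to get wrong: header names compare case-insensitively, but sm-authtype is spelled with a hyphen while the other three use underscores, and a reverse proxy placed between the agent and the portal may drop underscore headers silently (nginx does so unless underscores_in_headers is enabled).

```shell
#!/bin/sh
# Added example (not from the CA documentation): verify that a captured request-header
# dump contains the four SM headers CA Identity Portal requires. The dump format, one
# "Name: value" per line, is assumed; the sample dumps below are constructed.

REQUIRED_SM_HEADERS="sm_user sm_userdn sm-authtype sm_serversessionspec"

# header_names FILE -> lower-cased header names found in FILE, one per line.
# HTTP header names are case-insensitive, so compare in lower case; '_' and '-' are
# kept as-is because sm-authtype (hyphen) and sm_user (underscore) are distinct names.
header_names() {
  sed -n 's/^\([A-Za-z0-9_-]*\):.*/\1/p' "$1" | tr 'A-Z' 'a-z'
}

# missing_sm_headers FILE -> prints each required header that FILE does not carry.
missing_sm_headers() {
  names=$(header_names "$1")
  for h in $REQUIRED_SM_HEADERS; do
    printf '%s\n' "$names" | grep -qx -- "$h" || echo "$h"
  done
}

# count_missing FILE -> number of required headers missing; 0 means the realm is
# forwarding everything the portal needs.
count_missing() {
  missing_sm_headers "$1" | awk 'END { print NR }'
}

# Constructed sample dumps: one complete, one where the agent forwards sm_user and
# sm_userdn but sm-authtype and sm_serversessionspec are absent.
complete=$(mktemp); partial=$(mktemp)
cat > "$complete" <<'EOF'
Host: portal.example.com
SM_USER: jdoe
SM_USERDN: uid=jdoe,ou=people,dc=example,dc=com
SM-AUTHTYPE: Basic
SM_SERVERSESSIONSPEC: <opaque session spec>
Cookie: SMSESSION=<opaque>
EOF
cat > "$partial" <<'EOF'
Host: portal.example.com
SM_USER: jdoe
SM_USERDN: uid=jdoe,ou=people,dc=example,dc=com
EOF

echo "complete dump, missing: $(count_missing "$complete")"   # 0
echo "partial dump, missing:"; missing_sm_headers "$partial"  # sm-authtype, sm_serversessionspec
rm -f "$complete" "$partial"
```

Run it against a dump taken from the portal host itself, not from the agent host: a header present at the agent but missing at the portal points at whatever sits between them.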

IIS Error Page Handling

If the CA SSO agent protecting CA Identity Portal is installed on Microsoft Internet Information Services (IIS), you need to enable "Detailed errors" in the IIS "Error Pages" settings. The following instructions are for IIS 7.5:

1. Select the Site protecting CA Identity Portal.
2. Open the "Error Pages" feature.
3. Click "Edit Feature Settings".
4. Select the "Detailed errors" option and click OK.

Note: with this setting IIS returns the application's own error responses to all clients, not only to local requests, instead of substituting its generic error pages.


TEWS Security Settings

When CA Identity Portal is protected by CA SSO, set exactly the following properties for TEWS in the CA Identity Manager environment serving CA Identity Portal.

Either "Basic" or "Other" can be selected. "Basic" means that IM automatically configures the realm and protection in the SM policy server when the environment is started. "Other" means that the SM administrator must configure the protection of TEWS in SM.

TEWS settings for CA Identity Portal with SSO

Note: CA Identity Portal does not support "TEWS configured with WSS Username Token" or "WS-I WSDL Format".


SSO for CA Identity Governance and Identity Portal

The CA Identity Governance Web Services do not support CA SSO authentication (as of 12.5 SP7). The Identity Governance Web Services security implementation checks the WSS security header (UsernameToken) and authenticates it either against AD/LDAP or against the Eurekify configuration. For CA Identity Portal to support CA SSO with Identity Governance as an endpoint, the following configuration is required for the Identity Governance portal:

AD/LDAP authentication MUST be disabled in Identity Governance.

CA SSO authentication must be enabled in Identity Governance. Otherwise, with AD/LDAP authentication disabled, users would be able to access Identity Governance with an incorrect password.

Integrating CA Identity Manager with CA Single Sign-On using CA Identity Suite Virtual Appliance

Perform the following procedures to successfully integrate CA Identity Manager with CA Single Sign-On using CA Identity Suite Virtual Appliance.

This article contains the following sections:

Install Java Cryptography Extension (JCE) Unlimited Strength
Edit the ra.xml file
Disable the Native Authentication Filter

Install Java Cryptography Extension (JCE) Unlimited Strength

Copy the required jar files to the security folder.

Follow these steps:

1. Download and save the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 8 zip file from the Oracle website:

   jce_policy-8.zip

2. Use an SCP utility (for example, WinSCP) to copy the following files from the downloaded zip file to this location:

   /opt/CA/jdk1.8.0_71/jre/lib/security

   local_policy.jar
   US_export_policy.jar

Note: the JDK at this path (1.8.0_71) still limits key lengths by default, which is why the policy files are needed. From JDK 8u161 onward, unlimited-strength cryptography is enabled by default and these files are no longer required.


Edit the ra.xml file

Prepare for the integration by reading the article Integrate CA SSO® with CA Identity Manager in the CA Identity Manager documentation at http://docops.ca.com.

Perform the following steps on every CA Identity Manager Server:

1. Log in to the server through the command-line interface or SSH using the "config" user.

2. Run the Password tool to encrypt the AgentSecret and AdminSecret passwords:

   cd /opt/CA/IdentityManager/IAM_Suite/IdentityManager/tools/PasswordTool
   ./pwdtools.sh -JSAFE -p CLEAR-TEXT-PASSWORD

   The encrypted password is displayed with the prefix "Encrypted value: "; see the following output for reference:

   --------------------------------------------------
   Your JAVA_HOME is currently set to /opt/CA/jdk1.8.0_71/
   --------------------------------------------------
   Encrypting your password ...
   ******************************************
   Plain Text: CLEAR-TEXT-PASSWORD
   Encrypted value: {PBES}:Z08nlvRQ/Q1U7wLrofK6K3Q0TTKrqI2J
   ******************************************

   Note: the clear-text password passed on the command line is recorded in the shell history of the "config" user; clear that history once the encrypted values are in place.

3. Run the following command to edit the ra.xml file:

   vim /opt/CA/VirtualAppliance/custom/IdentityManager/SiteMinder_config/ra.xml

4. Make the required changes to the following parameters:

   ConnectionURL
   Enabled
   UserName
   AdminSecret (provide the encrypted password generated by pwdtools.sh)
   AgentName
   AgentSecret (provide the encrypted password generated by pwdtools.sh)

5. Save the file by typing ":x" followed by <RETURN>.
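Because ra.xml now carries both secrets on every CA Identity Manager server, it is worth verifying that neither was left in clear text after editing. The following POSIX shell check is an added example, not part of the CA documentation or of the vApp tooling. It assumes the standard JCA ra.xml layout of config-property-name / config-property-value pairs with one element per line, and it writes constructed sample files to exercise the check; the {PBES}: value reused below is the sample output shown in the procedure above.

```shell
#!/bin/sh
# Added example (not from the CA documentation): sanity-check the edited ra.xml so that
# AdminSecret and AgentSecret hold pwdtools.sh -JSAFE output ({PBES}: prefix) rather than
# the clear-text password. Assumptions: the standard JCA ra.xml layout of
# <config-property-name>/<config-property-value> pairs, one element per line; the sample
# file written below is constructed for this check.

# ra_property FILE NAME -> prints the value of the config-property called NAME.
ra_property() {
  awk -v want="$2" '
    /<config-property-name>/ {
      n = $0
      sub(/.*<config-property-name>[ \t]*/, "", n)
      sub(/[ \t]*<\/config-property-name>.*/, "", n)
      name = n
    }
    /<config-property-value>/ && name == want {
      v = $0
      sub(/.*<config-property-value>[ \t]*/, "", v)
      sub(/[ \t]*<\/config-property-value>.*/, "", v)
      print v
      exit
    }' "$1"
}

# is_encrypted VALUE -> 0 when VALUE looks like pwdtools.sh output, 1 otherwise.
is_encrypted() {
  case $1 in
    "{PBES}:"?*) return 0 ;;
    *)           return 1 ;;
  esac
}

# check_ra_xml FILE -> 0 when both secrets are present and encrypted; otherwise prints
# one FAIL line per problem and returns 1. A clear-text value here means the password
# would sit readable on disk on every CA Identity Manager server.
check_ra_xml() {
  rc=0
  for p in AdminSecret AgentSecret; do
    v=$(ra_property "$1" "$p")
    if [ -z "$v" ]; then
      echo "FAIL: $p is missing or empty"; rc=1
    elif ! is_encrypted "$v"; then
      echo "FAIL: $p is not pwdtools.sh output (clear text?)"; rc=1
    fi
  done
  return $rc
}

# write_sample_ra_xml FILE ADMIN_SECRET AGENT_SECRET -> constructed ra.xml fragment.
write_sample_ra_xml() {
  cat > "$1" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<connector>
  <resourceadapter>
    <config-property>
      <config-property-name>ConnectionURL</config-property-name>
      <config-property-type>java.lang.String</config-property-type>
      <config-property-value>policyserver.example.com</config-property-value>
    </config-property>
    <config-property>
      <config-property-name>AdminSecret</config-property-name>
      <config-property-type>java.lang.String</config-property-type>
      <config-property-value>$2</config-property-value>
    </config-property>
    <config-property>
      <config-property-name>AgentSecret</config-property-name>
      <config-property-type>java.lang.String</config-property-type>
      <config-property-value>$3</config-property-value>
    </config-property>
  </resourceadapter>
</connector>
EOF
}

# The {PBES}: value is the sample output shown in the procedure above.
good=$(mktemp); bad=$(mktemp)
write_sample_ra_xml "$good" '{PBES}:Z08nlvRQ/Q1U7wLrofK6K3Q0TTKrqI2J' '{PBES}:Z08nlvRQ/Q1U7wLrofK6K3Q0TTKrqI2J'
write_sample_ra_xml "$bad"  '{PBES}:Z08nlvRQ/Q1U7wLrofK6K3Q0TTKrqI2J' 'CLEAR-TEXT-PASSWORD'
check_ra_xml "$good" && echo "$good: secrets encrypted"
check_ra_xml "$bad"  || echo "$bad: rejected"
rm -f "$good" "$bad"
```

On the vApp, point check_ra_xml at /opt/CA/VirtualAppliance/custom/IdentityManager/SiteMinder_config/ra.xml on each server before running the restart; the check only recognises the {PBES}: prefix that pwdtools.sh -JSAFE produces, so a value encrypted with a different tool would be reported as a failure and needs a manual look.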

Disable the Native Authentication Filter

Perform the following steps on every CA Identity Manager server in the vApp solution. Disabling the filter hands authentication of the CA Identity Manager server over to CA SSO, so the ra.xml changes and the CA SSO protection described above should be in place before you run it.

1. Run the following alias from the command-line interface to disable the Native Authentication Filter:

   DisableIdmAuthFilterSecurity

2. Run the following alias to restart the CA Identity Manager server:

   restart_im


Note: You can roll-back this action by running the following alias:

EnableIdmAuthFilterSecurity

Set Up CA Identity Manager and CA Identity Portal Web Services Interface

The CA Identity Manager and CA Identity Portal Web Services interface is a set of web services exposed by CA Identity Manager that CA Identity Portal uses for implementation of various capabilities. The capabilities include the following:

Replacement of existing service tasks for admin purposes such as configuring Endpoints, Target permission of type group.

Status updates.

Notification queue for receiving status updates from CA Identity Manager on tasks executed in CA Identity Portal.

Important! Verify that CA Identity Manager version 12.6.08 or later is installed.

Important! The Web Services interface is mandatory for leveraging the Analytics functionality.

To configure the interface, perform the following procedures:

In CA Identity Manager:

Log in to the CA Identity Manager Management console as a system manager.

Navigate to Roles and Tasks, Admin Tasks, Modify Admin Task

Search for Create Web Services Configuration.

Select the task Create Web Services Configuration.

Clear the option Hide In Menus, if selected.

Click Submit.

Navigate to System, Web Services, Create Web Services Configuration.

Specify a name and identifier for the web services configuration. Note: write down the values specified here; they are needed to configure CA Identity Portal.

Select Enable.


Click Submit.

In CA Identity Portal:

Log in to the Admin UI.

Navigate to Backend management, Connectors. The list of Connectors appears.

Click on a connector.

In the Edit Connector page, scroll down to the IM Portal Webservices section.

Select the option Is webservices enabled?.

Specify the URL and configuration ID. Note: use the values specified in CA Identity Manager.

Click Save.

Click Restart.

Navigate to Administration, General Configuration.

Select Enable status puller.


Administrating

This section contains the following topics:

Administrating CA Identity Portal
Administrating CA Identity Suite Virtual Appliance (vApp)

Administrating CA Identity Portal

This section contains the following topics:

Introduction
Identity Portal Additional Features
Identity Portal Functionality
CA Identity Suite Administration

Introduction

CA Identity Portal is a web-based, business-ready identity and access management application that serves as a business logic layer leveraging and aggregating functionality from existing identity management products, such as CA Identity Manager (CA IM) and Identity Governance (CA IG). CA Identity Portal is designed for the non-technical business end user and delivers an intuitive, all-inclusive interface in the form of a single page web application.

CA Identity Portal interfaces with the organization's existing IM platforms (such as CA Identity Manager) through CA Identity Portal's backend connectors, and communicates with the IM backend platforms using the exposed public APIs of these backend systems (for example, Web Services (TEWS) & Workpoint APIs for CA IM, and web services API for CA IG).


Architecture

CA Identity Portal's architecture is based on a layered approach:

1. Presentation Layer – a single page web application that runs on the client side and makes Ajax/REST calls to the CA Identity Portal BL tier. This layer is written in AngularJS, Google's framework for client applications.

2. Business Logic Layer – a Java application server implementing the CA Identity Portal BL language, a business-level language of IAM (access, entitlements, certifications, etc.). The BL layer uses functionality that the connector layer provides.

3. Connectors Layer – another layer in the application server that pulls and aggregates data and invokes operations on CA Identity Portal endpoints. The CA Identity Portal endpoints are the IAM platforms currently supported: CA Identity Manager, CA Identity Governance and CA Advanced Authentication. CA Identity Portal is not a provisioning engine; it inherits that logic and functionality from IM.

CA Identity Portal can integrate with CA SSO for authentication only (SM integration is optional, not a prerequisite).

System Administration

CA Identity Portal's administration application allows system administrators to perform the following administrative tasks:

Configuring CA Identity Portal in the organizational environment and linking it to various organizational applications (IAM - Identity and Access Management / IAG - Identity and Access Governance / AA - Advanced Authentication); refer to the Connectors section for more information on connecting to CA Identity Portal connectors.

Defining the business logic of the CA Identity Portal system, and workflows derived from that logic.

Configuring the end-user interface based on these business logic definitions

See the Administrating CA Identity Portal section for more information on CA Identity Portal administration and configuration.

Note: In order to perform administrator tasks in CA Identity Portal you must be logged in with a CA Identity Portal system admin account.

Identity Portal Additional Features

CA Identity Portal comes with some additional features that work out of the box and do not require configuration (though some can be modified/configured).

Password Management
Drafts

Password Management

CA Identity Portal comes out of the box with some password-related tasks pre-configured: Forgotten Password, Expired Password and Reset Password.

Forgotten Password

On CA Identity Portal's login page the end user has the option of clicking the link "Forgot password?". This takes the user through a public interface (meaning the user does not log in) of challenge questions; after successful responses the user is provided with a new temporary password. CA Identity Portal's forgotten password reset is based on the IM default configuration.

The configuration can be modified in the IM connector configuration. Refer to the "Forgotten Password" section for more information.

Expired Password

When a user's password expires he is required to replace it at the login screen to CA Identity Portal. As part of the CA Identity Portal Core roles and tasks there's a service task (Sigma Change My Password) that is being used by default in this scenario.

The configuration can be modified in the IM connector configuration. Refer to the "Reset Password" section for more information.

Reset Password

An end user has the ability to reset his own password once already logged into the system. This will reset his IM password and any other accounts linked to it based on the definition of the endpoint. As part of the CA Identity Portal Core roles and tasks there's a service task (Sigma Change My Password) that is being used by default in this scenario.

Drafts

CA Identity Portal allows the end user to save a request as a draft before actually submitting it. This feature is available out of the box and does not require any configuration; it just needs to be included in the features of the profile.

Currently Drafts are only available in dynamic module actions and not in access requests.


Using Drafts

When Drafts is enabled for the user and module action, the user sees a button called Draft as part of the request.

Click Draft.

Enter a name for the draft, if the name already exists you can override it.

To return to a saved draft go to Drafts icon on the right next to the localization menu, the number of existing drafts will be noted in parenthesis. For example: Drafts (0)

The list of drafts will be displayed.

A draft can be deleted or edited.

Click on a draft to open it.

Edit the request and Submit.

Identity Portal Functionality

This section details the functionalities that are exposed to the CA Identity Portal end user. It helps the administrator understand the features available to the end user and provides quick links to the relevant administration sections so the administrator can make the required configurations.

Functionality Overview

CA Identity Portal enables you to expose a user-friendly, business-oriented interface that translates technical IM terms into business user terms. It allows the end user to perform the following functionalities:

Access Request

Create Objects

Create User (for example: Onboarding and Self-registration)

Create Group

Manage Objects

Modify User (for example: User Management)

Modify Group

Passwords Management

Certify Existing Entitlements


Each action the user performs (access request, user management, etc.) is treated in CA Identity Portal as a request. The end user is provided a REQUEST ID with which he can track his requests in the "My Requests" section. The actions can also result in an approval process; that depends on the backend configuration of the task that is triggered. If the triggered task has an approval workflow configured, then when a user logs into CA Identity Portal he can see the approval and implementation items pending for him in the "Tasks" section.

By deploying CA Identity Portal in a client environment you will improve efficiency and usage of the IAM solution and reduce security risks by providing the end users with advisory tools.

Dynamic Modules

Administrators can configure CA Identity Portal to manage two types of objects: users and groups. The dynamic configuration, though, allows administrators to present those objects to the end user as custom objects as well. The administrator can give a module any name that reflects the type of actions that can be performed there; refer to the Modules section for more information.

The next sections describe the available actions.

Multi Onboard

This module template allows for creation of user objects only. The module allows for creation of users in bulk as well.

In this module the user can select single and bulk onboard actions as defined by the administrator; refer to the "Tasks" and "Forms" sections for more information.

Create

This module template allows for creation of user and group objects. For example this can be used to configure a module called: Onboarding.

In this module the user can select create actions as defined by the administrator; refer to the "Tasks" and "Forms" sections for more information.

Manage

This module template allows for modification of user and group objects. For example this can be used to configure a module called: User Management.

In this module the user can search for and select an object (user or group) and then select modification actions as defined by the administrator; refer to the "Tasks" and "Forms" sections for more information.

Registration

This module template allows for creation of user and group objects. For example this can be used to configure a module called: Self-Registration.

In this module the user can perform public tasks (that do not require him to log into the system) as defined by the administrator; refer to the "Tasks" and "Forms" sections for more information.


Self Manage

This module template allows modification of the logged-in user. It is intended to collect all the actions that the user can perform on himself, for example Change My Profile and Reset My Password.

Only manage actions can be configured in this module; assign tasks that enable the user to perform actions on himself.

Team Management

This module template allows the modification on a team of users. The team is defined according to a filter criteria such as all members of IT department ("department" = "IT").

Access

Users can request access for themselves, for other users, or even in bulk using a file upload. An access request can be for real access to connected systems, manually provisioned access to disconnected systems, or non-system access such as a hardware request. When a user (self, other or bulk) is selected there are several tabs:

Current – displays the current access the user has. When the request is for more than one user the current access will always be blank. The list will display various types of access from provisioning roles in IM, through IM endpoint accounts to Arcot authenticators.

Applications – displays the current access plus all the available items the user can request access for. The available access depends on permissions defined in the backend IM system and on an additional layer of scoping provided by CA Identity Portal. Applications can be grouped into different sections. The applications and groups of applications can be searched. The list of applications is configurable; refer to the "Permission Model" section for more information.

Endpoints – displays the current endpoint accounts the user has and allows him to request direct account permissions (for example, Active Directory groups). This requires endpoint configuration; refer to the "Endpoints" section for more information.

Roles – administrators can define suggestive roles in CA Identity Portal and link them to various permissions. The requester can then view a role and select permissions from that role.

Similar Users – requesters can view the access of other users and decide, based on that, what access they want to request. The view of the similar users section is configurable; refer to the "UI Configuration" section for more information.

Favorites – requester can save items such as applications, roles and requests as favorites in order to save time when navigating to them in the future.

Request Access

The Access section is divided into three panes:

Left pane – displays the list of available objects (applications/accounts/roles etc.).


Middle pane – displays the list of available permissions for the selected object. The user can select Add/Modify/Remove permission. The available actions are configurable per permission; refer to the "Target Permissions" section for more information. For each action there can be additional information for the user to fill out; refer to the "Forms" section for more information.

Right pane – displays the CA Identity Portal cart which contains the selections the requester made in the permissions section in the middle pane. Request to "Add" permission is automatically added to the "Added Permissions" section in the cart and so on.

Once the user is satisfied with the selection he can Check Out and Submit his request, clear it or save it as a draft.

Risk Meter

If risk is enabled, the risk is calculated while permissions are added to the cart and reflected on the risk meter using the cart icon. Clicking the risk meter displays what made up the risk. In the request summary view, the violations that exist due to the permissions in the cart are displayed above their corresponding permission.

The user himself is displayed in the color of his current risk.

My Requests

Any request or action the end user performs in CA Identity Portal results in a request. When a user submits such a request, a REQUEST ID is displayed. This request ID can be used to track the submitted actions. "My Requests" is available from the landing page ("Home"), from the top navigation menu or from the "Dashboard".

The "My Requests" page is divided into three panes:

My Requests - Left Pane

Displays the list of requests submitted by the user and their status. By default, the list shows the latest requests submitted by a user. If more than a single page of requests exists, page numbers are displayed at the bottom of the table. You can click the header of any column except the Status column to sort the list. A user can search the requests using the search box or advanced search:

Simple Search - type any value in the search box based on the desired filter, the filter automatically determines what the user is attempting to search for and performs the search. In case the user is attempting to search for a user, the search box provides an autocomplete option to help identify the user.

Advanced Search – click the down arrow in the search box to view the advanced search options. You can specifically define the search condition on the requests. Following are the available search conditions:

By Profile – search in all requests, my requests or a specific profile. Refer to the "Profiles" configuration section for more information.

By requester

By target user

By date range


By Id

By Status

By Access Elements - Permissions (only permissions that appear in requests visible to the user are available for search) or Actions (only actions that exist in requests visible to the user are available for search)

Refresh requests - lets you refresh the list of requests at any time.

Export requests to file - lets you export all details of the requests to a Microsoft Excel file.

My Requests - Middle Pane

Displays the details of the selected request. The details contain the original request only. Modifications to a request are not visible here. One CA Identity Portal request can contain multiple request items in it (for example: multiple applications and permissions). Extended information such as: Form, Comment, Status, Violations, Last Update will be displayed on the permission\entitlement\module action level.

You can cancel a request only if the status of the request is In Progress. On cancelling a request, the status of the request is displayed as Cancelled in the left pane.

The admin task "Sigma - Cancel" is not included in the "SIGMA - TEWS Tasks" admin role by default. Therefore, users will not be able to cancel requests, since the task is not in their scope. The administrator must add the task to the users' admin role or to the "SIGMA - TEWS Tasks" role for them to be able to cancel requests.

My Requests - Right Pane

Displays the timeline of the request or of the specific permission\entitlement selected in the request details (in the middle pane). The timeline details the flow of the requested item (submitter, approver, implementer, etc.) and the status of each step of the workflow. The user can hover over the name of the approvers and view additional information about the user (or group of users). That information is configurable; refer to the "UI Configuration" section for more information.

Tasks

The Tasks section displays all pending tasks the user has on the supported systems that were configured in CA Identity Portal. For example: pending certification campaigns in CA Identity Governance or pending work items in CA Identity Manager. "Tasks" is available from the landing page ("Home"), from the top navigation menu or from the "Dashboard". There are three available task types in CA Identity Portal:

Approvals

Implementations

Certification Campaigns


Approvals

Any request or action the end user performs in CA Identity Portal can potentially result in an approval workflow. This depends on backend configuration in the supporting system (for example: CA Identity Manager workflow). If a workflow work item exists in the connected system, CA Identity Portal automatically displays it in "Tasks". Any work item is displayed here even if it was not generated in CA Identity Portal. Work items generated in CA Identity Portal have a request ID, whereas work items generated directly in the backend system do not have a CA Identity Portal request ID. Work items can be approved/rejected or given any other action that was defined in the backend system. Once an action is taken on an approval item it is removed from the list.

The "Approvals" tab is divided into three panes:

Left pane – displays the list of pending work items. The list can be filtered by any of the displayed fields. A user can search on the approvals using one of the following processes:

Typing in the table top search bar his desired filter, the filter will automatically determine what the user is attempting to search for and perform the desired search.

Using the advanced search – available using the small down arrow, the user can specifically define the search condition on the approvals. Available search conditions are:

By requester

By target user

By date range

By Id

Searching in historical approvals – this feature enables users to view approvals that they already attended. To enable this feature, the user needs to check the "search in tasks archive". Once that feature is enabled the user will also be able to search by action.

Middle pane – displays the details of the selected request.

Request Information – this tab contains the original request only and only the requested item that is relevant to the approver reviewing the request.

Process Information – this tab is optional and depends on the configuration of the approval task; refer to the "Task Configuration" section for more information. This tab can be editable in case an original request needs to be modified or approvers are required to provide additional input.

Advanced Information – this tab displays the entire information in the approval task in an uneditable/raw form.

Right pane – displays the request history similarly to the timeline view of "My Requests". The timeline details the flow of the requested item (submitter, approver, implementer, etc.) and the status of each step of the workflow. The user can hover over the name of the approvers and view additional information about the user (or group of users). That information is configurable; refer to the "UI Configuration" section for more information.

Page 103: CA Identity Portal - 12.6.8 CA Identity Portal - HomeCA Identity Portal - 12.6.8 18-Oct-2019 13/272 12.6.7 New Features Internationalization Support Improved Certification Campaigns

CA Identity Portal - 12.6.8

18-Oct-2019 103/272

3.

1.

2.

a.

b.

c.

d.

e.

f.

approver can leave a comment and then click a button to perform the desired action. The default actions are approve/reject but more actions are available based on the button configuration of the connected task; refer to " " section for more Task Configurationinformation.

Implementations

Implementation tasks are approval tasks that carry configuration telling CA Identity Portal that this is actually an implementation. In CA Identity Manager this is done by setting user data on the Workpoint activity node; refer to the "Implementation" section for more information. When a work item is interpreted in CA Identity Portal as an implementation task instead of an approval task, all CA Identity Portal does is display the item under the "Implementations" tab instead of "Approvals" and display an "Implement" action button instead of the "Approve/Reject" actions. Refer to the "Approvals" section for more information on what is displayed here.

Certification Campaigns

Any certification campaign tasks pending in the connected backend system are automatically displayed here for the end user to review. For example, if a campaign was triggered in CA Identity Governance and the connected user has pending approval items in that campaign, he can approve/reject them in this tab. Pending campaign alerts are also available from the top menu, which displays the remaining days of a campaign. The "Certification Campaigns" tab is divided into two panes:

Left pane – displays the list of pending campaigns.

Right pane – displays the list of pending approvals for that campaign. The view can be switched between by user, by role, by resource, and by account. Decisions can be saved or submitted. The approver can automatically populate decisions in the campaign by clicking "Previous Decisions". This only works if the user approved/rejected the same item in a previous campaign (for example: approve John's network access). Possible actions a user can perform on a campaign task are:

Approve

Reject

Consult

Reassign

Add comment

Upload attachment

Certification Campaigns

Unlike other CA Identity Portal features, Certification Campaigns are available to end users by default without any additional configuration. Certification Campaigns require a connector to the CA Identity Governance system. Once a connector is configured and an end user has a campaign pending his attention, it is displayed in the "Tasks" section.

Note: The certification type ‘Must comment when rejecting’ is supported in CA Identity Portal starting CA Governance Minder 12.6 SP5.


Supported Campaigns

CA Identity Portal supports the following campaign types:

Users

Roles

Resources

Accounts

CA Identity Portal also supports the various types of workflows including custom workflows attached to the certification process.

Certification Features

CA Identity Portal supports the following features and behaviors in a certification campaign:

Different views of a campaign (By role, resource, account, or user)

Save selection

Submit selection

Reassign

Add comments – this feature can be enforced for violations in the campaign definition.

Select all – this feature can be controlled on the campaign definition from CA Identity Governance.

Display violations

Display entity attributes including link attributes

Display task history (if task was reassigned).

Previous decisions – this is an internal CA Identity Portal feature which searches previous decisions made for the specific approval required in this campaign. If previous decisions were made, they will override any current decisions.

Consult and ability to respond on consultation requests.

Upload attachments.

Approval tasks

Advanced search on campaign entities.

Share my work - You can share your tasks with another user. Once the work is shared, both users can see the open tasks. Tasks disappear from the queue when either of the two users performs an approve, reject, or reassign action. To share your work, follow these steps:

Click the Options dropdown.

Select Share my work.


Search for the user with whom you want to share your work.

Select the user.

Customize Certification Campaign Views

The following customization options are available for Certification Campaigns:

Control the display of an entity – each entity in the campaign can be displayed using the attributes in the campaign. For example, an administrator may want to display the user's full name and title as the entity display and, on hover, see all the other attributes. This is configured in the connector configuration. Use "{" and "}" to encapsulate a user attribute of the entity; static text can also be used, for example: {UserId}, Title: {Title}.

Display – You can view up to four attributes per entity. Click the User Settings icon and select the attributes that you want to display.

Group By – Lets you group the view based on the attribute that you select. Click the User Settings icon and select, from the list of values, the attribute by which you want to group the view.

Import / Export – You can export all tasks to an Excel sheet, perform the Approve / Reject actions as required for the relevant users, and add comments. Import the updated Excel sheet into CA Identity Portal. On successful import, all the actions performed in the Excel sheet are displayed in CA Identity Portal. To import or export, follow these steps:

Click the Options dropdown.

Click Export or Import as required.

Show new tasks / Show pending submission tasks / Show submitted tasks – You can display the tasks by status. Click the Options dropdown and select the required option.

Certify Progress Bar – Shows the total number of tasks and the tasks by status: Pending and Submitted.

Entries Per Page – Lets you select the number of entries (tasks) that you want to display on a page.

Values: 20, 50, 100

Settings

End users have a feature called "Settings" in which they can perform authentication activities such as activating strong authenticators and resetting the IM/CA Identity Portal password.

It also offers the ability to set delegators for an "out of office" scenario, in which case workflow items in IM are forwarded to the delegator.

Settings doesn't require any additional configuration by the administrator.


My Identity

This dashboard is available to the end user and aggregates much of the information available about the user. The functionality available is:

Profile Information

Current Access

Latest Activity

Account Information – including the ability to perform actions on the account, such as reset password. The availability of the accounts in this module is derived from the Modify My Endpoint Accounts task.

Risk information

Passwords

Forgotten Password

This feature is provided out of the box with CA Identity Portal. The end user is able to perform the public forgotten password reset task as long as the basic connector configuration to the Identity Management system has been performed. No additional admin configuration is needed unless changes from the default behavior are required; refer to the "Password Management" section for more information.

Expired Password

This feature is provided out of the box with CA Identity Portal. The end user performs the task configured in the connector in order to change the password when it has expired, as long as the basic connector configuration to the Identity Management system has been performed. No additional admin configuration is needed unless changes from the default behavior are required; refer to the "Password Management" section for more information.

Reset Password

This feature is provided out of the box with CA Identity Portal. The end user is able to change his own password in Identity Manager as long as the basic connector configuration to the Identity Management system has been performed. No additional admin configuration is needed unless changes from the default behavior are required; refer to the "Password Management" section for more information.

Notifications

Various end user notifications are available here, for example a warning when delegation has been set up. Notification messages are only displayed if the user has any notifications.

Dashboard

The dashboard view aims to bring the information that exists in different modules to one place. In the dashboard view a user can perform actions on tasks and campaigns and track requests.


Mobile

CA Identity Portal comes with an OOTB Mobile Web application. No configuration is required to enable and configure this mobile application.

The application can be browsed through any mobile browser and is available at <sigma_base_url>/sigma/mobile/login.html. You could also browse to the sigma desktop application URL at <sigma_base_url>/sigma and CA Identity Portal will automatically detect that you're browsing from a mobile device and redirect you to the mobile application.

Tablet devices are directed to the mobile application. If you would like to view the full application from your tablet device, open the navigation panel and click the link directing to the Desktop site. The desktop site is automatically adjusted to the tablet screen resolution.

The mobile web application has the following features enabled:

Work on pending work items.

Track Requests.

Complete certification campaigns.

Forgotten Password Reset

Reset expired password.

Application Launchpad

Self Registration.

Access

Modules

Branding (administrated from the Branding configuration screen in the Admin UI).

Applications Launchpad

The Applications Launchpad gives the user links to access other web applications/URLs. The URLs can be either external links or static URLs. If there is Single Sign-On integration, it can provide SSO to those applications. This requires administrative configuration; refer to the "Apps" section for more information.

CA Identity Suite Administration

This section describes the configuration and administration capabilities of CA Identity Portal's administrative UI. It also explains CA Identity Portal features that do not require additional configuration.

To log in to the administrative UI, follow this link:

http://<CA Identity Portal App Server>:<Port>/sigma/admin/

When prompted for username and password, use the credentials entered during the installation process.


Setting up the Workpoint Interface

CA Identity Portal communicates with the CA Identity Manager workflow engine (WorkPoint) directly.

Follow the steps below, per your CA Identity Manager application server type to configure CA Identity Portal to interface with your CA Identity Manager workflow engine.

This section contains the following subsections:

For CA Identity Manager Running on JBoss

For CA Identity Manager Running on WebLogic and WebSphere

Configuration for Supported Products

Using the Workpoint XML Web Service (Available only for CA Identity Manager 12.6.7)

When using the Workpoint XML web service, the Portal communicates with the CA Identity Manager workflow server over HTTP rather than over EJB.

This mode simplifies the configuration of the Portal IM connector.

In case a firewall separates the Portal from the CA Identity Manager server, only a single port has to be opened between the two servers (the HTTP port on which the CA Identity Manager User Console is running).

Enabling the WorkPoint Client Servlet

Stop the CA Identity Manager application server.

On the CA Identity Manager application server, locate the following file in the CA Identity Manager deployments folder.

wpClientServlet.jar.sleep

Different application servers have different deployment folders. Example: for JBoss, the file can be found under:

<JBOSS_HOME>\standalone\deployments\iam_im.ear\user_console.war\WEB-INF\lib\wpClientServlet.jar.sleep

For WebLogic, the file can be found under:

<DOMAIN_HOME>\applications\iam_im.ear\user_console.war\WEB-INF\lib\wpClientServlet.jar.sleep

Rename the file as follows:

wpClientServlet.jar

Restart the application server. For WebLogic and WebSphere, redeploy the CA Identity Manager application.

If you have a cluster, make sure that these changes have taken effect on all nodes.

Workpoint Configuration in CA Identity Manager Connector

Configure the following parameters:

Workpoint Application Server: Choose the application server on which CA Identity Manager is running.


Isolation Mode: Unchecked

Workpoint client directory: <location of jar files> (you supplied this location when you ran the Portal installation)

Workpoint service method: XML

Workpoint service URL: http://<IM server IP address>:<IM User Console Port>/iam/im/wpClientServlet

Example: http://im1267.somecompany.com:8080/iam/im/wpClientServlet

Copy Workpoint Jars

If the product was installed using the CA Identity Portal 1.6.1 installer, then the required jars were copied to the folder location that you specified during the installation. The required Jars can also be found in the following folder.

<SIGMA Install Folder>\workpoint-jars\(IM Version)

For CA Identity Manager Running on JBoss

Contents

For CA Identity Manager Running on JBoss 5
    Copy Workpoint and JBoss 5 JARs
    Workpoint Configuration in CA Identity Manager Connector

For CA Identity Manager Running on JBoss 6
    Copy Workpoint and JBoss 6 JARs
    Create an Application Server User on the CA Identity Manager JBoss Server
    Create a JBoss 6 ejb Client File
    Workpoint Configuration in CA Identity Manager Connector

For CA Identity Manager Running on JBoss 5

Copy Workpoint and JBoss 5 JARs

Copy the following JARs from the CA Identity Manager server to a local directory (of your choice) on the CA Identity Portal application server (in case of a CA Identity Portal cluster, copy these JARs to all the CA Identity Portal cluster nodes). This local folder will be referenced when configuring a CA Identity Manager connector in the CA Identity Portal Admin UI.

<SIGMA Install Folder>\workpoint-jars\{IM Version}\sigma-workpoint.jar

<JBoss IAM.im Deployment Folder>\library\wpClient.jar

<JBoss IAM.im Deployment Folder>\library\wpCommon.jar

<CA identity base installation dir>\IAM Suite\Identity Manager\tools\workpoint\lib\jbossall-client.jar

<CA identity base installation dir>\IAM Suite\Identity Manager\tools\workpoint\lib\JBoss\jboss-client.jar

<CA identity base installation dir>\IAM Suite\Identity Manager\tools\workpoint\lib\JBoss\jboss-common-core.jar

<CA identity base installation dir>\IAM Suite\Identity Manager\tools\workpoint\lib\JBoss\jboss-integration.jar

<CA identity base installation dir>\IAM Suite\Identity Manager\tools\workpoint\lib\JBoss\jboss-javaee.jar

<CA identity base installation dir>\IAM Suite\Identity Manager\tools\workpoint\lib\JBoss\jboss-logging-spi.jar

<CA identity base installation dir>\IAM Suite\Identity Manager\tools\workpoint\lib\JBoss\jboss-remoting.jar

<CA identity base installation dir>\IAM Suite\Identity Manager\tools\workpoint\lib\JBoss\jboss-security-spi.jar

<CA identity base installation dir>\IAM Suite\Identity Manager\tools\workpoint\lib\JBoss\jboss-serialization.jar

<CA identity base installation dir>\IAM Suite\Identity Manager\tools\workpoint\lib\JBoss\jbosssx-client.jar

<CA identity base installation dir>\IAM Suite\Identity Manager\tools\workpoint\lib\JBoss\jnp-client.jar

<CA identity base installation dir>\IAM Suite\Identity Manager\tools\workpoint\lib\JBoss\policy.jar

Workpoint Configuration in CA Identity Manager Connector

Configure the following parameters:

Workpoint Application Server: JBoss 5

Workpoint client directory: <location of jar files>

Workpoint service URL : <CA Identity Manager server IP address>

Isolation Mode: Checked

Workpoint service method: EJB

The following parameters should be left empty:

Workpoint service user id

Workpoint service user password

Workpoint user id

Workpoint user password

Other parameters should be configured according to your environment configuration.


For CA Identity Manager Running on JBoss 6

Copy Workpoint and JBoss 6 JARs

Copy the following JARs from the CA Identity Manager server to a local directory (of your choice) on the CA Identity Portal application server (in case of a CA Identity Portal cluster, copy these JARs to all the CA Identity Portal cluster nodes). This local folder will be referenced when configuring a CA Identity Manager connector in the CA Identity Portal Admin UI.

<SIGMA Install Folder>\workpoint-jars\{IM Version}\sigma-workpoint.jar

<JBoss Home>\modules\system\layers\base\org\jboss\as\naming\main\jboss-as-naming-x.x.x.jar

<JBoss Home>\bin\jboss-client.jar

<JBoss Home>\jboss-modules.jar

<JBoss Home>\modules\system\layers\base\org\jboss\msc\main\jboss-msc-#.#.#.Final-redhat-1.jar

<JBoss Home>\standalone\deployments\iam_im.ear\library\wpClient.jar

<JBoss Home>\standalone\deployments\iam_im.ear\library\wpCommon.jar

Example:

c:\jboss\modules\system\layers\base\org\jboss\msc\main\jboss-msc-1.1.5.Final-redhat-1.jar

Create an Application Server User on the CA Identity Manager JBoss Server


From a command line on the CA Identity Manager server (servers in case of a cluster), run the following command:

<JBOSS_HOME>\bin\add-user.bat

Select: b) Application User (application-users.properties)

Choose the default realm: Realm (ApplicationRealm)

Enter a username of your choice (for example: sigmaejb):
Username : sigmaejb

Set a password:
Password :
Re-enter Password :

Leave the roles selection empty:
What roles do you want this user to belong to? (Please enter a comma separated list, or leave blank for none)[ ]:

Confirm user creation:
Is this correct yes/no? yes

Select yes for remoting ejb:
Is this new user going to be used for one AS process to connect to another AS process?
e.g. for a slave host controller connecting to the master or for a Remoting connection for server to server EJB calls.
yes/no? yes

Create a JBoss 6 ejb Client File

Create a file with the following name:

jboss-ejb-client.properties

Place the file in the local folder to which you have copied the Workpoint JARs. Copy the following content into the file:

remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED=false
remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS=false
endpoint.name=client-endpoint
remote.connections=default
remote.connection.default.protocol=remote
remote.connection.default.host=<ip-of-idm-server>
remote.connection.default.port=4447
remote.connection.default.username=<sigma-ejb-user>
remote.connection.default.password=<sigma-ejb-user-password>

Replace "<ip-of-idm-server>" with the IP or FQDN of the IM server.

Replace "<sigma-ejb-user>" with the application server user you created in the previous step.

Replace "<sigma-ejb-user-password>" with the application server user password you created in the previous step.
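As an added example (not CA's code or part of this documentation), the following Python script parses a jboss-ejb-client.properties file of the shape shown above, checks that the three placeholders were replaced and that the documented keys are present, and reports the transport setting the file selects. The key names and the port come from the documented file; the parsing and check logic, and the sample host, user and password values, are this example's own.

```python
"""Check a jboss-ejb-client.properties file of the shape documented for the
CA Identity Portal to CA Identity Manager (JBoss 6) WorkPoint EJB connection.

Added example, not CA's code. The key names follow the documented file;
the parsing and checking logic are this example's own.
"""
import re

# Angle-bracket placeholders that the documentation says to replace.
PLACEHOLDER_RE = re.compile(r"<[^<>]*>")

# Keys the documented file carries for the connection named "default".
REQUIRED_KEYS = (
    "endpoint.name",
    "remote.connections",
    "remote.connection.default.protocol",
    "remote.connection.default.host",
    "remote.connection.default.port",
    "remote.connection.default.username",
    "remote.connection.default.password",
)
SSL_KEY = "remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED"
DOCUMENTED_PORT = "4447"


def parse_properties(text):
    """Minimal Java .properties reader: 'key=value' or 'key: value' per line,
    '#' or '!' comment lines, whitespace around key and value trimmed."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        match = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)$", line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def check_ejb_client_properties(text):
    """Return (errors, warnings). Errors stop the connector from working as
    documented; warnings are points an operator should know about."""
    props = parse_properties(text)
    errors, warnings = [], []

    for key in REQUIRED_KEYS:
        value = props.get(key, "")
        if value == "":
            errors.append("missing key: " + key)
        elif PLACEHOLDER_RE.search(value):
            errors.append("placeholder not replaced: %s=%s" % (key, value))

    if props.get("remote.connections") != "default":
        errors.append("remote.connections must name the 'default' connection")
    if props.get("remote.connection.default.protocol") != "remote":
        errors.append("remote.connection.default.protocol must be 'remote'")
    port = props.get("remote.connection.default.port")
    if port is not None and port != DOCUMENTED_PORT:
        warnings.append("port %s differs from the documented %s" % (port, DOCUMENTED_PORT))

    # The documented file sets SSL_ENABLED=false: the EJB user's password and
    # the WorkPoint traffic then cross the network unencrypted, which matters
    # when the Portal and Identity Manager run on different hosts.
    if props.get(SSL_KEY, "").strip().lower() == "false":
        warnings.append("SSL_ENABLED=false: remoting traffic to the IM server is not encrypted")

    return errors, warnings


# Constructed sample: the documented template with its placeholders intact.
TEMPLATE = """\
remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED=false
remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS=false
endpoint.name=client-endpoint
remote.connections=default
remote.connection.default.protocol=remote
remote.connection.default.host=<ip-of-idm-server>
remote.connection.default.port=4447
remote.connection.default.username=<sigma-ejb-user>
remote.connection.default.password=<sigma-ejb-user-password>
"""

# Constructed sample: the same file after the three replacements (host, user
# and password values are made up for this example).
FILLED = (
    TEMPLATE.replace("<ip-of-idm-server>", "im.example.internal")
    .replace("<sigma-ejb-user>", "sigmaejb")
    .replace("<sigma-ejb-user-password>", "example-only-password")
)

if __name__ == "__main__":
    for name, text in (("template", TEMPLATE), ("filled", FILLED)):
        errors, warnings = check_ejb_client_properties(text)
        print(name, "errors:", errors, "warnings:", warnings)
```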

Workpoint Configuration in CA Identity Manager Connector

Configure the following parameters:

Workpoint Application Server: JBoss 6

Workpoint client directory: <location of jar files>

Isolation Mode: Checked

Workpoint service method: EJB

The following parameters should be left empty:

Workpoint service URL

Workpoint service user id

Workpoint service user password

Workpoint user id

Workpoint user password

Other parameters should be configured according to your environment configuration.


For CA Identity Manager Running on WebLogic and WebSphere

Contents

For CA Identity Manager 12.5.x-12.6.4 Running on WebLogic
    Copy Workpoint and WebLogic JARs
    Workpoint Configuration in CA Identity Manager Connector

For CA Identity Manager 12.6.6 Running on WebLogic
    Copy Workpoint and WebLogic JARs
    Workpoint Configuration in CA Identity Manager Connector

For CA Identity Manager Running on WebSphere
    Copy Workpoint JARs
    Workpoint Configuration in CA Identity Manager Connector
    Modify WebSphere SSL Requirement for Workpoint Interface

For CA Identity Manager 12.5.x-12.6.4 Running on WebLogic

Copy Workpoint and WebLogic JARs

Copy the following JARs from the CA Identity Manager server to a local directory (of your choice) on the CA Identity Portal application server (in case of a CA Identity Portal cluster, copy these JARs to all the CA Identity Portal cluster nodes). This local folder will be referenced when configuring a CA Identity Manager connector in the CA Identity Portal Admin UI.

<SIGMA Install Folder>\workpoint-jars\{IM Version}\sigma-workpoint.jar

<Weblogic Server Home>\lib\wlclient-##.jar

Example:

D:\Oracle\wlserver\server\lib

<Weblogic iam_im.ear Deployment Folder>\APP-INF\lib\wpClient.jar

<Weblogic iam_im.ear Deployment Folder>\APP-INF\lib\wpCommon.jar

Example:

D:\Oracle\wlserver\server\lib

Workpoint Configuration in CA Identity Manager Connector

Configure the following parameters:

Workpoint Application Server: WebLogic

Workpoint client directory: <location of jar files>

Workpoint service user id: <weblogic admin console user>

Workpoint service user password: <weblogic admin console password>

Workpoint service url: t3://<weblogic admin server IP>:<weblogic admin server console port>

Isolation Mode: Selected

Workpoint service method: EJB

The following parameters should be left empty:

Workpoint user id

Workpoint user password

Other parameters should be configured according to your environment configuration.


For CA Identity Manager 12.6.6 Running on WebLogic

Copy Workpoint and WebLogic JARs

Copy the following JARs from the CA Identity Manager server to a local directory (of your choice) on the CA Identity Portal application server (in case of a CA Identity Portal cluster, copy these JARs to all the CA Identity Portal cluster nodes). This local folder will be referenced when configuring a CA Identity Manager connector in the CA Identity Portal Admin UI.

<SIGMA Install Folder>\workpoint-jars\{IM Version}\sigma-workpoint.jar

<Weblogic Server Home>\lib\wlthint3client.jar

<Weblogic iam_im.ear Deployment Folder>\APP-INF\lib\wpClient.jar

<Weblogic iam_im.ear Deployment Folder>\APP-INF\lib\wpCommon.jar

Example:

D:\Oracle\wlserver\server\lib

Workpoint Configuration in CA Identity Manager Connector

Configure the following parameters:

Workpoint Application Server: WebLogic

Workpoint client directory: <location of jar files>

Workpoint service user id: <weblogic admin console user>

Workpoint service user password: <weblogic admin console password>


Workpoint service url: t3://<weblogic admin server IP>:<weblogic admin server console port>

Isolation Mode: Checked

Workpoint service method: EJB

The following parameters should be left empty:

Workpoint user id

Workpoint user password

Other parameters should be configured according to your environment configuration.

For CA Identity Manager Running on WebSphere

Copy Workpoint JARs

Copy the following JARs from the CA Identity Manager server to a local directory (of your choice) on the CA Identity Portal application server (in case of a CA Identity Portal cluster, copy these JARs to all the CA Identity Portal cluster nodes). From the <WAS_SERVER_HOME>\WebSphere-ear\Identity Manager\WAS_IMr12.ear file, fetch the following JARs:

Library\wpCommon.jar

Library\wpClient.jar

Copy from the <SIGMA Install Folder>\workpoint-jars\{IM Version} folder the sigma-workpoint.jar.

Using the WAS Admin Console configure a "Shared Library" for the "sigma" application. Point the shared library to the library to which you copied the workpoint jars in the previous step.

Restart the WebSphere application server for the changes to take effect.

Workpoint Configuration in CA Identity Manager Connector

Configure the following parameters:

Workpoint Application Server: WebSphere

Workpoint service url: iiop://<websphere IM server IP>:<server bootstrap port, usually 2809>

Workpoint service user id: sigma

Workpoint service user password : any password

Isolation Mode: Checked

Workpoint service method: EJB

The following parameters should be left empty:

Workpoint client directory


Workpoint user id

Workpoint user password

Other parameters should be configured according to your environment configuration.

Modify WebSphere SSL Requirement for Workpoint Interface

In the WebSphere Admin Console, go to Security - Global Security - RMI\IIOP security.

Locate CSIv2 inbound communications and CSIv2 outbound communications.

Under CSIv2 Transport Layer, change Transport to SSL-Supported.

Restart the server.

Configuration for Supported Products

Contents

CA Identity Governance Connector Configuration

CA Advanced Authentication Connector Configuration

Okta Connector Configuration


CA Identity Governance Connector Configuration

Admin Name – service admin username for CA Identity Governance.

Admin password – service admin password for CA Identity Governance.

Server name – IG server IP address or FQDN.

Server port – IG server port.

GM server version – version of the connector; should match the version of IG. Versions supported: 12.5.07, 12.6.00, 12.6.01, 12.6.02

Universe name – Universe name to which the connector will connect.

Master configuration – master configuration under the universe.

Model configuration – model configuration under the universe.

Certification resource display field – the display field that is used in the IG universe to describe the resource. By default the display attribute will be the IG configuration. To control the display attribute, refer to the customization option in certification campaigns.

Certification role display field – the display field that is used in the IG universe to describe the role. By default the display attribute will be the IG configuration. To control the display attribute, refer to the customization option in certification campaigns.

Certification user display field – the display field that is used in the IG universe to describe the user. By default the display attribute will be the IG configuration. To control the display attribute, refer to the customization option in certification campaigns.

Is testing? – For internal usage.

CA Advanced Authentication Connector Configuration

Authentication

Authentication Host Name – Host name or the IP address of AuthMinder Server.

Authentication Port – Port number configured for the Transaction Web services protocol.

Transport – To enable the SSL communication between AuthMinder Issuance SDK and AuthMinder Server set this parameter to 1SSL or 2SSL. Note: If you change the transport mode to SSL, then you must restart AuthMinder Server.

Connection timeout – Maximum time in milliseconds before the AuthMinder Server is considered unreachable.

Read timeout – The maximum time in milliseconds allowed for a response from AuthMinder Server.

Authentication - more (optional)

Server CA Cert PEM Path – Path to CA certificate.

Client Cert Key P12 Path – Path to Client Certificate.

Client Cert Key Password – Password to Certificate.

Common

Max Active – Maximum number of connections allowed in the pool from the SDK to the AuthMinder Server.

Max Idle – The maximum number of idle connections allowed in the pool from the SDK to the AuthMinder Server.

Maximum Wait Time (In Millis) – The maximum amount of time (in milliseconds) that a request will wait for the connection. Default -1 indicates that the thread will wait for infinite time.

Minimum Evictable Idle Time (In Millis) – The minimum amount of time a connection might be idle in the pool before it is evicted by the idle connection evictor (if any).

Time between Eviction Runs (In Millis) – The amount of time in milliseconds to wait before checking the pool to evict the idle connections.

General

User organization – the organization in AuthMinder the connector is associated with.

Issuance

Issuance Host Name – Host name or the IP address of AuthMinder Server.

Issuance port – Port number configured for the Transaction Web services protocol.

Transport – To enable the SSL communication between AuthMinder Issuance SDK and AuthMinder Server set this parameter to 1SSL or 2SSL. Note: If you change the transport mode to SSL, then you must restart AuthMinder Server.


Connection timeout – Maximum time in milliseconds before the AuthMinder Server is considered unreachable.

Issuance – more

Server CA Cert PEM Path – Path to CA certificate.

Client Cert Key P12 Path – Path to Client Certificate.

Client Cert Key Password – Password to Certificate.

Password complexity

Minimum password length – The minimum number of characters for the auto-generated password.

Maximum password length – The maximum number of characters for the auto-generated password.

Minimum alphabetic characters – Minimum alphabetic characters for the auto-generated password.

Minimum numeric characters – Minimum numeric characters for the auto-generated password.

Minimum special characters – Minimum special characters for the auto-generated password.
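The five Password complexity settings above only make sense together (the minimum counts must fit inside the maximum length), and an auto-generated password has to satisfy all of them at once. This added example, which is not CA Identity Portal code, models such a policy: it rejects inconsistent settings, generates a password from the CSPRNG in `secrets` that meets every minimum, and checks an arbitrary password against the policy. The class and function names are assumptions for illustration.

```python
"""Added example (not CA Identity Portal code): an auto-generated password
policy built from the five Password complexity settings (min/max length,
minimum alphabetic, numeric and special characters)."""
import secrets
import string
from dataclasses import dataclass

# Character classes; the special set is an assumption for the example.
ALPHA = string.ascii_letters
DIGITS = string.digits
SPECIAL = "!@#$%^&*()-_=+"


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int
    max_length: int
    min_alpha: int
    min_numeric: int
    min_special: int

    def validate(self) -> None:
        """Reject settings that no password could ever satisfy."""
        if self.min_length <= 0 or self.max_length < self.min_length:
            raise ValueError("length bounds are inconsistent")
        if min(self.min_alpha, self.min_numeric, self.min_special) < 0:
            raise ValueError("minimum counts cannot be negative")
        if self.min_alpha + self.min_numeric + self.min_special > self.max_length:
            raise ValueError("sum of minimum counts exceeds maximum length")

    def complies(self, password: str) -> bool:
        """True if the password meets every requirement of this policy."""
        n_alpha = sum(c in ALPHA for c in password)
        n_digit = sum(c in DIGITS for c in password)
        n_spec = sum(c in SPECIAL for c in password)
        return (self.min_length <= len(password) <= self.max_length
                and n_alpha >= self.min_alpha
                and n_digit >= self.min_numeric
                and n_spec >= self.min_special)


def generate_password(policy: PasswordPolicy) -> str:
    """Generate a password that complies with the policy.

    The length is the minimum length, raised if the minimum counts need
    more room; validate() guarantees that this never exceeds max_length.
    """
    policy.validate()
    length = max(policy.min_length,
                 policy.min_alpha + policy.min_numeric + policy.min_special)
    # Satisfy each minimum first ...
    chars = ([secrets.choice(ALPHA) for _ in range(policy.min_alpha)]
             + [secrets.choice(DIGITS) for _ in range(policy.min_numeric)]
             + [secrets.choice(SPECIAL) for _ in range(policy.min_special)])
    # ... then fill the rest from the full pool.
    pool = ALPHA + DIGITS + SPECIAL
    chars += [secrets.choice(pool) for _ in range(length - len(chars))]
    # Shuffle so the required classes are not at predictable positions.
    secrets.SystemRandom().shuffle(chars)
    password = "".join(chars)
    assert policy.complies(password)   # sanity check on the generator itself
    return password


if __name__ == "__main__":
    policy = PasswordPolicy(min_length=12, max_length=16,
                            min_alpha=4, min_numeric=2, min_special=1)
    print(generate_password(policy))
```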

Okta Connector Configuration

General

App key – shared key to access the Okta API. Can be extracted from the Okta admin interface, under API management.

Url – The URL for API calls.

Matching field – The user attribute that should be used as the user id parameter for the Okta connector. Usually email.

Category – The category to which Okta apps are associated in the application Launchpad.

Access Catalog

When an identity management solution grows, organizing the structure of the entitlements becomes a challenge. To address that process, a flexible structure needs to be deployed, which will enable users to quickly and easily locate the entitlements they need.

The CA Identity Portal Permission Model consists of the following entities:

Application groups

Applications

Permissions

Role Groups

Roles

Permission Tree

The basic entity is the permission entity. A permission is the business representation of the entitlement the user requests. Once a permission is requested, CA Identity Portal translates this business representation to the technical entitlements – the target permissions (refer to the Target Permissions section for more information on creating target permissions).

The following rules define the permission model:

A permission can be linked to many target permissions. Example: The permission "Internet Access" can consist of several technical entitlements, such as DMZ access, Soft Token account and corporate LAN access.

A target permission can be linked to many permissions. Example: Active Directory Group membership, which can be a provisioning role in an IM solution and can be linked to several business permissions such as Network Access, Security Admins etc.


Permission can be linked under another permission. In this case the permission will have a parent-child relationship. This relationship will ensure that a child permission cannot be granted without requesting/having the parent permission. This situation is common in profile-based applications. The basic access to the application is defined as the parent permission, while the specific profile/role in the application is defined as child permissions or sub-permissions. This behavior is enforced when defining the cart to behave in strict mode (refer to strict_mode in UI Configuration).

Every permission must be linked to an application. A permission cannot be linked to more than one application.

Application can contain multiple permissions.

A group of applications contains one or more applications.

There is no limit to the depth of child permission nesting in the permission model. In essence every child permission of a permission can have its own child permissions, and so on.

Permissions can be grouped in a group of permissions. Grouping permissions together means they are mutually exclusive (only one can be selected during an access request). The target user (that is, the user for whom the request is made) may have only one of those permissions.
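The rules above (one application per permission, many-to-many links to target permissions, parent-child nesting of any depth enforced in strict mode, and mutually exclusive permission groups) can be checked mechanically at cart check-out. This added example, which is not CA Identity Portal code, models the permission tree and validates a cart against those rules; the "Internet Access" sample tree and all class and function names are constructed for illustration.

```python
"""Added example (not CA Identity Portal code): a model of the permission
rules -- parent/child nesting, one application per permission, mutually
exclusive groups, business-to-target translation -- with a strict-mode cart
check that refuses a child permission unless its parent is held or in cart."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set


@dataclass
class Permission:
    name: str
    application: str                 # every permission belongs to exactly one application
    parent: Optional[str] = None     # parent permission name when nested (any depth)
    group: Optional[str] = None      # mutually exclusive permission group, if any
    targets: Set[str] = field(default_factory=set)  # linked target permissions


class PermissionModel:
    """Holds the tree and enforces the rules on insertion and at cart check-out."""

    def __init__(self) -> None:
        self._perms: Dict[str, Permission] = {}

    def add(self, perm: Permission) -> None:
        if perm.name in self._perms:
            raise ValueError(f"duplicate permission {perm.name!r}")
        if perm.parent is not None:
            parent = self._perms.get(perm.parent)
            if parent is None:
                raise ValueError(f"unknown parent {perm.parent!r}")
            # a sub-permission cannot live in a different application than its parent
            if parent.application != perm.application:
                raise ValueError("child must belong to its parent's application")
        self._perms[perm.name] = perm

    def ancestors(self, name: str) -> List[str]:
        """Parent chain from the nearest parent up to the root; nesting is unbounded."""
        chain: List[str] = []
        cur = self._perms[name].parent
        while cur is not None:
            chain.append(cur)
            cur = self._perms[cur].parent
        return chain

    def target_permissions(self, names: Iterable[str]) -> Set[str]:
        """Translate business permissions into the technical target permissions."""
        out: Set[str] = set()
        for n in names:
            out |= self._perms[n].targets
        return out

    def validate_cart(self, requested: Iterable[str], held: Iterable[str] = (),
                      strict: bool = True) -> List[str]:
        """Return the list of violations for a cart; an empty list means it is valid."""
        problems: List[str] = []
        requested = set(requested)
        effective = requested | set(held)   # what the target user will end up with
        for name in sorted(requested):
            if name not in self._perms:
                problems.append(f"{name}: unknown permission")
                continue
            if strict:   # strict_mode: a child needs its parent held or in the same cart
                for anc in self.ancestors(name):
                    if anc not in effective:
                        problems.append(f"{name}: requires parent {anc}")
        seen: Dict[str, str] = {}   # group name -> first member encountered
        for name in sorted(effective):
            grp = self._perms[name].group if name in self._perms else None
            if grp is None:
                continue
            if grp in seen:
                problems.append(f"{name}: conflicts with {seen[grp]} in group {grp}")
            else:
                seen[grp] = name
        return problems


def build_sample_model() -> PermissionModel:
    """Constructed sample tree: the 'Internet Access' example above with two
    nested VPN profiles that are mutually exclusive (group 'vpn')."""
    m = PermissionModel()
    m.add(Permission("Internet Access", "Network",
                     targets={"DMZ access", "Soft Token account", "corporate LAN access"}))
    m.add(Permission("Proxy Bypass", "Network", parent="Internet Access",
                     targets={"AD group: proxy-bypass"}))
    m.add(Permission("VPN Basic", "Network", parent="Internet Access", group="vpn",
                     targets={"AD group: vpn-users"}))
    m.add(Permission("VPN Full", "Network", parent="Internet Access", group="vpn",
                     targets={"AD group: vpn-users", "AD group: vpn-admins"}))
    return m


if __name__ == "__main__":
    model = build_sample_model()
    print(model.validate_cart(["VPN Basic"]))                       # parent missing
    print(model.validate_cart(["Internet Access", "VPN Basic"]))    # valid: []
```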

Managing the permissions model

CA Identity Portal allows the administrator to draw the permission model in the way it will be presented to user.

Follow these steps:

1. Click Access Catalog, Entitlement Tree. The left panel contains the Group of Applications and Applications.

2. To create a new group of applications click on Create - Create Group. A new group will be displayed. Double-click on it to rename.

3. To create an application under the group of applications, select the group and click Create - Create Application.

4. To create a permission, select the application in the left panel and click Create - Create Permission in the middle panel.

5. To create a group of permissions click on the application and click Create - Create Group in the middle panel.

6. To add permissions to a group click and select the group name to add a permission under it.

7. To create nested permissions, either create a permission while selecting the parent permission, or create the permission and drag and drop it under the parent permission.

8. Click Save to commit these changes (unsaved changes will be displayed in red).

You can rearrange the list of applications in the Entitlement Tree. Click Save to save the changes made to the Entitlement Tree.


Note: You can have only one level of hierarchy in the right pane. You can have more than one level of hierarchy in the middle pane.

Connecting Permission to Target Permission

1. Click Access Catalog, Entitlement Tree.

2. Select the permission you wish to connect.

3. Once a permission is selected the right panel will display the list of available target permissions in the system (refer to the Target Permissions section for more information on creating target permissions). Check the target permission you wish to connect the permission to.

4. Click Save to commit these changes.

Configuring Entity Properties

CA Identity Portal enables administrators to enrich the permission tree with additional information in order to provide end-users more information about the permissions. This is used to help end-users finding the correct entitlement they wish. The information will be displayed with a small Info icon next to the entity.

To configure this additional information:

1. Select the application or permission and click on the Properties tab in the right panel.

2. Enter property key and value, for example: Key=Description, Value=This permission requires a security administrator to approve.

3. Click Save to commit these changes.

Roles

A CA Identity Portal role is a group of permissions which defines an organizational role.

CA Identity Portal roles are suggestive roles that will be displayed to the end user during an access request by role.

A group of roles contains one or more roles.

Managing the roles model

The roles model tree is managed in a very similar way to the permissions model.

1. Click Access Catalog, Roles. The left panel contains the Group of Roles and Roles.

2. To create a new group of roles click on Create Group. A new group will be displayed. Double-click on it to rename.

3. To create a role under the group of roles, select the group and click Create Role.

4. Click Save to commit these changes (unsaved changes will be displayed in red).


Connecting roles to permissions

1. Click Access Catalog, Roles.

2. Select the role you wish to connect.

3. Once a role is selected the right panel will display the list of available permissions from the permission tree (refer to the Permission Tree section for more information on creating permissions). Check the box next to the permissions you wish to connect to the role.

4. Click Save to commit these changes.

Suggest Additional Entitlements

Suggestions are prompted to the user while creating an Access Request according to the rules defined in the Admin UI.

Example: If an access request is raised for a laptop, then suggestions for a mouse, monitor, or a keyboard can also be displayed.

Create suggestions in Admin UI for a target permission and define specific rules for each suggestion. When an access request is raised and if a relevant suggestion is created already, the suggestion is displayed at the bottom of the Access page in the CA Identity Portal. Add the required entitlements from the suggestion to the cart and check out to add the entitlements to the access request.

Follow these steps:

1. Log in to the Admin UI.

2. Click Access Catalog, Suggestions.

3. Click New Suggestion.

4. Specify a name for the suggestion. The Tag value is populated automatically.

5. Enter a message that describes the suggestion in detail. The description helps the user decide whether to accept the suggestion.

6. Click Add Permissions to add one or more permissions that you want to add to the suggestion.

7. Select the permissions that you want and click save.

8. Use the filters as required to define the condition on which the suggestion should be displayed in the CA Identity Portal.

9. Click Save.

Administration

General Configurations

General configuration attributes for CA Identity Portal's infrastructure:

Second Factor Enabled – Select this option to enable all second factor capabilities.


Enable Risk – Whether the Risk feature is enabled for CA Identity Portal. True/False.

Enable SSO – Whether CA Identity Portal is CA SSO protected. True/False. Note: Changing this parameter requires a restart of all cluster servers.

Require Second Factor on Login - Use this functionality to request a 2nd factor authentication immediately after a user logs in to the system. Note: A user with no second factor authenticator will not be able to log in to the system.

Debug Mode – The CA Identity Portal client application is available in two modes:

minified mode - All JavaScript and CSS files are merged into one file.

regular mode - All files are downloaded in their original state to the browser.

By default, debug mode is not enabled and CA Identity Portal operates in minified mode, which is optimal for performance.

FileUpload Root – The Directory to where files will be uploaded.

IM USER – Set a user name that can be used by IM in external calls to CA Identity Portal (this is not an actual user in IM).

IM USER Password – Set a password for the IM user to be used in external calls from IM to CA Identity Portal.

Client Logging

Logging interval – The interval in seconds which the client sends the logs.

Logging level – The Log level from 1 to 4 on which the client should work.

Logging users – The user IDs for which client logging is required. The client will only send logs if the user's ID matches one of these.

Logout URL – The URL to be used when users log out of CA Identity Portal. The following default CA Identity Portal page can be configured, if required:

../app/login.html

MAX Requests to Fetch – Maximum number of requests that CA Identity Portal will fetch when users go to My Requests or Tasks.

Max Upload Size – Max size for file attachments in CA Identity Portal. Note: Changing this parameter requires a restart of all cluster servers.

Plugin Dir – The Directory where CA Identity Portal will look for custom code plugins.

Risk Rule Thresholds – Reserved for future use.

Risk Rule Thresholds Names - Reserved for future use.

SSO User ID header – The CA SSO header which contains the universeId used to authenticate to CA Identity Portal.

Temp file lifetime – The time period for which CA Identity Portal keeps temporary files. Temporary files are defined as files that have been uploaded in a form but not submitted.


Enable statistics cleaner - Whether to delete old statistics data that is no longer relevant due to changes in the configurations. If this attribute is not checked, the data: 1) will be marked for deletion, 2) will not be visible in Identity Portal, 3) will not be deleted from the database.

Enable status puller - Whether or not to enable the IM puller mechanism. The puller mechanism queries IM periodically (every 25 seconds) for any task status updates and updates the request statuses in the Identity Portal. When using older versions of IM (older than 12.6.8), this check-box should be disabled.

Enable Analytics - Controls whether analytics data will be collected for the entire system.

Day of the week - Controls the first business day of the week used by the analytics module.

Default behavior for data collection - Controls data collection for all permissions and module actions whose analytics collection state is set to "default behavior".

Cache

CA Identity Portal has multiple types of caches for various elements, used to improve performance and reduce the load on the database. During regular system operation these caches should not be changed or cleared. You can use this section to clear the various caches that are used in CA Identity Portal.

Customizing Cache properties

The portal uses built-in cache definitions to enhance performance.

To customize the various Portal cache properties (like cache size and eviction times), a sample Infinispan cache properties file is supplied with the installation.

To use the sample file instead of the built-in cache properties, modify the Portal application server JVM startup and add the following JVM parameter:

-Dsigma.infinispan.configuration.location=file:<full path to the sample Infinispan cache properties file>

Example: If the portal is installed in "D:\CA" the JVM parameter will be as follows:

-Dsigma.infinispan.configuration.location=file:D:\CA\SIGMA\Config\infinispan-config-sample.xml

To update the JVM parameter when the Portal is installed on Tomcat on Windows, modify the Tomcat JVM options using the Tomcat Monitor Utility:


Search Request

The Search request tool allows the administrator to enter a CA Identity Portal request ID and get the backend details of the request, including the task session ID of the connector task triggered by CA Identity Portal. This is mainly useful for debugging purposes, for example if there was an issue during a provisioning process for a request and the administrator needs to identify which task was triggered on the connector.

Follow these steps:

1. Go to the Administration - Search request tab.

2. Enter the Request ID and click Search.

3. Details of the request are displayed, if they exist.

4. The "backendRequestId" holds the task session ID on the connector. Select it to display it next to the search button.

5. The task session ID can now be copied and searched for in the backend system.

Export

The export tool allows the administrator to export the objects configured in CA Identity Portal to text files in JSON format. The administrator can either select to export all objects or check specific objects to be exported.

This tool is useful for backup and migration purposes. A solution can be developed in a low environment and then exported so that it can be imported to a higher environment.

Follow these steps:

1. Go to the Administration - Export tab.

2. To export all available objects, click Select All on the bottom left side of the screen.

3. To selectively export objects, select the object type on the left and then select the specific object(s) in the middle section.


4. The "Export Cart" on the right shows the list of selected objects to be exported.

5. Click Export.

Import

The import tool allows the administrator to import CA Identity Portal objects from text files in JSON format. Administrators can import files exactly as they were exported from another environment or they can modify the files or even create their own files and import them.

This tool is useful for restore and migration purposes. A solution can be developed in a low environment and then exported so it can be imported to a higher environment.

This is also useful for development purposes. For example, if a large amount of target permissions need to be configured, then you can configure just one, export it to get a good understanding of the expected format, then write some automation to generate a file with all the new target permissions. Then use the import tool to import them into the development environment.

Follow these steps:

1. Go to the Administration - Import tab.

2. Click Choose File and select a file in the correct format from your file system. CA Identity Portal shows the list of identified objects to be imported.

3. Click Import. If the object(s) already exist in CA Identity Portal, a warning message is displayed. You can either close to discard the import or click Approve all and try again.

Notify Release

This tool is used to release notifications to CA Identity Portal from external systems that were not successful (for example, if there was a network issue at the time and now the CA Identity Portal request is pending).

This is useful in the scenarios that combine onboarding and access request which require a step to notify CA Identity Portal that the first step completed and it can continue with the second one.

Exercise caution while using this tool so that you don't accidentally release and notify the wrong request!

Performing a Notify Release

1. Go to the Administration - Notify Release tab.

2. Enter the following parameters:

a. Username - Username for CA Identity Portal notifications. The username can be found under General tab -> IM USER.

b. Password - Password for the CA Identity Portal notifications user.

c. Request Id - The backend Request ID of the onboarding task, not the CA Identity Portal request ID. The backend request ID (task session ID) can be found using the search request tool.


d. Request status for release – The expected request status after the release.

e. User Ids – Fill in user id(s) separated by commas. These are the users for whom the access request will continue.

f. File Upload – If the notification should include a file (for example with users that were created during the onboarding), then upload a file here.

3. Click Submit.

Advanced Authentication

CA Identity Portal provides an integration with CA Advanced Authentication. The integration offers several capabilities:

Users can request access for themselves or for other users for 2nd factor authenticators.

Once a user has been granted the 2nd factor authenticator, he can issue (register) the authenticator from CA Identity Portal. For example, if a user has been granted the QnA authenticator, he can register his Questions and Answers through CA Identity Portal.

The CA Identity Portal administrator can define that several operations within CA Identity Portal will require 2nd factor authentication. These operations include:

Access Request Permissions.

Module Actions.

Login

Activation/Registration of an authenticator – This capability is intended to protect the process of registration by requesting a strong authenticator.

When a user selects one of these elements that require a 2nd factor, he will be challenged to authenticate using one of his active 2nd factor authenticators.

All second factor authenticators are equal in their precedence, therefore authenticating through one type of second factor is equal in strength to authenticating with another. Once a user has authenticated using his 2nd factor authenticator, he will not be requested to use that authenticator again throughout his session.

Pre-requisites:

CA Advanced Authentication solution deployed

CA Advanced Authentication connector in CA Identity Portal configured; refer to Connector Configuration for more information.

Second Factor enabled under General Configurations

Authenticators

There are 4 types of available authenticators from CA Advanced Authentication: ArcotID PKI, OTP, QNA, User Password. In order to configure an authenticator:

1. Go to the Security - Authenticators tab.


2. Click on New Authenticator.

3. Give the authenticator a name; the tag is auto populated.

4. Select the Advanced Authentication connector.

5. Select the type of authenticator.

6. If second factor is required for the activation of this authenticator, then check the box for "Require second factor for activation".

7. Save.

Note: The Arcot ID authenticator requires 3 files from the Arcot server to be placed in the CA Identity Portal resources folder under a sub folder called ARCOT. The 3 files are arcotclient.js, ArcotIDClient.swf and ArcotApplet.jar. The JAR and SWF files can be fetched from the Arcot sample application under the \webfort-7.1.01-sample-application\client folder. The JavaScript file can be located in the Arcot sample application under the \webfort-7.1.01-sample-application\javascript folder.

In order to request authenticators they need to be added as target permissions and mapped to the entitlements tree. To configure a target permission, select the CA Advanced Authentication connector from the connectors list and select the desired authenticator in the "name" field. In the rules section of the target permission, check the box next to the desired form functions (for example, add and remove). You do not need to configure or select a form.

Authentication Rules

If it is required that the end user enters a second factor authentication while requesting access, it can be defined as an authentication rule. In order to configure an authentication rule:

1. Go to the Security - Authentication Rules tab.

2. Click on New Rule.

3. Give the rule a name; the tag is auto populated.

4. Select the permissions or module actions on which you'd like second factor to be used.

5. Conditions can be applied on the authentication rule so that it's not applicable to all users (the default is always).

6. Save.

Second Factor on Login

Use this functionality to request a 2nd factor authentication immediately after a user logs in to the system. To enable this functionality select Require Second Factor On Login under General Configurations.

Analytics Dashboard

This release of CA Identity Portal provides an analytics dashboard to view the statistics related to an entitlement. You can view the statistics for an entitlement for a specific period.


The analytics dashboard provides details such as the average SLA (in hours) and the number of requests, in graphical format, for an entitlement over the selected date range. Use the Analyze button to view additional parameters such as Requester's Region and Requestee's Department in graphical format.

This article contains the following sections:

Access the Analytics Dashboard

Configure the System for Data Collection

Understanding Analytics Views

Create an Analytics View

Associate Analytics View to a Permission or Module Action

Access the Analytics Dashboard

You can access the analytics dashboard from the home page of the CA Identity Portal UI.

Follow these steps:

1. Log in to the CA Identity Portal UI.

2. Click Analytics above the menu.

3. Enter a process name for which you want to view the data. Example: Network Access

4. Select the date range.

5. Click Go. All charts related to the selected process are displayed.

6. If necessary, click the Sub process dropdown to select related sub processes.

7. Use the options above the chart to change the units, to change the view, and to export the data.

8. Click Analyze to get more detailed charts for the selected process.

9. Click Workflow to view the complete workflow of the selected process.

10. Click any approver in the workflow diagram to view more details of all the approvers.

Configure the System for Data Collection

By default, CA Identity Portal does not collect statistical data on permission or module actions. Enable the configuration options using the Admin UI to collect the statistics.

Configure directly on the permission or module action.

Permission

a. Navigate to the Access Catalog, Entitlement Tree.

b. Locate the desired permission.

c. In the right panel, click Analytics Views.

d. Click Select Analytics.


e. Using the state attribute, select whether to enable, disable, or use the system default configuration.

Module Action

a. Navigate to the relevant module and locate the module action.

b. Click Select Analytics.

c. Using the state attribute, select whether to enable, disable, or use the system default configuration.

Elements that are configured with state as "default behavior" collect data only according to the system behavior. To configure the system behavior, do the following:

1. Log in to the Admin UI.

2. Click Administration, General Configurations.

3. Update the value in the Default behavior for data collection dropdown as required. If set as Enabled, data is collected for all permissions and module actions that are configured with "default behavior".

Understanding Analytics Views

Upon every request, CA Identity Portal evaluates the request and based on the configuration decides whether to collect statistical data.

If the system is configured to collect data on an element in a request (permission or module action), then the system collects the Average SLA, Max SLA, Min SLA, and Number of executions for requests containing that element. An administrator can choose to collect the data based on a specific "view".

For example, in an organization that has a process that creates contractors in place, an administrator can see in the analytics dashboard how many requests were performed by each department and the average SLA for each of these departments. To view the data, configure an Analytics View which points to where the department information is located in the Create Contractor request.

You can create an Analytics View based on one of the following elements:

Information from the requester attributes. Example: The department the requester is associated to, the requester's title, and so on.

Information from the subject of the request. Example: The city of the target user.

Information from attributes in the form of the request (Form Property).

When configuring Analytics View, the following needs to be configured:

The permission or module action on which the Analytics View needs to be collected.

The element in the request from which the information should be collected.


The name which describes that information.

Following are some examples of Analytics Views:

Based on the requester’s department.

Based on the Computer Brand specified in the form in the attribute %BRAND%.

Based on the target user country.

Apply to all

Use this option to associate the Analytics View with all permissions and module actions in the system. If enabled, this view cannot be linked specifically to a permission or module action, since it is already applied to all elements.

In case a form is used extensively by many elements in the system, associate the Analytics View with the form property on that form to apply to all permissions or module actions using that form.
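The collection decision described in this section has two parts: whether an element collects at all (its own state, or the system default when it is set to "default behavior"), and which view the collected requests are grouped by (a requester attribute, a subject attribute or a form property, optionally applied to all elements). This added example, which is not CA Identity Portal code, models both and computes the Average, Max and Min SLA and the number of executions per view value from a constructed list of completed requests; the request fields, view fields and sample data are assumptions for illustration.

```python
"""Added example (not CA Identity Portal code): resolving the analytics
collection state of an element and aggregating SLA statistics per
Analytics View value (e.g. requester department) over sample requests."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

ENABLED, DISABLED, DEFAULT = "enabled", "disabled", "default behavior"


def should_collect(element_state: str, system_default_enabled: bool) -> bool:
    """An element set to 'default behavior' follows the system-wide setting."""
    if element_state == ENABLED:
        return True
    if element_state == DISABLED:
        return False
    if element_state == DEFAULT:
        return system_default_enabled
    raise ValueError(f"unknown analytics state {element_state!r}")


@dataclass(frozen=True)
class Request:
    element: str               # permission or module action name
    element_state: str         # ENABLED / DISABLED / DEFAULT for that element
    requester: Dict[str, str]  # requester attributes (department, title, ...)
    subject: Dict[str, str]    # attributes of the target user (city, country, ...)
    form: Dict[str, str]       # form properties, e.g. "%BRAND%"
    sla_hours: float           # time from submission to completion


@dataclass(frozen=True)
class AnalyticsView:
    name: str
    source: str                # "requester", "subject" or "form"
    attribute: str             # which attribute of that source to group by
    apply_to_all: bool = False
    elements: frozenset = frozenset()   # elements the view is linked to (max 2 per element)

    def applies_to(self, element: str) -> bool:
        return self.apply_to_all or element in self.elements

    def value(self, req: Request) -> Optional[str]:
        """The grouping value for this request, or None if the attribute is absent."""
        return getattr(req, self.source).get(self.attribute)


@dataclass
class Stats:
    executions: int = 0
    total_sla: float = 0.0
    max_sla: float = float("-inf")
    min_sla: float = float("inf")

    @property
    def average_sla(self) -> float:
        return self.total_sla / self.executions if self.executions else 0.0


def aggregate(requests: Iterable[Request], view: AnalyticsView,
              system_default_enabled: bool = False) -> Dict[str, Stats]:
    """Average/Max/Min SLA and execution count per view value, honouring the
    collection state of each request's element."""
    out: Dict[str, Stats] = defaultdict(Stats)
    for req in requests:
        if not should_collect(req.element_state, system_default_enabled):
            continue
        if not view.applies_to(req.element):
            continue
        key = view.value(req)
        if key is None:
            continue                   # attribute not present in this request
        s = out[key]
        s.executions += 1
        s.total_sla += req.sla_hours
        s.max_sla = max(s.max_sla, req.sla_hours)
        s.min_sla = min(s.min_sla, req.sla_hours)
    return dict(out)


# Constructed sample data for the "Create Contractor" process described above.
SAMPLE_REQUESTS = [
    Request("Create Contractor", DEFAULT, {"department": "IT"}, {"city": "Austin"}, {}, 4.0),
    Request("Create Contractor", DEFAULT, {"department": "IT"}, {"city": "Boston"}, {}, 10.0),
    Request("Create Contractor", DEFAULT, {"department": "HR"}, {"city": "Austin"}, {}, 2.5),
    Request("Network Access", DISABLED, {"department": "HR"}, {"city": "Austin"}, {}, 1.0),
]
BY_DEPARTMENT = AnalyticsView("Requester department", "requester", "department",
                              elements=frozenset({"Create Contractor"}))
BY_CITY = AnalyticsView("Target user city", "subject", "city", apply_to_all=True)

if __name__ == "__main__":
    for dept, s in aggregate(SAMPLE_REQUESTS, BY_DEPARTMENT, True).items():
        print(dept, s.executions, s.average_sla, s.max_sla, s.min_sla)
```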

Create an Analytics View

Use the Admin UI to create an Analytics View.

Follow these steps:

1. Log in to the Admin UI.

2. Click Environment, Analytics Views.

3. Click New Analytics View.

4. Specify a name.

5. If necessary, select Apply All.

6. Select Enabled to enable the Analytics View immediately after creation. You can enable the same at a later time too.

7. Select from the drop-down the condition based on which this Analytics View has to be created.

8. Click Save. The Analytics View is created. You can select the Analytics View for a specific entitlement from the Entitlement Tree in the Admin UI.

Associate Analytics View to a Permission or Module Action

To track the information related to a permission or a module action, associate the analytics view to a permission or module action.

Follow these steps:

1. Log in to the Admin UI.

2. Click on Access Catalog, Entitlement Tree.

3. Click on the desired permission.


On the right panel, select Analytics Views.

Click Select Analytics.A list of the available Analytics Views in the system are displayed.

If the desired view does not exist, click Create New Analytics View to create one.

Note: Views that cannot be linked to the permission are filtered out automatically.

Check the views that you would like to associate with the permission (maximum: 2).

Click Save.

Apps

In most organizations a user has access to multiple applications. Using links, CA Identity Portal enables building a Launch Pad to easily access these applications. Each link contains the information required for presenting, managing and redirecting to that application.

Apps configuration contains the following elements:

Name – the name of the application the link refers to. This is the display name of the application.

URL – the URL used to connect to the application. This value can either be static or depend on a link that exists in the backend, for example a launch role task that exists in Identity Manager.

Picture – the icon uploaded for the App.

Condition (optional) – display the link only if the user has either:

Specific permission

Specific Profile.

Configure New App

Switch to the Environment - Apps tab. Click Add Link to create a new link.

Enter a Name for this App.

Select the source of the link. Use Backend Link to select from the links that exist in your configured connector. Use Custom Link to define the URL for this link yourself.

Upload an icon for the App.

Define a category for the App.

Configure the condition in which this link is available to the user. Either select Always to always show it to all users (if using a backend link, the user must have this link available in the backend system), or select Conditional if the link depends on the existence of a permission or a profile.

Backend Management

This section covers the basic components of CA Identity Portal that have a direct link to its connectors.

In CA Identity Manager, for example, the core components are attributes, screens, tasks, groups and provisioning roles. CA Identity Portal triggers, assigns and sets those components, and in Backend Management the administrator configures how those objects are represented in CA Identity Portal.

Configure the backend management objects in the following order, as they reference each other:

Tasks (CA Identity Portal tasks link to connector tasks)

Forms (CA Identity Portal forms link to CA Identity Portal tasks)

Target Permissions (CA Identity Portal Target Permissions link to CA Identity Portal Forms)

Note: Target Permissions are only required to be configured for access requests and not for other modules (such as onboarding and registration).

Endpoints are also configured in Backend Management but are independent of the tasks/forms/target permissions configuration. Endpoint configuration gives CA Identity Portal a direct link to IM endpoints.

Task Configuration

In essence, tasks are IAM/IAG procedures accessible through the connector's API. Each connector interacts with an external system using a public API; the API procedures are the way to execute business logic in that system. CA Identity Portal defines tasks as the repository of API calls that can be used to define the business logic. The task name defines the API function that is triggered.

When building the implementation, the administrator defines the various API procedures that must exist in CA Identity Portal in order to request target permissions or perform other actions in the system.

Configuring Tasks

Switch to the Backend Management - Tasks tab. The configured Tasks are displayed.

Click New Task to add a new task.

Select the Connector which is associated with the target permission. The tasks exposed for that connection will be available in the Name parameter.

Note: In order for a CA IM task to be available to CA Identity Portal it needs to be exposed to TEWS (Web Service). Refer to the CA IM bookshelf for additional information on exposing tasks to TEWS.

To select a task, start typing the name of the task tag as it is configured on the selected connector endpoint.

Note: If this task is intended to be triggered in bulk it needs to be a bulk loader task in the connector endpoint.

Upon selection the tag is auto-populated.

Description is optional but recommended, in order to identify what the task's functionality is.

Complete the task configuration:

additionOperation/removalOperation – for details see Assigning a Target Permission.

Select directChange to use a direct action (CA Identity Portal will perform the assignment/removal of the permission).

Note: When using directChange in a task to assign a target permission of type Provisioning Role or Group, the provisioning role/group tab cannot be configured to manage administrators. To remove administrators management in a tab, click the tab edit button and uncheck the "manage administrators" and "display administrators" options.

Select Task for an indirect action (CA Identity Portal will trigger a task that is responsible for the assignment/removal of the permission).

Refer to Target Permissions for more information.

IsBulkTask – select true if the task is a bulk task. Note: If a task is configured as a bulk task it can still be used for single users, but in the backend it will always run in bulk mode.

BulkConf – defines the configuration used to create the bulk file to be executed. This configuration holds the mappings between the actions and the task names to be executed in the IM connector, so that CA Identity Portal can build the correct bulk load file. BulkConf requires:

Action name – the name of the action that will be set in the bulk loader file (for example: add_role). Important: this parameter must start with a lower-case letter.

Task name – the name of the task that IM will trigger for the above action (for example: Modify User).

Operations – Select the target permission and the action allowed for it (Add, Modify or Delete).

Mappings – type in any additional attributes you would like to send in the bulk loader file. The first parameter is the attribute in the triggered task that will accept the value, and the second parameter is the value to be sent. Use well-known values or physical values in this field. The second parameter can be one of the following options:

Static value - for example "IT".

Form Attribute value – a value fetched from one of the request forms; use braces to encapsulate the attribute, such as "{Department}" to fetch the value of the Department form attribute.

Target Permission value – use one of the following: TP_NAME for the target permission name, TP_VALUE for the target permission value, TP_TYPE for the target permission type.

Note: BulkConf is applicable to bulk tasks only (if IsBulkTask is set to true).

Click Save to finish the configuration.
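The following is an added example and is not part of this documentation or of the CA Identity Portal product. It resolves the Mappings of a BulkConf entry into the attribute values that would go into one bulk loader row, using the three value kinds listed above: a static value, a {FormAttribute} reference, and the TP_NAME / TP_VALUE / TP_TYPE tokens. The layout of the bulk loader file itself is not described here, so the example stops at a resolved key/value object. It also enforces the lower-case rule for the action name and refuses to emit a row when a referenced form attribute has no value, rather than sending an empty value to the backend task. The sample BulkConf, form values and target permission object are constructed for illustration; the field names of the target permission object (name, value, type) are an assumption.

```javascript
'use strict';

// Token names from the page mapped to the assumed fields of a target
// permission object.
const TP_TOKENS = { TP_NAME: 'name', TP_VALUE: 'value', TP_TYPE: 'type' };

// A form attribute reference is the attribute name wrapped in braces.
const FORM_REF = /^\{([^{}]+)\}$/;

// Resolve one mapping value: TP_* token, {FormAttribute} reference, or static.
function resolveMappingValue(raw, formValues, targetPermission) {
  if (Object.prototype.hasOwnProperty.call(TP_TOKENS, raw)) {
    return targetPermission[TP_TOKENS[raw]];
  }
  const m = FORM_REF.exec(raw);
  if (m) {
    const attr = m[1];
    const v = formValues[attr];
    if (v === undefined || v === null || v === '') {
      // Fail closed: an empty value in the bulk file could clear or
      // mis-set the attribute on every user in the batch.
      throw new Error('form attribute "' + attr + '" has no value; refusing to emit an empty bulk value');
    }
    return v;
  }
  return raw; // static value such as "IT"
}

// Build the resolved row for one BulkConf entry.
function buildBulkRow(bulkConf, formValues, targetPermission) {
  if (!/^[a-z]/.test(bulkConf.actionName)) {
    throw new Error('BulkConf action name must start with a lower-case letter: ' + bulkConf.actionName);
  }
  const row = { action: bulkConf.actionName, task: bulkConf.taskName };
  for (const [targetAttr, raw] of Object.entries(bulkConf.mappings)) {
    row[targetAttr] = resolveMappingValue(raw, formValues, targetPermission);
  }
  return row;
}

// Constructed sample configuration and request data (not product data).
const sampleBulkConf = {
  actionName: 'add_role',
  taskName: 'Modify User',
  mappings: {
    department: '{Department}',
    roleName: 'TP_NAME',
    roleType: 'TP_TYPE',
    source: 'IT',
  },
};
const sampleForm = { Department: 'Finance' };
const sampleTargetPermission = {
  name: 'Finance Analyst',
  value: 'finance-analyst',
  type: 'ProvisioningRole',
};

function demoBulkRow() {
  return buildBulkRow(sampleBulkConf, sampleForm, sampleTargetPermission);
}

console.log(JSON.stringify(demoBulkRow(), null, 2));
```

The two throwing paths are the ones worth keeping when adapting this: a mis-cased action name is caught at configuration time instead of producing a bulk file the connector silently ignores, and a missing form attribute stops the batch instead of writing blanks across every user in it.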

Forms

CA Identity Portal Forms contain attributes which map from CA Identity Portal to the executed task. For example, if the task is of the CA IM type, each property is a representation of a field in the IM task that you want to display in the access request screen of CA Identity Portal or in a module action.

Forms are what the end user sees when they select an action or an access request type (add/modify/remove). They can either contain various types of data or remain empty so that they just trigger tasks.

CA Identity Portal Forms must be linked to a CA Identity Portal task for the following reasons:

The form will eventually trigger that task on the selected connector.

The form can display data and allow the user to edit it; that data is retrieved and set using the linked task.

Once a form is created it can be used in the following ways:

Linked to module actions. For example: a "create contractor" form which is linked to a "create user" task can be linked to an onboarding module. Refer to the Modules section for more information on linking forms to module actions.

Linked to target permission rules. For example: an "add permission X" form which is linked to an "assign permission" task can be linked to the Add action of the target permission's rule. Refer to the Configuring Target Permissions section for more information on linking forms to target permissions.

Configuring Forms

Switch to the Backend Management - Forms tab. The configured Forms are displayed.

Click New Form to add a new form.

Enter the Form Name, which is a descriptive name of the form and is used as a reference from other locations in CA Identity Portal.

Form Tag will be auto populated based on the name and can be modified.

Select the Task which will be associated with the form. The selected task controls:

The fields that can be displayed on this form. For example, in IM the available fields are retrieved from the profile screen of the linked IM admin task.

The backend task that is triggered once this form is submitted in CA Identity Portal. For example, in IM, if the linked task is the "Modify User" task then it is triggered with all the workflows, PXs and other backend operations defined on it.

Add properties and tabs as needed (refer to Configuring Form Properties for more information).

Click Save to finish the configuration.

Note: CA Identity Portal's form generator offers a preview that gets updated in real time while editing the form, including results of handler scripts when available.

Configuring Form Properties

Form properties are mapped to attributes on the profile screens of the task linked to this form.

Managing form properties and tabs:

Click Add Prop to add a new property.

Click on the X on the right side of the form property to delete an existing property.

Click anywhere on the property header to edit an existing property.

Click on the three lines symbol on the left side of the form property to drag an existing property and drop anywhere on the form to change its order.

Form properties can only be organized vertically.

Form properties can be organized in tabs.

Click Add tab to add a new tab.

Double click a tab name to edit its name.

Click on the X on the right side of the form tab to delete a tab.

Form Property Options

Property Name is also its label and is defined in the header line of a property. When first created the property is unnamed, yet a name is mandatory.

Property Type – defines the behavior and display of the property. Options in this type include: text, checkbox, radio buttons, drop down list, single select list, multi select list, CSV, File Attachment, Date Picker, user selector etc.

Server Type – used to define the logic of the property. String is the default, which means the selected value is passed as is. Other types include File (used for attachments), List, Date, etc.

Hidden is a special Server Type; if Hidden is selected, another parameter called "Type" becomes available.

The available types are: User IDs (value of the user id's associated with the request), Sigma Payload (value of the content of the request), Request ID and Custom.

Each selection populates a default value for it. When Custom is selected the default value is left for the administrator to configure.

Options – next to the server type there are options the administrator can select to make this a mandatory, hidden, or read-only property.

Target Name – name of the property on the endpoint into which to pass this information, or from which to read it.

Default Value – enter default values for this property.

Reference – give the parameter a reference name in order to access it from scripts on the form (optional).

Note: Each property type has its own additional options and configurations to perform. For example: drop downs have an options list, date pickers have a date format to enter etc.

Form Handlers

Each property configured in the form has three types of handlers available. These handlers allow the administrator to write JavaScript that is triggered depending on the type of handler. Handler scripts can be used to trigger service actions (refer to Service Actions for more information) or plugins (refer to Plugins for more information).

The available handler types are:

Change Handler – triggers on any change to the property at run time, for example when a user types text into a text box or uploads a file to a file attachment property.

Validate Handler – triggers at the submission of a form.

Initialization Handler – triggers on load of the property in the form. For example, when a user opens a form, a drop-down can be populated with dynamic data at initialization of the property.

In a handler script for a specific property you can refer to other properties in the form by configuring a "Reference" parameter for them and using it in the script. Refer to the CA Identity Portal Developer Guide for more information on form handlers and scripts. Also refer to Form Handler Examples for some sample usage of form handlers.

Form Handler Examples

Change Handler – in this example we set the full name of a user based on the first and last names as they are entered. This is the Change Handler script of the first name property: in it the last name property is read and, if not null, concatenated with the current property and set into the full name property. Other properties are accessed by their Reference parameter in the following way: api.getProp("<ref name of a prop>"). The last name property has a similar script, and its reference is set to "lastName".

function onChange(api, prop) {
    // read the sibling property through its Reference name
    var last = api.getProp("lastName").value;
    if (last == null) {
        last = "";
    }
    // write the concatenation into the fullName property
    api.getProp("fullName").value = prop.value + " " + last;
}

Validate Handler – in this example a regular expression is used to validate the name of the object provided by the user. Standard JavaScript RegEx functions define the regular expression and test it. The CA Identity Portal elements to note in this script are the prop variable, which holds the information of the prop being validated (here prop.value is tested), and prop.error, which is used to display the error message to the user. Note that the validate function must return true or false.

function validate(api, prop) {
    // allow letters, digits, whitespace, hyphen, ampersand and parentheses only
    var ptn = /^[-\s&()A-Za-z0-9]+$/;
    if (true === ptn.test(prop.value)) {
        return true;
    }
    // message shown to the user; the handler must return false on failure
    prop.error = "Invalid object name: " + prop.value;
    return false;
}

Initialization Handler – in this example a plugin is used to fetch data that initializes a drop-down property. The call to get the data from the plugin is: api.server(['<plugin name>']). This specific prop is a drop-down, so it has options with a name and a value. The script uses a forEach loop to push the name and value into the drop-down options.

function initialize(api, prop) {
    // call the initAppList plugin; the result arrives asynchronously
    api.server(['initAppList']).then(
        function(success) {
            // push each returned entry as a drop-down option
            success.returnValue.forEach(function(entry) {
                prop.options.push({"name": entry, "value": entry});
            });
        },
        function(error) {
            // plugin call failed; the drop-down is left empty
        }
    );
}
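The following is an added example and is not part of this documentation or of the CA Identity Portal product: a small stand-in for the api and prop objects that the handlers above receive, so that all three handler types can be exercised offline before they are pasted into the form generator. Only the members used by the examples above are modelled (api.getProp, api.server, prop.value, prop.error, prop.options); the real objects may expose more. The length limit, the ownerId cross-check, the plugin result table and the sample property values are assumptions made for illustration. Because handler scripts run in the user's browser while the form is being filled in, the validate handler is a usability check: the backend task and its IM-side validation remain the enforcement point. The initialization handler here differs from the one above in that it reports a failed plugin call instead of leaving the drop-down silently empty.

```javascript
'use strict';

// Stand-in for a form property (assumed shape: value, error, options).
function makeProp(ref, value) {
  return { ref: ref, value: value, error: null, options: [] };
}

// Stand-in for the api object. props is keyed by Reference name; pluginResults
// is a constructed table of plugin name -> returnValue.
function makeApi(props, pluginResults) {
  return {
    getProp: function (ref) {
      if (!(ref in props)) throw new Error('unknown property reference: ' + ref);
      return props[ref];
    },
    server: function (args) {
      const name = args[0];
      return name in pluginResults
        ? Promise.resolve({ returnValue: pluginResults[name] })
        : Promise.reject(new Error('plugin not found: ' + name));
    },
  };
}

// Change handler for the firstName property: keeps fullName in sync.
function onChange(api, prop) {
  let last = api.getProp('lastName').value;
  if (last == null) last = '';
  api.getProp('fullName').value = (prop.value + ' ' + last).trim();
}

// Validate handler for an object name: the allow-list pattern from the page,
// an assumed length cap, and a cross-property rule. Each failure sets
// prop.error and returns false, as the form generator requires.
const NAME_PATTERN = /^[-\s&()A-Za-z0-9]+$/;
const MAX_NAME_LENGTH = 64; // assumed limit, not a product default

function validate(api, prop) {
  const value = prop.value == null ? '' : String(prop.value);
  if (!NAME_PATTERN.test(value)) {
    prop.error = 'Invalid object name: ' + value;
    return false;
  }
  if (value.length > MAX_NAME_LENGTH) {
    prop.error = 'Object name longer than ' + MAX_NAME_LENGTH + ' characters';
    return false;
  }
  if (value === api.getProp('ownerId').value) {
    prop.error = 'Object name must differ from the owner ID';
    return false;
  }
  prop.error = null;
  return true;
}

// Initialization handler for a drop-down: fills options from the initAppList
// plugin and surfaces a failure via prop.error. Resolves with the number of
// options loaded (0 on failure).
function initialize(api, prop) {
  return api.server(['initAppList']).then(
    function (success) {
      success.returnValue.forEach(function (entry) {
        prop.options.push({ name: entry, value: entry });
      });
      return prop.options.length;
    },
    function (error) {
      const msg = error && error.message ? error.message : String(error);
      prop.error = 'Could not load application list: ' + msg;
      return 0;
    }
  );
}

// Offline run over constructed property values (sample data, not product data).
function demo() {
  const props = {
    firstName: makeProp('firstName', 'Ada'),
    lastName: makeProp('lastName', 'Lovelace'),
    fullName: makeProp('fullName', null),
    ownerId: makeProp('ownerId', 'alovelace'),
    objectName: makeProp('objectName', 'Finance Share (EU)'),
    badName: makeProp('badName', "drop';--"),
    appList: makeProp('appList', null),
    brokenList: makeProp('brokenList', null),
  };
  const api = makeApi(props, { initAppList: ['HR', 'Finance', 'Payroll'] });
  onChange(api, props.firstName);
  const okName = validate(api, props.objectName);
  const badName = validate(api, props.badName);
  return Promise.all([
    initialize(api, props.appList),
    initialize(makeApi(props, {}), props.brokenList), // no plugin registered
  ]).then(function (counts) {
    return {
      fullName: props.fullName.value,
      okName: okName,
      badName: badName,
      badError: props.badName.error,
      loaded: counts[0],
      failed: counts[1],
      failedError: props.brokenList.error,
    };
  });
}

demo().then(function (result) { console.log(JSON.stringify(result, null, 2)); });
```

Running the script prints the synchronized full name, the accept/reject decision for the two object names, and the option count from the successful plugin call beside the error text from the failed one. When the handlers are moved into the form generator, drop the stand-ins and keep only the three handler functions; their bodies use nothing beyond the api and prop members shown in the examples above.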

Endpoints

Endpoints configuration allows the user to perform actions directly on endpoint accounts without using interim objects such as provisioning roles.

For example: Active Directory groups can be assigned directly to an account without having to configure tasks/target permission/provisioning roles/entitlements catalog in CA Identity Portal and IM.

Pre-requisites for endpoint configuration:

Configure an endpoint in IM

Expose the following tasks to TEWS (then restart the connector):

Modify User Endpoint Accounts – To enable requesting access on other users.

Modify My Endpoint Accounts – To enable request access for self and enabling password reset on the account.

Modify Endpoint

Supported Endpoints

The CA Identity Portal Endpoint Account Management enables you to add/remove endpoint entitlements. To validate that your endpoint is supported by this functionality, use the following procedure:

Validate that the Endpoint Roles and Tasks are installed in your IM environment.

Locate the “Modify <endpoint type> Account” task using the View Admin Task.

Switch to the tabs definition.

Locate the tab which represents the Endpoint entitlement that you would like to expose. For example, in “Active Directory” the “Groups” tab represents the active directory groups entitlement.

Validate that the tab is of the “Relationship” type.

Click Edit on the tab to view its definition.

Validate that the search screen is of “Endpoint Capability Search” Type.

Configuring Endpoints

Switch to the Backend Management - Endpoints tab. The configured Endpoints are displayed.

Click New Endpoint to add a new endpoint.

General – This tab configuration gives the end user the ability to see his endpoint accounts.

Select the connector in which the endpoint can be found (the IM connector).

Select the endpoint type from the available endpoints configured in IM (pre-requisite: the admin user defined in the connector configuration has the rights to execute the Modify Endpoint task).

Give the endpoint configuration a name. This name is not displayed; it is used to describe all endpoints that have this configuration, for example: Corporate Active Directories.

Select a task to be used for displaying account information, this task is the view/modify account task for the specific endpoint being configured. For example, if configuring an AD endpoint you should use the Modify Active Directory Account or View Active Directory Account task. The system will then in turn use this task to fetch all the information about the account. Furthermore, the available attributes in the "Account Attributes" Tab will be derived from this task.

Note: Pre-requisite: the view/modify account task needs to be exposed to TEWS in IM and then created as a CA Identity Portal task. The IM task also needs to be in scope for the users who will be using it (requesting account entitlements).

Entitlements – This tab configuration gives the end user the ability to see and modify his entitlements for the endpoint account (for example: group membership in AD).

Click on Add Entitlement.

Enter a name for this entitlement type. This is the display name for the entitlements when an account is selected in the entitlements tree.

Select a form to be displayed and triggered when adding/removing an entitlement. You must first configure a task which will be used to add/remove that entitlement. The task used must be adequate to perform that operation. For example: the Modify Active Directory Account task is suitable to add/remove AD groups, but the Modify User task is not. After you've configured the task, link the form to that task. This version only supports an empty form (a form with no props) for entitlements.

Select a task to view/search the entitlements (you must first configure the task in CA Identity Portal; the already configured modify account task is sufficient).

Select an entitlement type backend name. This is the entitlement object type in the connected system; for example, it is ActiveDirectoryAccountGroups when the entitlements are AD groups.

If a search filter on the entitlements is required, add search rules. Search rules define which entitlements a user can request. For example, you can configure that users from department IT are only able to request entitlements that contain the word IT.

Name – a descriptive name for the search rule, e.g. IT users.

Priority – the rule with the lowest priority number is evaluated first. Evaluation is first match first served.

Expression – defines the logic on which the search rule matches. You can define logic on the requester or on the target user, e.g. Requester Department Equals IT.

Filters – the filter defines the population of entitlements that the user can act upon. These are search rules that encapsulate what the user is searching. If left empty, the user can search and request all entitlements under this category. The available filter attributes are fetched from the search attributes of the entitlement search screen; to add more search attributes, modify the search screen in IM. For example, if you wish to filter available AD groups by the group description, go to the Modify Active Directory Account task, switch to the Groups tab, click Edit on the search screen and add more search attributes (make sure to add the attribute to the searchable attributes and to the search results).

Note: You must always define at least one search rule. That search rule can contain a default configuration which enables all users with that task in scope to request all entitlements under this category. To perform that configuration, add a search rule that has "true" in the expression and no search filters.

Account Attributes – This tab configuration gives the end user the ability to see additional account information when hovering over an account name in the entitlements section. The available attributes are fetched from the Account Information Task configured under the General tab.

Click on Add Attribute.

Give the attribute a display name and select an available account attribute from the list.

Endpoint Instances – This tab configuration controls which endpoint instances CA Identity Portal applies this configuration to. This means that CA Identity Portal fetches the account, displays the account information and enables requesting entitlements as configured in the previous steps on the endpoint instances that are configured in this tab.

Select either All Instances or Select Instances.

Click Save.

Target Permissions

Target permissions are the cornerstones on which the CA Identity Portal permission model is constructed. A target permission is the technical permission that the user requests, overlaid and simplified by the CA Identity Portal permission model.

A Target Permission is the representation of an entitlement in the systems (i.e. IM, IG) connected to CA Identity Portal. Use target permissions either for fetching the entitlements the user currently has, or for granting new entitlements to the user. The supported entitlements are:

Provisioning Role (IM)

Group Membership (IM)

Attribute (IM)

Role (IG)

Resource (IG)

When designing a CA Identity Portal setup and implementation, plan and configure the relevant target permissions as detailed below.

For target permission scoping, refer to Permission Scoping for more information.

Assigning a Target Permission

Target permissions can be assigned in two ways:

Directly through the native implementation of the connector:

IG – Through the API native method.

IM – by triggering the corresponding event (similar to assigning a provisioning role in the Provisioning Roles tab).

Indirectly, through a dedicated API:

IM – by executing a task which is responsible for assigning that permission.

Configuring Target Permissions

Switch to the Target Permission tab. The configured target permissions are displayed.

Click New to add a new target permission.

Select the Connector which is associated with the target permission. The relevant target permissions for that connection will be available in the Name parameter.

To select a target permission, start typing the name of the target permission as it is configured on the selected connector endpoint.

Upon selection, the Type of the target permission is automatically indicated and the tag is auto-populated.

Note: If a target permission is of attribute type, a value needs to be supplied.

Set the required compliance settings (optional). Refer to Compliance for more information.

Set the required rules for this target permission. Refer to Target Permission Rules below for more information.

Click Save to finish the configuration.

Target Permission Rules

Target permission rules define:

The type of access request that can be performed on permissions. The options are: Add, Modify and Remove.

The form that is displayed to the end user when clicking Add, Modify or Remove. Note: Forms are linked to a task, which means the selected form controls both the screen that the user sees and the backend task/workflow that is triggered.

The scenario in which the configured options and forms are displayed. Multiple rules can be configured for the same target permission. For example: one rule applies to all users from a specific department, who are allowed to request add or remove with a specific form and with manager approval; a second rule applies to all managers, who are allowed to request add only, with a specific form that doesn't require approval.

Note: Target permissions must have rules configured in order to be displayed to the end user.

Target Permission Rules Example

A manager can add and remove the "Network access" permission for his employee using the "Add Network Access by manager" and "Remove Network access by manager" tasks respectively. His employee can request to add the Network Access permission using the "Request your manager network access" task.

To implement this logic, two rules have to be defined on the target permission that provides network access.

Rule 1 – Manager acting on his employee. For this rule, the relationship between the requester (manager) and the target user (the employee) has to be defined. Usually these relationships are defined by an attribute in the subordinate's user profile indicating the manager. The resulting rule will look like this: user.getValue("Manager") = requester.getValue("userId").

Once the population of the rule is configured, the next step is to define which task to execute when the Add/Modify/Delete actions are selected. In this example the "Add Network Access by manager" task is linked to the Add action, and "Remove Network access by manager" is linked to the Remove action.

Rule 2 – Every employee can request the permission for himself. This is useful when the executed task is configured with a workflow requiring the approval of a supervisor. To configure this rule, define an expression which identifies the employee, such as Requester['User Type'] = 'Employee'. Then configure the Add operation with the "Request your manager network access" task.

Configuring Rules

Switch to the Backend Management - Target Permissions tab. Click a target permission to edit it.

Click Add Rule to add a new rule for the selected target permission.

Give the rule a descriptive name.

Provide a priority for the evaluation of this rule (lower number has a higher priority).

Select the mode for this rule. Available modes are:

Access Rights – the selected forms are displayed during an access rights request for a single user.

Bulk Access Rights – the selected forms are displayed during an access rights request for multiple users (either multi-select or bulk upload).

1.

Onboarding Access Rights – the selected forms are displayed during an access rights request for a single user which happens during an onboarding request.

Bulk Onboarding Access Rights – the selected forms are displayed during an access rights request for multiple users which happens during an onboarding request.

Click on Edit Expression to select the condition for which this rule will apply. The options are:

True – this rule will apply to all users (requesters and subjects of a request).

Use Wizard – this rule will apply to the users matching the condition defined using the wizard. For example: users from a specific department, managers of users etc.

Custom – this rule applies to the users matching the condition defined using custom JavaScript. For example, the manager of a user: user.getValue("Manager").equals(requester.getValue("userId")). Refer to the CA Identity Portal Developer Guide for more information about building complex custom expressions.

Select a form for each of the actions that need to be available to the end user in this rule scenario. Only actions that have a form applied to them are displayed in the access request. Not all actions need to be linked to forms; for example, some scenarios might only require the Add action for a permission.
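The following is an added example and is not part of this documentation or of the CA Identity Portal product. It is a stand-in evaluator for target permission rules, covering both the Network access example above and the Configuring Rules steps: rules carry a priority (lower number evaluated first), an expression over the requester and the target user, and the forms linked to the Add/Modify/Remove actions. It assumes that the first matching rule decides which forms are shown (the page states first-match evaluation for endpoint search rules; the same model is applied here to target permission rules). In the product the Custom expression is JavaScript text such as user.getValue("Manager").equals(requester.getValue("userId")); here each expression is a plain function and strings are compared with ===. The user profiles are constructed sample data. The example also includes a configuration check for a True rule placed ahead of scoped rules, which makes every requester land on the catch-all rule's forms.

```javascript
'use strict';

// Minimal user object exposing the getValue(attr) accessor used in the
// page's expressions. Unknown attributes read as null.
function makeUser(attrs) {
  return { getValue: function (name) { return name in attrs ? attrs[name] : null; } };
}

// The "True" option of Edit Expression, modelled as a designated constant so
// a catch-all rule can be recognised without evaluating it.
const ALWAYS = function () { return true; };

// Rules from the page's Network access example.
const networkAccessRules = [
  {
    name: 'Manager acting on his employee',
    priority: 10,
    expression: function (user, requester) {
      return user.getValue('Manager') === requester.getValue('userId');
    },
    forms: { Add: 'Add Network Access by manager', Remove: 'Remove Network access by manager' },
  },
  {
    name: 'Employee requesting for himself',
    priority: 20,
    expression: function (user, requester) {
      return requester.getValue('User Type') === 'Employee';
    },
    forms: { Add: 'Request your manager network access' },
  },
];

// Evaluate in priority order (lower number first); the first matching rule
// decides which actions, and therefore which forms, the requester sees.
// Only actions with a linked form are exposed. An expression that throws
// counts as no match, so a scripting error cannot widen access.
function resolveRule(rules, requester, user) {
  const ordered = rules.slice().sort(function (a, b) { return a.priority - b.priority; });
  for (const rule of ordered) {
    let matched = false;
    try {
      matched = rule.expression(user, requester) === true;
    } catch (e) {
      matched = false;
    }
    if (matched) {
      return { rule: rule.name, actions: Object.keys(rule.forms), forms: rule.forms };
    }
  }
  return { rule: null, actions: [], forms: {} };
}

// Configuration check: a True rule that sorts ahead of scoped rules shadows
// all of them. Returns null when the rule set is clean.
function findShadowingCatchAll(rules) {
  const ordered = rules.slice().sort(function (a, b) { return a.priority - b.priority; });
  const idx = ordered.findIndex(function (r) { return r.expression === ALWAYS; });
  if (idx === -1 || idx === ordered.length - 1) return null;
  return {
    catchAll: ordered[idx].name,
    shadowed: ordered.slice(idx + 1).map(function (r) { return r.name; }),
  };
}

// Constructed sample profiles (not product data).
const sampleUsers = {
  manager: makeUser({ userId: 'mgr01', Manager: 'ceo', 'User Type': 'Employee' }),
  employee: makeUser({ userId: 'emp42', Manager: 'mgr01', 'User Type': 'Employee' }),
  contractor: makeUser({ userId: 'ctr07', Manager: 'mgr01', 'User Type': 'Contractor' }),
};

function demoRules() {
  const u = sampleUsers;
  // Same rules with a True rule added at priority 1: a common misconfiguration.
  const misconfigured = [
    { name: 'Everyone', priority: 1, expression: ALWAYS, forms: { Add: 'Self-service network access' } },
  ].concat(networkAccessRules);
  return {
    managerOnEmployee: resolveRule(networkAccessRules, u.manager, u.employee).actions,
    employeeOnSelf: resolveRule(networkAccessRules, u.employee, u.employee).actions,
    contractorOnSelf: resolveRule(networkAccessRules, u.contractor, u.contractor).rule,
    cleanConfig: findShadowingCatchAll(networkAccessRules),
    shadowed: findShadowingCatchAll(misconfigured),
    managerUnderMisconfig: resolveRule(misconfigured, u.manager, u.employee).rule,
  };
}

console.log(JSON.stringify(demoRules(), null, 2));
```

Two results are worth checking in your own rule sets. First, rule 2 matches on the requester alone, exactly as in the example above, so with this rule set an employee requesting for a colleague also lands on rule 2; restrict the target population either in the expression (for instance by also requiring user.getValue("userId") to equal requester.getValue("userId")) or through Permission Scoping. Second, once the True rule is present at priority 1, the manager no longer sees the Remove action at all, because the catch-all rule is evaluated first and exposes only its own forms.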

Compliance

The compliance configuration indicates which target permission should be used when evaluating compliance for the subject target permission. In some cases the target permission itself does not reside in the system that evaluates the compliance check, but a representation of it exists and should be used instead. For example: the target permission is a provisioning role in Identity Manager, but we would like to perform a compliance check when requesting that provisioning role (the permission linked to it) using the IG role that was created by the Identity Manager and Identity Governance integration.

To perform that configuration we would need a connector to IM and a connector to IG. We would then configure a target permission from the IM connector and another target permission (with the same name) that exist in IG. Then we would configure the compliance on the IM connector to point to the IG target permission.

For the compliance evolution to be executed we would need to define an external condition in a risk. Refer to Risks section for more information.

Branding

You can make branding changes to the CA Identity Portal UI by changing the look and feel. By default, the home page of CA Identity Portal is displayed. If you do not want to use the default CSS, you can create a custom CSS.

Customize the CA Identity Portal Pages

You can update the attributes of all the UI elements in the CA Identity Portal pages.

Follow these steps:



1. Click Administration, Branding. The CA Identity Portal home page appears.

2. Click on any UI element that you want to update. The appropriate dialog appears on the right.

3. Click Choose CSS Attributes in the dialog to select the CSS attributes that you want.

4. To select the CSS attributes that you want, click them and then click OK. The selected CSS attributes are added to the dialog.

5. Update each of the CSS attributes as required.

6. Click the Tasks button and the Request Tracking button to update the related UI elements. You can view the changes made in the CA Identity Portal.

Customize the Mobile Interface Pages

You can update the attributes of all the pages in the mobile interface.

Follow these steps:

1. Click Administration, Branding.

2. Scroll to the Customize Mobile's screens section. The Dashboard page appears.

3. Click on any mobile interface element that you want to update. The appropriate dialog appears on the right.

4. Click Choose CSS Attributes in the dialog to select the CSS attributes that you want.

5. To select the CSS attributes that you want, click them and then click OK. The selected CSS attributes are added to the dialog.

6. Update each of the CSS attributes as required.

7. Click the Tasks button and the Request Tracking button to update the related mobile interface elements.

Connectors

Configuring CA Identity Portal in the organizational environment consists of creating interfaces to the organization's IM/IG systems by configuring CA Identity Portal's connectors. CA Identity Portal uses connectors to communicate with the IM/IG systems. The connectors enable CA Identity Portal to perform the following tasks:

Authenticate/authorize users to CA Identity Portal's interface.

Fetch existing entitlements and expose them to the end user.

Request entitlements.

Update statuses of ongoing activities.

CA Identity Portal's factory settings support several types of connectors:

IM (Identity Manager) Connector – supports connectivity to the various IM versions.


IG (Identity Governance) Connector – supports connectivity to various IG versions.

AuthMinder (Advanced Authentication) Connector – supports connectivity to various AuthMinder versions.

Okta Connector – supports connectivity to Okta for single sign-on. Note: This is technical preview functionality that is not supported.

DB Connector – A connector to a custom database which allows you to define your own entities and save their current state.

Note: Configuring connectors is the first task that has to be completed in CA Identity Portal's setup process. Complete all required connectors before proceeding with the rest of the configuration.

Main Connector

The Main Connector identifies a connector as the authoritative source that will be used by CA Identity Portal for user authentication. It is recommended that the Main Connector be connected to the IM/IG system which contains the most extensive information about users in the organization.

Creating a Connector

To create a connector you must have the IM/IG set up. You will need to collect basic connectivity information on the endpoint to which you would like to connect before creating the connector. This information is typically available in the endpoint's administrative management console.

Follow these steps:

1. Select the Backend Management - Connectors tab.

2. Choose the New Connector button.

3. Select the type of connector from the list.

a. For CA Identity Manager connector select: com.idmlogic.sigma.connector.ca.CaimAdapter

b. For CA Identity Governance connector select: com.idmlogic.sigma.connector.ca.gm.GmAdapter

c. For CA Advanced Authentication connector select: com.idmlogic.sigma.connector.ca.authMinder.CAAuthMinderAdapter

d. For Okta connector select: com.idmlogic.sigma.connector.okta.OktaAdapter

4. Fill in a name that will identify the connector.

5. Tag will be auto-populated based on the name; it can be modified.

6. Connector login source – used to define the method in which authentication credentials are collected for authentication to the backend system. Available options are:

a. USER_INPUT – the username and password entered by the user through the login screen will be used.


b. MATCHING ATTRIBUTE – this configuration cannot be used for the main connector. Matching attribute is used when the connector user identifier is another attribute of the user which is not the login user identifier. For example, if a certain connector uses the email address as the user identifier and the main connector uses a unique user identifier, this connector will be configured using the MATCHING ATTRIBUTE configuration, and the email attribute will be configured in the "User Matching Attribute name" field. Prerequisite: the email attribute (per the example above) must be available through the main connector and configured in the user configuration section.

c. MAIN CONNECTOR USER ID – used when the login credentials and the unique identifier are different. In this configuration the connector will authenticate using the unique identifier rather than the login credentials.

7. User matching attribute name – attribute to be used as the connector user identifier when the MATCHING ATTRIBUTE configuration is used.

8. If no Main Connector is defined in the system, an option to configure this connector as the main connector will be available.

9. Select Run on Start Up if you want the connector to start up whenever the server is restarted.

10. Fill in all the information required by the connector. An explanation of the purpose and sample values is available next to each field.

11. Once completed, click Save.

Upon saving the connector for the first time, the connector will not attempt to load automatically. The connector can be started manually by clicking Start. If an error occurs you will receive an error message in the log and the connector status will be displayed as Down. If the connector is created successfully the connector status will be displayed as Up and no error message is displayed in the log. To modify the connector settings, click on the connector.

Editing an Existing Connector

1. Switch to the Backend Management - Connectors tab.

2. Click on the connector you wish to edit.

3. Edit the connector's settings.

4. Click Save.

Upon saving the connector, the configuration will be saved but the connector will not attempt to load with the new configuration. To start the connector with the new configuration, click the Restart button.

Note: Restarting the connector will cause it to be unavailable for the duration of the restart.

CA Identity Manager Connector Configuration

CA IM connectors are defined per environment. The following parameters are used when defining a connector:


CA IM

CA IM UserId – the identifying attribute of a user in the CA IM endpoint, which can be found in the User directory mappings in the management console.

TEWS wsdl URL – this is a mandatory attribute which contains the URL for the WSDL, which is generated for the connector environment. This parameter is case sensitive in CA IM. Typically http://<server_address>/iam/im/TEWS6/<environment_public_name>?WSDL

Management console URL – environment management console URL. Usually http://<server_name>/iam/immanage/ (make sure to include the closing "/")

Management console user id – username to authenticate to the management console, if defined.

Management console password – password to be used for authentication to the management console, if defined.

Environment Id – environment id number; can be found in the environment configuration in the management console.

Environment Name - environment name, can be found in the environment configuration in the management console.

Static roles and tasks XML – used as a static override for environment roles and tasks xml file, should be used only in debug mode.

Group name attribute – the identifying attribute of a group in the CA IM endpoint, which can be found in the Group directory mappings in the management console.

CAIM Admin User – service admin user for identity management.

CAIM Admin Password – service admin user password for identity management.

No compile list – a comma-separated list of task tag names from IM that will not be compiled when the connector starts (a blacklist).

TEWS client dir – directory for saving compiled classes used for TEWS.

Roles and task converter – define the version of IM for the connector. For IM supported versions up to 12.6 SP1 (including) select – com.idmlogic.caim.Converter1259. For IM supported versions from 12.6 SP2 (including) select – com.idmlogic.caim.Converter1262.

Generate Binding File – determine whether to create a binding file that tries to correct the errors in the compilation of the WSDL.

Update client URL – used for cloud configuration; this configuration will override the client URL defined in the TEWS WSDL with the one in the connector configuration.

Tasks

Default search task – Sigma service task (tag) used to search for users who must be in scope.

Current Access task – Sigma service task (tag) used to get user's current access.

Login task – Sigma service task (tag) used to verify login.

Page 150: CA Identity Portal - 12.6.8 CA Identity Portal - HomeCA Identity Portal - 12.6.8 18-Oct-2019 13/272 12.6.7 New Features Internationalization Support Improved Certification Campaigns

CA Identity Portal - 12.6.8

18-Oct-2019 150/272

User Status attribute – the IM user attribute that contains the user status for login purpose.

Scope task – Sigma service task (tag) used to fetch the tasks in the authorized scope for this user in the system:

Scope task group field – used to describe the group association field in the Scope task.

Scope task execution field – used to describe the task field in the Scope task.

Scope task roles field – used to describe the provisioning role field in the Scope task.

Scope task access roles field – used to describe the access role field in the Scope task.

Admin task task – Sigma service task (tag) for reading information about other tasks.

Approval task search task – Sigma service task (tag) used to search for approval tasks.

IM default Task status task – IM default task (tag) used to read information about task state.

Task to query multiple tasks statuses – Sigma service task (tag) used to read information about multiple tasks state (unlike the default IM task that only allows one task).

Task to cancel requests – Sigma service task (tag) for cancelling requests.

Task statuses batch size – Limits the task statuses batch size (as configured in the Task statuses task).

Worklist task – Sigma service task (tag) used to read information about a logged in user's pending work list.

Group search task – Sigma service task (tag) used to search for groups who must be in scope.

Workpoint

Refer to the Setting up the Workpoint Interface section for the full workpoint configuration required.

Workpoint application server – application server brand on which workpoint (IM) is installed; JBOSS, WEBLOGIC and WEBSPHERE are supported. For JBoss 5 select Jboss5. For all other JBoss versions the recommended selection is JBoss-AS. Refer to the CA Identity Portal installation guide for the required prerequisites for this configuration.

Workpoint fetch work items strategy – the method in which CA Identity Portal will fetch work items. Either from TEWS task "View My Worklist" (default configuration) or directly from workpoint client API (which allows you to limit the number of work items retrieved)

Workpoint work item client limit – when fetching work items directly from workpoint it has a limit on the number of work items to get.

Workpoint service URL – used to define the URL used by the workpoint client to connect to the workpoint server. When workpoint is installed on JBoss, this is usually the hostname of the server. On weblogic this is usually t3://<server address>

Note: It is important to configure FQDN resolution between the servers before defining this parameter.

Workpoint service user id – application server administrative user, if defined. Usually WebLogic application server is protected by a service user.


Workpoint service user password – application server administrative user password, if defined.

Workpoint user id – user for workpoint access (any name is valid here, does not need to be an actual system user).

Workpoint user password – password for the workpoint user. This is for future use, today workpoint API doesn't support this feature.

Workpoint service method – agent connection type, usually EJB.

Workpoint DB – workpoint DB name, by default WPDS.

Workpoint client directory – location of the workpoint client jars specific for the application server.

Worklist date format – date format of a work list item, for example: EEE MMM d HH:m:s z yyyy.

Forgotten Password

Forgotten password task – the task (tag) used to reset forgotten password in IM (by default there are two different forgotten password tasks in IM that can be used in CA Identity Portal as well).

Forgotten password answer attribute – prefix for the answer attribute as defined in IM (usually this is the forgotten password LAH attribute).

Forgotten password question attribute – prefix for the question attribute as defined in IM (usually this is the forgotten password LAH attribute).

Forgotten password attribute – the password attribute as defined in the forgotten password task.

Forgotten password confirm attribute – the confirm password attribute as defined in the forgotten password task.

Reset Password

Reset password task tag – the task (tag) being used to reset users' expired password. By default this is configured to a Sigma service task.

Reset password password attribute name – the password attribute as defined in the reset password task.

Reset password confirm password attribute name – the password confirm attribute as defined in the reset password task.

Reset password to another task tag – the task (tag) being used to reset users' expired password. By default this is configured to a Sigma service task. Reserved for future use.

Reset password to another password attribute name – the password attribute as defined in the reset password task. Reserved for future use.

Reset password to another confirm password attribute name – the password confirm attribute as defined in the reset password task. Reserved for future use.


Accounts

My Account search task tag – the task (tag) being used to view endpoint accounts and perform account operations (such as password reset) on the user's own accounts. In order for it to work it needs to be exposed to TEWS in IM.

User's accounts search task tag – the task (tag) being used to view endpoint accounts of other users. In order for it to work it needs to be exposed to TEWS in IM.

Endpoints search task tag – the task (tag) being used to search for endpoints in the admin UI. In order for it to work it needs to be exposed to TEWS in IM and in scope for the admin user id.

User's accounts sigma service task tag – Sigma service task (tag). Required to be exposed for all users that require endpoint functionality.

Out of Office

User's out of office sigma service task tag – Sigma service task (tag) used to set out of office (delegations for workflow).

IM Portal Webservices

See the Set Up CA Identity Manager and CA Identity Portal Web Services Interface section for detailed instructions on setting up this interface.

Is webservices enabled - If checked, CA Identity Portal will leverage IM web services. The IM web services replace some of the functionalities used by the CA Identity Portal Service tasks. Web services also enable some advanced capabilities related to status updates.

url - the URL for CA Identity Manager web services. URL pattern is http://<IM Server address>:<IM Server Port>/iam/im/ws/<Env protected alias>/portal.

configuration id - the configuration id defined in the CA Identity Manager web service configuration.

IM trust

Used to enable CA Identity Portal to leverage the trust configuration with CA Identity Manager. This trust configuration is relevant if impersonation is required.

trust configuration - configuration id to be passed to CA Identity Manager.

trust key - secret key to be used for encryption of data to be used by the trust configuration.

CA IG Connector Configuration

Admin Name – service admin username for GovernanceMinder.

Admin password – service admin password for GovernanceMinder.

Server name – IG server IP address or FQDN.

Server port – IG server port.


GM server version – version of the connector, should match the version of IG. Versions supported : 12.5.07, 12.6.00, 12.6.01, 12.6.02.

Universe name – Universe name to which the connector will connect.

Master configuration – master configuration under the universe.

Model configuration – model configuration under the universe.

Certification resource display field – the display field that is used in the IG universe to describe the resource. By default the display attribute will be the IG configuration. To control the display attribute refer to the customization option in certification campaigns.

Certification role display field – the display field that is used in the IG universe to describe the role. By default the display attribute will be the IG configuration. To control the display attribute refer to the customization option in certification campaigns.

Certification user display field – the display field that is used in the IG universe to describe the user. By default the display attribute will be the IG configuration. To control the display attribute refer to the customization option in certification campaigns.

Is testing? – For Internal usage.

CA Advanced Authentication Connector Configuration

Authentication

Authentication Host Name – Host name or the IP address of AuthMinder Server.

Authentication Port – Port number configured for the Transaction Web services protocol.

Transport – To enable the SSL communication between AuthMinder Issuance SDK and AuthMinder Server set this parameter to 1SSL or 2SSL.

Note: If you change the transport mode to SSL, then you must restart AuthMinder Server.

Connection timeout – Maximum time in milliseconds before the AuthMinder Server is considered unreachable.

Read timeout – The maximum time in milliseconds allowed for a response from AuthMinder Server.

Authentication - more (optional)

Server CA Cert PEM Path – Path to CA certificate.

Client Cert Key P12 Path – Path to client certificate.

Client Cert Key Password – Password to certificate.

Common

MaxActive - Maximum number of connections allowed in the pool from the SDK to the AuthMinder Server.

MaxIdle - The maximum number of idle connections allowed in the pool from the SDK to the AuthMinder Server.


Maximum WaitTime (In Millis) - The maximum amount of time (in milliseconds) that a request will wait for the connection. Default -1 indicates that the thread will wait for infinite time.

Minimum EvictableIdleTime (In Millis) - The minimum amount of time a connection might be idle in the pool before it is evicted by the idle connection evictor (if any).

Time between Eviction Runs (In Millis) - The amount of time in milliseconds to wait before checking the pool to evict the idle connections.

General

User organization – the organization in AuthMinder the connector is associated with.

Issuance

Issuance Host Name - Host name or the IP address of AuthMinder Server.

Issuance port - Port number configured for the Transaction Web services protocol.

Transport - To enable the SSL communication between AuthMinder Issuance SDK and AuthMinder Server set this parameter to 1SSL or 2SSL.

Note: If you change the transport mode to SSL, then you must restart AuthMinder Server.

Connection timeout - Maximum time in milliseconds before the AuthMinder Server is considered unreachable.

Issuance – more

Server CA Cert PEM Path – Path to CA certificate.

Client Cert Key P12 Path – Path to client certificate.

Client Cert Key Password – Password to certificate.

Password complexity

Minimum password length - The minimum number of characters for an auto-generated password.

Maximum password length - The maximum number of characters for an auto-generated password.

Minimum alphabetic characters - Minimum alphabetic characters for an auto-generated password.

Minimum numeric characters - Minimum numeric characters for an auto-generated password.

Minimum special characters - Minimum special characters for an auto-generated password.

Okta Connector Configuration

Note: This is technical preview functionality that is not supported.

General

App key – shared key to access Okta API. Can be extracted from the Okta admin interface, under API management.

Url – The URL for API calls.


Matching field – The user attribute that should be used as user id parameter for the Okta connector. Usually email.

Category – The category to which Okta apps are associated in the application Launchpad.

Search Strategy Guide

To reduce load on directory when performing user/group searches, search strategies were introduced in CA Identity Portal 1.6.2 CR1 CP 0006. This document describes the implementation of each strategy.

This document refers to the following configuration:

Searchable attributes are: %FIRST_NAME%, %LAST_NAME%, %EMAIL%

Search phrase entered by user: John Doe Chicago

The following describes the implementation based on selected strategy:

Strategy: ALL
The system will execute one query as follows:
%FIRST_NAME% = *John* OR %LAST_NAME% = *John* OR %EMAIL% = *John* OR
%FIRST_NAME% = *Doe* OR %LAST_NAME% = *Doe* OR %EMAIL% = *Doe* OR
%FIRST_NAME% = *Chicago* OR %LAST_NAME% = *Chicago* OR %EMAIL% = *Chicago*

The system will then filter out all irrelevant results.

Strategy: EXACT
This strategy is similar to the way the system is working today. The following query is executed:
(%FIRST_NAME% = *John* OR %LAST_NAME% = *John* OR %EMAIL% = *John*) AND
(%FIRST_NAME% = *Doe* OR %LAST_NAME% = *Doe* OR %EMAIL% = *Doe*) AND
(%FIRST_NAME% = *Chicago* OR %LAST_NAME% = *Chicago* OR %EMAIL% = *Chicago*)

Strategy: SPLITTED_QUERIES
This strategy will perform a query for each word in the search phrase and will then intersect the results to ensure that only valid results are returned.

Query 1: %FIRST_NAME% = *John* OR %LAST_NAME% = *John* OR %EMAIL% = *John*
Query 2: %FIRST_NAME% = *Doe* OR %LAST_NAME% = *Doe* OR %EMAIL% = *Doe*
Query 3: %FIRST_NAME% = *Chicago* OR %LAST_NAME% = *Chicago* OR %EMAIL% = *Chicago*

Results of all of these queries are then intersected at the server and duplicates are removed.

Strategy: LONGEST
The system will select the longest 2 words in the phrase and search by them. The query will look as follows:


(%FIRST_NAME% = *John* OR %LAST_NAME% = *John* OR %EMAIL% = *John*) AND
(%FIRST_NAME% = *Chicago* OR %LAST_NAME% = *Chicago* OR %EMAIL% = *Chicago*)

The system will then filter out incorrect results that do not contain the word “Doe” in them.

Configuring the search strategy

In the connector configuration, under the Tasks tab, select the desired strategy in the "Search Strategy" property. Save and restart all connectors in your cluster.

Quoted search capability

Search was enhanced to support surrounding quotes to indicate that the entire phrase will be searched as a single word. This means that the query above would be entered by the user as "John Doe Chicago".

The query that will be performed is:

%FIRST_NAME% = *John Doe Chicago* OR %LAST_NAME% = *John Doe Chicago* OR %EMAIL% = *John Doe Chicago*
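As an added example (not CA Identity Portal code), the following Node.js script models all four strategies and the quoted search above against a constructed six-user directory, and reports how many directory queries each strategy issues and how many raw entries it fetches before the portal-side post-filter; the user records, identifiers and function names are this example's own.

```javascript
// Added example, not CA Identity Portal code. It models the four search
// strategies and the quoted-search behaviour described above over a
// constructed in-memory user list; names are this example's own.

// The searchable attributes from the guide's configuration (%FIRST_NAME%, ...).
const SEARCHABLE = ["FIRST_NAME", "LAST_NAME", "EMAIL"];

// Constructed sample directory (fictional people and addresses).
const USERS = [
  { id: "u1", FIRST_NAME: "John",   LAST_NAME: "Doe",         EMAIL: "john.doe@chicago.example" },
  { id: "u2", FIRST_NAME: "John",   LAST_NAME: "Smith",       EMAIL: "jsmith@example.com" },
  { id: "u3", FIRST_NAME: "Jane",   LAST_NAME: "Doe",         EMAIL: "jane.doe@example.com" },
  { id: "u4", FIRST_NAME: "Johnny", LAST_NAME: "Chicago",     EMAIL: "jc@example.com" },
  { id: "u5", FIRST_NAME: "Mary",   LAST_NAME: "Jones",       EMAIL: "mary@example.com" },
  { id: "u6", FIRST_NAME: "Ana",    LAST_NAME: "Doe Chicago", EMAIL: "ana@example.com" },
];

// Split the phrase into words; a phrase wrapped in straight or curly quotes
// is searched as one word (the quoted search capability).
function tokenize(phrase) {
  const t = phrase.trim();
  const quoted = /^["\u201C\u201D](.*)["\u201C\u201D]$/.exec(t);
  if (quoted) return quoted[1].trim() ? [quoted[1].trim()] : [];
  return t.split(/\s+/).filter(Boolean);
}

// "attr = *word*" for one user: case-insensitive substring on any searchable attribute.
function matchesWord(user, word) {
  const w = word.toLowerCase();
  return SEARCHABLE.some((a) => String(user[a] || "").toLowerCase().includes(w));
}

// One directory round-trip: words OR'd together (each word OR'd across attributes).
function queryOr(directory, words) {
  return directory.filter((u) => words.some((w) => matchesWord(u, w)));
}

// One directory round-trip: words AND'd together (each word OR'd across attributes).
function queryAnd(directory, words) {
  return directory.filter((u) => words.every((w) => matchesWord(u, w)));
}

// Server-side post-filter used by ALL and LONGEST: every word must match.
function postFilter(users, words) {
  return users.filter((u) => words.every((w) => matchesWord(u, w)));
}

// Returns the number of directory queries issued, the number of raw entries
// fetched (the load the strategy puts on the directory) and the final ids.
function search(strategy, phrase, directory = USERS) {
  const words = tokenize(phrase);
  if (words.length === 0) return { queries: 0, fetched: 0, ids: [] };
  let queries = 0;
  let fetched = 0;
  let result;
  switch (strategy) {
    case "ALL": {
      queries = 1;
      const raw = queryOr(directory, words);
      fetched = raw.length;
      result = postFilter(raw, words);
      break;
    }
    case "EXACT": {
      queries = 1;
      result = queryAnd(directory, words);
      fetched = result.length;
      break;
    }
    case "SPLITTED_QUERIES": {
      let ids = null;
      for (const w of words) {
        queries += 1;
        const raw = queryOr(directory, [w]);
        fetched += raw.length;
        const found = new Set(raw.map((u) => u.id));
        ids = ids === null ? found : new Set([...ids].filter((id) => found.has(id)));
      }
      result = directory.filter((u) => ids.has(u.id)); // intersection, no duplicates
      break;
    }
    case "LONGEST": {
      queries = 1;
      const longest = [...words].sort((a, b) => b.length - a.length).slice(0, 2);
      const raw = queryAnd(directory, longest);
      fetched = raw.length;
      result = postFilter(raw, words); // drop entries missing the remaining words
      break;
    }
    default:
      throw new Error(`unknown strategy: ${strategy}`);
  }
  return { queries, fetched, ids: result.map((u) => u.id).sort() };
}
```

All four strategies return the same final set for "John Doe Chicago"; they differ in the number of round-trips (SPLITTED_QUERIES issues one per word) and in how many entries the directory has to return before the portal filters them, which is the load the guide is trading off. The quoted form matches only an entry whose single attribute contains the whole phrase, so "Doe Chicago" in quotes finds the double-barrelled surname but not a user whose Doe and Chicago live in different attributes.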

Localize CA Identity Portal

CA Identity Portal supports localization. Localization strings for the following languages are provided out of the box:

Spanish

French

Italian

Portuguese

Japanese

Korean

German

Swedish

The UI screens and UI configuration are available in the languages that are provided out of the box. You must localize the dynamic pages such as Forms and Modules even for the languages that are provided with localization out of the box.

The default language is the language that the user views in the system if:

A different language was not selected previously, or browser cookies were cleared.

Browser locale cannot be resolved or browser locale is not a configured language in the system.

The elements in the system do not contain the translated value in the language the user is currently using.

This article contains the following sections:


Add a Language

You can add one of the four languages that contain localized strings out of the box, or any language that does not contain localized strings, from the list of languages that is displayed in the Admin UI. When you add a translated language, the static pages are automatically translated using the translation provided out of the box.

Important! For any language that you add other than the ones that are translated out of the box, you must translate even the static pages (UI screens and UI configuration).

Follow these steps:

1. Log in to the Admin UI.

2. Navigate to Administration, Localization.

3. Click Add.

4. Select a language that you want to add.

5. Select Configure as default if you want the language that you are adding now to be the default language.

6. Clear the Enable option so that the language is not displayed in the CA Identity Portal until all the pages are translated. Enable the language only after the translation is completed.

7. Click Done. The language that you added is listed next to the default languages in the Localization page.

Localize a Dynamic Page

You must localize the dynamic pages that were created using the primary language (Example: English). You must perform this task even for the languages that have been provided by default.

Follow these steps:

1. Log in to the Admin UI.

2. Navigate to Administration, Localization.

3. Click the dynamic page that you want to localize. Example: Modules

4. Click the Module name to view the name and its attributes.

5. Click the language button to which you want to translate the text.

6. Specify the translated text in the corresponding fields.

7. Click Save. You can now view the Module page with the translated text in the CA Identity Portal.


Delete a Language

You can delete a language at any time using the Admin UI.

Follow these steps:

1. Log in to the Admin UI.

2. Navigate to Administration, Localization.

3. Select the language button that you want to delete.

4. Click Edit.

5. Click Delete Language.

6. Click OK to confirm.

Managed Objects

The user is the most fundamental entity in the CA Identity Portal application. The user entity is a representation of an organizational entity as it exists in the various IM/IG systems connected to CA Identity Portal.

The group entity has been introduced in CA Identity Portal version 1.5 and now allows the management of group objects as well. The group entity like the user entity is a representation of an organizational entity as it exists in the various IM/IG systems connected to CA Identity Portal.

CA Identity Portal does not save organizational users and groups' information. Instead, it fetches the information from the connected systems on demand.

The representation of the CA Identity Portal user and group is defined by mapping of attributes in CA Identity Portal to attributes in the IM/IG systems. To configure that mapping, use the User Info and Group Info sections in the admin UI.

User Info

The user information is derived from mapping the CA Identity Portal user attributes to the IM/IG attributes.

You need to map all the user attributes that you intend to use in the CA Identity Portal UI configuration and in CA Identity Portal's business logic. Search attribute availability varies depending on the connector from which the attributes are being fetched.

For example:

If a CA IM type connector exists in the system, the "First Name" attribute of the CA Identity Portal user can be connected to the %FIRST_NAME% attribute in the CA IM connector. This means that once a user entity is used in CA Identity Portal, the First Name will be fetched from the %FIRST_NAME% attribute of the CA IM connector. The CA IM service task that is used to fetch attributes is configured in the connector as the Default search task parameter. The default service task is SigmaViewUser. The user attributes are fetched from the search screen of this service task and not from the profile screen. If you would like to search on this user attribute in CA Identity Portal, you also need to make this attribute searchable in the IM search screen.


Configuring User Info

Switch to the Environment - User Information tab. The configured attributes will be displayed.

To create a new attribute, click on the New button. For each attribute you'll need to supply a name for that attribute (the CA Identity Portal attribute name), select the connector (from the list of system defined connectors) from which to fetch the information, and select the attribute in the connector to map the attribute to.

If the attribute is configured as searchable in the connected system then CA Identity Portal will allow you to check the box and make the attribute "Searchable" in CA Identity Portal as well. Refer to User Search below for additional information.

Click Save to commit the changes made.

In order to change the existing configuration, simply modify the attributes displayed on the screen and save.

Note: For additional attributes in the user info you must first expose those attributes in the connected task on the endpoint then restart that connector.

User Search

CA Identity Portal allows searching for users in the CA Identity Portal system. This option is available in various modules such as:

Searching for a user to request access for.

Searching for another user when filling a form.

Searching for a similar user in order to compare entitlements.

The CA Identity Portal search is a free text search. The search will look in a set of defined attributes for the keyword(s) entered by the user. To define these attributes, select the "Searchable" checkbox next to the attribute in the User Info tab.

Group Info

The group information is derived from mapping the CA Identity Portal group attributes to the IM/IG attributes.

Group information is optional and need to be configured only if group objects are managed in CA Identity Portal.

You need to map all the group attributes that you intend to use in the CA Identity Portal UI configuration and in CA Identity Portal's business logic.

For example:

If a CA IM type connector exists in the system, the "Group Name" attribute of the CA Identity Portal group can be connected to the %GROUP_NAME% attribute in the CA IM connector. This means that once a group entity is used in CA Identity Portal, the Group Name will be fetched from the %GROUP_NAME% attribute of the CA IM connector. The CA IM service task that is used to fetch attributes is configured in the connector as the Group search task parameter. The default service task is SigmaViewGroup. The group attributes are fetched from the search screen of this service task and not from the profile screen. If you'd like to search on this group attribute in CA Identity Portal you also need to make this attribute searchable in the IM search screen.

Configuring Group Info

Switch to the Environment - Group Information tab. The configured attributes will be displayed.

To create a new attribute, click on the New button. For each attribute you'll need to supply a name for that attribute (the CA Identity Portal attribute name), select the connector (from the list of system defined connectors) from which to fetch the information, and select the attribute in the connector to map the attribute to.

If the attribute is configured as searchable in the connected system then CA Identity Portal will allow you to check the box and make the attribute "Searchable" in CA Identity Portal as well.

Click Save to commit the changes made.

In order to change the existing configuration, simply modify the attributes displayed on the screen and save.

Note: For additional attributes in the group info you must first expose those attributes in the connected task on the endpoint then restart that connector.
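The mapping and search behaviour described above, as an added example (not CA code): a small JavaScript model that validates a User Info mapping against what a connector's search task exposes, rejects a Searchable flag on an attribute the IM search screen cannot search, and runs the free-text search over Searchable attributes only. The connector catalogue, the %NAME% attribute names, the sample records and the AND-ing of keywords are assumptions made for this example.

```javascript
"use strict";

// Added example modelling the User Info mapping and the free-text user
// search; not CA code. The connector catalogue, the %NAME% attribute names,
// the sample records and the AND-ing of keywords are constructed assumptions.

// What the connector's search task exposes, as the Portal would learn it:
// attribute name -> whether the IM search screen allows searching on it.
const CONNECTOR_CATALOG = {
  "CA-IM": {
    "%FIRST_NAME%": { searchable: true },
    "%LAST_NAME%": { searchable: true },
    "%USER_ID%": { searchable: true },
    "%MANAGER_ID%": { searchable: false },
    "%EMAIL%": { searchable: true },
  },
};

// Desired Portal user attributes (the Environment - User Information tab).
const USER_INFO = [
  { name: "FirstName", connector: "CA-IM", attribute: "%FIRST_NAME%", searchable: true },
  { name: "LastName", connector: "CA-IM", attribute: "%LAST_NAME%", searchable: true },
  { name: "UserId", connector: "CA-IM", attribute: "%USER_ID%", searchable: true },
  { name: "ManagerId", connector: "CA-IM", attribute: "%MANAGER_ID%", searchable: true }, // not allowed
  { name: "Phone", connector: "CA-IM", attribute: "%PHONE%", searchable: false }, // not exposed yet
];

// Reject mappings the admin UI would not let you save: unknown connector,
// attribute not exposed by the search task, or Searchable on an attribute
// the IM search screen cannot search. Returns the accepted mappings and
// one problem string per rejected mapping.
function validateUserInfo(mappings, catalog) {
  const accepted = [];
  const problems = [];
  for (const m of mappings) {
    const conn = catalog[m.connector];
    if (!conn) { problems.push(`${m.name}: unknown connector ${m.connector}`); continue; }
    const attr = conn[m.attribute];
    if (!attr) {
      problems.push(`${m.name}: ${m.attribute} is not exposed by the search task of ${m.connector}; expose it on the endpoint and restart the connector`);
      continue;
    }
    if (m.searchable && !attr.searchable) {
      problems.push(`${m.name}: cannot be Searchable, ${m.attribute} is not searchable in the IM search screen`);
      continue;
    }
    accepted.push(m);
  }
  return { accepted, problems };
}

// Map a record as fetched on demand from the connector (keyed by connector
// attribute) to a Portal user keyed by Portal attribute name.
function toPortalUser(record, mappings) {
  const user = {};
  for (const m of mappings) user[m.name] = record[m.attribute];
  return user;
}

// Free-text search: every keyword must appear (case-insensitive) in at least
// one Searchable attribute. Non-searchable and unmapped attributes are never
// consulted, so a keyword that only matches ManagerId or EMAIL finds nobody.
function searchUsers(keywords, users, mappings) {
  const fields = mappings.filter((m) => m.searchable).map((m) => m.name);
  const terms = keywords.trim().toLowerCase().split(/\s+/).filter(Boolean);
  if (terms.length === 0) return [];
  return users.filter((u) =>
    terms.every((t) => fields.some((f) => String(u[f] ?? "").toLowerCase().includes(t))));
}

// Constructed connector records.
const RECORDS = [
  { "%FIRST_NAME%": "Alice", "%LAST_NAME%": "Martin", "%USER_ID%": "amartin", "%MANAGER_ID%": "bjones", "%EMAIL%": "alice@example.test" },
  { "%FIRST_NAME%": "Bob", "%LAST_NAME%": "Jones", "%USER_ID%": "bjones", "%MANAGER_ID%": "", "%EMAIL%": "bob@example.test" },
  { "%FIRST_NAME%": "Alicia", "%LAST_NAME%": "Chen", "%USER_ID%": "achen", "%MANAGER_ID%": "bjones", "%EMAIL%": "alicia@example.test" },
];

const { accepted: ACCEPTED, problems: PROBLEMS } = validateUserInfo(USER_INFO, CONNECTOR_CATALOG);
const USERS = RECORDS.map((r) => toPortalUser(r, ACCEPTED));

console.log(PROBLEMS);                                                      // ManagerId and Phone rejected
console.log(searchUsers("ali mar", USERS, ACCEPTED).map((u) => u.UserId)); // ["amartin"]
console.log(searchUsers("bjones", USERS, ACCEPTED).map((u) => u.UserId));  // ["bjones"], not his reports
```

The two rejected mappings correspond to the two notes above: ManagerId cannot be made Searchable because the IM search screen does not search it, and Phone is not exposed by the search task until it is added to the task on the endpoint and the connector is restarted.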

Modules

Modules are used to enable users' request activities which are not related to access requests (entitlements assignment). Activities of this type may include:

Profile changes – changing an object's name and attributes (such as: user name, user's manager, group name etc.)

Onboarding entities – usually used to onboard users or create groups.

Execute generic requests – these are usually requests that are used to trigger a business process flow.

Module names and objects are flexible and therefore they are referred to as Dynamic Modules.

Note: CA Identity Portal's pre 1.5 versions had onboarding and user management features which have been deprecated in version 1.5. Instead those features are optional and configurable as Dynamic Modules.

Creating a Module

Switch to the Environment - Modules tab.

Click on the New Module button.

Enter the following parameters:

General


Name – the new module's descriptive name as it will appear in the top navigation bar for the end user. Tag is automatically populated based on the name and can be modified.

Template – select the type of module to be created. Once a template is selected, other tabs become available in the configuration of a module with parameters specific for that module template. The following module templates are available:

Create Only – only expose create actions to the end user without going through search screen to search for the object. For example: Onboarding.

Manage Only – only expose management actions to the end user which requires going through search screen to search for the object first. For example: User Management.

Create and Manage – expose both create and management actions to the end user. This requires searching for the object for the manage actions, or clicking the Create New button for the create actions. For example: Vendor Management

Multi Onboard (Bulk and Single)

Registration – perform self-registration tasks through IM public tasks

Self Manage – like Manage Only, but the user doesn't get to search and select other users, instead the requester is automatically selected

Team Management – similar to Self Manage only here it auto selects the users defined in the search condition

Object Type – select the type of object that will be the subject of requests in this module. The available object types are:

USER

GROUP

Template Info – template specific information, the options may change between the different templates.

Allow user to save draft – even if the draft feature is turned on in the profile management you can still control the draft option per module.

Header – the module header that will appear within the module once a module is selected.

Search text box place holder – text to be displayed within the search box. This is only applicable for templates that include object management (such as "Manage Only").


Enable "Continue to Access Rights" – allow the requester to continue to an access request as part of the onboarding request. This feature is only applicable in the Multi Onboard template.

Allow the user to submit action (without request access rights) – allow the requester to submit an onboarding request without continuing to an access request. This feature is only applicable in the Multi Onboard template.

Actions – the actions that will appear for the end user within this module

Click on Add to add a new action.

Enter a display name as it will appear for the end user. Tag will be auto-populated and can be modified.

Category – a name to identify the category on which the task runs. For multi onboarding action this is either SINGLE or BULK which identifies to where this task will be displayed. For other templates the category is free text.

Form – select the form to be displayed for this action. The form is linked to a task so this is also the task that will be triggered upon request.

Note: When the template is Create and Manage you first need to select which action is being created – "Actions for Create" or "Actions for Manage". When the action is of type "create" please refer to Create User for more information.

Search – search parameters, this tab is only applicable for templates that include object management (such as "Manage Only")

Results Text – add text and/or User/Group info parameters that you would like to be displayed in the Upper and Lower search results.

Predefined search – defines the default search that will be performed upon entering the page. Use either a static value or the value of another attribute to define the search. For example: search attribute equals ManagerID, userInfo field equals UserId will retrieve all the subordinates of the logged-in user.

Search Condition – filter the search results based on an object attribute.

More Info – when search results are displayed each object has an option for a "More Info" tooltip. The tooltip content is configurable here based on user/group info.

Landing page icon – new modules will automatically appear in the top navigation bar but by default they don't have a landing page icon. Select a landing page icon if you'd like this module to be available from the home page.

Click Save to commit.

Note: In order for a new module to be visible to users it needs to be added to at least one profile. Refer to the Profiles section for additional information.


Profiles

CA Identity Portal Profiles define what modules and features are exposed to the user when they log into CA Identity Portal. If no profiles are defined (default settings) the user that logs in won't see any module.

It is recommended to create a default profile for all users with basic functionality exposed.

Profiles also control what type of requests can be seen under the "My Requests" section. The default view is the requests that the user submitted, but additional views can be defined using Profiles which allow the user to track requests made by other people. This is a useful administrative view for application owners, managers etc.

Configuring Profiles

Go to the Environment - Profiles tab.

The existing profiles are displayed; they can be edited or deleted.

Click on New Profile.

Enter the following parameters:

Name – the profile's display name (if this profile is used for request tracking then this will be the name displayed for the user under "My Requests")

Tag will be auto populated based on the name

Members scope

Apply to all users – this profile configuration will apply to all users in the system

Configure members rule – this profile will apply only to the users defined in this rule

Click on Add Rule

Select if All or Any of the rules will apply

Select the type of condition:

Target Permission Condition

Group – this will allow to define a sub group of rules

Select the condition (Contains All or Contains)

Select the target permission(s)

Features – select the features that will be available to the users that the member scope applies for.


Modules – select the modules that will be available to the users that the member scope applies for.

Note: If you create a dynamic module it will appear here in the list. In order to expose it to users you will need to identify or create the right profile and check the box for the newly created dynamic module.

Request Tracking Scope – use this section if you want this profile to be added to the users' "My Requests" module to allow them to view other people's requests.

Click on Add Rule

Select if All or Any of the rules will apply

Select the type of condition:

Object

Group – this will allow to define a sub group of rules

Select the condition (Contains All or Contains)

Select the type of objects in scope:

Permission

Target Permission

Application

Module Action

Select the specific object(s)

Risks

CA Identity Portal provides a real-time context-based RISK ANALYZER & SIMULATOR. It's based on an advanced, robust rules engine that calculates user risk scores in real time.

It offers an easy-to-use, configurable user-centric Risk Model that identifies areas of risk within the organization caused by users with high risk scores. It also enables organizations to strategically prioritize security and compliance activities to focus proactive controls on the areas of higher risk, as follows:

Calculates and displays users' risk scores and Alerts whenever it detects a risky user

Updates risk scores continually based on changes to user access privileges, user attributes and other relevant compensating factors

Simulates in real time the user's risk score changes in the context of access requests, including permissions requested in the cart

Implements three levels of preventive controls across IAM processes, based on risk and violation types and levels, when high-risk users or violating transactions are detected:

First level - Informative – alert on violation

Second level – collect justification from the user in order to continue request


Third level – prevent the user from continuing with his action

Displays violations (and justifications) to approver to support approver's decision

Audits violations and tracks them throughout the end-to-end process

Enabling Risks

In order to start using risks, they must first be enabled in CA Identity Portal:

Go to the Administration - General Configuration tab.

Check the Enable Risk box to enable risks, or uncheck it to disable them.

Click Save.

The maximum risk level is configured as part of the UI Configurations:

Go to the UI Configuration tab.

Set the "risk_max_level" parameter (default is 1000).

Click Save.

Configuring Risks

Go to the Security - Risks tab.

Existing risks are displayed and can be edited/deleted.

Click on Configure New Risk.

Define base parameters for the risk.

Name – logical name of the risk.

Tag is automatically filled out based on the name.

Score – define the risk score for this risk (take into consideration the maximum risk level defined in the UI Configuration).

Risk Behavior – define the behavior of CA Identity Portal when a risk is identified. There are three different types of available behaviors:

Informative – a notification will be displayed for the user but they will be allowed to continue with the request

Requires justification – a notification will be displayed for the user and if they want to continue with the request they will be required to enter a justification for the request

Enforcive – a notification will be displayed and the user will not be allowed to continue with the request


Message – the message that will be displayed for the user when the risk is identified

Define the conditions(s) for the risk

Select if all of the rules or any of the rules below must apply for the risk to be identified.

To add another rule click on Add Condition.

Select the parameter to evaluate for the rule; the rule configuration changes based on the parameter.

Group – Use group to define another layer of nesting in the condition. For example (GROUP: Condition A AND Condition B) OR Condition C.

User's permissions

Select the condition for the permissions

Select the permissions

User's attribute

Select the attribute

Select the condition for the attribute

Enter a string for the condition

Violations from external source

When using this type of condition CA Identity Portal will transform the permissions in the cart to the target permissions to which they are linked, then transform those to a list of compliance target permissions and send them for evaluation to the external systems.

The external systems are all systems capable of performing a compliance check that CA Identity Portal has a connector to (for example, Identity Governance).

These systems return violations if any exist.

This rule will then filter the violations according to the definition in the condition filter. For example, if we defined to only show violations that are related to Permission X, all violations that do not include Permission X will be discarded.

If "include violations with external entitlements" is checked then violations that include items that CA Identity Portal is not familiar with (not mapped as a target permission) will not be ignored.

Only violations that are related to permissions in the Cart will be used.

If a violation is fetched it will be displayed under this rule. In turn, the user will be shown this risk message, with all the violations fetched from the external system underneath it.


The violations fetched from an external source inherit the behavior of the risk that fetched them. The score they receive is the score of that risk.
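The rule trees used by both the Profiles member scope (All/Any, Contains All/Contains, nested Group) and the Risk conditions above, together with the real-time cart simulation and the external-violation filtering, as one added JavaScript example (not CA code). The rule object shape, the behavior ordering (informative, then justification, then enforcive), the summing of triggered risk scores capped at risk_max_level, and the sample data are assumptions made for this example.

```javascript
"use strict";

// Added illustrative model of the Portal's condition trees (Profiles member
// scope and Risk conditions) and of risk simulation against the cart; not CA
// code. Rule shapes, behaviour ordering, score aggregation (sum of triggered
// risks, capped at risk_max_level) and sample data are constructed assumptions.

const BEHAVIOR_RANK = { none: 0, informative: 1, justification: 2, enforcive: 3 };

// A rule is either a group (All/Any of nested rules) or a leaf:
//   permissions: Contains All / Contains against the subject's permissions
//   attribute:   compare one subject attribute with a string
// "Violations from external source" is not evaluated here; see
// filterExternalViolations, which models the fetch-and-filter step instead.
function evaluateRule(rule, subject) {
  switch (rule.type) {
    case "group": {
      const results = rule.rules.map((r) => evaluateRule(r, subject));
      return rule.match === "all" ? results.every(Boolean) : results.some(Boolean);
    }
    case "permissions": {
      const have = new Set(subject.permissions);
      return rule.cond === "containsAll"
        ? rule.values.every((p) => have.has(p))
        : rule.values.some((p) => have.has(p));
    }
    case "attribute": {
      const actual = String(subject.attributes[rule.name] ?? "");
      if (rule.cond === "equals") return actual === rule.value;
      if (rule.cond === "contains") return actual.includes(rule.value);
      throw new Error(`unknown attribute condition: ${rule.cond}`);
    }
    default:
      throw new Error(`unknown rule type: ${rule.type}`);
  }
}

// Profiles: a profile applies when its member rule matches the logged-in
// user's target permissions. A profile without a rule applies to all users.
function profileApplies(profile, user) {
  if (!profile.memberRule) return true;
  return evaluateRule(profile.memberRule, { permissions: user.permissions, attributes: {} });
}

// "Violations from external source": keep only violations that touch a target
// permission in the cart, that pass the condition filter, and (unless
// includeExternal is set) that contain no item the Portal has not mapped.
// Kept violations inherit behaviour and score from the fetching risk.
function filterExternalViolations(risk, rule, violations, cartTargetPerms, knownTargetPerms) {
  const cart = new Set(cartTargetPerms);
  const known = new Set(knownTargetPerms);
  return violations
    .filter((v) => v.items.some((i) => cart.has(i)))
    .filter((v) => rule.includeExternal || v.items.every((i) => known.has(i)))
    .filter((v) => rule.filterPermissions.length === 0 || rule.filterPermissions.some((p) => v.items.includes(p)))
    .map((v) => ({ id: v.id, items: v.items, behavior: risk.behavior, score: risk.score }));
}

// Real-time simulation: the subject is evaluated with current permissions
// plus the cart; the strictest behaviour among triggered risks wins.
function simulateRisk(risks, user, cart, riskMaxLevel) {
  const subject = { permissions: [...user.permissions, ...cart], attributes: user.attributes };
  const triggered = risks.filter((r) => evaluateRule(r.condition, subject));
  const behavior = triggered.reduce(
    (worst, r) => (BEHAVIOR_RANK[r.behavior] > BEHAVIOR_RANK[worst] ? r.behavior : worst), "none");
  const raw = triggered.reduce((sum, r) => sum + r.score, 0);
  return {
    score: Math.min(raw, riskMaxLevel),
    behavior,
    messages: triggered.map((r) => r.message),
    canContinue: behavior !== "enforcive",
    needsJustification: behavior === "justification",
  };
}

// Constructed sample risks: a segregation-of-duties style risk written as
// (GROUP: CreateVendor AND ApprovePayment) OR Department contains "Finance",
// and an enforcive risk on a single permission.
const sodRisk = {
  name: "Pay-and-approve SoD", score: 600, behavior: "justification",
  message: "Requester would be able to both create vendors and approve payments",
  condition: { type: "group", match: "any", rules: [
    { type: "group", match: "all", rules: [
      { type: "permissions", cond: "containsAll", values: ["CreateVendor", "ApprovePayment"] } ] },
    { type: "attribute", name: "Department", cond: "contains", value: "Finance" } ] },
};
const adminRisk = {
  name: "Domain admin", score: 1000, behavior: "enforcive",
  message: "Domain administration cannot be requested through the portal",
  condition: { type: "permissions", cond: "contains", values: ["DomainAdmin"] },
};
const RISKS = [sodRisk, adminRisk];
const alice = { permissions: ["CreateVendor"], attributes: { Department: "Procurement" } };

console.log(simulateRisk(RISKS, alice, [], 1000));                 // nothing triggered
console.log(simulateRisk(RISKS, alice, ["ApprovePayment"], 1000)); // justification, score 600
console.log(simulateRisk(RISKS, alice, ["DomainAdmin"], 1000));   // enforcive, score 1000
```

Because the simulation evaluates current permissions plus the cart, adding ApprovePayment to Alice's cart triggers the SoD risk even though neither permission is risky on its own; with both risks triggered the summed score would exceed the meter, so it is capped at risk_max_level and the enforcive behavior blocks the request.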

Services

Service Actions

Service actions can be referred to as internal service tasks in CA Identity Portal. They are configured almost the same way as module actions but they are not visible to end users. Instead they are referred to from scripts within other forms and are mainly used to retrieve data using service tasks on the connectors. For example: on the CA IM connected system build a service task that calculates and returns information then link it to a service action and call it from a script on one of the forms.

Configuring Service Actions

Before configuring a service action, the task and form need to be configured so they can be linked to the service action.

Switch to the Services - Service Actions tab.

Click the Manage Service Action button; the existing Service Actions are displayed.

Click Add.

Enter the required parameters:

Display Name, Tag is auto populated based on the display name.

Category is optional.

Select the managed object type for the task (user, group or none).

Select the form that is linked to the service task.

Click Save.

Plugins

Plugins are either Java or RhinoJS (server-side JavaScript) code executed on the CA Identity Portal server that can be used to enrich the business logic configured in CA Identity Portal. Examples of using plugins:

Fetching available form prop values from external database.

Validating a file's content.

Performing complex validation logic.

Refer to the CA Identity Suite Developer Guide for more information about using Plugins.

Templates

Templates are a communication mechanism from CA Identity Portal to the end user. The current version supports email templates that enable business logic within the application to send emails to the user.

Note: Version 1.6 supports only email templates associated with the One Time Password Authenticator, used to send the user its temporary password.

To configure Templates:

Switch to the Environment - Templates tab.

Click on New Template.

Enter the required parameters.

Name as the template descriptive name.

Tag (Auto populated)

Connector – the associated connector for which the template is serving.

Template Name – the functionality of template.

Sender class name – the communication method with the user.

Configure Template specific parameters. For example email information for sending mail.

Variables can be used in the email message; they are referred to by typing { and then the available variables appear. For example, when sending the user's one time password the variable to be used is: {data.USER_OTP}.

Click Save.

UI Configuration

The UI Configuration tab allows you to define the information displayed in various places throughout the CA Identity Portal application. The following is configurable:

The presentation of user information in various places in the application. For example: display the "First Name" and "Last Name" in the search results of the Access Rights search.

The messages displayed to users in case no items are available. For example: in the Tasks module, if no pending approvals are awaiting, the user can be prompted with a configured message such as "No pending approval, have a nice day"

Implementation specific information, such as:

System unique identifiers – used to instruct users to search bulk files.

Predefined search – For example, how to search for the user's (organizational) subordinates.

UI Configuration

Switch to the Environment - UI Configuration tab.


Configure each of the parameters as desired, or click on Use default to set a parameter to its CA Identity Portal default configuration. For first-time use, a Reset to default button is available at the bottom of the screen; this will reset all parameters to CA Identity Portal defaults.

The configurable parameters are displayed on the screen. The available User attributes are listed at the bottom under User Info. By hovering over each of the fields, the application context which this parameter refers to will be displayed.

To simplify the configuration you can type the "{" key and the system will display the available user attributes that are defined in the system.

To save the UI Configuration click on Save.

Note: In case you supplied a user attribute which is not defined, the system will display it in the list on the right under Not configured. In addition, you'll be prompted with a message about undefined attributes in the User Info tab.

User Related

Search_result – When clicking on Access -> User search -> Searching for a user. The upper part of each search result will be the parameters configured in this attribute.

Search_result_bottom – When clicking on Access -> User search -> Searching for a user. The bottom part of each search result will be the parameters configured in this attribute.

Approval_details – In Tasks -> Approval or Implementation table, the requester display attributes.

Approval_table – In Tasks -> Approval or Implementation table, the target user display attributes.

User_selector_displayname – When using a user selector prop, after the user is selected, the display name that is displayed on the form.

Dashboard_approvals – The approvals target user display name in the dashboard view.

User_dialog_info1/2/3 – These attributes control the display of the user in multiple places:

In Access -> Search a user -> hover on a user from the search result; when clicking on the more info link a user tooltip will be displayed, and these parameters control that.

In User selector prop -> when selecting a user from the results, the user details will be displayed on the right.

On My requests and approval timeline when hovering on a user -> a tooltip with the user details will be displayed.

approval_details_requester – In Tasks/Implementation, in the middle pane, the requester information.

penders_display – In Tasks/Implementation, in the right pane, the information of the pending approver.

Bulk_upload_attributes – The attributes by which a requester can uniquely identify the users in a bulk request file.

strict_cart_mode – Default is false; if set to true the requester won't see current permissions of another user if the requester doesn't have the permission to request them.

hide_non_scoped_current_perms – Default is false; if set to true the requester won't see current permissions of another user if the requester doesn't have the permission to request them.

User_displayname – The default parameter to control what to display when showing a user. Used in:

Hello message in the upper dashboard.


When displaying the user in the access rights (after selecting the user to request access for).

Right panel display when selecting multiple users in access search.

The selected user in the similar user table in the top of the middle pane.

Display of the user in the risk summary dialog.

Display of the users in the bulk dialog in approvals.

no_current – Message to be displayed in access rights module when user has no current permissions.

no_campaigns – Message to be displayed in the campaigns view when there are no campaigns.

No_requests – Message to be displayed to the user when there are no requests.

No_implementation – Message to be displayed to the user when there is no implementation pending.

No_penders – In the dashboard, when clicking on a request in the right pane, if the request is not pending for anyone, this message will be displayed.

Namedquery_<subordinates> – Defines the predefined search that is performed when the user enters the access search. The structure should be <logged_in_user_attribute>,<attribute to search in>. For example, if we define UserId,Manager then the logged-in user's UserId will be searched in the Manager attribute of all users, which returns all of the user's subordinates.

Risk_max_level – The max value to be displayed in the risk meter.

Similar_user_table – In the Access view, click on Add Systems and switch to the similar user view; the search results will be displayed in a table defined by this parameter.

Users_info_table – In modules that are defined to operate on object type USER. When searching for a user, a more info link will be displayed on each search result; when hovering on that link a tooltip with this configuration will be displayed ONLY if nothing is configured in the more info configuration in the module configuration.

Strict_cart_mode – This parameter controls the behavior of the cart in the access rights module.

Note: Other attributes might appear in admin UI configuration. These attributes are deprecated and are saved for backward compatibility.

Group Related

group_displayname – The default display of the group object.

approval_table – The display in the Tasks Approval/Implementation table in case the approval is for a group object.

approval_details – The display of the target object in the middle pane in the tasks if the approval is for a group object.

group_info_table – In modules that are defined to operate on object type GROUP. When searching for a group, a more info link will be displayed on each search result; when hovering on that link a tooltip with this configuration will be displayed ONLY if nothing is configured in the more info configuration in the module configuration.
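How the UI Configuration strings, the Namedquery predefined search and hide_non_scoped_current_perms behave together, as an added JavaScript example (not CA code). The {Attribute} placeholder syntax follows the "{" completion described above; the attribute names, the sample directory, the requester's scope and the treatment of hide_non_scoped_current_perms as the string "true" are assumptions made for this example.

```javascript
"use strict";

// Added example of the UI Configuration placeholders, the Namedquery
// predefined search and the scoped view of current permissions; not CA code.
// Attribute names, sample directory and requester scope are constructed.

// Portal user attributes defined in User Info (constructed).
const DEFINED_ATTRIBUTES = ["FirstName", "LastName", "UserId", "Manager", "Title"];

// Constructed UI Configuration values. Placeholders use {Attribute}.
const UI_CONFIG = {
  User_displayname: "{FirstName} {LastName}",
  Search_result: "{FirstName} {LastName} ({UserId})",
  Search_result_bottom: "{Title} - reports to {ManagerName}", // ManagerName is not defined
  Namedquery_subordinates: "UserId,Manager",
  no_current: "This user has no current permissions",
  hide_non_scoped_current_perms: "true",
};

// Collect the placeholders of a template that are not defined in User Info,
// the way the admin UI lists them under "Not configured".
function undefinedPlaceholders(template, defined) {
  const found = [...template.matchAll(/\{([^{}]+)\}/g)].map((m) => m[1]);
  return found.filter((name) => !defined.includes(name));
}

// Report every UI Configuration key that references an undefined attribute.
function checkUiConfig(config, defined) {
  const report = {};
  for (const [key, value] of Object.entries(config)) {
    const missing = undefinedPlaceholders(value, defined);
    if (missing.length) report[key] = missing;
  }
  return report;
}

// Render a configured string for one user; unknown attributes render empty.
function render(template, user) {
  return template.replace(/\{([^{}]+)\}/g, (_, name) => (user[name] ?? "")).trim();
}

// Namedquery: "<logged_in_user_attribute>,<attribute to search in>".
// "UserId,Manager" searches the logged-in user's UserId in every user's
// Manager attribute, i.e. it returns the direct reports. An empty needle
// (e.g. a user without a manager) deliberately matches nobody rather than
// every user whose attribute is also empty.
function predefinedSearch(spec, loggedIn, directory) {
  const parts = spec.split(",").map((s) => s.trim());
  if (parts.length !== 2 || !parts[0] || !parts[1]) throw new Error(`bad Namedquery spec: ${spec}`);
  const [ownAttr, searchAttr] = parts;
  const needle = loggedIn[ownAttr];
  if (needle === undefined || needle === "") return [];
  return directory.filter((u) => u[searchAttr] === needle);
}

// hide_non_scoped_current_perms: when true, the requester sees only those of
// the target user's current permissions that the requester may request.
function visibleCurrentPermissions(config, requesterScope, targetCurrent) {
  if (config.hide_non_scoped_current_perms !== "true") return [...targetCurrent];
  const scope = new Set(requesterScope);
  return targetCurrent.filter((p) => scope.has(p));
}

// Constructed directory.
const DIRECTORY = [
  { UserId: "bjones", FirstName: "Bob", LastName: "Jones", Manager: "", Title: "Director" },
  { UserId: "amartin", FirstName: "Alice", LastName: "Martin", Manager: "bjones", Title: "Analyst" },
  { UserId: "achen", FirstName: "Alicia", LastName: "Chen", Manager: "bjones", Title: "Engineer" },
  { UserId: "dlee", FirstName: "Dan", LastName: "Lee", Manager: "amartin", Title: "Intern" },
];

console.log(checkUiConfig(UI_CONFIG, DEFINED_ATTRIBUTES));     // { Search_result_bottom: ["ManagerName"] }
console.log(render(UI_CONFIG.User_displayname, DIRECTORY[1])); // "Alice Martin"
console.log(predefinedSearch(UI_CONFIG.Namedquery_subordinates, DIRECTORY[0], DIRECTORY).map((u) => u.UserId)); // ["amartin", "achen"]
console.log(visibleCurrentPermissions(UI_CONFIG, ["ReadReports", "SubmitExpense"], ["ReadReports", "SubmitExpense", "ApprovePayment"]));
```

Running checkUiConfig before saving catches the same mistake the admin UI flags as Not configured; the scoped view of current permissions matters because a requester who may not request ApprovePayment should also not learn who already holds it.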

Understanding Scoping

Before diving into specific configurations in CA Identity Portal, it is important to understand CA Identity Portal's scoping mechanism.

Administrative roles are used in identity management for managing individual business requirements. A role defines what operations can be performed by a user.


These operations define the ability of a user to acquire access (or request it) for different entitlements or business flows in the organization.

When a user logs in to CA Identity Portal, this information is pulled by the CA Identity Portal connectors. CA Identity Portal then calculates and translates this information and allows the user to request access or trigger flows only for what they are allowed to. This calculation is performed in several scenarios:

After selecting a user in the access module - CA Identity Portal calculates which permissions the logged-in user is allowed to request for the selected user.

In dynamic modules – CA Identity Portal calculates which invocation operations (operations of type USER and GROUP) are within the logged-in user's scope on the selected user.

CA Identity Portal offers an additional layer of scoping in the access module which can be configured in the target permission's rule. Refer to Target Permission Rules for more information. For specific scoping configurations refer to Scoping.

Administrating CA Identity Suite Virtual Appliance (vApp)

On logging into the web UI, a Dashboard is displayed. The Dashboard lets you monitor the services, view the application URLs, download external tools and view the Setup menu for additional configuration.

This article contains the following sections:

Using The Login Shell

Available aliases:

Available privileged commands (sudo):

Required Network Ports

Log Files Location

Supported Custom Files

Uploading and Replicating Custom Files

Replacing the vApp Web UI SSL Certificate

External Data-source management (vApp 12.6.8 CR2 only)

Adding an external data source

Removing an external data source

Custom JVM arguments (vApp 12.6.8 CR2 only)

Customizing the JVM startup arguments

Custom host records (vApp 12.6.8 CR2 only)

Modifying Identity Manager branding (vApp 12.6.8 CR2 only)


Using The Login Shell

After the initial CLI (text-based) configuration of the vApp, the login shell for the config user is available for use (vApp 12.6.8 CR2 only). When using vApp 12.6.8 CR1, the login shell is only available after a deployment operation has started (from the Web UI).

Available aliases:

The following aliases (command shortcuts) are available in the vApp login shell:

s

Perform a solution health status check and display the console-based output. Note: the output is immediately set as the login banner.

compressLogs

Compresses all application and vApp log files to a tar.gz archive file that resides in the home directory (e.g. /home/config/vApp_logs_<hostname>_<date>.tgz)

selectTimeZone

Allows configuring the server time-zone

setTimeAndDate

Allows configuring the server date and time

resetInternalDB

Resets the embedded (Oracle 11g Express) database state (deleting all IDM, IP and IG environment data and configurations, while restoring them to the “clean” vApp state)

upgrade_vapp

Upgrades the Virtual Appliance with the given upgrade package name

rollback_vapp

Rolls back a previously installed upgrade

set_log_level_ip

Sets the application log level of Identity Portal

set_log_level_ig

Sets the application log level of Identity Governance

set_log_level_cs

Sets the application log level of the JCS

CreateIDMAuthDir


Creates the IDM Authentication Directory (in case it failed to create automatically during the deployment)

Note: Only valid when using an external database with the vApp.

EnableIdmMgmtConsoleSecurity

Enables the IDM User Console Authentication Filter Security

DisableIdmMgmtConsoleSecurity

Disables the IDM User Console Authentication Filter Security

DisableIdmAuthFilterSecurity

Enables the IDM Management Console Security

EnableIdmAuthFilterSecurity

Disables the IDM Management Console Security

measure_io_performance

Measures disk write throughput by writing a 1GB sized file (zero-padded) to a temporary directory on the “/” partition

configureExternalDataSources

Synchronizes the defined custom data-source property files from "/opt/CA/VirtualAppliance/custom/<APP>/dataSources" across all nodes and applies them to all nodes running either the Identity Portal or Identity Manager applications

removeJBossDatasource

Removes a defined custom data-source, referenced as an argument pointing to a property file located in "/opt/CA/VirtualAppliance/custom/<APP>/dataSources", across all nodes running either the Identity Portal or Identity Manager applications

restart_ig

Restart Identity Governance application

restart_jcs

Restart the Connector Server

restart_rs

Restart Report Server application

restart_im

Restart Identity Manager application

restart_ip

Restart Identity Portal application


restart_oracle

Restart the internal Oracle 11g Express database (if deployed)

restart_ps

Restart the Provisioning Server

start_dxserver

Start all CA directory DSAs

start_ig

Start Identity Governance application

start_jcs

Start the Connector Server

start_rs

Start Report Server application

start_im

Start Identity Manager application

start_ip

Start Identity Portal application

start_oracle

Start the internal Oracle 11g Express database (if deployed)

start_ps

Start the Provisioning Server

stop_dxserver

Stop all CA directory DSAs

stop_ig

Stop Identity Governance application

stop_jcs

Stop the Connector Server

stop_rs

Stop Report Server application

stop_im


Stop Identity Manager application

stop_ip

Stop Identity Portal application

stop_oracle

Stop the internal Oracle 11g Express database (if deployed)

stop_ps

Stop the Provisioning Server

tail_cs_log

Monitor the Connector Server log

tail_ig_log

Monitor Identity Governance application log

tail_rs_log

Monitor Report Server application log

tail_im_log

Monitor Identity Manager application log

tail_ip_log

Monitor Identity Portal application log

tail_ps_log

Monitor the Provisioning Server log

tdl

Monitor the vApp deployment log

tvl

Monitor the vApp main log

twl

Monitor the vApp web-server log

view_cs_log

View the Connector Server log

view_ig_log

View Identity Governance application log


view_rs_log

View Report Server application log

view_im_log

View Identity Manager application log

view_ip_log

View Identity Portal application log

view_ps_log

View the Provisioning Server log

vdl

View the vApp deployment log

vvl

View the vApp main log

vwl

View the vApp web-server log

Available privileged commands (sudo):

The following commands can be executed with elevated privileges (by prefixing them with the "sudo" command) as the config user:

poweroff

shutdown

reboot

All init scripts in /etc/init.d/

/opt/CA/wildfly-portal/bin/add-user.sh

/opt/CA/wildfly-idm/bin/add-user.sh

/opt/CA/wildfly-ig/bin/add-user.sh

vim /etc/ntp.conf

date

mount (vApp 12.6.8 CR2 only)


Required Network Ports

The following network port requirements are for the vApp only:

Note: Review the CA Identity Suite documentation for product-specific requirements (CA Identity Manager, CA Identity Governance, CA Identity Portal).

Application / Service | From | To | Destination Port | Details
SSH | All vApp servers | All vApp servers | TCP/22 | For remote administration using SSH (optional)
SSH (remote administration) | Customer network | All vApp servers | TCP/22 | Mandatory – for vApp internal health checks
CA Identity Governance | All vApp servers | All vApp servers | TCP/8082 | Mandatory – for vApp internal health checks
CA Identity Manager | All vApp servers | All vApp servers | TCP/8080 | Mandatory – for vApp internal health checks
CA Identity Portal | All vApp servers | All vApp servers | TCP/8081 | Mandatory – for vApp internal health checks
Web UI and Embedded Proxy / Load-Balancer | Customer network | All vApp servers | TCP/80, TCP/443 | Mandatory – for customers to access the applications (Identity Portal, Identity Manager, Identity Governance) – handled by an internal proxy/load-balancer listening on ports 80 and 443

Log Files Location

The vApp includes symbolic links to all application / service log files and directories in the /opt/CA/VirtualAppliance/logs directory. The default locations of the log files of all applications / services are listed here (these are the actual files referenced by the symbolic links):

CA Identity Portal

/opt/CA/wildfly-portal/standalone/log/server.log

CA Identity Manager

/opt/CA/wildfly-idm/standalone/log/server.log

CA Identity Governance

/opt/CA/wildfly-ig/standalone/log/eurekify.log

Provisioning Server

/opt/CA/IdentityManager/ProvisioningServer/logs/im_ps.log

Connector Server


/opt/CA/IdentityManager/ConnectorServer/jcs/logs/jcs_daily.log

vApp main log

/opt/CA/VirtualAppliance/logs/ca_vapp_main.log

vApp deployment log

/opt/CA/VirtualAppliance/logs/ca_vapp_deployment.log

vApp web-server log

/opt/CA/VirtualAppliance/logs/ca_vapp_webui.log

Supported Custom Files

The following CA Identity Suite components support custom files:

CA Identity Portal

Resources – for shared logos, background, user pictures and language files

Plugins – for custom java-based server-side plugins

CA Identity Manager

user_console\lib folder - for Custom Connector Role Definitions

custom folder - for custom IDM components such as Event Listeners, LAHs, etc.

SiteMinder folder – contains SiteMinder ra.xml file (see IDM Integration with SSO section)

Uploading and Replicating Custom Files

When using the vApp, use an SCP utility (such as "WinSCP") to upload any custom files to the /opt/CA/VirtualAppliance/custom/ directory, under the corresponding sub-directory:

/opt/CA/VirtualAppliance/custom/IdentityManager
/opt/CA/VirtualAppliance/custom/IdentityPortal
/opt/CA/VirtualAppliance/custom/apache-ssl-certificates

Note: When CA Identity Manager or CA Identity Portal are installed in a cluster, perform the following additional steps:

1. Upload or create the custom file on one node.

2. Open a CLI or SSH terminal on the same node.

3. Change to the directory where the files were created or uploaded.

4. Run the following script to synchronize the custom files to all other nodes. This performs a "push" replication from the current node to all other nodes:

vapp_sync


Replacing the vApp Web UI SSL Certificate

The following directory contains the SSL certificates used by the built-in vApp management Web-UI:

/opt/CA/VirtualAppliance/custom/apache-ssl-certificates

You can replace the following files with your own generated SSL certificates in Apache HTTP server compatible format:

localhost.crt (public key)

localhost.key (private key)

Notes:

Verify that you keep a backup of the certificates before replacing them

After replacing the certificates, run the following command to reload the web server on every server on which the certificates were replaced. The server will start with the replaced certificates:

sudo /etc/init.d/httpd reload

Note: if the certificate pair is missing/invalid, an error message is displayed on the console.

External Data-source management (vApp 12.6.8 CR2 only)

The vApp supports configuring external data-sources on the Identity Manager and Identity Portal application servers. Both Oracle and MS SQL server are supported.

Adding an external data source

Create the data-source property file in the following location:

For Identity Manager: /opt/CA/VirtualAppliance/custom/IdentityManager/dataSources
For Identity Portal: /opt/CA/VirtualAppliance/custom/IdentityPortal/dataSources

Use the following format when creating the file:

IMAG_PACKAGE=IM or IP
DB_TYPE=ORACLE or MSSQL
DATASOURCE_NAME=my-ds
DB_URL=jdbc:sqlserver://host:port or jdbc:oracle:thin:@host:port:sid or jdbc:oracle:thin:@//host:port/service_name
DB_USER=username
DB_PASSWORD=password

For example, Identity Portal with Oracle data-source, with SID specification:

IMAG_PACKAGE=IP
DB_TYPE=ORACLE
DATASOURCE_NAME=test-ds
DB_URL=jdbc:oracle:thin:@10.0.0.163:1521:xe
DB_USER=test_user
DB_PASSWORD=1234

Run the following alias:

configureExternalDataSources

The data-sources are automatically created/updated.

The following message appears in the application server log file, indicating the JNDI data-source name:

INFO  [org.jboss.as.connector.subsystems.datasources] (MSC service thread) JBAS010400: Bound data source [java:jboss/datasources/jdbc/my-test-ds]

You can reference this data-source within Java/Rhino code using the following syntax:

var dataSource  = initialContext.lookup("java:jboss/datasources/jdbc/test-ds");
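As an added example (not CA code), here is a small Python validator for a data-source property file: it checks the required keys, the IMAG_PACKAGE and DB_TYPE values, and that DB_URL has one of the three shapes listed above. The DATASOURCE_NAME character rule, the tolerance for trailing MSSQL URL properties and the sample file content are assumptions of this example.

```python
"""Validate a vApp external data-source property file before running
configureExternalDataSources.  Added example, not CA code: the file format and
the accepted DB_URL shapes come from the section above; the checks, the
DATASOURCE_NAME character rule and the sample file are this example's own.
"""
import re

REQUIRED_KEYS = ("IMAG_PACKAGE", "DB_TYPE", "DATASOURCE_NAME",
                 "DB_URL", "DB_USER", "DB_PASSWORD")
PACKAGES = {"IM", "IP"}

# Accepted JDBC URL shapes per DB_TYPE, as documented above.  The MSSQL shape is
# matched as a prefix so trailing ";property=value" pairs are tolerated (an
# assumption of this example; the page shows only host:port).
URL_PATTERNS = {
    "MSSQL": (re.compile(r"^jdbc:sqlserver://[^:/\s;]+:\d+"),),
    "ORACLE": (
        re.compile(r"^jdbc:oracle:thin:@[^:/\s@]+:\d+:[^\s/:]+$"),    # host:port:sid
        re.compile(r"^jdbc:oracle:thin:@//[^:/\s@]+:\d+/[^\s/:]+$"),  # //host:port/service_name
    ),
}

# Constructed sample: the Identity Portal / Oracle SID example from the page.
EXAMPLE_FILE = """\
IMAG_PACKAGE=IP
DB_TYPE=ORACLE
DATASOURCE_NAME=test-ds
DB_URL=jdbc:oracle:thin:@10.0.0.163:1521:xe
DB_USER=test_user
DB_PASSWORD=1234
"""


def parse_datasource_file(text):
    """Parse KEY=VALUE lines into a dict.  Blank lines and '#' comments are
    skipped; any other line without '=' is a syntax error, not silently ignored."""
    props = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected KEY=VALUE, got {line!r}")
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def validate_datasource(props):
    """Return a list of problems; an empty list means the file is acceptable."""
    problems = [f"missing or empty {key}" for key in REQUIRED_KEYS if not props.get(key)]
    if problems:
        return problems  # no point checking values that are not there
    if props["IMAG_PACKAGE"] not in PACKAGES:
        problems.append(f"IMAG_PACKAGE must be one of {sorted(PACKAGES)}")
    db_type = props["DB_TYPE"]
    if db_type not in URL_PATTERNS:
        problems.append(f"DB_TYPE must be one of {sorted(URL_PATTERNS)}")
    elif not any(p.match(props["DB_URL"]) for p in URL_PATTERNS[db_type]):
        problems.append(f"DB_URL does not match an accepted {db_type} JDBC URL shape")
    # This example's own rule: the name becomes part of the JNDI name.
    if not re.fullmatch(r"[A-Za-z0-9_-]+", props["DATASOURCE_NAME"]):
        problems.append("DATASOURCE_NAME should contain only letters, digits, '-' or '_'")
    return problems


def jndi_name(props):
    """JNDI name the application server reports once the data source is bound
    (the 'Bound data source' log line above)."""
    return f"java:jboss/datasources/jdbc/{props['DATASOURCE_NAME']}"


if __name__ == "__main__":
    parsed = parse_datasource_file(EXAMPLE_FILE)
    print(validate_datasource(parsed) or f"OK, will bind as {jndi_name(parsed)}")
```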

Removing an external data source

Run the removeJBossDatasource alias with a parameter referencing the absolute path to a data-source property file created in the previous section, for example:

removeJBossDatasource /opt/CA/VirtualAppliance/custom/IdentityPortal/dataSources/my-ds.prop

The following message appears in the application server log file, indicating the removal of the data-source:

INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread) JBAS010409: Unbound data source [java:jboss/datasources/jdbc/test-ds]

Custom JVM arguments (vApp 12.6.8 CR2 only)

The vApp comes with a suggested default JVM configuration for the Identity Manager, Identity Governance and Identity Portal application servers. These JVM arguments include static values as well as dynamic values, such as the minimum and maximum heap size, which are set based on the deployment type (e.g. Demo, Production, etc.).

For example, the following JVM arguments are set for Identity Manager deployed in DEMO mode:

-Xms512m -Xmx2048m -XX:+UseG1GC -XX:+UseStringDeduplication -XX:+UseCompressedOops -Djava.net.preferIPv4Stack=true -Djava.awt.headless=true -XX:+UseLargePages -Djava.security.egd=file:/dev/./urandom

Customizing the JVM startup arguments

The vApp supports customizing the JVM startup arguments.

Warning: changing the JVM arguments may cause the application server to fail to start, or to experience run-time issues during normal operation or under stress. In case of such issues, revert to the out-of-the-box suggested JVM configuration by commenting out the lines in the jvm-args.conf file and restarting the application server.

Perform the following steps in order to modify the out of the box JVM arguments:

1. Log in to the target server via SSH/CLI as the config user.

2. Edit the jvm-args.conf file for the relevant product:

/opt/CA/VirtualAppliance/custom/IdentityManager/jvm-args.conf
/opt/CA/VirtualAppliance/custom/IdentityGovernance/jvm-args.conf
/opt/CA/VirtualAppliance/custom/IdentityPortal/jvm-args.conf

3. Un-comment the following line, or duplicate it and un-comment the copied line:

From:

#JAVA_OPTS=...

To:

JAVA_OPTS=...

4. Make the necessary changes to the JVM arguments specified after the "=" character.

5. Save the file.

6. Restart the application server by running the corresponding alias for the product:

restart_im
restart_ig
restart_ip

Custom host records (vApp 12.6.8 CR2 only)

The vApp uses the /etc/hosts file to store common host names for internal use. You should prefer to use DNS names instead of adding records to the /etc/hosts file. In case editing the /etc/hosts file is required, perform the following steps on every vApp host which requires custom host mapping:

1. Log in to the vApp server using SSH/CLI.

2. Create or edit the following file:

/opt/CA/VirtualAppliance/custom/hosts

3. Add the custom host records in a format equivalent to the /etc/hosts format, for example:

192.168.1.54 myhost01
192.168.1.58 myhost02
192.168.1.160 myhost03

4. Run the following command:

configureCustomHostRecords

5. View the /etc/hosts file and notice that the following block was added/modified to reflect the custom hosts block:

# CA VAPP CUSTOM HOSTS - START
192.168.1.54 myhost01
192.168.1.58 myhost02
192.168.1.160 myhost03
# CA VAPP CUSTOM HOSTS - END
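The marker-delimited block that configureCustomHostRecords maintains in /etc/hosts can be rebuilt idempotently, with the custom records checked before they are applied. This is an added Python example, not the vApp's own script; the marker lines and record format come from the steps above, while the validation rules and the sample /etc/hosts content are assumptions of this example.

```python
"""Rebuild the custom hosts block that configureCustomHostRecords writes into
/etc/hosts.  Added example, not the vApp's script: the marker lines and the
record format come from the section above; the validation rules and the
sample input are this example's own.
"""
import ipaddress
import re

START_MARKER = "# CA VAPP CUSTOM HOSTS - START"
END_MARKER = "# CA VAPP CUSTOM HOSTS - END"

# RFC 1123 host label; dotted names are allowed, underscores and spaces are not.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")

# Constructed sample: the three records from the page's custom hosts file.
CUSTOM_HOSTS = """\
192.168.1.54 myhost01
192.168.1.58 myhost02
192.168.1.160 myhost03
"""

# Constructed sample /etc/hosts content before any custom block exists.
BASE_HOSTS = "127.0.0.1 localhost localhost.localdomain\n::1 localhost6\n"


def parse_host_records(text):
    """Parse /etc/hosts-style lines into (ip, [names]) tuples.
    Every line is validated so a malformed record never reaches /etc/hosts."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: expected '<ip> <name> [name...]'")
        try:
            ip = ipaddress.ip_address(fields[0])  # accepts IPv4 and IPv6
        except ValueError as exc:
            raise ValueError(f"line {lineno}: bad IP address {fields[0]!r}") from exc
        for name in fields[1:]:
            if not HOSTNAME_RE.match(name):
                raise ValueError(f"line {lineno}: bad host name {name!r}")
        records.append((str(ip), fields[1:]))
    return records


def merge_custom_hosts(hosts_text, records):
    """Return hosts_text with the custom block replaced (or appended if absent).
    Re-running with the same records yields identical output."""
    lines = hosts_text.splitlines()
    block = ([START_MARKER]
             + [f"{ip} {' '.join(names)}" for ip, names in records]
             + [END_MARKER])
    has_start, has_end = START_MARKER in lines, END_MARKER in lines
    if has_start and has_end:
        start, end = lines.index(START_MARKER), lines.index(END_MARKER)
        if end < start:
            raise ValueError("custom hosts markers are out of order")
        lines = lines[:start] + block + lines[end + 1:]
    elif has_start or has_end:
        raise ValueError("unbalanced custom hosts markers; fix /etc/hosts by hand")
    else:
        lines.extend(block)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(merge_custom_hosts(BASE_HOSTS, parse_host_records(CUSTOM_HOSTS)), end="")
```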


Modifying Identity Manager branding (vApp 12.6.8 CR2 only)

Refer to the following section for guidance on modifying the branding for Identity Manager: How to Create a Skin

In order to edit a skin in a vApp-based IDM, follow the instructions below for every IDM node:

1. Navigate to the following location:

cd /opt/CA/VirtualAppliance/custom/IdentityManager/branding/imcss

2. Create your own skin. This is normally done by copying an existing template skin directory and modifying the contents, for example:

cd /opt/CA/VirtualAppliance/custom/IdentityManager/branding/imcss
cp -rp neteauto/ my-custom-skin

3. Make the necessary modifications to the skin.

4. Navigate to the following location:

/opt/CA/VirtualAppliance/custom/IdentityManager/branding

5. Edit the index.jsp file and reference the new skin, for example:

<skin:update>
    <skin:skin name="my-custom-skin" filename="/app/imcss/my-custom-skin/my-custom-skin.properties" />
    <skin:skin name="idm" filename="/app/imcss/idm/idm.properties" />
    <skin:skin name="neteauto" filename="/app/imcss/neteauto/neteauto.properties" />
    <skin:skin name="horizontal" filename="/app/imcss/horizontal/horizontal.properties" />
    <skin:skin name="horizontal2" filename="/app/imcss/horizontal2/horizontal2.properties" />
</skin:update>

6. Save the file.


Configuring

This section contains the following topics:

Configuring CA Identity Portal
Configuring CA Identity Suite Virtual Appliance

Configuring CA Identity Portal

Content in this section describes the configurations that you can perform in CA Identity Portal:

Actions
TEWS Settings for Identity Portal Without SSO
Identity Portal and IDM without Provisioning
Encrypt Admin User Password on Tomcat
Configuring jgroups TCP Unicast
Approval Workflow
Scoping
Understanding Bulk Configuration
Users’ Pictures

Actions

Create User

When CA Identity Portal attempts to trigger a module action of type Create, it will not accept any search screens. CA Identity Manager's default Create User task comes with a search screen to perform the "Copy From" action. In that scenario, CA Identity Portal will fail to trigger the Create User task. The administrator needs to remove the "Copy From" search screen from the Create User task that was mapped into CA Identity Portal.

TEWS Settings for Identity Portal Without SSO

TEWS settings for CA Identity Portal without SSO


Identity Portal and IDM without Provisioning

In case the IDM environment you plan to integrate CA Identity Portal with does not have Provisioning configured (a provisioning directory is not configured for the environment), you need to modify some of the CA Identity Portal service tasks that you imported with the CA Identity Portal Role Definitions XML:

1. Modify the "Sigma View User" Admin Task Tabs section and the "Provisioning removeRoles" and "Provisioning Roles Indirect" tabs.

2. Modify the "CA Identity Portal Admin Scope" Admin Task Profile Screen. Select: Tabs -> Profile -> Browse Screen (SigmaAdminScope) -> Edit.

3. Edit the "|provisioningRoles|" field.

4. Delete the "Initialization Javascript".

5. Apply and submit the changes.

6. Modify the "CA Identity Portal – TEWS Tasks" Admin Role. Remove the existing Member Policy.

7. Create a new Member Policy with only Groups and User scoping.

8. Submit the changes.

9. Stop and start the CA Identity Portal application server.

Encrypt Admin User Password on Tomcat

Follow these steps:

1. Edit the REALM in $CATALINA_HOME/conf/server.xml and add the attribute digest="HASH_TYPE". The values for HASH_TYPE can be sha, md5 or md2.

2. Execute the following to generate the hash of the password:

$CATALINA_HOME/bin/digest.sh -a HASH_TYPE PASSWORD

3. Replace the password for the user in question in the $CATALINA_HOME/conf/tomcat-users.xml file with the generated hash.

4. Restart Tomcat.

Configuring jgroups TCP Unicast

By default, the CA Identity Portal jgroups cluster uses UDP multicast. Some network deployments block multicast messages. To support the CA Identity Portal cluster in such environments (for example, when the CA Identity Portal nodes reside on different network segments), the CA Identity Portal jgroups cluster may be configured to use TCP unicast instead of UDP multicast. To configure TCP unicast, update the following JVM arguments at the application server level:

Argument Name | UDP multicast (default) | TCP unicast | TCP unicast (for MS SQL Server)
sigma.cluster.mode | multicast | unicast | unicast
sigma.portal.cache.infinispan.jgroups_cfg | sigma-portal-jgroups-multicast.xml | sigma-portal-jgroups-unicast.xml | sigma-portal-jgroups-unicast-mssql.xml
sigma.hibernate.cache.infinispan.jgroups_cfg | sigma-hibernate-jgroups-multicast.xml | sigma-hibernate-jgroups-unicast.xml | sigma-hibernate-jgroups-unicast-mssql.xml
java.net.preferIPv4Stack | true | true | true


Note: In some situations, you may want to disable the CA Identity Portal cluster (for example, in development environment where many developers are running the CA Identity Portal in the same network).

To do this, set the following JVM argument, and restart the application server:

jgroups.bind_addr=localhost

Optional jgroups JVM arguments (for advanced tuning):

jgroups.tcp.address

sigma.portal.jgroups.tcp.port

sigma.portal.jgroups.udp.mcast_addr

sigma.portal.jgroups.udp.mcast_port

sigma.hibernate.jgroups.tcp.port

sigma.hibernate.jgroups.udp.mcast_addr

sigma.hibernate.jgroups.udp.mcast_port

Note: For further details on these arguments, see the jgroups project documentation.

Approval Workflow

Viewing Approvers' Details

CA Identity Portal displays the details of the next approver in a request on its timeline. In CA Identity Manager this information is read from the Assignees tab of the approval task. So in order for the requester to be able to see the next approver in the timeline under "My Requests" the administrator must add the assignees tab to the approval task and make sure it's exposed to TEWS web services.

Note: The Assignees tab exists by default on all approval tasks; this is relevant for custom approval tasks.

Implementation

CA Identity Portal can identify pending work items either as approvals (default) or implementations. In order for a work item to enter the implementations queue, a hint needs to be configured on that node.

To configure the hint in CA Identity Manager:

1. Open WorkPoint Designer and edit the workflow process that will be used in the task.

2. Add a User Data element of type Text:

a. Name: IS_IMPLEMENTATION_NODE

b. Value: true

3. Save the changes.


Parallel Approvers

There can be a scenario in which multiple approvers exist at the same time in one backend task. For example:

The workflow was configured in CA Identity Manager on the event "Assign Provisioning Role" and in CA Identity Portal multiple permissions that are mapped to that same task were triggered in one request. Therefore multiple workflow jobs were triggered in parallel.

The workflow that was configured in CA Identity Manager is custom and has parallel approvers.

In those examples, by default CA Identity Portal would display in the request timeline all of the pending approvals for each of the permissions, since it does not know which approval belongs to which permission. In order for CA Identity Portal to match a permission to an approver, hints need to be configured on those nodes.

To configure the hint in CA Identity Manager:

1. Open WorkPoint Designer and edit the workflow process that will be used in the task.

2. On the approval node, add a User Data element of type Text:

a. Name: CA Identity Portal_TARGET_PERM_TYPE

b. Value: depends on the type of permission; can be ROLE/ATTRIBUTE/GROUP

3. Add another User Data element of type Text:

a. Name: CA Identity Portal_TARGET_PERM_NAME

b. Value: the name of the target permission

4. Save the changes.

Notes:

Usually this type of data is dynamic; therefore it is required to fetch it from IM using an agent and then set it dynamically as user data.

If one node should accommodate multiple permissions on the same activity then just add a counter suffix to the name of the user data.

Example for the agent code with a suffix:


ThisActivityInstData.setUserData("CA Identity Portal_TARGET_PERM_TYPE" + suffix, "ROLE");
ThisActivityInstData.setUserData("CA Identity Portal_TARGET_PERM_NAME" + suffix, provRole);
// where provRole is a variable containing the provisioning role name

Scoping

Module Action Scoping

Module action is mapped to a form which is mapped to a task. In order for a logged in user to see an action the backend task must be in his scope. In CA Identity Manager it means the Admin Task must be part of an Admin Role that the logged in user is a member of and that has a valid scope.

Note: To be sure the scoping is correct, try to run the Admin Task from CA Identity Manager directly using the end user's account. If it's not available there it won't be available in CA Identity Portal.

Permission Scoping

A permission is mapped to a target permission which is then mapped to a form and a task. In order for a logged in user to see permissions in the permission tree, the backend task of the target permission must be in his scope, exactly the same way that Module Action Scoping works.

Permissions could have another condition to their scoping:

If the backend task has been configured as "execute task" then Admin Task scoping is the only scoping.

If the backend task has been configured as "direct change", then CA Identity Portal also checks the scoping on the target permission itself. When the target permission is a provisioning role, there is an additional layer of scoping to check. For example: provisioning roles can only be assigned by administrators, so the requesting user must be an administrator of the provisioning role.

Note: In order for CA Identity Portal to read the permission scoping of a provisioning role, the administrator should uncheck the box for "Manage Administrators" on the Provisioning Roles tab of the backend Admin Task used to assign this permission.

Understanding Bulk Configuration

A bulk request can be submitted in 2 different ways: either by selecting the access module, searching for users and selecting more than one user, or by using the bulk file to select users. Both of these methods will cause the user to enter the access rights module in bulk mode.

After the user completes adding/modifying/removing permissions in his cart and fills in the necessary form information associated with these permissions, he can proceed to submit the request.

In case one (or more) of the permissions are linked to a task which is defined as bulk, a bulk file will be generated using the bulk configuration in the task.

Bulk configuration works as follows:

1. Each target permission and action (Add/Remove/Modify) that exists in the cart will be searched for in the BulkConf configuration.

2. For each match found, a line in the bulk file will be created for each user in the request. The line contains the following information:

a. The action name – the corresponding task action for the user and the attributes to be set.

b. The userId – a line per action per user in the request.

c. Action Mappings – these are the attributes that will be passed to the executed task; the first parameter is the attribute name and the second parameter is the value. As mentioned above, the value can be fetched from one of the forms in the request, be a static value, or be the name/value/type of the target permission that triggered this action.

Example – ACCESS REQUEST

This is a snapshot of an existing configuration:

Permission A is linked to Target Permission A. Target Permission A has only one rule, and in its rule an Add Form is mapped to Form A. Form A has no attributes and is linked to a task called BulkTask.

Permission B is linked to Target Permission B. Target Permission B has only one rule, and in its rule an Add Form is mapped to Form B. Form B has one attribute in it, which is mapped to a backend screen attribute called ScreenAttributeB through a task called BulkTask.

Permission A is linked to Target Permission A. Target Permission A has only one rule, and in its rule a Modify Form is mapped to Form C. Form C has no attributes and is linked to a task called BulkTask.

Since the 2 permissions are linked to the same bulk task, they will only trigger this task once.

Let's assume this is the BulkTask bulkconf configuration:

# | Action Name | Task | Target Permission | Operation | Mapping Key | Mapping Value
1 | add_tp1 | Assign Target Permission A to user | Target Permission A | ADD | Department | IT
2 | modify_tp | modify User | Target Permission A | MODIFY | %END_DATE% | {ScreenAttributeB}
3 | add_tp2 | Generic assign Role task | Target Permission B | ADD | %ROLE% | {{TP_NAME}}

In case a user logs in and requests access for userA and userB, and in the access request he selects to add Permission A and add Permission B, the bulk file will look as follows:

action,%USER_ID%,Department,%ROLE%
add_tp1,userA,IT,
add_tp1,userB,IT,
add_tp2,userA,,Target Permission B
add_tp2,userB,,Target Permission B

In case a user logs in and requests access for userC and userD, and in the access request he selects to modify Permission A, enters the value "12/31/2014" in the form, and also selects to add Permission B, the bulk file will look as follows:

action,%USER_ID%,%END_DATE%,%ROLE%
modify_tp,userC,12/31/2014,
modify_tp,userD,12/31/2014,
add_tp2,userC,,Target Permission B
add_tp2,userD,,Target Permission B
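To make the matching rules concrete, here is an added Python example (not CA Identity Portal's own code) that rebuilds both bulk files above from the BulkTask bulkconf and the two carts. The data structures, the treatment of {attr} versus {{TP_NAME}} mapping values, and the assumption that the date entered in the modify form travels as ScreenAttributeB are this example's own.

```python
"""Generate the bulk file a bulk-enabled task receives from an access request,
following the bulk configuration rules above.  Added example, not CA Identity
Portal code: the BulkTask rules, carts and user lists are the page's worked
example reconstructed as data; matching and value resolution are this
example's reading of the rules.
"""
import csv
import io
import re
from dataclasses import dataclass, field


@dataclass
class BulkRule:
    """One bulkconf row: which target permission + operation it matches and
    which (key, value_spec) mappings it emits."""
    action: str
    target_permission: str
    operation: str                      # ADD / MODIFY / REMOVE
    mappings: list                      # [(key, value_spec), ...]


@dataclass
class CartItem:
    """A permission in the requester's cart plus the values typed into its form."""
    target_permission: str
    operation: str
    form_values: dict = field(default_factory=dict)


# Constructed from the page's BulkTask bulkconf table.
BULKCONF = [
    BulkRule("add_tp1", "Target Permission A", "ADD", [("Department", "IT")]),
    BulkRule("modify_tp", "Target Permission A", "MODIFY", [("%END_DATE%", "{ScreenAttributeB}")]),
    BulkRule("add_tp2", "Target Permission B", "ADD", [("%ROLE%", "{{TP_NAME}}")]),
]

# Constructed carts for the page's two access requests.  The date entered in the
# modify form is assumed to travel as ScreenAttributeB, the attribute that the
# modify_tp mapping references.
CART_ADD_A_AND_B = [CartItem("Target Permission A", "ADD"),
                    CartItem("Target Permission B", "ADD")]
CART_MODIFY_A_ADD_B = [CartItem("Target Permission A", "MODIFY", {"ScreenAttributeB": "12/31/2014"}),
                       CartItem("Target Permission B", "ADD")]


def resolve_value(spec, item):
    """Mapping value rules: {{TP_NAME}} -> target permission name,
    {attr} -> value from the form (empty if absent), anything else is static."""
    if spec == "{{TP_NAME}}":
        return item.target_permission
    form_ref = re.fullmatch(r"\{([^{}]+)\}", spec)
    if form_ref:
        return item.form_values.get(form_ref.group(1), "")
    return spec


def build_bulk_file(rules, cart, users):
    """Return the bulk file text: a header row, then one line per matched action
    per user.  Header columns follow bulkconf order; columns an action does not
    map are left empty, as in the page's examples."""
    matches = [(rule, item) for rule in rules for item in cart
               if rule.target_permission == item.target_permission
               and rule.operation == item.operation]
    keys = []
    for rule, _ in matches:
        for key, _ in rule.mappings:
            if key not in keys:
                keys.append(key)
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["action", "%USER_ID%"] + keys)
    for rule, item in matches:
        values = {key: resolve_value(spec, item) for key, spec in rule.mappings}
        for user in users:
            writer.writerow([rule.action, user] + [values.get(key, "") for key in keys])
    return out.getvalue()


if __name__ == "__main__":
    print(build_bulk_file(BULKCONF, CART_ADD_A_AND_B, ["userA", "userB"]))
    print(build_bulk_file(BULKCONF, CART_MODIFY_A_ADD_B, ["userC", "userD"]))
```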

How to Configure Bulk Onboarding

In order to perform bulk onboarding, perform the following configuration:

Create a task in sigma and map it to a bulk loader task.

Configure the bulkconf with only the action name and task name. For example:

Action name: create_user

Task Name: Create User

Create a form mapped to the task above. In the form create one prop of type "CSV" and map it to a backend Name called "FileContent" (Note: this prop is not available in a list; you need to type the name yourself).

On the CSV prop you can configure the mandatory header fields this file must have. For example, for bulk onboarding you might put: action, %USER_ID%, %FIRST_NAME%, %LAST_NAME%, %FULL_NAME%. When the user loads the file, it is validated to contain all of these fields.

Create a new Module (or use an existing one) of type Create, and map this form to a new create action.

Make sure the bulk task is in scope for your requester.

With the above configuration, the user could upload the following file:

action,%USER_ID%,%FIRST_NAME%,%LAST_NAME%,%FULL_NAME%
create_user,John.S,John,Smith,John Smith
create_user,Kim.L,Kim,Larry,Kim Larry
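The following JavaScript is an added example, not code from the CA Identity Portal product or its documentation. It builds the bulk file that the two access-request examples above describe from a bulkconf table like the one for BulkTask, and then checks an uploaded file the way the mandatory-header setting of a CSV prop does. The bulkconf rows, user IDs and the request shape (users plus target-permission operations with form values) are constructed for illustration, and the substitution rules for {attribute} and {{TP_NAME}} are inferred from the two worked files above; the extra row checks (unknown action, wrong column count) are this example's own additions.

```javascript
// Added example: builds a CA Identity Portal style bulk file from a bulkconf table and an
// access request, and validates an uploaded bulk file. Not product code; the bulkconf rows,
// request shape and sample data below are constructed for illustration.

// Constructed bulkconf for BulkTask, mirroring the table in the text.
const bulkconf = [
  { action: "add_tp1",   targetPermission: "Target Permission A", op: "ADD",    key: "Department", value: "IT" },
  { action: "modify_tp", targetPermission: "Target Permission A", op: "MODIFY", key: "%END_DATE%", value: "{ScreenAttributeB}" },
  { action: "add_tp2",   targetPermission: "Target Permission B", op: "ADD",    key: "%ROLE%",     value: "{{TP_NAME}}" },
];

// Resolve a mapping value (assumed rules, inferred from the worked files in the text):
//   {{TP_NAME}}   -> the row's target permission name
//   {attribute}   -> the value the requester entered for that form attribute
//   anything else -> a literal
function resolveValue(row, formValues) {
  const tp = /^\{\{(\w+)\}\}$/.exec(row.value);
  if (tp) return tp[1] === "TP_NAME" ? row.targetPermission : "";
  const attr = /^\{(\w+)\}$/.exec(row.value);
  if (attr) return formValues[attr[1]] !== undefined ? formValues[attr[1]] : "";
  return row.value;
}

// request = { users: ["userA", ...],
//             operations: [{ targetPermission, op, formValues? }, ...] }
// Returns the bulk file text: a header line, then one line per matching bulkconf row per user.
function buildBulkFile(conf, request) {
  const matches = (row, o) => o.targetPermission === row.targetPermission && o.op === row.op;
  const rows = conf.filter(row => request.operations.some(o => matches(row, o)));
  const keys = [];
  for (const row of rows) if (!keys.includes(row.key)) keys.push(row.key);
  const header = ["action", "%USER_ID%", ...keys];
  const lines = [header.join(",")];
  for (const row of rows) {
    const op = request.operations.find(o => matches(row, o));
    const value = resolveValue(row, op.formValues || {});
    for (const userId of request.users) {
      lines.push(header.map(h => {
        if (h === "action") return row.action;
        if (h === "%USER_ID%") return userId;
        return h === row.key ? value : "";   // columns owned by other rows stay empty
      }).join(","));
    }
  }
  return lines.join("\n");
}

// Checks an uploaded bulk file: every mandatory header field must be present (as the CSV prop
// enforces), and, additionally, each row must use an action defined in the bulkconf and carry
// as many columns as the header.
function validateBulkFile(csvText, mandatoryFields, conf) {
  const lines = csvText.split(/\r?\n/).filter(l => l.trim() !== "");
  const header = (lines[0] || "").split(",").map(s => s.trim());
  const knownActions = new Set(conf.map(row => row.action));
  const problems = [];
  for (const field of mandatoryFields) {
    if (!header.includes(field)) problems.push(`missing header field ${field}`);
  }
  lines.slice(1).forEach((line, i) => {
    const cells = line.split(",");
    if (cells.length !== header.length) problems.push(`row ${i + 1}: expected ${header.length} columns, got ${cells.length}`);
    if (!knownActions.has(cells[0])) problems.push(`row ${i + 1}: unknown action ${cells[0]}`);
  });
  return { ok: problems.length === 0, problems };
}

// Constructed requests matching the two worked examples in the text.
const requestAddAB = {
  users: ["userA", "userB"],
  operations: [
    { targetPermission: "Target Permission A", op: "ADD" },
    { targetPermission: "Target Permission B", op: "ADD" },
  ],
};
const requestModifyAAddB = {
  users: ["userC", "userD"],
  operations: [
    { targetPermission: "Target Permission A", op: "MODIFY", formValues: { ScreenAttributeB: "12/31/2014" } },
    { targetPermission: "Target Permission B", op: "ADD" },
  ],
};

console.log(buildBulkFile(bulkconf, requestAddAB));
console.log(validateBulkFile(buildBulkFile(bulkconf, requestModifyAAddB), ["action", "%USER_ID%"], bulkconf));
```

The file produced for requestAddAB is byte-for-byte the first bulk file shown above, and the one for requestModifyAAddB the second; a column that belongs to a different bulkconf row is left empty, which is why the add_tp1 lines end with a trailing comma.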

Users' Pictures

Users have profile pictures in CA Identity Portal. The files are identified by CA Identity Portal in this format: <user ID>.jpg

The files should be placed in a folder called "USERPIC" inside the CA Identity Portal resources folder defined during the CA Identity Portal installation.

Configuring CA Identity Suite Virtual Appliance

Perform the following configuration changes to the vApp as required.

This article contains the following sections:

Configure an External Data Source
  Add an External Data Source
  Remove an External Data Source
CA Identity Manager Management Console Security Considerations
Modify Admin Credentials in CA Identity Portal Management Console
Modify CA Identity Manager Application Log Level
Configure Time and Network Time Protocol
Modify CA Identity Manager Environment Base URL
Configure Email for CA Identity Manager

Configure an External Data Source

The vApp supports configuring external data sources on the CA Identity Manager and CA Identity Portal application servers. Both Oracle and MS SQL Server are supported.

When deploying the vApp in the Sandbox or Custom mode, you can optionally configure an external database instead of the embedded database. When deploying the vApp in the Non Production or Production mode, you must configure an external database.

Add an External Data Source

Perform the following procedure to add an external data source while deploying the vApp.

Follow these steps:

Create the data-source property file in the following location:

For CA Identity Manager:

/opt/CA/VirtualAppliance/custom/IdentityManager/dataSources

For CA Identity Portal:

/opt/CA/VirtualAppliance/custom/IdentityPortal/dataSources

Use the following format when creating the file:

IMAG_PACKAGE=IP or IM
DB_TYPE=MSSQL or ORACLE
DATASOURCE_NAME=my-ds
DB_URL=jdbc:sqlserver://<host>:<port>
  or jdbc:sqlserver://<host>:<port>\;DatabaseName=<database name>
  or jdbc:oracle:thin:@<host>:<port>:<sid>
  or jdbc:oracle:thin:@//<host>:<port>/<service name>
DB_USER=<username>
DB_PASSWORD=<password>

Examples:

CA Identity Portal with Oracle data source, with SID specification:

IMAG_PACKAGE=IP
DB_TYPE=ORACLE
DATASOURCE_NAME=test-ds
DB_URL=jdbc:oracle:thin:@10.0.0.163:1521:xe
DB_USER=test_user
DB_PASSWORD=1234

CA Identity Manager with SQL Server data source, with specific database name specification:

IMAG_PACKAGE=IM
DB_TYPE=MSSQL
DATASOURCE_NAME=some-ds
DB_URL=jdbc:sqlserver://db-cluster-01.corp.company.com:1433\;DatabaseName=vappip14
DB_USER=vappuser
DB_PASSWORD=123456

Note: DB_PASSWORD is stored in clear text in this file, so restrict read access to the file on the appliance and use a database account that has only the privileges the application needs.

Run the following alias:

configureExternalDataSources

Note: Starting from CA Identity Suite Virtual Appliance 14.0 CP1, the above command has been replaced with the following command:

addJBossDatasource <DS FILE NAME>

This command takes the data-source file name as a command-line parameter and creates or updates a single data source.

The data sources are created or updated automatically. The following message appears in the application server log file, indicating the JNDI data-source name:

INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread) JBAS010400: Bound data source [java:jboss/datasources/jdbc/my-test-ds]

You can reference this data source within Java/Rhino code using the following syntax:

var dataSource = initialContext.lookup("java:jboss/datasources/jdbc/test-ds");
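As an added example (not part of the vApp tooling or its documentation), the following JavaScript parses a data-source property file in the format above and checks it before you run addJBossDatasource: all documented keys present, IMAG_PACKAGE and DB_TYPE limited to the documented values, DB_URL matching one of the documented forms for the chosen DB_TYPE, and the JNDI name derived from DATASOURCE_NAME as the "Bound data source" log line shows. The file content used as sample input is constructed from the SQL Server example above.

```javascript
// Added example: offline checks for a vApp data-source property file before running
// addJBossDatasource. Not product code; the rules below restate the file format given in
// the text, and the sample file content is constructed.

const REQUIRED_KEYS = ["IMAG_PACKAGE", "DB_TYPE", "DATASOURCE_NAME", "DB_URL", "DB_USER", "DB_PASSWORD"];

// Documented DB_URL forms per DB_TYPE. The MSSQL form optionally carries "\;DatabaseName=<db>"
// (the backslash escapes the semicolon inside the property value); the Oracle form is either
// host:port:sid or //host:port/service.
const URL_FORMS = {
  MSSQL:  /^jdbc:sqlserver:\/\/[^:\/\\;]+:\d+(\\;DatabaseName=[^\\;]+)?$/,
  ORACLE: /^jdbc:oracle:thin:@(\/\/[^:\/]+:\d+\/\S+|[^:\/]+:\d+:\S+)$/,
};

// Parse KEY=VALUE lines; blank lines and "#" comments are ignored, and only the first "="
// splits the line so that JDBC URLs containing "=" survive intact.
function parseDataSourceFile(text) {
  const props = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq === -1) continue;
    props[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return props;
}

function checkDataSource(props) {
  const problems = [];
  for (const key of REQUIRED_KEYS) if (!props[key]) problems.push(`missing ${key}`);
  if (props.IMAG_PACKAGE && !["IM", "IP"].includes(props.IMAG_PACKAGE)) {
    problems.push(`IMAG_PACKAGE must be IM or IP, got ${props.IMAG_PACKAGE}`);
  }
  if (props.DB_TYPE && !URL_FORMS[props.DB_TYPE]) {
    problems.push(`DB_TYPE must be MSSQL or ORACLE, got ${props.DB_TYPE}`);
  } else if (props.DB_TYPE && props.DB_URL && !URL_FORMS[props.DB_TYPE].test(props.DB_URL)) {
    problems.push(`DB_URL does not match the documented ${props.DB_TYPE} form`);
  }
  return {
    ok: problems.length === 0,
    problems,
    // The name the application server binds, as reported in the "Bound data source" log line.
    jndiName: props.DATASOURCE_NAME ? `java:jboss/datasources/jdbc/${props.DATASOURCE_NAME}` : null,
  };
}

// Constructed sample: the CA Identity Manager / SQL Server example from the text.
const SAMPLE_MSSQL = [
  "IMAG_PACKAGE=IM",
  "DB_TYPE=MSSQL",
  "DATASOURCE_NAME=some-ds",
  "DB_URL=jdbc:sqlserver://db-cluster-01.corp.company.com:1433\\;DatabaseName=vappip14",
  "DB_USER=vappuser",
  "DB_PASSWORD=123456",
].join("\n");

console.log(checkDataSource(parseDataSourceFile(SAMPLE_MSSQL)));
```

Run it against a file before copying the file to the dataSources directory; a mismatch between DB_TYPE and the DB_URL driver prefix is the most common way to get a data source that binds in the log but fails on first use.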

Remove an External Data Source

Perform the following step to remove an external data source from your vApp deployment:

Run the following alias with a parameter referencing an absolute path to the data-source property file created while adding the external data source:

removeJBossDatasource

Example:

removeJBossDatasource /opt/CA/VirtualAppliance/custom/IdentityPortal/dataSources/my-ds.prop

The following message appears in the application server log file indicating the removal of the data-source:

INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread) JBAS010409: Unbound data source [java:jboss/datasources/jdbc/test-ds]

CA Identity Manager Management Console Security Considerations

When the vApp is deployed with an external database, the CA Identity Manager environment is created on the fly without Management Console security. As a result, anyone who can reach the Management Console can use it without authentication. To close this gap, enable CA Identity Manager Management Console security.

Follow these steps:

Login to the CLI/SSH console of any Identity Manager node using the “config” user.


Run the Password tool to encrypt the desired password:

cd /opt/CA/IdentityManager/IAM_Suite/IdentityManager/tools/PasswordTool
./pwdtools.sh -JSAFE -p CLEAR-TEXT-PASSWORD

Insert the desired user name and the encrypted password into the database:

Run the following SQL statement on the schema / database instance used by Identity Manager:

Insert into <SCHEMA NAME>.IM_AUTH_USER (USER_NAME,PASSWORD,DISABLED,ID) values ('<USER NAME>','<ENCRYPTED PASSWORD>','0',0);

Note: Replace the placeholder values in the SQL statement with the schema name, user name, and encrypted password (as generated by the PasswordTool). Because the clear-text password is passed to pwdtools.sh on the command line, it is recorded in the shell history of the "config" user; clear that history entry afterwards.

Example:

Insert into IDM.IM_AUTH_USER (USER_NAME,PASSWORD,DISABLED,ID) values ('admin','{PBES}:pDlNMkpQppY=','0',0);

On every CA Identity Manager node:

Run the following alias from the console:

EnableIdmMgmtConsoleSecurity

Run the following alias to restart CA Identity Manager:

restart_im

The CA Identity Manager Management Console is now secured.

Modify Admin Credentials in CA Identity Portal Management Console

CA Identity Portal on the vApp is shipped with a default user named “sigma” that is a member of the “SigmaAdministrators” Application Group, which grants it access to the Admin UI.

The vApp lets you do the following:

Disable the default user.

Define a new user as a member of the “SigmaAdministrators” Application Group. This user will be granted access to the Admin UI.

Note: You can define multiple users that have this access level, but at least one user has to be configured; otherwise the Admin UI will not be accessible.

Change the user’s password.

To perform the above steps on every CA Identity Portal node, follow these steps:

Login to the command-line interface using the “config” user

Run the following command:

sudo /opt/CA/wildfly-portal/bin/add-user.sh

The following question is displayed:


“What type of user do you wish to add?”

Respond with “b” (Application User). The following question is displayed:

“Username:”

Respond to the question with either of the following:

Type “sigma” (or any previously defined user) to change the password or disable the existing user

Type a different username to create a new user. A user can access the CA Identity Portal Admin UI only if the user is a member of the “SigmaAdministrators” Application Group.

Respond with “SigmaAdministrators” to the following question:

”What groups do you want this user to belong to? (Please enter a comma separated list, or leave blank for none): ”

The following question is displayed:

Is this new user going to be used for one AS process to connect to another AS process? e.g. for a slave host controller connecting to the master or for a Remoting connection for server to server EJB calls.

Respond to the question with “n”.

You can now log in to the CA Identity Portal Admin UI with the newly created user.

Modify CA Identity Manager Application Log Level

CA Identity Manager shipped with the vApp supports a “logging.jsp” page allowing control of the logging configuration at run time. This page is available on the following URI: /iam/im/logging.jsp.

By default, the logging.jsp page cannot be accessed by any user. To access the page, configure a WildFly user as a member of the “IAMAdmin” application group. By default, the group does not have any users.

You can control access to the logging.jsp page by adding a user to the “IAMAdmin” application group.

Follow these steps:

Login to the command-line interface using the “config” user.

Run the following command:

sudo /opt/CA/wildfly-idm/bin/add-user.sh

The following question is displayed: “What type of user do you wish to add?”

Respond with “b” (Application User). The following question is displayed:

“Username:”

Respond to the question with either of the following:


Type any previously defined user to add access for an existing user

Type a different username to create a new user. A user can access the logging.jsp page only if the user is a member of the “IAMAdmin” Application Group.

Respond with “IAMAdmin” to the following question:

”What groups do you want this user to belong to? (Please enter a comma separated list, or leave blank for none): ”

The following question is displayed:

Is this new user going to be used for one AS process to connect to another AS process? e.g. for a slave host controller connecting to the master or for a Remoting connection for server to server EJB calls.

Respond to the question with “n”.

You can now access the logging.jsp page using the following URL (replace “<IDM_NODE_ADDRESS>” with the IDM server’s IP address):

http://<IDM_NODE_ADDRESS>:8080/iam/im/logging.jsp

Configure Time and Network Time Protocol

Run the following alias to change the date and time of the computer:

setTimeAndDate

Alternatively, you can use the date alias to modify the system date and time using the Linux “date” command syntax.

Run the following alias to change the time-zone.

selectTimeZone

Run the date alias to verify that the time-zone has been set correctly:

Example:

Sun Aug 21 17:57:00 EST YYYY

To configure Network Time Protocol (ntp) on all servers in the vApp solution, do the following:

Run the following command to edit the ntp configuration:

sudo /usr/bin/vim /etc/ntp.conf

Make the required changes. See the following guide for the format of the ntp.conf file: Red Hat Enterprise Linux 6 Deployment Guide - 2.2.2. Network Time Protocol Setup

Run the following command to restart the ntp service:

sudo /etc/init.d/ntpd restart

Run the following command to trace NTP synchronization state:

ntpq -p


Modify CA Identity Manager Environment Base URL

The default vApp CA Identity Manager environment (“identityEnv”) comes pre-populated with a default Base URL. Modify the base URL to match the actual IP address of one of the CA Identity Manager servers in the deployment.

Follow these steps:

Login to the CA Identity Manager Management Console of any one server in the deployment.

Click Environments.

Click identityEnv.

Modify the IP address of any one CA Identity Manager server in the deployment in the following base URL:

http://<IP_Address>:8080/iam/im

Example:

http://150.9.30.100:8080/iam/im

Click Save.

Click Restart Environment.

On all other CA Identity Manager nodes, login to the Management Console and restart the environment.

Configure Email for CA Identity Manager

The files listed below are available in the following location:

/opt/CA/VirtualAppliance/custom/IdentityManager

email.properties - Defines SMTP host and port

IDM_from_address.properties - Defines the IM "sender" address

WorkPoint_email.properties - Defines various WorkPoint email properties (when it is the WorkPoint process that is sending the emails and not CA Identity Manager)


Building

This section contains the following topics:

CA Identity Governance Client Tools
Connector Xpress
Provisioning Reference
User Console Design

CA Identity Governance Client Tools

CA Identity Governance Client Tools is a local application that provides discovery and analytical tools to manage users and resources, databases, perform audits and role discovery, and more.

For more information, see the CA Identity Governance documentation.

Connector Xpress

Connector Xpress is a utility for managing dynamic connectors, mapping dynamic connectors to endpoints, and establishing routing rules for endpoints. You can use it to configure dynamic connectors to allow provisioning and management of SQL databases and LDAP directories.

For more information, see the CA Identity Governance documentation.

Provisioning Reference

For information about advanced provisioning operations, see the CA Identity Manager documentation.

User Console Design

When you create an environment, CA Identity Manager creates a default User Console that you use to manage the environment. You can customize several elements of the User Console to address your existing business needs.

For more information, see the CA Identity Manager documentation.


Programming

This section contains the following topics:

CA Identity Manager Programming Guide for Java
Connector Programming Reference
Programming CA Identity Governance
CA Identity Portal Developer Guide
Javadoc for CA Identity Portal Plugins
Programming CA Identity Portal

CA Identity Manager Programming Guide for Java

CA Identity Manager Programming Guide for Java provides detailed information about CA Identity Manager architecture and APIs.


Connector Programming Reference

For information about CA IAM Connector Server and connectors, see the following documents:

Connector Programming Reference
CA Identity Management & Governance Connectors

Programming CA Identity Governance

For information about CA Identity Governance programming options, see the CA Identity Governance documentation.

CA Identity Portal Developer Guide

This section contains the following topics:

Plugins
Target Permission Rule Expression
Form Handlers


Plugins

Plugins are either Java or RhinoJS (server-side JavaScript) code executed on the CA Identity Portal server that can be used to enrich the business logic configured in CA Identity Portal.

Examples of plugin usage:

Fetching available form prop values from external database.

Validating a file's content.

Performing complex validation logic.

Plugin Components

Arguments

The Plugin execution function can contain as many arguments as needed. The code calling this plugin passes on all arguments that the plugin accepts.

BasePlugin

The Java Plugin extends the BasePlugin class. The BasePlugin class contains the base implementations of methods of initialization and fetching plugin parameters.

Initialization Parameters

Initialization parameters are key-value pairs defined in the plugin configuration that can be fetched using the getInitParamValues(String key) function, which is inherited from the BasePlugin implementation. The function returns a String with the value defined in the plugin configuration.

For example:

SMTP server address 10.0.0.72

SMTP server port 25

PluginContext

PluginContext is an interface that enables retrieval of run-time elements. Currently the PluginContext supports only one method: List<BaseSigmaModelPluginElement> getExecutionEntities(). In FormServerFunction plugins the list contains only one element, which is the form that executed this plugin. BaseSigmaModelPluginElement exposes two methods: getId() and getName().

SigmaServices

SigmaServices is an interface which enables access to certain elements of the CA Identity Portal model and services that CA Identity Portal offers. Refer to the Javadoc for the available methods of this interface.


initPlugin Method

This method is triggered every time a plugin is initialized. Use this method to perform initialization actions such as setting parameters, etc.

Plugin Execution Types

Java Plugins

A Java Plugin is one or more Java classes that can be deployed as .class files or as .jar files in the CA Identity Portal Plugins directory. The plugin directory path is configured under the General Configuration tab, in the Plugin Dir parameter, in the admin UI.

All plugins are loaded by CA Identity Portal on startup. If you deploy a new plugin to the plugin directory while the application is already running, use the <Identity_Portal_url>/rest/admin/plugins/refresh URL to reload all available classes in the plugin directory.

Important: In a cluster configuration, plugin classes should be deployed on each of the servers, and the refresh functionality (if used) should be executed on every server. The plugin directory path is configured for all servers, so make sure to choose a path that can be created on all cluster servers and place the files there. Because plugin classes execute with the privileges of the portal server, restrict write access to the plugin directory to the administrators who deploy plugins.

The Java class plugin needs to extend the BasePlugin class and must contain a function that will serve as the execution start point. That function must have the @ExportedServerFunction annotation before it. This function can return any type of object and receive any type of arguments, corresponding to the handler call arguments passed to it.

RhinoJS Plugin

The RhinoJS Plugin is server-side JavaScript code that is written in the plugin configuration in the admin UI. Changes to the plugin code take effect immediately.

The JavaScript function must be named with the plugin name.

Plugin Samples

Basic Java Sample with all components:

package com.idmlogic.sigma.plugin.sample;

import com.idmlogic.sigma.plugin.BasePlugin;
import com.idmlogic.sigma.plugin.PluginException;
import com.idmlogic.sigma.plugin.annotations.ExportedServerFunction;
import com.idmlogic.sigma.plugin.model.User;

/**
 * This is a sample java plugin.
 * A plugin must extend BasePlugin.
 */
public class JavaPluginSample extends BasePlugin {

    /*
     * Sample method that accepts 2 arguments
     */
    @ExportedServerFunction
    public String foo(Integer foo1, String foo2) throws PluginException {
        // Doing something with the accepted parameters: repeat foo2, foo1 times
        String retval = new String();
        for (int i = 0; i < foo1; i++) {
            retval += foo2;
        }
        // use of Sigma services to get a user object
        User user = sigmaServices.getUser("Some user Id");
        // Using plugin context to get information on the entities related to this plugin
        String name = pluginContext.getExecutionEntities().get(0).getName();
        return retval + user.getUserId() + " " + name;
    }

    @Override
    public void initPlugin() {
        @SuppressWarnings("unused")
        String connectionString = getInitParamValues("connectionString");
        /*
         * code for opening DB connection using fetched connection string
         */
    }
}

Sample of RhinoJS Plugin:

function validateForm(value, type) {
    var val = new java.lang.String(value);
    if (type.equals("email")) {
        // sample rule: must contain "@" after the first character and end with ".com"
        if (value.indexOf("@") > 0 && val.endsWith(".com")) {
            return true;
        } else {
            return false;
        }
    }
    if (type.equals("phone")) {
        // three digits, a dash, then seven digits
        var pattern = java.util.regex.Pattern.compile("\\d{3}-\\d{7}");
        var matcher = pattern.matcher(value);
        if (matcher.matches()) {
            return true;
        } else {
            return false;
        }
    }
    return false;
}

Calling the plugin from a validation handler in a form:

function validate(api, prop) {
    var a = api.server(['validateForm', prop.value, api.getProp("prop1").value]);
    return a.done(function (data) {
        var answer = data.returnValue;
        if (!answer) {
            prop.errors = ["this is not a valid email"];
        }
        return answer;
    });
}

Important Notes:

The value returned from the plugin is wrapped in an object. For example, if the returned value is "true", the JavaScript object will be like { "returnValue" : "true" }.


When calling using api.server(), the call is asynchronous. This means that the code inside a.done() is executed only when a successful response from the server (plugin code) arrives. To avoid asynchronous problems, use the return keyword on the api.server() call so that the calling method waits for its result, and make sure the done() callback returns a Boolean value.

Developing a Java Plugin

Follow these steps:

From the CA Identity Portal deployed war, extract the sigma.plugin-0.0.2-SNAPSHOT.jar file. The jar can be found in "sigma.war\WEB-INF\lib".

Add that jar to your Eclipse project.

Create a new Java class which extends BasePlugin (BasePlugin is inherited from the sigma-plugin jar).

Make sure to implement all required methods.

Add the @ExportedServerFunction annotation on the method you wish to be triggered in the plugin.

Once the plugin is completed, copy the compiled class to the plugin directory configured in the CA Identity Portal server.

Configure the plugin in the Admin UI.

Target Permission Rule Expression

A target permission can contain multiple rules. These rules are evaluated when CA Identity Portal calculates the scoping for which permissions can be requested by the user. The evaluation process is performed in two steps. First the following parameters are checked:

The rule mode – only rules matching the mode of the request the user is at are evaluated.

The rule expression.

If those parameters are matched the linked permission operation is allowed in correspondence to the Add/Remove/Modify form connector scope.

The rule expression is written in Server-Side JavaScript code (RhinoJS). Use the button to select one of the following configuration options:

True – the expression will always be valid.

Wizards – construct the expression using a drop down wizard.

Custom – write the expression yourself.

Custom Objects

The following objects are available in the Rule scope (note all start in lowercase):

user – Target user object in the access request.


users – Target users' array in case of bulk access request. In case of a single access request, the single user is in index 0.

requester – The user object of the requester of the target permission.

targetPermission – The targetPermission object itself.

Evaluated expression must return a Boolean result (example: "return true"). In case of a single statement, it is possible to omit the return keyword.

The user and requester objects contain all the user attributes as configured in the user info configuration in the CA Identity Portal Admin UI. Since these are JavaScript objects, referencing the attribute should be done as follows:

Referencing the User's First Name value:

user.getValue("FirstName")

Referencing the User's Cell Phones value; returns a list of values:

user.getValues("Cell Phones")

Referencing the targetPermission Name:

targetPermission.getName()

Summary of Available Methods per Object:

Object Name      | Method Name           | Method Description                                   | Return Value
User             | getUserId()           | Returns the userId                                   | String
User/Group       | getData()             | Returns all available attributes on the user/group   | Map<String, List<String>>
User/Group       | getValue(String key)  | Gets the attribute name, returns the attribute value | String; null if value or attribute does not exist
User/Group       | getValues(String key) | Returns the attribute value (multi-value)            | List<String>
Users            | get(index)            | Java Collection get method                           | User
TargetPermission | getName()             | Get the current Target Permission Name               | String
TargetPermission | getValue()            | Get the current Target Permission Value              | String
TargetPermission | getType()             | Get the current Target Permission Type               | String

The following sample returns true only if all users are from department IT (the guard on getValue("Department") avoids calling equals() on null, so a user with no Department value is not rejected by this check):

for (var i = 0; i < users.size(); i++) {
    if (users.get(i).getValue("Department") && !users.get(i).getValue("Department").equals("IT")) {
        return false;
    }
}
return true;

Checking a self request:

requester.getValue("userId").equals(user.getValue("userId"))

Form Handlers

Form handlers enable you to build JavaScript logic to control the behavior of the form. The handlers run in the browser and can manipulate the DOM. Because they run in the browser, a user can bypass them, so treat them as a usability aid and enforce security-relevant validation on the server as well.

A handler can be configured on each prop and is available in 3 events:

Initialization – this handler will be triggered when the form is opened.

onChange – this handler will be triggered every time there is a change to the prop value.

Validation – this handler will be triggered when the form is submitted. The handler must return true or false, and the form is submitted only when the validation handlers of all props return true.

Form Events Order

When a form is loaded, all props are created with their definition values from the admin UI.

Before the form is available for changing by the user, a call to fetch the initialization values from the backend system is made. This call tries to fetch existing values of the backend prop and initialize the form prop with those values.

After initialization values are populated (if they exist), the initialization handler is triggered. The initialization handlers are triggered on all props in the order they are configured.

When all initialization handlers are completed the form is available for editing by the user.

Change handlers are also set and are watching the changes that occur on the props they are configured on. Each change to the value of the prop will trigger its own change handler.

Validation handlers are used to validate the content of the prop or other form props. These handlers must return true or false value.


Asynchronous Calls

api.server() is an asynchronous call used to call a plugin on the CA Identity Portal server and get a result to be used in the form. It is crucial to notice that when using asynchronous calls, their promise callback is executed only when the server responds, while the rest of the non-asynchronous code of the handler is executed before that, even if it is syntactically written after it. This matters even more in validation handlers: if the result of the validation depends on the asynchronous response, the non-asynchronous code returns nothing (or the wrong value), the handler completes, and the validation fails.

The next example shows the execution order of the code when using an asynchronous call such as api.server:

function validate(api, prop) {
    // your code here
    api.server(......).done(function success(data) {
        // promise code - will get called when the server returns an answer
        if ('a' == 'a') {
            return true;    // only executed when the api.server returns information
        }
    });
    // code here will be performed before the above promise code is executed
    return false;
}

We can see that in the above example the result will always be false, since the promise code will be executed at a later stage.

Moving the "return false" response inside the promise will not help in this case because the handler code will complete before the promise code occurs and therefore fail as no response was supplied.

The proper way to write validation code with asynchronous calls is:

    function validate(api, prop) {
        // your code here
        return api.server(......).done(function success(data) {
            // promise code: will get called when the server returns an answer
            if ('a' == 'a') {
                return true;
            } else {
                return false;
            }
            // only executed when the api.server returns information
        });
        // any code placed here would be performed before the above promise code is run
    }

In this example the asynchronous call itself is returned, which makes the code that waits for this handler wait for the promise code to complete.
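The difference between the two validation handlers above can be reproduced outside the portal. The following is an added example, not code from the CA Identity Portal documentation: Deferred(), makeMockApi() and runValidation() are stand-ins for the portal's own runtime, written on the assumption (taken from the examples above) that api.server(...).done(cb) yields cb's return value and that a handler which returns the deferred is waited for. The "isUnique" plugin name and the error text are made up for the example.

```javascript
// Added example (not from the CA Identity Portal documentation). Models the
// contract described above: a validation handler that returns a plain boolean
// is decided immediately, one that returns the asynchronous call is decided
// only when the server answers.

// Minimal deferred: done(cb) registers cb and returns a new deferred that
// settles with cb's return value (assumed to match how api.server(...).done(...)
// is used in the documentation's examples).
function Deferred() {
  var callbacks = [];
  var state = { settled: false, value: undefined };
  state.done = function (cb) {
    var next = Deferred();
    var run = function (v) { next.resolve(cb(v)); };
    if (state.settled) run(state.value); else callbacks.push(run);
    return next;
  };
  state.resolve = function (v) {
    if (state.settled) return;          // a deferred settles once
    state.settled = true;
    state.value = v;
    callbacks.forEach(function (run) { run(v); });
  };
  return state;
}

// Mock api context: server() records the call and returns a pending deferred;
// respond() is a test hook that delivers {returnValue: ...} for the oldest call,
// the response shape the documentation describes for plugins.
function makeMockApi() {
  var pending = [];
  return {
    server: function (args) {
      var d = Deferred();
      pending.push({ plugin: args[0], args: args.slice(1), deferred: d });
      return d;
    },
    respond: function (returnValue) {
      pending.shift().deferred.resolve({ returnValue: returnValue });
    }
  };
}

// Assumed runtime behaviour: a returned deferred is waited for; anything else
// is coerced to a boolean right away (undefined counts as invalid).
function runValidation(handler, api, prop) {
  var result = handler(api, prop);
  if (result && typeof result.done === "function") return result;
  var d = Deferred();
  d.resolve(result === true);
  return d;
}

// WRONG: the handler returns false synchronously; the server's answer is lost.
function validateWrong(api, prop) {
  api.server(["isUnique", prop.value]).done(function (data) {
    return data.returnValue === true;
  });
  return false;
}

// RIGHT: the chained deferred is returned, so the form waits for the answer
// and the callback's boolean becomes the validation result.
function validateRight(api, prop) {
  return api.server(["isUnique", prop.value]).done(function (data) {
    if (data.returnValue === true) return true;
    prop.errors = ["value is already in use"];
    return false;
  });
}
```

Running runValidation(validateWrong, api, prop) yields a result that is already settled to false before api.respond() is ever called, which is exactly the "always false" behaviour described above; runValidation(validateRight, api, prop) stays pending until the mock server responds and then carries the server's verdict.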

API Context

The API context exists in every Form Handler. It exposes several methods that come in handy when writing handler code.

The following methods are available under the API context:

api.getProp("<prop reference name>")
Fetches another prop in the form using the reference name assigned to it in the prop configuration. By fetching another prop we can control its value, available options, label, visibility, and so on.

api.getRequester()
Fetches the logged-in user together with the user's details.

api.prompt("message")
Opens a message window for the user. The message content supports HTML tags.

api.server(['<plugin name>', 'arg0', 'arg1', …])
Calls a server plugin available in the form context. The plugin must be linked to the form that invokes it.

api.service("service action name")
Calls a service action defined under the modules section. These tasks fetch initialization data, which is useful when custom logic is built in the backend system and its result is needed in the form. For example, build a task that returns all the groups in the system; calling it with api.service() returns all the fields defined in the form as an object to the handler.


api.getSubject()
Returns an array of the managed objects in the context of the form. The managed object types are either user or group. If no managed object exists, an empty array is returned. For example, a form in an access request returns the users that are the subject of the request. An onboarding form for a user returns an empty array, since the user does not exist yet.

api.getEntitlement()
Returns a value only if used within forms in the Access Module. The method returns the name of the permission the form is associated with.

api.getLocale()
Returns the current locale of CA Identity Portal.

Prop Context

Each handler associated with a prop is injected with a prop context. The prop context enables extracting and manipulating the prop itself. The api.getProp() method fetches the prop context of another form prop for the same purpose.

The following table defines, for each prop type, which of the attributes Value (single-value), Values (multi-value), Options, Label and Message are available. The prop types covered are:

CSV
Checkbox
Date Picker
Drop-Down
Email
File Attachment
Message
Multi-Select list
Multi-Text
Multi-User
Number Bar
Password
Radio Buttons
Relations
Single Select
Sub Form
Text
Text Area
User Selector

An attribute can be used from a handler only if it is available for the prop's type. Use:

1. prop.value to extract/update the value attribute, if available.

    prop.value = "john";

2. prop.values to extract/update the values attribute, if available.

    prop.values = ["john", "dave"];

3. prop.options to add/change the available options, if available. Options is an array of objects; each object contains a name attribute, which holds the display name of the option, and a value attribute, which holds the value sent to the server.

    // add new option
    var newOption = {"name": "new options display", "value": "new option server value"};
    prop.options.push(newOption);

4. prop.label to extract/update the prop label.

    prop.label = "pretty prop label";

5. prop.message to update the text of a message prop.

    prop.message = "This is a text <b> message </b>";

Hotel Reservation Form Example

This example takes you step by step through building a form and using the handlers and plugins capabilities. For this purpose we will create a hotel reservation form.

Selecting Country and City

The user starts by selecting from drop-down menus the Country and City in which the hotel is located. For the purpose of this example, we assume that the list of available countries and cities is static and stored in the prop itself.

Note: The following examples use the underscore.js library to manipulate JavaScript objects. Underscore calls can be identified by the "_." prefix of the method. The underscore.js library is available in the form handler's context in CA Identity Portal.

First, we create 2 props:

1. Country prop of type dropdown; we also add the reference name "Country" so that we can reference it from other props.

2. City prop of type dropdown; we also add the reference name "City".

We did not set the possible options for each prop in the prop itself, since they should change dynamically according to the selection.

We created an initialization handler for the Country prop to populate the available options in the prop. The code looks like this:

    function initialize(api, prop) {
        // define a map with countries and cities
        var map = [
            { name: "Israel", cities: ["Tel Aviv", "Jerusalem"] },
            { name: "Russia", cities: ["Moscow", "St Petersburg"] },
            { name: "Spain",  cities: ["Madrid", "Barcelona"] }
        ];
        // Iterate over the countries and add each country to the country prop.
        // The format of an option is an object, containing name and value.
        map.forEach(function (country) {
            prop.options.push({ name: country.name, value: country.name });
        });
        // Save an array of countries in the prop api.
        // This way we expose this array to other handlers of this prop,
        // such as change handler and validation handler
        api.countries = map;
    }

Now we would like to populate the City prop with the proper options once a Country value is selected. We need to make sure that if the Country value changes we also clear the City value. We also make sure to remove the ReadOnly definition from the City prop (we set it as ReadOnly by default in the admin UI).

The change handler code looks like this:

    function onChange(api, prop) {
        // Use 'findWhere' function of the Underscore library to find the selected country
        var country = _.findWhere(api.countries, { name: prop.value });
        if (!country)
            return;
        // Change city prop not to be readOnly, and load the cities of the selected country
        var cityProp = api.getProp('city');
        cityProp.readOnly = false;   // enable editing this prop
        cityProp.value = '';         // clean previous selections if they exist
        // initialize the options available to the prop, by the selected country
        cityProp.options = [];
        country.cities.forEach(function (city) {
            cityProp.options.push({ name: city, value: city });
        });
    }

The user then has two drop-down menus available - Country and City. The options available in the City drop-down menu change based on the selected country.

Selecting the Number of Rooms

Now we want to add a drop-down menu that allows the user to select the number of rooms they would like to reserve, but only after they have selected a country and a city.

We would like the availability to come from an external source (such as the reservation system of the hotel) so we would like to call a JavaScript Plugin and retrieve the amount of available rooms.

We use this code on the change handler:

    function onChange(api, prop) {
        // If no value was selected, do not perform any action.
        if (!prop.value)
            return;
        // Activate and execute the plug-in function called "numberOfRooms"
        api.server(["numberOfRooms", prop.value]).then(
            function (data) {
                // validate that the server's response is actually a number
                if (data && typeof data.returnValue == "number") {
                    var maxRooms = data.returnValue;
                    var roomsProp = api.getProp("rooms");
                    roomsProp.hidden = false;
                    roomsProp.value = undefined;
                    roomsProp.options = [];
                    for (var i = 1; i <= maxRooms; i++) {
                        roomsProp.options.push({ name: i, value: i });
                    }
                }
            },
            function error(error) {
                console.log(error);
                // Here you can handle server errors, and indicate to the user
                // that something is wrong.
                // This might happen when the server code (plug-in) has errors in it.
            });
    }

This code uses the plugin called numberOfRooms, coded in JavaScript. For the purpose of the example, the plugin just returns a random number.

Selecting Arrival and Departure Date

After rooms have been selected, we would like the arrival and departure date to be collected. By now, we know that we can display them by having a piece of code in the change handler of the rooms attribute.

    function onChange(api, prop) {
        if (prop.value) {
            api.getProp('arrival').hidden = false;
            api.getProp('departure').hidden = false;
        }
    }

Now we would like to add a validation of the submitted form that checks the submitted dates by sending them to the server. To do that, we need to build a plugin; in this example it is called validateDates and returns either true or an error message as its return value.

We will now make sure to call this validation code from the validation handler of one of the props.

Here is a sample code:

    function validate(api, prop) {
        var arrival = new Date(api.getProp('arrival').value);
        var departure = new Date(prop.value);
        return api.server(["validateDates", arrival.valueOf(), departure.valueOf()]).done(
            function (result) {
                var valid = result.returnValue;
                if (valid === true) {
                    return valid;
                } else {
                    prop.errors = [result.returnValue];
                    return false;
                }
            });
    }

Note that when the validation fails and returns false, we populate the prop.errors array with a message that is displayed under the invalid prop.

This is how it will be displayed to the user:
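The validateDates plugin itself is not reproduced on this page. As an added illustration (not CA's plugin code), the function below implements the check such a plugin is expected to perform, using only the contract visible in the validate handler above: the handler sends arrival.valueOf() and departure.valueOf() (epoch milliseconds) and expects returnValue to be either true or an error message. How a RhinoJS plugin receives its arguments is not shown on this page, so the function signature is an assumption; the third parameter exists to make the check deterministic in tests, and the 30-night limit is an invented business rule. Because form handlers run in the browser, the values are untrusted input and are checked to be real numbers before any comparison.

```javascript
// Added example (not the documentation's plugin). Returns true when the stay is
// acceptable, otherwise the error message the handler stores in prop.errors.
function validateDates(arrivalMs, departureMs, nowMs) {
  var DAY_MS = 24 * 60 * 60 * 1000;
  var MAX_STAY_DAYS = 30;                      // assumed business rule
  var now = nowMs === undefined ? Date.now() : nowMs;

  // Reject anything that is not a finite number: NaN from new Date("garbage"),
  // strings, objects or missing arguments all end up here.
  if (typeof arrivalMs !== "number" || !isFinite(arrivalMs) ||
      typeof departureMs !== "number" || !isFinite(departureMs)) {
    return "Arrival and departure must be valid dates";
  }
  // Compare at day granularity (UTC) so arriving later today is still allowed.
  var startOfToday = now - (now % DAY_MS);
  if (arrivalMs < startOfToday) {
    return "Arrival date cannot be in the past";
  }
  if (departureMs <= arrivalMs) {
    return "Departure must be after arrival";
  }
  if (departureMs - arrivalMs > MAX_STAY_DAYS * DAY_MS) {
    return "Stay cannot exceed " + MAX_STAY_DAYS + " nights";
  }
  return true;
}
```

The server-side check repeats what a client-side handler could also do on purpose: the browser handler can be bypassed or altered by the user, so the plugin, not the form, is the place where the rule is enforced.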

We could also use the api.prompt() function in the validate handler to display a message to the user in a prompt dialog. In the following version we also use the api.getRequester() method to fetch the requester's details and include them in the message. For example:

    function validate(api, prop) {
        var arrival = new Date(api.getProp('arrival').value);
        var departure = new Date(prop.value);
        return api.server(["validateDates", arrival.valueOf(), departure.valueOf()]).done(
            function (result) {
                var valid = result.returnValue;
                if (valid === true) {
                    return valid;
                } else {
                    prop.errors = [result.returnValue];
                    api.prompt("hey " + api.getRequester().userData['FirstName'][0] + " " +
                               api.getRequester().userData['LastName'][0] +
                               " You tried to submit this form but an error occurred during validation," +
                               " error message : " + result.returnValue);
                    return false;
                }
            });
    }

This is how it will be displayed to the user:
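api.prompt() renders its message as HTML, and the handler above concatenates the requester's name and the server-returned error text straight into that message. Anything that reaches those strings carrying markup (a display name set in the identity store, a plugin error built from user input) would therefore be rendered, not shown, in the dialog. The following is an added example, not portal code: escapeHtml() and buildValidationPrompt() are helpers written here, and the requester object in the test is constructed to mirror the api.getRequester().userData shape used above.

```javascript
// Added example (not from the documentation): build the prompt message with
// every dynamic part HTML-escaped, so only the markup we add ourselves is live.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Same message as the handler above, with the requester's names and the
// server's error text escaped; the <b> around the message is ours and stays HTML.
function buildValidationPrompt(requester, errorMessage) {
  var first = escapeHtml(requester.userData["FirstName"][0]);
  var last = escapeHtml(requester.userData["LastName"][0]);
  return "hey " + first + " " + last +
    " You tried to submit this form but an error occurred during validation," +
    " error message : <b>" + escapeHtml(errorMessage) + "</b>";
}
```

In the handler, api.prompt(buildValidationPrompt(api.getRequester(), result.returnValue)) replaces the string concatenation; the plugin's plain-text error message still reads the same, while a last name of the form <img src=x onerror=...> is displayed literally instead of being executed.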


Javadoc for CA Identity Portal Plugins

This Javadoc reference documents the API specification for CA Identity Portal Plugins.

To view the documentation, complete the following steps:

1. Download.
2. Save and extract locally.
3. Double-click index.html to open the Javadoc reference.

Programming CA Identity Portal

This section covers the following topics:

Configuring Plugins
Service Account APIs

Configuring Plugins

Follow these steps:

1. Log in to the admin UI.
2. Switch to the Plugins tab.
3. Click on the New Plugin button.
4. Give the Plugin a name. Important: the function you want to call in the class must match the plugin name.
5. Add initParams as key-value pairs if needed.
6. Select the Type of Plugin. The only available type is FormServerFunction, which means that the plugin can only be executed from a Form.
7. Select the Forms in which this plugin can be used.
8. Select the execution Type: Java for Java code plugins, JavaScript for server-side JavaScript code (RhinoJS).
9. If Java is selected, click the method text box and the available Java classes appear. If you cannot find the Java class you are looking for:
   a. Check that you have put your Java code in the plugin directory defined in the general configuration. If you are working in a cluster environment, verify that you have copied the code to all servers.
   b. Check that your code has the required annotation. See the Java Plugin section.
   c. Use the refresh URL to reload the plugins. See the Java Plugin section.
10. If JavaScript is selected, put your code in the JavaScript editor.

Calling a FormServerFunction Plugin from Form Handler

Plugins can be triggered from client form handlers (refer to the handlers section for more information).

The call api.server([<plugin_name>, arg1, arg2, arg3 …]) is used in the form handler to invoke, asynchronously, the Plugin code defined in the sigma admin UI.

The Plugin's return value is delivered in an object with a single parameter called returnValue.

Service Account APIs

CA Identity Portal exposes several API methods that enable external processes to fetch or update CA Identity Portal requests. These APIs are mostly helpful when an external process returns information to the requester and appends it to the request.

Use cases:

1. An access request that created accounts wants to return the list of accounts created in the provisioned system.
2. A request that opened a ticket in a ticketing system; the ticketing system wants to update the information in the request.

To update the request use the following REST service information:


REST Call Name: updateRequestInfo

Description: Update an existing request with more information; the update can be applied to various elements in the request.

URL: <Identity_Portal_url>/rest/request/updateRequestInfo

HTTP Method: POST

Request body content type: application/json

Request body content sample (as printed in the source; note that the outer pair of braces around the array is not valid JSON, so verify the exact wrapper against a working request):

    {[
        {
            "backendRequestId": "144233-54657f4a3-abc4566-4552a",
            "requestId": 41,
            "requestTargetPermissionId": 33,
            "requestPermissionId": 27,
            "infoToAppend": "add this text to all of the above elements",
            "protectedValue": false
        },
        {
            "backendRequestId": "144233-54657add-f4a3-abc4566",
            "requestId": 43,
            "requestTargetPermissionId": 35,
            "requestPermissionId": 27,
            "infoToAppend": "add another text to all of the above elements",
            "protectedValue": false
        }
    ]}

Request body content sample explanation (Important: at least one of the first 4 parameters is necessary):

backendRequestId: the backend task session id. If this parameter is sent, the information is linked to the element associated with that task session.

requestId: the CA Identity Portal request id. When using this parameter the information is linked to the top level of the request.

requestTargetPermissionId: the target permission instance in the request; its id can be viewed in the CA Identity Portal basket. When using this parameter the information is linked to all associated permissions.

requestPermissionId: the permission instance in the request; its id can be viewed in the CA Identity Portal basket. When using this parameter the information is linked to the permission.

infoToAppend: the information to add to the request.

protectedValue: boolean indicating whether to encrypt the data in the DB.

Success return status: HTTP OK (200)

The API is only exposed to a service account, which is configured in the General Configuration tab. Refer to the General Configuration section of the CA Identity Portal Administration Guide for more information about the service account.
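Before an external process posts to updateRequestInfo it is worth checking the body against the rules in the table, since a malformed element is the usual cause of a rejected call. The following is an added example, not part of the documentation: it builds the request body from the field names and value types in the sample above (backendRequestId a string, the other three ids numbers, infoToAppend text, protectedValue a boolean) and enforces the "at least one of the first 4 parameters" rule. The rejection of unknown keys and the length limit on infoToAppend are added here and are not stated on the page; the body is emitted as a bare JSON array (see the note on the sample's outer braces).

```javascript
// Added example (not from the documentation): pre-flight validation and
// serialization of an updateRequestInfo body.
var TARGET_KEYS = ["backendRequestId", "requestId", "requestTargetPermissionId", "requestPermissionId"];
var ALLOWED_KEYS = TARGET_KEYS.concat(["infoToAppend", "protectedValue"]);
var MAX_INFO_LENGTH = 4000;   // assumed limit; the page states none

function isPositiveInteger(v) {
  return typeof v === "number" && isFinite(v) && Math.floor(v) === v && v > 0;
}

// Validates one element; throws an Error naming the element and the problem.
function checkUpdateElement(element, index) {
  var where = "element " + index + ": ";
  if (element === null || typeof element !== "object" || Array.isArray(element)) {
    throw new Error(where + "must be an object");
  }
  Object.keys(element).forEach(function (k) {
    if (ALLOWED_KEYS.indexOf(k) === -1) throw new Error(where + "unknown key " + k);
  });
  // At least one of the four identifiers must be present (table rule).
  var targets = TARGET_KEYS.filter(function (k) {
    return element[k] !== undefined && element[k] !== null;
  });
  if (targets.length === 0) {
    throw new Error(where + "at least one of " + TARGET_KEYS.join(", ") + " is required");
  }
  // backendRequestId is a task session id string; the other three are numeric ids.
  if ("backendRequestId" in element && typeof element.backendRequestId !== "string") {
    throw new Error(where + "backendRequestId must be a string");
  }
  ["requestId", "requestTargetPermissionId", "requestPermissionId"].forEach(function (k) {
    if (k in element && !isPositiveInteger(element[k])) {
      throw new Error(where + k + " must be a positive integer");
    }
  });
  if (typeof element.infoToAppend !== "string" || element.infoToAppend.length === 0 ||
      element.infoToAppend.length > MAX_INFO_LENGTH) {
    throw new Error(where + "infoToAppend must be a non-empty string of at most " +
                    MAX_INFO_LENGTH + " characters");
  }
  if (typeof element.protectedValue !== "boolean") {
    throw new Error(where + "protectedValue must be a boolean");
  }
  return element;
}

// Returns the JSON request body for a non-empty list of update elements.
function buildUpdateRequestInfoBody(elements) {
  if (!Array.isArray(elements) || elements.length === 0) {
    throw new Error("at least one element is required");
  }
  return JSON.stringify(elements.map(checkUpdateElement));
}
```

The returned string is what the logged-in HTTP client (see the Java login example below) posts with content type application/json; set protectedValue to true for any infoToAppend that carries secrets such as generated credentials, so that it is encrypted in the DB rather than stored in clear.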


To perform the login you need to perform form authentication against CA Identity Portal. The following code is an example of how to log in to CA Identity Portal from Java using org.apache.commons.httpclient.HttpClient.

    // Required imports (Apache Commons HttpClient 3.x):
    import java.io.IOException;
    import javax.security.auth.login.LoginException;
    import org.apache.commons.httpclient.Header;
    import org.apache.commons.httpclient.HttpException;
    import org.apache.commons.httpclient.NameValuePair;
    import org.apache.commons.httpclient.methods.PostMethod;

    private void login(String username, String password)
            throws HttpException, IOException, LoginException {
        log.debug("Logging into Sigma");
        String loginUrl = this.sigmaUrl + this.loginSuffix;
        log.debug("Login URL is: " + loginUrl);
        PostMethod postMethod = new PostMethod(loginUrl);
        try {
            // Form authentication: the same j_username / j_password fields a browser login posts
            NameValuePair[] postData = new NameValuePair[2];
            postData[0] = new NameValuePair("j_username", username);
            postData[1] = new NameValuePair("j_password", password);
            postMethod.addParameters(postData);
            int loginResult = this.httpclient.executeMethod(postMethod);
            log.debug("Login post returned Http Status: [" + loginResult + "]");
            // A successful form login answers with a redirect (302) into the application
            if (loginResult != 302) {
                log.error("Error logging into Sigma with username: [" + username + "]");
                throw new LoginException("Error Logging into Sigma: " + postMethod.getResponseBodyAsString());
            }
            // A redirect whose last path segment does not start with /app (for example back
            // to the login page) means the credentials were rejected
            Header locationHeader = postMethod.getResponseHeader("Location");
            if (locationHeader == null) {
                log.error("Error logging into Sigma with username: [" + username + "]");
                throw new LoginException("Error Logging into Sigma: no Location header");
            }
            String location = locationHeader.getValue();
            if (!location.substring(location.lastIndexOf("/")).startsWith("/app")) {
                log.error("Error logging into Sigma with username: [" + username + "]");
                throw new LoginException("Error Logging into Sigma");
            }
            log.debug("Login successful");
        } finally {
            // Release the connection on every path, not only on success
            postMethod.releaseConnection();
        }
    }

After the HTTP client is logged in (its state holds the session cookie), you can use the same client to POST to the exposed APIs.


End User License Agreement (EULA)

CA End User License Agreement (the "Agreement") for the CA software product that is being installed as well as the associated documentation and any SDK, as defined below, included within the product ("the Product").

Carefully read the following terms and conditions regarding your use of the Product before installing and using the Product. Throughout this Agreement, you will be referred to as "You" or "Licensee."

By installing or using the Product, or by selecting the "I accept the terms of the License Agreement" radio button below, and then clicking on the "Next" button, you are

(I) Representing that you are not a minor, and have full legal capacity and have the authority to bind yourself and your employer, as applicable, to the terms of this Agreement; (II) Consenting on behalf of yourself and/or as an authorized representative of your employer, as applicable, to be bound by this Agreement.

By selecting the "I do NOT accept the terms of the License Agreement" radio button below, and then clicking on the "Cancel" button, the installation process will cease.

1. CA, Inc. (or the CA entity respectively identified after Section 15 below for the country / countries in which the Product is being supplied), (“CA”) provides Licensee with one (1) copy of the Product, for use in accordance with such (a) quantity and (b) CA published criteria for measuring the usage of the Product (such as, but not limited to, MIPS, CPUs, tiers, servers, or users), designated as the authorized use limitation ("Authorized Use Limitation") on any Order Form (defined below) or CD sleeve included within the Product box. CA licenses the Product to Licensee on a limited, non-exclusive, non-transferable basis only for internal business use during the Term and other terms and conditions of (a) any CA Order Form or Registration Form which has been signed or otherwise contracted between Licensee and a CA affiliate; or (b) a License Program Certificate which is provided by CA to Licensee, as applicable, referencing and incorporating the terms of this Agreement (each hereafter referred to as the "Order Form").

2. If the Product is an alpha or beta version of the program, hereinafter referred to as the "beta program" or "beta version" and not generally available to date, CA does not guarantee that the generally available release will be identical to the beta program or that the generally available release will not require reinstallation. Licensee agrees that if it registers for support or if otherwise required by CA, Licensee shall provide CA with specific information concerning Licensee’s experiences with the operation of the Product. Licensee agrees and acknowledges that the beta version of the Product (a) is to be used only for testing purposes and not to perform any production activities unless CA shall have otherwise approved in writing and (b) has not been tested or debugged and is experimental and that the documentation may be in draft form and will, in many cases, be incomplete. Licensee agrees that CA makes no representations regarding the completeness, accuracy or Licensee’s use or operation of the beta version of the Product. BETA PRODUCTS ARE PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OR REPRESENTATIONS OF TITLE OR NON-INFRINGEMENT. If Licensee is also a tester of the beta version of the Product (as defined by the beta testing or pre-release testing agreement (“Beta Testing Agreement”) that was agreed to by Licensee during the registration process before obtaining the beta version of the Product), Licensee agrees that the terms of this Agreement are in addition to, and do not supersede, the terms of the Beta Testing Agreement.


3. If the Product is being licensed on a trial or evaluation basis, Licensee agrees to use the Product solely for evaluation purposes, in accordance with the usage restrictions set forth in Section 1, for a thirty-day evaluation period unless a different period is otherwise noted (the "Trial Period"). At the end of the Trial Period, Licensee’s right to use the Product automatically expires and Licensee agrees to de-install the Product and return to CA all copies or partial copies of the Product or certify to CA in writing that all copies or partial copies of the Product have been deleted from Licensee’s computer libraries and/or storage devices and destroyed. If Licensee desires to continue its use of the Product beyond the Trial Period, Licensee may contact CA or a CA affiliate to acquire a license to the Product for the applicable fee. LICENSEE’S USE OF THE PRODUCT DURING THE TRIAL PERIOD IS ON AN "AS IS" BASIS WITHOUT ANY WARRANTY, AND CA DISCLAIMS ALL WARRANTIES INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, AS WELL AS ANY EXPRESS WARRANTIES PROVIDED ELSEWHERE IN THIS AGREEMENT.

4. If the Product includes a Software Development Kit ("SDK"), the terms and conditions of this paragraph apply solely for the use of the SDK. The SDK may include software, APIs and associated documentation. The SDK is provided solely for Licensee's internal use to develop software that enables the integration of third party software or hardware with the Product, or to develop software that functions with the Product, such as an agent. Licensee’s use of the SDK is restricted solely to enhance Licensee’s internal use of the Product. No distribution rights of any kind are granted to Licensee regarding the Product. In addition to the limitations on use set forth in Section 8, below, Licensee may not reproduce, disclose, market, or distribute the SDK or the documentation or any applications containing any executable versions of the SDK to third parties, on the internet, or use such executables in excess of the applicable Authorized Use Limitation. If there is a conflict between the terms of this section and the terms of any other section in this Agreement, the terms of this section will prevail solely with respect to the use of the SDK.

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, AND NOTWITHSTANDING ANYTHING CONTAINED HEREIN TO THE CONTRARY, THE SDK IS PROVIDED AND LICENSED "AS IS" WITHOUT WARRANTY OF ANY KIND.

5. Payment of the fees specified on the Order Form or as agreed between Licensee and an authorized reseller of CA or any of the CA affiliates, shall entitle Licensee to use the Product for the term specified on the Order Form (the "Term"), which use may include the right to receive maintenance services therefore for the period set forth on the Order Form. All fees payable hereunder shall be payable as stated in the Order Form, or if not stated, shall be payable net thirty (30) days from the CA invoice date. Licensee will install each new release of the Product delivered to Licensee. After the initial Term, continued usage and/or maintenance of the Product as provided herein shall be subject to the payment by Licensee of the fees described on the Order Form. If You are acquiring licenses of the Product from an authorized CA reseller, the terms of this Agreement governing payments, pricing and discounts shall not apply as such terms are between You and your chosen CA reseller. Any terms that may appear on a Licensee purchase order (including without limitation pre-printed terms), or as part of Licensee’s order with an authorized CA reseller, that conflict or vary from the terms and conditions of this Agreement shall not apply to the Product and shall be deemed null and void. Notwithstanding the foregoing, with respect to any Product that relies on continuous content updates, such as signature files and security updates, Licensee shall be entitled to such content updates for a period of one (1) year from the effective date of the license.

6. If maintenance is provided by CA or a CA affiliate, it shall be renewed annually as specified in the Order form. All fees are net of applicable taxes. Licensee agrees to pay any tariffs, duties or taxes imposed or levied by any government or governmental agency including, without limitation, federal, state and local, sales, use, value added and personal property taxes, (other than franchise and income taxes for which CA is responsible) upon a presentation of invoices by CA or a CA affiliate, as applicable. Any claimed exemption from such tariffs, duties or taxes must be supported by proper documentary evidence delivered to CA. Any invoice which is unpaid by Licensee when due shall be subject to an interest charge equal to the lower of 1.5% per month or the highest applicable legal rate.

7. Licensee may install and deploy the Product in the territory specified in the Order Form up to the Authorized Use Limitation. Licensee may permit its Authorized End Users access to the Product for Licensee’s and its Affiliates’ internal business wherever located, provided that Licensee hereby expressly agrees that a breach by an Authorized End User shall be considered to be a breach by and the responsibility of Licensee. Licensee may relocate the Product to a new Licensee location within the territory specified in the Order Form upon prior written notice. For purposes hereof, “Authorized End Users” means Licensee, its Affiliates and their employees and independent contractors (but excluding any outsourcer, facilities management providers, managed service provider, or application service provider) that are bound by terms and conditions no less restrictive than those contained herein and are acting on behalf of Licensee and not a third party; “Affiliate” with respect to Licensee means any legal entity in which the Licensee directly or indirectly Controls; and “Control” means ownership or control of greater than 50% of an entity’s shares or control of the board of such entity by force of law or contract, or the equivalent. If Licensee desires to use the Product beyond such restrictions, it shall notify CA or the CA affiliate the Licensee has procured the Product from, and Licensee will be invoiced for and shall pay the applicable fees for such expanded use.

8. The Product, including any source or object code that may be provided to Licensee hereunder, as well as documentation, appearance, structure and organization, is the proprietary property of CA and/or its licensors, if any, and may be protected by copyright, patent, trademark, trade secret and/or other laws. Title to the Product, or any copy, modification, translation, partial copy, compilation, derivative work or merged portion of any applicable SDK, shall at all times remain with CA and/or its licensors. Licensee agrees that CA may use any feedback provided by Licensee related to the Product for any CA business purpose, without requiring consent including reproduction and preparation of derivative works based upon such feedback, as well as distribution of such derivative works. Usage rights respecting the Product may not be exchanged for any other CA product. The Product is licensed as a single product. Its component parts may not be separated for use. Licensee and its Authorized End Users will keep the Product and the terms of this license strictly confidential and use its best efforts to prevent and protect the Product from unauthorized disclosure or use. Licensee may not (i) disclose, de-compile, disassemble nor otherwise reverse engineer the Product except to the extent the foregoing restriction is expressly prohibited under applicable law; (ii) create any derivative works based on the Product; (iii) use the Product to provide facilities management, outsourcing, service bureau, hosted services, cloud services, on demand services or like activity whereby Licensee, without a CA license authorizing such purpose, operates or uses the Product for the benefit of a third party; or (iv) permit the use of the Product by any third party, except as authorized by CA in writing. Licensee shall not release the results of any benchmark testing of the Product to any third party without the prior written consent of CA. 
Licensee will not transfer, assign, rent, lease, use, copy or modify the Product, in whole or in part, or permit others to do any of the foregoing with regard to the Product without CA’s prior written consent, except to the extent the foregoing restriction is expressly prohibited under applicable law. Licensee will not remove any proprietary markings of CA or its licensors. Licensee may make a reasonable number of copies of the Product for disaster recovery “cold standby”, backup and archival purposes; provided that use of such copies is limited to testing Licensee’s disaster recovery procedures and effectiveness and as is necessary during any reasonable period subsequent to the occurrence of an actual disaster during which Licensee cannot operate the Product. If this license terminates for any reason, Licensee shall certify to CA in writing that all copies and partial copies of the Product have been deleted from all computers and storage devices and are returned to CA or destroyed and are no longer in use. Licensee acknowledges that the Product is subject to control under European and U.S. law, including the Export Administration Regulations (15 CFR 730-774) and agrees to comply with all applicable import and export laws and regulations. Licensee agrees that the Product will not be exported, reexported or transferred in violation of U.S. law or used for any purpose connected with chemical, biological or nuclear weapons or missile applications, nor be transferred or resold, if Licensee has knowledge or reason to know that the Product is intended or likely to be used for such purpose. The Product and any accompanying documentation have been developed entirely at private expense and are "commercial item(s)" and "commercial computer software" as those terms are defined in Federal Acquisition Regulation Subpart 2.101 “Definitions.” The Product is exempt from disclosure under the Freedom of Information Act (FOIA), 5 U.S.C. §552(b) under one or more exemptions to that Act (or a similar U.S. state statute, as applicable). Any Product previously delivered to You may not be delivered again. Any Product not previously delivered to Licensee will be delivered to Licensee or its chosen reseller following receipt by CA of an acceptable order. The Product shall be delivered either by electronic delivery (“ESD”) or, if CA or a CA affiliate respectively requires delivery in tangible media, CPT, as defined in INCOTERMS 2010, from CA’s or such CA affiliate’s shipping point. CA or the CA affiliate from which Licensee is procuring the Product agrees to be responsible for all customs duties and clearances and title to any CA hardware if included will pass upon point of delivery to carrier at CA’s or such CA affiliate’s shipping location. In the event of electronic delivery, no tangible personal property will be delivered. Such electronic delivery may not automatically provide for an exemption from applicable sales or use tax. Any operating system identified as "Generic" or "GA" denotes such operating systems for which the Product is made generally available by CA in accordance with CA current published specifications. Acceptance is waived and deemed to have occurred at the earliest of point of physical shipment or delivery of keys/access codes for electronic delivery. CA Inc. is the manufacturer of the Product. CA reserves the right, on notice to You, to conduct an audit remotely or onsite of Licensee and/or Your Affiliates facilities to verify compliance by Licensee and its Authorized End Users with the terms of this Agreement. CA agrees that such audit shall be conducted during regular business hours at Your offices and CA shall endeavor to conduct such audit so as not to interfere unreasonably with Your activities and/or use an independent third party to conduct the audit subject to terms of non-disclosure if required. This Agreement shall be governed by and interpreted in accordance with the laws of the State of New York, without regard to its choice of law provisions, and any action arising under or relating to the Agreement shall lie within the exclusive jurisdiction of the State and Federal Courts located in Suffolk County, New York.

9. CA warrants that it can enter into this Agreement and that it will indemnify Licensee, or, at its option, settle any third party claim that CA is not so authorized or that Licensee’s use of the Product as authorized hereby infringes any United States patent or copyright within the jurisdictions where Licensee is authorized to use the Product at the time of delivery. CA also warrants that its distributed Product will operate materially in accordance with its published specifications set forth within the documentation for a period of ninety (90) days after delivery of the Product to Licensee, provided that CA’s only responsibility will be to use reasonable efforts, consistent with industry standards, to cure any defect. If, within a reasonable time after receiving Licensee’s written notice of breach of either of the above warranties, CA is unable to cause the Product to operate (a) without infringing a third party’s intellectual property rights, or (b) materially in accordance with CA’s written specifications, then CA may terminate the license and provide or arrange for a pro-rata refund to Licensee or its authorized CA reseller of the license fees and or the support and maintenance fees paid. In the event of such termination, the pro-rata refund shall be calculated on (i) the number of months left remaining on the Term of the applicable Order Form or (ii) if the Product is licensed under a perpetual license, using (only for purposes of a refund calculation) an amortization schedule of three (3) years. The warranties set forth in this Section do not apply to beta, trial, evaluation or demonstration versions of the Product, or to Software Development Kits. 
CA shall have no liability to indemnify or to remedy a warranty claim: (i) in the event the allegation of infringement or warranty claim is a result of a modification of the Product except a modification by CA, (ii) if the Product is not being used in accordance with CA’s specifications, related documentation and guidelines, (iii) if the alleged infringement or warranty claim would be avoided or otherwise eliminated by the use of a CA published update or patch, (iv) if the alleged infringement or warranty claim is a result of use of the Product in combination with any third party product, or (v) if the applicable fees due for the Product have not been paid or Licensee is otherwise in breach of this Agreement. The indemnifications contained herein shall not apply and CA shall have no liability in relation to any Product produced by CA at the specific direction of Licensee. THE FOREGOING PROVISIONS STATE THE ENTIRE LIABILITY AND OBLIGATIONS OF CA REGARDING CLAIMS OF INFRINGEMENT, AND THE EXCLUSIVE REMEDY AVAILABLE TO LICENSEE WITH RESPECT TO ANY ACTUAL OR ALLEGED INFRINGEMENT OR MISAPPROPRIATION OF ANY INTELLECTUAL PROPERTY OR OTHER PROPRIETARY RIGHTS.

10. EXCEPT AS SET FORTH ABOVE, TO THE FULL EXTENT PERMITTED BY APPLICABLE LAW:

(I) NO OTHER WARRANTIES, WHETHER EXPRESS OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ARE MADE BY CA; (II) IN NO EVENT WILL CA BE LIABLE TO LICENSEE OR ANY OTHER PARTY FOR ANY CLAIM FOR LOSS, INCLUDING TIME, MONEY, GOODWILL, AND CONSEQUENTIAL OR INDIRECT DAMAGES, WHICH MAY ARISE FROM THE USE, OPERATION OR MODIFICATION OF THE PRODUCT, EVEN IF CA HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN THE EVENT THAT THE ABOVE LIABILITY LIMITATION IS FOUND TO BE INVALID UNDER APPLICABLE LAW, THEN CA’S LIABILITY FOR SUCH CLAIM SHALL BE LIMITED TO THE AMOUNT OF THE LICENSE FEE ACTUALLY PAID FOR THE PRODUCT BY LICENSEE. NO THIRD PARTY, INCLUDING AGENTS, DISTRIBUTORS, OR AUTHORIZED CA RESELLERS IS AUTHORIZED TO MODIFY ANY OF THE ABOVE WARRANTIES OR MAKE ANY ADDITIONAL WARRANTIES ON BEHALF OF CA. CA DOES NOT WARRANT THAT THE PRODUCT WILL MEET LICENSEE’S REQUIREMENTS OR THAT USE OF THE PRODUCT WILL BE UNINTERRUPTED OR ERROR FREE.

11. Licensee may assign this Agreement only if Licensee complies with CA’s then prevailing policies respecting assignment of licenses, which includes a requirement that the scope of use of the Product not be expanded beyond the business of Licensee and the business of Licensee’s majority-owned subsidiaries.

12. If Licensee breaches any term of this Agreement or if Licensee becomes insolvent or if bankruptcy or receivership proceedings are initiated by or against Licensee, CA shall have the right to withhold its own performance hereunder and/or to terminate this Agreement immediately and, in addition to all other rights of CA, all amounts due or to become due hereunder, if any, will immediately be due and payable to CA or the CA affiliate the Licensee was procuring the Product from.

13. If Licensee fails to pay the applicable maintenance fee, then Licensee may reinstate maintenance thereafter by paying to CA or the respective CA affiliate a fee equal to 150% of CA’s then prevailing maintenance fee for each year for which the maintenance fee has not been paid.

14. If a court holds that any provision of this Agreement to be illegal, invalid or unenforceable, the remaining provisions shall remain in full force and effect. No waiver of any breach of this Agreement shall be a waiver of any other breach, and no waiver shall be effective unless made in writing and signed by an authorized representative of the waiving party. Any questions concerning this Agreement should be referred to CA, Inc., One CA Plaza, Islandia, NY 11749, Attention: Worldwide Law Department.

15. In the event Licensee acquires a license for the Product outside of the United States, the following Sections will apply to the use of the Product:

Notwithstanding the terms of the last sentence of Section 8, the laws of the country in which Licensee acquires a license for the Product shall govern this Agreement, except as otherwise provided below:

Europe, Middle East and Africa

1. In EMEA the CA entity that is the licensor is CA Europe Sàrl (“CA Europe”). CA Europe Sàrl is the licensor for Products which have been made available to Licensee by way of license from CA Europe Sàrl through a local CA subsidiary in EMEA or through an authorized CA reseller. The CA support and maintenance, if any, is being provided by a local CA subsidiary or by an authorized CA reseller.

2. EMEA means Europe, Middle East and Africa.

3. Section 9, third sentence and fifth sentence shall only apply to third party rights infringement. Section 9, second sentence is deleted and replaced with: “CA Europe also warrants that the Product will operate materially in accordance with the applicable specifications set forth within the documentation of the Product subject always to Licensee’s compliance with the terms of this Agreement. If CA Europe has breached this warranty Licensee’s remedy is for CA Europe, in consultation with Licensee, to either (i) use reasonable efforts consistent with industry standards to cure the defect, or (ii) replace the Product with one that materially complies with the documentation. If the defect cannot be cured within a reasonable period of time or if the rectification of the defect or replacement has finally failed, Licensee shall have (i) in case of a subscription license the right to reasonably reduce the fees agreed and/or terminate immediately for cause, if the legal or statutory requirements are met; (ii) in case of a perpetual license, at its option, the right (1) to rescind or reduce the fees agreed in the applicable transaction document and (2) claim damages or to claim reimbursement of futile expenditures. The right to claim damages or futile expenditures shall be subject to the limitations of liability set forth below in section 10. In case of a perpetual license the warranty claims stated herein shall become time-barred within ninety (90) days after delivery of the Product. Warranty remedies are conditioned upon (i) any error or defect complained of is reasonably reproducible by CA Europe, (ii) the Product is not modified and is being used in accordance with the documentation, and (iii) the breach is not attributable in whole or in part to any non-CA product(s) or service(s). The above warranties are the sole warranties provided by CA Europe.
No other warranties, including that the Product is error free, whether express or implied, including, without limitation, the implied warranties of satisfactory quality, non-infringement, or suitability and/or the warranty of fitness for a particular purpose are made by CA Europe or its suppliers. If Licensee claims under this warranty section, Licensee is not entitled or eligible to seek the same warranty remedies from any other CA affiliate.”

4. Section 10 is deleted and replaced with:

“10.1 CA Europe’s liability shall, regardless of the reason for the liability, be unlimited in cases of death or bodily injury or injury of health and damages caused by gross negligence or willful default of CA Europe or the grossly negligent or willful default of CA Europe’s legal representatives or persons whom CA Europe occupies with the performance of its contractual obligations and in cases of liability under the Product Liability Act (“Produktehaftpflichtgesetz”).

10.2 In case of slight negligence CA Europe shall, regardless of the reason for the liability, only be liable, if CA Europe violates an obligation, which is essential for the execution of the Agreement and in the fulfillment of which the other party regularly trusts. In this case, CA Europe’s liability to Licensee will be limited to damages which have been foreseeable and which can typically arise in connection with this Agreement.

10.3 Further to the above CA Europe’s liability to the Licensee for indirect, special and consequential damages (including, without limitation, loss of profits, loss of business, loss of opportunity or loss of goodwill) shall be limited to damages which have been foreseeable and which can typically arise in connection with this Agreement.

10.4 It is the parties’ understanding that the foreseeable damages that can typically arise in connection with the licenses granted in this Agreement in the meaning of sections 10.2 and 10.3 above shall be limited to a maximum of the fees paid or owed for the then current initial or renewal Term for which the Licensee has procured the Product.

10.5 The liability for loss of data shall be limited to the typical recovery efforts in the case of regular and adequate data back-up.

10.6 The remedies provided in this Agreement are the exclusive remedies of the parties.”

5. The following sections are added to this Agreement:


“Force Majeure. Except for payment obligations and obligations pertaining to non-disclosure, notwithstanding any contrary provision in this Agreement, neither Party will be liable for any action taken, or any failure to take any action required to be taken, in the event and to the extent that the taking of such action or such failure arises out of causes beyond a party’s control, including, without limitation, war, civil commotion, act of God, strike or other stoppage (whether partial or total) of labor, any law, decree, regulation or order of any government or governmental body (including any court or tribunal).”

“Licensee Data. If Licensee transfers any personal data to CA Europe as a requirement pursuant to any Product, then Licensee represents that (i) it is duly authorized to provide personal data to CA Europe and it does so lawfully in compliance with relevant legislation, (ii) CA Europe and any entity within the CA group of companies (each a "CA entity") or its subcontractors can process such data for the purposes of performing its obligations and (iii) CA Europe may disclose such data to any CA entity and its subcontractors for this purpose and may transfer such data to countries outside of the country of origin. CA, Inc. is Safe Harbour certified and the CA entities have committed to comply with relevant data protection/privacy legislation.”

6. The laws of Switzerland (excluding its conflict of laws provisions) shall govern the construction and enforceability of this Agreement. The parties agree that any action arising under or relating to this Agreement shall lie within the exclusive jurisdiction of the Swiss courts located in Zürich. The United Nations Convention on Contracts for the International Sale of Goods will not apply to this Agreement.

7. Any questions concerning this Agreement for EMEA should be referred to CA Europe Sàrl located at Building A, Lake Geneva Centre, Route de la Longeraie 9, 1110 Morges, Switzerland, Attention: Worldwide Law Department.

Argentina

The CA subsidiary that is the licensor is CA Argentina S.A.

The last sentence of Section 8 is deleted and replaced with: This Agreement shall be governed by and interpreted in accordance with the laws of Argentina. Any dispute hereunder shall be determined by the Tribunales de la Ciudad de Buenos Aires.

The last sentence of Section 14 is deleted and replaced with: Any questions concerning this Agreement should be referred to CA de Argentina S.A, Avenida Alicia Moreau de Justo, 400, 2 piso, 1107, Buenos Aires – At.: Finance Department.

Australia

The CA subsidiary that is the licensor is CA (Pacific) Pty. Ltd (ABN 20 001 146 345).

The following is added to the end of each of Sections 2, 3 and 10: Although CA specifies that there are no warranties, Licensee may have certain rights under the Competition and Consumer Act 2010 and other state and territory legislation which may not be excluded but may be limited. To the full extent permitted by law CA excludes all terms not expressly set out in the express terms of this Agreement, and limits any terms imposed by the Competition and Consumer Act 2010 and other state and territory legislation to the full extent permitted by the applicable legislation.

The last sentence of Section 8 is deleted and replaced with: The laws of the State or Territory in which the transaction is performed govern this Agreement.

The following is added to Section 10: Where CA is in breach of a condition or warranty implied by the Competition and Consumer Act 2010 or other state and territory legislation, CA's liability is limited, in the case of goods, to the repair or replacement of the goods, or payment for the repair or replacement of the goods, and in the case of services, the supplying of the services again or payment for the re-supply of the services, as CA may elect. Where that condition or warranty relates to a right to sell, quiet possession or clear title, in respect of goods or if the goods supplied by CA are of a kind ordinarily acquired for personal, domestic or household use or consumption, then none of the limitations in this Section apply.

Brazil

The CA subsidiary that is the licensor is CA Programas de Computador, Participações e Serviços Ltda.

The last sentence of Section 8 is deleted and replaced with: This Agreement shall be governed by and interpreted in accordance with the laws of Brazil. Any dispute hereunder shall be determined by a court of the São Paulo City Hall.

The last sentence of Section 14 is deleted and replaced with: Any questions concerning this Agreement should be referred to CA Programas de Computador, Participações e Serviços Ltda., Avenida das Nações Unidas, 12901 – 6 andar – Torre Norte – São Paulo – SP, 04578-000, At.: Worldwide Law Department.

Canada

The CA subsidiary that is the licensor is CA Canada Company.

The last sentence of Section 8 is deleted and replaced with: The laws in the Province of Ontario shall govern this Agreement.

Chile

The CA subsidiary that is the licensor is CA de Chile, S.A.

The last sentence of Section 8 is deleted and replaced with: This Agreement shall be governed by and interpreted in accordance with the laws of Chile. Any dispute hereunder shall be determined by the Tribunales Ordinarios de la Ciudad de Santiago.

The last sentence of Section 14 is deleted and replaced with: Any questions concerning this Agreement should be referred to CA de Chile, S.A, Avenida Providencia 1760, piso 15 – Edificio Palladio, oficina 1501 - 6640709 Providencia - Santiago – At.: Finance Department.

China

The CA subsidiary that is the licensor is CA (China) Co., Ltd.

The second sentence of Section 6 is deleted and replaced with: All fees are inclusive of VAT.

The last sentence of Section 8 is deleted and replaced with: This Agreement shall be governed by and interpreted in accordance with the laws of the People’s Republic of China, without regard to its choice of law provisions. Any dispute hereunder shall be determined by a competent court located in Beijing.

Colombia

The CA subsidiary that is the licensor is CA Software de Colombia S.A.

The last sentence of Section 8 is deleted and replaced with: This Agreement shall be governed by and interpreted in accordance with the laws of Colombia. Any dispute hereunder shall be determined by the Tribunales Ordinarios de la Ciudad de Bogotá.

The last sentence of Section 14 is deleted and replaced with: Any questions concerning this Agreement should be referred to CA Software de Colombia S.A, Edificio Grupo Santander Central Hispano Torre 2 - Oficina 401 Carrera 7 - Nº 99-53 - Bogotá D.C. - Colombia – At.: Finance Department.

Hong Kong

The CA subsidiary that is the licensor is CA (Hong Kong) Limited which is also its principal place of business at Suites 2301 2306, 23rd Floor, Dah Sing Financial Centre, 108 Gloucester Road, Wanchai, Hong Kong.

The last sentence of Section 8 is deleted and replaced with: This Agreement shall be governed by and interpreted in accordance with the laws of Hong Kong. The courts of Hong Kong will have sole and exclusive jurisdiction with respect to any disputes arising out of this Agreement.

The following is added at the end of Section 10: The aforementioned liability limitation and the aforementioned maximum liability amount will not affect or prejudice the statutory rights of the licensee under the sale of goods ordinance, the supply of services (implied terms) ordinance or the control of exemption sections ordinance, nor will they limit or exclude any liability for death or personal injury solely caused by CA's negligence.

India

The CA subsidiary that is the licensor is CA (India) Technologies Private Limited.

The last sentence of Section 8 is deleted and replaced with: This Agreement and the terms hereof shall be governed and construed in accordance with the laws of India and the courts of Mumbai shall have sole and exclusive jurisdiction with respect to any disputes arising out of this Agreement. In the event the Product is delivered electronically, the said Product shall be made available by CA for downloading from a server situated in a country other than India.

Indonesia (refer to Singapore)

Japan

The CA subsidiary that is the licensor is CA Japan, Ltd.

The third sentence of Section 6 is deleted and replaced with: Licensee agrees to pay any tariffs, duties or taxes imposed or levied by any government or governmental agency other than the taxes for which CA is responsible upon a presentation of invoices by CA.

The last sentence of Section 8 is deleted and replaced with: This Agreement shall be governed by and interpreted in accordance with the laws of the country of Japan, without regard to its choice of law provisions. Any dispute hereunder shall finally be determined by Tokyo District Court located in Tokyo Japan.

The last sentence of Section 14 is deleted and replaced with: Any questions concerning this Agreement should be referred to CA Japan, Ltd., 2-7-9, Hirakawa-cho, Chiyoda-ku, Tokyo, 102-0093, Japan, Attention: Worldwide Law Department.

Korea

The CA subsidiary that is the licensor is CA Korea Inc., Ltd.

The last sentence of Section 8 is deleted and replaced with: This Agreement shall be governed by and interpreted in accordance with the laws of Republic of Korea, without regard to its choice of law provisions.

The last sentence of Section 14 is deleted and replaced with: Any questions concerning this Agreement should be referred to CA Korea Inc., Ltd, City Air Tower (18th Fl.), 159-9, Samsung-Dong, Kangnam-Ku, Seoul 135-973 Korea, Attention: Worldwide Law Department.

Malaysia

The CA subsidiary that is the licensor is CA (Malaysia) Sdn. Bhd.

The last sentence of Section 8 is deleted and replaced with: This Agreement shall be governed by and interpreted in accordance with the laws of Malaysia. The courts of Malaysia will have sole and exclusive jurisdiction with respect to any disputes arising out of this Agreement.

The following is added to Section 10: Although CA specifies that there are no other warranties, Licensee may have certain rights under the Consumer Protection Act 1999 and the warranties are only limited to the extent permitted by the applicable legislation.

Mexico

The CA subsidiary that is the licensor is CA Software de México S.A. de C.V.

The last sentence of Section 8 is deleted and replaced with: This Agreement shall be governed by and interpreted in accordance with the laws of México. Any dispute hereunder shall be determined by the Tribunales de la Ciudad de México.

The last sentence of Section 14 is deleted and replaced with: Any questions concerning this Agreement should be referred to CA Software de México S.A. de C.V, Av. Miguel de Cervantes Saavedra 193, Suite 502, Col. Granada, Mexico City, MX 11500 – At.: Finance Department.

New Zealand

The CA subsidiary that is the licensor is CA Pacific (NZ) Ltd.

Notwithstanding the final sentence of Section 6, the applicable interest charge on invoices unpaid by Licensee is 1.5% per month.

The last sentence of Section 8 is deleted and replaced with: This Agreement shall be governed by and interpreted in accordance with the laws of New Zealand. The courts of New Zealand will have sole and exclusive jurisdiction with respect to any disputes arising out of this Agreement.

The following is added to Section 10: Although CA specifies that there are no warranties, Licensee may have certain rights under the Consumer Guarantees Act 1993 or other legislation which cannot be excluded or limited. The Consumer Guarantees Act 1993 will not apply in respect of any goods or services which CA supplies, if Licensee acquires the goods and services for the purposes of a business as defined in that Act. Where the Product is not acquired for the purposes of a business as defined in the Consumer Guarantees Act 1993, the limitations in this Section are subject to the limitations in that Act.

The following is added to Section 12: CA’s rights under this Section shall also apply if any resolution is passed or proceedings are commenced for the liquidation or winding up of Licensee.

Peru

The CA subsidiary that is the licensor is CA de Peru S.A.

The last sentence of Section 8 is deleted and replaced with: This Agreement shall be governed by and interpreted in accordance with the laws of Peru. Any dispute hereunder shall be determined by the Tribunales Ordinarios de La Ciudad de Lima.

The last sentence of Section 14 is deleted and replaced with: Any questions concerning this Agreement should be referred to CA de Peru S.A, Avenida Paseo de La Republica, 3211, Piso 11, San Isidro, Lima 27, Peru – At.: Finance Department.

PhilippinesThe CA subsidiary that is the licensor is Philippine Computer Associates International, Inc.

The first eight sentences of Section 8 are deleted and replaced with:Title to the Product and all modifications thereto shall remain with CA. The Product is a trade secret and the proprietary property of CA or its licensors. Licensee agrees that CA may use any feedback provided by Licensee related to the Product for any CA business purpose, without requiring consent including reproduction and preparation of derivative works based upon such feedback, as well as distribution of such derivative works. Usage rights respecting the Product may not be exchanged for any other CA product. Licensee and its employees will keep the Product and the terms of this Agreement strictly confidential. To the maximum extent permitted by applicable law, Licensee will not disclose, de-compile, disassemble nor otherwise reverse engineer the Product.

The last sentence of Section 8 is deleted and replaced with: This Agreement shall be governed by and interpreted in accordance with the laws of the Philippines. The courts of Makati City will have sole and exclusive jurisdiction with respect to any disputes arising out of this Agreement.

Section 12 is deleted and replaced with: If Licensee breaches any term of this Agreement or if Licensee becomes insolvent or if bankruptcy or receivership proceedings are initiated by or against Licensee, CA shall have the right to withhold its own performance hereunder and/or to terminate this Agreement immediately upon notice and, in addition to all other rights of CA, all amounts due or to become due hereunder will immediately be due and payable to CA.

Singapore

The CA subsidiary that is the licensor is CA (Singapore) Pte. Ltd.

The last sentence of Section 8 is deleted and replaced with: This Agreement shall be governed by and interpreted in accordance with the laws of Singapore. The courts of Singapore will have sole and exclusive jurisdiction with respect to any disputes arising out of this Agreement.

The following is added to the end of Section 9: To the full extent permitted by applicable law, CA disclaims all implied conditions or warranties of satisfactory quality or fitness for purpose.

Taiwan

The CA subsidiary that is the licensor is CA (Taiwan) Limited whose registered office is situated at 17F/B, No. 167, Tun Hwa North Road, Taipei City 105, Taiwan.

The second sentence of Section 6 is deleted and replaced with: All fees are exclusive of VAT.

The last sentence of Section 8 is deleted and replaced with: This Agreement shall be governed by and interpreted in accordance with the laws of Taiwan, without regard to its choice of law provisions. Any dispute hereunder shall be determined by Taipei District Court.

Thailand

The CA subsidiary that is the licensor is CA Sales (Thailand) Co., Ltd.


The last sentence of Section 8 is deleted and replaced with: This Agreement shall be governed by and interpreted in accordance with the laws of Thailand. The courts of Thailand will have sole and exclusive jurisdiction with respect to any disputes arising out of this Agreement.

Venezuela

The CA subsidiary that is the licensor is Computer Associates (CAI) de Venezuela, CA.

The last sentence of Section 8 is deleted and replaced with: This Agreement shall be governed by and interpreted in accordance with the laws of Venezuela. Any dispute hereunder shall be determined by the Tribunales Ordinarios de la Ciudad de Caracas.

The last sentence of Section 14 is deleted and replaced with: Any questions concerning this Agreement should be referred to Computer Associates (CAI) de Venezuela, CA, Avenida Francisco de Miranda, Centro Lido, Torre B, piso 5, oficina B-51, El Rosal, Caracas 1060, Venezuela – At.: Finance Department.

16. If the Product contains third party software, and the licensor requires the incorporation of specific license terms and conditions for such software into this Agreement, those specific terms and conditions, which are hereby incorporated by this reference, are located below this Agreement.

Licensee acknowledges that this license has been read and understood and by selecting the "I accept the terms of the License Agreement" radio button, licensee accepts its terms and conditions. Licensee also agrees that this license (including any order form referencing this Agreement and any terms relating to third party software which are set forth below this Agreement) constitutes the complete Agreement between the parties regarding this subject matter and that it supersedes any information licensee has received relating to the subject matter of this Agreement, except that this Agreement (excluding the third party terms below) will be superseded by any written Agreement, executed by both licensee and CA, granting licensee a license to use the product. This Agreement may only be amended by a written Agreement signed by authorized representatives of both parties.

Select the "I accept the terms of the License Agreement" radio button, and then click on the "Next" button to accept the terms and conditions of this Agreement as set forth above and proceed with the installation process.

Select the "I do NOT accept the terms of the License Agreement" radio button and then click on the "Cancel" button to halt the installation process.


Predefined Use Cases

The predefined use cases are a set of commonly used use cases that can be deployed as part of the Identity Manager installation, with a few follow-up steps in the Identity Portal post-installation steps.

Currently included use cases:

Contractor Life Cycle
- Create Contractor
- Create Multiple Contractors
- Modify Contractor
- Change contractor to employee
- Terminate Contractor
- Extend Contractor
- Change Manager
- Create Contractor from Feed

Employee Life Cycle
- Create Multiple Employees
- Convert employee to contractor
- Terminate Employee
- Modify Employee
- Change Manager
- Create Employee from Feed

Self Service
- Set my security questions

In addition, all use cases can be deployed together.


Contractor Life Cycle

Contractors are temporary full or part time workers, usually with a preset termination date, and usually with very limited changes in position, job title or any other identity information. Some organizations will onboard those users from an HR system, in a similar manner to employees; others will onboard the users based on requests or feeds.

The contractor life cycle actions are accessible from the Contractor lifecycle management icon on the main screen, or from the Contractor lifecycle management menu.

The contractor life cycle covers the changes that happen to the contractor through the following phases:

1. Contractor information is provided from a feed (pre-hire)
   a. Setup of user ID and initial password
   b. Provisioning accounts
   c. Enabling the user and the account on the start date
2. Onboarding of employees who become contractors
3. Modifying contractor information
4. Alerting the manager on a pending end date
5. Extending the contract end date
6. Termination or retirement according to the contract end date
   a. Removing accounts and permissions for the user
   b. Archiving and optionally deleting the identity
7. Termination by changing the contractor into an employee

This cycle is covered by the following sub use cases:

- Create Contractor
- Create Multiple Contractors
- Modify Contractor
- Convert contractor to employee
- Terminate Contractor
- Extend Contractor
- Change Manager
- Create Contractor from Feed

Change Manager

To change a contractor's manager, search for the contractor in the Contractor lifecycle management module, and select the Change Manager action.

In the Change Manager form, you can change the Manager by clicking on the Select User button.

Upon submit, the system will send an approval workflow to the selected manager.

The request can be tracked in the My Requests module.

Convert Contractor to Employee

To convert a contractor to an employee, search for the contractor in the Contractor lifecycle management module, and select the Convert Contractor To Employee action.

A warning will be presented that the user will be converted.

By clicking on submit, an approval request will be sent to the manager.

Create Contractor

New contractors can be created using the Create New button in the Contractor lifecycle management module, and selecting Create New Contractor.

In the Create New Contractor form, fill in the:

1. Contractor's name
2. Email (optional)
3. Start and end date, or start date and duration
4. Manager

Upon submit, the system will generate a user ID and initial password, and send them to the selected manager.

The request can be tracked in the My Requests module.

Create Contractor from Feed

To create multiple contractors from a feed, click on the "Create New" button in the Contractor lifecycle management module, and select the Create Multiple Contractor action.

In the Create Multiple Contractor form, you can upload a CSV file with users.

In the Upload form, click on the "Browse" button to upload the required CSV file. You can also click the "Download a sample templates" link to download a sample CSV file.

The CSV feed includes the following attributes:

- action
- %USER_ID%
- %EMPLOYEE_NUMBER%
- %FIRST_NAME%
- %LAST_NAME%
- %MIDDLE_NAME%
- %MANAGER_EMPLOYEE_NUMBER%
- %ACTIVATION_DATE%
- %EXPIRATION_DATE%

Upon submit, the system will send an approval workflow to the selected manager, including the temporary password.

The request can be tracked in the My Requests module.

Create Multiple Contractors

Creating multiple new contractors from a CSV file can be done using the Create New button in the Contractor lifecycle management module, and selecting Create Multiple Contractors.

From the Create Multiple Contractors screen, click on Upload Content to upload a CSV file with the new contractors to create. A sample CSV file can be downloaded from the same screen.

The sample CSV:

%USER_ID%,%FIRST_NAME%,%LAST_NAME%,%MIDDLE_NAME%,%ACTIVATION_DATE%,%EMPLOYEE_NUMBER%,%EXPIRATION_DATE%,%MANAGER_EMPLOYEE_NUMBER%

none,First Name,Last Name,Middle Name/Initial,Start Date,Employee ID,End Date,Managers Employee ID

Notes for the CSV file data:

1. User ID should be set to none, as it will be created internally.
2. Employee ID is optional.
3. Use the manager's employee ID and not the manager's user ID.


Extend Contractor

To extend a contractor's expiration date, search for the contractor in the Contractor lifecycle management module, and select the Extend Contractor action.

In the Extend Contractor form, you can change the End date, or add days to the current End date by using the Contact Period drop-down.

You can choose from 4 periods of time:

- 30 Days
- 60 Days
- 90 Days
- 120 Days

Upon submit, the system will send an approval workflow to the selected manager.

The request can be tracked in the My Requests module.

Modify Contractor

Contractors can be modified in the Contractor lifecycle management module by selecting Modify Contractor.

In the Modify Contractor form, you can modify the:

1. First name
2. Last name
3. Full name
4. Manager
5. Email
6. Address
7. Phone number
8. City
9. Country

Upon submit, the system will send an approval workflow to the selected manager.

The request can be tracked in the My Requests module.

Terminate Contractor

This section contains the following topics:

- Termination Events
  - Manual termination from Identity Portal
  - Automatic, time based termination that occurs when the contractor end date has arrived
- Termination and Post Termination Events
  - Events on termination
  - Post termination events
  - User Archiving

Termination Events

Contract termination can occur in two cases:

1. Manual termination from Identity Portal
2. Automatic, time based termination that occurs when the contractor end date has arrived


Manual termination from Identity Portal

To terminate a contractor immediately, search for the contractor in the Contractor lifecycle management module, and select the Terminate Contractor action.

A warning will be presented that the user will be disabled.

Clicking on submit will terminate the contractor immediately.

Automatic, time based termination that occurs when the contractor end date has arrived

The system will check, on a daily basis, the contractor's termination date, and will send a notification to the contractor's manager 30 days and 14 days prior to the termination date. This notification allows the manager to extend the contract, if needed.

If the contract has not been extended by the contractor's end date, the contractor will be terminated.

Termination and Post Termination Events

Events on termination

When a contractor is terminated, the following events will happen:

1. User access will be disabled
2. All provisioning roles, with the exception of the provisioning roles that are explicitly excluded, will be removed
3. User Status will be changed from active to terminated


Post termination events

Six months (180 days) after contractor termination, the user status will be changed from terminated to archived.

User Archiving

One year (365 days) after user archiving, the user record will be deleted. In effect, the user status will be changed to deleted.

Deployment

The predefined use cases include components in CA Directory, Identity Manager and Identity Portal.

The steps required for deployment of the use cases:

1. Install CA Directory on the server to host the user store and Identity Manager.
2. Install Identity Manager on the same server, and select the Predefined Use Cases option in the Identity Manager installer.
3. Validate the installation by logging into the environment at http://idmserver:port/iam/im/identityEnv using the user imadmin and the password test.
4. Install Identity Portal.
5. Download the use case configuration JSON files from http://idpserver:port/usecasescreator.
6. Login to the Identity Portal admin UI at http://idpserver:port/sigma/admin.
   a. From the Administration menu, select Import and click on Upload a file to load a JSON file.
   b. Load the Initial settings file.
   c. Validate the Identity Manager connector in the Backend Management, and start it.
   d. Load the Use case files, in no particular order, or
   e. Load the All Use Cases in One File.
7. Validate the configuration by logging into http://idpserver:port/sigma using the user imadmin and the password test.
8. If you are planning to use any use case that includes a feed process, install the Bulk Loader Client, and download the configuration and sample files for the following use cases:
   a. Create Contractor from Feed
   b. Create Employee from Feed
   c. Modify Employee


Employee Life Cycle

Employees are workers who are employed full or part time, usually without a predefined termination date.

The employee life cycle covers the changes that happen to the employee through the following phases:

1. Employee information is provided from HR (pre-hire)
   a. Setup of user ID and initial password
   b. Provisioning accounts
   c. Enabling the user and the account on the start date
2. Onboarding of contractors who become employees
3. Receiving updates from HR, propagating required information to the user's accounts
4. Adding or removing permissions according to changes in the user's position, job title or any other identity information
5. Termination or retirement according to information provided by HR
   a. Removing accounts and permissions for the user
   b. Archiving and optionally deleting the identity
6. Termination by changing the employee into a contractor

This cycle is covered by the following sub use cases:

- Create Multiple Employees
- Convert Employee to Contractor
- Terminate Employee
- Modify Employee
- Change Manager

Convert Employee to Contractor

To convert an employee to a contractor, search for the employee in the Employee lifecycle management module, and select the Convert Employee To Contractor action.

A warning will be presented that the user will be converted.

By clicking on submit, an approval request will be sent to the manager.

Create Multiple Employees

Creating multiple new employees from a CSV file can be done using the Create New button in the Employee lifecycle management module, and selecting Create Multiple Employees.

From the Create Multiple Employees screen, click on Upload Content to upload a CSV file with the new employees to create. A sample CSV file can be downloaded from the same screen.

The sample CSV:

%USER_ID%,%FIRST_NAME%,%LAST_NAME%,%MIDDLE_NAME%,%ACTIVATION_DATE%,%EMPLOYEE_NUMBER%,%EXPIRATION_DATE%,%MANAGER_EMPLOYEE_NUMBER%

none,First Name,Last Name,Middle Name/Initial,Start Date,Employee ID,End Date,Managers Employee ID

Notes for the CSV file data:

1. User ID should be set to none, as it will be created internally.
2. Employee ID is optional.
3. Use the manager's employee ID and not the manager's user ID.
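An added example, not part of the CA documentation, that pre-checks a Create Multiple Contractors or Create Multiple Employees feed against the notes above (User ID must be none, Employee ID optional and unique, manager given as an employee ID rather than a user ID) before it is uploaded. It assumes YYYY-MM-DD dates and a constructed directory lookup of existing employee numbers and user IDs; neither is specified by the page.

```javascript
// Added example, not the product's own loader: offline validation of a bulk
// CSV feed against the sample template and the notes for the CSV file data.
var TEMPLATE_HEADER = [
  '%USER_ID%', '%FIRST_NAME%', '%LAST_NAME%', '%MIDDLE_NAME%',
  '%ACTIVATION_DATE%', '%EMPLOYEE_NUMBER%', '%EXPIRATION_DATE%',
  '%MANAGER_EMPLOYEE_NUMBER%'
];

// Minimal CSV field splitter: handles quoted fields and doubled-quote escapes.
function parseCsvLine(line) {
  var fields = [], cur = '', inQuotes = false;
  for (var i = 0; i < line.length; i++) {
    var c = line.charAt(i);
    if (inQuotes) {
      if (c === '"' && line.charAt(i + 1) === '"') { cur += '"'; i++; }
      else if (c === '"') { inQuotes = false; }
      else { cur += c; }
    } else if (c === '"') {
      inQuotes = true;
    } else if (c === ',') {
      fields.push(cur); cur = '';
    } else {
      cur += c;
    }
  }
  fields.push(cur);
  return fields;
}

function isIsoDate(s) {
  return /^\d{4}-\d{2}-\d{2}$/.test(s) && !isNaN(Date.parse(s));
}

// directory: { employeeNumbers: [...], userIds: [...] } of identities already
// known to Identity Manager (an assumed lookup, constructed for this example).
function validateFeed(csvText, directory) {
  var lines = csvText.split(/\r?\n/).filter(function (l) { return l.trim() !== ''; });
  var errors = [];
  var header = parseCsvLine(lines[0]).map(function (h) { return h.trim(); });
  if (header.join(',') !== TEMPLATE_HEADER.join(',')) {
    errors.push({ row: 1, error: 'header does not match the sample template' });
    return { rows: 0, errors: errors };
  }
  var seenEmployeeNumbers = {};
  for (var n = 1; n < lines.length; n++) {
    var row = n + 1;
    var fields = parseCsvLine(lines[n]);
    if (fields.length !== header.length) {
      errors.push({ row: row, error: 'expected ' + header.length + ' fields, got ' + fields.length });
      continue;
    }
    var rec = {};
    header.forEach(function (h, i) { rec[h] = fields[i].trim(); });

    if (rec['%USER_ID%'].toLowerCase() !== 'none') {
      errors.push({ row: row, error: 'User ID must be "none"; it is created internally' });
    }
    if (!rec['%FIRST_NAME%'] || !rec['%LAST_NAME%']) {
      errors.push({ row: row, error: 'first and last name are required' });
    }
    var emp = rec['%EMPLOYEE_NUMBER%'];   // optional, but must not collide
    if (emp) {
      if (seenEmployeeNumbers[emp] || directory.employeeNumbers.indexOf(emp) !== -1) {
        errors.push({ row: row, error: 'Employee ID ' + emp + ' is already in use' });
      }
      seenEmployeeNumbers[emp] = true;
    }
    var start = rec['%ACTIVATION_DATE%'], end = rec['%EXPIRATION_DATE%'];
    if (!isIsoDate(start) || !isIsoDate(end)) {
      errors.push({ row: row, error: 'start and end date must be YYYY-MM-DD' });
    } else if (Date.parse(end) <= Date.parse(start)) {
      errors.push({ row: row, error: 'end date must be after start date' });
    }
    // The manager column must hold the manager's employee ID, not a user ID.
    var mgr = rec['%MANAGER_EMPLOYEE_NUMBER%'];
    if (directory.employeeNumbers.indexOf(mgr) === -1) {
      errors.push({
        row: row,
        error: directory.userIds.indexOf(mgr) !== -1
          ? 'manager "' + mgr + '" is a user ID; use the manager\'s employee ID'
          : 'unknown manager employee ID "' + mgr + '"'
      });
    }
  }
  return { rows: lines.length - 1, errors: errors };
}

// Constructed sample feed and directory (not real data).
var SAMPLE_FEED = [
  TEMPLATE_HEADER.join(','),
  'none,Ada,Lovelace,,2019-11-04,C1001,2020-05-01,E0042',     // valid row
  'none,Charles,Babbage,M,2019-11-04,,2020-02-01,cbabbage',  // manager given as user ID
  'jdoe,"Doe, Jane",Doe,,2019-11-04,C1003,2019-10-01,E0099'  // user ID set, end before start, unknown manager
].join('\n');
var SAMPLE_DIRECTORY = { employeeNumbers: ['E0042', 'E0077'], userIds: ['alovelace', 'cbabbage'] };
```

Running validateFeed(SAMPLE_FEED, SAMPLE_DIRECTORY) reports one error for row 3 and three for row 4, each with the row number the upload would otherwise fail on.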

Modify Employee

Employees can be modified in the Employee lifecycle management module by selecting Modify Employee.

In the Modify Employee form, you can modify the:

1. First name
2. Last name
3. Full name
4. Manager
5. Email
6. Address
7. Phone number
8. City
9. Country

Upon submit, the system will send an approval workflow to the selected manager.

The request can be tracked in the My Requests module.

Terminate Employee

This section contains the following topics:

- Termination Events
  - Manual termination from Identity Portal
  - Automatic, time based termination that occurs when the Employee end date has arrived
- Termination and Post Termination Events
  - Events on termination
  - Post termination events
  - User Archiving

Termination Events

Employee termination can occur in two cases:

1. Manual termination from Identity Portal
2. Automatic, time based termination that occurs when the Employee end date has arrived

Manual termination from Identity Portal

To terminate an employee immediately, search for the employee in the Employee lifecycle management module, and select the Terminate Employee action.

A warning will be presented that the user will be disabled.

Clicking on submit will terminate the employee immediately.

Automatic, time based termination that occurs when the Employee end date has arrived

The system will check, on a daily basis, the Employee's termination date, and will send a notification to the Employee's manager 30 days and 14 days prior to the termination date. This notification allows the manager to extend employment, if needed.

If employment has not been extended by the Employee's end date, the Employee will be terminated.

Termination and Post Termination Events

Events on termination

When an Employee is terminated, the following events will happen:

1. User access will be disabled
2. All provisioning roles, with the exception of the provisioning roles that are explicitly excluded, will be removed
3. User Status will be changed from active to terminated

Post termination events

Six months (180 days) after employee termination, the user status will be changed from terminated to archived.

User Archiving

One year (365 days) after user archiving, the user record will be deleted. In effect, the user status will be changed to deleted.
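An added example, not the product's own scheduler, that models the daily check described in both the Terminate Contractor and the Terminate Employee sections (manager notification 30 and 14 days before the end date, termination when the end date arrives without an extension, archiving 180 days after termination, deletion 365 days after archiving), together with the Extend Contractor periods. The record field names, the action strings and the sample identity are this example's own assumptions.

```javascript
// Added example (not CA code): the termination timeline as a daily job.
var NOTIFY_DAYS_BEFORE_END = [30, 14];
var DAYS_TERMINATED_TO_ARCHIVED = 180;
var DAYS_ARCHIVED_TO_DELETED = 365;
var EXTENSION_PERIODS = [30, 60, 90, 120];   // Contact Period drop-down options
var MS_PER_DAY = 86400000;

// Dates are YYYY-MM-DD strings, parsed as UTC so day arithmetic is exact.
function daysBetween(fromIso, toIso) {
  return Math.round((Date.parse(toIso) - Date.parse(fromIso)) / MS_PER_DAY);
}

function addDays(iso, days) {
  return new Date(Date.parse(iso) + days * MS_PER_DAY).toISOString().slice(0, 10);
}

// Manual and automatic termination share the same events: disable access,
// remove every provisioning role except the explicitly excluded ones, and
// move the status from active to terminated.
function terminate(record, todayIso) {
  var excluded = record.excludedRoles || [];
  var removed = record.provisioningRoles.filter(function (r) { return excluded.indexOf(r) === -1; });
  var kept = record.provisioningRoles.filter(function (r) { return excluded.indexOf(r) !== -1; });
  var updated = Object.assign({}, record, {
    status: 'terminated', accessEnabled: false,
    provisioningRoles: kept, terminationDate: todayIso
  });
  return { record: updated, actions: ['disable-access', 'remove-roles:' + removed.join(',')] };
}

// Extend Contractor: add one of the allowed periods to the current end date.
function extendEndDate(record, days) {
  if (record.status !== 'active') throw new Error('only an active identity can be extended');
  if (EXTENSION_PERIODS.indexOf(days) === -1) throw new Error('period must be one of ' + EXTENSION_PERIODS.join('/'));
  return Object.assign({}, record, { expirationDate: addDays(record.expirationDate, days) });
}

// One run of the daily check for a single identity: returns the updated
// record and the actions taken that day (empty when nothing is due).
function dailyCheck(record, todayIso) {
  var actions = [];
  var r = record;
  if (r.status === 'active') {
    var daysUntilEnd = daysBetween(todayIso, r.expirationDate);
    if (daysUntilEnd > 0) {
      if (NOTIFY_DAYS_BEFORE_END.indexOf(daysUntilEnd) !== -1) {
        actions.push('notify-manager:' + daysUntilEnd + '-days-before-end');
      }
      return { record: r, actions: actions };
    }
    var t = terminate(r, todayIso);   // end date arrived without an extension
    r = t.record;
    actions = actions.concat(t.actions);
  }
  if (r.status === 'terminated' && daysBetween(r.terminationDate, todayIso) >= DAYS_TERMINATED_TO_ARCHIVED) {
    r = Object.assign({}, r, { status: 'archived', archivedDate: todayIso });
    actions.push('archive');
  }
  if (r.status === 'archived' && daysBetween(r.archivedDate, todayIso) >= DAYS_ARCHIVED_TO_DELETED) {
    r = Object.assign({}, r, { status: 'deleted' });
    actions.push('delete');
  }
  return { record: r, actions: actions };
}

// Run the daily check over a date range (inclusive) and keep only the days on
// which something happened.
function simulate(record, fromIso, toIso) {
  var events = [], r = record;
  for (var d = fromIso; daysBetween(d, toIso) >= 0; d = addDays(d, 1)) {
    var out = dailyCheck(r, d);
    r = out.record;
    if (out.actions.length) events.push({ date: d, status: r.status, actions: out.actions });
  }
  return events;
}

// Constructed sample contractor (not real data).
var SAMPLE_CONTRACTOR = {
  userId: 'c-ada', status: 'active', accessEnabled: true,
  expirationDate: '2019-12-01',
  provisioningRoles: ['Contractor Base', 'VPN', 'Mail'],
  excludedRoles: ['Contractor Base']   // roles that survive termination
};
```

simulate(SAMPLE_CONTRACTOR, '2019-11-01', '2021-05-29') yields five event days: the two notifications, the termination on 2019-12-01, archiving on 2020-05-29 and deletion on 2021-05-29.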


Self Service

The Self Service use case adds a fully configured Set My Security Questions self service task to Identity Suite. This allows users to set and modify their security questions and then reset their passwords without the assistance of an administrator or help desk.

The self service use case expands on out of the box functionalities such as access request from catalog, My Identity, and Certifications.

Set My Security Questions

This allows users to set and modify their security questions and then reset their passwords without the assistance of an administrator or help desk.

The use case is set for:

- A list of 10 predefined security questions
- The user needs to set 5 of those questions
- The user needs to answer 3 questions correctly as part of the password recovery process

To modify the question list, the number of questions and the number of correct responses, see Modifying the security questions self service use case.

Modifying the security questions self service use case

Configuring Identity Manager side:

1. Login to Identity Manager with a user that is a member of the System Manager Admin Role, and navigate to System->Logical Attributes->Modify Logical Attribute Handler.
2. Edit the ForgottenPasswordHandler Logical Attribute Handler and configure it as follows:
   a. Storage - Multi-valued attribute
   b. Delimiter for question and answer - ^
   c. Physical Attributes - Forgotten Password Questions and Answers
   d. Logical Attributes - Number of questions - 5; Name for question logical attributes - Identity Manager_Question; Name for answer logical attributes - Identity Manager_Answer. Click the "Generate Attributes" button.
   e. Verification Logical Attributes - Number of verification questions - 3; Name for verification question logical attribute(s) - Identity Manager_Ver_Question; Name for verification answer logical attribute(s) - Identity Manager_Ver_Answer. Click the "Generate Verify Attributes" button.
3. Click Submit to save the changes to the LAH.
4. Now navigate to Roles and Tasks->Admin Tasks->Modify Admin Task.
5. Search for the "Forgotten Password" Admin Task and edit it.
6. While editing the task, switch to the "Search" tab, click on the "Browse" button and then click on the "Edit" button to edit the "Identity Manager_Forgotten_Password_Search" screen.
7. While editing the screen, click on the "Browse" button next to "Profile Screen for Primary Verification", then click the "Edit" button to edit "Identity Manager_Forgotten_Password_Verify_screen" and configure it with the following fields:
   a. User ID mapped to the "User ID" attribute
   b. First Name mapped to the "First Name" attribute
   c. Last Name mapped to the "Last Name" attribute
   d. Verification Question 1 mapped to |Identity Manager_Ver_Question1|
   e. Verification Answer 1 mapped to |Identity Manager_Ver_Answer1|
   f. Verification Question 2 mapped to |Identity Manager_Ver_Question2|
   g. Verification Answer 2 mapped to |Identity Manager_Ver_Answer2|
   h. Verification Question 3 mapped to |Identity Manager_Ver_Question3|
   i. Verification Answer 3 mapped to |Identity Manager_Ver_Answer3|
   NOTE: If you chose a different number of verification questions in step (I. 2. e.), configure additional Verification Question/Answer pairs here as well.
8. Click OK->Select->OK->Select->Submit to save all changes to the task and its screens.

Configuring Identity Portal side:

1. Login to the Identity Portal admin console, navigate to Backend management->Connectors and click the "Restart" button next to your Identity Manager connector.
2. Navigate to Backend management->Forms.
3. Find the form called "Set My Security Questions" and click on it to edit.
4. Make sure the form has all of the following props (attributes) configured:
   a. Title (message with cosmetic changes)
   b. Security Question 1 mapped to Target name |Identity Manager_Question1| and referenced as "q1"
   c. Security Answer 1 mapped to Target name |Identity Manager_Answer1|
   d. Security Question 2 mapped to Target name |Identity Manager_Question2| and referenced as "q2"
   e. Security Answer 2 mapped to Target name |Identity Manager_Answer2|
   f. Security Question 3 mapped to Target name |Identity Manager_Question3| and referenced as "q3"
   g. Security Answer 3 mapped to Target name |Identity Manager_Answer3|
   h. Security Question 4 mapped to Target name |Identity Manager_Question4| and referenced as "q4"
   i. Security Answer 4 mapped to Target name |Identity Manager_Answer4|
   j. Security Question 5 mapped to Target name |Identity Manager_Question5| and referenced as "q5"
   k. Security Answer 5 mapped to Target name |Identity Manager_Answer5|
   NOTE: If you wish to add or remove Question/Answer pairs, you will need to generate the appropriate number of pairs in step (I. 2. d.).
5. If you wish to add, remove or change the predefined questions, you will need to edit each Security Question (1 to 5) dropdown prop to contain these questions as options.
6. If the number of questions is not 5, you will have to edit the "Service" prop's Validation handler script to accommodate the change. The default script is below:

    function validate(api, prop) {
        var $q = angular.element('html').injector().get('$q');
        // Currently selected question for each of the five Security Question props
        var q1 = api.getProp("q1").value;
        var q2 = api.getProp("q2").value;
        var q3 = api.getProp("q3").value;
        var q4 = api.getProp("q4").value;
        var q5 = api.getProp("q5").value;
        var opts = {};
        function success() { return true; }
        function error() { return $q.reject(); }
        // Each selection is compared with every later one; the first clash
        // shows a prompt and then rejects, which blocks the form submission.
        if ((q1==q2)||(q1==q3)||(q1==q4)||(q1==q5)) {
            opts = {
                header: "Validation error!",
                question: "Same question can't be used twice.",
                buttons: [ {name:"Go back and check selection"} ]
            };
            return api.prompt(opts).then(error);
        }
        if ((q2==q3)||(q2==q4)||(q2==q5)) {
            opts = {
                header: "Validation error!",
                question: "Same question can't be used twice.",
                buttons: [ {name:"Go back and check selection"} ]
            };
            return api.prompt(opts).then(error);
        }
        if ((q3==q4)||(q3==q5)) {
            opts = {
                header: "Validation error!",
                question: "Same question can't be used twice.",
                buttons: [ {name:"Go back and check selection"} ]
            };
            return api.prompt(opts).then(error);
        }
        if (q4==q5) {
            opts = {
                header: "Validation error!",
                question: "Same question can't be used twice.",
                buttons: [ {name:"Go back and check selection"} ]
            };
            return api.prompt(opts).then(error);
        }
        return true;
    }
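The same duplicate-question check generalised to any number of Security Question props, as an added example that is not the portal's default script: the prop names q1..qN and the api.getProp/api.prompt calls follow the default script above, while the number of questions and the reject function are parameters, so the handler does not have to be rewritten when step (I. 2. d.) generates a different number of pairs. Running it outside Angular with a stand-in reject function is this example's assumption.

```javascript
// Added example (not the portal's script): N-question duplicate detection.
function findDuplicateQuestion(selections) {
  // selections: [{ name: 'q1', value: <selected question> }, ...]
  // Returns the first pair of props that picked the same question, or null.
  var seen = {};
  for (var i = 0; i < selections.length; i++) {
    var value = selections[i].value;
    if (value === undefined || value === null || value === '') continue;  // unset props are left to required-field validation
    var key = typeof value === 'object' ? JSON.stringify(value) : String(value);
    if (Object.prototype.hasOwnProperty.call(seen, key)) {
      return { first: seen[key], second: selections[i].name };
    }
    seen[key] = selections[i].name;
  }
  return null;
}

// Builds the validate(api, prop) handler for numQuestions props named q1..qN.
// reject() must return a rejected promise; in the portal pass
// function () { return $q.reject(); } with $q obtained as in the default script.
function makeValidate(numQuestions, reject) {
  return function validate(api, prop) {
    var selections = [];
    for (var i = 1; i <= numQuestions; i++) {
      var name = 'q' + i;
      selections.push({ name: name, value: api.getProp(name).value });
    }
    var dup = findDuplicateQuestion(selections);
    if (dup === null) return true;   // all distinct: the form may submit
    var opts = {
      header: 'Validation error!',
      question: "Same question can't be used twice (" + dup.first + ' and ' + dup.second + ').',
      buttons: [{ name: 'Go back and check selection' }]
    };
    // Show the prompt, then reject so the submission is blocked.
    return api.prompt(opts).then(function () { return reject(); });
  };
}

// In the portal the Validation handler script must define validate(api, prop);
// for seven questions that becomes:
//   var $q = angular.element('html').injector().get('$q');
//   var validate = makeValidate(7, function () { return $q.reject(); });
```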


Platform Support Matrix

This section contains the following topics:

- CA Identity Portal Platform Support Matrix
- CA Identity Suite Virtual Appliance Platform Support Matrix

CA Identity Portal Platform Support Matrix

Software Requirements

This section describes the software prerequisites for installing CA Identity Portal.

Supported Operating Systems

OS | Version | Notes
Microsoft Windows Server | 2008 R2 (SP1, SP2) | 64 bit
Microsoft Windows Server | 2012, 2012 R2 | 64 bit
Red Hat Enterprise Linux | 6.x | 64 bit

Supported Application ServersThe following are supported application servers on which CA Identity Portal can be deployed. These servers are supported on all the Operating Systems described above.

Application Server | Version | Java Version | Supported IM App Server Vendor | Notes
Apache Tomcat | 7.0.50 | Oracle JDK 1.8.x | ALL | On a Windows OS, install Apache Tomcat using the Apache Tomcat installer (apache-tomcat-7.0.50.exe). Do not use the ZIP distribution. Tomcat is not recommended for production deployments.
Wildfly | 8.2.1 | Oracle JDK 1.8.x | ALL | Only Standalone server is supported (JBoss Native Cluster is not supported).
JBoss EAP | 6.4.0 (GA) | Oracle JDK 1.8.x | ALL | Only Standalone server is supported (JBoss Native Cluster is not supported).
Weblogic | 12c (12.1.1) | Oracle JDK 1.7.x | Weblogic | Only Native Weblogic Cluster configuration is supported (single node cluster or more). Prior to Identity Manager 12.6 SP7, when CA Identity Portal is installed on Weblogic, Identity Manager must also run on Weblogic.
Weblogic | 12c (12.1.3) | Oracle JDK 1.8.x | Weblogic | Only Native Weblogic Cluster configuration is supported (single node cluster or more). Prior to Identity Manager 12.6 SP7, when CA Identity Portal is installed on Weblogic, Identity Manager must also run on Weblogic.
Weblogic | 12.2.1 | Oracle JDK 1.8.x | Weblogic | Only Native Weblogic Cluster configuration is supported (single node cluster or more). Prior to Identity Manager 12.6 SP7, when CA Identity Portal is installed on Weblogic, Identity Manager must also run on Weblogic.
Websphere | 8.5.5 FP5, 8.5.5 FP8 | Built-in IBM JDK | Websphere | Installer supports only a non-clustered deployment. Prior to Identity Manager 12.6 SP7, when CA Identity Portal is installed on Websphere, Identity Manager must also run on Websphere.

General Notes for supported application servers:

Only 64-bit application servers are supported.

Only 64-bit Java is supported. JREs are not supported (CA Identity Portal includes JDK runtime compile elements).

Supported Databases

CA Identity Portal supports the following databases used for its runtime and persistent stores.

Vendor | Version | Notes
Oracle | 11g R2 | RAC is supported. Use with JDBC driver ojdbc6.jar
Oracle | 12c | Use with JDBC driver ojdbc6.jar
MySQL | 5.5.x | Use with JDBC driver mysql-connector-java-5.1.25.jar
MySQL | 5.6 | Use with JDBC driver mysql-connector-java-5.1.25.jar
MS SQL | 2008 R2 | Not supported when Portal is running on Weblogic. Use with JDBC driver sqljdbc4.jar
MS SQL | 2012 SP2 | Not supported when Portal is running on Weblogic. Use with JDBC driver sqljdbc4.jar
MS SQL | 2014 | Use with JDBC driver sqljdbc4.jar


Supported Back-ends

Vendor | Version | Notes
CA Identity Manager | 12.5 (SP6-SP15), 12.6 (SP1-SP8) | Supported IDM Application servers: JBOSS, Weblogic, Websphere (see notes below)
CA Identity Governance | 12.5 (SP6 and above), 12.6 (SP0-SP5) |
CA Advanced Authentication | 7.1.0.1, 8.1 |

Note:

Prior to CA Identity Manager 12.6 08, if CA Identity Portal is installed on WebLogic or WebSphere, CA Identity Manager must also be deployed on WebLogic or WebSphere, respectively. For more information, see Workpoint Configuration.

If CA Identity Manager or CA Identity Governance are deployed in a cluster, an NLB (Network Load Balancer) VIP is required for CA Identity Portal to leverage all IDM/GM cluster nodes.

Supported Single-Sign-On Option

Vendor | Version | Notes
CA SSO | r12.5, r12.51, r12.52 (All SPs); r6.0 SP6 CR9; r12.0 SP3 CR11 and above | If CA Identity Portal is integrated with CA SSO, IDM must also be integrated with CA SSO.

Supported Web Clients (Browsers)

Vendor | Browser Version | Notes
Microsoft | Internet Explorer 10, Internet Explorer 11, Microsoft Edge | On Windows Desktop OS (see note below)
Mozilla | Mozilla Firefox 3.6 and above | On Windows Desktop OS
Google | Chrome - All versions | On Windows Desktop OS
Apple | Safari 6.1 and above | On Mac OS

Note:

The recommended screen resolution is 1280x800 (pixels)

Hardware Requirements

The following are recommended PRODUCTION hardware specifications for the CA Identity Portal application server nodes. For fault tolerance and performance considerations, CA Identity Portal needs to be deployed in at least a 2 node cluster (2 distinct servers).


Component (per node) | Minimum | Recommended
CPU | Dual Core Intel (or compatible) 2.0 GHz Xeon or similar (64 bit) | Quad Core Intel (or compatible) 2.0 GHz Xeon or similar (64 bit)
RAM | 16 GB | 32 GB
Local Storage | 160 GB | 160 GB
Database Storage | 1 GB initial size | 5 GB initial size
Shared Storage (for uploaded files) | 50 GB | 100 GB

Network Requirements

The following table summarizes the Firewall/Communications requirements between CA Identity Portal and various solution components.

From | To | Port & Protocol | Notes
Web Servers (SM web agents) | CA Identity Portal Application Servers | CA Identity Portal Application Server HTTP port | For example: 8080 for Apache Tomcat
CA Identity Portal App Servers | CA Identity Portal Database | Database port |
CA Identity Portal App Servers | Identity Manager Servers | ALL TCP Ports | HTTP & RMI traffic must be allowed. The communications between the Portal and the Identity Manager server must be direct. Reverse proxies or other Layer 7 HTTP relays are not supported. Network Load Balancers are supported.
CA Identity Portal App Servers | Identity Governance Servers | TCP/8080 (HTTP) |
Identity Manager Servers | CA Identity Portal App Servers | CA Identity Portal Application Server HTTP port |
CA Identity Portal App Servers | AuthMinder Servers | Default Port (9742) | Port is configurable


Note: If CA Identity Manager or Identity Governance are deployed in a cluster, an NLB (Network Load Balancer) VIP is required for CA Identity Portal to leverage all IDM/GM cluster nodes. CA Identity Portal will be configured to point to the VIP (Virtual IP) representing the CA IDM and CA GM clusters. NLB VIP characteristics are as follows:

Relay: all TCP ports.

Load Balancing Scheme: Round Robin (No ip-stickiness).

Health Monitor:

Basic HTTP on the IDM/GM application server HTTP port (for example 8080 on JBoss).

DNS Requirements

The IDM Application servers' FQDNs should be resolvable from all the CA Identity Portal Application server nodes. Resolution should be performed either via DNS or a local hosts file override.

CA Identity Suite Virtual Appliance Platform Support Matrix

This article contains the following sections:

Supported Virtualization Platforms

Supported Web Clients (Browsers) – Virtual Appliance Web UI

Supported Virtualization Platforms

The vApp VM image is provided in an “OVA” format - certified with the following Virtualization platforms:

VMWare ESXi v5.5.0 and above

VMWare Workstation v8 and above

VMWare Fusion v7.1.3 and above

Supported Web Clients (Browsers) – Virtual Appliance Web UI

Vendor | Browser Version | Notes
Mozilla | Mozilla Firefox 48 and above | On Windows Desktop OS
Google | Chrome - All versions | On Windows Desktop OS
Apple | Safari 9.1 and above | On Mac OS


Third Party Software Acknowledgements

This section contains the following topics:

CA Identity Portal Third-Party Software Acknowledgements

CA Identity Suite Virtual Appliance Third-Party Software Acknowledgements

CA Identity Portal Third-Party Software Acknowledgements

This product includes the following third-party components. Download the document locally to review the license agreements.

SPRING Framework 4.0.0

SPRING SECURITY 3.2

SPRING mobile 1.1.1

HIBERNATE – INFINISPAN INTEGRATION 4.3.0

HIBERNATE 4.3.0

Hibernate-jpa-2.1-api

Infinispan spring integration 5.3.0

Infinispan core 5.3.0

CXF 2.7

Jboss logging 3.1.3.GA

Jboss logging annotations 1.2.0.Beta1

Antlr 2.7.7

Jboss jandex (java annotation indexer) 1.1.0

dom4j 1.6.1

xml-apis-1.0.b2

javassist-3.18.1-GA

commons-io-1.3.2

reflections-0.9.9-RC2

Google guava-15.0

FindBugs Annotations 2.0.1


Jboss staxmapper 1.1.0

Apache commons pool 1.6

Jgroups 3.3.1.Final

jboss marshalling 1.3.15.GA

jboss marshalling-river 1.3.15.GA

commons math3 3.2

commons logging 1.1.1

Aop Alliance 1.0

Aspectj Runtime 1.6.6

Aspectj Weaver 1.6.6

Code Generation Library - cglib 2.2

asm 3.1

Jackson Data Mapper 1.9.3

Jackson 1.9.3

Junit 4.8.1

Apache log4j 1.2.17

Apache velocity 1.7

commons-collections 3.2.1

commons-lang 2.4

wsdl4j 1.6.2

Apache xml-resolver-1.2

Commons XMLSchema 2.0.3

Javamail 1.4 Specification - geronimo-javamail_1.4_spec-1.7.1

jaxb xjc 2.1.13

jaxb impl 2.1.13

Woodstox-core-asl-4.1.4

stax2 api 3.1.1

Apache Neethi 3.0.2


Jcsv 1.4.0

jaxb-api-2.2.6

Java API for XML Web Services - geronimo-jaxws_2.2_spec-1.1

commons-codec-1.9

JavaBeans(TM) Activation Framework 1.1.1

JSR 250: Common Annotations for the Java(TM)

saaj-api-1.3

JSR 181

axis 1.4

axis jaxrpc 1.4

commons-discovery-0.5

javaee-api-6.0

AngularJS

Twitter Bootstrap

CKEditor

Daterangepicker.js

Es5-shim.min.js

Gestures.js

Hammer.js

Jquery

Moment.js

Ng-ckeditor

ngInfiniteScroll

Ng-table

Opentip

Sanitize.js

Select2

angular-ui-sortable

Spin.js


angular-ui-bootstrap

angular-dragdrop

angular-local-storage

angular-slider

Underscore.js

Zeroclipboard.js

angular-treeview.js

datepicker.js

jquery-scrollspy

jquery.csv

jquery.filedownload

jquery.jstree

jquery.scrollto

jquery.timeago

Angular UI Bootstrap - ui-bootstrap-tpls

Ace Editor

jquery.iframe-transport

fontawesome

robotofont

jasmine.js

json.js

jquery-ui-1.10.2

jquery.ui.widget.js

jquery.fileupload.js

jquery-iframe-transport.js

Google guava-16.0

commons-lang 3.3.2

mail-1.4.2.jar

commons-fileupload-1.3.jar


Bouncy Castle

Apache CXF JAX RS Bundle Jar

jquery-ui-1.10.2

typeahead.js

ui-select.js

ya-treeview.js

HTML Parser

CA Identity Suite Virtual Appliance Third-Party Software Acknowledgements

This product includes the following third-party components. Download the document locally to review the license agreements.

Bootstrap 3.3.6

Bootstrap-sass

CentOS

Font Awesome

Oracle Database 11g Express Edition

AngularJS

WildFly 8.2.0

Angular-ui

Angular-drag-and-drop-lists

Angular-materialize

backports.ssl_match_hostname

Backports_abc

certifi

Materialize-css

Moment

Python-pam

setuptools

singledispatch


Tornado

Unittest2