CA Service Management

 View Only
  • 1.  First time USS

    Posted Jan 14, 2016 02:56 PM

    Architecture: CA Service Desk 14.1 conventional configuration (one primary and one secondary) running on Windows 2008 and remote DB running on Solaris-Oracle 11gr2. It is an upgraded test environment from 12.9.


    Installed USS yesterday pointing to the same DB Server.


    Now I got few questions about USS configurations:


    1. ca_contact has all the production data however I can't find them through USS. can't login. Only CASMADMIN can login. I read about synchronizing the contacts in USS documents but I don't find the option to synchronizing them without Catalog and PAM. Our contacts created on daily basis through Service Desk interface not through LDAP import. so how do I synch them?

    BTW they got valid email address and userids



    2. So in our Service Desk environment we have contacts created manually from the interface and using windows authentication (pass through) folks log into SD. We expect the same type of behavior from USS as well. I would like to know how can I configure SSO without having EEM in place.

  • 2.  Re: First time USS

    Broadcom Employee
    Posted Jan 14, 2016 03:17 PM



    While some of the USS data gets populated to the "cdb" tables in the mdb, it actually uses its own database. The separate database is typically called "USS_mdb". USS maintains it's own contact records. You will need to log into the USS control panel and you can connect USS to an LDAP environment and import contacts. Please be aware that USS tries to match the USS record to a ServiceDesk record using the userid and email address. If those values don't match between the USS record and the Service Desk record it won't match them.


    I know there are methods are using Single Sign On with EEM and Siteminder, I'm not sure if it's possible using a connector to perform the single sign on. Does anybody else have any ideas?

  • 3.  Re: First time USS

    Posted Jan 15, 2016 11:00 AM

    Hey Alex,


    We have 4 ADs and contacts are distributed among them. some contacts are present in all of them. I could import the contacts from all the ADs and assign roles in USS accordingly. since this is like poc phase not all the users will have access to the USS. However it would be amazing if there was any command line interface (like pdm_userload of SD) to load the contacts into USS or even web services. out of 4 ADs 1 AD belongs to state department so..


    now regarding SSO i really need a way to get that done. siteminder is not an option. We are not gonna purchase it just to have SSO for USS.

    Documentation says:


    Configure CA EEM With NTLM Authentication

    Configure the CA EEM with NTLM authentication for a logged in domain user to silently (SSO) log in to Unified Self-Service.

    Follow these steps:

    1. Ensure the following considerations:
      • Unified Self-Service server and CA Service Catalog server must be in the same domain where you want to use the windows authentication. CA EEM server must be configured with Active Directory of the same domain.



    is it true that USS to work with EEM and NTLM we must have Catalog?

  • 4.  Re: First time USS

    Broadcom Employee
    Posted Jan 15, 2016 11:38 AM



    Are you using SDM with EEM already? If not, how are you authenticating these users from all four domains?


    If you are using EEM, is EEM set to use multiple ADs?


    How do the user records exist in ca_contact table, I'm interested in  "userid" field of ca_contact.



    USS's screenname  (in User_  table) normally should match  ca_contact.userid.  



  • 5.  Re: First time USS

    Posted Jan 15, 2016 11:47 AM

    No SDM is using Windows authentication - IIS pass through


    ca_contact.userid field contains their userids which is their windows login ids.


    creation of contact is manual process here. not everyone with windows login can have access to SDM. it goes through an access request process and access has been provided based on their job functions.

  • 6.  Re: First time USS

    Broadcom Employee
    Posted Jan 15, 2016 11:56 AM

    Thank you for the info.  Can you check into whether there a global forest encompassing all the domains in picture? 


    I'm not sure why IIS would allow the pass through unless it knows all the domains somehow.





  • 7.  Re: First time USS

    Broadcom Employee
    Posted Feb 09, 2016 04:50 PM

    Im about to try USS for first time. Did you find out how you load contacts? Mike

  • 8.  Re: First time USS

    Broadcom Employee
    Posted Feb 11, 2016 09:07 PM

    Hi Mike,

    If you enable native USS-LDAP option, it allows you to import the users at that time. If USS is set to use EEM and EEM with LDAP, a USS user can be auto created upon the very first time they login to USS. 

    Above two are the main options that i have seen being attempted or used so far. 


  • 9.  Re: First time USS

    Posted Feb 23, 2016 06:13 PM


    for SSO either if not supported by CA this is possible to use the native ntlm setup of liferay itself.:)

    depending of your environment you will have to trick/extend  the NtlmFilter.class and  NtlmPostFilter.class to remove limitations around supported browser.

    (I can provide already modified class upon demand for those that don't know howto modify those)


    This perform SSO and transparent logon outside of EEM or SiteMinder smoothly


    1/ Configure the NTLM properties in the liferay console

    2/ Edit the \OSOP\ and set NTLM filter to true:



    set the autologin hook:

    add the ntlm properties at the end of the files;

    Add ntlm properties:

    ntlm.auth.enabled=true <set to true to enable ntlm auth>

    ntlm.auth.domain=<set the domain that you need to connect to>

    ntlm.auth.domain.controller=<comma separated list of DC IP address for that domain><hostname of the domain controller>

    ntlm.auth.service.account=<computer account for that domain>

    ntlm.auth.service.password= <password of the computer account>


    For SSO to work you need to access specific URL constructed as below to be the landing page of your users after your root:

    https://<your root url>/c/portal/login

    (Tips: add c/portal/login as home URL in portal settings =>general so you users don't have to care of it )


    this can be combine with ldap and EEM for full setup (contact import and SSO fail down)


    As usual customization not supported by CA

    Hope this help