CA Service Management

Architecture: CA Service Desk 14.1 conventional configuration (one primary and one secondary) running on Windows 2008 and remote DB running on Solaris-Oracle 11gr2. It is an upgraded test environment from 12.9.

Installed USS yesterday pointing to the same DB Server.

Now I got few questions about USS configurations:

1. ca_contact has all the production data however I can't find them through USS. can't login. Only CASMADMIN can login. I read about synchronizing the contacts in USS documents but I don't find the option to synchronizing them without Catalog and PAM. Our contacts created on daily basis through Service Desk interface not through LDAP import. so how do I synch them?

BTW they got valid email address and userids

2. So in our Service Desk environment we have contacts created manually from the interface and using windows authentication (pass through) folks log into SD. We expect the same type of behavior from USS as well. I would like to know how can I configure SSO without having EEM in place.

Sudip,

While some of the USS data gets populated to the "cdb" tables in the mdb, it actually uses its own database. The separate database is typically called "USS_mdb". USS maintains it's own contact records. You will need to log into the USS control panel and you can connect USS to an LDAP environment and import contacts. Please be aware that USS tries to match the USS record to a ServiceDesk record using the userid and email address. If those values don't match between the USS record and the Service Desk record it won't match them.

I know there are methods are using Single Sign On with EEM and Siteminder, I'm not sure if it's possible using a connector to perform the single sign on. Does anybody else have any ideas?

Hey Alex,

We have 4 ADs and contacts are distributed among them. some contacts are present in all of them. I could import the contacts from all the ADs and assign roles in USS accordingly. since this is like poc phase not all the users will have access to the USS. However it would be amazing if there was any command line interface (like pdm_userload of SD) to load the contacts into USS or even web services. out of 4 ADs 1 AD belongs to state department so..

now regarding SSO i really need a way to get that done. siteminder is not an option. We are not gonna purchase it just to have SSO for USS.

Documentation says:

Configure CA EEM With NTLM Authentication

Configure the CA EEM with NTLM authentication for a logged in domain user to silently (SSO) log in to Unified Self-Service.

Follow these steps:

1. Ensure the following considerations:
   • Unified Self-Service server and CA Service Catalog server must be in the same domain where you want to use the windows authentication. CA EEM server must be configured with Active Directory of the same domain.

is it true that USS to work with EEM and NTLM we must have Catalog?

No SDM is using Windows authentication - IIS pass through

ca_contact.userid field contains their userids which is their windows login ids.

creation of contact is manual process here. not everyone with windows login can have access to SDM. it goes through an access request process and access has been provided based on their job functions.

Im about to try USS for first time. Did you find out how you load contacts? Mike

Hi Mike,

If you enable native USS-LDAP option, it allows you to import the users at that time. If USS is set to use EEM and EEM with LDAP, a USS user can be auto created upon the very first time they login to USS. 

Above two are the main options that i have seen being attempted or used so far. 

_R

Alex,

for SSO either if not supported by CA this is possible to use the native ntlm setup of liferay itself.:)

depending of your environment you will have to trick/extend  the NtlmFilter.class and  NtlmPostFilter.class to remove limitations around supported browser.

(I can provide already modified class upon demand for those that don't know howto modify those)

This perform SSO and transparent logon outside of EEM or SiteMinder smoothly

1/ Configure the NTLM properties in the liferay console

2/ Edit the \OSOP\portal-ext.properties: and set NTLM filter to true:

com.liferay.portal.servlet.filters.sso.ntlm.NtlmFilter=true

com.liferay.portal.servlet.filters.sso.ntlm.NtlmPostFilter=true

set the autologin hook:

auto.login.hooks=com.liferay.portal.security.auth.NtlmAutoLogin

add the ntlm properties at the end of the files;

Add ntlm properties:

ntlm.auth.enabled=true <set to true to enable ntlm auth>

ntlm.auth.domain=<set the domain that you need to connect to>

ntlm.auth.domain.controller=<comma separated list of DC IP address for that domain>

ntlm.auth.domain.controller.name=<hostname of the domain controller>

ntlm.auth.service.account=<computer account for that domain>

ntlm.auth.service.password= <password of the computer account>

For SSO to work you need to access specific URL constructed as below to be the landing page of your users after your root:

https://<your root url>/c/portal/login

(Tips: add c/portal/login as home URL in portal settings =>general so you users don't have to care of it )

this can be combine with ldap and EEM for full setup (contact import and SSO fail down)

As usual customization not supported by CA

Hope this help

/J