Configuring › How to Enhance Security

How to Enhance Security

To enhance security in your CA Service Catalog implementation, consider making the following configuration changes:

• Disable the Apache JServ Protocol (AJP) port, port 8009 while performing the initial setup, if you are not implementing clustering.

  To do so, edit the USM_HOME\view\conf\server.xml file and verify that the AJP tags are commented out.

• Reduce the timeout of CA Service Catalog user sessions. By default, sessions time out after 60 minutes of inactivity.

  To do so, log in to CA Service Catalog, click Administration, Configuration, User Default. Adjust the Session Timeout parameter at your discretion.

• Configure the CA EEM password policies to be more secure, if CA EEM is not configured to use an external directory.

  Specifically, consider locking user accounts after three to five failed login attempts. To set this value, log in to CA EEM and click Configure, EEM Server, Password Policies.

• Update the list of roles that can run web services. By default, only the Certificate user and users with the service provider (SP) administrator role can run web services.

  To change this list, log in to CA EEM with the Application set to Service Catalog. Click Manage Access Policies, Policies, Acess Policies, USM_Resource. Edit the policy whose permissions you want to update, and add the resource named usm_webservice__all to that policy.

  Note: For details about editing these policies, see your CA EEM documentation.

• Enable Secure Socket Layer (SSL) for web services so that passwords are not sent in plain text when you use the logIn(String,String,String) method. If SSL is not available, consider using the logInToken(String) method instead. This method takes an CA EEM artifact as a parameter and is encrypted.
• Install antivirus software on the filestore computer, if you are using a filestore (a single location for shared files). We strongly suggest that you use a filestore.
• Harden CA Service Catalog computers.

  Hardening is the process of securing a computer by removing or disabling components or access points, to render the computer less vulnerable to outside attacks. Hardening may include disabling all ports on a computer initially and afterwards manually enabling individual ports as needed. Other basic hardening steps include the following: Limit the number of users permitted access to a computer, strengthen password and access control, install intrusion-detection software, and close ports.

  If you have hardened CA Service Catalog computers, verify that the required ports are open on these computers.

Other security-related instructions that apply to specific tasks or integrations are mentioned where applicable in the CA Service Catalog documentation.