
Ca Risk Authentication Installation Guide For Windows


CA Risk Authentication Installation Guide for Windows 8.0

This Documentation, which includes embedded help systems and electronically distributed materials (hereinafter referred to as the “Documentation”), is for your informational purposes only and is subject to change or withdrawal by CA at any time.

This Documentation is proprietary information of CA and may not be copied, transferred, reproduced, disclosed, modified or duplicated, in whole or in part, without the prior written consent of CA.

If you are a licensed user of the software product(s) addressed in the Documentation, you may print or otherwise make available a reasonable number of copies of the Documentation for internal use by you and your employees in connection with that software, provided that all CA copyright notices and legends are affixed to each reproduced copy.

The right to print or otherwise make available copies of the Documentation is limited to the period during which the applicable license for such software remains in full force and effect. Should the license terminate for any reason, it is your responsibility to certify in writing to CA that all copies and partial copies of the Documentation have been returned to CA or destroyed.

TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENTATION “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT WILL CA BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE, DIRECT OR INDIRECT, FROM THE USE OF THIS DOCUMENTATION, INCLUDING WITHOUT LIMITATION, LOST PROFITS, LOST INVESTMENT, BUSINESS INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF CA IS EXPRESSLY ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE.

The use of any software product referenced in the Documentation is governed by the applicable license agreement and such license agreement is not modified in any way by the terms of this notice.
The manufacturer of this Documentation is CA.

Provided with “Restricted Rights.” Use, duplication or disclosure by the United States Government is subject to the restrictions set forth in FAR Sections 12.212, 52.227-14, and 52.227-19(c)(1) - (2) and DFARS Section 252.227-7014(b)(3), as applicable, or their successors.

Copyright © 2014 CA. All rights reserved. All trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.

Contact CA Technologies

Contact CA Support

For your convenience, CA Technologies provides one site where you can access the information that you need for your Home Office, Small Business, and Enterprise CA Technologies products. At http://ca.com/support, you can access the following resources:
■ Online and telephone contact information for technical assistance and customer services
■ Information about user communities and forums
■ Product and documentation downloads
■ CA Support policies and guidelines
■ Other helpful resources appropriate for your product

Providing Feedback About Product Documentation

If you have comments or questions about CA Technologies product documentation, you can send a message to [email protected].

To provide feedback about CA Technologies product documentation, complete our short customer survey which is available on the CA Support website at http://ca.com/docs.

Contents

Chapter 1: Introduction (p. 9)
  System Architecture (p. 10)
  Use Web Tier for Network or Internet (p. 10)
  Application Tier for Application Server (p. 11)
  Data Tier for Storage (p. 12)
  Communication between CA Risk Authentication Components (p. 12)
Chapter 2: How to perform a Fresh Installation (p. 13)
  Select a Deployment Model (p. 15)
  Deploy on a Single System (p. 16)
  Deploy on Distributed Systems (p. 19)
  Deploy on a High Availability Environment (p. 23)
  Hardware Requirements (p. 25)
Chapter 3: System Requirements (p. 27)
  Software Requirements (p. 27)
Chapter 4: Pre-Installation Tasks (p. 27)
  Configure Database Server (p. 28)
  Configure Microsoft SQL Server (p. 29)
  Configure Oracle Server (p. 30)
  Configure MySQL Server (p. 32)
  Set Up the Data Store and Database Information (p. 33)
  Configure UTF- Support on Client Systems (p. 34)
  HSM Requirements (p. 34)
  Requirements for Java-Dependent Components (p. 35)
Chapter 5: How to Deploy CA Risk Authentication on a Single System (p. 37)
  Perform a Complete Installation (p. 42)
  Run the Database Scripts (p. 48)
  Verify the Database Setup (p. 49)
  How to Prepare an Application Server (p. 49)
  Set Java Home (p. 50)
  Copy Database Access Files to Application Server (p. 51)
  Copy the JDBC JAR Files to Application Server (p. 54)
  Create Enterprise Archive Files (p. 56)
  Deploy the Administration Console (p. 58)
  Log in to Administration Console (p. 59)
  Perform the Bootstrapping Task for the System (p. 60)
  Start the CA Risk Authentication Server Service (p. 62)
  CA Risk Authentication Case Management Service (p. 62)
  Deploy User Data Service (UDS) (p. 63)
  Deploy User Behavior Profiling Application (p. 64)
  Deploy the Sample Application (p. 65)
  Verify the Installation (p. 66)
  How to Use the Sample Application for Risk Evaluation (p. 67)
  Apply the Post-Installation Checklist (p. 70)
Chapter 6: How to Deploy CA Risk Authentication on Distributed System (p. 71)
  Install on the First System (p. 76)
  Run the Database Scripts (p. 84)
  How to Prepare the Application Server (p. 85)
  Set Java Home (p. 85)
  Copy Database Access Files to the Application Server (p. 86)
  Copy JDBC JAR Files to the Application Server (p. 90)
  Create Enterprise Archive Files (p. 92)
Chapter 7: Deploy the Administration Console (p. 93)
  Log in to Administration Console (p. 95)
Chapter 8: Perform the Bootstrapping Tasks (p. 95)
  Start CA Risk Authentication Server Service (p. 98)
  Start CA Risk Authentication Case Management Service (p. 98)
  Verify CA Risk Authentication Server Installation (p. 98)
Chapter 9: Deploy User Data Service (p. 98)
Chapter 10: Deploy User Behavior Profiling Application (p. 99)
Chapter 11: Install CA Risk Authentication on the Second System (p. 101)
  Deploy the Sample Application on the Second System (p. 102)
Chapter 12: Configure Sample Application to Communicate with CA Risk Authentication Server (p. 102)
Chapter 13: Use the Sample Application for Risk Evaluation Operations (p. 104)
  Perform Risk Evaluation and Post Evaluation for a First-Time User (p. 105)
  Create User Account (p. 106)
  Perform Risk Evaluation and Post Evaluation for a Known User (p. 107)
  Edit the Default Profile and Perform Risk Evaluation (p. 108)
Chapter 14: Apply the Post-Installation Checklist (p. 109)
Chapter 15: Silent Mode Installation (p. 109)
  Silent Mode Installation Guidelines (p. 110)
  Default Properties File (p. 110)
  Primary Database Details (p. 112)
  Backup Database Details (p. 113)
  Encryption Details (p. 114)
  How to Perform the Silent Installation (p. 115)
Chapter 16: How to Deploy the User Behavioral Profiling Model (p. 117)
  Verify Prerequisites (p. 121)
  Database Configuration (p. 122)
  Configure Microsoft SQL Server (p. 123)
  Configure Oracle Server (p. 124)
  Configure MySQL Server (p. 126)
  Run the Database Scripts (p. 127)
  Verify the Database Setup (p. 127)
  Deploy the User Behavioral Profiling Software (p. 128)
  Configure CA Advanced Authentication for User Behavioral Profiling Model (p. 130)
  Configure a Rule to Apply the New User Behavioral Profiling Model (p. 131)
  Verify the User Behavioral Profiling Model (p. 132)
  User Behavioral Profiling Model Removal (p. 132)
  Disable the User Behavioral Profiling Model (p. 133)
  Uninstall User Behavioral Profiling (p. 134)
Chapter 17: CA Risk Authentication Configuration for Oracle RAC (p. 135)
  Update the arcot-db-config-for-common-2.0.sql Script (p. 135)
  Update the arcotcommon.ini File (p. 136)
  Update the Database Connection Details (p. 137)
Chapter 18: Application Server Configuration for Database Connection Pooling (p. 138)
  Enable Database Connection Pooling (p. 138)
  Enable LDAP Connection Pooling (p. 145)
  JBoss Application Server (p. 149)
  Enable Apache Tomcat Security Manager (p. 150)
Appendix A: Deploy Administration Console on IBM WebSphere (p. 153)
Chapter 19: CA Risk Authentication Configuration for SDKs and Web Services (p. 157)
  Configure CA Risk Authentication API (p. 158)
  Configure Java APIs (p. 159)
  Configure CA Risk Authentication Web Services (p. 160)
  Configure Device ID and DeviceDNA (p. 162)
Chapter 20: Add Custom Actions (p. 165)
Appendix B: Troubleshoot CA Risk Authentication Errors (p. 169)
  Installation Errors (p. 171)
  Database-Related Errors (p. 175)
  CA Risk Authentication Server Errors (p. 179)
  SDK Errors (p. 180)
Chapter 21: How to Uninstall CA Risk Authentication (p. 180)
  Drop the CA Risk Authentication Schema (p. 182)
  Uninstall CA Risk Authentication Server (p. 183)
  Perform Post Uninstall Tasks (p. 184)

Chapter 1: Introduction

CA Risk Authentication is an adaptive authentication solution that evaluates each online transaction by examining a wide range of collected data against the out-of-the-box rules. CA Risk Authentication then assigns each transaction a risk score and advice; the higher the risk score, the greater the possibility of fraud. This risk score can be used to approve or decline the transaction, ask for extra authentication, or alert a customer service representative.

CA Risk Authentication is configurable, and offers the flexibility to modify the configuration parameters of any of the risk evaluation rules, in keeping with your business policies and risk-mitigation requirements. It gives you the flexibility to modify the default risk score, scoring configuration, and scoring priorities of individual rules, and to selectively enable or disable the execution of one or more rules. Besides the pre-configured out-of-the-box rules, the Rule Builder capability enables you to create new rules on the fly.

This guide provides information for planning the deployment of CA Risk Authentication based on different solution requirements. Each scenario consists of multiple components that interact with each other and other systems in an enterprise or multiple-network systems.

Important! This guide contains the terms Arcot, WebFort, RiskFort, RiskMinder and AuthMinder in some of its code objects and other artifacts. The term ArcotID is now called AuthID. In addition, some of the topics in this guide do not follow the standard formatting guidelines.

System Architecture

You can install CA Risk Authentication on a single system or you can distribute its components across multiple systems.
However, to ensure maximum security and integrity of data and transactions, use the three-tier architecture in the following illustration:
■ Web Tier (see page 10)
■ Application Tier (see page 11)
■ Data Tier (see page 12)

Use Web Tier for Network or Internet

This layer comprises the HTML content and interacts directly with the user over a network or the Internet. The CA AuthMinder Utility Script (ArcotDeviceDNA.js), which is a client-side JavaScript file, must be included in your application. It is served to the end-user browser through the web servers that reside in this layer. This script enables you to do the following:
■ Set the Device ID on the end-user device
■ Collect the Machine FingerPrint (MFP), DeviceDNA, and Device ID information

Note: To use the utility script, see Collecting Device ID and DeviceDNA in CA Risk Authentication Java Developer’s Guide.

Application Tier for Application Server

This layer constitutes all application server components in the system, such as CA Risk Authentication Server, UDS, Administration Console and the CA Risk Authentication SDKs. The following list explains the work of each server component:

Note: All components in this layer can be installed on one system or can be distributed across multiple systems.

■ CA Risk Authentication Server: This server component processes risk evaluation requests from your application through CA Risk Authentication SDKs.
■ Case Management Queuing Server: This server component schedules and dispatches cases to Customer Support Representatives (CSRs), and then manages the life-cycle of these cases.
■ Administration Console: This web-based console is used for configuring server instances, the communication mode between CA Risk Authentication components, and business rules and the corresponding data; and for managing organizations, administrators, and users.
■ User Data Service: This abstraction layer provides access to user and organization-related data from different types of user repositories, such as relational databases (RDBMSs) and directory servers (LDAPs).
■ Risk Evaluation SDK: This component comprises the APIs and web services that your application can invoke to send risk-analysis requests to CA Risk Authentication Server.
■ Risk Evaluation Web Service: This web-based interface enables interaction over a network between CA Risk Authentication Server and your application. It consists of the web services that can be invoked by your web application to perform risk evaluation.
■ User Management Web Service: These web services can be invoked by your application to forward requests to User Data Service for enrolling users, and for managing user details in CA Risk Authentication.
■ Sample Application: Sample Application demonstrates the usage of CA Risk Authentication Java APIs and how your application can be integrated with CA Risk Authentication. Sample Application can also be used to verify that CA Risk Authentication is installed successfully and that it is able to perform risk-evaluation operations.
■ User Behavior Profiling Application: The User Behavioral Profiling model measures the similarity or dissimilarity of the current transaction to prior access by the same user, or to that of their peer group in cases of insufficient data.

Data Tier for Storage

This layer comprises the instances of relational databases that store the configuration, user, and historical data that is used by CA Risk Authentication to analyze each transaction. In addition, this layer also constitutes all directory servers (LDAPs) that you have configured for storing user details. If you use any Hardware Security Modules (HSMs) for encrypting sensitive user data, the HSM is also a part of this layer.

Communication between CA Risk Authentication Components

The following diagram illustrates the communication modes supported by CA Risk Authentication and its components.

The default mode of communication between components is TCP. The CA Risk Authentication Server supports SSL communication (two-way and one-way communication) with the following components to ensure integrity and confidentiality of the data being exchanged during each transaction:
■ Case Management Queuing Server
■ CA Risk Authentication Database
■ User Data Service
■ CA Risk Authentication SDK (Risk Evaluation)
■ Sample Application
■ Evaluation Callout
■ Scoring Callout

Note: CA Risk Authentication enables you to customize the Evaluation Rule based on your business requirements. This custom rule is known as Evaluation Callout. CA Risk Authentication also enables you to customize Scoring Logic, which is known as Scoring Callout. For more information, see CA Risk Authentication Administration Guide.

Chapter 2: How to perform a Fresh Installation

This scenario guides you in selecting a deployment model and determining which CA Risk Authentication components and prerequisite software to install on each system. The following illustration defines the tasks that should be performed to install CA Risk Authentication:

Note: In this guide, System refers to a physical device and Server refers to software that is run on the system.

Perform the following steps:
1. Select a Deployment Model (see page 15)
2. Configure Database Server (see page 28)
3. Set up Database Store and Database Information (see page 33)
4. Perform a Single System Deployment. For more information, refer to Perform a Single System Deployment.
5. Perform a Distributed Systems Deployment.
   For more information, refer to Perform a Distributed Systems Deployment.
6. Configure CA Risk Authentication SDKs and Web Services (see page 157).

Select a Deployment Model

CA Risk Authentication Server is the primary component that you must install. The server provides the risk evaluation service, which includes transaction risk evaluation. Your applications that must use CA Risk Authentication Server can integrate with it by using the Java SDKs or web services shipped with it.

CA Risk Authentication also requires an SQL database for storing server configuration data, user-specific preferences, and usage data.

Typically, all CA Risk Authentication components are installed on a single system. However, in production deployments and staging environments, you install CA Risk Authentication Server on the same system. The shipped SDKs or web services are installed on a different system or systems that contain the application that users log in to.

CA Risk Authentication is also shipped with a Sample Application, which can be used to verify that CA Risk Authentication was installed properly and to perform risk evaluation. Sample Application also serves as a code sample for integrating CA Risk Authentication with existing applications.

CA Risk Authentication supports the following deployment scenarios:
■ Single-System Deployment - For development or testing environments
■ Distributed-System Deployment - For production or staging environments
■ High-Availability Deployment - For high availability and scalability, production, or staging environments

Deploy on a Single System

In a single-system deployment, all components of CA Risk Authentication and the application that users log in to are installed on a single system. The database may be on the same system where CA Risk Authentication is installed, or on a different system.
It is possible to use both Java SDKs and Web services in a single-system deployment. The prerequisite software for these components is identical.

The simplest way to perform a single-system deployment is to select the Complete Installation option while running the CA Risk Authentication installer.

If you plan to perform a single-system deployment, perform the following steps:
a. Install a database server on the system that has CA Risk Authentication Server. Alternatively, you can use an existing database on a separate system.
b. Use Sample Application, or write My Own Web application.
   Important! Do not use Sample Application in production deployments. Build your own web application by using Sample Application as a code reference.
c. Use Java SDKs or Web services to integrate with My Own Web application.

Java SDKs

The following diagram illustrates CA Risk Authentication Server and Java SDKs deployed on a single system.

Note: The use of a web server to deliver HTML pages for the application server is optional and is transparent to CA Risk Authentication. In production deployments, this approach is typically used to improve the application server performance and security. For more details, see the documentation on Application Server.

Web Services

The following figure illustrates CA Risk Authentication Server and Web services on a single system.

Note: Install CA Risk Authentication Server on the target system and generate the requisite client stubs, because all web services are now built into the CA Risk Authentication Server module itself. No further configuration is required.

Deploy on Distributed Systems

The distributed model applies to web-based applications whose components are distributed across the web tier, application tier, and data tier, and which require a secure zone between their web servers and application servers.

The following are the reasons for deploying CA Risk Authentication in a distributed model:
■ High availability (fail over and load balancing)
■ High performance
■ Increase in throughput

In a distributed-system deployment, CA Risk Authentication components are installed on different servers. This is done for security and performance, and to enable multiple applications to use the risk-evaluation functionality. For example, the most common deployment is to install CA Risk Authentication Server on one system and one or more web applications on additional systems.

To perform a distributed-system deployment, you must select the Custom installation option in the CA Risk Authentication installer.

Deploying on a Single Application with Java SDKs

The following diagram illustrates CA Risk Authentication using Java SDKs with a single application.

Note: You can install Administration Console and UBP on any individual system, every system, or on a system that is not listed in the diagrams.

Deploying Multiple Applications with Java SDKs

The following figure illustrates CA Risk Authentication deployment using Java SDK with multiple applications.

Deploying Single Application with Web Services

The following figure illustrates CA Risk Authentication deployment using web services on a single application.
Deploy on a High Availability Environment

In a high-availability deployment, CA Risk Authentication components are installed on more than one server to provide high availability and scalability. The diagrams illustrate several possible options for which prerequisites and CA Risk Authentication components are installed on multiple systems.

When your transaction rate exceeds the permissible threshold (as decided by your organizational policies), you must add a server instance. Most of the following CA Risk Authentication components support multiple instances:

■ CA Risk Authentication Servers: Multiple instances are supported. The number depends on the transaction rate you want to achieve.
■ Case Management Queuing Servers: Multiple instances are supported. The number depends on the transaction rate you want to achieve.
■ Administration Consoles: Multiple instances are supported. The number depends on the number of administrators in the system who log in to the Console simultaneously.
■ UDS Servers: Currently, only one is supported.
■ SDKs: Multiple instances are supported. This number depends on the number of your application instances that you plan to support.

The following illustrations show you how to achieve your deployment decision:

High Availability Deployment Using Java SDK

The following figure illustrates multiple-instance deployment using Java SDK.

High Availability Deployment Using Web Services

The following figure illustrates multiple-instance deployment using Web services.
Hardware Requirements

The minimum hardware requirements for installing include:

■ Requirements for CA Strong Authentication and CA Risk Authentication with database on a single system:
  – RAM: 2 GB
  – Hard Drive Space: 10 GB
  – Processor: 2.4 GHz
■ Requirements for CA Strong Authentication and CA Risk Authentication with database on a separate system:
  – RAM: 1 GB
  – Hard Drive Space: 300 MB
  – Processor: 2.4 GHz

Note: Hardware resource requirements vary substantially for different applications and usage patterns. It is recommended that you load-test your site to determine the optimal memory that is required for the installation. While load-testing, keep in mind that some operating system utilities for monitoring memory can overstate memory usage (partially because of the representation of shared memory). The preferred method for determining memory requirements is by monitoring the improvement in performance after adding more RAM/physical memory in the load test. See your platform vendor documentation for information about how to configure memory and processor resources for testing purposes.

Chapter 3: System Requirements

This section contains the following topics:

Software Requirements

Software Requirements

The following sections provide information about software requirements:

CA Risk Authentication Component-Specific Prerequisites

The prerequisite software is determined by the CA Risk Authentication components to be installed on a system. See "Planning the Deployment" to determine what CA Risk Authentication components to install for each deployment type.
The following table lists the prerequisite software that is required by each CA Risk Authentication component:

                                   Prerequisite
Component                          Database Server   JDK   Application Server
CA Risk Authentication Server      +
Case Management Queuing Server     +
Administration Console             +                 +*    +
User Data Service                  +                 +*    +
Risk Evaluation Java SDK                             +*    +
User Management Web Service                          +*    +
Administration Web Service                           +*    +
Transaction Web Service                              +*    +
Sample Application                                   +*    +

* The JDK depends on the application server you are using.

Chapter 4: Pre-Installation Tasks

Before you install CA Risk Authentication and its components, ensure that your computer meets all the system requirements. For information on hardware and software requirements, see the Platform Support Matrix.

This chapter has the following sections required for this installation:

■ Configure Database Server
■ How to Set Up Data Store and Database Information

Configure Database Server

Before installing, set up a database used for storing user information, server configuration data, audit log data, and other information. CA Risk Authentication supports a primary database and a backup database that can be used during failover and fail-back in high-availability deployments.

Configure the database connectivity in the following ways:

■ During CA Risk Authentication installation, the database is configured when the installer automatically edits the arcotcommon.ini file with the database information you supply.

There are specific configuration requirements for each supported database (Microsoft SQL Server, Oracle, or MySQL).

Note: For JBoss Application Server, follow the below steps while configuring a backup database:

a. Edit module.xml in \modules\system\layers\base\sun\jdk\main with the following statements

Restart the application server.

Important!
To protect the database server, use a firewall or any other access control mechanism, and set the database server to the same time zone as all dependent products.

Configure Microsoft SQL Server

This section provides the following configuration procedure for SQL Server:

Note: See the SQL Server documentation for detailed information about performing the tasks listed in this section.

Follow these steps:

1. Verify that SQL Server is configured to use the SQL Server and Windows Authentication mode for Server authentication. Right-click the server in the Object Explorer window and select the Security page.
   CA Risk Authentication cannot connect to the database if SQL Server is configured to Windows Authentication Mode.
2. Create a database by the following criteria:
   ■ The recommended name is arcotdb.
   ■ The database size must be configured to grow automatically.
3. Create a DB user by performing the following steps:
   a. In the SQL Server Management Studio, go to ; expand the Security folder, and then click Login.
      Note: The refers to the host name or IP address of the SQL Server where you created your database.
   b. Right-click the Login folder, and click New Login.
   c. Enter the Login name (recommended name is arcotuser).
   d. Set the Authentication parameter to SQL Server Authentication.
   e. Specify Password and Confirm password for the login.
   f. Ensure that you specify other password settings on this page according to the password policies in your organization.
   g. Make the database that you created (arcotdb) the default database.
   h. Perform the mapping of the users to this login section.
   i. Map the user (SQL 2005) for the default database to db_owner (in the Database role membership for: section).

Configure Oracle Server

This section provides the configuration information for creating Oracle database server.

Prerequisites:
1. Run CA Risk Authentication on Oracle with two table-spaces. The reasons to have two table-spaces are as follows:
   ■ Use the first table-space for configuration data, audit logs, and user information. This table-space can be the default user table-space in the CA Risk Authentication database.
   ■ Run the reports on the second table-space. We recommend that you use a separate table-space to run the reports.
2. Use CA Risk Authentication Database Configuration Script. The script automatically creates the table-space for reports, if the database user running the script has sufficient permissions to create a table-space. If the user does not have the required permissions, the db administrator must manually create this table-space and delete the section for creating reports in the script.
   arcot-db-config-for-common-8.0.sql

Important! The parameters for creating the reports table-space in the arcot-db-config-for-common-8.0.sql database script can be changed according to the preferences of the db administrator. However, the table-space name must be ARReports to generate reports successfully.

To create an Oracle server, perform the following steps:

1. Create a new database that stores information in the UTF-8 character set. This allows CA Risk Authentication to use international characters including double-byte languages. To enable UTF-8 support for your Oracle database, perform the following steps:
   a. Log in to the Oracle database server as SYS or SYSTEM.
   b. Run the following command:
      UPDATE sys.props$ SET value$='UTF8' WHERE name='NLS_NCHAR_CHARACTERSET' OR name='NLS_CHARACTERSET';
   c. Restart the database and verify whether the character set is configured to UTF-8.
2. Create a database user:
   a. Create a user (recommended name is arcotuser), with a schema in the new database arcotdb.
   b. Set the quota of user to at least 5 GB to 10 GB for a development or test deployment.
      Note: If the deployment is for the production environment, staging, or other intensive testing, see Database Reference to determine the quota that is required for a user.
   c. Grant the DBA role to the user.

Configure MySQL Server

This section provides the following configuration information for MySQL.

Follow these steps:

1. To check whether your MySQL installation supports InnoDB storage engine, use the SHOW ENGINES command.
   Note: CA Risk Authentication uses the InnoDB storage engine of MySQL. If the output of this command shows that InnoDB is not supported, enable support for InnoDB. For information to enable support for InnoDB, see the MySQL Documentation.
2. If you are running MySQL on any non-Windows platform, set the lower_case_table_names variable to 1.
   Note: For more information, see the MySQL Documentation.
3. To create a database, perform the following steps:
   a. Open a MySQL command window.
   b. To create the database schema, run the following command:
      CREATE SCHEMA '' DEFAULT CHARACTER SET utf8;
   c. To create the database user, run the following command:
      CREATE USER '' identified by '';
4. Create a user with the following criteria:
   a. Create a user (recommended name is arcotuser) in the new database arcotdb.
   b. Grant the following privileges to the user:
      ■ Object rights:
        – SELECT
        – INSERT
        – UPDATE
        – DELETE
        – EXECUTE
      ■ DDL rights:
        – CREATE
        – ALTER
        – CREATE ROUTINE
        – ALTER ROUTINE
        – DROP
      ■ Other rights:
        – GRANT OPTION

Set Up the Data Store and Database Information

Before you proceed with the CA Risk Authentication installation, set up the CA Risk Authentication data store, the Database Client, and gather the required database information. Ensure that the correct JDK version and application server are installed.
Enable the UTF-8 support on the systems (for example, CA Risk Authentication Server, Administration Console, and User Data Service) where you plan to install CA Risk Authentication components that communicate with the database server. This section depicts the steps to do so.

Follow these steps:

1. Install the required language package. See the vendor documentation for more information about how to do this.
2. Navigate to the following location:
   Start -> Settings -> Control Panel -> Regional and Language Options
   The Regional and Language Options dialog appears.
3. Activate the Languages tab.
4. Select the following options:
   ■ Install files for complex script and right-to-left languages (including Thai)
   ■ Install files for East Asian Language
5. Click Apply to save the changes.
6. Click OK to close the dialog.

Configure UTF-8 Support on Client Systems

To enable the UTF-8 support on the systems (Example: CA Risk Authentication Server, Administration Console, and User Data Service) where you plan to install components that communicate with the database server, perform the following steps.

Follow these steps:

1. Install the required language package. See the vendor documentation for more information about how to do this.
2. Navigate to the following location:
   Start, Settings, Control Panel, Regional and Language Options
3. Activate the Languages tab.
4. Select the following options:
   ■ Install files for complex script and right-to-left languages (including Thai)
   ■ Install files for East Asian Language
5. Click Apply.
6. Click OK.

HSM Requirements

This section applies only when you are using HSMs.

If you are planning to use HSM to store encryption keys, then set up the following components before installation:

■ HSM Server
■ HSM Client
■ At least one 3DES key created in HSM (you will need this 3DES key for encrypting information in the database).

Important!
Ensure that you have safely written down the labels of the 3DES keys. You need them later for encrypting information in the database. See your platform vendor documentation for more information.

Requirements for Java-Dependent Components

Install the following components required by Administration Console, CA Risk Authentication Java SDKs, and Web services:

■ JDK
  Note: If you perform a fresh installation of JDK, then you must set the JAVA_HOME environment variable. The PATH variable must point to $JAVA_HOME\bin\. If you fail to do so, then Administration Console and other JDK-dependent components might fail to start.
■ Application Server

Chapter 5: How to Deploy CA Risk Authentication on a Single System

To install the CA Risk Authentication components, use the CA Risk Authentication 8.0 InstallAnywhere Wizard. This wizard supports Complete and Custom installation types.

Note: To install and configure CA Risk Authentication on a single computer, use the Complete option when you run the installer.

The following illustration shows the tasks to perform for installing CA Risk Authentication 8.0:

Perform the following tasks:

1. Perform a Complete Installation
2. Verify the Database Setup
3. Run the Database Scripts
4. Prepare an Application Server
5. Deploy the Administration Console
6. Log in to Administration Console
7. Perform the Bootstrapping Tasks for the System
8. Start the CA Risk Authentication Server Service
9. Start CA Risk Authentication Case Management Service
10. Deploy UDS
11. Deploy User Behavior Profiling Application
12. Deploy the Sample Application
13. (Optional) Deploy User Behavior Profiling Application
14. Verify the Installation
15. How to Use Sample Application for Risk Evaluation
16. Apply Post-Installation Checklist

Important! Consider the following points while installing CA Risk Authentication on a single system:

■ Verify that the does not contain any special characters (such as ~ ! @ # $ % ^ & * ( ) _ + = , -* + ’ ").
■ The MySQL database name must not contain dot (.) characters.
■ Currently, you cannot modify or repair CA Risk Authentication components by using the installer. You must uninstall the component and then re-install it.
■ Do not close the installer window, if the installation is in progress. If at any time during the installation (especially during the last stages), you click the Cancel button to abort the installation, then the installer may not remove all the directories that it has created so far. You must manually clean up the installation directory, \Arcot Systems\, and its subdirectories.
■ If you run the installer on a system that already contains an instance of an existing ARCOT_HOME, then:
  – You are not prompted for an installation directory.
  – You are not prompted for the database setup. The installer uses the existing database.
  – You are not prompted to set up encryption.
■ You can install and use CA Strong Authentication along with CA Risk Authentication. Both products use certain common components, which are copied during the installation of either product.
If you have already installed CA Strong Authentication and you are now starting the CA Risk Authentication installation procedure, the CA Risk Authentication installer can detect the presence of the common components that were copied during the CA Strong Authentication installation. The CA Risk Authentication installer then displays the screens for performing a custom installation.

This section contains the following topics:

Perform a Complete Installation
How to Prepare an Application Server
Deploy the Administration Console
Perform the Bootstrapping Task for the System
Deploy User Data Service (UDS)
Deploy User Behavior Profiling Application
Deploy the Sample Application
How to Use the Sample Application for Risk Evaluation
Apply the Post-Installation Checklist

Perform a Complete Installation

To install and configure CA Risk Authentication, use a single user account from the Administrators group for the installation. Otherwise, the critical steps in the installation do not complete successfully, though the installation may complete without any errors.

Perform a Complete installation to install all of the components of the CA Risk Authentication package. These components include CA Risk Authentication Server and the scripts that are required for setting up the database.

Follow these steps:

1. Navigate to the directory where the CA Risk Authentication-8.0-Windows-Installer.exe file is located and double-click the file.
2. Click Next.
3. Read the license agreement, select the I accept the terms of the License Agreement option, and click Next.
   The installer now checks if other CA products exist on the system.
If the installer detects an existing CA product installation (an existing ARCOT_HOME), then:

■ You are not prompted for an installation directory.
■ You are not prompted for the database and encryption setup. The installer uses the existing database and encryption settings. As a result, you can move to Step 6, though the configuration is disabled. You do not have to perform Step 10 as the screens of it do not get displayed.

4. Click Next.
5. Select Complete to Install and click Next.
6. Depending on the type of database you have, select one of the following, and click Next:
   ■ Microsoft SQL Server
     Note: If you are using a SQL database, verify that the ODBC Driver version you are using is the same as the one mentioned in Preparing for Installation.
   ■ Oracle Database
     Note: CA Risk Authentication is certified to work with Oracle Real Application Clusters (Oracle RAC). To use Oracle RAC on CA Risk Authentication Installation, select Oracle Database in this step, perform the next step (Step 7), and then perform the steps in Configuring CA Risk Authentication for Oracle RAC (W).
   ■ MySQL
   Based on your database choice the following screens get displayed:
7. Complete the following information:

■ Microsoft SQL Server:

ODBC DSN
   Defines the value by which the installer creates the DSN. CA Risk Authentication Server then uses this DSN to connect to the CA Risk Authentication database. The recommended value to enter is arcotdsn.
Server
   Specifies the host name or IP address of the CA Risk Authentication datastore.
   Default Instance
      Syntax:
      Example: demodatabase
   Named Instance
      Syntax: \
      Example: demodatabase\instance1
User Name
   Specifies the database user name. The user must have the create session and DBA rights.
   Note: The User Name for the Primary and Backup DSNs must be different.
Password
   Specifies the password associated with the User Name. This password is specified by the database administrator.
Database
   Specifies the name of the MS SQL database instance.
Port Number
   Specifies the port number at which the database listens to the incoming requests.
   Default Port: 1433

■ Oracle Server:

ODBC DSN
   Specifies the value by which the installer creates the DSN. CA Risk Authentication Server then uses this DSN to connect to the CA Risk Authentication database. The recommended value to enter is arcotdsn.
User Name
   Specifies the database user name for CA Risk Authentication to access the database. This name is specified by the database administrator. The user must have the create session and DBA rights.
   Note: The User Name for the Primary and Backup DSNs must be different.
Password
   Specifies the password associated with the User Name you specified in the previous field. This password is specified by the database administrator.
Service ID
   Specifies the Oracle System Identifier (SID) that refers to the instance of the Oracle database running on the server.
Port Number
   Specifies the port at which the database listens to the incoming requests.
   Default: 1521
Host Name
   Specifies the host name or IP address of the CA Risk Authentication datastore.
   Syntax:
   Example: demodatabase

■ MySQL Server:

ODBC DSN
   Specifies the value by which the installer creates the DSN. CA Risk Authentication Server then uses this DSN to connect to the CA Risk Authentication database. The recommended value to enter is arcotdsn.
Server
   Specifies the host name or IP address of the CA Risk Authentication datastore.
   Default Instance
      Syntax:
      Example: demodatabase
   Named Instance
      Syntax: \
      Example: demodatabase\instance1
User Name
   Specifies the database user name for CA Risk Authentication to access the database. This name is specified by the database administrator. The user must have the create session and DBA rights.
   Note: The User Name for the Primary and Backup DSNs must be different.
Password
   Specifies the password associated with the User Name you specified in the previous field. This password is specified by the database administrator.
Database
   Specifies the name of the MySQL database instance.
Port Number
   Specifies the port at which the database listens to the incoming requests.
   Default: 3306

8. After you specify the database details, test if you can successfully connect to the database by clicking the Test Data Source button and verify the result of the same in the field below the button.
9. Click Next.
10. Select the encryption mode and enter the information that is used for encryption.

Master Key
   Specifies the password for the Master Key which is used to encrypt the data stored in the database.
   Default Value: MasterKey
   Note: If you want to change the value of Master Key after the installation, then regenerate securestore.enc with a new Master Key value. See Changing Hardware Security Module Information After the Installation for more information.
Configure HSM
   (Optional) Specifies if you will use a Hardware Security Module (HSM) to encrypt the sensitive data. If you do not select this option, then, by default, the data is encrypted by using the Software Mode.
PIN
   Identifies the password to connect to the HSM.
Choose Hardware Module
   Specifies one of the following HSMs:
   – Luna HSM
   – nCipher netHSM
HSM Parameters
   Set the following HSM information:
   Shared Library: The absolute path to the PKCS#11 shared library corresponding to the HSM. For Luna (cryptoki.dll) and for nCipher netHSM (cknfast.dll), specify the absolute path and name of the file.
   Storage Slot Number: The HSM slot where the 3DES keys used for encrypting the data are available.
   – For Luna, the default value is 0.
   – For nCipher netHSM, the default value is 1.
   Note: The HSM parameter values are recorded in arcotcommon.ini, which is available in \Arcot Systems\conf\. To change these values after installation, edit this file, as discussed in Configuration Files and Options.

   Click Next.
11. Review the information in the Pre-Installation Summary screen, and click Next.
12. Click Install to begin the installation process.
    The Microsoft Visual C++ 2010 x86 Redistributable Setup screen appears. This screen appears only if the current system where you are installing CA Risk Authentication does not have Microsoft Visual C++ 2010 x86.
13. On the Microsoft Visual C++ 2010 x86 Redistributable Setup screen, perform the following steps:
    a. Select I have read and accept the license terms, and click Install.
       The Installation Progress screen appears. This may take a few seconds. After some time the Installation Is Complete screen appears.
    b. Click Finish to close the Microsoft Visual C++ 2010 x86 Redistributable Setup dialog box and continue with the installation.
       The Installing CA Risk Authentication screen appears. After some time the Installation Complete screen appears.
14. Click Done to complete the CA Risk Authentication installation.

Note: After the installation is completed, perform the post-installation tasks that are discussed in Performing Post-Installation Tasks.

Installation Logs

After installation, you can access the installation log file (CA_CA Risk Authentication_Install_.log) in the directory. For example, if you had specified the C:\Program Files directory as the installation directory, then the installation log file is created in the C:\Program Files directory. If the installation fails for some reason, then error messages are recorded in this log file.

Run the Database Scripts

To create the database tables, run the required database scripts.
Follow these steps:

Important! Before you run the scripts, verify that you are logged in as the same database user that you created in the section, Configure Database Server.

1. Navigate to the following directory:
   \Arcot Systems\dbscripts\
2. Navigate to one of the following subdirectories based on the database that you are using:
   ■ For Oracle: oracle\
   ■ For Microsoft SQL: mssql\
   ■ For MySQL: mysql\
3. Run the scripts in the following order:
   a. arcot-db-config-for-common-8.0.sql
      Important! If you have installed CA Strong Authentication, do not run arcot-db-config-for-common-8.0.sql because you have already run it while installing CA Strong Authentication.
   b. arcot-db-config-for-riskfort-8.0.sql
   c. (Optional, only if you must create the 3D Secure Channel) arcot-db-config-for-3dsecure-8.0.sql
   d. (Optional, only if you are using User Behavior Profiling) arcot-db-config-for-userprofiling-2.0.sql

Note: Running the scripts is a one-time job. If you run a script again, you may get errors such as "table already exists" or insertions that fail due to duplicate records.

Verify the Database Setup

After you run the required database scripts, verify the CA Risk Authentication schema.

Follow these steps:

1. Log in to the CA Risk Authentication database as the user who installed the database.
   Note: If you are following the upgrade path, then log in to the database as the user who upgraded the database.
2. Run the following query:
   SELECT SERVERNAME, VERSION FROM ARRFSERVERS;
   You must see the following output as a result of the preceding query:

   SERVERNAME                               VERSION
   -------------------------                ----------------
   CA Risk Authentication                   8.0
   CA Risk Authentication CaseManagement    8.0

3. Log out of the database console.
How to Prepare an Application Server

The User Data Service (UDS) and Administration Console are Web-based components of Risk Authentication, and you must deploy them on any of the following supported application servers:

■ Apache Tomcat
■ IBM WebSphere
■ Oracle WebLogic
■ JBoss Application Server

Before you deploy the WAR files for these web applications on the application server, copy the files that are required by UDS and Administration Console to the appropriate location on your application server. This section depicts the steps to copy the required crypto files to your application server and to deploy the WAR files of these web applications.

1. Set Java Home
2. Copy Database Access to Application Server
3. Copy JDBC JAR Files to Application Server
4. Create Enterprise Archive Files

Set Java Home

This section provides the setup for the Java Home environment.

Follow these steps:

1. Verify that you set the JAVA_HOME environment variable. The JAVA_HOME must be your application server JAVA_HOME.
2. Add %JAVA_HOME%\bin\ to the PATH variable.

Copy Database Access Files to Application Server

UDS and Administration Console use the following files to access the CA Risk Authentication database securely:

■ arcot-crypto-util.jar available at: \Arcot Systems\java\lib\
■ ArcotAccessKeyProvider.dll available at: \Arcot Systems\native\win\<32bit-or-64bit>\

As a result, copy these files to the appropriate location on the application server where you have deployed the CA Risk Authentication components. The following subsections provide information about copying these files for:

Apache Tomcat

Follow these steps:

1. Copy arcot-crypto-util.jar to \jre\lib\ext\.
   Specifies the JAVA_HOME used by your Apache Tomcat instance.
2. Copy ArcotAccessKeyProvider.dll to \jre\bin\.
3. Restart the application server.
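A post-copy check for the Set Java Home and Apache Tomcat steps above, added here as an example and not taken from CA's documentation or installer. It assumes that the prefix of \jre\lib\ext\ and \jre\bin\ is the JAVA_HOME of the Tomcat instance, as step 1 states; the -ArcotHome and -NativeFolder parameters, and the folder names 32bit and 64bit, are assumptions.

```powershell
# Added example (not CA's code). Confirms JAVA_HOME and PATH are set as the guide
# requires, and that the two database-access files copied into the JRE are
# byte-identical to the copies laid down under the "Arcot Systems" directory.
param(
    # Assumption: full path of the "Arcot Systems" installation directory.
    [Parameter(Mandatory = $true)][string]$ArcotHome,
    # Assumption: name of the folder under native\win\ (the guide shows <32bit-or-64bit>).
    [ValidateSet('32bit', '64bit')][string]$NativeFolder = '64bit',
    # JAVA_HOME of the Tomcat instance; defaults to the current environment.
    [string]$JavaHome = $env:JAVA_HOME
)

function New-Result([string]$Check, [bool]$Passed, [string]$Detail) {
    [pscustomobject]@{ Check = $Check; Passed = $Passed; Detail = $Detail }
}

function Test-JavaHome([string]$JavaHome) {
    if ([string]::IsNullOrWhiteSpace($JavaHome)) {
        return New-Result 'JAVA_HOME set' $false 'JAVA_HOME is empty'
    }
    if (-not (Test-Path -LiteralPath $JavaHome -PathType Container)) {
        return New-Result 'JAVA_HOME set' $false "$JavaHome is not a directory"
    }
    New-Result 'JAVA_HOME set' $true $JavaHome
}

function Test-JavaBinOnPath([string]$JavaHome) {
    $want = (Join-Path $JavaHome 'bin').TrimEnd('\')
    # Normalise each PATH entry: expand %VAR%, drop quotes and trailing backslash.
    $entries = $env:PATH -split ';' | Where-Object { $_ } | ForEach-Object {
        [Environment]::ExpandEnvironmentVariables($_).Trim('"').TrimEnd('\')
    }
    $found = $entries -contains $want   # string comparison is case-insensitive
    New-Result 'PATH has JAVA_HOME\bin' $found $want
}

function Test-CopiedFile([string]$Name, [string]$Source, [string]$Destination) {
    foreach ($p in $Source, $Destination) {
        if (-not (Test-Path -LiteralPath $p -PathType Leaf)) {
            return New-Result $Name $false "missing: $p"
        }
    }
    $src = (Get-FileHash -LiteralPath $Source -Algorithm SHA256).Hash
    $dst = (Get-FileHash -LiteralPath $Destination -Algorithm SHA256).Hash
    if ($src -ne $dst) {
        # A stale or substituted file here is loaded by every application in this JRE.
        return New-Result $Name $false "SHA-256 differs from installed copy: $Destination"
    }
    New-Result $Name $true "matches $Source"
}

$results = @(Test-JavaHome $JavaHome)
if ($results[0].Passed) {
    $results += Test-JavaBinOnPath $JavaHome
    $results += Test-CopiedFile 'arcot-crypto-util.jar' `
        (Join-Path $ArcotHome 'java\lib\arcot-crypto-util.jar') `
        (Join-Path $JavaHome 'jre\lib\ext\arcot-crypto-util.jar')
    $results += Test-CopiedFile 'ArcotAccessKeyProvider.dll' `
        (Join-Path $ArcotHome "native\win\$NativeFolder\ArcotAccessKeyProvider.dll") `
        (Join-Path $JavaHome 'jre\bin\ArcotAccessKeyProvider.dll')
}

$results | Format-Table -AutoSize -Wrap
if ($results.Passed -contains $false) { exit 1 }
```

Run it under the same account and environment that starts Tomcat, because JAVA_HOME and PATH are read from the current process.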
IBM WebSphere Follow these steps: 1. Log in to WebSphere Administration Console. 2. Click Environment, and click Shared Libraries. a. From the Scope drop-down, select a valid visibility scope. Include the target server or node on which the application is deployed. b. Click New. c. Enter the Name. Example: ArcotJNI. d. Enter the Classpath. This path must point to the location where the arcot-crypto-util.jar file is present and must also include the file name. Example: C:\Program Files\Arcot Systems\java\lib\arcot-crypto-util.jar. e. Enter the JNI Library path. This path must point to the location where the ArcotAccessKeyProvider.dll file is present. Chapter 5: How to Deploy CA Risk Authentication on a Single System 51 How to Prepare an Application Server 3. Click Apply. 4. Configure the server-level class loaders. 5. a. Navigate to Servers, Server Types, WebSphere Application Servers. b. Under Application Servers, access the settings page of the server. c. Click Java and Process Management. Click Class Loader. d. Click New. e. Select default Classes loaded with parent class loader first, and click OK. f. Click the auto-generated Class Loader ID. g. Click Shared Library References. h. Click Add and select ArcotJNI. Click Apply. i. Save the changes. Copy ArcotAccessKeyProvider.dll to \jre\bin\. Here, represents the JAVA_HOME used by your IBM WebSphere instance. 6. Restart the application server. Oracle WebLogic Follow these steps: 1. Copy ArcotAccessKeyProvider.dll to \jre\bin\. Here, represents the JAVA_HOME used by the Oracle WebLogic instance. 2. Copy arcot-crypto-util.jar to \jre\lib\ext\. Note: Ensure that you use the appropriate used by WebLogic. 3. Log in to WebLogic Administration Console. 4. Navigate to Deployments. 5. Enable the Lock and Edit option. 6. Click Install. Navigate to the directory that contains the arcot-crypto-util.jar file. 7. Click Next. 8. Click Next to display the Summary page. 9. Click Finish. 10. Activate the changes. 11. 
Restart the application server.

JBoss Application Server
Follow these steps:
1. Copy ArcotAccessKeyProvider.dll to \jre\bin\. Here, represents the JAVA_HOME used by your JBoss Application Server instance.
2. Create a folder structure as \modules\advauth-admin-libs\main\ and copy the following JARs from \java\lib to this folder:
   ■ arcot-crypto-util.jar
   ■ bcprov-jdk15-146.jar
3. Create a file with the name module.xml in the same folder location (\modules\advauth-admin-libs\main) with the following code:
4. Restart the application server.

Copy the JDBC JAR Files to Application Server

CA Risk Authentication requires the following JDBC JAR files for the supported databases:
■ Oracle 10g: Oracle JDBC Driver (10.2.0.1.0)
■ Oracle 11g: Oracle JDBC Driver (11.2.0.2.0)
■ Microsoft SQL Server: MSSQL JDBC Driver (1.2.2828)
■ MySQL: MySQL JDBC Driver (5.1.22)

The following sections walk you through the steps for copying the JDBC JAR required for your database:

Apache Tomcat
Follow these steps:
1. Navigate to the location where you have downloaded the file.
2. Copy the file to the following directory:
   ■ On Apache Tomcat 5.5.x: \common\lib\
   ■ On Apache Tomcat 6.x and 7.x: \lib\
3. Restart the server.

IBM WebSphere
Follow these steps:
1. Log in to the WebSphere Administration Console.
2. Click Environment, and click Shared Libraries. Do the following steps:
   a. From the Scope list, select a valid visibility scope. Include the target server or node on which the application is deployed.
   b. Click New.
   c. Enter the Name. Example: JDBCJAR.
   d. Specify the Classpath. Important! This path must point to the location where the file is present and must include the file name.
   e. Click Apply.
3. Configure server-level class loaders, and do the following steps:
   a.
Navigate to Servers, Server Types, WebSphere Application Servers.
   b. Under Application Servers, access the settings page.
   c. Click Java and Process Management. Click Class Loader.
   d. Click New.
   e. Select default Classes loaded with parent class loader first. Click OK.
   f. Click the auto-generated Class Loader ID.
   g. Click Shared Library References.
   h. Click Add, and select JDBCJAR. Click Apply.
   i. Save the changes.
4. Restart the application server.

Oracle WebLogic
Follow these steps:
Note: If you are using Oracle database, then do not perform the configurations that are mentioned in this section, because WebLogic supports Oracle database by default.
1. Copy the file to \lib\ext\. Here, represents the JAVA_HOME used by your Oracle WebLogic instance.
2. Log in to the WebLogic Administration Console.
3. Navigate to Deployments.
4. Enable the Lock and Edit option.
5. Click Install and navigate to the directory that contains the required file.
6. Click Next.
7. Click Next to display the Summary page.
8. Click Finish.
9. Activate the changes.
10. Restart the application server.

JBoss Application Server
Follow these steps:
1. Create a folder structure as \modules\advauth-jdbc-driver\main\ and copy the JDBC JAR file to this folder location.
2. Create a file with the name module.xml at the following location: \modules\advauth-jdbc-driver\main\
3. Add the following code to the file:
4. Edit the tag ‘’ with the JDBC JAR file name. Example: sqljdbc.jar
5. Restart the application server.

Create Enterprise Archive Files

Valid on Oracle WebLogic 10.1

Most enterprise Application Servers support bundling the related JAR or WAR files from one vendor (Example: CA) to a single enterprise application (or archive). As a result, all the related JARs or WARs can be deployed together, and can be loaded by a class loader.
This archive also contains an application.xml file, which is generated automatically and describes how to deploy each bundled module. Provide the default WAR files to deploy UDS and Administration Console. However, if necessary, you can also change the format of these files to Enterprise ARchive (EAR) and then deploy the EAR files. One of the following subsections helps you to either generate separate EAR files for both UDS and Administration Console, or to generate a single EAR file that contains both web archives.

To create a separate EAR file each for UDS and Administration Console, do the following steps:
1. Open the Command Prompt window.
2. Navigate to the \Arcot Systems\tools\common\bundlemanager\ directory.
3. To create the EAR file, run the following command:
   java -jar bundle-manager.jar -ear -warList
   The preceding command generates individual EAR files that are available at: \Arcot Systems\java\webapps\

To create a single EAR file that contains UDS and Administration Console Web archives, do the following steps:
1. Open the Command Prompt window.
2. Navigate to the \Arcot Systems\tools\common\bundlemanager\ directory.
3. To create the EAR file, run the following command:
   java -jar bundle-manager.jar -ear -warList arcotadmin.war arcotuds.war
   The preceding command generates a single EAR file that is available at: \Arcot Systems\java\webapps\

Deploy the Administration Console

The Administration Console is a browser-based interface that enables you to customize the server configurations and manage the deployed system.
Note: If you deploy the Administration Console on IBM WebSphere 7.0, 8.0 or 8.5, then see the instructions in appendix, Deploy Administration Console on IBM WebSphere.
To manage CA Risk Authentication by using Administration Console, verify that the Administration Console can access the system where the CA Risk Authentication Server is installed by its hostname.
Follow these steps:
1. Deploy arcotadmin.war in the appropriate directory on the application server.
   Note: The deployment procedure depends on the application server that you are using. See your application server vendor documentation for detailed instructions.
   Example: In the case of Apache Tomcat, you must deploy the WAR file at \webapps\.
2. (For 32-bit WebSphere Only): Configure reload of the Admin class when the application files are updated. Perform the following steps:
   a. Navigate to Application, Enterprise Applications, and then access the Admin settings page.
   b. Under Class loader order, select the Classes loaded with local class loader first (parent last) option.
   c. Under WAR class loader policy, select the Single class loader for application.
   d. Click Apply.
   e. Restart the Admin application.
3. Restart the application server.
4. To verify that the console is successfully deployed, do the following steps:
   a. Navigate to the following location: \Arcot Systems\logs\
   b. Open the arcotadmin.log file in any editor and locate the following lines:
      ■ 2.0.3
      ■ Arcot Administration Console Configured Successfully.
      Note: These lines indicate that your Administration Console was deployed successfully.
   c. Also ensure that the log files do not contain any FATAL and WARNING messages.
   d. Close the file.

Log in to Administration Console

When you log in to Administration Console for the first time, use the Master Administrator (MA) credentials that are configured automatically in the database during the deployment.
Follow these steps:
1. Launch the Administration Console on a Web browser window.
The default URL for Administration Console is: http://:/arcotadmin/masteradminlogin.htm
   Example: In case of Apache Tomcat, the default host is localhost and port is 8080.
2. Log in by using the default Master Administrator account credentials as follows:
   ■ User Name: masteradmin
   ■ Password: master1234!

Perform the Bootstrapping Task for the System

Bootstrapping is a wizard-driven process that walks you through these setup tasks. Other administrative links are enabled only after you perform these tasks.

Before you start using Administration Console to manage CA Risk Authentication, perform the following mandatory steps to initialize the system:
■ Change the default Master Administrator password
■ Configure the Global Key label
■ Specify the configuration settings for the out-of-the-box organization

When you deploy Administration Console, an organization is created automatically. This organization is referred to as Default Organization (DEFAULTORG). As a single-organization system, the Default Organization itself can be used without creating any organizations.

When you first log in to Administration Console as the Master Administrator (MA), the Summary screen of the Bootstrap wizard appears.
Follow these steps:
1. Click Begin to start the process. The Change Password screen appears.
2. Specify the Current Password, New Password, Confirm Password, and click Next.
3. On the Configure a Global Key Label page, do the following steps:
   ■ Enter the Global Key Label, and click Next.
     CA Risk Authentication enables you to use hardware- or software-based encryption of your sensitive data. (You can enable hardware-based encryption by using arcotcommon.ini file, while software-based encryption is enabled by default.) Irrespective of hardware or software encryption, Global Key Label is used for encrypting user and organization data.
If you are using hardware encryption, then this label serves only as a reference (or pointer) to the actual 3DES key stored in the HSM device, and therefore must match the HSM key label. However, in case of software-based encryption, this label acts as the key.
     Important! After you complete the bootstrapping process, you cannot update this key label.
   ■ Enter the Storage Type to indicate whether the encryption key is stored in the database (Software) or the HSM (Hardware).
4. Click Next to continue.
5. Under the Default Organization Configuration section, enter the following parameters:
   Display Name
      Specifies the descriptive name of the organization. This name appears on all other Administration Console pages and reports.
   Administrator Authentication Mechanism
      Specifies the mechanism that is used to authenticate administrators that belong to the Default Organization. Administration Console supports the following three types of authentication methods for the administrators:
      LDAP User Password: If you select this option, then the administrators are authenticated by using their credentials that are stored in the directory service.
      Note: If this mechanism is used for authenticating administrators, then deploy UDS, as discussed in the section, Deploy User Data Service (UDS).
      Basic: If you select this option, then the built-in authentication method that is provided by Administration Console is used for authenticating the administrators.
      CA Strong Authentication Password: If you select the CA Strong Authentication Password option here, then the credentials are issued and authenticated by the AuthMinder Server. For this, the CA AuthMinder Server must be installed.
      Note: For information about installing and configuring CA Strong Authentication, see the CA Strong Authentication Installation and Deployment Guide.
6.
Under the Key Label Configuration section, specify the following values:
   Use Global Key
      Specifies the default Global Key. Deselect this option if you want to override the Global Key Label you specified in the preceding step and specify a new label for encryption.
   Key Label
      Specifies the new key label, if you deselected the Use Global Key option.
   Storage Type
      Identifies whether the encryption key is stored in the database (Software) or the HSM (Hardware).
7. Click Finish to complete the bootstrapping process.
8. Click Continue to proceed with other configurations by using Administration Console.

Start the CA Risk Authentication Server Service

Follow these steps:
1. Click the Start button on your desktop window.
2. Navigate to Settings, Control Panel, Administrative Tools, Services.
3. Locate and double-click CA Risk Authentication Service.
4. Click Start in the service window.
Note: If you want to stop CA Risk Authentication Server, then follow the Steps 1 and 3, and click Stop on the service window.

CA Risk Authentication Case Management Service

Follow these steps:
1. Click Start - Settings, Control Panel, Administrative Tools, Services.
2. Double-click the CA Risk Authentication Case Management Service.
3. Click Start on the service window.
Note: If you want to stop the CA Risk Authentication Case Management Service, then follow the Steps 1 and 3, and click Stop on the service window.

Deploy User Data Service (UDS)

CA Risk Authentication can access user data from an RDBMS or directly from an LDAP server by using the User Data Service (UDS). The UDS is an abstraction layer that provides CA Risk Authentication seamless access to the third-party data repositories deployed by your organization.
Follow these steps:
1. Deploy arcotuds.war on the application server.
This file is available at: \Arcot Systems\java\webapps\
   Example: In the case of Apache Tomcat, deploy the WAR file at \webapps\.
   Note: The deployment procedure depends on the application server that you are using. See the application server vendor documentation for detailed instructions.
2. (WebSphere Only) Configure to reload the UDS class when the application files are updated. Follow these steps:
   a. Navigate to Applications, Application Types, WebSphere Enterprise Applications and access the UDS settings screen.
   b. Under Class loader order, select the Classes loaded with local class loader first (parent last) option.
   c. Under WAR class loader policy, select the Single class loader for application.
   d. Click Apply.
3. Restart the application server.
4. Verify if UDS is deployed successfully. Follow these steps:
   Note: The arcotuds.log file is used for logging UDS-related information.
   a. Navigate to the following location: \Arcot Systems\logs\
   b. Open the arcotuds.log file in any editor and locate the following line:
      ■ User Data Service (Version: 2.0.3) initialized successfully.
      This line indicates that UDS was deployed successfully.
   c. Ensure that the log files do not contain any FATAL and WARNING messages.
   d. Close the file.

Deploy User Behavior Profiling Application

The User Behavioral Profiling (UBP) model measures the similarity or dissimilarity of the current transaction to prior access by the same user, or that of their peer group in cases of insufficient data. CA Risk Authentication communicates with the UBP application to get the similarity score and include it in the risk evaluation score. You need the ca-userprofiling-2.0-application.war file to deploy UBP.
Follow these steps:
1. Deploy ca-userprofiling-2.0-application.war on the application server.
This file is available at the following location: \Arcot Systems\java\webapps\
   Example: For Apache Tomcat, deploy the WAR file at \webapps\.
   Note: The deployment procedure depends on the application server that you are using. For more information, see Application Server Vendor documentation.
2. (For WebSphere) Configure to reload the UDS class when the application files are updated.
   a. Navigate to Application, Enterprise Applications, UDS Settings.
   b. Select the Class loader order, Classes loaded with local class loader first (parent last) option.
   c. Select the WAR Class loader policy, Single class loader.
   d. Copy the bcprov-jdk15-146 jar file from /sdk/java/lib/external to the following location: /lib/ext folder
      Note: Here, JRE_HOME is the jre installation used by WebSphere application server.
   e. Click Apply.
   (For WebLogic: Refer to WebLogic documentation on how to use third party JDBC drivers)
3. Restart the application server.
4. Verify if UDS is deployed successfully:
   Note: The arcotuds.log file is used for logging UDS-related information.
   a. Navigate to the following location: \Arcot Systems\logs\
   b. Open the ubp_logfile.log file in any editor and locate the following statement:
   c. Verify that the log files do not contain any FATAL and WARNING messages.
   d. Close the file.

Deploy the Sample Application

The Sample Application is used to verify if CA Risk Authentication is installed and configured properly. In addition, it demonstrates the following operations:
■ The typical CA Risk Authentication workflows
■ The basic operations (invocation and post-processing) of CA Risk Authentication APIs
■ Integration of your application with CA Risk Authentication

Important! Do not use the Sample Application in production deployments. We recommend that you build your own web application by using Sample Application as a code-reference.
Sample Application is automatically installed as a part of Complete installation of CA Risk Authentication.
Follow these steps:
1. Deploy the ca-riskauth-8.0-sample-application.war file from the following location: \Arcot Systems\samples\java\
2. If required, restart the application server.
3. Access Sample Application on web browser. The following URL is the default URL for Sample Application:
   http://:/ca-riskauth-8.0-sample-application/index.jsp

Verify the Installation

Follow these steps:
1. Navigate to the following location: \Arcot Systems\logs\
2. Open the arcotriskfortstartup.log file in any editor and locate the following lines:
   ■ STARTING CA Risk Authentication 8.0
   ■ CA Risk Authentication Service READY
3. Open the arcotriskfortcasemgmtserverstartup.log file in any editor and locate the following lines:
   ■ STARTING CA Risk Authentication Case Management Service 8.0
   ■ CA Risk Authentication Case Management Service READY
Note: Ensure that the log files do not contain any FATAL and WARNING messages.

How to Use the Sample Application for Risk Evaluation

This section describes how Sample Application is used for risk-evaluation operations. Each operation in Sample Application is designed to run without error when CA Risk Authentication is installed and functional.

Sample Application demonstrates the following operations that CA Risk Authentication Server can perform:
■ Perform Risk Evaluation and Post Evaluation for a First-Time User
■ Create Users
■ Perform Risk Evaluation and Post Evaluation for a Known User
■ Edit the Default Profile and Performing Risk Evaluation

Perform Risk Evaluation and Post Evaluation for a First-Time User

Follow these steps:
1. Verify that the Sample Application is open (on a web browser).
The following URL is the default one for Sample Application:
   http://:/CA Risk Authentication-8.0-sample-application/index.jsp
2. Click Evaluate Risk.
3. Enter the name of the user (who you want to evaluate) in the User Name field.
4. If necessary, enter the name of the organization to which the user belongs in the User Organization field.
5. If necessary, enter the Channel from which the transaction originated.
6. Click Evaluate Risk to open the Risk Evaluation Results page. This page displays the Risk Score, the associated Risk Advice, and lists the rules that are configured for the specified organization. For a first-time user, the result is ALERT.
7. Click Next Step to open the Post Evaluation page and perform post-evaluation on the specified user profile. By using Post evaluation, your application provides feedback to CA Risk Authentication Server about the current user and the device they are using. CA Risk Authentication updates user and device attributes and the user-device association based on this feedback, and accordingly assesses the risk that is associated with the transactions for the user in future.
8. Select the result of secondary authentication by selecting the appropriate option from the Result of Secondary Authentication list.
9. Enter the name for the user name-device association in the Association Name field.
10. Click Post Evaluate to complete the process, and to display the result in the Post Evaluation Results section.

Create Users

Follow these steps:
1. To create a GA account, do the following steps:
   a. Log in to Administration Console as the MA.
   b. Ensure that the Users and Administrators tab is active.
   c. On the left-hand-side menu, click the Create Administrator link.
   d. Specify the required information and click Next.
   e. On the Create Administrator page, select Global Administrator.
   f.
Enter the Password and Confirm Password.
   g. Select the All Organizations option in the Manages section.
   h. Click Create.
   i. Click Logout in the top-right-hand corner of the page to log out as the MA.
2. Log in to Administration Console as a Global Administrator (GA) or an Organization Administrator (OA). The URL is as follows:
   http://:/arcotadmin/adminlogin.htm
3. Follow the instructions that are displayed to change your password.
4. Activate the Manage Users and Administrators subtab under the Users and Administrators tab.
5. Navigate to Manage Users and Administrators (left-hand-side menu), and click Create User.
6. On the Create User page do the following steps:
   a. Enter a unique user name, their organization name, and optionally, other user information in the User Details section.
   b. If necessary, enter other user information in the corresponding fields.
   c. Select the required User Status.
   d. Click Create User. The "Successfully created the user" message appears if the specified user is added to the database.
7. Return to the Sample Application page.

Perform Risk Evaluation and Post Evaluation for a Known User

Follow these steps:
1. On the Main Page of Sample Application, click Evaluate Risk.
2. Enter the name of the user that you created in the section, Creating Users.
3. Enter the user’s organization.
4. If necessary, enter the Channel from which the transaction originated.
5. Click Evaluate Risk. The Risk Advice typically is INCREASEAUTH.
6. Click Store DeviceID to store the specified type of Device ID information on the end user's device.
7. Click Next Step to perform Post Evaluation as follows:
   ■ Select the Result of Secondary Authentication from the list.
   ■ Edit the Association Name, if necessary.
8. Click Post Evaluate to display the final advice.
If you repeat Step 1 through Step 5, the Risk Advice changes to ALLOW on the Risk Evaluation Results page.
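The log checks from the Administration Console, UDS and Verify the Installation steps earlier in this chapter, scripted in PowerShell as an added example that is not part of the CA guide. The marker strings come from the guide; the function names, the default log directory (built from the guide's example install path) and the assumption that FATAL and WARNING appear as upper-case words are assumptions, and the sample lines are constructed.

```powershell
# Added example, not from the CA guide. Marker strings are copied from the guide;
# function names, the default log directory and the sample lines are assumptions.
Set-StrictMode -Version Latest

# Log file name -> lines that the guide says must be present after deployment.
$ExpectedMarkers = [ordered]@{
    'arcotadmin.log' = @(
        'Arcot Administration Console Configured Successfully.'
    )
    'arcotuds.log' = @(
        'User Data Service (Version: 2.0.3) initialized successfully.'
    )
    'arcotriskfortstartup.log' = @(
        'STARTING CA Risk Authentication 8.0',
        'CA Risk Authentication Service READY'
    )
    'arcotriskfortcasemgmtserverstartup.log' = @(
        'STARTING CA Risk Authentication Case Management Service 8.0',
        'CA Risk Authentication Case Management Service READY'
    )
}

function Test-DeploymentLog {
    # Checks one log: every marker must appear, and no line may carry FATAL or WARNING.
    param(
        [string]$Name,
        [string[]]$Lines,
        [string[]]$Markers
    )
    # Markers that no line contains (plain substring match, not a pattern).
    $missing = @($Markers | Where-Object {
        $marker = $_
        -not ($Lines | Where-Object { $_.Contains($marker) })
    })
    # Assumption: severity is written as an upper-case word, hence the case-sensitive match.
    $problems = @($Lines | Where-Object { $_ -cmatch '\b(FATAL|WARNING)\b' })

    [pscustomobject]@{
        Log            = $Name
        Passed         = ($missing.Count -eq 0 -and $problems.Count -eq 0)
        MissingMarkers = $missing
        ProblemLines   = $problems
    }
}

function Test-ArcotLogs {
    # Runs the check over every log listed in $ExpectedMarkers.
    param([string]$LogDir = 'C:\Program Files\Arcot Systems\logs')

    foreach ($name in $ExpectedMarkers.Keys) {
        $path = Join-Path $LogDir $name
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
            # A missing log means the component never started or logs elsewhere.
            [pscustomobject]@{
                Log            = $name
                Passed         = $false
                MissingMarkers = $ExpectedMarkers[$name]
                ProblemLines   = @('log file not found')
            }
            continue
        }
        Test-DeploymentLog -Name $name `
                           -Lines @(Get-Content -LiteralPath $path) `
                           -Markers $ExpectedMarkers[$name]
    }
}

# Constructed sample (timestamp and level layout are made up for the demo):
# the READY line is absent and a WARNING is present, so the check must fail.
$demoLines = @(
    '2015-06-01 09:00:01 INFO  STARTING CA Risk Authentication 8.0'
    '2015-06-01 09:00:05 WARNING constructed warning line for the demo'
    ''
)
Test-DeploymentLog -Name 'arcotriskfortstartup.log' -Lines $demoLines `
                   -Markers $ExpectedMarkers['arcotriskfortstartup.log'] | Format-List

# On an installed system:
#   Test-ArcotLogs | Format-Table Log, Passed -AutoSize
```

A log that has accumulated entries from earlier restarts can fail on an old WARNING line; review ProblemLines before treating the deployment as broken.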
Edit the Default Profile and Performing Risk Evaluation

Using Sample Application, you can change the DeviceDNA, IP address, and the Device ID of the computer that you are using to simulate various scenarios.
To edit the default profile of a user, follow these steps:
1. On the Main Page of Sample Application, click Evaluate Risk.
2. Enter the user name whose profile you want to edit in the User Name field.
3. Enter the user’s organization in the User Organization field.
4. Click Edit Inputs.
5. Change the values of one or more of the fields, as required from the populated list.
6. Click Evaluate Risk.
7. Click Next Step to open the Post Evaluation page and perform post-evaluation on the specified user profile.
8. Select the result of secondary authentication by selecting the appropriate option from the Result of Secondary Authentication list.
9. Click Post Evaluate to complete post-evaluation and display the result of the same.

Note: To ensure secure communication between the components, you can configure them to support SSL (Secure Socket Layer) transport mode. For more information, see "Configure SSL" in the CA Risk Authentication Administration Guide.

Important! After you complete all these post-installation tasks, perform the SDK and Web services configuration tasks that are discussed in Configure CA Risk Authentication SDKs and Web Services.

Apply the Post-Installation Checklist

Complete the following checklist with the installation and setup information for CA Risk Authentication. This information is useful when you perform various administrative tasks.

Your Information                  Example Entry                     Your Entry
ARCOT_HOME                        C:\Program Files\Arcot Systems
SYSTEM INFORMATION
Host Name                         my-bank
User Name                         administrator
Password                          password1234!
Configured Components             CA Risk Authentication Server
                                  Administration Console
                                  User Data Service
ADMINISTRATION CONSOLE INFORMATION
Host Name                         localhost
Port                              8080
Master Administrator Password     mypassword1234!
USER DATA SERVICE INFORMATION
Host Name                         localhost
Port                              8080
Application Context Root          arcotuds

Chapter 6: How to Deploy CA Risk Authentication on Distributed System

Use the CA Risk Authentication 8.0 InstallAnywhere Wizard to install the CA Risk Authentication components. This Wizard supports Complete and Custom installation types. To install and configure CA Risk Authentication in a distributed environment, use the Custom option when you run the installer.

The following illustration shows the tasks to perform for installing CA Risk Authentication 8.0:

Perform the following tasks:
1. Install on the First System
2. Run the Database Scripts
3. How to Prepare the Application Server
4. Deploy the Administration Console
5. Log in to Administration Console
6. Perform the Bootstrapping Tasks
7. Start CA Risk Authentication Server Service
8. Start CA Risk Authentication Case Management Service
9. Verify CA Risk Authentication Server Installation
10. Deploy User Data Service
11. Deploy User Behavior Profiling Application
12. Install CA Risk Authentication on the Second System
13. Deploy the Sample Application on the Second System
14. Configure Sample Application to Communicate with CA Risk Authentication Server
15.
Use Sample Application for Risk Evaluation Operations
16. Apply Post-Installation Checklist

Important! Keep the following points in mind while installing CA Risk Authentication on a single system or in a distributed environment:
■ Ensure that the does not contain any special characters, such as ~ ! @ # $ % ^ & * ( ) _ + = , -* + ’ ".
■ The MySQL database name should not contain dot (.) characters.
■ Currently, you cannot modify or repair the CA Risk Authentication components by using the installer. You must uninstall the component and then re-install it.
■ Do not close the installer window, if the installation is in progress. If at any time during the installation (especially during the last stages), you click the Cancel button to abort the installation, then the installer may not remove all the directories that it has created so far. You must manually clean up the installation directory, \Arcot Systems\, and its subdirectories.
■ If you run the installer on a system that already contains an instance of an existing ARCOT_HOME, then:
   ■ You are not prompted for an installation directory.
   ■ You are not prompted for the database setup. The installer uses the existing database.
   ■ You are not prompted to set up encryption.

This section contains the following topics:
Install on the First System
Run the Database Scripts
How to Prepare the Application Server

Install on the First System

In a distributed system installation you install the CA Risk Authentication Server on the first system. We recommend Custom Installation for advanced users as it allows selected components installation. For successful installation, the user account that you plan to use for the installation must belong to the Administrators group.
Note: Verify that all prerequisite software components are installed and the database is set up, as described in Prepare for Installation.
Follow these steps:
1. Navigate to the directory where the CA Risk Authentication-8.0-Windows-Installer.exe file is located and double-click the file.
2. Click Next to continue.
3. Select I accept the terms of the License Agreement option. Click Next.
   Note: The installer checks if any other CA product is installed on the computer. If it does not find an existing CA product installation, then you are prompted for an installation directory. If the installer detects an existing CA product installation (an existing ARCOT_HOME), then:
   ■ You are not prompted for an installation directory.
   ■ If you are not prompted for the database and encryption setup, the installer uses the existing database and encryption settings. As a result, you will see the screen in Step 8.
4. Enter the installation directory location and click Next.
5. Select Custom, and click Next.
6. Deselect the following components that are not required. By default, all components are selected.
   Example: To install CA Risk Authentication Server, Case Management Queuing Server, and Administration Console (without the SDKs and Sample Application), User Behavior Profiling Application select the following options:
   a. Risk Evaluation Server
   b. Case Management Queuing Server
   c. Administration Console
   d. User Data Service
   e. User Behavior Profiling Application
   Note: To install Sample Application, select the CA Risk Authentication SDKs and Sample Application options, and then proceed with the installation.
The following table gives the information on the components:

Component / Description

Risk Evaluation Server
   It installs the core Processing engine (CA Risk Authentication Server) that serves the following requests from Administration Console:
   ■ Risk Evaluation
   ■ Configuration
   In addition, this component also installs the following Web services that have been built into the server:
   ■ Risk Evaluation Web Service: Provides the web-based programming interface for risk evaluation with CA Risk Authentication Server.
   ■ User Management Web Service: Provides the web-based programming interface for the creation and management of users.
   ■ Administration Web Service: Provides the web-based programming interface used by Administration Console.

Case Management Queuing Server
   It installs the core Queuing engine (Case Management Queuing Server) that allocates cases to the Customer Support Representatives (CSRs) who work on these cases.
   Note: At any given point in time, all instances of Administration Console can only connect to this single instance of Case Management Queuing Server.

CA Risk Authentication SDKs and Sample Application
   It provides programming interfaces (in form of APIs and Web services) that can be invoked by your application to forward risk evaluation requests to CA Risk Authentication Server. This package comprises the following sub-components:
   ■ Risk Evaluation SDK: Provides the Java programming interface for risk evaluation with CA Risk Authentication Server.
   ■ Sample Application: Demonstrates the usage of CA Risk Authentication Java APIs. It can be used to verify if CA Risk Authentication was installed successfully, and if it is able to perform risk evaluation requests.
   Refer to Configuring CA Risk Authentication SDKs and Web Services for more information.
Administration Console: This provides the Web-based interface for managing CA Risk Authentication Server and risk evaluation-related configurations.

User Data Service: It installs UDS that acts as an abstraction layer for accessing different types of user repositories, such as relational databases (RDBMSs) and directory servers (LDAPs).

User Behavior Profiling: It measures the similarity or dissimilarity of the current transaction to prior access by the same user, or that of their peer group in cases of insufficient data.

Note: If you did not select the Evaluation Server option on this screen, then the screens in Step 7 and Step 9 do not appear.

Select Next to continue.

1. Select the database type from: Microsoft SQL Server, Oracle Database, or MySQL. Click Next.
   Note: If you are using Microsoft SQL Server database, ensure that the ODBC Driver version is the same as the one mentioned in the Configuring Database Server Chapter.
2. Enter the database details based on your database selection:
   ■ If you selected Microsoft SQL Server, fill in the following details given in the table:

Parameter: Description

ODBC DSN: The installer creates the DSN by using this value. CA Risk Authentication Server then uses this DSN to connect to the database. The recommended value to enter is arcotdsn.
   Note: Database Source Name (DSN) specifies the information that is required to connect to a database by using an ODBC driver. This information includes database name, directory, database driver, User ID, and password.

Server: The host name or IP address of the CA Risk Authentication datastore.
   Default Instance
   ■ Syntax:
   ■ Example: demodatabase
   Named Instance
   ■ Syntax: \
   ■ Example: demodatabase\instance1

User Name: The database user name for CA Risk Authentication to access the database.
This name is specified by the database administrator. (MS SQL Server, typically, refers to this as login.) This user must have the create session and DBA rights.
   Note: The User Name for the Primary and Backup DSNs must be different.

Password: The password associated with the User Name you specified in the previous field and which is used by CA Risk Authentication to access the database. This password is specified by the database administrator.

Database: The name of the MS SQL database instance.

Port Number: The port at which the database listens to the incoming requests. The default port is 1433. However, if you would like to specify another port, enter the port value in this field.

   ■ If you selected Oracle Database, fill the following information in the fields.

Parameter: Description

ODBC DSN: The installer creates the DSN by using this value. CA Risk Authentication Server then uses this DSN to connect to the CA Risk Authentication database. The recommended value to enter is arcotdsn.
   Note: Database Source Name (DSN) specifies the information that is required to connect to a database by using an ODBC driver. This information includes database name, directory, database driver, User ID, and password.

User Name: The database user name for CA Risk Authentication to access the database. This name is specified by the database administrator. (MS SQL Server, typically, refers to this as login.) This user must have the create session and DBA rights.
   Note: The User Name for the Primary and Backup DSNs must be different.

Password: The password associated with the User Name you specified in the previous field and which is used by CA Risk Authentication to access the database. This password is specified by the database administrator.

Service ID: The Oracle System Identifier (SID) that refers to the instance of the Oracle database running on the server.
Port Number: The port at which the database listens to the incoming requests. The default port at which an Oracle database listens is 1521. However, if you would like to specify another port, enter the port value in this field.

Host Name: The host name or IP address of the CA Risk Authentication datastore.
   ■ Syntax:
   ■ Example: demodatabase

   ■ If you selected MySQL, then fill in the following information:

Parameter: Description

ODBC DSN: The installer creates the DSN by using this value. CA Risk Authentication Server then uses this DSN to connect to the CA Risk Authentication database. The recommended value to enter is arcotdsn.
   Note: Database Source Name (DSN) specifies the information that is required to connect to a database by using an ODBC driver. This information includes database name, directory, database driver, User ID, and password.

Server: The host name or IP address of the CA Risk Authentication datastore.
   Default Instance
   ■ Syntax:
   ■ Example: demodatabase
   Named Instance
   ■ Syntax: \
   ■ Example: demodatabase\instance1

User Name: The database user name for CA Risk Authentication to access the database. This name is specified by the database administrator. This user must have the create session and DBA rights.
   Note: The User Name for the Primary and Backup DSNs must be different.

Password: The password associated with the User Name you specified in the previous field and which is used by CA Risk Authentication to access the database. This password is specified by the database administrator.

Database: The name of the MySQL database instance.

Port Number: The port at which the database listens to the incoming requests. The default port at which a MySQL database listens is 3306. However, if you would like to specify another port, enter the port value in this field.

1. To test if you can successfully connect to the database, click the Test Data Source button and verify the result. Click Next to continue.
2. Specify the following information for encryption setup:
   Master Key: Specifies the password for the Master Key, which is stored at \Arcot Systems\conf\securestore.enc and is used to encrypt the data stored in the database. By default, this value is set to MasterKey.
   Note: If you want to change the value of Master Key after the installation, then you must regenerate securestore.enc with a new Master Key value. See Changing Hardware Security Module Information After the Installation for more information.
   Configure HSM: Identifies if you use a Hardware Security Module (HSM) to encrypt the sensitive data. If you do not select this option, then by default, the data is encrypted by using the Software Mode.
   PIN: Specifies the password to connect to the HSM.
   Choose Hardware Module: Specifies the HSM that you plan to use, from two options: Luna HSM and nCipher netHSM.
   HSM Parameters: Specifies the following HSM information:
   ■ Shared Library: The absolute path to the PKCS#11 shared library corresponding to the HSM. For Luna (cryptoki.dll) and for nCipher netHSM (cknfast.dll), specify the absolute path and name of the file.
   ■ Storage Slot Number: The HSM slot where the 3DES keys used for encrypting the data are available. For Luna, the default value is 0. For nCipher netHSM, the default value is 1.
3. Click Next.
4. Click Install to begin the installation process.
   Note: The Microsoft Visual C++ 2010 x86 Redistributable Setup screen appears, if the current system where you are installing CA Risk Authentication does not have Microsoft Visual C++ 2010 x86.
   On the Microsoft Visual C++ 2010 x86 Redistributable Setup screen do the following steps:
   a. Select the I have read and accept the license terms option, and click Install.
   b. Click Finish.
   Continue with the CA Risk Authentication installation.
5. Click Done.

Note: After the installation is completed, perform the post-installation tasks that are discussed in the following sections.

Installation Logs

After you complete the installation, you can access the installation log file (Arcot_RiskFort_Install_.log) in the directory.
Example: If you had specified the C:\Program Files directory as the installation directory, then the installation log file is created in the C:\Program Files directory.
If the installation fails for some reason, then error messages are recorded in this log file.

Run the Database Scripts

To run the database scripts, perform the following steps:

Important! Before you run the database scripts, verify that you are logged in as the same database user that you created in section, Configuring Database Server.

Follow these steps:

1. Navigate to the following directory: \Arcot Systems\dbscripts\
2. Based on the database that you are using, navigate to the following subdirectories:
   ■ For Oracle: oracle\
   ■ For Microsoft SQL Server: mssql\
   ■ For MySQL: mysql\
3. Run the scripts in the following order:
   a. arcot-db-config-for-common-2.0.sql
      Important! If you have installed CA Strong Authentication 8.0, do not run arcot-db-config-for-common-2.0.sql.
   b. arcot-db-config-for-riskfort-8.0.sql
   c. (Optional, only if you want to create the 3D Secure Channel) arcot-db-config-for-3dsecure-8.0.sql
   d. (Optional, only if you are using User Behavior Profiling) arcot-db-config-for-userprofiling-2.0.sql

Verify the Database Setup

After you run the required database scripts, verify that the CA Risk Authentication schemas are working correctly.

Follow these steps:

1. Log in to the CA Risk Authentication database as the user who installed the database.
   Note: If you are following the upgrade path, then log in to the database as the user who upgraded the database.
2. Run the following query:
   SELECT SERVERNAME, VERSION FROM ARRFSERVERS;
   You must verify the following output as a result:
   SERVERNAME                 VERSION
   -------------------------  ----------------
   RiskFort                   8.0
   RiskFortCaseManagement     8.0
3. Log out from the database console.

How to Prepare the Application Server

Two components of CA Risk Authentication, User Data Service (UDS) and Administration Console, are web-based and are deployed on any of the following supported application servers:
■ Apache Tomcat
■ IBM WebSphere
■ Oracle WebLogic
■ JBoss Application Server

Before you deploy the WAR files for these web applications on the application server of your choice, copy the files that UDS and Administration Console require to the appropriate location on your application server. This section walks you through the steps to copy the required crypto files to your application server and to deploy the WAR files of these web applications:
1. Set Java Home
2. Copy Database Access Files to the Application
3. Copy JDBC JAR Files to the Application Server
4. Create Enterprise Archive Files

Set Java Home

Follow these steps:

1. Verify that you set the JAVA_HOME environment variable. This JAVA_HOME must be your application server JAVA_HOME.
2. Add %JAVA_HOME%\bin\ to the PATH variable. If you fail to do so, then Administration Console, UDS, and other JDK-dependent components may fail to start.
Copy Database Access Files to the Application Server

UDS and Administration Console use the following files to access the database securely:
■ arcot-crypto-util.jar available at: \Arcot Systems\java\lib\
■ ArcotAccessKeyProvider.dll available at: \Arcot Systems\native\win\<32bit-or-64bit>\
You copy these files to the appropriate location on the application server where you have deployed the CA Risk Authentication components.

Apache Tomcat

To copy the files, perform the following steps:
1. Copy arcot-crypto-util.jar to \jre\lib\ext\.
   Note: Here, represents the JAVA_HOME used by your Apache Tomcat instance.
2. Copy ArcotAccessKeyProvider.dll to \jre\bin\.
3. Restart the application server.

IBM WebSphere

To copy the files, perform the following steps:
1. Log in to WebSphere Administration Console.
2. Click Environment, and click Shared Libraries.
   a. Select a valid visibility scope. The scope must include the target server or node on which the application is deployed.
   b. Click New.
   c. Enter the Name. Example: ArcotJNI.
   d. Specify the Classpath. This path must point to the location where the arcot-crypto-util.jar file is present and must include the file name. Example: C:\Program Files\Arcot Systems\java\lib\arcot-crypto-util.jar.
   e. Enter the JNI Library path. This path must point to the location where the ArcotAccessKeyProvider.dll file is present.
3. Click Apply to save the changes.
4. Configure the server-level class loaders.
5. Navigate to Servers, Server Types, WebSphere Application Servers.
   a. Under Application Servers, access the settings page of the server.
   b. Click Java and Process Management and then click Class Loader.
   c. Click New.
   d. Select default Classes loaded with parent class loader, and click OK.
   e. Click the auto-generated Class Loader ID.
   f. On the class loader Configuration page, click Shared Library References.
   g. Click Add, select ArcotJNI, and then click Apply.
   h. Save the changes.
6. Copy ArcotAccessKeyProvider.dll to \jre\bin\. Here, represents the JAVA_HOME used by your IBM WebSphere instance.
7. Restart WebSphere.

Oracle WebLogic

To copy the files, perform the following steps:
1. Copy ArcotAccessKeyProvider.dll to \jre\bin\. Here, represents the JAVA_HOME used by your Oracle WebLogic instance.
2. Copy arcot-crypto-util.jar to \jre\lib\ext\.
   Note: Ensure that you use the appropriate used by WebLogic.
3. Log in to WebLogic Administration Console.
4. Navigate to Deployments.
5. Enable the Lock and Edit option.
6. Click Install and navigate to the directory that contains the arcot-crypto-util.jar file.
7. Click Next to open the Application Installation Assistant.
8. Click Next to open the Summary page.
9. Click Finish.
10. Activate the changes.
11. Restart the server.

JBoss Application Server

To copy the files, perform the following steps:
1. Copy ArcotAccessKeyProvider.dll to \jre\bin\.
   Note: Here, represents the JAVA_HOME used by your JBoss Application Server instance.
2. Create a folder structure as \modules\advauth-admin-libs\main\ and copy the following JARs from \java\lib to this folder:
   ■ arcot-crypto-util.jar
   ■ bcprov-jdk15-146.jar
3. Create a file with the name module.xml in the same folder location (\modules\advauth-admin-libs\main\) with the following codes:
4. Restart the application server.
Copy JDBC JAR Files to the Application Server

CA Risk Authentication requires the following JDBC JAR files for the supported databases:
■ Oracle 10g: Oracle JDBC Driver (10.2.0.1.0)
■ Oracle 11g: Oracle JDBC Driver (11.2.0.2.0)
■ Microsoft SQL Server: MSSQL JDBC Driver (1.2.2828)
■ MySQL: MySQL JDBC Driver (5.1.22)
The following sections walk you through the steps for copying the JDBC JAR required for your database to the following application server:

Apache Tomcat

To copy the required JDBC JAR file, do the following:
1. Navigate to the location where you have downloaded the file.
2. Copy the file to the following directory:
   ■ On Apache Tomcat 5.5.x: \common\lib\
   ■ On Apache Tomcat 6.x and 7.x: \lib\
3. Restart the application server.

IBM WebSphere

To copy the required JDBC JAR file, do the following:
1. Log in to the WebSphere Administration Console.
2. Click Environment, and click Shared Libraries. Perform the following steps:
   a. From the Scope list, select a valid visibility scope. The scope must include the target server or node on which the application is deployed.
   b. Click New.
   c. Enter the Name, say, JDBCJAR.
   d. Specify the Classpath.
      Important! This path must point to the location where the file is present and must include the file name.
   e. Click Apply.
3. To configure server-level class loaders, do the following steps:
   a. Navigate to Servers, Server Types, WebSphere Application Servers.
   b. Under Application Servers, access the settings page of the server for which the configuration is performed.
   c. Click Java and Process Management, and Class Loader.
   d. Click New.
   e. Select default Classes loaded with parent class loader first. Click OK.
   f. Click the auto-generated Class Loader ID.
   g. Click Shared Library References.
   h. Click Add, select JDBCJAR, and click Apply.
   i. Save the changes.
4. Restart the application server.

Oracle WebLogic

To copy the required JDBC JAR file, do the following steps:
Note: If you are using Oracle database, then do not perform the configurations that are mentioned in this section, because WebLogic supports Oracle database by default.
1. Copy the file to \lib\ext\. Here, represents the JAVA_HOME used by your Oracle WebLogic instance.
2. Log in to the WebLogic Administration Console.
3. Navigate to Deployments.
4. Enable the Lock and Edit option.
5. Click Install and navigate to the directory that contains the required file.
6. Click Next to display the Application Installation Assistant page.
7. Click Next to display the Summary page.
8. Click Finish.
9. Activate the changes.
10. Restart the application server.

JBoss Application Server

To copy the required JDBC JAR file, do the following steps:
1. Create a folder structure as \modules\advauth-jdbc-driver\main\ and copy JDBC Jar file in this folder location.
2. Create a file with the name module.xml at the following location: \modules\advauth-jdbc-driver\main\
3. Add the following codes to the file:
   Edit the tag ‘’ with JDBC Jar file name. Example: sqljdbc.jar
4. Restart the application server.

Create Enterprise Archive Files

Valid on Oracle WebLogic 10.1

By default, WAR files are provided to deploy UDS and Administration Console. If necessary, you can also change the format of these files to Enterprise ARchive (EAR) and then deploy the EAR files. You can generate separate EAR files for both UDS and Administration Console, or you can generate a single EAR file that contains both Web archives.

Generate Separate EAR Files

Follow these steps:
1. Open the Command Prompt window.
2. Navigate to the \Arcot Systems\tools\common\bundlemanager\ directory.
3. To create the EAR file, run the following command:
   java -jar bundle-manager.jar -ear -warList
   The command generates individual EAR files that are available at: \Arcot Systems\java\webapps\

Generate a Single EAR File

Do the following steps:
1. Open the Command Prompt window.
2. Navigate to the \Arcot Systems\tools\common\bundlemanager\ directory.
3. To create the EAR file, run the following command:
   java -jar bundle-manager.jar -ear -warList arcotadmin.war arcotuds.war
   The command generates a single EAR file that is available at: \Arcot Systems\java\webapps\

Chapter 7: Deploy the Administration Console

The Administration Console is a browser-based interface to CA Risk Authentication that enables you to customize the server configurations and manage the deployed system. To manage CA Risk Authentication, verify that the Administration Console can access the system where CA Risk Authentication Server is installed by its hostname.

Note: If you deploy the Administration Console on IBM WebSphere 7.0, 8.0 or 8.5, see the instructions in Appendix section Deploy Administration Console on IBM WebSphere.

Follow these steps:
1. Deploy arcotadmin.war in the appropriate directory on the application server.
   Note: The deployment procedure depends on the application server that you are using. See your application server vendor documentation for detailed instructions.
   Example: In the case of Apache Tomcat, you must deploy the WAR file at \webapps\.
2. (32-bit WebSphere): Configure reload of the Admin class when the application files are updated.
   a. Navigate to Application, Enterprise Applications, and access the Admin settings page.
   b. Under Class loader order, select the Classes loaded with local class loader first (parent last) option.
   c. Under WAR class loader policy, select the Single class loader for application.
   d. Click Apply.
   e. Restart the Admin application.
3. Restart the application server.
4. To verify that the console is successfully deployed, do the following steps:
   a. Navigate to the following location: \Arcot Systems\logs\
   b. Open the arcotadmin.log file in any editor and locate the following lines:
      ■ 2.0.3
      ■ Administration Console Configured Successfully.
      Note: These lines indicate that your Administration Console is deployed successfully.
   c. Ensure that the log files do not contain any FATAL and WARNING messages.
   d. Close the file.

Log in to Administration Console

When you log in to Administration Console for the first time, use the Master Administrator (MA) credentials that are configured automatically in the database during the deployment.

Follow these steps:
1. Launch the Administration Console in a Web browser window. The default URL for Administration Console is:
   http://:/arcotadmin/masteradminlogin.htm
   Note: The host and port information that you specify in the preceding URL must be of the application server where you deployed Administration Console.
   Example: For Apache Tomcat, the default host is localhost and port is 8080.
2. Log in by using the default Master Administrator account credentials. The credentials are:
   ■ User Name: masteradmin
   ■ Password: master1234!

Chapter 8: Perform the Bootstrapping Tasks

Bootstrapping is a wizard-driven process that walks you through these setup tasks. Other administrative links are enabled only after you perform the bootstrapping tasks. Before you proceed with Performing Bootstrapping Tasks, you must understand the related concept of Default Organization.

Default Organization

When you deploy the Administration Console, an organization is created automatically. This organization is referred to as Default Organization (DEFAULTORG).
As a single-organization system, the Default Organization itself can be used without creating any other organizations.

Before you start using the Administration Console to manage CA Risk Authentication, perform the following mandatory tasks to initialize bootstrapping the system:
■ Change the default Master Administrator password
■ Configure the Global Key label
■ Specify the configuration settings for the out-of-the-box organization

Follow these steps:
1. Click Begin.
2. Enter the Current Password, New Password, Confirm Password, and click Next.
3. Enter the following fields:
   Global Key Label: Specifies encryption key used for encrypting user and organization data, irrespective of hardware or software encryption. CA Risk Authentication enables you to use hardware- or software-based encryption of your sensitive data. You can enable hardware-based encryption by using the arcotcommon.ini file, while software-based encryption is enabled by default. If you are using hardware encryption, then this label serves only as a reference (or pointer) to the actual 3DES key stored in the HSM device, and therefore must match the HSM key label. In case of software-based encryption, this label acts as the key.
   Caution: After you complete the bootstrapping process, you cannot update this key label.
   Storage Type: Specifies the option to indicate whether the encryption key is stored in the database (Software) or the HSM (Hardware).
4. Click Next to continue.
5. Enter the following parameters for the Default Organization, and click Next:
   Display Name: Specifies the descriptive name of the organization. This name appears on all other Administration Console pages and reports.
   Administrator Authentication Mechanism: Specifies the mechanism that is used to authenticate administrators who belong to the Default Organization.
   Administration Console supports three types of authentication methods for the administrators to log in and they are as follows:
   ■ LDAP User Password: Specifies that the administrators are authenticated by using their credentials that are stored in the directory service. If this mechanism is used for authenticating administrators, then deploy UDS as discussed in Deploying User Data Service (UDS).
   ■ Basic: Specifies that the built-in authentication method that is provided by Administration Console is used for authenticating the administrators.
   ■ WebFort Password: Specifies that the credentials are issued and authenticated by the CA Strong Authentication Server. To use this option, install CA Strong Authentication. For information about installing and configuring CA Strong Authentication, see the CA Strong Authentication Installation and Deployment Guide.
6. Enter the following information, and click Next:
   Use Global Key: This option is selected by default. Deselect this option if you want to override the Global Key Label you specified in the preceding step, and then specify a new label for encryption.
   Key Label: Specifies the new key label that you want to use for the Default Organization, if you deselected the Use Global Key option.
   Storage Type: Indicates whether the encryption key is stored in the database (Software) or the HSM (Hardware).
7. Click Finish.
8. (Optional) Click Continue to proceed with other configurations by using Administration Console.

Start CA Risk Authentication Server Service

To start CA Risk Authentication Server, do the following steps:
1. Click the Start button on your desktop window.
2. Navigate to Settings, Control Panel, Administrative Tools, Services.
3. Locate and double-click CA Risk Authentication Service.
4. Click Start in the service window.
Start CA Risk Authentication Case Management Service

To start CA Risk Authentication Case Management Service, do the following steps:
1. Click the Start button on your desktop window.
2. Navigate to Settings, Control Panel, Administrative Tools, Services.
3. Locate and double-click the CA Risk Authentication Case Management Service.
4. Click Start from the service window.

Verify CA Risk Authentication Server Installation

To verify if the server started correctly, do the following steps:
1. Navigate to the following location: \Arcot Systems\logs\
2. Open the arcotriskfortstartup.log file in any editor and locate the following lines:
   ■ STARTING CA Risk Authentication 8.0
   ■ CA Risk Authentication Service READY
3. Open the arcotriskfortcasemgmtserverstartup.log file in any editor and locate the following lines:
   ■ STARTING CA Risk Authentication Case Management Service 8.0
   ■ CA Risk Authentication Case Management Service READY
Note: Verify that the log files do not contain any FATAL and WARNING messages.

Chapter 9: Deploy User Data Service

CA RiskMinder can access user data from a relational database (RDBMS) or directly from an LDAP server by using UDS, which is an abstraction layer that provides RiskMinder seamless access to the third-party data repositories deployed by your organization.

Follow these steps:
1. Deploy arcotuds.war on the application server. This file is available at: \Arcot Systems\java\webapps\
   For example, in the case of Apache Tomcat, you must deploy the WAR file at \webapps\.
   Note: The deployment procedure depends on the application server that you are using. See the application server vendor documentation for detailed instructions.
2. (For WebSphere Only) Configure to reload the UDS class when the application files are updated.
   a. Navigate to Applications, Application Types, WebSphere Enterprise Applications and access the UDS settings screen.
   b. Under Class loader order, select the Classes loaded with local class loader first (parent last) option.
   c. Under WAR class loader policy, select the Single class loader for application.
   d. Click Apply to save the changes.
3. Restart the application server.
4. Verify if UDS was deployed successfully:
   Note: The arcotuds.log file is used for logging UDS-related information.
   a. Navigate to the following location: \Arcot Systems\logs\
   b. Open the arcotuds.log file in any editor and locate the following line:
      ■ User Data Service (Version: 2.0.3) initialized successfully.
      This line indicates that UDS was deployed successfully.
   c. Also ensure that the log files do not contain any FATAL and WARNING messages.
   d. Close the file.

Chapter 10: Deploy User Behavior Profiling Application

The User Behavioral Profiling (UBP) model measures the similarity or dissimilarity of the current transaction to prior access by the same user, or that of their peer group in cases of insufficient data. CA Risk Authentication communicates with the UBP application to get the similarity score and include it in the risk evaluation score. You need the ca-userprofiling-2.0-application.war file to deploy UBP.

Follow these steps:
1. Deploy ca-userprofiling-2.0-application.war on the application server. This file is available at the following location: \Arcot Systems\java\webapps\
   Example: For Apache Tomcat, deploy the WAR file at \webapps\.
   Note: The deployment procedure depends on the application server that you are using. For more information, see Application Server Vendor documentation.
2. (For WebSphere) Configure to reload the UDS class when the application files are updated.
   a. Navigate to Application, Enterprise Applications, UDS Settings.
   b. Select the Class loader order, Classes loaded with local class loader first (parent last) option.
   c. Select the WAR Class loader policy, Single class loader.
   d. Copy bcprov-jdk15-146 jar file from /sdk/java/lib/external to the following location: /lib/ext folder
      Note: Here, JRE_HOME is the jre installation used by WebSphere application server.
   e. Click Apply.
   (For WebLogic: Refer to WebLogic documentation on how to use third party JDBC drivers)
3. Restart the application server.
4. Verify if UDS is deployed successfully:
   Note: The arcotuds.log file is used for logging UDS-related information.
   a. Navigate to the following location: \Arcot Systems\logs\
   b. Open the ubp_logfile.log file in any editor and locate the following statement:
   c. Verify that the log files do not contain any FATAL and WARNING messages.
   d. Close the file.

Chapter 11: Install CA Risk Authentication on the Second System

After installing CA Risk Authentication Server and Administration Console, install the other remaining components on the second system. The specific components to install are determined when you performed your planning explained in Chapter Plan for Deployment.

Follow these steps:
1. Copy the installer file CA Risk Authentication-8.0-Windows-Installer.exe on the second system.
2. Double-click the installer to run it.
3. Follow the installer instructions from Step 2 in Installing on the First System until you reach the Choose Install Set screen.
4. Select the components.
   Note: Typically, install the Java SDKs for Risk Evaluation and Sample Application.
5. Follow the steps from Step 7 to Step 13 in Installing on the First System to complete the installation.
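The log checks in the "Verify CA Risk Authentication Server Installation", Administration Console and UDS procedures can be scripted. The following is an added example, not part of the CA documentation or product: it looks for the lines the guide names and reports any FATAL or WARNING message. The sample log lines, their timestamp layout, and the rule that only the most recent start attempt counts are assumptions.

```python
import re
from pathlib import Path

# Lines the guide says to locate in each log, in the order they should appear.
EXPECTED = {
    "arcotriskfortstartup.log": [
        "STARTING CA Risk Authentication 8.0",
        "CA Risk Authentication Service READY",
    ],
    "arcotriskfortcasemgmtserverstartup.log": [
        "STARTING CA Risk Authentication Case Management Service 8.0",
        "CA Risk Authentication Case Management Service READY",
    ],
    "arcotadmin.log": ["Administration Console Configured Successfully."],
    "arcotuds.log": ["User Data Service (Version: 2.0.3) initialized successfully."],
}
SEVERITY = re.compile(r"\b(FATAL|WARNING)\b")


def check_log(name, text):
    """Return a list of problems for one log; an empty list means it passed."""
    lines = text.splitlines()
    markers = EXPECTED[name]
    problems = []
    # Assumption: the log is appended to across restarts, so only the most
    # recent start attempt (last occurrence of the first marker) counts.
    starts = [i for i, line in enumerate(lines) if markers[0] in line]
    pos = starts[-1] if starts else 0
    for marker in markers:
        hit = next((i for i in range(pos, len(lines)) if marker in lines[i]), None)
        if hit is None:
            problems.append(f"not found after last start: {marker}")
        else:
            pos = hit + 1
    # The guide asks for no FATAL or WARNING messages anywhere in the file.
    for number, line in enumerate(lines, 1):
        match = SEVERITY.search(line)
        if match:
            problems.append(f"line {number}: {match.group(1)}: {line.strip()}")
    return problems


def check_directory(log_dir):
    """Check every expected log in log_dir (the Arcot Systems logs folder)."""
    results = {}
    for name in EXPECTED:
        path = Path(log_dir) / name
        if not path.is_file():
            results[name] = ["log file not found"]
        else:
            results[name] = check_log(name, path.read_text(errors="replace"))
    return results


# Constructed sample lines; the timestamp and level layout is an assumption.
SAMPLE_OK = """\
2024-01-10 09:00:01 INFO STARTING CA Risk Authentication 8.0
2024-01-10 09:00:07 INFO CA Risk Authentication Service READY
"""
SAMPLE_FAILED_RESTART = SAMPLE_OK + """\
2024-01-11 02:14:30 INFO STARTING CA Risk Authentication 8.0
2024-01-11 02:14:31 FATAL Database connection could not be opened
"""

if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("failed restart", SAMPLE_FAILED_RESTART)):
        print(label, check_log("arcotriskfortstartup.log", sample) or "PASS")
```

The second sample shows why the marker search restarts at the last STARTING line: a READY line left over from an earlier run would otherwise hide a failed restart.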

Deploy the Sample Application on the Second System

Perform the steps to deploy the Sample Application on the second system. This is a post-installation task where you have installed Java SDKs and web services.

Important! Do not use the Sample Application in production deployments. We recommend that you build your own web application by using Sample Application as a code reference.

Sample Application can be used to verify if CA Risk Authentication is installed and configured properly. In addition, it demonstrates:
■ The typical CA Risk Authentication workflows
■ The basic operations (invocation and post-processing) of CA Risk Authentication APIs
■ Integration of your application with CA Risk Authentication

Note: If you did not install Sample Application during the installation, you can install only Sample Application by running the installer again, selecting the SDKs and Sample Application options, and proceeding with the installation.

Follow these steps:
1. Deploy the CA Risk Authentication-8.0-sample-application.war file from the following location: \Arcot Systems\samples\java\
2. If necessary, restart the application server.
3. Access Sample Application in a Web browser window. The default URL for Sample Application is: http://:/ca-riskauth-8.0-sample-application/index.jsp

Chapter 12: Configure Sample Application to Communicate with CA Risk Authentication Server

The CA Risk Authentication.risk-evaluation.properties file provides the parameters for the Java SDK and Sample Application to read CA Risk Authentication Server information. Therefore, after deploying Sample Application, you must now configure it to communicate with CA Risk Authentication Server.
This file is only available after you deploy the CA Risk Authentication Sample Application WAR file, CA Risk Authentication-8.0-sample-application.war.

Follow these steps:
1. Navigate to the CA Risk Authentication.risk-evaluation.properties file on your application server. In Apache Tomcat, this file is available at the following location: \WEB-INF\classes\properties\
   Indicates the directory path where you deployed the CA Risk Authentication application WAR files.
2. Open the riskfort.risk-evaluation.properties file in an editor window and set the value for the following parameters:
   ■ HOST.1
   ■ PORT.1
   A default value is specified for the remaining parameters in the file. You can change these values, if necessary.
3. (Optional) Perform this step only if you configured SSL-based communication in Configuring SSL. Set the following parameters:
   ■ TRANSPORT_TYPE=SSL (By default, this parameter is set to TCP.)
   ■ CA_CERT_FILE=
   For example, specify one of the following values:
   ■ CA_CERT_FILE=/certs/.pem
   ■ CA_CERT_FILE=\\certs\\.pem
   Important! In the absolute path that you specify, verify that you use \\ or / instead of \. This is because the change may not work if you use the conventional \ that is used in Microsoft Windows for specifying paths.
4. Save the changes and close the file.
5. To ensure that these changes are reflected, restart the application server.

Chapter 13: Use the Sample Application for Risk Evaluation Operations

This section describes the risk-evaluation operations that can be performed by using Sample Application. Each operation in Sample Application is designed to run without error when CA Risk Authentication is installed and functional.
Sample Application demonstrates the following operations that CA Risk Authentication Server can perform:
■ Perform Risk Evaluation and Post Evaluation for a First-Time User (see page 105)
■ Create Users (see page 106)
■ Perform Risk Evaluation and Post Evaluation for a Known User (see page 107)
■ Edit the Default Profile and Perform Risk Evaluation (see page 108)

Perform Risk Evaluation and Post Evaluation for a First-Time User

To perform risk evaluation on the default profile of a user, do the following steps:
1. Verify that Sample Application is open in a Web browser window. The following URL is the default URL for Sample Application: http://:/ca-riskauth-8.0-sample-application/index.jsp
2. Click Evaluate Risk.
3. Enter the following information:
   User Name
      Specifies the name of the user that you want to evaluate.
   User Organization
      Specifies the organization to which the user belongs.
   Channel
      Specifies the Channel from which the transaction originated. This is an optional field.
4. Click Evaluate Risk.
   Note: The Evaluate Risk Result page displays the Risk Score, the associated Risk Advice, and lists the rules that are configured for the specified organization. For a first-time user, the result is ALERT.
5. Click Next Step to perform post-evaluation on the specified user profile. By using post-evaluation, your application provides feedback to CA Risk Authentication Server about the current user and the device they are using. CA Risk Authentication updates the user and device attributes and the user-device association based on this feedback, and assesses the risk associated with the transactions for the user in the future.
6. Select the result of secondary authentication from the Result of Secondary Authentication list.
7. Enter the name for the user name-device association in the Association Name field.
8.
Click Post Evaluate to complete the post evaluation process and to display the result of the same in the Post Evaluation Results section.

Create User Account

To create a user, perform the following steps:
1. Create a GA account by doing the following steps:
   a. Log in to Administration Console as the MA.
   b. Ensure that the Users and Administrators tab is active.
   c. From the left-hand side menu, click the Create Administrator link.
   d. Enter the details, and click Next.
   e. Select Global Administrator from the Role list.
   f. Enter the Password and Confirm Password.
   g. Select the All Organizations option in the Manages section.
   h. Click Create.
   i. Click Logout from the top right-hand corner of the page.
2. Log in to Administration Console as a Global Administrator (GA) or an Organization Administrator (OA). The following URL is for Administration Console page: http://:/arcotadmin/adminlogin.htm
3. Follow the instructions that are displayed to change your password.
4. Activate the Manage Users and Administrators, under the Users and Administrators tab.
5. From the left pane, Manage Users and Administrators, click Create User.
6. Enter the following details on the Create User page:
   a. Enter a unique user name, their organization name, and optionally, other user information in the User Details section.
   b. (Optional) Enter other user information in the corresponding fields on the page.
   c. Select the User Status.
   d. Click Create User.
7. Return to the CA Risk Authentication Sample Application page.

Perform Risk Evaluation and Post Evaluation for a Known User

To perform Risk Evaluation and post Evaluation for a known user, perform the following steps:
1. On the Main Page of Sample Application, click Evaluate Risk.
2.
Enter the following details:
   User Name
      Specifies the name of the user that you created in Creating Users.
   User Organization
      Specifies the organization to which the user belongs.
   Channel
      Specifies the Channel from which the transaction originated. This is an optional field.
3. Click Evaluate Risk. The Risk Advice typically is INCREASEAUTH.
4. Click Store DeviceID to store the specified type of Device ID information on the end user's device.
5. Click Next Step to perform Post Evaluation:
   ■ Select the Result of Secondary Authentication from the list.
   ■ Edit the Association Name, if necessary.
6. Click Post Evaluate to display the final advice.
   Note: If you repeat Step 1 through Step 5, the Risk Advice changes to ALLOW on the Risk Evaluation Results page.

Edit the Default Profile and Perform Risk Evaluation

Use Sample Application to change the DeviceDNA, IP address, and the Device ID of the computer that you are using to simulate various scenarios.

Follow these steps:
1. On the Main Page of Sample Application, click Evaluate Risk.
2. Enter the following information:
   User Name
      Specifies the name of the user that you created in Creating Users.
   User Organization
      Specifies the organization to which the user belongs.
   Channel
      Specifies the Channel from which the transaction originated. This is an optional field.
3. Click Edit Input.
4. Change the values for one or more of the required fields:
   ■ My User Name
   ■ My Org
   ■ My Channel
   ■ Machine Finger Print of My Device
   ■ Short Form of Machine Finger Print of My Device
   ■ IP Address of My Machine
   ■ Device ID of My Machine
5. Click Evaluate Risk.
6. Click Next Step, and perform postevaluation on the specified user profile.
7. Select the result of secondary authentication option from the Result of Secondary Authentication list.
8.
Click Post Evaluate to complete postevaluation and display the result.

Note: To ensure secure communication between the CA Risk Authentication components, you can configure them to support SSL (Secure Sockets Layer) transport mode. For more information, see "Configuring SSL" in the CA Risk Authentication 8.0 Administration Guide.

Chapter 14: Apply the Post-Installation Checklist

Complete the following checklist with the installation and setup information for CA Risk Authentication. This information is useful when you perform various administrative tasks.

Your Information                 Example Entry                      Your Entry
ARCOT_HOME                       C:\Program Files\Arcot Systems

SYSTEM INFORMATION
Host Name                        my-bank
User Name                        administrator
Password                         password1234!
Configured Components            CA Risk Authentication Server
                                 Administration Console
                                 User Data Service

ADMINISTRATION CONSOLE INFORMATION
Host Name                        localhost
Port                             8080
Master Administrator Password    mypassword1234!

USER DATA SERVICE INFORMATION
Host Name                        localhost
Port                             8080
Application Context Root         arcotuds

Chapter 15: Silent Mode Installation

After you install CA Risk Authentication, you can install the component again using the silent mode of installation. A silent installation completes the installation without user interaction.

Silent Mode Installation Guidelines

Review the following guidelines before starting a silent installation:
■ Back up the default properties file before modifying it.
■ Do not add extra spaces between a parameter name, the equal sign (=), and the parameter value.
■ Save the file after you change it.

Important! Do not use the "-r" option with the installer executable to generate a response file to be used for silent installation. Only the default properties file that comes with the initial installation should be used.
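A pre-flight check for the two hand-edited properties files: the spacing guideline above, together with the parameter names and valid values this chapter lists for installer.properties, and the TRANSPORT_TYPE and CA_CERT_FILE rules from Chapter 12. This is an added example, not CA code; the function names, the constructed sample file contents, and the rule that a password or HSM PIN is required only when its component is enabled are assumptions.

```python
import re

# Valid values exactly as this guide lists them for installer.properties.
INSTALLER_ENUMS = {
    "ARCOT_DBTYPE_SILENT": {"oracle", "mssqlserver", "mysql"},
    "ARCOT_ENC_TYPE_SILENT": {"software", "nfast", "chrysalis"},
    "ARCOT_CONFIG_PRIMARY_DB_SILENT": {"true", "false"},
    "ARCOT_CONFIG_BACKUP_DB_SILENT": {"true", "false"},
}
FEATURES = {"RFSRV", "RFCASE", "RFSDK", "ADMIN", "UDS", "UBP"}
# A backslash with no backslash on either side, i.e. a plain Windows "\".
LONE_BACKSLASH = re.compile(r"(?<!\\)\\(?!\\)")


def parse(text):
    """Return ({name: value}, findings); findings flag spacing around '='."""
    entries, findings = {}, []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#!":          # blank line or comment
            continue
        name, sep, value = line.partition("=")
        if not sep:
            findings.append(("line %d" % number, "no '=' separator"))
            continue
        if name != name.rstrip() or value != value.lstrip():
            findings.append((name.strip(), "extra space around '='"))
        entries[name.strip()] = value.strip()
    return entries, findings


def lint_installer(text):
    """Check installer.properties against the silent-installation guidelines."""
    entries, findings = parse(text)
    for key, allowed in INSTALLER_ENUMS.items():
        if key in entries and entries[key] not in allowed:
            findings.append((key, "expected one of: " + ", ".join(sorted(allowed))))
    for feature in entries.get("CHOSEN_FEATURE_LIST", "").split(","):
        if feature and feature not in FEATURES:
            findings.append(("CHOSEN_FEATURE_LIST", "unknown feature " + feature))
    # Assumption of this example: a secret is required only when the
    # component that uses it is switched on.
    needed = []
    if entries.get("ARCOT_CONFIG_PRIMARY_DB_SILENT") == "true":
        needed.append("ARCOT_PRIMARY_PASSWORD_SILENT")
    if entries.get("ARCOT_CONFIG_BACKUP_DB_SILENT") == "true":
        needed.append("ARCOT_BACKUP_PASSWORD_SILENT")
    if entries.get("ARCOT_ENC_TYPE_SILENT") in ("nfast", "chrysalis"):
        needed.append("ARCOT_HSM_PIN_SILENT")
    for key in needed:
        if not entries.get(key):                 # report the name, never the value
            findings.append((key, "sensitive value is empty"))
    return findings


def lint_risk_evaluation(text):
    """Check the Chapter 12 settings in riskfort.risk-evaluation.properties."""
    entries, findings = parse(text)
    for key in ("HOST.1", "PORT.1"):
        if not entries.get(key):
            findings.append((key, "must be set"))
    port = entries.get("PORT.1", "")
    if port and not (port.isdigit() and 0 < int(port) < 65536):
        findings.append(("PORT.1", "not a valid TCP port"))
    transport = entries.get("TRANSPORT_TYPE", "TCP")   # TCP is the stated default
    if transport not in ("TCP", "SSL"):
        findings.append(("TRANSPORT_TYPE", "expected TCP or SSL"))
    if transport == "SSL":
        cert = entries.get("CA_CERT_FILE", "")
        if not cert:
            findings.append(("CA_CERT_FILE", "required when TRANSPORT_TYPE=SSL"))
        elif LONE_BACKSLASH.search(cert):
            findings.append(("CA_CERT_FILE", "use \\\\ or / instead of a single \\"))
    return findings


# Constructed sample inputs (not taken from a real installation).
SAMPLE_INSTALLER = """CHOSEN_FEATURE_LIST=RFSRV,ADMIN,UDS,UBX
ARCOT_DBTYPE_SILENT = mssqlserver
ARCOT_CONFIG_PRIMARY_DB_SILENT=true
ARCOT_PRIMARY_PASSWORD_SILENT=
ARCOT_CONFIG_BACKUP_DB_SILENT=false
ARCOT_ENC_TYPE_SILENT=software
"""
SAMPLE_RISK = r"""HOST.1=riskauth.example.internal
PORT.1=9000
TRANSPORT_TYPE=SSL
CA_CERT_FILE=C:\certs\ca.pem
"""

if __name__ == "__main__":
    for label, result in (("installer.properties", lint_installer(SAMPLE_INSTALLER)),
                          ("risk-evaluation.properties", lint_risk_evaluation(SAMPLE_RISK))):
        for key, message in result:
            print("%s: %s: %s" % (label, key, message))
```

Findings name the parameter but never print its value, so the output can be pasted into a ticket without exposing the database password or HSM PIN.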

Default Properties File

To modify the parameters in a default properties file, use a text editor. The default parameters reflect the information that was entered during the initial installation.

The default properties file includes parameters that hold sensitive information, for example the database password, Master Key, and HSM PIN. Fill them with appropriate values.

CA Risk Authentication Property file

The CA Risk Authentication properties file has the following default name and location:
Name
   installer.properties
Location
   risk_auth_home\
risk_auth_home
   Specifies the CA Risk Authentication installation path

Modify the CA Risk Authentication Installer Properties Files

Modify the CA Risk Authentication installer properties file to define installation variables. The following default parameters specify the information that you entered during the initial CA Risk Authentication installation:

CHOSEN_FEATURE_LIST
   Specifies a comma-separated list of features that are installed.
   Valid values:
   RFSRV - CA Risk Authentication Server
      Server that authenticates, provisions, manages configuration and server instance.
   RFCASE - Case Management Queuing Server
      Serves cases to work on for outbound callers. At any given time, all instances of Administration Console connect to one common instance of Case Management Queuing Server only.
   RFSDK - CA Risk Authentication Java SDK and WS
      Java SDK and Web Services that enable issuance, authentication, and configuration requests to the CA Risk Authentication Server.
   ADMIN - Administration Console
      Web-based console for managing server configurations.
   UDS - User Data Service
      The abstraction layer for accessing different types of user repositories, such as relational databases (RDBMSs) and directory servers (LDAPs).
   UBP - User Behavioral Profiling
      The model that predicts user behavior and promotes security.
USER_INSTALL_DIR_SILENT
   Specifies the location of CA Risk Authentication installation
ARCOT_DBTYPE_SILENT
   Specifies the type of the database that is configured.
   Valid values: oracle, mssqlserver, mysql

Primary Database Details

Primary Database has the following database related details:
ARCOT_CONFIG_PRIMARY_DB_SILENT
   Specifies if the primary database is configured or not.
   Valid values: true, false
ARCOT_PRIMARY_DSN_NAME_SILENT
   Specifies the Data Source Name for the database.
ARCOT_PRIMARY_DATABASE_SILENT
   Specifies the name of the database instance.
ARCOT_PRIMARY_SID_SILENT
   Specifies the SID for an Oracle database. For other database types this is left blank.
ARCOT_PRIMARY_TNS_SERVICE_NAME_SILENT
   Specifies the TNS Service name for an Oracle database. For other database types this is left blank.
ARCOT_PRIMARY_HOST_NAME_SILENT
   Specifies the hostname of the Database server
ARCOT_PRIMARY_PORT_SILENT
   Specifies the port number of the given database instance
ARCOT_PRIMARY_USER_NAME_SILENT
   Specifies the database username
ARCOT_PRIMARY_PASSWORD_SILENT
   Specifies the password for the given database username
ARCOT_CONFIG_BACKUP_DB_SILENT
   Specifies if the backup database is configured or not.
   Valid values: true, false

Backup Database Details

Backup Database has the following database related details:
ARCOT_BACKUP_DSN_NAME_SILENT
   Specifies the Data Source Name for the database.
ARCOT_BACKUP_DATABASE_SILENT
   Specifies the name of the database instance.
ARCOT_BACKUP_SID_SILENT
   Specifies the SID for an Oracle database. For other database types, this is left blank.
ARCOT_BACKUP_TNS_SERVICE_NAME_SILENT
   Specifies the TNS Service name for an Oracle database. For other database types, this is left blank.
ARCOT_BACKUP_HOST_NAME_SILENT
   Specifies the hostname of the Database server.
ARCOT_BACKUP_PORT_SILENT
   Specifies the port number of the given database instance.
ARCOT_BACKUP_USER_NAME_SILENT
   Specifies the database username.
ARCOT_BACKUP_PASSWORD_SILENT
   Specifies the password for the given database username.

Encryption Details

The encryption details for the database are as follows:
Encryption method: software/hardware
ARCOT_ENC_TYPE_SILENT
   Specifies the method of encryption.
   Valid values: software, nfast, chrysalis.
ARCOT_ENC_DEVICE_NAME_SILENT
   Specifies the device name for hardware encryption.
ARCOT_KEY_LABEL_SILENT
   Specifies the Master Key Label.
ARCOT_HSM_PIN_SILENT
   Specifies the HSM pin.
ARCOT_HSM_SHARED_LIBRARY_SILENT
   Specifies the full path for HSM shared library.
ARCOT_HSM_STORAGE_SLOT_SILENT
   Specifies the Storage Slot Number for HSM.

How to Perform the Silent Installation

Run an unattended installation to install CA Risk Authentication without user interaction.

Follow these steps:
1. Review the unattended installation guidelines.
2. Copy the CA Risk Authentication properties file from the CA Risk Authentication host system.
3. Copy the CA Risk Authentication installation media to the same location as the properties file.
4. Modify the CA Risk Authentication installer properties file.
5. Run the CA Risk Authentication installer. Run the following command from the directory to which you copied the CA Risk Authentication installation executable and the properties file:
   installation_media -f installer.properties -i silent
   installation_media
      Specifies the CA Risk Authentication installation executable.
      Note: If the properties file is not in the same directory as the installation media, specify its location. Use double quotes if the argument contains spaces.
   -i silent
      Specifies that the installer run silently.
   Example:
   installation_media -f "C:\Program Files\CA\Arcot Systems\installer.properties" -i silent
   The installation begins.
   The installer uses the parameters that you specified in the properties file to install CA Risk Authentication.
6. Verify the CA Risk Authentication installation.

Chapter 16: How to Deploy the User Behavioral Profiling Model

This section describes how a Master Administrator installs, configures and deploys User Behavioral Profiling.

CA Risk Authentication detects cases where stronger authentication is required and evaluates parameters of the current transaction against customer preset rules. The calling software uses the risk score that is provided by the evaluation to decide if additional authentication is required before allowing the user to proceed.

User Behavioral Profiling measures the similarity or dissimilarity of the current transaction to prior access by the same user, or that of their peer group in cases of insufficient data.

User Behavioral Profiling installation and deployment on CA Advanced Authentication is illustrated below:

To install and deploy User Behavioral Profiling, perform the following steps:
1. Verify Deployment Prerequisites (see page 122)
2. Configure the Database (see page 122)
3. Run the Database Scripts (see page 127)
4. Verify the Database Setup (see page 127)
5. Deploy the User Behavioral Profiling Software
6. Configure CA Advanced Authentication for User Behavioral Profiling (see page 130)
7. Configure a Rule to Apply User Behavioral Profiling Model (see page 131)
8.
Verify User Behavioral Profiling Model (see page 132)

Verify Prerequisites

Before you configure User Behavioral Profiling, verify the following prerequisites:

Hardware and Software requirements

Four servers are required for the User Behavioral Profiling implementation. The hardware and software requirements are:

CA Advanced Authentication User Behavioral Profiling Server
■ CPU – 2x 2.0-GHz AMD Opteron 6128
■ Memory – 4 GB
■ HDD1 – 40 GB
■ Microsoft Windows 2008 R2 SP1

CA Strong Authentication/CA Risk Authentication Server
■ CPU – 2x 2.0-GHz AMD Opteron 6128
■ Memory – 4 GB
■ HDD1 – 40 GB
■ Microsoft Windows 2008 R2 SP1

Active Directory Server
■ CPU – 2x 2.0-GHz AMD Opteron 6128
■ Memory – 3 GB
■ HDD1 – 40 GB
■ Microsoft Windows 2008 R2 SP1
■ Active Directory Domain Service
■ DNS

Database Server
■ CPU – 4x 2.0-GHz AMD Opteron 6128
■ Memory – 6 GB
■ HDD1 – 32 GB (OS)
■ HDD2 – 16 GB (SWAP)
■ HDD3 – 40 GB
■ Microsoft SQL Server 2008 R2 64-bit

Third-Party Components

Java SDK
Verify that the current version of Java is 1.6 or greater on the CA Advanced Authentication User Behavioral Profiling server. To upgrade to version 1.7 or to install the Java component, follow the steps that are provided on the Oracle Java download site.

Environment Variables
To execute the application from the Java location, set the environment variables.

Follow these steps:
1. Navigate to the system properties of the computer.
2. On the Advanced tab, click Environment Variables and set the system variables.
3. To set the New System Variable, set the JAVA_HOME system variable value to \Program Files (x86)\Java\jdk1.7.0_51.
   Note: The folder name (jdk1.7.0_51 in this example) is different if you download a different JDK release. Verify that the variable value represents the correct folder.
4.
To set the Edit System Variable, update the PATH system variable value by adding \%JAVA_HOME%\jre\bin after the path.
5. From a command prompt window, type Java, then press Enter.
6. If Java was correctly added to the PATH system variable, you see usage information about java.
   Note: Server restart is required to update the system variable.

Database Configuration

Before installing, set up a database used for storing user information, server configuration data, audit log data, and other information. CA Risk Authentication supports a primary database and a backup database that can be used during failover and fail-back in high-availability deployments.

Configure the database connectivity in the following ways:
During CA Risk Authentication installation, the database is configured when the installer automatically edits the arcotcommon.ini file with the database information you supply.

There are specific configuration requirements for each supported database (Microsoft SQL Server, Oracle, or MySQL).

Important! To protect the database server, use a firewall or any other access control mechanism, and set it to the same time zone as all dependent products.

Configure Microsoft SQL Server

This section provides the following configuration procedure for SQL Server:
Note: See the SQL Server documentation for detailed information about performing the tasks listed in this section.

Follow these steps:
1. Verify that SQL Server is configured to use the SQL Server and Windows Authentication mode for Server authentication. Right-click the server in the Object Explorer window and select the Security page. CA Risk Authentication cannot connect to the database if SQL Server is configured to Windows Authentication Mode.
2. Create a database by the following criteria:
   ■ The recommended name is arcotdb.
   ■ The database size must be configured to grow automatically.
3. Create a DB user by performing the following steps:
   a.
In the SQL Server Management Studio, go to ; expand the Security folder, and then click Login.
      Note: The refers to the host name or IP address of the SQL Server where you created your database.
   b. Right-click the Login folder, and click New Login.
   c. Enter the Login name (recommended name is arcotuser).
   d. Set the Authentication parameter to SQL Server Authentication.
   e. Specify Password and Confirm password for the login.
   f. Ensure that you specify other password settings on this page according to the password policies in your organization.
   g. Make the database (arcotdb) that you created the default database.
   h. Perform the mapping of the users to this login section.
   i. Map the user (SQL 2005) for the default database to db_owner (in the Database role membership for: section).

Configure Oracle Server

This section provides the configuration information for creating Oracle database server.

Prerequisites:
1. Run CA Risk Authentication on Oracle with two table-spaces. The reasons to have two table-spaces are as follows:
   ■ Use the first table-space for configuration data, audit logs, and user information. This table-space can be the default user table-space in the CA Risk Authentication database.
   ■ Run the reports on the second table-space. We recommend that you use a separate table-space to run the reports.
2. Use CA Risk Authentication Database Configuration Script. The script automatically creates the table-space for reports, if the database user running the script has sufficient permissions to create a table-space. If the user does not have the required permissions, the db administrator must manually create this table-space and delete the section for creating reports in the script.
   arcot-db-config-for-common-8.0.sql

Important!
The parameters for creating the reports table-space in the arcot-db-config-for-common-8.0.sql database script can be changed according to the preferences of the db administrator. However, the table-space name must be ARReports to generate reports successfully.

Follow these steps:
1. Create a new database that stores information in the UTF-8 character set. This allows CA Risk Authentication to use international characters including double-byte languages. To enable UTF-8 support for your Oracle database, perform the following steps:
   a. Log in to the Oracle database server as SYS or SYSTEM.
   b. Run the following command:
      update sys.props$ set value$='UTF8' where (name='NLS_NCHAR_CHARACTERSET' or name='NLS_CHARACTERSET');
   c. Restart the database and verify whether the character set is configured to UTF-8.
2. Create a database user:
   a. Create a user (recommended name is arcotuser), with a schema in the new database arcotdb.
   b. Set the quota of user to at least 5 GB to 10 GB for a development or test deployment.
      Note: If the deployment is for the production environment, staging, or other intensive testing, see Database Reference to determine the quota that is required for a user.
   c. Grant the DBA role to the user.

Configure MySQL Server

This section provides the following configuration information for MySQL.

Follow these steps:
1. To check whether your MySQL installation supports the InnoDB storage engine, use the SHOW ENGINES command.
   Note: CA Risk Authentication uses the InnoDB storage engine of MySQL. If the output of this command shows that InnoDB is not supported, enable support for InnoDB. For information about enabling support for InnoDB, see the MySQL Documentation.
2. If you are running MySQL on any non-Windows platform, set the lower_case_table_names variable to 1.
   Note: For more information, see the MySQL Documentation.
3.
To create a database, perform the following steps:
   a. Open a MySQL command window.
   b. To create the database schema, run the following command:
      CREATE SCHEMA '' DEFAULT CHARACTER SET utf8;
   c. To create the database user, run the following command:
      CREATE USER '' identified by '';
4. Create a user with the following criteria:
   a. Create a user (recommended name is arcotuser) in the new database arcotdb.
   b. Grant the following privileges to the user:
      ■ Object rights:
         – SELECT
         – INSERT
         – UPDATE
         – DELETE
         – EXECUTE
      ■ DDL rights:
         – CREATE
         – ALTER
         – CREATE ROUTINE
         – ALTER ROUTINE
         – DROP
      ■ Other rights:
         – GRANT OPTION

Run the Database Scripts

To create the database tables, run the required database scripts shipped with CA Risk Authentication.

Important! Before you run the scripts, verify that you are logged in as the same database user that you created in the section, Configure Database Server.

Follow these steps:
1. Navigate to the following directory: \Arcot Systems\dbscripts\
2. Navigate to one of the following subdirectories based on the database that you are using:
   ■ For Oracle: oracle\
   ■ For Microsoft SQL: mssql\
   ■ For MySQL: mysql\
3. Run the script arcot-db-config-for-userprofiling-2.0.sql

Verify the Database Setup

After you run the required database scripts, verify the CA Risk Authentication schema.

Follow these steps:
1. Log in to the CA Risk Authentication database as a user with SYSDBA privileges.
2. Run the following query:
   SELECT * from dbo.XUBPData
   You must see the following output as a result of the preceding query:
   USERNAME ORGNAME PARAMNAME DATA
   -------- ------- --------- ----
3. Log out of the database console.

Deploy the User Behavioral Profiling Software

Deploy the User Behavioral Profiling Software to run on the database.
User Behavioral Profiling can be deployed on a single system or a distributed system.

Follow these steps:
1. Stop the CA Risk Authentication Service.
2. Stop the application server.
   Note: For installation on a distributed system, during installation select the 'Custom' option and select 'User Behavior Profiling'.
3. Deploy the Administration Console.

The Administration Console is a browser-based interface that enables you to customize the server configurations and manage the deployed system. To deploy the Administration Console WAR file on your application server and verify if it was successfully deployed, follow these steps:
1. Deploy arcotadmin.war in the appropriate directory on the application server.
   Note: The deployment procedure depends on the application server that you are using. See your application server vendor documentation for detailed instructions.
   Example: In the case of Apache Tomcat, you must deploy the WAR file at \java\webapps\.
2. (For 32-bit WebSphere Only): Configure reload of the Admin class when the application files are updated. Perform the following steps:
   a. Navigate to Application, Enterprise Applications, and then access the Admin settings page.
   b. Under Class loader order, select the Classes loaded with local class loader first (parent last) option.
   c. Under WAR class loader policy, select the Single class loader for application.
   d. Click Apply.
   e. Restart the Admin application.
3. Deploy Administration Console on the Application Server from any of the following environments:
   http://repo1.maven.org/maven2/org/jboss/logging/jboss-logging-jdk/2.1.1.GA/
   http://repo1.maven.org/maven2/org/jboss/logging/jboss-logging-spi/2.1.1.GA/
   http://repo1.maven.org/maven2/org/jboss/logging/jboss-logging-log4j/2.1.1.GA/
4. Restart the application server.
5. To verify that the console is successfully deployed, do the following steps:
   a.
Navigate to the following location: \Arcot Systems\logs\
   b. Open the arcotadmin.log file in any editor and locate the following lines:
      ■ 2.0.3
      ■ CA Advanced Authentication Configured Successfully.
      Note: These lines indicate that your Administration Console was deployed successfully.
   c. Also ensure that the log files do not contain any FATAL and WARNING messages.
   d. Close the file.

Configure CA Advanced Authentication for User Behavioral Profiling Model

To use the User Behavioral Profiling model, you configure CA Advanced Authentication.

Follow these steps:
1. Log in to the CA Advanced Authentication UI as the Master Administrator.
2. Click the Services and Server Configuration tab.
3. Click Model Configuration.
4. Update the Predictive Model URL (primary: http://:<appserver_port>/ca-userprofiling-2.0-application/UBPServlet) to the primary server running your User Behavioral Profiling.
5. Update the Predictive Model URL (backup) to the backup server running User Behavioral Profiling, if one exists.
   Note: If you are not running a backup instance of User Behavioral Profiling, set both URLs the same.
6. Click Upload Model Configuration.
7. To enable User Behavioral Profiling at the organization level, log out from the Administrative UI as Master Administrator and log in as Global Administrator.
8. Navigate to the Organizations tab.
9. Click Search and select the organization on which User Behavioral Profiling is implemented.
10. Select the CA Risk Authentication tab and select Model Configuration.
11. Select the Ruleset that is defined for this organization and select the Enable Model option.
12. Click Save.
13. Move these changes into production and refresh the Server Cache.

You have completed the changes for enabling User Behavioral Profiling in your organization.
Configure a Rule to Apply the New User Behavioral Profiling Model

You configure a rule to verify that each transaction is inspected by the User Behavioral Profiling Model. If a rule is not defined, transactions go through the User Behavioral Profiling Model but the response is invisible. You configure a rule to apply the new User Behavioral Model.

Follow these steps:

1. Log in to the CA Advanced Authentication UI as the Global or Organization Administrator.
2. Click the Organizations tab.
3. Click Search.
4. Click the organization on which you have implemented the User Behavioral Profiling Model.
5. Navigate to the Risk Authentication tab and select Rules and Scoring Management.
6. Select the Ruleset for your organization.
7. Click Add a new rule.
8. Name the rule and give it a Mnemonic (shortest name of a rule) and a Description.
9. Select the Data Element MODEL_SCORE and click the required Operator.
   Note: Set a value when you want the Model Score to trigger a rule and take the transaction to secondary authentication. For a defined value, the model score can use any of the following operators: GREATER_THAN, LESS_THAN, GREATER_OR_EQUAL, LESS_OR_EQUAL, EQUAL_TO, NOT_EQUAL_TO, IN_LIST, IN_CATEGORY. After the rule is configured, it is fired based upon the operator selected.
10. Click Add to populate the Rule being developed field.
11. Click Create after the rule is populated. You are notified that the new rule is successfully created.
12. Click enable next to your new rule and set a Risk Score value.
13. To prioritize this new rule against the other rules in place for this ruleset, set the appropriate priority.
14. Click Save.
15. Click the Migration to Production menu item, select the appropriate ruleset for your organization, and click Migrate.
16. Refresh the cache.

You have submitted your rule to engage the newly added User Behavioral Profiling Model in your organization.
Implementation of User Behavioral Profiling for CA Advanced Authentication is complete.

Verify the User Behavioral Profiling Model

In these steps, you verify that the User Behavioral Profiling Model is functioning as expected.

Follow these steps:

1. Log in as Global Administrator.
2. Navigate to Reports, click Analyze Transaction Report.
3. Enter the criteria and click Submit.
4. Under Model Score Attribute the scores are displayed.

As you generate more data for this user, your model score is adjusted accordingly. An increasing model score shows that the User Behavioral Profiling Model is working as expected.

User Behavioral Profiling Model Removal

Removing User Behavioral Profiling involves disabling or uninstalling the model based on the requirement.

Disable the User Behavioral Profiling Model

Before you remove the User Behavioral Profiling Model from your environment, you must disable it.

Follow these steps:

1. Log in to the CA Advanced Authentication Console as a Global Administrator.
2. Click the Organizations tab.
3. Click Search and select the organization where the User Behavioral Profiling Model is implemented.
4. Navigate to the CA Risk Authentication tab and select Model Configuration.
5. Select the Ruleset that is defined for this organization.
6. Click the Enable Model checkbox.
7. Click Save.
8. Click the Migration to Production menu item and select the appropriate ruleset for your organization.
9. Click Migrate to migrate these new changes into production.
10. Navigate to the Search Organizations menu and click Search.
11. Select the organization that you are working on and click Refresh Cache.
12. Click OK.

You have removed the User Behavioral Profiling Model from your organization's Ruleset.
Uninstall User Behavioral Profiling

The uninstallation of User Behavioral Profiling Model involves dropping the User Behavioral Profiling Model Schema and then uninstalling the User Behavioral Profiling Model.

Follow these steps:

1. Navigate to the following directory: \Arcot Systems\dbscripts\
2. Based on the database type that you use, navigate to one of the following subdirectories:
   ■ For Oracle: \Arcot Systems\dbscripts\oracle\
   ■ For Microsoft SQL Server: \Arcot Systems\dbscripts\mssql\
   ■ For MySQL: \Arcot Systems\dbscripts\mysql\
3. Run the scripts in the following order to drop all database tables of CA Risk Authentication and related components:
   a. Run drop-arcot-db-config-for-userprofiling-2.0.sql.
4. Shut down the following servers:
   a. CA Risk Authentication Server.
   b. CA Risk Authentication Case Management Service.
   c. Any application servers where other CA Risk Authentication components are deployed.
5. Close Administration Console.
6. Verify that all INI and other CA Risk Authentication configuration files are closed.
7. Click Start, Settings, Control Panel, Add/Remove Programs to open the Add or Remove Programs window.
8. Select CA Risk Authentication then click Change/Remove.
9. The Uninstall CA Risk Authentication window appears.
10. Select Uninstall CA Risk Authentication.exe.
11. In the uninstall wizard, select Uninstall Specific features.
12. Click Next and select Only User Behavioral Profiling.
13. Select Uninstall.
14. Click Done to complete the process.

The User Behavioral Profiling Model is successfully removed from database.

Chapter 17: CA Risk Authentication Configuration for Oracle RAC

Perform the steps in this section if you want to use Oracle RAC with CA Risk Authentication 8.0.
Update the arcot-db-config-for-common-2.0.sql Script

You run the arcot-db-config-for-common-2.0.sql script as a post-installation task. Before you run this script, modify it for Oracle RAC.

Follow these steps:

1. To determine the Oracle RAC shared datafile path, log in to the database and run the following command:

       SELECT file_name, tablespace_name FROM dba_data_files

   The following is sample output of this command:

       +DATA\qadb\datafile\users.259.797224649      USERS
       +DATA\qadb\datafile\undotbs1.258.797224649   UNDOTBS1
       +DATA\qadb\datafile\sysaux.257.797224647     SYSAUX

2. Open the arcot-db-config-for-common-2.0.sql file. This file is in the install_location\Arcot Systems\dbscripts\oracle\ directory.
3. Search for the following line in the file:

       filename varchar2(50) := 'tabspace_arreports_'|| to_char(current_timestamp, 'YYYY-MM-DD-HH24-MI-SS') || '.dat';

4. Replace that line with the following line:

       filename varchar2(100) := '+shared_location/service_name/datafile/tabspace_arreports_'|| to_char(current_timestamp, 'YYYY-MM-DD-HH24-MI-SS') || '.dat';

   In the new line:
   a. Replace shared_location with the shared datafile path that you determined by running the command given in the first step.
   b. Replace service_name with the service name of the Oracle RAC installation.

   The following is a sample line:

       filename varchar2(100) := '+DATA/forwardinc/datafile/tabspace_arreports_'|| to_char(current_timestamp, 'YYYY-MM-DD-HH24-MI-SS') || '.dat';

5. Save and close the script file, and then run it.

Update the arcotcommon.ini File

The arcotcommon.ini file contains the parameters for database and instance settings. To use Oracle RAC, you specify the JDBC URL in the format supported by Oracle RAC in the arcotcommon.ini file.

Follow these steps:

1. Open the arcotcommon.ini file in a text editor. This file is in the install_location\Arcot Systems\conf\ directory.
2. Specify a value for the URL parameter in the [arcot/db/primarydb] section and, if required, in the [arcot/db/backupdb] section of the INI file. Enter the URL in the following format:

       URL.1=jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=host_name)(PORT=1521)))(CONNECT_DATA=(SERVICE_NAME=service_name)(SERVER=DEDICATED)))

   For example:

       URL.1=jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=172.30.250.18)(PORT=1521)))(CONNECT_DATA=(SERVICE_NAME=forwardinc)(SERVER=DEDICATED)))

   Note: If Oracle RAC is client configured, then include all the nodes in this format.
3. If the database user that you specified while running the CA Strong Authentication installer is different from the database user in Oracle RAC, then change the database user credentials in the arcotcommon.ini file.
4. Use the DBUtil utility to change the database user credentials in the securestore.enc file. DBUtil is available in the ARCOT_HOME\tools\win directory.
5. Save and close the arcotcommon.ini file.

Update the Database Connection Details

To establish a connection between CA Risk Authentication and Oracle RAC, you must create an ORA file and define the address for connecting to the RAC.

Follow these steps:

1. Create a *.ora file on the system on which you have installed CA Strong Authentication. For example, C:\Program Files (x86)\tns.ora.
2. Add the following lines in the new file:

       section_name =
         (DESCRIPTION =
           (ADDRESS_LIST =
             (ADDRESS = (PROTOCOL = TCP)(HOST = host_name_or_IP_address)(PORT = 1521))
           )
           (CONNECT_DATA =
             (SERVICE_NAME = service_name)
           )
         )

   For example:

       fwdincrac =
         (DESCRIPTION =
           (ADDRESS_LIST =
             (ADDRESS = (PROTOCOL = TCP)(HOST = 172.30.250.18)(PORT = 1521))
           )
           (CONNECT_DATA =
             (SERVICE_NAME = forwardinc)
           )
         )

   Note: If Oracle RAC is client configured, then include all the nodes in this format.
3. Save the file.
4. Modify the DSN that you created during the installation.
5. For the required DSN, clear all the parameters in the Standard Connection section. This makes the TNSNames Connection section editable.
6. Add the following parameters to this section:

       TNSNamesFile=ARCOT_HOME\ora_file_name
       ServerName=section_name

   For example:

       TNSNamesFile= C:\Program Files (x86)\tns.ora
       ServerName=fwdincrac

7. Save and close the file.

Chapter 18: Application Server Configuration for Database Connection Pooling

Setting up a new connection for each request adds overhead and can degrade the performance of the system. By implementing database connection pooling, you can avoid the overhead of creating a new database connection every time a CA Risk Authentication component deployed on your application server requires access to the database.

Enable Database Connection Pooling

This section walks you through the steps to set up database connection pooling on the application server, where you have deployed CA Risk Authentication components.

Apache Tomcat

This section provides the steps to enable Apache Tomcat for JNDI-based database operations.

Follow these steps:

1. Install the Apache Tomcat application server and test the installation by using the following URL: http://localhost:8080/
2. Open the server.xml file present in the /conf/ directory.
3. Collect the following information required to define a data source:
   JNDI Name
      Specifies the JNDI name used by CA Risk Authentication.
      Important! This name must match with the AppServerConnectionPoolName.N in arcotcommon.ini (without the java:comp/env/ prefix).
   User ID
      Specifies the database user ID.
   Password
      Specifies the database password.
   JDBC Driver Class
      Specifies the JDBC driver class name.
      Example: oracle.jdbc.driver.OracleDriver
   JDBC URL
      Specifies the JDBC URL for the database server. For example, if you are using the Oracle driver, then the URL will be: jdbc:oracle:thin:::
4. Add the following entry to define the data source within the tag:
5. Open the context.xml file available in the \conf\ directory.
6. Add the following entry to define the datasource within the tag:
7. To enable database connection pooling, download the following files from the corresponding third-party source. Then, copy these files to the following directories: \common\lib\ folder (on Apache Tomcat 5.x) or \lib\ directory (on Apache Tomcat 6.x and 7.x).
   ■ commons-dbcp-1.2.2.jar
   ■ ojdbc14-10.2.0.1.0.jar (for Oracle database)
   ■ sqljdbc.jar (Microsoft JDBC driver for MS SQL Server 2005 - version 1.2.2828)
   ■ mysql-connector-java-5.1.22-bin.jar (for MySQL database)

IBM WebSphere

This section provides the steps to enable IBM WebSphere for JNDI-based database operations.

Follow these steps:

1. Log in to WebSphere Administration Console.
2. Select Resources and expand the JDBC node.
3. Click JDBC Providers.
4. In the Preferences section, click New to create an appropriate JDBC provider based on the database that you are using.
5. Perform the following tasks to create the JDBC Provider.
   Note: For more information, refer to following link: http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/topic/com.ibm.websphere.base.iseries.doc/info/iseries/ae/tdat_ccrtprov.html
6. Specify the Database Type and Provider Type.
   a. Select Connection pool data source from the Implementation Type drop-down list.
   b. Enter a Name for the JDBC provider. You can also enter a Description for the JDBC Provider.
   c. Click Next.
   d. Enter the absolute path for the JAR file.
   e. Click Next.
   f. After reviewing the summary of the information that you have entered, click Finish to complete the JDBC provider configuration.
7. Set the CLASSPATH for the JDBC provider that you created in Step 5.
   a. Click Resources and expand the JDBC node.
   b. Click JDBC Providers.
   c. Click the JDBC Provider that you created in Step 5.
   d. Set the Class Path for the JDBC JAR.
   e. Click Apply to save the changes.
8. Create a Data Source, as follows:
   a. Go to Resources, and then click JDBC.
   b. Under JDBC, open Data Sources and click New. Perform the following steps to create a data source:
   c. Specify the Data source name.
   d. Specify the JNDI name.
      Note: This name must match with the value of AppServerConnectionPoolName.N in arcotcommon.ini.
   e. Click Next.
   f. Select an existing JDBC provider created in Step 3.
   g. Click Next.
   h. Depending on the database, enter the following information:
      ■ For Oracle: Specify the Value for JDBC URL. This URL would be of the following type: jdbc:oracle:thin:@:: Select the Data store helper class name.
      ■ For MS SQL Server: jdbc:sqlserver://:;databaseName=;selectMethod=cursor
      ■ For MySQL: jdbc:mysql://:/
   i. Click Next.
   j. Click Next to view the Summary screen, and then click Finish.
9. Click the data source created in Step 8.
10. In the Related Items section, click JAAS - J2C authentication data.
11. Click New to create a new credential.
12. Enter login credentials that are used to connect to the database and save the credential.
13. Click Apply, and then click OK to save the changes made.
14. Click Data Sources and select the data source that you created in Step 8.
15. Under Security Settings, Component-managed authentication alias, select the JAAS credential that you created in Step 12 and click Apply, and then OK.
16. Click Data Sources and select the check box for the data source you created in Step 8.
17. Click Test connection to verify that you have specified the connection correctly.
    Note: This test only checks the connection to the database server, not necessarily the correct definition of the data source.

Oracle WebLogic

This section walks you through the steps to enable Oracle WebLogic for JNDI-based database operations.

Follow these steps:

1. Log in to WebLogic Administration Console.
2. Click the Lock & Edit button in the Change Center, if it is not already done.
3. Navigate to Services, JDBC, and then Data Sources.
4. Under JDBC, open Data Sources and click New.
5. Set the following JNDI and the database information:
   a. Set Name = ArcotDB
      Note: This name must match with the value of AppServerConnectionPoolName.N in arcotcommon.ini.
   b. Set JNDI Name = ArcotDB
   c. Select the required Database Type, for example Oracle.
   d. Select the required Database Driver, for example Oracle Thin Driver.
6. Click Next, retain the default values and click Next again.
7. In the Connection Properties page that appears, set the database connection details. For example, the values for Oracle can be:
   ■ Database Name = SID or service name of the database server
   ■ Host Name = Host name or the IP address of the database server
   ■ Port = 1521 or any other port the database server is running
   ■ Database User Name = Database account user name that can create the database connections
   ■ Password / Confirm Password = Password for the specified Database User Name
8. Click Next.
9. Click Test Configuration to verify the database information that you specified.
10. Click Next and set the preferred data source target server for the WebLogic server instance.
11. Click Finish.
12. Click the Activate button in the Change Center to enable the data source settings that you configured in the preceding steps.
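The Tomcat, WebSphere and WebLogic procedures above all repeat one requirement: the data source's JNDI name must match AppServerConnectionPoolName.N in arcotcommon.ini (for Tomcat, without the java:comp/env/ prefix). The following is an added example, not code from CA or from this guide, that checks that requirement and the JDBC URL formats for a Tomcat context.xml. The Resource elements, host names and data source names in the samples are constructed, and the SQL Server and MySQL driver class names are the vendors' standard ones rather than values taken from this guide.

```python
"""Check Tomcat JNDI data sources against arcotcommon.ini pool names."""
import configparser
import re
import xml.etree.ElementTree as ET

JNDI_PREFIX = "java:comp/env/"

# Driver class -> expected URL shape, following the JDBC URL formats in this
# chapter (host:port:SID, or the Oracle RAC DESCRIPTION form from Chapter 17).
URL_PATTERNS = {
    "oracle.jdbc.driver.OracleDriver": re.compile(
        r"^jdbc:oracle:thin:@(?:[^:/\s()]+:\d+:\w+|\(DESCRIPTION=.+\))$"),
    "com.microsoft.sqlserver.jdbc.SQLServerDriver": re.compile(
        r"^jdbc:sqlserver://[^:;\s]+:\d+;databaseName=\w+(;.*)?$"),
    "com.mysql.jdbc.Driver": re.compile(
        r"^jdbc:mysql://[^:/\s]+:\d+/\w+$"),
}


def pool_names(ini_text):
    """Return {(section, key): value} for each AppServerConnectionPoolName.N."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True)
    cp.optionxform = str  # INI keys are case-sensitive; do not lowercase them
    cp.read_string(ini_text)
    found = {}
    for section in cp.sections():
        for key, value in cp.items(section):
            if key.startswith("AppServerConnectionPoolName.") and value:
                found[(section, key)] = value.strip()
    return found


def tomcat_resources(context_xml):
    """Return {name: attributes} for every javax.sql.DataSource Resource."""
    root = ET.fromstring(context_xml)
    return {res.get("name"): dict(res.attrib)
            for res in root.iter("Resource")
            if res.get("type") == "javax.sql.DataSource"}


def audit(ini_text, context_xml):
    """List mismatches between the INI pool names and the Tomcat resources."""
    findings = []
    resources = tomcat_resources(context_xml)
    for (section, key), value in sorted(pool_names(ini_text).items()):
        # Tomcat binds the Resource under java:comp/env/, so strip the prefix.
        jndi = value[len(JNDI_PREFIX):] if value.startswith(JNDI_PREFIX) else value
        res = resources.get(jndi)  # JNDI lookups are case-sensitive
        if res is None:
            findings.append(
                f"[{section}] {key}={value}: no Tomcat Resource named {jndi!r}")
            continue
        driver = res.get("driverClassName", "")
        pattern = URL_PATTERNS.get(driver)
        if pattern is None:
            findings.append(f"{jndi}: unrecognized driverClassName {driver!r}")
        elif not pattern.match(res.get("url", "")):
            findings.append(f"{jndi}: url does not fit the format for {driver}")
    return findings


# Constructed sample input (not from a real installation).
SAMPLE_INI = """\
[arcot/db/primarydb]
AppServerConnectionPoolName.1=java:comp/env/SampleDS
[arcot/db/backupdb]
AppServerConnectionPoolName.1=java:comp/env/SampleBackupDS
"""

SAMPLE_CONTEXT = """\
<Context>
  <Resource name="SampleDS" auth="Container" type="javax.sql.DataSource"
            username="dbuser" password="placeholder"
            driverClassName="oracle.jdbc.driver.OracleDriver"
            url="jdbc:oracle:thin:@dbhost.example.com:1521:ORCL"/>
  <Resource name="SampleBackupDs" auth="Container" type="javax.sql.DataSource"
            username="dbuser" password="placeholder"
            driverClassName="com.mysql.jdbc.Driver"
            url="jdbc:mysql://dbhost2.example.com:3306/arcot"/>
</Context>
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_INI, SAMPLE_CONTEXT):
        print(finding)
```

On the constructed sample, the backup data source is reported because SampleBackupDs and SampleBackupDS differ only in case.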
JBoss Application Server

This section walks you through the steps to enable JBoss Application Server for JNDI-based database operations.

Follow these steps:

1. Navigate to the location where you have deployed the WAR files, for example: \server\default\deploy\
2. Create a data source descriptor file called arcotdatabase-ds.xml.
3. Collect the following information required to define a data source in the arcotdatabase-ds.xml file:
   ■ JNDI Name: The JNDI name used by CA Risk Authentication components. This name must match with the AppServerConnectionPoolName.N in arcotcommon.ini (without the java:comp/env/ prefix).
   ■ User ID: The database user ID.
   ■ Password: The database password.
   ■ JDBC Driver Class: The JDBC driver class name. For example, oracle.jdbc.driver.OracleDriver.
   ■ JDBC URL: The JDBC URL for the database server. For example, if you are using Oracle driver, then the URL will be: jdbc:oracle:thin:::.
   ■ Exception Sorter Class: The class for implementing the org.jboss.resource.adapter.jdbc.ExceptionSorter interface, which determines whether the exception indicates a connection error. Use this parameter for Oracle database only. Set it to org.jboss.resource.adapter.jdbc.vendor.OracleExceptionSorter.
4. Open the arcotdatabase-ds.xml in a text editor.
5. Add the following content: SampleDS
6. Save and close the file.

Enable LDAP Connection Pooling

This section covers the configuration steps for the following application servers.

Apache Tomcat

To create an LDAP connection pool, do the following steps:

1. Install the Apache Tomcat application server and test the installation by using the following URL: http://localhost:8080/
2. Navigate to the following location: \conf\
3. Open the catalina.properties file in a text editor.
4. Add the following entries to the file:
   ■ com.sun.jndi.ldap.connect.pool.protocol=plain ssl
   ■ com.sun.jndi.ldap.connect.pool.authentication=simple
   ■ com.sun.jndi.ldap.connect.pool.maxsize=64
   ■ com.sun.jndi.ldap.connect.pool.prefsize=32
   ■ com.sun.jndi.ldap.connect.pool.timeout=240000
   ■ com.sun.jndi.ldap.connect.pool.initsize=8
5. Save and close the file.
6. Restart the application server.

IBM WebSphere

Perform the following steps to create an LDAP connection pool:

1. Log in to WebSphere Administration Console.
2. Navigate to Servers, Server Types, WebSphere application servers.
3. Click the Server that you want to configure.
4. In the Server Infrastructure section, click Java and Process Management.
5. Click the Process Definition link.
6. In the Additional Properties section, click Java Virtual Machine.
7. In the Additional Properties section, click Custom Properties.
8. Click New to add custom properties.
9. Add the configurations listed in the following table as name-value pairs in the General Properties section. You have to repeat the process for every name-value pair.

       Name                                             Value
       com.sun.jndi.ldap.connect.pool.maxsize           64
       com.sun.jndi.ldap.connect.pool.prefsize          32
       com.sun.jndi.ldap.connect.pool.initsize          8
       com.sun.jndi.ldap.connect.pool.timeout           240000
       com.sun.jndi.ldap.connect.pool.protocol          plain ssl
       com.sun.jndi.ldap.connect.pool.authentication    simple

10. Click Apply.
11. Restart WebSphere.

Oracle WebLogic

Include LDAP Options in Startup Script

This section provides the steps to include the LDAP connection pool parameters in the WebLogic server startup script:

1. Log in to the system.
2. Create a backup copy of the WebLogic Server startup script. This script is available at the following location: domain-name\bin\startWebLogic.cmd
3. Open the script in a text editor.
4. Add the following entries in the section that is used to start the WebLogic server.
   ■ -Dcom.sun.jndi.ldap.connect.pool.maxsize=64
   ■ -Dcom.sun.jndi.ldap.connect.pool.prefsize=32
   ■ -Dcom.sun.jndi.ldap.connect.pool.initsize=8
   ■ -Dcom.sun.jndi.ldap.connect.pool.timeout=240000
   ■ -Dcom.sun.jndi.ldap.connect.pool.protocol="plain ssl"
   ■ -Dcom.sun.jndi.ldap.connect.pool.authentication=simple

   The following code snippet shows a sample script with LDAP connection pool parameters:

       @REM START WEBLOGIC
       echo starting weblogic with Java version:
       %JAVA_HOME%\bin\java %JAVA_VM% -version
       if "%WLS_REDIRECT_LOG%"=="" (
           echo Starting WLS with line:
           echo %JAVA_HOME%\bin\java %JAVA_VM% %MEM_ARGS% %JAVA_OPTIONS% -Dweblogic.Name=%SERVER_NAME% -Djava.security.policy=%WL_HOME%\server\lib\weblogic.policy %PROXY_SETTINGS% %SERVER_CLASS%
           %JAVA_HOME%\bin\java %JAVA_VM% %MEM_ARGS% %JAVA_OPTIONS% -Dcom.sun.jndi.ldap.connect.pool.maxsize=64 -Dcom.sun.jndi.ldap.connect.pool.prefsize=32 -Dcom.sun.jndi.ldap.connect.pool.initsize=8 -Dcom.sun.jndi.ldap.connect.pool.timeout=240000 -Dcom.sun.jndi.ldap.connect.pool.protocol="plain ssl" -Dcom.sun.jndi.ldap.connect.pool.authentication=simple -Dweblogic.Name=%SERVER_NAME% -Djava.security.policy=%WL_HOME%\server\lib\weblogic.policy %PROXY_SETTINGS% %SERVER_CLASS%
       ) else (
           echo Redirecting output from WLS window to %WLS_REDIRECT_LOG%
           %JAVA_HOME%\bin\java %JAVA_VM% %MEM_ARGS% %JAVA_OPTIONS% -Dweblogic.Name=%SERVER_NAME% -Djava.security.policy=%WL_HOME%\server\lib\weblogic.policy %PROXY_SETTINGS% %SERVER_CLASS% >"%WLS_REDIRECT_LOG%" 2>&1
       )

5. Save and close the file.
6. Restart WebLogic Server.

Specify LDAP Pool Options Using Managed Server

1. Log in to WebLogic Administration Console.
2. Click the Lock & Edit button, if it is not done.
3. In the Domain Structure pane, navigate to Environment, Servers.
4. Click the server you want to configure.
5. In the right pane, click Server Start.
6. In the Arguments field, include the following space-separated JVM options:
   ■ -Dcom.sun.jndi.ldap.connect.pool.maxsize=64
   ■ -Dcom.sun.jndi.ldap.connect.pool.prefsize=32
   ■ -Dcom.sun.jndi.ldap.connect.pool.initsize=8
   ■ -Dcom.sun.jndi.ldap.connect.pool.timeout=240000
   ■ -Dcom.sun.jndi.ldap.connect.pool.protocol=plain ssl
   ■ -Dcom.sun.jndi.ldap.connect.pool.authentication=simple
7. Click Save and then Activate Changes.
8. Restart WebLogic Server.

JBoss Application Server

Perform the following steps to create an LDAP connection pool:

1. Navigate to the following location: \standalone\configuration
2. Open the standalone.xml file in a text editor.
3. Add the following properties:
4. Save and close the file.
5. Restart JBoss AS.

Enable Apache Tomcat Security Manager

If CA Risk Authentication does not work on Apache Tomcat when the Java Security Manager is enabled, perform the following steps so that the Tomcat Security Manager works with CA Risk Authentication:

1. Navigate to the following Apache Tomcat installation location: \bin\
2. Double-click the tomcatw.exe file. The Apache Tomcat Properties dialog box appears.
3. Activate the Java tab.
4. In the Java Options section, add the following entries:
   ■ -Djava.security.manager
   ■ -Djava.security.policy=\conf\catalina.policy
5. Click Apply to save the changes.
6. Click OK to close the Apache Tomcat Properties dialog box.
7. Navigate to the following Apache Tomcat location: \conf\
8. Open the catalina.policy file in a text editor of your choice.
9. Add the following code in the WEB APPLICATION PERMISSIONS section.

       grant {
           permission java.io.FilePermission "${catalina.base}${file.separator}webapps${file.separator}arcotuds${file.separator}-", "read";
           permission java.util.PropertyPermission "adb.converterutil", "read";
           permission java.lang.RuntimePermission "accessDeclaredMembers";
           permission java.security.SecurityPermission "putProviderProperty.BC";
           permission java.security.SecurityPermission "insertProvider.BC";
           permission java.security.SecurityPermission "putProviderProperty.SHAProvider";
           permission java.io.FilePermission "${arcot.home}${file.separator}-", "read,write";
           permission java.net.SocketPermission "*:1024-65535", "connect,accept,resolve";
           permission java.net.SocketPermission "*:1-1023", "connect,resolve";
       };

10. Add the following section to grant permission for Administration Console (arcotadmin) and User Data Service (arcotuds).

       grant codeBase "file:${catalina.home}/webapps/arcotuds/-" {
           permission java.lang.RuntimePermission "getenv.ARCOT_HOME", "";
           permission java.lang.RuntimePermission "accessClassInPackage.org.bouncycastle.asn1.*";
           permission java.security.AllPermission;
       };
       grant codeBase "file:${catalina.home}/webapps/arcotadmin/-" {
           permission java.lang.RuntimePermission "getenv.ARCOT_HOME", "";
           permission java.security.AllPermission;
       };

11. Save and close the file.
12. Restart Apache Tomcat.

Appendix A: Deploy Administration Console on IBM WebSphere

If you plan to deploy Administration Console on IBM WebSphere 7.0, 8.0 or 8.5, you might see an HTTPCLIENT error when you access some Administration Console pages, such as Instance Management. In such cases, you must perform the following steps:

1. Access the Administration Console WAR file from \Arcot Systems\java\webapps\.
2. Copy arcotadmin.war to a temporary directory, say C:\Arcot_temp\.
3. Extract the arcotadmin.war file contents.
   Of the JARs that are extracted to the C:\Arcot_temp\arcotadmin\WEB-INF\lib\ directory, the following JARs are used to create the shared library in IBM WebSphere:
   ■ axiom-api-1.2.10.jar
   ■ axiom-impl-1.2.10.jar
   ■ axis2-java2wsdl-1.5.2.jar
   ■ backport-util-concurrent-3.1.jar
   ■ commons-httpclient-3.1.jar
   ■ commons-pool-1.5.5.jar
   ■ axiom-dom-1.2.10.jar
   ■ axis2-adb-1.5.2.jar
   ■ axis2-kernel-1.5.2.jar
   ■ commons-codec-1.3.jar
   ■ commons-logging-1.1.1.jar
   ■ log4j-1.2.16.jar
   ■ axis2-transport-http-1.5.2.jar
   ■ axis2-transport-local-1.5.2.jar
4. Log in to WebSphere Administration Console.
5. Click Environment, and then click Shared Libraries.
   a. From the Scope drop-down, select a valid visibility scope. The scope must include the target server or node on which the application is deployed.
   b. Click New.
   c. Enter the Name. Example: ArcotAdminSharedLibrary.
   d. Specify the Classpath. Enter the path and file name for all the JAR files extracted in Step 3. Example: C:/Arcot_temp/arcotadmin/WEB-INF/lib/axiom-api-1.2.10.jar
   e. Click Apply to save the changes made.
6. Navigate to the location (\Arcot Systems\java\webapps\) where the Administration Console WAR file is located.
7. Deploy arcotadmin.war in the application server.
8. Configure shared library, as follows:
   a. Click Applications, and then click WebSphere enterprise applications.
   b. Click arcotadmin_war.
   c. In the References section, click Shared library references.
   d. Select arcotadmin_war and click Reference shared libraries.
   e. Select the ArcotAdminSharedLibrary from the Available list and move it to the Selected list.
   f. Click OK to save the configurations.
9. Configure the class loader order and policy as follows:
   a. Click Applications, Application Types, and then click WebSphere enterprise applications.
   b. Click arcotadmin_war.
   c. Click Class loading and update detection link.
   d. In the Class loader order section, select the Classes loaded with local class loader first (parent last) option.
   e. In the WAR class loader policy section, select the Single class loader for application option.
   f. Click OK to save the configurations.
10. Ensure that the application is restarted.

If you plan to deploy Administration Console on IBM WebSphere 8.0 and 8.5, you might see an HTTPCLIENT error when you access some Administration Console pages, such as Instance Management. In such cases, you must perform the following steps:

1. Access the Administration Console WAR file from \Arcot Systems\java\webapps\.
2. Copy arcotadmin.war to a temporary directory, say C:\Arcot_temp\.
3. Extract the arcotadmin.war file contents.
   Of the JARs that are extracted to the C:\Arcot_temp\arcotadmin\WEB-INF\lib\ directory, the following JARs are used to create the shared library in IBM WebSphere:
   ■ axiom-api-1.2.10.jar
   ■ axiom-impl-1.2.10.jar
   ■ axis2-java2wsdl-1.5.2.jar
   ■ backport-util-concurrent-3.1.jar
   ■ commons-httpclient-3.1.jar
   ■ commons-pool-1.5.5.jar
   ■ axiom-dom-1.2.10.jar
   ■ axis2-adb-1.5.2.jar
   ■ axis2-kernel-1.5.2.jar
   ■ commons-codec-1.3.jar
   ■ commons-logging-1.1.1.jar
   ■ log4j-1.2.16.jar
   ■ axis2-transport-http-1.5.2.jar
   ■ axis2-transport-local-1.5.2.jar
4. Log in to WebSphere Administration Console.
5. Click Environment, and then click Shared Libraries.
   a. From the Scope drop-down, select a valid visibility scope. The scope must include the target server or node on which the application is deployed.
   b. Click New.
   c. Enter the Name, for example, ArcotAdminSharedLibrary.
   d. Specify the Classpath. Enter the path and file name for all the JAR files extracted in Step 3. For example: C:/Arcot_temp/arcotadmin/WEB-INF/lib/axiom-api-1.2.10.jar
   e. Click Apply to save the changes made.
6. Navigate to the location (\Arcot Systems\java\webapps\) where the Administration Console WAR file is located.
7. Deploy arcotadmin.war in the application server.
8. Configure shared library, as follows:
   a. Click Applications, and then click WebSphere enterprise applications.
   b. Click arcotadmin_war.
   c. In the References section, click Shared library references.
   d. Select arcotadmin_war and click Reference shared libraries.
   e. Select the ArcotAdminSharedLibrary from the Available list and move it to the Selected list.
   f. Click OK to save the configurations.
9. Configure the class loader order and policy as follows:
   a. Click Applications, Application Types, and then click WebSphere enterprise applications.
   b. Click arcotadmin_war.
   c. Click Class loading and update detection link.
   d. In the Class loader order section, select the Classes loaded with local class loader first (parent last) option.
   e. In the WAR class loader policy section, select the Single class loader for application option.
   f. Click OK to save the configurations.
10. Ensure that the application is restarted.

Chapter 19: CA Risk Authentication Configuration for SDKs and Web Services

This section describes the steps to configure the Application Programming Interfaces (APIs) and web services that are provided by CA Risk Authentication.

Configure CA Risk Authentication API

CA Risk Authentication is shipped with a set of Java APIs. The CA Risk Authentication APIs package enables the following operations:
■ Evaluate and assess risk
■ Generate advice
■ List user-device associations
■ Delete associations

Follow these steps:

1. Navigate to the following location: \Arcot Systems\sdk\java\lib\arcot\
2. Implement the core JAR, that is, the Risk Evaluation SDK: arcot-riskfort-evaluaterisk.jar.
   In addition, you can find the following JARs that the core JAR is dependent on:
   ■ arcot_core.jar
   ■ arcot-pool.jar
   ■ arcot-riskfort-mfp.jar
3. (Optional) You can implement the JAR for the Issuance SDK from the same location: arcot-riskfort-issuance.jar
   However, this API has been deprecated in this release and has been included only for backward compatibility.
   Note: Instead of this API, you can use the User Management Web Service. For more information, see the CA Risk Authentication Web Services Developer’s Guide.

Configure Java APIs

This section provides the procedure to configure the Java APIs so that they can be used with your application.

Important! Before you proceed, verify that the JARs required for implementing the Java APIs are installed at \Arcot Systems\sdk\java\lib\.

Perform the following steps to configure Java APIs:

Note: The following steps are based on Apache Tomcat Server. The configuration process may vary depending on the application server you are using. See the Application Server documentation for detailed information about these instructions.

1. Copy the listed JAR files from the following location: \Arcot Systems\
   Place them in the appropriate location in your directory.
   Example: For Apache Tomcat this location is \WEB-INF\lib\.
   ■ /sdk/java/lib/arcot/arcot_core.jar
   ■ /sdk/java/lib/arcot/arcot-pool.jar
   ■ /sdk/java/lib/arcot/arcot-riskfort-evaluaterisk.jar
   ■ /sdk/java/lib/arcot/arcot-riskfort-mfp.jar
   ■ /sdk/java/lib/external/bcprov-jdk15-146.jar
   ■ /sdk/java/lib/external/commons-lang-2.0.jar
   ■ /sdk/java/lib/external/commons-pool-1.5.5.jar
   Example: On Apache Tomcat 5.5.x, you must copy these files to C:\Program Files\Apache Software Foundation\Tomcat 5.5.31\webapps\\WEB-INF\lib\.
2. Configure the log4j.properties.risk-evaluation and riskfort.risk-evaluation.properties files as follows:
   ■ If the application already has a configured log4j.properties.risk-evaluation file, then merge it with the following log configuration files:
     \Arcot Systems\sdk\java\properties\log4j.properties.risk-evaluation
     and
     \Arcot Systems\sdk\java\properties\riskfort.risk-evaluation.properties
   ■ If the application does not have the log4j.properties file configured, do the following steps:
     a. Rename log4j.properties.risk-evaluation to log4j.properties.
     b. Merge riskfort.risk-evaluation.properties with log4j.properties.
     c. Copy the log4j.properties file to: \WEB-INF\classes\properties\
        Example: On Apache Tomcat 5.5.x, you must copy log4j.properties to C:\Program Files\Apache Software Foundation\Tomcat 5.5.31\webapps\\WEB-INF\classes\.

Note: To know more about APIs and their initialization, refer to the CA Risk Authentication Javadocs at \Arcot Systems\docs\riskfort\Arcot-RiskFort-8.0-issuance-sdk-javadocs.zip.

Configure CA Risk Authentication Web Services

To use the CA Risk Authentication Web Services, deploy the arcotuds.war file. CA Risk Authentication provides web services for managing users, organizations, administration, and for performing risk assessments. The WSDLs for these web services are available at the following location: \Arcot Systems\wsdls\

Generate Client Code Using WSDLs

After CA Risk Authentication package installation, generate the client stub in the language you want to code in by using the WSDL files that are shipped with CA Risk Authentication. These WSDLs enable the web services client to communicate with CA Risk Authentication Server.

Important! Before you proceed with the client code generation, verify that the CA Risk Authentication package was installed successfully and that the Server is up and running.
Follow these steps:

1. Stop the application server.
2. Navigate to the following location: \Arcot Systems\wsdls\
3. Use the required WSDL file (listed in the following table) to generate the client code.

   WSDL File | Description
   admin/ArcotRiskFortAdminWebService.wsdl | Used for creating and managing rule configurations that are typically done by using Administration Console.
   riskfort/ArcotRiskFortEvaluateRiskService.wsdl | Used for performing risk evaluation.
   uds/ArcotUserRegistryMgmtSvc.wsdl | Used for creating and managing organizations in your setup.
   uds/ArcotConfigRegistrySvc.wsdl | Used for creating and managing user account types.
   uds/ArcotUserRegistrySvc.wsdl | Used for creating and managing users and user accounts.

4. Restart the application server.
5. In a browser window, access the end-point URLs (listed in the following table) to verify if the client can access the Web Service.

   Web Service | URL
   ArcotRiskFortAdminWebService | http://:/services/ArcotRiskFortAdminSvc (The default port here is 7777.)
   ArcotRiskFortEvaluateRiskService | http://:/services/RiskFortEvaluateRiskSvc (The default port here is 7778.)
   ArcotUserRegistryMgmtSvc | http://:/arcotuds/services/ArcotUserRegistrySvc
   ArcotConfigRegistrySvc | http://:/arcotuds/services/ArcotConfigRegistrySvc
   ArcotUserRegistrySvc | http://:/arcotuds/services/ArcotUserRegistryMgmtSvc

Note: For more information about generating the Java client, see the CA Risk Authentication Web Services Developer’s Guide.

Configure Device ID and DeviceDNA

CA Risk Authentication uses Device ID and DeviceDNA to register and identify the device that is used by a user during transactions. The Device ID is stored on the end user's device. The Device ID information is in encrypted format.
The following options are available for storing the Device ID on the end user's device. The plugin store is the most persistent storage option.
■ Plugin store: The plugin store is a permanent store on the end user’s device. A Device ID that is placed in the plugin store cannot be deleted by common end-user actions such as clearing browser cache and deleting browser cookies. The plugin store is supported from CA Risk Authentication Client release 2.1 onward.
■ Local storage that is provided in HTML5
■ UserData store: This store is available only in Microsoft Internet Explorer
■ Cookie store: Typically, on Microsoft Windows, the Device ID is stored in one of the following folders:
  ■ Internet Explorer on Microsoft Windows 7 or 2008: C:\Documents and Settings\\Application Data\Microsoft\Windows\Cookies\
  ■ Internet Explorer on Microsoft Windows 2003 or XP: C:\Documents and Settings\\Cookies\
  ■ Mozilla Firefox: C:\Documents and Settings\\Application Data\Mozilla\Firefox\Profiles\\cookies.sqlite
  ■ Safari: C:\Documents and Settings\\Application Data\Apple Computer\Safari\cookies.plist

Important! From CA Risk Authentication Client version 2.0 onward, the Device ID is not stored as a Flash cookie. If you have existing Flash cookies from an earlier release, then these cookies are automatically migrated to one of the stores that is listed earlier in this section.

File You Will Need for Device ID and DeviceDNA Collection

When you perform a complete installation or select to install CA Risk Authentication Evaluation SDK or Web Service in the Choose Install Set screen, the following file is automatically installed:
\Arcot Systems\sdk\devicedna\riskminder-client.js
This file provides the functions to get and set the Device ID and DeviceDNA.
Enable Device ID and DeviceDNA Collection

To set a cookie on the end-user computer, include riskminder-client.js in your application pages that get or set the cookies.

Follow these steps:

1. Copy the entire devicedna directory from \Arcot Systems\sdk\ to the appropriate web application directory. Typically, the web application folder is at the following location: \
2. Include the riskminder-client.js file in the required application pages. We assume that these files are located in a folder that is relative to the folder containing index.jsp.

Migrate Flash Cookies from Preceding Releases

Flash cookies are no longer supported for storing the Device ID. However, if you have existing Flash cookies from an earlier release, then these cookies are automatically migrated to one of the supported stores on the end-user device when you complete the tasks described in Collecting Device ID and DeviceDNA in one of the following guides:
■ CA Risk Authentication Java Developer’s Guide
■ CA Risk Authentication Web Services Developer’s Guide

CA Risk Authentication supports Hardware Security Module (HSM) to secure your data. If you choose to encrypt the data by using HSM, the data stored in the database is encrypted with the key that resides in the HSM.

Note: Before you proceed with the configurations explained in this section, ensure that you have set up the HSM server and client, and generated the 3DES key in the HSM. Refer to (Optional, Only If You are Using HSMs) Requirements for HSM.

CA Risk Authentication uses the software (S/W) mode to encrypt data. Therefore, you must change the mode to hardware (chrysalis or nfast). You do so by using the [arcot/crypto/device] section in arcotcommon.ini.
This file also provides separate sections for configuring the required HSM, which in the current release are as follows:
■ Luna HSM ([crypto/pkcs11modules/chrysalis])
■ nCipher netHSM ([crypto/pkcs11modules/nfast])

Based on the HSM you are configuring, specify the sharedLibrary parameter in the corresponding section. After you specify the HSM information, re-create the securestore.enc file with the HSM key label, initialize the HSM, and then initialize CA Risk Authentication to use the HSM key.

During the installation process, the CA Risk Authentication installer prompts you to specify this HSM-related information. However, if you want to change the HSM configurations later, such as changing the data encryption mode and configuring other HSM information that is needed by CA Risk Authentication, then perform the following steps:

1. Navigate to the following location: \Arcot System\conf\
2. Take a backup of securestore.enc.
3. Delete the existing securestore.enc file from \Arcot System\conf\.
4. To change the data encryption mode from software (S/W) to hardware (chrysalis or nfast), and configure the HSM information that CA Risk Authentication needs, do the following steps:
   a. Navigate to the following location: \Arcot System\conf\
   b. Open arcotcommon.ini in a text editor.
   c. In the [arcot/crypto/device] section:
      ■ Set the HSMDevice parameter to chrysalis for Luna HSM.
      or
      ■ Set the HSMDevice parameter to nfast for nCipher netHSM.
   d. Depending on the HSM that you are configuring, set the sharedLibrary parameter to the location where the HSM library file is located:
      ■ The default location of the Luna HSM library is :\Program Files\LunaSA\cryptoki.dll.
      or
      ■ The default location of the nCipher netHSM is :\nfast\bin\cknfast.dll.
      Note: See arcotcommon.ini for more information about the other HSM configuration parameters available in this section.
   e. Save and close the arcotcommon.ini file.
5. Navigate to the following location, where the DBUtil tool is available: \Arcot System\tools\platform\
6. Run the DBUtil tool with the following commands:
   Note: The database user () that you specify in the following commands is case-sensitive.
   a. dbutil -init
      Note: The corresponds to the 3DES key that resides in the HSM.
      The preceding command creates a securestore.enc file with the specified key label. The generated file is stored in the \Arcot System\conf\ location.
   b. dbutil -i
      Note: The is chrysalis for Luna HSM, and nfast for nCipher netHSM.
      The preceding command initializes the HSM.
   c. dbutil -pi -h -d
      Note: refers to the ODBC DSN that CA Risk Authentication Server uses to connect to the CA Risk Authentication database. refers to the password used to connect to the database.
      The preceding command initializes the CA Risk Authentication Server data to be encrypted by using HSM.
   d. dbutil -pi -h -d
      Note: refers to the user name used to connect to the CA Risk Authentication database. refers to password used to connect to the database.
      The preceding command initializes Administration Console and the User Data Service data to be encrypted by using HSM.

Chapter 20: Add Custom Actions

Each channel in CA Risk Authentication has a set of actions associated with it. An action, in turn, has data elements associated with it. A rule in CA Risk Authentication is a specific combination of the elements associated with an action for a channel or set of channels.

This section describes the procedure to add a custom action. While adding a custom action, you specify the channel with which the action must be associated.
The elements that are associated with the other actions defined for that channel are automatically associated with the new action. You can use these elements to build rules for the new action.

Note: If you plan to build rules for actions that are available in all channels, then you must first add the action in each channel.

Follow these steps:

1. (Optional) Perform the following steps if you do not know the name of the channel with which you want to associate a new action:
   a. Log in to the Administration Console as a GA.
   b. Click the Services and Server Configurations tab.
   c. Under the Rules Management section on the side-bar menu, click the Rules and Scoring Management link.
   d. Select any ruleset from the Select a Ruleset list.
   e. Click Add a New Rule.
   f. Note down the name of the channels for which you want to add new actions.
2. Ensure that you have the database privileges listed in Configuring the Database Server.
3. Log in to the database.
4. Run the following command to determine the ID of the channel to which you want to add the action:
   select channelid from arrfchannel where channelname='';
   In this command, replace with the name of the channel.
5. Run one of the following commands:
   Note: In the command that you run, replace with the channel ID that you determine by running the previous step. Similarly, replace with the name of the channel. The action name can contain alphanumeric characters and the underscore character. No other character can be used in the action name.
   ■ For MS SQL Server:
     EXEC ADD_CUSTOM_ACTION , ''
   ■ For Oracle Database:
     set serveroutput on;
     execute ADD_CUSTOM_ACTION(, '');
   ■ For MySQL:
     call ADD_CUSTOM_ACTION(, '');
6. Refresh cache. See the CA Risk Authentication Administration Guide for instructions.
7. Verify that the action has been successfully added as follows:
   a. Log in to the administration console.
   b. Navigate to the Rules and Scoring Management screen.
   c. Click Add a new rule.
   d. Check whether the newly added action is displayed in the Actions list.

After you verify that the action has been added, you can start using it to build new rules.

Appendix B: Troubleshoot CA Risk Authentication Errors

This appendix describes the troubleshooting steps, which will help you resolve the errors that you might face while using CA Risk Authentication. The troubleshooting topics are classified based on different CA Risk Authentication components, as follows:
■ Installation Errors
■ Database-Related Errors
■ CA Risk Authentication Server Errors
■ SDK Errors
■ Upgrade Errors

Before you perform any troubleshooting tasks, check the CA Risk Authentication log files to see if there were any errors. By default, all the log files are saved in the \Arcot Systems\logs\ directory. The following table lists the default log file names of the CA Risk Authentication components.

CA Risk Authentication Component | File Name | Description
CA Risk Authentication Server | arcotriskfortstartup.log | This file records all the start-up (or boot) actions. The information in this file is very useful in identifying the source of the problems if the CA Risk Authentication service does not start up.
CA Risk Authentication Server | arcotriskfort.log | This file records all requests processed by the CA Risk Authentication Server after its startup.
Case Management Server | arcotriskfortcasemgmtserver.log | This file records all the start-up (or boot) actions for Case Management. The information in this file is very useful in identifying the source of the problems if the Case Management service does not start up.
Case Management Server | arcotriskfortcasemgmtserverstartup.log | This file records all requests processed by the Case Management Server after its startup.
Administration Console | arcotadmin.log | This file records the Administration Console operations.
User Data Service | arcotuds.log | This file records the User Data Service (UDS) operations.

Note: Refer to appendix, "CA Risk Authentication Logging" in CA Risk Authentication Administration Guide for detailed information on these log files.

Installation Errors

Problem:
I cannot find arcotadmin.war in \Arcot Systems\java\webapps directory.

Cause:
The installer failed to create the arcotadmin.war WAR file during installation.

Solution:
If the file was not automatically created, you must manually create it. To do so:
1. Open the command prompt window.
2. Ensure that the ARCOT_HOME environment variable is set.
3. Navigate to \Arcot Systems\tools\common\bundlemanager directory.
4. Run bundlemanager as follows:
   java -jar bundle-manager.jar
   The preceding command generates the arcotadmin.war file in \Arcot Systems\java\webapps directory.

Problem:
I cannot start the CA Risk Authentication Server (CA Risk Authentication Service). I see the following error in arcotriskfortstartup.log:
Failed DBPoolManager initialization
or
Datasource Name Not Found

Cause:
The possible causes for this issue might be:
■ The DSN for your database was not created as System DSN.
■ You are using a 64-bit platform. As a result, the DSN was created by using the 64-bit ODBC Manager.

Solution:
You can verify the DSN-related issues in arcotcommon.ini. If the problem is DSN-related, then:
1. To resolve the first cause, you must ensure that the DSN is a System DSN. To do so:
   a. Open the Control Panel, navigate to Administrative Tools, and Data Sources (ODBC).
   b. Activate the System DSN tab, and verify that your DSN exists here. If not, then you must re-create the DSN with the same name as earlier.
   c. Restart the service.
2. To resolve the second issue (if you are using a 64-bit platform), you must use the 32-bit version of the ODBC Manager. On Windows, you will find the 32-bit version at C:\Windows\SysWOW64.

Note: For detailed information on arcotcommon.ini and other configuration files, see Configuration Files and Options.

Problem:
I cannot start the CA Risk Authentication Server (CA Risk Authentication Service). The error message indicates that the service starts and stops automatically.

Cause:
A possible cause for this issue might be that you specified details for a Database during installation, but the data source was not successfully created.

Solution:
To resolve this issue:
1. Verify if there is a corresponding entry for the DSN in arcotcommon.ini.
   ■ If entry not found, manually create the DSN.
   ■ If you found the entry, then clean up the database (See "Dropping CA Risk Authentication Schema") and reseed the database, as described in Section, "Running Database Scripts".
2. Restart the CA Risk Authentication Server.

Problem:
When I launch the Administration Console for the first time ("Logging In to Administration Console") as the Master Administrator, I see the following message:
"The server encountered an internal error that prevented it from fulfilling this request."
I see the following error in the arcotadmin.log file:
adminLog: java.lang.UnsatisfiedLinkError: no ArcotAccessKeyProvider in java.library.path

Cause:
The JAVA library does not include the path to one of the following files:
■ ArcotAccessKeyProvider.dll
■ arcot-crypto-util.jar

Solution:
Do the following:
1. Ensure that the PATH variable includes the absolute path to the following files:
   ■ ArcotAccessKeyProvider.dll
   ■ arcot-crypto-util.jar
   Depending on the type of deployment, see one of the following sections for information about the location of these files:
   ■ For a single system deployment, see Step 2: Copying Database Access Files to Your Application Server.
   ■ For a distributed system deployment, see Step 2: Copying Database Access Files to Your Application Server.
2. Restart the application server.

Problem:
I do not see the log file (arcotadmin.log, arcotuds.log, casemanagementserver.log, or riskfortserver.log) in the logs directory in ARCOT_HOME.

Cause:
Some of the probable causes for this issue might be:
■ ARCOT_HOME might not be correctly set during installation.
■ The application server JAVA HOME might be pointing to JRE instead of the JDK HOME.

Solution:
To resolve these issues, you must:
■ Ensure that you reset the ARCOT_HOME to point to the correct location. Typically, this is \Arcot Systems\. As a result of this, when you use the cd %ARCOT_HOME% command in the command prompt window, your current directory must change to \Arcot Systems\.
■ Ensure that you copy the ArcotAccessKeyProvider.dll and arcot-crypto-util.jar files in the application server JAVA HOME location.
  Depending on the type of deployment, see one of the following sections for information about the location of these files:
  ■ For a single system deployment, see Step 2: Copying Database Access Files to Your Application Server.
  ■ For a distributed system deployment, see Step 2: Copying Database Access Files to Your Application Server.

Problem:
I deployed the UDS WAR (arcotuds.war), but the UDS is not coming up.

Cause:
One of the possible causes might be that the application server JAVA HOME might be pointing to JRE instead of the JDK HOME.

Solution:
To resolve this issue:
Ensure that you have copied the ArcotAccessKeyProvider.dll and arcot-crypto-util.jar files in the application server JAVA HOME location.
Depending on the type of deployment, see one of the following sections for information about the location of these files:
■ For a single system deployment, see Step 2: Copying Database Access Files to Your Application Server.
■ For a distributed system deployment, see Step 2: Copying Database Access Files to Your Application Server.

Database-Related Errors

Problem:
I ran the CA Risk Authentication database scripts and I did not see any errors. However, when I try to access a CA Risk Authentication table, I see an error message stating that the table does not exist.
or
I am using Oracle database and I see the following error when I try to access a table:
ERROR : common.database.DBFOManagerImpl(65) : Failed to retrieve Database error codes for Datasource[1]. Error: ORA-00942: table or view does not exist.

Cause:
■ The database user that you used to run the scripts did not have the required file permissions.
■ You did not run the database scripts in the specified order.

Solution:
Do the following:
1. Ensure that the user has the right file permissions.
2. Clean up the database. See section, "Dropping CA Risk Authentication Schema" for detailed instructions.
3. Run the database scripts again in the right order.
   See section, "Running Database Scripts" for more information in case of single-system installation.
   See section, "Running Database Scripts" for more information in case of distributed-system installation.
4. Run the following query to verify if the database was seeded correctly:
   SELECT SERVERNAME, VERSION FROM ARRFSERVERS;

Problem:
The connection to my Oracle database fails with the following entry in the RiskMinder Server log file:
ReportError: SQL Error State:08001, Native Error Code: 30FD, ODBC Error: [DataDirect][ODBC Oracle driver][Oracle]ORA-12541: TNS:no listener

Solution:
Check the following:
■ Listener service on your database server.
■ The TNSnames.ora file settings on the system where CA Risk Authentication Server is installed.
Problem:
Connection to the Oracle database fails with the following entry in the CA Risk Authentication Server log file:
TNS:listener could not resolve SERVICE_NAME given in connect descriptor

Solution:
Check for the following:
■ Database is started. If it is not, you will see the above message.
■ If the database is running, probably the database has not registered yet with the listener. This occurs when the database or listener just starts up. Typically, this problem should be solved by waiting a minute or so.
■ If you are using static registration, make sure the SERVICE_NAME entry used in the connection string (TNSNAMES.ORA, NAMES, OID, ...) matches a valid service known to the listener.
■ You can use C:>tnsping SERVICE_NAME to check the status or C:>lsnrctl services to verify all the services known to the listener.

Problem:
Connection to the Oracle database fails with the following entry in the CA Risk Authentication Server log file:
ORA-03113: end-of-file on communication channel

Cause:
This is a generic error that indicates that the connection has been lost. This can be caused by many reasons such as:
■ Network issues or problems
■ Forceful disconnection of a Server session
■ Oracle Database crash
■ Database Server crash
■ Oracle internal errors, such as ORA-00600 or ORA-07445, causing aborts
■ Oracle Client or TNS layer inability to handle the connections

Solution:
Check for the possible causes mentioned in the preceding list.

Problem:
Connection to the database fails with the following entry in the CA Risk Authentication Server log file:
Database password could not be obtained from securestore.enc

Cause:
The database details might not be available in securestore.enc file.

Solution:
Use the DBUtil tool to update the securestore.enc file with the database details.
Book: Refer to CA Risk Authentication Administration Guide for more information on how to use DButil.
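The error strings quoted in the Installation Errors and Database-Related Errors entries above can be matched mechanically when reviewing the log files. The following Python script is an added example, not part of the CA guide or product; the category labels are made up for it, and the sample log lines (including their timestamp layout) are constructed around the messages quoted in this appendix.

```python
import re
from collections import Counter, namedtuple

Finding = namedtuple("Finding", "line_no key advice text")

# (label, pattern, first check). The patterns are the error strings quoted in
# the Problem entries of this appendix; the labels are invented for this example.
SIGNATURES = [
    ("dsn",
     re.compile(r"Failed DBPoolManager initialization|Datasource Name Not Found"),
     "Verify the DSN is a System DSN; on a 64-bit platform use the 32-bit ODBC Manager."),
    ("native-lib",
     re.compile(r"UnsatisfiedLinkError: no ArcotAccessKeyProvider in java\.library\.path"),
     "Put ArcotAccessKeyProvider.dll and arcot-crypto-util.jar on PATH; restart the application server."),
    ("schema",
     re.compile(r"ORA-00942"),
     "Check the script user's permissions, clean up the schema, rerun the scripts in order."),
    ("listener",
     re.compile(r"ORA-12541"),
     "Check the listener service on the database server and the TNSnames.ora settings."),
    ("service-name",
     re.compile(r"TNS:listener could not resolve SERVICE_NAME"),
     "Check that the database is started and registered with the listener."),
    ("connection-lost",
     re.compile(r"ORA-03113"),
     "Generic lost connection: check network, forced disconnects, database or server crash."),
    ("securestore",
     re.compile(r"Database password could not be obtained from securestore\.enc"),
     "Use the DBUtil tool to update securestore.enc with the database details."),
]

# Constructed sample: messages come from this appendix, timestamps and the
# INFO lines are invented.
SAMPLE_LOG = """\
2024-01-01 10:00:00 INFO  : service starting
2024-01-01 10:00:01 ERROR : Failed DBPoolManager initialization
2024-01-01 10:00:05 ERROR : ReportError: SQL Error State:08001, Native Error Code: 30FD, ODBC Error: [DataDirect][ODBC Oracle driver][Oracle]ORA-12541: TNS:no listener
2024-01-01 10:00:35 ERROR : ReportError: SQL Error State:08001, Native Error Code: 30FD, ODBC Error: [DataDirect][ODBC Oracle driver][Oracle]ORA-12541: TNS:no listener
2024-01-01 10:01:09 ERROR : common.database.DBFOManagerImpl(65) : Failed to retrieve Database error codes for Datasource[1]. Error: ORA-00942: table or view does not exist.
2024-01-01 10:01:12 ERROR : Database password could not be obtained from securestore.enc
2024-01-01 10:01:13 INFO  : shutting down
"""


def triage(log_text):
    """Return one Finding per log line that matches a known signature."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        for key, pattern, advice in SIGNATURES:
            if pattern.search(line):
                findings.append(Finding(line_no, key, advice, line.strip()))
                break  # the first matching signature wins for this line
    return findings


def summarize(findings):
    """Map each label to (number of hits, line number of the first hit)."""
    counts = Counter(f.key for f in findings)
    first_seen = {}
    for f in findings:
        first_seen.setdefault(f.key, f.line_no)
    return {key: (counts[key], first_seen[key]) for key in first_seen}


if __name__ == "__main__":
    for key, (hits, first) in summarize(triage(SAMPLE_LOG)).items():
        advice = next(a for k, _, a in SIGNATURES if k == key)
        print(f"{key}: {hits} hit(s), first at line {first} -> {advice}")
```
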
Problem:
Connection to the MSSQL database fails with the following error:
java.sql.SQLException: No Datasource is set.

Cause:
The possible reason for this problem might be that the required JDBC JAR file might not be copied or might not be copied to the correct location on the application server you are using. This is because the Administration Console, User Data Service (UDS), and Sample Application, which are Java-dependent components of CA Risk Authentication, need Java Database Connectivity (JDBC) Java ARchive (JAR) files to connect to the database.

Solution:
Do the following:
1. If required, download the JDBC JAR file for the database you are using:
   ■ For Oracle Databases: ojdbc14.jar (version 10.2.0.1.0)
   ■ For Microsoft SQL Server Databases: sqljdbc.jar (version 1.2.2828)
   ■ For MySQL: mysql-connector-java-5.1.22-bin.jar (version 5.1.22)
2. Copy or deploy the JDBC JAR:
   ■ If you are using Apache Tomcat, then refer to the "Apache Tomcat" subsection of the "Step 3: Copying JDBC JAR Files to Your Application Server".
   ■ If you are using IBM WebSphere, then refer to the "IBM WebSphere" subsection of the "Step 3: Copying JDBC JAR Files to Your Application Server".
   ■ If you are using Oracle WebLogic, then refer to the "Oracle WebLogic" subsection of the "Step 3: Copying JDBC JAR Files to Your Application Server".
   ■ If you are using JBoss Application Server, then refer to "JBoss Application Server" subsection of the "Step 3: Copying JDBC JAR Files to Your Application Server".

CA Risk Authentication Server Errors

Problem:
I am trying to restart CA Risk Authentication Server, but it is not coming up.
The last line in arcotriskfortstartup.log shows the following error:
Cannot continue due to ARRF_LIB_init failure, SHUTTING DOWN

Cause:
The possible cause might be that you have configured a rule that requires $$rulelibname$$.dll, but this DLL is not present in the %ARCOT_HOME%\plugins\rules\ directory.

Solution:
Do the following:
1. Search for the occurrences of the following string:
   Couldn't find symbol [$$RULENAME$$] in library [$$rulelibname$$]
2. If you find the preceding string, then copy the (corresponding) $$rulelibname$$.dll to the %ARCOT_HOME%\plugins\rules\ directory.
3. Search for the occurrences of the following string:
   Couldn't get function pointer for symbol [ARRF_AddOnRule] in lib [$$rulelibname$$]
4. If you find the preceding string, then copy the (corresponding) $$rulelibname$$.dll to the %ARCOT_HOME%\plugins\rules\ directory.
5. If you do not see any of these log strings, then it is strongly recommended that you look for any ERROR or WARNING messages in the log file. It should provide you sufficient information to debug this issue.

Problem:
I am trying to restart CA Risk Authentication Server, but it is not coming up. The last lines in arcotriskfortstartup.log show the following error:
"Transport Exception on Admin channels: bind: Address already in use"
"Cannot continue due to loadAdminProtocolsAndAddTranports failure, SHUTTING DOWN"

Cause:
The possible cause for this issue is that the Server Management Port (Default Port Number: 7980) is already open on the host by some other process. CA Risk Authentication Server requires at least the Server Management port to start up.

Solution:
Do the following:
1. Open the command prompt window.
2. Navigate to %ARCOT_HOME%.
3. Start CA Risk Authentication Server in the debug mode, as follows:
   arrfserver.exe -debug -port
   After the Server Management port is open, the Master Administrator can log in to the Administration Console and configure the other ports.

SDK Errors

Problem:
I have set a new CA Risk Authentication configuration and I am trying to invoke Java APIs that use this new configuration, but I see the following error:
Configuration not Found

Cause:
You might not have restarted the CA Risk Authentication Server.

Solution:
You must restart the CA Risk Authentication Server to use any new configurations.

Chapter 21: How to Uninstall CA Risk Authentication

You can uninstall CA Risk Authentication from the Windows Control Panel or run the uninstaller file (Uninstall CA Risk Authentication.exe) to remove CA Risk Authentication from your system. After you complete the uninstallation process, perform the post-uninstallation tasks to clean up the residual WAR files and entries.

Important! Before you uninstall CA Risk Authentication, first remove its schema and then proceed with the uninstallation process.

If you installed both CA Strong Authentication and CA Risk Authentication and you are uninstalling only CA Risk Authentication, follow the guidelines given in the following sections. These guidelines ensure that you do not remove or modify the common components that are also used by CA Strong Authentication.

This section guides you through the steps for uninstalling CA Risk Authentication and its components.
1. Drop CA Risk Authentication Schema
2. Uninstall CA Risk Authentication Server
3. Perform Post-Uninstallation Tasks

Drop the CA Risk Authentication Schema

If you plan to uninstall only CA Risk Authentication, then do one of the following steps:
■ If you first installed CA Risk Authentication and then CA Strong Authentication--first drop the CA Strong Authentication schema and then drop the CA Risk Authentication schema.
■ If you first installed CA Strong Authentication and then CA Risk Authentication--drop only the CA Risk Authentication schema.

Note: If you plan to uninstall both products, then you can drop both schemas in any order.

Follow these steps:

1. Navigate to the following directory: \Arcot Systems\dbscripts\
2. Based on the database type that you use, navigate to one of the following subdirectories:
   ■ For Oracle: \Arcot Systems\dbscripts\oracle\
   ■ For Microsoft SQL Server: \Arcot Systems\dbscripts\mssql\
   ■ For MySQL: \Arcot Systems\dbscripts\mysql\
3. Run the scripts in the following order to drop all database tables of CA Risk Authentication and related components:
   a. Run drop-riskauth-8.0.sql.
   b. If applicable, run drop-riskauth-3dsecure-8.0.sql.
   c. If you have not installed, run drop-arcot-common-8.0.sql.
      Note: The drop-arcot-common-8.0.sql script is used to remove the schema for common components. This schema is used by both CA Strong Authentication and CA Risk Authentication. If you have already (successfully) installed CA Strong Authentication, you must not drop this schema because CA Strong Authentication can continue to use it.
4. If you have no further use for the database user account that you had created for the CA Risk Authentication schema, delete that user account.

Uninstall CA Risk Authentication Server

Uninstalling CA Risk Authentication removes all files and scripts required to clear the database.
If you need to remove the CA Risk Authentication database, see Dropping CA Risk Authentication Schema before proceeding.

Important! If you installed CA Risk Authentication first, and then CA Strong Authentication, you must first uninstall CA Strong Authentication Server and then uninstall CA Risk Authentication Server.

Follow these steps:

1. Shut down the following servers:
   a. CA Risk Authentication Server
   b. Case Management Queuing Server
   c. Any application servers where other CA Risk Authentication components are deployed.
2. Close the Administration Console.
3. Verify that all INI and other CA Risk Authentication configuration files are closed.
4. Click Start, Settings, Control Panel, Add/Remove Programs to open the Add or Remove Programs window.
5. Select CA Risk Authentication, then click Change/Remove.
   Note: You can also uninstall CA Risk Authentication by running Uninstall CA Risk Authentication.exe available in the \Arcot Systems\Uninstall CA Risk Authentication\ directory.
6. Select one of the following options:
   ■ To uninstall all components of CA Risk Authentication, select Complete Uninstall, and go to Step 8.
     Note: You may have to wait for a few minutes for the uninstallation process to complete.
   ■ To uninstall the selected components, select Uninstall Specific Features. Click Next. Go to Step 7.
7. Deselect the components that you want to uninstall and click Uninstall.
   Important! To Uninstall Specific Features, follow the reverse sequence in which you installed the components. For example, if you installed CA Risk Authentication Server and then Administration Console, then first uninstall Administration Console and only then the CA Risk Authentication Server.
8. Click Done to complete the process.

Perform Post Uninstall Tasks

Following are post-uninstall steps that you must perform to ensure that all CA Risk Authentication components were removed.
Follow these steps:

1. Delete the \Arcot Systems\ directory.
   Note: If multiple CA products are installed on this system, then delete this directory only if this is the last product to be uninstalled.
2. Stop the application server.
3. Uninstall the following WAR files from the appropriate subdirectory in APP-SERVER-HOME.
   Note: Here, APP-SERVER-HOME represents the directory path where the application server (for example, Apache Tomcat) is installed. See the application server vendor documentation for detailed information about uninstalling the WAR files.
   ■ arcotadmin.war: Administration Console
   ■ arcotuds.war: User Data Service, if deployed
   ■ riskauth-8.0-sample-application.war: Sample Application
   ■ riskauth-8.0-sample-callouts.war: Sample Callout
   Note: If you have a distributed-system deployment, then locate these files on the system where you have deployed the particular application.
4. If you used Oracle Database for the database setup, delete the tabspace_arreports_.dat file from the system running the CA Risk Authentication database.
5. Delete the DSN entry. To delete this entry, open the Control Panel. Navigate to Administrative Tools, Data Sources (ODBC), System DSN, and select the required DSN. Click Remove.
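The post-uninstall steps above can be verified with a script. The following is an added example, not part of the CA documentation or tooling: a PowerShell script that reports any remaining installation directory, WAR deployment, or System DSN, so that an administration console or sample application is not left deployed by accident. The parameter names are assumptions of this example, and all three values are site-specific and must be supplied by the operator.

```powershell
# Added example (not CA-supplied): report residue left after the uninstall.
# All three parameter values are site-specific and supplied by the operator.
param(
    [Parameter(Mandatory)] [string] $ArcotDir,       # full path of the "Arcot Systems" directory
    [Parameter(Mandatory)] [string] $AppServerHome,  # APP-SERVER-HOME from the guide
    [Parameter(Mandatory)] [string] $DsnName         # System DSN created during installation
)

$findings = New-Object System.Collections.Generic.List[string]

# Step 1: the installation directory should be gone.
if (Test-Path -LiteralPath $ArcotDir) {
    $findings.Add("Directory still present: $ArcotDir")
}

# Step 3: WAR names as listed in the guide. A servlet container that unpacks
# WARs (Tomcat does by default) also leaves a directory named after the WAR,
# which is deployed again at the next start if only the .war file was deleted.
$apps = 'arcotadmin', 'arcotuds',
        'riskauth-8.0-sample-application', 'riskauth-8.0-sample-callouts'
if (Test-Path -LiteralPath $AppServerHome) {
    $items = Get-ChildItem -LiteralPath $AppServerHome -Recurse -Force -ErrorAction SilentlyContinue
    foreach ($item in $items) {
        foreach ($app in $apps) {
            $isWar      = (-not $item.PSIsContainer) -and ($item.Name -eq "$app.war")
            $isExploded = $item.PSIsContainer -and ($item.Name -eq $app)
            if ($isWar -or $isExploded) {
                $findings.Add("Deployment still present: $($item.FullName)")
            }
        }
    }
}

# Step 5: the System DSN should no longer be registered (32-bit or 64-bit).
$dsns = Get-OdbcDsn -Name $DsnName -DsnType System -Platform All -ErrorAction SilentlyContinue
foreach ($dsn in $dsns) {
    $findings.Add("System DSN still registered: $($dsn.Name) ($($dsn.Platform))")
}

if ($findings.Count -eq 0) {
    Write-Output 'No CA Risk Authentication residue found.'
    exit 0
}
$findings | ForEach-Object { Write-Output $_ }
exit 1
```

In a distributed deployment, run the script on each system where a component was deployed. If other CA products remain installed, a finding for the \Arcot Systems\ directory is expected.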