The Identity Governance Configuration Utility allows you to modify settings for Identity Governance, such as the URL for Identity Governance, the authentication server, OSP, and email notifications. You can also specify an external provisioning system for workflows and the settings for collection and publication.
You can run this utility in GUI or console mode from the Identity Governance installation location. To script changes to the configuration of Identity Governance, use the console mode option.
From the command line, navigate to the Identity Governance installation directory. The default locations and the commands for each platform are as follows:
Linux: Default location of /opt/netiq/idm/apps/idgov, then enter one of the following commands:
Console mode: ./bin/configutil.sh -password db_password -console
GUI mode: ./bin/configutil.sh -password db_password
Windows: Default location of c:\netiq\idm\apps\idgov, then enter one of the following from a command prompt:
Console mode: configutil.bat -password db_password -console
GUI mode: configutil.bat -password db_password
The utility provides settings under the following tabs:
This tab allows you to display your organization’s branding instead of the default branding displayed when your users run Identity Governance.
NOTE: In early versions of Identity Governance (formerly named Access Review), this tab included values for the login page, such as protocol, host name, and port. Starting with Access Review 1.5, those values are on the Authentication Server Details tab.
This tab defines the values for the LDAP authentication server, OSP authentication service, and bootstrap administrator. This tab provides the following groups of settings:
For more information, see Understanding Authentication for Identity Governance.
This section represents the values for the LDAP authentication server.
Specifies whether the authentication server runs on the same computer as Identity Governance.
Applies only when the authentication server and the Identity Governance server run on different computers.
Specifies whether you want to use http or https. To use Secure Sockets Layer (SSL) for communications, specify https.
Applies only when the authentication server and the Identity Governance server run on different computers.
Specifies the DNS name or IP address of the LDAP authentication server. Do not use localhost.
Applies only when the authentication server and the Identity Governance server run on different computers.
Specifies the port that you want the server to use for communication with client computers. The default is 8080. To use SSL, the default is 8443.
This section represents the values for OAuth authentication services to Identity Governance.
Specifies the client ID under which Identity Governance is registered with OSP.
Specifies the client password that Identity Governance uses to authenticate to OSP.
Specifies the URL to which OSP redirects the user after authentication, landing on the Identity Governance login page when the authentication token is valid.
Specifies the client ID under which Identity Governance Access Request is registered with OSP.
Specifies the client password that Identity Governance Access Request uses to authenticate to OSP.
Specifies the URL to which OSP redirects the user after authentication, landing on the Identity Governance Access Request page when the authentication token is valid.
This section represents the values for the bootstrap administrator. For more information, see Understanding the Bootstrap Administrator for Identity Governance.
Specifies the name of the bootstrap administrator account. The default value is igadmin.
(Conditional) When connecting to an existing Identity Manager authentication server, specify the full DN of a unique identity that already exists and can access Identity Manager Home as a bootstrap administrator. For example, cn=uaadmin,ou=sa,o=data.
NOTE: The name of this account must be unique. Do not duplicate any accounts in the adminusers.txt file or in the container source or subtrees that you use for authentication.
Specifies whether the credentials for the bootstrap admin reside in an Identity Vault (LDAP authentication server) or a text file.
(Conditional) If you specify File, you must also specify values for Directory and Filename that correspond to the file that stores your bootstrap admin information. The default locations are as follows:
Linux: Default location of /opt/netiq/idm/apps/idgov/osp
Windows: Default location of c:\netiq\idm\apps\idgov\osp
This tab defines the values for authentication matching and Identity Governance services.
Specifies how Identity Governance authenticates login requests and grants the appropriate permissions to users. Enter one or more rules that Identity Governance uses to compare attributes in the SUSER table, such as dn, with attributes retrieved from OSP. Specify the matching rules using properties named iac.auth.matching.rule.N.attrs where N specifies the order that Identity Governance uses the rule to match users, such as 1, 2, 3, and so on.
Keep in mind the following points:
For best results, add an index for the matching rule attributes.
Identity Governance evaluates only collected attribute values for the matching rules, not edited values.
When an attribute value is a string, Identity Governance performs an exact case match by default.
IMPORTANT: Set all matching rule attributes with the following list and search options in the Identity Governance User (identity) schema:
Display in lists and detail views
Available in catalog searches. Changes take effect after publication.
For more information, see Adding or Editing Attributes to Extend the Schema.
Specifies the mapping of SUSER attributes to OSP attributes using a comma-separated list of attribute name pairs. Use the format SUSER attribute:OSP attribute. For example, dn:name,lastName:last_name,firstName:first_name,emails:email maps the SUSER attributes of dn, lastName, firstName, and emails to the OSP attributes of name, last_name, first_name, and email.
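The following added example (not NetIQ code) simulates how the ordered iac.auth.matching.rule.N.attrs rules and the SUSER:OSP attribute mapping above pair an OSP login with a row in the SUSER table. The SUSER rows and OSP attributes are constructed; that a rule's value is a comma-separated attribute list and that a rule must yield exactly one row are assumptions for the illustration.

```python
import re
from typing import Dict, List, Optional

# Constructed sample data: collected SUSER rows (edited values are not used).
SUSER_TABLE: List[Dict[str, str]] = [
    {"dn": "cn=jdoe,ou=users,o=data", "lastName": "Doe", "firstName": "Jane",
     "emails": "jdoe@example.com"},
    {"dn": "cn=asmith,ou=users,o=data", "lastName": "Smith", "firstName": "Al",
     "emails": "asmith@example.com"},
]
# Hypothetical properties; a comma-separated attribute list per rule is an assumption.
PROPERTIES = {
    "iac.auth.matching.rule.2.attrs": "lastName,firstName",
    "iac.auth.matching.rule.1.attrs": "dn",
}
ATTRIBUTE_MAP = "dn:name,lastName:last_name,firstName:first_name,emails:email"


def parse_attribute_map(spec: str) -> Dict[str, str]:
    """Turn 'SUSERattr:OSPattr,...' into {SUSER attribute: OSP attribute}."""
    mapping: Dict[str, str] = {}
    for pair in filter(None, (p.strip() for p in spec.split(","))):
        suser_attr, osp_attr = (s.strip() for s in pair.split(":", 1))
        mapping[suser_attr] = osp_attr
    return mapping


def parse_matching_rules(props: Dict[str, str]) -> List[List[str]]:
    """Collect iac.auth.matching.rule.N.attrs entries, ordered by N."""
    found = []
    for key, value in props.items():
        m = re.fullmatch(r"iac\.auth\.matching\.rule\.(\d+)\.attrs", key)
        if m:
            found.append((int(m.group(1)), [a.strip() for a in value.split(",") if a.strip()]))
    return [attrs for _, attrs in sorted(found)]


def match_user(osp_attrs: Dict[str, str], rules: List[List[str]],
               attr_map: Dict[str, str], table: List[Dict[str, str]]) -> Optional[int]:
    """Index of the SUSER row found by the first rule that yields exactly one row
    (uniqueness is an assumption); comparisons are exact and case-sensitive."""
    for attrs in rules:
        hits = [idx for idx, row in enumerate(table)
                # every attribute in the rule must exist on both sides and be equal
                if all(a in row and attr_map.get(a, a) in osp_attrs
                       and row[a] == osp_attrs[attr_map.get(a, a)] for a in attrs)]
        if len(hits) == 1:
            return hits[0]
    return None


def lookup(osp_attrs: Dict[str, str]) -> Optional[int]:
    """Match against the constructed configuration above."""
    return match_user(osp_attrs, parse_matching_rules(PROPERTIES),
                      parse_attribute_map(ATTRIBUTE_MAP), SUSER_TABLE)
```

Rule 1 (dn) is tried first; when the OSP name does not match any collected dn, rule 2 (lastName, firstName) is evaluated, and a value that differs only in case does not match.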
Specifies the name that you want to use to identify Identity Governance to each service listed.
Specifies the password for the corresponding client ID.
Specifies that you want to use test IDs to run utilities that interact with Identity Governance without creating client IDs for each utility.
This tab defines network connection settings that Identity Governance uses to connect to the single Tomcat instance or to the load balancer if you are running Identity Governance in a cluster. If you select https for the protocol, the Keystore File and Keystore Password fields become active.
This tab also defines runtime instance settings.
This tab defines additional settings for your configuration. Some fields are self-explanatory and some should not be changed. This tab provides the following groups of settings:
Do not change the settings in this section except for the Default Locale, if needed.
These settings allow an administrator to tune the size of the record chunks that Identity Governance uses for the data collection and publication operations to achieve optimal performance in each environment.
Do not clear the Clean DAAS Configuration post collection option. The Max supported Depth of permission relations field prevents loops of relationship mappings in deeply nested permissions environments. The default setting should be best for most environments.
If you also have Identity Manager installed, these settings help you integrate Identity Governance with Identity Manager.
Requires the Identity Manager Driver for Access Review (Access Review driver)
Specifies whether you want to integrate the permissions and permission assignment tasks in the Identity Governance catalog with the role and resource catalog in Identity Manager.
For more information, see Understanding Synchronization and Reflection.
Specifies whether you want to review Identity Manager permissions that duplicate native permissions along with the native permissions in a review.
These settings allow an administrator to tune the timeout values for various data production operations to achieve optimal performance in each environment. The timeout values are expressed in milliseconds. The default values should suffice for the majority of installations.
The interval between heartbeat updates for data production jobs. The default is 2 minutes (120000 ms).
The amount of time, after the last heartbeat update, that a running job is deemed to be in an idle state where the data production processing has halted. The default is 6 hours (21600000 ms).
The additional amount of time, added to the Job idle cutoff timeout, that must pass before a runtime instance can detect and clean up idle data production jobs that belong to a different runtime identifier. The default is 1 hour (3600000 ms), which combined with the default cutoff timeout gives an overall default of 7 hours.
This tab defines settings that you use to submit multiple attribute updates to objects in the catalog by using a CSV file. For more information about performing bulk data updates, see Editing Attribute Values in Bulk.
Create a folder on your Identity Governance server for update files. Specify the full path name of that folder in this field. You must also create sub-folders named input and output. The Identity Governance service must have read/write access permission on both of these folders. Identity Governance creates the CSV data template files in the output folder, and you submit edits by copying the updated template into the input folder.
(Optional) Specifies the maximum number of CSV data rows processed at one time. This option is useful for tuning the memory usage of the Bulk Update process. The default value is 1000.
When you place the CSV file in the input directory, Identity Governance changes the file extension as it processes the file. The following table lists the extensions and the processing stage each one indicates during the bulk process:

File Extension Name | Process
---|---
.csv | Identity Governance starts the bulk process. This is the name of the file when you add it to the input directory.
.ph1 | Phase 1 of the bulk process.
.fail | If the bulk process fails, the file name becomes .fail.
.done | If the bulk process completes, the file name becomes .done.
This tab defines settings that you use to automate external provisioning and notifications. This tab provides the following groups of settings:
To use an external provisioning system, specify the URL, User ID, and Password that Identity Governance needs to connect to the system. For example:
http://$test:8180/IDMProv
globaladmin
adminpassword
For more information, see Using Workflows to Fulfill the Changeset.
This section represents the values that Identity Governance uses to send email notifications.
Specifies the IP address or DNS name and port for the mail server. For example, 12.345.675.90:25.
Specifies the email address that you want Identity Governance to use as the origination for email notifications.
NOTE: If you are using a Gmail SMTP server for your mail server, Gmail ignores this value and uses the actual Gmail address as the origination for email notifications.
Specifies to use secure email delivery.
Specifies the email address that you want to use for authenticating Identity Governance to the mail server.
Specifies the password associated with the specified User ID.
Specifies whether you want to use message queuing functionality.
This section represents the values for the message queue for email notifications. The queue can use TLS/SSL protocol for secure communication.
Specifies the Uniform Resource Identifier (URI) for the Java Message Service (JMS) that the mail server uses. For example, tcp://12.345.675.90:61616.
(Conditional) In a clustered environment, add failover: to the prefix, then specify the host name or IP address and port for each ActiveMQ server. Use commas to separate the server values. For example, failover:tcp://amq1.mycompany.com:61616,tcp://amq2.mycompany.com:61616.
Specifies whether you want to use TLS/SSL protocol for secure communication when sending notifications.
Applies when you want to use the SSL protocol.
Specifies the path and filename of the keystore file that contains the authentication server trust certificate for the mail server.
Applies when you want to use the SSL protocol.
Specifies the password used to load the keystore file.
Applies when you want to use the SSL protocol.
Specifies the path to the Trusted Key Store that contains all trusted signers’ certificates.
Applies when you want to use the SSL protocol.
Specifies the password for the Trusted Key Store.