10.1 Running the Identity Governance Configuration Utility

The Identity Governance Configuration Utility allows you to modify settings for Identity Governance, such as the URL for Identity Governance, the authentication server, OSP, and email notifications. You can also specify an external provisioning system for workflows and the settings for collection and publication.

You can run this utility in GUI or console mode from the Identity Governance installation location. To script changes to the configuration of Identity Governance, use the console mode option.

From the command line, navigate to the installation directory for Identity Governance (the default location for each platform is listed below), then enter one of the following commands:

  • Linux: Default location of /opt/netiq/idm/apps/idgov, then enter one of the following commands:

    • Console mode: ./bin/configutil.sh -password db_password -console

    • GUI mode: ./bin/configutil.sh -password db_password

  • Windows: Default location of c:\netiq\idm\apps\idgov, then enter one of the following from a command prompt:

    • Console mode: configutil.bat -password db_password -console

    • GUI mode: configutil.bat -password db_password

The utility provides settings under the following tabs:

10.1.1 Identity Governance Server Details

This tab allows you to display your organization’s branding instead of the default branding displayed when your users run Identity Governance.

NOTE: In early versions of Identity Governance (formerly named Access Review), this tab included values for the login page, such as protocol, host name, and port. Starting with Access Review 1.5, those values are on the Authentication Server Details tab.

10.1.2 Authentication Server Details

This tab defines the values for the LDAP authentication server, OSP authentication service, and bootstrap administrator. For more information, see Understanding Authentication for Identity Governance.

This tab provides the following groups of settings:

OAuth Server

This section represents the values for the LDAP authentication server.

Same as IG Server

Specifies whether the authentication server runs on the same computer as Identity Governance.

Protocol

Applies only when the authentication server and the Identity Governance server run on different computers.

Specifies whether you want to use http or https. To use Secure Sockets Layer (SSL) for communications, specify https.

Host Name

Applies only when the authentication server and the Identity Governance server run on different computers.

Specifies the DNS name or IP address of the LDAP authentication server. Do not use localhost.

Port

Applies only when the authentication server and the Identity Governance server run on different computers.

Specifies the port that you want the server to use for communication with client computers. The default is 8080. To use SSL, the default is 8443.

OAuth SSO Client

This section represents the values for OAuth authentication services to Identity Governance.

IG Client ID

Specifies the client ID of Identity Governance with which it is registered to OSP.

IG Client Secret

Specifies the client password of Identity Governance with OSP.

IG Redirect URL

Specifies the URL that OSP uses to redirect to the Identity Governance login page if the authentication token is valid.

IG Request Client ID

Specifies the client ID of Identity Governance Access Request with which it is registered to OSP.

IG Request Client Secret

Specifies the client password of Identity Governance Access Request with OSP.

IG Request Redirect URL

Specifies the URL that OSP uses to redirect to the Identity Governance Access Request page if the authentication token is valid.

Bootstrap Admin

This section represents the values for the bootstrap administrator. For more information, see Understanding the Bootstrap Administrator for Identity Governance.

Bootstrap Admin

Specifies the name of the bootstrap administrator account. The default value is igadmin.

(Conditional) When connecting to an existing Identity Manager authentication server, specify the full DN of a unique identity that already exists and can access Identity Manager Home as a bootstrap administrator. For example, cn=uaadmin,ou=sa,o=data.

NOTE: The name of this account must be unique. Do not duplicate any accounts in the adminusers.txt file or in the container source or subtrees that you use for authentication.

Authentication Source

Specifies whether the credentials for the bootstrap admin reside in an Identity Vault (LDAP authentication server) or a text file.

(Conditional) If you specify File, you must also specify values for Directory and Filename that correspond to the file that stores your bootstrap admin information. The default location depends on the platform:

  • Linux: Default location of /opt/netiq/idm/apps/idgov/osp

  • Windows: Default location of c:\netiq\idm\apps\idgov\osp

10.1.3 Security Settings

This tab defines the values for authentication matching and Identity Governance services.

Auth Matching Rules

Specifies how Identity Governance authenticates login requests and grants the appropriate permissions to users. Enter one or more rules that Identity Governance uses to compare attributes in the SUSER table, such as dn, with attributes retrieved from OSP. Specify the matching rules using properties named iac.auth.matching.rule.N.attrs where N specifies the order that Identity Governance uses the rule to match users, such as 1, 2, 3, and so on.

Keep in mind the following points:

  • For best results, add an index for the matching rule attributes.

  • Identity Governance evaluates only collected attribute values for the matching rules, not edited values.

  • When an attribute value is a string, Identity Governance performs an exact case match by default.

IMPORTANT: Set all matching rule attributes with the following list and search options in the Identity Governance User (identity) schema:

  • Display in lists and detail views

  • Available in catalog searches. Changes take effect after publication.

For more information, see Adding or Editing Attributes to Extend the Schema.

Auth Attribute Map

Specifies the mapping of SUSER attributes to OSP attributes using a comma-separated list of attribute name pairs. Use the format SUSER attribute:OSP attribute. For example, dn:name,lastName:last_name,firstName:first_name,emails:email maps the SUSER attributes of dn, lastName, firstName, and emails to the OSP attributes of name, last_name, first_name, and email.
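The following Python is an added illustration (not Identity Governance code) of how the matching rules and the attribute map described above combine: it parses the iac.auth.matching.rule.N.attrs properties and the SUSER attribute:OSP attribute map, then evaluates constructed SUSER rows against constructed OSP attributes in rule order, using exact-case string comparison by default. The sample rows, the OSP attributes and the policy that the first rule selecting exactly one SUSER row wins are assumptions of the example.

```python
# Added illustration of the auth matching-rule and attribute-map semantics; this is not
# Identity Governance code. Property names and the map format are from the documentation;
# the SUSER rows, OSP attributes and the "first rule with exactly one match wins" policy
# are this example's assumptions.
from typing import Dict, List, Optional

AUTH_ATTRIBUTE_MAP = "dn:name,lastName:last_name,firstName:first_name,emails:email"
MATCHING_RULE_PROPERTIES = {            # constructed: rule N is tried in order N = 1, 2, 3
    "iac.auth.matching.rule.1.attrs": "dn",
    "iac.auth.matching.rule.2.attrs": "emails",
    "iac.auth.matching.rule.3.attrs": "firstName,lastName",
}
SUSER_ROWS = [                          # constructed collected (not edited) identity values
    {"id": "u1", "dn": "cn=alice,ou=users,o=data", "firstName": "Alice",
     "lastName": "Smith", "emails": "alice@example.com"},
    {"id": "u2", "dn": "cn=bob,ou=users,o=data", "firstName": "Bob",
     "lastName": "Jones", "emails": "bob@example.com"},
]


def parse_attribute_map(value: str) -> Dict[str, str]:
    """Parse 'SUSERattr:OSPattr,...' into {SUSER attribute: OSP attribute}."""
    pairs = (p.split(":", 1) for p in value.split(",") if p.strip())
    return {s.strip(): o.strip() for s, o in pairs}


def parse_matching_rules(props: Dict[str, str]) -> List[List[str]]:
    """Return the rules ordered by N; each rule is the list of SUSER attributes it compares."""
    prefix, suffix = "iac.auth.matching.rule.", ".attrs"
    keyed = [(int(k[len(prefix):-len(suffix)]), v) for k, v in props.items()
             if k.startswith(prefix) and k.endswith(suffix)]
    return [[a.strip() for a in v.split(",") if a.strip()] for _, v in sorted(keyed)]


def match_user(osp_attrs: Dict[str, str], suser_rows, attr_map, rules,
               case_sensitive: bool = True) -> Optional[str]:
    """Evaluate the rules in order against collected SUSER values. Strings compare on exact
    case by default, as the documentation states. Assumption: the first rule that selects
    exactly one row identifies the user; an ambiguous rule is skipped; no match -> None."""
    norm = (lambda v: v) if case_sensitive else (lambda v: v.lower() if isinstance(v, str) else v)
    for rule in rules:
        hits = [row["id"] for row in suser_rows
                if all(attr_map.get(a, a) in osp_attrs
                       and norm(row.get(a)) == norm(osp_attrs[attr_map.get(a, a)])
                       for a in rule)]
        if len(hits) == 1:
            return hits[0]
    return None
```

Note how a DN whose case differs from the collected value fails rule 1 under the default exact-case comparison and then falls through to the later rules, which is why the attributes named in every rule should be collected and indexed.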

IG Client ID

Specifies the name that you want to use to identify Identity Governance to each service listed.

IG Client Secret

Specifies the password for the corresponding client ID.

Enable test client for utilities

Specifies that you want to use test IDs to run utilities that interact with Identity Governance without creating client IDs for each utility.

10.1.4 Network Topology Settings

This tab defines network connection settings that Identity Governance uses to connect to the single Tomcat instance or to the load balancer if you are running Identity Governance in a cluster. If you select https for the protocol, the Keystore File and Keystore Password fields become active.

This tab also defines runtime instance settings.

10.1.5 Miscellaneous Settings

This tab defines additional settings for your configuration. Some fields are self-explanatory and some should not be changed. This tab provides the following groups of settings:

Miscellaneous

Do not change the settings in this section except for the Default Locale, if needed.

Collection and Publication Batch Sizes

These settings allow an administrator to tune the size of the record chunks that Identity Governance uses for the data collection and publication operations to achieve optimal performance in each environment.

Collection and Publication Settings

Do not clear the Clean DAAS Configuration post collection option. The Max supported Depth of permission relations field prevents loops of relationship mappings in environments with deeply nested permissions. The default setting should be best for most environments.

Identity Manager Integration

If you also have Identity Manager installed, these settings help you integrate Identity Governance with Identity Manager.

Enable integration using Identity Manager Driver for Identity Governance

Requires the Identity Manager Driver for Access Review (Access Review driver)

Specifies whether you want to integrate the permissions and permission assignment tasks in the Identity Governance catalog with the role and resource catalog in Identity Manager.

For more information, see Understanding Synchronization and Reflection.

Exclude Identity Manager permissions from review when they provision any native permissions in the same review

Specifies whether you want to review Identity Manager permissions that duplicate native permissions along with the native permissions in a review.

Data Production Timeouts

These settings allow an administrator to tune the timeout values for various data production operations to achieve optimal performance in each environment. The timeout values are expressed in milliseconds. The default values should suffice for the majority of installations.

Heartbeat interval (com.netiq.iac.dataProduction.heartbeat.interval)

The interval between heartbeat updates for data production jobs. The default is 2 minutes (120000 ms).

Job idle cutoff timeout (com.netiq.iac.dataProduction.cutoff.timeout)

The amount of time, after the last heartbeat update, that a running job is deemed to be in an idle state where the data production processing has halted. The default is 6 hours (21600000 ms).

Orphaned job idle add-on timeout (com.netiq.iac.dataProduction.orphan.addon.timeout)

The additional amount of time, combined with the Job idle cutoff timeout, that must pass before a runtime instance can detect and clean up idle data production jobs that have a different runtime identifier. The default is 1 hour (3600000 ms), which, combined with the default cutoff timeout, gives an overall default of 7 hours.
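The following Python is an added illustration (not Identity Governance code) of how the three timeouts above relate: a job is running while its last heartbeat is within the cutoff, idle once the cutoff has passed, and cleanable by a different runtime instance only after cutoff plus the orphan add-on (7 hours with the defaults). The property names and default values are the documented ones; the Job record, the runtime identifiers and the timestamps are constructed for the example.

```python
# Added illustration of the data-production timeout semantics; not Identity Governance code.
# Property names and defaults are from the documentation; the Job record, runtime
# identifiers and timestamps are constructed for this example.
from dataclasses import dataclass
from typing import Dict, List

DEFAULTS_MS: Dict[str, int] = {
    "com.netiq.iac.dataProduction.heartbeat.interval": 120_000,       # 2 minutes
    "com.netiq.iac.dataProduction.cutoff.timeout": 21_600_000,        # 6 hours
    "com.netiq.iac.dataProduction.orphan.addon.timeout": 3_600_000,   # 1 hour
}


@dataclass
class Job:
    job_id: str
    runtime_id: str          # runtime instance that owns the job (constructed identifier)
    last_heartbeat_ms: int   # epoch milliseconds of the last heartbeat update


def classify(job: Job, now_ms: int, local_runtime_id: str,
             props: Dict[str, int] = DEFAULTS_MS) -> str:
    """Return 'running', 'idle' or 'orphaned' for the job as seen from local_runtime_id.
    idle: no heartbeat within cutoff.timeout. orphaned: idle, owned by another runtime,
    and past cutoff + orphan.addon, so this instance may detect and clean it up."""
    idle_for = now_ms - job.last_heartbeat_ms
    cutoff = props["com.netiq.iac.dataProduction.cutoff.timeout"]
    addon = props["com.netiq.iac.dataProduction.orphan.addon.timeout"]
    if idle_for < cutoff:
        return "running"
    if job.runtime_id != local_runtime_id and idle_for >= cutoff + addon:
        return "orphaned"
    return "idle"


def cleanup_candidates(jobs: List[Job], now_ms: int, local_runtime_id: str,
                       props: Dict[str, int] = DEFAULTS_MS) -> List[str]:
    """Job ids that this runtime instance is allowed to clean up right now."""
    return [j.job_id for j in jobs if classify(j, now_ms, local_runtime_id, props) == "orphaned"]


def missed_heartbeats(job: Job, now_ms: int, props: Dict[str, int] = DEFAULTS_MS) -> int:
    """Whole heartbeat intervals elapsed without an update: a monitoring signal that fires
    long before the 6-hour cutoff, useful for alerting on stalled collections."""
    return (now_ms - job.last_heartbeat_ms) // props["com.netiq.iac.dataProduction.heartbeat.interval"]
```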

10.1.6 Bulk Data Update Settings

This tab defines settings that you use to submit multiple attribute updates to objects in the catalog by using a CSV file. For more information about performing bulk data updates, see Editing Attribute Values in Bulk.

Base Folder

Create a folder on your Identity Governance server for update files and specify the full path name of that folder in this field. You must also create sub-folders named input and output within it. The Identity Governance service must have read and write permission on both of these folders. Identity Governance creates the CSV data template files in the output folder, and you submit edits by copying the updated template into the input folder.

Batch Size

(Optional) Specifies the maximum number of CSV data rows processed at one time. This option is useful for tuning the memory usage of the Bulk Update process. The default value is 1000.

When you place the CSV file in the input directory, Identity Governance changes the file extension as it processes the file. The following table lists the extensions, in order, that the file goes through during the bulk process:

File Extension Name    Process
.csv                   Identity Governance starts the bulk process. This is the extension the file has when you add it to the input directory.
.ph1                   Phase 1 of the bulk process.
.fail                  If the bulk process fails, the file name becomes .fail.
.done                  If the bulk process completes, the file name becomes .done.

10.1.7 Workflow Settings

This tab defines settings that you use to automate external provisioning and notifications. This tab provides the following groups of settings:

External Provisioning System

To use an external provisioning system, specify the URL, User ID, and Password that Identity Governance needs to connect to the system. For example:

URL: http://$test:8180/IDMProv
User ID: globaladmin
Password: adminpassword

For more information, see Using Workflows to Fulfill the Changeset.

Notification System

This section represents the values that Identity Governance uses to send email notifications.

Mail Server

Specifies the IP address or DNS name and port for the mail server. For example, 12.345.675.90:25.

From Address

Specifies the email address that you want Identity Governance to use as the origination for email notifications.

NOTE: If you are using a Gmail SMTP server for your mail server, Gmail ignores this value and uses the actual Gmail address as the origination for email notifications.

Enable SMTP TLS

Specifies whether to use TLS for secure email delivery.

User ID

Specifies the email address that you want to use for authenticating Identity Governance to the mail server.

Password

Specifies the password associated with the specified User ID.

Enable persistent notification message queue

Specifies whether you want to use message queuing functionality.

Message Queue

This section represents the values for the message queue for email notifications. The queue can use TLS/SSL protocol for secure communication.

JMS broker URI

Specifies the Uniform Resource Identifier (URI) for the Java Message Service (JMS) that the mail server uses. For example, tcp://12.345.675.90:61616.

(Conditional) In a clustered environment, add failover: to the prefix, then specify the host name or IP address and port for each ActiveMQ server. Use commas to separate the server values. For example, failover:tcp://amq1.mycompany.com:61616,tcp://amq2.mycompany.com:61616.

SSL

Specifies whether you want to use TLS/SSL protocol for secure communication when sending notifications.

Queue Keystore

Applies when you want to use the SSL protocol.

Specifies the path and filename of the keystore file that contains the authentication server trust certificate for the mail server.

Queue Keystore Password

Applies when you want to use the SSL protocol.

Specifies the password used to load the keystore file.

Queue Trust Store

Applies when you want to use the SSL protocol.

Specifies the path to the Trusted Key Store that contains all trusted signers’ certificates.

Queue Trust Store Password

Applies when you want to use the SSL protocol.

Specifies the password for the Trusted Key Store.