In some installation scenarios, you must take additional steps to prepare OSP for use with Identity Governance. For example, running OSP in an environment without Identity Manager, or using Active Directory as your LDAP authentication server, requires additional steps. Also, if you did not enable auditing during the installation process and want to enable it for OSP, you must perform additional steps.
When you run OSP on a different Tomcat server than Identity Governance, and you do not have Identity Manager in your environment, you must ensure that the Configuration Update utility has the appropriate values to run OSP. The Configuration Update utility (configupdate.sh or configupdate.bat) contains the settings that allow OSP to function, as well as settings for Identity Governance. After installing Identity Governance, you must update several settings in both utilities. For more information, see SSO Clients Parameters in the NetIQ Identity Manager Setup Guide for Linux.
1. Create a backup copy of the ism-configuration.properties file.
   Linux: Default location is /opt/netiq/idm/apps/tomcat/conf
   Windows: Default location is C:\opt\netiq\idm\apps\tomcat\conf
2. In a text editor, open configupdate.sh.properties or configupdate.bat.properties to update values.
   Linux: Default location is /opt/netiq/idm/apps/configupdate
   Windows: Default location is c:\netiq\idm\apps\configupdate
3. In the file, modify the properties to the following values:
   - Change is_prov to false.
   - (Conditional) Change use_ssl to false if your LDAP server is not set up for SSL communication.
   - (Optional) Change use_console to true if you want to run the utility in console mode; otherwise, change use_console to false to open the Configuration Update utility in GUI mode.
4. Save and close the file.
5. Update settings in the Configuration Update utility:
   a. Launch the Configuration Update utility.
      Linux: Default location is /opt/netiq/idm/apps/configupdate
      ./configupdate.sh edition=none
      Windows: Default location is C:\netiq\idm\apps\configupdate
      configupdate.bat edition=none
      NOTE: Adding edition=none on the command line avoids having to modify this value within the configupdate.sh.properties or configupdate.bat.properties file. It also avoids certain unnecessary fields that the Configuration Update utility would otherwise require values for in order to save.
   b. Select SSO Clients.
   c. Under Reporting, specify values for the following parameters:
      NOTE: Regardless of whether you use Identity Reporting, the utility requires values in these fields.
      - OAuth client ID (for example, rpt)
      - OAuth client secret
      - URL link to landing page (for example, http://123.456.78.90:8180/#/landing)
      - URL link to Identity Governance (for example, http://123.456.78.90:8080/#/nav)
      - OSP Oauth redirect url (for example, http://123.456.78.90:8180/IDMRPT/oauth.html)
   d. Under DCS Driver, specify values for the following parameters:
      NOTE: Regardless of whether you use Identity Reporting, the utility requires values in these fields.
      - OAuth client ID (for example, dcsdriver)
      - OAuth client secret
   e. To save your changes, select OK.
6. Update the settings for Identity Vault and Authentication, as needed.
7. (Conditional) If this is the first time you run the Configuration Update utility, under Authentication, go to Advanced Settings and enter the Bootstrap administrator password. Doing this ensures that the adminusers.txt file is not overwritten or deleted. If you do not, you will not be able to log in as the Bootstrap administrator when you restart Tomcat.
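The file edits in steps 1 through 4, as an added example that is not part of the NetIQ documentation: a POSIX shell script that backs up ism-configuration.properties and then sets is_prov, use_ssl and use_console in the configupdate properties file, replacing a key that is already present instead of appending a duplicate. It assumes, which the page does not state, that the file is an ordinary key=value properties file with one key per line; the sample file contents are constructed, and the demo works in a temporary directory so nothing under /opt/netiq is changed. Because use_ssl=false means the utility binds to LDAP without TLS, the script flags that setting on stderr when it is applied.

```shell
#!/bin/sh
# Added example, not from the NetIQ documentation: scripted version of steps 1-4
# (back up ism-configuration.properties, then set is_prov, use_ssl and use_console
# in the configupdate properties file). Assumed, not stated on the page: the
# properties file is a plain "key=value" file with one key per line.

# backup_file FILE
# Copies FILE to FILE.bak-<timestamp>, keeping its permissions, and prints the copy's path.
backup_file() {
    bak="$1.bak-$(date +%Y%m%d%H%M%S)"
    cp -p "$1" "$bak" && printf '%s\n' "$bak"
}

# get_property FILE KEY
# Prints the value of KEY (the last occurrence wins), or nothing if KEY is absent.
get_property() {
    sed -n "s|^$2=||p" "$1" | tail -n 1
}

# set_property FILE KEY VALUE
# Rewrites an existing "KEY=..." line or appends one; every other line is kept as-is.
set_property() {
    if grep -q "^$2=" "$1"; then
        # Build the new content in a temp file and only then overwrite the target,
        # so a failed sed never leaves a half-written file. Writing through cat
        # keeps the target's owner and mode, which the Tomcat service account relies on.
        tmp=$(mktemp) || return 1
        sed "s|^$2=.*|$2=$3|" "$1" > "$tmp" && cat "$tmp" > "$1"
        rm -f "$tmp"
    else
        printf '%s=%s\n' "$2" "$3" >> "$1"
    fi
}

# prepare_osp_properties PROPS_FILE LDAP_SSL CONSOLE
#   PROPS_FILE : configupdate.sh.properties or configupdate.bat.properties (step 2)
#   LDAP_SSL   : true, or false only when the LDAP server has no SSL listener (step 3, conditional)
#   CONSOLE    : true for console mode, false for GUI mode (step 3, optional)
prepare_osp_properties() {
    set_property "$1" is_prov false
    set_property "$1" use_ssl "$2"
    set_property "$1" use_console "$3"
    if [ "$2" = "false" ]; then
        # With use_ssl=false the utility's LDAP bind, credentials included, is not protected by TLS.
        echo "notice: use_ssl=false, LDAP traffic from the utility will not be protected by TLS" >&2
    fi
}

# demo
# Runs the whole sequence against constructed sample files in a temporary directory.
# On a real host, pass the paths from steps 1 and 2 instead
# (/opt/netiq/idm/apps/tomcat/conf/ism-configuration.properties and
# /opt/netiq/idm/apps/configupdate/configupdate.sh.properties).
demo() {
    d=$(mktemp -d) || return 1
    # Constructed placeholder content; a real file carries many more keys.
    printf 'example.key=example-value\n' > "$d/ism-configuration.properties"
    printf 'is_prov=true\nuse_ssl=true\nedition=advanced\n' > "$d/configupdate.sh.properties"

    b=$(backup_file "$d/ism-configuration.properties")
    echo "backup written to $b"
    prepare_osp_properties "$d/configupdate.sh.properties" false true
    echo "is_prov is now $(get_property "$d/configupdate.sh.properties" is_prov)"
    echo "resulting configupdate.sh.properties:"
    cat "$d/configupdate.sh.properties"
    rm -rf "$d"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run the script with --demo to see the result on the constructed files; on a real host, call backup_file and prepare_osp_properties with the paths from steps 1 and 2, then launch the utility with ./configupdate.sh edition=none as in step 5.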
To use Active Directory as your LDAP authentication server, you must update the settings using the Configuration Update utility.
1. Ensure that you have prepared the Configuration Update utility for OSP. For more information, see Section 6.2.1, Ensuring the Configuration Update Utility Can Run OSP.
2. Stop Tomcat, if it is running. For examples, see Stopping, Starting, and Restarting Tomcat.
3. Launch the Configuration Update utility.
   Linux: Default location is /opt/netiq/idm/apps/configupdate
   ./configupdate.sh edition=none
   Windows: Default location is C:\netiq\idm\apps\configupdate
   configupdate.bat edition=none
   NOTE: Adding edition=none on the command line avoids having to modify this value within the configupdate.sh.properties or configupdate.bat.properties file. It also avoids certain unnecessary fields that the Configuration Update utility would otherwise require values for in order to save.
4. Select Reporting > Identity Vault Settings > Identity Vault User Identity > Login Attribute.
5. For Login Attribute, specify the attribute in Active Directory that you want to use for logging in to Identity Governance. For example, sAMAccountName.
   NOTE: This value is case-sensitive.
6. To save your change, select OK.
7. Update settings in the Identity Governance Configuration utility:
   a. Launch the Identity Governance Configuration utility.
      Linux: Default location is /opt/netiq/idm/apps/idgov/bin
      ./configutil -password database_password
      Windows: Default location is c:\netiq\idm\apps\idgov\bin
      configutil -password database_password
   b. Select Security Settings.
   c. For Auth Matching Rules, add the same Active Directory attribute that you specified for Login Attribute in Step 5. Do not delete dn. For example, the setting should now list dn and sAMAccountName.
   d. Select Save.
8. Continue with the post-installation tasks, as required.
If you did not enable auditing during the OSP installation process, you can enable it at any time. For more information, see Enabling Auditing after the Installation.