17.3 Configuring Data Collection

17.3.1 Prerequisites

Complete the following prerequisites before configuring data collection from Identity Governance:

  • Download and install Python 2.7.61 or later. This prerequisite is applicable only if you want to run the fact configuration utility on Windows or older versions of Linux machines. RHEL 7.6 and later already have the appropriate version of Python.

  • Add the Python executable to the PATH environment variable in the computer where you configure data collection.

  • Enable entity change events collection. For more information, see Configuring the Collection of Entity Change Events.

  • Ensure that ingestion of backdated data into the database is enabled. For more information, see Tuning Ingestion of Backdated Events.

17.3.2 Configuring One-Way SSL Between Identity Governance and Transformation Hub

If you want to configure one-way authenticated SSL communication between Identity Governance and Transformation Hub, perform the following:

  1. Retrieve the CDF root CA certificate as described in Retrieving CDF Root CA.

  2. Copy the CDF root CA certificate file to a temporary location in the Identity Governance server machine.

  3. Log in to the Identity Governance server machine as a user with root access on a Linux server or administrative privileges on a Windows server. From a command prompt, change to the installation directory of the Java keytool utility.

    The default installation directory is:

    • Linux: /opt/netiq/idm/apps/jre/bin

    • Windows: c:\netiq\idm\apps\jre\bin

  4. Using the keytool utility, import the CDF root CA certificate to a truststore file:

    1. Run the following command:

      • Linux: ./keytool -import -file <cert_file> -alias <alias> -keystore <trust_store_file>

      • Windows: .\keytool -import -file <cert_file> -alias <alias> -keystore <trust_store_file>

    2. When prompted, specify a password for the truststore. Note the password; you will need it again in a later step.

    3. When you are asked to trust the certificate, enter Yes.

  5. Using the keytool utility, create a KeyStore file:

    1. Run the following command:

      • Linux: ./keytool -keystore <key_store_file> -alias <alias> -dname "CN=<ig_server_fqdn>,OU=<organizational_unit_name>,O=<organization_name>,L=<city_name>,ST=<state_name>,C=<two_letter_country_code>" -validity <validity_in_days> -genkeypair -keyalg RSA

      • Windows: .\keytool -keystore <key_store_file> -alias <alias> -dname "CN=<ig_server_fqdn>,OU=<organizational_unit_name>,O=<organization_name>,L=<city_name>,ST=<state_name>,C=<two_letter_country_code>" -validity <validity_in_days> -genkeypair -keyalg RSA

      NOTE: In the dname option, the FQDN, OU, O, L, ST, and C values must be appropriate for your company and location. For example, -dname "CN=ig.mf.com,OU=IG,O=MF,L=Sunnyvale,ST=CA,C=US"

    2. When prompted, specify a password for the KeyStore. Note the password; you will need it again in a later step.

    3. When prompted for the key password, press Enter if you want the key password to be same as the KeyStore password. Note the password; you will need it again in a later step.

  6. As mentioned in step 8 of the Creating Custom Metrics section of the Identity Governance User and Administration Guide, use the Identity Governance Configuration Utility to configure the following properties in the Identity Governance server:

    Property                                             Value
    com.netiq.iac.kafka.publisher.truststore.location    Absolute path of the truststore file created in Step 4
    com.netiq.iac.kafka.publisher.truststore.password    The truststore password specified in Step 4b
    com.netiq.iac.kafka.publisher.keystore.location      Absolute path of the KeyStore file created in Step 5
    com.netiq.iac.kafka.publisher.keystore.password      The keystore password specified in Step 5b
    com.netiq.iac.kafka.publisher.key.password           The key password specified in Step 5c

17.3.3 Configuring Mutual SSL Between Identity Governance and Transformation Hub

If client authentication is enabled in Transformation Hub, perform the following steps to configure mutual authenticated SSL between Identity Governance and Transformation Hub:

  1. On the Identity Governance Server:

    1. Log in to the Identity Governance Server machine as a user with root access on a Linux server or administrative privileges on a Windows server.

    2. Set the environment variables for the static values used by keytool:

      Linux:

      export IG=<identity governance server hostname>

      export STORES=<directory where keystore and truststore will be created>

      export CA_CERT=ca.cert.pem

      Windows:

      set IG=<identity governance server hostname>

      set STORES=<directory where keystore and truststore will be created>

      set CA_CERT=C:\Temp\ca.cert.pem

    3. (Conditional) Create the STORES directory if it does not exist:

      Linux:

      mkdir ${STORES}

      Windows:

      mkdir %STORES%

    4. From a command prompt, change to the installation directory of the keytool utility. The default installation directory is:

      Linux:

      /opt/netiq/idm/apps/jre/bin

      Windows:

      c:\netiq\idm\apps\jre\bin

    5. Using the keytool utility, create the Identity Governance key pair in a keystore file:

      1. Execute the command:

        Linux:

        ./keytool -genkeypair -alias ${IG} -keystore ${STORES}/${IG}.keystore.jks -dname "CN=<ig_server_fqdn>,OU=<organizational_unit_name>,O=<organization_name>,L=<city_name>,ST=<state_name>,C=<two_letter_country_code>" -validity <validity_in_days>

        Windows:

        .\keytool -genkeypair -alias %IG% -keystore %STORES%\%IG%.keystore.jks -dname "CN=<ig_server_fqdn>,OU=<organizational_unit_name>,O=<organization_name>,L=<city_name>,ST=<state_name>,C=<two_letter_country_code>" -validity <validity_in_days>

        NOTE: In the dname option, the FQDN, OU, O, L, ST, and C values must be appropriate for your company and location. For example, -dname "CN=ig.mf.com,OU=IG,O=MF,L=Sunnyvale,ST=CA,C=US"

      2. When prompted, specify a password for the keystore. Save the password. You will need it again in a later step.

      3. When prompted for the key password, press Enter if you want the key password to be same as the keystore password. Save the password. You will need it again in a later step.

    6. List the keystore entries and verify that the keystore contains at least one private key:

      Linux:

      ./keytool -list -keystore ${STORES}/${IG}.keystore.jks -storepass <keystore password>

      Windows:

      .\keytool -list -keystore %STORES%\%IG%.keystore.jks -storepass <keystore password>

    7. Create a Certificate Signing Request (CSR):

      Linux:

      ./keytool -certreq -alias ${IG} -keystore ${STORES}/${IG}.keystore.jks -file ${STORES}/${IG}-cert-req -storepass <keystore password> -keypass <key password>

      Windows:

      .\keytool -certreq -alias %IG% -keystore %STORES%\%IG%.keystore.jks -file %STORES%\%IG%-cert-req -storepass <keystore password> -keypass <key password>

  2. On the Transformation Hub Server:

    1. Ensure that the CDF root CA certificate and root CA key used by Transformation Hub are available in /tmp directory with the following names:

      /tmp/ca.cert.pem

      /tmp/ca.key.pem

    2. Set the environment variables for the static values used by keytool:

      export CA_CERT=/tmp/ca.cert.pem

      export CA_KEY=/tmp/ca.key.pem

      export IG_CERT_CA_TMP=/opt/ig_cert_ca_tmp

      export IG=<identity governance server hostname>

    3. Create a temporary directory on the Transformation Hub master server:

      mkdir $IG_CERT_CA_TMP

  3. Copy the ${STORES}/${IG}-cert-req file from a Linux based Identity Governance server, or the %STORES%\%IG%-cert-req file from a Windows based Identity Governance server, to the IG_CERT_CA_TMP directory on the Transformation Hub master server created in step 2c.

  4. On the Transformation Hub Server, create the signed certificate using the openssl utility:

    /bin/openssl x509 -req -CA ${CA_CERT} -CAkey ${CA_KEY} -in ${IG_CERT_CA_TMP}/${IG}-cert-req -out ${IG_CERT_CA_TMP}/${IG}-cert-signed -days <validity_in_days> -CAcreateserial -sha256

  5. On the Identity Governance server:

    1. Copy the ${IG_CERT_CA_TMP}/${IG}-cert-signed and /tmp/ca.cert.pem certificates from the Transformation Hub server to the ${STORES} directory on the Linux based Identity Governance server or %STORES% directory on the Windows based Identity Governance server.

    2. Change to the installation directory of the keytool utility. The default installation directory is:

      Linux:

      /opt/netiq/idm/apps/jre/bin

      Windows:

      c:\netiq\idm\apps\jre\bin

    3. Import the CDF root CA certificate to the truststore:

      1. Execute the command:

        Linux:

        ./keytool -importcert -file ${STORES}/${CA_CERT} -alias CARoot -keystore ${STORES}/${IG}.truststore.jks

        Windows:

        .\keytool -importcert -file %STORES%\%CA_CERT% -alias CARoot -keystore %STORES%\%IG%.truststore.jks

      2. When prompted, specify a password for the truststore. Note the password; you will need it again in a later step.

      3. When you are asked to trust the certificate, enter Yes.

    4. Import the CDF root CA certificate to the keystore:

      1. Execute the command:

        Linux:

        ./keytool -importcert -file ${STORES}/${CA_CERT} -alias CARoot -keystore ${STORES}/${IG}.keystore.jks -storepass <keystore password>

        Windows:

        .\keytool -importcert -file %STORES%\%CA_CERT% -alias CARoot -keystore %STORES%\%IG%.keystore.jks -storepass <keystore password>

      2. When you are asked to trust the certificate, enter Yes.

    5. Import the signed certificate to the keystore:

      Linux:

      ./keytool -importcert -file ${STORES}/${IG}-cert-signed -alias ${IG} -keystore ${STORES}/${IG}.keystore.jks -storepass <keystore password>

      Windows:

      .\keytool -importcert -file %STORES%\%IG%-cert-signed -alias %IG% -keystore %STORES%\%IG%.keystore.jks -storepass <keystore password>

    6. Note the keystore and truststore file paths:

      Linux:

      echo ${STORES}/${IG}.truststore.jks

      echo ${STORES}/${IG}.keystore.jks

      Windows:

      echo %STORES%\%IG%.truststore.jks

      echo %STORES%\%IG%.keystore.jks

    7. Set the value of the following properties in the Identity Governance server by using Identity Governance Configuration Utility. For more information about using the configuration utility, see the Identity Governance Configuration Utility.

      Property                                             Value
      com.netiq.iac.kafka.publisher.truststore.location    Absolute path of the truststore file
      com.netiq.iac.kafka.publisher.truststore.password    Truststore password
      com.netiq.iac.kafka.publisher.keystore.location      Absolute path of the KeyStore file
      com.netiq.iac.kafka.publisher.keystore.password      Keystore password
      com.netiq.iac.kafka.publisher.key.password           Key password

    8. Delete the following files:

      CAUTION: The following files should be deleted to prevent the distribution of security certificates that could be used to authenticate against the Transformation Hub. These files are very sensitive and should not be distributed to other machines.

      Linux:

      rm ${STORES}/${CA_CERT}

      rm ${STORES}/${IG}-cert-signed

      rm ${STORES}/${IG}-cert-req

      Windows:

      del %STORES%\%CA_CERT%

      del %STORES%\%IG%-cert-signed

      del %STORES%\%IG%-cert-req

  6. On the Transformation Hub server:

    CAUTION: The following files should be deleted to prevent the distribution of security certificates that could be used to authenticate against the Transformation Hub. These files are very sensitive and should not be distributed to other machines.

    rm ${CA_CERT}

    rm ${CA_KEY}

    rm ${IG_CERT_CA_TMP}/${IG}-cert-signed

    rm ${IG_CERT_CA_TMP}/${IG}-cert-req
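The following script is an added example and is not part of the Identity Intelligence guide or the product. It turns the keytool and openssl steps of 17.3.2 (one-way SSL) and 17.3.3 (mutual SSL) into shell functions that run without interactive prompts, and adds the checks a reviewer would want before the stores are handed to Identity Governance: the signed certificate must chain to the CDF root CA and carry the Identity Governance host as its CN, the store files end up readable only by their owner, and the temporary certificate material is wiped rather than left behind. The host name, directories, validity and the STORE_PASS / KEY_PASS environment variables are placeholders assumed by the example, not values from the guide; keytool and openssl are assumed to be on PATH.

```shell
#!/bin/sh
# Added example (not from the Identity Intelligence guide): the keytool/openssl
# steps of sections 17.3.2 and 17.3.3 as non-interactive functions with checks.
# Assumptions (placeholders): keytool and openssl are on PATH, passwords arrive
# in STORE_PASS / KEY_PASS, IG is the server FQDN, CA_CERT / CA_KEY point at
# the CDF root CA files and IG_CERT_CA_TMP is the Transformation Hub work dir.
set -eu

IG="${IG:-ig.example.com}"
STORES="${STORES:-$PWD/stores}"
CA_CERT="${CA_CERT:-/tmp/ca.cert.pem}"
CA_KEY="${CA_KEY:-/tmp/ca.key.pem}"
IG_CERT_CA_TMP="${IG_CERT_CA_TMP:-/opt/ig_cert_ca_tmp}"
VALIDITY="${VALIDITY:-365}"

# Build the -dname string from the six RDN values, refusing empty fields and a
# country code that is not two letters (keytool itself accepts a sloppy DN).
build_dname() {
  [ "$#" -eq 6 ] || { echo "build_dname: need CN OU O L ST C" >&2; return 1; }
  for v in "$@"; do [ -n "$v" ] || { echo "build_dname: empty RDN" >&2; return 1; }; done
  case "$6" in [A-Z][A-Z]) ;; *) echo "build_dname: C must be two letters" >&2; return 1 ;; esac
  printf 'CN=%s,OU=%s,O=%s,L=%s,ST=%s,C=%s\n' "$1" "$2" "$3" "$4" "$5" "$6"
}

truststore() { printf '%s/%s.truststore.jks\n' "$STORES" "$IG"; }
keystore()   { printf '%s/%s.keystore.jks\n'   "$STORES" "$IG"; }

# 17.3.2 step 4 / 17.3.3 step 5c: trust the CDF root CA.
# -noprompt replaces the interactive "Trust this certificate?" answer.
import_ca_to_truststore() {
  keytool -importcert -noprompt -file "$CA_CERT" -alias CARoot \
    -keystore "$(truststore)" -storepass "$STORE_PASS"
}

# 17.3.2 step 5 / 17.3.3 step 5a: the Identity Governance key pair.
# An explicit -keysize avoids relying on the tool's default key length.
gen_keypair() {
  keytool -genkeypair -alias "$IG" -keystore "$(keystore)" -dname "$1" \
    -validity "$VALIDITY" -keyalg RSA -keysize 2048 \
    -storepass "$STORE_PASS" -keypass "$KEY_PASS"
}

# 17.3.3 step 6: the guide asks you to confirm at least one private key exists.
count_private_keys() {
  keytool -list -keystore "$(keystore)" -storepass "$STORE_PASS" | grep -c PrivateKeyEntry
}

# 17.3.3 step 7: the CSR that is copied to the Transformation Hub server.
make_csr() {
  keytool -certreq -alias "$IG" -keystore "$(keystore)" -file "$STORES/$IG-cert-req" \
    -storepass "$STORE_PASS" -keypass "$KEY_PASS"
}

# 17.3.3 step 4 (run on the Transformation Hub server): sign the CSR.
sign_csr() {
  openssl x509 -req -CA "$CA_CERT" -CAkey "$CA_KEY" -in "$IG_CERT_CA_TMP/$IG-cert-req" \
    -out "$IG_CERT_CA_TMP/$IG-cert-signed" -days "$VALIDITY" -CAcreateserial -sha256
}

# Check the signed certificate before importing it: it must chain to the CA
# and its subject CN must be the host the key pair was generated for.
verify_signed_cert() {
  openssl verify -CAfile "$CA_CERT" "$1" >/dev/null &&
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | grep -q "CN=$IG"
}

# 17.3.3 steps 5d and 5e: CA first, then the signed certificate under the key
# pair's alias so keytool attaches it to the existing private key.
import_signed_chain() {
  keytool -importcert -noprompt -file "$STORES/$(basename "$CA_CERT")" -alias CARoot \
    -keystore "$(keystore)" -storepass "$STORE_PASS"
  keytool -importcert -noprompt -file "$STORES/$IG-cert-signed" -alias "$IG" \
    -keystore "$(keystore)" -storepass "$STORE_PASS" -keypass "$KEY_PASS"
}

# The stores hold the private key: owner-only permissions, verified after chmod.
restrict_perms() { chmod 600 "$1"; [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]; }

# 17.3.3 steps 5h and 6: wipe the CA copy, CSR and signed certificate.
secure_delete() {
  if command -v shred >/dev/null 2>&1; then shred -u "$1"; else rm -f "$1"; fi
}

# Identity Governance side of the mutual flow up to the CSR; invoke as:
#   STORE_PASS=... KEY_PASS=... sh ig_tls.sh run
if [ "$#" -gt 0 ] && [ "$1" = "run" ]; then
  : "${STORE_PASS:?}" "${KEY_PASS:?}"
  mkdir -p "$STORES"
  gen_keypair "$(build_dname "$IG" IG MF Sunnyvale CA US)"
  [ "$(count_private_keys)" -ge 1 ]
  make_csr
  restrict_perms "$(keystore)"
  echo "copy $STORES/$IG-cert-req to $IG_CERT_CA_TMP on the Transformation Hub server"
fi
```

After the Transformation Hub side has run sign_csr and the signed certificate and ca.cert.pem are back in $STORES, run import_ca_to_truststore, verify_signed_cert on the signed file, import_signed_chain, restrict_perms on both stores, and secure_delete on the three temporary files; the two store paths printed by truststore and keystore are the values for the location properties in the Identity Governance Configuration Utility.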

17.3.4 Creating Fact Configuration Files

Identity Intelligence provides a script that creates the necessary files to enable data collection from Identity Governance. When you run the script for the first time, you must specify all the necessary details of Transformation Hub, such as host, port, protocol, and database schema (only for MSSQL and Oracle).

You must also specify the interval (in hours) at which Identity Governance collects and publishes data from its data source. The interval represents the elapsed time between when a change to an identity or resource occurs in the data source and when the data is collected and published in Identity Governance. If Identity Governance is configured to collect data from its data source at scheduled intervals, there is a time lag before you see the changes in Identity Intelligence, because the data must first be collected by Identity Governance and then sent to Identity Intelligence as facts.

These details are stored in the ig-facts-configuration-tool/fact.conf file and will be used for subsequent execution of the script.

To modify any of the configuration details, you must edit the information in the fact.conf file and run the script again.

  1. Log in to the Identity Intelligence server either as the root or a non-root user.

  2. Change to the directory where you downloaded the ig-facts-configuration-tool.tar utility file.

    For information about downloading the utility file, see Downloading Identity Intelligence.

  3. Execute the tar -xvf ig-facts-configuration-tool.tar command to extract the archive.

  4. Change to ig-facts-configuration-tool directory:

    cd ig-facts-configuration-tool

  5. Run the script:

    python ig_facts.py

    The script creates the following files in the ig-facts-configuration-tool/output directory:

    • entity_reconciliation_id_attribute_payload.json

    • account_domain_attribute_payload.json

    • facts_creation.json

  6. Copy these files to the Identity Governance server.

  7. Continue with Mapping Attributes for Data Reconciliation.

17.3.5 Mapping Attributes for Data Reconciliation

Identity Intelligence performs data reconciliation based on certain unique fields for each entity type. When you run the fact configuration utility, it creates the entity_reconciliation_id_attribute_payload.json file to enable data reconciliation and the account_domain_attribute_payload.json file to get the account domain of the data source. Therefore, you must import these files into Identity Governance. These files create the following attributes, and you must map the appropriate values for these attributes:

  • entity_reconciliation_id: You can either use the entity_reconciliation_id field or use any of the attributes available in the Identity Intelligence schema for Identity entity reconciliation. For more information, see Reconciling Data for the Identity Entity.

    If you want to use entity_reconciliation_id, map this field with the appropriate attribute in Identity Governance.

  • Account Domain: Map the domain name of the data source by extracting it from the distinguished name.

    To extract the domain name from the distinguished name, Identity Intelligence provides the domainExtraction.js transformation script, which is available in the configuration utility.
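The function below is an added example, not the domainExtraction.js script that ships with the configuration utility. It implements the same idea (deriving the account domain from a distinguished name) as a shell function so that the mapping can be sanity-checked against sample DNs before it is configured on each account source. It assumes the domain is the dot-joined sequence of DC components read left to right, matched case-insensitively and normalized to lower case, and that a DN without DC components yields an empty string; these assumptions are the example's, not the guide's.

```shell
#!/bin/sh
# Added example (not the product's domainExtraction.js): derive the account
# domain from a distinguished name by joining its DC components with dots.
# Assumptions: DC components appear left to right in domain order, attribute
# names are matched case-insensitively, and the result is lower-cased because
# DNS names are case-insensitive and a normalized value reconciles cleanly.
set -eu

domain_from_dn() {
  # Split the DN on commas, trim leading space, keep DC= components, join.
  printf '%s\n' "$1" | tr ',' '\n' | awk -F= '
    { sub(/^[ \t]+/, "", $1) }
    toupper($1) == "DC" { out = out (out == "" ? "" : ".") $2 }
    END { print tolower(out) }'
}

# Constructed sample DNs, as a quick check of the mapping before it is applied.
for dn in 'CN=jdoe,OU=Users,DC=corp,DC=example,DC=com' \
          'cn=jdoe, ou=Users, dc=CORP, dc=Example, dc=com' \
          'uid=jdoe,ou=people,o=example'; do
  printf '%s -> "%s"\n' "$dn" "$(domain_from_dn "$dn")"
done
```

A DN with no DC components (the third sample, typical of a non-directory source) maps to an empty domain, which is the case to watch for when reviewing reconciliation results: an empty Account Domain on a source means the transformation could not find a domain, not that the source has none.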

To map the newly added attributes:

  1. Log in to Identity Governance as a Global Administrator.

  2. Import the identity attribute:

    1. Click Data Administration > Identity Attributes > Import Attributes.

    2. Browse to select the entity_reconciliation_id_attribute_payload.json file that you copied from Identity Intelligence.

    3. Click Import.

  3. (Conditional) If you want to use entity_reconciliation_id for identity reconciliation, map the entity_reconciliation_id attribute on every Identity source as follows:

    1. Click Data Sources > Identities.

    2. Select the appropriate Identity source.

    3. Click Identity source name > Collect Identity.

    4. Specify the appropriate attribute that must be used for identity data reconciliation in entity_reconciliation_id.

  4. Import the account attribute:

    1. Click Data Administration > Account Attributes > Import Attributes.

    2. Browse to select the account_domain_attribute_payload.json file that you copied from Identity Intelligence.

    3. Click Import.

  5. Map the Account domain attribute on every Account source as follows:

    1. Click Data Sources > Applications.

    2. Select the appropriate Account source.

    3. Click Account source name > Collect Connected Account.

    4. Click the script icon of Account Domain.

    5. Click Or upload a script file and upload the domainExtraction.js transformation script.

      For more information, see the Creating Identity and Application Sources section in the Identity Governance Administrator Guide.

  6. Continue with Collecting Metrics from Identity Governance.

17.3.6 Collecting Data from Identity Governance

To initiate data collection, you must collect metrics from Identity Governance:

  1. Log in to Identity Governance as a Global Administrator.

  2. Import the custom metrics:

    1. Click Configuration > Analytics and Role Mining Settings > Metrics Collection > Import Custom Metrics.

    2. Browse to select the facts_creation.json file that you copied from Identity Intelligence.

    3. Click Import.

    You can see the list of newly created facts prefixed with an asterisk (*).

  3. Select the required facts and click Actions > Collect metrics > Collect Now.

  4. Continue with Reverting Backdated Events Configuration.