4.2 Configuring TLS/SSL Communication with the Identity Governance Database

To ensure that the Identity Governance driver communicates securely with the Identity Governance database, you can configure a TLS/SSL connection. You must enable SSL for both the database and the driver.

4.2.1 Preparing the Database Platform for SSL Communication

This section provides information for creating an SSL server certificate that the PostgreSQL and Oracle database platforms can use for secure communication with the Identity Governance driver.

Preparing PostgreSQL for SSL Communication

  1. On the server where you deployed Identity Governance, stop Tomcat.

  2. Log in to the PostgreSQL server for Identity Governance.

  3. Stop Postgres.

  4. To generate a passphrase-protected certificate, enter the following command:

    openssl req -new -text -out cert.req
  5. To remove the passphrase so the server can start the postmaster automatically, enter the following command:

    openssl rsa -in privkey.pem -out cert.pem
  6. To convert the certificate into a self-signed certificate, enter the following command:

    openssl req -x509 -in cert.req -text -key cert.pem -out cert.cert
  7. Copy the following files to the data directory of the PostgreSQL installation:

    • cp cert.pem $PGDATA/server.key

    • cp cert.cert $PGDATA/server.crt

      where $PGDATA = /opt/netiq/idm/apps/postgresql/data/

  8. To change the permission of the files, navigate to the /opt/netiq/idm/apps/postgresql/data/ directory and enter the following commands:

    chown postgres:postgres server.key
    chown postgres:postgres server.crt
    chmod 600 server.key
  9. In a text editor, change the SSL setting in the $PGDATA/postgresql.conf file to on. For example:

    ssl=on
    ssl_cert_file = '/opt/netiq/idm/apps/postgresql/data/server.crt' # (change requires restart)
    ssl_key_file = '/opt/netiq/idm/apps/postgresql/data/server.key'  # (change requires restart)
  10. Save and close the file.

  11. Start Postgres.

  12. (Optional) To verify that SSL communication is enabled for Postgres, complete the following steps:

    1. Enter the following command:

      /opt/netiq/idm/apps/postgres/bin/psql -U postgres -h localhost

    2. Verify that the output is similar to the following content:

      psql (9.0.3)
      SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)
      Type "help" for help.
  13. Add the server.crt file that you created in Step 7 to the cacerts keystore of the JRE. For example, enter the following command:

    keytool -import -trustcacerts -alias ar -file server.crt -keystore /opt/netiq/idm/apps/jre/lib/security/cacerts
  14. Start Tomcat.

  15. Ensure that you update the Identity Governance databases to recognize the secured connection.

    For more information, see Enabling the Identity Governance Databases for SSL Communication.
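As an added example (not part of the NetIQ documentation), the following Python script automates the configuration half of the PostgreSQL procedure above and the optional verification in step 12: it rewrites the three SSL settings in postgresql.conf without leaving duplicate or commented-out copies (step 9), checks that server.key has the 0600 mode that step 8 sets, and replaces the psql check with a raw probe that sends the PostgreSQL SSLRequest startup packet and completes a TLS handshake verified against server.crt. The $PGDATA path is the one from the page; the sample postgresql.conf text and any hostname passed to the probe are constructed assumptions.

```python
import os
import re
import socket
import ssl
import stat

# Path from the page; the conf text below is a constructed sample of the
# relevant postgresql.conf lines, not the file shipped with Identity Governance.
PGDATA = "/opt/netiq/idm/apps/postgresql/data"
SAMPLE_CONF = """# - Security and Authentication -
#ssl = off
#ssl_cert_file = 'server.crt'
#ssl_key_file = 'server.key'
"""

SSL_SETTINGS = ("ssl", "ssl_cert_file", "ssl_key_file")


def enable_ssl_in_conf(conf_text, cert_file, key_file):
    """Return conf_text with ssl=on and the cert/key paths set (step 9).

    An existing line for one of the three settings, commented out or not,
    is rewritten in place so each setting is defined exactly once; a setting
    that does not appear at all is appended at the end.
    """
    wanted = {"ssl": "on",
              "ssl_cert_file": "'%s'" % cert_file,
              "ssl_key_file": "'%s'" % key_file}
    pattern = re.compile(r"\s*#?\s*(ssl|ssl_cert_file|ssl_key_file)\s*=")
    seen, out = set(), []
    for line in conf_text.splitlines():
        m = pattern.match(line)
        if m is None:
            out.append(line)
        elif m.group(1) not in seen:          # first occurrence: rewrite in place
            seen.add(m.group(1))
            out.append("%s = %s" % (m.group(1), wanted[m.group(1)]))
        # later duplicates of a setting are dropped
    for key in SSL_SETTINGS:
        if key not in seen:
            out.append("%s = %s" % (key, wanted[key]))
    return "\n".join(out) + "\n"


def key_file_permissions_ok(path, owner_uid=None):
    """Step 8 check: server.key must be mode 0600 (PostgreSQL will not start
    with a key readable by group or others) and, if owner_uid is given,
    owned by that uid (the postgres account)."""
    st = os.stat(path)
    if stat.S_IMODE(st.st_mode) != 0o600:
        return False
    return owner_uid is None or st.st_uid == owner_uid


# PostgreSQL SSLRequest startup packet: int32 length 8, int32 code 80877103.
SSLREQUEST = (8).to_bytes(4, "big") + (80877103).to_bytes(4, "big")


def build_sslrequest():
    return SSLREQUEST


def server_accepts_ssl(reply):
    """Interpret the one-byte answer to SSLRequest: b'S' = TLS, b'N' = refused."""
    if reply == b"S":
        return True
    if reply == b"N":
        return False
    raise ValueError("unexpected SSLRequest reply %r" % reply)


def probe_postgres_ssl(host, port=5432, cafile=PGDATA + "/server.crt", timeout=5.0):
    """Step 12 check without psql: return the negotiated cipher tuple, or
    None if the server answered 'N'. The handshake is verified against cafile
    (the self-signed server.crt), so the certificate must name host; a
    mismatch raises ssl.SSLCertVerificationError instead of silently passing."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslrequest())
        if not server_accepts_ssl(sock.recv(1)):
            return None
        ctx = ssl.create_default_context(cafile=cafile)
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.cipher()


if __name__ == "__main__":
    print(enable_ssl_in_conf(SAMPLE_CONF, PGDATA + "/server.crt", PGDATA + "/server.key"))
    # With a live server: print(probe_postgres_ssl("dbhost.example.com"))  (assumed hostname)
```

A cipher tuple from probe_postgres_ssl corresponds to the "SSL connection (cipher: ..., bits: ...)" banner psql prints in step 12; a None result means ssl=on did not take effect (usually because Postgres was not restarted after the edit).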

Preparing Oracle for SSL Communication

To enable SSL in Oracle, you must have a certificate for the Oracle Server signed by a certificate authority (CA).

  1. Download and unpack the SSL helper scripts named ssl.ca-0.1.tar.gz.

  2. Create a certification request using Oracle Wallet Manager (/opt/oracle/product/11gR1/db/owm) using the following commands:

    su - oracle
    owm
  3. Select Wallet > New.

  4. Enter your password, then select Yes to create folders for the wallet.

  5. Fill in the requested information, then select OK.

  6. Highlight the certification request, then select Operations > Export Certificate Request.

  7. Save the file with the extension .csr in the folder where you extracted ssl.ca-0.1.tar.gz then save the wallet.

  8. Create a self-signed root certificate by running the new-root-ca.sh script in the ssl.ca-0.1 folder that you extracted in the previous step to create a file called ca.crt.

  9. To run the script that creates the self-signed server certificate, enter the following command:

    ./sign-server-cert.sh CerReq
  10. Import the ca.crt into the Oracle wallet as a trusted certificate and import the certificate-request-filename.crt as a user certificate.

  11. Enable auto-login and save the wallet so that it is now ready for use.

  12. To configure Oracle advanced security and listener configuration on the database server, run the following commands:

    su - oracle
    netmgr
  13. Select Profile > Network Security > SSL.

  14. Ensure that the sqlnet.ora and listener.ora files mention the WALLET.

  15. (Conditional) If the SSL_CLIENT_AUTHENTICATION parameter is not set, it defaults to TRUE and clients must present a certificate during the SSL handshake. If you do not need client authentication, disable it by adding the following parameter to the end of the $TNS_ADMIN/listener.ora and $TNS_ADMIN/sqlnet.ora files:

    SSL_CLIENT_AUTHENTICATION=FALSE

  16. Restart the listener:

    lsnrctl stop
    lsnrctl start
  17. Ensure that you update the Identity Governance databases to recognize the secured connection.

    For more information, see Enabling the Identity Governance Databases for SSL Communication.

4.2.2 Enabling the Identity Governance Databases for SSL Communication

To use TLS/SSL connections, the three Identity Governance databases need the server certificate information. This section applies to both Oracle and PostgreSQL platforms.

  1. Enable SSL functionality in the database platform.

    For more information, see Preparing PostgreSQL for SSL Communication or Preparing Oracle for SSL Communication.

  2. Log in to the server where you deployed Identity Governance.

  3. Stop Tomcat:

    /etc/init.d/idmapps_tomcat_init stop
  4. Add the SSL server certificate that you created for the database platform to the cacerts keystore. For example:

    PostgreSQL

    keytool -import -trustcacerts -alias ar -file server.crt -keystore /opt/netiq/idm/apps/jre/lib/security/cacerts

    Oracle

    keytool -import -trustcacerts -alias aroracle -file ca.crt -keystore /opt/netiq/idm/apps/jre/lib/security/cacerts

  5. In a text editor, open the server.xml file.

  6. For the three Identity Governance databases listed in the file, specify the URL for the SSL server certificate. For example:

    PostgreSQL

    url="jdbc:postgresql://hostname:5432/database_username?ssl=true"

    Oracle

    url="jdbc:oracle:thin:@(DESCRIPTION =(ADDRESS = (PROTOCOL = TCPS)(HOST = hostname)(PORT = 2484))(CONNECT_DATA =(SERVER = DEDICATED) (SERVICE_NAME = name))(SECURITY=(SSL_SERVER_CERT_DN='CN=OracleDB,OU=IN,O=IN,L=IN,ST=IN,C=IN')))"

    By default, the databases have the usernames arops, ardcs, and arwf.

  7. Start Tomcat:

    /etc/init.d/idmapps_tomcat_init start
  8. Ensure that you update the Identity Governance driver to recognize the secured connection.

    For more information, see Enabling the Identity Governance Driver for SSL Communication.
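As an added example (not part of the NetIQ documentation), the following Python script audits step 6: it reads the Resource elements in server.xml and reports, for each of the three datasources, whether the JDBC URL actually enforces TLS in the form the page prescribes, ssl=true for PostgreSQL and PROTOCOL=TCPS plus SSL_SERVER_CERT_DN for Oracle. It goes slightly beyond the page in also accepting the pgjdbc sslmode values that verify the server certificate (verify-ca, verify-full) while rejecting sslmode=require, which encrypts without verification. The server.xml fragment, the hostname dbhost.example.com and the attribute names other than url are constructed assumptions; the datasource names come from the page.

```python
import re
import xml.etree.ElementTree as ET

# Constructed server.xml fragment with the three Identity Governance datasources
# (arops, ardcs, arwf). The ardcs URL is deliberately left without ssl=true so
# the audit has something to flag.
SAMPLE_SERVER_XML = """<Server>
  <GlobalNamingResources>
    <Resource name="jdbc/arops" type="javax.sql.DataSource"
              url="jdbc:postgresql://dbhost.example.com:5432/arops?ssl=true"/>
    <Resource name="jdbc/ardcs" type="javax.sql.DataSource"
              url="jdbc:postgresql://dbhost.example.com:5432/ardcs"/>
    <Resource name="jdbc/arwf" type="javax.sql.DataSource"
              url="jdbc:oracle:thin:@(DESCRIPTION =(ADDRESS = (PROTOCOL = TCPS)(HOST = dbhost.example.com)(PORT = 2484))(CONNECT_DATA =(SERVER = DEDICATED) (SERVICE_NAME = arwf))(SECURITY=(SSL_SERVER_CERT_DN='CN=OracleDB,OU=IN,O=IN,L=IN,ST=IN,C=IN')))"/>
  </GlobalNamingResources>
</Server>
"""

VERIFYING_SSLMODES = ("verify-ca", "verify-full")


def jdbc_url_uses_tls(url):
    """Return (ok, reason) for a PostgreSQL or Oracle thin JDBC URL."""
    if url.startswith("jdbc:postgresql:"):
        query = url.partition("?")[2]
        params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
        if params.get("ssl", "").lower() == "true":
            return True, "ssl=true"
        if params.get("sslmode") in VERIFYING_SSLMODES:
            return True, "sslmode=" + params["sslmode"]
        # sslmode=require (or nothing) would not verify the server certificate.
        return False, "no ssl=true or verifying sslmode parameter"
    if url.startswith("jdbc:oracle:thin:"):
        flat = re.sub(r"\s+", "", url.upper())   # the descriptor tolerates spaces
        if "(PROTOCOL=TCPS)" not in flat:
            return False, "PROTOCOL is not TCPS"
        if "SSL_SERVER_CERT_DN=" not in flat:
            return False, "TCPS but no SSL_SERVER_CERT_DN; server DN is not checked"
        return True, "TCPS with SSL_SERVER_CERT_DN"
    return False, "unrecognised JDBC URL"


def audit_datasources(xml_text):
    """Map each Resource name in server.xml to jdbc_url_uses_tls(url)."""
    root = ET.fromstring(xml_text)
    results = {}
    for res in root.iter("Resource"):
        url = res.get("url")
        if url is not None:
            results[res.get("name")] = jdbc_url_uses_tls(url)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in audit_datasources(SAMPLE_SERVER_XML).items():
        print("%-12s %-5s %s" % (name, "OK" if ok else "FAIL", reason))
```

Run it against the real file with audit_datasources(open("server.xml").read()) after step 6 and before restarting Tomcat; every datasource should report OK, since a single datasource left on a plain URL keeps one of the three databases talking in clear text.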

4.2.3 Enabling the Identity Governance Driver for SSL Communication

The Identity Governance driver can communicate securely with the Identity Governance databases. Ensure that you also enable SSL communication in the databases. For more information, see Preparing PostgreSQL for SSL Communication or Preparing Oracle for SSL Communication.

  1. Log in to the server where you installed the Identity Governance driver and the Remote Loader.

  2. Stop the Remote Loader. For example, enter the following command:

    rdxml -config /home/ARShim.conf -u
  3. In a text editor, open the Remote Loader conf file for the driver, by default ARShim.conf.

  4. Add the content of the SSL server certificate to the file. For example:

    PostgreSQL

    -description ARDriver
    -commandport 8000
    -connection "port=8090 rootfile=path/server.crt"
    -trace 5
    -tracefile "/opt/netiq/ar.log"
    -tracefilemax 100M
    -class "com.novell.nds.dirxml.driver.arshim.AccessReviewDriverShim"

    Oracle

    -description ARDriver
    -commandport 8000
    -connection "port=8090 rootfile=path/ca.crt"
    -trace 5
    -tracefile /tmp/remoteloader.log
    -class com.novell.nds.dirxml.driver.arshim.AccessReviewDriverShim
  5. Save and close the file.

  6. Add the server certificate to the Remote Loader Java certs. For example:

    PostgreSQL

    keytool -import -trustcacerts -alias ar -file server.crt -keystore /opt/novell/eDirectory/lib64/nds-modules/jre/lib/security/cacerts

    Oracle

    keytool -import -trustcacerts -alias aroracle -file ca.crt -keystore /opt/novell/eDirectory/lib64/nds-modules/jre/lib/security/cacerts

  7. Start the Remote Loader. For example, enter the following command:

    rdxml -config /home/ARShim.conf
  8. In the AR Driver configuration, verify that the setting for Identity Governance Database Connection URL resembles one of the following values:

    PostgreSQL

    jdbc:postgresql://hostname:5432/database_username?ssl=true

    Oracle

    jdbc:oracle:thin:@(DESCRIPTION =(ADDRESS = (PROTOCOL = TCPS)(HOST = hostname)(PORT = 2484))(CONNECT_DATA =(SERVER = DEDICATED) (SERVICE_NAME = name))(SECURITY=(SSL_SERVER_CERT_DN='CN=OracleDB,OU=IN,O=IN,L=IN,ST=IN,C=IN')))

    By default, the databases have the usernames arops, ardcs, and arwf.

  9. Restart the Identity Governance driver.
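As an added example (not part of the NetIQ documentation), the following Python script checks the result of steps 3 to 5 above before the Remote Loader is started: it parses the -option value lines of the Remote Loader conf file, splits the -connection string, and confirms that the rootfile entry names a readable PEM certificate, which is the mistake (a placeholder path left as path/server.crt, or a DER file) that otherwise only shows up as a failed connection in the trace file. The conf text, the path /opt/netiq/certs/server.crt and the placeholder PEM written by write_constructed_rootfile are constructed assumptions; the option names are those shown on the page.

```python
import os
import shlex
import tempfile

# Constructed copy of the PostgreSQL variant from the page with an assumed
# rootfile path filled in for the placeholder "path/server.crt".
SAMPLE_ARSHIM_CONF = """-description ARDriver
-commandport 8000
-connection "port=8090 rootfile=/opt/netiq/certs/server.crt"
-trace 5
-tracefile "/opt/netiq/ar.log"
-tracefilemax 100M
-class "com.novell.nds.dirxml.driver.arshim.AccessReviewDriverShim"
"""


def parse_remote_loader_conf(text):
    """Parse '-option value' lines into a dict; quoted values are unquoted."""
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        if not parts[0].startswith("-"):
            raise ValueError("unexpected line in conf file: %r" % raw)
        options[parts[0][1:]] = " ".join(parts[1:])
    return options


def parse_connection(value):
    """Split a -connection value such as 'port=8090 rootfile=...' into a dict."""
    return dict(tok.split("=", 1) for tok in value.split() if "=" in tok)


def check_rootfile(conf_text):
    """Return (ok, detail): rootfile must be set and be a readable PEM certificate."""
    conn = parse_connection(parse_remote_loader_conf(conf_text).get("connection", ""))
    path = conn.get("rootfile")
    if not path:
        return False, "-connection has no rootfile= entry"
    try:
        with open(path, "rb") as f:
            data = f.read()
    except OSError as exc:
        return False, "rootfile unreadable: %s" % exc
    if b"-----BEGIN CERTIFICATE-----" not in data:
        return False, "rootfile is not a PEM certificate (DER export?)"
    return True, path


def write_constructed_rootfile():
    """Write a placeholder PEM file (marker lines only, NOT a real certificate)
    to a temporary directory and return its path, for exercising check_rootfile."""
    path = os.path.join(tempfile.mkdtemp(), "server.crt")
    with open(path, "wb") as f:
        f.write(b"-----BEGIN CERTIFICATE-----\n"
                b"PLACEHOLDER-NOT-A-REAL-CERTIFICATE\n"
                b"-----END CERTIFICATE-----\n")
    return path


if __name__ == "__main__":
    print(check_rootfile(SAMPLE_ARSHIM_CONF))
    print(check_rootfile(SAMPLE_ARSHIM_CONF.replace("/opt/netiq/certs/server.crt",
                                                    write_constructed_rootfile())))
```

On the real host, call check_rootfile(open("/home/ARShim.conf").read()) (the page's default path) after step 5; the same certificate file should be the one imported into the Remote Loader cacerts in step 6.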