39.3 Configuring Identity Manager for Integration

To ensure proper integration, you must install Identity Applications version 4.8 with Identity Governance version 3.6.0 or 3.5.0. This procedure assumes that you have configured single sign-on for the identity applications.

Configuring Identity Manager for Integration When Identity Manager is Installed for the First Time

Perform the following steps if you are configuring Identity Manager for integration when Identity Manager is installed for the first time.

  1. On the server where you installed Identity Applications, log in as an administrator.

  2. Navigate to the /opt/netiq/idm/apps/configupdate directory.

  3. Modify the configupdate.sh.properties file and update the following details:

    • Update the Identity Governance version in the apps_versions parameter. The supported versions are 3.6.0 and 3.5.0, where 3.5.0 includes all versions of 3.5.x. The entries are a comma-separated list. For example, app_versions="ua#4.8.0,rpt#6.5.0,ig#3.6.0"

    • Add the entry for ig to the list of applications in the sso_apps parameter. The entries are a comma-separated list. For example, sso_apps=ua,rpt,ig

  4. Run the configuration update utility.

    ./configupdate.sh

  5. Navigate to the Authentication tab and click Show Advanced Options.

  6. (Conditional) If you are using Identity Governance 3.6, you must select the LDAP user check box under the Identity Governance Bootstrap Administrator settings.

  7. (Conditional) If you are using Identity Governance 3.5.x and the authentication method is set to Kerberoes or SAML 2.0, then you must select the LDAP user check box under the Identity Governance Bootstrap Administrator settings. If the authentication method is set to Name and Password, you can select the file-based user system or the LDAP user as your bootstrap administrator.

  8. Navigate to the IG SSO Clients tab.

  9. (Conditional) If you want to change the authentication server for Identity Governance after installation, specify the values based on the settings that you specified in Step 3 and Step 4 of the Using the Same Authentication Server as Identity Manager section.

    The following considerations apply to these settings:

    • (Conditional) If you are using Identity Governance 3.6, the default OAuth client ID is ig.

      NOTE:The client secret is specified during the Identity Governance installation. You can change the client ID and client secret after installation.

      Specify the following details for Identity Governance Client:

      • OAuth Client ID: Specifies the name that you want to use to identify the single sign-on client for Identity Governance to the authentication server. The default value is ig.

      • OAuth Redirect URI: The OAuth redirect URL must be an absolute URL and include the specified value for OAuth client ID. For example, https://myserver.host:8443/oauth.html. By default, the configuration update utility provides some of this URL. However, you must ensure that you add the server and port information.

      Specify the following details for Identity Governance Utility Client:

      • OAuth Client ID: Specifies the name that you want to use to identify the single sign-on client for Identity Governance Utility to the authentication server. The default value is iac.

      • OAuth client secret: Specifies the password for the single sign-on client for the Identity Governance utility client.

      Specify the following details for Request Client:

      • OAuth Client ID: Specifies the name that you want to use to identify the single sign-on client for Request to the authentication server. The default value is cx.

      • OAuth Redirect URI: The OAuth redirect URL must be an absolute URL and include the specified value for OAuth client ID. For example, https://myserver.host:8443/cx/oauth.html. By default, the configuration update utility provides some of this URL. However, you must ensure that you add the server and port information.

      Specify the following details for Data Connectivity Service:

      • OAuth Client ID: Specifies the name that you want to use to identify the single sign-on client for Data Connectivity Service to the authentication server. The default value is iac-daas.

      • OAuth client secret: Specifies the password for the single sign-on client for the Data Connectivity Service client.

      Specify the following details for General Service:

      • OAuth Client ID: Specifies the name that you want to use to identify the single sign-on client for General Service to the authentication server. The default value is iac-service.

      • OAuth client secret: Specifies the password for the single sign-on client for the General Service client.

      Specify the following details for Data Transformation and Processing Service:

      • OAuth Client ID: Specifies the name that you want to use to identify the single sign-on client for Data Transformation and Processing Service to the authentication server. The default value is iac-dtp.

      • OAuth client secret: Specifies the password for the single sign-on client for the Data Transformation and Processing Service client.

      Specify the following details for Workflow Service:

      • OAuth Client ID: Specifies the name that you want to use to identify the single sign-on client for Workflow Service to the authentication server. The default value is wf.

      • OAuth client secret: Specifies the password for the single sign-on client for the Workflow Service client.

    • (Conditional) If you are using Identity Governance 3.5.x, the default OAuth client ID is iac.

      NOTE:The client secret is specified during the Identity Governance installation. You can change the client ID and client secret after installation.

      Specify the following details for Identity Governance Client:

      • OAuth Client ID: Specifies the name that you want to use to identify the single sign-on client for Identity Governance to the authentication server. The default value is iac.

      • OAuth client secret: Specifies the password for the single sign-on client for the Identity Governance client.

      • OAuth Redirect URI: The OAuth redirect URL must be an absolute URL and include the specified value for OAuth client ID. For example, https://myserver.host:8443/oauth.html. By default, the configuration update utility provides some of this URL. However, you must ensure that you add the server and port information.

      Specify the following details for Request Client:

      • OAuth Client ID: Specifies the name that you want to use to identify the single sign-on client for Request to the authentication server. The default value is cx.

      • OAuth client secret: Specifies the password for the single sign-on client for the Request client.

      • OAuth Redirect URI: The OAuth redirect URL must be an absolute URL and include the specified value for OAuth client ID. For example, https://myserver.host:8443/cx/oauth.html. By default, the configuration update utility provides some of this URL. However, you must ensure that you add the server and port information.

      Specify the following details for Data Connectivity Service:

      • OAuth Client ID: Specifies the name that you want to use to identify the single sign-on client for Data Connectivity service to the authentication server. The default value is iac-daas.

      • OAuth client secret: Specifies the password for the single sign-on client for the Data Connectivity Service client.

      Specify the following details for General Service:

      • OAuth Client ID: Specifies the name that you want to use to identify the single sign-on client for General Service to the authentication server. The default value is iac-service.

      • OAuth client secret: Specifies the password for the single sign-on client for the General Service client.

      Specify the following details for Data Transformation and Processing Service:

      • OAuth Client ID: Specifies the name that you want to use to identify the single sign-on client for Data Transformation and Processing Service to the authentication server. The default value is iac-dtp.

      • OAuth client secret: Specifies the password for the single sign-on client for the Data Transformation and Processing Service client.

      Specify the following details for Workflow Service:

      • OAuth Client ID: Specifies the name that you want to use to identify the single sign-on client for Workflow Service to the authentication server. The default value is wf.

      • OAuth client secret: Specifies the password for the single sign-on client for the Workflow Service client.

  10. (Conditional) If you are installing Identity Governance for the first time, specify the following details during the Identity Governance installation:

    • For the authentication server details, specify the Identity Manager OSP server details.

    • Specify the LDAP user details when prompted for the Bootstrap administrator details.

    NOTE:Based on the Identity Governance version that you are using (3.6 or 3.5.x), you can choose whether LDAP user is required or not. For more information, see Step 6 and Step 7.

  11. (Conditional) If you have already installed Identity Governance, log in to the server where Identity Governance is installed and update the configuration values in the configuration utility (configutil) and configuration update utility (configupdate). For more information, see Step 3 through Step 6 of the Using the Same Authentication Server as Identity Manager section.

  12. Delete the localhost folder in the tomcat/work/Catalina directory.

  13. Delete all the files and folders in the /opt/netiq/idm/apps/tomcat/temp directory.

  14. Restart Tomcat on the Identity Governance server.

    systemctl restart identity_tomcat.service

  15. Restart Tomcat on the Identity Applications server.

    systemctl restart netiq-tomcat.service

  16. Add a link to Identity Governance from the Identity Manager Home page:

    1. Log in to the Identity Manager dashboard.

    2. Navigate to the Applications page.

    3. Click Manage Applications and add the Identity Governance tile to the home page and modify the widget to add the Identity Governance URL.

Configuring Session-timeout for Identity Manager and Identity Governance Integrated Setup

In Identity Manager and Identity Governance integrated setup, both Identity Applications and Identity Governance are browser-based applications, each having a distinct session time out property and value. The value represents the amount of time users can leave a page unattended in their web browser before the server displays a session-time-out warning.

The Identity Applications session time out value is represented by the com.netiq.idm.session-timeout property, whereas the Identity Governance session time out is represented by the com.netiq.idm.osp.oauth.public.refreshTokenTTL property. You must configure value for both these properties in the ism-configuration.properties file after Identity Manager and Identity Governance integration.

To set the session time out, perform the following actions:

  1. Login in to the Identity Applications server.

  2. Navigate to the /opt/netiq/idm/apps/tomcat/conf/ location.

  3. Open the ism-configuration.properties file in a text editor and add the two properties namely, com.netiq.idm.session-timeout and com.netiq.idm.osp.oauth.public.refreshTokenTTL with appropriate values.

  4. Save the file and restart the Tomcat service.

NOTE:To keep the session-timeout warning same for both the applications, it is recommended that the value you set for com.netiq.idm.osp.oauth.public.refreshTokenTTL must be 120 seconds less than the value provided for the com.netiq.idm.session-timeout property.

Configuring Identity Manager for Integration When Identity Manager and Identity Governance are Upgraded

Perform the following steps to configure Identity Manager for integration when Identity Manager is upgraded to 4.8 version.

  1. (Conditional) If the uaconfig-ig-defs.xml or uaconfig-ig36-defs.xml file exists in the /opt/netiq/idm/apps/tomcat/conf directory, move (or delete) it to a different location, for example, /home directory.

  2. (Conditional) If you are upgrading to Identity Governance 3.6 version from 3.5.x version, perform the following steps:

    1. Navigate to the /opt/netiq/idm/apps/tomcat/conf directory.

    2. Back up the ism-configuration.properties file.

    3. Open the ism-configuration.properties file with a text editor and delete the following properties:

      • com.netiq.iac.redirect.url

      • com.netiq.cx.clientPass._attr_obscurity

      • com.netiq.cx.clientPass

      • com.netiq.idm.osp.fileauthsrc.filename

      • com.netiq.idm.osp.fileauthsrc.path

      • com.netiq.iac.bootstrapadmin.authsrc

    4. Save and close the ism-configuration.properties file.

  3. On the server where Identity Applications is running, navigate to the /opt/netiq/idm/apps/configupdate directory.

  4. Modify the configupdate.sh.properties file and update the following details:

    • Update the Identity Governance version in the apps_versions parameter. The supported versions are 3.6.0 and 3.5.0, where 3.5.0 includes all versions of 3.5.x. The entries are a comma-separated list. For example, app_versions="ua#4.8.0,rpt#6.5.0,ig#3.6.0"

    • Add the entry for ig to the list of applications in the sso_apps parameter. The entries are a comma-separated list. For example, sso_apps=ua,rpt,ig

  5. Launch configuration update utility by running the ./configupdate.sh command and perform the following steps:

    1. (Conditional) If the configuration settings are reset to the default values during upgrade, you must change the settings manually.

    2. (Conditional) If you are using Identity Governance 3.6, you must select the LDAP user check box under the Identity Governance Bootstrap Administrator settings.

    3. Navigate to the IG SSO clients Tab and modify the values as per the considerations listed in Step 9.

    4. Navigate to the IDM SSO clients tab and verify the settings.

    5. Click OK.

  6. Delete the localhost folder in the /opt/netiq/idm/apps/tomcat/work/Catalina directory.

  7. Delete all the files and folders in the /opt/netiq/idm/apps/tomcat/temp directory.

  8. Delete or back up all the files in the /opt/netiq/idm/apps/tomcat/logs directory.

  9. Restart Tomcat on the Identity Governance server.

    systemctl restart identity_tomcat.service

  10. Restart Tomcat on the Identity Applications server.

    systemctl restart netiq-tomcat.service

  11. On the server where Identity Applications is running, launch the configuration update utility again. If you are presented with any certificates, review and accept the certificates.

  12. (Conditional) If you accepted certificates in step 11, restart Tomcat on both Identity Manager and Identity Governance servers.