39.2 Configuring Identity Governance for Integration

For proper integration, you must link Identity Governance to the Identity Manager Home page for the identity applications. You can also choose to use the same authentication server that the identity applications use to verify login attempts. This process includes the following activities:

39.2.1 Adding a Link for Identity Manager Home in the Identity Governance Menu

This section describes how to add a link in Identity Governance so users can easily switch to Identity Manager Home.

  1. Log in to Identity Governance with an account that has the Global Administrator authorization.

  2. Select Configration > General Settings.

  3. For Home Page URL, specify the URL for Identity Manager Home. For example, https://myserver:8543/idmdash#/landing.

  4. Select Save.

  5. Refresh the browser for change to take effect.

39.2.2 Using the Same Authentication Server as Identity Manager

This section describes how to configure Identity Governance to use the same authentication server as Identity Manager identity applications for verifying users who log in. This section assumes that, when you installed Identity Governance, you did not specify the Identity Manager authentication server. For example, you might have installed Identity Governance before adding Identity Manager to your environment.

NOTE:Identity Applications use https communication by default. You should create a wildcard certificate on one of the servers and copy the certificate on all the servers.

For example, the wildcard certificate *.example.com is created on OSP server.

  1. Add this certificate to the keystoreFile on all the servers.

  2. Restart Tomcat on all the servers.

Ensure that keystoreFile is updated in the server.xml.

<Connector port="8543" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslProtocol="TLSv1.2" keystoreFile="conf/tomcat.ks" keystorePass="novell" sslEnabledProtocols="TLSv1.2" />

  1. Stop Tomcat.

    systemctl stop identity_tomcat.service

  2. Navigate to the /opt/netiq/idm/apps/idgov/bin directory and run the ./configutil.sh -password <passwd> command.

  3. In the configuration utility (configutil), navigate to the Authentication Server Details tab and perform the following steps:

    1. De-select the Same as IG Server check box.

    2. Specify the authentication server details that is deployed with Identity Applications in the Protocol, Host Name, and Port fields.

    3. Set the value for the Authentication Source parameter from File to Identity Vault and then specify the LDAP user DN in the Name field. Specify the complete DN of the user. For example, cn=uaadmin,ou=sa,o=data.

      (Conditional) If you are using Identity Governance 3.6, then you must use the LDAP bootstrap user.

      (Conditional) If you are using Identity Governance 3.5.x, then setting the LDAP bootstrap user is optional based on the authentication method you used.

    4. Specify the values for the Client ID and Redirect URL under the OAuth SSO Client parameter.

      NOTE:The values for these settings must match the values that you specify for Identity Governance in the Identity Applications Configuration update utility.

    5. Click Save and close the configuration utility.

  4. In the configuration utility (configutil), navigate to the Security Settings tab and make a note of the Client ID for all the clients.

    NOTE:The values for these settings must match the values that you specify for Identity Governance in the Identity Applications Configuration update utility.

  5. Navigate to /opt/netiq/idm/apps/configupdate directory and run the ./configupdate.sh command.

  6. In the configuration update utility (configupdate), navigate to the Authentication tab and perform the following steps:

    1. Specify the authentication server details that is deployed with Identity Applications.

    2. Click Show Advanced.

    3. (Conditional) If you are using Identity Governance 3.6, you must select the LDAP user check box under the Identity Governance Bootstrap Administrator settings.

    4. (Conditional) If you are using Identity Governance 3.5.x and the authentication method is set to Kerberos or SAML 2.0, then you must select the LDAP user check box under the Identity Governance Bootstrap Administrator settings. If the authentication method is set to Name and Password, you can select the file-based user or LDAP user as your bootstrap administrator.

    5. Click OK.

    6. (Conditional) If the Tomcat certificate of the server where Identity Applications is deployed has not been installed into the trust store, then you must accept the certificate. Ensure that Tomcat is running on the Identity Applications server.

  7. Start Tomcat.

    systemctl start identity_tomcat.service

39.2.3 Registering Identity Applications Server

You should register Identity Applications server details on Identity Governance server that allows Identity Applications to access Identity Governance through Identity Manager Dashboard.

Perform the following steps to register Identity Applications server:

  1. Log in to Identity Governance server as an administrator.

  2. Stop Tomcat.

    systemctl stop identity_tomcat.service

  3. Launch the configuration update utility in the console mode.

    For example,

    /opt/netiq/id/apps/idgov/bin/configutil.sh -password $db_password -console

  4. Run the following command to register the CORS client.

    ap GLOBAL com.netiq.iac.CORSclient $URL_OF_RBPM_MACHINE

    For example, ap GLOBAL com.netiq.iac.CORSclient https://myserver.mydomain.com:8543

  5. Verify the value using the following command.

    dc com.netiq.iac.CORSclient

Before adding the Identity Governance widgets in the Identity Manager dashboard, you must configure the Identity Governance URL from the Identity Governance settings page.

  1. Log in to Identity Manager Dashboard as an administrator.

  2. Select Configuration > Identity Governance.

For more information, see Configuring the Identity Governance Settings.