6.6 Configuring Identity Applications

6.6.1 Configuring the Settings for the Identity Applications

The Identity Applications Configuration utility helps you manage the settings for the User Application drivers and the identity applications. The installation program for the identity applications invokes a version of this utility so that you can more quickly configure the applications. You can also modify most of these settings after installation.

The file to run the Configuration utility (configupdate.sh) is located by default in the /opt/netiq/idm/apps/configupdate directory:

NOTE:

  • You should run the configudate.sh from the configupdate directory only. Running the configupdate.sh from a custom location will result in failures.

  • In a cluster, the configuration settings must be identical for all members of the cluster.

This section explains the settings in the configuration utility. The settings are organized by tabs. If you install Identity Reporting, the process adds parameters for Reporting to the utility.

Running the Identity Applications Configuration Utility

  1. In configupdate.sh.properties, ensure that the following options are configured correctly:

    edit_admin="true"
    use_console="false"

    NOTE:You should configure the value of -use_console to be true only if you want to run the utility in console mode.

  2. Save and close configupdate.sh.properties.

  3. At the command prompt, perform the following command to run the configuration utility:

    ./configupdate.sh

    NOTE:You might need to wait a few minutes for the utility to start up.

User Application Parameters

When configuring the identity applications, this tab defines the values that the applications use when communicating with the Identity Vault. Some settings are required for completing the installation process.

By default, the tab displays the basic options. To see all settings, click Show Advanced Options. This tab includes the following groups of settings:

Identity Vault Settings

This section defines the settings that enable the identity applications to access the user identities and roles in the Identity Vault. Some settings are required for completing the installation process.

Identity Vault Server

Required

Specifies the hostname or IP address for your LDAP server. For example: myLDAPhost.

LDAP port

Specifies the port on which the Identity Vault listens for LDAP requests in clear text. The default value is 389.

LDAP secure port

Specifies the port on which the Identity Vault listens for LDAP requests using Secure Sockets Layer (SSL) protocol. The default value is 636.

If a service already loaded on the server (before you install eDirectory) uses the default port, you must specify a different port.

Identity Vault Administrator

Required

Specifies the credentials for the LDAP Administrator. For example, cn=admin. This user must already exist in the Identity Vault.

The identity applications use this account to make an administrative connection to the Identity Vault. This value is encrypted, based on the master key.

Identity Vault Administrator Password

Required

Specifies the password associated the LDAP Administrator. This password is encrypted, based on the master key.

Use Public Anonymous Account

Specifies whether users who are not logged in can access the LDAP Public Anonymous Account.

Secure Administrator Connection

Specifies whether RBPM uses SSL protocol for all communication related to the admin account. This setting allows other operations that do not require SSL to operate without SSL.

NOTE:This option might have adverse performance implications.

Secure User Connection

Specifies whether RBPM uses TLS/SSL protocol for all communication related to the logged-in user's account. This setting allows other operations that do not require TLS/SSL to operate without the protocol.

NOTE:This option might have adverse performance implications.

Identity Vault DNs

This section defines the distinguished names for containers and user accounts that enable communication between the identity applications and other Identity Manager components. Some settings are required for completing the installation process.

Root Container DN

Required

Specifies the LDAP distinguished name of the root container. This is used as the default entity definition search root when no search root is specified in the directory abstraction layer. For example, o=mycompany.

User Container DN

Required

When showing the advanced options, the utility displays this parameter under Identity Vault User Identity.

Specifies the LDAP distinguished name (DN) or fully qualified LDAP name of the user container. The following considerations apply to this setting:

  • Users in this container (and below) are allowed to log in to the identity applications.

  • If you have started Tomcat hosting the identity applications, you cannot change this setting with the configupdate.sh file.

  • This container must include the User Application Administrator that you specified as you set up the User Application driver. Otherwise, the specified account cannot execute workflows.

Group Container DN

Required

When showing the advanced options, the utility displays this parameter under Identity Vault User Groups.

Specifies the LDAP distinguished name (DN) or fully qualified LDAP name of the group container. The following considerations apply to this setting:

  • Entity definitions within the directory abstraction layer use this DN.

  • If you have started Tomcat hosting the identity applications, you cannot change this setting with the configupdate.sh file.

User Application Driver

Required

Specifies the distinguished name of the User Application driver.

For example, if your driver is UserApplicationDriver and your driver set is called myDriverSet, and the driver set is in a context of o=myCompany, specify cn=UserApplicationDriver,cn=myDriverSet,o=myCompany.

User Application Administrator

Required

Specifies an existing user account in the Identity Vault that has the rights to perform administrative tasks for the specified user container for User Application. The following considerations apply to this setting:

  • If you have started Tomcat hosting the User Application, you cannot change this setting with the configupdate.sh file.

  • To change this assignment after you deploy the User Application, use the Administration > Security pages in the User Application.

  • This user account has the right to use the Administration tab of the User Application to administer the portal.

  • If the User Application Administrator participates in workflow administration tasks exposed in iManager, Designer, or the User Application (Requests & Approvals tab), you must grant this administrator appropriate trustee rights to object instances contained in the User Application driver. For more information, see the User Application Administration Guide for details.

Provisioning Administrator

Specifies an existing user account in the Identity Vault that will manage Provisioning Workflow functions available throughout the User Application.

To change this assignment after you deploy the User Application, use the Administration > Administrator Assignments page in the User Application.

Compliance Administrator

Specifies an existing account in the Identity Vault that performs a system role to allow members to perform all functions on the Compliance tab. The following considerations apply to this setting:

  • To change this assignment after you deploy the identity applications, use the Administration > Administrator Assignments page in the User Application.

  • During a configuration update, changes to this value take effect only if you do not have a valid Compliance Administrator assigned. If a valid Compliance Administrator exists, then your changes are not saved.

Roles Administrator

Specifies the role that allows members to create, remove, or modify all roles, and grant or revoke any role assignment to any user, group, or container. It also allows its role members to run any report for any user. The following considerations apply to this setting:

  • By default, the User Application Admin is assigned this role.

  • To change this assignment after you deploy the identity applications, use the Administration > Administrator Assignments page in the User Application.

  • During a configuration update, changes to this value take effect only if you do not have a valid Roles Administrator assigned. If a valid Roles Administrator exists, then your changes are not saved.

Security Administrator

Specifies the role that gives members the full range of capabilities within the Security domain. The following considerations apply to this setting:

  • The Security Administrator can perform all possible actions for all objects within the Security domain. The Security domain allows the Security Administrator to configure access permissions for all objects in all domains within RBPM. The Security Administrator can configure teams, and also assign domain administrators, delegated administrators, and other Security Administrators.

  • To change this assignment after you deploy the identity applications, use the Administration > Administrator Assignments page in the User Application.

Resources Administrator

Specifies the role that gives members the full range of capabilities within the Resource domain. The following considerations apply to this setting:

  • The Resources Administrator can perform all possible actions for all objects within the Resource domain.

  • To change this assignment after you deploy the identity applications, use the Administration > Administrator Assignments page in the User Application.

RBPM Configuration Administrator

Specifies the role that gives members the full range of capabilities within the Configuration domain. The following considerations apply to this setting:

  • The RBPM Configuration Administrator can perform all possible actions on all objects within the Configuration domain. The RBPM Configuration Administrator controls access to navigation items within RBPM. In addition, the RBPM Configuration Administrator configures the delegation and proxy service, the provisioning user interface, and the workflow engine.

  • To change this assignment after you deploy the identity applications, use the Administration > Administrator Assignments page in the User Application.

RBPM Reporting Administrator

Specifies the Reporting Administrator. By default, the installation program lists this value as the same user as the other security fields.

Identity Vault User Identity

This section defines the values that enable the identity applications to communicate with a user container in the Identity Vault. Some settings are required for completing the installation process.

The utility displays these settings only when you select Show Advanced Options.

User Container DN

Required

When not showing the advanced options, the utility displays this parameter under Identity Vault DNs.

Specifies the LDAP distinguished name (DN) or fully qualified LDAP name of the user container. The following considerations apply to this setting:

  • Users in this container (and below) are allowed to log in to the identity applications.

  • If you have started Tomcat hosting the identity applications, you cannot change this setting with the configupdate.sh file.

  • This container must include the User Application Administrator that you specified as you set up the User Application driver. Otherwise, the specified account cannot execute workflows.

User Search Scope

Specifies the depth of scope that Identity Vault users can search the container.

User Object Class

Specifies the object class of the LDAP user. Usually the class is inetOrgPerson.

Login Attribute

Specifies the LDAP attribute that represents the user’s login name. For example, cn.

Naming Attribute

Specifies the LDAP attribute used as the identifier when looking up users or groups. This is not the same as the login attribute, which is used only during login. For example, cn.

User Membership Attribute

(Optional) Specifies the LDAP attribute that represents the user’s group membership. Do not use spaces when specifying the name.

Identity Vault User Groups

This section defines the values that enable the identity applications to communicate with a group container in the Identity Vault. Some settings are required for completing the installation process.

The utility displays these settings only when you select Show Advanced Options.

Group Container DN

Required

When not showing the advanced options, the utility displays this parameter under Identity Vault DNs.

Specifies the LDAP distinguished name (DN) or fully qualified LDAP name of the group container. The following considerations apply to this setting:

  • Entity definitions within the directory abstraction layer use this DN.

  • If you have started Tomcat hosting the identity applications, you cannot change this setting with the configupdate.sh file.

Group Container Scope

Specifies the depth of scope that Identity Vault users can search for the group container.

Group Object Class

Specifies the object class of the LDAP group. Usually the class is groupofNames.

Group Membership Attribute

(Optional) Specifies the user’s group membership. Do not use spaces in this name.

Use Dynamic Groups

Specifies whether you want to use dynamic groups.

You must also specify a value for Dynamic Group Object Class.

Dynamic Group Object Class

Applies only when you select Use Dynamic Groups.

Specifies the object class of the LDAP dynamic group. Usually the class is dynamicGroup.

Identity Vault Certificates

This section defines the path and password for the JRE keystore. Some settings are required for completing the installation process.

Keystore Path

Required

Specifies the full path to your keystore (cacerts) file of the JRE that Tomcat uses to run. You can manually enter the path or browse to the cacerts file. The following considerations apply to this setting:

  • In environments, you must specify the installation directory of RBPM. The default value is set to the correct location.

  • The installation program for the identity applications modifies the keystore file. On Linux, the user must have permission to write to this file.

Keystore Password

Required

Specifies the password for the keystore file. The default is changeit.

Email Server Configuration

This section defines the values that enable email notifications, which you can use for email-based approvals.

Notification Template Host

Specifies the name or IP address of Tomcat that hosts the identity applications. For example, myapplication serverServer.

This value replaces the $HOST$ token in e-mail templates. The installation program uses this information to create a URL to provisioning request tasks and approval notifications.

Notification Template Port

Specifies the port number of Tomcat that hosts the identity applications.

This values replaces the $PORT$ token in e-mail templates that are used in provisioning request tasks and approval notifications.

Notification Template Secure Port

Specifies the secure port number of Tomcat that hosts the identity applications.

This value replaces the $SECURE_PORT$ token in e-mail templates used in provisioning request tasks and approval notifications.

Notification Template Protocol

Specifies a non-secure protocol included in the URL when sending user email. For example, http.

This value replaces the $PROTOCOL$ token in e-mail templates used in provisioning request tasks and approval notifications.

Notification Template Secure Protocol

Specifies the secure protocol included in the URL when sending user email. For example, https.

This value replaces the $SECURE_PROTOCOL$ token in e-mail templates used in provisioning request tasks and approval notifications.

Notification SMTP Email From

Specifies the email account that the identity applications use to send email notifications.

SMTP Server Name

Specifies the IP address or DNS name of the SMTP email host that the identity applications use for provisioning emails. Do not use localhost.

Server requires authentication

Specifies whether you want the server to require authentication.

You must also specify the credentials for the email server.

User name

Applies only when you enable Server requires authentication.

Specifies the name of a login account for the email server.

Password

Applies only when you enable Server requires authentication.

Specifies the password of an login account for the mail server.

Use SMTP TLS

Specifies whether you want to secure the contents of email messages during transmission between the mail servers.

Email Notification Image Location

Specifies the path to the image that you want to include in email notifications.

When the Identity Applications server and the email server are both set to use secure connection, make sure that the following conditions are met:

  • The certificate used to establish a secure connection between the Identity Applications server and the email server is a trusted CA certificate

  • Use https in the image path. For example, https://localhost:8543/IDMProv/images

If Identity Applications is operating on a server that uses http for plain text communication, replace https with http in the image path. An example of the image path: http://localhost:8080/IDMProv/images

Sign email

Specifies whether you want to add a digital signature to outgoing messages.

If you enable this option, you must also specify settings for the keystore and signature key.

Keystore Path

Applies only when you enable Sign email.

Specifies the full path to the keystore (cacerts) file that you want to use for digitally signing an email. You can manually enter the path or browse to the cacerts file.

For example, /opt/netiq/idm/apps/jre/lib/security/cacerts.

Keystore Password

Applies only when you enable Sign email.

Specifies the password for the keystore file. For example, changeit.

Alias of signature key

Applies only when you enable Sign email.

Specifies the alias of the signing key in the keystore. For example, idmapptest.

Signature key password

Applies only when you enable Sign email.

Specifies the password that protects the file containing the signature key. For example, changeit.

Trusted Key Store

This section defines the values for the trusted keystore for the identity applications. The utility displays these settings only when you select Show Advanced Options.

Trusted Store Path

Specifies the path to the Trusted Key Store that contains all trusted signers’ certificates. If this path is empty, the identity applications get the path from System property javax.net.ssl.trustStore. If the System property cannot provide the path, the installation program defaults to jre/lib/security/cacerts.

Trusted Store Password

Specifies the password for the Trusted Key Store. If you leave this field is empty, the identity applications gets the password from System property javax.net.ssl.trustStorePassword. If the System property cannot provide the path, the installation program defaults to changeit.

This password is encrypted, based on the master key.

Trusted Store Type

Specifies whether the trusted store path uses a Java keystore (JKS) or PKCS12 for digital signing.

NetIQ Sentinel Digital Signature Certificate & Key

This section defines the values that allows Identity Manager to communicate with Sentinel for auditing events. The utility displays these settings only when you select Show Advanced Options.

Sentinel Digital Signature Certificate

Lists the custom public key certificate that you want the OAuth server to use to authenticate audit messages sent to Sentinel.

Sentinel Digital Signature Private Key

Specifies the path to the custom private key file that you want the OAuth server to use to authenticate audit messages sent to Sentinel.

Miscellaneous

The utility displays these settings only when you select Show Advanced Options.

OCSP URI

Specifies the Uniform Resource Identifier (URI) to use when the client installation uses the On-Line Certificate Status Protocol (OCSP). For example, http://host:port/ocspLocal.

The OCSP URI updates the status of trusted certificates online.

Authorization Config Path

Specifies the fully qualified name of the authorization configuration file.

Identity Vault Indexes

To improve the performance of the identity applications, you can create value indexes for manager, ismanager, and srvprvUUID attributes. 

You can create value indexes by using the Configuration utility or iManager after completing the identity applications installation. The following considerations apply to this setting:

  • Without indexes on these attributes, identity applications users can experience impeded performance of the identity applications.

  • You can create these indexes manually by using iManager after you install the identity applications.

  • For best performance, you should create the index during installation.

  • The indexes must be in Online mode before you make the identity applications available to users.

  • To create an index, select Create in the Server DN setting and specify a value for Server DN. Click OK and then restart the Identity Vault for the changes to take effect.

  • To delete an index, select Delete in the Server DN setting and specify a value for Server DN. Click OK and then restart the Identity Vault for the changes to take effect.

Server DN

Applies only when you want to create or delete an Identity Vault index.

Specifies the eDirectory server where you want the indexes to be created or removed.

You can specify only one server at a time. To configure indexes on multiple eDirectory servers, you must run the RBPM Configuration utility multiple times.

Reinitialize RBPM Security

Specifies whether you want to reset RBPM security when the installation process completes. You must also redeploy the identity applications.

IDMReport URL

Specifies the URL of the Identity Manager Reporting Module. For example, http://hostname:port/IDMRPT.

Custom Themes Context Name

Specifies the name of the customized theme that you want to use for displaying the identity applications in the browser.

Log Message Identifier Prefix

Specifies the value that you want to use in the layout pattern for the CONSOLE and FILE appenders in the idmuserapp_logging.xml file. The default value is RBPM.

Change RBPM Context Name

Specifies whether you want to change the context name for RBPM.

You must also specify the new name and DN of the Roles and Resource driver.

RBPM Context Name

Applies only when you select Change RBPM Context Name.

Specifies the new context name for RBPM.

Role Driver DN

Applies only when you select Change RBPM Context Name.

Specifies the DN of the Roles and Resource driver.

Container Object

These parameters apply only during installation.

This section helps you to define the values for container objects or create new container objects.

Selected

Specifies the Container Object Types that you want to use.

Container Object Type

Specifies the container: locality, country, organizationalUnit, organization, or domain.

You can also define your own containers in iManager and add them under Add a new Container Object.

Container Attribute Name

Specifies the name of the Attribute Type associated with the specified Container Object Type.

Add a New Container Object: Container Object Type

Specifies the LDAP name of an object class from the Identity Vault that can serve as a new container.

Add a New Container Object: Container Attribute Name

Specifies the name of the Attribute Type associated with the new Container Object Type.

Reporting Parameters

When configuring the identity applications, this tab defines the values for managing Identity Reporting. The utility adds this tab when you install Identity Reporting.

By default, the tab displays the basic options. To see all settings, click Show Advanced Options. This tab includes the following groups of settings:

Email Delivery Configuration

This section defines the values for sending notifications.

SMTP Server Hostname

Specifies the DNS name or IP address of the email server than you want Identity Reporting to use when sending notification. Do not use localhost.

SMTP Server Port

Specifies the port number for the SMTP server.

SMTP Use SSL

Specifies whether you want to use TLS/SSL protocol for communication with the email server.

Server Needs Authentication

Specifies whether you want to use authentication for communications with the email server.

SMTP User Name

Specifies the email address that you want to use for authentication.

You must specify a value. If the server does not require authentication, you can specify an invalid address.

SMTP User Password

Applies only when you specify that the server requires authentication.

Specifies the password for the SMTP user account.

Default Email Address

Specifies the email address that you want Identity Reporting to use as the origination for email notifications.

Report Retention Values

This section defines the values for storing completed reports.

Report Unit, Report Lifetime

Specifies the amount of time that Identity Reporting keeps completed reports before deleting them. For example, to specify six months, enter 6 in the Report Lifetime field and then select Month in the Report Unit field.

Location of Reports

Specifies a path where you want to store the report definitions. For example, /opt/netiq/IdentityReporting.

Modify Locale

This section defines the values for the language that you want Identity Reporting to use. Identity Reporting uses the specific locales in searches. For more information, see the Administrator Guide to NetIQ Identity Reporting.

Role Configuration

This section defines the values for the authentication sources that Identity Reporting uses to generate reports.

Add Authentication Source

Specifies the type of authentication source that you want to add for reporting. Authentication sources can be

  • Default

  • LDAP Directory

  • File

Outbound Proxy

Applies only when you use Identity Manager 4.8.1 or later versions.

This section defines the values to use reverse proxy server that Identity Reporting uses to download reports.

Use Proxy

Specifies the option to use Reverse Proxy server for reporting.

  • Hostname or IP address

  • Port

  • Use TLS

    Applies only when you want to use TCP as your network protocol.

Authentication Parameters

When configuring the identity applications, this tab defines the values that Tomcat uses to direct users to the identity application and password management pages.

By default, the tab displays the basic options. To see all settings, click Show Advanced Options. This tab includes the following groups of settings:

Authentication Server

This section defines settings for the identity applications to connect to the authentication server.

OAuth server host identifier

Required

Specifies the relative URL of the authentication server that issues tokens to OSP. For example, 192.168.0.1.

OAuth server TCP port

Specifies the port for the authentication server.

OAuth server is using TLS/SSL

Specifies whether the authentication server uses TLS/SSL protocol for communication.

Optional TLS/SSL truststore file

Applies only when you select OAuth server is using TLS/SSL and the utility is showing the advanced options.

Optional TLS/SSL truststore password

Applies only when you select OAuth server is using TLS/SSL and the utility is showing the advanced options.

Specifies the password used to load the keystore file for the TLS/SSL authentication server.

NOTE:If you do not specify the keystore path and password, and the trust certificate for the authentication server is not in the JRE trust store (cacerts), the identity applications fail to connect to the authentication service that uses TLS/SSL protocol.

Authentication Configuration

This section defines settings for the authentication server.

LDAP DN of Admins Container

Required

Specifies the distinguished name of the container in the Identity Vault that contains any administrator User objects that OSP must authenticate. For example, ou=sa,o=data.

Duplicate resolution naming attribute

Specifies the name of the LDAP attribute used to differentiate between multiple eDirectory User objects with the same cn value. The default value is mail.

Restrict authentication sources to contexts

Specifies whether searches in the user and administrator containers in the Identity Vault are restricted to only User objects in those containers or searches should also include subcontainers.

Session Timeout (minutes)

Specifies the number of minutes of inactivity in a session before the server times out the user’s session. The default value is 20 minutes.

Access token lifetime (seconds)

Specifies the number of seconds an OSP access token remains valid. The default value is 60 seconds.

Refresh token lifetime (hours)

Specifies the number of seconds an OSP refresh token remains valid. The refresh token is used internally by OSP. The default value is 48 hours.

Authentication Method

This section defines the values that enable OSP to authenticate users who log in to the browser-based components of Identity Manager.

Method

Specifies the type of authentication that you want Identity Manager to use when a user logs on.

  • Name and Password: OSP verifies authentication with the Identity Vault.

  • Kerberos: OSP accepts authentication from both a Kerberos ticket server and the identity vault.

  • SAML 2.0: OSP accepts authentication from both a SAML identity provider and the identity vault.

Enable reCAPTCHA

Applies only when you specify Name and Password.

Specifies whether you want to enable reCAPTCHA on the login page.

reCAPTCHA provides an additional layer of security by requesting users to confirm that they are not a robot. It displays images that users must select based on a matching criteria. If a response succeeds, Access Manager authenticates the user’s authentication credentials. If a response fails, Access Manager does not authenticate the user credentials, and redirects to the login page.

Enable two-factor authentication

Applies only when you specify Name and Password.

Specifies whether you want to enable two-factor authentication.

This requires some configuration to be done in the Second Factor tab. For more information, see Second Factor Parameters.

Mapping attribute name

Applies only when you specify Kerberos or SAML.

Specifies the name of the attribute that maps to the Kerberos ticket server or SAML representations at the identity provider.

Enable fallback reCAPTCHA

Applies only when you specify Kerberos.

Specifies whether you want to enable reCAPTCHA with the fallback username and password when Kerberos cannot be used.

Number of attempts before required

Applies only when you select the Enable fallback reCAPTCHA check box.

Specifies the number of unsuccessful login attempts before reCAPTCHA is enabled. Setting the value to zero indicates that the reCAPTCHA is always required.

Site Key

Applies only when you select the Enable fallback reCAPTCHA check box.

Specifies the reCAPTCHA site key value obtained from the Google reCAPTCHA website.

Private Key

Applies only when you select the Enable fallback reCAPTCHA check box.

Specifies the reCAPTCHA private key value obtained from the Google reCAPTCHA website.

Enable fallback two-factor authentication

Applies only when you specify Kerberos.

Specifies whether you want to enable two-factor authentication with the fallback username and password when Kerberos cannot be used.

This requires some configuration to be done in the Second Factor tab. For more information, see Second Factor Parameters.

Use logout landing page

Applies only when you specify Kerberos.

Specifies if you want to enable a landing page rather than redirecting to the login page after a successful logout.

Landing Page

Applies only when you specify SAML.

  • None: Specifies that the landing page will not be used. Select this option if the IDP URL is indicated.

  • Internal: Specifies that the internal OSP landing page will be used.

  • External: Specifies that you will be redirected to an external OSP landing page.

URL

Applies only when you select External in the Landing page field.

Specifies the URL of the external landing page.

Metadata source

Applies only when you specify SAML.

Specifies the source of the IDP metadata. You can either load the metadata from a URL or copy a previously obtained metadata.

Metadata URL

Applies only when you specify URL in the Metadata URL field.

Specifies whether you want to load the metadata from the URL and save it to the configuration before you exit the application.

Load on save

Applies only when you specify URL in the Metadata URL field.

Specifies the URL that OSP uses to redirect the authentication request to SAML.

IDP Metadata

Applies only when you specify Copy/Paste in the Metadata URL field.

Specifies the data you want to paste, that is obtained from the SAML IDP.

Configure Access Manager on exit

Applies only when you specify Copy/Paste in the Metadata URL field.

Specifies whether you want to automatically configure a SAML service provider definition in Access Manager.

Password Management

This section defines the values that enable users to modify their passwords as a self-service operation.

Password Management Provider

Specifies the type of password management system that you want to use.

User Application (Legacy): Uses the password management program that Identity Manager traditionally has used. This option also allows you to use an external password management program.

Forgotten Password

This check box parameter applies only when you want to use SSPR.

Specifies whether you want users to recover a forgotten password without contacting a help desk.

You must also configure the challenge-response policies for the Forgotten Password feature. For more information, see the NetIQ Self Service Password Reset Administration Guide.

Forgotten Password

This menu list applies only when you select User Application (Legacy).

Specifies whether you want to use the password management system integrated with the User Application or an external system.

  • Internal: Use the default internal Password Management functionality, ./jsps/pwdmgt/ForgotPassword.jsp (without the http(s) protocol at the beginning). This redirects the user to the Forgot Password functionality built into the User Application, rather than to an external WAR.

  • External: Use an external Forgot Password WAR to call back the User Application through a web service. You must also specify the settings for the external system.

Forgotten Password Link

Applies only when you want to use an external password management system.

Specifies the URL that points to the Forgot Password functionality page. Specify a ForgotPassword.jsp file in an external or internal password management WAR.

Forgotten Password Return Link

Applies only when you want to use an external password management system.

Specifies the URL for the Forgot Password Return Link that the user can click after performing a forgot password operation.

Forgotten Password Web Service URL

Applies only when you want to use an external password management system.

Specifies the URL that the External Forgot Password WAR will use to call back to the User Application to perform core forgot password functionalities. Use the following format:

https://<idmhost>:<sslport>/<idm>/
pwdmgt/service
Sentinel Digital Signature Certificate and Key

This section defines the values that allows Identity Manager to communicate with Sentinel for auditing events.

Sentinel Digital Signature Certificate

Specifies a custom public key certificate that you want the OSP server to use to authenticate audit messages sent to the audit system.

For information about configuring certificates for Novell Audit, see “Managing Certificates” in the Novell Audit Administration Guide.

Sentinel Digital Signature Private Key

Specifies the path to the custom private key file that you want the OSP server to use to authenticate audit messages sent to the audit system.

SSO Clients Parameters

When configuring the identity applications, this tab defines the values for managing single sign-on access to the applications.

By default, the tab displays the basic options. To see all settings, click Show Advanced Options. This tab includes the following groups of settings:

IDM Dashboard

This section defines the values for the URL that users need to access the Identity Manager Dashboard, which is the primary login location for the identity applications.

OAuth client ID

Required

Specifies the name that you want to use to identify the single sign-on client for the Dashboard to the authentication server. The default value is idmdash.

OAuth client secret

Required

Specifies the password for the single sign-on client for the Dashboard.

OSP OAuth redirect URL

Required

Specifies the absolute URL to which the authentication server redirects a browser client when authentication is complete.

Use the following format: protocol://server:port/path. For example, https://192.168.0.1:8543/idmdash/oauth.html.

IDM Administrator

This section defines the values for the URL that users need to access the Identity Manager Administrator page.

OAuth client ID

Required

Specifies the name that you want to use to identify the single sign-on client for the Identity Manager Administrator to the authentication server. The default value is idmadmin.

OAuth client secret

Required

Specifies the password for the single sign-on client for the Identity Manager Administrator.

OSP OAuth redirect URL

Required

Specifies the absolute URL to which the authentication server redirects a browser client when authentication is complete.

Use the following format: protocol://server:port/path. For example, https://192.168.0.1:8543/idmadmin/oauth.html.

RBPM

This section defines the values for the URL that users need to access the User Application.

OAuth client ID

Required

Specifies the name that you want to use to identify the single sign-on client for the User Application to the authentication server. The default value is rbpm.

OAuth client secret

Required

Specifies the password for the single sign-on client for the User Application.

URL link to landing page

Required

Specifies the relative URL to use to access the Dashboard from the User Application. The default value is /landing.

OSP OAuth redirect URL

Required

Specifies the absolute URL to which the authentication server redirects a browser client when authentication is complete.

Use the following format: protocol://server:port/path. For example, https://192.168.0.1:8543/IDMProv/oauth.

RBPM to eDirectory SAML configuration

Required

Specifies the RBPM to Identity Vault SAML settings required for SSO authentication.

Reporting

This section defines the values for the URL that users need to access Identity Reporting. The utility display these values only if you add Identity Reporting to your Identity Manager solution.

OAuth client ID

Required

Specifies the name that you want to use to identify the single sign-on client for the Identity Reporting to the authentication server. The default value is rpt.

OAuth client secret

Required

Specifies the password for the single sign-on client for Identity Reporting.

URL link to landing page

Required

Specifies the relative URL to use to access the Dashboard from Identity Reporting. The default value is /idmdash/#/landing.

If you installed Identity Reporting and the identity applications in separate servers, then specify an absolute URL. Use the following format: protocol://server:port/path. For example, https://192.168.0.1:8543/IDMRPT/oauth.

OSP OAuth redirect url

Required

Specifies the absolute URL to which the authentication server redirects a browser client when authentication is complete.

Use the following format: protocol://server:port/path. For example, https://192.168.0.1:8543/IDMRPT/oauth.

IDM Data Collection Service

This section defines the values for the URL that users need to access the Identity Manager Data Collection Service.

OAuth client ID

Required

Specifies the name that you want to use to identify the single sign-on client for Identity Manager Data Collection Service to the authentication server. The default value is idmdcs.

OAuth client secret

Required

Specifies the password for the single sign-on client for the Identity Manager Data Collection Service.

OSP OAuth redirect URL

Required

Specifies the absolute URL to which the authentication server redirects a browser client when authentication is complete.

Use the following format: protocol://server:port/path. For example, https://192.168.0.1:8543/idmdcs/oauth.html.

DCS Driver

This section defines the values for managing the Data Collection Services driver.

OAuth client ID

Specifies the name that you want to use to identify the single sign-on client for the Data Collection Service driver to the authentication server. The default value for this parameter is dcsdrv.

OAuth client secret

Specifies the password for the single sign-on client for the Data Collection Service driver.

Self Service Password Reset

This section defines the values for the URL that users need to access SSPR.

OAuth client ID

Required

Specifies the name that you want to use to identify the single sign-on client for SSPR to the authentication server. The default value is sspr.

OAuth client secret

Required

Specifies the password for the single sign-on client for SSPR.

OSP OAuth redirect URL

Required

Specifies the absolute URL to which the authentication server redirects a browser client when authentication is complete.

Use the following format: protocol://server:port/path. For example, https://192.168.0.1:8543/sspr/public/oauth.html.

Second Factor Parameters

Ensure that you have created the methods, chain, and events in Advanced Authentication before proceeding. You must configure OSP to accept the authentications from Advanced Authentication.

By default, the tab displays the basic options. To see all settings, click Show Advanced Options. This tab includes the following groups of settings:

AAF Administrator

This section defines settings for the Advanced Authentication Administrator:

Admin name (Repository\name)

Required

Specifies the repository-qualified name of the Advanced Authentication administrator account that OSP uses to interface with Advanced Authentication. Typically, the account is in the LOCAL repository.

The default Advanced Authentication administrator account is named admin. If you used this account, then the Admin name value is:

LOCAL\admin (repository name + \ + user name)

Admin Password

Required

Specifies the password for the Advanced Authentication administrative user you specified above.

AAF User Repository

This section define settings for the Advanced Authentication user repository:

User repository name

Required

Specifies the name of the repository in Advanced Authentication you created. This repository corresponds to the Identity Vault for Identity Manager.

AAF Servers

This section defines settings for the Advanced Authentication servers:

Allow test TLS certificate

Required

Specifies whether you want to ignore an invalid test certificate subject from the AAF server. This applies only for initial configuration and testing.

Click Add, then specify the DNS name or IP address of the Advanced Authentication server. If you use a different port than 443, specify that port as well.

(Conditional) If you have clustered the Advanced Authentication server, then click Add again, and specify each DNS name or IP address for each server in the cluster.

Show tuning parameters

Required

Specifies whether you want to enable the tuning parameters.

Logout session cleanup (minutes): Applies only if you have selected the Show tuning parameters check box.

Specifies the duration after which the active AAF logon sessions are considered for timeout and cleanup issues.

Heartbeat interval (milliseconds): Applies only if you have selected the Show tuning parameters check box.

Specifies the duration after which the heartbeat request is sent to an AAF server to check for availability.

AAF Endpoint

This section define settings for the Advanced Authentication endpoints:

Create new endpoint

Required

Specifies whether you want to create a new endpoint for two-factor authentication.

Identifier: Applies only if you have not selected the Create new endpoint check box.

Specifies the endpoint identifier as configured in AAF administration.

Secret: Applies only if you have not selected the Create new endpoint check box.

Specifies the endpoint secret as configured in AAF administration.

Name: Applies only if you have selected the Create new endpoint check box.

Specifies the name of the new endpoint used for identifying the endpoint in the AAF administration pages.

Description: Applies only if you have selected the Create new endpoint check box.

Specifies the description for the new endpoint that you specified above.

Second Factor Conditions

This section defines settings for the second factor conditions.

All users, all the time

Required

Specifies whether you want to enable all users to provide a second factor authentication at all times.

User Login Condition: Applies only if you have not selected the All users, all the time check box.

Specifies that you can define certain expressions and conditions for Identity Manager to use the second factor authentication.

Second Factor Authentication Methods

This section define settings for the Advanced Authentication methods.

Specifies whether you want to enable the second factor authentication for different methods.

To disable the second factor authentication for a method, deselect the check box next to the method name.

Identity Manager uses the relative priority of second factor methods if a user has enrolled in more than one method.

CEF Auditing Parameters

This section defines the values for managing the CEF auditing parameters for the single sign-on client.

Send audit events

Specifies whether you want to use CEF for auditing events.

Destination host

Specifies the DNS name or the IP address of the auditing server.

Destination port

Specifies the port of the auditing server.

Network protocol

Specifies the network protocol used by the auditing server to receive CEF events.

Use TLS

Applies only when you want to use TCP as your network protocol.

Specifies if the auditing server is configured to use TLS with TCP. Select Use TLS > Show Advanced Options, and provide the Identity Manager Keystore file name and the Identity Manager Keystore password.

Intermediate event store directory

Specifies the location of the cache directory before the CEF events are sent to the auditing server. If you are providing an intermediate event store directory of your choice, you must first ensure that the permissions and ownership are changed to novlua for that directory. To change the permission of the directory, run the following commands:

chown novlua:novlua <directory_path>

chmod 755 <directory_path>

where <directory_path> is the path to the intermediate event store directory.

For complete documentation on configuring CEF auditing, see Configuring Identity Applications in NetIQ Identity Manager - Configuring Auditing in Identity Manager.

6.6.2 Specifying a Location for the Permission Index

When you install the identity applications, the process creates a permission index for Tomcat. If you do not specify a location for the index, the installation creates a folder in a temporary directory. For example, /opt/netiq/idm/apps/tomcat/temp/permindex on Tomcat.

In a test environment, the location usually does not matter. However, in a production or staging environment, you might not want to place the permission index in a temporary directory.

To specify a location for the index:

  1. Stop Tomcat.

  2. In a text editor, open the ism-configuration.properties file.

  3. At the end of the file, add the following text:

    com.netiq.idm.cis.indexdir = path/permindex

    For example:

    com.netiq.idm.cis.indexdir = /opt/netiq/idm/apps/tomcat/temp/permindex
  4. Save and close the file.

  5. Delete the existing permindex folder in the temporary directory.

  6. Start Tomcat.

To enable the permission index for clustering, see Section 18.0, Sample Identity Applications Cluster Deployment Solution on Tomcat Application Server.

6.6.3 Deploying REST APIs for Identity Applications

The identity applications components incorporate several REST APIs that enable different features within Identity Applications. The REST services use OAUTH2 protocol to provide authentication. You can invoke these APIs using a browser or curl command in scripts to automate the administrative tasks. The REST APIs and the corresponding documentation are available in the idmappsdoc.war file. The war is automatically deployed when Identity Applications are installed. For more information, see the REST API documentation.

To access the REST API documentation on the server where identity applications are installed, specify https://<identity applications servername>:<Port>/idmappsdoc, in the address bar of your browser. For example: https://192.168.0.1:8543/idmappsdoc.

NOTE:To export the workflow database tables, add the below entry in the ism-configuration.properties file:

com.microfocus.workflow.migration.tables = <list-of-tables-to-exported-comma-separated>

For example:

com.microfocus.workflow.migration.tables = afmodel,afform, afprocess,afdocument,afactivity,afactivitytimertasks,afbranch,afcomment,afprovisioningstatus,afquorum,afworktask,configuration,email_approval_token,localization,processed_eba_mails

6.6.4 Configuring the Oracle Database With Identity Applications

Perform the following steps to configure the Oracle database:

  1. Download and install the latest version of the Oracle database.

    The default SID for the database is orcl.

  2. Create the database instance:

    1. From the command line, run the following command to launch the Database Configuration Assistor.

      dbca

    2. In the Global Database Name field, specify the database name. For example, idappsdb.

  3. Create the database user:

    1. Log in to the Oracle SQL developer tool.

    2. Run the following commands:

      CREATE USER idmadmin IDENTIFIED BY <password>;

      GRANT CONNECT, RESOURCE to idmadmin;

      ALTER USER idmadmin quota 100M on USERS;

      where,

      idmadmin represents the user account, and

      <password> represents the user password.

  4. Repeat steps 2 and 3 to configure the Workflow Engine database.

NOTE:When you are configuring Identity Applications with Oracle database, ensure that you use the same details as specified in the above section.

6.6.5 Accessing the Oracle Database Using Oracle Service Name

You can connect to the Oracle database by using Oracle System ID (SID) and Oracle Service Name. If you want to access the database by using a service name, complete the identity applications installation to one database instance by connecting through SID. After the installation is completed, perform the following actions:

  1. Create a service name in the Oracle database by running the following command:

    alter system set service_names='SERVICE1' scope=both sid='*'; 

    where SERVICE 1 is the name of the Oracle service.

    NOTE:You can specify the service name in uppercase or lowercase. It is not case-sensitive.

  2. Define the service name in Tomcat’s server.xml file by modifying the Oracle data source details in the file:

    url="jdbc:oracle:thin:@IP:PORT/service1"
  3. Restart Tomcat.

  4. Verify that the service name is included in the catalina.out log file.

  5. Verify that the identity applications are properly connected to the database.

6.6.6 Manually Creating the Database Schema

When you install the identity applications, you can postpone connecting to the database or creating tables in the database. If you do not have permissions to the database, you might need to choose this option. The installation program creates a SQL file that you can use to create the database schema. You can also recreate the database tables after installation without having to reinstall. To do so, you delete the database for the identity applications and create a new database with the same name.

Using the SQL File to Generate the Database Schema

This section assumes that the installation program created a SQL file that you can execute to generate the database schema. If you do not have the SQL file, see Manually Creating the SQL File to Generate the Database Schema.

NOTE:Do not use SQL*Plus to execute the SQL file. The line lengths in the file exceed 4000 characters.

  1. Stop the Application Server.

  2. Login to the Database Server.

  3. Delete the database that is used by the identity applications.

  4. Create a new database with the same name as the one that was deleted in Step 3.

  5. Navigate to the SQL script that the installation process created, by default in the /installation_path/userapp/sql directory.

  6. (Conditional) For an Oracle database, insert a backslash (/) after the definition of the function CONCAT_BLOB. For example:

      -- Changeset icfg-data-load.xml::700::IDMRBPM
    CREATE OR REPLACE FUNCTION CONCAT_BLOB(A IN BLOB, B IN BLOB) RETURN BLOB AS
                    C BLOB;
                BEGIN
                    DBMS_LOB.CREATETEMPORARY(C, TRUE);
                    DBMS_LOB.APPEND(C, A);
                    DBMS_LOB.APPEND(C, B);
                    RETURN c;
                END;
    /
  7. Have the database administrator run the SQL script to create and configure the User Application database.

  8. Restart Tomcat.

Manually Creating the SQL File to Generate the Database Schema

You can recreate the database tables after installation without having to reinstall and without having the SQL file. This section helps you create the database schema in the event that you do not have the SQL file.

  1. Stop Tomcat.

  2. Log in to the server that hosts your identity applications database.

  3. Delete the existing database.

  4. Create a new database with the same name as the one that you deleted in Step 3.

  5. In a text editor, open the NetIQ-Custom-Install.log file, located by default at the root of the installation directory for the identity applications. For example:

    /opt/netiq/idm/apps/UserApplication
  6. Search and copy the below command from the NetIQ-Custom-Install.log file:

    /opt/netiq/common/jre/bin/java -Xms256m -Xmx256m  -Dwar.context.name=IDMProv -Ddriver.dn="cn=User Application Driver,cn=driverset1,o=system" -Duser.container="o=data" -jar /opt/netiq/idm/apps/UserApplication/liquibase.jar --databaseClass=liquibase.database.core.PostgresDatabase --driver=org.postgresql.Driver --classpath=/opt/netiq/idm/apps/postgresql/postgresql-9.4.1212jdbc42.jar opt/netiq/idm/apps/UserApplication/IDMProv.war --changeLogFile=DatabaseChangeLog.xml  --url="jdbc:postgresql://localhost:5432/idmuserappdb" --contexts="prov,newdb" --logLevel=info --logFile=/opt/netiq/idm/apps/UserApplication/db.out --username=******** --password=******** update
  7. Log in to the server where you installed the database for the identity applications.

  8. In a terminal, paste the command string that you copied.

    NOTE:The command should be updateSQL. If it is update, change the command to updateSQL.

  9. In the command, replace the asterisks (*) that represent the database username and password with the actual values required to authenticate. Also, ensure the name of the SQL file is unique.

  10. Execute the command.

  11. (Conditional) If the process generates a SQL file instead of populating the database, provide the file to your database administrator to import into the database server. For more information, see Using the SQL File to Generate the Database Schema.

  12. After the database administrator imports the SQL file, start Tomcat.

6.6.7 Configuring Single Sign-On Settings for the Identity Applications

The installation process installs an authentication service (OSP) for single sign-on access in Identity Manager. However, you can also configure the OSP authentication server to accept authentication from the Kerberos ticket server or SAML. To configure the single sign-on settings for the identity applications after installation, Configuring Single Sign-on Access in Identity Manager in the NetIQ Identity Manager - Administrator’s Guide to the Identity Applications.

6.6.8 Starting the Identity Applications

Ensure that you restart the Tomcat service and ActiveMQ service after you configure the identity applications.

systemctl restart netiq-tomcat.service

systemctl restart netiq-activemq.service

6.6.9 Configuration and Usage Considerations for the Identity Applications

The following considerations apply to the configurations and initial usage of the identity applications.

  • During the installation process, the installation program writes log files to the installation directory. These files contain information about your configuration. After you configure your Identity Applications environment, you should consider deleting these log files or storing them in a secure location. During the installation process, you might choose to write the database schema to a file. Since this file contains descriptive information about your database, you should move the file to a secure location after the installation process is complete.

  • (Conditional) To audit the identity applications, you must have Identity Reporting and an auditing service installed in your environment and configured to capture the events. You must also configure the identity applications for auditing.

  • Before users can access the identity applications, you must complete the following activities:

    • Ensure that all necessary Identity Manager drivers are installed.

    • Ensure that the indexes for the Identity Vault are in Online mode. For more information about configuring an index during or after installation, see Creating Value Indexes for Identity Vault.

    • Enable cookies on all browsers. The applications do not work when cookies are disabled.

  • If you have installed Identity Applications and SSPR on different servers, then you must import the SSPR trusted certificate into the idm.jks of Identity Applications server.