This table includes the configuration parameters available when you click Show Advanced Options.
Table A-2 User Application Configuration: All Options

| Type of Setting | Option | Description |
|---|---|---|
| Identity Vault Settings | Identity Vault Server | Required. Specify the hostname or IP address for your LDAP server. For example: myLDAPhost |
| | LDAP Port | Specify the non-secure port for your LDAP server. For example: 389. |
| | Secure LDAP Port | Specify the secure port for your LDAP server. For example: 636. |
| | Identity Vault Administrator | Required. Specify the credentials for the LDAP Administrator. This user must already exist. The User Application uses this account to make an administrative connection to the Identity Vault. This value is encrypted, based on the master key. |
| | Identity Vault Administrator Password | Required. Specify the LDAP Administrator password. This password is encrypted, based on the master key. |
| | Use Public Anonymous Account | Allows users who are not logged in to access the LDAP Public Anonymous Account. |
| | LDAP Guest | Allows users who are not logged in to access permitted portlets. This user account must already exist in the Identity Vault. To enable LDAP Guest, you must deselect Use Public Anonymous Account. To disable Guest User, select Use Public Anonymous Account. |
| | LDAP Guest Password | Specify the LDAP Guest password. |
| | Secure Administrator Connection | Select this option to require that all communication using the admin account be done over a secure socket. (This option can have adverse performance implications.) This setting allows other operations that don't require SSL to operate without SSL. |
| | Secure User Connection | Select this option to require that all communication done on the logged-in user's account be done over a secure socket. (This option can have severe adverse performance implications.) This setting allows other operations that don't require SSL to operate without SSL. |
| Identity Vault DNs | Root Container DN | Required. Specify the LDAP distinguished name of the root container. This is used as the default entity definition search root when no search root is specified in the directory abstraction layer. |
| | User Application Driver DN | Required. Specify the distinguished name of the User Application driver. For example, if your driver is UserApplicationDriver, your driver set is called myDriverSet, and the driver set is in a context of o=myCompany, you type a value of: cn=UserApplicationDriver,cn=myDriverSet,o=myCompany |
| | User Application Administrator | Required. An existing user in the Identity Vault who has the rights to perform administrative tasks for the User Application user container specified. This user can use the Administration tab of the User Application to administer the portal. If the User Application Administrator participates in workflow administration tasks exposed in iManager, Novell Designer for Identity Manager, or the User Application (Requests & Approvals tab), you must grant this administrator appropriate trustee rights to object instances contained in the User Application driver. Refer to the User Application: Administration Guide for details. To change this assignment after you deploy the User Application, you must use the Administration > Security pages in the User Application. You cannot change this setting via configupdate if you have started the application server hosting the User Application. |
| | Provisioning Administrator | The Provisioning Administrator manages Provisioning Workflow functions available throughout the User Application. This user must exist in the Identity Vault prior to being designated the Provisioning Administrator. To change this assignment after you deploy the User Application, use the Administration > Administrator Assignments page in the User Application. |
| | Compliance Administrator | The Compliance Administrator is a system role that allows members to perform all functions on the Compliance tab. This user must exist in the Identity Vault prior to being designated as the Compliance Module Administrator. During a configupdate, changes to this value only take effect if you do not have a valid Compliance Administrator assigned. If a valid Compliance Administrator exists, your changes are not saved. To change this assignment after you deploy the User Application, use the Administration > Administrator Assignments page in the User Application. |
| | Roles Administrator | This role allows members to create, remove, or modify all roles, and grant or revoke any role assignment to any user, group, or container. It also allows its role members to run any report for any user. By default, the User Application Admin is assigned this role. To change this assignment after you deploy the User Application, use the Administration > Administrator Assignments page in the User Application. During a configupdate, changes to this value only take effect if you do not have a valid Roles Administrator assigned. If a valid Roles Administrator exists, your changes are not saved. |
| | Security Administrator | This role gives members the full range of capabilities within the Security domain. The Security Administrator can perform all possible actions for all objects within the Security domain. The Security domain allows the Security Administrator to configure access permissions for all objects in all domains within the Roles Based Provisioning Module. The Security Administrator can configure teams, and also assign domain administrators, delegated administrators, and other Security Administrators. To change this assignment after you deploy the User Application, use the Administration > Administrator Assignments page in the User Application. |
| | Resources Administrator | This role gives members the full range of capabilities within the Resource domain. The Resources Administrator can perform all possible actions for all objects within the Resource domain. To change this assignment after you deploy the User Application, use the Administration > Administrator Assignments page in the User Application. |
| | RBPM Configuration Administrator | This role gives members the full range of capabilities within the Configuration domain. The RBPM Configuration Administrator can perform all possible actions on all objects within the Configuration domain. The RBPM Configuration Administrator controls access to navigation items within the Roles Based Provisioning Module. In addition, the RBPM Configuration Administrator configures the delegation and proxy service, the provisioning user interface, and the workflow engine. To change this assignment after you deploy the User Application, use the Administration > Administrator Assignments page in the User Application. |
| | RBPM Reporting Admin | Points to the Reporting Administrator. By default, the installer sets this value to the same user as the other security fields. |
| | Reinitialize RBPM Security | Check box that allows you to reset security. |
| | IDMReport URL | URL that points to the user interface for the Identity Reporting Module. |
| Identity Vault User Identity | User Container DN | Required. Specify the LDAP distinguished name (DN) or fully qualified LDAP name of the user container. Users in this container (and below) are allowed to log in to the User Application. You cannot change this setting via configupdate if you have started the application server hosting the User Application. IMPORTANT: Be sure the User Application Administrator specified during User Application driver setup exists in this container if you want that user to be able to execute workflows. |
| | User Container Scope | This defines the search scope for users. |
| | User Object Class | The LDAP user object class (typically inetOrgPerson). |
| | Login Attribute | The LDAP attribute (for example, CN) that represents the user's login name. |
| | Naming Attribute | The LDAP attribute used as the identifier when looking up users or groups. This is not the same as the login attribute, which is used only during login, and not during user/group searches. |
| | User Membership Attribute | Optional. The LDAP attribute that represents the user's group membership. Do not use spaces in this name. |
| Identity Vault User Groups | Group Container DN | Required. Specify the LDAP distinguished name (DN) or fully qualified LDAP name of the group container. Used by entity definitions within the directory abstraction layer. You cannot change this setting via configupdate if you have started the application server hosting the User Application. |
| | Group Container Scope | This defines the search scope for groups. |
| | Group Object Class | The LDAP group object class (typically groupofNames). |
| | Group Membership Attribute | The attribute representing the user's group membership. Do not use spaces in this name. |
| | Use Dynamic Groups | Select this option if you want to use dynamic groups. |
| | Dynamic Group Object Class | The LDAP dynamic group object class (typically dynamicGroup). |
| Identity Vault Certificates | Keystore Path | Required. Specify the full path to the keystore (cacerts) file of the JRE that the application server is using to run, or else click the small browser button and navigate to the cacerts file. The User Application installation modifies the keystore file. On Linux or Solaris, the user must have permission to write to this file. WebSphere note: The keystore path field needs to be set to the installation directory of RBPM, not the location of the JDK cacerts file as in JBoss installations. The default value is set to the correct location. |
| | Keystore Password / Confirm Keystore Password | Required. Specify the cacerts password. The default is changeit. |
| Trusted Key Store | Trusted Store Path | The Trusted Key Store contains all trusted signers' certificates. If this path is empty, the User Application gets the path from the System property javax.net.ssl.trustStore. If that property is not set either, the path is assumed to be jre/lib/security/cacerts. |
| | Trusted Store Password | If this field is empty, the User Application gets the password from the System property javax.net.ssl.trustStorePassword. If that property is not set either, changeit is used. This password is encrypted, based on the master key. |
| | Keystore Type JKS | Indicates what type of digital signing you want to use. If this field is checked, the trusted store path is of type JKS. |
| | Keystore Type PKCS12 | Indicates what type of digital signing you want to use. If this field is checked, the trusted store path is of type PKCS12. |
| Novell Audit Digital Signature and Certificate Key | | Contains the digital signature key and certificate for the audit service. |
| | Novell Audit Digital Signature Certificate | Displays the digital signature certificate for the audit service. |
| | Novell Audit Digital Signature Private Key | Displays the digital signature private key. This key is encrypted, based on the master key. |
| Access Manager Settings | Simultaneous Logout Enabled | If this option is selected, the User Application supports simultaneous logout of the User Application and either Novell Access Manager or iChain. The User Application checks for a Novell Access Manager or iChain cookie on logout and, if the cookie is present, reroutes the user to the ICS logout page. |
| | Simultaneous Logout Page | The URL to the Novell Access Manager or iChain logout page, where the URL is a hostname that Novell Access Manager or iChain expects. If ICS logging is enabled and a user logs out of the User Application, the user is rerouted to this page. |
| Email Server Configuration | Notification Template HOST | Specify the application server hosting the Identity Manager User Application. For example: myapplication serverServer. This value replaces the $HOST$ token in e-mail templates. The URL that is constructed is the link to provisioning request tasks and approval notifications. |
| | Notification Template PORT | Used to replace the $PORT$ token in e-mail templates used in provisioning request tasks and approval notifications. |
| | Notification Template SECURE PORT | Used to replace the $SECURE_PORT$ token in e-mail templates used in provisioning request tasks and approval notifications. |
| | Notification Template PROTOCOL | Refers to a non-secure protocol, HTTP. Used to replace the $PROTOCOL$ token in e-mail templates used in provisioning request tasks and approval notifications. |
| | Notification Template SECURE PROTOCOL | Refers to a secure protocol, HTTPS. Used to replace the $SECURE_PROTOCOL$ token in e-mail templates used in provisioning request tasks and approval notifications. |
| | Notification SMTP Email From: | Specify the e-mail address used as the From: address of a user in provisioning e-mail. |
| | SMTP Server Name: | Specify the SMTP e-mail host that provisioning e-mail uses. This can be an IP address or a DNS name. |
| Password Management | Use External Password WAR | This feature enables you to specify a Forgot Password page residing in an external Forgot Password WAR and a URL that the external Forgot Password WAR uses to call back the User Application through a Web service. If you select Use External Password WAR, you must supply values for Forgot Password Link, Forgot Password Return Link, and Forgot Password Web Service URL. If you do not select Use External Password WAR, Identity Manager uses the default internal Password Management functionality, ./jsps/pwdmgt/ForgotPassword.jsp (without the http(s) protocol at the beginning). This redirects the user to the Forgot Password functionality built into the User Application, rather than to an external WAR. |
| | Forgot Password Link | This URL points to the Forgot Password functionality page. Specify a ForgotPassword.jsp file in an external or internal password management WAR. |
| | Forgot Password Return Link | Specify the Forgot Password Return Link that the user can click after performing a forgot password operation. |
| | Forgot Password Web Service URL | This is the URL that the External Forgot Password WAR uses to call back to the User Application to perform core forgot password functions. The format of the URL is: https://<idmhost>:<sslport>/<idm>/pwdmgt/service |
| Miscellaneous | Session Timeout | The application session timeout. |
| | OCSP URI | If the client installation uses the Online Certificate Status Protocol (OCSP), supply a Uniform Resource Identifier (URI). For example, the format is http://host:port/ocspLocal. The OCSP URI updates the status of trusted certificates online. |
| | Authorization Config Path | Fully qualified name of the authorization configuration file. |
| | Create Identity Vault Index | Select this check box if you want the installation utility to create indexes on the manager, ismanager, and srvprvUUID attributes. Without indexes on these attributes, User Application users can experience impeded performance of the User Application, particularly in a clustered environment. You can create these indexes manually by using iManager after you install the User Application. See Section 9.3.1, Creating Indexes in eDirectory. For best performance, the index creation should be complete and the indexes should be in Online mode before you make the User Application available. |
| | Remove Identity Vault Index | Removes indexes on the manager, ismanager, and srvprvUUID attributes. |
| | Server DN | Select the eDirectory server where the indexes should be created or removed. NOTE: To configure indexes on multiple eDirectory servers, you must run the configupdate utility multiple times. You can only specify one server at a time. |
| Container Object | Selected | Select each Container Object Type to use. |
| | Container Object Type | Select from the following standard containers: locality, country, organizationalUnit, organization, and domain. You can also define your own containers in iManager and add them under Add a new Container Object. |
| | Container Attribute Name | Lists the Attribute Type name associated with the Container Object Type. |
| | Add a New Container Object: Container Object Type | Specify the LDAP name of an object class from the Identity Vault that can serve as a container. |
| | Add a New Container Object: Container Attribute Name | Supply the attribute name of the container object. |
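The Trusted Store Path and Trusted Store Password rows each describe a three-step fallback (configupdate field, then a javax.net.ssl System property, then a hard-coded default). The following added example, not part of the Identity Manager documentation, models that precedence so an administrator can see which store and password the User Application would end up using; the system properties are passed in as a plain dictionary, which is an assumption of this stand-alone script, and treating a whitespace-only field as empty is also an assumption.

```python
import os
from typing import Dict, List, Mapping, Optional, Sequence, Tuple

# Names and defaults documented in the Trusted Key Store rows of the table.
TRUST_STORE_PROPERTY = "javax.net.ssl.trustStore"
TRUST_STORE_PASSWORD_PROPERTY = "javax.net.ssl.trustStorePassword"
DEFAULT_TRUST_STORE = os.path.join("jre", "lib", "security", "cacerts")
DEFAULT_TRUST_STORE_PASSWORD = "changeit"


def _pick(candidates: Sequence[Tuple[str, Optional[str]]]) -> Tuple[str, str]:
    """Return the first non-empty value and the name of the source it came from.
    Assumption: a whitespace-only value counts as empty, like an unset field."""
    for source, value in candidates:
        if value is not None and value.strip():
            return value, source
    raise ValueError("no candidate set")  # unreachable: the last candidate is a constant


def resolve_trust_store(configured_path: Optional[str],
                        configured_password: Optional[str],
                        system_props: Mapping[str, str]) -> Dict[str, object]:
    """Apply the documented precedence and flag weak outcomes.

    system_props stands in for java.lang.System properties (assumption of this
    example); each returned *_source tells the administrator where the value
    came from so a surprising fallback is easy to spot during a review."""
    path, path_source = _pick([
        ("configupdate field", configured_path),
        (TRUST_STORE_PROPERTY, system_props.get(TRUST_STORE_PROPERTY)),
        ("fallback", DEFAULT_TRUST_STORE),
    ])
    password, password_source = _pick([
        ("configupdate field", configured_password),
        (TRUST_STORE_PASSWORD_PROPERTY, system_props.get(TRUST_STORE_PASSWORD_PROPERTY)),
        ("fallback", DEFAULT_TRUST_STORE_PASSWORD),
    ])
    warnings: List[str] = []
    if password == DEFAULT_TRUST_STORE_PASSWORD:
        warnings.append("trust store is protected only by the default password 'changeit'")
    if not os.path.isabs(path):
        warnings.append("trust store path is relative; confirm where the application "
                        "server resolves it before trusting the signer list")
    return {"path": path, "path_source": path_source,
            "password": password, "password_source": password_source,
            "warnings": warnings}
```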