The Identity Applications Configuration utility helps you manage the settings for the User Application drivers and the identity applications. The installation program for the identity applications invokes a version of this utility so that you can more quickly configure the applications. You can also modify most of these settings after installation.
The file to run the Configuration utility (configupdate.bat) is located by default in an installation subdirectory for the identity applications (C:\NetIQ\idm\apps\UserApplication).
NOTE:In a cluster, the configuration settings must be identical for all members of the cluster.
This section explains the settings in the configuration utility. The settings are organized by tabs. If you install Identity Reporting, the process adds parameters for Reporting to the utility.
Open the configupdate.properties file in a text editor and verify that the following options are configured:
edit_admin="true"
use_console="false"
At the command prompt, run the configuration utility (configupdate.bat).
NOTE:You might need to wait a few minutes for the utility to start up.
When configuring the identity applications, this tab defines the values that the applications use when communicating with the Identity Vault. Some settings are required for completing the installation process.
By default, the tab displays the basic options. To see all settings, click Show Advanced Options. This tab includes the following groups of settings:
This section defines the settings that enable the identity applications to access the user identities and roles in the Identity Vault. Some settings are required for completing the installation process.
Required
Specifies the hostname or IP address for your LDAP server. For example: myLDAPhost.
Specifies the port on which the Identity Vault listens for LDAP requests in clear text. The default value is 389.
Specifies the port on which the Identity Vault listens for LDAP requests using Secure Sockets Layer (SSL) protocol. The default value is 636.
If a service already loaded on the server (before you install eDirectory) uses the default port, you must specify a different port.
Required
Specifies the credentials for the LDAP Administrator. For example, cn=admin. This user must already exist in the Identity Vault.
The identity applications use this account to make an administrative connection to the Identity Vault. This value is encrypted, based on the master key.
Required
Specifies the password associated the LDAP Administrator. This password is encrypted, based on the master key.
Specifies whether users who are not logged in can access the LDAP Public Anonymous Account.
Specifies whether RBPM uses SSL protocol for all communication related to the admin account. This setting allows other operations that do not require SSL to operate without SSL.
NOTE:This option might have adverse performance implications.
Specifies whether RBPM uses TLS/SSL protocol for all communication related to the logged-in user's account. This setting allows other operations that do not require TLS/SSL to operate without the protocol.
NOTE:This option might have adverse performance implications.
This section defines the distinguished names for containers and user accounts that enable communication between the identity applications and other Identity Manager components. Some settings are required for completing the installation process.
Required
Specifies the LDAP distinguished name of the root container. This is used as the default entity definition search root when no search root is specified in the directory abstraction layer. For example, o=mycompany.
Required
When showing the advanced options, the utility displays this parameter under Identity Vault User Identity.
Specifies the LDAP distinguished name (DN) or fully qualified LDAP name of the user container. The following considerations apply to this setting:
Users in this container (and below) are allowed to log in to the identity applications.
If you have started Tomcat hosting the identity applications, you cannot change this setting with the configupdate.bat file.
This container must include the User Application Administrator that you specified as you set up the User Application driver. Otherwise, the specified account cannot execute workflows.
Required
When showing the advanced options, the utility displays this parameter under Identity Vault User Groups.
Specifies the LDAP distinguished name (DN) or fully qualified LDAP name of the group container. The following considerations apply to this setting:
Entity definitions within the directory abstraction layer use this DN.
If you have started Tomcat hosting the identity applications, you cannot change this setting with the configupdate.bat file.
Required
Specifies the distinguished name of the User Application driver.
For example, if your driver is UserApplicationDriver and your driver set is called myDriverSet, and the driver set is in a context of o=myCompany, specify cn=UserApplicationDriver,cn=myDriverSet,o=myCompany.
Required
Specifies an existing user account in the Identity Vault that has the rights to perform administrative tasks for the specified user container for User Application. The following considerations apply to this setting:
If you have started Tomcat hosting the User Application, you cannot change this setting with the configupdate.bat file.
To change this assignment after you deploy the User Application, use the Administration > Security pages in the User Application.
This user account has the right to use the Administration tab of the User Application to administer the portal.
If the User Application Administrator participates in workflow administration tasks exposed in iManager, Designer, or the User Application (Requests & Approvals tab), you must grant this administrator appropriate trustee rights to object instances contained in the User Application driver. For more information, see the User Application Administration Guide for details.
Specifies an existing user account in the Identity Vault that will manage Provisioning Workflow functions available throughout the User Application.
To change this assignment after you deploy the User Application, use the Administration > Administrator Assignments page in the User Application.
Specifies an existing account in the Identity Vault that performs a system role to allow members to perform all functions on the Compliance tab. The following considerations apply to this setting:
To change this assignment after you deploy the identity applications, use the Administration > Administrator Assignments page in the User Application.
During a configuration update, changes to this value take effect only if you do not have a valid Compliance Administrator assigned. If a valid Compliance Administrator exists, then your changes are not saved.
Specifies the role that allows members to create, remove, or modify all roles, and grant or revoke any role assignment to any user, group, or container. It also allows its role members to run any report for any user. The following considerations apply to this setting:
By default, the User Application Admin is assigned this role.
To change this assignment after you deploy the identity applications, use the Administration > Administrator Assignments page in the User Application.
During a configuration update, changes to this value take effect only if you do not have a valid Roles Administrator assigned. If a valid Roles Administrator exists, then your changes are not saved.
Specifies the role that gives members the full range of capabilities within the Security domain. The following considerations apply to this setting:
The Security Administrator can perform all possible actions for all objects within the Security domain. The Security domain allows the Security Administrator to configure access permissions for all objects in all domains within RBPM. The Security Administrator can configure teams, and also assign domain administrators, delegated administrators, and other Security Administrators.
To change this assignment after you deploy the identity applications, use the Administration > Administrator Assignments page in the User Application.
Specifies the role that gives members the full range of capabilities within the Resource domain. The following considerations apply to this setting:
The Resources Administrator can perform all possible actions for all objects within the Resource domain.
To change this assignment after you deploy the identity applications, use the Administration > Administrator Assignments page in the User Application.
Specifies the role that gives members the full range of capabilities within the Configuration domain. The following considerations apply to this setting:
The RBPM Configuration Administrator can perform all possible actions on all objects within the Configuration domain. The RBPM Configuration Administrator controls access to navigation items within RBPM. In addition, the RBPM Configuration Administrator configures the delegation and proxy service, the provisioning user interface, and the workflow engine.
To change this assignment after you deploy the identity applications, use the Administration > Administrator Assignments page in the User Application.
Specifies the Reporting Administrator. By default, the installation program lists this value as the same user as the other security fields.
This section defines the values that enable the identity applications to communicate with a user container in the Identity Vault. Some settings are required for completing the installation process.
The utility displays these settings only when you select Show Advanced Options.
Required
When not showing the advanced options, the utility displays this parameter under Identity Vault DNs.
Specifies the LDAP distinguished name (DN) or fully qualified LDAP name of the user container. The following considerations apply to this setting:
Users in this container (and below) are allowed to log in to the identity applications.
If you have started Tomcat hosting the identity applications, you cannot change this setting with the configupdate.bat file.
This container must include the User Application Administrator that you specified as you set up the User Application driver. Otherwise, the specified account cannot execute workflows.
Specifies the depth of scope that Identity Vault users can search the container.
Specifies the object class of the LDAP user. Usually the class is inetOrgPerson.
Specifies the LDAP attribute that represents the user’s login name. For example, cn.
Specifies the LDAP attribute used as the identifier when looking up users or groups. This is not the same as the login attribute, which is used only during login. For example, cn.
(Optional) Specifies the LDAP attribute that represents the user’s group membership. Do not use spaces when specifying the name.
This section defines the values that enable the identity applications to communicate with a group container in the Identity Vault. Some settings are required for completing the installation process.
The utility displays these settings only when you select Show Advanced Options.
Required
When not showing the advanced options, the utility displays this parameter under Identity Vault DNs.
Specifies the LDAP distinguished name (DN) or fully qualified LDAP name of the group container. The following considerations apply to this setting:
Entity definitions within the directory abstraction layer use this DN.
If you have started Tomcat hosting the identity applications, you cannot change this setting with the configupdate.bat file.
Specifies the depth of scope that Identity Vault users can search for the group container.
Specifies the object class of the LDAP group. Usually the class is groupofNames.
(Optional) Specifies the user’s group membership. Do not use spaces in this name.
Specifies whether you want to use dynamic groups.
You must also specify a value for Dynamic Group Object Class.
Applies only when you select Use Dynamic Groups.
Specifies the object class of the LDAP dynamic group. Usually the class is dynamicGroup.
This section defines the path and password for the JRE keystore. Some settings are required for completing the installation process.
Required
Specifies the full path to your keystore (cacerts) file of the JRE that Tomcat uses to run. You can manually enter the path or browse to the cacerts file. The following considerations apply to this setting:
In environments, you must specify the installation directory of RBPM. The default value is set to the correct location.
The installation program for the identity applications modifies the keystore file. On Linux, the user must have permission to write to this file.
Required
Specifies the password for the keystore file. The default is changeit.
This section defines the values that enable email notifications, which you can use for email-based approvals. For more information, see the NetIQ Identity Manager - Administrator’s Guide to the Identity Applications.
Specifies the name or IP address of Tomcat that hosts the identity applications. For example, myapplication serverServer.
This value replaces the $HOST$ token in e-mail templates. The installation program uses this information to create a URL to provisioning request tasks and approval notifications.
Specifies the port number of Tomcat that hosts the identity applications.
This values replaces the $PORT$ token in e-mail templates that are used in provisioning request tasks and approval notifications.
Specifies the secure port number of Tomcat that hosts the identity applications.
This value replaces the $SECURE_PORT$ token in e-mail templates used in provisioning request tasks and approval notifications.
Specifies a non-secure protocol included in the URL when sending user email. For example, http.
This value replaces the $PROTOCOL$ token in e-mail templates used in provisioning request tasks and approval notifications.
Specifies the secure protocol included in the URL when sending user email. For example, https.
This value replaces the $SECURE_PROTOCOL$ token in e-mail templates used in provisioning request tasks and approval notifications.
Specifies the email account that the identity applications use to send email notifications.
Specifies the IP address or DNS name of the SMTP email host that the identity applications use for provisioning emails. Do not use localhost.
Specifies whether you want the server to require authentication.
You must also specify the credentials for the email server.
Applies only when you enable Server requires authentication.
Specifies the name of a login account for the email server.
Applies only when you enable Server requires authentication.
Specifies the password of an login account for the mail server.
Specifies whether you want to secure the contents of email messages during transmission between the mail servers.
Specifies the path to the image that you want to include in email notifications. For example, http://localhost:8080/IDMProv/images.
Specifies whether you want to add a digital signature to outgoing messages.
If you enable this option, you must also specify settings for the keystore and signature key.
Applies only when you enable Sign email.
Specifies the full path to the keystore (cacerts) file that you want to use for digitally signing an email. You can manually enter the path or browse to the cacerts file.
For example, C:\NetIQ\idm\apps\jre\lib\security\cacerts.
Applies only when you enable Sign email.
Specifies the password for the keystore file. For example, changeit.
Applies only when you enable Sign email.
Specifies the alias of the signing key in the keystore. For example, idmapptest.
Applies only when you enable Sign email.
Specifies the password that protects the file containing the signature key. For example, changeit.
This section defines the values for the trusted keystore for the identity applications. The utility displays these settings only when you select Show Advanced Options.
Specifies the path to the Trusted Key Store that contains all trusted signers’ certificates. If this path is empty, the identity applications get the path from System property javax.net.ssl.trustStore. If the System property cannot provide the path, the installation program defaults to jre\lib\security\cacerts.
Specifies the password for the Trusted Key Store. If you leave this field is empty, the identity applications gets the password from System property javax.net.ssl.trustStorePassword. If the System property cannot provide the path, the installation program defaults to changeit.
This password is encrypted, based on the master key.
Specifies whether the trusted store path uses a Java keystore (JKS) or PKCS12 for digital signing.
This section defines the values that allows Identity Manager to communicate with Sentinel for auditing events. The utility displays these settings only when you select Show Advanced Options.
Lists the custom public key certificate that you want the OAuth server to use to authenticate audit messages sent to Sentinel.
Specifies the path to the custom private key file that you want the OAuth server to use to authenticate audit messages sent to Sentinel.
The utility displays these settings only when you select Show Advanced Options.
Specifies the Uniform Resource Identifier (URI) to use when the client installation uses the On-Line Certificate Status Protocol (OCSP). For example, http://host:port/ocspLocal.
The OCSP URI updates the status of trusted certificates online.
Specifies the fully qualified name of the authorization configuration file.
During installation, specifies whether you want the installation program to create indexes on the manager, ismanager, and srvprvUUID attributes. After installation, you can modify the settings to point to a new location of the indexes. The following considerations apply to this setting:
Without indexes on these attributes, identity applications users can experience impeded performance of the identity applications.
You can create these indexes manually by using iManager after you install the identity applications.
For best performance, you should create the index during installation.
The indexes must be in Online mode before you make the identity applications available to users.
To create or delete an index, you must also specify a value for Server DN.
Applies only when you want to create or delete an Identity Vault index.
Specifies the eDirectory server where you want the indexes to be created or removed.
You can specify only one server at a time. To configure indexes on multiple eDirectory servers, you must run the RBPM Configuration utility multiple times.
Specifies whether you want to reset RBPM security when the installation process completes. You must also redeploy the identity applications.
Specifies the URL of the Identity Manager Reporting Module. For example, http://hostname:port/IDMRPT.
Specifies the name of the customized theme that you want to use for displaying the identity applications in the browser.
Specifies the value that you want to use in the layout pattern for the CONSOLE and FILE appenders in the idmuserapp_logging.xml file. The default value is RBPM.
Specifies whether you want to change the context name for RBPM.
You must also specify the new name and DN of the Roles and Resource driver.
Applies only when you select Change RBPM Context Name.
Specifies the new context name for RBPM.
Applies only when you select Change RBPM Context Name.
Specifies the DN of the Roles and Resource driver.
These parameters apply only during installation.
This section helps you to define the values for container objects or create new container objects.
Specifies the Container Object Types that you want to use.
Specifies the container: locality, country, organizationalUnit, organization, or domain.
You can also define your own containers in iManager and add them under Add a new Container Object.
Specifies the name of the Attribute Type associated with the specified Container Object Type.
Specifies the LDAP name of an object class from the Identity Vault that can serve as a new container.
Specifies the name of the Attribute Type associated with the new Container Object Type.
When configuring the identity applications, this tab defines the values for managing Identity Reporting. The utility adds this tab when you install Identity Reporting.
By default, the tab displays the basic options. To see all settings, click Show Advanced Options. This tab includes the following groups of settings:
This section defines the values for sending notifications.
Specifies the DNS name or IP address of the email server than you want Identity Reporting to use when sending notification. Do not use localhost.
Specifies the port number for the SMTP server.
Specifies whether you want to use TLS/SSL protocol for communication with the email server.
Specifies whether you want to use authentication for communications with the email server.
Specifies the email address that you want to use for authentication.
You must specify a value. If the server does not require authentication, you can specify an invalid address.
Applies only when you specify that the server requires authentication.
Specifies the password for the SMTP user account.
Specifies the email address that you want Identity Reporting to use as the origination for email notifications.
This section defines the values for storing completed reports.
Specifies the amount of time that Identity Reporting keeps completed reports before deleting them. For example, to specify six months, enter 6 in the Report Lifetime field and then select Month in the Report Unit field.
Specifies a path where you want to store the report definitions. For example, C:\NetIQ\idm\apps\IdentityReporting.
This section defines the values for the language that you want Identity Reporting to use. Identity Reporting uses the specific locales in searches. For more information, see the Administrator Guide to NetIQ Identity Reporting.
This section defines the values for the authentication sources that Identity Reporting uses to generate reports.
Specifies the type of authentication source that you want to add for reporting. Authentication sources can be
Default
LDAP Directory
File
When configuring the identity applications, this tab defines the values that Tomcat uses to direct users to the identity application and password management pages.
By default, the tab displays the basic options. To see all settings, click Show Advanced Options. This tab includes the following groups of settings:
This section defines settings for the identity applications to connect to the authentication server.
Required
Specifies the relative URL of the authentication server that issues tokens to OSP. For example, 192.168.0.1.
Specifies the port for the authentication server.
Specifies whether the authentication server uses TLS/SSL protocol for communication.
Applies only when you select OAuth server is using TLS/SSL and the utility is showing the advanced options.
Applies only when you select OAuth server is using TLS/SSL and the utility is showing the advanced options.
Specifies the password used to load the keystore file for the TLS/SSL authentication server.
NOTE:If you do not specify the keystore path and password, and the trust certificate for the authentication server is not in the JRE trust store (cacerts), the identity applications fail to connect to the authentication service that uses TLS/SSL protocol.
This section defines settings for the authentication server.
Required
Specifies the distinguished name of the container in the Identity Vault that contains any administrator User objects that OSP must authenticate. For example, ou=sa,o=data.
Specifies the name of the LDAP attribute used to differentiate between multiple eDirectory User objects with the same cn value. The default value is mail.
Specifies whether searches in the user and administrator containers in the Identity Vault are restricted to only User objects in those containers or searches should also include subcontainers.
Specifies the number of minutes of inactivity in a session before the server times out the user’s session. The default value is 20 minutes.
Specifies the number of seconds an OSP access token remains valid. The default value is 60 seconds.
Specifies the number of seconds an OSP refresh token remains valid. The refresh token is used internally by OSP. The default value is 48 hours.
This section defines the values that enable OSP to authenticate users who log in to the browser-based components of Identity Manager.
Specifies the type of authentication that you want Identity Manager to use when a user logs on.
Name and Password: OSP verifies authentication with the identity vault.
Kerberos: OSP accepts authentication from both a Kerberos ticket server and the identity vault. You must also specify a value for Mapping attribute name.
SAML 2.0: OSP accepts authentication from both a SAML identity provider and the identity vault. You must also specify values for Mapping attribute name and Metadata URL.
Applies only when you specify Kerberos or SAML.
Specifies the name of the attribute that maps to the Kerberos ticket server or SAML representations at the identity provider.
Applies only when you specify SAML.
Specifies the URL that OSP uses to redirect the authentication request to SAML.
This section defines the values that enable users to modify their passwords as a self-service operation.
Specifies the type of password management system that you want to use.
User Application (Legacy): Uses the password management program that Identity Manager traditionally has used. This option also allows you to use an external password management program.
This check box parameter applies only when you want to use SSPR.
Specifies whether you want users to recover a forgotten password without contacting a help desk.
You must also configure the challenge-response policies for the Forgotten Password feature. For more information, see the NetIQ Self Service Password Reset Administration Guide.
This menu list applies only when you select User Application (Legacy).
Specifies whether you want to use the password management system integrated with the User Application or an external system.
Internal: Use the default internal Password Management functionality, ./jsps/pwdmgt/ForgotPassword.jsp (without the http(s) protocol at the beginning). This redirects the user to the Forgot Password functionality built into the User Application, rather than to an external WAR.
External: Use an e external Forgot Password WAR to call back the User Application through a web service. You must also specify the settings for the external system.
Applies only when you want to use an external password management system.
Specifies the URL that points to the Forgot Password functionality page. Specify a ForgotPassword.jsp file in an external or internal password management WAR.
Applies only when you want to use an external password management system.
Specifies the URL for the Forgot Password Return Link that the user can click after performing a forgot password operation.
Applies only when you want to use an external password management system.
Specifies the URL that the External Forgot Password WAR will use to call back to the User Application to perform core forgot password functionalities. Use the following format:
https://<idmhost>:<sslport>/<idm>/ pwdmgt/service
This section defines the values that allows Identity Manager to communicate with Sentinel for auditing events.
Specifies a custom public key certificate that you want the OSP server to use to authenticate audit messages sent to the audit system.
For information about configuring certificates for Novell Audit, see “Managing Certificates” in the Novell Audit Administration Guide.
Specifies the path to the custom private key file that you want the OSP server to use to authenticate audit messages sent to the audit system.
When configuring the identity applications, this tab defines the values for managing single sign-on access to the applications.
By default, the tab displays the basic options. To see all settings, click Show Advanced Options. This tab includes the following groups of settings:
This section defines the values for the URL that users need to access the Identity Manager Dashboard, which is the primary login location for the identity applications.
Required
Specifies the name that you want to use to identify the single sign-on client for the Dashboard to the authentication server. The default value is idmdash.
Required
Specifies the password for the single sign-on client for the Dashboard.
Required
Specifies the absolute URL to which the authentication server redirects a browser client when authentication is complete.
Use the following format: protocol://server:port/path. For example, https://192.168.0.1:8543/idmdash/oauth.html.
This section defines the values for the URL that users need to access the Identity Manager Administrator page.
Required
Specifies the name that you want to use to identify the single sign-on client for the Identity Manager Administrator to the authentication server. The default value is idmadmin.
Required
Specifies the password for the single sign-on client for the Identity Manager Administrator.
Required
Specifies the absolute URL to which the authentication server redirects a browser client when authentication is complete.
Use the following format: protocol://server:port/path. For example, https://192.168.0.1:8543/idmadmin/oauth.html.
This section defines the values for the URL that users need to access the User Application.
Required
Specifies the name that you want to use to identify the single sign-on client for the User Application to the authentication server. The default value is rbpm.
Required
Specifies the password for the single sign-on client for the User Application.
Required
Specifies the relative URL to use to access the Dashboard from the User Application. The default value is /landing.
Required
Specifies the absolute URL to which the authentication server redirects a browser client when authentication is complete.
Use the following format: protocol://server:port/path. For example, https://192.168.0.1:8543/IDMProv/oauth.
Required
Specifies the RBPM to eDirectory SAML settings required for SSO authentication.
This section defines the values for the URL that users need to access Identity Reporting. The utility display these values only if you add Identity Reporting to your Identity Manager solution.
Required
Specifies the name that you want to use to identify the single sign-on client for the Identity Reporting to the authentication server. The default value is rpt.
Required
Specifies the password for the single sign-on client for Identity Reporting.
Required
Specifies the relative URL to use to access the Dashboard from Identity Reporting. The default value is /idmdash/#/landing.
If you installed Identity Reporting and the identity applications in separate servers, then specify an absolute URL. Use the following format: protocol://server:port/path. For example, https://192.168.0.1:8543/IDMRPT/oauth.
Required
Specifies the absolute URL to which the authentication server redirects a browser client when authentication is complete.
Use the following format: protocol://server:port/path. For example, https://192.168.0.1:8543/IDMRPT/oauth.
This section defines the values for the URL that users need to access the Identity Manager Data Collection Service.
Required
Specifies the name that you want to use to identify the single sign-on client for Identity Manager Data Collection Service to the authentication server. The default value is idmdcs.
Required
Specifies the password for the single sign-on client for the Identity Manager Data Collection Service.
Required
Specifies the absolute URL to which the authentication server redirects a browser client when authentication is complete.
Use the following format: protocol://server:port/path. For example, https://192.168.0.1:8543/idmdcs/oauth.html.
This section defines the values for managing the Data Collection Services driver.
Figure 11-2
Specifies the name that you want to use to identify the single sign-on client for the Data Collection Service driver to the authentication server. The default value for this parameter is dcsdrv.
Specifies the password for the single sign-on client for the Data Collection Service driver.
This section defines the values for the URL that users need to access SSPR.
Required
Specifies the name that you want to use to identify the single sign-on client for SSPR to the authentication server. The default value is sspr.
Required
Specifies the password for the single sign-on client for SSPR.
Required
Specifies the absolute URL to which the authentication server redirects a browser client when authentication is complete.
Use the following format: protocol://server:port/path. For example, https://192.168.0.1:8543/sspr/public/oauth.html.
This section defines the values for managing the CEF Auditing parameters.
Specifies whether you want to use CEF for auditing events in Identity Applications.
Specifies the DNS name or the IP address of the auditing server.
Specifies the port of the auditing server.
Specifies the network protocol used by the auditing server to receive CEF events.
Applies only when you want to use TCP as your network protocol.
Specifies if the auditing server is configured to use TLS with TCP.
Specifies the location of the cache directory before the CEF events are sent to the auditing server.
NOTE:Ensure that the novlua permissions are set for the cache directory. Otherwise, you cannot access the IDMDash and IDMProv applications. Also, none of the OSP events will be logged in the cache directory. For example, you can change the permission and ownership of the directory using the chown novlua:novlua /<directorypath> command, where <directorypath> is the cache file directory path.