To use Access Manager as the authentication service for Identity Governance, you must configure Access Manager to use the OAuth 2.0 protocol and you must define or add an attribute in the identity store for Access Manager to use to store authentication information. You can perform these steps before installing Identity Governance. If you use OSP as the authentication service and you want to move to Access Manager, you must perform these steps at that time.
Access Manager integrates with Identity Governance through the use of the OAuth 2.0 protocol to allow for secure communication between the two products. OAuth 2.0 allows you to use different authentication methods beyond the name/password method. For more information, see Understanding How Access Manager Uses OAuth and OpenID Connect in the Access Manager 4.5 Administration Guide.
You must configure Access Manager to use OAuth 2.0 before starting the Identity Governance installation. You must also use an LDAP-based bootstrap administrator and add a special attribute to the identity store to store authentication information from Access Manager.
Use the following checklist to complete the configuration tasks in the identity store and Access Manager before starting the Identity Governance installation or if you want to stop using OSP as your authentication service.
You can integrate Identity Governance and Access Manager during the installation of Identity Governance. You must select to use an LDAP-based bootstrap administrator, and you provide connection information to Access Manager during the install. The Installing Identity Governance section contains the details for the configuration. For more information, see Section 6.4, Identity Governance Installation Worksheet.
After you have completed the Identity Governance installation and if you are using Active Directory as the identity service, you must change the Access Manager Mapping Table to point to the Active Directory attribute of distinguishedName instead of entryDN. For more information, see Editing Attribute Sets in the Access Manager 4.5 Administration Guide.
Log in to the Access Manager administration console as an administrator.
Click Devices > Identity Server.
Click the Shared Settings tab, then click the Attributes Sets tab.
Click the Identity Governance object.
Identity Governance: If you used the default values during the Identity Governance Configuration Update utility conversion, the name is Micro Focus ISM.
Access Manager: If during the Access Manager OAuth Configuration you used the advanced option of ISM Application Instance ID, the name is Micro Focus ISM_specified_name.
Click Mapping.
Click Ldap Attribute:entryDN [LDAP Attribute Profile].
Select Local attribute.
Select Ldap Attribute:distinguishedName [LDAP Attribute Profile].
Click OK.
Click Apply, then click OK.
Click Servers, then click Update All.
On the OSP server, restart Apache Tomcat. For more information, see Section 3.4.3, Starting and Stopping Apache Tomcat.
If you installed Identity Governance using OSP as the authentication service and now you want to use Access Manager, Identity Governance allows you to do that without having to uninstall Identity Governance. Making the change is a process that requires multiple steps.
The process is different if you have OSP, Identity Governance, and Identity Reporting installed on separate servers. For more information, see Section 4.3.4, Integrating Identity Governance and Access Manager After the Identity Governance Installation in a Distributed Environment. Use the following information to switch from OSP to Access Manager if you have OSP and Identity Governance installed on the same server.
Ensure that you have completed all of the Access Manager integration steps before proceeding. For more information, see Section 4.3.1, Access Manager and the Identity Service Integration Checklist for OAuth 2.0.
Stop Apache Tomcat. For more information, see Section 3.4.3, Starting and Stopping Apache Tomcat.
Verify that the single sign-on settings are populated.
Launch the Identity Governance Configuration Update utility. For more information, see Section 14.1.4, Using the Identity Governance Configuration Update Utility.
Click the IG SSO Clients tab.
Click Show Advanced Options.
Ensure that all of the fields except for Identity Governance Client > Additional mapped LDAP attributes are populated. If any fields are missing information, add the information for your environment.
Click OK to save the configuration, even if you did not make any changes; the Identity Governance Configuration Update utility closes automatically.
Verify that the ism-configuration.properties file contains four entries of response-types = client_credentials.
Open the ism-configuration.properties file in a text editor. The default location is:
Linux: /opt/netiq/idm/apps/tomcat/conf
Windows: c:\netiq\idm\apps\tomcat\conf
Search for response-types = client_credentials. There should be four.
If there are not four entries, repeat Step 3.
Change the authentication settings to use Access Manager.
Launch the Identity Governance Configuration Update utility. For more information, see Section 14.1.4, Using the Identity Governance Configuration Update Utility.
Click the Authentications tab.
(Conditional) Select OAuth server uses TLS.
Select Access Manager is the OAuth provider.
Populate the following fields with the Access Manager information.
Specify the fully qualified DNS name of your Access Manager server.
Specify the port for Access Manager. The default is 443.
Browse to and select the LDAP bootstrap administrator you created in Step 1.
Click Configure Access Manager now.
Use the following information to configure Identity Governance to work with Access Manager:
Specify the fully qualified DNS name of the Access Manager administration console.
Specify the port for the Access Manager administration console.
Specify the fully qualified DN of an Access Manager administrator user.
Specify the password for the Access Manager administrator.
Ensure that this option is selected to automatically update the Access Manager Identity Server with the Identity Governance information.
Browse to and select the bootstrap administrator that you created with the NAM_OAUTH2_ADMIN Access Manager role in Step 7.
Specify the password for the bootstrap administrator.
Click OK to save the changes.
Review and accept the certificate presented.
After the configuration work is completed, click OK on the Notification message.
Select the IG SSO Client tab and notice that the Client IDs and Secrets have been updated.
Click OK to save the changes and the Identity Governance Configuration Update utility automatically closes.
(Conditional) If you are using Active Directory as the identity service, change the Access Manager Mapping Table to point to the Active Directory attribute of distinguishedName instead of entryDN. For more information, see Editing Attribute Sets in the Access Manager 4.5 Administration Guide.
Log in to the Access Manager administration console as an administrator.
Click Devices > Identity Server.
Click the Shared Settings tab, then click the Attributes Sets tab.
Click the Identity Governance object.
Identity Governance: If you used the default values during the Identity Governance Configuration Update utility conversion, the name is Micro Focus ISM.
Access Manager: If during the Access Manager OAuth Configuration you used the advanced option of ISM Application Instance ID, the name is Micro Focus ISM_specified_name.
Click Mapping.
Click Ldap Attribute:entryDN [LDAP Attribute Profile].
Select Local attribute.
Select Ldap Attribute:distinguishedName [LDAP Attribute Profile].
Click OK.
Click Apply, then click OK.
Click Servers, then click Update All.
Ensure that the ism-configuration.properties file lists the protocol as secure.
Open the ism-configuration.properties file in a text editor. The default location is:
Linux: /opt/netiq/idm/apps/tomcat/conf
Windows: c:\netiq\idm\apps\tomcat\conf
Search for com.netiq.idm.osp.url.host.
If it is not set to https, change it from http to https.
Save and close the file.
(Conditional) If the ism-configuration.properties file was incorrect, the Identity Governance Configuration Update utility must receive a valid certificate.
Launch the Identity Governance Configuration Update utility. For more information, see Section 14.1.4, Using the Identity Governance Configuration Update Utility.
When it displays the fields, click OK.
Review and accept the new certificate, then click OK to save and the Identity Governance Configuration Update utility automatically closes.
Change additional settings in the Identity Governance Configuration utility.
Launch the Identity Governance Configuration utility using the database password. For more information, see Section 14.1.3, Using the Identity Governance Configuration Utility.
Click the Authentication tab.
In the OAuth Server section, make the following changes:
Deselect this option.
(Conditional) Change the protocol from http to https if it is not already at https.
Specify the fully qualified DNS name of the Access Manager server.
Specify the port for the Access Manager server. The default value is 443.
Click Save to save the changes, then close the utility.
Update the ism-configuration.properties file.
Open the ism-configuration.properties file in a text editor. The default location is:
Linux: /opt/netiq/idm/apps/tomcat/conf
Windows: c:\netiq\idm\apps\tomcat\conf
Add the following entry:
com.netiq.iac.authserver.url.logout = ${com.netiq.idm.osp.url.host}/nidp/app/logout
Save and close the file.
Clean up Apache Tomcat.
Delete the following cache directory. This is the default location.
Linux: /opt/netiq/idm/apps/tomcat/work/Catalina/localhost
Windows: c:\netiq\idm\apps\tomcat\work\Catalina\localhost
Delete all of the files and sub-folders in the temp directory. This is the default location.
Linux: /opt/netiq/idm/apps/tomcat/temp
Windows: c:\netiq\idm\apps\tomcat\temp
Delete or move any Apache Tomcat log files. This is the default location.
Linux: /opt/netiq/idm/apps/tomcat/logs
Windows: c:\netiq\idm\apps\tomcat\logs
Start Apache Tomcat. For more information, see Section 3.4.3, Starting and Stopping Apache Tomcat.
Log in to Identity Governance to test and see if authentication now goes through Access Manager.
Identity Governance allows you to switch your authentication service from OSP to Access Manager without having to reinstall Identity Governance. If you have OSP, Identity Governance, and Identity Reporting installed on separate servers, you must use the following procedure to make the change. The steps are different from those for the case where all of the components are installed on one server. If you have all of the components installed on one server, see Section 4.3.2, Integrating Identity Governance and Access Manager During the Installation of Identity Governance.
Ensure that you have completed all of the Access Manager integration steps before proceeding. For more information, see Section 4.3.1, Access Manager and the Identity Service Integration Checklist for OAuth 2.0.
On the OSP server, change the authentication service to Access Manager.
Stop Apache Tomcat on the OSP, Identity Governance, and Identity Reporting servers. For more information, see Section 3.4.3, Starting and Stopping Apache Tomcat.
Verify that the single sign-on settings are populated.
Launch the Identity Governance Configuration Update utility. For more information, see Section 14.1.4, Using the Identity Governance Configuration Update Utility.
Click the IG SSO Clients tab.
Click Show Advanced Options.
Ensure that all of the fields except for Identity Governance Client > Additional mapped LDAP attributes are populated. If any fields are missing information, add the information for your environment.
Click OK to save the configuration, even if you did not make any changes; the Identity Governance Configuration Update utility closes automatically.
Verify that the ism-configuration.properties file contains four entries of response-types = client_credentials.
Open the ism-configuration.properties file in a text editor. The default location is:
Linux: /opt/netiq/idm/apps/tomcat/conf
Windows: c:\netiq\idm\apps\tomcat\conf
Search for response-types = client_credentials. There should be four.
If there are not four entries, repeat Step 2.a.a.
Change the authentication settings to use Access Manager.
Launch the Identity Governance Configuration Update utility. For more information, see Section 14.1.4, Using the Identity Governance Configuration Update Utility.
Click the Authentications tab.
(Conditional) Select OAuth server uses TLS.
Select Access Manager is the OAuth provider.
Populate the following fields with the Access Manager information.
Specify the fully qualified DNS name of your Access Manager server.
Specify the port for Access Manager. The default is 443.
Browse to and select the LDAP bootstrap administrator you created in Step 1.
Click Configure Access Manager now.
Use the following information to configure Identity Governance to work with Access Manager:
Specify the fully qualified DNS name of the Access Manager administration console.
Specify the port for the Access Manager administration console.
Specify the fully qualified DN of an Access Manager administrator user.
Specify the password for the Access Manager administrator.
Ensure that this option is selected to automatically update the Access Manager Identity Server with the Identity Governance information.
Browse to and select the bootstrap administrator that you created with the NAM_OAUTH2_ADMIN Access Manager role in Step 7.
Specify the password for the bootstrap administrator.
Click OK to save the changes.
Review and accept the certificate presented.
After the configuration work is completed, click OK on the Notification message.
Select the IG SSO Client tab and notice that the Client IDs and Secrets have been updated.
Click OK to save the changes and the Identity Governance Configuration Update utility automatically closes.
Ensure that the ism-configuration.properties file lists the protocol as secure.
Open the ism-configuration.properties file in a text editor. The default location is:
Linux: /opt/netiq/idm/apps/tomcat/conf
Windows: c:\netiq\idm\apps\tomcat\conf
Search for com.netiq.idm.osp.url.host.
If it is not set to https, change it from http to https.
Save and close the file.
(Conditional) If you are using Active Directory as the identity service, change the Access Manager Mapping Table to point to the Active Directory attribute of distinguishedName instead of entryDN. For more information, see Editing Attribute Sets in the Access Manager 4.5 Administration Guide.
Log in to the Access Manager administration console as an administrator.
Click Devices > Identity Server.
Click the Shared Settings tab, then click the Attributes Sets tab.
Click the Identity Governance object.
Identity Governance: If you used the default values during the Identity Governance Configuration Update utility conversion, the name is Micro Focus ISM.
Access Manager: If during the Access Manager OAuth Configuration you used the advanced option of ISM Application Instance ID, the name is Micro Focus ISM_specified_name.
Click Mapping.
Click Ldap Attribute:entryDN [LDAP Attribute Profile].
Select Local attribute.
Select Ldap Attribute:distinguishedName [LDAP Attribute Profile].
Click OK.
Click Apply, then click OK.
Click Servers, then click Update All.
(Conditional) If the ism-configuration.properties file was incorrect, the Identity Governance Configuration Update utility must receive a valid certificate.
Launch the Identity Governance Configuration Update utility. For more information, see Section 14.1.4, Using the Identity Governance Configuration Update Utility.
When it displays the fields, click OK.
Review and accept the new certificate, then click OK to save and the Identity Governance Configuration Update utility automatically closes.
On the Identity Governance server change the authentication service to be Access Manager.
On the Access Manager server, access the OAuth Client IDs and Secrets.
On the Identity Governance server launch a browser and access the Access Manager administration console.
On the Dashboard under Identity Servers, select IDPCluster.
Click the OAuth & OpenID Connect tab, then click the Client Applications tab.
Leave the Client Applications tab open because it contains the client IDs and secrets for the Identity Governance applications that you created in Step 7. You add this information to the Identity Governance configuration.
Add the client IDs and secrets from Access Manager to the Identity Governance configuration.
Launch the Identity Governance Configuration Update utility. For more information, see Section 14.1.4, Using the Identity Governance Configuration Update Utility.
Click the OAuth SSO Client tab.
Copy the Client ID and Secret for each Identity Governance application listed in Access Manager. Use the following table to correlate the names in Identity Governance to the names in Access Manager.
IMPORTANT: Ensure that you copy the Client ID, not the Client Application Name.
Identity Governance Application Name | Access Manager Application Name
---|---
Identity Governance | iac
Request Client | cx client
Data Connectivity Service | iac_dc_server
General Service | iac_general-service
Data Transformation and Processing Service | iac_dtp_server
Workflow Service | iac_wf_server
In the Identity Governance Configuration Update utility ensure that the authentication settings are set to Access Manager values.
Click the Authentications tab.
(Conditional) Select OAuth server uses TLS.
Select Access Manager is the OAuth provider.
Populate the following fields with the Access Manager information.
Specify the fully qualified DNS name of your Access Manager server.
Specify the port for Access Manager. The default is 443.
Browse to and select the LDAP bootstrap administrator you created in Step 1.
Click OK to save the changes and the Identity Governance Configuration Update utility automatically closes.
Ensure that the ism-configuration.properties file lists the protocol as secure.
Open the ism-configuration.properties file in a text editor. The default location is:
Linux: /opt/netiq/idm/apps/tomcat/conf
Windows: c:\netiq\idm\apps\tomcat\conf
Search for com.netiq.idm.osp.url.host.
If it is not set to https, change it from http to https.
Save and close the file.
(Conditional) If the ism-configuration.properties file was incorrect, the Identity Governance Configuration Update utility must receive a valid certificate.
Launch the Identity Governance Configuration Update utility. For more information, see Section 14.1.4, Using the Identity Governance Configuration Update Utility.
When it displays the fields, click OK.
Review and accept the new certificate, then click OK to save and the Identity Governance Configuration Update utility automatically closes.
Update the ism-configuration.properties file on the Identity Governance server with information from the OSP server.
On the OSP server, open the ism-configuration.properties file in a text editor. The default location is:
Linux: /opt/netiq/idm/apps/tomcat/conf
Windows: c:\netiq\idm\apps\tomcat\conf
Find the following entry:
com.netiq.idm.osp.oauth.auth-params =
Copy the entry and the value for this entry.
On the Identity Governance server, open the ism-configuration.properties file in a text editor. The default location is:
Linux: /opt/netiq/idm/apps/tomcat/conf
Windows: c:\netiq\idm\apps\tomcat\conf
Add the entry that you copied in Step 4.c to the Identity Governance ism-configuration.properties file.
Add the following entry to the Identity Governance ism-configuration.properties file:
com.netiq.iac.authserver.url.logout = ${com.netiq.idm.osp.url.host}/nidp/app/logout
Save and close the OSP and the Identity Governance ism-configuration.properties files.
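To verify the ism-configuration.properties edits that this procedure and the single-server procedure above call for (four client_credentials entries, an https host URL, the logout entry, and on a distributed system the auth-params line copied from the OSP server), here is an added shell example that is not part of the Identity Governance documentation. It assumes the `key = value` line format quoted on this page; the sample file and its `sample.*` key prefixes are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the Identity Governance documentation. Checks an
# ism-configuration.properties file for the conditions the procedures above
# describe and applies the two edits that are safe to script. Assumption:
# entries are "key = value" lines as quoted on this page; the sample key
# prefixes below are constructed placeholders, not real product keys.

# Number of lines containing "response-types = client_credentials" (expect four).
count_client_credentials() {
    grep -c 'response-types[[:space:]]*=[[:space:]]*client_credentials' "$1" || true
}

# Succeeds only when com.netiq.idm.osp.url.host is an https:// URL.
host_is_https() {
    grep -q '^[[:space:]]*com\.netiq\.idm\.osp\.url\.host[[:space:]]*=[[:space:]]*https://' "$1"
}

# Rewrites an http:// host URL to https:// (the "change it from http to https" step).
force_https_host() {
    tmp="$1.tmp.$$"
    sed 's#^\([[:space:]]*com\.netiq\.idm\.osp\.url\.host[[:space:]]*=[[:space:]]*\)http://#\1https://#' \
        "$1" > "$tmp" && mv "$tmp" "$1"
}

# Appends the logout entry from the procedure unless the key is already present.
ensure_logout_entry() {
    grep -q '^[[:space:]]*com\.netiq\.iac\.authserver\.url\.logout[[:space:]]*=' "$1" ||
        printf '%s\n' 'com.netiq.iac.authserver.url.logout = ${com.netiq.idm.osp.url.host}/nidp/app/logout' >> "$1"
}

# Distributed procedure: copies the com.netiq.idm.osp.oauth.auth-params line
# from the OSP server's file ($1) into another server's file ($2) if missing.
copy_auth_params() {
    key='^[[:space:]]*com\.netiq\.idm\.osp\.oauth\.auth-params[[:space:]]*='
    line=$(grep "$key" "$1" | head -n 1)
    [ -n "$line" ] || return 1
    grep -q "$key" "$2" || printf '%s\n' "$line" >> "$2"
}

# Reports every deviation from the expected post-switch state; returns 0 if none.
check_ism_config() {
    f="$1"; status=0
    n=$(count_client_credentials "$f")
    if [ "$n" -ne 4 ]; then
        echo "expected 4 client_credentials entries, found $n: rerun the IG SSO Clients step"; status=1
    fi
    host_is_https "$f" || { echo "com.netiq.idm.osp.url.host does not use https"; status=1; }
    grep -q 'com\.netiq\.iac\.authserver\.url\.logout[[:space:]]*=' "$f" ||
        { echo "com.netiq.iac.authserver.url.logout entry is missing"; status=1; }
    return $status
}

# Constructed sample in the pre-switch state: http host, no logout entry.
make_sample_config() {
    cat > "$1" <<'EOF'
com.netiq.idm.osp.url.host = http://am.example.com
sample.client1.response-types = client_credentials
sample.client2.response-types = client_credentials
sample.client3.response-types = client_credentials
sample.client4.response-types = client_credentials
EOF
}

# Stand-alone demonstration on the constructed sample.
demo_dir=$(mktemp -d)
cfg="$demo_dir/ism-configuration.properties"
make_sample_config "$cfg"
check_ism_config "$cfg" || echo "pre-switch file fails the checks, as expected"
force_https_host "$cfg"
ensure_logout_entry "$cfg"
check_ism_config "$cfg" && echo "$cfg is ready for Access Manager"
rm -rf "$demo_dir"
```

Run check_ism_config against the real file path from the procedure (/opt/netiq/idm/apps/tomcat/conf on Linux) before starting Apache Tomcat; it only reports, and the fix functions touch nothing but the one file you pass them.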
On the Identity Governance server change additional settings in the Identity Governance Configuration utility.
Launch the Identity Governance Configuration utility using the database password. For more information, see Section 14.1.3, Using the Identity Governance Configuration Utility.
Click the Authentication tab.
In the OAuth Server section, make the following changes:
(Conditional) Change the protocol from http to https if it is not already at https.
Specify the fully qualified DNS name of the Access Manager server.
Specify the port for the Access Manager server. The default value is 443.
In the Bootstrap Admin section, update the Name field to contain the fully qualified DN name of the bootstrap administrator you created in Step 1.
Click Save to save the changes, then close the utility.
On the Identity Governance server clean up Apache Tomcat.
Delete the following cache directory. This is the default location.
Linux: /opt/netiq/idm/apps/tomcat/work/Catalina/localhost
Windows: c:\netiq\idm\apps\tomcat\work\Catalina\localhost
Delete all of the files and sub-folders in the temp directory. This is the default location.
Linux: /opt/netiq/idm/apps/tomcat/temp
Windows: c:\netiq\idm\apps\tomcat\temp
Delete or move any Apache Tomcat log files. This is the default location.
Linux: /opt/netiq/idm/apps/tomcat/logs
Windows: c:\netiq\idm\apps\tomcat\logs
On the Identity Governance server only, start Apache Tomcat. For more information, see Section 3.4.3, Starting and Stopping Apache Tomcat.
Test authentication to only Identity Governance to ensure that the changes worked.
Make the following changes to the Identity Reporting server to use Access Manager instead of OSP.
On the Identity Reporting server change the authentication service to be Access Manager.
On the Access Manager server, access the OAuth Client IDs and Secrets.
On the Identity Reporting server launch a browser and access the Access Manager administration console.
On the Dashboard under Identity Servers, select IDPCluster.
Click the OAuth & OpenID Connect tab, then click the Client Applications tab.
Leave the Client Applications tab open because it contains the client IDs and secrets for the Identity Governance applications that you created in Step 7. You add this information to the Identity Governance configuration.
Add the client IDs and secrets from Access Manager to the Identity Reporting server configuration.
Launch the Identity Governance Configuration Update utility. For more information, see Section 14.1.4, Using the Identity Governance Configuration Update Utility.
Click the OAuth SSO Client tab.
Copy the Client ID and Secret for the Identity Reporting application, listed in Access Manager as rpt, to the Reporting application.
IMPORTANT: Ensure that you copy the Client ID, not the Client Application Name.
In the Identity Governance Configuration Update utility ensure that the authentication settings are set to Access Manager values.
Click the Authentications tab.
(Conditional) Select OAuth server uses TLS.
Select Access Manager is the OAuth provider.
Populate the following fields with the Access Manager information.
Specify the fully qualified DNS name of your Access Manager server.
Specify the port for Access Manager. The default is 443.
Click OK to save the changes and the Identity Governance Configuration Update utility automatically closes.
On the Identity Reporting server ensure that the ism-configuration.properties file lists the protocol as secure.
Open the ism-configuration.properties file in a text editor. The default location is:
Linux: /opt/netiq/idm/apps/tomcat/conf
Windows: c:\netiq\idm\apps\tomcat\conf
Search for com.netiq.idm.osp.url.host.
If it is not set to https, change it from http to https.
Save and close the file.
(Conditional) If the ism-configuration.properties file was incorrect, the Identity Governance Configuration Update utility must receive a valid certificate.
On the Identity Reporting server, launch the Identity Governance Configuration Update utility. For more information, see Section 14.1.4, Using the Identity Governance Configuration Update Utility.
When it displays the fields, click OK.
Review and accept the new certificate, then click OK to save and the Identity Governance Configuration Update utility automatically closes.
Update the ism-configuration.properties file on the Identity Reporting server with information from the OSP server.
On the OSP server, open the ism-configuration.properties file in a text editor. The default location is:
Linux: /opt/netiq/idm/apps/tomcat/conf
Windows: c:\netiq\idm\apps\tomcat\conf
Find the following entry:
com.netiq.idm.osp.oauth.auth-params =
Copy the entry and the value for this entry.
On the Identity Reporting server, open the ism-configuration.properties file in a text editor. The default location is:
Linux: /opt/netiq/idm/apps/tomcat/conf
Windows: c:\netiq\idm\apps\tomcat\conf
Add the entry that you copied in Step 4.c to the Identity Reporting ism-configuration.properties file.
Save and close the OSP and the Identity Governance ism-configuration.properties files.
On the Identity Reporting server clean up Apache Tomcat.
Delete the following cache directory. This is the default location.
Linux: /opt/netiq/idm/apps/tomcat/work/Catalina/localhost
Windows: c:\netiq\idm\apps\tomcat\work\Catalina\localhost
Delete all of the files and sub-folders in the temp directory. This is the default location.
Linux: /opt/netiq/idm/apps/tomcat/temp
Windows: c:\netiq\idm\apps\tomcat\temp
Delete or move any Apache Tomcat log files. This is the default location.
Linux: /opt/netiq/idm/apps/tomcat/logs
Windows: c:\netiq\idm\apps\tomcat\logs
On the Identity Reporting server only, start Apache Tomcat. For more information, see Section 3.4.3, Starting and Stopping Apache Tomcat.
Test authentication to only Identity Governance to ensure that the changes worked.