To use Access Manager as the authentication service for Identity Governance, you must configure Access Manager to use the OAuth 2.0 protocol, and you must define or add an attribute in the identity store for Access Manager to use to store authentication information. You can perform these steps before installing Identity Governance. If you use OSP as the authentication service and you want to move to Access Manager, you must perform these steps at that time.
Access Manager integrates with Identity Governance through the use of the OAuth 2.0 protocol to allow for secure communication between the two products. OAuth 2.0 allows you to use different authentication methods beyond the name/password method. For more information, see OAuth and OpenID Connect
in the NetIQ Access Manager 5.0 Administration Guide.
You must configure Access Manager to use OAuth 2.0 before starting the Identity Governance installation. You must also use an LDAP-based bootstrap administrator and add a special attribute to the identity store to store authentication information from Access Manager.
Use the following checklist to complete the configuration tasks in the identity store and Access Manager before starting the Identity Governance installation or if you want to stop using OSP as your authentication service.
Checklist Items |
|
---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
You can integrate Identity Governance and Access Manager during the installation of Identity Governance. You must select to use an LDAP-based bootstrap administrator and you provide connection information to Access Manager during the install. Installing Identity Governance contains the details for the configuration. For more information, see Section 6.4, Identity Governance Installation Worksheet.
After you have completed the Identity Governance installation and if you are using Active Directory as the identity service, you must change the Access Manager Mapping Table to point to the Active Directory attribute of distinguishedName instead of entryDN. For more information, see Editing Attribute Sets in the NetIQ Access Manager 5.0 Administration Guide.
Log in to the Access Manager administration console as an administrator.
Click Devices > Identity Server.
Click the Shared Settings tab, then click the Attributes Sets tab.
Click the Identity Governance object.
Identity Governance: If you used the default values during the Identity Governance Configuration Update utility conversion, the name is Micro Focus ISM.
Access Manager: If during the Access Manager OAuth Configuration you used the advanced option of ISM Application Instance ID the name is Micro Focus ISM_specified_name.
Click Mapping.
Click Ldap Attribute:entryDN [LDAP Attribute Profile].
Select Local attribute.
Select Ldap Attribute:distinguishedName [LDAP Attribute Profile].
Click OK.
Click Apply, then click OK.
Click Servers, then click Update All.
On the OSP server, restart Apache Tomcat. For more information, see Section 3.4.3, Starting and Stopping Apache Tomcat.
If you installed Identity Governance using OSP as the authentication service and now you want to use Access Manager, Identity Governance allows you to do that without having to uninstall Identity Governance. To make the change it is a process that does require multiple steps.
The process is different if you have Access Manager, Identity Governance, Identity Reporting, and Workflow Engine installed on separate server. For more information, see Section 4.3.4, Integrating Identity Governance and Access Manager After the Identity Governance Installation in a Distributed Environment. Use the following information to switch from OSP to Access Manager if you have OSP and Identity Governance installed on the same server.
Ensure that you have completed all of the Access Manager integration steps before proceeding. For more information, see Section 4.3.1, Access Manager and the Identity Service Integration Checklist for OAuth 2.0.
Stop Apache Tomcat. For more information, see Section 3.4.3, Starting and Stopping Apache Tomcat.
Verify that the single sign-on settings are populated.
Launch the Identity Governance Configuration Update utility. For more information, see Section 15.1.5, Using the Identity Governance Configuration Update Utility.
Click the IG SSO Clients tab.
Click Show Advanced Options.
Ensure that all of the fields except for Identity Governance Client > Additional mapped LDAP attributes are populated. If any fields are missing information, add the information for your environment.
Click OK even if you didn’t make any changes to save the configuration and the Identity Governance Configuration Update utility automatically closes.
Verify that the ism-configuration.properties contains four response-types = client_credentials.
Open the ism-configuration.properties file in a text editor. The default location is:
Linux: /opt/netiq/idm/apps/tomcat/conf
Windows: c:\netiq\idm\apps\tomcat\conf
Search for response-types = client_credentials. There should be four.
If there are not four entries, repeat Step 3.
Change the authentication settings to use Access Manager.
Launch the Identity Governance Configuration Update utility. For more information, see Section 15.1.5, Using the Identity Governance Configuration Update Utility.
Click the Authentications tab.
(Conditional) Select OAuth server uses TLS.
Select Access Manager is the OAuth provider.
Populate the following fields with the Access Manager information.
Specify the fully qualified DNS name of your Access Manager server.
Specify the port for Access Manager. By default is 443.
Browse to and select the LDAP bootstrap administrator you created in Step 1.
Click Configure Access Manager now.
Use the following information to configure Identity Governance to work with Access Manager:
Specify the fully qualified DNS name of the Access Manager administration console.
Specify the port for the Access Manager administration console.
Specify the fully qualified DN of an Access Manager administrator user.
Specify the password for the Access Manager administrator.
Ensure that this option is selected to automatically update the Access Manager Identity Server with the Identity Governance information.
Browse to and select the bootstrap administrator that you created with the NAM_OAUTH2_ADMIN Access Manager role in Step 7.
Specify the password for the bootstrap administrator.
Click OK to save the changes.
Review and accept the certificate presented.
After the configuration work is completed, click OK on the Notification message.
Select the IG SSO Client tab and notice that the Client IDs and Secrets have been updated.
Click OK to save the changes and the Identity Governance Configuration Update utility automatically closes.
(Conditional) If you are using Active Directory as the identity service, change the Access Manager Mapping Table to point to the Active Directory attribute of distinguishedName instead of entryDN. For more information, see Editing Attribute Sets in the NetIQ Access Manager 5.0 Administration Guide.
Log in to the Access Manager administration console as an administrator.
Click Devices > Identity Server.
Click the Shared Settings tab, then click the Attributes Sets tab.
Click the Identity Governance object.
Identity Governance: If you used the default values during the Identity Governance Configuration Update utility conversion, the name is Micro Focus ISM.
Access Manager: If during the Access Manager OAuth Configuration you used the advanced option of ISM Application Instance ID the name is Micro Focus ISM_specified_name.
Click Mapping.
Click Ldap Attribute:entryDN [LDAP Attribute Profile].
Select Local attribute.
Select Ldap Attribute:distinguishedName [LDAP Attribute Profile].
Click OK.
Click Apply, then click OK.
Click Servers, then click Update All.
Ensure that the ism-configuration.properties file lists the protocol as secure.
Open the ism-configuration.properties file in a text editor. The default location is:
Linux: /opt/netiq/idm/apps/tomcat/conf
Windows: c:\netiq\idm\apps\tomcat\conf
Search for com.netiq.idm.osp.url.host.
If it is not set to https change it from http to https.
Save and close the file.
(Conditional) If the ism-configuration.properties file was incorrect the Identity Governance Configuration Update utility must receive a valid certificate.
Launch the Identity Governance Configuration Update utility. For more information, see Section 15.1.5, Using the Identity Governance Configuration Update Utility.
When it displays the fields, click OK.
Review and accept the new certificate, then click OK to save and the Identity Governance Configuration Update utility automatically closes.
Change additional settings in the Identity Governance Configuration utility.
Launch the Identity Governance Configuration utility using the database password. For more information, see Section 15.1.4, Using the Identity Governance Configuration Utility.
Click the Authentication tab.
In the OAuth Server section, make the following changes:
Deselect this option.
(Conditional) Change the protocol from http to https if it is not already at https.
Specify the fully qualified DNS name of the Access Manager server.
Specify the port for the Access Manager server. The default value is 443.
Click Save to save the changes, then close the utility.
Update the ism-configuration.properties file.
Open the ism-configuration.properties file in a text editor. The default location is:
Linux: /opt/netiq/idm/apps/tomcat/conf
Windows: c:\netiq\idm\apps\tomcat\conf
Add the following entry:
com.netiq.iac.authserver.url.logout = ${com.netiq.idm.osp.url.host}/nidp/app/logout
Save and close the file.
Clean up Apache Tomcat.
Delete the following cache directory. This is the default location.
Linux: /opt/netiq/idm/apps/tomcat/work/Catalina/localhost
Windows: c:\netiq\idm\apps\tomcat\work\Catalina\localhost
Delete all of the files and sub-folders in the temp directory. This is the default location.
Linux: /opt/netiq/idm/apps/tomcat/temp
Windows: c:\netiq\idm\apps\tomcat\temp
Delete or move any Apache Tomcat log files. This is the default location.
Linux: /opt/netiq/idm/apps/tomcat/logs
Windows: c:\netiq\idm\apps\tomcat\logs
Start Apache Tomcat. For more information, see Section 3.4.3, Starting and Stopping Apache Tomcat.
Log in to Identity Governance to test if the authentication is now going through Access Manager.
Identity Governance allows you to switch your authentication service from OSP to Access Manager without having to reinstall Identity Governance. If you have OSP, Identity Governance, Identity Reporting, and Workflow Engine installed on separate servers, you must use the following procedure to make the change. The steps are different than if you have all of the components installed on one server. If you have all of the components installed on one server, see Section 4.3.2, Integrating Identity Governance and Access Manager During the Installation of Identity Governance.
Ensure that you have completed all of the Access Manager integration steps before proceeding. For more information, see Section 4.3.1, Access Manager and the Identity Service Integration Checklist for OAuth 2.0.
On the OSP server, change the authentication service to Access Manager.
Stop Apache Tomcat on the OSP, Identity Governance, Identity Reporting, and Workflow Engine servers. For more information, see Section 3.4.3, Starting and Stopping Apache Tomcat.
Verify that the single sign-on settings are populated.
Launch the Identity Governance Configuration Update utility. For more information, see Section 15.1.5, Using the Identity Governance Configuration Update Utility.
Click the IG SSO Clients tab.
Click Show Advanced Options.
Ensure that all of the fields except for Identity Governance Client > Additional mapped LDAP attributes are populated. If any fields are missing information, add the information for your environment.
Click the External Workflow tab.
(Conditional) Ensure that all the above fields are populated. If any fields are missing information, add the information for your environment.
Click OK even if you didn’t make any changes to save the configuration and the Identity Governance Configuration Update utility automatically closes.
Verify that the database contains four or six response-types = client_credentials.
On the Identity Governance server, create the following script using the path and file name of your choice:
set-backup-dir <path>
set-backup-file-name <filename>
backup
Execute the script:
/opt/netiq/idm/apps/idgov/bin/configutil.sh -password <password> -script <script>
Open the backup file and look for the instances of client_credentials.
Search for the following entries once you open the backup file for Identity Governance:
com.netiq.iac.dc_server.response-types
com.netiq.iac.dtp_server.response-types
com.netiq.iac.general-service.response-types
com.netiq.iac.wf_server.response-types
(Conditional) Search for the following entries once you open the backup file for the Workflow Engine:
com.netiq.iac.standaloneworkflow.response-types
com.netiq.workflow.response-types
Change the authentication settings to use Access Manager.
Launch the Identity Governance Configuration Update utility. For more information, see Section 15.1.5, Using the Identity Governance Configuration Update Utility.
Click the Authentication tab.
(Conditional) Select OAuth server uses TLS.
Select Access Manager is the OAuth provider.
OAuth server host identifier.
Specify the fully qualified DNS name of your Access Manager server.
Specify the port for Access Manager. By default is 443.
Browse to and select the LDAP bootstrap administrator you created in Step 1.
Click Configure Access Manager now.
Click Show Advanced Options button.
Use the following information to configure Identity Governance to work with Access Manager:
Specify the fully qualified DNS name of the Access Manager administration console.
Specify the port for the Access Manager administration console.
Specify the fully qualified DN of an Access Manager administrator user.
Specify the password for the Access Manager administrator.
Ensure that this option is selected to automatically update the Access Manager Identity Server with the Identity Governance information.
Browse to and select the bootstrap administrator that you created with the NAM_OAUTH2_ADMIN Access Manager role in Step 7.
Specify the password for the bootstrap administrator.
Click OK to save the changes.
Review and accept the certificate presented.
After the configuration work is completed, click OK on the Notification message.
(Conditional) Select the External Workflow tab and notice that the Client IDs and Secrets have been updated.
Select the IG SSO Client tab and notice that the Client IDs and Secrets have been updated.
Click OK to save the changes and the Identity Governance Configuration Update utility automatically closes.
Ensure the com.netiq.idm.osp.url.host property is set correctly with a secure protocol.
On the Identity Governance server, create a script with the following content:
display-configs com.netiq.idm.osp.url.host
Execute the script.
/opt/netiq/idm/apps/idgov/bin/configutil.sh -password <password> -script <script>
(Conditional) If you need to update the value, create and execute the following script with your expected protocol, server, and host. The script prints the final value after the change.
set-property com.netiq.idm.osp.url.host https://<Access Manager DNS name>
display-configs com.netiq.idm.osp.url.host
set-property com.netiq.iac.authserver.host https://<Access Manager DNS name>
display-configs: com.netiq.iac.authserver.host
set-property com.netiq.client.authserver.url.logout https://<Access Manager DNS name>/nidp/app/logout
display-configs com.netiq.client.authserver.url.logout
Save and close the file.
(Conditional) If you are using Active Directory as the identity service, change the Access Manager Mapping Table to point to the Active Directory attribute of distinguishedName instead of entryDN. For more information, see Editing Attribute Sets in the NetIQ Access Manager 5.0 Administration Guide.
Log in to the Access Manager administration console as an administrator.
Click Devices > Identity Server.
Click the Shared Settings tab, then click the Attributes Sets tab.
Click the Identity Governance object.
Identity Governance: If you used the default values during the Identity Governance Configuration Update utility conversion, the name is Micro Focus ISM.
Access Manager: If during the Access Manager OAuth Configuration you used the advanced option of ISM Application Instance ID the name is Micro Focus ISM_specified_name.
Click Mapping.
Click Ldap Attribute:entryDN [LDAP Attribute Profile].
Select Local attribute.
Select Ldap Attribute:distinguishedName [LDAP Attribute Profile].
Click OK.
Click Apply, then click OK.
Click Servers, then click Update All.
(Conditional) If the ism-configuration.properties file was incorrect the Identity Governance Configuration Update utility must receive a valid certificate.
Launch the Identity Governance Configuration Update utility. For more information, see Section 15.1.5, Using the Identity Governance Configuration Update Utility.
When it displays the fields, click OK.
Review and accept the new certificate, then click OK to save and the Identity Governance Configuration Update utility automatically closes.
On the Identity Governance server change the authentication service to be Access Manager.
At the Access Manager URL, access the OAuth Client IDs and Secrets.
On the Identity Governance server launch a browser and access the Access Manager administration console.
On the Dashboard under Identity Servers, select IDPCluster.
Click the OAuth & OpenID Connect tab, then click the Client Applications tab.
Leave the Client Applications tab open because it contains the client IDs and secrets for the Identity Governance applications that you created in Step 7. Add this information to the Identity Governance configuration.
Verify that the client IDs and secrets from Access Manager have made it to the Identity Governance configuration. Because the properties are stored in the OSP database, and Configupdate on both OSP and IG servers have connection information for connecting to that database, the entries should already be populated.
Launch the Identity Governance Configuration Update utility. For more information, see Section 15.1.5, Using the Identity Governance Configuration Update Utility.
Click the IG SSO Clients tab.
Copy the Client ID and Secret for each Identity Governance application listed in Access Manager. Use the following table to correlate the names in Identity Governance to the names in Access Manager.
IMPORTANT:Ensure that you copy the Client ID not the Client Application Name.
Identity Governance Application Name |
Access Manager Application Name |
---|---|
Identity Governance |
iac |
Request Client |
cx_client |
Data Connectivity Service |
iac_dc_server |
General Service |
iac_general_service |
Data Transformation and Processing Service |
iac_dtp_server |
Workflow Service |
iac_wf_server |
Form Builder Client |
form_builder |
Identity Governance Client |
iac_ig_web |
In the Identity Governance Configuration Update utility ensure that the authentication settings are set to Access Manager values.
Click the Authentication tab.
(Conditional) Select OAuth server uses TLS.
Select Access Manager is the OAuth provider.
Populate the following fields with the Access Manager information.
Specify the fully qualified DNS name of your Access Manager server.
Specify the port for Access Manager. By default is 443.
Browse to and select the LDAP bootstrap administrator you created in Step 1.
Click OK to save the changes and the Identity Governance Configuration Update utility automatically closes.
Ensure that the ism-configuration.properties file lists the protocol as secure.
Open the ism-configuration.properties file in a text editor. The default location is:
Linux: /opt/netiq/idm/apps/tomcat/conf
Windows: c:\netiq\idm\apps\tomcat\conf
Search for com.netiq.idm.osp.url.host.
If it is not set to https change it from http to https.
Save and close the file.
(Conditional) If the ism-configuration.properties file was incorrect the Identity Governance Configuration Update utility must receive a valid certificate.
Launch the Identity Governance Configuration Update utility. For more information, see Section 15.1.5, Using the Identity Governance Configuration Update Utility.
When it displays the fields, click OK.
Review and accept the new certificate, then click OK to save and the Identity Governance Configuration Update utility automatically closes.
On the Identity Governance server change additional settings in the Identity Governance Configuration utility.
Launch the Identity Governance Configuration utility using the database password. For more information, see Section 15.1.4, Using the Identity Governance Configuration Utility.
Click the Authentication tab.
In the OAuth Server section, make the following changes:
(Conditional) Change the protocol from http to https if it is not already at https.
Specify the fully qualified DNS name of the Access Manager server.
Specify the port for the Access Manager server. The default value is 443.
In the Bootstrap Admin section, update the Name field to contain the fully qualified DN name of the bootstrap administrator you created in Step 1.
Click Save to save the changes, then close the utility.
On the Identity Governance server clean up Apache Tomcat.
Delete the following cache directory. This is the default location.
Linux: /opt/netiq/idm/apps/tomcat/work/Catalina/localhost
Windows: c:\netiq\idm\apps\tomcat\work\Catalina\localhost
Delete all of the files and sub-folders in the temp directory. This is the default location.
Linux: /opt/netiq/idm/apps/tomcat/temp
Windows: c:\netiq\idm\apps\tomcat\temp
Delete or move any Apache Tomcat log files. This is the default location.
Linux: /opt/netiq/idm/apps/tomcat/logs
Windows: c:\netiq\idm\apps\tomcat\logs
On the Identity Governance server only, start Apache Tomcat. For more information, see Section 3.4.3, Starting and Stopping Apache Tomcat.
Test authentication to Identity Governance to ensure that the changes worked.
Make the following changes to the Identity Reporting server to use Access Manager instead of OSP.
On the Identity Reporting server change the authentication service to be Access Manager.
On the Access Manager server, access the OAuth Client IDs and Secrets.
On the Identity Reporting server launch a browser and access the Access Manager administration console.
On the Dashboard under Identity Servers, select IDPCluster.
Click the OAuth & OpenID Connect tab, then click the Client Applications tab.
Leave the Client Applications tab open, because it contains the client IDs and secrets for the Identity Governance applications that you created in Step 7. You will add this information to the Identity Governance configuration.
Add the client IDs and secrets from Access Manager to the Identity Reporting server configuration.
Launch the Identity Governance Configuration Update utility. For more information, see Section 15.1.5, Using the Identity Governance Configuration Update Utility.
Click the OAuth SSO Client tab.
Copy the Client ID and Secret for the Identity Reporting application listed in Access Manager as rpt to the Reporting application.
IMPORTANT:Ensure that you copy the Client ID not the Client Application Name.
Identity Governance Application Name |
Access Manager Application Name |
---|---|
Reporting Utility Client |
rpt |
Reporting Client |
rpt_rpt_web |
In the Identity Governance Configuration Update utility ensure that the authentication settings are set to Access Manager values.
Click the Authentications tab.
(Conditional) Select OAuth server uses TLS.
Select Access Manager is the OAuth provider.
Populate the following fields with the Access Manager information.
Specify the fully qualified DNS name of your Access Manager server.
Specify the port for Access Manager. By default is 443.
Click OK to save the changes and the Identity Governance Configuration Update utility automatically closes.
Ensure the com.netiq.idm.osp.url.host property is set correctly with a secure protocol.
On the Identity Governance server, create a script with the following content:
display-configs com.netiq.idm.osp.url.host
Execute the script.
/opt/netiq/idm/apps/idgov/bin/configutil.sh -password <password> -script <script>
(Conditional) If you need to update the value, create and execute the following script with your expected protocol, server, and host. The script prints the final value after the change.
set-property com.netiq.idm.osp.url.host https://<server>
display-configs com.netiq.idm.osp.url.host
Save and close the file.
(Conditional) If the ism-configuration.properties file was incorrect the Identity Governance Configuration Update utility must receive a valid certificate.
On the Identity Reporting server, launch the Identity Governance Configuration Update utility. For more information, see Section 15.1.5, Using the Identity Governance Configuration Update Utility.
When it displays the fields, click OK.
Review and accept the new certificate, then click OK to save and the Identity Governance Configuration Update utility automatically closes.
On the Identity Reporting server clean up Apache Tomcat.
Delete the following cache directory. This is the default location.
Linux: /opt/netiq/idm/apps/tomcat/work/Catalina/localhost
Windows: c:\netiq\idm\apps\tomcat\work\Catalina\localhost
Delete all of the files and sub-folders in the temp directory. This is the default location.
Linux: /opt/netiq/idm/apps/tomcat/temp
Windows: c:\netiq\idm\apps\tomcat\temp
Delete or move any Apache Tomcat log files. This is the default location.
Linux: /opt/netiq/idm/apps/tomcat/logs
Windows: c:\netiq\idm\apps\tomcat\logs
On the Identity Reporting server only, start Apache Tomcat. For more information, see Section 3.4.3, Starting and Stopping Apache Tomcat.
Test authentication to Identity Governance to ensure that the changes worked.
On the Workflow Engine server change the authentication service to be Access Manager.
At the Access Manager URL, access the OAuth Client IDs and Secrets.
On the Identity Governance server launch a browser and access the Access Manager administration console.
On the Dashboard under Identity Servers, select IDPCluster
Click the OAuth & OpenID Connect tab, then click the Client Applications tab.
Leave the Client Applications tab open because it contains the client IDs and secrets for the Identity Governance applications that you created in Step 7. Add this information to the Identity Governance configuration.
Verify that the client IDs and secrets from Access Manager have made it to the Identity Governance configuration. Because the properties are stored in the OSP database, and Configupdate on both OSP and IG servers have connection information for connecting to that database, the entries should already be populated.
Launch the Identity Governance Configuration Update utility. For more information, see Section 15.1.5, Using the Identity Governance Configuration Update Utility.
Click the IG SSO Clients tab.
Copy the Client ID and Secret for each Identity Governance application listed in Access Manager. Use the following table to correlate the names in Identity Governance to the names in Access Manager.
Add the client IDs and secrets from Access Manager to the Workflow Engine configuration.
Launch the Identity Governance Configuration Update utility. For more information, see Section 15.1.5, Using the Identity Governance Configuration Update Utility.
Click the External Workflow tab.
Copy the Client ID and Secret for each Identity Governance application listed in Access Manager. Use the following table correlate the names in Workflow Engine to the names in Access Manager.
Identity Governance Application Name |
Access Manager Application Name |
---|---|
Web Client |
wfconsole |
Workflow Consumer |
workflow |
Make sure all fields have valid entries.
Update the ism-configuration.properties file on the Workflow Engine server with information from the Access Manager server.
On the Identity Governance server, export the properties similar to steps Step 2.b.a - 2.b.2 using a different backup filename.
On the Workflow Engine server, copy the following property values from those exported in step 4.a into the ism-configuration.properties file.
com.microfocus.wfe.consumer.password
com.microfocus.wfe.consumer.password._attr_obscurity
com.microfocus.wfe.consumer.userId
Repeat Step 5, Step 6, and Step 7 for the Workflow Engine server.