Identity Governance handles user account information, permissions, and other sensitive data. You want to ensure that all communication channels between Identity Governance and the other components are secure using the Transport Layer Security/Secure Sockets Layer (TLS/SSL) protocol. This ensures that any data that Identity Governance gathers for reviews, reports, or any other activity is secure from eavesdropping or tampering from external sources.
Use the following information to understand the different communication paths and how to secure them for secure communication with Identity Governance.
Use the TLS/SSL protocol to secure the following types of network connections:
HTTPS: Provides secure end-user access to and from Identity Governance. You would configure the application server (Apache Tomcat) to communicate over https instead of http.
LDAPS: Ensures that the communication between the authentication provider and the identity service is secure. You would configure OSP or Access Manager to use the certificates from the LDAP directory to communicate securely with the LDAP directory for the authorized users.
JDBC: Ensures that the communication between Identity Governance and the database server is secure.
SMTP: Ensures that the email notifications Identity Governance, Identity Reporting, and Workflow Engine sends are secure.
By default, the Identity Governance installer does not enable secure communications. You must enable it during the installation or after the installation. You enable the secure communications by selecting https when you define the application server and the identity service.
If you have configured the components for secure communication using TLS/SSL, the Identity Governance installer imports the correct certificates from these locations to the trust store for Identity Governance when you select to communicate over TLS/SSL. We highly recommend that you configure these components to communicate over TLS/SSL in a production environment. Use the following information to enable TLS/SSL communication for these products before starting the OSP, Identity Governance, or the Identity Reporting installations.
If you do install OSP, Identity Governance, Identity Reporting, or Workflow Engine without configuring these components to communicate securely using TLS/SSL, you can configure secure communication at a later time using the configuration utilities. For more information, see Section 12.1, Configuring SSL/TLS Communication after the Installation.
Each server that has OSP, Identity Governance, Identity Reporting, and Workflow Engine installed must have Apache Tomcat configured for https communication to provide secure communication between all of the separate Identity Governance components.
If you use Access Manager instead of OSP as the authentication service, the Identity Governance installer assumes Access Manager is configured to communicate over its default “https”. The Identity Governance installer prompts you for the ports for the Access Manager Identity Server and the Access Manager administration console. The Identity Governance installer automatically retrieves the certificates from Access Manager before prompting you to accept them into the Identity Governance keystore.
To configure the application server to use TLS/SSL, you configure Apache Tomcat to use TLS/SSL. We highly recommend that you configure Apache Tomcat to use https with either TLSv1.2 or TLS1.1. Any prior version of TLS should not be used. For more information, see Securing Tomcat.
To configure the identity service to use TLS/SSL, you configure the LDAP server that contains the authorized Identity Governance users to use LDAPS. For more information, see:
Active Directory: Step by Step Guide to Setup LDAPS on Windows Server
eDirectory:
Authentication and Security
in the eDirectory Administration Guide
To configure the database for your environment to communicate securely, you must configure the database to communicate over JDBC using TLS/SSL. For more information, see:
Microsoft SQL:
Enabling Encrypted Connections to the Database Engine
PostgreSQL:
Secure TCP/IP Connections with SSL
Vertica:
TLS Protocol
To provide secure emails for email notifications you must configure the SMTP server for secure communications. Follow the documentation for your specific SMTP server to enable secure communications before starting the installation.
To provide secure communications between OSP, Identity Governance, Identity Reporting and Workflow Engine with the audit server, you must configure the audit server to communicate over TLS/SSL. The OSP, Identity Governance, and the Identity Reporting installers can import the trusted certificate from the audit server during the installation. See the documentation for your audit server on how to enable secure communications with external applications.