After you have installed the authentication service, Identity Governance, and optionally Identity Reporting, you must perform additional configuration tasks before your authorized users can start using Identity Governance. There are also additional administration tasks to perform to complete the installation of these components.
Identity Governance provides different administration utilities: the Identity Governance Configuration utility, the Identity Governance Configuration Update utility, the Identity Governance application, and, if you installed Identity Reporting, the Identity Reporting application. Use the following information to access the different administration utilities.
Identity Governance is a web application that you access through a web browser. You access the URL you defined during the installation. The default URL for Identity Governance is:
Non-secure: http://dns-name-Identity-Governance-server:8080
Secure: https://dns-name-Identity-Governance-server:8443
You must log in with the bootstrap administrator account until you have collected and published user data and assigned a published user as a Global Administrator account. For more information, see Adding Identity Governance Users and Assigning Authorizations in the Identity Governance User and Administration Guide.
Identity Governance 3.6 or later versions change the behavior of the Identity Governance application. If you are logged in and your access token times out, you see a popup message that requires you to re-authenticate or log out of the application. If you re-authenticate, Identity Governance displays the login screen in a separate window or browser tab. You must log in again to continue working in the Identity Governance application.
Identity Reporting is a web application that you access through a web browser. The default Identity Reporting URL is https://mycompany.mydomain.com:8443/IDMRPT.
To be able to log in to Identity Reporting, you must have the Reporting Administrator authorization, and you must assign a data source to Identity Reporting to use its features. For more information, see Section 9.4.1, Assigning the Report Administrator Authorization.
The Workflow Administration Console is a web application that you access through a web browser. The default URL is https://mycompany.mydomain.com:8443/wfconsole.
You can log in to the Workflow Administration Console using any login account, but to access all its features, you must have the Workflow Administrator authorization, which is automatically granted to Bootstrap and Global administrators. For more information, see Understanding Authorizations in Workflow Service.
The Identity Governance Configuration utility allows you to modify settings specifically for Identity Governance, such as the URL for Identity Governance.
The Identity Governance Configuration utility also allows you to perform the following administration tasks:
Specify an external provisioning system for workflows. For more information, see Using Workflows to Fulfill the Changeset in the Identity Governance User and Administration Guide.
Configure the settings for data collection and publication. For more information, see Collecting Identities and Publishing the Collected Data in the Identity Governance User and Administration Guide.
Configure the settings to perform a bulk update of data. For more information, see Understanding Bulk Data Update in the Identity Governance User and Administration Guide.
You can run the Identity Governance Configuration utility in two different modes. The default mode provides a user interface with menu options to configure the different features and components of Identity Governance. The console mode is a command line option used only under the direction of Technical Support.
Use the following information to run the Identity Governance Configuration utility.
The default mode of the Identity Governance Configuration utility provides an interface that requires graphics to be enabled on the server running the utility. The utility provides menus that allow you to change the configuration settings you defined during the installation and to perform some administration tasks.
The Identity Governance Configuration utility default installation location is:
Linux: /opt/netiq/idm/apps/idgov/bin
Windows: c:\netiq\idm\apps\idgov/bin
To run the Identity Governance Configuration utility, you must access the utility from a command prompt as root on a Linux server or as a user with administrative privileges on a Windows server. Enter the following from the Identity Governance Configuration utility installation directory:
Linux: ./configutil.sh -password database_password
Windows: configutil.bat -password database_password
The Identity Governance Configuration utility console mode enables you to make uncommon, specific, or extensive changes to the application configuration that can potentially damage the application data.
Identity Governance uses configuration properties to define new features and to control what Identity Governance does with the application data. There are two different configuration types:
Node: Node configuration properties reside in properties files Identity Governance places on the local file system of the Identity Governance server.
Global: Global configuration properties reside in database tables that Identity Governance places in the database so that the information is the same for each Identity Governance node in a cluster.
When you run the utility in console mode, you are presented with a cursor and you must know the commands you want to use, the correct format of the commands, the correct property name, and the parameter to make any changes in console mode.
IMPORTANT: The proper format of the commands is to have the commands, parameters, and values separated by a space. The console mode only recognizes spaces. It does not recognize parentheses or commas.
Table 15-1 contains the list of commands that are currently used in the documentation.
WARNING: Identity Governance utility console mode enables you to make uncommon, specific, or extensive changes to the application configuration that can potentially damage the application data. Run the utility in console mode only under the guidance of Technical Support.
Table 15-1 Identity Governance Configuration Utility Console Mode Commands
Command | Parameter Name | Parameter Value | Description |
---|---|---|---|
display-configs | prefix-filter | | Displays all the known configuration keys and values. If you use the prefix-filter parameter, you can filter the configuration keys and values by a known prefix. For example: display-configs ism displays all of the properties that start with ism. |
add-property | configuration-type (optional) property-key property-value | NODE or GLOBAL some.key some value | Adds a property with the node or global configuration type and adds the value you specify. For example: add-property com.netiq.iac.access.request.enabled false disables the Access Request service for Identity Governance. |
set-property | property-key property-value | some.key some value | Updates the value of an existing property that is identified with the property-key. For example: set-property com.netiq.iac.analytics.roles.technical.MaxPermSize 10000 sets the maximum permission size as 10000. |
exit | | | Exits from the console mode and from the Identity Governance Configuration utility. |
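Because console mode accepts only space-separated input and a wrong change can damage application data, a change plan can be checked against Table 15-1 before anything is typed at the console prompt. The following is an added example, not part of the product or its documentation; the function names, the messages, and the treatment of everything after the property-key as the value are assumptions.

```python
COMMANDS = {"display-configs", "add-property", "set-property", "exit"}  # Table 15-1
CONFIG_TYPES = {"NODE", "GLOBAL"}

def lint_command(line):
    """Return (parsed, problems); parsed is None when the line is unusable."""
    tokens = line.split()
    if not tokens:
        return None, ["empty line"]
    problems = []
    # The console separates on spaces only, so call-style syntax is a mistake.
    if any(ch in tokens[0] for ch in "(),"):
        problems.append("parentheses or commas used as separators")
    cmd = tokens[0].split("(")[0].rstrip(",")
    args = tokens[1:]
    if cmd not in COMMANDS:
        return None, problems + [f"{cmd} is not listed in Table 15-1"]
    parsed = {"command": cmd, "config_type": None, "key": None, "value": None}
    if cmd in ("exit", "display-configs"):
        limit = 0 if cmd == "exit" else 1  # display-configs: optional prefix-filter
        if len(args) > limit:
            problems.append(f"{cmd} takes at most {limit} parameter(s)")
        parsed["key"] = args[0] if args and limit else None
    else:
        # Only add-property is documented with an optional NODE/GLOBAL type.
        if cmd == "add-property" and args and args[0] in CONFIG_TYPES:
            parsed["config_type"], args = args[0], args[1:]
        if len(args) < 2:
            problems.append(f"{cmd} needs a property-key and a property-value")
        else:
            # Assumption: the rest of the line is the value ("some value").
            parsed["key"], parsed["value"] = args[0], " ".join(args[1:])
            if args[0].startswith("(") or args[0].endswith(","):
                problems.append("parentheses or commas used as separators")
    return parsed, problems

def lint_plan(text):
    """Lint a multi-line change plan; return {line_number: problems}."""
    results = ((n, lint_command(l)[1]) for n, l in enumerate(text.splitlines(), 1))
    return {n: problems for n, problems in results if problems}

# Constructed change plan: lines 1, 2 and 5 are well formed, 3 and 4 are not.
PLAN = """add-property com.netiq.iac.access.request.enabled false
set-property com.netiq.iac.analytics.roles.technical.MaxPermSize 10000
set-property(com.netiq.iac.access.request.enabled, true)
set-property com.netiq.iac.access.request.enabled
exit"""
```

Calling lint_plan(PLAN) reports lines 3 and 4; the parsed form returned by lint_command can also be kept as a record of which keys a change window touched.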
The Identity Governance Configuration utility console mode does not require graphics on the server to run. The utility allows you to add and modify properties that reside in properties files stored on the local file system or in the database to add a new feature or change the behavior of Identity Governance. The console mode allows you to make uncommon, specific, or extensive changes to the application configuration that can potentially damage the application data.
WARNING: The Identity Governance Configuration utility console mode enables you to make uncommon, specific, or extensive changes to the application configuration that can potentially damage the application data. Run the utility in console mode only under the guidance of Technical Support.
To use the Identity Governance Configuration utility in console mode:
Access the installation directory for the utility from a command prompt as a user with root access on a Linux server or administrative privileges on a Windows server. The default installation directory is:
Linux: /opt/netiq/idm/apps/idgov/bin
Windows: c:\netiq\idm\apps\idgov/bin
From the command line, enter:
Linux: ./configutil.sh -password database_password -console
Windows: configutil.bat -password database_password -console
Use the information in Table 15-1, Identity Governance Configuration Utility Console Mode Commands to issue the commands properly.
When you have performed the required changes, type exit to exit console mode and the Identity Governance Configuration utility.
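Both documented invocations of the Identity Governance Configuration utility pass the database password as a command-line argument, so it typically ends up in the shell history of the administrator who ran it and is visible in the process list while the utility runs. The following added example, which is not part of the product, finds and redacts such entries in a saved history; the function name and the sample history are constructed for illustration.

```python
import re

# Matches the documented invocations: configutil.sh / configutil.bat -password <value>
PASSWORD_ARG = re.compile(
    r"""(configutil\.(?:sh|bat)\b.*?\s-password\s+)("[^"]*"|'[^']*'|\S+)"""
)

def scrub_history(history_lines):
    """Return (scrubbed_lines, hit_line_numbers) for a list of history entries."""
    scrubbed, hits = [], []
    for number, line in enumerate(history_lines, start=1):
        # Replace only the password value; keep the rest of the command for audit.
        clean, count = PASSWORD_ARG.subn(r"\1<redacted>", line.rstrip("\n"))
        scrubbed.append(clean)
        if count:
            hits.append(number)
    return scrubbed, hits

# Constructed sample history; the password values are made up.
SAMPLE_HISTORY = [
    "cd /opt/netiq/idm/apps/idgov/bin",
    "./configutil.sh -password Example-Pass1 -console",
    "ls -l",
    "configutil.bat -password \"two words\"",
]
```

Treat any password found this way as exposed and rotate it.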
Three of the Identity Governance components use the Identity Governance Configuration Update utility to change settings instead of using the Identity Governance Configuration utility. There is a separate utility because the Identity Governance Configuration utility allows more granular and scripted functionality for manipulating properties than the Identity Governance Configuration Update utility can currently offer. The three components that use the Identity Governance Configuration Update utility are:
One SSO Provider (OSP)
Identity Reporting
Auditing
If the path to the Identity Governance Configuration Update utility is unknown to the current installer, then the installer will prompt you to specify its location during the installation of Identity Governance. The default location is:
Linux: /opt/netiq/idm/apps/configupdate/configupdate.sh
Windows: C:\netiq\idm\apps\configupdate\configupdate.bat
You can run the Identity Governance Configuration Update utility in console mode or guided mode. Console mode provides menu-based options that walk you through updating the settings. Use console mode if your Linux server does not have graphical capabilities (X server).
To run the Identity Governance Configuration Update utility, access the configupdate directory from a command prompt:
Linux: Enter the following at the command prompt:
Guided: ./configupdate.sh --use-console false
Console: ./configupdate.sh --use-console true
Windows: Enter the following at the command prompt:
Guided: configupdate.bat --use-console false
Console: configupdate.bat --use-console true
The Identity Governance Configuration Update utility console mode is different from the Identity Governance Configuration utility console mode. The Identity Governance Configuration Update utility provides menu-based options to update the settings in the three products. The Identity Governance Configuration Update utility does not have command options like the Identity Governance Configuration utility does.