15.1 Accessing the Application and Administration Utilities

After you have installed the authentication service, Identity Governance, and optionally Identity Reporting, you must perform additional configuration tasks before your authorized users can start using Identity Governance. You must also perform additional administration tasks to complete the installation of these components.

Identity Governance provides several administration utilities: the Identity Governance Configuration utility, the Identity Governance Configuration Update utility, the Identity Governance application, and, if you installed Identity Reporting, the Identity Reporting application. Use the following information to access them.

15.1.1 How to Log in to Identity Governance

Identity Governance is a web application that you access through a web browser. You access the URL you defined during the installation. The default URL for Identity Governance is:

  • Non-secure: http://dns-name-Identity-Governance-server:8080

  • Secure: https://dns-name-Identity-Governance-server:8443

You must log in with the bootstrap administrator account until you have collected and published user data and assigned a published user as a Global Administrator account. For more information, see Adding Identity Governance Users and Assigning Authorizations in the Identity Governance User and Administration Guide.

Identity Governance 3.6 or later versions change the behavior of the Identity Governance application. If you are logged in and your access token times out, you see a popup message that requires you to re-authenticate or log out of the application. If you re-authenticate, Identity Governance displays the login screen in a separate window or browser tab. You must log in again to continue working in the Identity Governance application.

15.1.2 How to Log in to Identity Reporting

Identity Reporting is a web application that you access through a web browser. The default Identity Reporting URL is https://mycompany.mydomain.com:8443/IDMRPT.

To be able to log in to Identity Reporting, you must have the Reporting Administrator authorization, and you must assign a data source to Identity Reporting to use its features. For more information, see Section 9.4.1, Assigning the Report Administrator Authorization.

15.1.3 How to Log in to the Workflow Administration Console

The Workflow Administration Console is a web application that you access through a web browser. The default URL is https://mycompany.mydomain.com:8443/wfconsole.

You can log in to the Workflow Administration Console using any login account, but to access all its features, you must have the Workflow Administrator authorization, which is automatically granted to Bootstrap and Global administrators. For more information, see Understanding Authorizations in Workflow Service.

15.1.4 Using the Identity Governance Configuration Utility

The Identity Governance Configuration utility allows you to modify settings specifically for Identity Governance, such as the URL for Identity Governance.

The Identity Governance Configuration utility also allows you to perform the following administration tasks:

You can run the Identity Governance Configuration utility in two different modes. The default mode provides a user interface with menu options to configure the different features and components of Identity Governance. The console mode is a command line option used only under the direction of Technical Support.

Use the following information to run the Identity Governance Configuration utility.

Using the Default Mode of the Identity Governance Configuration Utility

The default mode of the Identity Governance Configuration utility provides an interface that requires graphics to be enabled on the server running the utility. The utility provides menus that allow you to change the configuration settings you defined during the installation and to perform some administration tasks.

The Identity Governance Configuration utility default installation location is:

  • Linux: /opt/netiq/idm/apps/idgov/bin

  • Windows: c:\netiq\idm\apps\idgov\bin

To run the Identity Governance Configuration utility, you must access the utility from a command prompt as root on a Linux server or as a user with administrative privileges on a Windows server. Enter the following from the Identity Governance Configuration utility installation directory:

  • Linux: ./configutil.sh -password database_password

  • Windows: configutil.bat -password database_password

Understanding the Console Mode of the Identity Governance Configuration Utility

The Identity Governance Configuration utility console mode enables you to make uncommon, specific, or extensive changes to the application configuration that can potentially damage the application data.

Identity Governance uses configuration properties to define new features and to control what Identity Governance does with the application data. There are two different configuration types:

  • Node: Node configuration properties reside in properties files Identity Governance places on the local file system of the Identity Governance server.

  • Global: Global configuration properties reside in database tables that Identity Governance places in the database so that the information is the same for each Identity Governance node in a cluster.

When you run the utility in console mode, you are presented with a cursor and you must know the commands you want to use, the correct format of the commands, the correct property name, and the parameter to make any changes in console mode.

IMPORTANT: The proper format of the commands is to have the commands, parameters, and values separated by a space. The console mode only recognizes spaces. It does not recognize parentheses or commas.

Table 15-1 contains the list of commands that are currently used in the documentation.

WARNING: Identity Governance utility console mode enables you to make uncommon, specific, or extensive changes to the application configuration that can potentially damage the application data. Run the utility in console mode only under the guidance of Technical Support.

Table 15-1 Identity Governance Configuration Utility Console Mode Commands

| Command | Parameter Name | Parameter Value | Description |
|---|---|---|---|
| display-configs | prefix-filter | | Displays all the known configuration keys and values. If you use the prefix-filter parameter, you can filter the configuration keys and values by a known prefix. For example, display-configs ism displays all of the properties that start with ism. |
| add-property | configuration-type (optional); property-key; property-value | NODE or GLOBAL; some.key; some value | Adds a property with the node or global configuration type and adds the value you specify. For example, add-property com.netiq.iac.access.request.enabled false disables the Access Request service for Identity Governance. |
| set-property | property-key; property-value | some.key; some value | Updates the value of an existing property that is identified with the property-key. For example, set-property com.netiq.iac.analytics.roles.technical.MaxPermSize 10000 sets the maximum permission size as 10000. |
| exit | | | Exits from the console mode and from the Identity Governance Configuration utility. |

Using the Identity Governance Configuration Utility in Console Mode

The Identity Governance Configuration utility console mode does not require graphics on the server to run. The utility allows you to add and modify properties that reside in properties files stored on the local file system or in the database to add a new feature or change the behavior of Identity Governance. The console mode allows you to make uncommon, specific, or extensive changes to the application configuration that can potentially damage the application data.

WARNING: The Identity Governance Configuration utility console mode enables you to make uncommon, specific, or extensive changes to the application configuration that can potentially damage the application data. Run the utility in console mode only under the guidance of Technical Support.

To use the Identity Governance Configuration utility in console mode:

  1. Access the installation directory for the utility from a command prompt as a user with root access on a Linux server or administrative privileges on a Windows server. The default installation directory is:

    • Linux: /opt/netiq/idm/apps/idgov/bin

    • Windows: c:\netiq\idm\apps\idgov\bin

  2. From the command line, enter:

    • Linux: ./configutil.sh -password database_password -console

    • Windows: configutil.bat -password database_password -console

  3. Use the information in Table 15-1, Identity Governance Configuration Utility Console Mode Commands, to issue the commands properly.

  4. When you have performed the required changes, type exit to exit console mode and the Identity Governance Configuration utility.
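Because console mode accepts only space-separated input and a wrong command can damage application data, a planned list of commands can be checked against Table 15-1 before anyone types it. The following Python check is an added example, not part of the product or its documentation; it assumes that the property value is everything after the key and that NODE and GLOBAL are written exactly as the table prints them.

```python
# Added example: pre-flight check of console-mode command lines against Table 15-1.
# Assumptions (not from the product): value = everything after the key; NODE/GLOBAL are exact.
import re

CONFIG_TYPES = {"NODE", "GLOBAL"}
BAD_SEPARATORS = re.compile(r"[(),]")  # console mode only recognizes spaces

def check_command(line):
    """Return (parsed, error); exactly one of the two is None."""
    tokens = line.split()
    if not tokens:
        return None, "empty line"
    cmd, args = tokens[0], tokens[1:]
    if BAD_SEPARATORS.search(cmd):
        return None, "parentheses or commas used as separators"
    if cmd == "exit":
        return ({"command": cmd}, None) if not args else (None, "exit takes no parameters")
    if cmd == "display-configs":
        if len(args) > 1:
            return None, "display-configs takes at most one prefix-filter"
        return {"command": cmd, "prefix": args[0] if args else None}, None
    if cmd not in ("add-property", "set-property"):
        return None, "unknown command: " + cmd
    config_type = None
    if cmd == "add-property" and args and args[0] in CONFIG_TYPES:
        config_type, args = args[0], args[1:]  # optional configuration-type
    if len(args) < 2:
        return None, cmd + " needs a property-key and a property-value"
    key, value = args[0], " ".join(args[1:])
    if BAD_SEPARATORS.search(key):
        return None, "parentheses or commas used as separators"
    return {"command": cmd, "type": config_type, "key": key, "value": value}, None

def lint(script):
    """Return (line_number, error) for every non-blank line that fails the check."""
    checked = ((n, check_command(l)[1])
               for n, l in enumerate(script.splitlines(), 1) if l.strip())
    return [(n, err) for n, err in checked if err]

# Constructed change script: lines 1-3 are the Table 15-1 examples, 4-5 are malformed.
SAMPLE = """display-configs ism
add-property com.netiq.iac.access.request.enabled false
set-property com.netiq.iac.analytics.roles.technical.MaxPermSize 10000
set-property(com.netiq.iac.access.request.enabled, true)
add-property GLOBAL com.netiq.iac.access.request.enabled
exit"""

if __name__ == "__main__":
    for number, error in lint(SAMPLE):
        print(f"line {number}: {error}")
```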

15.1.5 Using the Identity Governance Configuration Update Utility

Three of the Identity Governance components use the Identity Governance Configuration Update utility to change settings instead of using the Identity Governance Configuration utility. There is a separate utility because the Identity Governance Configuration utility allows more granular and scripted functionality for manipulating properties than the Identity Governance Configuration Update utility can currently offer. The three components that use the Identity Governance Configuration Update utility are:

  • One SSO Provider (OSP)

  • Identity Reporting

  • Auditing

If the path to the Identity Governance Configuration Update utility is unknown to the current installer, then the installer will prompt you to specify its location during the installation of Identity Governance. The default location is:

  • Linux: /opt/netiq/idm/apps/configupdate/configupdate.sh

  • Windows: C:\netiq\idm\apps\configupdate\configupdate.bat

You can run the Identity Governance Configuration Update utility in console mode or guided mode. The console mode provides menu-based options that walk you through updating the settings. Use console mode if your Linux server does not have graphical capabilities (X server).

To run the Identity Governance Configuration Update utility, access the configupdate directory from a command prompt.

  • Linux: Enter the following at the command prompt:

    • Guided: ./configupdate.sh --use-console false

    • Console: ./configupdate.sh --use-console true

  • Windows: Enter the following at the command prompt:

    • Guided: configupdate.bat --use-console false

    • Console: configupdate.bat --use-console true

The Identity Governance Configuration Update utility console mode is different from the Identity Governance Configuration utility console mode. The Identity Governance Configuration Update utility provides menu-based options to update the settings in the three products. The Identity Governance Configuration Update utility does not have command options like the Identity Governance Configuration utility does.