During installation, you must provide a password that the Identity Governance service uses for authorized interactions with the identity service. The installation process assumes that you want to use OSP or Access Manager with an LDAP server. By default, if you select SSL for the LDAP protocol or TLS for the audit protocol, the OSP installation program places the TLS/SSL trust certificates in the following location:
Linux: /opt/netiq/idm/apps/osp/osp-truststore.pkcs12
Windows: c:\netiq\idm\apps\osp\osp-truststore.pkcs12
The OSP installer provides a keystore that houses several symmetric keys and key pairs for signing, encryption, and, when necessary, TLS. Unlike the trust stores described below, which hold only public certificates, this file contains private keys, so restrict read access to the account that runs OSP. The OSP keystore is located at:
Linux: /opt/netiq/idm/apps/osp/osp.pkcs12
Windows: c:\netiq\idm\apps\osp\osp.pkcs12
By default, the Identity Governance and the Identity Reporting installation programs place TLS/SSL trust certificates in the following locations:
Linux: /opt/netiq/idm/apps/tomcat/conf/apps-truststore.pkcs12
Windows: c:\netiq\idm\apps\tomcat\conf\apps-truststore.pkcs12
This file stores the certificates of the following secured servers:
The identity service, when you specify https for OSP or use Access Manager for authentication, and the identity service runs on a different server than Identity Governance or Identity Reporting
The Identity Governance server, when you install only Identity Reporting, specify https, and the Identity Governance server or port differs from the Identity Reporting server or port
The SMTP server, when you specify SSL and a valid port
The audit server, when you specify TLS
The application server, when you specify https
Both the guided and console installation modes display the details of each retrieved certificate and ask you to confirm it before it is imported. The silent installation mode imports the certificate files named in the silent properties file without displaying them, so verify the fingerprint of each file you list there against the server's actual certificate before you run the installation.
To use SAML 2.0 authentication, you must manually install the SAML identity provider's TLS/SSL certificate in the trust store that you want to use. When a Certificate Authority (CA) issues the certificates for the LDAP server, SAML IDP, or Advanced Identity Services, you can install the trusted root certificate of that CA into the trust store and remove the server-specific certificates. A trust store that holds the CA root keeps working when a server's certificate is renewed, whereas a server-specific certificate must be imported again at every renewal; the trade-off is that any certificate the CA issues is then accepted, so do this only with a CA whose issuance you control. For more information, see Section 4.2.2, Considerations for Installing One SSO Provider.
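The choice described above, a pinned server certificate versus the issuing CA's root, as an added example that is not part of this documentation or of the product: a POSIX shell script that builds the same kind of certificate-only PKCS12 trust store the installer writes, using only the openssl CLI (keytool, which ships with the JRE the product runs on, does the same; its commands are noted in the comments). The root CA, the two ldap.example.com certificates, the store file names and the password changeit are all constructed for the example and are not product defaults.

```shell
#!/bin/sh
# Added example, not from the NetIQ documentation: build a certificate-only
# PKCS12 trust store like the installer does, then replace the server-specific
# certificate with the issuing CA's root and show why that survives a renewal.
# Assumes only the openssl CLI; every certificate below is throwaway test data.
set -eu

WORK="${WORK:-$(mktemp -d)}"
STOREPASS="${STOREPASS:-changeit}"   # assumed password for this example only

# Throwaway PKI: one root CA and two certificates for the same LDAP host, the
# second standing in for the renewed certificate the host receives later.
# A private openssl config keeps the script independent of the system openssl.cnf.
make_test_pki() {
    cat > "$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -config "$WORK/req.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
        -days 2 -subj "/CN=Example Lab Root CA" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    for n in ldap-2024 ldap-2025; do
        openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
            -subj "/CN=ldap.example.com" -keyout "$WORK/$n.key" -out "$WORK/$n.csr" 2>/dev/null
        openssl x509 -req -in "$WORK/$n.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
            -CAcreateserial -days 2 -out "$WORK/$n.pem" 2>/dev/null
    done
}

# Write a certificate-only trust store from the given PEM files.
# keytool does the same one certificate at a time:
#   keytool -importcert -trustcacerts -alias <alias> -file <cert.pem> \
#           -keystore apps-truststore.pkcs12 -storetype PKCS12
build_truststore() {    # build_truststore <store.pkcs12> <cert.pem>...
    store="$1"; shift
    cat "$@" > "$store.input.pem"
    openssl pkcs12 -export -nokeys -in "$store.input.pem" -out "$store" -passout "pass:$STOREPASS"
}

# Subject of every certificate in a trust store.
# keytool equivalent: keytool -list -v -keystore <store> -storetype PKCS12
truststore_subjects() {  # truststore_subjects <store.pkcs12>
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$STOREPASS" 2>/dev/null > "$1.certs.pem"
    openssl crl2pkcs7 -nocrl -certfile "$1.certs.pem" \
        | openssl pkcs7 -print_certs -noout | sed -n 's/^subject=//p'
}

# Would a JVM using this trust store accept a server presenting <cert.pem>?
# -partial_chain makes openssl, like the JVM trust manager, accept a pinned
# end-entity certificate as a trust anchor even though it is not self-signed.
truststore_trusts() {    # truststore_trusts <store.pkcs12> <cert.pem>
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$STOREPASS" 2>/dev/null > "$1.certs.pem"
    openssl verify -partial_chain -CAfile "$1.certs.pem" "$2" >/dev/null 2>&1
}

main() {
    make_test_pki
    pinned="$WORK/apps-truststore.pkcs12"      # what you get after confirming the LDAP server cert
    rooted="$WORK/apps-truststore-ca.pkcs12"   # the same store with the CA root instead
    build_truststore "$pinned" "$WORK/ldap-2024.pem"
    build_truststore "$rooted" "$WORK/ca.pem"
    for s in "$pinned" "$rooted"; do
        echo "$(basename "$s") trusts: $(truststore_subjects "$s" | tr '\n' ';')"
        for c in ldap-2024 ldap-2025; do
            if truststore_trusts "$s" "$WORK/$c.pem"; then r=accepted; else r=REJECTED; fi
            echo "  $c.pem (CN=ldap.example.com): $r"
        done
    done
}

main
```

The second ldap.example.com certificate plays the renewed one: the store that pins the original server certificate rejects it, the store that holds the CA root accepts both, which is exactly why a CA root needs no re-import at renewal. Two cautions when you do this to the real apps-truststore.pkcs12: OpenSSL 3 writes PKCS12 files with PBES2/AES by default, which older JREs may not open (its -legacy option writes the older encoding), and a password change on the store must go through the Configuration Update utility so that the password the application has stored still matches.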
To use a non-default trust store, or to change the password of the default trust store, use the Identity Governance Configuration Update utility.
Linux: /opt/netiq/idm/apps/configupdate/configupdate.sh
Windows: C:\netiq\idm\apps\configupdate\configupdate.bat
Next, modify the keystore settings in the Configuration Update utility. For more information, see Section 15.1.5, Using the Identity Governance Configuration Update Utility.