4.3 Integrating OpenText Access Manager with OpenText Identity Governance

To use OpenText Access Manager as the authentication service for OpenText Identity Governance, you must configure OpenText Access Manager to use the OAuth 2.0 protocol, and you must define or add an attribute in the identity store for OpenText Access Manager to use to store authentication information. You can perform these steps before installing OpenText Identity Governance. If you use OSP as the authentication service and you want to move to OpenText Access Manager, you must perform these steps at that time.

4.3.1 OpenText Access Manager and the Identity Service Integration Checklist for OAuth 2.0

OpenText Access Manager integrates with OpenText Identity Governance through the use of the OAuth 2.0 protocol to allow for secure communication between the two products. OAuth 2.0 allows you to use different authentication methods beyond the name/password method. For more information, see OAuth and OpenID Connect in the NetIQ Access Manager 5.0 Administration Guide.

You must configure OpenText Access Manager to use OAuth 2.0 before starting the OpenText Identity Governance installation. You must also use an LDAP-based bootstrap administrator and add a special attribute to the identity store to store authentication information from OpenText Access Manager.

Use the following checklist to complete the configuration tasks in the identity store and OpenText Access Manager before starting the OpenText Identity Governance installation or if you want to stop using OSP as your authentication service.

Checklist Items

  1. Create an LDAP-based bootstrap administrator for OpenText Identity Governance. OpenText Identity Governance does not have access to the OpenText Access Manager file system, so it cannot use a file-based administrator.

    WARNING: Do not use the name admin, and ensure that the name is unique.

    Create a user account in your identity service that has administrative rights to the identity service. Ensure that this account is used only as the bootstrap administrator for OpenText Identity Governance. For more information, see Section 4.1.1, Using the Bootstrap Administrator.

  2. Create an attribute in the identity service to store the authorization grant information from OpenText Access Manager. OpenText Identity Governance uses the term identity service to refer to the LDAP server that holds the authorized users. The LDAP directory can be Active Directory, the Identity Manager Identity Vault, or eDirectory. OpenText Access Manager uses the term User Store to refer to the LDAP directory that stores the OpenText Access Manager users and configuration information.

    OpenText Access Manager stores the OAuth 2.0 authorization grant information for each user in an attribute in the identity service. You can use an unused attribute in your identity service or you can create a new attribute. This attribute must exist to enable OAuth 2.0 in OpenText Access Manager. The OpenText Access Manager documentation contains the instructions on how to create a new attribute for Active Directory and eDirectory. For more information, see Extending a User Store for OAuth 2.0 Authorization Grant Information in the NetIQ Access Manager 5.0 Administration Guide.

  3. Enable the OAuth protocol in Access Manager. For more information, see Enabling OAuth in Access Gateway in the NetIQ Access Manager 5.0 Administration Guide.

  4. Add your identity service as the local User Store in OpenText Access Manager. OpenText Access Manager must be able to access the authorized user accounts to be able to authenticate the users to OpenText Identity Governance. For more information, see Configuring Identity User Stores in the NetIQ Access Manager 5.0 Administration Guide.

  5. Configure an OpenText Access Manager authentication contract to define how the OpenText Identity Governance authorized users authenticate. You can define one or more authentication contracts for the authorized users to use, depending on the needs of the users. For more information, see Configuring Authentication Contracts in the NetIQ Access Manager 5.0 Administration Guide.

  6. Configure OpenText Access Manager to use the authentication contract for OpenText Identity Governance. You can define the OpenText Identity Governance authentication contract as the default authentication contract for OpenText Access Manager, or you can define the OpenText Identity Governance application as a protected resource in OpenText Access Manager to enable SSO for the authorized users.

    • To make the OpenText Identity Governance authentication contract the default contract for the OpenText Access Manager Identity Server, see Specifying Authentication Defaults in the NetIQ Access Manager 5.0 Administration Guide.

    • To make the OpenText Identity Governance application a protected resource, see Protecting Web Resources Through Access Gateway in the NetIQ Access Manager 5.0 Administration Guide.

  7. Register OpenText Identity Governance as an OAuth application in OpenText Access Manager. You must create an OpenText Access Manager role with the exact name NAM_OAUTH2_ADMIN to register OpenText Identity Governance. For more information, see Registering OAuth Client Applications in the NetIQ Access Manager 5.0 Administration Guide.

4.3.2 Integrating OpenText Identity Governance and Access Manager During the Installation of OpenText Identity Governance

You can integrate OpenText Identity Governance and Access Manager during the installation of OpenText Identity Governance. You must select an LDAP-based bootstrap administrator and provide the connection information for Access Manager during the installation. The installation chapter, Installing OpenText Identity Governance, contains the configuration details. For more information, see Section 6.4, OpenText Identity Governance Installation Worksheet.

After you have completed the OpenText Identity Governance installation and if you are using Active Directory as the identity service, you must change the OpenText Access Manager Mapping Table to point to the Active Directory attribute of distinguishedName instead of entryDN. For more information, see Editing Attribute Sets in the NetIQ Access Manager 5.0 Administration Guide.

  1. Log in to the OpenText Access Manager administration console as an administrator.

  2. Click Devices > Identity Server.

  3. Click the Shared Settings tab, then click the Attributes Sets tab.

  4. Click the OpenText Identity Governance object.

    • OpenText Identity Governance: If you used the default values during the OpenText Identity Governance Configuration Update utility conversion, the name is Micro Focus ISM.

    • OpenText Access Manager: If you used the advanced option ISM Application Instance ID during the OpenText Access Manager OAuth Configuration, the name is Micro Focus ISM_specified_name.

  5. Click Mapping.

  6. Click Ldap Attribute:entryDN [LDAP Attribute Profile].

  7. Select Local attribute.

  8. Select Ldap Attribute:distinguishedName [LDAP Attribute Profile].

  9. Click OK.

  10. Click Apply, then click OK.

  11. Click Servers, then click Update All.

  12. On the OSP server, restart Apache Tomcat. For more information, see Section 3.5.3, Starting and Stopping Apache Tomcat.

4.3.3 Integrating OpenText Identity Governance and Access Manager After the OpenText Identity Governance Installation (Single Server)

If you installed OpenText Identity Governance using OSP as the authentication service and now want to use Access Manager, OpenText Identity Governance allows you to make the change without uninstalling OpenText Identity Governance. Making the change is a process that requires multiple steps.

The process is different if you have Access Manager, OpenText Identity Governance, Identity Reporting, and Workflow Engine installed on separate servers. For more information, see Section 4.3.4, Integrating OpenText Identity Governance and OpenText Access Manager After the OpenText Identity Governance Installation in a Distributed Environment. Use the following information to switch from OSP to OpenText Access Manager if you have OSP and OpenText Identity Governance installed on the same server.

  1. Ensure that you have completed all of the OpenText Access Manager integration steps before proceeding. For more information, see Section 4.3.1, OpenText Access Manager and the Identity Service Integration Checklist for OAuth 2.0.

  2. Stop Apache Tomcat. For more information, see Section 3.5.3, Starting and Stopping Apache Tomcat.

  3. Verify that the single sign-on settings are populated.

    1. Launch the OpenText Identity Governance Configuration Update utility. For more information, see Section 15.1.5, Using the OpenText Identity Governance Configuration Update Utility.

    2. Click the IG SSO Clients tab.

    3. Click Show Advanced Options.

    4. Ensure that all of the fields except for OpenText Identity Governance Client > Additional mapped LDAP attributes are populated. If any fields are missing information, add the information for your environment.

    5. Click OK, even if you did not make any changes, to save the configuration. The OpenText Identity Governance Configuration Update utility closes automatically.

  4. Verify that the ism-configuration.properties file contains four entries of response-types = client_credentials.

    1. Open the ism-configuration.properties file in a text editor. The default location is:

      • Linux: /opt/netiq/idm/apps/tomcat/conf

      • Windows: c:\netiq\idm\apps\tomcat\conf

    2. Search for response-types = client_credentials. There should be four.

    3. If there are not four entries, repeat Step 3.

  5. Change the authentication settings to use OpenText Access Manager.

    1. Launch the OpenText Identity Governance Configuration Update utility. For more information, see Section 15.1.5, Using the OpenText Identity Governance Configuration Update Utility.

    2. Click the Authentications tab.

    3. (Conditional) Select OAuth server uses TLS.

    4. Select OpenText Access Manager is the OAuth provider.

    5. Populate the following fields with the OpenText Access Manager information.

      OAuth server host name

      Specify the fully qualified DNS name of your OpenText Access Manager server.

      OAuth server TCP port

      Specify the port for OpenText Access Manager. The default is 443.

      OpenText Identity Governance bootstrap admin

      Browse to and select the LDAP bootstrap administrator you created in Step 1.

    6. Click Configure OpenText Access Manager now.

    7. Use the following information to configure OpenText Identity Governance to work with OpenText Access Manager:

      Administrative Console > Console host

      Specify the fully qualified DNS name of the OpenText Access Manager administration console.

      Administrative Console > Console port

      Specify the port for the OpenText Access Manager administration console.

      Administrative Console > Administrator DN

      Specify the fully qualified DN of an OpenText Access Manager administrator user.

      Administrative Console > Administrator Password

      Specify the password for the OpenText Access Manager administrator.

      Administrative Console > Update IDP

      Ensure that this option is selected to automatically update the OpenText Access Manager Identity Server with the OpenText Identity Governance information.

      OAuth 2.0 Administrator > Administrator DN

      Browse to and select the bootstrap administrator that you created with the NAM_OAUTH2_ADMIN OpenText Access Manager role in Step 7.

      OAuth 2.0 Administrator > Administrator Password

      Specify the password for the bootstrap administrator.

    8. Click OK to save the changes.

    9. Review and accept the certificate presented.

    10. After the configuration work is completed, click OK on the Notification message.

    11. Select the IG SSO Client tab and notice that the Client IDs and Secrets have been updated.

    12. Click OK to save the changes and the OpenText Identity Governance Configuration Update utility automatically closes.

  6. (Conditional) If you are using Active Directory as the identity service, change the OpenText Access Manager Mapping Table to point to the Active Directory attribute of distinguishedName instead of entryDN. For more information, see Editing Attribute Sets in the NetIQ Access Manager 5.0 Administration Guide.

    1. Log in to the OpenText Access Manager administration console as an administrator.

    2. Click Devices > Identity Server.

    3. Click the Shared Settings tab, then click the Attributes Sets tab.

    4. Click the OpenText Identity Governance object.

      • OpenText Identity Governance: If you used the default values during the OpenText Identity Governance Configuration Update utility conversion, the name is Micro Focus ISM.

      • OpenText Access Manager: If you used the advanced option ISM Application Instance ID during the OpenText Access Manager OAuth Configuration, the name is Micro Focus ISM_specified_name.

    5. Click Mapping.

    6. Click Ldap Attribute:entryDN [LDAP Attribute Profile].

    7. Select Local attribute.

    8. Select Ldap Attribute:distinguishedName [LDAP Attribute Profile].

    9. Click OK.

    10. Click Apply, then click OK.

    11. Click Servers, then click Update All.

  7. Ensure that the ism-configuration.properties file lists the protocol as secure.

    1. Open the ism-configuration.properties file in a text editor. The default location is:

      • Linux: /opt/netiq/idm/apps/tomcat/conf

      • Windows: c:\netiq\idm\apps\tomcat\conf

    2. Search for com.netiq.idm.osp.url.host.

    3. If it is not set to https change it from http to https.

    4. Save and close the file.

  8. (Conditional) If the ism-configuration.properties file was incorrect, the OpenText Identity Governance Configuration Update utility must receive a valid certificate.

    1. Launch the OpenText Identity Governance Configuration Update utility. For more information, see Section 15.1.5, Using the OpenText Identity Governance Configuration Update Utility.

    2. When it displays the fields, click OK.

    3. Review and accept the new certificate, then click OK to save and the OpenText Identity Governance Configuration Update utility automatically closes.

  9. Change additional settings in the OpenText Identity Governance Configuration utility.

    1. Launch the OpenText Identity Governance Configuration utility using the database password. For more information, see Section 15.1.4, Using the OpenText Identity Governance Configuration Utility.

    2. Click the Authentication tab.

    3. In the OAuth Server section, make the following changes:

      Same as IG Server

      Deselect this option.

      Protocol

      (Conditional) Change the protocol from http to https if it is not already at https.

      Host Name

      Specify the fully qualified DNS name of the OpenText Access Manager server.

      Port

      Specify the port for the OpenText Access Manager server. The default value is 443.

    4. Click Save to save the changes, then close the utility.

  10. Update the ism-configuration.properties file.

    1. Open the ism-configuration.properties file in a text editor. The default location is:

      • Linux: /opt/netiq/idm/apps/tomcat/conf

      • Windows: c:\netiq\idm\apps\tomcat\conf

    2. Add the following entry:

      com.netiq.iac.authserver.url.logout = ${com.netiq.idm.osp.url.host}/nidp/app/logout

    3. Save and close the file.

  11. Clean up Apache Tomcat.

    1. Delete the following cache directory. This is the default location.

      • Linux: /opt/netiq/idm/apps/tomcat/work/Catalina/localhost

      • Windows: c:\netiq\idm\apps\tomcat\work\Catalina\localhost

    2. Delete all of the files and sub-folders in the temp directory. This is the default location.

      • Linux: /opt/netiq/idm/apps/tomcat/temp

      • Windows: c:\netiq\idm\apps\tomcat\temp

    3. Delete or move any Apache Tomcat log files. This is the default location.

      • Linux: /opt/netiq/idm/apps/tomcat/logs

      • Windows: c:\netiq\idm\apps\tomcat\logs

  12. Start Apache Tomcat. For more information, see Section 3.5.3, Starting and Stopping Apache Tomcat.

  13. Log in to OpenText Identity Governance to test if the authentication is now going through OpenText Access Manager.
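The file checks in steps 4, 7 and 10 above are easy to get wrong by hand (a missed fourth entry, a host left on http, a logout line pasted twice). The following script is an added example and is not part of the OpenText documentation or of the configutil tooling: it runs the same three checks offline against a constructed sample of ism-configuration.properties, applies the http-to-https and logout-entry fixes to a copy, and reports which of the per-service response-types keys listed in Section 4.3.4 still lack client_credentials. The sample file contents, the work directory and the host name ig.example.internal are assumptions for the demonstration; the property names are the ones the page lists.

```shell
#!/bin/sh
# Added example, not part of the OpenText documentation: offline checks for the
# ism-configuration.properties edits in Section 4.3.3 (steps 4, 7 and 10).
# The property names are the ones the page lists; the sample file is CONSTRUCTED.
# On a real Linux server the file lives at (per the page):
#   /opt/netiq/idm/apps/tomcat/conf/ism-configuration.properties

# Step 4: count "response-types = client_credentials" entries (four expected on a
# single-server install). Whitespace around "=" is tolerated; comment lines are skipped.
count_client_credentials() {
    grep -cE '^[^#]*\.response-types[[:space:]]*=[[:space:]]*client_credentials' "$1" || true
}

# Distributed variant of step 4 (the keys Section 4.3.4 searches the backup for):
# print every expected key that is NOT set to client_credentials; silent when all are.
missing_client_credentials_keys() {
    file="$1"; shift
    for key in "$@"; do
        esc=$(printf '%s' "$key" | sed 's/\./\\./g')   # dots are literal in the key
        grep -qE "^[[:space:]]*${esc}[[:space:]]*=[[:space:]]*client_credentials" "$file" \
            || printf '%s\n' "$key"
    done
}

# Step 7: print the URL scheme of com.netiq.idm.osp.url.host (empty if the key is absent).
osp_host_scheme() {
    sed -n 's/^[[:space:]]*com\.netiq\.idm\.osp\.url\.host[[:space:]]*=[[:space:]]*\([A-Za-z]*\):\/\/.*/\1/p' "$1"
}

# Step 7.3: rewrite http:// to https:// on that one key only, in place.
secure_osp_host() {
    tmp="$1.tmp.$$"
    sed 's/^\([[:space:]]*com\.netiq\.idm\.osp\.url\.host[[:space:]]*=[[:space:]]*\)http:\/\//\1https:\/\//' \
        "$1" > "$tmp" && mv "$tmp" "$1"
}

# Step 10: append the logout entry exactly once (safe to re-run).
add_logout_entry() {
    if ! grep -q '^[[:space:]]*com\.netiq\.iac\.authserver\.url\.logout[[:space:]]*=' "$1"; then
        printf '%s\n' 'com.netiq.iac.authserver.url.logout = ${com.netiq.idm.osp.url.host}/nidp/app/logout' >> "$1"
    fi
}

# Constructed sample: one service still has the wrong grant type and the host is plain http.
WORK=$(mktemp -d)
SAMPLE="$WORK/ism-configuration.properties"
cat > "$SAMPLE" <<'EOF'
# constructed sample file for the demonstration
com.netiq.idm.osp.url.host = http://ig.example.internal
com.netiq.iac.dc_server.response-types = client_credentials
com.netiq.iac.dtp_server.response-types = client_credentials
com.netiq.iac.general-service.response-types = client_credentials
com.netiq.iac.wf_server.response-types = password
EOF
EXPECTED_KEYS='com.netiq.iac.dc_server.response-types com.netiq.iac.dtp_server.response-types com.netiq.iac.general-service.response-types com.netiq.iac.wf_server.response-types'

# Report on the untouched sample, then apply the fixes to a copy.
echo "client_credentials entries: $(count_client_credentials "$SAMPLE") (expected 4)"
echo "keys not using client_credentials: $(missing_client_credentials_keys "$SAMPLE" $EXPECTED_KEYS)"
echo "osp.url.host scheme before: $(osp_host_scheme "$SAMPLE")"
FIXED="$WORK/ism-configuration.fixed.properties"
cp "$SAMPLE" "$FIXED"
secure_osp_host "$FIXED"
add_logout_entry "$FIXED"
add_logout_entry "$FIXED"   # second call must not duplicate the entry
echo "osp.url.host scheme after: $(osp_host_scheme "$FIXED")"
```

Point the functions at the real file path instead of the sample to use them as a pre-flight check before restarting Apache Tomcat.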

4.3.4 Integrating OpenText Identity Governance and OpenText Access Manager After the OpenText Identity Governance Installation in a Distributed Environment

OpenText Identity Governance allows you to switch your authentication service from OSP to OpenText Access Manager without having to reinstall OpenText Identity Governance. If you have OSP, OpenText Identity Governance, Identity Reporting, and Workflow Engine installed on separate servers, you must use the following procedure to make the change. The steps are different from those used when all of the components are installed on one server. If you have all of the components installed on one server, see Section 4.3.2, Integrating OpenText Identity Governance and Access Manager During the Installation of OpenText Identity Governance.

  1. Ensure that you have completed all of the OpenText Access Manager integration steps before proceeding. For more information, see Section 4.3.1, OpenText Access Manager and the Identity Service Integration Checklist for OAuth 2.0.

  2. On the OSP server, change the authentication service to OpenText Access Manager.

    1. Stop Apache Tomcat on the OSP, OpenText Identity Governance, Identity Reporting, and Workflow Engine servers. For more information, see Section 3.5.3, Starting and Stopping Apache Tomcat.

      1. Verify that the single sign-on settings are populated.

        1. Launch the OpenText Identity Governance Configuration Update utility. For more information, see Section 15.1.5, Using the OpenText Identity Governance Configuration Update Utility.

        2. Click the IG SSO Clients tab.

        3. Click Show Advanced Options.

        4. Ensure that all of the fields except for OpenText Identity Governance Client > Additional mapped LDAP attributes are populated. If any fields are missing information, add the information for your environment.

        5. Click the External Workflow tab.

        6. (Conditional) Ensure that all the above fields are populated. If any fields are missing information, add the information for your environment.

        7. Click OK, even if you did not make any changes, to save the configuration. The OpenText Identity Governance Configuration Update utility closes automatically.

    2. Verify that the database contains four or six instances of response-types = client_credentials.

      1. On the Identity Governance server, create the following script using the path and file name of your choice:

        • set-backup-dir <path>

        • set-backup-file-name <filename>

        • backup

      2. Execute the script:

        /opt/netiq/idm/apps/idgov/bin/configutil.sh -password <password> -script <script>

      3. Open the backup file and look for the instances of client_credentials.

        Search for the following entries once you open the backup file for Identity Governance:

        • com.netiq.iac.dc_server.response-types

        • com.netiq.iac.dtp_server.response-types

        • com.netiq.iac.general-service.response-types

        • com.netiq.iac.wf_server.response-types

        (Conditional) Search for the following entries once you open the backup file for the Workflow Engine:

        • com.netiq.iac.standaloneworkflow.response-types

        • com.netiq.workflow.response-types

    3. Change the authentication settings to use OpenText Access Manager.

      1. Launch the OpenText Identity Governance Configuration Update utility. For more information, see Section 15.1.5, Using the OpenText Identity Governance Configuration Update Utility.

      2. Click the Authentication tab.

      3. (Conditional) Select OAuth server uses TLS.

      4. Select OpenText Access Manager is the OAuth provider.

      5. Populate the following fields with the OpenText Access Manager information:

        OAuth server host name

        Specify the fully qualified DNS name of your Access Manager server.

        OAuth server TCP port

        Specify the port for Access Manager. The default is 443.

        Identity Governance Bootstrap Admin

        Browse to and select the LDAP bootstrap administrator you created in Step 1.

      6. Click Configure OpenText Access Manager now.

      7. Click the Show Advanced Options button.

      8. Use the following information to configure OpenText Identity Governance to work with OpenText Access Manager:

        Administrative Console > Console host

        Specify the fully qualified DNS name of the OpenText Access Manager administration console.

        Administrative Console > Console port

        Specify the port for the OpenText Access Manager administration console.

        Administrative Console > Administrator DN

        Specify the fully qualified DN of an OpenText Access Manager administrator user.

        Administrative Console > Administrator Password

        Specify the password for the OpenText Access Manager administrator.

        Administrative Console > Update IDP

        Ensure that this option is selected to automatically update the OpenText Access Manager Identity Server with the OpenText Identity Governance information.

        OAuth 2.0 Administrator > Administrator DN

        Browse to and select the bootstrap administrator that you created with the NAM_OAUTH2_ADMIN OpenText Access Manager role in Step 7.

        OAuth 2.0 Administrator > Administrator Password

        Specify the password for the bootstrap administrator.

      9. Click OK to save the changes.

      10. Review and accept the certificate presented.

      11. After the configuration work is completed, click OK on the Notification message.

      12. (Conditional) Select the External Workflow tab and notice that the Client IDs and Secrets have been updated.

      13. Select the IG SSO Client tab and notice that the Client IDs and Secrets have been updated.

      14. Click OK to save the changes and the OpenText Identity Governance Configuration Update utility automatically closes.

    4. Ensure the com.netiq.idm.osp.url.host property is set correctly with a secure protocol.

      1. On the Identity Governance server, create a script with the following content:

        display-configs com.netiq.idm.osp.url.host

      2. Execute the script.

        /opt/netiq/idm/apps/idgov/bin/configutil.sh -password <password> -script <script>

      3. (Conditional) If you need to update the value, create and execute the following script with your expected protocol, server, and host. The script prints the final value after the change.

        set-property com.netiq.idm.osp.url.host https://<Access Manager DNS name>

        display-configs com.netiq.idm.osp.url.host

        set-property com.netiq.iac.authserver.host https://<Access Manager DNS name>

        display-configs com.netiq.iac.authserver.host

        set-property com.netiq.client.authserver.url.logout https://<Access Manager DNS name>/nidp/app/logout

        display-configs com.netiq.client.authserver.url.logout

      4. Save and close the file.

    5. (Conditional) If you are using Active Directory as the identity service, change the OpenText Access Manager Mapping Table to point to the Active Directory attribute of distinguishedName instead of entryDN. For more information, see Editing Attribute Sets in the NetIQ Access Manager 5.0 Administration Guide.

      1. Log in to the OpenText Access Manager administration console as an administrator.

      2. Click Devices > Identity Server.

      3. Click the Shared Settings tab, then click the Attributes Sets tab.

      4. Click the OpenText Identity Governance object.

        • OpenText Identity Governance: If you used the default values during the OpenText Identity Governance Configuration Update utility conversion, the name is Micro Focus ISM.

        • OpenText Access Manager: If you used the advanced option ISM Application Instance ID during the OpenText Access Manager OAuth Configuration, the name is Micro Focus ISM_specified_name.

      5. Click Mapping.

      6. Click Ldap Attribute:entryDN [LDAP Attribute Profile].

      7. Select Local attribute.

      8. Select Ldap Attribute:distinguishedName [LDAP Attribute Profile].

      9. Click OK.

      10. Click Apply, then click OK.

      11. Click Servers, then click Update All.

    6. (Conditional) If the ism-configuration.properties file was incorrect, the OpenText Identity Governance Configuration Update utility must receive a valid certificate.

      1. Launch the OpenText Identity Governance Configuration Update utility. For more information, see Section 15.1.5, Using the OpenText Identity Governance Configuration Update Utility.

      2. When it displays the fields, click OK.

      3. Review and accept the new certificate, then click OK to save and the OpenText Identity Governance Configuration Update utility automatically closes.

  3. On the OpenText Identity Governance server, change the authentication service to OpenText Access Manager.

    1. At the OpenText Access Manager URL, access the OAuth Client IDs and Secrets.

      1. On the OpenText Identity Governance server launch a browser and access the OpenText Access Manager administration console.

      2. On the Dashboard under Identity Servers, select IDPCluster.

      3. Click the OAuth & OpenID Connect tab, then click the Client Applications tab.

      4. Leave the Client Applications tab open because it contains the client IDs and secrets for the OpenText Identity Governance applications that you created in Step 7. Add this information to the OpenText Identity Governance configuration.

    2. Verify that the client IDs and secrets from OpenText Access Manager have made it to the OpenText Identity Governance configuration. Because the properties are stored in the OSP database, and Configupdate on both OSP and IG servers have connection information for connecting to that database, the entries should already be populated.

      1. Launch the OpenText Identity Governance Configuration Update utility. For more information, see Section 15.1.5, Using the OpenText Identity Governance Configuration Update Utility.

      2. Click the IG SSO Clients tab.

      3. Copy the Client ID and Secret for each OpenText Identity Governance application listed in OpenText Access Manager. Use the following table to correlate the names in OpenText Identity Governance to the names in OpenText Access Manager.

        IMPORTANT: Ensure that you copy the Client ID, not the Client Application Name.

        OpenText Identity Governance Application Name    OpenText Access Manager Application Name
        Identity Governance                              iac
        Request Client                                   cx_client
        Data Connectivity Service                        iac_dc_server
        General Service                                  iac_general_service
        Data Transformation and Processing Service       iac_dtp_server
        Workflow Service                                 iac_wf_server
        Form Builder Client                              form_builder
        Identity Governance Client                       iac_ig_web

    3. In the OpenText Identity Governance Configuration Update utility ensure that the authentication settings are set to OpenText Access Manager values.

      1. Click the Authentication tab.

      2. (Conditional) Select OAuth server uses TLS.

      3. Select OpenText Access Manager is the OAuth provider.

      4. Populate the following fields with the OpenText Access Manager information.

        OAuth server host name

        Specify the fully qualified DNS name of your OpenText Access Manager server.

        OAuth server TCP port

        Specify the port for OpenText Access Manager. The default is 443.

        OpenText Identity Governance bootstrap admin

        Browse to and select the LDAP bootstrap administrator you created in Step 1.

      5. Click OK to save the changes and the OpenText Identity Governance Configuration Update utility automatically closes.

    4. Ensure that the ism-configuration.properties file lists the protocol as secure.

      1. Open the ism-configuration.properties file in a text editor. The default location is:

        • Linux: /opt/netiq/idm/apps/tomcat/conf

        • Windows: c:\netiq\idm\apps\tomcat\conf

      2. Search for com.netiq.idm.osp.url.host.

      3. If it is not set to https change it from http to https.

      4. Save and close the file.

    5. (Conditional) If the ism-configuration.properties file was incorrect, the OpenText Identity Governance Configuration Update utility must receive a valid certificate.

      1. Launch the OpenText Identity Governance Configuration Update utility. For more information, see Section 15.1.5, Using the OpenText Identity Governance Configuration Update Utility.

      2. When it displays the fields, click OK.

      3. Review and accept the new certificate, then click OK to save and the OpenText Identity Governance Configuration Update utility automatically closes.

  4. On the OpenText Identity Governance server, change additional settings in the OpenText Identity Governance Configuration utility.

    1. Launch the OpenText Identity Governance Configuration utility using the database password. For more information, see Section 15.1.4, Using the OpenText Identity Governance Configuration Utility.

    2. Click the Authentication tab.

    3. In the OAuth Server section, make the following changes:

      Protocol

      (Conditional) Change the protocol from http to https if it is not already at https.

      Host Name

      Specify the fully qualified DNS name of the OpenText Access Manager server.

      Port

      Specify the port for the OpenText Access Manager server. The default value is 443.

    4. In the Bootstrap Admin section, update the Name field to contain the fully qualified DN name of the bootstrap administrator you created in Step 1.

    5. Click Save to save the changes, then close the utility.

  5. On the OpenText Identity Governance server, clean up Apache Tomcat.

    1. Delete the following cache directory. This is the default location.

      • Linux: /opt/netiq/idm/apps/tomcat/work/Catalina/localhost

      • Windows: c:\netiq\idm\apps\tomcat\work\Catalina\localhost

    2. Delete all of the files and sub-folders in the temp directory. This is the default location.

      • Linux: /opt/netiq/idm/apps/tomcat/temp

      • Windows: c:\netiq\idm\apps\tomcat\temp

    3. Delete or move any Apache Tomcat log files. This is the default location.

      • Linux: /opt/netiq/idm/apps/tomcat/logs

      • Windows: c:\netiq\idm\apps\tomcat\logs

  6. On the OpenText Identity Governance server only, start Apache Tomcat. For more information, see Section 3.5.3, Starting and Stopping Apache Tomcat.

  7. Test authentication to OpenText Identity Governance to ensure that the changes worked.

  8. Make the following changes to the Identity Reporting server to use OpenText Access Manager instead of OSP.

    1. On the Identity Reporting server change the authentication service to be OpenText Access Manager.

      1. On the OpenText Access Manager server, access the OAuth Client IDs and Secrets.

        1. On the Identity Reporting server launch a browser and access the OpenText Access Manager administration console.

        2. On the Dashboard under Identity Servers, select IDPCluster.

        3. Click the OAuth & OpenID Connect tab, then click the Client Applications tab.

        4. Leave the Client Applications tab open, because it contains the client IDs and secrets for the OpenText Identity Governance applications that you created in Step 7. You will add this information to the OpenText Identity Governance configuration.

      2. Add the client IDs and secrets from OpenText Access Manager to the Identity Reporting server configuration.

        1. Launch the OpenText Identity Governance Configuration Update utility. For more information, see Section 15.1.5, Using the OpenText Identity Governance Configuration Update Utility.

        2. Click the OAuth SSO Client tab.

        3. Copy the Client ID and Secret for the Identity Reporting application listed in OpenText Access Manager as rpt to the Reporting application.

          IMPORTANT: Ensure that you copy the Client ID, not the Client Application Name.

          Identity Governance Application Name   Access Manager Application Name
          Reporting Utility Client               rpt
          Reporting Client                       rpt_rpt_web

      3. In the OpenText Identity Governance Configuration Update utility, ensure that the authentication settings are set to the OpenText Access Manager values.

        1. Click the Authentications tab.

        2. (Conditional) Select OAuth server uses TLS.

        3. Select OpenText Access Manager is the OAuth provider.

        4. Populate the following fields with the OpenText Access Manager information.

          OAuth server host name

          Specify the fully qualified DNS name of your OpenText Access Manager server.

          OAuth server TCP port

          Specify the port for OpenText Access Manager. The default value is 443.

        5. Click OK to save the changes and the OpenText Identity Governance Configuration Update utility automatically closes.

    2. Ensure the com.netiq.idm.osp.url.host property is set correctly with a secure protocol.

      1. On the Identity Governance server, create a script with the following content:

        display-configs com.netiq.idm.osp.url.host

      2. Execute the script.

        /opt/netiq/idm/apps/idgov/bin/configutil.sh -password <password> -script <script>

      3. (Conditional) If you need to update the value, create and execute the following script with your expected protocol, server, and host. The script prints the final value after the change.

        set-property com.netiq.idm.osp.url.host https://<server>

        display-configs com.netiq.idm.osp.url.host

      4. Save and close the file.
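The check in steps 2.a through 2.c, as an added shell example that is not part of the OpenText documentation: it verifies that the value of com.netiq.idm.osp.url.host is an https URL (an http value would send OAuth traffic, including tokens, in clear text) and writes the corrective configutil script. The configutil path is the one given above; the "property = value" shape of the display-configs output that is parsed here is an assumption.

```shell
#!/bin/sh
# Added example (not from the OpenText documentation). Checks that
# com.netiq.idm.osp.url.host uses https and builds the configutil script
# that corrects it. The display-configs output format is assumed.
CONFIGUTIL=/opt/netiq/idm/apps/idgov/bin/configutil.sh
PROP=com.netiq.idm.osp.url.host

# Return 0 when the value is an https URL with a host and no embedded
# credentials; anything else (http, empty, user:pass@host) is rejected.
osp_host_is_secure() {
    case "$1" in
        https://*@*) return 1 ;;
        https://?*)  return 0 ;;
        *)           return 1 ;;
    esac
}

# Extract the property value from configutil display-configs output.
# Assumed line shape (constructed): "<property> = <value>".
extract_host_value() {
    sed -n "s/^[[:space:]]*${PROP}[[:space:]]*=[[:space:]]*//p" | head -n 1
}

# Write the configutil script from step 2.c: set the property, then
# display it so the final value is printed. $1 = https URL, $2 = file.
write_fix_script() {
    printf 'set-property %s %s\ndisplay-configs %s\n' "$PROP" "$1" "$PROP" > "$2"
}

# Query a live server (needs configutil and the password from step 2.b)
# and return 0 only if the current value is secure.
check_live() {
    script=$(mktemp)
    printf 'display-configs %s\n' "$PROP" > "$script"
    value=$("$CONFIGUTIL" -password "$1" -script "$script" | extract_host_value)
    rm -f "$script"
    osp_host_is_secure "$value"
}
```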

    3. (Conditional) If the ism-configuration.properties file was incorrect, the OpenText Identity Governance Configuration Update utility must receive a valid certificate.

      1. On the Identity Reporting server, launch the OpenText Identity Governance Configuration Update utility. For more information, see Section 15.1.5, Using the OpenText Identity Governance Configuration Update Utility.

      2. When it displays the fields, click OK.

      3. Review and accept the new certificate, then click OK to save and the OpenText Identity Governance Configuration Update utility automatically closes.

    4. On the Identity Reporting server, clean up Apache Tomcat.

      1. Delete the following cache directory. This is the default location.

        • Linux: /opt/netiq/idm/apps/tomcat/work/Catalina/localhost

        • Windows: c:\netiq\idm\apps\tomcat\work\Catalina\localhost

      2. Delete all of the files and sub-folders in the temp directory. This is the default location.

        • Linux: /opt/netiq/idm/apps/tomcat/temp

        • Windows: c:\netiq\idm\apps\tomcat\temp

      3. Delete or move any Apache Tomcat log files. This is the default location.

        • Linux: /opt/netiq/idm/apps/tomcat/logs

        • Windows: c:\netiq\idm\apps\tomcat\logs
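The Apache Tomcat cleanup described in this step and in Step 5 for the Identity Governance server, as an added Linux shell example that is not part of the OpenText documentation. It uses the default path from the page, refuses to run while Tomcat is still up, and moves the log files into a timestamped archive instead of deleting them so they remain available for troubleshooting or investigation; the process pattern used to detect a running Tomcat is an assumption.

```shell
#!/bin/sh
# Added example (not from the OpenText documentation): Tomcat cleanup
# for the steps above. Default path taken from the page.
TOMCAT_HOME=${TOMCAT_HOME:-/opt/netiq/idm/apps/tomcat}

# Clean one Tomcat tree. $1 = Tomcat home. Returns non-zero on error.
cleanup_tomcat() {
    home=$1
    if [ ! -d "$home" ]; then
        echo "no such Tomcat home: $home" >&2
        return 1
    fi
    # Tomcat must be stopped before its work and temp trees are removed.
    # The catalina.base pattern is an assumption about the start script.
    if command -v pgrep >/dev/null 2>&1 && \
       pgrep -f "catalina.base=$home" >/dev/null 2>&1; then
        echo "Tomcat still running from $home; stop it first" >&2
        return 1
    fi
    # 1. Delete the cache directory (compiled JSPs and cached state).
    rm -rf "$home/work/Catalina/localhost"
    # 2. Delete everything inside temp but keep the directory itself.
    if [ -d "$home/temp" ]; then
        find "$home/temp" -mindepth 1 -delete
    fi
    # 3. Move the log files into a timestamped archive directory.
    if [ -d "$home/logs" ]; then
        archive="$home/logs-archive-$(date +%Y%m%d-%H%M%S)"
        mkdir -p "$archive"
        find "$home/logs" -mindepth 1 -maxdepth 1 -exec mv {} "$archive"/ \;
    fi
    return 0
}
```

Run it as `cleanup_tomcat "$TOMCAT_HOME"` on each server before starting Apache Tomcat again.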

    5. On the Identity Reporting server only, start Apache Tomcat. For more information, see Section 3.5.3, Starting and Stopping Apache Tomcat.

    6. Test authentication to OpenText Identity Governance to ensure that the changes worked.

  9. On the Workflow Engine server, change the authentication service to be Access Manager.

    1. At the Access Manager URL, access the OAuth Client IDs and Secrets.

      1. On the Identity Governance server, launch a browser and access the Access Manager administration console.

      2. On the Dashboard under Identity Servers, select IDPCluster.

      3. Click the OAuth & OpenID Connect tab, then click the Client Applications tab.

      4. Leave the Client Applications tab open because it contains the client IDs and secrets for the OpenText Identity Governance applications that you created in Step 7. Add this information to the Identity Governance configuration.

    2. Verify that the client IDs and secrets from Access Manager have made it into the Identity Governance configuration. Because the properties are stored in the OSP database, and Configupdate on both the OSP and IG servers has the connection information for that database, the entries should already be populated.

      1. Launch the Identity Governance Configuration Update utility. For more information, see Section 15.1.5, Using the OpenText Identity Governance Configuration Update Utility.

      2. Click the IG SSO Clients tab.

      3. Copy the Client ID and Secret for each Identity Governance application listed in Access Manager. Use the following table to correlate the names in Identity Governance to the names in Access Manager.

    3. Add the client IDs and secrets from Access Manager to the Workflow Engine configuration.

      1. Launch the Identity Governance Configuration Update utility. For more information, see Section 15.1.5, Using the OpenText Identity Governance Configuration Update Utility.

      2. Click the External Workflow tab.

      3. Copy the Client ID and Secret for each Identity Governance application listed in Access Manager. Use the following table to correlate the names in Workflow Engine to the names in Access Manager.

        Identity Governance Application Name   Access Manager Application Name
        Web Client                             wfconsole
        Workflow Consumer                      workflow

      4. Make sure all fields have valid entries.

  10. Update the ism-configuration.properties file on the Workflow Engine server with information from the Access Manager server.

    1. On the Identity Governance server, export the properties as in Step 2.b.a - 2.b.2, using a different backup filename.

    2. On the Workflow Engine server, copy the following property values from those exported in step 4.a into the ism-configuration.properties file.

      • com.microfocus.wfe.consumer.password

      • com.microfocus.wfe.consumer.password._attr_obscurity

      • com.microfocus.wfe.consumer.userId

Repeat Step 5, Step 6, and Step 7 for the Workflow Engine server.