15.2 Managing the Bootstrap Administrator

You define the bootstrap administrator during the installation process. Identity Governance allows you to create a new bootstrap administrator in certain scenarios, change the password, and change the details of the bootstrap administrator after you have completed the installation. Use the following information to perform those actions.

15.2.1 Creating a Bootstrap Administrator Using a Script

You would use the bootstrap administrator script to create a new bootstrap administrator account in the following scenarios:

  • If you are using the Identity Manager OSP instead of the OSP that comes with Identity Governance.

  • If you specify LDAP for the bootstrap administrator during the installation and want to change to using a file-based bootstrap administrator.

If you are going to use the bootstrap administrator script, you must use it after the OSP and Identity Governance installations complete. The Identity Governance installer places the script on the Identity Governance server. The bootstrap administrator script contains links that the installer configures relative to the JARs that the installer creates during the Identity Governance installation.

The default location of the bootstrap administrator script is:

  • Linux: /opt/netiq/idm/apps/idgov/bin/bootstrap-file-gen.sh

  • Windows: C:\netiq\idm\apps\idgov\bin\bootstrap-file-gen.bat

You use the bootstrap administrator script with parameters that define an alternate name for the administrator account, the password for the administrator account, and the location of the bootstrap administrator file. The following table lists the parameters, the default values, and a description of the parameter. If you run the script but do not use the parameters, the script uses the default values.

Table 15-2 Bootstrap Administrator Script Parameters

Parameter

Default Value

Description

-p

None

You must use this option with a password to set the password for the bootstrap administrator account.

-u

igadmin

Defines an alternate user name for the bootstrap administrator account.

-f

File name with the relative or absolute path

Defines the file location to redirect the bootstrap credentials.

To run the bootstrap administrator script:

  1. Access the command line utility on the Identity Governance server.

  2. Access the directory where the installer placed the bootstrap administrator script.

    • Linux: /opt/netiq/idm/apps/idgov/bin/

    • Windows: C:\netiq\idm\apps\idgov\bin\

  3. Execute the script with the appropriate parameters for your environment. For example:

    • Linux: ./bootstrap-file-gen.sh -p password -u bootstrap administrator name -f /opt/netiq/idm/apps/idgov/adminusers.txt

    • Windows: bootstrap-file-gen -p password -u bootstrap administrator name -f C:\netiq\idm\apps\idgov\adminusers.txt

  4. Restart Apache Tomcat to have the change take effect. For an example, see Section 3.5.3, Starting and Stopping Apache Tomcat.

15.2.2 Changing the Password for the Bootstrap Administrator

If you have the bootstrap administrator coming from the file system, you can change the password using the bootstrap administrator script. If you use an LDAP-based bootstrap, you must update the password stored within the LDAP server. Use the following steps to change the password if you use OSP as the authentication service and file-based bootstrap administrator where the system stores the credentials within a file.

  1. Run the bootstrap administrator script from a command line as follows:

    • Linux: ./bootstrap-file-gen.sh -p password

    • Windows: bootstrap-file-gen -p password

  2. (Conditional) If OSP runs on a separate server than Identity Governance, copy the adminusers.txt file to the OSP server and place it in the following directory:

    • Linux: /opt/netiq/idm/apps/osp/osp-extras/adminusers.txt

    • Windows: c:\netiq\idm\apps\osp\osp-extras\adminusers.txt

    The Identity Governance Configuration Update utility displays the path to this directory under Advanced Options. To see the path, click the Authentication tab, then Identity Governance Bootstrap Administrator.

  3. Restart Apache Tomcat on the server running OSP. For more information, see Section 3.5.3, Starting and Stopping Apache Tomcat.

15.2.3 Changing the Details of the Bootstrap Administrator

Identity Governance allows to you change if the bootstrap administrator is file-based or LDAP-based after the installation without having to run the installation a second time. You use the Identity Governance Configuration utility to make these changes.

  1. From a command prompt, launch the Identity Governance Configuration utility with the database password. For more information, see Section 15.1.4, Using the Identity Governance Configuration Utility.

  2. Click the Authentication Server Details tab.

  3. (Conditional) Change the bootstrap administrator to be file-based.

    1. Select Bootstrap Admin > Authentication Source > File.

    2. In Bootstrap Admin > Name, specify the name for the bootstrap administrator. The default name is igadmin.

    3. In Bootstrap Admin > Directory, specify the directory where the file is located that stores your bootstrap administrator information. The default location is:

      • Linux: /opt/netiq/idm/apps/idgov/osp/adminusers.txt

      • Windows: c:\netiq\idm\apps\idgov\osp\adminusers.txt

    4. In Bootstrap Admin > Filename, specify the file name for the bootstrap administrator. The default name is adminusers.txt.

    5. Click Save to save the changes.

  4. (Conditional) Change the bootstrap administrator to be LDAP-Based.

    1. Select Bootstrap Admin > Authentication Source > Identity Vault.

    2. In Bootstrap Admin > Name, specify the fully qualified domain name of a unique administrator user in LDAP. For example, cn=uaadmin,ou=sa,o=data

      NOTE:The name of this account must be unique. Do not duplicate any accounts in the adminusers.txt file or in the container source or subtrees that you use for authentication.

    3. Click Save.