4.3 Integrating Access Manager with Identity Governance

To use Access Manager as the authentication service for Identity Governance, you must configure Access Manager to use the OAuth 2.0 protocol, and you must define or add an attribute in the identity store for Access Manager to use to store authentication information. You can perform these steps before installing Identity Governance. If you use OSP as the authentication service and you want to move to Access Manager, you must perform these steps at that time.

4.3.1 Access Manager and the Identity Service Integration Checklist for OAuth 2.0

Access Manager integrates with Identity Governance through the use of the OAuth 2.0 protocol to allow for secure communication between the two products. OAuth 2.0 allows you to use different authentication methods beyond the name/password method. For more information, see OAuth and OpenID Connect in the NetIQ Access Manager 5.0 Administration Guide.

You must configure Access Manager to use OAuth 2.0 before starting the Identity Governance installation. You must also use an LDAP-based bootstrap administrator and add a special attribute to the identity store to store authentication information from Access Manager.

Use the following checklist to complete the configuration tasks in the identity store and Access Manager before starting the Identity Governance installation or if you want to stop using OSP as your authentication service.

Checklist Items

  1. Create an LDAP-based bootstrap administrator for Identity Governance. Identity Governance does not have access to the Access Manager file system to be able to use a file-based administrator.

    WARNING: Do not use the name admin and ensure that the name is unique.

    Create a user account in your identity service that has administrative rights to the identity service. Ensure that this account is only used as the bootstrap administrator for Identity Governance. For more information, see Section 4.1.1, Using the Bootstrap Administrator.

  2. Create an attribute in the identity service to store the authorization grant information from Access Manager. Identity Governance uses the term identity service to refer to the LDAP server that holds the authorized users. The LDAP directory can be Active Directory, Identity Manager Identity Vault, or eDirectory. Access Manager uses the term User Store to refer to the LDAP directory that stores the Access Manager users and configuration information.

    Access Manager stores the OAuth 2.0 authorization grant information for each user in an attribute in the identity service. You can use an unused attribute in your identity service or you can create a new attribute. This attribute must exist to enable OAuth 2.0 in Access Manager. The Access Manager documentation contains the instructions on how to create a new attribute for Active Directory and eDirectory. For more information, see Extending a User Store for OAuth 2.0 Authorization Grant Information in the NetIQ Access Manager 5.0 Administration Guide.

  3. Enable the OAuth protocol in Access Manager. For more information, see Enabling OAuth in Access Gateway in the NetIQ Access Manager 5.0 Administration Guide.

  4. Add your identity service as the local User Store in Access Manager. Access Manager must be able to access the authorized user accounts to be able to authenticate the users to Identity Governance. For more information, see Configuring Identity User Stores in the NetIQ Access Manager 5.0 Administration Guide.

  5. Configure an Access Manager authentication contract to define how the Identity Governance authorized users authenticate. You can define one or more authentication contracts for the authorized users to use, depending on the needs of the users. For more information, see Configuring Authentication Contracts in the NetIQ Access Manager 5.0 Administration Guide.

  6. Configure Access Manager to use the authentication contract for Identity Governance. You can define the Identity Governance authentication contract as the default authentication contract for Access Manager, or you can define the Identity Governance application as a protected resource in Access Manager to enable SSO for the authorized users.

  7. Register Identity Governance as an OAuth application in Access Manager. You must create an Access Manager role with the exact name of NAM_OAUTH2_ADMIN to register Identity Governance. For more information, see Registering OAuth Client Applications in the NetIQ Access Manager 5.0 Administration Guide.

4.3.2 Integrating Identity Governance and Access Manager During the Installation of Identity Governance

You can integrate Identity Governance and Access Manager during the installation of Identity Governance. You must select an LDAP-based bootstrap administrator and provide the Access Manager connection information during the installation. Installing Identity Governance contains the details for the configuration. For more information, see Section 6.4, Identity Governance Installation Worksheet.

After you have completed the Identity Governance installation and if you are using Active Directory as the identity service, you must change the Access Manager Mapping Table to point to the Active Directory attribute of distinguishedName instead of entryDN. For more information, see Editing Attribute Sets in the NetIQ Access Manager 5.0 Administration Guide.

  1. Log in to the Access Manager administration console as an administrator.

  2. Click Devices > Identity Server.

  3. Click the Shared Settings tab, then click the Attributes Sets tab.

  4. Click the Identity Governance object.

    • Identity Governance: If you used the default values during the Identity Governance Configuration Update utility conversion, the name is Micro Focus ISM.

    • Access Manager: If during the Access Manager OAuth Configuration you used the advanced option of ISM Application Instance ID the name is Micro Focus ISM_specified_name.

  5. Click Mapping.

  6. Click Ldap Attribute:entryDN [LDAP Attribute Profile].

  7. Select Local attribute.

  8. Select Ldap Attribute:distinguishedName [LDAP Attribute Profile].

  9. Click OK.

  10. Click Apply, then click OK.

  11. Click Servers, then click Update All.

  12. On the OSP server, restart Apache Tomcat. For more information, see Section 3.5.3, Starting and Stopping Apache Tomcat.

4.3.3 Integrating Identity Governance and Access Manager After the Identity Governance Installation (Single Server)

If you installed Identity Governance using OSP as the authentication service and now want to use Access Manager, you can make the change without uninstalling Identity Governance. The change requires multiple steps.

The process is different if you have Access Manager, Identity Governance, Identity Reporting, and Workflow Engine installed on separate servers. For more information, see Section 4.3.4, Integrating Identity Governance and Access Manager After the Identity Governance Installation in a Distributed Environment. Use the following information to switch from OSP to Access Manager if you have OSP and Identity Governance installed on the same server.

  1. Ensure that you have completed all of the Access Manager integration steps before proceeding. For more information, see Section 4.3.1, Access Manager and the Identity Service Integration Checklist for OAuth 2.0.

  2. Stop Apache Tomcat. For more information, see Section 3.5.3, Starting and Stopping Apache Tomcat.

  3. Verify that the single sign-on settings are populated.

    1. Launch the Identity Governance Configuration Update utility. For more information, see Section 15.1.5, Using the Identity Governance Configuration Update Utility.

    2. Click the IG SSO Clients tab.

    3. Click Show Advanced Options.

    4. Ensure that all of the fields except for Identity Governance Client > Additional mapped LDAP attributes are populated. If any fields are missing information, add the information for your environment.

    5. Click OK to save the configuration, even if you did not make any changes. The Identity Governance Configuration Update utility closes automatically.

  4. Verify that the ism-configuration.properties contains four response-types = client_credentials.

    1. Open the ism-configuration.properties file in a text editor. The default location is:

      • Linux: /opt/netiq/idm/apps/tomcat/conf

      • Windows: c:\netiq\idm\apps\tomcat\conf

    2. Search for response-types = client_credentials. There should be four.

    3. If there are not four entries, repeat Step 3.

  5. Change the authentication settings to use Access Manager.

    1. Launch the Identity Governance Configuration Update utility. For more information, see Section 15.1.5, Using the Identity Governance Configuration Update Utility.

    2. Click the Authentications tab.

    3. (Conditional) Select OAuth server uses TLS.

    4. Select Access Manager is the OAuth provider.

    5. Populate the following fields with the Access Manager information.

      OAuth server host name

      Specify the fully qualified DNS name of your Access Manager server.

      OAuth server TCP port

      Specify the port for Access Manager. The default is 443.

      Identity Governance bootstrap admin

      Browse to and select the LDAP bootstrap administrator you created in Step 1.

    6. Click Configure Access Manager now.

    7. Use the following information to configure Identity Governance to work with Access Manager:

      Administrative Console > Console host

      Specify the fully qualified DNS name of the Access Manager administration console.

      Administrative Console > Console port

      Specify the port for the Access Manager administration console.

      Administrative Console > Administrator DN

      Specify the fully qualified DN of an Access Manager administrator user.

      Administrative Console > Administrator Password

      Specify the password for the Access Manager administrator.

      Administrative Console > Update IDP

      Ensure that this option is selected to automatically update the Access Manager Identity Server with the Identity Governance information.

      OAuth 2.0 Administrator > Administrator DN

      Browse to and select the bootstrap administrator that you created with the NAM_OAUTH2_ADMIN Access Manager role in Step 7.

      OAuth 2.0 Administrator > Administrator Password

      Specify the password for the bootstrap administrator.

    8. Click OK to save the changes.

    9. Review and accept the certificate presented.

    10. After the configuration work is completed, click OK on the Notification message.

    11. Select the IG SSO Client tab and notice that the Client IDs and Secrets have been updated.

    12. Click OK to save the changes and the Identity Governance Configuration Update utility automatically closes.

  6. (Conditional) If you are using Active Directory as the identity service, change the Access Manager Mapping Table to point to the Active Directory attribute of distinguishedName instead of entryDN. For more information, see Editing Attribute Sets in the NetIQ Access Manager 5.0 Administration Guide.

    1. Log in to the Access Manager administration console as an administrator.

    2. Click Devices > Identity Server.

    3. Click the Shared Settings tab, then click the Attributes Sets tab.

    4. Click the Identity Governance object.

      • Identity Governance: If you used the default values during the Identity Governance Configuration Update utility conversion, the name is Micro Focus ISM.

      • Access Manager: If during the Access Manager OAuth Configuration you used the advanced option of ISM Application Instance ID the name is Micro Focus ISM_specified_name.

    5. Click Mapping.

    6. Click Ldap Attribute:entryDN [LDAP Attribute Profile].

    7. Select Local attribute.

    8. Select Ldap Attribute:distinguishedName [LDAP Attribute Profile].

    9. Click OK.

    10. Click Apply, then click OK.

    11. Click Servers, then click Update All.

  7. Ensure that the ism-configuration.properties file lists the protocol as secure.

    1. Open the ism-configuration.properties file in a text editor. The default location is:

      • Linux: /opt/netiq/idm/apps/tomcat/conf

      • Windows: c:\netiq\idm\apps\tomcat\conf

    2. Search for com.netiq.idm.osp.url.host.

    3. If it is not set to https change it from http to https.

    4. Save and close the file.

  8. (Conditional) If the ism-configuration.properties file was incorrect, the Identity Governance Configuration Update utility must receive a valid certificate.

    1. Launch the Identity Governance Configuration Update utility. For more information, see Section 15.1.5, Using the Identity Governance Configuration Update Utility.

    2. When it displays the fields, click OK.

    3. Review and accept the new certificate, then click OK to save and the Identity Governance Configuration Update utility automatically closes.

  9. Change additional settings in the Identity Governance Configuration utility.

    1. Launch the Identity Governance Configuration utility using the database password. For more information, see Section 15.1.4, Using the Identity Governance Configuration Utility.

    2. Click the Authentication tab.

    3. In the OAuth Server section, make the following changes:

      Same as IG Server

      Deselect this option.

      Protocol

      (Conditional) Change the protocol from http to https if it is not already at https.

      Host Name

      Specify the fully qualified DNS name of the Access Manager server.

      Port

      Specify the port for the Access Manager server. The default value is 443.

    4. Click Save to save the changes, then close the utility.

  10. Update the ism-configuration.properties file.

    1. Open the ism-configuration.properties file in a text editor. The default location is:

      • Linux: /opt/netiq/idm/apps/tomcat/conf

      • Windows: c:\netiq\idm\apps\tomcat\conf

    2. Add the following entry:

      com.netiq.iac.authserver.url.logout = ${com.netiq.idm.osp.url.host}/nidp/app/logout

    3. Save and close the file.
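    The checks in steps 4, 7 and 10 (the count of response-types = client_credentials entries, the https protocol on com.netiq.idm.osp.url.host, and the added logout entry) can be scripted. The following POSIX shell script is an added example, not part of the NetIQ documentation; it assumes a Java-style key = value properties file, and the sample it builds is constructed (the host names are placeholders). The same checks apply to the configutil backup file used in Section 4.3.4, with the expected count raised to six when the Workflow Engine entries are present.

```shell
#!/bin/sh
# Added example (not from the NetIQ documentation): post-switch checks on an
# ism-configuration.properties file after moving from OSP to Access Manager.
# Assumes Java-style "key = value" lines; comment lines start with # or !.

# Count the "<key>.response-types = client_credentials" entries.
# Step 4 expects four on a single server; a distributed install with the
# Workflow Engine entries present expects six. Always prints a number.
count_client_credentials() {
    grep -Ec '^[[:space:]]*[^#!][^=]*response-types[[:space:]]*=[[:space:]]*client_credentials[[:space:]]*$' "$1" || true
}

# Print the trimmed value of property $2 in file $1 (first match, empty if absent).
get_property() {
    key_re=$(printf '%s' "$2" | sed 's/\./\\./g')   # treat dots in the key literally
    sed -n "s/^[[:space:]]*${key_re}[[:space:]]*=[[:space:]]*//p" "$1" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

# Step 7: the OSP URL host must use https once Access Manager is the provider.
osp_host_is_https() {
    case "$(get_property "$1" com.netiq.idm.osp.url.host)" in
        https://*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Step 10: the logout entry must exist and end in the Access Manager logout path.
has_logout_entry() {
    case "$(get_property "$1" com.netiq.iac.authserver.url.logout)" in
        */nidp/app/logout) return 0 ;;
        *)                 return 1 ;;
    esac
}

# Run all three checks, print one line each, return the number of failures.
check_ism_config() {
    f="$1"
    expected="${2:-4}"
    failures=0
    n=$(count_client_credentials "$f")
    if [ "$n" -eq "$expected" ]; then
        echo "OK   $n response-types = client_credentials entries"
    else
        echo "FAIL $n response-types = client_credentials entries (expected $expected; repeat step 3)"
        failures=$((failures + 1))
    fi
    if osp_host_is_https "$f"; then
        echo "OK   com.netiq.idm.osp.url.host uses https"
    else
        echo "FAIL com.netiq.idm.osp.url.host is not https (step 7)"
        failures=$((failures + 1))
    fi
    if has_logout_entry "$f"; then
        echo "OK   com.netiq.iac.authserver.url.logout present"
    else
        echo "FAIL com.netiq.iac.authserver.url.logout missing (step 10)"
        failures=$((failures + 1))
    fi
    return "$failures"
}

# Write a constructed sample file and print its path. "good" mirrors the end
# state of steps 4, 7 and 10; anything else mirrors a file still pointing at OSP.
make_sample_config() {
    tmp=$(mktemp)
    if [ "$1" = good ]; then
        cat >"$tmp" <<'EOF'
# constructed sample, not a real ism-configuration.properties
com.netiq.idm.osp.url.host = https://nam.example.com:443
com.netiq.iac.dc_server.response-types = client_credentials
com.netiq.iac.dtp_server.response-types = client_credentials
com.netiq.iac.general-service.response-types = client_credentials
com.netiq.iac.wf_server.response-types = client_credentials
com.netiq.iac.authserver.url.logout = ${com.netiq.idm.osp.url.host}/nidp/app/logout
EOF
    else
        cat >"$tmp" <<'EOF'
# constructed sample: OSP still in use, one response-types entry missing
com.netiq.idm.osp.url.host = http://osp.example.com:8180
com.netiq.iac.dc_server.response-types = client_credentials
com.netiq.iac.dtp_server.response-types = client_credentials
com.netiq.iac.general-service.response-types = client_credentials
EOF
    fi
    echo "$tmp"
}

# Usage: sh check_ism.sh /opt/netiq/idm/apps/tomcat/conf/ism-configuration.properties [expected]
# Without arguments the script demonstrates itself on the constructed "good" sample.
if [ "$#" -gt 0 ]; then
    check_ism_config "$1" "${2:-4}"
else
    sample=$(make_sample_config good)
    check_ism_config "$sample" 4
    rm -f "$sample"
fi
```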

  11. Clean up Apache Tomcat.

    1. Delete the following cache directory. This is the default location.

      • Linux: /opt/netiq/idm/apps/tomcat/work/Catalina/localhost

      • Windows: c:\netiq\idm\apps\tomcat\work\Catalina\localhost

    2. Delete all of the files and sub-folders in the temp directory. This is the default location.

      • Linux: /opt/netiq/idm/apps/tomcat/temp

      • Windows: c:\netiq\idm\apps\tomcat\temp

    3. Delete or move any Apache Tomcat log files. This is the default location.

      • Linux: /opt/netiq/idm/apps/tomcat/logs

      • Windows: c:\netiq\idm\apps\tomcat\logs

  12. Start Apache Tomcat. For more information, see Section 3.5.3, Starting and Stopping Apache Tomcat.

  13. Log in to Identity Governance to test if the authentication is now going through Access Manager.

4.3.4 Integrating Identity Governance and Access Manager After the Identity Governance Installation in a Distributed Environment

Identity Governance allows you to switch your authentication service from OSP to Access Manager without having to reinstall Identity Governance. If you have OSP, Identity Governance, Identity Reporting, and Workflow Engine installed on separate servers, you must use the following procedure to make the change. The steps are different from those for an installation with all of the components on one server. If you have all of the components installed on one server, see Section 4.3.2, Integrating Identity Governance and Access Manager During the Installation of Identity Governance.

  1. Ensure that you have completed all of the Access Manager integration steps before proceeding. For more information, see Section 4.3.1, Access Manager and the Identity Service Integration Checklist for OAuth 2.0.

  2. On the OSP server, change the authentication service to Access Manager.

    1. Stop Apache Tomcat on the OSP, Identity Governance, Identity Reporting, and Workflow Engine servers. For more information, see Section 3.5.3, Starting and Stopping Apache Tomcat.

      1. Verify that the single sign-on settings are populated.

        1. Launch the Identity Governance Configuration Update utility. For more information, see Section 15.1.5, Using the Identity Governance Configuration Update Utility.

        2. Click the IG SSO Clients tab.

        3. Click Show Advanced Options.

        4. Ensure that all of the fields except for Identity Governance Client > Additional mapped LDAP attributes are populated. If any fields are missing information, add the information for your environment.

        5. Click the External Workflow tab.

        6. (Conditional) Ensure that all the above fields are populated. If any fields are missing information, add the information for your environment.

        7. Click OK to save the configuration, even if you did not make any changes. The Identity Governance Configuration Update utility closes automatically.

    2. Verify that the database contains four or six response-types = client_credentials.

      1. On the Identity Governance server, create the following script using the path and file name of your choice:

        • set-backup-dir <path>

        • set-backup-file-name <filename>

        • backup

      2. Execute the script:

        /opt/netiq/idm/apps/idgov/bin/configutil.sh -password <password> -script <script>

      3. Open the backup file and look for the instances of client_credentials.

        Search for the following entries once you open the backup file for Identity Governance:

        • com.netiq.iac.dc_server.response-types

        • com.netiq.iac.dtp_server.response-types

        • com.netiq.iac.general-service.response-types

        • com.netiq.iac.wf_server.response-types

        (Conditional) Search for the following entries once you open the backup file for the Workflow Engine:

        • com.netiq.iac.standaloneworkflow.response-types

        • com.netiq.workflow.response-types

    3. Change the authentication settings to use Access Manager.

      1. Launch the Identity Governance Configuration Update utility. For more information, see Section 15.1.5, Using the Identity Governance Configuration Update Utility.

      2. Click the Authentication tab.

      3. (Conditional) Select OAuth server uses TLS.

      4. Select Access Manager is the OAuth provider.

      5. Populate the following fields with the Access Manager information.

        OAuth server host name

        Specify the fully qualified DNS name of your Access Manager server.

        OAuth server TCP port

        Specify the port for Access Manager. The default is 443.

        Identity Governance Bootstrap Admin

        Browse to and select the LDAP bootstrap administrator you created in Step 1.

      6. Click Configure Access Manager now.

      7. Click the Show Advanced Options button.

      8. Use the following information to configure Identity Governance to work with Access Manager:

        Administrative Console > Console host

        Specify the fully qualified DNS name of the Access Manager administration console.

        Administrative Console > Console port

        Specify the port for the Access Manager administration console.

        Administrative Console > Administrator DN

        Specify the fully qualified DN of an Access Manager administrator user.

        Administrative Console > Administrator Password

        Specify the password for the Access Manager administrator.

        Administrative Console > Update IDP

        Ensure that this option is selected to automatically update the Access Manager Identity Server with the Identity Governance information.

        OAuth 2.0 Administrator > Administrator DN

        Browse to and select the bootstrap administrator that you created with the NAM_OAUTH2_ADMIN Access Manager role in Step 7.

        OAuth 2.0 Administrator > Administrator Password

        Specify the password for the bootstrap administrator.

      9. Click OK to save the changes.

      10. Review and accept the certificate presented.

      11. After the configuration work is completed, click OK on the Notification message.

      12. (Conditional) Select the External Workflow tab and notice that the Client IDs and Secrets have been updated.

      13. Select the IG SSO Client tab and notice that the Client IDs and Secrets have been updated.

      14. Click OK to save the changes and the Identity Governance Configuration Update utility automatically closes.

    4. Ensure the com.netiq.idm.osp.url.host property is set correctly with a secure protocol.

      1. On the Identity Governance server, create a script with the following content:

        display-configs com.netiq.idm.osp.url.host

      2. Execute the script.

        /opt/netiq/idm/apps/idgov/bin/configutil.sh -password <password> -script <script>

      3. (Conditional) If you need to update the value, create and execute the following script with your expected protocol, server, and host. The script prints the final value after the change.

        set-property com.netiq.idm.osp.url.host https://<Access Manager DNS name>

        display-configs com.netiq.idm.osp.url.host

        set-property com.netiq.iac.authserver.host https://<Access Manager DNS name>

        display-configs com.netiq.iac.authserver.host

        set-property com.netiq.client.authserver.url.logout https://<Access Manager DNS name>/nidp/app/logout

        display-configs com.netiq.client.authserver.url.logout

      4. Save and close the file.

    5. (Conditional) If you are using Active Directory as the identity service, change the Access Manager Mapping Table to point to the Active Directory attribute of distinguishedName instead of entryDN. For more information, see Editing Attribute Sets in the NetIQ Access Manager 5.0 Administration Guide.

      1. Log in to the Access Manager administration console as an administrator.

      2. Click Devices > Identity Server.

      3. Click the Shared Settings tab, then click the Attributes Sets tab.

      4. Click the Identity Governance object.

        • Identity Governance: If you used the default values during the Identity Governance Configuration Update utility conversion, the name is Micro Focus ISM.

        • Access Manager: If during the Access Manager OAuth Configuration you used the advanced option of ISM Application Instance ID the name is Micro Focus ISM_specified_name.

      5. Click Mapping.

      6. Click Ldap Attribute:entryDN [LDAP Attribute Profile].

      7. Select Local attribute.

      8. Select Ldap Attribute:distinguishedName [LDAP Attribute Profile].

      9. Click OK.

      10. Click Apply, then click OK.

      11. Click Servers, then click Update All.

    6. (Conditional) If the ism-configuration.properties file was incorrect, the Identity Governance Configuration Update utility must receive a valid certificate.

      1. Launch the Identity Governance Configuration Update utility. For more information, see Section 15.1.5, Using the Identity Governance Configuration Update Utility.

      2. When it displays the fields, click OK.

      3. Review and accept the new certificate, then click OK to save and the Identity Governance Configuration Update utility automatically closes.

  3. On the Identity Governance server, change the authentication service to Access Manager.

    1. At the Access Manager URL, access the OAuth Client IDs and Secrets.

      1. On the Identity Governance server launch a browser and access the Access Manager administration console.

      2. On the Dashboard under Identity Servers, select IDPCluster.

      3. Click the OAuth & OpenID Connect tab, then click the Client Applications tab.

      4. Leave the Client Applications tab open because it contains the client IDs and secrets for the Identity Governance applications that you created in Step 7. Add this information to the Identity Governance configuration.

    2. Verify that the client IDs and secrets from Access Manager are present in the Identity Governance configuration. Because the properties are stored in the OSP database, and Configupdate on both the OSP and Identity Governance servers has connection information for that database, the entries should already be populated.

      1. Launch the Identity Governance Configuration Update utility. For more information, see Section 15.1.5, Using the Identity Governance Configuration Update Utility.

      2. Click the IG SSO Clients tab.

      3. Copy the Client ID and Secret for each Identity Governance application listed in Access Manager. Use the following table to correlate the names in Identity Governance to the names in Access Manager.

        IMPORTANT: Ensure that you copy the Client ID, not the Client Application Name.

        Identity Governance Application Name          Access Manager Application Name
        Identity Governance                           iac
        Request Client                                cx_client
        Data Connectivity Service                     iac_dc_server
        General Service                               iac_general_service
        Data Transformation and Processing Service    iac_dtp_server
        Workflow Service                              iac_wf_server
        Form Builder Client                           form_builder
        Identity Governance Client                    iac_ig_web

    3. In the Identity Governance Configuration Update utility ensure that the authentication settings are set to Access Manager values.

      1. Click the Authentication tab.

      2. (Conditional) Select OAuth server uses TLS.

      3. Select Access Manager is the OAuth provider.

      4. Populate the following fields with the Access Manager information.

        OAuth server host name

        Specify the fully qualified DNS name of your Access Manager server.

        OAuth server TCP port

        Specify the port for Access Manager. The default is 443.

        Identity Governance bootstrap admin

        Browse to and select the LDAP bootstrap administrator you created in Step 1.

      5. Click OK to save the changes and the Identity Governance Configuration Update utility automatically closes.

    4. Ensure that the ism-configuration.properties file lists the protocol as secure.

      1. Open the ism-configuration.properties file in a text editor. The default location is:

        • Linux: /opt/netiq/idm/apps/tomcat/conf

        • Windows: c:\netiq\idm\apps\tomcat\conf

      2. Search for com.netiq.idm.osp.url.host.

      3. If it is not set to https change it from http to https.

      4. Save and close the file.

    5. (Conditional) If the ism-configuration.properties file was incorrect, the Identity Governance Configuration Update utility must receive a valid certificate.

      1. Launch the Identity Governance Configuration Update utility. For more information, see Section 15.1.5, Using the Identity Governance Configuration Update Utility.

      2. When it displays the fields, click OK.

      3. Review and accept the new certificate, then click OK to save and the Identity Governance Configuration Update utility automatically closes.

  4. On the Identity Governance server, change additional settings in the Identity Governance Configuration utility.

    1. Launch the Identity Governance Configuration utility using the database password. For more information, see Section 15.1.4, Using the Identity Governance Configuration Utility.

    2. Click the Authentication tab.

    3. In the OAuth Server section, make the following changes:

      Protocol

      (Conditional) Change the protocol from http to https if it is not already at https.

      Host Name

      Specify the fully qualified DNS name of the Access Manager server.

      Port

      Specify the port for the Access Manager server. The default value is 443.

    4. In the Bootstrap Admin section, update the Name field to contain the fully qualified DN name of the bootstrap administrator you created in Step 1.

    5. Click Save to save the changes, then close the utility.

  5. On the Identity Governance server, clean up Apache Tomcat.

    1. Delete the following cache directory. This is the default location.

      • Linux: /opt/netiq/idm/apps/tomcat/work/Catalina/localhost

      • Windows: c:\netiq\idm\apps\tomcat\work\Catalina\localhost

    2. Delete all of the files and sub-folders in the temp directory. This is the default location.

      • Linux: /opt/netiq/idm/apps/tomcat/temp

      • Windows: c:\netiq\idm\apps\tomcat\temp

    3. Delete or move any Apache Tomcat log files. This is the default location.

      • Linux: /opt/netiq/idm/apps/tomcat/logs

      • Windows: c:\netiq\idm\apps\tomcat\logs

  6. On the Identity Governance server only, start Apache Tomcat. For more information, see Section 3.5.3, Starting and Stopping Apache Tomcat.

  7. Test authentication to Identity Governance to ensure that the changes worked.

  8. Make the following changes to the Identity Reporting server to use Access Manager instead of OSP.

    1. On the Identity Reporting server, change the authentication service to Access Manager.

      1. On the Access Manager server, access the OAuth Client IDs and Secrets.

        1. On the Identity Reporting server launch a browser and access the Access Manager administration console.

        2. On the Dashboard under Identity Servers, select IDPCluster.

        3. Click the OAuth & OpenID Connect tab, then click the Client Applications tab.

        4. Leave the Client Applications tab open, because it contains the client IDs and secrets for the Identity Governance applications that you created in Step 7. You will add this information to the Identity Governance configuration.

      2. Add the client IDs and secrets from Access Manager to the Identity Reporting server configuration.

        1. Launch the Identity Governance Configuration Update utility. For more information, see Section 15.1.5, Using the Identity Governance Configuration Update Utility.

        2. Click the OAuth SSO Client tab.

        3. Copy the Client ID and Secret for the Identity Reporting application listed in Access Manager as rpt to the Reporting application.

          IMPORTANT: Ensure that you copy the Client ID, not the Client Application Name.

          Identity Governance Application Name    Access Manager Application Name
          Reporting Utility Client                rpt
          Reporting Client                        rpt_rpt_web

      3. In the Identity Governance Configuration Update utility ensure that the authentication settings are set to Access Manager values.

        1. Click the Authentications tab.

        2. (Conditional) Select OAuth server uses TLS.

        3. Select Access Manager is the OAuth provider.

        4. Populate the following fields with the Access Manager information.

          OAuth server host name

          Specify the fully qualified DNS name of your Access Manager server.

          OAuth server TCP port

          Specify the port for Access Manager. The default is 443.

        5. Click OK to save the changes and the Identity Governance Configuration Update utility automatically closes.

    2. Ensure the com.netiq.idm.osp.url.host property is set correctly with a secure protocol.

      1. On the Identity Governance server, create a script with the following content:

        display-configs com.netiq.idm.osp.url.host

      2. Execute the script.

        /opt/netiq/idm/apps/idgov/bin/configutil.sh -password <password> -script <script>

      3. (Conditional) If you need to update the value, create and execute the following script with your expected protocol, server, and host. The script prints the final value after the change.

        set-property com.netiq.idm.osp.url.host https://<server>

        display-configs com.netiq.idm.osp.url.host

      4. Save and close the file.
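The following shell functions are an added example and are not part of the NetIQ documentation or of the product. They wrap steps 2.1 through 2.3 above: is_secure_osp_host checks a candidate value for com.netiq.idm.osp.url.host before it is written anywhere (https scheme, fully qualified host, optional numeric port, and no path, query string or embedded credentials; these rules are our own, not the product's), and write_osp_host_script emits the set-property/display-configs script in the form shown above for you to pass to configutil.sh. The example does not run configutil.sh itself, and the sample hostnames in the comments are constructed.

```shell
# Added example, not from the NetIQ documentation. Validates a value for the
# OSP URL host property and writes the configutil script that sets and
# re-displays it. Property name and script commands are as shown in the guide;
# the validation rules below are our own.

PROP="com.netiq.idm.osp.url.host"

# is_secure_osp_host VALUE -> returns 0 if VALUE has the form
# "https://<fqdn>[:port]" with no path, query, spaces or userinfo; 1 otherwise.
is_secure_osp_host() {
    value="$1"
    case "$value" in
        https://*) ;;            # only a TLS URL is acceptable
        *) return 1 ;;
    esac
    rest="${value#https://}"
    case "$rest" in
        ''|*/*|*\?*|*@*|*' '*) return 1 ;;   # reject path, query, userinfo, spaces
    esac
    host="${rest%%:*}"
    port="${rest#"$host"}"
    port="${port#:}"
    # the host must be fully qualified (contain a dot) and use only
    # letters, digits, dots and hyphens
    case "$host" in
        *.*) ;;
        *) return 1 ;;
    esac
    case "$host" in
        *[!A-Za-z0-9.-]*) return 1 ;;
    esac
    if [ -n "$port" ]; then
        case "$port" in
            *[!0-9]*) return 1 ;;
        esac
        [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    fi
    return 0
}

# write_osp_host_script VALUE FILE -> writes the two-line configutil script
# (set-property, then display-configs) to FILE; fails without writing if
# VALUE does not pass is_secure_osp_host.
write_osp_host_script() {
    is_secure_osp_host "$1" || return 1
    printf 'set-property %s %s\ndisplay-configs %s\n' "$PROP" "$1" "$PROP" > "$2"
}

# Example use (constructed hostname):
#   write_osp_host_script "https://am.example.com" /tmp/osp-host.script
#   /opt/netiq/idm/apps/idgov/bin/configutil.sh -password <password> -script /tmp/osp-host.script
```

Because the check runs before anything is written, a plain http:// value or a value with a path or user@ prefix never reaches the configuration; the script file is only produced for a value the product can use as a secure OSP host URL.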

    3. (Conditional) If the ism-configuration.properties file was incorrect, the Identity Governance Configuration Update utility must receive a valid certificate.

      1. On the Identity Reporting server, launch the Identity Governance Configuration Update utility. For more information, see Section 15.1.5, Using the Identity Governance Configuration Update Utility.

      2. When it displays the fields, click OK.

      3. Review and accept the new certificate, then click OK to save and the Identity Governance Configuration Update utility automatically closes.

    4. On the Identity Reporting server clean up Apache Tomcat.

      1. Delete the following cache directory. This is the default location.

        • Linux: /opt/netiq/idm/apps/tomcat/work/Catalina/localhost

        • Windows: c:\netiq\idm\apps\tomcat\work\Catalina\localhost

      2. Delete all of the files and sub-folders in the temp directory. This is the default location.

        • Linux: /opt/netiq/idm/apps/tomcat/temp

        • Windows: c:\netiq\idm\apps\tomcat\temp

      3. Delete or move any Apache Tomcat log files. This is the default location.

        • Linux: /opt/netiq/idm/apps/tomcat/logs

        • Windows: c:\netiq\idm\apps\tomcat\logs
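The following shell function is an added example and is not part of the NetIQ documentation or of the product. It performs the three clean-up steps above on a Linux server using the default paths from this section: it removes the work/Catalina/localhost cache, empties temp while keeping the directory itself, and moves the log files into a timestamped archive directory instead of deleting them, so they remain available if authentication fails afterwards. The archive location, the sanity check on the directory layout, and the count_entries helper are our own additions. Run it only while Apache Tomcat is stopped.

```shell
# Added example, not from the NetIQ documentation. Cleans the Apache Tomcat
# work and temp directories and archives the logs. Default path is the
# Linux default from the guide; the archive directory is our own choice.

# cleanup_tomcat [TOMCAT_HOME] [ARCHIVE_DIR]
#   Removes work/Catalina/localhost, empties temp/, and moves logs/* into
#   ARCHIVE_DIR/<timestamp>. Returns 1 without touching anything if
#   TOMCAT_HOME does not contain work/, temp/ and logs/, so a mistyped
#   path cannot wipe an unrelated directory.
cleanup_tomcat() {
    tomcat="${1:-/opt/netiq/idm/apps/tomcat}"
    archive="${2:-$tomcat/logs-archive}"
    stamp=$(date +%Y%m%d-%H%M%S)

    [ -d "$tomcat/work" ] && [ -d "$tomcat/temp" ] && [ -d "$tomcat/logs" ] || return 1

    # Step 1: the compiled-JSP / session cache for the localhost host
    rm -rf "$tomcat/work/Catalina/localhost"

    # Step 2: everything under temp/, but keep temp/ itself; Tomcat expects it
    find "$tomcat/temp" -mindepth 1 -delete

    # Step 3: move the logs aside rather than deleting them
    mkdir -p "$archive/$stamp"
    find "$tomcat/logs" -mindepth 1 -maxdepth 1 -exec mv {} "$archive/$stamp/" \;
    return 0
}

# count_entries DIR -> number of entries directly inside DIR
count_entries() {
    find "$1" -mindepth 1 -maxdepth 1 | wc -l | tr -d ' '
}

# Example use with the default Tomcat home (constructed archive path):
#   cleanup_tomcat /opt/netiq/idm/apps/tomcat /var/backups/tomcat-logs
```

Keeping the old log files is the part worth automating: once the server starts with the new configuration, the previous catalina and localhost logs are the only record of what the OSP-based setup was doing, and a failed login attempt after the switch is much easier to diagnose when they can still be compared.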

    5. On the Identity Reporting server only, start Apache Tomcat. For more information, see Section 3.5.3, Starting and Stopping Apache Tomcat.

    6. Test authentication to Identity Governance to ensure that the changes worked.

  9. On the Workflow Engine server, change the authentication service to Access Manager.

    1. At the Access Manager URL, access the OAuth Client IDs and Secrets.

      1. On the Identity Governance server launch a browser and access the Access Manager administration console.

      2. On the Dashboard under Identity Servers, select IDPCluster.

      3. Click the OAuth & OpenID Connect tab, then click the Client Applications tab.

      4. Leave the Client Applications tab open because it contains the client IDs and secrets for the Identity Governance applications that you created in Step 7. Add this information to the Identity Governance configuration.

    2. Verify that the client IDs and secrets from Access Manager have been propagated to the Identity Governance configuration. Because the properties are stored in the OSP database, and Configupdate on both the OSP and Identity Governance servers has the connection information for that database, the entries should already be populated.

      1. Launch the Identity Governance Configuration Update utility. For more information, see Section 15.1.5, Using the Identity Governance Configuration Update Utility.

      2. Click the IG SSO Clients tab.

      3. Copy the Client ID and Secret for each Identity Governance application listed in Access Manager. Use the following table to correlate the names in Identity Governance to the names in Access Manager.

    3. Add the client IDs and secrets from Access Manager to the Workflow Engine configuration.

      1. Launch the Identity Governance Configuration Update utility. For more information, see Section 15.1.5, Using the Identity Governance Configuration Update Utility.

      2. Click the External Workflow tab.

      3. Copy the Client ID and Secret for each Identity Governance application listed in Access Manager. Use the following table to correlate the names in Workflow Engine to the names in Access Manager.

        Identity Governance Application Name    Access Manager Application Name
        Web Client                              wfconsole
        Workflow Consumer                       workflow

      4. Make sure all fields have valid entries.

  10. Update the ism-configuration.properties file on the Workflow Engine server with information from the Access Manager server.

    1. On the Identity Governance server, export the properties as in Step 2.b.a - 2.b.2, using a different backup filename.

    2. On the Workflow Engine server, copy the following property values from those exported in step 4.a into the ism-configuration.properties file.

      • com.microfocus.wfe.consumer.password

      • com.microfocus.wfe.consumer.password._attr_obscurity

      • com.microfocus.wfe.consumer.userId

Repeat Step 5, Step 6, and Step 7 for the Workflow Engine server.