This chapter provides information and procedures for using the Administrator Interface to set up and maintain Identity Manager objects. For more information about Identity Manager objects, see Identity Manager Objects of the Overview chapter.
For information about configuring Identity Manager for a Service Provider implementation, see Chapter 17, Service Provider Administration.
This chapter is organized in the following topics:
Read this section for information about configuring user policies.
This section contains the following topics:
Identity Manager policies set limitations for Identity Manager users by establishing constraints for Identity Manager accountID, login, and password characteristics.
Identity Manager also provides Audit policies that are specifically designed to audit user compliance. Audit policies are discussed in Chapter 13, Identity Auditing: Basic Concepts.
Policies are categorized as the following types:
Identity System Account policies. Establish user, password, and authentication policy options and constraints. You assign Identity System Account policies to organizations from the Create and Edit Organization pages or to users from the Create and Edit User pages.
You can set or select the following options:
User Account Policy Options. Specify how Identity Manager treats user accounts if a user fails to correctly answer authentication questions.
Password Policy Options. Set password expiration, warning time before expiration, and reset options.
Secondary Authentication Policy Options. Determine how authentication questions are presented to the user, whether the user can provide his own authentication questions, whether authentication is enforced at login, and which bank of questions can be presented to a user.
Service Provider System Account policies. Use this policy type in a service provider implementation to establish user, password, and authentication policy options and constraints for service provider users. You assign the policies to organizations from the Create and Edit Organization pages or to users from the Create and Edit Service Provider User pages.
String Quality Policies. Include policy types such as password, accountID, and authentication. Use this policy type to set length rules, character type rules, allowed words, and attribute values. String quality policies are tied to each Identity Manager resource and are set on each resource page. The following figure provides an example.
You can set the following options and rules for passwords and accountIDs:
Length rules. Determine minimum and maximum length.
Character type rules. Set minimum and maximum allowable values for alphabetic, numeric, uppercase, lowercase, repetitive, and sequential characters.
Password re-use limits. Specify the number of passwords preceding the current password that cannot be reused. When a user attempts to change his password, the new password is compared to the password history to ensure that it is unique. For security reasons, only a digital signature of each previous password is saved, and new passwords are compared against these signatures rather than against the passwords themselves.
Prohibited words and attribute values. Specify words and attributes that cannot be used as part of an ID or password.
You create and edit Identity Manager user policies from the Policies page. To open this page, follow these steps:
Log in to the Administrator interface.
Click the Security tab, then click the Policies subtab.
The Policies page opens as shown in the following figure.
You can change the allowed set of “must not contain” attributes in the UserUIConfig configuration object.
Attributes are listed in UserUIConfig as follows:
Attribute                          Policy Type
<PolicyPasswordAttributeNames>     Password
<PolicyAccountAttributeNames>      AccountId
<PolicyOtherAttributeNames>        Other
A dictionary policy enables Identity Manager to check passwords against a word database to ensure that they are protected from a simple dictionary attack. By using this policy with other policy settings to enforce the length and makeup of passwords, Identity Manager makes it difficult to use a dictionary to guess passwords that are generated or changed in the system.
The dictionary policy extends the password exclusion list that you can set up with the policy. (This list is implemented by the Must Not Contain Words option on the Administrator Interface password Edit Policy page.)
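The following added example (not Identity Manager's own code) shows how the string quality rules listed earlier (length, character types, repetitive and sequential characters, prohibited words, "must not contain" attribute values, and re-use limits checked against password digests) combine with a dictionary check of the kind this policy adds. The policy values, the in-memory dictionary and the user record are constructed for the example; a real dictionary policy reads the words from the configured database.

```python
import hashlib

# Constructed policy settings mirroring the rule types described above; the
# values are illustrative, not Identity Manager defaults.
POLICY = {
    "min_length": 8, "max_length": 32,
    "min_numeric": 1, "min_uppercase": 1, "min_lowercase": 1,
    "max_repetitive": 2,          # longest run of one repeated character allowed
    "max_sequential": 3,          # longest run such as "abcd" or "1234" allowed
    "reuse_limit": 3,             # previous passwords that may not be reused
    "must_not_contain_words": {"identity", "manager"},
    "must_not_contain_attrs": ("accountId", "fullname"),
    "check_dictionary": True,
}

# Constructed stand-in for the loaded dictionary table (the real one is a database).
DICTIONARY = {"password", "welcome", "summer"}


def digest(password):
    # The history keeps only a digest of each previous password, never the clear text.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def longest_run(text, step):
    """Longest run in which each character's code point is the previous one plus step.
    step=0 measures repeated characters ("aaa"), step=1 measures sequences ("abcd")."""
    best = run = 1 if text else 0
    for a, b in zip(text, text[1:]):
        run = run + 1 if ord(b) == ord(a) + step else 1
        best = max(best, run)
    return best


def check_password(password, user, history_digests, policy=POLICY):
    """Return the list of rule violations; an empty list means the password is accepted."""
    errors = []
    low = password.lower()
    if not policy["min_length"] <= len(password) <= policy["max_length"]:
        errors.append("length")
    if sum(c.isdigit() for c in password) < policy["min_numeric"]:
        errors.append("numeric")
    if sum(c.isupper() for c in password) < policy["min_uppercase"]:
        errors.append("uppercase")
    if sum(c.islower() for c in password) < policy["min_lowercase"]:
        errors.append("lowercase")
    if longest_run(low, 0) > policy["max_repetitive"]:
        errors.append("repetitive")
    if longest_run(low, 1) > policy["max_sequential"]:
        errors.append("sequential")
    if any(word in low for word in policy["must_not_contain_words"]):
        errors.append("prohibited word")
    # "Must not contain" attribute values come from the user's own record.
    for attr in policy["must_not_contain_attrs"]:
        value = str(user.get(attr, "")).lower()
        if value and value in low:
            errors.append("contains " + attr)
    if policy["check_dictionary"] and low in DICTIONARY:
        errors.append("dictionary word")
    # Only the most recent reuse_limit digests are compared.
    recent = history_digests[-policy["reuse_limit"]:] if policy["reuse_limit"] else []
    if digest(password) in recent:
        errors.append("reused")
    return errors
```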
To set up a dictionary policy, you must:
Configure dictionary server support
Load the dictionary
Open the Policies page as described in To Open the Policies Page.
Click Configure Dictionary to display the Dictionary Configuration page.
Select and enter database information.
Database information includes:
Database Type. Select the database type (Oracle, DB2, SQLServer, or MySQL) that you will use to store the dictionary.
Host. Enter the name of the host where the database is running.
User. Enter the user name to use when connecting to the database.
Password. Enter the password to use when connecting to the database.
Port. Enter the port on which the database is listening.
Connection URL. Enter the URL to use when connecting. These template variables are available:
%h - host
%p - port
%d - database name
Driver Class. Enter the JDBC driver class to use while interacting with the database.
Database Name. Enter the name of the database where the dictionary will be loaded.
Dictionary Filename. Enter the name of the file to use when loading the dictionary.
Click Test to test the database connection.
If the connection test is successful, click Load Words to load the dictionary. The load task may take a few minutes to complete.
Click Test to ensure that the dictionary was loaded correctly.
Use the following steps to implement a dictionary policy:
Open the Policies page as described in To Open the Policies Page.
Click the Password Policy link to edit the password policy.
On the Edit Policy page, select the Check passwords against dictionary words option.
Click Save to save your changes.
Once implemented, all changed and generated passwords will be checked against the dictionary.
Identity Manager uses email templates to deliver information and requests for action to users and approvers. The system includes templates for:
Access Review Notice. Sends notification that the access rights for a user need to be reviewed. The system sends this notification when a violation of an access policy must be remediated or mitigated.
Account Creation Approval. Sends notification to an approver that a new account is awaiting his approval. The system sends this notification when the Provisioning Notification Option for the associated role is set to approval.
Account Creation Notification. Sends notification that an account has been created with a particular role assignment. The system sends this notification when one or more administrators are selected in the Notification recipients field on the Create Role or Edit Role pages.
Account Deletion Approval. Sends notification to an approver that a user account deletion action is awaiting approval. The system sends this notification when one or more administrators are selected in the Notification recipients field on the Create Role or Edit Role pages.
Account Deletion Notification. Sends notification that an account has been deleted.
Account Update Notification. Sends notification to the specified email addresses or user accounts that an account has been updated.
External Resource. Notifies an external resources provisioner that a provisioning task must be performed.
Password Reset. Sends notification of an Identity Manager password reset. Depending on the Reset Notification Option value selected for the associated Identity Manager policy, the system displays notification immediately (in the Web browser) to the administrator resetting the password or emails the user whose password is being reset.
Password Synchronization Notice. Notifies the user that a password change has completed successfully on all resources. The notification lists which resources were updated successfully and indicates the origin of the password change request.
Password Synchronization Failure Notice. Notifies the user that the password change was not successful on all resources. The notification provides a list of errors and indicates the origin of the password change request.
Policy Violation Notice. Sends a notice that an account policy violation has occurred.
Reconcile Account Event, Reconcile Resource Event, Reconcile Summary. Called from the Notify Reconcile Response, Notify Reconcile Start, and Notify Reconcile Finish default workflows, respectively. Notification is sent as configured in each workflow.
Report. Sends a generated report to a specified list of recipients.
Request Resource. Sends notification to a resource administrator that a resource has been requested. The system sends this notification when an administrator requests a resource from the Resources area.
Request resources are deprecated in favor of external resources as of the Identity Manager version 8.1 release. You can no longer create new connections using the Request adapter. Use the External Resource adapter instead. For more information, see Understanding and Managing External Resources.
Retry Notification. Sends notification to an administrator that a particular operation has been unsuccessfully attempted on a resource a specified number of times.
Risk Analysis. Sends a risk analysis report. The system sends this report when one or more email recipients are specified as part of a resource scan.
Temporary Password Reset. Sends notification to the user or role approver that a temporary password has been provided for the account. Depending on the Password Reset Notification Option value selected for the associated Identity Manager policy, the system displays notification immediately (in the Web browser) to the user, emails the user, or emails the role approvers.
User ID Recovery. Sends a recovered user ID to the specified email address.
You can customize email templates to provide specific directions to the recipient, telling him how to accomplish a task or how to see results. For example, you might want to customize the Account Creation Approval template to direct an approver to an account approval page by adding the following message:
Please go to http://host.example.com:8080/idm/approval/approval.jsp to approve account creation for $(fullname).
Use the following procedure to customize an email template using the Account Creation Approval template as an example:
In the Administrator interface, click the Configure tab, then click the Email Templates subtab.
The Email Templates page opens.
Click to select the Account Creation Approval template.
Enter details for the template.
You can enter the following information:
In the SMTP Host field, enter the SMTP server name so that email notification can be sent.
In the From field, customize the originating email address.
In the To and Cc fields, enter one or more email addresses or Identity Manager accounts that will be the recipients of the email notification.
In the Email Body field, customize the content to provide a pointer to your Identity Manager location.
You can also modify email templates by using the Sun Identity Manager Integrated Development Environment (Identity Manager IDE). For information about the Identity Manager IDE, go to the following website: https://identitymanageride.dev.java.net/.
You must register and log in to this site.
You can insert HTML-formatted content into an email template to display in the body of an email message. Content can include text, graphics, and Web links to information. To enable HTML-formatted content, select the HTML Enabled option.
You can also include references to variables in the email template body, in the form $(Name); for example: Your password $(password) has been recovered.
Allowable variables for each template are defined in the following table.
Table 4–1 Email Template Variables

Template                        Variables
Password Reset                  $(password) – newly generated password
Account Creation Approval       $(fullname) – user’s full name
                                $(role) – user’s role
Account Creation Notification   $(fullname) – user’s full name
                                $(role) – user’s role
Report                          $(report) – generated report
                                $(id) – encoded ID of the task instance
                                $(timestamp) – time when email was sent
Request Resource                $(fullname) – user’s full name
                                $(resource) – resource type
Risk Analysis                   $(report) – risk analysis report
Temporary Password Reset        $(password) – newly generated password
                                $(expiry) – password expiration date
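As an added example (not Identity Manager's own template engine), the following code substitutes $(Name) references of the form described above and rejects any variable that is not allowed for the chosen template. The per-template allowlist is constructed from Table 4–1 and the Account Creation Approval example; escaping substituted values when HTML is enabled is a precaution this example adds, not documented Identity Manager behaviour.

```python
import html
import re

# Per-template allowlist of $(Name) variables, constructed from Table 4-1 and the
# Account Creation Approval example above; extend it for the templates you customize.
TEMPLATE_VARIABLES = {
    "Account Creation Approval": {"fullname", "role"},
    "Account Creation Notification": {"fullname", "role"},
    "Report": {"report", "id", "timestamp"},
    "Temporary Password Reset": {"password", "expiry"},
}

# Matches references such as $(fullname) in the template body.
VAR_PATTERN = re.compile(r"\$\((\w+)\)")


class TemplateError(ValueError):
    pass


def disallowed_variables(template, body):
    """Return the set of $(Name) references in body that are not allowed for template."""
    return set(VAR_PATTERN.findall(body)) - TEMPLATE_VARIABLES[template]


def render_template(template, body, values, html_enabled=False):
    """Substitute $(Name) references with the supplied values.

    With HTML enabled, each substituted value is escaped so that data taken from a
    user record (for example a full name) cannot add markup to the message body."""
    bad = disallowed_variables(template, body)
    if bad:
        raise TemplateError(f"{template}: variable(s) not allowed: {sorted(bad)}")

    def substitute(match):
        key = match.group(1)
        if key not in values:
            raise TemplateError(f"no value supplied for $({key})")
        value = str(values[key])
        return html.escape(value, quote=True) if html_enabled else value

    return VAR_PATTERN.sub(substitute, body)
```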
Setting up audit configuration groups allows you to record and report on system events you select. Setting up audit groups also enables you to run AuditLog reports later.
You use the Audit Configuration page to set up audit groups. To open the Audit Configuration page, follow these steps:
Open the Administrator interface.
Click the Configure tab, then click the Audit subtab.
The Audit Configuration page opens.
Configuring audit groups and events requires the Configure Audit administrative capability.
Open the Audit Configuration page as described in the previous section.
The Audit Configuration page shows the list of audit groups, each of which may contain one or more events. For each group, you can record successful events, failed events, or both.
Click an audit group in the list to display the Edit Audit Configuration Group page. This page lets you select the types of audit events to be recorded as part of an audit configuration group in the system audit log.
Check that the Enable auditing check box is selected. Clear the check box to disable the auditing system.
Use the following steps to add an event to the group:
Identity Manager adds an event at the bottom of the page.
Select an object type from the list in the Object Type column, and then move one or more items in the Actions column from the Available area to the Selected area for the new object type.
Click OK to add the event to the group.
You can edit events in the group by adding or deleting actions for an object type, as follows:
Move items in the Actions column from the Available to the Selected area for that object type.
You can integrate Identity Manager with a Remedy server, enabling it to send Remedy tickets according to a specified template.
Set up Remedy integration in two areas of the Administrator interface:
Remedy server settings. Set up Remedy configuration by creating a Remedy resource from the Resources area. (See Managing the Resources List.) After setting up the resource, test the connection to ensure integration is enabled.
Remedy template. After setting up the Remedy resource, define a Remedy template. To do this, open the Administrator interface, click the Configure tab, then click Remedy Integration. You will then select the Remedy schema and resource.
Creation of Remedy tickets is configured through Identity Manager workflow. Depending on your preferences, a call can be made at an appropriate time that uses the defined template to open a Remedy ticket. For more information about configuring workflows, see Chapter 2, Workflow, in Sun Identity Manager Deployment Reference.
Administrators can configure certain aspects of the end-user interface by modifying a form in the Administrator interface.
In the Administrator interface, click Configure in the main menu.
Click User Interface in the secondary menu.
The User Interface page opens.
Complete and save the End User Dashboard portion of the form. Click Help if you need help with the form.
For information on completing the Anonymous Enrollment portion of the form, see Anonymous Enrollment.
Process diagrams depict the workflow that Identity Manager follows when end-users launch a request or update their profile. When enabled, process diagrams display on the results page after the end-user submits a form.
Process diagrams must be enabled in the Administrator interface before they can be enabled in the end-user interface. See Enabling Process Diagrams for more information.
Open the User Interface configuration page by following the steps in Configuring the End-User Interface
Select the Enable End-User Process Diagrams option, which is located in the Result Pages section of the form.
If the Enable End-User Process Diagrams option is not available, then you must first enable process diagrams in the Administrator interface. See Enabling Process Diagrams.
Administrators are encouraged to register their installation of Identity Manager.
You must have a Sun Online Account and password to register. If you do not have a Sun Online Account, you can register for one by completing the form at this address:
Identity Manager can be registered from the console or by using the Administrator interface.
Registering from the console allows you to also create a local service tag, which can be used with Sun Service Tag software to track your inventory of Sun systems, software, and services. The service tags client package should be installed before you create a local service tag. This package can be downloaded by clicking the Download Service Tags button at the following address:
To register Identity Manager, you must log on with an administrator account that allows you to configure Identity Manager objects. This account must have the Product Registration capability. For information about capabilities, see Assigning Capabilities to Users.
Java on your Identity Manager application servers must be properly configured for SSL for the product registration feature to work. All JAR files referenced in your java.security file (or equivalent) must be present.
The rest of this section provides information and instructions to help you register Identity Manager. This information is organized into the following topics:
This section contains information you need to register Identity Manager from the Console.
You use the register command to register Identity Manager from the console. This section provides information about using this command.
register -local
register -remote [-u <userid> [-p <password>]] [-prompt] -userSOA <userid> -passSOA <password> [-proxy <proxyHost> [-port <proxyPortNumber>]]
register [-help | -?]
The following table describes the options you can use with the register command.
Table 4–2 Command Options

Option                     Description
-local                     Create a service tag on this host.
-remote                    Register this installation of Identity Manager over the network directly with Sun.
-u <userid>                The Identity Manager user ID of the Identity Manager administrator who is authorized to do the registration.
-p <password>              The Identity Manager password of the Identity Manager administrator who is authorized to do the registration.
-prompt                    Interactively prompt for the password if missing.
-userSOA <userid>          The user ID of the Sun Online Account that will be used for registration. Required if registering with the -remote option.
-passSOA <password>        The password of the Sun Online Account that will be used for registration. Required if registering with the -remote option.
-proxy <proxyHost>         The network proxy to use for access to the Sun online registration service. Required if registering with the -remote option and your network is configured to use a proxy to reach external Internet addresses.
-port <proxyPortNumber>    The port on the network proxy to use for access to the Sun online registration service. Required if registering with the -remote option and your network is configured to use a proxy to reach external Internet addresses.
-help | -?                 Print help for this command to the console.
To register Identity Manager from the Console, you must create a local service tag or register with Sun over the Internet. Use the following instructions:
Start the Identity Manager console (command-line) interface.
From a Windows command line, type
From a UNIX command line, type
Use the register command as follows:
To create a local service tag,
To register Identity Manager over the Internet, use the following command:
register -remote -u <userid> -p <password> -userSOA <soaUserid> -passSOA <soaPassword> -proxy <proxyHost> -port <proxyPortNumber>
userid is the Identity Manager userID of the Identity Manager administrator who is authorized to do the registration.
password is the Identity Manager password of the Identity Manager administrator who is authorized to do the registration.
soaUserid is the user ID of the Sun Online Account that will be used for registration.
soaPassword is the password of the Sun Online Account that will be used for registration.
proxyHost is the network proxy to use for access to the Sun online registration service. Only required if your network is configured to use a proxy to reach external Internet addresses.
proxyPortNumber is the port on the network proxy to use for access to the Sun online registration service. Only required if your network is configured to use a proxy to reach external Internet addresses.
If you do not need to create a local service tag, register Identity Manager from the Administrator interface.
In the Administrator interface, click Configure.
In the secondary menu, click Product Registration.
The Product Registration page opens.
Complete the form and click Register Now. Click the i-Helps for information about individual form fields.
If your application server is not configured to allow outgoing SSL connections, you might see the following error message:
Failed to register on Sun Connection server due to invalid Sun Online Account user/password.
To resolve this issue, add the appropriate trusted root certificates to your application server’s keystore. Consult your application server’s documentation for details.
If old versions of xml-apis.jar and xercesImpl.jar are present in your application server’s classpath, you might see the following error message:
To resolve this problem, modify the classpath so that only the most recent versions of xml-apis.jar and xercesImpl.jar are present.
In the course of administering Identity Manager, you will occasionally be called upon to edit the Identity Manager system configuration object (also referred to as the System Configuration File), or other similar objects.
Open the Identity Manager Debug Page by typing the following URL into your browser:
The System Settings page opens.
You must have the Debug capability to view /idm/debug/ pages.
Find the List Objects button, then select Configuration from the adjacent Type drop-down list.
Click the List Objects button.
The List Objects of type: Configuration page opens.
In the list of objects, find the object you need, then click edit.
For example, to edit the system configuration object, find System Configuration, then click edit.
Edit the object as directed and click Save.
If directed to do so, restart your server (or servers).