As an Identity Manager administrator, you can further reduce security risks to your protected accounts and data by following these recommendations, at setup time and after.
To reduce security risks during setup:
Access Identity Manager through a secure Web server using HTTPS.
Reset the passwords for the default Identity Manager administrator accounts (Administrator and Configurator). To further protect the security of these accounts, you can rename them.
Limit access to the Configurator account.
Limit administrators’ capability sets to only those actions needed for their job functions, and further constrain the scope of each administrator by setting up organizational hierarchies.
Change the default password for the Identity Manager Index Repository.
Turn on auditing to track activities in the Identity Manager application.
Edit the permissions on files in the Identity Manager directory.
Customize workflows to insert approvals or other checkpoints.
Develop a recovery procedure that describes how to recover your Identity Manager environment in the event of an emergency.
To reduce security risks during use:
Periodically change the passwords for the default Identity Manager administrator accounts (Administrator and Configurator).
Log out of Identity Manager when not actively using the system.
Set or know the default timeout period for an Identity Manager session. Session timeout values may differ, as they can be set independently for each login application.
If your application server is Servlet 2.2-compliant, the Identity Manager installation process sets the HTTP session timeout to a default value of 30 minutes. You can change this value by editing the property; a lower value increases security. Do not set the value higher than 30 minutes.
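The 30-minute ceiling can be verified rather than assumed. The following added example is not part of the original documentation; it assumes the timeout lives in the standard Servlet session-timeout element of the application's web.xml (in minutes) and that, as the Servlet specification defines, a value of zero or less disables the timeout entirely. It flags a descriptor whose setting is missing, disabled, or above 30 minutes, using constructed sample descriptors rather than any real installation's files.

```python
import xml.etree.ElementTree as ET

MAX_TIMEOUT_MINUTES = 30  # the ceiling recommended above

# Constructed sample descriptors (not taken from any real Identity Manager install).
WEB_XML_OK = """<web-app>
  <session-config><session-timeout>15</session-timeout></session-config>
</web-app>"""
WEB_XML_TOO_LONG = """<web-app>
  <session-config><session-timeout>120</session-timeout></session-config>
</web-app>"""
WEB_XML_NEVER = """<web-app>
  <session-config><session-timeout>0</session-timeout></session-config>
</web-app>"""
WEB_XML_MISSING = "<web-app/>"


def session_timeout_minutes(web_xml_text):
    """Return the configured session-timeout in minutes, or None if absent."""
    root = ET.fromstring(web_xml_text)
    # Match on the local element name so a namespaced descriptor also works.
    for elem in root.iter():
        if elem.tag.split('}')[-1] == 'session-timeout' and elem.text:
            return int(elem.text.strip())
    return None


def check_session_timeout(web_xml_text, max_minutes=MAX_TIMEOUT_MINUTES):
    """Classify a descriptor as 'ok', 'missing', 'never-expires' or 'too-long'.

    Assumption: per the Servlet specification, zero or a negative value means
    the session never times out, the worst case for an idle admin session.
    """
    minutes = session_timeout_minutes(web_xml_text)
    if minutes is None:
        return 'missing'          # container default applies; set it explicitly
    if minutes <= 0:
        return 'never-expires'    # idle sessions stay valid indefinitely
    if minutes > max_minutes:
        return 'too-long'         # exceeds the 30-minute ceiling recommended here
    return 'ok'


if __name__ == '__main__':
    for name, text in [('ok', WEB_XML_OK), ('too-long', WEB_XML_TOO_LONG),
                       ('never', WEB_XML_NEVER), ('missing', WEB_XML_MISSING)]:
        print(name, '->', check_session_timeout(text))
```

To audit a deployed instance, read the real web.xml into a string and pass it to check_session_timeout; anything other than 'ok' needs attention.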