Sun Java System Identity Manager 2005Q4M3 Administration
Chapter 5 Configuration
This chapter provides information and procedures for using the Administrator Interface to set up Identity Manager objects.
In this chapter, you can learn more about:
Understanding Roles
Read this section for information about setting up roles in Identity Manager.
What are Roles?
Identity Manager roles define the collection of resources on which accounts are managed. Roles allow you to profile a class of users, grouping Identity Manager users with similar characteristics.
You can assign each user to one or more roles, or to none. All users assigned to a role share access to the same base group of resources.
All resources associated with a role are indirectly assigned to the user. Indirect assignment differs from direct assignment, in which resources are specifically selected for the user.
When you create or edit a role, Identity Manager launches the ManageRole workflow. This workflow saves the new or updated role in the repository, and allows you to insert approvals or other actions before the role is created or saved.
You assign roles to users through the Administrator Interface Create and Edit User pages.
Creating Roles
To create a role:
The Create Role page allows you to:
- Assign resources and resource groups to the role.
- Select role approvers and make notification selections.
Tip To learn more about the approval process, refer to Approvals in the chapter titled Administration.
- Exclude roles. This means that if this role is assigned to a user, the excluded role or roles may not also be assigned.
- Select the organizations to which this role will be available for assignment.
- Edit attribute values for resources assigned to the role.
Editing Assigned Resource Attribute Values
Click Set Attribute Values from the Assigned Resources area on the Create Role page to display a list of attributes for each resource assigned to the role. From this Edit attributes page, you can specify new values for each attribute and determine how attribute values are set. Identity Manager enables you to directly set values or use a rule to set values; it also provides a range of options for overriding or merging with existing values.
Editing Roles
To make changes to a role:
Finding Roles
Use the Find Roles area to search for roles. The search feature returns a list of roles that match your search criteria.
You can search for roles by one or more of these search types:
To search for roles, select Roles, and then select Find Roles.
Cloning Roles
You can use the selections from an existing role to create a new role. To do this:
Renaming Roles
To rename a role:
Synchronizing Identity Manager Roles and Resource Roles
You can synchronize Identity Manager roles with roles created natively on a resource. When synchronized, the resource is assigned, by default, to the role. This applies to roles that are created with the task, as well as existing Identity Manager roles that match one of the resource role names.
From the menu bar, select Tasks, and then select Run Tasks to access the Synchronize Identity Manager Roles with Resource Roles task page.
Understanding Resources
Read this section for information and procedures to help you set up Identity Manager resources.
What are Resources?
Identity Manager resources store information about how to connect to a resource or system on which accounts are created. Identity Manager resources define the relevant attributes about a resource and help specify how resource information is displayed in Identity Manager.
Identity Manager provides resources for a wide range of resource types, including:
Resources Area
Identity Manager displays information about existing resources on the Resources page.
To access resources, select Resources on the menu bar.
Resources are grouped by type, represented in the list by named folders. To expand the hierarchical view and see currently defined resources, click the indicator next to the folder. Collapse the view by clicking the indicator again.
When you expand a resource type folder, it dynamically updates and displays the number of resource objects it contains (if it is a resource type that supports groups).
Some resources have additional objects you can manage, including:
Select an object from the resources list, and then make selections from one of these options lists to initiate a management task:
- Resource Actions — Perform a range of actions on resources, including edit, active synchronization, rename, and delete; as well as work with resource objects and manage resource connection.
- Resource Object Actions — Edit, create, delete, rename, save as, and find resource objects.
- Resource Type Actions — Edit resource policies, work with the account index, and configure managed resources.
When you create or edit a resource, Identity Manager launches the ManageResource workflow. This workflow saves the new or updated resource in the repository, and allows you to insert approvals or other actions before the resource is created or saved.
Managing the Resources List
The list from which you can select resources to create is managed from the Configure area of the Administrator Interface. Select Configure Managed Resources from the Resource Type Actions options list to choose the resources that will populate the resources list.
On the Managed Resources page, Identity Manager divides resources into two categories:
- Identity Manager resources — Resources included in this table are those most commonly managed by Identity Manager. The table shows the resource type and version. Choose one or more resources by selecting the option in the Managed? column, and then click Save to add them to the resources list.
- Custom resources — Use this page area to add custom resources to the Resources list.
To add a custom resource:
The following table lists custom resource classes.
Creating Resources
You create resources by using the Resource Wizard. The Resource Wizard guides you through the process of creating an Identity Manager resource adapter to manage objects on a resource.
Using the Resource Wizard, you will set up:
- Resource-specific parameters — You can modify these values from the Identity Manager interface when creating a specific instance of this resource type.
- Account attributes — Defined in the schema map for the resource. These determine how Identity Manager user attributes map to attributes on the resource.
- Account DN or identity template — Includes account name syntax for users, which is especially important for hierarchical namespaces.
- Identity Manager parameters for the resource — Sets up policies, establishes resource approvers, and sets up organization access to the resource.
To create a resource:
- Select New Resource from the Resource Type Actions list of options.
Identity Manager displays the New Resource page.
- Select the resource type, and then click New to display the Resource Wizard Welcome page.
Note Alternatively, you can select a resource type in the resources list before selecting New Resource from the Resource Type Actions list. In this case, Identity Manager does not display the New Resource page, but immediately launches the Resource Wizard.
- Click Next to begin defining the resource. Resource Wizard steps and pages that display are, in order:
- Resource Parameters — Set up resource-specific parameters that control authentication and resource adapter behavior. Enter parameters, and then click Test Connection to ensure the connection is valid. On confirmation, click Next to set up account attributes.
Figure 1. Resource Wizard: Resource Parameters
- Account Attributes (schema map) — Maps Identity Manager account attributes to resource account attributes.
To add an attribute, click Add Attribute. Select one or more attributes, and then click Delete Selected Attributes to delete attributes from the schema map. When finished, click Next to set up the identity template.
Figure 2. Resource Wizard: Account Attributes (Schema Map)
- Identity Template — Defines account name syntax for users. This feature is particularly important for hierarchical namespaces.
Select attributes from the Insert Attributes list. To delete attributes from the template, click in the list and delete one or more items from the string. Delete the attribute name, as well as the preceding and following $ (dollar sign) characters.
Figure 3. Resource Wizard: Identity Template
- Identity System Parameters — Sets Identity Manager parameters for the resource, including retry and policy configuration.
Figure 4. Resource Wizard: Identity System Parameters
Use Next and Back to move among the pages. When you complete all selections, click Save to save the resource and return to the list page.
Managing Resources
You can perform a range of edit actions on the resource from the resources list. In addition to editing capabilities on each of the Resource Wizard pages, you can:
- Delete resources — Select one or more resources, and then select Delete from the Resource Actions list. You can select resources of several types at the same time. You cannot delete a resource if any roles or resource groups are associated with it.
- Search for resource objects — Select a resource, and then select Find Resource Object from the Resource Object Actions list to find a resource object (such as an organization, organizational unit, group, or person) by object characteristics.
- Manage resource objects — For some resource types, you can create new objects. Select the resource, and then select Create Resource Object from the Resource Object Actions list.
- Rename resources — Select a resource, and then select Rename from the Resource Actions list. Enter a new name in the entry box that appears, and then click Rename.
- Clone resources — Select a resource, and then select Save As from the Resource Actions list. Enter a new name in the entry box that appears. The cloned resource appears in the resource list with the name you select.
Working with Account Attributes
Identity Manager resources use schema maps to define names and types for attributes coming from the external resource (resource account attributes); they then map those attributes to the standard Identity Manager account attributes. By setting up a schema map (on the Account Attributes page of the Resource Wizard), you can:
To access these values, select the resource from the resources list, and then select Edit Resource Schema from the Resource Actions list.
The left column of the schema map (titled Identity system User Attribute) contains the names of Identity Manager account attributes that are referenced by the forms used in the Identity Manager Administrator and User interfaces. The right column of the schema map (titled Resource User Attribute) contains the names of attributes from the external source.
By defining Identity system attribute names, attributes from different resources can be defined with common names. For example, on an Active Directory resource, the lastname attribute in Identity Manager is mapped to the Active Directory resource attribute sn; on GroupWise, the fullname attribute can be mapped to the GroupWise attribute Surname. As a result, an administrator is required to complete a value for lastname only once; when the user is saved, it is passed to the resources under their different names.
Resource Groups
You can also use the Resources area to manage resource groups, which let you group resources to be updated in a specific order. By including and ordering resources in a group, and assigning the group to a user, you determine the order in which that user’s resources are created, updated, and deleted.
Activities are performed on each resource in turn. If an action fails on a resource, the remaining resources are not updated. This type of relationship is important for related resources.
For example, an Exchange 5.5 resource relies on an existing Windows NT or Windows Active Directory account: one of these must exist before the Exchange account can be successfully created. By creating a resource group with (in order) a Windows NT resource and an Exchange 5.5 resource, you ensure the correct sequence when creating users. Conversely, this order ensures that resources are deleted in the correct sequence when you delete users.
Select Resources, and then select List Resource Groups to display a list of currently defined resource groups. From that page, click New to define a resource group. When defining a resource group, a selection area lets you choose and then order chosen resources, as well as select the organizations to which the resource group will be available.
Understanding ChangeLogs
Read this section for information about the Identity Manager ChangeLog feature, and for procedures to help you configure and use ChangeLogs.
What are ChangeLogs?
ChangeLogs provide a view of the identity attribute information held by Identity Manager resources. Each ChangeLog is defined to capture changes to a subset of identity attributes.
As attribute data changes on a resource, ActiveSync adapters capture the information, and then write changes to a ChangeLog. Custom scripts developed specifically to interact with a resource in the enterprise then read the ChangeLogs and update the resource.
The ChangeLogs feature differs from Identity Manager’s standard resource active synchronization and reconciliation features because it enables indirect communication to resources from the provisioning system (via custom scripts).
ChangeLogs and Security
Identity Manager's ChangeLog feature requires write access to a designated directory or directories in the local file system. Some Web containers, by default, do not allow local file system access to the hosted Web modules like Identity Manager.
You grant access by editing a Java policy file. If using /tmp/changelogs as the directory, your policy file should contain:
grant {
  permission java.io.FilePermission "/tmp/changelogs/*", "read,write,delete";
};
You must define a file permission for each ChangeLog directory that you have specified.
The default security policy file for Java can be found at:
$JAVA_HOME/jre/lib/security/java.policy
Editing that file may be sufficient; however, if you are using your own file (not the default file), then the server is running with options such as:
-Djava.security.manager -Djava.security.policy=/path/to/your/java.policy
In this case, edit the file identified by the java.security.policy system property.
Note You may need to restart the Web container after editing the security policy file.
ChangeLogs Feature Requirements
The ChangeLogs feature requires that you configure identity attributes before configuring a ChangeLog.
Configuring Identity Attributes
Use the following information and procedures to configure Identity Attributes and to select the Identity system applications to which Identity Attributes will be applied.
Working with Identity Attributes
To configure identity attributes, select Configure, and then select Identity Attributes from the Identity Manager Administrator interface. The Identity Attributes page displays.
To add an Identity Attribute, click Add Attribute. Once added to the list, edit an Identity Attribute by clicking its name in the list. To remove one or more Identity Attributes, select them, and then click Remove Selected Attributes.
Note You must click Save before the action will take place.
Selecting Applications
Use the Enabled Applications area to select the Identity system applications to which the Identity Attributes will be applied. Select one or more applications from the Available applications area and move them to the Enabled applications area. You must click Save before the action will take place.
Note To use the ChangeLog feature, you must enable the ActiveSync application.
Adding and Editing Identity Attributes
From the Add Identity Attributes or Edit Identity Attributes pages, make these selections to add or edit Identity Attributes:
- Attribute Name — Select or enter an attribute name. Select from the default values provided (from resource schema map entries, operational Identity Attributes, and user extended attributes); or enter a value in the text box.
- Sources — Select one or more sources with which to populate the value for this Identity Attribute. The sources will be evaluated in order, and the Identity Attribute will be set to the first non-null value.
- Resource — The value comes from a selected attribute on a selected resource.
- Rule — The value comes from the evaluation of a selected rule.
- Constant — The value is set to the supplied constant value.
Click + (plus sign) to add a new line to select another source. Click - (minus sign) next to a source to delete it.
- Attribute Properties — Use this area to set up properties for the Identity Attribute.
- Identity Attribute is authoritative — The value of the Identity Attribute is authoritatively set on all targets. Select this option to cause the value determined by the sources to override any values entered by the user in a form. Typically, this option should be selected.
- Store attribute in IDM repository — Select to store the Identity Attribute locally in the Identity system repository. This should be selected if the Identity system user is to be the authoritative store for the Identity Attribute, or if the attribute should be capable of handling queries.
- Set value on all assigned resources — Select this option if the Identity Attribute should globally be set on all assigned resources that support this attribute.
- Targets — Select the target resource on which this Identity Attribute should be set. If no targets are defined, then click Add Target. To remove a target from the list, select it, and then click Remove Selected Targets.
Click OK to add the Identity Attribute and return to the Identity Attributes page. You must click Save on the Identity Attributes page to save the additions.
Adding Target Resources
Tip It is not necessary to set targets for Identity Attributes if they are being used solely for the ChangeLog. You might do this, for example, if you wanted to use the ChangeLog, but also wanted to use the standard "Input Form" to push data through ActiveSync. If there are no targets, then the MetaView just calculates the identity attributes' values; it doesn't set them on any of the other resources.
Make selections to add a target resource for which an Identity Attribute should be set:
- Target Resource — Select the target resource on which the selected Identity Attribute should be set.
- Target Attribute — Select the name of the attribute on the target resource that will receive the value.
- Condition — Select a rule to run to determine if the selected Identity Attribute should be set on this target resource. This rule should return a value of true or false. If the condition is not set, then the target attribute always will be set for the selected event types.
- Apply To: — Select the types of events for which the selected Identity Attribute should be set on this target resource. These selections are combined with the Condition to determine if the target attribute should be set.
Click OK to add the target resource and return to the Add or Edit Identity Attribute page.
Removing Target Resources
To remove one or more target resources, select them in the list, and then click Remove Selected Targets.
Importing Identity Attributes
Using the Import Identity Attributes feature, you can select one or more forms to import and populate Identity Attributes values. Identity Manager will analyze the imported form values and make a "best guess" at Identity Attributes; however, it may be necessary to edit the Identity Attributes after import.
Make these import selections:
- Merge with existing Identity Attributes — If you select this option, then Identity Manager will merge imported values with existing Identity Attributes. If not selected, then the Identity Attributes are cleared before the import occurs.
- Forms to import — Select one or more forms from the Available Forms area to populate the Identity Attributes.
Click Import to import the forms. The Identity Attributes page displays with the new or merged Identity Attributes listed.
Click Save to save changes to the Identity Attributes.
Note If there are Identity Attributes conditions that need to be corrected, then Identity Manager will display a Warning page that lists one or more warnings. Click OK to return to the Configure area.
Configuring ChangeLogs
You configure ChangeLogs by creating ChangeLog policies and ChangeLogs. Each ChangeLog must have an associated ChangeLog policy. A ChangeLog defines which subset of the changes detected by ActiveSync and pushed through the Identity Attributes should be written to a log. Its associated ChangeLog policy defines how the ChangeLog files should be written. The ChangeLog files are consumed by custom scripts.
To configure ChangeLogs and ChangeLog policies, select Configure, and then select ChangeLogs from the Administrator interface menu bar.
Identity Manager displays the ChangeLog Configuration page, which displays two summary areas.
Figure 5. ChangeLog Configuration
ChangeLog Policies Summary
The ChangeLog Policies summary area shows currently defined ChangeLog policies. To edit an existing ChangeLog policy, click its name in the list. To create a ChangeLog policy, click Create Policy.
To remove one or more ChangeLog policies, select them in the list, and then click Remove Policy. (No confirmation is needed for this action.)
ChangeLogs Summary
The ChangeLogs summary area shows currently defined ChangeLogs. To edit an existing ChangeLog, click its name in the list. To create a ChangeLog, click Create ChangeLog.
To remove one or more ChangeLogs, select them in the list, and then click Remove ChangeLog. (No confirmation is needed for this action.)
Saving ChangeLog Configuration Changes
Any changes you make to the ChangeLog Configuration — either to ChangeLog policies or defined ChangeLogs — must be saved from the ChangeLog Configuration page. Click Save to save changes and return to the Identity Manager Configure page.
Creating and Editing ChangeLog Policies
Provide input and make selections on the Edit ChangeLog Policy page to create or edit ChangeLog Policies:
- Policy Name — Enter a unique name for the policy.
- Daily Start Time — Establish the time of day used to calculate the times when rotations should start or change over. ChangeLogs using this policy will start new rotations at this time and at increments calculated from this time. For example, if the start time is set to midnight (00:00) with 3 'Rotations Per Day', the prefixes on log files will change at 00:00, 08:00, and 16:00.
Filenames follow the pattern, 'cl_User_yyyyMMddHHmmss.n.suffix', where 'HHmmss' is the most recent time for a rotation to start. ('.n' is the Sequence number, and .suffix is a suffix provided in the ChangeLog definition.)
Using '00:00' for the start time with 3 as the number of rotations, if you were to activate a ChangeLog at 9:24 a.m. one morning, the resulting rotation name would include the most recent rotation start time (for example, 08:00). In this case, the filenames would start with cl_User_yyyyMMdd080000. At 16:00, a new rotation (a new prefix on filenames) would start.
- Rotations Per Day — Specify the number of times you want to rotate the logs each day. For example, if you want a rotation every 4 hours, enter a value of 6.
This value is limited to non-negative integers. A value of 0 means to ignore this field. When this field is non-zero, the 'Maximum Age of a Rotation' setting is ignored.
- Maximum Age of a Rotation — If you specify the length of rotations in seconds, and the 'Rotations Per Day' field is 0, then this value is used to determine the period of rotation.
This is limited to non-negative integer values. If you specify a non-zero number of 'Rotations Per Day', then that value is used (and this one is not). If the value of both of these fields is 0, then only the sequence information is applied. (Even Daily Start Time is unused in this case.)
- Number of Rotations to Keep — Specify how many rotations are allowed to accumulate before Identity Manager deletes them. For example, if you are running with 3 rotations per day and want to keep 2 days of changes in the logs, specify a value of 6.
- Maximum File Size in Bytes — A new log file (with the same rotation prefix, but with a new sequence number) is started if writing a change to the current file will exceed this limit. A value of 0 indicates that this limit is not used. All of the limit fields (size, lines, age) that are non-zero are used; however, this limit is checked before the others.
- Maximum File Size in Lines — If writing a change will cause the current file to have more lines than this limit, then a new sequence file is created and the line is written to the new file. A value of 0 indicates 'no limit.' This limit is checked after the size limit and before the age limit.
- Maximum File Age in Seconds — When a change is received and the existing sequence file is now older than the number of seconds specified here, a new sequence file is created before writing the change. A value of 0 indicates that this limit is not used. The other limits, if non-zero, are applied before this one.
Click OK to return to the ChangeLog Configuration page. You must click OK from the Configuration page to save the new ChangeLog policy or changes to an existing policy.
Creating and Editing ChangeLogs
Provide input and make selections on the Edit ChangeLogs page to create or edit a ChangeLog:
- ChangeLog Name — Enter a unique name for the ChangeLog.
- Active — If you select this option, then the ChangeLog will monitor and write changes as they flow through ActiveSync resources and into the Identity Attributes (ActiveSync must be an Identity Attributes application for this to work).
- Filter — Enter the name of the ChangeLog filter to use. 'Noop' means use the default filter, which accepts all changes. This should be sufficient for the vast majority of cases. Otherwise, this must name a Java class implementing com.sun.idm.changelog.ChangeLogFilter. The class must be in the classpath of the server, and it must have a public default constructor.
- Log these Operations — Log events of the types selected, which includes Creates, Updates, and Deletes. Events not selected are ignored.
- ChangeLog View — Define the contents (columns) of the ChangeLog by using this table. Each table row specifies a column in the ChangeLog. Click Add Column to add a ChangeLog column. Each column has a name, a type, and an Identity Attribute Name. The order of the rows indicates the order of the columns. Use the 'Up' and 'Down' buttons to order columns after they are defined.
Note In every ChangeLog, there will be an implicit first column in the table named 'changeType'. This implicit first column indicates the type of the change. This column's type is 'Text'. The data in the log will be one of the following values: 'ADD', 'MOD', or 'DEL'.
- Use the Policy Named — Select a defined ChangeLog policy from the list to use for logging.
- Output Path — Enter the name of the directory on the file system that will contain the log files. This can be a network-mounted location; but it is preferable to use a directory that is local to the server. It is also advisable to use a unique location per ChangeLog.
- Suffix — Enter a suffix for the ChangeLog files (for example, .csv). The suffix selected may be used to differentiate these files from other ChangeLog files.
Click OK to return to the ChangeLog Configuration page. You must click OK from the Configuration page to save the new ChangeLog or changes to an existing ChangeLog.
Example
View this example that details how to set up identity attributes and a ChangeLog to capture a specific set of attributes data.
Example: Define Identity Attributes
In this example, two Identity Manager resources (Resource 1 and Resource 2) provide source data to a third resource (Resource 3). Resource 3 is not directly connected to the Identity Manager system. A ChangeLog is needed to pull and maintain a data subset from Resource 1 and 2 to Resource 3.
Resource 1: EmployeeInfo
- employeeNumber*
- givenname
- mi
- surname
- phone
Resource 2: OrgInfo
- employeeNum*
- managerEmpNum
- departmentNumber
Resource 3: PhoneList
- empId*
- fullname
- phone
- department
Note * indicates a key to correlate records.
The Identity Attributes are defined as follows.
Example: Configure the ChangeLog
After defining the identity attributes, define a ChangeLog called PhoneList ChangeLog. Its purpose is to write a subset of the identity attributes to a ChangeLog file.
ChangeLogView in PhoneList ChangeLog
| Column Name | Type | Identity Attribute |
|-------------|------|--------------------|
| empId       | Text | employee           |
| fullname    | Text | fullname           |
| phone       | Text | phoneNumber        |
When records in Resource 1 or Resource 2 are changed, the full set of data (not just the changes) for a ChangeLog record (all data from the identity attributes) is written to the ChangeLog. A custom script reads the information and uses it to populate Resource 3.
CSV File Format
Read this section for information about the format of the comma-separated value (CSV) file written by ChangeLogs.
Think of a ChangeLog file in terms of rows and columns, like a spreadsheet or database table. Each “row” is a line in the file.
The ChangeLog format is self-describing using the first two rows. Together, these two rows define the “schema”; that is, the logical names and logical types of each “cell” (values between commas on a row) in the table.
The first row names the attributes in the file. The second row describes the types of values of the attributes. Additional rows represent all the data for a change-event.
The ChangeLog file is encoded in Java UTF-8 format.
Columns
The first column in the file has special significance. This defines the operation type; for example, whether the change event was a create, modify, or delete action. It is always named changeType, and is always type T (representing Text). Its value is one of the values ADD, MOD, or DEL.
Exactly one column should hold a unique identifier (the primary key) for the entry. This generally is the second column in the file.
Other columns simply name the attribute. The name is taken from the Column Name value in the ChangeLog View table.
Rows
After the first two header rows that define the "schema" of the file, the remaining rows hold the values of the attributes. The values appear in the order of the columns in the first row. The ChangeLog is populated from the Identity Attributes, and therefore contains all data known about the user at the time the change is detected.
In addition, there is no special sentinel value indicating null (or not set). If a value is not present when a change is detected, then the ChangeLog writes an empty string.
Values are encoded according to the type of the column, as specified in the second row of the file. Supported types are:
Text Values
Text values are written as a string, with two exceptions:
- If a value contains a , (comma), then Identity Manager escapes the comma within the value by inserting a \ (backslash) character. For example, if the value for fullname is Mouse, Mickey, then Identity Manager writes Mouse \,Mickey as the value.
- If a value contains a \ (backslash) character, then Identity Manager escapes it with another \. For example, if a value for homedir contains C:\users\home, then Identity Manager writes C:\\users\\home to the log.
Text values cannot contain a newline. If the file needs newlines, then use the Binary value type.
Binary Values
Binary values are Base64 encoded.
Multi-Text Values
Multi-Text values are written similarly to Text values, but are comma-separated and bracketed (using [ and ]).
Multi-Binary Values
Multi-Binary values are written like Binary values (Base64 encoded), but also are comma-separated and bracketed (using [ and ]).
Formatting Examples
The following examples illustrate the various output formats. Each example is in the form:
column1, column2, column3, column4
Column 3 of each example shows the example text.
- Text (T) data appear as strings in the file:
ADD,account0,some text data,column4
- Binary (B) data appears base64 encoded.
ADD,account0,FGResWE23WDE==,column4
- Multi-Text (MT) appears as:
ADD,account0,[one,two,three],column4
- Multi-Binary (MB) appears as:
ADD,account0,[FGResWE23WDE==,FGRCAFEBADE3sseGHSD],column4
Note The Base64 alphabet does not include the , (comma), [ (left bracket), or ] (right bracket) characters, or a newline.
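The following Python encoder and decoder implements the value rules above (comma and backslash escaping for T columns, Base64 for B columns, bracketed comma-separated lists for MT and MB columns, and an empty string for a value that is not set), reading each row by the column types given in the second header row. It is an added example, not code shipped with Identity Manager; the column names, sample values and helper names are constructed for illustration.

```python
# Added example (not Identity Manager code): encoder/decoder for ChangeLog
# field values following the rules stated above. Column names, sample values
# and the helper names here are constructed for the example.
import base64
from typing import Dict, Iterator, List, Tuple


def encode_text(value: str) -> str:
    """Escape a T value: backslash first, then comma, so decoding is unambiguous."""
    if "\n" in value:
        raise ValueError("text values cannot contain a newline; use a B column")
    return value.replace("\\", "\\\\").replace(",", "\\,")


def encode_field(value, ctype: str) -> str:
    """Encode one field for its column type; None (not set) becomes an empty string."""
    if value is None:
        return ""
    if ctype == "T":
        return encode_text(value)
    if ctype == "B":
        return base64.b64encode(value).decode("ascii")
    if ctype == "MT":
        return "[" + ",".join(encode_text(v) for v in value) + "]"
    if ctype == "MB":
        return "[" + ",".join(base64.b64encode(v).decode("ascii") for v in value) + "]"
    raise ValueError(f"unknown column type {ctype!r}")


def encode_row(values: List, types: List[str]) -> str:
    return ",".join(encode_field(v, t) for v, t in zip(values, types))


def _read_scalar(line: str, i: int) -> Tuple[str, int]:
    """Read a T or B field starting at i, unescaping \\, and \\\\; stop after the
    next unescaped comma (or at end of line)."""
    buf: List[str] = []
    while i < len(line):
        c = line[i]
        if c == "\\" and i + 1 < len(line):
            buf.append(line[i + 1])
            i += 2
            continue
        if c == ",":
            return "".join(buf), i + 1
        buf.append(c)
        i += 1
    return "".join(buf), i


def _read_multi(line: str, i: int) -> Tuple[List[str], int]:
    """Read a bracketed MT/MB field starting at i; items use the same escaping as T."""
    if i >= len(line) or line[i] != "[":
        raise ValueError(f"expected '[' at offset {i}")
    i += 1
    items: List[str] = []
    buf: List[str] = []
    while i < len(line):
        c = line[i]
        if c == "\\" and i + 1 < len(line):
            buf.append(line[i + 1])
            i += 2
            continue
        if c == ",":
            items.append("".join(buf))
            buf = []
        elif c == "]":
            if items or buf:
                items.append("".join(buf))
            i += 1
            if i < len(line):
                if line[i] != ",":
                    raise ValueError(f"expected ',' after ']' at offset {i}")
                i += 1
            return items, i
        else:
            buf.append(c)
        i += 1
    raise ValueError("unterminated multi-value field")


def parse_row(line: str, types: List[str]) -> List:
    """Decode one data row according to the column types from the second header row."""
    i, out = 0, []
    for ctype in types:
        if ctype in ("MT", "MB"):
            items, i = _read_multi(line, i)
            out.append(items if ctype == "MT" else [base64.b64decode(x) for x in items])
        elif ctype in ("T", "B"):
            raw, i = _read_scalar(line, i)
            out.append(raw if ctype == "T" else (base64.b64decode(raw) if raw else b""))
        else:
            raise ValueError(f"unknown column type {ctype!r}")
    if i < len(line):
        raise ValueError("row has more fields than the header declares")
    return out


def parse_changelog(text: str) -> Iterator[Dict]:
    """Yield one dict per data row; rows 1 and 2 are the name and type headers."""
    lines = text.splitlines()
    names, types = lines[0].split(","), lines[1].split(",")
    if names[0] != "changeType" or types[0] != "T":
        raise ValueError("first column must be changeType of type T")
    for line in lines[2:]:
        if line:
            row = parse_row(line, types)
            if row[0] not in ("ADD", "MOD", "DEL"):
                raise ValueError(f"bad changeType {row[0]!r}")
            yield dict(zip(names, row))
```

Because the decoder is driven by the declared column types, a T value that happens to begin with [ is never mistaken for a list, and the Base64 alphabet guarantees that commas and brackets inside an MB field are always delimiters.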
ChangeLog Filenames
Filenames are of the form:
servername_User_timestamp.sequenceNumber.suffix
Where:
- timestamp is the time that this log was started or rolled over. Files with the same timestamp are considered to be a "Rotation."
- sequenceNumber is a monotonically increasing number used to partition a rotation into subsets of files that are controlled by a maximum number of bytes, lines, or seconds. Each of these is known as a "Sequence" file.
- suffix is the file extension defined in the ChangeLog config, usually .csv.
Configuring Rotations and Sequences
These are defined in ChangeLogPolicy objects and referred to from ChangeLogs.
Example
A policy that defines rotations to:
would result in rotation file names similar to the following. (There are two sequence files in each of these rotations.)
myServer_User_20060101070000.1.csv
myServer_User_20060101070000.2.csv
myServer_User_20060101150000.1.csv
myServer_User_20060101150000.2.csv
myServer_User_20060101230000.1.csv
myServer_User_20060101230000.2.csv
myServer_User_20060102070000.1.csv
myServer_User_20060102070000.2.csv
myServer_User_20060102150000.1.csv
myServer_User_20060102150000.2.csv
myServer_User_20060102230000.1.csv
myServer_User_20060102230000.2.csv
January 1 shows 3 rotations, 8 hours apart, beginning at 07:00:00. January 2 is similar; only the portion of the name that corresponds to the day (20060102) differs.
Writing ChangeLog Scripts
Read this section for information helpful to ChangeLog script writers.
- Scripts likely run continuously, waiting for new data, new files, or sleeping between activity; and then simply read the file and apply the changes for each line to the back-end resource.
- ChangeLogs support delete operations; however, only the accountId value will be included in DEL lines.
- By using Rotations and Sequences, you can decide how often a script runs. For example, you could specify:
- Rotation at midnight; and then every night run the script against the prior rotation.
- Rotation every 4 hours, starting at 8:00 a.m., and then run the scripts every four hours (at 8, 12, 16, 20, 24, 4, ...)
- No rotation, and run the script such that it reads a sequence file when the sequence number bumps. You can control how the sequence number increments; it can be size-based, num-operations based, or time-based.
- Each ChangeLog can be seen as a representation of the records in the back-end system. To keep things simple for the script reading the log, Identity Manager always writes all data for a given record, whether or not it has changed. Scripts can "blindly" apply the data in the records.
However, they need to ensure that the back-end resource (or the script), especially with regard to ADD and DEL, can either:
- Handle this idempotently. (Idempotency means that applying the same data more than once has the same effect as applying it once.) If the script reads the ChangeLog from start to finish in two passes, then the state of the data records in the resource should be exactly the same after each pass.
- Do this at most once. For example, if the resource cannot be made idempotent with regard to add and delete actions, then the script must ensure that it applies changes only once, either by reading the log entries only once, or by otherwise tracking its progress.
- A good approach might be to watch for a sequence file to appear, and then apply the previous file. For example, do not apply a .1 file until the .2 file appears. When .3 appears, apply .2. After applying a file, record on disk that you have done so. This approach allows you to avoid using calls like fstat or tail -f.
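The following Python script is an added example, not part of Identity Manager or this guide, that puts the advice above together with the filename convention from ChangeLog Filenames: it applies sequence file N only once N+1 exists in the same rotation, records every applied file on disk so that a restart never applies it again, and applies rows idempotently to a dict standing in for the back-end resource (ADD and MOD both write the full record, DEL removes it). It goes beyond the text in one respect, stated here as an assumption: the last sequence file of a rotation is treated as complete once a newer rotation for the same server has started. Server name, file contents and helper names are constructed; rows are split on plain commas, so the demo rows contain no escaped commas or multi-valued columns.

```python
# Added example (not Identity Manager code): a ChangeLog consumer that applies
# sequence file N only after N+1 appears and records progress on disk.
import os
import re
import tempfile
from collections import defaultdict
from typing import Dict, List, Optional

# servername_User_timestamp.sequenceNumber.suffix (timestamp is yyyyMMddHHmmss)
FILENAME_RE = re.compile(
    r"^(?P<server>.+?)_User_(?P<ts>\d{14})\.(?P<seq>\d+)\.(?P<suffix>[^.]+)$")


def parse_filename(name: str) -> Optional[Dict]:
    m = FILENAME_RE.match(name)
    if not m:
        return None
    return {"server": m["server"], "rotation": m["ts"],
            "seq": int(m["seq"]), "suffix": m["suffix"]}


def ready_files(names: List[str]) -> List[str]:
    """Names safe to apply, oldest first: a sequence file is complete once the
    next sequence number exists in the same rotation or (assumption, see the
    lead-in) a newer rotation for the same server has started."""
    by_rotation: Dict[tuple, Dict[int, str]] = defaultdict(dict)
    for n in names:
        p = parse_filename(n)
        if p:
            by_rotation[(p["server"], p["rotation"])][p["seq"]] = n
    newest: Dict[str, str] = {}
    for server, rot in by_rotation:
        newest[server] = max(newest.get(server, ""), rot)
    ready = []
    for server, rot in sorted(by_rotation):
        seqs = by_rotation[(server, rot)]
        for s in sorted(seqs):
            if s + 1 in seqs or rot != newest[server]:
                ready.append(seqs[s])
    return ready


def apply_file(path: str, state: Dict[str, Dict[str, str]]) -> None:
    """Apply every row to `state`, a dict keyed by accountId standing in for
    the resource. ADD and MOD upsert the full record and DEL removes it, so
    applying the same file twice leaves `state` unchanged."""
    with open(path) as f:
        lines = [l.rstrip("\n") for l in f]
    names = lines[0].split(",")
    if names[0] != "changeType":
        raise ValueError(f"{path}: first column must be changeType")
    for line in lines[2:]:        # skip the name and type header rows
        if not line:
            continue
        fields = line.split(",")  # demo rows contain no escaped commas or [ ] lists
        rec = dict(zip(names, fields))
        op, key = rec["changeType"], rec[names[1]]
        if op in ("ADD", "MOD"):
            state[key] = {k: v for k, v in rec.items() if k != "changeType"}
        elif op == "DEL":
            state.pop(key, None)  # DEL rows carry only the accountId
        else:
            raise ValueError(f"{path}: unknown changeType {op!r}")


def load_done(progress_path: str) -> set:
    if not os.path.exists(progress_path):
        return set()
    with open(progress_path) as f:
        return {l.strip() for l in f if l.strip()}


def mark_done(progress_path: str, name: str) -> None:
    """Append the file name after a successful apply and force it to disk."""
    with open(progress_path, "a") as f:
        f.write(name + "\n")
        f.flush()
        os.fsync(f.fileno())


def run_once(log_dir: str, progress_path: str, state: Dict) -> List[str]:
    """One polling pass; call it from a loop that sleeps between passes."""
    done = load_done(progress_path)
    applied = []
    for name in ready_files(os.listdir(log_dir)):
        if name in done:
            continue
        apply_file(os.path.join(log_dir, name), state)
        mark_done(progress_path, name)
        applied.append(name)
    return applied


def demo():
    """Constructed sample: two sequence files in one rotation, one in a newer one."""
    d = tempfile.mkdtemp()
    header = "changeType,accountId,fullname\nT,T,T\n"
    files = {
        "myServer_User_20060101070000.1.csv": header + "ADD,alice,Alice A\nADD,bob,Bob B\n",
        "myServer_User_20060101070000.2.csv": header + "MOD,alice,Alice B\nDEL,bob,\n",
        "myServer_User_20060101150000.1.csv": header + "ADD,carol,Carol C\n",
    }
    for n, body in files.items():
        with open(os.path.join(d, n), "w") as f:
            f.write(body)
    progress = os.path.join(d, "applied.txt")
    state: Dict[str, Dict[str, str]] = {}
    first = run_once(d, progress, state)
    second = run_once(d, progress, state)  # nothing new, nothing re-applied
    return first, second, state
```

In the demo the newest rotation's only file (sequence 1) is left untouched until a .2 file or a later rotation appears, and the second pass applies nothing because the progress file already lists both completed files.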
Understanding Policies
Read this section for information and procedures for configuring policies.
What are Policies?
Identity Manager policies set limitations for Identity Manager users by establishing constraints for Identity Manager account ID, login, and password characteristics.
You create and edit Identity Manager policies from the Policies page. From the menu bar, select Configure, and then select Policies. From the displayed list page, you can edit existing policies and create new ones.
Policies are categorized as:
- Identity System Account policies — Establish user, password, and authentication policy options and constraints. You assign Identity System Account policies to organizations or users, through the Create and Edit Organization and Create and Edit User pages.
Figure 6. Identity Manager Policy
Options you can set or select include:
- User policy options — Specify how Identity Manager treats user accounts if a user fails to correctly answer authentication questions
- Password policy options — Set password expiration, warning time before expiration, and reset options
- Authentication policy options — Determine how authentication questions will be presented to the user, whether the user can provide his own authentication questions, and establish the bank of questions (up to 10) that could be presented to a user.
- String Quality Policies — String quality policies include policy types such as password, AccountID, and authentication, and set length rules, character type rules, and allowed words and attribute values. This type of policy is tied to each Identity Manager resource, and is set on each resource page.
Figure 7. Create/Edit Password Policy
Options and rules you can set for passwords and account IDs include:
- Length rules — Determine minimum and maximum length.
- Character type rules — Set minimum and maximum allowable values for alphabetic, numeric, uppercase, lowercase, repetitive, and sequential characters.
- Password re-use limits — Specify the number of passwords preceding the current password that cannot be re-used. When a user attempts to change his password, the new password will be compared to the password history to ensure this is a unique password. For security reasons, a digital signature of the previous passwords is saved; new passwords are compared to this.
- Prohibited words and attribute values — Specify words and attributes that cannot be used as part of an ID or password.
Dictionary Policy
The dictionary policy enables Identity Manager to check passwords against a word database to ensure that they are protected from a simple dictionary attack. By using this policy with other policy settings to enforce the length and makeup of passwords, Identity Manager makes it difficult to use a dictionary to guess passwords that are generated or changed in the system.
The dictionary policy extends the password exclusion list that you can set up with the policy. (This list is implemented by the Must Not Contain Words option on the Administrator Interface password Edit Policy page.)
Configuring the Dictionary Policy
To set up the dictionary policy, you must:
Follow these steps:
- From the menu bar, select Configure, and then select Policies.
- Click Configure Dictionary to display the Dictionary Configuration page.
- Select and enter database information:
- Database Type — Select the database type (Oracle, DB2, SQLServer, or MySQL) that you will use to store the dictionary.
- Host — Enter the name of the host where the database is running.
- User — Enter the user name to use when connecting to the database.
- Password — Enter the password to use when connecting to the database.
- Port — Enter the port on which the database is listening.
- Connection URL — Enter the URL to use when connecting. These template variables are available:
- Driver Class — Enter the JDBC driver class to use while interacting with the database.
- Database Name — Enter the name of the database where the dictionary will be loaded.
- Dictionary Filename — Enter the name of the file to use when loading the dictionary.
- Click Test to test the database connection.
- If the connection test is successful, click Load Words to load the dictionary.
Note The load task may take a few minutes to complete.
- Click Test to ensure that the dictionary was loaded correctly.
Implementing the Dictionary Policy
Implement the dictionary policy from the Identity Manager policies area. From the Policies page, click to edit a password policy. On the Edit Policy page, select the Check passwords against dictionary words option. Once implemented, all changed and generated passwords will be checked against the dictionary.
Understanding Capabilities
Capabilities are groups of rights in the Identity Manager system. Capabilities represent administrative job responsibilities, such as resetting passwords or administering user accounts. Each Identity Manager administrative user is assigned one or more capabilities, which provide a set of privileges without compromising data protection.
Not all Identity Manager users need capabilities assigned; only those who will perform one or more administrative actions through Identity Manager. For example, an assigned capability is not needed to enable a user to change his password, but an assigned capability is required to change another user’s password.
Your assigned capabilities govern which areas of the Identity Manager Administrator Interface you can access. All Identity Manager administrative users can access certain areas of Identity Manager, including:
Capabilities Categories
Identity Manager defines capabilities as:
Built-in capabilities (those provided with the Identity Manager system) are protected, meaning that you cannot edit them. You can, however, use them within capabilities that you create.
Protected (built-in) capabilities are indicated in the list with a red key (or red key and folder) icon. Capabilities that you create and can edit are indicated in the capabilities list with a green key (or green key and folder) icon.
Working with Capabilities
Create a Capability
To create a capability, click New.
Edit a Capability
To edit a non-protected capability, right-click it in the list, and then select Edit.
Note You cannot edit built-in capabilities; however, you can save them with a different name to create your own capability, or use them in capabilities you create.
Save and Rename a Capability
To “clone” a capability (save it with a different name to create a new capability):
You can edit the new capability, even if the copied capability is protected.
Assigning Capabilities
Assign capabilities to a user from the Create and Edit User page.
Note You can also assign capabilities to a user by assigning an admin role, which you set up through the Security area. See Understanding Admin Roles for more information.
Capabilities Hierarchy
Task-based capabilities fall within the following functional capabilities hierarchy:
Account Administrator
Admin Role Administrator
Bulk Account Administrator
Bulk Change Account Administrator
Capability Administrator
Change Account Administrator
Import/Export Administrator
Login Administrator
Organization Administrator
Password Administrator (Verification Required)
Policy Administrator
Reconcile Administrator
Remedy Integration Administrator
Report Administrator
Resource Administrator
Resource Object Administrator
Resource Password Administrator
Role Administrator
Security Administrator
View Organizations
View Resources
Waveset Administrator
Capabilities Definitions
The following table describes each of the task-based capabilities and highlights the tabs and subtabs accessible with each capability.
All capabilities grant the user or administrator access to the Change My Password and Change My Answers subtabs (Passwords tab).
Table 1. Identity Manager Capabilities Descriptions
Understanding Admin Roles
Admin roles enable the assignment of a unique set of capabilities for each set of organizations managed by an administrator. An admin role is assigned capabilities and controlled organizations; it can then be assigned to an administrative user.
The assignment of capabilities and organizations to an admin role can be:
- Direct — This option allows you to assign specific capabilities, controlled organizations, or both to the admin role.
- Dynamic (indirect) — This option uses capabilities and controlled organizations rules to dynamically determine, each time the assigned user logs into Identity Manager, the capabilities and controlled organizations given to him through the admin role.
Note See Capabilities Rules and Controlled Organizations Rules for key information about setting up these rules.
You can assign one or more admin roles to each user. An admin role can be assigned to one or more users.
User Admin Role
Identity Manager includes a built-in admin role, titled "User". By default, it contains no capabilities or controlled organization assignments, and it cannot be deleted. This admin role is implicitly assigned to all users (end users and administrators) at login time.
You can edit the User admin role through the Administrator interface (select Configure, and then select Admin Roles).
Because any capabilities or controlled organizations that are statically assigned through this admin role are assigned to all users, it is recommended that you assign capabilities and controlled organizations through rules instead. Rules let different users receive different (or no) capabilities, with assignments scoped by factors such as who the user is, which department he belongs to, or whether he is a manager, all of which the rules can query.
The User admin role does not deprecate or replace the use of the authorized=true flag used in workflows. This flag is still appropriate in cases where the user should not have access to objects accessed by the workflow, except when the workflow is executing. Essentially, this lets the user enter a "run as superuser" mode.
However, in cases where a user should have specific access to one or more objects outside of and potentially inside of workflows, then dynamic assignment of capabilities and controlled organizations via the User admin role enables dynamic, fine-grain authorization to those objects.
Example
The steps in the following example show how the User admin role can be used in a dynamic environment.
When a user logs in, then:
- If his Active Directory user title is 'manager', then he will be assigned the "Account Administrator" capability and assigned control of the "My Team" organization.
- If his AD user title is not 'manager', then he will not be assigned any capabilities or organizations to control.
- If the logged-in user's title is 'manager', then when the "My Team" organization is opened, the "Get My Team" rule will invoke getResourceObjects on the Active Directory resource requesting all users whose 'manager' is the accountInfo.accounts[AD].accountId of the user currently logged in.
This setup will enable managers logged into the User interface to manage their employees, and prevent employees from performing admin functions when logged in to the User interface.
Creating and Editing Admin Roles
To create or edit an admin role, you must be assigned the Admin Role Administrator capability. To access the admin roles area, click Configure, and then click Admin Roles. The Admin Roles list page allows you to create, edit, and delete admin roles in Identity Manager.
To edit an existing admin role, click a name in the list. Click New to create an admin role. Identity Manager displays the Create Admin Role page, where you specify the capabilities and scope of the new admin role.
Figure 8. Admin Role: Create Page
Scoping Controlled Organizations
For each directly assigned, controlled organization included in an admin role, you can define the scope of objects on which a user can act. You can choose to include or exclude one or more objects that are generally available to each organization controlled by the user.
For example, you might choose to restrict the access of a user who can create, update, and delete users within an organization that includes a wide range of resources to a specific subset of resources in that organization. To do this, you could create an admin role with these characteristics:
To do this, make selections in the Select Objects to Include / Exclude area of the Create Admin Role page.
Figure 9. Admin Role: Include/Exclude Selections for Controlled Organizations
If you include an item in both an include and an exclude list, it is excluded from the admin role.
Assigning User Forms to an Admin Role
You can specify a user form as an attribute of an admin role. The admin assigned the admin role will use this user form when he creates or edits users in the organizations controlled by that admin role. A user form assigned through an admin role overrides any user form that is inherited from the organization of which the admin is a member. It does not override a user form that is directly assigned to the admin.
The user form that will be used when editing a user is determined in this order of precedence:
- If a user form is assigned directly to the admin, then it is used.
- If no user form is assigned directly to the admin, but the admin is assigned an admin role that:
- If no user form is assigned directly to the admin, or assigned indirectly through an admin role, then the user form assigned to the admin’s member organizations (starting with the admin’s member organization and going up to just below Top) is used.
- If none of the admin’s member organizations are assigned a user form, then the default user form is used.
If an admin is assigned more than one admin role that controls the same organization but specifies different user forms, then an error is displayed when he attempts to create or edit a user in that organization. If an admin attempts to assign two or more admin roles that control the same organization but specify different user forms, then an error is displayed. Changes cannot be saved until the conflict is resolved.
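The precedence order and the conflict rule above, as an added Python example that is not Identity Manager code: the role, organization and form names are constructed, and the admin's member organizations are passed as a list ordered from the member organization up to just below Top.

```python
# Added example (not Identity Manager code): resolving the user form an admin
# uses when editing a user, following the order of precedence above. Role,
# organization and form names are constructed.
from typing import Dict, List, Optional


class UserFormConflict(Exception):
    """Two admin roles control the same organization but specify different user forms."""


def find_user_form_conflicts(admin_roles: List[Dict]) -> Dict[str, List[str]]:
    """Organizations for which the given admin roles disagree on a user form.
    A non-empty result is the condition that blocks saving the assignment."""
    forms_by_org: Dict[str, set] = {}
    for role in admin_roles:
        if not role.get("user_form"):
            continue
        for org in role["controlled_orgs"]:
            forms_by_org.setdefault(org, set()).add(role["user_form"])
    return {org: sorted(forms) for org, forms in forms_by_org.items() if len(forms) > 1}


def resolve_user_form(direct_form: Optional[str], admin_roles: List[Dict],
                      target_org: str, member_org_chain: List[Dict],
                      default_form: str = "Default User Form") -> str:
    """
    direct_form: user form assigned directly to the admin, or None.
    admin_roles: the admin's roles, each {"controlled_orgs": [...], "user_form": str|None}.
    target_org: organization of the user being created or edited.
    member_org_chain: the admin's member organization followed by its ancestors
        up to just below Top, each {"name": ..., "user_form": str|None}.
    """
    if direct_form:                                   # 1. direct assignment wins
        return direct_form
    controlling = [r for r in admin_roles if target_org in r["controlled_orgs"]]
    conflicts = find_user_form_conflicts(controlling)
    if target_org in conflicts:                       # the edit-time error
        raise UserFormConflict(f"{target_org}: {conflicts[target_org]}")
    for role in controlling:                          # 2. form from a controlling admin role
        if role.get("user_form"):
            return role["user_form"]
    for org in member_org_chain:                      # 3. nearest member organization's form
        if org.get("user_form"):
            return org["user_form"]
    return default_form                               # 4. system default
```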
Capabilities Rules and Controlled Organizations Rules
The following samples show how you might set up a capabilities rule or controlled organizations rule that can dynamically control the assigned capabilities or controlled organizations given to a user assigned an admin role.
Note For information about creating and working with rules in Identity Manager, see Identity Manager Deployment Tools.
Capabilities Rule: Key Definitions and Inclusions
- A capabilities rule must include the authType='CapabilitiesRule' entry. This is required to ensure that you can select the rule from within the admin role page.
- The context is the currently authenticated Identity Manager user’s user view.
- In the following sample rule, the defined variable (defvar) ‘user groups’ gets the currently authenticated Identity Manager user’s account on the Windows Active Directory server named ‘ranger-AD’, and returns the list of groups of which the user is currently a member.
- The conditional logic (cond) checks to see if the currently authenticated Identity Manager user is a member of the ‘manager’ group. If yes, the user is assigned the Identity Manager capabilities Login Administrator and Resource Administrator. If no, then no Identity Manager capabilities are assigned.
Sample Capabilities Rule
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC 'waveset.dtd' 'waveset.dtd'>
<Rule authType='CapabilitiesRule' name='If Manager'>
  <block>
    <defvar name='user groups'>
      <get>
        <invoke name='getResourceObject' class='com.waveset.ui.FormUtil'>
          <ref>context</ref>
          <s>ranger-AD</s>
          <s>User</s>
          <ref>accountInfo.accounts[ranger-AD].accountId</ref>
          <map>
            <s>searchAttrsToGet</s>
            <list>
              <s>memberOf</s>
            </list>
          </map>
        </invoke>
        <s>user.attributes.memberOf</s>
      </get>
    </defvar>
    <cond>
      <contains>
        <ref>user groups</ref>
        <s>CN=manager,DC=dev-ad,DC=waveset,DC=com</s>
      </contains>
      <list>
        <s>Login Administrator</s>
        <s>Resource Administrator</s>
      </list>
    </cond>
  </block>
  <MemberObjectGroups>
    <ObjectRef type='ObjectGroup' id='#ID#ObjectGroup:Waveset' name='Waveset'/>
  </MemberObjectGroups>
</Rule>
Controlled Organizations Rule: Key Definitions
- A controlled organizations rule must include the authType='ControlledOrganizationsRule' entry. This enables you to select the rule from within the admin role page.
- The context is the currently authenticated Identity Manager user’s user view.
- In the following sample rule, the defined variable (defvar) ‘user groups’ gets the currently authenticated Identity Manager user’s account on the Windows Active Directory server named ‘ranger-AD’ and returns the list of groups of which the user is currently a member.
- The conditional logic (cond) checks to see if the currently authenticated Identity Manager user is a member of the ‘manager’ group. If yes, the user is assigned control of the Identity Manager ‘Waveset’ organization. If no, then no organizational control is assigned.
Sample Controlled Organizations Rule
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC 'waveset.dtd' 'waveset.dtd'>
<Rule authType='ControlledOrganizationsRule' name='Get managed departments'>
  <block>
    <defvar name='user groups'>
      <get>
        <invoke name='getResourceObject' class='com.waveset.ui.FormUtil'>
          <ref>context</ref>
          <s>ranger-AD</s>
          <s>User</s>
          <ref>accountInfo.accounts[ranger-AD].accountId</ref>
          <map>
            <s>searchAttrsToGet</s>
            <list>
              <s>memberOf</s>
            </list>
          </map>
        </invoke>
        <s>user.attributes.memberOf</s>
      </get>
    </defvar>
    <cond>
      <contains>
        <ref>user groups</ref>
        <s>CN=manager,DC=dev-ad,DC=waveset,DC=com</s>
      </contains>
      <list>
        <s>Waveset</s>
      </list>
    </cond>
  </block>
  <MemberObjectGroups>
    <ObjectRef type='ObjectGroup' id='#ID#ObjectGroup:Waveset' name='Waveset'/>
  </MemberObjectGroups>
</Rule>
Understanding Email Templates
Identity Manager uses email templates to deliver information and requests for action to users and approvers. The system includes templates for:
- Account Creation Approval — Sends notification to an approver that a new account is awaiting his approval. The system sends this notification when the Provisioning Notification Option for the associated role is set to approval.
- Account Creation Notification — Sends notification that an account has been created with a particular role assignment. The system sends this notification when one or more administrators are selected in the Notification recipients field on the Create Role or Edit Role pages.
- Password Reset — Sends notification of an Identity Manager password reset. Depending on the Reset Notification Option value selected for the associated Identity Manager policy, the system displays notification immediately (in the Web browser) to the administrator resetting the password or emails the user whose password is being reset.
- Password Synchronization Notice — Notifies the user that a password change has completed successfully on all resources. The notification lists which resources were updated successfully and indicates the origin of the password change request.
- Password Synchronization Failure Notice — Notifies the user that the password change was not successful on all resources. The notification provides a list of errors and indicates the origin of the password change request.
- Reconcile Account Event, Reconcile Resource Event, Reconcile Summary — Called from the Notify Reconcile Response, Notify Reconcile Start, and Notify Reconcile Finish default workflows, respectively. Notification is sent as configured in each workflow.
- Report — Sends a generated report to a specified list of recipients.
- Request Resource — Sends notification to a resource administrator that a resource has been requested. The system sends this notification when an administrator requests a resource from the Resources area.
- Retry Notification — Sends notification to an administrator that a particular operation has been unsuccessfully attempted on a resource a specified number of times.
- Risk Analysis — Sends a risk analysis report. The system sends this report when one or more email recipients are specified as part of a resource scan.
- Temporary Password Reset — Sends notification to the user or role approver that a temporary password has been provided for the account. Depending on the Password Reset Notification Option value selected for the associated Identity Manager policy, the system displays notification immediately (in the Web browser) to the user, emails the user, or emails the role approvers.
Customizing Email Templates
You can customize email templates to provide specific directions to the recipient, telling him how to accomplish a task or see results. For example, you might want to customize the Account Creation Approval template to direct an approver to an account approval page:
Please go to http://host.example.com:8080/idm/approval/approval.jsp to approve account creation for $(fullname).
To customize the Account Creation Approval template:
- From the menu bar, select Configure.
- On the Configure page, select Email Templates.
- Click to select the Account Creation Approval template.
Figure 10. Customize Email Template
- Enter details for the template:
- In the SMTP Host field, enter the SMTP server name so that email notification can be sent.
- In the From field, customize the originating email address.
- In the To and Cc fields, enter one or more email addresses or Identity Manager accounts that will be the recipients of the email notification.
- In the Email Body field, customize the content to provide a pointer to your Identity Manager location.
- Click Save.
Note You can also modify email templates by using the Business Process Editor (BPE). For more information on the BPE, see Identity Manager Deployment Tools.
HTML and Links in Email Templates
You can insert HTML-formatted content into an email template to display in the body of an email message. Content can include text, graphics, and Web links to information. To enable HTML-formatted content, select the HTML Enabled option.
Allowable Variables in the Email Body
You can also include references to variables in the email template body, in the form $(Name); for example: Your password $(password) has been recovered.
Allowable variables for each template are defined in the following table.
Table 2. Email Template Variables
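The $(Name) substitution described above, as an added Python example that is not Identity Manager code: it replaces each variable from a per-template allowlist, rejects a variable the template does not allow, and, when the template is HTML Enabled, escapes every substituted value so that a value taken from a user record cannot inject markup into the message. The allowlist here is constructed; the product's own per-template list is the table above.

```python
# Added example (not Identity Manager code): substituting $(Name) variables in
# an email template body against a per-template allowlist. The allowlist and
# sample values are constructed.
import html
import re

VAR_RE = re.compile(r"\$\((\w+)\)")

ALLOWED_VARIABLES = {   # constructed; see the product's Table 2 for the real lists
    "Account Creation Approval": {"fullname", "accountId", "role"},
    "Password Reset": {"fullname", "password"},
}


def render_template(template_name: str, body: str, values: dict,
                    html_enabled: bool = False) -> str:
    """Replace each $(name) in `body` with values[name]. An unknown variable is
    an error rather than being left in place, and with HTML Enabled every
    substituted value is escaped so a user-supplied value cannot add markup."""
    allowed = ALLOWED_VARIABLES[template_name]

    def substitute(match):
        name = match.group(1)
        if name not in allowed:
            raise ValueError(f"$({name}) is not an allowable variable for {template_name!r}")
        value = str(values.get(name, ""))
        return html.escape(value, quote=True) if html_enabled else value

    # single pass: a value that itself contains "$(x)" is inserted literally
    return VAR_RE.sub(substitute, body)


def variables_in(body: str) -> set:
    """Variable names referenced by a template body, for checking before save."""
    return set(VAR_RE.findall(body))
```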
Audit Group Configuration
Setting up audit configuration groups allows you to record and report on system events you select.
To configure audit configuration groups, select Configure from the menu bar, and then select Audit Events.
The Audit Events page shows the list of audit configuration groups, each of which may contain one or more events. For each group, you can record successful events, failed events, or both.
Click an audit configuration group in the list to display the Edit Audit Configuration Group page. This page lets you select the types of audit events to be recorded as part of an audit configuration group in the system audit log.
Editing Events in the Audit Configuration Group
To edit events in the group, you can add or delete actions for an object type. To do this, move items in the Actions column from the Available to the Selected area for that object type, and then click OK.
Adding Events to the Audit Configuration Group
To add an event to the group, click New. Identity Manager adds an event at the bottom of the page. Select an object type from the list in the Object Type column, and then move one or more items in the Actions column from the Available area to the Selected area for the new object type. Click OK to add the event to the group.
Remedy Integration
You can integrate Identity Manager with a Remedy server, enabling it to send Remedy tickets according to a specified template.
Set up Remedy integration in two areas of the Administrator interface:
- Remedy server settings — Set up Remedy configuration by creating a Remedy resource from the Resources area. After setting up the resource, test the connection to ensure integration is enabled.
- Remedy template — After setting up the Remedy resource, define a Remedy template. To do this, select Configure, and then select Remedy Integration. You will then select the Remedy schema and resource.
Creation of Remedy tickets is configured through Identity Manager workflow. Depending on your preferences, a call can be made at an appropriate time that uses the defined template to open a Remedy ticket. For more information about configuring workflows, see Identity Manager Workflows, Forms, and Views.
Configuring Identity Manager Server Settings
You can edit server-specific settings so that Identity Manager servers run only specific tasks. To do this, select Configure, and then select Servers.
To edit settings for an individual server, select a server in the list on the Configure Servers page. Identity Manager displays the Edit Server Settings page, where you can edit reconciler and scheduler settings.
Reconciler Settings
By default, reconciler settings display on the Edit Server Settings page. You can accept the default value or de-select the Use default option to specify a value:
- Parallel Resource Limit — Specify the maximum number of resources that the reconciler can process in parallel.
- Minimum Worker Threads — Specify the number of processing threads that the reconciler will always keep alive.
- Maximum Worker Threads — Specify the maximum number of processing threads that the reconciler can use. The reconciler will only start as many threads as the workload requires; this places a limit on that number.
Scheduler Settings
Click Scheduler on the Edit Server Settings page to display scheduler options. You can accept the default value or de-select the Use default option to specify a value:
- Scheduler Startup — Select a startup mode for the scheduler:
- Tracing Enabled — Select this option to activate scheduler debug tracing to standard output.
- Task Restrictions — Specify the set of tasks that can execute on the server. To do this, select one or more tasks from the list of available tasks. The list of selected tasks can be an inclusion or exclusion list depending on the option you select. You can choose to allow all tasks except those selected in the list (the default behavior), or allow only the selected tasks.
Click Save to save changes to the server settings.
Editing Default Server Settings
The Default Server Settings feature lets you set the default settings for all Identity Manager servers. The servers inherit these settings unless you select differently in the individual server settings pages. To edit the default settings, click Edit Default Server Settings. The Edit Default Server Settings page displays the same options as the individual server settings pages.
Changes you make to each default server setting are propagated to the corresponding individual server setting, unless you have de-selected the Use default option for that setting.
Click Save to save changes to the server settings.
Signed Approvals
Use the following information and procedures to set up digitally signed approvals. Steps and examples follow for:
Configuring Signed Approvals
Follow these steps to configure signed approvals.
Server-Side Configuration
To enable server-side configuration:
- In the system configuration, set security.nonrepudiation.signedApprovals=true
- Add your certificate authority (CA)’s certificates as trusted certificates. To do this, you must first obtain a copy of the certificates.
For example, if you are using a Microsoft CA, follow steps similar to these:
- Add the certificate to Identity Manager as a trusted certificate:
- From the Administrator interface, select Configure, and then select Certificates. Identity Manager displays the Certificates page.
Figure 11. Certificates
- In the Trusted CA Certificates area, click Add. Identity Manager displays the Import Certificate page.
- Browse to and then select the trusted certificate, and then click Import.
The certificate now displays in the list of trusted certificates.
- Add your CA's certificate revocation list (CRL):
- In the CRLs area of the Certificates page, click Add.
- Enter the URL for the CA's CRL.
Notes:
- The certificate revocation list (CRL) is a list of certificate serial numbers that have been revoked or are not valid.
- The URL for the CA’s CRL may be http or LDAP.
- Each CA has a different URL where CRLs are distributed; you can determine this by browsing the CA certificate’s CRL Distribution Points extension.
- Click Test Connection to verify the URL.
- Click Save.
- Sign applets/ts1.jar using jarsigner.
Note Refer to http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/jarsigner.html for more information. The ts1.jar file provided with Identity Manager is signed using a self-signed certificate, and should not be used for production systems. In production, this file should be re-signed using a code-signing certificate issued by your trusted CA.
Client-Side Configuration
Follow these steps to enable client-side configuration:
Prerequisites
Your client system must be running a Web browser with JRE 1.4 or higher.
Procedure
Obtain a certificate and private key, and then export them to a PKCS#12 keystore.
For example, if using a Microsoft CA, you would follow steps similar to these:
- Using Internet Explorer, browse to http://IPAddress/certsrv, and then log in with administrative privileges.
- Select Request a certificate, and then click Next.
- Select Advanced request, and then click Next.
- Click Next.
- Select User for Certificate Template.
- Select these options:
- Click Submit, and then click OK.
- Click Install this certificate.
- Select Run —> mmc to launch mmc.
- Add the Certificate snap-in:
- Select Console—>Add/Remove Snap-in.
- Click Add...
- Select Computer account.
- Click Next, and then click Finish.
- Click Close.
- Click OK.
- Go to Certificates—>Personal—>Certificates.
- Right-click Administrator, and then select All Tasks—>Export.
- Click Next.
- Click Next to confirm exporting the private key.
- Click Next.
- Provide a password, and then click Next.
- In the File name field, enter the location for the exported file (CertificateLocation).
- Click Next, and then click Finish. Click OK to confirm.
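The following script is an added example that is not part of the Identity Manager guide; it uses OpenSSL in place of the Microsoft CA to reproduce the artifacts the two procedures above rely on: a constructed lab CA whose certificate would be imported as a trusted certificate, an approver certificate carrying the CRL Distribution Points extension that the CRL note says to read, the PKCS#12 keystore the client-side export produces, and the chain check that a signed approval must pass. The CA name, the Administrator subject, the CRL URL and the keystore password are all constructed placeholders.

```shell
#!/bin/sh
# Added example (not Identity Manager's own code). Requires the openssl CLI.
set -eu
WORK="${WORK:-$(mktemp -d)}"
# Constructed placeholder; a real CA publishes its own CRL location.
CRL_URL="http://ca.example.test/CertEnroll/lab-ca.crl"

# 1. Lab CA: stands in for the CA whose certificate you add as trusted.
make_lab_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Lab Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# 2. Approver certificate issued by that CA, with a CRL Distribution Point
#    (the Microsoft "User" template also stamps one in).
make_user_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Administrator" \
    -keyout "$WORK/user.key" -out "$WORK/user.csr" 2>/dev/null
  printf 'crlDistributionPoints=URI:%s\n' "$CRL_URL" > "$WORK/ext.cnf"
  openssl x509 -req -in "$WORK/user.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -extfile "$WORK/ext.cnf" \
    -out "$WORK/user.pem" 2>/dev/null
}

# 3. Export certificate + private key to PKCS#12, the keystore the Sign
#    dialog asks for. $1 is the keystore password (constructed here).
export_pkcs12() {
  openssl pkcs12 -export -in "$WORK/user.pem" -inkey "$WORK/user.key" \
    -certfile "$WORK/ca.pem" -passout "pass:$1" -out "$WORK/approver.p12"
}

# Read the first URI in the CRL Distribution Points extension of $1, which is
# the URL you enter in the CRLs area of the Certificates page.
crl_url_of() {
  openssl x509 -in "$1" -noout -text | sed -n 's/.*URI://p' | head -n 1
}

# Chain check: exit 0 only if the approver certificate chains to the CA in $1.
# Identity Manager performs the same trust decision against its trusted list.
verify_chain() {
  openssl verify -CAfile "$1" "$WORK/user.pem" >/dev/null 2>&1
}

# Run all steps when invoked as: sh signed-approval-lab.sh run
case "${1:-}" in
  run) make_lab_ca; make_user_cert; export_pkcs12 changeit
       echo "CRL URL: $(crl_url_of "$WORK/user.pem")"
       verify_chain "$WORK/ca.pem" && echo "chain OK: $WORK/approver.p12" ;;
esac
```

The CRL URL printed here is the constructed placeholder; on a real certificate it is the value to paste into the CRLs area and check with Test Connection.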
Signing Approvals
Follow these steps to sign an approval.
- From the Identity Manager Administrator interface, select Approvals.
- Select an approval from the list.
- Enter comments for the approval, and then click Approve.
Identity Manager prompts you and asks whether to trust the applet.
- Click Always.
Identity Manager displays a dated summary of the approval.
- Enter or click Browse to locate the keystore location (the location provided in Step 10m of the server-side configuration procedure).
- Enter the keystore password (the password provided in Step 10l of the server-side configuration procedure).
- Click Sign to approve the request.
Signing Subsequent Approvals
After signing an approval, subsequent approval actions require only that you enter the keystore password and then click Sign. (Identity Manager should remember the keystore location from the previous approval.)
Viewing the Transaction Signature
Follow these steps to view the transaction signature in an Identity Manager AuditLog report.
- From the Identity Manager Administrator interface, select Reports.
- On the Run Reports page, select AuditLog Report from the New... list of options.
- In the Report Title field, enter a title (for example, “Approvals”).
- In the Organizations selection area, select all organizations.
- Select the Actions option, and then select Approve.
- Click Save to save the report and return to the Run Reports page.
- Click Run to run the Approvals report.
- Click the details link to see transaction signature information, including: