This post of tips is for version 12.6 (the most recent as of this post) and only for Native IdentityMinder Management Console Authentication. If you have Siteminder protecting IdM then you are fine and don't need to worry about this.
I upgraded to version 12.6 from 12.5 SP13. The upgrade itself does not create the AuthenticationDirectory. If you install 12.6 from scratch it will. If you upgraded, don't have Siteminder, and want to protect the Management Console (you should) then there are some manual steps you need to take to get it up and working.
I followed the manual steps verbatim and I have a few additional tips.
In the manual you will find the steps here
Configuration Guide > CA IdentityMinder Protection > Management Console Security > Protect an Existing Environment After Upgrade
The first step has you editing a file that the docs state is in -
CA IdentityMinder_Installation\iam_im.ear.
This is not complete accurate, I read that and was looking in the IdentityMinder installation folder (D:\Program Files (x86)\CA\Identity Manager). It's not there. The EAR files are in your app server deployment, in the out of the box installation it will be in your JBOSS folders -
The second step can be read two different ways, I read it with a technical mind and after it failed I re-read it and saw the second meaning. Here's how it's written -
2.Create the IM_AUTH_USER table in the CA IdentityMinder object store.
The IM_AUTH_USER table stores information about Management Console administrators.
a.Navigate to CA\Identity Manager\IAM Suite\Identity Manager\tools\db\objectstore
b.Run one of the following scripts against the object store:
sql_objectstore.sql
oracle_objectstore.sql
I had a co-worker read the steps and do it as well and he did it the same way I did. The first line is a description of the step, not an instruction to go and create the table. I read it with an instruction mind set and went into the object store and created the IM_AUTH_USER table and then ran the script which failed to build the table's columns. I deleted the table and re-ran the script and it worked.
I followed the rest of the steps, added the user into the table and restarted the server. I noticed that in this table the password is clear text and the manual does warn you of this. However, it just tells you that the password is not encrypted, it does not state that you cannot update the directory to add encryption like any other RDB directory.
After you restart IdM and access the console you will get a Management Console login screen. Log in with your user you added and you'll see a new directory called AuthenticationDirectory in your list. It looks like any other directory except now there is a Used for Authentication column and the value is true. When you go into the directory you will see three buttons, Update Authentication, Export and Update. From my testing and trying to get it to work the Update is useless for this directory, it doesn't work. It will throw an AuthenticationDirectory already exists and stop. So it really is just a bootstrap to enable native security and allow you in to set a properly secured directory as your authentication source. One time use almost.
In the screenshot below you can see I have three directories and my CorpStore is set to be the authentication source where I have my Super User added the Management Console Authentication. Since you can only have one authentication directory I can delete the bootstrap user I created out of the IM_AUTH_USER table and leave it empty.
The Management Console is now secure.
If you run into a serious problem with your corporate store and can't log in all you need to do it go back into the web.xml file and set the ManagementConsoleAuthFilter setting to false to shut off authentication and restart to get in to the console if you are in a dire situation. With that ease of shutting off the security that you enable you will need to make sure that file is secure on the OS end as well.
Just another reason to have Siteminder and not worry about it.
End of Line.
Posted in: HowTo,IdentityMinder
0 comments:
Post a Comment