BMC Identity Management Suite (JBoss Deployment)


BMC Identity Management Suite (JBoss Deployment) Administrator Guide

Supporting, for UNIX and Windows operating systems:
  BMC User Administration Manager version 5.5
  BMC Password Manager version 5.5
  BMC Identity Compliance Manager version 5.5
  BMC Identity Open Services version 5.5
  BMC Web Access Manager version 5.5
  BMC Identity Federation Manager version 5.5
  BMC Identity Request Manager version 5.5

November 15, 2006

Contacting BMC Software

From the BMC Software website, you can obtain information about the company, its products, corporate offices, special events, and career opportunities.

United States and Canada
  Address: BMC SOFTWARE INC, 2101 CITYWEST BLVD, HOUSTON TX, USA
  Telephone:
  Fax:

Outside United States and Canada
  Telephone: (01)
  Fax: (01)

Copyright 2006 BMC Software Inc. as an unpublished work. All rights reserved.

BMC Software, the BMC Software logos, and all other BMC Software product or service names are registered trademarks or trademarks of BMC Software, Inc. Oracle is a registered trademark, and the Oracle product names are registered trademarks or trademarks of Oracle Corporation. All other trademarks belong to their respective companies.

BMC Software considers information included in this documentation to be proprietary and confidential. Your use of this information is subject to the terms and conditions of the applicable End User License Agreement for the product and the proprietary and restricted rights notices included in this documentation.

Restricted rights legend
U.S. Government Restricted Rights to Computer Software. UNPUBLISHED -- RIGHTS RESERVED UNDER THE COPYRIGHT LAWS OF THE UNITED STATES. Use, duplication, or disclosure of any data and computer software by the U.S. Government is subject to restrictions, as applicable, set forth in FAR Section , DFARS , DFARS , DFARS , and DFARS , as amended from time to time. Contractor/Manufacturer is BMC SOFTWARE INC, 2101 CITYWEST BLVD, HOUSTON TX , USA. Any contract notices should be sent to this address.

Customer support

You can obtain technical support by using the BMC Software Customer Support website or by contacting Customer Support by telephone or e-mail. To expedite your inquiry, see "Before contacting BMC" below.

Support website
You can obtain technical support from BMC 24 hours a day, 7 days a week. From the support website, you can:
  read overviews about support services and programs that BMC offers
  find the most current information about BMC products
  search a database for issues similar to yours and possible solutions
  order or download product documentation
  report an issue or ask a question
  subscribe to receive proactive alerts when new product notices are released
  find worldwide BMC support center locations and contact information, including e-mail addresses, fax numbers, and telephone numbers

Support by telephone or e-mail
In the United States and Canada, if you need technical support and do not have access to the web, call or send an e-mail message to [email protected]. Outside the United States and Canada, contact your local support center for assistance.

Before contacting BMC
Have the following information available so that Customer Support can begin working on your issue immediately:
  product information
    product name
    product version (release number)
    license number and password (trial or permanent)
  operating system and environment information
    machine type
    operating system type, version, and service pack or other maintenance level such as PUT or PTF
    system hardware configuration
    serial numbers
    related software (database, application, and communication) including type, version, and service pack or maintenance level
  sequence of events leading to the issue
  commands and options that you used
  messages received (and the time and date that you received them)
    product error messages
    messages from the operating system, such as file system full
    messages from related software

BMC Identity Management Suite Administrator Guide

Contents

About this book  15
  Related publications
  New terminology
  Syntax statements
  Conventions

Chapter 1  Overview  21
  BMC Identity Management Suite architecture
    Back-end
    Front-end

Chapter 2  Installation  27
  Installation checklist
  Installation worksheet
  Prerequisites
    Determine deployment type
    Obtain the product media
    Ensure system requirements
    Create the product installation account(s)
    Install database client
    Define ESS Application Servers
    Configure Enterprise SecurityStation
      Install new ESS Keywords
      Create an ESS administrator for the unattended administrator for Open Services
      Create the Person(s) and ESS administrator(s) for the unattended Persons
      Assign Person passwords to ESS administrators
      Initialize the passwords for all Suite users
      Enable the Common UI Login parameter
    Configure JBoss server directory and assign ports
    Prerequisites for Web Access Manager (Web Access Manager)
      Edit the Web server proxy file
      Prepare for Web Access Manager silent install
    Prerequisites for Request Manager
  Installation procedure
    Install the Suite product components
    Update environment variables
      UNIX: Log out and log in to the installation account(s)
      Windows: Restart Windows
    Modify the run.sh script (Unix only)
    Modify the stop_idm_suite.bat script (Windows only)
    Install service pack for the IdM Suite
    Determine the Suite URL
    Import the shared secret into Enterprise SecurityStation
  Application deployment
    Deploy the Suite applications
  Post-installation
    Implement an SSL connection between distributed servers
    Implement a trusted connection between distributed servers
    Create a user who can configure the Suite and test the applications
    Start the BMC Identity Management Suite
    Register the ESS Application Servers parameters
    Register the unattended Person(s)
    Run the Form Generator utility
    Configure Identity Compliance Manager
    Test the Suite applications
  Additional configuration tasks
    Back up the installation directory
    Run the BMC Web Access Manager configuration wizard
    Set up Person to configure BMC Web Access Manager
    Modify the glue-web-ui-config.xml file
    Set up headers in Web Access Manager outside the Suite framework
    Installing the Web Access Manager Enforcement Agent
    Web SSO proxy configuration
  Uninstalling the BMC Identity Management Suite

Chapter 3  General Configuration  119
  General configuration issues
    Authorization needed to perform configuration tasks
    Starting/stopping the BMC Identity Management Suite
    Scope of configuration changes
    Overview of the BMC Identity Management Suite keystores
  Overview of the Suite Configuration application
    Summary: Suite Configuration options
  Using the Suite Configuration application
    Security and Authentication: Unattended Administrators
      Create the unattended ESS Persons for applications
    Security and Authentication: System Passwords
    Security and Authentication: ESS Login Profile
    Security and Authentication: Suite Keystores
    Security and Authentication: External Authentication
    Security and Authentication: Authentication Method
    Maintenance: Components Info
    Maintenance: Components Status
    Maintenance: Collect Logs
    Application Configuration: Form Generator
    Application Configuration: Manage ESS Global Parameters
    Application Configuration: Compliance Manager
    Application Configuration: Workflow Schema
    Application Configuration: Request Manager
    Application Configuration: CDM Applications
    Application Configuration: Web Access and Federation
    Create/import/delete the ESS Shared Secret
    Generate a new ID number for the Suite certificates
    Displaying the Suite URL
  Enabling a BMC Identity Management Suite user
    Create the Persons in ESS
    Enable use of each product
    Set the initial password for the user
    Additional product-specific configuration requirements
  Setting the initial password of users
    Setting initial passwords using the Update command
    Forcing users to change their initial password
    Setting initial passwords using the Change password command
    Allow login with empty password
    Configure initial challenges and responses
  Disabling a BMC Identity Management Suite user
  Configuring password-change synchronization
    Configuring ESS Global parameters
    Enable propagation in the Suite Configuration application
  Managing the Session
    Enabling cookies
    Setting the session time-out interval
    Setting the default tabbed page
  Configure cryptographic algorithms and key aliases
  Configure the System password: temporary or permanent
  Implement a non-ssl connection in a distributed deployment
  Configuring log file attributes
    Viewing individual log files
    Setting log file attributes
  Connection Pool Size
  Discovery files
  Configure SSO links for change password and log off

Chapter 4  ESS Global parameters  197
  Defining and enforcing global security parameters
  Modifying global parameters
    General parameters tabbed page
    Audit parameters tabbed page
    Password strength parameters tabbed page
    Password policy parameters tabbed page
    ESS Login parameters tabbed page
    Challenges and responses parameters tabbed page
    Self service parameters tabbed page
    Help Desk parameters tabbed page
    Provisioning Rules parameters tabbed page
    ESS Console parameters tabbed page

Chapter 5  Operation  225
  Starting/Stopping the BMC Identity Management Suite
    Permissions required for starting and stopping the Suite
    Start the BMC Identity Management Suite
    Stop the BMC Identity Management Suite
  Accessing the BMC Identity Management Suite
  Collecting Information for support issues

Chapter 6  Localizing the user interface  231
  Localizing the language the user interface displays
  Changing the English text in the user interface

Appendix A  Enabling cookies in your Web browser  237
  Enabling cookies: Microsoft Internet Explorer
    IE version
    IE version
  Enabling cookies: Mozilla Firefox

Appendix B  External LDAP authentication  241
  Implementation checklist
  Configure the external authentication
    Configure mapping type
    Configure external authentication
    Enable the log in page for external authentication
    Set ESS Person authentication method field
  Optional: Using a batch mapping procedure
    Create a mapping file
    Configure the IDM-mapldaptoess utility
    Optional: Configure multiple LDAP domains
    Run the IDM-mapldaptoess utility
    Understanding the IDM-mapldaptoesserror.log file

Appendix C  Securing ESS Audit records  259
  Overview
    Enabling Audit entries
    Signing Audit entries
    Validating Audit entries
  Software required
  Prerequisite: Enabling audit messages
  Using the audit-validator
    Configuring the audit-validator
    Running the audit-validator
    The audit-validator output file
    Validating Audit records from more than one Open Services
    Using more than one private/public key pair

Appendix D  Using JBoss behind a firewall  269
  Intended audience
  Firewall Scenarios
  JBoss ports used by the BMC Identity Management Suite
  Enabling Request Manager Responsive Action under WAM

Appendix E  Messages  273
  Message components
  Message log file
  Message descriptions

Index  303


Tables

  New BMC Identity Management terminology
  Installation Checklist
  Installation worksheet
  Installation worksheet for Web Access Manager
  Hardware and software requirements
  Installation prompts
  Web Access Manager installation prompts
  Security Review prompt (part 1)
  Security Review prompt (part 2)
  How to enable a product for a Person in ESS
  Security and Authentication
  Maintenance
  Application Configuration
  Permissions needed for the unattended administrator
  Define unattended ESS administrator
  Permissions needed for the unattended ESS Persons
  Define unattended ESS Person
  Change System password
  ESS Login Profile Parameters
  Authentication method
  Configure Compliance Manager screen
  Configure Compliance Manager screen
  Reports screen
  Workflow Schema configuration
  Request Manager configuration
  How to enable a product for a Person in ESS Console
  Line command to enable products for a Person
  Additional requirements for the Person in ESS
  Disabling BMC Identity Management Suite products
  General tabbed page
  Audit parameters tabbed page
  Password strength parameters tabbed page
  Password policy parameters tabbed page
  ESS Login tabbed page
  Challenge and response policy parameters tabbed page
  Manage Self Service page
  Help Desk parameters
  Global parameter
  Provisioning Rules parameters
  Timeout Values subfields
  Timeout Values Entities
  ESS Console tabbed page
  Implementation Checklist
  map-ldap-to-ess-config.xml
  Starting the IDM-mapldaptoess utility
  open-services-config.xml
  audit-validator-config.xml
  Starting the audit-validator utility
  Configuring JBoss for use behind a firewall

Figures

  BMC Identity Management Suite architecture
  silent_options.txt file containing encryption key
  BMC Identity Management Suite installation wizard: Welcome screen
  BMC Identity Management Suite command-line prompts: Welcome
  New attribute associated to object class
  Attribute mapping
  Policy Manager application screen
  Policy Manager application - Search Results screen
  Custom Attribute Example
  Transfer of certificates between the Front-end and Back-end servers
  Suite Configuration application: main welcome screen
  General tabbed page
  Audit parameters tabbed page
  Password strength parameters tabbed page
  Password policy tabbed page
  ESS Login tabbed page
  Challenge and response parameters tabbed page
  Self-service parameters page
  Help Desk tabbed page
  Microsoft Internet Explorer security settings
  Advanced Privacy Settings dialog box
  Privacy settings
  Example: Mapping file LDAP ID to ESS ID
  map-ldap-to-ess-config.xml
  Example: Multiple LDAP domains
  Example
  Example: log file
  open-services-config.xml
  audit-validator-config.xml
  Open Services ID tag block
  Multiple Open Services (example)


About this book

This book describes how to install, configure, and maintain the BMC Identity Management Suite (for ease of reference also called "the Suite"). The BMC Identity Management Suite provides highly-integrated identity management solutions including:
  User Administration and Provisioning
  Password Management
  Audit and Compliance Management
  Web Access Management
  Identity Federation Management

NOTE: The BMC Identity Management Suite also includes an Identity Common UI Services infrastructure. This infrastructure is universal to the Suite, and provides infrastructure services including unified login and session management.

This book is intended for the members of an enterprise network security department whose job includes installing, configuring, and maintaining the BMC Identity Management Suite. This book assumes you are familiar with the following:
  Enterprise SecurityStation
  The operating system you are using for installing the Suite
  The J2EE application server you are using for deploying and administering the Suite
  Network security administration

Like most BMC Software documentation, this book is available in printed and online formats. Visit the BMC Software Customer Support page to request additional printed books or to view online books and notices (such as release notes and technical bulletins). Some product shipments also include the online books on a documentation CD.

NOTE: Online books are formatted as Portable Document Format (PDF) or HTML files. To view, print, or copy PDF books, use the free Acrobat Reader from Adobe Systems. If your product installation does not install the reader, you can obtain it from Adobe Systems.

Documentation Center
The BMC Identity Management Suite application deployment includes installing the documentation as a Web-based Documentation Center. After the Suite is installed, the documentation can be accessed from:
  the Suite Configuration tab => Documentation Center
  the Documentation Center URL, where the hostname and HTTPS port are the same as for the BMC Identity Management Suite

Related publications
The following related publications supplement this book and the online Help:

BMC Identity Management Suite
  BMC Identity Management Suite Administrator Guide: Describes how to install the Identity Management System which includes the Common UI Services infrastructure, Identity Open Services, User Administration Manager, Password Manager, Identity Compliance Manager, and Identity Open Services. The guide also describes how to perform relevant configuration, maintenance, and customization tasks.
  BMC Identity Management Suite Getting Started Guide: Provides an overview of the BMC Identity Management Suite and describes the documentation set for setting up and operating the Suite.
  BMC Identity Management Suite SDK Programmer's Guide: Provides an overview of the Identity Open Services Java SDK, enabling developers to build customized Open Services clients. This guide is accompanied by the Identity Open Services Javadoc which presents the available Open Services API in HTML format.

BMC User Administration Manager
  BMC User Administration Manager Administrator Guide: Describes procedures for defining users of User Administration Manager, and how to customize the user interface to comply with site requirements.
  BMC User Administration Manager User Guide: Describes how to perform security administration tasks employing the User Administration Manager. Describes Enterprise SecurityStation concepts, features, facilities, and operating instructions in detail.

BMC Password Manager
  BMC Password Manager Administrator Guide: Describes procedures for defining users of Password Manager, and how to configure and customize the product to comply with site requirements.
  BMC Password Manager User Guide: Describes how to use the Password Manager to change and synchronize your passwords and to solve problems of forgotten passwords and locked or revoked accounts.

BMC Identity Compliance Manager
  BMC Identity Compliance Manager Administrator Guide: Describes initial configuration required after installing BMC Identity Compliance Manager and how to maintain the product. Also describes functions performed by the Identity Compliance Manager Administrator.
  BMC Identity Compliance Manager Policy Administrator Guide: Describes functions performed by the Policy Administrators, including creating Compliance Groups and scheduling Policy Activities.
  BMC Identity Compliance Manager User Guide: Provides instructions for Auditors to access information and reports generated by Identity Compliance Manager modules.
  BMC Identity Compliance Manager Compliance Modules Reference Manual: Provides reference information for Compliance Modules and Reporting Modules in BMC Identity Compliance Manager.

BMC Web Access Manager
  BMC WAM AD and ADAM Pre-Installation Requirements Guide: Describes how to perform the actions required as prerequisites to installing the Web Access Management solution.
  BMC Web Access Manager Configuration Guide: Describes the configuration of BMC Web Access Manager through the Configuration Manager component. This includes Certificate information, Log Collector and Password Strength information.
  BMC Web Access Manager Policy Manager Guide: Describes the Policy Manager component and the procedures used to control access to the organization's web-enabled applications or Resources.
  BMC Web Access Manager Extending WAM Guide: Describes the methods to extend the BMC Web Access Manager (WAM) product. BMC WAM was designed for easy extendibility using standard Web technologies. The standard technologies used for the framework and implementation include the Jakarta Struts Framework (Struts), HTML, JavaServer Pages (JSP), J2EE Web Application Archives (War files), Cascading Style Sheets (CSS) and property files.

BMC Web Access Manager (continued)
  BMC Web Access Manager IBM Directory Server Configuration Guide: Describes the configuration of the IBM Directory Server for use with the BMC Web Access Manager. This includes installation and configuration instructions for HTTP Server, DB2 and LDAP.
  BMC Web Access Manager J2EE API Developer's Guide: Describes the methods for applications developers to develop interfaces into the BMC Web Access Manager using the J2EE API.
  BMC Web Access Manager .Net API Developer's Guide: Describes the methods for applications developers to develop interfaces into the BMC Web Access Manager using the .Net API.
  BMC Web Enforcement Agent Administrator Guide (formerly the EA Features Guide): Describes the features of the Enforcement Agent.
  BMC Web Enforcement Agent Installation Guide: Describes the steps to install the BMC Web Enforcement Agent.

BMC Request Manager
  BMC Identity Request Manager Administrator Guide: Describes how to install the BMC Identity Request Manager within the BMC Identity Management Suite. It also describes how to perform relevant configuration and administration tasks.
  BMC Identity Request Manager Customization Guide: Describes how to customize the BMC Identity Request Manager using the BMC Corporate Directory Manager tools.
  BMC Identity Request Manager User Guide: Describes how to use BMC Identity Request Manager to manage interoperating processes of the BMC Identity Management Suite products.

BMC Corporate Directory Manager
  Common UI Services Integration Implementation Guide: Describes how to integrate a BMC Corporate Directory Manager application into the BMC Identity Management Suite.
  Workflow Implementation Guide: Describes how to integrate the BMC Corporate Directory Manager Workflow facility. It also describes how to develop business processes for existing BMC Corporate Directory Manager applications.

New terminology

New terminology is being phased in with the release of new BMC products. Enterprise SecurityStation application servers, database, and SA-Agents will all phase in the new terminology during the coming product release cycles. Password Manager and its related documentation now use this new terminology. The following table describes the differences between the current and new terminology.

Table 1  New BMC Identity Management terminology

  Original Term                                           New Term
  CONTROL-SA, CTSA                                        BMC Identity Management Suite
  Enterprise User                                         Person/Persons
  Job Code                                                Profile
  RSS User                                                Account
  User Group                                              Group
  RSS                                                     Managed System
  RSS Type                                                Managed System Type
  Update/View                                             Properties
  Profile (for logging in to Enterprise SecurityStation)  Login Profile
  SA-Agent                                                Services Manager
  USA-API                                                 Provisioning Module

NOTE: Most versions of the CONTROL-SA/Agents continue to use the original terminology: SA-Agent and USA-API. The terms Services Manager and Provisioning Module are being incrementally phased in together with current product releases.

Syntax statements

The following example shows a sample syntax statement:

  COMMAND KEYWORD1 [KEYWORD2 | KEYWORD3] KEYWORD4={YES | NO} filename...

The following table explains conventions for syntax statements and provides examples:

  Item: Items in italic type represent variables that you must replace with a name or value. If a variable is represented by two or more words, initial capitals distinguish the second and subsequent words.
  Example: alias, databaseDirectory, serverHostName

  Item: Brackets indicate a group of optional items. Do not type the brackets when you enter the option. A comma means that you can choose one or more of the listed options. You must use a comma to separate the options if you choose more than one option.
  Example: [tableName, columnName, field]; [-full, -incremental, -level] (Unix)

  Item: Braces indicate that at least one of the enclosed items is required. Do not type the braces when you enter the item.
  Example: {DBDName | tableName}; UNLOAD device={disk | tape, filename | deviceName}; {-a | -c} (Unix)

  Item: A vertical bar means that you can choose only one of the listed items. In the example, you would choose either commit or cancel.
  Example: {commit | cancel}; {-commit | -cancel} (Unix)

  Item: An ellipsis indicates that you can repeat the previous item or items as many times as necessary.
  Example: columnName...

Conventions

This book uses the following special conventions:
  All syntax, operating system terms, and literal examples are presented in this typeface.
  Variable text in path names, system messages, or syntax is displayed in italic text: testsys/instance/filename
  The symbol => connects items in a menu sequence. For example, Actions => Create Test instructs you to choose the Create Test command from the Actions menu.
  Throughout this manual, when the IdM Suite is installed on a Microsoft Windows platform, use %BMC_IDM_SUITE_HOME% whenever $BMC_IDM_SUITE_HOME is specified.

Chapter 1  Overview

Today, most important corporate assets are stored in digital form on an information technology (IT) architecture built on an increasing variety of interconnected, complex, and heterogeneous computer systems and databases. Companies must implement IT solutions, and establish administrative practices, to protect and control access to this valuable corporate information. Access must be secure and private, with resources allowed only to properly authorized employees, partners, and customers.

The BMC Identity Management Suite consists of several related products designed to provide solutions to several of the large problems in the area of identity management. The BMC Identity Management Suite provides the following solutions:

User Administration and Provisioning solution: Manages the complete account provisioning life cycle, including account creation, maintenance, and revocation. Aligns persons via roles and business rules with any required IT-based business processes, securely, and at the right level of authorization.
  Includes: User Administration Manager

Password Management solution: Manages self-help password changes, enabling and registering accounts, and optionally implements password synchronization. Certain users can be granted the permission to be a Password Manager administrator. These administrators are empowered to perform similar actions (e.g., password change) on behalf of other users.
  Includes: Password Manager, and User Administration Manager

Audit and Compliance Management solution: Supports IT audit compliance reporting. Compliance is measured against established operational and regulatory IT-governance policies.
  Includes: Compliance Manager, and User Administration Manager

Web Access Management solution: Manages end-user access to Web-based applications and resources from a unified Policy Manager application. Access is authorized by defining policies based on roles and organizations. WAM also provides a framework to provide secure Web single sign-on (SSO) to multiple Web resources.
  Includes: Policy Manager, Change Password, Self-Service, Enforcement Agent, Configuration Manager

Identity Federation Management solution: Joins identity and federated access information so that different internal and external groups of users can move seamlessly through different domains of network resources in a trustworthy fashion.
  Includes: Identity Federation Manager, Identity Federation Manager Distributable Module

Identity Request Management solution: Manages business workflow processes across the following BMC Identity Management Suite solutions: Identity Compliance Manager and User Administration Manager. All of Request Manager's actions are digitally signed in an audit trail. Request Manager has the ability to take automatic corrective actions based on Compliance Manager Policies. It also can perform "attestation" by periodically recertifying the access rights of users. Request Manager provides out-of-the-box workflows, enabling it to perform provisioning actions on persons and accounts.
  Includes: Identity Request Manager, User Administration Manager, and Compliance Manager

BMC Identity Management Suite architecture

This section provides a brief overview of the BMC Identity Management Suite architecture. The BMC Identity Management Suite products are installed in a Windows or UNIX environment, on a J2EE application server, using a single, unified installation procedure. The BMC Identity Management Suite connects to Enterprise SecurityStation (ESS) and its central database. Users interact with the BMC Identity Management Suite using a Web-based graphical user interface (GUI) that is accessed by logging in through a standard Internet browser. The main components of the architecture are shown in Figure 1, and brief descriptions of each component follow.

Figure 1  BMC Identity Management Suite architecture

24 BMC Identity Management Suite architecture Back-end Managed Systems A Managed System can be the native security of an operating system (e.g., Windows, Solaris, AIX, Linux, HP-UX), an add-on security product (e.g., RACF, Novell NetWare), or any other product that requires user log in authentication (e.g., SAP, Oracle). A Managed System is also an entity in Enterprise SecurityStation. It enables log in, and life-cycle actions (e.g., create, modify, revoke), to be performed on the accounts that reside in the Managed System. Services Managers and Provisioning Modules Services Managers and Provisioning Modules are usually installed on the Managed Systems. They enable two-way communication between the Managed Systems and Enterprise SecurityStation. These components are used to send requests to Managed Systems (e.g., create a new account for James Richards) and retrieve information that is sent back to Enterprise SecurityStation (e.g., a user has changed his/her password). Enterprise Security Station All BMC Identity Management Suite solutions (e.g., User Administration and Provisioning, Password Management) use the Enterprise SecurityStation capabilities and access its database. Enterprise SecurityStation is a powerful, versatile, database used for storing, manipulating, and retrieving enterprise-level information including detailed descriptions of users, roles, managed systems, accounts, groups, and resources. Enterprise SecurityStation works with data that encompasses more than twenty different security, provisioning, and administration categories called entities. The ESS entities are used for performing identity management tasks such as creating and revoking accounts, managing passwords, and performing audit and compliance verification. For more information, see the Enterprise SecurityStation Administration Guide and the ESS Console User Guide. 24 BMC Identity Management Suite Administrator Guide

25 BMC Identity Management Suite architecture Identity Open Services Identity Open Services is a Java-based middle-layer tier that connects the BMC Identity Management Suite products to Enterprise SecurityStation. Identity Open Services provides an easy-to-use API that developers can use to create their own front-end applications. Identity Open Services can also accept standards-based Webservices requests. For SDK developers Identity Open Services can be installed as a separate infrastructure component. Compliance Manager Back-end The Audit and Compliance Management solution uses the Compliance Manager Back-end as a server-side component. Front-end BMC Identity Management applications These BMC Identity Management Suite products are described briefly at the beginning of this chapter: User Administration Manager Password Manager Compliance Manager Web Access Manager Identity Federation Manager Request Manager Detailed descriptions are available for each product in separate user and administrator guides. For more information, see Related publications on page 16. Identity Common UI Services Identity Common UI Services is a Front-end infrastructure component that provides common user-interface services to all BMC Identity Management products. These services include: unified application login, and session management. This infrastructure component is automatically installed whenever any of the BMC Identity Management solutions are selected during the installation procedure. However, Identity Common UI Services can be installed by SDK developers as a separate component. Chapter 1 Overview 25

Form Generator

The Form Generator is a stand-alone utility used to generate the XML form definition files required by the User Administration Manager. The Form Generator is activated after the installation procedure to generate new XML form definition files. It must also be activated on the occurrence of certain events to update the XML form definition files. For more information, see Application Configuration: Form Generator on page 159.

The Form Generator retrieves the current Keyword definitions from ESS. Keyword is an entity used by all ESS entities to define and store properties. XML form definition files are used to present the current ESS Keywords as Web elements such as fields and drop-down lists.

Chapter 2 Installation

This chapter describes how to perform prerequisites, installation, application deployment, and basic configuration for the BMC Identity Management Suite. The following topics are discussed:

   Installation checklist
   Installation worksheet
   Prerequisites
      Determine deployment type
      Obtain the product media
      Ensure system requirements
      Create the product installation account(s)
      Install database client
      Define ESS Application Servers
      Configure Enterprise SecurityStation
      Install new ESS Keywords
      Create an ESS administrator for the unattended administrator for Open Services
      Create the Person(s) and ESS administrator(s) for the unattended Persons
      Assign Person passwords to ESS administrators
      Initialize the passwords for all Suite users
      Enable the Common UI Login parameter
      Configure JBoss server directory and assign ports
      Prerequisites for Web Access Manager
      (Web Access Manager) Edit the Web server proxy file
      Prepare for Web Access Manager silent install
      Prerequisites for Request Manager
   Installation procedure
      Install the Suite product components
      Update environment variables
      UNIX: Log out and log in to the installation account(s)
      Windows: Restart Windows
      Modify the run.sh script (Unix only)
      Modify the stop_idm_suite.bat script (Windows only)
      Install service pack for the IdM Suite

      Determine the Suite URL
      Import the shared secret into Enterprise SecurityStation
   Application deployment
      Deploy the Suite applications
   Post-installation
      Implement an SSL connection between distributed servers
      Implement a trusted connection between distributed servers
      Create a user who can configure the Suite and test the applications
      Start the BMC Identity Management Suite
      Register the ESS Application Servers parameters
      Register the unattended Person(s)
      Run the Form Generator utility
      Configure Identity Compliance Manager
      Test the Suite applications
   Additional configuration tasks
      Back up the installation directory
      Run the BMC Web Access Manager configuration wizard
      Set up Person to configure BMC Web Access Manager
      Modify the glue-web-ui-config.xml file
      Set up headers in Web Access Manager outside the Suite framework
      Installing the Web Access Manager Enforcement Agent
      Web SSO proxy configuration
   Uninstalling the BMC Identity Management Suite

Installation checklist

The table that follows lists the steps required to install and start BMC Identity Management Suite.

TIP: BMC Software recommends that you review the entire installation procedure before starting to ensure that you have access to all required information and resources. It is recommended that you print this table and use it as a checklist to help guide you through the installation procedure.

Table 2 Installation Checklist

Step
Prerequisites
    1  Determine deployment type
    2  Obtain the product media
    3  Ensure system requirements
    4  Create the product installation account(s)
    5  Install database client
    6  Define ESS Application Servers
    7  Configure Enterprise SecurityStation
    8  Install new ESS Keywords
    9  Create an ESS administrator for the unattended administrator for Open Services
   10  Create the Person(s) and ESS administrator(s) for the unattended Persons
   11  Assign Person passwords to ESS administrators
   12  Initialize the passwords for all Suite users
   13  Enable the Common UI Login parameter
   14  Configure JBoss server directory and assign ports
   15  Prerequisites for Web Access Manager
   16  (Web Access Manager) Edit the Web server proxy file
   17  Prepare for Web Access Manager silent install
   18  Prerequisites for Request Manager
Installation procedure
   19  Install the Suite product components
   20  Update environment variables
   21  UNIX: Log out and log in to the installation account(s)
   22  Windows: Restart Windows
   23  Modify the run.sh script (Unix only)

   24  Modify the stop_idm_suite.bat script (Windows only)
   25  Install service pack for the IdM Suite
   26  Determine the Suite URL
   27  Import the shared secret into Enterprise SecurityStation
Application deployment
   28  Deploy the Suite applications
Post installation
   29  Implement an SSL connection between distributed servers
   30  Implement a trusted connection between distributed servers
   31  Create a user who can configure the Suite and test the applications
   32  Start the BMC Identity Management Suite
   33  Register the ESS Application Servers parameters
   34  Register the unattended Person(s)
   35  Run the Form Generator utility
   36  Configure Identity Compliance Manager
   37  Test the Suite applications
   38  Additional configuration tasks
   39  Back up the installation directory
   40  Run the BMC Web Access Manager configuration wizard
   41  Set up Person to configure BMC Web Access Manager
   42  Modify the glue-web-ui-config.xml file
   43  Set up headers in Web Access Manager outside the Suite framework
   44  Installing the Web Access Manager Enforcement Agent
   45  Web SSO proxy configuration

Each of these procedures is described in this chapter.

Installation worksheet

It is recommended that you print Table 3 and fill it in as you progress through the installation procedure. Each item of information you supply may be required later in an installation or a configuration procedure. When deploying the BMC Identity Management Suite on more than one server in a distributed deployment, record the parameter values during installation of both the Back-end and the Front-end components.

Table 3 Installation worksheet

The worksheet has two value columns: value(s) for only Back-end or a unified deployment, and value(s) for only Front-end distributed deployment. Rows where a column does not apply are marked N/A for that column; all other rows are to be filled in.

Installation Parameters
   Product Installation Account: User Name
   Installation path for BMC Identity Management Suite
   Installation type
   (Only for custom installation) List of solutions selected
   (Only for custom installation) List of components selected
   Database client(s)                                       Front-end distributed: N/A
   (Only if Oracle is selected) Oracle DB client path       Front-end distributed: N/A
   (Only if Sybase is selected) Sybase DB client path       Front-end distributed: N/A
   JBoss home directory
   Web server's secured HTTP port (HTTPS)
   Server's JNDI port
   List of the components you selected to install
   System password                                          Do not write this value here (either column).
   Signing key lifetime (months)
   Authentication key lifetime (months)
   Back-end host name                                       Back-end or unified: N/A
   New Login Profile name                                   Front-end distributed: N/A
   Is the ESS server for this Login Profile secure          Front-end distributed: N/A
   Is the ESS server for this Login Profile behind a firewall   Front-end distributed: N/A
   ESS Server Host Name                                     Front-end distributed: N/A
   ESS Server Domain Name                                   Front-end distributed: N/A
   ESS Server Port Number                                   Front-end distributed: N/A
   ESS Manager Name                                         Front-end distributed: N/A
   Enterprise SecurityStation version number                Front-end distributed: N/A
   ESS Admin                                                Front-end distributed: N/A
   ESS Admin password                                       Back-end or unified: Do not write this value here. Front-end distributed: N/A

Table 4 is applicable only if installing BMC Web Access Manager.

Table 4 Installation worksheet for Web Access Manager

Value(s) are for only a Back-end or a unified deployment; the Front-end distributed deployment column is N/A where marked.

Installation Parameters
   Name of directory server used with Web Access Manager
   Cookie key  (Save this key value for later use, but treat it as CONFIDENTIAL.)
   LDAP Host
   LDAP Port
   Secure Data Port
   LDAP User
   LDAP Password
   Retype LDAP Password
   LDAP Settings Root  [Default: cn=UIdPConfiguration,dc=yourdomain,dc=com]
   LDAP SSL Certificate File information                    Front-end distributed: N/A
   Enter the full path of the Java keystore to use for SSL   Front-end distributed: N/A
   Configure the log sender to send logs to the log collector
   Keystore file
   Keystore password
   Certificate Alias
   Certificate password                                     Do not write this value here.

Prerequisites

This section describes the required procedures for installing and setting up the BMC Identity Management Suite. The following procedures describe prerequisites before installing the BMC Identity Management Suite.

1 Determine deployment type

Summary: The BMC Identity Management Suite can be installed in one of two deployment scenarios:
   Unified deployment: All products and components installed on one server.
   Distributed deployment: Front-end and Back-end products and components installed on two or more servers.
The decision regarding which type of deployment to implement will affect subsequent installation steps.

To be performed by the IdM Suite Administrator.

NOTE: IdM Suite Administrator is the name of the role of the person responsible for installing, administering, and maintaining the BMC Identity Management Suite products.
   Account login credentials: This administrator must have login credentials for the Front-end and Back-end installation accounts.
   Permissions: Must be a member of a group that has read, write, and execute permissions on all installation directories and subdirectories (UNIX: except /opt). Must also be a member of a JBoss user group that has permissions to administer the application server.

When performing a new installation of the BMC Identity Management Suite products and components, there are two deployment options available:
   Unified deployment environment: All BMC Identity Management Suite products and components installed together on one server.
   Distributed deployment environment: BMC Identity Management Suite products and components installed on a Front-end and a Back-end server as follows:
      Front-end: The Identity Common UI Services component and one or more of these Web-based products: User Administration Manager, Password Manager, Compliance Manager, Web Access Manager, Identity Federation Manager, Identity Request Manager.
      Back-end: Identity Open Services, together with the Compliance Manager Back-end (if this application is installed).

If all components are installed under a single account, the terms Front-end account and Back-end account refer to the same account. If you install the Suite on two servers you must install the Back-end first, because the separate Front-end installation will prompt for the Back-end host name and the Back-end JNDI port. For more information, see 4 Create the product installation account(s) on page 40.

NOTE: The installed components will not interfere with existing components outside the Front-end and Back-end accounts. For example, the installed Java SDK does not interfere with an existing installation under /usr/local.

Adding a BMC Identity Management Suite solution to an existing installation

If the BMC Identity Management Suite has already been deployed without installing all available solutions, you can install any of the remaining solutions at any time after the initial installation procedure. The installation path cannot be changed when adding a solution.

Example: Assume that you previously installed the solution User Administration and Provisioning. After obtaining the required license from BMC Software, you can run the installation wizard again and install another solution (for example, the Password Management solution, or the Audit and Compliance Management solution).

To add solutions to an existing installation
   1 Stop the BMC Identity Management Suite before running the wizard.
   2 Run the installation wizard or command prompts again to add one or more solutions.
   3 Deploy the Suite applications that you are adding. For more information, see 28 Deploy the Suite applications.
   4 UNIX: In the installation account(s), log out and then log in again. Windows: restart the computer.

Web Access Manager stand-alone solution

Web Access Manager can be installed as a stand-alone solution. To implement a stand-alone solution, on the Custom Installation wizard screen (or by command-line prompts) select only Web Access Manager components. A stand-alone Web Access Manager solution:
   Does not connect to an ESS Server.
   Will have Identity Open Services and a Common UI Infrastructure installed automatically. These components provide a Web interface for configuration tasks.

NOTE: If you select additional Suite solutions to install, then your deployment will connect to an ESS server and Web Access Manager will be an integrated member of the BMC Identity Management Suite.

2 Obtain the product media

Summary: Ensure that you have the correct product media (CDs or DVD) for installing the BMC Identity Management Suite.

To be performed by the IdM Suite Administrator.

Obtain the BMC Identity Management Suite 5.5 product installation media (a set of CDs or a DVD that is labeled: BMC Identity Management Suite 5.5 for JBoss environment).

3 Ensure system requirements

Summary: Ensure that all system requirements are satisfied.

To be performed by a Windows or a UNIX administrator.

Before installing the BMC Identity Management Suite, ensure all of the following requirements are met:
   The ESS Common UI Login facility must be activated but disabled
   Hardware and software requirements
   Compatibility requirements

Ensure that the ESS Common UI Login facility is activated but disabled

Ensure that the Common UI Login facility is activated but disabled, as follows: In the ESS Console, display the Global Parameters window, ESS Login tabbed page. The Enable Common UI Login check box should appear on this page. If you can see this check box (whether it is selected or not), the Common UI Login facility is activated. If you cannot see the check box, the Common UI Login facility is not activated. In this case, perform the procedure that follows: To activate the Common UI Login facility.

Be sure the Enable Common UI Login check box is cleared (i.e., disabled).

To activate the Common UI Login facility
   1 Log in as ESS owner.
   2 Enter the following command:
        ess ActivateCommonLogin.sh
     The following message is displayed:
        ESS Common Login Activation Script
        Looking For Common Login Keywords Files...
        Attempting To Install Common Login Keywords...
        Refreshing Keywords Rules...
        Updating Keywords With Default Values...
        Keywords installation ended
        Activation of Common Login completed.
        Please recycle Orbix, gateways and router
     The Common UI Login facility is activated (but not enabled). The file $ESS_HOME\CL_ACTIVATION.LOG contains a log of the activation process.

WARNING: Do not select the Enable Common UI Login check box until 13 Enable the Common UI Login parameter on page 58.

Hardware and software requirements

Table 5 lists the required system requirements.

Table 5 Hardware and software requirements

Parameter                       Requirement
Computer and Operating System   See the Compatibility section of the product release notes.
Memory                          Minimum recommended: 4 GB RAM

Processor                       (Solaris) Minimum: Dual UltraSPARC IIIi 2x1.3 GHz
                                (Windows) Minimum: Intel Pentium IV 2x2 GHz
Disk Space (Windows JBoss)      The disk space required is the sum of the components you install. A unified deployment does not duplicate the common components. All numbers are approximate. Unspecified components require only a small amount of free space.
                                Note: It is highly recommended to provide more disk space than the minimum required.
                                Distributed deployment on a Front-end and Back-end server:
                                   Front-end server:
                                      Common, including Identity UI and Form Generator (always installed): 275MB
                                      User Administration Manager: 20MB
                                      Password Manager: 5MB
                                      Compliance Manager: 30MB
                                      Request Manager: 35MB
                                      Identity Federation Manager: 35MB
                                      Web Access Manager: 45MB
                                      Front-end total: 445MB
                                   Back-end server:
                                      Common (always installed): 250MB
                                      Open Services: 70MB
                                      Each additional Login Profile requires 20MB
                                      Back-end total: 340MB
                                Unified installation total: 570MB

Disk Space (Solaris JBoss)      The disk space required is the sum of the components you install. A unified deployment does not duplicate the common components. All numbers are approximate. Unspecified components require only a small amount of free space.
                                Note: It is highly recommended to provide more disk space than the minimum required.
                                Distributed deployment on a Front-end and Back-end server:
                                   Front-end server:
                                      Common, including Identity UI and Form Generator (always installed): 300MB
                                      User Administration Manager: 15MB
                                      Password Manager: 5MB
                                      Compliance Manager: 35MB
                                      Request Manager: 30MB
                                      Identity Federation Manager: 35MB
                                      Web Access Manager: 45MB
                                      Front-end total: 465MB
                                   Back-end server:
                                      Common (always installed): 250MB
                                      Open Services: 70MB
                                      Compliance Manager: 115MB
                                      Each additional Login Profile requires 20MB
                                      Back-end total: 455MB
                                Unified installation total: 670MB
Temp disk space                 (Solaris only) The /tmp directory requires at least 900 MB of free space during the entire Suite installation procedure. If you install from media (CD/DVD) on a remote computer, the free space must be on the remote (not the local) computer.
Installation Device             CD or DVD drive.
Service Packs                   Ensure that you have installed the required service pack for your version of Enterprise SecurityStation. For more information, see the product release notes.
Application Server              Ensure that the application server is installed.
Windows only: Java variable     Ensure that you set a JAVA_HOME variable to point to the Java JDK.
Database                        (Only for Identity Request Manager and Identity Compliance Manager) Request Manager and Identity Compliance Manager have specific database requirements described in the BMC Identity Management Suite Release Notes.

NOTE: UNIX: You can check for available memory by entering the following command:
   prtconf -v | grep Memory
You can check for available disk space by entering the following command:
   df -k

Compatibility requirements

Review the following topics in the Compatibility section of the product release notes:
   Supported Platforms
   Support for J2EE Application Servers
   Support for Servlet Containers
   Compatibility With Enterprise SecurityStation
   Required service packs

NOTE: You must get the latest information in the separate Release Notes for each product: Identity Open Services, User Administration Manager, Password Manager, Compliance Manager, Web Access Manager, Identity Federation Manager, and Request Manager.

4 Create the product installation account(s)

Summary: Create either one or two user accounts under which BMC Identity Management Suite products and components will be installed and which will be used to manage the products. For more information, see 1 Determine deployment type on page 33.

To be performed by a system administrator.

Create accounts: either one or two user accounts under which the Front-end and the Back-end components (or both) will be installed and which also will be used to administer the products. For more information, see 1 Determine deployment type on page 33.

Important: No other applications should be installed under the accounts. The installation accounts should be exclusively dedicated to the Suite. If all components are installed under a single account, the terms Front-end account and Back-end account refer to the same account.

Ensure the following account requirements for the type of operating system you are using.

UNIX installation: account requirements

The requirements for each account under UNIX are:
   You can install the BMC Identity Management Suite on the same computer as Enterprise SecurityStation (or ESS Client), but do not install the Suite in the same ESS (or ESS Client) account.
   Login credentials: The IdM Suite Administrator must have login credentials for either one, or two, user accounts under which the Front-end and the Back-end components (or both) will be installed.
   Permissions: The IdM Suite Administrator must be a member of a group that has read, write, and execute permissions for all installation directories and subdirectories (except /opt). The IdM Suite Administrator must also be a member of a JBoss user group that has permissions to administer the application server.
   Local user: Each account must be defined as a local user (i.e., non-NIS).
   Default shell: The default shell for the accounts must be csh or tcsh.
   Using the default installation path: If you want to use the default installation path, request that your system administrator (i.e., with root permissions) create a bmc subdirectory under /opt (i.e., /opt/bmc).

NOTE: The default installation is to install the Front-end and the Back-end products and components under one account.

Windows installation: account requirements

The requirements for each Windows account are:
   The IdM Suite Administrator should be defined as an account administrator and be given the login credentials for the accounts.
   No other applications should be installed in the same directory. (Note: all of the BMC Identity Management Suite components can be installed in the same directory.)

NOTE: The default installation is to install the Front-end and the Back-end products and components under one account.

5 Install database client

Summary: You must install in the Back-end a DB client of the type used by Enterprise SecurityStation.

To be performed by the IdM Suite Administrator.

The BMC Identity Management Suite requires a database client to enable it to communicate with the type of database used by Enterprise SecurityStation. The DB client is installed in the unified deployment server, or, if using a distributed deployment, in the Back-end server. During the installation with the wizard or command line you will be prompted to specify the path to the client that you are installing now. You can install both DB clients if there is a possibility that you will be switching database types in the future.

The following topics are discussed:
   How to install the Oracle DB client
      Installing the Oracle database client on Windows
      Installing the Oracle database client on Solaris
   How to install the Sybase DB client
      Installing the Sybase database client on Windows
      Installing the Sybase database client on Solaris

Account requirement: the database client must be installed in an account that is in the same group as the UNIX account under which the BMC Identity Management Suite is installed.

How to install the Oracle DB client

Use this procedure to install an Oracle database client.

Installing the Oracle database client on Windows

The client is on a separate installation media. For the IdM Suite, the CD name is ORA_CLT_

To install an Oracle database client on Windows
   1 Log in to the Back-end computer on which you are performing the database client installation.
   2 Insert the database client installation disk into a local CD or DVD drive. You can also run the installation remotely from your network.
   3 In the root directory, find and double-click the file setup.exe.
   4 On the Welcome screen, click Next.
   5 On the Choose Destination Location screen, click Next to confirm the default installation directory. If you want to set a different installation path, click Change on the Choose Destination Location screen and select the path.
   6 On the Ready to Install the Program screen, click Install. The Oracle Universal Installer window opens in the background, and a message box opens in the foreground, warning you not to do anything until the Oracle Universal Installer window closes.
   7 After the Oracle Universal Installer window closes, click OK to close the message box.
   8 On the InstallShield Wizard Complete screen, click Finish.

Installing the Oracle database client on Solaris

The client is on a separate installation media. For the IdM Suite, the CD name is ORA_CLNT_UNIX.

To install an Oracle database client on Solaris
   1 Log in to the Back-end computer on which you are performing the database client installation.
   2 Insert the database client installation disk into a local CD drive. You can also run the installation remotely from your network.
   3 Go to the Solaris directory on the CD by entering the following command:
        cd installpath/unix/solaris
     where installpath is the full path to the installation CD on your local computer or network.
   4 Start the database client installation by entering the following command:
        ./install_oraclient_8174_sunos.sh
   5 In response to the installation path prompt, enter the path to the directory where the database client will be installed.
   6 Wait until the installation has finished.

How to install the Sybase DB client

Use this procedure to install a Sybase database client.

Installing the Sybase database client on Windows

The client is on a separate installation media. For the IdM Suite, the CD name is SYB_CLNT_1251.

To install a Sybase database client on Windows
   1 Log in to the Back-end computer on which you are performing the database client installation.
   2 Insert the database client installation disk into a local CD or DVD drive. You can also run the installation remotely from your network.
   3 In the root directory, find and double-click the file setupwin32.exe.
   4 On the Welcome screen, click Next.
   5 On the Choose Destination Location screen, click Next to confirm the default installation directory. If you want to set a different installation path, click Change on the Choose Destination Location screen and select the path.
   6 On the Ready to Install the Program screen, click Install.
   7 On the InstallShield Wizard Complete screen, click Finish.

Installing the Sybase database client on Solaris

The client is on a separate installation media. For the IdM Suite, the CD name is SYB_CLNT_1251.

To install a Sybase database client on Solaris
   1 Log in to the Back-end computer on which you are performing the database client installation.
   2 Insert the database client installation disk into a local CD drive. You can also run the installation remotely from your network.

   3 Go to the Sybase directory on the CD by entering the following command:
        cd installpath/unix/solaris
     where installpath is the full path to the installation CD on your local computer or network.
   4 Start the database client installation by entering the following command:
        ./install_sybase_12.5.1_sunos.sh
   5 In response to the installation path prompt, enter the path to the directory where the database client will be installed.
   6 Wait until the installation has finished.

6 Define ESS Application Servers

Summary: Required when installing Identity Open Services. A range of ESS Application Servers to be used by Identity Open Services must be defined in Enterprise SecurityStation to support load balancing.

To be performed by the ESS owner.

NOTE: This step should only be performed when installing Identity Open Services. This step must be performed in each Enterprise SecurityStation installation to which Identity Open Services will connect.

Identity Open Services uses a range of ESS Application Servers to connect to the Enterprise SecurityStation database. The number of Servers used can be adjusted to optimize the response time for applications using Identity Open Services. (This process is referred to as load balancing.) Increasing the range of servers enhances response time at the cost of increased consumption of resources. The number of ESS Application Servers to define depends on the expected maximum number of concurrent users.

For example: For an average of 1,500 password changes in Password Manager over a 2-hour period, the recommended number of Application Servers is 45.

Use the procedure that follows to define the required range of Application Servers in Enterprise SecurityStation for load balancing.

NOTE: By default, Enterprise SecurityStation version defines 50 ESS Application Servers for use of Identity Open Services and other Suite applications. Therefore, the procedure described in this section for defining them manually is most likely not needed.

To define ESS Application Servers
   1 Log in to the Enterprise SecurityStation workstation as the ESS owner.
   2 Using the Manager menu, start Orbix (if it is not already active).
   3 Enter the following command:
        ess OrbixDef.sh numservers
     numservers = the number of ESS Application Servers that already exist (if any) + the number of Servers that you want to define for the instance of Identity Open Services that you are now installing. (The Servers will be assigned IDs ranging from 0 through numservers - 1.)

     TIP: You can determine the quantity and IDs of servers already defined by examining the contents of one of the following directories:
        For ESS up to and including version : esshome/orbix/imprep/
        For ESS starting with version : esshome/orbix/config/repositories/
     Each server defined is represented by a file called EssAppServerserverID.essOwner.imp, where serverID is the ID of the server and essOwner is the user name of the ESS owner.

   4 Note the start number and quantity of the ESS Application Servers to be allocated to the current instance of Identity Open Services. Record this information because it is required later in the installation process. For more information, see 33 Register the ESS Application Servers parameters.
   5 Using the Manager menu, stop and then restart Orbix. Quit the menu.

Example

You want to define 10 ESS Application Servers for this instance of Identity Open Services, and the following 5 Servers already exist for a different purpose in directory esshome/orbix/imprep/:
   EssAppServer0.ess.imp
   EssAppServer1.ess.imp
   EssAppServer2.ess.imp
   EssAppServer3.ess.imp
   EssAppServer4.ess.imp

Enter the command:
   ess OrbixDef.sh 15
(15 = 5 existing Servers + 10 new Servers to define)

For each of the 5 Servers that already exists, the following message is displayed:
   You use these options when registering a *new* shared server, server already exists
   Please also check that you haven't done any of the following:
   (i) used -n and the -port flags together
   (ii) used -n flag with persistent servers
   (iii) used -n flag with unshared servers
   (iv) used -n and per-method flags together
These messages can be ignored.

ESS Application Servers 5 through 14 will be added to the existing Servers, for a total of 15 Servers. Later, you will have to supply the following values (example):
   Initial ESS Server ID: 5
   Number of ESS Servers to use: 10
For more information, see 33 Register the ESS Application Servers parameters.

7 Configure Enterprise SecurityStation

Summary: Perform configuration tasks in Enterprise SecurityStation for the IdM Suite.

To be performed by the ESS owner and ESS DBA.
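As an added example (not part of the BMC guide or its scripts), the following POSIX shell helper derives the Initial ESS Server ID and the OrbixDef.sh argument from the EssAppServer files already present in the repository directory, and warns when the existing IDs are not contiguous from 0, since OrbixDef.sh numbers servers 0 through numservers - 1. The function names and the constructed demonstration directory are assumptions; the file naming follows the guide's description.

```shell
#!/bin/sh
# Added example, not from the BMC guide. Scans an Orbix repository directory
# (esshome/orbix/imprep/ or esshome/orbix/config/repositories/, depending on
# the ESS version) for the EssAppServer<ID>.<essOwner>.imp files the guide
# describes and derives the values needed for "ess OrbixDef.sh" and for the
# later "Register the ESS Application Servers parameters" step.
# Function names are assumptions; the directory is supplied by the caller.

# ess_existing_ids DIR
# Prints the numeric IDs of the EssAppServer files in DIR, one per line, sorted.
ess_existing_ids() {
    _dir=$1
    for _f in "$_dir"/EssAppServer*.imp; do
        [ -e "$_f" ] || continue          # no match: the glob stays literal
        _base=${_f##*/}                   # e.g. EssAppServer5.ess.imp
        _id=${_base#EssAppServer}         # 5.ess.imp
        _id=${_id%%.*}                    # 5
        case $_id in
            ''|*[!0-9]*) continue ;;      # skip names without a numeric ID
        esac
        printf '%s\n' "$_id"
    done | sort -n
}

# ess_plan_servers DIR WANTED
# Prints "<initial ID> <numservers>": the first ID the new Identity Open
# Services instance will use, and the total to pass to "ess OrbixDef.sh"
# (existing servers + WANTED new ones).
# Exit status 0 normally; 2 when the existing IDs are not contiguous from 0.
ess_plan_servers() {
    _dir=$1
    _wanted=$2
    _count=0
    _max=-1
    for _id in $(ess_existing_ids "$_dir"); do
        _count=$((_count + 1))
        if [ "$_id" -gt "$_max" ]; then
            _max=$_id
        fi
    done
    _initial=$((_max + 1))
    _status=0
    # OrbixDef.sh defines servers 0..numservers-1, so the existing set must be
    # contiguous from 0; otherwise the count and highest+1 disagree and the
    # new range would overlap existing servers or leave holes.
    if [ "$_count" -ne "$_initial" ]; then
        echo "warning: existing IDs are not contiguous (count=$_count, highest=$_max)" >&2
        _status=2
    fi
    echo "$_initial $((_initial + _wanted))"
    return $_status
}

# Stand-alone demonstration with a constructed repository directory that
# mirrors the guide's example: 5 existing servers (IDs 0-4), 10 new ones wanted.
demo_dir=$(mktemp -d)
for i in 0 1 2 3 4; do
    : > "$demo_dir/EssAppServer$i.ess.imp"
done
plan=$(ess_plan_servers "$demo_dir" 10)
set -- $plan
echo "Initial ESS Server ID: $1"        # 5
echo "Number of ESS Servers to use: 10"
echo "Command: ess OrbixDef.sh $2"      # ess OrbixDef.sh 15
rm -rf "$demo_dir"
```

Run it against the real repository directory by calling ess_plan_servers with that path and the number of new servers; a non-zero exit status means the existing IDs should be reviewed by hand before running OrbixDef.sh.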

The following tasks are described:
   Define ESS Application Server ports
   Tune Sybase database parameters
   Tune Oracle database parameters

Define ESS Application Server ports

(Only relevant for Enterprise SecurityStation version )
   1 Log in to the Enterprise SecurityStation computer as the ESS Owner.
   2 Open the file $ESS_HOME/orbix/config/common.cfg in a text editor.
   3 Add the following line:
        IT_DAEMON_SERVER_RANGE= 100 ;
   4 Save and close the file.
   5 Enter the following command to start (or restart) Orbix:
        ess restart_orbix

Tune Sybase database parameters

(Only relevant when using a Sybase database server)

Do the following to enlarge the number of possible database connections:
   1 Use isql to log in to the ESS database with the sa user. For example:
        isql -U sa -P manager -D essdb -w
   2 To view how many connections are currently defined, enter the commands:
        > sp_configure "user_conn"
        > go
     See the information in the Run Value column.

3 To change the value, use the following commands:
> sp_configure "user_conn",value
> go
where value is the desired value (recommended value is ; consult your Sybase DBA).

Tune Oracle database parameters

(Only relevant when using an Oracle database server)

Do the following to enlarge the number of possible database connections:

1 Log in to the ESS Database Server account.
2 Enter the command:
cd $ORACLE_HOME/dbs
3 Open the file initinstancename.ora in a text editor. instancename is the database instance name (by default essdb).
4 Set the processes value to tune the database (recommended value is ; consult your Oracle DBA).
5 If, after enlarging the number of database connections, the database server does not start successfully, the kernel semaphores SEMMNI and SEMMNS must be adjusted relative to the change in the processes value. Consult your DBA and UNIX administrator:
Under Solaris, make the change in the /etc/system file. This requires root permission.
Under HP-UX, change the settings using the SAM tool (kernel configuration). This requires root permission.
The system must be restarted after making kernel changes.

8 Install new ESS Keywords

Summary

You must install the ESS keywords that are applicable to the BMC Identity Management Suite. To be performed by the ESS Owner.

These keywords are used by the BMC Identity Management Suite.

To import the keyword definitions into Enterprise SecurityStation

1 Log in to the ESS owner account.
2 Ensure that the current directory is $ESS_HOME.
3 Import the file suite55kwdpm.tar into Enterprise SecurityStation. This file is located on the installation media here:
installpath/ess/suite55kwdpm.tar
4 Untar the keywords file by entering the following command:
tar xfv suite55kwdpm.tar
The following file is extracted:
suite55kwdpm.inp
5 Run the following batchrun command to install the keywords:
ess batchrun -A -i suite55kwdpm.inp -S#

NOTE
When installing the keywords on ESS 3.2.x the following error message is displayed. Ignore this message.
"Error - Index value 9 is not valid for this table."

6 Run the following commands. (Wait for the prompt to reappear before running each command.)
ess db2td -A -t ent_user
ess db2td -A -t global_parm
ess db2td -A -t admin
ess db2td -A -t audit_trail
7 Do this step only if all the following are true:
The version of Enterprise SecurityStation is 3.3.
Service Pack 4 for Enterprise SecurityStation has already been applied.
Support for SHA-1 (Secure Hash Algorithm 1) encryption was implemented in Enterprise SecurityStation.
If all the above are true, enter the following command:
ess batchrun -A -i $ESS_HOME/appl/ess.version/etc/encryption.inp
8 Run the following command to restart Orbix:
ess restart_orbix

Troubleshooting

(Only applicable if you are using external authentication)

The Suite's external authentication code uses an index in the Person record (Index Key: 9). For this reason, you must ensure that this index is unused for other purposes.

To verify that the Person entity Index #9 is unused

1 In an ESS Console, open the Keyword entity properties window.
2 Filter records with Entity=Person, Index Key=9.
3 If only one record (add_info_ix_9) appears after the filtering, no additional action is required.
Important: If another keyword also uses ix=9, you have to reassign it.

9 Create an ESS administrator for the unattended administrator for Open Services

Summary

The BMC Identity Management Suite requires that you create an unattended ESS administrator to perform actions for Identity Open Services in the ESS database. In this procedure you create the ESS administrator in the ESS server and assign it permissions. Later during the installation procedure, you are prompted to register this ESS administrator with the BMC Identity Manager Suite. For more information, see Security and Authentication: Unattended Administrators on page 131. To be performed by an ESS Administrator.

Unattended ESS administrator: used to perform actions in the ESS database for Identity Open Services. It performs actions across applications.

Using an ESS Console, perform the procedure for creating the unattended ESS administrator for Identity Open Services, and then assign it permissions. This procedure is described in the following section: Create the ESS administrator on page 133.

Later during the installation procedure (see 19 Install the Suite product components on page 71), using either the installation wizard or command line, you will be prompted to register this unattended ESS administrator with the BMC Identity Manager Suite.

10 Create the Person(s) and ESS administrator(s) for the unattended Persons

Summary

The BMC Identity Management Suite requires that you create an unattended Person or Persons who will perform actions in the ESS database for: User Administration Manager, Compliance Manager, Request Manager (if the applications are deployed). After completing the procedure described in this section, in a later step you will use the Web-based Suite Configuration application to register these unattended Person(s) with the BMC Identity Manager Suite. For more information, see Security and Authentication: Unattended Administrators on page 131. To be performed by an ESS Administrator.

Unattended Person(s): each unattended Person performs actions for BMC Identity Management Suite users in the ESS database for a specific Suite application. The BMC Identity Management Suite uses one unattended Person for each of the following applications:

User Administration Manager
Compliance Manager (required only if you installed the Compliance Manager)
Request Manager (required only if you installed the Request Manager)

Each unattended ESS Person must also be connected to an ESS administrator that has appropriate permissions. For more information see: Create the unattended Person and connected ESS administrator on page 137.

Later during the installation procedure, you register these unattended ESS Persons with the BMC Identity Manager Suite. For more information see: 34 Register the unattended Person(s) on page

11 Assign Person passwords to ESS administrators

Summary

When the Common UI Login facility is enabled ( 13 Enable the Common UI Login parameter on page 58) the ESS administrator password field in the ESS database becomes disabled. This will prevent ESS administrators from logging into the ESS Console, batchrun, and EssClient. ESS administrators logging into the ESS Console, batchrun, and EssClient must now use the connected Person's password instead of their ESS administrator password. The procedure in this section describes how to assign Person passwords.

Note: To enable ESS administrators to log into the BMC Identity Management Suite you must perform all steps described in Enabling a BMC Identity Management Suite user on page 172.

Performed by an ESS administrator who has permissions to update Person records.

When the Common UI Login facility is enabled ( 13 Enable the Common UI Login parameter on page 58) the ESS administrator password field in the ESS database becomes disabled. To prevent existing ESS administrators from being locked out of the ESS Console, batchrun, and EssClient after the Common UI Login facility is enabled, you must assign a Person password to each ESS administrator.

NOTE
To enable ESS administrators to log into the BMC Identity Management Suite you must perform all of the steps described in Enabling a BMC Identity Management Suite user on page 172.

When the Common UI Login facility is enabled, the ESS administrators' login credentials for ESS Console, batchrun, and EssClient will be the following:

ESS login name: The value entered into the name field of the ESS Console login screen.
Person password: The password in the ESS administrator's connected Person record (not the ESS administrator password).

The following procedure explains how to use the UPDATE command to assign a Person a password. The UPDATE command for assigning a Person password can be issued by either of the ESS command-line utilities: batchrun or EssClient. This command updates the Person's password field using the required encryption function.

Important: The new password is not propagated to any other account.

NOTE
You can also assign the Person password using the ESS Console when the ESS Global Parameter Enable Common UI Login is selected, but doing so requires that the Person is connected to at least one account, and depending on your site's password synchronization options, the password change will also propagate to the Person's connected accounts. To assign a Person a password using the ESS Console, use the Change Password option from the pop-up menu in the Person Properties window.

To assign a Person password to an ESS administrator

1 Using batchrun or EssClient, enter the following command to update the password of the Person (ent_user) that is connected to the ESS administrator. For more information about line commands, see the Enterprise SecurityStation Administration Guide.

NOTE
The UPDATE command can be used only when the ESS Global Parameter Enable Common UI Login is cleared. The update password command will fail if the check box is selected. For more information, see 13 Enable the Common UI Login parameter on page 58.

The command to update a Person's password is as follows:
UPDATE ent_user WITH user_id=userid SET 99 CURRENT_PASSWORD=password 99 LAST_PWD_UPDATE="yyyymmdd" SET_ENCRYPT=1;
Replace yyyymmdd with the current date. Replace password with a new password. For example:
UPDATE ent_user WITH user_id=sl001 SET 99 CURRENT_PASSWORD=abcdef 99 LAST_PWD_UPDATE=" " SET_ENCRYPT=1;

2 Repeat step 1 for all existing ESS administrators.

NOTE
For more information regarding the effect of enabling the Common UI Login refer to the following:
Release Notes for Enterprise SecurityStation Version: Service Pack 4 or later
Release Notes for Enterprise SecurityStation Version: Service Pack 2 or later
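As an added example (not from the BMC guide), the following POSIX shell script builds a batchrun input file from a list of user IDs, giving each Person a distinct random initial password rather than a shared value such as abcdef, and emits the UPDATE ent_user statements in exactly the form shown in this step and in 12 Initialize the passwords for all Suite users. It assumes the ESS Global Parameter Enable Common UI Login is still cleared and that the operator runs batchrun against the generated file; the user IDs, file names and date are constructed sample values.

```shell
#!/bin/sh
# Added example, not part of the BMC guide: generate a batchrun input file
# that assigns each listed Person a distinct, random initial password using
# the UPDATE ent_user statement documented in steps 11 and 12.
# Assumptions: the ESS Global Parameter "Enable Common UI Login" is cleared
# (the UPDATE fails otherwise), and batchrun is run later by the operator.

# Random password of the requested length from a letters-and-digits alphabet
# read from /dev/urandom. The alphabet contains no quote, space or ';', so the
# value cannot break the quoting of the batchrun statement.
gen_password() {
    len="${1:-12}"
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$len"
}

# Print one UPDATE statement for user_id "$1" with password "$2" and
# LAST_PWD_UPDATE "$3" (yyyymmdd). Returns 1 and prints nothing when an
# argument is malformed, so a bad line can never reach batchrun.
update_stmt() {
    uid="$1"; pw="$2"; day="$3"
    case "$uid" in ''|*[!A-Za-z0-9_]*) return 1 ;; esac
    case "$pw"  in ''|*' '*|*'"'*|*';'*) return 1 ;; esac
    case "$day" in [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;; *) return 1 ;; esac
    printf 'UPDATE ent_user WITH user_id=%s SET 99 CURRENT_PASSWORD=%s 99 LAST_PWD_UPDATE="%s" SET_ENCRYPT=1;\n' \
        "$uid" "$pw" "$day"
}

# Read user IDs, one per line, from "$1"; write the statements to "$2" and the
# clear-text user/password pairs (for out-of-band delivery to each user) to
# "$3", which is created readable by the operator only. "$4" is the yyyymmdd
# date. Prints the number of statements written; malformed IDs are reported
# on stderr and skipped.
make_batch_input() {
    ids="$1"; out="$2"; secrets="$3"; day="$4"
    count=0
    : >"$out"
    (umask 077; : >"$secrets")
    while IFS= read -r uid || [ -n "$uid" ]; do
        [ -z "$uid" ] && continue
        pw=$(gen_password 12)
        if stmt=$(update_stmt "$uid" "$pw" "$day"); then
            printf '%s\n' "$stmt" >>"$out"
            printf '%s %s\n' "$uid" "$pw" >>"$secrets"
            count=$((count + 1))
        else
            printf 'skipping malformed user id: %s\n' "$uid" >&2
        fi
    done <"$ids"
    echo "$count"
}

# Demonstration with constructed sample input (sl001/sl002 are sample IDs,
# 20061115 a sample date); a real run would use the site's own ID list.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    printf 'sl001\nsl002\n' >"$tmp/ids.txt"
    make_batch_input "$tmp/ids.txt" "$tmp/initpw.inp" "$tmp/initpw.secrets" 20061115
    cat "$tmp/initpw.inp"
    echo "then run: ess batchrun -A -i $tmp/initpw.inp"
fi
```

Run with --demo to see the generated statements; the secrets file is the only place the clear-text passwords are kept, so delete it once they have been handed over.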

12 Initialize the passwords for all Suite users

Summary

(Optional. Not needed if you are using Web Access Manager to log in.) You can assign initial passwords to BMC Identity Management Suite users now, or after installation of the Suite. Performed by the IdM Suite Administrator.

You can assign initial passwords to BMC Identity Management Suite users now, or after installation of the Suite.

NOTE
If you are using Web Access Manager to log in, there is no reason to initialize passwords for Suite users because they will use trusted login.

If you have many users, you probably will run the UPDATE line command (instead of manually using the ESS Console). This command requires the ESS Global Parameter Enable Common UI Login to be cleared (see 13 Enable the Common UI Login parameter on page 58). The UPDATE command for assigning a Person password can be issued by either of the ESS command-line utilities: batchrun or EssClient. This command updates the Person's password field using the required encryption function.

Important: The new password is not propagated to any other account.

NOTE
You can also assign the Person password using the ESS Console when the ESS Global Parameter Enable Common UI Login is selected, but doing so requires that the Person is connected to at least one account, and depending on your site's password synchronization options, the password change will also propagate to the Person's connected accounts. To assign a Person a password using the ESS Console, use the Change Password option from the pop-up menu in the Person Properties window.

1 Enter the following batchrun command to update the password of the Person (ent_user). For more information about line commands, see the Enterprise SecurityStation Administration Guide.

NOTE
The UPDATE command can only be used when the ESS Global Parameter Enable Common UI Login is cleared. The update password command will fail if the check box is selected. For more information, see 13 Enable the Common UI Login parameter on page 58.

The command to update a Person's password is as follows:
UPDATE ent_user WITH user_id=userid SET 99 CURRENT_PASSWORD=password 99 LAST_PWD_UPDATE="yyyymmdd" SET_ENCRYPT=1;
For example:
UPDATE ent_user WITH user_id=sl001 SET 99 CURRENT_PASSWORD=essess 99 LAST_PWD_UPDATE=" " SET_ENCRYPT=1;

2 Repeat step 1 for all users.

NOTE
The preceding procedure assigns users initial passwords for the BMC Identity Management Suite, but this is not sufficient to enable users to perform operations in the Suite. To enable Suite users, you must also perform all additional steps (e.g., enabling the use of each product) described in Enabling a BMC Identity Management Suite user on page 172. For more information, see Setting the initial password of users on page

13 Enable the Common UI Login parameter

Summary

The Common UI Login facility in Enterprise SecurityStation must be enabled. Performed by an ESS administrator with access rights for Global parameters.

Use the procedure that follows to enable the BMC Identity Management Suite Common UI Login facility in Enterprise SecurityStation.

WARNING
After enabling the ESS Global parameter Common UI Login, ESS administrators who do not have a Person password will not be able to log into the ESS Console or any other ESS client. For more information, see 11 Assign Person passwords to ESS administrators on page 55.

If you need to clear the Common UI Login parameter you can run the following batchrun command:
UPDATE global_parm WITH gp_key=1 SET CL_INSTALLED=0;

To enable the Common UI Login facility in Enterprise SecurityStation

In the ESS Global Parameters window, on the ESS Login tabbed page, select the Enable Common UI check box and click OK.

The Common UI Login facility is now activated and enabled in Enterprise SecurityStation.

Important: All Person password changes must now be made either from the BMC Identity Management Suite or from the ESS Console (right-click the Person Properties window to display a change password dialog box). In EssClient and batchrun, you cannot use the UPDATE ent_user command to change the value of the 99 CURRENT_PASSWORD field.

For more information regarding the effect of enabling the Common UI Login refer to the following: Release Notes for Enterprise SecurityStation Version Service Pack 4 (or later) or Release Notes for Enterprise SecurityStation Version Service Pack 2 (or later).

14 Configure JBoss server directory and assign ports

Summary

Configure a JBoss server directory for application deployment, and assign the JBoss ports that will be used by the BMC Identity Management Suite. To be performed by the IdM Suite Administrator.

The procedure described in this section is used to configure a JBoss server directory for application deployment, and to assign and display the JBoss ports that will be used by the BMC Identity Management Suite.

NOTE
Perform this procedure in the directory where you installed JBoss for the IdM Suite (referred to below as jbosshome). In a distributed deployment, this procedure must be performed by the IdM Suite administrator on both the Front-end and Back-end servers.

Before You Begin

The configuration procedure described in this section typically requires access to the internet. If internet access is not available on the computer where you are installing the IdM Suite, perform the steps that follow.

1 Open the file jbosshome\server\default\deploy\jbossweb-tomcat50.sar\META-INF\jboss-service.xml in a text editor. Under Solaris, replace backslash characters ( \ ) in the path with forward slashes ( / ).
2 Add comment indicators <!-- and --> around the section that starts in the second line:
<!DOCTYPE server PUBLIC "-//JBoss//DTD MBean Service 3.2//EN" "
The section should now look like this:
<!--
<!DOCTYPE server PUBLIC "-//JBoss//DTD MBean Service 3.2//EN" "
-->
3 Save and close the file.
4 Be sure to perform the additional steps at the end of the configuration procedure.

To configure a server directory and assign ports

1 From the installation media, run either of these utilities according to your operating system:
(for UNIX): mountpoint/jboss/config-idm-server.sh
(for Windows): medialocation/jboss/config-idm-server.bat

NOTE
Run the BAT file locally from the media, or copy the entire JBoss directory from the media to the local computer, and run the file config-idm-server.bat locally.

The following prompt is displayed:
Enter JBoss home directory

2 Enter the path to the JBoss home directory and record it so you can provide it during the installation procedure (see the Installation worksheet on page 30). There is no default path. A subdirectory will be created in this location:
JBossHome\server\idm\
where JBossHome represents the location of the JBoss home directory you specified.

The following prompt is displayed:
Enter HTTP port [8080]

NOTE
For the following prompts be sure the ports you assign are available.

3 Enter the HTTP port or accept the default. Record the port number so you can provide it during the installation procedure.

The following prompt is displayed:
Enter JNDI port [1099]

4 Enter the JNDI port or accept the default. Record the port number so you can provide it during the installation procedure.

The following prompt is displayed:
Enter HTTPS port [8443]

5 Enter the HTTPS port or accept the default. Record the port number so you can provide it during the installation procedure.

A list of JBoss ports is displayed similar to the following:
HTTP Port=8080
HTTPs Port=8443
JNDI Port=1099
Web Service Port=8083
RMI Port=1098
RMI Object Port=4444
Pooled Bind Port=4445

To complete the configuration process when internet access is not available

1 After completing the configuration procedure, again open the file jbosshome\server\default\deploy\jbossweb-tomcat50.sar\META-INF\jboss-service.xml in a text editor.
2 Remove the comment indicators <!-- and --> that you added in step 2 on page 60. The file should now appear as it did originally:
<!DOCTYPE server PUBLIC "-//JBoss//DTD MBean Service 3.2//EN" "
3 Save and close the file.
4 Open the newly-created file jbosshome\server\idm\deploy\jbossweb-tomcat50.sar\META-INF\jboss-service.xml in a text editor.
5 Repeat step 2 for this file. Save and close the file.

To display JBoss ports

After you complete the configuration process, you can display the JBoss ports by running the following script:

For Unix:
$BMC_IDM_SUITE_HOME/general/tools/scripts/appl_server/jboss_ports.sh

NOTE
For Unix, you can use the script name without the full path.

For Windows:
%BMC_IDM_SUITE_HOME%\general\tools\scripts\appl_server\jboss_ports.bat

Output similar to the following is displayed:
HTTP Port=8080
HTTPS Port=8443
JNDI Port=1099
Web Service Port=8083
RMI Port=1098
RMI Object Port=4444
Pooled Bind Port=

15 Prerequisites for Web Access Manager

Summary

When installing BMC Web Access Manager, perform the prerequisite tasks in this section. To be performed by the IdM Suite Administrator.

WARNING
Before installing the BMC Web Enforcement Agent, ensure that the following is done:
Web Access Manager is installed and configured.
An ESS Administrator is mapped to the Web Access Manager Administrator User (also called a WAM Super User).

If you are deploying the BMC Web Access Management solution, perform all of the following prerequisite activities:

1 Read the BMC Web Access Management and the BMC Web Enforcement Agent Release Notes.
2 If using AD or ADAM, complete all of the pre-installation tasks that are described in the BMC WAM AD and ADAM Pre-Installation Requirements Guide.
3 If using the Log Collector, refer to the BMC Web Access Manager Log Collector Guide before beginning the BMC WAM installation process.
4 If using certificates, refer to the BMC WAM Certificate Guide before beginning the BMC WAM installation process.
5 Install the webserver by following your third-party webserver documentation. For supported webservers, see the Supported Platforms list for BMC Web Access Manager v
6 Configure the webserver to proxy to the application server where Suite applications are deployed. For more information, see third-party webserver documentation.

16 (Web Access Manager) Edit the Web server proxy file

Summary

When installing BMC Web Access Manager, perform the prerequisite tasks in this section. To be performed by the WAM Installation Administrator.

Edit the Apache server configuration file

1 Log in on the webserver computer with Administrator privileges.
2 Back up the following file, and then open it in a suitable editor:
(Unix) .../apache group/apache2/conf/httpd.conf
(Windows) C:\Program Files\Apache Group\Apache2\conf\httpd.conf
3 Locate the section that begins with the following comment:
# Dynamic Shared Object (DSO) Support

4 Following the comment, add the following lines:
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
5 Locate the section that begins with the following comment:
### Section 3: Virtual Hosts
6 Following the comment, add the following:
<VirtualHost host.domain.bmc.com:80>
DocumentRoot "C:/Program Files/Apache Group/Apache2/htdocs"
ServerName host.domain.com:80
ErrorLog error_log
CustomLog access_log common
ProxyPass /idm
ProxyPassReverse /idm
ProxyPass /signon
ProxyPassReverse /signon
</VirtualHost>
where host.domain.com is the server FQDN (fully qualified domain name).
7 Save and then close httpd.conf.
8 Stop and then restart the webserver, as described in third-party documentation.

Prerequisite for running the configuration wizard

BMC Web Access Manager does not support Password Complexity installed by Active Directory (AD) out of the box. There are two options to make Password Complexity compatible with BMC Web Access Manager. Initiate this change prior to running the BMC Web Access Manager Configuration Wizard.

Do one of the following:

Go to Web Access Config => System tab => Security tab. Change the Password Minimum Length to the same as the AD installed Security settings.

OR

1 Go to Start => Programs => Domain Security Policy => Account Policy => Password Policy.
2 Change Minimum Password Length to 6.
3 Right-click Security Settings in the left hand pane and select Reload.
NOTE
The reload may require up to five minutes.
4 To allow changes to take effect immediately: From the Start menu, select Run. Enter gpupdate and click OK. The message Refreshing Policy Setting is displayed.

17 Prepare for Web Access Manager silent install

Summary

Perform setup activities before installing Web Access Manager using a silent install procedure. To be performed by the IdM Suite Administrator.

Perform the activities in this section if the following are true:
You plan to install Web Access Manager.
You intend to use the silent install procedure.

The following activities are described:
A Obtain silent install setup files
B Provide an encryption key for silent installation of WAM

A Obtain silent install setup files

The following files are required to prepare for silent install of Web Access Manager:
wam-gencookiekey.zip
silent_options.txt

These files are included with the latest service pack currently available for the BMC Identity Management Suite. They can be found in either of the following locations:
in the root directory of the service pack CD.
in the service pack directory on the BMC FTP server. For Service Pack 1, this directory is:
ftp://ftp.bmc.com/pub/controlsa/bmc_identity_management_suite/5.5.00/paidm /

Copy these files to a Windows or UNIX computer.

Information on BMC Identity Management Suite service packs is available from the BMC Support site, at:
Follow the link for Product Documentation to the page for the BMC Identity Management Suite version. Look for the release notes for the latest service pack.

B Provide an encryption key for silent installation of WAM

When installing Web Access Manager using the silent installation procedure, it is necessary to provide an existing key or to manually generate a key for encryption/decryption of the Web Access Manager credentials cookie, and to include this key in the install options file used by the silent installation. (The option for generating a key automatically within the silent installation procedure should not be used.)

NOTE
Only Blowfish encryption is supported by the IdM Suite.

This procedure describes how to generate the encryption/decryption key and how to paste it into the install options file for the silent installation.

To provide an encryption key for silent installation of Web Access Manager

1 Copy the file wam-gencookiekey.zip (obtained in the previous procedure) to a temporary directory on the Windows or Unix computer where you are preparing the install options file (silent_options.txt).
2 Unzip the file wam-gencookiekey.zip in the temporary directory. The following files are unpacked:
WAM_CookieKeyGenerator.bat
WAM_CookieKeyGenerator.sh
Gencookie.jar
Continue with one of the steps that follow, depending on whether you are working on a Windows or Unix computer.
3 (Windows computer) Do the following:
A Open a DOS console window and change to the temporary directory.
B Enter the command:
WAM_CookieKeyGenerator BF
(Only Blowfish encryption is supported in the IdM Suite.) A random key is generated and displayed in the console window.
C Copy the key from the DOS console window. (From the program icon menu, select Edit => Mark. Select the displayed key. Select Edit => Copy.)
D Assign the silent_options.txt file (obtained in the previous procedure) write permission, so you can edit the file. (Under Windows, clear the read-only attribute.)
E Open the silent_options.txt file in a text editor. Do the following:
1. Uncomment the following parameters by removing the ### characters at the start of each line:
### -V GEN_KEY_VAL2="false"
### -V MANUALY_KEY_VAL="true"
### -V COOKIE_KEY="<value>"

2. Paste the key generated and copied earlier into the COOKIE_KEY parameter. The file should now appear similar to Figure 2.

Figure 2 silent_options.txt file containing encryption key

# Uncomment the following two parameters ONLY if you would like the installer to
# populate the Cookie Key value by generating a new Key value
#
### -V GEN_KEY_VAL2="true"
### -v MANUALY_KEY_VAL="false"
#
# Uncomment the following parameters ONLY if you would like to populate the
# Cookie Key manually.
# Make sure that the COOKIE_KEY parameter has value according to the following description
#
# -V COOKIE_KEY - Cookie key
# Use the character # wherever you need to use the = character
#
-V GEN_KEY_VAL2="false"
-V MANUALY_KEY_VAL="true"
-V COOKIE_KEY="hKUue1we/4jWLdeF8dzHkA=="

4 (Unix computer) Do the following:
A Change to the temporary directory.
B Enter the following command to make the WAM_CookieKeyGenerator.sh file executable:
chmod +x WAM_CookieKeyGenerator.sh
C Enter the command:
WAM_CookieKeyGenerator.sh BF
(Only Blowfish encryption is supported in the IdM Suite.) A random key is generated and displayed in the console window.
D Copy the key from the console window.
E Continue with Step 3E on page 68.

18 Prerequisites for Request Manager

Summary

To use the BMC Request Manager it is necessary that you have installed an available Oracle database. To be performed by the Oracle Database Administrator.

To deploy the BMC Request Manager, you must ensure the availability of an Oracle database. If your Enterprise SecurityStation uses an existing Oracle database, you can also use it for Request Manager. If your Enterprise SecurityStation works with a Sybase database, you must install a separate Oracle database for use by Request Manager.

To create the Workflow Schema, you need an Oracle superuser in the database dedicated to the workflow.

For more information, see the following:
BMC Request Manager Release Notes
3 Ensure system requirements on page

Installation procedure

This section describes procedures for installing the BMC Identity Management Suite on the destination computer. It also includes several configuration steps performed using the same installation wizard.

19 Install the Suite product components

Summary

To install the BMC Identity Management Suite solutions, run the installation setup file. To be performed by the IdM Suite Administrator.

What is deployed

Using the installation media you will be able to deploy the following solutions:
User Administration and Provisioning
Password Management
Audit and Compliance Management
Web Access Manager
Identity Federation Manager
Identity Request Manager

Starting the BMC Identity Management Suite installation procedure

NOTE
You can optionally use the installation setup file to install the product components under either one or two separate user accounts (Front-end server and Back-end server). See 1 Determine deployment type on page 33. If you choose to install the components under two accounts, you have to run the installation setup file separately in both accounts. You must install the Back-end first, because the separate Front-end installation will prompt for the Back-end host name and the Back-end listener port.

The BMC Identity Management Suite includes a graphical wizard that provides easy-to-follow steps to guide you through the installation procedure. You can install the BMC Identity Management Suite using any of these three modes:
Graphical wizard
Command line prompts (not available for Windows)
Silent (non-interactive)

For all installation modes: Wait after activating the installer. Several minutes may be required for the launcher to start.

WARNING
Be sure that you remove unnecessary files from the /var directory.

TIP
The installation prompts (or parameters for silent installation) are the same whether you run the graphical wizard, the command-line installation, or the silent installation procedure.

NOTE
If you run the Windows installation using any method other than installing from a local CD (e.g., installing from a network location), a message about the validity of the digital signature may appear. You should ignore this message.

Starting the graphical installation wizard

If you want to run the installation procedure using a graphical wizard, perform the following steps:

NOTE
UNIX: If you are performing a distributed deployment, you must set the DISPLAY variable for both accounts.

1 Log in to the account where you want to perform the installation.

2 Insert the BMC Identity Management Suite installation media into a local CD/DVD drive (if installing from a CD/DVD). You can optionally run the installation from the CD/DVD, a network location, or you can copy the setup file to a directory on your computer.
3 UNIX: If you have not set the DISPLAY variable, enter the following command:
setenv DISPLAY localipaddress:0.0
where localipaddress is the IP address where your X server is running (typically the IP address of your PC).
4 Start the installation by entering the appropriate UNIX command in a console, or, for Windows, by double-clicking the file:
For Solaris: installpath/suite_setup.sh
For Windows: installpath/setupwin32.exe
The CD/DVD installpath directory structure is as follows:
ServerType_OSName/Suite/setupFile

EXAMPLE
This is an example of a path on the installation media to the Setup file:
/cdrom/suite/suite_setup.sh

NOTE
To run the installation as a background process using the graphical mode on UNIX you should append " >log.txt &" to the executable name:
suite_setup.sh >log.txt &

The Welcome screen is displayed (Figure 3).

Figure 3 BMC Identity Management Suite installation wizard: Welcome screen

The wizard guides you through the complete installation procedure. As each wizard screen is displayed, read the prompts and enter the appropriate responses. To proceed to the next screen, click Next. To go back to the previous screen, click Back.

For a list and description of the prompts, see Description of the Installation prompts on page 77.

Starting the command-line installation

1 Log in to the account where you want to perform the installation.

2 Insert the BMC Identity Management Suite installation media into a local CD/DVD drive (if installing from a CD/DVD). You can optionally run the installation from the CD/DVD or a network location, or you can copy the setup file to a directory on your computer.

3 Start the installation by entering the following command:

   installpath/suite_setup.sh -console

   installpath is the full path on the installation CD/DVD, the location of the installation directory on your network, or the path to where you copied the setup file locally.

The prompts in Figure 4 are displayed.

Figure 4 BMC Identity Management Suite command-line prompts: Welcome

   BMC Identity Management Suite - Installation
   Welcome to the BMC Identity Management Suite installation Wizard
   This installation wizard will guide you through the process of installing the BMC Identity Management Suite.
   Using this media you will be able to install the following solutions:
   - Open Services
   - User Administration and Provisioning
   - Password Management
   - Audit and Compliance Management
   - Web Access Manager
   - Identity Federation Manager

The prompts guide you through the complete installation procedure. As each prompt is displayed, read it and enter the appropriate response. Enter 1 for Next, 2 for Previous, 3 to Cancel, or 5 to Redisplay, and then press Enter.

For a list and description of the prompts, see Description of the Installation prompts on page 77.

Starting the silent installation

The silent installation is non-interactive. This method of installation is intended for administrators who want to install multiple instances of the product.

1 Copy the install options template file (silent_options.txt) locally so you can change its permissions (the file is read-only on the CD/DVD media). The file is located here:

   installpath/silent/silent_options.txt

   installpath is the full path on the installation CD/DVD, the location of the installation directory on your network, or the path to where you copied the setup file locally.

   NOTE: If you are installing Web Access Manager, you already obtained this file earlier from the latest service pack. Use the file that you prepared in 17 Prepare for Web Access Manager silent install on page

2 Assign the file write permission, so you can edit the file. (Under Windows, clear the read-only attribute.)

3 Open the file template in a text editor. This file stores all of the parameter values that you would otherwise provide by running either the graphical wizard or the command-line installation procedure.

4 Enable each parameter you want to set by removing the leading '###' characters from the line (search for '###' to find settings you can change).

5 Enter a value by replacing the characters '<value>'. Always leave the double quotes. Read each parameter description (included in the file) for information regarding how to specify its value. For more information, see Description of the Installation prompts on page 77.

6 Save the changes to the file.

7 Log in to the account where you want to perform the installation.

8 Insert the BMC Identity Open Services installation media into a local CD/DVD drive (if installing from a CD/DVD). You can optionally run the installation from the CD/DVD or a network location, or you can copy the setup file to a directory on your computer.

9 Start the installation by entering the appropriate command for your operating system:

   For Solaris: installpath/setupsolaris.bin -silent -options optionsfilenamepath
   For Windows: installpath/setupwin32.exe -silent -options optionsfilenamepath

   installpath is the full path on the installation CD/DVD, the location of the installation directory on your network, or the path to where you copied the setup file locally.
   optionsfilenamepath is the path to the options file.

NOTE: After entering the command, the following occurs:
   UNIX: While the installation is running, the prompt does not return.
   Windows: While the installation is running, the prompt returns.
   The installation runs to completion without any interactive prompts.
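The options-file edits in steps 3 to 6 can be scripted, which avoids leaving a '<value>' placeholder behind in a file that is then fed to the installer. This is an added example, not BMC's own code: it assumes only the template convention described above (a disabled setting starts with '###' and carries '<value>' inside double quotes), and the parameter names in the constructed sample file are invented for the demo, not the real names from the BMC template.

```shell
#!/bin/sh
# Added example, not part of the BMC guide: a helper for filling in a local copy
# of silent_options.txt (steps 3 to 6 above) without hand-editing it.
# It assumes only the template convention the guide describes: a disabled
# setting starts with '###' and carries the placeholder <value> inside double
# quotes. The parameter names in the sample file below are constructed for
# this demo and are not the real names from the BMC template.

# set_silent_option FILE NAME VALUE
# Enables the disabled line for NAME (strips the leading '###') and replaces
# <value> with VALUE, leaving the surrounding double quotes in place.
# Returns 1 and leaves FILE untouched if no disabled NAME line exists.
# (awk -v expands backslash escapes, so a VALUE such as a Windows path
# needs its backslashes doubled.)
set_silent_option() {
    file=$1; name=$2; value=$3
    tmp="$file.tmp.$$"
    awk -v name="$name" -v value="$value" '
        /^###/ {
            line = $0
            sub(/^###[ \t]*/, "", line)
            # the setting must be exactly "NAME=..." after the ### prefix,
            # so backend.host does not also match frontend.backend.host
            if (index(line, name "=") == 1) {
                i = index(line, "<value>")
                if (i > 0) {
                    # splice VALUE in by position: no sed/awk escaping of
                    # special characters in the value is needed
                    line = substr(line, 1, i - 1) value substr(line, i + 7)
                }
                $0 = line
                found = 1
            }
        }
        { print }
        END { if (!found) exit 1 }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$file"
}

# check_silent_options FILE
# Lists enabled settings whose <value> placeholder was never filled in; the
# installer would otherwise receive the literal text "<value>".
# Returns 0 when the file is clean, 1 when at least one line is reported.
check_silent_options() {
    ! grep -v '^###' "$1" | grep -n '<value>'
}

# Constructed sample in the template's layout (not the real file contents).
demo_file=${TMPDIR:-/tmp}/silent_options.demo.$$
cat > "$demo_file" <<'EOF'
# Install options template (constructed sample)
# install.path: directory to install the Suite into
### install.path="<value>"
# backend.host: Back-end host name, Front-end only installs
### backend.host="<value>"
# system.password: Suite System password (ASCII only)
### system.password="<value>"
EOF

set_silent_option "$demo_file" install.path /opt/bmc/idm/idm-suite5.5
set_silent_option "$demo_file" backend.host idm-backend.example.com
cat "$demo_file"
# the still-disabled system.password line is not reported: only enabled
# lines with an unfilled placeholder are
check_silent_options "$demo_file" && echo "options file is ready"
```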

Description of the Installation prompts

TIP: The actual prompts are the same whether you perform the installation using the graphical wizard or using the command-line prompts. The installation flow (the sequence of the prompts) varies according to the solutions you select to install.

This section lists and describes the flow of the BMC Identity Management Suite installation prompts. After you finish responding to all prompts, an Installation Summary screen is displayed listing the selections you have entered. You can either return to previous prompts and change values you entered, or you can start installing the BMC Identity Management Suite products. Table 6 provides descriptions of the installation prompts.

Table 6 Installation prompts (Part 1 of 7)

Prompt: Welcome
Description: Displays a list of the solutions that can be installed.

Prompt: License Agreement
Description: Accept the license agreement in order to continue the installation.

Prompt: Click Next to install the BMC Identity Management Suite to this directory, or click Browse to install to a different directory.
   UNIX default: [/opt/bmc/idm/idmsuite5.5]
   Windows default: [Program Files/bmc/idm/idm-suite5.5]
Description: Accept the default BMC Identity Management Suite installation path, or select a different location. If you accept the default, the directory is created if it does not already exist.
   In a UNIX installation: under /opt, if a directory bmc does not exist (/opt/bmc) or is not accessible, the following default is used instead: $HOME/bmc/idm/idm-suite5.5
   If you choose $HOME as the install directory, this must be a dedicated UNIX account and no other application should be installed there.

Table 6 Installation prompts (Part 2 of 7)

Prompt: Choose the installation type that best suits your needs:
   [ ] 1 - Complete. If you select this option, all Front-end and Back-end products will be installed in one account.
   [ ] 2 - Custom: If you select this option, you can choose which products and components you want to install.
   [ ] 3 - Infrastructure only: If you select this option, Identity Open Services and the Identity Common UI Services components are installed.
Description: This screen allows you to select the type of installation:
   Complete: All Front-end and Back-end products will be installed in one account.
   Custom: If you select this option, you can select which products and components you want to install.
   Infrastructure only: If you select this option, only Identity Open Services and the Identity Common UI Services components are installed. The infrastructure option is used for creating SDK applications using the infrastructure components (when you are not installing any product). The Infrastructure Components should only be installed by SDK developers.

Prompt: (Only displayed if you previously selected custom installation) This screen allows you to select only the BMC Identity Management solutions you want to install.
   [ ] Back-end components:
   [ ] 1 - Open Services
   [ ] 2 - Compliance Manager
   [ ] 3 - Workflow Database Schema
   [ ] Front-end components:
   [ ] 4 - User Administration
   [ ] 5 - Password Manager
   [ ] 6 - Compliance Manager
   [ ] 7 - Identity Federated Manager
   [ ] 8 - Web Access Manager
   [ ] 9 - Identity Request Manager
Description: This screen should only be used by advanced users, and is displayed only if you previously selected to use a custom installation. Select the products and components you want to install. Each solution installs the required infrastructure components. The Suite's Back-end and Front-end products can optionally be deployed in a distributed environment, with a Front-end server working with a remote central Back-end server.
   Warning: If you are performing a distributed deployment (two servers), do not attempt to mix Back-end and Front-end products on the same server.
   Installation dependencies:
   - Front-end: The User Administration Manager application is always automatically installed (except in a standalone Web Access Manager deployment).
   - Back-end: Open Services is always automatically installed.
   - Front/Back-end: If installing Identity Request Manager, then both Compliance Manager components and the Workflow Database Schema component must also be installed.
   Select the solutions you want to install [no default].

Table 6 Installation prompts (Part 3 of 7)

Prompt: (Only displayed if installing Web Access Manager) Select the components to install:
   [ ] 1 - Policy Manager
   [ ] 2 - Self Service
   [ ] 3 - Business Process Manager
   [ ] 4 - RSA SecurID
   [ ] 5 - Log Collector
   [ ] 6 - API
   Note: Be sure to configure Web Access Manager and create the administrative User prior to installing the Web enforcement Agent. Failure to do so may prevent you from accessing any protected Web applications.
Description: Select the components to install:
   Policy Manager: Web-based application to create users, organizations, resources and roles for making access decisions to Web-based resources by the Enforcement Agent.
   Self Service: Web-based application that allows end-users to create and manage their own user accounts in the LDAP directory identity store.
   Business Process Manager: Enables workflow capabilities within the Web Access Management Policy Manager. It automates and streamlines the process of creating, modifying, and deleting user accounts, as well as approving access to protected resources.
   RSA SecurID: (Applicable only if the customer site is already using RSA SecurID) Creates a WAM credential only after RSA has authenticated the user.
   Log Collector: Web-based application to which log entries are sent via HTTP/HTTPS requests. The Log Collector receives the log messages from any WAM component and writes them to the configured RDBMS.
   API: Java and .NET (when installed on Windows) API for developer use.

Prompt: Select an Oracle or Sybase client depending on the type of Enterprise SecurityStation database server. The client will not be installed. Specify the home directories.
   Sybase: Select Sybase client home directory
   Oracle: Select Oracle client home directory
Description: The BMC Identity Management Suite requires a database client to enable it to communicate with the same database type used by Enterprise SecurityStation. Select the appropriate type of database client and provide its path.
   Sybase DB client path: Append to the path the string: /sybase
      Example: /home/abc/sybase
   UNIX: Oracle DB client path: Append to the path the string: oraclt/product/8.1.7
      Example: /home/abc/oraclt/product/8.1.7
   Windows: Oracle DB client path: Append to the path the string: \product\10.2.0\client_1
      Example: C:\programs\abc\product\10.2.0\client_1
   If you think there is a possibility that you may switch database types in the future, you should select both database clients.

Table 6 Installation prompts (Part 4 of 7)

Prompt: Enter the JBoss Home directory.
Description: Indicate the installation path of the application server.

Prompt: Application server parameters
   Enter back-end host name:
   Enter the server's secured HTTP port (HTTPS)
   Enter the back-end server's JNDI port
Description:
   Host name: This prompt displays when installing ONLY the Front-end on this server in a distributed deployment. Enter the Back-end host name to enable the Front-end to connect to the Back-end server.
   Ports: IMPORTANT: Be sure the port numbers you assign in this wizard screen (or command-line installation) match all port values you may have configured as an installation prerequisite. The prompts for the ports vary depending on whether you are installing the Suite components on the Front-end, on the Back-end, or in a unified deployment on a single server.

Prompt: Please read the summary information below:
   Installation path:
   Suite Common
   Suite SDK
   Open Services
   Identity UI
   User Administration
   Compliance Manager Back-end
   Compliance Manager Web
   Password Manager
   Suite Configuration Core
   Suite Configuration Web
   ESS API
   Request Manager
   BMC Identity Federation Manager
   BMC Web Access Manager
   For a total size: MB
Description: This screen displays a summary of the following:
   - The installation path you selected.
   - IMPORTANT: The products and components that will be installed based on the solutions and other options you selected.
   - The amount of disk space required (MB).
   If the summary information is correct, click Install.

Table 6 Installation prompts (Part 5 of 7)

Prompt: BMC Identity Management Suite Security Configuration
   The System password is used for securing the Suite keystore and for using the Suite Configuration utility. The keystore contains authentication and signing entries. Do not use the same password as the account password.
   Enter System Password:
   Password:
   Re-enter:
   Enter signing key lifetime in months [120]
   Enter authentication key lifetime in months [120]
Description: The System password is used for securing the Suite keystore and for running some scripts. Enter a password and then re-enter it to confirm it.
   Important: The System password must ONLY contain ASCII characters.
   Enter the lifetime in months of the two keys used by the Suite.

Prompt: The JBoss System password is used to secure the connection between accounts, and to implement SSL. JBoss has its own keystore that will be used to create a secure connection if the Suite is deployed on more than one server.
   Note: Do not use the same password as the System password.
   Enter JBoss System password:
   Password:
   Re-enter:

Table 6 Installation prompts (Part 6 of 7)

Prompt: Create ESS Login Profile
   Login Profile name:
   The ESS server is secured [default: yes]:
   The ESS server is behind a firewall:
   ESS Server Host Name:
   ESS Server Domain Name:
   ESS Server Port Number [default: 1570]
   ESS Manager Name [default: ess]
   Specify the Enterprise SecurityStation version
   [] or higher
   [] or earlier [default]
Description:
   ESS Login Profile name: An ESS Login Profile is a file containing the parameters for connecting the BMC Identity Management Suite Back-end applications (for example, Identity Open Services) to a specific installation of Enterprise SecurityStation. Enter a name to identify the Login Profile. The profile name can consist of letters (A-Z, a-z), numbers (0-9), hyphen (-) and underscore (_).
   ESS server secure: Whether communication between Identity Open Services and the ESS Application servers is encrypted by SSL. By default, when version or later is installed on any workstation, communication is encrypted. For more information, see the description of Application server security in the Enterprise SecurityStation Administration Guide.
   Behind a firewall: Specify yes if Enterprise SecurityStation is installed behind a firewall with a NAT router. Specify no if either of the following is true: Enterprise SecurityStation is not behind a firewall; a NAT router is not employed.
   Server host: Name of the UNIX server on which Enterprise SecurityStation is installed.
   Server domain: Domain name of the UNIX server on which Enterprise SecurityStation is installed.
   Server port: Port number on the UNIX server through which the current Login Profile should connect to the ESS Application Server. The value specified for this parameter should be the value specified for the base port number for the ESS Application server daemon during installation of the Enterprise SecurityStation server. Default: This is also the value of the environment variable IT_DAEMON_PORT in the .cshrc file in the UNIX installation.
   ESS manager: User name of the ESS manager, specified during installation of the Enterprise SecurityStation server.
   ESS version: Is the version of the ESS that you are using or higher, or is or earlier?

Table 6 Installation prompts (Part 7 of 7)

Prompt: Define unattended ESS administrator for Open Services.
   Admin ID:
   ESS password:
   Re-enter password:
Description: (Only applicable if you are installing Identity Open Services on this server.) The Unattended ESS administrator is used to perform actions in the ESS database for Identity Open Services.
   Admin ID: The value specified for the field ESS Login Name in the ESS Administrator Properties window for this unattended Administrator. This is the ESS administrator you previously created (see 9 Create an ESS administrator for the unattended administrator for Open Services on page 53).
   ESS Admin password: Depends on the ESS version you selected in the wizard screen for the ESS Login profile. If the installation of Enterprise SecurityStation is , then you must enter the password of the ESS administrator. If the ESS version is or later, you do not have to enter the ESS administrator password.

The installation prompts in Table 7 are displayed only if you selected to install Web Access Manager.

Table 7 Web Access Manager installation prompts (Part 1 of 3)

Prompt: (Only displayed if installing Web Access Manager) Select a Directory server to be used by BMC Web Access Manager
   [ ] 1 - Sun Java System Directory Server
   [ ] 2 - Microsoft Active Directory Server
   [ ] 3 - Microsoft Active Directory Server Application Mode
   [ ] 4 - Novell eDirectory
   [ ] 5 - IBM Directory Server
Description: Select the type of LDAP directory server you are using with Web Access Manager.

Table 7 Web Access Manager installation prompts (Part 2 of 3)

Prompt: (Only displayed if installing Web Access Manager)
   Important: The following value is used to decrypt the Web Access Manager credentials cookie. This value is encrypted and stored in the Web Access Manager configuration file. At no time is this value stored in plain text. You MUST record this value for later use with the Web Access Manager API, or overwrite the generated key with a previously generated key if you have one. This value will not be displayed again.
   Cookie key:
Description: Do either of the following:
   - Save this key value for future use. Guard this value as a secret.
   - Paste in a previously generated key value. Guard this value as a secret.

Prompt: (Only displayed if installing Web Access Manager) LDAP Hosts Information:
   LDAP Host:
   LDAP Port:
   Secure Data Port:
   LDAP User:
   LDAP Password:
   Retype LDAP Password:
Description: Enter LDAP directory server connection information.
   Note: The values are tested with an attempt to bind to the LDAP server. If the bind is successful, the connection is added.
   LDAP Host: The name or IP address of the machine running the Directory Server.
   LDAP Port: The IP port that the Directory Server is listening to on the server specified by the LDAP Host parameter.
   Secure Data Port: The secure port that the Directory Server is listening to on the server specified by the LDAP Host parameter.
   LDAP User: The fully qualified distinguished name of the BMC WAM administrative account to be used by the application. Example: cn=bmcbinduser, cn=users, dc=yourdomain, dc=com
   LDAP Password: The LDAP password for the user entered above.

Table 7 Web Access Manager installation prompts (Part 3 of 3)

Prompt: (Only displayed if installing Web Access Manager) General Information:
   LDAP Settings Root: [Default: cn=UIdPConfiguration,dc=yourdomain,dc=com]
   LDAP SSL Certificate File information
   Enter the full path of the Java keystore to use for SSL:
Description:
   LDAP Settings Root: The DN of the object that is used as the root of the settings branch in the directory.
   SSL keystore: Enter the path to the keystore used for SSL.

Prompt: (Only displayed if installing Web Access Manager) Logging information
   Configure the log sender to send logs to the log collector.
   Keystore file:
   Keystore password:
   Retype Keystore password:
   Certificate Alias:
   Certificate password:
   Retype Certificate password:

Table 8 Security Review prompt (part 1)

Prompt: The BMC Identity Management Suite installation procedure provides by default a high level of security. To ensure this level of security BMC strongly advises you to perform the following actions:
   1. In a distributed deployment (separate machines for the back-end server and the front-end servers) you need to install and configure the certificates between the back-end server and all the front-end servers.
      a. For JBoss installations, please refer to the BMC Identity Management Suite Administrator Guide, Chapter 2 (Installation), section on implementing an SSL connection in a distributed deployment, for more instructions.
      b. For WebLogic and WebSphere installations, please refer to the corresponding third-party server administrator guides for certificate configuration instructions.
   I confirm that I understand this requirement and I understand that I must fulfill it in order to ensure the high level of security of the product (y - Yes, n - No)
Description: This installation screen provides a strong notice to installers that in a distributed deployment of the BMC Identity Management Suite, you should establish an SSL connection between the servers.

Table 9 Security Review prompt (part 2)

Prompt: It is highly recommended that you secure the installation directories so they can only be accessed by system administrators.
   I confirm that I understand this requirement and I understand that I must fulfill it in order to ensure the high level of security of the product (y - Yes, n - No)
Description: This installation screen provides a strong notice to installers that all installation directories should have strict permissions, only allowing access by system administrators.

NOTE: During the installation progress, log data is written to the following file:

   $BMC_IDM_SUITE_HOME/bmc_idm_suite.log

In addition, log data is written to files located in these directories:

   $BMC_IDM_SUITE_HOME/ess_api/Log
   $BMC_IDM_SUITE_HOME/general/log

Upon completion, information is displayed listing the installed products and their completion status (for example, success or failed).

UNIX only: An additional message indicates that it is necessary to log out of, and log in to, the installation account.

To complete the BMC Identity Management Suite installation, click Finish (console: enter 0).

20 Update environment variables

Summary: Certain additional environment variables must be updated. Performed by the IdM Suite Administrator.

NOTE: Perform this procedure in the IdM Suite installation. In a distributed deployment, perform this procedure on the Back-end server only.

Updating environment variables under Unix

To update environment variables under Unix

1 Back up ~/.login to ~/.login.5500, and then open ~/.login in a suitable text editor.

2 Locate the last line in the file:

   # End INSTALLSHIELD Environment Variable Section

3 Add the following text after the last line in the file:

   #For Oracle
   setenv NLS_LANG AMERICAN_AMERICA.WE8ISO8859P1

4 Save and close ~/.login.

Updating environment variables under Windows

To update environment variables under Windows

1 Choose Start => Settings => Control Panel => System => Advanced => Environment Variables.

2 In the System Variables section, click New.

3 In the New System Variable dialog box, paste the environment variable below in the Variable box, paste the Value in the Variable Value box, and click OK.

   Environment variable: NLS_LANG
   Value: AMERICAN_AMERICA.WE8ISO8859P1

4 Click OK as many times as needed to close the Control Panel dialog boxes.

21 UNIX: Log out and log in to the installation account(s)

Summary: You must log out and log in before continuing with product configuration. To be performed by the IdM Suite Administrator.

To set environment variables in the installation account(s), log out and then log in again as the IdM Suite Administrator.

22 Windows: Restart Windows

Summary: You must restart Windows before continuing with product configuration. To be performed by the IdM Suite Administrator.

You must restart Windows after finishing the install procedure.

23 Modify the run.sh script (Unix only)

Summary: Modify the run.sh script to satisfy requirements for JBoss under Unix. Performed by the IdM Suite Administrator.

Perform this procedure while logged in to the IdM Suite account. For a distributed deployment, perform this procedure only on the Back-end server.

To edit run.sh for JBoss under Unix

1 Enter the following command:

   echo $ESS_ROOT

   The actual path of the ESS_ROOT environment variable is displayed.

2 Record the path displayed in response to the command, which is referred to below as EssRootValue.

3 Back up the following file, and then open it in a suitable text editor:

   $JBOSS_HOME/bin/run.sh

4 Locate the following comment:

   # Increase the maximum file descriptors if we can

5 Add the following lines above the comment:

   LD_PRELOAD=EssRootValue/Lib/libEssPreLoad.so
   export LD_PRELOAD

   where EssRootValue is the response that you recorded in step 2.

6 Save and close the file.

24 Modify the stop_idm_suite.bat script (Windows only)

Summary: Modify the stop_idm_suite.bat script to satisfy requirements for JBoss under Windows. Performed by the IdM Suite Administrator.

Perform this procedure while logged in to the IdM Suite account. For a distributed deployment, perform this procedure on both the Front-end server and the Back-end server.

To correct the Windows stop script

1 Log in on the IdM Suite server.

2 Back up the following file, and then open it in a suitable editor:

   %BMC_IDM_SUITE_HOME%\general\tools\scripts\app_server\stop_idm_suite.bat

3 Locate the following code:

   set JAVA_OPTS="-Djavax.net.ssl.trustStore=%BMC_IDM_SUITE_HOME%\security\keystore\jboss.keystore -Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.

4 (Back-end or unified deployment) Replace the code from step 3 with the following:

   set JAVA_OPTS="-Djavax.net.ssl.trustStore=%BMC_IDM_SUITE_HOME%\security\keystore\ctsa.keystore"

   Note: Be sure to enter all the replacement code on a single line.

5 (Front-end only) Replace the code from step 3 with the following:

   set JAVA_OPTS="-Djavax.net.ssl.trustStore=%BMC_IDM_SUITE_HOME%\security\keystore\jboss.keystore"

   Note: Be sure to enter all the replacement code on a single line.

6 Save and close stop_idm_suite.bat.

25 Install service pack for the IdM Suite

Summary: Install the latest service pack for the BMC Identity Management Suite. Performed by the IdM Suite Administrator.

It is mandatory to install the latest service pack for the BMC Identity Management Suite. This incorporates the latest problem resolutions (and enhancements, if any) into the IdM Suite installation.

NOTE: If, at a later time after installing the IdM Suite, you rerun the installation script to add one or more solutions to the IdM Suite, you must reinstall the service pack. The installation procedure for the service pack updates only the newly installed products.

The service pack is available on CD from BMC Customer Support or from the BMC FTP site. Follow the instructions in the release notes that accompany the service pack.

Information on service packs is available from the BMC Support site, at:

Follow the link for Product Documentation to the page for the BMC Identity Management Suite version. Look for the release notes for the latest service pack.
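The run.sh edit in step 23 above is easy to get subtly wrong by hand (a mistyped preload path makes every JVM that run.sh starts fail to load the library), and it has to be redone after a reinstall. This is an added example, not BMC's own script: it performs that edit idempotently, taking a backup first, and assumes exactly what the guide states, namely that run.sh contains the marker comment shown and that ESS_ROOT provides Lib/libEssPreLoad.so.

```shell
#!/bin/sh
# Added example, not part of the BMC guide: applies the run.sh edit from step 23
# with a script rather than a text editor, so it is safe to re-run on the
# Back-end server. It assumes what the guide states: run.sh contains the marker
# comment below, and ESS_ROOT points at the Enterprise SecurityStation root
# that provides Lib/libEssPreLoad.so.
MARKER='# Increase the maximum file descriptors if we can'

# add_ess_preload RUNSH ESSROOT
# Inserts the two LD_PRELOAD lines directly above MARKER in RUNSH.
# Exit status: 0 inserted (RUNSH.orig backup written first)
#              2 already present, RUNSH left unchanged
#              1 marker or preload library not found, RUNSH left unchanged
add_ess_preload() {
    runsh=$1; essroot=$2
    lib="$essroot/Lib/libEssPreLoad.so"
    # a wrong path here would make every JVM started by run.sh log a loader
    # error (and run without the ESS preload), so refuse it up front
    [ -f "$lib" ] || { echo "preload library not found: $lib" >&2; return 1; }
    grep -qF "LD_PRELOAD=$lib" "$runsh" && return 2
    grep -qF "$MARKER" "$runsh" || { echo "marker not found in $runsh" >&2; return 1; }
    cp -p "$runsh" "$runsh.orig" || return 1
    awk -v marker="$MARKER" -v lib="$lib" '
        !done && index($0, marker) > 0 {
            print "LD_PRELOAD=" lib
            print "export LD_PRELOAD"
            done = 1
        }
        { print }
    ' "$runsh.orig" > "$runsh"
}

# Stand-alone use on the Back-end server, as in the guide's step 23:
#   sh this_script.sh "$JBOSS_HOME/bin/run.sh" "$ESS_ROOT"
if [ $# -eq 2 ]; then
    add_ess_preload "$1" "$2"
fi
```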

26 Determine the Suite URL

Summary: Determine the URL required to connect to the installed BMC Identity Management Suite. To be performed by the IdM Suite Administrator.

In this step, you run a utility to display the URL needed to connect to the BMC Identity Management Suite.

To determine the URL required to connect to the BMC Identity Management Suite

In the Front-end or unified account, enter the following command:

   idm_tools suite_url

A display similar to the following is displayed:

27 Import the shared secret into Enterprise SecurityStation

Summary: Only performed when installing Identity Open Services, and only when connecting to Enterprise SecurityStation version and later. Establishes a trusted connection between Identity Open Services and Enterprise SecurityStation by importing the Back-end account shared secret into Enterprise SecurityStation. The procedure for importing the Identity Open Services ID and the shared secret is described in To import, delete, or replace the ESS_ID and the ESS_SS (ESS Shared Secret) parameters on page 167. To be performed by the IdM Suite Administrator and the ESS Owner.

The Identity Open Services ID and the shared secret are generated automatically during the Identity Open Services installation procedure.

However, to establish the trusted connection between the Back-end account applications and Enterprise SecurityStation (version or later), it is also necessary to import the Identity Open Services ID and shared secret from the Identity Open Services into Enterprise SecurityStation. Follow the procedure for importing the Identity Open Services ID and the shared secret that is described in detail in the following section: To import, delete, or replace the ESS_ID and the ESS_SS (ESS Shared Secret) parameters on page 167.

Application deployment

This section describes procedures for deploying the BMC Identity Management Suite components in their application server.

Important: The Identity Compliance Manager .ear and .war require that you configure the Compliance Manager in the Suite Configuration application before you deploy them. This means that you should first deploy all other Suite .ears and .wars. Then, once the Suite is up and running and you can use the Suite Configuration application, configure the Compliance Manager. After you configure the Compliance Manager, you can deploy the Identity Compliance Manager .ear and .war.

28 Deploy the Suite applications

Summary: You must deploy the BMC Identity Management Suite applications from their installation location to the application server. This section describes a procedure to deploy the Suite's applications. Follow the special instructions for deployment of the Identity Compliance Manager. To be performed by the IdM Suite Administrator.

The installation procedure copied the Suite application .war and .ear files to the computer. This step is required to deploy the applications to their working environment on the application server.

Note: Identity Compliance Manager must be configured before it is deployed. Therefore, do not deploy the following files at this point:

   cmpl_mgr.war
   cdm-request-manager.war
   cmpl_mgr.ear
   cdm-cmpl-mgr-rep.war

Deploy all applications except those for Identity Compliance Manager, and continue performing all of the steps until 36 Configure Identity Compliance Manager on page 103. After configuring the Identity Compliance Manager, deploy the Compliance Manager as described in this procedure, and then return and continue at the end of 36 Configure Identity Compliance Manager on page 103.

To deploy the Suite applications to JBoss

1 Log in to the account where JBoss is installed.

2 Copy the ear and war files and directories that are located in $BMC_IDM_SUITE_HOME/deploy to the directory $JBOSS_HOME/server/idm/deploy

   NOTE: Throughout this manual, when the IdM Suite is installed on a Microsoft Windows platform, use %BMC_IDM_SUITE_HOME% whenever $BMC_IDM_SUITE_HOME is specified.

3 If you are installing the Suite in a distributed (Back-end and Front-end) environment, repeat the procedure on both servers.

Deploy the Documentation Center

Download and deploy the WAR file containing up-to-date documentation for the BMC Identity Management Suite. This enables you to access documentation from the IdM Suite user interface. The latest documentation file (doc-center.war) can be downloaded from the directory:

   ftp://ftp.bmc.com/pub/controlsa/bmc_identity_management_suite/5.5.00/doc_center/

95 Post-installation Copy the file to the following directory: $JBOSS_HOME/server/idm/deploy In a distributed deployment, deploy the file on the Front-end server. Post-installation 29 Implement an SSL connection between distributed servers Summary Only required when using a distributed deployment of the BMC Identity Management Suite. The procedure is necessary to establish a secure SSL connection between the Front-end and the Back-end servers by importing the Back-end JBoss SSL public key certificate to the Front-end Suite keystore. Performed by the IdM Suite Administrator. If the BMC Identity Management Suite is installed on two separate servers (Front-end and Back-end) it is strongly recommended that you create a secure SSL connection between them. When the BMC Identity Management Suite is shipped, the Back-end JBoss-service.xml JBoss file is configured by default to enable SSL between a Front-end and a Back-end server. The remaining task for implementing SSL between servers is importing the JBoss SSL certificate to the Front-end Suite keystore. Figure 11 on page 124 provides an illustration of the procedure described in this section. Exporting the Back-end JBoss SSL public key certificate The JBoss SSL public key certificate is exported automatically during installation. It is exported to the following directory: $BMC_IDM_SUITE_HOME/security/keystore If necessary, you can manually export the certificate by using the idm_tools keystore_idm. line command. For more information, see Line command on page 153. Chapter 2 Installation 95

96 Post-installation NOTE When the BMC Identity Management Suite is shipped, the Back-end JBoss-service.xml JBoss file is configured by default to enable SSL between a Front-end and a Back-end server. Importing the public key certificates Although exporting the certificate is done automatically, it is necessary to manually import the certificate to the Front-end Suite keystore. To create a secure SSL connection between the Back-end and the Front-end servers in a distributed deployment 1 Log in to the Front-end account. 2 Stop the Front-end JBoss if it is running. 3 Copy (using binary FTP) the Back-end JBoss SSL public key certificate from the Back-end account to any directory in the Front-end server. The certificate file name and path is: $BMC_IDM_SUITE_HOME/security/keystore/idmIdValue_jboss.cer 4 Enter the following command to import the Back-end JBoss SSL public key certificate to the Front-end JBoss keystore: For Solaris: $BMC_IDM_SUITE_HOME/general/tools/scripts/appl_server/keystore_jboss.sh -import cerfile For Windows: %BMC_IDM_SUITE_HOME%\general\tools\scripts\appl_server\keystore_jboss.bat -import cerfile where: -import cerfile Enter the full path and name of the JBoss SSL public key certificate copied from the Back-end server. 96 BMC Identity Management Suite Administrator Guide

97 Post-installation When prompted, specify the following parameters: -pass keystorepassword Enter the Front-end JBoss keystore password. 5 Restart the Front-end server. 30 Implement a trusted connection between distributed servers Summary This procedure is mandatory when both of these conditions exist. You have implemented a distributed deployment of the BMC Identity Management Suite on two servers. Your site is using Enterprise SecurityStation version or later. This procedure is necessary to establish a trusted connection between the Front-end and the Back-end server. The Back-end server must import the Front-end Suite keystore public key certificate used for authentication to the Back-end Suite keystore. Important: This procedure is required by the BMC Identity Management Suite when installed on two servers regardless of whether or not you implement an SSL connection (see 29 Implement an SSL connection between distributed servers on page 95 ). Performed by the IdM Suite Administrator. If the BMC Identity Management Suite is installed on two separate servers and your site is using an ESS version or later you must implement a trusted relationship between servers. Important: This requirement is mandatory regardless of whether or not you have implemented an SSL connection between servers. Exporting the public key certificates The Suite Front-end keystore public key certificate for authentication is exported automatically during installation. It is exported to the following directory: $BMC_IDM_SUITE_HOME/security/keystore NOTE If necessary, you can manually export the certificate by using the idm_tools keystore_idm. line command. For more information, see Line command on page 153. Chapter 2 Installation 97

Importing the public key certificate
Although exporting the certificates is done automatically, it is necessary to manually import the certificate to the Back-end Suite keystore.
To create a trusted connection between the Back-end and the Front-end servers in a distributed deployment
1 Log in to the Back-end account.
2 (Only applicable if this condition is met: after installation, you are connecting the Suite to a second Enterprise SecurityStation.) Stop the application server if it is running.
3 Using ftp (binary mode), copy the Front-end System authentication public key certificate from here:
$BMC_IDM_SUITE_HOME/security/keystore/ctsaid.cer
to the Back-end Suite keystore directory located here:
$BMC_IDM_SUITE_HOME/security/keystore/
4 Enter the following command to import the Front-end authentication certificate to the Back-end Suite keystore:
idm_tools keystore_idm -import cerfile
cerfile is the full path of the certificate including the file name. The file name and path in the Back-end is the following:
$BMC_IDM_SUITE_HOME/security/keystore/ctsaid.cer
When prompted, specify the following parameter:
keystorepassword  Enter the Back-end System password (i.e., the Back-end Suite keystore password).
5 (Only applicable if this condition is met: after installation, you are connecting the Suite to a second Enterprise SecurityStation.) Start each Suite application server that was stopped.

31 Create a user who can configure the Suite and test the applications
Summary
Create and enable a Person in Enterprise SecurityStation who can use the Suite Configuration application and can also test the functionality of the BMC Identity Management Suite applications.
Performed by an ESS administrator with access rights for Persons and ESS administrators.

Using ESS Console, prepare a new or existing Person who will be used to configure the Suite and who will also be able to test the functionality of the other BMC Identity Management Suite applications. Do the following:
- Ensure that the Person is connected to at least one Account in any Managed System.
- On the Applications tabbed page of the Person Properties window (in some sites, the Password Manager parameter may appear on the Password Manager tabbed page), enable all relevant products for the test user as described in Table 10.

Table 10 How to enable a product for a Person in ESS
Product                      Action
User Administration Manager  Select the following check box: User is ess administrator
Password Manager             Clear the following check box: Disabled in Password Manager
Compliance Manager           Select the following check box: User of Compliance Manager
Request Manager              Select the following check box: Request Manager
Suite Configuration          Select the following check box: Configuration Manager

- Right-click in the Person Properties window and select Change Password from the pop-up menu. Enter a password for the Person.
- Ensure that the Person is connected to an ESS administrator.
- Perform the procedure: 4 - Additional product-specific configuration requirements on page 174
NOTE For more information, see Enabling a BMC Identity Management Suite user on page 172.

100 Post-installation 32 Start the BMC Identity Management Suite Summary You are now ready to start the BMC Identity Management Suite. If the IdM components have been installed in two accounts, the startup procedure must be performed in each account. Performed by the IdM Suite Administrator. The script starts the application server. All BMC Identity Management Suite components that have been deployed in the application server will start. To start the BMC Identity Management Suite 1 Log in to the account where the BMC Identity Management Suite is installed. 2 Enter the appropriate command for your operating system: In a UNIX console: $BMC_IDM_SUITE_HOME/general/tools/scripts/appl_server/start_idm_suite.sh NOTE UNIX: You can use the script name without the full path. In a Windows console: %BMC_IDM_SUITE_HOME%\general\tools\scripts\appl_server\start_idm_suite.bat 3 If you are prompted for the System password enter it. The BMC Identity Management Suite starts. Check to make sure that the BMC Identity Management Suite starts without generating error messages. 100 BMC Identity Management Suite Administrator Guide

NOTE If you have multiple JBoss instances installed on Solaris, when you start the Suite you may get the following exception thrown, but you should ignore it:
07:53:50,853 ERROR [UILServerILService] Starting failed jboss.mq:service=InvocationLayer,type=UIL2
java.net.BindException: Address already in use
        at java.net.PlainSocketImpl.socketBind(Native Method)
        at java.net.PlainSocketImpl.bind(PlainSocketImpl.java:331)
        at java.net.ServerSocket.bind(ServerSocket.java:318)
        at java.net.ServerSocket.<init>(ServerSocket.java:185)
        at javax.net.DefaultServerSocketFactory.createServerSocket(DashoA12275)
        at org.jboss.mq.il.uil2.UILServerILService.startService(UILServerILService.java:182)
For more information, see the section Starting/Stopping the BMC Identity Management Suite on page

33 Register the ESS Application Servers parameters
Register the values that you previously defined for ESS Application Servers (see 6 Define ESS Application Servers on page 46):
- starting ESS Application Servers number
- quantity of the ESS Application Servers to be allocated to the current instance of Identity Open Services
Perform this task by assigning values in the relevant fields in the Suite Configuration application: Suite Configuration => Security and Authentication => ESS Login Profiles. For more information, see Security and Authentication: ESS Login Profile on page 145.
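Step 32 asks you to confirm that the Suite starts without error messages, and the note above names the one start-up error that may be ignored on Solaris hosts running several JBoss instances. The following added example (not part of the BMC product) scans a JBoss server log for ERROR records and suppresses only that documented benign failure; the record layout is assumed from the exception quoted above and the sample log lines are constructed.

```python
"""Scan a JBoss server log from a Suite start-up for unexpected errors.

Added example, not part of the BMC Identity Management Suite. The record
layout (time, level, [category], message, then exception text and "at"
frames on their own lines) is assumed from the exception quoted in the
guide; the sample log below is constructed.
"""
import re
from typing import List, Tuple

# One record per log4j line: "07:53:50,853 ERROR [UILServerILService] Starting failed ..."
RECORD_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2},\d{3}) (?P<level>[A-Z]+) +"
    r"\[(?P<category>[^\]]+)\] (?P<message>.*)$"
)

# The only start-up failure the guide says to ignore (Solaris hosts running
# several JBoss instances): the UIL2 invocation layer cannot bind its port.
BENIGN_CATEGORY = "UILServerILService"
BENIGN_EXCEPTION = "java.net.BindException: Address already in use"

# Constructed sample: the documented benign failure plus one real deployment error.
SAMPLE_LOG = """\
07:53:49,120 INFO  [Server] Starting JBoss (MX MicroKernel)...
07:53:50,853 ERROR [UILServerILService] Starting failed jboss.mq:service=InvocationLayer,type=UIL2
java.net.BindException: Address already in use
        at java.net.PlainSocketImpl.socketBind(Native Method)
        at java.net.ServerSocket.bind(ServerSocket.java:318)
        at org.jboss.mq.il.uil2.UILServerILService.startService(UILServerILService.java:182)
07:53:52,001 ERROR [MainDeployer] Could not create deployment: file:/opt/jboss/server/idm/deploy/cmpl_mgr.ear
07:53:53,300 INFO  [Server] JBoss (MX MicroKernel) Started in 12s:345ms
""".splitlines()

Record = Tuple[str, str, str, List[str]]  # (level, category, message, detail lines)


def parse_records(lines: List[str]) -> List[Record]:
    """Group raw lines into records; exception text and stack frames are
    attached as detail to the record that precedes them."""
    records: List[Record] = []
    for line in lines:
        match = RECORD_RE.match(line)
        if match:
            records.append((match["level"], match["category"], match["message"], []))
        elif records:
            records[-1][3].append(line.strip())
    return records


def is_benign_bind_failure(record: Record) -> bool:
    """True only for the UIL2 'Address already in use' error the guide says to ignore."""
    level, category, _message, detail = record
    return (level == "ERROR" and category == BENIGN_CATEGORY
            and any(line.startswith(BENIGN_EXCEPTION) for line in detail))


def unexpected_errors(lines: List[str]) -> List[str]:
    """Return 'category: message' for every ERROR record that is not the benign one.

    An empty list means the start-up check in step 32 passed."""
    findings = []
    for record in parse_records(lines):
        level, category, message, _detail = record
        if level == "ERROR" and not is_benign_bind_failure(record):
            findings.append(f"{category}: {message}")
    return findings


if __name__ == "__main__":
    for finding in unexpected_errors(SAMPLE_LOG) or ["no unexpected errors"]:
        print(finding)
```

A bind failure reported under any other category is still treated as a real error, so a port clash on something other than the UIL2 invocation layer is not hidden.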

34 Register the unattended Person(s)
Each Unattended Person is used to perform actions for BMC Identity Management Suite users in the ESS database for a specific Suite application.
NOTE BMC Password Manager does not require an Unattended Person.
The BMC Identity Management Suite uses the following unattended Persons:
- an unattended Person for the User Administration Manager
- an unattended Person for the Compliance Manager
- an unattended Person for the Request Manager
Prerequisite: You have already created the Person(s) and required ESS administrator(s). For more information, see 10 Create the Person(s) and ESS administrator(s) for the unattended Persons on page 54.
In this section, you register the unattended Persons by using the Suite Configuration application. To do this, perform the procedure described in the following section: Run the Suite Configuration: Unattended Administrators option on page

35 Run the Form Generator utility
Summary
Run the Form Generator utility to generate an updated set of form definition files for the User Administration Manager. The utility must be run separately for each Login Profile defined.
Performed by the IdM Suite Administrator.
Run the Form Generator by following the procedure described in this section: Application Configuration: Form Generator on page

36 Configure Identity Compliance Manager
(Only applicable if you have installed Identity Compliance Manager.)
Important: The Identity Compliance Manager .ear and .war files require you to configure the Compliance Manager initially in the Suite Configuration application after installing it from the CD or DVD media, but before it is deployed to the application server.
Perform the steps described in this section: Application Configuration: Compliance Manager on page 161.
After you finish configuring the Compliance Manager, deploy its .ear and .war files (28 Deploy the Suite applications on page 93) and then return here to continue with the next procedure.

37 Test the Suite applications
Summary
Ensure that you can perform basic functions in installed BMC Identity Management Suite applications. Requires the test user login ID and password.
Use the procedure that follows to verify that BMC Identity Management Suite was installed successfully.
1 Ensure that Enterprise SecurityStation processes (Router, database server, ESS Gateways, Orbix) are active.
2 On a computer with a TCP/IP link to the Front-end computer, start a Web browser and enter the following URL:
where:
hostname  Host name of the Front-end account computer
port      HTTPS Port number used by the Front-end

NOTE You have already determined the correct BMC Identity Management Suite URL in this step. See 26 Determine the Suite URL on page
3 Using the test user previously prepared, log in to the BMC Identity Management Suite.
4 Ensure that you are able to view, retrieve, and modify data in User Administration Manager. If Password Manager was installed, test the product functionality.
NOTE At this point, you cannot test the functionality of Compliance Manager, Web Access Manager, Identity Federation Manager, or Request Manager as additional configuration is required.

38 Additional configuration tasks
Summary
Before you deploy the product, be sure to do all of the following:
- Review Chapter 3: General Configuration
- Review the release notes for the individual products
- Review and perform all required procedures described in the separate administration books that you install
Performed by the IdM Suite Administrator.
Additional configuration procedures may be required. Before deploying the BMC Identity Management Suite, do all of the following:
1 Carefully review all of the configuration information for the BMC Identity Management Suite: Chapter 3, General Configuration
2 Carefully review the separate administration guide and release notes for each separate identity management product that you install (e.g., Password Manager) to learn about other additional installation and configuration steps that may be required.

39 Back up the installation directory
Summary
After installation and configuration is complete, make a backup of the entire installation directory and save it to a reliable medium.
Performed by the IdM Suite Administrator.
It is a good idea to make a backup of the entire installation directory and save it to a reliable medium after installation and configuration is complete. If any file is lost or corrupted, having a backup available may prevent the need to perform a reinstallation of the product.

40 Run the BMC Web Access Manager configuration wizard
Summary
This procedure is required if your IdM Suite includes Web Access Manager.
To be performed by the WAM Installation Administrator.
To run Configuration Manager, you must be logged in as Administrator on the computer where BMC Web Access Manager is installed. See the BMC Web Access Manager for .NET and J2EE AD (Active Directory) and ADAM (Active Directory Application Mode) Pre-Installation Requirements Guide, and refer to the Creation of the Directory User section for additional information.
Run the Web Access Manager Configuration wizard, as described in BMC Web Access Manager for J2EE Configuration Manager Guide, Chapter 2, BMC WAM Configuration Manager Access.
When WAM is integrated into the common UI, perform the following post-installation step:
1 Import your certificate to the ctsa.keystore as follows:
A From the Start menu, select Run and enter: cmd
B Change the directory to: c:\j2sdk \bin
C Enter the command to import the certificate. For example (the keystore path contains spaces, so it must be quoted):
keytool -import -file c:\certnew.cer -keystore "C:\Program Files\BMC\IdM\IdM_Suite_5.5\security\keystore\ctsa.keystore"

106 Post-installation D Enter the IdM Suite password. E Enter Y to accept the certificate. 41 Set up Person to configure BMC Web Access Manager Summary This procedure is required if your IdM Suite includes Web Access Manager. Performed by an administrator who can define Persons in the ESS Console and who has access and administrative privileges for the LDAP server to perform the ESS to WAM user mapping. When Web Access Manager is installed with the IdM Suite, configuration of Web Access Manager is performed using the IdM Suite Configuration Manager. The administrator who performs Web Access Manager configuration using the IdM Suite requires access rights and privileges in both the LDAP server and in the IdM Suite. This section describes how to set up the required accounts in each product and to map them so that the administrator has the necessary access rights and privileges to configure Web Access Manager. This section contains the following procedures: Set up Person to configure Web Access Manager Map ESS Person to Web Access Manager user Set up Person to configure Web Access Manager Using the ESS Console, prepare a new or existing Person to be used to configure Web Access Manager parameters using the IdM Suite Configuration Manager. Do the following: Ensure that the Person is connected to at least one Account in any Managed System. On the General tabbed page of the Person Properties window, ensure that Authentication Method is set to Trusted. 106 BMC Identity Management Suite Administrator Guide

107 Post-installation On the Applications tabbed page of the Person Properties window, ensure that the Configuration Manager check box is selected. Right-click in the Person Properties window and select Change Password from the pop-up menu. Enter a password for the Person. Map ESS Person to Web Access Manager user WARNING It is critical to control access to the mapping attribute in LDAP to reduce the risk of malicious users fraudulently affecting BMC Identity Management Suite access rights for themselves or others. If a WAM Administrator or delegated admin has the ability to alter the ESS Person mapping attribute in the directory, the WAM Administrator or delegated admin will have the capability to specify the ESS Person ID of a highly-privileged ESS Person. A malicious user could therefore fraudulently acquire a high level of access to the Suite. Use your directory service management tools to do the following: 1 Map the ESS Person set up above and the BMC Web Access Manager user as follows: A Create a new attribute in the directory schema on the directory server of the target system. For example, name the attribute ont-essuserid, where ont represents the name of the company deploying the IdM Suite (see Figure 5). Chapter 2 Installation 107

108 Post-installation Figure 5 New attribute associated to object class B Associate this new attribute with the ont-euser object class. C Set a directory-native access control entry that carefully limits the write (and possibly read) privileges to this attribute on the ont-euser object class. 2 Go to the BMC Web Access Manager user LDAP, and find the new BMC Web Access Manager user created during the Configuration process. 3 Add the ESS Person ID of the ESS Person to the newly-created attribute in the directory schema. For example: If the ESS Person ID is super, place this ID in the ont-essuserid field, where ont represents the name of the company deploying the IdM Suite (see Figure 6). 108 BMC Identity Management Suite Administrator Guide

Figure 6 Attribute mapping
4 Another option is to manually map each individual BMC Web Access Manager user by modifying all JSP pages related to the user to add the necessary fields needed to do the attribute mapping. (Modify those pages related to User Creation, Modification, Deletion, View and Migrate.)

42 Modify the glue-web-ui-config.xml file
Summary
This procedure is required if your IdM Suite includes Web Access Manager.
To be performed by the WAM Installation Administrator.
Modify the glue-web-ui-config.xml configuration file as described below.
1 Log in to the IdM Suite account server.
2 Back up the following file, and then open it in a suitable editor:
(Under Unix) $BMC_IDM_SUITE_HOME/glue_web/conf/glue-web-ui-config.xml
(Under Windows) %BMC_IDM_SUITE_HOME%\glue_web\conf\glue-web-ui-config.xml
3 Locate the line that begins with the following:
<action-in-case-of-non-https-request>
4 Make sure that the value is ignore, as follows:
<action-in-case-of-non-https-request> ignore</action-in-case-of-non-https-request>
5 Save and close glue-web-ui-config.xml.

43 Set up headers in Web Access Manager outside the Suite framework
Summary
This procedure is required if your IdM Suite includes BMC Web Access Manager.
To be performed by the BMC Web Access Manager Administrator.
1 Enter the following in the Address line of your Web browser:

111 Post-installation where signonurl is the BMC Web Access Manager sign-on URL, and JBPort is the JBoss application server port (do not use the webserver port). By default, the JBoss port is Enter your BMC Web Access Manager Administrator name (created during the Configuration process) and password and submit your credentials. You will receive an error that states the system either has incorrect or no header information and will not allow you access to the IdM Suite. 3 In the same browser, type in the URL for the BMC Web Access Manager UIM application with the JBoss port is the jboss/application server port. 4 Click the Go button for your Web browser. You are forwarded to the Policy Manager application for BMC Web Access Manager outside of the IdM Suite. 5 In the Policy Manager, click the Resources tab and select Modify (see Figure 7). Figure 7 Policy Manager application screen 6 Click Search. 7 In the Search Results screen, select Universal Identity Manager and Glue Suite (see Figure 8), and then click Modify. Chapter 2 Installation 111

112 Post-installation Figure 8 Policy Manager application - Search Results screen 8 In each of the two resources, scroll to the bottom of the resource page and enter two headers, iv-user and wam-userid in to the header field of the resource. As shown in Figure 9, the iv-user header must contain the custom attribute that you create in the LDAP of the IdM Suite instance you install. Figure 9 Custom Attribute The iv-user header is the information passed as a credential that contains the unattended ESS Person information to be mapped from the LDAP attribute to the unattended ESS Person. The example in Figure 10 displays the fields for the wam-userid header and the required settings for the wam-userid credentials. 112 BMC Identity Management Suite Administrator Guide

113 Post-installation Figure 10 Example As shown in this screen, the wam-userid header passes the DN qualifier attribute to the BMC Web Enforcement Agent for single sign-on authentication. Once you have added these headers to both the Glue Suite and UIM resources you are ready to install BMC Web Enforcement Agent. 9 Proceed with installation of the BMC Web Enforcement Agent, described in 44 Installing the Web Access Manager Enforcement Agent below. 44 Installing the Web Access Manager Enforcement Agent Summary Install the Web Access Manager Enforcement Agent after you have finished installing and configuring Web Access Manager, and after you have created a WAM Administrative user. Performed by the IdM Suite Administrator. If you are deploying the BMC Web Access Management solution, you must now install the BMC Web Access Management Enforcement Agent. WARNING Web Access Manager must be installed, configured, and you must also create an Administrative User before you install the Web Access Manager Enforcement Agent. Failure to do so may prevent you from accessing any protected Web applications. The Web Access Management Enforcement Agent software is on a separate CD and is included as an integral component of the BMC Identity Management Suite. Chapter 2 Installation 113

114 Post-installation The Enforcement Agent CD also contains the following related books: BMC Web Enforcement Agent Administrator Guide BMC Web Enforcement Agent Installation and Configuration Guide BMC Web Enforcement Agent Release Notes After you install the BMC Web Enforcement Agent, you are ready to access the IdM Suite inside the IdM Suite framework. 1 Enter the IdM Suite URL into your Web browser (now, through the webserver proxy port). 2 Enter the credentials of your BMC Web Access Manager user. You will have access to the IdM Suite. 45 Web SSO proxy configuration Summary This procedure is required for securing the BMC Identity Management Suite when using Web Single Sign-On (SSO) in proxy mode (such as BMC Web Access Manager). Performed by the IdM Suite Administrator and the system administrator. (Applicable only when using a Web SSO authentication system). This procedure is required for securing the BMC Identity Management Suite when using Web Single Sign-On (SSO) in proxy mode (such as BMC Web Access Manager). SSO is a web access control solution that performs authentication for Suite users. For detailed information about configuring BMC Web Access Manager, refer to the Web Access Manager manuals listed in the section: Related publications on page 16. To verify that you have configured the Suite to use trusted login 1 Log in to the Front-end and open the following file in a text editor: $BMC_IDM_SUITE_HOME/glue_web/conf/glue-web-ui-config.xml 2 Verify that the tag <trusted-login-by> header </trusted-login-by> contains either the value header or remoteuser. 114 BMC Identity Management Suite Administrator Guide
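Steps 42 and 45 both edit or inspect glue-web-ui-config.xml by hand. The following added example (not part of the BMC product) audits the two elements those steps name, reporting whether the values match what is required when the Suite sits behind a Web SSO proxy; the sample file is constructed, and the elements are looked up anywhere in the tree because the guide does not show the file's full structure.

```python
"""Audit the glue-web-ui-config.xml settings touched by steps 42 and 45.

Added example, not part of the BMC Identity Management Suite. Only the two
element names and their expected values come from the guide; the sample
file is constructed, and elements are looked up anywhere in the tree
because the guide does not show the file's full structure (assumption).
"""
import xml.etree.ElementTree as ET
from typing import List, Optional

NON_HTTPS_ELEMENT = "action-in-case-of-non-https-request"   # step 42: must be "ignore"
TRUSTED_LOGIN_ELEMENT = "trusted-login-by"                 # step 45: "header" or "remoteuser"
TRUSTED_LOGIN_VALUES = ("header", "remoteuser")

# Constructed sample reproducing the padded values the guide shows.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<glue-web-ui-config>
  <action-in-case-of-non-https-request> ignore</action-in-case-of-non-https-request>
  <trusted-login-by> header </trusted-login-by>
</glue-web-ui-config>
"""


def read_setting(root: ET.Element, name: str) -> Optional[str]:
    """Trimmed, lower-cased text of the first element called `name`, or None if absent."""
    elem = root if root.tag == name else root.find(f".//{name}")
    if elem is None:
        return None
    return (elem.text or "").strip().lower()


def audit_config(xml_text: str, web_sso_mode: bool) -> List[str]:
    """Return FAIL/WARN/INFO findings for one glue-web-ui-config.xml file.

    web_sso_mode=True: the Suite sits behind a Web SSO proxy such as the WAM
    Enforcement Agent, so the values from steps 42 and 45 are required.
    web_sso_mode=False: users reach the Suite directly; the guide warns that
    trusted login with direct access lets unauthorized users bypass the
    Suite's security mechanisms.
    """
    root = ET.fromstring(xml_text)
    non_https = read_setting(root, NON_HTTPS_ELEMENT)
    trusted = read_setting(root, TRUSTED_LOGIN_ELEMENT)
    findings: List[str] = []

    if web_sso_mode:
        if non_https != "ignore":
            findings.append(f"FAIL: <{NON_HTTPS_ELEMENT}> is {non_https!r}; step 42 requires 'ignore'")
        if trusted not in TRUSTED_LOGIN_VALUES:
            findings.append(f"FAIL: <{TRUSTED_LOGIN_ELEMENT}> is {trusted!r}; "
                            "step 45 requires 'header' or 'remoteuser'")
        else:
            findings.append(f"INFO: trusted login by {trusted} is active; direct access to the "
                            "Suite host and port must be blocked (step 45)")
    elif trusted in TRUSTED_LOGIN_VALUES:
        findings.append(f"WARN: <{TRUSTED_LOGIN_ELEMENT}> is {trusted!r} but no Web SSO proxy "
                        "fronts the Suite; step 45 only allows trusted login behind a proxy "
                        "with direct access blocked")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG, web_sso_mode=True):
        print(finding)
```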

If you have configured the BMC Identity Management Suite to operate in Web SSO mode, you must ensure that only authorized applications can log in and access the Suite. Your system administrator is required to block end-users (browsers), and other applications, from directly accessing the Suite via its host or port. All requests should be routed by the Web Access proxy such as BMC WAM Enforcement Agent before they are passed to the BMC Identity Management Suite.
WARNING Failure to block direct access to the Suite may allow system attacks that can result in unauthorized users bypassing the Suite security mechanisms and breaching the security of the enterprise.
The Suite ports were configured as you specified under the installation prompts Application server parameters of the Suite installation procedure. If you want, you can run the command idm_tools suite_url to verify the Suite host name and port. For more information, see Displaying the Suite URL on page 171.
Best practices solutions to block direct requests to the Suite include the following:
- Use a firewall to limit network traffic before it reaches the BMC Web Access Manager Enforcement Agent. For detailed descriptions and configuration instructions, refer to your firewall reference manuals.
- Configure the BMC Identity Management Suite application server to allow requests only from authorized applications. For detailed descriptions and configuration instructions, refer to your J2EE application server reference manuals.

Uninstalling the BMC Identity Management Suite
Summary
An uninstall application enables you to select any or all BMC Identity Management Suite components to uninstall. A graphical wizard and a command-line script are available. The components deployed on the application server must be undeployed manually.
Performed by the IdM Suite Administrator.

Use the procedure that follows to uninstall the BMC Identity Management Suite products and components. In a distributed deployment of the BMC Identity Management Suite, undeploying the application components and running the uninstall script must be performed separately on each server.
The BMC Identity Management Suite uninstall wizard is available in two different forms:
- Graphical user interface
- Command-line prompts
The uninstall wizard uninstalls Suite components from the Suite home directory (the directory you selected during product installation). As a separate step, you must manually undeploy the relevant components from the application server.
WARNING The installation account(s) were required to be exclusively dedicated to the Suite. See 4 Create the product installation account(s) on page 40. When you uninstall all of the Suite components (either as a complete uninstall or by individually uninstalling all components) all files are removed from the Suite home directory ($BMC_IDM_SUITE_HOME). For example, if you installed a DB client in the Suite installation directory, it should not be used by any application other than the Suite, because when you uninstall all of the Suite components the DB client will also be removed.

To uninstall the BMC Identity Management Suite
1 Manually undeploy components from the application server: Log into the JBoss account and manually undeploy the relevant application components.
Partial uninstall: Remove the contents of the tmp and work directories:
$JBOSS_HOME/server/idm/tmp
$JBOSS_HOME/server/idm/work
Be sure to also remove the application components you want uninstalled.
Full uninstall: Remove all contents of the idm directory:
$JBOSS_HOME/server/idm

2 Log in to the account where you want to perform the uninstall procedure.
NOTE In a distributed deployment, you must run the uninstall script in both the Front-end and Back-end accounts.
3 UNIX: For a graphical wizard, if you have not set the DISPLAY variable, enter the following command:
setenv DISPLAY localipaddress:0.0
where localipaddress is the IP address where your X server is running (typically the IP address of your PC).
4 Enter the following command to start the uninstall procedure:
For UNIX:
$BMC_IDM_SUITE_HOME/uninstall/_uninstall_main/uninstall_suite.bin
NOTE If you want, you can run the uninstall procedure in either of these modes:
Console mode: uninstall_suite.bin -console
Silent mode (i.e., no prompts and all components in that account are uninstalled): uninstall_suite.bin -silent
For Windows (always uses a graphical wizard):
%BMC_IDM_SUITE_HOME%\uninstall\_uninstall_main\uninstall_suite.exe
You can start the uninstall wizard by either of the following methods:
- Control Panel => Add/Remove programs
- Start Menu => Programs => Identity Management Suite => 5.5 => Uninstall
At each wizard screen, or command-line prompt, enter the appropriate response. The following products and components can be uninstalled.
Select the items you want to uninstall:
[]-1 Open Services

[]-2 Compliance Manager Back-end
[]-3 Workflow Database Schema
[]-4 User Administration
[]-5 Password Manager
[]-6 Compliance Manager Front-end
[]-7 Identity Request Manager
Select one of the above, or 0 to proceed: [0]
5 Enter the number of the component you want to uninstall. The list will redisplay with the component selected.
6 Keep selecting the components you want, and then enter 0 to proceed.
7 The following prompt is displayed:
Press 1 for Next, 2 for Previous, 3 to Cancel or 5 to Redisplay [1]
Enter 1. The uninstall procedure proceeds until completion.
8 (Optional: only if you uninstall all Suite components) Use an ESS Console (or another ESS client), in the ESS Global parameters window, to clear the Enable Common UI check box. If you clear Enable Common UI, ESS administrators will have to log in using their previous ESS administrator password (not with the Person password).

Chapter 3 General Configuration

This chapter describes how to perform BMC Identity Management Suite configuration procedures. The following topics are discussed in this chapter:

- General configuration issues
- Authorization needed to perform configuration tasks
- Starting/stopping the BMC Identity Management Suite
- Scope of configuration changes
- Overview of the BMC Identity Management Suite keystores
- Overview of the Suite Configuration application
- Summary: Suite Configuration options
- Using the Suite Configuration application
- Security and Authentication: Unattended Administrators
- Security and Authentication: System Passwords
- Security and Authentication: ESS Login Profile
- Security and Authentication: Suite Keystores
- Security and Authentication: External Authentication
- Security and Authentication: Authentication Method
- What is a trusted third-party login method?
- Configuring the authentication method
- Maintenance: Components Info
- Maintenance: Components Status
- Maintenance: Collect Logs
- Application Configuration: Form Generator
- Application Configuration: Manage ESS Global Parameters
- Application Configuration: Compliance Manager
- Application Configuration: Workflow Schema
- Application Configuration: Request Manager
- Application Configuration: CDM Applications
- Application Configuration: Web Access and Federation
- Create/import/delete the ESS Shared Secret
- Generate a new ID number for the Suite certificates
- Displaying the Suite URL
- Enabling a BMC Identity Management Suite user
- Create the Persons in ESS
- Enable use of each product
- Set the initial password for the user
- Additional product-specific configuration requirements
- Setting the initial password of users
- Setting initial passwords using the Update command
- Forcing users to change their initial password
- Setting initial passwords using the Change password command
- Allow login with empty password
- Configure initial challenges and responses
- Disabling a BMC Identity Management Suite user
- Configuring password-change synchronization
- Configuring ESS Global parameters
- Managing the Session
- Enabling cookies
- Setting the session time-out interval
- Setting the default tabbed page
- Configuring log file attributes
- Viewing individual log files
- Setting log file attributes
- Configure cryptographic algorithms and key aliases
- Configure the System password: temporary or permanent
- Implement a non-SSL connection in a distributed deployment
- Connection Pool Size
- Discovery files
- Configure SSO links for change password and log off

BMC Software recommends that you review this entire chapter before deploying the product.

General configuration issues

This section discusses several general topics to review before performing any configuration procedures:
- Authorization needed to perform configuration tasks
- Starting/stopping the BMC Identity Management Suite
- Scope of configuration changes

Authorization needed to perform configuration tasks

This section describes the authorization requirements needed to perform the configuration tasks described in this chapter.

Enabling use of the Suite Configuration application tabbed page: To learn how to enable a BMC Identity Management Suite user with authorization to use the Suite Configuration application, see Enabling a BMC Identity Management Suite user on page 172.

Starting and stopping the BMC Identity Management Suite: Start and stop scripts are provided for installations of the BMC Identity Management Suite. Running the start/stop scripts requires providing the System password and requires IdM Suite Administrator permissions: login credentials (user name and password) for the product installation account or accounts. For more information, see Starting/stopping the BMC Identity Management Suite on page 121.

NOTE IdM Suite Administrator is the name of the role of the person who is responsible for installing, administering, and maintaining the BMC Identity Management Suite products. For more information, see 4 Create the product installation account(s) on page 40.

Enabling new BMC Identity Management Suite users: Each new BMC Identity Management Suite user needs an updated Person entity record in the Enterprise SecurityStation database. To update other Person entities, the User Administration Manager user who is performing this operation must have his/her Person record connected to an ESS administrator that has permissions to update other Person records. For more information, see Enabling a BMC Identity Management Suite user on page 172. The updates can be performed using the User Administration Manager, the ESS Console, or one of the ESS command-line utilities (e.g., batchrun). For more information, see Enabling a BMC Identity Management Suite user on page 172.

Starting/stopping the BMC Identity Management Suite

To see how to start and stop the BMC Identity Management Suite, see Chapter 5, Operation. Some configuration activities (e.g., configuring ports) require stopping and restarting the BMC Identity Management Suite.

Scope of configuration changes

All BMC Identity Management Suite users are affected by the configuration changes that are described in this chapter. For example, if you change the BMC Identity Management Suite session time-out interval, or the default authentication Web page for logging in, the changes affect all users. If a configuration activity affects only individual Persons, this is indicated in its description.

Overview of the BMC Identity Management Suite keystores

This section provides a description of the keystores used by the BMC Identity Management Suite.

Keystore definition: A keystore is a secure, password-protected database used for creating and managing private keys and their certificate files (X.509 certificate chains used to authenticate their corresponding public keys). A keystore can also be used to import and manage the public key certificates belonging to other trusted entities.

Keystores used in the BMC Identity Management Suite:
- One account: If the BMC Identity Management Suite is installed under one user account (i.e., a typical installation), the installation procedure creates a single Suite keystore (with a prompt asking you to supply a System password).
- Two accounts: If you deploy the BMC Identity Management Suite under two user accounts (Front-end and Back-end accounts), a separate Suite keystore is installed for each account (i.e., one keystore per account).

NOTE All passwords that you create for any of the keystores should be unique.

System password

The System password is used for these purposes:
- The Suite keystore password
- The password you are required to supply as an argument when using many of the Suite Configuration application options
- The password you are required to supply as an argument when running the JBoss start script. For more information, see Starting/stopping the BMC Identity Management Suite on page 121.

Keystore entries

The BMC Identity Management Suite performs tasks that require digital signatures and authentication services. The keystores contain the following key entries:
- Digital signing key
- Authentication key
- Compliance Manager key
- CDM key

Figure 11 provides an overview of the placement of certificates in keystore files.

Figure 11 Transfer of certificates between the Front-end and Back-end servers

The actions represented by the labels in Figure 11 are described below:

A The Front-end Suite keystore authentication public key certificate is generated and exported automatically during product installation. A new Authentication key can be generated and the certificate exported using the Suite Configuration application.

B For a two-server deployment, the Front-end Suite keystore public key certificate must be manually imported into the Back-end Suite keystore.

C The Back-end JBoss public key certificate is generated and exported automatically during product installation. A new Authentication key can be generated and the certificate exported.

D For a two-server deployment, the Back-end JBoss public key certificate must be manually imported into the Front-end Suite keystore.
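The exchange labelled A to D above, worked through with the JDK keytool as an added example that is not part of the BMC guide or the Suite's own scripts. The keystore file names, the "authkey" alias, the peer aliases, the System passwords and the certificate DNs are all constructed for the demo; the real Suite keystore layout is not shown on this page.

```shell
#!/bin/sh
# Added example, not part of the BMC guide: reproduces the Figure 11 exchange
# (export each account's authentication certificate, import it into the peer's
# Suite keystore) with the JDK keytool on two throwaway keystores.
# Constructed for this demo and not taken from the page: the keystore file
# names, the alias "authkey", the peer aliases, the System passwords and DNs.
set -eu

# Create a keystore holding an authentication key pair, as the installer does
# for one account.  $1 keystore file, $2 System password, $3 certificate CN.
make_suite_keystore() {
    keytool -genkeypair -alias authkey -keyalg RSA -keysize 2048 \
        -dname "CN=$3, O=IdM Suite lab" -validity 365 -storetype JKS \
        -keystore "$1" -storepass "$2" -keypass "$2" >/dev/null 2>&1
}

# Export the authentication public key certificate (steps A and C).
# $1 keystore file, $2 System password, $3 output certificate file.
export_auth_cert() {
    keytool -exportcert -alias authkey -rfc -file "$3" \
        -keystore "$1" -storepass "$2" >/dev/null 2>&1
}

# Import the peer's certificate as a trusted entry (steps B and D).
# $1 keystore file, $2 System password, $3 alias for the entry, $4 cert file.
import_peer_cert() {
    keytool -importcert -noprompt -alias "$3" -file "$4" \
        -keystore "$1" -storepass "$2" >/dev/null 2>&1
}

# Print the certificate fingerprint keytool reports for one alias, so the
# trusted copy can be checked against the originating key rather than
# trusting file names.  $1 keystore file, $2 System password, $3 alias.
fingerprint_in_store() {
    keytool -list -keystore "$1" -storepass "$2" -alias "$3" 2>/dev/null |
        awk '/fingerprint/ { print $NF; exit }'
}

# Run the whole exchange inside directory $1 and verify that each keystore's
# trusted entry carries the same certificate as the peer's own key.
demo_exchange() {
    dir=$1
    fe="$dir/frontend-suite.jks"
    be="$dir/backend-suite.jks"
    fe_pw='FrontEndSystemPw-demo'   # constructed System password
    be_pw='BackEndSystemPw-demo'    # constructed System password

    make_suite_keystore "$fe" "$fe_pw" frontend.lab.example
    make_suite_keystore "$be" "$be_pw" backend.lab.example

    export_auth_cert "$fe" "$fe_pw" "$dir/frontend-auth.cer"                # A
    import_peer_cert "$be" "$be_pw" frontend-auth "$dir/frontend-auth.cer"  # B
    export_auth_cert "$be" "$be_pw" "$dir/backend-auth.cer"                 # C
    import_peer_cert "$fe" "$fe_pw" backend-auth "$dir/backend-auth.cer"    # D

    # An empty or mismatched fingerprint means the wrong certificate (or
    # none) was imported on that side.
    fe_fp=$(fingerprint_in_store "$fe" "$fe_pw" authkey)
    be_fp=$(fingerprint_in_store "$be" "$be_pw" authkey)
    [ -n "$fe_fp" ] && [ -n "$be_fp" ] || return 1
    [ "$fe_fp" = "$(fingerprint_in_store "$be" "$be_pw" frontend-auth)" ] || return 1
    [ "$be_fp" = "$(fingerprint_in_store "$fe" "$fe_pw" backend-auth)" ] || return 1
    echo "exchange verified: each keystore trusts the peer's authentication certificate"
}

# Stand-alone run: sh keystore_exchange.sh run
if [ "${1:-}" = run ]; then
    work=$(mktemp -d)
    demo_exchange "$work"
    rm -rf "$work"
fi
```

The same fingerprint comparison, run with keytool -list against the real Front-end and Back-end Suite keystores, is a quick way to confirm steps B and D were completed after a key is regenerated.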

Overview of the Suite Configuration application

This section provides an overview of the Suite Configuration application. The Suite Configuration application is a Web-based tool used for these purposes:
- After installation, but before using the BMC Identity Management Suite, you can fine-tune the default configuration.
- In a production environment, you can use the utility to modify configuration parameters.

For a detailed description of the configuration tasks, see Using the Suite Configuration application on page 130. The main welcome screen (Figure 12) is accessed by clicking the Suite Configuration tab.

NOTE The entries in the main welcome screen vertical navigation panel will vary if you have only installed the Web Access Manager. This is because no configuration related to Enterprise SecurityStation is required.

Figure 12 Suite Configuration application: main welcome screen

Summary: Suite Configuration options

The following tables summarize the options available in the Suite Configuration navigation pane. Detailed procedures are cross-referenced.

Table 11 Security and Authentication (Part 1 of 3)

Option: Unattended Administrators
Description: Registers the unattended ESS administrator and the unattended Persons with the BMC Identity Management Suite. These entities are used by Open Services and by Suite applications to perform operations in the ESS database. The unattended ESS administrator is initially created and registered during the BMC Identity Management Suite installation procedure. For more information, see 9 Create an ESS administrator for the unattended administrator for Open Services on page 53 and Security and Authentication: Unattended Administrators on page 131.

Option: System Passwords
Description: Changes the Suite keystore password, called the System password. The System password is initially created during the BMC Identity Management Suite installation procedure. Note: In a distributed environment there will be a different System password for each server. For more information, see Security and Authentication: System Passwords on page 141 and Overview of the BMC Identity Management Suite keystores on page 122.

Option: ESS Login Profile
Description: Updates an ESS Login Profile. An ESS Login Profile is a file containing the parameters for connecting the BMC Identity Management Suite Back-end applications (e.g., Identity Open Services) to a specific installation of Enterprise SecurityStation. You must have an ESS Login Profile for each Enterprise SecurityStation installation to which you want to connect. A single ESS Login Profile is created during the BMC Identity Management Suite installation procedure. A separate wizard is also available to create, delete, and update ESS Login Profiles. For more information, see Security and Authentication: ESS Login Profile on page .

Table 11 Security and Authentication (Part 2 of 3)

Option: Suite Keystores
Description: Manages these operations using the Suite keystore:
- Updates the authentication and signing keys and sets their lifetimes
- Exports an authentication certificate
- Imports an authentication certificate
- Lists the entries of keys and certificates
An authentication key and a signing key are created during the BMC Identity Management Suite installation procedure. Note: In a distributed environment there will be a different Suite keystore for each server. For more information, see Security and Authentication: Suite Keystores on page 150.

Option: External Authentication
Description: Enables the BMC Identity Management Suite to work with a third-party LDAP external authentication system (EAS). For more information, see Security and Authentication: External Authentication on page 154 and Appendix B, External LDAP authentication.

Table 11 Security and Authentication (Part 3 of 3)

Option: Authentication Method
Description: Enables you to update several attributes related to logging in:
- You can select whether or not to use a BMC Identity Management Suite login screen. The use of some products with the Suite (e.g., Single Sign-on) eliminates the need to display any of the Suite's login screens.
- You can select to display 'All' ESS Login Profiles on the login screen in a drop-down list. If you select a specific ESS Login Profile, no ESS Login Profile is displayed to the end user, and the single Login Profile you select is always used.
- You can optionally enforce the requirement that end users must use secured https requests.
- You can allow the propagation of Suite login password changes to all other accounts of the user. (ESS Global parameters must also be configured for password propagation.)
During the BMC Identity Management Suite installation procedure, authentication login screens are initially selected. For more information, see Security and Authentication: Authentication Method on page 154.

Table 12 Maintenance

Option: Components Info
Description: Lists the installed product names, version numbers, and Smart Numbers. For more information, see Maintenance: Components Info on page 158.

Option: Components Status
Description: Displays the status of the products: either up or down. For more information, see Maintenance: Components Status on page 158.

Option: Collect Logs
Description: Gathers and packs files for technical support. For more information, see Maintenance: Collect Logs on page .

Table 13 Application Configuration (Part 1 of 2)

Option: Form Generator
Description: Runs the (Front-end server) Form Generator for a specific ESS installation. The Form Generator is run during the BMC Identity Management Suite installation procedure. It must be run whenever any Web presentation fields (i.e., ESS keywords) are created, modified, or deleted (and on other specified events). Requires the login name of an ESS administrator who is authorized to view all keywords in Enterprise SecurityStation. For more information, see Application Configuration: Form Generator on page 159.

Option: Manage ESS Global Parameters
Description: ESS Global Parameters are used to set many different types of important configuration parameters, including:
- General configuration
- ESS login
- Global login policy
- Password strength and policy
- Challenges-responses
- Self-service
- Provisioning rules
For more information, see Application Configuration: Manage ESS Global Parameters on page 161.

Option: Compliance Manager
Description: Sets and modifies configuration parameters for the Compliance Manager. For more information, see Application Configuration: Compliance Manager on page 161.

Option: Workflow Schema
Description: Enables you to configure Workflow Schema. This is a prerequisite before configuring the Request Manager. For more information, see Application Configuration: Workflow Schema on page 164.

Option: Request Manager
Description: Enables you to configure Workflow Schema. Configuring Workflow Schema is a prerequisite before configuring the Request Manager. For more information, see Application Configuration: Request Manager on page 165.

Table 13 Application Configuration (Part 2 of 2)

Option: CDM Applications
Description: Enables you to configure CDM Applications. For more information, see Application Configuration: CDM Applications on page 166.

Option: Web Access and Federation
Description: Enables you to configure Web Access and Federation. For more information, see Application Configuration: Web Access and Federation on page 166.

Using the Suite Configuration application

This section describes in detail how to perform configuration tasks using the Suite Configuration application. These configuration procedures are performed for the following purposes:
- After the installation procedure, but before using the BMC Identity Management Suite, you can fine-tune the default configuration parameters and other configuration parameters you set during installation.
- While the BMC Identity Management Suite is in a production environment, you can use the utility to perform many different, useful configuration tasks.

For an overview of the tasks you can perform, see Overview of the Suite Configuration application on page 125.

NOTE Many of the tasks that can be performed in the Suite Configuration application can also be performed using a command-line utility called idm_tools. Where a line command is available, it is noted in the description. Using a line command can be useful for troubleshooting if the Suite Configuration application cannot be displayed.

The following topics are discussed in this section:
- Security and Authentication: Unattended Administrators
- Security and Authentication: System Passwords
- Security and Authentication: ESS Login Profile
- Security and Authentication: Suite Keystores
- Security and Authentication: External Authentication
- Security and Authentication: Authentication Method
- Maintenance: Components Info
- Maintenance: Components Status
- Maintenance: Collect Logs
- Application Configuration: Form Generator
- Application Configuration: Manage ESS Global Parameters
- Application Configuration: Compliance Manager
- Application Configuration: CDM Applications
- Application Configuration: Workflow Schema
- Create/import/delete the ESS Shared Secret

Security and Authentication: Unattended Administrators

Overview

There are two types of unattended administrators: the unattended ESS administrator for Identity Open Services, and the one or more unattended Person(s) used for specific applications.

Unattended ESS administrator: used to perform actions in the ESS database for Identity Open Services. These are general actions across applications.

NOTE The unattended ESS administrator for Identity Open Services is created in two steps:
- First: it is created as a prerequisite to running the installation script. See 9 Create an ESS administrator for the unattended administrator for Open Services on page 53.
- Second: during the installation procedure you are prompted to register the unattended ESS administrator with the BMC Identity Management Suite. The Suite Configuration application also provides an alternative method to register the unattended ESS administrator with the BMC Identity Management Suite.

Unattended Persons: used to perform actions for BMC Identity Management Suite users in the ESS database for a specific Suite application. The BMC Identity Management Suite uses an unattended Person for the User Administration Manager, another unattended Person for the Compliance Manager Back-end (only required if the Compliance Manager is installed), and another for the BMC Identity Request Manager (only required if the Request Manager is installed). Each unattended ESS Person must also be connected to an ESS administrator that has appropriate permissions.

NOTE The unattended Person(s) are created in two steps:
- First: they are created as a prerequisite to running the installation script. See 10 Create the Person(s) and ESS administrator(s) for the unattended Persons on page 54.
- Second: you must later run the Suite Configuration application to register the unattended Person(s) with the BMC Identity Management Suite.

Create the unattended ESS administrator for Identity Open Services

Perform these tasks:
- Create the ESS administrator in the ESS database. (Note: this is performed as an installation prerequisite: 9 Create an ESS administrator for the unattended administrator for Open Services on page 53.)
- Run the command: idm_tools admins. Usually it will not be necessary to use the idm_tools command to register the unattended ESS administrator. During the installation procedure, using the wizard or command line, you are prompted to register the unattended ESS administrator with the Suite.
- (Only for ESS Login Profiles other than the Login Profile to which you are currently connected) Run the Suite Configuration => Unattended Administrators option.

NOTE You cannot use the Web-based Suite Configuration tab to modify the unattended ESS administrator for the ESS Login Profile to which you are currently connected. If you have no other ESS Login Profiles defined, you will get an error message.

You can also use the Suite Configuration application to replace or delete an unattended administrator used to connect to a different ESS Login Profile.

Create the ESS administrator

1 In an ESS Console, create an ESS Administrator for Identity Open Services that has the permissions shown in Table 14.

NOTE Use the ESS Console to perform this task. The User Administration Manager application does not support creating ESS Administrators, assigning ESS administrator permissions, or connecting Persons to ESS Administrators. For more information about creating ESS Administrators and assigning them permissions, see the Enterprise SecurityStation Console Administration Guide.

Table 14 Permissions needed for the unattended administrator
(columns: Entity; Access Rule; ESS Admin_Connection)

Global parameters
  Access Rule: Access all entity records
  ESS Admin_Connection: Rule type (View): details
Person
  Access Rule: Rule type (View): Access all entity records; Rule type (Modify): Access all entity records
  ESS Admin_Connection: Rule type (View): details; Rule type (Modify): Update, Change password, Restore
Account
  Access Rule: Rule type (View): Access all entity records; Rule type (Modify): Modify, Access all entity records
  ESS Admin_Connection: Rule type (View): details; Rule type (Modify): Update, Change password, Restore
Managed System
  Access Rule: Rule type (View): Access all entity records
  ESS Admin_Connection: Rule type (View): details
Managed System Type
  Access Rule: Rule type (View): Access all entity records
  ESS Admin_Connection: Rule type (View): View details
ESS Administrator
  Access Rule: Rule type (View): Access all entity records
  ESS Admin_Connection: Rule type (View): details
Keyword
  Access Rule: Rule type (View): Access all entity records
  ESS Admin_Connection: Rule type (View): details
Audit, Managed System Administrator
  Access Rule: Rule type (View): Access all entity records
  ESS Admin_Connection: Rule type (View): details

When implementing the password synchronization facility in Enterprise SecurityStation, or when installing Password Manager, the ESS administrator must be connected to a Managed System Administrator entity in each Managed System where passwords for Persons' Accounts will be changed.

WARNING It is highly recommended that you dedicate this ESS Administrator solely to the purpose of functioning as the unattended ESS Administrator.

2 (ESS 3.3 only) In the Person record that is connected to the ESS Administrator, set the (General tab) Authentication Method to: trusted.

3 In the Person record that is connected to the ESS Administrator, select the (Password Manager tab) Password Never Expires check box.

4 Using batchrun or EssClient, enter the following command to update the password of the Person (ent_user) that is connected to this ESS administrator.

NOTE The UPDATE command can be used only when the ESS Global Parameter Enable Common UI Login is cleared. The update password command will fail if the check box is selected. For more information, see 13 Enable the Common UI Login parameter on page 58.

The command to update a Person's password is as follows:

UPDATE ent_user WITH user_id=userid SET 99 CURRENT_PASSWORD=password 99 LAST_PWD_UPDATE= yyyymmdd SET_ENCRYPT=1;

Replace yyyymmdd with the current date. Replace password with a password identical to the ESS administrator password. For example:

UPDATE ent_user WITH user_id=sl001 SET 99 CURRENT_PASSWORD=abcdef 99 LAST_PWD_UPDATE=" " SET_ENCRYPT=1;

For more information about line commands, see the Enterprise SecurityStation Administration Guide.

5 If you are currently installing the BMC Identity Management Suite, do not perform the registration step using the Suite Configuration tab, because you will register the unattended ESS administrator in the installation wizard (or by the installation command-line procedure). If you are setting up an unattended ESS administrator after installation, for example to connect another ESS server to the Suite, then do the following:

Register the unattended ESS administrator in the BMC Identity Management Suite by running the Suite Configuration => Unattended Administrators option described in the next section.

Run the Suite Configuration: Unattended Administrators option

After you create the unattended ESS administrator in the ESS database and assign it permissions, you must register it with the Suite. During the installation procedure, using the wizard or command line, you are prompted to register the unattended ESS administrator for Identity Open Services with the Suite. There is no need to register it using the Suite Configuration application after installation. The following procedure is only applicable for replacing or deleting unattended ESS Administrators that were defined for other, non-current, connections to an Enterprise SecurityStation. If you need to register an unattended ESS Administrator with the ESS Login Profile to which you are currently connected, you must use a line command (idm_tools admins).

NOTE You cannot use the Web-based Suite Configuration tab to modify the unattended ESS Administrator for the ESS Login Profile to which you are currently connected. If you have no other ESS Login Profiles defined, you will get an error message.

To register the unattended ESS administrator with the Suite

1 In the Suite Configuration tab, click Security and Authentication => Unattended Administrators.

2 In the Unattended Administrators welcome page, click BMC Identity Open Services. A Web page dialog is displayed.

3 Enter the Back-end System password.

4 Select the ESS Login Profile to which you want to connect.

5 Click Create. A Web page dialog is displayed.

6 Enter the ESS Admin ID. You will have to enter the password only with ESS version . ESS 3.3 or later does not require the ESS admin password.

Table 15 Define unattended ESS administrator

Parameter: Admin ID
Description: The value specified for the field ESS Login Name in the ESS Administrator Properties window for this unattended Administrator.

Parameter: ESS Admin password
Description: If the installation of Enterprise SecurityStation is , then you must enter the password of the ESS administrator. If the ESS version is or later, you do not have to enter the ESS administrator password.

The unattended ESS administrator for Identity Open Services is registered with the BMC Identity Management Suite in the following file:

$BMC_IDM_SUITE_HOME/open_services/conf/unattended-admin-config.xml

NOTE Create only one unattended ESS administrator for a given ESS Login Profile. If you attempt to create more than one, the existing unattended ESS administrator is removed.

Line command (Optional)

Instead of using the Suite Configuration UI, if you log in to the Back-end you can run the following command:

idm_tools admins

Follow the instructions displayed in the prompts.

Create the unattended ESS Persons for applications

The procedure provided in this section describes how to create and register an unattended Person for each of these applications:
- User Administration Manager
- Compliance Manager Back-end (required only if you installed the Compliance Manager)
- Request Manager (required only if you installed the Request Manager)

If you install all of these applications, the procedure must be performed once for each product to create and register a total of three unattended ESS Persons.

WARNING It is highly recommended that you dedicate the Person and connected ESS Administrator only for the purpose of being used as the unattended Person.

Perform both of these tasks:
- Create the unattended Person and connected ESS administrator in the ESS database. (Note: this is performed as an installation prerequisite: 10 Create the Person(s) and ESS administrator(s) for the unattended Persons on page 54.)
- Run the Suite Configuration => Unattended Administrators option. (Note: this must be performed using the Suite Configuration application. There are no prompts for registering the unattended Person during the installation procedure.)

Create the unattended Person and connected ESS administrator

1 Create a Person using either ESS Console or batchrun. The Person must have the following properties set:
- (ESS 3.3 only) Authentication Method: trusted
- Password Never Expires: select the check box

2 The ESS batchrun utility must be used to assign the Person a password. For more information about batchrun commands, see the Enterprise SecurityStation Administration Guide. You must use the appropriate command depending on the Enterprise SecurityStation version at your site.

ESS version (example):

INSERT ent_user WITH user_id="330846" SET user_name="silentperson", PWD_NEVER_EXPIRES = "1";
UPDATE ent_user WITH user_id = "330846" SET CURRENT_PASSWORD="ess18942" 99 LAST_PWD_UPDATE="yyyymmdd" SET_ENCRYPT=1;

NOTE Replace yyyymmdd with the current date. It is essential to set this Person's password to Never Expires.

ESS version 3.3 (example):

INSERT ent_user WITH user_id="330846" SET user_name="silentperson", PWD_NEVER_EXPIRES = "1" auth_method = "Trusted";

NOTE No password is needed.

3 For the Person you have created, create a connected ESS administrator. You can use ESS Console to create and connect the ESS Administrator. Assign it the permissions that are specified in Table 16.

Table 16 Permissions needed for the unattended ESS Persons (Part 1 of 2)

Product: BMC User Administration Manager
Permissions: The User Administration Manager is usually installed as an integral component of BMC Identity Management Suite solutions. (An exception is a standalone installation of Web Access Manager, which does not require the User Administration Manager.) You must connect the unattended Person for the User Administration Manager to an ESS administrator that has these permissions:
- View All

Product: BMC Identity Compliance Manager
Permissions: Compliance Manager is one of the optionally installed BMC Identity Management Suite applications. If you plan to install Compliance Manager, you must connect the unattended Person for Compliance Manager to an ESS administrator that has these permissions:
- View Persons
- View Profiles
- View ESS Administrators
- View Audit

Table 16 Permissions needed for the unattended ESS Persons (Part 2 of 2)

Product: BMC Request Manager
Permissions: The Request Manager is one of the optionally installed BMC Identity Management Suite applications. If you plan to install the Request Manager, you must connect the unattended Person for the Request Manager to an ESS administrator that has the following permissions (Entity Access Rule, with the ESS Admin connection in parentheses):
- ESS Administrator: View (View details)
- Audit: View (View details)
- Person: Modify (All: Create, Delete, Update, Revoke, Restore, Connect, Change password)
- Person: View (View details)
- Profile: View (View details)
- Organization: View (View details)
- Managed System: View (View details)
- Managed System Type: View (View details)
- Account: Modify (All: Update, Insert, Delete, Perform Connect, Perform Sync, Change Password, Revoke, Restore)
- Account: View (View details)
- Transaction: Modify (All: Update)
- Transaction: View (View details)
- Group: View (View details)

4 Perform the procedure described above one time for each unattended ESS Person.

5 Register the unattended ESS administrator in the BMC Identity Management Suite by running the Unattended Administrators option described in the next section.

Run the Suite Configuration: Unattended Administrators option

After you define the Person and its ESS administrator with correct permissions, you must register it with Identity Open Services by running the Suite Configuration application Unattended Administrators option.

To register an unattended Person with the Suite

1 In the Suite Configuration tab, click Security and Authentication => Unattended Administrators.
2 In the Unattended Administrators welcome page, click one of the following:
  BMC User Administration Manager
  BMC Identity Compliance Manager
  BMC Identity Request Manager
  A Web page dialog is displayed.
3 Enter the Front-end System password. (For Compliance Manager, enter the Back-end System password.)
4 Select the ESS Login Profile to which you want to connect.
5 Click Create, Replace, or Delete. Non-applicable buttons will be disabled. A Web page dialog is displayed.
6 Enter the Person ID. You will have to enter the password only with ESS version . ESS 3.3 or later does not require the Person password.
7 Enter values for the following parameters:

Table 17 Define unattended ESS Person

Parameter: Person ID
Description: The value specified for the field Person ID in the ESS Person window.

Parameter: ESS Person password
Description: If the installation of Enterprise SecurityStation is , then you must enter the password of the ESS Person. If the ESS version is or later, you do not have to enter the ESS Person password.

An unattended ESS Person for the application (for example, User Administration Manager) is created and registered with the BMC Identity Management Suite in the following file:
  $BMC_IDM_SUITE_HOME/applicationName/conf/unattended-admin-config.xml
where applicationName is the name of the application bound to this unattended administrator.

8 If you are enabling the User Administration Manager, the Compliance Manager, and the Request Manager, you must perform the above procedure a separate time for each unattended ESS Person.

Security and Authentication: System Passwords

The Suite keystore and its initial password are created when you perform the BMC Identity Management installation procedure. During product installation you are prompted to provide a password for the Suite keystore. This is the System password. The System Passwords option is used when you want to update the System password. It is good security policy and recommended practice to periodically change this System password (for example, every 60 days).

If you install the BMC Identity Management Suite as a distributed application on two servers (Front-end and Back-end), during the separate installation procedures you will create a different Suite keystore and System password for each account. For more information, see Overview of the BMC Identity Management Suite keystores on page 122 and Figure 11 on page 124.

NOTE
If you install the BMC Identity Management Suite in a distributed environment on a Back-end and a Front-end server, you must update each System password separately.

The System password is used for these purposes:
  The Suite keystore password
  The password you are required to supply as an argument when using many of the Suite Configuration application options.
  The password you are required to supply as an argument when running the JBoss start script. For more information, see Starting/stopping the BMC Identity Management Suite on page 121.

NOTE
You can configure the System password to be temporary (default) or permanent for use (only) in the start script. This means that you won't be prompted for the System password each time you start the Suite. If you install the BMC Identity Management Suite as a distributed deployment (Front-end and Back-end account), the System password for each account must be configured separately. The System passwords are independent, so it is possible to have one temporary password and one permanent password. For more information, see Configure the System password: temporary or permanent on page 187.

WARNING
Update the System password only by using the Suite Configuration application. Do not change the System password by performing direct operations using a standard Java JDK keytool utility.

Important: Updating the System password affects other Suite Configuration code that uses the System password for encryption/decryption. After changing the password it is essential to perform certain procedures that are described in a section below (see Warning on page 143).

To change the System password

1 In the Suite Configuration tab, click Security and Authentication => System Passwords. The System Passwords welcome page is displayed.
2 Depending on whether you want to change the System password on the Back-end server or on the Front-end server, click the appropriate link. Note: In a unified deployment of the Suite, click the System password link.
  Update System password for Back-end
  Update System password for Front-end
  A Web page dialog is displayed.

3 Enter values for the following parameters:

Table 18 Change System password

Parameter: Enter the current System password
Description: Enter the current System password.

Parameter: Enter the new System password
Description: Enter the new System password.

Parameter: Re-enter the password for confirmation
Description: Re-enter the new System password for confirmation.

4 Click OK. The System password is changed.
5 If you have installed the BMC Identity Management Suite on more than one server, you have to change each System password separately.
6 Restart the application server.

Line command (Optional)

Instead of using the Suite Configuration application, in the account where you want to manage the Suite keystore, you can use the following command:

  idm_tools passwd

You will be prompted to enter the current System password and your new System password.

Warning

After you change the System password you must do the following:

If you change the Back-end System password

Only for Enterprise SecurityStation version :

1. You have to re-register the existing unattended ESS Administrator for Identity Open Services (and also the unattended Person for the Identity Compliance Manager application).

You can run the following command:

NOTE
You must use the command line at this point because the unattended ESS Administrator for Open Services is required to log into the Suite.

  idm_tools admins

Follow the instructions displayed in the prompts.

2. You also have to re-register the existing unattended Person for the Identity Compliance Manager application. Run the following option from the Suite: Suite Configuration => Unattended Administrators

Note: You are not re-creating these unattended entities; rather, you are using the new System password and re-registering them. For more information, see Security and Authentication: Unattended Administrators on page 131.

For Enterprise SecurityStation version :

Only if you are using external LDAP authentication

1 Log in to the Suite using Basic login. If you have any problems with the log in screens, you can use the following command to return the login type to Basic so you can log in using a name and password:
  idm_tools basic_login
2 Run Suite Configuration => External Authentication => Edit.
3 Select the authentication domain => Update. The existing values are displayed. Enter the unattended ESS admin password and confirm.
  Note: This unattended ESS admin password stays the same. It must be re-entered only because the new System password will be used to encrypt it.
4 Perform step #2 for each domain (if you are using more than one domain).
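The re-registration steps in this Warning exist because the Suite uses the System password to encrypt the stored passwords of the unattended administrators, so anything sealed under the old password cannot be opened with the new one until it is re-registered. The following Python model is an added illustration, not BMC code: secrets are sealed under keys derived from the System password (PBKDF2, an HMAC-SHA256 keystream and a MAC, so a wrong password is detected rather than yielding garbage), a password change without re-registration leaves every entry unreadable, and re-registering (re-sealing under the new password) repairs it. The function names, the in-memory store and the cipher construction are assumptions for the illustration only; the real unattended-admin-config.xml format is not modelled.

```python
"""Added model (not BMC code) of why unattended-admin registrations must be
re-registered after the System password changes.  Names, store layout and the
cipher construction are assumptions for the illustration only."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

PBKDF2_ROUNDS = 100_000  # work factor for the password-to-key derivation


def derive_keys(system_password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Derive a 32-byte encryption key and a 32-byte MAC key from the System password."""
    material = hashlib.pbkdf2_hmac("sha256", system_password.encode("utf-8"),
                                   salt, PBKDF2_ROUNDS, dklen=64)
    return material[:32], material[32:]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256 (illustrative stream cipher)."""
    blocks = [hmac.new(enc_key, nonce + i.to_bytes(4, "big"), "sha256").digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def seal(system_password: str, secret: bytes) -> Dict[str, bytes]:
    """Encrypt-then-MAC a secret under the current System password."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = derive_keys(system_password, salt)
    ciphertext = bytes(p ^ k for p, k in zip(secret, _keystream(enc_key, nonce, len(secret))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, "sha256").digest()
    return {"salt": salt, "nonce": nonce, "ct": ciphertext, "tag": tag}


def open_sealed(system_password: str, blob: Dict[str, bytes]) -> Optional[bytes]:
    """Return the secret, or None when the tag does not verify (wrong System password)."""
    enc_key, mac_key = derive_keys(system_password, blob["salt"])
    expected = hmac.new(mac_key, blob["salt"] + blob["nonce"] + blob["ct"], "sha256").digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    keystream = _keystream(enc_key, blob["nonce"], len(blob["ct"]))
    return bytes(c ^ k for c, k in zip(blob["ct"], keystream))


def register(store: Dict[str, Dict[str, bytes]], system_password: str,
             name: str, secret: bytes) -> None:
    """Model of registering an unattended administrator: seal its password."""
    store[name] = seal(system_password, secret)


def unreadable_entries(store: Dict[str, Dict[str, bytes]], system_password: str) -> List[str]:
    """Registrations that no longer open under the given System password."""
    return [name for name, blob in store.items() if open_sealed(system_password, blob) is None]


def rotate_system_password(store: Dict[str, Dict[str, bytes]],
                           old_password: str, new_password: str) -> List[str]:
    """Model of re-registering after a System password change: re-seal every entry."""
    reregistered = []
    for name, blob in list(store.items()):
        secret = open_sealed(old_password, blob)
        if secret is None:
            raise ValueError(f"{name}: cannot open with the old System password")
        store[name] = seal(new_password, secret)
        reregistered.append(name)
    return reregistered


if __name__ == "__main__":
    store: Dict[str, Dict[str, bytes]] = {}
    register(store, "old-system-pw", "open-services-admin", b"constructed-secret-1")
    register(store, "old-system-pw", "compliance-manager", b"constructed-secret-2")
    print("unreadable after password change, before re-registering:",
          unreadable_entries(store, "new-system-pw"))
    rotate_system_password(store, "old-system-pw", "new-system-pw")
    print("unreadable after re-registering:", unreadable_entries(store, "new-system-pw"))
```

The check that matters operationally is unreadable_entries: run against the new System password it lists exactly the registrations that the Warning tells you to redo, which is what a failed Suite login after a password change looks like in this model.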

If you change the Front-end System password

Only for Enterprise SecurityStation version :

Run Suite Configuration => Unattended Administrators. You have to re-register the existing unattended Persons for the User Administration Manager and the Request Manager.

Note: You are not re-creating these unattended entities; rather, you are using the new System password and re-registering them. For more information, see Security and Authentication: Unattended Administrators on page 131.

If you change the System password in a unified deployment

Perform all tasks for both the Back-end and Front-end servers.

Security and Authentication: ESS Login Profile

An ESS Login Profile is a file containing parameters for connecting the BMC Identity Management Suite Back-end applications (for example, Identity Open Services) to a specific installation of Enterprise SecurityStation. One ESS Login Profile is created during the BMC Identity Management Suite installation procedure. However, BMC Identity Management Suite supports the use of multiple ESS Login Profiles. A separate ESS Login Profile is required for each Enterprise SecurityStation installation to which you want to connect.

NOTE
If there are multiple ESS Login Profiles defined, the BMC Identity Management login screen can display a drop-down list that enables end users to select a single ESS Login Profile. For more information, see Security and Authentication: Authentication Method on page 154.

After installing the Suite, if you want to create, update, or delete an ESS Login Profile, you can do the following:
  Security and Authentication => ESS Login Profile: This Web-based configuration option can only be used to update ESS Login Profiles.
  ESS Login Profile wizard: You can optionally run a separate ESS Login Profile wizard (or command-line script) to create, update, or delete ESS Login Profiles. The ESS Login Profile wizard (or command-line prompts) is described here: Run the ESS Login Profile wizard to create, update, or delete an ESS Login Profile on page 148.

To update an ESS Login Profile

1 In the Suite Configuration tab, click Security and Authentication => ESS Login Profile => Edit.
2 Select the ESS Login Profile you want to update.
3 Enter values for the following parameters.
  NOTE
  When updating an ESS Login Profile, some of the parameters in Table 19 are read-only.
4 Click OK.

Table 19 ESS Login Profile Parameters (Part 1 of 2)

Parameter: Select desired action:
  Add a new profile
  Update an existing profile
  Delete an existing profile
Description: You can add, update, or delete a profile. When you update a profile: when using the graphical wizard, you can select an existing profile from a drop-down list; when using the command-line wizard, a list of existing profiles is displayed above the first prompt.

Parameter: Specify a new Login Profile name [default:]
Description: Name to identify the Login Profile. The profile name can consist of letters (A-Z, a-z), numbers (0-9), hyphen (-) and underscore (_).

Table 19 ESS Login Profile Parameters (Part 2 of 2)

Parameter: Is the ESS server for this Login Profile secure?
Description: Whether communication between Identity Open Services and the ESS Application servers is encrypted by SSL. By default, when version or later is installed on any workstation, communication is encrypted. For more information, see the description of Application server security in the Enterprise SecurityStation Administration Guide.

Parameter: Is the ESS server for this Login Profile behind a firewall?
Description: Specify yes if Enterprise SecurityStation is installed behind a firewall with a NAT router. Specify no if either of the following is true:
  Enterprise SecurityStation is not behind a firewall.
  A NAT router is not employed.

Parameter: Specify the ESS Server Host Name [default:]
Description: Name of the UNIX server on which Enterprise SecurityStation is installed.

Parameter: Specify the ESS Server Domain Name [default:]
Description: Domain name of the UNIX server on which Enterprise SecurityStation is installed.

Parameter: Specify the ESS Server Port Number [default:1570]
Description: Port number on the UNIX server through which the current Login Profile should connect to the ESS Application Server. The value specified for this parameter should be the value specified for the base port number for the ESS Application server daemon during installation of the Enterprise SecurityStation server. This is also the value of the environment variable IT_DAEMON_PORT in the .cshrc file in the UNIX installation.

Parameter: Specify the ESS Manager Name [default: ess]
Description: User name of the ESS manager, specified during installation of the Enterprise SecurityStation server.

Parameter: Database Server Timeout (Specify database server timeout)
Description: Length of time (in seconds) to wait for a response from the Enterprise SecurityStation database server before issuing an error message.

Parameter: ESS Server Timeout (Specify ESS server timeout)
Description: Length of time (in seconds) to wait for a response from the ESS Application server before issuing an error message.

Parameter: Initial ESS Server ID (Specify ESS server load balancing range start)
Description: (For load balancing) First server ID in the range of ESS Application Servers to be made available to Identity Open Services to handle requests. The value for this parameter is used together with the parameter Number of ESS Servers to use to determine the range of connections that are available to Identity Open Services.

Parameter: Number of ESS Servers to use (Specify the number of servers to include in load balancing)
Description: (For load balancing) Number of ESS Application Servers to use to handle requests. For more information, see the description of the parameter Initial ESS Server ID above.

Parameter: Character set encoding used by the data (Specify character set encoding)
Description: Character set encodings appear dynamically as a selection list. Select the character set that will be used to display data to the end user.

The following procedures may be used for troubleshooting if the Suite Web-based UI cannot be displayed. These procedures use a separate ESS Login Profile wizard utility that is included in the installation media.

Run the ESS Login Profile wizard to create, update, or delete an ESS Login Profile

Important: If you already have one or more existing ESS Login Profiles, and are now creating another ESS Login Profile, there are additional mandatory procedures that you must follow after running the ESS Login Profile wizard. These additional procedures are described after step #5.

To create, update, or delete an ESS Login Profile

1 Log in to the Back-end account.
2 (UNIX: For the graphical wizard only) Enter the following command:
  setenv DISPLAY localipaddress:0.0
  localipaddress is the IP address of the computer from which you are running the wizard. If you are running the wizard remotely (for example, using an X Window application such as Exceed), specify the IP address of the PC on which you are actually working.
3 Enter the following command:
  UNIX, graphical wizard: EssLoginProfileWizard.sh
  UNIX, command-line wizard: EssLoginProfileWizardT.sh
  Windows: Start Menu => Programs => Identity Management Suite => 5.5 => ESS Login Profile Wizard
4 When you see the following prompt, select the desired action:
  Add a new profile
  Update an existing profile
  Delete an existing profile

5 Do one of the following:
  If you are adding a Login Profile, provide the required information for the Login Profile as described in Table 19.
  If you are updating an existing Login Profile, select it from the list of existing Profiles that is displayed, and modify the required information for the Login Profile as described in Table 19.
  If you are deleting a Login Profile, select it from the list of existing Profiles that is displayed, and enter Delete.

Important: If you have added a new ESS Login Profile to one or more existing ESS Login Profiles, perform the following additional procedures:

1 In the ESS database, do the following:
  Create the unattended ESS administrator for Identity Open Services.
  Create the unattended Person(s) for the Suite applications you are going to use with this new ESS Login Profile.
  NOTE
  You must use a command-line script, because the Web-based Suite Configuration application for this new ESS Login Profile cannot yet be displayed.
  The procedures are described here:
    Create the unattended ESS administrator for Identity Open Services on page 132
    Create the unattended ESS Persons for applications on page
2 Using a command-line script (idm_tools admins), register the unattended ESS administrator for Identity Open Services using the following procedure: To register the unattended ESS administrator with the Suite on page
3 (Only applicable for ESS version 3.3 or later) Import the Shared Secret into ESS using the following procedure: Create/import/delete the ESS Shared Secret on page
4 Log into the Suite.

5 (Only applicable when both of these conditions are met: the Suite is installed in a distributed deployment (that is, Front-end and Back-end servers), and the new Login Profile is for connecting to Enterprise SecurityStation version 3.3 or later and you have not already performed this procedure.) Do the following: Import the Front-end authentication certificate into the Back-end Suite keystore using the following procedure. You then must restart the Suite. Implement a trusted connection between distributed servers on page 97
6 Register the unattended Person(s) using the Suite Configuration application, as described in the following procedure: Run the Suite Configuration: Unattended Administrators option on page
7 Run the Form Generator, as described in the following procedure: Application Configuration: Form Generator on page 159

NOTE
If there are multiple ESS Login Profiles defined, the BMC Identity Management login screen can display a drop-down list that enables end users to select a single ESS Login Profile. For more information, see Security and Authentication: Authentication Method on page 154.

Security and Authentication: Suite Keystores

The Suite keystore is created initially when you run the installation procedure. For more information, see Overview of the BMC Identity Management Suite keystores on page 122. The Suite Keystores option is used to perform the following operations:
  (Update) Create a new authentication key and a new signing key, and assign a key lifetime to each (separately)
  Export an authentication certificate
  Import an authentication certificate

  List the entries of keys and certificates

WARNING
Keys have a limited life span. Before the end of a key's validity period, the key must be replaced.

To create a new authentication and signing key

1 In the Suite Configuration tab, click Security and Authentication => Suite Keystores. The Suite keystores page is displayed.
2 Click Manage the Suite Keystore.
3 Click the appropriate link:
  Manage the Suite Keystore for the Back-end server
  Manage the Suite Keystore for the Front-end server
4 Enter your System password.
5 Enter the lifetime (in months) for each key. The default is 120 months.
6 Click OK. The Suite Configuration application does all of the following:
  Creates two new keys (with the lifetimes you specified) which have these new aliases (and saves the old aliases for future use):
    Control-SA_authentication.idmIdValue
    Control-SA_signing.idmIdValue
    Control-SA_cmpl_mgr.idmIdValue
    Control-SA_cdm.idmIdValue
  Note: A key alias is a part of each key's record in the keystore.
  Updates $BMC_IDM_SUITE_HOME/security/conf/security-config.xml with the alias names of the two new keys.
  Exports the public key certificate of the authentication key to $BMC_IDM_SUITE_HOME/security/keystore/idmIdValue.cer

NOTE
Throughout this manual, when the IDM Suite is installed on a Microsoft Windows platform, use %BMC_IDM_SUITE_HOME% whenever $BMC_IDM_SUITE_HOME is specified.

Important: (If you have updated the keystore on the Front-end server in a distributed deployment) You must import the new authentication certificate into the Back-end keystore and then restart the Back-end server.

To export an authentication certificate

1 In the Suite Configuration tab, click Security and Authentication => Suite Keystores. The Suite keystores page is displayed.
2 Click Manage the Suite Keystore.
3 Click the appropriate link:
  Manage the Suite Keystore for the Back-end server
  Manage the Suite Keystore for the Front-end server
4 Enter your System password.
5 Click Export. The public key certificate of the authentication key is exported to $BMC_IDM_SUITE_HOME/security/keystore

To import an authentication certificate

1 In the Suite Configuration tab, click Security and Authentication => Suite Keystores. The Suite keystores page is displayed.
2 Click Manage the Suite Keystore.
3 Click Manage the Suite Keystore for the Back-end server.
  NOTE
  The import command is only available in a distributed deployment, for the Back-end server.
4 Enter your System password.
5 Click Import. The public key certificate of the authentication key is imported into $BMC_IDM_SUITE_HOME/security/keystore

To view keystore details

1 In the Suite Configuration tab, click Security and Authentication => Suite Keystores. The Suite keystores page is displayed.
2 Click Manage the Suite Keystore.
3 Click the appropriate link:
  Manage the Suite Keystore for the Back-end server
  Manage the Suite Keystore for the Front-end server
4 Enter your System password.
5 Click Show. Details are displayed, including the following information for each keystore entry:
  Alias name
  Creation date
  Entry type
  Validity period

Line command (Optional)

Instead of using the Suite Configuration application, in the account where you want to manage the Suite keystore, you can use the following command:

  idm_tools keystore_idm update validityperiodauth validityperiodsign -import cerfile -export -display -create validityperiodauthentication validityperiodsigning

NOTE
If you enter idm_tools keystore_idm and press Enter, the command-line arguments will be displayed as separate interactive prompts.
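The warning that keys must be replaced before the end of their validity period is easy to operationalise from the details shown above (alias name, creation date, entry type, validity period). The following Python script is an added example, not part of this guide or the product: it parses the verbose listing format printed by the JDK's keytool -list -v (a read-only command that does not alter the keystore or its password, so it does not conflict with the warning against changing the System password with keytool) and reports entries that expire within a warning window. The sample listing is constructed, with aliases following the pattern shown in this guide and a made-up idmIdValue of idm1; the function names are assumptions.

```python
"""Added example (not BMC code): read-only expiry check over a 'keytool -list -v'
listing of the Suite keystore.  The sample listing is constructed."""
import re
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample of 'keytool -list -v' output with two private-key entries.
SAMPLE_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: control-sa_authentication.idm1
Creation date: Nov 15, 2006
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=suite-frontend, O=Example
Issuer: CN=suite-frontend, O=Example
Serial number: 4559f2c1
Valid from: Wed Nov 15 10:00:00 GMT 2006 until: Tue Jan 09 10:00:00 GMT 2007


*******************************************
*******************************************


Alias name: control-sa_signing.idm1
Creation date: Nov 15, 2006
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=suite-frontend, O=Example
Issuer: CN=suite-frontend, O=Example
Serial number: 4559f2c2
Valid from: Wed Nov 15 10:00:00 GMT 2006 until: Sat Nov 12 10:00:00 GMT 2016
"""

_VALID_RE = re.compile(r"^Valid from: (.+?) until: (.+)$")


def _parse_keytool_date(text: str) -> datetime:
    """keytool prints dates like 'Sat Nov 12 10:00:00 GMT 2016'.  The zone
    abbreviation depends on the JVM locale, so drop it instead of relying on %Z."""
    parts = text.split()
    del parts[4]
    return datetime.strptime(" ".join(parts), "%a %b %d %H:%M:%S %Y")


def parse_keytool_listing(listing: str) -> List[Dict]:
    """Return one dict per keystore entry: alias, created, entry_type, validity."""
    entries: List[Dict] = []
    current: Dict = {}
    for raw in listing.splitlines():
        line = raw.strip()
        if line.startswith("Alias name: "):
            current = {"alias": line[len("Alias name: "):]}
            entries.append(current)
        elif not current:
            continue  # header lines before the first entry
        elif line.startswith("Creation date: "):
            current["created"] = line[len("Creation date: "):]
        elif line.startswith("Entry type: "):
            current["entry_type"] = line[len("Entry type: "):]
        else:
            m = _VALID_RE.match(line)
            # Only the first certificate of a chain is the entry's own certificate.
            if m and "not_after" not in current:
                current["not_before"] = _parse_keytool_date(m.group(1))
                current["not_after"] = _parse_keytool_date(m.group(2))
    return entries


def expiring_entries(entries: List[Dict], now: datetime, warn_days: int = 90) -> List[Dict]:
    """Entries already expired or expiring within warn_days, with days remaining
    (negative when already expired)."""
    deadline = now + timedelta(days=warn_days)
    return [{"alias": e["alias"], "days_left": (e["not_after"] - now).days}
            for e in entries
            if "not_after" in e and e["not_after"] <= deadline]


if __name__ == "__main__":
    # In practice, feed this the output of: keytool -list -v -keystore <suite keystore>
    for hit in expiring_entries(parse_keytool_listing(SAMPLE_LISTING), datetime.now()):
        print(f"replace key {hit['alias']}: {hit['days_left']} days left")
```

Run it on a schedule against the Front-end and Back-end keystores separately in a distributed deployment, since each has its own keys; when it flags an authentication key on the Front-end, the Back-end import step in the Important note above is also due.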

Security and Authentication: External Authentication

(Requires ESS version 3.3 or later.)

Procedures are available for enabling the BMC Identity Management Suite to work with a third-party LDAP external authentication system (EAS). The procedures are applicable for sites that want to authenticate BMC Identity Management Suite users at the Suite log in page with a user name and password stored in an EAS instead of authenticating the Suite user with the Person ID and Person password stored in the ESS database. Complete details are presented in Appendix B, External LDAP authentication. It describes in detail how to modify the relevant XML files or, alternatively, when applicable, how to enter values into the XML files by using the Suite Configuration tab => External Authentication.

Security and Authentication: Authentication Method

The Authentication Method option enables you to update several attributes related to logging in (these attributes are applied globally to all users of the BMC Identity Management Suite):
  You can select to use a BMC Identity Management Suite log in screen, or a product (for example, single sign-on) that does not use one of the Suite's log in screens. During the BMC Identity Management Suite installation procedure, authentication login screens are initially selected. By default the normal log in and the challenge-response log in screen are available to the end user. If more than one log in screen is enabled (for example, Normal and RSA SecurID), users will be able to click a link and select one of the available screens.
  You can select to display 'All' ESS Login Profiles on the log in screen in a drop-down list. If you select a single specific ESS Login Profile, no ESS Login Profile will be displayed to the end user, and the single Login Profile you select will always be used.
  You can select to optionally enforce the requirement that end users must use secured https requests.
  You can select to allow the propagation of Suite login password changes to all other accounts of the user. (ESS Global parameters must also be configured for password propagation. See Configuring password-change synchronization on page 179.)

What is a trusted third-party login method?

A trusted login method configured at the level of the Suite is a log in method that does not display any built-in Suite login page at all, because log in to the Suite is considered trusted. An example of an application that uses trusted log in is implementing the Suite as a member of a single sign-on application such as BMC Universal Identity Platform or Netegrity SiteMinder. If you select to use a trusted log in method, any other configuration details regarding BMC Identity Management login methods (for example, user name and password, challenge-response) are ignored (that is, because no Suite log in screen is displayed). In the steps that follow, if you select Use log in screen of a third-party product, then you are enabling a trusted third-party login method.

NOTE
An additional, separate trusted login parameter is configured at the level of each ESS database Person entity (for example, setting the authentication method field in the Person record to Trusted), for both single sign-on and also External LDAP authentication.

Configuring the authentication method

To configure the available authentication method

1 In the Suite Configuration tab, click Security and Authentication => Authentication Method. The Define Authentication Method welcome screen is displayed.
2 Click Update. A Web page dialog is displayed.
3 Enter the System password and click Next. A Web page dialog is displayed.
4 Enter values for the parameters in Table 20.

Table 20 Authentication method (Part 1 of 2)

Parameter:
  [ ] Use log in screen of a third-party product and pass user name via:
      [ ] Get remote user method
      [ ] HTTP header
      Header name [iv-user]:
Description: Select this check box if you are using a third-party product without a log in screen, then do the following: Select either get remote user method or http header. The default is http header. If you select get remote user method, then you are done configuring the trusted authentication. If you select http header, then enter a header name. The default is iv-user. For more information, see What is a trusted third-party login method? on page 155.

Parameter:
  [ ] Use BMC IdM log in screens
      [ ] Basic     Priority [ ]
      [ ] SecurID   Priority [ ]
      [ ] External  Priority [ ]
Description: Select this check box if you are using a BMC Suite log in screen.
  Basic: user name and password
  SecurID: RSA SecurID is a third-party authentication product that can be integrated with Enterprise SecurityStation
  External: If you are using a third-party authentication product that can be integrated with Enterprise SecurityStation. See Security and Authentication: External Authentication on page 154 and Appendix B, External LDAP authentication.
  Priority: For each option that you select you must also set a priority (that is, 1-3). The lowest priority screen option will be displayed to the end user by default.

Table 20 Authentication method (Part 2 of 2)

Parameter: ESS Login Profile
Description: Default: All. If you leave All, then on the Suite login page all available Login Profiles will be available in a drop-down list. If you select a specific Login Profile, whether or not there is more than one Login Profile available, then on the Suite login page no drop-down list of Login Profiles will be displayed and the Login Profile you selected will automatically be used. Important: If you use a trusted login method (for example, single sign-on), it is mandatory to configure a Login Profile. Note: If needed, the parameters for ESS Login Profiles can be edited in this file: $BMC_IDM_SUITE_HOME/glue_web/conf/glue-web-uiconfig.xml

Parameter: Action in case of non https request from browser
  [ ] block
  [ ] warn
  [ ] ignore
Description: If a Suite user sends an unsecured browser request to the Suite, you can configure three different actions:
  block: The user's request is not sent to the Suite, and an error message is displayed in the browser.
  warn: The user's request is sent to the Suite, but a warning message is displayed in the browser.
  ignore: The user's request is sent to the Suite.

Parameter: Changing your Suite password will allow synchronization of other account passwords
  [ ] Yes
  [ ] No
Description:
  Yes: Password changes made at the Suite login page can be propagated to the user's other accounts. Note: The synchronization behavior of password changes ALSO depends on these three ESS parameters: Enable Password Sync, Include in Password Sync, and Propagate Person Password Change to. For more information, see Configuring password-change synchronization on page 179.
  No: Password changes made at the Suite login page will not be propagated to the user's other accounts.
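Two of the settings in Table 20 decide who the Suite believes the user is and whether an unsecured request is served at all. The following Python model is an added example, not BMC code, and shows both decisions over a WSGI-style request: with Get remote user method the container has already authenticated the user; with HTTP header (default iv-user) the user name is whatever the header says, so the model honours it only when the request arrived from the address range of the SSO proxy or agent (the trusted_proxies setting is an assumption for this example; the guide does not describe such a check, and in a deployment that enforcement normally lives in the web tier in front of the Suite). The block, warn and ignore actions follow the descriptions in the table. The request samples are constructed.

```python
"""Added model (not BMC code) of the trusted-login user resolution and the
non-https request action from Table 20.  trusted_proxies is an assumption."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple


@dataclass
class AuthMethodConfig:
    user_source: str = "http_header"         # "remote_user" or "http_header"
    header_name: str = "iv-user"             # default header name from Table 20
    trusted_proxies: Tuple[str, ...] = ()    # CIDRs of the SSO proxy/agent (assumption)
    non_https_action: str = "warn"           # "block", "warn" or "ignore"


def _from_trusted_proxy(remote_addr: str, trusted: Tuple[str, ...]) -> bool:
    try:
        addr = ip_address(remote_addr)
    except ValueError:
        return False
    return any(addr in ip_network(cidr, strict=False) for cidr in trusted)


def resolve_trusted_user(environ: Dict[str, str], cfg: AuthMethodConfig) -> Optional[str]:
    """User name for a trusted third-party login, or None if it cannot be trusted."""
    if cfg.user_source == "remote_user":
        # The container (or its SSO agent) already authenticated the caller.
        return environ.get("REMOTE_USER") or None
    if cfg.user_source != "http_header":
        raise ValueError(f"unknown user_source: {cfg.user_source}")
    # A header can be set by any client; only honour it when the request
    # demonstrably came through the proxy that is supposed to set it.
    if not _from_trusted_proxy(environ.get("REMOTE_ADDR", ""), cfg.trusted_proxies):
        return None
    key = "HTTP_" + cfg.header_name.upper().replace("-", "_")
    value = environ.get(key, "").strip()
    return value or None


def non_https_decision(environ: Dict[str, str], cfg: AuthMethodConfig) -> Tuple[bool, Optional[str]]:
    """Return (forward_to_suite, message_for_browser) for the configured action."""
    if environ.get("wsgi.url_scheme") == "https":
        return True, None
    if cfg.non_https_action == "block":
        return False, "Error: the Suite accepts https requests only."
    if cfg.non_https_action == "warn":
        return True, "Warning: this request was not sent over https."
    if cfg.non_https_action == "ignore":
        return True, None
    raise ValueError(f"unknown non_https_action: {cfg.non_https_action}")


def make_request(remote_addr: str, scheme: str = "https",
                 remote_user: Optional[str] = None,
                 headers: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Constructed WSGI-style environ for the examples below."""
    environ = {"REMOTE_ADDR": remote_addr, "wsgi.url_scheme": scheme}
    if remote_user:
        environ["REMOTE_USER"] = remote_user
    for name, value in (headers or {}).items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    return environ


if __name__ == "__main__":
    cfg = AuthMethodConfig(trusted_proxies=("10.0.0.0/24",), non_https_action="block")
    via_proxy = make_request("10.0.0.5", headers={"iv-user": "alice"})
    direct = make_request("198.51.100.7", headers={"iv-user": "alice"})
    print("via proxy:", resolve_trusted_user(via_proxy, cfg))   # alice
    print("direct:", resolve_trusted_user(direct, cfg))         # None
    print("http request:", non_https_decision(make_request("10.0.0.5", "http"), cfg))
```

With warn or ignore, the request still reaches the Suite, so those two settings only change what the browser shows; block is the one that actually refuses to serve credentials over plain http.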

Line command (Optional)

If you have any problems with the log in screens, you can use this command to return the login type to Basic so you can log in using a name and password. After you have logged in, you can use the Suite Configuration application as described above. Enter this command:

  idm_tools basic_login

Maintenance: Components Info

The Components Info option provides a method for generating a list of the installed BMC Identity Management Suite products and components.

To view products information

In the Suite Configuration tab, click Maintenance => Components Info. The View Products Info page is displayed. A list similar to the following is displayed:

  Application                        Release   Smart Number   Version
  BMC User Administration Manager              LPCUA
  BMC Compliance Manager Web                   LPCAC
  BMC Password Manager                         LP1KQ

Maintenance: Components Status

The Components Status option provides a method for generating a list of the installed BMC Identity Management Suite products and components and indicates whether or not they are active.

To view products status

In the Suite Configuration tab, click Maintenance => Components Status. The View Products Status page is displayed.

A list similar to the following is displayed:

  Application                        Release   Active
  BMC User Administration Manager              Yes
  BMC Compliance Manager Web                   No
  BMC Password Manager                         Yes

Line command (Optional)

Instead of using the Web UI, in the account where you want to verify the status, you can run the following command:

  idm_tools status

A list of products and their statuses will be displayed.

Maintenance: Collect Logs

The Collect Logs option simplifies the process of collecting information to send to BMC support personnel when making requests for technical support. This option gathers and packs files for technical support.

NOTE
Only run the Collect Logs option at the request of BMC Technical Support.

For a detailed description of the Collect Logs option, see Collecting Information for support issues on page 229.

Application Configuration: Form Generator

The Form Generator option provides a method for running a BMC Identity Management Suite component called the Form Generator. The Form Generator reads keywords and keyword rules from the Enterprise SecurityStation database and generates the required XML form definition files and dictionaries for use by User Administration Manager. You must activate the Form Generator when any of the following events occur:

After installing BMC Identity Management Suite.
After defining a new Login Profile.
After each addition, modification, or deletion of any keyword or keyword rule in Enterprise SecurityStation.
After actions that require using the Managed System Type Activation window in Enterprise SecurityStation (for example, activating a Managed System type, or importing a new or updated Managed System type). It is not necessary to run the Form Generator after deactivating a Managed System type. (The Managed System Type Activation window is described in the Enterprise SecurityStation Console Administration Guide.)

For more information, see the chapter about using the Form Generator in the BMC User Administration Manager Administrator Guide.

To activate the Form Generator

1 If you are running the Form Generator for either of the following reasons, first stop and restart the Identity Management Suite (Back-end):
  Because you added, modified, or deleted a keyword or keyword rule in Enterprise SecurityStation.
  Because you performed an action that required using the Managed System Type Activation window in Enterprise SecurityStation.
2 Ensure that the Person who runs the Form Generator is connected to an ESS administrator that has the following permission: View All entities.
3 In the Suite Configuration tab, click Application Configuration => Form Generator. The Form Generator welcome page is displayed.
4 Click Run. A Web page dialog is displayed.
5 Click Run. The Form Generator runs.

Application Configuration: Manage ESS Global Parameters

The Manage Global Parameters option is used to configure ESS Global parameters. ESS Global parameters are a powerful tool for defining and implementing enterprise-wide security policies. Enterprise SecurityStation enables you to establish, validate, and control security policies across heterogeneous platforms.

ESS Global parameters include many different types of parameters, organized as a multi-tabbed Web page dialog. Examples of ESS Global parameters are the minimum number of characters for a Managed System password and the number of days after which a Managed System password expires.

To learn how to manage ESS Global parameters, see Chapter 4, ESS Global parameters.

Application Configuration: Compliance Manager

This option is applicable only to the BMC Compliance Manager. The Compliance Manager option is used to set and modify parameters for the BMC Compliance Manager.

WARNING
For initial configuration, Compliance Manager must be configured after installing it from the CD or DVD media, but before it is deployed to the application server.

Important: For a more detailed description of how to configure BMC Compliance Manager, see the BMC Compliance Manager Administrator Guide.

To configure the Compliance Manager

1 In the Suite Configuration tab, click Application Configuration => Compliance Manager => Create/Update Schema. Configuration Web dialogs are displayed in sequence. A prompt for the System password is displayed.
2 Enter the System password.
3 Enter configuration values as described in the following tables.

Table 21 Configure Compliance Manager screen 1

BMC Identity Compliance Manager Database Connection

Database type
  Type of database server for the Compliance Manager database. This can be the ESS database or any other database. Select Oracle or Sybase.
Database host name
  The host name of the computer where the Compliance Manager database is installed. For example: myserver.company.com. The host name can also be an IP address.
Database port number
  The database listener port. Default: 1521.
Database name
  The name of the database (for Oracle, use the SID).

BMC Identity Compliance Manager Database User

User name
  Oracle or Sybase user name for accessing the Compliance Manager database. This user must have been created previously by the database administrator.
User password
  Password of the database user.
Create new database (Yes / No)
  If Yes is selected, initializes the Compliance Manager schema and tables in the Compliance Manager database. Note: You cannot select Yes if Compliance Manager entities already exist for this database and database user.

Table 22 Configure Compliance Manager screen 2

BMC Identity Compliance Manager Administrator Profile
  Name of the ESS Profile used for defining Compliance Manager administrators (default: CmplMgrAdmin). Note: You can specify the name of an existing Profile. You can also use the script CmplMgrProfiles to create this Profile later. The ESS Profile is an entity in the ESS database; it should not be confused with the ESS Login Profile, which contains the connection parameters for a specific Enterprise SecurityStation.
Central Auditor Profile
  Name of the ESS Profile used for defining Central Auditors (default: CentralAuditor). The same notes apply as for the Administrator Profile: you can specify an existing Profile or create it later with the CmplMgrProfiles script, and it is not an ESS Login Profile.
BMC Identity Open Services Login Profile
  Name of the ESS Login Profile for connecting to a specific Enterprise SecurityStation.

Table 23 Reports screen 3

Report footer text
  Printed at the bottom of every PDF report. The default text is "Generated by BMC Identity Compliance Manager".
Report logo path
  The full path to the logo file. This location must be accessible to the Back-end server. The logo file must be in one of the following formats: JPEG, PNG, GIF, TIF, or BMP.

4 Stop and restart the Back-end server.

Application Configuration: Workflow Schema

The Workflow Schema option is used to set and modify parameters for the BMC CDM Workflow Schema. Workflow Schema parameters must be configured after BMC CDM Workflow is installed and deployed, and before BMC Request Manager is configured (see Application Configuration: Request Manager on page 165). For a detailed description of how to configure BMC Request Manager, see the BMC CDM Workflow Administrator Guide.

To configure the Workflow Schema

1 In the Suite Configuration tab, click Application Configuration => Workflow Schema. A configuration Web dialog is displayed.
2 Enter configuration values as described in the following table.

Table 24 Workflow Schema configuration

IMPORTANT: Request Manager requires an Oracle database. This Oracle database can also be used by Enterprise SecurityStation.

Database Connection

Database host name
  The host name of the computer where the Oracle database for CDM Workflow is installed. For example: myserver.company.com. The host name can also be an IP address.
Database port
  The Oracle database listener port. Default: 1521.
Database service name (SID)
  The SID of the Oracle database.

Database User

User name
  The Oracle user name used by CDM Workflow. This user must have been created previously by an Oracle administrator.
User password
  The Oracle user password for the CDM Workflow user.

For more information, see the following guides:
BMC Identity Request Manager Administrator Guide
BMC Corporate Directory Manager Workflow Implementation Guide

Application Configuration: Request Manager

The Request Manager option is used to set and modify parameters for the BMC Request Manager.

Important: Workflow Schema parameters must be configured before BMC Request Manager is configured (see Application Configuration: Workflow Schema on page 164).

To configure the BMC Request Manager

1 In the Suite Configuration tab, click Application Configuration => Request Manager. A configuration Web dialog is displayed.
2 Click Configure Request Manager.
3 Enter configuration values as described in the following table.

Table 25 Request Manager configuration

CDM Workflow Database (User name, User password)
  These must both match the values you already entered in Application Configuration => Workflow Schema. User name: the CDM Workflow Database user name. User password: the password of the CDM Workflow Database user.
ESS Account (User name, User password)
  These must both match the values you already configured for the unattended Person for Request Manager. User name: the Person ID of the unattended Person for Request Manager. User password: the Person password of the unattended Person for Request Manager. For more information, see Create the unattended ESS Persons for applications on page 136.

For more information, see the following guides:
BMC Identity Request Manager Administrator Guide
BMC Corporate Directory Manager Workflow Implementation Guide

Application Configuration: CDM Applications

For more information, see the following guides:
BMC Identity Request Manager Administrator Guide
BMC Identity Request Manager Customization Guide

See also the following sections in the BMC Identity Compliance Manager Administrator Guide:
BMC Identity Request Manager as target
Changing the CDM/CM Report Application log folder

Application Configuration: Web Access and Federation

For information about configuration, refer to the online help and the following books:
BMC Web Access Manager for J2EE Configuration Guide (Implementation Guide)
BMC Web Access Manager for J2EE Policy Manager Guide (AG)
BMC Web Enforcement Agent for J2EE Administrator Guide (AG)

Create/import/delete the ESS Shared Secret

This section is applicable only when connecting to Enterprise SecurityStation version or later.

When connecting to Enterprise SecurityStation (version or later), a trusted connection must be established from Identity Open Services and the Back-end account applications to Enterprise SecurityStation. An Identity Open Services ID (the plaintext identifier of Identity Open Services) and an ESS Shared Secret are generated automatically during the Identity Open Services installation procedure and are stored as follows:

OpenServicesKey.txt: the Identity Open Services ID (plaintext identifier of Identity Open Services) and a hashed value of the ESS Shared Secret. This is the file that must be imported into Enterprise SecurityStation.
open-services-security.xml: an encrypted value of the ESS Shared Secret, used by Identity Open Services.

As part of the installation procedure you must import the shared secret into Enterprise SecurityStation. You do not have to create a new shared secret.

NOTE
Create a new ESS Shared Secret only if the open-services-security.xml file is lost or becomes corrupted. A new secret no longer matches the hash that Enterprise SecurityStation holds for this installation, so Identity Open Services cannot connect until the new OpenServicesKey.txt has been imported.

To create a new ESS Shared Secret

1 Log in to the Back-end account.
2 Enter the following command:

idm_tools ess_ss

A new encrypted shared secret value is stored in the file open-services-security.xml.
3 Import the new shared secret into Enterprise SecurityStation using the procedure below (use the Replace option of ISS2DB.sh if a key for this installation was already imported).

The ISS2DB.sh script provides options to import, replace, or delete the Identity Open Services ID and the shared secret.

To import, delete, or replace the ESS_ID and the ESS_SS (ESS Shared Secret) parameters

1 Log in to the Enterprise SecurityStation computer as the ESS Owner. Be sure that the database server is active.
2 Be sure that the $ESS_HOME/site_specific/ess.version/defaults/ directory has the following permissions: -rwxr-xr-x
3 Using FTP (ascii mode), copy the OpenServicesKey.txt file from the following directory in the Back-end account:
  $BMC_IDM_SUITE_HOME/security/conf/
  to the following directory on the Enterprise SecurityStation computer:
  $ESS_HOME/site_specific/ess.version/defaults/
  Note that OpenServicesKey.txt identifies your Identity Open Services installation and carries a hash of the shared secret, and that FTP sends both the file and the ESS Owner's login credentials in cleartext. Where both hosts support it, an encrypted transfer such as scp or sftp is preferable; whichever method you use, do not leave copies of the file in shared or world-readable locations.
4 In the ESS Owner account, enter the following command to run the script:

$ESS_HOME/appl/ess.version/etc/ISS2DB.sh

The following menu appears:

ESS Identity Open Services Key Manager
Choose One Of The Following Options:
1. Insert A New Identity Open Services Key To ESS Database.
2. Delete An Identity Open Services Key From ESS Database.
3. Replace An Identity Open Services Key In ESS Database.
4. Exit

5 Enter the option number (1=Insert, 2=Delete, or 3=Replace):
  1: Imports the parameters in the OpenServicesKey.txt file into ESS.
  2: Deletes the parameters in the OpenServicesKey.txt file from ESS.
  3: Replaces the parameters in the OpenServicesKey.txt file in ESS.
6 (Only for option 2, Delete) The following prompt is displayed:

Attempting To Delete An Identity Open Services Key From ESS Database...
Please Enter The Shared Secret ID To Delete:

  Enter the current value of ESS_ID (the plaintext identifier of the Open Services installation) from the OpenServicesKey.txt file.
7 On completion of the script, delete the OpenServicesKey.txt file that is located on the Identity Open Services server.
8 Stop and restart Orbix.

NOTE
If you need the OpenServicesKey.txt parameters later, for example to run the script's delete option, you can retrieve the OpenServicesKey.txt file from where you copied it in the ESS installation: $ESS_HOME/site_specific/ess.version/defaults/
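The following script is an added example and is not part of this guide or of BMC's tooling. It performs steps 2, 3 and 7 of the procedure above from the Back-end account, replacing the FTP copy with scp so that OpenServicesKey.txt (which identifies the Identity Open Services installation and carries a hash of the shared secret) is never sent in cleartext, checks the directory permissions the guide requires, verifies that the copy arrived intact, and removes the source file afterwards. The SSH login ess-owner@ess-host, the presence of OpenSSH scp/ssh, and POSIX ls/cksum on both hosts are assumptions; ISS2DB.sh itself is still run interactively by the ESS Owner as in steps 4 to 6.

```shell
#!/bin/sh
# Added example, not BMC tooling: stage OpenServicesKey.txt for ISS2DB.sh over SSH.
# Assumptions: OpenSSH scp/ssh and POSIX ls/cksum are available on both hosts.

KEY_FILE=OpenServicesKey.txt

# Permission string (rwxr-xr-x form) of PATH, locally or on HOST.
# ls -ld is used because the flags of stat differ between UNIX variants.
path_mode() {
  if [ -n "${2:-}" ]; then ssh "$2" "ls -ld '$1'"; else ls -ld "$1"; fi | cut -c2-10
}

# The guide requires $ESS_HOME/site_specific/ess.version/defaults/ to be rwxr-xr-x.
dir_mode_ok() {
  [ "$(path_mode "$1" "${2:-}")" = "rwxr-xr-x" ]
}

# CRC and byte count of FILE, locally or on HOST, used as an integrity check.
file_digest() {
  if [ -n "${2:-}" ]; then ssh "$2" "cksum < '$1'"; else cksum < "$1"; fi | awk '{print $1, $2}'
}

# stage_key_file SRC DEST_DIR [HOST]: copy the key file into DEST_DIR (on HOST when
# given) after checking the directory mode, then verify the copy matches the source.
stage_key_file() {
  src=$1; dest_dir=$2; host=${3:-}
  [ -s "$src" ] || { echo "missing or empty key file: $src" >&2; return 1; }
  dir_mode_ok "$dest_dir" "$host" || { echo "$dest_dir is not rwxr-xr-x" >&2; return 1; }
  if [ -n "$host" ]; then
    scp -q -p "$src" "$host:$dest_dir/$KEY_FILE" || return 1
  else
    cp -p "$src" "$dest_dir/$KEY_FILE" || return 1
  fi
  [ "$(file_digest "$src")" = "$(file_digest "$dest_dir/$KEY_FILE" "$host")" ] \
    || { echo "$KEY_FILE copy does not match the source" >&2; return 1; }
}

# Step 7: delete the key file on the Identity Open Services server once the import
# succeeded. The copy in the ESS defaults directory remains for a later delete/replace.
remove_key_file() {
  if command -v shred >/dev/null 2>&1; then shred -u "$1"; else rm -f "$1"; fi
}

# Usage from the Back-end account. The destination must be the expanded path of
# $ESS_HOME/site_specific/ess.version/defaults on the ESS host; the login is assumed.
#   stage_key_file "$BMC_IDM_SUITE_HOME/security/conf/$KEY_FILE" \
#       /path/to/ess_home/site_specific/ess.version/defaults ess-owner@ess-host
#   (then log in as the ESS Owner and run ISS2DB.sh, option 1, as in step 4)
#   remove_key_file "$BMC_IDM_SUITE_HOME/security/conf/$KEY_FILE"
```

The digest comparison catches a truncated or line-ending-mangled transfer before ISS2DB.sh stores an unusable key hash, which would otherwise only surface later as a failed Identity Open Services connection.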

Troubleshooting

In the ESS Owner account, you can use batchrun commands to display all existing Shared Secrets and to delete all Shared Secrets.

To display which shared secrets exist in the Global Parameters table

1 Enter the following command:

ess batchrun -A

2 Enter the following command:

read_all ess_shared_secret from global_parm;

All of the shared secrets are displayed. Each shared secret is enclosed on both sides by a comma (,).

To delete the shared secrets that exist in the Global Parameters table

1 Enter the following command:

ess batchrun -A

2 Enter the following command:

update global_parm with gp_key=1 set ess_shared_secret="";

All of the shared secrets are deleted. Every Identity Open Services installation that trusted this Enterprise SecurityStation through one of those secrets must then have its key imported again with ISS2DB.sh before it can connect.

Generate a new ID number for the Suite certificates

The Generate ctsa.id option generates a new ctsa.id file with a new idmidvalue number. The ctsa.id file stores an idmidvalue number, a unique random number used as the identifier in all certificate files (for example, exported .cer files) that are exported from a specific idm_suite_home installation. If the BMC Identity Management Suite is deployed on one server, it uses one ctsa.id file. If it is deployed on two servers, it uses one ctsa.id file on each server.

WARNING
This section is applicable only if the file $BMC_IDM_SUITE_HOME/security/conf/ctsa.id is lost or corrupted. Always back up the ctsa.id files after product installation and initial configuration so that you do not have to generate a new ctsa.id file with the procedure in this section. If you generate a new ctsa.id file and value, the current idm_suite_home instance loses its association with all certificate files previously exported from it, because the new identifier is different.

To create a new ctsa.id file and number

1 Log in to the account where you want to generate a new idmidvalue number.
2 Enter the following command to generate the new value:

idm_tools generate_idmid

A new ctsa.id file with an idmidvalue number is created at the following location:
$BMC_IDM_SUITE_HOME/security/conf/ctsa.id

Displaying the Suite URL

The following procedure describes how to use the idm_tools suite_url utility to list the BMC Identity Management Suite host name (or IP address), HTTP (Web) port, listener (Back-end) port, and URL. The URL enables client Web browsers to connect to the BMC Identity Management Suite. In a distributed deployment of the Suite, run this utility only from the Front-end server.

To display the Suite URL

1 Log in to the account for which you want to display configuration information.
2 Enter the following command:

idm_tools suite_url

A listing is displayed that ends with the URL for the BMC Identity Management Suite, where, in the URL:
hostname   Host name of the Front-end server
port       Web Server port number used by the Front-end

Enabling a BMC Identity Management Suite user

Enabling users requires that you perform all of the steps described in this section.

1 - Create the Persons in ESS

Each BMC Identity Management Suite user must be defined as a Person in Enterprise SecurityStation. For more information, see the Enterprise SecurityStation Console User Guide. You can use any of the following Enterprise SecurityStation clients to create the Persons:
BMC User Administration Manager
ESS Console
batchrun
EssClient

2 - Enable use of each product

In each ESS Person properties window, there is a check box to enable or disable each BMC Identity Management Suite product (see Table 26). To enable or disable products, on the ESS Person properties => Applications tabbed page, perform the actions specified in Table 26. The Suite Configuration application tab is enabled in the same way as the products.

NOTE
By default, Password Manager is enabled for each Person, and User Administration Manager and Compliance Manager are disabled. In some sites, the Password Manager parameter may appear on the Password Manager tabbed page instead of on the Applications tabbed page.

Table 26 How to enable a product for a Person in ESS Console

User Administration Manager
  Select the following check box: User is ess administrator
Password Manager
  Clear the following check box: Disabled in Password Manager
Compliance Manager
  Select the following check box: User of Compliance Manager
Request Manager
  Select the following check box: Request Manager
Suite Configuration
  Select the following check box: Configuration Manager

If you want to issue a command using batchrun or EssClient, use the appropriate command in Table 27 to enable each product for a specific Person. (To disable a product, invert the 1 and 0.)

Table 27 Line command to enable products for a Person

User Administration Manager
  UPDATE ent_user WITH user_id=<uid> SET USER_OF_USR_ADMINISTRATION=1
Password Manager
  UPDATE ent_user WITH user_id=<uid> SET PASSPORT_DISABLED=0
Compliance Manager
  UPDATE ent_user WITH user_id=<uid> SET USER_OF_COMPLIANCE_MANAGER=1
Request Manager
  UPDATE ent_user WITH user_id=<uid> SET USER_OF_REQUEST_MANAGER=1
Suite Configuration
  UPDATE ent_user WITH user_id=<uid> SET USER_OF_CONFIGURATION=1

3 - Set the initial password for the user

Do the following:
Set an initial password in each user's Person record. For more information, see Setting the initial password of users on page 175.
Decide whether you want to force the new user to change his or her password at the initial login. See Forcing users to change their initial password on page 176.

4 - Additional product-specific configuration requirements

According to the different requirements of each BMC Identity Management Suite product, it may be necessary to perform the additional configuration specified in Table 28.

NOTE
The User Administration Manager cannot create ESS administrators and cannot connect Persons to ESS administrators. To perform these operations, use another ESS client (for example, the ESS Console).

Table 28 Additional requirements for the Person in ESS

User Administration Manager
  The user's Person must be connected to an ESS administrator. The tasks that can be performed in the User Administration Manager depend on the permissions granted to this ESS administrator. For more information, see the BMC User Administration Manager Administrator Guide.
Password Manager
  The user's Person does not have to be connected to an ESS administrator. For more information, see the BMC Password Manager Administrator Guide.
Compliance Manager
  The tasks performed by users vary according to several Compliance Manager roles. There are four Compliance Manager roles (for example, Central Auditor). One of the roles requires the user's Person to be connected to an ESS administrator. Two of the other roles require the user's Person to be connected to a specific Profile. For more information, see the BMC Compliance Manager Administrator Guide.
Suite Configuration
  The user's Person must be connected to an ESS administrator. The tasks that can be performed in the Suite Configuration tab depend on the permissions granted to this ESS administrator. Tip: You can create an ESS Administrator with Superuser permissions for Suite configuration tasks and revoke it when it is no longer needed for those tasks, so that the Superuser permissions are not standing.

Setting the initial password of users

This section discusses the following topics:
Setting the initial password of users
Setting initial passwords using the Update command
Forcing users to change their initial password
Setting initial passwords using the Change password command
Allow login with empty password
Configure initial challenges and responses

NOTE
For previous users of PassPort: If your site was encrypting passwords using one-way encryption, you do not have to initialize passwords. These users can continue to use their PassPort password at the BMC Identity Management Suite login page. If your site was using PassPort and encrypting passwords using two-way encryption, you must reinitialize passwords.

You can set initial passwords for users during the installation procedure, or at any time after the BMC Identity Management Suite has been installed. For more information, see 12 Initialize the passwords for all Suite users on page 57.

Setting initial passwords using the Update command

Initial passwords for users can be set using an UPDATE command. The UPDATE command can be issued using either of the ESS command-line utilities, batchrun or EssClient. This command updates the Person's password field using the required encryption function.

Important: The new password is not propagated to any other account.

The UPDATE command can only be used when the ESS Global Parameter Enable Common UI Login is cleared; the update password command fails if the check box is selected. For more information, see 13 Enable the Common UI Login parameter on page 58.

WARNING
The Enable Common UI Login check box must be selected for the BMC Identity Management Suite to operate. When there are active users in a production environment and you clear the Enable Common UI Login check box, users can no longer log in or use the system.

For this reason, do either of the following:
Issue this line command only when initially installing the BMC Identity Management Suite. For more information, see 12 Initialize the passwords for all Suite users on page 57.
After users exist in a production environment, clear the Enable Common UI Login parameter at a planned maintenance shutdown (for example, at 3 o'clock in the morning), having warned users ahead of time of the scheduled outage. Then you can safely issue the line command, and select the parameter again afterwards.

The command to update a Person's password is as follows:

UPDATE ent_user WITH user_id=userid SET CURRENT_PASSWORD=password LAST_PWD_UPDATE=yyyymmdd SET_ENCRYPT=1;

For example:

UPDATE ent_user WITH user_id=sl001 SET CURRENT_PASSWORD=essess LAST_PWD_UPDATE=" " SET_ENCRYPT=1;

The command line, a batch file, or the shell history then contains the initial password in cleartext; remove it after the passwords have been set.

Forcing users to change their initial password

TIP
It is good security policy to force all new users to change their passwords when they log in to the BMC Identity Management Suite for the first time. This policy helps to ensure the secrecy of their passwords.

This section applies only when issuing an UPDATE line command (see Setting initial passwords using the Update command on page 175), because you have to set the Date of Last Pwd Change parameter.

NOTE
You can only set the Date of Last Pwd Change when issuing the UPDATE command, not from the ESS Console or from the BMC User Administration Manager, where this field is (by default) read-only.

To force users to change their password at initial login, use the UPDATE line command to set the Person parameter Date of Last Pwd Change (LAST_PWD_UPDATE in the command above) to either an empty value or a value that indicates the password has expired. The first time the user tries to log in, a prompt requests the user to change the password.
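The following script is an added example and is not part of this guide or of BMC's tooling. It builds the batchrun/EssClient statements from Table 27 (enable or disable a product for a Person) and from the UPDATE command above (initial password, with an empty Date of Last Pwd Change so the user must change it at first login) for a list of Person IDs, and validates the user ID before splicing it into a statement so a crafted ID cannot break out of the quoted value. Assumptions: values may be double-quoted as in the guide's CHANGE_PASSWORD example; the "99" glyph printed inside the commands in the guide is a line-wrap marker and is omitted; and batchrun reads statements from standard input.

```shell
#!/bin/sh
# Added example, not BMC tooling: build the batchrun/EssClient UPDATE statements
# from Table 27 and from "Setting initial passwords using the Update command".
# Assumptions: values may be double-quoted as in the guide's CHANGE_PASSWORD example,
# and the "99" glyph printed in the guide's commands is a line-wrap marker.

# Accept only IDs that cannot break out of the quoted user_id value.
valid_uid() {
  case "$1" in
    '' | *[!A-Za-z0-9._-]*) return 1 ;;
  esac
}

# ent_user field and its "enabled" value per product. Password Manager is inverted:
# PASSPORT_DISABLED=0 means the Person may use it.
product_field() {
  case "$1" in
    uam)  echo "USER_OF_USR_ADMINISTRATION 1" ;;
    pm)   echo "PASSPORT_DISABLED 0" ;;
    cm)   echo "USER_OF_COMPLIANCE_MANAGER 1" ;;
    rm)   echo "USER_OF_REQUEST_MANAGER 1" ;;
    conf) echo "USER_OF_CONFIGURATION 1" ;;
    *)    return 1 ;;
  esac
}

# product_cmd PRODUCT UID enable|disable: one UPDATE statement on stdout.
# "disable" inverts the 1 and 0, as the guide instructs.
product_cmd() {
  uid=$2
  valid_uid "$uid" || { echo "invalid user id: $uid" >&2; return 1; }
  spec=$(product_field "$1") || { echo "unknown product: $1" >&2; return 1; }
  field=${spec% *}; on=${spec#* }
  case "$3" in
    enable)  value=$on ;;
    disable) value=$((1 - on)) ;;
    *) echo "action must be enable or disable" >&2; return 1 ;;
  esac
  printf 'UPDATE ent_user WITH user_id="%s" SET %s=%s;\n' "$uid" "$field" "$value"
}

# init_pwd_cmd UID PASSWORD [YYYYMMDD]: set the initial password with the encryption
# function applied (SET_ENCRYPT=1). An empty date leaves Date of Last Pwd Change
# empty, so the user is prompted to change the password at first login.
init_pwd_cmd() {
  uid=$1; password=$2; last=${3:-}
  valid_uid "$uid" || { echo "invalid user id: $uid" >&2; return 1; }
  case "$password" in
    '' | *'"'*) echo "password must be non-empty and contain no double quote" >&2; return 1 ;;
  esac
  case "$last" in
    '' | [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
    *) echo "date must be yyyymmdd or empty" >&2; return 1 ;;
  esac
  printf 'UPDATE ent_user WITH user_id="%s" SET CURRENT_PASSWORD="%s" LAST_PWD_UPDATE="%s" SET_ENCRYPT=1;\n' \
    "$uid" "$password" "$last"
}

# onboard_cmds UID PASSWORD PRODUCT...: the full batch for a new user: enable each
# product, then set an initial password that must be changed at first login.
onboard_cmds() {
  new_uid=$1; new_password=$2; shift 2
  for p in "$@"; do product_cmd "$p" "$new_uid" enable || return 1; done
  init_pwd_cmd "$new_uid" "$new_password"
}

# Usage: write the batch to a private file, feed it to batchrun while Enable Common
# UI Login is cleared, then remove the file, since it holds the cleartext password.
#   umask 077
#   onboard_cmds sl001 "$INITIAL_PASSWORD" uam pm > "$HOME/onboard.bat"
#   ess batchrun -A < "$HOME/onboard.bat"    # assumption: batchrun reads stdin
#   rm -f "$HOME/onboard.bat"
```

The product keywords (uam, pm, cm, rm, conf) are this script's own shorthand for the five rows of Table 27, not ESS names.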

Setting initial passwords using the Change password command

A change password command is issued when you assign a password using any of the following methods:
Line command (batchrun or EssClient)
User Administration Manager
ESS Console (the current version of the ESS Console does not change a Person's password unless the Person is connected to at least one Account)

Important: The new password may be propagated to all of the user's accounts. This differs from the UPDATE command described previously, which does not propagate password changes to any accounts. For new users with no existing accounts, however, propagation of an initial password assigned by an administrator should not be a problem.

NOTE
The synchronization behavior of password changes after a change password command depends on three ESS parameters: Enable Password Sync, Include in Password Sync, and Propagate Person Password Change to. For more information, see Configuring password-change synchronization on page 179.

WARNING
If an existing user in the Enterprise SecurityStation with connected accounts receives a new password assigned by an administrator with a change password command, that user is unable to log in to those accounts until informed of the new password.

The following CHANGE_PASSWORD command is an example of how you can change a Person's password using the batchrun utility:

CHANGE_PASSWORD ent_user WITH user_id="330846" USE_PASSWORD="essess";

Allow login with empty password

WARNING
It is a security risk to allow users to log in before they are assigned a password: anyone who knows or guesses the user ID can take over the account. BMC strongly recommends that you do not enable logging in to the BMC Identity Management Suite with an empty password.

You can implement the policy of allowing users to log in without a password by selecting the ESS Global Parameter Allow login with empty password. For more information, see Password policy parameters tabbed page on page 209.

Configure initial challenges and responses

(Applicable only when you install Password Manager)

Password Manager optionally allows users to log in to the BMC Identity Management Suite by using challenges and responses.

NOTE
For previous users of PassPort: If your site was encrypting responses using one-way encryption, you do not have to initialize responses. Users can continue to work with their PassPort responses in the BMC Identity Management Suite.

The procedure for configuring challenges and responses is described in the BMC Password Manager Administrator Guide.

Disabling a BMC Identity Management Suite user

When managing the BMC Identity Management Suite, it is important to control who can, and who cannot, use each of the BMC Identity Management Suite products. To disable an individual user from using any of the BMC Identity Management Suite products, clear the appropriate check box for each product in that Person's entity record. (For Password Manager, you select the check box to disable the user.)

NOTE
It is recommended that you initially disable all users in your organization, and enable access to the products only for authorized users, at the time you want to allow them to log in to the BMC Identity Management Suite.

To disable use of the BMC Identity Management Suite products

In the Person, Applications tab (in some sites the Password Manager parameter may appear under the Person, Password Manager tab), do the following:

Table 29 Disabling BMC Identity Management Suite products

User Administration Manager
  Clear the following check box: User is ess administrator
Password Manager
  Select the following check box: Disabled in Password Manager
Compliance Manager
  Clear the following check box: User of Compliance Manager
Request Manager
  Clear the following check box: Request Manager
Suite Configuration
  Clear the following check box: Configuration Manager

NOTE
The line commands for the enabling actions are specified in Table 27. Be sure to invert the 1 and 0 to change an enable command into a disable command.

If a user with no products enabled in his or her Person record in the ESS database attempts to log in to the BMC Identity Management Suite, access is denied at the login page and an error message is displayed.

Configuring password-change synchronization

NOTE
This section describes password synchronization only for password changes performed at the Suite login page. For information about password-change synchronization that occurs when users work with Password Manager, see the BMC Password Manager Administration Guide.

You can optionally enable password synchronization when an IdM Suite user changes his or her password on the BMC Identity Management Suite login page:
If you configure password synchronization, changing a password on the Suite login page propagates the new password to all of the user's accounts in the Managed Systems.
If you do not configure password synchronization, only the Suite login page password is changed, not any of the user's account passwords.

Enabling password synchronization from the Suite login page requires both of the following procedures:
Configure the ESS Global parameters that control password synchronization. See Configuring ESS Global parameters on page 180 (below).
Enable password-change synchronization from the Suite login page by selecting a check box in the Suite Configuration tab => Authentication Method. See Enable propagation in the Suite Configuration application on page 181.

Configuring ESS Global parameters

The following parameters in Enterprise SecurityStation control how changes to a Person's password are propagated (the first two are entity parameters; the third is an ESS Global parameter):

Enable Password Sync
  This is a parameter in the Person entity. This check box must be selected to enable password synchronization for the Person. If the check box is clear, no password synchronization takes place for the Person.
Include in Password Sync
  This is a parameter in the Account entity. This check box can be selected or cleared for each individual Account to indicate whether the password for the Account should be changed when password synchronization is initiated for the Person connected to the Account. Note the following: the setting for this parameter is ignored if the Enable Password Sync check box is not selected for the connected Person, and it can be overridden by the Global Parameter Propagate Person Password Change to (described below).
Propagate Person Password Change to
  This is an ESS Global parameter. You can use this parameter to override the setting of all the individual Include in Password Sync parameters in the Account entities.

Enable propagation in the Suite Configuration application

In addition to configuring the ESS Global parameters that control password synchronization, you must perform this procedure to propagate password changes from the Suite login pages.

To enable password-change propagation from the login page

1 In the Suite Configuration tab, click Security and Authentication => Authentication Method. The Define Authentication Method welcome screen is displayed.
2 Click Modify. A Web page dialog is displayed.
3 Select Yes for the following parameter:

Parameter: Changing your Suite password will allow synchronization of other account passwords  [ ] Yes  [ ] No

Description:
  Yes: password changes made at the Suite login page can be propagated to the user's other accounts.
  Note: The synchronization behavior of password changes ALSO depends on these three ESS parameters: Enable Password Sync, Include in Password Sync, and Propagate Person Password Change to. For more information, see Configuring password-change synchronization on page 179.
  No: password changes made at the Suite login page are not propagated to the user's other accounts.

Managing the Session

This section discusses the following topics relating to managing the user session:
- Enabling cookies
- Setting the session time-out interval
- Setting the default tabbed page

Enabling cookies

An individual session starts when a user logs in to the BMC Identity Management Suite, and ends when the user logs out. The BMC Identity Management Suite Identity Common UI Services uses cookies to manage each user session.

Each user must have cookies enabled in his or her browser. By default, browsers are configured to accept cookies. If cookies are disabled, the user must enable them. To learn how to enable cookies, see Appendix A, Enabling cookies in your Web browser, or read the online documentation available in your Web browser.

Setting the session time-out interval

After a specified period of inactivity, as a security precaution, the BMC Identity Management Suite session automatically expires, logging out the user. This section describes how to configure the parameter that specifies the session time-out interval.

To configure the session time-out interval

1 Log in to the Back-end account.
2 Open the file glue-service-config.xml in a text editor. The file is located here:
  $BMC_IDM_SUITE_HOME/glue_core/conf/glue-service-config.xml
3 Locate the text:
  <!--Suite Session time-->
  <max-idle-time>30</max-idle-time>
4 Change the value 30 (default) to any desired value greater than 0. The value is the number of minutes of inactivity that can elapse before the BMC Identity Management Suite automatically logs out the session.
5 Save the file.
6 If the Suite is running, you only have to log in again.

Setting the default tabbed page

The BMC Identity Management Suite can be configured to display a default tabbed page. A default tabbed page is the product page (i.e., Password Manager, User Administration Manager, Compliance Manager) that each authorized user initially views after successfully logging in.

TIP
From the default tabbed page, users can navigate to any other tab by clicking it.

The default tabbed page is configured globally for all users by assigning a priority to each (available) tab. This is done by assigning, in the file glue-web-ui-config.xml, a priority number (e.g., 1, 2, or 3) to the available tabbed pages. The product that the tab represents must be installed.

When a user logs in, the tabbed page that is displayed is determined by the following conditions:

- The priority settings assigned to each tabbed page in the file glue-web-ui-config.xml: either the default settings or any changes you make according to the procedure described in this section.
- The products each user is authorized to use in his/her ESS Person record. In the ESS database, each user's Person entity record contains a check box for enabling that specific user to display and use an available (i.e., installed) BMC Identity Management Suite product. If a user is not authorized to use one or more of the BMC Identity Management Suite products, then when he/she logs in to the BMC Identity Management Suite the tabbed page for that product is not displayed, irrespective of the priority assignment in glue-web-ui-config.xml.

EXAMPLE
If the User Administration Manager has a priority of 1 and the Password Manager has a priority of 2, when a user who is not authorized to access the User Administration Manager logs in, he/she views the Password Manager as the default tabbed page.

For information on how to enable each user to display and use the BMC Identity Management Suite products, see Enabling a BMC Identity Management Suite user on page 172.

To configure the default tabbed page

1 Log in to the Front-end account.
2 Open the file glue-web-ui-config.xml in a text editor. The file is located here:
  $BMC_IDM_SUITE_HOME/glue_web/conf/glue-web-ui-config.xml
3 Locate the text:

  <tab>
    <name>user.administration</name>
    <priority>1</priority>
    <uri>/ctsa/user-administration/main.htm</uri>
    <related-application>usr_administration</related-application>
  </tab>
  <tab>
    <name>password.manager</name>
    <priority>2</priority>
    <uri>/ctsa/password-manager</uri>
    <related-application>password_manager</related-application>
  </tab>
  <tab>
    <name>compliance.manager</name>
    <priority>3</priority>
    <uri>/ctsa/cmpl_mgr_webapp/jsp/index.jsp</uri>
    <related-application>compliance_manager</related-application>
  </tab>

4 Change the priorities for the various tabbed pages as desired. For example, if you want to set the Password Manager tab to priority 1, modify the line under the Password Manager product name to the following: <priority>1</priority>. Order the tabs with priorities from 1 to 3, ensuring that you do not duplicate any number.
5 When you are finished configuring the tab priorities, save the file.
6 If the Suite is running, you only have to log in again.
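To see how the priorities in glue-web-ui-config.xml combine with the products enabled in a user's Person record, here is an added Python example (not part of the BMC product). It parses a constructed excerpt with the default tab entries shown above, enforces the "no duplicate priority" rule from step 4, and picks the tab a given user would land on; the enclosing <tabs> root element is an assumption so the excerpt parses on its own.

```python
import xml.etree.ElementTree as ET
from typing import List, Optional, Set, Tuple

# Constructed excerpt modelled on the default <tab> entries of glue-web-ui-config.xml.
# The <tabs> root element is assumed so that the excerpt parses stand-alone.
SAMPLE_TABS_XML = """<tabs>
  <tab>
    <name>user.administration</name>
    <priority>1</priority>
    <uri>/ctsa/user-administration/main.htm</uri>
    <related-application>usr_administration</related-application>
  </tab>
  <tab>
    <name>password.manager</name>
    <priority>2</priority>
    <uri>/ctsa/password-manager</uri>
    <related-application>password_manager</related-application>
  </tab>
  <tab>
    <name>compliance.manager</name>
    <priority>3</priority>
    <uri>/ctsa/cmpl_mgr_webapp/jsp/index.jsp</uri>
    <related-application>compliance_manager</related-application>
  </tab>
</tabs>"""


def load_tabs(xml_text: str) -> List[Tuple[int, str, str]]:
    """Parse the <tab> entries and validate their priorities.

    Returns (priority, name, related-application) tuples sorted by priority.
    Raises ValueError for a duplicate or non-positive priority, the mistakes
    the procedure tells you to avoid when editing the file.
    """
    root = ET.fromstring(xml_text)
    tabs = []
    for tab in root.iter("tab"):
        priority = int(tab.findtext("priority"))
        if priority < 1:
            raise ValueError(f"priority must be 1 or greater: {tab.findtext('name')}")
        tabs.append((priority, tab.findtext("name"), tab.findtext("related-application")))
    priorities = [p for p, _, _ in tabs]
    if len(set(priorities)) != len(priorities):
        raise ValueError(f"duplicate tab priorities: {sorted(priorities)}")
    return sorted(tabs)


def default_tab(xml_text: str, authorized_apps: Set[str]) -> Optional[str]:
    """Return the name of the tab a user sees first after login.

    authorized_apps holds the related-application values enabled in the user's
    ESS Person record. Tabs for products the user may not use are skipped
    regardless of priority; None means no tab at all (such a user is refused
    at the login page).
    """
    for _, name, app in load_tabs(xml_text):
        if app in authorized_apps:
            return name
    return None


if __name__ == "__main__":
    everything = {"usr_administration", "password_manager", "compliance_manager"}
    print(default_tab(SAMPLE_TABS_XML, everything))
    print(default_tab(SAMPLE_TABS_XML, {"password_manager", "compliance_manager"}))
```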

Configure cryptographic algorithms and key aliases

This section describes procedures that enable you to configure cryptographic algorithms and key aliases by modifying the security-config.xml file.

NOTE
The default values provided by the BMC Identity Management Suite enable you to deploy the Suite without changing any of the parameters.

The following parameters can be modified in the security-config.xml file:

- key-alias: Identifies the authentication key entry in the keystore. Default: Control-SA_authentication
- sign-key-alias: Identifies the signing key entry in the keystore. Default: Control-SA_signing
- cipher: Used to perform two-way encryption/decryption. Default: AES128

The following procedure describes how to change the parameters listed above.

To configure the cipher algorithms and key aliases

1 Log in to the Back-end account.
2 Stop the application server if it is running.
3 Open the file security-config.xml in a text editor. The file is located here:
  $BMC_IDM_SUITE_HOME/security/conf/security-config.xml

To change the alias of the authentication key entry

4 Locate the text:
  <key-alias>Control-SA_authentication</key-alias>
5 Change the value Control-SA_authentication (default) to the alias you want to use. The alias must match an existing key entry in the keystore.

To change the alias of the signing key entry

6 Locate the text:
  <sign-key-alias>Control-SA_signing</sign-key-alias>
7 Change the value Control-SA_signing (default) to the alias you want to use. The alias must match an existing key entry in the keystore.

To change the values and set the priorities for the two-way encryption cipher

8 Locate the text:

  <!-- <cipher>-->
  <!-- <priority>1</priority>-->
  <!-- <cipher-provider-class>com.bmc.idm.ctsa.security.cipher.AES256Cipher</cipher-provider-class>-->
  <!-- </cipher>-->
  <cipher>
    <priority>1</priority>
    <cipher-provider-class>com.bmc.idm.ctsa.security.cipher.AES128Cipher</cipher-provider-class>
  </cipher>
  <cipher>
    <priority>2</priority>
    <cipher-provider-class>com.bmc.idm.ctsa.security.cipher.PBEWithMD5AndTripleDESCipher</cipher-provider-class>
  </cipher>
  <cipher>
    <priority>3</priority>
    <cipher-provider-class>com.bmc.idm.ctsa.security.cipher.DESedeCipher</cipher-provider-class>
  </cipher>

9 Inside each <cipher></cipher> block, you can change the following:
  - The type of cipher. Note: To use AES256Cipher, you must remove its surrounding comment markers and set priorities lower than 1 (i.e., 2, 3, and 4) for the other ciphers. You also must obtain strong cipher jurisdiction policy files.
  - The priority of the cipher (low to high). Low (=1) is the first cipher tried.

NOTE
The JCE architecture allows flexible cryptographic strength to be configured via jurisdiction policy files. The US_export_policy file and the local_policy file (in the standard place for the JCE) are read to determine which cipher to use. The strongest cipher is used according to the priorities you set and the specification in the policy files. For more information, go to the following location:

10 Start the application server.

Configure the System password: temporary or permanent

Configuration Task: Configure the System password: temporary or permanent
Functionality: Specify whether you will be prompted for the System password when you run the start script.
When Performed: After installation
Utility or file: security-config.xml

This section describes how to do the following:
- configure a permanent System password
- change a permanent System password back to a temporary password

The System password is a temporary password by default. When you run many of the idm_tools commands, you must supply the password. The temporary password is not saved in any file.

If you want, you can configure the System password as a permanent password for the start script. With a permanent password, you can run the start script without entering the System password each time you start the application server. A permanent password is saved in encrypted format to a file. The password file has no lifetime, except the time limit established by the keystore password validity period. The default keystore password validity period is 120 months.

NOTE
The permanent password feature is applicable only for starting the Suite.

If you install the BMC Identity Management Suite as a distributed deployment (Front-end and Back-end account), the System password for each account must be configured separately. The System passwords are independent, so it is possible to have one temporary password and one permanent password.

The following procedure describes how to configure the System password, changing it from its default temporary setting to permanent.

To configure the System password to be permanent

1 Log in to the account where you want to change the temporary or permanent attribute of the System password.
2 Stop the application server if it is running.
3 Open the file security-config.xml in a text editor. The file is located here:
  $BMC_IDM_SUITE_HOME/security/conf/security-config.xml
4 Locate the text:
  <use-temp-password>true</use-temp-password>
5 Change the value true (default) to false.
6 Save the file.
7 At the prompt, enter the following command:
  idm_tools passwd
  pass systempassword new_pass newpassword
  You will be prompted to enter the current System password and the new password.

  NOTE
  It is strongly suggested that you enter the current password instead of entering a new password. If you change your password, other Suite features are affected, and you will have to follow several other procedures. For more information, see Warning on page

  The parameters in this command are as follows:
  systempassword: The current System password for the account.
  newpassword: The new System password. This password must contain a minimum of 6 characters.
8 Start the application server. The System password is now permanent when you use the start script.
9 If you have installed the BMC Identity Management Suite as a distributed deployment (Front-end and Back-end), then you must repeat the procedure in the Front-end account.

NOTE
If you want to change the System password back to a temporary password, repeat all of the steps in the procedure, except in security-config.xml change the value false to true.

Implement a non-SSL connection in a distributed deployment

Summary
Applicable only if deploying the BMC Identity Management Suite in two accounts residing in separate servers. For more information, see 1 Determine deployment type on page 33 and Implement a non-SSL connection in a distributed deployment on page 190.

The procedure described in this section is necessary to establish a non-secure (non-SSL) connection between the Front-end account and the Back-end account. It is recommended that you implement an SSL connection in a distributed deployment as described in the previous section, 29 Implement an SSL connection between distributed servers on page 95. However, if for valid reasons you want to disable SSL, follow the procedure described in this section.

Performed by the IdM Suite Administrator.

NOTE
It is recommended that you implement an SSL connection in a distributed deployment as described in the section 30 Implement a trusted connection between distributed servers on page 97.

This section describes how to create a non-secure (non-SSL) connection between the Back-end and the Front-end account in a two-server deployment. If you have not transferred the Back-end JBoss SSL public key certificate between servers as described in the section 29 Implement an SSL connection between distributed servers on page 95, you do not have to perform the procedure described here, because SSL is not implemented. If you have transferred the Back-end JBoss SSL public key certificate, you can leave the certificate that was transferred as is.

When the BMC Identity Management Suite is shipped, the Back-end file jboss-service.xml is configured by default to enable SSL (between the Back-end and the Front-end account for a distributed deployment). The procedure described in this section describes how to disable SSL in the jboss-service.xml file.
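Because disabling SSL is done by commenting out three attributes, a Back-end whose RMI traffic is unexpectedly in the clear leaves no error in any log. The following Python check is an added example (not BMC or JBoss code) that reports whether the RMI SSL attributes described in this section are in effect in a jboss-service.xml; the two excerpts are constructed, and their <server> and <mbean> wrapper elements are assumptions so they parse stand-alone.

```python
import xml.etree.ElementTree as ET
from typing import List, Tuple

# The three attributes that, when present (not commented out) in jboss-service.xml,
# make the Back-end RMI invoker use SSL towards the Front-end.
RMI_SSL_ATTRIBUTES = {
    "RMIClientSocketFactory": "org.jboss.security.ssl.RMISSLClientSocketFactory",
    "RMIServerSocketFactory": "org.jboss.security.ssl.RMISSLServerSocketFactory",
    "SecurityDomain": "java:/jaas/RMI+SSL",
}

# Constructed excerpt in the shipped (SSL enabled) state. The <server> and <mbean>
# wrapper elements and their names are assumptions so the excerpt parses stand-alone.
SSL_ENABLED_XML = """<server>
  <mbean code="example.Invoker" name="example:service=invoker">
    <attribute name="RMIClientSocketFactory">org.jboss.security.ssl.RMISSLClientSocketFactory</attribute>
    <attribute name="RMIServerSocketFactory">org.jboss.security.ssl.RMISSLServerSocketFactory</attribute>
    <attribute name="SecurityDomain">java:/jaas/RMI+SSL</attribute>
  </mbean>
</server>"""

# The same excerpt after the disabling procedure (attributes commented out).
SSL_DISABLED_XML = """<server>
  <mbean code="example.Invoker" name="example:service=invoker">
    <!--
    <attribute name="RMIClientSocketFactory">org.jboss.security.ssl.RMISSLClientSocketFactory</attribute>
    <attribute name="RMIServerSocketFactory">org.jboss.security.ssl.RMISSLServerSocketFactory</attribute>
    <attribute name="SecurityDomain">java:/jaas/RMI+SSL</attribute>
    -->
  </mbean>
</server>"""


def rmi_ssl_status(xml_text: str) -> Tuple[bool, List[str]]:
    """Report whether all RMI SSL settings are in effect.

    Returns (ssl_enabled, problems). A commented-out attribute is invisible to
    the XML parser, so it shows up as missing; an attribute whose value is not
    the SSL socket factory or the RMI+SSL security domain is reported as well.
    """
    root = ET.fromstring(xml_text)
    found = {a.get("name"): (a.text or "").strip() for a in root.iter("attribute")}
    problems = []
    for name, expected in RMI_SSL_ATTRIBUTES.items():
        if name not in found:
            problems.append(f"{name} missing or commented out")
        elif found[name] != expected:
            problems.append(f"{name} is {found[name]!r}, expected {expected!r}")
    return (not problems, problems)


if __name__ == "__main__":
    for label, text in (("shipped", SSL_ENABLED_XML), ("after procedure", SSL_DISABLED_XML)):
        enabled, problems = rmi_ssl_status(text)
        print(f"{label}: RMI SSL enabled={enabled} {problems}")
```

To audit a real Back-end, pass the contents of $JBOSS_HOME/server/idm/conf/jboss-service.xml to rmi_ssl_status; a False result on a server that is supposed to be SSL-protected is worth an alert.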

To disable the SSL connection between the Back-end and the Front-end account in a distributed deployment

1 Log in to the Back-end account.
2 Stop the IdM Suite Back-end (if it is running).
3 Locate the file jboss-service.xml and open it in a text editor. The file is located here:
  $JBOSS_HOME/server/idm/conf/jboss-service.xml
  Disabling SSL consists of commenting out certain lines in the JBoss configuration file jboss-service.xml.
4 In the file, locate the following text:
  <attribute name="RMIClientSocketFactory">org.jboss.security.ssl.RMISSLClientSocketFactory</attribute>
  <attribute name="RMIServerSocketFactory">org.jboss.security.ssl.RMISSLServerSocketFactory</attribute>
  <attribute name="SecurityDomain">java:/jaas/RMI+SSL</attribute>
5 Comment out the text:
  <!--
  <attribute name="RMIClientSocketFactory">org.jboss.security.ssl.RMISSLClientSocketFactory</attribute>
  <attribute name="RMIServerSocketFactory">org.jboss.security.ssl.RMISSLServerSocketFactory</attribute>
  <attribute name="SecurityDomain">java:/jaas/RMI+SSL</attribute>
  -->
6 Save the file.
7 Start the JBoss server.

Configuring log file attributes

This section discusses the following topics:
- Viewing individual log files
- Setting log file attributes

Viewing individual log files

The log data for your application server and for all BMC Identity Management Suite products and components is initially sent to the main application server log file. For information about your server's log file name and path, see your third-party server documentation.

The BMC Identity Management Suite locates the log data for each product and component, deletes it from the server's main log file, and copies it to the following separate log file directories with the log file names indicated below:

$BMC_IDM_SUITE_HOME/glue_core/log/glue-core.log
$BMC_IDM_SUITE_HOME/glue_web/log/glue-web.log
$BMC_IDM_SUITE_HOME/open_services/log/open_services.log
$BMC_IDM_SUITE_HOME/open_services/log/open-services-audit.log
$BMC_IDM_SUITE_HOME/suite_configuration/log/suite_config.log
$BMC_IDM_SUITE_HOME/suite_configuration/log/suite_config_audit.log
$BMC_IDM_SUITE_HOME/password_manager/log/password_manager.log
$BMC_IDM_SUITE_HOME/user_administration/log/user_administration.log
$BMC_IDM_SUITE_HOME/cmpl_mgr_backend/log/cmpl_mgr.log
$BMC_IDM_SUITE_HOME/cmpl_mgr_webapp/log/cmpl_mgr.log

To view the log files, open them in any text editor.

Setting log file attributes

Under each individual product and component, an XML log4j configuration file exists in the conf directory. For example:
$BMC_IDM_SUITE_HOME/user_administration/conf/log4j-config.xml

For each log file, you can configure several log file attributes affecting generation of the log file:

- File size: The file size at which the log file is backed up and a new log file started. By default, when the log file reaches a certain size, the file is backed up and a new file is started. Default: 1 MB
- Backups to retain: Number of recent backup log files to retain. When more than the specified number of backup log files accumulate, the oldest backup is automatically deleted. Default:

- Verbosity level: Types of messages recorded in the log file. The verbosity level determines the volume of messages. Possible levels are info, debug, warn, and error, ranging from most verbose (info) to least (error). A high verbosity level has a negative impact on performance. Default: error

The procedure that follows is an example of configuring log file attributes for the User Administration Manager.

To configure log file attributes

1 Find and open the file log4j-config.xml in a text editor. The file is located here:
  $BMC_IDM_SUITE_HOME/user_administration/conf/log4j-config.xml
2 Locate the text:
  <param name="MaxFileSize" value="1MB"/>
  <param name="MaxBackupIndex" value="5"/>
3 Modify the following parameters as required:
  - Change the string 1MB to the file size at which a new log file is started.
  - Change the value 5 to the maximum number of recent backup log files to retain.
4 To set the verbosity level, locate the text:
  <category name="com.bmc" additivity="false">
    <level value="error"/>
    <appender-ref ref="console"/>
    <appender-ref ref="rollingfile"/>
  </category>
5 Modify the verbosity value error as required.
6 Save the file.

NOTE
Additional parameters affecting log files can be configured. For more information, see the description of the Log4j product in the Jakarta project, accessible from the Web page.

Connection Pool Size

Identity Open Services maintains a pool of open connections to the ESS-API. This allows an Identity Open Services client application to reuse open connections rather than opening and closing connections repeatedly. Increasing the size of the pool can improve performance at the cost of increased memory usage. By default, the maximum number of connections in this pool is set to 50. You can increase or decrease this number as required.

To change the connection pool size

1 Log in to the Back-end account.
2 Open the file open-services-config.xml in a text editor. This file is located in the following directory, where Identity Open Services is installed:
  $BMC_IDM_SUITE_HOME/open_services/conf/
3 Locate the pool size:
  <connection-pool-max-size>
    <value>poolsize</value>
  </connection-pool-max-size>
4 Change the value poolsize to the required pool size.
5 Save the file.
6 Stop Identity Open Services (if it was active) and restart it.

Discovery files

Discovery files are repositories of communication parameters, such as the ports used by the various BMC Identity Management Suite products and components.

If an application needs to communicate with a BMC Identity Management Suite product or component, the software can inspect the relevant discovery file and find the necessary communication parameters (for example, when the Front-end applications need to communicate with the Back-end application). The data in these files is configured by the BMC Identity Management Suite automatically.

Configure SSO links for change password and log off

If you have installed WAM SSO, the default links are automatically reconfigured. If you are using a different SSO system, or need to troubleshoot the links configuration used with WAM, perform the procedure described in this section.

After you log in, the BMC Identity Management Suite uses default URLs as follows:
- Change Password: directs the user to the Suite's Change Password page.
- Log Off: directs the user to the Suite's Log in page.

If you are using SSO, you need to reconfigure the default URLs to direct the user instead to your SSO system's change password and log in pages.

To configure the default URLs used for Change Password and Log Off

1 Log in to the Front-end account.
2 Open the file glue-web-ui-config.xml in a text editor. The file is located here:
  $BMC_IDM_SUITE_HOME/glue_web/conf/glue-web-ui-config.xml
3 To configure the IdM Suite's Change Password links, locate the text:
  <!-- In case the SSO system is WAM, the value should be "/idm/changepassword/changepassword.do"-->
  <url-for-change-password>change-suite-password.do</url-for-change-password>

4 Modify the URL so it directs the user to the change password page of your WAM, or other, SSO system. If you leave the value empty, the Change Password link within the Suite is not displayed.
5 To configure the IdM Suite's Log Off links, locate the text:
  <!-- In case the SSO system is WAM, the value should be "/signon/signout/logout.do"-->
  <url-for-logoff>logoff.do</url-for-logoff>
6 Modify the URL so it directs the user to the login page of your WAM, or other, SSO system.
7 When you are finished configuring the links, save the file.
8 If the IdM Suite is running, you only have to log in again.

Chapter 4 ESS Global parameters

This chapter presents the following topics:
- Defining and enforcing global security parameters
- Modifying global parameters
- General parameters tabbed page
- Audit parameters tabbed page
- Password strength parameters tabbed page
- Password policy parameters tabbed page
- ESS Login parameters tabbed page
- Challenges and responses parameters tabbed page
- Self service parameters tabbed page
- Help Desk parameters tabbed page
- Provisioning Rules parameters tabbed page
- ESS Console parameters tabbed page

Defining and enforcing global security parameters

Global security parameters provide a powerful tool for defining and implementing enterprise-wide security policies. Enterprise SecurityStation enables you to establish, validate, and control security policies across heterogeneous platforms. Global security parameters include parameters such as the minimum number of characters for a Managed System password, and the number of days after which the Managed System password expires.

Default values for the global security parameter fields are set during Enterprise SecurityStation installation. These default values can be modified using the Suite Configuration application, Manage Global Parameters option.

Enterprise SecurityStation can enforce consistent security policies across heterogeneous platforms, but it does not override local settings made on the actual Managed System. Global parameters may be overridden for specific Managed Systems.

All Global parameters (e.g., Min Password Length) should be set and enforced as needed by each site, within the constraints of the field validation rules of the BMC Identity Management Suite and the constraints of the Managed Systems in your network.

NOTE
Changes to global parameters are not applied retroactively to existing entities. For example, changing the global parameter for password expiration (i.e., the interval in days after which an account password becomes invalid) does not affect the password expiration date of the current passwords for existing Accounts.

Modifying global parameters

This section provides an overview of using the ESS Global parameters tabbed Web dialog.

To modify ESS Global parameters

1 In the Suite Configuration tab, click Application Configuration => Manage ESS Global Parameters. The Manage Global parameters welcome page is displayed.
2 Click Update. A tabbed Web page dialog is displayed. The General tab is displayed by default (see Figure 13 on page 199). Click any of the tabs to display the various categories of ESS Global parameters.

Figure 13 General tabbed page

The ESS Global parameters tabbed pages are described in the following locations:
- General parameters tabbed page on page 200
- Audit parameters tabbed page on page 204
- Password strength parameters tabbed page on page 205
- Password policy parameters tabbed page on page 209
- ESS Login parameters tabbed page on page 212
- Challenges and responses parameters tabbed page on page 213
- Self service parameters tabbed page on page 218
- Help Desk parameters tabbed page on page 220
- Provisioning Rules parameters tabbed page on page 222
- ESS Console parameters tabbed page on page

3 Modify any of the Global parameters.
4 Click Next.
5 When prompted for confirmation, click OK.

NOTE
Some ESS Global parameters require that you log in to the Suite again before the new value takes effect.

General parameters tabbed page

Table 30 describes the parameters on the General parameters tabbed page.

Table 30 General tabbed page (Part 1 of 4)

Min Password length
  Minimum password length allowed for an Account password. This field is only applicable when:
  - An ESS Administrator changes a password in the User Administration Manager, ESS Console, batchrun, or EssClient
  - A Help Desk user changes a password.
  Note: A different Min Password length field located on the Password Strength tab is applicable when:
  - Logging into the BMC Identity Management Suite
  - A Password Manager user changes his/her own password (self-service).
  The Min Password length field located on the Password Strength tab must be greater than the Min Password length field located on the General tab, or an error message is displayed. For more information, see the description of the Min Password length field in Table 32.

Password expiration (days)
  Interval in days after which an Account password becomes invalid. Also, interval in days after which an ESS Administrator password becomes invalid. This specific functionality regarding ESS Administrator password lifetime is disabled if you enable the Suite (i.e., if you select Enable Common UI Login). For more information, see the description of the ESS Global parameter Password Expiration under the Password Policy tab.

Table 30 General tabbed page (Part 2 of 4)

Min Account ID Length
  Minimum number of characters for an Account ID.

Max Login Attempts
  Maximum number of unsuccessful login attempts a user is allowed when logging into an account. When the number of unsuccessful login attempts equals Max Login Attempts, the user is locked out of the account.
  Note: A different parameter, Max failed login attempts, is applicable only to attempts to log in from the Suite login page.

*Default Group Processing - User Update
  How to handle changes to an Account's default Group. Available options are:
  Drop: Deletes the current default Group to Account connection. The user is no longer connected to the Group.
  Keep: Keeps the current default Group to Account connection as a normal Group connection.
  Prompt: Prompts whether you wish to keep the Group to Account connection (on a case-by-case basis).

Lock Interval (ESS version : Revoke Interval)
  Maximum number of minutes in which two or more Accounts (connected to a Person) must be revoked (by intruder lockout) to cause all of that Person's Accounts to be revoked.
  Note: Revoke is only propagated to other Managed Systems if Propagate Revoke is selected.

Propagate Revoke
  Whether or not to revoke all the Accounts connected to a Person when any two of the Accounts are revoked within the time limit set in the Revoke Interval field.

Check Organization Type
  Whether or not X.500 organization structure rules are applied when organization entities are connected to each other:
  Cleared: Organization structure rules are not applied. Validity of organization structure is not checked when organization entities are connected.
  Selected: Organization structure rules are applied. Illegal connections are not allowed.

*Organization Separator
  The character selected as a separator between different levels in an organization structure, as displayed in the field Organization Parent in the Organization Properties window. This can be any printable character available from the keyboard.

Table 30 General tabbed page (Part 3 of 4)

Synchronize passwords in reset mode
  Mode in which to change an Account's password when password synchronization is initiated from Enterprise SecurityStation:
  Cleared: Password is changed in Permanent mode. The password must comply with the minimum password length requirements specified for each Managed System.
  Selected: Password is changed in Reset mode. The password does not have to comply with the minimum password length requirements specified for each Managed System.
  Note: This parameter does not affect password synchronization initiated when a user changes a password directly in a managed system and the password is intercepted and propagated to other accounts. In this case, the new password is propagated in permanent mode.
  If Password Manager is installed, a separate parameter, Require password reset, allows you to configure whether a change password request made by an administrator for a Person password (i.e., for the Suite) is made in reset mode. Require password reset does not activate or affect password synchronization.

*Propagate Person Password Change To
  How to handle the change to a Person's password when initiated from Enterprise SecurityStation. Available options are:
  All Managed System Users: Password change is propagated to all Accounts connected to the Person.
  Managed System Users Included in Pwd Sync: Password change is only propagated to those Accounts which have been defined as included in password synchronization.

Table 30 General tabbed page (Part 4 of 4)

Password on Restore
  New password to assign to a previously revoked user when the Account is restored by one of the following methods:
  - Using an ESS Line Command utility such as batchrun. The Password on Restore field is used when a password is required but is not provided by the utility.
  - By restoring a Person. The field Password on Restore is optionally used for each connected Account requiring a password upon being restored.
  Note: A password is required when the Password Required on Restore field is selected in the Managed System Type Properties window.
  Password on Restore can contain either the actual password to assign to the user or an AutoEdit statement of up to 1,024 characters. For example:
  mypass: This sets the password to the literal mypass.
  %%THIS_user_id:%%DATE: This sets the password to a string consisting of the user's login ID plus the current date.

Revoke ESS Admin on revoked Person
  Specify whether revoking a Person causes a connected ESS Administrator to be automatically revoked.

Allow Account Restore
  Whether or not individual Accounts connected to a revoked Person can be restored.
  Cleared: Individual Accounts cannot be restored. To restore Accounts, you must restore the Person to which they are connected. Default.
  Selected: Individual Accounts can be restored.

*Threshold for DB Utilization Warning (%)
  Threshold for issuing a warning message (Sybase database server only). If the percentage of total space currently in use in the Enterprise SecurityStation database exceeds this amount, a warning message is issued to each ESS administrator upon logging in to Enterprise SecurityStation. The current status of the Enterprise SecurityStation database can be viewed using the Database Status dialog box.

Automatic Generation of Short Code
  If selected, Enterprise SecurityStation automatically generates a unique value for the field Short Code when a new TCP/IP platform is defined in the Platform Entity window.

NOTE The * symbol indicates that the field is mandatory.

Audit parameters tabbed page

The Audit parameters tabbed page is displayed in Figure 14. Table 31 describes the parameters on the Audit parameters tabbed page.

Figure 14 Audit parameters tabbed page

Table 31 Audit parameters tabbed page (Part 1 of 2)

Audit in Download
    Whether or not audit entries should be generated for all Managed System entities received during a download:
    - Audit entries are not generated. Default.
    - Audit entries are generated.
    Note: If this option is selected, downloads operate more slowly and more space is required in the Enterprise SecurityStation database.

Audit in Global Sync
    Whether or not audit entries should be generated for all Managed System entities received during a global synchronization:
    - Audit entries are not generated. Default.
    - Audit entries are generated.
    Note: If this option is selected, global synchronization operates more slowly and more space is required in the Enterprise SecurityStation database.

Table 31 Audit parameters tabbed page (Part 2 of 2)

Audit in Details
    Determines the level of detail recorded by audit entries for changes to the Enterprise SecurityStation database:
    - Audit entries are generated for each record added, modified, or deleted.
    - Audit entries are generated for every change to every field in each record added, modified, or deleted. Default.
    Note: It is highly recommended that you do not select both Audit in Download and Audit in Global Sync; if both are selected, downloads and global synchronization operate much more slowly and an excessive amount of space is required in the Enterprise SecurityStation database.

Audit Automated Insert of Persons
    Whether or not audit entries should be generated for each Person record inserted by user exit essue002. This exit is called during downloads, during global synchronization, and by the datasync utility.
    - Audit entries are not generated. Default.
    - Audit entries are generated.

Password strength parameters tabbed page

Enforcing a strong set of password policies is a critical step in preventing intruders from guessing or cracking passwords that could give them entry to your network. Strong passwords must be created according to all of these rules:
- a minimum length of 8 characters
- created from random characters (that is, not found in any dictionary)
- contains characters from at least 3 of the following 4 categories:
    - upper-case letters (A-Z)
    - lowercase letters (a-z)
    - numbers (0-9)
    - special characters (for example, #$%)

NOTE Your administrator selects the set of special characters you can use in your password.

Important: A central feature of the BMC Identity Management Suite is the optional automatic propagation of password changes to all managed systems. For this reason, whatever password policy requirements you set on the Password strength and Password policy tabbed pages must be consistent with the password requirements and limits for creating passwords in each Managed System connected to Enterprise SecurityStation. Otherwise a password that the Suite accepts can be rejected by a Managed System when it is propagated.

EXAMPLE If a Managed System disallows passwords containing the space character, or any other special character, you cannot create in the Suite a password strength policy that allows these disallowed characters.

The Password strength tabbed page is displayed in Figure 15. Table 32 describes the parameters on the Password strength tabbed page.

Figure 15 Password strength parameters tabbed page

Table 32 Password strength parameters tabbed page (Part 1 of 2)

*Min password length
    Minimum password length allowed for a Person password. This field is applicable only when:
    - logging in to the BMC Identity Management Suite
    - a Password Manager user changes his or her own password (self-service).
    The Min Password length field on the Password Strength tab must be greater than or equal to the Min Password length field on the General tab, or an error message is displayed.
    Note: A different Min Password length field, on the General tab, is applicable when:
    - an ESS Administrator changes a password in the User Administration Manager or ESS Console
    - a Help Desk user changes a password.
    For more information, see the description of the Min Password length field in Table 30.
    (Only applicable when Password Manager is installed. Default: 8 characters)

Max password length
    (Only applicable when Password Manager is installed.) Specifies the maximum number of characters allowed in a password.

Upper Case Characters in Password
    (Only applicable when Password Manager is installed.) Determines whether upper-case letters are required and, if they are, the range of upper-case letters the password must contain.
    - Min: the minimum number of upper-case characters.
    - Max: the maximum number of upper-case characters.

Lower Case Characters in Password
    (Only applicable when Password Manager is installed.) Determines whether lower-case letters are required and, if they are, the range of lower-case letters the password must contain.
    - Min: the minimum number of lower-case characters.
    - Max: the maximum number of lower-case characters.

Table 32 Password strength parameters tabbed page (Part 2 of 2)

Digits in password
    (Only applicable when Password Manager is installed.) Determines whether digits are required and, if they are, the range of digits the password must contain.
    - Min: the minimum number of digits.
    - Max: the maximum number of digits.

Special Chars allowed in Password
    (Only applicable when Password Manager is installed.) Lists the special characters that users can include in their passwords. You can list any characters or symbols that can be displayed on screen, for example: Nm%^+.?#,
    Although you can specify alphanumeric characters as special characters, it is highly recommended that you use only characters such as punctuation marks. Default is null.

Special Characters in Password
    (Only applicable when Password Manager is installed.) Determines whether special characters are required and, if they are, the range of special characters the password must contain. A special character can be any ASCII character.
    - Min: the minimum number of special characters.
    - Max: the maximum number of special characters.

Allow space in password
    (Only applicable when Password Manager is installed.) Determines whether spaces are allowed within the password. Default is null.

Other Chars not allowed in Password
    (Only applicable when Password Manager is installed.) Lists other characters that users cannot use in passwords. You can list any characters or symbols that can be displayed on screen, for example: Nm%21^+.?#, Default is null.

NOTE The * symbol indicates that the field is mandatory.

Password policy parameters tabbed page

The Password policy page is displayed in Figure 16. Table 33 describes the parameters on the page.

Figure 16 Password policy tabbed page

Table 33 Password policy parameters tabbed page (Part 1 of 2)

*Password Expiration (days)
    Interval in days after which the Suite password (that is, the Person password) becomes invalid. This parameter is disabled if you disable the Suite (that is, if you clear Enable Common UI Login). For more information, see the description of the ESS Global parameter Password Expiration under the General tab.

*Min Password Change Interval (days)
    (Only applicable when Password Manager is installed.) Minimum number of days that must pass before a user can change the password. Default is null.

*Max Failed Login Attempts
    (Only applicable when Password Manager is installed.) Number of failed login attempts to the Suite which, if exceeded, prevents a user from logging in to the Suite. Default is null.
    Note: The ESS Global parameter Max Login Attempts is a different parameter, applicable to ESS Administrators who log in to ESS using ESS Console, batchrun, or ESSClient. When ESS Administrators log in to these clients, a separate counter keeps track of their failed login attempts.

Prevent using previous passwords
    (Only applicable when Password Manager is installed.) If selected, a new password cannot be created that reuses a previous password (see Password History Count). Default: password reuse is not prevented.

Password History Count
    (Only applicable when Password Manager is installed.) Number of previous passwords to retain for each user. Only relevant when Prevent using previous passwords is selected. The user cannot reuse a recent password as long as it is retained. Default is null.

Prevent using Response as Password
    (Only applicable when Password Manager is installed.) Only applicable if challenge/response login is used. If selected, you cannot create a password that contains one of your responses to a challenge. Default: not prevented.

+Prevent Personal Details as Password
    (Only applicable when Password Manager is installed.) If selected, you cannot create a password that contains elements from the personal details you select in Personal details to check. Default: not prevented.

Personal details to check
    (Only applicable when Password Manager is installed.) Only applicable when Prevent Personal Details as Password is selected. Specify which personal details items cannot be included in a new password.

Table 33 Password policy parameters tabbed page (Part 2 of 2)

Prevent Substring of Personal Details as Pwd
    (Only applicable when Password Manager is installed.) If selected, substrings of the selected personal details are checked against the password, and any match disallows the new password.

Length of Substring to compare
    (Only applicable when Password Manager is installed.) Only applicable when Prevent Substring of Personal Details as Pwd is selected. Specify the number of characters to extract from the new password for comparison against the Personal details to check entries. Default: null

+Use external word dictionaries
    (Only applicable when Password Manager is installed.) If selected, the new password is checked against one or more dictionaries specified by the Dictionary files parameter. If the password is found in one of the dictionaries, it cannot be used as a new password. Default: external dictionaries are not used.

Dictionary files
    (Only applicable when Password Manager is installed.) Only applicable when Use external word dictionaries is selected. Specify which dictionaries should be used in a dictionary check against the new password. Default: pwd_chk.dictionary

Prevent reusing current password substring
    (Only applicable when Password Manager is installed.) If selected, substrings of the current password are checked against the new password, and any match disallows the new password.

Chars to compare from current password
    (Only applicable when Password Manager is installed.) Only applicable when Prevent reusing current password substring is selected. Specify the size of the current password substring to compare.

NOTE The * symbol indicates that the field is mandatory. The + symbol indicates that the field is case-sensitive.
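The checks that Tables 32 and 33 describe, worked through in one place. This is an added example, not BMC code: the parameter names follow the two tables, but the PasswordPolicy field names, the check_password() function, the digest-based history comparison, and the sample site policy, history and candidate passwords are constructed for the demonstration. It shows how the character-class ranges, the allowed/disallowed character lists, the history count, the personal-details substring window, the dictionary check and the current-password substring check combine into a single accept/reject decision.

```python
"""Evaluate a candidate Person password against the Password strength (Table 32)
and Password policy (Table 33) parameters.

Added example, not BMC code. Parameter names follow the tables; the
PasswordPolicy field names, check_password() and the constructed sample data are
this example's own. History entries are compared as SHA-256 digests so that old
passwords are never kept in clear text here; the page does not describe the
product's own storage format.
"""
import hashlib
import string
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

Range = Tuple[int, Optional[int]]  # (Min, Max); Max None = no upper bound


@dataclass
class PasswordPolicy:
    min_length: int = 8                    # *Min password length
    max_length: Optional[int] = None       # Max password length
    upper: Range = (0, None)               # Upper Case Characters in Password
    lower: Range = (0, None)               # Lower Case Characters in Password
    digits: Range = (0, None)              # Digits in password
    special: Range = (0, None)             # Special Characters in Password
    special_allowed: str = ""              # Special Chars allowed in Password ("" = null)
    allow_space: bool = False              # Allow space in password
    other_not_allowed: str = ""            # Other Chars not allowed in Password
    history_count: int = 0                 # Password History Count (0 = reuse not prevented)
    prevent_response: bool = False         # Prevent using Response as Password
    personal_details: Tuple[str, ...] = () # values of the Personal details to check
    detail_substring_len: int = 0          # Length of Substring to compare (0 = off)
    dictionary: FrozenSet[str] = frozenset()  # words loaded from Dictionary files
    current_substring_len: int = 0         # Chars to compare from current password (0 = off)


def digest(pw: str) -> str:
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


def windows(text: str, n: int) -> set:
    """All lower-cased substrings of length n (empty if n is 0 or text is too short)."""
    t = text.lower()
    return {t[i:i + n] for i in range(len(t) - n + 1)} if 0 < n <= len(t) else set()


def range_check(name: str, count: int, bounds: Range, problems: List[str]) -> None:
    lo, hi = bounds
    if count < lo:
        problems.append(f"{name}: at least {lo} required, found {count}")
    if hi is not None and count > hi:
        problems.append(f"{name}: at most {hi} allowed, found {count}")


def check_password(new_pw: str, policy: PasswordPolicy, current_pw: str = "",
                   history_digests=(), responses=()) -> List[str]:
    """Return the policy violations; an empty list means the password is accepted.
    history_digests is ordered most recent first; only the first History Count entries count."""
    problems: List[str] = []
    if len(new_pw) < policy.min_length:
        problems.append(f"shorter than Min password length {policy.min_length}")
    if policy.max_length is not None and len(new_pw) > policy.max_length:
        problems.append(f"longer than Max password length {policy.max_length}")

    alnum = string.ascii_letters + string.digits
    specials = [c for c in new_pw if c not in alnum and c != " "]
    range_check("upper-case", sum(c.isupper() for c in new_pw), policy.upper, problems)
    range_check("lower-case", sum(c.islower() for c in new_pw), policy.lower, problems)
    range_check("digits", sum(c.isdigit() for c in new_pw), policy.digits, problems)
    range_check("special characters", len(specials), policy.special, problems)
    if " " in new_pw and not policy.allow_space:
        problems.append("spaces are not allowed")
    bad = {c for c in specials if policy.special_allowed and c not in policy.special_allowed}
    bad |= {c for c in new_pw if c in policy.other_not_allowed}
    if bad:
        problems.append("characters not allowed: " + "".join(sorted(bad)))

    if policy.history_count and digest(new_pw) in list(history_digests)[:policy.history_count]:
        problems.append("reuses one of the retained previous passwords")
    low = new_pw.lower()
    if policy.prevent_response and any(r and r.lower() in low for r in responses):
        problems.append("contains a challenge response")
    n = policy.detail_substring_len
    for detail in policy.personal_details:
        if detail and detail.lower() in low:
            problems.append(f"contains personal detail {detail!r}")
        elif n and windows(detail, n) & windows(new_pw, n):
            problems.append(f"shares a {n}-character substring with {detail!r}")
    if policy.dictionary and low in policy.dictionary:
        problems.append("found in dictionary")
    m = policy.current_substring_len
    if m and current_pw and windows(current_pw, m) & windows(new_pw, m):
        problems.append(f"reuses a {m}-character substring of the current password")
    return problems


# Constructed sample site policy and password history for the demonstration.
SITE_POLICY = PasswordPolicy(
    min_length=8, max_length=16, upper=(1, None), lower=(1, None), digits=(1, None),
    special=(1, 3), special_allowed="%^+.?#,", other_not_allowed="@",
    history_count=3, prevent_response=True,
    personal_details=("Dana", "Reyes", "1979"), detail_substring_len=4,
    dictionary=frozenset({"password", "welcome1", "summer2006"}), current_substring_len=4,
)
HISTORY = [digest(p) for p in ("Old#Pass1", "Old#Pass2", "Old#Pass3", "Old#Pass4")]

if __name__ == "__main__":
    for candidate in ("Tr5.Kw9?zq", "Old#Pass2", "Dana1979!", "summer2006"):
        print(candidate, "->", check_password(candidate, SITE_POLICY, current_pw="Old#Pass4",
                                              history_digests=HISTORY) or "accepted")
```

The substring checks follow the wording of Table 33: a window of Length of Substring to compare characters is slid over the personal detail and over the new password, and any shared window is a match. Because the Suite propagates accepted passwords to every connected Managed System, the character-list parameters in SITE_POLICY should be the intersection of what all those systems accept, as the Important note above requires.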

ESS Login parameters tabbed page

The ESS Login tabbed page is displayed in Figure 17. The parameters described in Table 34 set global login policies for ESS administrators and for users of the BMC Identity Management Suite.

NOTE These policies also affect ESS administrators who log in to ESS clients that do not connect through Open Services, such as the ESS Console, EssClient, and batchrun.

Figure 17 ESS Login tabbed page

Table 34 ESS Login tabbed page (Part 1 of 2)

Login Message
    Text of a message displayed when an ESS administrator logs in to Enterprise SecurityStation.

Allow login with empty password
    Determines whether an IdM Suite user or ESS administrator whose password is empty can log in. This parameter can be used, for example, to prevent an IdM Suite user from logging in to the product after installation and before the user has been assigned a temporary password.
    - Enable login with empty password.
    - Disable login with empty password. Default.
    Leave this disabled. When it is enabled, any Person or ESS administrator record that has no password yet can be used to log in by anyone who knows its login ID.

Table 34 ESS Login tabbed page (Part 2 of 2)

*Login ID field name
    The field in the Person record that is used as the login ID for logging in to the BMC Identity Management Suite. Select a field whose value is unique for each Person. Possible fields are:
    - Person ID (appears as "user ID")
    - User Name
    - User-defined index (1 through 6)
    Up to six fields in the Person record can be selected as index fields (numbered 1 through 6). You can select the corresponding index number here to set one of these fields as the login ID field. For more information about index fields, see the description of the Index Key parameter in the Enterprise SecurityStation Console Administration Guide.

Allow log in with challenge/response
    (Only applicable when Password Manager is installed.) Whether challenge/response login is enabled. (Note: challenges and responses must also be defined.)
    - Challenge/response login is enabled. Default.
    - Challenge/response login is disabled.

Enable Common UI Login
    Select this parameter to activate the Suite. If it is cleared, the Suite cannot function, and the Person password field is not active.

NOTE The * symbol indicates that the field is mandatory.

Challenges and responses parameters tabbed page

Enforcing a strong challenge/response policy is as important as creating strong passwords. Logging in with challenges/responses is intended for situations in which you have forgotten your password, and it requires that the user immediately change his or her password. Because this path bypasses the password entirely, a guessable response is equivalent to a guessable password. Strong responses should have a minimum of 6 words and should be designed to be extremely difficult to guess. Do not set up responses such as your birth date or telephone number. Responses should contain secret information that only you know.

The Challenge and response policy parameters tabbed page is displayed in Figure 18 on page 215. Table 35 on page 216 describes the parameters on the Challenge and response policy tabbed page.

There are two types of challenges available for a site:
- User-defined challenges: created in Password Manager by end users. The procedure to create user-defined challenges is described in the BMC Password Manager User Guide.
- Site-defined challenges (described below): created by an administrator in the User Administration Manager to be used globally by all end users of Password Manager.

To create, edit, or delete site-defined challenges

1 On the Challenges/Responses tabbed page, click Create. In the screen that is displayed, enter a unique ID and the text for the challenge.

To edit an existing challenge, select the challenge, click Edit, and use the resulting screen to change the ID or the text of the challenge.

WARNING Changing the ID or content of an existing challenge, or deleting existing challenges, may prevent users of Password Manager from logging in using challenges/responses.

To delete one or more challenges, select the challenges and click Delete.

Figure 18 Challenge and response parameters tabbed page

Table 35 describes the fields in the Challenge and response parameters tabbed page.

Table 35 Challenge and response policy parameters tabbed page (Part 1 of 3)

*Challenge Type
    (Only applicable when Password Manager is installed.)
    - User defined: each user separately defines challenges for his or her own use.
    - Site defined: the site defines challenges that are used by all Password Manager users.

*Min Number of Defined Challenges
    (Only applicable when Password Manager is installed.) Minimum number of challenges that must be defined by the site or by the user. Password Manager selects a random subset of these challenges to display.

*Number of Login Challenges to Display
    (Only applicable when Password Manager is installed.) The number of challenges displayed as a series of prompts to the user. The challenges displayed are chosen at random from the list of available challenges. The value should be equal to or greater than Min Number of Correct Responses, and equal to or less than Min Number of Defined Challenges.

*Min Number of Correct Responses
    (Only applicable when Password Manager is installed.) The minimum number of challenges a user must answer correctly in order to log in.

*Min Response Length
    (Only applicable when Password Manager is installed.) Minimum number of characters required in each response, not including spaces.

*Min Challenge Length
    (Only applicable when Password Manager is installed.) Applicable only to user-defined challenges. Minimum number of characters required in each challenge, including spaces.

Table 35 Challenge and response policy parameters tabbed page (Part 2 of 3)

*Max Failed Challenge/Response Login Attempts
    (Only applicable when Password Manager is installed.) The maximum number of failed login attempts. A failed login attempt is a complete series of responses that does not contain enough correct responses to log in, as measured by Min Number of Correct Responses. When Max Failed Challenge/Response Login Attempts is reached, the user cannot log in to the BMC Identity Management Suite using challenge/response login. The user can still log in with a password if not already locked out of that method as well. The Suite password must be changed to restore the ability to log in by challenge/response.

Prevent using current password as response
    (Only applicable when Password Manager is installed.) If selected, you cannot specify a response that matches the current password. Default: not prevented.

Prevent using latest passwords as response
    (Only applicable when Password Manager is installed.) If selected, a response cannot be created that uses a previous password (see Password Policy Parameters: Password History Count). Default: not prevented.

Prevent reuse duplicate responses
    (Only applicable when Password Manager is installed.) If selected, you cannot duplicate a response that you are already using. Default: duplicate responses cannot be reused.

Prevent using Person's details as response
    (Only applicable when Password Manager is installed.) If selected, you cannot create a response that contains elements from the personal details you specify in Personal details to check in response.

+Personal details to check in response
    (Only applicable when Password Manager is installed.) Only applicable when Prevent using Person's details as response is selected. Specify which personal details items cannot be included in a response.

Prevent Substring of Personal Details as Response
    (Only applicable when Password Manager is installed.) If selected, substrings of personal details are checked against the responses, and any match disallows the new response.

Table 35 Challenge and response policy parameters tabbed page (Part 3 of 3)

Length of substring to compare
    (Only applicable when Password Manager is installed.) Only applicable when Prevent Substring of Personal Details as Response is selected. Specify the number of characters to extract from the response for comparison against the Personal details to check in response entries. Default: null

+Prevent words from dictionaries as responses
    (Only applicable when Password Manager is installed.) If selected, any new response is checked against one or more dictionaries.

Dictionary files for responses
    (Only applicable when Password Manager is installed.) Only applicable when Prevent words from dictionaries as responses is selected. Specify which dictionaries should be used in a dictionary check against the new response. Default: pwd_check.dictionary

NOTE The * symbol indicates that the field is mandatory. The + symbol indicates that the field is case-sensitive.

Self service parameters tabbed page

Self-service describes the capability of a Password Manager end user to perform a set of important tasks that would ordinarily require the assistance of a help desk staff member. Password Manager enables end users to perform the following self-service tasks for their own accounts:
- change and synchronize all account passwords in a single operation
- change the passwords for selected user accounts
- view a complete list of enabled/disabled accounts
- enable user accounts (certain limitations may be configured by your system administrator)
- register new accounts

For more information, see the BMC Password Manager User Guide.
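The login flow that the Table 35 counts and limits govern, as an added example that is not BMC code. The parameter names follow Table 35, but the ChallengePolicy and PersonChallenges classes, the sample challenges, and two behaviours the page does not specify (exact string comparison of responses, and a successful login clearing the failure counter) are this example's own assumptions. One rule is taken directly from the table: once Max Failed Challenge/Response Login Attempts is reached, only a Suite password change restores challenge/response login.

```python
"""Model the challenge/response login flow that the Table 35 parameters govern.

Added example, not BMC code. Parameter names follow Table 35; the class and
function names, the sample challenges, exact-match comparison of responses and
the rule that a successful login resets the failure counter are this example's
own assumptions.
"""
import random
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class ChallengePolicy:
    min_defined_challenges: int  # *Min Number of Defined Challenges
    challenges_to_display: int   # *Number of Login Challenges to Display
    min_correct_responses: int   # *Min Number of Correct Responses
    min_response_length: int     # *Min Response Length (spaces not counted)
    max_failed_attempts: int     # *Max Failed Challenge/Response Login Attempts


def validate_policy(p: ChallengePolicy) -> List[str]:
    """The ordering constraint Table 35 states for Number of Login Challenges to Display."""
    errors = []
    if p.challenges_to_display < p.min_correct_responses:
        errors.append("Number of Login Challenges to Display is below Min Number of Correct Responses")
    if p.challenges_to_display > p.min_defined_challenges:
        errors.append("Number of Login Challenges to Display exceeds Min Number of Defined Challenges")
    return errors


def response_length_ok(response: str, p: ChallengePolicy) -> bool:
    """Min Response Length is counted without spaces."""
    return len(response.replace(" ", "")) >= p.min_response_length


@dataclass
class PersonChallenges:
    """Enrolled responses and the per-Person challenge/response lockout state."""
    responses: Dict[str, str] = field(default_factory=dict)  # challenge ID -> response
    failed_attempts: int = 0
    cr_locked: bool = False

    def enrol(self, challenge_id: str, response: str, p: ChallengePolicy) -> None:
        if not response_length_ok(response, p):
            raise ValueError(f"response for {challenge_id} is shorter than Min Response Length")
        if response in self.responses.values():  # Prevent reuse duplicate responses (default on)
            raise ValueError(f"response for {challenge_id} duplicates an existing response")
        self.responses[challenge_id] = response

    def select_challenges(self, p: ChallengePolicy, rng=random) -> List[str]:
        """The random subset shown at login; fails if too few challenges are defined."""
        if len(self.responses) < p.min_defined_challenges:
            raise ValueError("fewer challenges defined than Min Number of Defined Challenges")
        return rng.sample(sorted(self.responses), p.challenges_to_display)

    def attempt_login(self, answers: Dict[str, str], p: ChallengePolicy) -> str:
        """One complete series of answers counts as one attempt, as Table 35 defines it."""
        if self.cr_locked:
            return "locked"
        correct = sum(1 for cid, given in answers.items() if self.responses.get(cid) == given)
        if correct >= p.min_correct_responses:
            self.failed_attempts = 0  # assumption: success clears the counter
            return "accepted_must_change_password"  # the page: the user must change the password at once
        self.failed_attempts += 1
        if self.failed_attempts >= p.max_failed_attempts:
            self.cr_locked = True  # password login stays available unless locked separately
            return "locked"
        return "failed"

    def on_suite_password_change(self) -> None:
        """Table 35: changing the Suite password restores challenge/response login."""
        self.failed_attempts = 0
        self.cr_locked = False


# Constructed sample policy and enrolment for the demonstration.
POLICY = ChallengePolicy(min_defined_challenges=5, challenges_to_display=3,
                         min_correct_responses=2, min_response_length=6, max_failed_attempts=3)


def sample_person() -> PersonChallenges:
    person = PersonChallenges()
    for cid, resp in [("Q1", "first bicycle"), ("Q2", "red lighthouse"),
                      ("Q3", "grandmother's soup"), ("Q4", "old oak table"),
                      ("Q5", "winter in cork")]:
        person.enrol(cid, resp, POLICY)
    return person


if __name__ == "__main__":
    person = sample_person()
    shown = person.select_challenges(POLICY, random.Random(7))
    print("challenges shown:", shown)
    print(person.attempt_login({cid: person.responses[cid] for cid in shown}, POLICY))
```

Note what the lockout does and does not cover: attempt_login counts a whole series of answers as one attempt, so a guesser gets max_failed_attempts full series, each against a fresh random subset of challenges; and the lock applies only to this path, so the password route is untouched until its own Max Failed Login Attempts counter trips.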

The Self service parameters tabbed page is displayed in Figure 19. Table 36 describes the parameters.

Figure 19 Self-service parameters page

Table 36 Manage Self Service page (Part 1 of 2)

+Require current password on password change
    (Only applicable when Password Manager is installed.) If selected, users must enter their current password in addition to their new password in order to change their password in Password Manager. Default: current password not required on password change.
    If this is cleared, a new password can be set from any Password Manager session that is already logged in, without proof that the person at the keyboard knows the current one.

Enable accounts before changing person password
    (Only applicable when Password Manager is installed.) Applicable only when changing the password on the Password tabbed page (not from the Password page for individual Accounts). When a user changes the password on the Password tabbed page, the following occurs:
    - Selected: according to the check boxes selected for Allow person to unlock accounts and Allow person to restore accounts, in addition to changing the password for the user's accounts, Password Manager also attempts to automatically enable the user's accounts (unlock, restore, or both). Note: Selecting this option does not restore revoked Persons.
    - Cleared: Password Manager changes the user's password but does not attempt to automatically enable the user's accounts. Default: cannot enable Accounts.

Table 36 Manage Self Service page (Part 2 of 2)

Allow person to restore accounts
    (Only applicable when Password Manager is installed.) If selected, users can restore their own Accounts with Password Manager. Default: cannot restore Accounts.

Allow person to register accounts
    (Only applicable when Password Manager is installed.) If selected, users can register their own Accounts with Password Manager. Default: cannot register Accounts.
    Note: If this parameter is not selected, the Register new accounts link in Password Manager is not displayed.

Allow person to unlock accounts
    (Only applicable when Password Manager is installed.) If selected, users can unlock their own Accounts with Password Manager. Applicable if the Managed System supports locked/unlocked accounts. Default: cannot unlock Accounts.

Show Accounts in Change Password
    (Only applicable when Password Manager is installed.) If selected, on the Change Password page users can:
    - view all of their individual accounts
    - select which account passwords should be changed
    If cleared, individual accounts are not displayed on the Change Password page, and the user can only change all account passwords.

NOTE The + symbol indicates that the field is case-sensitive.

Help Desk parameters tabbed page

If a third-party Help Desk application is supported (for example, Remedy Help Desk), you can select one or more commands that support generating a Help Desk ticket, or a transaction status that generates a Help Desk ticket.

To define Help Desk criteria

1 Click the Help Desk tab.
2 Select Help Desk Application is Supported. Figure 20 is displayed. Table 37 describes the additional parameters.

Figure 20 Help Desk tabbed page

Table 37 Help Desk parameters (Part 1 of 2)

Help Desk Application Name
    Remedy

Commands That Support Ticket Creation
    Click the arrow to select the commands that support ticket creation.

Originated By
    Determines by whom a ticket is generated:
    - All
    - All but PassPort
    - None
    - PassPort only

Transaction Status Generates A Ticket
    Determines how a ticket is generated:
    - All: all statuses generate a ticket.
    - Error: an error status generates a ticket.
    - None: no tickets are generated.

Help Desk Server IP Address
    IP address of the Help Desk server

Help Desk Server Port
    Port number of the Help Desk server

Table 37 Help Desk parameters (Part 2 of 2)

Help Desk Administrator Name
    Name of the Help Desk administrator

Help Desk Administrator Password
    Password of the Help Desk administrator

Help Desk Schema Name
    Schema name of the Help Desk

Provisioning Rules parameters tabbed page

Table 38 describes the parameter on the Provisioning Rules tabbed page.

Table 38 Global parameter Provisioning Rules parameters

Last successful activation
    Time and date that the Provisioning Rules (biz_rules) utility was activated to apply Provisioning rules.

ESS Console parameters tabbed page

Customizing Session Timeout

By default, there is no timeout for an inactive ESS Console session. The session remains active until the ESS administrator shuts down the ESS Console application. You have the option of activating the Session Timeout function. If this is done, after an ESS Console session has been inactive for the defined timeout period, the ESS administrator is locked out and required to re-enter the password before continuing to work in the ESS Console. Because an ESS Console session carries the full privileges of the logged-in ESS administrator, set a Session Timeout on any workstation that can be left unattended.

NOTE Starting from version , the Session Timeout field is already defined in Enterprise SecurityStation. For Enterprise SecurityStation version or earlier, you must define the field (refer to the ESS Console Installation Guide).

Customizing Connection Timeout Values

If an ESS administrator performs an operation using the ESS Console that requires more than a certain amount of time to finish (typically one minute), the ESS Console assumes that the connection to the Application Server has been lost and issues an error message to the ESS administrator. (To continue working, the ESS administrator must select System => Start Connection in the Enterprise SecurityStation Console window.) In some cases, complex operations such as connecting a Person to a Profile may require more time than this default timeout allows, resulting in an unnecessary lost-connection message.

A global default timeout value is specified in the Login Profile parameter Server Timeout. You can modify the default timeout value for specific types of operations so that the lost-connection error message does not occur unnecessarily. The Timeout Values list field has the following subfields:

Table 39 Timeout Values subfields

Action     Type of action (for example: INSERT, UPDATE, CONNECT)
Entity1    The first entity, or * for all entities (see Table 40)
Entity2    The connected entity, or * for all entities (see Table 40)
Timeout    The timeout value for this operation (in seconds)

NOTE Any combination of action and entities that does not appear in the Timeout Values field is assigned the default timeout value specified in the Login Profile parameter Server Timeout (typically 1 minute).

Table 40 lists values typically selected in the Entity1 and Entity2 fields.

Table 40 Timeout Values Entities (Part 1 of 2)

admin         ESS administrators
admin_rule    Access rules
ent_user      Persons (formerly Enterprise users)
gtw           Gateways (formerly ESS gateways)
job_code      Profiles (formerly Job codes)
oe            Containers
org           Organizations
platform      Platforms

Table 40 Timeout Values Entities (Part 2 of 2)

rss           Managed Systems (formerly RSSs)
rss_user      Accounts (formerly RSS users)
rules         Keyword rules
template      Templates
trans         Transactions

EXAMPLE To change the default timeout value for connecting a Person to a Profile to ten minutes (600 seconds), the entry in the Timeout Values field should be:
    Action: CONNECT
    Entity1: ent_user
    Entity2: job_code
    Timeout: 600

Table 41 ESS Console tabbed page

Disable Default Connections
    By default, an ESS administrator who is granted authorization to view, insert, and modify a specific organization or Person entity has the same authorization for all lower-level organizations, Profiles, Persons, and connected Accounts. If this check box is selected, this automatic authorization is disabled. For more information, see the description of access rights by inheritance in the ESS Console Administration Guide.

Session Timeout
    Length of the period (in seconds) of inactivity in an ESS Console session after which the ESS administrator is locked out and required to re-enter the password before continuing to work in ESS Console. (Depending on the version of Enterprise SecurityStation, this parameter may not appear unless added manually. For more information, see the Enterprise SecurityStation Console Installation Guide.)
    Note: If the parameter is left empty or assigned a value of 0 (zero), Session Timeout is disabled.

Timeout Values
    Connection timeout values for various operations performed using ESS Console. The values specified for this parameter replace the default value specified in the Login Profile when determining whether the connection to the ESS Application Server has been lost. For more information, see the Enterprise SecurityStation Console Installation Guide. (Depending on the version of Enterprise SecurityStation, this parameter may not appear unless added manually.)

Chapter 5 Operation

The following topics are discussed in this chapter:
- Starting/Stopping the BMC Identity Management Suite
- Accessing the BMC Identity Management Suite
- Collecting Information for support issues

Starting/Stopping the BMC Identity Management Suite

This section describes how to start and stop the BMC Identity Management Suite. If the BMC Identity Management Suite is deployed in two user accounts, the Suite must be started and stopped in each of the accounts.

Permissions required for starting and stopping the Suite

Scripts are provided to start and stop the BMC Identity Management Suite. Running the start/stop scripts requires the System password and IdM Suite Administrator permissions: login credentials (user name and password) for the product installation account or accounts, with read, write, and execute permissions.

NOTE IdM Suite Administrator: the role of the person responsible for installing, administering, and maintaining the BMC Identity Management Suite products. For more information, see 4 Create the product installation account(s) on page 40.

Start the BMC Identity Management Suite

Summary
This section describes how to start the BMC Identity Management Suite. If the IdM components have been installed in two accounts, the startup procedure must be performed in each account.
Performed by the IdM Suite Administrator.
The script starts the application server. All BMC Identity Management Suite components that have been deployed in the application server will start.

To start the BMC Identity Management Suite
1 Log in to the account where the BMC Identity Management Suite is installed.
2 Enter the appropriate command for your operating system:
  In a UNIX console:
    $BMC_IDM_SUITE_HOME/general/tools/scripts/appl_server/start_idm_suite.sh
  NOTE
  UNIX: If you want, you can use the script name without the full path.
  In a Windows DOS console:
    %BMC_IDM_SUITE_HOME%\general\tools\scripts\appl_server\start_idm_suite.bat
3 If you are prompted for the System password, enter it.
The BMC Identity Management Suite starts. Check to make sure that the BMC Identity Management Suite starts without generating error messages.

Stop the BMC Identity Management Suite

This section describes how to run a script that stops all BMC Identity Management Suite products and components. However, as described below, you should also verify after running the script that no Java processes are running.

To stop the BMC Identity Management Suite
1 As IdM Administrator, log in to the account where the BMC Identity Management Suite is installed.
2 Enter the appropriate command for your operating system:
  In a UNIX console:
    $BMC_IDM_SUITE_HOME/general/tools/scripts/appl_server/stop_idm_suite.sh
  In a Windows DOS console:
    %BMC_IDM_SUITE_HOME%\general\tools\scripts\appl_server\stop_idm_suite.bat
  The BMC Identity Management Suite stops.
(Optional on UNIX) Check to make sure that the BMC Identity Management Suite is stopped.
3 At the prompt, enter the following command:
    ps -u username
  Verify that there are no Java processes running. If there are any Java processes, kill them before proceeding.

NOTE
(Windows) If you have changed the JNDI port, then you must also be sure to update the value in the stop_idm_suite.bat file:
    set JBOSS_JNDI_PORT=newJNDIValue

Accessing the BMC Identity Management Suite

Use the procedure that follows to access the BMC Identity Management Suite.
1 Ensure that the Enterprise SecurityStation processes (Router, database server, ESS Gateways, Orbix) are active.
2 On a computer with a TCP/IP link to the Front-end computer, start a Web browser and enter the following URL:
  where:
    hostname   Host name of the Front-end account computer
    port       HTTPS port number used by the Front-end Identity Common UI Services
  NOTE
  If you do not know the URL, follow the procedure described in this section: 26 Determine the Suite URL.
3 Log in to the BMC Identity Management Suite.
  NOTE
  To log in to the BMC Identity Management Suite you must be a Person in the ESS database, and you must be enabled in the Person record to access the applications (i.e., User Administration Manager, Password Manager, Compliance Manager, and Suite Configuration). For more information, see Enabling a BMC Identity Management Suite user.
4 Ensure that you are able to view, retrieve, and modify data using all of the BMC Identity Management Suite applications.

Collecting Information for support issues

In the Suite Configuration application, the Collect Logs option provides a method that simplifies the process of collecting information to send to BMC support personnel when making requests for technical support.

NOTE
This utility should be run only at the request of BMC Technical Support.

To collect logs for technical support
1 In the Suite Configuration tab, click Maintenance => Collect Logs. The Collect Logs page is displayed.
2 Select the applications for which you want to collect logs.
3 Click Collect.
The collector creates a zip file under the $BMC_IDM_SUITE_HOME/output directory. This zip file should be sent to technical support.

Line command (Optional)
Instead of using the Suite Configuration application, in the account where you want to verify the status you can run the following command:
    idm_tools collector

NOTE
The line command is the same for UNIX and Windows. There is no need to specify a full path to execute the command.

To run the collector utility
1 Log in to the account where the BMC Identity Management Suite is installed.
2 Enter the following command to start the collector utility:
    idm_tools collector

The following menu is displayed:

    Requested products:
    Available products:
    1: BMC Identity Open Services
     : BMC Identity Compliance Manager Back-end
     : BMC User Administration
     : BMC Identity Compliance Manager Web
     : BMC Password Manager
     : BMC Identity Request Manager
    a: all products
    f: finish
    q: quit
    Type in your choice (1-6 a f q) [a]:

3 Enter the option you want. For example: a
All products will be included. When the collector is finished, it displays a list of the files it copied and zipped. The last line in the output provides the file name and path of the support information that has been collected and zipped by the collector utility.

NOTE
If you are selecting individual products instead of all products, type the number of the product (e.g., 1) followed by f, and continue the same iterative pattern (e.g., 1 f 3 f 5 f).
4 Enter the option q to quit the collector utility.

Chapter 6 Localizing the user interface

This chapter describes how to localize the BMC Identity Management Suite user interface to display non-English languages, and how to modify the standard English-language user interface to satisfy site requirements.

The following topics are discussed:
  Localizing the language the user interface displays
  Changing the English text in the user interface

Localizing the language the user interface displays

The BMC Identity Management Suite login screens and the product interfaces display their user interface text in US English (by default). This text can be customized to display in other languages. Each of the following components must be localized separately:
  BMC Identity Management Suite login screens
  BMC Password Manager
  BMC User Administration Manager
  BMC Identity Compliance Manager
  BMC Suite Configuration Application

NOTE
The text of certain messages (or parts of messages) and the labels of certain fields that originate in Enterprise SecurityStation are not affected by localizing language support. For more information, see the chapter Customization in the Enterprise SecurityStation Administration Guide.

The online help can also be localized to display other languages. Contact BMC Technical Support to get the online help source files.

The following procedure describes how to localize the user interface language.

To localize the language
1 Log in to the Front-end account.
2 Locate the following file(s):
  For the BMC Identity Management Suite login screens: customize the files web_messages.properties and internal_messages.properties in the following directory:
    $BMC_IDM_SUITE_HOME/glue_web/resources/
  For BMC Password Manager: customize the file messages.properties in the following directory:
    $BMC_IDM_SUITE_HOME/password_manager/resources/
  For BMC User Administration Manager: customize the files console_messages.properties and binded_console_messsages.properties in the following directory:
    $BMC_IDM_SUITE_HOME/user_administration/resources/
  For BMC Identity Compliance Manager: customize the two separate files named messages.properties:
    Back-end: $BMC_IDM_SUITE_HOME/cmpl_mgr_backend/resources/messages.properties
    Front-end: $BMC_IDM_SUITE_HOME/cmpl_mgr_webapp/resources/messages.properties
  For the Suite Configuration application: customize the file ui-messages.properties in the following directory:
    $BMC_IDM_SUITE_HOME/suite_configuration/resources/

3 Create work files by copying the original files to a work directory and renaming them originalfilename.work. In each work file, translate all labels, messages, and terminology from English to the desired language (e.g., French).
4 (Only if you use characters other than Latin-1 characters.) Convert each work file by using the native2ascii utility. The native2ascii utility is a component of the Java SDK and is located in the following directory:
    $BMC_IDM_SUITE_HOME/general/java/bin
  For more information regarding the native2ascii utility, see the documentation located at the following location:

  NOTE
  Use the native2ascii utility unless you are certain that your translated text only uses Latin-1 characters.

  To run the utility, enter the following command:
    native2ascii -encoding canonicalname filein fileout
  The arguments in the command are as follows:
    canonicalname   Specify the encoding of the input file (e.g., UTF8). The encoding value for the input file must be selected from the values under the column header Canonical Name for java.nio API in the Basic Encoding Set table that is located at this URL:
    filein          Full path and name of the input work file.
    fileout         Full path and name of the output file. Use the following naming convention: originalfilename_suffix.properties. Assign the correct suffix for the localized language. The required suffixes are listed in the following location:

  For example:
    native2ascii -encoding ISO filein fileout
5 Move the output file originalfilename_suffix.properties to the original directory.

EXAMPLE
This example demonstrates the steps required to convert the file messages.properties for Esperanto (suffix eo):
1. Create the work file messages.work in workdir by copying messages.properties from the directory $BMC_IDM_SUITE_HOME/password_manager/resources.
2. Translate all labels, messages, and terminology from English to the desired language (e.g., Esperanto) in messages.work.
3. Enter the command:
    native2ascii -encoding UTF8 workdir/messages.work workdir/messages_eo.properties
4. Copy messages_eo.properties from workdir to the original directory: $BMC_IDM_SUITE_HOME/password_manager/resources

6 If the BMC Identity Management Suite is currently active, stop and restart it.
7 Set each Web browser that will use the modified language files so that it uses the correct preferred language option. The BMC Identity Management Suite automatically serves language components based on the setting of the preferred language in the individual user's Web browser. For example, in Internet Explorer, set the preferred language by selecting Tools => Internet Options => Languages => Add. Select the language you want, and click OK.

Changing the English text in the user interface

This section describes how you can replace the default US English text in the user interface, customizing it to satisfy your site requirements. Use this procedure if you want to replace some (or all) of the default English interface elements (e.g., field labels) with your own preferred English words. The procedure involves taking the default messages properties files that you want to change, copying them, editing them, and then saving them with a new suffix: _en.

By setting each end-user Web browser to prioritize language preferences to English, the browser will look for and display the files with an _en suffix instead of the files with the same name but without the _en suffix.

Each of the following components can be localized separately:
  BMC Identity Management Suite login screens
  BMC Password Manager
  BMC User Administration Manager

The procedure for customizing the US English interface is described below.

To modify the English language text
1 Log in to the Front-end account.
2 Locate any files you want to customize (see step 2 on page 232).
3 Copy the original files to a work directory, and rename them originalfilename_en.properties. That is, add an _en suffix.
4 In each of these new files, customize any labels, messages, and terminology that you want, and save the files.
5 Move the customized files back to the original directory described in step 2 on page 232, with the same original default file name but now with an _en suffix.

EXAMPLE
This example demonstrates the steps required to customize the file messages.properties:
1. Copy messages.properties from the following directory to the work directory: $BMC_IDM_SUITE_HOME/password_manager/resources
2. In the work directory, rename the file to messages_en.properties.
3. Customize any labels, messages, and terminology as necessary in messages_en.properties.
4. Copy messages_en.properties from the work directory to the original directory: $BMC_IDM_SUITE_HOME/password_manager/resources

6 If the BMC Identity Management Suite is currently active, stop and restart it.

7 In each Web browser that will use the modified language files, configure the browser to use US English as the priority preferred language option. This forces the browser to use the files with the _en suffix. For example: In Internet Explorer, set the preferred language by selecting Tools => Internet Options => Languages => Add. Select English (United States), and click OK.
The customized files that contain the _en suffix will be read instead of the files with the same name but without the suffix.
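Both procedures above (the translated work file converted with native2ascii, and the _en customization) end with a suffixed copy of a messages file placed beside the original. As an added example that is not part of the BMC product, the Python script below performs the conversion step itself: it escapes every non-ASCII character of a work file as a Java \uXXXX sequence, writes the result under the originalfilename_suffix.properties name, and reads it back to confirm the round trip. The messages.work contents are constructed sample data.

```python
"""Convert a translated messages work file into the suffixed, ASCII-only
properties file the Suite expects (the step native2ascii performs), then
read it back to verify the round trip.

Added example, not part of the BMC product; the work-file contents below are
constructed sample data."""
import os
import tempfile


def to_ascii_escapes(text: str) -> str:
    """Escape every non-ASCII character as a Java-style \\uXXXX sequence.

    Characters above U+FFFF are written as a UTF-16 surrogate pair, which
    is how Java represents them inside a .properties file."""
    out = []
    for ch in text:
        cp = ord(ch)
        if cp < 0x80:
            out.append(ch)
        elif cp < 0x10000:
            out.append("\\u%04X" % cp)
        else:
            cp -= 0x10000
            out.append("\\u%04X\\u%04X" % (0xD800 + (cp >> 10), 0xDC00 + (cp & 0x3FF)))
    return "".join(out)


def localized_filename(original: str, suffix: str) -> str:
    """Apply the guide's naming rule: messages.properties + eo -> messages_eo.properties."""
    stem, ext = os.path.splitext(original)
    return "%s_%s%s" % (stem, suffix, ext)


def convert_work_file(work_path: str, original_name: str, suffix: str,
                      dest_dir: str, encoding: str = "utf-8") -> str:
    """Read the translated work file (in `encoding`) and write the escaped
    originalfilename_suffix.properties into dest_dir. Returns the new path."""
    with open(work_path, encoding=encoding) as fh:
        lines = fh.read().splitlines()
    dest = os.path.join(dest_dir, localized_filename(original_name, suffix))
    with open(dest, "w", encoding="ascii", newline="\n") as fh:
        fh.write("\n".join(to_ascii_escapes(line) for line in lines) + "\n")
    return dest


def read_back(path: str) -> dict:
    """Decode a simple key=value properties file (comments and blank lines
    skipped) back into Unicode, merging surrogate pairs."""
    props = {}
    with open(path, encoding="ascii") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith(("#", "!")):
                continue
            key, _, value = line.partition("=")
            decoded = value.strip().encode("ascii").decode("unicode_escape")
            props[key.strip()] = decoded.encode("utf-16", "surrogatepass").decode("utf-16")
    return props


# Constructed sample: two labels translated into Esperanto in messages.work.
SAMPLE_WORK_FILE = (
    "# constructed sample translation, not text from the product\n"
    "login.title=Ensaluti\n"
    "login.badpassword=Pasvorto ne \u011dusta\n"
)


def demo():
    """Run the conversion for suffix eo in a temporary directory and return
    (output file name, escaped file text, decoded properties)."""
    with tempfile.TemporaryDirectory() as workdir:
        work = os.path.join(workdir, "messages.work")
        with open(work, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_WORK_FILE)
        dest = convert_work_file(work, "messages.properties", "eo", workdir)
        with open(dest, encoding="ascii") as fh:
            escaped_text = fh.read()
        return os.path.basename(dest), escaped_text, read_back(dest)


if __name__ == "__main__":
    name, text, props = demo()
    print(name)
    print(text)
    print(props)
```

The script handles the simple key=value form of the files; it does not reproduce every escaping rule of the Java properties format, so keep native2ascii for production conversions.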

Appendix A Enabling cookies in your Web browser

The BMC Identity Management Suite requires that end-users' Web browsers be set to accept cookies. In general, Web browsers are set to accept cookies by default. If cookies are not enabled in end-users' Web browsers, or if you want to determine the current settings in an end-user's Web browser, use the appropriate procedure described below.

The following topics are discussed in this chapter:
  Enabling cookies: Microsoft Internet Explorer
    IE version 5.5
    IE version 6.0
  Enabling cookies: Mozilla Firefox

Enabling cookies: Microsoft Internet Explorer

Use one of the procedures below to enable cookies in Microsoft Internet Explorer.

IE version 5.5

To enable cookies in Internet Explorer version 5.5
1 From the Tools menu in Internet Explorer, select Internet Options. The Internet Options dialog box is displayed.

2 Click the Security tab.
3 Click Custom Level. The Security Settings dialog box is displayed.
4 Scroll down the list box until the Cookies options are visible. The dialog box should now appear similar to Figure 21.
Figure 21 Microsoft Internet Explorer security settings
5 Ensure that Enable is selected under each of the following options:
  Allow cookies that are stored on your computer
  Allow per-session cookies (not stored)
6 Click OK in the Security Settings dialog box. If a dialog box with the message "Are you sure you want to change the security settings for this zone?" is displayed, click Yes.
7 Click OK in the Internet Options dialog box.

IE version 6.0

To enable cookies in Internet Explorer version 6.0
1 From the Tools menu in Internet Explorer, select Internet Options. The Internet Options dialog box is displayed.
2 Click the Privacy tab. Several methods are available for customizing cookie settings on the Privacy tabbed page. One possible method is described below. Use the method recommended by your administrator. The method chosen must result in accepting cookies from a First party for the URL used to access the BMC Identity Management Suite. (The setting for Third-party Cookies is not required.)
3 On the Privacy tabbed page, click Advanced. The Advanced Privacy Settings dialog box is displayed.
4 Select the Override automatic cookie handling check box.
5 Under First-party Cookies, select the Accept option.
6 Select the Always allow session cookies check box. The dialog box should now appear similar to Figure 22.
Figure 22 Advanced Privacy Settings dialog box
7 Click OK. Close the Internet Options dialog box.

Enabling cookies: Mozilla Firefox

To enable cookies in Mozilla Firefox
1 From the Tools menu in Firefox, select Options. The Options dialog box is displayed.
2 From the list in the navigation panel, select Privacy. A dialog box similar to Figure 23 should appear.
Figure 23 Privacy settings
3 Click Cookies. The cookies options are displayed.
4 By default, cookies are enabled. If they are not enabled, ensure that the option Accept all cookies is selected.
5 Click OK.

Appendix B External LDAP authentication

This appendix describes procedures for enabling the BMC Identity Management Suite to work with a third-party LDAP external authentication system (EAS). These procedures require ESS version 3.3 or later.

The procedures described in this appendix are applicable for sites that want to authenticate BMC Identity Management Suite users at the Suite log in page with a user name and password stored in an EAS instead of authenticating the Suite user with the Person ID and Person password stored in the ESS database. A site can optionally require all users to log in using only the EAS credentials (user name and password), or it can allow some users to log in only with the EAS log in method while allowing other users to log in only using the basic Suite log in screen.

NOTE
For a list of supported LDAP directories, see the BMC Identity Open Services Release Notes.

There is no automatic synchronization of user name and password between the EAS directory and the ESS database. A password change in BMC Password Manager changes the Person password in ESS, but does not change the LDAP user password unless an SA-Agent is installed on Active Directory.

The material presented in this appendix describes in detail how to modify the relevant XML files or, alternatively, where applicable, how to enter values into the XML files by using the Suite Configuration tab => External Authentication.

The following topics are discussed:
  Implementation checklist
  Configure the external authentication
  Enable the log in page for external authentication
  Set ESS Person authentication method field
  Optional: Using a batch mapping procedure

Implementation checklist

The table that follows lists the steps required to enable the BMC Identity Management Suite to work with a third-party LDAP external authentication system (EAS).

Table 42 Implementation Checklist
  Step
  1 Configure the external authentication
  2 Enable the log in page for external authentication
  3 Set ESS Person authentication method field
  4 Optional: Using a batch mapping procedure

Detailed information regarding each step can be found in the sections that follow.

1 Configure the external authentication

External configuration parameters are assigned in the following file:
    $BMC_IDM_SUITE_HOME/glue_core/conf/glue-service-config.xml
Important: There is no need to restart the application server after modifying and saving this file.

You can configure external configuration parameters by using either of these methods:
  Use the Suite interface: Suite Configuration tab => External Authentication
  Configure the glue-service-config.xml file manually

Configure mapping type

A connection must be created between the LDAP user records and the ESS Person records. This connection is called a mapping. You can select either of the following techniques to map LDAP user records to the corresponding ESS Person records:

  Internal mapping type (default): This type enables users to perform self-mapping once at a special Suite log in page. This self-mapping procedure copies the LDAP user GUID to the corresponding Person record in the ESS database. Self-mapping only has to be performed by each user one time.

  External mapping type: This mapping type is intended for sites where it may be convenient to use an existing mapping in which the ESS Person IDs already exist in the corresponding LDAP user record in the LDAP directory. Some sites may need to map this way because of special application requirements (e.g., a single sign-on product may require this mapping type).

NOTE
The BMC Identity Management Suite does not support the concurrent use of both types of mapping. The choice of mapping type must be selected when configuring the first domain and may not subsequently be changed.

NOTE
External mapping does not support user self-mapping. LDAP mapping must use the field in the Person record used for logging in to the Suite (e.g., User ID, User Name). This should be determined by examining the value of the ESS Global parameter Login ID field name.

For internal mapping, leave the default value: false
    <externally-stored-mapping>false</externally-stored-mapping>
For external mapping, change the value to: true
    <externally-stored-mapping>true</externally-stored-mapping>

Configure external authentication

You can change the following parameters using the Suite Configuration application or manually.

The domain configuration is managed by the following XML block. If you are using multiple domains, use one block per domain.

NOTE
Each Active Directory domain is specified as one external authentication domain for the Suite.

Example:
    <external-authentication-domain name="domain.abc.com">
      <type>active-directory</type>
      <protocol>ldap</protocol>
      <hosts>
        <host>tv-dc-01</host>
        <host>lv-dc-02</host>
      </hosts>
      <issslsecured>true</issslsecured>
      <port>636</port>
      <searchbase>dc=domain,dc=abc,dc=com</searchbase>
      <unattendedadmin>
        CN=akrochek,OU=Domain Users,OU=Security,DC=domain,DC=abc,DC=com
      </unattendedadmin>
      <unattendedadminpassword>
        {AES128}MTUfflYmq6EWRp4O4GFlBg==
      </unattendedadminpassword>
      <externally-stored-mapping-attribute-name>
      </externally-stored-mapping-attribute-name>
    </external-authentication-domain>

Between the quote marks, enter the LDAP domain name. For example: "domain1.abc.com"
    <external-authentication-domain name="yourexternalauthdomainalias">
Enter the type of LDAP directory you are using. Currently the only supported LDAP directory type is Active-Directory.
    <type>active-directory</type>
Enter the host name or names of your domain controllers. If you have more than one host for the domain that you want to use for a failover mechanism, see Optional: Enable LDAP server failover on page 246.
    <hosts>
      <host>yourhostnameoripaddress</host>
    </hosts>

Enter true as the value of issslsecured.
    <issslsecured>true</issslsecured>
Change the port value from 389 (for a non-SSL connection) to 636 for an SSL connection. For additional SSL information, see Optional: Implementing SSL on page 247.
    <port>636</port>
Using DN format, specify the distinguished name of your LDAP domain as the search scope for finding the user.
    <searchbase></searchbase>
Specify the DN of a domain user (called the unattended administrator) who will perform search actions in the domain.
  NOTE
  The unattended administrator of the domain must be set up with sufficient permissions to read attributes of other users (e.g., to search for the users' DN and GUID).
    <unattendedadmin></unattendedadmin>
The next tag is where the encrypted password must be stored.
Important: Because the password must be encrypted, you must enter the password using the Suite Configuration application.
    <unattendedadminpassword></unattendedadminpassword>
If you configured external mapping, enter the name of the attribute on the LDAP User object that stores the ESS Person ID; otherwise leave it empty.
    <externally-stored-mapping-attribute-name>
    </externally-stored-mapping-attribute-name>

Suite Configuration tab
You can optionally set the values described in this subsection (above) in the Suite Configuration Web page as follows: Suite Configuration tab => External Authentication

Optional: Enable LDAP server failover

To ensure the availability of the authentication domain, you can provide more than one host name to implement a failover mechanism. In Active Directory these are domain controllers. In such a scenario, if the first host is not available, the system tries to connect to the next host on the list.

Perform the following procedure to configure failover in $BMC_IDM_SUITE_HOME/glue_core/conf/glue-service-config.xml:
  Enter additional host names or IP addresses on separate lines and enclose each name in the tags <host></host>. Add one line for each host.
    <hosts>
      <host>server1</host>
      <host>server2</host>
    </hosts>
  Save the glue-service-config.xml file.

If a failover connection succeeds, that host becomes the first machine (in the host list) to connect for subsequent login attempts.

Important: After fixing the problem of the failed host, the IdM Suite administrator can revert to the original stored host list by simply opening and re-saving the glue-service-config.xml file. There is no need to restart the application server. The system automatically reloads the updated file.

Suite Configuration tab
You can optionally set the values described in this subsection in the Suite Configuration Web page as follows: Suite Configuration tab => External Authentication => Modify
The optional fields for secondary and backup hosts are the failover hosts.

Optional: Implementing SSL

To protect the LDAP communication between the LDAP authentication domain and the Back-end of the BMC Identity Management Suite, you can implement secure SSL connections. All conditions described below must be met to enable SSL between the Back-end of the BMC Identity Management Suite and the LDAP domain.

Certificates

1 Issue authentication certificates
Ensure that authentication certificates have been issued for the AD domain controllers (if they are not issued already).
  NOTE
  This is the responsibility of the customer. By default, AD domain controllers automatically enroll for domain controller certificates once an Enterprise CA has been installed. The root certificate can be found in the root of the system drive (e.g., if the operating system has been installed in c:\windows, the certificate will be found in c:\). By default the certificate file is named <server_name>.<domain_name>_<name_you_gave>.crt

2 Import authentication certificate
Using the Java keytool (i.e., the key and certificate management tool), import this LDAP server certificate (in the current Suite version it is on the AD domain controller) into the Suite keystore. In a distributed deployment the certificate is imported into the keystore of the Back-end server.
Copy the LDAP server certificate to the following directory on the Suite Back-end:
    $BMC_IDM_SUITE_HOME/security/keystore
The certificate will be imported into the following keystore:
    $BMC_IDM_SUITE_HOME/security/keystore/ctsa.keystore

Example: Importing the certificate tlvs0046.tlv-idm-2k.local_tlv-idm-2k-ca.crt into the keystore.

The certificate will be stored in the keystore under the alias <EAD_TLV-IDM-2K_alias>. The keytool command is as follows (the example is for UNIX):
    keytool -import -alias EAD_TLV-IDM-2K_alias -file /home/s55/bmc/idm/idm-suite5.5/security/keystore/tlvs0046.tlv-idm-2k.local_tlv-idm-2k-ca.crt -keystore /home/s55/bmc/idm/idm-suite5.5/security/keystore/ctsa.keystore
You will be prompted for the System password and for confirmation of the import operation.

You can verify the success of the import operation by running the following command. The keystore entries will be displayed as a list. Find the entry with your certificate's alias.
    keytool -list -keystore /home/s55/bmc/idm/idm-suite5.5/security/keystore/ctsa.keystore -v

The Active Directory certificate is valid for all domains in the Active Directory forest. There is no need to import the same certificate again if you configured more than one external authentication domain from the Active Directory forest.

NOTE
You must restart the Suite server (in a distributed deployment, the Back-end server) after importing the certificate.

Configure the SSL port for the domain
Change the port value from 389 to a port assigned to an SSL connection (default: 636).
    <port>636</port>
    <issslsecured>true</issslsecured>
Save the glue-service-config.xml file.

Troubleshooting: Verify the server start script
In the application server start script (i.e., on the Back-end), the following line should be uncommented:
    set JAVA_OPTS=%JAVA_OPTS% -Djavax.net.ssl.trustStore=%BMC_IDM_SUITE_HOME%/security/keystore/ctsa.keystore
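The domain block, the failover host list and the SSL port setting described above are all hand-edited XML, and the file is reloaded without a restart, so a mistake takes effect immediately. As an added example that is not part of the BMC product, the Python check below reads the external-authentication-domain blocks and reports the inconsistencies the text warns about (SSL flag versus port, empty host list, a password not in the encrypted form the Suite Configuration application writes, mapping type versus mapping attribute). The root element name, the {AES128} prefix rule and all sample values are assumptions modelled on the guide's example.

```python
"""Sanity-check the external-authentication-domain configuration in
glue-service-config.xml against the rules the sections above give: mapping
type versus mapping attribute, a non-empty host failover list, SSL port
636 when issslsecured is true, and an encrypted unattended administrator
password. Added example, not part of the BMC product."""
import xml.etree.ElementTree as ET

# Constructed sample modelled on the guide's example block. The root element
# name, host names, DNs and the password value are assumed placeholders.
SAMPLE_CONFIG = """<glue-service-config>
  <externally-stored-mapping>false</externally-stored-mapping>
  <external-authentication-domain name="domain.example.com">
    <type>active-directory</type>
    <protocol>ldap</protocol>
    <hosts>
      <host>dc-01.example.com</host>
      <host>dc-02.example.com</host>
    </hosts>
    <issslsecured>true</issslsecured>
    <port>636</port>
    <searchbase>dc=domain,dc=example,dc=com</searchbase>
    <unattendedadmin>
      CN=svc-idm-lookup,OU=Service Accounts,DC=domain,DC=example,DC=com
    </unattendedadmin>
    <unattendedadminpassword>{AES128}PLACEHOLDERCIPHERTEXT==</unattendedadminpassword>
    <externally-stored-mapping-attribute-name>
    </externally-stored-mapping-attribute-name>
  </external-authentication-domain>
</glue-service-config>
"""


def _text(elem, tag):
    """Stripped text of a child element, or '' when it is absent or empty."""
    child = elem.find(tag)
    return (child.text or "").strip() if child is not None else ""


def host_list(domain):
    """Failover order as written: the first host is tried first."""
    return [h.text.strip() for h in domain.findall("hosts/host") if h.text and h.text.strip()]


def check_domain(domain, external_mapping):
    """Findings for one external-authentication-domain block."""
    name = domain.get("name", "<unnamed>")
    findings = []
    if _text(domain, "type").lower() != "active-directory":
        findings.append("%s: <type> must be active-directory (only supported type)" % name)
    if not host_list(domain):
        findings.append("%s: no <host> entries; at least one domain controller is required" % name)
    ssl = _text(domain, "issslsecured").lower() == "true"
    port = _text(domain, "port")
    if ssl and port == "389":
        findings.append("%s: issslsecured is true but port is 389; the SSL port is 636" % name)
    if not ssl:
        findings.append("%s: issslsecured is false; LDAP traffic is not protected" % name)
    if not _text(domain, "searchbase"):
        findings.append("%s: <searchbase> (DN of the domain) is empty" % name)
    if not _text(domain, "unattendedadmin"):
        findings.append("%s: <unattendedadmin> DN is empty" % name)
    # Assumes the {AES128} prefix shown in the guide's example marks an
    # encrypted value; anything else was typed in by hand as clear text.
    if not _text(domain, "unattendedadminpassword").startswith("{AES128}"):
        findings.append("%s: unattendedadminpassword is not encrypted; set it via Suite Configuration" % name)
    attr = _text(domain, "externally-stored-mapping-attribute-name")
    if external_mapping and not attr:
        findings.append("%s: external mapping chosen but no mapping attribute name set" % name)
    if not external_mapping and attr:
        findings.append("%s: mapping attribute set although internal mapping is configured" % name)
    return findings


def check_config(xml_text):
    """Return all findings for the file; an empty list means no problem found."""
    root = ET.fromstring(xml_text)
    external = _text(root, "externally-stored-mapping").lower() == "true"
    domains = root.findall("external-authentication-domain")
    findings = [] if domains else ["no external-authentication-domain block found"]
    for domain in domains:
        findings.extend(check_domain(domain, external))
    return findings


def domain_hosts(xml_text, domain_name):
    """Failover host list of the named domain ([] when the domain is absent)."""
    root = ET.fromstring(xml_text)
    for domain in root.findall("external-authentication-domain"):
        if domain.get("name") == domain_name:
            return host_list(domain)
    return []


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```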

For more information about the start script, see Starting/Stopping the BMC Identity Management Suite on page 225.

2 Enable the log in page for external authentication

You can change the following parameters using the Suite Configuration application or manually. For more information, see Security and Authentication: Authentication Method on page 154.

Log in page parameters for enabling and setting priorities are assigned in the following file:
    $BMC_IDM_SUITE_HOME/glue_web/conf/glue-web-ui-config.xml
Important: There is no need to restart the application server after modifying and saving this file.

Change the isallowed tag value to true to enable the external login method.
    <ui-login-method name="external">
      <isallowed>true</isallowed>
      <priority>1</priority>
    </ui-login-method>

3 Set ESS Person authentication method field

You can enable the log in settings for each individual Suite user by modifying the value of the ESS Person field Authentication Method in each Person record:
If you want a user to be able to log in with external authentication, set the ESS Person field Authentication Method to the value: Trusted.
Important: This user will not be able to log in using the Basic log in page.

4 Optional: Using a batch mapping procedure

This section describes how an IdM Suite administrator can perform internal mapping as a batch procedure using the standalone utility IDM-mapldaptoess.

NOTE
By default, internal mapping is performed by users at a special Suite self-mapping log in page. For more information, see Configure mapping type on page 243.

Perform all of the following procedures:
  Create a mapping file
  Configure the IDM-mapldaptoess utility
  Optional: Configure multiple LDAP domains
  Run the IDM-mapldaptoess utility
  Understanding the IDM-mapldaptoesserror.log file

NOTE
If you are deploying the Suite as a distributed deployment, perform the following procedures only on the Back-end server.

Create a mapping file

To create a mapping file
1 Create a comma-separated values text file (file extension: anyfilename.csv) with two columns of data as follows:
  In column #1 enter a list of LDAP User IDs
  In column #2 enter a list of ESS User IDs
When you are finished, each line maps an LDAP User ID to the corresponding User ID in the ESS database.

Figure 24 Example: Mapping file LDAP ID to ESS ID
    Linda Stevens,L_Stevens
    Ellen_Wright,WrightE
    Meg_Johnson,MJohnson
    BrownR,Richard_Brown
    JillTrevor,TrevorJ
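Because the batch run writes an LDAP GUID into each listed Person record, a malformed or duplicated line in the mapping file is worth catching before the utility is run. As an added example that is not part of the BMC utility, the Python check below parses the two-column file, rejects lines with a missing column or empty ID, and rejects any LDAP or ESS ID that appears twice (treating a double mapping as an error is this check's own assumption). The sample reuses the Figure 24 rows plus constructed faulty rows.

```python
"""Validate a mapping file for the IDM-mapldaptoess batch procedure before
running it: every non-blank line must hold exactly two non-empty columns
(LDAP User ID, ESS User ID), and no ID may appear twice, since a Person
record can carry only one LDAP GUID. Added example, not part of the BMC
utility; the duplicate-ID rule is an assumption of this check."""
import csv
import io

# Figure 24 rows from the guide, followed by constructed faulty rows.
SAMPLE_MAPPING = """Linda Stevens,L_Stevens
Ellen_Wright,WrightE
Meg_Johnson,MJohnson
BrownR,Richard_Brown
JillTrevor,TrevorJ

Meg_Johnson,Johnson_M
PaulK,
OnlyOneColumn
Ann_Lee,WrightE
"""


def parse_mapping(text):
    """Return (pairs, errors): pairs are the usable (ldap_id, ess_id) rows,
    errors describe the rows that must be fixed before the batch run."""
    pairs, errors = [], []
    seen_ldap, seen_ess = {}, {}
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row or all(not cell.strip() for cell in row):
            continue  # blank line, ignored
        if len(row) != 2:
            errors.append("line %d: expected 2 columns, found %d" % (lineno, len(row)))
            continue
        ldap_id, ess_id = (cell.strip() for cell in row)
        if not ldap_id or not ess_id:
            errors.append("line %d: empty LDAP or ESS User ID" % lineno)
            continue
        if ldap_id in seen_ldap:
            errors.append("line %d: LDAP ID %r already mapped on line %d"
                          % (lineno, ldap_id, seen_ldap[ldap_id]))
            continue
        if ess_id in seen_ess:
            errors.append("line %d: ESS ID %r already mapped on line %d"
                          % (lineno, ess_id, seen_ess[ess_id]))
            continue
        seen_ldap[ldap_id] = lineno
        seen_ess[ess_id] = lineno
        pairs.append((ldap_id, ess_id))
    return pairs, errors


def clean_mapping_text(text):
    """CSV text containing only the valid rows, ready for the utility."""
    pairs, _ = parse_mapping(text)
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerows(pairs)
    return buf.getvalue()


if __name__ == "__main__":
    good, bad = parse_mapping(SAMPLE_MAPPING)
    for err in bad:
        print("REJECTED", err)
    print(clean_mapping_text(SAMPLE_MAPPING))
```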

Configure the IDM-mapldaptoess utility

Parameters for the IDM-mapldaptoess utility are set in a configuration XML file: map-ldap-to-ess-config.xml. Additional parameters are passed as command-line arguments when running the utility.

To configure the xml file

1 Open the following file in a text editor:

$BMC_IDM_SUITE_HOME/general/tools/map-ldap-to-ess/conf/map-ldap-to-ess-config.xml

The file looks like this (see Figure 25):

Figure 25 map-ldap-to-ess-config.xml (Part 1 of 2)

<?xml version="1.0" encoding="iso "?>
<map_ldap_to_ess>
  <!-- ########################################## IMPORTANT ########################################## -->
  <!-- @external authentication domain name@ has to be the exact same id used for the ldap external-authentication-domain name -->
  <!-- used for the Suite application in file {idm_suite_home}/glue_core/conf/glue-service-config.xml -->
  <!-- Example of the external authentication domain's name - "adprod.bmc.com". -->
  <!-- The DNS style form of the name is for better user's understanding, not for parsing. -->
  <!-- Currently supported types are: "Active-Directory". -->
  <external_authentication_domain name="@external authentication domain name@" type="Active-Directory" protocol="ldap" hostname="@host@" port="@port@">
    <initial_context_factory>com.sun.jndi.ldap.LdapCtxFactory</initial_context_factory>
    <secure>@true/false@</secure>
    <ssl_keystore value="@ssl keystore file@"/>
    <search_base>@search base@</search_base>
    <ldap_admin_name>@admin login name@</ldap_admin_name>
    <person_search_filter>objectClass=person</person_search_filter>
    <ext_uid_attr>sAMAccountName</ext_uid_attr>
    <ext_id_attr>objectGUID</ext_id_attr>
  </external_authentication_domain>
  <container type="@container type@">
    <initial_context_factory>@context factory class@</initial_context_factory>
    <url_prefix>@url prefix@://</url_prefix>
    <ssl_keystore value="@ssl keystore file@"/>
    <secure>@true/false@</secure>
  </container>

Figure 25 map-ldap-to-ess-config.xml (Part 2 of 2)

  <open_services_instance id="@instance id@" hostname="@host@" port="@port@">
  </open_services_instance>
</map_ldap_to_ess>

2 Change the parameter values according to the descriptions in Table 43 and then save the file.

Table 43 map-ldap-to-ess-config.xml (Part 1 of 2)

| Parameter | Description |
|---|---|
| @external authentication domain name@ | Copy this ID from this file and path: $BMC_IDM_SUITE_HOME/glue_core/conf/glue-service-config.xml. Important: the value you enter in the file map-ldap-to-ess-config.xml must match the external-authentication-domain name in that file. |
| @host@ | Host name or IP address of the LDAP directory. |
| @port@ | Default port value for the non-SSL connection is 389 and for the SSL connection is 636. Any other value may be specified. |
| @true/false@ (secure) | Is the connection between the LDAP directory and the IDM-mapldaptoess utility secure? This tag appears inside the tag <external_authentication_domain>. |
| @ssl keystore file@ | Full path and file name for the LDAP directory keystore. Use the Java keytool to import the LDAP server certificate into this keystore: $BMC_IDM_SUITE_HOME/suite_sdk/keystore/open-services-client.keystore |
| @search base@ | The distinguished name of the search base object from where the LDAP search begins. |
| @admin login name@ | Unattended admin DN that performs the LDAP search/retrievals for the IDM-mapldaptoess utility. Copy this unattended admin DN from this file and path: $BMC_IDM_SUITE_HOME/glue_core/conf/glue-service-config.xml |
| @container type@ | Use: jboss |

Table 43 map-ldap-to-ess-config.xml (Part 2 of 2)

| Parameter | Description |
|---|---|
| @context factory class@ | The fully qualified name of the initial context factory class: org.jnp.interfaces.NamingContextFactory |
| @url prefix@ | Prefix of the URL to connect to the application server. Leave empty. |
| @ssl keystore file@ | (Only applicable if the tag secure=true) Full path and file name of the SSL keystore. Needed only when an SSL port is used. The keystore of the suite_sdk installation can be used. If the keystore of the suite_sdk is not configured for SSL, you can learn how to configure it in the Suite SDK Programmer's Guide. |
| @true/false@ (secure) | Is the connection between the IDM-mapldaptoess utility and the container secure? This tag appears inside the tag <container>. |
| @instance id@ (Open Services id) | This ID is specified in this file and path: $BMC_IDM_SUITE_HOME/security/conf/open-services-security.xml |
| @host@ | Host name or IP address of the Open Services installation. |
| @port@ | Open Services listener port (JNDI). |

Optional: Configure multiple LDAP domains

To configure multiple LDAP domains in the same file, copy the entire <ldap_instance></ldap_instance> block (including its enclosed subtags) and enter the specific parameter values for each domain.

NOTE Be sure that each ldap_instance id="@instance id@" matches a value for the tag <external-authentication-domain name=" "> that exists in the file glue-service-config.xml (see Configure external authentication on page 243).

For example:

Figure 26 Example: Multiple LDAP domains

  <external_authentication_domain name="@external authentication domain name@" type="Active-Directory" protocol="ldap" hostname="@host@" port="@port@">
    <initial_context_factory>com.sun.jndi.ldap.LdapCtxFactory</initial_context_factory>
    <secure>@true/false@</secure>
    <ssl_keystore value="@ssl keystore file@"/>
    <search_base>@search base@</search_base>
    <ldap_admin_name>@admin login name@</ldap_admin_name>
    <person_search_filter>objectClass=person</person_search_filter>
    <ext_uid_attr>sAMAccountName</ext_uid_attr>
    <ext_id_attr>objectGUID</ext_id_attr>
  </external_authentication_domain>
  <external_authentication_domain name="@external authentication domain name@" type="Active-Directory" protocol="ldap" hostname="@host@" port="@port@">
    <initial_context_factory>com.sun.jndi.ldap.LdapCtxFactory</initial_context_factory>
    <secure>@true/false@</secure>
    <ssl_keystore value="@ssl keystore file@"/>
    <search_base>@search base@</search_base>
    <ldap_admin_name>@admin login name@</ldap_admin_name>
    <person_search_filter>objectClass=person</person_search_filter>
    <ext_uid_attr>sAMAccountName</ext_uid_attr>
    <ext_id_attr>objectGUID</ext_id_attr>
  </external_authentication_domain>

Run the IDM-mapldaptoess utility

When you run the IDM-mapldaptoess utility at the command line you can specify only one domain. This means that you must run the utility separately for each domain you specified in the map-ldap-to-ess-config.xml file.

Prerequisites:
- The person running the IDM-mapldaptoess utility must be defined in his/her Person record with the field Authentication Method set to Normal.
- The Person entity must also be connected to an ESS Administrator entity with permissions to update Person records.

To run the IDM-mapldaptoess utility

1 Be sure that the Back-end server is running.

2 Verify that the Back-end Suite keystore contains the public authentication key entry of the LDAP directory. (This step is only required if you want to create a secure SSL connection between the IDM-mapldaptoess utility and the LDAP directory.)

TIP Use the keytool to import the LDAP public authentication key entry, if needed, into the Back-end System keystore.

3 Change directory to the IDM-mapldaptoess utility directory. The utility is located here:

$BMC_IDM_SUITE_HOME/general/tools/map-ldap-to-ess

Run the utility using the appropriate file (see Table 44):

Table 44 Starting the IDM-mapldaptoess utility

| Operating system | Start file |
|---|---|
| Windows | IDM-mapldaptoess.bat |
| UNIX | IDM-mapldaptoess.sh |

NOTE IDM-mapldaptoess.bat can only run on a Windows platform, but it can access a remote UNIX computer.

Parameters are passed as command-line arguments when running the utility. Messages are written to a log file when the utility starts and stops (see Understanding the IDM-mapldaptoesserror.log file on page 257).

The following command describes the syntax for running the IDM-mapldaptoess utility:

IDM-mapldaptoess -LI ldapinstanceid [-LP ldappassword] [-U username] [-h] [-md MapsDirectory] [-c configurationfile] [-P Password] -p profilename

- ldapinstanceid: specify the same value as you did for the external-authentication-domain name parameter in the map-ldap-to-ess-config.xml file. See 1 Configure the external authentication on page 242.
- ldappassword: LDAP administrator password. If you do not specify the password at the command line you will be prompted for it.
- username: ID used by the Person to log in to the Suite.
- MapsDirectory: The directory that holds the csv files to use as the input.
- configurationfile: name and full path of the file: $BMC_IDM_SUITE_HOME/general/tools/map-ldap-to-ess/conf/map-ldap-to-ess-config.xml
- Password: Password of the Person (username) who logs in to the Suite. If you do not specify the password at the command line you will be prompted for it.
- profilename: ESS Login Profile name.
- Help: Prints the command usage.

Figure 27 Example

IDM-mapldaptoess -p ess-profile -U johndoe -P essess -LP password -LI domain.com -c "conf/map-ldap-to-ess-config.xml" -md "maps"

NOTE The IDM-mapldaptoess utility copies from each LDAP user the GUID and name of the LDAP system into the following two Person (External Authentication tab) ESS database keywords:
- GUID in External Authentication System (i.e., the LDAP user GUID)
- External Authentication System name (i.e., Domain name of the user in LDAP)

Understanding the IDM-mapldaptoesserror.log file

The log file is written to the following location:

$BMC_IDM_SUITE_HOME/general/tools/map-ldap-to-ess/log/IDM-mapldaptoess.log

The log file is used only for IDM-mapldaptoess utility messages. Its messages cover the following:
- Utility starts mapping
- Utility finishes mapping
- Errors regarding any of the users, either LDAP users or ESS users

The following is an example of a log file:

Figure 28 Example: log file

BMC-CPU003080I Starting to map the information from C:\BMC\IdM\map-ldap-to-ess\mapSample.csv
BMC-CPU003076E Ldap user "Mary" not found
BMC-CPU003006E Error mapping line for "Mary" message: "Person Update Error ESS5018: Record not found Key (user_id) Value (Mary) [Status code= -1]"
BMC-CPU003081I Finished mapping.
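As an added illustration (not part of the BMC utility or this guide), the following Python pre-checks a mapping file in the Figure 24 layout before the utility is run, and triages a log in the Figure 28 format so the administrator can see which mapping lines failed. The CSV layout and the BMC-CPU message-code shape (prefix, number, severity letter) come from this section; the sample mapping rows, the log text and the defects in them are constructed.

```python
"""Pre-flight checks for an IDM-mapldaptoess mapping file and triage of the
utility's log.  Added example, not BMC code; sample data is constructed."""
import csv
import io
import re
from collections import Counter

# Constructed mapping file in the Figure 24 layout, with three defects an
# administrator would want to catch before the batch run: a duplicated LDAP
# ID, an empty ESS ID, and a line with a single column.
MAPPING_CSV = """\
Linda Stevens,L_Stevens
Ellen_Wright,WrightE
Meg_Johnson,MJohnson
BrownR,Richard_Brown
JillTrevor,TrevorJ
Ellen_Wright,EWright
Mary,
OnlyOneColumn
"""

# Constructed log text in the Figure 28 format.
UTILITY_LOG = """\
BMC-CPU003080I Starting to map the information from C:\\BMC\\IdM\\map-ldap-to-ess\\mapSample.csv
BMC-CPU003076E Ldap user "Mary" not found
BMC-CPU003006E Error mapping line for "Mary" message: "Person Update Error ESS5018: Record not found Key (user_id) Value (Mary) [Status code= -1]"
BMC-CPU003081I Finished mapping.
"""

# Message code as the guide describes it: component prefix, numeric
# identifier, one-letter severity (S, E, W, I), then the message text.
CODE_RE = re.compile(r'^(BMC-[A-Z]+)(\d+)([SEWI])\b\s*(.*)$')


def check_mapping_file(text):
    """Return (line_no, problem) tuples for a two-column mapping CSV.

    Every line must have exactly two non-empty fields.  An ID that appears
    twice on either side is ambiguous (the utility writes one LDAP GUID and
    domain name into each Person record), so duplicates are reported with
    line number 0, after the per-line problems."""
    problems = []
    ldap_seen, ess_seen = Counter(), Counter()
    for no, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        fields = [f.strip() for f in row]
        if len(fields) != 2 or not all(fields):
            problems.append((no, "expected two non-empty columns: %r" % row))
            continue
        ldap_seen[fields[0]] += 1
        ess_seen[fields[1]] += 1
    for uid, n in ldap_seen.items():
        if n > 1:
            problems.append((0, "LDAP ID %r appears %d times" % (uid, n)))
    for uid, n in ess_seen.items():
        if n > 1:
            problems.append((0, "ESS ID %r appears %d times" % (uid, n)))
    return problems


def triage_log(text):
    """Count log lines by severity letter and collect the user IDs named in
    error lines (the first quoted string, as in BMC-CPU003076E/003006E)."""
    by_severity = Counter()
    failed_users = set()
    for line in text.splitlines():
        m = CODE_RE.match(line)
        if not m:
            continue  # not a BMC-coded message; leave it alone
        _prefix, _number, severity, message = m.groups()
        by_severity[severity] += 1
        if severity == "E":
            quoted = re.search(r'"([^"]+)"', message)
            if quoted:
                failed_users.add(quoted.group(1))
    return by_severity, failed_users


if __name__ == "__main__":
    for line_no, problem in check_mapping_file(MAPPING_CSV):
        print("mapping file line %d: %s" % (line_no, problem))
    severities, users = triage_log(UTILITY_LOG)
    print("messages by severity:", dict(severities))
    print("users to fix in the CSV:", sorted(users))
```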


Appendix C Securing ESS Audit records

This appendix describes a procedure an IdM Suite administrator can optionally use to verify the authenticity and integrity of the Audit entries Identity Open Services sends to the ESS database. The following topics are discussed:

- Overview
  - Enabling Audit entries
  - Signing Audit entries
  - Validating Audit entries
  - Software required
- Prerequisite: Enabling audit messages
- Using the audit-validator
  - Configuring the audit-validator
  - Running the audit-validator
  - The audit-validator output file
  - Validating Audit records from more than one Open Services
  - Using more than one private/public key pair

Overview

This section provides an overview of Identity Open Services Audit entry validation.

NOTE Signing and validating audit entries may slow the performance of the BMC Identity Management Suite.

Enabling Audit entries

Only audit entries that one of the BMC Identity Management Suite applications sends to Open Services, and that are digitally signed, can be validated. Configuration options control whether certain audit entries are signed, and which types of audit entries are sent to the ESS database. For more information, see Prerequisite: Enabling audit messages on page 261.

Signing Audit entries

BMC Identity Open Services automatically numbers and digitally signs the Audit entries it sends to the ESS database. The types of audit entries sent depend on certain configuration parameters. For more information, see Prerequisite: Enabling audit messages on page 261.

BMC Identity Open Services clients: Identity Compliance Manager (a client of Open Services) automatically signs all Audit entries it passes to Open Services, and all of its entries are sent to the ESS database. Audit entries originating from Compliance Manager are first signed by Compliance Manager, and then signed a second time by Open Services before they are saved to the ESS database.

Validating Audit entries

A procedure to validate the numbered and signed Audit entries is available. The validation procedure can do the following:

- Authentication: Verifies that Audit records stored in the ESS database were created by:
  - Open Services
  - Open Services and a BMC product that is a client of Open Services (e.g., BMC Identity Compliance Manager).
- Integrity: Verifies that Audit records are not missing (i.e., deleted), or inserted with an existing count value.

Software required

The validation procedure requires the following software:

- audit-validator utility: a standalone application that is installed with the BMC Identity Management Suite
- Back-end keystore: authentication key pair
- Client keystore: authentication key pair

Prerequisite: Enabling audit messages

The following should be noted about audit entries:

- The BMC User Administration Manager product does not send any audit entries to the ESS DB.
- The BMC Identity Compliance Manager product always sends audit entries to the ESS DB. The Compliance Manager audit entries cannot be disabled.

There are several parameters that you can set relating to whether Open Services sends audit entries to Enterprise SecurityStation. The result of configuring not to send a type of audit entry is that the validation procedure will not be applicable for that type of entry.

To configure audit enabling options

1 Open the file open-services-config.xml in a text editor. The file is located here:

$BMC_IDM_SUITE_HOME/open_services/conf/open-services-config.xml

Figure 29 open-services-config.xml

<audit-on-self-service>
  <value>false</value>
</audit-on-self-service>
<audit-signature-enabled>
  <value>true</value>
</audit-signature-enabled>
<audit-on-login>
  <value>true</value>
</audit-on-login>

2 Modify any of the default values that you want. The parameters are described in Table 45.

Table 45 open-services-config.xml

| Parameter | Description |
|---|---|
| audit-on-self-service | Enables sending audits from Password Manager. Default: False |
| audit-signature-enabled | Enables signing audits from Open Services. Default: True |
| audit-on-login | Enables sending audits from the Suite login page. Default: True |

3 When you are finished, save and close the file.

Using the audit-validator

The audit-validator utility validates Audit entries for a given ESS Login Profile and a given Open Services ID. Parameters for the audit-validator utility are set in a configuration file. Additional parameters are passed as command-line arguments when running the utility.

Configuring the audit-validator

To configure the xml file

1 Open the following file in a text editor:

$BMC_IDM_SUITE_HOME/general/tools/audit-validator/conf/audit-validator-config.xml

The file looks like this (see Figure 30):

Figure 30 audit-validator-config.xml (Part 1 of 2)

<?xml version="1.0" encoding="iso "?>
<audit_validator>
  <container type="@container type@">
    <initial_context_factory>@context factory class@</initial_context_factory>
    <url_prefix>@url prefix@://</url_prefix>

Figure 30 audit-validator-config.xml (Part 2 of 2)

    <ssl_keystore value="@ssl keystore file@"/>
    <secure>@true/false@</secure>
  </container>
  <open_services_instance id="@instance id@" hostname="@host@" Port="@port@">
    <keystore value="@keystore file@"/>
  </open_services_instance>
</audit_validator>

2 Change the parameter values according to the descriptions in Table 46 and then save the file.

Table 46 audit-validator-config.xml

| Parameter | Description |
|---|---|
| @container type@ | Use: jboss |
| @context factory class@ | The fully qualified name of the initial context factory class: org.jnp.interfaces.NamingContextFactory |
| @url prefix@ | Prefix of the URL to connect to the application server. Use: jnps:// |
| @ssl keystore file@ | (Only applicable if the tag secure=true) Full path and file name of the SSL keystore file. Needed only when an SSL port is used. The keystore of the suite_sdk installation can be used. If the keystore of the suite_sdk is not configured for SSL, you can learn how to configure it in the Suite SDK Programmer's Guide. |
| @true/false@ (secure) | Is the connection between Open Services and the container secure? |
| @instance id@ | This ID is specified in this file and path: $BMC_IDM_SUITE_HOME/security/conf/open-services-security.xml |
| @host@ | Host name or IP address of the Open Services installation. |
| @port@ | Open Services listener port. |
| @keystore file@ | Full path and file name of the Back-end Suite keystore. This Suite keystore contains the certificate entry for the signed audits. The keystore must be accessible to the audit-validator utility where it is executed. |

Running the audit-validator

The person running the audit-validator utility must be defined in his/her Person record with the field Authentication Method set to Normal.

To run the audit-validator utility

1 Ensure the Back-end Suite keystore can access the public authentication keys for all audit entries you want the audit-validator utility to authenticate. You can list the Suite keystore entries to be sure the authentication key aliases match the aliases of the keys used to sign the audit entries. For more information, see Security and Authentication: Suite Keystores.

2 Change directory to the audit-validator utility directory. The utility is located here:

$BMC_IDM_SUITE_HOME/general/tools/audit-validator

Run the utility using one of these files:

Table 47 Starting the audit-validator utility

| Operating system | Start file |
|---|---|
| Windows | IDM-auditvalidator.bat |
| UNIX | IDM-auditvalidator.sh |

NOTE IDM-auditvalidator.bat can only run on a Windows platform, but it can access a remote UNIX computer.

Parameters are passed as command-line arguments when running the utility. The following command describes the syntax for running the audit-validator utility:

IDM-auditvalidator -p EssProfileName [-U PersonID] [-P PersonPassword] [-c configurationfile] [-si StartIndex] [-h help]

- ProfileName: ESS Login Profile name.
- PersonID: user_id of the Person whose ESS Admin is permitted to view Audits.
- Password: Person password. If you do not specify the password at the command line you will be prompted for it.

- Configuration file: Name and full path of the configuration file. This value is required only if the path is different from the default.
- Start index: Index of the Audit entry the utility will start with (default Start Index = 1). If the ESS administrator deletes some Audit entries from the ESS database, the IdM Suite administrator can start the utility from any Index of the remaining Audit entries.

NOTE The IDM-auditvalidator.log file that is generated when running the audit-validator reports the current indexes of the Audit entries.

- Help: Prints this IDM-auditvalidator usage.

NOTE For information about cleaning old ESS Audit entries, see the description of db_del_old in Chapter 5 Utilities of the Enterprise SecurityStation Administration Guide.

The audit-validator output file

The audit-validator output file is written to the following location:

$BMC_IDM_SUITE_HOME/general/tools/audit-validator/log/IDM-auditvalidator.log

The output contains error messages for the following:
- Audit entry not authenticated
- Audit entry missing
- Audit entry inserted with an existing count value

Validating Audit records from more than one Open Services

The audit-validator utility supports ESS installations that are connected to several Open Services instances (IDs). The Open Services instances must all be deployed on the same type of application server (e.g., JBoss).

In such an installation, the input XML file:

$BMC_IDM_SUITE_HOME/general/tools/audit-validator/conf/audit-validator-config.xml

should contain several input elements, each containing the Open Services tags for a given ID (i.e., a different installation of Open Services).

Figure 31 Open Services ID tag block

<open_services_instance id="@instance id@" hostname="@host@" Port="port">
  <keystore value="@keystore file@"/>
</open_services_instance>

@keystore file@ paths: The multiple keystore files can be imported to the computer where the audit-validator utility is running (or made accessible to the utility when you run it).

Figure 32 Multiple Open Services (example)

<open_services_instance id="1" hostname="host1" rmiport="111">
  <keystore value="/home/os1/bmc/idm/idm-suite5.5/security/keystore/ctsa_os1.keystore"/>
  <secure>true</secure>
</open_services_instance>
<open_services_instance id="2" hostname="host2" rmiport="222">
  <keystore value="/home/os1/bmc/idm/idm-suite5.5/security/keystore/ctsa_os2.keystore"/>
  <secure>true</secure>
</open_services_instance>

If several Open Services IDs are specified, the utility runs its validation several times, once for each Open Services installation. The utility filters the Audit records for each Open Services installation according to its Open Services ID.

Using more than one private/public key pair

Two scenarios require using more than one private/public key pair:

- Audit entries are signed by Open Services and an Open Services client (e.g., Compliance Manager). The audit-validator utility will use the public keys in the Back-end System keytool.
- The private/public key pair of Open Services, or that of the client application, is replaced with another private/public key pair. The IdM Suite administrator should keep a copy of the public key for validating audit record signatures from before the time of the change.
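The numbering-and-signature scheme this appendix describes, and the three findings the audit-validator reports, modelled as added example code (not BMC's implementation): one Open Services ID, double signing of a Compliance Manager entry, filtering by Open Services ID, a start index, and a keystore that still holds the key in use before a rotation. Assumption: HMAC-SHA256 keys stand in for the product's private/public key pairs so the block runs with the standard library only; the entry layout, key aliases and sample events are constructed.

```python
"""Model of the numbered-and-signed Audit chain from Appendix C and the
checks the audit-validator performs.  Added example, not BMC code.
ASSUMPTION: HMAC-SHA256 replaces the product's asymmetric key pairs; the
chain logic is the one the text describes, only the primitive is swapped."""
import hashlib
import hmac
import json


def canonical(entry, *skip):
    """Stable byte form of an entry minus the signature fields that did not
    exist yet when the signature being computed or checked was made."""
    body = {k: v for k, v in entry.items() if k not in skip}
    return json.dumps(body, sort_keys=True).encode()


def _sig(key, payload):
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def sign_entry(index, os_id, event, os_key, client=None):
    """Number and sign one Audit entry.  A client-originated entry (e.g.
    Compliance Manager) is signed by the client first; Open Services then
    signs the whole entry, client signature included."""
    entry = {"index": index, "os_id": os_id, "event": event}
    if client is not None:
        entry["client"] = client[0]
        entry["client_sig"] = _sig(client[1], canonical(entry))
    entry["os_sig"] = _sig(os_key, canonical(entry))
    return entry


def _verified(entry, field, keystore):
    """True if any key in the keystore verifies the named signature field;
    keystore maps alias -> key, like the Suite keystore entries listed in
    step 1 of Running the audit-validator."""
    skip = ("os_sig",) if field == "os_sig" else ("client_sig", "os_sig")
    return any(hmac.compare_digest(_sig(k, canonical(entry, *skip)), entry[field])
               for k in keystore.values())


def validate(entries, os_id, keystore, start_index=1):
    """Replay the validator's checks for one Open Services ID and return
    (index, finding) pairs using the wording of IDM-auditvalidator.log."""
    findings = []
    own = sorted((e for e in entries if e["os_id"] == os_id and e["index"] >= start_index),
                 key=lambda e: e["index"])
    expected, seen = start_index, set()
    for e in own:
        idx = e["index"]
        if idx in seen:
            findings.append((idx, "Audit entry inserted with an existing count value"))
        else:
            findings.extend((gap, "Audit entry missing") for gap in range(expected, idx))
            seen.add(idx)
            expected = idx + 1
        if not _verified(e, "os_sig", keystore):
            findings.append((idx, "Audit entry not authenticated"))
        elif "client_sig" in e and not _verified(e, "client_sig", keystore):
            findings.append((idx, "Audit entry not authenticated (client signature)"))
    return findings


# Constructed keys: Open Services key before and after a rotation, and the
# Compliance Manager client key.
OS_KEY_V1, OS_KEY_V2, CM_KEY = b"os-key-v1", b"os-key-v2", b"cm-key"


def current_keystore():
    """Keystore kept as the Important note requires: the pre-rotation
    alias is retained alongside the current one and the client's."""
    return {"os-2006": OS_KEY_V1, "os-2007": OS_KEY_V2, "compliance-manager": CM_KEY}


def sample_store():
    """Constructed ESS audit table: five entries, key rotated after entry 3,
    entry 2 originated in Compliance Manager.  Then entry 3 is deleted, a
    forged entry reusing index 4 is inserted, and entry 5 is edited."""
    chain = [
        sign_entry(1, "os1", "login user=alice", OS_KEY_V1),
        sign_entry(2, "os1", "policy violation acct=bob", OS_KEY_V1, ("ComplianceManager", CM_KEY)),
        sign_entry(3, "os1", "password reset user=carol", OS_KEY_V1),
        sign_entry(4, "os1", "login user=dave", OS_KEY_V2),
        sign_entry(5, "os1", "role granted user=dave role=auditor", OS_KEY_V2),
    ]
    del chain[2]
    chain.insert(3, sign_entry(4, "os1", "login user=dave", b"unknown-key"))
    chain[-1]["event"] = "role granted user=dave role=admin"
    return chain


if __name__ == "__main__":
    for index, finding in validate(sample_store(), "os1", current_keystore()):
        print("index %d: %s" % (index, finding))
```

Running the same store against a keystore from which the pre-rotation alias was deleted reports entries 1 and 2 as not authenticated, which is what the Important note on the next page guards against.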

Important: When adding public key entries to the Back-end Suite keystore, do not delete any existing entries.


Appendix D Using JBoss behind a firewall

This section provides information about how to work when JBoss is deployed behind a firewall. The following topics are discussed:

- Intended audience
- Firewall Scenarios
- JBoss ports used by the BMC Identity Management Suite
- Enabling Request Manager Responsive Action under WAM

Intended audience

The intended audience for this section is a firewall security administrator. It is assumed this administrator is familiar with how to operate and configure the site's firewall. For information regarding operating and configuring third-party firewall products, refer to the documentation provided by your firewall vendor.

Firewall Scenarios

This chapter is intended to cover the following situations:

- A firewall is located between JBoss installed with Identity Open Services in a single account or a Back-end account (i.e., a distributed deployment) and another back-end application (e.g., a secured HR database).

- A firewall is located between JBoss installed with the Suite's Web applications in a single account or a Front-end account (i.e., a distributed deployment) and IdM Suite end users working at browsers.

JBoss ports used by the BMC Identity Management Suite

To enable the BMC Identity Management Suite to operate through a firewall:

- The relevant JBoss listener ports used by the Suite must be opened in the firewall to enable access to JBoss.
- JBoss listener ports used by the Suite may need to be reconfigured.

Table 48 provides the ports, socket type, associated service and link to the service configuration for the services in the default configuration file set, service name, and attribute name.

Table 48 Configuring JBoss for use behind a firewall

| Port | Type | Service Description | Service Name | Attribute Name |
|---|---|---|---|---|
| 1098 | TCP | conf/jboss-service.xml | org.jboss.naming.NamingService | RmiPort |
| 1099 | TCP | conf/jboss-service.xml | org.jboss.naming.NamingService | Port (JNDI) |
| 4444 | TCP | conf/jboss-service.xml | org.jboss.invocation.jrmp.server.JRMPInvoker | RMIObjectPort |
| 4445 | TCP | conf/jboss-service.xml | org.jboss.invocation.pooled.server.PooledInvoker | PooledBindPort |
| 8080 | TCP | deploy/jbossweb-tomcat50.sar/server.xml | org.jboss.web.tomcat.tc4.EmbeddedTomcatService | Port on HTTP Connector |
| 8083 | TCP | conf/jboss-service.xml | org.jboss.web.WebService | Port (Web Service) |

For more information about configuring JBoss for use behind a firewall, see the JBoss Admin Development Guide, section 8.8, Configuring JBoss for use Behind a Firewall.

Enabling Request Manager Responsive Action under WAM

If user authentication is implemented using BMC Web Access Manager, perform this procedure if your IdM Suite solutions include both of the following:

- BMC Identity Compliance Manager
- BMC Identity Request Manager

Before you begin

1 Make sure that you have permissions to access the Back-end account and change files.

2 Make sure that you know the IP address of the Compliance Manager Back-end server, referred to below as CmplMgrBkEndIP.

To enable Request Manager Responsive Action under WAM

1 Log in as follows:
- (Unix) as the Front-end account owner.
- (Windows) on the Front-end server.

2 Back up the following file, and then open it in a suitable editor:
- (Unix) JBossServerHome/server/idm/deploy/jbossweb-tomcat50.sar/server.xml
- (Windows) JBossServerHome\server\idm\deploy\jbossweb-tomcat50.sar\server.xml

where JBossServerHome is the full path of the JBoss application server.

3 Locate the following line:

<Engine defaultHost="localhost" name="jboss.web">

4 Add the following after the above line:

<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="CmplMgrBkEndIP" />

where CmplMgrBkEndIP is the IP address of the Compliance Manager Back-end server.

5 Save server.xml.

6 Stop the Front-end server and then restart it (see Chapter 5, Operation).

7 When performing the actions described under Request Manager definitions in Compliance Manager in the BMC Identity Compliance Manager Administrator Guide, note that for the Host name value you must not use the computer name. Use only the IP address of the computer on which Request Manager is installed.

Appendix E Messages

This appendix describes the error messages that are issued by BMC Identity Open Services. The following topics are discussed:

- Message components
- Message descriptions

Message components

Each message consists of an error code followed by a description of the message. The message code consists of:

- prefix
- number
- suffix

For example: BMC-TOS002001I

Each element in the code is described in the following table:

| Component | Description |
|---|---|
| prefix | A character prefix identifying the component that produced the message: BMC-TOS |
| number | The number 00 followed by a specific numeric identifier for the message |
| suffix | A single character indicating the severity of the message. (Not all messages have suffixes.) The following characters may appear: S Severe error; E Error; W Warning; I Information or additional information |

Each message is followed by additional informative clauses:

| Clause | Description |
|---|---|
| Explanation; Type | Type and explanation of the cause of the message |
| User Response | Action to be taken by the user to correct the problem |

Message log file

All messages described in this chapter are written to log files that are located in the following directory:

$BMC_IDM_SUITE_HOME/open_services/log

The number of log files will vary according to how many events are recorded. Many of the messages described in this chapter are also displayed to the end user in the user's Web browser.

Message descriptions

BMC-TOS002000E Could not verify credentials. Please log in again.
Explanation: Need to get new credentials.
User Response: Log in.

BMC-TOS002001E Credentials have expired. Please log in again.
Explanation: Need to get new credentials.
User Response: Log in.

BMC-TOS002002E Change password is not supported for Authentication Method of type {0}
Explanation: Cannot change password in this login method.

BMC-TOS002003E Could not validate certificate, please check that the certificate was imported into the server keystore.
Explanation: Login - invalid certificate.
User Response: Supply a valid certificate.

BMC-TOS002004E No client certificate signature defined.
Explanation: Login - certificate signature was not supplied.
User Response: Supply a certificate signature.

BMC-TOS002005E No client certificate defined.
Explanation: Login - certificate was not supplied.
User Response: Supply a certificate.

BMC-TOS002005S Cannot resolve {0}
Explanation: Internal error.
User Response: Contact Customer Support.

BMC-TOS002005E No password defined.
Explanation: Login - password was not supplied.
User Response: Supply a password.

BMC-TOS002006E Please recheck user information. User name does not exist, or is not authenticated
Explanation: The specified user name is invalid.
User Response: Supply a correct and valid user name.

BMC-TOS002006E(1) Please recheck user information. Cannot login with the specified ESS login name.
Explanation: The specified user name is invalid.
User Response: Supply a correct and valid user name.

BMC-TOS002006E(2) No user name was defined in the Login request
Explanation: The user name field was left empty.
User Response: Supply a correct and valid user name.

BMC-TOS002006E(3) Please recheck user information. Cannot login with the specified ESS login name and passcode.
Explanation: The login name and/or passcode are invalid.
User Response: Provide the correct login name and passcode.

BMC-TOS002006E(4) Please recheck credentials. No client certificate specified.
Explanation: Identity Open Services cannot find a required client certificate.
User Response: Import the required client certificate to Identity Open Services.

BMC-TOS002006E(5) Please recheck credentials. Certificate signature not valid.
Explanation: A client certificate you have imported is not validly signed.
User Response: Be sure to import a valid certificate.

BMC-TOS002006E(6) Please recheck user information. Cannot login with the specified login name and certificate.
Explanation: Authentication by trusted login has failed either because the login name is not valid, or there is a problem with the client certificate.
User Response: Check the login name and certificate.

BMC-TOS002006E(7) Cannot login. Challenge/Response login is not supported
Explanation: An attempt to log in using challenges and responses failed because the site does not support this log in method.
User Response: Use a supported log in method.

BMC-TOS002006E(8) Please recheck user information. No Challenge/Response entries specified.
Explanation: In BMC Password Manager you have not set up your challenges and responses.
User Response: To use challenge/response login it is necessary to set up your challenges and responses.

BMC-TOS002006E(9) Please recheck user information. Cannot login with the specified ESS login name and Challenge/Response pairs.
Explanation: The responses are incorrect.
User Response: Provide the correct responses to the challenges.

BMC-TOS002006E(10) Please recheck user information. No password specified.
Explanation: The password field was left empty.
User Response: Provide the correct password.

BMC-TOS002006E(11) Please recheck user information. Cannot login with the specified ESS login name and password.
Explanation: The user name and/or the password are incorrect.
User Response: Be sure that you provide the correct user name and password.

BMC-TOS002007E Capabilities information does not exist for this ESS version {0}
Explanation: The ESS version information should be added to the capabilities file.
User Response: Invoke the ServiceManager.getCapabilities method in any context within the web application.

BMC-TOS002008E Index type cannot be a null object {0}
Explanation: Internal error.
User Response: Contact Customer Support.

BMC-TOS002009E Unknown index type {0}
Explanation: Internal error. Not fatal.
User Response: Contact Customer Support.

BMC-TOS002010E Cannot create pk from string {0} - incorrect field set
Explanation: Abnormal circumstances.
User Response: Correct the field set.

BMC-TOS002011E Cannot create pk from string {0} - no fields set
Explanation: Abnormal circumstances.
User Response: Correct the field set.

BMC-TOS002012E Profile name is null or empty
Explanation: Internal error.
User Response: Contact Customer Support.

BMC-TOS002013E No version information for the ess-profile {0}
Explanation: Internal error.
User Response: Contact Customer Support.

BMC-TOS002015E The method {0} not supported
Explanation: The specified method is not supported.
User Response: Do not use the method.

BMC-TOS002017E Cannot get reference to configuration file {0}
Explanation: Cannot load the configuration file. As a result, the system cannot be used.
User Response: Contact Customer Support.

BMC-TOS002018E Cannot load configuration mapping file {0}
Explanation: Cannot load the configuration file, because the file that specifies the mapping rules for reading a configuration XML file is missing. As a result, the system cannot be used.
User Response: Contact Customer Support.

BMC-TOS002019E loadconfigfile: Could not load config file {0}
Explanation: Cannot load the configuration file, because a configuration XML file is missing. As a result, the system cannot be used.
User Response: Contact Customer Support.

BMC-TOS002023E No class associated with property key {0}
Explanation: Reflection error. As a result, the specific JNI interface cannot be used.
User Response: Contact Customer Support.

BMC-TOS002024E Cannot create new instance {0}
Explanation: Reflection error. As a result, the specific JNI interface cannot be used.
User Response: Contact Customer Support.

BMC-TOS002025E Unable to initialize entity factory
Explanation: Could not load the appropriate JNI class. As a result, the specific JNI interface cannot be used.
User Response: Contact Customer Support.

BMC-TOS002030E ESS API handle not Initialized
Explanation: Internal error. As a result, Identity Open Services cannot connect to the ESS API.
User Response: Contact Customer Support.

BMC-TOS002036E Cannot create a Primary Key from the given map
Explanation: An attempt was made to create a Primary Key object using the constructor that accepts a Map as an argument. The map given is not valid for the creation of the Primary Key object.

BMC-TOS002037E Could not create credentials from String
Explanation: An attempt was made to create a Credentials object from a String using the method ESSCredentials.constructFromBase64(). The string given is not valid for the creation of a Credentials object.

BMC-TOS002038E Users who logged in using Challenge/Response cannot obtain ESS credentials
Explanation: There was an attempt to log in with Challenge/Response and then get ESS credentials for ESS activities. Logging in through Challenge/Response only allows access to Self Services.
User Response: Any ESS Operation

BMC-TOS002039E Failure to create ESS Admin credentials from a person's identity context
Explanation: A person attempts to perform an ESS operation after a successful login, but doesn't have authorization for obtaining ESS credentials.
User Response: Review the log file. Call an administrator.

BMC-TOS Unable to perform operation for non-trusted client
Explanation: This service can be performed only by clients logged in using the Trusted Authentication method.
User Response: Review the log file. Call an administrator.

BMC-TOS002041E No unattended Administrator was defined for this login profile
Explanation: An unattended Administrator was not defined for this Login Profile.
User Response: Define an unattended Administrator for this Login Profile using the Unattended Admin Builder Tool.

BMC-TOS002042E Person Login Failure. Please Call System Administrator.
Explanation: The person cannot log in. Some possible reasons are:
- the person is in revoked status
- the person had too many failed login attempts
- the person did not use the correct authentication method
User Response: Review the log file. Call an administrator.

BMC-TOS002042E(1) Person Login Failure. Login name specified belongs to more than one user.
Explanation: The person cannot log in because the login ID is not unique.
User Response: Call an administrator.

BMC-TOS002042E(2) Person Login Failure. There were too many failed login attempts.
Explanation: The person cannot log in. If there are too many invalid login attempts, your system locks you out.
User Response: Call an administrator.

BMC-TOS002042E(3) Person Login Failure. ESS Person ({1}) not configured to login with {0} authentication method.
Explanation: The person cannot log in. The specified login method is not supported for the person named.
User Response: Use a supported login method.

BMC-TOS002042E(4) Person Login Failure. Trusted login not supported.
Explanation: The person cannot log in. Trusted login is not supported.
User Response: Use a supported login method.

BMC-TOS002042E(5) Person Login Failure. There were too many failed Challenge/Response login attempts.
Explanation: The person cannot log in. If there are too many invalid challenge/response attempts, your system locks you out.
User Response: Call an administrator.

BMC-TOS002042E(6) Person Login Failure. User is revoked.
Explanation: The person cannot log in because the user has been revoked.
User Response: Call an administrator.

BMC-TOS002042E(7) Person Login Failure. User is inactive.
Explanation: The person cannot log in because the user has been given the status: inactive.
User Response: Call an administrator.

BMC-TOS002042E(8) Person Login Failure. Policy does not allow login with empty password.
Explanation: The person cannot log in because a password is required, and no password was provided.
User Response: Provide the correct password.

BMC-TOS002043E Problem occurred during login. Please call System Administrator.
Explanation: A problem occurred during the login process.
User Response: See the log file for a more detailed description.

BMC-TOS002044E You are only authorized to change your password. To regain your full rights please change your password and re-login.
Explanation: You used challenges and responses to access the Suite, but this authentication method requires that you change your password and log in again.
User Response: Change your password and use your new password to log in.

BMC-TOS002048E Challenge length must be at least {0} characters.
Explanation: You created a challenge that has fewer than the indicated number of characters.
User Response: Create a challenge that has at least the indicated number of characters.

BMC-TOS002053E Account self registration feature was disabled by the administrator.
Explanation: You cannot use BMC Password Manager to register your own accounts.
User Response: To use BMC Password Manager to manage your unregistered accounts, ask your administrator.

BMC-TOS002056E The challenge text is already defined for another challenge.
Explanation: The new challenge you have entered already exists.
User Response: Create a different challenge.

BMC-TOS002062E Person is not authorized to enable accounts.
Explanation: Enabling your own accounts is not authorized.
User Response: Call your administrator.

BMC-TOS002063E Person is not authorized to unlock accounts.
Explanation: Unlocking your own accounts is not authorized.
User Response: Call your administrator.

BMC-TOS002064E Person is not authorized to restore accounts.
Explanation: Restoring your own accounts is not authorized.
User Response: Call your administrator.

BMC-TOS002065E Password cannot be empty for the specified accounts.
Explanation: You cannot leave the password field empty.
User Response: Enter a password.

BMC-TOS002067E Minimum password change interval is {0} days
Explanation: You cannot change your password more frequently than the interval indicated.
User Response: Call your administrator.

BMC-TOS002068E The current password does not match the person password.
Explanation: You entered an incorrect password.
User Response: You must provide your current password to verify ownership of the account.

BMC-TOS002069E Response submission failure: The response matches the current password
Explanation: When creating responses you entered your current password.

User Response: Enter a response that is different from your current password.

BMC-TOS002070E Password change failure: The new password is equal to the current password
Explanation: A new password cannot match the current password.
User Response: Enter a password that is different from the current password.

BMC-TOS002071E Response submission failure: The new response matches a previous password
Explanation: A new response cannot match a password that is stored in your password history log.
User Response: Enter a new response that is different from any of your recent passwords.

BMC-TOS002072E Password change failure: The new password matches a previous password
Explanation: A new password cannot match a password that is stored in your password history log.
User Response: Enter a new password that is different from any of your recent passwords.

BMC-TOS002073E Response submission failure: The new response is identical to an existing response
Explanation: A new response cannot match any of the existing responses you already created.
User Response: Enter a new response that is different from any of your existing responses.

BMC-TOS002074E Password change failure: The password matches an existing response
Explanation: A new password cannot match any of the existing responses you already created.
User Response: Enter a new password that is different from any of your existing responses.

BMC-TOS002075E Response submission failure: The response matches a personal detail in the database
Explanation: A new response cannot contain personal details (e.g., your address).
User Response: Enter a new response that does not contain your personal details.

BMC-TOS002076E Password change failure: The password matches a personal detail in the database
Explanation: A new password cannot contain personal details (e.g., your address).

User Response: Enter a new password that does not contain your personal details.

BMC-TOS002077E Response submission failure: The response is over the max limit of {0} characters
Explanation: Your new response is longer than allowed.
User Response: Create a response that has up to the indicated number of characters.

BMC-TOS002078E Password change failure: The password is over the max limit of {0} characters
Explanation: Your new password is longer than allowed.
User Response: Create a password that has up to the indicated number of characters.

BMC-TOS002079E Response submission failure: The response is under the minimum of {0} characters
Explanation: Your new response is shorter than allowed.
User Response: Create a response that has at least the indicated number of characters.

BMC-TOS002080E Password change failure: The password is under the minimum of {0} characters
Explanation: Your new password is shorter than allowed.
User Response: Create a password that has at least the indicated number of characters.

BMC-TOS002081E Response submission failure: The Response matches an entry in a forbiddenresponses dictionary
Explanation: Your response contains one or more words that are not allowed by your site.
User Response: Create a response using different words.

BMC-TOS002082E Password change failure: The password matches an entry in a forbiddenpasswords dictionary
Explanation: Your password matches an entry that is not allowed by your site.
User Response: Create a password that is different from the one you just entered.

BMC-TOS002083E Password change failure: password resembles current password
Explanation: Your password is similar to your current password.
User Response: Create a password that is substantially different from the one you just entered.

BMC-TOS002084E Password change failure: Password contains too many uppercase letters
Explanation: Your new password has more uppercase characters than are allowed.
User Response: Create a password that uses fewer uppercase characters.

BMC-TOS002085E Password change failure: Password contains too many lowercase letters
Explanation: Your new password has more lowercase characters than are allowed.
User Response: Create a password that uses fewer lowercase characters.

BMC-TOS002086E Password change failure: Password contains too many digits
Explanation: Your new password has more digits than are allowed.
User Response: Create a password that uses fewer digits.

BMC-TOS002087E Password change failure: Password does not contain enough uppercase letters
Explanation: Your new password does not have enough uppercase letters.
User Response: Create a password using more uppercase letters.

BMC-TOS002088E Password change failure: Password does not contain enough lower case letters
Explanation: Your new password does not have enough lowercase letters.
User Response: Create a password using more lowercase letters.

BMC-TOS002089E Password change failure: Password does not contain enough digits
Explanation: Your new password does not have enough digits.
User Response: Create a password using more digits.

BMC-TOS002090E Password change failure: Password not allowed to contain spaces
Explanation: You cannot include any spaces within your password.
User Response: Create a password that does not contain any spaces.

BMC-TOS002091E Password change failure: Password contains disallowed character: {0}
Explanation: You cannot create a new password that contains the indicated character.
User Response: Create a password that does not contain the indicated character.

BMC-TOS002092E Password change failure: Password similar to a personal detail in the database
Explanation: A new password cannot contain personal details (e.g., your address).

User Response: Enter a new password that does not contain your personal details.

BMC-TOS002093E Password contains too many characters of the following types: {0}
Explanation: Your new password includes too many characters of the indicated types (e.g., uppercase/lowercase letters, digits).
User Response: Enter a new password that has fewer characters of each indicated type.

BMC-TOS002094E Password does not contain enough characters of the following types: {0}
Explanation: Your new password includes too few characters of the indicated types (e.g., uppercase/lowercase letters, digits).
User Response: Enter a new password that has more characters of each indicated type.

BMC-TOS002095E Mapping failed. Password of ESS person {0} is not valid. Change password is needed.
Explanation: To complete the mapping you need to change your Person password.
User Response: Call your administrator.

BMC-TOS002096E Mapping failed. ESS Person(s) {0} already mapped to these external credentials.
Explanation: Mapping failed because it was previously completed; it needs to be done only once.
User Response: No action is needed.

BMC-TOS005560I Starting to validate Audits from index: {0}
Explanation: The validation process has started.
User Response: Do nothing.

BMC-TOS005561I Finished validating at count {0}
Explanation: The validation process has finished. The last count validated is indicated for use in the next run as the starting index.
User Response: Do nothing.

BMC-TOS005500E More than one entry found with the same count: {0} Server ID: {1}
Explanation: More than one audit record has the same count number.
User Response: Try to locate and fix the source of the problem.

BMC-TOS005501E Entry is missing for count: {0} Server ID: {1}
Explanation: There is an unexpected gap in the audit records. This specific count number is missing.
User Response: Try to locate and fix the source of the problem.

BMC-TOS005502E Validation failed for: {0}
Explanation: The signature and the data in the audit record do not match.
User Response: Try to locate and fix the source of the problem.

BMC-TOS005503E Configuration File Path is empty
Explanation: The parameter that holds the configuration file path is empty. This parameter is mandatory.
User Response: Provide the full path to a valid configuration file.

BMC-TOS005504E Log file initialization error
Explanation: Error during log file initialization.
User Response: Try to locate and fix the source of the problem.

BMC-TOS005505E Config file initialization error
Explanation: Error during configuration file initialization.
User Response: Try to locate and fix the source of the problem.

BMC-TOS005506E Error occurred. Please refer to the log file for details: {0}
Explanation: A general error occurred during the utility process. The detailed error may be found in the log file.
User Response: Look at the log file for details on the error and correct the problem.

BMC-TOS005521E Container type already exists
Explanation: More than one Container instance is defined in the configuration file with the same type. Only one Container of a specific type can be defined.
User Response: Try to locate and fix the source of the problem.

BMC-TOS005522E Container type is empty
Explanation: The Type parameter in the Container instance definition is empty. This parameter is mandatory.
User Response: Enter the value.

BMC-TOS005523E Initial context factory is empty
Explanation: The Initial Context parameter in the Container instance definition is empty. This parameter is mandatory.
User Response: Fill in the value.

BMC-TOS005524E URL prefix is empty
Explanation: The URL prefix parameter in the Container instance definition is empty. This parameter is mandatory.
User Response: Fill in the value.

BMC-TOS005525E Keystore file path is empty
Explanation: The Keystore file path parameter in the Container instance definition is empty. This parameter is mandatory if the type is JBOSS and the communication is indicated as secure.
User Response: Fill in the value.

BMC-TOS005540E Open Services Instance ID already exists
Explanation: More than one Open Services instance is defined in the configuration file with the same ID.
User Response: Try to locate and fix the source of the problem.

BMC-TOS005541E User name is empty
Explanation: The parameter that holds the user name is empty. This parameter is mandatory.
User Response: Provide the user name.

BMC-TOS005542E Password is empty
Explanation: The parameter that holds the password is empty. This parameter is mandatory.
User Response: Provide the password.

BMC-TOS005543E Login profile is empty
Explanation: The parameter that holds the login profile is empty. This parameter is mandatory.
User Response: Provide the login profile.

BMC-TOS005544E Open Services Instance ID is empty
Explanation: The Instance ID parameter in the Open Services instance definition is empty. This parameter is mandatory.

User Response: Fill in the value.

BMC-TOS005545E Open Services Instance ID: {0} Keystore file path is empty
Explanation: The Keystore file path parameter in the Open Services instance definition is empty. This parameter is mandatory.
User Response: Fill in the value.

BMC-TOS005546E Open Services Instance ID: {0} Host name is empty
Explanation: The Host name parameter in the Open Services instance definition is empty. This parameter is mandatory.
User Response: Fill in the value.

BMC-TOS005547E Open Services Instance ID: {0} Port number is empty
Explanation: The Port number parameter in the Open Services instance definition is empty. This parameter is mandatory.
User Response: Fill in the value.

BMC-TOS003048E Failed to connect to Open Services Instance Id {0}
Explanation: An error occurred during the attempt to connect to Open Services.
User Response: Correct the problem and try again.

BMC-CPU000001E A server error occurred. Contact your Administrator.
Explanation: An internal error occurred.
User Response: The administrator should contact Customer Support.

BMC-CPU000002E Login error: Basic authentication failed.
Explanation: Additional information regarding the problem is displayed in the error message that follows this message.

BMC-CPU000003E Login error: SecureID authentication failed.
Explanation: Additional information regarding the problem is displayed in the error message that follows this message.

BMC-CPU000004E Login error: Challenge-Response authentication failed.
Explanation: Additional information regarding the problem is displayed in the error message that follows this message.

BMC-CPU000005E Login error: Some details required for Trusted Login are incorrect or missing.
Explanation: Additional information regarding the problem is displayed in the error message that follows this message.

BMC-CPU000006E Context error: JNDI configurations are incorrect, or required object is not registered.
Explanation: A configuration error may exist in the following files: $BMC_IDM_SUITE_HOME/discovery/gluecore/client-jndi-config.xml, $BMC_IDM_SUITE_HOME/discovery/openservices/client-jndi-config.xml.
User Response: Correct the port or host values in the file. Restart the BMC Identity Management Suite.

BMC-CPU000007E Communication error.
Explanation: A problem with remote communication with other software components occurred. Additional information regarding the problem is displayed in the error message that follows this message.

BMC-CPU000008E Authentication provider error.
Explanation: A problem with ESS occurred. Additional information regarding the problem is displayed in the error message that follows this message.

BMC-CPU000009E The two passwords you entered are not identical. Please try again.
Explanation: When you retyped the password for verification, the retyped password did not match the first password.
User Response: Specify the new password again.

BMC-CPU000010E Login error: Name of Person or current password is incorrect.
Explanation: The login ID and/or password you entered are incorrect. Either the login ID does not exist or the wrong password was specified.
User Response: Specify the correct login ID and password.

BMC-CPU000011E Change password action failed.
Explanation: Additional information regarding the problem is displayed in the error message that follows this message.

BMC-CPU000012E No login method is allowed.
Explanation: None of the available login methods is enabled.
User Response: Enable a login method in the file $BMC_IDM_SUITE_HOME/glue_web/conf/glue-web-ui-config.xml. Restart the BMC Identity Management Suite.

BMC-CPU000013I You have not defined any challenges.
Explanation: You attempted to log in to Identity Management Suite using challenges and responses, but no challenges or responses are defined.

User Response: Log in to Identity Management Suite with your password and then define the required number of challenge-response pairs in Password Manager. If you do not know your password, contact your system administrator.

BMC-CPU000014I You must change your password. This may be your first login, or your password has expired.
Explanation: You have no valid password, or your password has expired.
User Response: Click Change Password and enter a new password.

BMC-CPU000015I Your session has timed out. Log in again.
Explanation: The program has been idle beyond the time period allowed.
User Response: Log in again.

BMC-CPU000016E Login with External authentication failed.
Explanation: The login using external authentication failed.
User Response: Contact your administrator.

BMC-CPU000016I Keywords required for External Authentication mapping were not found in Suite login profile ({0}). Please, see documentation.
Explanation: Keywords that must be installed in the Person records in the ESS database were not found in the indicated ESS profile.
User Response: Review the documentation in the Suite Administrator Guide regarding the required installation of keywords.

BMC-CPU000017E Login error: External authentication of user ({0}) in ({1}) succeed, but login into Suite login profile ({2}) failed.
Explanation: The external authentication succeeded, but the login to the BMC Identity Management Suite failed.
User Response: Contact your administrator.

BMC-CPU000018E Mapping error: External authentication of user ({0}) in ({1}) succeed, but mapping person ({2}) in Suite login profile ({3}) to that user failed.
Explanation: The external authentication succeeded, but the mapping to the Suite Person failed.
User Response: Contact your administrator.

BMC-CPU000019E External account ({0}) is mapped in Suite login profile ({1}) to the person, that in order to be authenticated externally, is required to be configured for Trusted login only. Please, call administrator.
Explanation: In the ESS installation indicated, the specified Person record must be configured to use trusted login only.

User Response: Perform the required change in Enterprise SecurityStation.

BMC-CPU000020E Account ({0}) is mapped to more then one person in Suite login profile ({1}). Please, call administrator.
Explanation: The LDAP user must be mapped to exactly one Person record in the ESS database.
User Response: Perform the required change in Enterprise SecurityStation.

BMC-CPU000021E In order to be authenticated externally, person ({0}) in Suite login profile ({1}) is required to be configured for Trusted login only. Please, call administrator.
Explanation: In the ESS installation indicated, the specified Person record must be configured to use trusted login only.
User Response: Perform the required change in Enterprise SecurityStation.

BMC-CPU000022E External account ({0}) is already mapped to another person in Suite login profile ({1}). Please, call administrator.
Explanation: The indicated LDAP user is already mapped to an existing ESS Person record.
User Response: Perform the required change in Enterprise SecurityStation.

BMC-CPU000023I The request you submitted has been configured by your administrator to be blocked because it is not secured (not https).
Explanation: You cannot submit your request because your administrator has configured your BMC Identity Management Suite to accept messages only if they are sent over a secure (https) protocol.
User Response: Contact your administrator.

BMC-CPU000024I WARNING! The request you submitted has been configured by your administrator to display a warning because it is not secured (not https). Do you want to continue?.
Explanation: You can submit your request. However, a warning message is displayed indicating that you are sending an unsecured request.
User Response: Contact your administrator for more information.

BMC-CPU000025E You successfully changed your password.
Explanation: The program has successfully changed your password.
User Response: Log in again.

BMC-CPU001001E You are not allowed to use any of the installed applications
Explanation: You have not been enabled in any BMC Identity Management Suite product.

User Response: Contact your administrator.

BMC-CPU001002E Default login-profile is not defined
Explanation: There is no default ESS Login Profile defined.
User Response: Contact your administrator.

BMC-CPU001003E Name of login-profile required for Trusted Login is not configured
Explanation: The ESS Login Profile required for trusted login has not been created.
User Response: Contact your administrator.

BMC-CPU001004E Header name required for Trusted Login is not configured
Explanation: The Header Name required for trusted login has not been created.
User Response: Contact your administrator.

BMC-CPU001005E Value of header <{0}> required for Trusted Login is missing or empty
Explanation: The header indicated in the message, which is required for trusted login, has not been supplied.
User Response: Contact your administrator.

BMC-CPU001006E Could not get remote user required for Trusted Login
Explanation: Could not retrieve the remote user required for login.
User Response: Contact your administrator.

BMC-CPU001007E Unsupported type of Trusted login
Explanation: The type of trusted login specified by your administrator is not supported.
User Response: Contact your administrator.

BMC-CPU002001E User ({0}) was not found in ({1}) authentication domain. Please, check the user name
Explanation: The user indicated by the message was not found in the domain indicated.
User Response: Verify that the user name exists.

BMC-CPU002002E Authentication of Unattended Administrator ({0}) of ({1}) authentication domain on server ({2}) failed
Explanation: Authentication of the unattended administrator specified in the message, in the indicated domain on the server specified, failed.

User Response: Correct the problem.

BMC-CPU002003E Error occurred during searching for user ({0}) in ({1}) authentication domain on server ({2})
Explanation: An error occurred when searching for the specified user in the specified domain of the indicated server.
User Response: Correct the problem.

BMC-CPU002004E Authentication of user ({0}) in ({1}) authentication domain on server ({2}) failed. Please, check the password or revoke status of the user
Explanation: Authentication of the specified user in the specified domain on the indicated server failed.
User Response: Check the password or revoke status of the user.

BMC-CPU002005E Password of account in authentication domain is empty
Explanation: There is no account password provided.
User Response: Provide the password.

BMC-CPU002006E The type ({0}) is not a supported LDAP type. Currently supported LDAP types are: ({1})
Explanation: The LDAP type is not supported. Must be Active Directory.
User Response: You can use only a supported type.

BMC-CPU002007E System failed to create {0} connection to any of the configured hosts for ({1}) authentication domain. Last error: {2}
Explanation: The system failed to create a connection to any of the configured hosts.
User Response: Try to locate and correct the problem.

BMC-CPU002008E ({0}) is not supported type of External Authentication System.
Explanation: You are attempting to use an unsupported external authentication system.
User Response: You can use only a supported type of external authentication system.

BMC-CPU002009E Decryption of password of unattended administrator of ({0}) authentication domain failed. Call system administrator
Explanation: Decryption of the unattended administrator password in the specified authentication domain failed.
User Response: Contact the administrator.

BMC-CPU002010E Configured attribute with name ({0}) was not found on Person object in ({1}) authentication domain. Please, check the attribute name
Explanation: A configured attribute with the specified name was not found on the Person object in the indicated authentication domain.
User Response: Check the attribute name.

BMC-CPU003080I Starting to map the information from {0}
Explanation: The mapping process has started. The mapping is done using the file indicated in the message.
User Response: No action required.

BMC-CPU003081I Finished mapping
Explanation: The mapping process has finished.
User Response: No action required.

BMC-CPU003004E Map File error. Line {0} does not have {1} tokens only
Explanation: The indicated line in the map file does not have 2 tokens as expected. The number of tokens found is indicated in the message.
User Response: Rewrite the line to hold only the necessary 2 tokens.

BMC-CPU003005E Error mapping file has been read until line {0}
Explanation: An error has occurred during the information retrieval process. The last line read before the error occurred is indicated in the message. Use this index as the starting index for the next run.
User Response: Try to locate and fix the source of the problem.

BMC-CPU003006E Error mapping line for {0} message: {1}
Explanation: An error has occurred during the mapping process. The error that caused this problem is indicated in the message.
User Response: Try to locate and fix the source of the problem.

BMC-CPU003007E Map directory has no files: {0}
Explanation: The directory indicated in the parameters as the mapping directory is empty and has no *.csv files.
User Response: Move the *.csv file(s) to the directory indicated above.

BMC-CPU003008E LDAP Instance ID {0} not found in the configuration file
Explanation: The LDAP instance ID indicated in the parameters cannot be found in the configuration file. This can be caused by a spelling mistake.

User Response: Check the spelling of the LDAP instance ID, or add the required instance to the configuration file.

BMC-CPU003002E Configuration File Path is empty
Explanation: The parameter that holds the configuration file path is empty. This parameter is mandatory.
User Response: Provide the full path to a valid configuration file.

BMC-CPU003009E Log file initialization error
Explanation: An error occurred while initializing the log file.
User Response: Correct the problem.

BMC-CPU003009E Config file initialization error
Explanation: An error occurred while initializing the configuration file.
User Response: Correct the problem.

BMC-CPU003010E Error occurred. Please refer to the log file for details: {0}
Explanation: A general error occurred while the utility was running. Details are written to the log file named in the message.
User Response: Check the log file for details of the error and correct the problem.

BMC-CPU003021E Container type already exists
Explanation: More than one Container instance with the same type is defined in the configuration file. Only one Container of a given type can be defined.
User Response: Leave only one Container instance of each type.

BMC-CPU003022E Container type is empty
Explanation: The Container type parameter in the Container instance definition is empty. This parameter is mandatory.
User Response: Fill in the Container type value.

BMC-CPU003023E Initial context factory is empty
Explanation: The initial context factory parameter in the Container instance definition is empty. This parameter is mandatory.
User Response: Fill in the initial context factory value.

BMC-CPU003024E URL prefix is empty
Explanation: The URL prefix parameter in the Container instance definition is empty. This parameter is mandatory.

User Response: Fill in the URL prefix parameter value.

BMC-CPU003025E Keystore file path is empty
Explanation: The keystore file path parameter in the Container instance definition is empty. This parameter is mandatory when the Container type is JBOSS and the communication is configured as secure.
User Response: Fill in the keystore file path parameter value.

BMC-CPU003040E Open Services Instance ID already exists
Explanation: More than one Open Services instance with the same ID is defined in the configuration file.
User Response: Leave only one instance with each ID.

BMC-CPU003041E User name is empty
Explanation: The parameter that holds the user name is empty. This parameter is mandatory.
User Response: Provide the user name.

BMC-CPU003042E Password is empty
Explanation: The parameter that holds the password is empty. This parameter is mandatory.
User Response: Provide the password.

BMC-CPU003043E Login profile is empty
Explanation: The parameter that holds the login profile is empty. This parameter is mandatory.
User Response: Provide the login profile.

BMC-CPU003044E Open Services Instance ID is empty
Explanation: The Instance ID parameter in the Open Services instance definition is empty. This parameter is mandatory.
User Response: Fill in the Open Services Instance ID parameter value.

BMC-CPU003045E Open Services Instance ID: {0} Keystore file path is empty
Explanation: The keystore file path parameter in the Open Services instance definition is empty. This parameter is mandatory.
User Response: Fill in the keystore file path parameter value.

BMC-CPU003046E Open Services Instance ID: {0} Host name is empty
Explanation: The host name parameter in the Open Services instance definition is empty. This parameter is mandatory.
User Response: Fill in the host name parameter value.

BMC-CPU003047E Open Services Instance ID: {0} Port number is empty
Explanation: The port number parameter in the Open Services instance definition is empty. This parameter is mandatory.
User Response: Fill in the port number parameter value.

BMC-CPU003048E Failed to connect to Open Services Instance Id {0}
Explanation: An error occurred while connecting to the indicated Open Services instance.
User Response: Correct the problem and try again.

BMC-CPU003060E LDAP Instance ID already exists
Explanation: More than one LDAP instance with the same ID is defined in the configuration file.
User Response: Leave only one instance with each ID.

BMC-CPU003061E LDAP Instance is empty
Explanation: The Instance ID parameter in the LDAP instance definition is empty. This parameter is mandatory.
User Response: Fill in the Instance ID parameter value.

BMC-CPU003062E LDAP Directory type is empty
Explanation: The directory type parameter in the LDAP instance definition is empty. This parameter is mandatory.
User Response: Fill in the directory type parameter value.

BMC-CPU003063E LDAP Directory protocol is empty
Explanation: The directory protocol parameter in the LDAP instance definition is empty. This parameter is mandatory.
User Response: Fill in the directory protocol parameter value.

BMC-CPU003064E LDAP Initial context factory is empty
Explanation: The initial context factory parameter in the LDAP instance definition is empty. This parameter is mandatory.
User Response: Fill in the initial context factory parameter value.

BMC-CPU003065E LDAP Instance ID: {0} Host name is empty
Explanation: The host name parameter in the LDAP instance definition is empty. This parameter is mandatory.
User Response: Fill in the host name parameter value.

BMC-CPU003066E LDAP Instance ID: {0} Port number is empty
Explanation: The port number parameter in the LDAP instance definition is empty. This parameter is mandatory.
User Response: Fill in the port number parameter value.

BMC-CPU003067E LDAP user name is empty
Explanation: The user name parameter in the LDAP instance definition is empty. This parameter is mandatory.
User Response: Fill in the user name parameter value.

BMC-CPU003068E LDAP search base is empty
Explanation: The search base parameter in the LDAP instance definition is empty. This parameter is mandatory.
User Response: Fill in the search base parameter value.

BMC-CPU003069E LDAP person search filter is empty
Explanation: The person search filter parameter in the LDAP instance definition is empty. This parameter is mandatory.
User Response: Fill in the person search filter parameter value.

BMC-CPU003070E LDAP external unique ID attribute is empty
Explanation: The external unique ID parameter in the LDAP instance definition is empty. This parameter is mandatory.
User Response: Fill in the external unique ID parameter value.

BMC-CPU003071E LDAP external ID attribute is empty
Explanation: The external ID parameter in the LDAP instance definition is empty. This parameter is mandatory.
User Response: Fill in the external ID parameter value.

BMC-CPU003072E LDAP SSL Keystore file path is empty
Explanation: The SSL keystore file path parameter in the LDAP instance definition is empty. This parameter is mandatory.
User Response: Fill in the SSL keystore file path parameter value.
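The map-file messages earlier in this list (BMC-CPU003004E, BMC-CPU003005E, BMC-CPU003007E) and the LDAP instance parameters just above (person search filter, external unique ID attribute) describe a pipeline the guide never shows end to end: read two-token lines from the *.csv files in the map directory, then look each external unique ID up in the directory. The following Python is an added example written for this page, not code from the Suite or from BMC; the comma delimiter, the meaning of the two columns, the sample file contents and the function names are assumptions, while the message codes are the ones listed above. The point the guide leaves implicit, and that a practitioner should insist on, is in the last functions: an ID taken from a map file is data and must be escaped (RFC 4515) before it is placed into the search filter, otherwise a crafted entry rewrites the filter instead of being looked up literally.

```python
"""Map-file parsing and person lookup filters for the mapping utility.

Added example for this page; the Suite's own utility is not shown in the guide.
"""
import csv
import io
import os
from typing import List, Optional, Tuple

EXPECTED_TOKENS = 2  # the guide: a map-file line must hold exactly 2 tokens

# Constructed sample map file (assumption: comma-separated, first token the
# external unique ID in the directory, second token the Person it maps to).
# Line 4 is deliberately malformed.
SAMPLE_MAP = (
    "jdoe,P000123\n"
    "asmith,P000124\n"
    "\n"
    "broken,line,with three tokens\n"
    "bjones,P000125\n"
)


class MapFileError(Exception):
    """A map-file problem, carrying the message code and the last line read."""

    def __init__(self, code: str, detail: str, last_line_read: int):
        super().__init__(f"{code} {detail}")
        self.code = code
        self.last_line_read = last_line_read


def list_map_files(directory: str) -> List[str]:
    """Return the *.csv files in the map directory; BMC-CPU003007E if there are none."""
    names = sorted(n for n in os.listdir(directory) if n.lower().endswith(".csv"))
    if not names:
        raise MapFileError("BMC-CPU003007E", f"Map directory has no files: {directory}", 0)
    return [os.path.join(directory, n) for n in names]


def parse_map_text(text: str, start_line: int = 1) -> Tuple[List[Tuple[str, str]], int]:
    """Parse map-file content into (mappings, last_line_read).

    Lines before start_line are skipped, so the last line reported by a failed
    run (BMC-CPU003005E) can be fed back in to resume. Blank lines are ignored.
    A line whose token count is not EXPECTED_TOKENS raises MapFileError with
    code BMC-CPU003004E.
    """
    mappings: List[Tuple[str, str]] = []
    last_ok = start_line - 1
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if lineno < start_line:
            continue
        tokens = [t.strip() for t in row]
        if not any(tokens):  # empty line: nothing to map
            last_ok = lineno
            continue
        if len(tokens) != EXPECTED_TOKENS:
            raise MapFileError(
                "BMC-CPU003004E",
                f"Line {lineno} does not have {EXPECTED_TOKENS} tokens only (found {len(tokens)})",
                last_ok,
            )
        mappings.append((tokens[0], tokens[1]))
        last_ok = lineno
    return mappings, last_ok


def check_map_text(text: str, start_line: int = 1) -> Tuple[Optional[str], int, List[Tuple[str, str]]]:
    """Non-raising wrapper: (error_code or None, last_line_read, mappings)."""
    try:
        mappings, last = parse_map_text(text, start_line)
        return None, last, mappings
    except MapFileError as err:
        return err.code, err.last_line_read, []


# RFC 4515 escaping for a value placed inside an LDAP search filter. Without it
# a map-file entry such as "*)(objectClass=*" rewrites the filter instead of
# being looked up as a literal ID.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_person_filter(person_search_filter: str, unique_id_attr: str, unique_id: str) -> str:
    """AND the configured person search filter with the lookup of one user.

    person_search_filter and unique_id_attr are the LDAP instance's "person
    search filter" and "external unique ID attribute"; unique_id is the first
    token of a map-file line.
    """
    template = person_search_filter.strip()
    if not template.startswith("("):
        template = f"({template})"
    return f"(&{template}({unique_id_attr}={escape_filter_value(unique_id)}))"


def filters_for_map(text: str, person_search_filter: str, unique_id_attr: str,
                    start_line: int = 1) -> List[str]:
    """Parse a map file and return one escaped lookup filter per mapping."""
    mappings, _ = parse_map_text(text, start_line)
    return [build_person_filter(person_search_filter, unique_id_attr, uid) for uid, _ in mappings]


if __name__ == "__main__":
    code, last, _ = check_map_text(SAMPLE_MAP)
    print(code, "- last line read:", last)
    # After line 4 is fixed by hand you would rerun from last + 1; here the bad
    # line is simply skipped to show the resume path.
    for flt in filters_for_map(SAMPLE_MAP, "(objectClass=person)", "sAMAccountName", start_line=last + 2):
        print(flt)
```

Running the module shows the BMC-CPU003004E failure with the last line read (3), then the escaped filters produced when parsing resumes past the bad line. The escape table covers the five characters RFC 4515 reserves in assertion values; anything else in an ID is passed through unchanged.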

BMC-CPU003073E Failed to login to LDAP directory using {0}
Explanation: An error occurred while connecting to the LDAP directory. The user used to log in is indicated in the message.
User Response: Contact your administrator.

BMC-CPU003074E LDAP user {0} not found
Explanation: The LDAP user unique ID given in the map file does not exist in the directory, or the person search filter is incorrect.
User Response: Correct the spelling of the unique ID or the search filter.

BMC-CPU003075I LDAP user {0} logged in to {1} successfully
Explanation: This informational message indicates a successful login to the LDAP directory.
User Response: No action required.

BMC-CPU003076E LDAP User search Interrupted. Please try again
Explanation: The search for the user in the LDAP directory was interrupted.
User Response: Contact your administrator and try again.

BMC-CPU003077E Error during LDAP User search
Explanation: An error occurred while searching for the user in the LDAP directory.
User Response: Contact your administrator.

BMC-CPU003078E Unknown error during LDAP User search
Explanation: An unknown error occurred while searching for the user in the LDAP directory.
User Response: Contact your administrator.

BMC-CPU003079E Unknown LDAP type {0}
Explanation: The LDAP type given in the configuration file for the LDAP instance is not supported.
User Response: Use one of the supported types listed in the documentation.

BMC-CPU004008E A Microsoft browser component (MSXML3 or higher) is required. Click OK to display download instructions.
Explanation: When you use Microsoft Internet Explorer to access the BMC Identity Management Suite, the MSXML3 (or higher) component is required.

User Response: Click OK to display the download instructions.

BMC-CPU004008E Failed to load XML using the installed MSXML parser. A Microsoft browser component (MSXML3 or higher) is required. Click OK to display download instructions.
Explanation: When you use Microsoft Internet Explorer to access the BMC Identity Management Suite, the MSXML3 (or higher) component is required.
User Response: Click OK to display the download instructions.

BMC-CPU004009E Failed to load an XSL style sheet using the installed MSXML parser. A Microsoft browser component (MSXML3 or higher) is not properly installed. Click OK to display instructions for downloading MSXML.
Explanation: When you use Microsoft Internet Explorer to access the BMC Identity Management Suite, the MSXML3 (or higher) component is required.
User Response: Click OK to display the download instructions.

BMC-CPU004010E Failed to load the ActiveX XMLHTTP object. A Microsoft browser component (MSXML3 or higher) is required. Click OK to display download instructions.
Explanation: When you use Microsoft Internet Explorer to access the BMC Identity Management Suite, the MSXML3 (or higher) component is required.
User Response: Click OK to display the download instructions.

BMC-CPU004011E Failed to perform XSL transformation. A Microsoft browser component (MSXML3 or higher) is not properly installed. Click OK to display instructions for downloading MSXML.
Explanation: When you use Microsoft Internet Explorer to access the BMC Identity Management Suite, the MSXML3 (or higher) component is required.
User Response: Click OK to display the download instructions.

BMC-CPU100001E You are not allowed to use any of the installed applications.
Explanation: You have not been assigned permission to use any application in the BMC Identity Management Suite.
User Response: Contact your Help Desk. The administrator must assign the required permissions in your Person record.

BMC-CPU100002E Default login-profile is not defined.
Explanation: The value of <login-profile> in $BMC_IDM_SUITE_HOME/glue_web/conf/glue-web-ui-config.xml is empty.
User Response: Set a value for <login-profile> in the file, then restart the BMC Identity Management Suite.

BMC-CPU100003E Name of login-profile, required for Trusted Login, is not configured.
Explanation: The value of <login-profile> in $BMC_IDM_SUITE_HOME/glue_web/conf/glue-web-ui-config.xml is empty.
User Response: Set a value for <login-profile> in the file, then restart the BMC Identity Management Suite.

BMC-CPU100004E Header name, required for Trusted Login, is not configured.
Explanation: The <trusted-login-header-name> element in $BMC_IDM_SUITE_HOME/glue_web/conf/glue-web-ui-config.xml is empty.
User Response: Set a value for <trusted-login-header-name> in the file, then restart the BMC Identity Management Suite.

BMC-CPU100005E Value of header < trusted-login-header-name >, required for Trusted Login, is missing or empty.
Explanation: The request did not carry the HTTP header whose name is configured in <trusted-login-header-name> in $BMC_IDM_SUITE_HOME/glue_web/conf/glue-web-ui-config.xml, or the header was present but empty.
User Response: Verify that the external authentication system sets this header on every request it forwards to the BMC Identity Management Suite, and that the header name it uses matches the value of <trusted-login-header-name> in the file. If you change the configured name, restart the BMC Identity Management Suite.

BMC-CPU100006E Could not get remote user required for Trusted Login.
Explanation: <trusted-login-by> in $BMC_IDM_SUITE_HOME/glue_web/glue-web-ui-config.xml is set to remoteuser, but the external authentication system did not provide a login ID. In this mode the login ID is read with the getRemoteUser() method of the servlet request (HttpServletRequest).
User Response: Determine why your external authentication system is not providing the login ID.

BMC-CPU100007E Unsupported type of Trusted Login.
Explanation: The value of <trusted-login-by> in $BMC_IDM_SUITE_HOME/glue_web/glue-web-ui-config.xml is neither header nor remoteuser.
User Response: Specify header or remoteuser. If your external authentication system requires a different value for this parameter, ensure that the value is specified correctly and that the external authentication system is functioning correctly. After changing the value of <trusted-login-by>, restart the BMC Identity Management Suite.
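The trusted-login messages above (BMC-CPU100003E to BMC-CPU100007E) describe how the Suite obtains the login ID once an external authentication system has authenticated the user: either from a request header named in <trusted-login-header-name>, or from the container's remote user. The following Python is an added example written for this page, not the Suite's code; the root element of the configuration fragment, the sample values, the function names and the via_trusted_front_end flag are assumptions, and only the element names and message codes come from the guide. It also adds one check the guide does not mention: a header-based trusted login is only as strong as the guarantee that the header was written by the front end and not by the client. The Suite must therefore be reachable only through that front end, the front end must overwrite any client-supplied copy of the header, and the example refuses the header on any other path.

```python
"""Trusted-login resolution as described by messages BMC-CPU100003E to BMC-CPU100007E.

Added example for this page; not the Suite's implementation.
"""
import xml.etree.ElementTree as ET
from typing import Mapping, Optional, Tuple

# Constructed fragment of glue-web-ui-config.xml. The element names are the
# ones the message list cites; the root element and the values are assumptions.
SAMPLE_CONFIG = """<glue-web-ui-config>
  <login-profile>TRUSTED_PROFILE</login-profile>
  <trusted-login-by>header</trusted-login-by>
  <trusted-login-header-name>X-Trusted-User</trusted-login-header-name>
</glue-web-ui-config>"""

# Extra failure mode, not part of the guide: the identity header is honoured
# only when the request demonstrably came through the authenticating front end.
UNTRUSTED_PATH = "REJECTED-UNTRUSTED-PATH"


def _element_text(root: ET.Element, tag: str) -> str:
    el = root.find(tag)
    return (el.text or "").strip() if el is not None else ""


def _header(headers: Mapping[str, str], name: str) -> str:
    """HTTP header names are case-insensitive; match accordingly."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return (value or "").strip()
    return ""


def resolve_trusted_login(config_xml: str, headers: Mapping[str, str],
                          remote_user: Optional[str],
                          via_trusted_front_end: bool) -> Tuple[Optional[str], Optional[str]]:
    """Return (login_id, None) on success or (None, error_code) on failure.

    remote_user stands in for HttpServletRequest.getRemoteUser(); headers for
    the request headers; via_trusted_front_end for whatever evidence the
    deployment has that the request arrived through the SSO front end (for
    example a mutually authenticated TLS connection from it) rather than
    directly from a client.
    """
    root = ET.fromstring(config_xml)
    if not _element_text(root, "login-profile"):
        return None, "BMC-CPU100003E"
    mode = _element_text(root, "trusted-login-by").lower()
    if mode == "remoteuser":
        login_id = (remote_user or "").strip()
        return (login_id, None) if login_id else (None, "BMC-CPU100006E")
    if mode == "header":
        header_name = _element_text(root, "trusted-login-header-name")
        if not header_name:
            return None, "BMC-CPU100004E"
        if not via_trusted_front_end:
            return None, UNTRUSTED_PATH
        login_id = _header(headers, header_name)
        return (login_id, None) if login_id else (None, "BMC-CPU100005E")
    return None, "BMC-CPU100007E"


def config_variant(trusted_login_by: str, header_name: str = "X-Trusted-User",
                   login_profile: str = "TRUSTED_PROFILE") -> str:
    """Build a configuration fragment with the given values (empty strings allowed)."""
    return (
        "<glue-web-ui-config>"
        f"<login-profile>{login_profile}</login-profile>"
        f"<trusted-login-by>{trusted_login_by}</trusted-login-by>"
        f"<trusted-login-header-name>{header_name}</trusted-login-header-name>"
        "</glue-web-ui-config>"
    )


if __name__ == "__main__":
    print(resolve_trusted_login(SAMPLE_CONFIG, {"X-Trusted-User": "jdoe"}, None, True))
    print(resolve_trusted_login(SAMPLE_CONFIG, {"X-Trusted-User": "jdoe"}, None, False))
    print(resolve_trusted_login(config_variant("remoteuser"), {}, None, True))
```

The first call returns ("jdoe", None); the second, identical apart from the front-end flag, is rejected even though the header is present, which is the behaviour you want when someone connects to the JBoss port directly; the third reproduces BMC-CPU100006E for a remoteuser deployment whose container did not authenticate the request.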


Index

Symbols
$BMC_IDM_SUITE_HOME/general/log 87

A
access rights by inheritance 224
accessing the BMC Identity Management Suite 228
Accounts
  ID length, global setting 201
  restoring 203
Adding a BMC Identity Management Suite solution 34
Allow Account Restore field 203
Allow Account Restore parameter, described 203
Allow log in with challenge/response field 213
Allow login with empty password 177, 178
Allow login with empty password field 212
Allow person
  to register accounts field 220
  to restore accounts field 220
  to unlock accounts field 220
Application Servers
  defining 47
  whether secure 82, 147
Audit and Compliance Management solution 22
Audit Automated Insert of Persons global parameter 205
Audit Automated Insert of Persons field 205
audit compliance reporting 22
Audit in Details field 205
Audit in Details global parameter, described 205
Audit in Download field 204
Audit in Global Sync field 204
Audit Parameters tabbed page (Global Parameters) 204
Audit trails
  for download, setting on/off 204
  for global synchronization, setting on/off 204
  of downloads 204
  of every field modified 205
  of global synchronization 204
AutoEdit in field Password on Restore 203
Automatic Generation of Short Code field 203

B
Back-end
  Compliance Manager Back-end 25
  Enterprise Security Station 24
  Identity Open Services 25
  Managed Systems 24
  Services Managers and Provisioning Modules 24
batchrun utility
  Source for password for Restore operation 203
biz_rules utility 222
BMC Identity Management Suite
  architecture 23
  installation wizard 71
BMC Software, contacting 2

C
certificate files 122
Change password command 177
Check Organization Type field 201
Collect Logs 159, 229
Commands That Support Ticket Creation field 221
Common UI Login facility, enabling 58
Common UI Service 15
connection pool size 194
connection pool size, configuring 194
connection timeout value 223
conventions, documentation 20
cookies 237
csh shell, requirements for 41
customer support 3

D
Database
  threshold for issuing warning message 203
database
  list of entity tables in 223
Default Group Processing - User Update field 201
default tabbed page 183
deploying the documentation center 94
Disable Default Connections field
disabling a BMC Identity Management Suite user 178
discovery file 194
display the JBoss ports 63
Distributed deployment, described 33
documentation
  related 16
Documentation Center 16
documentation center, deploying 94
Download
  auditing 204

E
empty password 177
Enable accounts before changing person password field 219
Enable Password Sync parameter 180
enabling cookies 237
Enterprise SecurityStation 15
  messages originating in 232
entity
  auditing changes in Properties window 205
error/information messages 273
ESS Administrator
  timeout of ESS Console session 222
ESS Application Servers, See Application Servers
ESS Console tabbed page (Global Parameters) 222
ESS Global parameters 197
ESS Login Profile wizard 148
ESS Login tabbed page (Global Parameters) 212
ESS Max Failed Login Attempts (global parameter) 210
essue002
  auditing automatic insert of Persons 205

F
fields
  labels, localization 232
firewall, operating through 82, 147
first party cookies, setting 239
forcing users to change their initial password 176
Form Generator
  overview 26
Front-end
  BMC Identity Management applications 25
  Form Generator 26
  Identity Common UI Services 25

G
general configuration 119
  authorization needed to perform configuration tasks 120
  enabling a BMC Identity Management Suite user 172
  scope of configuration changes 122
  setting the initial password of users 175
  stopping/starting the BMC Identity Management Suite 121
General tabbed page (Global Parameters) 200
Global Parameters
  about 197
  overriding parameters 198
Global synchronization
  auditing 204

H
Help Desk Administrator Name field 222
Help Desk Administrator Password field 222
Help Desk Application Name field 221
Help Desk Schema Name field 222
Help Desk Server IP Address field 221
Help Desk Server Port field 221
Help Desk tabbed page (Global Parameters) 221
How to install database client 42

I
Identity Federation Manager solution 22
IdM Suite user
  setting the login ID for 213
idm_tools suite_url 92
Include in Password Sync parameter
  use of 180
Index field
  selecting as login ID for IdM Suite user 213
initial ESS Server ID parameter 147
Install database client 42
installation
  checklist 29
  prompts 77
  summary 29
installation procedure
  additional configuration 104
  back up the installation directory 105
  create the product installation account/s 40
  define ESS Application Servers 46, 48
  determine deployment type 33
  enable the common UI login in Enterprise SecurityStation 58
  ensure system requirements 36
  implement an SSL connection in a distributed deployment 95
  import the shared secret into Enterprise SecurityStation 92
  install product components 71
  log in
  log out and log in to the installation account/s 88
  obtain the product media 36
  run the Form Generator utility 102
  start the BMC Identity Management Suite 100
  verify the URL 92
Internet Explorer, enabling cookies 237

J
JBoss ports 60
JBoss server directory 60

K
keystores 122
Keyword (in ESS)
  when modified 160
Keyword rule (in ESS)
  when modified 160

L
labels of fields, localization 232
language in the user interface, localizing 231
language support, localizing 231
LDAP authentication system login 241
load balancing
  Login Profile parameters 147
localizing the user interface 231
  English text 234
  language 231
Lock Interval 201
log file attributes
  configuring 191
login ID
  setting field in Person record to use as 213
Login ID field name (Global parameter) 213
Login Message field 212

M
Managed System
  overriding parameters 198
managing the session 181
  enabling cookies 181
  session time-out interval 182
Max Login Attempts field 201
Message displayed upon logging in, setting 212
message text, localization of 232
messages 273
Min Account ID Length field 201

N
NAT router 82, 147
native2ascii utility 233
Netscape Navigator, enabling cookies 240
New Terminology 18
non-ssl connection in a distributed deployment 190
Number of ESS Servers to Use parameter 48, 147

O
open-services-security.xml file
  about 167
operating the Suite 225
Organization entity
  applying structure validity rules 201
Organization Separator field 201
Originated By field 221
overview 21

P
Password
  changing 202
  providing automatically for Restore operation 203
  synchronizing 202
password changes 21
password management solution 21
Password on Restore field 203
password synchronization 21, 133, 179
permissions for unattended administrator 133, 138
Persons
  automatic creation of, auditing 205
pool size for connections, configuring 194
product support 3
Propagate Person Password Change to (Global parameter) 180
Propagate Person Password Change To field 202
  described 202
Propagate Revoke field 201
Provisioning Rules tabbed page (Global Parameters) 222
publications
  related 16

R
regulatory IT-governance 22
related publications 16
Request Manager
  Prerequisites 70
responsive action 271
Require current password on password change field 219
requirements, for product installation 36, 40
responsive action, firewall configuration for
Restore
  access for Account 203
  providing password for Account 203
revoke of IdM System user, after failed log in attempts 210
run.sh script, modifying for JBoss 89

S
security configuration
  configure the system password temporary or permanent 187
  cryptographic algorithms 185
  keystores 122
Server Timeout parameter
  used as default 223
service pack for the IdM Suite, installing 91
session cookies, setting 239
session time-out interval 182
Session Timeout parameter 224
session timeout, customizing 222
setting log file attributes 192
shell, required default for owner account 41
Short Code
  automatic generation of 203
silent installation 75
silent_options.txt, obtaining 67
solutions
  Audit and Compliance Management 22
  Password Management 21
  User Administration and Provisioning 21
SSL encryption 82, 147
starting/stopping the BMC Identity Management Suite 225
stop_idm_suite.bat script, modifying for JBoss 90
stopping the BMC Identity Management Suite 227
Suite Configuration
  how to enable 172
support, customer 3
syntax statement conventions 19
System password 122
  temporary or permanent 187
system requirements
  UNIX systems 36

T
TCP/IP platform
  generating Short Code field automatically 203
tcsh shell, requirements for 41
technical support 3
temporary or permanent System password 187
test user
  logging in with 103
  preparing 99
third-party cookies, setting 239
Threshold for DB Utilization Warning field 203
timeout
  for connection, customizing 223
  for ESS Console session 222
  of an inactive ESS Console session 224
  values 223
Timeout Values parameter 224
Transaction Status Generates A Ticket field 221
trusted login method 155, 157

U
unified deployment, described 33
uninstalling the BMC Identity Management Suite 115
UNIX system requirements 36
User Administration and Provisioning solution 21
user interface
  localizing language support for 231
User-Defined Index Field parameter 213

V
viewing individual log files 192

W
wam-gencookiekey.zip, obtaining 67
Web Access Management
  prerequisites 63
  solution 22
Web Access Manager
  stand-alone deployment 35
Web Access Manager Enforcement Agent 113
Web browser cookies 237
Web SSO proxy
  configuration 114


More information

Microsoft Dynamics GP Release

Microsoft Dynamics GP Release Microsoft Dynamics GP Release Workflow Installation and Upgrade Guide February 17, 2011 Copyright Copyright 2011 Microsoft. All rights reserved. Limitation of liability This document is provided as-is.

More information

BMC Impact Integration Developer s Kit Web Services Server Developer Guide

BMC Impact Integration Developer s Kit Web Services Server Developer Guide BMC Impact Integration Developer s Kit Web Services Server Developer Guide Supporting BMC Impact Integration Developer s Kit v. 7.1 BMC Impact Integration Web Services Server v. 7.1 January 2008 www.bmc.com

More information

Bentley CONNECT Dynamic Rights Management Service

Bentley CONNECT Dynamic Rights Management Service v1.0 Implementation Guide Last Updated: March 20, 2013 Table of Contents Notices...5 Chapter 1: Introduction to Management Service...7 Chapter 2: Configuring Bentley Dynamic Rights...9 Adding Role Services

More information

Identikey Server Windows Installation Guide 3.1

Identikey Server Windows Installation Guide 3.1 Identikey Server Windows Installation Guide 3.1 Disclaimer of Warranties and Limitations of Liabilities Disclaimer of Warranties and Limitations of Liabilities The Product is provided on an 'as is' basis,

More information

CA Identity Manager. Installation Guide (WebLogic) r12.5 SP8

CA Identity Manager. Installation Guide (WebLogic) r12.5 SP8 CA Identity Manager Installation Guide (WebLogic) r12.5 SP8 This documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation

More information

IDENTIKEY Server Windows Installation Guide 3.1

IDENTIKEY Server Windows Installation Guide 3.1 IDENTIKEY Server Windows Installation Guide 3.1 Disclaimer of Warranties and Limitations of Liabilities Disclaimer of Warranties and Limitations of Liabilities The Product is provided on an 'as is' basis,

More information

CA Technologies SiteMinder

CA Technologies SiteMinder CA Technologies SiteMinder Agent for Microsoft SharePoint r12.0 Second Edition This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to

More information

Tivoli Endpoint Manager for Remote Control Version 8 Release 2. User s Guide

Tivoli Endpoint Manager for Remote Control Version 8 Release 2. User s Guide Tivoli Endpoint Manager for Remote Control Version 8 Release 2 User s Guide Tivoli Endpoint Manager for Remote Control Version 8 Release 2 User s Guide Note Before using this information and the product

More information

HP Enterprise Integration module for SAP applications

HP Enterprise Integration module for SAP applications HP Enterprise Integration module for SAP applications Software Version: 2.50 User Guide Document Release Date: May 2009 Software Release Date: May 2009 Legal Notices Warranty The only warranties for HP

More information

Integration for BMC Remedy Service Desk

Integration for BMC Remedy Service Desk Integration for BMC Remedy Service Desk User Guide Supporting Integration for BMC Remedy Service Desk 7.3.01 BMC Impact Manager 7.3.01 BMC Remedy Service Desk 7.3.01 BMC ProactiveNet Performance Management

More information

Business Enterprise Server Help Desk Integration Guide. Version 3.5

Business Enterprise Server Help Desk Integration Guide. Version 3.5 Business Enterprise Server Help Desk Integration Guide Version 3.5 June 30, 2010 Copyright Copyright 2003 2010 Interlink Software Services, Ltd., as an unpublished work. All rights reserved. Interlink

More information

CA Performance Center

CA Performance Center CA Performance Center Single Sign-On User Guide 2.4 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation ) is

More information

DEPLOYMENT GUIDE Version 1.1. Deploying F5 with Oracle Application Server 10g

DEPLOYMENT GUIDE Version 1.1. Deploying F5 with Oracle Application Server 10g DEPLOYMENT GUIDE Version 1.1 Deploying F5 with Oracle Application Server 10g Table of Contents Table of Contents Introducing the F5 and Oracle 10g configuration Prerequisites and configuration notes...1-1

More information

RSA Authentication Manager 7.1 Basic Exercises

RSA Authentication Manager 7.1 Basic Exercises RSA Authentication Manager 7.1 Basic Exercises Contact Information Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com Trademarks RSA and the RSA logo

More information

Scheduler Job Scheduling Console

Scheduler Job Scheduling Console Tivoli IBM Tivoli Workload Scheduler Job Scheduling Console Feature Level 1.3 (Revised December 2004) User s Guide SC32-1257-02 Tivoli IBM Tivoli Workload Scheduler Job Scheduling Console Feature Level

More information

CA SiteMinder. Agent for IIS Installation Guide. r12.0 SP3

CA SiteMinder. Agent for IIS Installation Guide. r12.0 SP3 CA SiteMinder Agent for IIS Installation Guide r12.0 SP3 This documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation

More information

Knowledge Article Performance Comparison: BMC Remedy ITSM Incident Management version 7.5.00 Vs. 7.0.03 on Windows

Knowledge Article Performance Comparison: BMC Remedy ITSM Incident Management version 7.5.00 Vs. 7.0.03 on Windows Knowledge Article Performance Comparison: BMC Remedy ITSM Incident Management version 7.5.00 Vs. 7.0.03 on Windows April 2009 www.bmc.com Contacting BMC Software You can access the BMC Software website

More information

CA SiteMinder. Policy Server Installation Guide. r12.0 SP2

CA SiteMinder. Policy Server Installation Guide. r12.0 SP2 CA SiteMinder Policy Server Installation Guide r12.0 SP2 This documentation and any related computer software help programs (hereinafter referred to as the "Documentation") are for your informational purposes

More information

vcenter Chargeback User s Guide vcenter Chargeback 1.0 EN-000186-00

vcenter Chargeback User s Guide vcenter Chargeback 1.0 EN-000186-00 vcenter Chargeback 1.0 EN-000186-00 You can find the most up-to-date technical documentation on the VMware Web site at: http://www.vmware.com/support/ The VMware Web site also provides the latest product

More information

EMC Data Protection Search

EMC Data Protection Search EMC Data Protection Search Version 1.0 Security Configuration Guide 302-001-611 REV 01 Copyright 2014-2015 EMC Corporation. All rights reserved. Published in USA. Published April 20, 2015 EMC believes

More information

This document contains the following topics:

This document contains the following topics: Release Notification BMC Discovery Solution Version 8.1.00 December 18, 2009 This document describes the products and components contained in version 8.1.00 of BMC Discovery Solution. If you have any questions,

More information

OMU350 Operations Manager 9.x on UNIX/Linux Advanced Administration

OMU350 Operations Manager 9.x on UNIX/Linux Advanced Administration OMU350 Operations Manager 9.x on UNIX/Linux Advanced Administration Instructor-Led Training For versions 9.0, 9.01, & 9.10 OVERVIEW This 5-day instructor-led course focuses on advanced administration topics

More information

Installation Guide. Tech Excel January 2009

Installation Guide. Tech Excel January 2009 Installation Guide Tech Excel January 2009 Copyright 1998-2009 TechExcel, Inc. All Rights Reserved. TechExcel, Inc., TechExcel, ServiceWise, AssetWise, FormWise, KnowledgeWise, ProjectPlan, DownloadPlus,

More information

TrueSight Operations Management Monitoring Studio

TrueSight Operations Management Monitoring Studio USER DOCUMENTATION APPLICATIONS MONITORING TrueSight Operations Management Monitoring Studio Version 9.0.00 June 2015 Contacting BMC Software You can access the BMC Software Web site at http://www.bmc.com.

More information

Silect Software s MP Author

Silect Software s MP Author Silect MP Author for Microsoft System Center Operations Manager Silect Software s MP Author User Guide September 2, 2015 Disclaimer The information in this document is furnished for informational use only,

More information

BusinessObjects Enterprise XI Release 2 Administrator s Guide

BusinessObjects Enterprise XI Release 2 Administrator s Guide BusinessObjects Enterprise XI Release 2 Administrator s Guide BusinessObjects Enterprise XI Release 2 1 Patents Trademarks Copyright Third-party contributors Business Objects owns the following U.S. patents,

More information

CA ARCserve Backup for Windows

CA ARCserve Backup for Windows CA ARCserve Backup for Windows Agent for Microsoft SharePoint Server Guide r15 This documentation and any related computer software help programs (hereinafter referred to as the "Documentation") are for

More information

Installation Guide ARGUS Symphony 1.6 and Business App Toolkit. 6/13/2014 2014 ARGUS Software, Inc.

Installation Guide ARGUS Symphony 1.6 and Business App Toolkit. 6/13/2014 2014 ARGUS Software, Inc. ARGUS Symphony 1.6 and Business App Toolkit 6/13/2014 2014 ARGUS Software, Inc. Installation Guide for ARGUS Symphony 1.600.0 6/13/2014 Published by: ARGUS Software, Inc. 3050 Post Oak Boulevard Suite

More information

Installation and Configuration Guide for Windows and Linux

Installation and Configuration Guide for Windows and Linux Installation and Configuration Guide for Windows and Linux vcenter Operations Manager 5.0.3 This document supports the version of each product listed and supports all subsequent versions until the document

More information

CA SiteMinder. Web Agent Installation Guide for IIS. r12.5

CA SiteMinder. Web Agent Installation Guide for IIS. r12.5 CA SiteMinder Web Agent Installation Guide for IIS r12.5 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation

More information

Control-M SSL Guide. Supporting

Control-M SSL Guide. Supporting Control-M SSL Guide Supporting Version 7.0.00 of Control-M/Enterprise Manager Version 7.0.00 of Control-M/Server for UNIX and Microsoft Windows Version 7.0.00 of Control-M/Agent for UNIX and Microsoft

More information

Ellucian Recruiter Installation and Integration. Release 4.1 December 2015

Ellucian Recruiter Installation and Integration. Release 4.1 December 2015 Ellucian Recruiter Installation and Integration Release 4.1 December 2015 Notices Notices Without limitation: Ellucian, Banner, Colleague, and Luminis are trademarks of the Ellucian group of companies

More information

Installing Management Applications on VNX for File

Installing Management Applications on VNX for File EMC VNX Series Release 8.1 Installing Management Applications on VNX for File P/N 300-015-111 Rev 01 EMC Corporation Corporate Headquarters: Hopkinton, MA 01748-9103 1-508-435-1000 www.emc.com Copyright

More information

BMC Remedy Knowledge Management 7.2 Planning and Configuration Guide

BMC Remedy Knowledge Management 7.2 Planning and Configuration Guide BMC Remedy Knowledge Management 7.2 Planning and Configuration Guide December 2007 www.bmc.com Contacting BMC Software You can access the BMC Software website at http://www.bmc.com. From this website,

More information

How To Configure Bm Atrium Sso For A Long Term Memory (Long Term Memory) On A Microsoft Server (For A Long Time) On An Ubuntu 2.5 (For An Uborg 2.4) (For Ub

How To Configure Bm Atrium Sso For A Long Term Memory (Long Term Memory) On A Microsoft Server (For A Long Time) On An Ubuntu 2.5 (For An Uborg 2.4) (For Ub BMC Atrium Single Sign-On 7.6.04 Administration Guide August 2011 www.bmc.com Contacting BMC Software You can access the BMC Software website at http://www.bmc.com. From this website, you can obtain information

More information

BMC Client Management - Client Agent Rollout. Version 12.0

BMC Client Management - Client Agent Rollout. Version 12.0 BMC Client Management - Client Agent Rollout Version 12.0 Legal Notices Copyright 1999, 2009 BMC Software, Inc. Copyright 1994-2014 Numara Software, Inc. BMC, BMC Software, and the BMC Software logo are

More information

MultiSite Manager. Setup Guide

MultiSite Manager. Setup Guide MultiSite Manager Setup Guide Contents 1. Introduction... 2 How MultiSite Manager works... 2 How MultiSite Manager is implemented... 2 2. MultiSite Manager requirements... 3 Operating System requirements...

More information

IBM Campaign Version-independent Integration with IBM Engage Version 1 Release 3 April 8, 2016. Integration Guide IBM

IBM Campaign Version-independent Integration with IBM Engage Version 1 Release 3 April 8, 2016. Integration Guide IBM IBM Campaign Version-independent Integration with IBM Engage Version 1 Release 3 April 8, 2016 Integration Guide IBM Note Before using this information and the product it supports, read the information

More information

Enterprise Vault Installing and Configuring

Enterprise Vault Installing and Configuring Enterprise Vault Installing and Configuring Enterprise Vault 6.0 Legal Notice Copyright 2005 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, VERITAS, the VERITAS Logo, and Enterprise

More information

StreamServe Persuasion SP5 Control Center

StreamServe Persuasion SP5 Control Center StreamServe Persuasion SP5 Control Center User Guide Rev C StreamServe Persuasion SP5 Control Center User Guide Rev C OPEN TEXT CORPORATION ALL RIGHTS RESERVED United States and other international patents

More information

Crystal Server Upgrade Guide SAP Crystal Server 2013

Crystal Server Upgrade Guide SAP Crystal Server 2013 Crystal Server Upgrade Guide SAP Crystal Server 2013 Copyright 2013 SAP AG or an SAP affiliate company. All rights reserved. No part of this publication may be reproduced or transmitted in any form or

More information

CA Spectrum and CA Embedded Entitlements Manager

CA Spectrum and CA Embedded Entitlements Manager CA Spectrum and CA Embedded Entitlements Manager Integration Guide CA Spectrum Release 9.4 - CA Embedded Entitlements Manager This Documentation, which includes embedded help systems and electronically

More information

McAfee Cloud Identity Manager

McAfee Cloud Identity Manager NetSuite Cloud Connector Guide McAfee Cloud Identity Manager version 2.0 or later COPYRIGHT Copyright 2013 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted,

More information

AlarmPoint Adapter for BMC Remedy AR System by AlarmPoint Systems

AlarmPoint Adapter for BMC Remedy AR System by AlarmPoint Systems AlarmPoint Adapter for BMC Remedy AR System by AlarmPoint Systems User Guide Supporting AlarmPoint Adapter for BMC Remedy AR System by AlarmPoint Systems November 30, 2007 Contacting BMC Software You can

More information

Content Filtering Client Policy & Reporting Administrator s Guide

Content Filtering Client Policy & Reporting Administrator s Guide Content Filtering Client Policy & Reporting Administrator s Guide Notes, Cautions, and Warnings NOTE: A NOTE indicates important information that helps you make better use of your system. CAUTION: A CAUTION

More information

Application Interface Services Server for Mobile Enterprise Applications Configuration Guide Tools Release 9.2

Application Interface Services Server for Mobile Enterprise Applications Configuration Guide Tools Release 9.2 [1]JD Edwards EnterpriseOne Application Interface Services Server for Mobile Enterprise Applications Configuration Guide Tools Release 9.2 E61545-01 October 2015 Describes the configuration of the Application

More information

CA Nimsoft Service Desk

CA Nimsoft Service Desk CA Nimsoft Service Desk Single Sign-On Configuration Guide 6.2.6 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation

More information

Crestron Fusion Version 9.3 Enterprise Management Platform Installation Guide

Crestron Fusion Version 9.3 Enterprise Management Platform Installation Guide Crestron Fusion Version 9.3 Enterprise Management Platform Installation Guide The specific patents that cover Crestron products are listed at patents.crestron.com. Crestron, the Crestron logo, Capture

More information

Implementation Guide SAP NetWeaver Identity Management Identity Provider

Implementation Guide SAP NetWeaver Identity Management Identity Provider Implementation Guide SAP NetWeaver Identity Management Identity Provider Target Audience Technology Consultants System Administrators PUBLIC Document version: 1.10 2011-07-18 Document History CAUTION Before

More information

HP Business Service Management

HP Business Service Management HP Business Service Management for the Windows and Linux operating systems Software Version: 9.10 Business Process Insight Server Administration Guide Document Release Date: August 2011 Software Release

More information

Sophos Mobile Control Installation guide. Product version: 3

Sophos Mobile Control Installation guide. Product version: 3 Sophos Mobile Control Installation guide Product version: 3 Document date: January 2013 Contents 1 Introduction...3 2 The Sophos Mobile Control server...4 3 Set up Sophos Mobile Control...16 4 External

More information

Administrators Help Manual

Administrators Help Manual Administrators Help Manual Lepide Active Directory Self Service Lepide Software Private Limited Page 1 Administrators Help Manual for Active Directory Self-Service Lepide Active Directory Self Service

More information

EMC NetWorker. Licensing Guide. Release 8.0 P/N 300-013-596 REV A01

EMC NetWorker. Licensing Guide. Release 8.0 P/N 300-013-596 REV A01 EMC NetWorker Release 8.0 Licensing Guide P/N 300-013-596 REV A01 Copyright (2011-2012) EMC Corporation. All rights reserved. Published in the USA. Published June, 2012 EMC believes the information in

More information

BlackBerry Enterprise Service 10. Version: 10.2. Configuration Guide

BlackBerry Enterprise Service 10. Version: 10.2. Configuration Guide BlackBerry Enterprise Service 10 Version: 10.2 Configuration Guide Published: 2015-02-27 SWD-20150227164548686 Contents 1 Introduction...7 About this guide...8 What is BlackBerry Enterprise Service 10?...9

More information

System Administration Training Guide. S100 Installation and Site Management

System Administration Training Guide. S100 Installation and Site Management System Administration Training Guide S100 Installation and Site Management Table of contents System Requirements for Acumatica ERP 4.2... 5 Learning Objects:... 5 Web Browser... 5 Server Software... 5

More information

User Management in ServerView 6.30

User Management in ServerView 6.30 User Guide - English FUJITSU Software ServerView Suite User Management in ServerView 6.30 Centralized Authentication and role-based Authorization Edition March 2014 Comments Suggestions Corrections The

More information

Installation and Configuration Guide for Windows and Linux

Installation and Configuration Guide for Windows and Linux Installation and Configuration Guide for Windows and Linux vcenter Operations Manager 5.7 This document supports the version of each product listed and supports all subsequent versions until the document

More information

BMC Remedy Action Request System 7.0 Configuring

BMC Remedy Action Request System 7.0 Configuring BMC Remedy Action Request System 7.0 Configuring May 2006 Part No: 58466 Copyright 1991 2006 BMC Software, Inc. All rights reserved. BMC, the BMC logo, all other BMC product or service names, BMC Software,

More information

SAP BusinessObjects Business Intelligence Suite Document Version: 4.1 Support Package 3-2014-05-07. Patch 3.x Update Guide

SAP BusinessObjects Business Intelligence Suite Document Version: 4.1 Support Package 3-2014-05-07. Patch 3.x Update Guide SAP BusinessObjects Business Intelligence Suite Document Version: 4.1 Support Package 3-2014-05-07 Table of Contents 1 Document History....3 2 Introduction....4 2.1 About this Document....4 2.1.1 Constraints....4

More information

Copyright 2012 Trend Micro Incorporated. All rights reserved.

Copyright 2012 Trend Micro Incorporated. All rights reserved. Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

More information

Deltek Costpoint 7.1.1. New Installation Guide for Microsoft SQL Server

Deltek Costpoint 7.1.1. New Installation Guide for Microsoft SQL Server Deltek Costpoint 7.1.1 New Installation Guide for Microsoft SQL Server March 28, 2016 While Deltek has attempted to verify that the information in this document is accurate and complete, some typographical

More information

CA Adapter. Installation and Configuration Guide for Windows. r2.2.9

CA Adapter. Installation and Configuration Guide for Windows. r2.2.9 CA Adapter Installation and Configuration Guide for Windows r2.2.9 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation

More information

[1]Oracle Communications Billing and Revenue Management Web Services Manager Release 7.5 E16724-11

[1]Oracle Communications Billing and Revenue Management Web Services Manager Release 7.5 E16724-11 [1]Oracle Communications Billing and Revenue Management Web Services Manager Release 7.5 E16724-11 December 2015 Oracle Communications Billing and Revenue Management Web Services Manager, Release 7.5 E16724-11

More information

StreamServe Persuasion SP4

StreamServe Persuasion SP4 StreamServe Persuasion SP4 Installation Guide Rev B StreamServe Persuasion SP4 Installation Guide Rev B 2001-2009 STREAMSERVE, INC. ALL RIGHTS RESERVED United States patent #7,127,520 No part of this document

More information

CA SiteMinder. Web Agent Installation Guide for IIS. r12.0 SP3. Fourth Edition

CA SiteMinder. Web Agent Installation Guide for IIS. r12.0 SP3. Fourth Edition CA SiteMinder Web Agent Installation Guide for IIS r12.0 SP3 Fourth Edition This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as

More information

IBM WebSphere Application Server Version 7.0

IBM WebSphere Application Server Version 7.0 IBM WebSphere Application Server Version 7.0 Centralized Installation Manager for IBM WebSphere Application Server Network Deployment Version 7.0 Note: Before using this information, be sure to read the

More information

Using EMC Documentum with Adobe LiveCycle ES

Using EMC Documentum with Adobe LiveCycle ES Technical Guide Using EMC Documentum with Adobe LiveCycle ES Table of contents 1 Deployment 3 Managing LiveCycle ES development assets in Documentum 5 Developing LiveCycle applications with contents in

More information

Oracle Enterprise Single Sign-on Logon Manager. Installation and Setup Guide Release 11.1.1.2.0 E15720-02

Oracle Enterprise Single Sign-on Logon Manager. Installation and Setup Guide Release 11.1.1.2.0 E15720-02 Oracle Enterprise Single Sign-on Logon Manager Installation and Setup Guide Release 11.1.1.2.0 E15720-02 November 2010 Oracle Enterprise Single Sign-on Logon Manager, Installation and Setup Guide, Release

More information