IBM Security Verify

Recipe for setting up IBM Security Verify Governance (IGI) and IBM Security Verify for Workforce IAM Integration

    Posted Thu July 09, 2020 07:58 AM
    Edited by Vandana Verma Sehgal Thu July 09, 2020 07:59 AM

    Recipe for IBM Security Verify Governance (IGI) and IBM Security Verify for Workforce IAM Integration

     

    Architecture

    Components

    1. Identity Jump Server  

    This is a common VM used for most IGI-based labs. It contains many tools, utilities and browsers used in many of the training environments.

    For this lab it contains three main components:

    1. The browsers used to access IGI, the CIA Bridge and (optionally) your CI tenant
    2. DNS (named), to allow name resolution between the VMs and from within the Docker containers
    3. Docker running two containers: the ciabridge container (application and UI) and the couchdb3 container (database)

    All access to components is performed from the Identity Jump Server or Identity Docker.

    2. IGI Virtual Appliance (VA)

    This contains the IBM Security Identity Governance and Intelligence (IGI) application in virtual appliance form. It has configuration for the CIA integration.

    3. IGI Data Server

    This contains the IGI datastores, primarily the DB2 database used. The CIA bridge will connect to this DB in the lab.

    You can download the dispatcher from the Passport Advantage page:

    https://www.ibm.com/software/passportadvantage/

    Initialise the setup

    Step 1: Access the Virtual Appliance from IGI Docker or Jump Server

    Step 2: Confirming the Adapter Installation/Configuration

    • Check the RMI Dispatcher and Adapter Component Installation
    • The adapter relies on TDI to be installed, the RMI Dispatcher to be installed and a number of adapter specific files to be installed.

    To check these, start a terminal.

    I have downloaded an Integrator and named it SDI.

    To check that the dispatcher has all the relevant files:

    ls -l /opt/IBM/SDI/V7.2/timsol

     

    Check that the identity adapter connectors are present in the directory; if not, download them manually.

    ls -l /opt/IBM/TDI/V7.2/jars/connectors/

    CloudIDConnector.jar
    CloudIDAdapterConnector.jar

    Check that the third-party jar files the connector needs are present, and at the latest version, in:

    /opt/IBM/SDI/V7.2/jars/3rdparty/others

    To check that the RMI Dispatcher is running:

    ps -ef | grep ibmdi

    The VM is configured to start the RMI Dispatcher automatically and allocate its port using systemd:

    sudo systemctl status ibmdisrv_ITIMAd.service

    Run the following command to check that the port is listening (the default is 1099):

    netstat -an | grep 1099

    I have used port 2099:

    netstat -an | grep 2099

    To restart the dispatcher:

    cd /opt/IBM/SDI/V7.2/timsol

    sudo ./ITIMAd restart

     

    To flush the iptables rules (this removes every firewall rule on the host), run:

    iptables -F

    To stop the firewall service:

    sudo systemctl stop firewalld


    Check that the SSL certificate is imported for TDI use:

    keytool -v -list -keystore serverapi/testadmin.jks -storepass administrator -alias cloudid | more

    If the certificate is no longer valid, extend it (the example below renews the 'server' alias in teststore.jks for 730 days) and then download the certificate from the CI tenant (IBM Security Verify tenant) again:

    keytool -selfcert -v -alias server -validity 730 -keystore teststore.jks -storepass mypassword

    If there are any issues with the certificates, you can view them in ikeyman: open ikeyman and enter the keystore password when prompted.

    If the validity of the certificates has lapsed, extend the validity of the self-signed certificates in Tivoli Directory Integrator as described here:

    https://www.ibm.com/support/pages/extend-validity-self-signed-certificates-tivoli-directory-integrator

    Stop the dispatcher.

    Run the following commands to update the certificates in the keystores.

    Change to <TDI>/V7.0 (the directory containing testserver.jks):

    // Extends the 'server' certificate by 365 days in 'testserver.jks'
    jvm/jre/bin/keytool -selfcert -v -alias server -validity 365 -keystore testserver.jks -storepass server

    // Exports a public copy of the certificate
    jvm/jre/bin/keytool -export -alias server -keystore testserver.jks -storepass server -file mtestserver.crt

    // Deletes the old public certificate of 'server' in 'testadmin.jks'
    jvm/jre/bin/keytool -delete -alias server -keystore serverapi/testadmin.jks -storepass administrator

    // Imports the renewed public certificate into 'testadmin.jks'
    jvm/jre/bin/keytool -import -alias server -keystore serverapi/testadmin.jks -storepass administrator -file mtestserver.crt

    Now do the same for the 'admin' certificate in <TDI>/V7.0/serverapi/testadmin.jks (still working from <TDI>/V7.0, so that the relative paths below resolve):

    // Extends the 'admin' certificate by 365 days in 'testadmin.jks'
    jvm/jre/bin/keytool -selfcert -v -alias admin -validity 365 -keystore serverapi/testadmin.jks -storepass administrator

    // Exports a public copy of the certificate
    jvm/jre/bin/keytool -export -alias admin -keystore serverapi/testadmin.jks -storepass administrator -file serverapi/mtestadmin.crt

    // Deletes the old public certificate of 'admin' in 'testserver.jks'
    jvm/jre/bin/keytool -delete -alias admin -keystore testserver.jks -storepass server

    // Imports the renewed public certificate into 'testserver.jks'
    jvm/jre/bin/keytool -import -alias admin -keystore testserver.jks -storepass server -file serverapi/mtestadmin.crt
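    As an added check that is not part of the original post, the script below reads the expiry date of the 'server' certificate in testserver.jks and the 'admin' certificate in serverapi/testadmin.jks with keytool and reports how many days remain, so you can tell whether the renewal above is due (or has worked). The keystore names, aliases and store passwords are the ones used in this recipe; TDI_HOME and the 30-day warning threshold are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: report how many days the TDI
# dispatcher certificates ('server' in testserver.jks, 'admin' in
# serverapi/testadmin.jks) remain valid. TDI_HOME and the 30-day warning
# threshold are assumptions; keystore names, aliases and store passwords are
# the ones used in this recipe.
TDI_HOME="${TDI_HOME:-/opt/IBM/SDI/V7.2}"
KEYTOOL="$TDI_HOME/jvm/jre/bin/keytool"

# Read a `keytool -list -v` listing on stdin, pull the date after "until:" out
# of the "Valid from: ... until: ..." line and print it as seconds since the
# epoch (GNU date parses keytool's "Fri Jul 09 07:58:00 UTC 2021" form as-is).
# Returns 1 when the listing contains no validity line.
expiry_epoch_from_listing() {
    until_str=$(sed -n 's/.*until: //p' | head -n 1)
    [ -n "$until_str" ] || return 1
    date -d "$until_str" +%s
}

# Whole days from NOW_EPOCH ($2) until EXPIRY_EPOCH ($1); negative once expired.
days_left() {
    echo $(( ($1 - $2) / 86400 ))
}

# Check one alias: print the days left and succeed only if more than MIN_DAYS
# (default 30) remain, so the caller knows a renewal is due.
check_alias() {
    keystore=$1; storepass=$2; cert_alias=$3; min_days=${4:-30}
    expiry=$("$KEYTOOL" -list -v -keystore "$keystore" -storepass "$storepass" \
             -alias "$cert_alias" | expiry_epoch_from_listing) || {
        echo "$keystore/$cert_alias: could not read the certificate"; return 2; }
    days=$(days_left "$expiry" "$(date +%s)")
    echo "$keystore/$cert_alias: $days days left"
    [ "$days" -gt "$min_days" ]
}

# Run both checks from TDI_HOME, as the renewal commands in the recipe do.
check_dispatcher_certs() {
    cd "$TDI_HOME" || return 2
    rc=0
    check_alias testserver.jks server server || rc=1
    check_alias serverapi/testadmin.jks administrator admin || rc=1
    return $rc
}
```

    Source the file and call check_dispatcher_certs; a non-zero exit status means at least one certificate is expired, unreadable or within 30 days of expiry.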

     

    Optional: update the AMC and AM jks files

    The following two jks files are copies of 'testadmin.jks', so the updated testadmin.jks can be copied into these locations (depending on version):

    <TDI>/V7.0/bin/amc/ActionManager/testadmin.jks
    <TDI>/V7.0/lwi/runtime/isc/eclipse/plugins/AMC_7.0.0/testadmin.jks
     

    Check the version of TLS enabled:

    Open the "solution.properties" file, go to the bottom and check the TLS version.

    If an older TLS version is configured, add the following lines to the bottom of the file:

    com.ibm.di.SSLProtocols=TLSv1.2
    com.ibm.di.SSLServerProtocols=TLSv1.2
    com.ibm.jsse2.overrideDefaultProtocol=TLSv12
    com.ibm.jsse2.overrideDefaultTLS=true
    #jdk.tls.disabledAlgorithms=TLSv1,SSLv3
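    As an added example (not from the original post), this script checks the effective TLS settings in solution.properties and appends only those of the lines above that are missing or still set to an older value. It relies on the Java properties rule that the last occurrence of a key wins, which is also why adding the lines to the bottom works; the path of the properties file is passed as an argument.

```shell
#!/bin/sh
# Added example (not part of the original post): check the TLS settings in the
# dispatcher's solution.properties and append only what is missing. In a Java
# properties file the LAST occurrence of a key wins, which is why the recipe's
# "add to the bottom" approach works and why this script is safe to re-run.

# The key=value pairs from the recipe (the commented-out jdk.tls line is omitted).
REQUIRED_TLS_PROPS='com.ibm.di.SSLProtocols=TLSv1.2
com.ibm.di.SSLServerProtocols=TLSv1.2
com.ibm.jsse2.overrideDefaultProtocol=TLSv12
com.ibm.jsse2.overrideDefaultTLS=true'

# Print the effective value of KEY ($1) in FILE ($2): comment lines are ignored
# and the last non-comment occurrence wins. Prints nothing when the key is absent.
prop_value() {
    esc=$(printf '%s' "$1" | sed 's/\./\\./g')   # match the dots in the key literally
    grep -v '^[[:space:]]*#' "$2" \
        | sed -n "s/^[[:space:]]*$esc[[:space:]]*=[[:space:]]*//p" | tail -n 1
}

# Print the required key=value lines whose effective value in FILE ($1) differs.
missing_tls_props() {
    printf '%s\n' "$REQUIRED_TLS_PROPS" | while IFS='=' read -r key want; do
        [ "$(prop_value "$key" "$1")" = "$want" ] || printf '%s=%s\n' "$key" "$want"
    done
}

# Succeed only when every required key already has the TLS 1.2 value.
tls12_props_ok() {
    [ -z "$(missing_tls_props "$1")" ]
}

# Append the missing lines to the bottom of FILE ($1); a no-op when nothing is missing.
ensure_tls12_props() {
    missing=$(missing_tls_props "$1")
    [ -n "$missing" ] || return 0
    [ -z "$(tail -c 1 "$1")" ] || echo >> "$1"   # make sure the file ends with a newline
    printf '%s\n' "$missing" >> "$1"
}
```

    Run tls12_props_ok /opt/IBM/SDI/V7.2/timsol/solution.properties to check, and ensure_tls12_props on the same path to fix; restart the dispatcher afterwards as described below.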

     

     

    Stop the firewall:

    sudo systemctl stop firewalld

    Restart the dispatcher:

    cd /opt/IBM/SDI/V7.2/timsol

    sudo ./ITIMAd restart


    Update the Java version

    In some cases, while configuring the adapter, Java can be an issue, so update Java to version 1.8 or above.

    cd /opt/IBM/SDI/V7.2/jvm/jre

    Check the Java version:

    java -version

    Once the configuration is completed, note that every time the dispatcher is restarted, the following command must be run before testing the connector:

    • sudo systemctl stop firewalld

     

    Configure IGI

    Log in to the IGI Administrative Console.

    Go to Enterprise Connectors:

    Manage -> Connectors -> Actions -> Add

    In the right pane, enter the following:

    • Name – CI tenant
    • Description – description of the connector
    • Profile Type – Identity Brokerage
    • Profile – Cloud Identity Profile
    • Entitle – Account
    • Trace – ON
    • Trace Level – INFO
    • History – ON

    Click Save.

    If the adapter profile is missing or not visible, the profile can be added from the connectors page:

    Go to Manage -> Profile -> Import

    Click Upload file and choose the connector profile (CloudIDAdapterProfile.jar) from the list of connectors.

      

     

      

    Go to the Driver Configuration tab.

    • For the Tivoli Directory Integrator location enter: rmi://identity.iamlab.ibm.com:1099/ITDIDispatcher

    The dispatcher can have a custom URL, or you can use the one above (rmi://identity.iamlab.ibm.com:1099/ITDIDispatcher).

    Custom URL, in case the dispatcher is running on another system (here on port 2099):

    rmi://192.168.42.128:2099/ITDIDispatcher

    For the Cloud Identity URL or IBM Security Verify URL, log in to the tenant (for example https://iga-enble.ice.ibmcloud.com/).

    Switch to the admin view.

    • Click the Add API client button above the table.

    We could have selected the individual accesses rather than the lazy approach of "select all": according to the adapter guide, twenty-five (25) accesses are required for the adapter, out of a total of 49 available in Security Verify today.

    Save the new API client.

     

    • For the Client ID, switch back to your CI tenant admin view and open (edit) the API client you created before.
    • Scroll down to the Client ID field and click the copy-to-clipboard icon to its right.
    • Return to the IGI UI and paste the value into the Client ID field.
    • For the Client Secret, scroll down to the Client Secret field and click the copy-to-clipboard icon to its right.
    • Return to the IGI UI and paste the value into the Client Secret field.
    • Save the connector.

     

    • In the Channel-Write To tab, click the Mapping icon.
    • Click Map and, on the Map Attribute dialog, select "erCloudIdentityGivenName" and click OK.
    • In the table, find the NAME attribute.
    • Go to the Channel-Read From tab and click the Mapping icon.
    • In the table, find the NAME attribute -> click Map and, on the Map Attribute: NAME dialog, select "erCloudIdentityGivenName" and click OK.
    • The attribute is now mapped.

    Go to Connector Details and enable the connector.

    Test the connection. If the connection is not successful, check the logs.

    On the command line, go to the timsol directory:

    cd /opt/IBM/SDI/V7.2/timsol

    To flush the iptables rules, run:

    iptables -F

    Test the connection again; the integration is working.

     



    ------------------------------
    Vandana Verma Sehgal
    Security Solutions Architect
    ------------------------------