On-premises provisioning

Introduction

To manage provisioning for on-premises applications such as LDAP, Active Directory or Oracle, a hybrid setup is required: on-premises docker containers manage a provisioning queue on behalf of your IBM Verify tenant in the cloud. The on-premises docker containers consist of an agent bridge, an identity brokerage and a postgres database.

The Identity brokerage manages some targets (such as Active Directory) via agents but for others (including LDAP or Oracle) it uses adapters running on IBM Security Directory Integrator.

These are the same adapters that are used by the IBM Security Governance product (previously known as IBM Security Identity Governance and Intelligence aka IGI). This not only reduces unnecessary redevelopment of IBM-provided adapters for on-premises components but also enables services, business partners, and customers to reuse custom adapters.

Configure Identity Agent in Verify

An identity agent is a bridge that connects external user repositories with IBM® Security Verify to perform authentication or provisioning. With the identity agent, the native application stays on premises while IBM® Security Verify manages it from the cloud-based tenant.

To configure the identity agent, follow these steps:
• Login to IBM® Security Verify as tenant administrator (Scott)
• From the Admin console navigate to Configuration > Identity agents tab

• Click on Create agent configuration
• In the Create agent configuration wizard, select purpose Provisioning and configuration type On-premises provisioning.

• Click Next
• On the Connection settings step, provide the details for:
o Identity Brokerage host and port – This is the hostname and port that the bridge will use to connect to the brokerage. In a standard docker-compose deployment this will be identity-brokerage:8443.
o Identity Brokerage username – provide some username (you will use this when configuring the brokerage)
o Identity Brokerage password – provide some password (you will use this when configuring the brokerage)

• Copy the docker-compose command which will be used to download the docker images in later steps
• Click Next
• Finalize the agent configuration by providing the Agent name and optional Description

• Click Create agent configuration

• When the agent is saved, the Connection details are shown to the administrator, with a button to Download Docker Compose YAML and the docker-compose command details.

• Click on Download Docker Compose YAML to download the prefilled YAML file.
• Review the downloaded YAML file, which contains values for:
- SCIM_USER – This is the "identity brokerage username" set while configuring identity agent in ISV
- SCIM_USER_PASSWORD – This is the "identity brokerage password" set while configuring identity agent in ISV
- TENANT_URI – Complete URL of your ISV tenant
- CLIENT_ID – Client ID copied after the agent was configured in ISV
- CLIENT_SECRET – Client Secret copied after the agent was configured in ISV

version: '3'
volumes:
  postgres-vol: null
  broker-vol: null
services:
  ib-init:
    image: 'centos:8'
    container_name: ib-init
    entrypoint: /bin/sh
    command: >-
      -c " [ -d /postgres/certs ] && echo "exiting..." && exit 0; mkdir -p
      /broker/certs; mkdir -p /broker/common; chown -R 1001:1001 /broker/; yum
      install -y openssl; mkdir -p /postgres/certs; cd /postgres/certs; openssl
      req -new -text -passout pass:secret -subj /CN=ibdb -out server.req -keyout
      privkey.pem; openssl rsa -in privkey.pem -passin pass:secret -out
      server.key; openssl req -x509 -in server.req -text -key server.key -out
      server.crt; chmod 600 server.key;  mkdir -p /postgres/ibdb/ilc_ib_data;
      mkdir -p /postgres/ibdb/ilc_ib_indx; mkdir -p /postgres/ibdb/ilc_ib_blob;
      chown -R 70:70 /postgres/;"
    volumes:
      - 'postgres-vol:/postgres'
      - 'broker-vol:/broker'
  ibdb:
    image: 'postgres:12-alpine'
    container_name: ibdb
    shm_size: 1gb
    entrypoint: /bin/bash
    command: >-
      -c "echo 'Starting';  while true; do echo 'waiting for ib-init to
      complete...' && sleep 2 ; [ -d /var/lib/postgresql/data/ibdb/ilc_ib_blob ]
      && break;  done; /usr/local/bin/docker-entrypoint.sh postgres -c ssl=on -c
      ssl_cert_file=/var/lib/postgresql/data/certs/server.crt -c
      ssl_key_file=/var/lib/postgresql/data/certs/server.key;"
    user: postgres
    restart: always
    depends_on:
      - ib-init
    environment:
      POSTGRES_USER: postgres
      POSTGRES_PASSWORD: **********
      POSTGRES_DB: ibdb
      PGDATA: /var/lib/postgresql/data/db-files/
    ports:
      - '5432:5432'
    volumes:
      - 'postgres-vol:/var/lib/postgresql/data'
  identity-brokerage:
    image: ibmcom/identity-brokerage
    container_name: identity-brokerage
    depends_on:
      - ib-init
      - ibdb
    environment:
      LICENSE_ACCEPT: 'yes'
      HOSTNAME: identity-brokerage
      DB_SERVICE_NAME: ibdb
      TRACE: enabled
      SCIM_USER: brokarageadmin
      SCIM_USER_PASSWORD: **********
    restart: always
    ports:
      - '8443:8443'
    volumes:
      - 'broker-vol:/store'
  verify-bridge:
    image: 'ibmcom/verify-bridge:latest'
    container_name: verify-bridge
    depends_on:
      - ib-init
      - ibdb
      - identity-brokerage
    environment:
      LICENSE_ACCEPT: 'yes'
      TRACE: enabled
      TENANT_URI: 'https://<yourtenantid>.verify.ibm.com'
      CLIENT_ID: <client ID>
      CLIENT_SECRET: <client secret>
    restart: always
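Before running docker-compose with the downloaded file, it is worth checking that every prefilled value is really filled in and that the file does not expose more than it needs to. The following pre-flight check is an example written for this page (it is not IBM's code and not part of the Verify product); it relies only on the key names shown in the YAML above (SCIM_USER, SCIM_USER_PASSWORD, TENANT_URI, CLIENT_ID, CLIENT_SECRET, POSTGRES_PASSWORD) and on the ports mapping. Note that the template publishes postgres on 5432:5432 although identity-brokerage reaches ibdb by service name over the compose network (DB_SERVICE_NAME: ibdb), so that mapping is flagged for review.

```shell
#!/bin/sh
# Pre-flight check for the downloaded docker-compose.yml (example for this page, not
# IBM's code). Findings are printed one per line; the function returns 0 only when
# there are none. Plain POSIX sh plus grep/sed, so it runs on the docker host as-is.

# Print the value of "KEY: value" for the first occurrence of KEY, quotes stripped.
compose_value() {
    grep -E "^[[:space:]]*$2:" "$1" | head -n 1 \
        | sed -e 's/^[^:]*:[[:space:]]*//' -e "s/'//g"
}

check_compose() {
    file="$1"
    status=0
    # 1. every prefilled secret/identifier is present and is not a template placeholder
    #    ("<...>" as in the page's YAML, or a masked "**********" value)
    for key in SCIM_USER SCIM_USER_PASSWORD TENANT_URI CLIENT_ID CLIENT_SECRET POSTGRES_PASSWORD; do
        value=$(compose_value "$file" "$key")
        if [ -z "$value" ]; then
            echo "MISSING     $key is not set"
            status=1
            continue
        fi
        case "$value" in
            *'<'*'>'*|'**********')
                echo "PLACEHOLDER $key still carries the template value: $value"
                status=1 ;;
        esac
    done
    # 2. the bridge must talk to the tenant over TLS
    case "$(compose_value "$file" TENANT_URI)" in
        https://*) ;;
        *) echo "INSECURE    TENANT_URI is not an https:// URL"
           status=1 ;;
    esac
    # 3. identity-brokerage reaches ibdb over the compose network (DB_SERVICE_NAME: ibdb),
    #    so publishing 5432 on the docker host exposes the database without need
    if grep -Eq "^[[:space:]]*-[[:space:]]*'?(0\.0\.0\.0:)?5432:5432'?" "$file"; then
        echo "EXPOSED     postgres port 5432 is published on the docker host; remove the mapping unless something outside the compose network needs it"
        status=1
    fi
    return $status
}

# usage: check_compose docker-compose.yml && docker-compose -f docker-compose.yml up -d
```

Run it against the downloaded file before the first docker-compose up; a non-zero exit means the file should be corrected (or the flagged port mapping consciously kept) before the containers are created.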

Installing on-premise components

To manage on-premise applications such as LDAP, Active Directory or Oracle, which normally reside on the enterprise premises, a few components are required that act as a bridge for communication with IBM Security Verify. The required components are:

  1. Docker containers for:
  • Postgres
  • Identity brokerage
  • Verify bridge
  2. Optional: IBM Security Identity Adapter for LDAP or Oracle (to manage IBM Directory Server or Oracle database only)
  3. Optional: Active Directory Adapter (to manage Active Directory only)

To deploy the above components, a Linux server with the following system requirements is needed:
  • Operating system: a Linux-based operating system with support for Linux containers. See the Docker install guide.
  • CPU: four cores reserved.
  • System memory: 16 GB reserved.
  • Disk space: at least 100 GB free hard disk space.
  • Docker engine: 17.05.0-ce or higher.
  • Docker Compose: see the Docker Compose install guide.
  • Network connectivity to an IBM® Security Verify tenant with an Identity Governance subscription.

Installing containers

Copy the YAML file downloaded after configuring the identity agent to the Linux server, and use the following command to create the required containers:

docker-compose -f docker-compose.yml up -d

Make sure that all three containers start and show a status of Up in the output of the "docker ps -a" command:

[root@<host> ~]# docker ps -a
CONTAINER ID        IMAGE                              COMMAND                  CREATED             STATUS              PORTS                                        NAMES
722165e62ae9        ibmcom/verify-bridge:latest        "/sbin/bootstrap.sh"     4 months ago        Up 4 weeks                                                       verify-bridge
f26aade1cec6        postgres:12-alpine                 "docker-entrypoint..."   5 months ago        Up 4 weeks          0.0.0.0:5432->5432/tcp                       ibdb
1b45372dc651        ibmcom/identity-brokerage:latest   "/sbin/bootstrap.sh"     6 months ago        Up 12 days          9080/tcp, 0.0.0.0:8443->8443/tcp, 9443/tcp   identity-brokerage
[root@<host> ~]#

Optional: Load LDAP adapter profile (in order to manage IBM Directory Server only)

• Refer to the Adapter reference to get the part number for LDAP adapters.
• Download the “IBM Security Verify Adapter for LDAP” from Passport Advantage. Search by part number using CC8YNML.
• Download the profile JAR files
• Load the profile JAR file into the on-premises Verify Identity Brokerage using the Docker CLI
• Log in to the docker host and copy the profile JAR into the identity-brokerage container:

[root@<host> ~]# docker cp LdapProfile.jar identity-brokerage:/store/

• Execute the loadProfile command with the profile JAR path inside the container:

[root@<host> ~]# docker exec -it identity-brokerage bash
<user>@<container>:/$
<user>@<container>:/$ loadProfile /store/LdapProfile.jar
load profile: /store/LdapProfile.jar
File exist on system with path /store/LdapProfile.jar
 Invoking curl request for Target Profile
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  142k  100   693  100  141k    209  43885  0:00:03  0:00:03 --:--:-- 44095
{"schemas":["urn:ibm:idbrokerage:params:scim:schemas:LdapProfile:2.0:TargetProfile"],"id":"LdapProfile","name":"LDAP profile","description":"LDAP service profile","targetType":"Managed","accountProfile":{"profileName":"LdapAccount","objectClass":"erLDAPUserAccount","rdnAttr":"eruid"},"groupProfiles":[{"profileName":"LdapGroupProfile","objectClass":"erLdapGroupAccount","rdnAttr":"erLdapServiceGroup","groupMapping":"erldapgroupname","attributeMap":{"ergroupdescription":"erldapgroupdescription","ergroupname":"erldapservicegroup","ergroupid":"erldapgrouprdn"}}],"meta":{"location":"https://localhost:8443/BrokerageService/identity/TargetProfiles/LdapProfile","resourceType":"TargetProfile"}}
Profile loaded successfully with path /store/LdapProfile.jar !
<user>@<container>:/$

Optional: Load Oracle adapter profile (in order to manage Oracle database only)

• Refer to the Adapter reference to get the part number for the adapter.
• Download the “IBM Security Verify Adapter for Oracle Database” from Passport Advantage. Search by part number as CC9J0ML.
• Download the profile JAR files
• Load the profile JAR file into the on-premises Verify Identity Brokerage using the Docker CLI
• Log in to the docker host and copy the profile JAR into the identity-brokerage container:

[root@<host> ~]# docker cp OracleAdapterProfile.jar identity-brokerage:/store/

• Execute the loadProfile command with the profile JAR path inside the container:

<user>@<container>:/$ loadProfile /store/OracleAdapterProfile.jar
load profile: /store/OracleAdapterProfile.jar
File exist on system with path /store/OracleAdapterProfile.jar
 Invoking curl request for Target Profile
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 58744  100  1114  100 57630    302  15643  0:00:03  0:00:03 --:--:-- 15945
{"schemas":["urn:ibm:idbrokerage:params:scim:schemas:OracleAdapterProfile:2.0:TargetProfile"],"id":"OracleAdapterProfile","name":"Oracle Service Profile","description":"Oracle Account Service Profile ","targetType":"Managed","accountProfile":{"profileName":"OracleAdapterAccount","objectClass":"erOraAccount","rdnAttr":"eruid"},"groupProfiles":[{"profileName":"OraSysPrivProfile","objectClass":"erOraSysPrivs","rdnAttr":"erOraSysPriv","groupMapping":"erorasyspriv","attributeMap":{"ergroupname":"erorasyspriv","ergroupid":"erorasyspriv"}},{"profileName":"OraGroupsProfile","objectClass":"erOraRsrcConsumerGroups","rdnAttr":"erOraRsrcConsumerGroup","groupMapping":"erorarsrcconsumergroup","attributeMap":{"ergroupname":"erorarsrcconsumergroup","ergroupid":"erorarsrcconsumergroup"}},{"profileName":"OraRolesProfile","objectClass":"erOraRoles","rdnAttr":"erOraRolesName","groupMapping":"erorarole","attributeMap":{"ergroupname":"erorarolesname","ergroupid":"erorarolesname"}}],"meta":{"location":"https://localhost:8443/BrokerageService/identity/TargetProfiles/OracleAdapterProfile","resourceType":"TargetProfile"}}
Profile loaded successfully with path /store/OracleAdapterProfile.jar !
<user>@<container>:/$
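The two optional procedures above (LDAP and Oracle) are the same sequence with a different JAR, and they are worth wrapping so that the result is checked rather than eyeballed. The helper below is an example written for this page, not IBM's code: it performs the page's docker cp and loadProfile steps, refuses to copy anything unless the brokerage container is actually running, requires loadProfile's success line in the output, and reads the registered profile id back from the SCIM TargetProfile JSON that loadProfile prints. It assumes the container name identity-brokerage from the compose file above and that loadProfile is on the PATH inside the container, as in the sessions shown.

```shell
#!/bin/sh
# Load an adapter profile JAR into the identity-brokerage container and verify the
# result (example for this page, not IBM's code). POSIX sh plus docker, grep and sed.

# True when the named container is running (docker inspect reads State.Running).
container_running() {
    [ "$(docker inspect -f '{{.State.Running}}' "$1" 2>/dev/null)" = "true" ]
}

# True when loadProfile's output contains its success line.
profile_load_succeeded() {
    printf '%s\n' "$1" | grep -q 'Profile loaded successfully'
}

# Extract "id" from the single-line TargetProfile JSON in loadProfile's output.
# The top-level "id" is the only key spelled exactly "id" in that document
# (keys such as "ergroupid" do not match because of the leading quote).
profile_id_from_output() {
    printf '%s\n' "$1" | sed -n 's/.*"id":"\([^"]*\)".*/\1/p' | head -n 1
}

# load_profile JAR [CONTAINER]: copy the JAR into /store and run loadProfile on it.
load_profile() {
    jar="$1"
    container="${2:-identity-brokerage}"
    [ -f "$jar" ] || { echo "no such file: $jar" >&2; return 1; }
    container_running "$container" \
        || { echo "container $container is not running (check docker ps -a)" >&2; return 1; }
    docker cp "$jar" "$container:/store/" || return 1
    # capture the whole output; success is decided on its content, not on the exit code
    out=$(docker exec "$container" loadProfile "/store/$(basename "$jar")" 2>&1) || true
    printf '%s\n' "$out"
    profile_load_succeeded "$out" || { echo "loadProfile did not report success" >&2; return 1; }
    echo "registered target profile: $(profile_id_from_output "$out")"
}

# usage: load_profile ./LdapProfile.jar
#        load_profile ./OracleAdapterProfile.jar
```

Running it for both JARs gives one line per profile naming the id the brokerage registered (LdapProfile and OracleAdapterProfile in the sessions above), which is the value later referenced when targets are created.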

Optional: Installing Security Directory Integrator (SDI)

  • Download the Security Directory Integrator (SDI) v7.2 from Passport Advantage. Search by part number using CJ30YML and download the binaries for required operating system
  • Follow the installation guide to install the Directory Integrator product on your system.
  • After the product is successfully installed, you can validate it on the file system. The default installation directory on Linux is /opt/IBM/TDI/V7.2:
[root@<host> V7.2]# pwd
/opt/IBM/TDI/V7.2
[root@<host> V7.2]# ls
amc  docs      ibmdisrv       idisrv.sth  jvm       license  maintenance  properties  shortcutFiles.dat  tools    xsl
bin  etc       ibmditk        jars        LDAPSync  logs     osgi         SCIM        testserver.der     _uninst  XSLT
ce   examples  IDILoader.jar  jscript     libs      lwi      performance  serverapi   testserver.jks     xsd


Note: When SDI is installed, it creates a “Default server” which listens on port 1099. This can cause issues when installing the RMI Dispatcher (in later steps), which needs the same port.
Hence, stop the “Default server” before installing the RMI Dispatcher.

Install latest SDI fixpack

After the SDI is installed successfully, upgrade the server with latest fixpack (7.2.0-ISS-SDI-FP0006).
You can download the Fixpack from IBM Fix Central.

Install Identity Adapter RMI Dispatcher

  • Download the “IBM Security Identity Adapter RMI Dispatcher v7.1.40” from Passport Advantage. Search by part number using CC7ZMML.
  • Extract the downloaded SIA_RMI_7140_SDI_7X_MP_ML.zip
  • Follow the Dispatcher install guide to install the adapter

For Linux, installation details using GUI mode are as follows:

[root@<host> RMI]# cd /opt/IBM/TDI/V7.2/jvm/jre/bin/
[root@<host> bin]# ./java -jar /root/Downloads/SDI_Installer/RMI/DispatcherInstall.jar

Note: If you select the “Enable SSL” checkbox, make sure to follow the SSL configuration steps in the Installation Guide.

After installation, open the file “/opt/IBM/TDI/V7.2/timsol/solution.properties” and update the following properties:

  • com.ibm.di.dispatcher.objectPort=1094
  • java.rmi.server.hostname=

Now restart the RMI Dispatcher using the commands below:

[root@<host> /]# cd /opt/IBM/TDI/V7.2/timsol/
[root@<host> timsol]# ./ITIMAd restart
Platform is Linux
Shutting down the IBM Tivoli Identity Manager Adapter service
PID File Exists

IBM Tivoli Identity Manager Adapter Service successfully stopped!
Going to delete PID file...

Platform is Linux
Starting IBM Tivoli Identity Manager Adapter service...
No TDI processes running
Service not running.... Creating the service
Starting Service with Process ID:
15360
nohup: redirecting stderr to stdout

IBM Tivoli Identity Manager Adapter Service start request successfully issued!
PID File Created
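The property edit and restart above are easy to get subtly wrong by hand (a duplicated key line, a value left from a previous attempt, or a restart that fails because the SDI Default server still holds port 1099). The script below is an example written for this page, not IBM's code: it sets the two solution.properties values idempotently, keeps a backup of the file, reports anything listening on 1099 and on the chosen object port before restarting, and then runs ./ITIMAd restart as shown above. It assumes the default install path /opt/IBM/TDI/V7.2 (override with TDI_HOME), the property names as they appear on this page, and the presence of the ss utility on the SDI host for the port report; the hostname in the usage line is a constructed example.

```shell
#!/bin/sh
# Configure the RMI Dispatcher's solution.properties and restart it (example for
# this page, not IBM's code). POSIX sh plus grep/sed/awk and, for the port report, ss.

TDI_HOME="${TDI_HOME:-/opt/IBM/TDI/V7.2}"
SOLUTION_PROPS="$TDI_HOME/timsol/solution.properties"

# set_property FILE KEY VALUE: replace an existing "KEY=..." line or append one,
# so running the script twice leaves exactly one line for the key.
set_property() {
    file="$1"; key="$2"; value="$3"
    if grep -q "^$key=" "$file"; then
        esc=$(printf '%s' "$value" | sed 's/[\/&]/\\&/g')   # protect sed metacharacters
        sed "s/^$key=.*/$key=$esc/" "$file" > "$file.tmp.$$" && mv "$file.tmp.$$" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_property FILE KEY: value of the last active "KEY=..." line (empty if none).
get_property() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# Print "ss -ltnp" lines for listeners on the given TCP port (empty when free).
listeners_on() {
    ss -ltnp 2>/dev/null | awk -v p=":$1" 'NR > 1 && $4 ~ (p "$")'
}

# configure_dispatcher HOSTNAME [OBJECT_PORT]: HOSTNAME becomes java.rmi.server.hostname,
# OBJECT_PORT (default 1094, as on the page) becomes com.ibm.di.dispatcher.objectPort.
configure_dispatcher() {
    host="$1"; port="${2:-1094}"
    [ -f "$SOLUTION_PROPS" ] || { echo "missing $SOLUTION_PROPS" >&2; return 1; }
    cp "$SOLUTION_PROPS" "$SOLUTION_PROPS.bak.$(date +%Y%m%d%H%M%S)"
    set_property "$SOLUTION_PROPS" com.ibm.di.dispatcher.objectPort "$port"
    set_property "$SOLUTION_PROPS" java.rmi.server.hostname "$host"
    # The SDI "Default server" listens on 1099, the port the Dispatcher needs (see the
    # note above); show who holds 1099 and the object port before restarting.
    for p in 1099 "$port"; do
        l=$(listeners_on "$p")
        [ -n "$l" ] && printf 'port %s is in use:\n%s\n' "$p" "$l"
    done
    (cd "$TDI_HOME/timsol" && ./ITIMAd restart)
}

# usage: configure_dispatcher sdi.example.internal    # hostname is a constructed example
```

If the port report lists the SDI Default server on 1099, stop it first (as the note above says) and rerun; the properties are already in place, so the rerun only repeats the restart.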

Configure Verify Password Policy

It is important to configure the Verify password policy so that it conforms to the password rules of any target server.
This ensures that new user accounts are provisioned with a password the target accepts.

  • Login to Verify as tenant administrator (Scott)
  • From the Admin console navigate to Security > Password policies
  • Edit the Default password policy
  • Click on Cloud Directory identity source
  • Set the Password Strength to match the password rules of the on-premise application to be managed

What’s Next

Now that you have the on-premises provisioning infrastructure in place, you can set up provisioning to your on-premises systems.
