On-premises provisioning

Introduction

Managing accounts and fine-grained privileges on targets that are not reachable from the cloud, such as LDAP, Active Directory or Oracle DB deployed on premises, is a common problem.

IBM Security Verify solves this with the Verify Bridge for Provisioning, a set of container images that are deployed into an environment able to reach the targets. There are three components involved, all delivered as images that run under Docker or any container orchestration environment such as Kubernetes:

  • Verify Bridge: This component acts as the proxy to the target and communicates with the Verify tenant using a long-polling mechanism. Communication is therefore always initiated from the agent to the tenant, so no additional infrastructure such as a VPN is required.
  • Verify Identity Brokerage: This component orchestrates the retrieval and provisioning of accounts and fine-grained permissions to the target.
  • Identity Brokerage DB (Postgres): This component holds provisioning state during the process, particularly during the reconciliation process. In addition, this also holds the adapter configuration profiles.

The Identity Brokerage manages some targets (such as Active Directory) through agents; for others (including LDAP and Oracle) it uses adapters that run on IBM Security Directory Integrator.

These are the same adapters used by the IBM Security Governance product (previously known as IBM Security Identity Governance and Intelligence, or IGI). This lets services teams, business partners and customers reuse existing custom adapters and eases migration to the SaaS platform.


Configure Identity Agent in Verify

An identity agent is a bridge that connects external user repositories to IBM® Security Verify for authentication or provisioning. With an identity agent, the native application stays on premises while IBM® Security Verify manages it from the cloud-based tenant.

To configure an identity agent, follow these steps:
• Log in to IBM® Security Verify as the tenant administrator (Scott)
• From the Admin console, navigate to Configuration > Identity agents


• Click on Create agent configuration
• In the Create agent configuration wizard, select purpose Provisioning and configuration type On-premises provisioning.


• Click Next
• On the Connection settings step, provide the details for:
o Identity Brokerage host and port – the hostname and port that the bridge uses to connect to the brokerage. In a standard docker-compose deployment this is identity-brokerage:8443.
o Identity Brokerage username – choose a username; you will use the same value when configuring the brokerage
o Identity Brokerage password – choose a password; you will use the same value when configuring the brokerage


• Copy the docker-compose command; it is used to pull the Docker images in a later step
• Click Next
• Finalize the agent configuration by providing the Agent name and optional Description


• Click Create agent configuration

• Once the agent is saved, the Connection details are shown to the administrator, with a Download Docker Compose YAML button and the docker-compose command.


• Click Download Docker Compose YAML to download the prefilled YAML file.
• Review the downloaded YAML file; it contains values for:
- SCIM_USER – This is the "identity brokerage username" set while configuring identity agent in ISV
- SCIM_USER_PASSWORD – This is the "identity brokerage password" set while configuring identity agent in ISV
- TENANT_URI – Complete URL of your ISV tenant
- CLIENT_ID – Client ID copied after the agent was configured in ISV
- CLIENT_SECRET – Client Secret copied after the agent was configured in ISV
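Because the downloaded file carries the brokerage password and the OAuth client secret in clear text, it is worth checking it before copying it to the Docker host. The POSIX shell script below is an added example, not part of this page or of IBM's product code: it confirms that the five settings above are present with non-empty values and that the file is readable only by its owner. It assumes the settings appear as KEY=value or KEY: value entries in a docker-compose environment list; the sample file it writes is constructed with placeholder values and is not IBM's real file layout.

```sh
#!/bin/sh
# Added example: pre-flight checks on a downloaded docker-compose.yml.
# Assumes settings are written as "- KEY=value" or "KEY: value" lines.

REQUIRED_KEYS="SCIM_USER SCIM_USER_PASSWORD TENANT_URI CLIENT_ID CLIENT_SECRET"

# Print the first value found for key $2 in file $1, with surrounding quotes
# removed. Prints nothing when the key is absent or its value is empty.
compose_value() {
    grep -E "^[[:space:]]*(-[[:space:]]*)?$2[=:]" "$1" | head -n 1 \
      | sed -E "s/^[[:space:]]*(-[[:space:]]*)?$2[=:][[:space:]]*//; s/^[\"']//; s/[\"'][[:space:]]*\$//"
}

# Return 0 when every required key is present with a non-empty value;
# otherwise list the offenders on stderr and return 1.
check_compose_env() {
    missing=""
    for key in $REQUIRED_KEYS; do
        value=$(compose_value "$1" "$key")
        [ -n "$value" ] || missing="$missing $key"
    done
    if [ -n "$missing" ]; then
        echo "missing or empty:$missing" >&2
        return 1
    fi
    return 0
}

# Return 0 when the file is readable only by its owner (mode 600 or 400);
# the YAML holds the brokerage password and the client secret.
compose_perms_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        400|600) return 0 ;;
        *) echo "$1 has mode $mode; chmod 600 it before use" >&2; return 1 ;;
    esac
}

# Write a constructed sample compose file (placeholder values only; not the
# real file produced by the Verify admin console) to the given path.
write_sample_compose() {
    cat > "$1" <<'EOF'
services:
  verify-bridge:
    image: ibmcom/verify-bridge:latest
    environment:
      - TENANT_URI=https://tenant.example.com
      - CLIENT_ID=placeholder-client-id
      - CLIENT_SECRET="placeholder-client-secret"
      - SCIM_USER=brokerage-user
      - SCIM_USER_PASSWORD=placeholder-password
EOF
}

# Stand-alone run: build the sample, lock it down, and apply both checks.
tmp=$(mktemp -d)
write_sample_compose "$tmp/docker-compose.yml"
chmod 600 "$tmp/docker-compose.yml"
if check_compose_env "$tmp/docker-compose.yml" && compose_perms_ok "$tmp/docker-compose.yml"; then
    echo "docker-compose.yml looks complete"
else
    echo "docker-compose.yml needs attention"
fi
rm -rf "$tmp"
```

Run it against the real download with `check_compose_env docker-compose.yml && compose_perms_ok docker-compose.yml` after sourcing the script; a non-zero exit tells you which value is missing or that the file still needs `chmod 600`.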

Installing on-premise components

To manage on-premises applications such as LDAP, Active Directory or Oracle, which normally reside on the enterprise premises, a few components are required to act as a bridge to IBM Security Verify. These components are:

  1. Docker containers for:
    • PostgreSQL database
    • Identity brokerage
    • Verify bridge
  2. The IBM Security Identity Adapter for LDAP, Oracle or Active Directory, depending on the application to be managed
  3. An Application profile in Verify

Installing containers

To deploy the container images, a Linux server with the following system requirements is needed:
Operating System: A Linux-based operating system that supports Linux containers. See the Docker install guide
CPU: Four cores reserved.
System memory: 16 GB reserved.
Disk space: At least 100 GB free hard disk space
Docker engine: 19.03.0 or higher.
Docker Compose: See the Docker Compose install guide
Network connectivity to an IBM® Security Verify tenant with an Identity Governance subscription.

Copy the YAML file which is downloaded after configuring Identity Agent to the Linux server. Use the below command to create the various required containers:

docker-compose -f docker-compose.yml up -d

Make sure that all three containers have started and show a status of Up in the output of the "docker ps -a" command:

[root@xxxxxxxx ~]# docker ps -a
CONTAINER ID        IMAGE                              COMMAND                  CREATED STATUS              PORTS                                        NAMES
722165e62ae9        ibmcom/verify-bridge:latest        "/sbin/bootstrap.sh"     4 months ago        Up 4 weeks                                                       verify-bridge
f26aade1cec6        postgres:12-alpine                 "docker-entrypoint..."   5 months ago        Up 4 weeks          0.0.0.0:5432->5432/tcp                       ibdb
1b45372dc651        ibmcom/identity-brokerage:latest   "/sbin/bootstrap.sh"     6 months ago        Up 12 days          9080/tcp, 0.0.0.0:8443->8443/tcp, 9443/tcp   identity-brokerage
[root@xxxxxxxx ~]#
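Checking the listing by eye works once; for a restart script or a monitoring hook you want the same check to fail loudly. The shell functions below are an added example (not from this page or from IBM) that read docker ps output in NAME STATUS form and report any of the three containers from the listing above that is absent or not Up. The sample listing is constructed; `check_live_containers` is the variant that queries a local Docker engine.

```sh
#!/bin/sh
# Added example: verify that the three on-premises provisioning containers
# named in the page's "docker ps -a" listing are running.

EXPECTED_CONTAINERS="verify-bridge ibdb identity-brokerage"

# Read "NAME STATUS..." lines on stdin, as printed by
#   docker ps -a --format '{{.Names}} {{.Status}}'
# and print every expected container that is absent or whose status is not
# "Up" (Exited, Created, Restarting ...). Returns 0 when all are up, else 1.
report_missing_containers() {
    listing=$(cat)
    bad=""
    for name in $EXPECTED_CONTAINERS; do
        # second field of the matching line is the status keyword
        status=$(printf '%s\n' "$listing" | awk -v n="$name" '$1 == n { print $2 }')
        [ "$status" = "Up" ] || bad="$bad $name"
    done
    if [ -n "$bad" ]; then
        echo "not running:$bad"
        return 1
    fi
    echo "all containers up"
    return 0
}

# Live variant: requires the docker CLI on PATH and access to the engine.
check_live_containers() {
    docker ps -a --format '{{.Names}} {{.Status}}' | report_missing_containers
}

# Constructed sample listing: the brokerage has exited, so the check fails.
SAMPLE_LISTING='verify-bridge Up 4 weeks
ibdb Up 4 weeks
identity-brokerage Exited (1) 2 minutes ago'

# Stand-alone run against the sample (the "|| true" keeps the demo exit clean).
printf '%s\n' "$SAMPLE_LISTING" | report_missing_containers || true
```

A container that is present but Exited is the common failure here (for example a brokerage that could not reach its database); `docker logs identity-brokerage` is the next place to look.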

Download LDAP adapter profile (in order to manage IBM Directory Server only)

• Refer to the Adapter reference to get the part number for LDAP adapters.
• Download the “IBM Security Verify Adapter for LDAP” from Passport Advantage. Search by part number using M0BMYML.
• Download the profile JAR files

Download Oracle adapter profile (in order to manage Oracle database only)

• Refer to the Adapter reference to get the part number for Oracle adapters.
• Download the “IBM Security Verify Adapter for Oracle Database” from Passport Advantage. Search by part number using M0BMZML.
• Download the profile JAR files

Create Application profile in verify

• Log in to IBM® Security Verify as the tenant administrator (Scott)
• Navigate to the Applications > Application profiles page
• Click the Create profile button


• Click Identity adapter profile
• Enter a Profile name
• Upload the identity adapter profile JAR file downloaded earlier


• Click Create profile


• The new profile is created in Draft state. Wait until it is ready to publish
• Once ready, publish the profile by clicking Publish
• After the profile is published, the administrator can review the General settings and Attributes sections


Optional: Installing Security Directory Integrator (SDI)

  • Download Security Directory Integrator (SDI) v7.2 from Passport Advantage. Search by part number using CJ30YML and download the binaries for the required operating system
  • Follow the installation guide to install the Directory Integrator product on your system.
  • After the product is installed, you can verify it on the file system. The default installation directory on Linux is /opt/IBM/TDI/V7.2
[root@xxxxxxxx V7.2]# pwd
/opt/IBM/TDI/V7.2
[root@xxxxxxxx V7.2]# ls
amc  docs      ibmdisrv       idisrv.sth  jvm       license  maintenance  properties  shortcutFiles.dat  tools    xsl
bin  etc       ibmditk        jars        LDAPSync  logs     osgi         SCIM        testserver.der     _uninst  XSLT
ce   examples  IDILoader.jar  jscript     libs      lwi      performance  serverapi   testserver.jks     xsd

Note: SDI Port

When SDI is installed, it creates a “Default server” that listens on port 1099. This conflicts with the RMI Dispatcher (installed in a later step), which needs the same port.

Hence, stop the “Default server” before installing the RMI Dispatcher.

Install latest SDI fixpack

After the SDI is installed successfully, upgrade the server with latest fixpack (7.2.0-ISS-SDI-FP0009).
You can download the Fixpack from IBM Fix Central.

Install Identity Adapter RMI Dispatcher

  • Download the “IBM Security Identity Adapter RMI Dispatcher v7.1.40” from Passport Advantage. Search by part number using CC7ZMML.
  • Extract the downloaded SIA_RMI_7140_SDI_7X_MP_ML.zip
  • Follow the Dispatcher install guide to install the adapter

For Linux, installation details using GUI mode are as follows:

[root@xxxxxxxx RMI]# cd /opt/IBM/TDI/V7.2/jvm/jre/bin/
[root@xxxxxxxx bin]# ./java -jar /root/Downloads/SDI_Installer/RMI/DispatcherInstall.jar

Note: Follow SSL configuration

If you select the “Enable SSL” checkbox, make sure to follow the Installation Guide for the SSL configuration.

After installation, open the file “/opt/IBM/TDI/V7.2/timsol/solution.properties” and update following properties:

  • com.ibm.di.dispatcher.objectPort=1094
  • java.rmi.server.hostname=
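Editing solution.properties by hand is fine once; if you script the dispatcher install, the edit should be idempotent so a rerun does not leave duplicate keys. The helper below is an added example, not from this page or from IBM: it replaces an existing `KEY=` line or appends one, and reads a value back for verification. The sample solution.properties it writes is constructed and is not the real file shipped with SDI; `sdi.example.com` is a placeholder for the DNS name of the SDI server, which is assumed to be the value wanted for java.rmi.server.hostname.

```sh
#!/bin/sh
# Added example: idempotent editing of Java-style KEY=value properties files,
# applied to the two dispatcher settings from the page.

# Escape a key for use as a literal inside a sed basic regular expression
# (keys such as com.ibm.di.dispatcher.objectPort contain regex metacharacters).
sed_escape() {
    printf '%s' "$1" | sed 's/[].[\\*^$]/\\&/g'
}

# Print the value of key $2 in file $1 (first match), or nothing if absent.
get_property() {
    esc=$(sed_escape "$2")
    sed -n "s/^${esc}=//p" "$1" | head -n 1
}

# Set KEY=VALUE in FILE ($1 $2 $3): replace an existing "KEY=" line, otherwise
# append one. Writes through a temporary copy instead of sed -i for portability.
# VALUE must not contain '|' or '&' (sed replacement metacharacters).
set_property() {
    file=$1; key=$2; value=$3
    esc=$(sed_escape "$key")
    if grep -q "^${esc}=" "$file"; then
        sed "s|^${esc}=.*|${key}=${value}|" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# Constructed sample (not the real solution.properties): objectPort present
# with a made-up value, hostname absent, so both code paths are exercised.
write_sample_properties() {
    cat > "$1" <<'EOF'
# constructed sample, not the file shipped with SDI
com.ibm.di.dispatcher.objectPort=1234
EOF
}

# Stand-alone run: apply the two settings from the page and show the result.
f=$(mktemp)
write_sample_properties "$f"
set_property "$f" com.ibm.di.dispatcher.objectPort 1094
set_property "$f" java.rmi.server.hostname sdi.example.com   # placeholder host name
cat "$f"
rm -f "$f"
```

On the real server, point it at /opt/IBM/TDI/V7.2/timsol/solution.properties and run `get_property` on both keys after the restart below to confirm the dispatcher picked up the intended values.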

Now restart the RMI Dispatcher using below commands:

[root@xxxxxxxx /]# cd /opt/IBM/TDI/V7.2/timsol/
[root@xxxxxxxx timsol]# ./ITIMAd restart
Platform is Linux
Shutting down the IBM Tivoli Identity Manager Adapter service
PID File Exists

IBM Tivoli Identity Manager Adapter Service successfully stopped!
Going to delete PID file...

Platform is Linux
Starting IBM Tivoli Identity Manager Adapter service...
No TDI processes running
Service not running.... Creating the service
Starting Service with Process ID:
15360
nohup: redirecting stderr to stdout

IBM Tivoli Identity Manager Adapter Service start request successfully issued!
PID File Created

Configure Verify Password Policy

It is important to configure the Verify password policy so that it conforms to the password rules of the target server.
This ensures that passwords generated for new user accounts are accepted by the target.

  • Log in to Verify as the tenant administrator (Scott)
  • From the Admin console, navigate to Security > Password policies
  • Edit the Default password policy
  • Click the Cloud Directory identity source
  • Set the Password Strength to match the password rules of the on-premises application being managed

What’s Next

Now that you have the on-premises provisioning infrastructure in place, you can set up provisioning to your on-premises systems.