7018796: Configuration change to tighten access controls in Identity Manager 4.5 & 4.6

This document (7018796) is provided subject to the disclaimer at the end of this document.

Environment

NetIQ Identity Manager 4.5
NetIQ Identity Manager 4.6
NetIQ Identity Manager Roles Based Provisioning Module 4.5
NetIQ Identity Manager Roles Based Provisioning Module 4.6

Situation

Apache ActiveMQ is an open source message broker that is shipped as part of Identity Manager and is used by more than one Identity Manager component for secure and fault-tolerant message passing between components. The following steps tighten access control to the Apache ActiveMQ Web Console.

Resolution

1. To remove web access entirely:
In /opt/netiq/idm/apps/activemq/conf/activemq.xml, comment out or remove the following line:
<import resource="jetty.xml"/>
To comment it out, change it to:
<!--<import resource="jetty.xml"/>-->
2. If the administrator wants to keep using the ActiveMQ web console, secure the channel with the configuration below:
a – Ensure activemq.xml still imports jetty.xml (the import line from the previous point must not be commented out).
b – In /opt/netiq/idm/apps/activemq/conf/jetty.xml, uncomment the HTTPS connector so the console is served over https. The connector list then looks like this (bean ids and class attributes as in the stock ActiveMQ jetty.xml):
<bean id="Server" class="org.eclipse.jetty.server.Server">
    <property name="connectors">
        <list>
            <bean id="Connector" class="org.eclipse.jetty.server.ServerConnector">
                <constructor-arg ref="Server" />
                <!-- see the jettyPort bean -->
                <property name="host" value="#{systemProperties['jetty.host']}" />
                <property name="port" value="#{systemProperties['jetty.port']}" />
            </bean>
            <!--
                Enable this connector if you wish to use https with web console
            -->
            <bean id="SecureConnector" class="org.eclipse.jetty.server.ServerConnector">
                <constructor-arg ref="Server" />
                <constructor-arg>
                    <bean class="org.eclipse.jetty.util.ssl.SslContextFactory">
                        <!-- replace the shipped broker.ks and its default password with your own keystore -->
                        <property name="keyStorePath" value="${activemq.conf}/broker.ks" />
                        <property name="keyStorePassword" value="password" />
                    </bean>
                </constructor-arg>
                <property name="port" value="8162" />
            </bean>
        </list>
    </property>
</bean>
c – Change the default HTTP/HTTPS port numbers in /opt/netiq/idm/apps/activemq/conf/jetty.xml: move the default ports 8161 (http) and 8162 (https) to an unused port of your choosing.
d – Change the default passwords for admin and user in /opt/netiq/idm/apps/activemq/conf/jetty-realm.properties. The default password for admin is 'admin' and for user is 'user':
# Defines users that can access the web (console, demo, etc.)
# username: password [,rolename ...]
admin: <securepassword>, admin
user: <securepassword>, user
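As an added audit helper (example code, not from this article or from Identity Manager), the following POSIX shell function checks an ActiveMQ conf directory for the defaults that steps 1 and 2b-2d tell you to change. It assumes one-line XML comments as shown above, and runs here against a constructed sample directory rather than a real /opt/netiq/idm/apps/activemq/conf.

```shell
#!/bin/sh
# Added audit helper (example code, not part of the KB article or of Identity Manager).
# Reports whether the ActiveMQ web console settings the article tells you to change
# are still at their shipped defaults. Assumes one-line XML comments, as in the article.
# Argument: the ActiveMQ conf directory (/opt/netiq/idm/apps/activemq/conf on a real host).
audit_activemq_console() {
    conf="$1"
    [ -r "$conf/activemq.xml" ] || { echo "ERROR no readable activemq.xml in $conf"; return 2; }
    # Step 1: is the console enabled at all? Drop one-line comments, then look for the import.
    if sed 's/<!--.*-->//g' "$conf/activemq.xml" | grep -q '<import resource="jetty.xml"'; then
        echo "INFO web console enabled (activemq.xml imports jetty.xml); checking jetty settings"
    else
        echo "INFO web console disabled (jetty.xml import commented out or removed)"
        return 0
    fi
    # Step 2c: default console ports still configured?
    grep -q 'value="8161"' "$conf/jetty.xml" && echo "WARN default http port 8161 in jetty.xml"
    grep -q 'value="8162"' "$conf/jetty.xml" && echo "WARN default https port 8162 in jetty.xml"
    # Step 2b: https connector still using the shipped keystore password
    grep -q 'keyStorePassword" value="password"' "$conf/jetty.xml" \
        && echo "WARN default keystore password in jetty.xml"
    # Step 2d: realm still has the default admin/admin and user/user credentials
    for u in admin user; do
        grep -Eq "^[[:space:]]*$u:[[:space:]]*$u[[:space:]]*," "$conf/jetty-realm.properties" \
            && echo "WARN default password for '$u' in jetty-realm.properties"
    done
    return 0
}

# Constructed sample conf directory reproducing the shipped defaults the article describes.
make_sample_conf() {
    d=$(mktemp -d)
    printf '<beans>\n  <import resource="jetty.xml"/>\n</beans>\n' > "$d/activemq.xml"
    printf '<property name="port" value="8161"/>\n<property name="keyStorePassword" value="password"/>\n<property name="port" value="8162"/>\n' > "$d/jetty.xml"
    printf 'admin: admin, admin\nuser: user, user\n' > "$d/jetty-realm.properties"
    echo "$d"
}

sample=$(make_sample_conf)
audit_activemq_console "$sample"   # one INFO line and five WARN lines for the constructed sample
rm -rf "$sample"
```

On a real host, run it as `audit_activemq_console /opt/netiq/idm/apps/activemq/conf` after applying the steps above; an empty WARN list means the defaults are gone.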

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented “AS IS” WITHOUT WARRANTY OF ANY KIND.
