Symantec IGA

Update the Identity Governance Datasource Password Encryption

    Posted Sep 11, 2018 03:40 PM

    Team,

    During a walk-through of updating the CA Identity Governance password hash, I noticed that clarification is needed for this process for the r14.x release. For previous releases, you may follow these instructions:

    How to encrypt passwords for GM datasources over jboss 

    Encrypting passwords for GM's datasources in jboss - CA Knowledge 

    For a sandbox / non-production deployment (or non-FIPS), you may see clear text datasource passwords in the JBOSS/Wildfly configuration files.

    Within the standalone-full-ha-gm.xml file, move the “security” function from the datasource to the “security-domain” section.

    • The password tool is USED, but the standalone file must be updated to allow it to reference the decryption module.
      • May use the pwd tool from IG “password tool download” or from IAMSuite tools (may be tar/copied with the lib folder if needed)

    BEFORE IG DATASOURCE ENCRYPTION:

    AFTER IG DATASOURCE ENCRYPTION:  (Two changes)

    1. Update reference for a datasource’s <security> section to use a security domain.
    2. Update <security-domain> with reference to decryption module & the username/password encryption format.

    Update Example(s) for the two (2) sections per each Datasource:

    <security>
        <security-domain>eurekifyDS</security-domain>
    </security>

    <security-domain name="eurekifyDS">
        <authentication>
            <login-module code="com.netegrity.jboss.datasource.PicketBoxPasswordEncryptedLogin" flag="required" module="com.ca.iam.idmutils">
                <module-option name="userName" value="EUREKIFY_SDB"/>
                <module-option name="password" value="{PBES}:pDlNMkpQppY="/>
                <module-option name="managedConnectionFactoryName" value="jboss.jca:name=eurekifyDS,service=NoTxCM"/>
            </login-module>
        </authentication>
    </security-domain>
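As an added check (my own example, not part of Alan's post or the product), the script below audits a standalone*.xml for datasources that still carry a cleartext <password>, confirms that each referenced security-domain is actually defined, and verifies that the domain's password module-option carries the {PBES}: prefix. The embedded XML is constructed from the snippets above; the second datasource (ticketDS) and the subsystem namespace versions are assumptions.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the xmlns URI (urn:jboss:domain:...)

def _find_all(root, name):
    return [e for e in root.iter() if _local(e.tag) == name]

def audit_datasources(xml_text):
    """Return {pool-name: [issues]} for every <datasource> in a standalone*.xml."""
    root = ET.fromstring(xml_text)
    domains = {}  # security-domain name -> value of its "password" module-option
    for sd in _find_all(root, "security-domain"):
        if sd.get("name") is None:
            continue  # a nameless <security-domain> is the reference inside <security>
        opts = {o.get("name"): o.get("value") for o in _find_all(sd, "module-option")}
        domains[sd.get("name")] = opts.get("password") or ""
    findings = {}
    for ds in _find_all(root, "datasource"):
        issues = []
        sec = next((c for c in ds if _local(c.tag) == "security"), None)
        if sec is None:
            issues.append("no <security> section")
        else:
            if any(_local(c.tag) == "password" for c in sec):
                issues.append("cleartext password in datasource")
            ref = next((c.text for c in sec if _local(c.tag) == "security-domain"), None)
            if ref is not None and ref not in domains:
                issues.append("security-domain %s not defined" % ref)
            elif ref is not None and not domains[ref].startswith("{PBES}:"):
                issues.append("security-domain %s password not PBES-encrypted" % ref)
        findings[ds.get("pool-name") or ds.get("jndi-name")] = issues
    return findings

# Constructed sample: eurekifyDS is wired the "after" way, ticketDS is still "before".
SAMPLE = """<server xmlns="urn:jboss:domain:4.2">
<subsystem xmlns="urn:jboss:domain:datasources:4.0"><datasources>
<datasource jndi-name="java:/eurekifyDS" pool-name="eurekifyDS">
<security><security-domain>eurekifyDS</security-domain></security></datasource>
<datasource jndi-name="java:/ticketDS" pool-name="ticketDS">
<security><user-name>EUREKIFY_TICKETDB</user-name><password>Password01</password></security>
</datasource></datasources></subsystem>
<subsystem xmlns="urn:jboss:domain:security:1.2"><security-domains>
<security-domain name="eurekifyDS"><authentication>
<login-module code="com.netegrity.jboss.datasource.PicketBoxPasswordEncryptedLogin" flag="required" module="com.ca.iam.idmutils">
<module-option name="userName" value="EUREKIFY_SDB"/>
<module-option name="password" value="{PBES}:pDlNMkpQppY="/>
</login-module></authentication></security-domain></security-domains></subsystem></server>"""
```

Run it against a real file with audit_datasources(open("standalone-full-ha-gm.xml").read()); an empty issue list per pool-name means that datasource is wired the way the "AFTER" example shows.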

    #### EXTRA INFO  -  What pwdtool.sh to use ####

    The IG password tool file may be placed on a workstation to extract the password tool (or copied to the server).

    Enclosing a sample from my AWS cluster of IG r14.2 with datasource encryption.

    Edit:   2018/09/20

    The Identity Governance (IG) r14.x version has moved the reference to the idmutils.jar file under the Wildfly modules folder.

    You must add this missing folder structure AND the jar & module.xml file for IG to use the class file to decrypt the newly encrypted passwords for the datasources.

    You may see the below error message:

    Here is a view of a delta between vApp (standalone with no encryption) and vApp AWS with encryption.

    Steps:

    1) mkdir -p /opt/CA/wildfly-ig/modules/com/ca/iam/idmutils/main
    2) cd /opt/CA/wildfly-ig/modules/com/ca/iam/idmutils/main
    3) vi module.xml [or copy this file]
    4) cp -r -p /opt/CA/wildfly-ig/standalone/deployments/eurekify.war/WEB-INF/lib/idmutils-14.1.0-327.jar idmutils.jar
    5) chown -R wildfly:wildfly /opt/CA/wildfly-ig/modules/*
    6) chmod -R 744 /opt/CA/wildfly-ig/modules/*
    7) Restart IG, and monitor for this error message after the JDBC driver is declared:
           Caused by: org.jboss.modules.ModuleNotFoundException: com.ca.iam.idmutils:main

    View of the module.xml file:

    <?xml version="1.0" encoding="UTF-8"?>
    <module xmlns="urn:jboss:module:1.1" name="com.ca.iam.idmutils">
        <resources>
            <resource-root path="idmutils.jar"/>
        </resources>

        <dependencies>
            <module name="javax.api"/>
            <module name="org.picketbox"/>
            <module name="javax.resource.api"/>
            <module name="org.apache.log4j"/>
            <module name="com.ca.iam.fips"/>
        </dependencies>
    </module>

    ##### Additional notes, if you have locked your vApp Oracle XE DB service IDs during this exercise #####

    1) su - oracle
    2) sqlplus
    3) SQL> CONNECT SYS as SYSDBA
        a) Enter the sysdba password (install password)
    4) Example:  ALTER USER account IDENTIFIED BY password ACCOUNT UNLOCK;

        a)  Copy and Paste these four lines (with new PASSWORD) within the sqlplus prompt:


    ALTER USER EUREKIFY_SDB IDENTIFIED BY Password01 ACCOUNT UNLOCK;
    ALTER USER EUREKIFY_TICKETDB IDENTIFIED BY Password01 ACCOUNT UNLOCK;
    ALTER USER GVM_DATAWAREHOUSE IDENTIFIED BY Password01 ACCOUNT UNLOCK;
    ALTER USER WPDS IDENTIFIED BY Password01 ACCOUNT UNLOCK;

    Cheers,

    Alan