Application-Specific Password Management Requirements
Some applications have specific configuration requirements that go beyond the basic password management requirements previously discussed in this document. This section explores some of those application-specific requirements.
Active Directory and ADAM: SSL
Both AD and ADAM require a secure connection (SSL) for any password management activities. IdentityIQ offers two separate read-write connectors for each of these applications.
See SSL Configuration for the Direct Connector.
SSL Configuration for the Direct Connector
Installations using the AD or ADAM Direct connector must generate and install an SSL certificate under AD/ADAM and then build a java key store for IdentityIQ that trusts the AD/ADAM SSL certificate.
These are the basic steps for building that java key store and configuring IdentityIQ to use it.
- On a Domain Controller, log in as an administrator and open Internet Explorer. Navigate to Tools > Internet Options > Content and click Certificates.
- Switch to the Trusted Root Certificate Authorities tab and select the certificate issued by your Active Directory integrated Certificate Server. Click Export.
- Choose Base-64 encoded X.509 (.CER) as the Export File Format.
- Specify a file name for the exported certificate.
- Finish the export and copy the exported .cer file to the Java client machine.
- At the client machine, run the following command from the JDK bin directory:
keytool -import -alias [aliasname] -keystore [keystore filename] -file [fully qualified certificate filename]
The key store (.jks) file is created in the bin directory where the keytool command is found. The name of the file is the name you specified following the -keystore parameter, such as myCaCerts.jks.
- Create the Application in IdentityIQ using the appropriate direct connector (Active Directory or LDAP - ADAM). Select Use SSL and provide all the required values. Save the application (do not click Test Connection yet).
- Assuming that the keystore is created in /tomcat/apache-tomcat-7.0.47/, enter the following in catalina.sh:
-Djavax.net.ssl.trustStore=/tomcat/apache-tomcat-7.0.47/myCaCerts.jks -Djavax.net.ssl.trustStorePassword=password
- Restart the Tomcat server.
- Return to the Application Definition in the UI and click Test Connection to verify that the SSL connection is properly configured.
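The keystore steps above, scripted as an added example (not part of the IdentityIQ documentation): the exported .cer is checked for the Base-64 format, imported with keytool, confirmed to be present in the store, and the CATALINA_OPTS line for catalina.sh is rendered. The paths, alias, host and password are placeholders; the `verify_ldaps_chain` check with openssl is an added pre-check that mirrors what Test Connection does.

```shell
#!/bin/sh
# Added example: build and verify the JKS trust store for the AD/ADAM Direct connector.
# All file names, the alias and the password below are placeholders supplied by the caller.

# The export wizard option "Base-64 encoded X.509 (.CER)" produces a PEM file with these markers.
is_pem_cert() {
  grep -q '^-----BEGIN CERTIFICATE-----' "$1" && grep -q '^-----END CERTIFICATE-----' "$1"
}

# Import the CA certificate as a trusted entry. -noprompt avoids the interactive
# "Trust this certificate?" question; -storepass creates the store if it does not exist.
build_truststore() {
  cer=$1; ks=$2; alias=$3; pass=$4
  keytool -importcert -noprompt -trustcacerts -alias "$alias" \
    -keystore "$ks" -storepass "$pass" -file "$cer"
}

# Confirm the alias landed in the store (fails if the import silently did nothing).
truststore_has_alias() {
  keytool -list -keystore "$1" -storepass "$2" -alias "$3" >/dev/null 2>&1
}

# Check that the domain controller's LDAPS certificate chains to the exported CA,
# which is the same trust decision the JVM will make when Test Connection is clicked.
verify_ldaps_chain() {
  openssl s_client -connect "$1:636" -CAfile "$2" -verify_return_error \
    </dev/null >/dev/null 2>&1
}

# Render the line for catalina.sh. Caveat: javax.net.ssl.trustStore replaces the JVM's
# default cacerts, so every other TLS endpoint IdentityIQ calls must also be in this store.
catalina_opts_line() {
  printf 'CATALINA_OPTS="$CATALINA_OPTS -Djavax.net.ssl.trustStore=%s -Djavax.net.ssl.trustStorePassword=%s"\n' "$1" "$2"
}

# Usage: sh build_truststore.sh ca.cer /tomcat/apache-tomcat-7.0.47/myCaCerts.jks adca password dc01.example.local
main() {
  is_pem_cert "$1" || { echo "not a Base-64 X.509 file: $1" >&2; return 1; }
  build_truststore "$1" "$2" "$3" "$4"
  truststore_has_alias "$2" "$4" "$3" || { echo "alias $3 missing after import" >&2; return 1; }
  verify_ldaps_chain "$5" "$1" || { echo "LDAPS chain on $5 does not validate against $1" >&2; return 1; }
  catalina_opts_line "$2" "$4"
}
[ $# -eq 0 ] || main "$@"
```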
Windows Local and Active Directory: IQService Agent
Note
AD and ADAM require a secure connection (SSL) for any password management activities.
The IQService is a native Windows service that enables IdentityIQ to participate in a Windows environment and access information only available through Win32 APIs. You must install and register an IQService before you can provision to Active Directory, aggregate Terminal Services attributes, collect information from the Windows Event Logs, or load local Windows users or groups through the Direct connectors. This includes provisioning of password changes.
IQService can be installed on an independent Windows computer or on a Windows machine that is a member of a domain. It listens for connections from an IdentityIQ instance and can be used to do one of several things, including:
- Aggregate access to the file shares on the server
- Aggregate local user and group definitions from the independent Windows machine
- Aggregate users and groups from the Active Directory or ADAM domain of which the machine is a member
- Change the passwords for a user who has rights to the independent Windows machine or the domain
The application definition for the Active Directory or Windows Local application must then be configured with the host and port where IQService is installed and listening.
Windows Desktop Password Reset Utility
Since a user would normally have to log into their computer before accessing IdentityIQ (or any other application) through a web browser, enabling reset of a Windows Desktop password requires the installation of a utility application called IdentityIQ Lifecycle Manager Desktop Password Reset. This application adds a link or button to the Windows login screen that can be configured to open IdentityIQ's Forgot Password feature (or any other web-based password management solution) in a restricted browser so users can change their password. This bypasses the Windows login credential requirement for this specific and limited purpose only.
Note
Users can only be authenticated and permitted to change the Windows Desktop password through the IdentityIQ Forgot Password functionality if they have previously configured challenge question answers that can be used for authentication.
This utility is available to any customer who has licensed the Lifecycle Manager product.
When this application is installed, the Forgot Password? button, tile, or link appears on the Windows login screen.
If configured to point to the IdentityIQ Forgot Password functionality, the restricted browser window displays IdentityIQ's challenge question authentication window.