ISIM Security hardening

Author(s): Adam Bulla | Created: 26 April 2024 | Last modified: 26 April 2024

Tested on: -

Table of contents

ISIM Security hardening
Section 1.1.1-10 Technical password requirements
ISIM Console
Section 1.1.11-19 Password Requirements
ISIM Management site
1.2.1-21 Audit logging
Section 1.2.22-24 Logging
Section 2.1.3 Encryption
Other
Configuring secure communication

ISIM Security hardening↑

Section 1.1.1-10 Technical password requirements↑

Check the following passwords, to conform to the following requirements.

Requirements:

All passwords should be unique and different between instances, and different accounts.
Passwords must be chosen to be 'strong', and should abide the rules set for ITIM accounts:
- At least 14 characters long
- At least 1 numeric character
- At least 1 upper, and 1 lower case alphabetic character
All passwords are advised to be stored in some kind of password store, preferably using .kdb

List of techical accounts, and where to change passwords:

ITIM manager account ( ISIM console -> Change Password -> Search System Administrator)
All credentials used by ISIM to communicate with adapters
- For each service configured under Manage Services, check or change the password on the ISIM console, and on the adapter side
LDAP administrator account
- ISIM Side: ISIM Management console -> Configure -> Directory Server configuration -> Reconfigure
- LDAP Side: run idsdnpw –u cn=root –p on the LDAP server
DB2 administrator account
- ISIM Side: ISIM Management console -> Configure -> Database Server configuration -> Reconfigure
- DB2 Side: Log on as root, and run passwd db2inst1

The following userids should be managed as shared ids, and loaded into ISPIM:

ITIM manager
DB2 users: db2inst1 and isimuser
LDAP administrator: cn=root

ISIM Console↑

Section 1.1.11-19 Password Requirements↑

Navigate to Set System Security / Set Security Properties tab.

Enable Set password on user during user creation
Identity account password expiration period in days: 90
Maximum number of incorrect login attempts: 3

Navigate to the Manage policies / Manage Password Policies tab.

Create new password policy / Edit Global password policy
- The password policy should have a target of "All service types"
Set the following rules:
- Minimum Password length: 8
- Minimum alphabetic characters: 1
- Minimum numeric characters: 1
- Passwords history: 8
- Disallow user ID: True
- Disallow user ID: True

ISIM Management site↑

1.2.1-21 Audit logging↑

Check Configure Identity Manager / Update Property / Identity Server property files / enroleAuditing.properties for the following property values:

itim.auditing=true
Audit.ACIManagement=true
Audit.AccessConfiguration=true
Audit.AccessManagement=true
Audit.AccountManagement=true
Audit.Authentication=true
Audit.ContainerManagement=true
Audit.DelegateAuthority=true
Audit.EntitlementWorkflowManagement=true
Audit.EntityOperationManagement=true
Audit.GroupManagement=true
Audit.ITIMConfiguration=true
Audit.ITIMGroupManagement=true
Audit.OrgRoleManagement=true
Audit.PersonManagement=true
Audit.PolicyManagement=true
Audit.Reconciliation=true
Audit.RuntimeEvent=true
Audit.SelfPasswordChange=true
Audit.ServiceManagement=true
Audit.ServicePolicyEnforcement=true

Section 1.2.22-24 Logging↑

For setting up the following logging configurations, navigate to Manage System Settings / Log retrieval and configuration / Identity tab, click Configure, choose Identity manager tab, and at the bottom of the box, add the following properties:

logger.msg.com.ibm.itim.security.logging=true
logger.msg.logging=true
logger.trace.logging=true

Section 2.1.3 Encryption↑

Configure Identity Manager / Update Property:

enrole.password.database.encrypted: true
enrole.password.ldap.encrypted: true
enrole.password.appServer.encrypted: true

Other↑

Configuring secure communication↑

Configuring VA and ISIM SSL certificate

VA is supplied with self-signed certificate. Create a new, trusted CA validated certificate, and upload it through the VA Admin console / Configure Identity Manager / Application Server Certificate Management

Configuring SSL for managed systems

To configure SSL for managed systems, please see the documentation of the adapter being configured.

For ISIM to be able to connect to an adapter through a secured SSL connection, ISIM must trust the certificate of the adapter. This can be achieved by importing the SSL certificate of the adapter through the VA admin console / Configure Identity Manager / SSL Certificate Management.

After the adapter certificate has been uploaded, update all necessary information about the adapter (e.g. ports, protocols) to reflect SLL usage.

Configuring SSL for Directory Server

For configuring SSL on the Directory Server, please see the corresponding guide for Directory Server.

For ISIM to be able to use SSL with Directory Server, the connection must be reconfigured on the VA admin console / Configure Identity Manager / Directory Server Configuration. Reconfigure the appropriate connection, and set up the necessary network parameters :

Enable SSL by checking the SSL checkbox.
Change the port number to the SSL port of the server (by default 636)

Configuring SSL for DB2

For configuring SSL on the DB2 Instance, please see the corresponding guide for DB2.

For ISIM to be able to use SSL with DB2, the connection must be reconfigured on the VA admin console / Configure Identity Manager / Database Server Configuration. Reconfigure the appropriate connection, and set up the necessary network parameters :

Enable SSL by checking the SSL checkbox.
Change the port number to the SSL port of the DB2 server