ISIM Security hardening


Author(s): Adam Bulla | Created: 25 June 2022 | Last modified: 25 June 2022
Tested on: -

Section 1.1.1-10 Technical password requirements

Check that the passwords of the technical accounts listed below conform to the following requirements.

Requirements:

  • All passwords should be unique: different between instances and different between accounts.
  • Passwords must be 'strong' and should abide by the rules set for ITIM accounts:
    • At least 14 characters long
    • At least 1 numeric character
    • At least 1 upper-case and 1 lower-case alphabetic character
  • All passwords should be stored in a password store, preferably a .kdb key database.

List of technical accounts, and where to change their passwords:

  • ITIM manager account ( ISIM console -> Change Password -> Search System Administrator)
  • All credentials used by ISIM to communicate with adapters
    • For each service configured under Manage Services, check or change the password on the ISIM console, and on the adapter side
  • LDAP administrator account
    • ISIM Side: ISIM Management console -> Configure -> Directory Server configuration -> Reconfigure
    • LDAP Side: run idsdnpw -u cn=root -p <new password> on the LDAP server
  • DB2 administrator account
    • ISIM Side: ISIM Management console -> Configure -> Database Server configuration -> Reconfigure
    • DB2 Side: log on as root on the DB2 server and run passwd db2inst1

The following user IDs should be managed as shared IDs and loaded into ISPIM:

  • ITIM manager
  • DB2 users: db2inst1 and isimuser
  • LDAP administrator: cn=root

ISIM Console

Section 1.1.11-19 Password Requirements

Navigate to the Set System Security / Set Security Properties tab.

  • Enable Set password on user during user creation
  • Identity account password expiration period in days: 90
  • Maximum number of incorrect login attempts: 3

Navigate to the Manage policies / Manage Password Policies tab.

  • Create new password policy / Edit Global password policy
    • The password policy should have a target of "All service types"
  • Set the following rules:
    • Minimum password length: 8
    • Minimum alphabetic characters: 1
    • Minimum numeric characters: 1
    • Password history: 8
    • Disallow user ID: True
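The two rule sets above (section 1.1.1-10 for the technical accounts, section 1.1.11-19 for the global identity password policy) can be checked before a password is set anywhere. The following is an added example and is not part of the original page or of ISIM: it expresses each rule set as data and checks a constructed inventory of placeholder passwords against it, including the reuse-across-accounts rule. Account names and passwords are constructed; the history check compares plaintext values, which is acceptable for a pre-deployment check of an inventory file but is not how a production password history is stored.

```python
"""Policy-driven password checks for the technical-account rules and the
global identity password policy (added example, not from the original page)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    """One rule set: character-count minimums plus two optional checks."""
    name: str
    min_length: int
    min_alpha: int = 0
    min_numeric: int = 0
    min_upper: int = 0
    min_lower: int = 0
    disallow_user_id: bool = False
    history: int = 0  # how many previous passwords may not be reused (0 = no check)


# Section 1.1.1-10: technical / service accounts.
TECHNICAL_POLICY = PasswordPolicy(
    name="technical accounts", min_length=14, min_numeric=1, min_upper=1, min_lower=1)

# Section 1.1.11-19: global password policy configured in the ISIM console.
GLOBAL_IDENTITY_POLICY = PasswordPolicy(
    name="global identity policy", min_length=8, min_alpha=1, min_numeric=1,
    disallow_user_id=True, history=8)


def check_password(password, policy, user_id=None, previous=()):
    """Return the list of violated rules; an empty list means compliant.
    `previous` holds earlier passwords of the same account, oldest first."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    counts = {
        "alphabetic": sum(c.isalpha() for c in password),
        "numeric": sum(c.isdigit() for c in password),
        "upper-case": sum(c.isupper() for c in password),
        "lower-case": sum(c.islower() for c in password),
    }
    for label, needed in (("alphabetic", policy.min_alpha), ("numeric", policy.min_numeric),
                          ("upper-case", policy.min_upper), ("lower-case", policy.min_lower)):
        if counts[label] < needed:
            problems.append(f"fewer than {needed} {label} character(s)")
    if policy.disallow_user_id and user_id and user_id.lower() in password.lower():
        problems.append("contains the user ID")
    if policy.history and password in previous[-policy.history:]:
        problems.append(f"reused within the last {policy.history} passwords")
    return problems


def check_technical_accounts(credentials):
    """credentials: {'<instance>/<account>': password}. Returns {account: problems}
    for every account that breaks a rule, including a password shared with
    another account or instance (the uniqueness rule)."""
    report, seen = {}, {}
    for account, password in credentials.items():
        problems = check_password(password, TECHNICAL_POLICY)
        if password in seen:
            problems.append(f"identical to the password of {seen[password]}")
        else:
            seen[password] = account
        if problems:
            report[account] = problems
    return report


# Constructed sample inventory: placeholder values, not real credentials.
SAMPLE_CREDENTIALS = {
    "isim-prod/itim manager": "Tq7m#Vx2pL9sRw4e",   # compliant
    "isim-prod/db2inst1": "Tq7m#Vx2pL9sRw4e",       # reused from itim manager
    "isim-prod/cn=root": "shortPass1",              # too short
    "isim-test/isimuser": "alllowercase12345",      # no upper-case character
}

if __name__ == "__main__":
    for account, problems in check_technical_accounts(SAMPLE_CREDENTIALS).items():
        print(f"{account}: {'; '.join(problems)}")
    print(check_password("jsmith2024", GLOBAL_IDENTITY_POLICY, user_id="jsmith"))
```

Running the block prints three non-compliant technical accounts (the reused, the short and the all-lower-case password) and, for the identity policy, flags a password that embeds the user ID.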

ISIM Management site

Section 1.2.1-21 Audit logging

Check Configure Identity Manager / Update Property / Identity Server property files / enroleAuditing.properties for the following property values:

  • itim.auditing=true
  • Audit.ACIManagement=true
  • Audit.AccessConfiguration=true
  • Audit.AccessManagement=true
  • Audit.AccountManagement=true
  • Audit.Authentication=true
  • Audit.ContainerManagement=true
  • Audit.DelegateAuthority=true
  • Audit.EntitlementWorkflowManagement=true
  • Audit.EntityOperationManagement=true
  • Audit.GroupManagement=true
  • Audit.ITIMConfiguration=true
  • Audit.ITIMGroupManagement=true
  • Audit.OrgRoleManagement=true
  • Audit.PersonManagement=true
  • Audit.PolicyManagement=true
  • Audit.Reconciliation=true
  • Audit.RuntimeEvent=true
  • Audit.SelfPasswordChange=true
  • Audit.ServiceManagement=true
  • Audit.ServicePolicyEnforcement=true

Section 1.2.22-24 Logging

To set up the following logging configuration, navigate to Manage System Settings / Log retrieval and configuration / Identity tab, click Configure, choose the Identity manager tab, and add the following properties at the bottom of the box:

  • logger.msg.com.ibm.itim.security.logging=true
  • logger.msg.logging=true
  • logger.trace.logging=true

Section 2.1.3 Encryption

Under Configure Identity Manager / Update Property, set:

  • enrole.password.database.encrypted: true
  • enrole.password.ldap.encrypted: true
  • enrole.password.appServer.encrypted: true
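Sections 1.2.1-21, 1.2.22-24 and 2.1.3 all come down to property values that must be present and set to true, so they can be verified from a dump of the property files rather than by eye in the console. The following is an added example, not from the original page or from ISIM: it parses Java .properties text (which accepts '=', ':' or whitespace as the key/value separator and backslash line continuations) and reports every required key that is missing or set to anything other than true. The sample property text is constructed, with two defects planted in the auditing dump and one in the encryption settings.

```python
"""Audit ISIM property dumps for the required values (added example, not
from the original page)."""
import re

# Section 1.2.1-21: every auditing category in enroleAuditing.properties must be on.
AUDIT_REQUIRED = {"itim.auditing": "true"}
AUDIT_REQUIRED.update({f"Audit.{name}": "true" for name in (
    "ACIManagement", "AccessConfiguration", "AccessManagement", "AccountManagement",
    "Authentication", "ContainerManagement", "DelegateAuthority",
    "EntitlementWorkflowManagement", "EntityOperationManagement", "GroupManagement",
    "ITIMConfiguration", "ITIMGroupManagement", "OrgRoleManagement", "PersonManagement",
    "PolicyManagement", "Reconciliation", "RuntimeEvent", "SelfPasswordChange",
    "ServiceManagement", "ServicePolicyEnforcement")})

# Section 1.2.22-24: security, message and trace logging switched on.
LOGGING_REQUIRED = {
    "logger.msg.com.ibm.itim.security.logging": "true",
    "logger.msg.logging": "true",
    "logger.trace.logging": "true",
}

# Section 2.1.3: stored passwords encrypted rather than in the clear.
ENCRYPTION_REQUIRED = {
    "enrole.password.database.encrypted": "true",
    "enrole.password.ldap.encrypted": "true",
    "enrole.password.appServer.encrypted": "true",
}

# First '=' or ':' (with optional surrounding blanks) or, failing that, a run of blanks.
_SEPARATOR = re.compile(r"\s*[=:]\s*|\s+")


def parse_properties(text):
    """Minimal java.util.Properties reader: '#' / '!' comments, '=' / ':' / whitespace
    separators, backslash line continuations; a later duplicate key wins."""
    props = {}
    pending = ""                      # text of a logical line continued with '\'
    for raw in text.splitlines():
        line = pending + raw.strip()  # continuation lines drop their leading blanks
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        m = _SEPARATOR.search(line)
        key, value = (line[:m.start()], line[m.end():]) if m else (line, "")
        props[key] = value
    return props


def find_noncompliant(text, required):
    """Return {key: actual value or None} for every required key that is absent
    or whose value differs (case-insensitively) from the required one."""
    props = parse_properties(text)
    return {key: props.get(key) for key, wanted in required.items()
            if props.get(key) is None or props[key].lower() != wanted.lower()}


# Constructed enroleAuditing.properties dump with two planted defects:
# Audit.Authentication is off and Audit.SelfPasswordChange is missing entirely.
SAMPLE_AUDITING = """\
# enroleAuditing.properties (constructed sample)
itim.auditing=true
Audit.ACIManagement=true
Audit.AccessConfiguration: true
Audit.AccessManagement true
Audit.AccountManagement=true
Audit.Authentication=false
Audit.ContainerManagement=true
Audit.DelegateAuthority=true
Audit.EntitlementWorkflowManagement=\\
    true
Audit.EntityOperationManagement=true
Audit.GroupManagement=true
Audit.ITIMConfiguration=true
Audit.ITIMGroupManagement=true
Audit.OrgRoleManagement=true
Audit.PersonManagement=true
Audit.PolicyManagement=true
Audit.Reconciliation=true
Audit.RuntimeEvent=true
Audit.ServiceManagement=true
Audit.ServicePolicyEnforcement=true
"""

# Constructed encryption settings with the LDAP password left unencrypted.
SAMPLE_ENCRYPTION = """\
enrole.password.database.encrypted=true
enrole.password.ldap.encrypted=false
enrole.password.appServer.encrypted=true
"""

if __name__ == "__main__":
    for label, text, required in (("auditing", SAMPLE_AUDITING, AUDIT_REQUIRED),
                                  ("encryption", SAMPLE_ENCRYPTION, ENCRYPTION_REQUIRED)):
        for key, actual in find_noncompliant(text, required).items():
            print(f"{label}: {key} = {actual!r} (required: true)")
```

Feed the same function a dump of the logging properties with LOGGING_REQUIRED to cover section 1.2.22-24; a key reported with value None has not been added at all, which is the usual finding after an upgrade or a restore.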

Other

Configuring secure communication

Configuring VA and ISIM SSL certificate

The VA is supplied with a self-signed certificate. Replace it with a certificate issued by a trusted CA, and upload it through the VA admin console / Configure Identity Manager / Application Server Certificate Management.

Configuring SSL for managed systems

To configure SSL for managed systems, please see the documentation of the adapter being configured.

For ISIM to be able to connect to an adapter through a secured SSL connection, ISIM must trust the certificate of the adapter. This can be achieved by importing the SSL certificate of the adapter through the VA admin console / Configure Identity Manager / SSL Certificate Management.

After the adapter certificate has been uploaded, update the service definition (e.g. port, protocol) to reflect SSL usage.

Configuring SSL for Directory Server

For configuring SSL on the Directory Server, please see the corresponding guide for Directory Server.

For ISIM to be able to use SSL with Directory Server, the connection must be reconfigured on the VA admin console / Configure Identity Manager / Directory Server Configuration. Reconfigure the appropriate connection, and set up the necessary network parameters:

  • Enable SSL by checking the SSL checkbox.
  • Change the port number to the SSL port of the server (by default 636)

Configuring SSL for DB2

For configuring SSL on the DB2 Instance, please see the corresponding guide for DB2.

For ISIM to be able to use SSL with DB2, the connection must be reconfigured on the VA admin console / Configure Identity Manager / Database Server Configuration. Reconfigure the appropriate connection, and set up the necessary network parameters:

  • Enable SSL by checking the SSL checkbox.
  • Change the port number to the SSL port of the DB2 server