Configuration change to tighten access controls in Identity Manager 4.5 & 4.6

  • 7018796
  • 11-Apr-2017
  • 11-Apr-2017

Environment

NetIQ Identity Manager 4.5
NetIQ Identity Manager 4.6
NetIQ Identity Manager Roles Based Provisioning Module 4.5
NetIQ Identity Manager Roles Based Provisioning Module 4.6

Situation

Apache ActiveMQ is an open source message broker that ships as part of Identity Manager and is used by several Identity Manager components for secure, fault-tolerant message passing between them. The following steps tighten access control to the Apache ActiveMQ Web Console.

Resolution

1. To remove web access entirely:
In /opt/netiq/idm/apps/activemq/conf/activemq.xml, comment out or remove the following line:
<import resource="jetty.xml"/>
When commented out, the line reads:
<!--<import resource="jetty.xml"/>-->


2. If the administrator wants to keep using the ActiveMQ web console, secure the channel with the configuration below:

 a - Ensure that activemq.xml still imports jetty.xml (the line discussed in the previous step must not be commented out).

 b - In /opt/netiq/idm/apps/activemq/conf/jetty.xml, uncomment the following lines to enable the HTTPS connector for the ActiveMQ web console:

        <bean id="Connector" class="org.eclipse.jetty.server.ServerConnector">
            <constructor-arg ref="Server" />
            <!-- see the jettyPort bean -->
            <property name="host" value="#{systemProperties['jetty.host']}" />
            <property name="port" value="#{systemProperties['jetty.port']}" />
        </bean>
        <!--
            Enable this connector if you wish to use https with web console
        -->
        <bean id="SecureConnector" class="org.eclipse.jetty.server.ServerConnector">
            <constructor-arg ref="Server" />
            <constructor-arg>
                <bean id="handlers" class="org.eclipse.jetty.util.ssl.SslContextFactory">
                    <property name="keyStorePath" value="${activemq.conf}/broker.ks" />
                    <property name="keyStorePassword" value="password" />
                </bean>
            </constructor-arg>
            <property name="port" value="8162" />
        </bean>
    </list>
</property>
</bean>


 c - Change the default HTTP/HTTPS port number in /opt/netiq/idm/apps/activemq/conf/jetty.xml: replace the default port numbers 8161 (HTTP) or 8162 (HTTPS) with an unused port of your choice.

 d - Change the default passwords for admin and user in /opt/netiq/idm/apps/activemq/conf/jetty-realm.properties. The default password for admin is 'admin' and for user is 'user':

# Defines users that can access the web (console, demo, etc.)
# username: password [,rolename ...]
admin: <securepassword>, admin
user: <securepassword>, user
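The following script is an added example, not part of the NetIQ article or the product: it audits an ActiveMQ conf directory against the steps above (the jetty.xml import in activemq.xml, the stock 8161/8162 console ports, and the stock admin/user realm passwords). The file names are the ones the article names; the sample directories it creates are constructed and are not real Identity Manager files.

```shell
#!/bin/sh
# Added example, not from the NetIQ article: audit an ActiveMQ conf directory
# against the hardening steps above. The file names are the ones the article
# names; the sample contents below are constructed and are not real IDM files.

# Step 1: is jetty.xml still imported (uncommented) in activemq.xml? prints 1/0
web_console_enabled() {
  grep 'import resource="jetty.xml"' "$1/activemq.xml" 2>/dev/null \
    | grep -v '<!--' | grep -q . && echo 1 || echo 0
}

# Step 2c: are the stock console ports 8161/8162 still configured? prints 1/0
default_ports_present() {
  grep -Eq 'value="816[12]"' "$1/jetty.xml" 2>/dev/null && echo 1 || echo 0
}

# Step 2d: are the stock admin/admin or user/user credentials still set? prints 1/0
default_realm_passwords() {
  grep -Eq '^[[:space:]]*(admin:[[:space:]]*admin|user:[[:space:]]*user)([[:space:],]|$)' \
    "$1/jetty-realm.properties" 2>/dev/null && echo 1 || echo 0
}

# Runs all checks against the conf dir $1; returns the number of findings (0 = hardened).
audit_activemq_conf() {
  findings=0
  if [ "$(web_console_enabled "$1")" = 1 ]; then
    echo "FINDING: jetty.xml is still imported in activemq.xml"; findings=$((findings+1)); fi
  if [ "$(default_ports_present "$1")" = 1 ]; then
    echo "FINDING: default console port 8161/8162 in jetty.xml"; findings=$((findings+1)); fi
  if [ "$(default_realm_passwords "$1")" = 1 ]; then
    echo "FINDING: default admin/user password in jetty-realm.properties"; findings=$((findings+1)); fi
  [ "$findings" -eq 0 ] && echo "OK: no findings in $1"
  return "$findings"
}

# Writes a constructed sample conf dir: $1 = path, $2 = "stock" or "hardened".
make_sample_conf() {
  mkdir -p "$1"
  if [ "$2" = stock ]; then
    printf '%s\n' '<beans>' '  <import resource="jetty.xml"/>' '</beans>' > "$1/activemq.xml"
    printf '%s\n' '<property name="port" value="8161" />' > "$1/jetty.xml"
    printf '%s\n' 'admin: admin, admin' 'user: user, user' > "$1/jetty-realm.properties"
  else
    printf '%s\n' '<beans>' '  <!--<import resource="jetty.xml"/>-->' '</beans>' > "$1/activemq.xml"
    printf '%s\n' '<property name="port" value="18443" />' > "$1/jetty.xml"
    printf '%s\n' 'admin: Xk9-qLm2pR7w, admin' 'user: T4v-wN8zC3hQ, user' > "$1/jetty-realm.properties"
  fi
}
```

Run `audit_activemq_conf /opt/netiq/idm/apps/activemq/conf` on a server to list which of the three steps are still outstanding; an exit status of 0 means none of the stock settings was found.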