OpenIDM / OPENIDM-15545

Docs - Missing updated steps in "Administrative Users"

    Details

    • Story Points: 1
    • Sprint: 2020.14 - IDM

      Description

      Config-based authentication for Internal users did not make it into the Security Guide where it explains how to replace the admin user. https://backstage.forgerock.com/docs/idm/7/security-guide/managing-openidm-admin.html#managing-openidm-admin
      Some of these steps may already mix with the current documentation. These are the steps I found to work for me. Note that there are different ways to approach it, but I wasn't sure which fit best with the current documentation. I included additional steps to avoid an IDM restart, since a restart was not previously a requirement to configure a new admin user.

      • Create a new "admin" user (note: no longer with "authzRoles")
        curl \
        --header "X-OpenIDM-Username: openidm-admin" \
        --header "X-OpenIDM-Password: openidm-admin" \
        --header "Accept-API-Version: resource=1.0" \
        --header "Content-Type: application/json" \
        --cacert ca-cert.pem \
        --request PUT \
        --data '{
          "password": "Passw0rd"
        }' \
        "https://localhost:8443/openidm/internal/user/admin"
      • Enable new admin and disable openidm-admin user
        • Without IDM restart - by directly setting authentication password
          1. Replace the STATIC_USER authModule in pathToIdm/conf/authentication.json for "username" : "openidm-admin"
            {
              "name" : "STATIC_USER",
              "properties" : {
                "queryOnResource" : "internal/user",
                "username" : "admin",
                "password" : "Passw0rd",
                "defaultUserRoles" : [
                  "internal/role/openidm-authorized",
                  "internal/role/openidm-admin"
                ]
              },
              "enabled" : true
            }
        • With IDM restart
          1. Change the STATIC_USER authModule in pathToIdm/conf/authentication.json for "username" : "openidm-admin" to "username" : "admin"
          2. Change the property value of "openidm.admin.password" in pathToIdm/resolver/boot.properties from "openidm-admin" to "Passw0rd"
          3. Restart IDM
        • If removing the openidm-admin Internal user
          1. Authenticating as your new admin user, delete the openidm-admin user
            curl \
            --header "X-OpenIDM-Username: admin" \
            --header "X-OpenIDM-Password: Passw0rd" \
            --header "Accept-API-Version: resource=1.0" \
            --cacert ca-cert.pem \
            --request DELETE \
            "https://localhost:8443/openidm/internal/user/openidm-admin"
      • Enable new admin without disabling or removing openidm-admin user
        • Without IDM restart - by directly setting authentication password
          1. Add an additional STATIC_USER module in pathToIdm/conf/authentication.json
            {
              "name" : "STATIC_USER",
              "properties" : {
                "queryOnResource" : "internal/user",
                "username" : "admin",
                "password" : "Passw0rd",
                "defaultUserRoles" : [
                  "internal/role/openidm-authorized",
                  "internal/role/openidm-admin"
                ]
              },
              "enabled" : true
            }
        • With IDM restart
          1. Shutdown IDM
          2. Add a boot property in pathToIdm/resolver/boot.properties for your new admin password: openidm.newadmin.password=Passw0rd
          3. Add an additional STATIC_USER module in pathToIdm/conf/authentication.json
            {
              "name" : "STATIC_USER",
              "properties" : {
                "queryOnResource" : "internal/user",
                "username" : "admin",
                "password" : "&{openidm.newadmin.password}",
                "defaultUserRoles" : [
                  "internal/role/openidm-authorized",
                  "internal/role/openidm-admin"
                ]
              },
              "enabled" : true
            }
          4. Startup IDM
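      The authentication.json and boot.properties edits described in the steps above, written out as an added example (not code from the issue reporter or from ForgeRock). It is a small Python script that performs the STATIC_USER swap on a constructed sample configuration and audits the result. The sample configuration, the function names and the finding messages are this example's own; it assumes only the layout quoted in the issue (serverAuthContext.authModules containing a STATIC_USER module whose properties hold username, password and defaultUserRoles).

```python
"""Edit conf/authentication.json to swap the STATIC_USER admin account.

Illustration code written for this page; not ForgeRock tooling. The sample
configuration below is constructed from the fragments quoted in the issue.
Assumed layout: serverAuthContext.authModules is a list of module objects,
one of which is {"name": "STATIC_USER", "properties": {...}, "enabled": ...}.
"""
import json

ADMIN_ROLES = ("internal/role/openidm-authorized", "internal/role/openidm-admin")

# Constructed sample: the stock STATIC_USER module for openidm-admin (password
# pulled from boot.properties via property substitution) plus one other module
# that the edit must leave untouched.
SAMPLE_AUTHENTICATION_JSON = json.dumps({
    "serverAuthContext": {
        "sessionModule": {"name": "JWT_SESSION", "properties": {}},
        "authModules": [
            {
                "name": "STATIC_USER",
                "properties": {
                    "queryOnResource": "internal/user",
                    "username": "openidm-admin",
                    "password": "&{openidm.admin.password}",
                    "defaultUserRoles": list(ADMIN_ROLES),
                },
                "enabled": True,
            },
            {"name": "INTERNAL_USER", "properties": {"queryOnResource": "internal/user"}, "enabled": True},
        ],
    }
})


def static_user_module(username, password_ref, roles=ADMIN_ROLES):
    """Build a STATIC_USER entry with the shape quoted in the issue."""
    return {
        "name": "STATIC_USER",
        "properties": {
            "queryOnResource": "internal/user",
            "username": username,
            "password": password_ref,
            "defaultUserRoles": list(roles),
        },
        "enabled": True,
    }


def static_usernames(config_text):
    """Usernames of STATIC_USER modules, in file order."""
    modules = json.loads(config_text)["serverAuthContext"]["authModules"]
    return [m["properties"]["username"] for m in modules if m.get("name") == "STATIC_USER"]


def replace_static_admin(config_text, old_username, new_username, new_password, keep_old=False):
    """Return new authentication.json text with a STATIC_USER module for new_username.

    By default the module for old_username is replaced (the "disable openidm-admin"
    path); with keep_old=True a second module is added right after it. new_password
    is stored verbatim: pass "&{some.boot.property}" to keep the secret in
    resolver/boot.properties, or a literal for the no-restart path.
    """
    config = json.loads(config_text)
    modules = config["serverAuthContext"]["authModules"]
    old = [i for i, m in enumerate(modules) if m.get("name") == "STATIC_USER"
           and m.get("properties", {}).get("username") == old_username]
    if len(old) != 1:  # refuse to guess when the file is not in the expected state
        raise ValueError(f"expected exactly one STATIC_USER for {old_username!r}, found {len(old)}")
    new_module = static_user_module(new_username, new_password)
    if keep_old:
        modules.insert(old[0] + 1, new_module)
    else:
        modules[old[0]] = new_module
    return json.dumps(config, indent=4) + "\n"


def audit_static_users(config_text, retired_username="openidm-admin"):
    """Findings a reviewer would raise about the STATIC_USER modules in the file."""
    findings, seen = [], set()
    for m in json.loads(config_text)["serverAuthContext"]["authModules"]:
        if m.get("name") != "STATIC_USER":
            continue
        props = m.get("properties", {})
        user = props.get("username")
        if user in seen:
            findings.append(f"duplicate STATIC_USER module for {user!r}")
        seen.add(user)
        if m.get("enabled") and user == retired_username:
            findings.append(f"{retired_username!r} is still enabled as a STATIC_USER")
        password = props.get("password", "")
        if not (password.startswith("&{") and password.endswith("}")):
            findings.append(f"literal password stored in authentication.json for {user!r}")
        missing = set(ADMIN_ROLES) - set(props.get("defaultUserRoles", []))
        if missing:
            findings.append(f"{user!r} lacks roles: {sorted(missing)}")
    return findings


def set_boot_property(properties_text, key, value):
    """Set key=value in boot.properties text, replacing an existing line or appending one."""
    out, done = [], False
    for line in properties_text.splitlines():
        if not line.lstrip().startswith("#") and line.split("=", 1)[0].strip() == key:
            out.append(f"{key}={value}")
            done = True
        else:
            out.append(line)
    if not done:
        out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # The "with IDM restart" path: the new admin's secret lives in boot.properties.
    boot = set_boot_property("openidm.admin.password=openidm-admin\n", "openidm.newadmin.password", "Passw0rd")
    updated = replace_static_admin(SAMPLE_AUTHENTICATION_JSON, "openidm-admin", "admin",
                                   "&{openidm.newadmin.password}")
    print(boot)
    print(updated)
    print(audit_static_users(updated))
```

      The audit reports a literal password in authentication.json, which is what the no-restart variants above produce, so the operator knows a secret now sits in a config file rather than in boot.properties. With keep_old=True it also reports that openidm-admin is still enabled; that is the intended end state of the last variant, but it should be a conscious decision rather than a leftover.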


            People

            • Assignee: curtis.masuda Curtis Masuda
            • Reporter: katie.gonzalez Katie Gonzalez
            • QA Assignee: Son Nguyen
            • Votes: 0
            • Watchers: 4
