Team,
During a walk-through of updating the CA Identity Governance password hash, I noticed that clarification is needed for this process for the r14.x release. For previous releases, you may following these instructions:
How to encrypt passwords for GM datasources over jboss
Encrypting passwords for GM's datasources in jboss - CA Knowledge
For a sandbox / non-production deployment (or non-FIPS), you may see clear text datasource passwords in the JBOSS/Wildlfy configuration files.
With in the standalone-full-ha-gm.xml file move the “security” function from the datasource, to the “security-domain” sections.
- The password tool is USED, but the standalone file must be updated to allow it to reference the decryption module.
- May use the pwd tool from IG “password tool download” or from IAMSuite tools (may be tar/copied with the lib folder if needed)
BEFORE IG DATASOURXCE ENCRYPTION:
AFTER IG DATASOURCE ENCRYPTION: (Two changes)
- Update reference for a datasource’s <security> section to use a security domain.
- Update <security-domain> with reference to decryption module & the username/password encryption format.
Update Example(s) for the two (2) sections per each Datasource:
<security>
<security-domain>eurekifyDS</security-domain>
</security>
<security-domain name="eurekifyDS">
<authentication>
<login-module code="com.netegrity.jboss.datasource.PicketBoxPasswordEncryptedLogin" flag="required" module="com.ca.iam.idmutils">
<module-option name="userName" value="EUREKIFY_SDB"/>
<module-option name="password" value="{PBES}:pDlNMkpQppY="/>
<module-option name="managedConnectionFactoryName" value="jboss.jca:name=eurekifyDS,service=NoTxCM"/>
</login-module>
</authentication>
</security-domain>
#### EXTRA INFO - What pwdtool.sh to use ####
IG password tool file, may be placed on workstation to extract password tool (or copied to server),
Enclosing a sample from my AWS cluster of IG r14.2 with datasource encryption.
Edit: 2018/09/20
The Identity Governance (IG) r14.x version has moved reference to the idmutils.jar file under the Wildfly modules folder.
You must add this missing folder structure AND the jar & module.xml file, for IG to use the class file to decrypt the newly encrypted passwords for the datasources.
You may see the below error message:
Here is a view of a delta between vApp (standalone with no encryption) and vApp AWS with encryption.
Steps:
1) mkdir -p /opt/CA/wildfly-ig/modules/com/ca/iam/idmutils/main
2) cd /opt/CA/wildfly-ig/modules/com/ca/iam/idmutils//main
3) vi module.xml [or copy this file]
4) cp -r -p /opt/CA/wildfly-ig/standalone/deployments/eurekify.war/WEB-INF/lib/idmutils-14.1.0-327.jar idmutils.jar
5) chown -R wildfly:wildfly /opt/CA/wildfly-ig/modules/*
6) chmod -R 744 /opt/CA/wildfly-ig/modules/*
7) Restart IG, and monitor for this error message after JDBC driver is declared:
Caused by: org.jboss.modules.ModuleNotFoundException: com.ca.iam.idmutils:main
View of the module.xml file:
<?xml version="1.0" encoding="UTF-8"?>
<module xmlns="urn:jboss:module:1.1" name="com.ca.iam.idmutils">
<resources>
<resource-root path="idmutils.jar"/>
</resources>
<dependencies>
<module name="javax.api"/>
<module name="org.picketbox"/>
<module name="javax.resource.api"/>
<module name="org.apache.log4j"/>
<module name="com.ca.iam.fips"/>
</dependencies>
</module>
##### Additional notes, if you have locked your vApp Oracle XE DB service IDs during this exercise #####
1) su - oracle
2) sqlplus
3) SQL> CONNECT SYS as SYSDBA
a) Enter the sysdba password (install password)
4) Example: ALTER USER account IDENTIFIED BY password ACCOUNT UNLOCK;
a) Copy and Paste these four lines (with new PASSWORD) within the sqlplus prompt:
ALTER USER EUREKIFY_SDB IDENTIFIED BY Password01 ACCOUNT UNLOCK;
ALTER USER EUREKIFY_TICKETDB IDENTIFIED BY Password01 ACCOUNT UNLOCK;
ALTER USER GVM_DATAWAREHOUSE IDENTIFIED BY Password01 ACCOUNT UNLOCK;
ALTER USER WPDS IDENTIFIED BY Password01 ACCOUNT UNLOCK;
Cheers,
Alan