Configuring External User Registry

You can configure an external user registry for the IBM Verify Identity Governance - Container.

Overview

You can configure an external user registry for IBM Verify Identity Governance - Container either during container installation or after it, and you can later re-configure or disable the registry, as described in the following sections.

Configure external user registry during container installation

To configure the external user registry during installation of IBM Verify Identity Governance - Container, run the ./<starter>/bin/configure.sh script and answer the interactive prompts.

Configure external user registry after container installation

The external user registry can also be configured after the installation of IBM Verify Identity Governance - Container has completed.

Perform the following steps.
  1. Copy the enRoleAuthentication.properties file from the pod to the starter's data directory.
    ./<starter>/bin/getConfigs.sh enRoleAuthentication.properties
  2. Edit the <starter>/data/enRoleAuthentication.properties file with the appropriate values.
    Set the idmapper to LdapIdMapper
    enrole.authentication.idmapper=com.ibm.itim.authentication.mapping.LdapIdMapper
    Enable the external registry
    Enable the external registry by setting the enrole.authentication.registry.external property to true, and set the appropriate values for the required properties. Note the realm name you enter here; the same name must be set in enRole.properties in step 3, or the pod will not authenticate against the registry.


    enrole.authentication.registry.external=true
    enrole.authentication.registry.type=
    enrole.authentication.registry.host=
    enrole.authentication.registry.port=
    enrole.authentication.registry.realm=
    enrole.authentication.registry.useSSL=
    enrole.authentication.registry.baseDN=
    enrole.authentication.registry.bindDN=

    [Optional] Set the filter properties


    enrole.authentication.registry.groupFilter=
    enrole.authentication.registry.groupIdMap=
    enrole.authentication.registry.groupMemberIdMap=
    enrole.authentication.registry.userFilter=
    enrole.authentication.registry.userIdMap=

    You may also add one or more attribute configuration items as indexed properties (attributes.0, attributes.1, and so on).
    An example is shown here.


    enrole.authentication.registry.attributes.0.defaultValue=SomeDefault
    enrole.authentication.registry.attributes.0.entityType=PersonAccount
    enrole.authentication.registry.attributes.0.id=SomeId
    enrole.authentication.registry.attributes.0.name=SomeName
    enrole.authentication.registry.attributes.0.propertyName=SomeProperty
    enrole.authentication.registry.attributes.0.syntax=SomeSyntax
    enrole.authentication.registry.attributes.1.defaultValue=SomeDefault1
    enrole.authentication.registry.attributes.1.entityType=PersonAccount
    enrole.authentication.registry.attributes.1.id=SomeId1
    enrole.authentication.registry.attributes.1.name=SomeName1
    enrole.authentication.registry.attributes.1.propertyName=SomeProperty1
    enrole.authentication.registry.attributes.1.syntax=SomeSyntax1

  3. Update the enRole.properties file so that enrole.appServer.realm has the same realm name as enrole.authentication.registry.realm in enRoleAuthentication.properties.
  4. Create the config map by running ./<starter>/bin/createConfigs.sh
  5. Set the passwords for isimsystem and the external registry bind user.
    First copy the current enRole.properties file from the pod into <starter>/data, then set each password:
    ./<starter>/bin/getConfig.sh enRole.properties
    ./<starter>/bin/changePasswords.sh isimsystem
    ./<starter>/bin/changePasswords.sh eurbind
  6. Perform the following steps to add the TLS certificate if SSL is enabled (enrole.authentication.registry.useSSL=true). The pod trusts only the certificates listed in its truststore, so the certificate must be the one the registry server actually presents.
    1. Copy the registry server's TLS certificate to the <starter>/config/certs directory.
    2. Open the <starter>/config/config.yaml file and include the certificate name under server.truststore. An example is shown here.

      server:
        truststore:
        - '@ldap_server_certificate.pem'

    3. To integrate the server certificate into the IBM Verify Identity Governance - Container pod, execute: ./<starter>/bin/createConfigs.sh setup
  7. Restart the pod to apply the settings.

Re-configuration of external user registry

After you have configured the external user registry (either during or after the installation of IBM Verify Identity Governance - Container), you can modify any attribute of the external user registry.

To re-configure the external user registry, perform the following steps:
  1. Copy the enRoleAuthentication.properties file from the pod to the <starter>/data directory.
    ./<starter>/bin/getConfigs.sh enRoleAuthentication.properties
  2. Edit the <starter>/data/enRoleAuthentication.properties file with the appropriate values.
  3. Update the enRole.properties file so that enrole.appServer.realm has the same realm name as enrole.authentication.registry.realm in enRoleAuthentication.properties.
  4. Create the config map by running ./<starter>/bin/createConfigs.sh
  5. Update the passwords for isimsystem and the external registry bind user if required.
    First copy the current enRole.properties file from the pod, then change the passwords that need updating:
    ./<starter>/bin/getConfig.sh enRole.properties
    ./<starter>/bin/changePasswords.sh isimsystem
    ./<starter>/bin/changePasswords.sh eurbind
  6. Follow these steps to add the TLS certificate if SSL is enabled.
    Copy the certificate to the <starter>/config/certs directory, open <starter>/config/config.yaml and include the certificate name under server.truststore, then run ./<starter>/bin/createConfigs.sh setup to integrate it into the pod. An example is shown here.

    server:
      truststore:
      - '@ldap_server_certificate.pem'

  7. Restart the pod to apply the settings.

Disabling External User Registry

Perform the following steps:
  1. Copy the enRoleAuthentication.properties file from the pod to the <starter>/data directory.
    ./<starter>/bin/getConfigs.sh enRoleAuthentication.properties
  2. Edit the <starter>/data/enRoleAuthentication.properties file with the appropriate values.

    Set the idmapper to DefaultIDMapper

    enrole.authentication.idmapper=com.ibm.itim.authentication.mapping.DefaultIDMapper

    Disable external registry by setting the enrole.authentication.registry.external property to false

    enrole.authentication.registry.external=false

  3. Update the enRole.properties file.

    Get the current enRole.properties file from the pod by running ./<starter>/bin/getConfig.sh enRole.properties. This copies the file into the <starter>/data directory.

    Set the property enrole.appServer.realm=itimCustomRealm

    Change the isimsystem password by running ./<starter>/bin/changePasswords.sh isimsystem

  4. Create config map by running ./<starter>/bin/createConfigs.sh
  5. Restart the pod to apply the settings.
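Both the post-installation procedure and the disabling procedure above edit the same three starter files, and the mistakes that bite in practice (a realm that differs between enRoleAuthentication.properties and enRole.properties, an empty required property, useSSL=true with no certificate actually placed in config/certs) only show up after the pod restarts and users can no longer log in. The following script is an added example for checking those files before running createConfigs.sh; it is not part of the IBM starter kit. The file names and property keys are the ones used on this page; the sample values (the host, the realm name corpRealm, the registry type ldap, the bind DN) are constructed placeholders, and the config.yaml reader is a deliberately narrow hypothetical helper that understands only the list form shown in the procedure.

```python
"""Pre-restart consistency check for an external-user-registry configuration.

Added example, not part of the IBM Verify Identity Governance starter kit.
Reads the files the procedure edits (enRoleAuthentication.properties,
enRole.properties, config.yaml) and reports mismatches between them.
"""
import re

LDAP_MAPPER = "com.ibm.itim.authentication.mapping.LdapIdMapper"
DEFAULT_MAPPER = "com.ibm.itim.authentication.mapping.DefaultIDMapper"
REGISTRY = "enrole.authentication.registry."
# Properties the procedure lists as required when the registry is external.
REQUIRED_WHEN_EXTERNAL = ("type", "host", "port", "realm", "baseDN", "bindDN")


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments.
    Splits on the first '=' only, so DN values containing '=' survive intact.
    Continuation lines and escapes are not handled (these files do not use them)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def truststore_entries(config_yaml):
    """Return the file names listed as '@name' under server.truststore.
    Hypothetical helper: matches only the list form shown in the procedure."""
    return re.findall(r"^\s*-\s*'@([^']+)'\s*$", config_yaml, re.MULTILINE)


def check_registry_config(auth_text, enrole_text, config_yaml, cert_files):
    """Cross-check the three files; returns a list of problem strings (empty = consistent)."""
    auth = parse_properties(auth_text)
    enrole = parse_properties(enrole_text)

    def reg(name):
        return auth.get(REGISTRY + name, "")

    mapper = auth.get("enrole.authentication.idmapper", "")
    app_realm = enrole.get("enrole.appServer.realm", "")
    problems = []

    if reg("external").lower() == "true":
        if mapper != LDAP_MAPPER:
            problems.append(f"external registry needs idmapper {LDAP_MAPPER}, found {mapper!r}")
        for name in REQUIRED_WHEN_EXTERNAL:
            if not reg(name):
                problems.append(f"{REGISTRY}{name} is empty")
        if app_realm != reg("realm"):
            problems.append(f"realm mismatch: enrole.appServer.realm={app_realm!r}, "
                            f"{REGISTRY}realm={reg('realm')!r}")
        if reg("useSSL").lower() == "true":
            certs = truststore_entries(config_yaml)
            if not certs:
                problems.append("useSSL=true but config.yaml lists no truststore certificate")
            for cert in certs:
                if cert not in cert_files:
                    problems.append(f"truststore entry {cert!r} not found in config/certs")
    else:
        # Disabled registry: the page's DefaultIDMapper + itimCustomRealm settings.
        if mapper != DEFAULT_MAPPER:
            problems.append(f"disabled registry needs idmapper {DEFAULT_MAPPER}, found {mapper!r}")
        if app_realm != "itimCustomRealm":
            problems.append("disabled registry needs enrole.appServer.realm=itimCustomRealm, "
                            f"found {app_realm!r}")
    return problems


# Constructed sample files; the host, realm, type and DNs are placeholders.
GOOD_AUTH = """\
enrole.authentication.idmapper=com.ibm.itim.authentication.mapping.LdapIdMapper
enrole.authentication.registry.external=true
enrole.authentication.registry.type=ldap
enrole.authentication.registry.host=ldap.example.test
enrole.authentication.registry.port=636
enrole.authentication.registry.realm=corpRealm
enrole.authentication.registry.useSSL=true
enrole.authentication.registry.baseDN=dc=example,dc=test
enrole.authentication.registry.bindDN=cn=eurbind,dc=example,dc=test
"""
GOOD_ENROLE = "enrole.appServer.realm=corpRealm\n"
GOOD_YAML = "server:\n  truststore:\n  - '@ldap_server_certificate.pem'\n"
CERTS = {"ldap_server_certificate.pem"}
# Same registry, but step 3 (realm) was skipped and the certificate was never copied.
STALE_ENROLE = "enrole.appServer.realm=itimCustomRealm\n"

if __name__ == "__main__":
    print("good:", check_registry_config(GOOD_AUTH, GOOD_ENROLE, GOOD_YAML, CERTS) or "ok")
    print("bad: ", check_registry_config(GOOD_AUTH, STALE_ENROLE, GOOD_YAML, set()))
```

In a real starter directory you would read the two properties files from <starter>/data, config.yaml from <starter>/config, and pass the names found in <starter>/config/certs as cert_files; the "bad" case above reproduces the two most common post-restart login failures, a stale itimCustomRealm left in enRole.properties and a truststore entry that points at a file nobody copied.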