Utilities

Overview of various tools and utilities supplied with the IBM Verify Identity Governance - Container product.

Overview

The following utility programs are bundled with the IBM Verify Identity Governance - Container.

Utilities in /starter/bin

The following utility scripts are available in the /starter/bin directory.

changePasswords.sh

Run this script whenever a data tier password needs to be changed.

You should periodically change the passwords for the endpoints to which IBM Verify Identity Governance - Container is connected. This utility updates all the necessary fields for the password change to take effect. Be sure to restart the container pods afterward.

Options:
  • db: change the database password
  • ldap: change the LDAP password
  • mail: configure or update the credentials for SMTP Mail
  • isimsystem: configure or update the isimsystem user credentials. This option enables you to change the ejbuser password. This parameter is internal to the IBM Verify Identity Governance - Container and usually does not need to be updated. This option is provided for the convenience of customers who may have a mandate to change all passwords on a periodic basis.
  • eurbind: configure or update the external user registry user credentials. This option enables you to change the credentials for users hosted on a different LDAP server.
  • mq: change the IBM MQ passwords
  • oidc: change the OpenID Connect credentials
  • customrepo: change the custom image repository credentials. The customrepo refers to an image repository that requires credentials. By default, the IBM Verify Identity Governance - Container uses images from Docker Hub and IBM Cloud Container Registry, which do not require any credentials. However, if you need to import the images from a different repository that requires credentials, you can use this option to set the credentials required for that repository.

Example usage: $ ./changePasswords.sh ldap

configls.sh

Run this script to update the configuration files in the data directory.

The script provides a directory listing of the ISVGIM_HOME/data directory inside the pod. This allows you to see which files are available to retrieve with getConfig.sh. You can optionally pass in a filter to limit the list of files returned.

Example usage: $ ./configls.sh *.properties

configure.sh

Tip: It is recommended that you run this script before running install.sh.

The script prompts for the information needed in the config.yaml file and thus avoids any formatting issues with the file.

Example usage: $ ./configure.sh

createConfigs.sh

You must run this script after updating configuration files or the data directory.

This script generates the ConfigMap object holding all the IBM Verify Identity Governance - Container configuration data. It must be run after editing any files in the config or data directories, and creates the necessary YAML file. The changes will not take effect until you restart your IBM Verify Identity Governance - Container pods.

Options:
  • [blank]: packages the files in the data directory
  • keystore: packages the IBM Verify Identity Governance - Container keystore files
  • db: packages PostgreSQL configuration and certs
  • ldap: packages LDAP configuration and certs
  • mq: packages queue manager configuration
  • setup: packages config.yaml and IBM Verify Identity Governance - Container Server certificates.

Example usage:
$ ./createConfigs.sh
$ ./createConfigs.sh db

getConfig.sh

Run this script when updating configuration files in the data directory.

This script retrieves configuration files from the IBM Verify Identity Governance - Container pod. To persist changes, configuration files must be edited on the host and turned into a ConfigMap. After retrieving and editing the files, run createConfigs.sh and restart IBM Verify Identity Governance - Container pods for changes to take effect.

The script takes one parameter: the name of the file to retrieve from the pod.

Example usage: $ ./getConfig.sh enRoleMail.properties

getLogs.sh

This script retrieves the IBM Verify Identity Governance - Container and WebSphere Liberty logs from the container and adds them as date-stamped tar files or gzip files in the logs directory. Use this script during troubleshooting of any issues.

Example usage: $ ./getLogs.sh

install.sh

Use this utility to install the IBM Verify Identity Governance - Container product.

This is the main installation script. It internally calls the necessary pieces to configure LDAP, DB, and the application. It also optionally deploys Verify Directory and PostgreSQL containers for use with IBM Verify Identity Governance - Container.

Example usage: $ ./install.sh

loadHRFeed.sh

This utility copies a DSML file into the IBM Verify Identity Governance - Container, so that it can be accessed by an HR Feed service. Use this utility to upload new HR data from a DSML file to IBM Verify Identity Governance - Container.

Example usage: $ ./loadHRFeed.sh myHRFeed.dsml

renewCerts.sh

The auto-generated SSL certificates used in the IBM Verify Identity Governance - Container expire in just over one year. Run this utility annually to update auto-generated SSL certificates. Note that although the renewed certificates are added to the ConfigMap, you must restart all the pods for the change to take effect.

Example usage: $ ./renewCerts.sh

Options:

-check : displays the current expiration date for each certificate

Example usage: $ ./renewCerts.sh -check

updateYaml.sh

Run this script after modifying a YAML file in the helm/templates directory.

This configuration script is called internally by the installer. It will turn a template into a fully filled out YAML file.

Example usage: $ ./updateYaml.sh 000-namespace.yaml

Utilities in /starter/bin/util

The following utility scripts are available in the /starter/bin/util directory.

backupMasterKey.sh

You must run this script after installation is complete.

This script takes a backup of the master key from the IBM Verify Identity Governance - Container pod. It takes one parameter: masterKey_password, a password of your choice. Save this password in a secure location, because you must provide the same password to restore the master key.

Example usage: $ ./backupMasterKey.sh {masterkey_password}

DBPurge.sh

This script deletes historical workflow audit data, non-workflow audit events, and reconciliation reporting entries from the database that were completed before the specified date.

Parameters:

-age: Removes all the data older than the specified number of days from the current date

Example usage: To remove the data older than 90 days from the current date: $ ./DBPurge.sh -age 90

DBPurge -age <num_days> | -date <yyyy-mm-dd[-HH:mm]> [-grouping <group_size>] [-workflow <wf_flag> [-process_type <proc_type>]] [-audit <audit_flag>] [-recon <recon_flag>]

Here:
  • <num_days> is a required integer indicating the age of the records to remove, which must be non-negative, where a value of 0 will remove all data, including today's data.
  • <date> is an alternative way to specify the deletion date and optional time (e.g. '2010-08-15-22:00'); all records created on this date or earlier will be deleted
  • <group_size> is an optional integer parameter for the number of process or audit related records to be removed in a group, which must be between 1 and 100, and defaults to 50
  • <wf_flag> is an optional boolean flag, which determines if workflow data is removed, and defaults to true
  • <proc_type> is an optional 2-character parameter which indicates process types to delete (e.g. 'AP'). If unspecified, then all workflow process types are deleted
  • <audit_flag> is an optional boolean flag, which determines if non-workflow audit data is removed, and defaults to true
  • <recon_flag> is an optional boolean flag, which determines if historical reconciliation data is removed, and defaults to true
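
A guard that could run before DBPurge.sh, checking arguments against the parameter rules above and refusing -age 0 unless explicitly allowed. This is an added example, not part of the product: dbpurge_precheck and ALLOW_PURGE_ALL are hypothetical names, and the true/false spelling of the boolean flags is an assumption.

```shell
#!/usr/bin/env bash
# Added example (not product code): pre-flight check for DBPurge.sh arguments.
# dbpurge_precheck and ALLOW_PURGE_ALL are hypothetical names.
# Returns 0 = acceptable, 2 = invalid arguments, 3 = purge-all blocked.
_dbp_fail() { echo "DBPurge precheck: $1" >&2; }

dbpurge_precheck() {
  local age="" date="" have_wf=0 have_pt=0 opt val d='[0-9][0-9]'
  while [ $# -gt 0 ]; do
    if [ $# -lt 2 ]; then _dbp_fail "missing value for $1"; return 2; fi
    opt=$1; val=$2; shift 2
    case $opt in
      -age)
        case $val in ''|*[!0-9]*) _dbp_fail "-age must be a non-negative integer"; return 2 ;; esac
        age=$val ;;
      -date)  # format check only: yyyy-mm-dd with optional -HH:mm
        case $val in
          $d$d-$d-$d|$d$d-$d-$d-$d:$d) date=$val ;;
          *) _dbp_fail "-date must be yyyy-mm-dd[-HH:mm]"; return 2 ;;
        esac ;;
      -grouping)  # non-numeric or longer than 3 digits counts as out of range
        case $val in ''|*[!0-9]*|????*) val=0 ;; esac
        if [ "$val" -lt 1 ] || [ "$val" -gt 100 ]; then
          _dbp_fail "-grouping must be between 1 and 100"; return 2
        fi ;;
      -workflow|-audit|-recon)  # assumption: booleans are spelled true/false
        case $val in true|false) ;; *) _dbp_fail "$opt must be true or false"; return 2 ;; esac
        if [ "$opt" = -workflow ]; then have_wf=1; fi ;;
      -process_type)
        if [ "${#val}" -ne 2 ]; then _dbp_fail "-process_type must be 2 characters"; return 2; fi
        have_pt=1 ;;
      *) _dbp_fail "unknown option: $opt"; return 2 ;;
    esac
  done
  if [ -n "$age" ] && [ -n "$date" ]; then _dbp_fail "use -age or -date, not both"; return 2; fi
  if [ -z "$age" ] && [ -z "$date" ]; then _dbp_fail "-age or -date is required"; return 2; fi
  # The syntax nests -process_type under -workflow, so require both together.
  if [ "$have_pt" -eq 1 ] && [ "$have_wf" -eq 0 ]; then
    _dbp_fail "-process_type requires -workflow"; return 2
  fi
  # -age 0 removes all data, including today's: demand an explicit opt-in.
  case $age in ''|*[!0]*) ;; *)
    if [ "${ALLOW_PURGE_ALL:-0}" != 1 ]; then _dbp_fail "-age 0 purges everything"; return 3; fi ;;
  esac
  return 0
}
```

Call it as dbpurge_precheck "$@" && ./DBPurge.sh "$@" so the purge only starts when the arguments pass.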

dbUpgrade.sh

Use this script when upgrading to a new version of IBM Verify Identity Governance - Container.

This configuration script is used to update the database schema.

Example usage: $ ./dbUpgrade.sh

encryptLibertyPwd.sh

Use this script to specify a password used by the Liberty server.

The script takes a plain text password and returns an AES-encrypted string.

Example usage: $ ./encryptLibertyPwd.sh thePassword

getExtensions.sh

IBM Verify Identity Governance - Container installation has a collection of helpful examples for configuring its behavior. To access this content, run this script to copy the data from the container to your host.

Example usage: $ ./getExtensions.sh

getDepthOfLocalMQ.sh

When you run this script, it displays the message depth for all the queues present in that particular pod. When the queue depth is 0 for a pod, you can scale down that particular pod.

Example usage: $ ./getDepthOfLocalMQ.sh

ldapUpgrade.sh

Use this script when upgrading to a new version of IBM Verify Identity Governance - Container.

This script is used to update the LDAP schema.

Example usage: $ ./ldapUpgrade.sh

migrateKeystore.sh

Use this script when migrating to the IBM Verify Identity Governance - Container.

This configuration script is used to set up the existing keystore.

Example usage: $ ./migrateKeystore.sh

restoreMasterKey.sh

Use this script to restore a lost master key.

This script restores the master key from the IBM Verify Identity Governance - Container pod. It takes two parameters:
  • masterKey_password is the same password that was used to back up the masterKey
  • masterKey is the same encrypted string that was returned during the backup of masterKey.

Example usage: $ ./restoreMasterKey.sh {masterKey_password} {masterKey}

syncISIMData.sh

This utility script updates the Access Catalog for use in the Service Center. Use this utility on a regular basis to keep the Access Catalog up to date.

Example usage: syncISIMData.sh [-syncOption value] [-dataType value]

Here: -syncOption is a required parameter. Valid values are 'Upgrade' or 'Maintenance'.

-dataType is a required parameter. Valid values are 'ConfigData', 'AccessCatalog', or 'ALL'.

upgradeRoleHierarchy.sh

This script is used to upgrade the Role Hierarchy data when upgrading to a new version of IBM Verify Identity Governance - Container.

Example usage: $ ./upgradeRoleHierarchy.sh

Miscellaneous utilities

These utilities are called internally by the system to perform housekeeping functions.

cleanup.sh

This script is present in /starter/bin/sys.

Restriction: The files in /starter/bin/sys directory are for internal usage by IBM Verify Identity Governance - Container system and they are not meant to be used directly by the user.

This script is run automatically by the installer if the installation fails. The script removes the yaml and data directories and also removes any k8s objects that were deployed.

Example usage: $ ./cleanup.sh

Options:

-force: Removes all the data from an installed IBM Verify Identity Governance - Container.

CAUTION: Use this command with caution!

Example usage: $ ./cleanup.sh -force