Application identity management
Application administrators can use Privileged Identity Manager for Applications (App ID) to remove hardcoded and unsafely stored credentials from applications, Windows services, and scripts. App ID can also be used to manage the credential entitlements, track the use of each credential, and automate periodic password change.
The App ID toolkit is provided to register applications and to allow different types of applications to get credentials that are managed by IBM® Security Privileged Identity Manager.
- Remove hard-coded and unsafely stored passwords from applications, scripts, Windows services, Windows Task Scheduler tasks, and their configuration files.
- Automatically change or rotate passwords.
- Remove access from applications that no longer require access to a resource.
IBM Security Privileged Identity Manager domain administrators can register application instances using the App ID toolkit and manage their credential entitlements using the Service Center. Registered instances use OAuth 2.0, enhanced with secure application instance fingerprinting, to authenticate with the IBM Security Privileged Identity Manager Server.
For application services, a service management agent can reconfigure managed application services with changed credentials. Types of application services include Windows services and Task Scheduler tasks.
An application may have multiple instances. For example, a Java™ EE application called HR Management System can be installed in Production Server, Staging Server, and Disaster Recovery Server. In App ID, each of these three install bases are called an application instance. The software, HR Management System, is called an application. Each application instance has a unique OAuth 2.0 access token and instance fingerprint. All instances of an application share the same set of credential entitlements.
An application instance is a IBM Security Privileged Identity Manager user. Unlike regular users, application instances cannot log in using a password.
Enrolling new | Steps |
---|---|
Applications Java EE data sources, Java applications, scripts |
|
Application services Windows services, Windows Task Scheduler tasks |
|
Application fingerprints
The application authorization process captures specific properties that are used to form an application instance fingerprint. Attributes include the workstation that it is run from, the binary path, network configuration, and the operating system. A custom group name can be added to an instance's fingerprint.
The authorization process of an application captures the following attributes:
Property | Compiled Application | Scripts | Java EE Application | Application services |
---|---|---|---|---|
Host name | Yes | Yes | Yes | Yes |
Operating System User | Yes | Yes | Yes | Yes |
Group Name | Yes | Yes | Yes | No |
Host Time Zone | Yes | Yes | Yes | Yes |
Network Interfaces | Yes | Yes | Yes | Yes |
Operating System | Yes | Yes | Yes | Yes |
Architecture | Yes | Yes | Yes | Yes |
Binary Path | Yes | No | No | No |
Binary Hash | Yes | No | No | No |
- Host name
- Full qualified name of the instance host.
- Operating system user
- Name of the operating system user who runs the application instance.
- Group name
- The group ID of the application instance.
- Host time zone
- Time zone name of the instance host.
- Network interfaces
- All network interfaces in the host. Only the interface used to connect to the Privileged Identity Manger server will be used for fingerprint matching.
- Operating system
- Name of the operating system host.
- Binary path
- The path to the JAR file containing the class that uses AppIDManager.
- Binary hash
- SHA 256 hash value of the file that is specified in the Binary Path.
An application administrator can change the way an application instance's fingerprint is verified based on the organization's security requirements. An application administrator can choose the fingerprint matching policy for each application instance, which will determine the list of properties that are used for fingerprint matching. For example, to allow for convenient upgrades, an application administrator can select the "Environment" fingerprint matching policy, which will disable binary hash matching.
The following fingerprint matching policies are available:
- Strict (default)
- All properties are included in fingerprint matching. Ideal for scripts and applications using data source, as well as Java applications that seldom changes.
- Environment
- Binary hash is excluded from fingerprint matching. Ideal for applications that are updated frequently.
- Flexible
- Only group name, host time zone, and operating system are included. Ideal for virtualized environments.
- Disabled
- An application instance is allowed to get credentials as long as it presents the correct OAuth 2.0 tokens. This option can be used for disaster recovery instances that are then suspended until they are required.
App ID Toolkit
An application administrator or developer uses the App ID Toolkit to register application instances and enable them to retrieve managed credentials from the IBM Security Privileged Identity Manager Server.
The App ID Toolkit consists only of one file, ibmappid.jar. This file is used in three ways:
- Command Line Tool
- Run this file using the command java -jar ibmappid.jar. This command line tool is used by the application administrator registering an application instance and by registered scripts to retrieve managed credentials. For managed application services, the command line tool is used to register a service management agent. The command line tool is also used to reconfigure managed application services with changed credentials on endpoints that reside within the same Windows domain.
- Java SDK
- Use the AppIDManager class in the com.ibm.ispim.appid.api package to enable a Java application to retrieve managed credentials
- Java EE Data Source
- Copy the file to your application server and configure a data source to be used by Java EE applications.
The App ID toolkit requires a workspace to store token files, SSL certificates of the server, and log files. By default, the workspace is the folder where the toolkit is located. Both the administrator who registers the application instance and the operating system user where the application instance runs must have read and write permissions to the workspace folder.