IBM Security Privileged Identity Manager, Version 2.0.2

Application identity management

Application administrators can use Privileged Identity Manager for Applications (App ID) to remove hardcoded and unsafely stored credentials from applications, Windows services, and scripts. App ID can also be used to manage the credential entitlements, track the use of each credential, and automate periodic password change.

The App ID toolkit is provided to register applications and to allow different types of applications to get credentials that are managed by IBM® Security Privileged Identity Manager.

Figure 1. Credentials are often embedded inside data sources, custom applications, application services, or unattended scripts to retrieve sensitive information.
Application identity management helps application and IT administrators accomplish the following goals:
  • Remove hard-coded and unsafely stored passwords from applications, scripts, Windows services, Windows Task Scheduler tasks, and their configuration files.
  • Automatically change or rotate passwords.
  • Remove access from applications that no longer require access to a resource.

IBM Security Privileged Identity Manager domain administrators can register application instances using the App ID toolkit and manage their credential entitlements using the Service Center. Registered instances use OAuth 2.0, enhanced with secure application instance fingerprinting, to authenticate with the IBM Security Privileged Identity Manager Server.

For application services, a service management agent can reconfigure managed application services with changed credentials. Types of application services include Windows services and Task Scheduler tasks.

An application may have multiple instances. For example, a Java™ EE application called HR Management System can be installed in Production Server, Staging Server, and Disaster Recovery Server. In App ID, each of these three install bases are called an application instance. The software, HR Management System, is called an application. Each application instance has a unique OAuth 2.0 access token and instance fingerprint. All instances of an application share the same set of credential entitlements.

An application instance is a IBM Security Privileged Identity Manager user. Unlike regular users, application instances cannot log in using a password.

The following steps describe the general process of enrolling a new application or application service to use managed credentials.
Table 1. Process of enrolling a new application or application service
Enrolling new Steps
Applications

Java EE data sources, Java applications, scripts
  1. Add the application credentials to the vault.

  2. Make the required modifications to the application code or the application server configuration.
  3. Authorize the application instance.
  4. Configure the credential entitlements for the application.
  5. Verify that the application instance is able to fetch the credentials that it requires.
Application services

Windows services, Windows Task Scheduler tasks
  1. Add the application credentials to the vault.
  2. If not already done, set up a service management agent on a resource.

    A service management agent can update configurations of application services that reside locally or on remote resources.

  3. Add the application services that you want to manage.

    You can add application services in bulk with a CSV file. You can also use the discover-services utility to discover services on hosts, save the results to a CSV file, which you can upload.

  4. Associate an application service with a credential.
  5. Apply the application service reconfiguration.
    • Apply configurations automatically.
    • Apply configurations manually.

Application fingerprints

The application authorization process captures specific properties that are used to form an application instance fingerprint. Attributes include the workstation that it is run from, the binary path, network configuration, and the operating system. A custom group name can be added to an instance's fingerprint.

The authorization process of an application captures the following attributes:

Table 2. Properties that can be used for fingerprinting with different application types.
Property Compiled Application Scripts Java EE Application Application services
Host name Yes Yes Yes Yes
Operating System User Yes Yes Yes Yes
Group Name Yes Yes Yes No
Host Time Zone Yes Yes Yes Yes
Network Interfaces Yes Yes Yes Yes
Operating System Yes Yes Yes Yes
Architecture Yes Yes Yes Yes
Binary Path Yes No No No
Binary Hash Yes No No No
Host name
Full qualified name of the instance host.
Operating system user
Name of the operating system user who runs the application instance.
Group name
The group ID of the application instance.
Host time zone
Time zone name of the instance host.
Network interfaces
All network interfaces in the host. Only the interface used to connect to the Privileged Identity Manger server will be used for fingerprint matching.
Operating system
Name of the operating system host.
Binary path
The path to the JAR file containing the class that uses AppIDManager.
Binary hash
SHA 256 hash value of the file that is specified in the Binary Path.

An application administrator can change the way an application instance's fingerprint is verified based on the organization's security requirements. An application administrator can choose the fingerprint matching policy for each application instance, which will determine the list of properties that are used for fingerprint matching. For example, to allow for convenient upgrades, an application administrator can select the "Environment" fingerprint matching policy, which will disable binary hash matching.

The following fingerprint matching policies are available:

Strict (default)
All properties are included in fingerprint matching. Ideal for scripts and applications using data source, as well as Java applications that seldom changes.
Environment
Binary hash is excluded from fingerprint matching. Ideal for applications that are updated frequently.
Flexible
Only group name, host time zone, and operating system are included. Ideal for virtualized environments.
Disabled
An application instance is allowed to get credentials as long as it presents the correct OAuth 2.0 tokens. This option can be used for disaster recovery instances that are then suspended until they are required.

App ID Toolkit

An application administrator or developer uses the App ID Toolkit to register application instances and enable them to retrieve managed credentials from the IBM Security Privileged Identity Manager Server.

The App ID Toolkit consists only of one file, ibmappid.jar. This file is used in three ways:

Command Line Tool
Run this file using the command java -jar ibmappid.jar. This command line tool is used by the application administrator registering an application instance and by registered scripts to retrieve managed credentials. For managed application services, the command line tool is used to register a service management agent. The command line tool is also used to reconfigure managed application services with changed credentials on endpoints that reside within the same Windows domain.
Java SDK
Use the AppIDManager class in the com.ibm.ispim.appid.api package to enable a Java application to retrieve managed credentials
Java EE Data Source
Copy the file to your application server and configure a data source to be used by Java EE applications.

The App ID toolkit requires a workspace to store token files, SSL certificates of the server, and log files. By default, the workspace is the folder where the toolkit is located. Both the administrator who registers the application instance and the operating system user where the application instance runs must have read and write permissions to the workspace folder.

Note: The App ID toolkit requires a compatible Java runtime. Check the supported versions of Java in Software Product Compatibility Report.
Parent topic: Administering

Feedback