Securing your installation

The following sections describe options to secure your installation for production use.

Secure End user access to the OpenIAM UI

Enable HTTPS communication to the OpenIAM UI

Enable https communication to the OpenIAM UI and prevent unsecure communication. Steps to configure https can be found here:

Secure responses from cross-site scripting

By default XSS-Protection headers are already set. Additional, the following headers can set the following header to exclude MIME sniffing:

  • X-Content-Type-Options: nosniff

Update the password policy

Update your the password policy in OpenIAM to align with your corporate password policy. The policy can be configured using the webconsole.

Update the authentication policy

Update the authentication mechanism in OpenIAM to align with your corporate direction. This can be done in one of the following ways:

  • if you are using an external IdP, such as Azure, then integrate OpenIAM to act as a service provider to your IdP.
  • If OpenIAM will be your IdP, or you will be authenticating directly into OpenIAM, then define the authentication rules by:

Secure the infrastructure

Update default stack component passwords

The env.sh file contains default passwords for stack components. These should be updated and stored securely.

TLS communication with RabbitMQ

Enable TLS communication in RabbitMQ to ensure secure communication between infrastructure services.

Reduce log levels

The log levels should be reduced to WARN. Avoiding excessive debug will improve both security and performance.

Remove Default objects

There are a number of default objects which are created during installation to simplify the initial experience for those who are new to OpenIAM. These objects should be either removed or updated prior to going into production.

Remove default users

There are number of default users, which should be removed using the webconsole. The include:

  • Scott Nelson
  • Hiring Manager
  • Security Manager
  • Help Desk

Replace system admin accounts

The out of the box deployment includes to system admin accounts:

  • sys user (sysadmin)
  • sys2 user (sysadmin2)

Admin rights should be granted to named users so that there is traceability across the system. As such, the Super Security Admin role should be granted to the appropriate users. After access has been granted, login with super security admin rights and remove the above the two users.

Note: DO NOT remove the system user. This user has no rights in OpenIAM and is used by internal processes.

Remove default entitlement objects

Remove roles

Remove the roles listed below:

  • Help desk
  • End User
  • Security Admin
  • Security Admin_IDM

Note: DO NOT REMOVE the Super security admin and Global UAR Administrator

Remove default groups

Remove the groups listed below:

  • Security group
  • HR Group

Remove all organization objects

Remove all organization objects and replace them with a structure which represents your organization and requirements

Other recommendations

Restrict Access to servers hosting OpenIAM

Access to the servers / VMs where OpenIAM is hosted should only be enabled at the time that individuals working in those environments needs access. Permanent access should be avoided.

Stay current with patching

OpenIAM releases contain new features, bug fixes and fixes for vulnerabilities that have been reported. Its important that each deployment stay current with these releases.