Securing your installation
The following sections describe options to secure your installation for production use.
Secure End user access to the OpenIAM UI
Enable HTTPS communication to the OpenIAM UI
Enable HTTPS communication to the OpenIAM UI and prevent insecure (plain HTTP) communication. Steps to configure HTTPS can be found here:
Secure responses from cross-site scripting
By default, the X-XSS-Protection header is already set. Additionally, the following header can be set to prevent MIME sniffing:
- X-Content-Type-Options: nosniff
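The two checks below are an added example and are not part of the OpenIAM documentation or product. They read a raw HTTP response header block (for instance the output of curl -sI against your OpenIAM UI; the hostname in the comments is a placeholder) and confirm that the headers described above are present and that plain HTTP is redirected to HTTPS rather than served. The sample responses at the bottom are constructed so the checks can be exercised offline.

```shell
#!/bin/sh
# Added example, not OpenIAM's own code: verify the response headers served by
# the OpenIAM UI match the hardening above. Both functions read a raw HTTP
# response header block from stdin, so they can be fed directly from curl:
#   curl -sI https://iam.example.com/ | check_ui_headers
#   curl -sI http://iam.example.com/  | check_http_redirect
# (iam.example.com is a placeholder hostname)

# Pass when X-XSS-Protection is present and X-Content-Type-Options is nosniff;
# print one line per failing check and return 1 if anything failed.
check_ui_headers() {
    headers=$(tr '[:upper:]' '[:lower:]')   # header names are case-insensitive
    rc=0
    if ! printf '%s\n' "$headers" | grep -q '^x-content-type-options:[[:space:]]*nosniff'; then
        echo "FAIL: X-Content-Type-Options: nosniff is not set"
        rc=1
    fi
    if ! printf '%s\n' "$headers" | grep -q '^x-xss-protection:'; then
        echo "FAIL: X-XSS-Protection header is missing"
        rc=1
    fi
    return $rc
}

# Pass when a plain-HTTP request is answered with a redirect to an https:// URL,
# i.e. insecure access to the UI is refused rather than served.
check_http_redirect() {
    headers=$(tr '[:upper:]' '[:lower:]')
    printf '%s\n' "$headers" | grep -q '^http/[0-9.]*[[:space:]]30[1278]' &&
        printf '%s\n' "$headers" | grep -q '^location:[[:space:]]*https://'
}

# Constructed sample responses for offline use (not captured from a real server).
SAMPLE_HARDENED='HTTP/1.1 200 OK
Content-Type: text/html
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff'

SAMPLE_MISSING_NOSNIFF='HTTP/1.1 200 OK
Content-Type: text/html
X-XSS-Protection: 1; mode=block'

SAMPLE_REDIRECT='HTTP/1.1 301 Moved Permanently
Location: https://iam.example.com/'

SAMPLE_PLAIN_HTTP='HTTP/1.1 200 OK
Content-Type: text/html'
```

Run the two functions against the live UI after the HTTPS and header changes are in place; a non-zero exit from either one means the corresponding step is not yet effective on the front end that end users actually reach (a reverse proxy in front of OpenIAM can strip or override headers, so test the externally visible endpoint).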
Update the password policy
Update the password policy in OpenIAM to align with your corporate password policy. The policy can be configured using the webconsole.
Update the authentication policy
Update the authentication mechanism in OpenIAM to align with your corporate direction. This can be done in one of the following ways:
- If you are using an external IdP, such as Azure, then integrate OpenIAM to act as a service provider to your IdP.
- If OpenIAM will be your IdP, or you will be authenticating directly into OpenIAM, then define the authentication rules by:
  - Creating an authentication rule.
  - Updating the content provider to use this rule.
Secure the infrastructure
Update default stack component passwords
The env.sh file contains default passwords for stack components. These should be changed before going into production and the new values stored securely.
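The script below is an added example, not part of the OpenIAM distribution. It scans an env.sh style file for credential variables that still hold a placeholder, empty or very short value. The real variable names in env.sh are not assumed; any variable whose name contains PASS, PASSWORD or SECRET is checked. The list of placeholder values and the sample file it writes are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the OpenIAM distribution: scan an env.sh style
# file for credential variables that still hold a placeholder, empty or very
# short value. Variable names are matched on PASS / PASSWORD / SECRET, so the
# real env.sh names do not need to be known in advance.
# Usage: find_weak_credentials /path/to/env.sh   (prints one line per finding)

# Values commonly left in place from a default install (constructed list).
WEAK_VALUES='password passwd changeme admin secret openiam 123456'
MIN_LENGTH=12

# Print "NAME: reason" for every credential variable that fails a check.
find_weak_credentials() {
    grep -E '^(export[[:space:]]+)?[A-Za-z_][A-Za-z0-9_]*(PASS|PASSWORD|SECRET)[A-Za-z0-9_]*=' "$1" |
    while IFS= read -r line; do
        line=$(printf '%s' "$line" | sed 's/^export[[:space:]]*//')
        name=${line%%=*}
        value=${line#*=}
        # strip one pair of surrounding quotes, if present
        value=${value#\"}; value=${value%\"}
        value=${value#\'}; value=${value%\'}
        lower=$(printf '%s' "$value" | tr '[:upper:]' '[:lower:]')
        reason=''
        if [ -z "$value" ]; then
            reason='empty value'
        else
            for w in $WEAK_VALUES; do
                if [ "$lower" = "$w" ]; then reason="placeholder value '$value'"; fi
            done
            if [ -z "$reason" ] && [ "${#value}" -lt "$MIN_LENGTH" ]; then
                reason="shorter than $MIN_LENGTH characters"
            fi
        fi
        if [ -n "$reason" ]; then printf '%s: %s\n' "$name" "$reason"; fi
    done
}

# Number of findings, for use as a gate in deployment scripts.
count_weak_credentials() {
    find_weak_credentials "$1" | wc -l | tr -d '[:space:]'
}

# Write a constructed sample file (NOT the real OpenIAM env.sh) and print its path.
write_sample_env() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample for the example above
export DB_USER=openiam
export DB_PASSWORD=passwd
export RABBITMQ_PASSWORD="changeme"
export REDIS_PASSWORD=
export ES_PASSWORD='Xk9#vL2mQ8pR4wZt'
EOF
    printf '%s\n' "$f"
}
```

Running find_weak_credentials on the sample flags DB_PASSWORD and RABBITMQ_PASSWORD as placeholders and REDIS_PASSWORD as empty, while the 16-character ES_PASSWORD passes. Run it against the real env.sh before the first production start and again after any upgrade that ships a new env.sh, and treat any finding as a blocker.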
TLS communication with RabbitMQ
Enable TLS communication in RabbitMQ to ensure secure communication between infrastructure services.
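The following is an added example and is not from the OpenIAM or RabbitMQ projects. It shows a rabbitmq.conf fragment (RabbitMQ's newer key = value format) that serves AMQP only over TLS, next to the plain-text default it replaces, together with a small audit function that checks a given rabbitmq.conf for the settings that matter. The certificate paths are placeholders.

```shell
#!/bin/sh
# Added example, not from the OpenIAM or RabbitMQ projects: a hardened
# rabbitmq.conf fragment that serves AMQP only over TLS, and an audit function
# that checks a rabbitmq.conf for the settings that matter.
# Certificate paths are placeholders.

# Hardened configuration: plain-text listener disabled, TLS listener on 5671,
# client certificates verified against the CA when a client presents one.
HARDENED_CONF='listeners.tcp = none
listeners.ssl.default = 5671
ssl_options.cacertfile = /etc/rabbitmq/certs/ca_certificate.pem
ssl_options.certfile   = /etc/rabbitmq/certs/server_certificate.pem
ssl_options.keyfile    = /etc/rabbitmq/certs/server_key.pem
ssl_options.verify     = verify_peer
ssl_options.fail_if_no_peer_cert = false'

# Weak (default-style) configuration for comparison: plain AMQP only.
WEAK_CONF='listeners.tcp.default = 5672'

# Normalise a config read from stdin: drop comments and blank lines,
# collapse whitespace around "=".
normalise_conf() {
    sed -e 's/#.*//' -e 's/[[:space:]]*=[[:space:]]*/=/' \
        -e 's/[[:space:]]*$//' -e '/^[[:space:]]*$/d'
}

# Read rabbitmq.conf from stdin; print each failing check; return 1 on any failure.
#   audit_rabbitmq_tls < /etc/rabbitmq/rabbitmq.conf
audit_rabbitmq_tls() {
    conf=$(normalise_conf)
    rc=0
    if ! printf '%s\n' "$conf" | grep -qx 'listeners.tcp=none'; then
        echo "FAIL: plain-text AMQP listener is not disabled (listeners.tcp = none)"; rc=1
    fi
    if ! printf '%s\n' "$conf" | grep -q '^listeners\.ssl\.'; then
        echo "FAIL: no TLS listener configured (listeners.ssl.default)"; rc=1
    fi
    for key in ssl_options.cacertfile ssl_options.certfile ssl_options.keyfile; do
        if ! printf '%s\n' "$conf" | grep -q "^$key="; then
            echo "FAIL: $key is not set"; rc=1
        fi
    done
    if ! printf '%s\n' "$conf" | grep -qx 'ssl_options.verify=verify_peer'; then
        echo "FAIL: ssl_options.verify should be verify_peer"; rc=1
    fi
    return $rc
}
```

Once the hardened configuration is in place the OpenIAM services must connect to port 5671 with TLS enabled on the client side, wherever the broker connection is configured in your deployment; with listeners.tcp = none the old port 5672 is no longer answered. Setting fail_if_no_peer_cert to true turns this into mutual TLS and requires a client certificate for every service, so only flip it after those certificates have been issued.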
Reduce log levels
The log levels should be reduced to WARN. Avoiding excessive debug logging will improve both security and performance.
Remove Default objects
There are a number of default objects which are created during installation to simplify the initial experience for those who are new to OpenIAM. These objects should be either removed or updated prior to going into production.
Remove default users
There are a number of default users, which should be removed using the webconsole. They include:
- Scott Nelson
- Hiring Manager
- Security Manager
- Help Desk
Replace system admin accounts
The out of the box deployment includes two system admin accounts:
- sys user (sysadmin)
- sys2 user (sysadmin2)
Admin rights should be granted to named users so that there is traceability across the system. As such, the Super Security Admin role should be granted to the appropriate users. After access has been granted, log in with Super Security Admin rights and remove the two users above.
Note: DO NOT remove the system user. This user has no rights in OpenIAM and is used by internal processes.
Remove default entitlement objects
Remove the roles listed below:
- Help desk
- End User
- Security Admin
- Security Admin_IDM
Note: DO NOT REMOVE the Super Security Admin and Global UAR Administrator roles.
Remove default groups
Remove the groups listed below:
- Security group
- HR Group
Remove all organization objects
Remove all organization objects and replace them with a structure which represents your organization and requirements.
Restrict Access to servers hosting OpenIAM
Access to the servers / VMs where OpenIAM is hosted should only be enabled at the time that individuals working in those environments need access. Permanent access should be avoided.
Stay current with patching
OpenIAM releases contain new features, bug fixes and fixes for vulnerabilities that have been reported. It's important that each deployment stays current with these releases.