Security considerations
This section describes configuration guidelines that help you deploy and operate OpenText Directory and Resource Administrator (DRA) more securely. It is intended for administrators, and the guidelines can be used to enhance the security of the environment.
It is recommended that administrators frequently consult the product documentation, TIDs, and Cool Solutions, and keep up to date on patches and versions of both Access Manager and the host operating system.
Pre-installation server configurations
Firewalls:
- Open only the firewall ports required for communication between DRA and its connected servers.
- To review the list of ports, see Understanding ports.
FIPS settings
FIPS 140-2 is a standard established by NIST (National Institute of Standards and Technology) and CSE (Communications Security Establishment Canada). It pertains to cryptographic modules in software or hardware products.
- Ensure that DRA is configured and enabled to be compliant with FIPS standards for cryptographic modules.
- To enable FIPS on Windows Server:
  - Navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.
  - Locate "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" and set it to "Enabled".
- For additional FIPS considerations, see Prerequisites for Microsoft Entra ID.
STIG
- DRA claims compliance with the DISA STIG baseline GPOs dated January 2025, as imported into an Active Directory environment whose domain controller runs Windows Server 2022.
TLS settings
- Windows Server 2016 and 2019: Enable TLS 1.2.
- Windows Server 2022: TLS 1.3 is enabled by default.
- To enable the TLS 1.2 settings and configurations, refer to Enabling TLS 1.2 configurations.
User Account Control (UAC):
- Ensure that UAC is properly configured to enforce the principle of least privilege.
- Ensure the UAC setting is at its highest level.
- Configuration path: Control Panel > System and Security > Security and Maintenance > Security > User Account Control > Change Settings.
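The FIPS, TLS and UAC settings above are all backed by registry values that can be audited before installation. The following PowerShell script is an added example, not code from OpenText or the DRA product; it reports each pre-installation setting as pass or fail. The registry locations it reads (the LSA FipsAlgorithmPolicy key, the SCHANNEL TLS 1.2 protocol keys, and the UAC policy values EnableLUA and ConsentPromptBehaviorAdmin) are the standard Windows locations and are assumptions of this example rather than values taken from this page; confirm them against Microsoft documentation for your Windows Server version.

```powershell
# Added example (not OpenText/NetIQ code): audit the pre-installation settings listed on this
# page. Registry paths are standard Windows locations, assumed here rather than taken from the page.

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent instead of throwing, so a missing
    # setting shows up as "not set" in the report rather than aborting the audit.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Format-Value($v) { if ($null -eq $v) { 'not set' } else { $v } }

$findings = @()

# FIPS 140-2: the "Use FIPS compliant algorithms" policy writes Enabled=1 here.
$fips = Get-RegistryDword 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' 'Enabled'
$findings += [pscustomobject]@{
    Check = 'FIPS algorithm policy'; Expected = 'Enabled=1'
    Actual = "Enabled=$(Format-Value $fips)"; Pass = ($fips -eq 1)
}

# TLS 1.2: explicitly enabled when Enabled=1 and DisabledByDefault=0 for both Server and Client.
# Absent keys mean the OS default applies; the page asks for TLS 1.2 to be enabled explicitly
# on Windows Server 2016/2019, so "not set" is reported as a failure.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
foreach ($side in 'Server', 'Client') {
    $enabled  = Get-RegistryDword "$schannel\$side" 'Enabled'
    $disabled = Get-RegistryDword "$schannel\$side" 'DisabledByDefault'
    $findings += [pscustomobject]@{
        Check = "TLS 1.2 $side"; Expected = 'Enabled=1, DisabledByDefault=0'
        Actual = "Enabled=$(Format-Value $enabled), DisabledByDefault=$(Format-Value $disabled)"
        Pass = ($enabled -eq 1 -and $disabled -eq 0)
    }
}

# UAC: EnableLUA=1 turns UAC on; ConsentPromptBehaviorAdmin=2 is the "Always notify" (highest) level.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$enableLua = Get-RegistryDword $uacKey 'EnableLUA'
$prompt    = Get-RegistryDword $uacKey 'ConsentPromptBehaviorAdmin'
$findings += [pscustomobject]@{
    Check = 'UAC enabled (EnableLUA)'; Expected = '1'
    Actual = Format-Value $enableLua; Pass = ($enableLua -eq 1)
}
$findings += [pscustomobject]@{
    Check = 'UAC admin prompt level (ConsentPromptBehaviorAdmin)'; Expected = '2 (Always notify)'
    Actual = Format-Value $prompt; Pass = ($prompt -eq 2)
}

$findings | Format-Table -AutoSize

# Non-zero exit lets a build or deployment pipeline stop before DRA is installed on a host
# that does not meet the baseline.
if ($findings | Where-Object { -not $_.Pass }) { exit 1 }
```

Run it in an elevated PowerShell session on the prospective DRA server; a non-zero exit code means at least one of the settings on this page is not in place.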
Post-installation configurations
Antivirus programs:
- For optimal performance, ensure you configure antivirus programs to allow or exclude the necessary DRA processes and files.
- You must exclude the following default locations from antivirus scans; if custom locations are used, exclude those instead:
  - Default DRA installation path: C:\Program Files (x86)\NetIQ\DRA
  - Default parent path of log archive data, cache data, replication files and logs: C:\ProgramData\NetIQ\DRA
  - Default path of log archive files: C:\ProgramData\NetIQ\DRA\NetIQLogArchive
  - Default path of cache data files: C:\ProgramData\NetIQ\DRA\CacheData
  - Default path of replication files: C:\ProgramData\NetIQ\DRA\Replication
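Where the antivirus product is Windows Defender, the exclusions above can be applied and verified from PowerShell. The following script is an added example, not code from OpenText or the DRA product; it assumes Windows Defender (other products have their own exclusion mechanism) and takes the default DRA paths listed above as parameters so that custom locations can be substituted.

```powershell
# Added example (not OpenText/NetIQ code): register the DRA paths from this page as Windows
# Defender exclusions and confirm they are in effect. Assumes Windows Defender is the antivirus
# in use; pass -InstallPath / -DataPath when DRA was installed to custom locations.
param(
    [string]$InstallPath = 'C:\Program Files (x86)\NetIQ\DRA',
    [string]$DataPath    = 'C:\ProgramData\NetIQ\DRA'
)

# The log archive, cache and replication folders sit under the data path. Excluding the parent
# already covers them; they are listed explicitly to match the page and to keep intent visible.
$paths = @(
    $InstallPath,
    $DataPath,
    (Join-Path $DataPath 'NetIQLogArchive'),
    (Join-Path $DataPath 'CacheData'),
    (Join-Path $DataPath 'Replication')
)

# Warn (do not fail) on paths that do not exist yet: exclusions may be staged before installation.
foreach ($p in $paths) {
    if (-not (Test-Path -LiteralPath $p)) { Write-Warning "Path does not exist yet: $p" }
}

# Add-MpPreference is idempotent for paths that are already excluded.
Add-MpPreference -ExclusionPath $paths

# Verify against the effective configuration rather than trusting the call succeeded.
$effective = (Get-MpPreference).ExclusionPath
$missing = $paths | Where-Object { $effective -notcontains $_ }
if ($missing) {
    Write-Error "Exclusions not applied: $($missing -join ', ')"
    exit 1
}
Write-Host "Defender exclusions in place for $($paths.Count) DRA paths."
```

Keep the exclusion list as narrow as the page's list: excluding broader parents such as C:\ProgramData would remove scanning from unrelated software.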
General security:
- User account passwords are encrypted by default in the persistence store.
gMSA
- The DRA service uses a group Managed Service Account (gMSA) and also supports running its services under a gMSA for enhanced security. For more information, see Managing Group Managed Service Accounts.
LPA
- You must use least privilege accounts when managing domains and other configurations. For more information, see Least Privilege DRA Access Accounts.
Allowlist URLs for Entra ID management
- The following is the list of permitted URLs for Entra ID management:
- provisioningapi.microsoftonline.com
- login.microsoftonline.com
- graph.microsoft.com
- azure.microsoft.com
Encrypted Communications:
- Ensure that encrypted communications are enabled between servers and client interfaces.
- Complete the following steps to enable encrypted communications:
  - Launch the Delegation and Configuration console.
  - Navigate to Configuration Management > Update Administration Server Options > General > Encrypted Communications.
  - Select the "Use encrypted communication between server and the user interfaces (requires service restart)" checkbox.
Customizing DRA ports
- To customize the default port and for more details, see NetIQ DRA Continuous Cache Refresh Service.
Certificates
Use trusted certificates for all secure communications to prevent attacks on those channels. Certificates are used by the following DRA services for encrypted communication:
- DRA REST Service
- Replication Service
- Web Console Binding Certificate
DRA REST service
Retrieve the REST port number from the Windows Registry as follows:
- Run regedit.exe.
- Right-click the HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Mission Critical Software\RestExtentions node.
- Retrieve the port number from the key RestServicePortNumber.
- Note the port number for use below.
View an existing SSL certificate:
netsh http show sslcert ipport=0.0.0.0:<REST port>
Delete an existing SSL certificate:
netsh http delete sslcert ipport=0.0.0.0:<REST port>
Add a new SSL certificate:
netsh http add sslcert ipport=0.0.0.0:<REST port> certhash=de6fe6c492b6cc424905350533cfa025e4a42ba3 appid={8031ba52-3c9d-4193-800a-d620b3e98508}
Replication service
View an existing SSL certificate:
netsh http show sslcert ipport=0.0.0.0:<Replication port>
Delete an existing SSL certificate:
netsh http delete sslcert ipport=0.0.0.0:<Replication port>
Add a new SSL certificate:
netsh http add sslcert ipport=0.0.0.0:<Replication port> certhash=de6fe6c492b6cc424905350533cfa025e4a42ba3 appid={8031ba52-3c9d-4193-800a-d620b3e98508}
Web console binding certificate
View an existing SSL certificate:
netsh http show sslcert
Delete an existing SSL certificate:
netsh http delete sslcert ipport=0.0.0.0:443
Add a new SSL certificate:
netsh http add sslcert ipport=0.0.0.0:443 certhash=de6fe6c492b6cc424905350533cfa025e4a42ba3 appid={8031ba52-3c9d-4193-800a-d620b3e98508}
```
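The three netsh sequences above (REST service, replication service, web console) are the same show/delete/add procedure applied to different ports, and the certhash shown is a sample value. The following PowerShell script is an added example, not code from OpenText or the DRA product; it performs that procedure end to end with the checks an administrator wants before replacing a binding: it reads the REST port from the RestExtentions registry node named above (or takes an explicit -Port for the replication or web console binding), confirms the certificate is present in the machine store with a private key, unexpired and chained to a trusted root, and only then replaces the binding. The registry path and value name, and the appid, are taken from this page; the thumbprint is supplied by you, and the -Port and -WhatIf behaviour are this example's own additions.

```powershell
# Added example (not OpenText/NetIQ code): rebind a DRA HTTP.sys port to a trusted certificate.
# Registry node/value and appid come from this page; -Port lets the same script serve the
# replication port or the web console port (443) instead of the REST port.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^[0-9A-Fa-f]{40}$')]
    [string]$Thumbprint,                    # SHA-1 thumbprint of a cert in Cert:\LocalMachine\My
    [int]$Port = 0,                         # 0 = look up the REST port in the registry
    [string]$AppId = '{8031ba52-3c9d-4193-800a-d620b3e98508}',   # appid used on this page
    [string]$RegistryPath  = 'HKLM:\SOFTWARE\WOW6432Node\Mission Critical Software\RestExtentions',
    [string]$RegistryValue = 'RestServicePortNumber'
)

# 1. Determine the port: explicit parameter, otherwise the REST port recorded in the registry.
if ($Port -eq 0) {
    $Port = [int](Get-ItemProperty -Path $RegistryPath -Name $RegistryValue -ErrorAction Stop).$RegistryValue
}
$ipport = "0.0.0.0:$Port"

# 2. Validate the certificate before touching the binding. A binding to a certificate without a
#    private key, or one that does not chain to a trusted root, would break the service or leave
#    clients with a certificate warning they are likely to click through.
$cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key in the machine store" }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $Thumbprint expired on $($cert.NotAfter)" }
if (-not $cert.Verify()) { throw "Certificate $Thumbprint does not chain to a trusted root on this host" }

# 3. Show the current binding, delete it if one exists, then add the new one.
$existing = netsh http show sslcert "ipport=$ipport" 2>&1
Write-Host "Current binding for ${ipport}:"
$existing | ForEach-Object { Write-Host "  $_" }
$hasBinding = (($existing -join "`n") -match 'Certificate Hash')

if ($hasBinding -and $PSCmdlet.ShouldProcess($ipport, 'Delete existing SSL binding')) {
    netsh http delete sslcert "ipport=$ipport" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh http delete sslcert failed with exit code $LASTEXITCODE" }
}
if ($PSCmdlet.ShouldProcess($ipport, "Bind certificate $Thumbprint")) {
    netsh http add sslcert "ipport=$ipport" "certhash=$Thumbprint" "appid=$AppId" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh http add sslcert failed with exit code $LASTEXITCODE" }
}

# 4. Read the binding back so the change is confirmed from HTTP.sys, not assumed.
netsh http show sslcert "ipport=$ipport"
```

Run with -WhatIf first to see which binding would be removed and replaced without changing anything, then restart the affected DRA service so it picks up the new certificate.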