OpenText Identity Governance handles user account information, permissions, and other sensitive data. You want to ensure that all communication channels between OpenText Identity Governance and the other components are secure using the Transport Layer Security/Secure Sockets Layer (TLS/SSL) protocol. This ensures that any data that OpenText Identity Governance gathers for reviews, reports, or any other activity is secure from eavesdropping or tampering from external sources.
Use the following information to understand the different communication paths and how to secure them for secure communication with OpenText Identity Governance.
Use the TLS/SSL protocol to secure the following types of network connections:
HTTPS: Provides secure end-user access to and from OpenText Identity Governance. You would configure the application server (Apache Tomcat) to communicate over https instead of http.
LDAPS: Ensures that the communication between the authentication provider and the identity service is secure. You would configure OSP or OpenText Access Manager to use the certificates from the LDAP directory to communicate securely with the LDAP directory for the authorized users.
JDBC: Ensures that the communication between OpenText Identity Governance and the database server is secure.
SMTP: Ensures that the email notifications that OpenText Identity Governance, Identity Reporting, and Workflow Engine send are secure.
By default, the OpenText Identity Governance installer does not enable secure communications. You must enable it during the installation or after the installation. You enable the secure communications by selecting https when you define the application server and the identity service.
If you have configured the components for secure communication using TLS/SSL, the OpenText Identity Governance installer imports the correct certificates from these locations to the trust store for OpenText Identity Governance when you select to communicate over TLS/SSL. We highly recommend that you configure these components to communicate over TLS/SSL in a production environment. Use the following information to enable TLS/SSL communication for these products before starting the OSP, OpenText Identity Governance, or the Identity Reporting installations.
If you do install OSP, OpenText Identity Governance, Identity Reporting, or Workflow Engine without configuring these components to communicate securely using TLS/SSL, you can configure secure communication at a later time using the configuration utilities. For more information, see Section 12.1, Configuring SSL/TLS Communication after the Installation.
Each server that has OSP, OpenText Identity Governance, Identity Reporting, and Workflow Engine installed must have Apache Tomcat configured for https communication to provide secure communication between all of the separate OpenText Identity Governance components.
If you use OpenText Access Manager instead of OSP as the authentication service, the OpenText Identity Governance installer assumes OpenText Access Manager is configured to communicate over its default “https”. The OpenText Identity Governance installer prompts you for the ports for the OpenText Access Manager Identity Server and the OpenText Access Manager administration console. The OpenText Identity Governance installer automatically retrieves the certificates from OpenText Access Manager before prompting you to accept them into the OpenText Identity Governance keystore.
To configure the application server to use TLS/SSL, you configure Apache Tomcat to use TLS/SSL. We highly recommend that you configure Apache Tomcat to use https with either TLSv1.2 or TLSv1.1. Do not use any earlier version of TLS. For more information, see Securing Tomcat on the OWASP org page.
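As an added example that is not part of the OpenText documentation, the following Apache Tomcat `conf/server.xml` connector enables https and restricts the connector to TLSv1.2; the port, keystore path, key alias and password are assumed placeholders that you replace with your own values.

```xml
<!-- Added example (not from the OpenText documentation): an HTTPS connector for
     Apache Tomcat 8.5/9 in conf/server.xml that negotiates only TLSv1.2.
     Port 8443, the keystore file, key alias and password are assumed placeholders.
     Remove or comment out the plain-HTTP Connector (port 8080) so that only this
     connector is exposed to end users. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true"
           maxThreads="150"
           scheme="https"
           secure="true">
    <!-- protocols limits the handshake to TLSv1.2; ciphers restricts the suites
         to forward-secret AES-GCM suites and honorCipherOrder enforces this order. -->
    <SSLHostConfig protocols="TLSv1.2"
                   ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
                   honorCipherOrder="true">
        <!-- Keystore holding the server certificate and private key (placeholder values). -->
        <Certificate certificateKeystoreFile="conf/igserver.jks"
                     certificateKeystorePassword="CHANGE_ME"
                     certificateKeyAlias="igserver"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
```

After restarting Tomcat, confirm from another host that only TLSv1.2 is accepted on port 8443 before pointing the OpenText Identity Governance installer at the https URL.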
To configure the identity service to use TLS/SSL, you configure the LDAP server that contains the authorized OpenText Identity Governance users to use LDAPS. For more information, see:
Active Directory: See the Step by Step Guide to Setup LDAPS on Windows Server on the Microsoft learning page.
OpenText eDirectory: See Authentication and Security in the eDirectory Administration Guide.
To configure the database for your environment to communicate securely, you must configure the database to communicate over JDBC using TLS/SSL. For more information, see:
Microsoft SQL: See Enabling Encrypted Connections to the Database Engine on the Microsoft learning page.
Oracle: See Keeping Your Oracle Database Secure on the Oracle docs page.
PostgreSQL: See Secure TCP/IP Connections with SSL on the Postgresql docs page.
Vertica: See TLS Protocol on the Vertica documentation page.
To provide secure emails for email notifications you must configure the SMTP server for secure communications. Follow the documentation for your specific SMTP server to enable secure communications before starting the installation.
To provide secure communications between OSP, OpenText Identity Governance, Identity Reporting and Workflow Engine with the audit server, you must configure the audit server to communicate over TLS/SSL. The OSP, OpenText Identity Governance, and the Identity Reporting installers can import the trusted certificate from the audit server during the installation. See the documentation for your audit server on how to enable secure communications with external applications.