Security and Encryption

Enabling Security
You can configure software security to behave in one of the following ways:
  • Default Permit
    Under this condition, everything is permitted. This method enables greater functionality, and it can be adequate for the initial phases of setting up and testing the system.
  • Default Deny
    Under this condition, everything that is not explicitly permitted is forbidden. While this method can improve security, it negatively affects functionality.
By default, Identity Governance Portal security is disabled. When a user logs in using a recognized user name, the Portal does not verify the user permissions and there are no limits on what the user can view and do.
Configure external authentication before you verify built-in account credentials.
You configure the type of security that is used in the Portal by setting a security parameter in the eurekify.properties file.
The security parameter resembles the following example:
sage.security.disable=true
When you set this property to false, the product switches to the Default Deny security method. Only functionality that is explicitly permitted is visible and enabled for the user.
Encryption
When you send user login and password data, we recommend that you encrypt this data. The following is an encryption security parameter:
sage.security.disable.ssl.ADAuthentication=true
When you set this parameter to true, Secure Sockets Layer (SSL) authentication is disabled.
When you set the parameter to false, SSL encryption is enabled.
You supply the keystore file in the following security parameter:
sage.security.eurekify.keyStore.file=
The keystore file is a database that stores the private and public keys necessary for SSL encryption and decryption.
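The settings described above can be checked mechanically. The following Python sketch is an added example, not part of the product or its documentation; it audits the three keys named on this page against a constructed sample of eurekify.properties. How an absent key is reported is an assumption of the example, because the page does not state every default.

```python
# Added example: audit the security keys this page names in eurekify.properties.
# SAMPLE is constructed for illustration, not taken from a real installation.
SAMPLE = """\
# portal security settings
sage.security.disable=true
sage.security.disable.ssl.ADAuthentication = true
sage.security.eurekify.keyStore.file=
"""

SECURITY = "sage.security.disable"
SSL_AD = "sage.security.disable.ssl.ADAuthentication"
KEYSTORE = "sage.security.eurekify.keyStore.file"


def parse_properties(text):
    """Minimal key=value parser; skips blank lines and #/! comment lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit(props):
    """Return (key, finding) pairs for weak or unset values."""
    findings = []
    for key, weak in ((SECURITY, "Default Permit: user permissions are not verified"),
                      (SSL_AD, "SSL authentication is disabled")):
        value = props.get(key)
        if value is None:
            # Assumption: an absent key is reported rather than given a guessed default.
            findings.append((key, "not set; confirm the effective value"))
        elif value.lower() != "false":
            findings.append((key, weak))
    ssl_enabled = props.get(SSL_AD, "").lower() == "false"
    if ssl_enabled and not props.get(KEYSTORE):
        findings.append((KEYSTORE, "SSL is enabled but no keystore file is supplied"))
    return findings


if __name__ == "__main__":
    for key, finding in audit(parse_properties(SAMPLE)):
        print(f"{key}: {finding}")
```

The parser handles only simple key=value lines; it does not process line continuations or the colon separator that the Java properties format also allows.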
Administrator Password Encryption
The following administration accounts are created by default when you install the Identity Governance server:
  • EAdmin -- a default account with administrator privileges in the Portal.
  • EBatch -- a default account that is used to run batch processing jobs.
To secure these accounts, change their default passwords and encrypt the new password. Perform this procedure after you implement the desired encryption algorithms on the portal. For example, if your operating environment requires FIPS-compliant encryption, enable FIPS encryption algorithms before you encrypt these passwords.
Repeat this procedure when you change the active encryption algorithm of the Identity Governance server.
You need administrator-level rights in the Portal to perform this procedure.
Follow these steps:
  1. Click Administration, Settings, Properties Settings from the Portal.
    The Properties screen appears.
  2. Enter the search term password in the Filter Properties Keys Containing field and click Apply Filter.
    A filtered list of properties appears.
  3. Locate the following values in the list:
    • sage.admin password
      Defines the password of the EAdmin user account.
    • sage.batch.password
      Defines the password of the EBatch user account.
  4. Modify and encrypt these passwords:
    1. Click Edit in the list to edit a property.
      The Edit Property window appears.
    2. Enter a new password in the Property Value field.
    3. In the Type drop-down list, select the Database Property option.
    4. Select the Encrypt Property check box, and click Save.
      The new password value is encrypted and saved to the database. Hash marks appear in the Property Value column of the Properties screen.
  5. Repeat this procedure for both system properties.
    Administrator passwords are encrypted.