IDM 7.3.1

Secure IDM server files with a read-only installation

One method of locking down the server is to install IDM on a read-only file system. To accomplish this, complete all procedures in this topic.

This topic assumes that you have prepared the read-only volume appropriate for your Linux/UNIX installation environment and that you have set up a regular Linux user named idm and a dedicated volume for the /idm directory.

Prep

  1. Configure the dedicated volume device, /dev/volume in the /etc/fstab file, as follows:

    /dev/volume   /idm   ext4   ro,defaults   1 2

    When you run the mount -a command, the /dev/volume volume device is mounted on the /idm directory.

  2. You can switch between read-write and read-only mode for the /idm volume with the following commands:

    sudo mount -o remount,rw /idm
    sudo mount -o remount,ro /idm

  3. Confirm the result with the mount command, which should show that the /idm volume is mounted in read-only mode:

    /dev/volume on /idm type ext4 (ro)

  4. Set up the /idm volume in read-write mode:

    sudo mount -o remount,rw /idm
  5. With the following commands, you can unpack the IDM binary in the /idm directory, and give user idm ownership of all files in that directory:

    sudo unzip /idm/IDM-7.3.1.zip -d /idm
    sudo chown -R idm:idm /idm

Redirect audit and logging data

After you have installed IDM on a read-only file system, redirect audit and logging data to writable volumes. This procedure assumes a user idm with Linux administrative (superuser) privileges.

  1. Create an external directory where IDM can send logging, auditing, and internal repository information:

    sudo mkdir -p /var/log/openidm/audit
    sudo mkdir /var/log/openidm/logs
    sudo mkdir -p /var/cache/openidm/felix-cache
    sudo mkdir /var/run/openidm

    Alternatively, route audit data to a remote data store. For an example of how to send audit data to a MySQL repository, refer to Direct audit information to MySQL.

  2. Give the idm user ownership of the newly created directories:

    sudo chown -R idm:idm /var/log/openidm
    sudo chown -R idm:idm /var/cache/openidm
    sudo chown -R idm:idm /var/run/openidm

  3. Modify the following configuration files:

    conf/audit.json

    Make sure the handlerForQueries is the JSON audit event handler and change the logDirectory property to the /var/log/openidm/audit subdirectory:

    "eventHandlers" : [
        {
            "class" : "org.forgerock.audit.handlers.json.JsonAuditEventHandler",
            "config" : {
                "name" : "json",
                "logDirectory" : "/var/log/openidm/audit",
                ...
            },
            ...
        }
    ]

    conf/logging.properties

    Change the java.util.logging.FileHandler.pattern property as follows:

    java.util.logging.FileHandler.pattern = /var/log/openidm/logs/openidm%u.log

    conf/config.properties

    Activate and redirect the org.osgi.framework.storage property as follows:

    # If this value is not absolute, then the felix.cache.rootdir controls
    # how the absolute location is calculated. (See buildNext property)
    org.osgi.framework.storage=&{felix.cache.rootdir|&{user.dir}}/felix-cache
    
    # The following property is used to convert a relative bundle cache
    # location into an absolute one by specifying the root to prepend to
    # the relative cache path. The default for this property is the
    # current working directory.
    felix.cache.rootdir=/var/cache/openidm

Your setup may require additional redirection for the following:

  • Connectors. Depending on the connector, and the read-only volume, consider configuring connectors to direct output to writable volumes.

  • Scripts. If you are using Groovy, examine the script configuration for your project. Make sure that output such as to the groovy.target.directory is directed to an appropriate location, such as idm.data.dir.

Finishing touches

  1. Adjust the value of the OPENIDM_PID_FILE in the startup.sh and shutdown.sh scripts. To do so for a default bash shell, set the value of OPENIDM_PID_FILE for user idm by adding the following line to /home/idm/.bashrc:

    export OPENIDM_PID_FILE=/var/run/openidm/openidm.pid

    For other shells, adjust your changes accordingly.

    When you log in again as user idm, the OPENIDM_PID_FILE variable redirects the process identifier file, openidm.pid, to the /var/run/openidm directory, where the shutdown.sh script can access it.

  2. While the volume is still mounted in read-write mode, start IDM normally:

    path/to/openidm/startup.sh -p project-dir

    The first startup of IDM either processes the signed certificate that you added or generates a self-signed certificate, and it encrypts any passwords in the various configuration files.

  3. Stop IDM.

  4. You can now mount the /idm directory in read-only mode. The configuration in /etc/fstab ensures that Linux mounts the /idm directory in read-only mode on next system boot.

    sudo mount -o remount,ro /idm

  5. Reboot the system.

  6. You can now start IDM, configured on a secure read-only volume.

    path/to/openidm/startup.sh -p project-dir
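The following script is an added example, not part of the IDM product or this page's procedure. It checks the result of the procedure above: that /idm is mounted read-only, and that the audit logDirectory, the FileHandler log pattern and the Felix cache root all resolve to paths outside the read-only volume. The mount listing and configuration fragments embedded in it are constructed samples; the function names are this example's own.

```shell
#!/bin/sh
# Added example: sanity checks for the read-only IDM layout described above.
# The sample inputs below are constructed here, not captured from a real host.
SAMPLE_MOUNT='/dev/volume on /idm type ext4 (ro,relatime)
/dev/sda1 on /var type ext4 (rw,relatime)'
AUDIT_JSON='{ "eventHandlers" : [ { "class" : "org.forgerock.audit.handlers.json.JsonAuditEventHandler",
  "config" : { "name" : "json", "logDirectory" : "/var/log/openidm/audit" } } ] }'
LOGGING_PROPS='java.util.logging.FileHandler.pattern = /var/log/openidm/logs/openidm%u.log'
CONFIG_PROPS='felix.cache.rootdir=/var/cache/openidm'

# is_mounted_ro MOUNTPOINT [LISTING]: succeed when MOUNTPOINT appears with the
# ro option in LISTING (defaults to the live output of `mount`).
is_mounted_ro() {
    listing=${2:-$(mount)}
    printf '%s\n' "$listing" | awk -v mp="$1" '
        $3 == mp { opts = $6; gsub(/[()]/, "", opts)
                   n = split(opts, a, ","); for (i = 1; i <= n; i++) if (a[i] == "ro") found = 1 }
        END { exit found ? 0 : 1 }'
}

# audit_log_dir JSON: first logDirectory value in an audit.json fragment.
audit_log_dir() {
    printf '%s\n' "$1" | sed -n 's/.*"logDirectory" *: *"\([^"]*\)".*/\1/p' | head -n 1
}

# prop_value KEY TEXT: value of KEY in a Java .properties fragment.
prop_value() {
    printf '%s\n' "$2" | sed -n "s/^$1 *= *//p" | head -n 1
}

# paths_outside_ro_root ROOT PATH...: fail if any PATH still lies under ROOT,
# i.e. IDM would try to write inside the read-only volume.
paths_outside_ro_root() {
    root=$1; shift
    for p in "$@"; do
        case "$p" in "$root"|"$root"/*) return 1 ;; esac
    done
    return 0
}

# check_readonly_layout: the whole post-install check over the constructed samples.
check_readonly_layout() {
    is_mounted_ro /idm "$SAMPLE_MOUNT" || { echo "/idm is not mounted ro"; return 1; }
    paths_outside_ro_root /idm \
        "$(audit_log_dir "$AUDIT_JSON")" \
        "$(dirname "$(prop_value java.util.logging.FileHandler.pattern "$LOGGING_PROPS")")" \
        "$(prop_value felix.cache.rootdir "$CONFIG_PROPS")/felix-cache" \
        || { echo "a writable path still points inside /idm"; return 1; }
    echo "read-only layout OK"
}
```

On a real host, replace the constructed samples with the live `mount` output and the contents of conf/audit.json, conf/logging.properties and conf/config.properties from your project directory.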