IDM 7.4.1

Administrative users

The default IDM administrative user is openidm-admin. In a production environment, you might want to replace this user with a managed or internal user with the same roles, specifically the openidm-admin and openidm-authorized roles.

You can create either an internal or managed user with the same roles as the default openidm-admin user. To add these roles to an existing managed user, refer to Grant Internal Authorization Roles Manually. The following procedure creates a new administrative internal user (admin):

  1. Create an internal user:

    curl \
    --header "X-OpenIDM-Username: openidm-admin" \
    --header "X-OpenIDM-Password: openidm-admin" \
    --header "Accept-API-Version: resource=1.0" \
    --header "Content-Type: application/json" \
    --cacert ca-cert.pem \
    --request PUT \
    --data '{
      "password": "Passw0rd"
    }' \
    "https://localhost:8443/openidm/internal/user/admin"
    {
      "_id": "admin",
      "_rev": "00000000210f6746"
    }
  2. Add a STATIC_USER authentication module to the authentication configuration:

    Using the Filesystem

    Edit the conf/authentication.json file, and add the following:

    {
      "name" : "STATIC_USER",
      "properties" : {
        "queryOnResource" : "internal/user",
        "username" : "admin",
        "password" : "Passw0rd",
        "defaultUserRoles" : [
          "internal/role/openidm-authorized",
          "internal/role/openidm-admin"
        ]
      },
      "enabled" : true
    }

    If you are using Filesystem secret stores to secure your secrets, reference the secret file that holds the password instead of writing the password directly in authentication.json. You can do this using the $purpose property, as follows (assuming a secret file named idm.admin.password):

    "password": {
      "$purpose": {
        "name": "idm.admin.password"
      }
    }

    Using REST

    curl \
    --header "X-OpenIDM-Username: openidm-admin" \
    --header "X-OpenIDM-Password: openidm-admin" \
    --header "Content-Type: application/json" \
    --header "Accept-API-Version: resource=1.0" \
    --cacert ca-cert.pem \
    --request PATCH \
    --data '[
      {
        "operation": "add",
        "field": "/serverAuthContext/authModules/-",
        "value": {
          "name" : "STATIC_USER",
          "properties" : {
            "queryOnResource" : "internal/user",
            "username" : "admin",
            "password" : "Passw0rd",
            "defaultUserRoles" : [
              "internal/role/openidm-authorized",
              "internal/role/openidm-admin"
            ]
          },
          "enabled" : true
        }
      }
    ]' \
    "https://localhost:8443/openidm/config/authentication"
    {
      "_id": "authentication",
      "serverAuthContext": {
        ...
        "authModules": [
          ...
          {
            "name": "STATIC_USER",
            "properties": {
              "queryOnResource": "internal/user",
              "username": "admin",
              "password": "{encrypted password}",
              "defaultUserRoles": [
                "internal/role/openidm-authorized",
                "internal/role/openidm-admin"
              ]
            },
            "enabled": true
          },
          ...
        ]
      }
    }
  3. To verify the changes, perform a REST call or log in to the admin UI as the new admin user. For example, query the list of internal users:

    curl \
    --header "X-OpenIDM-Username: admin" \
    --header "X-OpenIDM-Password: Passw0rd" \
    --header "Accept-API-Version: resource=1.0" \
    --cacert ca-cert.pem \
    --request GET \
    "https://localhost:8443/openidm/internal/user?_queryFilter=true"
    {
      "result": [
        {
          "_id": "admin",
          "_rev": "00000000f8e1665a"
        }
      ],
      ...
    }
  4. After you have verified the new admin user, you can delete or disable the openidm-admin user:

    Delete 'openidm-admin' User

    1. Delete the openidm-admin object:

      curl \
      --header "X-OpenIDM-Username: admin" \
      --header "X-OpenIDM-Password: Passw0rd" \
      --header "Accept-API-Version: resource=1.0" \
      --cacert ca-cert.pem \
      --request DELETE \
      "https://localhost:8443/openidm/internal/user/openidm-admin"
      {
        "_id": "openidm-admin",
        "_rev": "00000000210f6746"
      }
    2. Delete the authentication module for "username" : "openidm-admin":

      Using the Filesystem

      Edit the conf/authentication.json file, and delete:

      {
        "name" : "STATIC_USER",
        "properties" : {
          "queryOnResource" : "internal/user",
          "username" : "openidm-admin",
          "password" : "&{openidm.admin.password}",
          "defaultUserRoles" : [
            "internal/role/openidm-authorized",
            "internal/role/openidm-admin"
          ]
        },
        "enabled" : true
      }

      Using REST

      1. Get the current authentication configuration:

        curl \
        --header "X-OpenIDM-Username: openidm-admin" \
        --header "X-OpenIDM-Password: openidm-admin" \
        --header "Accept-API-Version: resource=1.0" \
        --cacert ca-cert.pem \
        --request GET \
        "https://localhost:8443/openidm/config/authentication"
        {
          "_id": "authentication",
          "serverAuthContext": {
            ...
            "authModules": [
              ...
              {
                "name": "STATIC_USER",
                "properties": {
                  "queryOnResource": "internal/user",
                  "username": "openidm-admin",
                  "password": "&{openidm.admin.password}",
                  "defaultUserRoles": [
                    "internal/role/openidm-authorized",
                    "internal/role/openidm-admin"
                  ]
                },
                "enabled": true
              },
              ...
            ]
          }
        }
      2. Remove the authentication module for "username" : "openidm-admin", and replace the authentication configuration:

        curl \
        --header "X-OpenIDM-Username: openidm-admin" \
        --header "X-OpenIDM-Password: openidm-admin" \
        --header "Accept-API-Version: resource=1.0" \
        --header "Content-Type: application/json" \
        --cacert ca-cert.pem \
        --request PUT \
        --data '{
          "_id": "authentication",
          "serverAuthContext": {
            "sessionModule": {
              "name": "JWT_SESSION",
              "properties": {
                "maxTokenLifeMinutes": 120,
                "tokenIdleTimeMinutes": 30,
                "sessionOnly": true,
                "isHttpOnly": true,
                "enableDynamicRoles": false
              }
            },
            "authModules": [
              {
                "name": "STATIC_USER",
                "properties": {
                  "queryOnResource": "internal/user",
                  "username": "anonymous",
                  "password": {
                    "$crypto": {
                      "type": "x-simple-encryption",
                      "value": {
                        "cipher": "AES/CBC/PKCS5Padding",
                        "stableId": "openidm-sym-default",
                        "salt": "xBlTp67ze4Ca5LTocXOpoA==",
                        "data": "mdibV6UabU2M+M5MK7bjFQ==",
                        "keySize": 16,
                        "purpose": "idm.config.encryption",
                        "iv": "36D2+FumKbaUsndNQ+/+5w==",
                        "mac": "ZM8GMnh0n80QwtSH6QsNmA=="
                      }
                    }
                  },
                  "defaultUserRoles": [
                    "internal/role/openidm-reg"
                  ]
                },
                "enabled": true
              },
              {
                "name": "STATIC_USER",
                "properties": {
                  "queryOnResource": "internal/user",
                  "username": "admin",
                  "password": "{encrypted password}",
                  "defaultUserRoles": [
                    "internal/role/openidm-authorized",
                    "internal/role/openidm-admin"
                  ]
                },
                "enabled": true
              },
              {
                "name": "MANAGED_USER",
                "properties": {
                  "augmentSecurityContext": {
                    "type": "text/javascript",
                    "source": "require('auth/customAuthz').setProtectedAttributes(security)"
                  },
                  "queryId": "credential-query",
                  "queryOnResource": "managed/user",
                  "propertyMapping": {
                    "authenticationId": "username",
                    "userCredential": "password",
                    "userRoles": "authzRoles"
                  },
                  "defaultUserRoles": [
                    "internal/role/openidm-authorized"
                  ]
                },
                "enabled": true
              },
              {
                "name": "SOCIAL_PROVIDERS",
                "properties": {
                  "defaultUserRoles": [
                    "internal/role/openidm-authorized"
                  ],
                  "augmentSecurityContext": {
                    "type": "text/javascript",
                    "globals": {},
                    "file": "auth/populateAsManagedUserFromRelationship.js"
                  },
                  "propertyMapping": {
                    "userRoles": "authzRoles"
                  }
                },
                "enabled": true
              }
            ]
          }
        }' \
        "https://localhost:8443/openidm/config/authentication"
    3. Prevent the openidm-admin user from being recreated on startup.

      Delete the following lines from the internal/user array in conf/repo.init.json:

      {
          "id" : "openidm-admin",
          "password" : "&{openidm.admin.password}"
      }

    Disable 'openidm-admin' User

    Change the enabled state of the authentication module for "username" : "openidm-admin":

    Using the Filesystem

    Edit the conf/authentication.json file:

    {
      "name" : "STATIC_USER",
      "properties" : {
        "queryOnResource" : "internal/user",
        "username" : "openidm-admin",
        "password" : "&{openidm.admin.password}",
        "defaultUserRoles" : [
          "internal/role/openidm-authorized",
          "internal/role/openidm-admin"
        ]
      },
      "enabled" : false
    }

    Using REST

    1. Get the current authentication configuration:

      curl \
      --header "X-OpenIDM-Username: openidm-admin" \
      --header "X-OpenIDM-Password: openidm-admin" \
      --header "Accept-API-Version: resource=1.0" \
      --cacert ca-cert.pem \
      --request GET \
      "https://localhost:8443/openidm/config/authentication"
      {
        "_id": "authentication",
        "serverAuthContext": {
          ...
          "authModules": [
            ...
            {
              "name": "STATIC_USER",
              "properties": {
                "queryOnResource": "internal/user",
                "username": "openidm-admin",
                "password": "&{openidm.admin.password}",
                "defaultUserRoles": [
                  "internal/role/openidm-authorized",
                  "internal/role/openidm-admin"
                ]
              },
              "enabled": true
            },
            ...
          ]
        }
      }
    2. Change the enabled state of the authentication module for "username" : "openidm-admin", and replace the authentication configuration:

      curl \
      --header "X-OpenIDM-Username: openidm-admin" \
      --header "X-OpenIDM-Password: openidm-admin" \
      --header "Accept-API-Version: resource=1.0" \
      --header "Content-Type: application/json" \
      --cacert ca-cert.pem \
      --request PUT \
      --data '{
        "_id": "authentication",
        "serverAuthContext": {
          "sessionModule": {
            "name": "JWT_SESSION",
            "properties": {
              "maxTokenLifeMinutes": 120,
              "tokenIdleTimeMinutes": 30,
              "sessionOnly": true,
              "isHttpOnly": true,
              "enableDynamicRoles": false
            }
          },
          "authModules": [
            {
              "name": "STATIC_USER",
              "properties": {
                "queryOnResource": "internal/user",
                "username": "anonymous",
                "password": {
                  "$crypto": {
                    "type": "x-simple-encryption",
                    "value": {
                      "cipher": "AES/CBC/PKCS5Padding",
                      "stableId": "openidm-sym-default",
                      "salt": "xBlTp67ze4Ca5LTocXOpoA==",
                      "data": "mdibV6UabU2M+M5MK7bjFQ==",
                      "keySize": 16,
                      "purpose": "idm.config.encryption",
                      "iv": "36D2+FumKbaUsndNQ+/+5w==",
                      "mac": "ZM8GMnh0n80QwtSH6QsNmA=="
                    }
                  }
                },
                "defaultUserRoles": [
                  "internal/role/openidm-reg"
                ]
              },
              "enabled": true
            },
            {
              "name": "STATIC_USER",
              "properties": {
                "queryOnResource": "internal/user",
                "username": "openidm-admin",
                "password": "&{openidm.admin.password}",
                "defaultUserRoles": [
                  "internal/role/openidm-authorized",
                  "internal/role/openidm-admin"
                ]
              },
              "enabled": false
            },
            {
              "name": "MANAGED_USER",
              "properties": {
                "augmentSecurityContext": {
                  "type": "text/javascript",
                  "source": "require('auth/customAuthz').setProtectedAttributes(security)"
                },
                "queryId": "credential-query",
                "queryOnResource": "managed/user",
                "propertyMapping": {
                  "authenticationId": "username",
                  "userCredential": "password",
                  "userRoles": "authzRoles"
                },
                "defaultUserRoles": [
                  "internal/role/openidm-authorized"
                ]
              },
              "enabled": true
            },
            {
              "name": "SOCIAL_PROVIDERS",
              "properties": {
                "defaultUserRoles": [
                  "internal/role/openidm-authorized"
                ],
                "augmentSecurityContext": {
                  "type": "text/javascript",
                  "globals": {},
                  "file": "auth/populateAsManagedUserFromRelationship.js"
                },
                "propertyMapping": {
                  "userRoles": "authzRoles"
                }
              },
              "enabled": true
            }
          ]
        }
      }' \
      "https://localhost:8443/openidm/config/authentication"
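As an added check that is not part of the IDM documentation, the following Python audits copies of conf/authentication.json and conf/repo.init.json for what this procedure can leave behind when it is only partly completed: an enabled STATIC_USER module for openidm-admin, a STATIC_USER password left as a plaintext literal rather than a &{...} property reference, a $purpose secret-store reference or a $crypto object, and an openidm-admin entry still seeded by repo.init.json. The two sample configurations are constructed inline for the example.

```python
import json

# Constructed sample of conf/authentication.json after the procedure above: the
# new "admin" module exists, the openidm-admin module was disabled, and the new
# module's password was left as a plaintext literal (the finding we want raised).
SAMPLE_AUTHENTICATION = json.loads(r'''{
  "serverAuthContext": {"authModules": [
    {"name": "STATIC_USER", "enabled": true,
     "properties": {"queryOnResource": "internal/user", "username": "admin",
                    "password": "Passw0rd",
                    "defaultUserRoles": ["internal/role/openidm-authorized",
                                         "internal/role/openidm-admin"]}},
    {"name": "STATIC_USER", "enabled": false,
     "properties": {"queryOnResource": "internal/user", "username": "openidm-admin",
                    "password": "&{openidm.admin.password}",
                    "defaultUserRoles": ["internal/role/openidm-authorized",
                                         "internal/role/openidm-admin"]}}
  ]}
}''')

# Constructed sample of conf/repo.init.json that still seeds the default user.
SAMPLE_REPO_INIT = json.loads(r'''{"internal/user": [
  {"id": "openidm-admin", "password": "&{openidm.admin.password}"}
]}''')

def password_is_literal(value):
    """True when a STATIC_USER password is a plaintext literal in the file.
    Accepted forms: a "&{...}" property reference, a {"$purpose": ...}
    secret-store reference, or an already encrypted {"$crypto": ...} object."""
    if isinstance(value, dict):
        return not ("$purpose" in value or "$crypto" in value)
    return not (isinstance(value, str) and value.startswith("&{") and value.endswith("}"))

def audit(authentication, repo_init):
    """Return findings for an authentication.json / repo.init.json pair."""
    findings = []
    for module in authentication["serverAuthContext"]["authModules"]:
        if module.get("name") != "STATIC_USER" or not module.get("enabled", True):
            continue  # only enabled STATIC_USER modules can grant a login
        props = module.get("properties", {})
        user = props.get("username")
        if user == "openidm-admin":
            findings.append("default openidm-admin STATIC_USER module is still enabled")
        if password_is_literal(props.get("password")):
            findings.append(f"STATIC_USER '{user}' stores a plaintext password")
    for entry in repo_init.get("internal/user", []):
        if entry.get("id") == "openidm-admin":
            findings.append("repo.init.json still recreates openidm-admin on startup")
    return findings
```

Run it against your own files with `json.load(open("conf/authentication.json"))` and `json.load(open("conf/repo.init.json"))` in place of the samples; an empty list means none of the three conditions was found.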