Managing Security Domains

You can add new security domains, update or delete previously created domains in your deployment, as well as update the domain password.

Important: Managing security domain are critical operations as:
  • Adding or deleting a security domain interrupts service (as applications will be restarted), and can adversely impact the backup process.
  • Adding a security domain modifies the database.

After installation, the manageDomains.sh script (in the <ACTIVID_HOME>/ActivID_AS/bin folder) allows adding, deleting and updating a security domain.

Note: If optional parameters are not provided, then they are prompted from the terminal.

As ftadmin, use the following commands:

Copy

Add new security domains

manageDomains.sh -a [ -d <domain1, domain2,…> ]
Copy

Post-installation for existing security domains (after adding a new security domain, configuring the database data sources and restarting ActivID AS)

manageDomains.sh -p [ -d <domain1, domain2,…> ]
Copy

Delete existing security domains 

manageDomains.sh –r [ -d <domain1, domain2,…> ]
Note: The database data is not deleted.
Copy

Update existing domains (might be required after installing a service pack)

manageDomains.sh -u [ -d <domain1, domain2,…> ]

Add a Security Domain

Important: Adding a Security Domain causes an interruption of service.

When you create a new security domain, it adds a new set of data to your deployment.

This data is specific to your domain and is defined by the dataset you choose when creating the domain (for example, the default users and permissions included in the dataset).

  1. Create a new security domain in the database:
Prerequisites: Make sure the <ADMIN_USER> account is enabled. This account was created when the ActivID AS database was first installed and is required to add a domain. For further information, refer to the ActivID Authentication Server Oracle Database Configuration Guide available from the ActivID Customer Portal.
  1. Run the /Installation/Database/oracle/scripts/oracle-create-4tress.sql script to create a security domain in the set of tablespaces configured in oracle-config-4tress.sql using the following command:
Copy 
@./oracle-create-4tress.sql <CONNECTION_STRING> <ADMIN_USER> <ADMIN_PASSWORD> <Security Domain> <Security Domain Password> <Archive Security Domain Password>

Where:

  • <CONNECTION_STRING> is the connection string to connect to the ActivID AS database
  • <ADMIN_USER> is the dedicated installation user
  • <ADMIN_PASSWORD> is the password of the dedicated installation user
  • <Security Domain> is the name of security domain
Important: You must apply the following rules when creating the domain name:
  • Must contain alphanumeric characters
  • Must not contain any of these special characters !#%&()+"'<>?*-_
  • Must not start with a numeric character
  • Must be a maximum of 20 characters
  • Must not be a variation of an existing security domain name using a different case for one or more characters (for example, do not use Onlinebank when ONLINEBANK already exists)
  • Oracle reserved keywords are not allowed (that is “SELECT”, “ONLINE”, etc.)
  • <Security Domain Password> is the password for security domain.
  • <Archive Security Domain Password> is the password for archive user.
Note: The script is executed without logging. It uses the <ADMIN_USER> account to connect database.
  1. Optionally, to enable partitioning for the FTRESSAUDITLOG table (with the configuration defined in oracle-config-4tress.sql), use the following command:
Copy 
@./oracle-create-prt.sql <CONNECTION_STRING> <ADMIN_USER> <ADMIN_PASSWORD> <Security Domain> <Security Domain Password>

For further information about partitioning, refer to the ActivID Authentication Server Oracle Database Configuration Guide available from the ActivID Customer Portal.

  1. To create another security domain in the same set of tablespaces, execute the above steps again but with the corresponding domain parameters.
  2. If you need to create security domains in another set of tablespaces, first create the new set of tablespaces, and then create the new domain in the new tablespace set after changing the tablespace names in oracle-config-4tress.sql.

    3. For further information, refer to the ActivID Authentication Server Oracle Database Configuration Guide available from the ActivID Customer Portal.

  3. For archiving/purging of FTRESSAUDITLOG, create a new folder, /home/oracle/archive-and-drop-scripts, as defined in configuration file, where the extracted CSV data files will be stored.

    4. This folder should be accessible by Oracle users and the path is configured in the oracle-config-4tress.sql file.

Note:  
  • The <Security Domain> and <Security Domain Password> information will be used to update the activid_setup.rsp response file used during the ActivID AS setup. For further information, refer to the ActivID AS installation guide for your application server available from the ActivID Customer Portal.
  • The security domains users are created with the Oracle DEFAULT user profile.
  1. Add the new security domain to the ActivID AS installation:
    2. Note: You will need the database administrator's username and password.
  1. Open a terminal as ftadmin.
  2. Launch the manageDomains.sh script using the following command and enter parameters when prompted:
Copy 
<ACTIVID_HOME>/ActivID_AS/bin/manageDomains.sh –a
  1. Enter the names of the security domains.
  2. At the Choice prompt, enter the number that corresponds to the required dataset.
  3. At the Password prompt, enter the password that you defined when you created the security domain in the database.
  4. Complete the script's instructions.
  1. Review the /home/ftadmin/activid_setup.log installation log file.
  1. Update the data sources on your application server:
    2. Note: Configure the data sources only if you are installing ActivID AS locally.
  1. Connect to the JBoss administration interface.
  2. Add the data source (with the parameters specified below) and reload the configuration:

A data source must be defined for each ActivID AS Security Domain.

If you are deploying multiple Security Domains, then the following steps must be completed for each domain with the following parameters:

  • Data Source Name – 4TRESSDataSource<Security Domain>
  • Driver Name – oracle
  • Connection URL – the value of Connection URL provided in the Datasource configuration section of the activid_deploy_info.txt file.

    Typically, jdbc:oracle:thin:@//<database hostname>:<port>/<database service>

  • JNDI Name – java:/jdbc/4TRESS/<Security Domain>
  • Username – <Security Domain>
  • Password – <Masked security domain password>
Copy 
<JBOSS_HOME>/bin/jboss-cli.sh -c
data-source add
--name=<Data Source Name>
--driver-name=<Driver Name>
--connection-url=<Connection URL>
--jndi-name=<JNDI NAME>
--user-name=<Username>
--password=<Password>
--min-pool-size=1
--max-pool-size=100
--use-java-context=false
--enabled=true
reload
  1. Test the database connection using the following command:
Copy 
<JBOSS_HOME>/bin/jboss-cli.sh -c
/subsystem=datasources/data-source=<Data Source Name>:test-connection-in-pool
Note: For security reasons, it is strongly recommended that you encrypt the security domain password using the JBoss password vault.
Note: ActivID AS installation on a WebSphere application server only supports deployment with an Oracle database.

A data source must be defined for each ActivID AS Security Domain. If you are deploying multiple Security Domains, then the following steps must be completed for each domain.

Deployment details can be found in the JDBC resources section of the activid_deploy_info.txt file.

  1. Log on to the WebSphere Administration Console.
  2. In the navigation pane, expand the Security node and select Global security.
  3. In the Authentication section, expand Java Authentication and Authorization Service and click J2C authentication data, and click New….
  4. Enter the following values to define the data source:
    • Alias = <DOMAIN_NAME> − can use any name
    • User ID = <DOMAIN NAME>− must match the database username
    • Password = <password> − must match the database password
  5. Click OK and then save your changes.
  6. In the navigation pane, expand the Resources and JDBC nodes and click JDBC providers.
  7. Select the scope (that is, Cell=<cellname>) and click New.
  8. Click the name of the newly created JDBC provider (database JDBC Driver) and, under Additional Properties, click Data sources.
  9. Click New….
  10. Enter the value jdbc/4TRESS/<DOMAIN> in the JNDI name field, where <DOMAIN> is the name of the security domain for which you are defining the JDBC provider and data source and click Next.
  11. Enter the following values and click Next:
    • URL – value of URL provided in the in the JDBC resources section of the activid_deploy_info.txt file.

      Typically, jdbc:oracle:thin:@//<database hostname>:<port>/<database service name>

    • Data Store helper class name − database data store helper
    • Clear the Use this data in container managed persistence option
  12. From the Component-managed authentication alias drop-down list, select the alias corresponding to your cell (<cellnode>/<DOMAIN>), and click Next.
  13. Click Finish and then save your changes.
  14. Select the check box for the data source, and then click Test connection.
  15. Repeat the above steps for each security domain.
  1. Restart the ActivID AS applications.
  2. Launch the manageDomains.sh script again using the following command (for post-installation processing) and enter the security domain name when prompted:
Copy 
<ACTIVID_HOME>/ActivID_AS/bin/manageDomains.sh –p
  1. Restart all the ActivID AS applications.

Update a Security Domain

To update the security domain of the ActivID AS installation:

  1. Open a terminal as ftadmin.
  2. Launch the manageDomains.sh script using the following command and enter the security domain name when prompted:
Copy 
<ACTIVID_HOME>/ActivID_AS/bin/manageDomains.sh –u
  1. Review the /home/ftadmin/activid_setup.log installation log file.
  2. Restart all the ActivID AS applications.

The Force update option (-F) should only be used by HID Global Technical Support to re-install previous updates (for example, if an error occurred when an update was originally applied).

  1. Open a terminal as ftadmin.
  2. Launch the manageDomains.sh script using the following command and enter the security domain name when prompted:
Copy 
<ACTIVID_HOME>/ActivID_AS/bin/manageDomains.sh –u -F
  1. Review the /home/ftadmin/activid_setup.log installation log file.
  2. Restart all the ActivID AS applications.

For further information, contact HID Global Technical Support.

Delete a Security Domain

Important: Deleting a domain deletes all the data associated with the Security Domain, and causes an interruption of service.

To delete the security domain from ActivID AS:

  1. Open a terminal as ftadmin.
  2. Launch the manageDomains.sh script using the following command and enter the security domain name when prompted:
Copy 
<ACTIVID_HOME>/ActivID_AS/bin/manageDomains.sh –d
  1. Review the /home/ftadmin/activid_setup.log installation log file.
  2. In deployments with an Oracle database, remove the data source for the security domain on your application server (refer to the documentation provided with your application server).
  3. Delete the security domain from the database:
Prerequisites: Remove the security domain from ActivID AS as described above before deleting the domain from the database.
  1. Run the /Installation/Database/oracle/scripts/oracle-delete-4tress.sql script to delete a security domain in the set of tablespaces configured in oracle-config-4tress.sql using the following command:
Copy 
@./oracle-delete-4tress.sql <CONNECTION_STRING> <ADMIN_USER> <ADMIN_PASSWORD> <Security Domain> <Security Domain Password> <Archive Security Domain Password>

Where:

  • <CONNECTION_STRING> is the connection string to connect to the ActivID AS database.
  • <ADMIN_USER> is the dedicated installation user.
  • <ADMIN_PASSWORD> is the password of the dedicated installation user.
  • <Security Domain> is the name of security domain.
  • <Security Domain Password> is the password for security domain.
  • <Archive Security Domain Password> is the password for archive user.
Note: The script is executed without logging; it will use the ADMIN_USER account and its password to connect database.
  1. Restart all the ActivID AS applications.

Update the Security Domain Passwords

As the database administrator, renew the database users' passwords before the expiration at the database level.

  1. As the web server administrator, update the JDBC connectors with the new passwords and to check that the database connectivity succeeds.

  2. Stop the ActivID AS instances.

  3. As ftadmin, run the changePasswords.sh script and update and obfuscate the security domain password using the Security domains password menu.

    4. This will update the various obfuscated passwords in the ActivID AS configuration files and allow internal scripts to work silently.

    The new password will be validated before updating the ActivID AS installation.

  4. Restart the ActivID AS instances.

See also:

For instructions on managing security domains in deployments with a RADIUS front end using the manageRFE.sh script, refer to the ActivID Authentication Server RADIUS Front End Solution Guide available from the ActivID Customer Portal.