Administrative Users
The default IDM administrative user is openidm-admin. In a production environment, you might want to replace this user with a managed or internal user with the same roles, specifically the openidm-admin and openidm-authorized roles.

You can create either an internal or managed user with the same roles as the default openidm-admin user. To add these roles to an existing managed user, see "Grant Internal Authorization Roles Manually". The following procedure creates a new administrative internal user (admin):

1. Create an internal user:

curl \
  --header "X-OpenIDM-Username: openidm-admin" \
  --header "X-OpenIDM-Password: openidm-admin" \
  --header "Accept-API-Version: resource=1.0" \
  --header "Content-Type: application/json" \
  --cacert ca-cert.pem \
  --request PUT \
  --data '{
    "password": "Passw0rd"
  }' \
  "https://localhost:8443/openidm/internal/user/admin"

{
  "_id": "admin",
  "_rev": "00000000210f6746"
}

2. Add a STATIC_USER authentication module to the authentication configuration. Either edit the conf/authentication.json file and add the following module to the authModules array:

{
  "name" : "STATIC_USER",
  "properties" : {
    "queryOnResource" : "internal/user",
    "username" : "admin",
    "password" : "Passw0rd",
    "defaultUserRoles" : [
      "internal/role/openidm-authorized",
      "internal/role/openidm-admin"
    ]
  },
  "enabled" : true
}

or add the module over REST:

curl \
  --header "X-OpenIDM-Username: openidm-admin" \
  --header "X-OpenIDM-Password: openidm-admin" \
  --header "Content-Type: application/json" \
  --header "Accept-API-Version: resource=1.0" \
  --cacert ca-cert.pem \
  --request PATCH \
  --data '[
    {
      "operation": "add",
      "field": "/serverAuthContext/authModules/-",
      "value": {
        "name" : "STATIC_USER",
        "properties" : {
          "queryOnResource" : "internal/user",
          "username" : "admin",
          "password" : "Passw0rd",
          "defaultUserRoles" : [
            "internal/role/openidm-authorized",
            "internal/role/openidm-admin"
          ]
        },
        "enabled" : true
      }
    }
  ]' \
  "https://localhost:8443/openidm/config/authentication"

{
  "_id": "authentication",
  "serverAuthContext": {
    ...
    "authModules": [
      ...
      {
        "name": "STATIC_USER",
        "properties": {
          "queryOnResource": "internal/user",
          "username": "admin",
          "password": "{encrypted password}",
          "defaultUserRoles": [
            "internal/role/openidm-authorized",
            "internal/role/openidm-admin"
          ]
        },
        "enabled": true
      },
      ...
    ]
  }
}

IDM encrypts the password when it stores the configuration, as the "{encrypted password}" placeholder in the response indicates; the cleartext value appears only in the request you send.

3. To verify the changes, perform a REST call or log in to the Admin UI as the new admin user. For example, query the list of internal users:

curl \
  --header "X-OpenIDM-Username: admin" \
  --header "X-OpenIDM-Password: Passw0rd" \
  --header "Accept-API-Version: resource=1.0" \
  --cacert ca-cert.pem \
  --request GET \
  "https://localhost:8443/openidm/internal/user?_queryFilter=true"

{
  "result": [
    {
      "_id": "admin",
      "_rev": "00000000f8e1665a"
    }
  ],
  ...
}

4. (Optional) After you have verified the new admin user, you can delete or disable the openidm-admin user.

To delete the openidm-admin user:

a. Delete the openidm-admin object:

curl \
  --header "X-OpenIDM-Username: admin" \
  --header "X-OpenIDM-Password: Passw0rd" \
  --header "Accept-API-Version: resource=1.0" \
  --cacert ca-cert.pem \
  --request DELETE \
  "https://localhost:8443/openidm/internal/user/openidm-admin"

{
  "_id": "openidm-admin",
  "_rev": "00000000210f6746"
}

b. Delete the authentication module for "username" : "openidm-admin". Either edit the conf/authentication.json file and delete:

{
  "name" : "STATIC_USER",
  "properties" : {
    "queryOnResource" : "internal/user",
    "username" : "openidm-admin",
    "password" : "&{openidm.admin.password}",
    "defaultUserRoles" : [
      "internal/role/openidm-authorized",
      "internal/role/openidm-admin"
    ]
  },
  "enabled" : true
}

or remove it over REST. First get the current authentication configuration:

curl \
  --header "X-OpenIDM-Username: openidm-admin" \
  --header "X-OpenIDM-Password: openidm-admin" \
  --header "Accept-API-Version: resource=1.0" \
  --cacert ca-cert.pem \
  --request GET \
  "https://localhost:8443/openidm/config/authentication"

{
  "_id": "authentication",
  "serverAuthContext": {
    ...
    "authModules": [
      ...
      {
        "name": "STATIC_USER",
        "properties": {
          "queryOnResource": "internal/user",
          "username": "openidm-admin",
          "password": "&{openidm.admin.password}",
          "defaultUserRoles": [
            "internal/role/openidm-authorized",
            "internal/role/openidm-admin"
          ]
        },
        "enabled": true
      },
      ...
    ]
  }
}

Then remove the authentication module for "username" : "openidm-admin", and replace the authentication configuration:

curl \
  --header "X-OpenIDM-Username: openidm-admin" \
  --header "X-OpenIDM-Password: openidm-admin" \
  --header "Accept-API-Version: resource=1.0" \
  --header "Content-Type: application/json" \
  --cacert ca-cert.pem \
  --request PUT \
  --data '{
    "_id": "authentication",
    "serverAuthContext": {
      "sessionModule": {
        "name": "JWT_SESSION",
        "properties": {
          "maxTokenLifeMinutes": 120,
          "tokenIdleTimeMinutes": 30,
          "sessionOnly": true,
          "isHttpOnly": true,
          "enableDynamicRoles": false
        }
      },
      "authModules": [
        {
          "name": "STATIC_USER",
          "properties": {
            "queryOnResource": "internal/user",
            "username": "anonymous",
            "password": {
              "$crypto": {
                "type": "x-simple-encryption",
                "value": {
                  "cipher": "AES/CBC/PKCS5Padding",
                  "stableId": "openidm-sym-default",
                  "salt": "xBlTp67ze4Ca5LTocXOpoA==",
                  "data": "mdibV6UabU2M+M5MK7bjFQ==",
                  "keySize": 16,
                  "purpose": "idm.config.encryption",
                  "iv": "36D2+FumKbaUsndNQ+/+5w==",
                  "mac": "ZM8GMnh0n80QwtSH6QsNmA=="
                }
              }
            },
            "defaultUserRoles": [
              "internal/role/openidm-reg"
            ]
          },
          "enabled": true
        },
        {
          "name": "STATIC_USER",
          "properties": {
            "queryOnResource": "internal/user",
            "username": "admin",
            "password": "{encrypted password}",
            "defaultUserRoles": [
              "internal/role/openidm-authorized",
              "internal/role/openidm-admin"
            ]
          },
          "enabled": true
        },
        {
          "name": "MANAGED_USER",
          "properties": {
            "augmentSecurityContext": {
              "type": "text/javascript",
              "source": "require('"'"'auth/customAuthz'"'"').setProtectedAttributes(security)"
            },
            "queryId": "credential-query",
            "queryOnResource": "managed/user",
            "propertyMapping": {
              "authenticationId": "username",
              "userCredential": "password",
              "userRoles": "authzRoles"
            },
            "defaultUserRoles": [
              "internal/role/openidm-authorized"
            ]
          },
          "enabled": true
        },
        {
          "name": "SOCIAL_PROVIDERS",
          "properties": {
            "defaultUserRoles": [
              "internal/role/openidm-authorized"
            ],
            "augmentSecurityContext": {
              "type": "text/javascript",
              "globals": {},
              "file": "auth/populateAsManagedUserFromRelationship.js"
            },
            "propertyMapping": {
              "userRoles": "authzRoles"
            }
          },
          "enabled": true
        }
      ]
    }
  }' \
  "https://localhost:8443/openidm/config/authentication"

c. Prevent the openidm-admin user from being recreated on startup. Delete the following lines from the internal/user array in conf/repo.init.json:

{
  "id" : "openidm-admin",
  "password" : "&{openidm.admin.password}"
}

To disable the openidm-admin user instead of deleting it, change the enabled state of the authentication module for "username" : "openidm-admin". Either edit the conf/authentication.json file:

{
  "name" : "STATIC_USER",
  "properties" : {
    "queryOnResource" : "internal/user",
    "username" : "openidm-admin",
    "password" : "&{openidm.admin.password}",
    "defaultUserRoles" : [
      "internal/role/openidm-authorized",
      "internal/role/openidm-admin"
    ]
  },
  "enabled" : false
}

or change it over REST. First get the current authentication configuration:

curl \
  --header "X-OpenIDM-Username: openidm-admin" \
  --header "X-OpenIDM-Password: openidm-admin" \
  --header "Accept-API-Version: resource=1.0" \
  --cacert ca-cert.pem \
  --request GET \
  "https://localhost:8443/openidm/config/authentication"

{
  "_id": "authentication",
  "serverAuthContext": {
    ...
    "authModules": [
      ...
      {
        "name": "STATIC_USER",
        "properties": {
          "queryOnResource": "internal/user",
          "username": "openidm-admin",
          "password": "&{openidm.admin.password}",
          "defaultUserRoles": [
            "internal/role/openidm-authorized",
            "internal/role/openidm-admin"
          ]
        },
        "enabled": true
      },
      ...
    ]
  }
}

Then change the enabled state of the authentication module for "username" : "openidm-admin", and replace the authentication configuration:

curl \
  --header "X-OpenIDM-Username: openidm-admin" \
  --header "X-OpenIDM-Password: openidm-admin" \
  --header "Accept-API-Version: resource=1.0" \
  --header "Content-Type: application/json" \
  --cacert ca-cert.pem \
  --request PUT \
  --data '{
    "_id": "authentication",
    "serverAuthContext": {
      "sessionModule": {
        "name": "JWT_SESSION",
        "properties": {
          "maxTokenLifeMinutes": 120,
          "tokenIdleTimeMinutes": 30,
          "sessionOnly": true,
          "isHttpOnly": true,
          "enableDynamicRoles": false
        }
      },
      "authModules": [
        {
          "name": "STATIC_USER",
          "properties": {
            "queryOnResource": "internal/user",
            "username": "anonymous",
            "password": {
              "$crypto": {
                "type": "x-simple-encryption",
                "value": {
                  "cipher": "AES/CBC/PKCS5Padding",
                  "stableId": "openidm-sym-default",
                  "salt": "xBlTp67ze4Ca5LTocXOpoA==",
                  "data": "mdibV6UabU2M+M5MK7bjFQ==",
                  "keySize": 16,
                  "purpose": "idm.config.encryption",
                  "iv": "36D2+FumKbaUsndNQ+/+5w==",
                  "mac": "ZM8GMnh0n80QwtSH6QsNmA=="
                }
              }
            },
            "defaultUserRoles": [
              "internal/role/openidm-reg"
            ]
          },
          "enabled": true
        },
        {
          "name": "STATIC_USER",
          "properties": {
            "queryOnResource": "internal/user",
            "username": "openidm-admin",
            "password": "&{openidm.admin.password}",
            "defaultUserRoles": [
              "internal/role/openidm-authorized",
              "internal/role/openidm-admin"
            ]
          },
          "enabled": false
        },
        {
          "name": "MANAGED_USER",
          "properties": {
            "augmentSecurityContext": {
              "type": "text/javascript",
              "source": "require('"'"'auth/customAuthz'"'"').setProtectedAttributes(security)"
            },
            "queryId": "credential-query",
            "queryOnResource": "managed/user",
            "propertyMapping": {
              "authenticationId": "username",
              "userCredential": "password",
              "userRoles": "authzRoles"
            },
            "defaultUserRoles": [
              "internal/role/openidm-authorized"
            ]
          },
          "enabled": true
        },
        {
          "name": "SOCIAL_PROVIDERS",
          "properties": {
            "defaultUserRoles": [
              "internal/role/openidm-authorized"
            ],
            "augmentSecurityContext": {
              "type": "text/javascript",
              "globals": {},
              "file": "auth/populateAsManagedUserFromRelationship.js"
            },
            "propertyMapping": {
              "userRoles": "authzRoles"
            }
          },
          "enabled": true
        }
      ]
    }
  }' \
  "https://localhost:8443/openidm/config/authentication"
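The hand-over above touches three places (the new STATIC_USER module, the openidm-admin module's enabled state or removal, and the repo.init.json seed entry), and missing any one of them leaves the default account usable. The following is an added example written for this page, not IDM product code or part of its documentation: it builds the same PATCH body the procedure sends, applies the "disable" and "prevent recreation" steps to in-memory copies of conf/authentication.json and conf/repo.init.json, and audits the result. The sample documents are constructed from the page's snippets and model only the keys the checks read (repo.init.json is reduced to its internal/user array); every function name is this example's own.

```python
"""Consistency checks for handing administration from openidm-admin to a new
internal user.  Added example, not IDM product code or part of its docs: it
inspects in-memory copies of conf/authentication.json and conf/repo.init.json.
The sample documents are constructed from the page's snippets and model only
the keys these checks read; repo.init.json is reduced to its internal/user
array.  All function names are this example's own."""
import copy

REQUIRED_ADMIN_ROLES = {"internal/role/openidm-authorized", "internal/role/openidm-admin"}

# Constructed: authentication.json as shipped, default admin module still enabled.
SAMPLE_AUTH_CONFIG = {
    "_id": "authentication",
    "serverAuthContext": {
        "sessionModule": {"name": "JWT_SESSION", "properties": {"maxTokenLifeMinutes": 120}},
        "authModules": [{
            "name": "STATIC_USER",
            "properties": {
                "queryOnResource": "internal/user",
                "username": "openidm-admin",
                "password": "&{openidm.admin.password}",
                "defaultUserRoles": ["internal/role/openidm-authorized", "internal/role/openidm-admin"],
            },
            "enabled": True,
        }],
    },
}

# Constructed: the internal/user array of repo.init.json before the procedure.
SAMPLE_REPO_INIT = {"internal/user": [
    {"id": "openidm-admin", "password": "&{openidm.admin.password}"},
    {"id": "anonymous", "password": "anonymous"},
]}


def build_static_user_patch(username, password,
                            roles=("internal/role/openidm-authorized", "internal/role/openidm-admin")):
    """JSON Patch body equivalent to the page's PATCH on config/authentication."""
    return [{"operation": "add", "field": "/serverAuthContext/authModules/-", "value": {
        "name": "STATIC_USER",
        "properties": {"queryOnResource": "internal/user", "username": username,
                       "password": password, "defaultUserRoles": list(roles)},
        "enabled": True,
    }}]


def apply_add_patch(auth_config, patch):
    """Apply the 'append to authModules' operation (the only one modelled here)."""
    updated = copy.deepcopy(auth_config)
    for op in patch:
        if (op["operation"], op["field"]) != ("add", "/serverAuthContext/authModules/-"):
            raise ValueError("only appending to authModules is modelled")
        updated["serverAuthContext"]["authModules"].append(op["value"])
    return updated


def static_user_modules(auth_config):
    """Map username -> (enabled, roles) for every STATIC_USER module."""
    result = {}
    for module in auth_config["serverAuthContext"]["authModules"]:
        if module.get("name") == "STATIC_USER":
            props = module.get("properties", {})
            result[props.get("username")] = (bool(module.get("enabled")),
                                             set(props.get("defaultUserRoles", [])))
    return result


def set_module_enabled(auth_config, username, enabled):
    """The page's 'disable' path: flip enabled on the STATIC_USER module for username."""
    updated = copy.deepcopy(auth_config)
    for module in updated["serverAuthContext"]["authModules"]:
        if module.get("name") == "STATIC_USER" and module["properties"].get("username") == username:
            module["enabled"] = enabled
    return updated


def remove_seed_user(repo_init, user_id):
    """The page's 'prevent recreation' step: drop the seed entry from repo.init.json."""
    updated = copy.deepcopy(repo_init)
    updated["internal/user"] = [u for u in updated["internal/user"] if u.get("id") != user_id]
    return updated


def audit_admin_bootstrap(auth_config, repo_init, new_admin="admin", legacy_admin="openidm-admin"):
    """Return findings as strings; an empty list means the hand-over is complete."""
    findings = []
    modules = static_user_modules(auth_config)
    legacy = modules.get(legacy_admin)
    if legacy and legacy[0]:
        findings.append(f"STATIC_USER module for {legacy_admin} is still enabled")
    if any(u.get("id") == legacy_admin for u in repo_init.get("internal/user", [])):
        findings.append(f"repo.init.json still seeds {legacy_admin}; it will be recreated on startup")
    replacement = modules.get(new_admin)
    if replacement is None:
        findings.append(f"no STATIC_USER module for {new_admin}")
    elif not replacement[0]:
        findings.append(f"STATIC_USER module for {new_admin} is disabled")
    elif not REQUIRED_ADMIN_ROLES <= replacement[1]:
        missing = sorted(REQUIRED_ADMIN_ROLES - replacement[1])
        findings.append(f"{new_admin} lacks roles: {', '.join(missing)}")
    return findings
```

Run audit_admin_bootstrap against the shipped sample and it reports all three gaps; after apply_add_patch with build_static_user_patch("admin", "Passw0rd"), set_module_enabled(..., "openidm-admin", False) and remove_seed_user(..., "openidm-admin") it returns an empty list. Because the "delete module" path removes the openidm-admin entry entirely, the audit treats an absent module the same as a disabled one, so it validates either variant of step 4.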