Securing IDM Server Files With a Read-Only Installation

One method of locking down the server is to install IDM on a read-only file system.

This section assumes that you have prepared the read-only volume appropriate for your Linux/UNIX installation environment and that you have set up a regular Linux user named idm and a dedicated volume for the /idm directory.

Configure the dedicated volume device, /dev/volume, in the /etc/fstab file as follows (the fstab fields are separated by whitespace, including the final dump and pass fields):

/dev/volume   /idm   ext4   defaults,ro   1 2

When you run the mount -a command, the /dev/volume volume device is mounted on the /idm directory.

You can switch between read-write and read-only mode for the /idm volume with the following commands:

sudo mount -o remount,rw /idm
sudo mount -o remount,ro /idm

Confirm the result with the mount command, which should show that the /idm volume is mounted in read-only mode:

/dev/volume on /idm type ext4 (ro)

Set up the /idm volume in read-write mode:

sudo mount -o remount,rw /idm

With the following commands, unpack the IDM binary into the /idm directory and give user idm ownership of all files in that directory:

sudo unzip /idm/IDM-7.0.1.zip -d /idm
sudo chown -R idm:idm /idm

When you have installed IDM on a read-only file system, redirect audit and logging data to writable volumes. This procedure assumes a user idm with Linux administrative (superuser) privileges.

  1. Create an external directory where IDM can send logging, auditing, and internal repository information:

    sudo mkdir -p /var/log/openidm/audit
    sudo mkdir /var/log/openidm/logs
    sudo mkdir -p /var/cache/openidm/felix-cache
    sudo mkdir /var/run/openidm

    Alternatively, route audit data to a remote data store. For an example of how to send audit data to a MySQL repository, see Direct Audit Information To MySQL.

  2. Give the idm user ownership of the newly created directories:

    sudo chown -R idm:idm /var/log/openidm
    sudo chown -R idm:idm /var/cache/openidm
    sudo chown -R idm:idm /var/run/openidm

  3. Modify the following configuration files:

    conf/audit.json

    Make sure the handlerForQueries is the JSON audit event handler and change the logDirectory property to the /var/log/openidm/audit subdirectory:

    "eventHandlers" : [
        {
            "class" : "org.forgerock.audit.handlers.json.JsonAuditEventHandler",
            "config" : {
                "name" : "json",
                "logDirectory" : "/var/log/openidm/audit",
                ...
            },
            ...
        }
    ]

    conf/logging.properties

    Change the java.util.logging.FileHandler.pattern property as follows:

    java.util.logging.FileHandler.pattern = /var/log/openidm/logs/openidm%u.log

    conf/config.properties

    Activate and redirect the org.osgi.framework.storage property as follows:

    # If this value is not absolute, then the felix.cache.rootdir controls
    # how the absolute location is calculated. (See buildNext property)
    org.osgi.framework.storage=&{felix.cache.rootdir|&{user.dir}}/felix-cache
    
    # The following property is used to convert a relative bundle cache
    # location into an absolute one by specifying the root to prepend to
    # the relative cache path. The default for this property is the
    # current working directory.
    felix.cache.rootdir=/var/cache/openidm

Note

You might want to set up additional redirection for the following:

  • Connectors. Depending on the connector, and the read-only volume, consider configuring connectors to direct output to writable volumes.

  • Scripts. If you are using Groovy, examine the conf/script.json file for your project. Make sure that output locations such as groovy.target.directory point to an appropriate writable location, such as idm.data.dir.

Adjust the value of the OPENIDM_PID_FILE in the startup.sh and shutdown.sh scripts.

For RHEL 6 and Ubuntu 14.04 systems, the default shell is bash. You can set the value of OPENIDM_PID_FILE for user idm by adding the following line to /home/idm/.bashrc:

export OPENIDM_PID_FILE=/var/run/openidm/openidm.pid

If you have set up a different command line shell, adjust your changes accordingly.

When you log in again as user idm, the OPENIDM_PID_FILE variable redirects the process identifier file, openidm.pid, to the /var/run/openidm directory, where the shutdown.sh script can access it.

While the volume is still mounted in read-write mode, start IDM normally:

./startup.sh -p project-dir

The first startup of IDM either processes the signed certificate that you added, or generates a self-signed certificate, and encrypts any passwords in the various configuration files.

Stop IDM if it is running.

You can now mount the /idm directory in read-only mode. The configuration in /etc/fstab ensures that Linux mounts the /idm directory in read-only mode the next time the system is booted.

sudo mount -o remount,ro /idm

You can now start IDM, configured on a secure read-only volume.

./startup.sh -p project-dir
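As an added check that is not part of the IDM documentation or product, the following POSIX shell script verifies the end state of this procedure: /idm mounted read-only, the writable directories owned by idm, the two .properties redirections in place, and OPENIDM_PID_FILE pointing into /var/run/openidm. It assumes the paths used above and that the project directory passed to it contains conf/; the function names are my own.

```shell
#!/bin/sh
# Post-install checks for the read-only IDM layout described in this procedure.
# Added example, not IDM's own code; assumes the paths used above.

# mount_is_ro MOUNTPOINT MOUNT_OUTPUT: succeed if MOUNT_OUTPUT (text printed by
# `mount`, e.g. "/dev/volume on /idm type ext4 (ro)") lists MOUNTPOINT with "ro".
mount_is_ro() {
  printf '%s\n' "$2" | awk -v mp="$1" '
    $3 == mp { gsub(/[()]/, "", $6); n = split($6, o, ",")
               for (i = 1; i <= n; i++) if (o[i] == "ro") found = 1 }
    END { exit (found ? 0 : 1) }'
}

# dir_owned_writable DIR USER: succeed if DIR exists, is owned by USER and the
# owner has write permission, so the idm user can log and cache there.
dir_owned_writable() {
  [ -d "$1" ] && ls -ld "$1" |
    awk -v u="$2" '$3 == u && substr($1, 3, 1) == "w" { ok = 1 } END { exit (ok ? 0 : 1) }'
}

# property_is FILE KEY VALUE: succeed if the last uncommented KEY line of a Java
# .properties file sets it to exactly VALUE (whitespace around "=" is ignored).
property_is() {
  awk -v k="$2" -v v="$3" -F= '/^[[:space:]]*#/ { next }
    { key = $1; gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
      if (key == k) { val = substr($0, index($0, "=") + 1)
        gsub(/^[[:space:]]+|[[:space:]]+$/, "", val); ok = (val == v) } }
    END { exit (ok ? 0 : 1) }' "$1"
}

# pidfile_redirected VALUE: succeed if the PID file path is under /var/run/openidm.
pidfile_redirected() { case $1 in /var/run/openidm/*.pid) return 0 ;; *) return 1 ;; esac; }

# verify_readonly_layout PROJECT_DIR: run all checks against the live system after
# the final "remount,ro"; print each failure and return non-zero if any check fails.
verify_readonly_layout() {
  rc=0
  mount_is_ro /idm "$(mount)" || { echo "FAIL: /idm is not mounted read-only"; rc=1; }
  for d in /var/log/openidm/audit /var/log/openidm/logs \
           /var/cache/openidm/felix-cache /var/run/openidm; do
    dir_owned_writable "$d" idm || { echo "FAIL: $d is not owned/writable by idm"; rc=1; }
  done
  property_is "$1/conf/logging.properties" java.util.logging.FileHandler.pattern \
    /var/log/openidm/logs/openidm%u.log || { echo "FAIL: logging.properties pattern"; rc=1; }
  property_is "$1/conf/config.properties" felix.cache.rootdir /var/cache/openidm ||
    { echo "FAIL: config.properties felix.cache.rootdir"; rc=1; }
  pidfile_redirected "${OPENIDM_PID_FILE:-}" || { echo "FAIL: OPENIDM_PID_FILE not redirected"; rc=1; }
  return $rc
}
```

Source the script as user idm and run `verify_readonly_layout /idm/project-dir` (or your own project directory) before starting IDM from the read-only volume.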