Securing IDM Server Files With a Read-Only Installation
One method of locking down the server is to install IDM on a read-only file system.
This section assumes that you have prepared the read-only volume appropriate for your Linux/UNIX installation environment and that you have set up a regular Linux user named idm
and a dedicated volume for the /idm
directory.
Configure the dedicated volume device, /dev/volume
in the /etc/fstab
file, as follows:
/dev/volume /idm ext4 ro,defaults 1,2
When you run the mount -a command, the /dev/volume
volume device is mounted on the /idm
directory.
You can switch between read-write and read-only mode for the /idm
volume with the following commands:
sudo mount -o remount,rw /idm
sudo mount -o remount,ro /idm
Confirm the result with the mount command, which should show that the /idm
volume is mounted in read-only mode:
/dev/volume on /idm type ext4 (ro)
Set up the /idm
volume in read-write mode:
sudo mount -o remount,rw /idm
With the following commands, you can unpack the IDM binary in the /idm
directory, and give user idm
ownership of all files in that directory:
sudo unzip /idm/IDM-7.0.4.zip
sudo chown -R idm.idm /idm
When you have installed IDM on a read-only file system, redirect audit and logging data to writable volumes. This procedure assumes a user idm
with Linux administrative (superuser) privileges.
Create an external directory where IDM can send logging, auditing, and internal repository information:
sudo mkdir -p /var/log/openidm/audit sudo mkdir /var/log/openidm/logs sudo mkdir -p /var/cache/openidm/felix-cache sudo mkdir /var/run/openidm
Alternatively, route audit data to a remote data store. For an example of how to send audit data to a MySQL repository, see Direct Audit Information To MySQL.
Give the
idm
user ownership of the newly created directories:sudo chown -R idm.idm /var/log/openidm sudo chown -R idm.idm /var/cache/openidm sudo chown -R idm.idm /var/run/openidm
Modify the following configuration files:
- conf/audit.json
Make sure the
handlerForQueries
is the JSON audit event handler and change thelogDirectory
property to the/var/log/openidm/audit
subdirectory:"eventHandlers" : [ { "class" : "org.forgerock.audit.handlers.json.JsonAuditEventHandler", "config" : { "name" : "json", "logDirectory" : "/var/log/openidm/audit", ... }, ... } ]
- conf/logging.properties
Change the
java.util.logging.FileHandler.pattern
property as follows:java.util.logging.FileHandler.pattern = /var/log/openidm/logs/openidm%u.log
- conf/config.properties
Activate and redirect the
org.osgi.framework.storage
property as follows:# If this value is not absolute, then the felix.cache.rootdir controls # how the absolute location is calculated. (See buildNext property) org.osgi.framework.storage=&{felix.cache.rootdir|&{user.dir}}/felix-cache # The following property is used to convert a relative bundle cache # location into an absolute one by specifying the root to prepend to # the relative cache path. The default for this property is the # current working directory. felix.cache.rootdir=/var/cache/openidm
Note
You might want to set up additional redirection for the following:
Connectors. Depending on the connector, and the read-only volume, consider configuring connectors to direct output to writable volumes.
Scripts. If you are using Groovy, examine the
conf/script.json
file for your project. Make sure that output such as to thegroovy.target.directory
is directed to an appropriate location, such asidm.data.dir
.
Adjust the value of the OPENIDM_PID_FILE
in the startup.sh
and shutdown.sh
scripts.
For RHEL 6 and Ubuntu 14.04 systems, the default shell is bash. You can set the value of OPENIDM_PID_FILE
for user idm
by adding the following line to /home/idm/.bashrc
:
export OPENIDM_PID_FILE=/var/run/openidm/openidm.pid
If you have set up a different command line shell, adjust your changes accordingly.
When you log in again as user idm
, your OPENIDM_PID_FILE
variable should redirect the process identifier file, openidm.pid
to the /var/run/openidm
directory, ready for access by the shutdown.sh
script.
While the volume is still mounted in read-write mode, start IDM normally:
./startup.sh -p project-dir
The first startup of IDM either processes the signed certificate that you added, or generates a self-signed certificate, and encrypts any passwords in the various configuration files.
Stop IDM if it is running.
You can now mount the /idm
directory in read-only mode. The configuration in /etc/fstab
ensures that Linux mounts the /idm
directory in read-only mode the next time that system is booted.
sudo mount -o remount,ro /idm
You can now start IDM, configured on a secure read-only volume.
./startup.sh -p project-dir