NetIQ Identity Governance (Access Review) Driver Install & Configuration Notes
During an installation and configuration of the Access Review driver in an IdM environment using OSP as an authentication source we learned that there were details needed to successfully configure the driver that were not available in the NetIQ User Guides.
The NetIQ Identity Governance User Guide discusses the integration of IdM (Identity Manager) and IdG (Identity Governance) in detail. The guide discusses how the Identity Governance driver (actually called the NetIQ IdM Driver for NetIQ Access Review) can be used to provision data and users collected by IdG to/from IdM. Chapter 14 of the NetIQ Identity Governance User Guide provides details of the synchronization between IdG and IdM. This chapter references the NetIQ IdM Driver for Access Review Installation and Configuration Guide.
The second installation guide explains the IdM Access Review driver and discusses the steps to set the driver up in an IdM environment. However, the section which describes the actual installation of the driver lacks important details needed to successfully configure the driver.
We completed the installation of the Access Review driver (by going through the driver setup wizard), and then deployed the driver as the document instructs. After the driver was deployed, we then attempted to start the driver, but the startup failed with the following error message in the driver trace log:
DirXML Log Event -------------------
     Driver:   \IDMW-DEV\IDMW\System\DriverSet\AccessReview
     Channel:  Publisher
     Status:   Fatal
     Message:  <description>Unable to authenticate to Access Review. Validate Access Review Connection and Authentication parameters.</description>
We had previously completed the installation of IdM UserApp and OSP on a second server and were trying to utilize the OSP installation to provide the authentication for Access Review. The driver would not start because it could not authenticate the proper credentials for the Access Review Data Administrator. The Access Review Data Administrator user account was defined in the setup of the driver, but the details provided in the installation guide did not clearly indicate what the various portions of the configuration screen needed.
Driver Installation & Configuration
The driver installation wizard (in Designer) steps through the creation of the Access Review driver in a similar fashion to other drivers being added to an IdM project. One of the steps of the driver installation asks for the information that can later be accessed in the various tabs of the “Driver Configuration” section of the driver properties. Figure 1 provides a screenshot of this step in the driver installation wizard.
The various components configured in this screen are as follows:
Application Authentication – the “Authentication ID” & password for the driver itself.
Database connection information – the ardbhost:ardbport placeholders need to be configured with the proper database host and port.
UserApp connection information – Driver DN, provisioning URL, and UserApp user & credentials.
Access Review connection information – the URL entered here is the URL that provides the authentication for Access Review. The default is “arhost”; however, if you are using OSP, this must be the URL used for that OSP authentication. The user name here is the Access Review administrative user previously configured during the IdG installation.
The demonstration installation had IdG configured (arhost) on a server with an IP address of 10.0.2.13 and UserApp and OSP configured on a server with an IP address of 10.0.2.12. To get the driver to authenticate properly and ultimately run, the Access Review URL needed to point to the OSP server (and port) and not to the arhost as suggested by the wizard.
We set up the demonstration driver not to connect to a Remote Loader. Because of this, one additional item needed to be configured for this driver to work properly. The name of the Java class (com.novell.nds.dirxml.driver.arshim.AccessReviewDriverShim) needed to be added because it was not filled in by default. It is the same shim used if a Remote Loader were in use, but it did not populate automatically. The screenshot below shows the name of the Java class required for the configuration of the demo driver.
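As an added example (not part of these notes or of the NetIQ product), the following Python parses a DirXML trace-log event of the shape shown above, recognises the fatal Access Review authentication failure, and runs the two configuration checks these notes describe against a hypothetical dict of the wizard fields (the dict keys and the sample URL are assumptions; the host values mirror the demo environment).

```python
"""Parse DirXML trace-log events and flag the Access Review driver startup
failure described in these notes.  The sample event is constructed from the
message quoted above; cfg keys are hypothetical, not a real driver API."""
import re
from urllib.parse import urlparse

# Constructed sample: one event block as it appears in the driver trace log.
SAMPLE_EVENT = """DirXML Log Event -------------------
     Driver:   \\IDMW-DEV\\IDMW\\System\\DriverSet\\AccessReview
     Channel:  Publisher
     Status:   Fatal
     Message:  <description>Unable to authenticate to Access Review. Validate Access Review Connection and Authentication parameters.</description>"""

FIELD_RE = re.compile(r"^\s*(Driver|Channel|Status|Message):\s*(.*)$", re.M)
DESC_RE = re.compile(r"<description>(.*?)</description>", re.S)

def parse_log_event(text):
    """Return the Driver/Channel/Status/Message fields of one DirXML Log Event.
    The <description> wrapper around Message is stripped when present."""
    fields = {k: v.strip() for k, v in FIELD_RE.findall(text)}
    m = DESC_RE.search(fields.get("Message", ""))
    if m:
        fields["Message"] = m.group(1).strip()
    return fields

def is_access_review_auth_failure(event):
    """True for the Fatal 'Unable to authenticate to Access Review' event."""
    return (event.get("Status") == "Fatal"
            and "Unable to authenticate to Access Review" in event.get("Message", ""))

def check_driver_config(cfg):
    """Flag the two wizard gaps these notes describe: an Access Review URL that
    still points at arhost although OSP does the authentication, and a missing
    Java class when no Remote Loader is used.  Returns a list of findings."""
    problems = []
    ar_host = urlparse(cfg.get("access_review_url", "")).hostname
    if cfg.get("uses_osp") and ar_host and ar_host != cfg.get("osp_host"):
        problems.append("Access Review URL points at %s, not the OSP host %s"
                        % (ar_host, cfg.get("osp_host")))
    if not cfg.get("remote_loader") and not cfg.get("java_class"):
        problems.append("Java class is empty; expected "
                        "com.novell.nds.dirxml.driver.arshim.AccessReviewDriverShim")
    return problems

if __name__ == "__main__":
    ev = parse_log_event(SAMPLE_EVENT)
    print(ev)
    if is_access_review_auth_failure(ev):
        # Hypothetical wizard values reproducing the demo's failing state.
        demo = {"uses_osp": True, "osp_host": "10.0.2.12", "remote_loader": False,
                "access_review_url": "https://10.0.2.13/", "java_class": ""}
        for p in check_driver_config(demo):
            print("-", p)
```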
Additional documentation for Access Review / Identity Governance v 2.5 can be found on the MicroFocus/NetIQ website (requires MicroFocus Account & Authentication): https://www.netiq.com/documentation/access-review-25/