Skip to main content
Skip table of contents

Initial configuration of Identity Manager (WAR file)

This article includes updates for Identity Manager 5.1.0.

This article describes the initial configuration for Identity Manager WAR deployment installation.

For Smart ID Identity Manager docker installation, see Initial configuration of Smart ID Identity Manager (docker).

Prerequisites

Step-by-step instruction

Log in to Identity Manager Admin

  1. Log in to Identity Manager Admin as a bootstrap administrator, with username admin and password admin.

  2. In Language, select your preferred language.

Upload license file

If a license file has not yet been uploaded, you get a message asking you to do so:

  1. Click Choose file.

  2. Browse for the Identity Manager Admin license file in <delivery folder>\Server\3-licences\. Click Open to view the license details.

  3. Click Save.

Upload configuration file

If you have a ready, customer-specific configuration file in .zip format, you can now upload it.

New from PRIME 3.8.1: To be able to properly view and upload a configuration file, you must first edit the admin user and make the setting described in step 5 and 6 under heading "Create users for administration". When you have done the setting, log out and log in to PRIME Designer again.

  1. In Identity Manager Admin, go to the Configuration File tab.

  2. Click Upload configuration and then Select file.

  3. Browse for the provided configuration .zip file and then click Open. The configuration is read and checked for syntax. The contents of the configuration are displayed in the popup.

  4. Start the import by clicking Upload. When the upload is completed, close the window with Close.

    The configuration file has now been uploaded.

Symbolic name handling

The handling of symbolic names depends on the source, case, and database. For more information, see Symbolic names in Smart ID Identity Manager

Create users for administration

To create users with administrative rights, follow the instruction below. Several people can be registered as administrators. It is of course important that passwords are kept secret.

When you create users for administration it is necessary to allow the created administrators to see the Configuration File tab. Otherwise it is not possible for them to upload any configuration. This is covered in the steps below and is new from PRIME 3.8.1.

For each user:

  1. Go to Home > User Administration.
    If you have uploaded a configuration, all the users defined in that configuration are now displayed.

  2. Click +New. Enter a User Name, Password, and Full user name.

  3. Click Save + Edit. A view is displayed, that shows the available roles on the left.

  4. Select Administrator on the left. Click the right arrow button to add the Administrator role to the new user.

  5. Select the Permissions tab and then the General tab.

  6. Check Configuration File. This is necessary to allow the created administrators to upload configurations.

  7. Click Save, and close the form.

    The new users will now appear in the User Administration panel.

If only one person or a few persons have administrator rights, then absence, a forgotten password or lost login credentials can lead to administrators being locked out. To avoid this, the login name and credential of an emergency administrator can be stored in a secure place to only be accessed through emergency procedures.

The procedures for managing this emergency login should be defined in the IT security policy of your organization. The double verification principle should be applied, so that no single person can log in themselves with the emergency login.

Define the cron user

Before you can delete the bootstrap administrator, you must do this update in system.properties.

  1. Edit system.properties and update these rows:

    CODE
    cronUsername.encrypted=NEW_ADMIN_USER 
    cronPassword.encrypted=NEW_ADMIN_PW
  2. Restart Tomcat, so the new admin user is used for the scheduler.

Delete bootstrap administrator account

  1. Go to Home > User Administration.

  2. Select the bootstrap administrator, admin.

  3. Click Delete and confirm the deletion with Yes.
    The bootstrap administrator is now deleted, and only the administrators you have created can log in to Identity Manager Admin. When the configuration has also been uploaded to the Identity Manager Operator, the same is also valid there.

    The customization of the application is now complete and Identity Manager is ready for operation.

Settings for client authentication

If you use client authentication to log in to Identity Manager or Smart ID Self-Service, such as browser-based smart card or soft token login, do the following to avoid failure of CA connector calls during card production with Identity Manager and CardSDK:

  1. Open the file system.properties for editing.

  2. Specify https ports without client authentication for CA connector calls and JPKIEncoder downloads by CardSDK:

    CODE
    # if you use client-auth to log into Identity Manager or Smart ID Self-Service you need to configure overrides to non-client-auth HTTPS ports here,
    # otherwise the CardSDK trying to download the JPKIEncoder or the JPKIEncoder calling an integrated CA connector will not be able to connect
    
    # for JPKIEncoder download:
    webappUrlInfo.httpsOverridePort=18443
    
    # for CA connector calls:
    webServer.httpsOverridePort=18443
  3. A login request into an Identity Manager application is redirect to dedicated URLs where the actual authentication happens.

    1. A login using a client certificate requires a dedicated HTTP connector which is configurable in the server.xml of the Apache Tomcat. You need to declare this port to IDM by setting:

      CODE
      # Informs IDM which port to use for Client Certificate Authentication. This must match the configured connector in your Tomcat's server.xml.
      login.certificateLoginPort=8444
    2. If an error occurs (for example invalid certificate, wrong credentials etc.) you get back to the login page where an error message is displayed. You can then try to log in again. If there is a certificate-based login error, the Identity Manager application needs to know which HTTP connector of your Apache Tomcat that displays the login page, that is, the standard connector. Add the following settings in system.properties to specify the standard HTTP connector:

      CODE
      # Informs IDM which port and scheme match the standard connector of your Tomcat's server.xml.
      login.standardLoginPort=8443
      login.standardLoginScheme=https

The settings above are the defaults. Make sure they match a HTTP connector of the Tomcat.

Settings for proxy usage

In system.properties, the proxy setting idmDeploymentWithoutProxy can be set to true or false depending on how Identity Manager is deployed.

When Identity Manager is deployed as a WAR file, make sure to set idmDeploymentWithoutProxy to true, which means that the application is running without a proxy and handles forwarded headers in its own filter chain.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.