ISIQ User Guide (presentation)


Agenda
•Overview of ISIQ
•Installation and Configuration of ISIQ
•Integrate ISIM and IGI using ISIQ
•Useful links
•Q&A
•The ISIQ application is composed of many Docker containers. These containers are bundled into four Docker “stacks”: Broker, Connect(ions), App and Logs.
•A set of yml (YAML) files describes the stacks and the container configuration.
•Because ISIQ is built as a highly available component, it is designed for multiple instances to work together, and the shipped yml files describe three instances of ISIQ.
•For simple environments, such as the one used in the labs, there is a set of single-node yml files in <install-dir>/yml/single_node.
•ISIQ supports cross-product integration for ISIM, IGI, CI, an external application and IBM Cloud Identity Analyze.
•ISIQ relies on two types of containers: stateful and stateless.
•Docker Swarm can manage a cluster of Docker nodes with the benefits of redundancy, failover, and scaling.
•Docker supports adding and removing nodes, changing whether a node acts as a manager, and modifying the metadata of a node.
High Level Architecture (diagram in the original slides): ISIQ Swarm; ISIM Cluster with ISIM Database and ISIM LDAP; IGI Cluster with IGI Database; VIP.
•Minimum software/hardware requirements:
–Docker Community Edition (CE) 18.03 running on CentOS, Debian, Fedora, or Ubuntu with x86_64/amd64, 8 GB RAM, 2 vCPU, 25 GB free disk space per node. Windows or MacOS not supported.
•Recommended:
–Docker Enterprise Edition (EE) 18.03 or higher running on CentOS, Red Hat Enterprise Linux, SuSE Linux Enterprise Server, Oracle Linux, Ubuntu with x86_64/amd64, 32 GB RAM, 4 vCPU, 100 GB free disk space per node, 3 or more nodes.
•Minimum browser version of Mozilla Firefox 60, Internet Explorer 11, Microsoft Edge 12, Google Chrome 58, or Apple Safari 5.
•Instructions for downloading docker can be found here: https:///install/overview/
Look under Docker CE/EE --> Linux --> <your OS>.
•If you are installing CE on Red Hat, pull it from Docker CE’s CentOS repository.
•ISIM version must be 7.0 FP7 or higher, or Version 6.0 FP18 or higher.
•IGI Version must be 5.2.5 FP1 or higher, or at the latest Interim Fixpack (IF) of Version 5.2.4 FP1 or higher.
ISIQ Deployment Details
•Download and extract the starter kit: https:///support/pages/ibm-security-information-queue-starter-kit
•Cryptographic configuration: generate ISIQ’s SSL certificates and the encryption key for ISIQ’s nginx web server.
•The script cfg/nginx/gencert.sh helps you generate the required certificate. It can generate a self-signed certificate or a request for a CA-signed certificate.
•Specify the DNS names for your ISIQ server in the cert.conf file before running the gencert script. The names must match the hostname users type into the browser (the same host as in the OIDC redirect URL), otherwise browsers report a certificate name mismatch.
•ISIQ’s connect service (named “connect_connect”) reads from and writes to target applications. Supported applications:
–ISIM LDAP directory server, ISIM Database, ISIM Server
–IGI Database
•In the extracted contents of the ISIQ starter kit, there are two files to be aware of in the <starterKitDir>/cfg/connect/ssl directory:
–isiq.truststore.jks – The ISIQ truststore that is copied into the connect service’s container. Its default password is “changeit”, the well-known Java default; change it before deploying outside a lab.
–ssl.client.props – Specifies the truststore password and file path. To change the password, update com.ibm.ssl.trustStorePassword, and set the same password on the JKS file itself.
Note: Do not modify the truststore file path defined in the com.ibm.ssl.trustStore property.
Installation and Configuration
•In the connect-stack.yml file, the ISIQ_AUTOMATICALLY_IMPORT_CERTIFICATE environment variable determines how an application certificate is installed for ISIQ’s connect service:
–If the variable is set to false (the default), you must manually import the application certificate(s) into <starterKitDir>/cfg/connect/ssl/isiq.truststore.jks before you deploy the connect service.
–If the variable is set to true, the application certificates are installed automatically into the truststore copy at /etc/isiq/ssl/isiq.truststore.jks inside the connect service’s container. Automatic import trusts whatever certificate the target presents when ISIQ first connects, so a spoofed ISIM or IGI endpoint on the network path would be trusted as well; prefer manual import for production, or at least verify the imported certificate afterwards.
•ISIQ login requires authentication that depends on OpenID Connect (OIDC).
•To allow users to authenticate to ISIQ using your preferred OIDC provider, you need to collect the following information from the respective provider:
a. Client ID
b. Client Secret
c. Issuer URL
d. Authorization URL
e. Token URL
f. UserInfo Endpoint/UserInfo URL
g. Logout URL
•If you are using IBM Cloud’s AppID, the following data items are necessary:
a. Client ID
b. Secret
c. OAuth Server URL
d. Profiles URL
e. Tenant ID
•In addition to these data items, when you register your client with the OIDC provider, you must also supply a redirect/callback URL in the format: https://<YourHostName>/api/oidc
•The purpose of collecting this OIDC provider information is to edit ISIQ’s configuration file, oidcSettings.json, which is located in your <starterKitDir>/cfg/oidc directory.
•To illustrate the OIDC setup process, here are the steps if you plan to use IGI’s OIDC provider:
–Log in to your IGI Virtual Appliance.
–Select Configure -> OpenID Connect Provider Configuration. The URLs are listed separately:
•For Admin Console
•For Service Center
–Depending on which type of user you are configuring for the IGI OIDC provider, note the URLs that correspond to that type. Then select Manage -> External Client Configuration.
•Do not rely on the /etc/hosts file of the Docker host for these URLs: specify IP addresses, or hostnames that can be resolved by the configured DNS, because the ISIQ containers do not consult the host’s /etc/hosts.
•Update the fields in oidcSettings.json under the “Generic” section. You can ignore the fields under the “AppID” section and leave the placeholder values as is.
•Here are examples of logout URLs for some common OIDC providers
–IGI (Admin Console REST Client) –https://<IGI_VA_Hostname>:10443/logout
–IGI (Service Center REST Client) –https://<IGI_VA_Hostname>:11443/logout
–ISAM –https://<Hostname>:<port>/pkmslogout
–IBM Cloud Identity –https://<Hostname>/pkmslogout
–Google –https:///Logout
•In the app-stack.yml file, be sure that the LOGIN_WITH_APPID field under the rest service is set to false.
This setting indicates you are using the “Generic” OIDC settings rather than the “AppID” settings.
•To configure ISIQ to use AppID login, you must update the fields in the AppID section of cfg/oidc/oidcSettings.json, ignore the fields in the Generic section and set LOGIN_WITH_APPID to true.
•To accelerate ISIQ setup in a lab, consider the following two options:
–Set ISIQ_AUTOMATICALLY_IMPORT_CERTIFICATE=true in the connect-stack.yml
–Set ISIQ_SKIP_OIDC=true in the app-stack.yml
Both shortcuts trade a verification step for convenience (explicit trust of the application certificates, and OIDC-based login respectively), so treat them as lab-only settings and revert them before the deployment is exposed to users.
•To support Elasticsearch, edit /etc/sysctl.conf to set vm.max_map_count to 262144 on every node, or apply the change immediately with the command: sysctl -w vm.max_map_count=262144
•If you do not have a Docker ID, you can obtain one at https:///signup. Then run “docker login”.
•When you first log in to Docker Hub, you must agree to the Terms of Service at https:///_/ibm-security-information-queue and “Proceed to Checkout” so that your Docker ID is authorized to retrieve ISIQ content.
•Pull the required Docker images by running `<starterKitDir>/isiq setup`, then verify that the images are present (the original slides show a screen capture of the expected output).
•Decide whether to run ISIQ in a single-node or cluster configuration. Under <starterKitDir>/yml, there are “single_node” and “cluster” subdirectories with corresponding .yml files.
•Create the Docker swarm:
–docker swarm init (initial node; this command is run automatically if you use the isiq script)
–docker swarm join (run this command on each additional node if you are deploying a multi-node cluster; it uses the join token printed by docker swarm init, which grants membership in the swarm, so handle that token like a credential)
•Add metadata to each node to allow pinning tasks to them, for example:
–docker node update --label-add isiq=node1 alpha
–docker node update --label-add isiq=node2 bravo
–docker node update --label-add isiq=node3 charlie
•Deploy the ISIQ stacks: <starterKitDir>/isiq start
•Verify the status of ISIQ by running: <starterKitDir>/isiq status
•To confirm that ISIQ images started correctly, use the “docker service ls” command.
•In the REPLICAS column of the command output, the numerator and denominator should match (for example, 1/1 or 3/3).
•If any of the REPLICAS values contain “0/1”, “0/3” or “1/3”, one or more expected instances of the service are not active. Sometimes a service is slow to start.
•You can also check for particular log messages that indicate successful initialization. For example:
–docker logs $(docker ps -q -f name=broker_kafka1) | grep “started (kafka.server.KafkaServer)”
–docker logs $(docker ps -q -f name=connect_connect) | grep “Herder started (org.apache.kafka.connect.runtime.distributed.DistributedHerder)”
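As an added example (not code from the ISIQ starter kit or the original slides), the two checks above, replica counts and the “started” log markers, scripted so they can be run after every `isiq start`. The `docker service ls` listing and the log excerpts embedded below are constructed for the example: the service names broker_kafka1 and connect_connect come from the guide, while app_rest, logs_elasticsearch, the image names and the IDs are placeholders. In a live swarm you would pass the real output in, e.g. `isiq_check_replicas "$(docker service ls)"`.

```shell
#!/bin/sh
# Added example (not part of the ISIQ starter kit): post-deployment health checks
# over `docker service ls` and `docker logs` output. All sample data below is
# constructed; only broker_kafka1 and connect_connect are names from the guide.

# Print "NAME REPLICAS" for every service whose REPLICAS column is not n/n.
# Exit status 0 when every service is fully replicated, 1 otherwise.
isiq_check_replicas() {
    # $1: text of `docker service ls` output, header line included
    printf '%s\n' "$1" | awk '
        BEGIN { bad = 0 }
        NR == 1 {
            # locate the NAME and REPLICAS columns from the header
            for (i = 1; i <= NF; i++) {
                if ($i == "NAME") name_col = i
                if ($i == "REPLICAS") rep_col = i
            }
            next
        }
        NF == 0 { next }
        {
            split($rep_col, parts, "/")
            if (parts[1] != parts[2]) { print $name_col, $rep_col; bad = 1 }
        }
        END { exit bad }
    '
}

# Check that a log contains the marker the guide greps for.
# $1: log text, $2: marker string. Exit status 0 if found, 1 if not.
isiq_log_has_marker() {
    printf '%s\n' "$1" | grep -F -q -- "$2"
}

KAFKA_STARTED='started (kafka.server.KafkaServer)'
HERDER_STARTED='Herder started (org.apache.kafka.connect.runtime.distributed.DistributedHerder)'

# Constructed `docker service ls` output: two services still starting.
DEGRADED_SERVICES='ID            NAME                 MODE        REPLICAS  IMAGE
k1x0tqz9y8m1  broker_kafka1        replicated  1/1       example/kafka:1
c7p2v3n6e4r5  connect_connect      replicated  0/1       example/connect:1
a9d8f7g6h5j4  app_rest             replicated  1/1       example/rest:1
l3m2n1b0v9c8  logs_elasticsearch   replicated  0/1       example/elasticsearch:1'

# Constructed `docker service ls` output: everything up.
HEALTHY_SERVICES='ID            NAME                 MODE        REPLICAS  IMAGE
k1x0tqz9y8m1  broker_kafka1        replicated  1/1       example/kafka:1
c7p2v3n6e4r5  connect_connect      replicated  1/1       example/connect:1'

# Constructed log excerpts (timestamps and line layout are illustrative only).
KAFKA_LOG='[2020-01-01 00:00:01,000] INFO Kafka version: 2.x
[2020-01-01 00:00:02,000] INFO [KafkaServer id=1] started (kafka.server.KafkaServer)'
CONNECT_LOG_BOOTING='[2020-01-01 00:00:01,000] INFO Kafka Connect starting
[2020-01-01 00:00:02,000] INFO Kafka version: 2.x'

# Stand-alone usage
if isiq_check_replicas "$DEGRADED_SERVICES"; then
    echo "all services fully replicated"
else
    echo "one or more services are not active yet; re-run isiq status after a while"
fi
isiq_log_has_marker "$KAFKA_LOG" "$KAFKA_STARTED" && echo "kafka1 started"
isiq_log_has_marker "$CONNECT_LOG_BOOTING" "$HERDER_STARTED" || echo "connect herder not started yet"
```

The replica check reads the column positions from the header rather than assuming them, so it keeps working when the MODE or IMAGE columns shift (for example for global-mode services whose REPLICAS cell carries a placement note). A non-zero exit status makes it usable as a gate in a deployment script.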
•Login page of ISIQ –https://<isiq-host>
•The browser is redirected to the IGI admin console for OIDC authentication.
•After successful authentication on IGI, the browser is redirected back to ISIQ for configuration and management.
•Now we can start adding ISIM and IGI for integration.
•Select IBM Security Identity Manager, click Next, and then fill in the details.
•Next, select IBM Identity Governance and Intelligence, click Next, and then fill in the details.
•After adding IGI and ISIM, verify the status by clicking Health Check.
•Verify custom attribute.
•Verify LDAP Connection.
•To check that ISIM data loading is working properly, there are two shell scripts, topicList.sh and topicPoll.sh, located in <starterKitDir>/util.
–topicList.sh: shows the number of topics created with “directory” in the topic name. This helps you validate whether any expected topics are missing.
–topicPoll.sh: displays topic data. For example, to verify the number of account
•To examine ISIQ’s connect service from the ISIM perspective, set CONNECT_LOG4J_ROOT_LOGLEVEL=DEBUG; the log will then contain more useful diagnostic data. Revert to the default level when you are done, since debug logging is voluminous.
•Verifying data loading avoids the risk of sending incorrect or incomplete ISIM data to your IGI that will require cleanup later.
•Ensure a Service Center user exists.
•Define adequate temporary table space; the temporary table space size should be set to “L”.
•Update the USER_ERC attribute mapping to set the user DN.
•A few more RULEs need to be modified before subscribing the products. Please go through “Appendix A: IGI Customizations for ISIQ” in the ISIQ User Guide:
https:///support/pages/ibm-security-information-queue-users-guide
•Enable the EVENT_OUT_USER table: to support user integration from IGI to ISIM, ISIQ relies on IGI’s EVENT_OUT_USER table. There are two steps for enablement:
–In ISIQ’s connect-stack.yml file, set the ISIQ_IGItoISIM_FULFILL_USER_EVENTS environment variable to true.
–Enable the EVENT_OUT_USER table on the IGI side. If it was enabled previously, it is already there and this step can be skipped.
•In order for ISIQ to process deleted ISIM entities such as users, accounts, and roles, the “change log” option in the IBM Security Directory Server used by ISIM must be enabled.
•To confirm that the change log is working, check the “Topic List” UI: search for the <subscriberID>.<isim-name>.directory.DELETES topic; in the “Msgs” column you should see a value greater than 0.
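The two verifications above, counting the “directory” topics that topicList.sh reports and confirming that the DELETES topic has received messages, as an added example that is not part of the starter kit’s util scripts or the Topic List UI. It assumes a listing with one topic name and message count per line (that column layout is an assumption; the real topicList.sh output and Topic List UI may differ). The subscriber ID sub1, the ISIM name isim1, and the entity topic names other than DELETES are placeholders.

```shell
#!/bin/sh
# Added example (not part of the ISIQ starter kit): checks over a topic listing
# with one "topic msgs" pair per line. The listings below are constructed; the
# subscriber ID "sub1", ISIM name "isim1" and the non-DELETES topic names are
# placeholders, not names taken from a real deployment.

# Count topics whose name contains "directory" (what topicList.sh reports).
# $1: listing text. Prints the count.
isiq_count_directory_topics() {
    printf '%s\n' "$1" | awk 'NF >= 2 && $1 ~ /directory/ { n++ } END { print n + 0 }'
}

# Print the message count of the DELETES topic for a subscriber/ISIM pair.
# $1: listing text, $2: subscriber ID, $3: ISIM product name.
# Exit status 0 when the topic exists and has more than 0 messages (the change
# log is delivering deletes), 1 when it is missing or empty.
isiq_check_deletes_topic() {
    topic="$2.$3.directory.DELETES"
    printf '%s\n' "$1" | awk -v t="$topic" '
        BEGIN { found = 0; msgs = 0 }
        $1 == t { found = 1; msgs = $2 + 0 }
        END {
            print msgs
            if (found && msgs > 0) exit 0
            exit 1
        }
    '
}

# Constructed listing: change log is working (DELETES has messages).
TOPICS_OK='TOPIC                                 MSGS
sub1.isim1.directory.PERSON           1250
sub1.isim1.directory.ACCOUNT          3400
sub1.isim1.directory.ROLE             48
sub1.isim1.directory.DELETES          17
sub1.isim1.database.POLICY            12'

# Constructed listing: change log not enabled, DELETES topic never populated.
TOPICS_NO_CHANGELOG='TOPIC                                 MSGS
sub1.isim1.directory.PERSON           1250
sub1.isim1.directory.ACCOUNT          3400
sub1.isim1.directory.DELETES          0'

# Stand-alone usage
echo "directory topics: $(isiq_count_directory_topics "$TOPICS_OK")"
if msgs=$(isiq_check_deletes_topic "$TOPICS_OK" sub1 isim1); then
    echo "DELETES topic has $msgs messages: change log is delivering deletes"
else
    echo "DELETES topic missing or empty ($msgs): enable the change log in the ISIM directory"
fi
```

A DELETES topic that exists but stays at 0 is the usual symptom of the change log being disabled: loads of users, accounts and roles still succeed, only deletions never reach IGI, which is why the count is checked rather than just the topic’s presence.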
•ISIQ provides a default template file, txdef.json, that defines how attributes are transformed when one product subscribes to another.
•If you need attributes to be consumed in a specialized format, you can modify txdef.json(backup recommended, restart required) to suit your customization requirements.
•You have to update your ISIQ subscriptions to make consumers aware of the new topics.
•Before upgrading to a newer ISIQ build level, be sure to save a copy of your customized txdef.json. You will want to retrofit your file changes after the upgrade.
•The “in” and “out” keys specify the product type: “in” is the source/producer, “out” is the sink/consumer.
•Single Message Transformations (“smts”) describe mappings between source and sink entity topics.
•The “txe” key defines the JQ filters that get applied before attribute mappings and assignments take place. A “txe” can be specified as a null object “{}” if no transformations are necessary.
•A custom transformation can be created before a new subscription is processed, or it can be applied to an existing subscription by reprocessing the relevant topic data.
Mapping Entities and Events between ISIM and IGI
•In ISIQ, when an IGI product subscribes to an ISIM product, the various ISIM entities are loaded into corresponding entities in IGI. Conversely, when an ISIM product subscribes to an IGI product, a series of IGI events are sent to initiate updates in ISIM.
–Entity-to-Entity Mapping and Entity-Key Field Mapping
Supported Operations on ISIM and IGI Entities
•The following table lists ISIM entities, their corresponding names in IGI, and the operations that ISIQ supports from ISIM-to-IGI and from IGI-to-ISIM:
•In ISIQ, when we configure an ISIM or IGI product, we are in fact configuring one or more ISIQ-supplied connector programs.
•In Kafka terminology, there are source connectors and sink connectors. Source connectors produce and publish data. Sink connectors subscribe to and consume data.
•ISIQ includes ISIM source connectors that take data from LDAP and from the ISIM database and push it into Kafka “topics” (collections of related data). ISIQ also includes an IGI sink connector that pulls data from topics and stores it in the IGI database.
•Subscriptions provide a security mechanism to ensure only trusted consumers, which you configured, are allowed to access published data.
Useful Links
•IBM Security Information Queue Starter Kit: This includes the deployment guide, user’s guide and troubleshooting guide.
•ISIQ deployment best practices
•ISIQ FAQ’s
•IBM Security YouTube Channel
Questions for the panel
Ask the panelists a question now
Enter your question in the Q&A area
Ask a question after this presentation
You are encouraged to ask follow-up questions in the Support forums: https:///mysupport/s/forumshome
For more information
Security Learning Academy: https://
IBM Knowledge Center: https:///support/knowledgecenter/products
IBM Support: https:///mysupport
Useful links:
Get started with IBM Security Support
IBM Support
Sign up for My Notifications
IBM Security Community
© Copyright IBM Corporation 2020. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM’s current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at /legal/copytrade.shtml .All names and references for organizations and other business institutions used in this deliverable’s scenarios are fictional. Any match with real organizations or institutions is coincidental. All names and associated information for people in this deliverable’s scenarios are fictional. Any match with a real person is coincidental.Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. 
IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.
Follow us:
/JoinIBMVIPRewards-Security
youtube/user/IBMSecuritySupport
@AskIBMSecurity
/IBMSecurityClientSuccess-LinkedIn
/security/community
Thank you.