When the Identity Service is not installed, everyone can access every OpenLM component without any security. If installing Identity Service and setting up Security Configuration, every component needs Client ID and Secret Key to be accessed.

There are 2 types of Security Configuration.

a. URL settings in Identity Service

• OpenLM Server
• Directory Sync
• Reports Scheduler
• ServiceNow

b. By setting the URL, when the user tries to open a URL in the Browser, Login Credentials will be asked. Client ID and Secret Key will be inserted into configuration files such as appsettings.json or property file. Once secured, every component connected to OpenLM Server should be set up in security mode:

• Authorization JSON file from EasyAdmin User Interface:
• Broker
• DSA
• Workstation Agent
• End User Services (Personal Dashboard)
• Applications Manager
• OpenLM Server API

Once OpenLM Server is configured to work in secure mode in Identity Service, issue the Authorization JSON file from EasyAdmin User Interface and import it into each component.

To configure the OpenLM components to work in a secure environment, select the Security Configuration tab in the Identity Service:

#

Configure the OpenLM Server to work in a secure environment #

1. In the Identity Service UI, select the Security Configuration tab.
2. Proceed with turning on the Server toggle switch.
3. Provide the Fully Qualified Domain Name for OpenLM Server Machine (Ex: http://FQDN:5015).
4. Type in the username (Admin by default)
5. Click Save.

Note: this will enable Security, Client ID and Secret Key in the appsettings.json file located at “C:\Program Files\OpenLM\OpenLM Server\bin\appsettings.json”

},

"Auth": {

"EnableSecurity": true,

"Authority": "https://l324md.openlm.biz:5009",

"Audience": "openlm.server.api",

"AuthProvider": "",

"ClientId": "openlm.server.client",

"ClientSecret": "c0936471-0f6a-44af-9078-99d150683cad",

"ClientScope": "openlm.cloud.scope openlm.ugs.read.scope IdentityServerApi openlm.dss.scope openlm.etlmanager.scope",

"TokenEndpoint": "/connect/token"

}

}

6. Go to Services and restart both the Identity Service and the OpenLM Server.

Restarting Services are mandatory to get a new Client ID and Secret Key.

In the EasyAdmin User Interface Dashboard, we can now see the logout button with the account:

Instead, if we turn off the Server’s toggle switch (Non-Security Mode), the logout/in button will disappear. Everyone can access EasyAdmin User Interface.

Note: the second time you decide to turn off the Security for the OpenLM Server, this will be done by changing the appsetings.json→EnableSecurity parameter to False (file located at “C:\Program Files\OpenLM\OpenLM Server\bin\appsettings.json”).

},

“Auth”: {

“EnableSecurity”: False,

“Authority”: “https://l324md.openlm.biz:5009”,

“Audience”: “openlm.server.api”,

“AuthProvider”: “”,

“ClientId”: “openlm.server.client”,

“ClientSecret”: “c0936471-0f6a-44af-9078-99d150683cad”,

“ClientScope”: “openlm.cloud.scope openlm.ugs.read.scope IdentityServerApi openlm.dss.scope openlm.etlmanager.scope”,

“TokenEndpoint”: “/connect/token”

}

}

Warning: Restart the OpenLM Server Service every time you turn on/off the Security Mode to reflect the changes.

Configure the Directory Sync to work in a secure environment #

1. In the Identity Service UI, select the Security Configuration tab.
2. Proceed with turning on the DSS toggle switch.
3. Provide the Fully Qualified Domain Name for OpenLM Server Machine (Ex: http://FQDN:7026).
4. Click Save.

Note: this will enable Security, Client ID and Secret Key in the appsettings.json file. C:Program FilesOpenLMOpenLM Directory Synchronization Service

5. Navigate to Services and DSS Service.

Restarting Services is mandatory to get a new Client ID and Secret Key.

Configure the Reports Scheduler to work in a secure environment #

1. In the Identity Service UI, select the Settings tab, then Security Configuration.
2. Turn on the Reports Scheduler toggle switch.
3. Provide the Fully Qualified Domain Name for OpenLM Server Machine (Ex: http://FQDN:8888).
4. Click Save.

Note: this will enable Security, Client ID and Secret Key in the report_scheduler.properties file. C:\Program Files\OpenLM\OpenLM Reports Scheduler\

5. Go to Windows Services and restart Reports Scheduler Service.

Restarting Services is mandatory to get a new Client ID and Secret Key.

Configure the ServiceNow Adapter to work in a secure environment #

1. In the Identity Service UI, select the Security Configuration tab.
2. Turn on the ServiceNow toggle switch.
3. Provide the Fully Qualified Domain Name for OpenLM Server Machine (Ex: http://FQDN:5005).
4. Click Save.

Note: this will enable Security, Client ID and Secret Key in the appsettings.json file. C:/Program Files/OpenLM/OpenLM External Platforms/Service

5. Go to Services and restart ExternalPlatformServices Service.

Restarting Services are mandatory to get a new Client ID and Secret Key.

Account in Identity Service and Role&Permissions #

If your license file doesn’t have Role&Permission, Identity Service still has basic Roles to assign users. It is presented in edit only mode (No Adding, Deleting, Duplicating).

But if your license file has Role&Permission, it can give you full range and functionality of Roles like the below.

Please consult with our Sales at sales@openlm.com if you want full functionalities.

The first default account is Admin in Identity Service. But if you want to create a new user, please follow the below steps.

1. Create a User account in Easyadmin User Interface: navigate to EasyAdmin User Interface→Start→Users&Groups→Users→Add User→Input the User’s data→Save.
2. Assign the Role to the user to login in EasyAdmin User Interface. (for more insights, please see the full Roles&Permissions document.
   
3. Navigate to your Identity Service instance→ Users tab→click Add User and create the same user as in the EasyAdmin User Interface→Click Save.
   
   →
   

Note: If you want the user to be able to edit Identity Service settings, enable the System Administrator toggle button.

1. Login to EasyAdmin User Interface with the user account.

Right now, we have to manually add the same user in each EasyAdmin User Interface and Identity Service UI. Only the system administrator of Identity Service UI can change the passwords.

Configuring each component in Security Mode #

#

Please note that, after you enable OpenLM Server Security mode in Identity Service, each connected component needs Client ID and Secret Key (Authorization Json file).

Navigate to EasyAdmin User Interface → Security&Service→Security Tab→Authorization Tab.

Add each component you are using and download Authorization Json file.

Import Json file while installing each component or put it under installation folder.

(This depends on each component)

Restart each service in Windows Service with OpenLM Server & Identity Service services running.
Please note that OpenLM Server needs to read Client ID and Secret Key info from each component.

Configuring User Name and Password #

Do not turn off User Name and Passwoord toggle button unless desired to disable security.

Configuring Windows Authentication #

Please refer to this document.

Configuring SMTP #

When resetting the password if you forget your account, this button enables you to set it back through your email address.

Configuring Session Time #

You can configure the Screen time in this tab and then use your credentials to login.

Configuring External Providers: #

Okta SSO.
Azure Active Directory.

AD FS.

Troubleshooting #