Setting up Tenant Utility
Provided with the SafeNet IDPrime Virtual solution, the Setup Tenant Utility is a simple command-line utility used to manage tenant-related operations. Update values in
The following operations can be performed:
- Creating a Tenant
- Deleting a Tenant
- Updating a Tenant
- Listing all Tenants
- List tenant's details
- Listing a Tenant’s Information
Creating a Tenant
Perform the following steps to create a tenant:
- Open the terminal and run the tenant onboarding utility by executing the command for your environment:
Docker:
docker exec -it <idprime-virtual-server-container-name> sh
Kubernetes:
kubectl exec -it <idprime-virtual-server-kubernetes-pod-name> -n <namespace> sh
RHEL 8 or 9 with podman environment:
podman exec -it <container-name> sh
Where:
<namespace> must be entered as created in step 1 of Deploying IDPrime Virtual Server in Kubernetes.
- Run the tenant creation utility using one of the following commands, based on the SafeNet IDPV version you are configuring:
IDPV v2.4.1:
setuptenant create -i Config/azure-test.json -p Config/policy-configuration.json -a <client_secret> -k <true or false> -u <true or false> -c <IDPV> -n <tenant_name>
IDPV v2.5:
setuptenant create -i Config/idp-configuration.json -p Config/policyconfiguration.json -a <idp secret> -k true (or false) -n <tenant name> -c <tenant category> -m false (or true) -s <swsconfig.json> -u false (or true) -j false (or true) -f true (or false)
IDPV v2.6:
setuptenant create -i Config/idp-configuration.json -p Config/policyconfiguration.json -a <idp secret> -k true (or false) -n <tenant name> -c <tenant category> -m false (or true) -s <swsconfig.json> -u false (or true) -j false (or true) -f true (or false) -o false (or true)
Where:
-i, --idpConfigFilePath : accepts a json file for the IDP configuration (file provided for IDPV installation) (Mandatory)
-p, --tokenPoliciesPath : accepts a json file for the sample policy (Mandatory)
-a, --IdpA : accepts the IDP secret (Mandatory). The Client Secret value for the various IDPs can be located in the respective IDP configuration.
-k, --exportKeys : accepts the HSM export key flag as either true or false (Optional). If the SKS flag is set to true, -k is always set to false. For HSM, the default value is true. However, if KeySecure is configured, the default value is auto-set to false.
-k is set to true:
• when the HSM is configured for the export mode.
• to download the token offline bundle to support the offline mode feature.
-n, --tenantName : accepts a tenant name.
-c, --tenantCategory : provide the tenant category, IDPV or Signature Web Service (SWS) (Optional). The default value is IDPV if -c is not specified.
-m, --sksMode : accepts the HSM SKS flag as either true or false (Optional)
-s, --swsConfigFilePath : accepts a json file as the SWS configuration file.
-u, --IsAutoCardCreationEnabled : accepts true or false for the IsAutoCardCreationEnabled flag (Optional). It enables or disables automatic smart card creation for the tenant if no smart card exists for the user. The default value is true; if -u is not specified, the default value is used. A tenant created with -u true allows auto creation of smart cards; a tenant created with -u false does not.
-j, --IsAutoRefreshSigningKeyEnabled : accepts true or false. The default value is false. If it is set to true, the signing key is rotated automatically on the IDPV server. This flag was added in SafeNet IDPV v2.5.
The signing key is rotated:
• at periodic intervals, for which the interval value is set in the appsettings file (KeyRotationRefreshIntervalInHrs).
• at the time of an authorization failure (due to a signing key mismatch).
If it is set to false, the administrator has to manually update the IDP signing key in case it changes at the IDP level.
The -j flag is applicable to Azure tenants only.
-f, --IsOfflineFallbackEnabled : accepts true or false. The default value is true. This flag is used to enable or disable the Offline fallback feature. When enabled (-f true), it allows you to go offline when the TPM is FIPS compliant but the keys are non-FIPS. This flag was added in SafeNet IDPV v2.5. You can set this flag to false using the setuptenant update command. This feature has a dependency on -k (the HSM export key flag): if you create a tenant with -k false, -f is also set to false and you will not be able to configure it; if you set -k true, the value of -f is configurable (true/false).
-o, --IsAutoOfflineBundleDownloadEnabled : accepts true or false. The default value is false. If it is set to true, the offline bundle is downloaded on the client side after the user enters a correct PIN. This flag was added in SafeNet IDPV v2.6. You can set this flag to false using the setuptenant update command. This feature has a dependency on -k (the HSM export key flag): if you create a tenant with -k false, -o is also set to false and you will not be able to configure it; if you set -k true, the value of -o is configurable (true/false).
--help
--version
The /publish/Config path is mapped to the host directory /var/thales/config by the docker run command in the deployment section, so the path used inside the container must be the same, i.e. /publish/Config.
After running the above command, a Tenant ID is generated, saved as a text file at /publish/Tenant/<TenantGUID>.txt, and displayed on the console.
- Copy the Tenant ID file to the host machine using the following command:
docker cp idprime-virtual-server-containername:/publish/Tenant/<TenantGUID>.txt <location on host>
For RHEL 8 or 9 with podman environment, the command is:
podman cp idprime-virtual-server-containername:/publish/Tenant/<TenantGUID>.txt <location on host>
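The dependency rules above (-m true forces -k false; -k false forces -f and -o to false and makes them non-configurable) are easy to get wrong when tenant onboarding is scripted. The POSIX shell functions below are an added example, not part of the Thales documentation or the setuptenant tool: they compute the effective values and print the resulting create command (IDPV v2.6 syntax) without running it. The function names, the tenant name, the file paths and the IDP_SECRET environment variable are placeholders chosen for this example.

```shell
# Added example (not from the Thales documentation or the setuptenant tool):
# apply the documented dependency rules for -m, -k, -f and -o before calling
# "setuptenant create", so the operator sees the values the tenant will get.
# Function names, the tenant name, file paths and IDP_SECRET are placeholders.

# Return 0 if $1 is the literal "true" or "false".
is_bool() {
    case "$1" in true|false) return 0 ;; *) return 1 ;; esac
}

# Derive the effective -k, -f and -o values into EFF_K, EFF_F and EFF_O.
# Arguments: <sksMode (-m)> <exportKeys (-k)> <offlineFallback (-f)> <autoOfflineBundle (-o)>
effective_flags() {
    for v in "$1" "$2" "$3" "$4"; do
        is_bool "$v" || { echo "error: expected true or false, got '$v'" >&2; return 1; }
    done
    EFF_K="$2"; EFF_F="$3"; EFF_O="$4"
    # SKS mode (-m true): the documentation states -k is always set to false.
    if [ "$1" = true ]; then EFF_K=false; fi
    # Offline fallback (-f) and offline bundle download (-o) depend on -k:
    # with -k false both are forced to false and cannot be configured later.
    if [ "$EFF_K" = false ]; then EFF_F=false; EFF_O=false; fi
    return 0
}

# Print the create command line (IDPV v2.6 syntax) with the effective values.
# It is printed, not executed; the IDP secret is taken from the IDP_SECRET
# environment variable at run time rather than typed on the command line.
# Arguments: <tenant name> <sksMode> <exportKeys> <offlineFallback> <autoOfflineBundle>
build_create_cmd() {
    effective_flags "$2" "$3" "$4" "$5" || return 1
    printf 'setuptenant create -i Config/idp-configuration.json -p Config/policy-configuration.json -a "$IDP_SECRET" -k %s -n "%s" -c IDPV -m %s -s Config/swsconfig.json -u true -j false -f %s -o %s\n' \
        "$EFF_K" "$1" "$2" "$EFF_F" "$EFF_O"
}

# Constructed sample: HSM in export mode, offline bundle download requested.
build_create_cmd acme-tenant false true true true
# Constructed sample: SKS mode, so -k, -f and -o all end up false.
build_create_cmd sks-tenant true true true true
```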
Deleting a Tenant
Execute the following command:
setuptenant delete -t <tenantId>
Example:
setuptenant delete -t "8b6ad028-3266-4718-88f3-11ace3b90d78"
Where:
-t : accepts the Tenant ID (Mandatory).
Updating a Tenant
Execute the following command:
setuptenant update -t <tenantId> -i Config/idp-configuration.json -p Config/policy-configuration.json -a <idp secret> -s <swsconfig.json> -n <tenant name> -u false (or true) -j false (or true) -f true (or false) -o false (or true)
Example:
setuptenant update -t "8b6ad028-3266-4718-88f3-11ace3b90d78" -i Config/idpconfiguration.json
Where:
-t, --tenantId : accepts the Tenant ID (Mandatory)
-i, --idpConfigFilePath : accepts a json file for the IDP configuration
-p, --tokenPoliciesPath : accepts a json file for the policy configuration
-a, --IdpA : accepts the IDP secret. The Client Secret value for the various IDPs can be located in the respective IDP configuration.
-s, --swsConfigFilePath : accepts a json file for the SWS configuration. For more information about swsconfig.json, refer to the IDPV package.
-n, --tenantName : accepts a tenant name.
-u, --IsAutoCardCreationEnabled : accepts true or false for the IsAutoCardCreationEnabled flag (Optional). It enables or disables automatic smart card creation for the tenant if no smart card exists for the user.
-j, --IsAutoRefreshSigningKeyEnabled : accepts true or false. The default value is false. If it is set to true, the signing key is rotated automatically on the IDPV server.
The signing key is rotated:
• at periodic intervals, for which the interval value is set in the appsettings file (KeyRotationRefreshIntervalInHrs).
• at the time of an authorization failure (due to a signing key mismatch).
If it is set to false, the administrator has to manually update the IDP signing key in case it changes at the IDP level.
The -j flag is applicable to Azure tenants only.
-f, --IsOfflineFallbackEnabled : accepts true or false. The default value is true. This flag is used to enable or disable the Offline fallback feature. When enabled (-f true), it allows you to go offline when the TPM is FIPS compliant but the keys are non-FIPS. You can set this flag to false using the setuptenant update command. This feature has a dependency on -k (the HSM export key flag): if you create a tenant with -k false, -f is also set to false and you will not be able to configure it; if you set -k true, the value of -f is configurable (true/false).
-o, --IsAutoOfflineBundleDownloadEnabled : accepts true or false. The default value is false. If it is set to true, the offline bundle is downloaded on the client side after the user enters a correct PIN. You can set this flag to false using the setuptenant update command. This feature has a dependency on -k (the HSM export key flag): if you create a tenant with -k false, -o is also set to false and you will not be able to configure it; if you set -k true, the value of -o is configurable (true/false).
• At least one of the three flags -i, -p, or -a is mandatory.
• In case of Kubernetes, Pods must be updated if configuration files under /var/thales/hsm are updated.
For more information about the idp-configuration.json file parameters, refer to step 4 of Updating Identity Provider Parameters.
Listing all Tenants
Execute the following command:
setuptenant list -l true
Where:
-l : shows all tenants (Mandatory)
List tenant's details
Run the following command:
setuptenant list -l false -t <tenantId>
For example:
setuptenant list -l false -t "8b6ad028-3266-4718-88f3-11ace3b90d78"
Where:
-t : accepts the Tenant ID (Mandatory)
Listing a Tenant’s Information
Execute the following command:
setuptenant usage -l true
To view the usage details for a single tenant:
setuptenant usage -l false -t <tenantId>
For example:
setuptenant usage -l false -t "8b6ad028-3266-4718-88f3-11ace3b90d78"
Where:
-l : shows all tenants (Mandatory). Set it to true to view the usage details for all tenants.
-t, --tenantId : accepts the Tenant ID (Mandatory)
Note: The -t flag is mandatory when -l is false.