The deployment procedure consists of the following steps:
Figure 1-8 in Section 1.6, Deploying Access Manager on Public Cloud illustrates the recommended way for deploying Access Manager on Azure.
This section outlines general steps for creating Azure services for use with Access Manager.
For more information, see the Azure documentation.
IMPORTANT:While creating services, (such as availability set, virtual network, security groups, instances, and load balancers), ensure to specify the same value for Location.
Perform the following steps to create Azure services:
Log in to Azure.
Create or determine an existing Resource group for use with Access Manager.
In the Azure portal, click New.
Search for resource group and select Resource group.
Click Create.
For more information about resource groups, see Azure Resource Manager Overview > Terminology > resource group.
NOTE:Not all administrators may have rights to create a new resource group.
Create or determine an existing Availability Set for use with Access Manager.
NOTE:If you plan to configure load balancing for Identity Server and Access Gateway, create a separate availability set for each cluster type.
In the Azure portal, click New.
Search for availability set and select Availability Set.
Click Create.
Specify values for Name, Subscription, Resource group, and Location.
Set Fault domains and Update domains to 2.
Click Create.
Create or determine a Virtual Network for use with Access Manager.
For this example configuration, all Access Manager components will use the same virtual network.
In the Azure portal, click New.
Search for virtual network and select Virtual Network.
Click Create.
Configure the required network settings, such as Name, Subscription, Resource group, Location, Address Space, Subnet name, and Subnet address range.
The following is an example configuration:
Click Create.
Continue with Section 7.2.2, Creating and Deploying Virtual Machines.
This section outlines steps to create and deploy virtual machines for a basic setup of Access Manager, which includes an Administration Console, an Identity Server, an Access Gateway, and a user store.
Perform the following steps to create four virtual machines: one for Administration Console, one for Identity Server, one for Access Gateway, and one for the user store.
NOTE:If you are using Azure Active Directory as the user store, deploy virtual machines only for Access Manager components. Azure hosts and manages Azure Active Directory as a service on the cloud.
Perform the following steps to create and deploy a virtual machine:
Log in to Azure.
Click New in the upper left pane of the dashboard.
In the search bar, search for SLES 12 SP3 or Red Hat Enterprise Linux 7.4 based on the operating system you want to use.
When creating a virtual machine for Active Directory, select a Windows 2012 R2 image instead of SLES or RHEL.
Each of these operating systems has their own licensing and costs associated with them. With the exception of the BYOS (Bring Your Own Subscription) option, each option includes a valid support license for the operating system.
NOTE:SLES 12 SP3 has been selected here as an example configuration.
Select SLES 12 SP3.
Click Create.
Configure the following settings in step 1 Basics:
|
Field |
Description |
|---|---|
|
Name |
Specify a name for the virtual machine. |
|
VM disk type |
Select SSD or HDD based on your requirements. The choice made here effects the behavior of templates displayed for selection in Step 8. |
|
User name |
Specify the name of the account that you want to use for administering the virtual machine. This username is used for ssh access to the virtual machine after deployment. |
|
Authentication type |
Select SSH public key. |
|
SSH public key |
Copy the content of your id_rsa.pub file that you have generated earlier, and paste it. |
|
Subscription |
Select the Azure subscription that should be used for the virtual machine. |
|
Resource group |
Select the resource group that you have created or determined in Step 2. |
|
Location |
Select from the list of the supported Azure location where you want to create the virtual machine. |
Click OK.
In 2 Size, click View all to see all available templates.
You can filter this list based on disk type, vCPU, and memory.
Each template has its own intended use cases, optimizations, and costs per hour of usage. Click a template that matches your requirements and the requirements of the Access Manager component that will later be installed on this virtual machine.
NOTE:You must select a virtual machine size of the Standard type if you require to configure an Azure load balancer later.
Click Select.
In 3 Settings, review networking, high availability, storage, and monitoring options by clicking the > icon.
|
Section |
Action |
|---|---|
|
High Availability |
While deploying a virtual machine for identity Server or Access Gateway, select the appropriate availability set that was created for each type in Step 3. For clustering and load balancing, place Identity Server virtual machines in one availability set and Access Gateway virtual machines in a different availability set. |
|
Storage |
keep the default value Yes for Use managed disks. |
|
Network > Virtual network |
Click Virtual network and select the virtual network that you created in Step 4. |
|
Network > Public IP Address |
(Optional) Configure the Public IP Address for this virtual machine or you can keep the default selection (dynamic addressing). If you do not specify a static address (adds an additional cost), the external IP address used to reach each virtual machine changes with each reboot. |
|
Network > Network Security Group (firewall) |
Accept the default network security group to allow incoming SSH access requests to the virtual machine used for Access Manager. The instructions to further configure these security groups are in a later section of the guide. In a more advanced setup where you install multiple Administration Consoles, Identity Servers, and Access Gateways, these virtual machines should use the security group created for the first virtual machine running that component type. |
|
Extension |
Keep the default value. |
|
Auto-shutdown |
Set to On if required. By default, this is set to Off. It is recommended to disable this option in a production environment. |
|
Monitoring |
Disable Boot diagnostics and Guest OS diagnostics if you do not want to monitor for those options. You can change these settings later if you need these functionalities. |
Click OK.
In 4 Summary, review the summary of your settings, terms of use, privacy policies, and cost of use.
Click Create.
Azure begins provisioning the virtual machine as you have configured it. This process may take a few minutes.
Verify SSH access to the virtual machine after deployment completes by running the following command:
ssh -i <keyfile> <username>@<publicIP>
Repeat Step 1 to Step 14 to create additional virtual machines.
Continue with Section 7.2.3, Configuring Network Security Groups.
In the previous section Creating and Deploying Virtual Machines, a separate network security group is created for each virtual machine. You must modify these security groups to open the required incoming ports, depending on the Access Manager component type that will be installed on the virtual machine.
Edit the network security groups for Administration Console, Identity Server, and Access Gateway to configure the ports based on requirements of that component.
For information about the required ports, see Table 1-7, Administration Console on Cloud, Table 1-8, Identity Server on Cloud, and Table 1-9, Access Gateway on Cloud.
In the Azure portal, click All resources.
You can filter the list can using the fields at the top of the page.
Find and click the desired network security group created in Step 10.
Click Inbound security rules > Add.
Specify details in fields.
The following is an example configuration:
|
Field |
Value |
|---|---|
|
Source |
Any |
|
Source port range |
* |
|
Destination |
Any |
|
Destination port range |
8443 |
|
Protocol |
TCP |
|
Action |
Allow |
|
Priority |
100 |
|
Name |
Administration Console HTTPS |
|
Description |
HTTPS port for Access Manager Administration Console. |
Repeat Step 3 and Step 4 for each inbound port rule to be added as listed in Table 1-7, Administration Console on Cloud, Table 1-8, Identity Server on Cloud, and Table 1-9, Access Gateway on Cloud, depending on the component type that will use this network security group.
Continue with Section 7.2.4, Changing the Private IP Address from Dynamic to Static.
The private IP addresses of Access Manager virtual machines must be static for proper communications between these devices.
Perform the following steps for each virtual machine:
In the Azure portal, click Virtual machines > name of the virtual machine.
Under Settings, click Networking.
Click the Network Interface.
In the left menu, click IP configurations under Settings.
Click the IP configuration line.
Under Assignment, click Static.
In IP address, specify the desired IP address.
Click Save.
Prerequisites
Ensure that you meet the network requirements listed in Section 1.3, Network Requirements.
Edit the /etc/hosts files on each virtual machine and add an entry to resolve its hostname to its private IP address.
Ensure that the virtual machines do not have a default firewall configuration that could prevent proper installation and use of the Access Manager components.
Ensure that the required port rules in the network security groups have been created. See Section 7.2.3, Configuring Network Security Groups.
Important Points to Consider before Installation
You must know the following points before you start the installation:
Re-importing Identity Server and Access Gateway is not supported.
Auto scaling of nodes is not supported. You can add or remove nodes manually. See Section C.0, Recommendations for Scaling Access Manager Components in Public Cloud.
Installation Procedure
Perform the following steps to install Access Manager components on virtual machines:
IMPORTANT:In the following steps, run the Access Manager installation scripts as a root user using sudo. For example, sudo sh <script-name>.
Copy the novell-access-manager-<version>.tar.gz file using Secure Copy (scp) to the virtual machines on which you will install Administration Console and Identity Server.
The following is a sample scp command that shows how to copy the installer using the SSH key and username specified while creating the virtual machine:
scp -i <key> <path/filename_of_tarball> <username>@<vm_ip>:/<path>
Copy the novell-access-gateway-<version>.tar.gz file to the virtual machine on which you will install Access Gateway.
Install Administration Console, Identity Server, and Access Gateway on respective virtual machines.
For information about how to install these components, see Section 2.1, Installing Administration Console on Linux, Section 3.2, Installing Identity Server on Linux, and Section 4.3.1, Installing Access Gateway Service on Linux.
IMPORTANT:While installing Identity Server and Access Gateway, specify the internal IP address of the Administration Console machine. This ensures that communications among machines happen inside the firewall.
Configure Identity Server and Access Gateway.
For information about how to configure, see Setting Up a Basic Access Manager Configuration
in the NetIQ Access Manager 4.4 Administration Guide.