2.1 Deploying Standalone Identity Console (Non-Docker)

You can deploy the Identity Console in one of the following ways:

NOTE: NetIQ recommends that when you install Identity Console and eDirectory on the same machine, the machine has at least one instance of eDirectory available.

2.1.1 Performing an Interactive Installation

This section covers how to deploy standalone Identity Console using the interactive installation method.

  1. Log in to the Software License and Download portal and navigate to the Software Downloads page.

  2. Select the following:

    • Product: eDirectory

    • Product Name: eDirectory per User Sub SW E-LTU

    • Version: 9.2

  3. Download and extract the latest Identity Console build.

  4. Navigate to the directory where you extracted the Identity Console build > IdentityConsole_<version>_Linux.

  5. Run the following command while logged in as root or root-equivalent user:

    ./identityconsole_install

  6. Read the Introduction, and then press ENTER.

  7. Enter 'y' to accept the License Agreement. This will install all the required RPMs on your system.

  8. Enter the Identity Console server’s hostname (FQDN)/IP address. For example, 10.10.33.100

    If you press Enter without specifying an IP address, your system's IP address/hostname will be used by default.

  9. Enter the port number on which Identity Console listens. The default value is 9000.

  10. (Conditional) Do one of the following depending on your requirement:

    • If you do not want to integrate OSP with Identity Console, choose “n” and continue with Step 11.

    • If you want to integrate OSP with Identity Console, choose “y” and provide inputs for the following steps:

      1. Enter the eDirectory/Identity Vault server’s Domain name/IP address with LDAPS port number.

        For example:

        192.168.1.1:636

      2. Enter the eDirectory/Identity Vault username.

        Example:

        cn=admin,ou=org_unit,o=org

      3. Enter the eDirectory/Identity Vault password.

      4. Enter the eDirectory/Identity Vault password again to confirm the password.

      5. Enter the OSP server domain name/IP address with SSO server SSL port number.

      6. Enter the OSP client ID and OSP client password.

      7. Enter the eDirectory/Identity Vault tree name.

  11. Specify the eDirectory hosts to connect to. You can provide either an IP address or a domain name. For example: localhost:636,xx.xx.xx.xx:636 or edir.domain.com:636

    If you want Identity Console to connect to multiple eDirectory trees, enter their IP addresses or domain names separated by commas.

    NOTE:

    • When upgrading to Identity Console 1.7.2 or later, you must add the eDirectory server IP address to the edirapi.conf file before copying it to the container.

  12. (Conditional) Do one of the following to import the CA certificate:

    • If you want to import the CA certificate from the server, input “y” and press Enter. Then, enter the eDirectory server domain name/IP address with LDAPS port number.

      For example: 10.10.10.10:636

    • If you do not want to import the CA certificate from the server, input “n” and press Enter. Then, provide the location of your CA certificate directory path manually.

    • If you enter “q”, the installation will be terminated.

  13. (Conditional) Do one of the following to generate a Server Certificate:

    • If you want to generate the Server Certificate, input “y” and press Enter. Provide inputs for the following steps:

      1. Enter the eDirectory server domain name or IP address with LDAPS port number.

      2. Enter the eDirectory user name. Example: cn=admin,o=novell.

      3. Enter the eDirectory user password.

      4. Re-enter the eDirectory user password.

      5. Enter the server certificate name.

        Example: servercert

      6. Enter the server certificate password.

        Example: password@123

      7. Re-enter the server certificate password.

        Example: password@123

    • If you already have a Server Certificate that you want to use, input “n” and press Enter. Provide inputs for the following steps:

      1. Specify the location of your Server Certificate directory path manually.

        For example, /home/cert/keys.pfx

      2. Enter the server certificate password.

      3. Re-enter the server certificate password.

NOTE:

  • You can find the following log files in the /var/opt/novell/eDirAPI/log directory:

    • edirapi.log - This file logs edirapi events and debugging issues.

    • edirapi_audit.log - This file logs edirapi audit events. The logs follow a CEF auditing format.

    • identityconsole_install.log - This file logs Identity Console events.

  • You can check the logs for Identity Console start and stop operations in the /var/log/messages file.

  • When you are generating the CA certificate and Server Certificate, make sure to run the Identity Console installer from the IdentityConsole_172_Linux directory in the extracted location.

  • If the installation fails, you do not need to uninstall the existing Identity Console; instead, run the following command:

    /usr/bin/identityconsoleConfigure

2.1.2 Utilities to Generate Certificates

You have the option to obtain CA Certificates and Server Certificates for other trees using the following tools or utilities.

Generate CA Certificate

  1. Download and extract the latest Identity Console build.

  2. Navigate to the directory where you extracted the Identity Console build > IdentityConsole_<version>_Linux.

  3. Run the following command while logged in as root or root-equivalent user.

    ./get_cacert

  4. Enter the eDirectory IP address with LDAPS port number. For example: 10.10.10.10:636.

    The utility reports where it stored the trusted root certificate, for example:

    Trusted root certificate(s) copied successfully from server to "/tmp/SScert.pem".

Generate Server Certificate

  1. Download and extract the latest Identity Console build.

  2. Navigate to the directory where you extracted the Identity Console build > IdentityConsole_<version>_Linux.

  3. Run the following command while logged in as root or root-equivalent user.

    ./get_servercert <eDirectory IP address with LDAPS port number> <eDirectory/Identity Vault username> <userpassword> <server certificate name> <server certificate password> <path_of_CA_certificate with filename>

    Example:

    ./get_servercert 10.10.10.10:636 cn=admin,ou=org_unit,o=org password keys password /var/opt/novell/eDirectory/data/SSCert.pem

2.1.3 Performing a Silent Installation

Silent installation enables you to install Identity Console without any interactive input. To use this method, you must define your options for installing Identity Console in the silent_properties file and then run the installation process from the command line. To create the silent_properties file, you can use the create_silent_properties utility that comes with Identity Console version 1.7.2 and later. After you generate the properties file, the system uses the information from it to complete the installation silently.

Before starting the silent installation, ensure that you meet all the prerequisites.

To generate the silent properties file:

  1. Navigate to the IdentityConsole_<version>_Linux directory in the location where you have extracted the Identity Console build.

  2. Run the following command to use the create_silent_properties utility:

    ./create_silent_properties

  3. Enter the Identity Console server hostname or IP address. For example, 10.0.0.1.

  4. Enter the port number on which you want Identity Console to listen. For example, 9000.

  5. (Conditional) Do one of the following depending on your requirement:

    • If you want to integrate Identity Console with OSP, enter 1 and provide the values for the following prompts:

      1. Enter the eDirectory or Identity Vault server Domain name or IP address with the LDAPS port number. For example, 10.10.10.10:636.

      2. Enter the eDirectory or Identity Vault user name. For example, cn=admin,ou=sa,o=system.

      3. Enter the eDirectory or Identity Vault user password.

      4. Re-enter the eDirectory or Identity Vault user password.

      5. Enter the OSP server Domain name or IP address with the SSO server and SSL port number. For example, 10.10.10.10:8543.

      6. Enter the OSP client ID. For example, identityconsole.

      7. Enter the OSP client password.

      8. Re-enter the OSP client password.

      9. Enter the eDirectory or Identity Vault tree name. For example, my_tree.

      10. Enter the eDirectory server host name or IP address to which you want Identity Console to establish a connection. For example, 10.10.10.10:636.

      11. Enter the directory path of the trusted root certificates. For example, /home/cert/.

      12. Enter the directory path of the server certificate, including the filename. For example, /home/cert/keys.pfx.

      13. Enter the server certificate password.

      14. Re-enter the server certificate password.

        The silent_properties file is generated in the IdentityConsole_<version>_Linux directory.

    • If you do not want to integrate Identity Console with OSP, enter 2 and provide the values for the following prompts:

      1. Enter the eDirectory server host name or IP address to which you want Identity Console to establish a connection. For example, 10.10.10.10:636.

      2. Enter the directory path of the trusted root certificates. For example, /home/cert/.

      3. Enter the directory path of the server certificate, including the filename. For example, /home/cert/keys.pfx.

      4. Enter the server certificate password.

      5. Re-enter the server certificate password.

        The silent_properties file is generated in the IdentityConsole_<version>_Linux directory.

To perform a silent installation:

After generating the silent_properties file, start the installer in silent mode with the following command:

./identityconsole_install -s silent_properties

You can find installation-related logs in the identityconsole_install.log file in the Identity Console installation directory.

2.1.4 Multi-tree with Standalone Identity Console

To connect Identity Console to multiple eDirectory trees, you must list the eDirectory IP addresses with their LDAPS ports, separated by commas, in the edirapi.conf file located at /etc/opt/novell/eDirAPI/conf/. You must also copy the CA certificates of all the eDirectory trees to the /etc/opt/novell/eDirAPI/cert/ directory.

For example, to connect Identity Console to three eDirectory trees, provide the IP address in the following format:

edir-hosts="10.0.0.1:636,10.0.0.2:636,10.0.0.3:636"

Then copy the CA certificates as follows:

cp /home/user/SSCert1.pem /etc/opt/novell/eDirAPI/cert/SSCert1.pem
cp /home/user/SSCert2.pem /etc/opt/novell/eDirAPI/cert/SSCert2.pem
cp /home/user/SSCert3.pem /etc/opt/novell/eDirAPI/cert/SSCert3.pem

Run one of the following commands to restart Identity Console:

  • /usr/bin/identityconsole restart
  • systemctl restart netiq-identityconsole.service
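Before restarting, it is worth confirming that edirapi.conf and the cert directory agree. The following POSIX shell preflight check is an added example, not part of the NetIQ installer: it reads the edir-hosts value, rejects entries without a numeric LDAPS port, and checks that the cert directory holds at least one PEM certificate per configured tree. The file paths passed as arguments are assumptions; the sample conf and certificates in the usage are constructed.

```shell
#!/bin/sh
# Preflight check for a multi-tree standalone Identity Console (added example, not
# NetIQ code). Usage: ./check_multitree.sh /etc/opt/novell/eDirAPI/conf/edirapi.conf \
#                                          /etc/opt/novell/eDirAPI/cert

# Print the comma-separated edir-hosts value from edirapi.conf, one entry per line.
edir_hosts() {
  sed -n 's/^edir-hosts="\([^"]*\)".*/\1/p' "$1" | tr ',' '\n' | sed '/^$/d'
}

# Return 0 when every entry has the form host:port with a numeric port, 1 otherwise.
check_hosts() {
  rc=0
  for entry in $(edir_hosts "$1"); do
    port="${entry##*:}"
    case "$entry" in
      *:*) ;;                                   # has a port separator
      *) echo "BAD  $entry: missing LDAPS port"; rc=1; continue ;;
    esac
    case "$port" in
      ''|*[!0-9]*) echo "BAD  $entry: port is not numeric"; rc=1; continue ;;
    esac
    echo "OK   $entry"
  done
  return $rc
}

# Count *.pem files in the directory that contain a PEM certificate block.
pem_count() {
  n=0
  for f in "$1"/*.pem; do
    [ -f "$f" ] || continue
    grep -q -- '-----BEGIN CERTIFICATE-----' "$f" && n=$((n+1))
  done
  echo "$n"
}

# Return 0 when there are at least as many PEM certs as configured trees.
check_cert_coverage() {
  hosts=$(edir_hosts "$1" | wc -l | tr -d ' ')
  certs=$(pem_count "$2")
  echo "trees=$hosts pem_certs=$certs"
  [ "$certs" -ge "$hosts" ]
}

if [ $# -eq 2 ]; then
  check_hosts "$1" && check_cert_coverage "$1" "$2"
fi
```

A tree whose CA certificate is missing from the cert directory will fail TLS validation at runtime, so fix any reported shortfall before restarting the service.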

2.1.5 Modifying Server Certificate in Standalone Identity Console

Perform the following steps to modify the server certificate in the standalone Identity Console:

  1. Run NLPCERT to store the keys:

    su - nds -c "LD_LIBRARY_PATH=/opt/novell/lib64/:/opt/novell/eDirectory/lib64/:/opt/netiq/common/openssl/lib64/ /opt/novell/eDirAPI/sbin/nlpcert -i /Expiredcert/noexpire/new-keys.pfx -o /etc/opt/novell/eDirAPI/conf/ssl/private/cert.pem"

  2. Restart Identity Console:

    systemctl restart netiq-identityconsole.service

2.1.6 Stopping and Restarting Standalone Identity Console

  • To stop Identity Console, run one of the following commands:

    /usr/bin/identityconsole stop

    or

    systemctl stop netiq-identityconsole.service

  • To restart Identity Console, run one of the following commands:

    /usr/bin/identityconsole restart

    or

    systemctl restart netiq-identityconsole.service

  • To start Identity Console, run one of the following commands:

    /usr/bin/identityconsole start

    or

    systemctl start netiq-identityconsole.service