You can deploy the Identity Console in one of the following ways:
NOTE: NetIQ recommends that when installing Identity Console and eDirectory on the same machine, the machine have at least one instance of eDirectory available.
This section covers how to deploy standalone Identity Console using the interactive installation method.
Log in to the Software License and Download portal and navigate to the Software Downloads page.
Select the following:
Product: eDirectory
Product Name: eDirectory per User Sub SW E-LTU
Version: 9.2
Download and extract the latest Identity Console build.
Navigate to the directory where you extracted the Identity Console build > IdentityConsole_<version>_Linux.
Run the following command while logged in as root or root-equivalent user:
./identityconsole_install
Read the Introduction, and then press ENTER.
Enter 'y' to accept the License Agreement. This will install all the required RPMs on your system.
Enter the Identity Console server’s hostname (FQDN)/IP address. For example, 10.10.33.100
If you press Enter without specifying an IP address, your system's IP address/hostname will be used by default.
Enter the port number on which Identity Console listens. The default value is 9000.
(Conditional) Do one of the following depending on your requirement:
If you do not want to integrate OSP with Identity Console, choose “n” and continue with Step 11.
If you want to integrate OSP with Identity Console, choose “y” and provide inputs for the following steps:
Enter the eDirectory/Identity Vault server’s Domain name/IP address with LDAPS port number.
For example:
192.168.1.1:636
Enter the eDirectory/Identity Vault username.
Example:
cn=admin,ou=org_unit,o=org
Enter the eDirectory/Identity Vault password.
Enter the eDirectory/Identity Vault password again to confirm the password.
Enter the OSP server domain name/IP address with SSO server SSL port number.
Enter the OSP client ID and OSP client password.
Enter the eDirectory/Identity Vault tree name.
Specify the eDirectory hosts to connect to. You can provide either IP addresses or domain names. For example: localhost:636,xx.xx.xx.xx:636 or edir.domain.com:636
NOTE: If you want Identity Console to connect to multiple eDirectory trees, enter the IP addresses or domain names separated by commas.
(Conditional) Do one of the following to import the CA certificate:
If you want to import the CA certificate from the server, input “y” and press Enter. Then, enter the eDirectory server domain name/IP address with LDAPS port number.
For example: 10.10.10.10:636
If you do not want to import the CA certificate from the server, input “n” and press Enter. Then, provide the location of your CA certificate directory path manually.
If you enter “q”, the installation will be terminated.
(Conditional) Do one of the following to generate a Server Certificate:
If you want to generate the Server Certificate, input “y” and press Enter. Provide inputs for the following steps:
Enter the eDirectory server domain name or IP address with LDAPS port number.
Enter the eDirectory user name. Example: cn=admin,o=novell.
Enter the eDirectory user password.
Re-enter the eDirectory user password.
Enter the server certificate name.
Example: servercert
Enter the server certificate password.
Example: password@123
Re-enter the server certificate password.
Example: password@123
If you already have a Server Certificate that you want to use, input “n” and press Enter. Provide inputs for the following steps:
Specify the location of your Server Certificate directory path manually.
For example, /home/cert/keys.pfx
Enter the server certificate password.
Re-enter the server certificate password.
NOTE:
You can find the following log files in the /var/opt/novell/eDirAPI/log directory:
edirapi.log - This file logs edirapi events and debugging issues.
edirapi_audit.log - This file logs edirapi audit events. The logs follow a CEF auditing format.
identityconsole_install.log - This file logs Identity Console events.
You can check the logs for Identity Console start and stop operations in the /var/log/messages file.
When you are generating the CA certificate and Server Certificate, make sure to run the Identity Console installer from the IdentityConsole_<version>_Linux directory in the extracted location.
If the installation fails, you do not need to uninstall the existing Identity Console; instead, run the following command:
/usr/bin/identityconsoleConfigure
You have the option to obtain CA Certificates and Server Certificates for other trees using the following tools or utilities.
Download and extract the latest Identity Console build.
Navigate to the directory where you extracted the Identity Console build > IdentityConsole_<version>_Linux.
Run the following command while logged in as root or root-equivalent user.
./get_cacert
Enter the eDirectory IP address with LDAPS port number. For example: 10.10.10.10:636.
Trusted root certificate(s) copied successfully from server to /tmp/SSCert.pem.
Download and extract the latest Identity Console build.
Navigate to the directory where you extracted the Identity Console build > IdentityConsole_<version>_Linux.
Run the following command while logged in as root or root-equivalent user.
./get_servercert <eDirectory IP address with LDAPS port number> <eDirectory/Identity Vault username> <userpassword> <server certificate name> <server certificate password> <path_of_CA_certificate with filename> <path of server certificate with filename>
Example:
./get_servercert 10.10.10.10:636 cn=admin,ou=org_unit,o=org password keys password /var/opt/novell/eDirectory/data/SSCert.pem /home/user/keys.pfx
Silent installation enables you to install Identity Console without any interactive input. To use this method, you must define your options for installing Identity Console in the silent_properties file and then run the installation process from the command line. To create the silent_properties file, you can use the create_silent_properties utility that comes with Identity Console version 1.7.2 and later. After you generate the properties file, the system uses the information from it to complete the installation silently.
Before starting the silent installation, ensure that you meet all the prerequisites.
To generate the silent properties file:
Navigate to the IdentityConsole_<version>_Linux directory in the location where you have extracted the Identity Console build.
Run the following command to use the create_silent_properties utility:
./create_silent_properties
Enter the Identity Console server hostname or IP address. For example, 10.0.0.1.
Enter the port number on which you want Identity Console to listen. For example, 9000.
(Conditional) Do one of the following depending on your requirement:
If you do not want to integrate OSP with Identity Console, choose “n” and continue with Step 6.
If you want to integrate OSP with Identity Console, choose “y” and provide inputs for the following steps:
Enter the eDirectory/Identity Vault server’s Domain name/IP address with LDAPS port number.
For example:
192.168.1.1:636
Enter the eDirectory/Identity Vault username.
Example:
cn=admin,ou=org_unit,o=org
Enter the eDirectory/Identity Vault password.
Enter the eDirectory/Identity Vault password again to confirm the password.
Enter the OSP server domain name/IP address with SSO server SSL port number.
Enter the OSP client ID and OSP client password.
Enter the eDirectory/Identity Vault tree name.
Enter the eDirectory server host names or IP address to which you want Identity Console to establish a connection. For example, 10.10.10.10:636.
Enter the directory path of the server certificate, including the filename. For example, /home/cert/keys.pfx.
Enter the server certificate password.
Re-enter the server certificate password.
The silent_properties file is generated in the IdentityConsole_<version>_Linux directory.
To perform a silent installation:
After generating the silent_properties file, run the installer in silent mode with the following command:
./identityconsole_install -s silent_properties
Enter the eDirectory server Domain name/IP address with LDAPS port number. For example: 10.10.10.10:636
You can find installation-related logs in the identityconsole_install.log file in the Identity Console installation directory.
To connect Identity Console to multiple eDirectory trees, you must provide the eDirectory IP addresses and LDAPS ports, separated by commas, in the edirapi.conf file located at /etc/opt/novell/eDirAPI/conf/. You must also copy the CA certificates from all the eDirectory trees to the /etc/opt/novell/eDirAPI/cert/ directory.
For example, to connect Identity Console to three eDirectory trees, provide the IP address in the following format:
edir-hosts="10.0.0.1:636,10.0.0.2:636,10.0.0.3:636"
Then copy the CA certificates as follows:
cp /home/user/SSCert1.pem /etc/opt/novell/eDirAPI/cert/SSCert1.pem
cp /home/user/SSCert2.pem /etc/opt/novell/eDirAPI/cert/SSCert2.pem
cp /home/user/SSCert3.pem /etc/opt/novell/eDirAPI/cert/SSCert3.pem
Run one of the following commands to restart Identity Console:
/usr/bin/identityconsole restart
systemctl restart netiq-identityconsole.service
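Before restarting, it is worth confirming that the edir-hosts line parses cleanly and that a CA certificate is present for every tree, since a malformed entry or a missing trusted root only surfaces as a failed connection after the restart. The following pre-flight check is an added example, not a utility shipped with Identity Console; the function name check_edir_hosts and its two optional path arguments are assumptions, and the default paths are the ones named above.

```shell
# Added example (not part of the NetIQ documentation or product):
# validate a multi-tree edirapi.conf before restarting Identity Console.
# Usage: check_edir_hosts [edirapi.conf path] [CA certificate directory]
check_edir_hosts() {
    conf="${1:-/etc/opt/novell/eDirAPI/conf/edirapi.conf}"
    certdir="${2:-/etc/opt/novell/eDirAPI/cert}"
    rc=0

    # Pull the quoted value out of the edir-hosts="..." line.
    hosts=$(sed -n 's/^[[:space:]]*edir-hosts="\([^"]*\)".*/\1/p' "$conf")
    if [ -z "$hosts" ]; then
        echo "no edir-hosts entry found in $conf" >&2
        return 1
    fi

    # Each comma-separated entry must be host:port with a numeric port.
    ntrees=0
    for entry in $(printf '%s' "$hosts" | tr ',' ' '); do
        host=${entry%:*}
        port=${entry##*:}
        case "$port" in
            ''|*[!0-9]*) echo "bad port in entry '$entry'" >&2; rc=1; continue ;;
        esac
        if [ "$host" = "$entry" ] || [ -z "$host" ] || [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "bad host:port entry '$entry'" >&2; rc=1; continue
        fi
        # Identity Console talks LDAPS to eDirectory; anything else deserves a look.
        [ "$port" -eq 636 ] || echo "warning: '$entry' does not use LDAPS port 636" >&2
        ntrees=$((ntrees + 1))
    done

    # Every file in the cert directory must be a PEM certificate, and there
    # must be at least one trusted root per configured tree.
    ncerts=0
    for f in "$certdir"/*.pem; do
        [ -f "$f" ] || continue
        if grep -q '^-----BEGIN CERTIFICATE-----' "$f"; then
            ncerts=$((ncerts + 1))
        else
            echo "$f is not a PEM certificate" >&2; rc=1
        fi
    done
    if [ "$ncerts" -lt "$ntrees" ]; then
        echo "only $ncerts CA certificate(s) in $certdir for $ntrees tree(s)" >&2; rc=1
    fi
    return $rc
}
```

Run it as the root-equivalent user after editing edirapi.conf and copying the certificates; a zero exit status means the configuration is consistent and the restart can proceed.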
Perform the following steps to modify the server certificate in standalone Identity Console:
Run NLPCERT to store the keys:
su - nds -c "LD_LIBRARY_PATH=/opt/novell/lib64/:/opt/novell/eDirectory/lib64/:/opt/netiq/common/openssl/lib64/ /opt/novell/eDirAPI/sbin/nlpcert -i /Expiredcert/noexpire/new-keys.pfx -o /etc/opt/novell/eDirAPI/conf/ssl/private/cert.pem"
Restart Identity Console:
systemctl restart netiq-identityconsole.service
To stop Identity Console, run one of the following commands:
/usr/bin/identityconsole stop
or
systemctl stop netiq-identityconsole.service
To restart Identity Console, run one of the following commands:
/usr/bin/identityconsole restart
or
systemctl restart netiq-identityconsole.service
To start Identity Console, run one of the following commands:
/usr/bin/identityconsole start
or
systemctl start netiq-identityconsole.service