2.7 Prerequisites for Installing Identity Governance

2.7.1 General Prerequisites for Identity Governance

  • You can install Identity Governance and OSP in a stateless cluster. For more information about the installation requirements, see Ensuring High Availability for Identity Governance.

  • For best performance, do not install Identity Governance on the same server as its databases. However, the Identity Governance server must have the supported versions of Java and the Tomcat application server installed.

  • Do not install Identity Governance or its database on a server that is already running components for Identity Manager. For example, do not install on the same server as Identity Manager Home and Provisioning Dashboard.

  • You must use Latin-1 characters in the installation path.

  • Do not use mixed-case domain names. Identity Governance uses OAuth for authentication, and OAuth does not support mixed-case domains because endpoints are compared as plain strings. For more information, see RFC 3986, Section 6.2.1, Simple String Comparison.

  • To use an authentication server as your data source for Identity Governance users, ensure that you have Active Directory or eDirectory already installed. For more information, see Adding Identity Governance Users.

  • When you point to the installation directory for Java, it must be a supported Oracle Java instance used by the Tomcat server. The application does not work with IBM Java.

  • Ensure that the communication ports that you want to use are open in the firewall.

  • To integrate Identity Governance with Identity Manager, the Identity Manager component must already be installed and configured with OSP.

  • To use TLS auditing, the audit server should be up and running when you install Identity Governance so that the installer can connect to the audit server and retrieve the certificate to add to the keystore.

  • Before installing Identity Governance, you need the following information:

    • Paths to your Apache Tomcat and Java directories.

    • Credentials of a database administrator (DBA) account that can access and modify data in the databases to create database tables, views, and other artifacts.

      NOTE: If you do not have credentials for the DBA, the installation process can generate a SQL script that the DBA runs to configure the databases.

    • IP address or DNS host name and port of your Identity Governance server. Login users will use this information in the URL for Identity Governance.

    • (Conditional) When using an LDAP authentication server, you need the following information:

      • Credentials of an administrator account for the server.

      • The container in the server where you store administrator accounts.

      • The container in the server where you store the accounts for users who can log in to Identity Governance.

    • (Conditional) To use an Identity Manager authentication server, you must have the DN, password, user container, and admin container of an administrator account for the server.

    • (Conditional) To use an Identity Manager authentication server or TLS auditing, you must have the keystore password for the server.

    • IP address or DNS host name and port of your database server.

    • IP address or DNS host name and port of your ActiveMQ server, if it is installed on a separate server.
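A preflight check for the Latin-1 installation path and mixed-case domain requirements listed above, added here as an example; it is not part of the Identity Governance kit or its documentation, and the sample paths and URLs are constructed.

```python
from urllib.parse import urlsplit

# Constructed sample values for the demonstration; not taken from a real deployment.
SAMPLE_PATH_OK = "/opt/netiq/idm/apps/d\u00e9ploiement"   # U+00E9 is within Latin-1
SAMPLE_PATH_BAD = "/opt/netiq/idm/apps/ガバナンス"          # katakana is outside Latin-1
SAMPLE_URL_OK = "https://ig.example.com:8443"
SAMPLE_URL_BAD = "https://IG.Example.com:8443"


def check_install_path(path):
    """Return a list of problems with an installation path; [] means acceptable.

    The installer accepts Latin-1 (ISO-8859-1) characters only, i.e. code points
    U+0000 to U+00FF, so every character above that range is reported.
    """
    return [f"non-Latin-1 character {ch!r} at offset {i}"
            for i, ch in enumerate(path) if ord(ch) > 0xFF]


def raw_host(url):
    """Host part of a URL with its original letter case preserved.

    urlsplit().hostname lowercases the host, which would hide exactly the
    mixed-case problem we are looking for, so the netloc is split by hand.
    """
    netloc = urlsplit(url).netloc.rsplit("@", 1)[-1]
    if netloc.startswith("["):                  # bracketed IPv6 literal
        return netloc[:netloc.index("]") + 1]
    return netloc.split(":", 1)[0]


def check_base_url(url):
    """Return a list of problems with the Identity Governance base URL.

    OAuth endpoints are compared with RFC 3986 section 6.2.1 simple string
    comparison, so "IG.Example.com" and "ig.example.com" are different
    strings even though DNS treats them as the same host.
    """
    parts = urlsplit(url)
    host = raw_host(url)
    problems = []
    if parts.scheme not in ("http", "https"):
        problems.append(f"unexpected scheme {parts.scheme!r}")
    if not host:
        problems.append("missing host")
    elif host != host.lower():
        problems.append(f"mixed-case host {host!r}; use {host.lower()!r}")
    return problems


def simple_string_equal(uri_a, uri_b):
    """RFC 3986 section 6.2.1: URIs match only if identical character by character."""
    return uri_a == uri_b
```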

2.7.2 Prerequisites for the Identity Governance Databases

Review the following considerations before installing Identity Governance:

  • For best performance, do not install Identity Governance on the database server. However, the database server and the Identity Governance server must run in the same subnetwork. Also, ensure that the database server is running the supported versions of Java and the Tomcat application server.

  • You can install the version of PostgreSQL bundled with Identity Governance in an environment that runs an older version of the database program. To ensure that the new installation does not overwrite the previous version, specify a different directory for the files.

  • (Conditional) To use an Oracle database with Identity Governance, you must install the database with the Identity Governance admin user for the database before installing Identity Governance. For more information, see Section 7.0, Completing the Installation Process.

  • (Conditional) To install the databases in a clustered environment, see Ensuring High Availability for Identity Governance.

2.7.3 Prerequisites for the Tomcat Application Server

Review the following considerations before installing Tomcat:

  • We highly recommend that you configure Tomcat to use HTTPS with either TLSv1.2 or TLSv1.1. Do not use any earlier version of TLS. For more information, see Securing Tomcat.

  • You can install Tomcat, PostgreSQL, and ActiveMQ on the same server or on separate servers.

  • If selected, the installation process installs the supported version of Apache ActiveMQ.

  • If Tomcat or ActiveMQ is installed, the Oracle JRE is automatically included.

  • You can use your own Tomcat installation program instead of the one provided in the Identity Governance installation kit.

  • To use ActiveMQ, which guarantees that notifications are sent using SMTP, install MQServer.

  • The installation process sets the JRE location in the setenv.sh file.

    • Linux: Default location in /opt/netiq/idm/apps/tomcat/bin/

    • Windows: Default location in c:\netiq\idm\apps\tomcat\bin\

  • (Conditional) If you use Linux, do not run Tomcat as root. The installation process creates a user account for the Tomcat service, which should not be root.
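An added example, not from the Identity Governance kit or its documentation, that audits the Connector elements of a Tomcat server.xml against the TLS requirement above; the two server.xml fragments are constructed, and the hardened one shows the corrected sslEnabledProtocols setting.

```python
import xml.etree.ElementTree as ET

# Protocol versions older than TLSv1.1; any HTTPS connector enabling one is flagged.
FORBIDDEN_PROTOCOLS = {"SSLv2", "SSLv2Hello", "SSLv3", "TLSv1"}

# Constructed server.xml fragments (not a real deployment); attribute names are Tomcat's own.
WEAK_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             SSLEnabled="true" scheme="https" secure="true"
             sslEnabledProtocols="SSLv3,TLSv1,TLSv1.1,TLSv1.2"
             keystoreFile="conf/tomcat.ks" keystorePass="changeit"/>
</Service></Server>"""

HARDENED_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             SSLEnabled="true" scheme="https" secure="true"
             sslEnabledProtocols="TLSv1.2"
             keystoreFile="conf/tomcat.ks" keystorePass="changeit"/>
</Service></Server>"""

def enabled_protocols(conn):
    """Protocols enabled on an SSL connector, or None if it is not SSL-enabled.
    Handles the Connector's sslEnabledProtocols attribute and the protocols
    attribute of a nested SSLHostConfig (Tomcat 8.5+); ',' or '+' separate
    entries and a leading '-' marks an exclusion."""
    if conn.get("SSLEnabled", "false").lower() != "true":
        return None
    raw = [conn.get("sslEnabledProtocols", "")]
    raw += [cfg.get("protocols", "") for cfg in conn.findall("SSLHostConfig")]
    protos = set()
    for entry in ",".join(raw).replace("+", ",").split(","):
        entry = entry.strip()
        if entry and not entry.startswith("-"):
            protos.add(entry)
    return protos

def audit_server_xml(xml_text):
    """Return {port: [findings]} for every Connector; an empty list means acceptable."""
    findings = {}
    for conn in ET.fromstring(xml_text).iter("Connector"):
        port = conn.get("port", "?")
        protos = enabled_protocols(conn)
        if protos is None:
            findings[port] = ["not SSL-enabled; Identity Governance should be served over HTTPS"]
        elif not protos or "all" in protos:
            findings[port] = ["protocol list empty or 'all'; the JVM default may enable TLSv1 or older"]
        else:
            findings[port] = [f"forbidden protocol {p}" for p in sorted(protos & FORBIDDEN_PROTOCOLS)]
    return findings
```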

2.7.4 Prerequisites for One SSO Provider

Before installing OSP, it is important that you review the following considerations:

  • (Conditional) Even if you installed OSP with Identity Manager 4.5 or later, you must install OSP with Identity Governance.

  • (Conditional) OSP requires trust certificates configured for secure communication for user authentication in a production environment. Depending on your Identity Governance solution, OSP might need to communicate with an authentication server, a SAML provider, or one or more Advanced Authentication Framework servers. For more information, see Understanding the Keystore for the Authentication Server.

  • OSP requires a public/private key pair for use during normal operations to generate other key material. The installation program automatically creates the keypair and places it in the osp.jks file.

  • (Conditional) If you set up multiple instances of OSP for use in a high availability cluster, copy the osp.jks file from the installed location on the first server to the same location on the other member servers in the cluster. OSP must use the same key material.

2.7.5 Prerequisites for Identity Reporting

Review the following prerequisites and considerations before installing Identity Reporting:

  • This guide provides information about installing Identity Reporting for use with Identity Governance only. If you have already installed Identity Reporting with Identity Manager 4.5 or later, you might not need to install it again for Identity Governance. Ensure that you have the appropriate version of Identity Reporting. For more information, see the NetIQ Identity Governance 3.0.1 Release Notes. For more information about installing with Identity Manager, see:

  • You can install Identity Reporting on the same server as Identity Governance, and the two products use the same Tomcat instance, or you can install it on a separate server running Tomcat.

  • (Conditional) To run reports against a Microsoft SQL Server database, you must install the appropriate JDBC file. For example, sqljdbc42.jar.

  • (Conditional) To run reports against an Oracle 12c database, you must install the appropriate JDBC file. For example, ojdbc7.jar.

  • Assign the Report Administrator authorization to any users that you want to be able to access reporting functionality.

  • Ensure that all servers in your Identity Governance environment are set to the same time, particularly the servers for the database and events auditing components. If you do not synchronize the time on your servers, some reports might be empty when executed. For example, this issue can affect data related to new users when the servers hosting Identity Governance and the reporting databases have different time stamps.