The following procedure describes how to install Identity Governance and Identity Reporting using an installation wizard, either in GUI format or from the console. To prepare for the installation, review the considerations and system requirements listed in the following sections:
Release Notes accompanying the release
To perform a silent, unattended installation, see Performing a Silent Installation of Identity Governance.
To install Identity Governance:
Log in as root on Linux server or as an administrator on Windows server to the server where you want to install Identity Governance.
Stop Tomcat. For examples, see Stopping, Starting, and Restarting Tomcat.
From the directory that contains the installation files, complete one of the following actions:
Linux: Use one of the following commands to install Identity Governance on Linux.
To use the console: enter ./identity-governance-install-linux.bin -i console
To use the wizard: enter ./identity-governance-install-linux.bin
Windows: Use one of the following commands to install Identity Governance on Windows.
To use the console: enter cmd /c "identity-governance-install-win.exe -i console"
To use the wizard: double-click identity-governance-install-win.exe
NOTE:To execute the file, you might need to use the chmod +x or sh command for Linux or log in to your Windows server as an administrator.
Accept the license agreement, and then select Next.
Select whether to install Identity Governance, Identity Reporting, or both.
Specify an installation path for each installed feature.
Complete the guided process, using the following parameters:
Tomcat installation
Represents the settings for the Tomcat installation that hosts Identity Governance. In a clustered environment, specify runtime values for each node where you install Identity Governance.
Specifies the path to the Tomcat installation.The installation process adds or modifies some files for Identity Governance to this folder.
Linux: /opt/apache-tomcat-x.x.xx
Windows: c:\netiq\idm\apps\tomcat-x.x.xx
Specifies the DNS name or IP address for the Tomcat installation.
Specifies the port that Tomcat uses to listen for communication from Identity Governance or the load balancers.
In a non-clustered environment, you can specify the local server name.
In clustered environment, specifies the unique name for the current node. For example, node1 or ProdNode1. Do not use the server’s name, which might change according to a DHCP assignment.
Tomcat Java Home
Represents the path to the Oracle Java instance that Tomcat uses. For example, /root/jdk1.x.x_xx. The installation process adds some files for Identity Governance to the Tomcat home folder.
Application address
Represents the settings of the URL that users need to connect to the Identity Governance. For example, https://myserver.mycompany.com:8443.
Specifies whether you want to use http or https. To use Secure Sockets Layer (SSL) for communications, specify https.
Do not use localhost.
In a non-clustered environment, specifies the DNS name or IP address of the server hosting Identity Governance.
In a clustered environment, specifies the DNS name of the server that hosts the load balancer that you want to use. For more information about installing in a clustered environment, see Ensuring High Availability for Identity Governance.
Specifies the port that you want the server to use for communication with client computers. The default is 8080. To use SSL, the default is 8443.
When installing in a clustered environment, specify the port for the load balancer.
Authentication details
Represents the requirements for connecting Identity Governance to the LDAP authentication server (for example, OSP) that contains the list of users who can log in to the application. For more information about the authentication server, see Understanding Authentication for Identity Governance.
NOTE:In a clustered environment where the osp.war file resides behind the load balancer, specify the host and port for the load balancer’s server rather than the authentication server.
Specifies the password that you want to create for Identity Governance to use when connecting to the LDAP authentication server. Also referred to as the client secret.
Change this only when you choose to connect to an external authentication server.
Specifies whether you want to use http or https when connecting with the external LDAP authentication server. To use Secure Sockets Layer (SSL) for communications, specify https.
Change this only when you choose to connect to an external authentication server.
Specifies the IP address or DNS host name of the LDAP authentication server or load balancer. Do not use localhost.
Change this only when you choose to connect to an external authentication server.
Specifies the port that you want the LDAP authentication server or load balancer to use for communication with Identity Governance.
Bootstrap administrator details
Represents the credentials for the bootstrap administrator. For more information, see Understanding the Bootstrap Administrator for Identity Governance.
Specifies the name of the bootstrap administrator account. The default value is igadmin.
(Conditional) When connecting to an existing Identity Manager authentication server, specify the full DN of a unique identity that already exists and can access Identity Manager Home as a bootstrap administrator. For example, cn=uaadmin,ou=sa,o=data.
NOTE:
If you use an Identity Vault user as a bootstrap administrator, you must configure Identity Governance to use Identity Vault instead of File in the Identity Governance Configuration Utility (/idgov/bin/configutil.sh or \idgov\bin\configutil.cmd). The Bootstrap Administrator section on the Authentication Server Details tab contains this setting.
The name of this account must be unique. Do not duplicate any accounts in the adminusers.txt file or in the container source or subtrees that you use for authentication.
Specifies the password for the bootstrap administrator account.
ActiveMQ details
(Optional) Represents the settings for ActiveMQ, which guarantees that notifications are sent using SMTP from Identity Governance.
For more information about configuring ActiveMQ in a clustered environment, see Configuring ActiveMQ Failover in the Tomcat Cluster.
Specifies the DNS name or the IP address of the server that hosts the ActiveMQ instance.
Specifies the port that the server uses for ActiveMQ.
Database Type
Specifies the platform you want to use for the Identity Governance databases.
For more information about supported versions, see Database Server System Requirements.
Database details
Represents the settings for the Identity Governance databases. For more information, see Understanding the Identity Governance and Reporting Databases.
To connect to an existing database instance, you must specify the names of the existing databases to match with the operations, data collection, workflow, and analytics databases.
In a clustered environment, perform the configuration steps only on the primary node in the cluster. For more information about installing in a clustered environment, see Ensuring High Availability for Identity Governance.
Specifies that you want to configure your new or existing databases as part of the installation process.
NOTE:Ensure that you specified the correct names for the existing databases.
Specifies that you want to generate the SQL scripts that the database administrator can run in your database platform to create the databases and other artifacts.
The installation process stores the scripts in the ./idgov/sql directory. If you are installing Identity Reporting at this time, the installation process stores the scripts in the ./idrpt/sql directory. For more information about using the files, see Section 7.0, Completing the Installation Process.
Specifies that you do not want to configure a new or existing database.
Use this setting when you install Identity Governance on a secondary node in the cluster. For more information, see Ensuring High Availability for Identity Governance.
Specifies the DNS name or the IP address of the server that hosts the Identity Governance databases.
Specifies the port of the server that hosts the Identity Governance databases. The default values are 1433 for MS SQL Server, 1521 for Oracle and 5432 for PostgreSQL.
Applies only when using an MS SQL Server database
Specifies the path to the JAR file for the MS SQL Server JDBC driver. Microsoft provides this file.
Applies only when using an Oracle database
Specifies the path to the JAR file for the Oracle JDBC driver. For example, /opt/oracle/ojdbc7.jar.
Oracle provides the driver JAR file, which represents the Thin Client JAR for the database server.
Applies only when using an Oracle database
Specifies the name of the database to which you want to add the Identity Governance databases. For example, Orclidentitygovernance.
Applies only when using an Oracle database
Specifies the name of the database storage unit for storing the schema for the Identity Governance databases. The default is USERS.
Applies only when using an Oracle database
Specifies the name of the temporary database storage unit for storing the schema. The default is TEMP.
Specifies the name of the database that stores operations data for Identity Governance. The default value is igops.
NOTE:If you created a blank database for the operations data, ensure that you specify the exact name of the existing, empty database.
Specifies the name of the database that stores data collection information for Identity Governance. The default value is igdcs.
NOTE:If you created a blank database for the data collection information, ensure that you specify the exact name of the existing, empty database.
Specifies the name of the database that stores workflow information for Identity Governance. The default value is igwf.
NOTE:If you created a blank database for the workflow data, ensure that you specify the exact name of the existing, empty database.
Specifies the name of the database that stores analytics information for Identity Governance. The default value is igara.
NOTE:If you created a blank database for the analytics data, ensure that you specify the exact name of the existing, empty database.
Specifies the password for the database account administrator that can create database tables, views, and other artifacts in the Identity Governance databases.
Specifies the account for a database user that has rights to the views related to reporting for Identity Governance. The default value is igrptuser.
The installation process creates this account if you select Configure database now and Update (rather than Use only existing).
Specifies the password for the reporting user specified above.
Specifies the account for a database administrator that the installation process can use to configure the databases for Identity Governance.
WARNING:Do not use the default database administrator account (idmadmin) if that account was created when you installed PostgreSQL and Tomcat.
Specifies the password for the database administrator.
Applies only when you choose to configure the database during the installation.
Specifies whether you want to have the installation process migrate or create new databases or use existing, empty databases. Select Update if you are installing or upgrading Identity Governance.
NOTE:To use existing databases, the installation program drops known tables and views within each schema and then adds the needed tables and views that it needs for the current version.
Identity Audit
Represents the settings for collecting auditing events that occur in the Identity Governance server.
Specifies whether you want to send Identity Governance log events to an auditing server.
If you select this setting, also specify the audit server details.
Applies only when you enable identity auditing.
Specifies the IP address or DNS name of the audit server.
Applies only when you enable identity auditing.
Specifies the port to use for sending log events to the audit server.
Applies only when you enable identity auditing.
Specifies the location of the cache directory on the Identity Governance server that you want to use to store log events. For example:
Linux: /opt/netiq/idm/apps/audit
Windows: C:\netiq\idm\apps\audit
Applies only when you enable identity auditing.
Specifies whether to use TLS (TCP using SSL). If not selected, events are sent using TCP.
Applies only when you want to use TLS for audit events.
Specifies the path to the keystore file location for trusting the audit server certificate. For example:
Linux: /opt/netiq/idm/apps/jre/lib/security/cacerts
Windows: C:\netiq\idm\apps\jre\lib\security\cacerts
Applies only when you want to use TLS for audit events.
Specifies the password for the trust store file.
Applies only when you want to use TLS for audit events.
Specifies whether to attempt to connect to the audit server and trust the retrieved certificate within a copy of the trust store file. The actual trust occurs during the installation process.
NOTE:Attempting a TLS connection on a TCP port results in a timeout after 5 seconds. Be sure to specify a secure audit port if you select to use TLS.
Review the pre-installation summary.
NOTE:Application URL represents the URL that connects users to Identity Governance.
Start the installation process.
When the installation process completes, select Done.
Continue to Section 7.0, Completing the Installation Process.
NOTE:Do not start Tomcat.