4.2 Using the Wizard to Install One SSO Provider

The following procedure describes how to install OSP using an installation wizard, either in the GUI format or from the console. To prepare for the installation, review the considerations and system requirements listed in the following sections:

To perform a silent, unattended installation, see Silently Installing One SSO Provider.

To install OSP:

  1. Log in as root on the Linux server, or as an administrator on the Windows server, where you want to install OSP.

  2. Stop Tomcat. For examples, see Stopping, Starting, and Restarting Tomcat.

  3. From the directory that contains the installation files, complete one of the following actions:

    • Linux (console): Enter ./osp-install-linux.bin -i console

    • Linux (GUI): Enter ./osp-install-linux.bin

    • Windows (console): Enter cmd /c "osp-install-win.exe -i console"

    • Windows (GUI): Double-click osp-install-win.exe

    NOTE: On Linux, you might need to make the file executable with chmod +x, or run it with sh. On Windows, you must be logged in as an administrator.

  4. Accept the license agreement, and then select Next.

  5. Specify a path for the installed files.

  6. Complete the guided process, using the following parameters:

    • Tomcat details

      Represents the home directory for the Tomcat server. The installation process adds some files for OSP to this folder.

      • Linux: Default location of /opt/netiq/idm/apps/tomcat

      • Windows: Default location of c:\netiq\idm\apps\tomcat

    • Tomcat Java home

      Represents the home directory for Java on the Tomcat server. The installation process adds some files for OSP to the directory.

      • Linux: Default location of /opt/netiq/idm/apps/jre

      • Windows: Default location of c:\netiq\idm\apps\jre

    • Application address

      Represents the URL that users enter to connect to OSP, for example https://myserver.mycompany.com:8443.

      The installation program creates a certificate in the osp.jks file that is issued for the specified host name, so enter the name that users (or, in a cluster, the load balancer) will actually use.

      Protocol

      Specifies whether to use http or https. To encrypt traffic between users and OSP with SSL/TLS, specify https. With http, user credentials and session cookies cross the network in cleartext.

      If you specify https, ensure that you have configured your server for SSL communications. For more information, see Understanding the Keystore for the Authentication Server.

      Host Name

      Do not use localhost.

      In a non-clustered environment, specifies the DNS name or IP address of the Tomcat server where you are installing OSP.

      In a clustered environment, specifies the DNS name of the server that hosts the load balancer that you want to use. For more information about installing in a clustered environment, see Ensuring High Availability for Identity Governance.

      Port

      Specifies the port that you want the server to use for communication with users’ computers.

      When installing in a clustered environment, specify the port for the load balancer.

    • Login screen customization

      (Optional) Represents the organization name displayed on the login screen for users. The default value is NetIQ Access. Keep in mind the following points:

      • Accepts only printable ASCII characters (0x20 to 0x7E)

      • Dollar signs and backslashes must be escaped with a backslash (\$ and \\)

      • Escaped backslashes are not displayed

      • Apostrophes and spaces are converted into the pseudo-tags [apos] and [nbsp], respectively

      • The installer stores the result in oidp_enduser_custom_resources_en_US.properties.

    • Authentication details

      Represents the requirements for connecting to an authentication server that contains the list of users who can log in to the application. For more information about the authentication server, see Understanding Authentication with One SSO Provider.

      LDAP host

      Specifies the DNS name or IP address of the LDAP authentication server, that is, the directory server that holds the user accounts (identified by their distinguished names).

      Do not use localhost unless you intend to authenticate against a CSV file instead of a directory server. (Test environments only)

      LDAP port

      Specifies the port on which the LDAP authentication server accepts connections from Identity Governance. For example, specify 389 for unencrypted LDAP or 636 for LDAP over SSL.

      Use SSL

      Specifies whether to use the Secure Sockets Layer protocol for connections between Identity Governance and the authentication server. Without SSL, the Admin DN password and every user's bind password travel over the network in cleartext.

      JRE Trust store (cacerts) file

      Applies only when you want to use SSL for the LDAP connection or TLS for audit events.

      Specifies the path to the JRE trust store (cacerts) that the installer uses to validate the LDAP server certificate (and the audit server certificate, when you use TLS for audit events).

      • Linux: For example, /opt/netiq/idm/apps/jre/lib/security/cacerts

      • Windows: For example, c:\netiq\idm\apps\jre\lib\security\cacerts

      JRE Trust store password

      Applies only when you want to use SSL for the LDAP connection or TLS for audit events.

      Specifies the password for the cacerts file. The JRE default is changeit.

      Admin DN

      Applies only when installing a new authentication server.

      Specifies the DN for an administrator account of the LDAP authentication server. For example, cn=admin,ou=sa,o=system.

      Admin password

      Applies only when installing a new authentication server.

      Specifies the password for the administrator account of the LDAP authentication server.

      User container

      Applies only when installing a new authentication server.

      Specifies the container in the LDAP authentication server where you store the user accounts that can log in to Identity Governance. For example, o=data.

      Admin container

      Applies only when installing a new authentication server.

      Specifies the search context for the Identity Governance administrator accounts in the LDAP authentication server. In most cases, this value is the same as the container in the Admin DN field. For example, ou=sa,o=system.

      Keystore Password

      Applies only when installing a new authentication server.

      Specifies the password that you want to create for the new keystore for the LDAP authentication server.

      The password must be at least six characters long.

    NOTE: After collecting the authentication details, the installer uses them to connect to the LDAP server and tries to determine whether the server is Active Directory (AD) or eDirectory (eDir). If this test fails, the installer prompts you to select the LDAP server type.

    • Auditing details

      Represents the settings for auditing the OSP events that occur on the authentication server.

      Enable auditing for OSP

      Specifies whether you want to send OSP events to an auditing server.

      If you select this setting, also specify the location for the audit log cache.

      Protocol

      Applies only when you enable auditing for OSP.

      Specifies whether to use TCP (the default), TLS (TCP with SSL encryption), or UDP. Only TLS protects audit events in transit; TCP and UDP send them in cleartext, and UDP also gives no delivery guarantee.

      Audit server

      Applies only when you enable auditing for OSP.

      Specifies the host name of the auditing server.

      Audit port

      Applies only when you enable auditing for OSP.

      Specifies the port to use for communication using the selected protocol.

      Audit events cache

      Applies only when you enable auditing for OSP.

      Specifies the location of the cache directory that you want to use for auditing.

      • Linux: For example, /opt/netiq/idm/apps/audit

      • Windows: For example, c:\netiq\idm\apps\audit

  7. Review the pre-installation summary.

  8. Start the installation process.

  9. When the installation process completes, select Done.
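Before starting the installer, it helps to check the wizard answers against the rules in step 6 in one place. The following Python pre-flight checker is an added example written for this page; it is not part of the OSP installer or the NetIQ documentation, and its field names, sample host names and passwords are constructed for the example. It enforces the page's rules (no localhost host name, printable ASCII and escaping for the organization name, a trust store when LDAP SSL or audit TLS is used, the usual Admin DN / Admin container relationship, the six-character keystore minimum, the audit transport choices) and adds warnings that go beyond the page but reflect general practice: cleartext http or LDAP, the JRE default trust store password, and unencrypted audit transport.

```python
import re
from dataclasses import dataclass

LOOPBACK = {"localhost", "127.0.0.1", "::1"}
PRINTABLE_ASCII = re.compile(r"^[\x20-\x7e]*$")  # the character set the wizard accepts

@dataclass
class OspAnswers:                 # field names are this example's own, not installer keys
    protocol: str                 # http or https
    host: str                     # Tomcat host, or the load balancer in a cluster
    port: int
    org_name: str                 # login screen customization, as you want it displayed
    ldap_host: str
    ldap_port: int
    use_ssl: bool
    trust_store: str              # JRE cacerts; needed for LDAP over SSL or audit over TLS
    trust_store_password: str
    admin_dn: str
    admin_container: str
    keystore_password: str
    audit_enabled: bool = False
    audit_protocol: str = "TCP"   # TCP, TLS or UDP
    audit_server: str = ""
    audit_cache: str = ""

def rdns(dn: str) -> list[str]:
    """Split a DN on commas that are not backslash-escaped; normalized for comparison."""
    return [p.strip().lower() for p in re.split(r"(?<!\\),", dn)]

def dn_container(dn: str) -> str:
    """'cn=admin,ou=sa,o=system' -> 'ou=sa,o=system'."""
    return ",".join(rdns(dn)[1:])

def escaped_org_name(name: str) -> str:
    """The value to type into the wizard: dollar signs and backslashes escaped."""
    if not PRINTABLE_ASCII.match(name):
        raise ValueError("organization name must be printable ASCII (0x20-0x7E)")
    return name.replace("\\", "\\\\").replace("$", "\\$")

def preflight(a: OspAnswers) -> list[tuple[str, str]]:
    """(level, message) findings. ERROR: a rule from the page is violated; WARN: works, but risky."""
    f: list[tuple[str, str]] = []
    def err(m): f.append(("ERROR", m))
    def warn(m): f.append(("WARN", m))
    # Application address
    if a.protocol not in ("http", "https"):
        err(f"protocol must be http or https, got {a.protocol!r}")
    elif a.protocol == "http":
        warn("http: credentials and session cookies cross the network in cleartext")
    if a.host.lower() in LOOPBACK:
        err("host must not be localhost; the osp.jks certificate is issued for this name")
    if not 1 <= a.port <= 65535:
        err(f"application port out of range: {a.port}")
    # Login screen customization
    if not PRINTABLE_ASCII.match(a.org_name):
        err("organization name contains characters outside printable ASCII")
    elif "\\" in a.org_name:
        warn("backslashes in the organization name are not displayed on the login screen")
    # Authentication details
    if a.ldap_host.lower() in LOOPBACK:
        warn("LDAP host is localhost: valid only for a CSV user file in a test environment")
    if not a.use_ssl:
        warn("LDAP without SSL: the Admin DN password and user bind passwords travel in cleartext")
    if a.use_ssl or (a.audit_enabled and a.audit_protocol.upper() == "TLS"):
        if not a.trust_store or not a.trust_store_password:
            err("SSL/TLS selected but the JRE trust store path or password is missing")
        elif a.trust_store_password == "changeit":
            warn("trust store still uses the JRE default password 'changeit'")
    if rdns(dn_container(a.admin_dn)) != rdns(a.admin_container):
        warn(f"Admin container {a.admin_container!r} differs from the container of Admin DN "
             f"({dn_container(a.admin_dn)!r}); in most cases they match")
    if len(a.keystore_password) < 6:
        err("keystore password must be at least six characters")
    # Auditing details
    if a.audit_enabled:
        proto = a.audit_protocol.upper()
        if proto not in ("TCP", "TLS", "UDP"):
            err(f"audit protocol must be TCP, TLS or UDP, got {a.audit_protocol!r}")
        elif proto != "TLS":
            warn(f"audit protocol {proto} sends events unencrypted; only TLS protects them in transit")
        if not a.audit_server or not a.audit_cache:
            err("auditing enabled but audit server or audit cache directory is not set")
    return f

def errors(findings): return [m for lvl, m in findings if lvl == "ERROR"]
def warns(findings): return [m for lvl, m in findings if lvl == "WARN"]

# Constructed sample answers; host names and passwords are made up for this example.
GOOD = OspAnswers("https", "myserver.mycompany.com", 8443, "Example Corp",
                  "ldap.mycompany.com", 636, True,
                  "/opt/netiq/idm/apps/jre/lib/security/cacerts", "not-the-default",
                  "cn=admin,ou=sa,o=system", "ou=sa,o=system", "k3yst0re-pw",
                  audit_enabled=True, audit_protocol="TLS",
                  audit_server="audit.mycompany.com", audit_cache="/opt/netiq/idm/apps/audit")
BAD = OspAnswers("http", "localhost", 8080, "Acme\\Corp $", "ldap.mycompany.com", 636, False,
                 "", "", "cn=admin,ou=sa,o=system", "o=system", "abc",
                 audit_enabled=True, audit_protocol="UDP", audit_server="",
                 audit_cache="/opt/netiq/idm/apps/audit")
```

Running preflight(GOOD) returns no findings; preflight(BAD) returns three errors (localhost host name, a three-character keystore password, no audit server) and five warnings, and escaped_org_name(BAD.org_name) shows the escaped string to type into the wizard. The DN comparison splits on unescaped commas only, so an RDN such as cn=Smith\, John does not confuse the container check.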