2.6 Recommended Installation Scenarios and Server Setup

You can install Identity Governance in many different configurations, depending on network topology and the identity management products with which it will integrate. Regardless of installation scenario, Identity Governance incorporates the following components:

  • ActiveMQ

  • Tomcat application server

  • Microsoft SQL Server, Oracle, or PostgreSQL database (must be on the same subnetwork as the Identity Governance server)

  • OSP

  • (Optional) SSPR

  • (Optional) Identity Reporting

This section presents a few common installation scenarios and recommendations to inform your installation choices:

2.6.1 Identity Governance in a New Environment

The Identity Governance installer installs the different required components if you do not have any or all of them in your environment. The Identity Governance installer includes an installer for Identity Reporting. In addition to the Identity Governance installer, the software download web page provides installers for ActiveMQ, Tomcat web server, PostgreSQL server, and OSP.

For best performance, do not install Identity Governance on the same server as the databases; however, ensure that the databases and Identity Governance run in the same subnetwork. Also, you must ensure that your environment includes the supported versions of Java and the Tomcat application server.

It is important that you review all the prerequisites, requirements, and installation procedures in this chapter. Also, review the following topics as you prepare to install the Identity Governance components in a new environment:

2.6.2 Identity Governance and Identity Manager

To integrate Identity Governance with Identity Manager Advanced Edition, you can use some of the components that you installed with Identity Manager: OSP, SSPR, and Identity Reporting. The Identity Governance installation program will need the accounts and permissions to access, configure, and modify the existing Identity Manager components.

If you want to use Identity Reporting as part of your Identity Governance solution, but you already have Identity Manager installed and running, you must install the version of Identity Reporting that comes with Identity Manager. Identity Reporting that comes with Identity Manager uses the Identity Manager security module to determine who has access to the reports.

You will also need to perform the following tasks:

  • Update the configupdate.sh or configupdate.bat file to include a configuration variable for the Tomcat server

  • Create the databases for Identity Governance

  • Integrate OSP to define and provision Identity Governance user accounts

  • (Optional) Integrate with Identity Reporting

For more information about these activities, see Section 14.0, Integrating Single Sign-on Access with Identity Manager and Section 6.0, Installing Identity Reporting.

It is important that you review the prerequisites and requirements for Identity Governance and gather the server and account information necessary to complete the installation process. For more information, see the following:

2.6.3 Identity Governance and Existing Components

If you are installing Identity Governance into an environment that already has a supported version of Tomcat, PostgreSQL, and ActiveMQ, you can use those components. Ensure that you review the prerequisites and requirements provided in this chapter for each existing component. You should also consider the following:

  • Availability and suitability of existing components for Identity Governance use, including capacity, throughput, and utilization.

  • Additional processing load Identity Governance can place on existing components.

  • Resources needed to host Identity Governance components you must install in the environment.

  • OWASP best practices for securing your Tomcat environment at https://www.owasp.org/index.php/Securing_tomcat.

2.6.4 Component Installation Order

You must install the Identity Governance components in a specific order, which depends on whether you plan to integrate Identity Governance with Identity Manager.

Using Identity Governance without Identity Manager

To use Identity Governance without integrating with Identity Manager Advanced Edition, install the components in the following order:

  1. (Conditional) LDAP authentication server with admin and user containers

    To use an authentication server for the data source, ensure that you have Active Directory or eDirectory already installed.

  2. Database and Tomcat

    NOTE:

    • You must install Identity Governance on a Tomcat application server. For your convenience, there is an installation program for Tomcat. Alternatively, you can use your installation of Tomcat if it is a version supported by Identity Governance.

    • For your convenience, there is an installation program for PostgreSQL. Alternatively, you can use your installation of MS SQL Server, Oracle, or PostgreSQL if it is a version supported by Identity Governance.

  3. OSP

  4. (Optional) SSPR

  5. Identity Governance and Identity Reporting

  6. (Optional) Identity Reporting, if not installed at the same time as Identity Governance

Using Identity Governance with Identity Manager

To use Identity Governance with Identity Manager Advanced Edition, install the components in the following order:

  1. Identity Manager Advanced Edition

  2. Identity Governance

You can install Identity Reporting as part of the Identity Manager installation or after installing Identity Governance.

2.6.5 Recommended Server Setup

In a typical production environment, you might install Identity Governance components on three or more servers, as well as on client workstations.

The following table provides examples for an Identity Governance setup.

            Case 1                  Case 2                  Case 3                  Case 4
Server 1    OSP, SSPR, Identity     OSP, Identity           OSP, Identity           OSP
            Governance              Governance, Identity    Governance              (can be clustered)
            (can be clustered)      Reporting               (can be clustered)
                                    (can be clustered)
Server 2    Identity Reporting      SSPR                    Identity Reporting      Identity Governance
            (can be clustered)      (can be clustered)      (can be clustered)      (can be clustered)
Server 3    Database server         Database server         SSPR                    Identity Governance
                                                                                    (can be clustered)
Server 4    Authentication server   Authentication server   Database server         Identity Reporting
Server 5                                                    Authentication server   SSPR
Server 6                                                                            Database server
Server 7                                                                            Authentication server
Server 8    Audit server            Audit server            Audit server            Audit server

2.6.6 Selecting an Operating System Platform for Identity Governance

You can install Identity Governance components on a variety of operating system platforms. The following table helps you determine which servers you might want to use for your Identity Governance components. For more information about supported operating system versions, see Hardware and Software Requirements.

Platform                                  Component
Red Hat Enterprise Linux (RHEL),          Identity Governance
SUSE Linux Enterprise Server (SLES),      Identity Reporting
Windows Server                            One SSO Provider
                                          ActiveMQ
                                          Self Service Password Reset
                                          Tomcat
                                          Browser access to Identity Governance
Windows desktop                           Browser access to Identity Governance
                                          Browser access to Identity Reporting

See the audit server documentation for supported platforms. Identity Governance supports the following auditing servers:

  • NetIQ Sentinel

  • ArcSight

  • Splunk

2.6.7 Ensuring High Availability for Identity Governance

High availability ensures efficient manageability of critical network resources including data, applications, and services. Identity Governance supports high availability through stateless clustering or hypervisor clustering, such as VMware vMotion. When planning a high-availability environment, the following considerations apply:

  • To manage the availability of your network resources for Identity Governance, use the SUSE Linux Enterprise High Availability Extension with SUSE Linux Enterprise Server (SLES) 12 with the latest patches installed.

  • You can run Identity Governance in a stateless cluster where the load balancers shift authentication requests among the various OSP servers. During installation, you must specify a URL that drives client access through your L4 switch or load balancer rather than specifying the hostname and port for the Tomcat server.

  • Each node in the cluster must have a unique runtime_identifier. For example, node1 or ProdNode1. For more information, see Configuring the Nodes in the Tomcat Cluster.

    Each Identity Governance runtime uses this identifier to claim and identify tasks that it processes. Some of these tasks are long-running, so the identifier should be able to remain unique after a restart of the environment, where an IP address or other identifier might not be guaranteed to remain the same.

  • The configuration settings for OSP and Identity Governance must be identical for all nodes in the cluster.

  • When installing OSP, consider the following requirements:

    • Configure a load balancer with a DNS host name and port for the authentication server (OSP server).

      The OSP server can use the same load balancer specified for Identity Governance, a dedicated load balancer, or a single Tomcat instance.

    • Specify the values for the appropriate load balancer instead of the connection settings to the Tomcat instance. For more information, see Application address in Step 6.

    • The osp.war and configuration files must be on each deployment of OSP in the environment. Use the same Keystore file for all deployments. For more information, see Section 4.0, Installing One SSO Provider.

  • When installing Identity Governance, consider the following requirements:

    • Configure a load balancer with a DNS host name and port for Identity Governance use.

      Identity Governance can use a dedicated load balancer or the same load balancer as for the OSP server.

    • Specify the values for the load balancer instead of the host and port for the Tomcat connection. For more information, see Application address in Step 7.

    • On the primary (or master) node, perform the steps for configuring the databases. For more information, see Database details in Step 7.

    • For each installation on a secondary node, do not perform any database configuration steps. Instead, specify the settings for connecting to the previously configured databases. For more information, see Database details in Step 7.

  • To silently install OSP and Identity Governance on the secondary nodes in the cluster, use the content from the installation log files. The log files are:

    • Identity_Governance_InstallLog.log

    • osp_install_log.log

    For more information, see Creating a Silent Properties File for Installing on a Secondary Node.

    For each component, copy the parameter values from the log to the silent.properties file.

    NOTE: In the silent.properties file for Identity Governance, change the following settings:

    • install.db.configure=false

    • install.tomcat.runtime.id=
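The following script is an added example, not part of the Identity Governance guide or installer. It derives a secondary-node silent.properties from the primary node's file, applying the two changes listed in the note above (install.db.configure=false and a unique install.tomcat.runtime.id) and then checks that no two node files share a runtime id. The two property names come from the guide; every other key in the constructed sample file is a placeholder.

```shell
#!/bin/sh
# Added example; not from the Identity Governance guide or installer.
# install.db.configure and install.tomcat.runtime.id are the keys named in the guide;
# the remaining keys in the constructed sample are placeholders.

# write_sample_primary <path>: constructed stand-in for values copied from the install log
write_sample_primary() {
  cat > "$1" <<'EOF'
install.tomcat.runtime.id=ProdNode1
install.db.configure=true
install.db.host=DB_HOST_PLACEHOLDER
install.db.port=5432
EOF
}

# make_secondary_props <primary.properties> <runtime-id> <output>
make_secondary_props() {
  primary="$1"; node_id="$2"; out="$3"
  [ -r "$primary" ] || { echo "cannot read $primary" >&2; return 1; }
  # The id must be non-empty and stable across restarts (the guide notes an IP address is not).
  case "$node_id" in
    ''|*[!A-Za-z0-9_-]*) echo "invalid runtime id: '$node_id'" >&2; return 2 ;;
  esac
  awk -v id="$node_id" '
    /^install\.db\.configure=/       { print "install.db.configure=false"; seen_db = 1; next }
    /^install\.tomcat\.runtime\.id=/ { print "install.tomcat.runtime.id=" id; seen_id = 1; next }
    { print }
    END {
      if (!seen_db) print "install.db.configure=false"
      if (!seen_id) print "install.tomcat.runtime.id=" id
    }' "$primary" > "$out"
  # Assumption: values copied from the log may include connection credentials, so keep
  # the generated file readable by its owner only.
  chmod 600 "$out"
}

# check_unique_runtime_ids <file>...: non-zero if any two node files share a runtime id
check_unique_runtime_ids() {
  dups=$(grep -h '^install\.tomcat\.runtime\.id=' "$@" | sort | uniq -d)
  [ -z "$dups" ]
}
```

Run check_unique_runtime_ids over every node's properties file before installing so that a copied file that still carries the primary node's id is caught before two runtimes start claiming each other's tasks.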