4.5 Using a Guided Process to Install Identity Governance and Identity Reporting

The following procedure describes how to install Identity Governance and Identity Reporting using an installation wizard, either in GUI format or from the console. To prepare for the installation, review the considerations and system requirements listed in the following sections:

To perform a silent, unattended installation, see Section 4.6, Performing a Silent Installation of Identity Governance.

To install Identity Governance:

  1. Log in to the server where you want to install Identity Governance, as root on a Linux server or as an administrator on a Windows server.

  2. (Conditional) Stop Tomcat if you are not using TLS. For examples, see Stopping, Starting, and Restarting Tomcat.

  3. From the directory that contains the installation files, complete one of the following actions:

    • Linux: Use one of the following commands to install Identity Governance on Linux.

      • To use the console: enter ./identity-governance-install-linux.bin -i console

      • To use the wizard: enter ./identity-governance-install-linux.bin

    • Windows: Use one of the following commands to install Identity Governance on Windows.

      • To use the console: enter cmd /c "identity-governance-install-win.exe -i console"

      • To use the wizard: double-click identity-governance-install-win.exe

    NOTE: To execute the file, you might need to use the chmod +x or sh command on Linux, or use Run as administrator if you did not log in to your Windows server as an administrator.

  4. Accept the license agreement, and then select Next.

  5. Select whether to install Identity Governance, Identity Reporting, or both.

  6. Specify an installation path for each installed feature.

  7. Complete the guided process, using the following parameters:

    • Tomcat installation

      Represents the settings for the Tomcat installation that hosts Identity Governance. In a clustered environment, specify runtime values for each node where you install Identity Governance.

      Specify the Tomcat folder

      Specifies the path to the Tomcat installation.

      • Linux: /opt/apache-tomcat-x.x.xx

      • Windows: c:\netiq\idm\apps\tomcat-x.x.xx

      Runtime host name

      Applies only when installing Identity Governance.

      Specifies the DNS name or IP address for the Tomcat installation.

      Runtime port

      Applies only when installing Identity Governance.

      Specifies the port that Tomcat uses to listen for communication from Identity Governance or the load balancers.

      Runtime identifier

      Applies only when installing Identity Governance.

      In a non-clustered environment, you can specify the local server name.

      In a clustered environment, specifies the unique name for the current node. For example, node1 or ProdNode1. Do not use the server name, which might change according to a DHCP assignment.

    • Tomcat Java Home

      Represents the path to the Java instance that Tomcat uses. For example, /root/jdk1.x.x_xx. The installation process uses Java for several processes, such as to run commands and create security stores.

    • Trust store details

      Specifies the password for the trust store. The password must be 6 characters and must not contain spaces.

    • Authentication provider

      Specifies the authentication service you are using, either OSP or Access Manager.

    • Application address

      Represents the settings of the URL that users need to connect to Identity Governance or Identity Reporting. For example, https://myserver.mycompany.com:8443.

      Application protocol

      Specifies whether you want to use http or https. To use Secure Sockets Layer (SSL) for communications, specify https.

      Application host name

      Do not use localhost.

      In a non-clustered environment, specifies the DNS name or IP address of the server hosting Identity Governance.

      In a clustered environment, specifies the DNS name of the server that hosts the load balancer that you want to use. For more information about installing in a clustered environment, see Section 1.7.5, Ensuring High Availability for Identity Governance.

      Application port

      Specifies the port that you want the server to use for communication with client computers. The default is 8080. To use SSL, the default is 8443.

      When installing in a clustered environment, specify the port for the load balancer.

      Connect to an external authentication server

      Select this setting to use OSP as the authentication service. Leave it unselected to use Access Manager as the authentication service.

      Optional OSP authentication service settings

      The following apply only when using OSP as the authentication service.

      OSP Protocol

      Specifies whether you want to use http or https. To use Secure Sockets Layer (SSL) for communications, specify https.

      OSP Host name

      In a non-clustered environment, specifies the DNS name or IP address of the authentication server. In a clustered environment, specifies the DNS name of the server that hosts the load balancer.

      OSP Port

      Specifies the port that you want the server to use for communication with client computers. The default is 8080. To use SSL, the default is 8443.

      When installed in a clustered environment, specify the port for the load balancer.

      Optional Access Manager authentication service settings

      The following apply only when using Access Manager as the authentication service.

      IDP host name

      In a non-clustered environment, specifies the DNS name or IP address of the authentication server. In a clustered environment, specifies the DNS name of the server that hosts the load balancer.

      IDP port

      Specifies the port that you want the server to use for communication with client computers.

      When installed in a clustered environment, specify the port for the load balancer.

      Access Manager Console host name

      In a non-clustered environment, specifies the DNS name or IP address of the Access Manager administration console. In a clustered environment, specifies the DNS name of the server that hosts the load balancer.

      Access Manager Console port

      Specifies the port that you want the server to use for communication with the Access Manager administration console.

      When installed in a clustered environment, specify the port for the load balancer.

      Optional Identity Reporting settings

      Applies only when installing Identity Reporting.

      Specifies the URL settings that connect to the Identity Governance client on the server that hosts Tomcat.

      Protocol

      Specifies whether you want to use http or https. To use Secure Sockets Layer (SSL) for communications, specify https.

      Host name

      In a non-clustered environment, specifies the DNS name or IP address of the server hosting Identity Governance.

      In a clustered environment, specifies the DNS name of the server that hosts the load balancer.

      Port

      Specifies the port that you want the server to use for communication with client computers. The default is 8080. To use SSL, the default is 8443.

      When installing in a clustered environment, specify the port for the load balancer.

    • Authentication details

      Represents the requirements for connecting Identity Governance to the LDAP authentication server (for example, OSP or Access Manager) that contains the list of users who can log in to the application. For more information about the authentication server, see Section 1.2, Understanding Authentication for Identity Governance.

      NOTE: In a clustered environment, specify the host and port for the load balancer’s server rather than the authentication server.

      Protocol

      Change this only when you choose to connect to an external authentication server.

      Specifies whether you want to use http or https when connecting with the external LDAP authentication server. To use Secure Sockets Layer (SSL) for communications, specify https.

      Host

      Change this only when you choose to connect to an external authentication server.

      Specifies the IP address or DNS host name of the LDAP authentication server or load balancer. Do not use localhost.

      Port

      Change this only when you choose to connect to an external authentication server.

      Specifies the port that you want the LDAP authentication server or load balancer to use for communication with Identity Governance.

      Service password

      Specifies the password that you want to create for Identity Governance to use when connecting to the LDAP authentication server. Also referred to as the client secret.

    • Bootstrap administrator details

      Represents the credentials for the bootstrap administrator. For more information, see Section 1.2.5, Understanding the Bootstrap Administrator for Identity Governance.

      Bootstrap admin name

      Applies only if you are using OSP for the authentication service.

      Specifies the name of the bootstrap administrator account. The default value is igadmin.

      (Conditional) When connecting to an existing Identity Manager authentication server, specify the full DN of a unique identity that already exists and can access Identity Manager Home as a bootstrap administrator. For example, cn=uaadmin,ou=sa,o=data.

      NOTE:

      • If you use an Identity Vault user as a bootstrap administrator, you must configure Identity Governance to use Identity Vault instead of File in the Identity Governance Configuration Utility (/idgov/bin/configutil.sh or \idgov\bin\configutil.cmd). The Bootstrap Administrator section on the Authentication Server Details tab contains this setting.

      • The name of this account must be unique. Do not duplicate any accounts in the adminusers.txt file or in the container source or subtrees that you use for authentication.

      Password

      Applies only if you are using OSP for the authentication service.

      Specifies the password for the bootstrap administrator account.

      Bootstrap admin DN

      Applies only if you are using Access Manager for the authentication service.

      Specifies the distinguished name of the bootstrap administrator account.

      Bootstrap admin password

      Applies only if you are using Access Manager for the authentication service.

      Specifies the password for the bootstrap administrator account.

      Access Manager admin DN

      Applies only if you are using Access Manager for the authentication service.

      Specifies the distinguished name of the Access Manager administrator account. The installation program uses this account to log in to Access Manager to configure ISM properties to work with Access Manager.

      Access Manager

      Applies only if you are using Access Manager for the authentication service.

      Specifies the password for the Access Manager administrator account.

    • ActiveMQ details

      Applies only when installing Identity Governance.

      (Optional) Represents the settings for ActiveMQ, which guarantees that notifications are sent using SMTP from Identity Governance.

      For more information about configuring ActiveMQ in a clustered environment, see Section 6.3.2, Configuring ActiveMQ Failover in the Tomcat Cluster.

      Host name

      Specifies the DNS name or the IP address of the server that hosts the ActiveMQ instance.

      Port

      Specifies the port that the server uses for ActiveMQ.

    • Database Type

      Specifies the platform you want to use for the Identity Governance databases.

      For more information about supported versions, see Section 1.9.2, Database Server System Requirements.

    • Database details

      Represents the settings for the Identity Governance databases. For more information, see Section 1.3, Understanding the Identity Governance Databases.

      To connect to an existing database instance, you must specify the names of the existing databases to match with the operations, archive, data collection, workflow, and analytics databases.

      In a clustered environment, perform the configuration steps only on the primary node in the cluster. For more information about installing in a clustered environment, see Section 1.7.5, Ensuring High Availability for Identity Governance.

      Configure database now

      Specifies that you want to configure your new or existing databases as part of the installation process.

      NOTE: Ensure that you specified the correct names for the existing databases.

      Generate SQL for later

      Specifies that you want to generate the SQL scripts that the database administrator can run in your database platform to create the databases and other artifacts.

      The installation process stores the scripts for Identity Governance in the ./idgov/sql directory and the scripts for Identity Reporting in the ./idrpt/sql directory. For more information about using the files, see Section 6.0, Completing the Installation Process.

      No database configuration

      Specifies that you do not want to configure a new or existing database.

      Use this setting when you install Identity Governance on a secondary node in the cluster. For more information, see Section 1.7.5, Ensuring High Availability for Identity Governance.

      Host

      Specifies the DNS name or the IP address of the server that hosts the Identity Governance databases.

      Port

      Specifies the port of the server that hosts the Identity Governance databases. The default values are 1433 for MS SQL Server, 1521 for Oracle and 5432 for PostgreSQL.

      Microsoft SQL Server JDBC Jar

      Applies only when using an MS SQL Server database.

      Specifies the path to the JAR file for the MS SQL Server JDBC driver. Microsoft provides this file.

      Oracle JDBC Jar

      Applies only when using an Oracle database.

      Specifies the path to the JAR file for the Oracle JDBC driver. For example:

      • Linux: /opt/oracle/ojdbc7.jar

      • Windows: c:\Program Files\Oracle\ojdbc7.jar

      Oracle provides the driver JAR file, which represents the Thin Client JAR for the database server.

      Database name

      Applies only when using an Oracle database.

      Specifies the name of the database to which you want to add the Identity Governance databases. For example, Orclidentitygovernance.

      User tablespace

      Applies only when using an Oracle database.

      Specifies the name of the database storage unit for storing the schema for the Identity Governance databases. The default is USERS.

      Temporary tablespace

      Applies only when using an Oracle database.

      Specifies the name of the temporary database storage unit for storing the schema. The default is TEMP.

      Administrator user

      Specifies the account for a database administrator that the installation process can use to configure the databases for Identity Governance.

      Administrator password

      Specifies the password for the database administrator.

      Operations

      Specifies the name of the database that stores operations data for Identity Governance. The default value is igops.

      NOTE: If you created a blank database for the operations data, ensure that you specify the exact name of the existing, empty database.

      Archive

      Specifies the name of the database that stores archive data for Identity Governance. The default value is igarc.

      NOTE: If you created a blank database for the archive data, ensure that you specify the exact name of the existing, empty database.

      Data collection

      Specifies the name of the database that stores data collection information for Identity Governance. The default value is igdcs.

      NOTE: If you created a blank database for the data collection information, ensure that you specify the exact name of the existing, empty database.

      Workflow

      Specifies the name of the database that stores workflow information for Identity Governance. The default value is igwf.

      NOTE: If you created a blank database for the workflow data, ensure that you specify the exact name of the existing, empty database.

      Analytics

      Specifies the name of the database that stores analytics information for Identity Governance. The default value is igara.

      NOTE: If you created a blank database for the analytics data, ensure that you specify the exact name of the existing, empty database.

      Password (for database owners)

      Specifies the password for the database account administrator that can create database tables, views, and other artifacts in the Identity Governance databases.

      Reporting user

      Applies only when installing Identity Governance and not installing Identity Reporting at the same time.

      Specifies the account for a database user that has rights to the views related to reporting for Identity Governance. The default value is igrptuser.

      Reporting user password

      Specifies the password for the reporting user specified above.

      Update / Use only existing

      Applies only when you choose to configure the database during the installation.

      Specifies whether you want to have the installation process migrate or create new databases or use existing, empty databases. Select Update if you are installing or upgrading Identity Governance.

      NOTE: To use existing databases, the installation program drops known tables and views within each schema and then adds the tables and views that it needs for the current version.

      The installation process creates the following accounts if you select Configure database now and Update (rather than Use only existing).

      • Operations, Archive, Data collection, Workflow, Analytics, and Reporting user

      • Identity Reporting database name and user if also installing Identity Reporting

    • Report default language

      Applies only when you install Identity Reporting.

      Specifies the language that you want to use for Identity Reporting.

      Target locale

      Specifies the locale. Default selection is English.

    • Report email delivery

      Applies only when you install Identity Reporting.

      Represents the settings for the SMTP server that sends report notifications. To modify these settings after installation, use the configuration utility for Identity Governance.

      Default email address

      Specifies the email address that you want Identity Reporting to use as the origin for email notifications.

      SMTP server

      Specifies the IP address or DNS name of the SMTP email host that Identity Reporting uses for notifications. Do not use localhost.

      SMTP server port

      Specifies the port number for the SMTP server. The default value is 465.

      Use SSL for SMTP

      Specifies whether you want to use SSL protocol for communication with the SMTP server.

      Require server authentication

      Specifies whether you want to use authentication for communication with the SMTP server.

      If you select this setting, also specify the credentials for the email server.

      SMTP user name

      Applies only when you select Require server authentication.

      Specifies the name of a login account for the SMTP server.

      SMTP password

      Applies only when you select Require server authentication.

      Specifies the password of a login account for the SMTP server.

    • Report retention details

      Applies only when you install Identity Reporting.

      Represents the settings for maintaining completed reports.

      Keep finished reports for

      Specifies the amount of time that Identity Reporting retains completed reports before deleting them. For example, to specify six months, enter 6 and then select Month.

      Location of report definitions

      Specifies a path where you want to store the report definitions. For example:

      • Linux: /opt/netiq/IdentityReporting

      • Windows: c:\netiq\IdentityReporting

    • Identity Audit

      Represents the settings for collecting auditing events that occur in the Identity Governance and Identity Reporting servers. For more information, see Enabling Auditing.

      Enable auditing

      Specifies whether you want to send Identity Governance or Identity Reporting log events to an auditing server.

      If you select this setting, also specify the audit server details.

      Audit server

      Applies only when you enable identity auditing.

      Specifies the IP address or DNS name of the audit server.

      Audit port

      Applies only when you enable identity auditing.

      Specifies the port to use for sending log events to the audit server.

      Audit cache location

      Applies only when you enable identity auditing.

      Specifies the location of the cache directory on the Identity Governance server that you want to use to store log events. For example:

      • Linux: /opt/netiq/idm/apps/audit

      • Windows: C:\netiq\idm\apps\audit

      Secure layer

      Applies only when you enable identity auditing.

      Specifies whether to use TLS (TCP using SSL). If not selected, events are sent using TCP.

      Test certificate trust

      Applies only when you want to use TLS for audit events.

      Specifies whether to attempt to connect to the audit server and trust the retrieved certificate within a temporary trust store file. The actual trust occurs immediately before the summary pages display.

      NOTE: Attempting a TLS connection on a TCP port results in a timeout after 5 seconds. Be sure to specify a secure audit port if you select to use TLS.

  8. Review the pre-installation summary.

    NOTE: Application URL represents the URL that connects users to Identity Governance.

  9. (Conditional) Stop Tomcat if it is still running. For examples, see Stopping, Starting, and Restarting Tomcat.

  10. (Conditional) If prompted, accept or reject any untrusted certificates and acknowledge any errors.

    The installer checks to see if you specified SSL for LDAP or audit. If so, the installer creates the trust store and attempts to retrieve the certificates. Untrusted certificates result in a prompt to accept or reject each certificate chain, with tabs showing extra certificates in the chain. The installer adds accepted certificates to the trust store.

    The installer displays errors in the following conditions:

    • A single warning about potential future failures for all rejected certificates

    • A single warning for any errors when connecting to the secured servers

  11. Start the installation process.

  12. When the installation process completes, select Done.

  13. Continue to Section 6.0, Completing the Installation Process.

    NOTE: Do not start Tomcat.
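Before running the wizard, an administrator may want to confirm that the audit server (Secure layer and Test certificate trust in step 7) and the other SSL endpoints actually answer with TLS, and to see the certificate that the installer later asks you to accept or reject in step 10. The following Python script is an added example, not part of the NetIQ documentation or the product; the local plaintext listener it starts is a constructed stand-in for a misconfigured port, and the host and port values are placeholders.

```python
"""Pre-flight TLS probe for endpoints the installer is asked to trust (audit, OSP/LDAP, SMTP).

Added example; not part of the NetIQ documentation or product. It mirrors the installer's
"Test certificate trust" step: connect, fetch the presented certificate, time out on a port
that never answers with TLS. Compare the printed leaf SHA-256 fingerprint with the chain the
installer shows in its accept/reject prompt (step 10) before accepting it."""
import hashlib
import socket
import ssl
import sys
import threading
import time
from dataclasses import dataclass
from typing import Optional

@dataclass
class ProbeResult:
    status: str                               # "tls", "plaintext", "timeout", "refused"
    detail: str = ""
    sha256_fingerprint: Optional[str] = None  # leaf certificate, colon-separated hex

def probe_tls(host: str, port: int, timeout: float = 5.0) -> ProbeResult:
    """Attempt a TLS handshake against host:port and classify what answered."""
    # Verification is deliberately off: the point is to retrieve whatever certificate the server
    # presents (as the installer does) so a human can check it first. Nothing is sent afterwards.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            raw.settimeout(timeout)
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                digest = hashlib.sha256(tls.getpeercert(binary_form=True) or b"").hexdigest().upper()
                fingerprint = ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))
                return ProbeResult("tls", tls.version() or "", fingerprint)
    except ConnectionRefusedError as exc:
        return ProbeResult("refused", str(exc))
    except (socket.timeout, TimeoutError):
        # The behaviour the NOTE describes: a TLS handshake against a plain TCP port that
        # never replies gives up after the timeout (5 seconds by default).
        return ProbeResult("timeout", f"no TLS ServerHello within {timeout}s; port is probably plain TCP")
    except ssl.SSLError as exc:
        # The peer answered, but not with TLS (for example an SMTP "220" banner on a non-SSL port).
        return ProbeResult("plaintext", exc.reason or str(exc))

def start_plaintext_listener(banner: bytes = b"", hold_seconds: float = 3.0) -> int:
    """Constructed stand-in for a misconfigured non-TLS port (demo only): accepts one
    connection, optionally writes a plaintext banner, then holds the socket open."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve() -> None:
        conn, _ = srv.accept()
        with conn:
            if banner:
                conn.sendall(banner)
            time.sleep(hold_seconds)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port

if __name__ == "__main__":
    if len(sys.argv) == 3:   # usage: probe.py <host> <port>
        result = probe_tls(sys.argv[1], int(sys.argv[2]))
    else:                    # offline demo against a constructed plaintext SMTP-style port
        result = probe_tls("127.0.0.1", start_plaintext_listener(b"220 mail.example.test ESMTP\r\n"), 2.0)
    print(result.status, result.detail, result.sha256_fingerprint or "")
```

A "timeout" result on the audit port is the condition the NOTE warns about: the port is plain TCP, so either clear Secure layer or point the installer at the server's TLS port.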