3.3 Using the Wizard to Install One SSO Provider (OSP)

The following procedure describes how to install OSP using an installation wizard, either in the GUI format or from the console. To prepare for the installation, review the considerations and system requirements listed in the following sections:

To perform a silent, unattended installation, see Section 3.4, Silently Installing One SSO Provider.

The installation program installs the components in the following default directory:

  • Linux: /opt/netiq/idm/apps/osp

  • Windows: C:\netiq\idm\apps\osp

To install OSP:

  1. Log in as root on the Linux server, or as an administrator on the Windows server, where you want to install OSP.

  2. Stop Tomcat. For more information, see Stopping, Starting, and Restarting Tomcat.

  3. From the directory that contains the installation files, complete one of the following actions:

    • Linux (console): Enter ./osp-install-linux.bin -i console

    • Linux (GUI): Enter ./osp-install-linux.bin

    • Windows (console): Enter cmd /c "osp-install-win.exe -i console"

    • Windows (GUI): Double-click osp-install-win.exe

    NOTE: To execute the file, you might need to use the chmod +x or sh command on Linux, or log in to your Windows server as an administrator.

  4. Accept the license agreement, and then select Next.

  5. Specify a path for the installed files.

  6. Complete the guided process, using the following parameters:

    • Tomcat details

      Specify a directory that represents the home directory for the Tomcat server. The installation process adds some files for OSP to this folder.

      • Linux: Default location of /opt/netiq/idm/apps/tomcat

      • Windows: Default location of c:\netiq\idm\apps\tomcat

    • Tomcat Java home

      Specify the directory that represents the home directory for Java on the Tomcat server. The installation process uses Java for several processes, such as to run commands and create security stores.

    • Application address

      Specify the URL that users must use to connect to OSP; its protocol, host name, and port are the settings described below. For example, https://myserver.mycompany.com:8443.

      The installation program creates several symmetric keys and key pairs for signing, encryption, and TLS, which it places in the osp.pkcs12 file. The TLS key pair also specifies the host name as part of its distinguished name.

      Protocol

      Specify whether you want to use http or https. To use SSL for communications, specify https.

      If you specify https, ensure that you have configured your server for SSL communications. For more information, see Section 1.2.6, Understanding the Keystore for the Authentication Server.

      Host Name

      Do not use localhost.

      In a non-clustered environment, specify the DNS name of the Tomcat server where you are installing OSP.

      In a clustered environment, specify the DNS name of the server that hosts the load balancer that you want to use. For more information about installing in a clustered environment, see Section 1.7.5, Ensuring High Availability for Identity Governance.

      Port

      Specify the port that you want the server to use for communication with users’ computers.

      When installing in a clustered environment, specify the port for the load balancer.

    • Login screen customization

      (Optional) Specify a name that represents the organization name displayed on the login screen for users. The default value is NetIQ Access. Keep in mind the following points:

      • Allows only the printable ASCII character set (0x20 to 0x7E)

      • Dollar signs and backslashes must be escaped (\$ and \\)

      • Escaped backslashes do not appear

      • Apostrophes and spaces are converted into pseudo-tags [apos] and [nbsp], respectively

      • Installer stores result in oidp_enduser_custom_resources_en_US.properties.

    • Expected setup

      Represents the relative server locations for how you plan to install Identity Governance and Identity Reporting. Select one option.

      External

      Specifies that you will have Identity Governance and Identity Reporting installed on different servers.

      Local

      Specifies that you will have Identity Governance and Identity Reporting installed on the same server.

      None

      Specifies that this OSP server will not be aware of any Identity Governance or Identity Reporting installation.

    • Authentication details

      Represents the requirements for connecting to an authentication server that contains the list of users who can log in to the application. For more information about the authentication server, see Section 1.2.1, Understanding Authentication with Single Sign-On.

      LDAP host

      Specifies the DNS name of the LDAP authentication server, that is, the directory server that contains the distinguished names of your user accounts.

      Do not use localhost unless you want to specify a CSV file instead of an authentication server (test environments only).

      LDAP port

      Specifies the port that you want the LDAP authentication server to use for communication with Identity Governance. For example, specify 389 for a non-secure port or 636 for SSL connections.

      Use SSL

      Specifies whether you want to use the Secure Sockets Layer protocol for connections between Identity Governance and the authentication server.

      Admin DN

      Applies only when installing a new authentication server.

      Specifies the DN for an administrator account of the LDAP authentication server. For example, cn=admin,ou=sa,o=system.

      Admin password

      Applies only when installing a new authentication server.

      Specifies the password for the administrator account of the LDAP authentication server.

      User container

      Applies only when installing a new authentication server.

      Specifies the container in the LDAP authentication server where you store the user accounts that can log in to Identity Governance. For example, o=data.

      Admin container

      Applies only when installing a new authentication server.

      Specifies the search context for the Identity Governance administrator accounts in the LDAP authentication server. In most cases, this value is the same as the container in the Admin DN field. For example, ou=sa,o=system.

      Trust store password

      Specifies the password for the trust store. The trust store is empty unless you specify to use SSL for LDAP or audit.

      Keystore Password

      Applies only when installing a new authentication server.

      Specifies the password that you want to create for the new keystore for the LDAP authentication server.

      The password must be a minimum of six characters.

      NOTE: After retrieving the authentication details, the installer uses the gathered information to connect to the LDAP server and attempts to determine whether the server is Active Directory (AD) or eDirectory (eDir). If this test is unsuccessful, the installer prompts you to select the LDAP server type.

    • Auditing details

      Represents the settings for auditing OSP events that occur in the authentication server.

      Enable auditing for OSP

      Specifies whether you want to send OSP events to an auditing server.

      If you select this setting, also specify the additional audit details.

      Protocol

      Applies only when you enable auditing for OSP.

      Specifies whether to use TCP (default), TLS (TCP using SSL), or UDP.

      Audit server

      Applies only when you enable auditing for OSP.

      Specifies the name of the auditing server.

      Audit port

      Applies only when you enable auditing for OSP.

      Specifies the port to use for communication using the selected protocol.

      Audit events cache

      Applies only when you enable auditing for OSP.

      Specifies the location of the cache directory that you want to use for auditing.

      • Linux: For example, /opt/netiq/idm/apps/audit

      • Windows: For example, c:\netiq\idm\apps\audit

  7. (Conditional) If prompted, accept or reject any untrusted certificates and acknowledge any errors.

    The installer checks to see if you specified SSL for LDAP or audit. If so, the installer creates the trust store and attempts to retrieve the certificates. Untrusted certificates result in a prompt to accept or reject each certificate chain, with tabs showing extra certificates in the chain. The installer adds accepted certificates to the trust store.

    The installer displays warnings in the following cases:

    • A single warning about potential future failures for all rejected certificates

    • A single warning for any errors when connecting to the secured servers

  8. Review the pre-installation summary.

  9. Start the installation process.

  10. When the installation process completes, select Done.
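The wizard parameters in step 6 carry several constraints that are easy to get wrong at the prompt (the form of the application address, the ban on localhost, the escaping rules for the login-screen name, and the LDAP port versus the Use SSL setting). The following script, an added example that is not part of the NetIQ installer or this documentation, checks candidate values against those documented rules before you run the wizard; the function names are hypothetical.

```python
"""Pre-flight checks for values entered in the OSP installation wizard.
Added example, not NetIQ code: it encodes the rules stated in the procedure."""
from typing import Optional, Tuple
from urllib.parse import urlsplit

PRINTABLE_ASCII = set(range(0x20, 0x7F))   # 0x20 to 0x7E, as documented


def parse_application_address(url: str) -> Tuple[str, str, int]:
    """Split the application address into (protocol, host, port).

    Enforces the documented rules: protocol http or https, an explicit
    port, and a host name that is not 'localhost'."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"protocol must be http or https, got {parts.scheme!r}")
    if not parts.hostname or parts.hostname == "localhost":
        raise ValueError("host name is missing or is 'localhost' (not allowed)")
    if parts.port is None:
        raise ValueError("application address must include a port, e.g. :8443")
    return parts.scheme, parts.hostname, parts.port


def encode_org_name(name: str) -> str:
    """Apply the login-screen customization rules to an organization name:
    printable ASCII only, escape backslashes and dollar signs, and replace
    apostrophes with [apos] and spaces with [nbsp]."""
    bad = [c for c in name if ord(c) not in PRINTABLE_ASCII]
    if bad:
        raise ValueError(f"characters outside 0x20-0x7E are not allowed: {bad}")
    out = name.replace("\\", "\\\\")   # escape backslashes before adding any
    out = out.replace("$", "\\$")
    return out.replace("'", "[apos]").replace(" ", "[nbsp]")


def ldap_port_warning(port: int, use_ssl: bool) -> Optional[str]:
    """Flag a mismatch between the LDAP port and the Use SSL setting
    (389 is the conventional non-secure port, 636 the SSL port)."""
    if use_ssl and port == 389:
        return "Use SSL is set, but 389 is the conventional non-SSL LDAP port"
    if not use_ssl and port == 636:
        return "port 636 is the conventional LDAPS port, but Use SSL is not set"
    return None


if __name__ == "__main__":
    print(parse_application_address("https://myserver.mycompany.com:8443"))
    print(encode_org_name("ACME's Co $1 \\x"))   # constructed sample name
    print(ldap_port_warning(636, use_ssl=False))
```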