1.7 Recommended Installation Scenarios and Server Setup

You can install Identity Governance in many different configurations, depending on network topology and the identity management products with which it integrates. Regardless of installation scenario, Identity Governance incorporates the following components:

  • Tomcat application server

  • Java Runtime Environment

  • An external database of Microsoft SQL Server, Oracle, or PostgreSQL (must be on the same subnetwork as the Identity Governance server)

  • Authentication service, such as OSP or Access Manager

  • (Optional) ActiveMQ

  • (Optional) Identity Reporting

  • (Optional) Audit server

This section presents a few common installation scenarios and recommendations to inform your installation choices:

1.7.1 Selecting an Operating System Platform for Identity Governance

You can install Identity Governance components on a variety of operating system platforms. The following table helps you determine which servers you might want to use for your Identity Governance components. For more information about supported operating system versions, see Hardware and Software Requirements.

Platform: Red Hat Enterprise Linux (RHEL), SUSE Linux Enterprise Server (SLES), or Windows Server

Components:

  • Identity Governance
  • Identity Reporting
  • OSP or Access Manager
  • ActiveMQ
  • Tomcat
  • Browser access to Identity Governance

Platform: Windows desktop

Components:

  • Browser access to Identity Governance
  • Browser access to Identity Reporting

1.7.2 Identity Governance in a New Environment

You must prepare a new environment with required components for Identity Governance if you do not have all of the required components in your environment. The Identity Governance installer includes an installer for Identity Reporting. In addition to the Identity Governance installer, the software download page provides the installer for OSP.

For best performance, do not install Identity Governance on the same server as the databases; however, ensure that the databases and Identity Governance run in the same subnetwork. You must also ensure that the database server includes the supported versions of Java and the Tomcat application server.

It is important that you review all the prerequisites, requirements, and installation procedures in this chapter. Also, review the following topics as you prepare to install the Identity Governance components in a new environment:

1.7.3 Identity Governance and Existing Components

If you are installing Identity Governance into an environment that already has a supported version of Tomcat, PostgreSQL, and ActiveMQ, you can use those components. Ensure that you review the prerequisites and requirements provided in this chapter for each existing component. You should also consider the following:

  • Availability and suitability of existing components for Identity Governance use, including capacity, throughput, and utilization.

  • Additional processing load Identity Governance can place on existing components.

  • Resources needed to host Identity Governance components you must install in the environment.

  • OWASP best practices for securing your Tomcat environment at https://www.owasp.org/index.php/Securing_tomcat.

1.7.4 Identity Governance and Identity Manager

To integrate Identity Governance with Identity Manager Advanced Edition, you can use some of the components that you installed with Identity Manager: OSP and Identity Reporting. The Identity Governance installation program needs the accounts and permissions to access, configure, and modify the existing Identity Manager components.

If you want to use Identity Reporting as part of your Identity Governance solution, but you already have Identity Manager installed and running, you must install the version of Identity Reporting that comes with Identity Manager. Identity Reporting that comes with Identity Manager uses the Identity Manager security module to determine who has access to the reports.

You will also need to perform the following tasks:

  • Create the databases for Identity Governance

  • Integrate OSP to define and provision Identity Governance user accounts

  • (Optional) Integrate with Identity Reporting

For more information about these activities, see Integrating Single Sign-on Access with Identity Manager and Section 5.0, Installing Identity Reporting.

It is important that you review the prerequisites and requirements for Identity Governance and gather the server and account information necessary to complete the installation process. For more information, see the following:

1.7.5 Ensuring High Availability for Identity Governance

High availability ensures efficient manageability of critical network resources, including data, applications, and services. Identity Governance supports high availability through stateless clustering or hypervisor clustering, such as VMware vMotion. When planning a high-availability environment, the following considerations apply:

  • To manage the availability of your network resources for Identity Governance, use the High Availability tools provided with your operating system. Always have the latest patches installed for your operating system.

  • You can run Identity Governance in a stateless cluster where the load balancers shift authentication requests among the various OSP servers. During installation, you must specify a URL that drives client access through your L4 switch or load balancer rather than specifying the hostname and port for the Tomcat server.

  • Each node in the cluster must have a persistent, unique runtime identifier, for example, node1 or ProdNode1. For more information, see Section 6.3.1, Configuring the Nodes in the Tomcat Cluster.

    Each Identity Governance runtime instance uses this identifier to claim and identify tasks that it processes. Some of these tasks are long-running, so the identifier must remain unique after a restart of the environment, where an IP address or other identifier might not remain the same.

  • The configuration settings for OSP and Identity Governance must be identical for all nodes in the cluster.

  • When installing an authentication server, consider the following requirements:

    • Configure a load balancer with a DNS host name and port for the authentication server (OSP or Access Manager server).

      The authentication server can use the same load balancer specified for Identity Governance, a dedicated load balancer, or a single Tomcat instance.

    • Specify the values for the appropriate load balancer instead of the connection settings for the Tomcat instance. For more information, see Application address in Step 6.

    • The configuration files must be on each authentication server deployment in the environment. For example, if using OSP, the osp.war file must be on each deployment of OSP in the environment. Use the same Keystore file for all deployments. For more information, see Section 3.0, Installing an Authentication Service.

  • When installing Identity Governance, consider the following requirements:

    • Configure a load balancer with a DNS host name and port for Identity Governance use.

      Identity Governance can use a dedicated load balancer or the same load balancer as for the authentication server.

    • Specify the values for the load balancer instead of the host and port for the Tomcat connection. For more information, see Application address in Step 7.

    • On the primary (or master) node, perform the steps for configuring the databases. For more information, see Database details in Step 7.

    • For each installation on a secondary node, do not perform any database configuration steps. Instead, specify the settings for connecting to the previously configured databases. For more information, see Database details in Step 7.

  • To silently install OSP and Identity Governance on the secondary nodes in the cluster, use the content from the installation log files. The log files are:

    • Identity_Governance_InstallLog.log

    • osp_install_log.log

    For more information, see Section 3.4.1, Creating a Silent Properties File for Installing on a Secondary Node.

    For each component, copy the parameter values from the log to the silent.properties file.

    NOTE: In the silent.properties file for Identity Governance, change the following settings:

    • install.db.configure=false

    • install.tomcat.runtime.id=
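The following script is an added example, not part of the Identity Governance documentation or the product's own installer tooling. It derives a secondary node's silent.properties from the primary node's file by applying the two changes described above (install.db.configure=false and a node-specific install.tomcat.runtime.id), and it checks that every node file carries a non-empty, unique runtime identifier, which the high-availability considerations above require. It assumes silent.properties is a plain key=value file; the file names, the workdir, and the node identifiers ProdNode2 and ProdNode3 are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the Identity Governance documentation): build a
# secondary node's silent.properties and validate runtime ids across nodes.
# Assumes key=value property files; all file names and node ids below are
# constructed for this example.
set -eu

# re_key KEY: escape the dots in a property key so it matches literally.
re_key() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# set_prop FILE KEY VALUE: replace KEY's value in FILE, or append it if absent.
set_prop() {
    file=$1 key=$2 value=$3
    pat=$(re_key "$key")
    if grep -q "^${pat}=" "$file"; then
        sed "s|^${pat}=.*|${key}=${value}|" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_prop FILE KEY: print KEY's value (empty output if the key is unset).
get_prop() {
    sed -n "s/^$(re_key "$2")=//p" "$1" | head -n 1
}

# make_secondary_props PRIMARY_FILE OUTPUT_FILE NODE_ID: copy the primary
# node's properties and apply the two settings the guide changes on
# secondary nodes: skip database configuration, and use a node-specific
# runtime identifier.
make_secondary_props() {
    cp "$1" "$2"
    set_prop "$2" install.db.configure false
    set_prop "$2" install.tomcat.runtime.id "$3"
}

# check_runtime_ids FILE...: succeed only if every file has a non-empty
# install.tomcat.runtime.id and no two files share the same value.
check_runtime_ids() {
    ids=""
    for f in "$@"; do
        id=$(get_prop "$f" install.tomcat.runtime.id)
        [ -n "$id" ] || { echo "$f: empty install.tomcat.runtime.id" >&2; return 1; }
        case " $ids " in
            *" $id "*) echo "$f: duplicate runtime id $id" >&2; return 1 ;;
        esac
        ids="$ids $id"
    done
    return 0
}

# Constructed demo: a primary node file and two derived secondary node files.
workdir=$(mktemp -d)
cat > "$workdir/primary.properties" <<'EOF'
# Constructed sample; a real file carries every parameter copied from
# Identity_Governance_InstallLog.log.
install.db.configure=true
install.tomcat.runtime.id=ProdNode1
EOF
make_secondary_props "$workdir/primary.properties" "$workdir/node2.properties" ProdNode2
make_secondary_props "$workdir/primary.properties" "$workdir/node3.properties" ProdNode3
check_runtime_ids "$workdir"/*.properties && echo "runtime ids are set and unique"
rm -rf "$workdir"
```

Run the checker against all node files before starting the silent installs; a duplicated or empty identifier is reported with the offending file name and a non-zero exit status, so the script can gate a deployment pipeline.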

1.7.6 Recommended Server Setup

In a typical production environment, you might install Identity Governance components on three or more servers, as well as on client workstations.

The following cases provide examples for an Identity Governance setup.

Case 1

  • Server 1: OSP, Identity Governance (can be clustered)
  • Server 2: Database server
  • Server 3: Authentication server

Case 2

  • Server 1: OSP, Identity Governance, Identity Reporting (can be clustered)
  • Server 2: Database server (can be clustered)
  • Server 3: Authentication server
  • Server 4: Audit server

Case 3

  • Server 1: OSP, Identity Governance (can be clustered)
  • Server 2: Identity Reporting (can be clustered)
  • Server 3: Database server (can be clustered)
  • Server 4: Authentication server
  • Server 5: Audit server

Case 4

  • Server 1: OSP or Access Manager
  • Server 2: Identity Governance
  • Server 3: Identity Governance
  • Server 4: Identity Reporting
  • Server 5: Database server
  • Server 6: Authentication server
  • Server 7: Audit server

1.7.7 Component Installation Order

You must install the Identity Governance components in a specific order, which depends on whether you plan to integrate Identity Governance with Identity Manager.

Using Identity Governance without Identity Manager

To use Identity Governance without integrating with Identity Manager Advanced Edition, install the components in the following order:

  1. (Conditional) LDAP authentication server with admin and user containers

    To use an authentication server for the data source, ensure that you have Active Directory or eDirectory already installed.

  2. (Optional) Audit server if enabling auditing during product installation

  3. Database and Tomcat

  4. OSP or Access Manager

  5. Identity Governance and Identity Reporting

  6. (Optional) Identity Reporting, if not installed at the same time as Identity Governance

  7. (Optional) Audit server if enabling auditing after product installation

Using Identity Governance with Identity Manager

To use Identity Governance with Identity Manager Advanced Edition, install the components in the following order:

  1. Identity Manager Advanced Edition

  2. Identity Governance

You can install Identity Reporting as part of the Identity Manager installation or after installing Identity Governance.