33.3 Prerequisites and Considerations for Installing the Identity Applications

33.3.1 Installation Considerations for the Identity Applications

The following considerations apply to the installation of the identity applications.

  • Require a supported version of the following Identity Manager components:

    • Designer

    • Identity Vault

    • Identity Manager engine

    • Remote Loader

    • One SSO Provider

    For more information about required versions and patches for these components, see the latest Release Notes.

  • Ensure that the Identity Vault includes the SecretStore module, and that the module is configured. For more information, see Adding SecretStore to the Identity Vault Schema.

  • Ensure that the Identity Vault includes the created and deployed User Application and Roles and Resources service drivers. For more information, see Section 38.0, Creating and Deploying the Drivers for the Identity Applications.

  • Install the following framework items before installing the identity applications:

  • (Conditional) When installing the identity applications on SUSE Linux Enterprise Server (SLES) platforms, do not use the IBM JDK that comes with SLES. This version is incompatible with some aspects of the User Application installation. Instead, download the Oracle JDK.

  • (Conditional) For a guided installation on a server running SLES 12 SP1 or later platforms, ensure that the server has libXtst6-32bit-1.2.1-4.4.1.x86_64, libXrender1-32bit, and libXi6-32bit libraries installed.

  • (Optional) NetIQ recommends that you enable Secure Sockets Layer (SSL) protocol for communication among the Identity Manager components. To use SSL protocol, you must enable SSL in your environment and specify https during the installation. For information about enabling SSL, see Configuring Security in the Identity Applications in the NetIQ Analyzer for Identity Manager Administration Guide.

  • Create the User Application driver before creating the Role and Resource driver. The Role and Resource driver references the role vault container (RoleConfig.AppConfig) in the User Application driver.

  • You cannot use the Role and Resource Service Driver with the Remote Loader because the driver uses jClient.

  • Set the JAVA_HOME environment variable to point to the JDK that you plan to use with the identity applications. To override JAVA_HOME, manually specify the path during the installation.

  • The installation process places the program files in the C:\NetIQ\IDM or /opt/netiq/idm directory by default. If you plan to install the User Application in a non-default location, the new directory must meet the following requirements before you begin the installation process:

    • The directory exists and is writable.

    • For Linux environments, the directory is writable by non-root users.

  • Each User Application instance can service only one user container. For example, you can add users to, search, and query only the container associated with the instance. Also, a user container association with an application is meant to be permanent.

  • (Conditional) If you plan to use external password management, your environment must meet the following requirements:

    • Enable Secure Sockets Layer (SSL) protocol for Tomcat on which you deploy the identity applications and the IDMPwdMgt.war file.

    • Ensure that the SSL port is open on your firewall.

    For more information about enabling SSL for Tomcat, see Updating the SSL Settings for Self Service Password Reset.

    For more information about the IDMPwdMgt.war file, see Configuring Forgotten Password Management.

  • To support LDAP search with Virtual List View (VLV) and Server Side Sort (SSS) controls, apply Hotfix 2 to eDirectory 9.0.2 or eDirectory 8.8.8 Patch 9. For more information, see Section 11.0, Applying Hotfix 2 to the Identity Vault.

    This hotfix is not needed if you installed eDirectory with the integrated installation program. The integrated installer installs an updated version of eDirectory that has this hotfix applied.

  • (Optional) To retrieve authorizations from managed systems, install one or more of the Identity Manager drivers.

33.3.2 Configuration and Usage Considerations for the Identity Applications

The following considerations apply to the configurations and initial usage of the identity applications.

  • Before users can access the identity applications, you must complete the following activities:

    • Ensure that all necessary Identity Manager drivers are installed.

    • Ensure that the indexes for the Identity Vault are in Online mode. For more information about configuring an index during installation, see Miscellaneous.

    • Enable cookies on all browsers. The applications do not work when cookies are disabled.

  • Users cannot access the identity applications as a guest or anonymous user. Every user is prompted to log in to the user interface first. For more information, see Section XV, Configuring Single Sign-on Access in Identity Manager.

  • To ensure that Identity Manager enforces Universal Password functionality, configure the Identity Vault to use NMAS Login as the process for a user’s first login.

    • Linux: Add the following lines to the end of the /opt/novell/eDirectory/sbin/pre_ndsd_start script. The script runs when ndsd starts, so restart eDirectory after the change:

      NDSD_TRY_NMASLOGIN_FIRST=true
      export NDSD_TRY_NMASLOGIN_FIRST

    • Windows: Add NDSD_TRY_NMASLOGIN_FIRST with the string value true to the HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment registry key.

  • (Conditional) To run reports, you must have the components for Identity Reporting installed in your environment. For more information, see Administrator Guide to NetIQ Identity Reporting.

  • During the installation process, the installation program writes log files to the installation directory. These files contain details of your configuration, so after you configure your Identity Applications environment, delete them or move them to a secure location. During the installation you can also choose to write the database schema to a file. Because that file describes the structure of your database, move it to a secure location after the installation process is complete.

  • (Conditional) To audit the identity applications, you must have the Identity Reporting and an auditing service installed in your environment and configured to capture the events. You must also configure the identity applications for auditing. For more information, see the

  • (Optional) You can configure the identity applications to work with NetIQ Access Manager using SAML authentication. For more information, see Section 49.0, Using SAML Authentication with NetIQ Access Manager for Single Sign-on.
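The two Linux-side steps above, enabling NMAS-first login in pre_ndsd_start and moving the installer's log files and any exported schema file out of the installation directory, can be scripted so that they are idempotent and verifiable. The following is an added example and is not part of this guide or of the Identity Manager installer: the function names, the destination directory and the "*.log" / "*.sql" file patterns are assumptions, and the default paths are the ones named above. The Windows registry step is not covered here.

```shell
#!/bin/sh
# Added example: post-configuration hardening helpers for an Identity
# Applications host. Not part of the NetIQ installer; function names,
# the destination directory and the file patterns are assumptions.

# Append the NMAS-first setting to an eDirectory pre_ndsd_start script,
# but only if it is not already present (safe to run repeatedly).
# Usage: enable_nmas_login_first [path-to-pre_ndsd_start]
enable_nmas_login_first() {
  script="${1:-/opt/novell/eDirectory/sbin/pre_ndsd_start}"
  [ -f "$script" ] || { echo "missing: $script" >&2; return 1; }
  if grep -q '^NDSD_TRY_NMASLOGIN_FIRST=true$' "$script"; then
    return 0
  fi
  printf '%s\n' 'NDSD_TRY_NMASLOGIN_FIRST=true' \
                'export NDSD_TRY_NMASLOGIN_FIRST' >> "$script"
}

# Print how many times the setting occurs (expected: exactly 1).
# Usage: nmas_login_first_count [path-to-pre_ndsd_start]
nmas_login_first_count() {
  script="${1:-/opt/novell/eDirectory/sbin/pre_ndsd_start}"
  grep -c '^NDSD_TRY_NMASLOGIN_FIRST=true$' "$script"
}

# Move installer log files and any exported database schema file out of
# the installation directory into a root-only location, then make each
# file readable by its owner alone. "*.log" and "*.sql" are assumed
# patterns; adjust them to what your installer actually wrote.
# Prints the number of files moved.
# Usage: secure_install_artifacts [install-dir] [destination-dir]
secure_install_artifacts() {
  src="${1:-/opt/netiq/idm}"
  dest="${2:-/root/idm-install-artifacts}"
  [ -d "$src" ] || { echo "missing: $src" >&2; return 1; }
  mkdir -p "$dest" && chmod 700 "$dest" || return 1
  moved=0
  for f in "$src"/*.log "$src"/*.sql; do
    [ -f "$f" ] || continue          # the glob matched nothing
    mv "$f" "$dest"/ && chmod 600 "$dest/$(basename "$f")" \
      && moved=$((moved + 1))
  done
  echo "$moved"
}
```

Run both functions as root after the configuration phase; the count function gives you a one-line check that the NMAS setting was applied exactly once, and the artifact function leaves the installation directory free of configuration details while keeping a copy that only root can read.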

33.3.3 Prerequisites and Considerations for the Application Server

The identity applications require that Tomcat be installed with the following considerations:

  • Tomcat must be running with the Java Development Kit (JDK) or Java Runtime Environment (JRE). For more information about supported versions, see System Requirements for the Identity Applications.

  • Set the JAVA_HOME environment variable to point to the JDK that you plan to use with the User Application. To override JAVA_HOME, manually specify the path during the installation.

  • (Conditional) You can use your own Tomcat installation program instead of the one provided in the Identity Manager installation kit. However, to use the Apache Log4j service with your version of Tomcat, ensure that you have the appropriate files installed. For more information, see Using the Apache Log4j Service to Log Sign-on.

  • (Conditional) To preserve documents that you digitally sign, you must install the identity applications on a Tomcat application server and use Novell Identity Audit. Digital signature documents are not stored with workflow data in the User Application database, but are stored in the logging database. You must also enable logging to preserve these documents. For more information, see Setting Up Logging in the Identity Applications in the NetIQ Identity Manager - Administrator’s Guide to the Identity Applications.

  • (Conditional) In environments where you log a large amount of user data or your directory server contains a large number of objects, you might want more than one application server with a deployment of the identity applications. For more information about configuring for optimal performance, see Tuning the Performance of the Applications in the NetIQ Identity Manager - Administrator’s Guide to the Identity Applications.

  • (Conditional) If you use a Tomcat application server, do not start the server until after you complete the installation process.

  • (Conditional) To use external password management, you must do the following to enable the Secure Sockets Layer (SSL) protocol:

    • Enable SSL for Tomcat on which you deploy the identity applications and the IDMPwdMgt.war file.

    • Ensure that the SSL port is open on your firewall.

    For more information about the IDMPwdMgt.war file, see Configuring Forgotten Password Management and the NetIQ Identity Manager - Administrator’s Guide to the Identity Applications.

  • The installation process does not modify the JAVA_HOME or JRE_HOME entries on a Tomcat server. By default, the convenience installer for Tomcat places the setenv.sh file in the /opt/netiq/idm/apps/tomcat/bin/ directory. The installation also configures the JRE location in the file.

33.3.4 Prerequisites for Installing the Identity Applications in a Cluster Environment

You can install the identity applications in a Tomcat cluster, with the nodes sharing one identity applications database, subject to the following considerations:

  • The cluster must have a unique cluster partition name, multicast address, and multicast port. Using unique identifiers separates multiple clusters to prevent performance problems and anomalous behavior.

    • For each member of the cluster, you must specify the same port number for the listener port of the identity applications database.

    • For each member of the cluster, you must specify the same hostname or IP address of the server hosting the identity applications database.

  • You must synchronize the clocks of the servers in the cluster. If server clocks are not synchronized, sessions might time out early, causing HTTP session failover not to work properly.

  • NetIQ recommends that you do not use multiple logins across browser tabs or browser sessions on the same host. Some browsers share cookies across tabs and processes, so allowing multiple logins might cause problems with HTTP session failover (in addition to risking unexpected authentication behavior if multiple users share a computer).

  • The cluster nodes reside in the same subnet.

  • A failover proxy or a load balancing solution is installed on a separate computer.

For more information about configuring the identity applications in a cluster environment, see Section 36.0, Preparing Your Environment for the Identity Applications.

33.3.5 Prerequisites for Installing the Database for the Identity Applications

The database stores the identity applications data and configuration information.

Before installing the database instance, review the following prerequisites:

  • To configure a database for use with Tomcat, you need the JDBC driver for that database. The identity applications use standard JDBC calls to access and update the database, and they open connections through a JDBC data source bound to the JNDI tree.

  • The identity applications require a data source that points to the database. The installation program for the User Application creates that data source entry for Tomcat in server.xml and context.xml.

  • Ensure that you have the following information:

    • Host and port of the database server.

    • Name of the database to create. The default database for the identity applications is idmuserappdb.

    • Database username and password. The database user must be an administrator account or have enough permissions to create tables in the database server. A dedicated account that owns the identity applications database and can create tables in it is sufficient and exposes less than a server-wide administrator. The default administrator for the User Application is idmadmin.

    • The driver .jar file provided by the database vendor for the database that you are using. NetIQ does not support driver JAR files provided by third-party vendors.

  • The database instance can be on the local computer or a connected server.

  • The database character set must use Unicode encoding. For example, UTF-8 uses Unicode encoding, but Latin1 does not. For more information about specifying the character set, see Configuring the Character Set or Configuring an Oracle Database.

  • To avoid duplicate key errors during migration, use case-sensitive collation. If a duplicate key error occurs, check the collation and correct it, then re-install the identity applications.

  • (Conditional) To use the same database instance both for auditing purposes and for the identity applications, NetIQ recommends installing the database on a separate dedicated server from the server that hosts Tomcat running the identity applications.

  • (Conditional) If you are migrating to a new version of the identity applications, you must use the same database that you used for the previous installation.

  • Database clustering is a feature of each respective database server. NetIQ does not officially test with any clustered database configuration because clustering is independent of the product functionality. Therefore, we support clustered database servers with the following caveats:

    • By default, the maximum number of connections is set to 100. This value might be too low to handle the workflow request load in a cluster. You might see the following exception:

      java.sql.SQLException: Data source rejected establishment of connection, message from server: "Too many connections."

      To increase the maximum number of connections, set the max_connections variable in the my.cnf file to a higher value.

    • Some features or aspects of your clustered database server might need to be disabled. For example, Transactional Replication must be disabled on certain tables due to constraint violations when trying to insert a duplicate key.

    • We do not provide assistance on the installation, configuration, or optimization of the clustered database server, including installation of our products into a clustered database server.

    • We exert our best effort to resolve any issues that might arise with the use of our products in a clustered database environment. Troubleshooting methods in a complex environment often require cooperative work to resolve issues. NetIQ provides expertise to analyze, plan, and troubleshoot the NetIQ products. The customer must provide expertise to analyze, plan and troubleshoot any third-party products. We ask customers to reproduce issues or analyze behavior of their components in a non-clustered environment to help isolate potential cluster setup issues from NetIQ product issues.
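Raising max_connections in my.cnf, as described above, is easy to get wrong by appending a second max_connections line that silently overrides (or is overridden by) the one already in the [mysqld] section. The following is an added example, not part of this documentation or of the database vendor's tooling; it assumes a MySQL or MariaDB server whose settings live under the standard [mysqld] section, and the value 500 is only an illustration. It replaces an existing key in place, inserts the key into [mysqld] when it is missing, creates the section when the file has none, and rejects non-numeric values.

```shell
#!/bin/sh
# Added example: set max_connections under [mysqld] in a my.cnf without
# leaving duplicate keys. Not part of the NetIQ documentation; [mysqld]
# is the standard server section, the chosen value is an assumption.

# Usage: set_max_connections path/to/my.cnf 500
set_max_connections() {
  cnf="$1"; value="$2"
  case "$value" in
    ''|*[!0-9]*) echo "value must be numeric" >&2; return 1 ;;
  esac
  [ -f "$cnf" ] || touch "$cnf" || return 1
  tmp=$(mktemp) || return 1
  awk -v val="$value" '
    BEGIN { in_mysqld = 0; done = 0 }
    /^[[:space:]]*\[/ {
      # Leaving [mysqld] without having seen the key: insert it here,
      # before the next section header.
      if (in_mysqld && !done) { print "max_connections = " val; done = 1 }
      in_mysqld = ($0 ~ /^[[:space:]]*\[mysqld\][[:space:]]*$/)
    }
    in_mysqld && /^[[:space:]]*max_connections[[:space:]]*=/ {
      if (!done) { print "max_connections = " val; done = 1 }
      next   # drop the old line and any duplicate occurrences
    }
    { print }
    END {
      if (!done) {
        if (!in_mysqld) print "[mysqld]"   # file had no [mysqld] section
        print "max_connections = " val
      }
    }
  ' "$cnf" > "$tmp" || { rm -f "$tmp"; return 1; }
  # Copy back rather than mv, so the original owner and mode survive.
  cat "$tmp" > "$cnf" && rm -f "$tmp"
}

# Print the effective (last) max_connections under [mysqld], or nothing
# if the key is unset.
# Usage: get_max_connections path/to/my.cnf
get_max_connections() {
  awk '
    /^[[:space:]]*\[/ { in_mysqld = ($0 ~ /^[[:space:]]*\[mysqld\][[:space:]]*$/) }
    in_mysqld && /^[[:space:]]*max_connections[[:space:]]*=/ {
      sub(/^[^=]*=[[:space:]]*/, ""); v = $0
    }
    END { if (v != "") print v }
  ' "$1"
}
```

The new value applies only after the database server is restarted (or after the same value is applied to the running server with SET GLOBAL). Size it against the server's memory and against the connection pool limits of every Tomcat node in the cluster combined, since each node holds its own pool against the same database.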