15.3 Installation Procedure

This section provides step-by-step instructions for installing a new instance of the identity applications on Tomcat and then configuring it for clustering.

  1. Install the Identity Manager 4.7 engine. For a production deployment, install the Identity Manager engine on a separate server.

  2. Install the database for the identity applications. You can use the PostgreSQL database installed with the identity applications; however, for a production deployment it is recommended to install the database on a separate server.

  3. On Node1, install and configure Identity Applications.

    During configuration, ensure that you:

    • select the new database option

    • provide a unique Workflow Engine ID. For example, Node1.

    • have the database JAR file available on all User Application nodes in the cluster. For PostgreSQL, postgresql-9.4.1212.jar is located at /opt/netiq/idm/postgres.

    The identity applications encrypt sensitive data with a master key, which the installation program generates during configuration. Clustering requires every instance of the User Application to use the same master key. The master key is stored in the com.novell.idm.masterkey property of the ism-configuration.properties file in the /opt/netiq/idm/apps/tomcat/conf/ directory. Because this key protects all of the encrypted configuration data, treat the file as a secret: keep it readable only by the Tomcat service account (novlua on a default installation) and keep it out of unprotected backups and logs.

  4. On Node2, install and configure Identity Applications.

    During configuration, ensure that you:

    • select the existing database option

    • provide a unique Workflow Engine ID. For example, Node2.

    • have the database JAR file available on all User Application nodes in the cluster. For PostgreSQL, postgresql-9.4.1212.jar is located at /opt/netiq/idm/postgres.

    After completing the Node2 configuration, copy the master key value from Node1's ism-configuration.properties and replace the corresponding value in Node2's ism-configuration.properties. The master key is stored in the com.novell.idm.masterkey property of ism-configuration.properties (/opt/netiq/idm/apps/tomcat/conf/). After the replacement, confirm that the property value is byte-for-byte identical on both nodes; a node with a different key cannot decrypt data written by the others.
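    As an added example, not taken from the NetIQ documentation, the following POSIX shell script performs the master key copy from step 4 and verifies the result. It assumes the documented default path /opt/netiq/idm/apps/tomcat/conf/ism-configuration.properties; the two files passed to sync_master_key (a locally available copy of Node1's file and Node2's file) are arguments, and the key values in the usage comment are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the NetIQ documentation: copy the
# com.novell.idm.masterkey value from Node1's ism-configuration.properties into
# Node2's copy and verify that both files then hold the same key.
# ISM_CONF is the documented default location; sync_master_key takes the two
# files as arguments (for example, a copy of Node1's file fetched over scp).

ISM_CONF=/opt/netiq/idm/apps/tomcat/conf/ism-configuration.properties
KEY=com.novell.idm.masterkey

# Print the value of property $1 (text after the first '=') from file $2.
get_prop() {
    grep "^$1=" "$2" | head -n 1 | cut -d= -f2-
}

# Replace the value of property $1 with $2 in file $3; fail if it is absent.
# The file is overwritten in place (cat > file) rather than moved, so its
# owner and mode (novlua:novlua on a default installation) are preserved.
set_prop() {
    grep -q "^$1=" "$3" || { echo "missing $1 in $3" >&2; return 1; }
    # escape '&', '\' and the '|' delimiter, which are special in a sed replacement
    esc=$(printf '%s' "$2" | sed 's/[&|\\]/\\&/g')
    tmp=$(mktemp) || return 1
    sed "s|^$1=.*|$1=$esc|" "$3" > "$tmp" && cat "$tmp" > "$3"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Copy the master key from the Node1 file ($1) into the Node2 file ($2) and
# return 0 only if both files then contain the same, non-empty key.
sync_master_key() {
    src=$(get_prop "$KEY" "$1")
    [ -n "$src" ] || { echo "no $KEY in $1" >&2; return 1; }
    set_prop "$KEY" "$src" "$2" || return 1
    [ "$(get_prop "$KEY" "$2")" = "$src" ]
}

# Usage on Node2, after copying Node1's file to /tmp/node1-ism.properties
# (constructed path): sync_master_key /tmp/node1-ism.properties "$ISM_CONF"
```

    The script rewrites only the one property and keeps the rest of Node2's file (including its node-specific Workflow Engine ID) unchanged, which is why it is preferable to copying the whole file at this stage.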

  5. On the load balancer server, start an instance of the load balancer on the identity applications port. For example, using balance:

    ./balance 8543 node.47app1.novell.com:8543 !

    The example lists a single backend; list every User Application node in the cluster so that the load balancer can distribute requests across all of them.

  6. Install SSPR on a separate computer. After the installation completes, launch the SSPR configuration editor (https://<IP>:<port>/sspr/private/config/editor) and log in.

    NOTE: Update the SSPR information on Node1 and Node2 using the Configuration Update utility located at /opt/netiq/idm/apps/configupdate/. Launch the utility using the command:

    ./configupdate.sh

    Run configupdate.sh from the configupdate directory only. Running it from a custom location results in failures.

    Restart Tomcat on both nodes.

    In the SSPR interface, click Configuration Editor > Settings > Security > Web Security > Redirect Whitelist.

    1. Click Add value and specify the following URL, where <DNS of the load balancer> is the DNS name of the server on which the load balancer is installed:

      http://<DNS of the load balancer>:<port>/osp

      SSPR refuses redirects to URLs that are not on this list, so the entry must use the same scheme, host and port that clients actually use to reach OSP through the load balancer.

    2. Save the changes.

    3. In the SSPR Configuration page, click Settings > Single Sign On (SSO) Client > OAuth and modify the OAuth Login URL, OAuth Code Resolve Service URL, and OAuth Profile Service URL links by replacing the IP addresses with the DNS name of the server where the load balancer software is installed.

    4. Click Settings > Application > Application and update the Forward URL and Logout URL by replacing the IP addresses with the DNS name of the server where the load balancer software is installed. Update the Site URL by providing the IP address or hostname of the server/system where SSPR is installed.

    5. Navigate to Authentication > Authentication Server and specify the IP address of the load balancer in the OAuth server host identifier field.

    6. Navigate to SSO Clients and click Show Advanced Options. Set the value for RBPM to eDirectory SAML Configuration to Auto.

    7. Click SSO clients > Self Service Password Reset and specify the values for Client ID, Password, and OSP Auth Redirect URL parameters. For more information, see Self Service Password Reset.

    NOTE: Verify that these parameter values are also updated on Node2.

  7. On Node1, stop Tomcat and generate a new osp.jks file whose certificate names the DNS name of the load balancer server, using the following command:

    /opt/netiq/common/jre/bin/keytool -genkey -keyalg RSA -keysize 2048 -keystore osp.jks -storetype <storetype> -storepass <password> -keypass <password> -alias osp -validity 1800 -dname "cn=<loadbalancer IP/DNS>"

    For example: /opt/netiq/common/jre/bin/keytool -genkey -keyalg RSA -keysize 2048 -keystore osp.jks -storetype jks -storepass changeit -keypass changeit -alias osp -validity 1800 -dname "cn=mydnsname"

    NOTE: Ensure that the key password is the same as the one provided during OSP installation. Alternatively, both the key password and the keystore password can be changed using the Configuration Update utility. The example uses the keytool default password changeit only for brevity; a production keystore, which holds OSP's private key, needs a strong, non-default password.

  8. (Conditional) To verify that the osp.jks file contains the new key, run the following command and confirm that the osp alias is listed with the expected load balancer name in the Owner CN:

    /opt/netiq/common/jre/bin/keytool -list -v -keystore osp.jks -storepass changeit

  9. Back up the original osp.jks file located at /opt/netiq/idm/apps/osp/ and copy the new osp.jks file to that location.

  10. Copy the new osp.jks file from /opt/netiq/idm/apps/osp/ on Node1 to the other User Application nodes in the cluster.

  11. Launch the Configuration Update utility on Node1 and, under the SSO Client tab, change all of the URL settings, such as the URL link to the landing page and the OAuth Redirect URL, to the load balancer DNS name.

    1. Save the changes in the Configuration utility.

    2. To apply this change to all other nodes in the cluster, copy the ism-configuration.properties file located in /TOMCAT_INSTALLED_HOME/conf from Node1 to the other User Application nodes in the cluster.

      NOTE:

      • You copied ism-configuration.properties from Node1 to the other nodes in the cluster. If you specified custom installation paths during the User Application installation, correct the referenced paths on each cluster node using the Configuration Update utility.

      • After copying ism-configuration.properties from one node to another, ensure that the file is owned by novlua:novlua on the destination node. A copied file is otherwise owned by the account that performed the copy, and Tomcat may be unable to read or update it.

      • In this scenario, OSP and the User Application are installed on the same server; therefore, the same DNS name is used for the redirect URLs.

      • If OSP and the User Application are installed on separate servers, change the OSP URLs to a different DNS name that points to the load balancer. Do this on every server where OSP is installed. This ensures that all OSP requests are dispatched through the load balancer to the OSP cluster DNS name, and it requires a separate cluster for the OSP nodes.

  12. Set the owner of the osp.jks file to novlua, and make sure no other account can read it, since the keystore holds OSP's private key:

    chown novlua:novlua osp.jks

  13. Make the following changes to the setenv.sh file located in the /TOMCAT_INSTALLED_HOME/bin/ directory:

    1. JGroups requires the preferIPv4Stack property to be set to true for the mcast_addr binding to succeed. Add the JVM property -Djava.net.preferIPv4Stack=true to setenv.sh on all nodes.

    2. Add -Dcom.novell.afw.wf.engine-id="Engine1" to setenv.sh on Node1, and a unique engine name on each other node of the cluster. For example, on Node2 you can use the engine name Engine2.

  14. Enable clustering in the User Application.

    1. Start Tomcat on Node1.

      Do not start any other servers.

    2. Log in to the User Application as a User Application Administrator.

      If you are using IDMProv, open the following URL:

      http://<ip-address>:<port>/IDMProv

      NOTE: The User Application interface is discontinued as of Identity Manager 4.7.1. Features that were earlier part of the User Application interface have been added to Identity Manager Dashboard 4.7.1. To change the caching settings, go to Identity Manager Dashboard > Configuration > Caching and Cluster. For more information, see the Managing Cluster Cache Settings section.

    3. Click the Administration tab.

      The User Application displays the Application Configuration portal.

    4. Click Caching.

      The User Application displays the Caching Management page.

    5. Select True for the Cluster Enabled property.

    6. Click Save.

    7. Restart Tomcat.

    NOTE: If you selected Enable Local settings, repeat this procedure for each server in the cluster.

    The User Application cluster uses JGroups for cache synchronization across nodes, over UDP by default. To change the protocol to TCP, see Configuring User Application Caching to use TCP in the NetIQ Identity Manager - Administrator's Guide to the Identity Applications.

  15. Enable the permission index for clustering.

    1. Log in to iManager on the Identity Vault and navigate to View Objects.

    2. Under System, navigate to the driver set containing the User Application driver.

    3. Select AppConfig > AppDefs > Configuration.

    4. Select the XMLData attribute and set the com.netiq.idm.cis.clustered property to true.

      For example:

      <property>
        <key>com.netiq.idm.cis.clustered</key>
        <value>true</value>
      </property>

    5. Click OK.

    6. Click Apply > OK.

  16. Enable the Tomcat cluster.

    Open the Tomcat server.xml file in /TOMCAT_INSTALLED_HOME/conf/ and uncomment the following line on all of the cluster nodes:

    <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>

    For advanced Tomcat clustering configuration, see https://tomcat.apache.org/tomcat-8.5-doc/cluster-howto.html. Note that the default SimpleTcpCluster configuration discovers members by multicast and replicates sessions between nodes without authentication or encryption, so the network carrying cluster traffic must be restricted to the cluster nodes themselves.
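    As an added example, not taken from the NetIQ documentation, the following POSIX shell script applies the per-node Tomcat changes from steps 13 and 16 so that they can be repeated identically on every node: it appends the JGroups and engine-id JVM options to setenv.sh (once, so re-running is safe) and uncomments the SimpleTcpCluster element in server.xml. The script assumes the documented /opt/netiq/idm/apps/tomcat for TOMCAT_HOME, takes the engine id as an argument so each node gets its own value, and adds the options through CATALINA_OPTS, the standard variable that Tomcat's catalina.sh honours; check which variable your existing setenv.sh already uses before adopting it.

```shell
#!/bin/sh
# Added example, not from the NetIQ documentation: prepare one Tomcat node for
# clustering. add_jvm_opt/set_engine_id apply the setenv.sh changes from step 13
# and enable_tomcat_cluster uncomments the SimpleTcpCluster element in
# server.xml from step 16. TOMCAT_HOME defaults to the documented path; the
# engine id is an argument so that each node is given a unique value.

TOMCAT_HOME=${TOMCAT_HOME:-/opt/netiq/idm/apps/tomcat}
CLUSTER_LINE='<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>'

# Write stdin over file $1 in place, preserving its owner and mode.
overwrite() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" && cat "$tmp" > "$1"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Append JVM option $1 to CATALINA_OPTS in setenv.sh ($2) unless already present.
# When setenv.sh is sourced, the shell strips the inner quotes of a value such
# as -Dcom.novell.afw.wf.engine-id="Engine1", leaving the flag the JVM needs.
add_jvm_opt() {
    grep -qF -- "$1" "$2" && return 0
    printf 'CATALINA_OPTS="$CATALINA_OPTS %s"\n' "$1" >> "$2"
}

# Set this node's workflow engine id ($1) in setenv.sh ($2), replacing any
# previous value; the id must differ on every node of the cluster.
set_engine_id() {
    opt="-Dcom.novell.afw.wf.engine-id=\"$1\""
    if grep -q 'com\.novell\.afw\.wf\.engine-id' "$2"; then
        sed "s|-Dcom\.novell\.afw\.wf\.engine-id=\"[^\"]*\"|$opt|" "$2" | overwrite "$2"
    else
        add_jvm_opt "$opt" "$2"
    fi
}

# Return 0 if server.xml ($1) contains the Cluster element on a line of its own
# that is not immediately preceded by a lone "<!--" (i.e. it is uncommented).
cluster_enabled() {
    awk -v cl="$CLUSTER_LINE" '
        { t = $0; sub(/^[ \t]+/, "", t); sub(/[ \t]+$/, "", t) }
        t == cl && prev != "<!--" { found = 1 }
        { prev = t }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Uncomment the Cluster element in server.xml ($1). The stock file wraps it in
# "<!--" and "-->" on their own lines, so drop exactly those two marker lines
# when they surround the element; everything else is passed through unchanged.
enable_tomcat_cluster() {
    awk -v cl="$CLUSTER_LINE" '
        { t = $0; sub(/^[ \t]+/, "", t); sub(/[ \t]+$/, "", t) }
        held != "" && t == cl { print; skip = 1; held = ""; next }
        held != ""            { print held; held = "" }
        skip && t == "-->"    { skip = 0; next }
        t == "<!--"           { held = $0; next }
        { print }
        END { if (held != "") print held }
    ' "$1" | overwrite "$1"
    cluster_enabled "$1"
}

# Usage on Node1 (Node2 would pass Engine2):
#   add_jvm_opt -Djava.net.preferIPv4Stack=true "$TOMCAT_HOME/bin/setenv.sh"
#   set_engine_id Engine1 "$TOMCAT_HOME/bin/setenv.sh"
#   enable_tomcat_cluster "$TOMCAT_HOME/conf/server.xml"
```

    Because enable_tomcat_cluster ends with cluster_enabled, it fails loudly if the element is missing or still inside a comment, which is the check worth running on every node before the restart in step 17.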

  17. Restart Tomcat on all the nodes.

  18. Configure the User Application Driver for clustering.

    In a cluster, the User Application driver must be configured with the DNS name of the load balancer for the cluster. You configure the User Application driver using iManager.

    1. Log in to iManager that manages your Identity Manager engine.

    2. Click the Identity Manager node in the iManager navigation frame.

    3. Click Identity Manager Overview.

    4. Use the search page to display the Identity Manager Overview for the driver set that contains your User Application driver and Roles and Resource Service Driver.

    5. Click the round status indicator in the upper right corner of the driver icon:

      A menu is displayed that lists commands for starting and stopping the driver, and editing driver properties.

    6. Select Edit Properties.

    7. In the Driver Parameters section, change Host to the host name or IP address of the load balancer.

    8. Click OK.

    9. Restart the driver.

  19. To change the URL of the Roles and Resource Service Driver, repeat steps 18a to 18f for that driver, click Driver Configuration, and update the User Application URL with the load balancer DNS name.

  20. Ensure that session stickiness is enabled in the load balancer software for the cluster of User Application nodes.

  21. Configure client settings on Identity Manager dashboard. For more information, see Configuring Client Settings Mode in the NetIQ Identity Manager - Administrator’s Guide to the Identity Applications.

  22. Import the User Application certificate into the iManager trust store, /opt/netiq/common/jre/lib/security/cacerts, using the following keytool command. Verify the certificate's fingerprint against the one on the User Application node before importing it:

    keytool -import -trustcacerts -alias <User Application certificate alias name> -keystore <cacerts file> -file <User Application certificate file>

    This step allows you to view running PRDs, or move a PRD from one node to another in the cluster, through iManager.