9.2 Installing Single Sign-on for Identity Manager

9.2.1 Using the Wizard to Install One SSO Provider

The following procedure describes how to install OSP on a Windows platform using an installation wizard. To perform a silent, unattended installation, see Silently Installing One SSO Provider. To prepare for the installation, review the prerequisites and system requirements listed in Checklist for Single Sign-on Component.

  1. Log in as an administrator to the server where you want to install OSP.

  2. Stop the Tomcat server.

  3. (Conditional) If you have the .iso image file for the Identity Manager installation package, navigate to the directory containing the OSP installation files, located by default in the products\CommonApplication\osp_install directory.

  4. (Conditional) If you downloaded the OSP installation files, complete the following steps:

    1. Navigate to the win.zip file for the downloaded image.

    2. Extract the contents of the file to a directory on the local computer.

  5. From the directory that contains the installation files, run the osp-install-win.exe file.

  6. Read and accept the license agreement, and then click Next.

  7. Specify a path for the installed files.

  8. Complete the guided process, using the following parameters:

    • Tomcat details

      Represents the home directory for the Tomcat server. For example, C:\NetIQ\idm\apps\tomcat\. The installation process adds some files for OSP to this folder.

    • Tomcat Java home

      Represents the home directory for Java on the Tomcat server. For example, C:\NetIQ\idm\jre. The installation process adds some files for OSP to the directory.

    • Application address

      Represents the settings of the URL that users need to connect to OSP on the Tomcat server. For example, https://myserver.mycompany.com:8543.

      Protocol

      Specifies whether you want to use http or https. To use Secure Sockets Layer (SSL) for communications, specify https.

      Host Name

      Specifies the DNS name or IP address of the server where you are installing OSP. Do not use localhost.

      Port

      Specifies the port that you want the server to use for communication with client computers.

    • Login Screen Customization

      Specifies the custom name that you want to display on the user login screen. The default value is Identity Access.

      NOTE: Only the Latin1 Standard character set is supported.

    • Authentication details

      Represents the requirements for connecting to the authentication server which contains the list of users who can log in to the application.

      LDAP host

      Specifies the DNS name or IP address of the LDAP authentication server. Do not use localhost.

      LDAP port

      Specifies the port that you want the LDAP authentication server to use for communication with Identity Manager. For example, specify 389 for a non-secure port or 636 for SSL connections.

      Use SSL

      Specifies whether you want to use Secure Sockets Layer protocol for connections between the Identity Vault and the authentication server.

      JRE Trust store (cacerts) file

      Applies only when you want to use SSL for the LDAP connection.

      Specifies the path to the certificate. For example, C:\NetIQ\idm\apps\jre\lib\security\cacerts.

      JRE Trust store password

      Applies only when you want to use SSL for the LDAP connection.

      Specifies the password for the cacerts file.

      Admin DN

      Applies only when installing a new authentication server.

      Specifies the DN for an administrator account of the LDAP authentication server. For example, cn=admin,ou=sa,o=system.

      Admin password

      Applies only when installing a new authentication server.

      Specifies the password for the administrator account of the LDAP authentication server.

      User container

      Applies only when installing a new authentication server.

      Specifies the container in the LDAP authentication server where you store the user accounts that can log in to Access Review. For example, o=data.

      Admin container

      Applies only when installing a new authentication server.

      Specifies the container in the LDAP authentication server where you store the administrator accounts. For example, ou=sa,o=system.

      Identity Vault

      Specifies your Identity Vault.

      Keystore Password

      Applies only when installing a new authentication server.

      Specifies the password that you want to create for the new keystore for the LDAP authentication server.

      The password must be a minimum of six characters.

    • Auditing details (OSP)

      Represents the settings for auditing OSP events that occur in the authentication server.

      (Conditional) Enable auditing for OSP

      Specifies whether you want to send OSP events to an auditing server.

      If you select this setting, also specify the location for the audit log cache.

      Audit log cache folder

      Applies only when you enable auditing for OSP.

      Specifies the location of the cache directory that you want to use for auditing. For example, C:\NetIQ\idm\naudit\jcache.

      Specify existing certificate / Generate a certificate

      Indicates whether you want to use an existing certificate for the NAudit server or create a new one.

      Enter Public key

      Applies only when you want to use an existing certificate.

      Lists the custom public key certificate that you want the NAudit service to use to authenticate audit messages.

      Enter RSA Key

      Applies only when you want to use an existing certificate.

      Specifies the path to the custom private key file that you want the NAudit service to use to authenticate audit messages.

  9. To install SSPR, continue to Section 10.0, Installing the Password Management Component.

    For more information about configuring forgotten password management, see Configuring Forgotten Password Management.

9.2.2 Silently Installing One SSO Provider

A silent (non-interactive) installation does not display a user interface or ask the user any questions.

  1. Log in as an administrator to the computer where you want to install the components.

  2. Stop Tomcat.

  3. (Conditional) If you have the .iso image file for the Identity Manager installation package, navigate to the directory containing the OSP installation files, located by default in the osp directory.

  4. (Conditional) If you downloaded the installation files from the NetIQ Downloads website, complete the following steps:

    1. Navigate to the .zip file for the downloaded image.

    2. Extract the contents of the file to a folder on the local computer.

  5. Copy the osp.configure.properties file to a location where you have write access, and then edit the file.

    For more information about the settings for installation, see Step 7 and Step 8.

  6. To run the silent installation, issue the following command:

    osp-install-win.exe -i silent -f path_to_silent.properties_file

    In this command, specify the absolute path of the file. For example:

    osp-install-win.exe -i silent -f c:\NetIQ\idm\apps\osp\osp.silent.properties

  7. Install SSPR. For more information, see Section 10.0, Installing the Password Management Component.

9.2.3 Configuring Single Sign-on Access

You need to perform some actions to configure single sign-on access immediately after installing OSP. However, the final configuration process requires that you first install the identity applications. For more information, see Configuring Single Sign-on Access in Identity Manager in the NetIQ Identity Manager - Administrator’s Guide to the Identity Applications.

NOTE: When configuring One SSO Provider in silent mode, ensure that you specify the correct paths for the install, Java, Tomcat, and SSL keystore folders in the osp.silent.properties file. For example:

Install Folder: USER_INSTALL_DIR=C:\NetIQ\idm\apps\osp

Tomcat Folder: NETIQ_TOMCAT_HOME=C:\NetIQ\idm\apps\tomcat

Java Folder: NETIQ_JAVA_HOME=C:\NetIQ\idm\apps\jre

SSL Keystore Folder: NETIQ_SSL_KEYSTORE_FILE=C:\NetIQ\idm\apps\jre\lib\security\cacerts
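
A pre-flight check for the properties file described in the NOTE above, as an added example that is not part of the NetIQ documentation or product. Test-OspSilentProperties is a hypothetical helper name, the parsing assumes plain KEY=VALUE lines, and only the four key names shown above are taken from this page.

```powershell
# Added example. Function name and checks are assumptions; the four keys come from the NOTE above.
function Test-OspSilentProperties {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [switch] $SkipExistenceCheck   # validate syntax only, e.g. on another machine
    )
    $findings = @()
    $props = @{}
    # Parse simple KEY=VALUE lines; skip blanks and # comments.
    foreach ($line in Get-Content -LiteralPath $Path) {
        $t = $line.Trim()
        if ($t -eq '' -or $t.StartsWith('#')) { continue }
        $i = $t.IndexOf('=')
        if ($i -lt 1) { $findings += "Unparseable line: $t"; continue }
        $props[$t.Substring(0, $i).Trim()] = $t.Substring($i + 1).Trim()
    }
    # Folder keys must point to directories; the keystore key must point to a file.
    $expected = [ordered]@{
        USER_INSTALL_DIR        = 'Container'
        NETIQ_TOMCAT_HOME       = 'Container'
        NETIQ_JAVA_HOME         = 'Container'
        NETIQ_SSL_KEYSTORE_FILE = 'Leaf'
    }
    foreach ($key in $expected.Keys) {
        if (-not $props.ContainsKey($key)) { $findings += "Missing key: $key"; continue }
        $value = $props[$key]
        if ($value -notmatch '^[A-Za-z]:\\') {
            $findings += "$key is not an absolute path: $value"
        } elseif (-not $SkipExistenceCheck -and $key -ne 'USER_INSTALL_DIR' -and
                  -not (Test-Path -LiteralPath $value -PathType $expected[$key])) {
            # USER_INSTALL_DIR is exempt: assumed to be created by the installer.
            $findings += "$key not found on this server: $value"
        }
    }
    # The wizard parameters say not to use localhost for host names.
    foreach ($key in $props.Keys) {
        if ($props[$key] -match '\blocalhost\b') { $findings += "$key uses localhost" }
    }
    return $findings
}

# Constructed sample file: relative Java path, keystore key missing.
$sample = Join-Path $env:TEMP 'osp.silent.sample.properties'
@'
USER_INSTALL_DIR=C:\NetIQ\idm\apps\osp
NETIQ_TOMCAT_HOME=C:\NetIQ\idm\apps\tomcat
NETIQ_JAVA_HOME=idm\apps\jre
'@ | Set-Content -LiteralPath $sample
Test-OspSilentProperties -Path $sample -SkipExistenceCheck
```

Run the function without -SkipExistenceCheck on the target server, after Tomcat and Java are in place, so that the path checks reflect the real file system. An empty result means none of these checks failed.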