11.1 Planning to Install the Identity Applications

The identity applications installation includes the following components:

  • Identity Manager Dashboard

  • Identity Manager Administration Console

  • User Application

  • Role and Resource Service driver (RRSD)

  • User Application driver (UAD)

The installation does not include the two drivers required for the identity applications: User Application driver and Roles and Resource Services driver.

NOTE: Technically, Identity Reporting could be considered an identity application because the component also uses SSPR and OSP, and you modify its settings with the RBPM configuration utility. However, Identity Reporting has its own installation program, can be installed on a separate server, and uses a different database.

11.1.1 Checklist for Installing the Identity Applications

Before beginning the installation process, NetIQ recommends that you review the following steps:

Checklist Items

  1. Review the planning information. For more information, see Section I, Planning to Install Identity Manager.

  2. Review the hardware requirements, software requirements, and considerations for installing the identity applications and their supporting framework. For more information, see the following sections:

  3. Decide whether you should install Sentinel before installing the identity applications. For more information, see Recommended Installation Scenarios and Server Setup.

  4. Ensure that the Identity Manager engine has been installed. For more information about installing the engine, see Section 4.0, Planning to Install the Engine, Drivers, and Plug-ins.

  5. Create a User Application Administrator account in the Identity Vault. For more information, see Assigning Rights to Identity Vault Administrator and User Application Administrator Account.

  6. Install and configure a database for the identity applications on the local computer or a connected server.

  7. Prepare an application server on the local computer or in a cluster.

  8. (Conditional) To use the Apache Log4j service to record events in Tomcat, ensure that you have the appropriate files. For more information, see Using the Apache Log4j Service to Log Sign-on.

  9. Review the contents of the identity applications installation kit to determine which files are needed for your environment. For more information, see Understanding the Installation Program for the Identity Applications.

  10. Install the identity applications. For more information, see Installing the Identity Applications.

  11. Create and deploy the User Application driver and the Roles and Resource Service driver. For more information, see Creating and Deploying the Drivers for the Identity Applications.

  12. To perform the final tasks in the installation process, see Completing the Installation of the Identity Applications.

  13. Ensure that you have configured the identity applications and single sign-on settings correctly. For more information, see Verifying Single Sign-on Access for the Identity Applications in the NetIQ Identity Manager - Administrator’s Guide to the Identity Applications.

  14. (Optional) To begin using the identity applications, see the NetIQ Identity Manager - Administrator’s Guide to the Identity Applications.

11.1.2 Understanding the Installation Program for the Identity Applications

The installation files for the identity applications are located in the \products\UserApplication\ directory of the installation package.

The installation program (IdmUserApp.exe) does the following:

  • Designates an existing version of an application server to use.

  • Designates an existing version of a database to use. The database stores identity application data and configuration information.

  • Configures the JDK’s certificates file so that the identity application (running on Tomcat) can communicate securely with the Identity Vault and the User Application driver.

  • Configures and deploys the Java web application archive (WAR) file for the User Application to Tomcat.

  • Enables logging through Sentinel auditing clients if you choose to do so.

  • Enables you to import an existing master key to restore a specific installation of the identity applications and to support clusters.

11.1.3 Prerequisites and Considerations for Installing the Identity Applications

NetIQ recommends that you review the prerequisites and computer requirements for the identity applications before you begin the installation process. For more information about configuring the User Application environment, see NetIQ Identity Manager - User’s Guide to the Identity Applications.

Installation Considerations for the Identity Applications

The following considerations apply to the installation of the identity applications.

  • Require a supported version of the following Identity Manager components:

    • Designer

    • Identity Vault

    • Identity Manager engine

    • Remote Loader

    • One SSO Provider

    For more information about required versions and patches for these components, see the latest Release Notes.

  • Ensure that the Identity Vault includes the created and deployed User Application and Roles and Resources service drivers. For more information, see Creating and Deploying the Drivers for the Identity Applications.

  • Install the following framework items before installing the identity applications:

  • (Optional) NetIQ recommends that you enable Secure Sockets Layer (SSL) protocol for communication among the Identity Manager components. To use SSL protocol, you must enable SSL in your environment and specify https during the installation. For information about enabling SSL, see Configuring Security in the Identity Applications in the NetIQ Analyzer for Identity Manager Administration Guide.

  • Create the User Application driver before creating the Role and Resource driver. The Role and Resource driver references the role vault container (RoleConfig.AppConfig) in the User Application driver.

  • You cannot use the Role and Resource Service Driver with the Remote Loader because the driver uses jClient.

  • Set the JAVA_HOME environment variable to point to the JDK that you plan to use with the identity applications. To override JAVA_HOME, manually specify the path during the installation.

  • The installation process places the program files in the C:\NetIQ\idm directory by default.

    If you plan to install the User Application in a non-default location, the new directory must already exist and be writable.

  • Each User Application instance can service only one user container. For example, you can add users to, search, and query only the container associated with the instance. Also, a user container association with an application is meant to be permanent.

  • (Conditional) If you plan to use external password management, your environment must meet the following requirements:

    • Enable Secure Sockets Layer (SSL) protocol for Tomcat on which you deploy the identity applications and the IDMPwdMgt.war file.

    • Ensure that the SSL port is open on your firewall.

    For more information about enabling SSL for Tomcat, see Updating the SSL Settings for Self Service Password Reset in the NetIQ Identity Manager - Administrator’s Guide to the Identity Applications.

    For more information about the IDMPwdMgt.war file, see Configuring Forgotten Password Management.

  • (Optional) To retrieve authorizations from managed systems, install one or more of the Identity Manager drivers.

Prerequisites and Considerations for the Application Server

The identity applications require that Tomcat be installed with the following considerations:

  • Tomcat must be running with the Java Development Kit (JDK) or Java Runtime Environment (JRE). For more information about supported versions, see the NetIQ Identity Manager Technical Information website.

  • Set the JAVA_HOME environment variable to point to the JDK that you plan to use with the User Application. To override JAVA_HOME, manually specify the path during the installation.

  • (Conditional) You can use your own Tomcat installation program instead of the one provided in the Identity Manager installation kit. However, to use the Apache Log4j service with your version of Tomcat, ensure that you have the appropriate files installed. For more information, see Using the Apache Log4j Service to Log Sign-on.

  • (Conditional) To preserve documents that you digitally sign, you must install the identity applications on a Tomcat application server and use Novell Identity Audit. Digital signature documents are not stored with workflow data in the User Application database, but are stored in the logging database. You must also enable logging to preserve these documents. For more information, see Setting Up Logging in the Identity Applications in the NetIQ Identity Manager - Administrator’s Guide to the Identity Applications.

  • (Conditional) In environments where you log a large amount of user data or your directory server contains a large number of objects, you might want more than one application server with a deployment of the identity applications. For more information about configuring for optimal performance, see Tuning the Performance of the Applications in the NetIQ Identity Manager - Administrator’s Guide to the Identity Applications.

  • (Conditional) If you use a Tomcat application server, do not start the server until after you complete the installation process.

  • (Conditional) To use external password management, you must do the following to enable the Secure Sockets Layer (SSL) protocol:

    • Enable SSL for Tomcat on which you deploy the identity applications and the IDMPwdMgt.war file.

    • Ensure that the SSL port is open on your firewall.

    For more information about the IDMPwdMgt.war file, see Configuring Forgotten Password Management and the NetIQ Identity Manager - Administrator’s Guide to the Identity Applications.

  • The installation process does not modify the JAVA_HOME or JRE_HOME entries on a Tomcat server. By default, the convenience installer for Tomcat places the setenv.bat file in the C:\NetIQ\idm\apps\tomcat\bin\ directory. The installation also configures the JRE location in the file.

Prerequisites for Installing the Database for the Identity Applications

The database stores the identity applications data and configuration information.

Before installing the database instance, review the following prerequisites:

  • To configure a database for use with Tomcat, you must create a JDBC driver. The identity applications use standard JDBC calls to access and update the database. The identity applications use a JDBC data source file bound to the JNDI tree to open a connection to the database.

  • You must have an existing data source file that points to the database. The installation program for the User Application creates a data source entry for Tomcat in server.xml and context.xml which points to the database.
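The data source entry that the text refers to is a Tomcat `<Resource>` element bound into the JNDI tree. The following added example (not NetIQ's installer code) embeds a constructed sample of such an entry and checks it against the host, port and database name collected in the checklist. The resource name `jdbc/ExampleDataSource`, the PostgreSQL driver class and the host `dbhost.example` are assumptions made here; only the defaults `idmuserappdb` and `idmadmin` come from this page.

```python
"""Inspect a Tomcat context.xml JNDI data source entry for the identity
applications database.

Added example, not NetIQ's code. The resource name, driver class and host
below are constructed; only idmuserappdb and idmadmin come from the
documentation."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample of the kind of <Resource> entry the installer writes.
SAMPLE_CONTEXT_XML = """<Context>
  <Resource name="jdbc/ExampleDataSource"
            auth="Container"
            type="javax.sql.DataSource"
            driverClassName="org.postgresql.Driver"
            url="jdbc:postgresql://dbhost.example:5432/idmuserappdb"
            username="idmadmin"
            password="REPLACE_ME"
            maxTotal="100"/>
</Context>
"""

REQUIRED_ATTRS = ("name", "type", "driverClassName", "url", "username")


def parse_jdbc_url(url):
    """Split a jdbc:<vendor>://host:port/database URL into its parts.
    The jdbc: prefix is stripped and the remainder handed to urlsplit, which
    covers PostgreSQL/MySQL style URLs; Oracle thin URLs use another syntax
    and are not handled here."""
    if not url.startswith("jdbc:"):
        raise ValueError("not a JDBC URL: %s" % url)
    parts = urlsplit(url[len("jdbc:"):])
    return {
        "vendor": parts.scheme,
        "host": parts.hostname,
        "port": parts.port,
        "database": parts.path.lstrip("/"),
    }


def check_datasource(context_xml, expected_host, expected_port, expected_db):
    """Return a list of problems with the first <Resource> in context.xml.
    An empty list means the entry matches what the checklist asked for."""
    root = ET.fromstring(context_xml)
    res = root.find("Resource")
    if res is None:
        return ["no <Resource> element in context.xml"]
    findings = []
    for attr in REQUIRED_ATTRS:
        if attr not in res.attrib:
            findings.append("missing attribute: %s" % attr)
    if res.get("type") != "javax.sql.DataSource":
        findings.append("type is not javax.sql.DataSource")
    try:
        parts = parse_jdbc_url(res.get("url", ""))
    except ValueError as exc:
        return findings + [str(exc)]
    if parts["host"] != expected_host:
        findings.append("host %r differs from expected %r" % (parts["host"], expected_host))
    if parts["port"] != expected_port:
        findings.append("port %r differs from expected %r" % (parts["port"], expected_port))
    if parts["database"] != expected_db:
        findings.append("database %r differs from expected %r" % (parts["database"], expected_db))
    return findings


def password_in_clear(context_xml):
    """True if the data source carries the database password in clear text.
    Tomcat reads it from this file, so the file's ACL, not the application,
    is what protects the credential; restrict who can read context.xml."""
    res = ET.fromstring(context_xml).find("Resource")
    return res is not None and bool(res.get("password"))


if __name__ == "__main__":
    problems = check_datasource(SAMPLE_CONTEXT_XML, "dbhost.example", 5432, "idmuserappdb")
    print("data source OK" if not problems else "\n".join(problems))
    if password_in_clear(SAMPLE_CONTEXT_XML):
        print("note: database password is stored in clear text in context.xml")
```

Run it against the real `context.xml` after installation by reading the file into `check_datasource` with the values you entered in the installer; a non-empty result usually means the data source points at a different database than the one you prepared.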

  • Ensure that you have the following information:

    • Host and port of the database server.

    • Name of the database to create. The default database for the identity applications is idmuserappdb.

    • Database username and password. The database username must be an administrator account or must have sufficient permissions to create tables on the database server. The default administrator for the User Application is idmadmin.

    • The driver .jar file provided by the database vendor for the database that you are using. NetIQ does not support driver JAR files provided by third-party vendors.

  • The database instance can be on the local computer or a connected server.

  • The database character set must use Unicode encoding. For example, UTF-8 uses Unicode encoding, but Latin1 does not. For more information about specifying the character set, see Configuring the Character Set or Configuring an Oracle Database.

  • A case-sensitive collation might cause a duplicate key error during migration. Check the collation, correct it, and then reinstall the identity applications.

  • (Conditional) By default, the identity applications installation program accepts only Oracle System ID when using Oracle for the database. To access the database by using a service name instead of Oracle System ID, you must perform certain post-installation actions as described in Accessing the Oracle Database Using Oracle Service Name.

  • (Conditional) To use the same database instance both for auditing purposes and for the identity applications, NetIQ recommends installing the database on a separate dedicated server from the server that hosts Tomcat running the identity applications.

  • (Conditional) If you are migrating to a new version of the identity applications, you must use the same database that you used for the previous installation.

  • The only supported collation for MS SQL is SQL_Latin1_General_CP1_CI_AS.
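Several of the prerequisites above (JAVA_HOME pointing at a JDK, an existing and writable install directory, a Unicode database character set, the MS SQL collation, and the SSL or database port being reachable through the firewall) can be verified before running the installer. The following added preflight script is an example written for this page, not a NetIQ tool: the default path `C:\NetIQ\idm`, the database name `idmuserappdb` and the collation name come from the documentation, and the check functions, their messages and the character-set list are assumptions made here.

```python
"""Pre-installation checks for the identity applications.

Added example, not NetIQ's installer. Defaults that come from the
documentation: C:\\NetIQ\\idm and SQL_Latin1_General_CP1_CI_AS. Everything
else (function names, messages, the character-set list) is assumed here."""
import os
import socket

DEFAULT_INSTALL_DIR = r"C:\NetIQ\idm"              # default from the documentation
MSSQL_COLLATION = "SQL_Latin1_General_CP1_CI_AS"   # only supported MS SQL collation
# Character-set names that denote a Unicode encoding, as reported by
# PostgreSQL, MySQL and Oracle; case, hyphens and underscores are ignored.
UNICODE_CHARSETS = {"UTF8", "UTF8MB4", "AL32UTF8", "UTF16", "UTF16LE", "UTF16BE"}


def is_unicode_charset(name):
    """True if the database character set uses a Unicode encoding."""
    return name.replace("-", "").replace("_", "").upper() in UNICODE_CHARSETS


def check_java_home(env, is_file=os.path.isfile):
    """Return findings about JAVA_HOME. A JDK, not just a JRE, is required,
    so the compiler binary must be present under bin/. The is_file probe is
    injectable so the check can be exercised without a real JDK."""
    home = env.get("JAVA_HOME")
    if not home:
        return ["JAVA_HOME is not set; set it or enter the JDK path during installation"]
    if not any(is_file(os.path.join(home, "bin", n)) for n in ("javac.exe", "javac")):
        return ["JAVA_HOME=%s does not contain bin/javac; it must point to a JDK" % home]
    return []


def check_install_dir(path, is_dir=os.path.isdir,
                      is_writable=lambda p: os.access(p, os.W_OK)):
    """A non-default install directory must already exist and be writable."""
    if not is_dir(path):
        return ["install directory %s does not exist" % path]
    if not is_writable(path):
        return ["install directory %s is not writable" % path]
    return []


def check_database(vendor, charset, collation=None):
    """Character set must be Unicode; MS SQL additionally needs the one
    supported collation. Vendor names are matched case-insensitively."""
    findings = []
    if not is_unicode_charset(charset):
        findings.append("database character set %s is not Unicode; use UTF-8" % charset)
    if vendor.lower() in ("mssql", "sqlserver") and collation != MSSQL_COLLATION:
        findings.append("MS SQL collation must be %s, found %s" % (MSSQL_COLLATION, collation))
    return findings


def port_open(host, port, timeout=3.0):
    """True if a TCP connection to host:port succeeds; use it for the SSL port
    that external password management needs open on the firewall, and for
    the database server's host and port from the checklist."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(env, install_dir, db_vendor, db_charset, db_collation=None):
    """Run the offline checks and return all findings; an empty list is a pass."""
    findings = []
    findings += check_java_home(env)
    findings += check_install_dir(install_dir)
    findings += check_database(db_vendor, db_charset, db_collation)
    return findings


if __name__ == "__main__":
    # Example run with the page's defaults; adjust the vendor, character set
    # and collation to what your database administrator reports.
    for finding in preflight(os.environ, DEFAULT_INSTALL_DIR, "mssql", "UTF-8", MSSQL_COLLATION):
        print("-", finding)
```

Obtain the character set and collation from the database itself (for example from the database administrator or the vendor's system views) rather than from the installation notes, since a database created with a non-Unicode default is the usual cause of the migration errors mentioned above.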

NetIQ supports clustering database servers with certain considerations. For more information, see Prerequisites for Installing the Database for the Identity Applications.