3.1 Planning to Install the Identity Vault

This section provides the prerequisites, considerations, and system setup needed to install the Identity Vault. First, consult the checklist to understand the installation process.

3.1.1 Checklist for Installing the Identity Vault

NetIQ recommends that you perform the steps in the following checklist:

Checklist Items

  1. Review the planning information. For more information, see Section I, Planning to Install Identity Manager.

  2. Review the hardware and software requirements for the computers that will host the Identity Vault. For more information, see Meeting System Requirements.

  3. Understand how to use escape characters when the names of containers in the Identity Vault include a period (“.”). For more information, see Using Escape Characters when a Container Name Includes a Period (“.”).

  4. Understand how to use the Identity Vault in an environment that uses IPv6 addresses. For more information, see Using IPv6 Addresses on the Identity Vault Server.

  5. Understand the ports required for LDAP communications. For more information, see Using LDAP to Communicate with the Identity Vault.

  6. For installation instructions, see one of the following sections:

  7. (Optional) Exclude the DIB directory on your eDirectory server from any antivirus or backup software process.

  8. (Optional) Back up your DIB directory. For more information, see “Backing Up and Restoring NetIQ eDirectory” in the NetIQ eDirectory Administration Guide.

  9. Install the Identity Manager engine. For more information, see Section 4.0, Planning to Install the Engine, Drivers, and Plug-ins.

3.1.2 Prerequisites and Considerations for Installing the Identity Vault

Identity Vault uses a directory to store the objects that are synchronized through the Identity Manager solution. The following sections contain guidelines that help you plan a deployment of NetIQ eDirectory to use as the framework for the Identity Vault.

NetIQ recommends that you review the following considerations before you install eDirectory as the framework for the Identity Vault:

  • You must configure a static IP address on the server for the eDirectory infrastructure to perform efficiently. If you use DHCP addresses on the server, eDirectory might have unpredictable results.

  • Synchronize time across all network servers. NetIQ recommends using the Network Time Protocol (NTP) ntp option.

  • (Conditional) To install a secondary server, all the replicas in the partition that you install the product on should be in the On state.

  • (Conditional) To install a secondary server into an existing tree as a non-administrator user, create a container and then partition it. Ensure that you have the following rights:

    • Supervisor rights to the partition where you want to add the server.

    • Supervisor rights to the container where you want to add the server.

    • All Attributes rights: read, compare, and write rights over the W0.KAP.Security object.

    • Attribute rights: read and compare rights over the Security container object.

    • Entry rights: browse rights over the Security container object.

    These rights are required for adding the replica when the replica count is less than 3.

  • (Conditional) To install a secondary server into an existing tree as a non-administrator user, ensure that at least one server in the tree runs the same or a later eDirectory version than the secondary server being added by the container administrator. If the secondary server runs a later version, the tree administrator must extend the schema before the container administrator adds the secondary server.

  • While configuring eDirectory, you must open the NetWare Core Protocol (NCP) port (the default is 524) in the firewall so that secondary servers can be added. You can also open the following default service ports, depending on your requirements:

    • LDAP clear text - 389

    • LDAP secured - 636

    • HTTP clear text - 8028

    • HTTP secured - 8030

  • You must install Novell International Cryptographic Infrastructure (NICI) on every workstation using management utilities for eDirectory, such as iManager. NICI and eDirectory support key sizes up to 4096 bits. For more information, see “Installing NICI” in the NetIQ eDirectory Installation Guide.

  • (Conditional) If the names of containers in your eDirectory tree include a period, you must use escape characters to specify the Admin name, admin context, and server context parameters during installation and when adding a server into an existing tree. For more information, see Using Escape Characters when a Container Name Includes a Period (“.”).

  • You must have administrative rights to the server and to all portions of the eDirectory tree that contain domain-enabled User objects. For an installation into an existing tree, you need administrative rights to the Tree object so that you can extend the schema and create objects.

  • Because NTFS provides a safer transaction process than a FAT file system provides, you can install eDirectory only on an NTFS partition. Therefore, if you have only FAT file systems, do one of the following:

    • Use Disk Administrator. Refer to the Windows Server documentation for more information.

    • Create a new partition and format it as NTFS.

    • Convert an existing FAT file system to NTFS, using the CONVERT command.

    • Refer to the Windows Server documentation for more information.

    If your server only has a FAT file system and you forget or overlook this process, the installation program prompts you to provide an NTFS partition.

  • You must be running the latest version of the Windows SNMP service.

  • Your Windows operating system must be running the latest service packs before you begin the installation process.

  • To install on a virtual machine that has a DHCP address or on a physical or virtual machine in which SLP is not broadcast, ensure that the Directory Agent is configured in your network.

For installing Identity Vault in a cluster environment, see Section X, Deploying Identity Manager for High Availability.
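The following pre-flight script is an added example, not part of the NetIQ guide: it checks the server-side prerequisites listed above (static IPv4 address, time synchronization, an NTFS partition, the Windows SNMP service, and firewall rules for the NCP port and the optional LDAP/HTTP ports) on the Windows server that will host the Identity Vault. It assumes an elevated PowerShell session on Windows Server 2012 or later and the guide's default port numbers.

```powershell
# Added pre-flight check (not from the NetIQ guide). Run elevated on the Windows server
# that will host the Identity Vault. Port numbers are the guide's defaults; adjust as needed.
$ncpPort = 524
$optionalPorts = [ordered]@{ 'LDAP clear text' = 389; 'LDAP secured' = 636
                             'HTTP clear text' = 8028; 'HTTP secured' = 8030 }
$results = New-Object System.Collections.Generic.List[object]

function Add-Result([string]$Check, [bool]$Ok, [string]$Detail, [string]$FailLevel = 'FAIL') {
    $results.Add([pscustomobject]@{ Check = $Check; Result = $(if ($Ok) { 'PASS' } else { $FailLevel }); Detail = $Detail })
}

# Static address: any DHCP-assigned IPv4 address fails the check.
$dhcp = @(Get-NetIPAddress -AddressFamily IPv4 | Where-Object { $_.PrefixOrigin -eq 'Dhcp' })
Add-Result 'Static IPv4 address' ($dhcp.Count -eq 0) $(if ($dhcp) { "DHCP: $($dhcp.IPAddress -join ', ')" } else { 'no DHCP-assigned addresses' })

# Time synchronization: w32tm exits non-zero when the Windows Time service is not synchronizing.
$w32 = & w32tm /query /status 2>&1
Add-Result 'Time synchronized (NTP)' ($LASTEXITCODE -eq 0) (($w32 | Select-String 'Source:') -join '')

# NTFS: eDirectory installs only on an NTFS partition.
$ntfs = @(Get-Volume | Where-Object { $_.DriveLetter -and $_.FileSystem -eq 'NTFS' })
Add-Result 'NTFS partition available' ($ntfs.Count -gt 0) (($ntfs.DriveLetter | ForEach-Object { "${_}:" }) -join ', ')

# The Windows SNMP service must be installed and running.
$snmp = Get-Service -Name SNMP -ErrorAction SilentlyContinue
Add-Result 'Windows SNMP service running' ($snmp -and $snmp.Status -eq 'Running') $(if ($snmp) { "$($snmp.Status)" } else { 'service not installed' })

# Firewall: collect TCP ports covered by enabled inbound allow rules (port ranges are not expanded).
$openPorts = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Get-NetFirewallPortFilter | Where-Object { $_.Protocol -eq 'TCP' } |
    ForEach-Object { $_.LocalPort }
function Test-PortAllowed([int]$Port) { ($openPorts -contains 'Any') -or ($openPorts -contains "$Port") }
Add-Result "Firewall allows NCP TCP $ncpPort" (Test-PortAllowed $ncpPort) 'required to add a secondary server'
foreach ($name in $optionalPorts.Keys) {
    $p = $optionalPorts[$name]
    Add-Result "Firewall allows $name ($p)" (Test-PortAllowed $p) 'optional; open only if required' 'WARN'
}

$results | Format-Table -AutoSize
# Exit non-zero only for hard prerequisites so the script can gate an automated build.
if ($results | Where-Object { $_.Result -eq 'FAIL' }) { exit 1 }
```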

3.1.3 Understanding Identity Manager Objects in eDirectory

The following list indicates the major Identity Manager objects that are stored in eDirectory and how they relate to each other. The installation process does not create objects. Instead, you create the Identity Manager objects when configuring the Identity Manager solution.

  • Driver Set: A driver set is a container that holds Identity Manager drivers and library objects. Only one driver set can be active on a server at a time. However, more than one server might be associated to one driver set. Also, a driver can be associated with more than one server at a time. However, the driver should only be running on one server at a time. The driver should be in a disabled state on the other servers. Any server that is associated with a driver set must have the Identity Manager server installed on it.

  • Library: The Library object is a repository of commonly used policies that can be referenced from multiple locations. The library is stored in the driver set. You can place a policy in the library so that every driver in the driver set can reference it.

  • Driver: A driver provides the connection between an application and the Identity Vault. It also enables data synchronization and sharing between systems. The driver is stored in the driver set.

  • Job: A job automates a recurring task. For example, a job can configure a system to disable an account on a specific day, or initiate a workflow to request an extension of a person’s access to a corporate resource. The job is stored in the driver set.