9.1 Planning to Install Single Sign-on for Identity Manager

This section provides information about the prerequisites, considerations, and system setup needed to install One SSO Provider (OSP).

9.1.1 Checklist for Single Sign-on Component

NetIQ recommends that you complete the steps in the following checklist:

Checklist Items

  1. Review the planning information. For more information, see Section I, Planning to Install Identity Manager.

  2. Review the hardware and software requirements for the computers that will host OSP. For more information, see Meeting System Requirements.

  3. Ensure that Tomcat has been installed. For more information, see Installing PostgreSQL and Tomcat.

  4. (Conditional) To use the Apache Log4j service to record events in Tomcat, ensure that you have the appropriate files. For more information, see Using the Apache Log4j Service to Log Sign-on.

  5. Install OSP:

  6. Install Self Service Password Reset (SSPR) to manage user passwords for Identity applications. For more information, see Section 10.0, Installing the Password Management Component.

  7. Install and configure the identity applications to use single sign-on access. For more information, see Installing the Identity Applications.

9.1.2 Prerequisites for Installing One SSO Provider

The following Identity Manager components require OSP for user authentication:

  • Identity Applications

  • Identity Reporting

Before installing OSP, NetIQ recommends that you review the following considerations:

  • To run OSP, you can use your own Tomcat installation program instead of the one provided in the Identity Manager installation kit. However, to use the Apache Log4j service with your version of Tomcat, ensure that you have the appropriate files installed. For more information, see Using the Apache Log4j Service to Log Sign-on.

  • OSP requires trust certificates to ensure that the identity applications and reporting can communicate with the authentication server. The installation process automatically creates a certificate for TLS/SSL in the osp.jks file. You can also have the process create the Trusted Root Certificate for a SAML Assertion to eDirectory.

    NOTE: These certificates expire two years after their creation date. You must create new certificates when the original ones expire. For more information, see Authentication Server and Configuring Single Sign-on Access in Identity Manager in the NetIQ Identity Manager - Administrator’s Guide to the Identity Applications.
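Because the OSP certificates expire two years after creation, an administrator wants to know how close to that date each entry in osp.jks is before the identity applications lose their trust path. The following script is an added example and is not part of the NetIQ documentation: it reads the output of the JDK's `keytool -list -v` command (run with `-keystore` and `-storepass`, which are real keytool options) and reports entries that are within a warning window or already expired. The sample listing, its alias names (`osp`, `saml-root`) and its dates are constructed for the example; an English-locale JVM is assumed, and the time-zone token that keytool prints is dropped, so the result is accurate to within hours, which is enough for an expiry warning.

```python
"""Report entries in an OSP keystore that are near or past expiry.

Added example, not part of the NetIQ documentation. The listing below is
constructed to look like `keytool -list -v` output; aliases and dates are
not from the product.
"""
import re
import subprocess
from datetime import datetime

ALIAS_RE = re.compile(r"^Alias name:\s*(.+)$")
VALID_RE = re.compile(r"^Valid from:\s*(.+?)\s+until:\s*(.+)$")


def _parse_keytool_date(text):
    """Parse 'Mon Jun 10 09:15:30 UTC 2024' as printed by keytool.

    keytool prints the JVM's default time-zone abbreviation, which strptime
    cannot parse reliably, so the zone token is dropped (assumption: a few
    hours of skew do not matter for an expiry warning). English weekday and
    month names are assumed.
    """
    tokens = text.split()
    if len(tokens) != 6:
        raise ValueError(f"unexpected keytool date: {text!r}")
    weekday, month, day, clock, _zone, year = tokens
    return datetime.strptime(f"{weekday} {month} {day} {clock} {year}",
                             "%a %b %d %H:%M:%S %Y")


def parse_keytool_listing(listing):
    """Return {alias: (not_before, not_after)} using the first certificate of each entry."""
    entries = {}
    alias = None
    for raw in listing.splitlines():
        line = raw.strip()
        m = ALIAS_RE.match(line)
        if m:
            alias = m.group(1)
            continue
        m = VALID_RE.match(line)
        if m and alias and alias not in entries:
            entries[alias] = (_parse_keytool_date(m.group(1)),
                              _parse_keytool_date(m.group(2)))
    return entries


def expiring_entries(entries, now, warn_days=30):
    """List (alias, days_left) for entries expiring within warn_days; negative means expired."""
    report = []
    for alias, (_not_before, not_after) in sorted(entries.items()):
        days_left = (not_after - now).days
        if days_left <= warn_days:
            report.append((alias, days_left))
    return report


def list_keystore(keystore_path, storepass):
    """Run keytool against a real keystore such as osp.jks (not exercised offline)."""
    cmd = ["keytool", "-list", "-v", "-keystore", keystore_path, "-storepass", storepass]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


# Constructed sample: one private-key entry and one trusted root, as keytool would print them.
SAMPLE_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: osp
Creation date: Jun 10, 2024
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=osp.example.test
Issuer: CN=osp.example.test
Valid from: Mon Jun 10 09:15:30 UTC 2024 until: Wed Jun 10 09:15:30 UTC 2026

Alias name: saml-root
Creation date: Jan 2, 2024
Entry type: trustedCertEntry

Owner: CN=Trusted Root (constructed)
Issuer: CN=Trusted Root (constructed)
Valid from: Tue Jan 02 08:00:00 UTC 2024 until: Thu Jan 02 08:00:00 UTC 2025
"""

# Fixed "today" so the demo is reproducible; replace with datetime.now() in real use.
SAMPLE_NOW = datetime(2024, 12, 15)

if __name__ == "__main__":
    for alias, days in expiring_entries(parse_keytool_listing(SAMPLE_LISTING), SAMPLE_NOW):
        state = "EXPIRED" if days < 0 else f"expires in {days} days"
        print(f"{alias}: {state}")
```

Running the script against the sample reports only `saml-root`, which expires 18 days after the fixed date; to check a live keystore, feed `list_keystore("osp.jks", storepass)` into `parse_keytool_listing` and pass `datetime.now()` as `now`.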

9.1.3 System Requirements for One SSO Provider

OSP requires the Apache Tomcat application server. The Tomcat version must be the same one required for the identity applications.

All other server requirements match the server requirements for the identity applications. For more information, see Prerequisites and Considerations for Installing the Identity Applications and the most recent Release Notes for this version.

9.1.4 Using the Apache Log4j Service to Log Sign-on

You can use either the Apache Log4j service or the java.util.logging service to record events that occur in Tomcat. The Tomcat installer in the Identity Manager installation kit includes the files that you need for Log4j. However, if you install your own version of Tomcat, you need the following files to use the Apache logging service:

  • log4j-1.2.16.jar

  • tomcat-juli-adapters.jar

  • tomcat-juli.jar

To add the files to your Tomcat installation, complete the following steps:

  1. Download the “JULI” files for Tomcat v8.5.x from the Apache website:

    • tomcat-juli.jar

    • tomcat-juli-adapters.jar

  2. Download the log4j-1.2.16.jar file from the Apache website.

  3. Place the following files in the $TOMCAT_HOME\lib directory:

    • log4j-1.2.16.jar

    • tomcat-juli-adapters.jar

  4. Place the tomcat-juli.jar file in the $TOMCAT_HOME\bin directory.

  5. Specify a value for -Dlog4j.configuration in CATALINA_OPTS or create a log4j.properties file in the $TOMCAT_HOME\lib directory.
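Steps 3 to 5 above leave two things to verify on a self-installed Tomcat: that the three jar files are in the directories named, and that Log4j is pointed at a configuration either through `-Dlog4j.configuration` in CATALINA_OPTS or through a log4j.properties file under lib. The following script is an added example and is not part of the NetIQ documentation or of Tomcat: `check_log4j_setup` reports whatever is still missing, and `write_minimal_log4j_properties` creates a log4j.properties file whose contents are an assumed minimal log4j 1.x configuration (one daily-rolling file appender under `${catalina.base}/logs`), not the product's own file. The `demo` function stages a throwaway directory tree with empty stand-in jars so the check can be exercised without a real Tomcat.

```python
"""Check that a self-installed Tomcat carries the Log4j files from the steps above.

Added example, not part of the NetIQ documentation or of Tomcat. Jar and
directory names come from the steps above; the log4j.properties content
is an assumed minimal log4j 1.x configuration.
"""
import os
import shlex
import tempfile

LIB_JARS = ("log4j-1.2.16.jar", "tomcat-juli-adapters.jar")  # step 3: $TOMCAT_HOME/lib
BIN_JARS = ("tomcat-juli.jar",)                                # step 4: $TOMCAT_HOME/bin
CONFIG_OPTION = "-Dlog4j.configuration="                       # step 5, CATALINA_OPTS form

# Assumed minimal log4j 1.x configuration: INFO and above to a daily-rolling file.
MINIMAL_LOG4J_PROPERTIES = """\
log4j.rootLogger=INFO, CATALINA
log4j.appender.CATALINA=org.apache.log4j.DailyRollingFileAppender
log4j.appender.CATALINA.File=${catalina.base}/logs/catalina
log4j.appender.CATALINA.Append=true
log4j.appender.CATALINA.Encoding=UTF-8
log4j.appender.CATALINA.DatePattern='.'yyyy-MM-dd'.log'
log4j.appender.CATALINA.layout=org.apache.log4j.PatternLayout
log4j.appender.CATALINA.layout.ConversionPattern=%d [%t] %-5p %c - %m%n
"""


def check_log4j_setup(tomcat_home, catalina_opts=""):
    """Return a list of problems; an empty list means steps 3 to 5 are satisfied."""
    problems = []
    lib_dir = os.path.join(tomcat_home, "lib")
    bin_dir = os.path.join(tomcat_home, "bin")
    for jar in LIB_JARS:
        if not os.path.isfile(os.path.join(lib_dir, jar)):
            problems.append(f"missing {jar} in {lib_dir}")
    for jar in BIN_JARS:
        if not os.path.isfile(os.path.join(bin_dir, jar)):
            problems.append(f"missing {jar} in {bin_dir}")
    # Step 5 accepts either form: a system property in CATALINA_OPTS ...
    has_option = any(tok.startswith(CONFIG_OPTION) for tok in shlex.split(catalina_opts))
    # ... or a log4j.properties file on the class path under lib.
    has_properties = os.path.isfile(os.path.join(lib_dir, "log4j.properties"))
    if not (has_option or has_properties):
        problems.append(f"neither {CONFIG_OPTION} in CATALINA_OPTS nor "
                        f"{os.path.join(lib_dir, 'log4j.properties')}")
    return problems


def write_minimal_log4j_properties(tomcat_home):
    """Create lib/log4j.properties with the assumed minimal configuration and return its path."""
    path = os.path.join(tomcat_home, "lib", "log4j.properties")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(MINIMAL_LOG4J_PROPERTIES)
    return path


def demo():
    """Stage a throwaway Tomcat tree; return the problem lists at each stage of the setup."""
    root = tempfile.mkdtemp(prefix="tomcat-demo-")
    os.makedirs(os.path.join(root, "lib"))
    os.makedirs(os.path.join(root, "bin"))
    before = check_log4j_setup(root)                        # nothing in place yet
    for jar in LIB_JARS:
        open(os.path.join(root, "lib", jar), "wb").close()  # empty stand-ins for the jars
    for jar in BIN_JARS:
        open(os.path.join(root, "bin", jar), "wb").close()
    jars_only = check_log4j_setup(root)                     # only step 5 still missing
    via_opts = check_log4j_setup(
        root, "-Xmx2g " + CONFIG_OPTION + "file:///opt/tomcat/lib/log4j.properties")
    write_minimal_log4j_properties(root)
    via_file = check_log4j_setup(root)                      # satisfied by the properties file
    return before, jars_only, via_opts, via_file


if __name__ == "__main__":
    labels = ("empty tree", "jars only", "CATALINA_OPTS set", "log4j.properties present")
    for label, result in zip(labels, demo()):
        print(f"{label}: {result or 'OK'}")
```

On a real server, call `check_log4j_setup(os.environ["TOMCAT_HOME"], os.environ.get("CATALINA_OPTS", ""))` from the same environment that starts Tomcat, since CATALINA_OPTS is usually set in a startup script rather than in the login shell.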