3.4 Considerations for Installing Identity Applications Components

NetIQ recommends that you review the prerequisites and computer requirements for the identity applications before you begin the installation process. For more information about configuring the identity applications environment after installing the application components, see NetIQ Identity Manager - Administrator’s Guide to the Identity Applications.

3.4.1 Installation Considerations

  • The Identity Applications installation process requires the following minimum space for installing the components:

    • /opt - 5 GB

    • /var - 100 MB

  • Identity Applications require a supported version of the following Identity Manager components:

    • Identity Manager engine

    • Remote Loader

  • (Optional) NetIQ enables the Secure Sockets Layer (SSL) protocol during the installation. To change the communication settings among the identity applications components in your environment, see Configuring Security in the Identity Applications in the NetIQ Identity Manager - Administrator’s Guide to the Identity Applications.

  • You cannot use the Role and Resource Service driver with the Remote Loader because the driver uses jClient.

  • If you plan to install User Application in a non-default location, ensure that the new directory is writable by non-root users.

  • Each User Application instance can service only one user container. For example, you can add users to, search, and query only the container associated with the instance. Also, a user container association with an application is meant to be permanent.

  • In a distributed environment, you must have a certificate with CN as Identity Applications in the keystore (idm.jks) of the Identity Applications server. As part of enhanced Java security, Identity Applications now require a trusted certificate to communicate with OSP.

3.4.2 Database Considerations

The database stores the identity applications data and configuration information.

Before installing the database instance, review the following prerequisites:

  • To configure a database for use with Tomcat, you must ensure that it contains the required JDBC jar file. The identity applications use standard JDBC calls to access and update the database. The identity applications use a JDBC data source file bound to the JNDI tree to open a connection to the database.

  • You must have an existing data source file that points to the database. The installation program for the User Application creates a data source entry for Tomcat in server.xml and context.xml which points to the database.

  • If you are using a supported version of Oracle or Microsoft SQL Server database, you must configure two database instances for Identity Applications to work correctly: the Identity Applications (idmuserappdb) database and the Workflow (igaworkflowdb) database. Ensure that you configure both database instances on the same server.

  • Ensure that you have the following information:

    • Host and port of the database server.

    • Name of the database to create. The default database for the identity applications is idmuserappdb.

    • Database username and password. The database username must represent an Administrator account or must have enough permissions to create tables in the Database Server. The default administrator for the User Application is idmadmin.

    • The driver .jar file provided by the database vendor for the database that you are using. NetIQ does not support driver JAR files provided by third-party vendors.

  • The database instance can be on the local computer or a connected server.

  • The database character set must use Unicode encoding. For example, UTF-8 is a character set that uses Unicode encoding, whereas Latin1 does not. For more information about specifying the character set, see Configuring the Character Set or Configuring an Oracle Database.

  • If you are connecting to a remote database, ensure that you create the database before installing Identity Applications. For information on connecting to the remote PostgreSQL database, see Connecting to a Remote PostgreSQL Database.

  • The case-sensitive collation for your database might cause a duplicate key error during migration. Check the collation and correct it, then re-install the identity applications.

  • (Conditional) To use the same database instance both for auditing purposes and for the identity applications, NetIQ recommends installing the database on a separate dedicated server from the server that hosts Tomcat running the identity applications.

  • (Conditional) If you are migrating to a new version of the identity applications, you must use the same database that you used for the previous installation.

  • The only supported collation for MS SQL is SQL_Latin1_General_CP1_CI_AS.

3.4.3 Configuring the Database for Identity Applications

The database for the identity applications supports tasks such as storing configuration data and data for workflow activities. Before you can install the applications, the database must be installed and configured.

By default, the installation process installs the PostgreSQL database for the identity applications and creates an administrative user called idmadmin to own the database. However, the installation does not create the schema in the database for the identity applications. Schema information is added when you install the identity applications.

Configuring an Oracle Database

This section provides configuration options for using an Oracle database for the User Application.

Checking Compatibility Level of Databases

Databases from different releases of Oracle are compatible if they support the same features and those features perform the same way. If they are not compatible, certain features or operations might not work as expected. For example, schema creation fails, which prevents you from deploying the identity applications.

To check the compatibility level of your database, perform the following steps:

  1. Connect to the Database Engine.

  2. After connecting to the appropriate instance of the SQL Server Database Engine, in Object Explorer, click the server name.

  3. Expand Databases, and, depending on the database, either select a user database or expand System Databases and select a system database.

  4. Right-click the database, and then click Properties.

    The Database Properties dialog box opens.

  5. In the Select a page pane, click Options.

    The current compatibility level is displayed in the Compatibility level list box.

  6. To check the Compatibility Level, enter the following in the query window and click Execute.

    SQL> SELECT name, value FROM v$parameter WHERE name = 'compatible';

    The expected output is 12.2.x.x, 18.x.x, or 19.x.x.

    NOTE: Oracle 19c is supported from Identity Manager 4.8.1 onwards.

Configuring the Character Set

Your User Application database must use a Unicode-encoded character set. When creating the database, use AL32UTF8 to specify this character set.

To confirm that your supported Oracle database is set for UTF-8, issue the following command:

select * from nls_database_parameters;

If the database is not configured for UTF-8, the system responds with the following information:

NLS_CHARACTERSET
WE8MSWIN1252

Otherwise, the system responds with the following information that confirms the database is configured for UTF-8:

NLS_CHARACTERSET
AL32UTF8

For more information about configuring a character set, see “Choosing an Oracle Database Character Set”.

Configuring the Admin User Account

The User Application requires that the Oracle database user account have specific privileges. In the SQL*Plus utility, enter the following commands:

CREATE USER idmuser IDENTIFIED BY password;
GRANT CREATE SESSION TO idmuser;
GRANT CREATE CLUSTER TO idmuser;
GRANT CREATE PROCEDURE TO idmuser;
GRANT CREATE SEQUENCE TO idmuser;
GRANT CREATE TABLE TO idmuser;
GRANT CREATE TRIGGER TO idmuser;
ALTER USER idmuser quota 100M on USERS;

where idmuser represents the user account.

NOTE: It is recommended to use JDBC JAR version ojdbc8.jar.
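The three Oracle checks above (compatibility level, character set, and the privileges of the admin user account), collected into one SQL*Plus preflight script. This is an added example, not code from the NetIQ guide; it assumes a DBA session and that the application account is named idmuser, as in the GRANT statements above.

```sql
-- Added preflight script (not from the NetIQ guide). Run it in SQL*Plus as a
-- DBA account before installing the identity applications on Oracle.
SET SERVEROUTPUT ON
-- 1. Fail early unless compatibility level and character set match the guide.
DECLARE
  v_compat  VARCHAR2(4000);
  v_charset VARCHAR2(4000);
BEGIN
  SELECT value INTO v_compat
    FROM v$parameter WHERE name = 'compatible';
  SELECT value INTO v_charset
    FROM nls_database_parameters WHERE parameter = 'NLS_CHARACTERSET';

  -- Expected: 12.2.x.x, 18.x.x or 19.x.x
  IF NOT REGEXP_LIKE(v_compat, '^(12\.2|18|19)(\.|$)') THEN
    RAISE_APPLICATION_ERROR(-20001,
      'Unsupported COMPATIBLE setting: ' || v_compat);
  END IF;

  -- Expected: the Unicode character set AL32UTF8 (WE8MSWIN1252 fails here)
  IF v_charset <> 'AL32UTF8' THEN
    RAISE_APPLICATION_ERROR(-20002,
      'NLS_CHARACTERSET is ' || v_charset || ', expected AL32UTF8');
  END IF;

  DBMS_OUTPUT.PUT_LINE('Preflight OK: compatible=' || v_compat
                       || ', charset=' || v_charset);
END;
/
-- 2. Least-privilege audit of the application account (name idmuser assumed;
--    the data dictionary stores grantee names in upper case). Each row is a
--    deviation from the six privileges the guide grants; no rows means the
--    account holds exactly what is documented.
WITH required AS (
  SELECT column_value AS privilege FROM TABLE(sys.odcivarchar2list(
    'CREATE SESSION', 'CREATE CLUSTER', 'CREATE PROCEDURE',
    'CREATE SEQUENCE', 'CREATE TABLE', 'CREATE TRIGGER'))
), held AS (
  SELECT privilege FROM dba_sys_privs WHERE grantee = 'IDMUSER'
)
SELECT NVL(h.privilege, r.privilege) AS privilege,
       CASE WHEN r.privilege IS NULL THEN 'EXTRA - revoke it'
            ELSE 'MISSING - grant it' END AS finding
  FROM held h FULL OUTER JOIN required r ON h.privilege = r.privilege
 WHERE h.privilege IS NULL OR r.privilege IS NULL;
-- 3. Roles such as DBA or RESOURCE would silently widen the account;
--    the guide grants none, so this should return no rows.
SELECT granted_role FROM dba_role_privs WHERE grantee = 'IDMUSER';
```

Run the script before installing and again after the GRANT statements; a non-empty result from the second or third query is a misconfiguration to correct before proceeding.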

Configuring a SQL Server Database

This section provides configuration options for using an SQL Server database for the User Application.

Configuring the Character Set

SQL Server does not allow you to specify the character set for databases. The User Application stores SQL Server character data in an NCHAR column type, which supports UTF-8.

Configuring the Admin User Account

After installing Microsoft SQL Server, create a database and database user using an application such as SQL Server Management Studio. The database user account must have the following privileges:

  • CREATE TABLE

  • DELETE

  • INSERT

  • SELECT

  • UPDATE

  • REFERENCES

NOTE: It is recommended to use JDBC JAR version sqljdbc42.jar.