4.2 New Installation by Using Physical Media or an ISO

The integrated installer helps you to install the binary files for the Identity Manager components and to configure the components.

If you are installing Identity Manager through the integrated installer on the 64-bit SLES 11 platform, make sure that the libgthread-2_0-0-32bit-2.17.2+2.17.3+20080708+r7171-3.1.x86_64.rpm compatibility library is installed before starting the installation.

Ensure that you install the following libraries before installing Identity Manager on RHEL 6.0:

NOTE: Ensure that the unzip rpm is installed before installing Identity Manager. This applies to all Linux platforms.

4.2.1 Installation

  1. Access the Identity Manager 4.0.1 installation files either by mounting the .iso file or accessing the DVD you created from the .iso file.

    For more information, see Section 4.1, Downloading the ISO File.

  2. Go to the mount directory and start the installation by using the correct program for your platform.

    Linux/Solaris: ./install.bin

    To execute the binary file, enter ./install.bin.

    Windows: install.exe

  3. Use the following information to complete the installation:

    Introduction: Select the language for your installation, then review the components you can install.

    License Agreement: Read and accept the license agreement.

    Select Components: Select the desired components to install. The options are:

    • Metadirectory Server

    • Roles Based Provisioning Module

    • Identity Reporting Module

    • Event Auditing Service

    • Role Mapping Administrator

    • iManager

    • Designer

    • Analyzer

    NOTE: The Roles Based Provisioning Module and the Identity Reporting Module can be installed on a system that does not have the Identity Vault. You must always install the Roles Based Provisioning Module and the Identity Reporting Module on the same machine. The Roles Based Provisioning Module uses JBoss as its application server and PostgreSQL as its database.

    Choose Installation Folder: Specify the base folder where Identity Manager and all of the components are installed. This option is only applicable for Windows.

    UNIX installations have a predefined installation path. The integrated installer installs components in the following predefined installation paths:

    • eDirectory and Identity Manager: /opt/novell/eDirectory

    • Roles Based Provisioning Module, Reporting Module, Role Mapping Administrator, Designer, and Analyzer: /opt/novell/idm

    • Event Auditing Service: /opt/novell/sentinel_eas

    Pre-Installation Summary: Review the Pre-Installation summary page, which contains information about the selected components. To change any of these settings, click Previous.

    Installation Complete Summary: Review the post-installation summary to verify the installation status of the selected components and the location of the log file for each component. See Table 4-2 for information about the location of the log files.

    Continue for Configuration: (Conditional) This check box is enabled only when the selected components are configurable. If you want to continue with configuration, continue with Section 4.2.2, Configuration. If you don’t want to continue with the configuration, deselect this check box.

4.2.2 Configuration

You can configure the Identity Manager components that you have already installed by using the integrated installer. Verify that you have completed Section 4.2.1, Installation before proceeding with the configuration.

IMPORTANT: When you create a new tree or add to an existing tree, the configuration fails if the /etc/hosts file contains a 127.0.0.2 entry, because the default IP certificate is then created for the 127.0.0.2 loopback address. For a successful configuration, comment out the 127.0.0.2 entry and make sure that the 127.0.0.1 loopback address and the server's real IP address are both in the file.
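As an added example (not part of the original guide), a small Python preflight for the /etc/hosts condition described above: it flags an active 127.0.0.2 entry, confirms that 127.0.0.1 and the server's real address are present, and produces a copy of the file with the 127.0.0.2 line commented out. The sample hosts content, the host name and the address 192.168.10.25 are constructed for the example.

```python
import ipaddress
import sys


def active_hosts_entries(hosts_text):
    """Yield (address, names) for each /etc/hosts line that is not blank or commented out."""
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # a '#' ends the meaningful part of the line
        if line:
            fields = line.split()
            yield fields[0], fields[1:]


def hosts_preflight(hosts_text, real_ip):
    """Check the three conditions the integrated installer needs before the tree is created."""
    if ipaddress.ip_address(real_ip).is_loopback:
        raise ValueError("real_ip must be the server's routable address, not a loopback address")
    addresses = {addr for addr, _ in active_hosts_entries(hosts_text)}
    return {
        "loopback_127_0_0_2_active": "127.0.0.2" in addresses,   # must be False
        "loopback_127_0_0_1_present": "127.0.0.1" in addresses,  # must be True
        "real_ip_present": real_ip in addresses,                 # must be True
    }


def hosts_ready(hosts_text, real_ip):
    """True only when the file is in the state the configuration requires."""
    r = hosts_preflight(hosts_text, real_ip)
    return (not r["loopback_127_0_0_2_active"]
            and r["loopback_127_0_0_1_present"] and r["real_ip_present"])


def comment_out_127_0_0_2(hosts_text):
    """Return a copy of the file with every active 127.0.0.2 line turned into a comment."""
    fixed = []
    for raw in hosts_text.splitlines():
        content = raw.split("#", 1)[0].split()
        fixed.append("# " + raw if content and content[0] == "127.0.0.2" else raw)
    return "\n".join(fixed) + "\n"


# Constructed SLES-style sample; the host name and 192.168.10.25 are made up for the example.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
127.0.0.2       idmserver.example.com idmserver
192.168.10.25   idmserver.example.com idmserver
"""

if __name__ == "__main__":
    # Usage: python hosts_preflight.py <real-ip> [path-to-hosts-file]
    ip = sys.argv[1]
    path = sys.argv[2] if len(sys.argv) > 2 else "/etc/hosts"
    with open(path) as fh:
        text = fh.read()
    for name, value in hosts_preflight(text, ip).items():
        print(f"{name}: {value}")
    print("ready" if hosts_ready(text, ip) else "not ready: comment out 127.0.0.2 and re-check")
```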

To configure the Identity Manager components:

  1. If you are continuing from Step 3 in the installation procedure, skip to Step 2. Otherwise, start the configuration with the correct program for your platform:

    Linux: ./configure.bin

    Solaris: ./configure.bin

    To execute the binary file, enter ./configure.bin.

    Windows: configure.exe

  2. Select the components you want to configure, then click Next.

  3. Select one of the following options to complete the configuration of the Identity Manager components:

    You must take a note of the following information before proceeding with the configuration of Identity Manager components:

    • If you are adding to an existing tree, run the NrfCaseUpdate utility on the primary server to support mixed-case searching on roles and resources if the primary server has Identity Manager 3.6 or above.

      If you don’t run the NrfCaseUpdate utility, Metadirectory server configuration fails. For more information on running the NrfCaseUpdate utility, see Running the NrfCaseUpdate Utility in the Identity Manager Roles Based Provisioning Module 4.0.1 User Application: Installation Guide.

    • The integrated installer does not perform a health check before a secondary server is added. You must run ndscheck before adding a secondary server through the integrated installer. On Windows, run ndscheck from the <install location>\NDS location. On Linux/Solaris, run /opt/novell/eDirectory/bin/ndscheck. Specify the mandatory parameters and run the command as follows:

      ndscheck [-h <hostname:port>] [-a <admin FDN>] [-w <password>]

    • The logevent.cfg file is modified with the logging server details on both Windows and Linux platforms when either the Roles Based Provisioning Module or the Identity Reporting Module is configured through integrated installer. If you are configuring only Metadirectory server, manually add the logging server details to the logevent.cfg file.

Creating a New Tree

The fields that appear depend on the components you selected to configure in the previous page.

  1. Use the following information to configure your Identity Manager components if you selected to create a new tree.

  2. Review the preconfiguration summary, then click Configure.

  3. Review the configuration summary page, then click Done.

    If there were problems during the configuration, review the configuration logs. For more information, see Locating Log Files and Properties Files.

Identity Vault

Fill in the following fields to create a new tree:

New tree name: Specify a name for the new tree.

Admin password: Specify a password for the Identity Vault administrator.

Confirm admin password: Specify the password for the Identity Vault administrator again.

Identity Vault > Advanced

Select Advanced if you want to customize the tree that is created. Fill in the following fields to customize the tree:

Admin name: Specify the name of the Identity Vault administrator user.

NCP port: Either leave the default value of 524 for the NCP port or change the value of the port. NCP is the core eDirectory communications protocol.

LDAP port: Either leave the default value of 389 for the LDAP port or change the value of the port.

LDAP secure port: Either leave the default value of 636 for the LDAP secure port or change the value of the port.

HTTP port: Either leave the default value of 8028 for the HTTP port or change the value of the port.

HTTP secure port: Either leave the default value of 8030 for the HTTP secure port or change the value of the port.

Instance path: If your server is Linux/UNIX, you can run multiple instances of eDirectory on one server. Specify the path of this eDirectory instance on this server. The default path is /var/opt/novell/eDirectory.

DIB path: Specify the path for your eDirectory database (DIB). The default location of the DIB is:

  • Linux/UNIX: /var/opt/novell/eDirectory/data/dib

  • Windows: c:\Novell\IdentityManager\NDS\DIBFiles\

NOTE: DIB files must always reside inside the \NDS folder. If you change the default location of the DIB on Windows (for example, \NDS\DIBFiles\) to a folder outside \NDS, the configuration of the Metadirectory server fails.

Require TLS for simple binds with password: Select this option to require all LDAP connections to be on the secure port (default 636). If you deselect this option, users authenticating to the LDAP server on the clear text port (default 389) pass their passwords in clear text. For more information, see Communicating with eDirectory through LDAP in the Novell eDirectory 8.8 Installation Guide.

Roles Based Provisioning Module (RBPM)

Fill in the following fields to configure the RBPM and your Event Auditing Service (EAS), which is part of the Identity Reporting Module:

EAS server address: Specify the DNS name or IP address of the server that hosts the EAS. You can either use this server or add another server. The Identity Reporting Module can be configured on only one EAS server.

idmadmin DB user password: Specify the password for the database user. This database stores information for reports.

Confirm idmadmin DB user password: Specify the password for the database user again.

Userapplication password: Specify the password for the User Application administrator.

Confirm User Application password: Specify the password for the User Application administrator again.

(Conditional) Security Admin password: Specify the password for the security administrator.

This field is required only for the Identity Manager Standard Edition.

(Conditional) Confirm Security Admin password: Specify the password for the security administrator again.

This field is required only for the Identity Manager Standard Edition.

(Conditional) Reporting Admin password: Specify the password for the Identity Reporting administrator.

This field is required only for the Identity Manager Standard Edition.

(Conditional) Confirm Reporting Admin password: Specify the password for the Identity Reporting administrator again.

This field is required only for the Identity Manager Standard Edition.

Roles Based Provisioning Module (RBPM) > Advanced

Select Advanced if you want to customize the configuration of the RBPM.

Userapplication address: Specify the DNS name or IP address of the server that hosts the User Application.

Userapplication user: Specify the name of the administrative user for the User Application.

(Conditional) Security Admin name: Specify the name for the security administrator for the User Application. This role gives members the full range of capabilities within the Security domain. The Security administrator can perform all possible actions for all objects within the Security domain.

This field is required only for the Identity Manager Standard Edition.

(Conditional) Reporting Admin name: Specify the name for the Reporting administrator. This user has the full range of capabilities within the Reporting domain. The Reporting administrator can perform all actions for all objects within the Reporting domain.

This field is required only for the Identity Manager Standard Edition.

Identity Reporting Module

Fill in the following fields to configure the Identity Reporting Module:

idmrptsrv user password: Specify the password for the idmrptsrv user. The idmrptsrv user is the owner of the database schemas and objects for reporting.

idmrptuser password: Specify the password for the idmrptuser. This is a user with read-only access to the reporting data.

dbauser password: Specify the password for the dbauser (database administrator).

(Conditional) Managed System Gateway port: Specify the port that the Managed System Gateway driver communicates on.

This field is required only for the Identity Manager AE.

Data Collection Service address: Specify the IP address or the DNS name of the Data Collection Service server.

Identity Vault tree name: Specify the name of an Identity Vault that your server connects to. The server can connect to an existing tree or a remote Identity Vault.

Driver set name: Specify the name for the new driver set that is created during the configuration of the Identity Reporting Module.

Identity Reporting Module > Advanced

Select Advanced to customize the configuration of the Identity Reporting Module. Fill in the following fields to customize the Identity Reporting Module:

Enable subcontainer search: Select this option to enable the Identity Reporting Module to perform subcontainer searches to gather information for reports.

Database host address: Specify the DNS name or the IP address of the server that is running your database.

Secure LDAP: Select whether the server communicates over a secure LDAP connection.

LDAP port: If you have selected secure LDAP for communication, specify the LDAP secure port. Otherwise specify the clear text port.

Token expiration value (in minutes): Specify the number of minutes to retain the token for authentication.

Reporting unit: Select Day, Week, or Month.

Report retention value: Specify how long a report is retained. If the reporting unit is set to Day, and the report retention value is 1, the reports are maintained for 1 day before they are deleted.

Subcontainer login attribute: If you enable subcontainer searches, you need to provide the login attribute that is used for searching the subtree of the user container.

SMTP server address: Specify the DNS name or the IP address of the SMTP server to configure e-mails for the report notifications.

SMTP server port: Either leave 456 as the default port for the SMTP server port or change it.

SMTP user e-mail: Specify the e-mail address to use for authentication, when authentication is enabled.

SMTP user password: Specify the password for the SMTP user.

Confirm SMTP user password: Specify the password for the SMTP user again.

Default e-mail address: Specify a default e-mail address to use, if the person who runs the report does not have an e-mail address specified in the Identity Vault.

SMTP use SSL: Select this option if the SMTP server uses an SSL connection.

Server need authentication: Select this option if authentication is required for the SMTP server.

Event Auditing Service

Fill in the following fields to configure the Event Auditing Service:

Admin password: Specify the password for the administrative user.

Confirm admin password: Specify the password for the administrative user again.

Database admin password: Specify the password for the database admin.

Confirm database admin password: Specify the password for the database admin again.

Event Auditing Service > Advanced

Select Advanced to customize the configuration of the Event Auditing Service:

PostgreSQL port: Either leave the default value of 15432 for the PostgreSQL port or change it.

Enable port forwarding: Select this option to enable port forwarding or deselect it to disable port forwarding.

iManager > Advanced

There are only advanced configuration options for iManager. Select Advanced to display these options:

HTTP port: Either leave the default value of 8080 for the non-secure port or change it.

HTTP secure port: Either leave the default value of 8443 for the secure port or change it.

Adding to an Existing Tree

The fields that appear depend on the components you selected to configure in the previous page.

  1. Use the following information to configure the Identity Manager components if you selected to add this server to an existing tree.

  2. Review the configuration summary page, then click Done.

    If there were problems during the configuration, review the configuration logs. For more information, see Locating Log Files and Properties Files.

Identity Vault

Fill in the following fields to allow your server to join an existing Identity Vault:

Existing tree name: Specify the name for the existing tree.

Existing server address: Specify the IP address of a server in your existing tree.

Existing server port number: Specify the NCP port of the server specified above. The default port for NCP is 524.

Existing server context DN: Specify the DN of the container where you want this server placed in your existing tree. For example, ou=server,o=system.

Existing server admin DN: Specify the DN of the user that has full administrative rights to your tree.

On Windows, the existing server admin name is the existing tree administrator name, and the existing server admin context DN is the existing tree admin context LDAP DN.

Existing server admin password: Specify the password for the administrative user specified above.

Identity Vault > Advanced

Select Advanced if you want to customize this Identity Vault. Fill in the following fields to customize the Identity Vault:

NCP port: Either leave the default value of 524 for the NCP port or change the value of the port. NCP is the core eDirectory communications protocol.

LDAP port: Either leave the default value of 389 for the LDAP port or change the value of the port.

LDAP secure port: Either leave the default value of 636 for the LDAP secure port or change the value of the port.

HTTP port: Either leave the default value of 8028 for the HTTP port or change the value of the port.

HTTP secure port: Either leave the default value of 8030 for the HTTP secure port or change the value of the port.

Instance path: If your server is Linux/UNIX, you can run multiple instances of eDirectory on one server. Specify the path of this eDirectory instance on this server. The default path is /var/opt/novell/eDirectory/data.

DIB path: Specify the path for your eDirectory database (DIB). The default location of the DIB is:

  • Linux/UNIX: /var/opt/novell/eDirectory/data/DIB

  • Windows: c:\Novell\Identity Manager\NDS\DIBfiles\

NOTE: DIB files must always reside inside the \NDS folder. If you change the default location of the DIB on Windows (for example, \NDS\DIBFiles\) to a folder outside \NDS, the configuration of the Metadirectory server fails.

Require TLS for simple binds with password: Select this option to require all LDAP connections to be on the secure port (default 636). If you deselect this option, users authenticating to the LDAP server on the clear text port (default 389) pass their passwords in clear text. For more information, see Communicating with eDirectory through LDAP in the Novell eDirectory 8.8 Installation Guide.

Enable encrypted replication: Select this option if you want the replication of your tree encrypted. For more information, see Encrypted Replication in the Novell eDirectory 8.8 Administration Guide.
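The Require TLS for simple binds with password option appears in both the new-tree and the existing-tree Identity Vault > Advanced settings above. The following added example (not from the guide or the product) verifies after configuration that the setting took effect: it sends a clear-text simple bind on the LDAP port with a throwaway password and reports whether the server answered with LDAP resultCode 13 (confidentialityRequired) instead of evaluating the password. The host, the DN and the sample response bytes are assumptions constructed for the example.

```python
import socket

CONFIDENTIALITY_REQUIRED = 13  # RFC 4511 resultCode used to refuse a clear-text simple bind


def ber_length(n):
    """BER definite-form length: one byte below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    return bytes([tag]) + ber_length(len(payload)) + payload


def build_simple_bind(msg_id, dn, password):
    """Encode LDAPMessage{messageID, BindRequest{version 3, name, simple password}} (RFC 4511)."""
    assert 0 < msg_id < 0x80, "a single-byte messageID keeps the INTEGER encoding trivial"
    bind_request = tlv(0x60,                            # [APPLICATION 0] BindRequest
                       tlv(0x02, b"\x03")               # version INTEGER 3
                       + tlv(0x04, dn.encode())         # name LDAPDN
                       + tlv(0x80, password.encode()))  # authentication: simple [0]
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + bind_request)


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV that starts at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(buf):
    """Return (resultCode, diagnosticMessage) from a BindResponse, or raise ValueError."""
    tag, message, _ = read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _msg_id, pos = read_tlv(message, 0)
    tag, response, _ = read_tlv(message, pos)
    if tag != 0x61:                                     # [APPLICATION 1] BindResponse
        raise ValueError("not a BindResponse")
    _, code, pos = read_tlv(response, 0)                # resultCode ENUMERATED
    _, _matched_dn, pos = read_tlv(response, pos)
    _, diagnostic, _ = read_tlv(response, pos)
    return int.from_bytes(code, "big"), diagnostic.decode("utf-8", "replace")


def clear_text_bind_refused(host, dn, port=389, timeout=5.0):
    """True when the server answers a clear-text simple bind with confidentialityRequired.
    A deliberately wrong, throwaway password is sent: a correctly configured server must
    refuse before it checks the password, so no real credential crosses the wire in clear."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_simple_bind(1, dn, "throwaway-not-a-real-password"))
        code, _diag = parse_bind_response(sock.recv(4096))  # a BindResponse fits in one segment
    return code == CONFIDENTIALITY_REQUIRED


# Constructed BindResponse (messageID 1, resultCode 13, empty matchedDN, diagnostic text)
# used to exercise the parser offline; it is not captured traffic.
SAMPLE_REFUSAL = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x61, tlv(0x0A, b"\x0D") + tlv(0x04, b"")
                                                  + tlv(0x04, b"Confidentiality Required")))
```

Run clear_text_bind_refused("idm-vault.example.com", "cn=admin,o=system") (assumed host and DN) against the configured server; a False result means the clear text port still accepts simple binds with a password.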

Metadirectory Server

Driver set name: Specify the name for the new driver set that is created during the configuration of the Metadirectory server. Ensure that you do not use an existing driver set.

Driver set context DN: Specify the context where the new driver set is created in your tree.

Roles Based Provisioning Module (RBPM)

Fill in the following fields to configure the RBPM and your Event Auditing Service (EAS), which is part of the Identity Reporting Module:

EAS server address: Specify the DNS name or IP address of the server that hosts the EAS. You can either use this server or add another server. The Identity Reporting Module can be configured on only one EAS server.

idmadmin DB user password: Specify the password for the database user. This database stores information for reports.

Userapp admin dn: Specify the DN for the User Application administrator in LDAP format. The User Application administrator is authorized to perform all management functions for the Identity Manager User Application, including accessing the Administration tab of the Identity Manager user interface to perform any administration actions that it supports.

IMPORTANT: Ensure that you specify different DNs for the User App admin DN, Security admin DN, and Report Admin DN fields. If these DNs are already present on the primary server, the User Application configuration fails.

Userapplication password: Specify the password for the User Application.

User Application driver container dn: Specify the root container DN for the User Application administrator in LDAP format.

(Conditional) Security admin dn: Specify the DN for the security administrator in LDAP format. This role gives members the full range of capabilities within the Security domain. The Security administrator can perform all possible actions for all objects within the Security domain.

This field is required only for the Identity Manager Standard Edition.

(Conditional) Security admin password: Specify the password for the security administrator.

This field is required only for the Identity Manager Standard Edition.

(Conditional) Reporting admin dn: Specify the DN for the Reporting administrator in LDAP format. This user has the full range of capabilities within the Reporting domain. The Reporting administrator can perform all actions for all objects within the Reporting domain.

This field is required only for the Identity Manager Standard Edition.

(Conditional) Reporting admin password: Specify the password for the reporting administrator.

This field is required only for the Identity Manager Standard Edition.

Roles Based Provisioning Module (RBPM) > Advanced

The RBPM Advanced configuration options are the same for new tree and existing tree configurations. Refer to Roles Based Provisioning Module (RBPM) > Advanced.

After the RBPM configuration on a secondary server installation, you must change the Authentication ID of the User Application driver:

  1. Log in to the existing tree through iManager.

  2. Go to Identity Manager Administration > Identity Manager Overview and select the driver set.

  3. Click the Edit Properties option of the User Application driver, then change the value of the Authentication ID option to that of the User Application admin in LDAP format.

Identity Reporting Module

The Identity Reporting Module configuration options are the same for new tree and existing tree configurations. Refer to Identity Reporting Module and Identity Reporting Module > Advanced.

Event Auditing Service

The Event Auditing Service configuration options are the same for new tree and existing tree configurations. Refer to Event Auditing Service and Event Auditing Service > Advanced.

iManager > Advanced

The iManager configuration options are the same for new tree and existing tree configurations. Refer to iManager > Advanced.