4.2 New Installation by Using Physical Media or an ISO

The integrated installer helps you to install the binary files for the Identity Manager components and to configure the components.

If you are installing Identity Manager through integrated installer on 64-bit SLES 11 platform, make sure that libgthread-2_0-0-32bit-2.17.2+2.17.3+20080708+r7171-3.1.x86_64.rpm compat library is installed before starting the installation.

By default, libstdc++33-32bit is not installed on SLES 11SP1 (64-bit). When this library is not present, the integrated installer succeeds with no errors, but logging into iManager fails with a client error. If you run the iManager installer separately, the iManager installer identified that this library is not present and prompts you to install it.

Ensure that you install the following libraries before installing Identity Manager on RHEL 6.x:

NOTE:Ensure that the unzip rpm is installed before installing Identity Manager. This is applicable for all Linux platforms.

4.2.1 Installation

  1. Access the Identity Manager 4.0.2 installation files either by mounting the .iso file or accessing the DVD you created from the .iso file.

    For more information, see Section 4.1, Downloading the ISO File.

  2. Go to the mount directory and start the installation by using the correct program for your platform.

    Linux/Solaris: ./install.bin

    To execute the binary file, enter ./install.bin.

    Windows: install.exe

  3. Use the following information to complete the installation:

    Introduction: Select the language for your installation, then review the components you can install.

    License Agreement: Read and accept the license agreement.

    Select Components: Select the desired components to install. The options are:

    • Metadirectory Server

    • Roles Based Provisioning Module

    • Event Auditing Service

    • Identity Reporting Module

    • Role Mapping Administrator

    • iManager

    • Designer

    • Analyzer

    NOTE:You can install Roles Based Provisioning Module and Identity Reporting Module on a system that doesn’t have the Identity Vault. But you must always install the Roles Based Provisioning Module and the Identity Reporting Module on the same system.

    Choose Installation Folder: Specify the base folder where Identity Manager and all of the components are to be installed. This option is only applicable for Windows.

    UNIX installations have a predefined installation path. The integrated installer installs components in the following predefined installation paths:

    • eDirectory and Identity Manager: /opt/novell/eDirectory

    • Roles Based Provisioning Module, Reporting Module, Role Mapping Administrator, Designer, and Analyzer: /opt/novell/idm

    • Event Auditing Service: /opt/novell/sentinel_eas

    Pre-Installation Summary: Review the Pre-Installation summary page, which contains information about the selected components, then proceed with the installation. To change any of these settings, click Previous.

    Installation Complete Summary: Review the post-installation summary to verify the installation status of the selected components and the location of the log file for each component. See Table 4-2 for information about the location of the log files.

    Continue for Configuration: (Conditional) This check box is enabled only when the selected components are configurable. If you want to continue with configuration, continue with Section 4.2.2, Configuration. If you don’t want to continue with the configuration, deselect this check box.

4.2.2 Configuration

You can configure the Identity Manager components that you have already installed by using the integrated installer. Verify you have completed Section 4.2.1, Installation before preceding with the configuration.

IMPORTANT:When you are create a new tree or add to an existing tree, if the /etc/hosts file contains 127.0.0.2 entry, the configuration fails because default IP certificate is created for the 127.0.0.2 loopback address. For a successful configuration, comment the 127.0.0.2 loopback address and make sure that 127.0.0.1 loopback address and the real IP address is in the file.

To configure the Identity Manager components:

  1. If you are continuing from Step 3 in the installation procedure, skip to Step 2. Otherwise, start the configuration with the correct program for your platform:

    Linux: ./configure.bin

    Solaris: ./configure.bin

    To execute the binary file, enter ./configure.bin.

    Windows: configure.exe

  2. Select the components you want to configure, click Next.

  3. Select one of the following options to complete the configuration of the Identity Manager components:

    You must take a note of the following information before proceeding with the configuration of Identity Manager components:

    • If you are adding to an existing tree, run the NrfCaseUpdate utility on the primary server to support mixed-case searching on roles and resources if the primary server has Identity Manager 3.6 or above.

      If you don’t run the NrfCaseUpdate utility, Metadirectory server configuration fails. For more information on running the NrfCaseUpdate utility, see “Running the NrfCaseUpdate Utility” in the Identity Manager Roles Based Provisioning Module 4.0.2 User Application: Installation Guide.

    • The integrated installer does not perform a health check before the secondary server addition. You must run ndscheck before adding secondary server through integrated installer. On Windows, run the ndscheck from the <install location>\NDS location. On Linux/Solaris, run it from the /opt/novell/eDirectory/bin/ndscheck directory. Specify the mandatory parameters and run the command as follows:

      ndscheck [-h <hostname port]>] [-a <admin FDN>] [[-w <password>]

    • The logevent.cfg file is modified with the logging server details on both Windows and Linux platforms when either the Roles Based Provisioning Module or the Identity Reporting Module is configured through integrated installer. If you are configuring only Metadirectory server, manually add the logging server details to the logevent.cfg file.

Creating a New Tree

The fields that appear depend on the components you selected to configure in the previous page.

  1. Use the following information to configure your Identity Manager components if you selected to create a new tree.

  2. Review the preconfiguration summary, then click Configure.

  3. Review the configuration summary page, then click Done.

    If there were problems during the configuration, review the configuration logs. For more information, see Locating Log Files and Properties Files.

Identity Vault

Fill in the following fields to create a new tree:

New tree name: Specify a name for the new tree.

Admin password: Specify a password for the Identity Vault administrator.

Confirm admin password: Specify the password for the Identity Vault administrator again.

Identity Vault > Advanced

Select Advanced if you want to customize the tree that is created. Fill in the following fields to customize the tree:

Admin name: Specify the name of the Identity Vault administrator user.

NCP port: Either leave the default value of 524 for the NCP port or change the value of the port. NCP is the core eDirectory communications protocol.

LDAP port: Either leave the default value of 389 for the LDAP port or change the value of the port.

LDAP secure port: Either leave the default value of 636 for the LDAP secure port or change the value of the port.

HTTP port: Either leave the default value of 8028 for the HTTP port or change the value of the port.

HTTP secure port: Either leave the default value of 8030 for the HTTP secure port or change the value of the port.

Instance path: If your server is Linux/UNIX, you can run multiple instances of eDirectory on one server. Specify the path of this eDirectory instance on this server. The default path is /var/opt/novell/eDirectory.

DIB path: Specify the path for your eDirectory database (DIB). The default location of the DIB is:

  • Linux/UNIX: /var/opt/novell/eDirectory/data/dib

  • Windows: c:\Novell\IdentityManager\NDS\DIBFiles\

NOTE:DIB files must always reside inside the \NDS folder. If you change the default location of the DIB on Windows, for example \NDS\DIBFiles\, the configuration of the Metadirectory server fails.

Require TLS for simple binds with password: Select this option to require all LDAP connections to be on the secure port (default 636). If you deselect this option, users authenticating to LDAP server on the clear text port (default 389) pass their passwords in clear text. For more information, see Communicating with eDirectory through LDAP in the Novell eDirectory 8.8 Installation Guide.

Roles Based Provisioning Module (RBPM)

Fill in the following fields to configure the RBPM and your Event Auditing Service (EAS), which is part of the Identity Reporting Module:

EAS server address: Specify the DNS name or IP address of the server that hosts the EAS. You can either use this server or add another server. The Identity Reporting Module can be configured on only one EAS server.

idmadmin DB user password: Specify the password for the database user. This database stores information for reports.

User Application admin password: Specify the password for the User Application administrator.

(Conditional) Security Admin password: Specify the password for the security administrator.

This field is required only for the Identity Manager Standard Edition.

(Conditional) Confirm Security Admin password: Specify the password for the security administrator again.

This field is required only for the Identity Manager Standard Edition.

(Conditional) Reporting Admin password: Specify the password for the Identity Reporting administrator.

This field is required only for the Identity Manager Standard Edition.

(Conditional) Confirm Reporting Admin password: Specify the password for the Identity Reporting administrator again.

This field is required only for the Identity Manager Standard Edition.

Roles Based Provisioning Module (RBPM) > Advanced

Select Advanced if you want to customize the configuration of the RBPM.

User Application address: Specify the DNS name or IP address of the server that hosts the User Application.

User Application user: Specify name for the administrative user for the User Application.

(Conditional) Security Admin name: Specify the name for the security administrator for the User Application. This role gives members the full range of capabilities within the Security domain. The Security administrator can perform all possible actions for all objects within the Security domain.

This field is required only for the Identity Manager Standard Edition.

(Conditional) Reporting Admin name: Specify the name for the Reporting administrator. This user has full range of capabilities within the Reporting domain. The Reporting administrator can perform all actions for all objects within the Reporting domain.

This field is required only for the Identity Manager Standard Edition.

Identity Reporting Module

Fill in the following fields to configure the Identity Reporting Module:

EAS system password: Specify the password for the idmrptsrv user. The idmrptsrv user is the owner of the database schemas and objects for reporting.

idmrptsrv user password: Specify the password for the idmrptsrv user. The idmrptsrv user is the owner of the database schemas and objects for reporting.

idmrptuser password: Specify the password for the idmrptuser. This is a user with read-only access to the reporting data.

Database host address: Specify the DNS name or the IP address of the server that is running your database.

Database port: Specify the port of the server that is running your database. Either leave the default value of 15432 for the Database port or change the value of the port.

EAS dbauser password: Specify the password for the dbauser (database administrator).

(Conditional) Managed System Gateway port: Specify the port that the Managed System Gateway driver communicates on.

This field is required only for the Identity Manager Advanced Edition.

Data Collection Service address: Specify the IP address or the DNS name of the Data Collection Service server.

Identity Vault tree name: Specify the name of an Identity Vault that your server connects to. The server can connect to an existing tree or a remote Identity Vault.

Driver set name: Specify the name for the new driver set that is created during the configuration of the Identity Reporting Module.

Identity Reporting Module > Advanced

Select Advanced to customize the configuration of the Identity Reporting Module. Fill in the following fields to customize the Identity Reporting Module:

Enable subcontainer search: Select this option to enable the Identity Reporting Module to perform subcontainer searches to gather information for reports.

Secure LDAP: Select whether the server communicates over a secure LDAP connection.

LDAP port: If you have selected secure LDAP for communication, specify the LDAP secure port. Otherwise specify the clear text port.

Token expiration value (in minutes): Specify the number of minutes to retain the token for authentication.

Reporting unit: Select Day, Week, or Month.

Report retention value: Specify how long a report is retained. If the reporting unit is set to Day, and the report retention value is 1, the reports are maintained for 1 day before they are deleted.

Subcontainer login attribute: If you enable subcontainer searches, you need to provide the login attribute that is used for searching the subtree of the user container.

SMTP server address: Specify the DNS name or the IP address of the SMTP server to configure e-mails for the report notifications.

SMTP server port: Either leave 456 as the default port for the SMTP server port or change it.

SMTP user e-mail: Specify the e-mail address to use for authentication, when authentication is enabled.

SMTP user password: Specify the password for the SMTP user.

Default e-mail address: Specify a default e-mail address to use, if the person who runs the report does not have an e-mail address specified in the Identity Vault.

SMTP use SSL: Select this option if the SMTP server uses an SSL connection.

Server needs authentication: Select this option if authentication is required for the SMTP server.

Event Auditing Service

Filling the following fields to configure the Event Auditing Service:

Admin password: Specify the password for the administrative user.

Database admin password: Specify the password for the database admin.

Event Auditing Service > Advanced

Select Advanced to customize the configuration of the Event Auditing Service:

PostgreSQL port: Either leave the default value of 15432 for the PostgreSQL port or change it.

Enable port forwarding: Select this option to enable port forwarding or deselect it to disable port forwarding.

iManager > Advanced

There are only advanced configuration options for iManager. Select Advanced to display these options:

HTTP port: Either leave the default value of 8080 for the non-secure port or change it.

HTTP secure port: Either leave the default value of 8443 for the secure port or change it.

Adding to an Existing Tree

The fields that appear depend on the components you selected to configure in the previous page.

  1. Use the following information to configure the Identity Manager components if you selected to add this server to an existing tree.

  2. Review the configuration summary page, then click Done.

    If there were problems during the configuration, review the configuration logs. For more information, see Locating Log Files and Properties Files.

Identity Vault

Fill in the following fields to allow your server to join an existing Identity Vault:

Existing tree name: Specify the name for the existing tree.

Existing server address: Specify the IP address of a server in your existing tree.

Existing server port number: Specify the NCP port of the server specified above. The default port for NCP is 524.

Existing server admin name: Specify the name of the existing server admin.

In Windows, the existing server admin name is the existing tree administrator name.

Existing server admin context DN: Specify the DN of container where you want this server placed in your existing tree. For example, ou=server,o=system.

In Windows, the existing server admin context DN is the existing tree admin context LDAP DN.

Existing server admin password: Specify the password for the administrative user specified above.

Identity Vault > Advanced

Select Advanced if you want to customize this Identity Vault. Fill in the following fields to customize the Identity Vault:

NCP port: Either leave the default value of 524 for the NCP port or change the value of the port. NCP is the core eDirectory communications protocol.

LDAP port: Either leave the default value of 389 for the LDAP port or change the value of the port.

LDAP secure port: Either leave the default value of 636 for the LDAP secure port or change the value of the port.

HTTP port: Either leave the default value of 8028 for the HTTP port or change the value of the port.

HTTP secure port: Either leave the default value of 8030 for the HTTP secure port or change the value of the port.

Instance path: If your server is Linux/UNIX, you can run multiple instances of eDirectory on one server. Specify the path of this eDirectory instance on this server. The default path is /var/opt/novell/eDirectory/data.

DIB path: Specify the path for your eDirectory database (DIB). The default location of the DIB is:

  • Linux/UNIX: /var/opt/novell/eDirectory/data/DIB

  • Windows: c:\Novell\Identity Manager\NDS\DIBfiles\

NOTE:DIB files must always reside inside the \NDS folder. If you change the default location of the DIB on Windows, for example \NDS\DIBFiles\, the configuration of the Metadirectory server fails.

Require TLS for simple binds with password: Select this option to require all LDAP connections to be on the secure port (default 636). If you deselect this option, users authenticating to LDAP server on the clear text port (default 389) pass their passwords in clear text. For more information, see Communicating with eDirectory through LDAP in the Novell eDirectory 8.8 Installation Guide.

Enable encrypted replication: Select this option if you want the replication of your tree encrypted. For more information, see Encrypted Replication in the Novell eDirectory 8.8 Administration Guide.

Metadirectory Server

Driver set name: Specify the name for the new driver set that is created during the configuration of the Metadirectory server. Ensure that you do not use an existing driver set.

Driver set context DN: Specify the context where the new driver set is created in your tree.

Roles Based Provisioning Module (RBPM)

Fill in the following fields to configure the RBPM and your Event Auditing Service (EAS), which is part of the Identity Reporting Module:

EAS server address: Specify the DNS name or IP address of the server that hosts the EAS. You can either use this server or add another server. The Identity Reporting Module can be configured on only one EAS server.

idmadmin DB user password: Specify the password for the database user. This database stores information for reports.

User Application admin DN: Specify the DN for the User Application administrator in LDAP format. The User Application administrator is authorized to perform all management functions for the Identity Manager User Application, including accessing the Administration tab of the Identity Manager user interface to perform any administration actions that it supports.

IMPORTANT:Ensure that you specify different DNs for User App admin DN, Security admin DN, and Report Admin DN fields. If these DNs are already present on the primary server, the User Application configuration fails.

User Application admin password: Specify the password for the User Application administrator.

Confirm User Application admin password: Specify the password for the User Application administrator again.

User Application driver container DN: Specify the root container DN for the User Application administrator in LDAP format. For example, o=data.

(Conditional) Security admin DN: Specify the DN for the security administrator in LDAP format. This role gives members the full range of capabilities within the Security domain. The Security administrator can perform all possible actions for all objects within the Security domain.

This field is required only for the Identity Manager Standard Edition.

(Conditional) Security admin password: Specify the password for the security administrator.

This field is required only for the Identity Manager Standard Edition.

(Conditional) Reporting admin DN: Specify the DN for the Reporting administrator in LDAP format.This user has full range of capabilities within the Reporting domain. The Reporting administrator can perform all actions for all objects within the Reporting domain.

This field is required only for the Identity Manager Standard Edition.

(Conditional) Reporting admin password: Specify the password for the reporting administrator.

This field is required only for the Identity Manager Standard Edition.

Roles Based Provisioning Module (RBPM) > Advanced

The RBPM Advanced configuration options are the same for new tree and existing tree configurations. Refer to Roles Based Provisioning Module (RBPM) > Advanced.

With the secondary server installation after the RBPM configuration, you must change the Authentication ID of the User Application driver:

  1. Log in to the existing tree through iManager.

  2. Go to the Identity Manager Administration > Identity Manager Overview and select the driver set.

  3. Click the Edit Properties option of the User Application driver, change the value of the Authentication ID option to that of the User Application admin in LDAP format.

Identity Reporting Module

The Identity Reporting Module configuration options are the same for new tree and existing tree configurations. Refer to Identity Reporting Module and Identity Reporting Module > Advanced.

Event Auditing Service

The Event Auditing Service configuration options are the same for new tree and existing tree configurations. Refer to Event Auditing Service and Event Auditing Service > Advanced.

iManager > Advanced

The iManager configuration options are same for new tree and existing tree configurations. Refer to iManager > Advanced.