The installation wizard for the User Application gives you the option to modify the settings for RBPM during the installation process or wait until after the installation finishes. If you choose to modify the settings during installation, the wizard displays the Roles Based Provisioniong Module Configuration window.
To configure the settings for installation... |
See ... |
---|---|
On a JBoss application server |
|
On a WebLogic application server |
|
On a WebSphere application server |
|
From a console (command line) |
|
As a single command (silent installation) |
Otherwise, you can edit most of the settings by running the configupdate.sh script or the Windows configupdate.bat file located by default in the installation subdirectory. In a cluster, the configuration settings in the configuration update file must be identical for all members of the cluster.
This section provides information for specifying each configuration setting. It also indicates whether or when you can modify the values in the configupdate.sh script and configupdate.bat file.
This section defines the values that the User Application users when communicating with the Identity Vault. Some settings are required for completing the installation process.
By default, the window displays the basic options. To see all settings, you must click Show Advanced Options.
Required
Specifies the hostname or IP address for your LDAP server. For example: myLDAPhost.
Specifies the non-secure port for your LDAP server. For example: 389.
Specifies the secure port for your LDAP server. For example: 636.
Required
Specifies the credentials for the LDAP Administrator. For example, cn=admin. This user must already exist in the Identity Vault.
The User Application uses this account to make an administrative connection to the Identity Vault. This value is encrypted, based on the master key.
Required
Specifies the password associated the LDAP Administrator. This password is encrypted, based on the master key.
Specifies whether users who are not logged in can access the LDAP Public Anonymous Account.
If you select this setting, you cannot enable LDAP guest access.
Specifies the guest account for users who are not logged in to access permitted portlets. This user account must already exist in the Identity Vault.
To use this setting, you cannot select Use Public Anonymous Account.
Specifies the password for the LDAP Guest account.
Specifies whether RBPM uses SSL protocol for all communication related to the admin account. This setting allows other operations that do not require SSL to operate without SSL.
NOTE:This option might have adverse performance implications.
Specifies whether RPBM uses SSL protocol for all communication related to the logged-in user's account. This setting allows other operations that do not require SSL to operate without SSL.
NOTE:This option might have adverse performance implications.
This section defines the distinguished names for containers and user accounts that enable communication between the User Application and other Identity Manager components. Some settings are required for completing the installation process.
By default, the window displays the basic options. To see all settings, you must click Show Advanced Options.
Required
Specifies the LDAP distinguished name of the root container. This is used as the default entity definition search root when no search root is specified in the directory abstraction layer. For example, o=mycompany.
Required
Specifies the distinguished name of the User Application driver.
For example, if your driver is UserApplicationDriver and your driver set is called myDriverSet, and the driver set is in a context of o=myCompany, specify cn=UserApplicationDriver,cn=myDriverSet,o=myCompany.
Required
Specifies an existing user account in the Identity Vault that has the rights to perform administrative tasks for the specified user container for User Application. The following considerations apply to this setting:
If you have started the application server hosting the User Application, you cannot change this setting with the configupdate.sh or configupdate.bat files.
To change this assignment after you deploy the User Application, you must use the Administration > Security pages in the User Application.
This user account has the right to use the Administration tab of the User Application to administer the portal.
If the User Application Administrator participates in workflow administration tasks exposed in iManager, Designer for Identity Manager, or the User Application (Requests & Approvals tab), you must grant this administrator appropriate trustee rights to object instances contained in the User Application driver. For more information, see the User Application Administration Guide for details.
Specifies an existing user account in the Identity Vault that will manage Provisioning Workflow functions available throughout the User Application.
To change this assignment after you deploy the User Application, you must use the Administration > Administrator Assignments page in the User Application.
Specifies an existing account in the Identity Vault that performs a system role to allow members to perform all functions on the Compliance tab. The following considerations apply to this setting:
To change this assignment after you deploy the User Application, use the Administration > Administrator Assignments page in the User Application.
During a configupdate, changes to this value take effect only if you do not have a valid Compliance Administrator assigned. If a valid Compliance Administrator exists, then your changes are not saved.
Specifies the role that allows members to create, remove, or modify all roles, and grant or revoke any role assignment to any user, group, or container. It also allows its role members to run any report for any user. The following considerations apply to this setting:
By default, the User Application Admin is assigned this role.
To change this assignment after you deploy the User Application, use the Administration > Administrator Assignments page in the User Application.
During a configupdate, changes to this value take effect only if you do not have a valid Roles Administrator assigned. If a valid Roles Administrator exists, then your changes are not saved.
Specifies the role that gives members the full range of capabilities within the Security domain. The following considerations apply to this setting:
The Security Administrator can perform all possible actions for all objects within the Security domain. The Security domain allows the Security Administrator to configure access permissions for all objects in all domains within RBPM. The Security Administrator can configure teams, and also assign domain administrators, delegated administrators, and other Security Administrators.
To change this assignment after you deploy the User Application, use the Administration > Administrator Assignments page in the User Application.
Specifies the role that gives members the full range of capabilities within the Resource domain. The following considerations apply to this setting:
The Resources Administrator can perform all possible actions for all objects within the Resource domain.
To change this assignment after you deploy the User Application, use the Administration > Administrator Assignments page in the User Application.
Specifies the role that gives members the full range of capabilities within the Configuration domain. The following considerations apply to this setting:
The RBPM Configuration Administrator can perform all possible actions on all objects within the Configuration domain. The RBPM Configuration Administrator controls access to navigation items within RBPM. In addition, the RBPM Configuration Administrator configures the delegation and proxy service, the provisioning user interface, and the workflow engine.
To change this assignment after you deploy the User Application, use the Administration > Administrator Assignments page in the User Application.
Specifies the Reporting Administrator. By default, the installation program lists this value as the same user as the other security fields.
Specifies whether you want to reset security.
Specifies the URL for the user interface of the Identity Reporting Module.
This section defines the values that enable the User Application to communicate with a user container in the Identity Vault. Some settings are required for completing the installation process.
The installation program does not display these settings by default. You must click Show Advanced Options.
Required
Specifies the LDAP distinguished name (DN) or fully qualified LDAP name of the user container. The following considerations apply to this setting:
Users in this container (and below) are allowed to log on to the User Application.
If you have started the application server hosting the User Application, you cannot change this setting with the configupdate.sh or configupdate.bat files.
This container must include the User Application Administrator that you specified as you set up the User Application driver. Otherwise, the specified account cannot execute workflows.
Specifies the depth of scope that Identity Vault users can search the container.
Specifies the object class of the LDAP user. Usually the class is inetOrgPerson.
Specifies the LDAP attribute that represents the user’s login name. For example, cn.
Specifies the LDAP attribute used as the identifier when looking up users or groups. This is not the same as the login attribute, which is used only during login. For example, cn.
(Optional) Specifies the LDAP attribute that represents the user’s group membership. Do not use spaces when specifying the name.
This section defines the values that enable the User Application to communicate with a group container in the Identity Vault. Some settings are required for completing the installation process.
The installation program does not display these settings by default. You must click Show Advanced Options.
Required
Specifies the LDAP distinguished name (DN) or fully qualified LDAP name of the group container. The following considerations apply to this setting:
Entity definitions within the directory abstraction layer use this DN.
If you have started the application server hosting the User Application, you cannot change this setting with the configupdate.sh or configupdate.bat files.
Specifies the depth of scope that Identity Vault users can search for the group container.
Specifies the object class of the LDAP group. Usually the class is groupofNames.
(Optional) Specifies the user’s group membership. Do not use spaces in this name.
Specifies whether you want to use dynamic groups.
Specifies the object class of the LDAP dynamic group. Usually the class is dynamicGroup.
This section defines the path and password for the JRE keystore. Some settings are required for completing the installation process.
The installation program does not display these settings by default. You must click Show Advanced Options.
Required
Specifies the full path to your keystore (cacerts) file of the JRE that the application server uses to run. You can manually enter the path or browse to the cacerts file. The following considerations apply to this setting:
In environments, you must specify the installation directory of RBPM. The default value is set to the correct location.
The User Application installation program modifies the keystore file. On Linux, the user must have permission to write to this file.
Required
Specifies the password for the keystore file. The default is changeit.
Specifies the password for the keystore file to verify that you entered the correct value.
This section defines the values that enable email notifications. The installation program does not display these settings by default. You must click Show Advanced Options.
Specifies the name or IP address of the application server that hosts the User Application. For example, myapplication serverServer.
This value replaces the $HOST$ token in e-mail templates. The installation program uses this information to create a URL to provisioning request tasks and approval notifications.
Specifies the port number of the application server that hosts the User Application.
This values replaces the $PORT$ token in e-mail templates that are used in provisioning request tasks and approval notifications.
Specifies the secure port number of the application server that hosts the User Application.
This value replaces the $SECURE_PORT$ token in e-mail templates used in provisioning request tasks and approval notifications.
Specifies a non-secure protocol included in the URL when sending user email. For example, HTTP.
This value replaces the $PROTOCOL$ token in e-mail templates used in provisioning request tasks and approval notifications.
Specifies the secure protocol included in the URL when sending user email. For example, HTTPS.
This value replaces the $SECURE_PROTOCOL$ token in e-mail templates used in provisioning request tasks and approval notifications.
Specifies the email account that the User Application uses to send email notifications.
Specifies the IP address or DNS name of the SMTP email host that the User Application users for provisioning emails.
Specifies the path to the image that you want to include in email notifications. For example, http://localhost:8080/IDMProv/images.
This section defines the values for the trusted keystore for the User Application. The installation program does not display these settings by default. You must click Show Advanced Options.
Specifies the path to the Trusted Key Store that contains all trusted signers’ certificates. If this path is empty, the User Application gets the path from System property javax.net.ssl.trustStore. If the System property cannot provide the path, the installation program defaults to jre/lib/security/cacerts.
Specifies the password for the Trusted Key Store. If you leave this field is empty, the User Application gets the password from System property javax.net.ssl.trustStorePassword. If the System property cannot provide the path, the installation program defaults to changeit.
This password is encrypted, based on the master key.
Specifies the password for the Trusted Key Store to verify that you entered the correct value
Specifies whether the trusted store path uses JKS for digital signing.
Specifies whether the trusted store path uses PKCS12 for digital signing.
This section configures your JBoss environment to take advantage of the digital signature support provided with the User Application. The User Application does not support digital signatures in WebLogic or WebSphere environments. For more information about digital signatures, see “Digital Signature Configuration” in the User Application Administration Guide.
NOTE:You must use Novell Identity Audit to preserve documents that you digitally sign. Digital signature documents are not stored with workflow data in the User Application database, but are stored in the logging database. You must also enable logging to preserve these documents.
The installation program does not display these settings by default. You must click Show Advanced Options.
Specifies the digital signature certificate for the audit service.
Specifies the private key of the digital signature. This key is encrypted, based on the master key.
This section defines the values that allow you to access the User Application with Novell Access Manager or iChain. The installation program does not display these settings by default. You must click Show Advanced Options.
Specifies whether the User Application supports simultaneous log out of the User Application and either Novell Access Manager or iChain. The User Application checks for a Novell Access Manager or iChain cookie on logout. When the cookie is present, the User Application reroutes the user to the ICS logout page.
Specifies the URL to the Novell Access Manager or iChain logout page, where the URL is a hostname that Novell Access Manager or iChain expects. If ICS logging is enabled and a user logs out of the User Application, the user is rerouted to this page.
This feature enables you to specify a self-service Web page where users who have forgotten their password can remedy their problem. The URL to the forgotten password page resides in an external Forgot Password WAR. The WAR uses the URL to call back the User Application through a Web service. For more information about configuring the User Application for managing password self-service and user authentication features, see “Password Management Configuration” in the User Application Administration Guide.
The installation program does not display these settings by default. You must click Show Advanced Options.
Specifies whether you want to use a self-service Web page where users who have forgotten their password can remedy their problem. The following considerations apply to this setting:
If you do not select Use External Password WAR, Identity Manager uses the default internal Password Management functionality, ./jsps/pwdmgt/ForgotPassword.jsp (without the http(s) protocol at the beginning). This redirects the user to the Forgot Password functionality built into the User Application, rather than to an external WAR.
If you select this setting,, you must also specify values for Forgot Password Link, Forgot Password Return Link, and Forgot Password Web Service URL.
Specifies the URL that points to a ForgotPassword.jsp file in an external or internal password management WAR. For example, http://pwdmgthost:posrt/pwdmgtwar/jsps/pwdmgt/ForgotPassword.jsp.
Specifies the URL that the user can click after performing a forgotten password operation.
Specifies the URL that the External Forgot Password WAR uses to call back to the User Application to perform core forgot password functionalities. Use the following syntax:
https://idmhost:sslport/idm/ pwdmgt/service
The installation program does not display these settings by default. You must click Show Advanced Options.
Specifies the time, in minutes, allowed before the User Application times out a user session. The default value is 20.
Specifies the Uniform Resource Identifier (URI) to use when the client installation uses the On-Line Certificate Status Protocol (OCSP). For example, http://host:port/ocspLocal.
The OCSP URI updates the status of trusted certificates online.
Specifies the fully qualified name of the authorization configuration file.
Specifies whether you want the installation program to create indexes on the manager, ismanager, and srvprvUUID attributes. The following considerations apply to this setting:
Without indexes on these attributes, User Application users can experience impeded performance of the User Application, particularly in a cluster environment.
You can create these indexes manually by using iManager after you install the User Application. For more information, see Section 30.3.1, Creating Indexes in eDirectory.
For best performance, you should create the index during instalaltion. The indexes must be in Online mode before you make the User Application available to users.
Specifies whether to removes indexes on the manager, ismanager, and srvprvUUID attributes.
Specifies the eDirectory server where you want the indexes to be created or removed. To configure indexes on multiple eDirectory servers, you must run the configupdate utility multiple times. You can specify only one server at a time.
Specifies whether you want to reset RBPM security when the installation process completes. You must also redeploy the User Application.
Specifies the URL of the Identity Manager Reporting Module. For example, http://hostname:port/IDMRPT.
Specifies the value that you want to use in the layout pattern for the CONSOLE and FILE appenders in the idmuserapp_logging.xml file. The default value is RBPM.
This section helps you to define the values for container objects or create new container objects. The installation program does not display these settings by default. You must click Show Advanced Options.
Specifies the Container Object Types that you want to use.
Specifies the container: locality, country, organizationalUnit, organization, or domain.
You can also define your own containers in iManager and add them under Add a new Container Object.
Specifies the name of the Attribute Type associated with the specified Container Object Type.
Specifies the LDAP name of an object class from the Identity Vault that can serve as a new container.
Specifies the name of the Attribute Type associated with the new Container Object Type.