6.7 Prerequisites and Requirements for Installing the User Application and Roles Based Provisioning Module

NetIQ recommends that you review the prerequisites and computer requirements for both the User Application and RBPM before you begin the installation process. For more information about configuring the User Application environment, see the User Application Administration Guide.

6.7.1 Considerations for Installing the User Application and Roles Based Provisioning Module

Before installing the User Application and RBPM, review the following considerations:

  • During the installation process, the installation program writes log files to the installation directory. These files contain information about your configuration. After you configure your User Application and RBPM environment, you should consider deleting these log files or storing them in a secure location. During the installation process, you might choose to write the database schema to a file. Since this file contains descriptive information about your database, you should move the file to a secure location after the installation process is complete.

  • Before installing the User Application and RBPM, you must install the Identity Manager engine. The installation process requires the location of the computer running the Identity Manager engine. For more information about the Identity Manager engine, see Section 6.4, Prerequisites and Requirements for Installing the Identity Manager Engine.

  • Before installing the User Application and RBPM, you must install Identity Manager Designer. The drivers for RBPM derive from a set of packages in Designer. For more information about installing Designer, see Section 7.0, Installing Designer. For more information about the drivers, see Section 25.0, Creating the Drivers for the Roles Based Provisioning Module.

  • You must execute the RBPM installation program from the same computer where you installed the Identity Manager engine.

  • (Conditional) If you installed the Identity Vault in a non-default location, you must manually extend the eDirectory schema before installing RBPM. The Identity Vault must be running on the default LDAP ports 389 and 636.

    For more information about manually extending the schema, see Section 24.2, Extending the eDirectory Schema Using the Wizard and Section 24.3, Extending the Schema Manually without Using the Wizard. For more information about installing Identity Vault, see Section 10.0, Installing the Identity Vault on a Linux Server.

  • You must configure the Identity Vault to use NMAS Login as the process for a user’s first login to ensure that Identity Manager enforces Universal Password functionality.

    • Linux: Add the following commands to the end of the /opt/novell/eDirectory/sbin/pre_ndsd_start script:

      NDSD_TRY_NMASLOGIN_FIRST=true
      export NDSD_TRY_NMASLOGIN_FIRST
      
    • Windows: Add NDSD_TRY_NMASLOGIN_FIRST with the string value true to the HKLM\SYSTEM\CurrentControlSet\Control\SessionManager\Environment registry key.

  • Before you make the User Application available to users, the indexes for the Identity Vault must be in Online mode. For more information about configuring an index during installation, see Section 30.2.11, Miscellaneous.

  • You must create the User Application driver before creating the Role and Resource driver. The Role and Resource driver references the role vault container (RoleConfig.AppConfig) in the User Application driver.

  • You cannot use the Role and Resource Service Driver with the Remote Loader because the driver uses jClient.

  • You must install an application server on the local computer before installing the User Application. For more information, see Section 6.7.3, Understanding the Application Server Requirements.

  • The installation process places the program files in the C:\Novell\IDM or /opt/novell/idm directory by default. If you plan to install the User Application in a non-default location, the new directory must meet the following requirements before you begin the installation process:

    • The directory exists and is writable.

    • For Linux environments, the directory is writable by non-root users.

  • Although NetIQ recommends that you use dedicated computers for the application server, you should install the User Application on the same server where you plan to install the Identity Reporting Module.

  • You must install a database on the local computer or a connected server before installing the User Application. For more information, see Section 6.7.4, Understanding the User Application Database.

  • Each User Application instance can service only one user container. For example, you can add users to, search, and query only the container associated with the instance. Also, a user container association with an application is meant to be permanent.

  • (Conditional) If you plan to use external password management, your environment must meet the following requirements:

    • Enable Secure Sockets Layer (SSL) protocol for the JBoss servers on which you deploy the User Application and the IDMPwdMgt.war file.

    • Ensure that the SSL port is open on your firewall.

    For more information about the IDMPwdMgt.war file, see Section 30.5, Configuring External Forgot Password Management.

6.7.2 Understanding the Installation Files for the Roles Based Provisioning Module

The installation files for the User Application and RBPM are located in the products/RBPM directory of the installation package.

IDMProv.war: The Web Application Archive (WAR) file for RBPM. This file includes the User Application with Identity Self-Service and RBPM features.

IDMUserApp.jar: The User Application installation program.

silent.properties: Specifies the parameters required for a silent installation. These parameters correspond to the installation parameters that you set in the installation procedures.

JBossPostgreSQL.bin or JBossPostgreSQL.exe: A utility for installing the JBoss application server and PostgreSQL database. For more information about this utility, see Section 23.0, Installing the Community Edition of JBoss.

nmassaml.zip: Contains an eDirectory method to support SAML. Use this file if you are not using Access Manager. For more information, see Installing the SAML method in your eDirectory tree.

rbpm_driver_install.exe: The Windows installation program for the primary components of the RBPM (Role and Resource Service Driver, User Application Driver, and eDirectory schema).

rbpm_driver_install_linux.bin: The Linux installation program for the primary components of the RBPM (Role and Resource Service Driver, User Application Driver, and eDirectory schema).

The User Application installation program does the following:

  • Designates an existing version of an application server to use.

  • Designates an existing version of a database to use, for example, PostgreSQL, Oracle, DB2, Microsoft SQL Server, or MySQL. The database stores User Application data and configuration information.

  • Configures the JDK’s certificates file so that the User Application (running on the application server) can communicate securely with the Identity Vault and the User Application driver.

  • Configures and deploys the Java Web Application Archive (WAR) file for the User Application to the application server. On WebSphere and WebLogic, you must manually deploy the WAR.

  • Enables logging through Novell or OpenXDAS auditing clients if you choose to do so.

  • Enables you to import an existing master key to restore a specific RBPM installation and to support clusters.

6.7.3 Understanding the Application Server Requirements

The User Application requires that an application server be installed with the following considerations:

  • The application server must be running with Java Development Kit (JDK) or Java Runtime Environment (JRE). For more information about supported versions, see Section 6.7.6, System Requirements for Installing the User Application and Roles Based Provisioning Module.

    You must set the JAVA_HOME environment variable to point to the JDK that you plan to use with the User Application. To override JAVA_HOME, manually specify the path during the User Application installation.

  • (Conditional) When installing on a SUSE Linux Enterprise Server (SLES), do not use the IBM JDK that comes with SLES. This version is incompatible with some aspects of the User Application installation. Instead, download the Oracle JDK.

  • (Conditional) If you plan to install more than one application server with a deployment of the User Application, you must have a separate User Application driver for each deployment unless you install the User Applications on sister nodes of the same JBoss cluster. For more information, see Section 6.7.5, Prerequisites for Installing the User Application in a Cluster Environment. For more information about configuring a cluster environment, see Section 27.0, Preparing a Cluster Environment for Use with the User Application.

  • (Conditional) To preserve documents that you digitally sign, you must install the User Application on a JBoss application server and use Novell Identity Audit. Digital signature documents are not stored with workflow data in the User Application database, but are stored in the logging database. You must also enable logging to preserve these documents. For more information, see the “Setting Up Logging” section of the User Application Administration Guide.

  • (Conditional) In environments where you log a large amount of user data or your directory-server contains a large number of objects, you might want more than one application server with a deployment of the User Application. For more information about configuring the User Application for optimal performance, see the “Performance Tuning” section of the User Application Administration Guide.

  • (Conditional) If you use a JBoss application server, do not start the server until after you complete the installation process.

  • (Conditional) If you use a JBoss application server with external password management, you must do the following to enable the Secure Sockets Layer (SSL) protocol:

    • Enable SSL for the JBoss servers on which you deploy RBPM and the IDMPwdMgt.war file.

    • Ensure that the SSL port is open on your firewall.

    For more information about enabling SSL, see your JBoss documentation.

    For more information about the IDMPwdMgt.war file, see Section 30.5, Configuring External Forgot Password Management and the User Application Administration Guide.

6.7.4 Understanding the User Application Database

The database stores the User Application data and configuration information.

Before installing the database instance, review the following prerequisites:

  • To configure a database for use with the application server, you must create a JDBC driver. The User Application uses standard JDBC calls to access and update the database. The User Application uses a JDBC data source file bound to the JNDI tree to open a connection to the database.

  • You must have an existing data source file that points to the database. Depending on your installation environment, you might need to create or configure the file.

  • Ensure that you have the following information:

    • Host and port of the database server.

    • Name of the database to create. The default database for the User Application is idmuserappdb.

    • Database username and password. The database username must represent an Administrator account or must have enough permissions to create tables in the Database Server. The default administrator for the User Application is idmadmin.

      (Conditional) For a MySQL database, the database user account must have full access to (be the owner of) the database. The account must also have access to the tables in the database. The minimum set of privileges is CREATE, INDEX, INSERT, UPDATE, DELETE, and LOCK TABLES. The user account must also have select rights to the mysql.user table. To grant the proper rights, specify the following syntax:

      USE mysql;
      GRANT SELECT ON mysql.user TO username@host;
      
    • The driver .jar file provided by the database vendor for the database that you are using. NetIQ does not support driver JAR files provided by third-party vendors.

  • The database instance can be on the local computer or a connected server.

  • The database character set must use Unicode encoding. For example, UTF-8 uses Unicode encoding, but Latin1 does not. For more information about specifying the character set, see Section 26.2.2, Configuring the Character Set or Section 26.3, Configuring an Oracle Database.

  • You must use case-sensitive collation. If you use case-insensitive collation, you might encounter duplicate key errors during migration. If a duplicate key error occurs, check the collation and correct it, then re-install the User Application.

  • (Conditional) To use the same database instance both for auditing purposes and for the User Application, NetIQ recommends installing the database on a separate dedicated server from the server that hosts the application server running the User Application.

  • (Conditional) If you are migrating to a new version of the User Application, you must use the same User Application database that you used for the previous installation.

  • (Conditional) If you use a MySQL database, you must add the ansi entry to the configuration file, my.cnf on Linux or my.ini file on Windows. For more information, see Section 26.2.4, Configuring the ANSI Setting.

  • (Conditional) When you install the MySQL Database, the user account that you specify for the User Application must have full access to (be the owner of) the database. This account also needs access to the tables in the system. For more information, see Section 26.2.5, Configuring the Admin User Account.

  • (Conditional) To use SQL Server 2008, you must have version 3.0 of the Microsoft SQL Server 2008 JDBC Driver. The User Application has been tested specifically with version 3.0.119.0 of the Microsoft SQL Server 2008 JDBC Driver.

  • (Conditional) If you plan to use Microsoft SQL Server, NetIQ supports the JDBC driver and User Application only on the Red Hat Linux and Windows 2000 operating systems.

  • (Conditional) The installation package includes a utility for installing the Community Edition of the JBoss PostgreSQL database server. JBoss supports the Community Edition only in their User Forums. NetIQ recommends that you use this version only in your test environment. For production environments, use a full edition of the JBoss database server. For more information, see Section 23.0, Installing the Community Edition of JBoss.

  • Database clustering is a feature of each respective database server. NetIQ does not officially test with any clustered database configuration because clustering is independent of the product functionality. Therefore, we support clustered database servers with the following caveats:

    • Some features or aspects of your clustered database server might need to be disabled. For example, Transactional Replication must be disabled on certain tables due to constraint violations when trying to insert a duplicate key.

    • We do not provide assistance on the installation, configuration, or optimization of the clustered database server, including installation of our products into a clustered database server.

    • We exert our best effort to resolve any issues that might arise with the use of our products in a clustered database environment. Troubleshooting methods in a complex environment often require cooperative work to resolve issues. NetIQ provides expertise to analyze, plan, and troubleshoot the NetIQ products. The customer must provide expertise to analyze, plan and troubleshoot any third-party products. We ask customers to reproduce issues or analyze behavior of their components in a non-clustered environment to help isolate potential cluster setup issues from NetIQ product issues.
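As an added example that is not part of the NetIQ documentation, the following MySQL 5.1 statements provision a database that satisfies the requirements listed above for a MySQL installation: a Unicode character set with case-sensitive collation, the documented default names idmuserappdb and idmadmin, privileges scoped to that one database plus the SELECT on mysql.user called for above, and verification queries for the ANSI setting and (for clusters, see Section 6.7.5) max_connections. The host appserver.example.com and the password are placeholders.

```sql
-- Added example, not from the NetIQ documentation. Assumes MySQL 5.1 and the
-- documented default names; the host and the password are placeholders.

-- 1. Unicode character set with a case-sensitive collation. utf8_bin is a
--    binary (case-sensitive) collation; a *_ci collation or Latin1 would
--    violate the character set and collation requirements above.
CREATE DATABASE idmuserappdb
  CHARACTER SET utf8
  COLLATE utf8_bin;

-- 2. A dedicated account for the User Application. Binding it to the
--    application server's host rather than '%' means the credential is only
--    usable from that host.
CREATE USER 'idmadmin'@'appserver.example.com' IDENTIFIED BY 'CHANGE_ME_PLACEHOLDER';

-- 3. Full access to the application database only. The documented requirement
--    is ownership of this database; the listed minimum privileges (CREATE,
--    INDEX, INSERT, UPDATE, DELETE, LOCK TABLES) are all covered by this grant.
--    Scoping to idmuserappdb.* instead of *.* keeps the account out of every
--    other schema on the server.
GRANT ALL PRIVILEGES ON idmuserappdb.* TO 'idmadmin'@'appserver.example.com';

-- 4. The one privilege outside the application database that the
--    documentation requires: read access to the mysql.user table.
GRANT SELECT ON mysql.user TO 'idmadmin'@'appserver.example.com';
FLUSH PRIVILEGES;

-- 5. Verification before running the User Application installer.
--    Expect USAGE ON *.* (no real global privileges) plus the two grants above.
SHOW GRANTS FOR 'idmadmin'@'appserver.example.com';

-- Expect utf8 and utf8_bin.
SELECT default_character_set_name, default_collation_name
  FROM information_schema.schemata
 WHERE schema_name = 'idmuserappdb';

-- The "ansi" entry in my.cnf or my.ini (Section 26.2.4) shows up here as a
-- sql_mode value that contains ANSI. If it is absent, the server was not
-- started with that setting.
SHOW VARIABLES LIKE 'sql_mode';

-- In a cluster (Section 6.7.5), raise max_connections in my.cnf above the
-- default of 100 if this query still returns 100.
SHOW VARIABLES LIKE 'max_connections';
```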

6.7.5 Prerequisites for Installing the User Application in a Cluster Environment

You can install the User Application database in an environment supported by JBoss, WebLogic, and WebSphere clusters with the following considerations:

  • The cluster must have a unique cluster partition name, multicast address, and multicast port. Using unique identifiers separates multiple clusters to prevent performance problems and anomalous behavior.

    • For each member of the cluster, you must specify the same port number for the listener port of the User Application database.

    • For each member of the cluster, you must specify the same hostname or IP address of the server hosting the User Application database.

  • You must synchronize the clocks of the servers in a User Application cluster. If server clocks are not synchronized, sessions might time out early, causing HTTP session failover not to work properly.

  • NetIQ recommends that you do not use multiple logons across browser tabs or browser sessions on the same host. Some browsers share cookies across tabs and processes, so allowing multiple logons might cause problems with HTTP session failover (in addition to risking unexpected authentication functionality if multiple users share a computer).

  • (Conditional) For JBoss clusters, you must start each server using the same partition name and partition UDP group. Each server in the cluster should use a unique engine ID. Also, all nodes in the JBoss cluster must access the same database instance. For more information about configuring the JBoss system properties, see Section 27.2, Preparing a JBoss Cluster for the User Application.

  • (Conditional) By default, MySQL sets the maximum number of connections to 100. This number might be too small to handle the workflow request load in a cluster. If the number is too small, you might see the following exception:

    (java.sql.SQLException: Data source rejected establishment of connection, message from server: "Too many connections.")
    

    To increase the maximum number of connections, set the max_connections variable in my.cnf to a number greater than 100.

For more information about configuring the User Application in a cluster environment, see Section 27.0, Preparing a Cluster Environment for Use with the User Application and the “Clustering” section of the User Application Administration Guide.

6.7.6 System Requirements for Installing the User Application and Roles Based Provisioning Module

This section provides requirements to help you set up the server hosting the User Application and RBPM.

Processor: Pentium III 600 MHz, at a minimum

Disk Space:

  • 320 MB for data

  • Enough space for the content of supporting applications, such as the database and application server logs

Memory: 512 MB for the JBoss Application Server

Operating System: One of the following operating systems, at a minimum:

  • Red Hat Enterprise 6.2 (32-bit or 64-bit)

  • Red Hat 5.7 (32-bit or 64-bit)

  • SUSE Linux Enterprise Server 11 SP1 (32-bit or 64-bit)

  • SUSE Linux Enterprise Server 10 SP4 (32-bit or 64-bit)

  • Windows Server 2008 R2 SP1 (64-bit)

  • Windows Server 2008 SP2 (32-bit or 64-bit)

  • Windows Server 2003 (32-bit or 64-bit)

  NOTE: (Conditional) If you run the JBoss application server, you can also use one of the following operating systems:

  • Open Enterprise Server 2015 (64-bit)

  • Open Enterprise Server 11 (64-bit)

  • Open Enterprise Server 2 SP3 (32-bit or 64-bit)

Virtualization Systems: One of the following systems running a supported operating system:

  • Red Hat Enterprise Linux Virtualization (64-bit)

  • VMware ESXi Workstation 6.5

  • VMware ESXi 5.0 (32-bit or 64-bit)

  • VMware ESXi 4.1 (32-bit or 64-bit)

  • VMware ESXi 4.0 (32-bit or 64-bit)

  • VMware ESX 4.0 (32-bit or 64-bit)

  • Windows Server 2008 R2 Virtualization with Hyper-V (32-bit or 64-bit)

  • Xen Virtual Machine running SLES 10 or SLES 11 as a guest operating system in para-virtualized mode

Application Server:

  • IBM WebSphere 7.0 with IBM J9 VM (build 2.4, J2RE 1.6.0) and Fix Pack 7

  • JBoss Enterprise 5.1.2 with Java Development Kit (JDK) or Java Runtime Environment (JRE) 1.6.0_31

  • JBoss Community Edition 5.10 with JDK or JRE 1.6.0_31

  • Oracle WebLogic 10.3 (11gR1) with JRockit JVM 1.6.0_17

  NOTE: NetIQ provides the JBossPostgreSQL utility for installing the Community Edition of JBoss Application Server and PostgreSQL in your test environment.

Database:

  • IBM DB2 9.5b (for use with the WebSphere application server)

  • Microsoft SQL Server 2008

  • MySQL 5.1 (for use with the JBoss Enterprise application server)

  • Oracle 11gR2

  • PostgreSQL 8.4.3 and 9 (for use in your test environment)

Port: 8180

Browser: One of the following Internet browsers:

  • Firefox 9 is certified on:

    • Windows XP with SP3

    • Windows 7

    • SUSE Linux Enterprise Desktop 11

    • SUSE Linux Enterprise Server 11

    • Novell OpenSUSE 11.2

    • Apple Mac

  • Internet Explorer 8 is certified on Windows XP with SP3

  • Internet Explorer 9 is certified on Windows 7

  NOTE: For Internet Explorer browsers, the XML DOM (ActiveX control) from Microsoft Corporation is required for the Identity Manager Roles Based Provisioning Module 4.01 to work correctly. The version number of the XML DOM depends on the version of Internet Explorer being used.

OpenXDAS: 0.8.345

  NOTE: (Conditional) For servers running SLES 10, you must have the following versions:

  • openxdas-0.8.351-1.1.i586.rpm

  • openxdas-0.8.351-1.1.x86_64.rpm

Domain Services for Windows: OES 2 SP1

Password Management Challenge Response: NMAS Challenge Response Login Method version 2770, build 20080603, at a minimum