This document provides guidelines to install, configure, and upgrade Identity Manager 4.5 Standard Edition.
Identity Manager 4.5 Standard Edition provides the following features:
Rule-based automated provisioning
Password management (Self Service Password Reset)
Identity Reporting
Content packaging framework
Single sign-on (One SSO)
Analyzer
Designer
For more information, see NetIQ Identity Manager Setup Guide.
IMPORTANT:Integration modules continue to remain the same for both Identity Manager Advanced and Standard Editions.
For information about new features, enhancements, and features that have changed or are no longer supported in this version, see Release Notes.
Identity Manager 4.5 Standard Edition includes the following components:
Identity Vault
iManager
Identity Manager Engine
Designer
Analyzer
Remote Loader
Event Auditing Service (EAS)
Tomcat (supported application server)
Single Sign-on (One SSO)
Self Service Password Reset (SSPR)
Identity Reporting
To learn about the interaction among Identity Manager components, see Introduction
in the NetIQ Identity Manager Setup Guide.
Download the software from the Product Web site. The following .iso files contain the DVD image for installing the Identity Manager components:
Identity_Manager_4.5_Linux_Standard.iso
Identity_Manager_4.5_Windows_Standard.iso
The installation files are located in the products directory in the Identity Manager installation package. For information about the default installation locations, see Locating the Installation Paths in the Release Notes.
NetIQ recommends that you review the Installation Prerequisites in the Release Notes and then run the below checklist in the given sequence. Each task provides brief information and a reference to where you can find complete details. For specific details about installing each Identity Manager component, see NetIQ Identity Manager Setup Guide.
Task |
Notes |
---|---|
|
|
|
See |
|
Ensure that you install the components in the following order because the installation programs for some components require information about previously installed components.
IMPORTANT:The installation programs install the Identity manager components in |
|
Install eDirectory 8.8.8 Patch 3 or later. For installation instructions, see
|
|
Install iManager 2.7.7 Patch 2 or later. For the auditing to work, install iManager 2.7.7 Patch 3 or later. For installation instructions, see |
|
For installation instructions, see NOTE:The installation program does not create the DirMXL-PasswordPolicy object in the Identity Vault. After installing the Identity Manager engine, launch Designer and create the driver set. Install the Identity Manager Default Universal Password Policy package that contains DirMXL-PasswordPolicy. Add this policy to the driver set. Do this for each Identity Manager driver set in the Identity Vault. |
|
For installation instructions, see |
|
Select only Tomcat for deploying Identity Reporting. You do not need to install PostgreSQL because you are not installing RBPM. For installation instructions, see NOTE:If you are installing Tomcat on a computer that has iManager installed, do not use port 8080 for Tomcat. If the other ports are already in use, change them during installation. |
|
For installation instructions, see After installing the Single Sign-on and Password Management components, do the following actions:
|
|
NOTE:You must import the report definitions into Identity Reporting. To download them, use the Download page within the Reporting application. |
|
Activate your Identity Manager components. For more information, see |
The Identity Manager installation package includes the installation files in the products/EAS and products/Reporting directories within the .iso image file. By default, the installation program installs the components in the following locations:
Linux: /opt/netiq/idm/apps/IDMReporting
Windows: C:\netiq\idm\apps\IDMReporting
The following procedure describes how to install Identity Reporting by using an installation wizard, either in GUI format or from the console.
To prepare for the installation, review the prerequisites and system requirements listed in System Requirements for Identity Reporting
in the NetIQ Identity Manager Setup Guide and the Release Notes.
Ensure that the SIEM database is running in your event auditing service.
The installation program creates tables in the database and verifies connectivity. The program also installs a JAR file for the PostgreSQL JDBC driver, and automatically uses this file for database connectivity.
Log in to the computer where you want to install Identity Reporting.
Stop the application server. In this case, it is Tomcat.
(Conditional) If you have the .iso file for the Identity Manager installation package, navigate to the directory containing the installation files for Identity Reporting, located by default in the products/Reporting/ directory.
(Conditional) If you downloaded Identity Reporting installation files from the NetIQ Downloads website, complete the following steps:
Navigate to the .tgz file for the downloaded image.
Extract the contents of the file to a folder on the local computer.
From the directory that contains the installation files, complete one of the following actions:
Linux (console): Enter ./rpt-install.bin -i console
Linux (GUI): Enter ./rpt-install.bin
Windows: Run rpt-install.exe
In the installation program, specify the language that you want to use for installation, and then click OK.
Review the Introduction text, and then click Next.
Accept the License Agreement, and then click Next.
To complete the guided process, specify values for the following parameters:
Installation folder
Specifies the location for the installation files.
Identity Vault Connection Details
Represents the connection settings for the Identity Vault. To modify these settings after installation, use the Reporting Configuration utility (configupdate.sh) located in the /opt/netiq/idm/apps/IdentityReporting/bin/lib directory.
Specifies the DNS name or IP address of the Identity Vault server.
Specifies the LDAP port that you want Identity Reporting to use for communication with the Identity Vault.
Application server platform
Specifies the application server that will run the core (IDMRPT-Core.war), EASREST REST API (easrestapi.war), EAS Webstart (easwebstart.war), and Reporting REST API Reference WAR (rptdoc.war) files. NetIQ supports only Tomcat for Identity Reporting.
NOTE:Do not change the names of these WAR files. If you change the file names, the deployment process fails.
Application server details
Specifies a path to the deployment or webapps directory of the Tomcat instance. For example, /opt/netiq/idm/apps/tomcat/webapps.
Application server connection
Represents the settings of the URL that users need to connect to Identity Reporting on the application server. For example, https:myserver.mycompany.com:8080.
NOTE:If OSP runs on a different instance of the application server, you must also select Connect to an external authentication server and specify values for the OSP server.
Specifies whether you want to use http or https. To use SSL for communication, specify https.
Specifies the DNS name or IP address of the application server. Do not use localhost.
Specifies the port that you want the application server to use for communication with Identity Manager.
Specifies whether a different instance of the application server hosts the authentication server (OSP). The authentication server contains the list of users who can log in to Identity Reporting.
If you select this setting, also specify values for the authentication server’s Protocol, Host name, and Port.
Authentication server details
Specifies the password that you want to create for the Identity Reporting service to use when connecting to the OSP client on the authentication server.
To modify this password after installation, use the Reporting Configuration utility.
Event auditing service
Specifies whether you want to use NetIQ Event Auditing Service (EAS) to track events in Identity Reporting.
If you select this setting, also specify the DNS name or IP address of the server that hosts EAS.
Database details
Represents the settings for your SIEM database.
Specifies the port for the SIEM database. The default value is 15432.
Specifies the password for the administrative account for the database.
If you are using EAS, the installation program creates this password for the dbauser account.
Specifies the password for the account that owns the Identity Reporting schema and view in the database.
The installation program creates this password for the idmrptsrv account.
Specifies the password for the account that can access the database to run reports.
The installation program creates this password for the idmrptuser account.
Indicates whether you want the installation program to test the values specified for the database.
The installation program attempts the connection when you click Next or press Enter.
NOTE:You can continue with installation if the database connection fails. However, after installation, you must manually create the tables and connect to the database.
Authentication details
Represents the settings for the authentication server. To modify these settings after installation, use the Reporting Configuration utility.
Specifies the DN of the container that lists the users that can log in to Identity Reporting. For example, o=data.
NOTE:If the DN contains special characters, you might need to escape those characters. For more information, see RFC 2253/4514 Section 2.4.
Specifies the attribute that you want to use for searching the subtree of the user container. For example, cn.
Specifies the language that you want to use for Identity Reporting. The application uses the specified locale in searches.
Identity Vault Credentials
Represents the Identity Vault credentials for the Identity Vault server.
Specifies the DN of the admin user who has the authority to grant and revoke roles from other users.
Specifies the password of the admin user.
Specifies the path of a keystore file that contains the certificates to trust in SSL connections. By default, it is the same path that is created by the OSP SSPR installer.
Specifies the password for opening the keystore file. The default password is changeit.
Specifies the DN of the container where the installer will create the reportAdmin role.
Specifies the DN of the user that the installer will assign the reportAdmin role.
NOTE:Ensure that the container where the reportAdmin role resides does not include any object with the same name.
Choose Java JRE Base folder path
Represents the location of the JRE used by the application server.
Specifies the path for JRE used by the application server. For example, /opt/netiq/idm/apps/jre
Email delivery
Represents the settings for the SMTP server that sends report notifications. To modify these settings after installation, use the Reporting Configuration utility.
Specifies the email address that you want Identity Reporting to use for sending email notifications.
Specifies the IP address or DNS name of the SMTP email host that Identity Reporting uses for notifications. Do not use localhost.
Specifies the port number for the SMTP server. The default value is 465.
Specifies whether you want to use SSL protocol for communication with the SMTP server.
Specifies whether you want to use authentication for communication with the SMTP server.
If you select this setting, also specify the credentials for the email server.
Report details
Represents the settings for maintaining completed reports.
Specifies the amount of time that Identity Reporting will retain completed reports before deleting them. For example, to specify six months, enter 6 and then select Month.
Specifies a path where you want to store the report definitions. For example, /opt/netiq/IdentityReporting.
Novell Identity Audit
Represents the settings for auditing activity in Identity Reporting.
Specifies whether you want to send log events to an auditing server.
If you select this setting, also specify the location for the audit log cache.
Applies only when you enable auditing for Identity Reporting.
Specifies the location of the cache directory that you want to use for auditing. For example, /opt/novell/Identity Reporting.
NOTE:If you enable auditing, ensure that the logevent file has valid paths for the cache directory and the nauditpa.jar file. If these settings are not defined correctly, Identity Reporting will not start.
NAudit certificates
Applies only when you enable auditing for Identity Reporting.
Represents the settings for the NAudit service which sends events from Identity Reporting to EAS.
Indicates whether you want to use an existing certificate for the NAudit server or create a new one.
Applies only when you want to use an existing certificate.
Lists the custom public key certificate that you want the NAudit service to use to authenticate audit messages sent to EAS.
Applies only when you want to use an existing certificate.
Specifies the path to the custom private key file that you want the NAudit service to use to authenticate audit messages sent to EAS.
Review the information in the Pre-Installation Summary window, and then click Install.
A silent (non-interactive) installation does not display a user interface or prompts any questions to the user. Instead, the system uses information from a .properties file. You can run the silent installation with the default file or edit the file to customize the installation process.
To prepare for the installation, review the prerequisites and system requirements listed in System Requirements for Identity Reporting
in the NetIQ Identity Manager Setup Guide. Also see the Release Notes accompanying the release.
(Conditional) To avoid specifying the administrator passwords for the installation in the .properties file for a silent installation, use the export or set command. For example:
Linux: export NOVL_ADMIN_PWD=myPassWord
Windows: set NOVL_ADMIN_PWD=myPassWord
The silent installation process reads the passwords from the environment, rather than from the .properties file.
Specify the following passwords:
Specifies the password for the administrator for the SIEM database.
Specifies the password for the owner of the database schemas and objects for reporting.
Specifies the password for the idmrptuser that has read-only access to reporting data.
Specifies the password for the EAS server.
You can copy the system password from the system property in the activemqusers.properties file on the computer where EAS is installed.
(Conditional) To enable subcontainer searches at login time, specifies the password of an LDAP administrator.
(Conditional) To use authentication for email communications, specifies the password for the default SMTP email user.
To specify the installation parameters, complete the following steps:
Ensure that the .properties file is located in the same directory as the execution file for installation.
For your convenience, NetIQ provides two .properties files, located by default in the products/Reporting directory of the .iso image:
rpt_installonly.properties to use the default installation settings
rpt_configonly.properties to customize the installation settings
In a text editor, open the .properties file.
Specify the parameter values. For a description of the parameters, see Step 10.
Save and close the file.
To launch the installation process, enter one of the following commands:
Linux: ./rpt-install.bin -i silent -f path_to_properties_file
Windows: ./rpt-install.exe -i silent -f path_to_properties_file
NOTE:If the .properties file resides in a different directory from the installation script, you must specify the full path to the file. The script unpacks the necessary files to a temporary directory and then launches the silent installation.
To modify installation properties after installation, run the configuration update utility depending on your platform.
Linux: Run configupdate.sh from /opt/netiq/idm/apps/IdentityReporting/bin/lib.
Windows: Run configupdate.bat from C:\netiq\idm\apps\IdentityReporting\bin\lib.
If you change any setting for Identity Reporting with the configuration tool, you must restart the application server for the changes to take effect. However, you do not need to restart the server after making changes in the web user interface for Identity Reporting.
Access the Reporting URL as a Report Administrator. The URL will follow this pattern: http://server:port/IDMRPT/. Ensure that authentication and authorization is successful. NetIQ recommends that you do not attempt logging in without sufficient administrative rights.
IMPORTANT:If you logged in to the Reporting application with a user with no rights, the logout option and Home link are not displayed.
NetIQ supports the following upgrade paths for Identity Manager 4.0.2 Standard Edition:
Identity Manager 4.0.2 Standard Edition to Identity Manager 4.5 Standard Edition
Identity Manager 4.5 Standard Edition to Identity Manager 4.5 Advanced Edition
You cannot perform a direct upgrade from Identity Manager 4.0.2 Standard Edition to Identity Manager 4.5 Advanced Edition. However, you can choose one of the following approaches to complete the upgrade:
Upgrade Identity Manager 4.0.2 Standard Edition to Identity Manager 4.5 Standard Edition and then upgrade to Identity Manager 4.5 Advanced Edition.
Upgrade Identity Manager 4.0.2 Standard Edition to Identity Manager 4.0.2 Advanced Edition and then upgrade to Identity Manager 4.5 Advanced Edition.
To perform the upgrade, NetIQ recommends that you review the Upgrade Prerequisites in the Release Notes and then complete the following tasks in the same sequence:
Task |
Notes |
---|---|
|
For more information, see |
|
You cannot directly upgrade or migrate to version 4.5 from versions before 4.0.2. For more information, see the NetIQ Identity Manager Setup Guide 4.0.2. |
|
Ensure that you have the latest installation kit to upgrade/migrate Identity Manager to 4.5 Standard Edition. |
|
For more information, see |
|
Ensure that your computers meet the hardware and software prerequisites for a newer version of Identity Manager. For more information, see |
|
For more information, see |
|
Upgrade Designer to the latest version. For more information, see |
|
Upgrade Designer to the latest version. For more information, see |
|
On the server running Identity Manager, upgrade eDirectory to the latest version and patch. For more information, see the NetIQ eDirectory 8.8 Installation Guide and Identity Manager Release Notes. |
|
Upgrade iManager to the latest version and patch. For upgrade instructions, see |
|
Stop the drivers that are associated with the server where you installed the Identity Manager engine (Metadirectory). For more information, see |
|
For more information, see NOTE:If you are migrating the Identity Manager engine to a new server, you can use the same eDirectory replicas that are on the current Identity Manager server. For more information, see |
|
If any of the drivers in the driver set for the Identity Manager Engine are Remote Loader drivers, upgrade the Remote Loader servers for each driver. For more information, see |
|
If you are using packages instead of driver configuration files, upgrade the packages on the existing drivers to get new policies. For more information, see This is only required if a newer version of a package is available and there is a new functionality included in the policies for a driver that you want to add to your existing driver. |
|
In iManager, make sure that you apply the Identity Manager 4.5 Standard Edition activation. If you do not apply the activation, the Identity Manager engine and the drivers run in the evaluation mode. |
|
Remove RBPM and Identity Reporting files and folders from your current application server. This requires you to take the following actions:
|
|
Remove the User Application driver and the Roles and Resource Service driver from the driver set of the upgraded setup and from the Designer project. For more information, see |
|
Install Identity Reporting components. This requires you to take the following actions:
|
|
Start the drivers associated with the Identity Reporting and the Identity Manager engine. For more information, see |
|
(Conditional) If you have custom policies and rules, restore your custom settings. For more information, see |
|
(Conditional) If you are using NetIQ Sentinel, ensure that you are running the latest service pack. For more information about upgrading Sentinel, see the NetIQ Sentinel Installation and Configuration Guide. |
Upgrading Identity Manager 4.5 Standard Edition to Identity Manager 4.5 Advanced Edition involves configuration changes for the Identity Manager components. You do not need to run the Identity Manager installation program to perform this upgrade.
The Identity Manager 4.5 Advanced Edition includes all the features included in the Standard Edition along with additional features such as identity applications. The New Features section in the Identity Manager 4.5 Advanced Edition Release Notes includes brief summaries of the new features in Identity Manager 4.5 Advanced Edition. You might want to take a few minutes to look at the section.
To perform the upgrade, NetIQ recommends that you complete the steps in the below checklist in the given order:
Task |
Description |
---|---|
|
Review the differences between an upgrade and a migration. For more information, see |
|
You cannot upgrade or migrate to version 4.5 from versions before 4.0.2. For more information, see the NetIQ Identity Manager Setup Guide 4.0.2. |
|
Ensure that you have the latest installation kit to upgrade Identity Manager to 4.5 Advanced Edition. |
|
For more information, see |
|
Ensure that your computers meet the hardware and software prerequisites for a newer version of Identity Manager. For more information, see |
|
In this case, the application server is Tomcat. |
|
Uninstall the Identity Reporting WAR files from your application server. To do this, follow the instructions in the documentation specific to your application server. For more information, see |
|
In iManager, ensure that you apply the Identity Manager 4.5 Advanced Edition activation key. Otherwise, the Identity Manager engine upgrade does not proceed. IMPORTANT:To ensure that Identity Manager displays correct version and brand name after upgrade, apply the Identity Manager 4.5 Patch 2 from the NetIQ Downloads website. For detailed information on downloading and applying the patch, see |
|
For more information, see |
|
Install WebSphere or JBoss as your application server. If you want to use Tomcat as your application server, you can reuse the existing instance of Tomcat. |
|
NOTE:The upgrade process does not remove the existing roles assigned to users in eDirectory. If the Report Administrator user role still exists in the upgraded software, make sure you delete this role for security reasons. The installation program will install the following components:
For more information, see |
|
If your application server is not Tomcat, start your application server (WebSphere or JBoss) and Tomcat. You need to run Tomcat because NetIQ supports OSP installation only on Tomcat. |
|
(Conditional) Update the Data Collection Service driver configuration for your new application server. Update the Data Collection Service driver configuration to register the Managed System Gateway driver. For more information, see Section 4.3, Updating the Configuration Information of the Data Collection Service Driver. |
|
Provide the existing EAS server details during the installation. For more information, see To log the Identity Reporting events in the EAS server, perform the following actions:
|
|
Start the drivers associated with the Identity Reporting and the Identity Manager engine. For more information, see |
|
(Conditional) If you have custom policies and rules, restore your custom settings. For more information, see |
|
(Conditional) If you are using NetIQ Sentinel, ensure that you are running the latest service pack. For more information about upgrading Sentinel, see the NetIQ Sentinel Installation and Configuration Guide. |
Launch Designer, then go to DCS Driver Configuration > Driver Parameters > Driver Options.
In the Managed System Gateway Registration section, change the settings as below:
Set Register Manage System Gateway to Yes.
Change the MSGW Driver DN. For example, CN=Managed System Gateway Driver,cn=driverset1,o=system.
Change the User DN. For example, cn=admin,ou=sa,o=system.
Specify the password for the User DN.
For more information on configuring the driver, see Configuring the Driver for Data Collection Service
in the NetIQ Identity Manager Setup Guide.
Save the settings, then deploy the DCS driver.
Restart the DCS driver.
Upgrading the Identity Reporting might not immediately show the Advanced Version. The version change occurs after the next batch of events is processed.
Some components of Identity Manager have prerequisites for uninstallation. Ensure that you review full section for each component before beginning the uninstallation process. For more information, see Uninstalling Identity Manager Components
in the NetIQ Identity Manager Setup Guide.
THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS OF A LICENSE AGREEMENT OR A NON-DISCLOSURE AGREEMENT. EXCEPT AS EXPRESSLY SET FORTH IN SUCH LICENSE AGREEMENT OR NON-DISCLOSURE AGREEMENT, NETIQ CORPORATION PROVIDES THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. SOME STATES DO NOT ALLOW DISCLAIMERS OF EXPRESS OR IMPLIED WARRANTIES IN CERTAIN TRANSACTIONS; THEREFORE, THIS STATEMENT MAY NOT APPLY TO YOU.
For purposes of clarity, any module, adapter or other similar material (“Module”) is licensed under the terms and conditions of the End User License Agreement for the applicable version of the NetIQ product or software to which it relates or interoperates with, and by accessing, copying or using a Module you agree to be bound by such terms. If you do not agree to the terms of the End User License Agreement you are not authorized to use, access or copy a Module and you must destroy all copies of the Module and contact NetIQ for further instructions.
This document and the software described in this document may not be lent, sold, or given away without the prior written permission of NetIQ Corporation, except as otherwise permitted by law. Except as expressly set forth in such license agreement or non-disclosure agreement, no part of this document or the software described in this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written consent of NetIQ Corporation. Some companies, names, and data in this document are used for illustration purposes and may not represent real companies, individuals, or data.
This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. NetIQ Corporation may make improvements in or changes to the software described in this document at any time.
U.S. Government Restricted Rights: If the software and documentation are being acquired by or on behalf of the U.S. Government or by a U.S. Government prime contractor or subcontractor (at any tier), in accordance with 48 C.F.R. 227.7202-4 (for Department of Defense (DOD) acquisitions) and 48 C.F.R. 2.101 and 12.212 (for non-DOD acquisitions), the government's rights in the software and documentation, including its rights to use, modify, reproduce, release, perform, display or disclose the software or documentation, will be subject in all respects to the commercial license rights and restrictions provided in the license agreement.
© 2015 NetIQ Corporation. All Rights Reserved.
For information about NetIQ trademarks, see http://www.netiq.com/company/legal/.