The following procedure describes how to install OSP and SSPR on a Linux or Windows platform using an installation wizard, either in the GUI format or from the console. To perform a silent, unattended installation, see Section 27.2, Silently Installing the Single Sign-on and Password Management Components. To prepare for the installation, review the prerequisites and system requirements listed in Section 26.1, Checklist for Installing the Single Sign-on and Password Management Components.
1. Log in as root or an administrator to the server where you want to install OSP.
2. Stop the application server, such as Tomcat.
3. (Conditional) If you have the .iso image file for the Identity Manager installation package, navigate to the directory containing the OSP installation files, located by default in the products/rbpm/osp_sspr_install directory.
4. (Conditional) If you downloaded the OSP installation files, complete the following steps:
   a. Navigate to the .tgz or win.zip file for the downloaded image.
   b. Extract the contents of the file to a directory on the local computer.
5. From the directory that contains the installation files, complete one of the following actions:
   - Linux (console): Enter ./osp-sspr-install.bin -i console
   - Linux (GUI): Enter ./osp-sspr-install.bin
   - Windows: Run osp-sspr-install.exe
6. Accept the license agreement, and then click Next.
7. Specify whether you want to install OSP, SSPR, or both.
8. Specify a path for the installed files.
9. Complete the guided process, using the following parameters:
   Tomcat details
      Represents the home directory for the Tomcat server. For example, /opt/apache-tomcat-7.0.50. The installation process adds some files for OSP to this folder.

   Tomcat connection
      Represents the settings of the URL that users need to connect to OSP and SSPR on the Tomcat server. For example, https://myserver.mycompany.com:8080.

      NOTE: You must also select Connect to an external authentication server and specify values for the external server if both of the following are true:
      - You are installing SSPR.
      - OSP runs on a different instance of the application server than SSPR does.

      - Specifies whether you want to use http or https. To use Secure Sockets Layer (SSL) for communications, specify https.
      - Specifies the DNS name or IP address of the server where you are installing OSP or SSPR. Do not use localhost.
      - Specifies the port that you want the server to use for communication with client computers.
      - Specifies whether a different instance of the application server hosts the authentication server (OSP). The authentication server contains the list of users who can log in to SSPR. If you select this setting, also specify values for the authentication server's Protocol, Host name, and Port.

   Tomcat Java home
      Represents the home directory for Java on the Tomcat server. For example, /usr/lib/jvm/default-java. The installation process adds some files for OSP to the directory.

   Login Screen Customization
      Specifies the custom name that you want to display on the user login screen. The default value is NetIQ Access.

      NOTE: Only the Latin1 Standard character set is supported.

   Authentication details
      Represents the requirements for connecting to the authentication server that contains the list of users who can log in to the application. For more information about the authentication server, see Section 4.5.1, Understanding Authentication with One SSO Provider.
      - Specifies the DNS name or IP address of the LDAP authentication server. Do not use localhost.
      - Specifies the port that you want the LDAP authentication server to use for communication with Identity Manager. For example, specify 389 for a non-secure port or 636 for SSL connections.
      - Specifies whether you want to use the Secure Sockets Layer protocol for connections between the Identity Vault and the authentication server.
      - Applies only when you want to use SSL for the LDAP connection. Specifies the path to the certificate. For example, C:\netiq\idm\apps\jre\lib\security\cacerts.
      - Applies only when you want to use SSL for the LDAP connection. Specifies the password for the cacerts file.
      - Applies only when installing a new authentication server. Specifies the DN for an administrator account of the LDAP authentication server. For example, cn=admin,ou=sa,o=system.
      - Applies only when installing a new authentication server. Specifies the password for the administrator account of the LDAP authentication server.
      - Applies only when installing a new authentication server. Specifies the container in the LDAP authentication server where you store the user accounts that can log in to Access Review. For example, o=data.
      - Applies only when installing a new authentication server. Specifies the container in the LDAP authentication server where you store the administrator accounts for Access Review. For example, ou=sa,o=system.
      - Applies only when installing a new authentication server. Specifies the password that you want to create for the new keystore for the LDAP authentication server. The password must be a minimum of six characters.

   Auditing details (OSP)
      Represents the settings for auditing OSP events that occur in the authentication server.
      - Specifies whether you want to send OSP events to an auditing server. If you select this setting, also specify the location for the audit log cache.
      - Applies only when you enable auditing for OSP. Specifies the location of the cache directory that you want to use for auditing. For example, /var/opt/novell/naudit/jcache.
      - Indicates whether you want to use an existing certificate for the NAudit server or create a new one.
      - Applies only when you want to use an existing certificate. Lists the custom public key certificate that you want the NAudit service to use to authenticate audit messages.
      - Applies only when you want to use an existing certificate. Specifies the path to the custom private key file that you want the NAudit service to use to authenticate audit messages.

   SSPR details
      Represents the settings required for configuring SSPR.
      - Specifies the password that you want to create for an administrator to use to configure SSPR. By default, SSPR does not have a configuration password. Without the password, any user who can log in to SSPR can also modify the configuration settings.
      - Specifies the absolute URL to which the client is redirected when actions such as password changes or challenge questions have been completed in SSPR, for example, the Identity Manager home page. Use the following format: protocol://server:port/path. For example, http://127.0.0.1:8080/landing.

   Authentication server details
      Represents the password that you want to create for the SSPR service to use when connecting to the OSP client on the server. Also referred to as the client secret. To modify this password after installation, use the RBPM Configuration utility.

   Auditing details (SSPR)
      Represents the settings for auditing SSPR events that occur in the authentication server.
      - Specifies whether you want to send SSPR events to an auditing server. If you select this setting, also specify the settings for the syslog server.
      - Applies only when you enable auditing for SSPR. Specifies the DNS name or IP address of the server that hosts the syslog server. Do not use localhost.
      - Applies only when you enable auditing for SSPR. Specifies the port of the server that hosts the syslog server.
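As an added pre-flight check that is not part of the NetIQ installer (the function name, variable names and sample values are assumptions), the following POSIX shell function validates the values you intend to type into the wizard against the rules stated above: https for the Tomcat connection, no localhost for host names, an LDAP port that agrees with the SSL setting, a readable certificate store when SSL is used, a keystore password of at least six characters, a non-empty SSPR configuration password, and a forward URL in protocol://server:port/path form.

```shell
#!/bin/sh
# Pre-flight validation of OSP/SSPR wizard parameters (added example, not NetIQ code).
# Returns 0 when every value passes; otherwise prints each problem to stderr and returns 1.
# Argument order (assumed for this example):
#   proto host port  ldap_ssl(yes|no) ldap_port cacerts_path  keystore_pw sspr_config_pw forward_url
check_osp_sspr_params() {
  proto="$1"; host="$2"; port="$3"              # Tomcat connection
  ldap_ssl="$4"; ldap_port="$5"; cacerts="$6"   # Authentication details
  ks_pw="$7"; cfg_pw="$8"; fwd_url="$9"         # keystore, SSPR config password, forward URL
  rc=0
  case "$proto" in
    https) ;;
    http)  echo "warn: Tomcat connection uses http; specify https to use SSL" >&2 ;;
    *)     echo "error: protocol must be http or https, got '$proto'" >&2; rc=1 ;;
  esac
  case "$host" in
    ""|localhost|127.0.0.1|::1)
      echo "error: host must be a DNS name or IP address, not localhost" >&2; rc=1 ;;
  esac
  case "$port" in
    ''|*[!0-9]*) echo "error: port '$port' is not numeric" >&2; rc=1 ;;
  esac
  # 389 with SSL selected, or 636 without it, almost always means a mismatched setting.
  if [ "$ldap_ssl" = yes ] && [ "$ldap_port" = 389 ]; then
    echo "error: LDAP SSL selected but non-secure port 389 given; expected 636" >&2; rc=1
  elif [ "$ldap_ssl" = no ] && [ "$ldap_port" = 636 ]; then
    echo "error: LDAP SSL not selected but SSL port 636 given; expected 389" >&2; rc=1
  fi
  if [ "$ldap_ssl" = yes ] && [ ! -r "$cacerts" ]; then
    echo "error: certificate store '$cacerts' is not readable" >&2; rc=1
  fi
  if [ "${#ks_pw}" -lt 6 ]; then
    echo "error: keystore password must be at least six characters" >&2; rc=1
  fi
  if [ -z "$cfg_pw" ]; then
    echo "error: empty SSPR configuration password lets any SSPR user change the configuration" >&2; rc=1
  fi
  case "$fwd_url" in
    http://*:[0-9]*/*|https://*:[0-9]*/*) ;;
    *) echo "error: forward URL must be protocol://server:port/path, got '$fwd_url'" >&2; rc=1 ;;
  esac
  return "$rc"
}
# Constructed usage (values are placeholders, not a real deployment):
#   check_osp_sspr_params https idm.example.com 8443 yes 636 /opt/netiq/idm/apps/jre/lib/security/cacerts \
#       'k3ystorePw' 'ssprConfigPw' https://idm.example.com:8443/landing
```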
To configure the identity applications and Identity Reporting to use SSPR and OSP, continue to Section X, Installing the Identity Applications.
For more information about configuring forgotten password management, see Section 34.7, Configuring Forgotten Password Management.