32.3 Silently Installing the Identity Applications

This section describes how to perform a silent install of the identity applications. A silent installation requires no interaction during the installation and can save you time, especially when you install on more than one server. You can perform silent installations on supported Linux computers only.

To prepare for the installation, review the activities listed in Section 32.1, Checklist for Installing the Identity Applications. Also see the Release Notes accompanying the release.

This process includes the following activities:

  • Section 32.3.1, Setting Passwords in the Environment for a Silent Installation

  • Section 32.3.2, Editing the .properties File

  • Section 32.3.3, Executing a Silent Installation of the Identity Applications

32.3.1 Setting Passwords in the Environment for a Silent Installation

Instead of writing the configuration passwords into the .properties file, you can set them in the environment. The silent installer then reads the passwords from the environment rather than from the silent.properties file, which keeps them out of a plaintext file that might be copied, backed up, or left readable on the server. Note that environment variables are not hidden from other processes running as the same user (on Linux they can be read from /proc/<pid>/environ), and a password typed on an export or set command line is recorded in the shell history unless you take steps to avoid that.

You must specify the following passwords for the installation:

  • NOVL_DB_USER_PASSWORD

  • NOVL_CONFIG_DBADMIN_PASSWORD

  • NOVL_CONFIG_LDAPADMINPASS

  • NOVL_CONFIG_KEYSTOREPASSWORD

Linux

Use the export command. For example:

export NOVL_DB_USER_PASSWORD=myPassWord

Windows

Use the set command. For example:

set NOVL_DB_USER_PASSWORD=myPassWord
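The following shell script, added here as an example and not NetIQ's own code, shows one way to get the four passwords into the environment on Linux without placing them on a command line (where the shell history would record them) or in a world-readable file. The variable names are the ones listed above; the function names, the secrets-file layout and the path /root/idm-secrets.env are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not NetIQ's code: export the four silent-install passwords
# without writing them into silent.properties or leaving them in shell history.
# The variable names are the ones the installer reads; the helper functions
# and the secrets-file layout are assumptions for illustration.

REQUIRED_PASSWORD_VARS="NOVL_DB_USER_PASSWORD NOVL_CONFIG_DBADMIN_PASSWORD \
NOVL_CONFIG_LDAPADMINPASS NOVL_CONFIG_KEYSTOREPASSWORD"

# read_secret NAME: prompt for one password with terminal echo off and export it,
# so the value never appears on a command line or in the history file.
read_secret() {
  name=$1
  printf '%s: ' "$name" >&2
  stty -echo 2>/dev/null
  read -r value
  stty echo 2>/dev/null
  printf '\n' >&2
  export "$name=$value"
}

# load_secrets_file FILE: source NAME=value lines from a root-owned file given by
# absolute path and export every assignment (the alternative to typing them).
# Refuses a world-readable file instead of silently using it.
load_secrets_file() {
  f=$1
  if [ ! -f "$f" ]; then
    echo "$f: no such file" >&2
    return 1
  fi
  if [ -n "$(find "$f" -perm -004 2>/dev/null)" ]; then
    echo "$f: refusing to load a world-readable secrets file (chmod 600 it)" >&2
    return 1
  fi
  set -a
  . "$f"
  set +a
}

# check_passwords_set: return 0 if every required variable is set and non-empty;
# otherwise list the missing names on stderr and return 1.
check_passwords_set() {
  missing=""
  for v in $REQUIRED_PASSWORD_VARS; do
    eval "val=\${$v:-}"
    [ -n "$val" ] || missing="$missing $v"
  done
  if [ -n "$missing" ]; then
    echo "missing passwords in environment:$missing" >&2
    return 1
  fi
  return 0
}

# Typical use as root, before running ./IdmUserApp.bin -i silent ...:
#   load_secrets_file /root/idm-secrets.env ||
#     for v in $REQUIRED_PASSWORD_VARS; do read_secret "$v"; done
#   check_passwords_set || exit 1
```

Because the installer is started from the same shell, the exported values are inherited by it; run check_passwords_set immediately before the install command so a missing variable fails early rather than partway through a silent run.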

32.3.2 Editing the .properties File

You must edit the parameter values in the .properties file before performing the silent installation or configuration. The table in this section lists the parameters. They correspond to the basic installation parameters as well as to the parameters for configuring RBPM and the identity applications. For more information about specifying the parameter values, see Section 32.2, Using the Guided Process to Install the Identity Applications and Section 35.0, Configuring the Settings for the Identity Applications.

  1. Log in as root to the computer where you want to install the identity applications.

  2. Ensure that the silent.properties file is stored on the local computer.

    By default, you can find the file in the products/rbpm/user_app_install directory within the .iso image file for the Identity Manager installation package.

  3. Open the silent.properties file.

  4. Modify the following parameters in the .properties file:

Each entry below gives the parameter name in silent.properties, followed by the equivalent parameter name in the Identity Applications Configuration Parameters File and a description of the value.

NOVL_CONFIG_LDAPHOST=

eDirectory Connection Settings: LDAP Host.

Specifies the hostname or IP address for your LDAP server.

NOVL_CONFIG_LDAPADMIN=

eDirectory Connection Settings: LDAP Administrator.

Specifies the credentials for the LDAP Administrator. This user must already exist. The User Application uses this account to make an administrative connection to the Identity Vault. This value is encrypted, based on the master key.

NOVL_CONFIG_LDAPADMINPASS=

eDirectory Connection Settings: LDAP Administrator Password.

Specifies the LDAP Administrator password. This password is encrypted, based on the master key.

NOVL_CONFIG_ROOTCONTAINERNAME=

eDirectory DNs: Root Container DN.

Specifies the LDAP distinguished name of the root container. This is used as the default entity definition search root when no search root is specified in the directory abstraction layer.

NOVL_CONFIG_PROVISIONROOT=

eDirectory DNs: Provisioning Driver DN.

Specifies the distinguished name of the User Application driver. For example, if your driver is UserApplicationDriver and your driver set is called myDriverSet, and the driver set is in a context of o=myCompany, you type a value of:

cn=UserApplicationDriver,cn=myDriverSet,o=myCompany

NOVL_CONFIG_LOCKSMITH=

eDirectory DNs: User Application Admin.

An existing user in the Identity Vault who has the rights to perform administrative tasks for the User Application user container specified. This user can use the Administration tab of the User Application to administer the portal.

If the User Application Administrator participates in workflow administration tasks exposed in iManager, NetIQ Designer for Identity Manager, or the User Application (Requests & Approvals tab), grant this administrator appropriate trustee rights to object instances contained in the User Application driver. For more information, see the NetIQ Identity Manager User Application: Administration Guide.

To change this assignment after you deploy the User Application, use the Administration > Security pages in the User Application.

NOVL_CONFIG_PROVLOCKSMITH=

eDirectory DNs: Provisioning Application Admin.

This user is available in the provisioning version of Identity Manager. The Provisioning Application Administrator uses the Provisioning tab (under the Administration tab) to manage the Provisioning Workflow functions. These functions are available to users through the Requests and Approvals tab of the User Application. This user must exist in the Identity Vault prior to being designated the Provisioning Application Administrator.

To change this assignment after you deploy the User Application, use the Administration > Security pages in the User Application.

NOVL_CONFIG_ROLECONTAINERDN=

This role is available in RBPM. This role allows members to create, remove, or modify all roles, and grant or revoke any role assignment to any user, group, or container. It also allows its role members to run any report for any user. By default, the User Application Admin is assigned this role.

To change this assignment after you deploy the User Application, use the Roles > Role Assignment page in the User Application.

NOVL_CONFIG_COMPLIANCECONTAINERDN

The Compliance Module Administrator is a system role that allows members to perform all functions on the Compliance tab. This user must exist in the Identity Vault prior to being designated as the Compliance Module Administrator.

NOVL_CONFIG_USERCONTAINERDN=

Meta-Directory User Identity: User Container DN.

Specify the LDAP distinguished name (DN) or fully qualified LDAP name of the user container. This defines the search scope for users and groups. Users in this container (and below) are allowed to log in to the User Application.

IMPORTANT: Be sure the User Application Administrator specified during User Application driver setup exists in this container if you want that user to be able to execute workflows.

NOVL_CONFIG_GROUPCONTAINERDN=

Meta-Directory User Groups: Group Container DN.

Specify the LDAP distinguished name (DN) or fully qualified LDAP name of the group container. Used by entity definitions within the directory abstraction layer.

NOVL_CONFIG_KEYSTOREPATH=

eDirectory Certificates: Keystore Path. Required.

Specify the full path to your keystore (cacerts) file of the JRE that the application server uses. The User Application installation modifies the keystore file. On Linux, the user must have permission to write to this file.

NOVL_CONFIG_KEYSTOREPASSWORD=

eDirectory Certificates: Keystore Password.

Specify the cacerts password. The default is changeit.

NOVL_CONFIG_SECUREADMINCONNECTION=

eDirectory Connection Settings: Secure Admin Connection.

Required

To require that all communication using the admin account be done using a secure socket (this option can have adverse performance implications), specify True. This setting allows other operations that do not require SSL to operate without SSL.

If the admin account does not use SSL communication, specify False.

NOVL_CONFIG_SECUREUSERCONNECTION=

eDirectory Connection Settings: Secure User Connection.

Required

To require that all communication done on the logged-in user's account be done using a secure socket (this option can have severe adverse performance implications), specify True. This setting allows other operations that don't require SSL to operate without SSL.

If the user’s account does not use SSL communication, specify False.

NOVL_CONFIG_SESSIONTIMEOUT=

Miscellaneous: Session Timeout.

Required

Specify a timeout interval for the application session.

NOVL_CONFIG_LDAPPLAINPORT=

eDirectory Connection Settings: LDAP Non-Secure Port.

Required

Specify the non-secure port for your LDAP server. For example, 389.

NOVL_CONFIG_LDAPSECUREPORT=

eDirectory Connection Settings: LDAP Secure Port.

Required

Specify the secure port for your LDAP server, for example 636.

NOVL_CONFIG_ANONYMOUS=

eDirectory Connection Settings: Use Public Anonymous Account.

Required

To allow users who are not logged in to access the LDAP Public Anonymous Account, specify True.

To enable NOVL_CONFIG_GUEST instead, specify False.

NOVL_CONFIG_GUEST=

eDirectory Connection Settings: LDAP Guest.

Allows users who are not logged in to access permitted portlets. The Guest user account must already exist in the Identity Vault. To use it, you must also set NOVL_CONFIG_ANONYMOUS to False, because the Public Anonymous Account and the Guest account are alternatives.

NOVL_CONFIG_GUESTPASS=

eDirectory Connection Settings: LDAP Guest Password.

NOVL_CONFIG_EMAILNOTIFYHOST=

Email: Notify Template HOST token.

Specify the application server hosting the Identity Manager User Application, for example myapplicationserver. This value replaces the $HOST$ token in e-mail templates. The URL that is constructed is the link to provisioning request tasks and approval notifications.

NOVL_CONFIG_EMAILNOTIFYPORT=

Email: Notify Template Port token.

Used to replace the $PORT$ token in e-mail templates used in provisioning request tasks and approval notifications.

NOVL_CONFIG_EMAILNOTIFYSECUREPORT=

Email: Notify Template Secure Port token.

Used to replace the $SECURE_PORT$ token in e-mail templates used in provisioning request tasks and approval notifications.

NOVL_CONFIG_NOTFSMTPEMAILFROM=

Email: Notification SMTP Email From.

Required

Specify the From address used for provisioning e-mail.

NOVL_CONFIG_NOTFSMTPEMAILHOST=

Email: Notification SMTP Email Host.

Required

Specify the SMTP e-mail host that provisioning e-mail uses. This can be an IP address or a DNS name. Do not use localhost.

NOVL_CONFIG_USEEXTPWDWAR=

Password Management: Use External Password WAR.

To use an external password management WAR, specify True, and then specify values for NOVL_CONFIG_EXTPWDWARPATH and NOVL_CONFIG_EXTPWDWARRTNPATH.

To use the Password Management functionality built into the User Application, specify False. The user is then redirected to the internal Forgot Password page, ./jsps/pwdmgt/ForgotPassword.jsp (a relative path, without the http(s) protocol at the beginning), rather than to an external WAR.

NOVL_CONFIG_EXTPWDWARPATH=

Password Management: Forgot Password Link.

Specify the URL for the Forgot Password functionality page, ForgotPassword.jsp, in an external or internal password management WAR. Alternatively, accept the default internal password management WAR. For more information, see Section 34.7, Configuring Forgotten Password Management.

NOVL_CONFIG_EXTPWDWARRTNPATH=

Password Management: Forgot Password Return Link.

Specify the Forgot Password Return Link so that the user can click after performing a forgot password operation.

NOVL_CONFIG_FORGOTWEBSERVICEURL=

Password Management: Forgot Password web service URL.

Represents the URL that the External Forgot Password WAR will use to call back to the User Application to perform core forgot password functionalities. Use the following format:

https://idmhost:sslport/idm/pwdmgt/service

NOVL_CONFIG_USEROBJECTATTRIBUTE=

Meta-Directory User Identity: User Object Class.

Required

The LDAP user object class (typically inetOrgPerson).

NOVL_CONFIG_LOGINATTRIBUTE=

Meta-Directory User Identity: Login Attribute.

Required

The LDAP attribute that represents the user’s login name. For example, CN.

NOVL_CONFIG_NAMINGATTRIBUTE=

Meta-Directory User Identity: Naming Attribute.

Required

The LDAP attribute used as the identifier when looking up users or groups. This is not the same as the login attribute, which is used only during login, and not during user/group searches.

NOVL_CONFIG_USERMEMBERSHIPATTRIBUTE=

Meta-Directory User Identity: User Membership Attribute.

Optional

The LDAP attribute that represents the user's group membership. Do not use spaces in this name.

NOVL_CONFIG_GROUPOBJECTATTRIBUTE=

Meta-Directory User Groups: Group Object Class.

Required

The LDAP group object class (typically groupofNames).

NOVL_CONFIG_GROUPMEMBERSHIPATTRIBUTE=

Meta-Directory User Groups: Group Membership Attribute.

Required

Specify the attribute representing the user’s group membership. Do not use spaces in this name.

NOVL_CONFIG_USEDYNAMICGROUPS=

Meta-Directory User Groups: Use Dynamic Groups.

Required

To use dynamic groups, specify True.

NOVL_CONFIG_DYNAMICGROUPOBJECTCLASS=

Meta-Directory User Groups: Dynamic Group Object Class.

Required

Specify the LDAP dynamic group object class (typically dynamicGroup).

NOVL_CONFIG_TRUSTEDSTOREPATH=

Trusted Key Store: Trusted Store Path.

The Trusted Key Store contains all trusted signers’ certificates. If this path is empty, the User Application gets the path from System property javax.net.ssl.trustStore. If the path does not exist, the User Application uses jre/lib/security/cacerts.

NOVL_CONFIG_TRUSTEDSTOREPASSWORD=

Trusted Key Store: Trusted Store Password.

NOVL_CONFIG_ICSLOGOUTENABLED=

Access Manager and iChain Settings: Simultaneous Logout Enabled.

To enable simultaneous logout of the User Application and either NetIQ Access Manager or iChain, specify True. The User Application checks for a NetIQ Access Manager or iChain cookie on logout and, if the cookie is present, reroutes the user to the ICS logout page.

To disable simultaneous logout, specify False.

NOVL_CONFIG_ICSLOGOUTPAGE=

Access Manager and iChain Settings: Simultaneous Logout Page.

Specify the URL to the NetIQ Access Manager or iChain logout page, where the URL is a hostname that NetIQ Access Manager or iChain expects. If simultaneous (ICS) logout is enabled and a user logs out of the User Application, the user is rerouted to this page.

NOVL_CONFIG_EMAILNOTIFYPROTOCOL=

Email: Notify Template PROTOCOL token.

Refers to a non-secure protocol, HTTP. Used to replace the $PROTOCOL$ token in e-mail templates used in provisioning request tasks and approval notifications.

NOVL_CONFIG_EMAILNOTIFYSECUREPROTOCOL=

Email: Notify Template Secure Protocol token.

Refers to the secure protocol, HTTPS. Used to replace the $SECURE_PROTOCOL$ token in e-mail templates used in provisioning request tasks and approval notifications.

NOVL_CONFIG_OCSPURI=

Miscellaneous: OCSP URI.

If the client installation uses the Online Certificate Status Protocol (OCSP), specify a Uniform Resource Identifier (URI). The format is, for example, http://host:port/ocspLocal. The OCSP URI is used to check the revocation status of trusted certificates online.

NOVL_CONFIG_AUTHCONFIGPATH=

Miscellaneous: Authorization Config Path.

The fully qualified name of the authorization configuration file.

NOVL_CONFIG_CREATEDIRECTORYINDEX

Miscellaneous:Create eDirectory Index

Specify true if you want the silent installer to create indexes on the manager, ismanager, and srvprvUUID attributes on the eDirectory server specified for NOVL_CONFIG_SERVERDN. If this parameter is set to true, you cannot set NOVL_CONFIG_REMOVEDIRECTORYINDEX to true.

For best performance, wait for index creation to complete; the indexes should be in Online mode before you make the User Application available.

NOVL_CONFIG_REMOVEDIRECTORYINDEX

Miscellaneous: Remove eDirectory Index

If you want the silent installer to remove the indexes on the server specified in NOVL_CONFIG_SERVERDN, specify true. If this parameter is set to true, you cannot set NOVL_CONFIG_CREATEDIRECTORYINDEX to true.

NOVL_CONFIG_SERVERDN

Miscellaneous: Server DN

Specify the eDirectory server where indexes should be created or removed.

NOVL_CREATE_DB

Indicates how the database will be created. The following are valid values:

  • now - Creates the database right away.

  • file - Writes SQL output to a file

  • startup - Creates the database at application startup

NOVL_DATABASE_NEW

Indicates whether the database is new or existing. If the database is new, specify True.

NOVL_RBPM_SEC_ADMINDN

Security Administrator

This role gives members the full range of capabilities within the Security domain.

The Security Administrator can perform all possible actions for all objects within the Security domain. The Security domain allows the Security Administrator to configure access permissions for all objects in all domains within RBPM. The Security Administrator can configure teams, and also assign domain administrators, delegated administrators, and other Security Administrators.

NOVL_RBPM_RESOURCE_ADMINDN

Resources Administrator

This role gives members the full range of capabilities within the Resource domain. The Resources Administrator can perform all possible actions for all objects within the Resource domain.

NOVL_RBPM_CONFIG_ADMINDN

This role gives members the full range of capabilities within the Configuration domain. The RBPM Configuration Administrator can perform all possible actions on all objects within the Configuration domain. The RBPM Configuration Administrator controls access to navigation items within RBPM. In addition, the RBPM Configuration Administrator configures the delegation and proxy service, the provisioning user interface, and the workflow engine.

RUN_LDAPCONFIG=

Specifies whether to configure the LDAP settings now or later. Values are:

  • Now - Runs the LDAP configuration right away, populating the WAR with the LDAP configuration settings provided.

  • Later - Installs only the User Application files, without configuring the LDAP settings.

32.3.3 Executing a Silent Installation of the Identity Applications

  1. Log in as a root user to the computer where you want to install the identity applications.

  2. Open a terminal session.

  3. Make sure the .properties file and the environment contain the values for the installation. For more information, see Section 32.3.2, Editing the .properties File and Section 25.2.1, Safeguarding the Passwords for a Silent Installation.

  4. To launch the installation program for your platform, enter the following command:

    • Linux: ./IdmUserApp.bin -i silent -f /yourdirectorypath/silent.properties

    • Windows: IdmUserApp.exe -i silent -f C:\yourdirectorypath\silent.properties

    NOTE: If the silent.properties file is in a different directory from the installer, you must specify the full path to the file. The installer unpacks the necessary files to a temporary directory and then launches the silent installation.
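The following shell script, added here as an example and not NetIQ's own code, performs a preflight check of silent.properties against the constraints stated in the parameter table in Section 32.3.2 (passwords kept out of the file, secure LDAP connections, the create/remove index exclusion, the anonymous/guest pairing, the enumerated values of NOVL_CREATE_DB and RUN_LDAPCONFIG, and the SMTP host) and only then runs the Linux command from step 4 above. The parameter names are those documented on this page; the check logic, the wrapper function and the sample properties file are constructed for illustration, and the sample values are not from any real deployment.

```shell
#!/bin/sh
# Added example, not NetIQ's code: lint silent.properties against the
# constraints in the parameter table, then launch ./IdmUserApp.bin -i silent.
# Parameter names are the documented ones; checks and sample are constructed.

# prop KEY FILE: print the value of the last KEY= line in FILE (empty if unset).
prop() {
  sed -n "s/^[[:space:]]*$1=//p" "$2" | tail -n 1
}

# lc STRING: lower-case, so True/true and Now/now compare equal.
lc() {
  printf '%s' "$1" | tr '[:upper:]' '[:lower:]'
}

# lint_silent_properties FILE: print one line per finding and return the
# number of findings (0 means every check passed).
lint_silent_properties() {
  f=$1
  n=0
  fail() { echo "$f: $1"; n=$((n + 1)); }

  # Passwords belong in the environment (32.3.1), never in the file.
  for k in NOVL_DB_USER_PASSWORD NOVL_CONFIG_DBADMIN_PASSWORD \
           NOVL_CONFIG_LDAPADMINPASS NOVL_CONFIG_KEYSTOREPASSWORD; do
    [ -z "$(prop "$k" "$f")" ] || fail "$k is stored in the file; export it in the environment instead"
  done

  # Admin and user LDAP traffic should use the secure socket.
  for k in NOVL_CONFIG_SECUREADMINCONNECTION NOVL_CONFIG_SECUREUSERCONNECTION; do
    [ "$(lc "$(prop "$k" "$f")")" = true ] || fail "$k is not True; that LDAP connection would be cleartext"
  done
  [ -n "$(prop NOVL_CONFIG_LDAPSECUREPORT "$f")" ] || fail "NOVL_CONFIG_LDAPSECUREPORT is empty"

  # Index creation and removal are mutually exclusive and both need a server DN.
  ci=$(lc "$(prop NOVL_CONFIG_CREATEDIRECTORYINDEX "$f")")
  ri=$(lc "$(prop NOVL_CONFIG_REMOVEDIRECTORYINDEX "$f")")
  [ "$ci" = true ] && [ "$ri" = true ] && fail "create and remove eDirectory index are both true"
  { [ "$ci" = true ] || [ "$ri" = true ]; } && [ -z "$(prop NOVL_CONFIG_SERVERDN "$f")" ] \
    && fail "an index option is true but NOVL_CONFIG_SERVERDN is empty"

  # The guest account is only used when the public anonymous account is off.
  [ -n "$(prop NOVL_CONFIG_GUEST "$f")" ] && [ "$(lc "$(prop NOVL_CONFIG_ANONYMOUS "$f")")" = true ] \
    && fail "NOVL_CONFIG_GUEST is set but NOVL_CONFIG_ANONYMOUS is True; set it to False to use the guest account"

  # Enumerated values.
  case "$(lc "$(prop NOVL_CREATE_DB "$f")")" in
    now|file|startup) ;;
    *) fail "NOVL_CREATE_DB must be now, file or startup" ;;
  esac
  case "$(lc "$(prop RUN_LDAPCONFIG "$f")")" in
    now|later) ;;
    *) fail "RUN_LDAPCONFIG must be Now or Later" ;;
  esac

  # The notification SMTP host must be a real host, not localhost.
  case "$(lc "$(prop NOVL_CONFIG_NOTFSMTPEMAILHOST "$f")")" in
    ""|localhost|127.0.0.1) fail "NOVL_CONFIG_NOTFSMTPEMAILHOST must not be empty or localhost" ;;
  esac

  return $n
}

# run_silent_install FILE: refuse to launch unless the file passes the lint and
# the passwords are exported; then run the documented Linux command from the
# directory that holds the installer.
run_silent_install() {
  lint_silent_properties "$1" || return 1
  for k in NOVL_DB_USER_PASSWORD NOVL_CONFIG_DBADMIN_PASSWORD \
           NOVL_CONFIG_LDAPADMINPASS NOVL_CONFIG_KEYSTOREPASSWORD; do
    eval "[ -n \"\${$k:-}\" ]" || { echo "$k is not exported" >&2; return 1; }
  done
  ./IdmUserApp.bin -i silent -f "$1"
}

# Constructed sample (not from a real deployment): a silent.properties that
# trips five of the checks above.
write_sample_bad() {
  cat > "$1" <<'EOF'
NOVL_CONFIG_LDAPHOST=idv.example.com
NOVL_CONFIG_LDAPADMIN=cn=admin,o=example
NOVL_CONFIG_LDAPADMINPASS=hunter2
NOVL_CONFIG_LDAPSECUREPORT=636
NOVL_CONFIG_SECUREADMINCONNECTION=False
NOVL_CONFIG_SECUREUSERCONNECTION=True
NOVL_CONFIG_ANONYMOUS=True
NOVL_CONFIG_GUEST=cn=guest,ou=users,o=example
NOVL_CONFIG_CREATEDIRECTORYINDEX=true
NOVL_CONFIG_REMOVEDIRECTORYINDEX=true
NOVL_CONFIG_SERVERDN=cn=idv1,o=example
NOVL_CONFIG_NOTFSMTPEMAILHOST=localhost
NOVL_CREATE_DB=now
RUN_LDAPCONFIG=Now
EOF
}
```

Run it as root from the directory that holds IdmUserApp.bin, after exporting the passwords as described in Section 32.3.1. lint_silent_properties returns the number of findings, so it can gate a provisioning pipeline: the sample above yields five (a password in the file, a cleartext admin connection, both index options true, guest together with the anonymous account, and an SMTP host of localhost), and a copy with those five lines corrected yields none.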