32.2 Using the Guided Process to Install the Identity Applications

The following procedure describes how to install the identity applications using an installation wizard, either in GUI format or from the console. To perform a silent, unattended installation, see Section 32.3, Silently Installing the Identity Applications.

To prepare for the installation, review the activities listed in Section 32.1, Checklist for Installing the Identity Applications. Also see the Release Notes accompanying the release.

NOTE:

  • The installation program does not save the values that you enter as you progress through the windows in the wizard. If you click Previous to return to an earlier window, you must re-enter the configuration values.

  • The installation program creates the novlua user account and sets the permissions on the application server files for this user. For example, the idmapps_tomcat_init script uses this user account to run Tomcat.

  • When you deploy Home and Dashboard wars on WebSphere,

    • The Map modules to server option displays the module value of uadash for both wars. The URI values must match the war being deployed.

    • The Map context roots for Web modules option displays the module value of uadash for both wars. The URI values must match the war being deployed.

    • Deploy the wars with the context values that match the name of their .war file. For dash.war, specify the context value as dash and for landing.war, specify the context as landing.

    • Make sure the war files are deployed on the same WebSphere node as the User Application (IDMProv.war).

  • When you deploy Catalog Administrator (rra.war) on WebSphere, specify the context value in the Map context roots for Web modules as rra. Make sure you deploy rra.war on the same WebSphere node as the User Application (IDMProv.war).

To install with the guided process:

  1. Log in as a root or administrative user to the computer where you want to install the identity applications.

  2. (Conditional) To install in a WebSphere environment, apply the unrestricted policy files to the supported IBM JDK.

    For more information, see the IBM documentation for a link to these files and instructions for applying them. The JAR file for unrestricted policy files must be located in the JAVA_HOME\jre\lib\security directory.

    Without these unrestricted policy files, an error will occur that says “Illegal key size”. The root cause of this problem is the lack of unrestricted policy files, so be sure to use the correct IBM JDK.

  3. Stop the application server, such as Tomcat.

  4. (Conditional) If you have the .iso image file for the Identity Manager installation package, navigate to the directory containing the installation files, located by default in the products/RBPM/user_app_install directory.

  5. (Conditional) If you downloaded the installation files, complete the following steps:

    1. Navigate to the .tgz or win.zip file for the downloaded image.

    2. Extract the contents of the file to a directory on the local computer.

  6. From the directory that contains the installation files, complete one of the following actions:

    • Linux (console): Enter ./IdmUserApp.bin -i console

    • Linux (GUI): Enter ./IdmUserApp.bin

    • Windows: Run IdmUserApp.exe

  7. Complete the guided process, using the following parameters:

    • Application Server Platform

      Represents the application server on which you want to run the identity applications. The application server must already be installed.

      For your convenience, NetIQ provides Tomcat.

    • Installation Folder

      Represents the path to a directory where the installation program creates the application files.

    • Database Platform

      Represents the platform of the User Application database. The database software must already be installed. However, you do not need to create the database schema during installation.

      For your convenience, NetIQ provides PostgreSQL.

    • Database Host and Port

      Represents the settings for the server that hosts the User Application database.

      NOTE: In a cluster environment, you must specify the same database settings for each member in the cluster.

      Host

      Specifies the name or IP address of the server.

      Port

      Specifies the port that you want the server to use for communication with the User Application.

    • Database Username and Password

      Represents the settings for running the User Application database.

      NOTE:

      • If you installed PostgreSQL as part of the installation for this version of Identity Manager, the installation process already created the database and database administrator. By default, the installed database is idmuserappdb and the database user is idmadmin. Specify the same values that you used for the PostgreSQL installation.

      • In a cluster environment, you must specify the same database name, username, and password for each member in the cluster.

      Database Name or SID

      Specifies the name of the database according to the database platform. By default, the database name is idmuserappdb.

      • For a PostgreSQL or SQL Server database, specify the name.

      • For an Oracle database, specify the Security Identifier (SID) that you created with the database instance.

      Database Username

      Specifies the name of an account that allows the User Application to access and modify data in the databases.

      Database Password

      Specifies the password for the specified username.

      Database Driver JAR File

      Specifies the JAR file for the database platform.

      The database vendor provides the driver JAR file, which represents the Thin Client JAR for the database server. For example, for PostgreSQL, you might specify postgresql-9.3-1101.jdbc41.jar, by default in the opt\netiq\idm\apps\Postgres folder.

      NetIQ does not support driver JAR files from third-party vendors.

    • Database Administrator

      Optional

      Represents the name and password for the database administrator.

      This field automatically lists the same user account and password that you specified for Database Username and Password. To use that account, do not make any changes.

      Database administrator

      (Optional) Specifies the account for a database administrator that can create database tables, views, and other artifacts.

      Password

      (Optional) Specifies the password for the database administrator.

    • Create Database Tables

      Indicates whether you want to configure your new or existing database as part of the installation process, or afterward.

      Create Tables Now

      The installation program creates the database tables as part of the installation process.

      Create Tables at Application Startup

      The installation program leaves instructions to create the tables when the User Application starts for the first time.

      Write SQL to File

      Generates a SQL script that the database administrator can run to create the databases. If you choose this option, you must also specify a name for Schema File. The setting is in the SQL Output File configuration.

      You might select this option if you do not have permissions to create or modify a database in your environment. For more information about generating the tables with the file, see Section 34.2, Manually Creating the Database Schema.

    • New Database or Existing Database

      Specifies whether the database is new and empty or already contains User Application tables. Use the following considerations:

      • New Database

        If the database used is new, click New Database. Ensure that a database exists before selecting this option.

      • Existing Database

        If the database already exists and contains User Application tables from a previous installation, select Existing Database.

        If the existing database runs on an Oracle platform, you must prepare Oracle before updating the schema. For more information, see Section 54.7.1, Preparing an Oracle Database for the SQL File.

      After selecting the database type, you must specify when the database tables should be created. The Create Database Tables screen gives you the option to create tables at installation time or at application startup. Alternatively, you can create a schema file at installation time, which the Database Administrator would use to create the tables later.

      If you want to generate a schema file, select the Write SQL to File button and provide a name for the file in the Schema Output File field.

    • Test Database Connection

      Specifies whether you want the installer to connect to the database for creating tables directly or for creating the .sql file.

      The installation program attempts the connection when you click Next or press Enter.

      NOTE: You can continue with installation if the database connection fails. However, after installation, you must manually create the tables and connect to the database. For more information, see Section 34.2.2, Manually Creating the SQL File to Generate the Database Schema.

    • Java Install

      Represents the path to the JRE file used to launch the installation program. For example, /root/opt/java/jre7.

    • Application Server Configuration

      Represents the path to the installation files for the application server. For example, /opt/apache-tomcat-7.0.52. The installation process adds some files to this folder.

    • IDM Configuration

      Represents the settings for the identity application context used in URLs and for the workflow engine.

      Single node (Default) or cluster (All)

      Applies only when you are installing the provisioning WAR file on a node in a JBoss cluster.

      Specifies the configuration for the application server. For example, if this installation is on a single node that is not part of a cluster, select default.

      If you select all, you must specify the workflow engine ID.

      Application Context

      Specifies a name that represents the application server configuration, the application WAR file, and the name in the URL context.

      The installation script creates a server configuration, then names the configuration according to the name that you created when installing the application server. For example, IDMProv.

      IMPORTANT: NetIQ recommends that you make a note of the specified Application Context. You will use this application name in the URL when you start the identity applications from a browser.

      Workflow Engine ID

      Applies only when you are installing the provisioning WAR file on a node in a JBoss cluster.

      Specifies the ID for the workflow engine.

      The engine ID cannot exceed 32 characters. For more information about workflow engine IDs, see the section on configuring workflows for clustering in the User Application: Administration Guide.

    • Select Audit Logging Type

      Indicates whether you want to send log events to an auditing server. Specify Yes or No.

    • Audit Logging

      Applies only when you specify Yes for Select Audit Logging Type.

      Indicates the type of logging that you want to enable.

      For more information about setting up logging, see the User Application Administration Guide.

      Novell Identity Audit or NetIQ Sentinel

      Enables logging through a Novell or NetIQ client for the User Application.

      NOTE: If you choose this option, you must also specify the hostname or IP address for the client server and the path to the log cache. These settings are in the Novell Identity Audit or NetIQ Sentinel configuration section.

      OpenXDAS

      Enables the User Application to send events to your OpenXDAS logging server.

    • Security - Master Key

      Indicates whether you want to import an existing master key. The User Application uses the master key to access encrypted data. Specify Yes or No.

      You might want to import the master key in the following situations:

      • After installing the first instance of the identity applications in a cluster. Every instance of the User Application in a cluster must use the same master key. For more information, see Section 31.4.3, Using the Same Master Key for Each User Application in the Cluster.

      • If you are moving your installation from a staging system to a production system and want to keep access to the database you used with the staging system.

      • If you are restoring your User Application and you want to access the encrypted data stored by your previous version of the User Application.

      Yes

      Specifies that you want to import an existing master key.

      No

      Specifies that you want the installation program to create the key.

      By default, the installation procedure writes the encrypted master key to the master-key.txt file in the installation directory.

    • Import Master Key

      Applies only when you specify Yes for Security - Master Key.

      Specifies the master key that you want to use. You can copy the master key from the master-key.txt file.

    • Application server connection

      Represents the settings of the URL that users need to connect to the identity applications on the application server. For example, https://myserver.mycompany.com:8080.

      NOTE: If OSP runs on a different instance of the Tomcat application server, you must also select Connect to an external authentication server and specify values for the OSP server.

      Protocol

      Specifies whether you want to use http or https. To use Secure Sockets Layer (SSL) for communications, specify https.

      Host Name

      Specifies the DNS name or IP address of the server hosting OSP. Do not use localhost.

      Port

      Specifies the port that you want the server to use for communication with client computers.

      Connect to an external authentication server

      Specifies whether a different instance of the application server hosts the authentication server (OSP). The authentication server contains the list of users who can log in to SSPR.

      If you select this setting, also specify values for the authentication server’s Protocol, Host name, and Port.

    • Authentication server details

      Specifies the password that you want the identity applications to use when connecting to the authentication server. Also referred to as the client secret. The installation process creates this password.

  8. Configure the settings for the identity applications in the Config Update window.

    1. Browse for the Identity Vault DNs.

    2. Click OK.

    NOTE:

  9. (Conditional) In a GUI installation, to immediately configure the identity applications, complete the following steps in the Configure IDM window:

    1. Click Yes and then click Next.

    2. In Roles Based Provisioning Module Configuration, click Show Advanced Options.

    3. Modify the settings as needed.

      NOTE:

      • For more information about specifying the values, see Section 35.0, Configuring the Settings for the Identity Applications.

      • In production environments, all administrator assignments are restricted by licensing. NetIQ collects monitoring data in the audit database to ensure that production environments comply. Also, NetIQ recommends that only one user be given the permissions of the Security Administrator.

    4. Click OK.

  10. (Conditional) In a console installation, to immediately configure the identity applications, complete the following steps:

    1. Launch the configuration update utility from the command line:

      • Linux: configupdate.sh

      • Windows: configupdate.bat

    2. (Optional) To create the NMAS certificate, navigate to SSO Clients > RBPM, and then change RBPM to eDirectory SAML configuration to Auto.

    3. Specify values for other settings as described in Section 35.0, Configuring the Settings for the Identity Applications.

  11. Click Next.

  12. In the Pre-Installation Summary window, click Install.

  13. (Optional) Review the installation log files. For results of the basic installation, see the user_application_install_log.log file in the /opt/netiq/idm/apps/UserApplication/logs/ directory.

    For information about the identity applications configuration, see the NetIQ-Custom-Install.log file in the /opt/netiq/idm/apps/UserApplication/ directory.

  14. (Optional) If you are using an external password management WAR, manually copy the WAR to the installation directory and to the remote application server deploy directory that runs the external password WAR functionality.

  15. (Conditional) If you are installing the identity applications on JBoss Enterprise Application Platform (EAP), continue to Post-Installation Steps for JBoss.

  16. (Conditional) In a WebSphere environment, create new JVM system properties for the User Application. For more information, see Section 32.6.2, Adding User Application Configuration Files and JVM System Properties.

  17. Continue with the post-installation tasks described in Section 34.0, Completing the Installation of the Identity Applications.
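A pre-flight script covering three checks a practitioner would run around this procedure: the unrestricted policy files from step 2 (the cause of "Illegal key size"), the vendor driver JAR from Database Driver JAR File, and the permissions on the master-key.txt file written under Security - Master Key. This is an added example, not part of the NetIQ documentation or installer; the policy JAR names local_policy.jar and US_export_policy.jar and the paths passed as arguments are assumptions.

```shell
#!/bin/sh
# Pre-flight checks before running IdmUserApp.bin (added example, not NetIQ's code).
# Usage: preflight JAVA_HOME DRIVER_JAR MASTER_KEY_FILE
#   e.g. preflight /opt/ibm/java /opt/netiq/idm/apps/Postgres/postgresql-9.3-1101.jdbc41.jar \
#                  /opt/netiq/idm/apps/UserApplication/master-key.txt   (assumed paths)

# 0 when both unrestricted (JCE unlimited-strength) policy JARs sit under
# $1/jre/lib/security. Missing JARs are what produces "Illegal key size".
# The two file names are the standard JDK names (assumption, not from the page).
check_policy_jars() {
  sec="$1/jre/lib/security"
  [ -f "$sec/local_policy.jar" ] && [ -f "$sec/US_export_policy.jar" ]
}

# 0 when the vendor-supplied JDBC driver JAR exists and is readable.
check_driver_jar() {
  [ -f "$1" ] && [ -r "$1" ]
}

# 0 when the master key file is readable only by its owner (mode 600 or 400).
# The key unlocks encrypted data in the User Application database, so it must
# not be group- or world-readable.
check_master_key_perms() {
  [ -f "$1" ] || return 1
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  case "$mode" in
    600|400) return 0 ;;
    *)       return 1 ;;
  esac
}

# Run every check, print one line per check, return the number of failures.
preflight() {
  fails=0
  check_policy_jars "$1" && echo "ok   policy JARs under $1" \
    || { echo "FAIL policy JARs missing under $1/jre/lib/security"; fails=$((fails+1)); }
  check_driver_jar "$2" && echo "ok   driver JAR $2" \
    || { echo "FAIL driver JAR $2 missing or unreadable"; fails=$((fails+1)); }
  check_master_key_perms "$3" && echo "ok   master key perms $3" \
    || { echo "FAIL $3 missing or readable by group/others"; fails=$((fails+1)); }
  return "$fails"
}
```

The exit status equals the number of failed checks, so the script can gate an automated install run.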