7.2 Prerequisites and Considerations for Installing the Identity Vault

Identity Vault uses a directory to store the objects that are synchronized through the Identity Manager solution. The following sections contain guidelines that help you plan a deployment of NetIQ eDirectory to use as the framework for the Identity Vault.

7.2.1 Prerequisites for Installing the Identity Vault

NetIQ recommends that you review the following considerations before you install eDirectory as the framework for the Identity Vault:

  • Before installing eDirectory, you must have a method for resolving tree names to server referrals. NetIQ recommends using Service Location Protocol (SLP) services. Releases of NetIQ eDirectory before version 8.8 included SLP in the installation; beginning with version 8.8, you must install SLP separately. You can also use the flat file hosts.nds to resolve tree names. For more information, see Section 8.2, Using OpenSLP or hosts.nds for Resolving Tree Names.

  • (Conditional) When installing on a Linux server, you must enable the host for multicast routing, with 224.0.0.0 in the routing table. For example, enter the following command:

    route add -net 224.0.0.0 netmask 240.0.0.0 dev interface

    where interface represents a value such as eth0, hme0, hme1, or hme2, depending on the network interface card.

  • You must configure a static IP address on the server for the eDirectory infrastructure to operate reliably. If the server uses a DHCP-assigned address, eDirectory might behave unpredictably.

  • Synchronize time across all network servers. NetIQ recommends using Network Time Protocol (NTP).

  • (Conditional) To install a secondary server, all replicas of the partition into which you install the server should be in the On state.

  • (Conditional) To install a secondary server into an existing tree as a non-administrator user, create a container and then partition it. Ensure that you have the following rights:

    • Supervisor rights to the partition where you want to add the server.

    • (Windows) Supervisor rights to the container where you want to add the server.

    • All Attributes rights: read, compare, and write rights over the W0.KAP.Security object.

    • Attribute rights: read and compare rights over the Security container object.

    • Entry rights: browse rights over the Security container object.

    These rights are required for adding the replica when the replica count is less than 3.

  • (Conditional) To install a secondary server into an existing tree as a non-administrator (container admin) user, ensure that at least one server in the tree runs the same or a later eDirectory version than the secondary server being added. If the secondary server runs a later version, the tree administrator must extend the schema before the container admin adds it.

  • While configuring eDirectory, you must open the NetWare Core Protocol (NCP) port (default 524) in the firewall so that a secondary server can be added. You can also open the following default service ports, depending on your requirements; prefer the TLS-protected ports and open the clear-text ones only where a client cannot use TLS:

    • LDAP clear text - 389

    • LDAP over TLS (LDAPS) - 636

    • HTTP clear text - 8028

    • HTTPS - 8030

  • You must install Novell International Cryptographic Infrastructure (NICI) on every workstation using management utilities for eDirectory, such as iManager. NICI and eDirectory support key sizes up to 4096 bits.

    On Linux, the Identity Vault installation program, nds-install, automatically installs NICI. However, you can install NICI manually. For more information, see “Installing NICI” in the NetIQ eDirectory Installation Guide.

  • (Conditional) NICI 2.7 and eDirectory 8.8.x support key sizes up to 4096 bits. To use 4096-bit keys, you must upgrade every server to a supported version of eDirectory and install NICI 2.7 on every workstation that runs the management utilities, such as iManager and ConsoleOne.

    When you upgrade your Certificate Authority (CA) server to a supported version of eDirectory, the CA key size does not change; it remains 2048 bits. To obtain a 4096-bit CA key, you must recreate the CA on the upgraded eDirectory server and, during CA creation, change the key size from the default of 2048 bits to 4096 bits.

  • (Conditional) If the names of containers in your eDirectory tree include a period, you must use escape characters to specify the Admin name, admin context, and server context parameters during installation and when adding a server to an existing tree. For more information, see Section 8.1, Using Escape Characters when a Container Name Includes a Period (“.”).
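The Linux prerequisites above (multicast route, static address, time synchronization, firewall ports) can be checked before the installer runs. The following script is an added example, not code from the NetIQ guide or from eDirectory itself. Each check takes the text output of a system command as its argument, so it runs here against constructed sample output and can be pointed at live output (ip -4 route show, ip -4 addr show dev eth0, timedatectl show -p NTPSynchronized --value, firewall-cmd --list-ports) on a real host. The interface name eth0, the use of a systemd host and firewalld, and the sample strings are assumptions.

```sh
#!/bin/sh
# Added example; not code from the NetIQ eDirectory or Identity Manager guides.
# Offline-testable preflight checks for the Linux prerequisites listed above.
# Each check takes the text output of a system command as its argument, so it
# can run against the constructed samples below or, on a real host, against
# live output. Assumptions: iproute2 output format, a systemd host for
# timedatectl, firewalld's firewall-cmd for the port list, and eth0 as the NIC.

# Ports from the prerequisites list: NCP 524 (mandatory for adding a secondary
# server), LDAP 389, LDAPS 636, HTTP 8028, HTTPS 8030 (optional per requirements).
REQUIRED_PORTS="524/tcp 389/tcp 636/tcp 8028/tcp 8030/tcp"

# Check 1: a route for 224.0.0.0/4 (netmask 240.0.0.0) must exist, as created by
# the guide's `route add -net 224.0.0.0 netmask 240.0.0.0 dev eth0`.
# Usage on a host: has_multicast_route "$(ip -4 route show)"
has_multicast_route() {
  printf '%s\n' "$1" | grep -Eq '^224\.0\.0\.0/4[[:space:]]+dev[[:space:]]'
}

# Check 2: the server must use a static address. iproute2 tags addresses obtained
# from DHCP with the "dynamic" flag, so succeed only if at least one global IPv4
# address is present and none of them is dynamic.
# Usage on a host: addr_is_static "$(ip -4 addr show dev eth0)"
addr_is_static() {
  inet_lines=$(printf '%s\n' "$1" | grep -E '^[[:space:]]*inet [0-9.]+/[0-9]+ .*scope global' || :)
  [ -n "$inet_lines" ] || return 1
  ! printf '%s\n' "$inet_lines" | grep -q ' dynamic'
}

# Check 3: clocks must be synchronized; timedatectl reports "yes" or "no".
# Usage on a host: ntp_synchronized "$(timedatectl show -p NTPSynchronized --value)"
ntp_synchronized() {
  [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "yes" ]
}

# Check 4: print the required ports that the firewall does not yet allow,
# space-separated, or nothing if all are open.
# Usage on a host: missing_ports "$(firewall-cmd --list-ports)"
missing_ports() {
  open=" $(printf '%s' "$1" | tr '\n' ' ') "
  missing=""
  for p in $REQUIRED_PORTS; do
    case "$open" in
      *" $p "*) ;;
      *) missing="$missing${missing:+ }$p" ;;
    esac
  done
  printf '%s\n' "$missing"
}

# Constructed sample outputs (not captured from a real system).
SAMPLE_ROUTES='default via 192.0.2.1 dev eth0 proto static
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10
224.0.0.0/4 dev eth0 scope link'
SAMPLE_ROUTES_NO_MCAST='default via 192.0.2.1 dev eth0 proto static
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10'
SAMPLE_ADDR_STATIC='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0
       valid_lft forever preferred_lft forever'
SAMPLE_ADDR_DHCP='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet 192.0.2.50/24 brd 192.0.2.255 scope global dynamic eth0
       valid_lft 3412sec preferred_lft 3412sec'
SAMPLE_FIREWALL_PORTS='524/tcp 636/tcp'

# Report one line per check; a failure names the remediation.
report() { if "$1" "$2"; then echo "PASS: $3"; else echo "FAIL: $3 ($4)"; fi; }

report has_multicast_route "$SAMPLE_ROUTES_NO_MCAST" "multicast route" \
  "run: ip route add 224.0.0.0/4 dev eth0"
report addr_is_static "$SAMPLE_ADDR_DHCP" "static address" \
  "replace the DHCP lease with a static address"
report ntp_synchronized "no" "time synchronized" "enable NTP"
m=$(missing_ports "$SAMPLE_FIREWALL_PORTS")
if [ -z "$m" ]; then echo "PASS: firewall ports"; else echo "FAIL: firewall ports (open: $m)"; fi
```

On a host without firewalld, replace the port check's input with the equivalent nft or iptables listing; the required set stays the same. The clear-text ports 389 and 8028 are included only because the prerequisites list them as defaults; drop them from REQUIRED_PORTS if every client uses LDAPS and HTTPS.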

7.2.2 Prerequisites for Installing the Identity Vault as a Non-root User

To install the Identity Vault as a non-root user, your environment must meet the following conditions:

  • You cannot install the Identity Vault in a cluster environment as a non-root user.

  • The SNMP subagent (NOVLsubag) must be installed and configured on the server by the root user.

    To install NOVLsubag, enter the following command (the --nodeps flag skips RPM dependency checking):

    rpm -ivh --nodeps NOVLsubag_rpm_file_name_with_path

    For example:

    rpm -ivh --nodeps novell-NOVLsubag-8.8.1-5.i386.rpm

    To configure SNMP, manually export the paths for the environment variables using the following commands:

    export LD_LIBRARY_PATH=custom_location/opt/novell/eDirectory/lib64:/opt/novell/eDirectory/lib64/nds-modules:/opt/novell/lib64:$LD_LIBRARY_PATH
    export PATH=/opt/novell/eDirectory/bin:$PATH
    export MANPATH=/opt/novell/man:$MANPATH

  • (Conditional) To use SLP and SNMP on the Identity Vault server, you must install those services as root.

  • The non-root user account that installs Identity Vault must have Write rights to the directory where you want to install.

7.2.3 Prerequisites for Installing Identity Vault on a Windows Server

NetIQ recommends that you review the following considerations before you install the Identity Vault on a Windows server:

  • You must have administrative rights to the Windows server and to all portions of the eDirectory tree that contain domain-enabled User objects. For an installation into an existing tree, you need administrative rights to the Tree object so that you can extend the schema and create objects.

  • (Conditional) Before performing a silent installation (unattended), you must install the following software on the target server:

    • Microsoft Visual C++ 2005 and Microsoft Visual C++ 2012 Redistributable Packages. By default, the installation files, vcredist_x86.exe and vcredist_x64.exe are located in the eDirectory\Windows\x64\redist_pkg folder.

    • Novell International Cryptographic Infrastructure (NICI) for both 32-bit and 64-bit. By default, the installation files are located in the eDirectory\Windows\processor_type\nici folder.

  • Because NTFS provides safer transaction handling than a FAT file system, you can install eDirectory only on an NTFS partition. If the server has only FAT file systems, do one of the following:

    • Use Disk Administrator to create a new partition and format it as NTFS.

    • Convert an existing FAT file system to NTFS using the CONVERT command.

    Refer to the Windows Server documentation for more information.

    If the server has only a FAT file system and you overlook this step, the installation program prompts you to provide an NTFS partition.

  • You must be running the latest version of the Windows SNMP service.

  • Your Windows operating system must be running the latest service packs before you begin the installation process.

  • To install on a virtual machine that has a DHCP address, or on a physical or virtual machine that SLP multicast or broadcast traffic does not reach, ensure that a Directory Agent is configured in your network. For more information, see Section 8.2.2, Understanding OpenSLP.

7.2.4 Prerequisites for Installing the Identity Vault in a Clustered Environment

Before installing the Identity Vault in a clustered environment, NetIQ recommends reviewing the following considerations:

  • You must have two or more Windows servers or Linux servers with clustering software.

  • You must have external shared storage supported by the cluster software, with sufficient disk space to store all Identity Vault and NICI data:

    • The Identity Vault DIB must be located on the cluster shared storage. State data for the Identity Vault must be located on the shared storage so that it is available to the cluster node that is currently running the services.

    • The root Identity Vault instance on each of the cluster nodes must be configured to use the DIB on the shared storage.

    • You must also share NICI data so that server-specific keys are replicated among the cluster nodes. NICI data used by all cluster nodes must be located on the cluster shared storage.

    • NetIQ recommends storing all other eDirectory configuration and log data on the shared storage.

  • You must have a virtual IP address for the clustered Identity Vault service.

  • (Conditional) If you are using eDirectory as the support structure for the Identity Vault, the nds-cluster-config utility supports configuring the root eDirectory instance only. eDirectory does not support configuring multiple instances or non-root installations of eDirectory in a cluster environment.

For more information about installing the Identity Vault in a clustered environment, see Deploying eDirectory on High Availability Clusters in the NetIQ eDirectory Installation Guide.