3.1 Creating the Driver Object in Designer

The Designer tool helps you to create the REST driver object. You need to install the driver packages and them modify the configuration to suit your environment. After you create and configure the driver, you need to deploy it to the Identity Vault and start it.

NOTE:NetIQ recommends that you use the new package management features provided in Designer to create the REST driver. You should not create the driver objects by using the new Identity Manager 4.0 and later or configuration files through iManager. This method of creating driver objects is no longer supported.

3.1.1 Importing the Current Driver Packages

The driver packages contain the items required to create a driver, such as policies, entitlements, filters, and Schema Mapping policies. These packages are only available in Designer and can be updated after they are initially installed. You must have the most current version of the packages in the Package Catalog before you can create a new driver object.

To verify that you have the most recent version of the driver packages in the Package Catalog:

  1. Open Designer.

  2. In the toolbar, click Help > Check for Package Updates.

  3. Click OK to update the packages

    or

    Click OK if the packages are up-to-date.

  4. In the Outline view, right-click the Package Catalog.

  5. Click Import Package.

  6. Select any REST driver packages

    or

    Click Select All to import all of the packages displayed.

    By default, only the base packages are displayed. Deselect Show Base Packages Only to display all packages.

  7. Click OK to import the selected packages, then click OK in the successfully imported packages message.

  8. After the current packages are imported, continue with Section 3.1.2, Installing the Driver Packages.

3.1.2 Installing the Driver Packages

After you have imported the current driver packages into the Package Catalog, you can install the driver packages to create a new driver.

  1. In Designer, open your project.

  2. In the Modeler, right-click the driver set where you want to create the driver, then click New > Driver.

  3. Select REST Base, then click Next.

    NOTE:You can only select one base package.

  4. Select the type of REST driver packages to install, then click Next.

  5. Select the optional features to install for the REST driver, then click Next.

    The options are:

    Password Synchronization: This packages contains the policies that enable the REST driver to synchronize passwords. If you want to synchronize passwords, verify that this option is selected. For more information, see the NetIQ Identity Manager Password Management Guide.

    Default JSON Configuration: This package contains the default JSON configurations.

    Permission Collection and Reconciliation Services: This package contains policies for quick onboarding of custom entitlements and dynamic resource creation. This package contains GCVs to control the resource mapping. Select this package if you want to enable the entitlement onboarding feature for this driver. For more information about creating custom entitlements, see Section 3.4, Creating Custom Entitlements.

    For more information about PCRS, see “Understanding Permission Collection and Reconciliation Service” in the NetIQ Identity Manager Driver Administration Guide.

  6. (Conditional) If there are package dependencies for the packages you selected to install, you must install them to install the selected package. Click OK to install the package dependency listed.

  7. (Conditional) If more than one type of package dependency must be installed, you are presented with these packages separately. Continue to click OK to install any additional package dependencies.

  8. On the Driver Information page, specify a name for the driver, then click Next.

  9. On the Install REST Base page, fill in the following fields for the Subscriber options, then click Next:

    Authentication Method: Select the authentication method for the REST driver.

    NOTE:The authentication methods available are Anonymous, Basic, and OAuth2.0. You need to specify additional parameters depending upon the selected authentication method. For more information, see Section A.1, Driver Configuration.

    Authorization Header Fields: Click the icon to create authentication header fields.

    Truststore file: Specify the path and the name of the keystore file that contains the trusted certificates for the remote server to provide server authentication. For example, c:\security\truststore. Leave this field blank when server authentication is not used.

    Set mutual authentication parameters: Select Show if you want to set mutual authentication information.

    • Keystore file: Specify the path and the name of the keystore file that contains the trusted certificates for the remote server to provide mutual authentication. For example, C:\security\keystore. Leave this field blank when mutual authentication is not used.

    • Keystore password: Specify the password for the keystore file. Leave this field blank when mutual authentication is not used.

    HTTP Connection Timeout: Specify the HTTP connection time out value. The driver waits for the time specified and terminates the HTTP connection. The timeout value must be greater than zero.

    Proxy host and port: Specify the host address and the host post when a proxy host and port are used. For example: 192.168.0.0:port. Choose an unused port number on your server. Otherwise, leave this field blank.

    HTTP Errors to Retry: Specify the HTTP errors that must return a retry status. Error codes must be a list of integers separated by spaces. For example, 307 408 503 504.

    Base URL of the REST Resources: Specify the URL of the REST server or Web service.

    NOTE:The Configure Resources to synchronize option is not available in the Designer tool to configure the class-name. You should use iManager to configure the resources for the REST driver to start successfully. For example, if user is the class-name, ensure that you specify the Schema name as user under Resources section in the Driver Configuration.

  10. On the Install REST Base page, fill in the following fields for the Publisher options, then click Next:

    Publisher Setting: Specify the publisher setting for the REST driver. You can either select Publish or Poll mode. Default is Publish.

    If you select Publish, fill in the following parameters:

    Listening IP address and port: Specify the IP address of the server where this driver is installed and the port that this driver listens on. You can specify 127.0.0.1 if there is only one network card installed in the server. Choose an unused port number on your server. For example: 127.0.0.1:port. The driver listens on this address for incoming requests, processes the requests, and returns a result.

    Authentication Method: Select the authentication method for the REST driver.

    NOTE:The authentication methods available are Anonymous and Basic. You need to specify additional parameters depending upon the selected authentication method. For more information, see Section A.1, Driver Configuration.

    If Poll mode is selected, fill in the following parameters:

    Configure Resource for Poll: Click the icon to configure resource poll.

    Search Results to Synchronize on First Startup: Specify the synchronization setting for search results. When this driver starts for the first time, it performs a search on the application. The search results are synchronized depending upon the specified parameter.

    • Synchronize only subsequent changes: Select this option to synchronize only the subsequent changes.

    • Synchronize everything: Select this option to synchronize the initial search results.

    Polling interval in minutes: Specify the polling interval in minutes. Default is one minute.

    KMO name: When this server is configured to accept HTTPS connections, this is the KMO name in eDirectory. The KMO name is the name before the - in the RDN. Leave this field blank when a keystore file is issued or when HTTPS connections are not used.

    Keystore file: When this server is configured to accept HTTPS connections, this is the path and the name of the keystore file. For example; C:\security\keystore. Leave this field blank when a KMO name is used or when HTTPS connections are not used.

    Keystore password: When this server is configured to accept HTTPS connections, this is the keystore file password. Leave this field blank when a KMO name is used or when HTTPS connections are not used.

    Server key alias: When this server is configured to accept HTTPS connections, this is the key alias. Leave this field blank when a KMO name is used or when HTTPS connections are not used.

    Server key password: When this server is configured to accept HTTPS connections, this is the key alias password (not the keystore password). Leave this field blank when a KMO name is used or when HTTPS connections are not used.

    Require mutual authentication: When using SSL, it is common to do only server authentication. However, if you want to force both client and server to present certificates during the handshake process, select Required.

    Heartbeat interval in minutes: Specify the heartbeat interval in minutes. Leave this field blank to turn off the heartbeat.

  11. Fill in the following fields for the Remote Loader information, then click Next:

    Connect To Remote Loader: Select Yes or No to determine if the driver will use the Remote Loader. For more information, see Configuring the Remote Loader and Drivers in the NetIQ Identity Manager Setup Guide.

    If you select No, skip to Step 12. If you select Yes, use the following information to complete the configuration of the Remote Loader:

    Host Name: Specify the IP address or DNS name of the server where the Remote Loader is installed and running.

    Port: Specify the port number for this driver. Each driver connects to the Remote Loader on a separate port. The default value is 8090.

    KMO: Specify the key name of the Key Material Object that includes keys and certificates for SSL. You use this parameter only when an SSL connection exists between the Remote Loader and the Metadirectory engine.

    NOTE:When this server is configured to accept HTTPS connections, this is the KMO name in eDirectory. The KMO name is the name before the - in the RDN. Leave this field blank when a keystore file is issued or when HTTPS connections are not used.

    Other Parameters: Specify any other parameter required in the connection string. The parameter must be a key-value pair. For example, paraName1=paraValue1.

    Remote Loader Password: Specify a password to control access to the Remote Loader. It must be the same password that is specified as the Remote Loader password on the Remote Loader.

    Driver Password: Specify a password for the driver to authenticate to the Metadirectory server. It must be the same password that is specified as the Driver Object Password on the Remote Loader.

  12. Review the summary of tasks that will be completed to create the driver, then click Finish.

  13. After you have installed the driver, you must change the configuration for your environment. Proceed to Section 3.1.3, Configuring the Driver Object.

3.1.3 Configuring the Driver Object

After the driver packages are installed, you need to configure the driver before it can run. You should complete the following tasks to configure the driver:

  • Configure the driver parameters: There are many settings that can help you customize and optimize the driver. The settings are divided into categories such as Driver Configuration, Engine Control Values, and Global Configuration Values (GCVs). Although it is important for you to understand all of the settings, your first priority should be to review the Driver Parameters located on the Driver Configuration page. The Driver Parameters let you configure the publication method and other parameters associated with the Publisher channel.

  • Customize the driver policies and filter: The driver policies and filter control data flow between the Identity Vault and the application. You should ensure that the policies and filters reflect your business needs. For instructions, see Section 4.0, Customizing the Driver for RESTful Services.

  • Set Up a Secure HTTPS Connection: The connection between the driver and the RESTful connected system can be configured to use a secure HTTPS connection rather than an HTTP connection.

After completing the configuration tasks, continue with either Creating Custom Entitlements or Deploying the Driver Object.

3.1.4 Deploying the Driver Object

After the driver object is created in Designer, it must be deployed into the Identity Vault.

  1. In Designer, open your project.

  2. In the Modeler, right-click the driver icon or the driver line, then select Live > Deploy.

  3. If you are authenticated to the Identity Vault, skip to Step 4; otherwise, specify the following information, then click OK:

    Host: Specify the IP address or DNS name of the server hosting the Identity Vault.

    Username: Specify the DN of the user object used to authenticate to the Identity Vault.

    Password: Specify the user’s password.

  4. Read the deployment summary, then click Deploy.

  5. Read the message, then click OK.

  6. Click Define Security Equivalence to assign rights to the driver.

    The driver requires rights to objects within the Identity Vault. The Admin user object is most often used to supply these rights. However, you might want to create a DriversUser (for example) and assign security equivalence to that user. Whatever rights that the driver needs to have on the server, the DriversUser object must have the same security rights.

    1. Click Add, then browse to and select the object with the correct rights.

    2. Click OK twice.

      For more information about defining a Security Equivalent User in objects for drivers in the Identity Vault, see “Establishing a Security Equivalent User” in the Identity Manager 4.0.2 Security Guide.

  7. Click Exclude Administrative Roles to exclude users that should not be synchronized.

    You should exclude any administrative User objects (for example, Admin and DriversUser) from synchronization.

    1. Click Add, then browse to and select the user object you want to exclude, then click OK.

    2. Repeat Step 7.a for each object you want to exclude, then click OK.

  8. Click OK.

  9. Continue with the next section, Starting the Driver.

3.1.5 Starting the Driver

When a driver is created, it is stopped by default. To make the driver work, you must start the driver. Identity Manager is an event-driven system, so after the driver is started, it won’t do anything until an event occurs. You can use iManager or dxevent commands to start the driver.

To start the driver using Designer:

  1. In Designer, open your project.

  2. In the Modeler, right-click the driver icon or the driver line, then select Live > Start Driver.

To start the driver using iManager:

To start the driver using iManager:

  1. In iManager, click to display the Identity Manager Administration page.

  2. Click Identity Manager Overview.

  3. Browse to and select the driver set object that contains the driver you want to start.

  4. Click the driver set name to access the Driver Set Overview page.

  5. Click the upper right corner of the driver, then click Start driver.

IMPORTANT:When you start the driver for the first time, don't add new users to the Publisher channel until the first polling interval completes because the driver treats all users as existing users and stores them in the change cache without sending them to the Identity Manager engine. It sends the new users to the Identity Manager engine from the next polling interval. Therefore, ensure that new users are added to the Publisher channel after the first polling cycle completes.