8.2 Installing the User Application with a Single Command

This procedure describes how to do a silent install. A silent install requires no interaction during the installation and can save you time, especially when you install on more than one system. Silent install is supported for Linux and Solaris.

  1. Obtain the appropriate installation files listed in Table 2-2.

  2. Log in and open a terminal session.

  3. Locate the Identity Manager properties file, silent.properties, which is bundled with the installation files. If you are working from a CD, make a local copy of this file.

  4. Edit silent.properties to supply your installation parameters and User Application configuration parameters.

    See the silent.properties file for an example of each installation parameter. The installation parameters correspond to the installation parameters you set in the GUI or Console installation procedures.

    See Table 8-1 for a description of each User Application configuration parameter. The User Application configuration parameters are the same ones you can set in the GUI or Console installation procedures or with the configupdate utility.

  5. Launch the silent install as follows:

    java -jar IdmUserApp.jar -i silent -f /yourdirectorypath/silent.properties

    Type the full path to silent.properties if that file is in a different directory from the installer script. The script unpacks the necessary files to a temporary directory and launches the silent install.
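Because silent.properties carries the LDAP administrator and keystore passwords in plaintext and is consumed without any interactive confirmation, it is worth checking the file before launching the installer. The script below is an added example, not part of the Identity Manager installer: it checks a subset of the keys Table 8-1 marks "Required", the rule that the create-index and remove-index flags cannot both be true, that the keystore the installer rewrites is writable, and that the file is not world-readable. Treating NOVL_CONFIG_SECUREADMINCONNECTION=False as a finding is this script's own policy (a simple bind over a plain socket sends the admin password in the clear), not an installer rule.

```shell
#!/bin/sh
# Pre-flight checks on a silent.properties file, to run before
#   java -jar IdmUserApp.jar -i silent -f /yourdirectorypath/silent.properties
# Added example, not part of the Identity Manager installer. The required-key
# list is a subset of Table 8-1; flagging SECUREADMINCONNECTION!=True is this
# script's own policy (assumption), not an installer requirement.

# prop FILE KEY: print the last value assigned to KEY (empty if absent)
prop() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# check_silent_props FILE: return 0 if clean, 1 otherwise; one line per finding
check_silent_props() {
    f=$1; rc=0
    for k in NOVL_CONFIG_LDAPHOST NOVL_CONFIG_LDAPADMIN NOVL_CONFIG_LDAPADMINPASS \
             NOVL_CONFIG_LDAPSECUREPORT NOVL_CONFIG_KEYSTOREPATH NOVL_CONFIG_SESSIONTIMEOUT
    do
        [ -n "$(prop "$f" "$k")" ] || { echo "missing required key: $k"; rc=1; }
    done
    # Table 8-1: the create-index and remove-index flags cannot both be true
    c=$(prop "$f" NOVL_CONFIG_CREATEDIRECTORYINDEX | tr '[:upper:]' '[:lower:]')
    r=$(prop "$f" NOVL_CONFIG_REMOVEDIRECTORYINDEX | tr '[:upper:]' '[:lower:]')
    if [ "$c" = true ] && [ "$r" = true ]; then
        echo "create and remove eDirectory index cannot both be true"; rc=1
    fi
    a=$(prop "$f" NOVL_CONFIG_SECUREADMINCONNECTION | tr '[:upper:]' '[:lower:]')
    [ "$a" = true ] || { echo "NOVL_CONFIG_SECUREADMINCONNECTION is not True"; rc=1; }
    # Table 8-1: the installer modifies the JRE cacerts file, so it must be writable
    ks=$(prop "$f" NOVL_CONFIG_KEYSTOREPATH)
    if [ -n "$ks" ] && [ ! -w "$ks" ]; then
        echo "keystore not writable (or missing): $ks"; rc=1
    fi
    # The file holds the LDAP admin and keystore passwords in plaintext
    if [ -n "$(find "$f" -perm -004)" ]; then
        echo "$f is world-readable; chmod 600 it"; rc=1
    fi
    return $rc
}

# Demo on a constructed file with placeholder values (not a real deployment)
demo=$(mktemp -d)
printf '%s\n' 'NOVL_CONFIG_LDAPHOST=idvault.example.test' \
    'NOVL_CONFIG_CREATEDIRECTORYINDEX=true' \
    'NOVL_CONFIG_REMOVEDIRECTORYINDEX=True' > "$demo/silent.properties"
chmod 644 "$demo/silent.properties"
check_silent_props "$demo/silent.properties" || echo "fix the findings before installing"
```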

Table 8-1 User Application Configuration Parameters for a Silent Install

Columns: User Application Parameter Name in silent.properties; Equivalent Parameter Name in the User Application Configuration Parameters File (followed by its description). Each entry below gives the silent.properties name first.

NOVL_CONFIG_LDAPHOST=

eDirectory™ Connection Settings: LDAP Host.

Specify the hostname or IP address for your LDAP server.

NOVL_CONFIG_LDAPADMIN=

eDirectory Connection Settings: LDAP Administrator.

Specify the credentials for the LDAP Administrator. This user must already exist. The User Application uses this account to make an administrative connection to the Identity Vault. This value is encrypted, based on the master key.

NOVL_CONFIG_LDAPADMINPASS=

eDirectory Connection Settings: LDAP Administrator Password.

Specify the LDAP Administrator password. This password is encrypted, based on the master key.

NOVL_CONFIG_ROOTCONTAINERNAME=

eDirectory DNs: Root Container DN.

Specify the LDAP distinguished name of the root container. This is used as the default entity definition search root when no search root is specified in the directory abstraction layer.

NOVL_CONFIG_PROVISIONROOT=

eDirectory DNs: Provisioning Driver DN.

Specify the distinguished name of the User Application driver that you created earlier in Section 4.1, Creating the User Application Driver in iManager. For example, if your driver is UserApplicationDriver and your driver set is called myDriverSet, and the driver set is in a context of o=myCompany, you type a value of:

cn=UserApplicationDriver,cn=myDriverSet,o=myCompany

NOVL_CONFIG_LOCKSMITH=

eDirectory DNs: User Application Admin.

An existing user in the Identity Vault who has the rights to perform administrative tasks for the User Application user container specified. This user can use the Administration tab of the User Application to administer the portal.

If the User Application Administrator participates in workflow administration tasks exposed in iManager, Novell Designer for Identity Manager, or the User Application (Requests & Approvals tab), you must grant this administrator appropriate trustee rights to object instances contained in the User Application driver. Refer to the User Application: Administration Guide for details.

To change this assignment after you deploy the User Application, you must use the Administration > Security pages in the User Application.

NOVL_CONFIG_PROVLOCKSMITH=

eDirectory DNs: Provisioning Application Admin.

This role is available in the provisioning version of Identity Manager. The Provisioning Application Administrator uses the Provisioning tab (under the Administration tab) to manage the Provisioning Workflow functions. These functions are available to users through the Requests and Approvals tab of the User Application. This user must exist in the Identity Vault prior to being designated the Provisioning Application Administrator.

To change this assignment after you deploy the User Application, you must use the Administration > Security pages in the User Application.

NOVL_CONFIG_ROLECONTAINERDN=

This role is available in the Novell Identity Manager Roles Based Provisioning Module. This role allows members to create, remove, or modify all roles, and grant or revoke any role assignment to any user, group, or container. It also allows its role members to run any report for any user. By default, the User Application Admin is assigned this role.

To change this assignment after you deploy the User Application, use the Roles > Role Assignment page in the User Application.

NOVL_CONFIG_COMPLIANCECONTAINERDN

The Compliance Module Administrator is a system role that allows members to perform all functions on the Compliance tab. This user must exist in the Identity Vault prior to being designated as the Compliance Module Administrator.

NOVL_CONFIG_USERCONTAINERDN=

Meta-Directory User Identity: User Container DN.

Specify the LDAP distinguished name (DN) or fully qualified LDAP name of the user container. This defines the search scope for users and groups. Users in this container (and below) are allowed to log in to the User Application.

IMPORTANT: Be sure the User Application Administrator specified during User Application driver setup exists in this container if you want that user to be able to execute workflows.

NOVL_CONFIG_GROUPCONTAINERDN=

Meta-Directory User Groups: Group Container DN.

Specify the LDAP distinguished name (DN) or fully qualified LDAP name of the group container. Used by entity definitions within the directory abstraction layer.

NOVL_CONFIG_KEYSTOREPATH=

eDirectory Certificates: Keystore Path. Required.

Specify the full path to the keystore (cacerts) file of the JRE that the application server is using. The User Application installation modifies the keystore file. On Linux or Solaris, the user running the installer must have permission to write to this file.

NOVL_CONFIG_KEYSTOREPASSWORD=

eDirectory Certificates: Keystore Password.

Specify the cacerts password. The default is changeit.

NOVL_CONFIG_SECUREADMINCONNECTION=

eDirectory Connection Settings: Secure Admin Connection.

Required. Specify True to require that all communication using the admin account be done using a secure socket (this option can have adverse performance implications). This setting allows other operations that don't require SSL to operate without SSL.

Specify False if the admin account does not use secure socket communication.

NOVL_CONFIG_SECUREUSERCONNECTION=

eDirectory Connection Settings: Secure User Connection.

Required. Specify True to require that all communication done on the logged-in user's account be done using a secure socket (this option can have severe adverse performance implications). This setting allows other operations that don't require SSL to operate without SSL.

Specify False if the user’s account does not use secure socket communication.

NOVL_CONFIG_SESSIONTIMEOUT=

Miscellaneous: Session Timeout.

Required. Specify an application session timeout interval.

NOVL_CONFIG_LDAPPLAINPORT=

eDirectory Connection Settings: LDAP Non-Secure Port.

Required. Specify the non-secure port for your LDAP server, for example 389.

NOVL_CONFIG_LDAPSECUREPORT=

eDirectory Connection Settings: LDAP Secure Port.

Required. Specify the secure port for your LDAP server, for example 636.

NOVL_CONFIG_ANONYMOUS=

eDirectory Connection Settings: Use Public Anonymous Account.

Required. Specify True to allow users who are not logged in to access the LDAP Public Anonymous Account.

Specify False to enable NOVL_CONFIG_GUEST instead.

NOVL_CONFIG_GUEST=

eDirectory Connection Settings: LDAP Guest.

Allows users who are not logged in to access permitted portlets. You must also deselect Use Public Anonymous Account. The Guest user account must already exist in the Identity Vault. To disable the Guest user, select Use Public Anonymous Account.

NOVL_CONFIG_GUESTPASS=

eDirectory Connection Settings: LDAP Guest Password.

NOVL_CONFIG_EMAILNOTIFYHOST=

Email: Notify Template HOST token.

Specify the application server hosting the Identity Manager User Application. For example:

myapplicationserver

This value replaces the $HOST$ token in e-mail templates. The URL that is constructed is the link to provisioning request tasks and approval notifications.

NOVL_CONFIG_EMAILNOTIFYPORT=

Email: Notify Template Port token.

Used to replace the $PORT$ token in e-mail templates used in provisioning request tasks and approval notifications.

NOVL_CONFIG_EMAILNOTIFYSECUREPORT=

Email: Notify Template Secure Port token.

Used to replace the $SECURE_PORT$ token in e-mail templates used in provisioning request tasks and approval notifications.

NOVL_CONFIG_NOTFSMTPEMAILFROM=

Email: Notification SMTP Email From.

Required. Specify the e-mail address used as the From address in provisioning e-mail.

NOVL_CONFIG_NOTFSMTPEMAILHOST=

Email: Notification SMTP Email Host.

Required. Specify the SMTP e-mail host that provisioning e-mail is using. This can be an IP address or a DNS name.

NOVL_CONFIG_USEEXTPWDWAR=

Password Management: Use External Password WAR.

Specify True if you are using an external password management WAR. If you specify True, you must also supply values for NOVL_CONFIG_EXTPWDWARPATH and NOVL_CONFIG_EXTPWDWARRTNPATH.

Specify False to use the default internal Password Management functionality, ./jsps/pwdmgt/ForgotPassword.jsp (without the http(s) protocol at the beginning). This redirects the user to the Forgot Password functionality built into the User Application, rather than to an external WAR.

NOVL_CONFIG_EXTPWDWARPATH=

Password Management: Forgot Password Link.

Specify the URL for the Forgot Password functionality page, ForgotPassword.jsp, in an external or internal password management WAR. Or, accept the default internal password management WAR. For details, see Configuring External Forgot Password Management.

NOVL_CONFIG_EXTPWDWARRTNPATH=

Password Management: Forgot Password Return Link.

Specify the Forgot Password Return Link that the user can click after performing a forgot password operation.

NOVL_CONFIG_FORGOTWEBSERVICEURL=

Password Management: Forgot Password Web Service URL.

This is the URL that the External Forgot Password WAR will use to call back to the User Application to perform core forgot password functionalities. The format of the URL is:

https://<idmhost>:<sslport>/<idm>/pwdmgt/service

NOVL_CONFIG_USEROBJECTATTRIBUTE=

Meta-Directory User Identity: User Object Class.

Required. The LDAP user object class (typically inetOrgPerson).

NOVL_CONFIG_LOGINATTRIBUTE=

Meta-Directory User Identity: Login Attribute.

Required. The LDAP attribute (for example, CN) that represents the user’s login name.

NOVL_CONFIG_NAMINGATTRIBUTE=

Meta-Directory User Identity: Naming Attribute.

Required. The LDAP attribute used as the identifier when looking up users or groups. This is not the same as the login attribute, which is used only during login, and not during user/group searches.

NOVL_CONFIG_USERMEMBERSHIPATTRIBUTE=

Meta-Directory User Identity: User Membership Attribute. Optional.

Required. The LDAP attribute that represents the user’s group membership. Do not use spaces in this name.

NOVL_CONFIG_GROUPOBJECTATTRIBUTE=

Meta-Directory User Groups: Group Object Class.

Required. The LDAP group object class (typically groupofNames).

NOVL_CONFIG_GROUPMEMBERSHIPATTRIBUTE=

Meta-Directory User Groups: Group Membership Attribute.

Required. Specify the attribute representing the user’s group membership. Do not use spaces in this name.

NOVL_CONFIG_USEDYNAMICGROUPS=

Meta-Directory User Groups: Use Dynamic Groups.

Required. Specify True to use dynamic groups. Otherwise, specify False.

NOVL_CONFIG_DYNAMICGROUPOBJECTCLASS=

Meta-Directory User Groups: Dynamic Group Object Class.

Required. Specify the LDAP dynamic group object class (typically dynamicGroup).

NOVL_CONFIG_TRUSTEDSTOREPATH=

Trusted Key Store: Trusted Store Path.

The Trusted Key Store contains all trusted signers’ certificates used to validate digital signatures. If this path is empty, the User Application gets the path from the System property javax.net.ssl.trustStore. If that property is not set either, the path is assumed to be jre/lib/security/cacerts.

NOVL_CONFIG_TRUSTEDSTOREPASSWORD=

Trusted Key Store: Trusted Store Password.

NOVL_CONFIG_AUDITCERT=

Digital Signature Certificate

NOVL_CONFIG_AUDITKEYFILEPATH=

Digital Signature Private Key File path.

NOVL_CONFIG_ICSLOGOUTENABLED=

Access Manager and iChain Settings: Simultaneous Logout Enabled.

Specify True to enable simultaneous logout of the User Application and either Novell Access Manager or iChain®. The User Application checks for a Novell Access Manager or iChain cookie on logout and, if the cookie is present, reroutes the user to the ICS logout page.

Specify False to disable simultaneous logout.

NOVL_CONFIG_ICSLOGOUTPAGE=

Access Manager and iChain Settings: Simultaneous Logout Page.

Specify the URL to the Novell Access Manager or iChain logout page, where the URL is a hostname that Novell Access Manager or iChain expects. If simultaneous (ICS) logout is enabled and a user logs out of the User Application, the user is rerouted to this page.

NOVL_CONFIG_EMAILNOTIFYPROTOCOL=

Email: Notify Template PROTOCOL token.

Refers to a non-secure protocol, HTTP. Used to replace the $PROTOCOL$ token in e-mail templates used in provisioning request tasks and approval notifications.

NOVL_CONFIG_EMAILNOTIFYSECUREPROTOCOL=

Email: Notify Template Secure Protocol token.

NOVL_CONFIG_OCSPURI=

Miscellaneous: OCSP URI.

If the client installation uses the On-Line Certificate Status Protocol (OCSP), supply a Uniform Resource Identifier (URI). For example, the format is http://hstport/ocspLocal. The OCSP URI updates the status of trusted certificates online.

NOVL_CONFIG_AUTHCONFIGPATH=

Miscellaneous: Authorization Config Path.

The fully qualified name of the authorization configuration file.

NOVL_CONFIG_CREATEDIRECTORYINDEX

Miscellaneous: Create eDirectory Index

Specify true if you want the silent installer to create indexes on the manager, ismanager, and srvprvUUID attributes on the eDirectory server specified in NOVL_CONFIG_SERVERDN. If this parameter is set to true, NOVL_CONFIG_REMOVEDIRECTORYINDEX cannot be set to true.

For best performance results, the index creation should be complete. The indexes should be in Online mode before you make the User Application available.

NOVL_CONFIG_REMOVEDIRECTORYINDEX

Miscellaneous: Remove eDirectory Index

Specify true if you want the silent installer to remove indexes on the server specified in NOVL_CONFIG_SERVERDN. If this parameter is set to true, NOVL_CONFIG_CREATEDIRECTORYINDEX cannot be true.

NOVL_CONFIG_SERVERDN

Miscellaneous: Server DN

Specify the eDirectory server where indexes should be created or removed.

NOVL_DATABASE_NEW

Indicates whether the database is new or existing. Specify True if it’s a new database. Specify False if it’s an existing database.

NOVL_RBPM_SEC_ADMINDN

Security Administrator

This role gives members the full range of capabilities within the Security domain.

The Security Administrator can perform all possible actions for all objects within the Security domain. The Security domain allows the Security Administrator to configure access permissions for all objects in all domains within the Roles Based Provisioning Module. The Security Administrator can configure teams, and also assign domain administrators, delegated administrators, and other Security Administrators.

NOVL_RBPM_RESOURCE_ADMINDN

Resources Administrator

This role gives members the full range of capabilities within the Resource domain. The Resources Administrator can perform all possible actions for all objects within the Resource domain.

NOVL_RBPM_CONFIG_ADMINDN

This role gives members the full range of capabilities within the Configuration domain. The RBPM Configuration Administrator can perform all possible actions on all objects within the Configuration domain. The RBPM Configuration Administrator controls access to navigation items within the Roles Based Provisioning Module. In addition, the RBPM Configuration Administrator configures the delegation and proxy service, the digital signature service, the provisioning user interface, and the workflow engine.