3.1 Installation Procedures

You might want to have a pen handy to record the static IP address and login credentials in the spaces provided below.

NOTE: If the Administration Console and the Identity Server are installed on different servers, both use ports 8080 and 8443. If they are installed on the same server, the Identity Server uses ports 8080 and 8443 and the Administration Console uses ports 2080 and 2443.

3.1.1 Installing on Linux

  1. If you have Red Carpet or auto update running, stop these programs before you install the Administration Console.

  2. Verify that the machine meets the minimum requirements. See Section 2.4, Administration Console Requirements.

  3. Open a terminal window.

  4. Access the install script:

    1. Make sure you have downloaded the software or you have the CD available.

      For software download instructions, see the “NetIQ Access Manager Readme”.

    2. Do one of the following:

      • Insert the CD into the drive, then navigate to the device. Enter the following:

        cd /media

        Change to your CD-ROM drive, which is usually cdrom but can be something else such as cdrecorder or dvdrecorder, depending on your hardware.

      • If you downloaded the tar.gz file, unpack the file by using the following command:

        tar -xzvf <filename>

    3. Change to the novell-access-manager directory.

  5. At the command prompt, enter the following:

    ./install.sh

    Ensure that the system has adequate free disk space before you proceed with the installation. For details, refer

  6. When you are prompted to install a product, type 1 to select Install NetIQ Access Manager Administration and press Enter, then type 1 to select Install Administration Console.

  7. Review and accept the License Agreement.

    Novell Base and JDK for NetIQ are installed.

  8. (Conditional) The installer displays a warning if the host name of the system is mapped to the IP address 127.0.0.2 in the /etc/hosts file:

    An entry of 127.0.0.2 in the /etc/hosts file affects the Access Manager functionality. Do you want to proceed with removing it (y/n) [y]

    Type y, then press Enter, to remove the entry.

    A host name that resolves to 127.0.0.2 can cause Access Manager processes to fail when they resolve the host name of the machine, so the 127.0.0.2 entry should be removed from the /etc/hosts file.

  9. Specify whether this is the primary Access Manager Administration Console in a failover group. The first Administration Console installed becomes the primary console:

    Note: The administration server failover will not be enabled until a second server is added to the cluster.
    Is this the primary administration server in a failover group (y/n) ? [y]:
    

    You can install up to three Administration Consoles for replication and failover purposes. If this is not the primary console, you must provide the IP address for the primary Administration Console.

  10. Specify the administration username.

    Press Enter to use admin as the default admin username, or change this to a username of your choice.

    NOTE: The Administration Console username cannot contain the hash (#), ampersand (&), or round bracket characters ( and ).

    Record the admin username here: __________________________________

  11. Specify the administration password.

    Use alphanumeric characters only. You must remember this password: it grants administrator rights, access to the configuration store, and all subsequent logins to the Administration Console.

    NOTE: The Administration Console password cannot contain the colon (:) or double quote (") characters.

    Record the admin password here: __________________________________

  12. Confirm the password, then wait as the system installs the components.

    This can take several minutes, depending upon the speed of your hardware.

    The following components are installed:

    • Novell Audit Platform Agent: Responsible for packaging and forwarding the audit log entries to the configured Novell Audit Server. For more information, see Enabling Auditing in the NetIQ Access Manager 3.2 SP3 Administration Console Guide.

    • Tomcat for NetIQ: The NetIQ packaging of the Java-based Tomcat Web server used to run servlets and JavaServer Pages (JSP) associated with NetIQ Access Manager Web applications.

    • Novell Access Manager Configuration Store: An embedded version of eDirectory used to store user-defined server configurations, LDAP attributes, Certificate Authority keys, certificates, and other Access Manager attributes that must be securely stored.

    • Novell iManager: The Web-based administration console that provides customized, secure access to server administration utilities. It is a modified version and cannot be used to manage other eDirectory trees.

    • Novell Audit Server: The server bundled as part of the Administration Console to monitor and log all enabled Access Manager components. For more information, see Enabling Auditing in the NetIQ Access Manager 3.2 SP3 Administration Console Guide.

    • NetIQ Administration Console: A modification of Novell iManager that enables management of all aspects of Access Manager. This component is not a standard iManager plug-in. It significantly modifies the tasks that iManager can perform.

    • NetIQ Identity Server Administration Plug-In: Works in conjunction with the NetIQ Administration Console to specifically manage the NetIQ Identity Server.

  13. Record the login URL.

    When the installation completes, the login URL is displayed. It looks similar to the following:

    http://10.10.10.50:8080/nps
    

    Record your login URL here: __________________________________

    This is the URL you enter in a browser to configure the Access Manager components. The URL shown uses plain HTTP on port 8080; the Administration Console also listens on 8443 (or 2443 when it shares the host with an Identity Server, see the NOTE at the start of this section), which is the port to use for administrative logins over a network. If you log in now with the username and password you entered during the installation, you have an empty system with no components installed.

  14. Continue with Section 3.2, Configuring the Administration Console Firewall.
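    The checks that the Linux procedure above asks you to make by hand (the 127.0.0.2 host name mapping in step 8, the username and password character rules in steps 10 and 11, and the ports listed in the NOTE at the start of this section) can be scripted. The script below is an added example and is not part of the NetIQ installation media; the host name nam-admin.example.com and the hosts-file text are constructed sample input, and the live port check relies on ss(8) being present on the host.

```sh
#!/bin/sh
# Preflight checks for a Linux host that will run the Administration Console.
# Added example, not part of NetIQ Access Manager. Run as:  ./preflight.sh [hostname]
set -f   # no pathname expansion: the code below splits text with "set --"

# Return 0 if HOSTS_CONTENT (the text of an /etc/hosts file) maps HOST to
# 127.0.0.2, the mapping the installer offers to remove in step 8.
hosts_maps_to_127_0_0_2() {
  hm_content=$1
  hm_host=$2
  while IFS= read -r hm_line || [ -n "$hm_line" ]; do
    hm_line=${hm_line%%#*}            # drop trailing comments
    set -- $hm_line                   # split the remainder on whitespace
    [ $# -ge 2 ] || continue          # need an address and at least one name
    [ "$1" = "127.0.0.2" ] || continue
    shift
    for hm_name in "$@"; do
      [ "$hm_name" = "$hm_host" ] && return 0
    done
  done <<EOF
$hm_content
EOF
  return 1
}

# Return 0 unless NAME is empty or contains a character the installer rejects
# for the administration username (step 10): # & ( )
valid_admin_username() {
  case $1 in
    ""|*"#"*|*"&"*|*"("*|*")"*) return 1 ;;
    *) return 0 ;;
  esac
}

# Return 0 unless PASSWORD is empty or contains a character the installer
# rejects for the administration password (step 11): : "
valid_admin_password() {
  case $1 in
    ""|*":"*|*'"'*) return 1 ;;
    *) return 0 ;;
  esac
}

# Print each of the given TCP ports that already has a listener on this host.
# The installer needs 8080 and 8443 for the Administration Console, or 2080
# and 2443 when an Identity Server shares the host (see the NOTE above).
# Uses ss(8); prints nothing and returns 0 if ss is unavailable.
listening_ports_in_use() {
  command -v ss >/dev/null 2>&1 || return 0
  for lp_port in "$@"; do
    if ss -ltn 2>/dev/null | awk -v p=":$lp_port" '$4 ~ p"$" { f=1 } END { exit !f }'; then
      echo "$lp_port"
    fi
  done
}

# Run the live checks against this machine; exit status 1 if anything was found.
preflight_main() {
  pm_host=${1:-$(hostname 2>/dev/null)}
  pm_rc=0
  if hosts_maps_to_127_0_0_2 "$(cat /etc/hosts)" "$pm_host"; then
    echo "WARN: $pm_host maps to 127.0.0.2 in /etc/hosts; the installer will offer to remove it (step 8)"
    pm_rc=1
  fi
  pm_busy=$(listening_ports_in_use 8080 8443 2080 2443)
  if [ -n "$pm_busy" ]; then
    echo "WARN: ports already listening: $(printf '%s ' $pm_busy)"
    pm_rc=1
  fi
  [ "$pm_rc" -eq 0 ] && echo "OK: no host-name or port conflicts found"
  return "$pm_rc"
}

# Constructed sample (not a real hosts file) showing the entry step 8 warns about:
SAMPLE_HOSTS='127.0.0.1   localhost
127.0.0.2   nam-admin.example.com nam-admin   # loopback alias some distributions add
10.10.10.50 nam-admin.example.com nam-admin'

case ${0##*/} in
  preflight.sh) preflight_main "$@" ;;   # run the live checks only when invoked as a script
esac
```

    Run it before step 5 and fix anything it reports; a port that is already in use will not be caught by the installer's own prompts, and the credential checks let you confirm a chosen username and password against the installer's rules before the installation has begun.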

3.1.2 Installing on Windows

  1. Verify that the machine meets the minimum requirements. See Section 2.4, Administration Console Requirements.

  2. Close any running applications and disable any virus scanning programs.

  3. (Conditional) To use a remote desktop for installation, use one of the following:

    • Current version of VNC viewer

    • Microsoft Remote Desktop with the /console switch for Windows XP SP2

    • Microsoft Remote Desktop with the /admin switch for Windows XP SP3

  4. Download the software file and execute it.

    For software download instructions, see the “NetIQ Access Manager Readme”.

  5. Read the introduction, then click Next.

  6. Accept the license agreement, then click Next.

  7. Select NetIQ Access Manager Administration Console, then click Next.

    If you are installing the Identity Server on this machine as well, also select NetIQ Identity Server.

  8. Specify whether this is the primary Administration Console in a failover group, then click Next.

    The first Administration Console installed becomes the primary console.

    You can install up to three Administration Consoles for replication and failover purposes. If this is not the primary console, you must provide the IP address for the primary Administration Console.

  9. Specify the following information:

    Administration user ID: Specify a name for the user account to use for logging into the Administration Console.

    Password and Re-enter Password: Specify a password and re-enter the password for the administration user account.

    Server IP Address: Specify the static IP address of the machine.

  10. Click Next, then review the summary.

  11. During the installation, a prompt to enable or disable SSL renegotiation appears:

    WARNING: This installer is bundled with JDK, which has the SSL renegotiation disabled by default. If you use x509 authentication, then SSL renegotiation must be enabled. Would you like to enable SSL renegotiation for this session Y/N [N].

  12. SSL renegotiation is disabled by default because renegotiation in TLS, and in SSL 3.0 and earlier, is vulnerable to a man-in-the-middle attack (CVE-2009-3555, addressed by the secure renegotiation extension of RFC 5746). Type N to leave SSL renegotiation disabled or Y to enable it. Enabling it exposes the system to that attack, so leaving it disabled is the preferred option. Enable it only if you rely on x509 certificate-based authentication in any of the following scenarios:

    1. Browser to Identity Provider, when using x509 certificate-based authentication.

    2. Identity Provider to Identity Provider communication, when using x509 certificates for mutual authentication.

    3. Secure LDAP connections with mutual authentication to the LDAP user store.

  13. To start the install, click Install.

    The configuration database takes a while to install and configure.

  14. (Optional) After the installation completes, view the install log file found in the following location:

    Windows Server 2008: \Program Files (x86)\Novell\log\AccessManagerServer_InstallLog.log

  15. Reboot the machine.

    IMPORTANT: You must restart the machine before installing any other Access Manager components.

  16. (Windows Server 2008, 32-bit) At a command prompt, run the auditext.exe utility to load the Access Manager log schema.

    1. Change to the \Program Files\Novell\Nsure Audit directory.

      The .lsc schema file that auditext.exe requires is \Program Files\Novell\Nsure Audit\LogSchema\nids_en.lsc.

    2. Enter the following command on one line (arguments that contain spaces are quoted):

      auditext -lsc -u:<admin> -p:<novell> -a:"Novell Access Manager" -f:"c:\Program Files\Novell\Nsure Audit\LogSchema\nids_en.lsc" -l:en

      Modify the following variables to match your system:

      c:            The drive letter of the volume that holds the Program Files directory.
      -u:<admin>    The name of the Administration Console administrator. Replace <admin> with the name of your administrator.
      -p:<novell>   The administrator password. Replace <novell> with the password of your administrator.

      Because the password is passed on the command line, it is visible in the process list to anyone logged on to the machine while the command runs. Run the command from an interactive session rather than from a saved script or batch file.

      For more information about this utility, see “AuditExt”.

  17. (Windows Server 2008, 64-bit) At a command prompt, run the auditext.exe utility to load the Access Manager log schema.

    1. Change to the \Program Files (x86)\Novell\Nsure Audit directory.

      The .lsc schema file that auditext.exe requires is \Program Files (x86)\Novell\Nsure Audit\LogSchema\nids_en.lsc.

    2. Enter the following command on one line (arguments that contain spaces are quoted):

      auditext -lsc -u:<admin> -p:<novell> -a:"Novell Access Manager" -f:"c:\Program Files (x86)\Novell\Nsure Audit\LogSchema\nids_en.lsc" -l:en

      Modify the following variables to match your system:

      c:            The drive letter of the volume that holds the Program Files (x86) directory.
      -u:<admin>    The name of the Administration Console administrator. Replace <admin> with the name of your administrator.
      -p:<novell>   The administrator password. Replace <novell> with the password of your administrator.

      Because the password is passed on the command line, it is visible in the process list to anyone logged on to the machine while the command runs. Run the command from an interactive session rather than from a saved script or batch file.

      For more information about this utility, see “AuditExt”.

  18. Continue with Section 3.2, Configuring the Administration Console Firewall.
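    Steps 11 and 12 of the Windows procedure leave the SSL renegotiation decision to an installer prompt and give no way to confirm the outcome. The script below is an added example, not a NetIQ utility: from any host with the openssl command it connects to the console's TLS port, asks for a client-initiated renegotiation, and reports whether the server accepted it and whether it advertises the RFC 5746 secure renegotiation extension. The target 10.10.10.50:8443 is taken from the login URL example above with the TLS port from the section NOTE, and the transcripts used as sample input are constructed and abridged, not captured from a real server.

```sh
#!/bin/sh
# Post-install check: does a TLS listener accept a client-initiated renegotiation?
# Added example, not a NetIQ utility. Requires the openssl command.
# Usage:  ./renegotiation_check.sh 10.10.10.50:8443

# Classify an `openssl s_client` transcript recorded after the "R" command
# (which makes s_client request a renegotiation). Prints one word:
#   refused  - the server, or the OpenSSL client itself, rejected the renegotiation
#   accepted - s_client announced RENEGOTIATING and no error followed
#   unknown  - no renegotiation attempt is visible in the transcript
classify_renegotiation() {
  case $1 in
    *"no renegotiation"*|*"handshake failure"*|*"unsafe legacy renegotiation disabled"*)
      echo refused ;;
    *RENEGOTIATING*)
      echo accepted ;;
    *)
      echo unknown ;;
  esac
}

# Return 0 if the handshake summary shows the server supports the RFC 5746
# secure renegotiation extension, the fix for the attack described in step 12.
secure_renegotiation_advertised() {
  case $1 in
    *"Secure Renegotiation IS supported"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Connect to HOST:PORT over TLS 1.2 (renegotiation does not exist in TLS 1.3),
# send "R" once the session is up, give the server time to react, and report.
# Closing stdin after the pause makes s_client disconnect and exit.
probe_renegotiation() {
  pr_out=$( { printf 'R\n'; sleep 2; } | openssl s_client -tls1_2 -connect "$1" 2>&1 )
  if secure_renegotiation_advertised "$pr_out"; then
    echo "secure renegotiation (RFC 5746): advertised"
  else
    echo "secure renegotiation (RFC 5746): NOT advertised"
  fi
  echo "client-initiated renegotiation: $(classify_renegotiation "$pr_out")"
}

# Constructed, abridged transcripts (not captured from a real server):
SAMPLE_ACCEPTED='CONNECTED(00000003)
Secure Renegotiation IS supported
RENEGOTIATING
depth=0 CN = nam-admin.example.com
verify return:1'

SAMPLE_REFUSED='CONNECTED(00000003)
Secure Renegotiation IS supported
RENEGOTIATING
error:SSL routines:ssl3_read_bytes:no renegotiation'

SAMPLE_LEGACY='CONNECTED(00000003)
Secure Renegotiation IS NOT supported
RENEGOTIATING
error:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:SSL alert number 40'

case ${0##*/} in
  renegotiation_check.sh) probe_renegotiation "${1:?usage: $0 host:port}" ;;
esac
```

    Read the two lines together. A listener that reports "refused" together with "advertised" is the expected result when you answered N at the prompt. If the transcript contains "unsafe legacy renegotiation disabled", the refusal came from your OpenSSL client, which will not renegotiate with a server that lacks RFC 5746 support, so the server's own setting is not what was measured. An "accepted" result means renegotiation is enabled; that should be true only on installations that need it for one of the x509 scenarios listed in step 12.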