37.2 Using the Guided Process to Install the Identity Applications

The following procedure describes how to install the identity applications using an installation wizard, either in GUI format or from the console. To perform a silent, unattended installation, see Silently Installing the Identity Applications.

To prepare for the installation, review the activities listed in Checklist for Installing the Identity Applications. Also see the Release Notes accompanying the release.

NOTE:

  • The installation program does not save the values that you enter as you progress through the windows in the wizard. If you click Previous to return to an earlier window, you must re-enter the configuration values.

  • The installation program creates the novlua user account and grants that account the permissions it needs on the Tomcat installation. For example, the idmapps_tomcat_init script uses this account to run Tomcat.

To install with the guided process:

  1. Log in as a root or administrative user to the computer where you want to install the identity applications.

  2. Stop Tomcat.

  3. (Conditional) If you have the .iso image file for the Identity Manager installation package, navigate to the directory containing the installation files, located by default in the products/RBPM/user_app_install directory.

  4. (Conditional) If you downloaded the installation files, complete the following steps:

    1. Navigate to the .tgz or win.zip file for the downloaded image.

    2. Extract the contents of the file to a directory on the local computer.

  5. From the directory that contains the installation files, complete one of the following actions:

    • Linux (console): Enter ./IdmUserApp.bin -i console

    • Linux (GUI): Enter ./IdmUserApp.bin

    • Windows: Run IdmUserApp.exe

  6. Complete the guided process, using the following parameters:

    • Application Server Platform

      Represents Tomcat for running the Identity Applications. Tomcat must already be installed.

    • Installation Folder

      Represents the path to a directory where the installation program creates the application files.

    • Database Platform

      Represents the platform of the User Application database. The database software must already be installed. However, you do not need to create the database schema during installation.

      For your convenience, NetIQ provides PostgreSQL.

    • Database Host and Port

      Represents the settings for the server that hosts the User Application database.

      NOTE: In a cluster environment, you must specify the same database settings for each member in the cluster.

      Host

      Specifies the name or IP address of the server.

      Port

      Specifies the port that you want the server to use for communication with the User Application.

    • Database Username and Password

      Represents the settings for running the User Application database.

      NOTE:

      • If you installed PostgreSQL as part of the installation for this version of Identity Manager, the installation process already created the database and database administrator. By default, the installed database is idmuserappdb and the database user is idmadmin. Specify the same values that you used for the PostgreSQL installation.

      • In a cluster environment, you must specify the same database name, username, and password for each member in the cluster.

      Database Name or SID

      Specifies the name of the database according to the database platform. By default, the database name is idmuserappdb.

      • For a PostgreSQL or SQL Server database, specify the name.

      • For an Oracle database, specify the System Identifier (SID) that you created with the database instance.

      Database Username

      Specifies the name of an account that allows the User Application to access and modify data in the databases.

      Database Password

      Specifies the password for the specified username.

      Database Driver JAR File

      Specifies the JAR file for the database platform.

      The database vendor provides the driver JAR file, which represents the Thin Client JAR for the database server. For example, for PostgreSQL, you might specify postgresql-9.4-1212.jdbc42.jar, by default in the /opt/netiq/idm/apps/postgres/ folder.

      NetIQ does not support driver JAR files from third-party vendors.

    • Database Administrator

      Optional

      Represents the name and password for the database administrator.

      This field automatically lists the same user account and password that you specified for Database Username and Password. To use that account, do not make any changes.

      Database administrator

      (Optional) Specifies the account for a database administrator that can create database tables, views, and other artifacts.

      Password

      (Optional) Specifies the password for the database administrator.

    • Create Database Tables

      Indicates whether you want to configure your new or existing database as part of the installation process, or afterward.

      Create Tables Now

      The installation program creates the database tables as part of the installation process.

      Create Tables at Application Startup

      The installation program leaves instructions to create the tables when the User Application starts for the first time.

      Write SQL to File

      Generates a SQL script that the database administrator can run later to create the database tables. If you choose this option, you must also specify a name for the Schema File. The setting is in the SQL Output File configuration.

      You might select this option if you do not have permissions to create or modify a database in your environment. For more information about generating the tables with the file, see Manually Creating the Database Schema.

    • New Database or Existing Database

      Specifies whether the database is new and empty, or already contains User Application tables from a previous installation. Use the following considerations:

      • New Database

        If the database used is new, click New Database. Ensure that a database exists before selecting this option.

      • Existing Database

        If the database already exists and contains User Application tables from a previous installation, select Existing Database.

        If the existing database runs on an Oracle platform, you must prepare Oracle before updating the schema. For more information, see Preparing an Oracle Database for the SQL File.

      After selecting the database type, specify when the database tables should be created. The Create Database Tables screen lets you create the tables at installation time or at application startup. Alternatively, you can generate a schema file at installation time, which the database administrator uses to create the tables later.

      If you want to generate a schema file, select the Write SQL to File button and provide a name for the file in the Schema Output File field.

    • Test Database Connection

      Specifies whether you want the installer to connect to the database for creating tables directly or for creating the .sql file.

      The installation program attempts the connection when you click Next or press Enter.

      NOTE: You can continue with the installation if the database connection fails. However, after installation, you must manually create the tables and connect to the database. For more information, see Manually Creating the SQL File to Generate the Database Schema.

    • Java Install

      Represents the path to the JRE directory used to launch the installation program. For example, /root/opt/java/jre7.

    • Application_Server Configuration

      Represents the path to the installation files for Tomcat. For example, /opt/apache-tomcat-7.0.52. The installation process adds some files to this folder.

    • IDM Configuration

      Represents the settings for the identity application context used in URLs and for the workflow engine.

      Application Context

      Specifies a name that represents the Tomcat configuration, the application WAR file, and the name in the URL context.

      The installation script creates a server configuration, then names the configuration according to the name that you created when installing Tomcat. For example, IDMProv.

      IMPORTANT: NetIQ recommends that you make a note of the specified Application Context. You will use this application name in the URL when you start the identity applications from a browser.

    • Select Audit Logging Type

      Indicates whether you want to send log events to an auditing server. Specify Yes or No.

    • Audit Logging

      Applies only when you specify Yes for Select Audit Logging Type.

      Indicates the type of logging that you want to enable.

      For more information about setting up logging, see the User Application Administration Guide.

      Novell Identity Audit or NetIQ Sentinel

      Enables logging through a Novell or NetIQ client for the User Application.

      NOTE: If you choose this option, you must also specify the hostname or IP address for the client server and the path to the log cache. These settings are in the Novell Identity Audit or NetIQ Sentinel configuration section.

      OpenXDAS

      Enables the User Application to send events to your OpenXDAS logging server.

    • Security - Master Key

      Indicates whether you want to import an existing master key. The User Application uses the master key to access encrypted data. Specify Yes or No.

      You might want to import the master key in the following situations:

      • After installing the first instance of the identity applications in a cluster. Every instance of the User Application in a cluster must use the same master key. For more information, see Using the Same Master Key for Each User Application in the Cluster.

      • If you are moving your installation from a staging system to a production system and want to keep access to the database you used with the staging system.

      • If you are restoring your User Application and you want to access the encrypted data stored by your previous version of the User Application.

      Yes

      Specifies that you want to import an existing master key.

      No

      Specifies that you want the installation program to create the key.

      By default, the installation procedure writes the encrypted master key to the master-key.txt file in the installation directory. Restrict access to this file: it holds the key material that you import on other cluster members or after a restore, and anyone who can read it can reproduce your master key.

    • Import Master Key

      Applies only when you specify Yes for Security - Master Key.

      Specifies the master key that you want to use. You can copy the master key from the master-key.txt file.

    • Application server connection

      Represents the settings that make up the URL users use to connect to the identity applications on Tomcat. For example, https://myserver.mycompany.com:8080.

      NOTE:If OSP runs on a different instance of the Tomcat application server, you must also select Connect to an external authentication server and specify values for the OSP server.

      Protocol

      Specifies whether you want to use http or https. To encrypt communications with TLS (historically called SSL), specify https. With http, user credentials and session tokens cross the network unencrypted.

      Host Name

      Specifies the DNS name or IP address of the server hosting OSP. Do not use localhost.

      Port

      Specifies the port that you want the server to use for communication with client computers.

      Connect to an external authentication server

      Specifies whether a different instance of Tomcat hosts the authentication server (OSP). The authentication server contains the list of users who can log in to SSPR.

      If you select this setting, also specify values for the authentication server’s Protocol, Host name, and Port.

    • Authentication server details

      Specifies the password that you want the identity applications to use when connecting to the authentication server. Also referred to as the client secret. The installation process creates this password.

  7. Configure the settings for the identity applications in the Config Update window.

    1. Browse for the Identity Vault DNs.

    2. Click OK.

  8. (Conditional) In a GUI installation, to immediately configure the identity applications, complete the following steps in the Configure IDM window:

    1. Click Yes and then click Next.

    2. In Roles Based Provisioning Module Configuration, click Show Advanced Options.

    3. Modify the settings as needed.

      NOTE:

      • For more information about specifying the values, see Section 40.0, Configuring the Settings for the Identity Applications.

      • In production environments, all administrator assignments are restricted by licensing. NetIQ collects monitoring data in the audit database to ensure that production environments comply. Also, NetIQ recommends that only one user be given the permissions of the Security Administrator.

    4. Click OK.

  9. (Conditional) In a console installation, to immediately configure the identity applications, complete the following steps:

    1. Launch the configuration update utility from the command line:

      • Linux: configupdate.sh

      • Windows: configupdate.bat

      NOTE: The SSO Client tab of the configupdate utility displays localhost:defaultport when Self Service Password Reset (SSPR) and Identity Reporting are not installed on the same server as the User Application. In that case, you must manually update the Client ID, password, and redirect URL for the SSPR and Reporting servers in the User Application server's configuration.

    2. (Optional) To create the NMAS certificate, navigate to SSO Clients > RBPM, and then change RBPM to eDirectory SAML configuration to Auto.

    3. Specify values for other settings as described in Section 40.0, Configuring the Settings for the Identity Applications.

  10. Click Next.

  11. In the Pre-Installation Summary window, click Install.

  12. (Optional) Review the installation log files. For results of the basic installation, see the user_application_install_log.log file in the /opt/netiq/idm/apps/UserApplication/logs/ directory.

    For information about the identity applications configuration, see the NetIQ-Custom-Install.log file in the /opt/netiq/idm/apps/UserApplication/ directory.

  13. (Optional) If you are using an external password management WAR, manually copy the WAR to the installation directory and to the remote application server deploy directory that runs the external password WAR functionality.

  14. Continue with the post-installation tasks described in Section 39.0, Completing the Installation of the Identity Applications.
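The wizard does not retain values when you click Previous, and a failed database connection leaves you with a manual schema step after installation, so it pays to validate the values requested in step 6 before launching IdmUserApp.bin. The following POSIX shell script is an added example written for this page; it is not part of the NetIQ installer. The Tomcat, JRE, driver JAR and host name values in it are taken from the parameter descriptions above, and the port numbers and the database host name are assumptions to adjust for your site.

```shell
#!/bin/sh
# Pre-flight checks for the values the IdmUserApp.bin wizard asks for.
# Added example for this page; not part of the NetIQ installer. Every
# path, host name and port below is an assumption: adjust to your site.
# Each check prints one line and returns 0 (pass) or 1 (fail).

# Application_Server Configuration: Tomcat home must contain bin/catalina.sh.
check_tomcat_home() {
    [ -x "$1/bin/catalina.sh" ] && { echo "ok   tomcat: $1"; return 0; }
    echo "FAIL tomcat: $1 has no executable bin/catalina.sh"; return 1
}

# Java Install: the JRE directory must contain a runnable bin/java.
check_java_home() {
    [ -x "$1/bin/java" ] && { echo "ok   java: $1"; return 0; }
    echo "FAIL java: $1/bin/java missing or not executable"; return 1
}

# Database Driver JAR File: must be readable and a real zip/jar archive
# (first four bytes "PK\003\004"), not an HTML error page saved as .jar.
check_jdbc_jar() {
    [ -r "$1" ] || { echo "FAIL jar: $1 not readable"; return 1; }
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    [ "$magic" = "504b0304" ] && { echo "ok   jar: $1"; return 0; }
    echo "FAIL jar: $1 is not a zip archive (magic $magic)"; return 1
}

# Application server connection: require https, a host name clients can
# resolve (not localhost), and a port in range. Over http, user
# credentials and session tokens cross the network unencrypted.
check_app_url() {
    proto=$1; host=$2; port=$3
    case "$proto" in
        https) ;;
        http)  echo "FAIL url: http exposes credentials in clear text; use https"; return 1 ;;
        *)     echo "FAIL url: unknown protocol '$proto'"; return 1 ;;
    esac
    case "$host" in
        ''|localhost|127.0.0.1|::1)
            echo "FAIL url: host must be a DNS name or address, not '$host'"; return 1 ;;
    esac
    case "$port" in
        ''|*[!0-9]*) echo "FAIL url: port '$port' is not numeric"; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "FAIL url: port $port out of range"; return 1; }
    echo "ok   url: $proto://$host:$port"; return 0
}

# Database Host and Port: TCP reachability. Uses bash's /dev/tcp when the
# script runs under bash, nc otherwise; returns 2 (skipped) if neither works.
check_db_port() {
    host=$1; port=$2
    if [ -n "$BASH_VERSION" ]; then
        if (exec 3<>"/dev/tcp/$host/$port") 2>/dev/null; then
            echo "ok   db: $host:$port reachable"; return 0
        fi
        echo "FAIL db: $host:$port not reachable"; return 1
    elif command -v nc >/dev/null 2>&1; then
        if nc -z -w 3 "$host" "$port" >/dev/null 2>&1; then
            echo "ok   db: $host:$port reachable"; return 0
        fi
        echo "FAIL db: $host:$port not reachable"; return 1
    fi
    echo "skip db: no /dev/tcp or nc available"; return 2
}

# Run every check and report the number of failures; the exit status is
# non-zero if anything failed, so the function can gate a scripted install.
preflight() {
    fails=0
    check_tomcat_home "$1" || fails=$((fails + 1))
    check_java_home "$2"   || fails=$((fails + 1))
    check_jdbc_jar "$3"    || fails=$((fails + 1))
    check_app_url "$4" "$5" "$6" || fails=$((fails + 1))
    check_db_port "$7" "$8" || [ $? -eq 2 ] || fails=$((fails + 1))
    echo "$fails check(s) failed"
    [ "$fails" -eq 0 ]
}

# Stand-alone usage with assumed site values: save as preflight.sh and run
# "sh preflight.sh". Sourced from another script, only the functions load.
case "$0" in
    *preflight.sh)
        preflight /opt/apache-tomcat-7.0.52 /root/opt/java/jre7 \
            /opt/netiq/idm/apps/postgres/postgresql-9.4-1212.jdbc42.jar \
            https myserver.mycompany.com 8443 dbhost.mycompany.com 5432 ;;
esac
```

Run it on the server immediately before step 5, as the same root or administrative user, so that the file permission checks see what the installer will see. The database check only confirms that the port answers; it does not prove the idmadmin credentials work, so the installer's own Test Database Connection step is still worth running.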
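Once the installation has written master-key.txt, that file holds the key material you would import on another cluster member or after a restore, so it deserves the same protection as the master key itself, and in a cluster every member must end up with an identical copy. The following shell script is an added example, not NetIQ code. The default path /opt/netiq/idm/apps/UserApplication/master-key.txt and the novlua owner are assumptions drawn from the installation directory and service account mentioned above; pass whichever account actually owns the file on your installation.

```shell
#!/bin/sh
# Post-install checks for master-key.txt. Added example for this page, not
# NetIQ code. The default path and the novlua owner below are assumptions
# drawn from the installation directory and service account named above.

# Regular file, non-empty, no group/other permissions, no extended ACL,
# owned by the expected account. Parses ls -ld so it works on GNU and BSD.
check_master_key() {
    f=$1; want=$2
    [ -f "$f" ] || { echo "FAIL $f: missing"; return 1; }
    [ -s "$f" ] || { echo "FAIL $f: empty"; return 1; }
    set -- $(ls -ld "$f")
    mode=$1; owner=$3
    case "$mode" in
        -r??------|-r??------.|-r??------@) ;;
        -r??------+)
            echo "FAIL $f: extended ACL on $mode; review it with getfacl"; return 1 ;;
        *)  echo "FAIL $f: mode $mode grants group/other access; chmod 600"; return 1 ;;
    esac
    [ "$owner" = "$want" ] || { echo "FAIL $f: owned by $owner, expected $want"; return 1; }
    echo "ok   $f: $mode $owner"
}

# The directory holding the key must not be world-writable, or any local
# account could replace the file with a key of its own choosing.
check_key_dir() {
    [ -d "$1" ] || { echo "FAIL $1: not a directory"; return 1; }
    set -- "$1" $(ls -ld "$1")
    case "$2" in
        d???????w*) echo "FAIL $1: world-writable ($2)"; return 1 ;;
    esac
    echo "ok   $1: $2"
}

# SHA-256 of the key file, so cluster members can be compared without
# ever printing the key. Tries the common digest tools in turn.
master_key_fingerprint() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    elif command -v shasum >/dev/null 2>&1; then shasum -a 256 "$1"
    else openssl dgst -sha256 -r "$1"
    fi | cut -d' ' -f1
}

# Compare the local key file with a copy fetched from another member.
same_master_key() {
    [ "$(master_key_fingerprint "$1")" = "$(master_key_fingerprint "$2")" ]
}

# Run the checks and print the fingerprint only if they all pass.
audit_master_key() {
    fails=0
    check_key_dir "$(dirname "$1")" || fails=$((fails + 1))
    check_master_key "$1" "$2"      || fails=$((fails + 1))
    [ "$fails" -eq 0 ] || return 1
    echo "fingerprint: $(master_key_fingerprint "$1")"
}

# Stand-alone usage with the assumed default path and owner: save as
# audit-master-key.sh and run "sh audit-master-key.sh" on each member.
case "$0" in
    *audit-master-key.sh)
        audit_master_key /opt/netiq/idm/apps/UserApplication/master-key.txt novlua ;;
esac
```

Running audit_master_key on each cluster member and comparing the printed fingerprints confirms that every instance imported the same key without the key itself ever appearing in a terminal, log, or chat window.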