This section defines the parameters that you need to specify to configure the Identity Manager installation. You can use the installation program to configure the components immediately after installing them or configure the components later by running the configure.sh script.
NOTE:
Identity Applications and Identity Reporting configured in typical configuration mode cannot connect to a database server installed on a different computer.
The installation process does not allow you to enable auditing for Identity Manager components. You must configure auditing for each component after completing the installation. For more information, see NetIQ Identity Manager - Configuring Auditing in Identity Manager.
Identity Vault is installed automatically with OES. To configure Identity Manager Engine on OES platform, you must select Custom Configuration and then select Add to an Existing Vault.
Table 4-1 describes the parameters required for configuring Identity Manager components in typical mode.
Table 4-1 Typical Configuration

| Parameter | Parameter in the Silent Properties File | Typical Configuration |
|---|---|---|
| Identity Manager Engine | | |
| Common password | IS_COMMON_PASSWORD | Specifies whether you want to set a common password. |
| Identity Vault Administrator name | ID_VAULT_ADMIN_LDAP | Specifies the relative distinguished name (RDN) of the administrator object in the tree that has full rights, at least to the context to which this server is added. |
| Identity Applications | | |
| Common password | IS_COMMON_PASSWORD | Specifies whether you want to set a common password. Ensure that the password meets the considerations specified in the Using Non-Intuitive Passwords During Configuration section. |
| Identity Vault Administrator name | ID_VAULT_ADMIN_LDAP | Specifies the relative distinguished name (RDN) of the administrator object in the tree that has full rights, at least to the context to which this server is added. |
| Hostname (FQDN in lowercase) | | Specifies the fully qualified domain name or the default IP address of the server. |
| Application Server DNS/IP address | TOMCAT_SERVLET_HOSTNAME | Specifies the IP address of the Tomcat server. |
| Identity Applications administrator name | UA_ADMIN | Specifies the name of the administrator account for the identity applications. |
| Identity Reporting | | |
| Common password | IS_COMMON_PASSWORD | Specifies whether you want to set a common password. Ensure that the password meets the considerations specified in the Using Non-Intuitive Passwords During Configuration section. |
| Identity Vault Hostname/IP Address | ID_VAULT_HOST | Specifies the IP address of the server where Identity Vault is installed. |
| Identity Vault Administrator Name | ID_VAULT_ADMIN_LDAP | Specifies the relative distinguished name (RDN) of the administrator object in the tree that has full rights, at least to the context to which this server is added. |
| Identity Vault Administrator Password | ID_VAULT_PASSWORD | Specifies the password for the Administrator object. For example, password. |
| Hostname (FQDN in lowercase) | | Specifies the fully qualified domain name or the default IP address of the server. |
| Connect to an external One SSO server | | Specifies whether you want to connect to a different One SSO server. |
| Application server DNS/IP address | TOMCAT_SERVLET_HOSTNAME | Specifies the IP address of the Tomcat server. |
| One SSO server DNS/IP address | SSO_SERVER_HOST | Specifies the IP address of the server where the single sign-on service is installed. |
| Identity Reporting One SSO Service password | RPT_SSO_SERVICE_PWD | Specifies the password for the authentication service for Identity Reporting. |
| Identity Reporting Administrator name | RPT_ADMIN | Specifies the administrator name for Identity Reporting. The default value is cn=uaadmin,ou=sa,o=data. |
| Identity Reporting database account password | RPT_DATABASE_SHARE_PASSWORD | Specifies the database account password for Identity Reporting. |
Table 4-2 describes the parameters required for configuring Identity Manager components in custom mode.
Table 4-2 Custom Configuration

| Parameter | Parameter in the Silent Properties File | Custom Configuration |
|---|---|---|
| Identity Manager Engine | | |
| Create a new Identity Vault | TREE_CONFIG | Specifies the Identity Vault to be installed. |
| Add to an Identity Vault existing on local machine | | Specifies whether you want to connect to an existing Identity Vault on the same server where you are installing Identity Manager Engine. |
| Add to an Identity Vault existing on remote machine | | Specifies whether you want to connect to an Identity Vault installed on a different server than Identity Manager Engine. |
| Identity Vault Tree Name | ID_VAULT_TREENAME | Specifies a new tree for your Identity Vault. The tree name must meet the following requirements: NOTE: If you are installing Identity Manager on OES, specify the existing tree name. |
| Identity Vault Administrator Name | ID_VAULT_ADMIN_LDAP | Specifies the relative distinguished name (RDN) of the administrator object in the tree that has full rights, at least to the context to which this server is added. |
| Identity Vault Administrator Password | ID_VAULT_PASSWORD | Specifies the password for the Administrator object. For example, password. |
| NDS var folder location | ID_VAULT_VARDIR | Specifies the path of this Identity Vault instance on this server. The default path is /var/opt/novell/eDirectory. |
| NDS data location | ID_VAULT_DIB | Specifies the path in the local system where you want to install the Directory Information Base (DIB) files. The DIB files are your Identity Vault database files. The default location is /var/opt/novell/eDirectory/data/dib. |
| NCP Port | ID_VAULT_NCP_PORT | Specifies the NetWare Core Protocol (NCP) port that the Identity Vault uses to communicate with the Identity Manager components. The default value is 524. |
| LDAP non SSL port | ID_VAULT_LDAP_PORT | Specifies the port on which the Identity Vault listens for LDAP requests in clear text. The default value is 389. |
| LDAP SSL port | ID_VAULT_LDAPS_PORT | Specifies the port on which the Identity Vault listens for LDAP requests using the Secure Sockets Layer (SSL) protocol. The default value is 636. |
| Identity Vault Context DN | ID_VAULT_SERVER_CONTEXT | Specifies the context DN of the existing Identity Vault server. The default value is servers.system. |
| Identity Vault HTTP Port | ID_VAULT_HTTP_PORT | Specifies the port on which the HTTP stack operates in clear text. The default value is 8028. |
| Identity Vault HTTPS Port | ID_VAULT_HTTPS_PORT | Specifies the port on which the HTTP stack operates using the TLS/SSL protocol. The default value is 8030. |
| NDS configuration file with path | ID_VAULT_CONF | Specifies the location of the configuration file for Identity Vault. The default value is /etc/opt/novell/eDirectory/conf/nds.conf. |
| Identity Vault driver set name | ID_VAULT_DRIVER_SET | Specifies the name for a new Identity Manager driver set object. |
| Identity Vault driver set deploy context | ID_VAULT_DEPLOY_CTX | Specifies the LDAP DN of the container where you want to create the driver set object. |
| Custom driverset ldif file path | | Specifies the path of the sample driverset.ldif file. A driver set is a container that holds Identity Manager drivers. Only one driver set can be active on a server at a time. NetIQ provides a sample-driverset.ldif file in the Identity Manager installation kit to help you create or configure a driver set. For information about using this file, see Creating and Configuring a Driver Set. |
| iManager Web Administration | | |
| HTTP Port Number for Tomcat | IMAN_TOMCAT_HTTP_PORT | Specifies the HTTP port for the Tomcat application server. The default value is 8080. |
| SSL Port Number for Tomcat | IMAN_TOMCAT_SSL_PORT | Specifies the HTTPS port for the Tomcat application server. The default value is 8443. |
| Public Key Algorithm that you want TLS certificate to use | IMAN_CERT_ALGO | Specifies whether you want to use RSA or ECDSA as the public key algorithm. By default, the public key algorithm is set to RSA. If you select RSA, the certificate uses a 2048-bit RSA key pair. If you select ECDSA, the certificate uses an ECDSA key pair with curve secp256r1. |
| Cipher Suite for TLS communication | IMAN_CIPHER_SUITE_RSA | If you select RSA, it allows the following cipher levels: |
| Administrative User Context | IMAN_USER_CONTEXT | Specifies the user name that you need to use for logging in to iManager. |
| Administrative User Tree | IMAN_DIR_TREE | Specifies the IP address of the server where the Identity Vault tree exists. |
| Identity Applications | | |
| Common password | IS_COMMON_PASSWORD | Specifies whether you want to set a common password. Ensure that the password meets the considerations specified in the Using Non-Intuitive Passwords During Configuration section. |
| Hostname (FQDN in lowercase) | | Specifies the fully qualified domain name or the default IP address of the server. NOTE: Ensure that the FQDN is specified in lower case. The server hosting your component must also be configured to use the FQDN in lower case. |
| Identity Vault Hostname/IP Address | ID_VAULT_HOST | Specifies the IP address of the server where Identity Vault is installed. |
| Identity Vault Administrator Name | ID_VAULT_ADMIN_LDAP | Specifies the relative distinguished name (RDN) of the administrator object in the tree that has full rights, at least to the context to which this server is added. |
| Identity Vault Administrator Password | ID_VAULT_PASSWORD | Specifies the password for the Administrator object. For example, password. |
| Application server DNS/IP address | TOMCAT_SERVLET_HOSTNAME | Specifies the IP address of the Tomcat server. |
| OSP custom login screen name | OSP_CUSTOM_NAME | Specifies the name that will be displayed on the OSP login screen. |
| SSPR Configuration password | CONFIGURATION_PWD | Applies only if you have set the common password to No. Specifies the password for password management used by the identity applications. |
| OAuth keystore password | OSP_KEYSTORE_PWD | Applies only if you have set the common password to No. Specifies the password that you want to create for loading the new keystore on the OAuth server. |
| User search container DN | USER_CONTAINER | Specifies the default container for all user objects in the Identity Vault. |
| Admin search container DN | ADMIN_CONTAINER | Specifies the distinguished name of the container in the Identity Vault that contains any administrator User objects that the authentication service (OSP) must authenticate. For example, o=data. |
| Application Server HTTPS port | TOMCAT_HTTPS_PORT | Specifies the HTTPS port that you want the Tomcat server to use for communication with client computers. The default value is 8543. |
| One SSO server SSL port | SSO_SERVER_SSL_PORT | Specifies the port that you want the single sign-on service to use. The default value is 8543. |
| Identity Application One SSO Service password | | Applies only if you have set the common password to No. Specifies the password for the single sign-on client used by the identity applications. |
| Identity Applications administrator name | UA_ADMIN | Specifies the name of the administrator account for the identity applications. |
| Database Platform | UA_DB_PLATFORM_OPTION | Specifies the database platform required for Identity Applications. |
| Configure PostgreSQL on current server | INSTALL_PG_DB | Specifies whether you want to configure the PostgreSQL database on the same server. |
| Identity Applications database port | UA_DB_PORT | Specifies the database port for Identity Applications. |
| Identity Applications database name | UA_DATABASE_NAME | Specifies the name of the database. The default value is idmuserappdb. |
| Identity Applications database user name | UA_DATABASE_USER | Specifies the user name for the administrator of the database for the identity applications. |
| Identity Application database JDBC jar file | UA_DB_JDBC_DRIVER_JAR | Specifies the JAR file for the database platform. |
| Create schema | UA_DB_CREATE_OPTION | Indicates when you want to create the database schema as part of the installation process. The available options are Now, Startup, and File. |
| Create a new database or upgrade/migrate from an existing database | UA_DB_NEW_OR_EXIST | Specifies whether you want to create a new database or upgrade from an existing database. |
| Use custom container as root container | ENABLE_CUSTOM_CONTAINER_CREATION | Specifies whether you want to use a custom container as the root container. By default, the installer creates o=data, chooses it as the user container, and assigns the password policies and required trustee rights. To create a custom container, choose Yes. |
| Custom container LDIF file path | | Applies only if you have set the custom container to Yes. Specifies the path of the LDIF file for the custom container. |
| Root container | ROOT_CONTAINER | Specifies the root container. The default value is o=data. |
| Group search root container DN | GROUP_ROOT_CONTAINER | Specifies the DN of the group search root container. |
| Create the User Application and Roles and Resources Services drivers for Identity Applications | UA_CREATE_DRIVERS | Specifies whether you want to install the UA and RRSD drivers. If you select N, you must specify the name of the existing User Application driver. |
| Name of the existing User Application driver | UA_DRIVER_NAME | Applies only if you have set the value for creation of the UA and RRSD drivers to No. Specifies the DN of the existing User Application driver. |
| Identity Reporting | | |
| Common password | IS_COMMON_PASSWORD | Specifies whether you want to set a common password. Ensure that the password meets the considerations specified in the Using Non-Intuitive Passwords During Configuration section. |
| Hostname (FQDN in lowercase) | | Specifies the fully qualified domain name or the default IP address of the server. NOTE: Ensure that the FQDN is specified in lower case. The server hosting your component must also be configured to use the FQDN in lower case. |
| Identity Vault Hostname/IP Address | ID_VAULT_HOST | Specifies the IP address of the server where Identity Vault is installed. |
| Identity Vault Administrator name | ID_VAULT_ADMIN_LDAP | Specifies the relative distinguished name (RDN) of the administrator object in the tree that has full rights, at least to the context to which this server is added. |
| Identity Vault Administrator password | ID_VAULT_PASSWORD | Specifies the password for the Administrator object. For example, password. |
| Connect to an external One SSO Server | | Specifies whether you want to connect to an external SSO server. |
| Application server DNS/IP address | TOMCAT_SERVLET_HOSTNAME | Specifies the IP address of the Tomcat server. |
| OSP custom login screen name | OSP_CUSTOM_NAME | Specifies the name that will be displayed on the OSP login screen. |
| User search container DN | USER_CONTAINER | Specifies the default container for all user objects in the Identity Vault. |
| Admin search container DN | ADMIN_CONTAINER | Specifies the distinguished name of the container in the Identity Vault that contains any administrator User objects that the authentication service (OSP) must authenticate. For example, o=data. |
| Application Server HTTPS port | TOMCAT_HTTPS_PORT | Specifies the HTTPS port that you want the Tomcat server to use for communication with client computers. The default value is 8543. |
| One SSO server DNS/IP address | SSO_SERVER_HOST | Specifies the IP address of the server where the single sign-on service is installed. |
| One SSO server SSL port | SSO_SERVER_PORT | Specifies the port that you want the single sign-on service to use. The default value is 8543. |
| OAuth Keystore Password | OSP_KEYSTORE_PWD | Specifies the OAuth keystore password. |
| Application Server Keystore Password | TOMCAT_SSL_KEYSTORE_PASS | Specifies the keystore password for the application server. |
| Identity Reporting One SSO Service password | RPT_SSO_SERVICE_PWD | Specifies the password for the authentication service for Identity Reporting. |
| Select the database platform for Identity Reporting | RPT_DATABASE_PLATFORM_OPTION | Specifies the database that you want to use for Identity Reporting. |
| Configure PostgreSQL on current server | INSTALL_PG_DB_FOR_REPORTING | Specifies whether you want to configure the PostgreSQL database on the same server. |
| Identity Reporting database account password | RPT_DATABASE_SHARE_PASSWORD | Specifies the database account password for Identity Reporting. |
| Create a new database or upgrade/migrate from an existing database | RPT_DATABASE_NEW_OR_EXIST | Specifies whether you want to create a new database or upgrade from an existing database. |
| Identity Reporting Administrator name | RPT_ADMIN | Specifies the administrator name for Identity Reporting. The default value is cn=uaadmin,ou=sa,o=data. |
| Identity Reporting Administrator password | RPT_ADMIN_PWD | Specifies the administrator password for Identity Reporting. |
| Identity Reporting database name | RPT_DATABASE_NAME | Specifies the database name for Identity Reporting. The default value is idmrptdb. |
| Identity Reporting database user | RPT_DATABASE_USER | Specifies the administration account that allows Identity Reporting to access and modify data in the databases. The default value is rptadmin. |
| Identity Reporting database host | | Specifies the DNS name or IP address of the server where the database has to be created. |
| Identity Reporting database port | RPT_DATABASE_PORT | Specifies the port to connect to the database. The default port is 5432. |
| Identity Application database JDBC jar file | RPT_DATABASE_JDBC_DRIVER_JAR | Specifies the JAR file for the database platform. |
| Create schema | RPT_DATABASE_CREATE_OPTION | Indicates when you want to create the database schema as part of the installation process. The available options are Now, Startup, and File. If you select the database schema creation option as Startup or File, you must manually add the datasource to the Identity Data Collection Services page. For more information, see Manually Adding the DataSource in the Identity Data Collection Services Page. If your database is running on a separate server, you must connect to that database. For a remotely installed PostgreSQL database, verify that the database is running. To connect to a remote PostgreSQL database, see Connecting to a Remote PostgreSQL Database. If you are connecting to an Oracle database, ensure that you have created an Oracle database instance. For more information, see the Oracle documentation. If you select the database schema creation option as Startup or File, you must manually create the tables and connect to the database after the configuration. For more information, see Manually Generating the Database Schema. |
| Default email address | RPT_DEFAULT_EMAIL_ADDRESS | Specifies the email address that you want Identity Reporting to use as the origination for email notifications. |
| SMTP Server | RPT_SMTP_SERVER | Specifies the IP address or DNS name of the SMTP email host that Identity Reporting uses for notifications. |
| SMTP Server port | RPT_SMTP_SERVER_PORT | Specifies the port number for the SMTP server. The default port is 465. |
| Create the MSGW and DCS drivers for Identity Reporting | RPT_CREATE_DRIVERS | Specifies whether you want to create the MSGW and DCS drivers. |
Use the sample-driverset.ldif file from the IDM/LDIF/ directory of the Identity Manager installation kit to help you create a driver set. The file has the following contents:

```ldif
dn: cn=driverset1,o=system
changetype: add
DirXML-LogLimit: 0
DirXML-ConfigValues:: PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48Y29u
 ZmlndXJhdGlvbi12YWx1ZXM+Cgk8ZGVmaW5pdGlvbnMvPgo8L2NvbmZpZ3VyYXRpb24tdmFsdWVzPg==
objectClass: DirXML-DriverSet
objectClass: Top
objectClass: Partition
objectClass: nsimPasswordPolicyAux

dn: cn=DirXML-PasswordPolicy,cn=Password Policies,cn=Security
changetype: add
nsimPwdRuleEnforcement: FALSE
nspmSpecialAsLastCharacter: TRUE
nspmSpecialAsFirstCharacter: TRUE
nspmSpecialCharactersAllowed: TRUE
nspmNumericAsLastCharacter: TRUE
nspmNumericAsFirstCharacter: TRUE
nspmNumericCharactersAllowed: TRUE
description: This Password Policy is used by IDM Engine
nspmMaximumLength: 64
nspmConfigurationOptions: 596
passwordUniqueRequired: FALSE
passwordMinimumLength: 1
passwordAllowChange: TRUE
objectClass: nspmPasswordPolicy
objectClass: Top
cn: DirXML-PasswordPolicy
nsimAssignments: cn=driverset1,o=system
```
In a text editor, open the sample-driverset.ldif file and make the following changes:

1. Point the driver set DN to the new driver set. For example, change dn: cn=driverset1,o=system to dn: cn=Driverset47,ou=drivers,o=acme.
2. Change the nsimAssignments attribute value to the DN of the new driver set. For example, change nsimAssignments: cn=driverset1,o=system to nsimAssignments: cn=Driverset47,ou=drivers,o=acme.

NOTE: Copying the content as is might insert some hidden special characters into the file. If you receive an ldif_record() = 17 error message when you add these attributes to the Identity Vault, insert an extra space between the two DNs.
If Identity Manager is already installed on a server in the eDirectory tree, the DirXML-PasswordPolicy object exists in the tree. You have the following choices:

Use the existing password policy. Change the DirXML-PasswordPolicy record to:

```ldif
dn: cn=DirXML-PasswordPolicy,cn=Password Policies,cn=Security
changetype: modify
add: nsimAssignments
nsimAssignments: cn=driverset1,o=system
```

Use a different password policy. Use:

```ldif
dn: cn=DirXML-PasswordPolicy,cn=Password Policies,cn=Security
changetype: add
```

In a text editor, open the sample-driverset.ldif file and make the following changes:

1. Point the driver set DN to the new driver set.
2. Change the nsimAssignments attribute value to the DN of the new driver set.
3. Change the DirXML-PasswordPolicy attribute to point to the existing DirXML-PasswordPolicy object or a different password policy.
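The edits described in the two procedures above, as an added Python example that is not NetIQ's own tooling: it retargets a copy of sample-driverset.ldif to a new driver set DN, emits the changetype: modify form for trees where DirXML-PasswordPolicy already exists, and refuses input containing the hidden characters the note warns about. The embedded LDIF is a constructed, shortened copy of the sample shown above; cn=Driverset47,ou=drivers,o=acme is the page's own example DN.

```python
"""Retarget sample-driverset.ldif to a new driver set.

Added example, not NetIQ's tooling: rewrites the driver set DN and
nsimAssignments, emits the 'changetype: modify' form when the
DirXML-PasswordPolicy object already exists, and rejects hidden characters.
"""
import re

# Constructed, shortened copy of the sample file; the base64 DirXML-ConfigValues
# value keeps its LDIF continuation line (leading space), which must survive.
SAMPLE_LDIF = """\
dn: cn=driverset1,o=system
changetype: add
DirXML-LogLimit: 0
DirXML-ConfigValues:: PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48Y29u
 ZmlndXJhdGlvbi12YWx1ZXM+Cgk8ZGVmaW5pdGlvbnMvPgo8L2NvbmZpZ3VyYXRpb24tdmFsdWVzPg==
objectClass: DirXML-DriverSet
objectClass: Top
objectClass: Partition
objectClass: nsimPasswordPolicyAux

dn: cn=DirXML-PasswordPolicy,cn=Password Policies,cn=Security
changetype: add
nsimPwdRuleEnforcement: FALSE
objectClass: nspmPasswordPolicy
cn: DirXML-PasswordPolicy
nsimAssignments: cn=driverset1,o=system
"""

OLD_DN = "cn=driverset1,o=system"
POLICY_DN = "cn=DirXML-PasswordPolicy,cn=Password Policies,cn=Security"
# Anything outside printable ASCII (plus tab/CR/LF) counts as a hidden character.
HIDDEN = re.compile(r"[^\x09\x0a\x0d\x20-\x7e]")


def find_hidden_chars(text):
    """Return 1-based line numbers that contain hidden or non-ASCII characters."""
    return [n for n, line in enumerate(text.splitlines(), 1) if HIDDEN.search(line)]


def split_records(text):
    """Split LDIF into records (lists of lines) on blank lines."""
    records, current = [], []
    for line in text.splitlines():
        if line.strip():
            current.append(line)
        elif current:
            records.append(current)
            current = []
    return records + ([current] if current else [])


def rewrite(text, new_dn, old_dn=OLD_DN, policy_exists=False):
    """Return the LDIF with every reference to old_dn pointed at new_dn."""
    bad = find_hidden_chars(text)
    if bad:
        raise ValueError(f"hidden characters on line(s) {bad}")
    out = []
    for rec in split_records(text):
        dn = rec[0].split(":", 1)[1].strip()
        if dn == old_dn:
            rec[0] = f"dn: {new_dn}"
        elif dn == POLICY_DN and policy_exists:
            # Policy already in the tree: only add the new assignment to it.
            rec = [rec[0], "changetype: modify", "add: nsimAssignments",
                   f"nsimAssignments: {new_dn}"]
        rec = [f"nsimAssignments: {new_dn}" if line == f"nsimAssignments: {old_dn}"
               else line for line in rec]
        out.append("\n".join(rec))
    return "\n\n".join(out) + "\n"
```

Run find_hidden_chars on the pasted file before loading it; a non-empty result points at the lines to retype.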