2.1 About the Identity Reporting Installation Process

The process of installing the Identity Reporting Module requires that you run two separate install programs:

You need to run the EAS install program before running the Identity Reporting Module.

NOTE: You must have the Roles Based Provisioning Module (RBPM) installed and configured before beginning the installation of the reporting module. You must also install the User Application driver and assign the Report Administrator role to any users you want to be able to access the reporting module.

The remaining topics in this section provide instructions for running the stand-alone versions of each of these install programs. You can also use the Integrated Installer for Identity Manager, which runs these install programs for you. For more information, see the Identity Manager 4.0.2 Integrated Installation Guide.

The Identity Reporting Module relies on the following drivers:

These drivers are installed automatically by the Integrated Installer for Identity Manager, so the steps provided in this section are only necessary if you are running the stand-alone versions of the install programs.

2.1.1 System Requirements

The Event Auditing Service (EAS) runs on SUSE Linux Enterprise Server 11 (32-bit and 64-bit), as well as Red Hat Enterprise Linux 5.7 and 6.0 (32-bit and 64-bit). You need to launch the installer for EAS on a SUSE Linux Enterprise Server or Red Hat Enterprise Linux machine.

NOTE: EAS requires that ksh be installed on the SLES machine. A standard installation of SLES includes ksh. If you remove it, the init.d script will not execute properly.

The reporting module can be installed and run in a variety of environments.

IMPORTANT: The reporting module must have an exclusive EAS running on a separate Linux machine. You cannot have multiple reporting instances communicating with a single EAS environment.

To use the reporting module, you must meet the system requirements listed in Table 2-1. Certified platforms have been fully tested. Supported platforms are expected to be functional, but have not been fully tested.

Table 2-1 System Requirements for the Identity Reporting Module

Required System Component

System Requirements

Application Server

The reporting module runs on JBoss, WebSphere, and WebLogic.

The reporting module with JBoss Enterprise Application Platform 5.1.2 (or JBoss Community Edition 5.1.0) requires JRE 1.6.0_31 from Sun and is certified on:

  • Windows Server 2003 SP2 (32-bit)

  • Windows Server 2008 R2 SP1 (64-bit only)

  • Windows Server 2008 SP2 (32-bit and 64-bit)

  • Open Enterprise Server 2 SP3 (32-bit and 64-bit)

  • Open Enterprise Server 11 (64-bit only)

  • SUSE Linux Enterprise Server 10 SP4 (32-bit and 64-bit)

  • SUSE Linux Enterprise Server 11 SP1 (32-bit and 64-bit)

  • Red Hat Linux 5.7 (32-bit and 64-bit)

  • Red Hat Enterprise Linux 6.0 (32-bit and 64-bit)

The reporting module on WebSphere 7.0 requires the IBM J9 VM (build 2.4, J2RE 1.6.0). It is certified on these platforms:

  • Windows Server 2003 SP2 (32-bit only)

  • Windows Server 2008 R2 SP1 (64-bit only)

  • Windows Server 2008 SP2 (32-bit and 64-bit)

  • Open Enterprise Server 2 SP3 (32-bit and 64-bit)

  • Open Enterprise Server 11 (64-bit only)

  • SUSE Linux Enterprise Server 10 SP4 (32-bit and 64-bit)

  • SUSE Linux Enterprise Server 11 SP1 (32-bit and 64-bit)

  • Red Hat Linux 5.7 (32-bit and 64-bit)

  • Red Hat Enterprise Linux 6.0 (32-bit and 64-bit)

The reporting module on WebLogic 10.3.5 (11gR1) requires JRockit JVM 1.6.0_05 and is certified on these platforms:

  • Windows Server 2003 SP2 (32-bit)

  • Windows Server 2008 R2 SP1 (64-bit)

  • Windows Server 2008 SP2 (32-bit and 64-bit)

  • Open Enterprise Server 2 SP3 (32-bit and 64-bit)

  • Open Enterprise Server 11 (64-bit only)

  • SUSE Linux Enterprise Server 10 SP4 (32-bit and 64-bit)

  • SUSE Linux Enterprise Server 11 SP1 (32-bit and 64-bit)

  • Red Hat Linux 5.7 (32-bit and 64-bit)

  • Red Hat Enterprise Linux 6.0 (32-bit and 64-bit)

Virtualization

The reporting module supports virtualization on the following platforms as long as the guest operating system is one that is certified by the User Application:

  • Red Hat Enterprise Linux Virtualization

  • Xen

  • VMware ESX/ESXi

  • Windows Server 2008 R2 Virtualization with Hyper-V

Database Server

PostgreSQL 8.4.3. (This is the only database certified with the reporting module.)

Metadirectory

eDirectory 8.8.7 with Identity Manager 4.0.2

For the list of certified operating systems, see the Identity Manager and eDirectory documentation.

Browser

The User Application is certified with both Firefox and Internet Explorer, as described below.

Firefox 9 is certified on:

  • Windows XP with SP3

  • Windows 7

  • SUSE Linux Enterprise Desktop 11

  • SUSE Linux Enterprise Server 11

  • Novell OpenSUSE 11.2

  • Apple Mac

Internet Explorer 8 is certified on:

  • Windows XP with SP3

Internet Explorer 9 is certified on:

  • Windows 7

Uninstalling EAS or the Identity Reporting Module

In order to conserve disk space, the installation programs for EAS and the Identity Reporting Module do not install a Java virtual machine (JVM). Therefore, if you need to uninstall one or more components, you need to be sure you have a JVM available and also make sure that the JVM is in the PATH. If you encounter an error during an uninstall, add the location of a JVM to the local PATH environment variable and run the uninstall program again.

2.1.2 About the EAS Installer

The installer for the Event Auditing Service (EAS) performs these functions:

  • Installs and optionally configures the service

  • Configures the user who is able to perform administration tasks for the service

  • Configures the DBA used by the service to interact with the database

  • Allows you to define the port on which the PostgreSQL database runs

EAS runs on SUSE Linux Enterprise Server 11, as well as Red Hat Enterprise Linux 6.0 (32-bit and 64-bit). You need to launch the installer for EAS on one of these certified platforms.

Check the clocks before running the EAS installer

If the times of your machines are not in synchronization when you install the Event Auditing Service (EAS), there may be problems with your configuration. You cannot install EAS on Windows. It must be installed on Linux. Therefore, the Linux server where EAS is installed must be synchronized with the machine where you are installing the rest of your components.

Prerequisites for Red Hat Enterprise Linux or SUSE Linux

This section outlines several prerequisites for installing EAS on Red Hat Enterprise Linux or SUSE Linux. Before installing EAS on RHEL or SLES, ensure that these prerequisites are met.

These prerequisites apply to RHEL 5.7 and 6.0.

Verify that the hostname returns properly

For the installer to work properly, the Linux system must be able to return its hostname. To ensure this, add the hostname to the line in the /etc/hosts file that contains the IP address (for example, 127.0.0.1), then enter hostname -f to make sure that the hostname is displayed properly.

Change the Kernel SHMMAX Parameter to Enable PostgreSQL

You must change the kernel SHMMAX parameter to enable the database to run on the Linux server. To change the kernel SHMMAX parameter on RHEL 6.x, append the following information to the /etc/sysctl.conf file.

# for Sentinel Postgresql
kernel.shmmax=1073741824

NOTE: The value shown above for the kernel SHMMAX parameter is a minimum value. Your system may require more memory.

To set the SHMMAX parameter on RHEL 6.0, execute these commands:

cd /proc/sys/kernel
echo new_val_to_set > shmmax

For more information, see Managing Kernel Resources in the PostgreSQL documentation.

Configure the Firewall for Syslog Port Forwarding

If you want to forward the syslog file, you must configure the server for port forwarding. The installers give you the option to configure the server. However, if you are not able to configure the server during the installation process, execute the following command:

iptables -t nat -A PREROUTING -p udp --destination-port 514 -j REDIRECT --to-ports 1514

Check for OpenSSL libraries version changes

EAS requires OpenSSL libraries, usually libssl.so.0.9.8 and libcrypto.so.0.9.8. Before installing EAS, check whether the versions of the installed .so files match. If they do not, create a soft link.

In Red Hat Enterprise Linux 6.x, these libraries are found under /usr/lib and /usr/lib64 for 32-bit and 64-bit operating systems, respectively. RHEL 6.x may also use a bundled upgrade version such as: libssl.so.1.0.0.

ln -s libssl.so.1.0.0 libssl.so.0.9.8
ln -s libcrypto.so.1.0.0 libcrypto.so.0.9.8

In Red Hat Enterprise Linux 5.x, these libraries are found under /lib and /lib64 for 32-bit and 64-bit OS respectively.

ln -s libssl.so.0.9.8e libssl.so.0.9.8
ln -s libcrypto.so.0.9.8e libcrypto.so.0.9.8

Check KornShell availability

KornShell is usually bundled with all of the Linux operating system environments. However, you should make sure it is installed, since some of the installation scripts use KornShell (found at /bin/ksh).
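
The prerequisites above can be verified in one pass before launching the EAS installer. The following script is an added example, not part of the product or its documentation; the function names, the optional root prefix, and the /usr/lib64 default are assumptions of the example. It checks the persisted and the running kernel.shmmax values separately and treats a soft link whose target is missing as a failure.

```sh
#!/bin/sh
# Added example: preflight for the EAS prerequisites in this section.
# Function names and the optional <root> prefix are assumptions of this example.
SHMMAX_MIN=1073741824   # minimum kernel.shmmax given in this section

# Succeeds if <name> appears as a hostname or alias in the hosts file <file>.
hosts_has_name() {
    awk -v n="$2" '{ sub(/#.*/, ""); for (i = 2; i <= NF; i++) if ($i == n) f = 1 }
        END { exit !f }' "$1"
}

# Prints the last kernel.shmmax value assigned in a sysctl.conf-style file.
sysctl_shmmax() {
    sed -n 's/^[[:space:]]*kernel\.shmmax[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" |
        tail -n 1
}

# Succeeds if <value> is a number that meets the documented minimum.
shmmax_ok() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge "$SHMMAX_MIN" ]
}

# Succeeds if both 0.9.8 sonames resolve to real files in <dir>.
# A soft link whose target is missing (dangling) counts as a failure.
openssl_libs_ok() {
    [ -e "$1/libssl.so.0.9.8" ] && [ -e "$1/libcrypto.so.0.9.8" ]
}

# Usage: eas_preflight [root] [hostname] [libdir]; returns the number of failures.
eas_preflight() {
    root=${1:-}; name=${2:-$(hostname)}; lib=${3:-/usr/lib64}; fails=0
    check() {   # check <description> <command> [args...]
        desc=$1; shift
        if "$@" 2>/dev/null; then echo "OK   $desc"
        else echo "FAIL $desc"; fails=$((fails + 1)); fi
    }
    check "$name listed in /etc/hosts" hosts_has_name "$root/etc/hosts" "$name"
    check "kernel.shmmax persisted in /etc/sysctl.conf" \
        shmmax_ok "$(sysctl_shmmax "$root/etc/sysctl.conf" 2>/dev/null)"
    check "kernel.shmmax in the running kernel" \
        shmmax_ok "$(cat "$root/proc/sys/kernel/shmmax" 2>/dev/null)"
    check "OpenSSL 0.9.8 sonames in $lib" openssl_libs_ok "$root$lib"
    check "KornShell at /bin/ksh" test -x "$root/bin/ksh"
    return "$fails"
}
```

Source the file and run eas_preflight with no arguments to check the live system; on a 32-bit RHEL 6.x host pass /usr/lib as the third argument, and on RHEL 5.x pass /lib or /lib64.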

2.1.3 About the Identity Reporting Installer

The installer for the reporting module performs these functions:

  • Allows you to choose an application server platform

  • Deploys the client WAR file to the application server

    This WAR file contains the user interface components for reporting.

  • Deploys the core WAR file

    This WAR file contains the core REST services needed for reporting.

  • Deploys the authentication services WAR file

    This WAR file contains the authentication services, which control authentication to the reporting module.

  • Defines the location of the server for the Event Auditing Service (installed separately)

  • Creates the reporting schema in the Security Information and Event Management (SIEM) database

  • Configures the PostgreSQL JDBC driver that connects to the SIEM database

  • Configures the authentication services for the reporting module

  • Configures the e-mail delivery system for the reporting module

  • Configures the core reporting services for the reporting module

Check the clocks before running the reporting installer

Before running the installer, be sure that all servers have the same time. If the times of your machines are not in synchronization when you install the Identity Reporting Module, some reports might be empty when executed. This might occur if the Metadirectory and reporting servers are running on different machines, and the time stamp value of the Metadirectory server is ahead compared to the reporting server. This happens only for new users when the time between the servers is out of synchronization. If a user is created and then modified, the reports are populated with data.

Changing from Standard Edition to Advanced Edition

If you change from the Standard Version to the Advanced Edition, the version change for the reporting module might not show immediately. The version change occurs after the next batch of events is processed.

2.1.4 Users Created During the Installation Process

The EAS installation process creates a novell group and novell user. The novell user is created without a password. If you want to log in as the novell user later (for example, to install patches), create a password for this user after the installation is completed.

In addition, when you install EAS and the Identity Reporting Module, the following database users are created automatically:

Table 2-2 Database Users Created By the Install Process

| User name | Description |
|---|---|
| dbauser | Administrator of the PostgreSQL server and owner of the EAS schema and views. |
| admin | User identity for use with EAS administrative utilities. |
| idmrptsrv and idmrptuser | Owner of the Identity Reporting schema and views, as well as credentials used for Identity Reporting database connectivity. |
| rptuser and appuser | Reserved for compatibility with Sentinel. |