Overview #

This page provides some clarification and a quick overview of IDM 4.0.1 and the integrated installer when doing a "silent" (no GUI) install and configuration.

Terminology#

The installer uses some terminology that we had not seen before, so we start by putting everyone in the same context.

Metadirectory Server #

When Novell refers to the Metadirectory Server, it means the Identity Vault, IDM Engine and/or Remote Loader. The Metadirectory Server processes the events from the drivers. The Identity Vault is installed automatically during the installation of Identity Manager. The properties files refer to this component as "UID_IDM_FRAMEWORK".

User Application#

The Identity Manager User Application is your view into the information, roles, resources, and capabilities of Identity Manager.

The Roles Based Provisioning Module 4.0.1 by default uses JBoss 5.1 as the application server and PostgreSQL 8.4.3 or 9 for the database. The User Application is also referred to as the "Roles Based Provisioning Module (RBPM)" and as "UID_RBPM" in the properties files.

Auditing and Reporting#

By adding auditing and reporting, you can meet compliance standards that many companies must abide by. You can create audit trails for any events you need to track, and you can generate reports to meet audit standards for your company. The Identity Reporting Module and Novell Sentinel are two different tools used to gather auditing and reporting information about Identity Manager.

The Identity Reporting Module is a component of the Identity Manager 4.0.1. Novell Sentinel is not bundled with the Identity Manager, but it is an optional component you can add to your Identity Manager system.

The Identity Reporting Module requires that you run two separate install programs, one for the reporting module and one for EAS. The Reporting Module is also referred to as the "UID_REPORTING" in the properties files.

Event Auditing Service (EAS) #

The Event Auditing Service (EAS) is an appliance that runs on SUSE Linux Enterprise Server 11 (32-bit and 64-bit), so you need to launch the EAS installer on a SUSE Linux Enterprise Server machine. The EAS should be installed before the Identity Reporting Module, and on a separate server from any other components.

The EAS is also referred to as the "UID_EAS" in the properties files.

Reporting Module#

The Reporting Module generates reports that show critical business information about various aspects of your Identity Manager configuration, including information collected from Identity Vaults and managed systems such as Active Directory or SAP. The reporting module provides a set of predefined report definitions you can use to generate reports. In addition, it gives you the option to import custom reports defined in a third-party tool. The user interface for the reporting module makes it easy to schedule reports to run at off-peak times to optimize performance.

The core of the reporting module is the Identity Information Warehouse. The warehouse is an intelligent repository of information about the actual state and the desired state of the Identity Vault and the managed systems within an organization. By querying the warehouse, you can retrieve the information you need to show that your organization is in compliance with relevant business laws and regulations. The warehouse gives you a 360-degree view of your business entitlements, showing the past and present state of authorizations and permissions granted to identities in your organization, so that you can answer even sophisticated Governance, Risk and Compliance (GRC) queries.

Identity Information Warehouse#

The Identity Information Warehouse uses two new drivers to collect data about an organization:
  • Data Collection Service Driver - The Data Collection Service Driver uses a push model to collect data about changes made to user accounts, roles, resources, group memberships, and other objects in the vault.
  • Managed System Gateway Driver - The Managed System Gateway Driver can pull information from any managed system that has been enabled for data collection in Identity Manager 4.0.1, as long as it supports entitlements.

NOTE: You must have the Roles Based Provisioning Module (RBPM) installed before beginning the installation of the reporting module. The reason for this is that the RBPM and the reporting module need to be installed on the same application server so that they can share a secure SSL connection.


Workstation Components#

We do not cover these.

Designer#

We do not cover this.

Analyzer#

We do not cover this.

Role Mapping Administrator#

We do not cover this.

Pre-Installation Steps#

There are a couple of pre-installation steps we took before starting that made things go more smoothly.

If you must use an existing structure in the IDV, be careful where in your tree you place the User Application container.

Create at least one user to which you will assign all "system" roles. This user can later assign the roles to other users as needed. Keep in mind that this account is highly privileged: give it a strong password and treat it as an administrative account.

We created the following account in the IDV:

cn=ua-admin,ou=Services,o=willeke

Create Installation Directories#

On each target server, create the following directories:
mkdir /root/install/propfiles
mkdir /media/cdrom
mkdir /root/downloads

Copy the DVD image:#

Copy the ISO (we used Identity_Manager_4.0.1_Linux_Advanced.iso) to:
/root/downloads

Mount the ISO with the following command:
mount -o loop -t iso9660 /root/downloads/Identity_Manager_4.0.1_Linux_Advanced.iso /media/cdrom

Integrated Installer#

The integrated installer allows everything to be installed in silent mode, with no GUI required. Everything is configured in properties files for the product or products you wish to install on a given server.

When doing a silent install, the procedure uses an install-then-configure approach: install.bin lays down the selected products, and configure.bin is run separately afterwards with its own properties file.

Installing#

Each server role uses a slightly different install.properties file.

If you followed the setup above, you will find the sample install.properties file from the Identity_Manager_4.0.1_Linux_Advanced.iso at:

/media/cdrom/install/propfiles

We copied this directory to a writable location so we could edit and rename the files (the mounted ISO is read-only, and cp needs -r to copy a directory):

cp -r /media/cdrom/install/propfiles/. /root/install/propfiles/

Comment out Some Lines#

At the top of the sample install.properties file, comment out (prefix with #) the line:
SELECTED_PRODUCTS=UID_IDM_FRAMEWORK,UID_RBPM,UID_RMA,UID_IMANAGER,UID_DESIGNER,UID_ANALYZER,UID_REPORTING,UID_EAS

IDV#

You can edit this line to contain each product you wish to install on a given type of server. As an example, on the client we were working with, we decided on the following servers:
  • IDV - The IDV servers would each have the following products installed:
    • UID_IDM_FRAMEWORK - Metadirectory Server
    • UID_IMANAGER - iManager
So we set the line to be:
SELECTED_PRODUCTS=UID_IDM_FRAMEWORK,UID_IMANAGER

We used a file named install-idv.properties for this install.

AUTH#

  • AUTH - The AUTH servers would each have the following products installed:
    • UID_IDM_FRAMEWORK - Metadirectory Server
    • UID_IMANAGER - iManager
So we set the line to be:
SELECTED_PRODUCTS=UID_IDM_FRAMEWORK,UID_IMANAGER
We used a file named install-auth.properties for this install.

EAS#

  • EAS - The EAS servers would each have the following products installed:
    • UID_EAS - Event Auditing Service
So we set the line to be:
SELECTED_PRODUCTS=UID_EAS
We used a file named install-eas.properties for this install.

User Application #

  • UA - The UA servers would each have the following products installed:
    • UID_REPORTING - Identity Reporting Module

NOTE: You must have the Roles Based Provisioning Module (RBPM) installed before beginning the installation of the reporting module. The reason for this is that the RBPM and the reporting module need to be installed on the same application server so that they can share a secure SSL connection.

SELECTED_PRODUCTS=UID_REPORTING
We used a file named install-ua.properties for this install.

Identity Reporting Module#

  • REPORTING - The REPORTING servers would each have the following products installed:
    • UID_REPORTING - Identity Reporting Module

The RBPM note above applies here as well: the reporting module must be installed on the same application server as an already-installed RBPM.

SELECTED_PRODUCTS=UID_REPORTING
We used a file named install-reporting.properties for this install.

Install then Configure#

We decided not to install and configure in one pass, even though the integrated installer is capable of continuing straight into the configuration. To prevent this, we set the parameter near the bottom of the file:
CONTINUE_CONFIGURE=false

The rest of the file can remain unchanged.

The Install#

We then went to each server and, with the appropriate properties file, ran the following as root:
cd /media/cdrom/
./install.bin -i silent -f /root/install/propfiles/<install-???.properties>

Configure #

Configure properties files#

You can create one "master" configure.properties file and then, with slight modifications per server role, configure all the products from that same file.

We used the file configure_existing_tree.properties as a template. Again, at the top of the sample configure_existing_tree.properties file, comment out the line:

SELECTED_PRODUCTS=UID_IDM_FRAMEWORK,UID_RBPM,UID_RMA,UID_IMANAGER,UID_DESIGNER,UID_ANALYZER,UID_REPORTING,UID_EAS

We rigorously filled out every parameter that we could figure out. Note that this file holds the administrative passwords for the tree and the products in clear text, so keep it readable by root only and remove it from the server once the configuration succeeds.

You can edit this line to contain each product you wish to configure on a given type of server. As an example, on the client we were working with, we decided on the following servers:

IDV#

  • IDV - The IDV servers would each have the following products installed:
    • UID_IDM_FRAMEWORK - Metadirectory Server
    • UID_IMANAGER - iManager
So we set the line to be:
SELECTED_PRODUCTS=UID_IDM_FRAMEWORK,UID_IMANAGER

We used a file named configure-idv.properties for this install.

AUTH Tree#

  • AUTH - The AUTH servers would each have the following products installed:
    • UID_IDM_FRAMEWORK - Metadirectory Server
    • UID_IMANAGER - iManager
So we set the line to be:
SELECTED_PRODUCTS=UID_IDM_FRAMEWORK,UID_IMANAGER
We used a file named configure-auth.properties for this install.

EAS#

  • EAS - The EAS servers would each have the following products installed:
    • UID_EAS - Event Auditing Service
So we set the line to be:
SELECTED_PRODUCTS=UID_EAS
We used a file named configure-eas.properties for this install.

User Application#

  • UA - The UA servers would each have the following products installed:
    • UID_RBPM - Roles Based Provisioning Module(RBPM)
    • UID_REPORTING - Identity Reporting Module
SELECTED_PRODUCTS=UID_RBPM,UID_REPORTING
We used a file named configure-ua.properties for this install.

The rest of the file can remain unchanged for each server.

The Configure#

We then went to each server and, with the appropriate properties file, ran the following as root:
cd /media/cdrom/
./configure.bin -i silent -f /root/install/propfiles/<configure-???.properties>

Post Configuration Tasks#

The integrated installer does not appear to create eDirectory partitions. Create partitions on the new server as desired.

You will also need to add the "new" IDM server to the existing driver set.

Bug 737757#

The bug is titled "Identity Manager Integrated Installer fails install into tree, missing IA_IDVAULT_EXISTING_IP_ADDRESS_VISIBLE". We ran into it when we tried to perform the configure for UID_IDM_FRAMEWORK.

Apparently a parameter is required that is not documented. Its value appears to be the same as IA_IDVAULT_EXISTING_IP_ADDRESS:

IA_IDVAULT_EXISTING_IP_ADDRESS_VISIBLE=<server ip address>

With the help of Aaron Burgemeister and David Gersic we were able to enter Bug 737757 on this issue.

Once the IA_IDVAULT_EXISTING_IP_ADDRESS_VISIBLE parameter was set, we observed no further anomalies.
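The manual edits described in the Installing and Configure sections above (comment out the shipped SELECTED_PRODUCTS line and set a per-role one, set CONTINUE_CONFIGURE=false in the install file, and add the IA_IDVAULT_EXISTING_IP_ADDRESS_VISIBLE workaround for bug 737757 in the configure file) are easy to get subtly wrong when repeated across four server roles. The following POSIX shell script is an added example, not part of the original page and not Novell's tooling; it scripts those edits against the sample files and adds two checks a practitioner would want before handing a file to install.bin or configure.bin: that exactly one active SELECTED_PRODUCTS line remains, and that the file is readable by its owner only, since the configure properties file carries passwords in clear text. The file paths, the role names and the constructed sample contents are assumptions; only the key names SELECTED_PRODUCTS, CONTINUE_CONFIGURE, IA_IDVAULT_EXISTING_IP_ADDRESS and IA_IDVAULT_EXISTING_IP_ADDRESS_VISIBLE and the product identifiers come from this page.

```sh
#!/bin/sh
# Added example (not from the page or from Novell): build per-role
# install-<role>.properties and configure-<role>.properties files from the
# sample files shipped on the ISO. Paths are whatever the caller passes; the
# /root/install/propfiles locations in the usage comment are the ones this page uses.

# set_key FILE KEY VALUE
# Comment out every active "KEY=" line and append "KEY=VALUE", so exactly one
# active definition of KEY remains rather than two definitions whose precedence
# we would have to guess at.
set_key() {
    _file=$1 _key=$2 _value=$3
    sed "s/^\($_key=.*\)$/#\1/" "$_file" > "$_file.tmp" && mv "$_file.tmp" "$_file"
    printf '%s=%s\n' "$_key" "$_value" >> "$_file"
}

# get_key FILE KEY: print the value of the last active "KEY=" line, or nothing.
get_key() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# make_install_props SAMPLE OUT PRODUCTS
# Install stage only: select the products and stop before configuration.
make_install_props() {
    cp "$1" "$2"
    set_key "$2" SELECTED_PRODUCTS "$3"
    set_key "$2" CONTINUE_CONFIGURE false
    chmod 600 "$2"
}

# make_configure_props TEMPLATE OUT PRODUCTS
# Configure stage: select the products; when UID_IDM_FRAMEWORK is among them,
# mirror IA_IDVAULT_EXISTING_IP_ADDRESS into the undocumented
# IA_IDVAULT_EXISTING_IP_ADDRESS_VISIBLE key (workaround for bug 737757).
make_configure_props() {
    cp "$1" "$2"
    set_key "$2" SELECTED_PRODUCTS "$3"
    case ",$3," in
    *,UID_IDM_FRAMEWORK,*)
        _ip=$(get_key "$2" IA_IDVAULT_EXISTING_IP_ADDRESS)
        if [ -z "$_ip" ]; then
            echo "$2: IA_IDVAULT_EXISTING_IP_ADDRESS is not set in the template" >&2
            rm -f "$2"
            return 1
        fi
        set_key "$2" IA_IDVAULT_EXISTING_IP_ADDRESS_VISIBLE "$_ip"
        ;;
    esac
    chmod 600 "$2"   # the configure file holds passwords in clear text
}

# check_props FILE
# Sanity checks before running install.bin / configure.bin -i silent -f FILE.
# Returns non-zero and prints the reason on failure.
check_props() {
    _n=$(grep -c '^SELECTED_PRODUCTS=' "$1" || true)
    if [ "$_n" -ne 1 ]; then
        echo "$1: expected exactly 1 active SELECTED_PRODUCTS line, found $_n" >&2
        return 1
    fi
    # ls mode string: type + owner bits, then six group/other bits that must all be '-'
    case "$(ls -ld "$1")" in
    ????------*) ;;
    *) echo "$1: readable by group or other; it may contain passwords" >&2; return 1 ;;
    esac
    return 0
}

# Usage on a server of role "idv", with the samples copied from
# /media/cdrom/install/propfiles to /root/install/propfiles as on this page:
#   make_install_props   /root/install/propfiles/install.properties \
#                        /root/install/propfiles/install-idv.properties \
#                        UID_IDM_FRAMEWORK,UID_IMANAGER
#   make_configure_props /root/install/propfiles/configure_existing_tree.properties \
#                        /root/install/propfiles/configure-idv.properties \
#                        UID_IDM_FRAMEWORK,UID_IMANAGER
#   check_props /root/install/propfiles/configure-idv.properties
```

Run the two make_ functions once per role (idv, auth, eas, ua) with the SELECTED_PRODUCTS values listed above, then check_props on each result before the silent run. The workaround key is only added when UID_IDM_FRAMEWORK is selected, so EAS and UA files are left without it.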

More Information#

There might be more information for this subject on one of the following:

« This page (revision-16) was last changed on 06-Feb-2012 15:33 by jim