Install Guide
Identity Governance 3.6
Installation and Configuration Guide
March 2021
Legal Notice
The only warranties for products and services of Micro Focus and its affiliates and licensors (“Micro Focus”) are set forth in
the express warranty statements accompanying such products and services. Nothing herein should be construed as
constituting an additional warranty. Micro Focus shall not be liable for technical or editorial errors or omissions contained
herein. The information contained herein is subject to change without notice.
For additional information, such as certification-related notices and trademarks, see http://www.microfocus.com/about/legal/.
About this Book and the Library
The Installation Guide provides installation and initial configuration information for the Identity
Governance product. This book also provides upgrade information for current product installations.
Intended Audience
This book provides information for Identity Governance administrators responsible for installing and
configuring the product in their environment.
Reporting Guide
Provides information about Identity Reporting for Identity Governance and how you can use the
features it offers.
Identity Manager Driver for Identity Governance
Provides information about how to install and configure the Identity Manager Driver for
Identity Governance. The Identity Governance driver allows you to provision application-
specific permission catalog data from Identity Governance to Identity Manager, giving you the
3.4.2 Installing Apache Tomcat (page 48)
3.4.3 Starting and Stopping Apache Tomcat (page 49)
3.5 Installing or Preparing a Database Server (page 49)
3.6 Preparing or Installing an Identity Service (page 50)
3.7 Installing an Authentication Service (page 51)
3.8 Securing Connections with TLS/SSL (page 51)
3.8.1 Understanding Secure Communication with Identity Governance (page 51)
3.8.2 Securing Communications with Apache Tomcat (page 52)
3.8.3 Securing Connections to the Identity Service (page 52)
3.8.4 Securing Communications to the Database Server (page 52)
3.8.5 Securing Communications with the SMTP Server (page 53)
3.8.6 Securing Communications with the Audit Server (page 53)
3.9 Installing Optional Components (page 53)
3.9.1 Understanding the Identity Reporting Installation (page 53)
3.9.2 Understanding the Auditing Installation (page 54)
3.9.3 Understanding Enabling Email Notifications (page 54)
5.8.3 Creating the PostgreSQL Databases Before Installing (page 104)
5.8.4 Using Vertica (page 107)
5.9 Creating a Temporary Database Administrator (page 107)
5.9.1 Creating a Temporary Oracle Database Administrator for the Installation Process (page 107)
5.9.2 Creating a Temporary Microsoft SQL Server Database Administrator for the Installation Process (page 108)
5.9.3 Creating a Temporary PostgreSQL Database Administrator for the Installation Process (page 108)
5.10 Creating the Schema for the Databases (page 109)
5.11 Configuring the Databases Using the SQL Scripts (page 110)
5.11.1 Configuring the PostgreSQL Databases for Identity Governance (page 111)
5.11.2 Configuring the Oracle Database for Identity Governance (page 113)
5.11.3 Configuring the Microsoft SQL Databases for Identity Governance (page 115)
5.11.4 Configuring the Identity Reporting Database (page 116)
5.12 How to Change the Configuration Options for the Databases (page 117)
5.12.1 Updating the Identity Governance Configuration Update Utility for the Database Changes (page 117)
5.12.2 Updating the Identity Governance Configuration Utility for the Database Changes (page 118)
5.12.3 Updating the Identity Governance Database Initialization File for the Database Changes (page 119)
5.12.4 Updating the Apache Tomcat server.xml File (page 120)
8.2.2 Preparing OSP to Use an Active Directory LDAP Server (page 171)
8.2.3 Extending the Schema for OSP in the Identity Service not Part of Identity Manager (page 172)
8.2.4 Configuring OSP to Work with AD FS (page 172)
8.2.5 Configuring OSP to Use Google reCAPTCHA (page 175)
8.3 Starting and Initializing Identity Governance (page 176)
8.4 Configuring Identity Reporting (page 178)
8.4.1 Assigning the Report Administrator Authorization (page 178)
8.4.2 Starting Identity Reporting (page 179)
8.4.3 Testing the Integration with Identity Governance (page 179)
8.4.4 Configuring a Proxy Server for the Identity Reporting Server (page 181)
8.4.5 Adding Data Sources to Identity Reporting (page 182)
8.5 Completing the Cluster Configuration for Identity Governance (page 183)
8.5.1 Configuring the Nodes in the Apache Tomcat Cluster (page 183)
8.5.2 Configuring ActiveMQ Failover in the Apache Tomcat Cluster (page 184)
8.5.3 Cleaning Up Unfinished Data Production Jobs (page 184)
11.3 Configuring Auditing after the Installation (page 219)
11.3.1 Enabling Auditing for OSP (page 220)
11.3.2 Enabling Auditing for Identity Governance (page 221)
11.3.3 Enabling Auditing for Identity Reporting (page 221)
11.4 Enabling Email Notifications after the Installation (page 222)
11.4.1 Prerequisites for Email Notifications (page 222)
11.4.2 Enabling Email Notifications for Identity Governance (page 222)
11.4.3 Enabling Email Notifications with a Load Balancer or a Reverse Proxy (page 223)
A Ports Used in Identity Governance (page 269)
1 Identity Governance Overview
Identity Governance is a solution that enables administrators and managers to easily collect all user
and access information in one central location and certify that users have only the level of access
that they need to do their jobs. Following the principle of least privilege, this product allows you to
ensure that your users have focused access to those applications and resources they use and cannot
access resources they do not need to access.
With Identity Governance, administrators and business managers can ensure that your employees,
either individually or as a group, have the appropriate set of permissions. Identity Governance
collects information from various identity and application data sources and manages the entire
review and certification process. Identity Governance provides tools to guide you through the key
phases of the access or account review, audit case management, and validation process.
Section 1.1, “Understanding the Identity Governance Components,” on page 12
Section 1.2, “Understanding the Installation Methods,” on page 17
Section 1.3, “Understanding the Uninstallation Methods,” on page 21
Section 1.4, “Understanding the Identity Governance Configuration Utilities,” on page 23
Section 1.5, “Understanding REST Services for Identity Governance,” on page 24
[Figure: Identity Governance component architecture. Authentication and SSO: OSP or Access Manager, backed by an LDAP server. Authorized users: administrators, managers, auditors, and other users. Identity Governance server: user interface, collectors, and catalog running on Java and Apache Tomcat (the application server) on the operating system, with databases. Optional components: Identity Reporting, an audit server, and ActiveMQ (sends email notifications).]
This guide explains the different components that are part of Identity Governance. The User and
Administration Guide contains information about how Identity Governance works and all of the
features it provides. For more information, see “Introduction” in the Identity Governance User and
Administration Guide.
The following information is important for the people that deploy Identity Governance and
configure it to obtain the identity data and application data in the IT environment.
Section 1.1.1, “Understanding the Required Components for Identity Governance,” on page 13
Section 1.1.2, “Understanding Authorized Users for Identity Governance,” on page 14
Section 1.1.3, “Understanding the Data Sources,” on page 15
Section 1.1.4, “Understanding the Optional Components,” on page 16
WARNING: Identity Governance must have a supported Java instance installed and running to
function. You cannot assume the Java version installed with the operating system also works with
Identity Governance. The Zulu OpenJDK is the only supported Java version for Identity Governance.
For more information, see Section 3.3, “Installing Zulu OpenJDK,” on page 47.
For more information about supported versions, see Section 2.4.5, “Audit Server System
Requirements,” on page 43.
Use the following information to determine which method works best for your environment.
Section 1.2.1, “Understanding the Sample Installation Scripts,” on page 18
Section 1.2.2, “Understanding the Guided Installation,” on page 18
The Linux sample script does not install the PostgreSQL database. You must have a database installed
before starting the Identity Governance installation. For more information, see Chapter 5, “Creating
Databases for Identity Governance and Identity Reporting,” on page 91.
The sample installation scripts are located on the Identity Governance documentation page under
the References heading. You must download the scripts, extract the ZIP file, and then read the
Readme.txt file. The file contains the instructions on how to use the sample scripts.
The sample scripts place all of the files for the installations in the following default directory:
Linux: /opt/netiq/idm/apps/
Windows: C:\netiq\idm\apps\
The OSP, Identity Governance, and Identity Reporting installers use this as a default location as well.
This guide lists these default directories to help you know where to access the different products,
configuration files, and the tools to manage Identity Governance. You can choose to change this
default path by editing the installation scripts or changing the path when you run the installers.
The information you must provide to complete the installation is the same whether you use the
guided installation, the console installation, or the silent installation. For more information, see the
following sections:
Section 4.2, “Installing One SSO Provider for Identity Governance,” on page 61
Chapter 6, “Installing Identity Governance,” on page 121
Chapter 7, “Installing Identity Reporting,” on page 151
The information you must provide to complete the installation is the same whether you use the
guided installation, the console installation, or the silent installation. For more information, see:
Section 4.2.3, “One SSO Provider (OSP) Installation Worksheet,” on page 63
Section 6.4, “Identity Governance Installation Worksheet,” on page 124
Section 7.4, “Identity Reporting Installation Worksheet,” on page 155
You can use these files if you have multiple installations to perform or you do not want to interact
with the installation utility. You can also use the silent installation to install additional nodes when
you cluster the components. For more information, see Section 2.3.4, “Ensuring High Availability or
Load Balancing for Identity Governance,” on page 33.
After you have created the response file, open the response file and the silent properties file in a
text editor. Copy the properly formatted values for your environment from the response file to the
silent properties file.
After you have created the silent properties file with the proper values, you use this file in
conjunction with the installer utility. When you launch the installer utility, you pass this file as a
parameter. The installer uses the information in the silent properties file to complete the
installation. For example, from the directory where you have the installation files enter the
following:
OSP: Use the following command for your platform.
Linux: ./osp-install-linux.bin -i silent -f path_to_silent_properties_file
Windows: osp-install-win.exe -i silent -f path_to_silent_properties_file
Identity Governance and Identity Reporting: Use the following command for your platform.
Linux: ./identity-governance-install-linux.bin -i silent -f path_to_silent_properties_file
IMPORTANT: The uninstall utilities do not contain Java. You must edit the uninstall utility and add
the path to the JRE bin directory; the uninstall utility adds it as an environment variable on your
server. If you do not do this, the uninstall utility does not run.
For more information, see Chapter 13, “Uninstalling the Identity Governance Components,” on
page 239.
When updating the values associated with the duplicate settings, the different installation utilities
place the information in different locations. If you are updating a duplicate setting using the Identity
Governance Configuration Update utility, the value ends up in the ism-
configuration.properties file. If you are updating a duplicate setting using the Identity
Governance Configuration utility, the value ends up in the GLOBAL database.
Any component of Identity Governance, Identity Reporting, or OSP that retrieves the value of a
duplicate property retrieves it from the ism-configuration.properties file rather than from the
GLOBAL database. This can cause issues in a clustered environment.
NOTE: You should manually move or delete the WAR files and folders from the Tomcat webapps
directory in your production environment.
Identity Governance requires that you install and configure additional components for the product to
function. Identity Governance supports many different deployment configurations of the product. You
must make several decisions before you install Identity Governance. Use the following information to
create a plan and to gather the required information before you begin the Identity Governance
installation.
Section 2.1, “Making Decisions on How to Install Identity Governance,” on page 26
Section 2.2, “Obtaining Identity Governance, Identity Reporting, and OSP,” on page 29
Section 2.3, “Recommended Production Environment Installation Scenarios,” on page 30
Section 2.4, “Hardware and Software Requirements,” on page 36
[Figure: Installation decision worksheet]
What platform? (choose one): Linux; Windows
Where do the Identity Governance users reside? (choose one): Active Directory; eDirectory
What application server? Only the Apache Tomcat server
Authentication service: OSP; Access Manager*
Database: PostgreSQL
Optional: Do you need guaranteed delivery of email notifications? Yes: install ActiveMQ. No: nothing is needed.
Optional: Auditing? Use Sentinel. No: nothing is needed.
Where are the users, groups, permissions, and accounts to analyze? Select the appropriate data source collectors for your systems.
This worksheet does not list the specific supported versions of the different components. To see that
information, see Section 2.4, “Hardware and Software Requirements,” on page 36.
Platform options: Linux; Windows; Virtual (as long as the virtual environment supports the Linux or Windows version, we support Identity Governance running on those platforms in virtual environments).
Authentication service options: OSP; Access Manager; OSP from Identity Manager.
You can install the Identity Governance components in many different configurations depending on
your IT environment. We recommend that you install the components in a distributed environment for
production deployments. Several of the components can also run in a high-availability cluster. For
more information about where to install these components, see Section 2.3, “Recommended Production
Environment Installation Scenarios,” on page 30.
NOTE: The version of Identity Reporting that comes with Identity Manager contains different reports
than the version that comes with Identity Governance. If you want the Identity Governance reports,
you must install the version of Identity Reporting that comes with Identity Governance. If you have a
prior version of Identity Reporting that came with Identity Governance, you must upgrade that
version of Identity Reporting to match what comes with the version of Identity Governance that you
install.
NOTE: In the silent.properties file for Identity Governance, change the following settings:
install_db_configure=false
install_tomcat_runtime_id=node1
Disk Space: 50 GB
Operating System:
Red Hat Enterprise Linux 8.0 (64-bit) or later patched versions of 8.x
SUSE Linux Enterprise Server 15.1 or later patched versions of 15.x
Microsoft Windows Server 2016 (64-bit) or later patched versions of Windows Server 2016
Microsoft Windows Server 2019 or later patched versions of Windows Server 2019
Virtual Systems: We support Identity Governance on enterprise-class virtual systems that provide official support for the operating systems where our products are running. As long as the vendors of the virtual systems officially support these operating systems, we support Identity Governance running on them.
Java: Zulu OpenJDK 8u222, 1.8.0_242 from Azul JRE or JDK, or later respective patched versions of 8uxxx and 1.8.0_xxx
Application Server: Apache Tomcat 9.0.22, 9.0.33, or later patched versions of 9.0.x
LDAP Identity Service:
Microsoft Active Directory that comes with Windows Server 2016 or Windows Server 2019
Microsoft Active Directory Federation Service (AD FS) that comes with Windows Server 2016 or Windows Server 2019
eDirectory 9.2 or later patched versions of 9.2.x
Identity Manager 4.7.3, 4.7.4, or later patched versions of 4.7.x
Identity Manager 4.8 or later patched versions of 4.8.x
Third-Party Connector Libraries (Optional): The Identity Governance JDBC Collectors and SAP User Management Collector use third-party client connector software that is not distributed with the product. Find and download the appropriate JDBC driver file for your database from the database vendor.
DB2: com.ibm.db2.jcc.DB2Driver
Generic jTDS: net.sourceforge.jtds.jdbc.Driver
Microsoft SQL Server: com.microsoft.sqlserver.jdbc.SQLServerDriver
MySQL: com.mysql.jdbc.Driver
Oracle Thin Client: oracle.jdbc.driver.OracleDriver
PostgreSQL: org.postgresql.Driver
SAP: sapjco3.jar
NOTE: Ensure that all required SAP Java Connector Native library components are installed on the host system. For more information, refer to the vendor documentation.
Sybase: com.sybase.jdbc3.jdbc.SybDriver
To gather identity and application data from one of these sources, put one or more of these client .jar files into the Apache Tomcat /lib folder, then restart the Apache Tomcat server. The default installation location is:
Linux: /opt/netiq/idm/apps/tomcat/lib
Windows: c:\netiq\idm\apps\tomcat\lib
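Dropping a jar into tomcat/lib and restarting is easy to get wrong: the wrong jar, an old copy left beside the new one, or a corrupt download. The following script is an added example for this guide (not part of the product or the installer) that scans every jar in the Tomcat lib directory for the driver class names listed above and reports each one as present, missing, or present in more than one jar. The sample lib directory it builds is constructed for the demonstration; the jars in it hold placeholder bytes, not real drivers, and the jar file names are invented.

```python
"""Confirm that the JDBC driver classes the Identity Governance collectors
load are present in Apache Tomcat's lib directory.

Added example for this guide, not part of the product. The class names are
the ones the requirements table lists; jar file names are whatever the
vendor ships, so every jar in the directory is scanned for the class entry.
make_sample_lib() builds a constructed lib directory with placeholder jars.
"""
import sys
import tempfile
import zipfile
from pathlib import Path

# Class names from the requirements table; SAP uses a native connector, not JDBC.
DRIVER_CLASSES = {
    "DB2": "com.ibm.db2.jcc.DB2Driver",
    "Generic jTDS": "net.sourceforge.jtds.jdbc.Driver",
    "Microsoft SQL Server": "com.microsoft.sqlserver.jdbc.SQLServerDriver",
    "MySQL": "com.mysql.jdbc.Driver",
    "Oracle Thin Client": "oracle.jdbc.driver.OracleDriver",
    "PostgreSQL": "org.postgresql.Driver",
    "Sybase": "com.sybase.jdbc3.jdbc.SybDriver",
}
TOMCAT_LIB = "/opt/netiq/idm/apps/tomcat/lib"  # the guide's default Linux location


def class_entry(class_name):
    """JVM class name -> path of its .class entry inside a jar."""
    return class_name.replace(".", "/") + ".class"


def jars_providing(lib_dir, class_name):
    """Names of jars in lib_dir that contain class_name (unreadable jars are skipped)."""
    entry = class_entry(class_name)
    hits = []
    for jar in sorted(Path(lib_dir).glob("*.jar")):
        try:
            with zipfile.ZipFile(jar) as zf:
                if entry in zf.namelist():
                    hits.append(jar.name)
        except zipfile.BadZipFile:
            continue  # a truncated download; Tomcat would log it at startup
    return hits


def check_drivers(lib_dir, wanted):
    """Map each wanted database to 'ok', 'missing' or 'duplicate'. Two jars
    exporting the same driver class leave Tomcat's class loader to pick one,
    so a duplicate is reported rather than silently accepted."""
    status = {}
    for db in wanted:
        hits = jars_providing(lib_dir, DRIVER_CLASSES[db])
        status[db] = "missing" if not hits else ("duplicate" if len(hits) > 1 else "ok")
    return status


def make_sample_lib():
    """Constructed lib directory: PostgreSQL driver once, MSSQL driver twice,
    Oracle absent, plus one corrupt jar. Jar names and contents are placeholders."""
    lib = Path(tempfile.mkdtemp(prefix="tomcat-lib-"))
    for name, cls in (("sample-postgresql.jar", DRIVER_CLASSES["PostgreSQL"]),
                      ("sample-mssql.jar", DRIVER_CLASSES["Microsoft SQL Server"]),
                      ("sample-mssql-old.jar", DRIVER_CLASSES["Microsoft SQL Server"])):
        with zipfile.ZipFile(lib / name, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            zf.writestr(class_entry(cls), b"\xca\xfe\xba\xbe placeholder, not bytecode")
    (lib / "broken.jar").write_bytes(b"not a zip file")
    return lib


if __name__ == "__main__":
    # usage: python check_jdbc_drivers.py /opt/netiq/idm/apps/tomcat/lib
    lib_dir = sys.argv[1] if len(sys.argv) > 1 else make_sample_lib()
    for db, state in check_drivers(lib_dir, DRIVER_CLASSES).items():
        print(f"{state:9} {db}: {DRIVER_CLASSES[db]}")
```

Run it against the real lib directory after copying the vendor jars and before restarting Tomcat; a "duplicate" result is the case to fix first, because which copy the collector ends up using is not under your control.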
Operating System:
Red Hat Enterprise Linux 8.0 (64-bit) or later patched versions of 8.x
SUSE Linux Enterprise Server 15.1 or later patched versions of 15.x
Microsoft Windows Server 2016 (64-bit) or later patched versions of Windows Server 2016
Microsoft Windows Server 2019 or later patched versions of Windows Server 2019
Virtual Systems: We support the databases for Identity Governance on enterprise-class virtual systems that provide official support for the operating systems where our products are running. As long as the vendors of the virtual systems officially support these operating systems, we support Identity Governance running on them.
For information about the different options on how to create and populate the different Identity
Governance databases, see Chapter 5, “Creating Databases for Identity Governance and Identity
Reporting,” on page 91.
Processor: Pentium 4
Disk Space: 50 GB
Memory: 16 GB
Operating System:
Red Hat Enterprise Linux 8.0 (64-bit) or later patched versions of 8.x
SUSE Linux Enterprise Server 15.1 or later patched versions of 15.x
Microsoft Windows Server 2016 (64-bit) or later patched versions of Windows Server 2016
Microsoft Windows Server 2019 or later patched versions of Windows Server 2019
Virtual Systems: We support Identity Reporting on enterprise-class virtual systems that provide official support for the operating systems where our products are running. As long as the vendors of the virtual systems officially support these operating systems, we support Identity Reporting on them.
Application Server: Apache Tomcat 9.0.22, 9.0.33, or later patched versions of 9.0.x. Download from the Apache Tomcat (https://tomcat.apache.org/) website.
Java: Zulu OpenJDK 8u222, 1.8.0_242 from Azul JRE or JDK, or later respective patched versions of 8uxxx. Download from the Download Zulu Community (https://www.azul.com/downloads/zulu-community/) website.
Database:
Microsoft SQL: Microsoft SQL 2017 or later patched versions of Microsoft SQL 2017; Microsoft SQL JDBC driver 7.2.2 or later patched versions. Download the driver here: Microsoft JDBC Driver for SQL Server.
Oracle: Oracle 18c or later patched versions of 18x; Oracle 19c or later patched versions of 19x; Oracle JDBC driver ojdbc8.jar. Download the driver here: Oracle website.
PostgreSQL: PostgreSQL 11.5, 11.7, or later patched versions of 11.x; PostgreSQL JDBC driver 42.2.6 or later patched versions of the PostgreSQL JDBC driver. Download the driver here: PostgreSQL JDBC Driver.
Vertica: Vertica 9.2.1 or later patched versions of 9.2.x; Vertica JDBC driver 9.2.x. Download the driver here: Vertica Client Drivers.
To see how to install Identity Reporting that comes with Identity Governance, see Chapter 7,
“Installing Identity Reporting,” on page 151.
To determine where you should install the audit server, see Section 2.3, “Recommended Production
Environment Installation Scenarios,” on page 30. You can enable auditing during the installation of
the components or you can enable auditing after you have installed the components. It depends on
your environment and your needs.
You can enable email notification during the installation of Identity Governance or Identity
Reporting or you can enable email notifications after the installation. It depends on your
environment and your needs.
This guide contains information about how to install and configure the version of Identity Reporting
that comes with Identity Governance. If you want to integrate and use the version of Identity
Reporting that comes with Identity Manager, you must consult and use the Identity Manager
documentation. For more information, see the Administrator Guide to NetIQ Identity Reporting.
To prepare for installing the required components, ensure that you have reviewed Chapter 2,
“Planning to Install Identity Governance,” on page 25 so that your environment is ready for Identity
Governance. It is also important to review the latest release notes before you begin. For more
information, see the Identity Governance 3.6 Release Notes.
Checklist Items
1. Decide which servers you want to use for your Identity Governance components. For more
information, see the following sections:
2. Review the minimum required versions for the components. For more information, see
Section 2.4, “Hardware and Software Requirements,” on page 36.
3. Install the supported versions of Zulu OpenJDK, Apache Tomcat, a database platform, an identity
service, and an authentication service before you install Identity Governance. For the installation
steps, see:
4. The installation directories cannot contain spaces. If you install Zulu OpenJDK, Apache Tomcat,
or ActiveMQ in a directory with spaces, the OSP and Identity Governance installers fail.
6. Determine whether you will use TLS/SSL to secure communication between the required
components and OSP, Identity Governance, or Identity Reporting. If you want to secure
communication between these components, ensure that you configure the application server, the
identity service, and the databases for secure communication before you start the OSP, Identity
Governance, or Identity Reporting installations. For more information, see Section 3.8, “Securing
Connections with TLS/SSL,” on page 51.
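Several of the rules above and in Section 1.2 are only enforced by the installer failing part way through: install directories must not contain spaces (checklist item 4), and when you add a cluster node with the silent installer the silent properties file must set install_db_configure=false and a per-node install_tomcat_runtime_id. The following preflight script is an added example for this guide, not a tool shipped with Identity Governance or OSP. It parses the Java .properties format that the installers read with "-i silent -f" and applies those rules before you run anything. The only key names taken from the guide are install_db_configure and install_tomcat_runtime_id; the path-valued key names in PATH_KEYS are assumptions, so replace them with the names that appear in your own response file. The embedded properties text is a constructed sample.

```python
"""Preflight check for an Identity Governance / OSP silent properties file.

Added example for this guide, not part of the Micro Focus installers. It
parses the Java .properties format (comments, '=' or ':' separators,
backslash continuation lines, \\uXXXX and \\: escapes) and checks rules the
guide states: no spaces in install directories, install_db_configure=false on
an additional cluster node, and a unique install_tomcat_runtime_id per node.
PATH_KEYS are assumed names; only the two cluster keys come from the guide.
"""
import sys
from pathlib import Path

PATH_KEYS = ("install_java_home", "install_tomcat_home", "install_activemq_home")  # assumed
_ESCAPES = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}


def _logical_lines(text):
    """Yield logical lines, joining physical lines that end in an odd number
    of backslashes (Java's continuation rule); skip blanks and comments."""
    buf = None
    for raw in text.splitlines():
        line = raw.lstrip()
        if buf is None and (not line or line[0] in "#!"):
            continue
        trailing = len(line) - len(line.rstrip("\\"))
        if trailing % 2:  # odd: the last backslash continues the line
            buf = (buf or "") + line[:-1]
            continue
        yield (buf or "") + line
        buf = None
    if buf is not None:
        yield buf


def _unescape(s):
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            nxt = s[i + 1]
            if nxt == "u" and i + 5 < len(s):
                out.append(chr(int(s[i + 2:i + 6], 16)))
                i += 6
                continue
            out.append(_ESCAPES.get(nxt, nxt))  # handles \: \= \\ and friends
            i += 2
            continue
        out.append(s[i])
        i += 1
    return "".join(out)


def parse_properties(text):
    """Return {key: value}; the key ends at the first unescaped '=', ':' or blank."""
    props = {}
    for logical in _logical_lines(text):
        i, key = 0, []
        while i < len(logical):
            c = logical[i]
            if c == "\\" and i + 1 < len(logical):
                key.append(logical[i:i + 2])
                i += 2
                continue
            if c in "=: \t":
                break
            key.append(c)
            i += 1
        rest = logical[i:].lstrip(" \t")
        if rest and rest[0] in "=:":
            rest = rest[1:].lstrip(" \t")
        props[_unescape("".join(key))] = _unescape(rest)
    return props


def check_silent_properties(props, additional_node=False):
    """Return a list of findings; an empty list means the file passes."""
    findings = []
    for key in PATH_KEYS:
        value = props.get(key, "")
        if " " in value:
            findings.append(f"{key}: directory {value!r} contains a space; "
                            "the OSP and Identity Governance installers fail")
    if additional_node:
        if props.get("install_db_configure", "").strip().lower() != "false":
            findings.append("install_db_configure must be false on an additional cluster node")
        if not props.get("install_tomcat_runtime_id", "").strip():
            findings.append("install_tomcat_runtime_id must name this node (for example node1)")
    return findings


def duplicate_runtime_ids(node_props):
    """Given the parsed properties of every cluster node, return ids used twice."""
    seen, dupes = set(), []
    for props in node_props:
        rid = props.get("install_tomcat_runtime_id", "")
        if rid in seen and rid not in dupes:
            dupes.append(rid)
        seen.add(rid)
    return dupes


# Constructed sample for a second cluster node; not a file shipped with the product.
SAMPLE = r"""# silent.properties for node 2 (constructed sample)
install_java_home=/opt/netiq/idm/apps/java
install_tomcat_home=C\:\\Program Files\\netiq\\tomcat
install_activemq_home = /opt/netiq/idm/apps/activemq
install_db_configure=false
install_tomcat_runtime_id : node2
description=multi-line value continued \
    on the next line
"""

if __name__ == "__main__":
    # usage: python silent_preflight.py /path/to/silent.properties
    text = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE
    for finding in check_silent_properties(parse_properties(text), additional_node=True):
        print("FAIL:", finding)
```

The parser is deliberately complete for the .properties escaping rules because a Windows path in such a file is written as C\:\\netiq\\idm\\apps; a naive split on "=" would miss the space in the decoded value. Run duplicate_runtime_ids over the files of all nodes before the rollout, not one node at a time.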
truststore.pkcs12. The OSP installer provides a keystore that houses several symmetric keys and key
pairs for signing, encryption, and, when necessary, TLS. The OSP keystore is located at
/opt/netiq/idm/apps/osp/osp.pkcs12 or c:\netiq\idm\apps\osp\osp.pkcs12.
By default, the Identity Governance and Identity Reporting installation program places TLS/SSL trust
certificates in /opt/netiq/idm/apps/tomcat/conf/apps-truststore.pkcs12 or
c:\netiq\idm\apps\tomcat\conf\apps-truststore.pkcs12. This file stores certificates
from the following secured servers:
Identity service when you specify https for OSP or when you use Access Manager for
authentication and when the identity service is on a different server than Identity Governance
or Identity Reporting
Identity Governance server when installing only Identity Reporting, specifying https, and the
server or port differs from the Identity Reporting server or port
SMTP server when specifying SSL for use and the port is valid
Audit server when specifying TLS
Application server when specifying https
Both the guided and console installation modes display the certificate details and ask for
confirmation of each certificate retrieved. The silent installation mode imports certificate files
specified in the silent properties file.
To use SAML 2.0 authentication, you must manually install the SAML identity provider’s TLS/SSL
certificate in the trust store that you want to use. When using a Certificate Authority (CA) to issue
certificates for the LDAP server, SAML IDP, or Advanced Identity Services, you can install the trusted
root certificate of the certificate authority into the trust store and remove any server-specific
certificates. For more information, see Section 4.2.2, “Considerations for Installing One SSO
Provider,” on page 62.
To use a non-default trust store or to change the password of the default trust store, use the Identity
Governance Configuration Update utility.
Linux: /opt/netiq/idm/apps/configupdate/configupdate.sh
Windows: C:\netiq\idm\apps\configupdate\configupdate.bat
Next, modify the keystore settings in the Configuration Update utility. For more information, see
Section 14.1.4, “Using the Identity Governance Configuration Update Utility,” on page 251.
WARNING: Identity Governance must have a supported JRE to work. The Zulu OpenJDK JRE is the only
version of Java that works with Identity Governance.
To install Zulu OpenJDK:
1 Ensure that you know what version of Zulu OpenJDK Identity Governance requires. For more
information, see Section 2.4.1, “Identity Governance Server System Requirements,” on page 37.
2 Access the Azul website and download the supported version of Zulu OpenJDK from the Zulu
Community Download (https://www.azul.com/downloads/zulu-community/) web page.
3 Use the documentation for Zulu OpenJDK to install the product. For more information, see the
Zulu Installation Guide (https://docs.azul.com/zulu/zuludocs/index.htm).
4 (Optional) Create and use a common directory for the Zulu OpenJDK installation such as:
Linux: /opt/netiq/idm/apps/java
Windows: C:\netiq\idm\apps\java
5 Record the installation path to use when installing Identity Governance and OSP.
3 Use the documentation for the supported version of Apache Tomcat to complete the
installation. For more information, see the Apache Tomcat (http://tomcat.apache.org/) web
page.
4 (Optional) Create and use a common directory for the Apache Tomcat installation, such as:
Linux: /opt/netiq/idm/apps/tomcat
Windows: C:\netiq\idm\apps\tomcat
5 Ensure that you configure TLSv1.2 or TLSv1.1 for https communication. TLSv1.1 (like TLSv1.0) is
deprecated by RFC 8996, so enable TLSv1.2 only unless a client you must support cannot negotiate
it. For more information, see “SSL/TLS Configuration How-To”.
6 Record the installation path for Apache Tomcat to use when installing Identity Governance, OSP,
and Identity Reporting.
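Step 5 is the one most often left at Tomcat's defaults. The following script is an added example for this guide (it is not from the guide, from Apache Tomcat, or from the Identity Governance installer) that reads a Tomcat 9 server.xml and reports every HTTPS connector that still allows TLSv1 or TLSv1.1, or that has no explicit protocol list at all. It understands both Tomcat 9 forms: the legacy sslEnabledProtocols attribute on <Connector> and the protocols attribute on a nested <SSLHostConfig>, including the "all" alias and "+"/"-" modifiers. The expansion of "all" is Tomcat 9's own (SSLv2Hello, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3). The embedded server.xml is a constructed sample that places a weak connector beside a hardened one; the keystore paths and the "changeit" password are placeholders.

```python
"""Audit the TLS protocol settings of HTTPS connectors in Apache Tomcat's
server.xml.

Added example for this guide; not from the guide, Tomcat, or the installer.
Tomcat 9 accepts either the legacy sslEnabledProtocols attribute on
<Connector> or a protocols attribute on a nested <SSLHostConfig>. The
"all" expansion below is Tomcat 9's. SAMPLE_SERVER_XML is constructed.
"""
import sys
import xml.etree.ElementTree as ET

TOMCAT_ALL = ["SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
WEAK = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # deprecated by RFC 7568 / RFC 8996


def expand_protocols(value):
    """Expand a Tomcat protocols list, honoring '+'/'-' modifiers and 'all'."""
    enabled = []
    for token in value.replace(" ", ",").split(","):
        token = token.strip()
        if not token:
            continue
        op = "+"
        if token[0] in "+-":
            op, token = token[0], token[1:]
        names = TOMCAT_ALL if token.lower() == "all" else [token]
        for name in names:
            if op == "+" and name not in enabled:
                enabled.append(name)
            elif op == "-" and name in enabled:
                enabled.remove(name)
    return enabled


def audit_server_xml(xml_text):
    """Return (port, host, problem) for each HTTPS connector not pinned to
    TLSv1.2 or newer. Plain HTTP and AJP connectors are ignored."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        port = conn.get("port", "?")
        host_configs = conn.findall("SSLHostConfig")
        if host_configs:
            sources = [(h.get("hostName", "_default_"), h.get("protocols")) for h in host_configs]
        else:
            sources = [("_default_", conn.get("sslEnabledProtocols"))]
        for host, value in sources:
            if value is None:
                findings.append((port, host, "no explicit protocol list; the Tomcat/JVM default "
                                             "applies, set protocols=\"TLSv1.2\""))
                continue
            weak = sorted(WEAK & set(expand_protocols(value)))
            if weak:
                findings.append((port, host, "allows " + ", ".join(weak)))
    return findings


# Constructed sample: one weak connector, one hardened, one left at defaults.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <!-- weak: legacy attributes that still allow TLSv1 and TLSv1.1 -->
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
               keystoreFile="conf/tomcat.ks" keystorePass="changeit"/>
    <!-- hardened: Tomcat 9 SSLHostConfig pinned to TLSv1.2 -->
    <Connector port="8444" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true">
      <SSLHostConfig protocols="TLSv1.2" honorCipherOrder="true">
        <Certificate certificateKeystoreFile="conf/tomcat.pkcs12"
                     certificateKeystoreType="PKCS12"
                     certificateKeystorePassword="changeit"/>
      </SSLHostConfig>
    </Connector>
    <!-- no protocols attribute: Tomcat's default list applies -->
    <Connector port="8445" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true">
      <SSLHostConfig>
        <Certificate certificateKeystoreFile="conf/tomcat.pkcs12"
                     certificateKeystorePassword="changeit"/>
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>
"""

if __name__ == "__main__":
    # usage: python audit_tomcat_tls.py /opt/netiq/idm/apps/tomcat/conf/server.xml
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SERVER_XML
    for port, host, problem in audit_server_xml(text):
        print(f"connector {port} ({host}): {problem}")
```

The 8444 connector is the shape to copy for Identity Governance: an explicit protocols list, a PKCS12 keystore, and honorCipherOrder so the server's cipher preference wins. Rerun the audit after every Tomcat upgrade, since a restored or merged server.xml is a common way for the legacy connector to come back.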
Identity Governance and Identity Reporting require that specific databases with specific names exist
for these products to function. There are multiple ways to create the specific databases. For more
information, see Chapter 5, “Creating Databases for Identity Governance and Identity Reporting,” on
page 91.
You can install Identity Governance without an LDAP directory installed, configured, and populated
with user accounts if you use a file-based bootstrap administrator account to perform the installation
and the basic configuration. For more information, see “Understanding the Bootstrap Administrator
for Identity Governance” on page 14.
We recommend that you configure the LDAP directory to communicate over LDAP over SSL (LDAPS) to
ensure that the credentials of the authorized users remain secure. The Identity Governance installer
can configure Identity Governance to communicate with the LDAP directory over LDAPS when you
provide the DNS host name, the port, and the administrator credentials for the LDAP directory during
the installation. The LDAP directory must be populated with user accounts that have passwords and
must be configured to use LDAPS so that the installer can obtain the appropriate information to
establish the secure connection.
Ensure that you either use the bootstrap administrator account for the installation of Identity
Governance or have the LDAP directory installed, configured to use LDAPS, and populated with the
user accounts and passwords of the authorized users for Identity Governance.
Using AD FS with OSP requires additional configuration steps that must be performed after you
install OSP. For more information, see Section 8.2.4, “Configuring OSP to Work with AD FS,” on page 172.
3.7 Installing an Authentication Service
Identity Governance requires that you configure an authentication service for the users who access
and use the consoles for Identity Governance. The authentication service lets you configure how
users authenticate, to provide single sign-on access and to increase security. Identity Governance
supports OSP and Access Manager as authentication services. For more information, see Chapter 4,
“Installing an Authentication Service,” on page 57.
configure these components to communicate over TLS/SSL in a production environment. Use the
following information to enable TLS/SSL communication for these products before you begin the
OSP, Identity Governance, or Identity Reporting installations.
If you install OSP, Identity Governance, or Identity Reporting without configuring these components
to communicate securely using TLS/SSL, you can configure secure communication at a later time
using the configuration utilities. For more information, see Section 11.1, “Configuring SSL/TLS
Communication after the Installation,” on page 217.
3.8.5 Securing Communications with the SMTP Server
To provide secure emails for report notifications by email, you must configure the SMTP server for
secure communications. Follow the documentation for your specific SMTP server to enable secure
communications before you begin the Identity Reporting installation.
3.8.6 Securing Communications with the Audit Server
To provide secure communications between OSP, Identity Governance, and Identity Reporting with
the audit server, you must configure the audit server to communicate over TLS/SSL. The OSP, Identity
Governance, and the Identity Reporting installers can import the trusted certificate from the
auditing server during the installation. See the documentation for your audit server on how to enable
secure communications with external applications.
Install Zulu OpenJDK. For more information, see Section 3.3, “Installing Zulu OpenJDK,” on
page 47.
Install Apache Tomcat. For more information, see Section 3.4, “Installing the Apache Tomcat
Application Server,” on page 48.
(Conditional) Configure Apache Tomcat for TLS/SSL communication if you choose to have secure
communication between Identity Governance and Identity Reporting. For more information,
see Section 3.8, “Securing Connections with TLS/SSL,” on page 51.
The Identity Reporting installer requests the URL access information for the Identity Reporting
server. You are prompted for this information before you install Identity Reporting on the separate
server. This is why you must have Zulu OpenJDK and Apache Tomcat installed on the separate
server.
There are additional tasks that you must perform on the separate server before you begin the
Identity Reporting installation. For more information, see Chapter 7, “Installing Identity Reporting,”
on page 151.
If you install only Identity Governance, the installer adds default values for the SMTP server that
you change later in the Identity Governance Configuration Update utility.
If you are installing Identity Governance and Identity Reporting, the installer prompts you for the
SMTP server information during the Identity Reporting section.
To enable email notifications after you complete the installations, see Section 11.4, “Enabling Email
Notifications after the Installation,” on page 222.
4 Installing an Authentication Service
This section provides information about installing an authentication service, such as One SSO
Provider (OSP) or Access Manager, which Identity Governance uses for login authentication and
allows you to configure Identity Governance for single sign-on access.
Identity Governance requires one of the following scenarios for the authentication service:
OSP
Access Manager
Access Manager configured to connect to OSP
Ensure that the version of OSP and Identity Governance you use is supported. For more information,
see Section 2.4, “Hardware and Software Requirements,” on page 36.
IMPORTANT: Identity Governance always uses an authentication service as the login mechanism,
even in a non-SSO environment. You must have OSP or Access Manager installed before installing
Identity Governance.
You must understand the Identity Governance authentication process before you start any
installation or integration. Next, you must select whether to use OSP, Access Manager, or Access
Manager with OSP as your authentication service for Identity Governance.
Use the following information to determine which authentication service works best for your
environment, and then use the appropriate section to either install OSP or integrate Access Manager
with Identity Governance.
Section 4.1, “Understanding Authentication for Identity Governance,” on page 57
Section 4.2, “Installing One SSO Provider for Identity Governance,” on page 61
Section 4.3, “Integrating Access Manager with Identity Governance,” on page 76
NOTE: The name for the bootstrap administrator account must be unique. Do not duplicate the
name of any account in the root container or subtrees that you use for authentication. The default
file-based bootstrap administrator account name is igadmin. You can specify an alternative name
for this account through the bootstrap administrator script. Do not use “admin” or “administrator”
for the account name.
During the installation, you select one of two methods to create a bootstrap administrator account.
You must select one of the options. The options are:
File: If the bootstrap administrator account is file-based, this account does not link to any
account in the LDAP directory. This account exists in a file that the installer for OSP creates for
you. The default name of the file that contains the bootstrap administrator account is
adminusers.txt. The default bootstrap administrator account name is igadmin. The file-based
bootstrap administrator account can access all items in the administration console except
for Reviews and Access Request.
If you selected to use the LDAP-based bootstrap administrator and want to move back to the
file-based account, you must use a script included in the Identity Governance product to make this
change. For more information, see “Creating a Bootstrap Administrator Using a Script” on page 252.
You should not continue using the file-based bootstrap administrator account after you have
Identity Governance running in a production environment. As soon as you have collected user
accounts in Identity Governance, assign one of the collected LDAP accounts as a global
administrator. For more information about assigning authorizations, see “Global Authorizations” in
the Identity Governance User and Administration Guide.
LDAP: If you have not performed a data collection on the LDAP directory where the LDAP-based
bootstrap administrator resides or mapped this account to an identity in Identity Governance,
the LDAP-based bootstrap administrator account has limited rights. When you have performed
a data collection on the LDAP directory or mapped this account to an identity in Identity
Governance, Identity Governance adds the Identity Governance Global Administrator role to
this LDAP-based bootstrap administrator account and it has unrestricted access.
The restricted LDAP-based bootstrap administrator account can access all items in the
administration console except for Reviews and Access Request. After you collect and publish the
data from a data source and you map the LDAP-based bootstrap administrator account to an
IMPORTANT: Due to file system access and security updates in Identity Governance 3.6 or later,
you cannot always use the file-based bootstrap administrator account.
If your environment matches any of the following conditions, you must always use the LDAP-based
bootstrap administrator account.
Integrated with Identity Manager
Using SAML authentication method
Using Access Manager as the authentication service
Not using OSP as the authentication service
The silent installation, guided installation, and the console installation can create the bootstrap
administrator account for you or you can use a script to create the account. For more information,
see Section 14.2.1, “Creating a Bootstrap Administrator Using a Script,” on page 252.
The OSP authentication service supports the OAuth2 specification and requires an LDAP identity
service. Identity Governance works with eDirectory, Identity Manager Identity Vault, and Microsoft
Active Directory. You must deploy the identity service before you install Identity Governance. For
more information, see Section 3.6, “Preparing or Installing an Identity Service,” on page 50.
You can configure the type of authentication that you want OSP to use: userID and password,
Kerberos, or SAML 2.0. However, OSP does not support MIT-style Kerberos or SAP login tickets.
Access Manager supports several authentication methods, such as name/password, RADIUS token-
based authentication, X.509 digital certificates, Kerberos, risk-based authentication, Time-Based
One-Time Password (TOTP), social authentication, and OpenID Connect. Plus, Access Manager can
integrate with Advanced Authentication to provide many more authentication methods.
How do OSP, Access Manager, and SSO work?
If you use Identity Manager Identity Vault as your identity service, users with the names (CN)
and passwords in the specified container can log in to Identity Governance immediately after
installation. Without these login accounts, only the administrator that you specify during
installation can log in immediately.
When a user directs the browser to one of the browser-based components, the component
determines that it requires authentication and temporarily redirects the browser to the OSP or
to the Access Manager authentication service. The OSP service or the Access Manager service
authenticates the user by asking the configured authentication method for the user. The
IMPORTANT: Identity Governance always uses an authentication service as the login mechanism,
even in a non-SSO environment.
4.1.5 Using Access Manager with One SSO Provider for Authentication
Identity Governance can use Access Manager to connect with OSP as the authentication service.
With Access Manager, you can provide single sign-on access among Identity Governance and other
applications in your environment that use Access Manager for authentication. For more information,
see “Configuring Single Sign-On to Specific Applications” in the Access Manager 4.5 Administration
Guide.
IMPORTANT: Identity Governance always uses an authentication service as the login mechanism,
even in a non-SSO environment.
Checklist Items
1. Decide where to deploy OSP and the required components in relation to your Identity
Governance components. For more information, see Section 2.3, “Recommended
Production Environment Installation Scenarios,” on page 30.
2. Decide whether you want to install Identity Governance and the authentication service in a
clustered environment. For more information about the requirements, see Section 2.3.4,
“Ensuring High Availability or Load Balancing for Identity Governance,” on page 33.
3. Review the considerations before installing OSP. For more information, see
“Considerations for Installing One SSO Provider” on page 62.
4. Ensure that Apache Tomcat has been installed on the server where you install OSP. For more
information, see Chapter 3, “Installing Components Required for Identity Governance,
Identity Reporting, and OSP,” on page 45.
5. Ensure that you have an identity service installed and configured. If you are in a production
environment, ensure that you have configured the identity service for SSL/TLS
communication. For more information, see Section 3.8, “Securing Connections with TLS/
SSL,” on page 51.
6. Decide which installation method to use. For more information, see Section 1.2,
“Understanding the Installation Methods,” on page 17.
7. The installation directory for OSP cannot contain any spaces in the name. If it does contain
spaces, the installation fails.
8. Ensure that you fill out the OSP Installation Worksheet before starting the installation. The
worksheet helps you gather the required information to complete the installation. You use
the information you gather for the guided, console, and silent installation method. For more
information, see Section 4.2.3, “One SSO Provider (OSP) Installation Worksheet,” on
page 63.
9. You must manually extend the schema for eDirectory or Active Directory to allow OSP
authentications to work. If you integrate with Identity Manager you can skip this step. For
more information, see Section 8.2.3, “Extending the Schema for OSP in the Identity Service
not Part of Identity Manager,” on page 172.
Linux: /opt/netiq/idm/apps/osp
Windows:
C:\netiq\idm\apps\osp
Apache Tomcat Home Directory: Specify the path to the Apache Tomcat home directory.
Linux: /opt/netiq/idm/apps/tomcat
Windows: c:\netiq\idm\apps\tomcat
Java Home Directory for Apache Tomcat: Specify the path to the Zulu JRE home directory. The Zulu
JRE is installed when you install the Zulu OpenJDK. The installation process uses Java for several
processes, such as to run commands and create security stores.
Linux: /opt/netiq/idm/apps/jre
Windows: c:\netiq\idm\apps\jre
Application Address for OSP > Port: Specify the port that you want OSP to use for communication
with the Identity Governance clients.
(Conditional) External Identity Governance Details > Port: Specify the port that you want OSP to
use for communication with Identity Governance. When installing in a clustered environment,
specify the port for the load balancer.
(Conditional) External Identity Reporting Details > Protocol: Specify the details for the URL and
client password to connect OSP to the Identity Reporting server. These are the Apache Tomcat
details that host Identity Reporting.
(Conditional) External Identity Reporting Details > Port: Specify the port that you want OSP to use
for communication with Identity Reporting. When installing in a clustered environment, specify the
port for the load balancer.
Identity Service Details: Specify the information for the Identity Vault (LDAP server). For more
information, see “Understanding the Identity Service” on page 14.
LDAP Port: Specify the port that you want the LDAP identity service to use for communication with
Identity Governance. For example, specify 389 for a non-secure port or 636 for TLS/SSL connections.
Trust Store Secret: Specify the password for the trust store. The trust store is empty unless you
select to use SSL for LDAP or audit.
Enabling Auditing > Audit Cache Location: Specify a local directory on the OSP server for caching of
audit events before they are sent to the audit server. The default directory is:
Linux: /opt/netiq/idm/apps/audit
Windows: c:\netiq\idm\apps\audit
Linux: /opt/netiq/idm/apps/configupdate
Windows: c:\netiq\idm\apps\configupdate
To install OSP:
1 Ensure that you have completed the OSP Installation Worksheet before starting the installation.
For more information, see Section 4.2.3, “One SSO Provider (OSP) Installation Worksheet,” on
page 63.
2 Log in as root on Linux server or an administrator on Windows server where you want to install
OSP.
NOTE: To execute the file, you might need to use the chmod +x or sh command for Linux to
change the permissions on the installer or log in to your Windows server as an administrator.
6 Complete the installation, using the information you gathered in the OSP Installation
Worksheet. For more information, see Section 4.2.3, “One SSO Provider (OSP) Installation
Worksheet,” on page 63.
7 Review the pre-installation summary.
8 (Conditional) If you are in a clustered environment, stop Apache Tomcat at this time. For more
information, see Section 3.4.3, “Starting and Stopping Apache Tomcat,” on page 49.
9 Start the installation process.
10 (Conditional) At the end of the installation, if prompted, accept or reject any certificates, and
acknowledge any errors.
The installer checks to see if you specified SSL for LDAP or audit. If so, the installer creates the
trust store and attempts to retrieve the certificates. Untrusted certificates result in a prompt to
accept or reject each certificate chain, with tabs showing extra certificates in the chain. The
installer adds accepted certificates to the trust store.
The installer displays errors in the following conditions:
A single warning about potential future failures for all rejected certificates
A single warning for any errors when connecting to the secured servers
11 When the installation process completes, review the OSP_Install.log file to see what the
installer did. The default location of the OSP_Install.log file is here:
Linux: /opt/netiq/idm/apps/osp/logs
Windows: c:\netiq\idm\apps\osp\logs
12 Before starting Apache Tomcat again, delete the contents of the following two directories from
Apache Tomcat that contain cached files. The directories are:
Linux: Default installation location:
/opt/netiq/idm/apps/tomcat/temp
/opt/netiq/idm/apps/tomcat/work/Catalina/localhost
IMPORTANT: You must create an empty file and have it in the location before starting the
installation or the installation does not run.
A response file contains the correctly formatted properties and values that you must add to the
osp-install-silent.properties file for your environment. You can open the response file and
copy the values from the response file to the osp-install-silent.properties file to simplify
the process of creating the osp-install-silent.properties file.
You can also use the OSP Installation Worksheet to add the proper values to the osp-install-
silent.properties file. You open the osp-install-silent.properties file in a text editor
and then use the information you gathered in the OSP Installation Worksheet to add the correct
values for your environment. For more information, see Section 4.2.3, “One SSO Provider (OSP)
Installation Worksheet,” on page 63.
NOTE: To execute the file, you might need to use the chmod +x or sh command for Linux
to change the permissions on the installer or log in to your Windows server as an
administrator.
3b Use the OSP Installation Worksheet to complete the first guided or console installation of
OSP to create the response file. For more information, see Section 4.2.3, “One SSO
Provider (OSP) Installation Worksheet,” on page 63.
3c Review the OSP_Install.log file to ensure that no errors occurred.
Linux: /opt/netiq/idm/apps/osp/logs
Windows: c:\netiq\idm\apps\osp\logs
4 Find and open the response file in a text editor.
5 Find and open the osp-install-silent.properties in a text editor.
6 Copy the values from the response file to the osp-install-silent.properties file.
NOTE: If you are deploying on Windows, ensure that you escape the backslashes '\' or the
silent properties file does not work.
Value legend: 0 means false, 1 means true.
6 Change the values for the NetIQ servlet and auditing protocols as follows, setting exactly one
flag per group to 1 and the matching protocol name:
To use http for the servlet:
NETIQ_SERVLET_PROTOCOL_HTTP=1
NETIQ_SERVLET_PROTOCOL_HTTPS=0
NETIQ_SERVLET_PROTOCOL=http
To use https for the servlet:
NETIQ_SERVLET_PROTOCOL_HTTP=0
NETIQ_SERVLET_PROTOCOL_HTTPS=1
NETIQ_SERVLET_PROTOCOL=https
To use tcp for auditing:
NETIQ_OSP_AUDIT_PROTOCOL_TCP=1
NETIQ_OSP_AUDIT_PROTOCOL_TLS=0
NETIQ_OSP_AUDIT_PROTOCOL_UDP=0
NETIQ_OSP_AUDIT_PROTOCOL=tcp
To use tls for auditing:
NETIQ_OSP_AUDIT_PROTOCOL_TCP=0
NETIQ_OSP_AUDIT_PROTOCOL_TLS=1
NETIQ_OSP_AUDIT_PROTOCOL_UDP=0
NETIQ_OSP_AUDIT_PROTOCOL=tls
To use udp for auditing:
NETIQ_OSP_AUDIT_PROTOCOL_TCP=0
NETIQ_OSP_AUDIT_PROTOCOL_TLS=0
NETIQ_OSP_AUDIT_PROTOCOL_UDP=1
NETIQ_OSP_AUDIT_PROTOCOL=udp
7 (Optional) Specify any number of certificate files and corresponding aliases to accept into the
trust store. For example:
NETIQ_CERT_1_FILE=/home/username/Downloads/ldap_cert
NETIQ_CERT_1_ALIAS=osp-ldap
NOTE: You can specify the files in any order, and they must exist on the same machine as the
OSP installer. The installer starts trusting with 1 and stops with the first missing consecutive
number. So if you list files 1, 2, and 4, the installer only trusts certificates 1 and 2.
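The three rules above (each protocol group has exactly one flag set to 1 and a matching protocol name, Windows backslashes must be escaped, and certificate entries are trusted from 1 upward until the first missing number) are easy to get wrong when editing the file by hand. The following Python script is an added example, not part of the OSP installer or of the Identity Governance product; it checks a silent properties file against those documented rules before you run the installer. The NETIQ_SERVLET_PROTOCOL_*, NETIQ_OSP_AUDIT_PROTOCOL_* and NETIQ_CERT_<n>_FILE/_ALIAS names are the ones documented in this section; the EXAMPLE_* keys and every value in the embedded sample are constructed placeholders.

```python
"""Pre-flight check for an osp-install-silent.properties file.

Added example, not shipped with OSP or Identity Governance. It applies the
rules the guide states for the silent installer: 0/1 flags that are mutually
exclusive within a protocol group, escaped backslashes in Windows paths, and
NETIQ_CERT_<n> entries that are trusted in order until the first gap.
"""
import re

# Constructed sample file. EXAMPLE_* keys are placeholders, not real installer
# properties. Deliberate mistakes: two audit flags set, an unescaped Windows
# path, and a gap at NETIQ_CERT_3 that makes NETIQ_CERT_4 unreachable.
SAMPLE_PROPERTIES = r"""
NETIQ_SERVLET_PROTOCOL_HTTP=0
NETIQ_SERVLET_PROTOCOL_HTTPS=1
NETIQ_SERVLET_PROTOCOL=https
NETIQ_OSP_AUDIT_PROTOCOL_TCP=1
NETIQ_OSP_AUDIT_PROTOCOL_TLS=1
NETIQ_OSP_AUDIT_PROTOCOL_UDP=0
NETIQ_OSP_AUDIT_PROTOCOL=tls
EXAMPLE_TOMCAT_HOME=c:\netiq\idm\apps\tomcat
EXAMPLE_JRE_HOME=c:\\netiq\\idm\\apps\\jre
NETIQ_CERT_1_FILE=/home/username/Downloads/ldap_cert
NETIQ_CERT_1_ALIAS=osp-ldap
NETIQ_CERT_2_FILE=/home/username/Downloads/audit_cert
NETIQ_CERT_2_ALIAS=osp-audit
NETIQ_CERT_4_FILE=/home/username/Downloads/extra_cert
NETIQ_CERT_4_ALIAS=osp-extra
"""


def parse_properties(text):
    """Read key=value lines into a dict; blank lines and #/! comments are
    skipped. Values are kept raw so escaping problems remain visible."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_protocol_flags(props, prefix, choices):
    """Exactly one <prefix>_<CHOICE> flag must be 1, every flag must be 0 or
    1, and <prefix> must name the enabled choice in lower case."""
    problems = []
    for choice in choices:
        value = props.get(f"{prefix}_{choice}")
        if value not in ("0", "1"):
            problems.append(f"{prefix}_{choice}={value!r} must be 0 (false) or 1 (true)")
    enabled = [c for c in choices if props.get(f"{prefix}_{c}") == "1"]
    if len(enabled) != 1:
        problems.append(f"{prefix}: exactly one flag must be 1, found {enabled or 'none'}")
    elif props.get(prefix) != enabled[0].lower():
        problems.append(f"{prefix}={props.get(prefix)!r} does not match enabled flag {enabled[0]}")
    return problems


def unescaped_backslash_keys(props):
    """Keys whose value has a lone backslash. In a .properties file '\\'
    escapes the next character, so c:\\netiq must be written c:\\\\netiq."""
    bad = []
    for key, value in props.items():
        i = 0
        while i < len(value):
            if value[i] == "\\":
                if i + 1 < len(value) and value[i + 1] == "\\":
                    i += 2  # properly escaped pair
                    continue
                bad.append(key)
                break
            i += 1
    return bad


def trusted_certificates(props):
    """Replay the installer's numbering rule: trust NETIQ_CERT_1, 2, 3, ...
    until the first number without a _FILE entry. Returns (trusted,
    unreachable), where unreachable lists numbers the installer would skip."""
    present = sorted(int(m.group(1)) for m in
                     (re.fullmatch(r"NETIQ_CERT_(\d+)_FILE", k) for k in props) if m)
    trusted, n = [], 1
    while f"NETIQ_CERT_{n}_FILE" in props:
        trusted.append((n, props[f"NETIQ_CERT_{n}_FILE"], props.get(f"NETIQ_CERT_{n}_ALIAS")))
        n += 1
    return trusted, [x for x in present if x >= n]


def validate(text):
    """Run all checks and return the aliases that would be trusted plus a
    list of human-readable problems (empty when the file follows the rules)."""
    props = parse_properties(text)
    problems = check_protocol_flags(props, "NETIQ_SERVLET_PROTOCOL", ("HTTP", "HTTPS"))
    problems += check_protocol_flags(props, "NETIQ_OSP_AUDIT_PROTOCOL", ("TCP", "TLS", "UDP"))
    problems += [f"{k}: unescaped backslash in value" for k in unescaped_backslash_keys(props)]
    trusted, unreachable = trusted_certificates(props)
    problems += [f"NETIQ_CERT_{n}_FILE is never reached (gap in numbering)" for n in unreachable]
    return {"trusted_aliases": [alias for _, _, alias in trusted], "problems": problems}


if __name__ == "__main__":
    for problem in validate(SAMPLE_PROPERTIES)["problems"]:
        print("PROBLEM:", problem)
```

To check your own file, call `validate(open(path).read())`; an empty `problems` list means the file follows the rules documented here, although the installer itself remains the authority on what it accepts.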
NOTE: If the silent properties file is in a different directory from the installation script, you must
specify the full path to the file. The script unpacks the necessary files to a temporary directory
and then launches the silent installation.
9 When the console prompt returns, review the log file to ensure that the installation completed
successfully. The silent installation does not display any messages on the console.
The log file is located in the following default directory:
Linux: /opt/netiq/idm/apps/osp/logs/
Windows: c:\netiq\idm\apps\osp\logs\
10 When the installation process completes, continue to Chapter 6, “Installing Identity
Governance,” on page 121.
Checklist Items
WARNING: Do not use the name admin and ensure that the name is unique.
Create a user account in your identity service that has administrative rights to the identity
service. Ensure that this account is only used as the bootstrap administrator for Identity
Governance. For more information, see Section 4.1.1, “Using the Bootstrap Administrator,”
on page 58.
2. Create an attribute in the identity service to store the authorization grant information from
Access Manager. Identity Governance uses the term identity service to refer to the LDAP
server that holds the authorized users. The LDAP directory can either be Active Directory,
Identity Manager Identity Vault, or eDirectory. Access Manager uses the term User Store to
refer to the LDAP directory that stores the Access Manager users and configuration
information.
Access Manager stores the OAuth 2.0 authorization grant information for each user in an
attribute in the identity service. You can use an unused attribute in your identity service or
you can create a new attribute. This attribute must exist to enable OAuth 2.0 in Access
Manager. The Access Manager documentation contains the instructions on how to create a new
attribute for Active Directory and eDirectory. For more information, see “Extending a User Store
for OAuth 2.0 Authorization Grant Information” in the Access Manager 4.5 Administration
Guide.
3. Enable the OAuth protocol in Access Manager. For more information, see “Enabling OAuth
in Access Gateway” in the Access Manager 4.5 Administration Guide.
4. Add your identity service as the local User Store in Access Manager. Access Manager must
be able to access the authorized user accounts to be able to authenticate the users to
Identity Governance. For more information, see “Configuring Identity User Stores” in the
Access Manager 4.5 Administration Guide.
6. Configure Access Manager to use the authentication contract for Identity Governance. You
can define the Identity Governance authentication contract as the default authentication
contract for Access Manager or you can define the Identity Governance application as a
protected resource in Access Manager to enable single sign-on for the authorized users.
To make the Identity Governance authentication contract the default contract for the
Access Manager Identity Server, see “Specifying Authentication Defaults” in the Access
Manager 4.5 Administration Guide.
To make the Identity Governance application a protected resource, see “Protecting
Web Resources Through Access Gateway” in the Access Manager 4.5 Administration
Guide.
7. Register Identity Governance as an OAuth application in Access Manager. You must create
an Access Manager role with the exact name of NAM_OAUTH2_ADMIN to register Identity
Governance. For more information, see “Registering OAuth Client Applications” in the
Access Manager 4.5 Administration Guide.
com.netiq.iac.authserver.url.logout =
${com.netiq.idm.osp.url.host}/nidp/app/logout
10c Save and close the file.
11 Clean up Apache Tomcat.
11a Delete the following cache directory. This is the default location.
Linux: /opt/netiq/idm/apps/tomcat/work/Catalina/localhost
Windows: c:\netiq\idm\apps\tomcat\work\Catalina\localhost
11b Delete all of the files and sub-folders in the temp directory. This is the default location.
Linux: /opt/netiq/idm/apps/tomcat/temp
Windows: c:\netiq\idm\apps\tomcat\temp
11c Delete or move any Apache Tomcat log files. This is the default location.
Linux: /opt/netiq/idm/apps/tomcat/logs
Windows: c:\netiq\idm\apps\tomcat\logs
12 Start Apache Tomcat. For more information, see Section 3.4.3, “Starting and Stopping Apache
Tomcat,” on page 49.
13 Log in to Identity Governance to test whether authentications are now going through
Access Manager.
IMPORTANT: Ensure that you copy the Client ID not the Client Application Name.
3c In the Identity Governance Configuration Update utility ensure that the authentication
settings are set to Access Manager values.
3c1 Click the Authentications tab.
3c2 (Conditional) Select OAuth server uses TLS.
3c3 Select Access Manager is the OAuth provider.
3c4 Populate the following fields with the Access Manager information.
OAuth server host name
Specify the fully qualified DNS name of your Access Manager server.
OAuth server TCP port
Specify the port for Access Manager. The default is 443.
Identity Governance bootstrap admin
Browse to and select the LDAP bootstrap administrator you created in Step 1.
3c5 Click OK to save the changes and the Identity Governance Configuration Update utility
automatically closes.
3d Ensure that the ism-configuration.properties file lists the protocol as secure.
3d1 Open the ism-configuration.properties file in a text editor. The default
location is:
Linux: /opt/netiq/idm/apps/tomcat/conf
Windows: c:\netiq\idm\apps\tomcat\conf
com.netiq.idm.osp.oauth.auth-params =
4c Copy the entry and the value for this entry.
4d On the Identity Governance server, open the ism-configuration.properties file in a
text editor. The default location is:
Linux: /opt/netiq/idm/apps/tomcat/conf
Windows: c:\netiq\idm\apps\tomcat\conf
4e Add the entry that you copied in Step 4c to the Identity Governance ism-
configuration.properties file.
4f Add the following entry to the Identity Governance ism-configuration.properties
file:
com.netiq.iac.authserver.url.logout =
${com.netiq.idm.osp.url.host}/nidp/app/logout
4g Save and close the OSP and the Identity Governance ism-configuration.properties
files.
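Step 3d above asks you to confirm that the protocol in ism-configuration.properties is secure, and the logout entry just added refers to another property through a `${...}` placeholder, so the effective URL is only visible after expansion. The following Python snippet is an added example, not part of Identity Governance or its configuration utilities: it expands those references the way the logout entry uses them and flags every URL-valued property that does not start with https, so it covers all URL entries in the file rather than only the logout entry shown above. Only the property names com.netiq.idm.osp.url.host and com.netiq.iac.authserver.url.logout come from this guide; the host names and ports in the embedded sample are constructed.

```python
"""Resolve ${...} references in an ism-configuration.properties file and
report URL-valued properties that are not https.

Added example, not shipped with Identity Governance. Property names
com.netiq.idm.osp.url.host and com.netiq.iac.authserver.url.logout are from
the guide; the sample host names and ports are made up.
"""
import re

PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")
URL_SCHEME = re.compile(r"[a-z][a-z0-9+.-]*://", re.I)

# Constructed sample in the 'key = value' shape the guide shows. BEFORE still
# points at a plain-http host; AFTER is the same file once the host entry has
# been changed to https, which is what step 3d asks you to verify.
BEFORE = """
com.netiq.idm.osp.url.host = http://osp.example.com:8080
com.netiq.iac.authserver.url.logout = ${com.netiq.idm.osp.url.host}/nidp/app/logout
"""
AFTER = BEFORE.replace("http://osp.example.com:8080", "https://osp.example.com:8443")


def load_properties(text):
    """Parse 'key = value' lines (comments starting with # or ! and blank
    lines are ignored); spaces around '=' are tolerated as in the guide."""
    return dict(re.findall(r"^[ \t]*([^#!\s][^=\n]*?)[ \t]*=[ \t]*(.*?)[ \t]*$", text, re.M))


def resolve(props, key, _seen=frozenset()):
    """Expand ${other.key} references recursively. Unknown keys raise KeyError
    and reference cycles raise ValueError, so a typo in a copied entry does
    not silently produce a broken URL."""
    if key not in props:
        raise KeyError(f"{key} is not defined")
    if key in _seen:
        raise ValueError(f"circular reference involving {key}")
    seen = _seen | {key}
    return PLACEHOLDER.sub(lambda m: resolve(props, m.group(1), seen), props[key])


def insecure_urls(props):
    """Return {key: resolved_value} for every property whose resolved value
    is a URL with a scheme other than https."""
    found = {}
    for key in props:
        value = resolve(props, key)
        if URL_SCHEME.match(value) and not value.lower().startswith("https://"):
            found[key] = value
    return found


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        props = load_properties(text)
        print(label, "logout URL:", resolve(props, "com.netiq.iac.authserver.url.logout"))
        print(label, "insecure:", insecure_urls(props))
```

Point `load_properties` at the contents of the Identity Governance and OSP copies of ism-configuration.properties; an empty result from `insecure_urls` means every URL the file resolves to uses https.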
5 On the Identity Governance server change additional settings in the Identity Governance
Configuration utility.
5a Launch the Identity Governance Configuration utility using the database password. For
more information, see Section 14.1.3, “Using the Identity Governance Configuration
Utility,” on page 248.
5b Click the Authentication tab.
5c In the OAuth Server section, make the following changes:
Protocol
(Conditional) Change the protocol from http to https if it is not already at https.
IMPORTANT: Ensure that you copy the Client ID not the Client Application Name.
com.netiq.idm.osp.oauth.auth-params =
9d3 Copy the entry and the value for this entry.
If you are allowing the installer to create the databases, the database must be installed but
must not contain any data so that the installer can properly create the databases. For more
information, see Section 5.4, “Using the Identity Governance Installer to Create and Populate the
Databases,” on page 94.
If you are manually creating the databases, you must have all of the databases created with the
proper names before you begin the installation. For more information, see Section 5.6, “Manually
Creating and Populating the Databases,” on page 96.
The databases have specific names that the installer creates for you. If you are manually creating
the databases, you must use these specific names, as listed below.
Database function: database name
operations: igops
archive: igarc
workflow: igwf
analytics: igara
For production environments, you must install a database server that hosts multiple Identity
Governance databases. You can install the Identity Governance databases and the Identity Reporting
database on the same database server. For more information about Identity Reporting, see
Chapter 7, “Installing Identity Reporting,” on page 151.
Each database performs a specific function. For example, the data collection database stores the
catalog information for your identity sources and application sources. The Identity Governance
administration console displays these database names with the associated functions that each
must perform.
Requirements
The database server, the Identity Governance server, and the Identity Reporting server
must run in the same subnetwork.
Install a database server or use an existing database server that Identity Governance supports. For more
information about the specific database versions, see
Section 2.4.2, “Database Requirements,” on page 39.
(Conditional) If you do not use PostgreSQL, ensure that the JDBC driver for the supported
database is on the server where you install Identity Governance and Identity Reporting. For
more information, see Section 5.7, “Adding the JDBC File to the Application Server,” on page 97.
(Conditional) You can install the version of PostgreSQL that Identity Governance requires in an
environment that runs an older version of the database program. To ensure that the new
installation does not overwrite the previous version, specify a different directory for the new
files.
Recommendations
For production environments, we recommend that you never install Identity Governance or
Identity Manager components on the same server where the databases run. If you do install
these components on the same server where the databases run, it significantly impacts the
performance of Identity Governance. For more information, see Section 2.3, “Recommended
Production Environment Installation Scenarios,” on page 30.
For production environments, we recommend that you cluster the database server to provide
fault tolerance for the information stored in the database. The Identity Governance installer
does not cluster the database server for you. For more information on how to cluster the
database server, see Section 2.3.4, “Ensuring High Availability or Load Balancing for Identity
Governance,” on page 33.
For production environments, if you use Identity Reporting often, we recommend that you
install Identity Reporting on a separate server from Identity Governance. For more information,
see Section 2.3, “Recommended Production Environment Installation Scenarios,” on page 30.
For production environments, if you are installing both Identity Governance and Identity
Reporting on the same server, and you plan to move one of the features to a different server,
we recommend that you install both features separately to facilitate the future move.
To have the Identity Governance installer create and populate the database:
1 Ensure that Identity Governance supports the database version you are using. For more
information, see Section 2.4, “Hardware and Software Requirements,” on page 36.
2 Ensure that the database server and the Identity Governance server run on the same
subnetwork in your IT environment.
3 (Conditional) If you are not using PostgreSQL, download the appropriate JDBC driver for your
database and copy it to the server where you will install Identity Governance. For more
information, see Section 5.7, “Adding the JDBC File to the Application Server,” on page 97.
4 Ensure that you meet the prerequisites for the Identity Governance installation and then you
can start the installation. For more information, see Section 6.3, “Prerequisites for Identity
Governance,” on page 123.
5 Use the information that you gather in the Table 6-1, “Identity Governance Installation
Worksheet,” on page 124 to install Identity Governance.
6 During the installation of Identity Governance, select Configure database now to have the
installer create and populate the databases.
7 When the installation process completes, review the
Identity_Governance_InstallLog.log file. The default location of the
Identity_Governance_InstallLog.log file is here:
Linux: /opt/netiq/idm/apps/idgov/logs
Windows: c:\netiq\idm\apps\idgov\logs
To have the Identity Reporting installer create and populate the database:
1 Ensure that Identity Governance supports the database version you are using. For more
information, see Section 2.4, “Hardware and Software Requirements,” on page 36.
2 Ensure that the database server, the Identity Governance server, and the Identity Reporting
server run on the same subnetwork in your IT environment.
3 (Conditional) If you are not using PostgreSQL, download the appropriate JDBC driver for your
database and copy it to the server where you will install Identity Reporting. For more
information, see Section 5.7, “Adding the JDBC File to the Application Server,” on page 97.
4 Ensure that you meet the prerequisites for the Identity Reporting installation and then you
can start the installation. For more information, see Section 7.2, “Prerequisites for Identity
Reporting,” on page 153.
IMPORTANT: If you start Identity Governance or Identity Reporting before running the SQL scripts,
Identity Governance automatically populates the databases for you. If you do not want the
Identity Governance installer to modify the databases, ensure that you run the SQL scripts before
starting Identity Governance or Identity Reporting.
IMPORTANT: The databases must not contain anything but the schema, or the installation of
Identity Governance fails.
The Identity Governance installer needs the name of the databases to represent the operations,
archive, data collection, provisioning workflow, and analytics databases for Identity Governance. For
more information, see Section 5.1, “Understanding the Identity Governance and Identity Reporting
Databases,” on page 91.
However, your database administrator might prefer to create the schema for the databases, as well
as the database artifacts, rather than allowing the installation process to do so. If that is the case,
then you would use the SQL scripts to create the schema and populate the databases. Use the steps
for the appropriate database version to manually create the databases before starting the Identity
Governance installation.
Section 5.8.1, “Creating the Microsoft SQL Server Databases before Installing,” on page 98
Section 5.8.2, “Creating the Oracle Schema Before Installing Identity Governance,” on page 101
Section 5.8.3, “Creating the PostgreSQL Databases Before Installing,” on page 104
Section 5.8.4, “Using Vertica,” on page 107
USE [master];
CREATE DATABASE [igops];
CREATE DATABASE [igarc];
CREATE DATABASE [igdcs];
CREATE DATABASE [igwf];
CREATE DATABASE [igara];
-- Server logins for the five database roles. The CREATE USER ... FOR LOGIN statements
-- below fail if these logins do not already exist. Replace every 'password' placeholder
-- with a strong secret; the installer expects the same value for all of them (see step 4).
CREATE LOGIN [igops] WITH PASSWORD = 'password';
CREATE LOGIN [igarc] WITH PASSWORD = 'password';
CREATE LOGIN [igdcs] WITH PASSWORD = 'password';
CREATE LOGIN [igwf] WITH PASSWORD = 'password';
CREATE LOGIN [igara] WITH PASSWORD = 'password';
GO
-- Operations database. db_owner is what the installer expects; use these logins only for Identity Governance.
USE [igops];
CREATE USER [igops] FOR LOGIN [igops];
ALTER ROLE [db_owner] ADD MEMBER [igops];
CREATE ROLE [IG_REPORT_ROLE];
CREATE LOGIN [igrptuser] WITH PASSWORD = 'password';
CREATE USER [igrptuser] FOR LOGIN [igrptuser];
ALTER ROLE [IG_REPORT_ROLE] ADD MEMBER [igrptuser];
GO
USE [igarc];
CREATE USER [igarc] FOR LOGIN [igarc];
ALTER ROLE [db_owner] ADD MEMBER [igarc];
CREATE ROLE [IG_REPORT_ROLE];
GO
-- Data collection database: same pattern as the others, added so that every database created above has its owner.
USE [igdcs];
CREATE USER [igdcs] FOR LOGIN [igdcs];
ALTER ROLE [db_owner] ADD MEMBER [igdcs];
GO
USE [igwf];
CREATE USER [igwf] FOR LOGIN [igwf];
ALTER ROLE [db_owner] ADD MEMBER [igwf];
GO
USE [igara];
CREATE USER [igara] FOR LOGIN [igara];
ALTER ROLE [db_owner] ADD MEMBER [igara];
GO
4 Specify the same password for all databases.
NOTE: The installation process for Identity Governance requires you to specify one password
that becomes the password for all of the databases. After installing Identity Governance, you
can modify the passwords to be unique for each database.
5.8.1.2 Creating the Microsoft SQL Server Database before Installing Identity Reporting
As a system administrator, create a database, such as igrpt. Alternatively, you can allow the
installation program to create a database for you. Specify an account for the database owner that
the installation process can use. For more information, see “Creating a Temporary Microsoft SQL
Server Database Administrator for the installation process” on page 108.
1 (Optional) If you are installing Identity Reporting, also use the following commands:
-- The idm_rpt_cfg login must exist before CREATE USER ... FOR LOGIN; create it first if it does not (replace the placeholder password).
CREATE LOGIN [idm_rpt_cfg] WITH PASSWORD = 'password';
GO
USE [igrpt];
CREATE USER [idm_rpt_cfg] FOR LOGIN [idm_rpt_cfg];
CREATE SCHEMA [IDM_RPT_CFG] AUTHORIZATION [idm_rpt_cfg];
ALTER AUTHORIZATION ON SCHEMA::[IDM_RPT_CFG] TO [idm_rpt_cfg];
ALTER ROLE [db_owner] ADD MEMBER [idm_rpt_cfg];
GO
2 When installing Identity Reporting, specify one of the following settings:
Configure database now > Update, if you want the installation program to generate or
update the schemas, tables, and views when you migrate from the previous release of
Identity Governance
Configure database now > Use only existing, if your database is already set up correctly with
all schemas, roles, and users
Generate SQL for later, if your database administrator wants to generate the schemas,
tables, and views
For more information about using SQL scripts, see Section 5.6, “Manually Creating and
Populating the Databases,” on page 96.
IMPORTANT: You must turn on the SQL Tuning Advisor to optimize queries in the Oracle database.
NOTE: The installation process for Identity Governance requires you to specify one password
that applies to all of the schemas. After installing Identity Governance, you can modify the
passwords to be unique for each schema.
NOTE: If you use the default values of users and temp, skip these commands:
alter user dbName default tablespace users;
alter user dbName temporary tablespace temp;
7 Create the Identity Governance user that accesses reporting information, igrptuser.
CREATE USER igrptuser IDENTIFIED BY "igrptuser_password";
8 Grant the reporting role to the reporting user plus additional privileges.
IMPORTANT: You must create the database (SID) with the AL32UTF8 (Unicode UTF-8 Universal
character set) character set before installing Identity Reporting.
2 Ensure that the database server, Identity Governance, and Identity Reporting run in the same
subnetwork.
3 Use the following commands to create the database:
Section 5.8.3.1, “Creating the PostgreSQL Databases before Installing Identity Governance,” on
page 105
Section 5.8.3.2, “Creating the PostgreSQL Database before Installing Identity Reporting,” on
page 106
NOTE: The installation process for Identity Governance requires you to specify one password
that applies to all databases. After installing Identity Governance, you can modify the
passwords to be unique for each database.
7 When you install Identity Governance, specify one of the following settings:
Configure database now > Update, if you want the installation program to generate or
update the schemas, tables, and views when you migrate from the previous release of
Identity Governance
NOTE: The installation process for Identity Governance requires you to specify one password
that applies to all databases. After installing Identity Governance, you can modify the
passwords to be unique for each database.
3 When you install Identity Reporting or during the Identity Governance installation if you install
Identity Reporting on the Identity Governance server, specify one of the following settings:
Configure database now > Update, if you want the installation program to generate or
update the schemas, tables, and views when you migrate from the previous release of
Identity Governance
Configure database now > Use only existing, if your database is already set up correctly with
all schemas, roles, and users
Generate SQL for later, if your database administrator wants to generate the schemas,
tables, and views
For more information about using SQL statements after installation, see Section 5.11,
“Configuring the Databases Using the SQL Scripts,” on page 110.
IMPORTANT: If you create the Oracle database administrator in a database hosted in the cloud,
ensure that you follow the documentation for the cloud platform you are using to have the proper
rights for the database administrator. The following steps are for databases installed on premise and
might not be correct if you are installing in the cloud.
The temporary account must have the CONNECT role and the following system privileges:
Alter user
Create public synonym
Create user
Drop public synonym
Drop user
Grant any object privilege
During installation, you can also select Generate SQL for later, which prevents the installation
program from creating the tables, views, and artifacts in the Identity Governance or Identity
Reporting database. Instead, the program generates a SQL file for each schema, which your database
administrator can run to update the database. For more information about using the SQL files, see
Section 5.11, “Configuring the Databases Using the SQL Scripts,” on page 110.
IMPORTANT: If you create the Microsoft SQL database administrator in a database hosted in the
cloud, ensure that you follow the documentation for the cloud platform you are using to have the
proper rights for the database administrator. The following steps are for databases installed on
premise and might not be correct if you are installing in the cloud.
During installation, you can also select Generate SQL for later, which prevents the installation
program from creating the tables, views, and artifacts in the Identity Governance or Identity
Reporting databases. Instead, the program generates a SQL file for each database, which your
database administrator can run to update the database. For more information about using the SQL
files, see “Configuring the Databases Using the SQL Scripts” on page 110.
IMPORTANT: If you create the PostgreSQL database administrator in a database hosted in the cloud,
ensure that you follow the documentation for the cloud platform you are using to have the proper
rights for the database administrator. The following steps are for databases installed on premise and
might not be correct if you are installing in the cloud.
The temporary account must have privileges to complete the following tasks:
create databases
create roles
assign ownership of each database to a role so that this role can then create tables, views, and
other artifacts within the databases that it owns
grant connect on a database to a role
grant one role to another.
During installation, you can also select Generate SQL for later, which prevents the installation
program from creating the tables, views, and artifacts in the Identity Governance or Identity
Reporting databases. Instead, the program generates a SQL file for each database, which your
database administrator can run to update each database. For more information about using the SQL
files, see Section 5.11, “Configuring the Databases Using the SQL Scripts,” on page 110.
"/opt/netiq/idm/apps/jre/bin/java" -
Djava.util.logging.config.file="/opt/netiq/idm/apps/idgov/conf/
logging.properties" -Djava.security.egd=file:///dev/urandom -
Dcom.netiq.ism.config="/opt/netiq/idm/apps/idgov/conf/unused.props"
-classpath "/opt/netiq/idm/apps/idgov/lib/ig-configutil.jar":"/opt/
netiq/idm/apps/idgov/lib/ojdbc.jar"
com.netiq.iac.config.util.IacConfigUtil -dbDriver
oracle.jdbc.OracleDriver -dbUser %igops-user% -dbPassword
%password% -dbUrl "jdbc:oracle:thin:@%oracle-server%:%port%/%sid%"
-script "/opt/netiq/idm/apps/idgov/scripts/all-import-
configs.script"
Microsoft SQL: Use the following command:
"/opt/netiq/idm/apps/jre/bin/java" -
Djava.util.logging.config.file="/opt/netiq/idm/apps/idgov/conf/
logging.properties" -Dcom.netiq.ism.config="/opt/netiq/idm/apps/
idgov/conf/unused.props" -classpath "/opt/netiq/idm/apps/idgov/lib/
ig-configutil.jar":"/opt/netiq/idm/apps/idgov/lib/msjdbc.jar"
com.netiq.iac.config.util.IacConfigUtil -dbDriver
com.microsoft.sqlserver.jdbc.SQLServerDriver -dbUser igops -
dbPassword %igops-password% -dbUrl "jdbc:sqlserver://
%server%:%port%;databaseName=igops" -script "/opt/netiq/idm/apps/
idgov/scripts/all-import-configs.script"
NOTE: The commands in these examples contain the default installation path of /opt/netiq/
idm/apps.
NOTE: You must create the roles with the igops, igdcs, igwf, igara, and igarc database
passwords rather than the database administrator password.
Ensure that the scripts are located on the database server. If you cannot access the SQL scripts, see
Section 11.2, “Manually Generating the Database Schema after the Installation,” on page 218.
1 To populate the user schema in the database, have the database administrator run a command
similar to the following:
"/opt/netiq/idm/apps/jre/bin/java" -Djava.util.logging.config.file="/
opt/netiq/idm/apps/idgov/conf/logging.properties" -
Djava.security.egd=file:///dev/urandom -Dcom.netiq.ism.config="/opt/
netiq/idm/apps/idgov/conf/unused.props" -classpath "/opt/netiq/idm/
apps/idgov/lib/ig-configutil.jar":"/opt/netiq/idm/apps/idgov/lib/
postgresql-42.2.6.jar" com.netiq.iac.config.util.IacConfigUtil -
dbDriver org.postgresql.Driver -dbUser %igops-user% -dbPassword
%password% -dbUrl "jdbc:postgresql://%postgresql-server%:%port%/%igops-
db%" -script "/opt/netiq/idm/apps/idgov/scripts/all-import-
configs.script"
"/opt/netiq/idm/apps/jre/bin/java" -Djava.util.logging.config.file="/
opt/netiq/idm/apps/idgov/conf/logging.properties" -
Djava.security.egd=file:///dev/urandom -Dcom.netiq.ism.config="/opt/
netiq/idm/apps/idgov/conf/unused.props" -classpath "/opt/netiq/idm/
apps/idgov/lib/ig-configutil.jar":"/opt/netiq/idm/apps/idgov/lib/
ojdbc.jar" com.netiq.iac.config.util.IacConfigUtil -dbDriver
oracle.jdbc.OracleDriver -dbUser %igops-user% -dbPassword %password% -
dbUrl "jdbc:oracle:thin:@%oracle-server%:%port%/%sid%" -script "/opt/
netiq/idm/apps/idgov/scripts/all-import-configs.script"
For example:
"/opt/netiq/idm/apps/jre/bin/java" -Djava.util.logging.config.file="/
opt/netiq/idm/apps/idgov/conf/logging.properties" -
Djava.security.egd=file:///dev/urandom -Dcom.netiq.ism.config="/opt/
netiq/idm/apps/idgov/conf/unused.props" -classpath "/opt/netiq/idm/
apps/idgov/lib/ig-configutil.jar":"/opt/netiq/idm/apps/idgov/lib/
ojdbc.jar" com.netiq.iac.config.util.IacConfigUtil -dbDriver
oracle.jdbc.OracleDriver -dbUser igops -dbPassword netiq -dbUrl
"jdbc:oracle:thin:@myoracle.mycompany.com:1521/mysid" -script "/opt/
netiq/idm/apps/idgov/scripts/all-import-configs.script"
NOTE: You must create the roles with the igops, igarc, igdcs, igwf, and igara database
passwords rather than the database administrator password.
"/opt/netiq/idm/apps/jre/bin/java" -Djava.util.logging.config.file="/
opt/netiq/idm/apps/idgov/conf/logging.properties" -
Dcom.netiq.ism.config="/opt/netiq/idm/apps/idgov/conf/unused.props" -
classpath "/opt/netiq/idm/apps/idgov/lib/ig-configutil.jar":"/opt/
netiq/idm/apps/idgov/lib/msjdbc.jar"
com.netiq.iac.config.util.IacConfigUtil -dbDriver
com.microsoft.sqlserver.jdbc.SQLServerDriver -dbUser igops -dbPassword
%igops-password% -dbUrl "jdbc:sqlserver://
%server%:%port%;databaseName=igops" -script "/opt/netiq/idm/apps/idgov/
scripts/all-import-configs.script"
If you cannot access the SQL scripts, see Section 11.2, “Manually Generating the Database
Schema after the Installation,” on page 218.
Ensure that the script is located on the database server. The following is a list of example
commands to run on the different databases to generate the Identity Reporting database.
PostgreSQL
For example, if you have the PostgreSQL utility and psql installed at /usr/lib/postgresql/bin/psql, use the following command:
Identity Governance stores this information in multiple locations. You must update this information
in all of the locations to have Identity Governance see the changes. Use the following information to
update the database configuration information in Identity Governance.
Section 5.12.1, “Updating the Identity Governance Configuration Update Utility for the
Database Changes,” on page 117
Section 5.12.2, “Updating the Identity Governance Configuration Utility for the Database
Changes,” on page 118
Section 5.12.3, “Updating the Identity Governance Database Initialization File for the Database
Changes,” on page 119
Section 5.12.4, “Updating the Apache Tomcat server.xml File,” on page 120
This section provides information about installing and configuring Identity Governance. You must
review the installation process, including the prerequisites and requirements, before you begin:
Section 6.1, “Checklist for Installing Identity Governance,” on page 121
Section 6.2, “Installing the Optional Components for Identity Governance,” on page 122
Section 6.3, “Prerequisites for Identity Governance,” on page 123
Section 6.4, “Identity Governance Installation Worksheet,” on page 124
Section 6.5, “Installing Identity Governance,” on page 141
Section 6.6, “Silently Installing Identity Governance and Identity Reporting,” on page 142
Checklist Items
1. Ensure that your environment meets the prerequisites and requirements for hosting
Identity Governance. For more information, see Section 6.3, “Prerequisites for Identity
Governance,” on page 123 and Section 2.4, “Hardware and Software Requirements,” on
page 36.
2. Decide whether you want to install Identity Governance in a clustered environment. For
more information about the requirements, see Section 2.3.4, “Ensuring High Availability or
Load Balancing for Identity Governance,” on page 33.
3. Determine if you need Identity Reporting. For more information, see “Understanding
Identity Reporting” on page 17.
4. Determine how many servers to use with your Identity Governance deployment. For more
information, see Section 2.3, “Recommended Production Environment Installation
Scenarios,” on page 30.
5. Determine which installation method you will use. For more information, see Section 1.2,
“Understanding the Installation Methods,” on page 17.
6. Ensure that your environment has the required components installed and configured. For
more information, see Chapter 3, “Installing Components Required for Identity Governance,
Identity Reporting, and OSP,” on page 45.
7. Ensure that you installed one of the following supported databases on a separate server for
a production environment.
For more information about supported databases and versions, see Section 2.4.2,
“Database Requirements,” on page 39.
8. Ensure that your environment has a supported version of OSP or Access Manager installed.
For more information, see Chapter 4, “Installing an Authentication Service,” on page 57.
9. The installation directory for Identity Governance cannot contain any spaces in the name. If
it does contain spaces, the installation fails.
10. Complete the Identity Governance Installation Worksheet before starting the installation.
For more information, see Section 6.4, “Identity Governance Installation Worksheet,” on
page 124.
11. (Conditional) To use TLS auditing, the audit server should be up and running when you
install Identity Governance so that the installer can connect to the audit server and retrieve
the certificate to add to the trust store. For more information, see Section 3.8, “Securing
Connections with TLS/SSL,” on page 51.
Authentication Prerequisites
Review the following prerequisites for authentication to Identity Governance:
Do not use mixed case domains. Identity Governance utilizes OAuth2 for authentication.
OAuth2 does not support mixed case domains. For more information, see RFC 3986, Section
6.2.1, “Simple String Comparison”.
To use an identity service as your data source for Identity Governance users, ensure that you
have Active Directory or eDirectory already installed. For more information, see “Adding
Identity Governance Users” in Identity Governance User and Administration Guide.
To integrate Identity Governance with Identity Manager, the Identity Manager component must
already be installed and configured with OSP.
Ensure that the communication ports that you want to use are open in the firewall. For more
information, see Appendix A, “Ports Used in Identity Governance,” on page 269.
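Several of the checklist items and prerequisites above can be verified mechanically before the installer is launched. The script below is an added example, not part of the Identity Governance installer: it checks that the database, Identity Governance and Identity Reporting hosts share one subnet, that the installation directory contains no spaces, that the host names in the application URLs are not mixed case, and that the vendor JDBC jar is present when the database is Oracle or Microsoft SQL. The jar names follow the IacConfigUtil classpaths shown in Section 5.11; the lib directory listing is passed in as a set of file names, and the sample configuration at the bottom is constructed, so the checks run offline.

```python
"""Preflight checks for an Identity Governance host.

Added example; not part of the Identity Governance installer. Every input is
passed in explicitly so the checks run without network or filesystem access.
"""
import ipaddress
from urllib.parse import urlsplit

# driver jar names as they appear in the IacConfigUtil classpaths in Section 5.11
JDBC_JAR = {"oracle": "ojdbc.jar", "mssql": "msjdbc.jar"}


def same_subnet(addresses, cidr):
    """True when every address lies inside the network, e.g. 10.0.1.0/24."""
    net = ipaddress.ip_network(cidr, strict=False)
    return all(ipaddress.ip_address(a) in net for a in addresses)


def install_dir_ok(path):
    """The installation fails if the installation directory contains a space."""
    return " " not in path


def hostname_ok(url):
    """Reject mixed-case hosts: OAuth2 redirect URIs are compared as simple strings."""
    netloc = urlsplit(url).netloc.rsplit("@", 1)[-1]   # drop user info if present
    host = netloc.split(":")[0]                         # drop the port (no IPv6 literals)
    return host != "" and host == host.lower()


def jdbc_driver_ok(db_type, lib_files):
    """PostgreSQL's driver ships with the product; Oracle and MSSQL need the vendor jar."""
    if db_type == "postgresql":
        return True
    return JDBC_JAR.get(db_type) in lib_files


def preflight(cfg):
    """Return human-readable findings; an empty list means the host passes."""
    findings = []
    if not same_subnet(cfg["hosts"], cfg["subnet"]):
        findings.append("database, Identity Governance and Identity Reporting hosts "
                        "are not all in " + cfg["subnet"])
    if not install_dir_ok(cfg["install_dir"]):
        findings.append("installation directory contains a space: " + cfg["install_dir"])
    for url in cfg["urls"]:
        if not hostname_ok(url):
            findings.append("mixed-case or empty host name in " + url)
    db = cfg["db_type"]
    if db != "postgresql" and db not in JDBC_JAR:
        findings.append(f"unsupported database type {db!r}")
    elif not jdbc_driver_ok(db, cfg["lib_files"]):
        findings.append(f"{JDBC_JAR[db]} is missing from the application lib directory")
    return findings


# constructed sample: reporting host in the wrong subnet, mixed-case URL, no ojdbc.jar
SAMPLE_CFG = {
    "hosts": ["10.0.1.10", "10.0.1.11", "10.0.2.12"],   # database, IG, Identity Reporting
    "subnet": "10.0.1.0/24",
    "install_dir": "/opt/netiq/idm/apps/idgov",
    "urls": ["https://MyServer.mycompany.com:8443"],
    "db_type": "oracle",
    "lib_files": {"ig-configutil.jar"},
}

if __name__ == "__main__":
    for finding in preflight(SAMPLE_CFG):
        print("FAIL", finding)
```

For a real host, build lib_files from the application lib directory, for example {p.name for p in pathlib.Path("/opt/netiq/idm/apps/idgov/lib").iterdir()}, and take the three addresses from the worksheet rather than from DNS so that the check reflects what you will type into the installer.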
Components to Install
Linux: /opt/netiq/idm/apps/idgov
Windows: C:\netiq\idm\apps\idgov
Linux: /opt/netiq/idm/apps/idrpt
Windows: C:\netiq\idm\apps\idrpt
https://myserver.mycompany.com:8443
Linux: /opt/netiq/idm/apps/tomcat
Windows: C:\netiq\idm\apps\tomcat
Apache Tomcat Java Home > JRE home folder: Specify the path to the Zulu JRE home directory. The Zulu JRE is installed when you install Zulu OpenJDK. The installation process uses Java for several processes, such as to run commands and create security stores.
Linux: /opt/netiq/idm/apps/jre
Windows: C:\netiq\idm\apps\jre
Linux: /opt/netiq/idm/apps/tomcat/conf/apps-truststore.pkcs12
Windows: C:\netiq\idm\apps\tomcat\conf\apps-truststore.pkcs12
(Conditional) OSP > Connect to an external OSP server: Defines how clients connect to the external authentication service (OSP). Select this option only if OSP runs on a separate server from Identity Governance; otherwise, leave it unselected and continue with the installation.
In a clustered environment, specifies the DNS name of the server that hosts the load balancer or the reverse proxy.
OSP authentication server port: Specify the port that the clients use to access OSP. For http, the default port is 8080. For https, the default port is 8443.
Access Manager IDP host name: Specify the DNS name of the Access Manager Identity Server.
Identity Reporting > Host name: WARNING: Use the fully qualified domain name (FQDN) rather than localhost or an IP address. In a non-clustered environment, specify the DNS name of the server hosting Identity Reporting.
Identity Reporting > Port: Specify the port that the clients use to access Identity Reporting. For http, the default port is 8080. For https, the default port is 8443.
Microsoft SQL
Oracle
PostgreSQL
Database details > Configure database now: Select this option to have the Identity Governance installer create and populate the databases. Select this option if you are performing an upgrade or a new installation. For more information, see Section 5.4, “Using the Identity Governance Installer to Create and Populate the Databases,” on page 94.
Database details > Generate SQL for later: Select this option to have your database administrator create and populate the databases using the SQL scripts that the installer generates and stores in the following default directory for Identity Governance:
Linux: /opt/netiq/idm/apps/idgov/sql
Windows: C:\netiq\idm\apps\idgov\sql
Linux: /opt/netiq/idm/apps/idrpt/sql
Windows: C:\netiq\idm\apps\idrpt\sql
Operations: igops
Archive: igarc
Data collection: igdcs
Workflow: igwf
Analytics: igara
Select whether the Identity Governance installer creates the database names, creates the schema, creates the users, creates the roles, and populates the databases with this information. Select this option for new installations or upgrades. Alternatively, select to use existing databases with your own database names and users.
(Conditional) Use SSL for SMTP: Select whether you want to use secure communication with the SMTP server. If you select this option, you must configure your SMTP server for TLS/SSL communication. For more information, see Section 3.8, “Securing Connections with TLS/SSL,” on page 51.
SMTP user name and password: Specify the credentials for a login account to the SMTP server.
Identity Reporting > Keep finished reports for: Specify the amount of time that Identity Reporting retains completed reports before deleting them. For example, to specify six months, enter 6 and then select Month.
Linux: /opt/netiq/idm/apps/idrpt
Windows: C:\netiq\idm\apps\idrpt
Linux: /opt/netiq/idm/apps/audit
Windows: C:\netiq\idm\apps\audit
NOTE: To execute the file, you might need to use the chmod +x or sh command for Linux or
use Run as administrator if you did not log in to your Windows server as an administrator.
NOTE: Application URL represents the URL that connects users to Identity Governance.
11 Click Install.
12 (Conditional) If prompted, accept or reject any untrusted certificates and acknowledge any
errors.
Section 6.6.1, “Understanding the Passwords that Identity Governance Reads from Environment
Variables During the Installation Process,” on page 143
Section 6.6.2, “Creating a Silent Properties File for Identity Governance and Identity Reporting,”
on page 144
Section 6.6.3, “Creating a Silent Properties File for Installing an Additional Node to Cluster
Identity Governance and Identity Reporting,” on page 145
Section 6.6.4, “Performing the Silent Installation of Identity Governance and Identity
Reporting,” on page 148
IMPORTANT: You must create an empty file and have it in the location before starting the
installation or the installation does not run.
A response file contains the values that you must add to the identity-governance-install-silent.properties
file for your environment. You can open the response file and copy the parameters from the
response file to the identity-governance-install-silent.properties file to simplify the process of
creating the identity-governance-install-silent.properties file.
You can also use the Identity Governance Installation Worksheet to add the proper values to the
identity-governance-install-silent.properties file. Open the identity-governance-install-silent.properties
file in a text editor and then use the information you gathered in the Identity Governance
Installation Worksheet to add the correct values for your environment. For more information, see
Table 6-1, “Identity Governance Installation Worksheet,” on page 124.
NOTE: To execute the file, you might need to use the chmod +x or sh command for Linux
to change the permissions on the installer or log in to your Windows server as an
administrator.
3b Use the Identity Governance Installation Worksheet to complete the first guided or console
installation of Identity Governance to create the response file. For more information, see
Table 6-1, “Identity Governance Installation Worksheet,” on page 124.
3c Review the Identity_Governance_InstallLog.log file to ensure that no errors occurred.
Linux: /opt/netiq/idm/apps/idgov/logs
Windows: C:\netiq\idm\apps\idgov\logs
4 Find and open the response file in a text editor.
5 Find and open the identity-governance-install-silent.properties in a text editor.
6 Copy the values from the response file to the identity-governance-install-silent.properties file.
NOTE: If you are deploying on Windows, ensure that you escape the backslashes '\' or the
silent properties file does not work.
Value   Meaning
0       false
1       true
install_servlet_protocol=http:      install_servlet_protocol_http=1, install_servlet_protocol_https=0
install_servlet_protocol=https:     install_servlet_protocol_http=0, install_servlet_protocol_https=1
install_authserver_protocol=http:   install_authserver_protocol_http=1, install_authserver_protocol_https=0
install_authserver_protocol=https:  install_authserver_protocol_http=0, install_authserver_protocol_https=1
install_govern_protocol=http:       install_govern_protocol_http=1, install_govern_protocol_https=0
install_govern_protocol=https:      install_govern_protocol_http=0, install_govern_protocol_https=1
The default value in the silent properties file uses the values set for the servlet:
install_govern_protocol=$install_servlet_protocol$
install_govern_hostname=$install_servlet_hostname$
install_govern_port=$install_servlet_port$
8 (Optional) Specify any number of certificate files and corresponding aliases to accept into the
trust store (/opt/netiq/idm/apps/tomcat/conf/apps-truststore.pkcs12). For
example:
install_cert_1_file=/home/username/Downloads/tomcat_cert
install_cert_1_alias=ig-tomcat
install_cert_2_file=/home/username/Downloads/audit_cert
install_cert_2_alias=ig-audit
NOTE: You can specify the files in any order, and they must exist on the same machine as the
Identity Governance installer. The installer will start trusting with 1 and stop with the first
missing consecutive number. So if you list files 1, 2, and 4, the installer only trusts certificates 1
and 2.
9 (Optional) To prevent the installation process from creating or configuring the database, specify
no for install_db_configure and leave install_db_create blank.
For example:
# When to Configure DB?
# Allowable values:
# during - Perform configuration during installation
# after - Perform configuration post install, via a generated SQL
script
# no - Do not perform DB configuration
install_db_configure=no
# Create DB?
# If performing the DB configuration during installation,
# should the installer also create the database
# or should it use an existing database.
#
# Allowable values:
# true - Create the database.
# false - Use an existing database.
install_db_create=
The installation process only needs the values for the databases under #Database details.
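A silent install does not print anything to the console, so a mistake in the properties file is only discovered in the log afterwards. The linter below is an added example, not part of the Identity Governance installer; it checks the rules stated in steps 6 to 9 before you run the installation: each ..._protocol value must agree with its ..._protocol_http/..._protocol_https flag pair (resolving $key$ references such as $install_servlet_protocol$), certificate entries are trusted from install_cert_1_file upward and stop at the first gap, install_db_configure must be during, after or no with install_db_create blank when it is no, and Windows paths must escape their backslashes. The embedded sample file is constructed with deliberate mistakes, and the two example_windows_path keys are placeholders rather than real installer properties.

```python
"""Lint an identity-governance-install-silent.properties file before a silent install.

Added example; not part of the Identity Governance installer.
"""
import re

PROTOCOL_GROUPS = ("servlet", "authserver", "govern")
DB_CONFIGURE_VALUES = {"during", "after", "no"}
_REF = re.compile(r"^\$([A-Za-z0-9_]+)\$$")

SAMPLE = r"""
# constructed sample with deliberate mistakes; not a real response file
install_servlet_protocol=https
install_servlet_protocol_http=1
install_servlet_protocol_https=0
install_authserver_protocol=http
install_authserver_protocol_http=1
install_authserver_protocol_https=0
install_govern_protocol=$install_servlet_protocol$
install_govern_protocol_http=0
install_govern_protocol_https=1
install_cert_1_file=/home/username/Downloads/tomcat_cert
install_cert_1_alias=ig-tomcat
install_cert_2_file=/home/username/Downloads/audit_cert
install_cert_2_alias=ig-audit
install_cert_4_file=/home/username/Downloads/extra_cert
install_cert_4_alias=ig-extra
install_db_configure=no
install_db_create=true
example_windows_path=C:\netiq\idm\apps\tomcat
example_windows_path_escaped=C:\\netiq\\idm\\apps\\jre
"""


def parse_properties(text):
    """Minimal Java .properties reader: key=value per line, # comments and blanks skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def resolve(props, key):
    """Follow $other_key$ references (the govern defaults point at the servlet values)."""
    seen = set()
    value = props.get(key, "")
    while True:
        ref = _REF.match(value)
        if not ref or ref.group(1) in seen:
            return value
        seen.add(ref.group(1))
        value = props.get(ref.group(1), "")


def lint(props):
    """Return a list of findings; an empty list means the file passes these checks."""
    findings = []
    # 1. each protocol value must be backed by the matching 1/0 flag pair
    for g in PROTOCOL_GROUPS:
        proto = resolve(props, f"install_{g}_protocol")
        if proto not in ("http", "https"):
            findings.append(f"install_{g}_protocol must be http or https, got {proto!r}")
            continue
        want = {"http": ("1", "0"), "https": ("0", "1")}[proto]
        got = (props.get(f"install_{g}_protocol_http", ""),
               props.get(f"install_{g}_protocol_https", ""))
        if got != want:
            findings.append(f"install_{g}_protocol={proto} requires _http={want[0]} and "
                            f"_https={want[1]}, got {got[0]!r}/{got[1]!r}")
    # 2. the installer trusts install_cert_1, 2, ... and stops at the first missing number
    numbers = sorted(int(m.group(1)) for m in
                     (re.fullmatch(r"install_cert_(\d+)_file", k) for k in props) if m)
    expected = 1
    for n in numbers:
        if n != expected:
            findings.append(f"install_cert_{n}_file is ignored: install_cert_{expected}_file is missing")
            continue
        expected += 1
        if f"install_cert_{n}_alias" not in props:
            findings.append(f"install_cert_{n}_file has no install_cert_{n}_alias")
    # 3. database configuration switches
    configure = props.get("install_db_configure", "")
    create = props.get("install_db_create", "")
    if configure not in DB_CONFIGURE_VALUES:
        findings.append(f"install_db_configure must be during, after or no, got {configure!r}")
    elif configure == "no" and create:
        findings.append("install_db_create must be blank when install_db_configure=no")
    elif configure == "during" and create not in ("true", "false"):
        findings.append("install_db_create must be true or false when install_db_configure=during")
    # 4. an odd run of backslashes is an unescaped Windows path separator
    for key, value in props.items():
        if any(len(run.group()) % 2 for run in re.finditer(r"\\+", value)):
            findings.append(f"{key}: unescaped backslash in {value!r}; write each one as \\\\")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_properties(SAMPLE)):
        print("WARN", finding)
```

Run it against your real file with lint(parse_properties(open(path).read())) and fix every finding before step 8 of the silent installation; the certificate check in particular catches the case where a cert listed after a numbering gap is silently never added to the trust store.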
To silently install:
1 Ensure that you have created the identity-governance-install-silent.properties
file for your environment. For more information, see Section 6.6.2, “Creating a Silent Properties
File for Identity Governance and Identity Reporting,” on page 144.
2 (Conditional) If this server is an additional node to cluster Identity Governance, ensure that you
have properly modified the identity-governance-install-silent.properties file for
the additional nodes in a cluster. For more information, see Section 6.6.3, “Creating a Silent
Properties File for Installing an Additional Node to Cluster Identity Governance and Identity
Reporting,” on page 145.
3 Ensure that this server meets the prerequisites for Identity Governance. For more information,
see Section 6.3, “Prerequisites for Identity Governance,” on page 123.
4 Ensure that the Identity Governance installation files are on the server. For more information,
see Section 2.2, “Obtaining Identity Governance, Identity Reporting, and OSP,” on page 29.
5 Log in as root on Linux server or an administrator on Windows server where you want to
install Identity Governance.
6 Stop Apache Tomcat. For more information, see Section 3.4.3, “Starting and Stopping Apache
Tomcat,” on page 49.
7 Copy the populated identity-governance-install-silent.properties file to this server.
8 To run the silent installation, enter the following at a command prompt:
Linux: ./identity-governance-install-linux.bin -i silent -f path_to_silent_properties_file
Windows: cmd /c "identity-governance-install-win.exe -i silent -f path_to_silent_properties_file"
NOTE: If the silent properties file is in a different directory from the installation file, you must
specify the full path to the file. The script unpacks the necessary files to a temporary directory
and then launches the silent installation.
9 When the console prompt returns, review the log file to ensure that the installation completed
successfully. The silent installation does not display any messages on the console.
When the installation completes, there are additional configuration steps to perform before you can
use Identity Governance and Identity Reporting. For more information, see Chapter 8, “Completing
the Installation Process,” on page 167.
that comes with Identity Governance and is configured to run only with Identity Governance. This
version uses the Identity Governance security module to determine who has access to the reports.
Installed this way, you can run both Identity Manager and Identity Governance reports by
configuring an external data source where you store the data. However, Identity Reporting cannot
be utilized for Data Collection in Identity Manager.
The second version of Identity Reporting ships with Identity Manager. If you already have an
Identity Manager environment and you want to utilize Data Collection, you must use that version
of Identity Reporting. It uses the Identity Manager security module to determine who has access to the
reports. It can run both the Identity Manager and Identity Governance reports by configuring an
external data source where you store the data.
You can also install both versions of Identity Reporting in the Identity Governance environment and
in the Identity Manager environment so that each system has its separate reporting environment.
However, installing Identity Reporting this way requires that you deploy, configure, and run reports
on two different servers. For more information about Identity Reporting, see the Identity
Governance 3.6 Reporting Guide and the Administrator Guide to NetIQ Identity Reporting.
Before you install Identity Reporting, you must decide if you want to install the Identity Reporting
that comes with Identity Governance or the Identity Reporting that comes with Identity Manager.
You can install Identity Reporting when you install Identity Governance, or you can install it at a
later time. This chapter guides you through the process of installing the required components for
Identity Reporting with the assumption that you do not intend to use Identity Reporting as part of
an Identity Manager environment. For more information about installing reporting for Identity
Manager, see:
The Identity Governance installer installs Identity Reporting. You can install Identity Reporting on the
same server as Identity Governance or on a separate server. The following information explains how
to install Identity Reporting on a different server from Identity Governance. For information about
installing Identity Reporting with Identity Governance, see Chapter 6, “Installing Identity
Governance,” on page 121.
Use the following information to install Identity Reporting that comes with Identity Governance on a
separate server from Identity Governance:
Section 7.1, “Checklist for Installing Identity Reporting,” on page 152
Section 7.2, “Prerequisites for Identity Reporting,” on page 153
Section 7.3, “Understanding the Installation Process for the Identity Reporting Components,” on
page 154
Section 7.4, “Identity Reporting Installation Worksheet,” on page 155
Section 7.5, “Installing Identity Reporting,” on page 165
Section 7.6, “Silently Installing Identity Reporting,” on page 166
Checklist Items
1. Learn about the interaction among Identity Reporting components. For more information,
see “Understanding Identity Reporting” on page 17.
2. Decide which server you want to use for your Identity Reporting components. For more
information, see Section 2.3, “Recommended Production Environment Installation
Scenarios,” on page 30.
3. Review the considerations for installing Identity Reporting. For more information, see
Section 7.2, “Prerequisites for Identity Reporting,” on page 153.
4. Review the hardware and software requirements for the computer that will host Identity
Reporting. For more information, see Section 2.4.3, “Identity Reporting Server System
Requirements,” on page 40.
5. Ensure that the server where you want to install Identity Reporting has Zulu OpenJDK and
Apache Tomcat installed. For more information, see Chapter 3, “Installing Components
Required for Identity Governance, Identity Reporting, and OSP,” on page 45.
6. Ensure that you have a database to which the installation process can connect. For more
information, see Chapter 5, “Creating Databases for Identity Governance and Identity
Reporting,” on page 91.
(Conditional) Add the schema for the reporting user. For more information, see
Section 5.8.2, “Creating the Oracle Schema Before Installing Identity Governance,” on
page 101 and Section 7.3.2, “Understanding the Users that the Installation Process Creates,”
on page 154.
7. Determine the installation method you want to use. For more information, see Section 1.2,
“Understanding the Installation Methods,” on page 17.
8. The installation directory for Identity Reporting cannot contain any spaces in the name. If it
does contain spaces, the installation fails.
9. (Conditional) If you want email notifications for reports, you must have an SMTP server
installed and running. If you want to guarantee the delivery of emails, you must install
ActiveMQ on the Identity Governance server. For more information, see Chapter 3,
“Installing Components Required for Identity Governance, Identity Reporting, and OSP,” on
page 45.
10. Install Identity Reporting. For a guided installation, see Section 7.5, “Installing Identity
Reporting,” on page 165. To install Identity Reporting silently, see Section 7.6, “Silently
Installing Identity Reporting,” on page 166.
11. Complete the installation and configuration for Identity Reporting. For more information,
see Section 8.4, “Configuring Identity Reporting,” on page 178.
igrptuser: Created by Identity Governance and granted access to run and view reports for
Identity Governance.
idm_rpt_cfg: Owns the reporting configuration data and the Identity Manager reporting views.
If you do not want the installer to create the database for you, you must manually create the
database and use the SQL files to populate the databases. For more information, see Chapter 5,
“Creating Databases for Identity Governance and Identity Reporting,” on page 91.
Linux: /opt/netiq/idm/apps/idrpt
Windows: C:\netiq\idm\apps\idrpt
Linux: /opt/netiq/idm/apps/tomcat
Windows: C:\netiq\idm\apps\tomcat
Linux: /opt/netiq/idm/apps/jre
Windows: C:\netiq\idm\apps\jre
OSP > Identity Reporting Protocol: Select whether you want to use http or https for Identity
Reporting. If you select https, you must have configured Apache Tomcat for TLS/SSL
communication on the Identity Reporting server. For more information, see Section 3.8,
“Securing Connections with TLS/SSL,” on page 51.
OSP > Identity Reporting Host: WARNING: Use the fully qualified domain name (FQDN) rather than
localhost or an IP address. In a non-clustered environment, specifies the DNS name of the
Identity Reporting server.
OSP > Identity Reporting Port: Specify the port that you want the Identity Reporting server to
use for communication with client computers. The default is 8080. To use TLS/SSL, the default
is 8443.
OSP > OSP authentication server host: In a non-clustered environment, specifies the DNS name of
the OSP server.
OSP > OSP authentication server port: Specify the port that the clients use to access OSP. For
http, the default port is 8080. For https, the default port is 8443.
Microsoft SQL
Oracle
PostgreSQL
Database details > Configure Select this option to have the installer
database now create and populate the database. You
select this option if you are performing
an upgrade or a new installation. For
more information, see Section 5.4,
“Using the Identity Governance Installer
to Create and Populate the Databases,”
on page 94.
Database details > Generate Select this option to have your database
SQL for later administrator create and populate the
database for Identity Reporting using
the SQL scripts generated and stored by
the installer in the following default
directory for Identity Reporting:
Linux: /opt/netiq/idm/apps/idrpt/sql
Windows: C:\netiq\idm\apps\idrpt\sql
Oracle JDBC JAR Specify the path to the Oracle JDBC JAR
file. For more information, see
Section 5.7, “Adding the JDBC File to the
Application Server,” on page 97
Microsoft SQL
Oracle
PostgreSQL
Oracle JDBC JAR Specify the path to the Oracle JDBC JAR
file. For more information, see
Section 5.7, “Adding the JDBC File to the
Application Server,” on page 97
Default email address Specify the email address that you want
Identity Reporting to use as the origin
for email notifications.
SMTP Server Port Specify the port number for the SMTP
server. The default value is 465.
(Conditional) Use SSL for Select whether you want to use secure
SMTP communications with the SMTP server.
If you select this option, you must
configure your SMTP server for TLS/SSL
communication. For more information,
see Section 3.8, “Securing Connections
with TLS/SSL,” on page 51.
Keep finished reports for Specify the amount of time that Identity
Reporting retains completed reports
before deleting them. For example, to
specify six months, enter 6 and then
select Month.
Linux: /opt/netiq/idm/apps/idrpt
Windows: C:\netiq\idm\apps\idrpt
Linux: /opt/netiq/idm/apps/audit
Windows: C:\netiq\idm\apps\audit
NOTE: Identity Reporting requires you to log in as root on the Linux server, or as an administrator
on the Windows server, to complete the installation successfully.
4 Ensure that you have a copy of the installer on this server. For more information, see
Section 2.2, “Obtaining Identity Governance, Identity Reporting, and OSP,” on page 29.
5 If you are in a clustered environment, proceed to Step 6, otherwise, stop Apache Tomcat. For
more information, see Section 3.4.3, “Starting and Stopping Apache Tomcat,” on page 49.
6 From the directory that contains the installation files, complete one of the following actions:
NOTE: To execute the file, you might need to use the chmod +x or sh command for Linux or
use Run as administrator if you did not log in to your Windows server as an administrator.
NOTE: If you are deploying on Windows, ensure that you escape each backslash (\) in path values as
\\, or the silent properties file does not work.
After performing a guided or silent installation, you must initialize Identity Governance and verify
that you can log in to the product as the bootstrap administrator. In a cluster, ensure that the Apache
Tomcat configuration file on each node specifies a unique runtime identifier.
Section 8.1, “Checklist for Configuring Identity Governance,” on page 167
Section 8.2, “Preparing One SSO Provider for Use,” on page 168
Section 8.3, “Starting and Initializing Identity Governance,” on page 176
Section 8.4, “Configuring Identity Reporting,” on page 178
Section 8.5, “Completing the Cluster Configuration for Identity Governance,” on page 183
Checklist Item
1. To use third-party client connector software for gathering identity and application data,
ensure that you add the appropriate .jar files. For more information, see Section 2.4.1,
“Identity Governance Server System Requirements,” on page 37.
2. Complete the setup for Identity Governance and its database. For more information, see
Section 8, “Completing the Installation Process,” on page 167.
3. (Conditional) For OSP authentications to work you must manually extend the schema in the
identity service if it is not part of Identity Manager. For more information, see Section 8.2.3,
“Extending the Schema for OSP in the Identity Service not Part of Identity Manager,” on
page 172.
4. (Optional) Modify the SSL settings for communication with the identity service. For more
information, see Section 3.8, “Securing Connections with TLS/SSL,” on page 51.
5. (Optional) Modify the configuration settings for Identity Governance. For more information,
see Chapter 10, “Customizing Identity Governance,” on page 205.
6. (Optional) Add users who can log in to Identity Governance and assign them to
authorizations in the application. For more information, see “Adding Identity Governance
Users” in the Identity Governance User and Administration Guide.
7. (Optional) Customize the user interface. For more information, see “Customizing the User
Interface” on page 206.
8. (Optional) Customize the templates for email notifications and collectors. For more
information, see “Customizing Email Notification Templates” and “Customizing the Collector
Templates for Data Sources” in the Identity Governance User and Administration Guide.
9. (Optional) Create a single sign-on experience for users between Identity Governance and
Identity Manager Home and Provisioning Dashboard. For more information, see
Section 9.5.1, “Checklist for Integrating Identity Governance with Identity Manager,” on
page 198.
Property: Condition
use_ssl=true: Set if LDAP is secured. Only the OSP installer sets this option; the Identity
Governance and Identity Reporting installers preserve the existing value.
use_ssl=false: Set if LDAP is not secured. Only the OSP installer sets this option; the Identity
Governance and Identity Reporting installers preserve the existing value.
edition=none: Limits the pages that the Identity Governance Configuration Update utility displays.
The alternative values are standard and advanced.
sso_apps='ig,rpt': Identity Governance and Identity Reporting are on different servers. The tab
title displays as IG SSO Clients.
force_no_osp=true: OSP is not on this server. This property removes the Identity Vault tab from
the Identity Governance Configuration Update utility.
For more information, see “SSO Clients Parameters” in the NetIQ Identity Manager Setup Guide for
Linux.
./configupdate.sh
Windows: Default location in C:\netiq\idm\apps\configupdate
configupdate.bat
3b Select SSO Clients.
3c Under Reporting, specify values for the following parameters:
NOTE: Regardless of whether you use Identity Reporting, the utility requires values in these
fields.
OAuth client ID
For example, rpt
OAuth client secret
URL link to landing page
For example, http://123.456.78.90:8180/#/landing
URL link to Identity Governance
For example, http://123.456.78.90:8080/#/nav
OSP Oauth redirect url
For example, http://123.456.78.90:8180/IDMRPT/oauth.html
3d Under DCS Driver, specify values for the following parameters:
NOTE: Regardless of whether you use Identity Reporting, the utility requires values in these
fields.
OAuth client ID
For example, dcsdriver.
OAuth client secret
3e To save your changes, select OK.
3f Update the settings for Identity Vault and Authentication, as needed.
3g (Conditional) If this is the first time you run the Identity Governance Configuration Update
utility, under Authentication, go to Advanced Settings and enter the bootstrap
administrator password. Doing this prevents the adminusers.txt file from being overwritten
or deleted. If you do not do this, you cannot log in as the bootstrap administrator when you
restart Apache Tomcat.
./configupdate.sh
Windows: Default location in C:\netiq\idm\apps\configupdate
configupdate.bat
4 Select Reporting > Identity Vault Settings > Identity Vault User Identity > Login Attribute.
5 For Login Attribute, specify the attribute in Active Directory that you want to use for logging in
to Identity Governance. For example, sAMAccountName.
WARNING: Work with your directory administrator to properly extend the schema on the server or
data corruption can occur.
The OSP installation places the files required to extend the schema in the following default directory:
Linux
Active Directory: /opt/netiq/idm/apps/osp/osp-extras/schema/ad/
osp_ext.ldif
eDirectory: /opt/netiq/idm/apps/osp/osp-extras/schema/edir/osp.sch
Windows
Active Directory: c:\netiq\idm\apps\osp\osp-
extras\schema\ad\osp_ext.ldif
eDirectory: c:\netiq\idm\apps\osp\osp-extras\schema\edir\osp.sch
To manually extend the schema on the eDirectory server, see “Manually Extending the Schema”. To
manually extend the schema on the Active Directory server, see “How to Extend the Schema”.
https://osp-server:port/osp/a/idm/auth/saml2/spmetadata
3c At the end of the configuration, ensure that you select Configure claims issuance policy for
this application.
3d (Conditional) If the claims issuance policy configuration does not load automatically,
right-click the Relying Party Trust that you created in Step 3a, then select Edit Claim
Issuance Policy.
3e Add two custom rules to have AD FS send the email attribute and a local Active Directory
server information to the OSP server. For more information, see AD FS 2.0 Claim Rule
Language Primer (https://blogs.technet.microsoft.com/askds/2011/10/07/ad-fs-2-0-claims-
rule-language-primer/).
Sending the email attribute
Use the following information to create the first custom rule to send the email
attribute:
Name
Specify a name for the rule.
Provide the Custom Rule
The following is a sample rule that you might need to edit for your environment.
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("mail", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";mail,userPrincipalName;{0}", param = c.Value);
Sending Via SAML
Use the following information to create the second rule to send the attribute to the
OSP server via SAML:
Name
Specify a name for the custom rule.
NOTE: The API key pair includes a site key and a secret key, which are required to perform this
configuration procedure.
1 Launch the Identity Governance Configuration Update utility on the OSP server. For more
information, see Section 14.1.4, “Using the Identity Governance Configuration Update Utility,”
on page 251.
2 Click the Authentication tab.
3 Click Show Advanced Options.
4 In the Authentication Method section, perform the following steps:
4a Select Name and Password from the Method list, if it is not already selected.
4b Select Enable reCAPTCHA, and then enter the appropriate values in the following fields:
Number of attempts before required
Type the number of access attempts required before reCAPTCHA is required for
access. The default value is 0.
Site key
Copy and paste the site key created when you created the API key pair.
Private key
Copy and paste the secret key created when you created the API key pair.
NOTE: In a clustered environment, start Apache Tomcat only on the primary (or master) node.
4 (Conditional) To observe the initialization process in Apache Tomcat, enter the following command:
tail -f path_to_Tomcat_folder/logs/catalina.yyyy-mm-dd.log
When the process completes, the file concludes with the following message:
INFO: Server startup in nnnn ms
5 Open a web browser and navigate to one of the following URLs, depending on how you installed
Identity Governance:
http://hostname_or_IP_address:port/
https://hostname_or_IP_address:port/
For example:
http://texasone:8080/
https://172.16.254.1:8443/
The browser should display the login page for Identity Governance.
Exit code: 0
NOTE
Identity_Governance_InstallLog.log contains the results of all the log files. It
does not have an individual exit code.
The checksums-log.txt file contains multiple commands and multiple iterations of
Exit code: 0 for each command.
If a log file ends with a nonzero exit code, an error occurred in that part of the
installation process.
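The log review described in Step 9 and in the exit-code notes above can be scripted. The following is an added example, not code from the guide or from the product: it walks the installer's log directory, treats Identity_Governance_InstallLog.log as the aggregate log with no exit code of its own, counts every "Exit code:" line in checksums-log.txt, and takes the final "Exit code:" line of each remaining log as that part's verdict. The log file names other than those two, and the sample logs that main() writes, are constructed for this example.

```python
"""Added example, not from the guide or the product: scan the installer log
directory for the "Exit code:" verdicts described above.

Assumptions (mine, not the guide's): every per-component log ends with a
line "Exit code: N"; Identity_Governance_InstallLog.log carries no exit code;
checksums-log.txt carries one "Exit code: N" line per checksum command.
The sample logs written by main() are constructed for this example.
"""
import re
from pathlib import Path

EXIT_RE = re.compile(r"^Exit code:\s*(-?\d+)\s*$")
AGGREGATE_LOG = "Identity_Governance_InstallLog.log"   # no exit code of its own
MULTI_EXIT_LOG = "checksums-log.txt"                   # one exit code per command


def exit_codes(text):
    """Return every exit code found in a log, in order of appearance."""
    codes = []
    for line in text.splitlines():
        m = EXIT_RE.match(line.strip())
        if m:
            codes.append(int(m.group(1)))
    return codes


def check_log(name, text):
    """Classify one log file. Returns (ok, reason)."""
    if name == AGGREGATE_LOG:
        return True, "aggregate log; no exit code expected"
    codes = exit_codes(text)
    if not codes:
        return False, "no 'Exit code:' line; that part of the install did not finish"
    if name == MULTI_EXIT_LOG:
        failed = [c for c in codes if c != 0]
        return not failed, f"{len(codes)} commands, {len(failed)} failed"
    # Every other log: the final exit code is the verdict for that part.
    return codes[-1] == 0, f"final exit code {codes[-1]}"


def check_install_logs(log_dir):
    """Check every .log/.txt file directly under log_dir -> {name: (ok, reason)}."""
    results = {}
    for path in sorted(Path(log_dir).iterdir()):
        if path.is_file() and path.suffix in (".log", ".txt"):
            results[path.name] = check_log(path.name, path.read_text(errors="replace"))
    return results


def install_succeeded(results):
    """True only if no log reported a failure."""
    return all(ok for ok, _ in results.values())


if __name__ == "__main__":
    import sys
    import tempfile
    # Constructed sample logs so the script runs stand-alone; real logs live
    # in the installer's log directory on the server.
    tmp = Path(tempfile.mkdtemp())
    (tmp / AGGREGATE_LOG).write_text("Install started\nInstall finished\n")
    (tmp / MULTI_EXIT_LOG).write_text("sha256sum a\nExit code: 0\nsha256sum b\nExit code: 0\n")
    (tmp / "tomcat-deploy.log").write_text("deploying war\nExit code: 1\n")
    results = check_install_logs(tmp)
    for name, (ok, reason) in results.items():
        print(f"{'OK  ' if ok else 'FAIL'} {name}: {reason}")
    sys.exit(0 if install_succeeded(results) else 1)
```

Point check_install_logs at the real log directory instead of the temporary one; the process exit status is non-zero whenever any log ends with a non-zero exit code or has no exit code at all, which makes the check usable from an unattended deployment pipeline after a silent install.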
You must now add a data source for Identity Reporting to be able to generate reports. For more
information, see Section 8.4.5, “Adding Data Sources to Identity Reporting,” on page 182.
https://myserver.mydomain.com:8443/IDMRPT
1b Select Home in the upper right corner.
https://myserver.mydomain.com:8443
2b Remove the Report Administrator authorization from the account that successfully logged
in to Identity Reporting.
2c Log in to Identity Reporting with that account, which no longer has the authorization, and
log in to Identity Governance and access the reporting features.
Identity Governance: https://myserver.mydomain.com:8443
Identity Reporting: https://myserver.mydomain.com:8443/IDMRPT
2d Verify you cannot access Identity Reporting.
You can also attempt to log in to Identity Reporting by using a Global Administrator or Security
Officer account to verify that accounts with high-level privileges cannot access Identity
Reporting without the Report Administrator authorization.
[Figure: the Identity Governance server and the Identity Reporting server sit on the private network; a proxy server in the DMZ forwards their requests across the Internet to the Micro Focus Reporting Content Delivery Network (CDN).]
You must use the Identity Governance Configuration Update utility to enable the Identity Reporting
server to send the request for the Micro Focus Reporting CDN through the proxy server.
To configure the Identity Reporting server to use a proxy server for the updated reports requests:
1 Log in to the Identity Reporting server as an administrator user on a Windows server or as a
user with root access on a Linux server.
2 From a command prompt, access the Identity Governance Configuration Update utility
directory.
Linux: /opt/netiq/idm/apps/configupdate
Windows: C:\netiq\idm\apps\configupdate
3 Launch the Identity Governance Configuration Update utility.
Linux: ./configupdate.sh
Windows: configupdate.bat
4 Click the Reporting tab.
5 In the lower left corner, click Show Advanced Options.
IMPORTANT: You must add the Identity Governance operations (igops) database as a data source
in Identity Reporting. The igops name is the default name of the operations database.
https://myserver.mydomain.com:8443/IDMRPT
2 Select Data Sources.
3 Select Add.
4 Specify whether you want to select from the list of data sources or provide the details for the
source.
5 (Conditional) If you selected Provide database details, specify the values for the data source. For
example, database platform, the host name or IP address of the database server, and include
the following settings:
Database
Specifies the name of the database. For example, to add the Identity Governance database,
specify igops for PostgreSQL and orcl or whatever name you gave the Oracle database.
Username
Specifies an account that can access the tables and views in the database. For example,
when adding the Identity Governance database, specify igrptuser.
6 (Optional) Test the connection to your data source.
7 Select Save.
8 Clean up the Apache Tomcat folders as described in Step 2 on page 179.
You might need to restart Apache Tomcat.
9 Run a test report to verify functionality in Identity Reporting.
For more information about running reports, see “Using the Reports Page” in the Identity
Reporting Guide.
NOTE: It is possible for two clustered nodes to simultaneously attempt to claim a data processing
task. When this occurs, one of the nodes will report a “stale object” exception, which you can ignore
since the work will still be carried out.
For more information, see Section 2.3.4, “Ensuring High Availability or Load Balancing for Identity
Governance,” on page 33.
1 Stop Apache Tomcat, if the application server is running. For more information, see
Section 3.4.3, “Starting and Stopping Apache Tomcat,” on page 49.
2 To specify a unique runtime identifier, complete the following steps:
2a Log in to primary node in the cluster.
2b In a text editor, open the ism-configuration.properties file.
Linux: Default location in /opt/netiq/idm/apps/tomcat/conf
Windows: Default location in C:\netiq\idm\apps\tomcat\conf
2c Ensure that com.netiq.iac.runtime.id is a unique value that represents the node.
For example, node1 or ProdNode1.
2d Save and close the file.
2e Repeat this procedure for each node in the cluster.
3 To specify a different port for a node than the port exposed by the load balancer, complete the
following steps:
3a Log in to the node where you want to change the port.
3b In a text editor, open the ism-configuration.properties file.
Linux: Default location in /opt/netiq/idm/apps/tomcat/conf
Windows: Default location in C:\netiq\idm\apps\tomcat\conf
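Two of the settings in this chapter are easy to get wrong by copying a file from one server to another: the install_db_configure / install_db_create pairing in the silent properties file (Step 9 of the silent installation above) and the com.netiq.iac.runtime.id value that must differ on every cluster node (Step 2 above). The following is an added example, not code from the guide or the product, that checks both with one small reader for Java .properties files. The node names, ports and id values are constructed; the reader is mine and handles only comments, = or : separators and backslash line continuations.

```python
"""Added example, not from the guide or the product: two checks on the Java
.properties files used in this chapter, sharing one minimal reader.

1. check_silent_db_settings: install_db_configure / install_db_create must
   agree (no -> blank, during -> true or false), as Step 9 above requires.
2. check_cluster_runtime_ids: com.netiq.iac.runtime.id must be present and
   unique across every node's ism-configuration.properties.

All node names and property values below are constructed samples.
"""
import re

PROP_RE = re.compile(r"^([^=:\s]+)\s*[=:]?\s*(.*)$")
VALID_CONFIGURE = {"during", "after", "no"}
RUNTIME_ID_KEY = "com.netiq.iac.runtime.id"


def parse_properties(text):
    """Minimal java.util.Properties reader; escapes in values are left as written."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\") and not line.endswith("\\\\"):
            pending = line[:-1]          # backslash continuation
            continue
        m = PROP_RE.match(line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def check_silent_db_settings(props):
    """Problems with the database settings of a silent properties file."""
    problems = []
    configure = props.get("install_db_configure", "")
    create = props.get("install_db_create", "")
    if configure not in VALID_CONFIGURE:
        problems.append(f"install_db_configure={configure!r}; expected one of {sorted(VALID_CONFIGURE)}")
    if configure == "no" and create != "":
        problems.append("install_db_create must be blank when install_db_configure=no")
    if configure == "during" and create not in ("true", "false"):
        problems.append("install_db_create must be true or false when install_db_configure=during")
    return problems


def check_cluster_runtime_ids(node_files):
    """node_files maps node name -> ism-configuration.properties text."""
    problems, seen = [], {}
    for node, text in node_files.items():
        rid = parse_properties(text).get(RUNTIME_ID_KEY, "")
        if not rid:
            problems.append(f"{node}: {RUNTIME_ID_KEY} is missing or empty")
        elif rid in seen:
            problems.append(f"{node}: runtime id {rid!r} duplicates {seen[rid]}")
        else:
            seen[rid] = node
    return problems


# Constructed samples: a consistent silent file, an inconsistent one, and a
# cluster where node3's file was copied from node1 without editing.
SILENT_OK = "# When to Configure DB?\ninstall_db_configure=no\n# Create DB?\ninstall_db_create=\n"
SILENT_BAD = "install_db_configure=no\ninstall_db_create=true\n"
NODES = {
    "node1": "com.netiq.iac.runtime.id=ProdNode1\ncom.netiq.iac.server.port=8080\n",
    "node2": "com.netiq.iac.runtime.id = ProdNode2\n",
    "node3": "com.netiq.iac.runtime.id=ProdNode1\n",
}

if __name__ == "__main__":
    print("silent ok :", check_silent_db_settings(parse_properties(SILENT_OK)) or "no problems")
    print("silent bad:", check_silent_db_settings(parse_properties(SILENT_BAD)))
    print("cluster   :", check_cluster_runtime_ids(NODES) or "no problems")
```

To use it against a real cluster, read each node's ism-configuration.properties from the Apache Tomcat conf directory listed above into the NODES mapping; a duplicate id is exactly the condition that makes two nodes contend for the same data processing tasks.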
Identity Governance
By default, Identity Governance uses the user name and password as the authentication method for
both OSP and Access Manager. You can use any available authentication method provided by OSP or
Access Manager. You can deploy Identity Governance in many different configurations and you can
use the different authentication methods that work best for your environment.
The following are use cases for a couple of the different authentication methods that you can use
with Identity Governance. We assume that you have an administrative level of understanding of
common authentication methods such as SAML, OAuth2, and so forth. This guide is not a primer for
these authentication methods. You must also have administrative level knowledge of the different
products that you can integrate with Identity Governance to provide the different authentication
methods.
Section 9.1, “Configuring Identity Governance for Two-Factor Authentication,” on page 187
Section 9.2, “Configuring Single Sign-on Access with Access Manager,” on page 191
Section 9.3, “Using SAML Authentications from Access Manager to Provide Single Sign-On to
Identity Governance through the OSP,” on page 192
Section 9.4, “Configuring OSP to Use Kerberos for Single Sign-On,” on page 193
Section 9.5, “Integrating Single Sign-on Access with Identity Manager Using OSP,” on page 198
Section 9.6, “Ensuring Rapid Response to Authentication Requests,” on page 203
NOTE: Email OTP methods do not need enrollment to be available for a user. It is enabled
by default.
5 Click OK to save the configuration, then the Identity Governance Configuration Update utility
automatically closes.
https://osp-server:port/osp/s/idm/encryptionCertificate
5b Add the encryption certificate to the NIDP Trust Store in Access Manager. For more
information, see “Managing Trusted Roots and Trust Stores” in the Access Manager 4.5
Administration Guide.
NOTE: For domain or realm references, use uppercase format. For example @MYCOMPANY.COM.
1 To define your operating system settings for the Kerberos configuration, complete the following
steps:
1a Open the krb5 file in a text editor on the Identity Governance server.
Linux: /etc/krb5.conf
Windows: C:\Windows\krb5.ini
1b Add the following information to the krb5 file:
[libdefaults]
default_realm = WINDOWS-DOMAIN
kdc_timesync = 0
forwardable = true
proxiable = false
[realms]
WINDOWS-DOMAIN = {
kdc = FQDN Active Directory Server
admin_server = FQDN Active Directory Server
}
[domain_realm]
.your.domain = WINDOWS-DOMAIN
your.domain = WINDOWS-DOMAIN
For example:
NOTE: The novlua user needs permissions to create the Kerberos_login.config file.
com.sun.security.jgss.krb5.accept {
com.sun.security.auth.module.Krb5LoginModule required
debug="true"
refreshKrb5Config="true"
useTicketCache="true"
ticketCache="/opt/netiq/idm/apps/tomcat/kerberos/spnegoTicket.cache"
doNotPrompt="true"
principal="HTTP/DNS_Identity_Governance_server@WINDOWS-DOMAIN"
useKeyTab="true"
keyTab="/absolute_path/filename.keytab"
storeKey="true";
};
Set debug to false after you have verified that single sign-on works; with debug="true" the login
module prints the details of every Kerberos login to the Apache Tomcat standard output.
An example on a Windows server is as follows:
keyTab="c:\\NetIQ\\IdentityGovernance\\apps\\tomcat\\kerberos\\rbpm.keytab"
2b In the file, specify values for principal and keyTab. For example:
principal="HTTP/[email protected]"
keyTab="/home/usr/rbpm.keytab"
The value for principal must match the same value that you specified for Kerberos.
For more information, see Step 3 on page 194.
Provide the absolute path of the keytab file on your Identity Governance server. The
file does not have to reside in the default directory for Identity Governance.
2c Reference the Kerberos_login.config file in the JVM java.security file with the
following line:
NOTE: You must perform this procedure for each end-user computer where you want to provide
single sign-on access to Identity Governance and Identity Reporting.
Checklist Items
1. To ensure that you have the correct software versions for integration, review the latest
release notes for Identity Governance and Identity Manager identity applications. For more
information, see the Identity Manager Documentation site (https://www.netiq.com/
documentation/identity-manager/).
2. (Conditional) Create an index in eDirectory for the login attribute if you do not use a
standard login attribute. For more information, see Section 9.6, “Ensuring Rapid Response
to Authentication Requests,” on page 203.
3. Ensure that users can link to Identity Manager Home from Identity Governance. For more
information, see Section 9.5.2.1, “Adding a Link to Identity Manager Home in the Identity
Governance Menu,” on page 200.
4. Ensure that Identity Governance connects to the Identity Vault for Identity Manager. For
more information, see Section 9.5.2.2, “Changing Identity Governance to Use the Identity
Manager Identity Vault as the Identity Service,” on page 200.
5. (Conditional) If your identity service is a separate eDirectory or Active Directory from the
Identity Manager Identity Vault, you must manually extend the schema for the OSP
authentications to work. For more information, see Section 8.2.3, “Extending the Schema
for OSP in the Identity Service not Part of Identity Manager,” on page 172.
6. (Conditional) If you are using the OSP that comes with Identity Manager, ensure that you
are using the LDAP-based instead of the file-based bootstrap administrator account. For
more information, see Section 4.1.1, “Using the Bootstrap Administrator,” on page 58.
7. Update Identity Manager Home to connect to Identity Governance. For more information,
see Section 9.5.3, “Configuring Identity Manager for Integration with Identity Governance,”
on page 201.
8. (Optional) Integrate Identity Governance with the workflows used in Identity Manager. For
more information, see “Using Workflows to Fulfill the Changeset” and “Configuring
Fulfillment” in Identity Governance User and Administration Guide.
For more information about Identity Manager, see the NetIQ Identity Manager Overview and
Planning Guide.
9.5.2.2 Changing Identity Governance to Use the Identity Manager Identity Vault
as the Identity Service
This section describes how to configure Identity Governance to use the Identity Manager Identity
Vault as the Identity Governance identity service for verifying users who log in to Identity
Governance. This section assumes that, when you installed Identity Governance, you did not specify
the Identity Manager Identity Vault but instead specified a different identity service. For example,
you might have installed Identity Governance before adding Identity Manager to your environment.
NOTE: Identity Applications use https communication by default. You create a wildcard certificate
on one of the servers and copy the certificate on all the servers. For example, you create the
wildcard certificate *.example.com on the OSP server.
1. Add this certificate to the keystoreFile on all the servers.
2. Restart Apache Tomcat on all the servers.
3. Ensure that keystoreFile is updated in the server.xml.
<Connector port="8543"
protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150"
SSLEnabled="true" scheme="https" secure="true" clientAuth="false"
sslProtocol="TLSv1.2" keystoreFile="conf/tomcat.ks"
keystorePass="novell" sslEnabledProtocols="TLSv1.2" />
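The Connector above is the setting to verify on every server after the keystore is updated. The following Python script is an added example, not code from the Micro Focus guide: it parses a server.xml, finds each SSLEnabled Connector and reports a missing keystoreFile, a missing scheme="https" and secure="true" pair, or protocol names older than TLSv1.2 in sslEnabledProtocols. The sample server.xml is constructed inline (the first Connector mirrors the one shown here, the second is deliberately weak so there is something to flag), and the set of acceptable protocol names is an assumption of this example.

```python
# Added example (not from the Micro Focus guide): lint the HTTPS Connector
# entries of a Tomcat server.xml before restarting Tomcat on each server.
import xml.etree.ElementTree as ET

# Constructed sample: the first Connector mirrors the one shown in the guide;
# the second is deliberately weak so that the checker has something to flag.
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8543"
      protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150"
      SSLEnabled="true" scheme="https" secure="true" clientAuth="false"
      sslProtocol="TLSv1.2" keystoreFile="conf/tomcat.ks"
      keystorePass="novell" sslEnabledProtocols="TLSv1.2" />
    <Connector port="8443"
      protocol="org.apache.coyote.http11.Http11NioProtocol"
      SSLEnabled="true" scheme="https" secure="true"
      sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" />
    <Connector port="8080" protocol="HTTP/1.1" />
  </Service>
</Server>
"""

# Assumption of this example: only these protocol names are acceptable on an
# SSLEnabled connector.
ACCEPTED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}


def check_tls_connectors(server_xml: str) -> dict:
    """Return {port: [finding, ...]} for every SSLEnabled Connector.

    An empty list means the connector passed every check. Plain HTTP
    connectors are skipped."""
    root = ET.fromstring(server_xml.strip())
    results = {}
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        port = conn.get("port", "?")
        findings = []
        if not conn.get("keystoreFile"):
            findings.append("keystoreFile is not set, so the wildcard certificate "
                            "cannot be served on this connector")
        if conn.get("scheme") != "https" or conn.get("secure", "").lower() != "true":
            findings.append('expected scheme="https" and secure="true"')
        protos = {p.strip() for p in conn.get("sslEnabledProtocols", "").split(",")
                  if p.strip()}
        if not protos:
            findings.append("sslEnabledProtocols is not set; the JVM default list applies")
        legacy = protos - ACCEPTED_PROTOCOLS
        if legacy:
            findings.append("legacy protocols enabled: " + ", ".join(sorted(legacy)))
        results[port] = findings
    return results


def check_server_xml_file(path: str) -> dict:
    """Same check, reading server.xml from disk (conf/server.xml under Tomcat)."""
    with open(path, encoding="utf-8") as fh:
        return check_tls_connectors(fh.read())


if __name__ == "__main__":
    for port, findings in check_tls_connectors(SAMPLE_SERVER_XML).items():
        print(port, "OK" if not findings else "; ".join(findings))
```

Run it against conf/server.xml on each server before restarting Apache Tomcat; an empty finding list for port 8543 means the connector still matches the settings shown above.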
1 Stop Identity Governance and Apache Tomcat. For more information, see Section 3.4.3,
“Starting and Stopping Apache Tomcat,” on page 49.
2 Launch the Identity Governance Configuration utility. For more information, see Section 14.1.3,
“Using the Identity Governance Configuration Utility,” on page 248.
3 Click the Authentication Server Details tab.
4 Deselect Same as IG Server.
6 Click Save.
7 Make a note of the settings for the Identity Vault.
The values for these settings must match the settings that you specify for Identity Governance
in the RBPM Configuration utility. For more information, see Section 9.5.3, “Configuring Identity
Manager for Integration with Identity Governance,” on page 201.
8 Click the Security Settings tab, then make a note of the settings in the General Service section.
The values for these settings must match the settings that you specify for Identity Governance
in the RBPM Configuration utility. For more information, see Section 9.5.3, “Configuring Identity
Manager for Integration with Identity Governance,” on page 201.
9 Close the utility.
10 Start Apache Tomcat to start Identity Governance. For more information, see Section 3.4.3,
“Starting and Stopping Apache Tomcat,” on page 49.
-Dcom.netiq.uaconfig.impl.custom.clients=path_to_conf_dir/uaconfig-ig36-defs.xml
NOTE: Active Directory automatically creates an index for the "mail" attribute.
1 If using with Identity Manager, to specify the login attribute, complete the following steps:
1a Run the RBPM Configuration utility.
For more information, see “Configuring Identity Applications” in the NetIQ Identity
Manager Setup Guide for Linux.
1b Select Authentication > Show Advanced Options.
For more information, see “Authentication Parameters” in the NetIQ Identity Manager
Setup Guide for Linux.
1c For Duplicate resolution naming attribute, specify the attribute that you want to use for
login activities. For example, Internet Email Address.
1d Save your changes.
Identity Governance allows you to customize the Identity Governance web application to provide
the appropriate experience for the authorized users. You can change the preferred language for your
users, customize the web application, and translate content for Identity Governance and OSP.
If you use Access Manager as your authentication service, users access and log in through the
Access Manager login pages, not the Identity Governance application. None of the following
information applies if you use Access Manager as your authentication service. Access Manager
allows you to customize its pages. For more information, see “Identity Server Advanced
Configuration” in the Access Manager 4.5 Administration Guide.
Use the following information to customize Identity Governance for your environment.
Section 10.1, “Customizing the Name in the Identity Governance Application,” on page 205
Section 10.2, “Localizing the Preferred Language of the User,” on page 206
Section 10.3, “Customizing the User Interface,” on page 206
Section 10.4, “Translating Content for Identity Governance and One SSO Provider,” on page 211
Section 10.5, “Customizing the Identity Governance Style Sheet,” on page 215
Identity Governance cannot always reconcile the differences in language that occur when different
users collect data and run reports on that collection. For example, a user in Spain runs a collection
for a set of data. Then a user in Russia runs a report against that collection. The fields in the report
appear in Russian since that is the report user’s default language. However, the reported data is in
Spanish because the collection occurred on a computer with Spanish as the default language.
You can customize the content in the provided languages. Alternatively, you can apply a new
language to Identity Governance and OSP.
For more information about translating the content to a new language instead of customizing it, see
Section 10.4, “Translating Content for Identity Governance and One SSO Provider,” on page 211.
NOTE: If prompted, do not rename the .properties file. Identity Governance cannot upload
a file that does not match the expected name.
4 In a text editor, customize the displayed text for the attributes that you want to change.
For example, you want to change all instances of user ID to account name. When you search for
user ID, you will find the following type of string:
com.netiq.iac.persistence.ops.AttributeDefinition.USER.userID=User ID from source
Change User ID from Source to Account Name from Source.
WARNING: Do not modify any text in the code string before the = sign. For example,
com.netiq.iac.persistence.ops.AttributeDefinition.USER.userID=. Identity
Governance might not function appropriately if you change the code string incorrectly.
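To make the rule in the warning checkable, the following Python is an added example and not part of the Micro Focus guide. rewrite_values changes text only on the value side of the separator, and changed_keys compares the key set of the original file with a hand-edited copy, so a mistyped key is caught before the .properties file is uploaded. The sample file is constructed to resemble the strings above and is not a real Identity Governance resource bundle; the parser handles = and : separators, # and ! comments and backslash continuation lines, but not whitespace separators or Unicode escapes.

```python
# Added example (not from the Micro Focus guide): edit the displayed text in a
# .properties file while leaving every key (the text before '=' or ':') intact,
# then prove that no key changed before the file is uploaded.
import re

# Constructed sample resembling the strings shown in the guide; it is not a real
# Identity Governance resource bundle.
SAMPLE_PROPERTIES = """# constructed sample
com.netiq.iac.persistence.ops.AttributeDefinition.USER.userID=User ID from source
com.netiq.iac.persistence.ops.AttributeDefinition.USER.guid=GUID from source
com.netiq.iac.persistence.ops.AttributeDefinition.USER.name:User ID
! comments may also start with '!'
long.key=first line \\
    continued line
"""

_SEPARATOR = re.compile(r"(?<!\\)[=:]")  # first unescaped '=' or ':' ends the key


def logical_lines(text):
    """Yield logical lines, joining physical lines that end in an odd number of
    backslashes (Java .properties continuation) and dropping the continuation's
    leading whitespace, as java.util.Properties does."""
    buf = None
    for raw in text.splitlines():
        if buf is None and raw.lstrip()[:1] in ("#", "!"):
            yield raw                      # comment lines never continue
            continue
        buf = raw if buf is None else buf + raw.lstrip()
        trailing = len(buf) - len(buf.rstrip("\\"))
        if trailing % 2 == 1:              # odd number of backslashes: continued
            buf = buf[:-1]
            continue
        yield buf
        buf = None
    if buf is not None:
        yield buf


def split_entry(line):
    """Return (key, separator, value), or None for blank and comment lines."""
    stripped = line.strip()
    if not stripped or stripped[0] in "#!":
        return None
    m = _SEPARATOR.search(stripped)
    if m is None:                          # key with no separator and no value
        return stripped, "", ""
    return stripped[:m.start()].strip(), m.group(0), stripped[m.end():].strip()


def parse_properties(text):
    """Minimal key -> value view (no unescaping; whitespace separators unsupported)."""
    props = {}
    for line in logical_lines(text):
        entry = split_entry(line)
        if entry is not None:
            props[entry[0]] = entry[2]
    return props


def rewrite_values(text, old, new):
    """Replace `old` with `new` in values only; keys and comments pass through
    untouched. Continued entries are written back as a single line."""
    out = []
    for line in logical_lines(text):
        entry = split_entry(line)
        if entry is None:
            out.append(line)
            continue
        key, sep, value = entry
        out.append(f"{key}{sep}{value.replace(old, new)}" if sep else key)
    return "\n".join(out) + "\n"


def changed_keys(original, edited):
    """Compare the key sets of the original and an edited file. Returns
    (removed, added); both empty means the text before '=' survived the edit."""
    before, after = set(parse_properties(original)), set(parse_properties(edited))
    return sorted(before - after), sorted(after - before)


if __name__ == "__main__":
    edited = rewrite_values(SAMPLE_PROPERTIES, "User ID", "Account Name")
    print(edited)
    print("changed keys:", changed_keys(SAMPLE_PROPERTIES, edited))
```

changed_keys is the useful part when the edit is made in a text editor as step 4 describes: run it with the downloaded file and the edited copy, and upload only when both lists are empty.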
NOTE: Depending on the browser settings, you might need to sign out of Identity Governance,
clear the cache in the browser, and then log in again.
NOTE: Be sure to set the correct permissions and ownership of the .jar file.
16 Stop Apache Tomcat. For more information, see Section 3.4.3, “Starting and Stopping Apache
Tomcat,” on page 49.
17 Delete all files and folders in the following temporary directories:
/opt/netiq/idm/apps/tomcat/temp
/opt/netiq/idm/apps/tomcat/work/Catalina/localhost
18 Delete all log files from the logs directory for Apache Tomcat.
/opt/netiq/idm/apps/tomcat/logs
19 Start Apache Tomcat. For more information, see Section 3.4.3, “Starting and Stopping Apache
Tomcat,” on page 49.
If you want to verify your changes, clear your browser cache, then log in to Identity Governance and
view the pages that should contain your changes.
For more information about customizing the content for an existing language instead of adding a
language, see Section 10.3, “Customizing the User Interface,” on page 206.
WARNING: Do not change the directory structure of the .jar files or modify any text in the code
strings before the = sign. Identity Governance might not function if you make inappropriate
alterations.
WARNING: Ensure that the translator maintains the file names and directory structure of the
.jar files. Also, do not modify any text in the code string before the = sign. For example,
com.netiq.iac.persistence.ops.AttributeDefinition.USER.guid=. Identity
Governance might not function if you make inappropriate alterations.
NOTE: Depending on the browser settings, you might need to sign out of Identity Governance,
clear the cache in the browser, then log in again.
Ensure that you complete the steps in Section 10.4.2, “Ensuring that Identity Governance
Recognizes the New Language,” on page 213 before starting this procedure.
1 Navigate to the temporary directory where you had copied the original .jar files in Step 2b on
page 212.
2 Add the translated .jar files to the temporary directory.
3 For each translated .jar file, extract the translated .properties file(s).
4 Copy the translated .properties file(s) to their appropriate locations in the original .jar files
in the temporary directory.
Linux: For example, place the iac-ConfigUIstringsRsrc_nb.properties file in the
/com/netiq/iac/config/util directory of the iac-configutil-strings.jar file.
Windows: For example, place the iac-ConfigUIstringsRsrc_nb.properties file in
the c:\netiq\com\iac\config\util directory of the iac-configutil-strings.jar file.
5 Delete the translated .jar file(s) from the temporary directory.
6 Copy the .jar file(s) with the added translations to the lib directory for Apache Tomcat.
Linux: Default directory of /opt/netiq/idm/apps/tomcat/lib
Windows: Default directory of c:\netiq\idm\apps\tomcat\lib
7 Stop Apache Tomcat. For more information, see Section 3.4.3, “Starting and Stopping Apache
Tomcat,” on page 49.
8 Delete all files and folders in the following Apache Tomcat directories:
Linux: Default locations of
/opt/netiq/idm/apps/tomcat/temp
/opt/netiq/idm/apps/tomcat/work/Catalina
NOTE: For Windows environments, you might need to create the directory in a different
location. To determine the correct location, you can use the Process Monitor tool from
Microsoft. For more information, see Process Monitor (https://technet.microsoft.com/en-us/
sysinternals/processmonitor.aspx) in the Windows Sysinternals documentation.
3 (Optional) If you are using Process Monitor, include the following steps:
3a Create a filter including the following:
Process name is java.exe
Operation is CreateFile
There are optional features that you might not have enabled during the installation but now
need. Identity Governance allows you to add these features without reinstalling Identity
Governance or running the installers again.
Section 11.1, “Configuring SSL/TLS Communication after the Installation,” on page 217
Section 11.2, “Manually Generating the Database Schema after the Installation,” on page 218
Section 11.3, “Configuring Auditing after the Installation,” on page 219
Section 11.4, “Enabling Email Notifications after the Installation,” on page 222
You can choose to enable auditing during the installation of these components, or you can enable it
through configuration any time after you have installed the components. To enable auditing events
for Identity Governance or Identity Reporting after installation, you must log into Identity
Governance as a Global Administrator and use the Configuration menu. To do so for OSP, use the
Identity Governance Configuration Update utility, which also allows you to change the server details,
and TLS settings.
Identity Governance also allows you to enable a more granular view of the audit events by enabling
loggers. For more information, see Section 14.6, “Increasing Logging Levels for Identity Governance
and the Identity Governance Clients,” on page 264.
Section 11.3.1, “Enabling Auditing for OSP,” on page 220
Section 11.3.2, “Enabling Auditing for Identity Governance,” on page 221
Section 11.3.3, “Enabling Auditing for Identity Reporting,” on page 221
NOTE: If you are using the Gmail SMTP server, Gmail ignores the SMTP server value and uses
the actual Gmail address as the source of the email notifications.
You can upgrade to Identity Governance 3.6 from Identity Governance 3.0.1 or later. The Identity
Governance components run against Apache Tomcat and Zulu OpenJDK. To ensure that the Identity
Governance components run against the supported versions of Apache Tomcat and Zulu OpenJDK,
you must uninstall the old Identity Governance components, upgrade Apache Tomcat and Zulu
OpenJDK, and then reinstall the current version of the Identity Governance components to complete
the upgrade. As part of the upgrade process, you must also migrate data because some of the
collector templates and database tables and views change between the releases of Identity
Governance.
Upgrading to the latest Identity Governance version is a process of multiple tasks that you must
follow. You must back up your current data, uninstall the version of the Identity Governance
components you currently have installed, upgrade the required hardware and software, and then
reinstall the current version of the Identity Governance components.
If you installed Identity Governance and Identity Reporting on the same server but you need to have
Identity Reporting run on a separate server, an upgrade is the best time to move Identity Reporting
to its own server to increase the performance of Identity Governance.
Use the following information to plan and perform the upgrade of the Identity Governance
components.
Section 12.1, “Planning to Upgrade Identity Governance,” on page 225
Section 12.2, “Securing Passwords for a Silent Install,” on page 227
Section 12.3, “Upgrading Procedure for Identity Governance,” on page 227
Section 12.4, “Changing Host File IP Addresses to DNS Names,” on page 236
Section 12.5, “Applying the Latest Patches,” on page 237
Section 12.6, “Moving Identity Reporting to a Separate Server,” on page 237
IMPORTANT: If you are upgrading and changing database platforms, you cannot
migrate your existing data to the new platform. For example, if you are running
Identity Governance with PostgreSQL as your database and you plan to upgrade and
use Microsoft SQL Server as your database, your existing data cannot move to the new
database.
(Conditional) To upgrade your Identity Governance Oracle database, you must grant
the CREATE PUBLIC SYNONYM and DROP PUBLIC SYNONYM privileges to the igops
schema.
3. Back up your trust store files, and then run the OSP installer.
4. Run the Identity Governance and Identity Reporting installers.
5. Restore trust store files.
6. If you installed the Identity Governance components on the same server and you want to
install the components separately, prepare the proper amount of new servers to run the
components.
NOTE: These scripts help you upgrade only the framework components installed for Identity
Governance. After you upgrade the components, you must then upgrade Identity Governance and
Identity Reporting (if applicable).
NOTE: The upgrade component script for Linux does not upgrade PostgreSQL, so you must do so
manually. For more information, see “Upgrading PostgreSQL for Linux” on page 230.
NOTE: The upgrade component script does not upgrade your database if:
You use Oracle or Microsoft SQL Server as your database
You use PostgreSQL on Linux
The upgrade component script renames the existing component folders to a name that includes a
time stamp matching the time you launched the upgrade component script (all components on
Windows; but only Tomcat, ActiveMQ, and Java on Linux). The script creates a new directory with
the original directory name, and then places the updated components in that directory.
In addition, the script copies specified files from the old setup, and provides you with the option to
see file structure differences. Doing so allows you to manually copy additional files the script did not
copy. In theory, you should be able to swap the new and old component folders again if you change
your mind.
NOTE: For Windows, the prompt to upgrade PostgreSQL defaults to “No.” If you use PostgreSQL
as a database, and want to upgrade it using the script, press “Y” or “y” when prompted to
upgrade PostgreSQL.
NOTE: The Windows script provides the option to terminate services for you, including some
applications if files (such as Tomcat logs) are open and locked.
Deletes certain webapps folders from the unpacked content (Tomcat only).
Copies known files from the old file structure to the new.
NOTE: If the script copies an unpacked file, it backs up the file with *-backup.* in its name.
(Linux only) Applies the ownership retrieved above, and recursively applies it to the new folder.
NOTE: Depending on your setup, you could need to apply a different sub-ownership.
Gives you the option of viewing file differences, with the following caveats:
(Windows only) Tomcat and PostgreSQL can take a significant amount of time generating
these differences.
File and directory comparison for Linux is more efficient than that for Windows.
NOTE: SLES 12 SP3 requires adding the most current libopenssl1_0_0-1.0.2u RPM
before you install postgresql11-server.
NOTE: Use --no-role-passwords only for cloud-based setups where SU (or root) access
is not allowed and, therefore, the passwords cannot be retrieved. Upon restoration,
administrators must restore their passwords manually.
There are times when you are required to uninstall Identity Governance, for example in a lab
environment or during an upgrade procedure. Because the Identity Governance components run
against Apache Tomcat and Zulu OpenJDK, to perform an upgrade you must uninstall the Identity
Governance components, upgrade Zulu OpenJDK and Apache Tomcat, and then reinstall the Identity
Governance components. For more information about upgrading, see Chapter 12, “Upgrading
Identity Governance,” on page 225.
Identity Governance does come with an uninstall utility that you use to uninstall the product. OSP
contains a separate uninstall utility. The uninstall utility for Identity Reporting is the Identity
Governance uninstall utility. If you have installed Identity Reporting and Identity Governance
together on the same server, the uninstall utility uninstalls Identity Governance and Identity
Reporting at the same time. If you have installed Identity Reporting on a separate server without
Identity Governance, the uninstall utility only uninstalls Identity Reporting.
IMPORTANT: You must ensure that all of the files are removed from the server before reinstalling
the same version of Identity Governance or a new version of Identity Governance for the upgrade
procedure.
You can also uninstall the components using the guided method, console method, and silent method
in the same way that you install these components. The silent uninstall method does not require a
silent properties file. It does not require any interaction to complete the uninstallation. For more
information, see Section 1.3, “Understanding the Uninstallation Methods,” on page 21.
Use the following information to uninstall the Identity Governance components.
Section 13.1, “Uninstalling OSP,” on page 239
Section 13.2, “Uninstalling Identity Governance or Uninstalling Identity Governance and
Identity Reporting,” on page 241
Section 13.3, “Uninstalling Identity Reporting,” on page 244
IMPORTANT: You must always use the version of OSP that comes with the version of Identity
Governance that you are using. Trying to use different versions of OSP causes unexpected behavior
and is not supported.
The default mode of the uninstall utility is the mode that you used to install OSP. If you want to
uninstall using a different method you must pass the appropriate parameter to perform that type of
uninstall. For more information, see Section 1.3, “Understanding the Uninstallation Methods,” on
page 21.
To uninstall OSP:
1 Log in to the server running OSP as root on a Linux server or as a user with administrative
privileges on a Windows server.
2 Define the Java path to the jre bin directory as an environment variable in the uninstall script
file that launches the uninstall utility.
IMPORTANT: If you do not define the path to the jre bin directory, the uninstall utility does
not work. The utility does not come with Java. You must point to the Java you use with OSP.
2a Open the uninstall script file in a text editor. The default location of the script is:
Linux: /opt/netiq/idm/apps/osp/Uninstall_osp/LaunchUninstall.sh
Windows:
c:\netiq\idm\apps\idgov\Uninstall_osp\LaunchUninstall.bat
2b Change or ensure that the path listed for the JRE_HOME variable is the path to the jre bin
directory that is installed with the Zulu OpenJDK. The default path is:
Linux: /opt/netiq/idm/apps/jre/bin
Windows: c:\netiq\idm\apps\jre\bin
2c Save and close the file.
3 Stop Apache Tomcat. For more information, see Section 3.4.3, “Starting and Stopping Apache
Tomcat,” on page 49.
4 Uninstall OSP.
4a (Conditional) Uninstall OSP from a Linux server.
4a1 Access the uninstall directory located here: /opt/netiq/idm/apps/osp/
Uninstall_osp
4a2 Execute the script as root. From a command line, enter the following:
./LaunchUninstall.sh
4b (Conditional) Uninstall OSP on a Windows server.
4b1 Access the Control Panel as an administrator.
4b2 Search for and select OSP.
4b3 Select Uninstall and follow the prompts to complete the uninstall.
IMPORTANT: If you do not define the path to the jre bin directory, the uninstall utility does
not work. The utility does not come with Java. You must point to the Java you use with Identity
Governance.
2a Open the uninstall script file in a text editor. The default location of the script is:
Linux: /opt/netiq/idm/apps/idgov/Uninstall_IdentityGovernance/
LaunchUninstall.sh
./LaunchUninstall.sh
4b (Conditional) Uninstall Identity Reporting on a Windows server.
4b1 Access the Control Panel as an administrator.
4b2 Search for Identity Reporting.
4b3 Click Uninstall and follow the prompts to uninstall Identity Reporting.
5 (Conditional) Uninstall Identity Governance or uninstall Identity Governance and Identity
Reporting if your version of Identity Governance is 3.0 or later.
5a (Conditional) Uninstall Identity Governance or Identity Governance and Identity Reporting
from a Linux server.
5a1 Access the uninstall directory located here: /opt/netiq/idm/apps/idgov/
Uninstall_IdentityGovernance
5a2 Execute the script as root. From a command line, enter the following:
./LaunchUninstall.sh
5b (Conditional) Uninstall Identity Governance or uninstall Identity Governance and Identity
Reporting on a Windows server.
5b1 Access the Control Panel as an administrator.
5b2 Search for and select Identity Governance.
5b3 Select Uninstall and follow the prompts to complete the uninstallation.
6 (Conditional) If you installed Identity Governance and Identity Reporting at different times on
the same server, run the uninstall utility a second time to delete the component you installed
first.
To uninstall Identity Reporting when it is installed on a separate server from Identity Governance:
1 Log in to the server running Identity Reporting as root on a Linux server or as a user with
administrative privileges on a Windows server.
2 Define the Java path to the jre bin directory as an environment variable in the uninstall script
file that launches the uninstall utility.
2a Open the uninstall script file in a text editor. The default location is:
Linux: /opt/netiq/idm/apps/idrpt/Uninstall_IdentityGovernance/
LaunchUninstall.sh
Windows:
c:\netiq\idm\apps\idrpt\Uninstall_IdentityGovernance\LaunchUninstall.bat
2b Change or ensure that the path listed for the JRE_HOME variable is the path to the jre bin
directory for the Zulu JRE that is installed with the Zulu OpenJDK. The default path is:
Linux: /opt/netiq/idm/apps/jre/bin
Windows: c:\netiq\idm\apps\jre\bin
2c Save and close the file.
3 Stop Apache Tomcat. For more information, see Section 3.4.3, “Starting and Stopping Apache
Tomcat,” on page 49.
4 (Conditional) If you are running any version of Identity Governance prior to 3.0, you must use a
different uninstall utility for Identity Reporting.
4a (Conditional) Uninstall Identity Reporting on a Linux server.
4a1 Access the uninstall directory. The default location is: /opt/netiq/idm/apps/
idrpt/Uninstall_IdentityGovernance.
4a2 To execute the script, enter:
./LaunchUninstall.sh
4b (Conditional) Uninstall Identity Reporting on a Windows server.
4b1 Access the Control Panel as an administrator.
4b2 Search for Identity Reporting.
4b3 Click Uninstall and follow the prompts to uninstall Identity Reporting.
5 (Conditional) Uninstall Identity Reporting if your version of Identity Governance is 3.0 or later.
5a (Conditional) Uninstall Identity Reporting from a Linux server.
5a1 Access the uninstall directory located here: /opt/netiq/idm/apps/idrpt/
Uninstall_IdentityGovernance
5a2 Execute the script as root. From a command line, enter the following:
./LaunchUninstall.sh
5b (Conditional) Uninstall Identity Reporting on a Windows server.
5b1 Access the Control Panel as an administrator.
5b2 Search for and select Identity Governance.
5b3 Select Uninstall and follow the prompts to complete the uninstallation.
After you have installed and configured Identity Governance, you must perform some configuration
tasks using the administration utilities. There are additional management tasks that you might have
to perform. Use the following information to help perform these tasks.
Section 14.1, “Accessing the Application and Administration Utilities,” on page 247
Section 14.2, “Managing the Bootstrap Administrator,” on page 252
Section 14.3, “Changing the Values for Authentication Matching and Identity Governance
Services,” on page 254
Section 14.4, “Managing Connected Systems Information,” on page 257
Section 14.5, “Changing Network Settings for Identity Governance Components,” on page 258
Section 14.6, “Increasing Logging Levels for Identity Governance and the Identity Governance
Clients,” on page 264
Section 14.7, “Updating the License Key,” on page 266
Section 14.8, “Adjusting Timeout Values to Increase Performance,” on page 266
To run the Identity Governance Configuration utility you must access the utility from a command
prompt as root on a Linux server or a user with administrative privileges on a Windows server. Enter
the following from the Identity Governance Configuration utility installation directory:
Linux: ./configutil.sh -password database_password
Windows: configutil.bat -password database_password
IMPORTANT: The proper format of the commands is to have the commands, parameters, and values
separated by a space. The console mode only recognizes spaces. It does not recognize parentheses
or commas.
Table 14-1 contains the list of commands that are currently used in the documentation.
WARNING: Identity Governance utility console mode enables you to make uncommon, specific, or
extensive changes to the application configuration that can potentially damage the application data.
Run the utility in console mode only under the guidance of Technical Support.
Command          Parameter                       Values          Description
display-configs  ism
add-property     configuration-type (optional)   NODE or GLOBAL  Adds a property with the node or global configuration type and adds the value you specify. For example:
If the path to the Identity Governance Configuration Update utility is unknown to the current
installer, then the installer will prompt you to specify its location during the installation of Identity
Governance. The default location is:
Linux: /opt/netiq/idm/apps/configupdate/configupdate.sh
Windows: C:\netiq\idm\apps\configupdate\configupdate.bat
You can run the Identity Governance Configuration Update utility in console mode or guided mode.
The console mode provides menu-based options to walk through to update the settings. You would
use the Identity Governance Configuration Update utility in console mode if your Linux server did
not have graphical capabilities (X server).
To run the Identity Governance Configuration Update utility access the configupdate directory
from a command prompt.
Linux: Enter the following at the command prompt:
Guided: ./configupdate.sh --use-console false
Console: ./configupdate.sh --use-console true
Windows: Enter the following at the command prompt:
Guided: configupdate.bat --use-console false
The Identity Governance Configuration Update utility console mode is different from the Identity
Governance Configuration utility console mode. The Identity Governance Configuration Update
utility provides menu-based options to update the settings in the three products. The Identity
Governance Configuration Update utility does not have command options like the Identity
Governance Configuration utility does.
You use the bootstrap administrator script with parameters that define an alternate name for the
administrator account, the password for the administrator account, and the location of the
bootstrap administrator file. The following table lists the parameters, the default values, and a
description of the parameter. If you run the script but do not use the parameters, the script uses the
default values.
Parameter  Default Value                                  Description
-p         None                                           You must use this option with a password to set the password for the bootstrap administrator account.
-f         File name with the relative or absolute path   Defines the file location to redirect the bootstrap credentials.
NOTE: The name of this account must be unique. Do not duplicate any accounts in the
adminusers.txt file or in the container source or subtrees that you use for
authentication.
IMPORTANT: Set all matching rule attributes with the following list and search options in
the Identity Governance User (identity) schema:
Display in lists and detail views
Available in catalog searches. Changes take effect after publication.
For more information, see “Extending the Identity Governance Schema” in Identity
Governance User and Administration Guide.
Auth Attribute Map
Specifies the mapping of SUSER attributes to OSP attributes using a comma-separated list
of attribute name pairs. Use the format SUSER attribute:OSP attribute. For
example, dn:name,lastName:last_name,firstName:first_name,emails:email
maps the SUSER attributes of dn, lastName, firstName, and emails to the OSP attributes of
name, last_name, first_name, and email.
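As an added example (not from the Micro Focus guide), the following Python parses an Auth Attribute Map value in the format described above and rejects the mistakes that are easy to make when typing it: a pair without a : separator, an empty name, or the same SUSER or OSP attribute mapped twice. The list of OSP attributes it expects every map to cover is taken from the example above and is an assumption of this code, not a documented product requirement.

```python
# Added example (not from the Micro Focus guide): parse and validate an
# Auth Attribute Map value before entering it in the configuration utility.

# Assumption of this example: the four OSP targets in the guide's example are the
# ones a complete map should cover. This is not a list from product documentation.
EXPECTED_OSP_ATTRIBUTES = ("name", "last_name", "first_name", "email")


def parse_auth_attribute_map(spec: str) -> dict:
    """Turn 'SUSERattr:OSPattr,...' into {suser: osp}.

    Rejects pairs without exactly one ':', empty names, and a SUSER or OSP
    attribute that appears twice (a second mapping would shadow the first)."""
    mapping, targets = {}, set()
    for raw in spec.split(","):
        pair = raw.strip()
        if not pair:                       # tolerate a trailing comma or stray blank
            continue
        if pair.count(":") != 1:
            raise ValueError(f"{pair!r}: expected 'SUSER attribute:OSP attribute'")
        suser, osp = (part.strip() for part in pair.split(":"))
        if not suser or not osp:
            raise ValueError(f"{pair!r}: empty attribute name")
        if suser in mapping:
            raise ValueError(f"SUSER attribute {suser!r} is mapped twice")
        if osp in targets:
            raise ValueError(f"OSP attribute {osp!r} is the target of two mappings")
        mapping[suser] = osp
        targets.add(osp)
    if not mapping:
        raise ValueError("empty attribute map")
    return mapping


def unmapped_osp_attributes(mapping: dict, expected=EXPECTED_OSP_ATTRIBUTES) -> list:
    """OSP attributes from `expected` that no SUSER attribute maps to, in order."""
    return [osp for osp in expected if osp not in mapping.values()]


def format_auth_attribute_map(mapping: dict) -> str:
    """Inverse of parse_auth_attribute_map: the comma-separated form the utility takes."""
    return ",".join(f"{suser}:{osp}" for suser, osp in mapping.items())


def is_valid_auth_attribute_map(spec: str) -> bool:
    """True when the value parses; use this for a quick yes/no check."""
    try:
        parse_auth_attribute_map(spec)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    example = "dn:name,lastName:last_name,firstName:first_name,emails:email"
    parsed = parse_auth_attribute_map(example)
    print(parsed)
    print("unmapped:", unmapped_osp_attributes(parsed))
```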
SSO Client
Defines the values for the Identity Governance SSO client. You must define the values of
the SSO client service for the following items:
IG Client ID
Specifies the name that you want to use to identify the Identity Governance SSO client
ID. The default value is iac.
IG Client Secret
Specifies the password for the Identity Governance SSO client ID.
Response types
Defines what the general service uses for a response. The default response type is
password.
General Service
Defines the values for the Identity Governance general service. You must define the values
of the general service for the following items:
IG Client ID
Specifies the name that you want to use to identify the Identity Governance general
service. The default value is iac-service.
IMPORTANT: Do not restart Apache Tomcat until the networking settings have been changed
for each node in the cluster.
10 Start Apache Tomcat. For more information, see Section 3.4.3, “Starting and Stopping Apache
Tomcat,” on page 49.
11 (Conditional) If you clustered OSP, start Apache Tomcat on each node in the cluster. For more
information, see Section 3.4.3, “Starting and Stopping Apache Tomcat,” on page 49.
IMPORTANT: Do not restart Apache Tomcat until the networking settings have been changed
for each node in the cluster.
7 Start Apache Tomcat. For more information, see Section 3.4.3, “Starting and Stopping Apache
Tomcat,” on page 49.
8 (Conditional) If you clustered Identity Governance, start Apache Tomcat on each node in the
cluster. For more information, see Section 3.4.3, “Starting and Stopping Apache Tomcat,” on
page 49.
IMPORTANT: Do not restart Apache Tomcat until the networking settings have been changed
for each Identity Reporting node in the cluster.
11 Start Apache Tomcat. For more information, see Section 3.4.3, “Starting and Stopping Apache
Tomcat,” on page 49.
12 (Conditional) If you have clustered Identity Reporting, start Apache Tomcat on each node in the
cluster. For more information, see Section 3.4.3, “Starting and Stopping Apache Tomcat,” on
page 49.
You can use the following information to enable or increase the logging levels for Identity
Governance and Identity Governance clients, or you can use the Identity Governance Configuration
menu to set logging levels. For more information, see “Managing Logging Levels” in the Identity
Governance User and Administration Guide.
Section 14.6.1, “Increasing the Logging Levels for Identity Governance,” on page 264
Section 14.6.2, “Increasing the Logging Levels for the Identity Governance Clients,” on page 266
WARNING: Use the Identity Governance Configuration Update utility to change the server details,
TLS settings, and to enable auditing. If you make changes for these options in the
ig-server-logging.xml file, it can cause the Identity Governance Configuration Update utility to
no longer affect the audit settings.
The ig-server-logging.xml file is an XML file. It contains three parts. You must understand
what each part does and which part to edit and not to edit. The parts are listed by XML parent-child
relationships.
audit/syslog: This section contains the global auditing setting.
WARNING: Use the Identity Governance Configuration Update utility to change the settings for
the server details, TLS settings, and to enable auditing. If you make changes for these options in
the ig-server-logging.xml file, it can cause the Identity Governance Configuration Update
utility to no longer affect the audit settings.
There are two application-specific logging configuration files that you can edit and enable the
loggers per the request of technical support. The two files are:
ig-client-logging.xml
cx-client-logging.xml
If in your environment, you use different ports, ensure that you change the ports during the
installation to match your environment.
NetIQ provides sample installation scripts that you can use to install the required components, the
optional components, and Identity Governance. You can download the sample scripts from the
Identity Governance documentation page under the Reference heading. The sample scripts install
some of the components as services. If a product is a service, then starting and stopping the service
is different from starting and stopping the regular product. Use the following information to manage
the components that the sample scripts install as services.
Section B.1, “Stopping, Starting, and Restarting the Apache Tomcat Service,” on page 271
Section B.2, “Stopping, Starting, and Restarting the ActiveMQ Service,” on page 272
NOTE: If the service does not restart from the Services tab of Task Manager, it might be because
Stop has not yet finished. Wait a minute, and then try Start again.