
Novell Identity Vault on SUSE 9: from VMware Project to Full Install

Novell Cool Solutions: AppNote
By Richard Cabana


Posted: 24 May 2006
 

Introduction

The purpose of this AppNote is to get the reader quickly from a blank VM to a running Identity Manager 3 installation, complete with eDirectory 8.8, Designer and the User Application (workflow) components. Some basic troubleshooting steps are included as well.

Credits: I would like to thank Joe Manzali and Paul Caroll of our Consulting Resolution Team for their valuable insight into troubleshooting the IDM workflow. A special thank you to Thomas King of IBM Canada for tips on VMware and for reviewing my alpha draft.

Software Inventory

The following is a list of the software and version numbers that I use in this appnote. They are listed in the order you will require them. If you use different versions, some screens may change slightly:

Many of you are no doubt reading more and more about identity management and provisioning. Identity management and provisioning is the discipline of defining business processes and physically connecting the systems involved, so that a company can create, modify or terminate an individual's accounts across all of its integrated data systems in a matter of moments. At Novell, when an employee is hired they are created in our Human Resources database (PeopleSoft). Depending on their job description, they may then be given access to GroupWise, Siebel databases, Oracle, the Provo PBX, LDAP servers and even Open Enterprise Server, among other systems.

What some of you may not be aware of is that Novell is one of the pioneers in the identity and provisioning space: our first offering, DirXML 1.0, shipped at the end of 1999. Our present-day solution is well ahead of most competitors, with a rich graphical design tool, built-in provisioning and workflow, and a large and still-growing collection of connectors and special-purpose or solution drivers. (See http://www.novell.com/products/identitymanager/ for more information and to download your own trial copy.)

So now your interest is a little piqued, and you want to try Identity Manager 3 in your own lab or in the comfort of your living room. This AppNote takes you through the basic installation procedure for Identity Manager, from the creation of a VMware image to the full installation of the product - without any manuals or sacrificial chickens.

Phase 1: Creating a Suitable SUSE host server

Note: SUSE Linux Enterprise Server (SLES) can be downloaded for your experimentation at http://www.novell.com/products/linuxenterpriseserver/

For this exercise, I am running VMware 5.5.1 build 19175. I have previously created VMware SUSE images on 5.5 and 5.0 as well. My host operating system is SUSE 10.0.

Settings

Figure 1 - SLES Settings

In order to fit my complete IDM 3 system, including Designer, the Metadirectory engine and the User Application/workflow components, I kept the VMware disk at the default 8 GB. For performance I raised the memory to 640 MB (you can get away with 512 MB) and set up a custom bridged network with an address scheme that fits our fellow architects' addressing scheme for demo systems. You can also use NAT if you like.

One anomaly with my installation was that I could not get the graphical environment to work while installing SUSE Linux. I was forced to use VMware's full-screen mode and work on screens such as the one below:

Figure 2 - VmWare full screen mode

To resolve this, when you see the initial boot screen, move your cursor to stop the countdown, then press F2 and select "text mode" as the video choice.

Figure 2a - Text-mode video

Finalizing the Suse Enterprise Setup

Once you have rebooted, you will get a 640 by 480 screen with a message like this:

Figure 3 - Graphics message

Click Yes to start SaX2, which you can use to set up the graphics to your liking. I did so as follows:

1. Click Properties on the VESA monitor shown in the SaX2 menu.

2. Under Expert settings, enter "200" for the X value and "300" for the Y value.

3. Under Monitor model, I chose VESA 1024x768 at 60 Hz.

4. Verify under Color and Resolution that you are using 24-bit color at 1024x768.

Once you log out and log back in (or press Ctrl-Alt-Backspace to restart X) you will have a much better graphical interface. Tune the server at this point to suit your needs.

One of the first packages we will install as part of our Identity Vault is eDirectory 8.8. For its installer to run smoothly you need to go into YaST and install "gettext", so that the installer's NLS (localized message) files can be read. If you did not modify the package selection during the text-based install, open "YaST" under System and run the software installation module.

Figure 4 - Installing "gettext"

Select "gettext" and click Accept; you will be prompted for one additional package and then asked to insert CD 4.

You now have a fully working VM image of SUSE Linux Enterprise Server 9, ready for deployment of Identity Manager 3. At this point it would be a good idea to use the VMware tools and take a snapshot, so you can roll back or reuse the base image for other installations. You can also clone it if you want.

Figure 5 - Taking a snapshot

Phase 2: Setting up your own Identity Vault

This next section will walk you through the installation of eDirectory 8.8, iManager 2.6, Identity Manager 3.0, and Designer. If you follow these instructions you should have a basic installation of Identity Manager 3 ready for your experimentation. (Don't forget to take a snapshot when you're done!).

eDirectory 8.8

The following installation will be using a DVD from our Software Evaluation Library. Some paths may differ slightly from the download ISO you may choose to use, but not significantly enough to cause confusion.

1. Open a terminal as root, change into the Linux installation directory and start the installer:

# cd /media/dvdram/eDirectory_8.8/linux
# ./nds-install

2. Read the license agreement if you wish, or just type "q" to quit the viewer and then "y" to accept the terms.

3. At the prompt, type "1,2" to install both eDirectory and its administration utilities:

Figure 6 - Installing eDirectory and utilities

Upon successful completion, the next step is to configure your first eDirectory instance. (With eDirectory 8.8 you can host multiple trees on one server.) The binaries are installed by default under /opt/novell/eDirectory/bin.

Configuring eDirectory

Once again from the terminal, do the following:

1. Change to the eDirectory bin directory:

# cd /opt/novell/eDirectory/bin

2. Run ndsconfig, supplying the tree name, the context for the server object and the full name of the admin object:

# ./ndsconfig def -t <tree name> -n <server context> -a <admin name.admin context>

Figure 7 - Configuring eDirectory

For example, the parameters I used in this screenshot, which in command form are

# ./ndsconfig def -t Borg_tree -n services.novell -a admin.novell

create a tree named "Borg_tree", a server object under "services.novell" and an admin object under the Organization object "novell". You will be asked to enter a password for the admin object, and afterwards where to place the instance and the database directory. I chose the defaults for both.

Once the installation is complete, there are several methods to verify if your eDirectory is working fine. Here are a few examples:

1) From /opt/novell/eDirectory/bin, run "./ndsstat". This prints basic status information for your eDirectory instance(s).

2) Attempt to log in from the terminal (with the tree and admin from my example):

/opt/novell/eDirectory/bin # ./ndslogin -t Borg_tree admin.novell

If you installed correctly, you should have a successful login message:

Figure 8 - Login message

If you prefer to verify your install graphically, you can run iMonitor (installed as option 2 with eDirectory) by pointing your browser at your local Ethernet address on port 8028, for example http://172.17.2.95:8028

Figure 9 - iMonitor

Login with your admin id and password, and you are ready to go!

Phase 3: Installing iManager 2.6

The next phase of our installation is iManager 2.6, the web-based utility we will use to administer eDirectory and, more importantly, one of the basic tools for managing IDM 3.

As before, the paths below are from the Software Evaluation Library DVD; a downloaded ISO may differ slightly.

1. Change into the iManager installation directory:

# cd /media/dvdram/iMan2.6/linux/installs/linux

2. Start the installer:

# ./iManagerInstallLinux.bin

3. Choose your language.

4. My install warned about a slightly slow CPU; I chose OK to ignore it.

5. Get through the license agreement and type "y" to accept it.

6. I chose option 1, to install Novell iManager 2.6, Tomcat and the JVM.

7. You can choose to download plug-ins if you like (plug-ins are extensions for managing IDM, security and so on). I chose not to, and instead took the next option: installation from a local directory.

Again, my plug-ins are on the same SEL DVD. The path was:
/media/dvdram/iManager2.6_plugins

8. I chose not to use a pre-configured Apache server.

9. Enter your admin context, then your tree information.

10. Review your settings. If they are fine, click OK to proceed.

Once iManager 2.6 is installed, test it by browsing to your server's IP address on port 8080 followed by "/nps/iManager.html", for example http://172.17.2.95:8080/nps/iManager.html

Do you see the login screen below? Congratulations, you're almost there!

Figure 10 - Login screen

Role-Based Services (RBS)

The last step before moving on to IDM 3 is configuring Role-Based Services. The administrator needs to have the right scope defined in order to properly administer the tree.

1. Log in to iManager (e.g. http://172.17.2.95:8080/nps/iManager.html). Over plain HTTP on port 8080 the admin password crosses the network in the clear; that is acceptable in an isolated lab, but anywhere else use the HTTPS port instead.

2. Click the Configure icon (at the top, fifth from the left).

3. Under Configure, select RBS Configuration.

4. Click the Configuration Wizard shortcut in the preamble text.

5. Select the container in which to create the RBS objects (I chose O=novell).

6. Select to import the plug-in modules.

7. Choose the tree root (e.g. Borg_tree) if you wish to administer the entire tree.

You're done with RBS configuration!

Figure 11 - RBS Configuration screen

Phase 4: Setting up Identity Manager

We are now close to finishing our project. Once iManager 2.6 is installed and configured, we can proceed to setting up IDM 3.

As before, the paths below are from the Software Evaluation Library DVD; a downloaded ISO may differ slightly.

1. Change into the IDM setup directory:

# cd /media/dvdram/NIM3/Linux_NW_Win/linux/setup

2. Source the eDirectory environment script, so that the installer can find the eDirectory binaries and libraries (note the leading dot and space):

# . /opt/novell/eDirectory/bin/ndspath

3. Start the installer:

# ./dirxml_linux.bin

4. Agree to the license terms, then select option 1 (Metadirectory server).

5. Enter your admin credentials in LDAP form, e.g. cn=admin,o=novell

You will see a list of the modules that will be installed.

6. Press Enter.

We're almost there!

7. Run the install program again (./dirxml_linux.bin) and this time choose option 3, to install the web administration components. This adds the IDM plug-ins to iManager.

8. Reboot your server.

Congratulations! You have successfully installed Identity Manager 3.

Figure 12 - IDM setup

Phase 5: Creating the User Application Driver

1. In iManager, under the Identity Manager utilities, select "New Driver". Use your existing Identity Vault driver set.

2. Select UserApplication.xml from the list of drivers.

3. Fill in the details of where you plan to install the User Application; it is not installed until the next phase.

Example:

Authentication id: user_admin.novell
Host: 172.17.2.95
Port: 8081
Application context: IDM

Important: Do not start the driver yet; it will fail at this point, because it first needs to talk to the User Application.

If you plan to install the User Application on the same server as iManager, you need to choose a port other than 8080, which the iManager portal is already using.

Also, the user chosen here should be a user in the container that the User Application will manage, in other words where the portal applications will be supported.

Figure 13 - IDM driver sets

Figure 14 - Create Driver Wizard

Phase 6: User Application Modules for IDM 3

Note: For this phase, log in as a non-root user; otherwise the graphical installation will fail. It is also very important that you later start both MySQL and JBoss as the same non-root user you log in as for this step.

To install the User Application modules for IDM:

1. Log in as a local (non-root) user, open a terminal and change into the User Application directory:

$ cd /media/dvdram/linux/user_application

2. Start the installer:

$ ./IdmUserApp.bin

3. Accept the license agreement.

By default it installs MySQL, JBoss and the IDM User Application set. If you have any MySQL instances running, it is best to shut them down before starting the install.

Figure 15 - SLES 9 install screen

4. Accept the default path.

5. Fill in your host address, or leave it as "localhost".

6. For the JBoss port, change it to 8081 (or another free value) if you are installing on the same server as iManager, or you will have a conflict.

7. Set a root password for MySQL (this is MySQL's own root account, not the system root, so choose a different, strong password).

8. If you want auditing, turn it on and enter the audit server's IP address.

9. Fill in the user-app LDAP information:

Figure 16 - Configuration settings

The admin ID you use for the User Application component should sit at the root of the User Application structure you are building. If, for instance, your workflow User Application will be installed at UserApp.novell, create an admin-equivalent user at that level and assign it the rights (security equivalence) for the OU UserApp.novell. If you plan to support self-service creation of users and groups, create two more OUs under UserApp: one for users and one for groups.
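The structure described in the paragraph above, as an added example that is not part of the original AppNote: a small POSIX sh script that generates the LDIF for ou=UserApp (with ou=users and ou=groups beneath it) and the portal admin, and loads it with the OpenLDAP client tools. The names (o=novell, UserApp, user_admin, the 172.17.2.95 address) follow this AppNote and are assumptions for your own tree. The ACL lines use eDirectory's LDAP ACL attribute syntax (privileges#scope#trustee#protected-attribute, with 16 = Supervisor entry rights and 32 = Supervisor attribute rights); check them against the eDirectory documentation for your version. Connecting over ldaps on port 636 is also an assumption; eDirectory by default refuses simple binds with a password over clear-text LDAP.

```shell
#!/bin/sh
# userapp-tree.sh - create the User Application container structure and its
# scoped admin in the Identity Vault.  Added example; names follow the
# AppNote and are assumptions for your own tree.
IDM_HOST="${IDM_HOST:-172.17.2.95}"
BASE="${BASE:-o=novell}"
UA_OU="${UA_OU:-UserApp}"
UA_ADMIN="${UA_ADMIN:-user_admin}"

# userapp_ldif OU ADMIN BASE PASSWORD
# Prints LDIF that creates cn=ADMIN,BASE first (the ACL trustee must exist),
# then ou=OU,BASE with ou=users and ou=groups beneath it.  The ACL values on
# the OU give ADMIN Supervisor entry rights (16) and Supervisor attribute
# rights (32) over that subtree only, which is all the portal needs; the
# tree admin keeps its own rights and the portal admin gets none elsewhere.
userapp_ldif() {
    ou="$1"; admin="$2"; base="$3"; pw="$4"
    ua="ou=$ou,$base"
    adm="cn=$admin,$base"
    cat <<EOF
dn: $adm
changetype: add
objectClass: inetOrgPerson
cn: $admin
sn: $admin
userPassword: $pw

dn: $ua
changetype: add
objectClass: organizationalUnit
ou: $ou
ACL: 16#subtree#$adm#[Entry Rights]
ACL: 32#subtree#$adm#[All Attributes Rights]

dn: ou=users,$ua
changetype: add
objectClass: organizationalUnit
ou: users

dn: ou=groups,$ua
changetype: add
objectClass: organizationalUnit
ou: groups
EOF
}

# load_ldif FILE: bind as the tree admin over LDAPS and apply FILE.
# The tree admin password is prompted for (-W) rather than put on the
# command line, where it would be visible in "ps".
load_ldif() {
    ldapadd -x -H "ldaps://$IDM_HOST:636" -D "cn=admin,$BASE" -W -f "$1"
}

# verify_admin: bind as the new portal admin and read its OU, which proves
# both the password and the ACL before the User Application install asks
# for them.
verify_admin() {
    ldapsearch -x -H "ldaps://$IDM_HOST:636" -D "cn=$UA_ADMIN,$BASE" -W \
        -b "ou=$UA_OU,$BASE" -s base objectClass
}

main() {
    : "${UA_ADMIN_PW:?set UA_ADMIN_PW to the portal admin password}"
    tmp="$(mktemp)" || exit 1
    trap 'rm -f "$tmp"' EXIT
    userapp_ldif "$UA_OU" "$UA_ADMIN" "$BASE" "$UA_ADMIN_PW" > "$tmp"
    load_ldif "$tmp" && verify_admin
}

# Usage: UA_ADMIN_PW='...' sh userapp-tree.sh run
# With no argument the file only defines its functions.
if [ $# -ge 1 ]; then
    main "$@"
fi
```

In a lab the eDirectory LDAP server usually presents a self-signed certificate, so the ldapadd/ldapsearch calls will fail certificate verification until you import the tree CA into the client's trust store; OpenLDAP's LDAPTLS_REQCERT=never environment variable disables that check, but only use it on an isolated lab network, since it also disables the protection against a spoofed server.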

Once the installation is complete, you need to run the shell scripts that start the MySQL server and JBoss. Right after the initial install MySQL will already be running, but JBoss will not. The procedure for both is as follows:

(Remember: do not do this as root!)

1. From /home/username/novell/idm/mysql, run the start-mysql.sh script, passing the MySQL admin name you defined during the User Application setup (the default is "root"):

$ ./start-mysql.sh <admin name>

2. From /home/username/novell/idm, run:

$ ./start-jboss.sh

Testing your Installation

If all went well, you should be able to use your browser to navigate to the IP address, port and userapp context you defined and see a working portal. For example:

http://172.17.2.95:8081/IDM

Figure 17 - IDM welcome screen

If you see this screen, congratulations! You are up and running.

If you do not see this screen, it is time for some basic troubleshooting. To test whether MySQL is running, look for the socket file "mysql-novell.sock" under /home/user_name/novell/idm/mysql. The file only exists while MySQL is running, so if it is present MySQL started successfully.

To verify JBoss, browse to your IP address on port 8081. You should see the JBoss-specific web interface.

Figure 18 - jboss web interface

If you do not see this screen, there are issues that need to be resolved.

1. Verify that something is actually listening on the port by running "netstat -anp | grep 8081" from your terminal.

2. Run "./configupdate.sh" from /home/user_name/novell/idm as the user you installed with (not root!).

Figure 19 - Configuration settings, troubleshooting

If this doesn't help, call technical support at 1-800-858-4000. The music is great!
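A quick health check that covers both the eDirectory verification steps from Phase 2 (LDAP and iMonitor on 8028) and this troubleshooting section (the MySQL socket, a listener on 8081, and the portal URL), as an added example that is not part of the original AppNote. It assumes the host, ports and socket path used in this AppNote, netstat in the path, and curl installed for the portal check; it is written as POSIX sh so it runs on SLES 9 as the non-root User Application owner.

```shell
#!/bin/sh
# idm-healthcheck.sh - sanity checks for the lab stack built in this AppNote.
# Added example; the host, ports and socket path below are the ones used in
# the AppNote and are assumptions for your own lab.
IDM_HOST="${IDM_HOST:-172.17.2.95}"
MYSQL_SOCK="${MYSQL_SOCK:-$HOME/novell/idm/mysql/mysql-novell.sock}"

# port_listening PORT NETSTAT_TEXT
# True if NETSTAT_TEXT (output of "netstat -an" or "netstat -anp") shows a
# TCP socket in LISTEN state whose local address ends in :PORT.  An
# ESTABLISHED connection on the same port, or a port that merely shares a
# prefix (808 vs 8081), does not count, which a bare "grep 8081" misses.
port_listening() {
    printf '%s\n' "$2" | awk -v p=":$1" '
        $1 ~ /^tcp/ && $4 ~ (p "$") && $6 == "LISTEN" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# socket_present PATH: the MySQL Unix socket exists only while mysqld runs.
socket_present() {
    [ -S "$1" ]
}

# http_responds URL: fetch URL with a short timeout and accept any 2xx/3xx
# answer (the portal may redirect to its login page).  Assumes curl.
http_responds() {
    code="$(curl -s -o /dev/null -m 5 -w '%{http_code}' "$1" 2>/dev/null)"
    case "$code" in
        2??|3??) return 0 ;;
        *)       return 1 ;;
    esac
}

# check LABEL COMMAND [ARGS...]: run one check and print a one-line verdict.
check() {
    label="$1"; shift
    if "$@"; then
        echo "ok    $label"
    else
        echo "FAIL  $label"
        failures=$((failures + 1))
    fi
}

main() {
    failures=0
    ns="$(netstat -an 2>/dev/null)"
    # eDirectory: LDAP on 389 and iMonitor on 8028; iManager's Tomcat on
    # 8080; the User Application's JBoss on 8081 (moved off 8080, as above).
    for svc in "eDirectory LDAP:389" "iMonitor:8028" \
               "iManager (Tomcat):8080" "User Application (JBoss):8081"; do
        check "${svc%:*} listening on ${svc##*:}" port_listening "${svc##*:}" "$ns"
    done
    check "MySQL socket $MYSQL_SOCK" socket_present "$MYSQL_SOCK"
    check "portal answers at http://$IDM_HOST:8081/IDM" \
          http_responds "http://$IDM_HOST:8081/IDM"
    [ "$failures" -eq 0 ]
}

# Run the checks only when an argument is given ("sh idm-healthcheck.sh run"),
# so the file can also be sourced for its functions.
if [ $# -ge 1 ]; then
    main "$@"
fi
```

A FAIL on the JBoss line with the socket check passing is the pattern for "MySQL started, JBoss did not", which is exactly the case the page's configupdate.sh step is meant to fix; a FAIL on the socket with 8081 listening usually means JBoss was started as a different user from the one whose home holds the socket.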

Setting up a Provisioning Request

Well, you have set up an identity management VM lab, and now you are itching to try something out with this new set of tools. This next section takes you through setting up a basic provisioning/workflow request that lets users obtain access to a resource. In my example, we use a Windows 2000 server and grant access to users upon approval by their managers. We will perform the following steps:

1) Install and configure a Remote Loader on a Windows 2000 server running Active Directory (a domain controller).

2) Install and configure the Active Directory connector on your Identity Vault, with entitlements.

3) Set up a provisioning request.

4) Test the workflow.

Note: For this exercise I set up a simple authentication scheme between Windows 2000 and the eDirectory tree: a standard domain/user login, for which we also had to create an LDAP proxy user. The exercise works with any security scheme that Active Directory supports.

Part 1: Remote Loader on ADS

1. From your IDM 3 media kit, locate the IDM installation module for Windows (my path is /NIM3/Linux_NW_Win/nt/setup).

Figure 20 - Installing the IDM connected system

2. After you accept the license agreement, choose to install "Novell Identity Manager Connected System".

3. For my system, I cleared all driver choices and selected only the IDM Remote Loader and the Active Directory driver. (The driver includes password synchronization.)

Figure 21 - Installing the IDM Remote Loader and drivers

4. Click OK on the two message screens, then click Finish to start the install.

5. From your desktop, open the Remote Loader program and click Add to create a new Remote Loader configuration for Active Directory. Here is a screenshot of my settings:

Figure 22 - Remote Loader settings

I did not use SSL, as I am setting up simple access to test functionality; until SSL is enabled, everything between the engine and the Remote Loader (synchronized attributes and passwords included) crosses the network in the clear, so keep this configuration in the lab. Once everything works, we can go ahead and set up SSL or Kerberos authentication. I set the trace level to 3 so we can see whether everything is working, or troubleshoot as needed. (Once it is functional, set the trace back to 1: level 3 costs performance and writes the full synchronization documents, directory data included, into the trace file.)

Figure 23 - Settings for Remote Loader configuration

Part 2: ID Vault Driver Setup

This component can be set up either through iManager, using the Identity Manager driver utilities, or through Designer. For this exercise I have chosen Designer, as it lets us explore additional tool kits.

1. Import your existing Identity Vault.

The first time you open Designer after installing it, you will be prompted to create a workspace, and then you get a graphical front page. Highlight Deploy and select create a new project. (If you went past this step, choose Project > New > From Identity Vault from the menus.)

2. Select Import from Identity Vault and add your pertinent information.

Figure 24 - Adding authentication information

3. Scroll down to your Identity Manager driver set and select it.

Figure 25 - Selecting the Identity driver set

4. Click Finish to get an imported view similar to the one below:

Figure 26 - View of import

5. From the Directory section of the palette on the right, choose the Active Directory connector and drag it onto the modeler canvas.

You will get over four pages of parameters to fill in. My values, with notes, are these:

Page 1:
Authentication method: negotiate
Authentication ID: ADSTREE/Administrator (ADSTREE is my domain's pre-Windows 2000, i.e. NetBIOS, name)
Password: As if! Use the password of the Active Directory administrator (or of whatever user with appropriate rights you assign)
Authentication context: win2k.adstree.com
Domain name: dc=adstree,dc=com
Domain DNS name: adstree.com
Remote/local: Driver is remote

Page 2:
Hostname: 172.17.2.95:8090 (the address and port on which the Remote Loader is listening)
(all other values default)

Page 3:
Base eDirectory container: users.novell (I chose a flat container, but it doesn't matter)
Base AD container: cn=users,dc=adstree,dc=com (likewise flat; it doesn't matter)
Synchronization: bi-directional
Configure entitlements: YES (if you miss this, the AD-specific entitlements will not appear)

Page 4:
User accounts: Entitlements
Exchange accounts: none (you can use entitlements here if you installed Exchange)
Groups: Entitlements
Name assignments: Auto (not manual)
Use principal naming: Follow ID vault

All other settings are default.

You're almost there! The last step is to deploy the ADS driver back to your identity vault.

6. Click once on the AD driver icon now showing on your canvas.

7. From the menu, choose Deploy > Object.

8. As prompted, fill in your eDirectory info, and your deployment will proceed.

Figure 27 - Adding eDirectory info

If you are asked to define your administrator include/exclude list, you have successfully deployed a driver from Designer to IDM.

Note: There is a bug in Designer: the port is written twice in the Remote Loader Connection Parameters setting. To work around it,

1. Go into iManager.

2. Click the yin/yang symbol on the AD driver to edit its properties.

3. Scroll down to the "Remote loader connection parameters" box and remove the duplicated ":8090" from the address.

4. Set the trace level to 3 under "Misc" in the top menus.

Your driver will restart, and you should be in business. If not, use the trace files to determine why you are having issues.

Now go ahead and create a user. Observe my trace below: at this point the driver is acting as designed. In other words, the AD driver receives the request to create a new user, starts processing it, and then vetoes the request, as there is no workflow in place yet to grant it:

Figure 28 - ADS veto, in iMonitor

For us older folks:

Figure 29 - ADS veto, line view

The entitlements we put in place when building the connector blocked, or vetoed, the request. Let's now set up the workflow component.

Part 3: Provisioning

1. In iManager, under Identity Manager, select "Provisioning Request Configuration" and then "Provisioning Requests".

2. Select your User Application driver from the search list.

Figure 30 - User application driver

3. Select one of the templates provided and choose "Create From". For this example I chose TemplateSingleApproval_TD, which expires if it is not approved in the allotted time.

4. Fill in a name for the request and a display name that will appear in the workflow, and add a description.

Figure 31 - Selecting request names

5. Choose the resource from the available "provisioned resources"; this opens a sub-menu to be completed.

Figure 32 - Submenu for provisioning

Below is Step 1 of the sub-menu:

Figure 33 - Submenu, Step 1

Here is the view of the Search menu:

Figure 34 - Search menu

6. Steps 2 and 3 of the sub-menu are not necessary for the accounts entitlement; just click Next and then Finish.

7. For Step 3 of the main menu, I chose the default values.

Figure 35 - Step 3 values

8. Choose a trustee for the workflow/provisioning request. I chose the OU containing my users.

Figure 36 - Trustee for the request

9. Set the provisioning request status to "active" and choose to "grant" it.

Figure 37 - Active/grant status

You have now completed all the steps needed for workflow provisioning to Active Directory. This last section tests your workflow/provisioning.

Provisioning Test

1. From iManager, go back to one of your users and modify that user.

2. Under User Profile > Business, add a manager from your user list.

3. Log in to the portal (http://<your IP>:8081/IDM) as the user you just modified.

4. Go to Requests/Approvals and request a resource. You will see your provisioning request in the dropdown box:

Figure 38 - Provisioning request

5. Log out, then log in as the manager user you assigned to your test user.

6. Claim the request and approve it.

Figure 39 - Approving the request

Congratulations! If you get the same type of screen as shown below, then you have successfully completed the following tasks:

  • Set up a VM of SUSE Linux Enterprise Server 9
  • Set up eDirectory 8.8
  • Set up iManager 2.6
  • Set up IDM 3
  • Set up user provisioning and workflow
  • Created a User Application driver
  • Set up Designer
  • Set up an Active Directory driver
  • Created an entitlement
  • Linked it to a workflow

Figure 40 - Success screen



© 2014 Novell