Common Installation Scenarios
The following scenarios are examples of the environment in which Identity Manager might be used. For each scenario, some guidelines are provided to help you with your implementation.
- New Installation of Identity Manager
- Using Identity Manager and DirXML 1.1a in the Same Environment
- Upgrading from the Starter Pack to Identity Manager
- Upgrading from Password Synchronization 1.0 to Identity Manager Password Synchronization
New Installation of Identity Manager
NsureTM Identity Manager is a data-sharing solution that leverages your identity vault to automatically synchronize, transform, and distribute information across applications, databases, and directories.
Your Identity Manager solution includes the following components:
Identity Vault Tree with Identity Manager
The identity vault tree contains the user or object data you want to share or synchronize with other connected systems. We recommend that you install Identity Manager in its own tree and use it as your identity vault.
iManager Server with Identity Manager plug-ins
You use Novell® iManager and the Identity Manager plug-ins to administer your Identity Manager solution.
Connected Systems
Connected systems might include other applications, directories, and databases that you want to share or synchronize data with the identity vault. To establish a connection from your identity vault to the connected system, install the appropriate driver for that connected system. Refer to the driver implementation guides for specific instructions.
Common Identity Manager Tasks
Install System Components: Because your Identity Manager solution might be distributed across several computers, servers, or platforms, you should run the installation program and install the appropriate components per system. Refer to Identity Manager Components and System Requirements for more information.
Set Up Connected Systems: Refer to Identity Manager Components and System Requirements and the driver implementation guides for specific instructions.
Activate Your Solution: Identity Manager products (professional or server editions and driver groups) require activation within 90 days of installation. See Activating Novell Identity Manager Products.
Define Business Policies: Business policies enable you to customize the flow of information into and out of Novell eDirectoryTM for a particular environment. Policies also create new objects, update attribute values, make schema transformations, define matching criteria, maintain Identity Manager associations, and many other things. A detailed guide to Policies is contained in the Policy Builder and Driver Customization Guide.
Configure Password Management: Using Password policies, you can increase security by setting rules for how users create their passwords. You can also decrease help desk costs by providing users with self-service options for forgotten passwords and for resetting passwords. For in-depth information on Password Management, refer to Managing Passwords by Using Password Policies.
Configure Role-Based Entitlements: Role-based entitlements let you grant entitlements on connected systems to a group of Novell eDirectory users. Using Entitlement policies, you can streamline management of business policies and reduce the need to configure your DirXML drivers. See Using Role-Based Entitlements for more information.
Logging Events with Nsure Audit: Nsure Identity Manager is instrumented to use Novell Nsure Audit for auditing and reporting. Nsure Audit is a collection of technologies providing monitoring, logging, reporting and notification capabilities. Through integration with Nsure Audit, Identity Manager provides detailed information about the current and historical status of driver and engine activity. This information is provided by a set of preconfigured reports, standard notification services, and user-defined logging. Refer to Logging and Reporting Using Nsure Audit.
Using Identity Manager and DirXML 1.1a in the Same Environment
If you are running both Identity Manager and DirXML® 1.1a in the same environment, keep in mind the following considerations.
Creating an Identity Vault
- We recommend that you install Identity Manager in a separate tree and use it as your identity vault.
Management Tools
- ConsoleOne® is supported for DirXML 1.1a, but not for Identity Manager.
- Two iManager servers are necessary, one for DirXML 1.1a plug-ins and one for Identity Manager plug-ins. This is because the plug-ins have been enhanced and because Identity Manager drivers use DirXML Script.
- iManager plug-ins for DirXML 1.1a can't read DirXML Script, which is used in the sample driver configurations for most Identity Manager drivers.
Backward Compatibility
- You can run DirXML 1.1a driver shims and configurations on an Identity Manager server, and you can view the drivers in iManager in the DirXML Overview for the driver set. But the Identity Manager plug-ins do not let you view or edit the driver configurations until you convert them to Identity Manager format.
In the Identity Manager plug-ins, if you click a driver that is in 1.1a format you are prompted to complete the conversion. This is a simple process done with a wizard, and it does not change the functionality of the driver configuration. As part of the process, a backup copy of the DirXML 1.1a version is saved.
- Activation for DirXML 1.x drivers is still valid when running them with the Identity Manager engine. However, if you upgrade the driver shim to an Identity Manager version, you need new activation.
- In most cases, an Identity Manager driver shim can run with a DirXML 1.1a configuration. See the individual driver implementation guides for upgrade information.
A notable exception is that Password Synchronization 1.0 won't run correctly for AD and NT after you upgrade the driver shim unless you add some additional driver policies. For instructions, see the sections about Password Synchronization in the driver implementation guides for the DirXML Drivers for Active Directory and NT Domain.
- Running Identity Manager driver shims and driver configurations with the DirXML 1.1a engine is not supported.
- Running Identity Manager driver configurations with DirXML 1.1a driver shims is not supported.
- If you run the same DirXML driver configuration on more than one server, make sure the servers are running the same version of DirXML or Identity Manager, and the same version of eDirectory.
Password Management
- You can create Password policies that provide features such as Advanced Password Rules to require stronger passwords, and Forgotten Password Self-Service and Reset Password Self-Service for users. See Managing Passwords by Using Password Policies and Password Self-Service.
- If you began using Universal Password with the initial release of NetWare 6.5, some upgrade steps are necessary before you can use the new Password Policy features. See (NetWare 6.5 only) Re-Creating Universal Password Assignments. The procedure is not necessary if you began using Universal Password with NetWare 6.5 SP2.
- Identity Manager Password Synchronization provides bidirectional password synchronization and supports more platforms than Password Synchronization 1.0.
- If you have been using Password Synchronization 1.0 with AD or NT, make sure you review the upgrade instructions before you install the new driver shims. See Upgrading from Password Synchronization 1.0 to Identity Manager Password Synchronization.
- Driver policy "overlays" are provided to help you add bidirectional Password Synchronization functionality to existing drivers. See Upgrading Existing Driver Configurations to Support Identity Manager Password Synchronization.
Upgrading from the Starter Pack to Identity Manager
The DirXML Starter Pack solutions included with other Novell products provide licensed synchronization of information held in NT Domains, Active Directory, and eDirectory. Additionally, evaluation drivers for several other systems including PeopleSoft*, GroupWise®, and Lotus Notes*, are included to allow you to explore data synchronization for your other systems.
This solution also offers you the ability to synchronize user passwords. With PasswordSync, a user is required to remember only a single password to log in to any of these systems. Administrators can manage passwords in the system of their choice. Any time a password is changed in one of these environments, it will be updated in all of them.
DirXML Starter Packs that shipped with NetWare 6.5 and Nterprise Linux Services 1.0 were based on DirXML 1.1a technology. When upgrading from a Starter Pack to the latest version of Identity Manager, keep in mind the following considerations:
Management Tools
- ConsoleOne is supported for DirXML 1.1a, but not for Identity Manager.
Backward Compatibility
- You can run DirXML 1.1a driver shims and configurations on an Identity Manager server, and you can view the drivers in iManager in the DirXML Overview for the driver set. But the Identity Manager plug-ins do not let you view or edit the driver configurations until you convert them to Identity Manager format.
In the Identity Manager plug-ins, if you click a driver that is in 1.1a format you are prompted to complete the conversion. This is a simple process done with a wizard, and it does not change the functionality of the driver configuration. As part of the process, a backup copy of the DirXML 1.1a version is saved.
- Activation for DirXML 1.x drivers is still valid when running them with the Identity Manager engine. However, if you upgrade the driver shim to an Identity Manager version, you need new activation.
- In most cases, an Identity Manager driver shim can run with a DirXML 1.1a configuration. See the individual driver implementation guides for upgrade information.
A notable exception is that Password Synchronization 1.0 won't run correctly for AD and NT after you upgrade the driver shim unless you add some additional driver policies. For instructions, see the sections about Password Synchronization in the driver implementation guides for the DirXML Drivers for Active Directory and NT Domain.
- Running Identity Manager driver shims and driver configurations with the DirXML 1.1a engine is not supported.
- Running Identity Manager driver configurations with DirXML 1.1a driver shims is not supported.
- If you run the same DirXML driver configuration on more than one server, make sure the servers are running the same version of DirXML or Identity Manager, and the same version of eDirectory.
Password Management
- Password Synchronization 1.0, which shipped with Starter Packs (DirXML 1.1a), won't work correctly for AD and NT after you upgrade the driver shim unless you add some additional driver policies. For instructions, see the sections about Password Synchronization in the driver implementation guides for the DirXML Drivers for Active Directory and NT Domain.
- Refer to Upgrading from Password Synchronization 1.0 to Identity Manager Password Synchronization for specific instructions surrounding this upgrade process.
Activation
- All Identity Manager and DirXML products must be activated within 90 days. When you purchased other Novell software, the DirXML Starter Pack included activations for the DirXML 1.1a engine and the NT, AD, and eDirectory drivers. When upgrading from the DirXML Starter Pack, you might need to re-apply your activation credentials for those drivers.
For more information on activation, refer to Activating Novell Identity Manager Products.
Upgrading from Password Synchronization 1.0 to Identity Manager Password Synchronization
Identity Manager Password Synchronization offers many new features, including bidirectional password synchronization, additional platforms, and e-mail notification when password synchronization fails.
If you are using Password Synchronization 1.0 with Active Directory or NT Domain, it's very important that you review the instructions for upgrading before you install the new driver shims.
For information about Identity Manager Password Synchronization in general, see Password Synchronization across Connected Systems. That section contains conceptual information including a comparison of old and new features, prerequisites, a list of features supported for each connected system, instructions on adding support to existing drivers, and several scenarios showing how you could use the new features.
In this section:
- Upgrading Password Synchronization for AD or NT
- Upgrading Password Synchronization for eDirectory
- Upgrading Other Connected System Drivers
- Handling Sensitive Information
Upgrading Password Synchronization for AD or NT
The new Password Synchronization functionality is done by driver policies, not by a separate agent. This means that if you install the new driver shim without upgrading the driver configuration at the same time, Password Synchronization 1.0 continues to work only for existing users. New, moved, or renamed users do not participate in Password Synchronization until you complete the upgrade of the driver configuration.
Use the following general steps to upgrade:
- Upgrade your environment so that it supports Universal Password, including upgrading the Novell Client if you are using it.
- Install the Identity Manager driver shim to replace the DirXML 1.x driver shim for AD or NT.
- Immediately create backward compatibility with Password Synchronization 1.0, by adding a new policy to the driver configuration.
This step allows Password Synchronization 1.0 to continue to function correctly until you make the switch to Identity Manager Password Synchronization.
- Add support for the new Identity Manager Password Synchronization, using driver policies.
- Install and configure new Password Synchronization filters.
- Set up SSL, if necessary.
- Turn on Universal Password using Password Policies, if necessary.
- Set up the Identity Manager Password Synchronization scenario that you want to use.
See "Implementing Password Synchronization" in the Novell Nsure Identity Manager 2.0.1 Administration Guide.
- Remove Password Synchronization 1.0.
For detailed instructions, see the driver implementation guides for the DirXML Drivers for Active Directory and NT Domain.
Upgrading Password Synchronization for eDirectory
Upgrading for eDirectory is fairly simple, and the new driver shim is intended to work with your existing driver configuration with no changes, assuming that your driver shim and configuration have the latest patches. For instructions, see the DirXML Driver for eDirectory Implementation Guide.
Upgrading Other Connected System Drivers
Identity Manager Password Synchronization supports more connected systems than Password Synchronization 1.0.
For a list of the features that are supported for other systems, see Connected System Support for Password Synchronization.
Driver policy "overlays" are provided to help you add bidirectional Password Synchronization functionality to existing drivers for connected systems that were not previously supported. See Upgrading Existing Driver Configurations to Support Identity Manager Password Synchronization.
Handling Sensitive Information
Universal Password is protected by four layers of encryption inside eDirectory, so it is very secure in that environment. If you choose to use bidirectional password synchronization, and you synchronize Universal Password with the Distribution Password, keep in mind that you are extracting the eDirectory password and sending it to other connected systems. You need to secure the transport of the password, as well as the connected systems it is synchronized to. See Handling Sensitive Information.