4.2 Configuring the Drivers using iManager

You can manually configure the drivers using iManager. This method of configuring the drivers requires you to complete the following tasks:

4.2.1 Configuring the PIV Life Cycle Driver in iManager

When the PIV Life Cycle driver is installed on the Identity Vault server, it is ready to use. You installed the PIV Life Cycle driver previously. See Section 3.5.1, PIV Life Cycle Driver. No further configuration is required.

4.2.2 Configuring the PIV Workflow Driver in iManager

To import and configure the PIV Workflow Driver, you need to complete the following four tasks in the order listed:

Create a Sponsors group in the Identity Vault and add all users who you want to designate as Sponsors

This is the recommended method for assigning rights. You can also assign trustee rights to individual users. See Assign rights to each of the provisioning requests.

  1. Launch iManager.

  2. From the Roles and Tasks menu, select Directory Administration > Create Object.

  3. Select Group, then click OK.

  4. Specify the group name as Sponsors and specify the context, then click OK > OK.

  5. Select Directory Administration > Modify Object.

  6. Browse for and select the Sponsors group, then click OK.

  7. Click the Members tab, browse and select the users you want in this group, then click OK.

Configure the PIV Workflow driver to point to the Identity Vault server

  1. In iManager, select Identity Manager > New Driver.

  2. Select an existing driver set or select a new driver set.

    [Figure: Selecting the Driver Set]

  3. If you selected an existing driver set, continue with Step 4.

    or

    If you selected to place the driver in a new driver set, skip to Step 6.

  4. If you selected an existing driver set, browse to and select the driver set, then click Next.

  5. Browse to and select the server the driver is associated with, click Next, then skip to Step 8.

  6. If you selected to place the driver in a new driver set, click Next.

  7. Define the properties of the new driver set, then click Next.

    1. Specify the name of the driver set.

    2. Browse to and select the context where the driver set will be created.

    3. Browse to and select the server you want the driver set associated with.

    4. Leave the Create a new partition on this driver set option selected.

    5. Click Next.

      We recommend that you create a partition for the driver object. For Identity Manager to function, the server that is associated with the driver set must hold a real replica of the Identity Manager objects. If the server holds a Master or Read/Write replica of the context where the objects are to be created, then the partition is not required.

  8. Select Import a configuration from the server, browse to and select the IAS_PIVWorkflow_3_0_1-IDM3_0_1-V1.xml driver configuration file, then click Next.

  9. If the driver configuration file is not listed, select Import a configuration from the client, then click Browse.

    1. Browse to and select the driver configuration file IAS_MODULES_3.0:\IDMDriver\configs\IAS_PIVWorkflow_3_0_1-IDM3_0_1-V1.xml on the IAS modules ISO, then click Open.

    2. Click Next.

  10. Configure the driver by filling in the configuration parameters, then click Next.

    1. Specify the name of the driver.

    2. Specify the Sponsors group DN.

      This is the DN of the Sponsors group you created in Create a Sponsors group in the Identity Vault and add all users who you want to designate as Sponsors.

    3. Specify the IP address and port number of the server where you will install the User Application in Install User Application for Provisioning.

    4. Specify the User Application Administrator’s DN.

      This is the DN of a user who exists in the Identity Vault that you will designate as the User Application Administrator.

    5. Specify the User Application Administrator’s password.

  11. Select Define Security Equivalences.

    1. Click Add, then browse to and select a user object that has the rights the driver needs to have on the server.

      Many administrators use the Administrator User object in the Identity Vault for this task. However, you might want to create another object, such as a DriversUser, and assign sufficient rights to that user for the driver to function. Whatever rights the driver needs to have on the server, the DriversUser object must have the same rights.

    2. Click OK twice.

  12. Select Exclude Administrative Roles.

    1. Click Add, then browse to and select all objects that represent administrative roles and exclude them from replication with the driver.

      Exclude the User object in the Identity Vault (for example, DriversUser) that you specified in Step 11. If that User object is deleted, the driver loses its rights and can no longer make changes to Identity Manager.

      If there are objects that are currently excluded, they do not appear in the Excluded users list unless you select Retrieve Current Exclusions.

    2. Click OK twice.

  13. Click Next.

  14. View the summary, then click Finish with Overview.

Install User Application for Provisioning

User Application for Provisioning is included in the Novell Identity Manager 3.0.1 build.

For installation instructions, see Installing User Application section of the Identity Manager 3.0.1 Installation Guide.

HINT: During the User Application configuration, you need to enter the PIV Workflow driver’s distinguished name in the field next to Provisioning Driver DN.

Assign rights to each of the provisioning requests

There is a set of tasks for PIV Sponsors and a single task for PIV Applicants. See Table 4-1. You can create groups for PIV Sponsors and PIV Applicants and assign rights to the groups, or you can assign rights to individual users or containers.

Table 4-1 PIV Roles and Tasks

Role: PIV Sponsors

Tasks:
  • Request Card for an Applicant
  • Approve Issuance Request
  • Suspend Card
  • Resume Card
  • Terminate Card
  • Collect PIV Card
  • Create Default Settings Object
  • Edit Default Settings Object
  • Assign Default Settings Object
  • Enable User for Re-issuance

Role: PIV Applicants

Tasks:
  • Request card for yourself

To assign rights to the workflow tasks:

  1. Launch iManager.

  2. From the Roles and Tasks menu, select Provisioning Request Configuration > Provisioning Requests.

  3. Browse for and select the PIV Workflow driver.

  4. Click OK.

  5. Select a workflow task.

  6. Click Actions > Define Rights with iManager.

  7. Click Add Trustee.

  8. Browse for and select the Sponsors group you created in Create a Sponsors group in the Identity Vault and add all users who you want to designate as Sponsors, then click OK > OK.

  9. Repeat Steps 5 through 8 for all the workflow tasks.

4.2.3 Configuring the Enrollment Driver in iManager

After the driver is installed, it is configured through iManager. (See Section 3.5.3, Enrollment Driver for Honeywell SmartPlus System for instructions on how to install the driver.) The Enrollment driver configuration file creates the policies that govern how the information is synchronized. If you used the IAS Designer project, you do not need to configure the driver.

  1. In iManager, select Identity Manager > New Driver.

  2. Select an existing driver set or select a new driver set.

    [Figure: Selecting the Driver Set]

  3. If you selected an existing driver set, continue with Step 4.

    or

    If you selected to place the driver in a new driver set, skip to Step 6.

  4. If you selected an existing driver set, browse to and select the driver set, then click Next.

  5. Browse to and select the server the driver is associated with, click Next, then skip to Step 8.

  6. If you selected to place the driver in a new driver set, click Next.

  7. Define the properties of the new driver set, then click Next.

    1. Specify the name of the driver set.

    2. Browse to and select the context where the driver set will be created.

    3. Browse to and select the server you want the driver set associated with.

    4. Leave the Create a new partition on this driver set option selected.

    5. Click Next.

      We recommend that you create a partition for the driver object. For Identity Manager to function, the server that is associated with the driver set must hold a real replica of the Identity Manager objects. If the server holds a Master or Read/Write replica of the context where the objects are to be created, then the partition is not required.

  8. Select Import a configuration from the server, browse to and select the IAS_IWBioEnrollment-IDM3_0_1-V1.xml driver configuration file, then click Next.

  9. If the driver configuration file is not listed, select Import a configuration from the client, then click Browse.

    1. Browse to and select the driver configuration file IAS_MODULES_3.0:\IDMDriver\configs\IAS_IWBioEnrollment-IDM3_0_1-V1.xml on the IAS modules ISO, then click Open.

    2. Click Next.

  10. Configure the driver by filling in the configuration parameters, then click Next. See Table 4-2 for a description of each field.

  11. Select Define Security Equivalences.

    1. Click Add, then browse to and select a user object that has the rights the driver needs to have on the server.

      Many administrators use the Administrator User object in the Identity Vault for this task. However, you might want to create another object, such as a DriversUser, and assign sufficient rights to that user for the driver to function. Whatever rights the driver needs to have on the server, the DriversUser object must have the same rights.

    2. Click OK twice.

  12. Select Exclude Administrative Roles.

    1. Click Add, then browse to and select all objects that represent administrative roles and exclude them from replication with the driver.

      Exclude the User object in the Identity Vault (for example, DriversUser) that you specified in Step 11. If that User object is deleted, the driver loses its rights and can no longer make changes to Identity Manager.

      If there are objects that are currently excluded, they do not appear in the Excluded users list unless you select Retrieve Current Exclusions.

    2. Click OK twice.

  13. Click Next.

  14. View the summary, then click Finish with Overview.

Table 4-2 Enrollment Driver Configuration Parameters

Driver name: Specify the name of the driver.

Remote host name and port: Specify the hostname or IP address and port of the Honeywell SmartPlus Enrollment System.

Driver password: Specify the driver object password. It is the same password as specified in Step 8 of Install Identity Manager 3.0.1 for Connected System on the Enrollment Biometric Capture System.

Remote password: Specify the Remote Loader password. It is the same password as specified in Step 7 of Install Identity Manager 3.0.1 for Connected System on the Enrollment Biometric Capture System.

KMO Name: Specify the name of the KMO object. See Providing for Secure Data Transfer for steps on how to create a KMO.

URL of the Biometric Enrollment Server: Specify the URL of the Honeywell SmartPlus Enrollment server.

Listening Hostname and Port: Specify the IP address and port of the server where the Remote Loader is installed. It should be the IP address of the Honeywell SmartPlus Enrollment server. See Install Identity Manager 3.0.1 for Connected System on the Enrollment Biometric Capture System for more information.

4.2.4 Configuring the Honeywell SmartPlus Enrollment System

The Enrollment/Biometric Capture driver runs on the Honeywell SmartPlus Enrollment system. (For installation instructions, see Section 3.1, Installing the User Enrollment Biometric Capture Station.) The iws.cfg file must be modified to communicate with the Identity Manager server.

  1. Locate the Tomcat directory where the Honeywell SmartPlus Enrollment Web service is running.

  2. Open the tomcat_directory/webapps/PIV/WEB-INF/iws.cfg file in a text editor.

  3. Add the following two lines at the bottom of this file:

    • IDMS=NOVELL
    • IDMS_NovellEnrollURL = http://Identity_Manager_server_IP:Publisher_Port_Number

    The Publisher port number is located on the properties of the Enrollment driver. It can be any port that is not in use on the Identity Manager server.

    1. In iManager, click Identity Manager > Identity Manager Overview, then click Search to find the driver set objects in the Identity Vault.

    2. Click the upper right corner of the driver, then select Edit properties.

    3. The Publisher port number is listed under Driver Configuration > Driver Parameters > Publisher Options > Listening IP address and port.

  4. Restart Tomcat.

4.2.5 Configuring the CMS Driver in iManager

After the driver is installed, it is configured through iManager. (See Section 3.5.4, CMS Driver for ActivIdentity ActivID for instructions on how to install the driver.) The CMS driver configuration file creates the policies that govern how the information is synchronized. If you used the IAS Designer project, you do not need to configure the driver.

  1. In iManager, select Identity Manager > New Driver.

  2. Select an existing driver set or select a new driver set.

    [Figure: Selecting the Driver Set]

  3. If you selected an existing driver set, continue with Step 4.

    or

    If you selected to place the driver in a new driver set, skip to Step 6.

  4. If you selected an existing driver set, browse to and select the driver set, then click Next.

  5. Browse to and select the server the driver is associated with, click Next, then skip to Step 8.

  6. If you selected to place the driver in a new driver set, click Next.

  7. Define the properties of the new driver set, then click Next.

    1. Specify the name of the driver set.

    2. Browse to and select the context where the driver set will be created.

    3. Browse to and select the server you want the driver set associated with.

    4. Leave the Create a new partition on this driver set option selected.

    5. Click Next.

      We recommend that you create a partition for the driver object. For Identity Manager to function, the server that is associated with the driver set must hold a real replica of the Identity Manager objects. If the server holds a Master or Read/Write replica of the context where the objects are to be created, then the partition is not required.

  8. Select Import a configuration from the server, browse to and select the IAS_AICMSDriver-IDM3_0_1-V1.xml driver configuration file, then click Next.

  9. If the driver configuration file is not listed, select Import a configuration from the client, then click Browse.

    1. Browse to and select the driver configuration file IAS_MODULES_3.0:\IDMDriver\configs\IAS_AICMSDriver-IDM3_0_1-V1.xml on the IAS modules ISO, then click Open.

    2. Click Next.

  10. Configure the driver by filling in the configuration parameters, then click Next. See Table 4-3 for a description of each field.

  11. Select Define Security Equivalences.

    1. Click Add, then browse to and select a user object that has the rights the driver needs to have on the server.

      Many administrators use the Administrator User object in the Identity Vault for this task. However, you might want to create another object, such as a DriversUser, and assign sufficient rights to that user for the driver to function. Whatever rights the driver needs to have on the server, the DriversUser object must have the same rights.

    2. Click OK twice.

  12. Select Exclude Administrative Roles.

    1. Click Add, then browse to and select all objects that represent administrative roles and exclude them from replication with the driver.

      Exclude the User object in the Identity Vault (for example, DriversUser) that you specified in Step 11. If that User object is deleted, the driver loses its rights and can no longer make changes to Identity Manager.

      If there are objects that are currently excluded, they do not appear in the Excluded users list unless you select Retrieve Current Exclusions.

    2. Click OK twice.

  13. Click Next.

  14. View the summary, then click Finish with Overview.

Table 4-3 CMS Driver Configuration Parameters

Driver name: Specify the name of the driver.

Remote host name and port: Specify the hostname or IP address and port number where the Remote Loader Service has been installed for this driver.

Driver Password: Specify the driver password. It is the same password as specified in Step 8 of the Install Identity Manager 3.0.1 for Connected Systems on the Card Management System.

Remote Password: Specify the remote password. It is the same password as specified in Step 7 of the Install Identity Manager 3.0.1 for Connected Systems on the Card Management System.

KMO name: Specify the KMO name.

Client certificate: Specify the path to a client certificate that can be used to initiate an SSL connection with CMS.

Client certificate password: Specify the password to unwrap the client certificate.

Trusted root certificate: Specify the path to a trusted root certificate.

Card Policy: Specify the name of the CMS policy that will be used to issue PIV cards.

CMS users parent AD context: Specify the name of the container in Active Directory where the driver will create CMS users.

Default email domain for CMS users: Specify the default e-mail domain for CMS users.

4.2.6 Configuring the ActivIdentity Card Management System

For this deployment scenario, ActivIdentity Card Management System is used as the card management system. The CMS driver runs on the ActivIdentity Card Management System. The Card Management System was installed previously. See Section 3.2, Installing the Card Management System.

You must complete the following steps:

  1. Stop IIS.

  2. Locate the /cmsevent directory inside the Remote Loader directory created by the CMS Driver Install.

  3. Copy the following files from the /cmsevent directory to the CMS Directory/cms_portal/WEB-INF/lib directory:

    • novellplugin.jar
    • aims-spi.jar

  4. Copy the following files from the /cmsevent directory to the CMS Directory/cms_portal/WEB-INF/conf directory:

    • novellplugin.properties

    NOTE: This file contains a path to c:\novell\remoteloader\cmsevent\event. This path must match the event files directory that is configured for the CMS driver. If you accepted all of the default settings during the CMS driver installation, the paths match.

  5. Edit the CMS Directory/cms_portal/WEB-INF/conf/eventnotificationplugins.properties file.

    1. Locate the plugins = line near the top of the file. Add ,novell_plugin at the end of this line.

      For example, plugins = piv_notify,novell_plugin

    2. Add the following two lines at the end of the file:

      • # Novell Event Notification Plugin
      • novell_plugin.class=com.novell.nds.dirxml.novellplugin.NovellCMSEventPlugin

  6. Edit the CMS Directory/cms_portal/WEB-INF/conf/log4j.properties file.

    1. Add the following lines at the end of the List categories for logging section of this file:

      • log4j.category.com.novell.nds.dirxml.novellplugin =INFO, novellplugin
      • log4j.additivity.com.novell.nds.dirxml.novellplugin = false

    2. Add the following lines at the end of this file (replace occurrences of CMS Dir below with the directory where CMS is installed):

      • # NOVELL
      • #---------------------------
      • log4j.appender.novellplugin = org.apache.log4j.RollingFileAppender
      • log4j.appender.novellplugin.File = CMS Dir/logs/novell_plugin.log
      • log4j.appender.novellplugin.MaxFileSize = 10MB
      • log4j.appender.novellplugin.MaxBackupIndex = 20
      • log4j.appender.novellplugin.layout = org.apache.log4j.PatternLayout
      • log4j.appender.novellplugin.layout.ConversionPattern = %d{ISO8601} %-5p [%t] %c{1} %M - %m%n
      • log4j.appender.credProviders.File=CMS Dir/logs/credProviders.log
      • log4j.appender.InitializationManager.File=CMS Dir/logs/InitializationManager.log

  7. Start IIS.

HINT: In order for CMS notification events, such as Suspend/Resume, to be properly propagated to the IDM system, the CMS system must have card binding properly configured. For example, where the CMS directory is Microsoft Active Directory, in the CMS Portal the setting for Card Binding under the Configuration/Customization/Directories section should be set to distinguishedName.
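The property-file edits in Steps 5 and 6 above, as an added example that is not part of the original documentation or of the Novell or ActivIdentity software: a Python script that registers novell_plugin in eventnotificationplugins.properties without duplicating entries on a re-run, and checks an edited log4j.properties for missing keys and for a CMS Dir placeholder that was never replaced. The key names and values come from the procedure; the sample file contents are constructed.

```python
# Added example: idempotent helpers for the CMS-side property-file edits in
# Steps 5 and 6. Keys and values are from the procedure; sample data is constructed.
import re

PLUGIN_NAME = "novell_plugin"
PLUGIN_CLASS = "com.novell.nds.dirxml.novellplugin.NovellCMSEventPlugin"
PLUGIN_COMMENT = "# Novell Event Notification Plugin"

# Keys that Step 6 requires to be present in log4j.properties.
REQUIRED_LOG4J_KEYS = (
    "log4j.category.com.novell.nds.dirxml.novellplugin",
    "log4j.additivity.com.novell.nds.dirxml.novellplugin",
    "log4j.appender.novellplugin",
    "log4j.appender.novellplugin.File",
    "log4j.appender.novellplugin.MaxFileSize",
    "log4j.appender.novellplugin.MaxBackupIndex",
    "log4j.appender.novellplugin.layout",
    "log4j.appender.novellplugin.layout.ConversionPattern",
)


def register_novell_plugin(text: str) -> str:
    """Return eventnotificationplugins.properties with novell_plugin registered."""
    # Both edits are skipped when already present, so re-running after a
    # partial manual edit never registers the plugin twice.
    lines = text.splitlines()
    idx = next((i for i, l in enumerate(lines)
                if re.match(r"^\s*plugins\s*=", l)), None)
    if idx is None:
        raise ValueError("no 'plugins =' line found; not guessing the layout")
    key, _, value = lines[idx].partition("=")
    names = [n.strip() for n in value.split(",") if n.strip()]
    if PLUGIN_NAME not in names:
        names.append(PLUGIN_NAME)
    lines[idx] = f"{key.rstrip()} = {','.join(names)}"

    class_key = f"{PLUGIN_NAME}.class"
    if not any(re.match(rf"^\s*{re.escape(class_key)}\s*=", l) for l in lines):
        if lines and lines[-1].strip():
            lines.append("")  # keep the new entries visually separated
        lines.append(PLUGIN_COMMENT)
        lines.append(f"{class_key}={PLUGIN_CLASS}")
    return "\n".join(lines) + "\n"


def check_log4j(text: str) -> list:
    """Return problems found in an edited log4j.properties (empty list = OK)."""
    # Reports required keys that are missing and any .File value in which the
    # 'CMS Dir' placeholder from Step 6.2 was never replaced.
    problems, present = [], set()
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        key, _, value = s.partition("=")
        present.add(key.strip())
        if key.strip().endswith(".File") and "CMS Dir" in value:
            problems.append(f"placeholder not replaced: {s}")
    problems += [f"missing key: {k}" for k in REQUIRED_LOG4J_KEYS if k not in present]
    return problems


# Constructed sample inputs (not real CMS files).
SAMPLE_PLUGINS = "# plugins loaded by the portal\nplugins = piv_notify\n"
SAMPLE_LOG4J = (
    "log4j.category.com.novell.nds.dirxml.novellplugin =INFO, novellplugin\n"
    "log4j.additivity.com.novell.nds.dirxml.novellplugin = false\n"
    "log4j.appender.novellplugin = org.apache.log4j.RollingFileAppender\n"
    "log4j.appender.novellplugin.File = CMS Dir/logs/novell_plugin.log\n"
)

if __name__ == "__main__":
    print(register_novell_plugin(SAMPLE_PLUGINS))
    print("\n".join(check_log4j(SAMPLE_LOG4J)))
```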

4.2.7 Configuring the PACS Integration Driver in iManager

After the driver is installed, it is configured through iManager. (See Section 3.5.5, PACS Integration Driver for Honeywell SmartPlus System for instructions on how to install the driver.) The PACS Integration driver configuration file creates the policies that govern how the information is synchronized. If you used the IAS Designer project, you do not need to configure the driver.

  1. In iManager, select Identity Manager > New Driver.

  2. Select an existing driver set or select a new driver set.

    [Figure: Selecting the Driver Set]

  3. If you selected an existing driver set, continue with Step 4.

    or

    If you selected to place the driver in a new driver set, skip to Step 6.

  4. If you selected an existing driver set, browse to and select the driver set, then click Next.

  5. Browse to and select the server the driver is associated with, click Next, then skip to Step 8.

  6. If you selected to place the driver in a new driver set, click Next.

  7. Define the properties of the new driver set, then click Next.

    1. Specify the name of the driver set.

    2. Browse to and select the context where the driver set will be created.

    3. Browse to and select the server you want the driver set associated with.

    4. Leave the Create a new partition on this driver set option selected.

    5. Click Next.

      We recommend that you create a partition for the driver object. For Identity Manager to function, the server that is associated with the driver set must hold a real replica of the Identity Manager objects. If the server holds a Master or Read/Write replica of the context where the objects are to be created, then the partition is not required.

  8. Select Import a configuration from the server, then browse to and select the IAS_HoneywellPACS-IDM3_0_1-V1.xml driver configuration file, then click Next.

  9. If the driver configuration file is not listed, select Import a configuration from the client, then click Browse.

    1. Browse to and select the driver configuration file IAS_MODULES_3.0:\IDMDriver\configs\IAS_HoneywellPACS-IDM3_0_1-V1.xml on the IAS modules ISO, then click Open.

    2. Click Next.

  10. Configure the driver by filling in the configuration parameters, then click Next. See Table 4-4 for a description of each parameter.

  11. Select Define Security Equivalences.

    1. Click Add, then browse to and select a user object that has the rights the driver needs to have on the server.

      Many administrators use the Administrator User object in the Identity Vault for this task. However, you might want to create another object, such as a DriversUser, and assign sufficient rights to that user for the driver to function. Whatever rights the driver needs to have on the server, the DriversUser object must have the same rights.

    2. Click OK twice.

  12. Select Exclude Administrative Roles.

    1. Click Add, then browse to and select all objects that represent administrative roles and exclude them from replication with the driver.

      Exclude the User object in the Identity Vault (for example, DriversUser) that you specified in Step 11. If that User object is deleted, the driver loses its rights and can no longer make changes to Identity Manager.

      If there are objects that are currently excluded, they do not appear in the Excluded users list unless you select Retrieve Current Exclusions.

    2. Click OK twice.

  13. Click Next.

  14. View the summary, then click Finish with Overview.

Table 4-4 PACS Integration Driver Configuration Parameters

Driver name: Specify the name of the driver.

Remote host name and port: Specify the hostname or IP address and port of the Honeywell SmartPlus PACS Integration system.

Driver password: Specify the driver object password. It is the same password as specified in Step 8 of the Install Identity Manager 3.0.1 for Connected Systems on the Physical Access Control System.

Remote password: Specify the Remote Loader password. It is the same password as specified in Step 7 of the Install Identity Manager 3.0.1 for Connected Systems on the Physical Access Control System.

KMO Name: Specify the name of the KMO object. See Providing for Secure Data Transfer for steps on how to create a KMO.

URL of the Honeywell SmartPlus PAC Server: Specify the URL of the Honeywell SmartPlus PACS Integration server.

Listening Hostname and Port: Specify the IP address and port of the server where the Remote Loader is installed. It should be the IP address of the Honeywell SmartPlus Enrollment server. See Install Identity Manager 3.0.1 for Connected Systems on the Physical Access Control System for more information.