2.1 Common Installation Scenarios

The following scenarios are examples of the environment in which Identity Manager might be used. For each scenario, some guidelines are provided to help you with your implementation.

2.1.1 New Installation of Identity Manager

Figure 2-1 New Installation

Identity Manager is a data-sharing solution that leverages your Identity Vault to automatically synchronize, transform, and distribute information across applications, databases, and directories.

Your Identity Manager solution includes the following components:

Identity Vault with Identity Manager

The Identity Vault contains the user or object data you want to share or synchronize with other connected systems. We recommend that you install Identity Manager in its own eDirectory™ instance and use it as your Identity Vault.

iManager Server with Identity Manager plug-ins

You use Novell® iManager and the Identity Manager plug-ins to administer your Identity Manager solution.

Connected Systems

Connected systems might include other applications, directories, and databases with which you want to share or synchronize Identity Vault data. To establish a connection from your Identity Vault to a connected system, install the appropriate driver for that system. Refer to the driver implementation guides for specific instructions.

Common Identity Manager Tasks

  • Install System Components: Because your Identity Manager solution might be distributed across several computers, servers, or platforms, you should run the installation program and install the appropriate components per system. Refer to Section 4.2, Identity Manager Components and System Requirements for more information.

  • Set Up Connected Systems: Refer to Section 4.2, Identity Manager Components and System Requirements and the driver implementation guides for specific instructions.

  • Activate Your Solution: Identity Manager products (professional, server editions, Integration Modules, and User Applications) require activation within 90 days of installation. See Section 6.0, Activating Novell Identity Manager Products.

  • Define Business Policies: Business policies enable you to customize the flow of information into and out of the Identity Vault for a particular environment. Policies also create new objects, update attribute values, make schema transformations, define matching criteria, maintain Identity Manager associations, and many other things. A detailed guide to policies is contained in the Policy Builder and Driver Customization Guide.

  • Configure Password Management: Using Password policies, you can increase security by setting rules for how users create their passwords. You can also decrease help desk costs by providing users with self-service options for forgotten passwords and for resetting passwords. For in-depth information on Password Management, refer to “Managing Passwords by Using Password Policies” in the Managing Passwords guide.

  • Configure Entitlements: Entitlement definitions let you grant entitlements on connected systems to a defined group of users within the Identity Vault. Using Entitlement policies, you can streamline management of business policies and reduce the need to configure your Identity Manager drivers. For more information, see Creating and Using Entitlements in the Novell Identity Manager 3.0.1 Administration Guide.

  • Logging Events with Novell Audit: Identity Manager is instrumented to use Novell Audit for auditing and reporting. Novell Audit is a collection of technologies providing monitoring, logging, reporting and notification capabilities. Through integration with Novell Audit, Identity Manager provides detailed information about the current and historical status of driver and engine activity. This information is provided by a set of preconfigured reports, standard notification services, and user-defined logging. Refer to Logging and Reporting Using Novell Audit in the Novell Identity Manager 3.0.1 Administration Guide.

  • Workflow Approval and User Application: The Novell Identity Manager User Application is a powerful web application (and supporting tools) designed to provide a rich, intuitive, highly configurable, highly administrable web-UI experience atop a sophisticated identity-services framework. When used in conjunction with the Provisioning Module for Identity Manager and Novell Audit, the Identity Manager User Application provides a complete, end-to-end provisioning solution that’s secure, scalable, and easy to manage. Refer to the User Application Documentation.

2.1.2 Using Identity Manager and DirXML 1.1a in the Same Environment

Figure 2-2 Installing Identity Manager in the Same Tree as DirXML 1.1a

If you are running both Identity Manager and DirXML® 1.1a in the same environment, keep in mind the following considerations.

Creating an Identity Vault

  • We recommend that you install Identity Manager in a separate eDirectory instance and use it as your Identity Vault.

Management Tools

  • ConsoleOne® is supported for DirXML 1.1a, but not for Identity Manager.

  • Two iManager servers are necessary, one for DirXML 1.1a plug-ins and one for Identity Manager plug-ins. This is because the plug-ins have been enhanced and because Identity Manager uses DirXML Script.

  • iManager plug-ins for DirXML 1.1a can’t read DirXML Script, which is used in the defined driver configurations for most Identity Manager drivers.

Backward Compatibility

  • You can run DirXML 1.1a driver shims and configurations on an Identity Manager server, and you can view the drivers in iManager in the Identity Manager Overview for the driver set. But the Identity Manager plug-ins do not let you view or edit the driver configurations until you convert them to Identity Manager format.

    In the Identity Manager plug-ins, if you click a driver that is in 1.1a format you are prompted to complete the conversion. This is a simple process done with a wizard, and it does not change the functionality of the driver configuration. As part of the process, a backup copy of the DirXML 1.1a version is saved.

  • Activation for DirXML 1.1a drivers is still valid when running them with the Identity Manager engine. However, if you upgrade the driver shim to an Identity Manager version, you need to obtain a new activation credential. See Section 6.0, Activating Novell Identity Manager Products for more detailed information.

  • In most cases, an Identity Manager driver shim can run with a DirXML 1.1a configuration. See the individual driver implementation guides for upgrade information.

    A notable exception is Password Synchronization 1.0, which does not run correctly for AD and NT after you upgrade the driver shim unless you add some additional driver policies. For instructions, see the sections about Password Synchronization in the driver implementation guides for the Identity Manager Drivers for Active Directory and NT Domain.

  • Running Identity Manager driver shims and driver configurations with the DirXML 1.1a engine is not supported.

  • Running Identity Manager driver configurations with DirXML 1.1a driver shims is not supported.

  • If you run the same Identity Manager driver configuration on more than one server, make sure the servers are running the same version of Identity Manager, and the same version of eDirectory.

Password Management

  • You can create Password policies that provide features such as Advanced Password Rules to require stronger passwords, and Forgotten Password Self-Service and Reset Password Self-Service for users. See the following section in the Password Management guide:

  • If you began using Universal Password with the initial release of NetWare® 6.5, some upgrade steps are necessary before you can use the new password policy features. See “(NetWare 6.5 only) Re-Creating Universal Password Assignments” in the Password Management guide. The procedure is not necessary if you began using Universal Password with NetWare 6.5 SP2.

  • Identity Manager Password Synchronization provides bidirectional password synchronization and supports more platforms than Password Synchronization 1.0.

  • If you have been using Password Synchronization 1.0 with AD or NT, make sure you review the upgrade instructions before you install the new driver shims. See Section 2.1.4, Upgrading from Password Synchronization 1.0 to Identity Manager Password Synchronization.

  • Driver policy “overlays” are provided to help you add bidirectional Password Synchronization functionality to existing drivers. See Upgrading Existing Driver Configurations to Support Password Synchronization in the Novell Identity Manager 3.0.1 Administration Guide.

2.1.3 Upgrading from the Starter Pack to Identity Manager

Figure 2-3 Upgrading from Starter Pack to Identity Manager

The Identity Manager Starter Pack solutions included with other Novell products provide licensed synchronization of information held in NT Domains, Active Directory, and eDirectory. Additionally, evaluation drivers for several other systems including PeopleSoft*, GroupWise®, and Lotus Notes*, are included to allow you to explore data synchronization for your other systems.

This solution also offers you the ability to synchronize user passwords. With PasswordSync, a user is required to remember only a single password to log in to any of these systems. Administrators can manage passwords in the system of their choice. Any time a password is changed in one of these environments, it will be updated in all of them.

Identity Manager Starter Packs that shipped with NetWare 6.5 and Nterprise™ Linux Services 1.0 were based on DirXML 1.1a technology. When upgrading from a Starter Pack to the latest version of Identity Manager, keep in mind the following considerations:

Management Tools

  • ConsoleOne is supported for DirXML 1.1a, but not for Identity Manager.

Backward Compatibility

  • You can run DirXML 1.1a driver shims and configurations on an Identity Manager server, and you can view the drivers in iManager in the Identity Manager Overview for the driver set. But the Identity Manager plug-ins do not let you view or edit the driver configurations until you convert them to Identity Manager format.

    In the Identity Manager plug-ins, if you click a driver that is in 1.1a format, you are prompted to complete the conversion. This is a simple process done with a wizard, and it does not change the functionality of the driver configuration. As part of the process, a backup copy of the DirXML 1.1a version is saved.

  • Activation for DirXML 1.1a drivers is still valid when running them with the Identity Manager engine. However, if you upgrade the driver shim to an Identity Manager version, you need new activation.

  • In most cases, an Identity Manager driver shim can run with a DirXML 1.1a configuration. See the individual driver implementation guides for upgrade information.

    A notable exception is Password Synchronization 1.0, which does not run correctly for AD and NT after you upgrade the driver shim unless you add some additional driver policies. For instructions, see the sections about Password Synchronization in the driver implementation guides for the Identity Manager Drivers for Active Directory and NT Domain.

  • Running Identity Manager driver shims and driver configurations with the DirXML 1.1a engine is not supported.

  • Running Identity Manager driver configurations with DirXML 1.1a driver shims is not supported.

  • If you run the same Identity Manager driver configuration on more than one server, make sure the servers are running the same version of Identity Manager, and the same version of eDirectory.
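As an added illustration that is not part of the guide, the Backward Compatibility rules listed in Section 2.1.2 and repeated above can be expressed as a pre-upgrade check; the class, function names and sample version strings are my own, not Novell's.

```python
from dataclasses import dataclass

IDM = "Identity Manager"   # engine, shim or configuration at the Identity Manager level
DIRXML = "DirXML 1.1a"     # engine, shim or configuration at the DirXML 1.1a level


@dataclass
class DriverDeployment:
    engine: str              # engine version on the server: IDM or DIRXML
    shim: str                # driver shim version: IDM or DIRXML
    config: str              # driver configuration format: IDM or DIRXML
    connected_system: str    # e.g. "AD", "NT", "eDirectory"
    pwsync10: bool = False   # Password Synchronization 1.0 still in use for this driver


def check_deployment(d: DriverDeployment):
    """Return (supported, notes) for one driver according to the rules in this section."""
    notes = []
    # Identity Manager shims or configurations never run on the DirXML 1.1a engine.
    if d.engine == DIRXML and (d.shim == IDM or d.config == IDM):
        return False, ["Identity Manager shims/configurations on the DirXML 1.1a engine are not supported"]
    # An Identity Manager configuration never runs with a DirXML 1.1a shim.
    if d.shim == DIRXML and d.config == IDM:
        return False, ["Identity Manager configurations with DirXML 1.1a shims are not supported"]
    # 1.1a configurations run, but the plug-ins cannot view or edit them until converted.
    if d.config == DIRXML:
        notes.append("convert the driver configuration to Identity Manager format before editing it "
                     "(the wizard keeps a backup of the 1.1a version)")
    # Upgrading the shim to Identity Manager requires a new activation credential.
    if d.shim == IDM:
        notes.append("obtain a new activation credential for the Identity Manager driver shim")
    # Password Synchronization 1.0 on AD/NT breaks after a shim upgrade without extra policies.
    if d.shim == IDM and d.config == DIRXML and d.pwsync10 and d.connected_system in ("AD", "NT"):
        notes.append("add the backward-compatibility driver policies for Password Synchronization 1.0")
    return True, notes


def servers_consistent(servers):
    """Servers sharing one driver configuration must run the same Identity Manager and eDirectory versions."""
    return len({(s["idm"], s["edir"]) for s in servers}) == 1


if __name__ == "__main__":
    # Constructed sample: an upgraded AD shim still carrying its 1.1a configuration and PasswordSync 1.0.
    print(check_deployment(DriverDeployment(IDM, IDM, DIRXML, "AD", pwsync10=True)))
    print(servers_consistent([{"idm": "3.0.1", "edir": "8.7.3"}, {"idm": "3.0.1", "edir": "8.8"}]))
```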

Password Management

Activation

  • All Identity Manager products must be activated within 90 days. When you purchased other Novell software, the DirXML Starter Pack included activations for the DirXML 1.1a engine and the NT, AD, and eDirectory drivers. When upgrading from the Identity Manager Starter Pack, you might need to re-apply your activation credentials for those drivers.

    For more information on activation, refer to Section 6.0, Activating Novell Identity Manager Products.

2.1.4 Upgrading from Password Synchronization 1.0 to Identity Manager Password Synchronization

Figure 2-4 Upgrading from Password Synchronization 1.0 to Identity Manager Password Synchronization

Identity Manager Password Synchronization offers many features, including bidirectional password synchronization, additional platforms, and e-mail notification when password synchronization fails.

If you are using Password Synchronization 1.0 with Active Directory or NT Domain, it’s very important that you review the instructions for upgrading before you install the new driver shims.

If you are running Identity Manager 2.x with Password Synchronization 2.0, you do not need to follow these steps.

For information about Identity Manager Password Synchronization in general, see Password Synchronization across Connected Systems in the Novell Identity Manager 3.0.1 Administration Guide. That section contains conceptual information including a comparison of old and new features, prerequisites, a list of features supported for each connected system, instructions on adding support to existing drivers, and several scenarios showing how you could use the new features.

Upgrading Password Synchronization for AD or NT

The new Password Synchronization functionality is implemented by driver policies, not by a separate agent. This means that if you install the new driver shim without upgrading the driver configuration at the same time, Password Synchronization 1.0 continues to work only for existing users. New, moved, or renamed users do not participate in Password Synchronization until you complete the upgrade of the driver configuration.

Use the following general steps to upgrade:

  1. Upgrade your environment so that it supports Universal Password, including upgrading the Novell Client™ if you are using it.

  2. Install the Identity Manager 3.0.1 driver shim to replace the DirXML 1.1a driver shim for AD or NT.

  3. Immediately create backward compatibility with Password Synchronization 1.0 by adding a new policy to the driver configuration.

    This step allows Password Synchronization 1.0 to continue to function correctly until you make the switch to Identity Manager Password Synchronization.

  4. Add support for the new Identity Manager Password Synchronization, using driver policies.

  5. Install and configure new Password Synchronization filters.

  6. Set up SSL, if necessary.

  7. Turn on Universal Password using password policies, if necessary.

  8. Set up the Identity Manager Password Synchronization scenario that you want to use.

    See Implementing Password Synchronization in the Novell Identity Manager 3.0.1 Administration Guide.

  9. Remove Password Synchronization 1.0.

For detailed instructions, see the driver implementation guides for the Identity Manager Drivers for Active Directory and NT Domain.

Upgrading Password Synchronization for eDirectory

Upgrading for eDirectory is fairly simple, and the driver shim is intended to work with your existing DirXML 1.1a driver configuration with no changes, assuming that your driver shim and configuration have the latest patches. For instructions, see the Identity Manager Driver for eDirectory: Implementation Guide.

Upgrading Other Connected System Drivers

Identity Manager Password Synchronization supports more connected systems than Password Synchronization 1.0.

For a list of the features that are supported for other systems, see Connected System Support for Password Synchronization in the Novell Identity Manager 3.0.1 Administration Guide.

Driver policy “overlays” are provided to help you add bidirectional Password Synchronization functionality to existing drivers for connected systems that were not previously supported. See Upgrading Existing Driver Configurations to Support Password Synchronization in the Novell Identity Manager 3.0.1 Administration Guide.

Handling Sensitive Information

Universal Password is protected by four layers of encryption inside eDirectory, so it is very secure in that environment. If you choose to use bidirectional password synchronization, and you synchronize Universal Password with the Distribution Password, keep in mind that you are extracting the eDirectory password and sending it to other connected systems. You need to secure the transport of the password, as well as the connected systems it is synchronized to. See Security: Best Practices in the Novell Identity Manager 3.0.1 Administration Guide.