Identity Manager 3.6.1 Fan-Out Driver: Installation Quick Start for Midrange Systems

June 5, 2009

1.0 Installation for Midrange Systems

This Quick Start provides basic steps for installing the Identity Manager Fan-Out Driver on i5/OS (OS/400 operating system). It condenses information from other documentation that includes more details and additional tasks required to install, configure, and deploy the Fan-Out Driver.

There are two main sections to this Quick Start: the Core Driver setup and the Platform Services setup. If you have already installed and configured the Core Driver and are adding an additional Fan-Out Driver platform, follow the steps in Installing Platform Services.

1.1 Required Knowledge and Skills

This Quick Start assumes you are familiar with concepts, key components and facilities of the Fan-Out Driver, Novell eDirectory™, and the administration of the OS/400.

For complete installation, configuration and administration information, see the Identity Manager Fan-Out Driver for Midrange Administration Guide at the Identity Manager 3.6.1 Drivers Documentation Web site.

Before installing Fan-Out Driver components, obtain the latest support pack and product updates, and review the release notes and readme files. For the latest support information, see the Novell Support Web site.

1.2 Prerequisites

Verify you are running Identity Manager 3.5.1 or higher, as well as the required versions of eDirectory, iManager, and your target platforms. For more about these requirements, see the associated readme files on the Identity Manager 3.6.1 Documentation Web site.

NOTE:The Identity Manager 3.6.1 Fan-Out Driver is compatible with Identity Manager 3.5. However, if you do install it on an Identity Manager 3.5 system, you will need to take the extra step of manually installing the Fan-Out driver’s schema extensions. For more details, see “Preparing for Core Driver Administration” in the Administration Guide.

The Fan-Out Driver includes two major components:

  • The Core Driver, which integrates with the system on which Identity Manager is running.

  • Platform Services, which is installed on the target system you wish to connect to Identity Manager.

For the LDAP server that you will use with the Core Driver, set the option to dereference aliases when resolving names, as follows:

  1. In iManager, select LDAP > LDAP Overview > View LDAP Servers.

  2. Click the LDAP Server.

  3. Under Nonstandard Behaviors, select Dereference Aliases When Resolving Names, then click Refresh.

If the Core Driver you install will be designated as primary, ensure that the target server holds replicas of all objects to be covered by a Census Search object.

If the Core Driver you install will be designated as secondary, ensure that the primary Core Driver is available, since it provides installation configuration information.

1.3 Installing the Core Driver

Install the Core Driver on a Linux, Solaris or Windows* system running Identity Manager as follows:

  1. From your installation media, locate and execute the installation software.

    • For Linux or Solaris, use one of the following self-extracting installers appropriate to your system:

      sh linux_x86_coredriver.bin
      sh linux_x86_64_coredriver.bin
      sh solaris_sparc_coredriver.bin

      NOTE:The x86 (32-bit) installer is compatible with both 32-bit and 64-bit versions of Linux. To use the x86_64 (64-bit) installer, you must first install and configure the 64-bit LDAP SDK.

    • For Windows, run the following command:


      This x86 (32-bit) executable is compatible with both x86 and x64 versions of Windows.

  2. Accept the license, select your installation directory and proceed to install the product files by responding to the prompts.

  3. You may need to change the port setting for the Core Driver's built-in remote loader. This is especially likely if you are also using the standard remote loader that comes with Identity Manager. Both versions of the remote loader use port 8090 as their default setting.

    The port setting for the Core Driver’s built-in remote loader resides in the fanout.conf file, which is located as follows:

    • For Linux and Solaris: /usr/local/ASAM/data/ASAM/data/

    • For Windows: C:\Novell\ASAM\data\

    Edit the following line to reflect the desired port:

    -connection "ca=/user/local/ASAM/keys/ca.pem port=8090"

  4. Start the Core Driver shim. To start the shim:

    • In Linux or Solaris, enter /etc/init.d/asamcdrvd start

    • In Windows, start the Fan-Out Driver Shim service

  5. Import and configure the Fan-Out Driver.

    1. In iManager, select Identity Manager Utilities > Import Drivers. Select a new or existing driver set, then click Next.

      NOTE:If you are running a version of iManager that does not include the Fan-Out Driver application plug-in, see Installing the iManager Plug-In (If not Preinstalled).

    2. Select the Fan-Out Driver from the list of drivers to import, then click Next.

      NOTE:If the driver is not available in the list, select Import a configuration from the client and select the file \rules\Fan-Out-IDM3_6_0-V1.xml in the directory where the Driver Shim is installed (C:\Novell\ASAM by default).

    3. Provide the requested information, then click Next.

    4. Click Define Security Equivalences, add your ASAM Master User object, then click OK.

    5. Click Exclude Administrative Roles, add the Admin user, your ASAM Master User, and any other high-privilege users to the Excluded Users list, then click OK.

    6. Click Finish.

  6. Restart eDirectory to bring the new indexes online.

  7. Start the Fan-Out Driver.

    1. Select Identity Manager Management > Overview.

    2. Locate the driver in its driver set.

    3. Click the status indicator in the upper right corner of the driver icon, then click Start Driver.

1.4 Installing the iManager Plug-In (If not Preinstalled)

You will use the Fan-Out Driver’s Web application to complete the Core Driver installation. This application resides in recent versions of iManager as a standard plug-in. If your version of iManager does not include the plug-in, you can install it from the software that comes with the Core Driver software.

  1. Login to iManager as an administrative user.

  2. Click the Configure icon at the top.

  3. Click Available Novell Plug-in Modules under Plug-in Installation on the left menu.

  4. Click Add above the list of plug-ins.

  5. Select fan-out\iManagerPlugIn\FanOutWeb.npm from your installation media and click OK.

  6. Check the box next to Novell Identity Manager - Fan-Out Driver Plug-in and click Install above the list of plug-ins.

  7. Restart the Tomcat or Tomcat5 service on your iManager system, and exit and log back into iManager.

  8. If the Fan-Out Driver Configuration role has not appeared, continue with the following steps.

  9. Click the Configure icon at the top.

  10. Click RBS Configuration under Role Based Services on the left menu.

  11. Click the number under the Not-Installed column in the table.

  12. Check the box next to FanOutWeb and click Install above the list.

  13. Click the Roles and Tasks icon at the top.

This procedure adds two new roles to iManager: Fan-Out Driver Configuration and Fan-Out Driver Utilities. The first time you use one of these roles, you are prompted for the DNS name or IP address and the TCP port number of the primary Core Driver. After you provide this information, the Fan-Out Driver is ready for you to continue with your deployment and testing plan.

1.5 Installing Platform Services

Install Platform Services on an i5/OS system (OS/400 operating system) as follows:

  1. If you do not have an appropriately configured Platform Set object, use iManager to create a Platform Set object.

    Associate users and groups with your Platform Set using the appropriate Search object configuration.

    Platform Sets are established for platforms that share a common population of users and groups. Multiple types of platforms can reside in a single Platform Set, and individual users and groups can appear on multiple Platform Sets.

    Whenever you modify Search objects, start a Trawl to populate the platforms.

  2. Use the iManager Fan-Out Driver plug-in to create a Platform object for your platform in an appropriate Platform Set.

    You must define all of the IP addresses for the platform so that mutually authenticated SSL can function properly.

  3. Sign in as QSECOFR or equivalent user to the server where you are installing Platform Services.

  4. Create a file to contain the Platform Services distribution package with this command:


  5. From a Windows* or UNIX* workstation, FTP the Platform Services distribution package to the target server. From a command line:

    1. ftp server_address

    2. Authenticate to the server.

    3. cd qsys

    4. bin

    5. put asam.sav asam.file

    6. quit

  6. Execute the following command:


    You can now remove the temporary ASAM.FILE.

  7. Execute the following command:


    This prepares the /usr/local/ASAM directory.

  8. Configure password replication for local password changes.

    Execute the following commands:




  9. Execute EDTLIBL and add ASAM to your library list.

  10. Execute WRKJOBD JOBD(ASAMRCVR) and modify the Job Description as appropriate for your system.

  11. Customize the Receiver scripts if appropriate for your installation.

    For information about developing your own custom scripts, see /usr/local/ASAM/bin/ScriptWritersGuide.txt.

  12. Execute GO ASAM to load the ASAM menu.

    1. Choose option 1 and review the contents of the platform configuration file.

      You must have at least one AUTHENTICATION statement, at least one PROVISIONING statement, and a DIRECTTOAUTHENTICATION statement.

    2. Choose option 2 to create the SSL certificates for communication to the Core Drivers.

    3. Choose option 3 on the menu to run the Platform Receiver in Persistent Mode.

      The first time a Platform Receiver is run for a new platform, it automatically receives provisioning events for all users and groups for the platform.

  13. Add the Platform Receiver operation into routine system startup and shutdown procedures as appropriate.

    Autostart the Platform Receiver in the default subsystem with the following command:


2.0 Legal Notice

Copyright © 2004, 2007-2009 Omnibond Systems, LLC. All rights reserved. Licensed to Novell, Inc. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher. For Novell trademarks, see the Novell Trademark and Service Mark list. All third-party products are the property of their respective owners. A trademark symbol ( ®, TM, etc.) denotes a Novell trademark; an asterisk (*) denotes a third-party trademark.