The following scenarios are examples of the environment in which Identity Manager might be used. For each scenario, some guidelines are provided to help you with your implementation.
Figure 2-1 New Installation
Identity Manager is a data-sharing solution that leverages your Identity Vault to automatically synchronize, transform, and distribute information across applications, databases, and directories.
Your Identity Manager solution includes the following components:
The Identity Vault contains the user or object data you want to share or synchronize with other connected systems. We recommend that you install Identity Manager in its own eDirectory™ instance and use it as your Identity Vault.
You use Novell iManager and the Identity Manager plug-ins to administer your Identity Manager solution.
Connected systems might include other applications, directories, and databases that you want to share or synchronize data with the Identity Vault. To establish a connection from your Identity Vault to the connected system, install the appropriate driver for that connected system. Refer to the driver implementation guides for specific instructions.
Install System Components: Because your Identity Manager solution might be distributed across several computers, servers, or platforms, you should run the installation program and install the appropriate components per system. Refer to Section 1.4, Identity Manager Installation Programs and Services for more information.
Set Up Connected Systems: Refer to Section 1.4, Identity Manager Installation Programs and Services and the driver implementation guides for specific instructions.
Activate Your Solution: Identity Manager products (professional, server editions, Integration Modules, and user applications) require activation within 90 days of installation. See Section 6.0, Activating Novell Identity Manager Products.
Define Business Policies: Business policies enable you to customize the flow of information into and out of the Identity Vault for a particular environment. Policies also create new objects, update attribute values, make schema transformations, define matching criteria, maintain Identity Manager associations, and many other things. A detailed guide to policies is contained in Policies in iManager for Identity Manager 3.5.1.
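As an illustration of what such a policy looks like, here is a small DirXML Script policy added for this section (it is not taken from the guide or from any shipped driver configuration). It shows three of the policy jobs listed above: rejecting an object that fails a matching/required-data check, setting a default attribute value, and stripping an attribute so it never leaves the Identity Vault. The element names are standard DirXML Script; the attribute names (Surname, Title, Description) and the placement of the policy in the driver are assumptions for the example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example policy, not from the guide. Assumed to sit on the
     Subscriber channel (Identity Vault -> connected system) of a driver.
     Attribute names used below are assumptions chosen for illustration. -->
<policy>

  <!-- Rule 1: refuse to create a User in the connected system when the
       Identity Vault object has no Surname. Logging first, then vetoing,
       gives the driver status log an explicit reason for the rejection. -->
  <rule>
    <description>Veto User adds that lack a Surname</description>
    <conditions>
      <and>
        <if-class-name op="equal">User</if-class-name>
        <if-operation op="equal">add</if-operation>
        <if-attr name="Surname" op="not-available"/>
      </and>
    </conditions>
    <actions>
      <do-status level="error">
        <arg-string>
          <token-text>User add vetoed: Surname is required</token-text>
        </arg-string>
      </do-status>
      <do-veto/>
    </actions>
  </rule>

  <!-- Rule 2: update an attribute value on the way out. New Users that
       carry no Title get a default one in the connected system. -->
  <rule>
    <description>Default the Title of new Users</description>
    <conditions>
      <and>
        <if-class-name op="equal">User</if-class-name>
        <if-operation op="equal">add</if-operation>
        <if-attr name="Title" op="not-available"/>
      </and>
    </conditions>
    <actions>
      <do-set-dest-attr-value name="Title">
        <arg-value type="string">
          <token-text>Contractor</token-text>
        </arg-value>
      </do-set-dest-attr-value>
    </actions>
  </rule>

  <!-- Rule 3: keep an internal-only attribute inside the Identity Vault by
       removing it from every add and modify before it reaches the shim. -->
  <rule>
    <description>Never synchronize Description to the connected system</description>
    <conditions>
      <or>
        <if-operation op="equal">add</if-operation>
        <if-operation op="equal">modify</if-operation>
      </or>
    </conditions>
    <actions>
      <do-strip-op-attr name="Description"/>
    </actions>
  </rule>

</policy>
```

Rules are evaluated in order for each event the driver processes, and a veto stops the event entirely, so the rejection rule is placed first. Rule 3 is the kind of control worth pairing with the filter on the driver: the filter decides which attributes are in scope at all, and a policy like this one handles the cases the filter cannot express.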
Configure Password Management: Using Password policies, you can increase security by setting rules for how users create their passwords. You can also decrease help desk costs by providing users with self-service options for forgotten passwords and for resetting passwords. For in-depth information on password management, refer to “Managing Passwords by Using Password Policies”.
Configure Entitlements: Entitlement definitions let you grant entitlements on connected systems to a defined group of users within the Identity Vault. Using Entitlement policies, you can streamline management of business policies and reduce the need to configure your Identity Manager drivers. For more information, see Creating and Using Entitlements in the Novell Identity Manager 3.5.1 Administration Guide.
Logging Events with Novell Audit: Identity Manager is instrumented to use Novell Audit for auditing and reporting. Novell Audit is a collection of technologies providing monitoring, logging, reporting, and notification capabilities. Through integration with Novell Audit, Identity Manager provides detailed information about the current and historical status of driver and engine activity. This information is provided by a set of preconfigured reports, standard notification services, and user-defined logging. Refer to Using Status Logs in the Identity Manager 3.5.1 Logging and Reporting guide.
Workflow Approval and User Application: The Novell Identity Manager user application is a powerful Web application (and supporting tools) designed to provide a rich, intuitive, highly configurable, Web-UI experience atop a sophisticated identity-services framework. When used in conjunction with the Provisioning Module for Identity Manager and Novell Audit, the Identity Manager user application provides a complete, end-to-end provisioning solution that’s secure, scalable, and easy to manage. Refer to the User Application documentation.
Figure 2-2 Installing Identity Manager in the Same Tree as DirXML 1.1a
If you are running both Identity Manager and DirXML® 1.1a in the same environment, keep in mind the following considerations:
We recommend that you install Identity Manager in a separate eDirectory instance and use it as your Identity Vault.
ConsoleOne® is supported for DirXML 1.1a, but not for Identity Manager.
Two iManager servers are necessary, one for DirXML 1.1a plug-ins and one for Identity Manager plug-ins. This is because the plug-ins have been enhanced and because Identity Manager uses DirXML Script.
iManager plug-ins for DirXML 1.1a can’t read DirXML Script, which is used in the defined driver configurations for most Identity Manager drivers.
Designer is a tool that allows you to design, test, update, and document the Identity Manager drivers.
You can run DirXML 1.1a driver shims and configurations on an Identity Manager server, and you can view the drivers in iManager in the Identity Manager Overview for the driver set. But the Identity Manager plug-ins do not let you view or edit the driver configurations until you convert them to Identity Manager format.
In the Identity Manager plug-ins, if you click a driver that is in 1.1a format, you are prompted to complete the conversion. This is a simple process done with a wizard, and it does not change the functionality of the driver configuration. As part of the process, a backup copy of the DirXML 1.1a version is saved.
Activation for DirXML 1.1a drivers is still valid when running them with the Identity Manager engine. However, if you upgrade the driver shim to an Identity Manager version, you need to obtain a new activation credential. See Section 6.0, Activating Novell Identity Manager Products for more detailed information.
In most cases, an Identity Manager driver shim can run with a DirXML 1.1a configuration. See the individual driver implementation guides for upgrade information.
A notable exception is that Password Synchronization 1.0 does not run correctly for Windows AD and Windows NT after you upgrade the driver shim unless you add some additional driver policies. For instructions, see the sections about Password Synchronization in the driver implementation guides for the Identity Manager Drivers for Active Directory and NT Domain.
Running Identity Manager driver shims and driver configurations with the DirXML 1.1a engine is not supported.
Running Identity Manager driver configurations with DirXML 1.1a driver shims is not supported.
If you run the same Identity Manager driver configuration on more than one server, make sure the servers are running the same version of Identity Manager, and the same version of eDirectory.
You can create Password policies that provide features such as Advanced Password Rules to require stronger passwords, and Forgotten Password Self-Service and Reset Password Self-Service for users. See the “Managing Password Synchronization” section in the Password Management 3.1 Guide.
If you began using Universal Password with the initial release of NetWare® 6.5, some upgrade steps are necessary before you can use the new password policy features. See “(NetWare 6.5 only) Deploying Universal Password” in the Password Management 3.1 Guide. The procedure is not necessary if you began using Universal Password with NetWare 6.5 SP8.
Identity Manager Password Synchronization provides bidirectional password synchronization and supports more platforms than Password Synchronization 1.0.
If you have been using Password Synchronization 1.0 with Windows AD or Windows NT, make sure you review the upgrade instructions before you install the new driver shims. See Section 2.2.4, Upgrading from Password Synchronization 1.0 to Identity Manager Password Synchronization.
Driver policy “overlays” are provided to help you add bidirectional Password Synchronization functionality to existing drivers. See Upgrading Existing Driver Configurations to Support Password Synchronization in the Novell Identity Manager 3.5.1 Administration Guide.
Figure 2-3 Upgrading from the Starter Pack to Identity Manager
The Identity Manager Starter Pack solutions included with other Novell products provide licensed synchronization of information held in NT domains, Active Directory, and eDirectory. Additionally, evaluation drivers for several other systems including PeopleSoft, GroupWise®, and Lotus Notes, are included to allow you to explore data synchronization for your other systems.
This solution also offers you the ability to synchronize user passwords. With PasswordSync, a user is required to remember only a single password to log in to any of these systems. Administrators can manage passwords in the system of their choice. Any time a password is changed in one of these environments, it will be updated in all of them.
Identity Manager Starter Packs that shipped with NetWare 6.5 and Nterprise™ Linux Services 1.0 were based on DirXML 1.1a technology. When upgrading from a Starter Pack to the latest version of Identity Manager, keep in mind the following considerations:
You can run DirXML 1.1a driver shims and configurations on an Identity Manager server, and you can view the drivers in iManager in the Identity Manager Overview for the driver set. But the Identity Manager plug-ins do not let you view or edit the driver configurations until you convert them to Identity Manager format.
In the Identity Manager plug-ins, if you click a driver that is in 1.1a format, you are prompted to complete the conversion. This is a simple process done with a wizard, and it does not change the functionality of the driver configuration. As part of the process, a backup copy of the DirXML 1.1a version is saved.
Activation for DirXML 1.1a drivers is still valid when running them with the Identity Manager engine. However, if you upgrade the driver shim to an Identity Manager version, you need new activation.
In most cases, an Identity Manager driver shim can run with a DirXML 1.1a configuration. See the individual driver implementation guides for upgrade information.
A notable exception is Password Synchronization 1.0, which does not run correctly for Windows AD and Windows NT after you upgrade the driver shim unless you add some additional driver policies. For instructions, see the sections about Password Synchronization in the driver implementation guides for the Identity Manager Drivers for Active Directory and NT Domain.
Running Identity Manager driver shims and driver configurations with the DirXML 1.1a engine is not supported.
Running Identity Manager driver configurations with DirXML 1.1a driver shims is not supported.
If you run the same Identity Manager driver configuration on more than one server, make sure the servers are running the same version of Identity Manager, and the same version of eDirectory.
Password Synchronization 1.0, which shipped with Starter Packs (DirXML 1.1a), won’t work correctly for AD and NT after you upgrade the driver shim unless you add some additional driver policies. For instructions, see the sections about Password Synchronization in the driver implementation guides for the Identity Manager Drivers for Active Directory and NT Domain.
Refer to Section 2.2.4, Upgrading from Password Synchronization 1.0 to Identity Manager Password Synchronization for specific instructions surrounding this upgrade process.
All Identity Manager products must be activated within 90 days. When you purchased other Novell software, the DirXML Starter Pack included activations for the DirXML 1.1a engine and the NT, AD, and eDirectory drivers. When upgrading from the Identity Manager Starter Pack, you might need to re-apply your activation credentials for those drivers.
For more information on activation, refer to Section 6.0, Activating Novell Identity Manager Products.
Figure 2-4 Upgrading from Password Synchronization 1.0 to Identity Manager Password Synchronization
Identity Manager Password Synchronization offers many features, including bidirectional password synchronization, additional platforms, and e-mail notification when password synchronization fails.
If you are using Password Synchronization 1.0 with Active Directory or NT Domain, it’s very important that you review the instructions for upgrading before you install the new driver shims.
If you are running Identity Manager 2.x with Password Synchronization 2.0, you do not need to follow these steps.
For information about Identity Manager Password Synchronization in general, see Password Synchronization across Connected Systems in the Novell Identity Manager 3.5.1 Administration Guide. That section contains conceptual information, including a comparison of old and new features, prerequisites, a list of features supported for each connected system, instructions on adding support to existing drivers, and several scenarios showing how you can use the new features.
The new Password Synchronization functionality is implemented by driver policies, not by a separate agent. This means that if you install the new driver shim without upgrading the driver configuration at the same time, Password Synchronization 1.0 continues to work only for existing users. New, moved, or renamed users do not participate in Password Synchronization until you complete the upgrade of the driver configuration.
Use the following general steps to upgrade:
Upgrade your environment so that it supports Universal Password, including upgrading the Novell Client™ if you are using it.
Install the Identity Manager 3.5.1 driver shim to replace the DirXML 1.1a driver shim for Active Directory or Windows NT.
Immediately create backward compatibility with Password Synchronization 1.0, by adding a new policy to the driver configuration.
This step allows Password Synchronization 1.0 to continue to function correctly until you make the switch to Identity Manager Password Synchronization.
Use driver policies to add support for the new Identity Manager Password Synchronization.
Install and configure new Password Synchronization filters.
Set up SSL, if necessary.
Turn on Universal Password by using password policies, if necessary.
Set up the Identity Manager Password Synchronization scenario that you want to use.
See Implementing Password Synchronization in the Novell Identity Manager 3.5.1 Administration Guide.
Remove Password Synchronization 1.0.
For detailed instructions, see the driver implementation guides for the Identity Manager Drivers for Active Directory and NT Domain.
Upgrading for eDirectory is fairly simple, and the driver shim is intended to work with your existing DirXML 1.1a driver configuration with no changes, assuming that your driver shim and configuration have the latest patches. For instructions, see the Identity Manager 3.5.1 Driver for eDirectory: Implementation Guide.
Identity Manager Password Synchronization supports more connected systems than Password Synchronization 1.0.
For a list of the features that are supported for other systems, see Connected System Support for Password Synchronization in the Novell Identity Manager 3.5.1 Administration Guide.
Driver policy “overlays” are provided to help you add bidirectional Password Synchronization functionality to existing drivers for connected systems that were not previously supported. See Upgrading Existing Driver Configurations to Support Password Synchronization in the Novell Identity Manager 3.5.1 Administration Guide.
Universal Password is protected by four layers of encryption inside eDirectory, so it is very secure in that environment. If you choose to use bidirectional password synchronization, and you synchronize Universal Password with the Distribution Password, keep in mind that you are extracting the eDirectory password and sending it to other connected systems. You need to secure the transport of the password, as well as the connected systems it is synchronized to.
Along with passwords, you can also use Novell SecretStore® and Novell SecureLogin to synchronize credentials. These allow you to provision the SecureLogin passphrase question and answer in environments where non-repudiation is desired. See Security: Best Practices in the Novell Identity Manager 3.5.1 Administration Guide.