This section describes how to install the IDM User Application on a WebSphere Application Server with the graphical user interface version of the installer.
Navigate to the directory containing your installation files.
Launch the installer:
java -jar IdmUserApp.jar
Select a language from the drop-down menu, then click OK.
Read the license agreement and accept it, then continue.
Read the Introduction page of the install wizard, then continue.
In the Application Server Platform window, select the WebSphere application server platform.
If the Identity Manager User Application WAR file is in a different directory from the installer, the installer prompts for the path to the WAR. If the WAR is in the default location, accept the default; otherwise browse to the WAR file and select its location.
On the Choose Install Folder page, select where to install the User Application. Accept the default location, or browse to another location for the installation files.
Specify the Java root folder, either by browsing to it or by accepting the default location.
NOTE: With WebSphere, you must use the IBM JDK that has the unrestricted JCE policy files applied; the default restricted policy limits the cipher key lengths available to the JVM.
To enable Novell Audit logging (optional) for the User Application, fill in the Novell Audit fields on this page.
Specify whether to import an existing master key or create a new one. Examples of reasons to import an existing master key include:
You are moving your installation from a staging system to a production system and want to keep access to the database you used with the staging system.
You installed the User Application on the first member of a cluster and are now installing on subsequent members of the cluster (they require the same master key).
Because of a failed disk, you need to restore your User Application. You must reinstall the User Application and specify the same encrypted master key that the previous installation used. This gives you access to the previously stored encrypted data.
Choose whether to import an existing master key or to create a new one, then continue.
The installation procedure writes the encrypted master key to the master-key.txt file in the installation directory. Because this key is what gives access to the encrypted data the User Application stores (see the reasons above), restrict read access to master-key.txt to the account that runs the application server, and keep a copy in a secure location: you need the same key to reinstall after a disk failure or to add cluster members.
If you chose to create a new key, skip to Section 5.7.10, Configuring the User Application. After you finish the installation, you must manually record the master key.
If you chose to import an existing key, continue with Step 3.
If you choose to import an existing encrypted master key, cut and paste the key into the install procedure window.
The User Application install enables you to set User Application configuration parameters. Most of these parameters are also editable with configupdate.sh or configupdate.bat after installation; exceptions are noted in the parameter descriptions. For a cluster, specify identical User Application configuration parameters for each member of the cluster.
Continue through the first User Application Configuration page.
Set the basic User Application configuration parameters described in Table 5-6, then continue with Step 3.
Table 5-6 User Application Configuration: Basic Parameters
If you want to set additional User Application configuration parameters, open the Advanced Options panel (scroll to view the whole panel). Table 5-7 describes the Advanced Options parameters. If you do not want to set additional parameters, skip to Step 4.
Table 5-7 User Application Configuration: All Parameters (each parameter is described below, grouped by type of setting)
Type of Setting | Description
---|---
eDirectory Connection Settings | Required. Specify the hostname or IP address for your LDAP server. For example: myLDAPhost
 | Specify the non-secure port for your LDAP server. For example: 389.
 | Specify the secure port for your LDAP server. For example: 636.
 | Required. Specify the LDAP Administrator account (its distinguished name). This user must already exist. The User Application uses this account to make an administrative connection to the Identity Vault. This value is encrypted, based on the master key.
 | Required. Specify the LDAP Administrator password. This password is encrypted, based on the master key.
 | Allows users who are not logged in to access the LDAP Public Anonymous Account.
 | Allows users who are not logged in to access permitted portlets as the LDAP Guest user. This user account must already exist in the Identity Vault. The Guest user and the Public Anonymous Account are mutually exclusive: to enable the LDAP Guest user, deselect the Public Anonymous Account option; to disable the Guest user, select the Public Anonymous Account option.
 | Specify the LDAP Guest password.
 | Select this option to require that all communication using the admin account be done using a secure socket (this option can have adverse performance implications). Other operations that do not require SSL continue to operate without SSL. Without this option, the administrator bind and its password travel to the non-secure LDAP port in cleartext.
 | Select this option to require that all communication done on the logged-in user's account be done using a secure socket (this option can have severe adverse performance implications). Other operations that do not require SSL continue to operate without SSL. Without this option, users' login passwords travel to the non-secure LDAP port in cleartext.
eDirectory DNs | Required. Specify the LDAP distinguished name of the root container. This is used as the default entity definition search root when no search root is specified in the directory abstraction layer.
 | Required. Specify the distinguished name of the User Application driver. For example, if your driver is UserApplicationDriver and your driver set is called myDriverSet, and the driver set is in a context of o=myCompany, you type a value of: cn=UserApplicationDriver,cn=myDriverSet,o=myCompany
 | Required. An existing user in the Identity Vault who has the rights to perform administrative tasks for the User Application user container specified. This user can use the administration tab of the User Application to administer the portal. If the User Application Administrator participates in workflow administration tasks exposed in iManager, Novell Designer for Identity Manager, or the User Application's workflow tab, you must grant this administrator appropriate trustee rights to object instances contained in the User Application driver. Refer to the IDM User Application: Administration Guide for details. To change this assignment after you deploy the User Application, you must use the administration pages in the User Application.
 | This role is available in the provisioning version of Identity Manager 3.5.1. The Provisioning Application Administrator manages Provisioning Workflow functions available through the workflow tab of the User Application. This user must exist in the Identity Vault prior to being designated the Provisioning Application Administrator. To change this assignment after you deploy the User Application, you must use the administration pages in the User Application.
Meta-Directory User Identity | Required. Specify the LDAP distinguished name (DN) or fully qualified LDAP name of the user container. This defines the search scope for users and groups. Users in this container (and below) are allowed to log in to the User Application. IMPORTANT: Be sure the User Application Administrator specified during User Application driver setup exists in this container if you want that user to be able to execute workflows.
 | The LDAP user object class (typically inetOrgPerson).
 | The LDAP attribute (for example, CN) that represents the user's login name.
 | The LDAP attribute used as the identifier when looking up users or groups. This is not the same as the login attribute, which is used only during login, and not during user/group searches.
 | Optional. The LDAP attribute that represents the user's group membership. Do not use spaces in this name.
Meta-Directory User Groups | Required. Specify the LDAP distinguished name (DN) or fully qualified LDAP name of the group container. Used by entity definitions within the directory abstraction layer.
 | The LDAP group object class (typically groupofNames).
 | The attribute representing the user's group membership. Do not use spaces in this name.
 | Select this option if you want to use dynamic groups.
 | The LDAP dynamic group object class (typically dynamicGroup).
eDirectory Certificates | Required. Specify the full path to the keystore (cacerts) file of the JRE that the application server uses to run, or else click the small browser button and navigate to the cacerts file. The User Application installation modifies this keystore file (it adds the eDirectory trusted root), so on Linux or Solaris the installing user must have permission to write to it.
 | Required. Specify the cacerts password. The default is changeit. This default is public knowledge; if you rely on the keystore password to protect the JRE truststore, change it.
Private Key Store | The private keystore contains the User Application's private key and certificates. Reserved. If you leave this empty, this path is /jre/lib/security/cacerts by default.
 | This password is changeit unless you specify otherwise. This password is encrypted, based on the master key.
 | This alias is novellIDMUserApp unless you specify otherwise.
 | This password is nove1lIDM unless you specify otherwise. This password is encrypted, based on the master key.
Trusted Key Store | The Trusted Key Store contains all trusted signers' certificates used to validate digital signatures. If this path is empty, the User Application gets the path from the System property javax.net.ssl.trustStore. If that property is not set, the path is assumed to be jre/lib/security/cacerts.
 | If this field is empty, the User Application gets the password from the System property javax.net.ssl.trustStorePassword. If that property is not set, changeit is used. This password is encrypted, based on the master key.
Novell Audit Digital Signature and Certificate Key | Contains the Novell Audit digital signature key and certificate.
 | Displays the digital signature certificate.
 | Displays the digital signature private key. This key is encrypted, based on the master key.
iChain Settings | If this option is selected, the User Application supports simultaneous logout of the User Application and either iChain or Novell Access Manager. The User Application checks for an iChain or Novell Access Manager cookie on logout and, if the cookie is present, reroutes the user to the ICS logout page.
 | The URL to the iChain or Novell Access Manager logout page, where the URL is a hostname that iChain or Novell Access Manager expects. If ICS logout is enabled and a user logs out of the User Application, the user is rerouted to this page.
E-mail | Specify the application server hosting the Identity Manager User Application. For example: myapplicationServer. This value replaces the $HOST$ token in e-mail templates. The URL that is constructed is the link to provisioning request tasks and approval notifications.
 | Used to replace the $PORT$ token in e-mail templates used in provisioning request tasks and approval notifications.
 | Used to replace the $SECURE_PORT$ token in e-mail templates used in provisioning request tasks and approval notifications.
 | Refers to a non-secure protocol, HTTP. Used to replace the $PROTOCOL$ token in e-mail templates used in provisioning request tasks and approval notifications.
 | Refers to a secure protocol, HTTPS. Used to replace the $SECURE_PROTOCOL$ token in e-mail templates used in provisioning request tasks and approval notifications.
 | Specify the From address used for provisioning e-mail.
 | Specify the SMTP e-mail host that provisioning e-mail is using. This can be an IP address or a DNS name.
Password Management | This feature enables you to specify a Forgot Password page residing in an external Forgot Password WAR and a URL that the external Forgot Password WAR uses to call back the User Application through a Web service. If you select this option, you must supply values for the Forgot Password link and the return link (the next two fields). If you do not select it, IDM uses the default internal Password Management functionality, /jsps/pwdmgt/ForgotPassword.jsf (without the http(s) protocol at the beginning). This redirects the user to the Forgot Password functionality built into the User Application, rather than to an external WAR.
 | This URL points to the Forgot Password functionality page. Specify a ForgotPassword.jsf file in an external or internal password management WAR.
 | If you are using an external password management WAR, supply the path that the external Password Management WAR uses to call back the User Application through Web Services, for example https://idmhost:sslport/idm. Use HTTPS for this URL, as in the example, since the callback carries the password-management Web service calls between the two WARs.
Miscellaneous | The application session timeout.
 | If the client installation uses the Online Certificate Status Protocol (OCSP), supply a Uniform Resource Identifier (URI). For example, the format is http://host:port/ocspLocal. The OCSP URI lets the User Application check the revocation status of trusted certificates online.
 | Fully qualified name of the authorization configuration file.
Container Object | Select each Container Object Type to use.
 | Select from the following standard containers: locality, country, organizationalUnit, organization, and domain. You can also define your own containers in iManager and add them here.
 | Lists the Attribute Type name associated with the Container Object Type.
 | Specify the LDAP name of an objectclass from the Identity Vault that can serve as a container. For information on containers, see the Novell iManager 2.6 Administration Guide.
 | Supply the attribute name of the container object.
After you finish configuring the settings, continue with Section 5.7.11, Verify Choices, and Install.
Read the Pre-Install Summary page to verify your choices for the installation parameters.
If necessary, go back to earlier installation pages to change installation parameters. The User Application configuration page does not save values, so after you re-specify earlier pages in the installation, you must re-enter the User Application configuration values.
When you are satisfied with your installation and configuration parameters, return to the Pre-Install Summary page and start the installation. Continue with Section 5.7.12, View Log Files.
If your installation completed without error, continue with Section 5.7.13, Add User Application configuration files and JVM system properties.
If the installation issued errors or warnings, review the log files to determine the problems:
Identity_Manager_User_Application_InstallLog.log holds results of the basic installation tasks.
Novell-Custom-Install.log holds information about the User Application configuration done during installation.
Copy the sys-configuration-xmldata.xml file from the User Application install directory to a directory on the machine hosting the WebSphere server, for example /UserAppConfigFiles. The User Application install directory is the directory in which you installed the User Application.
Set the path to the sys-configuration-xmldata.xml file in the JVM system properties. Log in to the WebSphere admin console as an admin user to do this.
From the left panel, go to the application servers list and click the server name, for example server1.
In the list of settings on the right, under the server infrastructure settings, expand the Java and process management link and select the process definition.
In the list of additional properties, select the Java Virtual Machine, then select Custom Properties under the additional properties heading of the JVM page.
Add a new JVM system property.
For the property name, enter extend.local.config.dir.
For the property value, enter the directory that now holds sys-configuration-xmldata.xml on the WebSphere host. This is the directory you copied the file to in the first step; if WebSphere runs on the machine where you ran the installer, it is the install folder you specified during installation, because the installer wrote the file there.
For the property description, enter a description for the property, for example: path to sys-configuration-xmldata.xml.
Save the property.
Add another new JVM system property.
For the property name, enter idmuserapp.logging.config.dir.
For the property value, enter the same directory as for the first property.
For the property description, enter a description, for example: path to idmuserapp_logging.xml.
Save the property.
NOTE: The idmuserapp_logging.xml file does not exist until you persist logging changes from within the User Application.
The User Application installation procedure exports the eDirectory trusted root certificates to the directory in which you install the User Application. Copy these certificates to the machine hosting the WebSphere server. These are the certificates WebSphere will trust for the SSL connection to the Identity Vault, so copy them over a channel you trust and check the fingerprint on both machines before importing.
Import the certificates into the WebSphere keystore. You can do this using the WebSphere administrator's console (Importing Certificates with the WebSphere Administrator's Console) or through the command line (Importing certificates with the command line).
After you import certificates, proceed to Section 5.7.15, Deploy the IDM WAR file.
Log in to the WebSphere administration console as an admin user.
From the left panel, go to the SSL certificate and key management settings.
In the list of settings on the right, under the related items, go to the key stores and certificates list.
Select the node default truststore (or the truststore you are using).
Under the additional properties on the right, select the signer certificates list, then add a new signer certificate.
Type in the Alias name and full path to the certificate file.
Change the Data type in the dropdown to match the encoding of the certificate file (binary DER for the exported .der file).
Confirm the addition. You should now see the certificate in the list of signer certificates.
From the command line on the machine hosting the WebSphere server, run the keytool to import the certificate into the WebSphere keystore.
NOTE: You must use the keytool of the IBM JDK shipped with WebSphere or this does not work. Also, be sure the store type is PKCS12.
The WebSphere keytool can be found at /IBM/WebSphere/AppServer/java/bin.
keytool -import -trustcacerts -file servercert.der -alias myserveralias -keystore trust.p12 -storetype PKCS12
If you have more than one trust.p12 file on your system, you might need to specify the full path to the file. Before adding a certificate that is not already trusted, keytool prints its fingerprint and asks you to confirm; compare that fingerprint with the certificate on the eDirectory server rather than confirming blindly. Afterwards, confirm the import by listing the truststore with keytool -list, using the same keystore file and store type.
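The two console procedures above (adding the extend.local.config.dir and idmuserapp.logging.config.dir JVM custom properties, and importing the exported eDirectory trusted root as a signer certificate) can also be scripted with wsadmin, which is the practical way to apply them identically to every member of a cluster. The following is an added example written for this page, not a script from the Novell documentation or from the product. It runs under wsadmin's Jython mode (wsadmin.sh -lang jython -f idm_was_setup.py). The cell name MyCell01, the node name MyServerNode01, the server name server1, the configuration directory /UserAppConfigFiles, the certificate path /UserAppConfigFiles/servercert.der and the alias myserveralias are assumed placeholders to replace with your own values.

```jython
# Added example for this page (not Novell or IBM code): wsadmin Jython script that
#   1. creates or updates the two JVM custom properties the User Application needs, and
#   2. imports the eDirectory trusted root into the node default truststore as a signer.
# Run with: wsadmin.sh -lang jython -f idm_was_setup.py
# All values below are assumptions; replace them with your environment's names.

CELL_NAME   = 'MyCell01'                              # assumption
NODE_NAME   = 'MyServerNode01'                        # assumption
SERVER_NAME = 'server1'                               # server to configure
CONFIG_DIR  = '/UserAppConfigFiles'                   # where sys-configuration-xmldata.xml was copied
CERT_FILE   = '/UserAppConfigFiles/servercert.der'    # exported eDirectory trusted root (DER)
CERT_ALIAS  = 'myserveralias'                         # alias under which the signer is stored
TRUSTSTORE  = 'NodeDefaultTrustStore'                 # WebSphere's default truststore name

def jvm_id():
    """Config id of the JVM of the target server."""
    server = AdminConfig.getid('/Cell:%s/Node:%s/Server:%s/' % (CELL_NAME, NODE_NAME, SERVER_NAME))
    if not server:
        raise Exception('server %s not found in cell %s, node %s' % (SERVER_NAME, CELL_NAME, NODE_NAME))
    return AdminConfig.list('JavaVirtualMachine', server).split('\n')[0].strip()

def existing_props(jvm):
    """Map of system property name -> config id already defined on the JVM."""
    found = {}
    for pid in AdminConfig.list('Property', jvm).split('\n'):
        pid = pid.strip()
        if pid:
            found[AdminConfig.showAttribute(pid, 'name')] = pid
    return found

def set_jvm_property(jvm, name, value, description):
    """Create the custom property, or update it if it already exists, so re-running is safe."""
    props = existing_props(jvm)
    if props.has_key(name):
        AdminConfig.modify(props[name], [['value', value], ['description', description]])
        print 'updated %s=%s' % (name, value)
    else:
        AdminConfig.create('Property', jvm,
                           [['name', name], ['value', value], ['description', description]],
                           'systemProperties')
        print 'created %s=%s' % (name, value)

def add_signer(alias, path):
    """Import a DER certificate as a trusted signer and verify it is listed afterwards."""
    scope = '(cell):%s:(node):%s' % (CELL_NAME, NODE_NAME)
    # Paths with spaces would need quoting inside the bracketed parameter string.
    AdminTask.addSignerCertificate('[-keyStoreName %s -keyStoreScope %s '
                                   '-certificateAlias %s -certificateFilePath %s '
                                   '-base64Encoded false]' % (TRUSTSTORE, scope, alias, path))
    listing = AdminTask.listSignerCertificates('[-keyStoreName %s -keyStoreScope %s]'
                                               % (TRUSTSTORE, scope))
    if listing.find(alias) < 0:
        raise Exception('signer %s not present in %s after import' % (alias, TRUSTSTORE))
    print 'signer %s present in %s' % (alias, TRUSTSTORE)

jvm = jvm_id()
set_jvm_property(jvm, 'extend.local.config.dir', CONFIG_DIR,
                 'path to sys-configuration-xmldata.xml')
set_jvm_property(jvm, 'idmuserapp.logging.config.dir', CONFIG_DIR,
                 'path to idmuserapp_logging.xml')
add_signer(CERT_ALIAS, CERT_FILE)
AdminConfig.save()   # persist to the master configuration
print 'saved; restart %s for the JVM properties to take effect' % SERVER_NAME
```

The JVM properties are read at server start, so restart the server afterwards; in a Network Deployment cell, also synchronize the node after AdminConfig.save() so the change reaches the node agent. The script re-reads the existing properties before creating them, which is what lets you run it on each cluster member (or again after a failed run) without producing duplicate entries.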
Log in to the WebSphere administration console as an admin user.
From the left panel, go to the page for installing a new application.
Browse to the file location of the IDM WAR. (The IDM WAR file is configured during the installation of the User Application. It is in the User Application installation directory that you specified during installation of the User Application.)
Type in the Context root for the application, for example IDMProv. This will be the URL path.
Keep the default radio button selected (prompt only when additional information is required), then go to the next page.
Accept the defaults on the installation options screen and go to the next screen.
Leave everything as the defaults on the page that maps modules to servers and go to the next page.
For the authentication method, select the default-method check box. Then, from the authentication data drop-down, select the alias you created earlier, for example MyServerNode01/MyAlias.
In the table below the authentication settings, find the module you are deploying. Under the column titled Target Resource JNDI Name, click the browse button to specify a JNDI name. This brings up a list of resources. Select the datasource that you created earlier, for example MyDataSource, and apply the selection to get back to the Map resource references to resources page.
Go to the next page, leave everything as the defaults there, and go to the summary page.
Finish to complete the deployment.
After the deployment is finished, save the changes to the master configuration.
Continue with Section 5.7.16, Start the Application.
Log in to the WebSphere administrator's console as an admin user.
From the left navigation panel, go to the enterprise applications list.
Select the check box next to the application you want to start, then start it.
After starting, the application status column shows a green arrow.
Access the portal using the context you specified during deployment. The default port for the Web container on WebSphere is 9080, or 9443 for the secure port. The format for the URL is:
http://<server>:9080/IDMProv
Use the secure port (https://<server>:9443/IDMProv) for anything that involves a login, so that user credentials are not sent in cleartext over the non-secure port.