www.novell.com/documentation Installation Guide Identity Manager 4.0.
Legal Notices

Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. Further, Novell, Inc.
Contents
About This Guide
Part I Planning
1 Setting Up a Development Environment
2 Creating a Project Plan
2.1 Discovery Phase
2.1.1 Defining Current Business Processes
.6 Additional Configuration
5 Where to Get Identity Manager
6 System Requirements
6.1 eDirectory and iManager
6.2 Metadirectory Server
9 Troubleshooting Identity Manager
10 What’s New
10.1 What’s New in Identity Manager 4.0.1
10.1.1 Identity Manager Advanced Edition Versus Standard Edition
10.1.2 Telemetry
10.1.3 Resource Request Activity
About This Guide

Novell Identity Manager is a data sharing and synchronization service that enables applications, directories, and databases to share information. It links scattered information and enables you to establish policies that govern automatic updates to designated systems when identity changes occur. Identity Manager provides the foundation for account provisioning, security, single sign-on, user self-service, authentication, authorization, automated workflow, and Web services.
For User Application documentation, see the Identity Manager Roles Based Provisioning Module Documentation Web site (http://www.novell.com/documentation/idmrbpm401/index.html).
I Planning

Identity Manager 4.0.1 helps you manage the identities and resources in your business. It also automates many business processes for you that are currently manual tasks. If you have any questions about the different components that make up an Identity Manager solution, see the Identity Manager 4.0.1 Overview Guide for more information about each component. To create an effective Identity Manager solution for your environment, you first must take time to plan and design the solution.
1 Setting Up a Development Environment

Before you begin the planning phase of the Identity Manager deployment, you must be familiar with the Identity Manager products so you can create a useful plan. Setting up a development environment where you can test, analyze, and develop your Identity Manager solution allows you to learn about each component of Identity Manager and find unforeseen issues that can arise.
2 Creating a Project Plan

This planning material provides an overview of the activities that are usually part of an Identity Manager project, from its inception to its full production deployment. Implementing an identity management strategy requires you to discover what your current business processes are, what the needs for these processes are, and who the stakeholders are in your environment, and then to design a solution, get buy-in from stakeholders, and test and roll out the solution.
- Section 2.1.4, “Interviewing All Stakeholders,” on page 16
- Section 2.1.5, “Creating a High-level Strategy and an Agreed Execution Path,” on page 16

2.1.1 Defining Current Business Processes

Identity Manager automates business processes to easily manage identities in your environment. If you do not know what the current business processes are, you cannot design an Identity Manager solution that automates those processes.
Figure 2-1 Example of Business Processes

After you determine processes, you start to identify how Identity Manager can be involved. Continue with Section 2.1.2, “Defining How the Identity Manager Solution Affects the Current Business Processes,” on page 15.

2.1.2 Defining How the Identity Manager Solution Affects the Current Business Processes

After you have defined your current business processes, you need to decide which processes you want to incorporate into an Identity Manager solution.
2.1.3 Identifying the Key Business and Technical Stakeholders

Identifying all stakeholders involved in the Identity Manager solution is important for the success of the solution. In most companies, there is not just one person you can contact who understands all business and technical aspects of the business processes. You must identify which services and systems are going to be affected by the Identity Manager solution, and you must also identify the person who is responsible for that service or system.
- Create an agreed execution path for the Identity Manager solution.
- Define additional education for stakeholders.

Discovery provides a common understanding of the issues and solutions for all stakeholders. It provides an excellent primer for the analysis phase, which is a phase that requires stakeholders to have a basic knowledge of directories, Novell eDirectory, Novell Identity Manager, and XML integration in general. After you have completed the discovery phase, proceed to Section 2.
- Appropriate Identity Manager architecture for the solution.
- Details for additional system connection requirements.
- Strategies for data validation and record matching.
- Directory design to support the Identity Manager infrastructure.

The following tasks should be completed during the requirements and design assessment:
- “Defining the Business Requirements” on page 18
- “Analyzing Your Business Processes” on page 19
- “Designing an Enterprise Data Model” on page 20

2.2.
Learning early on which items of information system administrators and managers feel belong to them can help in obtaining and keeping buy-in from all parties. For example, the account administrator might want ownership over granting rights to specific files and directories for an employee. This can be accommodated by implementing local trustee assignments in the account system. After you have defined your business requirements, proceed to Section 2.2.2, “Analyzing Your Business Processes,” on page 19.
2.2.3 Designing an Enterprise Data Model

After your business processes have been defined, you can use Designer to begin to design a data model that reflects your current business processes. The model in Designer illustrates where data originates, where it moves to, and where it can’t move. It can also account for how critical events affect the data flow. For example, Figure 2-2 shows data flow between Identity Vault and different connected systems.
- Is the synchronization one-way or two-way?
- Which system is the authoritative source for which attributes?

It is also important to consider the interrelationships of different values between systems. For example, an employee status field in PeopleSoft might have three set values: employee, contractor, and intern. However, the Active Directory system might have only two values: permanent and temporary.
2.5 Production Pilot

The production pilot is the first step in migrating into a production environment. During this phase, there might be additional customization that occurs. In this limited introduction, the desired outcomes of the preceding activities can be confirmed and agreement obtained for the production rollout. The pilot validates the plan that has been created to this point in the process.
3 Technical Guidelines

The information that you gather in Designer allows you to make technical decisions, such as installation location and configuration options, about each component of Identity Manager. For an introduction to each component, see the Identity Manager 4.0.1 Overview Guide. Figure 3-1 is one possible configuration of an Identity Manager solution.
3.1 Management Tools Guidelines

The two main management tools for the Identity Manager solution are Designer and iManager, as illustrated in Figure 3-2. Designer is used during the planning and creation of the Identity Manager solution, and iManager is used for daily management tasks of the Identity Manager solution.
3.1.2 Designer Guidelines

Designer is a thick client that is installed on a workstation. Designer is used to design, test, document, and then deploy your Identity Manager solution. Using Designer throughout the planning phase helps you capture information in one place. It also helps you see issues you might not be aware of as you look at all of the components of the solution together. There are no major considerations for using Designer, unless you have multiple people working on the same project.
Figure 3-3 Metadirectory Server

There are many variables that affect the performance of the server. The standard recommendation is that you have no more than ten drivers running on a Metadirectory server.
3.3.1 Identity Manager Objects in eDirectory

The following list indicates the major Identity Manager objects that are stored in eDirectory and how they relate to each other. No objects are created during the installation of Identity Manager. The Identity Manager objects are created during the configuration of the Identity Manager solution.

- Driver Set: A driver set is a container that holds Identity Manager drivers and library objects. Only one driver set can be active on a server at a time.
For example, if you want a driver to synchronize all user objects, the simplest way is to use one instance of the driver on a server that holds a master or read/write replica of all your users. However, many environments don’t have a single server that contains a replica of all the users. Instead, the complete set of users is spread across multiple servers. In this case, you have three choices:
- Aggregate users onto a single server.
To synchronize all users without having them replicated on one single server, you need to determine which set of servers holds all the users, and then create an instance of the Identity Manager driver on each of those servers. To prevent two instances of the driver from trying to synchronize the same users, you need to use scope filtering to define which users each instance of the driver should synchronize.

NOTE: You should use scope filtering even if your server’s replicas don’t currently overlap.
Server B holds replicas of the Development and Finance containers, and the Identity Management container holding the driver set for Server B and the GroupWise Driver object for Server B. Because Server A and Server B both hold a replica of the Finance container, both servers hold the user JBassad, who is in the Finance container. Without scope filtering, both GroupWise Driver A and GroupWise Driver B would synchronize JBassad.
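The overlap described here can be found mechanically before any driver is started. The following script is an added example, not part of the Novell guide: it lists containers replicated on more than one driver server and checks a proposed scope assignment. It assumes scope is assigned per container; the file formats, the function names, and the Marketing container in the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the guide. File formats and function names are
# assumptions made for this illustration.
#
# replicas file: "<server> <container>"  (server holds a replica of container)
# plan file:     "<server> <container>"  (the driver instance on <server>
#                                         has <container> in its scope)

# Print "<container>: <server> <server> ..." for every container replicated
# on more than one driver server. Without scope filtering, users in these
# containers are synchronized by each of the listed driver instances.
overlapping_containers() {
    awk 'NF == 2 && !(($2, $1) in seen) {
             seen[$2, $1] = 1
             holders[$2] = (count[$2]++ ? holders[$2] " " : "") $1
         }
         END {
             for (c in count)
                 if (count[c] > 1) print c ": " holders[c]
         }' "$1" | sort
}

# Validate a scope plan against the replica layout. Prints one finding per
# line and returns 1 if any container is unassigned, is in scope for more
# than one driver, or is assigned to a server that holds no replica of it.
check_scope_plan() {
    findings=$(awk '
        FNR == NR {                       # first file: replica layout
            if (NF == 2) { replica[$1, $2] = 1; containers[$2] = 1 }
            next
        }
        NF == 2 {                         # second file: scope plan
            if (!(($1, $2) in replica))
                print "no-replica " $1 " " $2
            owners[$2]++
        }
        END {
            for (c in containers) {
                if (!(c in owners))      print "unassigned " c
                else if (owners[c] > 1)  print "duplicate " c
            }
        }' "$1" "$2" | sort)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample modeled on the Server A / Server B case in the text.
scope_demo() {
    dir=$(mktemp -d)
    printf '%s\n' 'ServerA Marketing' 'ServerA Finance' \
                  'ServerB Development' 'ServerB Finance' > "$dir/replicas"
    # Plan: Finance users (JBassad among them) are handled by Server A only.
    printf '%s\n' 'ServerA Marketing' 'ServerA Finance' \
                  'ServerB Development' > "$dir/plan"

    echo "Containers needing scope filtering:"
    overlapping_containers "$dir/replicas"
    echo "No scope filtering (each driver covers every local replica):"
    check_scope_plan "$dir/replicas" "$dir/replicas" || true
    echo "With the scope plan:"
    check_scope_plan "$dir/replicas" "$dir/plan" && echo "ok"
    rm -rf "$dir"
}
scope_demo
```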
3.4 User Application

The User Application should run on its own server, as shown in Figure 3-7. You might need more than one User Application server.

Figure 3-7 User Application

Use the information in the “Performance Tuning” (http://www.novell.
Figure 3-8 Sentinel
II Installation

The following sections contain the information required to install an Identity Manager system without using the integrated installer. For simple installation and configuration you should use the new integrated installer instead of installing the components separately. For more information about the integrated installer, see the Identity Manager 4.0.1 Integrated Installation Guide.
4 Basic Identity Manager System Checklist

There are many different ways to configure Identity Manager to take advantage of all of its features. Figure 4-1 represents a basic configuration of Identity Manager. This configuration provisions users by synchronizing data. No matter how Identity Manager is configured, you always start with a basic system. As you configure your Identity Manager system, use this checklist to make sure all steps are completed.
4.1 Prerequisites

Verify that your system meets the system requirements listed in Chapter 6, “System Requirements,” on page 43.

4.2 Planning

Planning is the key to having a successful implementation and deployment of Identity Manager.

Create a development environment. It is important to have access to an Identity Manager system to validate your Identity Manager solution. You want to do all testing and development in the development environment before changing to the production environment.
4.4 Driver Configuration with the Remote Loader

The Remote Loader allows you to synchronize information to a connected system without having eDirectory installed on the connected system. The Remote Loader synchronizes the information to the Metadirectory server, which stores the data in the Identity Vault. Identity Manager uses eDirectory as the Identity Vault.

Install the Remote Loader on a machine that communicates with the connected system.
Auditing and Reporting: Adding auditing and reporting to your Identity Manager solution provides a means to show that your business policies comply with the company’s policies. You can add the Identity Reporting Module or Novell Sentinel to your Identity Manager solution for auditing and reporting. For more information about the Identity Reporting Module, see the Identity Reporting Module Guide. For more information about Novell Sentinel, see the Identity Manager 4.0.1 Reporting Guide for Novell Sentinel.
5 Where to Get Identity Manager

Identity Manager 4.0.1 is available in Advanced and Standard Editions. There are separate ISOs for each of them. Identity Manager 4.0.1 Advanced Edition includes a complete set of features for enterprise class user provisioning. To meet the varying customer requirements, Identity Manager Standard Edition includes a subset of features available in the Identity Manager Advanced Edition.
Table 5-1 Identity Manager ISO Images

ISO | Platform | Description
Identity_Manager_4.0.1_Windows_Advanced.iso | Windows | Contains the DVD image for the Metadirectory server, Designer, iManager, Role Mapping Administrator, Analyzer, Identity Reporting Module, and Roles Based Provisioning Module.
Identity_Manager_4.0.1_Windows_Standard.iso | Windows | Contains the DVD image for the Metadirectory server, Designer, iManager, Analyzer, Identity Reporting Module, and Roles Based Provisioning Module.
- LDAP
- Lotus Notes

Activations for all other Identity Manager drivers must be purchased separately. The activations for the drivers are sold as Identity Manager Integration modules. An Identity Manager Integration module can contain one or more drivers. You receive a Product Activation Credential for each Identity Manager Integration module you purchase. For more information, see Identity Manager 4 Standard Edition (https://www.netiq.com/products/identity-manager/standard/technicalinformation/modules.
6 System Requirements

The components of Novell Identity Manager can be installed on multiple systems and platforms. Figure 6-1 shows which platforms and systems are supported.
Figure 6-1 System Requirements for the Identity Manager Components

User Application / Reporting Server:
- SLES 10 SP3 (32 and 64-bit)
- SLES 11 SP1 (32 and 64-bit)
- OES 2 SP3 (32 and 64-bit)
- OES 11 (64-bit)
- OES 11 SP1 (64-bit)
- RHEL 5.4 or later (32 and 64-bit)
- RHEL 6.0 or later (32 and 64-bit)
- Windows Server 2003 SP2 (32-bit only)
- Windows Server 2008 R2 (64-bit only)
- Windows Server 2008 SP1 (32 and 64-bit)
- Solaris 10 (64-bit) (User Application only)

Administration Workstation, Designer and Analyzer:
- openSUSE 10.
Dependent Libraries for Identity Manager Installation on RHEL 6.x

Ensure that you install the following libraries before installing Identity Manager on RHEL 6.x:

For GUI Install: Before invoking the Identity Manager installer, manually install the dependent libraries.

For a 64-bit RHEL: Install the following libraries in the same order:
1. libXau-1.0.5-1.el6.i686.rpm
2. libxcb-1.5-1.el6.i686.rpm
3. libX11-1.3-2.el6.i686.rpm
4. libXext-1.1-3.el6.i686.rpm
5. libXi-1.3-3.el6.i686.rpm
6. libXtst-1.0.99.2-3.
6.1 eDirectory and iManager

Identity Manager requires eDirectory and iManager to be installed. These products provide a base for Identity Manager, and they are included in the Identity Manager Advanced Edition ISO image. Figure 6-2 illustrates these components.

Figure 6-2 Base Products for Identity Manager
Figure 6-3 Supported Operating Systems for the Metadirectory Server
The supported 64-bit processors for Linux (Red Hat and SUSE Linux Enterprise Server) and Windows operating systems are:
- Intel EM64T
- AMD Athlon64
- AMD Opteron

All operating systems should have the latest support packs.

6.2.2 Server Operating Systems

You can install the Metadirectory server as a 32-bit application on a 64-bit operating system. Table 6-1 contains a list of the supported server operating systems that the Metadirectory server can run on.
6.3

Server Operating System Version | Notes
Xen | Xen is supported when the Xen Virtual Machine is running SLES 10/SLES 11 as the guest operating system in paravirtualized mode.
VMware ESX | The Metadirectory server runs in either 32-bit or 64-bit mode.
Red Hat Enterprise Linux 5 Virtualization | The Metadirectory server runs in either 32-bit or 64-bit mode.
Windows Server 2008 R2 Virtualization with Hyper-V | The Metadirectory server runs in either 32-bit or 64-bit mode.
Table 6-2 lists the supported operating systems for the Remote Loader.

Table 6-2 Supported Operating Systems for the Remote Loader

Server Operating System Version | Notes
Windows Server 2003 SP2 (32-bit and 64-bit) | The Remote Loader runs in 32-bit and 64-bit mode.
Windows Server 2008 or later support packs (32-bit and 64-bit) | The Remote Loader runs in 32-bit and 64-bit mode.
Windows Server 2008 Server R2 (64-bit) | The Remote Loader runs only in 64-bit mode.
Red Hat 5.
6.4 User Application

For User Application system requirements, see the “System Requirements” section in the Identity Manager Roles Based Provisioning Module 4.0.1 User Application: Installation Guide.

6.5 Auditing and Reporting

The Identity Reporting Module and Novell Sentinel are two different tools used to gather auditing and reporting information about Identity Manager. Figure 6-5 lists the supported version of Sentinel with Identity Manager 4.0.1.
6.6 Workstations

Workstations are used to access Designer, iManager, the Role Mapping Administrator, or the User Application administration Web page. Figure 6-6 lists the different components for workstations that are supported with Identity Manager 4.0.1.

Figure 6-6 Supported Components for Workstations

Designer and Analyzer:
- openSUSE 10.3 (32 and 64-bit)
- openSUSE 11.2 (32 and 64-bit)
- SLED 10.
6.6.1 Workstation Platforms

Table 6-3 contains a list of the supported workstation platforms for Designer and iManager. For system requirements information, refer to the individual component documentation.

- iManager: See the Installing iManager (http://www.novell.com/documentation/imanager27/imanager_install_274/data/alw39eb.html) section in the Novell iManager 2.7 Installation Guide.
- Designer: See the “System Requirements” section in the Designer 4.0.1 for Identity Manager 4.0.1 Administration Guide.
6.7 Resource Requirements

Table 6-4 Identity Manager Resource Requirements

Identity Manager Component | Minimum Requirement
Metadirectory Server | 2048 MB
Remote Loader | 256 MB
Drivers | 200 MB
iManager Plug-ins | 80 MB
7 Installing Identity Manager

Identity Manager contains an integrated installer that simplifies the installation process and installs and configures all of the components at the same time. If you are installing your first Identity Manager system, use the integrated installer. For more information, see the Identity Manager 4.0.1 Integrated Installation Guide.
2 Ensure that you have downloaded the necessary Identity Manager files from the Novell Downloads Web site. For more information, see Chapter 5, “Where to Get Identity Manager,” on page 39.
3 Start the installation by executing the correct program for your workstation’s platform.
Linux: IDM4.0.1_Lin/products/Analyzer/install
To execute the binary file, enter ./install.
Windows: IDM4.0.1_Win:/products/Analyzer/install.
To run a silent installation of Designer, refer to the “Using the Silent Install” section of the Designer 4.0.1 for Identity Manager 4.0.1 Administration Guide.

7.3 Installing eDirectory

Ensure that you have downloaded the necessary Identity Manager files from the Novell Downloads Web site. For more information, see Chapter 5, “Where to Get Identity Manager,” on page 39.

eDirectory 8.8.6 is provided on the Identity Manager media. There are installers for both 32-bit platforms and 64-bit platforms.
7.5 Installing the Metadirectory Server

For Linux/UNIX platforms, you can install the Metadirectory server as root or as a non-root user. The installation procedure is different if you are using the non-root installation. See Section 7.5.1, “Nonroot Installation of the Metadirectory Server,” on page 59 for the installation instructions.

This procedure covers the GUI installation of the Metadirectory server, Web components, and utilities for the different platforms that Identity Manager supports.
- Novell Identity Manager Connected System Server (32-bit): This option does not require the Identity Vault to be installed on this server. Select this option only if you are installing the 32-bit Remote Loader. For more information, see Section 7.6, “Installing the Remote Loader,” on page 61.
- Novell Identity Manager Connected System Server (64-bit): This option does not require the Identity Vault to be installed on this server. Select this option only if you are installing the 64-bit Remote Loader.
You should install Identity Manager as the same user you used to install the non-root version of eDirectory. The user who installs Identity Manager must have write access to the directories and files of the non-root eDirectory installation.
4 Execute the installation program for your platform.
Linux: IDM4.0.1_Lin/products/IDM/linux/setup/idm-nonroot-install
Solaris: IDM4.0.
EDIR_USER_NAME=cn=admin,o=test
EDIR_USER_PASSWORD=test
METADIRECTORY_SERVER_SELECTED=true
CONNECTED_SYSTEM_SELECTED=false
X64_CONNECTED_SYSTEM_SELECTED=false
WEB_ADMIN_SELECTED=false
UTILITIES_SELECTED=false

For default installed locations, see /tmp/idmInstall.log. If you have installed iManager, and you later want to install iManager plug-ins, you must set the WEB_ADMIN_SELECTED value to true.
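The silent-install properties shown above hold the eDirectory administrator password in clear text, so the file should be readable only by the installing user and removed once the installation finishes. The following pre-flight check is an added example, not part of the Novell guide; the key names are the ones listed above, while the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the guide: pre-flight check for a silent-install
# properties file. Key names come from the guide; function names are made up.
# Usage: check_silent_props /path/to/properties-file

# Print the value of key $2 in properties file $1 (last assignment wins,
# Windows line endings tolerated).
prop_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tr -d '\r' | tail -n 1
}

# Print the components whose <NAME>_SELECTED key is true, space separated.
selected_components() {
    awk -F= '{ sub(/\r$/, "") }
             $1 ~ /_SELECTED$/ && $2 == "true" {
                 name = $1
                 sub(/^[ \t]*/, "", name)
                 sub(/_SELECTED$/, "", name)
                 out = out (out == "" ? "" : " ") name
             }
             END { print out }' "$1"
}

# Return 1 when the file exposes the directory credential, 0 otherwise.
check_silent_props() {
    file=$1
    status=0
    [ -f "$file" ] || { echo "FAIL: $file not found"; return 1; }

    # Characters 5-10 of the ls mode string are the group and other bits;
    # "------" means only the owner can read or write the file.
    mode=$(ls -ld "$file" | cut -c5-10)
    if [ -n "$(prop_value "$file" EDIR_USER_PASSWORD)" ] &&
       [ "$mode" != "------" ]; then
        echo "FAIL: clear-text EDIR_USER_PASSWORD in a file open to group/other ($mode); run: chmod 600 $file"
        status=1
    fi

    # Show what the installer will be asked to install, so an unintended
    # component selection is caught before the unattended run.
    components=$(selected_components "$file")
    if [ -z "$components" ]; then
        echo "WARN: no component has a _SELECTED key set to true"
    else
        echo "INFO: components selected: $components"
    fi
    return "$status"
}

# Constructed sample using the values shown in the guide.
props_demo() {
    sample=$(mktemp)
    cat > "$sample" <<'EOF'
EDIR_USER_NAME=cn=admin,o=test
EDIR_USER_PASSWORD=test
METADIRECTORY_SERVER_SELECTED=true
CONNECTED_SYSTEM_SELECTED=false
X64_CONNECTED_SYSTEM_SELECTED=false
WEB_ADMIN_SELECTED=false
UTILITIES_SELECTED=false
EOF
    chmod 644 "$sample"
    check_silent_props "$sample" || echo "-> fix permissions before installing"
    chmod 600 "$sample"
    check_silent_props "$sample" && echo "-> ok to run the silent install"
    rm -f "$sample"
}
props_demo
```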
7.6.2 Supported Drivers

Not all Identity Manager drivers are supported by the Remote Loader. The following is a list of the drivers that have Remote Loader capability.
- Active Directory
- Avaya PBX
- Data Collection Services
- Delimited Text
- GroupWise (Available only for 32-bit Remote Loader)
- JDBC
- JMS
- LDAP
- Linux/UNIX Settings
- Lotus Notes
- Managed System Gateway
- Manual Task Services
- PeopleSoft 5.2
- Remedy ARS
- RACF
- SalesForce.
7.6.3 Installation Procedure

The Remote Loader has different programs for the different platforms, so it can communicate with the Metadirectory server.

- Linux/UNIX: rdxml is an executable that enables the Metadirectory server to communicate with the Identity Manager drivers running in Solaris or Linux environments.
- Windows: The Remote Loader Console uses rlconsole.exe to interface with dirxml_remote.
- Remote Loader Service 64-bit: The service that communicates with the Metadirectory server.
- Drivers: Select which driver files to install. You should install all of the driver files. If you need to add another Remote Loader instance, you do not need to run the installation again.
- Novell Identity Manager Connected System Server (.NET): (Windows Only) Installs the .NET Remote Loader service and the SharePoint driver.
If you have installed iManager, and you later want to install iManager plug-ins, you must set the WEB_ADMIN_SELECTED value to true.

7.6.5 Installing the Java Remote Loader on UNIX or Linux

dirxml_jremote is a pure Java Remote Loader. It is used to exchange data between the Metadirectory server running on one server and the Identity Manager drivers running in another location, where rdxml doesn’t run. It should be able to run on any system with a compatible JRE (1.5.0 minimum) and Java Sockets.
8 Customize the dirxml_jremote script by doing either of the following:
- Verify that the Java executable is reachable through the PATH environment variable by setting the environment variable RDXML_PATH. Enter the following commands to set the environment variable:
  1. RDXML_PATH=path
  2. export RDXML_PATH
- Edit the dirxml_jremote script and prepend the path to the Java executable on the script line that executes Java.
9 Configure the sample config8000.
The driver files are included with this option.
- Novell Utilities: Select this option to install utilities to help configure some drivers.
- Customize the selected components: Allows you to select just the driver files without installing the Metadirectory server or the Remote Loader.
5 Click Next.
6 Deselect the Metadirectory Engine option and the Remote Loader Service option if they have been selected in Step 4 on page 66.
Windows: IDM4.0.1_Win:\products\RMA\IDMRMAP.jar
3 From a command line, access the Role Mapping Administrator installation directory, then enter java -jar IDMRMAP.jar.
NOTE: For security reasons, you should install the Role Mapping Administrator as a non-root user on Linux platforms.
4 Enter Yes to accept the license agreement.
5 Specify the installation directory for the Role Mapping Administrator. The default path is your current location.
7.12.1 Prerequisites

- Stop eDirectory. If eDirectory is not stopped, the patch installer tries to stop it.
- Stop Remote Loader services. If the Remote Loader is in use, the patch installer cannot replace it.
- (Conditional) Set the Java path for a non-root installation. Edit the JAVA_NONROOT variable in the install.sh file or export the Java 1.6 path.

7.12.2 GUI Installation

Run the following steps for both root and non-root installation.
1 Download the Identity Manager 4.0.
where x is the version of the Identity Manager patch.

On Linux, run the rpm -qa | grep nov | grep 4.0.1 command to verify the Identity Manager RPMs installed on your system. On Solaris, running this command shows Identity Manager packages installed on your system.

NOTE: In a non-root patch installation/upgrade, the RPM versions are not upgraded.

Windows: Do the following:
- Check the modification date for the files updated by the patch installer.
7.13 Language Support for the Identity Manager Installers

Each of the Identity Manager installers supports different languages.
- Metadirectory Server: French, German, Japanese, Simplified Chinese, and Traditional Chinese.
- Integrated Installer: French, German, Japanese, Simplified Chinese, and Traditional Chinese.
- Roles Based Provisioning Module: Brazilian Portuguese, Danish, Dutch, French, German, Italian, Japanese, Russian, Simplified Chinese, Spanish, Swedish, and Traditional Chinese.
7.13.1 Non-Installer Language Considerations

Although Designer is localized in nine languages, the Identity Manager drivers are localized in only five languages. If the driver language is not supported, the driver configuration defaults to English. All of the Identity Manager iManager plug-ins are translated into five languages. Four iManager plug-ins are translated into Spanish, Russian, Italian, and Portuguese.
8 Activating Novell Identity Manager Products

The following information explains how activation works for products based on Novell Identity Manager. Identity Manager, Integration Modules, and the Provisioning Module must be activated within 90 days of installation, or they will shut down. At any time during the 90 days, or afterward, you can choose to activate Identity Manager products.

You can activate Identity Manager and the drivers by completing the following tasks:
Section 8.
Carefully copy the contents, and make sure that no extra lines or spaces are included. You should begin copying from the first dash (-) of the credential (----BEGIN PRODUCT ACTIVATION CREDENTIAL) through the last dash (-) of the credential (END PRODUCT ACTIVATION CREDENTIAL-----).

WARNING: If Standard Edition activation is applied to an existing non-activated Advanced Edition system, it stops the Identity Manager Metadirectory server and drivers.

3 Open iManager.
8.4 Activating Identity Manager Drivers

Your Identity Manager purchase includes activations for service drivers and several common drivers.
9 Troubleshooting Identity Manager

Keep in mind the following information when you install Identity Manager:
- “Lotus Notes driver issue while installing Identity Manager” on page 77
- “The Identity Manager installation might sporadically fail on Windows 2008 SP2 32-bit platform” on page 77
- “Issues with invoking installer in the GUI mode” on page 80
- “When two events occur on the syntax stream attribute, the first attribute change is lost” on page 80
- “lcache issue during Identity Manager upgrade”
2 Extend Identity Manager schema through iManager by using the Import Convert Export Wizard under eDirectory Maintenance.
3 Create the default objects by using the LDIF file.
updates the connected system. If these attributes are modified before the engine reads them from the Identity Vault, the modified value is updated in the connected system and the intermediate change might be lost. Action: If the attribute is changed frequently, use an appropriate syntax other than SYN_STREAM. For example, if an XML object is stored in the STREAM attribute, use XMLData syntax instead of SYN_STREAM.
10 What’s New
Identity Manager 4.0.1 includes several new features and enhancements:
Section 10.1, “What’s New in Identity Manager 4.0.1”
Section 10.2, “What’s New in Identity Manager 4.0”
10.1 What’s New in Identity Manager 4.0.1
Section 10.1.1, “Identity Manager Advanced Edition Versus Standard Edition”
Section 10.1.2, “Telemetry”
Section 10.1.3, “Resource Request Activity”
Section 10.1.
10.1.4 New Reports Added to the Identity Reporting Module The following reports have been added: User Status Change within the Identity Vault: Displays significant events for the Identity Vault users. User Password change within the Identity Vault: Displays all user password changes within the Identity Vault. Access Requests by Recipient: Displays resource assignment workflow processes grouped by recipients.
For details on the reporting module and on the two reporting drivers, see the Identity Reporting Module Guide. For details on the predefined reports, see Using Identity Manager 4.0.1 Reports. 10.2.2 New Drivers The following new drivers are included with Identity Manager 4.0.1: “SharePoint Driver (.NET Remote Loader)” on page 85 “Salesforce.com Driver” on page 85 SharePoint Driver (.
10.2.6 Analyzer Analyzer allows you to diagnose, clean, and prepare identity data for management with Identity Manager. For more information, see the Analyzer 4.0.1 for Identity Manager Administration Guide. 10.2.7 Integrated Installer Identity Manager 4.0.1 comes with an integrated installer that installs and configures all of the Identity Manager components through one installer. The installer is used for new installations in small to medium environments.
III Upgrading Identity Manager
To upgrade Identity Manager components to Identity Manager 4.0.1, use the individual product installers. Upgrading from Identity Manager 4.0.1 Standard Edition to Advanced Edition has a different upgrade procedure, which involves only configuration changes. You do not need to run the Identity Manager installer for this upgrade. For more information on Identity Manager upgrade, see the Identity Manager 4.0.1 Upgrade and Migration Guide.
11 Upgrade Versus Migration
Before beginning, make sure you have reviewed the differences between an upgrade and a migration. See the Identity Manager 4.0.1 Upgrade and Migration Guide.
IV Uninstalling Identity Manager
If you need to uninstall Identity Manager, you must uninstall each component.
12 Uninstalling the Identity Manager Components
Uninstall the Identity Manager components in the order listed.
Section 12.1, “Removing Objects from eDirectory”
Section 12.2, “Uninstalling the Metadirectory Server”
Section 12.3, “Uninstalling the Remote Loader”
Section 12.4, “Uninstalling the Roles Based Provisioning Module”
Section 12.5, “Uninstalling the Identity Reporting Module Components”
Section 12.
12.2 Uninstalling the Metadirectory Server When Identity Manager is installed, there is an uninstall script that is placed on the Identity Manager server. It allows you to remove all services, packages, and directories that were created when Identity Manager was installed. Section 12.2.1, “Uninstalling on Linux/UNIX,” on page 94 Section 12.2.2, “Uninstalling a Non-root Installation,” on page 94 Section 12.2.3, “Uninstalling on Windows,” on page 94 12.2.
12.3.1 Uninstalling on Linux/UNIX To uninstall the Remote Loader on Linux/UNIX, run the uninstall script located at /root/idm/Uninstall_Identity_Manager/Uninstall_Identity_Manager. To execute the script, enter ./Uninstall_Identity_Manager. If you installed the Remote Loader as a non-root user, the idm directory is placed in the directory of the user that installed the Remote Loader. 12.3.
To execute the script, enter ./Uninstall\ Roles\ Based\ Provisioning\ Module\ for\ Novell\ Identity\ Manager. Windows: The procedure to uninstall the User Application is different for each of the supported Windows platforms. Windows 2003 SP2 (32-bit and 64-bit): In the Control Panel, select Add or Remove Programs > Roles Based Provisioning Module, then click Change/Remove.
Windows 2008 SP1 (32-bit and 64-bit): Click Programs and Features > JBossPostgreSQL, then right-click and select Uninstall. Windows 2008 R2 (64-bit): Click Programs and Features > JBossPostgreSQL, then right-click and select Uninstall. 12.5 Uninstalling the Identity Reporting Module Components The Identity Reporting Module consists of multiple components. Each component must be uninstalled in order to uninstall the Identity Reporting Module. Section 12.5.
12.6 Uninstalling iManager Linux: As root, execute the uninstall script located at /var/opt/novell/iManager/nps/UninstallerData/UninstalliManager. To execute the script, enter ./UninstalliManager. Windows: The procedure to uninstall iManager is different for each of the supported Windows platforms. Windows 2003 SP2 (32-bit and 64-bit): In the Control Panel, select Add or Remove Programs > Novell iManager, then click Change/Remove.
To execute the script, enter ./nds-uninstall. Windows: The procedure to uninstall eDirectory is different for each of the supported Windows platforms. Windows 2003 SP2 (32-bit and 64-bit): In the Control Panel, select Add or Remove Programs > Novell eDirectory, then click Change/Remove. Windows 2008 SP1 (32-bit and 64-bit): Click Programs and Features > Novell eDirectory, then right-click and select Uninstall.
Windows 2008 R2 (64-bit): Click Programs and Features > Designer for Identity Manager, then right-click and select Uninstall. 12.10 Uninstalling the Role Mapping Administrator 1 Access the installation directory of the Role Mapping Administrator. This directory is defined during the installation, so it can be different for each installation. 2 From the command line, stop the Role Mapping Administrator by running the stop script. Linux: stop.sh To execute the script, enter ./stop.sh Windows: stop.