9.2 Deployment Procedure

The deployment procedure consists of the following steps:

For information about the recommended way for deploying Access Manager on AWS EC2, see Figure 1-7.

IMPORTANT: The LDAP server and web services must be deployed in the public cloud along with Identity Server and Access Gateway.

A VPN connection from Identity Server and Access Gateway in the public cloud to the LDAP user store and web servers in the on-premises deployments is not supported.

9.2.1 Creating AWS EC2 Services

This section outlines steps for creating AWS EC2 services to use with Access Manager. For more information, see the Amazon Elastic Compute Cloud Documentation.

Perform the following steps to create AWS EC2 services:

  1. Log in to AWS Management Console.

  2. Click Services and create the following services:

    Service: VPC

    Steps:

    1. Click Services > VPC under Networking & Content Delivery.

    2. Click Start VPC Wizard.

    3. Select a VPC configuration type and click Select.

    4. Specify the details in the form, and then click Create VPC.

      This creates a private network of the specified size. VPC and subnet creation use the CIDR notation for address ranges. The largest VPC size is a /16 network.

    For more information, see the Amazon Virtual Private Cloud Documentation.

    IMPORTANT: Creating a VPC using Start VPC Wizard also creates the subnets, an Internet gateway, and a route table for the VPC. You can view or edit these items as follows:

    Subnets

    1. In the left menu, click Subnets.

    2. Locate the subnet associated with this VPC.

    3. Select the subnet, verify the details, and edit if required.

    Internet gateways

    1. In the left menu, click Internet Gateways.

    2. Locate the Internet gateways associated with this VPC.

    3. Select the Internet gateways, verify the details, and edit if required.

    Route table

    1. In the left menu, click Route Tables.

    2. Select the route table that was automatically created for this VPC.

    3. In the Routes tab, click Edit.

    4. Click Add another route.

    5. In Destination, specify 0.0.0.0/0.

    6. In Target, select the Internet gateway that was created for this VPC (see Internet gateways above).

    7. Click Save.

  3. Continue with Creating and Deploying Instances.

9.2.2 Creating and Deploying Instances

This section outlines steps to create and deploy instances for a basic setup of Access Manager. A basic setup includes an Administration Console, an Identity Server, an Access Gateway, and a user store.

Perform the following steps to create four instances: One for Administration Console, one for Identity Server, one for Access Gateway, and one for the Active Directory user store.

  1. Click Services > EC2.

  2. Click Launch Instance.

  3. Select the SLES 12 SP5 or RHEL 8.3 image if you are creating this instance for an Access Manager component (Administration Console, Identity Server, or Access Gateway).

    When creating an instance for the Active Directory user store, select a Windows 2012 R2 image instead of SLES or RHEL.

    All instances that you create for deploying Access Manager components (Administration Console, Identity Server, or Access Gateway) must have the same operating system type (SLES or RHEL).

  4. Select the instance type that meets requirements of the base operating system and deployment of Access Manager components. See NetIQ Access Manager System Requirements.

    Each type has its own instance configuration settings, optimizations, and associated costs.

  5. Click Next: Configure Instance Details.

    Ensure that the instance is using the correct VPC and subnet.

    • Auto-assign Public IP: Set to Enable.

    • Network Interfaces: Specify a static IP address in Primary IP.

  6. Click Next: Add Storage.

    The default storage size is 10 GB. Change it as per your requirement.

  7. Click Next: Add Tags.

    Add tags as desired. Tags enable you to organize instances. For example, you can add the following two tags to each instance:

    • A tag indicating what the instance is being used for

    • A tag indicating who is the owner of this machine

  8. Click Next: Configure Security Group.

    Security groups are virtual firewall rules for groups of instances. It is recommended to create a separate security group for each group of instances with the same firewall requirements.

    For example, you can configure a security group for all nodes of Administration Console, one security group for all nodes of Identity Server, and one security group for all nodes of Access Gateway. By default, a new security group only allows incoming traffic on port 22, so that you can only connect to the instance by using SSH.

    For more information, see Amazon EC2 Security Groups for Linux Instances.

  9. Create a new security group; specify a name and description for it.

    Add additional port rules before installing the Access Manager components. For information about required ports, see Table 1-7, Table 1-8, and Table 1-9.

  10. Click Review and Launch.

  11. After reviewing the details, click Launch.

  12. Select an existing key pair or create a new one.

    This key pair is used for SSH access to the instance. You can use the same key pair with multiple machines.

  13. Click Download Key Pair.

    IMPORTANT: You can connect to and manage your instances only using the private key. Therefore, do not lose the private key after downloading it.

  14. Repeat Step 1 to Step 13 and create other instances.

  15. Continue with Installing Access Manager.

9.2.3 Installing Access Manager

Prerequisites

  • Ensure that you meet the requirements listed in Network Requirements.

  • Edit the /etc/hosts files on each instance and add an entry to resolve its hostname to its private IP address.

  • Create port rules in the various security groups. See Step 8 and Step 9 in Creating and Deploying Instances. For the list of ports, see Table 1-7, Table 1-8, and Table 1-9.

  • Before starting Access Manager installation, ensure that the additional packages listed in the prerequisites sections of each Access Manager component are added.

  • Verify the SSH connectivity to the instances. The following is a sample syntax for verifying the connectivity:

    ssh -i <key_name> ec2-user@<instance_public_ip>

    To view the public IP address of an instance, click Instances > [instance] > Description.
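The following added Python check (not part of the original guide) verifies that the static primary IP addresses planned for the four instances fit the subnet and VPC chosen in Creating AWS EC2 Services, and renders the /etc/hosts entries this prerequisite asks for; the CIDRs and hostnames are constructed, and the reserved-address rule is standard AWS VPC behaviour rather than something the guide states.

```python
import ipaddress

# Constructed sample plan for the basic four-instance setup (hypothetical values).
VPC_CIDR = "10.10.0.0/16"
SUBNET_CIDR = "10.10.1.0/24"
INSTANCES = {
    "nam-admin": "10.10.1.10",  # Administration Console
    "nam-idp": "10.10.1.11",    # Identity Server
    "nam-ag": "10.10.1.12",     # Access Gateway
    "nam-ad": "10.10.1.20",     # Active Directory user store
}


def validate_network_plan(vpc_cidr, subnet_cidr, instances):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    subnet = ipaddress.ip_network(subnet_cidr, strict=True)
    if vpc.prefixlen < 16:
        problems.append(f"VPC {vpc} is larger than the /16 maximum")
    if not subnet.subnet_of(vpc):
        problems.append(f"subnet {subnet} is not inside VPC {vpc}")
    # AWS reserves the first four and the last address of every subnet
    # (assumed AWS behaviour, not stated in the guide).
    base = subnet.network_address
    reserved = {base, base + 1, base + 2, base + 3, subnet.broadcast_address}
    seen = {}
    for host, ip_str in instances.items():
        ip = ipaddress.ip_address(ip_str)
        if ip not in subnet:
            problems.append(f"{host}: {ip} is outside subnet {subnet}")
        elif ip in reserved:
            problems.append(f"{host}: {ip} is an AWS-reserved address")
        if ip in seen:
            problems.append(f"{host}: {ip} is already assigned to {seen[ip]}")
        seen[ip] = host
    return problems


def hosts_entries(instances):
    """Render the /etc/hosts lines (private IP -> hostname) to add on each instance."""
    return [f"{ip}\t{host}" for host, ip in instances.items()]
```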

IMPORTANT: Re-importing Identity Server and Access Gateway is not supported.

Installation Procedure

Perform the following steps to install Access Manager components on the respective instances:

In the following steps, run the Access Manager installation scripts as a root user using sudo. For example, sudo sh <script-name>.

  1. Copy the novell-access-manager-<version>.tar.gz file using Secure Copy (scp) to the instances on which you will install Administration Console and Identity Server.

    The following is a sample scp command that shows how to copy the installer using the SSH key and username specified while creating the instance:

    scp -i <keyname> <path&name_of_file_to_copy> ec2-user@<instance_ip>:/<directory>

  2. Copy the novell-access-gateway-<version>.tar.gz file to the instance on which you will install Access Gateway.

  3. Install Administration Console, Identity Server, and Access Gateway on the respective instances.

    For information about how to install these components, see Installing Administration Console, Installing Identity Server, and Installing Access Gateway Service.

    IMPORTANT: While installing Identity Server and Access Gateway, specify the internal IP address of the Administration Console machine. This ensures that communications among machines happen inside the firewall.

  4. Configure Identity Server and Access Gateway.

    For information about how to configure, see Setting Up a Basic Access Manager Configuration in the NetIQ Access Manager 5.0 Administration Guide.

9.2.4 (Optional) Creating an AWS EC2 Load Balancer

If multiple Access Gateway and Identity Server instances have been created and configured for clustering, you can configure an AWS EC2 load balancer for each cluster to balance the load of incoming requests across the clustered instances. A separate load balancer is used for an Identity Server cluster and an Access Gateway cluster.

The following procedures note the differences in configuration details between the Identity Server load balancer and the Access Gateway load balancer wherever they apply.

Repeat the steps in Creating Target Groups, Creating an Elastic IP Address, and Creating a Load Balancer, and create separate target groups, elastic IP addresses, and load balancers for Identity Server and Access Gateway clusters.

Creating Target Groups

A target group associates the load balancer with the IP addresses of the instances (targets) among which the load will be distributed.

IMPORTANT: For each load balancer, create two target groups: one for HTTP and one for HTTPS.

For more information about target groups, see Target group.

Perform the following steps to create a target group:

  1. In the EC2 Dashboard, click Target Groups under LOAD BALANCING.

  2. Click Create target group.

  3. Specify the following details:

    Target group name: Specify a name for the target group.

    Protocol: Select TCP.

    Port: Specify the port on which the server is configured for listening.

    IMPORTANT: You need to create two separate target groups for each load balancer, one for HTTP and one for HTTPS.

    For Access Gateway, specify the following values:

    • If you are creating the target group for the HTTPS traffic, specify 443.

    • If you are creating the target group for the HTTP traffic, specify 80.

    For an Identity Server listening on the default ports of 8080/8443, specify the following values:

    • If you are creating the target group for the HTTPS traffic, specify 8443.

    • If you are creating the target group for the HTTP traffic, specify 8080.

    You can use iptables to configure the listeners on Identity Server to use other ports. See Translating Identity Server Configuration Port.

    Target type: Select ip.

    VPC: Select the same VPC that you have selected for the instances of Access Manager components.

    Health Check Settings

    Protocol: When creating a target group for the HTTPS protocol, select HTTPS. When creating a target group for the HTTP protocol, select HTTP. The load balancer uses this protocol while performing health checks.

    Path: Specify the destination path for health checks. For Identity Server, specify /nidp/app/heartbeat. For Access Gateway, specify /nesp/app/heartbeat.

    Advanced health check settings: Keep the default values.

  4. Click Create.

  5. Enable session stickiness.

    1. Select the target group you have created.

    2. In the Description tab, click Edit attributes.

    3. Select Enable for Stickiness.

  6. Add the IP addresses of instances (targets) among which load will be distributed.

    1. In the edit mode, select the Targets tab, and then click Edit.

    2. Click the + (Register targets) icon.

    3. Specify the following details:

      Network: Populated with the VPC that you have selected under VPC in Step 3.

      IP: Specify the private IP address of the Identity Server or Access Gateway instance (target) that you want to add to the load balancer.

      Port: Populated with the port value that you have specified for Port in Step 3.

    4. Click Add to list.

    5. Click Register.

    6. Repeat Step 6.b to Step 6.e and add other instances of the same component type that you want to add in the load balancer.

Creating an Elastic IP Address

An elastic IP address is a public IPv4 address, which is reachable from the Internet. Elastic IP addresses are used as the listeners for the load balancers.

  1. Click Services > EC2.

  2. Click Elastic IPs.

  3. Click Allocate new address.

  4. Click Allocate.

    A static IPv4 address is allocated that is not used by any other resource.

  5. Click Close.

Creating a Load Balancer

Perform the following steps to create a load balancer:

  1. In the left menu, click Load Balancers.

  2. Click Create Load Balancers.

  3. Click Create under Network Load Balancer.

  4. Specify the following details:

    Name: Specify a name for the load balancer.

    Scheme: Select internet-facing.

    Listeners: Specify the listener ports as follows:

    For Identity Server:

    • Load Balancer Protocol: TCP

    • Load Balancer Port: 8080

    Click Add listener and specify the following:

    • Load Balancer Protocol: TCP

    • Load Balancer Port: 8443

    For Access Gateway:

    • Load Balancer Protocol: TCP

    • Load Balancer Port: 80

    Click Add listener and specify the following:

    • Load Balancer Protocol: TCP

    • Load Balancer Port: 443

    Availability Zones: Specify the following:

    1. Select the same VPC that you have created earlier for Access Manager components.

    2. Select the Availability Zone in which Access Manager instances are available.

      The load balancer routes traffic to the targets in the specified Availability Zones only.

    3. Select the Subnet where the Access Manager component, for which you are configuring this load balancer, is available.

    4. In Elastic IP, select the elastic IP address you created for this load balancer in Creating an Elastic IP Address.

    Tags: Do not make any change.

  5. Click Next: Configure Routing.

  6. Under Target group, specify the following details:

    Target group: Select Existing target group.

    Name: Select a target group from the list. You can select only one target group. For example, select the target group that you have created for the HTTP protocol.

    After creating the load balancer, you need to modify the listener port 8443 to use the target group that is configured for the HTTPS protocol. See Step 12 of this section.

    Protocol: Populated with the value that you have configured in the specified target group. Review to ensure that the value is listed correctly.

    Port: Populated with the value that you have configured in the specified target group. Review to ensure that the value is listed correctly.

    Target type: Populated with the value that you have configured in the specified target group. Review to ensure that the correct value is listed.

  7. Under Health Checks, review the following details:

    Protocol: Populated with HTTPS or HTTP based on the configuration of the target group you selected in Step 6. See Creating Target Groups.

    Path: Populated with the health URL that you configured in the target group selected in Step 6. See Creating Target Groups.

    Advanced health check settings: Keep the default values.

  8. Click Next: Register Targets.

    The list of all targets registered with the target group that you selected is displayed. You can modify this list only after creating the load balancer.

  9. Click Next: Review.

  10. Verify that the load balancer details are correct.

  11. Click Create and then click Close.

  12. Update the listener ports to use the appropriate target groups.

    1. Select the load balancer you have created.

    2. Select the Listeners tab.

      By default, both listeners (HTTP and HTTPS) are configured to forward to the same target group that you have created in Step 6 > Name.

    3. Select the HTTPS listener (8443 for Identity Server or 443 for Access Gateway).

    4. Click Actions > Edit to change the target group of the HTTPS listener.

    5. In Default target group, select the HTTPS target group for that component type (Identity Server or Access Gateway).

    6. Click Save.
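As an added example (not from the original guide), the following Python check compares a load balancer and its target groups against the values prescribed in Creating Target Groups and Creating a Load Balancer, and flags the state that Step 12 corrects: the HTTPS listener still forwarding to the HTTP target group. The VPC id, group names and the sample load balancer are constructed.

```python
# Target-group values per component, as given in the procedure above.
EXPECTED = {
    "identity-server": {"http": 8080, "https": 8443, "health_path": "/nidp/app/heartbeat"},
    "access-gateway": {"http": 80, "https": 443, "health_path": "/nesp/app/heartbeat"},
}

def check_target_group(name, tg, component, vpc_id):
    """Problems in one target group against the values the procedure prescribes."""
    exp = EXPECTED[component]
    kind = {exp["http"]: "http", exp["https"]: "https"}.get(tg["port"])
    if kind is None:
        return [f"{name}: port {tg['port']} is not {exp['http']} or {exp['https']} for {component}"]
    checks = [
        (tg["protocol"] == "TCP", "protocol must be TCP"),
        (tg["target_type"] == "ip", "target type must be ip"),
        (tg["vpc"] == vpc_id, f"must be in the instances' VPC {vpc_id}"),
        (tg["health_protocol"].lower() == kind, f"health check protocol must be {kind.upper()}"),
        (tg["health_path"] == exp["health_path"], f"health check path must be {exp['health_path']}"),
        (tg["stickiness"], "session stickiness must be enabled"),
    ]
    return [f"{name}: {msg}" for ok, msg in checks if not ok]

def check_load_balancer(lb, target_groups, vpc_id):
    """Problems in a load balancer, including the listener-to-target-group mapping that
    Step 12 corrects: each listener must forward to the target group on its own port."""
    problems = [] if lb["scheme"] == "internet-facing" else ["scheme must be internet-facing"]
    for name, tg in target_groups.items():
        problems += check_target_group(name, tg, lb["component"], vpc_id)
    for lst in lb["listeners"]:
        tg = target_groups.get(lst["target_group"])
        if tg is None:
            problems.append(f"listener {lst['port']}: unknown target group {lst['target_group']}")
        elif tg["port"] != lst["port"]:
            problems.append(f"listener {lst['port']}: forwards to {lst['target_group']} "
                            f"(port {tg['port']}), expected the port {lst['port']} target group")
    return problems

# Constructed sample (hypothetical names): an Identity Server load balancer right after
# Step 11, when both listeners still forward to the HTTP target group.
VPC_ID = "vpc-example"
TARGET_GROUPS = {
    "idp-http": {"protocol": "TCP", "port": 8080, "target_type": "ip", "vpc": VPC_ID,
                 "health_protocol": "HTTP", "health_path": "/nidp/app/heartbeat", "stickiness": True},
    "idp-https": {"protocol": "TCP", "port": 8443, "target_type": "ip", "vpc": VPC_ID,
                  "health_protocol": "HTTPS", "health_path": "/nidp/app/heartbeat", "stickiness": True},
}
LB_BEFORE_STEP_12 = {"component": "identity-server", "scheme": "internet-facing",
                     "listeners": [{"port": 8080, "target_group": "idp-http"},
                                   {"port": 8443, "target_group": "idp-http"}]}
```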