8.2 Deployment Procedure

8.2.1 Creating Azure Services

This section outlines general steps for creating Azure services for use with Access Manager.

For more information, see the Azure documentation.

IMPORTANT: While creating services (such as availability sets, virtual networks, security groups, instances, and load balancers), ensure that you specify the same value for Location.

Perform the following steps to create Azure services:

  1. Log in to Azure.

  2. Create a Resource group, or identify an existing one, for use with Access Manager.

    1. In the Azure portal, click Create a resource.

    2. Search for resource group and select Resource group.

    3. Click Create.

    For more information about resource groups, see Azure Resource Manager Overview > Terminology > resource group.

    NOTE: Not all administrators may have rights to create a new resource group.

  3. Create an Availability Set, or identify an existing one, for use with Access Manager.

    NOTE: If you plan to configure load balancing for Identity Server and Access Gateway, create a separate availability set for each cluster type.

    1. In the Azure portal, click Create a resource.

    2. Search for availability set and select Availability Set.

    3. Click Create.

    4. Specify values for Name, Subscription, Resource group, and Location.

    5. Set Fault domains and Update domains to 2.

      NOTE: Keep the default values in the other fields.

    6. Click Create.

  4. Create a Virtual Network, or identify an existing one, for use with Access Manager.

    For this example configuration, all Access Manager components use the same virtual network.

    1. In the Azure portal, click New.

    2. Search for virtual network and select Virtual Network.

    3. Click Create.

    4. Configure the required network settings, such as Name, Subscription, Resource group, Location, Address Space, Subnet name, and Subnet address range.

      The following is an example configuration:

      • Name: NAM-subnet1
      • Address space: 10.10.10.0/24
      • Subnet name: default
      • Subnet address range: 10.10.10.0/24

    5. Click Create.

  5. Continue with Section 8.2.2, Creating and Deploying Virtual Machines.

8.2.2 Creating and Deploying Virtual Machines

This section outlines steps to create and deploy virtual machines for a basic setup of Access Manager, which includes an Administration Console, an Identity Server, an Access Gateway, and a user store.

Perform the following steps to create four virtual machines: one for Administration Console, one for Identity Server, one for Access Gateway, and one for the user store.

NOTE: If you are using Azure Active Directory as the user store, deploy virtual machines only for Access Manager components. Azure hosts and manages Azure Active Directory as a service on the cloud.

Perform the following steps to create and deploy a virtual machine:

  1. Log in to Azure.

  2. Click New in the upper left pane of the dashboard.

  3. In the search bar, search for SLES 12 SP5 or Red Hat Enterprise Linux 8.3 based on the operating system you want to use.

    When creating a virtual machine for Active Directory, select a Windows 2016 R2 image instead of SLES or RHEL. For more information about creating a Windows virtual machine, see Quickstart: Create a Windows virtual machine in the Azure portal.

    Each of these operating systems has its own licensing and associated costs. With the exception of the BYOS (Bring Your Own Subscription) option, each option includes a valid support license for the operating system.

    NOTE: SLES 12 SP5 has been selected here as an example configuration.

  4. Select SLES 12 SP5.

  5. Click Create.

  6. Configure the following settings in step 1 Basics:

    • Name: Specify a name for the virtual machine.

    • VM disk type: Select SSD or HDD based on your requirements. This selection affects the list of templates displayed for selection in Step 8.

    • User name: Specify the name of the account that you want to use for administering the virtual machine. This username is used for SSH access to the virtual machine after deployment.

    • Authentication type: Select SSH public key.

    • SSH public key: Copy the content of the id_rsa.pub file that you generated earlier and paste it here.

    • Subscription: Select the Azure subscription that should be used for the virtual machine.

    • Resource group: Select the resource group that you have created or determined in Step 2.

    • Location: Select the supported Azure location in which you want to create the virtual machine.

  7. Click OK.

  8. In 2 Size, click View all to see all available templates.

    You can filter this list based on disk type, vCPU, and memory.

    Each template has its own intended use cases, optimizations, and costs per hour of usage. Click a template that matches your requirements and the requirements of the Access Manager component that will later be installed on this virtual machine.

    NOTE: You must select a virtual machine size of the Standard type if you need to configure an Azure load balancer later.

  9. Click Select.

  10. In 3 Settings, review networking, high availability, storage, and monitoring options by clicking the > icon.

    • High Availability: While deploying a virtual machine for Identity Server or Access Gateway, select the appropriate availability set that was created for each type in Step 3.

      For clustering and load balancing, place Identity Server virtual machines in one availability set and Access Gateway virtual machines in a different availability set.

    • Storage: Keep the default value Yes for Use managed disks.

    • Network > Virtual network: Click Virtual network and select the virtual network that you created in Step 4.

    • Network > Public IP Address: (Optional) Configure the Public IP Address for this virtual machine, or keep the default selection (dynamic addressing).

      If you do not specify a static address (which adds an additional cost), the external IP address used to reach each virtual machine changes with each reboot.

    • Network > Network Security Group (firewall): Accept the default network security group to allow incoming SSH access requests to the virtual machine used for Access Manager.

      The instructions to further configure these security groups are in a later section of the guide.

      In an advanced setup where you install multiple Administration Consoles, Identity Servers, and Access Gateways, these virtual machines should use the security group created for the first virtual machine running that component type.

    • Extension: Keep the default value.

    • Auto-shutdown: By default, this is set to Off.

      It is recommended that you do not set this option to On in a production environment. Enabling this option might result in a corrupted Access Manager setup.

      If it is necessary to enable Auto-shutdown, the system administrator must set up a cron job that runs several minutes before the shutdown time specified on the affected virtual machines. The cron script must be placed in the root user's crontab and must execute the following commands:

      1. /etc/init.d/novell-idp stop (on the virtual machine containing Identity Server)

      2. /etc/init.d/novell-ac stop (on the virtual machine containing Administration Console)

      This script shuts down Access Manager safely before the Azure Auto-shutdown happens.

      IMPORTANT: Before you manually shut down an Azure virtual machine containing an Access Manager installation, first run the /etc/init.d/novell-[ac|idp] stop command. This ensures that the Access Manager instance is in a safe state.

    • Monitoring: Disable Boot diagnostics and Guest OS diagnostics if you do not want to monitor for those options.

      You can change these settings later if you need these functionalities.

  11. Click OK.

  12. In 4 Summary, review the summary of settings, terms of use, privacy policies, and cost of use.

  13. Click Create.

    Azure begins provisioning the virtual machine as you have configured it. This process may take a few minutes.

  14. Verify SSH access to the virtual machine after deployment completes by running the following command:

    ssh -i <keyfile> <username>@<publicIP>

    Where:

    • <keyfile>: The private key file created with ssh-keygen.
    • <username>: The User name specified in Step 6 while deploying the virtual machine.
    • <publicIP>: The public IP address assigned to the virtual machine. You can view this in the dashboard by clicking the virtual machine.

  15. Repeat Step 1 to Step 14 to create additional virtual machines.

  16. Continue with Section 8.2.3, Configuring Network Security Groups.
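
The pre-shutdown cron job described under Auto-shutdown in Step 10, as an added example that is not part of the product documentation. The script path, the log file, and the 18:50 schedule (for an assumed 19:00 Auto-shutdown) are assumptions; the two init scripts are the ones named in that step.

```shell
#!/bin/sh
# Added example, not from the product documentation: pre-shutdown hook for cron.
# INIT_DIR and LOG_FILE are overridable assumptions; the service names are the
# two init scripts named in the Auto-shutdown setting.
INIT_DIR="${INIT_DIR:-/etc/init.d}"
LOG_FILE="${LOG_FILE:-/var/log/nam-pre-shutdown.log}"

# Stop every Access Manager service whose init script exists on this VM.
# Returns 0 if all stops succeeded, 1 if any stop failed,
# 2 if neither init script is present (wrong VM or incomplete install).
stop_access_manager() {
    found=0
    failed=0
    for svc in novell-idp novell-ac; do
        script="$INIT_DIR/$svc"
        [ -x "$script" ] || continue
        found=1
        if "$script" stop >>"$LOG_FILE" 2>&1; then
            echo "$(date -u +%FT%TZ) $svc stopped" >>"$LOG_FILE"
        else
            echo "$(date -u +%FT%TZ) $svc stop FAILED" >>"$LOG_FILE"
            failed=1
        fi
    done
    [ "$found" -eq 1 ] || return 2
    return "$failed"
}

# Run only when invoked with --run, so sourcing the file has no side effects.
if [ "${1:-}" = "--run" ]; then
    stop_access_manager
    exit $?
fi

# Root crontab entry (sudo crontab -e), assuming Auto-shutdown at 19:00 and this
# file saved as /usr/local/sbin/nam-pre-shutdown.sh (hypothetical path):
# 50 18 * * * /usr/local/sbin/nam-pre-shutdown.sh --run
```

A non-zero exit status in the log before a scheduled shutdown means the services were not stopped cleanly and the virtual machine should be checked before the next start.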

8.2.3 Configuring Network Security Groups

In the previous section, Creating and Deploying Virtual Machines, a separate network security group was created for each virtual machine. You must modify these security groups to open the required incoming ports, depending on the Access Manager component type that will be installed on the virtual machine.

Edit the network security groups for Administration Console, Identity Server, and Access Gateway to configure the ports based on requirements of that component.

For information about the required ports, see Table 1-7, Administration Console on Cloud, Table 1-8, Identity Server on Cloud, and Table 1-9, Access Gateway on Cloud.

  1. In the Azure portal, click All resources.

    You can filter the list using the fields at the top of the page.

  2. Find and click the desired network security group created in Step 10.

  3. Click Inbound security rules > Add.

  4. Specify details in the fields.

    The following is an example configuration:

    • Source: Any
    • Source port range: *
    • Destination: Any
    • Destination port range: 8443
    • Protocol: TCP
    • Action: Allow
    • Priority: 100
    • Name: Administration Console HTTPS
    • Description: HTTPS port for Access Manager Administration Console.

  5. Repeat Step 3 and Step 4 for each inbound port rule to be added as listed in Table 1-7, Administration Console on Cloud, Table 1-8, Identity Server on Cloud, and Table 1-9, Access Gateway on Cloud, depending on the component type that will use this network security group.

  6. Continue with Changing the Private IP Address from Dynamic to Static.
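
The inbound rule from Step 4 expressed as an Azure CLI call, as an added example that is not part of the product documentation. The resource group, NSG and rule names and the 203.0.113.0/24 administrator range are constructed placeholders; the function also warns when a rule leaves the source unrestricted, as the example values above do.

```shell
#!/bin/sh
# Added example, not from the product documentation.
AZ="${AZ:-az}"   # set AZ=echo to print the arguments instead of calling Azure

# usage: add_inbound_rule <resource-group> <nsg> <rule-name> <priority> <tcp-port> [source]
# Creates one inbound TCP allow rule. Source defaults to '*' (the portal's "Any").
# Returns 1 without calling az when priority or port is not a valid number.
add_inbound_rule() {
    rg=$1 nsg=$2 name=$3 prio=$4 port=$5 src="${6:-*}"
    for n in "$prio" "$port"; do
        case $n in
            ''|*[!0-9]*) echo "priority and port must be integers" >&2; return 1 ;;
        esac
    done
    # User-defined NSG rules take priorities 100-4096; lower numbers win.
    if [ "$prio" -lt 100 ] || [ "$prio" -gt 4096 ]; then
        echo "priority $prio outside 100-4096" >&2; return 1
    fi
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port $port outside 1-65535" >&2; return 1
    fi
    # The portal label "Any" is written '*' on the command line.
    case $src in Any) src='*' ;; esac
    case $src in
        '*'|Internet) echo "warning: $name opens TCP/$port to any source" >&2 ;;
    esac
    "$AZ" network nsg rule create \
        --resource-group "$rg" --nsg-name "$nsg" --name "$name" \
        --priority "$prio" --direction Inbound --access Allow --protocol Tcp \
        --source-address-prefixes "$src" --source-port-ranges '*' \
        --destination-address-prefixes '*' --destination-port-ranges "$port"
}

# The Step 4 rule as written (Source: Any), then the same rule limited to an
# administrator network. All names and the address range are constructed.
# add_inbound_rule nam-rg nam-ac-nsg AdminConsole-HTTPS 100 8443
# add_inbound_rule nam-rg nam-ac-nsg AdminConsole-HTTPS 100 8443 203.0.113.0/24
```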

8.2.4 Changing the Private IP Address from Dynamic to Static

The private IP addresses of Access Manager virtual machines must be static for proper communications between these devices.

Perform the following steps for each virtual machine:

  1. In the Azure portal, click Virtual machines > name of the virtual machine.

  2. Under Settings, click Networking.

  3. Click the Network Interface.

  4. In the left menu, click IP configurations under Settings.

  5. Click the IP configuration line.

  6. Under Assignment, click Static.

  7. In IP address, specify the desired IP address.

  8. Click Save.

8.2.5 Installing Access Manager

Prerequisites

  • Ensure that you meet the network requirements listed in Network Requirements.

  • Edit the /etc/hosts file on each virtual machine and add an entry to resolve its hostname to its private IP address.

  • Ensure that the virtual machines do not have a default firewall configuration that could prevent proper installation and use of the Access Manager components.

  • Ensure that the required port rules in the network security groups have been created. See Section 8.2.3, Configuring Network Security Groups.

  • Before starting Access Manager installations, ensure that the additional packages listed in the prerequisites sections of each Access Manager component are added.

Important Points to Consider before Installation

You must know the following points before you start the installation:

Installation Procedure

Perform the following steps to install Access Manager components on virtual machines:

IMPORTANT: In the following steps, run the Access Manager installation scripts as a root user using sudo. For example, sudo sh <script-name>.

  1. Copy the novell-access-manager-<version>.tar.gz file using Secure Copy (scp) to the virtual machines on which you will install Administration Console and Identity Server.

    The following is a sample scp command that shows how to copy the installer using the SSH key and username specified while creating the virtual machine:

    scp -i <key> <path/filename_of_tarball> <username>@<vm_ip>:/<path>

  2. Copy the novell-access-gateway-<version>.tar.gz file to the virtual machine on which you will install Access Gateway.

  3. Install Administration Console, Identity Server, and Access Gateway on respective virtual machines.

    For information about how to install these components, see Installing Administration Console, Installing Identity Server, and Installing Access Gateway.

    IMPORTANT: While installing Identity Server and Access Gateway, specify the internal IP address of the Administration Console machine. This ensures that communications among machines happen inside the firewall.

  4. Configure Identity Server and Access Gateway.

    For information about how to configure these components, see Setting Up a Basic Access Manager Configuration in the NetIQ Access Manager 5.0 Administration Guide.