You can install OpenText Identity Governance and the required components in many different configurations, depending on network topology and the identity management products with which it integrates. This section presents a few common installation scenarios and recommendations to inform your installation choices:
Section 2.3.1, OpenText Identity Governance in a New Environment
Section 2.3.2, OpenText Identity Governance and Existing Components
Section 2.3.3, Installing OpenText Identity Governance to Integrate with OpenText Identity Manager
Section 2.3.4, Ensuring High Availability or Load Balancing for OpenText Identity Governance
You must prepare a new environment with the required components for OpenText Identity Governance. If you do not have all of the required components in your environment, you must install them before starting the OpenText Identity Governance installation. The OpenText Identity Governance installer includes an installer for Identity Reporting and Workflow Engine. In addition to the OpenText Identity Governance installer, the software download page provides the installer for OSP. You must download the other required components from the manufacturer’s website. For more information, see Section 3.0, Installing Required Components.
For best performance, do not install OpenText Identity Governance on the same server as the databases, but ensure that the databases and OpenText Identity Governance run in the same subnetwork. You must determine where you will install the required components and the OpenText Identity Governance components. For more information, see Section 2.3.5, Recommended Deployment Scenarios.
You must install the OpenText Identity Governance components in a specific order, which depends on whether you plan to integrate OpenText Identity Governance with OpenText Identity Manager. If you are integrating with OpenText Identity Manager, the order is different. For more information, see Section 2.3.3, Installing OpenText Identity Governance to Integrate with OpenText Identity Manager.
To use OpenText Identity Governance without integrating with Identity Manager Advanced Edition, install the components in the following order:
(Conditional) LDAP identity service with admin and user containers.
To use an identity service for the data source, ensure that you have Active Directory or OpenText eDirectory already installed.
(Optional) Audit server, if enabling auditing during installation.
Zulu OpenJDK on the server that runs OpenText Identity Governance.
Apache Tomcat on the server that runs OpenText Identity Governance.
One of the supported databases in the same subnetwork as OpenText Identity Governance.
OSP or OpenText Access Manager.
OpenText Identity Governance, Identity Reporting, and Workflow Engine
(Optional) Identity Reporting, if not installed at the same time as OpenText Identity Governance
(Optional) Workflow Engine, if not installed at the same time as OpenText Identity Governance, is installed on a server specific to workflow
(Optional) Audit server if enabling auditing after the installation.
If you are installing OpenText Identity Governance into an environment that already has a supported version of the following components, you can use these components for the OpenText Identity Governance installation. Those components are:
Zulu OpenJDK must run on the server where you will install OpenText Identity Governance
Apache Tomcat that runs against the Zulu OpenJDK on the server where you will install OpenText Identity Governance
Identity service of the Identity Manager Identity Vault (eDirectory); the identity service in Identity Manager is always eDirectory
Authentication service of OSP or Access Manager
A supported database server on the same subnetwork as OpenText Identity Governance
ActiveMQ
NOTE:The version of Identity Reporting that comes with OpenText Identity Manager contains different reports than the version that comes with OpenText Identity Governance. If you want the OpenText Identity Governance reports, you must install the version of Identity Reporting that comes with OpenText Identity Governance. If you have a prior version of Identity Reporting that came with OpenText Identity Governance, you must upgrade that version of Identity Reporting to match what comes with the version of OpenText Identity Governance that you install.
Ensure that you review the prerequisites and requirements provided in this chapter for each existing component. You should also consider the following:
Availability and suitability of existing components for OpenText Identity Governance use, including capacity, throughput, and utilization.
Additional processing load OpenText Identity Governance can place on existing components.
Resources needed to host OpenText Identity Governance components you must install in the environment.
OWASP best practices for securing your Apache Tomcat environment on the OWASP Wiki page.
To integrate OpenText Identity Governance with Identity Manager Advanced Edition, you can use some of the components that you installed with OpenText Identity Manager: OSP and Identity Reporting. The OpenText Identity Governance installation program needs the accounts and permissions to access, configure and modify the existing OpenText Identity Manager components.
If you want to use Identity Reporting as part of your OpenText Identity Governance solution, but you already have OpenText Identity Manager installed and running, you must install the version of Identity Reporting that comes with OpenText Identity Manager. Identity Reporting that comes with OpenText Identity Manager uses the security module of OpenText Identity Manager to determine who has access to the reports.
To install OpenText Identity Governance with OpenText Identity Manager, install the components in the following order:
Identity Manager Advanced Edition.
(Optional) Audit server, if enabling auditing during OpenText Identity Governance installation.
Use the OpenText Identity Manager Identity Vault as the identity service, or use a supported LDAP directory.
Zulu OpenJDK on the server that runs OpenText Identity Governance.
Apache Tomcat on the server that runs OpenText Identity Governance.
One of the supported databases in the same subnetwork as OpenText Identity Governance.
Ensure that you use an LDAP-based bootstrap administrator during the OpenText Identity Governance installation for security reasons. For more information, see Section 4.1.1, Using the Bootstrap Administrator.
OpenText Identity Governance.
(Conditional) If you are using OSP as the authentication service and the identity service is an OpenText eDirectory server or an Active Directory server that is separate from OpenText Identity Manager, you must manually extend the schema on that server or the OSP authentications do not work. For more information, see Section 9.2.2, Extending the Schema for OSP in the Identity Service not Part of Identity Manager.
(Optional) If you want the OpenText Identity Governance reports, install the version of Identity Reporting that comes with OpenText Identity Governance. If you want the OpenText Identity Manager reports, you must install the version of Identity Reporting on a separate server that comes with OpenText Identity Manager.
(Optional) Audit server if enabling auditing after the installation
For more information about these activities, see Integrating Single Sign-on Access with Identity Manager Using OSP.
You must review the prerequisites and requirements for OpenText Identity Governance and gather the server and account information necessary to complete the installation process. For more information, see the following:
High availability ensures efficient manageability of critical network resources including data, applications, and services. Load balancing allows you to divide the workload on a component across multiple instances of that component. OpenText Identity Governance supports high availability and load balancing through stateless clustering or Hypervisor clustering, such as VMware Vmotion. When planning a high-availability or load balancing environment, the following considerations apply:
To manage the availability of your network resources for OpenText Identity Governance, use the High Availability tools provided with your operating system. Always have the latest patches installed for your operating system.
To provide load balancing for OpenText Identity Governance, you can run OpenText Identity Governance in a stateless cluster where the load balancers shift authentication requests among the various OSP servers. During installation, you must specify a URL that drives client access through your L4 switch or load balancer rather than specifying the host name and port for the Apache Tomcat server.
Each node in the cluster must have a persistent unique runtime identifier. For example, node1 or ProdNode1. For more information, see Section 9.6.1, Configuring the Nodes in the Apache Tomcat Cluster.
Each OpenText Identity Governance runtime instance uses this identifier to claim and identify tasks that it processes. Some of these tasks are long-running, so the identifier must remain unique after a restart of the environment, where an IP address or another identifier might not remain the same.
The configuration settings and keystore passwords for OSP and OpenText Identity Governance must be identical for all nodes in the cluster.
When you are running OpenText Identity Governance, Identity Reporting, and OSP in a clustered environment, ensure that you run the OpenText Identity Governance Configuration Update utility on each server in the cluster to get the information populated on each server and also use the same keystore files.
When installing an identity service, consider the following requirements:
Configure a load balancer with a DNS host name and port for the identity service.
The identity service can use the same load balancer specified for OpenText Identity Governance, a dedicated load balancer, or a single Apache Tomcat instance.
Specify the values for the appropriate load balancer instead of the connection settings to the Apache Tomcat instance. For more information, see Application address in Step 6.
The configuration files must be on each identity service deployment in the environment. For example, if using OSP, the osp.war file must be on each deployment of OSP in the environment.
After the first installation, copy and use the same Identity Service Keystore and Database Encryption Keystore files on all nodes for all deployments. For more information, see Section 4.0, Installing an Authentication Service.
When installing OpenText Identity Governance, consider the following requirements:
Configure a load balancer with a DNS host name and port for OpenText Identity Governance use.
OpenText Identity Governance can use a dedicated load balancer or the same load balancer for the identity service.
Specify the values for the load balancer instead of the host and port for the Apache Tomcat connection. For more information, see Application address in Step 8.
On the primary (or master) node, perform the steps for configuring the databases. For more information, see Database details in Step 8.
For each installation on a secondary node, do not perform any database configuration steps. Instead, specify the settings for connecting to the previously configured databases. For more information, see Database details in Step 8.
To silently install OSP, OpenText Identity Governance, Identity Reporting, or Workflow Engine on the secondary nodes in the cluster, create a response file the first time you install a component using the guided installer. A response file contains the correctly formatted values for your environment that you must add to the install-silent.properties file. To create a response file, you must run the installer with the -r path-to-response-file option. For example:
OSP: Use the following command for your platform.
Linux: ./osp-install-linux.bin -r path_to_silent_properties_file
Windows: osp-install-win.exe -r path_to_silent_properties_file
OpenText Identity Governance and Identity Reporting: Use the following command for your platform.
Linux: ./identity-governance-install-linux.bin -r path_to_silent_properties_file
Windows: identity-governance-install-win.exe -r path_to_silent_properties_file
After you have the response file, you open the response file and the silent.properties file in a text editor. You copy and paste the values from the response file to the silent.properties file.
NOTE:In the silent.properties file for OpenText Identity Governance, change the following settings:
install_db_configure=false
install_tomcat_runtime_id=node1
For more information, see the following:
In a typical production environment, you might install OpenText Identity Governance components on three or more servers. The reason to have different components on different servers is due to the workload of the component. If one of the components has a heavy load and you have other components installed on the same server, the heavy workload impacts the performance of the other components.
The following information contains deployment recommendations for the components. Each component has different reasons why you would install it with other components or not. Use this information and the information in Table 2-2, Different OpenText Identity Governance Component Deployment Scenarios in a Production Environment to determine how you deploy the OpenText Identity Governance components in your production environment.
OSP: OSP does not require a lot of processing power to function unless you have hundreds of thousands of authentications occurring at the same time. In most of the production environments, you can install OSP on the OpenText Identity Governance server. In larger environments, having OSP with a clustered load on its server balances the authentications through each clustered OSP node.
Database: We recommend that you always install the databases for OpenText Identity Governance and Identity Reporting on a database server. Databases require a lot of processing power. If you install the database on a server with another OpenText Identity Governance component, this causes performance issues for the component.
ActiveMQ: ActiveMQ is an optional component that you can install to guarantee delivery of the emails that OpenText Identity Governance sends. ActiveMQ does not require a lot of processing power. You can install ActiveMQ on the OpenText Identity Governance server.
OpenText Identity Governance: Is a web application that the authorized users access to perform all of the tasks. We recommend that you cluster the OpenText Identity Governance component for fail-over scenarios. If one node goes down, the authorized users can still log in and use OpenText Identity Governance. You can run OSP on the same server as OpenText Identity Governance except for very large production environments. You can even run Workflow Engine on the same server with OpenText Identity Governance. You would only run Identity Reporting on the OpenText Identity Governance service if you do not generate a lot of reports. If you generate a lot of reports, we recommend that you install Identity Reporting on its own server.
Identity Service: The identity service is an existing, supported LDAP server in your IT environment. In most scenarios, the LDAP server already exists and contains the user accounts. Installing other components on the LDAP server can impact the performance of the users’ authentications. It is best practice to have the LDAP directory installed on its server.
Identity Reporting: We recommend that you install Identity Reporting on its own server if you generate a lot of reports daily. Generating reports requires a lot of processing power for Identity Reporting. If you have Identity Reporting installed on the server with other components and you see the performance of the other components being impacted, you must move Identity Reporting to its own server. You can also cluster Identity Reporting for load balancing and fail-over scenarios.
Workflow Engine: The Workflow Engine runs the workflow at runtime and manages approval tasks for approvers. If you have the Workflow Engine installed on the server with other components and you see the performance of the other components being impacted, you must move the Workflow Engine on a separate server. You can also cluster the Workflow Engine for load balancing and fail-over scenarios.
Audit Server: OpenText Identity Governance forwards the audit events to the audit server. We recommend you have the audit server installed and configured before you install OpenText Identity Governance. In a production environment, you should always install the audit server on its own server for performance reasons.
Table 2-2 Different OpenText Identity Governance Component Deployment Scenarios in a Production Environment
|
Case 1 |
Case 2 |
Case 3 |
Case 4 |
|---|---|---|---|---|
|
Server 1 |
OSP OpenText Identity Governance ActiveMQ |
(can be clustered) OSP OpenText Identity Governance Identity Reporting Workflow Engine ActiveMQ |
(can be clustered) OSP OpenText Identity Governance ActiveMQ |
(can be clustered) OSP or OpenText Access Manager |
|
Server 2 |
Database server |
Database server |
(can be clustered) Identity Reporting Workflow Engine |
(can be clustered) OpenText Identity Governance ActiveMQ |
|
Server 3 |
Identity service |
Identity service |
Database server |
(can be clustered) OpenText Identity Governance |
|
Server 4 |
|
Audit server |
Identity service |
Identity Reporting |
|
Server 5 |
|
|
Audit server |
Database server |
|
Server 6 |
|
|
|
Identity service |
|
Server 7 |
|
|
|
Audit server |
|
Server 8 |
|
|
|
Workflow Engine (Will be supported in a future release) |