Use the following worksheet to gather the information that you need to complete the Identity Governance installation successfully. You can use this information for the guided installation, the console installation, or the silent installation.
Table 6-1 Identity Governance Installation Worksheet
Item |
Description |
Value |
---|---|---|
Components to Install |
|
|
Identity Governance, and or Identity Reporting, Workflow Engine |
The Identity Governance installer installs Identity Governance, Identity Reporting, and the Workflow Engine. You must decide if you want to install Identity Reporting and the Workflow Engine and if you want to run them on the same server as Identity Governance. If you want to install and run Identity Reporting and the Workflow Engine on servers separate from Identity Governance, you must run the Identity Governance installer on those separate servers by clearing the Identity Governance option, and selecting only the components you want for that server. |
|
Identity Governance Installation Location |
Specify the installation path for Identity Governance. WARNING:Spaces in the path are not supported. The default directory is:
|
|
(Conditional) Identity Reporting Installation Location |
If you are installing Identity Reporting on the same server as Identity Governance, specify the installation path for Identity Reporting. WARNING:Spaces in the path are not supported. The default directory is:
|
|
(Conditional) Workflow Engine Installation Location |
If you are installing the Workflow Engine on the same server as Identity Governance, specify the installation path. WARNING:Spaces in the path are not supported. The default directory is:
|
|
Apache Tomcat Installation |
Specify the address of the application that represents the settings of the URL that users need to connect to Identity Governance. For example: https://myserver.mycompany.com:8443 |
|
Tomcat Installation Location |
Specify the installation path for Apache Tomcat. WARNING:Spaces in the path are not supported. The default directory is:
|
|
Runtime host name |
WARNING:Use the fully qualified domain name (FQDN) rather than localhost or an IP address. Specify the runtime host name for the local instances of Apache Tomcat that Identity Governance uses. If you have installed OSP on this same server, OSP uses this same instance of Apache Tomcat. If you are installing Identity Reporting and/or Workflow Engine, Identity Reporting and Workflow Engine use this same instance of Apache Tomcat. The Identity Governance installer creates a trust store for the certificates to allow for SSL/TLS communication. Certificates use the fully qualified domain name (FQDN) of the servers, which is why you must use the DNS name of the server instead of an IP address. |
|
Runtime port |
Specify the runtime port that the local instance of Apache Tomcat uses. For http, the default port is 8080. For https, the default port is 8443. |
|
Runtime identifier |
In a non-clustered environment, specify the local server name. In a clustered environment, specify the unique name for the current node. For example, node1. |
|
Apache Tomcat Java Home > JRE home folder |
Specify the path to the Zulu JRE home directory. The Zulu JRE is installed when you install Zulu OpenJDK. The installation process uses Java for several processes, such as to run commands and create security stores. WARNING:Spaces in the path are not supported. The default location is:
|
|
Encryption Keystore |
Specify the keystore file. You must always select the Use existing option so that you can select the encrypt-keys.pkcs12 file that was created while installing OSP. If OSP is on a separate server, copy the encrypt-keys.pkcs12 file from the installed location of the first server to the second server. Then during installation, navigate to the location where you had copied the file and then select the file. If OSP is on the same server, navigate to the /opt/netiq/idm/apps/tomcat/conf folder and select the emcrypt-keys.pkcs12 file. Select the Create new option if your authentication method is Access Manager. |
|
Encryption Keystore Password |
Enter the encryption keystore password that you created while installing OSP or a new password when using Access Manager as your authentication method. |
|
Trust store password |
The Identity Governance installer creates a trust store to store the certificates for SSL/TLS communication. The installer creates the trust store in the following default file:
If this trust store already exists, specify the password for it. If this is a new installation, specify a new password for this new trust store and the installer creates the trust store for you. The password must be six characters or longer and contain no spaces. |
|
Authentication Service |
Use the following sections to gather information about your OSP deployment or your Access Manager deployment. You must use one of these services to deploy Identity Governance. |
|
Access Manager or OSP |
Select the appropriate authentication service for your environment. Depending on your choices, there are different options presented that you must populate with the information for the specific authentication service. The options are OSP or Access Manager. |
|
(Conditional) OSP > Application Address |
If you selected Access Manager, skip this section and proceed to the Access Manager sections here (Conditional) Access Manager > Application Address. If you plan to install OSP and Identity Governance on the same server, this information is for that server. If you install OSP and Identity Governance on separate server, this information is for Identity Governance and the external OSP. The application address represents the URL that users need to connect to Identity Governance, Identity Reporting or the Workflow Engine if installed on the same server. For example, https://myserver.mycompany.com:8443 and for Reporting https://myserver.mycompany.com:8443/IDMRPT. |
|
Identity Governance protocol |
Select if you want to use http or https for Identity Governance. If you select https, you must have configured Apache Tomcat for TLS/SSL communication on the Identity Governance server. For more information, see Section 3.9, Securing Connections with TLS/SSL. |
|
Identity Governance host name |
WARNING:Use the fully qualified domain name (FQDN) rather than localhost or an IP address for the Identity Governance server. If you have installed OSP and Identity Governance on the same server, this information is for that server. If you install OSP and Identity Governance on separate server, this information is for Identity Governance. In a non-clustered environment, specify the DNS name of the server hosting Identity Governance. In a clustered environment, specify the DNS name of the server that hosts the load balancer or reverse proxy that you want to use. For more information, see Section 2.3.4, Ensuring High Availability or Load Balancing for Identity Governance. |
|
Identity Governance port |
If you have installed OSP and Identity Governance on the same server, this information is for that server. If you install OSP and Identity Governance on separate server, this information is for Identity Governance. Specify the port you want the server to use for communication with client computers. The default is 8080. To use TLS/SSL, the default is 8443. When installing in a clustered environment or when using a reverse proxy, specify the port of the load balancer or of the reverse proxy. |
|
(Conditional) OSP > Connect to an external OSP server |
You define how the clients connect to the external authentication service (OSP), if OSP is on a separate server from Identity Governance select this option, otherwise do not select this option and proceed with the installation. |
|
OSP authentication server protocol |
If OSP is on a separate server, select whether the clients that connect to OSP use http or https. To use https, ensure that you have configured the Apache Tomcat instance on the OSP and Identity Governance servers to use SSL/TLS. For more information, see Section 3.9, Securing Connections with TLS/SSL. |
|
OSP authentication host name |
In a non-clustered environment, specifies the DNS name of the OSP server. In a clustered environment, specifies the DNS name of the server that hosts the load balancer or the reverse proxy. |
|
OSP authentication server port |
Specify the port that the clients use to access OSP. For http, the default port is 8080. For https, the default port is 8443. |
|
(Conditional) OSP > Bootstrap Administrator Details |
Specify whether you are using a file-based or an LDAP-based bootstrap administrator. If you are using an LDAP-based bootstrap administrator, you must specify the distinguished name for the administrator account that is the bootstrap administrator. For example, cn=admin,ou=sa,o=company. NOTE:If you are enabling hosted SaaS, you will need to provide the SaaS bootstrap administrator name and authentication source details, as well as the analytics bootstrap administrator name and authentication source details, if applicable. If you are installing Identity Governance on-premises, you need not provide this information. |
|
(Conditional) Access Manager > Application Address |
If you selected OSP, skip the following sections about Access Manager and proceed to (Conditional) Identity Reporting Settings if you have installed Identity Reporting on this server. If you do not have Identity Reporting on this server, proceed to ConfigUpdate details. |
|
Identity Governance protocol |
Select if you want to use http or https for Identity Governance. If you select https, you must have configured Apache Tomcat for TLS/SSL communication on the Identity Governance server. For more information, see Section 3.9, Securing Connections with TLS/SSL. |
|
Identity Governance host name |
WARNING:Use the fully qualified domain name (FQDN) rather than localhost or an IP address. Specify the DNS name of the Identity Governance server. |
|
Identity Governance port |
Specify the port that Identity Governance uses. For http, the default port is 8080. For https, the default port is 8443. |
|
Access Manager IDP host name |
Specify the DNS name of the Access Manager Identity Server. |
|
Access Manager IDP port |
Specify the port the Access Manager Identity Server uses. |
|
Access Manager Console host name |
Specify the DNS name of the Access Manager administration console. |
|
Access Manager Console port |
Specify the port the Access Manager administration console uses. |
|
Service Password |
This is an OAuth 2.0 password that allows users to single sign-on to Identity Governance. Specify this password and remember it for later use. You can change this password after the installation completes through the configuration utilities. |
|
(Conditional) Access Manager > Bootstrap Administrator Details |
|
|
Bootstrap admin DN |
Specify the DN of the LDAP bootstrap administrator for Identity Governance. You must have an LDAP bootstrap administrator to integrate with Access Manager. For more information, see Section 4.1.1, Using the Bootstrap Administrator. |
|
Bootstrap admin password |
Specify the password of the LDAP bootstrap administrator account for Identity Governance. |
|
Access Manager admin DN |
Specify the DN of an Access Manager administrator account. |
|
Access Manager admin password |
Specify the password for the Access Manager administrator account. |
|
(Conditional) Identity Reporting Settings |
If you plan to install Identity Reporting on another server or you are not using Identity Reporting, skip to Workflow Engine Settings. If you plan to install Identity Reporting on the same server as Identity Governance, gather the following information to configure Identity Reporting. You are defining the URL settings that the clients access to use Identity Reporting on this server. |
|
Identity Reporting > Protocol |
Select whether the clients that connect to Identity Reporting use http or https. To use https, ensure that you have configured the Apache Tomcat instance on this server to use SSL/TLS. For more information, see Section 3.9, Securing Connections with TLS/SSL. |
|
Identity Reporting > Host name |
WARNING:Use the fully qualified domain name (FQDN) rather than localhost or an IP address. In a non-clustered environment, specify the DNS name of the server hosting Identity Reporting. In a clustered environment, specify the DNS name of the server that hosts the load balancer or reverse proxy that you want to use. For more information, see Section 2.3.4, Ensuring High Availability or Load Balancing for Identity Governance. |
|
Identity Reporting > Port |
Specify the port that the clients use to access Identity Reporting. For http, the default port is 8080. For https, the default port is 8443. |
|
(Conditional) Workflow Engine Settings |
If you plan to install Workflow Engine on another server or you are not using Workflow Engine, skip to ConfigUpdate details. If you plan to install Workflow Engine on the same server as Identity Governance, gather the following information to configure Workflow Engine. |
|
Workflow Engine > Protocol |
Select whether the clients that connect to Workflow Engine use http or https. To use https, ensure that you have configured the Apache Tomcat instance on this server to use SSL/TLS. For more information, see Section 3.9, Securing Connections with TLS/SSL. |
|
Workflow Engine > Host name |
WARNING:Use the fully qualified domain name (FQDN) rather than localhost or an IP address. In a non-clustered environment, specify the DNS name of the server hosting Workflow Engine. In a clustered environment, specify the DNS name of the server that hosts the load balancer or reverse proxy that you want to use. For more information, see Section 2.3.4, Ensuring High Availability or Load Balancing for Identity Governance. |
|
Workflow Engine > Port |
Specify the port that the clients use to access Workflow Engine. For http, the default port is 8080. For https, the default port is 8443. |
|
ConfigUpdate details |
Specify the directory where the Identity Governance installer installs the Configuration Update utility. |
|
(Conditional) ActiveMQ Details |
|
|
Use ActiveMQ or Do not use ActiveMQ |
Select whether you want to use ActiveMQ to guarantee email delivery. |
|
ActiveMQ host name |
Specify the DNS name of the server where you have installed ActiveMQ. |
|
ActiveMQ port |
Specify the port that ActiveMQ uses to communicate. The default port is 61616. |
|
Database Details |
Collect the following information for the database type that you have selected to use. Ensure that you install the database before starting the Identity Governance installation. For more information, see Section 5.8, Creating the Databases before Installing Identity Governance. |
|
Database type |
Select the type of database you are using. The supported databases are:
For a list of the supported database versions, see Section 2.4.2, Database Requirements. |
|
Database Configuration Details |
Select one of the following three options: |
|
Database details > Configure database now |
Select this option to have the Identity Governance installer to create and populate the databases. You select this option if you are performing an upgrade or a new installation. For more information, see Section 5.4, Using the Identity Governance Installer to Create and Populate the Databases. |
|
Database details > Generate SQL for later |
Select this option to have your database administrator create and populate the databases using the SQL scripts generated and stored by the installer in the following default directory for Identity Governance:
If you installed Identity Reporting at the same time, the Identity Reporting files are located in the following default directory:
If you installed the Workflow Engine at the same time, the Workflow Engine files are located in the following default directory:
For more information about using the SQL files, see Section 5.11, Configuring the Databases Using the SQL Scripts. |
|
Database details > No database configuration |
Select this option to do nothing. You would select this option if you were installing the second node in a cluster. For more information, see Section 2.3.4, Ensuring High Availability or Load Balancing for Identity Governance. |
|
Host |
Specify the DNS name of the database server. |
|
Port |
Specify the port the database server uses to communicate. The default port is:
|
|
(Conditional) Microsoft SQL Server JDBC JAR |
If you are using Microsoft SQL Server, specify the path to the Microsoft SQL Server JDBC JAR file. For more information, see Section 5.7, Adding the JDBC File to the Application Server. |
|
(Conditional) Oracle Database Details |
If you are using an Oracle database, gather the following information to complete the Identity Governance installation. |
|
Oracle JDBC JAR |
Specify the path to the Oracle JDBC JAR file. For more information, see Section 5.7, Adding the JDBC File to the Application Server. |
|
Oracle Database name |
Specify the name of the Oracle database where the installer will add the schema for Identity Governance, Identity Reporting, Workflow Engine, or for all three. For example, oracleidgov. |
|
Oracle User tablespace |
Specify the name of the database storage unit for storing the schema for the Identity Governance databases. The default is USERS. |
|
Oracle Temporary tablespace |
Specify the name of the temporary database storage unit for storing the schema. The default name is TEMP. |
|
Database credentials |
Specify the credentials for accessing the various Identity Governance databases. |
|
(Conditional) Database Administrator user and password |
Specify the credentials of a database account that can access and modify data in the databases. This account must be able to create databases, tables, views, and other artifacts. You can test the connection to the database. |
|
Database names |
Specify the names of the required databases for Identity Governance. This is a list of the default names of the databases and what they do.
|
|
Database password |
Specify a single password the Identity Governance installer uses to create the databases. The installer sets the same password for each database. You can change the password at a later time if you want to have a separate password for each database. For more information, see Section 5.12, How to Change the Configuration Options for the Databases. |
|
Reporting user and password |
Specify a name and password of a database user that Identity Governance uses to generate reports for Identity Governance. The default name is igrptuser. Identity Governance uses this user if you have Identity Reporting installed or not. |
|
(Conditional) Identity Reporting database users password |
If you install Identity Reporting with Identity Governance, specify the name and password of the required database for Identity Reporting. The default database name is igrpt. NOTE:The database password is requested only for Microsoft SQL Server and PostgreSQL. |
|
(Conditional) Workflow Engine database name |
If you install Workflow Engine with Identity Governance, specify the name of the required database for the Workflow Engine. The default name is igaworkflowdb. |
|
Workflow Engine user name and password |
Specify the name and password of the database user for the Workflow Engine. The default name is igwfadmin. |
|
Update or Only use existing |
Applies only when you choose to configure the database during the installation. Select whether the Identity Governance installer creates the database names, creates the schema, creates users, creates roles, assigns permissions to roles, and populates the databases with this information. Select this option for new installations or upgrades. Or select to use existing databases with your database names and users. |
|
(Conditional) Additional Identity Reporting Options Identity Reporting > Target Locale |
If you install Identity Reporting with Identity Governance, you must select the language Identity Reporting uses to generate the reports. The default is English. |
|
Email Delivery |
Gather the information for the SMTP server that delivers report notifications. |
|
Default email address |
Specify the email address that you want to use as the origin of email notifications. |
|
SMTP Server |
WARNING:Use the fully qualified domain name (FQDN) rather than localhost or an IP address. Specify the DNS name of the SMTP email host that is used for email notifications. |
|
SMTP Server Port |
Specify the port number for the SMTP server. The default value is 465. |
|
(Conditional) Use SSL for SMTP |
Select whether you want to use secure communication with the SMTP server. If you select this option, you must configure your SMTP server for TLS/SSL communication. For more information, see Section 3.9, Securing Connections with TLS/SSL. |
|
(Conditional) Require server authentication |
Select whether you want to use authentication for communication with the SMTP server. If you select this option, you must provide the SMTP server credentials. |
|
SMTP user name and password |
Specify the credentials for a login account to the SMTP server. |
|
(Conditional) Identity Reporting > Keep finished reports for |
If you install Identity Reporting with Identity Governance, then specify the report retention time and location. For example, to specify retention time of six months, enter 6, then select Month. Identity Reporting retains completed reports for the specified time then deletes them. |
|
(Conditional) Identity Reporting > Location of report definitions |
Specify a path where you want to store the report definitions. The default directory is:
|
|
(Conditional) Auditing Details |
Gather the following information if you want to enable auditing capabilities for Identity Governance. |
|
Enable auditing |
Select whether you want to enable auditing. |
|
Audit server |
Specify the DNS name of the audit server. |
|
Audit port |
Specify the port the audit server uses to communicate. The default port is 6514. |
|
Audit cache location |
Specify a local directory on the Identity Governance server for caching of audit events before they are sent to the audit server. The default directory is:
|
|
Secure layer |
Select if you are using TLS communication to the audit server. If you are, you can test the connection before you proceed. For more information, see Section 3.9, Securing Connections with TLS/SSL. |
|