지금 지원 담당자와 채팅
지원 담당자와 채팅

Identity Manager 9.2 - Installation Guide

About this guide One Identity Manager overview Installation prerequisites Installing One Identity Manager Installing and configuring the One Identity Manager Service Automatic updating of One Identity Manager Updating One Identity Manager Installing additional modules for a existing One Identity Manager installation Installing and updating an application server Installing the API Server Installing, configuring, and maintaining the Web Designer Web Portal Installing and updating the Manager web application Logging in to One Identity Manager tools Troubleshooting Advanced configuration of the Manager web application Machine roles and installation packages Configuration parameters for the email notification system How to configure the One Identity Manager database using SQL Server AlwaysOn availability groups

Updating application servers

NOTE:

  • We recommend that you perform the automatic update only in specific maintenance windows, in which the application cannot be accessed by users and the application can be manually restarted with no risk.

  • The following permissions are required for automatic updating:

    • The user account for updating requires write permissions for the application directory.

    • The user account for updating requires the local security policy Log on as a batch job.

    • The user account running the application pool requires the Replace a process level token and Adjust memory quotas for a process local security policies.

To run an update, first load the files to be updated into the One Identity Manager database. The necessary files are loaded into the One Identity Manager database and updated when a hotfix, a service pack, or a full version update is run.

The test depends on the selected mode for automatic update. New files are loaded from the database as they are identified. The files cannot be updated while the application is running. The update waits until the application is restarted.

The application is restarted automatically by the web server when it has been idle for a defined length of time. However, this may take some time or be hindered by continuous user requests.

Configure automatic updating in the application server's web.config file. In the <autoupdate> section, you can control the behavior of the update.

Table 28: Attribute for automatically updating the configuration

Attribute

Description

off

Specifies whether automatic update is disabled (True) or not (False).

mode

Mode for automatic update. Permitted values are:

  • timer: Scheduled checking (default). At application start up, a check for updated files in the database is carried out and afterward, at schedule intervals (attribute checkinterval).

  • manual: Manual checking. You start the check from the application server's status page. Regular checking if updated files in the database does not take place.

checkinterval

Time period for search for update in timer mode. Default: 5 minutes

inactivitytime

Time period without user activity so that the update can be started. Default: 10 seconds.

Example:

<autoupdate>

<!-- <add key="off" value="true" /> -->

<add key="mode" value="timer" /> <!-- Valid options: timer, manual -->

<add key="checkinterval" value="00:05:00"/>

<add key="inactivitytime" value="00:00:10"/>

</autoupdate>

To start the update manually

  1. Open the status page for the application server in the browser.

  2. In the menu for the currently logged on user, click Update immediately.

Related topics

Uninstalling application servers

Perform the following steps to uninstall the web application.

To uninstall a web application

  1. Launch autorun.exe from the root directory of the One Identity Manager installation medium.

  2. On the start page of the installation wizard:

    1. Change to the Installation tab.

    2. In the Web-based components pane, click Install.

    This starts the Web Installer.

  3. On the Web Installer start page, click Uninstall a web application and click Next.

  4. On the Uninstall a web application page, double-click the application that you want to remove.

    The icon is displayed in front of the application.

  5. Click Next.

  6. On the Database connection page, select the database connection and authentication method and enter the corresponding login data.

  7. Click Next.

  8. Confirm the security prompt with Yes.

  9. The uninstall progress is displayed on the Setup is running page.

  10. Once installation is complete, click Next.

  11. On the Wizard complete page, click Finish.

  12. Close the autorun program.

Installing the API Server

The API Server deploys the Web Portal, the Password Reset Portal as well as the Operations Support Web Portal and your HTML5 web applications. It also provides an API.

You can install the API Server with help from the Web Installer or the ImxClient command line program (the install-apiserver command). Read through the following sections for instructions on how to install the API Server on a Web Installer using the Windows Server and set it up with the default configuration. For more information about installing with the ImxClient command line program, see the One Identity Manager API Development Guide.

Before installing, ensure that the minimum hardware and software prerequisites are fulfilled on the server.

NOTE: On Linux operating systems, use of oneidentity/oneim-api docker images is recommended.

Detailed information about this topic

Installing the API Server

IMPORTANT: Start the API Server installation locally on the server.

NOTE: On Linux operating systems, use of oneidentity/oneim-api docker images is recommended.

To install the API Server

  1. Launch autorun.exe from the root directory of the One Identity Manager installation medium.

  2. On the installation wizard's home page, perform the following actions:

    1. Click Installation.

    2. In the Web-based components pane, click Install.

    This starts the Web Installer.

  3. On the start page of the Web Installer, click Install API Server and click Next.

  4. On the Database connection page, do the following.

    TIP: One Identity recommend establishing a connection via an application server.

    • To use an existing connection to the One Identity Manager database, select it in the Select a database connection menu.

      - OR -

    • To create a new connection to the One Identity Manager database, click Add new connection and enter a new connection.

  5. Select the authentication method and enter the login data for the database under Authentication method.

  6. On the Installation source page in the Installation source pane, specify where to find the installation data.

    • To retrieve the installation data from the database, activate the Database option.

    • To retrieve the installation data from the installation media (for example, from the hard drive), activate the File system option and enter the path.

  7. On the Installation source page, in the Additional connections pane, enter any additional information for authentication. This displays the number of connections that can be configured.

    1. To configure additional authentication data, click .

    2. In the Authentication data dialog, select the project you want to authenticate and enter the authentication data.

      NOTE: You can also configure the authentication data for optional projects at a later date. You must enter authentication data if the project is marked in red.

      • Multi-factor authentication with OneLogin (OneLogin): Multi-factor authentication with OneLogin can be used for specific security-critical actions in One Identity Manager. For more information, see the One Identity Manager Web Application Configuration Guide.

        Enter the authentication data for logging in to the OneLogin domain.

        • Connection string: Connection string for logging in to the OneLogin domain.

          Syntax: Domain=<domain>;ClientId=<clientid>;ClientSecret=<clientSecret>

          - OR -

        • Domain: Enter the DNS name of the synchronized OneLogin domain.

          Example: <your domain>.onelogin.com

        • Client ID: Enter the client ID with which the application is registered in OneLogin. You obtain the client ID when you register your application with OneLogin.

        • Client secret: Enter the security token for the OneLogin application. You obtain the client secret when you register your application with OneLogin.

      • Authentication for self-registration of new users (sub:register): For self-registration of new users in the Password Reset Portal, a user is required with which the new user accounts are created.

        NOTE: It is recommended to use the IdentityRegistration system user. This system user has the specified permissions required for self-registration of new users in the Password Reset Portal.

        If you have your own system user, ensure that it has the necessary permissions. For more information about system users and permissions, see the One Identity Manager Authorization and Authentication Guide.

        • If you use the IdentityRegistration system user, enter a password for the system user.

        • If you want to user your own system user, under Authentication method, select the authentication module for logging in. Depending on the authentication module, other data may be required, such as user and password. For more information about One Identity Manager authentication modules, see the One Identity Manager Authorization and Authentication Guide.

    3. To test the data, click Test connection.

    4. To accept the data, click OK.

  8. Configure the following settings on the Select setup target page.

    Table 29: Settings for the installation target
    Setting Description

    Application name

    Enter the name to use in the browser as the application name.

    Target in IIS

    Select the website on the Internet Information Services where the application is installed.

    Enforce SSL

    Specifies whether secure or insecure websites are available to install.

    If the option is set, only sites secured by SSL can be used for installing. This setting is the default value.

    If this option is not set, insecure websites can be used for installing.

    URL

    Enter the application's URL.

    Install dedicated application pool

    Enable this option if you want to install a separate application pool for each application. This allows applications to be set up independently of one another. If this option is set, each application is installed in its own application pool.

    Application pool

    Select the application pool to use. This can only be entered if the Install dedicated application pool option is not set.

    If you use the DefaultAppPool default value, the application pool has the following syntax:

    <application name>_POOL

    Identity

    Specify the permissions for implementing the application pool. You can use a default identity or a custom user account.

    If you use the ApplicationPoolIdentity default value, the user account has the following syntax:

    IIS APPPOOL\<application name>_POOL

    You can authorize another user by clicking ... next to the box, enabling the option Custom account and entering the user and password.

    Assign file permissions for application pool identity

    Specify whether the identity that the application pool was running with obtains the file permissions.

    Overwrite default IIS request limits

    Specify whether the default IIS values for the URL length, query string length, and content length are overwritten. If the values are not adequate, IIS returns an HTTP 404 error. For more information, see HTTP 404 Error Substatus Codes.

    Adjust the values to suit your requests if necessary.

    • Max. URL length [B]: Maximum length if a URL in bytes. The default value is 4096 bytes.

    • Max. query string length [B]: Maximum length of a query string in bytes. The default value is 32768 bytes.

    • Max. content length [B]: Maximum length of content in bytes. The efault value is 30000000 bytes.

    NOTE: You can configure these values at a later date.

    Web authentication

    Specify which type of authentication to use against the web application. You have the following options:

    • Windows authentication (single sign-on)

      The user is authenticated against the Internet Information Services using their Windows user account and the web application logs in the identity assigned to the user account as role-based. If single sign-on is not possible, the user is diverted to a login page. You can only select this authentication method if Windows authentication is installed.

    • Anonymous

      Login is possible without Windows authentication. The user is authenticated against the Internet Information Services and the web application anonymously, and the web application is directed to a login page.

    Database authentication

    NOTE: You can only see this section if you have selected an SQL database connection on the Database connection page.

    Specify which type of authentication to use against the One Identity Manager database. You have the following options:

    • Windows authentication

      The web application is authenticated against the One Identity Manager database with the same Windows user account that your application pool uses. Login is possible with a user-defined user account or a default identity for the application pool.

    • SQL authentication

      Authentication is completed with a SQL Server login and password. The SQL Server login from the database connection is used. Use the [...] button to enter a different SQL login, for example, if the application is run with a access level for end users. This access data is saved in the web application configuration as computer specific encrypted.

  9. (Optional) On the Select application server page, perform the following actions.

    NOTE: This page only shown if you have selected a direct database connection.

    NOTE: If you would like to use the full text search, then you must specify an application server.

    1. Click Select application server.

    2. In the dialog, in the URL field, enter the web address of the application server that is running the search service for full-text search.

    3. Click OK.

  10. On the Set session token certificate page, select the certificate for creating and checking session tokens.

    NOTE: The certificate must have a key length of at least 1024 bits.

    • To use an existing certificate, set the following:

      1. Session token certificate: Select the Use existing certificate entry.

      2. Select certificate: Select the certificate.

        NOTE: It is strongly recommended to use the certificate already in use in other application servers and API Servers.

    • To create a new certificate, set the following:

      1. Session token certificate: Select the Create new certificate entry.

      2. Certificate issuer: Enter the issuer of the certificate.

      3. Key length: Specify the key length for the certificate.

      The certificate is entered in the application server's certificate management.

      NOTE: It is strongly recommended to export this newly created certificate and use it in other application servers and API Servers as well, so that all these server components have and use the identical session certificate.

    • To create a new certificate file, set the following:

      1. Session token certificate: Select the Generate new certificate file entry.

      2. Certificate issuer: Enter the issuer of the certificate.

      3. Key length: Specify the key length for the certificate.

      4. Certificate file: Enter the directory path and name of the certificate file.

      The certificate file is stored in the specified directory of the web application.

      NOTE: It is strongly recommended to use this newly created certificate in other application servers and API Servers as well, so that all these server components have and use the identical session certificate.

  11. On the Assign machine roles page, define the machine roles.

    The SCIM Provider machine role is required for the SCIM plug-in in the API Server. For more information about the SCIM plug-in, see the One Identity Manager Configuration Guide.

    NOTE: You can configure the SCIM plug-in at a later date.

  12. Specify the user account for automatic updating on the Set update credentials page by activating one of the following options:

    NOTE: The user account is used to add or replace files in the application directory.

    • Use IIS credentials for update: Set this option to use the user account used by the application pool to run updates.

    • Use other credentials for updates: To use a different user account, set this option. Specify the domain, the user name, and the user password.

  13. On the Application token page, enter the application token for the API Server into the input field. The application token is required by the Password Reset Portal.

    NOTE: Handle the application token like a password. Once the application is saved in the database, it cannot be displayed in text form again. Make a note of the application token if necessary.

    TIP: To use a new token and therefore replace the existing token in the database, activate the option Replace the application token in the database. When doing so, note that the current token will become invalid and every location that uses it must be updated with the new token.

  14. Installation progress is displayed on the Setup is running page. After installation is complete, click Next.

  15. On the Wizard complete page, click Finish.

  16. Close the autorun program.

Related topics
관련 문서

The document was helpful.

평가 결과 선택

I easily found the information I needed.

평가 결과 선택