Chat now with support
Chat with Support

Identity Manager 9.1.2 - Installation Guide

About this guide One Identity Manager overview Installation prerequisites Installing One Identity Manager Installing and configuring the One Identity Manager Service Automatic updating of One Identity Manager Updating One Identity Manager Installing additional modules for a existing One Identity Manager installation Installing and updating an application server Installing the API Server Installing, configuring, and maintaining the Web Designer Web Portal Installing and updating the Manager web application Logging in to One Identity Manager tools Troubleshooting Advanced configuration of the Manager web application Machine roles and installation packages Configuration parameters for the email notification system How to configure the One Identity Manager database using SQL Server AlwaysOn availability groups

Installing application servers

IMPORTANT: Start the application server installation locally on the server.

NOTE: On Linux operating systems, use of oneidentity/oneim-appserver docker images is recommended.

To install an application server

  1. Launch autorun.exe from the root directory of the One Identity Manager installation medium.

  2. On the start page of the installation wizard:

    1. Change to the Installation tab.

    2. In the Web-based components pane, click Install.

    This starts the Web Installer.

  3. Select Install application server on the Web Installer and click Next.

  4. On the Database connection page, do the following:

    • To use an existing connection to the One Identity Manager database, select it in the Select a database connection menu.

      - OR -

    • To create a new connection to the One Identity Manager database, click Add new connection and enter a new connection .

  5. Select the authentication method and, under Authentication method, enter the login data for the database.

  6. Configure the following settings on the Select setup target page.

    Table 26: Settings for the installation target
    Setting Description

    Application name

    Name used as application name, as in the title bar of the browser, for example.

    Target in IIS

    Internet Information Services web page on which to install the application.

    Enforce SSL

    Specifies whether secure or insecure websites are available to install. If the option is set, only sites secured by SSL can be used for installing. This setting is the default value. If this option is not set, insecure websites can be used for installing.

    URL

    The application's Uniform Resource Locator (URL).

    Install dedicated application pool

    Specifies whether an application pool is installed for each application. This allows applications to be set up independently of one another. If this option is set, each application is installed in its own application pool.

    Application pool

    The application pool to use. This can only be entered if the Install dedicated application pool option is not set.

    If you use the DefaultAppPool default value, the application pool has the following syntax:

    <application name>_POOL

    Identity

    Permissions for running an application pool. You can use a default identity or a custom user account.

    If you use the ApplicationPoolIdentity default value, the user account has the following syntax:

    IIS APPPOOL\<application name>_POOL

    You can authorize another user by clicking ... next to the box, enabling the Custom account option and entering the user and password.

    Web authentication

    Type of authentication against the web application. You have the following options:

    • Windows authentication (single sign-on)

      The user is authenticated against the Internet Information Services using their Windows user account and the web application logs in the employee assigned to the user account as role-based. If single sign-on is not possible, the user is diverted to a login page. You can only select this authentication method if Windows authentication is installed.

    • Anonymous

      Login is possible without Windows authentication. The user is authenticated against the Internet Information Services and the web application anonymously, and the web application is directed to a login page.

    Database authentication

    NOTE: You can only see this section if you have selected an SQL database connection on the Database connection page.

    Type of authentication against the One Identity Manager database. You have the following options:

    • Windows authentication

      The web application is authenticated against the One Identity Manager database with the same Windows user account that your application pool uses. Login is possible with a user-defined user account or a default identity for the application pool.

    • SQL authentication

      Authentication is completed with an SQL Server login and password. The SQL Server login from the database connection is used. Use the [...] button to enter a different SQL login, for example, if the application is run with a access level for end users. This access data is saved in the web application configuration as computer specific encrypted.

  7. On the Assign machine roles page, define the machine roles.

    This enables the machine roles for the application server. The machine roles Search Service and Search Indexing Service are required for indexing the full text search. These machine roles are always used together.

    NOTE: If you want to use a Web Portal, you will need to use an application server with a search service installed.

  8. On the Set session token certificate page, select the certificate for creating and checking session tokens.

    NOTE: The certificate must have a key length of at least 1024 bits.

    • To use an existing certificate, set the following:

      1. Session token certificate: Select the Use existing certificate entry.

      2. Select certificate: Select the certificate.

        NOTE: It is strongly recommended to use the certificate already in use in other application servers and API Servers.

    • To create a new certificate, set the following:

      1. Session token certificate: Select the Create new certificate entry.

      2. Certificate issuer: Enter the issuer of the certificate.

      3. Key length: Specify the key length for the certificate.

      The certificate is entered in the application server's certificate management.

      NOTE: It is strongly recommended to export this newly created certificate and use it in other application servers and API Servers as well, so that all these server components have and use the identical session certificate.

    • To create a new certificate file, set the following:

      1. Session token certificate: Select the Generate new certificate file entry.

      2. Certificate issuer: Enter the issuer of the certificate.

      3. Key length: Specify the key length for the certificate.

      4. Certificate file: Enter the directory path and name of the certificate file.

      The certificate file is stored in the specified directory of the web application.

      NOTE: It is strongly recommended to use this newly created certificate in other application servers and API Servers as well, so that all these server components have and use the identical session certificate.

  9. Specify the user account for automatic updating on the Set update credentials page. The user account is used to add or replace files in the application directory.

    • Use IIS credentials for update: Set this option to use the user account under which the application pool is run for the updates.

    • Use other credentials for updates: To use a different user account, set this option. Specify the domain, the user name, and the user password.

  10. (Optional) The One Identity Manager History Database is used to provide archived data for analyzing in reports and the TimeTrace. If you access the One Identity Manager History Database is through an application server, on the Edit History Database connections page, enter the One Identity Manager History Database ID and the connection parameters.

    NOTE: You can enter the One Identity Manager History Database‘s connection parameters at a later date. Use the configuration file (web.config) to do this.

    For more information about connecting to the One Identity Manager History Database through an application server and the required configuration, see the One Identity Manager Data Archiving Administration Guide.

  11. Installation progress is displayed on the Setup is running page. After installation is complete, click Next.

  12. Click Finish on the last page to end the program.

  13. Close the autorun program.

NOTE: The Web Installer generates both the web application and the configuration file (web.config). The Web Installer uses default values for the configuration settings. You can keep these values but it is recommended you check the settings. You will find the configuration file (web.config) in the web application directory in the Internet Information Services.

Related topics

Displaying application servers' status

You can access the application server from a browser.

Use the appropriate URL for this:

http://<server name>/<application name>

https://<server>/<application name>

TIP: You can open the web server's status display in the Job Queue Info. In the Job Queue Info, select View > Server state in the menu and, on the Web servers tab, open the web server status display from the Open in browser context menu.

You will see different status information. Status information for the application server is displayed as performance indicators. Users with the Enables log display in the application server program function (AppServer_Logs) can see the log.

In addition, API documentation is available here. To access the REST API on the application server, the user required the Enables access to the REST API on the application server (AppServer_API). For more information about the REST API, see the One Identity Manager REST API Reference Guide

Updating application servers

NOTE:

  • We recommend that you perform the automatic update only in specific maintenance windows, in which the application cannot be accessed by users and the application can be manually restarted with no risk.

  • The following permissions are required for automatic updating:

    • The user account for updating requires write permissions for the application directory.

    • The user account for updating requires the local security policy Log on as a batch job.

    • The user account running the application pool requires the Replace a process level token and Adjust memory quotas for a process local security policies.

To run an update, first load the files to be updated into the One Identity Manager database. The necessary files are loaded into the One Identity Manager database and updated when a hotfix, a service pack, or a full version update is run.

The test depends on the selected mode for automatic update. New files are loaded from the database as they are identified. The files cannot be updated while the application is running. The update waits until the application is restarted.

The application is restarted automatically by the web server when it has been idle for a defined length of time. However, this may take some time or be hindered by continuous user requests.

Configure automatic updating in the application server's web.config file. In the <autoupdate> section, you can control the behavior of the update.

Table 27: Attribute for automatically updating the configuration

Attribute

Description

off

Specifies whether automatic update is disabled (True) or not (False).

mode

Mode for automatic update. Permitted values are:

  • timer: Scheduled checking (default). At application start up, a check for updated files in the database is carried out and afterward, at schedule intervals (attribute checkinterval).

  • manual: Manual checking. You start the check from the application server's status page. Regular checking if updated files in the database does not take place.

checkinterval

Time period for search for update in timer mode. Default: 5 minutes

inactivitytime

Time period without user activity so that the update can be started. Default: 10 seconds.

Example:

<autoupdate>

<!-- <add key="off" value="true" /> -->

<add key="mode" value="timer" /> <!-- Valid options: timer, manual -->

<add key="checkinterval" value="00:05:00"/>

<add key="inactivitytime" value="00:00:10"/>

</autoupdate>

To start the update manually

  1. Open the status page for the application server in the browser.

  2. In the menu for the currently logged on user, click Update immediately.

Related topics

Updating the search index on application servers

The searched index is updated when changes are made to a table with indexed columns, to referenced tables or translations.

Use the Common | Indexing | BatchSize configuration parameter to define the maximum number of objects that can be indexed in a single indexing run. The default value is 50000.

The Common | Indexing | Interval configuration parameter contains the interval between two indexing runs. The default value is 120 seconds. Once this time interval has elapsed, a new indexing run is started.

You can also update the search index manually.

To manually update the search index on the application server:

  1. Open the status page for the application server in the browser.

  2. In the menu for the currently logged-in user, click Update Index.

  3. Choose whether you want to update all indexes, or only some indexes.

Related topics
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating