Identity Manager 8.0 - Installation Guide

Importing Files with the Software Loader

NOTE: Always start the Software Loader on an administrative workstation!

To import files

  1. Open the Launchpad and select Files for software update. This starts the program "Software Loader".
  2. Select Import into database on the start page.
  3. Enter the One Identity Manager database connection credentials on the Connect to database page.
  4. Specify the file to be imported on the Select files page.
    1. Select the base directory where the files can be found.

      The status and file size of all the files in the selected directory are displayed in the file list. The status is determined from the file information in the database. To test the file version, the file size and the hash value are determined and compared to the entry in the database.

      NOTE: When selecting the base directory, take care not to create a directory tree accidentally.

      Table 37: Status Meaning

      | Status | Meaning |
      |---|---|
      | Version unknown | The file belongs to the known files but has not been loaded into the database yet. There is no version information in the database. |
      | File unknown | This file is new. The file is in the list of known files but has not been loaded in the database yet. There is no version information in the database. |
      | Version OK | The file version matches the version in the database. |
      | Version changed | This version of the file has changed with respect to the version in the database. |

    2. Mark the files to be loaded into the One Identity Manager database. You can multi-select files with SHIFT + SELECT or CTRL + SELECT.

      TIP: Click with the mouse in a column header to sort by the selected column.

      TIP: Modified files can be preselected in the context menu.

      Table 38: Meaning of Context Menu Items

      | Context Menu Item | Meaning |
      |---|---|
      | Open all directories | All the directories are opened. |
      | Open all modified files | All the files with the status "Version changed" are selected. Files in the subdirectories are only selected if the directories are opened beforehand. |

  5. Apply a change label on the Select change label page.

    Issue a change label to mark files in order to simplify the transfer of new files between various databases (test database, development database, operational database). Change labels are offered in the program "Database Transporter" as export criteria when a customer transport package is created.

    1. Select Assign files to following change label.
    2. Select the change label using the button next to this option.
  6. The files are loaded straight from the One Identity Manager database. After successfully loading the files into the database, the semaphore value "Softwarerevision" is updated in the database by the DBQueue Processor. In this way, the files to be updated are added to the update file list at the next semaphore test and distributed to the workstations and servers.
  7. Specify other file settings on the Assign machine roles page.
    1. Assign a computer role to the files.
    2. To specify other settings, click ... next to the file name.

      Table 39: Other File Settings

      | Setting | Description |
      |---|---|
      | Source directory | Path in the installation source. |
      | Create backup | A copy of the file is made if the software is updated automatically. |
      | No update | The file is not updated by automatic software update. |

  8. Click Finish on the last page to end the program.

Automatic Updating of the One Identity Manager

Installing and updating software locally can be a problem because servers and workstations are distributed. To keep the workload for network administrators acceptable, One Identity Manager provides a method for updating itself automatically. Besides the usual One Identity Manager installation files, new custom files can be added to the procedure and are then distributed to workstations and servers in the One Identity Manager network by the automatic software updating mechanism.

Basics for Automatic Update

All files in a One Identity Manager installation are saved with their name and binary code in the One Identity Manager database. The affiliation to machine roles and installation packages is entered for each file. In addition, the file size and hash values are stored in the database for each file in order to identify them.

The necessary files are loaded into the database and updated when a hotfix, a service pack or a full version update of One Identity Manager is run.

A semaphore "Softwarerevision" is maintained in the database. When a file is added, changed or deleted in the database, the semaphore value is recalculated by the DBQueue Processor. In every One Identity Manager installation directory there is a file Softwarerevision.viv. This file contains the following information:

  • The installation revision number

    The revision number is determined by the semaphore value "Softwarerevision" in the database.

  • The start time of the last modification

In addition, you will find the file InstallState.config in the installation directory of all One Identity Manager installations. This file contains information about the installed machine roles, installation packages and files.

Whether a software update is required depends on the comparison of semaphore values from the database and the file. If the semaphore values differ, the machine roles for the computer or server are determined based on InstallState.config. Each file belonging to a machine role is checked to see if the file is known to the database.

If the file exists in the database, the following checks are made:

  • Has the file size changed?

    If this is the case, the file is added to the list of files to be updated.

  • Has the hash value changed?

    If this is the case, the file is added to the list of files to be updated.

New files that have been loaded into the One Identity Manager database through a hotfix, a service pack or a version update are also added to the list. All the files in the list are updated. All actions are logged in the file update.log. After the update has finished, the current semaphore value is copied from the database to the file softwarerevision.viv.
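
The update decision described in this section, as an added Python sketch that is not One Identity's code. It assumes SHA-256 as the hash (the guide does not name the algorithm) and uses a dictionary in place of the database file table; all file names, roles and revision numbers are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

def db_entry(content, roles):
    # What the database is described as storing per file: size, hash, machine roles.
    # SHA-256 is an assumption; the guide does not name the hash algorithm.
    return {"size": len(content), "hash": hashlib.sha256(content).hexdigest(),
            "roles": set(roles)}

def files_to_update(install_dir, db_files, local_rev, db_rev, machine_roles):
    """Return [(file name, reason)] for the files an update would replace."""
    if local_rev == db_rev:          # semaphore values match: no per-file checks
        return []
    pending = []
    for name, entry in sorted(db_files.items()):
        if not entry["roles"] & set(machine_roles):
            continue                 # file belongs to a role not installed here
        path = Path(install_dir) / name
        if not path.is_file():
            pending.append((name, "new"))
            continue
        data = path.read_bytes()
        if len(data) != entry["size"]:
            pending.append((name, "size changed"))
        elif hashlib.sha256(data).hexdigest() != entry["hash"]:
            pending.append((name, "hash changed"))
    return pending

def demo_update_list(local_rev=41, db_rev=42):
    # Constructed sample data: names, contents, roles and revisions are made up.
    db_files = {
        "Tool.exe": db_entry(b"original tool binary", ["Workstation"]),
        "Lib.dll": db_entry(b"original lib bytes!!", ["Workstation"]),
        "Short.dll": db_entry(b"complete library", ["Workstation"]),
        "New.dll": db_entry(b"added by hotfix", ["Workstation"]),
        "ServerOnly.dll": db_entry(b"job server part", ["Server"]),
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Tool.exe").write_bytes(b"original tool binary")
        (root / "Lib.dll").write_bytes(b"tampered lib bytes!!")  # same size, new content
        (root / "Short.dll").write_bytes(b"truncated")
        return files_to_update(root, db_files, local_rev, db_rev, ["Workstation"])

if __name__ == "__main__":
    for name, reason in demo_update_list():
        print(f"{name}: {reason}")
```

Lib.dll has the same size as its database entry and is caught only by the hash comparison. With equal revision values the function returns an empty list although Lib.dll still differs, because the per-file checks run only after the semaphore comparison.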

Automatic Updating of One Identity Manager Tools

When a program starts up, VI.DB.dll creates a connection to the database and carries out the semaphore test. If the file softwarerevision.viv is not found, a new file is added.

If the One Identity Manager installation directory does not have write access, an error message is displayed and the software update continues.

The update program (Updater.exe) expects a login by an administrator when user account control is active, assuming the logged in user does not have administration permissions for the installation directory (for example %ProgramFiles%). If installation takes place in a directory without user account control, the query does not apply. Then the update process is started.

To prevent further applications from starting during the update, a file called Update.lock is created in the installation directory. The trigger program and the update program (Updater.exe) write their process IDs in the file. The Update.lock file is deleted from the installation directory once updating has been successfully completed. The program is then restarted. To ensure that automatic updating is restarted when an application is restarted after quitting unexpectedly, Update.lock files older than two hours are ignored. If none of the processes whose IDs are saved in the Update.lock file exist on the workstation when the application is restarted, the Update.lock file is also ignored and the update is restarted.
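
The Update.lock rules above as an added Python sketch, not the product's implementation. It assumes the file holds one process ID per line and that its age is taken from the modification time; the guide specifies neither, and the process IDs are constructed.

```python
import os
import tempfile
import time
from pathlib import Path

MAX_LOCK_AGE_SECONDS = 2 * 60 * 60   # lock files older than two hours are ignored

def read_lock_pids(lock_path):
    # Assumed layout: one decimal process ID per line; other lines are skipped.
    pids = set()
    for line in Path(lock_path).read_text().splitlines():
        if line.strip().isdigit():
            pids.add(int(line.strip()))
    return pids

def lock_state(lock_path, running_pids, now=None):
    """Return 'absent', 'stale-age', 'stale-no-process' or 'active'."""
    path = Path(lock_path)
    if not path.is_file():
        return "absent"
    now = time.time() if now is None else now
    if now - path.stat().st_mtime > MAX_LOCK_AGE_SECONDS:
        return "stale-age"             # ignored regardless of the listed processes
    if not read_lock_pids(path) & set(running_pids):
        return "stale-no-process"      # trigger program and updater are both gone
    return "active"                    # an update is in progress: do not start

def demo_lock():
    # Constructed scenario: 4312 and 5120 stand for the trigger program and the updater.
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        lock = Path(tmp) / "Update.lock"
        results["missing"] = lock_state(lock, {4312})
        lock.write_text("4312\n5120\n")
        now = time.time()
        results["updater running"] = lock_state(lock, {5120, 888}, now)
        results["both gone"] = lock_state(lock, {888}, now)
        old = now - 3 * 60 * 60
        os.utime(lock, (old, old))     # make the lock file three hours old
        results["three hours old"] = lock_state(lock, {4312, 5120}, now)
    return results

if __name__ == "__main__":
    for case, state in demo_lock().items():
        print(f"{case}: {state}")
```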

The semaphore test is carried out by VI.DB.dll on a cyclical basis during normal operations. If a file is identified for update, the update process is started automatically.

User Intervention in Automatic Updating of One Identity Manager Tools

Once the automatic One Identity Manager tool update has been identified on a workstation, the user is prompted to close all open programs. Updating starts after the user has closed all the programs.

The configuration parameter "Common\AutoUpdate\AllowOutOfTimeApps" controls whether One Identity Manager tools users can decide when their workstation is updated.

  • Users have no possibility to intervene in the update if the configuration parameter is not set. The update is executed immediately.
  • If the configuration parameter is set, the logged in user is prompted with a message. The user can decide whether the One Identity Manager tools update takes place on the workstation straight away or at a later time.

    If the user does not want to update immediately, he can continue working. The update is started the next time the program is started.

Updating the One Identity Manager Service Automatically

Automatic software updating is the default method for updating the One Identity Manager Service on servers. However, the update method takes into account that it may be essential to exclude certain servers from being updated automatically and to update them manually.

The One Identity Manager Service returns the actual state of the semaphore "SoftwareRevision" after each request following a process step. If this value differs from the value in the database, the Job server is labeled with "updating" in the database and no more normal process steps are sent to it.

A Job server update is executed depending on the method set in the configuration parameter "Common\Autoupdate\ServiceUpdateType".

First, the start time of the last change is determined from the file SoftwareRevision.viv. A list is compiled of all files with additional information specifying whether each file is new or not. This list is evaluated on the Job server to be updated and another list is compiled specifying which files will be updated. One Identity Manager Service is restarted if any one of the files has changed on the Job server. After the update is completed, the Job server label is reset in the database.

Automatically Updating Web Applications

In principle, web applications support automatic software update. However, a few web applications may require extra configuration to take part in automatic software update.

NOTE: The following permissions are required for automatic updating:

  • The user account for updating requires write permissions for the application directory.
  • The user account for updating requires the local security policy "Log on as a batch job".
  • The user account, under which the application pool runs, requires the local security policies "Replace a process level token" and "Adjust memory quotas for a process".

Updating the web application requires restarting the application. The web server restarts the web application automatically when it has been idle for a defined length of time. This may take some time or be prevented by continuous user requests. Some web applications offer you the option to restart manually.

When a web application update is identified, new files are copied from the database to a temporary directory on the server. Updater.exe is started and waits until the web application process has shut down. Updater.exe then copies the files from the temporary directories into the web application directory.

Implementing Automatic Software Update

IMPORTANT:

  • Use the installation wizard to update the workstation on which the schema installation of the One Identity Manager database is started.
  • Use the installation wizard to update the One Identity Manager Service on the update server.

Permissions for Automatic Software Update

  • It is recommended that you apply full access rights to the One Identity Manager installation directory for automatic updating of One Identity Manager tools.
  • The service's user account needs full access to the One Identity Manager Service installation directory in order to automatically update One Identity Manager.

To implement automatic software updating

  1. Ensure that an update server is set up. This server ensures that the other servers are updated automatically.
    1. This server must be entered in the database as a Job server with the server function "Update server".
    2. A One Identity Manager Service with direct access to the database must be installed and configured on the server.
    3. Exclude this server from automatic update. Set the option No automatic software update in the Designer on the Job server with the server function "Update server".
  2. Set the configuration parameter "Common\Autoupdate" in the Designer.
    • If the configuration parameter is set, One Identity Manager files, which do not have the current revision status, are updated automatically.
    • If the configuration parameter is not set, there is no automatic software update.
  3. Use the configuration parameter "Common\AutoUpdate\AllowOutOfTimeApps" to specify whether One Identity Manager tools users can decide when their workstation is updated.
    • If the configuration parameter is set, users of One Identity Manager tools are prompted to decide whether they want to update now or later.
    • If the configuration parameter is not set, One Identity Manager tools are updated immediately.
  4. Specify which method to use for updating the One Identity Manager Service in the configuration parameter "Common\Autoupdate\ServiceUpdateType".

    Table 40: Method for Configuration Parameter "Common\Autoupdate\ServiceUpdateType"

    | Method | Meaning |
    |---|---|
    | Queue | A process for distributing files is queued in the Job queue. |
    | DB | The files are loaded straight from the database. Implement this procedure if all Job servers have a direct connection to the database. |
    | Auto | All root servers are filled straight from the database. A process is set up in the Job queue for all leaf servers. The root servers must have a direct database connection for this method. |

  5. Set No automatic software update in the Designer on a Job server to exclude it from automatic update.
  6. Web applications may require some individual configuration settings. Check the configuration settings.