Identity Manager 8.0 - Installation Guide


Minimum System Requirements for the Web Server

The following system prerequisites must be fulfilled to install the Web Portal on a Web Server.

Table 11: System Requirements - Web Server

Processor: 4 physical cores 1.65 GHz+

Memory: 4 GB RAM

Hard drive storage: 40 GB

Operating system

Windows operating system

The following versions are supported:

  • Windows Server 2008 (non-Itanium based 64-bit) Service Pack 2 or later
  • Windows Server 2008 R2 (non-Itanium based 64-bit) Service Pack 1 or later
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016

Linux operating system

  • Linux operating system (64 bit), supported by the Mono project or Docker images provided by the Mono project. Note the operating system manufacturer's minimum requirements for Apache HTTP Server.

Additional software

Windows operating system

  • Microsoft .NET Framework Version 4.5.2 or later

    NOTE: Microsoft .NET Framework version 4.6 is not supported.
  • Windows Installer
  • Microsoft Internet Information Service 7, 7.5, 8, 8.5 or 10 with ASP.NET 4.5.2 and Role Services:
    • Web Server > Common HTTP Features > Static Content
    • Web Server > Common HTTP Features > Default Document
    • Web Server > Application Development > ASP.NET
    • Web Server > Application Development > .NET Extensibility
    • Web Server > Application Development > ISAPI Extensions
    • Web Server > Application Development > ISAPI Filters
    • Web Server > Security > Basic Authentication
    • Web Server > Security > Windows Authentication
    • Web Server > Performance > Static Content Compression
    • Web Server > Performance > Dynamic Content Compression

Linux operating system

  • NTP - Client
  • Mono 4.6 or later
  • Apache HTTP Server 2.0 or 2.2 with the following modules:
    • mod_mono
    • rewrite
    • ssl (optional)

Minimum System Requirements for the Application Server


The application server provides a connection pool for accessing the database and stores business logic. You must fulfill the following system prerequisites for installing the One Identity Manager on an application server.

Table 12: System Requirements - Application Server

Processor: 8 physical cores 2.5 GHz+

Memory: 8 GB RAM

Hard drive storage: 40 GB

Operating system

Windows operating system

The following versions are supported:

  • Windows Server 2008 (non-Itanium based 64-bit) Service Pack 2 or later
  • Windows Server 2008 R2 (non-Itanium based 64-bit) Service Pack 1 or later
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016

Linux operating system

  • Linux operating system (64 bit), supported by the Mono project or Docker images provided by the Mono project. Note the operating system manufacturer's minimum requirements for Apache HTTP Server.

Additional software

Windows operating system

  • Microsoft .NET Framework Version 4.5.2 or later

    NOTE: Microsoft .NET Framework version 4.6 is not supported.
  • Windows Installer
  • Microsoft Internet Information Service 7, 7.5, 8, 8.5 or 10 with ASP.NET 4.5.2 and Role Services:
    • Web Server > Common HTTP Features > Static Content
    • Web Server > Common HTTP Features > Default Document
    • Web Server > Application Development > ASP.NET
    • Web Server > Application Development > .NET Extensibility
    • Web Server > Application Development > ISAPI Extensions
    • Web Server > Application Development > ISAPI Filters
    • Web Server > Security > Basic Authentication
    • Web Server > Security > Windows Authentication
    • Web Server > Performance > Static Content Compression
    • Web Server > Performance > Dynamic Content Compression

Linux operating system

  • NTP - Client
  • Mono 4.6 or later
  • Apache HTTP Server 2.0 or 2.2 with the following modules:
    • mod_mono
    • rewrite
    • ssl (optional)

Users and Permissions for One Identity Manager


Table 13: Users for One Identity Manager
Users Permissions

Database Users for Installing One Identity Manager

SQL Server:

For more information, see Permissions for SQL Server Database Users.

Oracle Database:

For more information, see Permissions for Oracle Database Users.

Database Users for One Identity Manager in Operation

SQL Server:

For more information, see Permissions for SQL Server Database Users.

Oracle Database:

For more information, see Permissions for Oracle Database Users.

Database Users for End Users

SQL Server:

End users that only work with the Web Portal, for example, only have to be members of the database role "basegroup".

Oracle Database:

For more information, see Permissions for Oracle Database Users.

User for Logging into One Identity Manager

One Identity Manager uses different authentication modules for logging in to administration tools. Authentication modules identify the system users to be used and load the user interface and database resource editing permissions depending on their permission group memberships.

For more information, see Appendix: One Identity Manager Authentication Modules.

User account for the One Identity Manager Service

The user account for the One Identity Manager Service requires access rights to carry out operations at file level (issuing user rights, adding directories and files to be edited).

The user account must belong to the group "Domain Users".

The user account must have the extended access right "Log on as a service".

The user account requires access rights to the internal web service.

NOTE: If the One Identity Manager Service runs under the network service (NT Authority\NetworkService), you can issue access rights for the internal web service with the following command line call:

netsh http add urlacl url=http://<IP address>:<port number>/ user="NT AUTHORITY\NETWORKSERVICE"

The user account needs full access to the One Identity Manager Service installation directory in order to automatically update the One Identity Manager.

In the default installation the One Identity Manager is installed under:

  • %ProgramFiles(x86)%\One Identity (on 32-bit operating systems)
  • %ProgramFiles%\One Identity (on 64-bit operating systems)

NOTE: Other target system specific permissions may be required for synchronizing the One Identity Manager with each target system. These permissions are explained in the corresponding guide.

For more information, see Setting up Permissions for Creating an HTTP Server.

Permissions for SQL Server Database Users


NOTE: Select "English" as default language.

Database user permissions can be divided into two user types:

  • End user

    End users that only work with the Web Portal, for example, only have to be members of the database role "basegroup".

  • Administrative user

    Administrative users require the permissions listed below. Here, you can differentiate between permissions for installation and permissions for normal operations.

To use One Identity Manager functions to the full, you require the following permissions.

Table 14: Permissions for Database Users under SQL Server

| Permission | For Database | Required for Installation | Required to Operate | Required For |
|---|---|---|---|---|
| Server role "dbcreator"* | | x | - | Creating the database. |
| Server role "processadmin" | | - | x | Required for activities that test and close the connection. |
| Database role "db_owner" | One Identity Manager | x | x | Creating the database. Database operations. |
| Database role "basegroup"** | One Identity Manager | - | x | Internal permissions roles for database objects. |
| Permissions "Execute" | Master | x | x | Starting the SQL server agent. |
| Database role "SQLAgentUserRole" | msdb | - | x | Running database schedules. |
| Database role "db_Datareader" | msdb | - | x | Reading and changing database schedules. |
| Database role "SQLAgentOperatorRole" | msdb | x | x | Defining database schedules. |
| Permissions "Connect" | tempdb | x | x | Checks for single-user mode requirement during start up. |

*) The permissions are only required if the database is created using the Configuration Wizard.

**) The database role "basegroup" is added during initial schema installation of the One Identity Manager by default.

NOTE: If the user account for the database user is changed after migration, the new database user must be entered as the owner of the database schedule afterwards. Otherwise, errors occur when running the database schedules.
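
The installation/operation split in Table 14 can be checked mechanically. The following is an added example, not part of the One Identity documentation: it encodes Table 14 and compares a constructed list of direct grants for an administrative database user against what a given phase requires. The scope label "server", the placeholder "<OneIM database>" and all function names are assumptions made for this example.

```python
# Added example: Table 14 as data plus a least-privilege check on direct grants.
# Assumptions: "server" labels server roles, "<OneIM database>" is a placeholder
# for the One Identity Manager database; nested role membership is not resolved.

# (scope, grant) -> (required for installation, required to operate)
TABLE_14 = {
    ("server", "dbcreator"): (True, False),  # only if the Configuration Wizard creates the DB
    ("server", "processadmin"): (False, True),
    ("<OneIM database>", "db_owner"): (True, True),
    ("<OneIM database>", "basegroup"): (False, True),
    ("master", "EXECUTE"): (True, True),
    ("msdb", "SQLAgentUserRole"): (False, True),
    ("msdb", "db_Datareader"): (False, True),
    ("msdb", "SQLAgentOperatorRole"): (True, True),
    ("tempdb", "CONNECT"): (True, True),
}

def _norm(grant):
    scope, name = grant
    return (scope.casefold(), name.casefold())

def required(phase, wizard_creates_db=True):
    """Grants that Table 14 marks with 'x' for phase 'install' or 'operate'."""
    column = {"install": 0, "operate": 1}[phase]
    need = {_norm(g) for g, flags in TABLE_14.items() if flags[column]}
    if not wizard_creates_db:  # footnote *) on "dbcreator"
        need.discard(_norm(("server", "dbcreator")))
    return need

def audit(granted, phase, wizard_creates_db=True):
    """Compare the direct grants of an administrative database user with Table 14."""
    have = {_norm(g) for g in granted}
    need = required(phase, wizard_creates_db)
    known = {_norm(g) for g in TABLE_14}
    return {
        "missing": sorted(need - have),             # required in this phase, not granted
        "leftover": sorted((have & known) - need),  # in Table 14, not needed in this phase
        "unlisted": sorted(have - known),           # not in Table 14 at all
    }

# Constructed sample: an installation account reused unchanged for operation.
SAMPLE_GRANTS = [
    ("server", "dbcreator"), ("server", "sysadmin"),
    ("<OneIM database>", "db_owner"), ("master", "EXECUTE"),
    ("msdb", "SQLAgentOperatorRole"), ("tempdb", "CONNECT"),
]

if __name__ == "__main__":
    for kind, grants in audit(SAMPLE_GRANTS, "operate").items():
        print(kind, grants)
```

The "leftover" and "unlisted" entries are the ones to review when an account moves from installation to operation; names are compared case-insensitively.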

Tips for Using Integrated Windows Authentication

Integrated One Identity Manager Service authentication can be used for the Windows and web applications without restriction. Integrated Windows authentication can be used for FAT clients. Use of Windows groups for logging in is supported. To ensure functionality, it is strongly recommended that you use a SQL Server login.

To implement Windows authentication

  • Set up an SQL Server login for the user account on the database server.
  • Enter "dbo" as default schema.
  • Assign the required permissions to the SQL Server login. For more information, see Table 14.