The application server provides a connection pool for accessing the database. Clients send their queries to the application server, which processes the objects, for example, by determining values using templates and sending the results back to the clients. The data from the application is sent to the database when an object is saved.
Before installation ensure that the minimal hardware and software prerequisites are fulfilled on the server.
Note the following for installing an application server:
- If you want to run the One Identity Manager Service or the Designer through an application server, the application server requires sufficient permissions for a configuration user. Use the SQL login for the configuration user to connect to the One Identity Manager database and to authenticate against the One Identity Manager database when you install the application server.
- To limit permissions for end users, you can make other application servers available that use the SQL login for end users.
- To use the Web Portal or full-text search in the Manager, you need an application server with a search service installed on it.
- Start the application server installation locally on the server.
- Use the QBM | AppServer | SessionTimeout configuration parameter to set the timeout in hours after which inactive application server sessions are closed. The default value is 24 hours. Edit the configuration parameter in the Designer.
IMPORTANT: Start the application server installation locally on the server.
To install an application server
- Launch autorun.exe from the root directory of the One Identity Manager installation medium.
- On the installation wizard's home page, perform the following actions:
  - Change to the Installation tab.
  - In the Web-based components section, click Install.
    This starts the Web Installer.
- Select Install application server on the Web Installer and click Next.
- On the Database connection page, perform the following actions:
  - To use an existing connection to the One Identity Manager database, select it in the Select a database connection drop-down.
    - OR -
    To create a new connection to the One Identity Manager database, click Add new connection and enter a new connection.
  - Under Authentication method, specify the method and login data you would like to use.
- On the Installation source page, in the Installation source section, specify where to find the installation data:
  - To retrieve the installation data from the database, enable the Database option.
  - To retrieve the installation data from the installation media (for example, from the hard drive), enable the File system option and enter the path.
- Configure the following settings on the Select setup target page.
  Table 26: Settings for the installation target

  Application name
    Enter the name to use in the browser as the application name.
  Target in IIS
    Select the website on the Internet Information Services where the application is installed.
  Enforce SSL
    Specifies whether secure or insecure websites are available to install.
    If the option is set, only sites secured by SSL can be used for installing. This setting is the default value.
    If this option is not set, insecure websites can be used for installing.
  URL
    Enter the application's URL.
  Install dedicated application pool
    Enable this option if you want to install a separate application pool for each application. This allows applications to be set up independently of one another. If this option is set, each application is installed in its own application pool.
  Application pool
    Select the application pool to use. This can only be entered if the Install dedicated application pool option is not set.
    If you use the DefaultAppPool default value, the application pool has the following syntax:
    <application name>_POOL
  Identity
    Specify the permissions for implementing the application pool. You can use a default identity or a custom user account.
    If you use the ApplicationPoolIdentity default value, the user account has the following syntax:
    IIS APPPOOL\<application name>_POOL
    You can authorize another user by clicking ... next to the box, enabling the Custom account option, and entering the user and password.
  Assign file permissions for application pool identity
    Specify whether the identity that the application pool runs with obtains the file permissions.
  Web authentication
    Specify which type of authentication to use against the web application. You have the following options:
    - Windows authentication (single sign-on)
      The user is authenticated against the Internet Information Services using their Windows user account, and the web application logs in the identity assigned to the user account as role-based. If single sign-on is not possible, the user is diverted to a login page. You can only select this authentication method if Windows authentication is installed.
    - Anonymous
      Login is possible without Windows authentication. The user is authenticated against the Internet Information Services and the web application anonymously, and the web application is directed to a login page.
  Database authentication
    NOTE: You can only see this section if you have selected an SQL database connection on the Database connection page.
    Specify which type of authentication to use against the One Identity Manager database. You have the following options:
    - Windows authentication
      The web application is authenticated against the One Identity Manager database with the same Windows user account that your application pool uses. Login is possible with a user-defined user account or a default identity for the application pool.
    - SQL authentication
      Authentication is completed using an SQL login and password. The SQL login used is from the database connection. Use the [...] button to enter a different SQL login, for example, if the application is run with an access level for end users. This access data is saved in the web application configuration in computer-specific encrypted form.
- On the Assign machine roles page, define the machine roles.
  This enables the machine roles for the application server. The machine roles Search Service and Search Indexing Service are required for indexing the full-text search. These machine roles are always used together.
  NOTE: If you want to use a Web Portal, you will need to use an application server with a search service installed.
- On the Set session token certificate page, select the certificate for creating and checking session tokens.
  NOTE: The certificate must have a key length of at least 1024 bits.
  - To use an existing certificate, set the following:
    - Session token certificate: Select the Use existing certificate entry.
    - Select certificate: Select the certificate.
      NOTE: It is strongly recommended to use the certificate already in use in other application servers and API Servers.
    - Show invalid certificates too: (Optional) Enable this option to show other certificates.
  - To create a new certificate, set the following:
    - Session token certificate: Select the Create new certificate entry.
    - Certificate issuer: Enter the issuer of the certificate.
    - Key length: Specify the key length for the certificate.
    The certificate is entered in the application server's certificate management.
    NOTE: It is strongly recommended to export this newly created certificate and use it in other application servers and API Servers as well, so that all these server components have and use the identical session certificate.
  - To create a new certificate file, set the following:
    - Session token certificate: Select the Generate new certificate file entry.
    - Certificate issuer: Enter the issuer of the certificate.
    - Key length: Specify the key length for the certificate.
    - Certificate file: Enter the directory path and name of the certificate file.
    The certificate file is stored in the specified directory of the web application.
    NOTE: It is strongly recommended to use this newly created certificate in other application servers and API Servers as well, so that all these server components have and use the identical session certificate.
- Specify the user account for automatic updating on the Set update credentials page. The user account is used to add or replace files in the application directory.
  - Use IIS credentials for update: Set this option to use the user account under which the application pool is run for the updates.
  - Use other credentials for updates: To use a different user account, set this option. Specify the domain, the user name, and the user password.
- (Optional) The One Identity Manager History Database is used to provide archived data for analysis in reports and the TimeTrace. If you access the One Identity Manager History Database through an application server, enter the One Identity Manager History Database ID and the connection parameters on the Edit History Database connections page.
  NOTE: You can enter the One Identity Manager History Database's connection parameters at a later date. Use the appsettings.json configuration file to do this.
  For more information about connecting to the One Identity Manager History Database through an application server and the required configuration, see the One Identity Manager Data Archiving Administration Guide.
- Installation progress is displayed on the Setup is running page. After installation is complete, click Next.
- Click Finish on the last page to end the program.
- Close the autorun program.
NOTE: The Web Installer generates both the web application and the appsettings.json configuration file. The Web Installer uses default values for the configuration settings. You can keep these values but it is recommended you check the settings. You will find the appsettings.json configuration file in the web application installation directory in the Internet Information Services.
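The following PowerShell script is an added example and is not part of the One Identity Manager product or its documentation. It checks the session token certificate selected or created in the Set session token certificate step against the 1024-bit minimum stated there, confirms that a private key is present and the certificate has not expired, and then exports the certificate so that it can be imported on the other application servers and API Servers, as the NOTEs in that step recommend. The thumbprint and the export path are placeholders, and the script assumes it runs elevated on the server where the certificate lives and that the private key was created as exportable.

```powershell
# Added example (not One Identity Manager code): inspect the session token certificate
# and export it for reuse on other application servers and API Servers.
# Assumptions: run elevated on the server holding the certificate, the private key
# is exportable, and $Thumbprint / $ExportPath are placeholders for your installation.
$Thumbprint = 'PLACEHOLDER-THUMBPRINT'        # copy from the certificate chosen or created in the wizard
$ExportPath = 'C:\Secure\session-token.pfx'   # placeholder; restrict this folder to administrators
$MinKeyBits = 1024                            # minimum key length stated in the installation step

function Test-SessionTokenCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [int]$MinimumKeyBits
    )
    # GetRSAPublicKey returns $null for non-RSA keys; those are reported with KeySize 0.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Certificate)
    [pscustomobject]@{
        Thumbprint    = $Certificate.Thumbprint
        Subject       = $Certificate.Subject
        Issuer        = $Certificate.Issuer
        KeySize       = if ($rsa) { $rsa.KeySize } else { 0 }
        KeyLengthOk   = [bool]($rsa -and $rsa.KeySize -ge $MinimumKeyBits)
        HasPrivateKey = $Certificate.HasPrivateKey
        Expired       = ($Certificate.NotAfter -lt (Get-Date))
    }
}

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $Thumbprint
if (-not $cert) { throw "Certificate $Thumbprint not found in LocalMachine\My." }

$check = Test-SessionTokenCertificate -Certificate $cert -MinimumKeyBits $MinKeyBits
$check | Format-List
if (-not $check.KeyLengthOk)   { throw "Key length $($check.KeySize) is below the required $MinKeyBits bits." }
if (-not $check.HasPrivateKey) { throw "No private key: session tokens cannot be signed with this certificate." }
if ($check.Expired)            { throw "Certificate expired on $($cert.NotAfter); session tokens would be rejected." }

# Export with the private key so that every other application server and API Server can
# import the identical certificate (Import-PfxCertificate on each target). The PFX password
# is read interactively instead of being stored in the script.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath $ExportPath -Password $pfxPassword | Out-Null
Write-Host "Exported $($cert.Thumbprint) to $ExportPath. Compare this thumbprint on every server after import."
```

After importing the PFX on each target server, run only the `Test-SessionTokenCertificate` part there and compare the thumbprints: a mismatch means that server issues session tokens the others will not accept.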
You can access the application server from a browser.
Use the appropriate URL for this:
http://<server name>/<application name>
https://<server>/<application name>
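The following PowerShell script is an added example and is not part of the One Identity Manager product or its documentation. It verifies, after the Web Installer has finished, that the settings from Table 26 took effect on the IIS host: the target website has an HTTPS binding (Enforce SSL), the dedicated application pool `<application name>_POOL` exists and runs as ApplicationPoolIdentity, and the application directory carries an ACL entry for `IIS APPPOOL\<application name>_POOL` without having been opened to Everyone. The application name, website name and the use of the WebAdministration module are assumptions; run it elevated on the IIS server.

```powershell
# Added example (not One Identity Manager code): verify the IIS target settings from
# Table 26 after installation. Assumptions: run elevated on the IIS host, the
# WebAdministration module is available, $AppName and $SiteName are placeholders.
Import-Module WebAdministration

$AppName  = 'AppServer'               # placeholder: the "Application name" entered in the wizard
$SiteName = 'Default Web Site'        # placeholder: the "Target in IIS" website
$PoolName = "${AppName}_POOL"         # naming scheme for a dedicated application pool
$Identity = "IIS APPPOOL\$PoolName"   # pool identity account when ApplicationPoolIdentity is used

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Enforce SSL: the site should expose an HTTPS binding; a remaining HTTP binding is reported
#    because session tokens and login data would otherwise travel in clear text.
$bindings = Get-WebBinding -Name $SiteName
if (-not ($bindings | Where-Object protocol -eq 'https')) {
    $findings.Add("Site '$SiteName' has no HTTPS binding.")
}
$bindings | Where-Object protocol -eq 'http' | ForEach-Object {
    $findings.Add("Site '$SiteName' still has an HTTP binding ($($_.bindingInformation)).")
}

# 2. Dedicated application pool: it must exist and use the built-in ApplicationPoolIdentity,
#    so the application server does not run under a shared or over-privileged account.
$poolPath = "IIS:\AppPools\$PoolName"
if (-not (Test-Path $poolPath)) {
    $findings.Add("Dedicated application pool '$PoolName' not found.")
} else {
    $identityType = (Get-ItemProperty $poolPath -Name processModel).identityType
    if ($identityType -ne 'ApplicationPoolIdentity') {
        $findings.Add("Pool '$PoolName' runs as '$identityType' instead of ApplicationPoolIdentity.")
    }
}

# 3. File permissions for the pool identity: the pool account needs an ACL entry on the
#    application directory, but the directory must not have been opened to Everyone.
$app = Get-WebApplication -Site $SiteName -Name $AppName
if ($null -eq $app) {
    $findings.Add("Web application '$AppName' not found under site '$SiteName'.")
} else {
    $physicalPath = [System.Environment]::ExpandEnvironmentVariables($app.PhysicalPath)
    $acl = Get-Acl -Path $physicalPath
    if (-not ($acl.Access | Where-Object { $_.IdentityReference.Value -eq $Identity })) {
        $findings.Add("No ACL entry for '$Identity' on '$physicalPath'.")
    }
    $acl.Access | Where-Object { $_.IdentityReference.Value -eq 'Everyone' } | ForEach-Object {
        $findings.Add("'$physicalPath' grants '$($_.FileSystemRights)' to Everyone.")
    }
}

if ($findings.Count -eq 0) {
    Write-Host "OK: '$AppName' has an HTTPS binding, pool '$PoolName' runs as ApplicationPoolIdentity, and the expected ACL entry is present."
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

If you chose a custom account as the pool identity instead of ApplicationPoolIdentity, replace the `$Identity` value with that account (DOMAIN\user) and accept `SpecificUser` as the expected `identityType`; the rest of the checks apply unchanged.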
TIP: You can open the web server's status display in the Job Queue Info. In the Job Queue Info, select View > Server state in the menu and, on the Web servers tab, open the web server status display from the Open in browser context menu.
You will see different status information. Status information for the application server is displayed as performance indicators. Users with the AppServer_Logs program function see the log.
In addition, API documentation is available here. To access the REST API in the application server, users require the AppServer_API program function. For more information about the REST API, see the One Identity Manager REST API Reference Guide.