Identity Manager 8.1 - Installation Guide


Installing and configuring the One Identity Manager database

Important: Always start the Configuration Wizard on an administrative workstation. If you start the Configuration Wizard on a server on which you also want to configure a One Identity Manager Service, simply skip the section for installing the service on the local server in the Configuration Wizard.

To install a database in the Configuration Wizard

  1. Start the Configuration Wizard.
  2. Select the Create and install a database option on the Configuration Wizard home page and click Next.

  3. To use an existing database, perform the following steps in the Create administrative connection view.

    1. Enable Advanced.

    2. In the Advanced options area, set the Use an existing, empty database for installation option.

    3. Enter the following connection data for the database.

      • Server: Database server. Enter the server name or select a server from the list.

      • (Optional) Windows Authentication: Specifies whether integrated Windows authentication is used. This type of authentication is not recommended. If you decide to use it anyway, ensure that your environment supports Windows authentication.

      • User: SQL Server Login name of the installation user.

      • Password: Password for the installation user.

      • Database: Select the database.

    - OR -

    To install a new database, enter the following database connection data in the Create administrative connection view.

    • Server: Database server. Enter the server name or select a server from the list.

    • (Optional) Windows Authentication: Specifies whether integrated Windows authentication is used. This type of authentication is not recommended. If you decide to use it anyway, ensure that your environment supports Windows authentication.

    • User: SQL Server Login name of the installation user.

    • Password: Password for the installation user.

  4. If you are using an existing database, on the Create database view, Installation source area, select the directory containing the installation files.

    - OR -

    If you are creating a new database, perform the following tasks on the Create database page.

    1. In the area Database properties, enter the following information about the database.

      Table 16: Database properties

      Database name: Name of the database.

      Data directory: Directory in which the data file is created. You have the following options:

        • <Default>: Default installation directory of the database server.
        • <browse>: Select a directory using the file browser.
        • <Directory name>: Directory in which data files are already installed.

      Log directory: Directory in which the transaction log file is created. You have the following options:

        • <Default>: Default installation directory of the database server.
        • <browse>: Select a directory using the file browser.
        • <Directory name>: Directory in which transaction log files are already installed.

      Memory tables directory: Directory for the data file group and database file for memory-optimized tables. You have the following options:

        • <Default>: Default installation directory of the database server.
        • <browse>: Select a directory using the file browser.
        • <Directory name>: Directory in which data files for memory-optimized tables are already installed.

      Initial size: Initial size of the database files. You have the following options:

        • <Default>: Default entry for the database server.
        • <custom>: User-defined entry.
        • One of several recommended sizes, depending on the number of employees being administered.

    2. Select the directory with the installation files in Installation source.

  5. Select the configuration module on Select configuration module.

    • If you started the Configuration Wizard from the install wizard, the configuration modules for the selected edition are already activated. Check the module selection in this case.
    • Select the configuration module at this point if you started the Configuration Wizard directly. Dependent configuration modules are selected automatically.
  6. On the Create a new login for administrators page, decide which SQL Server login to use for administrative users. You have the following options:

    • Create new SQL Server logins for the database: Select this option if you want to set up a new administrative login on the SQL Server. Further SQL Server logins with permissions for system configuration and for end users are created after the database has been migrated.

      Enter the login name, password and password confirmation for the new SQL Server login.

      NOTE: The password must meet the Windows policy requirements for passwords.

    • Use the current SQL Server login for the database: If you select this option, no other SQL Server logins are created for the database. In this case, you cannot work with granular permissions at SQL Server level; every connection to the database uses the login you specified.

      NOTE: If you want to switch to granular permissions at a later time, contact Support. To access the Support Portal, go to https://support.oneidentity.com/identity-manager/.

  7. Errors that prevent the database from being processed are displayed on the Database check page. Correct these errors before you continue with the installation.

  8. The installation steps are shown on the Processing database page.

    Installation and configuration of the database is automatically carried out by the Configuration Wizard. This procedure may take some time depending on the amount of data and system performance. Once processing is complete, click Next.

    TIP: Set Advanced to obtain detailed information about processing steps and the migration log.

  9. On the Create SQL server logins page, enter the login name, the password, and password confirmation for the SQL Server logins for configuration users and end users.

    NOTE: The password must meet the Windows policy requirements for passwords.

  10. On the System information page, enter the customer information and create administrative system users for One Identity Manager.

    1. In the Customer information area, enter the full name of the company.
    2. In the System user area, you configure the predefined administrative system users and enter your own administrative system users.
      • Enter a password and password confirmation for the predefined system users.
      • To create customer-specific system users, click the button and enter the name, password and password confirmation.

      TIP: Use the <...> button next to the name of a system user to configure further settings for that system user. You can also adjust these settings in the Designer at a later time.
    3. (Optional) Create custom permissions groups.

      The Configuration Wizard creates custom permissions groups, which you can use to define permissions for any custom schema extensions you require.

      • For non-role-based login, the permissions groups CCCViewPermissions and CCCEditPermissions are created. Administrative system users are automatically added to these permissions groups.

      • For role-based login, the permissions groups CCCViewRole and CCCEditRole are created.

      To create additional permissions groups

      1. Enable the Advanced option and in the Permissions groups area, click the button.

      2. Enter the name for the permissions group. Label custom permission groups with the prefix CCC.

      3. For role-based permissions groups, enable the Role-based option.

  11. On the Service installation page, you can create a Job server for the server on which the One Identity Manager database is installed.

    NOTE: If you do not want to set up a One Identity Manager Service at this stage, select Skip service installation.

    1. Enter the following information to install the One Identity Manager Service.

      Table 17: Installation data

      Computer: Server on which the service is installed and started. Enter a name for the server, or select an entry from the list.

      Service account: User account under which the One Identity Manager Service runs.

        • Set the Local system account option. This starts the One Identity Manager Service under the NT AUTHORITY\SYSTEM account.

          - OR -

        • Enter user account, password and password confirmation.

      Installation account: Administrative user account used to install the service.

        • Enable Advanced.

        • Enable the Current user option. This uses the user account of the current user.

          - OR -

        • Enter user account, password and password confirmation.

      Machine roles: Specify the machine role. The Job server machine role is defined by default. You can add more machine roles.

    2. To check the One Identity Manager Service configuration, enable Advanced.

      NOTE: The initial service configuration is predefined already. If further changes need to be made to the configuration, you can do this later with the Designer. For more detailed information about configuring the One Identity Manager Service, see the One Identity Manager Configuration Guide.

    3. Click Next to start installing the service.

      Installation of the service occurs automatically and may take some time.

      NOTE: The service is entered with the name One Identity Manager Service in the server service management.

  12. Click Finish on the last page of Configuration Wizard.
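The procedure above creates SQL Server logins for administrators (step 6) and for configuration users and end users (step 9), each with a password that must satisfy the Windows password policy. The following PowerShell script is an added example and is not part of the One Identity Manager documentation: after the Configuration Wizard has finished, it checks from an administrative workstation that the logins exist, that SQL Server enforces the Windows password policy on them (CHECK_POLICY = ON, which is the setting behind the wizard's note), and which database roles each login's database user holds. The instance name, database name and login names are assumptions for this example; the script needs the SqlServer PowerShell module for Invoke-Sqlcmd.

```powershell
# Added example; this is not part of the One Identity Manager documentation.
# Post-installation check of the SQL Server logins created by the Configuration Wizard.
# Requires the SqlServer PowerShell module (Install-Module SqlServer).
# Instance, database and login names below are assumptions for this example.
$Instance = 'SQLSRV01\OneIM'                                # assumed SQL Server instance
$Database = 'OneIM'                                         # assumed One Identity Manager database
$Logins   = @('OneIM_Admin', 'OneIM_Config', 'OneIM_User')  # assumed names entered in the wizard

# A login that can read sys.sql_logins and the database principals; the installation
# user from step 3 is sufficient. Prompting keeps the password out of the script and history.
$Cred = Get-Credential -Message 'SQL Server login used for this check'

$inList = ($Logins | ForEach-Object { "'" + $_.Replace("'", "''") + "'" }) -join ', '

# 1. Server level: each login must exist and enforce the Windows password policy.
#    CHECK_POLICY = ON is the SQL Server setting behind the wizard's note that the
#    password "must meet the Windows policy requirements".
$loginQuery = @"
SELECT name, is_policy_checked, is_expiration_checked, is_disabled
FROM sys.sql_logins
WHERE name IN ($inList);
"@
$loginRows = Invoke-Sqlcmd -ServerInstance $Instance -Database 'master' -Credential $Cred -Query $loginQuery

foreach ($name in $Logins) {
    $row = $loginRows | Where-Object { $_.name -eq $name }
    if (-not $row) {
        Write-Warning "Login '$name' does not exist. If 'Use the current SQL Server login' was selected,"
        Write-Warning "there are no separate logins and every tool connects as the installation user."
        continue
    }
    if (-not $row.is_policy_checked) {
        Write-Warning "Login '$name' has CHECK_POLICY = OFF: the Windows password policy is not enforced."
    }
    if ($row.is_disabled) { Write-Warning "Login '$name' is disabled." }
}

# 2. Database level: which database user each login maps to and which roles that user holds.
#    Compare the result with 'Permissions for the One Identity Manager database'; a login
#    holding more roles than its task needs (for example the end-user login in db_owner)
#    defeats the granular permissions the wizard set up.
$roleQuery = @"
SELECT u.name AS db_user, sp.name AS login_name, r.name AS db_role
FROM sys.database_principals u
JOIN sys.server_principals sp ON sp.sid = u.sid
LEFT JOIN sys.database_role_members rm ON rm.member_principal_id = u.principal_id
LEFT JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
WHERE sp.name IN ($inList)
ORDER BY u.name, r.name;
"@
Invoke-Sqlcmd -ServerInstance $Instance -Database $Database -Credential $Cred -Query $roleQuery |
    Format-Table db_user, login_name, db_role -AutoSize
```

Recent versions of the SqlServer module encrypt the connection by default and reject a self-signed server certificate; on a test server add -TrustServerCertificate to both Invoke-Sqlcmd calls rather than disabling encryption. A missing login is the expected result if Use the current SQL Server login was chosen in step 6; the warning is there because that choice is easy to forget and, as the page notes, cannot be reversed without contacting Support.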


Editing the One Identity Manager database during setup using the Configuration Wizard

Installation and configuration of the One Identity Manager database is automatically carried out by the Configuration Wizard. The Configuration Wizard can create a new database and install the One Identity Manager schema. Alternatively, the One Identity Manager schema can be installed in an existing database.

The Configuration Wizard performs the following steps when processing the database:

  • Creating the required SQL Server logins and database users with permissions for the administrative user, configuration user and end user. For more information, see Permissions for the One Identity Manager database.
  • Installing the One Identity Manager schema.

    Before the schema installation can take place the Configuration Wizard tests the database. Error messages are displayed in a separate window. The errors must be corrected manually. The schema installation cannot be started until these are resolved.

    All required tables, data types and database procedures are loaded into the database through migration. The selected editions and configuration modules are enabled. During migration, calculation tasks are queued in the database; these are processed by the DBQueue Processor.

    When a schema is installed with the Configuration Wizard, migration date and migration revision are recorded in the database's transport history.

  • Compiling the system.

    Scripts, templates and processes are declared in the database. The System user authentication module with the viadmin system user is used for compilation.

  • Uploading files for automatic software update.

    In order to distribute One Identity Manager files using the automatic software updating mechanism, the files are loaded into the One Identity Manager database.

  • Creating administrative system users and permissions groups.

    A system user is required for authentication in One Identity Manager. One Identity Manager provides various system users whose permissions are matched to the various tasks. For detailed information about system users, access rights and granting permissions, see the One Identity Manager Authorization and Authentication Guide.

    The viadmin system user is the default system user in One Identity Manager. This system user can be used to compile and initialize the One Identity Manager database and for the first user login to the administration tools.

    IMPORTANT: Do not use the viadmin system user in a live environment. Create your own system user with the appropriate permissions.

    Custom system users are created as administrative system users by the Configuration Wizard. Administrative system users are automatically added to all non-role-based permissions groups, and are assigned all permissions of the system user viadmin.

  • Installing and configuring a One Identity Manager Service with direct access to the database for handling SQL processes and automatic server software updates.

    The One Identity Manager Service handles defined processes. The service has to be installed on the One Identity Manager network server to execute the processes. The server must be declared as a "Job server" in the One Identity Manager database.

    During the initial schema installation, the Configuration Wizard already creates a Job server in the One Identity Manager database for the server on which the database is installed. This Job server receives the server functions SQL processing server and Update server.

    • The SQL processing server handles SQL processes.
    • The update server ensures that software is updated automatically on other servers.

    The SQL processing server and the update server require a direct connection to the One Identity Manager database to handle processes. Use the Configuration Wizard to install the One Identity Manager Service on a server for handling these processes.

    The Configuration Wizard executes the following steps.

    • Installs the One Identity Manager Service components
    • Configures the One Identity Manager Service
    • Starts the One Identity Manager Service
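The service installed here has a direct connection to the database and, in the wizard's default, runs under the Local system account. The following PowerShell script is an added example and not part of the One Identity Manager documentation: run on the Job server, it reads the service's logon account, start mode and command line from the service control manager, warns when the service runs as NT AUTHORITY\SYSTEM, and lists any low-privileged group that can modify the service's program directory. The only assumption is the display name One Identity Manager Service from the note above; everything else is read from the installed service.

```powershell
# Added example; this is not part of the One Identity Manager documentation.
# Review the One Identity Manager Service on a Job server: which account it runs under and
# who can modify its program directory. Run it on that server in an elevated session.
# Only the display name from the installation note is assumed; the rest is read from the service.
$DisplayName = 'One Identity Manager Service'

$svc = Get-CimInstance -ClassName Win32_Service -Filter "DisplayName='$DisplayName'"
if (-not $svc) { throw "Service '$DisplayName' is not installed on this computer." }

"Service name : $($svc.Name)"
"State        : $($svc.State), start mode $($svc.StartMode)"
"Logon account: $($svc.StartName)"
"Command line : $($svc.PathName)"

# 'Local system account' is the quicker choice in the wizard, but NT AUTHORITY\SYSTEM is the
# most privileged account on the host: every process the service handles, and any compromise
# of the Job server, then runs with full local rights. A dedicated service account limits that.
if ($svc.StartName -in @('LocalSystem', 'NT AUTHORITY\SYSTEM')) {
    Write-Warning 'The service runs as NT AUTHORITY\SYSTEM. Consider a dedicated service account.'
}

# Whoever can write to the program directory can replace a binary the service loads on its
# next start and thereby run code as the service account. Only administrators should be able to.
$exe = [regex]::Match($svc.PathName, '^"?([^"]+?\.exe)').Groups[1].Value
$dir = Split-Path -Path $exe -Parent
$lowPrivileged = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
$writeRights   = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, Delete, ChangePermissions, TakeOwnership'

foreach ($ace in (Get-Acl -Path $dir).Access) {
    if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
    $who = $ace.IdentityReference.Value
    if (($lowPrivileged -contains $who) -and (([int]$ace.FileSystemRights -band [int]$writeRights) -ne 0)) {
        Write-Warning "$who can modify $dir ($($ace.FileSystemRights)). Restrict write access to administrators."
    }
}
```

If you switch the service to a dedicated account afterwards, that account needs the Log on as a service right and read/execute access to the program directory; the database permissions it uses are those of the login stored in the service configuration, which is edited in the Designer as the note above says.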

Configuring a One Identity Manager database for testing, development or production

You use the staging level of the One Identity Manager database to specify whether the database is a test database, development database or a live database. A number of database settings are controlled by the staging level. The following database settings are configured when you change the staging level.

Table 18: Database settings for development, test and live environments

Setting                                              Development environment   Test environment   Live environment
Color of the One Identity Manager tools status bar   none                      Green              Yellow
Maximum DBQueue Processor runtime                    20 minutes                40 minutes         120 minutes
Maximum number of slots for DBQueue Processor        5                         7                  Maximum according to the hardware configuration

To modify a database staging level

  1. In the Launchpad, select Database staging level. This starts the Designer.
  2. Select the database and change the value of the Staging level property to Test environment, Development environment or Live environment.
  3. Select Database | Save to database and click Save.

The DBQueue Processor settings for a live environment are sized for normal operation and do not normally need to be changed. They are reduced for test and development environments because several databases may share one server.

If the settings for a test or development environment must be changed for performance reasons, modify the following configuration parameters in the Designer.

Table 19: Configuration parameters for the DBQueue Processor

QBM | DBQueue | CountSlotsMax: Maximum number of slots to be used. Use this configuration parameter to reduce the number of slots if required. Values lower than 5 are not permitted, with one exception: a value of 0 uses the maximum number of slots available based on the hardware configuration.

QBM | DBQueue | KeepAlive: Maximum runtime of the central dispatcher. Tasks on slots currently in use are still processed when the timeout expires; then the slot database schedules are stopped and the central dispatcher exits. The lowest permitted value is 5 minutes; the maximum permitted value is 720 minutes.


Encrypting database information

In certain circumstances, it is necessary to store encrypted information in the One Identity Manager database.

  • In the Designer, use the configuration parameter Common | EncryptionScheme to define which encryption method is used.

    Table 20: Configuration parameter values

    RSA: RSA encryption with AES for large data (default).

    FIPSCompliantRSA: FIPS certified RSA with AES for large data. Use this method if encryption must comply with the FIPS 140-2 standard. The local security policy Use FIPS compliant algorithms for encryption, hashing, and signing must be enabled.

    NOTE: If the configuration parameter Common | EncryptionScheme is not enabled, the RSA method is used.

  • Encryption is carried out using the Crypto Configuration program. This program creates an encryption file and converts the contents of the affected database columns. The encrypted data is stored in the database table DialogDatabase.

NOTE: It is recommended that you create a backup before encrypting the database information in a database. Then you can restore the previous state if necessary.
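Both schemes in Table 20 are hybrid: RSA can only encrypt a short message (a 256-bit key, not a column value of arbitrary length), so each value is encrypted with AES under a fresh key and only that key is wrapped with RSA. The following PowerShell 7 script is an added example and is neither One Identity's code nor the format of the encryption file or of the stored column data; it shows the scheme with .NET primitives, first reading the FIPS policy value that FIPSCompliantRSA depends on. The RSA key pair stands in for the encryption file, the column value is a constructed sample, and the function names are this example's own.

```powershell
using namespace System.Security.Cryptography
using namespace System.Text

# Added example; not One Identity code and not the product's key-file or column format.
# Illustrates "RSA with AES for large data" with .NET primitives (PowerShell 7 / .NET 6+).

# 1. FIPSCompliantRSA needs the local security policy 'Use FIPS compliant algorithms for
#    encryption, hashing, and signing'; Windows stores that policy under this registry key.
$fips = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' -Name Enabled -ErrorAction SilentlyContinue
"FIPS policy enabled: $([bool]$fips.Enabled)"

function Protect-Value {
    param([RSA]$PublicKey, [string]$Plaintext)
    # Fresh 256-bit AES key and 96-bit nonce per value. AES-GCM gives confidentiality and an
    # authentication tag; the AES key is wrapped with RSA-OAEP so only the holder of the
    # private key (the encryption file in the product) can unwrap it.
    $key = [byte[]]::new(32); $nonce = [byte[]]::new(12); $tag = [byte[]]::new(16)
    $rng = [RandomNumberGenerator]::Create()
    $rng.GetBytes($key); $rng.GetBytes($nonce)
    $plain  = [Encoding]::UTF8.GetBytes($Plaintext)
    $cipher = [byte[]]::new($plain.Length)
    $aes = [AesGcm]::new($key)
    $aes.Encrypt($nonce, $plain, $cipher, $tag, [byte[]]@())   # no associated data in this example
    $aes.Dispose()
    $wrappedKey = $PublicKey.Encrypt($key, [RSAEncryptionPadding]::OaepSHA256)
    [Array]::Clear($key, 0, $key.Length)                         # do not leave the AES key around
    # Everything returned here is safe to store next to each other in the database;
    # none of it is useful without the RSA private key.
    return [pscustomobject]@{ WrappedKey = $wrappedKey; Nonce = $nonce; Tag = $tag; Ciphertext = $cipher }
}

function Unprotect-Value {
    param([RSA]$PrivateKey, $Blob)
    $key   = $PrivateKey.Decrypt($Blob.WrappedKey, [RSAEncryptionPadding]::OaepSHA256)
    $plain = [byte[]]::new($Blob.Ciphertext.Length)
    $aes = [AesGcm]::new($key)
    # Decrypt verifies the tag first and throws if ciphertext, nonce or tag were altered.
    $aes.Decrypt($Blob.Nonce, $Blob.Ciphertext, $Blob.Tag, $plain, [byte[]]@())
    $aes.Dispose()
    [Array]::Clear($key, 0, $key.Length)
    return [Encoding]::UTF8.GetString($plain)
}

# The key pair plays the role of the encryption file: it must be backed up and kept
# out of the database, because without the private key the wrapped AES keys are unusable.
$rsa  = [RSA]::Create(3072)
$blob = Protect-Value -PublicKey $rsa -Plaintext 'constructed sample: a target-system password'
"Wrapped key: $($blob.WrappedKey.Length) bytes, ciphertext: $($blob.Ciphertext.Length) bytes"
Unprotect-Value -PrivateKey $rsa -Blob $blob
```

On Windows, RSA.Create and AesGcm are backed by the CNG provider, so the same code serves both the RSA and the FIPSCompliantRSA case; what the policy changes is which algorithm implementations the platform allows, which is why the page makes the policy a prerequisite for FIPSCompliantRSA. The backup recommendation in the note above applies to the example in the same way: the database contents and the private key must be restored together.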
