OS and IDM Installation, v5.0


1. OS Installation

Install SUSE Linux Enterprise Server 15 SP1 with the following options:

  • Select the following Extensions and Modules: “Basesystem Module”, “Server Applications Module”, “Web and Scripting Module” and “Legacy Module”

  • System role: select Text Mode

  • The disk filesystem must be changed from Btrfs to XFS (Btrfs is not supported by eDirectory).
    Liga recommends XFS (for more information see: https://support.microfocus.com/kb/doc.php?id=7017056).

  • Set the server name, IP address, DNS and gateway


Complete the basic OS installation including registration.

Use YaST to install the RPMs needed for eDirectory and iManager, as described in the IDM installation guide:
https://www.netiq.com/documentation/identity-manager-48/setup_linux/data/installing-idm-on-sles-servers.html

Add the packages:

  • glibc-32bit

  • libnsl2

  • libstdc++6-32bit

  • libncurses5

  • libncurses6

  • insserv-compat


libncurses5 is part of the Legacy Module. If the module was not selected during installation, it can be added later from the command line:
SUSEConnect --product sle-module-legacy


If the Web and Scripting Module was missing from the initial installation, it can be added from the command line:
SUSEConnect --product sle-module-web-scripting/15.2/x86_64

Install the required packages for GlobalID:

  • tomcat

  • apache2-mod_jk

  • java-11-openjdk


zypper in tomcat
zypper in apache2-mod_jk
zypper in java-11-openjdk

2. Firewall configuration

Use YaST to configure the SUSE firewall on the server and open the following ports:

  • port 80 and 443 for Tomcat / GlobalID

  • port 8080 and 8443 for Tomcat / iManager

  • port 22 for SSH

Alternatively, from the command line:

sudo firewall-cmd --permanent --zone=public --add-port=80/tcp
sudo firewall-cmd --permanent --zone=public --add-port=443/tcp
sudo firewall-cmd --permanent --zone=public --add-port=8080/tcp
sudo firewall-cmd --permanent --zone=public --add-port=8443/tcp
sudo firewall-cmd --reload

3. IDM Installation

Install MicroFocus IDM 4.8.0 according to the documentation:

https://www.netiq.com/documentation/identity-manager-48/


During the installation please choose:

  • Confirm with “y” that you want to install the “Advanced Edition” of MicroFocus IDM.

  • Select 1, 4 (Identity Manager Engine, iManager Web Administration)

  • After installation, run ./configure.sh to configure IDM. Select #2 “Custom configuration”

  • Specify 1, 2 (Identity Manager Engine, iManager Web Administration)

  • Specify a common password and keep a note of it

  • Identity Vault IP address is the server’s IP address or FQDN

  • Select #1 (Create a new Identity Vault)

  • Name the Identity Vault Tree “GlobalID”

  • Server Context: “servers.system”

  • Identity Vault Administrator name: “cn=admin, ou=sa, o=system”

  • RSA key size: 4096

  • Curve: P384

  • Certificate life: 10 (years)

  • NDS folder location: /var/opt/novell/eDirectory

  • NDS data location: /var/opt/novell/eDirectory/data/dib

  • NCP port: 524

  • LDAP non SSL port: 389

  • LDAP SSL port: 636

  • Identity Vault HTTP port: 8028

  • Identity Vault HTTPS port: 8030

  • NDS configuration file path /etc/opt/novell/eDirectory/conf/nds.conf

  • Identity Vault driver set name: driverset1

  • Identity Vault driver set deploy context: o=system

  • HTTP port number for Tomcat (iManager): 8080

  • SSL port number for Tomcat (iManager): 8443

  • Public key algorithm: RSA

  • Cipher suite for TLS: None

  • iManager Administrative User Distinguished Name: none

  • iManager Administrative User Tree: none


Patch MicroFocus IDM to version IDM 4.8.3 according to the documentation:

https://www.netiq.com/documentation/identity-manager-48/

The IDM 4.8.3 patch includes a mandatory upgrade of eDirectory. During the upgrade of eDirectory, please specify administrator DN: admin.sa.system

Confirm access to iManager in your browser at https://<hostname>:8443/nps

4. Database Installation

Use YaST to install the MariaDB server and mariadb-connector-odbc.

MariaDB should be version 10.3.

Use Yast “System” → “Service Manager” to change the startup option of MariaDB to “auto” and start it now.

Use “mysql_secure_installation” to configure MariaDB:

  • Do not allow unix socket authentication

  • Set password for user “root” and keep a note of it

  • Remove anonymous users: yes

  • Disallow root login remotely: yes

  • Remove test database and access to it: yes

  • Reload privilege tables: yes


5. Camunda Database Configuration

Copy the files from the installation folder GlobalID/sql to the server and change to that directory.

Create the camunda database in MariaDB and import the SQL data:

mysql -u root -p

create database camunda;

use camunda;

source mariadb_engine_7.14.0.sql;

source mariadb_identity_7.14.0.sql;

Create a user for camunda:

create user 'camunda'@'localhost' identified by '<password>';

Make a note of the camunda user’s password.

GRANT ALL PRIVILEGES ON camunda.* TO 'camunda'@'localhost';

FLUSH PRIVILEGES;

exit

6. Camunda Database SSL Configuration

This step is only needed if MariaDB is to be reachable on interfaces other than 127.0.0.1.

Please refer to the guide at https://mariadb.com/kb/en/securing-connections-for-client-and-server/ for details regarding the SSL settings.

Export the server certificate and private key as server-cert.pem and server-key.pem and store the exported files in /etc/mysql/ssl.
Export the root certificate used to issue the server certificate as ca.pem to the same directory, /etc/mysql/ssl.

Certificate exports can be done from the iManager tool at https://<servername>:8443/nps under NetIQ Certificate Access → Server Certificates.

Edit the MariaDB configuration file (/etc/my.cnf), normally at lines 64-66:

[mariadb]
...
ssl_ca = /etc/mysql/ssl/ca.pem
ssl_cert = /etc/mysql/ssl/server-cert.pem
ssl_key = /etc/mysql/ssl/server-key.pem
...

Restart MariaDB for SSL to take effect: systemctl restart mariadb
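Before restarting, it is worth verifying that the three files named in my.cnf exist under exactly the names used in the export step and that the private key is not readable by other accounts. The following Python check is an added example, not part of this guide or of any Liga or MariaDB tool; it assumes the [mariadb] group shown above is read from /etc/my.cnf and applies the guide's rule that TLS is only mandatory when bind-address is not restricted to loopback.

```python
import stat
from pathlib import Path

SSL_KEYS = ("ssl_ca", "ssl_cert", "ssl_key")


def parse_my_cnf(text):
    """Minimal my.cnf parser -> {section: {key: value}}, keys normalised to snake_case."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line[0] in ";!":  # comment or !include directive
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().replace("-", "_")] = value.strip()
    return sections


def check_mariadb_tls(cnf_text):
    """Return a list of findings; an empty list means the TLS setup is consistent."""
    findings, server = [], {}
    cfg = parse_my_cnf(cnf_text)
    for section in ("mysqld", "server", "mariadb"):  # groups the MariaDB server reads
        server.update(cfg.get(section, {}))
    bind = server.get("bind_address", "")
    # The guide only requires TLS when the server is reachable beyond loopback.
    remote = bind not in ("127.0.0.1", "::1", "localhost")
    missing = [k for k in SSL_KEYS if not server.get(k)]
    if missing:
        if remote:
            shown = bind or "<unset>"
            findings.append(f"bind-address '{shown}' is not loopback-only "
                            f"but {', '.join(missing)} not set")
        return findings
    for k in SSL_KEYS:  # catches a path that differs from the exported filename
        if not Path(server[k]).is_file():
            findings.append(f"{k} points to {server[k]}, which does not exist")
    key = Path(server["ssl_key"])
    if key.is_file() and key.stat().st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{key} is readable by group/others; expected mode 0600")
    return findings
```

Run it as `check_mariadb_tls(open("/etc/my.cnf").read())` before the restart; an empty list means no mismatch was found.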