Ensure that your computer meets all the prerequisites described in Prerequisites. Pay particular attention to the instructions for setting up the Microsoft SQL Server and PointBase databases if you plan to use either of these database types.
Install the servlet container for the Administration Server. You can use WebLogic Server 9.2, 9.1, or 8.1 (with Service Pack 4 or Service Pack 5) or Apache Tomcat 5.5.15 as the servlet container.
Do one of the following to acquire a user account on a database server that will provide a policy data store for the Administration Server:
If you plan to use an existing database, get a user account on that database.
If you plan to install a database, install and configure a database server and set up a user account. The ALES Administration Server installation includes an example and documentation that can help you with installing and configuring the policy database. This example is located at BEA_HOME/ales26-admin/examples/DBSetupKit.
During installation, you are prompted to choose an existing BEA Home (BEA_HOME) directory. If you are using WebLogic Server as your servlet container, specify the same BEA Home directory that you specified when you installed WebLogic Server. If you are using Apache Tomcat as your servlet container, the BEA Home directory you choose is a repository for common files that are used by multiple BEA products installed on the same machine. For this reason, the BEA Home directory can be considered a central support directory for the BEA products installed on your system. The files in the BEA Home directory are essential to ensuring that BEA software operates correctly on your system. They perform the following types of functions:
Ensure that licensing works correctly for the installed BEA products
Facilitate checking of cross-product dependencies during installation
The files and directories in the BEA Home (BEA_HOME) directory are described in your WebLogic documentation. Although it is possible to create more than one BEA Home directory, BEA recommends that you avoid doing so. In almost all situations, a single BEA Home directory is sufficient. There may be circumstances, however, in which you prefer to maintain separate development and production environments on a single machine, each containing a separate product stack. With two directories, you can update your development environment (in a BEA Home directory) without modifying the production environment until you are ready to do so.
Product Installation Directory
The product installation directory contains all the software components used to administer BEA AquaLogic Enterprise Security. During installation, you are prompted to choose a product installation directory. If you accept the default, the software is installed in the following directory:
c:\bea\ales26-admin (Windows)
/opt/bea/ales26-admin (Sun Solaris and Linux)
where c:\bea or /opt/bea is the BEA_HOME directory and ales26-admin is the product installation directory. You can specify any name and location on your system for your product installation directory and there is no requirement that you name the directory ales26-admin or create it under the BEA Home directory.
System Security and BEA AquaLogic Enterprise Security
Like any component running on a system, BEA AquaLogic Enterprise Security provides an infrastructure that is only as secure as the operating environment where it is installed. When it is installed on a system, it makes use of that system's security infrastructure to lock itself down and integrate with the security of its environment. Through user, group, and file system permissions, BEA AquaLogic Enterprise Security limits access to many operations according to those permissions.
Which Users Can Install the Administration Server and SSMs?
As of version 2.2 of ALES, the user who installs the Administration Server and SSMs does not require administrator privileges on a Windows platform, or root access on a Sun Solaris or Linux platform. The installation procedures set the file and directory permissions based on the user who runs the installer.
This means that if the user who installs the Administration Server is not the same user who installed the servlet container (WebLogic Server or Apache Tomcat), you can potentially introduce file permission problems. For example, consider that on a Windows platform the WebLogic Server requires access to the BEA_HOME\ales26-admin\set-wls-env.bat file. In this case, you will need to update the file permissions manually or make sure that both users belong to the same user groups.
Note:
Unlike prior versions of AquaLogic Enterprise Security, as of version 2.2 the Administration Server installation does not create or require special users or groups, such as the previously default values of asiadmin, asiadgrp, scmuser, or asiusers.
Registering ALES Services
If the user who installs the Administration Server and SSMs on a Windows platform does not have administrator privileges, the ALES services are not registered in the system and the user has to run all services in console mode.
In this case, run the following commands as a user with administrator privileges to register the Windows services:
ALES Administration Server: WLESadmin.bat register
SCM: WLESscm.bat register
Secure Usernames and Passwords
AquaLogic Enterprise Security implements a sophisticated username and password schema to protect the application itself and to ensure secure communications. Understanding this schema is important to installing the product and ensuring that it operates properly in either a development or production environment.
There are two levels of password protection:
passwords for keystores (secure communication between components)
a password to protect the private keys (the Certificate Authority)
Understanding your enterprise and how responsibilities in your organization are separated is essential to establishing a secure environment. For example, the person who maintains the database is usually not the person who designs and implements security. The person who deploys applications is usually not the person who administers system usernames and passwords. And, while you may not be as concerned with a more formal authorization scheme in your development environment, your production environment needs to be firmly secured and responsibilities clearly defined.
Usernames and passwords are required to access the components listed and described in Table 4-1.
Table 4-1 Usernames and Passwords (Component / Description / Default)

Component: Database Server
Description: A database server account used to connect to the database server where the policy data is stored, and to update policy data using the policy import and export tools.
Default: none

Component: Certificate Authority
Description: Sets the password for the private key of the Certificate Authority. All trust within the enterprise domain originates from this authority.
Default: Randomly generated

Component: Identity Key Passwords (Keystore Passwords)
Description: You also need to supply private key passwords for each of the following identities:
Service Control Manager
Security Service Module
Administration Application
Private key passwords validate process authenticity by using the Certificate Authority chain of trust. Identities with invalid or untrusted keys cannot participate in the trust relationships in the enterprise domain.
Default: Randomly generated

Component: Configure Keystores
Description: You need to supply keystore passwords for each of the Identity, Peer, and Trust keystores.
Identity Keystore - stores and protects the private keys that represent the process's identity or identities.
Peer Keystore - stores and protects the public keys for all trusted identities within the installed component (Administration Application, Security Service Module, or Service Control Manager).
Trust Keystore - stores and protects the public keys for the Certificate Authorities that originate the chain of trust.
Default: Randomly generated
BEA recommends following these guidelines:
Development Environment—In a development environment, you can either use the default values generated during the installation process or you can assign your own usernames and passwords to protect your public and private keys.
Production Environment—In a production environment, you must choose all passwords explicitly. These passwords may be needed for future maintenance of the public key infrastructure (PKI), for example, in the case of a failure. Make sure to write down all password information and retain it in a secure location.
Note:
BEA does not recommend the use of randomly generated passwords, as the generation mechanism for these passwords is not secure. In a production environment, BEA does not recommend installing Security Service Modules on the same machine as the Administration Server.
Generating a Verbose Installation Log
If you start the installation process from the command line or from a script, you can specify the -log option to generate a verbose installation log. The installation log lists messages about events that occur during the installation process, including informational, warning, error, and fatal messages. This can be especially useful for silent installations.
Note:
You may see some warning messages in the installation log. However, unless there is a fatal error, the installation program completes the installation successfully. The installation user interface indicates the success or failure of the installation, and the installation log file includes an entry indicating that the installation was successful.
To create a verbose log file during installation, use the following command lines or scripts:
The -log parameter is optional. By default, the installation log is written to the log directory of the Administration Server installation. If, for some reason, the installer fails, use the following switch to generate even more verbose output: -log_priority=debug.
The path must be the full path to a file name. If the file does not exist, all folders in the path must exist before you execute the command or the installation program does not create the log file.
Starting the Installation Program on Windows Platforms
Note:
Do not install the software from a network drive. Download the software to a local drive on your machine and install it from there.
To install the application in a Microsoft Windows environment:
Shut down any programs that are running.
Log in to the machine. Administrator privilege is not required. As of version 2.2 ALES sets the ownership of all files based on the user who runs the installer.
If you are installing from a CD-ROM, go to step 4. If you are installing by downloading from the BEA web site:
Figure 4-1 AquaLogic Enterprise Security Administration Server Installer Window
Starting the Installation Program on a Sun Solaris Platform
To run graphical-mode installation, your console must support a Java-based GUI. If the installation program determines that your system cannot support a Java-based GUI, the installation program automatically starts console-mode installation.
Before running the installer, ensure the following two things are done.
Ensure the PATH is set correctly.
It is also important to add the /bin directory to PATH and the /lib directory to LD_LIBRARY_PATH. If these settings are changed, you must reboot before the changes become available to processes running as services (which is how the Administration Server initializes itself).
Note:
BEA recommends setting these variables in /etc/profile so they are available to all processes starting from init.
Ensure that the location into which you do the install is accessible to all users at both the parent and the child directory levels. As of version 2.2 of ALES, the user who installs the Administration Server and SSMs does not require administrator privileges on a Windows platform, or root access on a Sun Solaris or Linux platform. The installation procedures set the file and directory permissions based on the user who runs the installer.
For example, if the installation directory is /opt/beahome/ales26-admin and the /opt/ directory is accessible only by root, post-installation scripts that run as a user other than root cannot access the directory where they reside. Therefore, the directory into which you install (for example, /opt/beahome/ales26-admin) and every directory above it must have execute permission for other. Run the following command to reset the permissions:
chmod o+x /opt/
The beahome and ales26-admin directories already have permissions set appropriately.
To install the application on a Sun Solaris platform:
Log in to the machine.
Set your DISPLAY variable if needed.
If you are installing from a CD-ROM, go to step 4. If you are installing by downloading from the BEA web site:
Starting the Installation Program on a Linux Platform
To run graphical-mode installation, your console must support a Java-based GUI. If the installation program determines that your system cannot support a Java-based GUI, the installation program automatically starts console-mode installation.
Before running the installer, ensure the following two things are done.
Ensure the PATH is set correctly.
It is also important to add the /bin directory to PATH and the /lib directory to LD_LIBRARY_PATH. If these settings are changed, you must reboot before the changes become available to processes running as services (which is how the Administration Server initializes itself).
Note:
BEA recommends setting these variables in /etc/profile so they are available to all processes starting from init.
Ensure that the location into which you do the install is accessible to all users at both the parent and the child directory levels. As of version 2.2 of ALES, the user who installs the Administration Server and SSMs does not require administrator privileges on a Windows platform, or root access on a Sun Solaris or Linux platform. The installation procedures set the file and directory permissions based on the user who runs the installer.
For example, if the installation directory is /opt/beahome/ales26-admin and the /opt/ directory is accessible only by root, post-installation scripts that run as a user other than root cannot access the directory where they reside. Therefore, the directory into which you install (for example, /opt/beahome/ales26-admin) and every directory above it must have execute permission for other. Run the following command to reset the permissions:
chmod o+x /opt/
The beahome and ales26-admin directories already have permissions set appropriately.
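The Solaris and Linux permission requirement above is easy to get wrong when the install location is several directories deep, because a single closed ancestor (such as /opt owned by root with mode 750) is enough to break the post-installation scripts. The following Python check is an added example, not part of the BEA documentation or the ALES installer: it walks from the install directory up to the filesystem root, reports every directory that lacks execute permission for other, and then grants only that bit (the equivalent of chmod o+x) rather than opening the directories any further. The directory layout it builds under a temporary directory is constructed for the example.

```python
import os
import stat
import tempfile


def missing_traverse_perms(install_dir, stop_at="/"):
    """Return the directories between install_dir and stop_at (both included)
    that lack the execute-for-other bit, i.e. that other users cannot traverse."""
    offenders = []
    path = os.path.abspath(install_dir)
    stop_at = os.path.abspath(stop_at)
    while True:
        if not os.stat(path).st_mode & stat.S_IXOTH:
            offenders.append(path)
        parent = os.path.dirname(path)
        if path == stop_at or parent == path:  # reached stop_at or the root
            break
        path = parent
    return offenders


def grant_traverse(dirs):
    """Add only o+x to each directory (what `chmod o+x` does), leaving the
    read and write bits for 'other' exactly as they were."""
    for d in dirs:
        current = stat.S_IMODE(os.stat(d).st_mode)
        os.chmod(d, current | stat.S_IXOTH)


def demo():
    """Constructed layout mirroring /opt/beahome/ales26-admin in a temporary
    directory, where only the 'opt' level is closed to other users.
    Returns (directories flagged before the fix, directories flagged after)."""
    base = tempfile.mkdtemp()
    os.chmod(base, 0o755)
    opt = os.path.join(base, "opt")
    beahome = os.path.join(opt, "beahome")
    ales = os.path.join(beahome, "ales26-admin")
    os.makedirs(ales)
    os.chmod(opt, 0o750)      # root-only traversal: the problem case from the text
    os.chmod(beahome, 0o755)  # "already have permissions set appropriately"
    os.chmod(ales, 0o755)
    before = missing_traverse_perms(ales, stop_at=base)
    grant_traverse(before)
    after = missing_traverse_perms(ales, stop_at=base)
    return [os.path.relpath(p, base) for p in before], after


if __name__ == "__main__":
    flagged, remaining = demo()
    print("needs chmod o+x:", flagged)
    print("still blocked after fix:", remaining)
```

Run it against the real install path with missing_traverse_perms("/opt/beahome/ales26-admin") before starting the installer; only the listed directories need chmod o+x.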
To install the application on a Linux platform:
Log in to the machine.
Set your DISPLAY variable if needed.
If you are installing from a CD-ROM, go to step 4. If you are installing by downloading from the BEA web site:
The installation program prompts you to enter specific information about your system and configuration, as described in Table 4-2.
Note:
You must install the Administration Server before installing any Security Service Modules. BEA does not recommend installing Security Service Modules on the same machine as the Administration Server in a production environment.
To complete this procedure you need the following information:
Name of the BEA HOME directory
Name of the product directory
Database connection information (see your database administrator).
Table 4-2 Administration Server Installation
In this Window:
Perform this Action:
Welcome
Click Next to proceed or cancel the installation at any time by clicking Exit.
BEA License Agreement
Read the BEA Software License Agreement, and then select Yes to indicate your acceptance of the terms of the agreement. To continue with the installation, you must accept the terms of the license agreement, click Yes, and then click Next.
Choose BEA Home Directory
Specify the BEA Home directory that serves as the central support directory for all BEA products installed on the target system. If you already have a BEA Home directory on your system, you can select that directory (recommended) or create a new BEA Home directory. If you choose to create a new directory, the installer program automatically creates the directory for you.
Choose Product Directory
Specify the directory in which to install the Administration Server software. You can accept the default product directory (ales26-admin) or create a new product directory.
If you choose to create a new directory, the installation program automatically creates the directory for you, if necessary.
Click Next to continue.
Choose Service Control Manager Directory
Specify the directory in which to install the Service Control Manager. You can accept the default directory (ales26-scm) or you can create a new one.
Click Next to continue.
Choose the Web Server to install the administration application
Specify the type of servlet container (WebLogic Server or Tomcat) and the directory in which it is installed.
Click Next to continue.
Choose Network Interfaces
Select the network interfaces to which to bind the Service Control Manager. This is the IP address used to listen for requests to distribute policy and configuration data.
Note:
If you are installing the Administration Server in a production environment with more than one network card, you want to select a protected (internal) interface; you do not want to expose the Service Control Manager through a public address.
Click Next to continue.
Configure Administration Application
Enterprise Domain Name
Enter the name to assign to this domain. The Enterprise Domain represents the collection of Security Service Modules administered by this BEA AquaLogic Enterprise Security Administration Server. Make a note of the Enterprise Domain Name you entered as you will need this to install any subsequent Security Service Modules.
Note:
The Enterprise Domain Name must be entered in all lower case, and may not contain any spaces or punctuation marks.
Configure Administration Application (Continued)
Administration Application
HTTP Port (7000)
Enter the HTTP port number for the Administration Console of the servlet container to use.
SSL Port (7010)
Enter the HTTPS port number for the Administration Server to use. When you enter the SSL port number, make sure that at least five consecutive port numbers are also available. These port numbers are used by services required by the BEA AquaLogic Enterprise Security Administration Server to operate properly, and the Administration Server always runs on a secure connection using these ports. The installer checks during installation to see if any of the ports are used, skips those that are used, and selects the next available port.
Note:
The installer is not able to detect a port that is already assigned to another process that is not currently running. Hence there may be a port bind problem if two processes try to use the same port.
Configure Administration Application (Continued)
Certificate Authority Duration (years)
Enter the number of years the security certificate remains in effect. The Certificate Authority is used to generate and sign certificates for other components in the BEA AquaLogic Enterprise Security system.
Click Next to continue.
Configure Database Connection
Database
Select the type and version of database you are using.
Database Connection
For Oracle:
Database JDBC URL
Change the <SID> and <SERVER> name to complete the JDBC URL:
jdbc:oracle:thin:@<SERVER>:1521:<SID>
Database JDBC Driver
The Oracle driver to use by default:
oracle.jdbc.driver.OracleDriver
Login ID
The database user login created in the pre-installation tasks
Password
The password created in the pre-installation tasks
Confirm Password
Confirm the password created in the pre-installation tasks
Configure Database Connection (Continued)
Database Connection
For Sybase:
Database JDBC URL
Change the <SERVER> name to complete the JDBC URL:
jdbc:sybase:Tds:<SERVER>:4100
The <SERVER> is the hostname or IP address of the machine running the Sybase server. The URL assumes the Sybase server is listening on port 4100; change the port number if necessary. The Sybase server usually listens on port 5000 on the Windows platform and 4100 on other platforms.
Database JDBC Driver
The Sybase driver to use by default:
com.sybase.jdbc3.jdbc.SybDriver
Login ID
The database user login created in the pre-installation tasks
Password
The password created in the pre-installation tasks
Confirm Password
Confirm the password created in the pre-installation tasks
Configure Database Connection (Continued)
Database Client
MS SQL Server 2000
JDBC URL
jdbc:sqlserver://<SERVER>\<INSTANCE>:1433
JDBC Driver
com.microsoft.sqlserver.jdbc.SQLServerDriver
JDBC Driver Location
Location of the MSSQL database driver
Login ID
The database user login created in the pre-installation tasks
Password
The password created in the pre-installation tasks
Confirm Password
Confirm the password created in the pre-installation tasks
Note:
ALES does not include the JDBC driver for MS SQL and PointBase. If you want to use MS SQL or PointBase for your database, you must download the appropriate JDBC driver. You must use the latest MS SQL 2005 JDBC driver with all versions of MS SQL.
Configure Database Connection (Continued)
Database Client
PointBase 5.1
JDBC URL
jdbc:pointbase:server://<SERVER>/<DATABASE>
JDBC Driver
com.pointbase.jdbc.jdbcUniversalDriver
JDBC Driver Location
Location of the PointBase database driver
Login ID
The database user login created in the pre-installation tasks
Password
The password created in the pre-installation tasks
Confirm Password
Confirm the password created in the pre-installation tasks
Click Next to continue.
Configure Database Connection (Continued)
If you want to install the policy database schema now, check the Install Database Schema check box.
There are two situations in which you should not install the policy database schema:
If you previously installed the policy database schema for the Administration Server and made modifications, you should not reinstall it again because your modifications will be lost.
If you are installing a failover server for backup and failover purposes, you must not install the database schema again, because the failover server uses the same database schema.
Random Key Password Selection
You can direct the installer to randomly generate passwords for all keys. If you are installing the product in a production environment, BEA recommends using secure user names and passwords, and not those that are randomly generated. If you choose to use randomly generated passwords, the next step in the installation process is Installation Complete.
Configure Certificate Authority
The Certificate Authority is used to generate and sign certificates for other components in the BEA AquaLogic Enterprise Security system.
Key Password
You can either choose to use a randomly generated password or you can specify the private key password. You must confirm the password.
Note:
You should write down or remember all passwords and store them in a safe location should you ever need to use them again. For example, if you plan to install redundant servers, you need to use the same keystore and key passwords.
Click Next to continue.
Configure Keys
Enter the following key passwords to secure communications of internal processes. These are components of the Administration Server. Private key passwords are used to validate process authenticity by using the Certificate Authority chain of trust. Identities with invalid or untrusted keys cannot participate in the trust relationships of the enterprise domain.
Service Control Manager
Security Service Module
Administration Application
Configure Keystores
You may supply keystore passwords for each of the Identity, Peer and Trust Certificate Authority keystores or accept the randomly generated passwords.
Identity Keystore—stores and protects the private keys that represent the process's identity or identities.
Peer Keystore—stores and protects the public keys for all trusted identities within the installed component (Administration Application, Security Service Module or Service Control Manager).
Trust Certificate Authorities Keystore—stores and protects public keys for Certificate Authorities that originate the chain of trust.
Installation Complete
This page indicates that the Administration Server installation completed successfully.
Note:
Be sure to write down the Administration Server URL. You will need this URL when you are installing additional components.
Click Done to complete the installation.
What's Next
Now that you have installed the necessary software, you must start the necessary services. For additional instructions, see Post Installation Tasks. If you want to install a second Administration Server to use as a backup, see Installing a Secondary Administration Server.
Upgrading from ALES 2.1, 2.2, and 2.5
ALES 2.6 includes a utility to help you upgrade from AquaLogic Enterprise Security versions 2.1, 2.1 SP1, 2.2, and 2.5. If you have an existing installation of ALES 2.1, 2.1 SP1, 2.2, or 2.5, follow this upgrade procedure to upgrade the Administration Server. For information about upgrading SSMs, see Upgrading from ALES 2.1, 2.2, or 2.5 in Installing Security Service Modules. Note that no upgrade is available for Apache and Microsoft IIS Web Server SSM instances.
Make sure you have read and delete permission for the files of the existing ALES 2.1, 2.1 SP1, 2.2, or 2.5 installation. You must be logged in as a member of whatever group you used when installing that version.
Stop the existing ALES processes, including the Administration Server, SCM, and SSM instances. For more information, see Starting and Stopping ALES Components in the Administration and Deployment Guide.
If the existing Administration Server is installed on the same machine as one or more existing SSMs, be sure to upgrade the Administration Server before you upgrade any SSMs.
Run the ALES 2.6 Administration Server installer on the machine on which your existing Administration Server is installed. The ALES 2.6 Administration Server installer detects the existing ALES 2.1, 2.1 SP1, 2.2, or 2.5 installation and uses its configuration information.
Run the upgrade script, which is located in BEA_HOME/ales26-admin/upgrade.
Installing in Silent Mode
You can run the Administration Server installation in silent mode. Silent installation mode allows you to run the installer once on one machine and then use the configuration of that machine to duplicate installation on multiple machines. When you run the installation program in silent mode, the installation program reads the configuration information it needs from an XML file that you specify in the command that launches the installation program.
When you run the installation program not in silent mode, it creates an XML file at BEA_HOME/ales26-admin/config/silent_install_admin.xml. You can edit this XML file and use it when you run the installation program in silent mode. Edit the silent_install_admin.xml file to set the values described in Table 4-3. Each installation parameter is specified in the XML file as the value of a <data-value> element, as in the following example:
The values you set in the <data-value> elements correspond generally to the responses you enter when you run the installation program not in silent mode, which are described in Table 4-2.
Table 4-3 Silent Installation Configuration File (Data Element Name / Description / Default or Sample Value)

BEAHOME: BEA_HOME directory in which to install the Administration Server. Default or sample value: C:\bea
USER_INSTALL_DIR: Directory within the BEA_HOME directory in which to install the Administration Server. Default or sample value: C:\bea\ales26-admin
SCM_INSTALL_DIR: Directory within the BEA_HOME directory in which to install the Service Control Manager. Default or sample value: C:\bea\ales26-scm
WEB_SERVER_TYPE: Servlet container that will host the Administration Server. Valid values are weblogic or tomcat. Default or sample value: weblogic
WEB_SERVER_DIR: Directory in which the servlet container is installed. Default or sample value: C:\bea\weblogic81
ADMIN_APP_PORT: Port for the Administration Server. Default or sample value: 7000
ADMIN_APP_SSL_PORT: SSL port for the Administration Server. Default or sample value: 7010
ENTERPRISE_DOMAIN_NAME: Deprecated in ALES 2.6. Should always be asi. Default or sample value: asi
CERTIFICATE_DURATION: The number of years the security certificate remains in effect. Default or sample value: 10
DATABASE_CLIENT: The type of database you are using. Possible values are ORACLE92, ORACLE90, ORACLE81, and SYBASE125.
MSSQL_DB_DRIVER_LOC: The location of the MS SQL JDBC driver. This driver is not supplied by AquaLogic Enterprise Security; you provide the location.
POINTBASE_DB_DRIVER_LOC: The location of the PointBase JDBC driver. This driver is not supplied by AquaLogic Enterprise Security; you provide the location.
JDBC_URL: URL on which to reach the database. Default or sample value: jdbc:oracle:thin:@host:port:SID
JDBC_DRIVER: Java class name of the database driver. Default or sample value: oracle.jdbc.driver.OracleDriver
DATABASE_LOGIN_ID: Username to access the database.
DATABASE_LOGIN_PASS: Password to access the database.
CA_KEY_PASS: Certificate Authority key password. Optional; generated by the installer if not specified.
IDENTITY_KEY_PASS: Password for the identity keystore. Optional; generated by the installer if not specified.
PEER_KEY_PASS: Password for the peer keystore, which holds the public keys of all trusted identities within the installed component (Administration Application, Security Service Module, or Service Control Manager). Optional; generated by the installer if not specified.
TRUSTED_CA_KEY_PASS: Password for the trust keystore, which holds the public keys of the Certificate Authorities that originate the chain of trust. Optional; generated by the installer if not specified.
SCM_KEY_PASS: Key password for the Service Control Manager. Optional; generated by the installer if not specified.
SSM_KEY_PASS: Key password for the Security Service Module. Optional; generated by the installer if not specified.
ADMIN_KEY_PASS: Key password for the Administration Server. Optional; generated by the installer if not specified.
INSTALL_DB_SCHEMA: Specify whether or not to install the policy database schema. Default or sample value: no
SCM_INTERFACE_LIST: A comma-separated list of IP addresses of the network interfaces to which to bind the Service Control Manager. Default or sample value: 169.254.25.129
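The silent-install file carries the database login and every key password in clear text, and nothing in the installer cross-checks its values against the constraints given in this chapter (matching driver and URL, no leftover placeholders, an internal SCM interface, explicitly chosen passwords for production). The following Python script is an added example, not part of the BEA documentation or the ALES installer: it reads a constructed silent_install_admin.xml, checks the Table 4-3 values against those constraints, and flags a file that other users can read. The <data-value name="..." value="..."/> attribute layout, the outer <silent-install> element and all sample values are assumptions, since the page does not show the file's contents.

```python
import ipaddress
import os
import stat
import xml.etree.ElementTree as ET

# Constructed sample; assumes one <data-value name=".." value=".."/> per
# Table 4-3 parameter. The outer element and the values are made up for
# this example (the page does not show the real file).
SAMPLE_XML = """<?xml version="1.0"?>
<silent-install>
  <data-value name="WEB_SERVER_TYPE" value="tomcat"/>
  <data-value name="ADMIN_APP_PORT" value="7000"/>
  <data-value name="ADMIN_APP_SSL_PORT" value="7010"/>
  <data-value name="ENTERPRISE_DOMAIN_NAME" value="asi"/>
  <data-value name="JDBC_URL" value="jdbc:oracle:thin:@&lt;SERVER&gt;:1521:ales"/>
  <data-value name="JDBC_DRIVER" value="oracle.jdbc.driver.OracleDriver"/>
  <data-value name="DATABASE_LOGIN_ID" value="ales_owner"/>
  <data-value name="DATABASE_LOGIN_PASS" value="example-db-password"/>
  <data-value name="CA_KEY_PASS" value="example-ca-password"/>
  <data-value name="SCM_INTERFACE_LIST" value="10.1.2.3, 203.0.113.7"/>
</silent-install>
"""

# Driver class -> JDBC URL prefix, as listed in Table 4-2.
DRIVER_PREFIX = {
    "oracle.jdbc.driver.OracleDriver": "jdbc:oracle:thin:",
    "com.sybase.jdbc3.jdbc.SybDriver": "jdbc:sybase:Tds:",
    "com.microsoft.sqlserver.jdbc.SQLServerDriver": "jdbc:sqlserver://",
    "com.pointbase.jdbc.jdbcUniversalDriver": "jdbc:pointbase:server://",
}
# Passwords the installer generates when absent; BEA says to choose them
# explicitly for a production environment.
KEY_PASS_FIELDS = ("CA_KEY_PASS", "IDENTITY_KEY_PASS", "PEER_KEY_PASS",
                   "TRUSTED_CA_KEY_PASS", "SCM_KEY_PASS", "SSM_KEY_PASS",
                   "ADMIN_KEY_PASS")
# Ranges this example treats as protected (internal) for the SCM bind check.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_silent_config(xml_text):
    """Map parameter name -> value from the <data-value> elements."""
    root = ET.fromstring(xml_text)
    return {e.get("name"): e.get("value", "") for e in root.iter("data-value")}


def validate(params, production=True):
    """Return findings; an empty list means the values satisfy the
    constraints stated for Tables 4-2 and 4-3."""
    findings = []
    if params.get("WEB_SERVER_TYPE") not in ("weblogic", "tomcat"):
        findings.append("WEB_SERVER_TYPE must be weblogic or tomcat")
    if params.get("ENTERPRISE_DOMAIN_NAME") != "asi":
        findings.append("ENTERPRISE_DOMAIN_NAME is deprecated and must stay asi")
    url, driver = params.get("JDBC_URL", ""), params.get("JDBC_DRIVER", "")
    if "<" in url or ">" in url:
        findings.append("JDBC_URL still contains an unfilled <PLACEHOLDER>")
    prefix = DRIVER_PREFIX.get(driver)
    if prefix is None:
        findings.append("JDBC_DRIVER %r is not a documented driver class" % driver)
    elif not url.startswith(prefix):
        findings.append("JDBC_URL does not match %s (expected %s...)" % (driver, prefix))
    http = int(params.get("ADMIN_APP_PORT", 0))
    ssl = int(params.get("ADMIN_APP_SSL_PORT", 0))
    if ssl <= http <= ssl + 5:  # the SSL port and the five after it are reserved
        findings.append("ADMIN_APP_PORT collides with the SSL port block")
    for addr in [a.strip() for a in params.get("SCM_INTERFACE_LIST", "").split(",") if a.strip()]:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append("SCM_INTERFACE_LIST entry %r is not an IP address" % addr)
            continue
        if not any(ip in net for net in INTERNAL_NETS):
            findings.append("SCM would be exposed on non-internal address %s" % addr)
    if production:
        missing = [k for k in KEY_PASS_FIELDS if not params.get(k)]
        if missing:
            findings.append("production install would use generated passwords for: "
                            + ", ".join(missing))
    return findings


def world_readable(path):
    """The file holds DATABASE_LOGIN_PASS and the key passwords in clear text,
    so flag it when other users can read it."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)
```

On the sample above, validate(parse_silent_config(SAMPLE_XML)) reports the unfilled <SERVER> placeholder, the public SCM address, and the six key passwords a production install would leave to the installer's generator.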
To run the Administration Server installation in silent mode, use one of the following commands:
You may want to install and configure a second Administration Server on a separate machine to support failover. For information about this, see Setting up Administration Servers for Failover in the Administration and Deployment Guide.