test

Sun Identity Manager 8.1 Installation

Part V Appendices

This last part of the installation guide documents miscellaneous topics such as installing Identity Manager manually and uninstalling Identity Manager.

The appendices are presented in the following order:

Appendix A Installing Identity Manager Manually

If you do not want to install Identity Manager through the installation interface, use these alternate, manual installation procedures.

Installation Steps

Follow these general installation and configuration steps:

Step 1: Install the Application Server software

Refer to the installation chapters in Part II, Installing Identity Manager for information on installing and configuring specific application servers.

Step 2: Install the Application Software

Follow these steps to install the software.

On Windows

Enter the following series of commands:

set JAVA_HOME=Path to JDK
cd ApplicationDeploymentDirectory

where ApplicationDeploymentDirectory is the directory where your application server is deployed. For example, for a Tomcat installation, change directory to c:\tomcat-5.5.3\webapps.

mkdir idm (or any other directory name)
cd idm
set WSHOME=ApplicationDeploymentDirectory\idm
jar– xvf %CDPATH%\idm.war
Note –

Make sure the value of the WSHOME environment variable does NOT contain the following:

Do not use quotation marks, even if the path to the application deployment directory contains spaces.

ON UNIX

Enter the following series of commands:

PATH=$JAVA_HOME/bin:$PATH
cd $TOMCAT_HOME/webapps
cd ApplicationDeploymentDirectory

where ApplicationDeploymentDirectory is the directory where your application server is deployed. For example, for a Tomcat installation, change directory to /tomcat-5.5.3/webapps.

mkdir idm (or any other directory name)
cd idm
WSHOME=ApplicationDeploymentDirectory/idm;export WSHOME
jar– xvf /cdrom/cdrom0/idm.war

Change directory to $WSHOME/bin then set permissions on the files in the directory so that they are executable.

Step 3: Configure the Identity Manager Database Connection

Note –

If you plan to use a database, you may need to copy one or more files to the idm/WEB-INF/lib directory. For example, you may need to place a JAR file containing a JDBC driver (for a DriverManager connection) or a JAR file containing a JNDI InitialContextFactory (for a DataSource connection). To determine the steps you may need to perform before you go on, see the Appendix C, Database Reference.

The ServerRepository.xml file is an encrypted file that defines how to connect to the repository. Use one of the following procedures to configure the repository XML file.

ProcedureTo Configure the Repository XML file in Windows or Xwindows (UNIX) Environments

  1. Enter one of the following commands to launch the setup interface.

    On Windows 


    cd %WSHOME%\bin
lh setup

    On UNIX 


    cd $WSHOME/bin
lh setup

    The installer displays a welcome page. Click Next to display the Locate the Repository panel.

  2. Select a database from the list provided. Depending on your selection, setup prompts for additional setup information.

    Depending on your selection, setup prompts for additional setup information.

    Note –

    See Appendix C, Database Reference, for selections and setup instructions.

  3. Click Next to display the Continue Identity Manager Demo Setup? panel. Follow all subsequent prompts as directed.

ProcedureTo Configure the Repository XML file in Non-Xwindows Environments

  1. Set your repository with the following series of commands:


    cd $WSHOME/bin
chmod 755 *

  2. Run the setRepo command, using the appropriate location flags required to connect to the database.

    Note –

    For complete setRepo usage and options, see Appendix F, setRepo Reference.

  3. Start the application server.

  4. Load the initial database values. Follow these general steps:

    1. Log in to the Administrator Interface.

    2. From the menu bar, select Configure > Import Exchange File.

    3. Enter or browse for the init.xml file (located in the idm/sample directory), and then click Import.

Step 4: Install Optional Components

If your IT environment has Windows Active Directory, Novell NetWare, Domino, Remedy, or RSA ACE/Server resources, you should install the Identity Manager Gateway.

If your IT environment has Windows Active Directory domains, you should also install PasswordSync. The Identity Manager PasswordSync feature keeps user password changes made on Windows Active Directory domains synchronized with other resources defined in Identity Manager.

See Part III, Installing Optional Components for installation information.

Appendix B Uninstalling Identity Manager

This chapter has two sections:

Uninstalling the Identity Manager Software

Use these instructions to remove the software from a Windows or UNIX installation.

ProcedureTo Uninstall Identity Manager on Windows

  1. Stop your application server.

  2. If you are using a Windows server to run the Identity Manager Gateway, stop the gateway service with the command gateway –k.

    Note –

    You can later remove the gateway service with the command: gateway –r

  3. Remove configuration database files. To do this:

    1. Log in to your database server.

    2. Run the drop_waveset_tables.DatabaseType script for your database type.

  4. From the Windows Control Panel, open Add or Remove Programs.

  5. Click to highlight Identity Manager, and then click Change/Remove. Your system displays an Uninstaller panel.

  6. Click Uninstall Now to remove the application files and registry entries. After reading the Unistall Summary, click Finish.

  7. Remove links and references to the application software from your application server.

ProcedureTo Uninstall Identity Manager on UNIX

  1. Stop your application server.

  2. Go to the location where you installed the Identity Manager application.

  3. Remove configuration database files. To do this:

    1. Log in to your database server.

    2. Run the drop_waveset_tables.DatabaseType script for your database type.

  4. Enter the following command:

    java -cp . uninstall_Sun_System_Identity_Manager

    Note –

    • Do not include the .class extension of this file to the command.

    • If $WSHOME is in your class path, then you may omit the -cp . argument.

Removing the Identity Manager Database

Use one of the following commands to remove the Identity Manager database.

If your database is: 

On this platform: 

Run this command: 

MySQL 

Windows 

c:\mysql\bin\mysql < drop_waveset_tables.mysql

MySQL 

UNIX 

$MYSQL/bin/mysql < drop_waveset_tables.mysql

Oracle 

Windows 

sqlplus dbausername/dbapassword @drop_waveset_tables.oracle

Oracle 

UNIX 

sqlplus dbausername/dbapassword @drop_waveset_tables.oracle

DB2 

Windows and UNIX 

db2– tvf drop_waveset_tables.db2

SQL Server 

Windows 

isql -S Server -U User -P Password -i PathToFile \drop_waveset_tables.sqlserver

Appendix C Database Reference

If you plan to use a database, you may need to copy one or more files to the idm/WEB-INF/lib directory on your application server during the Identity Manager installation process. The following table shows the download or installed product location of one or more .jar files you need to copy for your database type.

Notes on Configuring Databases and Downloading Supporting JAR Files

Note –

For any given database, there should only be one JAR file with JDBC drivers installed at any given time. When installing JAR files, inspect WEB-INF/lib and remove any JAR files that contain conflicting JDBC drivers. For example, if installing a JAR file containing Oracle JDBC drivers, remove the Oracle JAR that you are replacing before starting Identity Manager.

Databases that are managed resources also utilize JDBC driver JARs located in the WEB-INF/lib directory. The same JAR file that supports your repository will also support any managed database resources from the same vendor.

Tip –

To help avoid conflicts when installing JDBC driver JARs, Sun recommends renaming JARs using the format dbNamejdbc.jar. The name of the JAR file does not matter, but renaming a .jar file to include the name of the database followed by jdbc is recommended to help administrators avoid JAR file collisions in the future.

Database 

Download or Product Location 

Configuration Notes 

DB2

Db2/java/db2java.zip

—OR— 

If you are using the Type 4 network driver, use this file instead: 

db2jcc.jar

If you are using at least DB2 8.1.2, you will also need the following files: 

db2jcc_license_cisuz.jar

db2jcc_license_cu.jar

  1. Unzip the db2java.zip file.

    Note: On Windows systems rename the db2java.zip to db2java.jar.

  2. Copy the appropriate JAR files to the WEB-INF\lib directory.

  3. Optional: Rename the .jar file to db2jdbc.jar.

  4. Start the JDBC driver:

    • On UNIX systems, enter: db2jstrt port# (default 6789) running under instant owner

    • On Windows systems, start from services

MySQL

http://dev.mysql.com/downloads/

Select a version of MySQL Connector/J to download. 

  1. Unpack the connector package.

  2. Copy the mysql-connector-Version-bin.jar file to the WEB-INF\lib directory.

  3. Optional: Rename the .jar file to mysqljdbc.jar.

Oracle

Oracle/jdbc/lib/ojdbc14.jar

or

Oracle Database 11g release JDBC drivers

  1. Copy the .jar file to the idm\WEB-INF\lib directory.

  2. Optional: Rename the .jar file to oraclejdbc.jar.

SQL Server

Microsoft SQL Server 2005 Driver for JDBC/lib

  1. Copy the sqljdbc.jar file to the WEB-INF\lib directory.

  2. Optional: Rename sqljdbc.jar to mssqlserver.jar.

JDBC 2.0 Data Source

Depends on the directory service. Consult the documentation for your application server or other directory service to locate an appropriate JAR that contains the InitialContextFactory class. 

Copy the appropriate JAR (or JARs) to the WEB-INF/lib directory.

Note –

For a DataSource connection, you must copy or download (and place into WEB-INF/lib) a JAR that contains the InitialContextFactory class.

Refer to the following table when installing the Identity Manager software and completing database selections on the Locate Identity Manager Repository panel.

If your selection is: 

Enter 

JDBC 2.0 Data Source

  • Initial Context Factory: com.sun.jndi.fscontext.RefFSContextFactory

  • DataSource Name/Path: jdbc/SampleDB

Enter the database location. Optionally enter the password you selected when you set up the database. 

MySQL

  • URL: jdbc:mysql://localhost/waveset

  • JDBC Driver: org.gjt.mm.mysql.Driver

  • Connect as User: waveset

Enter the database location and the password you selected when you set up the database. 

Oracle

  • URL: java:oracle:thin:@host.your.com:1521:dbname

  • JDBC Driver: oracle.jdbc.driver.OracleDriver

  • Connect as User: waveset

Enter the database location and the password you selected when you set up the database. 

DB2

  • URL: jdbc:db2://host.your.com:6789/dbname

  • JDBC Driver:COM.ibm.db2.jdbc.net.DB2Driver— OR—com.ibm.db2.jcc.DB2Driver

  • Connect as User: Waveset

Enter the database location and the password you selected when you set up the database. 

SQLServer

Default values, to be used with the Microsoft SQL Server 2005 JDBC Driver:

  • URL: “jdbc:sqlserver://host.your.com:1433; DatabaseName=dbname”

  • JDBC Driver: com.microsoft.sqlserver.jdbc.SQLServerDriver

  • Connect as User: waveset

    Use the following values with the Microsoft SQL Server 2000 JDBC Driver:

  • URL: “jdbc:microsoft:sqlserver://host.your.com:1433; DatabaseName=dbname;SelectMethod=Cursor”

  • JDBC Driver: com.microsoft.jdbc.sqlserver.SQLServerDriver

  • Connect as User: waveset

Enter the database location and the password you selected when you set up the database. 

Note: All connections to SQL Server must be performed using the same version of the JDBC driver. This includes the repository as well as all resource adapters that manage or require SQL Server accounts or tables, including the Microsoft SQL adapter, Microsoft Identity Integration Server adapter, Database Table adapter, Scripted JDBC adapter, and any custom adapter based on these adapters. Conflict errors occur if you attempt use different versions of the driver.

LocalFiles

  • Path: c:\jakarta-tomcat\webapps\idm\config

Enter the directory location, or click Browse to locate it. 

Sun Java System Directory Server

  • Initial Context Factory: com.sun.jndi.ldap.LdapCtxFactory

  • URL: ldap://host.your.com/dc=myDomain,dc=your,dc=com

  • User: waveset

Enter the database location. Optionally enter the password you selected when you set up the database. 

Appendix D Configuring Data Sources for Identity Manager

This appendix provides procedures for creating data sources for Identity Manager.

It contains the following sections:

Configuring a Tomcat Data Source for Identity Manager

Background on how Tomcat 6 data sources are configured can be found at http://tomcat.apache.org/tomcat-6.0-doc/jndi-datasource-examples-howto.html

ProcedureTo Create the Data Source

These instructions are for Tomcat 6. They will not work with Tomcat 4.x or 5.x.

  1. Verify that the environment variable TOMCAT_HOME is set correctly.

  2. Copy the JDBC driver JAR for your database type to Tomcat's lib directory ($TOMCAT_HOME/lib).

  3. Define the data source for Tomcat by editing $TOMCAT_HOME/conf/web.xml and adding a resource reference as follows:


    <resource-ref>
  <res-ref-name>jdbc/IDM_database</res-ref-name>
  <res-type>javax.sql.DataSource</res-type>
  <res-auth>Container</res-auth>
</resource-ref>

  4. Define the data source for the Identity Manager webapp by editing the webapp deployment context (for example, $TOMCAT_HOME/conf/Catalina/localhost/idm.xml) and adding the data source resource as follows: 


    <Resource
  auth="Container"
  name="jdbc/IDM_database"
  type="javax.sql.DataSource"
  driverClassName="org.gjt.mm.mysql.Driver"
  password="waveset"
  maxIdle="5"
  maxWait="5000"
  username="waveset"
  url="jdbc:mysql://mysqlhost:3306/waveset"
  maxActive="150"/>
    Note –

    In the <resource-ref> element, the value of the <resource-ref name> element must be the same as the name attribute in the <Resource> element.

    Be sure to change the attributes in the <Resource> element to match your environment.

ProcedureTo Point Identity Manager to the Data Source

  1. Verify that the WSHOME and JAVA_HOME environment variables are set correctly.

  2. Create an Identity Manager ServerRepository.xml file that points to the Tomcat data source:


    lh setRepo -v -tDatastore -iorg.apache.naming.java.javaURLContextFactory 
-fjava:/comp/env/jdbc/IDM_database -n -o ServerRepository-datasource.xml
    Note –

    Change the -f location flag to the value you specified for the Resource name attribute, above. The prefix java:/com/env is specific to javaURLContextFactory and Tomcat. This is the JNDI prefix that the data source name is appended to.

  3. Configure the Identity Manager webapp to use the data source by copying the new ServerRepository file in place. For example:


    cp ServerRepository-datasource.xml $WSHOME/WEB-INF/ServerRepository.xml
    Note –

    • When you copy the data-source-enabled ServerRepository.xml to $WSHOME/WEB-INF, the lh command will stop working. This is expected because lh uses ServerRepository.xml to connect to the Identity Manager repository. Since lh is not running in the Tomcat container, it cannot look up the data source in Tomcat's JNDI.

    • When a Tomcat data source is used by Identity Manager, the data source will typically be responsible for connection pooling. In this case Identity Manager connection pooling needs to be disabled. Edit the RepositoryConfiguration configuration object and set the disableConnectionPool attribute to true to allow the Tomcat data source to manage the connection pool.

    • The concurrent use of the lh utility and Tomcat data sources can be problematic because of the connection pool issue mentioned above. Tomcat data sources will want to control the connection pool, but the lh utility cannot use the Tomcat data source, so the value of the RepositoryConfiguration disableConnectionPool attribute will depend on the type of access, either JDBC or data source.

Configuring a WebSphere Data Source for Identity Manager

Use the following information to configure a WebSphere Data Source for Identity Manager.

This section includes:

Servlet 2.3 Data Sources

As of the Identity Manager 6.0 release, the deployment descriptor in the WEB-INF/web.xml file refers to Servlet 2.3. Because of this, the Identity Manager web application can no longer be used with a WebSphere application server version 4 data source.

Note –

Due to interoperability issues between WebSphere data sources and Oracle JDBC drivers, Oracle customers who want to use a WebSphere data source with Identity Manager must use Oracle 10g R2 and the corresponding JDBC driver. (The Oracle 9 JDBC driver will not work with a WebSphere data source and Identity Manager.) If you have a version of Oracle prior to 10g R2 and cannot upgrade Oracle to 10g R2, then configure the Identity Manager repository so that it connects to the Oracle database using Oracle’s JDBC Driver Manager (and not a WebSphere data source).

ProcedureTo Configure a WebSphere Data Source for Identity Manager

  1. Configure a JDBC provider.

  2. Configure a WebSphere JDBC Data Source.

  3. Point the repository to the data source.

    These steps are discussed next.

Configuring a JDBC Provider

ProcedureTo Configure a JDBC Provider

Before You Begin

Use WebSphere’s administration console to configure a new JDBC Provider.

  1. Click the Resources tab in the left pane to display a list of resource types.

  2. Click JDBC then JDBC Providers to display a table of configured JDBC providers.

  3. Click the New button above the table of configured JDBC providers.

  4. Select from the list of JDBC database types, provider types, and implementation types. Optionally modify the Name and Description fields.

    Oracle, Oracle JDBC Drive, and Connection pool Data Source will be used for this example.

    Click Next.

  5. Enter database classpath information. The contents of the Enter database class path information page may vary, depending on what you selected in the previous step.

    • Specify the path to the JAR that contains the JDBC driver. For example, to specify the Oracle thin driver, specify a path similar to the following:

      /usr/WebSphere/AppServer/installedApps/idm/idm.ear/idm.war/WEB-INF/lib/oraclejdbc.jar

      Click Next.

    • Complete any other fields as required. The selected database, provider, and implementation types determine which fields are displayed. Click Next when you have completed the dialog.

    • A summary page is displayed. When you are finished reviewing your selections, click the Finish button at the bottom of the table. Click the Save link to keep your definition. The right pane should display the provider you added.

      To configure a data source that uses this JDBC provider, see Point the Identity Manager Repository to the Data Source.

Configuring a WebSphere JDBC Data Source

Use WebSphere’s Administrative Console to define a data source with an existing JDBC Provider.

Before you can finish configuring the data source, you must configure authentication data. These aliases contain credentials that are used to connect to the DBMS.

ProcedureTo Configure the Authentication Data

  1. Click Security > Secure administration, applications, and infrastructure.

  2. Under Authentication, click Java Authentiation and Authorization Service configuration > J2C authentication data. The JAAS - J2C authentication data panel is displayed.

  3. Click New.

  4. Enter a unique alias, a valid user ID, a valid password, and a short description (optional). The user ID must be valid on the target database.

  5. Click OK or Apply. No validation for the user ID and password is required.

  6. Click Save.

    Note –

    The newly created entry is visible without restarting the application server process to use in the data source definition. But the entry is only in effect after the server is restarted.

ProcedureTo Configure the Data Source

  1. Click Resources > JDBC Providers > Your_JDBC_Provider_Name > Data Sources tab in the left pane to display the Data sources page. The right pane displays a table of data sources configured for use with this JDBC provider. Click the New button above the table of data sources.

  2. Use the wizard provided to configure the general properties for the new data source. Note the following on the Enter basic data source information page:

    • The JNDI Name is the path to the DataSource object in the directory service. You must specify this same value as the -f argument in setRepo -tdbms -iinitCtxFac -ffilepath.

    • Select the Component-managed Authentication Alias that you created in Configuring a JDBC Provider. These are the credentials that will be used to access the DBMS (to which this DataSource points).

      Click Next when you have configured this panel. The Create New JDBC provider page is displayed.

  3. Configure the database-specific properties for this data source as needed. Refer to the online help for information about the available properties.

    Make sure Use this data source in container-managed persistence (CMP) is unchecked. Identity Manager does not use Enterprise Java Beans (EJBs). Click Next to go to the summary page.

  4. Click Finish to save your data source.

Configure the Data Source in a WebSphere Cluster

When configuring the data source in clustered WebSphere environments, configure it at the cell level. This allows the data source to be accessed from all nodes in the cell.

To configure this use the -D $propertiesFilePath option where $propertiesFilePath contains:

java.naming.provider.url=iiop://localhost:jndi_port/

or:

-u iiop://localhost:jndi_port/

ProcedureTo Determine the JNDI Port to Specify

Examine the WebSphere configuration to determine the JNDI port to specify.

  1. In the WebSphere administration console, navigate to Servers > Application Servers > Your_Server > Ports.

  2. Look at the BOOTSTRAP_ADDRESS property. Use the specified port in the java.naming.provider.url property.

    Note –

    The java.naming.provider.url uses localhost as the hostname. WebSphere replicates a JNDI server on each node in the cluster so that each application server has its own JNDI server to query. Specify localhost for the host so that each application server in the cluster is used as the JNDI server that Identity Manager queries when the DataSource is being located.

Point the Identity Manager Repository to the Data Source

ProcedureTo Point the repository to a Newly Created Data Source

  1. Set the WSHOME environment variable to point to your Identity Manager installation; for example:

    export WSHOME=$WAS_HOME/installedApps/idm.ear/idm.war

    where $WAS_HOME is the WebSphere home directory, such as /usr/WebSphere/AppServer

  2. Make sure that the JAVA_HOME environment variable is set correctly; for example:

    export JAVA_HOME=$WAS_HOME/java

  3. Make sure that the Java executable is in your path; for example:

    export PATH=$JAVA_HOME/bin;$PATH

  4. Make sure the classpath is pointing to the WebSphere properties directory. For example

    export CLASSPATH=$WAS_HOME/properties

  5. Change to the $WSHOME/bin directory.

  6. (For SQLServer only): Install JTA support:

    1. Copy the sqljdbc.dll file located in the SQLServer JTA directory to the SQL_SERVER_ROOT/binn directory of the SQLServer database server.

      Note –

      The default location of the SQLServer JTA directory is C:\Program Files\Microsoft SQL Server 2000 Driver for JDBC\SQLServer JTA. The default location of SQL_SERVER_ROOT/binn is C:\Program Files\Microsoft SQL Server\MSSQL\Binn.

    2. From the database server, use the ISQL or OSQL utility to run the instjdbc.sql script, which is also found in the SQLServer JTA directory. The following examples illustrate the use of these utilities:

      isql -Usa -p sa-password -S server-name -i location \instjdbc.sqlosql -E -i location \instjdbc.sql

  7. Archive a copy of the existing ServerRepository.xml file, in case you need to revert. By default, this file is located in $WSHOME/WEB-INF (UNIX), or %WSHOME%\WEB-INF (Windows).

  8. Point the repository to the new location. For example:


    lh -Djava.ext.dirs="$JAVA_HOME/jre/lib:$JAVA_HOME/jre/lib/ext:
   $WASHOME/lib:$WASHOME/:$WASHOME/runtimes" setRepo
 -Uusername
 -Ppassword
 -toracle -icom.ibm.websphere.naming.WsnInitialContextFactory -fDataSourcePath -n -o

    In the above example the DataSourcePath might be jdbc/jndiname. The -Djava.ext.dirs option adds all of the JAR files in WebSphere’s lib/ and java/jre/lib/ext/ directories to the CLASSPATH. This is necessary in order for the setRepo command to run normally.

    Change the -f location flag to match the value you specified for the JNDI Name field when configuring the data source. See Appendix F, setRepo Reference for more information about this command.

  9. In the RepositoryConfiguration configuration object, set the connectionPoolDisable attribute to true.

    <RepositoryConfiguration connectionPoolDisable=’true’>

    This setting prevents WebSphere from sending extraneous warnings to the SystemOut.log file. For more information, see http://www-1.ibm.com/support/docview.wss?uid=swg21121449

  10. Restart WebSphere to pick up changes. (This also restarts the system.)

Specifying Additional JNDI Properties to the setRepo Command

The setRepo command provides an option that allows you to specify an arbitrary set of properties. The -D $propertiesFilePath option allows you to specify any number of settings, including vendor-specific properties not specified by JNDI, by including them in a properties file that you create.

For example, to specify a different JNDI port number, include a line like the following in your properties file:

java.naming.provider.url=iiop://localhost:2909

Configuring a WebLogic Data Source for Identity Manager

Use the following procedure to update the repository configuration in Identity Manager to point to a WebLogic Data Source.

This section is organized into the following steps:

Create a WebLogic Data Source

This example procedure describes configuration steps to use an Oracle database driver. Specific entries you make will differ, depending on your database type.

Note –

These steps assume that you have:

Create a Connection Pool

ProcedureTo Create a Connection Pool

  1. Log in to the WebLogic Administrator Web console (by default, http://localhost:7001/console/).

  2. Expand the Services folder for the domain located in the navigation (left) pane.

  3. Expand the JDBC folder.

  4. Expand the Connection Pools folder.

  5. In the right pane (JDBC Connection Pools), click Configure a new JDBC Connection Pool.

  6. For Database Type select Oracle. You can use any of the applicable types. Note that drivers must be installed in order to use them.

  7. Select an applicable drive in the Database Driver selection box. In this example, select Oracle’s Driver (Thin).

  8. Click Continue.

  9. Configure the JDBC driver as follows:

    Value  

    Action  

    Name 

    Choose a unique name that identifies your connection pool. For example: myOraConnPool. 

    Database Name 

    Select the name of the Oracle database that you wish to connect to. In this example myOraDB. 

    Host Name 

    Specify the host name of the Oracle DB server. 

    Port 

    Specify the port (default is 1521) for the database server. 

    Database User Name 

    Specify the database account user's name used in the connection. 

    Password 

    Specify the password for the account user. 

  10. Click Continue.

  11. Test the database connection on this page or click Skip this step. You may need to add additional properties depending on your installation. See the administrator’s guide for your target database.

    Note –

    The following Connection Pool Settings are dependent on the driver that you select. The following options are for the Oracle driver and may not be applicable if you choose another kind of driver.

    The JDBC drivers must be installed for this to succeed. Follow the instructions provided with your target driver.

  12. Click Create and deploy.

  13. Configure connection settings for this connection pool:


    Example Connection Settings:
Initial Capacity:20
Maximum Capacity:100
Capacity Increment: 10
Statement Cache Type: LRU
Statement Cache Size: 20

Create a JDBC Data Source

ProcedureTo Create a JDBC Data Source

  1. Expand the Services folder for the domain located in the navigation (left) pane.

  2. Expand the JDBC folder.

  3. Expand the Data Source folder.

  4. In the right pane (JDBC Data Sources), click Configure a new JDBC Data Source.

  5. Configure the JDBC Data Source as follows:

    Value  

    Action  

    Name 

    Choose a unique name for this data source. This name is used as a reference throughout the WebLogic Console. For example, MyOraDataSource. 

    JNDI Name 

    Specify the JNDI name. This can be the same as the Data Source name. For example MyOraDataSource. 

    Honor Global Transactions  

    Select this check box (selected by default) if you want to enable global transactions using this data source (see WebLogic online help for more information concerning this option). In this example we keep the default. 

    Emulate Two-Phase Commit for non-XA Driver 

    See the WebLogic documentation for further information. 

  6. Click Continue.

  7. Select the connection pool from part A. This allows an application to get a connection from the underlying connection pool.

  8. Click Continue.

  9. Select the servers on which you want deploy the new data source.

  10. Click Create.

    Note –

    The configuration steps are saved in your WebLogic config.xml file for a given domain. Changes to the XML file appear as:


    <JDBCConnectionPool DriverName="oracle.jdbc.driver.OracleDriver"
Name="myOraConnPool" Password="{3DES}7Ne5r7/NaLfLyXYQGBHoYg=="
Properties="user=myuser" Targets="myserver"
TestTableName="SQL SELECT 1 FROM DUAL" URL="jdbc:oracle:thin:@my.hostname:1521:mydatabasename"/>
<JDBCTxDataSource JNDIName="MyOraDataSource"
Name="MyOraDataSource" PoolName="MyOraConnPool" Targets="myserver"/>

Point the Identity Manager Repository to the Data Source

ProcedureTo Point the Identity Manager Repository to the Data Source

  1. Set the WSHOME environment variable to point to your Identity Manager installation; for example:


    set WSHOME=C:\bea\user_projects\domains\mydomain\applications\idm

  2. Make sure that the JAVA_HOME environment variable is set correctly; for example:


    set JAVA_HOME=C:\j2sdk1.5

  3. Make sure that your chosen database drivers are installed for you Weblogic Server. See the WebLogic documentation for further information. In this example, the Oracle drivers and classes12.jar are installed in following directory:


    WebLogicHome\server\lib

    1. On Windows, set the class path to include these files:

      set CLASSPATH=%CLASSPATH%;WeblogicHome\server\lib<MyDBLibrary>

      For Oracle, set the class path to include these files:

      set CLASSPATH=%CLASSPATH%;c:\bea\weblogic81\server\lib\classes12.zip

  4. Include weblogic.jar in your CLASSPATH. On Windows, enter:


    set CLASSPATH=%CLASSPATH%;WeblogicHome\server\lib\weblogic.jar

    For example:


    set CLASSPATH=%CLASSPATH%;c:\bea\weblogic81\server\lib\weblogic.jar

  5. Change to the %WSHOME% directory (Windows), or $WSHOME (UNIX).

  6. Remove the j2ee.jar file from WEB-INF\lib\ after making a backup.

  7. Change directory to the %WSHOME%\bin directory (Windows), or $WSHOME/bin directory (UNIX).

  8. Point the repository to the new location. For example:


    lh setRepo -v -tOracle -iweblogic.jndi.WLInitialContextFactory -fDatasourceName 
-u"t3:Server:Port" -U"Username" -P"Password"

    For example:


    lh setRepo -v -tOracle -iweblogic.jndi.WLInitialContextFactory -fMyOraDataSource 
-u"t3://localhost:7001/" -U"weblogic" -P"weblogic"
    Note –

    Change the -f location flag to match the value you selected for the JNDI Name field.

  9. If there are no reported errors, restart WebLogic to pick up the changes. (This also restarts the Identity Manager system.)

Configuring a Sun GlassFish Enterprise Server Application Server Data Source for Identity Manager

Refer to the documentation for the Sun GlassFish Enterprise Server application server for information about creating and configuring a data source.

Note –

In this procedure, the environment variable WSHOME (or the equivalent Java system property waveset.home) must contain the path to the location where the Identity Manager web application is deployed.

ProcedureTo Point the Repository to an Application Server Data Source

  1. Remove the j2ee.jar file from the $WSHOME/WEB-INF/lib directory. This file causes conflicts with the j2ee.jar that ships with Application Server.

  2. If you are not using default host name and port, then you must add the following flags to your JAVA_OPTS environment variable:


    -Dorg.omg.CORBA.ORBInitialHost=Hostname -Dorg.omg.CORBA.ORBInitialPort=Port

    The default values for Hostname and Port are localhost and 3700, respectively.

  3. Set your CLASSPATH to include the following application server JAR files (in order):


    SAS_INSTALL_DIR/lib/appserv-admin.jar
SAS_INSTALL_DIR/lib/appserv-rt.jar
SAS_IMQ_DIR/lib/imq.jar
SAS_INSTALL_DIR/lib/j2ee.jar

  4. Set your CLASSPATH to include the JAR file or files required for your JDBC connection. For example:

    DataDirect JDBC Driver for Oracle

    • SAS_INSTALL_DIR/lib/jdbcdrivers/smoracle.jar

    • SAS_INSTALL_DIR/lib/jdbcdrivers/smbase.jar

    • SAS_INSTALL_DIR/lib/jdbcdrivers/smutil.jar

    MySQL

    • MYSQL_DIR/lib/mysql-connector-java-3.0.9-stable-bin.jar

  5. Change directories to $WSHOME/WEB-INF.

  6. If you are using any driver other than Data Direct JDBC Driver for Oracle that ships with Sun GlassFish Enterprise Server, connect to the data source with the following command:


    lh setRepo -v -tType -iInitContextFactory -fDataSourcePath -uiiop://hostname:port

    For example:


    lh setRepo -v -tOracle -icom.sun.enterprise.naming.SerialInitContextFactory -fjdbc/idm
-uiiop://localhost:3700
    Note –

    If you enter this command when using the Data Direct JDBC Driver for Oracle, the operation will fail with following exception:

    java.sql.SQLException: [sunm][Oracle JDBC Driver]This driver is locked for use with embedded applications.

  7. The Data Direct JDBC Driver for Oracle that ships with Sun GlassFish Enterprise Server is “locked” so that it works only with embedded applications. That is, the driver works only within the web container. As a result, to use the lh command, you must create a separate connection.

    1. Archive the existing $WSHOME/WEB-INF/ServerRepository.xml file.

    2. Use the following command to force the connection and create a new ServerRepository.xml file:


      lh setRepo -tOracle -icom.sun.enterprise.naming.SerialInitContextFactory 
-fjdbc/IdMgr -uiiop://Hostname:Port -n -o ServerRepository.xml

Configuring a JBoss Data Source for Identity Manager

Refer to the documentation provided with the JBoss application server for detailed information about creating and configuring a data source.

ProcedureTo Create the Data Source

  1. Copy the JDBC driver classes for your database type to the lib directory of your server configuration, for example JBossInstallDir\server\default\lib.

  2. Create a data source configuration file. These end in -ds.xml. Example files can be found in JBossInstallDir\docs\examples\jca. The file should configure a local transaction data source.

  3. Copy the configuration file to the deploy directory on your server configuration, for example JBossInstallDir\server\default\lib.

ProcedureTo Point Identity Manager to the Data Source

  1. Make sure that the WSHOME and JAVA_HOME environment variables are set correctly.

  2. Set the repository using the lh command and the no check option:


    lh setRepo -n -ofile -ttype -iInitContextFactory -fDataSourcePath

    For example:


    lh setRepo -n -oServerRepository.xml -tOracle 
-iorg.jnp.interfaces.NamingContextFactory -fjava:DatasourceName
    Note –

    The lh setRepo command is documented in Appendix F, setRepo Reference.

  3. Make a backup copy of the ServerRepository.xml file located in %WSHOME%\WEB-INF (Windows) or $WSHOME/WEB-INF (UNIX).

  4. Copy the new ServerRepository.xml config file to %WSHOME%\WEB-INF (Windows) or $WSHOME/WEB-INF (UNIX).

  5. Create a .war file from WSHOME

  6. Copy the idm.war file to your server configuration.

  7. Start the JBoss server.

Configuring an Oracle Application Server Data Source for Identity Manager

Data source configuration can be performed entirely in the Oracle Enterprise Manager 10g Application Server Control Console. The online help in the Application Server Control Console provides useful information on data source settings.

Use the following procedure to update the repository configuration in Identity Manager to point to an Oracle Application Server Data Source.

This section is organized into the following sections:

Create an Oracle Application Server Data Source

This example procedure describes configuration steps to use an Oracle database driver. Specific entries you make will differ, depending on your database type.

ProcedureTo Create a Connection Pool

  1. Log in to the Oracle 10g Application Server Control console (by default, http://localhost:port/me).

  2. On the Cluster Topology page select View By Application Servers.

  3. Click the OC4J home link, then on the OC4J:home page click the Administration link.

  4. Click the Go to Task icon for Services -> JDBC Resources (Create/delete/view data sources and connection pools).

  5. Under Connection Pools, click the Create button.

    1. Select idm from Application drop-down list

    2. Select the New Connection Pool radio button, then click Continue.

    3. On the Create Connection Pool page, configure the new connection pool as follows:

      Value 

      Action 

      Name 

      Choose a unique name that identifies your connection pool. For example, IdmOraConnPool. 

      Connection Factory Class 

      Use default value of oracle.jdbc.pool.OracleDataSource.

      JDBC URL 

      Specify jdbc:oracle:thin:@//hostname:1521/orcl (or fill in the Connection Information to have a URL generated for you)

      Hostname 

      Specify the host name of Oracle DB server. 

      Port 

      Specify the port (default is 1521) for the database server. 

      Username 

      Specify the database account users name used in the connection. 

      Password 

      Specify the cleartext password for the account user. 

    4. Click the Test Connection button to ensure connectivity.

    5. You may need to add additional properties on the Attributes and Properties pages depending on your installation. See the administrator’s guide for your target database.

  6. Click the Finish button.

ProcedureTo Create a JDBC Data Source

  1. On the JDBC Resources page, under Data Sources, click the Create button.

  2. Select idm from Application drop-down list.

  3. Select the Managed Data Source radio button.

  4. Click the Continue button.

  5. On the Create Data Source - Managed Data Source page, configure the JDBC Data Source as follows:

    Value 

    Action 

    Name 

    Choose a unique name for this data source. For example, IdmOraDataSource

    JNDI Name 

    Specify the JNDI name. For example, jdbc/idmpool

    Transaction Level 

    Use the default value of Global & Local Transactions. 

    Connection Pool 

    The name of the Connection Pool just created (IdmOraConnPool) should be displayed already. In this example we keep the default value.

    Login Timeout 

    Set as desired for your installation. 

    It is not necessary to enter Username and Cleartext Password information in the Credentials section unless you need to override the information already provided in the connection pool configuration.

  6. Click the Finish button.

    Note –

    The connection information is saved in your Oracle Application Server’s data-sources.xml file located in the $J2EE/home/application-deployments/idm directory.

ProcedureTo Point the Identity Manager Repository to the Data Source

  1. Set the WSHOME environment variable to point to your Identity Manager installation. For example:

    set WSHOME=OracleAppServerInstallationDirectory/j2ee/home/applications/idm/idm

  2. Make sure that the JAVA_HOME environment variable is set correctly. For example:


    set JAVA_HOME=/product/10.1.3.1/OracleAS_1/jdk

  3. Create a CLASSPATH environment variable and set it to include the location of the oc4j-internal.jar file. This file is part of the application server distribution and is located here:

    OracleAppServerInstallationDirectory/j2ee/home/lib/oc4j-internal.jar

  4. Change to the %WSHOME%\WEB-INF (Windows) or $WSHome/WEB-INF (UNIX) directory.

  5. Make a backup of WEB-INF/ServerRepository.xml file and move it out of the directory. This is your direct connection setup from the original install of Identity Manager.

  6. Point the repository to the new location using the Identity Manager lh command. For example:


    ../bin/lh setRepo -v -tOracle -icom.evermind.server.ApplicationInitialContextFactory 
-fjdbc/idmpool -n -oServerRepository.xml
    Note –

    The -f location flag should match the value you selected for the JNDI Name field.

  7. If there are no reported errors, restart your Oracle Application Server to pick up the changes. (This also restarts the Identity Manager system.)

Appendix E Changing the Database Repository Password

If you are using a DBMS (such as MySQL, Oracle, DB2, or SQL Server) as the location for the Identity Manager repository, it may be necessary to change the database connection password or username periodically. The procedure for changing these values depends on how Identity Manager connects to the database.

Changing a Repository Password Stored in a Database

Use the following procedure to:

Note –

It is recommended that you perform each of these steps in the order presented. If you change the repository password at a time other than when directed in this sequence, problems can occur.

If Identity Manager connects to the repository with a JDBC driver, or if it connects to the repository using a Data Source that does not contain the connection user name and password, then use the following procedure to change the user or password:

ProcedureTo Change a Repository Password Stored in a Database

Before You Begin

The examples used in this procedure are for a MySQL repository. Some steps may vary depending on the specific repository used.

  1. Archive a copy of the existing ServerRepository.xml file, in case you need to revert to it. By default, this file is located in $WSHOME/WEB-INF.

    If you have deployed Identity Manager in an application server cluster, you should operate on the main source folder for Identity Manager (from which the application server deploys the IDM web application), rather than on each target folder (to which the application server deploys the web application on a particular server or node within the cluster).

  2. Shut down Identity Manager. If you have deployed Identity Manager in a cluster, then you must stop all instances of the web application across the cluster.

  3. Verify the existing repository:

    lh setRepo -c

    Identity Manager responds with the current repository information; for example:

    MysqlDataStore:jdbc:mysql://localhost/waveset

  4. Create a temporary file system repository location:

    mkdir c:\tempfs

  5. Set Identity Manager to use the temporary file system repository location:

    lh setRepo -tLocalFiles -fc:\tempfs LocalFiles:c:\tempfs

  6. Change the password for your repository. This procedure depends on the mechanism provided by your repository provider. This example highlights steps for a MySQL database:

    mysqladmin.exe -hlocalhost -uwaveset -poldpasswd password newpasswd

  7. Set the application to use the modified repository information:

    lh setRepo -tMysql -ujdbc:mysql://localhost/waveset -Uwaveset -Pnewpasswd

    The application responds with this warning:

    WARNING: No UserUIConfig object in repository. MysqlDataStore:jdbc:mysql://localhost/waveset

    Note –

    The warning message appears because the temporary file system that you pointed to has no contents. Ignore this message; after running the command, the temporary file system will no longer be needed.

  8. Verify the new repository value:

    lh setRepo -c

    The application responds with the new value:

    MysqlDataStore:jdbc:mysql://localhost/waveset

  9. Restart the server and verify that you can log in. If you have deployed Identity Manager in a cluster, then you must re-deploy Identity Manager across the cluster. This will distribute the updated web application (which includes the updated ServerRepository.xml file), to all nodes in the application server cluster.

  10. Remove the c:\tempfs temporary directory, and the ServerRepository.xml file that you archived in Changing a Repository Password Stored in a Database.

Changing a Repository Password Stored in a Data Source

If Identity Manager connects to the repository via a JDBC data source, and the data source contains the user name and password, then use the following procedure to change the username or password.

ProcedureTo Change a Repository Password Stored in a Data Source

  1. Stop Identity Manager. If you have deployed Identity Manager in an application server cluster, stop the application on all hosts.

  2. Change the password for the connection user name in the DBMS instance that you are using as your repository location. For example, on MySQL

    mysqladmin.exe -hlocalhost -uwaveset -poldpasswd password newpasswd

  3. Change the password that is stored on the DataSource object using the tools provided by the application server, directory server, or DBMS that manages your DataSource object.

  4. Re-start the server and verify that you can login. If you have deployed Identity Manager in a cluster, then you must re-deploy Identity Manager across the cluster. This will distribute the updated web application (which includes the updated ServerRepository.xml file), to all nodes in the application server cluster.

Appendix F setRepo Reference

The lh setRepo command sets the Identity Manager repository to the location specified.

Usage

setRepo [location_flags] [options]

location_flags

Flag 

Description 

-d databaseName

dbName in URL. The default name is waveset. Ignored if the -u flag is specified.

-D propsPath

Path to Properties file (JDBC/JNDI Connection Properties) 

-f filepath

Filesystem path for LocalFiles (JNDI RDN for DataSource) 

-h hostName

Host name URL. Ignored if the -u flag is specified.

-i initCtxFac

Name of the InitialContextFactory class for JNDI

-j jdbcDriver

JDBC Driver class. (The default is DBMS-specific.) 

-p portNumber

Port number in URL. Ignored if the -u flag is specified.

-P password

Password for JDBC connection. 

-t type

Oracle, MySQL, SQLServer, DB2, or LocalFiles 

-u url

URL for JDBC connection (overrides the -d, -h, and -p flags)

-U username

User name for JDBC connection. 

Options

Option 

Description 

-A administrator

Administrator username. The default username is configurator.

-C credentials

Administrator password (if changed from default) 

-c

Current (print current location to stdout) 

-v

Verbose (print configuration to stdout) 

-n

No checks. Use with the –o flag when the new location is unreachable, or with -c when current location is unreachable from the command line environment.

-o outfile

Output file path. Use this if the new location is unreachable. Write the config file, but DO NOT update the server and DO NOT check the new location. 

Syntax

Note –

If any parameters contain a shell escape or illegal characters, use double quotation marks around them to avoid failures. For example, the ";", "&", "&&", "|", and "||" characters cause these failures.

The following is an example containing arguments for a direct JDBC driver connection:

{-toracle { -u$url | -h$host [-p$port] [-d$dbname] } [-U$userid \
-P$pwd] [-D$propsPath]
| -tmysql [ -u$url | [-h$host] [-p$port] [-d$dbname] ] [-U$userid \
-P$pwd] [-D$propsPath]
| -tsqls { -u$url | -h$host [-p$port] [-d$dbname] } [-U$userid \
-P$pwd] [-D$propsPath]
| -tdb2 { -u$url | -h$host [-p$port] [-d$dbname] } [-U$userid \
 -P$pwd] [-D$propsPath]
}

The following is an example containing arguments that specify a direct DataSource connection:

| -toracle -i$initCtxFac -f$path [-u$providerUrl] [-U$userid \
 -P$pwd] [-D$propsPath]
| -tmysql -i$initCtxFac -f$path [-u$providerUrl] [-U$userid -P$pwd] \
[-D$propsPath]
| -tsqlserver -i$initCtxFac -f$path [-u$providerUrl] [-U$userid \
-P$pwd] [-D$propsPath]
| -tdb2 -i$initCtxFac -f$path [-u$providerUrl] [-U$userid -P$pwd] \
[-D$propsPath]
 }

Examples

setRepo
setRepo -c
setRepo -tLocalFiles -f$WSHOME
setRepo -tOracle -hhost.your.com -p1521 -ddbname -Uuser -Ppwd
setRepo -tOracle -ujava:oracle:thin:@host.your.com:1521:dbname  -Uuser -Ppwd
setRepo -tOracle -icom.sun.jndi.fscontext.RefFSContextFactory \
  -fjdbc/SampleDB
setRepo -tMysql -Uuser -Ppwd
setRepo -tMysql -ujdbc:mysql://localhost/waveset -Uuser -Ppwd
setRepo -tSQLServer -ujdbc:microsoft:sqlserver://host.your.com:1433;Database\
  Name=dbname -Uuser -Ppwd
setRepo -tDB2 -ujdbc:db2://host.your.com:6789/dbname -Uuser -Ppwd
setRepo -tDB2 -ujdbc:db2:dbname -jCOM.ibm.db2.jdbc.app.DB2Driver -Uuser -Ppwd

Appendix G DBMS Recovery and the Repository

This chapter discusses strategies for backing up and recovering the repository.

Recovering the Repository

Disaster recovery planning is an essential part of deploying any business-critical system. Each supported DBMS has multiple mechanisms for data backup and restoration. Any of these are appropriate. Identity Manager has no implicit requirements.

Typically, if a database fails, it would only be necessary to restore the repository to the point just before the database failure. However, if business requirements dictate that the repository be restored to any given point in time (through use of the appropriate vendor-specific methods such as ARCHIVELOG mode or Flashback in Oracle or FULL logging mode in SQL Server), this can be done as well. Regardless of the recovery method used, it is necessary to consider some implications of restoring a version of the repository that is not completely up-to-date.

While the state of the repository will be self-consistent after the data restoration, it will not necessarily be consistent (or even compatible) with external objects such as the resources. The following items demonstrate some possible inconsistencies that might arise:

Additionally, resources are themselves the repository of account attributes. Restoring the repository to a specific point in time may not aid in restoring resources to prior states, since the information required to do so may never have been stored in the repository.

redo Logs

Point-in-time recovery methods require the existence of an unbroken set of change records (typically referred to as “redo logs”). This can often present logistical challenges if the rate of change is high, generating a large volume of redo.

Identity Manager tries to minimize the need to write to the redo logs. However, database activity cannot be completely eliminated. Even when Identity Manager appears to be idle, each server polls the repository in order to detect changes to repository objects, tasks ready to run, tasks ready to clean up, and so forth.

The intervals on which these activities occur are configurable, and increasing these configured intervals will reduce the frequency of (but will not eliminate) database operations that Identity Manager executes against the repository when idle. To configure these intervals, define new values for the cache.pollingInterval and other properties that begin with cache and ChangeNotifier in the Waveset.properties file.

In addition, disable the listcache.size property on any application server in a cluster that does not serve the Identity Manager Graphic User Interface. Disabling this property reduces number of operations that Identity Manager executes against the repository when the application is idle.

Appendix H Working with Firewalls or Proxy Servers

This chapter describes how Identity Manager uses Uniform Resource Locators (URLs) and how to configure Identity Manager to obtain accurate URL data when firewalls or proxy servers are in place.

Servlet APIs

The Web-based Identity Manager user interface is highly dependent on Uniform Resource Locators (URLs) to specify the location of pages to be retrieved by the Web client.

Identity Manager depends on the Servlet APIs provided by an application server (such as Apache Tomcat, IBM WebSphere, or BEA WebLogic) to determine the fully qualified URL in the current HTTP request so that a valid URL can be placed in the generated HTML and HTTP response.

Some configurations prevent the application server from determining the URL the Web client uses for an HTTP request. Examples include:

For instances in which the Servlet APIs do not provide accurate URL data from an HTTP request, the correct data can be configured in the Waveset.properties file (located in your Identity Manager installation config directory).

The following attributes control Identity Manager’s Web-based documentation root and whether Identity Manager uses the HTML BASE HREF tag:

Overriding this calculated value can be useful when those APIs do not return the whole truth, which occurs when: