The following sections describe how to install the ALES Administration Server on either Windows or UNIX platforms:
Before you begin this installation procedure, make sure to do the following:
BEA_HOME/ales25-admin/examples/DBSetupKit.
The following topics provide additional information to assist you in preparing for an installation:
During installation, you need to specify locations for the following directories:
During installation, you are prompted to choose an existing BEA Home (BEA_HOME) directory. If you are using WebLogic Server as your servlet container, you should specify the same BEA Home directory that you specified when you installed WebLogic Server. If you are using Apache Tomcat as your servlet container, then the BEA Home directory is a repository for common files that are used by multiple BEA products installed on the same machine. For this reason, the BEA Home directory can be considered a central support directory for the BEA products installed on your system. The files in the BEA Home directory are essential to ensuring that BEA software operates correctly on your system. They perform the following types of functions:
The files and directories in the BEA Home (BEA_HOME) directory are described in your WebLogic documentation. Although it is possible to create more than one BEA Home directory, BEA recommends that you avoid doing so. In almost all situations, a single BEA Home directory is sufficient. There may be circumstances, however, in which you prefer to maintain separate development and production environments on a single machine, each containing a separate product stack. With two directories, you can update your development environment (in a BEA Home directory) without modifying the production environment until you are ready to do so.
The product installation directory contains all the software components used to administer BEA AquaLogic Enterprise Security. During installation, you are prompted to choose a product installation directory. If you accept the default, the software is installed in the following directory:
where c:\bea or /opt/bea is the BEA_HOME directory and ales25-admin is the product installation directory. You can specify any name and location on your system for your product installation directory and there is no requirement that you name the directory ales25-admin or create it under the BEA Home directory.
Like any component running on a system, the infrastructure it provides is only as secure as the operating environment where it is installed. When BEA AquaLogic Enterprise Security is installed on a system, it makes use of that system's security infrastructure to lock itself down and integrate with the security of its environment. Through the use of user, group, and file system permissions, BEA AquaLogic Enterprise Security allows limited access to many operations depending upon these permissions.
As of version 2.2 of ALES, the user who installs the Administration Server and SSMs does not require administrator privileges on a Windows platform, or root access on a Sun Solaris or Linux platform. The installation procedures set the file and directory permissions based on the user who runs the installer.
This means that if the user who installs the Administration Server is not the same user who installed the servlet container (WebLogic Server or Apache Tomcat), you can potentially introduce file permission problems. For example, consider that on a Windows platform the WebLogic Server requires access to the BEA_HOME\ales25-admin\set-wls-env.bat file. In this case, you will need to update the file permissions manually or make sure that both users belong to the same user groups.
Note: Unlike prior versions of AquaLogic Enterprise Security, as of version 2.2 the Administration Server installation does not create or require special users or groups, such as the previously default values of asiadmin, asiadgrp, scmuser, or asiusers.
AquaLogic Enterprise Security implements a sophisticated username and password schema to protect the application itself and to ensure secure communications. Understanding this schema is important to installing the product and ensuring that it operates properly in either a development or production environment.
There are two levels of password protection:
Understanding your enterprise and how responsibilities in your organization are separated is essential to establishing a secure environment. For example, the person who maintains the database is usually not the person who designs and implements security. The person who deploys applications is usually not the person who administers system usernames and passwords. And, while you may not be as concerned with a more formal authorization scheme in your development environment, your production environment needs to be firmly secured and responsibilities clearly defined.
Usernames and passwords are required to access the components listed and described in Table 4-1.
Identity Keystore - stores and protects the private keys that represent the processes identity or identities.
BEA recommends following these guidelines:
Note: BEA does not recommend the use of randomly generated passwords, as the generation mechanism for these passwords is not secure. In a production environment, BEA does not recommend installing Security Service Modules on the same machine as the Administration Server.
If you start the installation process from the command line or from a script, you can specify the -log option to generate a verbose installation log. The installation log lists messages about events that occur during the installation process, including informational, warning, error, and fatal messages. This can be especially useful for silent installations.
Note: You may see some warning messages in the installation log. However, unless there is a fatal error, the installation program completes the installation successfully. The installation user interface indicates the success or failure of the installation, and the installation log file includes an entry indicating that the installation was successful.
To create a verbose log file during installation, use the following command lines or scripts:
ales250admin_win32.exe -log=D:\bea\logs\ales_install.log -log_priority=debug
ales250admin_solaris32.bin -log=/bea/logs/ales_install.log -log_priority=debug
ales250admin_rhas3_IA32.bin -log=/bea/logs/ales_install.log -log_priority=debug
Note: The -log parameter is optional. By default, the installation log is put in the log directory where you install the Administration Server. If the installer fails for some reason, use this switch to generate even more verbose output: -log_priority=debug.
The path must be the full path to a file name. If the file does not exist, all folders in the path must exist before you execute the command or the installation program does not create the log file.
Note: Do not install the software from a network drive. Download the software to a local drive on your machine and install it from there.
To install the application in a Microsoft Windows environment:
ales250admin_win32.exe.
The AquaLogic Enterprise Security - Administration Application window appears as shown in Figure 4-1.
If the installation program does not start automatically, open Windows Explorer and double-click the CD-ROM icon.
ales250admin_win32.exe.
The AquaLogic Enterprise Security - Administration Application window appears as shown in Figure 4-1.
To run graphical-mode installation, your console must support a Java-based GUI. If the installation program determines that your system cannot support a Java-based GUI, the installation program automatically starts console-mode installation.
Before running the installer, ensure the following two things are done.
It is also important to add the /bin directory to PATH and the /lib directory to LD_LIBRARY_PATH. If these settings are changed, you must reboot before the changes become available to processes running as services (which is how the Administration Server initializes itself).
Note: BEA recommends setting these variables in /etc/profile so they are available to all processes starting from init.
For example, if the installation directory is /opt/beahome/ales25-admin and the /opt/ directory is only accessible by root, post installation scripts that run as a user other than root cannot access the directory where they reside. Therefore, the directory into which you do the install (for example, /opt/beahome/ales25-admin) must have execute permissions for other.
Run the following command to reset the permissions:
chmod o+x /opt/
The beahome and ales25-admin directories already have permissions set appropriately.
To install the application on a Sun Solaris platform:
DISPLAY variable if needed.
chmod u+x ales250admin_solaris32.bin
./ales250admin_solaris32.bin
The AquaLogic Enterprise Security - Administration Application window appears as shown in Figure 4-1.
ales250admin_solaris32.bin.
The AquaLogic Enterprise Security - Administration Application window appears as shown in Figure 4-1.
To run graphical-mode installation, your console must support a Java-based GUI. If the installation program determines that your system cannot support a Java-based GUI, the installation program automatically starts console-mode installation.
Before running the installer, ensure the following two things are done.
It is also important to add the /bin directory to PATH and the /lib directory to LD_LIBRARY_PATH. If these settings are changed, you must reboot before the changes become available to processes running as services (which is how the Administration Server initializes itself).
Note: BEA recommends setting these variables in /etc/profile so they are available to all processes starting from init.
For example, if the installation directory is /opt/beahome/ales25-admin and the /opt/ directory is only accessible by root, post installation scripts that run as a user other than root cannot access the directory where they reside. Therefore, the directory into which you do the install (for example, /opt/beahome/ales25-admin) must have execute permissions for other.
Run the following command to reset the permissions:
chmod o+x /opt/
The beahome and ales25-admin directories already have permissions set appropriately.
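The traversal requirement described above (every directory on the way to the install directory needs execute permission for other) can be checked before the installer runs. This is an added example, not code from the BEA documentation; the function names other_can_traverse and missing_other_x are hypothetical.

```sh
#!/bin/sh
# Added example (not BEA code): find directories on the way to the install
# directory that "other" cannot traverse, the condition chmod o+x repairs.

# other_can_traverse DIR: succeed when DIR has the execute bit for "other".
other_can_traverse() {
    # Character 10 of the ls mode string is the other-execute slot;
    # "x" or "t" (sticky bit plus execute) mean the bit is set.
    oct_flag=$(ls -ldL "$1" 2>/dev/null | cut -c10)
    [ "$oct_flag" = "x" ] || [ "$oct_flag" = "t" ]
}

# missing_other_x DIR: print every directory from DIR up to / that lacks
# o+x. Returns 0 if none lack it, 1 if any do, and 2 if DIR is not an
# absolute path to a directory the caller can reach.
missing_other_x() {
    case $1 in
        /*) ;;
        *) return 2 ;;
    esac
    [ -d "$1" ] || return 2
    mox_rc=0
    mox_dir=$1
    while :; do
        if ! other_can_traverse "$mox_dir"; then
            printf '%s\n' "$mox_dir"
            mox_rc=1
        fi
        # dirname of the root is the root itself, which ends the walk.
        mox_up=$(dirname "$mox_dir")
        if [ "$mox_up" = "$mox_dir" ]; then break; fi
        mox_dir=$mox_up
    done
    return "$mox_rc"
}

# Stand-alone use: sh check_traverse.sh /opt/beahome/ales25-admin
if [ "$#" -gt 0 ]; then
    missing_other_x "$1"
fi
```

Each directory it prints needs chmod o+x, which grants traversal only; listing the directory's contents still requires o+r.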
To install the application on a Linux platform:
DISPLAY variable if needed.
chmod u+x ales250admin_linux32.bin
./ales250admin_linux32.bin
The AquaLogic Enterprise Security - Administration Application window appears as shown in Figure 4-1.
ales250admin_linux32.bin.
The AquaLogic Enterprise Security - Administration Application window appears as shown in Figure 4-1.
The installation program prompts you to enter specific information about your system and configuration, as described in Table 4-2.
Note: You must install the Administration Server before installing any Security Service Modules. BEA does not recommend installing Security Service Modules on the same machine as the Administration Server in a production environment.
To complete this procedure you need the following information:
BEA HOME directory: Specify the BEA Home directory that serves as the central support directory for all BEA products installed on the target system. If you already have a BEA Home directory on your system, you can select that directory (recommended) or create a new BEA Home directory. If you choose to create a new directory, the installer program automatically creates the directory for you.

Specify the directory in which to install the Administration Server software. You can accept the default product directory (ales25-admin) or create a new product directory.

Select the network interfaces to which to bind the Service Control Manager. This is the IP address used to listen for requests to distribute policy and configuration data.

Enter the name to assign to this domain. The Enterprise Domain represents the collection of Security Service Modules administered by this BEA AquaLogic Enterprise Security Administration Server. Make a note of the Enterprise Domain Name you entered as you will need this to install any subsequent Security Service Modules.

Enter the HTTP port number for the Administration Console of the servlet container to use. Enter the HTTPS port number for the Administration Server to use. When you enter the SSL port number, make sure that at least five consecutive port numbers are also available. These port numbers are used by services required by the BEA AquaLogic Enterprise Security Administration Server to operate properly, and the Administration Server always runs on a secure connection using these ports. The installer checks during installation to see if any of the ports are used, skips those that are used, and selects the next available port.

Certificate Authority Duration (years): Enter the number of years the security certificate remains in effect. The Certificate Authority is used to generate and sign certificates for other components in the BEA AquaLogic Enterprise Security system.

Local service name (Oracle System Identifier SID).
Change the

Sybase server entry you configured in this local machine, used to connect to Sybase database server running elsewhere. Name of the Sybase database—the name of policy database.
Change the
The
You can use the latter URL format when the default database for Login ID is set to the policy database.

<host name of the server that MSSQL is running on>
Location of the MSSQL database driver
The user created in step 2 of the pre-installation tasks
The password created in step 2 of the pre-installation tasks

Location of the PointBase database driver
The user created in step 3 of the pre-installation tasks
The password created in step 3 of the pre-installation tasks

You can direct the installer to randomly generate passwords for all keys. If you are installing the product in a production environment, BEA recommends using secure user names and passwords, and not those that are randomly generated. If you choose to use randomly generated passwords, the next step in the installation process is Installation Complete.

The Certificate Authority is used to generate and sign certificates for other components in the BEA AquaLogic Enterprise Security system.
You can either choose to use a randomly generated password or you can specify the private key password. You must confirm the password.

Enter the following key passwords to secure communications of internal processes. These are components of the Administration Server. Private key passwords are used to validate process authenticity by using the Certificate Authority chain of trust. Identities with invalid or untrusted keys cannot participate in the trust relationships of the enterprise domain.

You may supply keystore passwords for each of the Identity, Peer and Trust Certificate Authority keystores or accept the randomly generated passwords.
Identity Keystore—stores and protects the private keys that represent the processes identity or identities.
Now that you have installed the necessary software, you must start the necessary services. For additional instructions, see Post Installation Tasks. If you want to install a second Administration Server to use as a backup, see Installing a Secondary Administration Server.
ALES 2.5 includes a utility to help you upgrade from AquaLogic Enterprise Security 2.1 or 2.2. If you have an existing installation of ALES 2.1 or 2.2, follow this upgrade procedure to upgrade the Administration Server. For information about upgrading SSMs, see Upgrading from ALES 2.1 or 2.2 in Installing Security Service Modules. Note that no upgrade is available for Apache and Microsoft IIS Web Server SSM instances.
upgrade script, which is located in BEA_HOME/ales25-admin/upgrade.
You can run the Administration Server installation in silent mode. Silent installation mode allows you to run the installer once on one machine and then use the configuration of that machine to duplicate installation on multiple machines. When you run the installation program in silent mode, the installation program reads the configuration information it needs from an XML file that you specify in the command that launches the installation program.
When you run the installation program in a mode other than silent mode, it creates an XML file, located at BEA_HOME/ales25-admin/config/silent_install_admin.xml. You can edit this XML file and use it when you run the installation program in silent mode. You need to edit the silent_install_admin.xml file to set the values described in Table 4-3. Each installation parameter is specified in the XML file as the value of a <data-value> element, as in the following example:
<data-value name="USER_INSTALL_DIR" value="C:\bea\ales25-admin" />
The values you set in the <data-value> elements correspond generally to the responses you enter when you run the installation program in a mode other than silent mode, which are described in Table 4-2.
To run the Administration Server installation in silent mode, use one of the following commands:
ales250admin_win32.exe -mode=silent -silent_xml=<path_to_silent.xml>
ales250admin_solaris32.bin -mode=silent -silent_xml=<path_to_silent.xml>
ales250admin_linux32.bin -mode=silent -silent_xml=<path_to_silent.xml>
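A pre-flight check for an unattended run on a UNIX host, combining the <data-value> format above with the -log path rule stated earlier (full path to a file name, all folders already present). This is an added example, not BEA code; the function names are hypothetical, and it assumes one <data-value> element per line with name before value, as in the sample line above.

```sh
#!/bin/sh
# Added example (not BEA code). Assumes one <data-value ... /> element per
# line with name before value, as in the page's sample line.

# silent_value XML NAME: print the value of the named <data-value> element.
silent_value() {
    case $2 in
        ''|*[!A-Za-z0-9_]*) return 2 ;;   # keep NAME safe inside the regex
    esac
    sed -n "s/.*<data-value[[:space:]][[:space:]]*name=\"$2\"[[:space:]][[:space:]]*value=\"\\([^\"]*\\)\".*/\\1/p" "$1" |
        head -n 1
}

# log_path_problem PATH: print why PATH breaks the -log rule (full path to
# a file name, all folders already present); print nothing when it is fine.
log_path_problem() {
    case $1 in
        /*) ;;
        *) echo "not a full path: $1"; return 0 ;;
    esac
    if [ -d "$1" ]; then
        echo "names a directory, not a file: $1"
        return 0
    fi
    lpp_parent=$(dirname "$1")
    if [ ! -d "$lpp_parent" ]; then
        echo "folder does not exist: $lpp_parent"
    fi
}

# preflight_silent XML LOG: print one line per problem, return their count.
preflight_silent() {
    ps_count=0
    if [ ! -r "$1" ]; then
        echo "cannot read silent XML: $1"
        ps_count=$((ps_count + 1))
    elif [ -z "$(silent_value "$1" USER_INSTALL_DIR)" ]; then
        echo "USER_INSTALL_DIR missing or empty in $1"
        ps_count=$((ps_count + 1))
    fi
    ps_why=$(log_path_problem "$2")
    if [ -n "$ps_why" ]; then
        printf '%s\n' "-log: $ps_why"
        ps_count=$((ps_count + 1))
    fi
    return "$ps_count"
}

# Stand-alone use: sh preflight.sh /path/silent.xml /bea/logs/ales_install.log
if [ "$#" -eq 2 ]; then
    preflight_silent "$1" "$2"
fi
```

Run it on each target machine before launching the installer with -mode=silent, since a missing log folder otherwise leaves an unattended run without a log file.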
You may want to install and configure a second Administration Server on a separate machine to support failover. For information about this, see Setting up Administration Servers for Failover in the Administration and Deployment Guide.