Installing Security Service Modules


Installing

The following sections provide the information you need to install the ALES Security Service Modules:

 


Before you Begin

Before you begin this installation procedure, make sure you do the following:

Note: If you start the installation process from the command line or from a script, you can specify the -log option to generate a verbose installation log. For instructions on how to generate a verbose log file during installation, see Generating a Verbose Installation Log.

Generating a Verbose Installation Log

If you start the installation process from the command line or from a script, you can specify the -log option to generate a verbose installation log. The installation log lists messages about events during the installation process, including informational, warning, error, and fatal messages. This can be especially useful for silent installations.

Note: You may see some warning messages in the installation log. However, unless there is a fatal error, the installation program will complete the installation successfully. The installation user interface will indicate the success or failure of the installation, and the installation log file will include an entry indicating that the installation was successful.

To generate a verbose log file during installation, include the -log=/full_path_to_log_file option in the command line or script. For example:

For Windows:

ales260ssm_win32.exe -log=D:\logs\ales_install.log -log_priority=debug

For Sun Solaris:

ales260ssm_solaris32.bin -log=/opt/logs/ales_install.log -log_priority=debug

For Linux:

For Red Hat 3.0:

ales260ssm_rhas_IA32.bin -log=/opt/logs/ales_install.log -log_priority=debug

For IBM AIX:

java -jar ales260ssm_aix32.jar -log=/opt/logs/ales_install.log -log_priority=debug

The path must be the full path to a file name. If the file does not exist, all folders in the path must exist before you execute the command or the installation program will not create the log file.

 


Starting the Installation Program

The procedure for starting the installation program varies depending on the platform on which you install BEA AquaLogic Enterprise Security. Therefore, separate instructions are provided for each supported platform.

Note: In a production environment, BEA recommends that you install the Security Service Modules on machines other than the machine on which the Administration Server is installed.

To start the installation program, refer to the appropriate section listed below:

Starting the Installation Program on a Windows Platform

Note: Do not install the software from a network drive. Download the software distribution to a local drive on your machine and install it from there. Also, on a Windows platform, the file system used must be NTFS, not FAT. To check the file system format, open Windows Explorer and right-click the hard drive on which you intend to do the installation and select Properties.

To install the application in a Microsoft Windows environment:

  1. Shut down any programs that are running.
  2. Log in to the machine. As of ALES version 2.2 administrator privilege is not required. ALES sets the ownership of all files based on the user who runs the installer.
  3. If you are installing from a CD-ROM, go to step 4. If you want to install the product by downloading it from the BEA web site:
    1. Contact BEA Sales at http://www.bea.com/framework.jsp?CNT=sales1.htm&FP=/content/about/contact/ and request a download.
    2. Go to the directory where you downloaded the installation file and double-click ales260ssm_win32.exe.
    3. The BEA Installer - Security Service Module window appears (see Figure 4-1).

    4. Proceed to Running the Installation Program.
  4. If you are installing from a CD-ROM:
    1. Insert Disk 2 into the CD-ROM drive.
    2. If the installation program does not start automatically, open Windows Explorer and double-click the CD-ROM icon.

    3. From the installation CD, double-click ales260ssm_win32.exe.
    4. The BEA Installer - Security Service Module window appears (see Figure 4-1).

    5. Proceed to Running the Installation Program.

Starting the Installation Program on a Sun Solaris Platform

To run graphical-mode installation, your console must support a Java-based GUI. If the installation program determines that your system cannot support a Java-based GUI, the installation program automatically starts console-mode installation.

  1. Shut down any programs that are running.
  2. Log in to the machine. As of ALES version 2.2 root privilege is not required. ALES sets the ownership of all files based on the user who runs the installer.
  3. Open a command-line shell.
  4. If you are installing from a CD-ROM, go to step 5. If you want to install the product by downloading it from the BEA web site:
    1. Contact BEA Sales at http://www.bea.com/framework.jsp?CNT=sales1.htm&FP=/content/about/contact/ and request a download.
    2. Go to the directory where you downloaded the file and change the protection on the install file:
       chmod u+x ales260ssm_solaris32.bin
    3. Start the installation: ales260ssm_solaris32.bin
    4. The BEA Installer - Security Service Module window appears (see Figure 4-1).

    5. Proceed to Running the Installation Program.
  5. If you are installing from a CD-ROM:
    1. Insert Disk 2 into the CD-ROM drive.
    2. In a command shell, go to the directory where you installed the CD-ROM and change the protection on the install file:
       chmod a+x ales260ssm_solaris32.bin
    3. Enter this command to start the installation: ales260ssm_solaris32.bin
    4. The BEA Installer - Security Service Module window appears (see Figure 4-1).

    5. Proceed to Running the Installation Program.

Starting the Installation Program on a Linux Platform

To run graphical-mode installation, your console must support a Java-based GUI. If the installation program determines that your system cannot support a Java-based GUI, the installation program automatically starts console-mode installation.

  1. Shut down any programs that are running.
  2. Log in to the machine. As of ALES version 2.2 administrator privilege is not required. ALES sets the ownership of all files based on the user who runs the installer.
  3. Set your DISPLAY variable if needed.
  4. Open a command-line shell.
  5. If you are installing from a CD-ROM, go to step 6. If you want to install the product by downloading it from the BEA web site:
    1. Contact BEA Sales at http://www.bea.com/framework.jsp?CNT=sales1.htm&FP=/content/about/contact/ and request a download.
    2. Go to the directory where you downloaded the file and change the protection on the install file:
       For Red Hat 3.0: chmod u+x ales260ssm_rhas_IA32.bin
    3. Start the installation:
       For Red Hat 3.0: ales260ssm_rhas_IA32.bin

       The BEA Installer - Security Service Module window appears (see Figure 4-1).

    4. Proceed to Running the Installation Program.
  6. If you are installing from a CD-ROM:
    1. Insert Disk 2 into the CD-ROM drive.
    2. In a command shell, go to the directory where you installed the CD-ROM and enter this command to change the protection on the install file:
       For Red Hat 3.0: chmod u+x ales260ssm_rhas_IA32.bin
    3. Enter this command to start the installation:
       For Red Hat 3.0: ales260ssm_rhas_IA32.bin

       The BEA Installer window appears (see Figure 4-1).

    4. Proceed to Running the Installation Program.

Starting the Installation Program on an IBM AIX Platform

To run graphical-mode installation, your console must support a Java-based GUI. If the installation program determines that your system cannot support a Java-based GUI, the installation program automatically starts console-mode installation.

  1. Log in to the machine.
  2. Open a command-line shell.
  3. Download the Security Service Module installation file, ales260ssm_aix32.jar, from the BEA web site. Contact BEA Sales at http://www.bea.com/framework.jsp?CNT=sales1.htm&FP=/content/about/contact/ to request a download.
  4. Start the installation with this command:
     java -jar ales260ssm_aix32.jar
  5. The AquaLogic Enterprise Security - Security Service Module installer window appears (see Figure 4-1).
  6. Proceed to Running the Installation Program.

Figure 4-1 AquaLogic Enterprise Security SSM Installer Window

 


Running the Installation Program

The installation program prompts you to enter specific information about your system and configuration as described in Table 4-1. To complete this procedure you need the following information:

Note: If this is the first AquaLogic Enterprise Security product you have installed on this machine, the Service Control Manager is also included as part of the installation (which requires additional inputs, such as the Service Control Manager directory). This condition does not apply if you choose not to install the Service Control Manager, as described in Installing an SSM Without an Associated SCM.

Table 4-1 Running the Installation Program

Each entry below gives the window name ("In this Window") followed by the action to perform ("Perform this Action").

Welcome
  Click Next to proceed, or cancel the installation at any time by clicking Exit.

BEA License Agreement
  Read the BEA Software License Agreement, and then select Yes to indicate your acceptance of the terms of the agreement. To continue with the installation, you must accept the terms of the license agreement, click Yes, and then click Next.

Choose BEA Home Directory
  Specify the BEA Home directory that serves as the central support directory for all BEA products installed on the target system. If you already have a BEA Home directory on your system, you can select that directory (recommended) or create a new BEA Home directory. If you choose to create a new directory, the installer program automatically creates the directory for you. For details about the BEA Home directory, see BEA Home Directory.

Choose product to install
  Select the SSMs you wish to install, clear the other check boxes, and click Next.

Choose Product Directory
  Specify the directory in which you want to install the product software, and then click Next. You can accept the default product directory (for example, C:\bea\ales26-ssm\wls-ssm) or you can create a new product directory.

  Note: If you are installing on a machine with existing BEA AquaLogic Enterprise products or on a machine on which you intend to install other BEA AquaLogic Enterprise products (for example, the Administration Server or another Security Service Module) you must select a different directory.

  For additional information and a description of the resulting directory structure, see Product Installation Directory.
  If you choose to create a new directory, the installation program automatically creates the directory for you, if necessary.
  When you click Next, the installation program begins copying the components you specified to your system. If you have installed other products then you will see Installation Complete. Otherwise, continue installing the Service Control Manager.

Allow centralized configuration of security providers
  If you are not installing on the Administration Server, and you are not installing only the WLS 9.x SSM, the installer asks whether to allow centralized (automatic) configuration of security providers. Leave the box selected to enable the SSM instance to get configuration information from the Administration Server. Uncheck the box if you do not want to associate the SSM with an SCM. If you uncheck this box, the SSM installer does not ask for an SCM installation directory and does not launch the SCM installer.
  Later in this section, Figure 4-2 shows the Centralized Configuration of Security Providers screen.

Choose Service Control Manager Directory
  Specify the directory in which to install the Service Control Manager. You can accept the default directory (ales26-scm) or you can create a new one.
  Click Next to continue.

Choose Network Interface
  Select the network interfaces to which to bind the Service Control Manager. This is the IP Address used to listen for requests to provision policy and configuration data.

  Note: If you are installing the security service module in a production environment with more than one network card, you want to select a protected (internal) interface; you do not want to expose the Service Control Manager through a public address.

  Click Next to continue.

Configure Enterprise Domain for Service Control Manager
  Enterprise Domain Name—Deprecated in this Release. asi is used by default. The enterprise domain name is used to link all of the AquaLogic Enterprise Security components.

  Note: This is the same enterprise domain name that you entered when you installed the BEA AquaLogic Enterprise Security Administration Server.

  SCM Logical Name—The name you assign to the Service Control Manager during this installation.
  SCM Port—Port used by the Service Control Manager to receive configuration and policy data from the Administration Server; may not be used by any other server.

  Note: The SCM values are different from the SCM values defined when you installed the BEA AquaLogic Enterprise Security Administration Server.

  Primary Server URL—The address used by your Administration Server.
  Backup Server URL—If you have a second Administration Server installed for the purpose of failover or backup, enter its address here. This field is optional and may be left blank.

Installation Complete
  Indicates that the installation completed successfully. Click Done to finish the installation.

 


Upgrading from ALES 2.1, 2.2, and 2.5

ALES 2.6 includes a utility to help you upgrade from AquaLogic Enterprise Security versions 2.1, 2.1 SP1, 2.2, and 2.5. Note that no upgrade is available for Apache and Microsoft IIS Web Server SSM instances. If you have an existing installation of ALES 2.1, 2.1 SP1, 2.2, and 2.5, follow this upgrade procedure. For information about upgrading the Administration Server, see Upgrading from ALES 2.1, 2.2, and 2.5 in Installing the Administration Server.

  1. Make sure you have read and delete permission for the ALES 2.1, 2.1 SP1, 2.2, or 2.5 files. You must be logged in as a member of whatever group you used when installing ALES 2.1, 2.1 SP1, 2.2, or 2.5.
  2. Stop the ALES 2.1, 2.1 SP1, 2.2, or 2.5 processes, including the Administration Server, SCM, and SSM instances. For more information, see Starting and Stopping ALES Components in the Administration and Deployment Guide.
  3. If you have installed the ALES 2.1, 2.1 SP1, 2.2, or 2.5 Administration Server on the same machine on which you have installed one or more ALES 2.1, 2.1 SP1, 2.2, or 2.5 SSMs, be sure to upgrade the Administration Server before you upgrade any SSMs.
  4. Run the ALES 2.6 SSM installer on the machines on which your ALES 2.1, 2.1 SP1, 2.2, or 2.5 SSMs are installed. The ALES 2.6 SSM installer detects the ALES 2.1, 2.1 SP1, 2.2, or 2.5 installation and uses its configuration information.
  5. The upgrade script runs automatically. In response to the prompts, supply the location of the ALES 2.1, 2.1 SP1, 2.2, or 2.5 SSM instance to be upgraded and the destination of the ALES 2.6 SSM instance to be created. These locations may be the same.

 


Installing in Silent Mode

You can run the SSM installation in silent mode. Silent installation mode allows you to run the installer once on one machine and then use the configuration of that machine to duplicate SSM installation on multiple machines. When you run the installation program in silent mode, the installation program reads the configuration information it needs from an XML file that you specify in the command that launches the installation program.

When you run the installation program in a mode other than silent mode, it creates an XML file, located at BEA_HOME/ales26-ssm/<ssm>/adm/silent_install_ssm.xml. You can edit this XML file and use it when you run the installation program in silent mode. You need to edit the silent_install_ssm.xml file to set the values described in Table 4-2. Each installation parameter is specified in the XML file as the value of a <data-value> element, as in the following example:

<data-value name="USER_INSTALL_DIR" value="C:\bea\ales26-admin" />

The values you set in the <data-value> elements correspond generally to the responses you enter when you run the installation program not in silent mode, which are described in Table 4-1.

Note: If you choose not to install the Service Control Manager, as described in Installing an SSM Without an Associated SCM, do not fill in values for SCM_INSTALL_DIR, SCM_NAME, and SCM_PORT.

Table 4-2 Silent Installation Configuration

Each entry below gives the data element name, followed by its description and, where the table provides one, its default or sample value.

BEAHOME
  Description: BEA_HOME directory in which to install the Administration Server
  Default or sample value: C:\bea

USER_INSTALL_DIR
  Description: Directory within BEA_HOME directory in which to install the SSM
  Default or sample value: C:\bea\ales26-wls-ssm

SCM_INSTALL_DIR
  Description: Directory within BEA_HOME directory in which to install the Service Control Manager
  Default or sample value: C:\bea\ales26-scm

COMPONENT_PATHS
  Description: Specifies the SSMs to install, separated by the pipe ( | ) character. Possible component selections are:
  • ALES SSM COMBO/ALES SSM for Java
  • ALES SSM COMBO/ALES SSM for Web Service
  • ALES SSM COMBO/ALES SSM for IIS
  • ALES SSM COMBO/ALES SSM for Apache
  • ALES SSM COMBO/ALES SSM for WLS8.1
  • ALES SSM COMBO/ALES SSM for WLS9.x

SCM_INTERFACE_LIST
  Description: A comma-separated list of IP addresses of the network interfaces to which to bind the Service Control Manager.

ENTERPRISE_DOMAIN_NAME
  Description: Deprecated in this release. Should always be asi.
  Default or sample value: asi

SCM_NAME
  Description: The name you assign to the Service Control Manager during this installation.

SCM_PORT
  Description: Port used by the Service Control Manager to receive configuration and policy data from the Administration Server; may not be used by any other server.

SCM_PRIMARY_ADMIN_URL
  Description: The address used by your Administration Server.

SCM_BACKUP_ADMIN_URL
  Description: The address used by your secondary (backup) Administration Server, if you have one. Optional.

To run the SSM installation in silent mode, use one of the following commands:

 


Installing an SSM Without an Associated SCM

AquaLogic Enterprise Security version 2.5 removed the requirement that a Service Control Manager (SCM) be installed on each system where one or more Security Service Modules (SSMs) are installed.

This section describes how to install and configure an SSM without an associated SCM.

Configuring an SSM From Exported Data

This section describes the current architecture of the SCM and details why it is no longer required in this release.

The SCM is responsible for storing and maintaining the configuration data for all SSMs running on the system. Once started, an SSM receives its configuration data from the local SCM. When a change is made and distributed from the Administration Server, the SCM receives the change and updates the cached copy of the configuration. On restart, the SSM receives updated configuration data from the SCM.

Although the SCM performs this configuration process efficiently, it represents an additional process that has to be installed and maintained. Because the configuration of security providers might not change after the initial system setup, you might determine that maintaining the SCM is needlessly cumbersome.

In this release of AquaLogic Enterprise Security it is possible to deploy an SSM without the SCM. You can use the PolicyIX tool, described in PolicyIX in the Administration Reference, to communicate directly with the BLM and retrieve configuration data. The PolicyIX tool allows you to export configuration data (configured either through the ALES Administration Console or directly via the BLM API) for a given SSM to an XML file, and use it with the configured SSMs when the SCM is not available.

After you export the configuration data you must manually copy the XML configuration file and the associated signature file to the appropriate SSM configuration directory.

Note: The SCM is always installed on the ALES Administration server. However, an SSM installed on this system does not have to use the SCM, as described in Not Using the SCM When SSM is Installed on Administration Server.

PolicyIX Tool Not Used in WLS 9.x SSM for SSM Configuration

For the WLS 9.x SSM, you use the WebLogic Server console, and not the SCM, to make configuration changes, as described in Configuring the WebLogic Server 9.x SSM. The WLS 9.x SSM cannot read the configuration file exported by the PolicyIX tool.

XML Configuration Data File is Signed

PolicyIX uses the existing settings for the SSL infrastructure, specified during the administration server installation, to sign the exported configuration files. In particular, the following Java properties are used to retrieve the signing key:

For example, consider the following use:

-Dwles.ssl.passwordFile="D:/beas/ales26-admin/ssl/password.xml"
-Dwles.ssl.passwordKeyFile="D:/beas/ales26-admin/ssl/password.key"
-Dwles.ssl.identityKeyStore="D:/beas/ales26-admin/ssl/identity.jks"
-Dwles.ssl.identityKeyAlias=wles-admin
-Dwles.ssl.identityKeyPasswordAlias=wles-admin

The PolicyIX.bat file invokes the tool with -Dales.policyTool.signer=wles-admin. The ales.policyTool.signer property is a required Java property that specifies the alias of the signing key in the identity keystore, which must be equal to the Administration server machine name.

The public key of the Administration server is then retrieved from the SSL peer keystore for the purpose of validating the configuration file's signature. This public key is available from the Administration server's certificate, which was added to the SSL peer keystore during the enrollment process.

The uuencoded signature of the XML file is stored in a corresponding signature file, whose name is derived from the full name of the signed XML file (including extension) with the added ".sig" extension. For example, myconfig.xml.sig.

Switching From Manual to Automatic Configuration

If you do not configure an SCM when you install the SSM, switching back to SCM configuration for that SSM is not possible: you must uninstall the SSM and then add it back.

Silent Install is Updated

As described in Installing in Silent Mode, you can run the SSM installation in silent mode. Silent installation mode allows you to run the installer once on one machine and then use the configuration of that machine to duplicate an SSM installation on multiple machines.

If you do not want an SCM to be configured, do not provide values for SCM_NAME, SCM_PORT, and SCM_INSTALL_DIR when you edit the BEA_HOME/ales26-ssm/<ssm>/adm/silent_install_ssm.xml file. These data elements are described in Table 4-2.
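
Because one edited silent_install_ssm.xml is replayed on many machines, it is worth checking before rollout. The following is an added example, not BEA's code, that lints the <data-value> entries against Table 4-2 and the notes in Installing in Silent Mode and in this section. Assumptions: the wrapping <silent-config> element and all sample values are constructed, a partly filled SCM group is treated as a mistake, and "protected (internal)" is approximated as RFC 1918 address space.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Component selections listed in Table 4-2.
KNOWN_COMPONENTS = {
    "ALES SSM COMBO/ALES SSM for Java",
    "ALES SSM COMBO/ALES SSM for Web Service",
    "ALES SSM COMBO/ALES SSM for IIS",
    "ALES SSM COMBO/ALES SSM for Apache",
    "ALES SSM COMBO/ALES SSM for WLS8.1",
    "ALES SSM COMBO/ALES SSM for WLS9.x",
}
SCM_KEYS = ("SCM_INSTALL_DIR", "SCM_NAME", "SCM_PORT")
# Assumption: an "internal" interface is one with an RFC 1918 address.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample; the root element name is a placeholder.
SAMPLE = """<silent-config>
  <data-value name="BEAHOME" value="/opt/bea" />
  <data-value name="USER_INSTALL_DIR" value="/opt/bea/ales26-ssm/wls-ssm" />
  <data-value name="SCM_INSTALL_DIR" value="/opt/bea/ales26-scm" />
  <data-value name="COMPONENT_PATHS"
      value="ALES SSM COMBO/ALES SSM for Java|ALES SSM COMBO/ALES SSM for WLS8.1" />
  <data-value name="SCM_INTERFACE_LIST" value="10.20.0.15" />
  <data-value name="ENTERPRISE_DOMAIN_NAME" value="asi" />
  <data-value name="SCM_NAME" value="scm-app01" />
  <data-value name="SCM_PORT" value="7013" />
</silent-config>"""


def read_data_values(xml_text):
    """Map name -> value for every <data-value> element, at any depth."""
    root = ET.fromstring(xml_text)
    return {el.get("name"): (el.get("value") or "").strip()
            for el in root.iter("data-value")}


def lint_silent_install(xml_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    v = read_data_values(xml_text)
    findings = []

    for key in ("BEAHOME", "USER_INSTALL_DIR", "COMPONENT_PATHS"):
        if not v.get(key):
            findings.append(f"{key} is empty")
    for comp in (c.strip() for c in v.get("COMPONENT_PATHS", "").split("|")):
        if comp and comp not in KNOWN_COMPONENTS:
            findings.append(f"unknown component: {comp}")
    if v.get("ENTERPRISE_DOMAIN_NAME", "asi") != "asi":
        findings.append("ENTERPRISE_DOMAIN_NAME should be asi")

    scm_set = [k for k in SCM_KEYS if v.get(k)]
    if not scm_set:
        return findings  # SSM without an associated SCM: nothing more to check
    if len(scm_set) < len(SCM_KEYS):
        missing = sorted(set(SCM_KEYS) - set(scm_set))
        findings.append("SCM half-configured, empty: " + ", ".join(missing))

    port = v.get("SCM_PORT", "")
    if port and not (port.isdigit() and 1 <= int(port) <= 65535):
        findings.append(f"SCM_PORT is not a valid TCP port: {port}")

    for raw in (a.strip() for a in v.get("SCM_INTERFACE_LIST", "").split(",")):
        if not raw:
            continue
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            findings.append(f"SCM_INTERFACE_LIST entry is not an IP address: {raw}")
            continue
        if not any(addr in net for net in INTERNAL_NETS):
            findings.append(f"SCM would bind to a non-internal address: {raw}")
    return findings


if __name__ == "__main__":
    for line in lint_silent_install(SAMPLE) or ["no findings"]:
        print(line)
```
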

Installation Process

When you run the installation program for an SSM, as described in Running the Installation Program, you can choose to not install an SCM.

If you are installing the WLS 9.x SSM, the SCM is not installed. For other types of SSMs, the installer asks whether to allow centralized (automatic) configuration of security providers. Uncheck the box if you do not want to associate the SSM with an SCM. If you uncheck this box, the SSM installer does not ask for an SCM installation directory and does not launch the SCM installer.

Figure 4-2 shows the Centralized Configuration of Security Providers screen.

Figure 4-2 Centralized SSM Configuration Screen

Centralized SSM Configuration Screen

Post Installation Tasks

When you install an SSM without an SCM, the post installation tasks differ from those described in Post Installation Tasks.

The post installation task that you do not perform is as follows:

The post installation tasks that you do perform are as follows:

Note: It may seem counter-intuitive to configure an SCM in the Administration Console when the SSM is not associated with an SCM. However, the Administration Console is not aware that the SCM is not configured, and makes the SSM configuration information available as if it were. The PolicyIX tool then exports this configuration information.

Export the Configuration Data

After you have enrolled the instance of the SSM, as described in Enrolling the Instance of the Security Service Module, perform the following steps to export the SSM configuration data and configure the SSM:

  1. Use the PolicyIX tool to export the SSM configuration data to an XML file. The PolicyIX tool is described in PolicyIX in the Administration Reference.
  2. After you have done this, copy the resultant XML configuration file and the .sig signature file to the appropriate SSM configuration directory. For example, BEA_HOME/ales26-ssm/<ssm-type>/instance-name/config
  3. If you do not use the default name (wles.securityrealm.xml) for this configuration file, set the wles.realm.filename property in the BEA_HOME/ales26-ssm/<ssm-type>/instance-name/config/security.properties file. For example, wles.realm.filename=ssmConfig.xml. See Additional Security.Properties Settings for additional information.

  4. Start the SSM, or restart it if it is already started. See Starting and Stopping Processes. However, you can ignore the instructions about starting the SCM.
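
The manual copy in steps 2 and 3 is where the XML file and its signature tend to get separated or misnamed. The following added example (not part of ALES) checks an SSM config directory before the restart in step 4, using the naming rule from XML Configuration Data File is Signed. Assumptions: wles.realm.filename is resolved against the config directory, security.properties is read as plain key=value lines, and the write-permission check is an extra hardening check rather than an ALES requirement; the signature itself is not verified here.

```python
import os
import stat
import sys

DEFAULT_REALM_FILE = "wles.securityrealm.xml"  # default name given on this page


def read_properties(path):
    """Minimal key=value reader (no escapes or line continuations)."""
    props = {}
    if not os.path.isfile(path):
        return props
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            line = line.strip()
            if line and not line.startswith(("#", "!")) and "=" in line:
                key, _, value = line.partition("=")
                props[key.strip()] = value.strip()
    return props


def check_exported_config(config_dir):
    """Return findings for the exported SSM configuration in config_dir."""
    findings = []
    props = read_properties(os.path.join(config_dir, "security.properties"))
    xml_name = props.get("wles.realm.filename", DEFAULT_REALM_FILE)
    # Assumption: the file name is relative to the config directory.
    xml_path = os.path.join(config_dir, xml_name)
    # Signature name = full XML file name, extension included, plus ".sig".
    sig_path = xml_path + ".sig"

    if not os.path.isfile(xml_path):
        findings.append(f"configuration file not found: {xml_name}")
        others = sorted(f for f in os.listdir(config_dir) if f.endswith(".xml.sig"))
        if others:
            findings.append("signed files present under another name, "
                            "check wles.realm.filename: " + ", ".join(others))

    if not os.path.isfile(sig_path):
        findings.append(f"signature file not found: {xml_name}.sig")
        # Common slip: replacing the .xml extension instead of appending .sig.
        stem_sig = os.path.splitext(xml_path)[0] + ".sig"
        if os.path.isfile(stem_sig):
            findings.append(f"{os.path.basename(stem_sig)} drops the .xml "
                            f"extension; expected {xml_name}.sig")

    # Added hardening check: neither file should be writable by group or others.
    for path in (xml_path, sig_path):
        if os.path.isfile(path):
            mode = os.stat(path).st_mode
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append(f"{os.path.basename(path)} is group- or world-writable")
    return findings


if __name__ == "__main__":
    # Usage: python check_ssm_config.py <path to the SSM instance config directory>
    if len(sys.argv) != 2:
        sys.exit("usage: check_ssm_config.py CONFIG_DIR")
    problems = check_exported_config(sys.argv[1])
    for line in problems or ["no findings"]:
        print(line)
    sys.exit(1 if problems else 0)
```
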

Additional Security.Properties Settings

The ALES runtime examines the value of the wles.properties system property during initialization, and if this property is set to a valid filename, the properties contained in the specified file are used to configure the runtime. By default, the ALES runtime looks for a property file called security.properties in the working directory. For example, BEA_HOME/ales26-ssm/<ssm-type>/instance-name/config/security.properties.

In addition to the wles.realm.filename property described in Export the Configuration Data, the following properties must also be set to export the configuration file:

Not Using the SCM When SSM is Installed on Administration Server

ALES always installs an SCM on an instance of the ALES Administration Server. For bootstrapping reasons, the Administration Server does need to have an SCM installed and does use it.

However, if you also install an SSM on that same system, the SSM does not have to use the SCM. To do this, follow the steps described in Installation Process, just as if the system did not include the Administration Server.

The prompt for the SCM does not appear because the SCM is already installed.

 


What's Next

Now that you have installed the necessary software, you must enroll the Service Control Manager, create an instance of the Security Service Module and enroll the instance, and then start the services. For additional instructions, see Post Installation Tasks.

