Part III Installing Optional Components

Identity Manager optional components are installed on machines other than the machine(s) hosting your application server(s). These components may be necessary if you plan to set up certain resource adapters such as Domino or Novell NetWare, or if you operate a Windows Active Directory domain.

Resource adapters are not the same as optional components and are not documented in this installation guide. Resource adapter documentation can be found in the Sun Identity Manager 8.1 Resources Reference.

Chapters in this part include:

• Chapter 10, Installing the Sun Identity Manager Gateway

• Chapter 11, Installing PasswordSync

Chapter 10 Installing the Sun Identity Manager Gateway

Identity Manager requires a lightweight gateway to manage resources that cannot be directly accessed from the server. If you plan to set up any of the following resource adapters, you must install the Sun Identity Manager Gateway.

• Windows Active Directory

• Domino

• Novell NetWare, including GroupWise

• Remedy

• RSA ACE/Server

• Scripted Gateway

These resources include systems that require API calls that are platform specific. With the Gateway installed on the target platform, Identity Manager can make the API calls that are needed to interact with the resource.

Prerequisites

You must ensure that the Identity Manager Gateway is made highly available and that Gateway machines are properly configured. Please review the following prerequisites.

• The Gateway may be installed on at least Windows 2000 SP3 and Windows 2003 platforms.

• You should run an instance of the Gateway on multiple machines to prevent the Gateway from becoming a single point of failure. Configure your network to provide failover if the main Gateway instance dies.

• Placing the Gateways behind a device that load balances is not a supported configuration and will cause certain Identity Manager functions to fail.

• All Windows domains managed by a Gateway must be part of the same forest. Managing domains across forest boundaries is unsupported. If you have multiple forests, install at least one Gateway in each forest.

• Systems that are running the Identity Manager Gateway should be configured so that Dr. xWatson does not produce visual notifications. If this feature is set and the Gateway encounters an error, the process will hang until the pop-up window is closed.

• The Gateway system should also be configured to use a default ANSI codepage that is compatible with all data that Identity Manager manages.

• If you need to access resources that use different code pages, install a separate Gateway for each code page. The Gateway and resource should implement the same code page.

• You should use UTF-8 whenever possible, and if multiple resources are to be accessed from a single Gateway, the Gateway and all resources should all be configured to use UTF-8.

• Refer to the following web page for information about setting international support on Windows XP and Server 2003 systems:

  http://www.microsoft.com/globaldev/handson/user/xpintlsupp.mspx

Installation

To Install the Identity Manager Gateway

Before You Begin

Select the Windows machine on which to install the Gateway. It must be a member of the domain in which the accounts and other objects will be managed (the managed domain) or a member of a domain that is trusted by the managed domain. The Gateway does not need to run on a domain controller.

For better performance, the Gateway should be located near (from a network connectivity perspective) the domain controllers of the managed domain.

1. If you are selecting a system that is not the Identity Manager server, then:

   1. Create a directory called idm on the remote system.

   2. Copy the gateway.zip file from the Identity Manager installation package.

   3. Unpack and copy the contents of the gateway.zip file to the idm directory.

2. From the directory where the Gateway files are installed, run the following command to install the Gateway as a service:gateway -i

3. Run the following command to start the Gateway service:gateway -s

   ---

   Note –

   • You can stop the Gateway service by running the command:gateway -k

   • You can also start and stop the Gateway by following these steps:

     1. Open the Windows Control Panel.

     2. Open Services. (In Windows, Services is located in Administrative Tools.)

     3. Select Identity Manager Gateway.

     4. Click Start or Stop.

   ---

Failure Messages

Two common messages and their likely causes when working with the Gateway are as follows:

• ’Overlapped I/O operation is in progress’

  The most common cause of this message is that you have asked for the service to be installed or removed before a prior installation or removal has fully completed. Check the state of the service.

• ’Input/output error’

  The most common cause of this is that you do not have rights to work with this service.

Chapter 11 Installing PasswordSync

This chapter briefly describes PasswordSync, which is an Identity Manager optional component. For full instructions on installing and configuring PasswordSync, see Chapter 11, PasswordSync, in Sun Identity Manager 8.1 Business Administrator’s Guide

About PasswordSync

The Identity Manager PasswordSync feature keeps user password changes made on Windows Active Directory domains synchronized with other resources defined in Identity Manager. Plan on installing PasswordSync on each domain controller and backup domain controller in the domains that will be synchronized with Identity Manager.

After installing PasswordSync, you will need to configure Identity Manager to accept PasswordSync change notifications. Depending on the complexity of your environment, PasswordSync can take some time to configure. For this reason, and because PasswordSync is not essential in order to start using Identity Manager, the PasswordSync installation and configuration steps are located together in Chapter 11, PasswordSync, in Sun Identity Manager 8.1 Business Administrator’s Guide.