Novell Identity Manager 4.0.1 Installation guide

Brand: Novell

Model: Identity Manager 4.0.1

Category: Network management software

Type: Installation guide

www.novell.com/documentation

Role Mapping Administrator

Installation and Configuration Guide

Identity Manager 4.0.1

December 08, 2011

Legal Notices

Novell,Inc.makesnorepresentationsorwarrantieswithrespecttothecontentsoruseofthisdocumentation,andspecifically

disclaimsanyexpressorimpliedwarrantiesofmerchantabilityorfitnessforanyparticularpurpose.Further,Novell,Inc.

reservestherighttorevisethispublicationandtomakechangestoitscontent,at

anytime,withoutobligationtonotifyany

personorentityofsuchrevisionsorchanges.

Further,Novell,Inc.makesnorepresentationsorwarrantieswithrespecttoanysoftware,andspecificallydisclaimsany

expressorimpliedwarrantiesofmerchantabilityorfitnessforanyparticularpurpose.Further,Novell,Inc.reservestheright

makechangestoanyandallpartsofNovellsoftware,atanytime,withoutanyobligationtonotifyanypersonorentityof

suchchanges.

AnyproductsortechnicalinformationprovidedunderthisAgreementmaybesubjecttoU.S.exportcontrolsandthetrade

lawsofothercountries.Youagreeto

complywithallexportcontrolregulationsandtoobtainanyrequiredlicensesor

classificationtoexport,re‐exportorimportdeliverables.Youagreenottoexportorre‐exporttoentitiesonthecurrentU.S.

exportexclusionlistsortoanyembargoedorterroristcountriesasspecifiedintheU.S.

exportlaws.Youagreetonotuse

deliverablesforprohibitednuclear,missile,orchemicalbiologicalweaponryenduses.SeetheNovellInternationalTrade

ServicesWebpage(http://www.novell.com/info/exports/)formoreinformationonexportingNovellsoftware.Novellassumes

noresponsibilityforyourfailuretoobtainanynecessaryexportapprovals.

Novell,Inc.Allrightsreserved.Nopartofthispublicationmaybereproduced,photocopied,storedon

aretrievalsystem,ortransmittedwithouttheexpresswrittenconsentofthepublisher.

Novell, Inc.

1800 South Novell Place

Provo, UT 84606

U.S.A.

www.novell.com

OnlineDocumentation:ToaccessthelatestonlinedocumentationforthisandotherNovellproducts,seetheNovell

DocumentationWebpage

(http://www.novell.com/documentation).

Novell Trademarks

ForNovelltrademarks,seetheNovellTrademarkandServiceMarklist(http://www.novell.com/company/legal/trademarks/

tmlist.html).

Third-Party Materials

Allthird‐partytrademarksarethepropertyoftheirrespectiveowners.

Contents 3

Contents

About This Guide 5

1 Overview 7

1.1 How Role Mapping Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7

1.2 Role Mapping Administrator. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9

1.3 Identity Vault Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

1.4 System Access. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10

1.5 Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10

1.6 Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10

1.7 Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11

1.8 Role Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11

2 Meeting Prerequisites and System Requirements 13

2.1 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

2.2 System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13

2.3 Installing the iManager Plug-Ins for Identity Manager 4.0.1. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14

2.4 Granting Rights to the Role Mapping Administrator. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15

2.4.1 Identity Vault Rights for Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15

2.4.2 Roles Based Provisioning Module Assignments for Administration. . . . . . . . . . . . . . . . . . .16

2.4.3 Required Rights for the Role Mapping Administrator . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16

3 Installing the Role Mapping Administrator 17

3.1 Installing the Role Mapping Administrator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

3.2 Installing the Role Mapping Administrator in Silent Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18

3.3 Reconfiguring the Role Mapping Administrator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19

3.3.1 Changing the Port Number . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19

3.3.2 Changing the Password. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19

4 Configuring the Application 21

4.1 Providing Identity Vault Connection Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21

4.2 Configuring the Drivers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23

4.3 Loading Authorizations into the Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24

4.4 Enabling SSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24

4.4.1 Enabling an SSL Connection from the Role Mapping Administrator to the Identity

Vault. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25

4.4.2 Enabling SSL for a Browser to Access the Role Mapping Administrator. . . . . . . . . . . . . . .26

4.5 Configuring the Role Mapping Administrator for Automatic Startup. . . . . . . . . . . . . . . . . . . . . . . . . .26

4.5.1 Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26

4.5.2 Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .27

4.6 Changing the Java Heap Size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .27

4 Contents

5 Changing the Configuration 29

6 Configuring Authentication 31

6.1 Configuring Single Sign-On Through the Roles Based Provisioning Module. . . . . . . . . . . . . . . . . . .31

6.1.1 Enabling the Roles Based Provisioning Module for Single Sign-On . . . . . . . . . . . . . . . . . .31

6.1.2 Creating a Shared Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .32

6.1.3 Assigning Permissions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .32

6.1.4 Selecting Content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

6.2 Configuring Single Sign-On Through Access Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .33

6.2.1 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

6.2.2 Configuring Active Directory to Assign Kerberos Tickets . . . . . . . . . . . . . . . . . . . . . . . . . .34

6.2.3 Configuring the Access Manager Identity Server to Consume the Kerberos Tickets . . . . . 36

6.2.4 Configuring the User’s Web Browser. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

7 Enabling Auditing 43

7.1 Configuring the Role Mapping Administrator Auditing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .43

7.1.1 Default Values of Role Mapping Administrator Auditing Configuration . . . . . . . . . . . . . . . .44

7.1.2 Examples of Role Mapping Administrator Auditing Configuration . . . . . . . . . . . . . . . . . . .44

8 Security Best Practices 45

8.1 Tuning Session Timeouts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .45

A Role Mapping Administrator Audit Events 47

A.1 Event ID 00031550 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .47

A.2 Event ID 00031551 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .48

A.3 Event ID 00031630 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .49

A.4 Event ID 00031631 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .49

A.5 Event ID 00031632 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .50

A.6 Event ID 00031633 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .51

A.7 Event ID 00031634 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .52

A.8 Event ID 000361635 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .52

A.9 Event ID 00031670 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .53

A.10 Event ID 00031671 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

A.11 Event ID 00031674 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

A.12 Event ID 00031675 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

A.13 Event ID 00031676 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

A.14 Event ID 00031677 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

A.15 Event ID 0003167A . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .57

A.16 Event ID 0003167B . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .58

About This Guide 5

About This Guide

ThisguideprovidesinstallationandconfigurationinstructionsfortheNovellIdentityManagerRole

MappingAdministrator.Theguideisorganizedasfollows:

InstallationInformation:

 Chapter 1,“Overview,”onpage 7

 Chapter 2,“MeetingPrerequisitesandSystemRequirements,”onpage 13

 Chapter 3,“InstallingtheRoleMappingAdministrator,”onpage 17

ConfigurationInformation:

 Chapter 4,“ConfiguringtheApplication,”onpage 21

 Chapter 6,

“ConfiguringAuthentication,”onpage 31

 Chapter 7,“EnablingAuditing,”onpage 43

 Chapter 8,“SecurityBestPractices,”onpage 45

Audience

Thisguideisintendedforpartners,consultants,andcustomerswhoareveryfamiliarwiththe 

productsintheNovellComplianceManagementPlatformextensionforSAPenvironments.

Feedback

Wewanttohearyourcommentsandsuggestionsaboutthismanualandtheotherdocumentation

includedwiththisproduct.PleaseusetheUserCommentsfeatureatthebottomofeachpageofthe

onlinedocumentationandenteryourcommentsthere.

Documentation Updates

ForthemostrecentversionoftheNovellIdentityManagerRoleMappingAdministratorInstallationand

ConfigurationGuide,visittheIdentityManager4.0.1DocumentationWebsite(http://

www.novell.com/documentation/idm401).

Additional Documentation

FordocumentationontheNovellComplianceManagementPlatform,seetheNovellCompliance

ManagementPlatformDocumentationWebsite( http:// www.novell.com/documentation/ncmp10/

index.html).

FordocumentationontheIdentityManagerRolesBasedProvisioningModule,seetheIdentity

ManagerRolesBasedProvisioningModule4.0.1DocumentationWebsite(http:// www.novell.com/

documentation/idmrbpm401/index.html).

FordocumentationontheSAPdrivers,seethe

IdentityManager4.0.1DriversDocumentationWeb

site(http://www.novell.com/documentation/idm401drivers/index.html).

6 Identity Manager Role Mapping Administrator 4.0.1 Installation and Configuration Guide

FordocumentationonAccessManager,seetheAccessManager3.1DocumentationWebsite(http://

www.novell.com/documentation/novellaccessmanager31/index.html).

FordocumentationonSentinel,seetheSentinel6.1DocumentationWebsite(http://www.novell.com/

documentation/sentinel61/index.html).

FordocumentationontheSAPConnector,SAPCollector,andtheSAPSolutionPack,seetheSentinel

6.1downloadWebsite(http://support.novell.com/products/sentinel/secure/sentinel61.html).

Overview 7

Overview

TheNovellIdentityManagerRoleMappingAdministratorletsyoumaproles,compositeroles,and

profiles(collectivelyreferredtoasauthorizations)toIdentityManagerroles.Whenauserisassigned

anIdentityManagerroleintheRolesBasedProvisioningModule,heorshereceivesall

authorizationsmappedtothatrole.

Thefollowing

sectionsprovideinformationyoushouldunderstandbeforeinstallingandconfiguring

theRoleMappingAdministrator:

 Section 1.1,“HowRoleMappingWorks,”onpage 7

 Section 1.2,“RoleMappingAdministrator,”onpage 9

 Section 1.3,“IdentityVaultAccess,”onpage 9

 Section 1.4,“SystemAccess,”onpage 10

 Section 1.5,“Authentication,”onpage 10

 Section 1.6,“Authorization,”onpage 10

 Section 1.7,“Database,”onpage 11



Section 1.8,“RoleManagement,”onpage 11

1.1 How Role Mapping Works

TheRoleMappingAdministratorisonepartoftheNovellrolemappingsolution.Itisdependenton

theproperinstallationandconfigurationofallrolemappingcomponents.Therolemappingprocess

isexplainedinFigure1‐1.

8 Identity Manager Role Mapping Administrator 4.0.1 Installation and Configuration Guide

Figure 1-1 HowtheRoleMappingAdminist ra torWorks

1. TheRoleMappingAdministratorconnectstotheIdentityVaultandreadstheIdentityManager

rolesstoredinthevault.

2. TheRoleMappingAdministratorretrievesthemanagedsystemauthorizationsbyusingthe

managedsystemdrivertoquerythemanagedsystems.Theretrievedmanagedsystem

authorizationsareaddedtotheRoleMappingAdministrator

database.

3. AuseroftheRoleMappingAdministratormapsauthorizationstooneormoreIdentity

Managerroles.Whenanauthorizationismappedtoarole,aresourceiscreatedandupdatedto

reflecttheauthorizationmapping.TheroleisupdatedintheIdentityVaulttomaptothenewly

createdresource.

IMPORTANT:InearlierversionofRoleMappingAdministrator,rolesweremappeddirectlyto

theauthorizations.Withthisreleaseonwards,resourcesareintroduced.Rolesaremappedto

resourcesthatareinturnaremappedtoauthorizations.Whenyoucreateamappingbetweena

roleandanentitlement/authorization,resourcesareautomaticallycreated

intheRoleMapping

Administrator.

Overview 9

Resourcesprovidetheabilityforenduserstorequestprovisioningofauthorizationsfor

themselvesorforusersthattheyhavearelationshipwith.WithRoleMappingAdministrator 

1.0,userscouldnotunderstandwhattheyrequestedorthestatusofwhattheyhadrequested.

Providinganinterfacethatconveysthisinformationis

criticaltothesuccessoftheproduct.

Resourcesprovidetheabilityforadministratorstogainbettercontroloverthemanagementof

useraccesstoentitlements/authorizations,ensuringthattherightpeoplehavetherightaccessto

therightresources.

4. AuserisassignedtheroleintheRolesBasedProvisioningModule,atwhichpointtheRole

Servicedrivergrantstheuseranauthorizationtoallmanagedsystemauthorizationsthatare

mappedtotherole.

5. Themanagedsystemdriverrespondstotheentitlementgrantbyinitiatingtheauthorization

assignmentinthemanagedsystem.

1.2 Role Mapping Administrator

TheRoleMappingAdministratorisaWebapplication.Allcomponentsrequiredfortheapplication

areincludedintheinstallationfile,includingaTomcatapplicationserverandanHSQLdatabase.See

Chapter 2,“MeetingPrerequisitesandSystemRequirements,”onpage 13fortheapplication’s

systemrequirements.

1.3 Identity Vault Access

TheRoleMappingAdministratorrequiresaccesstotheIdentityVault.ThisenablestheRole

MappingAdministratortoperformtherequiredIdentityVaultoperations,including:

 AuthenticatinguserswhologintotheRoleMappingAdministratorandestablishingtheir

authorizationlevel.TheusersshouldhavebothResourceAdministratorandRoleAdministrator

roles.



RetrievingrolesinformationtodisplayiftheauthenticateduserisaRoleModuleAdministrator.

IftheauthenticateduserisaRoleMa nager,theRoleMappingAdministratorusestheuser’s

credentialstodisplayroles.

 Creatingresourceswiththeselectedauthorization/entitlementandmappingthemwiththe

IdentityVaultrole.

 Accessinginformationstoredon

theIdentityManagerdriverobjecttobuildthequeriesrequired

toretrieveauthorizationsfrommanagedsystems.

 Sendingthequeriestothe IdentityManagerdrivers.

 Creating,editing,anddeletingroles.

Formoreinformation,seeSection 2.4,“GrantingRightstothe RoleMappingAdministrator,”on

page 15.

IMPORTANT:Becausenowarningsaredisplayedintheuserinterface,youmustnotperformany

modificationsonthemappingsunlessyouaresureaboutwhatyouaredoing.

role_mappi

10 Identity Manager Role Mapping Administrator 4.0.1 Installation and Configuration Guide

1.4 System Access

TheRoleMappingAdministratordoesnotrequiredirectaccesstothemanagedsystems.All

authorizationsareretrievedthroughtheIdentityManagerdriversthatsupporttheRoleMapping

Administrator.

WhentheRoleMappingAdministratorconnectstotheIdentityVault,itautomaticallydetectsthe

IdentityManagerdriversconfiguredinthevault.TheRole

MappingAdministratordisplayseach

systemconnectedviaadriverandallowsyoutoretrieveauthenticationsfromanyofthosesystems.

ForalistofthesupportedIdentityManagerdrivers,seeChapter 2,“MeetingPrerequisitesand

SystemRequirements,”onpage 13.

1.5 Authentication

TheRoleMappingAdministratorusestheIdentityVaulttoauthenticateusers.Accessisrestrictedto

IdentityVaultuserswhoaredefinedasboth ResourceAdministratorsandRoleAdministratorsinthe

RolesBasedProvisioningModuleapplication.

YoucansetupRoleMappingAdministratorauthenticationthroughthefollowingmethods:

 Directlogin:Theuser

providescredentials(usernameandpassword)ontheRoleMapping

Administratorloginpage.

 Singlesign‐onthroughtheRolesBasedProvisioningModule:ARoleMappingAdministrator

linkisaddedtotheRolesBasedProvisioningModule.Whenauserclicksthelink,theRoles

BasedProvisioningModulepassestheuser’scredentialstothe

RoleMappingAdministrator.

 Singlesign‐onthroughAccessManager:AccessManagerprovidestheuserʹscredentials

(usernameandpasswordorSAMLtoken)totheRoleMappingAdministratorthroughAccess

ManagerIdentityInjection.Theuserisnotpromptedforanycredentialinformation.

Forinformationonhowtoconfiguresinglesign‐on,see

Chapter 6,“ConfiguringAuthentication,”on

page 31.

1.6 Authorization

OnlyuserswhoaredefinedasRoleAdministrators,RoleManagers,ResourceAdministrators,and

ResourceManagersintheRolesBasedProvisioningModulecanlogintotheRoleMapping

Administrator.Afterauserisloggedin,theusercanperformonlythetasksassociatedwith hisorher

assignedrole:

Overview 11

Table 1-1 AllowedOperationsforVariousRolesinRMA

NOTE:Restrictedaccessmeansread‐onlyaccesstorolesandmappingsinRoleMapping

Administrator.

Forinformation,seeSection 2.4,“GrantingRightstotheRoleMappingAdministrator,”onpage 15.

1.7 Database

TheRoleMappingAdministratorusesHSQLDB,alightweight100%JavaSQLdatabase,tostore

authorizationsthatitretrievesfromthemanagedsystems.ThisallowstheRoleMapping

Administratortoquicklydisplayauthorizationsformapping.

Themanagedsystemauthorizationsmustbemanuallyloadedintothedatabase.Youcanselect

whichauthorizationsyou

wantloadedforeachsystemconnectedthroughasupportedIdentity

Managerdriver.Aftertheauthorizationshavebeenloadedintothedatabase,authorizationsmustbe

manuallyrefreshedtoreflectanynewauthorizationsinthemanagedsystems.

IdentityManagerrolesarenotstoredintheRoleMappingAdministratordatabase.TheRole

MappingAdministrator

readsanddisplaystherolesdirectlyfromtheIdentityVault.

1.8 Role Management

Inadditiontomappingroles,theRoleMappingAdministratorcancreatenewIdentityManager

roles,editexistingroles,andremoveexistingroles.Whenyoucreateanewrole,youcanaddtherole

tothecorrectcategory,giveitalevellocation,andassignowners.

Role Allowed Operation in RMA

roleAdministrator, resourceAdministrator Unrestricted access.

 Create mappings

 Edit mappings

 Delete mappings

roleAdministrator, resourceManager Restricted access

roleManager, resourceAdministrator Restricted access

roleManager, resourceManager Restricted access

12 Identity Manager Role Mapping Administrator 4.0.1 Installation and Configuration Guide

Meeting Prerequisites and System Requirements 13

Meeting Prerequisites and System

Requirements

 Section 2.1,“Prerequisites,”onpage 13

 Section 2.2,“SystemRequirements,”onpage 13

 Section 2.3,“InstallingtheiManagerPlug‐InsforIdentityManager4.0.1,”onpage 14

 Section 2.4,“GrantingRightstotheRoleMappingAdministrator,”onpage 15

2.1 Prerequisites

VerifythatthefollowingprerequisiteshavebeenmetbeforeinstallingtheRoleMapping

Administrator:

 InstallandconfigureIdentityManager4.0.1.Formoreinformation,seethe IdentityManager4.0.1

InstallationGuide(http://www.novell.com/documentation/idm401/idm_install/

index.html?page=/documentation/idm40/idm_install/data/front.html).

 InstallandconfiguretheRolesBasedProvisioningModule.Formoreinformation,seetheRoles

BaseProvisioningModuleInstallationGuide(http://www.novell.com/documentation/idmrbpm401/

install/data/bcy2k2j.html).

 YoumusthaveupdatediManagerplug‐insandanupdatedDesignerinordertomanagethese

newdrivers.

 InstallDesigner4.0.1

 InstalltheiManagerplug‐insforIdentityManager4.0.1

 InstallandconfigurethesupportedIdentityManagerdrivers.Youcanhaveoneormoreofeach

supporteddriver.

OnlytheIdentityManager3.6.1,4.0,orlaterdriversaresupported.TheycanrunonIdentity

Manager3.6,3.6.1,or4.0orlater.Forinstallationinstructions,seetheseguidesatIdentity

Manager3.6.1

Drivers(http://www.novell.com/documentation/idm361drivers/)andIdentity

Manager4.0.1Drivers(http://www.novell.com/documentation/idm401drivers/).

 GrantuserssufficientrightstousetheRoleMappingAdministrator,sotheycanloginanduse

theapplication.Forinstructions,seeSection 2.4,“Gra ntingRightstotheRoleMapping

Administrator,”onpage 15.

 Resourceswillbecreatedwiththeselectedauthorization/entitlementandmappedtotherole

2.2 System Requirements

ThefollowingisthelistofsystemrequirementsfortheRoleMappingAdministrator.Onlyone

instanceoftheRoleMappingAdministratorcanbeinstalledperserver.

14 Identity Manager Role Mapping Administrator 4.0.1 Installation and Configuration Guide

2.3 Installing the iManager Plug-Ins for Identity Manager 4.0.1

InordertomanagedriverswithstructuredGCVs,youmustinstalltheiManagerplug‐insforIdentity

Manager4.0.1.

1 LaunchiManagerandlog inasanadministrativeuser.

2 Onthetoolbar,clicktheConfigureicon .

3 ClickPlug‐inInstallation>AvailableNovellPlug‐inModules.

4 SelectNovellIdentityManagerPlug‐insfor4.0,thenclickInstall.

5 SelectIAgreeinthelicenseagreement,thenclickOK.

6 Aftertheinstallationfinishes,clickClosetwice.

7 LogoutofiManagerandrestartTomcattohavethechangestakeeffect.

1 IftheNovellIdentityMana gerPlug‐insfor4.0.1arenotinthelist,downloadtheIdentity

Manager4.0plug‐insforiManager2.7fromtheNovellproductdownloadWebsite(http://

download.novell.com)toyouriManagerserver.

2 LaunchiManagerandlog inasanadministrativeuser.

3 Onthetoolbar,clicktheConfigureicon .

4 ClickPlug‐inInstallation>AvailableNovellPlug‐inModules.

5 ClickAdd.

6 BrowsetoandselecttheIdentityManager

.npm

file,thenclickOK.

7 Aftertheinstallationfinishes,clickClosetwice.

8 LogoutofiManagerandrestartTomcattohavethechangestakeeffect.

System Component Requirement

Role Mapping Administrator SUSE Linux Enterprise Server 10 SP3 32 and 64-bit, SUSE Linux

Enterprise Server 11 32 and 64-bit, Windows Server 2003 SP2 32-bit, or

Windows 2008 R2 64-bit, Red Hat Enterprise Linux 5.4 32 and 64-bit

Web Browser Microsoft Internet Explorer 7, 8, and 9

Mozilla Firefox 3.5, Firefox 3.6.x, and Firefox 5.x

Java Sun JRE 1.6

Meeting Prerequisites and System Requirements 15

2.4 Granting Rights to the Role Mapping Administrator

UsersmusthaveaspecificsetofrightsintheIdentityVaultandspecificroleassignmentsintheRoles

BasedProvisioningModuletousetheRoleMappingAdministrator.

ThebestpracticeistocreateauserthatisusedforadministrationoftheRoleMapping

Administrator.Allotherusersthatuse

theRoleMappingAdministratorshouldhavetheirrights

limitedtomatchtheirjobduties.

 Section 2.4.1,“IdentityVaultRightsforAdministration,”onpage 15

 Section 2.4.2,“RolesBasedProvisioningModuleAssignmentsforAdministration,”onpage 16

 Section 2.4.3,“RequiredRightsfortheRoleMapping Administrator,”onpage 16

2.4.1 Identity Vault Rights for Administration

AnadministrativeuserneedsthefollowingminimalrightstousetheRoleMappingAdministrator:

 BrowseentryrightssotheycanselectobjectsintheconfigurationpaneloftheRoleMapping

Administrator.Forexample,theRootUsercontainer,DriverDiscoveryDN,andtheUser

ApplicationdriverDN.

 Browseentryandreadrights

ontheuserscontainedwithintheRootUsercontainerdefinedin

theconfigurationpaneloftheRoleMappingAdministrator.Thelistofpotentialroleownersis

derivedbytheserights.

 BrowseentryrightsontheactiveDriverSetobjectthatislocatedundertheDriverDiscoveryDN

asdefinedin

theRoleMappingAdministratorconfigurationpanel.

 Inheritedbrowserightsandreadattributerightsonthedriversthatparticipateinrolemapping.

TheRoleMapping Administratorneedsaccesstotheentitlementsandentitlementconfiguration

objectsthatarecontainedwithinthedriversthatparticipateinrolemapping.

 Inheritedbrowseentryandreadattribute

rightsontheUserApplicationdriver.TheRole

MappingAdministratorneedsaccesstoDALcategorydefinitions,roleconfigurationobjects,

androledefinitioncontainers.

 InheritablesupervisorrightstotheRoleDefs.RoleConfig.AppConfig,

ResourceDefs.RoleConfig.AppConfigandResourceAssociations.RoleConfig.AppConfig

containerswithintheUAD.Allroleandresourceadds,modifies,anddeletesaredonewith

theserights.Rights

canbepareddownasneeded.

Youcanmaketheseassignmentstospecificusersoryoucanmaketheassignmentstoagroupora

container,thenassignuserstothegrouporadduserstothecontainer.

1 LogintoiManagerasanadministrativeuserforyourIdentityVault.

2 SelectViewObjectsonthetoolbar,thenbrowsetoandselecttheuser,group,orcontaineryou

wanttoassignrightsto.

3 Selecttheobject,thenclickActions>ModifyTrust ees.

4 Addtherightsasdefinedabove,thenclickOKtosavethechanges.

16 Identity Manager Role Mapping Administrator 4.0.1 Installation and Configuration Guide

2.4.2 Roles Based Provisioning Module Assignments for Administration

TheadministrationorconfigurationusersmustbemembersoftheRoleManagerroleortheRole

ModuleAdministratorroleintheRolesBasedProvisioningModule.Youcanmaketheserole

assignmentstospecificusersoryoucanmaketheassignmentstoagrouporacontainer,thenassign

userstothe

grouporadduserstothecontainer.

1 LogintotheRolesBasedProvisioningModuleasanadministrationuser.

2 ClickRoles>RolesAssignments.

3 SelectUser,Group,orContainertomaketheroleassignment.

4 Searchfortheuser,group,orcontainer,thenselectthedesiredobject.

5 ClickNewAssignment.

6 Fillinthefollowingfields:

InitialRequestDescription:Specifyareasonforrequestingtherole.

SelectRoles:SearchfortheRoleManagerrole,RoleAdministratorrole,ResourceManagerrole,and

theResourceAdministratorrole,selecttheroles,thenclickSelect.

EffectiveDate:(Optional)Specifyadatethisassignmentiseffective.

ExpirationDate:

(Optional)Selectwhetherthereisanexpirationdateforthisassignment.

7 ClickSubmittomaketheassignments.

2.4.3 Required Rights for the Role Mapping Administrator

Usersshouldbeonlygrantedtheminimalrightsrequiredtofulfilltheirjobduties.Youcanrestrict

rightsbyrestrictingtherightstotherolestheuserisassignedtoandrestrictinghisorherrightsinthe

IdentityVaultaswell.

Installing the Role Mapping Administrator 17

Installing the Role Mapping

Administrator

TheRoleMappingAdministratorcanbeinstalledasrootorthroughasilentinstallation.

 Section 3.1,“InstallingtheRoleMappingAdministrator,”onpage 17

 Section 3.2,“InstallingtheRoleMappingAdministratorinSilentMode,”onpage 18

 Section 3.3,“ReconfiguringtheRoleMappingAdministrator,”onpage 19

3.1 Installing the Role Mapping Administrator

ToinstalltheRoleMappingAdministrator:

1 LocatetheRoleMappingAdministratorinstallationfileontheIdentityManagermedialocated

here:

 Windows:

IDM4.0.1_Win:\products\RMA\IDMRMAP.jar

 Linux:

IDM4.0.1_Lin/products/RMA/IDMRMAP.jar

2 FromacommandlineaccessRoleMapping Administratorinstallationdirectory,thenenter

java

-jar IDMRMAP.jar

NOTE:Forsecurityreasons,itisrecommendedtoinstalltheRoleMappingAdministratorasa

nonroot

user,onLinux.

3 Enter

Yes

toacceptthelicenseagreement.

4 SpecifytheinstallationdirectoryfortheRoleMappingAdministrator.Thedefaultpathisyour

currentlocation.

5 SpecifytheportionoftheURLrepresentingtheRoleImpingingAdministratorname.The

defaultvalueisIDMRMAP.

6 SpecifytheHTTPport.Thedefaultvalueis8081.

7 Specifyapasswordfortheconfigurationadministrator.

TheRoleMappingAdministratorisnowinstalled.Theapplicationisnotautomaticallystartedafter

theinstallationfinishes.Usethefollowingscriptstointheinstallationdirectorytostopandstartthe

application.

 Windows:Thestartscriptis

start.bat

andthestopscriptis

stop.bat

 Linux:Thestartscriptis

start.sh

andthestopscriptis

stop.sh

Aftertheapplicationisinstalledandstarted,youmustconfigureit.ProceedtoChapter 4,

“ConfiguringtheApplication,”onpage 21.

18 Identity Manager Role Mapping Administrator 4.0.1 Installation and Configuration Guide

Ifyouneedtochangeanyoftheinformationspecifiedduringtheinstallation,seeChapter 5,

“ChangingtheConfiguration,”onpage 29.

NOTE:YoushouldnotinstalltheRoleMappingAdministratoras

root

forsecurityconsiderations.

3.2 Installing the Role Mapping Administrator in Silent Mode

TheRoleMappingAdministratorcanbeinstalledsilentlywithouthumanintervention.Usethe

followingcommandtoconfiguretheunattendedinstallation,includingtheinstalllocation,port

configuration,RoleMappingAdministratoradministrationconfigurationpassword,andsoon.

java -jar IDMRMAP.jar [-h] [-s] [-i <install path>] [-p <port>] [-w <password>] [-

n <name>] [-l <log path>]

where[‐s]specifiessilentinstallation.

Table 3-1 SilentInstallationCLIArguments

Ifthesilentinstallationargumentsarenotpassed,defaultvaluesareassumed.

Argument Description

-h

Displays help.

-i

Specifies the installation location.

-l

Specifies the Role Mapping Administrator installation log file location, rma-

install.log. By default, the log file is located in the installation directory.

-n

<name>

Specifies the Role Mapping Administrator application name. The default name is

IDMRMAP.

-p

<port>

Specifies the Role Mapping Administrator HTTP port number. The default port is

8081.

-s -i

is a mandatory argument for silent installation. It performs the silent

installation.

-w

<password> |

<env:VAR>

Specifies the Role Mapping Administrator administration configuration password.

The password can be passed in clear text or through a user defined environment

variable. The installer reads the password from the environment variable.

Example 1:

-w mypassword

The user password is mypassword.

Example 2:

-w env:RMA_PASSWD

The installer reads the password from the RMA_PASSWD environment variable.

 On Windows, run the

set RMA_PASSWD=novell

command.

 On Linux, run the

export RMA_PASSWD=novell

command.

Installing the Role Mapping Administrator 19

3.3 Reconfiguring the Role Mapping Administrator

 Section 3.3.1,“ChangingthePortNumber,”onpage 19

 Section 3.3.2,“ChangingthePassword,”onpage 19

3.3.1 Changing the Port Number

YoucanchangetheRoleMappingAdministratorportnumbersbyeditingthefollowingentriesinthe

<rma_install_path>/rma/tomcat/conf/server.xml

file.

 Replace8081and8443portnumberswiththenewportnumbersinthefollowingentriesforthe

HTTPservice.

<Connector port="8081" protocol="HTTP/1.1

connectionTimeout="20000"

redirectPort="8443" />

 Replacethe8006portnumberwiththenewportnumberusedtoshutdowntheTomcatservice.

Theseportnumberscanbechangedwhenportnumbersareinuse.

3.3.2 Changing the Password

TheRoleMappingAdministratoradminpasswordcanbesetthroughthecommandlineinterface

duringtheinstallationprogrameitherthroughthepasswordpromptorbypassingitwith

-w

password|env:ENV_VAR

commandlineargument.YoucanalsosetitthroughtheWebportal.

Ifapasswordhasnotbeensetthroughthecommandlineinterfaceduringinstallation,youcansetit

throughtheWebportal.

1 StarttheRoleMappingAdministratorbyexecuting

<rma_install_path>/rma/start.sh

or

<rma_install_path>\rma\start.bat

commandrelevanttoyourplatform.

2 WhentheRoleMappingAdministratorWebportalislaunchedwith

http://localhost:8081,



settheRoleMappingAdministratoradministratorpassword.Ifthepasswordhasnotbeenset

throughthecommandlineinterfaceduringtheinstallationprogram,thereisnochangeinthe

behaviorandyoucanseetheadministratorloginpage.

20 Identity Manager Role Mapping Administrator 4.0.1 Installation and Configuration Guide

Entertheadminpassword.TheRoleMappingAdministratoradminpasswordissetwhenthe

textstringintheAdministratorPasswordandConfirmPasswordfieldsmatch.

3 ClickOK.Youareagainpromptedtoentertheadminpassword.

Page is loading ...

Novell Identity Manager 4.0.1 Installation guide

Brand: Novell

Model: Identity Manager 4.0.1

Category: Network management software

Type: Installation guide

Download PDF

report

Novell Identity Manager 4.0.1 Installation guide

Novell Identity Manager 4.0.1 Installation guide

Related papers

Other documents