
Sunday, February 20, 2011

How to Deploy CA Identity Manager R12.5 on WebSphere6.1 on AIX 6.1

UPDATE: March 1, 2011. Identity Manager 12.5 SP6 has been released and officially supports WebSphere 6.1 64bit on AIX 6.1


Additional Update: JDBC Resource configuration section has been updated with connection pool requirements. JMS Queue Connection Factories section has been updated with connection pool requirements.



Unofficial / Unsupported Guide to deploying Identity Manager R12sp5 on WebSphere6.1 Cluster (64 bit) on AIX6.1
Scenario:
OS: AIX 6.1
APP: WebSphere 6.1 64bit Deployment Manager (Cluster)
This document is broken into 3 sections. Part one covers modifications required to the ear file. Part two covers all the WebSphere configurations required. Part three covers deployment and post deployment configurations.
If you are only deploying Identity Manager standalone, that is to say without any SiteMinder integration, then you can deploy on the CA supported WebSphere 6.1 32bit. However, if you are attempting to deploy Identity Manager and integrate with SiteMinder, there is a bug which requires that you use WebSphere 6.1 64 bit. Additional information on this bug can be found on CA support TEC #537795. You can still use this doc to do a manual deployment on the 32 bit WebSphere. Furthermore, the WebSphere configuration steps would be applicable to WebSphere on any platform.
Part One: Required ear file modifications
Extract Ear
Extract WAS_IMr12.ear to working directory /
jar -xvf WAS_IMr12.ear

Create the following folders and move each archive into its folder:
policyserver   - move policyserver.rar into /policyserver
user_console   - move user_console.war into /user_console
workflow       - move workflow.rar into /workflow
Update SiteMinder agent libraries
Optional - you only need to do this if you are going to integrate with SiteMinder and you are using AIX 6.1 or AIX 5.3 64 bit. Download the Web Agent SDK and obtain the 64 bit versions of the required files:
libsmagentapi.so, libsmcommonutil.so, libsmerrlog.so, libsmjavaagentapi.so
Under /library, replace the existing *.so agent files with these 64 bit versions.

Update Workpoint ports
Under /config folder
Update the following file and value to match the WebSphere application server BOOTSTRAP ADDRESS:
workpoint-client.properties
java.naming.provider.url=iiop://localhost:9810

Update the following file and value to match the web server port:
workpoint-server.properties
# This URL tells the WorkPoint Server where the WorkPoint Gateway is located.
workpoint.gateway.url=http://localhost:8080/wpGateway/

Update SiteMinder Policy Server Configurations
CD into the policyserver/ folder
Explode the policyserver.rar
jar -xvf policyserver.rar
CD into /policyserver/META-INF folder
Update the ra.xml file with the correct SiteMinder environment information. You will need all policy servers listed, the admin ID, the agent name, and the encrypted password values.
ValidateSMHeadersWithPS:true  
enabled:false
FIPSMode:false
ConnectionURL: policyserver1,44443,44442,44441
UserName: siteminder
AdminSecret: password encrypted*
AgentName: 4.x agent created for use by IdM
AgentSecret: 4.x agent password encrypted*
ConnectionMin:8
ConnectionMax:128
ConnectionStep:8
ConnectionTimeout:1000
FailoverServers: policyserver1,44443,44442,44441;policyserver2,44443,44442,44441
Failover: true

* Get encrypted password values for the agent password as well as the SiteMinder or other admin password.
Navigate to password tool section on IdM server:
.../CA/IdentityManager/IAM_Suite/Identity_Manager/tools/PasswordTool

./pwdtools.sh -JSAFE -p P@ssword01
--------------------------------------------------
Your JAVA_HOME is currently set to .../WebSphere/Common/java
--------------------------------------------------
Encrypting your password ...
******************************************
Plain Text: P@ssword01
Encrypted value: {PBES}:xfx8/9xxmHDOB3Raw9VZJA==
******************************************

Repackage policyserver.rar
Move up one level to /policyserver
Delete existing policyserver.rar
jar -cvf policyserver.rar *
Move new policyserver.rar up one level to /
Delete the folder /policyserver/

Update User Console Config
CD into /user_console
Explode the user_console.war
jar -xvf user_console.war
CD into /user_console/WEB-INF
Update web.xml with the following change (the FrameworkAuthFilter entry, with its Enable parameter set to false):

    <filter>
        <filter-name>FrameworkAuthFilter</filter-name>
        <filter-class>com.netegrity.webapp.authentication.FrameworkLoginFilter</filter-class>
        <init-param>
            <param-name>Enable</param-name>
            <param-value>false</param-value>
        </init-param>
    </filter>


Repackage user_console.war
Move up one level to /user_console
Delete existing user_console.war
jar -cvf user_console.war *
Move new user_console.war up one level to /
Delete the folder /user_console/

Update Workflow Config
CD into /workflow
Explode the workflow.rar
jar -xvf workflow.rar
CD into /workflow/META-INF
Edit ra.xml, setting the UserName and Password config properties:

    <config-property>
        <config-property-name>UserName</config-property-name>
        <config-property-type>java.lang.String</config-property-type>
        <config-property-value>IDM</config-property-value>
    </config-property>
    <config-property>
        <config-property-name>Password</config-property-name>
        <config-property-type>java.lang.String</config-property-type>
        <config-property-value>P@ssword01</config-property-value>
    </config-property>

This IDM user must exist and be referenced by WebSphere at runtime. Also, do NOT encrypt the password; it is encrypted by WebSphere at deployment time. The location of this ID will depend on your WebSphere Global Security configuration.

Repackage workflow.rar
Move up one level to /workflow
Delete existing workflow.rar
jar -cvf workflow.rar *
Move new workflow.rar up one level to /
Delete the folder /workflow/

Repackage Ear
After all modifications are made, repackage the ear for the particular environment being deployed to.
From the location, delete the existing WAS_IMr12.ear.
Package the new ear with the following format:
WAS_IMr12(major version)sp(Service pack version)_environment.ear
jar -cvf WAS_IMr125sp5_Dev.ear *

Ear file is ready to be deployed.
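Part One's policyserver.rar edit can be scripted instead of exploding the archives by hand. As an added example (not the post's or CA's code), this Python rewrites the SiteMinder config-property values in META-INF/ra.xml inside policyserver.rar inside the ear entirely in memory, refuses property names that are not in the file so a typo cannot silently leave a value unset, and reads the values back for verification. The ear, rar and ra.xml it runs against are a constructed sample with placeholder values; RA_PATH and the function names are this example's own.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

def _props(root):  # yield (name, value element) per config-property, ignoring XML namespaces
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == "config-property":
            kids = {c.tag.rsplit("}", 1)[-1]: c for c in el}
            yield kids["config-property-name"].text, kids["config-property-value"]
def read_config_properties(ra_xml):  # {name: value} for every config-property in a ra.xml
    return {name: el.text for name, el in _props(ET.fromstring(ra_xml))}
def set_config_properties(ra_xml, values):  # set the named values; reject names not in the file
    root = ET.fromstring(ra_xml)
    if root.tag.startswith("{"):  # keep the JCA default namespace unprefixed in the output
        ET.register_namespace("", root.tag[1:].split("}")[0])
    pending = dict(values)
    for name, value_el in _props(root):
        if name in pending:
            value_el.text = pending.pop(name)
    if pending:  # a misspelled property name would otherwise leave the real one unset
        raise KeyError("not present in ra.xml: " + ", ".join(sorted(pending)))
    return ET.tostring(root, encoding="utf-8")
def rewrite_entry(archive, path, transform):
    """Copy an in-memory jar, replacing the entry at path (a list, outer jar first)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(archive)) as src, zipfile.ZipFile(out, "w") as dst:
        src.getinfo(path[0])  # KeyError if missing, rather than silently writing an unchanged jar
        for info in src.infolist():
            data = src.read(info)
            if info.filename == path[0]:  # recurse while the target sits inside a nested jar
                data = transform(data) if len(path) == 1 else rewrite_entry(data, path[1:], transform)
            dst.writestr(info.filename, data)
    return out.getvalue()
def read_entry(archive, path):  # read the bytes at path, descending into nested jars
    with zipfile.ZipFile(io.BytesIO(archive)) as z:
        data = z.read(path[0])
    return data if len(path) == 1 else read_entry(data, path[1:])
RA_PATH = ["policyserver.rar", "META-INF/ra.xml"]  # the descriptor Part One edits by hand
def _jar(entries):  # in-memory jar from {entry: bytes}; only used to build the sample
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()

# Constructed sample ear with placeholder values (not a real environment).
SAMPLE_RA_XML = b"""<connector xmlns="http://java.sun.com/xml/ns/j2ee"><resourceadapter>
<config-property><config-property-name>ConnectionURL</config-property-name><config-property-type>java.lang.String</config-property-type><config-property-value>localhost,44443,44442,44441</config-property-value></config-property>
<config-property><config-property-name>AdminSecret</config-property-name><config-property-type>java.lang.String</config-property-type><config-property-value></config-property-value></config-property>
</resourceadapter></connector>"""
SAMPLE_EAR = _jar({"policyserver.rar": _jar({"META-INF/ra.xml": SAMPLE_RA_XML})})
```

Feed the real WAS_IMr12.ear bytes and the output of pwdtools.sh to rewrite_entry(ear, RA_PATH, ...) and write the result out under the environment-specific ear name; the other steps of Part One (agent libraries, web.xml, workflow ra.xml) are further rewrite_entry calls with their own paths.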
Part Two: Manual Configuration of WebSphere Resources
Creating JDBC Resources
JDBC Provider:
Create the appropriate Provider

Required JDBC Sources

Name                                   JNDI name
Audit Data Source                      auditDbDataSource
Object Store Data Source               jdbc/objectstore
Report Snapshot Data Source            jdbc/reportsnapshot
Task Persistence Archive Data Source   jdbc/archive
Task Persistence Data Source           jdbc/idm
Workflow Data Source                   jdbc/WPDS

IMSBUS Configuration
Create Bus
Service Integration->Buses->New
Name it IMSBus (no security). If using clusters, create one IMSBus per cluster, each with a unique name (IMSBUS#).

Select newly created IMSBus
Topology->Bus members->Add
Select Application Server
Select DB (*settings are unique for each member):

Data Source JNDI Name   jdbc/ibmwssib1
Schema Name             Idm_sib1

Buses->IMSBus->Destinations
Create New Queue using the following Identifier:
IMSEvents
wpUtilQueue
wpServAutoActQueue
RuntimeStatusDetailQueue
wpEventQueue

New Topic space using the following identifier:
ServerCommand

JMS Resources Configuration

Queue Connection Factories
Always use Default Messaging Provider

Name                   JNDI name                          Bus name
neteQCF                javax.jms.QueueConnectionFactory   IMSBus
wpConnectionFactory    jms/wpConnectionFactory            IMSBus

Topic Connection Factories
Always use Default Messaging Provider

Name                JNDI name                             Bus name
neteTCF             javax.jms.TopicConnectionFactory      IMSBus
GeneralMonitorCF    com/netegrity/idm/GeneralMonitorCF    IMSBus


Queues
Always use Default Messaging Provider

Name                       JNDI name                        Bus name  Queue name
IMSEvents                  com.netegrity.ims.msg.queue      IMSBus    IMSEvents
wpServAutoActQueue         queue/wpServAutoActQueue         IMSBus    wpServerAutoActQueue
wpUtilQueue                queue/wpUtilQueue                IMSBus    wpUtilQueue
RuntimeStatusDetailQueue   queue/RuntimeStatusDetailQueue   IMSBus    RuntimeStatusDetailQueue
wpEventQueue               queue/wpEventQueue               IMSBus    wpEventQueue

Topics
Always use Default Messaging Provider

Name            JNDI name                   Bus name  Topic name
ServerCommand   topic/ServerCommandTopic    IMSBus    ServerCommand

Activation Specifications
Always use Default Messaging Provider

Name                       JNDI name                      Destination type  Destination JNDI name            Bus name
Act                        ACT                            queue             com.netegrity.ims.msg.queue      IMSBus
wpServAutoActActSpec       jms/wpServAutoActActSpec       queue             queue/wpServAutoActQueue         IMSBus
wpUtilActSpec              jms/wpUtilActSpec              queue             queue/wpUtilQueue                IMSBus
ServerCommand              ServerCommand                  topic             topic/ServerCommandTopic         IMSBus
RuntimeStatusDetailQueue   jms/RuntimeStatusDetailQueue   queue             queue/RuntimeStatusDetailQueue   IMSBus
wpEventActSpec             jms/wpEventActSpec             queue             queue/wpEventQueue               IMSBus

Mail Resources

Mail->Mail Sessions->New

Name       JNDI name
mailMail   mail/Mail
  
Core Groups Configuration
Servers -> Core groups -> Core group settings -> DefaultCoreGroup -> Policies
Create a new policy for each node that will be a part of the cluster.
New policy -> select "One of N policy"
Name: (create a unique name) Node1GP
Is alive timer = 120
Click OK to enable the Match criteria link
Additional Properties -> Match criteria -> New
Name=type  Value=WSAF_SIB
Name=WSAF_SIB_MESSAGING_ENGINE  Value=(IMSBus bus member value)

Core groups -> DefaultCoreGroup -> Policies -> Node1GP -> Preferred servers (one per cluster/node)

Add Node(s)
When there are multiple nodes, the first policy lists the primary and secondary servers in one order, while the second policy lists them in the reverse order.


Web Container Configuration

In the administrative console click Servers > Application Servers > server_name > Web Container settings > Web Container
Under Additional Properties select Custom Properties.
On the Custom Properties page, click New and create these two value pairs.
com.ibm.ws.jsp.jdkSourceLevel = 15
com.ibm.ws.webcontainer.invokefilterscompatibility = true
Bounce WebSphere Environment

Part Three: IDM ear File Deployment and Post Deploy Configurations
Deploy Identity Manager ear files.
Deploy CA_Styles_R5.1.1
Deploy to web server and cluster. Accept Defaults for deployment

Deploy WAS_R125sp5.ear
Select Precompile JavaServer Pages Files.
Deploy to web server and cluster.
The rest are left as default.

Do not start new applications.

Post Deployment Configuration

Message Driven Bean Listener
Enterprise Applications > IdentityMinder > Message Driven Bean listener bindings

You only need to update the first 3 modules as the remaining 3 are properly configured.

EJB                             Bindings - Activation Specification Target Resource JNDI Name
SubscriberMessageEJB            ACT
ServerCommandsEJB               ServerCommand
RuntimeStatusDetailEJB          jms/RuntimeStatusDetailQueue
ServerAutomatedActivityMDBean   jms/wpServAutoActActSpec
EventMDBean                     jms/wpEventActSpec
UtilityMDBean                   jms/wpUtilActSpec



PolicyServer J2C Connection Factory Configuration
Enterprise Applications > IdentityMinder > Manage Modules > policyserverRA > Resource Adapter > J2C connection factories > PolicyServerRA > New

Name                     JNDI name
PolicyServerConnection   nete/rar/PolicyServerConnection
Set all Container-managed authentication alias to "None"
Delete default connection factory: com.netegrity.ra.policyserver.IPolicyServerConnectionFactory

Optional: Validate settings are appropriate for SiteMinder environment
Enterprise Applications > IdentityMinder > Manage Modules > policyserver.rar > IdentityMinder.PolicyServerRA > J2C connection factories > PolicyServerConnection > Custom properties
Validate correct SiteMinder settings

Workflow J2C Connection Factory Configuration
Now select the following from the actions menu: Enterprise Applications > IdentityMinder > Manage Modules > WorkflowRA > Resource Adapter > J2C connection factories > WorkflowRA > New

Name       JNDI name
Workflow   Workflow
Set all Container-managed authentication alias to "None"
Do not delete existing connection factory

User Console Class Loader Configuration
Now select the following from the actions menu: Enterprise Applications > IdentityMinder > Manage Modules > IMS-UI
Change Class loader order to use:
Classes loaded with application class loader first

Application Server LIBPATH Configuration
Navigate to Application Servers -> server -> Process definition -> Environment Entries -> New

Name      Value*
LIBPATH   .../WebSphere/Common/profile/AppServer/installedApps/.../IdentityMinder.ear/library
*Path will be unique for each application server

Starting Identity Manager
Make sure nodes are in sync and restart WebSphere Environment
Check SystemOut.log for any errors.

Check IdentityManager console for validation
http://host:port/idmmanage/homepage.do

