
Saturday, October 13, 2012

Manual Deployment of CA IdentityMinder 12.6 on WebSphere 7 on Unix - Part 3: Deploying the IDM ear files

Now that you have the clustered WebSphere environment configured and your IDM ear file modified, the final step is to deploy the ear file. The deployment process includes a few manual (surprise) steps that you need to make sure are followed for an error-free startup.


Step 3: Deploy Identity Manager ear files.

Deploy CA_Styles
Deploy to the web servers and cluster. Accept the defaults for deployment.

Deploy WAS_R126sp#_.ear *
*Make sure the ear file has been configured for deployment in the current WebSphere environment.
Select detailed deployment.

Step 1: Most steps are left as default. I will call out those that require a change.

Step 2: Map modules to servers > Deploy to your web servers and cluster.

Step 4: Provide options to compile JSPs > JDK Source Level 15

Step 8 Bind listeners for message-driven beans:
You only need to update the first 3 modules, but also check the remaining 3. The Destination JNDI name will be missing the iam/im/... prefix.
If you do not make the changes here through the deployment process or miss a step, you can still update these values after the deployment. This is one of the most common errors we find when we deploy; WebSphere's SystemOut.log will complain about it right away.

EJB | Bindings - Activation Specification Target Resource JNDI Name | Destination JNDI name
--- | --- | ---
SubscriberMessageEJB | iam/im/ACT | iam/im/jms/queue/com.netegrity.ims.msg.queue
ServerCommandsEJB | iam/im/ServerCommand | iam/im/jms/topic/topic/ServerCommandTopic
RuntimeStatusDetailEJB | iam/im/jms/RuntimeStatusDetailQueue | iam/im/jms/queue/queue/RuntimeStatusDetailQueue
ServerAutomatedActivityMDBean | iam/im/jms/wpServAutoActActSpec | iam/im/jms/queue/queue/wpServAutoActQueue
EventMDBean | iam/im/jms/wpEventActSpec | iam/im/jms/queue/queue/wpEventQueue
UtilityMDBean | iam/im/jms/wpUtilActSpec | iam/im/jms/queue/queue/wpUtilQueue

The rest are left as default.

Do not start new applications.
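The cross-check a practitioner would want before clicking Next on Step 8, as an added example that is not part of the original post: it compares the listener bindings against the activation specifications configured in Part 1 (both copied from this page's tables) and reports the dropped iam/im/ prefix the post warns about. WIZARD_DEFAULTS is a constructed simulation of the wizard's pre-filled values, not something captured from a real console.

```python
"""Added example: pre-deployment check for the Step 8 MDB listener bindings."""

PREFIX = "iam/im/"

# Activation specifications configured in Part 1: JNDI name -> destination JNDI name.
ACTIVATION_SPECS = {
    "iam/im/ACT": "iam/im/jms/queue/com.netegrity.ims.msg.queue",
    "iam/im/jms/wpServAutoActActSpec": "iam/im/jms/queue/queue/wpServAutoActQueue",
    "iam/im/jms/wpUtilActSpec": "iam/im/jms/queue/queue/wpUtilQueue",
    "iam/im/ServerCommand": "iam/im/jms/topic/topic/ServerCommandTopic",
    "iam/im/jms/RuntimeStatusDetailQueue": "iam/im/jms/queue/queue/RuntimeStatusDetailQueue",
    "iam/im/jms/wpEventActSpec": "iam/im/jms/queue/queue/wpEventQueue",
}

# Step 8 table: EJB -> (activation spec JNDI name, destination JNDI name).
EXPECTED_BINDINGS = {
    "SubscriberMessageEJB": ("iam/im/ACT", "iam/im/jms/queue/com.netegrity.ims.msg.queue"),
    "ServerCommandsEJB": ("iam/im/ServerCommand", "iam/im/jms/topic/topic/ServerCommandTopic"),
    "RuntimeStatusDetailEJB": ("iam/im/jms/RuntimeStatusDetailQueue",
                               "iam/im/jms/queue/queue/RuntimeStatusDetailQueue"),
    "ServerAutomatedActivityMDBean": ("iam/im/jms/wpServAutoActActSpec",
                                      "iam/im/jms/queue/queue/wpServAutoActQueue"),
    "EventMDBean": ("iam/im/jms/wpEventActSpec", "iam/im/jms/queue/queue/wpEventQueue"),
    "UtilityMDBean": ("iam/im/jms/wpUtilActSpec", "iam/im/jms/queue/queue/wpUtilQueue"),
}

# Constructed simulation of the wizard's pre-filled values with the iam/im/ prefix dropped.
WIZARD_DEFAULTS = {ejb: (spec, dest[len(PREFIX):])
                   for ejb, (spec, dest) in EXPECTED_BINDINGS.items()}


def check_bindings(bindings, activation_specs=ACTIVATION_SPECS):
    """Return (ejb, problem) pairs; an empty list means the bindings are safe to accept."""
    problems = []
    for ejb, (spec, dest) in bindings.items():
        target = activation_specs.get(spec)
        if target is None:
            problems.append((ejb, f"activation spec {spec} is not configured on the cluster"))
        elif not dest.startswith(PREFIX):
            problems.append((ejb, f"destination {dest} is missing the {PREFIX} prefix"))
        elif dest != target:
            problems.append((ejb, f"destination {dest} does not match the activation spec target {target}"))
    return problems


def fix_bindings(bindings, activation_specs=ACTIVATION_SPECS):
    """Return the bindings with each destination reset to its activation spec's configured target."""
    return {ejb: (spec, activation_specs.get(spec, dest)) for ejb, (spec, dest) in bindings.items()}


if __name__ == "__main__":
    for ejb, problem in check_bindings(WIZARD_DEFAULTS):
        print(f"{ejb}: {problem}")
```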

Post Deployment Configuration

PolicyServer J2C Connection Factory Configuration
Enterprise Applications > IdentityMinder > Manage Modules > policyserverRA > Resource Adapter > J2C connection factories > New

Name | JNDI name
--- | ---
iam_im-PolicyServerConnection | iam/im/rar/nete/rar/PolicyServerConnection

Set all Container-managed authentication alias values to "None".


Optional: Validate that the settings are appropriate for the SiteMinder environment
Enterprise Applications > IdentityMinder > Manage Modules > policyserver.rar > IdentityMinder.PolicyServerRA > J2C connection factories > PolicyServerConnection > Custom properties
Validate the SiteMinder settings (leave the integration turned off to troubleshoot other startup issues first, then enable it once the IDM app is validated to work).

Workflow J2C Connection Factory Configuration
Now select the following from the actions menu: Enterprise Applications > IdentityMinder > Manage Modules > WorkflowRA > Resource Adapter > J2C connection factories > New

Name | JNDI name
--- | ---
iam_im-Workflow | iam/im/rar/Workflow

Set all Container-managed authentication alias values to "None".
Do not delete the existing connection factory.

User Console Class Loader and WorkPoint Server Configuration
Now select the following from the actions menu Enterprise Applications > IdentityMinder > Manage Modules > IMS-UI
Change Class loader order to use:
Classes loaded with local class loader first (parent last) - Starting weight: 4000

Also
Now select the following from the actions menu Enterprise Applications > IdentityMinder > Manage Modules > wpServer.jar
Starting weight: 500

Application Server LIBPATH Configuration
Navigate to Servers -> Server Types -> WebSphere Application Servers -> server -> Server Infrastructure -> Java and Process Management -> Process definition -> Environment Entries -> New

Name | Value*
--- | ---
LIBPATH | .../WebSphere/Common//installedApps//iam_im.ear/library

*The path will be unique for each application server.

Update Web Server Plug-in

Environment-> Update global Web Server plug-in configuration
Click OK to update the plug-in

Starting Identity Manager
Make sure nodes are in sync and restart WebSphere Environment
System Administration > Nodes
Check for sync status

Restart WebSphere on all nodes.

Check SystemOut.log for any errors.

Check IdentityManager console for validation
http://host:port/iam/immanage/
Now you are ready to create your first environment.

For other tips on IdentityMinder deployments as well as important security parameters, check these postings on the Binary Blogger site:
http://www.binaryblogger.com/p/ca-identityminder-posts.html

For previous posts in this series:
Part 1 - Configuring WebSphere 7 
Part 2: Creating the IDM ear file for deployment 

  

Manual Deployment of CA IdentityMinder 12.6 on WebSphere 7 on Unix - Part 2 Creating the IDM.ear for deployment

Before you deploy the IDM ear file, you need to make some modifications in order to make it work within your environment. You can extract and package the ear file from your Windows desktop easily. You only need to have a Java JDK installed and have the JDK (for the jar tool) on your PATH.

Extracting the Ear

It doesn't matter on which platform you run the IdentityMinder installer to obtain the IDM EAR file. For example, I will install IdentityMinder 12.6 on my Windows 7 workstation and select the option to only create the ear files.

Extract WAS_IMr12.ear to the working directory /
jar -xvf WAS_IMr12.ear

Create the following folders and move the modules into them:
policyserver - move policyserver.rar into the /policyserver folder
user_console - move user_console.war into the /user_console folder
workflow - move workflow.rar into the /workflow folder


Update Workpoint ports
Under the /config folder:

!! Update the following file and value to match the WebSphere application server BOOTSTRAP ADDRESS !!

workpoint-client.properties
java.naming.provider.url=iiop://localhost:9810   (change localhost to the server name)

Update the following file and value to match the web server port:

workpoint-server.properties
# This URL tells the WorkPoint Server where the WorkPoint Gateway is located.
workpoint.gateway.url=http://localhost:8080/wpGateway/   (change localhost to the server name and use the correct port for WebSphere, or for IHS if you are using it as well)

Update Provisioning Server shared secret

Under custom/identitymanager
systemWideProperties.properties
# Shared secret for the Provisioning server callback
IMeTASharedSecret={PBES}:xfx89…….

Get encrypted password values for this and other properties.
Navigate to the password tool directory on the IdM server:
.../CA/IdentityManager/IAM_Suite/Identity_Manager/tools/PasswordTool
./pwdtools.sh -JSAFE -p P@ssword


Update SiteMinder Policy Server Configurations if enabling SiteMinder integration. This can also be done via the WebSphere console post deployment.
CD into the policyserver/ folder
Explode the policyserver.rar
jar -xvf policyserver.rar

CD into /policyserver/META-INF folder

Update the ra.xml file with the correct SiteMinder environment information.
You will need all policy servers listed, the admin ID, the agent name, and the password hashes.

ValidateSMHeadersWithPS:true  
enabled:false
FIPSMode:false
ConnectionURL: policyserver1,44443,44443,44443
UserName: siteminder
AdminSecret: password encrypted*
AgentName: 4.x agent created for use by IdM
AgentSecret: 4.x agent password encrypted*
ConnectionMin:8
ConnectionMax:128
ConnectionStep:8
ConnectionTimeout:1000
FailoverServers: policyserver1,44443,44443,44443;policyserver2,44443,44443,44443
Failover: true

Repackage policyserver.rar

Move up one level to /policyserver

Delete existing policyserver.rar

jar -cvf policyserver.rar *

Move new policyserver.rar up one level to /

Delete the folder /policyserver/

Update User Console Config (only required if enabling SiteMinder integration)
CD into /user_console
Explode the user_console.war
jar -xvf user_console.war
CD into /user_console/WEB-INF
Update web.xml with the following change (set the Enable init-param of the FrameworkAuthFilter to false):
    <filter>
        <filter-name>FrameworkAuthFilter</filter-name>
        <filter-class>com.netegrity.webapp.authentication.FrameworkLoginFilter</filter-class>
        <init-param>
            <param-name>Enable</param-name>
            <param-value>false</param-value>
        </init-param>
    </filter>

Repackage user_console.war
Move up one level to /user_console
Delete existing user_console.war
jar -cvf user_console.war *
Move new user_console.war up one level to /
Delete the folder /user_console/


Update Workflow Config
CD into /workflow
Explode the workflow.rar
jar -xvf workflow.rar
CD into /workflow/META-INF
Edit ra.xml and set the UserName and Password config-property values:
        <config-property>
            <config-property-name>UserName</config-property-name>
            <config-property-type>java.lang.String</config-property-type>
            <config-property-value>IDM</config-property-value>
        </config-property>
        <config-property>
            <config-property-name>Password</config-property-name>
            <config-property-type>java.lang.String</config-property-type>
            <config-property-value>sn0wba11</config-property-value>
        </config-property>
This IDM user must exist and be referenced by WebSphere at runtime. Also, do NOT encrypt the password; it is encrypted by WebSphere at deployment time. Where this ID lives depends on your WebSphere Global Security configuration. For example, if WebSphere Global Security is backed by LDAP, this ID would need to be in LDAP.

Repackage workflow.rar
Move up one level to /workflow
Delete existing workflow.rar
jar -cvf workflow.rar *
Move new workflow.rar up one level to /
Delete the folder /workflow/
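Both ra.xml edits above (the SiteMinder properties in policyserver.rar and the UserName/Password in workflow.rar) are the same operation: set a config-property-value by name. As an added example that is neither CA's tooling nor code from the post, the Python below does that edit by local element name, so it works with the J2EE connector namespace a real ra.xml carries; SAMPLE_RA_XML is a constructed stand-in, not the product's file.

```python
# Added example (not the product's tooling): set config-property values in the
# META-INF/ra.xml of policyserver.rar or workflow.rar. Real files carry the J2EE
# connector namespace, so elements are matched by local name; SAMPLE_RA_XML is constructed.
import xml.etree.ElementTree as ET

SAMPLE_RA_XML = """<?xml version="1.0" encoding="UTF-8"?>
<connector xmlns="http://java.sun.com/xml/ns/j2ee" version="1.5">
  <resourceadapter>
    <outbound-resourceadapter>
      <connection-definition>
        <config-property>
          <config-property-name>UserName</config-property-name>
          <config-property-type>java.lang.String</config-property-type>
          <config-property-value>changeme</config-property-value>
        </config-property>
        <config-property>
          <config-property-name>Password</config-property-name>
          <config-property-type>java.lang.String</config-property-type>
          <config-property-value/>
        </config-property>
      </connection-definition>
    </outbound-resourceadapter>
  </resourceadapter>
</connector>
"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # strip the {namespace} part of an ElementTree tag

def _child(elem, local_name):
    return next((c for c in elem if _local(c.tag) == local_name), None)

def _properties(root):
    # Yield (name, element) for every config-property; list() so callers may mutate.
    for prop in list(root.iter()):
        if _local(prop.tag) == "config-property":
            yield _child(prop, "config-property-name").text.strip(), prop

def set_config_properties(xml_text, updates):
    # Return xml_text with each named config-property-value set; unknown names raise KeyError.
    root = ET.fromstring(xml_text)
    if root.tag.startswith("{"):  # keep the default namespace on output instead of ns0:
        ET.register_namespace("", root.tag[1:].split("}")[0])
    pending = dict(updates)
    for name, prop in _properties(root):
        if name in pending:
            value = _child(prop, "config-property-value")
            if value is None:  # value element absent: create it in the same namespace
                value = ET.SubElement(prop, prop.tag + "-value")
            value.text = str(pending.pop(name))
    if pending:
        raise KeyError(f"config-property not found in ra.xml: {sorted(pending)}")
    return ET.tostring(root, encoding="unicode")

def get_config_property(xml_text, name):
    for prop_name, prop in _properties(ET.fromstring(xml_text)):
        if prop_name == name:
            value = _child(prop, "config-property-value")
            return value.text if value is not None else None
    raise KeyError(name)
```

Read the file from the exploded META-INF folder, pass its text in with the values from your environment, and write the result back before repackaging with jar -cvf.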

Repackage Ear
After all modifications are made, repackage the ear for the particular environment being deployed to.
From the working directory, delete the existing WAS_IMr12.ear.
Package the new ear using the following naming format:
WAS_IMr12(major version)sp(service pack version)_environment.ear
jar -cvf WAS_IMr126_Dev.ear *

Now you are ready to deploy your ear file.


Manual Deployment of CA IdentityMinder 12.6 on WebSphere 7 on Unix - Part 1 Configure WebSphere

So you need to manually deploy IdentityMinder 12.6 on WebSphere 7? And I don’t mean trying to figure out the “slightly unusable” JACL scripts that come with the product. As with any mature software, you should be able to deploy the ear file to an existing cluster within WebSphere. While the CA documentation has you deploy to a single node and then add an additional cluster member afterwards, that is not how most applications are deployed in WebSphere. You should be able to configure your multi-node clusters and deploy the ear file across multiple nodes without any problems. This is completely doable with CA IdentityMinder 12.5 and 12.6. The only catch is to understand all the configurations required to have the environment set up properly. If it is set up properly, you should have no problems deploying and running IDM.

Note – There were some bugs in IDM r12.5 which cause workflow to not work when you enable it for a given environment. There are some manual updates required against the workflow DB via the WorkPoint Designer. If you need the steps, add a comment and I will post them as well.

This step-by-step guide is based on WebSphere 7.0.23 but is applicable to any supported version of WebSphere 7. This guide was also created based on deployments on AIX and Linux with an Oracle 11 RAC.

Part 1: Configuring WebSphere 7

Update the Java Cryptography Extension (JCE)
Copy the IBM JCE policy files from the \jce_ibm_java folder:
local_policy.jar
US_export_policy.jar
to:
../WebSphere70/Common/java/jre/lib/security

Create J2C Authentication Alias
You can use 1 schema user ID or 1 for each of the IDM databases. It is best to use 1 for each of the 6 IDM databases.

Security -> Global Security -> Authentication -> Java Authentication and Authorization Service -> J2C Authentication Data
Create Oracle users:

Name / Alias | Password
--- | ---
Idm_audit | Password
Idm_data | Password
Idm_report | Password
Idm_archive | Password
Idm_connect | Password
Idm_workflow | Password
Idm_sib1 | Password

JDBC Resources
Resources -> JDBC -> JDBC providers

JDBC Provider: create one per cluster
Create an Oracle XA provider pointing to the location of ojdbc6.jar.

JDBC Resources (at cluster level using the XA provider)

Name | JNDI name | J2C Authentication User
--- | --- | ---
iam_im Audit Data Source | iam/im/jdbc/auditDbDataSource | Idm_audit
iam_im Object Store Data Source | iam/im/jdbc/jdbc/objectstore | Idm_data
iam_im Report Snapshot Data Source | iam/im/jdbc/jdbc/reportsnapshot | Idm_report
iam_im Task Persistence Archive Data Source | iam/im/jdbc/jdbc/archive | Idm_archive
iam_im Task Persistence Data Source | iam/im/jdbc/jdbc/idm | Idm_connect
iam_im Workflow Data Source | iam/im/jdbc/jdbc/WPDS | Idm_workflow

Required configuration settings for all iam_im-* JDBC resources
Connection Pool Properties:

Property | Value
--- | ---
Connection timeout | 10
Maximum Connections | 200
Minimum Connections | 5
Reap Time | 150
Unused Timeout | 300
Aged Timeout | 300
Purge Policy | FailingConnectionOnly

Additional JDBC Resources (at cluster level using the non-XA provider)

Name | JNDI name | J2C Authentication User
--- | --- | ---
SIB1 Message Store | jdbc/ibmwssib1 | Idm_sib1

 
IMSBUS Configuration
Service Integration->Buses->New

Create a bus: 1 per cluster, each with a unique name
(example: iam_im-IMSBus_k1 for cluster 1 or iam_im-IMSBus_k2 for cluster 2)
Uncheck "Bus security" (If someone gets it to work with security enabled, let me know!)
Next -> Finish and Save

Select newly created iam_im-IMSBus*
Local Topology->Bus members->Add
Select the cluster  (needs to be done for both clusters)

Keep the defaults on "Messaging engine policy assistance settings":
Policy type should be "High availability" and "Enable messaging engine policy assistance?" should be enabled.
Click Next

Select the type of message store
Select 'Data Store'
Click Next

Configure messaging engines
Click on the messaging engine created by default

Specify data store properties
Use the existing data sources created for each cluster (idm_sib1 for k1, idm_sib2 for k2, etc.):

Property | Value
--- | ---
Data Source JNDI Name | jdbc/ibmwssib1
Schema Name | idm_sib1
Authentication alias | idm_sib1

Clicking Next takes you back to the Configure messaging engines screen. Now that the engine has been configured, click Next to proceed.

Keep defaults on "Tune performance parameters" screen - Next->Finish -> Save

Configure message engines
Select one of  the Buses you just created (will need to be done for all buses)

Service Integration->Buses->iam_im-IMSBus->Destinations->New
Create New Queues using the following Identifiers:
iam_im-IMSEvents
iam_im-wpUtilQueue
iam_im-wpServAutoActQueue
iam_im-RuntimeStatusDetailQueue
iam_im-wpEventQueue

New Topic space using the following identifier:
iam_im-ServerCommand

Go back to the beginning of the IMSBus configuration section and perform the same steps on the other cluster member(s).


JMS Resources Configuration

Queue Connection Factories
Resources -> JMS -> Queue Connection Factories -> select the scope to be the application server node (will need to be done for all clusters)
New
Always use Default Messaging Provider

Name | JNDI name | Bus name
--- | --- | ---
iam_im-neteQCF | iam/im/jms/factory/javax.jms.QueueConnectionFactory | iam_im-IMSBus
iam_im-wpConnectionFactory | iam/im/jms/factory/jms/wpConnectionFactory | iam_im-IMSBus

Apply
For both Queue Connection Factory objects, under Additional Properties -> Connection pool properties update:

Property | Value
--- | ---
Maximum Connections | 128
Purge Policy | FailingConnectionOnly

OK -> OK
Click New
Go back to the top of the Queue Connection Factories section and complete the configs above for each cluster member.


Topic Connection Factories
Resources -> JMS -> Topic Connection Factories -> select the scope to be the application server node (will need to be done for all clusters)
Always use Default Messaging Provider

Name | JNDI name | Bus name
--- | --- | ---
iam_im-neteTCF | iam/im/jms/factory/javax.jms.TopicConnectionFactory | iam_im-IMSBus
iam_im-GeneralMonitorCF | iam/im/jms/factory/com/netegrity/idm/GeneralMonitorCF | iam_im-IMSBus

Switch scope and perform the same setup on the remaining cluster(s).

 
Queues
Resources -> JMS -> Queues -> select the scope to be the application server node (will need to be done for all clusters)
New
Always use Default Messaging Provider

Name | JNDI name | Bus name | Queue name
--- | --- | --- | ---
iam_im-IMSEvents | iam/im/jms/queue/com.netegrity.ims.msg.queue | iam_im-IMSBus | iam_im-IMSEvents
iam_im-wpServAutoActQueue | iam/im/jms/queue/queue/wpServAutoActQueue | iam_im-IMSBus | iam_im-wpServAutoActQueue
iam_im-wpUtilQueue | iam/im/jms/queue/queue/wpUtilQueue | iam_im-IMSBus | iam_im-wpUtilQueue
iam_im-RuntimeStatusDetailQueue | iam/im/jms/queue/queue/RuntimeStatusDetailQueue | iam_im-IMSBus | iam_im-RuntimeStatusDetailQueue
iam_im-wpEventQueue | iam/im/jms/queue/queue/wpEventQueue | iam_im-IMSBus | iam_im-wpEventQueue



Topics
Resources -> JMS -> Topics -> select the scope to be the application server node (will need to be done for both clusters)
Always use Default Messaging Provider

Name | JNDI name | Bus name | Topic name
--- | --- | --- | ---
iam_im-ServerCommand | iam/im/jms/topic/topic/ServerCommandTopic | iam_im-IMSBus | iam_im-ServerCommand


Activation Specifications
Resources -> JMS -> Activation specifications -> select the scope to be the application server node (will need to be done for all clusters)
New
Always use Default Messaging Provider

Name | JNDI name | Destination type | Destination JNDI name | Bus name
--- | --- | --- | --- | ---
iam_im-act | iam/im/ACT | queue | iam/im/jms/queue/com.netegrity.ims.msg.queue | iam_im-IMSBus
iam_im-wpServAutoActActSpec | iam/im/jms/wpServAutoActActSpec | queue | iam/im/jms/queue/queue/wpServAutoActQueue | iam_im-IMSBus
iam_im-wpUtilActSpec | iam/im/jms/wpUtilActSpec | queue | iam/im/jms/queue/queue/wpUtilQueue | iam_im-IMSBus
iam_im-ServerCommand | iam/im/ServerCommand | topic | iam/im/jms/topic/topic/ServerCommandTopic | iam_im-IMSBus
iam_im-RuntimeStatusDetailQueue | iam/im/jms/RuntimeStatusDetailQueue | queue | iam/im/jms/queue/queue/RuntimeStatusDetailQueue | iam_im-IMSBus
iam_im-wpEventActSpec | iam/im/jms/wpEventActSpec | queue | iam/im/jms/queue/queue/wpEventQueue | iam_im-IMSBus


Mail Resources
Resources -> Mail -> Mail Sessions -> select the 2 sample sessions -> Delete -> select scope (k1/k2) -> New

Name | JNDI name
--- | ---
iam_im-mailMail | iam/im/mail/mail/Mail

This needs to be done on all clusters. Also, update the SMTP value for the mail provider; otherwise you will get an error in the SystemOut.log. There is no impact other than the error showing up, and the value can be fake and it will make the error go away.

Core Groups Configuration
Servers->Core groups -> Core group settings->DefaultCoreGroup->Policies
A policy is automatically created for each message engine. You only need to update the Preferred servers list.


Core groups -> DefaultCoreGroup -> Policies -> select the policy that was created
Make sure "Failback" and "Preferred servers only" are enabled.
"Is alive timer" should be set to 0.

Core groups->DefaultCoreGroup->Policies->Select the policy that was created->Match criteria
Verify or add the following 3 values:
WSAF_BUS = WSAF_SIB
WSAF_SIB_MESSAGING_ENGINE = (IMSBus member) ex: k1_idm_stg2.000-iam_im-IMSBus_k1  
type = WSAF_SIB

Core groups -> DefaultCoreGroup -> Policies -> select the policy that was created -> Preferred servers
Add the appropriate *idm_prd*/k1n1s1_idm_prd* server to the Preferred servers list if not already present (one per cluster/node).

Add Node(s)
With multiple nodes, 1 policy will have the primary and secondary servers in 1 order, while the 2nd policy will have them in reverse order. Do not add nodes or the Deployment Manager.
 
Web Container Configuration

In the administrative console click Servers > Server Types > WebSphere Application Servers > server_name > Web Container settings > Web Container.
Under Additional Properties select Custom Properties.
On the Custom Properties page, click New and create these two Name / Value pairs:

Name | Value
--- | ---
com.ibm.ws.jsp.jdkSourceLevel | 15
com.ibm.ws.webcontainer.invokefilterscompatibility | true

CORBA Naming
In the administrative console click Environment -> Naming -> CORBA naming service users.
Add a user. Select all 4 roles (Cos Naming Read/Write/Create/Delete). Search for the LDAP user IDM* and select the user.

*When updating the workflow.rar, make sure that UserName matches this LDAP user.

Bounce The WebSphere Environment

Next
Part 2: Creating the IDM ear file for deployment
Part 3 - Deploying the IDM ear file