So you need to manually deploy IdentityMinder 12.6 on WebSphere 7? And I don’t mean trying to figure out the “slightly unusable” JACL scripts that come with the product. As with any mature software, you should be able to deploy the ear file to an existing cluster within WebSphere. While the CA documentation has you deploy to a single node and then add an additional cluster member afterwards, that is not how most applications are deployed in WebSphere. You should be able to configure your multi-node clusters and deploy the ear file across multiple nodes without any problems. This is completely doable with CA IdentityMinder 12.5 and 12.6. The only catch is understanding all the configuration required to have the environment set up properly. If it is set up properly, you should have no problems deploying and running IDM.
Note – There were some bugs in IDM r12.5 which cause workflow to not work when you enable it for a given environment. There are some manual updates required against the workflow DB via the Workpoint designer. If you need the steps, add a comment and I will post them as well.
This step-by-step guide is based on WebSphere 7.0.23 but is applicable to any supported version of WebSphere 7. This guide was also created based on deployments on AIX and Linux with an Oracle 11 RAC.
Part 1: Configuring WebSphere 7
Update the Java Cryptography Extension (JCE)
Copy the IBM JCE files local_policy.jar and US_export_policy.jar from \jce_ibm_java to ../WebSphere70/Common/java/jre/lib/security.
Create J2C Authentication Alias
You can use 1 schema user ID or 1 for each of the IDM databases. It is best to use 1 for each of the 6 IDM databases.
Security->Global Security->Authentication->Java Authentication and Authorization Service->J2C Authentication Data
Create the Oracle users:
Name / Alias | Password
Idm_audit | Password
Idm_data | Password
Idm_report | Password
Idm_archive | Password
Idm_connect | Password
Idm_workflow | Password
Idm_sib1 | Password
JDBC Resources
Resources->JDBC->JDBC providers
JDBC Provider: create one per cluster. Create an Oracle XA Provider and point it to the location of the ojdbc6.jar.
JDBC Resources (at cluster level, using the XA provider):
Name | JNDI name | J2C Authentication User
iam_im Audit Data Source | iam/im/jdbc/auditDbDataSource | Idm_audit
iam_im Object Store Data Source | iam/im/jdbc/jdbc/objectstore | Idm_data
iam_im Report Snapshot Data Source | iam/im/jdbc/jdbc/reportsnapshot | Idm_report
iam_im Task Persistence Archive Data Source | iam/im/jdbc/jdbc/archive | Idm_archive
iam_im Task Persistence Data Source | iam/im/jdbc/jdbc/idm | Idm_connect
iam_im Workflow Data Source | iam/im/jdbc/jdbc/WPDS | Idm_workflow
Required configuration settings for all iam_im-* JDBC resources
Connection Pool Properties:
Connection timeout | 10
Maximum Connections | 200
Minimum Connections | 5
Reap Time | 150
Unused Timeout | 300
Aged Timeout | 300
Purge Policy | FailingConnectionOnly
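Clicking through six data sources and seven pool settings per cluster is error-prone, so here is an added wsadmin Jython script (my example, not part of the original post or of CA's scripts) that creates the data sources above with the required pool settings in one pass. The cluster name "k1", the provider display name "Oracle JDBC Driver (XA)", the JDBC URL and the Oracle data store helper class are assumptions; the JNDI names, aliases and pool values are the ones from the tables above.

```python
# wsadmin Jython (Jython 2.1 syntax): creates the six cluster-scoped XA data
# sources from the table above with the pool settings the guide requires.
# Run inside wsadmin: wsadmin.sh -lang jython -f create_idm_datasources.py
# ASSUMPTIONS (not on the page): cluster "k1", provider display name
# "Oracle JDBC Driver (XA)", the placeholder JDBC URL, Oracle11gDataStoreHelper.
CLUSTER = "k1"
PROVIDER = "Oracle JDBC Driver (XA)"
JDBC_URL = "jdbc:oracle:thin:@//db-host.example:1521/IDMSVC"  # placeholder, replace

# (data source name, JNDI name, J2C authentication alias), from the guide.
IDM_DATASOURCES = [
    ("iam_im Audit Data Source", "iam/im/jdbc/auditDbDataSource", "Idm_audit"),
    ("iam_im Object Store Data Source", "iam/im/jdbc/jdbc/objectstore", "Idm_data"),
    ("iam_im Report Snapshot Data Source", "iam/im/jdbc/jdbc/reportsnapshot", "Idm_report"),
    ("iam_im Task Persistence Archive Data Source", "iam/im/jdbc/jdbc/archive", "Idm_archive"),
    ("iam_im Task Persistence Data Source", "iam/im/jdbc/jdbc/idm", "Idm_connect"),
    ("iam_im Workflow Data Source", "iam/im/jdbc/jdbc/WPDS", "Idm_workflow"),
]
# Pool values the guide requires for every iam_im-* data source (ConnectionPool attributes).
POOL_SETTINGS = [
    ["connectionTimeout", "10"], ["maxConnections", "200"], ["minConnections", "5"],
    ["reapTime", "150"], ["unusedTimeout", "300"], ["agedTimeout", "300"],
    ["purgePolicy", "FailingConnectionOnly"],
]

def datasource_attrs(name, jndi, alias, url=JDBC_URL):
    """Attribute list for AdminConfig.create('DataSource', provider, ...)."""
    url_prop = [["name", "URL"], ["type", "java.lang.String"], ["value", url]]
    return [
        ["name", name],
        ["jndiName", jndi],
        ["authDataAlias", alias],  # the J2C alias created for this schema
        ["datasourceHelperClassname", "com.ibm.websphere.rsadapter.Oracle11gDataStoreHelper"],
        ["connectionPool", POOL_SETTINGS],
        ["propertySet", [["resourceProperties", [url_prop]]]],
    ]

def create_all(admin_config, cluster=CLUSTER, provider=PROVIDER):
    """Create each data source under the cluster's XA provider; returns the new config ids."""
    prov = admin_config.getid("/ServerCluster:%s/JDBCProvider:%s/" % (cluster, provider))
    if not prov:
        raise ValueError("JDBC provider %s not found at cluster scope %s" % (provider, cluster))
    created = []
    for name, jndi, alias in IDM_DATASOURCES:
        created.append(admin_config.create("DataSource", prov, datasource_attrs(name, jndi, alias)))
    admin_config.save()  # persist to the master repository; sync the nodes afterwards
    return created

if __name__ in ("__main__", "main"):  # wsadmin -f sets __name__ to "main"
    create_all(AdminConfig)  # AdminConfig is the object wsadmin injects
```

Run it once per cluster (change CLUSTER), then verify each data source with the admin console's Test connection before deploying the ear.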
Additional JDBC Resources (at cluster level, using the non-XA provider):
Name | JNDI name | J2C Authentication User
SIB1 Message Store | jdbc/ibmwssib1 | Idm_sib1
IMSBUS Configuration
Service Integration->Buses->New
Create Bus - 1 per cluster, each with a unique name. Example: iam_im-IMSBus_k1 for cluster 1 or iam_im-IMSBus_k2 for cluster 2.
Uncheck "Bus security" (if someone gets it to work with security enabled, let me know!)
Next -> Finish and Save
Select the newly created iam_im-IMSBus*
Local Topology->Bus members->Add
Select the cluster (needs to be done for both clusters).
Keep the defaults on "Messaging engine policy assistance settings": Policy type should be "High availability" and "Enable messaging engine policy assistance?" should be enabled.
Click Next.
Select the type of message store: select 'Data Store'. Click Next.
Configure messaging engines: click on the messaging engine created by default.
Specify data store properties. Use the existing data sources created for each cluster (idm_sib1 for k1, idm_sib2 for k2, etc.):
Data Source JNDI Name | jdbc/ibmwssib1
Schema Name | idm_sib1
Authentication alias | idm_sib1
Clicking Next takes you back to the Configure messaging engines screen. Now that it has been configured, click Next to proceed.
Keep the defaults on the "Tune performance parameters" screen - Next->Finish->Save
Configure message engines
Select one of the buses you just created (will need to be done for all buses):
Service Integration->Buses->iam_im-IMSBus->Destinations->New
Create new Queues using the following identifiers:
iam_im-IMSEvents
iam_im-wpUtilQueue
iam_im-wpServAutoActQueue
iam_im-RuntimeStatusDetailQueue
iam_im-wpEventQueue
Create a new Topic space using the following identifier:
iam_im-ServerCommand
Go back to the beginning of the IMSBus configuration section and perform the same steps on the other cluster member(s).
JMS Resources Configuration
Queue Connection Factories
Resources->JMS->Queue Connection Factories->Select the scope to be the application server node (will need to do for all clusters)->New
Always use Default Messaging Provider.
Name | JNDI name | Bus name
iam_im-neteQCF | iam/im/jms/factory/javax.jms.QueueConnectionFactory | iam_im-IMSBus
iam_im-wpConnectionFactory | iam/im/jms/factory/jms/wpConnectionFactory | iam_im-IMSBus
Apply.
For both Queue Connection Factory objects, under Additional Properties->Connection pool properties update:
Maximum Connections | 128
PurgePolicy | FailingConnectionOnly
OK->OK
Click New. Go back to the top of the Queue Connection Factories section and complete the configs above for each cluster member.
Topic Connection Factories
Resources->JMS->Topic Connection Factories->Select the scope to be the application server node (will need to do for all clusters)
Always use Default Messaging Provider.
Name | JNDI name | Bus name
iam_im-neteTCF | iam/im/jms/factory/javax.jms.TopicConnectionFactory | iam_im-IMSBus
iam_im-GeneralMonitorCF | iam/im/jms/factory/com/netegrity/idm/GeneralMonitorCF | iam_im-IMSBus
Switch scope and perform the same setup on the remaining cluster(s).
Queues
Resources->JMS->Queues->Select the scope to be the application server node (will need to do for all clusters)->New
Always use Default Messaging Provider.
Name | JNDI name | Bus name | Queue name
iam_im-IMSEvents | iam/im/jms/queue/com.netegrity.ims.msg.queue | iam_im-IMSBus | iam_im-IMSEvents
iam_im-wpServAutoActQueue | iam/im/jms/queue/queue/wpServAutoActQueue | iam_im-IMSBus | iam_im-wpServerAutoActQueue
iam_im-wpUtilQueue | iam/im/jms/queue/queue/wpUtilQueue | iam_im-IMSBus | iam_im-wpUtilQueue
iam_im-RuntimeStatusDetailQueue | iam/im/jms/queue/queue/RuntimeStatusDetailQueue | iam_im-IMSBus | iam_im-RuntimeStatusDetailQueue
iam_im-wpEventQueue | iam/im/jms/queue/queue/wpEventQueue | iam_im-IMSBus | iam_im-wpEventQueue
Topics
Resources->JMS->Topics->Select the scope to be the application server node (will need to do for both clusters)
Always use Default Messaging Provider.
Name | JNDI name | Bus name | Topic name
iam_im-ServerCommand | iam/im/jms/topic/topic/ServerCommandTopic | iam_im-IMSBus | iam_im-ServerCommand
Activation Specifications
Resources->JMS->Activation specifications->Select the scope to be the application server node (will need to do for all clusters)->New
Always use Default Messaging Provider.
Name | JNDI name | Destination type | Destination JNDI name | Bus name
iam_im-act | iam/im/ACT | queue | iam/im/jms/queue/com.netegrity.ims.msg.queue | iam_im-IMSBus
iam_im-wpServAutoActActSpec | iam/im/jms/wpServAutoActActSpec | queue | iam/im/jms/queue/queue/wpServAutoActQueue | iam_im-IMSBus
iam_im-wpUtilActSpec | iam/im/jms/wpUtilActSpec | queue | iam/im/jms/queue/queue/wpUtilQueue | iam_im-IMSBus
iam_im-ServerCommand | iam/im/ServerCommand | topic | iam/im/jms/topic/topic/ServerCommandTopic | iam_im-IMSBus
iam_im-RuntimeStatusDetailQueue | iam/im/jms/RuntimeStatusDetailQueue | queue | iam/im/jms/queue/queue/RuntimeStatusDetailQueue | iam_im-IMSBus
iam_im-wpEventActSpec | iam/im/jms/wpEventActSpec | queue | iam/im/jms/queue/queue/wpEventQueue | iam_im-IMSBus
Mail Resources
Resources->Mail->Mail Sessions->Select the 2 sample sessions->Delete->Select Scope (k1/k2)->New
Name | JNDI name
iam_im-mailMail | iam/im/mail/mail/Mail
This needs to be done on all clusters. Also, update the SMTP value for the mail provider, otherwise you will get an error in SystemOut.log. There is no impact other than the error showing up; the value can be fake and it will make the error go away.
Core Groups Configuration
Servers->Core groups->Core group settings->DefaultCoreGroup->Policies
A policy is automatically created for each messaging engine. You only need to update the Preferred servers list.
Core groups->DefaultCoreGroup->Policies->Select the policy that was created->
Make sure "Failback" and "Preferred servers only" are enabled. "Is alive timer" should be set to 0.
Core groups->DefaultCoreGroup->Policies->Select the policy that was created->Match criteria
Verify or add the following 3 values:
WSAF_BUS = WSAF_SIB
WSAF_SIB_MESSAGING_ENGINE = (IMSBus member) ex: k1_idm_stg2.000-iam_im-IMSBus_k1
type = WSAF_SIB
Core groups->DefaultCoreGroup->Policies->Select the policy that was created->Preferred servers
Add the appropriate *idm_prd*/k1n1s1_idm_prd* server to the Preferred servers list if not already present (one per cluster/node).
Add Node(s): with multiple nodes, one policy will have the primary and secondary servers in one order, while the second policy will have the order reversed. Do not add nodes or the Deployment Manager.
Web Container Configuration
In the administrative console click Servers > Server Types > WebSphere Application Servers > server_name > Web Container settings > Web Container.
Under Additional Properties select Custom Properties.
On the Custom Properties page, click New and create these two Name / Value pairs:
com.ibm.ws.jsp.jdkSourceLevel / 15
com.ibm.ws.webcontainer.invokefilterscompatibility / true
CORBA Naming
In the administrative console click Environment->Naming->CORBA naming service users.
Add user. Select all 4 roles (Cos Naming Read/Write/Create/Delete). Search for the LDAP user IDM* and select the user.
*When updating the workflow.rar, make sure that UserName matches this LDAP user.
Bounce The WebSphere Environment
Next:
Part 2: Creating the IDM ear file for deployment
Part 3: Deploying the IDM ear file