Saturday, October 13, 2012

Manual Deployment of CA IdentityMinder 12.6 on WebSphere 7 on Unix - Part 1 Configure WebSphere

So you need to manually deploy IdentityMinder 12.6 on WebSphere 7? And I don’t mean trying to figure out the “slightly unusable” JACL scripts that come with the product. As with any mature software, you should be able to deploy the ear file to an existing cluster within WebSphere. While the CA documentation has you deploy to a single node and then add an additional cluster member afterwards, that is not how most applications are deployed in WebSphere. You should be able to configure your multi-node clusters and deploy the ear file across multiple nodes without any problems. This is completely doable with CA IdentityMinder 12.5 and 12.6. The only catch is understanding all the configuration required to have the environment set up properly. If it is set up properly, you should have no problems deploying and running IDM.

Note – There were some bugs in IDM r12.5 which caused workflow to not work when you enabled it for a given environment. There are some manual updates required against the workflow DB via the Workpoint Designer. If you need the steps, add a comment and I will post them as well.

This step-by-step guide is based on WebSphere 7.0.23 but is applicable to any supported version of WebSphere 7. This guide was also created based on deployments on AIX and Linux with an Oracle 11 RAC.

Part 1: Configuring WebSphere 7

Update the Java Cryptography Extension (JCE)
Copy the IBM JCE files from \jce_ibm_java:
local_policy.jar
US_export_policy.jar
to:
../WebSphere70/Common/java/jre/lib/security

Create J2C Authentication Alias
You can use one schema user ID for all of the IDM databases, or one for each of them. It is best to use one for each of the 6 IDM databases.

Security->Global Security->Authentication->Java Authentication and Authorization Service->J2C Authentication Data
Create Oracle Users:
Name / Alias | Password
Idm_audit | <password>
Idm_data | <password>
Idm_report | <password>
Idm_archive | <password>
Idm_connect | <password>
Idm_workflow | <password>
Idm_sib1 | <password>

JDBC Resources
Resources->JDBC->JDBC providers

JDBC Provider: create one per cluster
Create an Oracle XA Provider
Point it to the location of the ojdbc6.jar

JDBC Resources (At Cluster Level Using XA Provider)
Name | JNDI name | J2C Authentication User
iam_im Audit Data Source | iam/im/jdbc/auditDbDataSource | Idm_audit
iam_im Object Store Data Source | iam/im/jdbc/jdbc/objectstore | Idm_data
iam_im Report Snapshot Data Source | iam/im/jdbc/jdbc/reportsnapshot | Idm_report
iam_im Task Persistence Archive Data Source | iam/im/jdbc/jdbc/archive | Idm_archive
iam_im Task Persistence Data Source | iam/im/jdbc/jdbc/idm | Idm_connect
iam_im Workflow Data Source | iam/im/jdbc/jdbc/WPDS | Idm_workflow

Required configuration settings for all iam_im-* JDBC resources
Connection Pool Properties:
Connection timeout: 10
Maximum Connections: 200
Minimum Connections: 5
Reap Time: 150
Unused Timeout: 300
Aged Timeout: 300
Purge Policy: FailingConnectionOnly

Additional JDBC Resources (At Cluster Level using non-XA Provider)
Name | JNDI name | J2C Authentication User
SIB1 Message Store | jdbc/ibmwssib1 | Idm_sib1
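The J2C aliases, the Oracle XA provider, the six XA data sources and the required pool settings above can also be created with a wsadmin Jython script instead of clicking through the console, which makes the per-cluster repetition less error-prone. The script below is an added example; it is not part of this post and not one of the CA-supplied JACL scripts. It assumes a cluster named k1, an ojdbc6.jar path and a JDBC URL (all placeholders to replace), that each schema user name equals its alias name, and that the caller supplies the passwords (for instance from a vault or environment variables) rather than hard-coding them. The wsadmin objects AdminTask and AdminConfig are passed in as parameters so the builders can be exercised outside wsadmin; the helper names are my own, and the SIB1 data source on the non-XA provider is not covered.

```python
"""Build and run the wsadmin (Jython) commands for the IDM J2C aliases,
the Oracle XA provider, the XA data sources and their pool settings.

Added example, not part of the original post.  Assumed: cluster 'k1',
placeholder ojdbc6.jar path and JDBC URL, schema user == alias name.
"""

# Alias -> (data source name, JNDI name), from the JDBC Resources table above.
DATA_SOURCES = {
    "idm_audit":    ("iam_im Audit Data Source", "iam/im/jdbc/auditDbDataSource"),
    "idm_data":     ("iam_im Object Store Data Source", "iam/im/jdbc/jdbc/objectstore"),
    "idm_report":   ("iam_im Report Snapshot Data Source", "iam/im/jdbc/jdbc/reportsnapshot"),
    "idm_archive":  ("iam_im Task Persistence Archive Data Source", "iam/im/jdbc/jdbc/archive"),
    "idm_connect":  ("iam_im Task Persistence Data Source", "iam/im/jdbc/jdbc/idm"),
    "idm_workflow": ("iam_im Workflow Data Source", "iam/im/jdbc/jdbc/WPDS"),
}

# Connection pool settings required for every iam_im-* data source.
POOL_SETTINGS = [
    ("connectionTimeout", "10"),
    ("maxConnections", "200"),
    ("minConnections", "5"),
    ("reapTime", "150"),
    ("unusedTimeout", "300"),
    ("agedTimeout", "300"),
    ("purgePolicy", "FailingConnectionOnly"),
]


def auth_entry_args(alias, user, password):
    """Argument string for AdminTask.createAuthDataEntry (one J2C alias)."""
    return "[-alias %s -user %s -password %s]" % (alias, user, password)


def provider_args(cluster, ojdbc_path):
    """Argument string for AdminTask.createJDBCProvider: Oracle, XA, cluster scope."""
    return ("[-scope Cluster=%s -databaseType Oracle "
            '-providerType "Oracle JDBC Driver" -implementationType "XA data source" '
            '-name "Oracle XA Provider" -classpath %s]' % (cluster, ojdbc_path))


def datasource_args(alias, jdbc_url):
    """Argument string for AdminTask.createDatasource for one alias.

    The same alias is used for component-managed auth and XA recovery, so the
    recovery log can reconnect after a failover with the right schema user.
    """
    name, jndi = DATA_SOURCES[alias]
    return ('[-name "%s" -jndiName %s '
            "-dataStoreHelperClassName com.ibm.websphere.rsadapter.Oracle11gDataStoreHelper "
            "-componentManagedAuthenticationAlias %s -xaRecoveryAuthAlias %s "
            "-configureResourceProperties [[URL java.lang.String %s]]]"
            % (name, jndi, alias, alias, jdbc_url))


def pool_args():
    """Attribute list for AdminConfig.modify on a data source's connectionPool."""
    return "[" + " ".join("[%s %s]" % kv for kv in POOL_SETTINGS) + "]"


def configure(admin_task, admin_config, cluster, ojdbc_path, jdbc_url, passwords):
    """Create aliases, provider, data sources and pool settings; return data source ids.

    admin_task / admin_config are wsadmin's AdminTask and AdminConfig objects.
    """
    for alias in DATA_SOURCES:
        admin_task.createAuthDataEntry(auth_entry_args(alias, alias, passwords[alias]))
    provider = admin_task.createJDBCProvider(provider_args(cluster, ojdbc_path))
    created = []
    for alias in DATA_SOURCES:
        ds = admin_task.createDatasource(provider, datasource_args(alias, jdbc_url))
        pool = admin_config.showAttribute(ds, "connectionPool")
        admin_config.modify(pool, pool_args())
        created.append(ds)
    admin_config.save()  # persist to the master repository; sync nodes afterwards
    return created
```

Inside wsadmin (`wsadmin.sh -lang jython -f thisscript.py`) the last line would be a call such as `configure(AdminTask, AdminConfig, "k1", "/opt/oracle/ojdbc6.jar", "jdbc:oracle:thin:@//db-host:1521/IDMSVC", passwords)`, repeated per cluster; run a node sync after saving so the cluster members pick up the new resources.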

 
IMSBus Configuration
Service Integration->Buses->New

Create one bus per cluster, each with a unique name
example: iam_im-IMSBus_k1 for cluster 1 or iam_im-IMSBus_k2 for cluster 2
Uncheck "Bus security" (If someone gets it to work with security enabled, let me know!)
Next -> Finish and Save

Select the newly created iam_im-IMSBus*
Local Topology->Bus members->Add
Select the cluster (needs to be done for both clusters)

Keep defaults on "Messaging engine policy assistance settings"
Policy type should be "High availability" and "Enable messaging engine policy assistance?" should be Enabled.
Click Next

Select the type of message store
Select 'Data Store'
Click Next

Configure messaging engines
Click on the messaging engine created by default

Specify data store properties
Use the existing data sources created for each cluster
(idm_sib1 for k1, idm_sib2 for k2, etc.)
Data Source JNDI Name: jdbc/ibmwssib1
Schema Name: idm_sib1
Authentication alias: idm_sib1

Clicking Next takes you back to the Configure messaging engines screen. Now that the engine has been configured, click Next to proceed.

Keep defaults on "Tune performance parameters" screen - Next->Finish -> Save

Configure message engines
Select one of  the Buses you just created (will need to be done for all buses)

Service Integration->Buses->iam_im-IMSBus->Destinations->New
Create New Queues using the following Identifiers:
iam_im-IMSEvents
iam_im-wpUtilQueue
iam_im-wpServAutoActQueue
iam_im-RuntimeStatusDetailQueue
iam_im-wpEventQueue

New Topic space using the following identifier:
iam_im-ServerCommand

Go back to the beginning of the IMSBus configuration section and perform the same steps on the other cluster member(s).


JMS Resources Configuration

Queue Connection Factories
Resources->JMS->Queue Connection Factories->Select the scope to be the application server node (will need to do for all clusters)
New
Always use Default Messaging Provider
Name | JNDI name | Bus name
iam_im-neteQCF | iam/im/jms/factory/javax.jms.QueueConnectionFactory | iam_im-IMSBus
iam_im-wpConnectionFactory | iam/im/jms/factory/jms/wpConnectionFactory | iam_im-IMSBus
Apply
For both Queue Connection Factory objects, under Additional Properties->Connection pool properties, update:
Maximum Connections: 128
Purge Policy: FailingConnectionOnly
OK->OK
Click New
Go back to the top of the Queue Connection Factories section and complete the configs above for each cluster member


Topic Connection Factories
Resources->JMS->Topic Connection Factories->Select the scope to be the application server node (will need to do for all clusters)
Always use Default Messaging Provider
Name | JNDI name | Bus name
iam_im-neteTCF | iam/im/jms/factory/javax.jms.TopicConnectionFactory | iam_im-IMSBus
iam_im-GeneralMonitorCF | iam/im/jms/factory/com/netegrity/idm/GeneralMonitorCF | iam_im-IMSBus
Switch scope and perform the same setup on the remaining cluster(s)

 
Queues
Resources->JMS->Queues->Select the scope to be the application server node (will need to do for all clusters)
New
Always use Default Messaging Provider
Name | JNDI name | Bus name | Queue name
iam_im-IMSEvents | iam/im/jms/queue/com.netegrity.ims.msg.queue | iam_im-IMSBus | iam_im-IMSEvents
iam_im-wpServAutoActQueue | iam/im/jms/queue/queue/wpServAutoActQueue | iam_im-IMSBus | iam_im-wpServerAutoActQueue
iam_im-wpUtilQueue | iam/im/jms/queue/queue/wpUtilQueue | iam_im-IMSBus | iam_im-wpUtilQueue
iam_im-RuntimeStatusDetailQueue | iam/im/jms/queue/queue/RuntimeStatusDetailQueue | iam_im-IMSBus | iam_im-RuntimeStatusDetailQueue
iam_im-wpEventQueue | iam/im/jms/queue/queue/wpEventQueue | iam_im-IMSBus | iam_im-wpEventQueue



Topics
Resources->JMS->Topics->Select the scope to be the application server node (will need to do for both clusters)
Always use Default Messaging Provider
Name | JNDI name | Bus name | Topic name
iam_im-ServerCommand | iam/im/jms/topic/topic/ServerCommandTopic | iam_im-IMSBus | iam_im-ServerCommand


Activation Specifications
Resources->JMS->Activation specifications->Select the scope to be the application server node (will need to do for all clusters)
New
Always use Default Messaging Provider
Name | JNDI name | Destination type | Destination JNDI name | Bus name
iam_im-act | iam/im/ACT | queue | iam/im/jms/queue/com.netegrity.ims.msg.queue | iam_im-IMSBus
iam_im-wpServAutoActActSpec | iam/im/jms/wpServAutoActActSpec | queue | iam/im/jms/queue/queue/wpServAutoActQueue | iam_im-IMSBus
iam_im-wpUtilActSpec | iam/im/jms/wpUtilActSpec | queue | iam/im/jms/queue/queue/wpUtilQueue | iam_im-IMSBus
iam_im-ServerCommand | iam/im/ServerCommand | topic | iam/im/jms/topic/topic/ServerCommandTopic | iam_im-IMSBus
iam_im-RuntimeStatusDetailQueue | iam/im/jms/RuntimeStatusDetailQueue | queue | iam/im/jms/queue/queue/RuntimeStatusDetailQueue | iam_im-IMSBus
iam_im-wpEventActSpec | iam/im/jms/wpEventActSpec | queue | iam/im/jms/queue/queue/wpEventQueue | iam_im-IMSBus
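The bus destinations, the JMS Queues and Topics tables and the Activation Specifications table above form a chain of references: each JMS queue or topic must name a destination that exists on the bus, and each activation specification must name a JMS queue or topic that exists at the same scope. A typo anywhere in that chain only shows up at runtime, when the message-driven beans fail to start. The script below is an added example (not part of the original post) that cross-checks the chain; the tables are the values as they appear in this guide for iam_im-IMSBus, and check_messaging() itself is generic, so it can be fed the values of any bus. The "bus queue not referenced by any JMS queue" check is my own heuristic, not a WebSphere rule. Run over the values as transcribed here, it reports that the queue name entered for iam_im-wpServAutoActQueue (iam_im-wpServerAutoActQueue) matches no destination created on the bus; whichever spelling the bus actually uses, the JMS queue and the bus destination must agree or the MDB bound through iam_im-wpServAutoActActSpec cannot receive messages.

```python
"""Cross-check the bus destinations, JMS queues/topics and activation
specifications of one IMSBus before bouncing the environment.

Added example, not part of the original post.  The tables below are the
values as transcribed in this guide for iam_im-IMSBus; check_messaging()
accepts the same five tables for any bus.
"""

# Destinations created on the bus (Service Integration -> Buses -> Destinations)
BUS_QUEUES = {
    "iam_im-IMSEvents", "iam_im-wpUtilQueue", "iam_im-wpServAutoActQueue",
    "iam_im-RuntimeStatusDetailQueue", "iam_im-wpEventQueue",
}
BUS_TOPIC_SPACES = {"iam_im-ServerCommand"}

# JMS queues (Resources -> JMS -> Queues): JNDI name -> queue name on the bus
JMS_QUEUES = {
    "iam/im/jms/queue/com.netegrity.ims.msg.queue": "iam_im-IMSEvents",
    "iam/im/jms/queue/queue/wpServAutoActQueue": "iam_im-wpServerAutoActQueue",
    "iam/im/jms/queue/queue/wpUtilQueue": "iam_im-wpUtilQueue",
    "iam/im/jms/queue/queue/RuntimeStatusDetailQueue": "iam_im-RuntimeStatusDetailQueue",
    "iam/im/jms/queue/queue/wpEventQueue": "iam_im-wpEventQueue",
}
# JMS topics (Resources -> JMS -> Topics): JNDI name -> topic space on the bus
JMS_TOPICS = {"iam/im/jms/topic/topic/ServerCommandTopic": "iam_im-ServerCommand"}

# Activation specifications: name -> (destination type, destination JNDI name)
ACT_SPECS = {
    "iam_im-act": ("queue", "iam/im/jms/queue/com.netegrity.ims.msg.queue"),
    "iam_im-wpServAutoActActSpec": ("queue", "iam/im/jms/queue/queue/wpServAutoActQueue"),
    "iam_im-wpUtilActSpec": ("queue", "iam/im/jms/queue/queue/wpUtilQueue"),
    "iam_im-ServerCommand": ("topic", "iam/im/jms/topic/topic/ServerCommandTopic"),
    "iam_im-RuntimeStatusDetailQueue": ("queue", "iam/im/jms/queue/queue/RuntimeStatusDetailQueue"),
    "iam_im-wpEventActSpec": ("queue", "iam/im/jms/queue/queue/wpEventQueue"),
}


def check_messaging(bus_queues, bus_topic_spaces, jms_queues, jms_topics, act_specs):
    """Return a list of problems; an empty list means every reference resolves.

    Links verified, in the order the console has you create them:
      bus destination  <-  JMS queue/topic   (by queue or topic space name)
      JMS queue/topic  <-  activation spec   (by destination JNDI name and type)
    plus a heuristic: a bus queue no JMS queue maps to is usually a typo.
    """
    problems = []
    for jndi, queue_name in jms_queues.items():
        if queue_name not in bus_queues:
            problems.append("JMS queue %s names bus queue '%s', which was not created on the bus"
                            % (jndi, queue_name))
    for jndi, space in jms_topics.items():
        if space not in bus_topic_spaces:
            problems.append("JMS topic %s names topic space '%s', which was not created on the bus"
                            % (jndi, space))
    for name, (dest_type, jndi) in act_specs.items():
        if dest_type not in ("queue", "topic"):
            problems.append("activation spec %s: unknown destination type '%s'" % (name, dest_type))
            continue
        table = jms_queues if dest_type == "queue" else jms_topics
        if jndi not in table:
            problems.append("activation spec %s: no JMS %s with JNDI name %s" % (name, dest_type, jndi))
    for queue_name in sorted(bus_queues - set(jms_queues.values())):
        problems.append("bus queue '%s' is not referenced by any JMS queue" % queue_name)
    return problems


if __name__ == "__main__":
    for line in check_messaging(BUS_QUEUES, BUS_TOPIC_SPACES, JMS_QUEUES, JMS_TOPICS, ACT_SPECS) or ["OK"]:
        print(line)
```

To check the second cluster, build the same five tables with that bus's names (iam_im-IMSBus_k2 and so on) and call check_messaging() again; the JNDI names stay the same across clusters, only the bus and destination names change.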


Mail Resources
Resources->Mail->Mail Sessions->Select the 2 sample sessions->Delete->Select Scope (k1/k2)->New
Name | JNDI name
iam_im-mailMail | iam/im/mail/mail/Mail
This needs to be done on all clusters. Also, set the SMTP value for the mail provider; otherwise an error is written to SystemOut.log. The error has no impact beyond appearing in the log, and even a fake value will make it go away.

Core Groups Configuration
Servers->Core groups -> Core group settings->DefaultCoreGroup->Policies
A policy is automatically created for each message engine. You only need to update the Preferred servers list.


Core groups->DefaultCoreGroup->Policies->Select the policy that was created->
Make sure "Failback" and "Preferred servers only" are enabled.
"Is alive timer" should be set to 0

Core groups->DefaultCoreGroup->Policies->Select the policy that was created->Match criteria
Verify or add the following 3 values:
WSAF_BUS = WSAF_SIB
WSAF_SIB_MESSAGING_ENGINE = (IMSBus member) ex: k1_idm_stg2.000-iam_im-IMSBus_k1
type = WSAF_SIB

Core groups->DefaultCoreGroup->Policies->Select the policy that was created->Preferred servers
Add the appropriate *idm_prd* / k1n1s1_idm_prd* server to the Preferred servers list if it is not already there (one per cluster/node)

Add Node(s)
With multiple nodes, one policy will list the primary and secondary servers in one order, while the second policy will list them in reverse order. Do not add nodes or the Deployment Manager.
 
Web Container Configuration

In the administrative console click Servers > Server Types > WebSphere Application Servers > server_name > Web Container settings > Web Container
Under Additional Properties select Custom Properties.
On the Custom Properties page, click New and create these two Name / Value pairs:
com.ibm.ws.jsp.jdkSourceLevel / 15
com.ibm.ws.webcontainer.invokefilterscompatibility / true

CORBA Naming
In the administrative console click Environment->Naming->CORBA naming services users.
Add user. Select all 4 roles (Cos Naming Read/Write/Create/Delete). Search for LDAP user IDM* and select the user.

* When updating the workflow.rar, make sure that UserName matches this LDAP user.

Bounce The WebSphere Environment

Next
Part 2: Creating the IDM ear file for deployment
Part 3 - Deploying the IDM ear file