In an effort to increase participation and bring more value and interest to our user group, the CA MN Security User Group will be merging with the Ping User Group. Besides the significant overlap, the intent is to create a new vendor-neutral Identity and Access Management User Group. This meeting will be the kickoff to officially merge the groups and set guidelines for how we want to structure this group and what we hope to accomplish going forward.
We hope you will be able to join us and participate in setting that direction. Pass the word and invite your IAM peers. I am very pleased that both Ping Identity and CA have fully embraced this new direction and will continue to support us. As IAM professionals, we tend to all use multiple vendor products and we hope to have a user group that creates a forum for sharing knowledge and best practices across all related technologies.
Please join us to help set direction, get involved, network, and enjoy the company of our peers in the Twin Cities!
Wednesday, August 7th from 4pm till 6pm
16 N. Sixth St., Minneapolis, MN
Information can be found here:
https://communities.ca.com/web/midwest-information-security-user-league/welcome
RSVP can be done here:
http://www.meetup.com/Ping-Identity-User-Group-Twin-Cities/events/125428032/
Technical entries based on years of running enterprise IAM systems and now as a ForgeRock evangelist. Operations and Integrations guy at heart with an obsession with IAM and APM.
Thursday, July 25, 2013
Saturday, October 13, 2012
Manual Deployment of CA IdentityMinder 12.6 on WebSphere 7 on Unix - Part 3: Deploying the IDM ear files
Now that you have the clustered WebSphere environment configured and your IDM ear file modified, the final step is to deploy the ear file. The deployment process includes a few manual (surprise) steps you need to make sure are followed for an error-free startup.
Step 3: Deploy the Identity Manager ear files.
Deploy CA_Styles to the web servers and the cluster. Accept the defaults for the deployment.
Deploy WAS_R126sp#_.ear* and select "Detailed" deployment.
*Make sure the ear file has been configured for deployment in the current WebSphere environment (Part 2 of this series).
Most wizard steps are left at their defaults. Only those that require a change are called out below.
Wizard step 2, Map modules to servers: deploy to your web servers and the cluster.
Wizard step 4, Provide options to compile JSPs: JDK source level 15.
Wizard step 8, Bind listeners for message-driven beans: you only need to update the first 3 modules, but check the remaining 3 as well. The Destination JNDI name shown by the wizard will be missing the iam/im/ prefix.
If you do not make these changes during the deployment, or miss a step, you can still update the values after the deployment. This is one of the most common errors we find when we deploy, and WebSphere's SystemOut.log will complain about it right away at startup.
EJB | Bindings - Activation Specification Target Resource JNDI Name | Destination JNDI name
SubscriberMessageEJB | iam/im/ACT | iam/im/jms/queue/com.netegrity.ims.msg.queue
ServerCommandsEJB | iam/im/ServerCommand | iam/im/jms/topic/topic/ServerCommandTopic
RuntimeStatusDetailEJB | iam/im/jms/RuntimeStatusDetailQueue | iam/im/jms/queue/queue/RuntimeStatusDetailQueue
ServerAutomatedActivityMDBean | iam/im/jms/wpServAutoActActSpec | iam/im/jms/queue/queue/wpServAutoActQueue
EventMDBean | iam/im/jms/wpEventActSpec | iam/im/jms/queue/queue/wpEventQueue
UtilityMDBean | iam/im/jms/wpUtilActSpec | iam/im/jms/queue/queue/wpUtilQueue
The rest are left at their defaults. Do not start the new applications yet; the post-deployment configuration below comes first.
Post Deployment Configuration
PolicyServer J2C Connection Factory Configuration
Enterprise Applications > IdentityMinder > Manage Modules > policyserverRA > Resource Adapter > J2C connection factories > New
Name | JNDI name
iam_im-PolicyServerConnection | iam/im/rar/nete/rar/PolicyServerConnection
Set all Container-managed authentication alias values to "None".
Optional: validate that the settings are appropriate for the SiteMinder environment:
Enterprise Applications > IdentityMinder > Manage Modules > policyserver.rar > IdentityMinder.PolicyServerRA > J2C connection factories > PolicyServerConnection > Custom properties
Validate the SiteMinder settings here. Leave SiteMinder integration turned off (enabled: false) while you troubleshoot other startup issues first, then enable it once the IDM application is validated to work.
Workflow J2C Connection Factory Configuration
Now select the following from the actions menu: Enterprise Applications > IdentityMinder > Manage Modules > WorkflowRA > Resource Adapter > J2C connection factories > New
Name | JNDI name
iam_im-Workflow | iam/im/rar/Workflow
Set all Container-managed authentication alias values to "None".
Do not delete the existing connection factory.
User Console Class Loader and WorkPoint Server Configuration
Now select the following from the actions menu: Enterprise Applications > IdentityMinder > Manage Modules > IMS-UI
Change the class loader order to "Classes loaded with local class loader first (parent last)" - Starting weight: 4000
Also select Enterprise Applications > IdentityMinder > Manage Modules > wpServer.jar
Starting weight: 500
Application Server LIBPATH Configuration
Navigate to Servers -> Server Types -> WebSphere Application Servers -> server -> Server Infrastructure -> Java and Process Management -> Process definition -> Environment Entries -> New
Name | Value*
LIBPATH | .../WebSphere/Common/
*The path will be unique for each application server.
Update Web Server Plug-in
Environment -> Update global Web Server plug-in configuration
Click OK to update the plug-in.
Starting Identity Manager
Make sure the nodes are in sync and restart the WebSphere environment:
System Administration > Nodes: check the sync status.
Restart WebSphere on all nodes.
Check SystemOut.log for any errors.
Check the Identity Manager console for validation:
http://host:port/iam/immanage/
Now you are ready to create your first environment.
For other tips on IdentityMinder deployments as well as important security parameters, check these postings on the Binary Blogger site:
http://www.binaryblogger.com/p/ca-identityminder-posts.html
For previous posts in this series:
Part 1 - Configuring WebSphere 7
Part 2: Creating the IDM ear file for deployment
Manual Deployment of CA IdentityMinder 12.6 on WebSphere 7 on Unix - Part 2 Creating the IDM.ear for deployment
Before you deploy the IDM ear file, you need to make some modifications in order to make it work within your environment. You can extract and package the ear file from your Windows desktop easily. You only need a Java JDK installed and the JDK's bin directory (which contains the jar tool) on your PATH.
Extracting the Ear
It doesn't matter on which platform you run the IdentityMinder installer to obtain the IDM EAR file. For example, I will install IdentityMinder 12.6 on my Windows 7 workstation and select the option to only create the ear files.
Extract WAS_IMr12.ear to a working directory /:
jar -xvf WAS_IMr12.ear
Create the folders policyserver, user_console and workflow, and move the nested archives into them:
Move policyserver.rar into /policyserver
Move user_console.war into /user_console
Move workflow.rar into /workflow
Update Workpoint ports
Under the /config folder:
!!Update the following file and value to match the WebSphere application server BOOTSTRAP_ADDRESS!!
workpoint-client.properties
java.naming.provider.url=iiop://localhost:9810 (Change localhost to the server name.)
Update the following file and value to match the web server port:
workpoint-server.properties
# This URL tells the WorkPoint Server where the WorkPoint Gateway is located.
workpoint.gateway.url=http://localhost:8080/wpGateway/ (Change localhost to the server name and use the correct port, either WebSphere's or IHS's if you are fronting WebSphere with IHS.)
Update Provisioning Server shared secret
Under custom/identitymanager, edit systemWideProperties.properties:
# Shared secret for the Provisioning server callback
IMeTASharedSecret={PBES}:xfx89…….
Get the encrypted values for this and other properties from the password tool on the IdM server:
.../CA/IdentityManager/IAM_Suite/Identity_Manager/tools/PasswordTool
./pwdtools.sh -JSAFE -p P@ssword
Passing the secret on the command line like this exposes it in your shell history and, for as long as the tool runs, in the process list. Clear the history entry afterwards (or run the tool with history disabled) and do not check in a script with the real secret embedded.
Update SiteMinder Policy Server Configuration (only if enabling SiteMinder integration; this can also be done via the WebSphere console post deployment)
cd into the policyserver/ folder and explode the policyserver.rar:
jar -xvf policyserver.rar
cd into /policyserver/META-INF and update the ra.xml file with the correct SiteMinder environment information. You will need all policy servers listed, the admin ID, the agent name, and the password hashes. The config-property values to set:
ValidateSMHeadersWithPS: true
enabled: false
FIPSMode: false
ConnectionURL: policyserver1,44443,44443,44443
UserName: siteminder
AdminSecret: password, encrypted*
AgentName: the 4.x agent created for use by IdM
AgentSecret: the 4.x agent password, encrypted*
ConnectionMin: 8
ConnectionMax: 128
ConnectionStep: 8
ConnectionTimeout: 1000
FailoverServers: policyserver1,44443,44443,44443;policyserver2,44443,44443,44443
Failover: true
*Encrypt these with the password tool (pwdtools.sh) described above; do not put the plaintext SiteMinder admin or agent password in ra.xml.
Repackage policyserver.rar: move up one level to /policyserver, delete the existing policyserver.rar, and run
jar -cvf policyserver.rar *
Move the new policyserver.rar up one level to / and delete the /policyserver/ folder.
Update User Console Config (only required if enabling SiteMinder integration)
cd into /user_console and explode the user_console.war:
jar -xvf user_console.war
cd into /user_console/WEB-INF and, in web.xml, set the Enable init parameter of the FrameworkAuthFilter (filter class com.netegrity.webapp.authentication.FrameworkLoginFilter) to false, so that the console's own login filter is disabled and the SiteMinder agent handles authentication:
FrameworkAuthFilter
com.netegrity.webapp.authentication.FrameworkLoginFilter
Enable
false
Repackage user_console.war: move up one level to /user_console, delete the existing user_console.war, and run
jar -cvf user_console.war *
Move the new user_console.war up one level to / and delete the /user_console/ folder.
Update Workflow Config
cd into /workflow and explode the workflow.rar:
jar -xvf workflow.rar
cd into /workflow/META-INF and edit ra.xml, setting these two config-property values:
UserName (java.lang.String): IDM
Password (java.lang.String): sn0wba11 (example value)
This IDM user must exist and be referenced by WebSphere at runtime. Also, do NOT encrypt the password here; WebSphere encodes it at deployment time. Keep in mind that WebSphere's default password encoding ({xor}) is reversible obfuscation, not encryption, so treat the modified workflow.rar, the repackaged ear and the deployed configuration files as secrets: keep them out of shared drops and source control, and delete the working copies once deployed. The location of this ID will depend on your WebSphere Global Security configuration. For example, if WebSphere Global Security is leveraging LDAP, this ID would need to be in LDAP (it is the same ID that is granted the CORBA naming roles in Part 1).
Repackage workflow.rar: move up one level to /workflow, delete the existing workflow.rar, and run
jar -cvf workflow.rar *
Move the new workflow.rar up one level to / and delete the /workflow/ folder.
Repackage Ear
After all modifications are made, repackage the ear for the particular environment being deployed to. From the working directory, delete the existing WAS_IMr12.ear and package the new ear with the following naming format:
WAS_IMr12(major version)sp(service pack version)_environment.ear
jar -cvf WAS_IMr126_Dev.ear *
Now you are ready to deploy your ear file.
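The whole Part 2 procedure, scripted. This is an added example and not CA's tooling or code from the original post: it uses Python's zipfile module in place of the jar tool (ear, rar, war and jar files are all zip archives), applies the edits above (the WorkPoint bootstrap and gateway URLs, the IMeTASharedSecret value, and config-property values in the nested policyserver.rar and workflow.rar ra.xml files) and repackages everything in one pass, failing loudly if a key or property it expects is not there. The archive layout it assumes is the one described in this post; build_sample_ear() constructs a small stand-in for WAS_IMr12.ear so the script runs offline, and the shared secret is expected to arrive already encrypted from pwdtools.sh (nothing here encrypts anything).

```python
import io
import re
import zipfile


def rewrite_zip(data, edits):
    """Return a new archive with `edits` applied. jar, ear, rar and war files
    are all zip files, so this replaces 'jar -xvf' / edit / 'jar -cvf'.
    `edits` maps a member name to a function(bytes) -> bytes; every other
    member, including META-INF/MANIFEST.MF and untouched nested archives,
    is copied as-is."""
    src = zipfile.ZipFile(io.BytesIO(data))
    out_buf = io.BytesIO()
    with zipfile.ZipFile(out_buf, "w") as out:
        for info in src.infolist():
            content = src.read(info.filename)
            if info.filename in edits:
                content = edits[info.filename](content)
            out.writestr(info, content)
    return out_buf.getvalue()


def set_property(text, key, value):
    """Set key=value in Java .properties text; fail if the key is absent so a
    renamed file or a typo in the key does not go unnoticed."""
    pattern = re.compile(r"^(\s*%s\s*=).*$" % re.escape(key), re.M)
    text, hits = pattern.subn(lambda m: m.group(1) + value, text)
    if hits == 0:
        raise KeyError("property %s not found" % key)
    return text


def set_config_property(xml, name, value):
    """Set <config-property-value> of the ra.xml <config-property> named
    `name` (name / type / value layout as shown in the post)."""
    pattern = re.compile(
        r"(<config-property-name>\s*%s\s*</config-property-name>"
        r"(?:(?!</config-property>).)*?<config-property-value>)"
        r"(.*?)(</config-property-value>)" % re.escape(name), re.S)
    xml, hits = pattern.subn(lambda m: m.group(1) + value + m.group(3), xml)
    if hits != 1:
        raise KeyError("config-property %s not found exactly once" % name)
    return xml


def patch_idm_ear(ear, provider_url, gateway_url, shared_secret, ra_edits):
    """Apply the Part 2 edits to an IDM ear held in memory. `shared_secret`
    is the {PBES}: value produced by pwdtools.sh. `ra_edits` maps a nested
    RAR name to the config-property values to set in its META-INF/ra.xml,
    e.g. {"workflow.rar": {"UserName": "IDM", "Password": "..."}}."""
    def props(key, value):
        return lambda b: set_property(b.decode(), key, value).encode()

    edits = {
        "config/workpoint-client.properties": props("java.naming.provider.url", provider_url),
        "config/workpoint-server.properties": props("workpoint.gateway.url", gateway_url),
        "custom/identitymanager/systemWideProperties.properties": props("IMeTASharedSecret", shared_secret),
    }
    for rar_name, values in ra_edits.items():
        def patch_ra(b, values=values):
            xml = b.decode()
            for name, value in values.items():
                xml = set_config_property(xml, name, value)
            return xml.encode()
        # Explode the RAR, patch ra.xml, repackage: all inside the ear rewrite.
        edits[rar_name] = lambda b, f=patch_ra: rewrite_zip(b, {"META-INF/ra.xml": f})
    return rewrite_zip(ear, edits)


def read_member(archive, *path):
    """Read a member as text, descending into nested archives:
    read_member(ear, "workflow.rar", "META-INF/ra.xml")."""
    data = archive
    for name in path:
        data = zipfile.ZipFile(io.BytesIO(data)).read(name)
    return data.decode()


def build_sample_ear():
    """Constructed stand-in for WAS_IMr12.ear holding only the members Part 2
    touches, with the default values the post shows. Not the real CA archive."""
    def rar(props):
        xml = "<connector>%s</connector>" % "".join(
            "<config-property><config-property-name>%s</config-property-name>"
            "<config-property-type>java.lang.String</config-property-type>"
            "<config-property-value>%s</config-property-value></config-property>" % kv
            for kv in props)
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            z.writestr("META-INF/ra.xml", xml)
        return buf.getvalue()

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("config/workpoint-client.properties",
                   "java.naming.provider.url=iiop://localhost:9810\n")
        z.writestr("config/workpoint-server.properties",
                   "# This URL tells the WorkPoint Server where the WorkPoint Gateway is located.\n"
                   "workpoint.gateway.url=http://localhost:8080/wpGateway/\n")
        z.writestr("custom/identitymanager/systemWideProperties.properties",
                   "# Shared secret for the Provisioning server callback\nIMeTASharedSecret=\n")
        z.writestr("policyserver.rar", rar([("enabled", "false"), ("ConnectionURL", "")]))
        z.writestr("workflow.rar", rar([("UserName", "IDM"), ("Password", "changeit")]))
    return buf.getvalue()
```

Usage: patch_idm_ear(open("WAS_IMr12.ear", "rb").read(), "iiop://idmapp01:9810", "http://idmapp01:9080/wpGateway/", secret_from_pwdtools, {"workflow.rar": {"UserName": "IDM", "Password": wf_password}}) returns the bytes to write out as WAS_IMr126_Dev.ear. The host names and ports in that call are placeholders. Because the resulting ear carries the un-encoded workflow password and the SiteMinder settings, keep it in a controlled location and delete the working copy after deployment.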
Manual Deployment of CA IdentityMinder 12.6 on WebSphere 7 on Unix - Part 1 Configure WebSphere
Next:
Part 2: Creating the IDM ear file for deployment
Part 3 - Deploying the IDM ear file
So you need to manually deploy IdentityMinder 12.6 on WebSphere 7? And I don't mean trying to figure out the "slightly unusable" JACL scripts that come with the product. As with any mature software, you should be able to deploy the ear file to an existing cluster within WebSphere. While the CA documentation has you deploy to a single node and then add an additional cluster member afterwards, that is not how most applications are deployed in WebSphere. You should be able to configure your multi-node clusters and deploy the ear file across multiple nodes without any problems. This is completely doable with CA IdentityMinder 12.5 and 12.6. The only catch is to understand all the configuration required to have the environment set up properly. If it is set up properly, you should have no problems deploying and running IDM.
Note - There were some bugs in IDM r12.5 which cause workflow to not work when you enable it for a given environment. There are some manual updates required against the workflow DB via the WorkPoint Designer. If you need the steps, add a comment and I will post them as well.
This step-by-step guide is based on WebSphere 7.0.23 but is applicable to any supported version of WebSphere 7. This guide was also created based on deployments on AIX and Linux with an Oracle 11 RAC.
Part 1: Configuring WebSphere 7
Update the Java Cryptography Extension (JCE)
Copy the IBM JCE policy files from:
\jce_ibm_java
local_policy.jar
US_export_policy.jar
to:
../WebSphere70/Common/java/jre/lib/security
Back up the existing local_policy.jar and US_export_policy.jar first; they are overwritten, not merged.
Create J2C Authentication Alias
You can use one schema user ID, or one for each of the IDM databases. It is best to use one for each of the 6 IDM databases (plus one for the SIB message store).
Security -> Global Security -> Authentication -> Java Authentication and Authorization Service -> J2C Authentication Data
Create the Oracle users and an alias for each:
Name / Alias | Password
Idm_audit | Password
Idm_data | Password
Idm_report | Password
Idm_archive | Password
Idm_connect | Password
Idm_workflow | Password
Idm_sib1 | Password
JDBC Resources
Resources -> JDBC -> JDBC providers
JDBC Provider: create one per cluster. Create an Oracle XA provider pointing to the location of ojdbc6.jar.
JDBC Resources (at cluster level, using the XA provider)
Name | JNDI name | J2C Authentication User
iam_im Audit Data Source | iam/im/jdbc/auditDbDataSource | Idm_audit
iam_im Object Store Data Source | iam/im/jdbc/jdbc/objectstore | Idm_data
iam_im Report Snapshot Data Source | iam/im/jdbc/jdbc/reportsnapshot | Idm_report
iam_im Task Persistence Archive Data Source | iam/im/jdbc/jdbc/archive | Idm_archive
iam_im Task Persistence Data Source | iam/im/jdbc/jdbc/idm | Idm_connect
iam_im Workflow Data Source | iam/im/jdbc/jdbc/WPDS | Idm_workflow
Required configuration settings for all iam_im-* JDBC resources (Connection Pool Properties; times in seconds):
Connection timeout | 10
Maximum connections | 200
Minimum connections | 5
Reap time | 150
Unused timeout | 300
Aged timeout | 300
Purge policy | FailingConnectionOnly
Additional JDBC Resources (at cluster level, using a non-XA provider)
Name | JNDI name | J2C Authentication User
SIB1 Message Store | jdbc/ibmwssib1 | Idm_sib1
IMSBUS Configuration
Service Integration -> Buses -> New
Create a bus, one per cluster, each with a unique name. Example: iam_im-IMSBus_k1 for cluster 1 or iam_im-IMSBus_k2 for cluster 2.
Uncheck "Bus security". (If someone gets it to work with security enabled, let me know!) With bus security disabled, anything that can reach the messaging engine's endpoints can connect to the bus and its destinations without authenticating, so make sure those ports are reachable only from the cluster members.
Next -> Finish and Save
Select the newly created iam_im-IMSBus*
Local Topology -> Bus members -> Add
Select the cluster (needs to be done for both clusters).
Keep the defaults on "Messaging engine policy assistance settings": the policy type should be "High availability" and "Enable messaging engine policy assistance?" enabled.
Click Next.
Select the type of message store: select "Data Store". Click Next.
Configure messaging engines: click on the messaging engine created by default and specify the data store properties, using the existing data sources created for each cluster (idm_sib1 for k1, idm_sib2 for k2, etc.):
Data Source JNDI Name | jdbc/ibmwssib1
Schema Name | idm_sib1
Authentication alias | idm_sib1
Clicking Next takes you back to the "Configure messaging engines" screen. Now that it has been configured, click Next to proceed.
Keep the defaults on the "Tune performance parameters" screen -> Next -> Finish -> Save
Create bus destinations
Select one of the buses you just created (will need to be done for all buses):
Service Integration -> Buses -> iam_im-IMSBus -> Destinations -> New
Create new Queues using the following identifiers:
iam_im-IMSEvents
iam_im-wpUtilQueue
iam_im-wpServAutoActQueue
iam_im-RuntimeStatusDetailQueue
iam_im-wpEventQueue
New Topic space using the following identifier:
iam_im-ServerCommand
Go back to the beginning of the IMSBus configuration section and perform the same steps on the other cluster member(s).
JMS Resources Configuration
Queue Connection Factories
Resources -> JMS -> Queue Connection Factories -> select the scope to be the application server node (will need to do for all clusters) -> New
Always use the Default Messaging Provider.
Name | JNDI name | Bus name
iam_im-neteQCF | iam/im/jms/factory/javax.jms.QueueConnectionFactory | iam_im-IMSBus
iam_im-wpConnectionFactory | iam/im/jms/factory/jms/wpConnectionFactory | iam_im-IMSBus
Apply.
For both Queue Connection Factory objects, under Additional Properties -> Connection pool properties update:
Maximum connections | 128
Purge policy | FailingConnectionOnly
OK -> OK. Click New to create the second factory.
Go back to the top of the Queue Connection Factories section and complete the configs above for each cluster member.
Topic Connection Factories
Resources -> JMS -> Topic Connection Factories -> select the scope to be the application server node (will need to do for all clusters) -> New
Always use the Default Messaging Provider.
Name | JNDI name | Bus name
iam_im-neteTCF | iam/im/jms/factory/javax.jms.TopicConnectionFactory | iam_im-IMSBus
iam_im-GeneralMonitorCF | iam/im/jms/factory/com/netegrity/idm/GeneralMonitorCF | iam_im-IMSBus
Switch scope and perform the same setup on the remaining cluster(s).
Queues
Resources -> JMS -> Queues -> select the scope to be the application server node (will need to do for all clusters) -> New
Always use the Default Messaging Provider.
Name | JNDI name | Bus name | Queue name
iam_im-IMSEvents | iam/im/jms/queue/com.netegrity.ims.msg.queue | iam_im-IMSBus | iam_im-IMSEvents
iam_im-wpServAutoActQueue | iam/im/jms/queue/queue/wpServAutoActQueue | iam_im-IMSBus | iam_im-wpServAutoActQueue
iam_im-wpUtilQueue | iam/im/jms/queue/queue/wpUtilQueue | iam_im-IMSBus | iam_im-wpUtilQueue
iam_im-RuntimeStatusDetailQueue | iam/im/jms/queue/queue/RuntimeStatusDetailQueue | iam_im-IMSBus | iam_im-RuntimeStatusDetailQueue
iam_im-wpEventQueue | iam/im/jms/queue/queue/wpEventQueue | iam_im-IMSBus | iam_im-wpEventQueue
The Queue name must match the bus destination created in the IMSBus section exactly (iam_im-wpServAutoActQueue, not a variation of it).
Topics
Resources -> JMS -> Topics -> select the scope to be the application server node (will need to do for both clusters) -> New
Always use the Default Messaging Provider.
Name | JNDI name | Bus name | Topic name
iam_im-ServerCommand | iam/im/jms/topic/topic/ServerCommandTopic | iam_im-IMSBus | iam_im-ServerCommand
Activation Specifications
Resources -> JMS -> Activation specifications -> select the scope to be the application server node (will need to do for all clusters) -> New
Always use the Default Messaging Provider.
Name | JNDI name | Destination type | Destination JNDI name | Bus name
iam_im-act | iam/im/ACT | queue | iam/im/jms/queue/com.netegrity.ims.msg.queue | iam_im-IMSBus
iam_im-wpServAutoActActSpec | iam/im/jms/wpServAutoActActSpec | queue | iam/im/jms/queue/queue/wpServAutoActQueue | iam_im-IMSBus
iam_im-wpUtilActSpec | iam/im/jms/wpUtilActSpec | queue | iam/im/jms/queue/queue/wpUtilQueue | iam_im-IMSBus
iam_im-ServerCommand | iam/im/ServerCommand | topic | iam/im/jms/topic/topic/ServerCommandTopic | iam_im-IMSBus
iam_im-RuntimeStatusDetailQueue | iam/im/jms/RuntimeStatusDetailQueue | queue | iam/im/jms/queue/queue/RuntimeStatusDetailQueue | iam_im-IMSBus
iam_im-wpEventActSpec | iam/im/jms/wpEventActSpec | queue | iam/im/jms/queue/queue/wpEventQueue | iam_im-IMSBus
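The binding mistakes this series warns about (in Part 3, an MDB destination JNDI name missing its iam/im/ prefix; here, a JMS queue whose Queue name must match a bus destination exactly) are cheap to catch before you bounce WebSphere. The following is an added example, not code from the post or from CA: it holds the Part 1 JMS tables and the Part 3 MDB binding table as Python data, transcribed from this page for a single bus (iam_im-IMSBus), and cross-checks the chain bus destination -> JMS queue/topic -> activation specification -> MDB listener binding. validate() returns a list of human-readable problems, empty when the wiring is consistent; with_change() is only there to produce the broken variants shown in the usage note.

```python
# Cross-check of the IdentityMinder JMS wiring. The tables below are
# transcribed from Part 1 and Part 3 of this series for one bus; a second
# cluster/bus would be added as further entries in the same structures.

# Bus destinations (Service Integration -> Buses -> Destinations)
BUS_DESTINATIONS = {
    "iam_im-IMSBus": {
        "queue": {"iam_im-IMSEvents", "iam_im-wpUtilQueue", "iam_im-wpServAutoActQueue",
                  "iam_im-RuntimeStatusDetailQueue", "iam_im-wpEventQueue"},
        "topic": {"iam_im-ServerCommand"},  # the topic space
    }
}

# JMS queues/topics: JNDI name -> (kind, bus, queue or topic name on the bus)
JMS_DESTINATIONS = {
    "iam/im/jms/queue/com.netegrity.ims.msg.queue": ("queue", "iam_im-IMSBus", "iam_im-IMSEvents"),
    "iam/im/jms/queue/queue/wpServAutoActQueue": ("queue", "iam_im-IMSBus", "iam_im-wpServAutoActQueue"),
    "iam/im/jms/queue/queue/wpUtilQueue": ("queue", "iam_im-IMSBus", "iam_im-wpUtilQueue"),
    "iam/im/jms/queue/queue/RuntimeStatusDetailQueue": ("queue", "iam_im-IMSBus", "iam_im-RuntimeStatusDetailQueue"),
    "iam/im/jms/queue/queue/wpEventQueue": ("queue", "iam_im-IMSBus", "iam_im-wpEventQueue"),
    "iam/im/jms/topic/topic/ServerCommandTopic": ("topic", "iam_im-IMSBus", "iam_im-ServerCommand"),
}

# Activation specifications: JNDI name -> (destination type, destination JNDI, bus)
ACTIVATION_SPECS = {
    "iam/im/ACT": ("queue", "iam/im/jms/queue/com.netegrity.ims.msg.queue", "iam_im-IMSBus"),
    "iam/im/jms/wpServAutoActActSpec": ("queue", "iam/im/jms/queue/queue/wpServAutoActQueue", "iam_im-IMSBus"),
    "iam/im/jms/wpUtilActSpec": ("queue", "iam/im/jms/queue/queue/wpUtilQueue", "iam_im-IMSBus"),
    "iam/im/ServerCommand": ("topic", "iam/im/jms/topic/topic/ServerCommandTopic", "iam_im-IMSBus"),
    "iam/im/jms/RuntimeStatusDetailQueue": ("queue", "iam/im/jms/queue/queue/RuntimeStatusDetailQueue", "iam_im-IMSBus"),
    "iam/im/jms/wpEventActSpec": ("queue", "iam/im/jms/queue/queue/wpEventQueue", "iam_im-IMSBus"),
}

# Part 3, deployment wizard step 8: MDB -> (activation spec JNDI, destination JNDI)
MDB_BINDINGS = {
    "SubscriberMessageEJB": ("iam/im/ACT", "iam/im/jms/queue/com.netegrity.ims.msg.queue"),
    "ServerCommandsEJB": ("iam/im/ServerCommand", "iam/im/jms/topic/topic/ServerCommandTopic"),
    "RuntimeStatusDetailEJB": ("iam/im/jms/RuntimeStatusDetailQueue", "iam/im/jms/queue/queue/RuntimeStatusDetailQueue"),
    "ServerAutomatedActivityMDBean": ("iam/im/jms/wpServAutoActActSpec", "iam/im/jms/queue/queue/wpServAutoActQueue"),
    "EventMDBean": ("iam/im/jms/wpEventActSpec", "iam/im/jms/queue/queue/wpEventQueue"),
    "UtilityMDBean": ("iam/im/jms/wpUtilActSpec", "iam/im/jms/queue/queue/wpUtilQueue"),
}

JNDI_PREFIX = "iam/im/"


def validate(bus_destinations, jms_destinations, activation_specs, mdb_bindings):
    """Return a list of wiring problems; empty means everything lines up."""
    problems = []
    # 1. Every JMS queue/topic must name a destination that exists on its bus.
    for jndi, (kind, bus, name) in jms_destinations.items():
        existing = bus_destinations.get(bus, {}).get(kind, set())
        if name not in existing:
            problems.append("JMS %s %s: %s is not a %s destination on bus %s"
                            % (kind, jndi, name, kind, bus))
    # 2. Every activation spec must point at a JMS destination of the same
    #    type on the same bus.
    for jndi, (kind, dest_jndi, bus) in activation_specs.items():
        target = jms_destinations.get(dest_jndi)
        if target is None:
            problems.append("activation spec %s: destination %s is not defined" % (jndi, dest_jndi))
        elif target[0] != kind or target[1] != bus:
            problems.append("activation spec %s: %s is a %s on %s, expected %s on %s"
                            % (jndi, dest_jndi, target[0], target[1], kind, bus))
    # 3. Every MDB binding must use a defined activation spec and that spec's
    #    destination JNDI name, including the iam/im/ prefix the wizard leaves out.
    for mdb, (spec_jndi, dest_jndi) in mdb_bindings.items():
        if not dest_jndi.startswith(JNDI_PREFIX):
            problems.append("%s: destination JNDI %s is missing the %s prefix" % (mdb, dest_jndi, JNDI_PREFIX))
        spec = activation_specs.get(spec_jndi)
        if spec is None:
            problems.append("%s: activation spec %s is not defined" % (mdb, spec_jndi))
        elif spec[1] != dest_jndi:
            problems.append("%s: destination %s differs from activation spec %s's %s"
                            % (mdb, dest_jndi, spec_jndi, spec[1]))
    return problems


def with_change(table, key, value):
    """Copy a table with one entry replaced (used to demonstrate failures)."""
    copy = dict(table)
    copy[key] = value
    return copy


if __name__ == "__main__":
    print(validate(BUS_DESTINATIONS, JMS_DESTINATIONS, ACTIVATION_SPECS, MDB_BINDINGS))
    # The deployment wizard's usual mistake: prefix dropped from an MDB destination.
    broken = with_change(MDB_BINDINGS, "SubscriberMessageEJB",
                         ("iam/im/ACT", "jms/queue/com.netegrity.ims.msg.queue"))
    for problem in validate(BUS_DESTINATIONS, JMS_DESTINATIONS, ACTIVATION_SPECS, broken):
        print(problem)
```

Running the script as-is prints an empty list for the page's configuration, then the two findings for the un-prefixed MDB destination (missing prefix, and mismatch with what iam/im/ACT actually listens on). Swapping the Queue name of iam/im/jms/queue/queue/wpServAutoActQueue for a misspelling such as iam_im-wpServerAutoActQueue is reported by the first check, which is the kind of typo that is otherwise only found by reading SystemOut.log after the restart.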
Mail Resources
Resources -> Mail -> Mail Sessions -> select the 2 sample sessions -> Delete -> select scope (k1/k2) -> New
Name | JNDI name
iam_im-mailMail | iam/im/mail/mail/Mail
Needs to be done on all clusters. Also, set the SMTP host for the mail provider; otherwise you will get an error in SystemOut.log. There is no impact other than the error showing up, and a placeholder value makes the error go away, but it has to be a real SMTP host before any mail notifications can be delivered.
Core Groups Configuration
Servers -> Core groups -> Core group settings -> DefaultCoreGroup -> Policies
A policy is automatically created for each messaging engine. You only need to update the Preferred servers list.
Core groups -> DefaultCoreGroup -> Policies -> select the policy that was created:
Make sure "Fail back" and "Preferred servers only" are enabled. "Is alive timer" should be set to 0.
Core groups -> DefaultCoreGroup -> Policies -> select the policy that was created -> Match criteria
Verify or add the following 3 values:
WSAF_BUS = WSAF_SIB
WSAF_SIB_MESSAGING_ENGINE = (IMSBus member), e.g. k1_idm_stg2.000-iam_im-IMSBus_k1
type = WSAF_SIB
Core groups -> DefaultCoreGroup -> Policies -> select the policy that was created -> Preferred servers
Add the appropriate *idm_prd*/k1n1s1_idm_prd* server to the Preferred servers list if not already there (one per cluster/node).
Add Node(s): with multiple nodes, one policy will list the primary and secondary servers in one order, while the 2nd policy will have the order reversed. Do not add nodes or the Deployment Manager.
Web Container Configuration
In the administrative console click Servers > Server Types > WebSphere Application Servers > server_name > Web Container Settings > Web Container.
Under Additional Properties select Custom Properties.
On the Custom Properties page, click New and create these two Name / Value pairs:
com.ibm.ws.jsp.jdkSourceLevel / 15
com.ibm.ws.webcontainer.invokefilterscompatibility / true
CORBA Naming
In the administrative console click Environment -> Naming -> CORBA naming service users.
Add a user. Select all 4 roles (Cos Naming Read/Write/Create/Delete). Search for the LDAP user IDM* and select the user.
*When updating the workflow.rar, make sure that its UserName matches this LDAP user.
Bounce The WebSphere Environment