
AIMS Installation and Licensing Guide

Version 9

2603 Camino Ramon Suite 110 San Ramon, CA 94583 Toll Free: 800-609-8610 Direct: 925-217-5170 FAX: 925-217-0853 Email: [email protected]

AIMS Installation and Licensing Guide Page 2

Limited Warranty

Avatier Corporation warrants that the overall performance of the software will be substantially in accordance with its documentation. Avatier Corporation makes no warranty, representation, or promise not expressly set forth in this limited warranty. Avatier Corporation does not warrant that the software or documentation will satisfy your requirements, that the software and documentation are without defect or error, or that the operation of the software will be uninterrupted. Avatier Corporation disclaims and excludes any and all implied warranties of merchantability, title, and fitness for a particular purpose.

Limitations on Liability and Remedies

Avatier Corporation's liability arising from your use of the software and its documentation is limited to the total paid by or for you for the software package. Neither Avatier Corporation nor any of its licensers, employees, or agents shall be liable for any special, incidental, consequential, indirect, or punitive damages, even if advised of the possibility of those damages. This warranty gives you specific legal rights. You may have others, which vary from state to state.


Table of Contents

1 AIMS Installation Guidelines 5
1.1 Server Requirements 5
1.2 AIMS Server Build Steps 7
1.3 Service Account Requirements 7
1.4 Determine the Location of the AIMS Audit Logs and AIMS Configuration Files 8
1.5 Important .NET and ASP.NET Performance Considerations
1.6 Dr. Watson Process and AIMS
1.7 .NET 1.1 and .NET 2.0/3.5 Runtime Differences 8
1.8 Important Information for Web Agent (SOAP) Based Connectors 9
1.9 Obtain the Latest AIMS Software 10
1.10 Software Installation 11
2 Licensing AIMS Products 22
2.1 Accessing the Main Configuration Page 22
2.2 Applying the AIMS Product License 23
2.2.1 Online Licensing 23
2.2.2 Offline Licensing 25


Table of Figures

Figure 1 - Avatier Identity Management Server Installation Wizard 11
Figure 2 - Click Through License Agreement 12
Figure 3 - Destination Folder Selection Screen 13
Figure 4 - AIMS Service Account Configuration 14
Figure 5 - AIMS Products Selection Screen 15
Figure 6 - Enrollment Domain Selection Screen 16
Figure 7 - Domain Selection Screen 17
Figure 8 - Web Resources Configuration Dialog 18
Figure 9 - Web Site Configuration Notes 19
Figure 10 - Installation Progress Dialog 20
Figure 11 - Installation Wizard Completion Screen 21
Figure 12 - AIMS Main Configuration Screen 22
Figure 13 - License Status Screen 24
Figure 14 - Entering License Information 25
Figure 15 - Offline License Request Data 26
Figure 16 - Locate and Import Offline License File 26


1 AIMS Installation Guidelines

1.1 Server Requirements

It is strongly recommended that AIMS run on its own dedicated server.

Operating System: 32-bit operating system (2 options)

o Windows Server 2008 and all current Microsoft security patches
o Windows Server 2003 Standard SP2 if 4 GB RAM, Enterprise Edition if more than 4 GB RAM, and all current Microsoft security patches

64-bit operating system

o Windows Server 2008
o Windows Server 2008 R2

Internet Information Server

On Server 2003:

o IIS 6
o ASP.NET
o .NET 4.0 Runtime - the full .NET 4.0 installation is required, not just the .NET Client Profile component
o ASP.NET allowed as a web service extension

On Server 2008:

o IIS 7
o ASP.NET
o Basic, Windows Integrated and Anonymous access methods installed
o .NET 4.0 Runtime - the full .NET 4.0 installation is required, not just the .NET Client Profile component
o ASP.NET allowed as a web services extension


CPU and RAM:

Physical Server

o Physical Server Minimum: Single CPU 3.0 GHz, 4 GB RAM
o Physical Server Recommended: Dual CPU 3.0 GHz, 8 GB RAM

Virtual Server

o Virtual Server Minimum: Single CPU 3.0 GHz, 4 GB RAM
o Virtual Server Recommended: Multiple CPU 3.0 GHz, 8 GB RAM

Note: Allocation of multiple CPUs to a virtual guest operating system does not guarantee an improvement in performance, since virtualization technologies use shared CPU cycles of the host machine. Check with your virtualization system administrator for the limitations of your virtual environment.


1.2 AIMS Server Build Steps

It is extremely important that the server preparation tasks be performed in the following order:

1. Build the base server.
2. Install IIS 6 for Windows 2003 or IIS 7 for Windows 2008.
3. Install the .NET 4.0 Framework (full standalone version).

In addition, you may want to verify that the following is not enforced in your environment for the AIMS server or the AIMS service account that will be created:

o Are there any group policies in place that will prevent anonymous access to the web structure directories that require anonymous access in AIMS? If yes, you will need to make exceptions to the GPO to allow anonymous access to the needed directory structure in AIMS.
o Has any baseline security product been installed on the server, either for the operating system or IIS, that would prevent anonymous access? If yes, this security policy will need adjustment.

1.3 Installation and Service Account Requirements

Create an account that will be used to start the Avatier Identity Management Server service and proxy all requests for the AIMS suite of products.

This account needs to be:

o A member of the "Domain Admins" group
o A member of the AIMS server's local Administrators group
o Granted the "Log on as a service" right


1.4 Determine the Location of the AIMS Audit Logs and AIMS Configuration Files

AIMS versions prior to 8.0 differ in their base installations with regard to the lightweight database architecture used to store the AIMS audit log and AIMS configuration settings. AIMS versions prior to version 8.0 stored their data in Microsoft Access format. Beginning with AIMS 8.0, all configuration and audit data is stored in VistaDB file format. After the initial installation of the AIMS suite, migrate the configuration and audit data to a more powerful database engine. AIMS supports loading its configuration files into Microsoft SQL Server versions 2003, 2005, and 2008, as well as Oracle.

Customers who have already migrated their audit log data to MS SQL Server in a prior version of AIMS can continue to write their audit log data to their existing database.

Upon an upgrade of AIMS to version 9.0, all local Microsoft Access files used in the previous versions of AIMS will be converted to VistaDB format.

Once you have upgraded to 9.0 or have installed AIMS 9.0 from scratch, please contact [email protected] for complete instructions on migrating your configuration and audit log data to Microsoft SQL Server or Oracle.

1.5 .NET 1.1 and .NET 4.0 Runtime Differences

Under the .NET 1.1 runtime environment, if an error condition was detected in the application pool, the .NET runtime environment logged the error but continued to function. The .NET 4.0 runtime environment differs with respect to how multiple errors are handled: .NET 4.0 will actually stop and restart the application pool associated with the error. Microsoft has provided a backward compatibility mode in the .NET 4.0 runtime environment to handle situations where you want your application pool to remain active and continue servicing requests for the web application. Avatier recommends setting the backward compatibility mode for the .NET runtime environment. To set the backward compatibility feature for .NET:


1. Use Notepad or another pure text editor to edit the file C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet.config
2. Modify <legacyUnhandledExceptionPolicy enabled="false" /> to <legacyUnhandledExceptionPolicy enabled="true" />
3. Save the changes.
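The edit above is a one-attribute change to an XML file, which makes it easy to verify after a build and to apply consistently across servers. The following Python script is an added example, not code from the Avatier guide or product: it reports the current value of legacyUnhandledExceptionPolicy, rewrites only that attribute (inserting the element under <runtime> if a stripped-down file lacks it), re-parses the result before anything is written, and keeps a .bak copy of the original. SAMPLE_ASPNET_CONFIG is a constructed fragment modelled on the layout of the stock file, not a copy of it; the Framework64 path is an assumption added here for the 64-bit servers the guide lists as supported, since the guide names only the 32-bit Framework path in this step.

```python
"""Check and set the .NET 4.0 legacyUnhandledExceptionPolicy switch in aspnet.config.

Added example (not Avatier's code): the guide says to flip enabled="false" to
enabled="true" with a text editor; this performs the same edit programmatically."""
import re
import shutil
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Default locations of the .NET 4.0 aspnet.config. The guide names only the
# 32-bit Framework path; the Framework64 path is an assumption for 64-bit servers.
ASPNET_CONFIG_PATHS = [
    Path(r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet.config"),
    Path(r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet.config"),
]

# Constructed sample, modelled on the layout of the stock file (not a copy of it).
SAMPLE_ASPNET_CONFIG = """<?xml version="1.0" encoding="utf-8" ?>
<configuration>
    <runtime>
        <legacyUnhandledExceptionPolicy enabled="false" />
        <legacyImpersonationPolicy enabled="true"/>
        <alwaysFlowImpersonationPolicy enabled="false"/>
    </runtime>
</configuration>
"""

# Matches the whole <legacyUnhandledExceptionPolicy ... /> tag so only it is rewritten.
_POLICY_TAG_RE = re.compile(r"<legacyUnhandledExceptionPolicy\b[^>]*>")
_ENABLED_ATTR_RE = re.compile(r'enabled\s*=\s*"[^"]*"')


def legacy_policy_enabled(xml_text):
    """Return True or False for the current setting, or None if the element is absent."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    node = root.find("./runtime/legacyUnhandledExceptionPolicy")
    if node is None:
        return None
    return node.get("enabled", "").strip().lower() == "true"


def set_legacy_policy(xml_text, enabled=True):
    """Return xml_text with the policy set, leaving every other byte untouched.

    If the element is missing it is inserted as the first child of <runtime>;
    the result is re-parsed so a malformed edit can never be written out."""
    value = "true" if enabled else "false"
    if _POLICY_TAG_RE.search(xml_text):
        def rewrite(match):
            tag = match.group(0)
            if _ENABLED_ATTR_RE.search(tag):
                return _ENABLED_ATTR_RE.sub(f'enabled="{value}"', tag, count=1)
            # Element present but attribute missing: add it.
            return tag.replace("<legacyUnhandledExceptionPolicy",
                               f'<legacyUnhandledExceptionPolicy enabled="{value}"', 1)
        result = _POLICY_TAG_RE.sub(rewrite, xml_text, count=1)
    else:
        runtime_open = re.search(r"<runtime\b[^>]*>", xml_text)
        if runtime_open is None or runtime_open.group(0).endswith("/>"):
            raise ValueError("aspnet.config has no open <runtime> section to edit")
        pos = runtime_open.end()
        result = (xml_text[:pos]
                  + f'\n        <legacyUnhandledExceptionPolicy enabled="{value}" />'
                  + xml_text[pos:])
    if legacy_policy_enabled(result) != enabled:
        raise RuntimeError("edit did not produce the expected setting")
    return result


def apply_to_file(path, enabled=True):
    """Edit one aspnet.config in place (after a .bak copy); return (before, after)."""
    path = Path(path)
    text = path.read_text(encoding="utf-8-sig")
    before = legacy_policy_enabled(text)
    if before != enabled:
        shutil.copy2(path, path.with_name(path.name + ".bak"))
        path.write_text(set_legacy_policy(text, enabled), encoding="utf-8")
    after = legacy_policy_enabled(path.read_text(encoding="utf-8-sig"))
    return before, after


if __name__ == "__main__":
    # With no arguments, fix every default path that exists on this server.
    targets = [Path(p) for p in sys.argv[1:]] or [p for p in ASPNET_CONFIG_PATHS if p.exists()]
    if not targets:
        sys.exit("no aspnet.config found; pass the path explicitly")
    for target in targets:
        before, after = apply_to_file(target)
        print(f"{target}: legacyUnhandledExceptionPolicy {before} -> {after}")
```

Run it as an administrator with no arguments to process every default path present, or pass explicit paths. On a 64-bit server, which copy an application pool reads depends on whether the pool runs 32-bit worker processes, so applying the change to both copies is the safe choice; the returned (before, after) pair gives an auditable record of what was changed.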

1.6 Important Information for Web Agent (SOAP) Based Connectors

The following information is for customers who have installed and configured the AIMS web agent for the following targeted systems, and whose AIMS server is restricted from accessing the Microsoft Windows Update web site due to firewall or other corporate restrictions. The AIMS server uses SOAP over SSL to communicate with the installed web agents on the following platforms:

o IBM iSeries (AS400)
o IBM AIX
o Linux
o HP-UX
o Sun Solaris

Microsoft's Internet Explorer running on Windows Server 2003 SP2 performs root certificate checking for items that communicate with a server over SSL. If access to the Internet to check the root certificate installed on the AIMS server is restricted or prohibited by corporate policy, you will need to turn off root certificate checking on the AIMS server to avoid performance degradation of the product. To turn off root certificate checking:

1. From the AIMS server, click the Start menu, then Settings / Control Panel / Add-Remove Programs.
2. Select "Add/Remove Windows Components".
3. Uncheck "Update Root Certificates" in the list, click the "Next" button and follow the on-screen instructions.


1.7 Obtain the Latest AIMS Software

Please contact Avatier Support at [email protected] to obtain instructions on downloading the latest release of the AIMS 9.0 software.


1.8 Software Installation

Once the IIS server is properly configured, the AIMS installation file has been downloaded, and a Domain Admin service account has been created, the installation of the Avatier Identity Management Suite can begin.

1. Log on to the AIMS server as a Domain Admin (preferably the same account used for the AIMS Service Account).
2. Place the AIMS installation file on the server in a temporary directory.
3. Double-click the AIMS installation file. The Welcome page of the Avatier Identity Management Server Installation Wizard will appear on the screen and will automatically move to the next screen after a few seconds unless CANCEL is clicked.

Figure 1 - Avatier Identity Management Server Installation Wizard

Make sure that all other Windows applications are closed prior to running the AIMS installation. This will prevent any common files held open by other applications from not being updated by the installation process. When all other Windows programs are closed, click the NEXT> button.

Figure 2 - Click Through License Agreement

This screen displays the Avatier AIMS click-through license agreement. By clicking "I accept the license agreement", the trial evaluation and eventual production use of the software are governed by this widely accepted and legally tested agreement. Please read the license, scroll down to the bottom, click the "I accept..." radio button, and click NEXT>.


Figure 3 - Destination Folder Selection Screen

Choose the default location for the software installation, or browse for an alternate location, then click NEXT>.


Figure 4 - AIMS Service Account Configuration


This screen requires the AIMS Service Account credentials. AIMS and all AIMS modules, including Password Bouncer Enterprise Edition, will use the authority of this account to manage user accounts and passwords. Typically, the account needs to be a Windows Domain Administrator account with full permissions over each domain in which AIMS will manage accounts and passwords. The Service Account must be a member of the local Administrators group on the AIMS server and be able to run locally as a service. Enter the following information in the appropriate fields:

o The domain in which AIMS is being installed.
o The Service Account ID.
o The Service Account domain logon password.
o The Service Account domain logon password again, to confirm the password.

When the information is entered, click NEXT>.

Figure 5 - AIMS Products Selection Screen

Check / Uncheck the product selections then click NEXT>.


Figure 6 - Enrollment Domain Selection Screen

This screen offers the selection of the User Enrollment Domain Type. This can either be Microsoft’s Active Directory or another LDAP source.


Figure 7 - Domain Selection Screen

This screen provides the ability to browse and select all domains AIMS will be managing. Click the browse button to see a list of identified and available domains. Select all the domains that will be included. Additional domains can be added or removed after AIMS is installed if needed. Click NEXT> to proceed.


Figure 8 - Web Resources Configuration Dialog

This screen is informational and precedes the screen which will allow you to configure the web site that will be used to configure Password Bouncer. Click the “Next >” button to proceed.


Figure 9 - Web Site Configuration Notes

AIMS will install as a virtual directory under the default web site.


Figure 10 - Installation Progress Dialog

The progress of the installation is displayed.


Figure 11 - Installation Wizard Completion Screen

When the installation has completed, simply click the “Finish” button.


2 Licensing AIMS Products

2.1 Accessing the Main Configuration Page

To begin the configuration of the Avatier Identity Management Suite, access the AIMS Configuration main screen:

1. Open a web browser.
2. Enter the URL of the AIMS configuration. By default, this URL is http://yourservername/aims/config.
3. Enter your user ID in the format domain\userid.
4. Enter your password. The following screen will appear:

Figure 12 - AIMS Main Configuration Screen

The configuration screen of the Avatier Identity Management Suite is divided into three distinct sections.


o The left-hand pane, called P1, is a hierarchical tree view of the AIMS product modules.
o The center pane, called P2, contains the options available for the item selected in P1.
o The right pane, called P3, contains the configurable settings for the option selected in P2.

2.2 Applying the AIMS Product License

Before beginning the configuration of any of the AIMS modules, you must first license the product for use within your organization.

2.2.1 Online Licensing

If the AIMS server has a working Internet connection, and port 443 (SSL) is an allowed outbound protocol on your network:

1. Click on Avatier Identity Management Suite in P1.
2. Click on "License Status" in the P2 Options pane and the following screen will appear:


Figure 13 - License Status Screen

3. Click on the "Install License" button in P3.


Figure 14 - Entering License Information

4. Enter the license key that was sent to you from [email protected].
5. Enter the email address that is associated with that license key.
6. Click the "Get License" button. AIMS will connect via the Internet to the Avatier Licensing service and download the license to your AIMS server.
7. When you receive the confirmation that the license has installed successfully, click the "Restart" button in P3 to restart the AIMS Web Application and apply the license.

2.2.2 Offline Licensing

If no working Internet connection is available from the AIMS server, due to network topology or a firewall that restricts outbound port 443, you can still license the product; however, it becomes a two-step manual process.


The first step involves generating the file needed for the off-line license request and mailing it to [email protected]. The second step is placing the file that Avatier generates for you onto the AIMS server and importing it into the product. To generate an offline license request:

Figure 15 - Offline License Request Data

1. Fill in your company name and email address in the provided fields.
2. Click the "Offline License" button.
3. Save the file to a temporary location.
4. Mail the file to [email protected]. When Avatier receives the offline license request file, they will generate a license file for you and return it to the email address you specified in the offline license request file.
5. Place the attached license file in a temporary location on the AIMS server.

Figure 16 - Locate and Import Offline License File

6. Click the "Browse" button and locate the file.
7. Click the "Import" button. Once the license file has been applied, you will be returned to the "License Status" screen.
8. You will need to restart the AIMS web application. Click the "Restart" button to perform this function.