Installation on AIX

This section describes the steps for a fresh installation of IBM Verify Identity Governance - Software Stack version 11.0.0 on the IBM AIX platform.

Before you begin

  1. Ensure that you have administrator access on the AIX system.

Deployment on AIX

Perform the following steps to install IVIG - Software Stack on the IBM AIX platform.

IBM MQ

Download IBM MQ (the 9.4.0.0-IBM-MQ-AixPPC64.tar.Z file) from the IBM Passport Advantage portal to the AIX machine.

IBM MQ 9.4 LTS is available with part number G0B7VML.

Next, install IBM MQ.
Note: For detailed instructions on installing IBM MQ on AIX, refer to the IBM MQ documentation.
  1. Decompress the IBM_MQ_9.4.0_AIX.tar.Z file on the AIX machine. Run this command: tar -xvf IBM_MQ_9.4.0_AIX.tar

    After executing this command, a directory MQServer is created.

  2. Run this command: sudo mkgroup id=500 mqm
  3. Run this command: sudo useradd -u 501 -g mqm -s /bin/bash -d /home/mqm -m mqm
  4. Run this command: sudo passwd mqm
  5. Run this command: sudo useradd -s /bin/bash -d /home/isimsystem -m isimsystem
    Important: Ensure that the isimsystem user is NOT a member of the mqm group. The user ID that you use to create the queue managers must be in the mqm group, but the isimsystem user ID that IVIG uses to connect to MQ must not be a member of the mqm group.
  6. Run this command: sudo passwd isimsystem
  7. Next, refer to this IBM MQ documentation topic, and perform the following steps.
  8. Run this command: sudo lsuser -a nofiles mqm
  9. Run this command: sudo chuser nofiles=10240 mqm
  10. Run this command: sudo chuser nofiles_hard=10240 mqm
  11. Run this command: sudo chuser nofiles=10240 root
  12. Run this command: sudo chuser nofiles=10240 root
  13. Run this command: sudo ulimit -d unlimited
  14. Run this command: sudo ulimit -s unlimited
  15. Create the mqm data directory.
     sudo mkdir /var/mqm
     sudo chown mqm /var/mqm
     sudo chgrp mqm /var/mqm
  16. Next, install IBM MQ by running this command: sudo installp -acXgYd . *
    Note: For detailed information, refer to this IBM MQ documentation topic.
  17. Add the user to the mqm group.
    Note: This example code shows adding the root user to the mqm group. However, you must add your installer userid to the mqm group rather than the root user.
    
    bash-5.2# id root
    uid=0(root) gid=0(system) groups=2(bin),3(sys),7(security),8(cron),10(audit),11(lp),203(idsldap),204(instn1),205(instn2),206(proxys3),500(mqm)
    
  18. Run this command: . /usr/mqm/bin/setmqenv -s
    Important: Do not forget the <period><space> at the front to source this info into your environment.
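
The group rule from step 5 (the user ID that creates the queue managers is in mqm, isimsystem is not) can be checked from id output. The following is an added example, not part of the IBM procedure; the isimsystem sample lines are constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not IBM code: verify the mqm group separation from `id` output.

# in_group ID_OUTPUT GROUP: succeeds if GROUP is the primary (gid=) or a
# supplementary (groups=) group. Whole names are compared, so "mqm" does not
# match "mqmadm", and a user merely named mqm (uid=) is ignored.
in_group() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -E '^(gid|groups)=' |
        sed -e 's/^[a-z]*=//' | tr ',' '\n' |
        sed -e 's/^[0-9]*(//' -e 's/)$//' | grep -Fqx -- "$2"
}

# check_separation ADMIN_ID_OUTPUT APP_ID_OUTPUT
# Prints one finding per rule; returns non-zero if either rule is violated.
check_separation() {
    rc=0
    if in_group "$1" mqm; then
        echo "OK:   queue manager administrator is in mqm"
    else
        echo "FAIL: queue manager administrator is not in mqm"; rc=1
    fi
    if in_group "$2" mqm; then
        echo "FAIL: isimsystem is in mqm; remove it from the group"; rc=1
    else
        echo "OK:   isimsystem is not in mqm"
    fi
    return "$rc"
}

# Sample from the page (id root), plus constructed isimsystem samples.
ADMIN_ID='uid=0(root) gid=0(system) groups=2(bin),3(sys),7(security),8(cron),10(audit),11(lp),203(idsldap),204(instn1),205(instn2),206(proxys3),500(mqm)'
APP_ID_GOOD='uid=502(isimsystem) gid=1(staff) groups=1(staff)'   # constructed
APP_ID_BAD='uid=502(isimsystem) gid=500(mqm) groups=1(staff)'    # constructed

check_separation "$ADMIN_ID" "$APP_ID_GOOD"
# On the AIX host: check_separation "$(id <installer_id>)" "$(id isimsystem)"
```

The APP_ID_BAD sample covers the case where mqm is the primary group of isimsystem, which a check of the supplementary list alone would miss.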

Configure IBM MQ

  1. Ensure that you use a user in the mqm group. You can also add your account to the group: sudo usermod -g mqm <yourid>
  2. Use the command newgrp to reload groups without having to log in again.
  3. Run this command: . /usr/mqm/bin/setmqenv -s
    Important: Do not forget the <period><space> at the front to source this info into your environment.
  4. From the IBM Passport Advantage site, download the IVIG Software Stack files. Extract the files to a directory (for example, <extracted_directory>) on your local computer.
  5. Using the command prompt, navigate to this directory: <extracted_directory>/wlp/usr/servers/defaultServer/config/config/mq/ and then use either ssl OR plain.

    Here, choose ssl directory if you want to use SSL, OR choose plain for non-SSL.

  6. Check the listener line at the end of the .mqsc files. The local queue manager is configured for port 1414 and the shared queue manager for port 1415, but the ports can be adjusted as needed.
  7. Create a queue manager. Run this command: crtmqm -ii isvgqm.ini ISVGQueueMgr
  8. Start the queue manager. Run this command: strmqm ISVGQueueMgr
  9. Open a command prompt for the queue manager. Run this command: runmqsc ISVGQueueMgr < ISVGQMgr.mqsc

Next, you need to set up the shared queues. This can be done on the IM system, or you can install MQ on another machine and run it there. Run these commands:
crtmqm -ii isvgqm.ini ISVGQMgrShared
strmqm ISVGQMgrShared
runmqsc ISVGQMgrShared < ISVGQMgr-shared.mqsc

SSL: If you plan to use SSL, you will need to create a certificate for each queue manager. You can either use openssl to create a PKCS12 file to be imported into the MQ keystore, or you can create one with GSKit.

  1. Refer to the MQ documentation.
  2. Run as the mqm user or you will need to update permissions on the file.
  3. Run this command: runmqakm -keydb -create -populate -db /var/mqm/qmgrs/ISVGQueueMgr/ssl/key.kdb -pw the_password -stash
  4. If you have a PKCS12: Run this command: runmqakm -cert -import -db /var/mqm/qmgrs/ISVGQueueMgr/ssl/key.kdb -stashed -label pkcs12label -new_label ibmwebspheremqisvgqueuemgr -target cert.p12 -target_pw pkcs_password -type kdb -target_type pkcs12
  5. If you do not have PKCS12: Run this command: runmqakm -cert -create -db /var/mqm/qmgrs/ISVGQueueMgr/ssl/key.kdb -stashed -label ibmwebspheremqisvgqueuemgr -dn "CN=ISVGIM" -san_dnsname your_hostname -san_ipaddr your_ip
  6. If you have created a new certificate, extract the CA with this command: runmqakm -cert -extract -label ibmwebspheremqisvgqueuemgr -db /var/mqm/qmgrs/ISVGQueueMgr/ssl/key.kdb -stashed -file localCA.crt -format ascii

    NOTE: The label for the shared QM MUST be ibmwebspheremqisvgqmgrshared, and use a different file name.

  7. Run this command: mqcertck Queue_Manager_Name

    This step is important to ensure that all the updates are correct.

  8. To enable SSL, you must restart the queue managers. Run the following commands.

    endmqm ISVGQueueMgr

    strmqm ISVGQueueMgr

  9. Next, repeat steps 3 to 8 for the ISVGQMgrShared queue manager.
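
Step 9 written out for both queue managers, as an added example that is not part of the IBM procedure. It assumes the label is ibmwebspheremq followed by the queue manager name in lower case (which matches both labels given above) and that the shared queue manager keeps its key database under /var/mqm/qmgrs/ISVGQMgrShared/ssl/; sharedCA.crt is a hypothetical second file name. The script only prints the commands and uses the no-PKCS12 path (step 5).

```shell
#!/bin/sh
# Added example, not IBM code: expand "repeat steps 3 to 8" per queue manager.
# Assumption: each key database is /var/mqm/qmgrs/<QMgrName>/ssl/key.kdb,
# as the page shows for ISVGQueueMgr.

# Certificate label = "ibmwebspheremq" + queue manager name in lower case.
mq_cert_label() {
    printf 'ibmwebspheremq%s\n' "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')"
}

# Path of the queue manager's key database.
mq_kdb() { printf '/var/mqm/qmgrs/%s/ssl/key.kdb\n' "$1"; }

# ssl_plan QMGR CERT_FILE: print steps 3, 5, 6, 7 and 8 for one queue manager.
# the_password, your_hostname and your_ip are the page's own placeholders.
ssl_plan() {
    qm=$1 out=$2 db=$(mq_kdb "$1") label=$(mq_cert_label "$1")
    cat <<EOF
runmqakm -keydb -create -populate -db $db -pw the_password -stash
runmqakm -cert -create -db $db -stashed -label $label -dn "CN=ISVGIM" -san_dnsname your_hostname -san_ipaddr your_ip
runmqakm -cert -extract -label $label -db $db -stashed -file $out -format ascii
mqcertck $qm
endmqm $qm
strmqm $qm
EOF
}

ssl_plan ISVGQueueMgr localCA.crt
ssl_plan ISVGQMgrShared sharedCA.crt   # hypothetical name; must differ from localCA.crt
```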

Deploy IVIG Software Stack

Next, perform the following steps.
  1. Go to the IVIG - Software Stack package that you had extracted into its own directory (for example <extracted_directory>).
  2. Run this command: cd <extracted_directory>/wlp/bin
  3. Run this command: ./im_installer.sh configure --configfile /path/to/file

    The im_installer.sh script, when run in the configure mode, prompts for various inputs (such as LDAP, DB2, IBM connection parameters) and stores them in the configuration file that will be created in the specified directory on the local computer. If the same file already exists in the specified directory, then it will be updated.

    In this command, replace /path/to/file with the complete directory path including the file name that you want to use. For example: ./im_installer.sh configure --configfile /home/imssliberty/ivig11_config.properties

  4. Run this command: ./im_installer.sh install --configfile /path/to/file

    Here, the im_installer.sh script, when run in the install mode, uses the parameters from the configuration file created in the previous step. In this command, replace /path/to/file with the same directory path and the file name that was created in the previous step. For example: ./im_installer.sh install --configfile /home/imssliberty/ivig11_config.properties

  5. If you want to use SSL, add your certificate and private key to the keystore listed as liberty.keystore.location in the bootstrap.properties file. If you are not using SSL, you can use port 9080 instead of 9443.
  6. Run this command: <wlp>/bin/server start
  7. Log in to IVIG Server:
    • If using SSL: https://<hostname>:9443/itim/console
    • If using non-SSL: http://<hostname>:9080/itim/console
    The screen prompts you to change the default password. Set a password of your choice, and then proceed with logging in to the IVIG Server.