Role Optimizer deployment

Detailed procedure to deploy the IVIG Role Optimizer feature.

Overview

This section describes the steps for a fresh installation of IVIG Role Optimizer version 11.0.0 on a Red Hat Enterprise Linux or Ubuntu Linux platform.

Role Optimizer deployment

  1. Log in as a user with root privileges. Ensure that the directory /opt/ibm is present on the local Linux computer.
  2. Extract IVIGRoleOptimizer.zip to the /opt/ibm/IVIGRoleOptimizer directory.

    unzip IVIGRoleOptimizer.zip -d /opt/ibm/IVIGRoleOptimizer

  3. Verify that the extracted directory contains the following artifacts:
    • BuildUtilities
    • DB.zip
    • install.sh
    • isig.zip
    • ISIMDataExtractionutility.zip
    • java-x86_64-80.zip
    • UserManagementUtility.zip
    • wlp.zip
    • build.properties
  4. Perform the database configuration steps described in the Installation on database topic. Ensure that the database is set up before proceeding with the next steps.
  5. Navigate to /IVIGRoleOptimizer/BuildUtilities/dbUtil from the extracted directory. Update the db.properties file with the following values.

    jdbc.url=jdbc:<dbType>://<DB_Hostname>:<DB_Port>/<DB_Name>
    jdbc.user=<DB_instance_owner>
    jdbc.password=<DB_instance_password>

    For example,

    jdbc.url=jdbc:db2://dbhost.ibm.com:50050/RO_DB

    OR

    jdbc.url=jdbc:postgresql://dbhost.ibm.com:5432/RO_DB

    jdbc.user=iviginst
    jdbc.password=Passw0rd

  6. Navigate to the /IVIGRoleOptimizer directory. Run the install.sh script using the command below. Check the install.log file at the same location for more details.

    ./install.sh

  7. At the prompt 'Enter the password to set for the default login user:', enter the password to be used by the default user, "roleadmin". For example:
    Enter the password to set for the default login user: Passw0rd 
  8. At the prompt 'Enter the new encryption key:', enter an encryption key to be used for encrypting basic user registry passwords. For example:
    Enter the new encryption key: Sunshine123
  9. When the application certificate is created, you are prompted to enter the Common Name, Organizational Unit, Organization Name and Country Code details for the certificate. For example:
    Enter the Common Name (CN) (e.g., ro.ibm.com): ivigro.ibm.com 
    Enter the Organizational Unit (OU) (e.g., IBM Verify Identity Governance): IVIG 
    Enter the Organization Name (O) (e.g., IBM): IBM 
    Enter the Country Code (C) (e.g., IN): IN 

    Note that the certificate CN cannot be empty.

  10. At the prompt 'Enter the Keystore Password:', enter a password for the default keystore being created for IVIG Role Optimizer. This password should be at least 6 characters long.
  11. After the installation is complete, the following message appears.
    IVIG Role Optimizer installation completed successfully. 
  12. After installation, update the /opt/ibm/wlp/usr/servers/igi/datasources/<db2 or postgre>/datasource.xml file with the relevant DB hostname, port number, DB name and DB user password. For example:

    databaseName="RO_DB" serverName="dbhost.ibm.com" portNumber="50050"

  13. Note: See the troubleshooting section "Conflicts with port 2821 and 5471" before proceeding with this step.
    Update /opt/ibm/wlp/usr/servers/igi/endpoint.xml with the IIOP host details of the Role Optimizer setup. For example:

    <iiopEndpoint host="ivigro.ibm.com" id="defaultIiopEndpoint" iiopPort="2821">
        <iiopsOptions iiopsPort="28210"></iiopsOptions>
    </iiopEndpoint>

  14. Update the /opt/ibm/wlp/usr/servers/igi/bootstrap.properties file as follows.

    IDEAS_DB_TYPE=<db2 OR postgre>
    IDEAS_DB_SERVICE_SCHEMA=<IGASERV for db2 OR IGA_SERVICE for postgre>
    IDEAS_DB_DRIVER=<com.ibm.db2.jcc.DB2Driver OR org.postgresql.Driver>
    IDEAS_DB_DIALECT=<org.hibernate.dialect.DB2Dialect OR org.hibernate.dialect.PostgreSQLDialect>
    IDEAS_EJB_PROVIDER_URL=corbaloc:iiop:<iiopEndpointHost>:<iiopPort>

    For example:

    IDEAS_EJB_PROVIDER_URL=corbaloc:iiop:<ROHost.ibm.com>:2821

    LOCAL_REST_URL=https://<hostname>:<port>/rest 

    For example:

    LOCAL_REST_URL=https://ivigro.ibm.com:9343/rest

  15. Restart the server using the commands below.

    /opt/ibm/wlp/bin/server stop igi

    /opt/ibm/wlp/bin/server start igi --clean

  16. Create an application user. See the User Management Utility topic for more details. The default super user for first-time use is "roleadmin". Use the password created in step 7 to log in to the User Management Utility for the first time.
  17. Configure the authentication mechanism of your choice. See the IVIG Role Optimizer Authentication topic for more details.
  18. Access the setup using https://<hostname>:<port>, for example, https://ivigro.ibm.com:9343, where 9343 is the https port configured by default in the /opt/ibm/wlp/usr/servers/igi/endpoint.xml file.

    To access the setup using http://<hostname>:<port>, follow the additional steps below.

    1. Open the /opt/ibm/wlp/usr/servers/igi/server.xml file. Go to the line <webAppSecurity ssoCookieName="igiAppCookie" ssoRequiresSSL="true" />
    2. By default, the ssoRequiresSSL parameter is set to true. Change the value to false, and then save the file.
    3. After making these updates, restart the server. You can now access the application over http. With ssoRequiresSSL set to false, the SSO cookie (igiAppCookie) is no longer restricted to SSL connections.
  19. Log in using the credentials set in the configured authentication mode.
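
The following script is an added example, not part of the IBM-supplied installer: it audits the files edited in steps 5, 14 and 18, checking that bootstrap.properties uses the schema, driver and dialect that match IDEAS_DB_TYPE, that db.properties is closed to group and other users, and that ssoRequiresSSL is still "true". The function names and the owner-only permission rule are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not IBM code): audit the files edited in steps 5, 14 and 18.

# prop FILE KEY: print the value of KEY from a properties file (last one wins).
prop() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        tail -n 1 | tr -d '\r' | sed 's/[[:space:]]*$//'
}

# check_bootstrap FILE: schema, driver and dialect must match IDEAS_DB_TYPE.
check_bootstrap() {
    f=$1; bad=0
    case "$(prop "$f" IDEAS_DB_TYPE)" in
        db2)     schema=IGASERV
                 driver=com.ibm.db2.jcc.DB2Driver
                 dialect=org.hibernate.dialect.DB2Dialect ;;
        postgre) schema=IGA_SERVICE
                 driver=org.postgresql.Driver
                 dialect=org.hibernate.dialect.PostgreSQLDialect ;;
        *) echo "FAIL: IDEAS_DB_TYPE must be db2 or postgre"; return 1 ;;
    esac
    [ "$(prop "$f" IDEAS_DB_SERVICE_SCHEMA)" = "$schema" ] ||
        { echo "FAIL: IDEAS_DB_SERVICE_SCHEMA should be $schema"; bad=1; }
    [ "$(prop "$f" IDEAS_DB_DRIVER)" = "$driver" ] ||
        { echo "FAIL: IDEAS_DB_DRIVER should be $driver"; bad=1; }
    [ "$(prop "$f" IDEAS_DB_DIALECT)" = "$dialect" ] ||
        { echo "FAIL: IDEAS_DB_DIALECT should be $dialect"; bad=1; }
    return $bad
}

# check_private FILE: the file stores jdbc.password, so group/other get no access
# (assumed policy for this example; the page does not state one).
check_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ] ||
        { echo "FAIL: $1 is accessible to group or other"; return 1; }
}

# check_sso FILE: ssoRequiresSSL must still be "true" on <webAppSecurity>.
check_sso() {
    grep -q '<webAppSecurity[^>]*ssoRequiresSSL="true"' "$1" ||
        { echo "WARN: $1 allows the SSO cookie over plain HTTP"; return 1; }
}

# Usage: sh audit.sh bootstrap.properties db.properties server.xml
if [ $# -eq 3 ]; then
    status=0
    check_bootstrap "$1" || status=1
    check_private "$2" || status=1
    check_sso "$3" || status=1
    exit $status
fi
```

Run it after step 15 with the three file paths as arguments; a non-zero exit status means at least one check failed.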