JonH67 Absent Member.

4.5 Identity Apps Install and Configupdate.sh


I've started looking at the 4.5 Identity Apps, the last time I looked at
UserApp was 4.0.2.6 and 4.0.2.7 with HPD, I thought I was pretty
familiar with the terminology being used in the 4.5 Identity Apps. I
have to ask though has anyone ever got this working straight out of the
box? The initial impression with the numerous errors during the install,
the bad documentation, it really is quite woeful!

After curing far too many issues in what used to be a solid install
routine in previous versions. I'm now at the stage that the
configupdate.sh does not update anything during the user app gui
install, this time around I got a warning about something failing during
the install and was it ok to continue ( I assume that it was the
configupdate.sh as I had clicked apply to all the settings I added)
check the install log, no warning, no errors. The catalina.out file
states an illegalstateexception, looking at the ism-config-properties
file there are no settings for any of the changes I made in the user app
install configupdate. Start configupdate and the ua driver dn is
missing, I can't select advanced options of the Identity Vault tab to
check the rest of the information (edit_admin=true), although I can
select advanced in the other two tabs. All the SSO Client information is
missing, secrets, redirect urls.

I know there are patches, but do they work, do you have to reinstall
everything, configure it without being able to check, add patches and
hope it works? I downloaded a new IDM Advanced iso hoping updated base
files had been incorporated, but same results.


--
JonH67
------------------------------------------------------------------------
JonH67's Profile: https://forums.netiq.com/member.php?userid=411
View this thread: https://forums.netiq.com/showthread.php?t=57776

spsivasubramanian Absent Member.

Re: 4.5 Identity Apps Install and Configupdate.sh

JonH67;2454631 wrote:


After curing far too many issues in what used to be a solid install
routine in previous versions. I'm now at the stage that the
configupdate.sh does not update anything during the user app gui
install, this time around I got a warning about something failing during
the install and was it ok to continue ( I assume that it was the
configupdate.sh as I had clicked apply to all the settings I added)
check the install log, no warning, no errors. The catalina.out file
states an illegalstateexception, looking at the ism-config-properties
file there are no settings for any of the changes I made in the user app
install configupdate. Start configupdate and the ua driver dn is
missing, I can't select advanced options of the Identity Vault tab to
check the rest of the information (edit_admin=true), although I can
select advanced in the other two tabs. All the SSO Client information is
missing, secrets, redirect urls.


Dear John,

Thanks.

Could you please double-check the following:

- Check for any errors in /opt/netiq/idm/apps/UserApplication/NetIQ-Custom-Install.log

- Any port conflicts for the Application Server (e.g. Tomcat) or PostgreSQL?

- Is this a fresh Identity Manager 4.5 install or an upgrade from legacy 4.0.x to 4.5?

- Are you installing all components on a single box or in a distributed environment setup?

Thanks in advance,
SivaPrakasamS
Micro Focus.
Knowledge Partner

Re: 4.5 Identity Apps Install and Configupdate.sh

On 4/10/2017 2:34 AM, JonH67 wrote:
>
> I've started looking at the 4.5 Identity Apps, the last time I looked at
> UserApp was 4.0.2.6 and 4.0.2.7 with HPD, I thought I was pretty
> familiar with the terminology being used in the 4.5 Identity Apps. I
> have to ask though has anyone ever got this working straight out of the
> box? The initial impression with the numerous errors during the install,
> the bad documentation, it really is quite woeful!
>
> After curing far too many issues in what used to be a solid install
> routine in previous versions. I'm now at the stage that the
> configupdate.sh does not update anything during the user app gui
> install, this time around I got a warning about something failing during
> the install and was it ok to continue ( I assume that it was the
> configupdate.sh as I had clicked apply to all the settings I added)
> check the install log, no warning, no errors. The catalina.out file
> states an illegalstateexception, looking at the ism-config-properties
> file there are no settings for any of the changes I made in the user app
> install configupdate. Start configupdate and the ua driver dn is
> missing, I can't select advanced options of the Identity Vault tab to
> check the rest of the information (edit_admin=true), although I can
> select advanced in the other two tabs. All the SSO Client information is
> missing, secrets, redirect urls.
>
> I know there are patches, but do they work, do you have to reinstall
> everything, configure it without being able to check, add patches and
> hope it works? I downloaded a new IDM Advanced iso hoping updated base
> files had been incorporated, but same results.


Agreed. The install should be straightforward, but is not.

Much is left as config outside the installer and it is too complicated
by far. Alas.

However it is masterable. Have you had the fun of OSP and certificates
yet? If not, remember, the Keystores you specify in configupdate need
the public key of all certs (eDir CA, Tomcat SSL cert, OSP SSL cert) in
the osp keystore, tomcat keystore (if you use a separate one), and
cacerts for the JVM.
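
One way to check the keystore requirement from the reply above, as an added example that is not part of the original thread or any NetIQ tooling. It compares `keytool -list` output against a list of required certificate fingerprints; the `name fingerprint` file format, the names `edir-ca`, `tomcat-ssl` and `osp-ssl`, and every fingerprint shown are constructed for the example, and the keystore paths are whatever you set in configupdate.

```shell
#!/bin/sh
# Added example, not from the thread: report which required certificates are
# missing from a Java keystore, using only `keytool -list` output.

# Read `keytool -list` output on stdin and print each certificate fingerprint,
# upper-cased, one per line. Matches "(SHA1)" and "(SHA-256)" labelled lines.
list_fingerprints() {
    sed -n 's/^Certificate fingerprint ([^)]*): *//p' |
        tr -d '\r ' | tr 'abcdef' 'ABCDEF'
}

# $1 = file holding `keytool -list` output
# $2 = file of "name fingerprint" lines for the certificates that must be there
# Prints the name of every required certificate that is not in the listing.
missing_certs() {
    present=$(list_fingerprints < "$1")
    while read -r name fp; do
        [ -n "$name" ] || continue
        fp=$(printf '%s' "$fp" | tr 'abcdef' 'ABCDEF')
        printf '%s\n' "$present" | grep -qxF "$fp" || printf '%s\n' "$name"
    done < "$2"
}

# $1 = keystore path (placeholder, supplied by you), $2 = required-certs file.
# The store password is read from the exported variable KS_PASS so that it
# stays out of the process list. Run once per keystore: OSP, Tomcat, cacerts.
audit_keystore() {
    listing=$(mktemp) || return 2
    if keytool -list -keystore "$1" -storepass:env KS_PASS > "$listing" 2>/dev/null; then
        missing_certs "$listing" "$2"; rc=0
    else
        echo "cannot list $1 (wrong path or password?)" >&2; rc=2
    fi
    rm -f "$listing"
    return "$rc"
}

# Constructed sample: an OSP keystore listing that holds the eDir CA and the
# OSP certificate but not the Tomcat one. All fingerprints are made up.
demo() {
    dir=$(mktemp -d) || return 2
    cat > "$dir/listing.txt" <<'EOF'
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

edirca, Apr 10, 2017, trustedCertEntry,
Certificate fingerprint (SHA1): 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11
osp, Apr 10, 2017, PrivateKeyEntry,
Certificate fingerprint (SHA1): 22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22
EOF
    cat > "$dir/required.txt" <<'EOF'
edir-ca 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11
tomcat-ssl 33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33
osp-ssl 22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22
EOF
    missing_certs "$dir/listing.txt" "$dir/required.txt"
    rm -rf "$dir"
}

demo    # prints: tomcat-ssl
```

An empty result from `audit_keystore` for all three keystores means every required certificate is present in each of them.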


JonH67 Absent Member.

Re: 4.5 Identity Apps Install and Configupdate.sh


>
> However it is masterable. Have you had the fun of OSP and certificates
> yet?


I haven't yet, I wanted to look at the procedure for a customer and give
an honest view. Strangely enough I have found a series of cool solutions
going through OSP pain 😉

As for the configuration, it's a new Metadirectory server with a new 4.5
framework install, eDirectory is supplied by OES 11 SP2 eDir 8.8.8.8,
patched to Sept 2016 release for SLES and OES. I'm using another SLES
11.3 server for the apps with PostGre/Tomcat-OSP-User App, I'm not
installing SSPR, I'm using the SSPR 4.1 appliance for that due to the
old version of the SSPR software on the 4.5 media.

All I wanted to do was validate the product install routine based
against the previous versions I've used, the latest being 4.0.2.7
(especially 4.0.2.7 deprecating SSL) with HPD which required SSO-SAML,
java updates, driver updates etc. It was a complex or involved process,
but you had something working to work from and going from a working to
broken function is much easier than multiple errors during an install
producing a non functional environment. Testing the landing or dash page
returns a JSON error, is this because the Apps server cannot locate the
DN of the UA driver and the DAL because of the broken configupdate
during install or is it indicative of the SSO client information
missing, this is my point, too many errors that you cannot pinpoint
easily.

I'll be working my way through the various logs, but my first fix will
have to be the ism-properties file via configupdate, I'm going to
update the Apps, OSP and configupdate to the 4.5.4 versions. Does anyone
have a good copy of the ism-properties they could post up? If I can't
get the configupdate.sh to start with admin rights to the Identity Vault
as it is now, I won't be able to update any IDV info if it's required
and I'll have to add it manually


--
JonH67

Micro Focus Expert

Re: 4.5 Identity Apps Install and Configupdate.sh

On 4/10/17 6:55 PM, JonH67 wrote:
>
>>
>> However it is masterable. Have you had the fun of OSP and certificates
>> yet?

>
> I haven't yet, I wanted to look at the procedure for a customer and give
> an honest view. Strangely enough I have found a series of cool solutions
> going through OSP pain 😉
>
> As for the configuration, it's a new Metadirectory server with a new 4.5
> framework install, eDirectory is supplied by OES 11 SP2 eDir 8.8.8.8,
> patched to Sept 2016 release for SLES and OES. I'm using another SLES
> 11.3 server for the apps with PostGre/Tomcat-OSP-User App, I'm not
> installing SSPR, I'm using the SSPR 4.1 appliance for that due to the
> old version of the SSPR software on the 4.5 media.
>
> All I wanted to do was validate the product install routine based
> against the previous versions I've used, the latest being 4.0.2.7
> (especially 4.0.2.7 deprecating SSL) with HPD which required SSO-SAML,
> java updates, driver updates etc. It was a complex or involved process,
> but you had something working to work from and going from a working to
> broken function is much easier than multiple errors during an install
> producing a non functional environment. Testing the landing or dash page
> returns a JSON error, is this because the Apps server cannot locate the
> DN of the UA driver and the DAL because of the broken configupdate
> during install or is it indicative of the SSO client information
> missing, this is my point, too many errors that you cannot pinpoint
> easily.
>
> I'll be working my way through the various logs, but my first fix will
> have to be the ism-properties file via configupdate, I'm going to
> update the Apps, OSP and configupdate to the 4.5.4 versions. Does anyone
> have a good copy of the ism-properties they could post up? If I can't
> get the configupdate.sh to start with admin rights to the Identity Vault
> as it is now, I won't be able to update any IDV info if it's required
> and I'll have to add it manually
>
>

Greetings,

1) Please only use the configupdate from the User Application install
folder when you have all of the products installed.

2) I would suggest that in the configupdate.sh.properties file you
change the setting for debug from false to true. Then launch
configupdate in a terminal, fill in any missing properties, press OK and
then look in the terminal for an error.



--
Sincerely,
Steven Williams
Principal Enterprise Architect
Micro Focus
JonH67 Absent Member.

Re: 4.5 Identity Apps Install and Configupdate.sh


Thanks Steve

I'll switch on debug mode.

When the configupdate.sh is started during the User App gui install
routine, is that a mistake or an incorrect version?

Running the configupdate.sh again after the User App install has its
own set of problems, one is that the advanced options button on the
Identity Vault Tab is greyed out, so I can't check if the advanced
settings have been populated for the IDV, do these need to be in the ism
properties file? Also most of the SSO client information is missing, not
only secrets, but the OAuth redirect URL's OAuth Client ID's are missing
for RBPM, Reporting, DCS Driver, Catalog Administrator and SSPR, are
they written in the docs somewhere to populate them?


--
JonH67

JonH67 Absent Member.

Re: 4.5 Identity Apps Install and Configupdate.sh


Ran configupdate.sh with debug and admin=true, ran from inside a
terminal session, updated the ua driver dn, that's all I could do on the
IDV tab as no advanced options. When running configupdate the terminal
reads most of the settings for the properties files except edit_admin or
it doesn't show in the terminal.
Added all the missing SSO client information, closed configupdate,
checked ism.properties had populated the settings I could change,
couldn't see any settings for uaadmin, prov admin etc as they live under
advanced options. Restarted the server, started the drivers, no change,
illegalstateexception in catalina.out and the JSON error when accessing
/dash /landing /rra JSON error failed to get roles


--
JonH67

spsivasubramanian Absent Member.

Re: 4.5 Identity Apps Install and Configupdate.sh

JonH67;2454800 wrote:
Ran configupdate.sh with debug and admin=true, ran from inside a
terminal session, updated the ua driver dn, that's all I could do on the
IDV tab as no advanced options.



Dear Jon,

Could you please let us know from which path you're running the ./configupdate.sh utility? [I assume you're running from the /opt/netiq/idm/apps/osp_sspr/bin/bin directory instead of the UserApplication directory - that's why you're seeing the first tab named 'Identity Vault' and the 'Show Advanced options' button grayed out]

Kindly consider running ./configupdate.sh use_console=false from the UserApplication path, e.g. /opt/netiq/idm/apps/UserApplication, and populate the appropriate values:

If needed, I may send you screens and values to populate for SSO Clients tab.

Thanks and Best Regards,
SivaPrakasamS
Micro Focus.
Knowledge Partner

Re: 4.5 Identity Apps Install and Configupdate.sh

On 4/11/2017 10:05 PM, JonH67 wrote:
>
> Ran configupdate.sh with debug and admin=true, ran from inside a
> terminal session, updated the ua driver dn, that's all I could do on the
> IDV tab as no advanced options. When running configupdate the terminal
> reads most of the settings for the properties files except edit_admin or
> it doesn't show in the terminal.
> Added all the missing SSO client information, closed configupdate,
> checked ism.properties had populated the settings I could change,
> couldn't see any settings for uaadmin, prov admin etc as they live under
> advanced options. Restarted the server, started the drivers, no change,
> illegalstateexception in catalina.out and the JSON error when accessing
> /dash /landing /rra JSON error failed to get roles


What path did you run it from? I suspect you have the wrong
Configupdate.sh... The one in /opt/netiq/idm/apps/UserApplication, not
in the osp_sspr/bin directory, would be the choice.

Yes, it is confusing to have multiple instances of it.


spsivasubramanian Absent Member.

Re: 4.5 Identity Apps Install and Configupdate.sh

JonH67;2454799 wrote:

When the configupdate.sh is started during the User App gui install
routine, is that a mistake or an incorrect version?


Also most of the SSO client information is missing, not
only secrets, but the OAuth redirect URL's OAuth Client ID's are missing
for RBPM, Reporting, DCS Driver, Catalog Administrator and SSPR, are
they written in the docs somewhere to populate them?


Dear JonH,

When the configupdate.sh is started during the User App gui install
routine, is that a mistake or an incorrect version?
- This is not a mistake; as part of the UserApplication/Identity Application installer, it is expected to see the 'configupdate utility' invoked, and it is recommended to populate values at installation time. [Post installation, or at any time, we can launch the configupdate utility from the appropriate path (the UserApplication, OSP or Identity Reporting installed directories) and modify/update values accordingly]

Thanks for your doc input, I'll look for any match in doc section if not we'll give references as per your suggestion

Here below SSO clients tab reference values:

Landing:
---------
OAuth client ID: ualanding
OAuth client secret: <password>
URL link to dash page: /dash
OSP OAuth redirect url: http://<ip_addr>:<port_no_8180>/landing/com.netiq.ualanding.index/oauth.html


Dashboard:
------------
OAuth client ID: uadash
OAuth client secret: <password>
OSP OAuth redirect url: http://<ip_addr>:<port_no_8180>/dash/com.netiq.uadash.index/oauth.html
<remaining fields: defaults>


RBPM:
------
OAuth client ID: rbpm
OAuth client secret: <password>
URL link to dash page: /landing
OSP OAuth redirect url: http://<ip_addr>:<port_no_8180>/IDMProv/oauth
RBPM to eDirectory SAML configuration - No Change


Reporting:(optional, if reporting installed on same box)
-----------
OAuth client ID: rpt
OAuth client secret: <password>
URL link to dash page: /landing
OSP OAuth redirect url: http://<ip_addr>:<port_no_8180>/IDMRPT/oauth.html


DCS Driver:
------------
OAuth client ID: dcsdrv
OAuth client secret: <password>


Catalog Administrator:
-------------------------
OAuth client ID: rra
OAuth client secret: <password>
URL link to dash page: /landing
OSP OAuth redirect url: http://<ip_addr>:<port_no_8180>/rra/com.netiq.rra.index/oauth.html


Self Service Password Reset:
---------------------------------
OAuth client ID: sspr
OAuth client secret: <password>
URL link to dash page: http://<ip_addr>:<port_no_8180>/sspr/public/oauth

---
Thanks and Best Regards,
SivaPrakasamS
Micro Focus.
JonH67 Absent Member.

Re: 4.5 Identity Apps Install and Configupdate.sh


Thanks for the SSO links, I had a list of them I made previously.

I can't remember how I managed it, but I found that the error with the
configupdate during the UserApp install states that the utility cannot
update something, doesn't list what it can't update.

The Configupdate.sh I run after the install that has all the entries
missing and doesn't allow admin edit on the Identity Vault tab is the
one from the UserApp folder, I browse to it and double click-run in
terminal, just to make sure.

Has there been any change to the media iso to change/cure any of these
errors? This is a basic three step install on the 3 products required
and it simply doesn't work.


--
JonH67

spsivasubramanian Absent Member.

Re: 4.5 Identity Apps Install and Configupdate.sh

JonH67;2455004 wrote:
Thanks for the SSO links, I had a list of them I made previously.

I can't remember how I managed it, but I found that the error with the
configupdate during the UserApp install states that the utility cannot
update something, doesn't list what it can't update.

The Configupdate.sh I run after the install that has all the entries
missing and doesn't allow admin edit on the Identity Vault tab is the
one from the UserApp folder, I browse to it and double click-run in
terminal, just to make sure.

Has there been any change to the media iso to change/cure any of these
errors? This is a basic three step install on the 3 products required
and it simply doesn't work


Dear JonH,

Thanks for your confirmation and sorry for the inconvenience.

Hope you would have enabled debug flag in configupdate.sh.properties file to populate missing values as per below suggestion:


"2) I would suggest that in the configupdate.sh.properties file you
change the setting for debug from false to true. Then launch
configupdate in a terminal, fill in any missing properties, press OK and
then look in the terminal for an error."

- Also to ensure, we are running configupdate.sh utility using root Privileges.

- eDirectory is up and running on same/distributed server, hope certificates imported into java cacerts, please double confirm this as well.

Thanks and Best Regards,
SivaPrakasamS
Micro Focus.
JonH67 Absent Member.

Re: 4.5 Identity Apps Install and Configupdate.sh

Thanks

I have rebuilt my dev server from scratch, carried out the following tasks, install Tomcat and Postgresql onto the SLES11SP3 Apps server, there were no errors reported during this process, installed OSP only, I'm using the SSPR appliance and would integrate this if Identity Apps worked, as I was not using SSPR at this stage I did not select SSL or HTTPS.
An error was seen in the installer stating warnings occurred and check the logs, the log showed a non fatal warning that there was a keytool execution error, although the execute command: keytool showed a successful status.
Looking at the keytool-log showed an error where the key pair was not generated because alias <osp> already exists, I suspect this has more to do with the UserApp configupdate.sh.

I started the UserApp install, this is very similar to every RBPM install I've done over the last 8 years, the install went fine until the process spawned the configupdate.sh, I added all the IDV information and it looked ok, I clicked ok and the installer produced an error pop up saying that there was an error configuring the application server, is it ok to continue, I clicked yes to continue. There were no errors in the user_app_install_log, the NetIQ-Custom-install.log showed an error with the config tool: com.netiq.installer.idm.ldap.ConfigStoreException: ERROR storing configuration. The installer finished and I checked the ism-properties file and it was very sparse, I ran the configupdate a second time and added the information. This saved correctly as it has done every time I've run it after the install version failures.

I do believe that the auditing element has not been configured correctly by the installer process, the catalina.out file shows an error where it cannot configure logging, I ignored this thinking it was like the old jboss logs in 4.0.2, elements not configured could be ignored, but I read a forum thread that it expects certain elements of auditing to be configured correctly or it throws an illegalStateException
https://forums.novell.com/showthread.php/487321-UA-4-5-unable-configure-logging-IDMProv-fails?highlight=unable+configure+logging
Although unlike the above thread I have not configured HTTPS or SSL as this is a DEV test of the install routine compared against 4.0x. Is there an easy fix for this error as this is a clean server patched to Sept 2016 and simply doing the three product installs, there is nothing complex or difficult, yet it fails constantly.

The whole install was run as root at the server.

When installing Tomcat what is the best practice for ports? Do the Identity Apps sit on the Tomcat server as a separate application and use whatever port specified, or do you align the tomcat and IDM App ports.
spsivasubramanian Absent Member.

Re: 4.5 Identity Apps Install and Configupdate.sh

JonH67;2455223 wrote:
Thanks

I started the UserApp install, this is very similar to every RBPM install I've done over the last 8 years, the install went fine until the process spawned the configupdate.sh, I added all the IDV information and it looked ok, I clicked ok and the installer produced an error pop up saying that there was an error configuring the application server, is it ok to continue, I clicked yes to continue. There were no errors in the user_app_install_log, the NetIQ-Custom-install.log showed an error with the config tool: com.netiq.installer.idm.ldap.ConfigStoreException: ERROR storing configuration. The installer finished and I checked the ism-properties file and it was very sparse, I ran the configupdate a second time and added the information. This saved correctly as it has done every time I've run it after the install version failures.


Dear JonH,

Thanks for your detailed description.

Could you please check a couple of things at your eDirectory tree level (Identity Vault Server):

- Login to IDV tree using iManager, navigate 'View Objects' -> Expand 'Security Container'; check 'Default Notification Collection' is present? If not, Kindly deploy 'Default Notification Collection' using Designer [I assume, here we're using 'English-US Language, not Localization boxes and ensure 'Default Notification Collection' string is in 'English']

- In the same page Security Container, check 'SecretStore' got created?

- Also, ensure 'SAML Assertion method' is present in 'Authorized Login Methods, Login Policy sequence available for the same [could check the same from iMonitor as well https://<ipaddr>:8030]

When installing Tomcat what is the best practice for ports? Do the Identity Apps sit on the Tomcat server as a separate application and use whatever port specified, or do you align the tomcat and IDM App ports
<
We need to ensure, we are using free/unused ports for Tomcat webapplication server; the same port will be used for Identity Applications;
say ex: if iManager installed on the same server which listens on port 8080; before invoking convenience installation(Tomcat installer) ensure 'free port' is available ex: http/8180 and assign the same;
so iManager tomcat uses 8080; whereas Identity Apps Tomcat uses 8180 - later you could configure https/SSL channel for Identity Applications by importing right certificates in cacerts and keystores
>

Thanks and Best Regards,
SivaPrakasamS
Micro Focus.
JonH67 Absent Member.

Re: 4.5 Identity Apps Install and Configupdate.sh

Thanks for the pointers.

The Default Notification Collection is in place. The SAML assertion is in the Login Methods container, although this was not created by the configupdate.sh routine, the install configupdate and running after the install didn't update eDirectory even when setting the change to Auto. I had to extract SAML from the UA 4.0.2 Patch E and install and configure using those instructions.
According to eDirectory, the server and SSSCFG, SecretStore is all good, although the ssspolicyobject has not been created in the security Container. I'll rectify that issue and reinstall the apps from scratch.