AIMS Installation and Licensing Guide Version 9 2603 Camino Ramon Suite 110 San Ramon, CA 94583 Toll Free: 800-609-8610 Direct: 925-217-5170 FAX: 925-217-0853 Email: support@avatier.com
Limited Warranty Avatier Corporation warrants that the overall performance of the software will be substantially in accordance with its documentation. Avatier Corporation makes no warranty, representation, or promise not expressly set forth in this limited warranty. Avatier Corporation does not warrant that the software or documentation will satisfy your requirements, that the software and documentation are without defect or error, or that the operation of the software will be uninterrupted. Avatier Corporation disclaims and excludes any and all implied warranties of merchantability, title, and fitness for a particular purpose. Limitations on Liability and Remedies Avatier Corporation s liability arising from your use of the software and its documentation is limited to the total paid by or for you for the software package. Neither Avatier Corporation nor any of its licensers, employees, or agents shall be liable for any special, incidental, consequential, indirect, or punitive damages, even if advised of the possibility of those damages. This warranty gives you specific legal rights. You may have others, which vary from state to state. AIMS Installation and Licensing Guide Page 2
Table of Contents 1 AIMS INSTALLATION GUIDELINES 5 1.1 SERVER REQUIREMENTS 5 1.2 AIMS SERVER BUILD STEPS 7 1.3 SERVICE ACCOUNT REQUIREMENTS 7 1.4 DETERMINE THE LOCATION OF THE AIMS AUDIT LOGS AND AIMS CONFIGURATION FILES 8 1.5 IMPORTANT.NET AND ASPNET PERFORMANCE CONSIDERATIONS ERROR! BOOKMARK NOT DEFINED. 1.6 DR. WATSON PROCESS AND AIMS ERROR! BOOKMARK NOT DEFINED. 1.7.NET 1.1 AND.NET 2.0/3.5 RUNTIME DIFFERENCES 8 1.8 IMPORTANT INFORMATION FOR WEB AGENT (SOAP) BASED CONNECTORS 9 1.9 OBTAIN THE LATEST AIMS SOFTWARE 10 1.10 SOFTWARE INSTALLATION 11 2 LICENSING AIMS PRODUCTS 22 2.1 ACCESSING THE MAIN CONFIGURATION PAGE 22 2.2 APPLYING THE AIMS PRODUCT LICENSE 23 2.2.1 Online Licensing 23 2.2.2 Offline Licensing 25 AIMS Installation and Licensing Guide Page 3
Table of Figures Figure 1 - Avatier Identity Management Server Installation Wizard 11 Figure 2 - Click Through License Agreement 12 Figure 3 - Destination Folder Selection Screen 13 Figure 4 - AIMS Service Account Configuration 14 Figure 5 - AIMS Products Selection Screen 15 Figure 6 - Enrollment Domain Selection Screen 16 Figure 7 - Domain Selection Screen 17 Figure 8 - Web Resources Configuration Dialog 18 Figure 9 - Web Site Configuration Notes 19 Figure 10 - Installation Progress Dialog 20 Figure 11 - Installation Wizard Completion Screen 21 Figure 12 - AIMS Main Configuration Screen 22 Figure 13 - License Status Screen 24 Figure 14 - Entering License Information 25 Figure 15 - Offline License Request Data 26 Figure 16 - Locate and Import Offline License File 26 AIMS Installation and Licensing Guide Page 4
1 AIMS Installation Guidelines 1.1 Server Requirements It is strongly recommended that AIMS run on its own dedicated server Operating System: 32 Bit Operating System (2 options) Windows Server 2008 and all current Microsoft Security Patches Windows Server 2003 Standard SP2 if 4GB RAM, Enterprise edition if more than 4 GB RAM and all current Microsoft Security Patches. 64 Bit Operating System Windows Server 2008 Windows Server 2008 R2 Internet Information Server On Server 2003: IIS 6 ASPNET.NET 4.0 Runtime - The full.net 4.0 installation is required, not just the.net Client Profile component. ASPNET Allowed as a web service extension On Server 2008 IIS 7 ASPNET Basic, Windows Integrated and Anonymous access methods installed.net 4.0 Runtime - The full.net 4.0 installation is required, not just the.net Client Profile component. ASPNET allowed as a web services extension AIMS Installation and Licensing Guide Page 5
CPU and RAM: Physical Server Physical Server Minimum: Single CPU 3.0 GHz, 4 GB RAM Physical Server Recommended: Dual CPU 3.0 GHz, 8 GB RAM Virtual Server Virtual Server Minimum: Single CPU 3.0 Ghz, 4 GB RAM Virtual Server Recommended: Multiple CPU 3.0 GHz, 8 GB RAM Note: Allocation of Multiple CPUs to a virtual guest operating system does not guarantee an improvement in performance since virtualization technologies use shared CPU cycles of the host machine. Check with your virtualization system administrator for the limitations of your virtual environment AIMS Installation and Licensing Guide Page 6
1.2 AIMS Server Build Steps It is extremely important that the server preparation tasks be performed in the following order: Build the base server Install IIS 6 for Windows 2003 or IIS 7 for Windows 2008 Install the.net 4.0 Framework (full standalone version). In addition, you may want to verify that the following is not enforced in your environment for the AIMS Server or the AIMS service account that will be created: Are there any group policies in place that will prevent anonymous access to the web structure directories that require anonymous access in AIMS? If yes, you will need to make exceptions to the GPO, to allow anonymous access to the needed directory structure in AIMS Has any baseline security product been installed on the server, either for the Operating System, or IIS that would prevent anonymous access? If yes, this security policy will need adjustment. 1.3 Installation and Service Account Requirements Create an account that will be used to start the Avatier Identity Management Server service, and proxy all requests for the AIMS Suite of products. This account needs to be: A member of the "domain admins" group A member of the AIMS server's local administrator s group Granted the "logon as service" rights AIMS Installation and Licensing Guide Page 7
1.4 Determine the Location of the AIMS Audit Logs and AIMS Configuration Files AIMS Versions prior to 8.0 differ in their base installations with regard to the light weight database architecture used to store AIMS Audit Log and AIMS configuration settings. AIMS versions prior to version 8.0 stored their data in Microsoft Access format. Beginning with AIMS 8.0 all configuration and audit data is stored in VistaDB file format. After the initial installation of the AIMS suite, migrate the configuration and audit data to a more powerful database engine. AIMS supports its configuration files loaded to Microsoft SQL Server versions 2003, 2005, and 2008, as well as Oracle. Customers who have already migrated their audit log data to MS SQL Server in a prior version of AIMS can continue to write their audit log data to their existing database. Upon an upgrade of AIMS to version 9.0, all local Microsoft Access files used in the previous versions of AIMS will be converted to VistaDB format. Once you have upgraded to 9.0 or have installed AIMS 9.0 from scratch, please contact support@avatier.com for complete instructions on migrating your configuration and audit log data to Microsoft SQL Server or Oracle. 1.5.NET 1.1 and.net 4.0 Runtime differences Under the.net 1.1 runtime environment, if an error condition was detected in the application pool. the.net runtime environment logged the error, but continued to function. The.NET 4.0 runtime environment differs with respect to how multiple errors are handled..net 4.0 will actually stop and restart the application pool associated with the error. Microsoft has provided a Backward compatibility mode in the.net 4.0 runtime environment to handle situations where you want your application pool to remain active and continue services requests for the web application. Avatier recommends setting the backward compatibility mode for the.net runtime environment. To set the backward compatibility feature for.net: AIMS Installation and Licensing Guide Page 8
Use Notepad or other pure text editor to edit file C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet.config Modify <legacyunhandledexceptionpolicy enabled="false" /> to <legacyunhandledexceptionpolicy enabled="true" /> Save the changes 1.6 Important Information for Web Agent (SOAP) Based Connectors The following information is for customers who have installed and configured the AIMS web agent for the following targeted systems, and whose AIMS server is restricted from accessing the Microsoft Windows Update web site either due to firewall or other corporate restrictions. The AIMS server uses SOAP over SSL to communicate with the installed web agents on the following platforms: IBM iseries (AS400) IBM AIX LINUX HP-UX SUN SOLARIS Microsoft s Internet Explorer running on Windows Server 2003 SP2 does root certificate checking for items that communicate with a server over SSL. If the ability to access the internet to check the root certificate that is installed on the AIMS server is restricted or prohibited by corporate policy, you will need to turn off root certificate checking on the AIMS server to avoid performance degradation of the product. To turn off root certificate checking: From the AIMS server, click the start menu, then Settings/ Control Panel / Add- Remove Programs Select Add/Remove Windows Components Uncheck Update Root Certificates from the list and click the next button and follow the on-screen instructions. AIMS Installation and Licensing Guide Page 9
1.7 Obtain the Latest AIMS Software Please contact Avatier Support at support@avatier.com to obtain instructions on downloading the latest release of the AIMS 9.0 software. AIMS Installation and Licensing Guide Page 10
1.8 Software Installation Once the IIS server is properly configured, the AIMS installation file has been downloaded, and a Domain Admin Service Account has been created, the installation of Avatier Identity Management Suite can begin. Logon to the AIMS server as a Domain Admin (preferably the same account used for the AIMS Service Account). Place the AIMS installation file on the server in a temporary directory. Double-click on the AIMS installation file. The Welcome page of the Avatier Identity Management Server Installation Wizard will appear on the screen and will automatically move to the next screen after a few seconds unless CANCEL is clicked. Figure 1 - Avatier Identity Management Server Installation Wizard Make sure that all other Windows applications are closed prior to running the AIMS installation. This will prevent any common files held open by other AIMS Installation and Licensing Guide Page 11
applications from not being updated by the installation process. When all other Windows programs are closed, click on the NEXT> button. Figure 2 - Click Through License Agreement This screen displays the Avatier AIMS click through license agreement. By clicking I accept the license agreement, the trial evaluation and eventual production use of the software are governed by this widely accepted and legally tested agreement. Please read the license, scroll down to the bottom, click on the I accept radio button, and click NEXT>. AIMS Installation and Licensing Guide Page 12
Figure 3 - Destination Folder Selection Screen Choose the default location for the software installation, or browse for alternate location then click NEXT>. AIMS Installation and Licensing Guide Page 13
Figure 4 - AIMS Service Account Configuration AIMS Installation and Licensing Guide Page 14
This screen requires the AIMS Service Account credentials. AIMS and all AIMS modules including Password Bouncer Enterprise Edition will use the authority of this account to manage user accounts and passwords. Typically, the account needs to be a Windows Domain Administrator account with full permissions over each domain in which AIMS will manage accounts and passwords. The Service Account must be a member of local Administrators group on the AIMS server and be able to run locally as a service. Enter the following information in the appropriate fields: o The domain in which AIMS is being installed. o The Service Account ID. o The Service Account Domain Logon Password. o The Service Account Domain Logon Password again to confirm the password. When the information is entered click NEXT>. Figure 5 - AIMS Products Selection Screen Check / Uncheck the product selections then click NEXT>. AIMS Installation and Licensing Guide Page 15
Figure 6 - Enrollment Domain Selection Screen This screen offers the selection of the User Enrollment Domain Type. This can either be Microsoft s Active Directory or another LDAP source. AIMS Installation and Licensing Guide Page 16
Figure 7 - Domain Selection Screen This screen provides the ability to browse and select all domains AIMS will be managing. Click on the browse button to see a list of identified and available domains. Select all the domains that will be included. Additional domains can be added or removed after AIMS is installed if needed. Click NEXT> to proceed. AIMS Installation and Licensing Guide Page 17
Figure 8 - Web Resources Configuration Dialog This screen is informational and precedes the screen which will allow you to configure the web site that will be used to configure Password Bouncer. Click the Next > button to proceed. AIMS Installation and Licensing Guide Page 18
Figure 9 - Web Site Configuration Notes AIMS will install as a virtual directory under the default web site. AIMS Installation and Licensing Guide Page 19
Figure 10 - Installation Progress Dialog The progress of the installation is displayed. AIMS Installation and Licensing Guide Page 20
Figure 11 - Installation Wizard Completion Screen When the installation has completed, simply click the Finish button. AIMS Installation and Licensing Guide Page 21
2 Licensing AIMS Products 2.1 Accessing the Main Configuration Page To begin the configuration of the Avatier Identity Management Suite, access the AIMS Configuration main screen. Open a web browser. Enter the URL of the AIMS configuration. By default, this URL is: http://yourservername/aims/config. Enter your user id in the format domain\userid. Enter your password. The following screen will appear: Figure 12 - AIMS Main Configuration Screen The configuration screen of the Avatier Identity Management Suite is divided into three distinct sections. AIMS Installation and Licensing Guide Page 22
The left hand pane, called P1, is a hierarchal tree view of the AIMS product modules. The center pane, called P2, contains the options available for the items selected in P1. The right pane, called P3 will contain the configurable settings for the option selected in P2. 2.2 Applying the AIMS Product License Before beginning the configuration of any of the AIMS modules, you must first license the product for use within your organization. 2.2.1 Online Licensing If the AIMS server has a working Internet connection, and port 443 (SSL) is an allowed outbound protocol on your network: Click on Avatier Identity Management Suite in P1. Click on License Status in the P2 Options pane and the following screen will appear: AIMS Installation and Licensing Guide Page 23
Figure 13 - License Status Screen Click on the Install License button in P3. AIMS Installation and Licensing Guide Page 24
Figure 14 - Entering License Information Enter the license key that was sent to you from sales@avatier.com. Enter the email address that is associated with that license key. Click the Get License button. AIMS will connect via the Internet to the Avatier Licensing service and download the license to your AIMS server. When you receive the confirmation that the license has installed successfully, click the Restart button in P3 to restart the AIMS Web Application and apply the license. 2.2.2 Offline Licensing If no working Internet connection is available from the AIMS server due to network topology, or a firewall that restricts outbound port 443, you can still license the product; however, it becomes a two step manual process. AIMS Installation and Licensing Guide Page 25
The first step involves generating the file needed for the off-line license request and mailing it to support@avatier.com. The second step is placing the file that Avatier generates for you onto the AIMS server and importing it into the product. To generate an offline license request: Figure 15 - Offline License Request Data Fill in your company name and email address in the provided fields. Click the Offline License button. Save the file to a temporary location. Take the file and mail it to support@avatier.com. When Avatier receives the offline license request file, they will generate a license file for you, and return it to the email address you have specified in the offline license request file. Place the attached license file in a temporary location on the AIMS server. Figure 16 - Locate and Import Offline License File Click the Browse button and locate the file. Click the Import button. Once the license file has been applied, you will be returned to the License Status screen. You will need to restart the AIMS web application. Click the Restart button to perform this function. AIMS Installation and Licensing Guide Page 26