Web Portal Installation Guide 5.0
© 2011 Quest Software, Inc. ALL RIGHTS RESERVED.

This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's personal use without the written permission of Quest Software, Inc.

The information in this document is provided in connection with Quest products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest products. EXCEPT AS SET FORTH IN QUEST'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Quest does not make any commitment to update the information contained in this document.
If you have any questions regarding your potential use of this material, contact:

Quest Software World Headquarters
LEGAL Dept
5 Polaris Way
Aliso Viejo, CA 92656
email: legal@quest.com

Refer to our Web site (www.quest.com) for regional and international office information.

Patents
This product includes patent pending technology.

Trademarks
Quest, Quest Software, the Quest Software logo and Quest One Identity Manager are trademarks and registered trademarks of Quest Software, Inc in the United States of America and other countries. For a complete list of Quest Software's trademarks, please see http://www.quest.com/legal/trademarks.aspx. Other trademarks and registered trademarks are property of their respective owners.
Third Party Contributions
Quest One Identity Manager contains some third party components (listed below). Copies of their licenses may be found at http://www.quest.com/legal/third-party-licenses.aspx.

COMPONENT                        LICENSE OR ACKNOWLEDGEMENT
ExplorerCanvas Release 3         Copyright 2006 Google Inc. Apache 2.0 License.
MochiKit 1.4.2                   Copyright 2005 Bob Ippolito. All rights reserved. MIT License.
Mono.Security 2.0.3600.1         Copyright 2004 Novell, Inc. (http://www.novell.com). MIT License.
Novell.Directory.LDAP 2.1.9.0    Copyright 2003 Novell, Inc. (http://www.novell.com). MIT License.
PlotKit 0.9.1                    Copyright 2006 Alastair Tse. BSD Simple License.

Quest One Identity Manager - Web Portal Installation Guide
Updated - 21.10.11
Software Version - 5.0.2
CONTENT

Chapter 1  About this Guide
  Quest One Identity Manager ............................ 8
  Intended Audience ..................................... 8
  Documentation Manuals ................................. 8
  Conventions .......................................... 10
  About Quest Software, Inc. ........................... 10
  Contacting Quest Software, Inc. ...................... 10
  Contacting Quest Support ............................. 11

Chapter 2  Before Installing
  Web Server Installation Requirements ................. 14
  Language Pools ....................................... 14
  Language Pool Service Requests ....................... 14

Chapter 3  Installation
  Using the Web Installer .............................. 18

Chapter 4  Configuration
  Using the WebDesigner.ConfigFileEditor Tool .......... 20
  Connection and Authentication Settings ............... 20
  Logging Configuration ................................ 20
  Web Configuration .................................... 20
  Language Pool Configuration .......................... 21

Chapter 5  Web Application Maintenance
  Runtime Monitoring ................................... 24
  Security ............................................. 24
  Viewing Log Files and Exceptions ..................... 24
  Using Automatic Updates .............................. 24
  Maintenance Mode ..................................... 25
  Manual Updates ....................................... 25
1 About this Guide

- Quest One Identity Manager
- Intended Audience
- Conventions
- About Quest Software, Inc.
Quest One Identity Manager

Quest One Identity Manager streamlines the process of managing user identities, access privileges and security enterprise-wide. It empowers IAM to be driven by business needs, not IT capabilities. Quest One Identity Manager is based on an automation-optimized architecture that addresses major IAM challenges at a fraction of the complexity, time, or expense of traditional solutions.

Intended Audience

This document explains the process of setting up an Identity Manager Web Portal on a Microsoft Windows Server system. The following system prerequisites must be met in order to install the Web Portal:
- All installation prerequisites of an Identity Manager client, such as Microsoft .NET Framework version 3.5 or later
- An installed Internet Information Services (IIS) service, version 5.x or higher
- An installation of the Identity Manager database

This manual is intended for system administrators, consultants, analysts, and any other IT professionals using the product. This manual describes the default user functionality of the Web Installer. It is possible that not all the functions described here are available to you. This depends on your system configuration and permissions.

Documentation Manuals

Identity Manager documentation includes the following manuals in addition to the Web Portal Installation Guide. They can be found on the distribution CD in the directory ...\quest One Identity Manager\Documentation.

Getting Started
The main components of the Getting Started manual are:
- Installation prerequisites
- Installation and updates of Identity Manager administration tools
- Identity Manager database setup
- Configuration of administration workdesks
- Configuration of server for accessing the database
- Overview of Identity Manager administration and configuration tools
- User interface for the main Identity Manager tools
Identity Management
The main components of the Identity Management manual are:
- Identity Management and User Provisioning with Identity Manager
- Complying with and monitoring regulatory requirements using Identity Audit

Process Orchestration
The main components of the Process Orchestration manual are:
- Monitoring process handling
- Controlling process handling
- Troubleshooting

Configuration
The main components of the Configuration manual are:
- Identity Manager software architecture
- Configuration of Identity Manager data models
- System permissions configuration
- User interface configuration
- Script processing
- Creating reports
- Data transport
- System configuration parameters
- Identity Manager inheritance mechanism
- Service provisioning using Service Provisioning Markup Language (SPML)
- Provider mode

IT Shop
The main components of the IT Shop manual are:
- IT Shop for authorized employees to supply themselves with company resources
- Development of approval policies and workflows

Web Designer Reference
The main sections of the Web Designer Reference are:
- Web Portals
- Development and Configuration with the Web Designer
Conventions

In order to help you get the most out of this guide, we have used specific formatting conventions. These conventions apply to procedures, icons, keystrokes and cross-references.

ELEMENT                CONVENTION
< >                    Identifies the user interface buttons and menu entries or keystrokes on the keyboard.
Blue text              Indicates a cross-reference.
(note icon)            Used to highlight additional information pertinent to the process being described.
(best practice icon)   Used to provide Best Practice information. A best practice details the recommended course of action for the best result.
(caution icon)         Used to highlight processes that should be performed with care.
+                      A plus sign between two keystrokes means that you must press them at the same time.

About Quest Software, Inc.

Quest Software simplifies and reduces the cost of managing IT for more than 100,000 customers worldwide. Our innovative solutions make solving the toughest IT management problems easier, enabling customers to save time and money across physical, virtual and cloud environments. For more information about Quest go to www.quest.com.

Contacting Quest Software, Inc.

Email:     info@quest.com
Mail:      Quest Software, Inc., World Headquarters, 5 Polaris Way, Aliso Viejo, CA 92656, USA
Web site:  www.quest.com

Please refer to our Web site for regional and international office information.
Contacting Quest Support

Quest Support is available to customers who have a trial version of a Quest product or who have purchased a Quest product and have a valid maintenance contract. Quest Support provides unlimited 24x7 access to SupportLink, our self-service portal. Visit SupportLink at http://support.quest.com/.

From SupportLink, you can do the following:
- Quickly find thousands of solutions (Knowledgebase articles/documents).
- Download patches and upgrades.
- Seek help from a Support engineer.
- Log and update your case, and check its status.

View the Global Support Guide for a detailed explanation of support programs, online services, contact information, and policy and procedures. The guide is available at http://support.quest.com/pdfs/global Support Guide.pdf.
2 Before Installing

- Web Server Installation Requirements
- Language Pools
- Language Pool Service Requests
Web Server Installation Requirements

Microsoft Windows Operating Systems
- Windows Server 2003 Service Pack 2 or later, Windows Server 2003 R2, Windows Server 2008, or Windows Server 2008 R2 (32-bit or non-Itanium 64-bit)
- Single quad core 1.65 GHz+ processor
- 40 GB free disk space
- 4 GB RAM

Software Requirements
- Microsoft Internet Information Services 6, Microsoft Internet Information Services 7, or Apache HTTP Server 2.1
- .NET 3.5 Service Pack 1 or later

Linux Operating Systems
See the operating system vendor for the minimum requirements needed to host Apache HTTP Server 2.1.

Software Requirements
- Apache HTTP Server 2.1
- Mono 2.8

Language Pools

Identity Manager requires that one web application be installed per language. If you wish to publish the application in two languages, you need to install at least two separate applications. (By default, the Web Installer installs one application per language.)

When running multiple applications in parallel, you can define a language pool holding these applications. With a language pool, you can publish the URL of any one of the applications in the pool; you do not need to send out a different URL for every language. When a user browses to that URL, the request is automatically redirected to the correct application according to the user's preferred language.

The language pool can also be used to distribute server load equally among the language pool applications of a given language. In order to minimize downtime, it is recommended to install at least two applications per language.

Language Pool Service Requests

In order to use a language pool, the different applications must be able to communicate with each other by way of internal HTTP requests. When using Windows authentication, you must supply a user account to use for the internal language pool requests. This user account does not need to be associated with an employee in the Identity Manager database, as it is used exclusively to authenticate to IIS.

Every application in the pool polls every other application in the pool every 15 minutes (or after 1 minute if the previous request failed). The poll consists of a single request to the relative URL /AE.axd, which returns the following information about the application:
- the language
- the number of active sessions
- the maintenance mode state

If an application is in maintenance mode, it is not used as a redirect target.
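The language pool behaviour described in this chapter, as an added simulation that is not code from Quest or the Web Portal. It models the stated rules: a poll succeeds or fails and sets the next poll delay (15 minutes, or 1 minute after a failure), each member reports its language, active session count and maintenance state, members in maintenance mode are never redirect targets, and load is spread across the members of one language. Picking the member with the fewest active sessions is this example's reading of "distribute server load equally", and skipping members that have reached their "Number of users" limit (0 = unlimited) is this example's addition; the guide states neither. The pool members, their URLs and the Accept-Language headers below are constructed.

```python
"""Simulation of language-pool polling and redirect selection (added example)."""
from dataclasses import dataclass
from typing import Optional

POLL_INTERVAL_OK = 15 * 60      # seconds until the next poll after a successful request
POLL_INTERVAL_FAILED = 60       # seconds until the retry after a failed request


@dataclass
class PoolMember:
    url: str                    # constructed example URL of the application
    language: str               # language the application is installed for
    active_sessions: int = 0
    maintenance: bool = False
    max_sessions: int = 0       # "Number of users" setting; 0 means unlimited (example's check)
    reachable: bool = True      # simulated outcome of the /AE.axd request

    def poll(self) -> Optional[dict]:
        """Simulated /AE.axd answer: the three fields the guide lists, or None on failure."""
        if not self.reachable:
            return None
        return {"language": self.language,
                "sessions": self.active_sessions,
                "maintenance": self.maintenance}


def next_poll_delay(last_poll_succeeded: bool) -> int:
    """Polling schedule from the guide: 15 minutes normally, 1 minute after a failure."""
    return POLL_INTERVAL_OK if last_poll_succeeded else POLL_INTERVAL_FAILED


def preferred_language(accept_language: str, available: set) -> Optional[str]:
    """First browser language (in Accept-Language order) that the pool serves.
    Only the primary subtag is compared, so "de-AT" matches a "de" application."""
    for part in accept_language.split(","):
        tag = part.split(";")[0].strip().lower()
        if not tag:
            continue
        if tag.split("-")[0] in available:
            return tag.split("-")[0]
    return None


def select_application(pool, accept_language: str) -> Optional[str]:
    """URL to redirect the user to, or None if no usable member serves any of
    the user's languages. Unreachable members are skipped until the next poll."""
    usable = []
    for member in pool:
        data = member.poll()
        if data is None:
            continue                       # request failed: not a candidate this round
        if data["maintenance"]:
            continue                       # maintenance mode: never a redirect target
        if member.max_sessions and data["sessions"] >= member.max_sessions:
            continue                       # at its session limit (example's own check)
        usable.append((member, data))
    languages = {data["language"] for _, data in usable}
    lang = preferred_language(accept_language, languages)
    if lang is None:
        return None
    candidates = [m for m, data in usable if data["language"] == lang]
    # least-loaded member wins; ties go to the first one listed
    return min(candidates, key=lambda m: m.active_sessions).url


def example_pool():
    """Constructed pool: two languages, three servers each, with one member in
    maintenance, one unreachable and one at its session limit."""
    return [
        PoolMember("http://portal1.example/de", "de", active_sessions=40),
        PoolMember("http://portal2.example/de", "de", active_sessions=12, maintenance=True),
        PoolMember("http://portal3.example/de", "de", active_sessions=25),
        PoolMember("http://portal1.example/en", "en", active_sessions=5, reachable=False),
        PoolMember("http://portal2.example/en", "en", active_sessions=9, max_sessions=9),
        PoolMember("http://portal3.example/en", "en", active_sessions=30),
    ]


if __name__ == "__main__":
    pool = example_pool()
    for header in ("de-AT,de;q=0.9,en;q=0.5", "en-US,en;q=0.8", "fr"):
        print(header, "->", select_application(pool, header))
    print("next poll after failure:", next_poll_delay(False), "s")
```

Note that the German user is not sent to portal2 (fewest sessions, but in maintenance) and the English user is not sent to portal1 (unreachable) or portal2 (at its limit); a user whose languages are not served at all gets no redirect target, which a real pool would have to handle with a default application.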
3 Installation

- Using the Web Installer
Using the Web Installer

The preferred method of installing the web portal is to use the Web Installer (WebDesigner.Installer.exe) supplied in the setup folder. Start this tool on the server where you would like the web application to be installed. You will need to supply the following information:

- Installation source. You can choose whether to load the files from the database or to use the supplied folder.
- IIS target path. This is the IIS web site where the application(s) will be installed.
- Install dedicated application pools for each application. When this box is checked, every application is installed in its own application pool. This enables applications to be restarted independently. This option is available on systems running IIS 6.x or higher only.
- Assign file permissions. This option should remain checked. It assigns the proper file permissions on the following folders:
  - Read permission on the application folder
  - Write permission on the folders Logs, Cache, AssemblyCache and TemplateCache. These folders hold temporary data and log files.
- Service account. This setting is optional. When running several applications, the applications need to communicate with each other. When the server is configured to use Windows Authentication, you need to supply credentials for these internal requests.

The Web Installer generates the web applications and writes an appropriate web.config file to each application folder. You should be able to use the web application immediately. The Web Installer uses default values for most configuration settings. In most cases you can keep these values, but it is recommended that you verify the settings using the WebDesigner.ConfigFileEditor tool described below.
4 Configuration

- Using the WebDesigner.ConfigFileEditor Tool
- Connection and Authentication Settings
- Logging Configuration
- Web Configuration
- Language Pool Configuration
Using the WebDesigner.ConfigFileEditor Tool

The configuration of a web application is saved in the web.config file located in the root directory of the web application. The tool WebDesigner.ConfigFileEditor (WebDesigner.ConfigFileEditor.exe) is the preferred way to edit the web.config file. When you start the tool, you will need to select the web.config file of the application to configure. Connection strings and credentials are automatically encrypted in the web.config file with standard Microsoft ASP.NET cryptography.

Connection and Authentication Settings

- Database connection. Use the button SQL or Oracle to enter a new database connection. Once the connection has been established successfully, the name of the database is shown.
- Web project. This setting controls which web project is used in the web application.
- Dialog product. This is the name of the product used for authentication. Dynamic authentication modules use this information to determine effective permissions.
- Authentication module. This is the primary authentication module used to authenticate users.
- Single sign on. Certain authentication modules allow single sign on without entering additional credentials.
- Fallback module. If single sign on authentication fails, a secondary module can be used for manual login.

Logging Configuration

- Logging severity. This setting controls the minimum severity level an event must have to be logged.
- Timing. Timing log events can be logged selectively based on duration. Use this setting so that only events lasting longer than the threshold are logged.
- Logging directory. Folder for log files. The web server process must have write permission on this folder.

Web Configuration

The following settings are available.

- Logout page. This setting controls which page is shown to the user after logging off from the application. It is possible to enter any URL here.
- Close session after idle time. You can configure the application to close a session after a user has been idle for a certain duration.
- Compress HTTP transfer. If this setting is checked, all HTTP traffic is compressed.

Language Pool Configuration

The following settings are available.

- Language. This is the language associated with this application. It is one of the languages defined in the Identity Manager database.
- Runtime culture. This is the .NET culture associated with this application. It is used to localize display texts (such as server messages, error messages or numeric values) that are not controlled by the database language.
- Number of users. This is the maximum number of sessions that may be active at any time. A value of 0 means that the number of sessions is unlimited.
- Language pool applications. This list allows you to edit information about the applications in the language pool. The list may be empty if you do not use a language pool.

When using a language pool, several methods exist to determine a user's preferred language:
- Use the web browser's language information.
- Match the value of an attribute in the Identity Manager database.
5 Web Application Maintenance

- Runtime Monitoring
- Security
- Viewing Log Files and Exceptions
- Using Automatic Updates
- Maintenance Mode
- Manual Updates
Runtime Monitoring

The Identity Manager web application includes a runtime monitoring tool. It is accessed through a special URL on the web application:

    http://<server>/<application>/monitor.axd

Security

Access to this page is configured through the following setting in the web.config file. The default setting allows only members of the administrators role to access the runtime monitor.

    <location path="monitor.axd">
      <system.web>
        <authorization>
          <allow roles="builtin\administrators" />   <!-- allow administrators -->
          <deny users="*" />                         <!-- deny all other users -->
        </authorization>
      </system.web>
    </location>

For more information about changing this setting, please refer to the ASP.NET documentation.

Viewing Log Files and Exceptions

The <Log files> tab of the runtime monitor allows you to view the log files generated by the web application. You can filter these by type and search for terms. The log files also reside in physical form in the log directory specified by the configuration (typically ./logs).

The <Exceptions> tab of the runtime monitor allows you to view log messages referring to exceptions. These log messages are aggregated by exception text and sorted by descending frequency, so the top-most exception in the list is the most common one.

Using Automatic Updates

The Identity Manager web application is integrated with the Identity Manager automatic update. Please refer to the Getting Started manual for more information. It is important to understand that updating the software involves a complete restart of the web application.

The web application automatic update involves the following steps:
- The web application detects that a new software version has been loaded to the database.
- The new files are copied from the database to a temporary directory on the server.
- The automatic updater tool Updater.exe is started. It waits until the web application process has shut down. (Please refer to the IIS documentation for more information on automatic shutdowns due to inactivity.)
- Updater.exe copies the files from the temporary directory to the web application directory.
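Two statements in this guide are worth checking after every installation and update: chapter 4 says connection strings and credentials are stored encrypted in web.config with standard ASP.NET protection, and the Security section above says monitor.axd must be reachable only by the administrators role. The following audit script is an added example, not code from Quest or the Web Portal. It relies only on standard ASP.NET configuration structure: a section protected by aspnet_regiis-style encryption carries a configProtectionProvider attribute and an <EncryptedData> child instead of clear-text <add> entries, and <authorization> rules are evaluated top to bottom, so the deny-all rule must come last. The two sample web.config documents are constructed (the cipher payload is abbreviated, the connection string is a dummy).

```python
"""Audit a Web Portal web.config for encrypted credentials and a restricted
monitor page (added example; element names are standard ASP.NET)."""
import xml.etree.ElementTree as ET

# Constructed sample 1: protected connectionStrings section and the
# monitor.axd authorization block shown in the guide.
SAMPLE_GOOD = """<?xml version="1.0"?>
<configuration>
  <connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">
    <EncryptedData>
      <CipherData><CipherValue>AQAAANCMnd8BFdERjHoAwE...</CipherValue></CipherData>
    </EncryptedData>
  </connectionStrings>
  <location path="monitor.axd">
    <system.web>
      <authorization>
        <allow roles="builtin\\administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
"""

# Constructed sample 2: clear-text connection string and a monitor page
# opened to every user (both findings the audit should report).
SAMPLE_BAD = """<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="db" connectionString="Data Source=dbhost;User ID=portal;Password=dummy" />
  </connectionStrings>
  <location path="monitor.axd">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
"""


def connection_strings_encrypted(root) -> bool:
    """True if <connectionStrings> is protected by a configProtectionProvider
    and holds no clear-text <add connectionString="..."> entries."""
    cs = root.find("connectionStrings")
    if cs is None or cs.get("configProtectionProvider") is None:
        return False
    return cs.find("add") is None and cs.find("EncryptedData") is not None


def monitor_access_restricted(root, path="monitor.axd") -> bool:
    """True if the <location> for the monitor page allows only named roles or
    users and its last rule is deny users="*". A wildcard allow ("*" = everyone,
    "?" = anonymous) or a missing deny-all leaves the page open; a deny-all
    placed before the allow would lock administrators out as well."""
    for loc in root.findall("location"):
        if loc.get("path") != path:
            continue
        auth = loc.find("system.web/authorization")
        if auth is None:
            return False
        rules = list(auth)                 # comments are dropped by the parser
        allows = [r for r in rules if r.tag == "allow"]
        if not allows or any(r.get("users") in ("*", "?") for r in allows):
            return False
        last = rules[-1]
        return last.tag == "deny" and last.get("users") == "*"
    return False                            # no rule for the page: site default applies


def audit(config_text: str) -> dict:
    """Run both checks over a web.config document and report the findings."""
    root = ET.fromstring(config_text)
    return {
        "connection_strings_encrypted": connection_strings_encrypted(root),
        "monitor_access_restricted": monitor_access_restricted(root),
    }


if __name__ == "__main__":
    for name, text in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(name, audit(text))
```

To run it against a real installation, read each application's web.config from its root folder and pass the text to audit(); because one application is installed per language, every folder the Web Installer created needs to be checked, and the check should be repeated after an update, since the files are rewritten.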
Maintenance Mode

A web application may be switched to maintenance mode in order to perform maintenance work. In maintenance mode, existing sessions are not affected; however, no new sessions are accepted. Users who open the web application see the contents of the file Maintenance.html located in the root folder of the web application. You may freely edit this file to display details about the maintenance work to the user.

Maintenance mode is controlled by the presence of a file named Maintenance.mode in the root folder of the web application. Maintenance mode can also be toggled on the runtime monitor page. In maintenance mode, an application is also ignored by the integrated load balancer. You can use maintenance mode to allow an automatic update to run at a specific point in time.

Manual Updates

It is preferable to use the update process described above. However, you may also update the web application manually by using the Software Loader to copy updated files from the database to the bin folder of the web application.

Note that any write operation to the bin folder of the web application immediately causes a restart of the web application. This means that all active sessions on the application are terminated and any unsaved data is lost. For this reason, you should only update the web application manually when there are no active sessions. Only the files in the \bin folder of the web application are controlled by the automatic update.