Professional Documents
Culture Documents
Installation Guide
V7.0.2
Contact Information
RSA Link at https://community.rsa.com contains a knowledgebase that answers common questions and provides
solutions to known problems, product documentation, community discussions, and case management.
Trademarks
RSA, the RSA Logo, and EMC are either registered trademarks or trademarks of EMC Corporation in the United States and/or
other countries. All other trademarks used herein are the property of their respective owners. For a list of EMC trademarks, go
to www.emc.com/legal/emc-corporation-trademarks.htm#rsa .
License agreement
This software and the associated documentation are proprietary and confidential to EMC, are furnished under license, and may
be used and copied only in accordance with the terms of such license and with the inclusion of the copyright notice below. This
software and the documentation, and any copies thereof, may not be provided or otherwise made available to any other person.
No title to or ownership of the software or documentation or any intellectual property rights thereto is hereby transferred. Any
unauthorized use or reproduction of this software and the documentation may be subject to civil and/or criminal liability.
This software is subject to change without notice and should not be construed as a commitment by EMC.
Third-party licenses
This product may include software developed by parties other than RSA. The text of the license agreements applicable to third-
party software in this product may be viewed by launching the RSA Identity Governance and Lifecycle product and selecting
the About menu.
Note on encryption technologies
This product may contain encryption technology. Many countries prohibit or restrict the use, import, or export of encryption
technologies, and current use, import, and export regulations should be followed when using, importing or exporting this
product.
Distribution
Use, copying, and distribution of any EMC software described in this publication requires an applicable software license. EMC
believes the information in this publication is accurate as of its publication date. The information is subject to change without
notice.
THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." EMC CORPORATION MAKES NO
REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS
PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR
FITNESS FOR A PARTICULAR PURPOSE.
Copyright © 2017 EMC Corporation. All Rights Reserved. Published in the USA.
June 2017
Installation Guide
Contents
Preface 8
About This Guide 8
Documentation Set 8
Support and Service 8
Chapter 1: Installation Scenarios 9
Application Server Cluster Support for RSA Appliance and Soft Appliance 10
Chapter 2: Installation Prerequisites 11
Supported Browsers 11
Port Requirements 11
Remote Agent Requirements 12
Verify Prerequisites for a Customer-Supplied Database 12
Download Installation Files for Your Database 12
Plan the Remote Database Configuration 13
Verify Prerequisites for an RSA Appliance 14
RSA Appliance Components 14
Soft Appliance Requirements 15
Hardware Requirements for the Soft Appliance 15
Operating System Requirements for the Soft Appliance 16
Customer-Supplied Database Requirements for the Soft Appliance 17
Time Server Requirement for the Soft Appliance 17
Verify Prerequisites for Installing on WebSphere 17
Customer-Supplied Database Configuration for WebSphere Installations 18
WebSphere Application Server Requirements 18
Verify Prerequisites for Installing on WebLogic 19
Customer-Supplied Database Configuration for WebLogic Installations 20
WebLogic Application Server Requirements 20
Chapter 3: RSA Appliance Installation 22
Install the Appliance 22
Configure Appliance Network Settings 23
Log on to RSA Identity Governance and Lifecycle 25
Apply the Latest Operating System and Database Patch Updates to an Appliance 25
Confirm the Setting for the Encryption Key Directory 26
Using Non-restrictive Mode for the Encryption Key Directory 27
Error Messages 28
Implement Security Best Practices 30
Check SSL/TLS Settings for Secure Communication Ports 30
Using a Signed Certificate for HTTPS Access to RSA Identity Governance and Lifecycle 31
Check Security Settings for RSA Identity Governance and Lifecycle 35
Setting Up User Access to RSA Identity Governance and Lifecycle 35
Chapter 4: Soft Appliance Installation 37
Download the RSA Identity Governance and Lifecycle Installation Files 37
Before You Begin 37
Copy the Installation Files to the Installation Host 39
3
Installation Guide
4
Installation Guide
5
Installation Guide
Install the AFX Server Using an Archive Downloaded from RSA Identity Governance and
Lifecycle 125
Install the AFX Connector Packages 128
Appendix A: Security and Authentication Management (RSA Appliance
and Soft Appliance) 130
Working with Keystores and Certificates 130
Keytool 131
Ciphers 132
Managing the Keystore 132
List Your Certificates in the Keystore 132
Change the Default Aveksa Keystore Password 132
Change the Truststore Password 134
Back Up and Restore Default HTTPS Certificates 134
Migrating Certificates to SHA-256 135
Migrate the RSA Identity Governance and Lifecycle Server Certificate to SHA-256 136
Establishing a Secure LDAP/AD Connection for a Data Collector 136
Export the Application Server's Public Certificate 136
Import LDAP/AD system Certificates into the Application Server Keystore 137
Appendix B: Troubleshooting 138
Troubleshooting an RSA Appliance or Soft Appliance 138
Overview 138
Installation 139
Start Up 140
Runtime 142
Certificate and Keystore Management 142
Troubleshooting a WebSphere Installation 146
Overview 146
Deployment 147
Start Up 149
Runtime 153
Post-Deployment or Upgrade of RSA Identity Governance and Lifecycle 153
Troubleshooting a WebLogic Installation 154
Overview 154
Deployment 155
Start Up 157
Runtime 159
Post-Deployment of RSA Identity Governance and Lifecycle 161
Appendix C: Maintenance 162
Maintaining an RSA Appliance or Soft Appliance 162
Back Up the RSA-Supplied Database 163
Import the AVUSER Schema/Data for a Database Restoration/Load 164
Migrating the Database 168
Operating System Installation Overview 169
Firewall Configuration for SUSE 178
Firewall Configuration for Red Hat 179
Mount an External Drive 181
Check for Running Tasks on an Appliance or Server 182
Determining the Oracle ASM Partition 182
6
Installation Guide
7
Installation Guide
Preface
Documentation Set
The latest product documentation is always available at
https://community.rsa.com/community/products/governance-and-lifecycle.
Document Description
Release Notes What's new in the release, fixed issues, known issues and
workarounds.
Upgrade and Migration Guide Instructions for upgrading your product version and data.
Online Help All concepts and instructions you need to configure and use the
product.
Preface 8
Installation Guide
Scenario Description
RSA Appliance RSA-supplied hardware with all required components (operating system,
database, application server and RSA Identity Governance and Lifecycle)
pre-installed. Provides Oracle as the local database.
Soft Appliance RSA Identity Governance and Lifecycle software installed on customer-
supplied hardware that meets minimum physical requirements and runs a
supported operating system. The Soft Appliance installation includes the
application server and RSA Identity Governance and Lifecycle. It can also
provide Oracle as the local database, or you can use your own Oracle
database (referred to as a remote database).
Access Fulfillment AFX automates the access request fulfillment process by executing the
Express (AFX) fulfillments at the target endpoints. For AFX installation scenarios and
information on installing AFX, see AFX Installation.
For each scenario, this guide provides instructions for the following environments.
l Development: Used for staging functional testing. Not for large multi-user environments.
l Soft Appliance. You can install multiple Soft Appliances that use the same customer-supplied
database.
For more information, see the RSA Identity Governance and Lifecycle Solution Integration Guide:
Configuring Wildfly Clustering.
Browser Version
Port Requirements
RSA Identity Governance and Lifecycle uses the following ports:
Port Use
22 SSH connections
8443 Secure connection (using Secure Sockets Layer (SSL) and secure
cookies) when you access RSA Identity Governance and
Lifecycle. (default)
2. Edit the agent configuration file to change the hostname from localhost to the hostname of the
RSA Identity Governance and Lifecycle server, or in a clustered environment, the System
Operations Node (SON).
l Ensure that your remote Oracle 12.1.0.2.0 database has all up-to-date Oracle patches installed.
Procedure
1. Log in to RSA Link at https://community.rsa.com/community/products/governance-and-lifecycle.
2. Download the following files to the RSA Appliance or Soft Appliance machine.
l instantclient-basiclite-linux-x64-12.1.0.2.0.zip
l instantclient-sqlplus-linux-x64-12.1.0.2.0.zip
Oracle
listener
hostname
Oracle
listener
port
number
Oracle
SID
Use the following table to record additional configuration parameters listed in the next table if your
installation meets any of the following conditions:
l You are installing a Soft Appliance and the Oracle 12.1.0.2 database uses an Oracle Service
Name that is different than the Oracle SID.
l You are installing RSA Identity Governance and Lifecycle on WebLogic server.
l You are installing RSA Identity Governance and Lifecycle on WebSphere server.
AVUSER password
AVDWUSER password
ACMDB password
Note: If you created the database instance with non-default names for the database users, you must
use the same usernames and passwords when prompted during installation.
l Keyboard
l Crossover cable
RAM 48 GB 48 GB
Installation script checks for 4GB and Installation script checks for 4GB and
minimally 50 MB free for installation; minimally 50 MB free for installation;
swap space up to 16 GB. swap space up to 16 GB.
Processor Intel E5-2400 Quad Core Dual Intel E5-2400 Quad Core
If you are installing Access Fulfillment Express (AFX), you need additional disk space for AFX
software, connectors, and log files. The following table lists the AFX requirements.
AFX Installation 5 GB
/root 5.1 GB
/home 1 GB
/home/oracle 5.2 GB
/home/admin 1 GB
/u01 5.2 GB
Note: RSA Identity Governance and Lifecycle soft appliance using an RSA-supplied database does
not support automatic storage management (ASM).
Required Packages
Verify that required Oracle packages are installed on the same machine as the RSA Identity
Governance and Lifecycle software.
l See the "Package Requirements for Oracle Management Service" section at
http://docs.oracle.com/cd/E29505_01/install.1111/e22624/preinstall_req_packages.htm
l See the "Configuring Operating Systems for Oracle Grid Infrastructure and Oracle RAC" section
at http://docs.oracle.com/database/121/CWLIN/prelinux.htm#CWLIN168
Verify Availability of Required IDs for Operating System Users and Groups
The following tables list the operating system users and groups the installation script creates for
RSA Identity Governance and Lifecycle and the IDs they require.
datadir 502
Verify that the required IDs for them are available before you run the installation script. If the IDs
are used for other users or groups, you must free them for use by RSA Identity Governance and
Lifecycle users and groups before you install.
Component Requirement
WebSphere Either of the following:
Version
l IBM WebSphere Application Server Edition 8.5.5 Fix Pack 2
Component Requirement
Database An Oracle 12.1.0.2 instance configured to support RSA Identity Governance
and Lifecycle.
For more information about database requirements, see Verify Prerequisites
for a Customer-Supplied Database.
For instructions on configuring the remote, customer-supplied database, see
the Database Setup and Management Guide.
Disk Space 600 MB available for RSA Identity Governance and Lifecycle
l RSA recommends that the RSA Identity Governance and Lifecycle application is the sole
application running on a server instance to ensure that the memory requirements are met.
l In a clustered environment, each node must have a unique name. The display name of the server
instance in WebSphere is used as the unique node name in RSA Identity Governance and
Lifecycle.
l Machine name
l Node name
l Server name
l Bootstrap address
Component Requirement
WebLogic 12.1.3 or greater
Version
Disk Space 600 MB available for RSA Identity Governance and Lifecycle
AVUSER password:
ACMDB password:
AVDWUSER password:
AVPERF username/password:
Oracle Database SID:
Oracle Host listener:
Oracle Listener Port:
Distribution path for RSA software:
In a clustered environment, the following information is also required for each node in the cluster.
You can see the server information in the WebLogic Administration Console under Environment >
Servers.
l RSA recommends that the RSA Identity Governance and Lifecycle application is the sole
application running on a server instance to ensure that the memory requirements are met.
l In a clustered environment, each node must have a unique name. The display name of the server
instance in WebLogic is used as the unique node name in RSA Identity Governance and
Lifecycle.
l Listening address
l Listening port
4. Apply the Latest Operating System and Database Patch Updates to an Appliance
Important: to our legacy customers with existing hard appliance with RHEL5u8 OS with prior 7x
versions of ACM, please review the following documents before you begin:
We no longer provide hard appliance with red hat OS. All our hard appliance are pre-configured and
shipped with SUSE (SLES 11 SP4) OS. Please contact support for EOPS Policy and extended
support.
Verify the hardware, software, and database requirements described in Chapter 2, Installation
Prerequisites.
Procedure
1. Using the provided rack and bezel, install the appliance hardware in a secure area.
Note: The operating system is pre-installed on the RSA Appliance. If you need to re-install and
configure the SUSE operating system, see the Operating System Installation Overview section in
Appendix C.
Refer to the Appliance Network Configuration sheet that shipped with the appliance for this
information. You may still need, or want, to modify this configuration information.
Procedure
1. Log on to the appliance in one of the following ways:
l Log on using the iDRAC IP address listed on the Appliance Network Configuration sheet.
where <new password> is the new password that you want to use for the admin
account.
Important: The modifyhostname.sh script re-creates the server-side certificates with the
new hostname. If the installation includes the AFX module, you must re-create its client
certificates to include the new hostname. For more information, see Change an AFX Server
SSL Certificate in the Help.
a. Enter
sudo bash setnameserver.sh <ns1> <ns2>
where <ns1> is the first name server and <ns2> is the backup name server.
Where:
l <IP> is the IP address of the appliance
where <timezone> is the abbreviation of a country and city in the same geographic location as
the appliance. For a list of valid time zone abbreviations, see /usr/share/zoneinfo.
For example, to set the time zone for an appliance located in New York, enter
sudo setlocaltime America/New_York
8. After reboot, you must restart Oracle database services and RSA Identity Governance and
Lifecycle. Enter
sudo service aveksa_server startoracle
sudo service aveksa_server start
Procedure
1. On the appliance, open a browser, then enter the following URL:
https://<installation machine IP address>
4. When prompted, enter the new password for the AveksaAdmin user in the New Password box.
The password must contain at least eight characters, including one upper and one lower case
character, and one number.
6. Click OK.
Apply the Latest Operating System and Database Patch Updates to an Appli-
ance
Important: The appliance updater does not patch the RSA Identity Governance and Lifecycle
application.
It is important to keep the operating system and database components of an RSA Identity
Governance and Lifecycle appliance up-to-date with the latest patches. RSA provides the Appliance
Updater to achieve that goal. It bundles a certified patch set for the operating system (SUSE or Red
Hat) of an RSA appliance and the database on the appliance. Downloading and running these
patches closes vulnerabilities and addresses bugs.
The patches are provided in a compressed file (rsaimg_updater_<release quarter>_
<platform>.tar.bz2) and posted on RSA Link at
https://community.rsa.com/community/products/governance-and-lifecycle.
Download and apply the appliance updater patches on a regular basis as new patches are released.
For more information, see the RSA Identity Governance and Lifecycle Appliance Updater Guide.
Procedure
1. Log in as root.
2. Make sure you have a directory for storing the encryption key. For security purposes, the
directory should have the following settings:
l If the directory already exists, set its permissions to 700 (rwx------) and make sure that the
directory is owned by the same user under which RSA Identity Governance and Lifecycle is
running.
l If the directory does not exist, the parent directory must be writable for the user under which
RSA Identity Governance and Lifecycle is running. In this case, RSA Identity Governance
and Lifecycle will create the directory with the correct permissions.
l For a cluster, this same directory also needs to exist on each of the nodes.
3. Confirm that the Java system property "rsavialg.security.keydir" is set to the appropriate
directory. Use the steps for your platform in the following table to confirm or add the setting.
Platform: Instructions:
Platform: Instructions:
The default value for the directory is "/home/oracle/security" You should change
this to the directory where you will store the encryption key
The setting on the domain controller will be propagated to the other nodes in the
cluster. Make sure you have the same encryption key directory on each of the
nodes.
4. Create a secure backup process to back up the keys in the encryption key directory. RSA Identity
Governance and Lifecycle generates these keys and stores them only in the designated directory.
Important: If the keys are lost, any data encrypted with those keys will be irrecoverable. The
backup process should ensure that the keys are not compromised during the backup or after they
are in the backup location.
Note: Anytime that you change the value of the Java system property after the keys have already
been created (meaning after you configured the property and brought the system up), you must bring
down the system and move the keys to the new location before bringing up the system again.
Procedure
1. Add the "rsavialg.security.strict.permissions.disabled" property to system properties and set the
value to "true" as shown for the platform type:
Platform: Instructions:
Platform: Instructions:
values:
<system-properties>
<property name="rsavialg.security.keydir" value="/home/oracle/security"/>
<property name="rsavialg.security.strict.permissions.disabled" value="true"/>
</system-properties>
l If the directory already exists, set its permissions such that the user (owner of the process
under which RSA Identity Governance and Lifecycle is running) has “rwx” access into this
directory. The owner of the directory need not be the same as the owner of the application
process, but the owner of the application process must be able to read and write into this
directory. This means “rwx” permissions have to be set for the appropriate file permission
field (owner, group, all) , which will allow the application process full access.
l If the directory does not exist, it is recommended that you create it. Set up the permissions on
the directory as specified in the previous item.
l If the directory does not exist and you do not create it, the application will attempt to create
the directory on first startup using default permissions and the directory will be owned by the
same user as the application process.
Error Messages
The following table lists error messages that might display (in the AveksaServer.log) after you
configure the encryption key directory. The table lists default directory paths for the master
encryption key directory (/home/oracle/security) and its parent directory (/home/oracle). The
suggested actions are performed on the RSA Identity Governance and Lifecycle host.
KEK_ERROR_ The parent directory /home/oracle for Change permissions on the specified
PARENT_ the specified encryption key storage encryption key directory to allow
DIRECTORY_ directory /home/oracle/security is not RSA Identity Governance and
IS_NOT_ writable. Lifecycle to write to the directory.
WRITABLE
KEK_ERROR_ The parent /etc/hosts for the specified Specify a directory path for the
PARENT_IS_ encryption key storage directory encryption key directory.
A_FILE /etc/hosts/security is a file, not a
directory.
KEK_ERROR_ A file already exists with the same path Specify a directory location, not a
FILE_ as the specified encryption key storage file location.
ALREADY_ directory /etc/hosts.
EXISTS
KEK_ERROR_ Could not create the encryption key Create the directory, set permissions
COULD_NOT_ storage directory /home/oracle. to allow RSA Identity Governance
CREATE_ and Lifecycle to read from and write
DIRECTORY to the directory, and specify the
encryption key directory again.
KEK_ERROR_ The encryption key storage directory Verify that directory permissions
DIRECTORY_ /home/oracle is not writable. allow RSA Identity Governance and
IS_NOT_ Lifecycle to write to the directory.
WRITABLE
KEK_ERROR_ The encryption key storage directory Create the directory, set permissions
DIRECTORY_ /home/oracle does not exist. to allow RSA Identity Governance
DOES_NOT_ and Lifecycle to read from and write
EXIST to the directory, and specify the
encryption key directory again.
KEK_ERROR_ The encryption key storage directory Verify that directory permissions
INVALID_ /home/oracle must have rwx------ (700) allow RSA Identity Governance and
DIRECTORY_ permissions. Please refer to the Lifecycle to write to the directory.
PERMISSIONS installation documentation for a system Alternatively, you can set a system
property that can be set to remove this property to remove this restriction.
restriction. See "Using Non-restrictive Mode for
the Encryption Key Directory" in the
previous section.
l Check Security Settings for the RSA Identity Governance and Lifecycle Application
Port Communications from a web browser or web services to RSA Identity Governance and
8443 Lifecycle. By default, port 8443 supports all TLS versions (v1, v1.1, v1.2). A client can
connect using any of the supported versions. If you want to force use of the latest TLS
version, see the procedure below.
Port Internal communications with AFX and remote agents. By default, port 8444 uses the latest
8444 TLS version (v1.2 ) and enforces that AFX and remote agents use the same version.
If you force use of TLSv1.2, users must use browser supports this protocol. The following browsers
support TLSv1.2:
Browser Version
Perform the following procedure to use TLSv1.2 for browser and web service communication (port
8443) and communication with AFX and remote agents (port 8444).
Procedure
1. Access the RSA Identity Governance and Lifecycle machine using SSH.
2. Log on as root.
l To restart RSA Identity Governance and Lifecycle and begin using TLSv1.2 immediately,
enter Yes.
l If you do not want to restart the application, enter No. RSA Identity Governance and
Lifecycle uses the previously configured protocol until the next restart.
Using a Signed Certificate for HTTPS Access to RSA Identity Governance and
Lifecycle
When you connect to RSA Identity Governance and Lifecycle using a browser, the RSA Identity
Governance and Lifecycle server identifies itself using a certificate. RSA recommends that you use
a signed certificate to provide the most secure communications.
A self-signed certificate is installed with the product. Though the self-signed certificate enables an
HTTPS connection, the client browser will always display a certificate warning before it allows a
user to connect. Replace the self-signed certificate with a certificate signed by a Certificate
Authority (CA).
For more information, see Working with Keystores and Certificates.
This section describes how to obtain a CA-signed certificate and use it to identify the server.
You can generate a new request and have the certificate signed by an internal CA, or you can
request a server certificate to be signed by a well-known CA to replace the default RSA Identity
Governance and Lifecycle self-signed server certificate.
Your company might require further configuration for the trusted CA or RSA Identity Governance
and Lifecycle server certificates on the application server.
Important: When using an RSA Identity Governance and Lifecycle server certificate signed by an
external or internal CA, you must add the trusted root CA certificate file to the truststore prior to
uploading the server certificate file. Browsers and application servers often contain CA root
certificates from well known CAs. Users may be required to import the root/intermediate CA
certificate file to their web browsers if the CA is not known. See the web browser documentation for
more information.
4. Import Signed Server Certificate into the RSA Identity Governance and Lifecycle Keystore
Procedure
1. Log on as the oracle user, then go to the keystore directory:
cd /home/oracle/keystore
For example:
keytool -genkeypair -keysize 2048 -validity 18000 -alias mycorpServer -
dname "CN=acm-
server.mycorp.com,OU=Aveksa,O=MyCorp,L=Waltham,S=Massachusetts,C=US" -
keyalg RSA -keypass Av3k5a15num83r0n3 -storepass Av3k5a15num83r0n3 -
keystore aveksa.keystore
This example defines in the FQDN a server on which RSA Identity Governance and Lifecycle is
running, a key size of 2048, and the length of time the certificate is valid (18000 days or ~50
years). The alias is myCorpServer.
The alias cannot be the same as the alias used by any existing certificate. Also the CN value
must be the exact URL from which RSA Identity Governance and Lifecycle will be accessed; if
RSA Identity Governance and Lifecycle is accessed from any other address, the certificate does
not secure the connection. If it is accessed from multiple URLs on the same server, a separate
certificate must be generated for each URL.
Procedure
1. Log in as the oracle user, then go to the following directory:
cd /home/oracle/keystore
Procedure
1. Log in as root, then go to the truststore directory. For example:
cd $JAVA_HOME/jre_openjdk/lib/security
cp cacerts cacerts.backup
For example:
keytool -import -v -noprompt -trustcacerts -alias ACMEROOT -file ACME-
Root.cer -storepass changeit -keystore cacerts
Step 4: Import a Signed Server Certificate into the RSA Identity Governance and Lifecycle Key-
store
Procedure
1. Log in as the oracle user, then run the following commands:
cd /home/oracle/keystore
keytool -import -v -noprompt -trustcacerts -alias <server-cert-alias> -
file <Server_cert_file> -storepass Av3k5a15num83r0n3 -keystore
aveksa.keystore
where
<server-cert-alias> is the alias you specified for the server certificate.
<Server_cert_file> is the signed server certificate file.
2. To verify that RSA Identity Governance and Lifecycle is using the new certificate, enter:
keytool -list -v -storepass Av3k5a15num83r0n3 -keystore aveksa.keystore
3. In the list of certificates, verify that Certficate[1] uses the alias of the new certificate and that
other certificates listed (Certificate[2], Certificate[3] and so on), are part of the certificate chain
of the new certificate.
4. If Certificate[1] uses the alias of the old certificate, delete the old certificate. Enter
keytool -delete -alias <old-cert-alias> -storepass Av3k5a15num83r0n3 -
keystore aveksa.keystore
acm restart
6. Verify that the new certificate is used when you access the application through a browser.
b. View the certificate information in the browser. Most browsers display a lock icon in the
URL bar that you can click to display certificate and security information.
c. If there is no root certificate, restart RSA Identity Governance and Lifecycle to register the
root certificate.
d. If the certificate information indicates that the root certificate is not trusted, either of the
following conditions may apply:
l The wrong root certificate was imported. In this case, you must obtain the correct root
certificate from the CA, import it into cacert, restore the aveksa.kesytore backup and
perform the steps in Setting Up a Signed Certificate for HTTP Access to RSA
Governance and Lifecycle.
l The signed certificate was imported before the trusted root certificate was imported. In
this case, you must restore the aveksa.kesytore backup and perform the steps in Setting Up
a Signed Certificate for HTTP Access to RSA Governance and Lifecycle.
l XSS/Scripting Security
The default settings comply with security best practices. For information about these settings, click
Help on the Security settings page.
l An LDAP-compliant authentication source, for example an Active Directory server. In this case,
RSA Identity Governance and Lifecycle collects account or identity data for all users who require
access. You must configure the account or identity collectors.
For instructions on setting up an authentication source, see Managing Log On Authentication Sources
in Help.
l You must have a valid license for RSA Identity Governance and Lifecycle.
Procedure
1. Download the following installation files:
f. Click Download Software (it may take a minute to display the Product List).
g. Click RSA Identity Governance and Lifecycle (formerly Aveksa) - Version Upgrades.
The Current tab lists the most recent release. The Archive tab lists previous releases.
l wildfly-8.2.0.Final.tar
l openjdk17_v002.tar.bz2
l aveksa-<product-version>.tar.bz2
l instantclient-basiclite-linux.x64-12.1.0.2.0.zip
l instantclient-sqlplus-linux.x64-12.1.0.2.0.zip
2. If you are using an RSA-supplied database, go back one screen, select Hardware Appliance
Version 7.0SP1, then download these files:
l linuxamd64_12102_database_1of2.zip
l linuxamd64_12102_database_2of2.zip
l linuxamd64_12102_grid_1of2.zip
l linuxamd64_12102_grid_2of2.zip
l oracle_12.1.0.2_patches_v001.zip
l asmlib-008_x64.tar.bz2
l cvupack_Linux_x86_64.zip
Note: If the /tmp/aveksa/packages directory already exists, delete any files in the directory.
4. Verify that the compressed package files you downloaded were not corrupted during the file
transfer. Run the following commands in the /tmp/aveksa/packages directory:
The commands list the packages and indicate if errors were detected.
l Network settings
l System configurations
The script displays information about the checks, and it indicates if a requirement is not met. After
you resolve the requirement, you can run the script again.
Installation scripts and any installation errors are recorded in the install log (/tmp/aveksa-install.log).
Procedure
1. Log in as root.
If you are installing the Access Fulfillment Express (AFX) module (if licensed), enter
./install.sh -afx
Note: The -afx option installs AFX. You do not need to run a separate AFX installation.
6. Specify the location of the package files. If the suggested directory is correct, press Enter.
7. When prompted, enter N if you want to install RSA Identity Governance and Lifecycle with a
local database, or Y to install your own remote Oracle database.
If you entered Y, you will be prompted to provide information to identify your Oracle database.
See Plan the Remote Database Configuration for a list of the parameters (such as Oracle listener
hostname, port, SID, database users) that you need to input.
Note: If you created the database instance with non-default names for the database users, you
must use the same user names and passwords when prompted.
The installation begins. A summary displays the location of the package files, and information
about the Oracle database configuration..
8. If the summary of install information is correct for your system, enter "yes" at the following
prompt:
Does this match your current install information (yes or no)?
9. If the summary of install information is incorrect, enter "no." The installation prompts you to
provide the correct information for each item.
The version number and build number are displayed.
10. If you want to install the version shown on the screen, enter yes.
When the installation is finished, it displays a summary of the installation and the following message:
Installation Completed
For information about actions performed during the installation, see the install log (/tmp/aveksa-
install.log).
Procedure
1. On the appliance, open a browser and enter the following URL:
https://<Fully Qualifed Domain Name (FQDN) or IP address>
4. When prompted, enter a new password for this user in the New Password box.
This password must contain at least 8 characters, including one upper and one lower case
character, and one number.
6. Click OK.
It is important to keep the operating system and database components of an RSA Identity
Governance and Lifecycle appliance up-to-date with the latest patches. For a Soft Appliance, RSA
provides the Appliance Updater, which bundles a certified patch set for an RSA-supplied Oracle
database. Downloading and running these patches closes vulnerabilities and bugs.
Note: The customer-supplied operating system should be updated regularly with patches supplied by
the vendor.
Procedure
1. Log in to the system as an administrator with root privileges.
2. Make sure you have a directory for storing the encryption key. For security purposes, the
directory should have the following settings:
l If the directory already exists, set its permissions to 700 (rwx------) and make sure that the
directory is owned by the same user under which RSA Identity Governance and Lifecycle is
running.
l If the directory does not exist, the parent directory must be writable for the user under which
RSA Identity Governance and Lifecycle is running. In this case, RSA Identity Governance
and Lifecycle will create the directory with the correct permissions.
l For a cluster, this same directory also needs to exist on each of the nodes.
3. Confirm that the Java system property "rsavialg.security.keydir" is set to the appropriate
directory. Use the steps for your platform in the following table to confirm or add the setting.
Platform: Instructions:
4. Create a secure backup process to back up the keys in the encryption key directory. RSA Identity
Governance and Lifecycle generates these keys and stores them only in the designated directory.
Important: If the keys are lost, any data encrypted with those keys will be irrecoverable. We
recommend that you create a secure backup process for the keys and store the backup in a secure
location.
Note: Anytime that you change the value of the Java system property after the keys have already
been created (meaning after you configured the property and brought the system up), you must bring
down the system and move the keys to the new location before bringing up the system again.
Procedure
1. Add the "rsavialg.security.strict.permissions.disabled" property to system properties and set the
value to "true" as shown for the platform type:
Platform: Instructions:
l If the directory already exists, set its permissions such that the user (owner of the process
under which RSA Identity Governance and Lifecycle is running) has “rwx” access into this
directory. The owner of the directory need not be the same as the owner of the application
process, but the owner of the application process must be able to read and write into this
directory. This means “rwx” permissions have to be set for the appropriate file permission
field (owner, group, all) , which will allow the application process full access.
l If the directory does not exist, it is recommended that you create it. Set up the permissions on
the directory as specified in the previous item.
l If the directory does not exist and you do not create it, the application will attempt to create
the directory on first startup using default permissions and the directory will be owned by the
same user as the application process.
Error Messages
The following table lists error messages that might display (in the AveksaServer.log) after you
configure the encryption key directory. The table lists default directory paths for the master
encryption key directory (/home/oracle/security) and its parent directory (/home/oracle). The
suggested actions are performed on the RSA Identity Governance and Lifecycle host.
KEK_ERROR_ The parent directory /home/oracle for Change permissions on the specified
PARENT_ the specified encryption key storage encryption key directory to allow
DIRECTORY_ directory /home/oracle/security is not RSA Identity Governance and
IS_NOT_ writable. Lifecycle to write to the directory.
WRITABLE
KEK_ERROR_ The parent /etc/hosts for the specified Specify a directory path for the
PARENT_IS_ encryption key storage directory encryption key directory.
A_FILE /etc/hosts/security is a file, not a
directory.
KEK_ERROR_ A file already exists with the same path Specify a directory location, not a
FILE_ as the specified encryption key storage file location.
ALREADY_ directory /etc/hosts.
EXISTS
KEK_ERROR_ Could not create the encryption key Create the directory, set permissions
COULD_NOT_ storage directory /home/oracle. to allow RSA Identity Governance
CREATE_ and Lifecycle to read from and write
KEK_ERROR_ The encryption key storage directory Verify that directory permissions
DIRECTORY_ /home/oracle is not writable. allow RSA Identity Governance and
IS_NOT_ Lifecycle to write to the directory.
WRITABLE
KEK_ERROR_ The encryption key storage directory Create the directory, set permissions
DIRECTORY_ /home/oracle does not exist. to allow RSA Identity Governance
DOES_NOT_ and Lifecycle to read from and write
EXIST to the directory, and specify the
encryption key directory again.
KEK_ERROR_ The encryption key storage directory Verify that directory permissions
INVALID_ /home/oracle must have rwx------ (700) allow RSA Identity Governance and
DIRECTORY_ permissions. Please refer to the Lifecycle to write to the directory.
PERMISSIONS installation documentation for a system Alternatively, you can set a system
property that can be set to remove this property to remove this restriction.
restriction. See "Using Non-restrictive Mode for
the Encryption Key Directory" in the
previous section.
l Check Security Settings for the RSA Identity Governance and Lifecycle Application
Port Communications from a web browser or web services to RSA Identity Governance and
8443 Lifecycle. By default, port 8443 supports all TLS versions (v1, v1.1, v1.2). A client can
connect using any of the supported versions. If you want to force use of the latest TLS
version, see the procedure below.
Port Internal communications with AFX and remote agents. By default, port 8444 uses the latest
8444 TLS version (v1.2 ) and enforces that AFX and remote agents use the same version.
If you force use of TLSv1.2, users must use browser supports this protocol. The following browsers
support TLSv1.2:
Browser Version
Perform the following procedure to use TLSv1.2 for browser and web service communication (port
8443) and communication with AFX and remote agents (port 8444).
Procedure
1. Access the RSA Identity Governance and Lifecycle machine using SSH.
2. Log on as root.
l To restart RSA Identity Governance and Lifecycle and begin using TLSv1.2 immediately,
enter Yes.
l If you do not want to restart the application, enter No. RSA Identity Governance and
Lifecycle uses the previously configured protocol until the next restart.
Using a Signed Certificate for HTTPS Access to RSA Identity Governance and
Lifecycle
When you connect to RSA Identity Governance and Lifecycle using a browser, the RSA Identity
Governance and Lifecycle server identifies itself using a certificate. RSA recommends that you use
a signed certificate to provide the most secure communications.
A self-signed certificate is installed with the product. Though the self-signed certificate enables an
HTTPS connection, the client browser will always display a certificate warning before it allows a
user to connect. Replace the self-signed certificate with a certificate signed by a Certificate
Authority (CA).
For more information, see Working with Keystores and Certificates.
This section describes how to obtain a CA-signed certificate and use it to identify the server.
You can generate a new request and have the certificate signed by an internal CA, or you can
request a server certificate to be signed by a well-known CA to replace the default RSA Identity
Governance and Lifecycle self-signed server certificate.
Your company might require further configuration for the trusted CA or RSA Identity Governance
and Lifecycle server certificates on the application server.
Important: When using an RSA Identity Governance and Lifecycle server certificate signed by an
external or internal CA, you must add the trusted root CA certificate file to the truststore prior to
uploading the server certificate file. Browsers and application servers often contain CA root
certificates from well known CAs. Users may be required to import the root/intermediate CA
certificate file to their web browsers if the CA is not known. See the web browser documentation for
more information.
4. Import Signed Server Certificate into the RSA Identity Governance and Lifecycle Keystore
Procedure
1. Log on as the oracle user, then go to the keystore directory:
cd /home/oracle/keystore
cp aveksa.keystore aveksa.keystore.backup
For example:
keytool -genkeypair -keysize 2048 -validity 18000 -alias mycorpServer -
dname "CN=acm-
server.mycorp.com,OU=Aveksa,O=MyCorp,L=Waltham,S=Massachusetts,C=US" -
keyalg RSA -keypass Av3k5a15num83r0n3 -storepass Av3k5a15num83r0n3 -
keystore aveksa.keystore
This example defines in the FQDN a server on which RSA Identity Governance and Lifecycle is
running, a key size of 2048, and the length of time the certificate is valid (18000 days or ~50
years). The alias is myCorpServer.
The alias cannot be the same as the alias used by any existing certificate. Also the CN value
must be the exact URL from which RSA Identity Governance and Lifecycle will be accessed; if
RSA Identity Governance and Lifecycle is accessed from any other address, the certificate does
not secure the connection. If it is accessed from multiple URLs on the same server, a separate
certificate must be generated for each URL.
Procedure
1. Log in as the oracle user, then go to the following directory:
cd /home/oracle/keystore
Procedure
1. Log in as root, then go to the truststore directory. For example:
cd $JAVA_HOME/jre_openjdk/lib/security
For example:
keytool -import -v -noprompt -trustcacerts -alias ACMEROOT -file ACME-
Root.cer -storepass changeit -keystore cacerts
Step 4: Import a Signed Server Certificate into the RSA Identity Governance and Lifecycle Key-
store
Procedure
1. Log in as the oracle user, then run the following commands:
cd /home/oracle/keystore
keytool -import -v -noprompt -trustcacerts -alias <server-cert-alias> -
file <Server_cert_file> -storepass Av3k5a15num83r0n3 -keystore
aveksa.keystore
where
<server-cert-alias> is the alias you specified for the server certificate.
<Server_cert_file> is the signed server certificate file.
2. To verify that RSA Identity Governance and Lifecycle is using the new certificate, enter:
keytool -list -v -storepass Av3k5a15num83r0n3 -keystore aveksa.keystore
3. In the list of certificates, verify that Certficate[1] uses the alias of the new certificate and that
other certificates listed (Certificate[2], Certificate[3] and so on), are part of the certificate chain
of the new certificate.
4. If Certificate[1] uses the alias of the old certificate, delete the old certificate. Enter
keytool -delete -alias <old-cert-alias> -storepass Av3k5a15num83r0n3 -
keystore aveksa.keystore
6. Verify that the new certificate is used when you access the application through a browser.
b. View the certificate information in the browser. Most browsers display a lock icon in the
URL bar that you can click to display certificate and security information.
c. If there is no root certificate, restart RSA Identity Governance and Lifecycle to register the
root certificate.
d. If the certificate information indicates that the root certificate is not trusted, either of the
following conditions may apply:
l The wrong root certificate was imported. In this case, you must obtain the correct root
certificate from the CA, import it into cacert, restore the aveksa.kesytore backup and
perform the steps in Setting Up a Signed Certificate for HTTP Access to RSA
Governance and Lifecycle.
l The signed certificate was imported before the trusted root certificate was imported. In
this case, you must restore the aveksa.kesytore backup and perform the steps in Setting Up
a Signed Certificate for HTTP Access to RSA Governance and Lifecycle.
l XSS/Scripting Security
The default settings comply with security best practices. For information about these settings, click
Help on the Security settings page.
l An LDAP-compliant authentication source, for example an Active Directory server. In this case,
RSA Identity Governance and Lifecycle collects account or identity data for all users who require
access. You must configure the account or identity collectors.
For instructions on setting up an authentication source, see Managing Log On Authentication Sources
in Help.
4. Install RSA Identity Governance and Lifecycle Using the Aveksa EAR File.
7. Configure SSL for Internal Communication Between RSA Identity Governance and Lifecycle
Components.
8. Configure SSL for External Communication (Browser or Web Services to RSA Identity
Governance and Lifecycle).
l Determine if you need to use a modified version of RSA Identity Governance and Lifecycle. See
If You Need a Modified Version of RSA Identity Governance and Lifecycle.
l Confirm that a cluster is already configured for an RSA Identity Governance and Lifecycle
deployment. You need information about each application server instance in the cluster. For
background information about running RSA Identity Governance and Lifecycle in a cluster, see
Clustered Application Server and Oracle RAC Implementation Environments.
l Setting Up RSA Identity Governance and Lifecycle > Integrations in Help for customizing
settings for integration with any of the following:
For more information, see the Help topic, "Managing Server Cluster Nodes."
l Private Network — The private network used for coordinating cluster activities and the network
that accesses the shared storage system. The private network allows the Oracle cluster to the
access Cluster Ready Services (CRS)/Voting disk. Because RSA Identity Governance and
Lifecycle operates in a mixed Online Transaction Processing (OLTP) and Decision Support
System (DSS) mode, many installations benefit from a faster 10-Gbit network to support the
caching requirements of DSS operations such as collections and report generation.
l Shared Storage — RSA Identity Governance and Lifecycle supports Storage Area Network
(SAN) systems with multiple disk volumes. SANs with RAID 5 or RAID0+1 provide the required
read-write performance for the Oracle RAC.
The shared storage system, along with Oracle Automatic Storage Management (ASM), provides
three types of storage for the cluster that will be assigned to Logical Unit Numbers (LUN).
Traditional Oracle tablespace storage will occupy most of the space and will be stored in the
LUN "VOL1." A second LUN, will be created for cluster activities and will be assigned to the
LUN "CRS1."
The third LUN will provide a general purpose "cluster-aware" file system that will be shared with
all of the members of the cluster and will be assigned to the LUN "FS1." Oracle requires this
"cluster-aware" file system be used when setting up Oracle directories in a cluster. Because RSA
Identity Governance and Lifecycle requires the AVEKSA_EXPORTIMPORT_DIRECTORY,
we recommend a configuration that uses Oracle Automatic Storage Management Cluster File
System (Oracle ACFS) to create a mountable volume usable by the operating system itself.
Procedure
1. Log on to the machine hosting the WebSphere application server.
f. Click Download Software (it may take a minute to display the Product List).
g. Click RSA Identity Governance and Lifecycle (formerly Aveksa) - Version Upgrades.
The Current tab lists the most recent release. The Archive tab lists previous releases.
l ACM-WebSphere-<product version>.tar
l Maximum permanent generation heap. This requires at least 512 MB. The JVM argument is:
–XX:MaxPermSize=512m
l Ensure your hardware has sufficient physical memory for those requirements.
Procedure
1. In the WebSphere console, to select the server, click Servers > Server types > WebSphere
application servers > Select server.
2. Choose the server used for RSA Identity Governance and Lifecycle.
3. Under the Configuration tab, select Server Infrastructure > Java and Process Management >
Process Definition.
6. In the Generic JVM arguments field, to set the max perm size, add this command to the generic
JVM argument:
–XX:MaxPermSize=512m
Procedure
1. In the WebSphere console, to select the server, click Servers > Server types > WebSphere
application servers > Select server.
2. Choose the server used for RSA Identity Governance and Lifecycle.
3. Under the Configuration tab, select Server Infrastructure > Java and Process Management >
Process Definition.
5. Enter the following under Generic JVM Arguments to set the character encoding:
-Dclient.encoding.override=UTF-8
-Dfile.encoding=UTF-8
Configuring the Application Server Bootstrap Port for RSA Identity Governance and
Lifecycle
RSA Identity Governance and Lifecycle uses the application server’s bootstrap port number and the
host name or IP address for communication. This information is used to define the ACMProviderUrl
system configuration setting. Perform this task to do the following:
l Identify the bootstrap port for your application server, or in a cluster environment, for each node
in the cluster.
Procedure
1. In the WebSphere console, to select the WebSphere application server, click Servers > Server
types > WebSphere application servers > Select server.
4. To select the RSA Identity Governance and Lifecycle server, click Servers > Server types >
WebSphere application servers > Select server.
5. Choose the server used for RSA Identity Governance and Lifecycle.
6. Under the Configuration tab, select Server Infrastructure > Java and Process Management >
Process Definition.
7. Under Additional Properties, select Java Virtual Machine > Custom Properties.
8. Select New.
l Name: ACMProviderUrl
l RSA Identity Governance and Lifecycle reporting engine user. The default name is
AVDWUSER.
l RSA Identity Governance and Lifecycle public database schema user. The default name is
ACMDB.
l RSA Identity Governance and Lifecycle Statistics Report user. The default name is AVPERF.
This user is required only if Oracle Statspack is installed on the database and you want to include
Statspack data in RSA Identity Governance and Lifecycle Statistics Reports. If you do not have
the statspack on your database do not create the avperf objects — user and data source. However,
you must enter a value in the resource mapping during deployment. See the Database Setup and
Management Guide for information on Statspack installation.
Note: If you created your database instance with non-default names, you must use the same user
names and passwords when you create the authentication users and aliases.
Procedure
1. In the WebSphere console, from the Security menu, select Global Security.
2. Under Authentication, expand Java Authentication and Authorization Service and select J2C
authentication data.
l AVUSER
l Alias: avuser
l AVDWUSER
l Alias: avdwuser
l ACMDB
l Alias: acmdb
l AVPERF
l Alias: avperf
Procedure
1. In the WebSphere console, from the Resources menu, click JDBC > JDBC Providers.
l (Cluster) cluster=MyCluster
5. In the Class Path section, enter the following three lines, separated by the ENTER key:
${ORACLE_JDBC_DRIVER_PATH}/ojdbc7.jar
${ORACLE_JDBC_DRIVER_PATH}/xdb6.jar
${ORACLE_JDBC_DRIVER_PATH}/xmlparserv2_sans_jaxp_services.jar
6. In the Directory location for ojdbc6.jar section, enter the location of the following ojdbc jar files:
ojdbc7.jar, xdb6.jar, xmlparserv2_sans_jaxp_services.jar.
Procedure
1. Copy the ojdbc driver file to each node.
Procedure
1. In the WebSphere console, from the Resources menu, select JDBC > JDBC Providers.
l (Cluster) cluster=MyCluster
5. In the Class Path section, enter the following three lines, separated by the ENTER key:
${ORACLE_JDBC_DRIVER_PATH}/ojdbc7.jar
${ORACLE_JDBC_DRIVER_PATH}/xdb6.jar
${ORACLE_JDBC_DRIVER_PATH}/xmlparserv2_sans_jaxp_services.jar
6. In the Directory location for ojdbc6.jar section, enter the location of the following ojdbc jar files:
ojdbc7.jar, xdb6.jar, xmlparserv2_sans_jaxp_services.jar.
8. (Clusters only) Restart the server and node agents after configuration of the JDBC Provider and
before the creation of the JDBC data sources.
l RSA Identity Governance and Lifecycle reporting engine user. The default name is
AVDWUSER.
l RSA Identity Governance and Lifecycle public database schema user. The default name is
ACMDB.
l RSA Identity Governance and Lifecycle Statistics Report user. The default name is AVPERF.
This user is required only if Oracle Statspack is installed on the database and you want to include
Statspack data in RSA Identity Governance and Lifecycle Statistics Reports. Statspack can
provide useful runtime diagnostic information. See the Database Setup and Management Guide for
information on Statspack installation. The data source is optional, but you must enter a value in
the resource mapping during deployment.
Note: If you created the database instance with non-default names, you must use the same user
names and passwords when you create the JDBC data sources. See the Database Setup and
Management Guide to ensure that the database instance meets RSA Identity Governance and
Lifecycle product requirements. To configure the JDBC data sources, you need the Oracle SID,
Oracle listener hosts, Oracle listener port, and Oracle service name.
This task describes how to create the following required JDBC data sources:
l avdb
l avdwdb
l acmdb
l avperf — Required only if Oracle Statspack is installed on the database and you want to include
Statspack data in RSA Identity Governance and Lifecycle Statistics Reports. This optional data
source provides valuable runtime diagnostic information.)
Test each data source after you create it to validate the connection configuration.
Procedure
1. In the WebSphere console, from the Resources menu, select JDBC > Data Sources.
l (Cluster) cluster=MyCluster
l URL: jdbc:oracle:thin:@<oracle-listener-host>:<oracle-listener-
port>/<oracle-service-name>
For example: jdbc:oracle:thin:@my_oracle_host:1555/avdb
l Data store helper class name: Oracle 10g or Oracle 11g (whichever is used for RSA
Identity Governance and Lifecycle)
l URL: jdbc:oracle:thin:@<oracle-listener-host>:<oracle-listener-
port>/<oracle-service-name>
For example: jdbc:oracle:thin:@my_oracle_host:1555/avdb
l Data store helper class name: Oracle 10g or Oracle 11g (whichever is used for RSA
Identity Governance and Lifecycle)
l URL: jdbc:oracle:thin:@<oracle-listener-host>:<oracle-listener-
port>/<oracle-service-name>
For example: jdbc:oracle:thin:@my_oracle_host:1521/avdb
l Data store helper class name: Oracle 10g or Oracle 11g (whichever is used for RSA
Identity Governance and Lifecycle)
l Name: avperf
l URL: jdbc:oracle:thin:@<oracle-listener-host>:<oracle-listener-
port>/<oracle-service-name>
For example: jdbc:oracle:thin:@my_oracle_host:1521/avdb
l Data store helper class name: Oracle 10g or Oracle 11g (whichever is used for RSA
Identity Governance and Lifecycle)
l URL: jdbc:oracle:thin:@<oracle-listener-host>:<oracle-listener-
port>/<oracle-service-name>
For example: jdbc:oracle:thin:@my_oracle_host:1521/avdb
l Data store helper class name: Oracle 10g or Oracle 11g (whichever is used for RSA
Identity Governance and Lifecycle)
l URL: jdbc:oracle:thin:@<oracle-listener-host>:<oracle-listener-
port>/<oracle-service-name>
For example: jdbc:oracle:thin:@my_oracle_host:1521/avdb
l Data store helper class name: Oracle 10g or Oracle 11g (whichever is used for RSA
Identity Governance and Lifecycle)
l URL: jdbc:oracle:thin:@<oracle-listener-host>:<oracle-listener-
port>/<oracle-service-name>
For example: jdbc:oracle:thin:@my_oracle_host:1521/avdb
l Data store helper class name: Oracle 10g or Oracle 11g (whichever is used for RSA
Identity Governance and Lifecycle)
4. Edit each data source configuration and save changes to the master configuration after each edit:
l Under Additional Properties > Connection pool properties, set Maximum connections to
300.
l Under Additional Properties > Connection pool properties, set Maximum connections to 50.
l Under Additional Properties > Connection pool properties, set Maximum connections to
150. This is the recommended minimum. Heavy loads on workflows might require a higher
setting.
5. From the Data source page, test the connections to the data sources by selecting each data
source and click Test Connection.
You must define wpUtilQueue for the RSA Identity Governance and Lifecycle workflow engine.
The workflow engine handles the processing of access requests.
Procedure
1. In the WebSphere console, from the Service integration menu, select Buses.
l (Standalone server) Select Server, then select the associated server from the drop-down list.
Note: In a cluster, the next page prompts to select the Messaging Engine policy assistance
settings. Please consult your WebSphere vendor for recommendations. The most commonly
used setting is "Scalability."
Note: The Bus Member is associated with a message store that is required. By default this is
a file store within the WebSphere installation.
Note: In a cluster, all servers must access the message store for the messaging engine. This is
more easily done using a data store configuration, but can be done using a file store if all
servers can access the file location.
l Message store: Select File Store or Data Store. Configure the store for your environment:
l File store requires directory path information for logging to the file system.
l Data store requires information for data access. You need to provide the pre-configured
data-source JNDI name and authentication alias.
l Identifier: wpUtilQueue
l Bus member: The member that will process this queue. In a standalone environment, this is
the server. In a cluster, this is the cluster.
Procedure
1. In the WebSphere console, from the Resources menu, select JMS > JMS Provider.
2. Set the scope:
l Name: wpUtilQueue
l JNDI name: queue/wpUtilQueue
l Bus name: wpBus
l Queue name: wpUtilQueue
l Name: wpUtilActSpec
l Name: acmConnectionFactory
l Name: acmMessageTopic
l Name: acmSubscriberActSpec
18. Restart the WebSphere server to initialize the JMS objects before deployment.
Install RSA Identity Governance and Lifecycle Using the Aveksa EAR File
This section describes how to install the RSA Identity Governance and Lifecycle application by
using the Aveksa EAR File.
l By default, this initial server instance is the system operations node (SON).
l If migrating a clustered deployment, it is important to run the SON. New RSA Identity
Governance and Lifecycle security is initialized the first time the SON is run after an new
deployment.
Procedure
1. In the WebSphere console, initiate the installation:
a. From Applications menu, select Application Types > websphere enterprise applications, and
click Install.
b. Browse to the aveksa.ear file in the DISTRIBUTION folder or in the customization directory
(specified in Modifying the Enterprise Archive) as required.
3. (Clusters only) Select Map Modules to Servers. Select all modules, select the scope from the list
of Clusters and Servers, and click Apply. The server associated with the module should be listed
as the cluster. Click Next.
4. Select "Prompt me only when additional information is required," and click Next.
5. Select Bind listeners for message-driven beans and activation specification for each EJB module.
Set the Target Resource JNDI Name as follows:
l SubscriberMDB: jms/acmSubscriberActSpec
l ServerAutomatedActivityMDBean: jms/wpServAutoActSpec
l EventMDBean: jms/wpEventActSpec
l UtilityMDBean: jms/wpUtilActSpec
6. Select Map resource references to resources. Most of the Target Resource JNDI Names are
defined by default. You must configure six additional resources: two resources for the subscriber
Message bean (SubscriberMDB) and four JDBC resources for the Aveksa application. Enter the
following values:
l To map topic/acmMessageTopic to the resource, in the Target Resource JNDI field, enter
topic/acmMessageTopic.
10. Complete the installation of the EAR. This process takes several minutes to complete.
12. Start the RSA Identity Governance and Lifecycle application. In a cluster, start the application
on the single designated deployment node only.
Because the entire database schema for RSA Identity Governance and Lifecycle must be created
during the initial post-installation restart, the process might take several minutes.
You can view the SystemOut.log file to check the restart progress. The file is located in the path
similar to: $WEBSPHERE_HOME/AppServer/profiles/AppSrv01/logs/server1. See
Troubleshooting for more information on log files.
13. Verify your installation by accessing RSA Identity Governance and Lifecycle through your
WebSphere server port at: http://<server or node name>:9080/aveksa/main.
Note: Port 9080 is the standard WebSphere server port, but your deployment might use a
different port.
Procedure
1. In the WebSphere console, Initiate the installation:
a. From Applications menu, select Application Types > Websphere Enterprise Applications,
and click Install.
3. (Clusters only) Select Map Modules to Servers. Select all modules, select the scope from the list
of Clusters and Servers, and click Apply. The server associated with the module should be listed
as the cluster. Click Next.
4. In the Map Virtual Hosts for Web Modules screen, click Next.
5. Complete the installation of the EAR. This process takes several minutes to complete.
Procedure
1. Log in to the system as administrator with root privileges.
2. Make sure you have a directory for storing the encryption key. For security purposes, the
directory should have the following settings:
l If the directory already exists, set its permissions to 700 (rwx------) and make sure that the
directory is owned by the same user under which RSA Identity Governance and Lifecycle is
running.
l If the directory does not exist, the parent directory must be writable for the user under which
RSA Identity Governance and Lifecycle is running. In this case, RSA Identity Governance
and Lifecycle will create the directory with the correct permissions.
3. Set a Java system property "rsavialg.security.keydir" to the directory where the encryption key is
stored. Perform these steps in the Admin console for WebSphere:
1. To select the server, click Servers > Server types > WebSphere application servers > Select
server.
2. Choose the server used for RSA Identity Governance and Lifecycle.
3. Under the Configuration tab, select Server Infrastructure > Java and Process Management >
Process Definition.
4. Under Additional Properties, select Java Virtual Machine > Custom Properties.
Name: rsavialg.security.keydir
Value: <directory path for encryption key>
For example, in a standalone environment:
rsavialg.security.keydir=<directory path for the encryption
key>
For example, in a cluster environment:
rsavialg.security.keydir=<server and directory path for the
encryption key>, where server is the hostname of a common network path that is
accessible from all nodes.(You could also set this up on each node by defining a local
directory path on each node.)
4. Create a secure backup process to back up the keys that are in the encryption key directory. RSA
Identity Governance and Lifecycle generates these keys and stores them only in the designated
directory.
Important: If the keys are lost, any data encrypted with those keys will be irrecoverable. The
backup process should ensure that the keys are not compromised, or otherwise exposed, during
the backup or after they are in the backup location.
Note: Anytime that you change the value of the Java system property after the keys have already
been created (meaning after you configured the property and brought the system up), you must bring
down the system and move the keys to the new location before bringing up the system again.
Procedure
1. In the Admin console, add a java system property named
"rsavialg.security.strict.permissions.disabled" property and set the value to "true" as shown for
the platform type:
1. To select the server, click Servers > Server types > WebSphere application servers > Select
server.
2. Choose the server used for RSA Identity Governance and Lifecycle.
3. Under the Configuration tab, select Server Infrastructure > Java and Process Management >
Process Definition.
4. Under Additional Properties, select Java Virtual Machine > Custom Properties.
Error Messages
The following table contains a list of error messages that might display (in the AveksaServer.log)
after you configure the encryption key directory. The table lists default directory paths for the
encryption key directory (/home/oracle/security) and its parent directory (/home/oracle). The
suggested actions are performed on the RSA Identity Governance and Lifecycle host.
KEK_ERROR_ The parent directory /home/oracle for the Change permissions on the
PARENT_ specified encryption key storage specified encryption key
DIRECTORY_IS_ directory /home/oracle/security is not directory to allow RSA
NOT_WRITABLE writable. Identity Governance and
Lifecycle to write to the
directory.
KEK_ERROR_ The parent /etc/hosts for the specified Specify a directory path for
PARENT_IS_A_ encryption key storage directory the encryption key directory.
FILE /etc/hosts/security is a file, not a
directory.
KEK_ERROR_FILE_ A file already exists with the same path Specify a directory location,
ALREADY_EXISTS as the specified encryption key storage not a file location.
directory /etc/hosts.
KEK_ERROR_ Could not create the encryption key Create the directory, set
COULD_NOT_ storage directory /home/oracle. permissions to allow RSA
CREATE_ Identity Governance and
DIRECTORY Lifecycle to read from and
write to the directory, and
specify the encryption key
directory again.
KEK_ERROR_ The encryption key storage directory Create the directory, set
DIRECTORY_ /home/oracle does not exist. permissions to allow RSA
DOES_NOT_EXIST Identity Governance and
Lifecycle to read from and
write to the directory, and
specify the encryption key
directory again.
Procedure
1. Download the server.keystore file from RSA Identity Governance and Lifecycle to the
WebSphere server.
Note: If an agent is installed on a remote machine, you must configure the agent and RSA Identity
Governance and Lifecycle to use SSL for communication. You must edit the agent’s configuration
file to change the hostname from localhost to the hostname of the RSA Identity Governance and
Lifecycle server, or in a cluster, the SON. Additionally, you must configure the agent and server to
use certificates as described in Help in Security: SSL Configuration and Authentication.
l Load the private keys and trusted CAs into the keystore.
Procedure
1. Log into RSA Identity Governance and Lifecycle as an administrator, for example,
AveksaAdmin.
7. Write down the location of the file. You must specify this location when you create the keystore
on the WebSphere server.
Property Value
Property Value
Procedure
1. In the WebSphere console, click Security > SSL certificate and key management > SSL
configurations.
7. Restart WebSphere.
Procedure
1. In the WebSphere console, configure a web container transport chain using the following settings
and save the transport chain to the master configuration:
Setting Value
2. Edit the WCAveska8444 transport chain and modify SSL inbound channel (SSL_4) to use the
SSL configuration specific to this endpoint: Aveksa Agent SSL.
3. Create a new host alias for the default_host using the following settings and save the changes to
the master configuration:
Setting Value
Host *
Port 8444
Property Value
To configure SSL, see your WebSphere documentation. Use the following information when entering
properties:
Property Value
Procedure
1. In the WebSphere console, configure a web container transport chain using the following settings
and save the transport chain to the master configuration:
Setting Value
2. Edit the WCAveska9443 transport chain and modify SSL inbound channel (SSL_4) to use the
SSL configuration specific to this endpoint: Aveksa SSL.
3. Create a new host alias for the default_host using the following settings and save the changes to
the master configuration:
Setting Value
Host *
Port 9443
Port Communications from a web browser or web services to RSA Identity Governance and
8443 Lifecycle. By default, port 8443 supports all TLS versions (v1, v1.1, v1.2). A client can
connect using any of the supported versions. If you want to force use of the latest TLS
version, see your WebSphere documentation.
Port Internal communications with AFX and remote agents. By default, port 8444 uses the latest
8444 TLS version (v1.2 ) and enforces that AFX and remote agents use the same version.
Configure the port on the WebSphere application server. Use the latest available version of TLS for
maximum security.
Note: If you force use of TLSv1.2 on Port 8443, your users must use a browser that supports this
protocol. The following browsers support TLSv1.2:
Browser Versions
Apple Safari 8.x or later
Procedure
1. In the WebSphere console, from the Servers menu, click WebSphere Application Servers >
<server-name>
l XSS/Scripting Security
The default settings comply with security best practices. For information about these settings, click
Help on the Security settings page.
l An LDAP-compliant authentication source, for example an Active Directory server. In this case,
RSA Identity Governance and Lifecycle collects account or identity data for all users who require
access. You must configure the account or identity collectors.
For instructions on setting up an authentication source, see Managing Log On Authentication Sources
in Help.
2. Configure WebLogic JVM Settings for RSA Identity Governance and Lifecycle.
5. Install RSA Identity Governance and Lifecycle using the Aveksa EAR File.
8. Configure SSL for Internal Communications Between RSA Identity Governance and Lifecycle
Components.
9. Configure SSL for External Communications (Browser or Web Services to RSA Identity
Governance and Lifecycle).
l You should have a working knowledge of WebLogic, privileges to deploy RSA Identity
Governance and Lifecycle within the environment, and know how to stop and start WebLogic
Server instances as required.
l Confirm that a cluster is already configured for an RSA Identity Governance and Lifecycle
deployment. You need information about each application server instance in the cluster. For
background information about running RSA Identity Governance and Lifecycle in a cluster, see
Clustered Application Server and Oracle RAC Implementation Environments.
l The Help for information on customizing settings in the “customization” directory for integration
with any of the following:
For more information, see the Help topic, "Managing Server Cluster Nodes."
l Private Network — The private network used for coordinating cluster activities and the network
that accesses the shared storage system. The private network allows the Oracle cluster to the
access Cluster Ready Services (CRS)/Voting disk. Because RSA Identity Governance and
Lifecycle operates in a mixed Online Transaction Processing (OLTP) and Decision Support
System (DSS) mode, many installations benefit from a faster 10-Gbit network to support the
caching requirements of DSS operations such as collections and report generation.
l Shared Storage — RSA Identity Governance and Lifecycle supports Storage Area Network
(SAN) systems with multiple disk volumes. SANs with RAID 5 or RAID0+1 provide the required
read-write performance for the Oracle RAC.
The shared storage system, along with Oracle Automatic Storage Management (ASM), provides
three types of storage for the cluster that will be assigned to Logical Unit Numbers (LUN).
Traditional Oracle tablespace storage will occupy most of the space and will be stored in the
LUN "VOL1." A second LUN, will be created for cluster activities and will be assigned to the
LUN "CRS1."
The third LUN will provide a general purpose "cluster-aware" file system that will be shared with
all of the members of the cluster and will be assigned to the LUN "FS1." Oracle requires this
"cluster-aware" file system be used when setting up Oracle directories in a cluster. Because RSA
Identity Governance and Lifecycle requires the AVEKSA_EXPORTIMPORT_DIRECTORY,
we recommend a configuration that uses Oracle Automatic Storage Management Cluster File
System (Oracle ACFS) to create a mountable volume usable by the operating system itself.
Procedure
1. Log on to the machine hosting the WebLogic application server.
f. Click Download Software (it may take a minute to display the Product List).
g. Click RSA Identity Governance and Lifecycle (formerly Aveksa) - Version Upgrades.
The Current tab lists the most recent release. The Archive tab lists previous releases.
l ACM-WebLogic-<product version>.tar
Note: On Solaris, use a tar utility that handles long filenames such as GNU tar.
This step creates an ACM-WebLogic directory that includes all software components required for
the installation. The directory location is referred to as DISTRIBUTION in this chapter.
Configure WebLogic JVM Settings for RSA Identity Governance and Life-
cycle
Use the WebLogic console to perform all installation and configuration steps. See your WebLogic
administrator for the URL and access credentials.
Note: Restart the application server instance after you change JVM settings described in this
section.
Procedure
1. Start WebLogic using the doomain 'startWebLogic.sh' command. For example:
$DOMAIN_HOME/bin/startWebLogic.sh
2. From your browser, access the WebLogic Administration Console using the following URL:
http://<hostname>:7001/console
Procedure
1. In the WebLogic console, to select the server, click Environment > Servers > Select server.
2. Choose the server used for RSA Identity Governance and Lifecycle.
5. Click Save.
Configuring the Application Server Listening Port for RSA Identity Governance and
Lifecycle
RSA Identity Governance and Lifecycle uses the application server’s listening port number and the
host name or IP address for communication. This information is used to define the ACMProviderUrl
system configuration setting. Perform this task to do the following:
l Identify the listening port for your application server, or in a cluster environment, for each node in
the cluster.
Procedure
1. Log on to the WebLogic console.
4. Note down the Listening Port value(s). In a cluster, use a comma-separated list host:port pairs.
Use one of the following methods to set JVM arguments. If you use custom scripts to start the
WebLogic application server, these methods might not map to your environment. Consult the
WebLogic administrator on how the JVM settings are set for your environment.
For example:
StandAlone: JAVA_OPTIONS="$JAVA_OPTIONS -
DACMProviderUrl=localhost:7001 "
Specifying JVM arguments within the Admin Console for a server instance.
This method is typically used when your servers are managed by NodeManager.
Procedure
1. Log on to the WebLogic console.
l Maximum permanent generation heap. Requires at least 512 MB. The JVM argument is: –
XX:MaxPermSize=512m
If you use custom scripts to start the WebLogic application server, these methods might not map to
your environment. Consult the WebLogic administrator on how the JVM arguments are set for your
environment.
USER_MEM_ARGS overrides the default memory settings. If you require other memory settings,
make sure you retain those settings in along with RSA Identity Governance and Lifecycle settings.
For example:
USER_MEM_ARGS=" –Xms256m -Xmx8192m -XX:CompileThreshold=8000 -
XX:PermSize=48m -XX:MaxPermSize=512m "
Procedure
1. To select the server, click Environment > Servers > Select server.
Procedure
1. Open Oracle admin console.
Procedure
1. Start WebLogic using your domain 'startWebLogic.sh' command. For example:
$DOMAIN_HOME/bin/startWebLogic.sh
Note: If you change security realm user information after the RSA Identity Governance and
Lifecycle EAR has been deployed, you must change corresponding settings in the EAR and then
redeploy the EAR. See Changing the Security Realm User and Group Information for more
information.
Procedure
1. Log on to the WebLogic console.
3. Select myRealm > Users and Groups tab and create the users and groups as follows:
a. Click New.
b. Enter:
Name: acmUsers
Description: acm runtime user
Click OK.
a. Click New.
b. Enter:
l Name: WorkPointUsers
c. Click OK.
a. Click New.
b. Enter:
a. Name: aveksaUser
c. Password: Aveksa123
c. Click OK.
a. Click New.
b. Enter:
Name: workpoint
Description: Workpoint user
Password: w0rkp0int (0=zero)
c. Click OK.
4. Add the users you created to the groups you created from the Users and Groups > Users tab:
a. Click aveksaUser.
d. Click Save.
a. Click workpoint.
c. Move acmUsers and WorkPointUsers from the Available list to the Chosen list.
d. Click Save.
l RSA Identity Governance and Lifecycle reporting engine user. The default name is
AVDWUSER.
l RSA Identity Governance and Lifecycle public database schema user. The default name is
ACMDB.
l RSA Identity Governance and Lifecycle Statistics Report user. The default name is AVPERF.
This user is required only if Oracle Statspack is installed on the database and you want to include
Statspack data in Aveksa Statistics Reports. If you remove or disable Statspack on your database,
remove the AVPERF data source and restart the database.
Note: If you created the database instance with non-default names, you must use the same user
names and passwords when you create the JDBC data sources. See the Database Setup and
Management Guide to ensure that the database instance meets the RSA Identity Governance and
Lifecycle product requirements. To configure the JDBC data sources, you need the Oracle SID,
Oracle listener hosts, Oracle listener port, and Oracle service name.
Create the following JDBC data sources required by RSA Identity Governance and Lifecycle:
l avdb
l avdwdb
l acmdb
l avperf
Procedure
1. Log on to the WebLogic console.
l Click New to create each data source. From the New button menu, choose an option:
l Name: AVDB
l Database Driver:
Non-Oracle RAC: Oracle’s Driver (Thin) for Instance connections
Oracle RAC: Oracle’s Driver (Thin) for RAC Service-Instance connections
l Name: AVDWDB
l Database Driver:
Non-Oracle RAC: Oracle’s Driver (Thin) for Instance connections
Oracle RAC: Oracle’s Driver (Thin) for RAC Service-Instance connections
l Name: ACMDB
l Database Driver:
Non-Oracle RAC: Oracle’s Driver (Thin) for Instance connections
Oracle RAC: Oracle’s Driver (Thin) for RAC Service-Instance connections
l Name: avperf
l Database Driver:
Non-Oracle RAC: Oracle’s Driver (Thin XA) for Instance connections
Oracle RAC: Oracle’s Driver (Thin XA) for RAC Service-Instance connectionss
l Name: WPDS
l Database Driver:
Non-Oracle RAC: Oracle’s Driver (Thin XA) for Instance connections
Oracle RAC: Oracle’s Driver (Thin XA) for RAC Service-Instance connections
l Name: WPDS2
l Database Driver:
Non-Oracle RAC: Oracle’s Driver (Thin XA) for Instance connections
Oracle RAC: Oracle’s Driver (Thin XA) for RAC Service-Instance connections
l Name: WPDS3
l Database Driver:
Non-Oracle RAC: Oracle’s Driver (Thin XA) for Instance connections
Oracle RAC: Oracle’s Driver (Thin XA) for RAC Service-Instance connections
a. Go to the Connection Pool tab, expand the Advanced settings, then uncheck Wrap Data
Types.
b. Configure the Set Maximum capacity value according to the following table:
AVDB 300
ACMDB 50
AVDWDB 50
6. (Optional) Secure each data source with a security policy. You can enable security after
installing RSA Identity Governance and Lifecycle.
Note: The settings here are dependent on the users and groups defined in Create Security Realm
Users and Groups.
d. Click OK.
g. Select Add.
h. Select Finish.
i. Select Save.
j. Restart WebLogic.
Procedure
1. To create a JMS server or servers. Click Services > Messaging > JMS Servers > New.
On a standalone system, configure a single server with the AdminServer as the target. For a
cluster, create a JMS server for each server instance or node. See the Database Configuration
Values for installing in a clustered environment.
l Name: acmJMSServer1
l Persistent Store: Select a preconfigured Persistent Store or click New to create one with the
required information for the given persistent store type. Set the persistent store target to match
the target for this JMS server.
l Target: Choose the target server instance. Choose the server for a cluster configuration.
For example: Node1
l Directory (File Store): Provide the directory on the server where the persistent store is
kept.
l Prefix Name (JDBC Store): Prefix for the table name for the store. For example, server1,
would result in table SERVER1WLSTORE.
2. Create a new JMS Module. Click Services > Messaging > JMS Modules > New.
l Name: acmJMSModule
l Name: acmSubDeployment
l Targets: Choose the JMS Servers Target(s). Select multiple Target JMS Servers for a cluster,
for example: acmJMSServer1, acmJMSServer2, and so on.
4. Add the required resource to the acmJMSModule. Select acmJMSModule, select the
Configuration tab for each new resource, and click New.
a. New Queue:
l Name: wpUtilQueue
l Name: acmConnectionFactory
b. Edit the acmConnectionFactory: From the Default Delivery tab, set the Default Delivery
Mode to Non-Persistent.
c. New Topic:
l Name: acmMessageTopic
Install RSA Identity Governance and Lifecycle Using the Aveksa EAR File
This section describes how to install the RSA Identity Governance and Lifecycle application by
using the Aveksa EAR file.
l By default, this initial server instance is the system operations node (SON).
l If migrating a clustered deployment, it is important to run the SON. New RSA Identity
Governance and Lifecycle security is initialized the first time the SON is run after a new
deployment.
Procedure
1. Log on to the WebLogic console.
3. Browse to aveksa.ear. For example: ACM-WebLogic /aveksa.ear. The path may differ for a
hotfix or a customized aveksa.ear.
7. Choose the default selection: Copy this application to every target for me" under Source
accessibility.
9. Start the RSA Identity Governance and Lifecycle application. In a cluster, start the application
on the single designated deployment node only.
In a cluster, the first managed server you start deploys and initializes the database schema,
which might take several minutes.
You can check installation progress by viewing the WebLogic Admin Server log file. See
Troubleshooting for more information on log files.
10. Validate the installation by accessing RSA Identity Governance and Lifecycle from
http://localhost:7001/aveksa/main.
In a cluster, verify your installation before starting additional nodes.
Once the initial node is validated, all other nodes can be started. For information on how to
manage RSA Identity Governance and Lifecycle instance nodes in the cluster, see the Help
topic, "Managing Server Cluster Nodes."
Procedure
1. Log on to the WebLogic console.
6. Choose the default: Copy this application to "every target for me" under Source accessibility.
8. Click Finish.
Procedure
1. Log in to the system as administrator with root privileges.
2. Make sure you have a directory for storing the encryption key. For security purposes, the
directory should have the following settings:
l If the directory already exists, set its permissions to 700 (rwx------) and make sure that the
directory is owned by the same user under which RSA Identity Governance and Lifecycle is
running.
l If the directory does not exist, the parent directory must be writable for the user under which
RSA Identity Governance and Lifecycle is running. In this case, RSA Identity Governance
and Lifecycle will create the directory with the correct permissions.
3. Set a Java system property "rsavialg.security.keydir" to the directory where the encryption key is
stored. The location of this property depends on the platform you are running on and also whether
RSA Identity Governance and Lifecycle is standalone or running in a cluster.
There are two ways to set JVM arguments in WebLogic installations. These methods might not
map to your environment if you use custom scripts for starting a WebLogic application server
instance. See your WebLogic administrator to configure the JVM setting for your environment.
l Edit the WebLogic Domain startup environment script. This is typically done on a standalone
system and is required if using the AdminServer as the instance where you are deploying RSA
Identity Governance and Lifecycle.
Edit the setDomainEnv.sh file for the domain in which you will be deploying the RSA Identity
Governance and Lifecycle application.
For example, from $WEBLOGIC_HOME/user_projects/domains/<domain_name>/bin, add the
following settings to the beginning of the setDomainEnv script, where WL_HOME is set.
JAVA_OPTIONS="$JAVA_OPTIONS -Drsavialg.security.keydir=<directory path for the
encryption key>"
export JAVA_OPTIONS
For example, in a standalone environment:
JAVA_OPTIONS="$JAVA_OPTIONS
-Drsavialg.security.keydir="/wls/masterkeystorage"
For example, in a cluster environment:
JAVA_OPTIONS="$JAVA_OPTIONS -
Drsavialg.security.keydir="/wls/masterkeystorage"
l Use the Administration Console to specify JVM arguments for a server instance. This is
typically used if your servers are managed through NodeManager.
From the Admininistration Console:
1. Click Environment > Servers > Select server.
3. Add the startup setting -Drsavialg.security.keydir=<directory path for the encryption key>
to the Arguments field .
Note: Anytime that you change the value of the Java system property after the keys have already
been created (meaning after you configured the property and brought the system up), you must bring
down the system and move the keys to the new location before bringing up the system again.
Procedure
1. Add a java system property named "rsavialg.security.strict.permissions.disabled" property and
set the value to "true" as shown for the platform type:
There are two ways to set JVM arguments in WebLogic installations. These methods might not
map to your environment if you use custom scripts for starting a WebLogic application server
instance. See your WebLogic administrator to configure the JVM setting for your environment.
l Edit the WebLogic Domain startup environment script. This is typically done on a standalone
system and is required if using the AdminServer as the instance where you are deploying RSA
Identity Governance and Lifecycle.
Edit the setDomainEnv.sh file for the domain in which you will be deploying the RSA Identity
Governance and Lifecycle application.
For example, from $WEBLOGIC_HOME/user_projects/domains/<domain_name>/bin, add the
following settings to the beginning of the setDomainEnv script, where WL_HOME is set.
JAVA_OPTIONS="$JAVA_OPTIONS -Drsavialg.security.strict.permissions.disabled=true"
export JAVA_OPTIONS
For example, in a standalone environment:
JAVA_OPTIONS="$JAVA_OPTIONS
-Drsavialg.security.strict.permissions.disabled="true"
For example, in a cluster environment:
JAVA_OPTIONS="$JAVA_OPTIONS -
Drsavialg.security.strict.permissions.disabled="true"
l Use the Administration Console to specify JVM arguments for a server instance. This is
typically used if your servers are managed through NodeManager.
Error Messages
The following table lists error messages that might display (in the AveksaServer.log) after you
configure the encryption key directory. The table lists default directory paths for the encryption key
directory (/home/oracle/security) and its parent directory (/home/oracle). The suggested actions are
performed on the RSA Identity Governance and Lifecycle host.
KEK_ERROR_ The parent directory /home/oracle for the Change permissions on the
PARENT_ specified encryption key storage directory specified encryption key
DIRECTORY_IS_ /home/oracle/security is not writable. directory to allow RSA
NOT_WRITABLE Identity Governance and
Lifecycle to write to the
directory.
KEK_ERROR_ The parent /etc/hosts for the specified Specify a directory path for
PARENT_IS_A_ encryption key storage directory the encryption key directory.
FILE /etc/hosts/security is a file, not a directory.
KEK_ERROR_ A file already exists with the same path as Specify a directory location,
FILE_ALREADY_ the specified encryption key storage not a file location.
EXISTS directory /etc/hosts.
KEK_ERROR_ Could not create the encryption key Create the directory, set
COULD_NOT_ storage directory /home/oracle. permissions to allow RSA
CREATE_ Identity Governance and
DIRECTORY Lifecycle to read from and
write to the directory, and
specify the encryption key
directory again.
KEK_ERROR_ The encryption key storage directory Create the directory, set
DIRECTORY_ /home/oracle does not exist. permissions to allow RSA
DOES_NOT_EXIST Identity Governance and
Lifecycle to read from and
write to the directory, and
specify the encryption key
directory again.
RSA Identity Governance and Lifecycle trusts connections with AFX servers and remote agents
because their certificates have been signed by the RSA Identity Governance and Lifecycle CA.
To enable SSL between RSA Identity Governance and Lifecycle and AFX or agents, you must make
the server.keystore available to WebLogic by completing the following tasks:
Procedure
1. Download the server.keystore file from RSA Identity Governance and Lifecycle to the
WebLogic server.
2. Import the certificates from the downloaded server.keystore into the WebLogic keystore.
If the WebLogic server does not contain the keystores and certificates required to use SSL, you must
perform the following configuration tasks before you configure the RSA Identity Governance and
Lifecycle application to use SSL:
l Obtain private keys and digital certificates from a reputable certificate authority, such as
Verisign, Inc. or Entrust.net.
l Load the private keys and trusted certificate authorities (CAs) into the keystores.
For instructions on how to perform these tasks, see the WebLogic documentation.
Procedure
1. Log on to RSA Identity Governance and Lifecycle as an administrator user, for example,
AveksaAdmin.
7. Write down the location of the file. You must specify this location when you import the
certificates into the keystore on the WebLogic server.
Import the RSA Identity Governance and Lifecycle Certificates into the WebLogic
Keystores
To communicate with the AFX server and RSA Identity Governance and Lifecycle agents, the
WebLogic server running RSA Identity Governance and Lifecycle needs to know of the certificates
contained in the server.keystore file. Use the Weblogic keytool utility to import the certificates.
WebLogic contains two keystores: an identity keystore and a trusted keystore. Use the keytool to
import the trusted certificate (also known as the CA) into the trusted keystore and the private key
into the identity keystore. If your WebLogic server uses the same keystore trust and identity, you can
import the private key and the trusted certificate into the single keystore.
The following sections provide the command parameters to use when you run the keytool.
Procedure
Log on to the Weblogic server and type the following at a command prompt:
keytool -importkeystore -srcalias server -srckeypass
Av3k5a15num83r0n3 -srckeystore <directory_path>/server.keystore -
srcstorepass Av3k5a15num83r0n3 -srcstoretype jks -destalias server
-destkeypass Av3k5a15num83r0n3 -destkeystore <dest-keystore> -
deststorepass <dest-storepass>
where
l <directory_path>/server.keystore is the full directory path to server.keystore.
Procedure
Log on to the Weblogic server and type the following at a command prompt:
keytool -importkeystore -srcalias aveksa_ca -srckeypass
Av3k5a15num83r0n3 -srckeystore <directory_path>/server.keystore -
srcstorepass Av3k5a15num83r0n3 -srcstoretype jks -destalias
aveksa_ca -destkeystore <dest-keystore> -deststorepass <dest-
storepass>
where
l <directory_path>/server.keystore is the full directory path to server.keystore.
To import the private key and the trusted certificate into the same keystore
Procedure
Log on to the Weblogic server and type the following at a command prompt:
keytool -importkeystore -srckeystore <directory_
path>/server.keystore -destkeystore <dest-keystore> -srcstorepass
Av3k5a15num83r0n3 -deststorepass <dest-storepass>
where
Procedure
1. In WebLogic, create a new network channel using the following settings. In the WebLogic
console, the channnel settings are typically found under Server > Protocols. See the WebLogic
documentation for details on performing this task.
Setting Value
Name Aveksa8444
Protocol https
Listen Port 8444
External Listen Port 8444
Two Way SSL Enabled Checked
Client Certificate Enforced Checked
Custom Channel Private Key server
Alias
Custom Channel Private Key Pass Av3k5a15num83r0n3
Phrase
Confirm Custom Channel Private Av3k5a15num83r0n3
Key Pass Phrase
RSA Identity Governance and Lifecycle uses the SSL/TLS protocol to secure communications from
a browser or web services on Port 8443.
These settings are in the WebLogic application server. Use the latest available version of TLS to
provide the most secure communications.
Procedure
1. Use the following settings to configure the port. The channel settings are typically found in the
WebLogic console under Server > Protocols.
Setting Value
Name Aveksa8443
Protocol https
Listen Port 8443
External Listen Port 8443
Two Way SSL Enabled Checked
Client Certificate Enforced Unchecked
Custom Channel Private Key server
Alias
Custom Channel Private Key Pass Av3k5a15num83r0n3
Phrase
Confirm Custom Channel Private Av3k5a15num83r0n3
Key Pass Phrase
l Check Security Settings for the RSA Identity Governance and Lifecycle Application
Port Communications from a web browser or web services to RSA Identity Governance and
8443 Lifecycle. By default, port 8443 supports all TLS versions (v1, v1.1, v1.2). A client can
connect using any of the supported versions.
Port Internal communications with AFX and remote agents. By default, port 8444 supports all
8444 TLS versions (v1, v1.1, v1.2). A client can connect using any of the supported versions.
Important: When you upgrade RSA Identity Governance and Lifecycle, you override the secure
cookie setting. Make sure you enable secure cookies after upgrading RSA Identity Governance and
Lifecycle.
Procedure
1. Log in as root.
2. Open the weblogic.xml file that is located in the aveksa.war/WEB-INF directory path.
5. Recreate the RSA Identity Governance and Lifecycle EAR and redeploy the EAR. See Install
RSA Identity Governance and Lifecycle Using the Aveksa EAR File for more information.
l Security
l XSS/Scripting Security
The default settings comply with security best practices. For information about these settings, click
Help on the Security settings page.
l An LDAP-compliant authentication source, for example an Active Directory server. In this case,
RSA Identity Governance and Lifecycle collects account or identity data for all users who require
access. You must configure the account or identity collectors.
For instructions on setting up an authentication source, see Managing Log On Authentication Sources
in Help.
Scenario Section
Install AFX on your appliance or soft- Install the Local AFX Server on an Appliance or a
appliance server Soft-Appliance Server Using the Installation Script
Install AFX on a WebSphere or Install the Local AFX Server from a Downloaded Local
WebLogic server AFX Server
Install an additional AFX server Install an Additional AFX Server Instance on a Non-
instance on a host where RSA Identity AFX-Host Server
Governance and Lifecycle is not
installed (remote host)
Install AFX connector packages See Install the AFX Connector Packages.
If you purchased an RSA Identity Governance and Lifecycle appliance with an AFX license, AFX
is already installed on the appliance. You can enable AFX you are ready to use it. For instructions
on enabling AFX, see "Specifying System Settings" in Help.
Important: See AFX Hardware and Software Requirements before installing AFX and verify that
your deployment meets all requirements.
Storage
Follow the guidelines below to calculate the amount of storage required by your installation:
Note: Cap log file sizes to avoid filling disk space. To further reduce the risk of filling disk space,
you should also employ a monitoring tool. Each connector will consume on average 1 MB of disk
space daily. The actual amount will vary based on the volume of transactions.
Swap Space
Set to half (1/2) of Physical Memory — This value is set automatically by the application server.
You must adjust manually.
Processor
Processor requirements for deployment environments are listed as follows:
A development environment is intended for Dual Intel dual-core Xeon processors (E3110)
doing the deployment work, staging, and running at 3.0GHz on a 1333MHz FSB
functional testing for example. It is not for use
in large multi-user deployments.
A production environment is intended for typical Dual quad core Intel Xeon processors (E5420)
enterprise deployment of up to 500 concurrent running @ 2.5GHz on a 1333MHz FSB
users, 1000 applications, and 20 million
entitlements.
Disk Partitioning
Configure the minimum swap size relative to system memory size.
Required Software
l Red Hat Enterprise Linux Version 5 Update 10, Red Hat Enterprise Linux Version 6 Update 5, or
SuSE 11 Enterprise Linux SP3
Port Usage
8089 The default port for RESTful WebService connectors for receiving
asynchronous callback messages. This port is used by endpoints which process
AFX requests asynchronously to respond back to AFX after the request has
been processed. The response indicates if the request was successfully
processed.
Listening port for exclusive use by AFX
Install AFX
Important: RSA Identity Governance and Lifecycle v7.x must be installed before you install AFX
v7.x.
This section describes how to install AFX. RSA Identity Governance and Lifecycle auto-generates
an AFX server configuration named “AFX Server" where RSA Identity Governance and Lifecycle
is installed. There are two sequential phases in the AFX installation process:
1. Installing the AFX Server on an appliance or a soft-appliance server that has RSA Identity
Governance and Lifecycle installed on it, or installing it on a server that does not have RSA
Identity Governance and Lifecycle installed on it. This latter scenario is typically referred to as a
"remote AFX installation." It is applicable to AFX deployment when RSA Identity Governance
and Lifecycle is installed on the WebSphere or WebLogic platforms or when you want to install
AFX on a host where RSA Identity Governance and Lifecycle is not installed.
See the topic relevant to your installation scenario and complete the procedure in the topic:
l Install the AFX Server on an Appliance or a Soft-Appliance Server Using the Installation
Script
2. Installing the AFX connector packages for the AFX Server. See Install the AFX Connector
Packages.
Procedure
1. Log on to the appliance or server as the ‘root’ user.
Installation results for the AFX Server are written in the following log file on the installation
host:
/tmp/afx-install.log
3. If you are logged in as root, log out and log in to the installation host as the 'AVEKSA_OWNER'
user.
4. Start the AFX Server using the “afx” script located in the top level AFX installation directory.
For example, if AFX is installed in /home/oracle/AFX, enter:
/home/oracle/AFX/afx start
Next step
Install the AFX connector packages for this AFX release version. See Install the AFX Connector
Packages.
Procedure
1. Log on to RSA Identity Governance and Lifecycle.
3. If required, update the Default Truststore Password. You must update it if you have changed the
password for the default JDK truststore (for example, JAVA_HOME/jre/lib/security/cacerts) on
the AFX Server host.
4. Select Download Server Archive to download the local AFX Server archive. See Download an
AFX Server Archive.
7. Install the AFX Connector packages for this AFX version. See Install the AFX Connector
Packages.
Procedure
1. Log in to RSA Identity Governance and Lifecycle.
3. Create an AFX server configuration for the server instance you want to install on another host.
See "Creating AFX Servers" in Help for more information.
4. Select the AFX Server configuration that you just created and click Download Server Archive to
download the remote AFX server archive. See Download an AFX Server Archive.
5. See Install the AFX Server Using an Archive Downloaded from RSA Governance and Lifecycle
to install a new AFX server or update it on the remote machine.
6. Install the AFX Connector packages for this AFX release version. See Install the AFX
Connector Packages.
Install the AFX Server Using an Archive Downloaded from RSA Identity Governance
and Lifecycle
This section describes how to perform the following tasks after you copy and download the AFX
Server archive from RSA Identity Governance and Lifecycle:
l Install a new AFX Server.
Procedure
1. Create an unprivileged account (for example, afxuser) on the host where you plan to run the AFX
Server. For example:
This account is referred to as the “afx account” with the name “afxuser” throughout the
remainder of this procedure.
2. For the “afx account,” export JAVA_HOME and put $JAVA_HOME/bin in the PATH. JAVA_
HOME must point to a JAVA 1.7 installation.
4. Copy the AFX Server archive downloaded from RSA Identity Governance and Lifecycle to the
“afx account” home directory on the AFX Server machine (for example, /home/afxuser).
5. Go to the “afx account” home directory and expand the AFX Server archive. For example:
cd /home/afxuser
unzip AFXServer.zip
An AFX directory is created in the “afx account” home directory (for example,
/home/afxuser/AFX) containing the server files.
6. Change to the AFX directory and execute the setPerms.sh script located in AFX/bin to set file
permissions. For example:
cd /home/afxuser/AFX
sh bin/setPerms.sh
7. Follow the steps in “Install an AFX Server Service” below to install the AFX Server service.
Important: This procedures applies only when AFX and RSA Identity Governance and Lifecycle
are installed on different hosts. It is required for WebSphere and WebLogic installations.
Procedure
1. Connect to the AFX Server host as root user.
For example:
ln -s /home/afxuser/AFX/bin/afx_server /etc/init.d/afx_server
Procedure
1. Connect to the AFX Server host using the “afx account.”
3. Change the directory to the “afx account” home directory and rename the AFX folder to AFX-
backup, for example:
cd /home/afxuser
mv AFX AFX-backup
4. Copy the AFX Server archive that was downloaded from RSA Identity Governance and
Lifecycle to the “afx account” home directory on the AFX Server machine (/home/afxuser for
example).
5. Change directory to the “afx account” home directory and expand the AFX Server archive. For
example:
cd /home/afxuser
unzip AFXServer.zip
The “afx account” home directory (/home/afxuser/AFX for example) containing the server files
now contains an AFX directory.
6. Change to the AFX directory and execute the setPerms.sh script located in AFX/bin to set file
permissions. For example:
cd /home/afxuser/AFX
sh bin/setPerms.sh
7. Restore the ActiveMQ data directory (and its contents) from the prior installation backup to the
new AFX installation. Type:
cp -rfp <path-to-AFX-backup>/activemq/data <path-to-AFX>/activemq
where
l <path-to-AFX-backup> is the location of the backup
For example:
cp –rfp /home/afxuser/AFX-backup/activemq/data
/home/afxuser/AFX/activemq
Procedure
1. Log on to RSA Identity Governance and Lifecycle.
4. Select Next.
5. Check the Select all items box to select all connector templates listed for import.
6. Select Import to load all standard connector template packages for this released version into RSA
Identity Governance and Lifecycle.
7. If you are licensed for one or more AFX Premium Connectors, repeat steps 1 through 5 for AFX-
<product-version>-Premium-Connectors.zip (also located in the packages directory for RSA
Identity Governance and Lifecycle v6.9.x and later).
Note: After you have imported all connector packages, any previously imported connectors and
templates are updated to include the latest enhancements. Those enhancements include new
capabilities and settings, fixes for known issues, and any changes to ensure compatibility with AFX
Server v7.x.
l Client Certificate — A public certificate that identifies a client to which RSA Identity
Governance and Lifecycle establishes a secure connection.
l Trusted Authority Certificate — A root or intermediate certificate that is trusted and can be used
when validating a signed certificate.
Appendix A: Security and Authentication Management (RSA Appliance and Soft Appliance) 130
Installation Guide
Default RSA Identity Governance and Lifecycle keystores, passwords, and locations described in
the following sections:
l aveksa.keystore — The aveks.keystore file contains the self-signed certificates that identify the
RSA Identity Governance and Lifecycle application server when it communicates with a browser
via HTTPS. This default server certificate is created with keysize = 2048, validity = 18000 days,
and ALG = RSA. For upgrades, use the existing keystore.
The keystore is in: /home/oracle/keystore/aveksa.keystore
The password is: Av3k5a15num83r0n3
You can use this keystore to configure the default HTTPS access on port 8443. You can modify
this keystore to meet the security requirements of the default HTTPS access to RSA Identity
Governance and Lifecycle.
l server.keystore — The server.keystore file secures communication between agents and RSA
Identity Governance and Lifecycle. It contains a signed server certificate and the trusted
certificates used to sign the server certificate. This default certificate is created with keysize =
2048, validity = 18000 days, and ALG = RSA. The keystore is in:
/home/oracle/keystore/server.keystore. The password is Av3k5a15num83r0n3
The server.keystore is required for secure SSL port 8444 and used for communicating with remote
agents. You cannot modify this keystore.
l cacerts — The default truststore file is the cacerts file associated with the OpenJDK being used.
File: $JAVA_HOME/jre/lib/security/cacerts (for example: /etc/alternatives/java_sdk_
1.7.0/jre/lib/security/cacerts
The password is: changeit
l client.keystore — The client.keystore file is created and used by a RSA Identity Governance and
Lifecycle remote agent.
This keystore is downloaded with the remote agent software from the user interface when a
remote agent is created or edited. For more information, see "Working with Agents" in the Help.
The password is: Av3k5a15num83r0n3
Note: Unless specified otherwise, all of the command examples in this section use the default
passwords.
Keytool
Keytool is a certificate management utility. It is used to manage RSA Identity Governance and
Lifecycle certificates within the keystore that are referenced in this section. This keytool command
is in the JAVA_HOME directory.
Appendix A: Security and Authentication Management (RSA Appliance and Soft Appliance) 131
Installation Guide
You use Keytool to create a keystore file and manage the certificates in the keystore. The keytool
command uses an alias to reference the certificates. The alias is a simple well-known name
associated with a certificate in the file. When you use keytool, log in as the owner of the files you
want to work on. For example, log in as root to work with the cacerts file or as oracle to work with
the aveksa keystore files.
For more information about the keytool command, see the OpenJDK documentation.
Ciphers
The RSA Identity Governance and Lifecycle appliance is configured with two ciphers for SSL:
l TLS_RSA_WITH_AES_128_CBC_SHA
l TLS_RSA_WITH_AES_256_CBC_SHA
Procedure
keytool -list -storepass <Keystore Password> -keystore <Keystore File>
For example:
keytool -list -storepass Av3k5a15num83r0n3 -keystore server.keystore
Appendix A: Security and Authentication Management (RSA Appliance and Soft Appliance) 132
Installation Guide
Required steps:
a. Generate a new keystore and server certificate with your desired password.
b. Import any other certificates you require into the new keystore.
Procedure
keytool -genkeypair -keysize <keysize> -validity <#days> -alias <server-
cert-alias> -dname <domain-name> -keyalg <key algorithm> -file <Server_
cert_file> - keypass <Your Password> -storepass <Your Password> -keystore
<Keystore File>
For example:
keytool -genkeypair -keysize 2048 -validity 18000 -alias mycorpServer -
dname "CN=acm-
server.mycorp.com,OU=Aveksa,O=MyCorp,L=Waltham,S=Massachusetts,C=US" -
keyalg RSA-file server.cer -keypass new1Pass -storepass new1Pass -keystore
newPass.keystore
A new keystore file called newPass.keystore is created with an RSA Identity Governance and
Lifecycle server certificate with an alias of mycorpServer. The certificate is saved in the server.cer
file.
Note: If you had previously created and signed your server certificate you will need to repeat the
process of generating a certificate signing request and importing the signed certificate. See Using a
Signed Certificate for HTTP Access to RSA Identity Governance and Lifecycle for more
information
Appendix A: Security and Authentication Management (RSA Appliance and Soft Appliance) 133
Installation Guide
Procedure
1. Go to the jre/lib/security directory.
To back up certificates:
Back up the following directories from your current installation to a location where they can be
retrieved for restoration after the upgrade:
Appendix A: Security and Authentication Management (RSA Appliance and Soft Appliance) 134
Installation Guide
RSA Identity Governance and Lifecycle (Aveksa Compliance Manager) version 4.x,
5.0.x, 5.1.x:
/home/oracle/wildfly-<wildfly-
version>/server/default/deploy/aveksa.ear/aveksa.war/WEB-INF/certificates
RSA Identity Governance and Lifecycle (Aveksa Platform) version 5.5 or 6.x
To restore certificates:
1. Shut down Aveksa services as described in Stopping RSA Identity Governance and Lifecycle
Services.
2. From the backed up directories from the previous installation, copy certificate keystore files to
the deploy directory.
3. Start Aveksa services as described in Starting RSA Identity Governance and Lifecycle Services.
If you do not have the keystore files but you do have a Backup<aveksa-version>.tar file created
with the acm_backup.sh script, you can find those files in the following directories in
Backup<aveksa-version>.tar:
l RSA Identity Governance and Lifecycle version 4.x, 5.0.x, 5.1.x:
/home/oracle/wildfly-<wildfly-
version>/server/default/deploy/aveksa.ear/aveksa.war/WEB-
INF/certificates
Appendix A: Security and Authentication Management (RSA Appliance and Soft Appliance) 135
Installation Guide
Note: To enable WebLogic to use certificates signed using SHA-256, you must enable JSSE on the
WebLogic server.
Migrate the RSA Identity Governance and Lifecycle Server Certificate to SHA-256
Procedure
1. Click the Admin menu and select System > Security.
5. Log in to the installation machine as the ‘admin’ user and enter the following command:
sudo service aveksa_server stop
Procedure
1. Run the following command:
keytool -export -alias <Certificate alias> -file <Server_cert_file> -
storepass <Keystore Password> -keystore <Keystore File>
For example:
cd /home/oracle/keystore
Appendix A: Security and Authentication Management (RSA Appliance and Soft Appliance) 136
Installation Guide
This exports the server certificate into a file called server01.cer. This file can then be copied to
the necessary locations required for the given LDAP/AD system.
Procedure
1. Go the following directory:
cd /home/oracle/keystore
3. Delete any existing alias in the truststore using the following command:
keytool -delete -alias <ldap-alias> -storepass <Keystore Password> -
keystore aveksa.keystore
For example:
keytool -delete -alias ldap-user-store -storepass Av3k5a15num83r0n3 -
keystore aveksa.keystore
For example:
keytool -import -v -noprompt -trustcacerts -alias ldap-user-store -file
myldap.cer -storepass Av3k5a15num83r0n3 -keystore aveksa.keystore
Appendix A: Security and Authentication Management (RSA Appliance and Soft Appliance) 137
Installation Guide
Appendix B: Troubleshooting
l Troubleshooting an RSA Appliance or Soft Appliance
l Installation
l Start Up
l Runtime
Overview
This chapter describes potential problems you may encounter with deploying, starting, and running
RSA Identity Governance and Lifecycle on WildFly. The installation process produces log files that
can be examined for problems during the installation process:
l The /tmp/aveksa-install.log file is generated by the RSA Identity Governance and Lifecycle
installation
The Wildfly server and the RSA Identity Governance and Lifecycle application both provide log
files that can help you pinpoint configuration or runtime problems.
l The home/oracle/wildfly/standalone/log/server.log file is the Wildfly runtime log file.
The following RSA Identity Governance and Lifecycle log files are located in WildFly in the
/home/oracle/wildfly/standalone/log directory:
l The aveksaServerInfo.log file provides configuration information about the RSA Identity
Governance and Lifecycle application server configuration. This includes application version
information, Java JVM settings, database configuration, and application module configurations.
l The aveksaServer.log file provides information on the RSA Identity Governance and
Lifecycleserver execution. For information on managing aveksaServer.log views in the RSA
Identity Governance and Lifecycle user interface, see the Help topic, "Application Log
Administration."
l The create.log file provides information about interactions involved with deploying and/or
migrating schema changes to the database. Problems with the database deployment might cause
problems initializing the RSA Identity Governance and Lifecycle application. This log file might
be in a different location as it is created in the directory where the createSchema is run.
l patch.log file provides information about script-driven hot fix installations. This file is generated
when a patch is applied.
l The reporting-user-synonyms.log file provides information about updates to user synonyms in the
avdwdb data source.
l The public-schema-synonyms.log file provides information about updates to user synonyms in the
acmdb data source. This file is generated only when synonyms are updated.
Installation
Problem: You see the following output from the installer.
Installing Oracle...
Reason: The Oracle process determines if an NTP service is configured, and if it determines that it
is it requires that it is running. This problem can occur if the system is not connected to the internet.
Solution: Start the NTP deamon or follow these steps to disable and, as root, remove the ntpd files
and restart your installation:
1. Run these commands:
/sbin/service ntpd stop
chkconfig ntpd off
rm /etc/ntp.conf or, mv /etc/ntp.conf to /etc/ntp.conf.org
Start Up
If you encounter problems with starting RSA Identity Governance and Lifecycle after you have
completed post-deployment tasks, examine the aveksaServer.log file or the WildFly server.log file
for problem indicators.
Problem: The RSA Identity Governance and Lifecycle displays the following error message when
you attempt to access the application:
Unable to initialize security model. Security application not created.
The aveksa security application must be initialized first by the System
Operations Node(SON).
See documentation regarding server nodes and deployment.
Reason: The node that was started is not the System Operations Node (SON). The SON performs
the initialization of the security model. The SON must be started first. This could be caused by the
following circumstances:
l The SON in a clustered environment was not started and used to initialize the system before
starting other nodes.
l A data dump was moved from one system to another (a development system to a production
system for example) where the originating system is still registered as the SON. The system
stores a list of registered servers in the database and their role. The dump will contain the
information of the server that was the SON when the dump was taken.
Solution: Examine the aveksaServer.log file to determine the role of this node. Look for a line
similar to the following:
08:50:48,555 INFO [ServerNodeServiceProvider] Node Name : <Machine Name>
has been updated to Role General_Node
l If the application is in a cluster, start the SON first, and then start any other general nodes.
l If you have imported a new data dump, it is possible that an older machine is listed as the SON.
In this case, the server nodes table can be cleaned and the server can be estarted. The system will
then self register as the SON. You can determine the list of registered servers, status, and roles
by querying the T_SERVER_NODES table.
To list the known server(s), execute the following sql on the avuser:
select NODE_NAME, HOST_NAME, NODE_ROLE, NODE_STATUS from T_SERVER_NODES;
To Clear out the server node table, execute the following sql on the avuser schema:
Delete * from T_SERVER_NODES;
Problem: The migration fails when migrating the database when upgrading to a newer version of the
RSA Identity Governance and Lifecycle application. The following error messages appear in the
user interface or in the migrate.log file.:
java.sql.SQLException: ORA-14452: attempt to create, alter or drop an index
on temporary table already in use
or
Errors Detected:
ORA-14452
Examine the log file: migrate.log for more information. Consult the
installation guides if this is a known issue.
Reason: A table could not be modified during migration. This might be caused if a database session
is holding that table, possibly caused by another running node.
Solution: Verify that all nodes or other processes that may be accessing the schema are
shutdown/stopped. The following database query may provide information about what might be
holding a session to the database schema.
select machine, logon_time from v$session where username='AVUSER';
Ensure all instances of the the RSA Identity Governance and Lifecycle application have been
stopped.
It is highly recommended that you repeat the migration. You can do this by simply modifying the
“productVersion” parameter in the database T_SYSTEM_SETTINGS table, setting it to the product
version of the version from which you are upgrading.
For example:
UPDATE T_SYSTEM_SETTINGS SET VALUE='6.0.2'
Commit the changes, restart the application server, and then perform the migration.
Problem: The RSA Identity Governance and Lifecycle application displays the following error
message when you attempt to access the application:
The character set for the database is configured to WE8MSWIN1252; however,
AL32UTF8 is the required database character set. Please consult the
Database Guide to create a database instance that meets the product
requirements and then restart the application.
Runtime
If you encounter problems while RSA Identity Governance and Lifecycle is running, examine the
aveksaServer.log file for problem indicators.
Problem: RSA Identity Governance and Lifecycle logs the following error message:
HQ212051: Invalid concurrent session usage. Sessions are not supposed to be
used by more than one thread concurrently.: java.lang.Exception: trace
Note: See RSA Identity Governance and Lifecycle Security and Authentication Management for
information on managing certificates.
Problem: After using certificates the RSA Identity Governance and Lifecycleserver is
unresponsive.
Cited in the WildFly Server log file: /home/oracle/wildfly/standalone/log/server.log.
06/08/2012 10:37:31.925 ERROR (http-0.0.0.0-8443-Acceptor-0)
[org.apache.tomcat.util.net.JIoEndpoint] Socket accept failed
java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No
available certificate or key corresponds to the SSL cipher suites which are
enabled.
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket
(JSSESocketFactory.java:150
at org.apache.tomcat.util.net.JIoEndpoint$Acceptor.run
(JIoEndpoint.java:309)
at java.lang.Thread.run(Thread.java:662)
Solution: The CN of the FQDN of the certificate may be incorrect. Delete the existing certificate
and re-generate the a new server certificate.
Problem: Unable to login into RSA Identity Governance and Lifecycle with secure HTTPS. The
server.log file cites:
07/13/2012 16:22:11.516 INFO (main)
[org.apache.coyote.http11.Http11Protocol] Starting Coyote HTTP/1.1 on http-
0.0.0.0-8080
07/13/2012 16:22:11.557 ERROR (main)
[org.apache.coyote.http11.Http11Protocol] Error starting endpoint
java.io.IOException: Keystore was tampered with, or password was incorrect
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:771)
Reason: The aveksa-standalone-full.xml file connection configuration has wrong keystore password.
Solution: Edit the server.xml and correct the keystore information. See Change the Default Aveksa
Keystore Password for more information.
Problem: Unable to login into RSA Identity Governance and Lifecycle with secure HTTPS. The
server.log file cites:
2012-07-17 07:29:50,431 INFO [org.apache.coyote.http11.Http11Protocol]
Initializing Coyote HTTP/1.1 on http-0.0.0.0-8080
2012-07-17 07:29:50,560 ERROR [org.apache.coyote.http11.Http11Protocol]
Error initializing endpoint
java.io.IOException: Cannot recover key
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init
(JSSESocketFactory.java:394)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket
(JSSESocketFactory.java:135)
at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:497)
at org.apache.coyote.http11.Http11Protocol.init(Http11Protocol.java:176)
at org.apache.catalina.connector.Connector.initialize(Connector.java:1073)
at org.apache.catalina.core.StandardService.initialize
(StandardService.java:668)
Reason: The keystore password and server certificate passwords do not match.
Solution: Generate the keystore file with a server certificate with the same password. See Change
the Default Aveksa Keystore Password for more information.
Problem: LDAP Collection test fails with SSL. The aveksaServer.log file cites the following:
Collector test failed:
com.aveksa.server.runtime.ServerException: Test request failed with
response: com.aveksa.server.runtime.ServerException:
com.aveksa.common.ConnectException: Error in get connection to
UserDirectory. Caused by javax.naming.CommunicationException: simple bind
failed: 10.110.13.91:636 [Root exception is
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target]. Caused by
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target. Caused by
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target. Caused by
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target Caused By Stack
com.aveksa.common.ConnectException: Error in get connection to
UserDirectory at
com.aveksa.collector.accountdata.LdapAccountDataReaderConfig.connect
(LdapAccountDataReaderConfig.java:250) at
com.aveksa.collector.accountdata.LdapAccountDataReader$AccountDataDirectory
Iterator.
Reason: ACM/SSL is not able to validate the certificate authority of the certificate from the LDAP
or AD server.
Solution: The information about the CA of the certificate of the LDAP or AD directory server must
be added to the truststore. Add the root/intermediate certificates for the CA to the truststore. See
Establishing a Secure LDAP/AD Connection for a Data Collector for more information.
Problem: The following error is logged multiple times and fills up the log:
ERROR (http-0.0.0.0-8444-Acceptor-0)
[org.apache.tomcat.util.net.JIoEndpoint] Socket accept failed
java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No
available certificate or key corresponds to the SSL cipher suites which are
enabled.
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket
(JSSESocketFactory.java:150)
at org.apache.tomcat.util.net.JIoEndpoint$Acceptor.run
(JIoEndpoint.java:309)
at java.lang.Thread.run(Thread.java:662)
Reason: A certificate being used by the system was removed from the aveksa.keystore, usually as
part of the process for replacing a certifcate.
Solution: Restore the aveksa.kesytore from a backup, and begin the process of replacing the
certifcate again. For more information, see Using a Signed Certificate for HTTP Access to RSA
Identity Governance and Lifecycle.
l Deployment
l Start Up
l Runtime
Overview
This chapter describes potential problems you may encounter with deploying, starting, and running
RSA Identity Governance and Lifecycle on WebSphere. The WebSphere server and the RSA
Identity Governance and Lifecycle application provide log files that can help you identify problems
that may occur during configuration or runtime.
The following directory includes the SystemErr.log and SystemOut.log files:
$WEBSPHERE_HOME/AppServer/profiles/AppSrv01/logs/server1
RSA Identity Governance and Lifecycle has several log files that are created in the deployed
application directory (ear) on WAS. Use your command line shell to determine the path to the ear.
The path to the ear is similar to:
/opt/IBM/WebSphere/AppServer/profiles/AppSrv01/installedA
pps/hostnameNode01Cell/aveksa.ear
Your path will vary based on your WebSphere install location, server name, hostname, node, and
cell. This path is referenced by EAR_PATH.
The following directory includes the aveksaServerInfo.log, aveksaServer.log, create.log, migrate.log,
patch.log, reporting-user-synonyms.log, and the public-schema-synonyms.log files:
$ EAR_PATH /aveksa.war/log
l The aveksaServerInfo.log file provides configuration information about the RSA Identity
Governance and Lifecycle application server configuration. This includes application version
information, Java JVM settings, database configuration, and application module configurations.
l The aveksaServer.log file provides information on the RSA Identity Governance and Lifecycle
server execution.
l The reporting-user-synonyms.log file provides information about updates to user synonyms in the
avdwdb data source.
146
Installation Guide
Deployment
Problem: Testing the JBDC data source connections fails, and the error message indicates a failure
to locate the ojdbc jar file.
Note: The version of the ojdbc jar file is the one specified when setting up Oracle JDBC Provider.
Solution: Make sure the DISTRIBUTION path specified for Oracle is correct. The path
specification is case sensitive.
Problem: The wpqmonitor.log file includes this error:
java.rmi.RemoteException: NamingException caught attempting to
locate the 'ServerConfigPvt_EJB' object. Please verify that the
server is running and the client configuration is correct.; nested
exception is:
javax.naming.ServiceUnavailableException: A communication failure
occurred while attempting to obtain an initial context with the
provider URL: "corbaloc:iiop:localhost:2809". Make sure that any
bootstrap address information in the URL is correct and that the
target name server is running. A bootstrap address with no port
specification defaults to port 2809. Possible causes other than an
incorrect bootstrap address or unavailable name server include the
network environment and workstation network configuration. [Root
exception is org.omg.CORBA.TRANSIENT: java.net.ConnectException:
Connection refused:host=vm-was-1-1.aveksa.local,port=2809 vmcid:
IBM minor code: E02 completed: No]; nested exception is:
java.rmi.RemoteException: NamingException caught attempting to
locate the 'ServerConfigPvt_EJB' object. Please verify that the
server is running and the client configuration is correct.; nested
exception is:
javax.naming.ServiceUnavailableException: A communication failure
occurred while attempting to obtain an initial context with the
provider URL: "corbaloc:iiop:localhost:2809". Make sure that any
bootstrap address information in the URL is correct and that the
target name server is running. A bootstrap address with no port
specification defaults to port 2809. Possible causes other than an
incorrect bootstrap address or unavailable name server include the
network environment and workstation network configuration. [Root
exception is org.omg.CORBA.TRANSIENT: java.net.ConnectException:
Connection refused:host=vm-was-1-1.aveksa.local,port=2809
Solution: Make sure the ACMProviderUrl setting is not defined as ACMProviderURL. Incorrect
case for “Url” causes the error.
147
Installation Guide
Problem: Problems with workflow execution. Examine the aveksaServer.log file. Check if it displays
the following error message:
java.rmi.RemoteException: NamingException caught attempting to
locate the 'ServerConfigPvt_EJB' object. Please verify that the
server is running and the client configuration is correct.; nested
exception is:
javax.naming.ConfigurationException: Malformed provider URL:
corbaloc:iiop${ACMProviderUrl}
Reason: The ACMProviderUrl was not configured.
Solution: Configure the ACMProviderUrl for the application server, then restart the server.
Problem: Problems with workflow execution. Examine the aveksaServer.log file. Check if it displays
the following error message:
java.rmi.RemoteException: NamingException caught attempting to
locate the 'ServerConfigPvt_EJB' object. Please verify that the
server is running and the client configuration is correct.; nested
exception is:
javax.naming.ServiceUnavailableException [Root exception is
java.net.UnknownHostException: xxvm-wls-1-3]; nested exception is:
Reason: The ACMProviderUrl may have been configured with wrong information.
Solution: Check for typos in the server name or format of the ACMProviderUrl values. (the example
above shows the server name xxvm-wls-1-3 that it is having problems resolving).
148
Installation Guide
4. Delete any java dump files created when the out-of-memory error occurred.
5. Delete all the Snap.* javacore.* heapdump.* files in the deployment manager directory.
Start Up
If you encounter problems with starting RSA Identity Governance and Lifecycle after you have
completed post-deployment tasks, check the RSA Identity Governance and Lifecycle and WAS log
files.
Problem: The migration fails when migrating the database during an upgrade to a newer version of
the RSA Identity Governance and Lifecycle application. The following error messages appear in the
user interface or in the migrate.log file.:
java.sql.SQLException: ORA-14452: attempt to create, alter or drop an index
on temporary table already in use
or
Errors Detected:
ORA-14452
Examine the log file: migrate.log for more information. Consult the
installation guides if this is a known issue.
Reason: A table could not be modified during migration. This might be caused if a database session
is holding that table, possibly caused by another running node.
Solution: Verify that all nodes or other processes that may be accessing the schema are
shutdown/stopped. The following database query may provide information about what might be
holding a session to the database schema.
select machine, logon_time from v$session where username='AVUSER';
Ensure all instances of the RSA Identity Governance and Lifecycle application have been stopped.
It is highly recommended that you repeat the migration. You can do this by simply modifying the
“productVersion” parameter in the database T_SYSTEM_SETTINGS table, setting it to the product
version of the version from which you are upgrading.
For example:
UPDATE T_SYSTEM_SETTINGS SET VALUE='6.0.2'
Commit the changes, restart the application server, and then perform the migration.
Problem: The RSA Identity Governance and Lifecycle displays the following error message when
you attempt to access the application:
Unable to initialize security model. Security application not created.
149
Installation Guide
Reason: The node that was started is not the System Operations Node (SON). The SON performs
the initialization of the security model. The SON must be started first. This could be caused by the
following circumstances:
l The SON in a clustered environment was not started and used to initialize the system before
starting other nodes.
l A data dump was moved from one system to another (a development system to a production
system for example) where the originating system is still registered as the SON. The system
stores a list of registered servers and their roles in the database. The dump contains the
information of the server that was the SON when the dump was taken.
Solution: Examine the aveksaServer.log file to determine the role of this node. Look for a line similar
to the following:
08:50:48,555 INFO [ServerNodeServiceProvider] Node Name : <Machine Name>
has been updated to Role General_Node
l If you have imported a new data dump, it is possible that an older machine is listed as the SON.
In this case, the server nodes table can be cleaned and the server can be started. The system will
then self register as the SON. You can determine the list of registered servers, status, and roles
by querying the T_SERVER_NODES table.
To list the known server(s), execute the following sql on the avuser:
select NODE_NAME, HOST_NAME, NODE_ROLE, NODE_STATUS from T_SERVER_NODES;
To Clear out the server node table, execute the following sql on the avuser schema:
Delete * from T_SERVER_NODES;
150
Installation Guide
Reason: It is important that the database is configured to the correct character set that may be used
within the product. Failure to do so may result in corrupted data in those tables where non-
conforming characters may be written.
Solution: See the Database Guide for information on configuring a database instance. If you have
data you wish to preserve please back up your database, create a new database that is configured
with the correct database character set, and import your data dump into the database.
Problem: RSA Identity Governance and Lifecycle application displays the following error message
when you attempt to access the application:
Unable to register service PersistenceService.
java.lang.ExceptionInInitializerError
Reason: On WebSphere 7.x and 8.0 you must associate a .jar file with the RSA Identity Governance
and Lifecycle application using the WebSphere shared library
Solution: Follow the instruction on configuring the shared library as described in Configure the
Shared Library.
Problem: RSA Identity Governance and Lifecycle application does not start. The SystemErr.log file
contains an error similar to the following:
[6/10/10 13:52:53:563 EDT] 00000030 SystemErr R Caused by:
javax.resource.spi.InvalidPropertyException: CWSJR1181E: The JMS activation
specification has invalid values - the reason(s) for failing to validate
the JMS activation specification are: [CWSJR1187E: The bus name on a JMS
activation specification must be given a value]
Reason: One of the activation specifications was created without the bus defined.
Solution: In the Admin Console, examine wpEventActSpec, wpServAutoActActSpec and
wpUtilActSpecResource > JMS > Activation Specifications.
151
Installation Guide
2. Examine the Bus Name field, and validate that wpBus is defined.
l Check that the custom property oracle9iLogTraceLevel for has no value set as described in
Create the JDBC Data Sources for data sources cited in aveksaServer.log file error messages like
these:
Caused by:
java.lang.NoSuchMethodError: oracle/jdbc/driver/OracleLog.setLogVolume(I)
V at com.ibm.ws.rsadapter.dbutils.impl.OracleUtilityImpl.setLogVolume
(OracleUtilityImpl.java:85)
or
06/01/2011 12:31:06.550 ERROR (server.startup : 0)
[com.aveksa.migration.jdbctool.CheckDatabase] Unable to get the acmdb
datasource
com.ibm.websphere.naming.CannotInstantiateObjectException: Exception
occurred while the JNDI NamingManager was processing a
javax.naming.Reference object. [Root exception is
com.ibm.websphere.naming.CannotInstantiateObjectException: Exception
occurred while the JNDI NamingManager was processing a
javax.naming.Reference object. [Root exception is
java.lang.reflect.InvocationTargetException]] at
com.ibm.ws.naming.util.Helpers.processSerializedObjectForLookupExt
(Helpers.java:1000)
152
Installation Guide
Reason: The database users were not provided the required database privilege grants.
Solution: Provide the required privilege grants to the database users. See the Database Setup and
Management Guide for more information.
Problem: Application fails to start and log shows an error similar to the following:
java.lang.UnsupportedClassVersionError: JVMCFRE003 bad major version
Reason: The application server is configured to the wrong version of the Java SDK.
Solution: Set the Java SDK to the supported version.
1. Stop the server.
Runtime
Problem: Change request workflow processes not executing correctly. (Examine the SystemOut.log
file, which contains descriptions of errors regarding connection time outs.)
Reason: The WPDS data source was not configured with the required minimum connections pool
count of 150.
Solution: Configure the minimum connection pool count to 150.
153
Installation Guide
l Deployment
l Start Up
l Runtime
Overview
This section describes potential problems you may encounter with deploying, starting, and running
RSA Identity Governance and Lifecycle on WebLogic. The WebLogic server and RSA Identity
Governance and Lifecycle application both provide log files that can help you pinpoint problems that
may occur during configuration or with RSA Identity Governance and Lifecycle at runtime. The
WebLogic system log files can be accessed from paths similar to the following:
$WEBLOGIC_HOME/user_
projects/domains/<aveksaDomain>/servers/<Target Server>/logs
For example: /home/oracle/Oracle/Middleware/user_
projects/domains/aveksadomain/servers
/AdminServer/logs/AdminServer.log
$WEBLOGIC_HOME/user_projects/domains/<aveksaDomain>/logs
The standard output from the startWeblogic.sh can provided additional troubleshooting information.
RSA Identity Governance and Lifecycle has several log files that are created in the deployed
application directory (ear) on WebLogic. Use your command line shell to determine the path to the
ear. The path to the ear is similar to:
$WEBLOGIC_HOME/user_
projects/domains/aveksaDomain/servers/AdminServer/tmp/_WL_
user/aveksa/ldedze/aveksa.war/log
Your path will vary based on your WebLogic install location as well as your domain. This path is
referenced by EAR_PATH.
The following directory includes the aveksaServerInfo.log, aveksaServer.log, create.log, migrate.log,
patch.log, reporting-user-synonyms.log, and the public-schema-synonyms.log files:
$ EAR_PATH /aveksa.war/log
l The AveksaServerInfo.log file provides configuration information about the RSA Identity
Governance and Lifecycle application server configuration. This includes application version
information, Java JVM settings, database configuration, and application module configurations.
154
Installation Guide
l The aveksaServer.log file provides information on the RSA Identity Governance and Lifecycle
server execution.
l The create.log file provides information about interactions involved with deploying and/or
migrating schema changes to the database. Problems with the database deployment may cause
problems initializing the RSA Identity Governance and Lifecycle application.
l The reporting-user-synonyms.log file provides information about updates to user synonyms in the
avdwdb data source.
l The public-schema-synonyms.log file provides information about updates to user synonyms in the
acmdb data source.
Deployment
Problem: The deployment fails. The following error appears the in the AdminServer.log file:
<Error> <HTTP> <BEA-101163> <Could not load user defined listener:
com.aveksa.gui.core.filters.SessionTimeoutListener
java.lang.ClassNotFoundException:
com.aveksa.gui.core.filters.SessionTimeoutListener
at weblogic.utils.classloaders.GenericClassLoader.findLocalClass
(GenericClassLoader.java:296)
at weblogic.utils.classloaders.GenericClassLoader.findClass
(GenericClassLoader.java:269)
at java.lang.ClassLoader.loadClass(ClassLoader.java:307)
at java.lang.ClassLoader.loadClass(ClassLoader.java:248)
at weblogic.utils.classloaders.GenericClassLoader.loadClass
(GenericClassLoader.java:177)
Truncated. see log file for complete stacktrace
Reason: On a Solaris box, class files are truncated because the ACM-WebLogic.tar file was
extracted using the Solaris version of tar.
Solution: Extract the ACM-Weblogic.tar file using a tar utility that handles long path names
correctly, for example gtar from gnu.
155
Installation Guide
weblogic.ejb.container.deployer.BeanInfoImpl.calculateRunAsPrincip
al(BeanInfoImpl.java:1061)
weblogic.ejb.container.deployer.BeanInfoImpl.prepare
(BeanInfoImpl.java:1007)
Reason: The workpoint user for the security realm was not created or misconfigured.
Solution: Create/edit the security realm user, workpoint, and then stop and restart the server.
Problem: Problems with workflow execution. Examine the aveksaServer.log file. Check if it displays
the following error messages:
11/17/2011 14:11:46.870 ERROR ([ACTIVE] ExecuteThread: '2' for
queue: 'weblogic.kernel.Default (self-tuning)') [
java.rmi.RemoteException: NamingException caught attempting to
locate the 'ServerConfigPvt_EJB' object. Please verify that the
server is running and the client configuration is correct.; nested
exception is:
javax.naming.ServiceUnavailableException [Root exception is
java.net.UnknownHostException: xxvm-wls-1-3]; nested exception is:
Reason: The ACMProviderUrl may have been configured with wrong information.
156
Installation Guide
Solution: Check for typo's in the server name or format of the ACMProviderUrl values. (the example
above shows the server name xxvm-wls-1-3 that it is having problems resolving.
Problem: Problems with workflow execution; workflow fails. Examine hte aveksaServer.log file.
Check for the following error messages:
java.lang.RuntimeException: Illegal TXN State: Attempt to start
new transaction during rollback. Txn count=1
Solution: Check the JTA transaction timeout setting (see Configure JTA Timeout Setting). If the
setting is lower than 120 seconds, set it to 120. If it is already set to 120 or higher, contact Tech
Support.
Start Up
If you encounter problems with starting RSA Identity Governance and Lifecycle, you can check log
files for indications of where the problems occurred.
Log files can be accessed from paths similar to following:
$WEBLOGIC_HOME/user_projects/domains/<aveksaDomain>/servers/<Target
Server>/logs
$WEBLOGIC_HOME/user_projects/domains/<aveksaDomain>/logs
The standard output from the startWeblogic.sh can provided additional information.
Problem: The migration fails when migrating the database when upgrading to a newer version of the
RSA Identity Governance and Lifecycle application. The following error messages appear in the
user interface or in the migrate.log file.:
java.sql.SQLException: ORA-14452: attempt to create, alter or drop
an index on temporary table already in use
or
Errors Detected:
ORA-14452
Examine the log file: migrate.log for more information. Consult
the installation guides if this is a known issue.
Reason: A table could not be modified during migration. This might be caused if a database session
is holding that table, possibly caused by another running node.
Solution: Verify that all nodes or other processes that may be accessing the schema are
shutdown/stopped. The following database query may provide information about what might be
holding a session to the database schema.
select machine, logon_time from v$session where username='AVUSER';
Ensure all instances of the RSA Identity Governance and Lifecycle application have been stopped.
157
Installation Guide
It is highly recommended that you repeat the migration. You can do this by simply modifying the
“productVersion” parameter in the database T_SYSTEM_SETTINGS table, setting it to the product
version of the version from which you are upgrading.
For example:
UPDATE T_SYSTEM_SETTINGS SET VALUE='6.0.2'
Where the value ='productVersion'
Commit the changes, restart the application server, and then perform the migration.
Problem: The RSA Identity Governance and Lifecycle application displays the following error
message when you attempt to access the application:
The character set for the database is configured to WE8MSWIN1252;
however, AL32UTF8 is the required database character set. Please
consult the Database Guide to create a database instance that
meets the product requirements and then restart the application.
The error message is also included in the aveksaServer.log file.
Reason: It is important that the database is configured to the correct character set that may be used
within the product. Failure to do so may result in corrupted data in those tables where non-
conforming characters may be written.
Solution: See the Database Guide for information on configuring a database instance. If you have
data you wish to preserve please back up your database, create a new database that is configured
with the correct database character set, and import your data dump into the database.
Problem: You see the following ClassCastException error when starting the RSA Identity
Governance and Lifecycle application:
Unable to register service AuthenticationService.
java.lang.RuntimeException: java.lang.ClassCastException:
weblogic.jdbc.wrapper.WrapperSQLXML_oracle_xdb_XMLType cannot be cast to
oracle.sql.OPAQUE
158
Installation Guide
at weblogic.jdbc.wrapper.ResultSet_oracle_jdbc_driver_
ForwardOnlyResultSet.getOPAQUE(Unknown Source)
at com.aveksa.server.utils.ApplicationServerUtil.getOPAQUE
(ApplicationServerUtil.java:189)
at com.aveksa.server.db.StringToXMLTypeMapper.getOPAQUE
(StringToXMLTypeMapper.java:197)
at com.aveksa.server.db.StringToXMLTypeMapper.nullSafeGet
(StringToXMLTypeMapper.java:90)
at org.hibernate.type.CustomType.nullSafeGet(CustomType.java:109)
at org.hibernate.type.AbstractType.hydrate(AbstractType.java:104)
at org.hibernate.persister.entity.AbstractEntityPersister.hydrate
(AbstractEntityPersister.java:2283)
at org.hibernate.loader.Loader.loadFromResultSet(Loader.java:1527)
.....
Solution: Please verify that the Wrap Data Types option is deselected under the Connection Pool tab
> Advanced section. If you are required to deselect the option, you must restart WebLogic for the
option change to take effect.
Runtime
Problem: Change request workflow processes are not executing correctly. (Examine the standard out
log file, which contains descriptions of errors regarding connection time outs.)
Reason: The WPDS data source was not configured with the required minimum connections pool
count of 150.
Solution: Configure the minimum connection pool count to 150.
Problem: Problems with workflow execution. Examine the aveksaServer.log file. Check if it displays
the following error messages:
java.rmi.RemoteException: NamingException caught attempting to
locate the 'ServerConfigPvt_EJB' object. Please verify that the
server is running and the client configuration is correct.; nested
exception is:
javax.naming.ConfigurationException: Malformed provider URL:
corbaloc:iiop${ACMProviderUrl}
Reason: The ACMProviderUrl was not configured.
Solution: Configure the ACMProviderUrl for the application server, then restart the server.
159
Installation Guide
Problem: RSA Identity Governance and Lifecycle fails to start up. Examine the aveksaServer.log
file. Check if it displays errors similar to the following:
2012-08-07 03:16:48,727 [AlertMonitor] ERROR
com.workpoint.server.ejb.GenericBean - Exception occurred.
javax.naming.LinkException: [Root exception is
javax.naming.NameNotFoundException: While trying to lookup
'weblogic.jdbc.jts.WPDS' didn't find subcontext 'jdbc'. Resolved
'weblogic'; remaining name 'jdbc/jts/WPDS']; Link Remaining Name:
'weblogic.jdbc.jts.WPDS' at
weblogic.jndi.internal.WLNamingManager.getObjectInstance
(WLNamingManager.java:104)
Reason; The WPDS data source was not configured properly. This possibly occurred because the
JNDI name was not changed after upgrading to RSA Identity Governance and Lifecycle v6.5.
Solution: Examine the JNDI names for the WPDS/WPDS2/WPDS3 data sources and determine
whether they are set properly. The “weblogic.jdbc.jts.WPDS” name specification no longer is
supported in v6.5 or greater.
Problem: Workflows or change requests fail to execute. Examine the aveksaServer.log file. Check if
it displays errors similar to the following:
2013-03-05 00:19:19,682 [AlertQueryWPDS] ERROR
com.workpoint.monitor.support.AlertQueryThread - Unable to query
alert instances due to RemoteException.
com.workpoint.server.ejb.WorkPointEJBException: Internal error:
Cannot obtain XAConnection
weblogic.common.resourcepool.ResourceLimitException: No resources
currently available in pool WPDS to allocate to applications,
please increase the size of the pool and retry..
2013-03-05 00:19:19,692 [ScriptQueryWPDS] ERROR
com.workpoint.monitor.support.ScriptQueryThread - Unable to query
script instances due to RemoteException.
com.workpoint.server.ejb.WorkPointEJBException: Internal error:
Cannot obtain XAConnection
weblogic.common.resourcepool.ResourceLimitException: No resources
currently available in pool WPDS to allocate to applications,
please increase the size of the pool and retry..
2013-03-05 00:19:19,702 [JobQueryWPDS] ERROR
com.workpoint.monitor.support.JobQueryThread - Unable to query job
instances due to RemoteException.
160
Installation Guide
161
Installation Guide
Appendix C: Maintenance
l Maintaining an RSA Appliance or Soft Appliance
This task creates a dump (.dmp) file of the AVUSER schema. The file contains all of the application
data and some environment data about a particular system environment.
If you intend to import a dump from one machine to another (which must be running the same RSA
Identity Governance and Lifecycle version from which the dump was created), you may be required
to perform additional configuration on the target machine.
Recommendations
l Back up your database regularly or before making major changes to your system. For example,
create a backup of your appliance database before proceeding with re-installing or upgrading RSA
Identity Governance and Lifecycle software.
l Backup the database only when there is little or no activity running in the database. For example,
during scheduled maintenance periods when RSA Identity Governance and Lifecycle can be
safely shut down. RSA recommends that you shut down the RSA Identity Governance and
Lifecycle server before you export a database, but if you must run the back up while RSA Identity
Governance and Lifecycle is running, ensure that any crucial processes such as data collections,
review generation and others are not running before you begin the back up.
Procedure
1. Log in to the installation machine as the 'admin' user.
The -t option, provides a tag name that is appended to the standard export file name. The script
creates an export file named Export_AVDB_avuser_Backup_Pre_Upgrade.dmp file in the
directory specified by the -o option. If -o option is not specified, the export file is saved to
/home/oracle/AveksaExportImportDir/
Note: If you also want to compress the dump file, use the -g option.
Note: When using the -i option, ensure that the AVUSER and SYS database user passwords are
the same. Both users are involved in executing the command. For more information on changing
passwords, see Changing Database User Passwords.
Important: Starting with the 7.0.1 product release, a new data encryption handling mechanism is
in place which uses on disk data in conjunction with database data to perform data encryption.
When exporting the database and moving it to a new installation, you must also "pack up" the
encryption key data stored on disk (see Step 4) and moved it along with the database.
7. Zip up the master key data in the master key storage directory. This directory is identified by the
rsavialg.security.keydir environment variable. The default directory is /home/oracle/security.
You will unzip the master key data as part of the steps to import the database described in Import
the AVUSER Schema/Data for a Database Restoration/Load.
Note: In a clustered environment, if separate copies of the key data are stored on each cluster
node, then only one copy of a key data (any node's key data) needs to be backed up as all areas
should contain the same key data. However, when reinstalling the data , if a node has a local
directory specified for storage of keys, then the key data should be reinstalled to each of these
local directories (as specified by the rsavialg.security.keydir environment variable which each
node has set).
You can import an AVUSER schema/data backup to restore a database or load it on a new machine.
You perform the import procedure for the RSA Identity Governance and Lifecycle Oracle database
using the /home/oracle/database/DBA/AVDB/scripts/AVDB_Import_AVUSER.sh script alias,
avdbimport, provided with the installation. The script uses the Oracle impdp utility to import a dump
and perform additional processing steps after the dump is imported. Note that some data or
configurations may be specific to the environment from which the original dump was taken.
For example, server nodes may need to be updated; this is particularly true when moving clustered
environments. Or directory specific locations configured for collectors may need to change. After
you have imported the database, you must validate that the data is compatible with your database.
See Validate Compatibility of the Database Import for instructions.
Note: If you are using the AFX module and loading a database from a different installation, you
must update the certificates. For more information, see "Change an AFX Server SSL Certificate" in
the Access Fulfillment Express Guide.
l Process entitlements.
Procedure
1. Log in to the installation machine as the oracle user.
Important: Starting with the 7.0.1 product release, a new data encryption handling mechanism is
in place which uses on disk data in conjunction with database data to perform data encryption.
When exporting the database and moving it to a new installation, you must also "pack up" the
encryption key data stored on disk and move it along with the database (see Step 2).
2. Unzip the master key data in the master key storage directory.
This is the data that was zipped up in Step 4 in the procedure described in Back Up the RSA-
Supplied Database . (The master key storage directory is identified by the
rsavialg.security.keydir environment variable. The default directory is /home/oracle/security.)
Note: In a clustered environment, if separate copies of the key data are stored on each cluster
node, then only one copy of a key data (any node's key data) needs to be backed up as all areas
should contain the same key data. However, when reinstalling the data , if a node has a local
directory specified for storage of keys, then the key data should be reinstalled to each of these
local directories (as specified by the rsavialg.security.keydir environment variable which each
node has set).
Command options:
l The Dump_File_Name should not include the tag name or file extension (.dmp).
l Use the -t option if the exported dump file was saved with a tag name.
l Use the -i option along with the input directory name if the exported dump file was saved to an
output directory other than the default /home/oracle/AveksaExportImportDir/ directory.
Note: When using the -i option, ensure that the AVUSER and SYS database user passwords
are the same. Both users are involved in executing the command. For more information on
changing passwords, see Changing Database User Passwords.
l Use the -g option to uncompress the dump file if the -g option was used to compress the
exported dump file.
6. Start services:
service aveksa_server start
If you used the -i option to import the dump file, the log file is located in the input directory.
This is the log for the Oracle impdp import utility command. You can check the progress of the
import using the tail -f command on the log file.
/home/oracle/database/DBA/AVDB/logs/
The directory contains the log files for the import script that list all completed tasks. A log file
name in this directory is based on the Oracle Service name and/or Schema Owner if defined,
Import_${ORACLE_SERVICE_NAME}_${SCHEMA_OWNER}_History.log for example:
Import_AVDB_avuser_History.log
This directory is not in product releases greater than 6.5. Data dumps imported from older
versions will invoke this error because the directory is no longer created.
l ORA-39082: Object type TRIGGER:"AVUSER"."TRIG_AV_JOB_STATS_EMAIL_AI"
created with compilation warnings.
You may see this error message from an import of a database from a previous release because the
UTL_MAIL package is no longer installed in this release. This trigger is removed upon database
migration.
l ORA-31685: Object type MATERIALIZED_VIEW:"AVUSER"."MV_SYSTEMAPPSSUMMARY"
failed due to insufficient privileges.
You may see this error message following from a database import from a previous release
because this release no longer grants the ability to create materialized views. The view is
removed during database migration.
l ORA-39082: Object type PACKAGE_BODY:"AVUSER"."AV_JOBSTATS_PKG" created
with compilation warnings.
You may see this error message from a database import from a previous release because this
release no longer grants the ability to see the dba_extents table. The stored procedure that
references this table is removed during database migration.
l ORA-39082: Object type PACKAGE_BODY:"AVUSER"."??????_PKG" created with
compilation warnings.
You may see error messages like this from an database import from a previous release because of
changes to the schema or security privileges during the import. All stored procedure packages are
updated during database migration.
l isSoftAppliance = No
Procedure
1. Run the following SQL as avuser:
select * from T_SYSTEM_SETTINGS where PARAMETER like 'is%';
2. If the values above are not set to the correct values, run the following SQL to set them to the
correct values:
update T_SYSTEM_SETTINGS set VALUE='yes' where PARAMETER='isAppliance';
Note: For information on validating the compatibility of a database import on a remote database,
see the Database Setup and Management Guide.
l Whenever the version of the RSA Identity Governance and Lifecycle software is greater than the
version of the data in the database, for example, you created a fresh installation and you want to
use the data from a previous version, you must migrate the database.
l When you are importing a database dump created on an older version of RSA Identity
Governance and Lifecycle.
If RSA Identity Governance and Lifecycle is already installed and a migration is required, the
installation script displays a prompt that asks whether you want to migrate the database. In most
cases, the installer selects yes, and the migration is performed by the installation script. If the
migration is not performed during the upgrade installation, the RSA Identity Governance and
Lifecycle Initialization Status window prompts you to perform the migration when you attempt to
access RSA Identity Governance and Lifecycle.
Important: You must export the existing database to a backup file before you attempt to migrate the
database (if you did not previously create a database backup). See Back Up the RSA-Supplied
Database for more information.
Important: Starting with v7.0.1, a new data encryption handling mechanism is in place which uses
on disk data in conjunction with database data to perform data encryption. When exporting database
data and moving it to a new installation, you must also "pack up" the encryption key data stored on
disk and move it along with the database. For more information, see:
2. Stop services as described in Stopping RSA Identity Governance and Lifecycle Services.
Migration logs are available at the locations displayed. If there are errors shown under “Potential
errors,” this may indicate a problem with the migration of your database. Contact Technical
Support for assistance as necessary.
Migrate from within the RSA Identity Governance and Lifecycle application:
1. In the Initialization Status window, enter the migration password (AuthorizeMigration), and then
click Migrate.
2. Restart RSA Identity Governance and Lifecycle as described in Starting and Stopping RSA
Identity Governance and Lifecycle Services.
Note: This procedure does not apply to an RSA Appliance running Red Hat Ru3 or Ru8.
Important: The RSA appliance operating system installation process overwrites all data on the
appliance, including all network configuration data. There will be a new hostname and IP address as
a result of the operating system installation. RSA recommends that you note the hostname,
IP address, gateway, and DNS nameserver. Ensure that you back up all data before you install the
operating system.
You will perform the following steps to complete the RSA appliance operating system installation:
1. Verify installation requirements are met. See Operating System Installation Requirements.
2. Create a backup archive of your current installation and copy it to an external drive, and export
the database for your current installation and copy it to an external drive. See Operating System
Installation Prerequisites.
3. Get installation software, and create the installation media on a DVD. See Get the Operating
System Installation Software and Create the Installation DVD.
4. Install the operating system from a DVD. See Install the Operating System from the Installation
DVD.
When you have completed the operating system installation, install RSA Identity Governance and
LifecycleV7.0.2 using the Soft Appliance scenario. For more information, see Installation Scenarios.
l Media requirement:
o Single-sided, single-layer, 4.7GB-capacity DVD
l Upgrade requirement — To successfully migrate the RSA Identity Governance and Lifecycle
database during RSA Identity Governance and Lifecycle V7.0.2 software installation after you
install the operating system, the database must be from RSA product version 4.x or greater. The
database must be on a supported version of Oracle.
2. Stop RSA Identity Governance and Lifecycle services after you have confirmed that there are no
tasks running on the appliance. See Stopping Services for details.
3. Restart the database. See Starting and Stopping the Oracle Database and Oracle Services for
details.
4. Ensure that the appliance has a a minimum of 1 GB of free available disk space plus the current
size of the AVDB database (for the backup and upgrade process), and then back up the current
installation software and copy the backup archive to an external drive. This ensures that you are
capable of restoring your current installation if required. See Back up RSA Identity Governance
and Lifecycle for details.
Note: If you have custom indexes or views in place in your deployment, they will be lost during
upgrade process unless they have been rolled into the upgrade release. Contact RSA Support for
assistance as required.
5. Export the database for the current installation and copy the backup file to an external drive. See
Back Up the RSA-Supplied Database for details.
6. If you have SSL server or agent certificates that you would like to save and use with the new or
updated installation, save the server.keystore, serverui.keystores and client.keystore files in the
following directory:
Upgrading from 4.x
/home/oracle/jboss/server/default/deploy/aveksa.ear/aveksa.war/WEB-
INF/certificates
Back up the cacert file from the java directory. This file may contains any additional signing
certificates you may have added.
$JAVA_HOME/jre/lib/security/cacerts
Get the Operating System Installation Software and Create the Installation DVD
You must download operating system installation files to a computer (not the appliance) from RSA
Link at https://community.rsa.com/community/products/governance-and-lifecycle and create the
installation DVD that you will use to install the operating system on the appliance.
Procedure
1. Log in to RSA Link and download the image:
dvd-SLES-11SP3-ACM-7.0.0.iso
2. Burn the iso file image (do not copy as a data file) to the DVD using any industry-standard DVD
burner product. See the DVD burner documentation for details.
Procedure
1. Attach a keyboard, mouse and monitor to the appliance.
2. Insert the DVD in the DVD drive on the appliance, and power up the appliance.
3. Select F11 on the Dell screen for the boot menu, and then select boot from CDROM/DVDROM
under Hard drive. If the F11 boot menu is not available, use F2 to enter BIOS Setup and change
the boot order to boot from the CDROM/DVDROM.
A menu appears with options to "Boot from local disk" and "Install OS" for different appliance
models.
4. Use the arrow keys to highlight Install OS for the appliance model in the menu and press Enter.
If you use the BIOS Setup to change the boot order, you may be returned to the boot menu. If this
occurs, press CTRL+ALT+DEL to reboot and then press F2 to enter the BIOS Setup. Then,
restore the original boot order.
The installation program loads and performs a silent SUSE Enterprise Linux operating system
installation. The installation takes 20 to 30 minutes.
Note: The operating system on an RSA Appliance requires settings specific to the RSA Identity
Governance and Lifecycle application. For example, the partitions must be configured as described
in order for RSA Identity Governance and Lifecycle to install successfully.
Procedure
1. Boot from the SuSE 11 SP3 DVD and choose Installation.
2. Click Next.
2. Click Next.
2. Click Next.
1. Select the appropriate region and time zone for the server.
3. Click Next.
2. Click Next.
2. Click Next.
b. To add a partition on the /dev/sda screen, leave Primary partition selected and click Next.
c. To add a partition on the /dev/sda (screen 2), select Custom Size and type 2GB then click
Next.
d. To add a partition on /dev/sda (screen 3), Ext3 is the File System selected by default. Do
not change this value.
4. Click Finish.
a. Highlight and right click on /dev/sda and choose Add Partition again.
2. Click Finish.
l i. Custom Size is selected by default with the remainder of the drive space.
l i. Ext3 is the File System selected and Mount Point / is select by default.
2. Right click on the print server and choose Do not install. This will result in a greyed
checkbox.
3. Enable the option under Development for C/C++ Compiler and Tools and click OK.
1. Click Install.
3. It will prompt with a YaST2 reboot dialog after the installation is complete. Either wait for
the ten second countdown to auto reboot or click OK.
2. In the Domain Name field enter the suffix. For example, emc.com.
4. Click Next.
2. Click OK to the YaST2 warning that states To apply this change, a reboot is needed.
3. Click the Open hyperlink next to SSH port is blocked in the firewall section.
7. Click Next.
2. Click Next.
2. Populate the IP, subnet mask and hostname (using the fully qualified host.domain.com).
3. Under the Bond Slaves tab, enable the checkbox next to each ethX interface.
4. Click Next.
7. Click OK.
2. Click Next.
2. Click Next.
2. Click Next.
1. Create a user account and set a password. When creating an account do not use oracle or
admin.
1. When this screen displays, it will flicker. It will show a screen that is outside of Xwindows
briefly. Both of these behaviors are expected.
2. After the hardware probe is finished identifying the configuration, leave the default option to
Use Following Configuration selected.
3. Click Next.
2. Click Finish.
Note: These settings apply only if you are using the RSA-supplied local Oracle database.
Procedure
1. Log in as root with the password that was defined above in the section on Password for the
System Administrator "root" screen. The default password is Av3k5a.
6. Add the following Oracle required rpms from the SuSE DVD media. Pathing will vary based on
your DVD label.
cd /media/SLES-11-SP3-DVD-x86_6407031/suse/x86_64
rpm -ivh sysstat-8*x86_64.rpm
rpm -ivh nfs-kernel-server*x86_64.rpm
rpm -ivh libcap1-1*x86_64.rpm
NOTE: The character after libcap is the number one (1).
8. The operating system configuration required for our application to be installed is complete.
Reboot the host before you install:
sync
reboot
Procedure
1. Open the following file with a text editor:
/etc/sysconfig/SuSEfirewall2
2. Append the following port number string "21 22 1158 1555 8443 8444" to the FW_SERVICES_
EXT_TCP options line (space separated).
For example:
FW_SERVICES_EXT_TCP="21 22 1158 1555 8443 8444"
Note: Your internal IT staff might mandate additional ports to be added for infrastructure tools
such as monitoring programs.
3. Append the following port number string "0/0,0/0,tcp,443,8443 0/0,0/0,tcp,444,8444" to the FW_
REDIRECT options line (observing the comma and spacing syntax in the example).
For example:
FW_REDIRECT="0/0,0/0,tcp,443,8443 0/0,0/0,tcp,444,8444"
Procedure
1. Open the following file with a text editor:
/etc/sysconfig/iptables
2. Add lines like the following, for example, to your firewall section in iptables to open the ports:
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j
ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j
ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 8443 -
j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 8444 -
j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 1555 -
j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 1158 -
j ACCEPT
3. Add a network address translation section if you don’t have one to perform port redirection from
the standard https port. This section typically appears before the “*filter” section. If you already
have a *nat section, add the two REDIRECT lines. Replace bond0 with the name of your
primary network interface.
*nat
:PREROUTING ACCEPT
:POSTROUTING ACCEPT
:OUTPUT ACCEPT
-A PREROUTING -i bond0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports
8443
-A PREROUTING -i bond0 -p tcp -m tcp --dport 444 -j REDIRECT --to-ports
8444
COMMIT
4. Verify that your /etc/sysconfig/iptables file should look similar to the following:
##################### Start of insertion from Step 3 #####################
*nat
:PREROUTING ACCEPT
:POSTROUTING ACCEPT
:OUTPUT ACCEPT
-A PREROUTING -i bond0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports
8443
-A PREROUTING -i bond0 -p tcp -m tcp --dport 444 -j REDIRECT --to-ports
8444
COMMIT
5. Restart the iptables for the changes to take effect. Enter the following command:
"service iptables restart"
Procedure:
1. Connect the drive to the appliance.
c. Enter “p” to confirm that the partition was successfully created. You should see output
similar to the following:
Disk /dev/sdc: 500.1 GB, 500107862016 bytes
255 heads, 63 sectors/track, 60801 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
4. Create an ext3 file system on the newly created partition. For example:
mke2fs -j /dev/sdc1 /misc
where:
/dev/sdc is the device for the drive that you just added, and the “1” is for the first partition of that
drive.
Procedure
1. Log in to RSA Identity Governance and Lifecycle.
2. Access the Monitoring feature under the Admin tab to determine whether tasks are running.
Wait until all tasks have completed before proceeding with the upgrade.
If you are doing an appliance re-installation after an uninstall, you will be prompted for the ASM
partition during installation. You can check the previous setting with the following command:
If /tmp/Aveksa_System.cfg is not present, or this has no setting, you must determine the ASM
partition.
l For Dell R720 and Dell 2900 appliances, the ASM partition is sdb1.
You can confirm the ASM partition with the following command. You must precede the partition
name with /dev/.
For example:
sudo service oracleasm querydisk /dev/sdb1
Example output:
Disk "/dev/sdb1" is marked an ASM disk with the label "VOL1"
Procedure
1. Log on to the appliance as the admin user.
If RSA Identity Governance and Lifecycle is running, the following message displays:
Aveksa Compliance Manager Server is running
4. Go to /home/oracle/deploy.
The contents of the .ear are extracted to a directory in the following location:
/tmp/customizeACM/.
Note: If you do not specify the path to the .ear file, the script prompts you to use the currently
deployed .ear file. If you want to use the currently deployed .ear, enter yes. If you do not want
to use the currently deployed .ear, enter no.
7. When you finish modifying the files, run the customizeACM.sh script again to rebuild the .ear
file. From /home/oracle/deploy, enter
customizeACM.sh -d
l Archives the new .ear file to the following location, appending a time and date stamp to the
name: /home/oracle/archive.
Procedure
1. Log in to the installation machine as the ‘admin’ user.
Procedure
1. Log in to the installation machine as the ‘admin’ user.
4. You can check the status of the operations using the following command:
sudo service aveksa_server statusdb
You can check the status of database operations, including OEM operations, using the following
command:
sudo service aveksa_server statusoracle
Note: ACMWatchdog.sh will automatically start OEM if AVDB is running on the machine if
OEM was not explicitly stopped through "service aveska_server stopoem" or "service aveksa_
server stoporacle."
Important: RSA recommends that you copy the backup file to an external drive. Restoration of a
backup must be on a machine that has the same version of the backup installed. If, for example, you
were restoring a backup of v6.0.2, you would be required to install v6.0.2 on the restoration target
machine. You would also restore the database schema from the saved database dump. Depending on
the version you plan to restore, you may be required to install a new operating system, which
overwrites all data on the appliance. Consult the installation guide for your restoration version to
ensure you meet all system requirements for that version.
Back up the RSA Identity Governance and Lifecycle Application (Appliance and Soft-Appliance
Only)
This section outlines the steps to backup the RSA Identity Governance and Lifecycle configuration
settings so they can be restored if necessary.See Restore RSA Identity Governance and Lifecycle
for information on restoring an RSA Identity Governance and Lifecycle software backup.
Before You Begin the RSA Identity Governance and Lifecycle Backup
(Optional) Attach and mount an external drive to the installation host as desired for the backup.
Procedure
1. Stop all RSA Identity Governance and Lifecycle services:
Important: Keep the Backup<product-version>.tar file in a safe place where it can be accessed in
case you need to restore.
Procedure
1. Log in to the installation machine as the ‘admin’ user.
2. Stop services as described in Starting and Stopping RSA Identity Governance and Lifecycle
Services, and stop the database as described in Starting and Stopping the Oracle Database and
Oracle Services.
l 6.x backup: If you are restoring a backup from version 6.x or a maintenance release of 6.x and
a version of 6.x is already installed on the machine, go directly to Step 4.
If you are restoring a backup of 6.x on a machine that does not have version 6.x installed,
install 6.x before you restore, and then go to Step 4.
l Pre-6.x version backup: If you are restoring a backup from a pre-6.x version:
a. Uninstall v6.x (if it is installed) as described in Uninstalling RSA Identity Governance and
Lifecycle.
cd /home/oracle
tar xvf path/Backup<version>.tar Aveksa_System.cfg
c. Install the version you want to restore before you restore, and then go to Step 4. See the
installation guide for the version for version requirements, including operating system
requirements.
4. Copy the Backup<version>.tar file from the off-appliance drive where you copied the backup
to the following directory:
/home/oracle/AveksaExportImportDir
6. Enter the following command to restore the RSA Identity Governance and Lifecycle deployment:
sudo ./acm_restore.sh
7. Import a database dump corresponding to the version of the RSA Identity Governance and
Lifecycle software dump you just restored. See Importing AVUSER Schema/Data for a
Database Restoration/Load for more information.
9. Restart the database as described in Starting and Stopping the Oracle Database and Oracle
Services.
10. Start services as described in Starting RSA Identity Governance and Lifecycle Services.
l AVDWUSER
l ACMDB
l SYS
With the exception of SYS, which is a default Oracle database user, an appliance installation
creates these users with default passwords after the Oracle database is installed. In a customer-
supplied database installation scenario, the passwords are defined for the database users by the
DBA.
RSA Identity Governance and Lifecycle stores database user passwords encrypted. Database user
information is stored in the following locations:
l Aveksa_System.cfg — Stores high-level information about the RSA Identity Governance and
Lifecycle environment and the users used to access and work with RSA Identity Governance and
Lifecycle.
If you are required to change the password for a database user, it must first be changed within the
database before you change it in RSA Identity Governance and Lifecycle files. Repeat the following
procedure for each database user whose password you want to change. The AVUSER database user
is used as an example in the following procedure.
Procedure:
1. As the oracle user, change the database user password in the database using the following
SQL command syntax:
alter user AVUSER identified by <a_cleartext_password>;
2. As the oracle user, update the password property with the cleartext password you want to change
for the database user in /home/oracle/Aveksa_System.cfg. Remove the braces ( { } )when you
set the cleartext password unless they are actually part of the password.
AVUSER AVEKSA_PASS
AVDWUSER AVEKSA_REPORTS_PASS
ACMDB AVEKSA_PUBLIC_DB_PASS
PERFSTAT AVEKSA_AVPERF_PASS
SYS SYS_PASS
3. As the root user, encrypt the password by running the following command for the database user
from the /home/oracle/deploy directory:
./generateLoginKey.sh <avuser|avdwuser|acmdb|perfstat|sys>
Note: If logged in as the oracle user, preface the command with sudo (as in, sudo
./generateLoginKey.sh . . . .)
4. As the oracle user, update the security domain name under security subsystem with the encrypted
password you want to change in $AVEKSA_WILDFLY_
HOME/standalone/configuration/aveksa-standalone-full.xml:
AVUSER EncryptedPassword-AVDB
EncryptedPassword-WPDS
AVDWUSER EncryptedPassword-
AVDWDB
ACMDB EncryptedPassword-
ACMDB
PERFSTAT EncryptedPassword-
AVPERF
5. As the oracle user, restart RSA Identity Governance and Lifecycle to apply your changes:
acm restart
Procedure
Update the occurrences of perfstat username with the new username value in the following file:
/home/oracle/wildfly/standalone/configuration/aveksa-standalone-full.xml
Search for instances of the EncryptAVPERFPassword in the file. Change the username field with
the configured user for statspack. For example:
<application-policy name="EncryptAVPERFPassword">
<authentication>
<login-module
code="org.wildfly.resource.security.SecureIdentityLoginModule"
flag="required">
<module-option name="username">MyStatsUserName</module-option>
<module-option name="password">-91f121c430503dd</module-option>
<module-option
name="managedConnectionFactoryName">wildfly.jca:service=LocalTxCM,na
me=avdb</module-option>
</login-module>
</authentication>
</application-policy>
You can also create a heap dump file at any time using the following commands:
service aveksa_server heap-dump — Creates a heap dump in /home/oracle directory.
service aveksa_server heap-dump-force — Forces the creation of a heap dump file in an
unresponsive process.
l Longer database statistics runs (as this table will be eligible for periodic statistics compilations)
Admin > Monitoring > Action button — Provides multiple data run deletion options. For more
information, see Prune the Statistics Table from the Monitoring Page.
Note: For more information on managing data runs, see the Help topic, "Managing Data Runs."
Procedure:
1. Go to Admin > Monitoring.
2. From the Action button, select the run deletion option you want to use to prune the statistics
table.
l modifynetworksettings.sh
You can run the scripts as root or as admin using the “sudo” command. For either or both
modifications, you must reboot the system for the changes to take effect.
Important: modifyhostname.sh requires the server to be stopped (service aveksa_server stop), but
Oracle must be running (service aveksa_server startoracle) if it is installed..
sudo modifyhostname.sh <hostname.domain name> // if running as admin
modifyhostname.sh <hostname.domain name> // if running as root
Important: modifynetworksettings.sh requires the server and oracle to be stopped (service aveksa_
server stop and service aveksa_server stoporacle).
sudo modifynetworksettings.sh <newIP> <newNetmask> <newGateway> // If
running as admin
modifynetworksettings.sh <newIP> <newNetmask> <newGateway> // If running as
root
Note: RSA recommends that you back up your database and any other data that may be lost during
the uninstallation process. This may include any localized files you have changed, keystores with
installed certificates, or configuration files that were modified.
Procedure
1. Log in to the installation machine as the ‘root’ user.
2. Stop all RSA Identity Governance and Lifecycle and Oracle services. See Stopping RSA Identity
Governance and Lifecycle Services and Starting and Stopping the Oracle Database and Oracle
Services for more information.
You can check results of the uninstall process in the uninstall log file in the /tmp directory. For
example:
/tmp/aveksa-uninstall.log.Dec-21-2011.07.42.26
RSA provides a sample authentication source that can be used for a demonstration or testing
installation that takes any known user name in the system with any password provided. The test
authentication module is often used to simplify the process of testing with large numbers of users.
The test module is associated with an identity collector that collects the identities into the system.
To set up the authentication module, you must create an authentication source. The JAAS module
required for the authentication source is pre-configured in the application server. This section
demonstrates how to create the authentication source named “TestAuthProvider.” You can use any
name, and you can create multiple test authentication modules for different Identity collectors.
You must restart RSA Identity Governance and Lifecycle after you configure the test authentication
module.
Procedure
Use the following SQL commands to insert the test authentication source, TestAuthProvider, into
database (the commands should be issued from the user: avuser):
INSERT INTO T_AUTH_CONFIGURATIONS
(ID, IDC_ID, AUTH_PROVIDER_NAME, AUTH_CONFIGURED_PROPERTIES,AUTH_PROVIDER_
TYPE,AUTH_PROVIDER_CLASS)
VALUES(AUTH_CONFIGURATION_SEQUENCE.nextval, 1, 'TestAuthenticator',
'<?xml version="1.0" encoding="UTF-8"?><properties></properties>',
'TestAuthProviderType',
'com.aveksa.server.authentication.TestLoginModule');
The example SQL configures the authentication source associated with the Identity collector with
IDC_ID = 1. This assumes the identity collector identified by IDC = 1, which is typically the first
identity collector configured in your environment. It may not be the correct ID for the collector you
want to associate with the test authentication module in your environment. Therefore, you should run
the SQL above with the IDC_ID of the collector you choose to associate with the authentication
module.
To get a list of the identity collectors and their IDs, run the following SQL:
select ID, Name from T_DATA_Collectors where collector_
type='DBIdentityCollector';
Note: You must restart RSA Identity Governance and Lifecycle after you configure the test
authentication module
l Localization Configuration
l https://<machine>:9443/aveksa/main
The ports referenced are typical default ports for WebSphere. These may vary. In that case, consult
the WebSphere administrator who installed the RSA Identity Governance and Lifecycle software for
the correct ports.
Procedure
1. Set up a working directory, “new_ear” for example.
3. Create a temporary ear directory, “ear_dir” for example, in the working directory.
197
Installation Guide
4. Create a temporary war directory, “war_dir” for example, in the working directory.
7. Complete any modification/changes to the files within the ear_dir or war_dir directories.
For example, if you created your database instance with non-default names (for AVUSER,
AVDWUSER, etc) or non-default database tablespace names, then you need to edit Aveksa_
System.cfg file to add the appropriate values to the aveksa.ear.
The aveksa.ear in the working directory now has been updated with the changes. You can now
specify the path for your modified ear for deployment updates. For example:
new_ear/aveksa.ear
10. Make sure the .ear file has read permissions for the account ID (for example, wasadmin) that
will need to open it.
Procedure
1. Log in to RSA Identity Governance and Lifecycle.
2. Click the Admin menu and select Monitoring to determine whether tasks are running.
Wait until all tasks have completed before proceeding with the upgrade.
198
Installation Guide
You do not need to open the port on any firewalls, but you must configure the port as described in
this task.
In a cluster, perform this task for each server.
Procedure
1. In the WebSphere console, click Servers > Server types > WebSphere application servers >
Select server.
2. Create a new Web container. Click Container Settings > Web Container Settings > Web
container transport chains > New.
l Host *
l Port: 8080
6. From the Environment menu, click Virtual Hosts > Default_host > Host Aliases > New.
l Host *
l Port: 8080
9. Restart the application server for the port changes to take effect.
Localization Configuration
RSA Identity Governance and Lifecycle can be localized to English, French, and German. By
default, the RSA Identity Governance and Lifecycle user interface is set to the language to which
your internet browser is set. This section describes how to create your own custom localization files
for additional languages.
Procedure
1. Translate the contents of the following file to the language you want to provide as a localization
option:
199
Installation Guide
aveksa.ear/aveksa.war/WEB-INF/classes/com/aveksa/gui
/strings.properties
where
XX is the ISO-639 two-letter code of the language you want to use. The following table contains
examples of the codes:
de German
fr French
ja Japanese
ko Korean
zh Chinese
3. Modify the Aveksa ear file with the additional localization file and then redeploy the file into the
application server and restart the server. For more information, see Modifying the Enterprise
Archive.
Note: Custom localization files are deleted when you upgrade system software. Therefore, before
you upgrade you must save any custom files to a location that is not on the system. Also, you must
update the translation as new strings are introduced to the product between releases. Localization of
online help is not currently supported.
l RSA Identity Governance and Lifecycle reporting engine user. The default name is
AVDWUSER.
l RSA Identity Governance and Lifecycle public database schema user. The default name is
ACMDB.
200
Installation Guide
Procedure
1. Open the aveksa.ear/aveksa.war/WEB-INF/Aveksa_System.cfg file for editing.
2. Replace the default (or previously specified non-default) name value with the names configured
for the database:
AVEKSA_USER=AVUSER
AVEKSA_REPORTS_USER=AVDWUSER
AVEKSA_PUBLIC_DB_USER=ACMDB
3. Modify and redeploy the Aveksa ear file with the changes you made to the Aveksa_System.cfg
file. See Modifying the Enterprise Archive for more information.
l DATA_1M
l DATA_25M
l DATA_50M
l INDX_256K
l INDX_1M
l INDX_25M
l INDX_50M
l DEFAULT_TABLESPACE
l TEMP_TABLESPACE
If non-default names are configured in the database, you must update the Aveksa_System.cfg file
and modify and redeploy the aveksa ear file.
201
Installation Guide
Procedure
1. Open the aveksa.ear/aveksa.war/WEB-INF/Aveksa_System.cfg file.
l DATA1_TABLESPACE=DATA_256K
l DATA2_TABLESPACE=DATA_1M
l DATA3_TABLESPACE=DATA_25M
l DATA4_TABLESPACE=DATA_50M
l INDX1_TABLESPACE=INDX_256K
l INDX2_TABLESPACE=INDX_1M
l INDX3_TABLESPACE=INDX_25M
l INDX4_TABLESPACE=INDX_50M
3. Designate a tablespace for the DEFAULT_TABLESPACE variable and, optionally, one for the
TEMP_TABLESPACE variable:
1. DEFAULT_TABLESPACE= DATA_1M
2. TEMP_TABLESPACE=TEMP
If, for example, you created 2 tablespaces for indexes (small, large) and 2 Tablespaces for data
(small, large) you might have an Aveksa_System.cfg that looks like this:
l DATA1_TABLESPACE=ACM_DATA_SMALL
l DATA2_TABLESPACE=ACM_DATA_SMALL
l DATA3_TABLESPACE=ACM_DATA_LARGE
l DATA4_TABLESPACE=ACM_DATA_LARGE
l INDX1_TABLESPACE=ACM_INDEX_SMALL
l INDX2_TABLESPACE=ACM_INDEX_SMALL
l INDX3_TABLESPACE=ACM_INDEX_LARGE
l INDX4_TABLESPACE=ACM_INDEX_LARGE
l DEFAULT_TABLESPACE=ACM_DATA_LARGE
202
Installation Guide
l AVDWUSER
l ACMDB
Procedure
1. From the Security menu, select, Global Security
2. Under Authentication, expand Java Authentication and Authorization Service and select J2C
authentication data.
l (Cluster) cells=MyCluster
4. Under the Class Loading section, select Use an isolated class loader for this shared library.
203
Installation Guide
3. Under the References section, click the Shared library references link.
4. Select the aveksa application, and then click Reference shared libraries.
5. On the Shared Library Mapping page, select Aveksa Shared Library from the Available list and
move it to the Selected list.
Procedure
1. Download the following files from RSA SecureCare Online:
l PatchInfo.txt: Contains information on the fixes provided by the patch and any prerequisites
that must be met before you install it.
l Patch_<version>_Release_Notes.pdf
204
Installation Guide
Procedure
1. From the Applications menu, select Enterprise Applications.
2. Select aveksa.
4. Click Uninstall.
RSA provides a sample authentication source that can be used for a demonstration or testing
installation that takes any known user name in the system with any password provided. The test
authentication module is often used to simplify the process of testing with large numbers of users.
The test module is associated with an identity collector that collects the identities into the system.
To set up the authentication module, you must create an authentication source. The JAAS module
required for the authentication source is pre-configured in the application server. This section
demonstrates how to create the authentication source named “TestAuthProvider.” You can use any
name, and you can create multiple test authentication modules for different Identity collectors.
You must restart RSA Identity Governance and Lifecycle after you configure the test authentication
module.
Procedure
Use the following SQL commands to insert the test authentication source, TestAuthProvider, into
database (the commands should be issued from the user: avuser):
INSERT INTO T_AUTH_CONFIGURATIONS
(ID, IDC_ID, AUTH_PROVIDER_NAME, AUTH_CONFIGURED_PROPERTIES,AUTH_PROVIDER_
TYPE,AUTH_PROVIDER_CLASS)
VALUES(AUTH_CONFIGURATION_SEQUENCE.nextval, 1, 'TestAuthenticator',
'<?xml version="1.0" encoding="UTF-8"?><properties></properties>',
'TestAuthProviderType',
'com.aveksa.server.authentication.TestLoginModule');
205
Installation Guide
The example SQL configures the authentication source associated with the Identity collector with
IDC_ID = 1. This assumes the identity collector identified by IDC = 1, which is typically the first
identity collector configured in your environment. It may not be the correct ID for the collector you
want to associate with the test authentication module in your environment. Therefore, you should run
the SQL above with the IDC_ID of the collector you choose to associate with the authentication
module.
To get a list of the identity collectors and their IDs, run the following SQL:
select ID, Name from T_DATA_Collectors where collector_
type='DBIdentityCollector';
Note: You must restart RSA Identity Governance and Lifecycle after you configure the test
authentication module
206
Installation Guide
l Restarting WebLogic
l Localization Configuration
l Changing Database User Schema Names in RSA Identity Governance and Lifecycle
http://<machine>:7001/aveksa/main
Procedure
1. From the menu, select Deployments.
Aveksa should be listed as an installed application.
207
Installation Guide
2. Select the checkbox beside the application and click the stop and start buttons to restart the
application.
Restarting RSA Identity Governance and Lifecycle restarts the local agent as well.
Procedure
1. Log in to RSA Identity Governance and Lifecycle.
2. Access the Monitoring feature under the Admin tab to determine whether tasks are running.
Wait until all tasks have completed before proceeding with the upgrade.
Restarting WebLogic
Use the WebLogic startWeblogic.sh script to start WebLogic, and use the stopWeblogic.sh script to
stop WebLogic. The scripts are located in the following directory:
$WEBLOGIC_HOME/user_projects/domains/aveksaDomain/bin
Procedure
1. Set up a working directory, “new_ear” for example.
3. Create a temporary ear directory, "ear_dir" for example, in the working directory.
208
Installation Guide
Procedure
1. Log on to the WebLogic console.
3. For each server where RSA Identity Governance and Lifecycle is installed, click the server
name and go to Protocol Tab > Channels > New.
l Name: Aveksa8080
l Protocol: http
Localization Configuration
RSA Identity Governance and Lifecycle can be localized to English, French, and German. By
default, the RSA Identity Governance and Lifecycle user interface is set to the language to which
your internet browser is set. This section describes how to create your own custom localization files
for additional languages.
Procedure
1. Translate the contents of the following file to the language you want to provide as a localization
option:
209
Installation Guide
aveksa.ear/aveksa.war/WEB-INF/classes/com/aveksa/gui
/strings.properties
de German
fr French
ja Japanese
ko Korean
zh Chinese
3. Modify the Aveksa ear file with the additional localization file and then redeploy the file into the
application server and restart the server. See Modifying the Enterprise Archive for more
information.
Note: Custom localization files are deleted when you upgrade system software. Therefore you must
save any files you create off the system before you upgrade. Also, you must update the translation as
new strings are introduced to the product between releases. Localization of online help is not
currently supported.
Changing Database User Schema Names in RSA Identity Governance and Lifecycle
This section describes how to change the RSA Identity Governance and Lifecycle database user
schema names for the following authentication users if the names in the database have changed:
l RSA Identity Governance and Lifecycle user. The default name is AVUSER.
l RSA Identity Governance and Lifecycle reporting engine user. The default name is
AVDWUSER.
l RSA Identity Governance and Lifecycle public database schema user. The default name is
ACMDB.
Procedure
1. Open the aveksa.ear/aveksa.war/WEB-INF/Aveksa_System.cfg file for editing.
2. Replace the default (or previously specified non-default) name value with the names configured
for the database:
210
Installation Guide
AVEKSA_USER=AVUSER
AVEKSA_REPORTS_USER=AVDWUSER
AVEKSA_PUBLIC_DB_USER=ACMDB
3. Modify and redeploy the Aveksa ear file with the changes you made to the Aveksa_System.cfg
file. See Modifying the Enterprise Archive for more information.
l DATA_1M
l DATA_25M
l DATA_50M
l INDX_256K
l INDX_1M
l INDX_25M
l INDX_50M
l DEFAULT_TABLESPACE
l TEMP_TABLESPACE
If non-default names are configured in the database, you must update the Aveksa_System.cfg file
and modify and redeploy the aveksa ear file.
Procedure
1. Open the aveksa.ear/aveksa.war/WEB-INF/Aveksa_System.cfg file.
l DATA1_TABLESPACE=DATA_256K
l DATA2_TABLESPACE=DATA_1M
l DATA3_TABLESPACE=DATA_25M
l DATA4_TABLESPACE=DATA_50M
211
Installation Guide
l INDX1_TABLESPACE=INDX_256K
l INDX2_TABLESPACE=INDX_1M
l INDX3_TABLESPACE=INDX_25M
l INDX4_TABLESPACE=INDX_50M
3. Designate a tablespace for the DEFAULT_TABLESPACE variable and, optionally, one for the
TEMP_TABLESPACE variable:
l DEFAULT_TABLESPACE= DATA_1M
l TEMP_TABLESPACE=TEMP
If, for example, you created 2 tablespaces for indexes (small, large) and 2 Tablespaces for data
(small, large) you might have an Aveksa_System.cfg that looks like this:
l DATA1_TABLESPACE=ACM_DATA_SMALL
l DATA2_TABLESPACE=ACM_DATA_SMALL
l DATA3_TABLESPACE=ACM_DATA_LARGE
l DATA4_TABLESPACE=ACM_DATA_LARGE
l INDX1_TABLESPACE=ACM_INDEX_SMALL
l INDX2_TABLESPACE=ACM_INDEX_SMALL
l INDX3_TABLESPACE=ACM_INDEX_LARGE
l INDX4_TABLESPACE=ACM_INDEX_LARGE
l DEFAULT_TABLESPACE=ACM_DATA_LARGE
l AVDWUSER
l ACMDB
212
Installation Guide
Procedure
1. Edit a JDBC data source for AVDB (Services > Data Sources).
Procedure
1. Open the hibernate-cfg.xml file that is located in the aveksa.war/WEB-INF directory path.
2. Replace the principle user value, “aveksaUser” and the default principle user password,
“Aveksa123,” with the new values you specified for the security realm in the following lines:
<property
name="hibernate.jndi.java.naming.security.principal">aveksaUser<
/property>
<property
name="hibernate.jndi.java.naming.security.credentials">Aveksa123
</property>
4. Open the weblogic.xml file that is located in the aveksa.war/WEB-INF directory path.
5. Change the principle user value from “aveksaUser” to the user you have defined in your security
realm.
<run-as-role-assignment>
<role-name>acmUsers</role-name>
<run-as-principal-name>aveksaUser</run-as-principal-name>
</run-as-role-assignment>
213
Installation Guide
7. Recreate the RSA Identity Governance and Lifecycle EAR and redeploy the EAR.
Procedure
1. Download the following files from RSA SecureCare Online:
l PatchInfo.txt: Contains information on the fixes provided by the patch and any prerequisites
that must be met before you install it.
l Patch_<version>_Release_Notes.pdf
Procedure
1. Open the Administrative Console.
4. Click Delete.
214
Installation Guide
RSA provides a sample authentication source that can be used for a demonstration or testing
installation that takes any known user name in the system with any password provided. The test
authentication module is often used to simplify the process of testing with large numbers of users.
The test module is associated with an identity collector that collects the identities into the system.
To set up the authentication module, you must create an authentication source. The JAAS module
required for the authentication source is pre-configured in the application server. This section
demonstrates how to create the authentication source named “TestAuthProvider.” You can use any
name, and you can create multiple test authentication modules for different Identity collectors.
You must restart RSA Identity Governance and Lifecycle after you configure the test authentication
module.
Procedure
Use the following SQL commands to insert the test authentication source, TestAuthProvider, into
database (the commands should be issued from the user: avuser):
INSERT INTO T_AUTH_CONFIGURATIONS
(ID, IDC_ID, AUTH_PROVIDER_NAME, AUTH_CONFIGURED_PROPERTIES,AUTH_PROVIDER_
TYPE,AUTH_PROVIDER_CLASS)
VALUES(AUTH_CONFIGURATION_SEQUENCE.nextval, 1, 'TestAuthenticator',
'<?xml version="1.0" encoding="UTF-8"?><properties></properties>',
'TestAuthProviderType',
'com.aveksa.server.authentication.TestLoginModule');
The example SQL configures the authentication source associated with the Identity collector with
IDC_ID = 1. This assumes the identity collector identified by IDC = 1, which is typically the first
identity collector configured in your environment. It may not be the correct ID for the collector you
want to associate with the test authentication module in your environment. Therefore, you should run
the SQL above with the IDC_ID of the collector you choose to associate with the authentication
module.
To get a list of the identity collectors and their IDs, run the following SQL:
select ID, Name from T_DATA_Collectors where collector_
type='DBIdentityCollector';
215
Installation Guide
3
7
Next, check the name, status, and type of those IDC_IDs to provide more information when
determining the appropriate IDC to configure using the list of IDC_ID's from the previous step. For
example:
select name, id, collector_type, status from t_data_collectors where id in
(3, 7);
NAME ID COLLECTOR_TYPE STATUS
----------------------- ---- ------------------------- ---------
Corp Ent User Collector 3 DBIdentityCollector Active
External Services Coltr 7 LdapIdentityCollector Active
So if you decide to configure the test authentication module against the corporate users from
Collector ID 3, specify that value for the IDC_ID in the SQL as shown below:
INSERT INTO T_AUTH_CONFIGURATIONS
(ID, IDC_ID, AUTH_PROVIDER_NAME,
AUTH_CONFIGURED_PROPERTIES,AUTH_PROVIDER_TYPE,AUTH_PROVIDER_CLASS)
VALUES(AUTH_CONFIGURATION_SEQUENCE.nextval, 3, 'TestAuthenticator',
'<?xml version="1.0" encoding="UTF-8"?><properties></properties>',
'TestAuthProviderType',
'com.aveksa.server.authentication.TestLoginModule');
Note: You must restart RSA Identity Governance and Lifecycle after you configure the test
authentication module
Note: If the installation failed and you must uninstall RSA Identity Governance and Lifecycle, see
Uninstalling for instructions.
216