Professional Documents
Culture Documents
Installation Guide
7.2.1
Contact Information
RSA Link at https://community.rsa.com contains a knowledgebase that answers common questions and
provides solutions to known problems, product documentation, community discussions, and case management.
Trademarks
RSA, RSA Security, the RSA Logo, and other trademarks, are trademarks of RSA Security LLC or its affiliates.
Other trademarks may be trademarks of their respective owners. For a list of RSA trademarks, go to
https://www.rsa.com/en-us/company/rsa-trademarks.
License agreement
This software and the associated documentation are proprietary and confidential to RSA Security LLC or its
subsidiaries, are furnished under license, and may be used and copied only in accordance with the terms of
such license and with the inclusion of the copyright notice below. This software and the documentation, and any
copies thereof, may not be provided or otherwise made available to any other person.
No title to or ownership of the software or documentation or any intellectual property rights thereto is hereby
transferred. Any unauthorized use or reproduction of this software and the documentation may be subject to
civil and/or criminal liability.
This software is subject to change without notice and should not be construed as a commitment by RSA
Security.
Third-party licenses
This product may include software developed by parties other than RSA. The text of the license agreements
applicable to third-party software in this product may be viewed by launching the RSA Identity Governance and
Lifecycle product and selecting the About menu. By using this product, a user of this product agrees to be fully
bound by terms of the license agreements.
Distribution
Use, copying, and distribution of any RSA Security software described in this publication requires an applicable
software license.
RSA Security LLC believes the information in this publication is accurate as of its publication date. The
information is subject to change without notice.
THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." RSA SECURITY LLC MAKES NO
REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS
PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A
PARTICULAR PURPOSE.
Contents
Preface 12
Documentation Set 12
Port Requirements 15
Font Requirement 18
Required Packages 19
Font Requirement 20
Font Requirement 21
3
RSA Identity Governance and Lifecycle Installation Guide 7.2.1
Font Requirement 23
Font Requirement 24
Apply the Latest Operating System and Database Patch Updates to an Appliance 28
Error Messages 31
Using a Signed Certificate for HTTPS Access to RSA Identity Governance and Lifecycle 32
Step 4: Import a Signed Server Certificate into the RSA Identity Governance and Lifecycle Keystore35
4
RSA Identity Governance and Lifecycle Installation Guide 7.2.1
Error Messages 46
Configure Datasources 47
Using a Signed Certificate for HTTPS Access to RSA Identity Governance and Lifecycle 48
Step 4: Import a Signed Server Certificate into the RSA Identity Governance and Lifecycle Keystore51
Download and Install the RSA Identity Governance and Lifecycle Virtual Application OVA 53
Apply the Latest Operating System and Database Patch Updates to a Virtual Application 58
Error Messages 60
Configure Datasources 61
Using a Signed Certificate for HTTPS Access to RSA Identity Governance and Lifecycle 62
Step 4: Import a Signed Server Certificate into the RSA Identity Governance and Lifecycle Keystore65
5
RSA Identity Governance and Lifecycle Installation Guide 7.2.1
Configure JVM Settings 73
Install RSA Identity Governance and Lifecycle Using the Aveksa EAR File 81
Error Messages 86
Configure SSL for Internal Communication Between RSA Identity Governance and Lifecycle Components 87
Configure SSL for External Communications (Browser or Web Services to RSA Identity Governance and
Lifecycle) 89
6
RSA Identity Governance and Lifecycle Installation Guide 7.2.1
Configure WebLogic JVM Settings for RSA Identity Governance and Lifecycle 99
Configure JVM Settings 99
Install RSA Identity Governance and Lifecycle Using the Aveksa EAR File 106
Configure SSL for Internal Communication Between RSA Identity Governance and Lifecycle
Components 111
Import the RSA Identity Governance and Lifecycle Certificates into the WebLogic Keystores 112
To import the private key and the trusted certificate into the same keystore 113
Configure SSL for External Communications (Browser or Web Services to RSA Identity Governance
and Lifecycle) 114
Check Security Settings for RSA Identity Governance and Lifecycle 117
7
RSA Identity Governance and Lifecycle Installation Guide 7.2.1
Storage 119
Processor 120
Nproc Limits for Oracle User (Downloaded Server or Remote Machine) 121
Install the AFX Server on an Appliance or a Software Bundle Server Using the Installation Script 122
Install the AFX Server from a Downloaded Local AFX Server 122
Install an Additional New AFX Server Instance on a Non-RSA Identity Governance and Lifecycle Host 123
Install the AFX Server Using an Archive Downloaded from RSA Identity Governance and Lifecycle 123
Keytool 130
Ciphers 130
8
RSA Identity Governance and Lifecycle Installation Guide 7.2.1
Migrate the RSA Identity Governance and Lifecycle Server Certificate to SHA-256 134
Overview 137
Installation 138
Start Up 139
Runtime 140
Overview 145
Deployment 145
Start Up 146
Runtime 150
Overview 151
Deployment 152
Start Up 153
Runtime 155
Start Up 156
9
RSA Identity Governance and Lifecycle Installation Guide 7.2.1
Get the Operating System Installation Software and Create the Installation DVD 169
Starting and Stopping RSA Identity Governance and Lifecycle Services 177
Starting and Stopping the Oracle Database and Oracle Services 177
Backing Up and Restoring RSA Identity Governance and Lifecycle Software 178
Modifying the RSA Identity Governance and Lifecycle Enterprise Archive 188
10
RSA Identity Governance and Lifecycle Installation Guide 7.2.1
Check for Running Tasks in RSA Identity Governance and Lifecycle 189
Changing Database User Names in RSA Identity Governance and Lifecycle 191
Changing Database Tablespace Names in RSA Identity Governance and Lifecycle 191
Changing Database User Passwords in RSA Identity Governance and Lifecycle 192
Updating RSA Identity Governance and Lifecycle on WebSphere with a Patch 193
Starting and Stopping RSA Identity Governance and Lifecycle in WebLogic 196
Check for Running Tasks in RSA Identity Governance and Lifecycle 196
Modifying the RSA Identity Governance and Lifecycle Enterprise Archive 197
Changing Database User Schema Names in RSA Identity Governance and Lifecycle 198
Changing Database Tablespace Names in RSA Identity Governance and Lifecycle 199
Changing Database User Passwords in RSA Identity Governance and Lifecycle 200
Updating RSA Identity Governance and Lifecycle on WebLogic with a Patch 201
11
RSA Identity Governance and Lifecycle Installation Guide 7.2.1
Preface
This guide provides instructions for installing and configuring RSA Identity Governance and Lifecycle7.2.1. It is
intended for administrators and other trusted personnel.
Documentation Set
Document Description
Release Notes What's new in the release, fixed issues, known issues and workarounds.
Installation Guide Product installation instructions.
Upgrade and Migration Guide Instructions for upgrading your product version and data.
Database Setup and Management Instructions for setting up and managing a customer-supplied Oracle
Guide database for RSA Identity Governance and Lifecycle.
Instructions to set up and configure a WildFly application server cluster
Configuring WildFly Clusters
in an RSA Identity Governance and Lifecycle deployment.
Online Help All concepts and instructions you need to configure and use the product.
How to configure and manage RSA Identity Governance and Lifecycle.
Administrator's Guide
Contains a subset of the information provided in the Online Help.
Public Database Schema Reference The public view of the database schema.
You can also access the RSA Identity Governance and Lifecycle community at
https://community.rsa.com/community/products/governance-and-lifecycle/client-partner-community. This
private community is only available to RSA Identity Governance and Lifecycle customers, partners, and internal
RSA staff.
12 Preface
RSA Identity Governance and Lifecycle Installation Guide 7.2.1
Scenario Description
RSA-supplied hardware with all required components (operating system, database,
RSA Appliance application server and RSA Identity Governance and Lifecycle) pre-installed. Provides
an Oracle database.
RSA Identity Governance and Lifecycle software installed on customer-supplied
hardware that meets minimum physical requirements and runs a supported operating
system. The software bundle installation includes the application server and RSA
Software Bundle
Identity Governance and Lifecycle. It can also support an RSA-provided Oracle
database, or you can use your own Oracle database. This option is also commonly
referred to as the Soft Appliance.
RSA Identity Governance and Lifecycle OVA deployed on customer-supplied hardware
that meets minimum physical requirements. The virtual application installation
Virtual Application includes the application server and RSA Identity Governance and Lifecycle. Virtual
application installations require a customer-supplied database. RSA recommends that
the customer-supplied database runs on physical hardware.
An RSA Identity Governance and Lifecycle instance running as an application on a
WebSphere server. You deploy RSA Identity Governance and Lifecycle in your
WebSphere
environment, which includes other components that you supply, including a customer-
supplied Oracle database.
An RSA Identity Governance and Lifecycle instance running as an application on a
WebLogic server. You deploy RSA Identity Governance and Lifecycle in your
WebLogic
environment, which includes other components that you supply, including a customer-
supplied Oracle database.
AFX automates the access request fulfillment process by executing the fulfillments at
Access Fulfillment
the target endpoints. For AFX installation scenarios and information on installing AFX,
Express (AFX)
see AFX Installation.
For each scenario, this guide provides guidance for typical enterprise deployments up to 500 concurrent users,
up to 1000 applications, and up to 20 million entitlements.
RSA Identity Governance and Lifecycle supports WildFly application server clustering for the RSA Appliance and
Software Bundle, similar to previous releases for WebSphere and WebLogic installations. This support means
you can set up the following clustered scenarios:
l RSA Appliance. You can add multiple Software Bundles with an RSA Appliance. The Software Bundles
use an RSA-provided database on the RSA Appliance.
l Software Bundle. You can install multiple Software Bundles that use the same customer-supplied
database.
For more information, see the RSA Identity Governance and Lifecycle Solution Integration Guide: Configuring
Wildfly Clustering.
The RSA Identity Governance and Lifecycle Platform Datasheet and Support Matrix for each version is available
on RSA Link (https://community.rsa.com/). This document contains the most current details of the supported
environments and components, including supported browsers and browser configurations.
Note: Internet Explorer 11 using Compatibility View is not supported. Internet Explorer 11 running Enterprise
Mode cannot access RSA Identity Governance and Lifecycle.
Port Requirements
Port Use
21 FTP connections. Can be used to transfer collection data.
22 SSH connections
1158 Oracle Enterprise Manager Express
1555 Oracle Listener for the AVDB data source
Secure connection (using Secure Sockets Layer (SSL) and secure cookies)
8443
when you access RSA Identity Governance and Lifecycle. (default)
Secure communication between the RSA Identity Governance and Lifecycle
8444 application server and external components such as the remote agent and
AFX.
Internal communication. You might need to configure this port when RSA
Identity Governance and Lifecycle is installed on WebLogic or WebSphere.
8080
For more information, see Configuring Non-SSL Port Assignments for
WebLogic or Configuring Non-SSL Port Assignments for WebSphere.
An RSA Identity Governance and Lifecycle agent is software that runs on the data collection hosts and manages
the connection to RSA Identity Governance and Lifecycle. Agents may be required to be installed and configured
on remote machines due to network access restrictions that prevent the server-based agent from
communicating directly with data sources.
1. Configure the agent and RSA Identity Governance and Lifecycle to use SSL for secure communication.
For more information, see Check Settings for Secure Communication Ports (SSL/TLS).
2. Edit the agent configuration file to change the hostname from localhost to the hostname of the RSA
Identity Governance and Lifecycle server, or in a clustered environment, the System Operations Node
(SON).
You must provide your own database for WebLogic or WebSphere environments. In a software bundle or virtual
application deployment, you may either provide your own database or install the RSA-provided database on a
separate machine from the RSA Identity Governance and Lifecycle installation.
If you plan to use your own database, see the RSA Identity Governance and Lifecycle Database Setup and
Management Guide for instructions.
Note: RSA recommends installing the Oracle database on physical hardware rather than in a virtualized
environment. If you do install the database in a virtualized environment, ensure that the virtual machine is
marked dedicated and that the overall virtual machine server has sufficient memory and space. For more
information, reference Oracle's documentation about hosting a virtualized database.
Use the following table to record additional configuration parameters listed in the next table if your installation
meets any of the following conditions:
l You are installing a software bundle and the Oracle 12.1.0.2 database uses an Oracle Service Name that
is different than the Oracle SID.
l You are installing RSA Identity Governance and Lifecycle on WebLogic server.
l You are installing RSA Identity Governance and Lifecycle on WebSphere server.
Note: If you created the database instance with non-default names for the database users, you must use the
same usernames and passwords when prompted during installation.
The RSA Appliance contains RSA Identity Governance and Lifecycle pre-installed. Verify that you have all of the
necessary components.
RSA provided you with one of the following Dell server models: the R640 or R730.
l Power cord
l Ethernet cables (2)
l Bezel and rails
l Cat-5 network cables (2)
RSA Identity Governance and Lifecycle7.2.1 is pre-installed on the RSA Appliance. The following additional
software components are also pre-installed:
l Monitor
l Keyboard
l Crossover cable
Font Requirement
Before you install RSA Identity Governance and Lifecycle, ensure that DejaVu Fonts are available on the system.
RSA Identity Governance and Lifecycle requires these fonts for reporting.
Verify that the hardware on which you plan to install RSA Identity Governance and Lifecycle meets the hardware,
software, and network requirements listed in the following sections.
If you are installing Access Fulfillment Express (AFX), you need additional disk space for AFX software,
connectors, and log files. The following table lists the AFX requirements.
Note: If the AVEKSA_HOME and ORACLE_BASE partitions share the same volume, they require 20 GB disk
space in total.
Note: RSA Identity Governance and Lifecycle7.2.1 does not support Red Hat Enterprise Linux version 5.x or
6.x. Customers who have existing deployments on Red Hat Enterprise Linux 5.x must upgrade to a supported
operating system.
Note: RSA Identity Governance and Lifecycle software bundles using an RSA-supplied database do not support
automatic storage management (ASM).
Required Packages
Verify that required Oracle packages are installed on the same machine as the RSA Identity Governance and
Lifecycle software.
The following packages are required for Red Hat Enterprise Linux 7.2+ environments, and may need to be
explicitly installed in addition to the operating system.
l compat-libstdc++-33-3.2.3-72.el7.x86_64
l javapackages-tools
l bea-stax-api
l binutils-2.27-27.base.el7.x86_64
l compat-libcap1-1.10-7.el7.x86_64
l gcc-4.8.5-28.el7.x86_64
l gcc-c++-4.8.5-28.el7.x86_64
l glibc-2.17-222.el7.x86_64
l glibc-devel-2.17-222.el7.x86_64
l ksh
l libaio-0.3.109-13.el7.x86_64
l libaio-devel-0.3.109-13.el7.x86_64
l libgcc-4.8.5-28.el7.x86_64,libgcc
l libstdc++-4.8.5-28.el7.x86_64
l libstdc++-devel-4.8.5-28.el7.x86_64
l libXi-1.7.9-1.el7.x86_64
l libXtst-1.2.3-1.el7.x86_64
l make-3.82-23.el7.x86_64
l sysstat-10.1.5-13.el7.x86_64
l lcms2
l rhino
Font Requirement
Before you install RSA Identity Governance and Lifecycle, ensure that DejaVu Fonts are available on the system.
RSA Identity Governance and Lifecycle requires these fonts for reporting.
Verify that the environment in which you install the RSA Identity Governance and Lifecycle virtual application
meets the requirements listed in this section.
You can install the RSA Identity Governance and Lifecycle virtual application using VMware ESXi version 5.x or
higher.
Note: The following tables describe the minimum requirements for the virtual application. The hardware on
which the virtual application is deployed should exceed these minimums to ensure proper performance.
If you are installing Access Fulfillment Express (AFX), you need additional disk space for AFX software,
connectors, and log files. The following table lists the AFX requirements.
Note: If the /home partitions share the same volume, they require 7.2 GB disk space in total.
Virtual application deployments require the Oracle database to be installed on a separate machine. For more
information, see Database Requirements for the Virtual Application on page 21.
l Supply your own database that meets the requirements described in the RSA Identity Governance and
Lifecycle Database Setup and Management Guide.
l If licensed, download the RSA-provided database-only installation file RSA_IGL_
DatabaseOnly.tar.bz2 from RSA Link, which creates a standalone Oracle database server that is
configured with the appropriate tablespace, users, and schema for RSA Identity Governance and
Lifecycle.
The RSA-provided standalone database must be installed on a machine running the SLES 12 SP2, SP3,
or SP4, or RHEL 7.2+ operating systems.
Font Requirement
Before you install RSA Identity Governance and Lifecycle, ensure that DejaVu Fonts are available on the system.
RSA Identity Governance and Lifecycle requires these fonts for reporting.
The WebSphere application server where you install or upgrade RSA Identity Governance and Lifecycle must
meet the following requirements.
Component Requirement
Either of the following:
WebSphere Version
l IBM WebSphere Application Server Edition 8.5.5.x or 9.0
Component Requirement
l IBM WebSphere Application Server Network Deployment Edition 8.5.5.x or 9.0
Production minimum requirement: 32 GB
RAM Note: You must allocate at least 8 GB of RAM to the RSA Identity Governance and
Lifecycle server.
Operating System An operating system that supports WebSphere
An Oracle 12.1.0.2 instance configured to support RSA Identity Governance and
Lifecycle.
For more information about database requirements, see Verify Prerequisites for a
Database
Customer-Supplied Database on page 16.
l The application server instances (nodes) must have the configured Java language as en_US.
l RSA recommends that the RSA Identity Governance and Lifecycle application is the sole application
running on a server instance to ensure that the memory requirements are met.
l In a clustered environment, each node must be on a separate machine.
l In a clustered environment, each node must have a unique name. The display name of the server
instance in WebSphere is used as the unique node name in RSA Identity Governance and Lifecycle.
l Machine name
l Node name
l Server name
l Bootstrap address
Font Requirement
Before you install RSA Identity Governance and Lifecycle, ensure that DejaVu Fonts are available on the system.
RSA Identity Governance and Lifecycle requires these fonts for reporting.
The WebLogic application server where you install or upgrade RSA Identity Governance and Lifecycle must meet
the following requirements.
Component Requirement
WebLogic Version 12.1.x or 12.2.x
Production environment: 32 GB
RAM Note: You must allocate at least 8 GB of RAM to the RSA Identity Governance and
Lifecycle server.
Operating System An operating system that supports WebLogic
An Oracle 12.1.0.2 instance configured to support RSA Identity Governance and
Lifecycle.
For more information about database requirements, see Verify Prerequisites for a
Database
Customer-Supplied Database on page 16.
For information about configuring the customer-supplied database, see the Database
Setup and Management Guide.
Disk Space 600 MB available for RSA Identity Governance and Lifecycle
Java Oracle JDK 1.7 (supported, but deprecated) or 1.8 (recommended)
AVUSER password:
ACMDB password:
AVDWUSER password:
AVPERF username/password:
Oracle Database SID:
Oracle Host listener:
Oracle Listener Port:
Distribution path for RSA software:
In a clustered environment, the following information is also required for each node in the cluster.
You can see the server information in the WebLogic Administration Console under Environment > Servers.
l The application server instances (nodes) must have the configured Java language as en_US.
l RSA recommends that the RSA Identity Governance and Lifecycle application is the sole application
running on a server instance to ensure that the memory requirements are met.
l In a clustered environment, each node must be on a separate machine.
l In a clustered environment, each node must have a unique name. The display name of the server
instance in WebLogic is used as the unique node name in RSA Identity Governance and Lifecycle.
l In a clustered environment, record the following information for each node:
Font Requirement
Before you install RSA Identity Governance and Lifecycle, ensure that DejaVu Fonts are available on the system.
RSA Identity Governance and Lifecycle requires these fonts for reporting.
We no longer provide hard appliance with the Red Hat operating system. All our hard appliances are
preconfigured and shipped with SUSE (SLES 12) OS. Please contact support for EOPS Policy and extended
support.
Verify the hardware, software, and database requirements described in Chapter 2, Installation Prerequisites.
Procedure
1. Using the provided rack and bezel, install the appliance hardware in a secure area.
2. Attach a keyboard and monitor to the appliance.
3. Plug in and power on the appliance.
Note: The operating system is pre-installed on the RSA Appliance. If you need to re-install and configure the
SUSE operating system, see the Operating System Installation Overview section in Appendix C.
Refer to the Appliance Network Configuration sheet that shipped with the appliance for this information. You
may still need, or want, to modify this configuration information.
Procedure
1. Log on to the appliance in one of the following ways:
l Log on using the iDRAC IP address listed on the Appliance Network Configuration sheet.
l Log on and change the default password as follows:
a. At the login as prompt, enter admin.
b. At the password prompt, enter the password provided with the appliance.
c. Change the password after your initial login. Enter
where <new password> is the new password that you want to use for the admin account.
b. Log on as root.
c. Stop the RSA Identity Governance and Lifecycle service. Enter
The modifyhostname.sh script re-creates the server-side certificates with the new hostname. If
the installation includes the AFX module, you must re-create its client certificates to include the
new hostname. For more information, see Change an AFX Server SSL Certificate in the Help.
where <ns1> is the first name server and <ns2> is the backup name server.
cat /etc/resolv.conf
Where:
l <IP> is the IP address of the appliance
l <Netmask> is the subnet mask
l <Gateway> is the network gateway
setlocaltime <timezone>
where <timezone> is the abbreviation of a country and city in the same geographic location as the
appliance. For a list of valid time zone abbreviations, see /usr/share/zoneinfo.
For example, to set the time zone for an appliance located in New York, enter
setlocaltime America/New_York
reboot
8. After reboot, you must restart Oracle database services and RSA Identity Governance and Lifecycle.
Enter
You can log on to RSA Identity Governance and Lifecycle from any compatible Web browser.
The first time a system administrator logs on to the RSA Identity Governance and Lifecycle user interface, to
agree to the license, he or she must enter the Customer ID, Customer Name, and System Type. The
Customer ID value is provided by RSA and is provided to all customers through email. These values are logged
under diagnostic and system data.
Procedure
AveksaAdmin is the name of the administrator (super user) in the RSA Identity Governance and Lifecycle
system.
l Customer ID, which is provided by RSA and is provided to all customers through email.
l Customer Name, which is used in diagnostic and system data to identify the system.
l System Type indicates whether the system is for production purposes.
5. When prompted, enter the new password for the AveksaAdmin user in the New Password box.
The password must contain at least eight characters, including one upper and one lower case character,
and one number.
7. Click OK.
The appliance updater does not patch the RSA Identity Governance and Lifecycle application.
It is important to keep the operating system and database components of an RSA Identity Governance and
Lifecycle appliance up-to-date with the latest patches. RSA provides the Appliance Updater to achieve that goal.
It bundles a certified patch set for the operating system of an RSA appliance and the database on the appliance.
Downloading and running these patches closes vulnerabilities and addresses bugs.
Download and apply the appliance updater patches on a regular basis as new patches are released.
For more information, see the RSA Identity Governance and Lifecycle Appliance Updater Guide.
The Key Encryption Key (KEK) is the key used to encrypt all other encryption keys. After installation (or
upgrade), on first startup of RSA Identity Governance and Lifecycle, a unique KEK is created and stored in the
encryption key directory. The default location of the directory is /home/oracle/security. If the default directory
is not available or you want to set a different directory, you must create the directory, and then specify the
location in a Java system variable.
Procedure
1. Log in as root.
Note: You must log in as the root account to ensure that the proper permissions are granted. This
procedure may not work using any other account.
2. Make sure you have a directory for storing the encryption key. For security purposes, the directory
should have the following settings:
l If the directory already exists, set its permissions to 700 (rwx------) and make sure that the
directory is owned by the same user under which RSA Identity Governance and Lifecycle is
running.
l If the directory does not exist, the parent directory must be writable for the user under which
RSA Identity Governance and Lifecycle is running. In this case, RSA Identity Governance and
Lifecycle will create the directory with the correct permissions.
l For a cluster, this same directory also needs to exist on each of the nodes.
3. Confirm that the Java system property "rsavialg.security.keydir" is set to the appropriate directory. Use
the steps for your platform in the following table to confirm or add the setting.
Platform: Instructions:
The property is in aveksa-standalone-full.xml
(/home/oracle/wildfly/standalone/configuration/aveksa-standalone-full.xml):
<system-properties>
Standalone <property name="rsavialg.security.keydir" value="/home/oracle/security"/>
</system-properties>
The default value for the directory is "/home/oracle/security" Change this to the directory
where you will store the encryption key.
On the Domain Controller, the property is in domain.xml
(/home/oracle/wildfly/domain/configuration/domain.xml). Set the following values:
<system-properties>
<property name="rsavialg.security.keydir" value="/home/oracle/security"/>
Cluster </system-properties>
The default value for the directory is "/home/oracle/security" You should change this to the
directory where you will store the encryption key
The setting on the domain controller will be propagated to the other nodes in the cluster.
Make sure you have the same encryption key directory on each of the nodes.
4. Create a secure backup process to back up the keys in the encryption key directory. RSA Identity
Governance and Lifecycle generates these keys and stores them only in the designated directory.
If the keys are lost, any data encrypted with those keys will be irrecoverable. The backup process should
ensure that the keys are not compromised during the backup or after they are in the backup location.
Note: Anytime that you change the value of the Java system property after the keys have already been created
(meaning after you configured the property and brought the system up), you must bring down the system and
move the keys to the new location before bringing up the system again.
Procedure
1. Add the "rsavialg.security.strict.permissions.disabled" property to system properties and set the value
to "true" as shown for the platform type:
Platform: Instructions:
The property is in aveksa-standalone-full.xml
(/home/oracle/wildfly/standalone/configuration/aveksa-standalone-full.xml):
Standalone <system-properties>
<property name="rsavialg.security.keydir" value="/home/oracle/security"/>
<property name="rsavialg.security.strict.permissions.disabled" value="true"/>
</system-properties>
On the Domain Controller, the property is in domain.xml
(/home/oracle/wildfly/domain/configuration/domain.xml). Set the following values:
Cluster <system-properties>
<property name="rsavialg.security.keydir" value="/home/oracle/security"/>
<property name="rsavialg.security.strict.permissions.disabled" value="true"/>
</system-properties>
l If the directory already exists, set its permissions such that the user (owner of the process
under which RSA Identity Governance and Lifecycle is running) has “rwx” access into this
directory. The owner of the directory need not be the same as the owner of the application
process, but the owner of the application process must be able to read and write into this
directory. This means “rwx” permissions have to be set for the appropriate file permission field
(owner, group, all) , which will allow the application process full access.
l If the directory does not exist, it is recommended that you create it. Set up the permissions on
the directory as specified in the previous item.
l If the directory does not exist and you do not create it, the application will attempt to create the
directory on first startup using default permissions and the directory will be owned by the same
user as the application process.
up given the requirements outlined in “Confirm the Setting for the Encryption Key Directory” (see
above).
Error Messages
The following table lists error messages that might display (in the AveksaServer.log) after you configure the
encryption key directory. The table lists default directory paths for the master encryption key directory
(/home/oracle/security) and its parent directory (/home/oracle). The suggested actions are performed on the
RSA Identity Governance and Lifecycle host.
A self-signed certificate is installed with the product. Though the self-signed certificate enables an HTTPS
connection, the client browser will always display a certificate warning before it allows a user to connect.
Replace the self-signed certificate with a certificate signed by a Certificate Authority (CA).
This section describes how to obtain a CA-signed certificate and use it to identify the server.
You can generate a new request and have the certificate signed by an internal CA, or you can request a server
certificate to be signed by a well-known CA to replace the default RSA Identity Governance and Lifecycle self-
signed server certificate.
Your company might require further configuration for the trusted CA or RSA Identity Governance and Lifecycle
server certificates on the application server.
When using an RSA Identity Governance and Lifecycle server certificate signed by an external or internal CA,
you must add the trusted root CA certificate file to the truststore prior to uploading the server certificate file.
Browsers and application servers often contain CA root certificates from well known CAs. Users may be required
to import the root/intermediate CA certificate file to their web browsers if the CA is not known. See the web
browser documentation for more information.
You can generate a new server certificate that meets your organization’s security requirements and fully
qualified domain name (FQDN). RSA Identity Governance and Lifecycle provides a default certificate with an
alias of “server.” You must define your own alias <server-cert-alias> for your generated server certificate.
You can delete the existing server certificate (the one using the server alias) from the aveksa.keystore file after
generating a new server certificate file in the aveksa.keystore file. Specify the options required for your server
certificate (FQDN, keysize, validity, security algorithms and so on).
Procedure
cd /home/oracle/keystore
cp aveksa.keystore aveksa.keystore.backup
For example:
This example defines in the FQDN a server on which RSA Identity Governance and Lifecycle is running, a
key size of 2048, and the length of time the certificate is valid (18000 days or ~50 years). The alias is
myCorpServer.
The alias cannot be the same as the alias used by any existing certificate. The CN value must be the
exact URL from which RSA Identity Governance and Lifecycle is accessed. If RSA Identity Governance
and Lifecycle is accessed from any other address, the certificate does not secure the connection. If the
certificate is accessed from multiple URLs on the same server, a Subject Alternative Name (SAN) must
be provided with all additional URLs when generating the certificate.
Certificates are trusted if signed by a CA. To obtain a signed certificate, you must first generate a Certificate
Signing Request (CSR) and submit to a CA. The CA returns the signed certificate and any other certificates
(intermediate and root certificates of the CA for example) that may be required for the signing authority to be
trusted.
Procedure
1. Log in as the oracle user, then go to the following directory:
cd /home/oracle/keystore
The CSR, acmserver.csr, is sent to a CA to be signed. The CA can be your internal CA or an external
company such as VeriSign. You would typically receive a signed certificate and any root/intermediate
certificates, for example, root.cer, and intermed.cer.
acm restart
If a certificate is created and signed by an internal or unknown CA, then the certificate chain of the signing CA
must be imported into the truststore. The certificate chain consists of a root certificate and any number of
intermediate certificates used to establish the validation of the signing CA. The certificate chain must be
imported in the correct order starting with the root certificate down the chain of any intermediate certificates.
You need root permissions to perform the task of importing certificates.
l $JAVA_HOME/jre/lib/security/jssecacerts
l $JAVA_HOME/jre/lib/security/cacerts
l Cacerts referred by your host machine. For example, in Red Hat Enterprise Linux 6, the default
truststore is /etc/pki/java/cacerts.
l Custom truststore which is assigned to the 'javax.net.ssl.trustStore' system property in JAVA_OPTS.
Procedure
1. Log in as root.
Note: You must log in as the root account to ensure that the proper permissions are granted. This
procedure may not work using any other account.
cd $JAVA_HOME/jre_openjdk/lib/security
cp cacerts cacerts.backup
For example:
acm restart
Step 4: Import a Signed Server Certificate into the RSA Identity Governance and Lifecycle Key-
store
Procedure
1. Log in as the oracle user, then run the following commands:
cd /home/oracle/keystore
where
2. To verify that RSA Identity Governance and Lifecycle is using the new certificate, enter:
3. In the list of certificates, verify that Certficate[1] uses the alias of the new certificate and that other
certificates listed (Certificate[2], Certificate[3] and so on), are part of the certificate chain of the new
certificate.
4. If Certificate[1] uses the alias of the old certificate, delete the old certificate. Enter
acm restart
6. Verify that the new certificate is used when you access the application through a browser.
a. Log on to the RSA Identity Governance and Lifecycle application.
b. View the certificate information in the browser. Most browsers display a lock icon in the URL bar
that you can click to display certificate and security information.
c. If there is no root certificate, restart RSA Identity Governance and Lifecycle to register the root
certificate.
d. If the certificate information indicates that the root certificate is not trusted, either of the
following conditions may apply:
l The wrong root certificate was imported. In this case, you must obtain the correct root
certificate from the CA, import it into cacert, restore the aveksa.kesytore backup and
perform the steps in Setting Up a Signed Certificate for HTTP Access to RSA Governance
and Lifecycle.
l The signed certificate was imported before the trusted root certificate was imported. In
this case, you must restore the aveksa.kesytore backup and perform the steps in Setting
Up a Signed Certificate for HTTP Access to RSA Governance and Lifecycle.
To view the settings, in RSA Identity Governance and Lifecycle, click Admin > System, and click the Security
tab.
l Security
l XSS/Scripting Security
l Web Services and Mobile
The default settings comply with security best practices. For information about these settings, click Help on the
Security settings page.
RSA Identity Governance and Lifecycle provides a default user named AveksaAdmin. To provide access to other
users, you can define:
For instructions on setting up an authentication source, see Managing Log On Authentication Sources in Help.
l Verify the hardware, software, and database requirements described in Chapter 2, Review Installation
Prerequisites.
l You must have a valid license for RSA Identity Governance and Lifecycle.
Procedure
1. Download the following installation files:
a. Go to RSA Link (https://community.rsa.com/community/products/governance-and-lifecycle),
then click Log In and enter your user name and password.
b. Click RSA Identity Governance and Lifecycle.
c. Click Downloads > RSA Identity Governance and Lifecycle 7.2.1.
d. Click Version Upgrades.
e. Click the Upgrade link for your licensed RSA Identity Governance and Lifecycle asset.
f. Click Continue.
g. On the Order Detail page, click the menu icon and select Product List.
The Current tab lists the most recent release. The Archive tab lists previous releases.
l adoptjdk_8u252b09.tar.gz
l aveksa-<product-version>.tar.bz2
2. If you are using an RSA-supplied database, go back one screen, select Hardware Appliance Version
7.2.1, then download these files:
l linuxamd64_12102_database_1of2.zip
l linuxamd64_12102_database_2of2.zip
l linuxamd64_12102_grid_1of2.zip
l linuxamd64_12102_grid_2of2.zip
l oracle_12.1.0.2_patches_v001.zip
l asmlib-008_x64.tar.bz2
l cvupack_Linux_x86_64.zip
Procedure
1. Log in to the host as root or another user that is performing the installation.
Note: You are not required to use root, however non-root users are not able to update the sudoers file
or create a system service to start and stop the application. The application does not require a system
service to start and stop. The root user may be necessary to install the prerequisite JDK.
2. Create a directory for the packages. By default, this is /tmp/aveksa/packages. For example:
mkdir -p /tmp/aveksa/packages
Note: If the directory already exists, delete any files in the directory before you proceed.
unzip -t linuxamd64_12102_database_1of2.zip
The commands list the packages and indicate if errors were detected.
5. If it already exists in your environment, delete the directory where the RSA Identity Governance and
Lifecycle installation and product files are staged. For example:
/tmp/aveksa/staging
6. Expand the Aveksa package in a new staging directory, referred to in the following example as <aveksa_
staging_directory>. This can be any directory except in a hardware appliance, in which the
/tmp/aveksa/staging directory is required. For example:
mkdir -p <aveksa_staging_directory>
cd <aveksa_staging_directory>
tar <product_version>.tar.bz2
Depending on your environment and requirements, you can run the installation script as either the root user or
oracle user.
l Perform the Installation as the Root User on page 40. Use this method in the following scenarios:
l You are using an RSA-supplied database.
l You want to install the RSA Identity Governance and Lifecycle application as a service.
Note: The root user can install RSA Identity Governance and Lifecycle either as a service or a
non-service.
l Perform Installation as the Oracle User on page 42. Use this method in the following scenarios:
l You are using a remote database and you do not need to install services or use sudo
functionality.
The following flowchart illustrates the overall installation process for each option.
l Memory
l Disk space for partitions
l Operating system packages
l Network settings
l System configurations
The script displays information about the checks, and it indicates if a requirement is not met. After you resolve
the requirement, you can run the script again.
Installation scripts and any installation errors are recorded in the install log (/tmp/aveksa-install.log).
Procedure
1. Log in as root.
2. Respond yes or no to the prompt asking if you would like to install RSA Identity Governance and Lifecycle
as a service. If you select no, options related to services are not available.
cd /tmp/aveksa/staging
./install.sh
Note: By default, the installation script includes packages for Access Fulfillment Express module (AFX),
and the AFX menu is displayed in the user interface. AFX is not activated unless your license grants you
permissions to download and start the AFX server. For licensing, contact your RSA representative.
9. When prompted, enter N if you want to install RSA Identity Governance and Lifecycle with an RSA-
provided database, or Y to install a customer-supplied Oracle database.
If you entered Y, you will be prompted to provide information to identify your Oracle database. See Plan
the Customer-Supplied Database Configuration on page 16 for a list of the parameters (such as Oracle
listener hostname, port, SID, database users) that you need to input.
Note: If you created the database instance with non-default names for the database users, you must
use the same user names and passwords when prompted.
The installation begins. A summary displays the location of the package files, and information about the
Oracle database configuration.
10. If the summary of install information is correct for your system, enter "yes" at the following prompt:
11. If the summary of install information is incorrect, enter "no." The installation prompts you to provide the
correct information for each item.
12. If you want to install the version shown on the screen, enter yes.
13. Log out of all open sessions from the logged in account after the installation has finished. You need to log
in again to apply the environment changes to your session.
For information about actions performed during the installation, see the install log (/tmp/aveksa-install.log).
l Memory
l Disk space for partitions
l Operating system packages
l Network settings
l User and group settings
l System configurations
The script displays information about the checks, and it indicates if a requirement is not met. After you resolve
the requirement, you can run the script again.
Installation scripts and any installation errors are recorded in the install log (/tmp/aveksa-install.log).
Procedure
1. Log in to the application server as the root user.
2. Ensure that the user "oracle" exists and has the primary group assigned to "oinstall".
3. Run the following command:
chown -R oracle:oinstall /tmp/aveksa/staging
4. Run the following command:
cd $STAGING_DIR/deploy/JDK-scripts
./installJDK.sh
RSA Identity Governance and Lifecycle and AFX are installed in a non-service mode, and aveksa_server
and afx_server will not run as a service. They must be run from "$AVEKSA_HOME"/deploy/init.d/.
7. Log out of all open sessions after the installation has finished. You need to log in again to apply the
environment changes to your session.
For information about actions performed during the installation, see the install log (/tmp/aveksa-install.log).
On a Software Bundle, you need to open TCP ports on the firewall to allow communications with RSA Identity
Governance and Lifecycle.
To configure the firewall, see the section for your operating system:
After you complete the installation, you can log on to RSA Identity Governance and Lifecycle from any compatible
Web browser.
Procedure
1. On the appliance, open a browser and enter the following URL:
AveksaAdmin is the name of the administrator (superuser) in RSA Identity Governance and Lifecycle.
This password must contain at least 8 characters, including one upper and one lower case character,
and one number.
The appliance updater does not patch the RSA Identity Governance and Lifecycle application.
It is important to keep the operating system and database components of an RSA Identity Governance and
Lifecycle appliance up-to-date with the latest patches. For a Software Bundle, RSA provides the Appliance
Updater, which bundles a certified patch set for an RSA-supplied Oracle database. Downloading and running
these patches closes vulnerabilities and bugs.
Note: The customer-supplied operating system should be updated regularly with patches supplied by the
vendor.
Download and apply the appliance updater patches on a regular basis as updates are released.
For more information, see the RSA Identity Governance and Lifecycle Appliance Updater Guide.
The Key Encryption Key (KEK) is the key used to encrypt all other encryption keys. After installation (or
upgrade), on first startup of RSA Identity Governance and Lifecycle, a unique KEK is created and stored in the
encryption key directory. The default location of the directory is /home/oracle/security. If the default directory
is not available or you want to set a different directory, you must create the directory manually, and then specify
the location in a Java system variable.
Procedure
1. Log in to the system root.
Note: You must log in as the root account to ensure that the proper permissions are granted. This
procedure may not work using any other account.
2. If your system has an existing directory to store the encryption key, set its permissions to 700 (rwx-----
-) and make sure that the directory owner is the user under which RSA Identity Governance and
Lifecycle is running.
If a directory for storing the encryption key does not exist, RSA Identity Governance and Lifecycle
creates the directory. Ensure that the user running RSA Identity Governance and Lifecycle has write
permissions to the parent directory.
Note: In a clustered environment, each node must contain a directory for the encryption key.
3. Confirm that the Java system property "rsavialg.security.keydir" is set to the appropriate directory. Use
the steps for your platform in the following table to confirm or add the setting.
Platform: Instructions:
The property is in aveksa-standalone-full.xml
(/home/oracle/wildfly/standalone/configuration/aveksa-standalone-full.xml):
<system-properties>
Standalone <property name="rsavialg.security.keydir" value="/home/oracle/security"/>
</system-properties>
The default value for the directory is "/home/oracle/security" Change this if you use a
different directory to store the encryption key.
On the Domain Controller, the property is in domain.xml
(/home/oracle/wildfly/domain/configuration/domain.xml). Set the following values:
<system-properties>
Cluster <property name="rsavialg.security.keydir" value="/home/oracle/security"/>
</system-properties>
The default value for the directory is "/home/oracle/security" You should change this to the
directory where you will store your encryption key.
Platform: Instructions:
The setting on the domain controller will be propagated to the other nodes in the cluster.
Make sure you have the same encryption key directory on each of the nodes.
4. Create a secure backup process to back up the keys in the encryption key directory. RSA Identity
Governance and Lifecycle generates these keys and stores them only in the designated directory.
If the keys are lost, any data encrypted with those keys will be irrecoverable. We recommend that you
create a secure backup process for the keys and store the backup in a secure location.
Note: Anytime that you change the value of the Java system property after the keys have already been created
(meaning after you configured the property and brought the system up), you must bring down the system and
move the keys to the new location before bringing up the system again.
Procedure
1. Add the "rsavialg.security.strict.permissions.disabled" property to system properties and set the value
to "true" as shown for the platform type:
Platform: Instructions:
The property is in aveksa-standalone-full.xml
(/home/oracle/wildfly/standalone/configuration/aveksa-standalone-full.xml):
Standalone <system-properties>
<property name="rsavialg.security.keydir" value="/home/oracle/security"/>
<property name="rsavialg.security.strict.permissions.disabled" value="true"/>
</system-properties>
On the Domain Controller, the property is in domain.xml
(/home/oracle/wildfly/domain/configuration/domain.xml). Set the following values:
Cluster <system-properties>
<property name="rsavialg.security.keydir" value="/home/oracle/security"/>
<property name="rsavialg.security.strict.permissions.disabled" value="true"/>
</system-properties>
l If the directory already exists, set its permissions such that the user (owner of the process
under which RSA Identity Governance and Lifecycle is running) has “rwx” access into this
directory. The owner of the directory need not be the same as the owner of the application
process, but the owner of the application process must be able to read and write into this
directory. This means “rwx” permissions have to be set for the appropriate file permission field
(owner, group, all) , which will allow the application process full access.
l If the directory does not exist, it is recommended that you create it. Set up the permissions on
the directory as specified in the previous item.
l If the directory does not exist and you do not create it, the application will attempt to create the
directory on first startup using default permissions and the directory will be owned by the same
user as the application process.
Error Messages
The following table lists error messages that might display (in the AveksaServer.log) after you configure the
encryption key directory. The table lists default directory paths for the master encryption key directory
(/home/oracle/security) and its parent directory (/home/oracle). The suggested actions are performed on the
RSA Identity Governance and Lifecycle host.
Configure Datasources
In a WildFly environment, you must update WildFly's datasources to properly detect database connectivity
issues. Perform the following procedure to enable the server to check the database connection every 30
seconds.
Procedure
1. Open the appropriate configuration file for your deployment type:
l Standalone: /home/oracle/wildfly/standalone/configuration/aveksa-standalone-full.xml
l Cluster: /home/oracle/wildfly/domain/configuration/domain.xml
<validation>
<background-validation>true</background-validation>
<background-validation-millis>30000</background-validation-
millis>
<valid-connection-checker
class-name="org.jboss.jca.adapters.jdbc.extensions.oracle.Oracle
ValidConnectionChecker"/>
<stale-connection-checker
class-name="org.jboss.jca.adapters.jdbc.extensions.oracle.Oracle
StaleConnectionChecker"/>
<exception-sorter
class-name="com.aveksa.jdbc.OracleExceptionSorter"/>
</validation>
A self-signed certificate is installed with the product. Though the self-signed certificate enables an HTTPS
connection, the client browser will always display a certificate warning before it allows a user to connect.
Replace the self-signed certificate with a certificate signed by a Certificate Authority (CA).
This section describes how to obtain a CA-signed certificate and use it to identify the server.
You can generate a new request and have the certificate signed by an internal CA, or you can request a server
certificate to be signed by a well-known CA to replace the default RSA Identity Governance and Lifecycle self-
signed server certificate.
Your company might require further configuration for the trusted CA or RSA Identity Governance and Lifecycle
server certificates on the application server.
When using an RSA Identity Governance and Lifecycle server certificate signed by an external or internal CA,
you must add the trusted root CA certificate file to the truststore prior to uploading the server certificate file.
Browsers and application servers often contain CA root certificates from well known CAs. Users may be required
to import the root/intermediate CA certificate file to their web browsers if the CA is not known. See the web
browser documentation for more information.
You can generate a new server certificate that meets your organization’s security requirements and fully
qualified domain name (FQDN). RSA Identity Governance and Lifecycle provides a default certificate with an
alias of “server.” You must define your own alias <server-cert-alias> for your generated server certificate.
You can delete the existing server certificate (the one using the server alias) from the aveksa.keystore file after
generating a new server certificate file in the aveksa.keystore file. Specify the options required for your server
certificate (FQDN, keysize, validity, security algorithms and so on).
Procedure
1. Log on as the oracle user, then go to the keystore directory:
cd /home/oracle/keystore
cp aveksa.keystore aveksa.keystore.backup
For example:
This example defines in the FQDN a server on which RSA Identity Governance and Lifecycle is running, a
key size of 2048, and the length of time the certificate is valid (18000 days or ~50 years). The alias is
myCorpServer.
The alias cannot be the same as the alias used by any existing certificate. The CN value must be the
exact URL from which RSA Identity Governance and Lifecycle is accessed. If RSA Identity Governance
and Lifecycle is accessed from any other address, the certificate does not secure the connection. If the
certificate is accessed from multiple URLs on the same server, a Subject Alternative Name (SAN) must
be provided with all additional URLs when generating the certificate.
Certificates are trusted if signed by a CA. To obtain a signed certificate, you must first generate a Certificate
Signing Request (CSR) and submit to a CA. The CA returns the signed certificate and any other certificates
(intermediate and root certificates of the CA for example) that may be required for the signing authority to be
trusted.
Procedure
1. Log in as the oracle user, then go to the following directory:
cd /home/oracle/keystore
The CSR, acmserver.csr, is sent to a CA to be signed. The CA can be your internal CA or an external
company such as VeriSign. You would typically receive a signed certificate and any root/intermediate
certificates, for example, root.cer, and intermed.cer.
acm restart
If a certificate is created and signed by an internal or unknown CA, then the certificate chain of the signing CA
must be imported into the truststore. The certificate chain consists of a root certificate and any number of
intermediate certificates used to establish the validation of the signing CA. The certificate chain must be
imported in the correct order starting with the root certificate down the chain of any intermediate certificates.
You need root permissions to perform the task of importing certificates.
l $JAVA_HOME/jre/lib/security/jssecacerts
l $JAVA_HOME/jre/lib/security/cacerts
l Cacerts referred by your host machine. For example, in Red Hat Enterprise Linux 6, the default
truststore is /etc/pki/java/cacerts.
l Custom truststore which is assigned to the 'javax.net.ssl.trustStore' system property in JAVA_OPTS.
Procedure
1. Log in as root.
Note: You must log in as the root account to ensure that the proper permissions are granted. This
procedure may not work using any other account.
cd $JAVA_HOME/jre_openjdk/lib/security
cp cacerts cacerts.backup
For example:
acm restart
Step 4: Import a Signed Server Certificate into the RSA Identity Governance and Lifecycle Key-
store
Procedure
1. Log in as the oracle user, then run the following commands:
cd /home/oracle/keystore
where
2. To verify that RSA Identity Governance and Lifecycle is using the new certificate, enter:
3. In the list of certificates, verify that Certficate[1] uses the alias of the new certificate and that other
certificates listed (Certificate[2], Certificate[3] and so on), are part of the certificate chain of the new
certificate.
4. If Certificate[1] uses the alias of the old certificate, delete the old certificate. Enter
acm restart
6. Verify that the new certificate is used when you access the application through a browser.
a. Log on to the RSA Identity Governance and Lifecycle application.
b. View the certificate information in the browser. Most browsers display a lock icon in the URL bar
that you can click to display certificate and security information.
c. If there is no root certificate, restart RSA Identity Governance and Lifecycle to register the root
certificate.
d. If the certificate information indicates that the root certificate is not trusted, either of the
following conditions may apply:
l The wrong root certificate was imported. In this case, you must obtain the correct root
certificate from the CA, import it into cacert, restore the aveksa.kesytore backup and
perform the steps in Setting Up a Signed Certificate for HTTP Access to RSA Governance
and Lifecycle.
l The signed certificate was imported before the trusted root certificate was imported. In
this case, you must restore the aveksa.kesytore backup and perform the steps in Setting
Up a Signed Certificate for HTTP Access to RSA Governance and Lifecycle.
To view the settings, in RSA Identity Governance and Lifecycle, click Admin > System, and click the Security
tab.
l Security
l XSS/Scripting Security
l Web Services and Mobile
The default settings comply with security best practices. For information about these settings, click Help on the
Security settings page.
RSA Identity Governance and Lifecycle provides a default user named AveksaAdmin. To provide access to other
users, you can define:
For instructions on setting up an authentication source, see Managing Log On Authentication Sources in Help.
1. Download and Install the RSA Identity Governance and Lifecycle Virtual Application OVA on page 53
2. Set Up the Database for the Virtual Application on page 54
3. Set Up the RSA Identity Governance and Lifecycle Virtual Application on page 54
4. Log on to RSA Identity Governance and Lifecycle on page 57
5. Apply the Latest Operating System and Database Patch Updates to a Virtual Application on page 58
6. Confirm the Setting for the Encryption Key Directory on page 58
7. Implement Security Best Practices on page 62
8. Setting Up User Access to RSA Identity Governance and Lifecycle on page 117
RSA distributes the RSA Identity Governance and Lifecycle virtual application as an OVA file, which you
download and install as a virtual application. To deploy the virtual application, you must use VMware ESXi
version 5.x or higher.
Procedure
1. Go to RSA Link (https://community.rsa.com/community/products/governance-and-lifecycle), then click
Log In and enter your user name and password.
2. Click RSA Identity Governance and Lifecycle 7.2.1
3. Click Version Upgrades.
4. Click the Upgrade link for your licensed RSA Identity Governance and Lifecycle asset.
5. Click Continue.
6. On the Order Detail page, click the menu icon and select Product List.
The Current tab lists the most recent release or patch. The Archive tab lists previous releases and
patches.
7. Click the appropriate tab, and select the name of the release to download.
8. Download the OVA file:
RSA_IGL.x86_64-<VersionNumber>.ova
9. Follow the documentation for your virtual infrastructure to install the OVA, using the following
configuration settings:
Setting Value
CPU 4 CPUs, with 1 core per socket
Memory 16 GB or greater
Hard Disk Retain the default value
The virtual application requires a database that is installed on physical hardware. Before setting up the virtual
application, set up the database.
Before You Begin
l Verify Prerequisites for a Customer-Supplied Database on page 16.
l If you plan to deploy your own customer-supplied database, refer to the RSA Identity Governance and
Lifecycle Database Setup and Management Guide for requirements and instructions.
Procedure
1. Log into the database installation machine as root.
Note: You must log in as the root account to ensure that the proper permissions are granted. This
procedure may not work using any other account.
2. Extract the file RSA_IGL_DatabaseOnly.tar.bz2 to the /tmp directory using the following command:
./installDatabaseOnly.sh
When the script completes, a standalone Oracle database server is configured with the appropriate
tablespace, users, and schema for RSA Identity Governance and Lifecycle. Logs are accessible in the
/tmp/aveksa-install.log directory.
4. Log out of all open sessions from the root account after the installation has finished. You need to log in
again to apply the environment changes to your session.
Use the RSA Identity Governance and Lifecycle virtual application setup interface to configure the virtual
application. The setup interface automatically guides you through each step of the virtual application
configuration.
Use the arrow keys to move between form fields, and the Tab key to select options at the bottom of each screen.
l Verify that the application server and database are configured to use the same region and time zone. To
determine and synchronize the time zone, do the following:
1. As the user sysdba, run the following query:
3. If the values from steps 1 and 2 are not identical, execute the following SQL statements:
shutdown immediate;
startup;
Procedure
1. Power on the virtual machine and log in as root using the standard password.
Note: You must log in as the root account to ensure that the proper permissions are granted. This
procedure may not work using any other account.
2. At the prompt asking if you want to set up RSA Identity Governance and Lifecycle, use TAB to select Yes,
and press Enter.
3. Configure the network settings for the virtual application:
a. On the Main Menu screen, ensure that 1 Network Setup is selected, select OK, and press
Enter.
b. On the Network Configuration screen, enter the fully qualified domain name (FQDN), the IPv4 or
IPv6 IP Address, Netmask, and the default Gateway for your RSA Identity Governance and
Lifecycle deployment, then select Submit, and press Enter.
The network automatically restarts.
c. At the prompt asking if you want to verify the network, select Yes to verify your network
configuration or No to skip the test, and press Enter.
d. If you performed the network test, select OK after the test completes and press Enter.
connection.
c. Select OK and press Enter.
6. Configure the Oracle database as follows. If you are migrating from an older OVA, provide the same
database details.
a. Ensure that 4 DB Setup is selected, select OK, and press Enter.
b. Enter the following details for your deployment, if applicable:
l Oracle Listening hostname
l Oracle Listener port
l Oracle SID
l Oracle Service Name
l Oracle Connection ID
l Aveksa (AveksaAdmin) user name
l Aveksa (AveksaAdmin) user password
l Reports user name
l Reports user password
l Public db user name
l Public db user password
l Statspack user name
l Statspack user password
8. (Optional) To disable the setup interface from automatically running after logging into the virtual
application as root:
a. Select 6 Disable, select OK, and press Enter.
b. At the confirmation message, select Yes, and press Enter.
configured.
b. Select OK, and press Enter.
10. (Optional) To turn the color mode on or off for the status labels, Select 8 Turn on/off color mode,
select OK, and press Enter.
When color mode is enabled, the virtual application setup interface color-codes the status label for each
configuration step. When disabled, the status labels appear as standard text. This option can help with
status readability.
Procedure
1. Power on the virtual machine and log in as root using the standard password.
Note: You must log in as the root account to ensure that the proper permissions are granted. This
procedure may not work using any other account.
/usr/local/bin/run-setup
Procedure
1. Power on the virtual machine and log in as root using the standard password.
Note: You must log in as the root account to ensure that the proper permissions are granted. This
procedure may not work using any other account.
2. Update /root/ .bash_profile by removing the # character from the following line:
#run-setup
The virtual application setup interface will automatically run at the next login.
After you complete the installation, you can log on to RSA Identity Governance and Lifecycle from any compatible
Web browser.
Procedure
1. On the appliance, open a browser and enter the following URL:
AveksaAdmin is the name of the administrator (superuser) in RSA Identity Governance and Lifecycle.
This password must contain at least 8 characters, including one upper and one lower case character,
and one number.
The appliance updater does not patch the RSA Identity Governance and Lifecycle application.
It is important to keep the operating system and database components of an RSA Identity Governance and
Lifecycle deployment up-to-date with the latest patches. The virtual application OVA contains the most up-to-
date version of the operating system. To update the operating system and database for your virtual application,
you can either download a later version of the OVA, or use the Appliance Updater.
RSA provides the Appliance Updater to achieve that goal. It bundles a certified patch set for the operating
system of an RSA appliance and the database on the appliance. Downloading and running these patches closes
vulnerabilities and addresses bugs.
Download and apply the appliance updater patches on a regular basis as new patches are released.
For more information, see the RSA Identity Governance and Lifecycle Appliance Updater Guide.
The Key Encryption Key (KEK) is the key used to encrypt all other encryption keys. After installation (or
upgrade), on first startup of RSA Identity Governance and Lifecycle, a unique KEK is created and stored in the
encryption key directory. The default location of the directory is /home/oracle/security. If the default directory
is not available or you want to set a different directory, you must create the directory, and then specify the
location in a Java system variable.
Procedure
1. Log in as root.
Note: You must log in as the root account to ensure that the proper permissions are granted. This
procedure may not work using any other account.
2. Make sure you have a directory for storing the encryption key. For security purposes, the directory
should have the following settings:
l If the directory already exists, set its permissions to 700 (rwx------) and make sure that the
directory is owned by the same user under which RSA Identity Governance and Lifecycle is
running.
l If the directory does not exist, the parent directory must be writable for the user under which
RSA Identity Governance and Lifecycle is running. In this case, RSA Identity Governance and
Lifecycle will create the directory with the correct permissions.
l For a cluster, this same directory also needs to exist on each of the nodes.
3. Confirm that the Java system property "rsavialg.security.keydir" is set to the appropriate directory. Use
the steps for your platform in the following table to confirm or add the setting.
Platform: Instructions:
The property is in aveksa-standalone-full.xml
(/home/oracle/wildfly/standalone/configuration/aveksa-standalone-full.xml):
<system-properties>
Standalone <property name="rsavialg.security.keydir" value="/home/oracle/security"/>
</system-properties>
The default value for the directory is "/home/oracle/security" Change this to the directory
where you will store the encryption key.
On the Domain Controller, the property is in domain.xml
(/home/oracle/wildfly/domain/configuration/domain.xml). Set the following values:
<system-properties>
<property name="rsavialg.security.keydir" value="/home/oracle/security"/>
Cluster </system-properties>
The default value for the directory is "/home/oracle/security" You should change this to the
directory where you will store the encryption key
The setting on the domain controller will be propagated to the other nodes in the cluster.
Make sure you have the same encryption key directory on each of the nodes.
4. Create a secure backup process to back up the keys in the encryption key directory. RSA Identity
Governance and Lifecycle generates these keys and stores them only in the designated directory.
If the keys are lost, any data encrypted with those keys will be irrecoverable. The backup process should
ensure that the keys are not compromised during the backup or after they are in the backup location.
Note: Anytime that you change the value of the Java system property after the keys have already been created
(meaning after you configured the property and brought the system up), you must bring down the system and
move the keys to the new location before bringing up the system again.
Procedure
1. Add the "rsavialg.security.strict.permissions.disabled" property to system properties and set the value
to "true" as shown for the platform type:
Platform: Instructions:
The property is in aveksa-standalone-full.xml
(/home/oracle/wildfly/standalone/configuration/aveksa-standalone-full.xml):
Standalone <system-properties>
<property name="rsavialg.security.keydir" value="/home/oracle/security"/>
<property name="rsavialg.security.strict.permissions.disabled" value="true"/>
</system-properties>
On the Domain Controller, the property is in domain.xml
(/home/oracle/wildfly/domain/configuration/domain.xml). Set the following values:
Cluster <system-properties>
<property name="rsavialg.security.keydir" value="/home/oracle/security"/>
<property name="rsavialg.security.strict.permissions.disabled" value="true"/>
</system-properties>
l If the directory already exists, set its permissions such that the user (owner of the process
under which RSA Identity Governance and Lifecycle is running) has “rwx” access into this
directory. The owner of the directory need not be the same as the owner of the application
process, but the owner of the application process must be able to read and write into this
directory. This means “rwx” permissions have to be set for the appropriate file permission field
(owner, group, all) , which will allow the application process full access.
l If the directory does not exist, it is recommended that you create it. Set up the permissions on
the directory as specified in the previous item.
l If the directory does not exist and you do not create it, the application will attempt to create the
directory on first startup using default permissions and the directory will be owned by the same
user as the application process.
Error Messages
The following table lists error messages that might display (in the AveksaServer.log) after you configure the
encryption key directory. The table lists default directory paths for the master encryption key directory
(/home/oracle/security) and its parent directory (/home/oracle). The suggested actions are performed on the
RSA Identity Governance and Lifecycle host.
Configure Datasources
In a WildFly environment, you must update WildFly's datasources to properly detect database connectivity
issues. Perform the following procedure to enable the server to check the database connection every 30
seconds.
Procedure
1. Open the appropriate configuration file for your deployment type:
l Standalone: /home/oracle/wildfly/standalone/configuration/aveksa-standalone-full.xml
l Cluster: /home/oracle/wildfly/domain/configuration/domain.xml
<validation>
<background-validation>true</background-validation>
<background-validation-millis>30000</background-validation-
millis>
<valid-connection-checker
class-name="org.jboss.jca.adapters.jdbc.extensions.oracle.Oracle
ValidConnectionChecker"/>
<stale-connection-checker
class-name="org.jboss.jca.adapters.jdbc.extensions.oracle.Oracle
StaleConnectionChecker"/>
<exception-sorter
class-name="com.aveksa.jdbc.OracleExceptionSorter"/>
</validation>
A self-signed certificate is installed with the product. Though the self-signed certificate enables an HTTPS
connection, the client browser will always display a certificate warning before it allows a user to connect.
Replace the self-signed certificate with a certificate signed by a Certificate Authority (CA).
This section describes how to obtain a CA-signed certificate and use it to identify the server.
You can generate a new request and have the certificate signed by an internal CA, or you can request a server
certificate to be signed by a well-known CA to replace the default RSA Identity Governance and Lifecycle self-
signed server certificate.
Your company might require further configuration for the trusted CA or RSA Identity Governance and Lifecycle
server certificates on the application server.
When using an RSA Identity Governance and Lifecycle server certificate signed by an external or internal CA,
you must add the trusted root CA certificate file to the truststore prior to uploading the server certificate file.
Browsers and application servers often contain CA root certificates from well known CAs. Users may be required
to import the root/intermediate CA certificate file to their web browsers if the CA is not known. See the web
browser documentation for more information.
You can generate a new server certificate that meets your organization’s security requirements and fully
qualified domain name (FQDN). RSA Identity Governance and Lifecycle provides a default certificate with an
alias of “server.” You must define your own alias <server-cert-alias> for your generated server certificate.
You can delete the existing server certificate (the one using the server alias) from the aveksa.keystore file after
generating a new server certificate file in the aveksa.keystore file. Specify the options required for your server
certificate (FQDN, keysize, validity, security algorithms and so on).
Procedure
1. Log on as the oracle user, then go to the keystore directory:
cd /home/oracle/keystore
cp aveksa.keystore aveksa.keystore.backup
For example:
This example defines in the FQDN a server on which RSA Identity Governance and Lifecycle is running, a
key size of 2048, and the length of time the certificate is valid (18000 days or ~50 years). The alias is
myCorpServer.
The alias cannot be the same as the alias used by any existing certificate. The CN value must be the
exact URL from which RSA Identity Governance and Lifecycle is accessed. If RSA Identity Governance
and Lifecycle is accessed from any other address, the certificate does not secure the connection. If the
certificate is accessed from multiple URLs on the same server, a Subject Alternative Name (SAN) must
be provided with all additional URLs when generating the certificate.
Certificates are trusted if signed by a CA. To obtain a signed certificate, you must first generate a Certificate
Signing Request (CSR) and submit to a CA. The CA returns the signed certificate and any other certificates
(intermediate and root certificates of the CA for example) that may be required for the signing authority to be
trusted.
Procedure
1. Log in as the oracle user, then go to the following directory:
cd /home/oracle/keystore
The CSR, acmserver.csr, is sent to a CA to be signed. The CA can be your internal CA or an external
company such as VeriSign. You would typically receive a signed certificate and any root/intermediate
certificates, for example, root.cer, and intermed.cer.
acm restart
If a certificate is created and signed by an internal or unknown CA, then the certificate chain of the signing CA
must be imported into the truststore. The certificate chain consists of a root certificate and any number of
intermediate certificates used to establish the validation of the signing CA. The certificate chain must be
imported in the correct order starting with the root certificate down the chain of any intermediate certificates.
You need root permissions to perform the task of importing certificates.
l $JAVA_HOME/jre/lib/security/jssecacerts
l $JAVA_HOME/jre/lib/security/cacerts
l Cacerts referred by your host machine. For example, in Red Hat Enterprise Linux 6, the default
truststore is /etc/pki/java/cacerts.
l Custom truststore which is assigned to the 'javax.net.ssl.trustStore' system property in JAVA_OPTS.
Procedure
1. Log in as root.
Note: You must log in as the root account to ensure that the proper permissions are granted. This
procedure may not work using any other account.
cd $JAVA_HOME/jre_openjdk/lib/security
cp cacerts cacerts.backup
For example:
acm restart
Step 4: Import a Signed Server Certificate into the RSA Identity Governance and Lifecycle Key-
store
Procedure
1. Log in as the oracle user, then run the following commands:
cd /home/oracle/keystore
where
2. To verify that RSA Identity Governance and Lifecycle is using the new certificate, enter:
3. In the list of certificates, verify that Certficate[1] uses the alias of the new certificate and that other
certificates listed (Certificate[2], Certificate[3] and so on), are part of the certificate chain of the new
certificate.
4. If Certificate[1] uses the alias of the old certificate, delete the old certificate. Enter
acm restart
6. Verify that the new certificate is used when you access the application through a browser.
a. Log on to the RSA Identity Governance and Lifecycle application.
b. View the certificate information in the browser. Most browsers display a lock icon in the URL bar
that you can click to display certificate and security information.
c. If there is no root certificate, restart RSA Identity Governance and Lifecycle to register the root
certificate.
d. If the certificate information indicates that the root certificate is not trusted, either of the
following conditions may apply:
l The wrong root certificate was imported. In this case, you must obtain the correct root
certificate from the CA, import it into cacert, restore the aveksa.kesytore backup and
perform the steps in Setting Up a Signed Certificate for HTTP Access to RSA Governance
and Lifecycle.
l The signed certificate was imported before the trusted root certificate was imported. In
this case, you must restore the aveksa.kesytore backup and perform the steps in Setting
Up a Signed Certificate for HTTP Access to RSA Governance and Lifecycle.
To view the settings, in RSA Identity Governance and Lifecycle, click Admin > System, and click the Security
tab.
l Security
l XSS/Scripting Security
l Web Services and Mobile
The default settings comply with security best practices. For information about these settings, click Help on the
Security settings page.
RSA Identity Governance and Lifecycle provides a default user named AveksaAdmin. To provide access to other
users, you can define:
For instructions on setting up an authentication source, see Managing Log On Authentication Sources in Help.
l Verify that your machine meets the prerequisites for hardware, software, and database described in
Chapter 2, Installation Prerequisites.
l Personnel performing the installation should be a trained System Administrator in WebSphere
Application Server Network Deployment.
l Determine if you need to use a modified version of RSA Identity Governance and Lifecycle. See If You
Need a Modified Version of RSA Identity Governance and Lifecycle.
l Confirm that a cluster is already configured for an RSA Identity Governance and Lifecycle deployment.
You need information about each application server instance in the cluster. For background information
about running RSA Identity Governance and Lifecycle in a cluster, see Clustered Application Server and
Oracle RAC Implementation Environments.
l Modifying the Enterprise Archive for information on setting up a customization directory where you can
configure custom RSA Identity Governance and Lifecycle settings for WebSphere.
l Setting Up RSA Identity Governance and Lifecycle > Integrations in Help for customizing settings for
integration with any of the following:
instance running RSA Identity Governance and Lifecycle is called a node. The application server administers the
nodes collectively as a cluster that shares a common database to provide a scalable environment. Nodes self-
register with the database on startup.
Each node can support up to 250 client sessions. There are two types of nodes:
l A single System Operations Node (SON), which handles operations, such as data collections, agent
management, review generation, and policy processing.
l One or more general nodes, which handles user interface processing.
For more information, see the Help topic, "Managing Server Cluster Nodes."
The following describe each RAC component and recommendations for RSA Identity Governance and Lifecycle:
l Oracle RAC Database Instances — An Oracle RAC installation typically includes two or more database
instances, each with its own memory and local working cache. Each node requires two network
interfaces to communicate with both application servers on the public network and private network that
is used for both shared storage and the cluster .
RSA recommends that each database node has a local hard disk that holds the individual Oracle
clusterware and Oracle database homes in addition to the operating system and local swap files.
l Private Network — The private network used for coordinating cluster activities and the network that
accesses the shared storage system. The private network allows the Oracle cluster to the access Cluster
Ready Services (CRS)/Voting disk. Because RSA Identity Governance and Lifecycle operates in a mixed
Online Transaction Processing (OLTP) and Decision Support System (DSS) mode, many installations
benefit from a faster 10-Gbit network to support the caching requirements of DSS operations such as
collections and report generation.
l Shared Storage — RSA Identity Governance and Lifecycle supports Storage Area Network (SAN) systems
with multiple disk volumes. SANs with RAID 5 or RAID0+1 provide the required read-write performance
for the Oracle RAC.
The shared storage system, along with Oracle Automatic Storage Management (ASM), provides three
types of storage for the cluster that will be assigned to Logical Unit Numbers (LUN). Traditional Oracle
tablespace storage will occupy most of the space and will be stored in the LUN "VOL1." A second LUN,
will be created for cluster activities and will be assigned to the LUN "CRS1."
The third LUN will provide a general purpose "cluster-aware" file system that will be shared with all of
the members of the cluster and will be assigned to the LUN "FS1." Oracle requires this "cluster-aware"
file system be used when setting up Oracle directories in a cluster. Because RSA Identity Governance
and Lifecycle requires the AVEKSA_EXPORTIMPORT_DIRECTORY, we recommend a configuration that
uses Oracle Automatic Storage Management Cluster File System (Oracle ACFS) to create a mountable
volume usable by the operating system itself.
Procedure
1. Log on to the machine hosting the WebSphere application server.
2. Choose a download directory.
3. Download the installation files:
a. Go to RSA Link (https://community.rsa.com/community/products/governance-and-lifecycle),
then click Log In and enter your user name and password.
b. Click RSA Identity Governance and Lifecycle.
c. Click Downloads > RSA Identity Governance and Lifecycle 7.2.1.
d. Click Version Upgrades.
e. Click the Upgrade link for your licensed RSA Identity Governance and Lifecycle asset.
f. Click Continue.
g. On the Order Detail page, click the menu icon and select Product List.
The Current tab lists the most recent release. The Archive tab lists previous releases.
cd /opt
This command creates an ACM-WebSphere directory containing all required software components. The
directory location is referred to as DISTRIBUTION in this chapter.
Use the WebSphere console to perform all installation and configuration steps. See your WebSphere
administrator for the URL and access credentials. All values are expected to be set to the default values, unless
otherwise specified.
Application server resources must be created with the correct scope, which differs between distributed
application servers (clustered) and a standalone server. When configuring for a clustered environment, you
might need to synchronize or restart nodes. See the Database Configuration Values for more information.
you must increase the memory on the deployment manager used to deploy to the nodes. The default memory for
the deployment manager (dmgr) is insufficient for this task.
Also ensure your hardware has sufficient physical memory for those requirements. Use this procedure to
modify the following JVM memory parameters for RSA Identity Governance and Lifecycle:
l Maximum JVM heap Size. 8 GB is the minimum requirement for a production environment. Additional
memory may be required based on the size of the data and the number of concurrent users. For
example, 32 GB is expected to support up to 300 concurrent users.
The JVM argument is –Xmx. For example (8 GB): –Xmx8192m. Set the memory based on your deployment
requirements.
Note: JDK 1.7 additionally requires a maximum permanent generation heap size of at least 512 MB: –
XX:MaxPermSize=512m
This command is deprecated in JDK 1.8.
Procedure
1. In the WebSphere console, to select the server, click Servers > Server types > WebSphere application
servers > Select server.
2. Choose the server used for RSA Identity Governance and Lifecycle.
3. Under the Configuration tab, select Server Infrastructure > Java and Process Management > Process
Definition.
4. Under Additional Properties, select Java Virtual Machine.
5. Set the following maximum heap value (or greater as necessary):
Configure JVM Settings
Use the WebSphere console to configure the appropriate JVM settings for your deployment.
Note: RSA Identity Governance and Lifecycle requires UTF-8 character encoding . Ensure that the JVM settings
are set to UTF-8 for each standalone or clustered server on which it is deployed..
Procedure
1. In the WebSphere console, to select the server, click Servers > Server types > WebSphere
application servers > Select server.
2. Choose the server used for RSA Identity Governance and Lifecycle.
3. Under the Configuration tab, select Server Infrastructure > Java and Process Management >
Process Definition.
4. Under Additional Properties, select Java Virtual Machine.
-Dclient.encoding.override=UTF-8 -Dfile.encoding=UTF-8
b. Add the following setting to specify the protocol, such as http or https, that your deployment
uses:
-Dwp-client-protocol=<protocol>
c. In deployments that use a load balancer, such as a clustered environment, add the following
setting:
-Dwp-client-hostname=<hostname>
d. If your deployment does not use the default port setting for HTTP, add the following setting:
-Dwp-client-hostport=<hostport>
Note: Use only one space between arguments in the JVM arguments field. For example:
–XX:MaxPermSize=512m -Dclient.encoding.override=UTF-8 -Dfile.encoding=UTF-8
l RSA Identity Governance and Lifecycle user. The default name is AVUSER.
l RSA Identity Governance and Lifecycle reporting engine user. The default name is AVDWUSER.
l RSA Identity Governance and Lifecycle public database schema user. The default name is ACMDB.
l RSA Identity Governance and Lifecycle Statistics Report user. The default name is AVPERF. This user is
required only if Oracle Statspack is installed on the database and you want to include Statspack data in
RSA Identity Governance and Lifecycle Statistics Reports. If you do not have the statspack on your
database do not create the avperf objects — user and data source. However, you must enter a value in
the resource mapping during deployment. See the Database Setup and Management Guide for
information on Statspack installation.
Note: If you created your database instance with non-default names, you must use the same user names and
passwords when you create the authentication users and aliases.
Procedure
1. In the WebSphere console, from the Security menu, select Global Security.
2. Under Authentication, expand Java Authentication and Authorization Service and select J2C
authentication data.
l AVDWUSER
l Alias: avdwuser
l User ID: <avdwuser>
l Password: <avdwuser password>
l Description: ACM avdwuser
l ACMDB
l Alias: acmdb
l User ID: <acmdb>
l Password: <acmdb password>
l Description: ACM acmdb
l AVPERF
l Alias: avperf
l User ID: <perfstat>
l Password: <perfstat password>
l Description: Statspack user
Procedure
1. In the WebSphere console, from the Resources menu, select JDBC > JDBC Providers.
2. Set the scope:
l (Standalone) Node=<machine-name>Node01, server=server1)
l (Cluster) cluster=MyCluster
${ORACLE_JDBC_DRIVER_PATH}/ojdbc8-12.2.0.1.0.jar
${ORACLE_JDBC_DRIVER_PATH}/xdb6-12.2.0.1.0.jar
${ORACLE_JDBC_DRIVER_PATH}/xmlparserv2_sans_jaxp_services-
12.2.0.1.0.jar
6. In the Directory location forojdbc8-12.2.0.1.0.jar section, enter the location of the following JDBC jar
files: ojdbc8-12.2.0.1.0.jar, xdb6-12.2.0.1.0.jar,xmlparserv2_sans_jaxp_services-12.2.0.1.0.jar.
7. Save changes to the master configuration.
8. (Clusters only) Restart the server and node agents after configuration of the JDBC Provider and before
the creation of the JDBC data sources.
The following default RSA Identity Governance and Lifecycle database user schema names are used in this task:
l RSA Identity Governance and Lifecycle user. The default name is AVUSER.
l RSA Identity Governance and Lifecycle reporting engine user. The default name is AVDWUSER.
l RSA Identity Governance and Lifecycle public database schema user. The default name is ACMDB.
l RSA Identity Governance and Lifecycle Statistics Report user. The default name is AVPERF. This user is
required only if Oracle Statspack is installed on the database and you want to include Statspack data in
RSA Identity Governance and Lifecycle Statistics Reports. Statspack can provide useful runtime
diagnostic information. See the Database Setup and Management Guide for information on Statspack
installation. The data source is optional, but you must enter a value in the resource mapping during
deployment.
Note: If you created the database instance with non-default names, you must use the same user names and
passwords when you create the JDBC data sources. See the Database Setup and Management Guide to ensure
that the database instance meets RSA Identity Governance and Lifecycle product requirements. To configure the
JDBC data sources, you need the Oracle SID, Oracle listener hosts, Oracle listener port, and Oracle service
name.
This task describes how to create the following required JDBC data sources:
l avdb
l avdwdb
l acmdb
l avperf — Required only if Oracle Statspack is installed on the database and you want to include
Statspack data in RSA Identity Governance and Lifecycle Statistics Reports. This optional data source
provides valuable runtime diagnostic information.)
Test each data source after you create it to validate the connection configuration.
Procedure
1. In the WebSphere console, from the Resources menu, select JDBC > Data Sources.
2. Set the scope:
l (Standalone) Node=<machine-name>Node01, server=server1)
l (Cluster) cluster=MyCluster
l Data store helper class name: Oracle 10g or Oracle 11g (whichever is used for RSA
Identity Governance and Lifecycle)
l Component-managed authentication alias: avuser
l Data store helper class name: Oracle 10g, Oracle 11g, or Oracle 12c (whichever is used
for RSA Identity Governance and Lifecycle)
l Component-managed authentication alias: avdwuser
l Non-transactional data source: Yes
l Data store helper class name: Oracle 10g, Oracle 11g, or Oracle 12c (whichever is used
for RSA Identity Governance and Lifecycle)
l Component-managed authentication alias: acmdb
l Data store helper class name: Oracle 10g, Oracle 11g, or Oracle 12c (whichever is used
for RSA Identity Governance and Lifecycle)
4. Edit each data source configuration and save changes to the master configuration after each edit:
l For all data sources:
a. Select Resources > JDBC > Data Sources > data source.
b. Select WebSphere Application Server Data Source properties under Additional Properties.
c. Go to the Connection Validation Properties section.
d. Select Validate new connections.
e. Select Validate existing pooled connections.
f. Click Validation by JDBC Driver.
g. Set Timeout: 30 seconds.
h. Save the changes for all data sources.
l Restart the application server after saving changes to the data sources.
5. From the Data source page, test the connections to the data sources by selecting each data source and
click Test Connection.
You must define wpUtilQueue for the RSA Identity Governance and Lifecycle workflow engine. The workflow
engine handles the processing of access requests.
Procedure
1. In the WebSphere console, from the Service integration menu, select Buses.
2. Click New and create the wpBus bus:
Name: wpBus
Note: In a cluster, the next page prompts to select the Messaging Engine policy assistance
settings. Please consult your WebSphere vendor for recommendations. The most commonly used
setting is "Scalability."
Note: The Bus Member is associated with a message store that is required. By default this is a
file store within the WebSphere installation.
Note: In a cluster, all servers must access the message store for the messaging engine. This is
more easily done using a data store configuration, but can be done using a file store if all servers
can access the file location.
l Message store: Select File Store or Data Store. Configure the store for your environment:
l File store requires directory path information for logging to the file system.
l Data store requires information for data access. You need to provide the pre-configured
data-source JNDI name and authentication alias.
l Identifier: acmMessageTopic
Procedure
1. In the WebSphere console, from the Resources menu, select JMS > JMS Provider.
l (Cluster) cluster=MyCluster
l Name: wpUtilQueue
Install RSA Identity Governance and Lifecycle Using the Aveksa EAR
File
This section describes how to install the RSA Identity Governance and Lifecycle application by using the Aveksa
EAR File.
l Identify which node is the system operations node (SON). By default, the initial server instance is the
system operations node (SON) on any newly created cluster.
l Installation requires a single connection to the database for setup and migration. Use a single node and
make sure only one server instance is running. While this can be any node, RSA recommends using the
SON node for the installation or upgrade process.
l If migrating or patching a clustered deployment, you are required to run the SON without any other
active nodes before using the system. The SON must be started after installation is complete to properly
instantiate any workflow updates and ensure that any new RSA Identity Governance and Lifecycle
security model changes are initialized.
Procedure
1. In the WebSphere console, initiate the installation:
a. From Applications menu, select Application Types > websphere enterprise applications, and
click Install.
b. Browse to the aveksa.ear file in the DISTRIBUTION folder or in the customization directory
(specified in Modifying the RSA Identity Governance and Lifecycle Enterprise Archive on page
188) as required.
3. (Clusters only) Select Map Modules to Servers. Select all modules, select the scope from the list of
Clusters and Servers, and click Apply. The server associated with the module should be listed as the
cluster. Click Next.
4. Select "Prompt me only when additional information is required," and click Next.
5. Select Bind listeners for message-driven beans and activation specification for each EJB module. Set the
Target Resource JNDI Name as follows:
l SubscriberMDB: jms/acmSubscriberActSpec
l (WebSphere 9.0.0.x only) Destination JNDI name:
topic/acmMessageTopic
6. Select Map resource references to resources. Most of the Target Resource JNDI Names are defined by
default. You must configure six additional resources: two resources for the subscriber Message bean
(SubscriberMDB) and four JDBC resources for the Aveksa application. Enter the following values:
l In the DataSource section, configure DataSource Target Resource JNDI name for the
SubscriberMDB EJB. For jdbc/avdb, browse avdb to or enter jdbc/avdb.
At the bottom of the page, configure DataSource Target Resource JNDI names for the Aveksa application.
To map topic/acmMessageTopic to the resource, in the Target Resource JNDI field, enter
topic/acmMessageTopic.
Because the entire database schema for RSA Identity Governance and Lifecycle must be created during
the initial post-installation restart, the process might take several minutes.
You can view the SystemOut.log file to check the restart progress. The file is located in the path similar
to: $WEBSPHERE_HOME/AppServer/profiles/AppSrv01/logs/server1. See Troubleshooting a
WebSphere Installation on page 145 for more information on log files.
13. Verify your installation by accessing RSA Identity Governance and Lifecycle through your WebSphere
server port at: http://<server or node name>:9080/aveksa/main.
Note: Port 9080 is the standard WebSphere server port, but your deployment might use a different
port.
Once the SON node is started and validated, all other nodes can be started. For information on how to
manage RSA Identity Governance and Lifecycle instance nodes in the cluster, see the Help topic,
"Managing Server Cluster Nodes."
This task describes how to install the RSA Identity Governance and Lifecycle Workflow Architect. You use the
Workflow Architect to view and edit workflows for change requests.
During the deployment process, a cluster requires a single connection to the database for setup and migration.
Make sure you use a single node during the process and that only one server instance is running.
Procedure
1. In the WebSphere console, Initiate the installation:
a. From Applications menu, select Application Types > Websphere Enterprise Applications, and
click Install.
b. Browse to the aveksaWFArchitect.ear file in the DISTRIBUTION folder.
3. (Clusters only) Select Map Modules to Servers. Select all modules, select the scope from the list of
Clusters and Servers, and click Apply. The server associated with the module should be listed as the
cluster. Click Next.
4. In the Map Virtual Hosts for Web Modules screen, click Next.
5. (WebSphere 9.0.0.x only) In the Metadata for modules screen, enable the metadata-complete attribute
checkbox and click Next.
6. Complete the installation of the EAR. This process takes several minutes to complete.
7. Save changes to the master configuration.
Deploy the Aveksa EAR. See Install RSA Identity Governance and Lifecycle Using the Aveksa EAR File.
4. Under the Class Loading section, select Use an isolated class loader for this shared library.
1. From the WebSphere admin console, go to Applications > Application Types > WebSphere enterprise
applications.
2. Select the aveksa application on the Enterprise Applications page.
3. Under the References section, click the Shared library references link.
4. Select the aveksa application, and then click Reference shared libraries.
5. On the Shared Library Mapping page, select Aveksa Shared Library from the Available list and move it to
the Selected list.
6. Click OK to save changes.
The Key Encryption Key (KEK) is the key used to encrypt all other encryption keys. The installation (or upgrade)
creates a unique KEK and stores it in the encryption key directory. The default location of the directory is
/home/oracle/security. If the default directory is not available or you want to set a different directory, you must
create the directory, and then specify the location in a Java system variable.
Procedure
1. Log in to the system as root.
Note: You must log in as the root account to ensure that the proper permissions are granted. This
procedure may not work using any other account.
2. Make sure you have a directory for storing the encryption key. For security purposes, the directory
should have the following settings:
l If the directory already exists, set its permissions to 700 (rwx------) and make sure that the
directory is owned by the same user under which RSA Identity Governance and Lifecycle is
running.
l If the directory does not exist, the parent directory must be writable for the user under which
RSA Identity Governance and Lifecycle is running. In this case, RSA Identity Governance and
Lifecycle will create the directory with the correct permissions.
3. Set a Java system property "rsavialg.security.keydir" to the directory where the encryption key is stored.
Perform these steps in the Admin console for WebSphere:
1. To select the server, click Servers > Server types > WebSphere application servers > Select
server.
2. Choose the server used for RSA Identity Governance and Lifecycle.
3. Under the Configuration tab, select Server Infrastructure > Java and Process Management >
Process Definition.
4. Under Additional Properties, select Java Virtual Machine > Custom Properties.
5. Select New, then enter:
Name: rsavialg.security.keydir
4. Create a secure backup process to back up the keys that are in the encryption key directory. RSA Identity
Governance and Lifecycle generates these keys and stores them only in the designated directory.
If the keys are lost, any data encrypted with those keys will be irrecoverable. The backup process should
ensure that the keys are not compromised, or otherwise exposed, during the backup or after they are in
the backup location.
Note: Anytime that you change the value of the Java system property after the keys have already been created
(meaning after you configured the property and brought the system up), you must bring down the system and
move the keys to the new location before bringing up the system again.
Procedure
1. In the Admin console, add a java system property named "rsavialg.security.strict.permissions.disabled"
property and set the value to "true" as shown for the platform type:
1. To select the server, click Servers > Server types > WebSphere application servers > Select
server.
2. Choose the server used for RSA Identity Governance and Lifecycle.
3. Under the Configuration tab, select Server Infrastructure > Java and Process Management >
Process Definition.
4. Under Additional Properties, select Java Virtual Machine > Custom Properties.
5. Select New, then enter:
Name: rsavialg.security.strict.permissions.disabled
Value: true
If the directory already exists, set its permissions such that the user (owner of the process under which
RSA Identity Governance and Lifecycle is running) has “rwx” access into this directory. The owner of the
directory need not be the same as the owner of the application process, but the owner of the application
process must be able to read and write into this directory. This means “rwx” permissions have to be set
for the appropriate file permission field (owner, group, all) , which will allow the application process full
access.
If the directory does not exist, it is recommended that you create it. Set up the permissions on the
directory as specified in the previous item.
If the directory does not exist and you do not create it, the application will attempt to create the directory
on first startup using default permissions and the directory will be owned by the same user as the
application process.
Error Messages
The following table contains a list of error messages that might display (in the AveksaServer.log) after you
configure the encryption key directory. The table lists default directory paths for the encryption key directory
(/home/oracle/security) and its parent directory (/home/oracle). The suggested actions are performed on the
RSA Identity Governance and Lifecycle host.
AFX servers and remote agents use an self-signed certificate when communicating with the RSA Identity
Governance and Lifecycle server over an Secure Sockets Layer (SSL) connection. This self-signed certificate
and the RSA Identity Governance and Lifecycle server certificate signed by the Certificate Authority (CA) reside
in the RSA Identity Governance and Lifecycle keystore file server.keystore. This server.keystore file is used as a
keystore and truststore as it contains RSA Identity Governance and Lifecycle server certificates and the chained
trusted certificate of the RSA Identity Governance and Lifecycle CA. RSA Identity Governance and Lifecycle
trusts connections with AFX servers and remote agents because their certificates have been signed by the RSA
Identity Governance and Lifecycle CA.
To enable SSL communications between RSA Identity Governance and Lifecycle and AFX or agents, you must
make the server.keystore available to WebSphere by completing the following high-level tasks:
Procedure
1. Download the server.keystore file from RSA Identity Governance and Lifecycle to the WebSphere server.
2. Create a keystore in WebSphere using the downloaded server.keystore.
3. Configure SSL in WebSphere using the server.keystore.
4. Configure the SSL port.
Note: If an agent is installed on a remote machine, you must configure the agent and RSA Identity Governance
and Lifecycle to use SSL for communication. You must edit the agent’s configuration file to change the hostname
from localhost to the hostname of the RSA Identity Governance and Lifecycle server, or in a cluster, the SON.
Additionally, you must configure the agent and server to use certificates as described in Help in Security: SSL
Configuration and Authentication.
If the WebSphere server does not contain any keystores, you must do the following before configuring SSL the
RSA Identity Governance and Lifecycle :
l Obtain private keys and digital certificates from a trusted CA, such as Verisign, Inc. or Entrust.net.
l In WebSphere, create the keystore.
l Load the private keys and trusted CAs into the keystore.
Procedure
1. Log into RSA Identity Governance and Lifecycle as an administrator, for example, AveksaAdmin.
2. Go to Admin > System > Security.
3. Under Security, click Download.
4. When prompted, click Save.
5. Specify where to save the server.keystore file, and click Save.
6. Copy the file to the WebSphere server.
7. Write down the location of the file. You must specify this location when you create the keystore on the
WebSphere server.
To create a keystore, see your WebSphere documentation. Use the following information when entering keystore
properties:
Property Value
Name Aveksa Agent Keystore
Management Scope <server scope.>
Path <full path to the server.keystore file on the WebSphere server>
Password Av3k5a15num83r0n3
Confirm Password Av3k5a15num83r0n3
Type JKS
To configure SSL, see your WebSphere documentation. Use the following information when you enter the
properties:
Property Value
Name Aveksa Agent SSL
TrustStore Name Aveksa Keystore
KeyStore Name Aveksa Keystore
Default Server Alias server
Property Value
Default Client Alias server
Standalone - select server scope
Management scope
Cluster - select cluster scope
Procedure
1. In the WebSphere console, click Security > SSL certificate and key management > SSL configurations.
2. Select the associated Aveksa Agent SSL configuration.
3. Under Additional Properties, select Quality of Protection (QoP) settings.
4. Under Client authentication, select Required.
5. Under Protocol, select TLSv1.2.
6. Click OK to save the changes.
7. Restart WebSphere.
Procedure
1. In the WebSphere console, configure a web container transport chain using the following settings and
save the transport chain to the master configuration:
Setting Value
Transport Name WCAveksa8444
Transport chain Template WebContainer-Secure
Port Name ACMPort8444
Host *
Port 8444
2. Edit the WCAveska8444 transport chain and modify SSL inbound channel (SSL_4) to use the SSL
configuration specific to this endpoint: Aveksa Agent SSL.
3. Create a new host alias for the default_host using the following settings and save the changes to the
master configuration:
Setting Value
Host *
Port 8444
To secure the administration of RSA Identity Governance and Lifecycle through a web browser and to secure the
web services that connect to RSA Identity Governance and Lifecycle, you must configure HTTPS access on the
WebSphere server, if it's not already configured.
l Create a keystore and configure SSL using certificates from an internal or third-party CA.
l Create a port to use for communication from a browser or web services.
To create a keystore, see your WebSphere documentation. Use the following information when you are entering
the keystore properties:
Property Value
Name Aveksa Keystore
Management Scope <server scope.>
Path <full path to the server.keystore file on the WebSphere server.>
Password <keystore password>
Confirm Password <keystore_password>
Type JKS
When you connect to RSA Identity Governance and Lifecycle using a browser, the RSA Identity Governance and
Lifecycle server identifies itself using a certificate. RSA recommends that you use a signed certificate.
A self-signed certificate is installed with the product. This certificate enables an HTTPS connection, but the
client browser always displays a warning before allowing a user to connect. RSA recommends that you replace
the self-signed certificate with a certificate signed by a Certificate Authority (CA).
To configure SSL, see your WebSphere documentation. Use the following information when entering properties:
Property Value
Name Aveksa SSL
TrustStore Name Aveksa Keystore
KeyStore Name Aveksa Keystore
Default Server Alias <server_alias>
Default Client Alias <server alias>
Standalone - select server scope
Management scope
Cluster - select cluster scope
Procedure
1. In the WebSphere console, configure a web container transport chain using the following settings and
save the transport chain to the master configuration:
Setting Value
Transport Name WCAveksa9443
Transport chain Template WebContainer-Secure
Port Name ACMPort9443
Host *
Port 9443
2. Edit the WCAveska9443 transport chain and modify SSL inbound channel (SSL_4) to use the SSL
configuration specific to this endpoint: Aveksa SSL.
3. Create a new host alias for the default_host using the following settings and save the changes to the
master configuration:
Setting Value
Host *
Port 9443
RSA Identity Governance and Lifecycle authentication sources require the configuration of a corresponding JAAS
module in WebSphere. In a clustered environment, configuration is required on each application server
instance.
RSA Identity Governance and Lifecycle displays configuration properties required to set up the authentication
source in WebSphere in the RSA Identity Governance and Lifecycle user interface under the Admin > System
> Authentication tab for a given Authentication source. Use this list of properties, including any encrypted
password, to set up the JAAS configuration within WebSphere.
For more information, see "Creating a New Authentication Source" in the RSA Identity Governance and Lifecycle
Administrator's Guide.
Procedure
1. Open the WebSphere Administrative Console.
2. From the Security menu, select Global Security.
3. Under Authentication, expand Java Authentication and Authorization Service and select Application
Logins.
4. Click New to create the Login Module Alias:
Authentication Strategy: <Authentication Source Name> This is the name of the authentication source in
RSA Identity Governance and Lifecycle.
5. Click Apply.
6. In the JAAS Login Modules section, click New to define the Login Module class name.
7. Click Apply.
8. In the Custom properties section, click New.
9. Enter the authentication source parameters values. The values must match those configured for the
authentication source you created in RSA Identity Governance and Lifecycle. The list of configuration
property values will vary, depending on the type of the authentication source and the data used to
configure it.
You can strengthen security by using these recommended settings, where possible.
Procedure
1. In the WebSphere console, from the Servers menu, click WebSphere Application Servers > <server-
name>
2. Under Container Settings, click Session Management.
3. Click Enable Cookies.
4. Enable the Restrict Cookies to HTTPS Sessions setting.
5. Click OK to save the changes.
RSA Identity Governance and Lifecycle is now accessible only over the SSL port configured in the
WCInboundDefaultSecure web container.
To view the settings, in RSA Identity Governance and Lifecycle, click Admin > System, and click the Security
tab.
l Security
l XSS/Scripting Security
l Web Services and Mobile
The default settings comply with security best practices. For information about these settings, click Help on the
Security settings page.
RSA Identity Governance and Lifecycle provides a default user named AveksaAdmin. To provide access to other
users, you can define:
For instructions on setting up an authentication source, see Managing Log On Authentication Sources in Help.
l Make sure your machine meets the prerequisites for hardware, software, and database described in
Chapter 2, Installation Prerequisites.
l You should have a working knowledge of WebLogic, privileges to deploy RSA Identity Governance and
Lifecycle within the environment, and know how to stop and start WebLogic Server instances as
required.
l Confirm that a cluster is already configured for an RSA Identity Governance and Lifecycle deployment.
You need information about each application server instance in the cluster. For background information
about running RSA Identity Governance and Lifecycle in a cluster, see Clustered Application Server and
Oracle RAC Implementation Environments.
l For WebLogic Server versions 10.3.6 through 12.1.3, ensure that the WebLogic Server has been
patched to address WebLogic bug #18633088.
l Add the following Java option to the WebLogic server start-up script:
-Dweblogic.deploy.MaxPostSize=“1610612736”
l Modifying the Enterprise Archive for information on setting up a customization directory where you can
configure custom RSA Identity Governance and Lifecycle settings for WebLogic.
l The Help for information on customizing settings in the “customization” directory for integration with
any of the following:
l Novell Identity Manager
l Sun Identity Manager
l IBM Tivoli Identity Manager
Each node can support up to 250 client sessions. There are two types of nodes:
l A single System Operations Node (SON), which handles operations, such as data collections, agent
management, review generation, and policy processing.
l One or more general nodes, which handles user interface processing.
For more information, see the Help topic, "Managing Server Cluster Nodes."
The following describe each RAC component and recommendations for RSA Identity Governance and Lifecycle:
l Oracle RAC Database Instances — An Oracle RAC installation typically includes two or more database
instances, each with its own memory and local working cache. Each node requires two network
interfaces to communicate with both application servers on the public network and private network that
is used for both shared storage and the cluster .
RSA recommends that each database node has a local hard disk that holds the individual Oracle
clusterware and Oracle database homes in addition to the operating system and local swap files.
l Private Network — The private network used for coordinating cluster activities and the network that
accesses the shared storage system. The private network allows the Oracle cluster to the access Cluster
Ready Services (CRS)/Voting disk. Because RSA Identity Governance and Lifecycle operates in a mixed
Online Transaction Processing (OLTP) and Decision Support System (DSS) mode, many installations
benefit from a faster 10-Gbit network to support the caching requirements of DSS operations such as
collections and report generation.
l Shared Storage — RSA Identity Governance and Lifecycle supports Storage Area Network (SAN) systems
with multiple disk volumes. SANs with RAID 5 or RAID0+1 provide the required read-write performance
for the Oracle RAC.
The shared storage system, along with Oracle Automatic Storage Management (ASM), provides three
types of storage for the cluster that will be assigned to Logical Unit Numbers (LUN). Traditional Oracle
tablespace storage will occupy most of the space and will be stored in the LUN "VOL1." A second LUN,
will be created for cluster activities and will be assigned to the LUN "CRS1."
The third LUN will provide a general purpose "cluster-aware" file system that will be shared with all of
the members of the cluster and will be assigned to the LUN "FS1." Oracle requires this "cluster-aware"
file system be used when setting up Oracle directories in a cluster. Because RSA Identity Governance
and Lifecycle requires the AVEKSA_EXPORTIMPORT_DIRECTORY, we recommend a configuration that
uses Oracle Automatic Storage Management Cluster File System (Oracle ACFS) to create a mountable
volume usable by the operating system itself.
Procedure
1. Log on to the machine hosting the WebLogic application server.
2. Choose a download directory (/opt for example).
3. Download the installation files:
a. Go to RSA Link (https://community.rsa.com/community/products/governance-and-lifecycle),
then click Log In and enter your user name and password.
b. Click RSA Identity Governance and Lifecycle.
The Current tab lists the most recent release. The Archive tab lists previous releases.
cd /opt
Note: On Solaris, use a tar utility that handles long filenames such
as GNU tar.
This step creates an ACM-WebLogic directory that includes all software components required for the
installation. The directory location is referred to as DISTRIBUTION in this chapter.
Use the WebLogic console to perform all installation and configuration steps. See your WebLogic administrator
for the URL and access credentials.
Note: Restart the application server instance after you change JVM settings described in this section.
Procedure
1. Start WebLogic using the domain 'startWebLogic.sh' command. For example:
$DOMAIN_HOME/bin/startWebLogic.sh
2. From your browser, access the WebLogic Administration Console using the following URL:
http://<hostname>:7001/console
Configure JVM Settings
Use the WebLogic console to configure the appropriate JVM settings for your deployment.
Note: RSA Identity Governance and Lifecycle requires UTF-8 character encoding. Ensure that the JVM settings
are set to UTF-8 for each managed server on which it is deployed, standalone or cluster.
Procedure
1. In the WebLogic console, to select the server, click Environment > Servers > Select server.
2. Choose the server used for RSA Identity Governance and Lifecycle.
3. Select Configuration tab > Server Start tab.
4. Under Arguments, perform the following steps:
a. Enter the following to set the character encoding:
-Dclient.encoding.override=UTF-8 -Dfile.encoding=UTF-8
b. Add the following setting to specify the protocol, such as http or https, that your deployment
uses:
-Dwp-client-protocol=<protocol>
c. In deployments that use a load balancer, such as a clustered environment, add the following
setting:
-Dwp-client-hostname=<hostname>
d. If your deployment does not use the default port setting for HTTP, add the following setting:
-Dwp-client-hostport=<hostport>
5. Click Save.
l Maximum JVM heap Size. 8 GB is the minimum requirement for a production environment. Additional
memory may be required based on the size of the data and the number of concurrent users. For
example, 32 GB is expected to support up to 300 concurrent users.
If you use custom scripts to start the WebLogic application server, these methods might not map to your
environment. Consult the WebLogic administrator on how the JVM arguments are set for your environment.
The JVM startup options are in the setDomainEnv.sh script by default. You can edit the JVM settings for the
domain in which you will deploy RSA Identity Governance and Lifecycle. For example, from $WEBLOGIC_
HOME/user_projects/domains/<domain_name>/bin, you can add commands for USER_MEM_ARGS near the
beginning of the setDomainEnv script, where WL_HOME is set, to override the default memory settings:
export USER_MEM_ARGS
If you require other memory settings, make sure you retain those settings along with RSA Identity Governance
and Lifecycle settings. For example:
To set the JVM arguments using this method, log in to the Admin Console and perform these steps:
Procedure
1. To select the server, click Environment > Servers > Select server.
2. On the Configuration tab, select Server Start tab.
3. In the Arguments field, add: -Xmx8192m
Procedure
1. Open WebLogic admin console.
2. Go to Services > JTA.
3. Change the Timeout setting from 30 (default) to 120.
Perform all installation and configuration steps from the WebLogic Administration Console. All values are
expected to be set to the default values, unless otherwise specified. Make sure the application server resources
are created with the correct scope, which is different between clusters and standalone servers. When you
configure resources for a cluster, you might need to synchronize nodes or restart nodes. See the Database
Configuration Values for more information.
Procedure
1. Start WebLogic using your domain 'startWebLogic.sh' command. For example:
$DOMAIN_HOME/bin/startWebLogic.sh
http://<hostname>:7001/console
Note: If you change security realm user information after the RSA Identity Governance and Lifecycle EAR has
been deployed, you must change corresponding settings in the EAR and then redeploy the EAR. See Changing
the Security Realm User and Group Information for more information.
Procedure
1. Log on to the WebLogic console.
2. Select Security Realms.
3. Select myRealm > Users and Groups tab and create the users and groups as follows:
l Create a acmUsers group from the Groups tab:
a. Click New.
b. Enter:
Name: acmUsers
c. Click OK.
l Name: WorkPointUsers
c. Click OK.
a. Name: aveksaUser
c. Password: Aveksa123
c. Click OK.
Name: workpoint
c. Click OK.
4. Add the users you created to the groups you created from the Users and Groups > Users tab:
l Add the aveksaUser user to the acmUsers group:
a. Click aveksaUser.
b. Select the Groups tab.
c. Move acmUsers from the Available list to the Chosen list.
d. Click Save.
The following default RSA database user schema names are used in this task:
l RSA Identity Governance and Lifecycle user. The default name is AVUSER.
l RSA Identity Governance and Lifecycle reporting engine user. The default name is AVDWUSER.
l RSA Identity Governance and Lifecycle public database schema user. The default name is ACMDB.
l RSA Identity Governance and Lifecycle Statistics Report user. The default name is AVPERF. This user is
required only if Oracle Statspack is installed on the database and you want to include Statspack data in
Aveksa Statistics Reports. If you remove or disable Statspack on your database, remove the AVPERF data
source and restart the database.
Note: If you created the database instance with non-default names, you must use the same user names and
passwords when you create the JDBC data sources. See the Database Setup and Management Guide to ensure
that the database instance meets the RSA Identity Governance and Lifecycle product requirements. To configure
JDBC data sources, you need the Oracle SID, Oracle listener hosts, Oracle listener port, and Oracle service
name. In addition to configuration information, you need to know if the Oracle database being used is a standard
Oracle or Oracle RAC implementation. You might require the assistance of your Oracle database administrator
(DBA) to provide the information needed to create the data sources or resolve any issues with connectivity.
Repeat this procedure for the data sources listed in the following table. This table provides additional
information needed for the data source creation process. Each created data source yields an Oracle connection
URL to test. If the data source is configured incorrectly, the connection test fails. An Oracle DBA might be
necessary to resolve the issue.
Procedure
The Oracle RAC configuration may have two options for providing Oracle connection
information: Provide the complete connection URL or provide connection information
for WebLogic to create the URL.
4. Configure the data source using the following table of configuration details. Use the default values
unless otherwise specified.
Standalone Database RAC Database
Data Source Name from preceding Data Source Name from preceding
Name
table table
Scope Global Global
JNDI Name JNDI Name from preceding table JNDI Name from preceding table
Driver (Thin) for Instance connections (Thin) for GridLink connections
AVDB, ACMDB, and AVPERF - AVDB, ACMDB, and AVPERF -
Supports Global Selected Selected
Transactions
AVDWDB - Deselected AVDWDB - Deselected
One Phase Commit Selected Selected
Database/Service Name
Host Name
Port See DBA for Oracle Connection Information
Database User
Password
URL Value is populated by WebLogic May be populated or set explicitly
5. Test the Configuration. If the connection test fails, review the Oracle connection information.
6. Under Target, select the target server or cluster.
7. Save the configuration.
8. Repeat steps 3-7 for each of the data sources.
9. Edit the configuration for each data source:
a. Go to the Connection Pool tab, expand the Advanced settings, then deselect Wrap Data Types.
b. Configure the Set Maximum Capacity value according to the following table:
Data Source Maximum Capacity Value
AVDB 300
ACMDB 15
AVDWDB 50
AVPERF default value
10. (Optional) Secure each data source with a security policy. You can enable security after installing RSA
Identity Governance and Lifecycle.
Note: The settings here are dependent on the users and groups defined in Create Security Realm Users
and Groups.
g. Select Add.
h. Select Finish.
i. Select Save.
j. Restart WebLogic.
Procedure
1. To create a JMS server or servers. Click Services > Messaging > JMS Servers > New.
On a standalone system, configure a single server with the AdminServer as the target. For a cluster,
create a JMS server for each server instance or node. See the Database Configuration Values for
installing in a clustered environment.
l Name: acmJMSServer1
l Persistent Store: Select a preconfigured Persistent Store or click New to create one with the
required information for the given persistent store type. Set the persistent store target to match
the target for this JMS server.
l New (Persistent Store) Choose Type: File Store or JDBC Store
l Name: Provide a name for the store. For example: Server1FileStore
l Target: Choose the target server instance. Choose the server for a cluster configuration.
For example: Node1
l Directory (File Store): Provide the directory on the server where the persistent store is
kept.
l Data Source (JDBC Store): <Configured datasource>
l Prefix Name (JDBC Store): Prefix for the table name for the store. For example, server1,
would result in table SERVER1WLSTORE.
2. Create a new JMS Module. Click Services > Messaging > JMS Modules > New.
l Name: acmJMSModule
l Descriptor File Name: Leave blank.
l Target: Choose the target server or the cluster name.
4. Add the required resource to the acmJMSModule. Select acmJMSModule, select the Configuration tab for
each new resource, and click New.
a. New Queue:
l Type: Queue or a Distributed Queue for a clustered environment
l Name: wpUtilQueue
l JNDI Name: queue/wpUtilQueue
l Subdeployment: Select acmSubDeployments
l Target: Required targets are selected by default as part of the subdeployment.
b. Edit the acmConnectionFactory: From the Default Delivery tab, set the Default Delivery Mode to
Non-Persistent.
c. New Topic:
l Type: Topic or Distributed Topic for a clustered environment.
l Name: acmMessageTopic
l JNDI Name: topic/acmMessageTopic
l Subdeployment: Select acmSubDeployment
l Target: Required targets are selected by default as part of the subdeployment.
Install RSA Identity Governance and Lifecycle Using the Aveksa EAR
File
This section describes how to install the RSA Identity Governance and Lifecycle application by using the Aveksa
EAR file.
l Identify which node is the system operations node (SON). By default, the initial server instance is the
system operations node (SON) on any newly created cluster.
l Installation requires a single connection to the database for setup and migration. Use a single node and
make sure only one server instance is running. While this can be any node, RSA recommends using the
SON node for the installation or upgrade process.
l If migrating or patching a clustered deployment, you are required to run the SON without any other
active nodes before using the system. The SON must be started after installation is complete to properly
instantiate any workflow updates and ensure that any new RSA Identity Governance and Lifecycle
security model changes are initialized.
Procedure
1. Log on to the WebLogic console.
2. Select Deployments > Install.
3. Browse to aveksa.ear. For example: ACM-WebLogic /aveksa.ear. The path may differ for a hotfix or a
customized aveksa.ear.
4. Install this deployment as an application.
5. (For clusters only) Select deployment targets: cluster.
6. In the Set Name field, enter: aveksa
7. Choose the default selection: Copy this application to every target for me under Source accessibility.
8. In Additional configuration, choose: No, I will review the configuration later.
9. Start the RSA Identity Governance and Lifecycle application. In a cluster, start the application on the
single designated deployment node only.
In a cluster, the first managed server you start deploys and initializes the database schema, which
might take several minutes.
You can check installation progress by viewing the WebLogic Admin Server log file. See Troubleshooting
a WebLogic Installation on page 151 for more information on log files.
10. Validate the installation by accessing RSA Identity Governance and Lifecycle from
http://localhost:7001/aveksa/main.
Once the SON node is started and validated, all other nodes can be started. For information on how to
manage RSA Identity Governance and Lifecycle instance nodes in the cluster, see the Help topic,
"Managing Server Cluster Nodes."
This task describes how to install the RSA Identity Governance and Lifecycle Workflow Architect application. You
can use the Workflow Architect to view and edit workflows for change requests.
During the deployment process, a cluster requires a single connection to the database for setup and migration.
Make sure you use a single instance and ensure that no other instances are running.
Procedure
The Key Encryption Key (KEK) is the key used to encrypt all other encryption keys. The installation (or upgrade)
creates a unique KEK and stores it in the encryption key directory. The default location of the directory is
/home/oracle/security. If the default directory is not available or you want to set a different directory, you must
create the directory, and then specify the location in a Java system variable.
Procedure
1. Log in to the system as administrator with root privileges.
Note: You must log in as the root account to ensure that the proper permissions are granted. This
procedure may not work using any other account.
2. Make sure you have a directory for storing the encryption key. For security purposes, the directory
should have the following settings:
l If the directory already exists, set its permissions to 700 (rwx------) and make sure that the
directory is owned by the same user under which RSA Identity Governance and Lifecycle is
running.
l If the directory does not exist, the parent directory must be writable for the user under which
RSA Identity Governance and Lifecycle is running. In this case, RSA Identity Governance and
Lifecycle will create the directory with the correct permissions.
3. Set a Java system property "rsavialg.security.keydir" to the directory where the encryption key is stored.
The location of this property depends on the platform you are running on and also whether RSA Identity
Governance and Lifecycle is standalone or running in a cluster.
There are two ways to set JVM arguments in WebLogic installations. These methods might not map to
your environment if you use custom scripts for starting a WebLogic application server instance. See
your WebLogic administrator to configure the JVM setting for your environment.
l Edit the WebLogic Domain startup environment script. This is typically done on a standalone
system and is required if using the AdminServer as the instance where you are deploying RSA
Identity Governance and Lifecycle.
Edit the setDomainEnv.sh file for the domain in which you will be deploying the RSA Identity
Governance and Lifecycle application.
export JAVA_OPTIONS
JAVA_OPTIONS="$JAVA_OPTIONS
-Drsavialg.security.keydir="/wls/masterkeystorage"
JAVA_OPTIONS="$JAVA_OPTIONS -Drsavialg.security.keydir="/wls/masterkeystorage"
l Use the Administration Console to specify JVM arguments for a server instance. This is typically
used if your servers are managed through NodeManager.
Note: Anytime that you change the value of the Java system property after the keys have already been created
(meaning after you configured the property and brought the system up), you must bring down the system and
move the keys to the new location before bringing up the system again.
Procedure
1. Add a java system property named "rsavialg.security.strict.permissions.disabled" property and set the
value to "true" as shown for the platform type:
There are two ways to set JVM arguments in WebLogic installations. These methods might not map to
your environment if you use custom scripts for starting a WebLogic application server instance. See
your WebLogic administrator to configure the JVM setting for your environment.
l Edit the WebLogic Domain startup environment script. This is typically done on a standalone
system and is required if using the AdminServer as the instance where you are deploying RSA
Identity Governance and Lifecycle.
Edit the setDomainEnv.sh file for the domain in which you will be deploying the RSA Identity
Governance and Lifecycle application.
JAVA_OPTIONS="$JAVA_OPTIONS -Drsavialg.security.strict.permissions.disabled=true"
export JAVA_OPTIONS
JAVA_OPTIONS="$JAVA_OPTIONS
-Drsavialg.security.strict.permissions.disabled="true"
JAVA_OPTIONS="$JAVA_OPTIONS -Drsavialg.security.strict.permissions.disabled="true"
l Use the Administration Console to specify JVM arguments for a server instance. This is typically
used if your servers are managed through NodeManager.
If the directory already exists, set its permissions such that the user (owner of the process under which
RSA Identity Governance and Lifecycle is running) has “rwx” access into this directory. The owner of the
directory need not be the same as the owner of the application process, but the owner of the application
process must be able to read and write into this directory. This means “rwx” permissions have to be set
for the appropriate file permission field (owner, group, all) , which will allow the application process full
access.
If the directory does not exist, it is recommended that you create it. Set up the permissions on the
directory as specified in the previous item.
If the directory does not exist and you do not create it, the application will attempt to create the directory
on first startup using default permissions and the directory will be owned by the same user as the
application process.
Error Messages
The following table lists error messages that might display (in the AveksaServer.log) after you configure the
encryption key directory. The table lists default directory paths for the encryption key directory
(/home/oracle/security) and its parent directory (/home/oracle). The suggested actions are performed on the
RSA Identity Governance and Lifecycle host.
RSA Identity Governance and Lifecycle contains the server.keystore file which is used as a keystore and
truststore. This file contains
RSA Identity Governance and Lifecycle trusts connections with AFX servers and remote agents because their
certificates have been signed by the RSA Identity Governance and Lifecycle CA.
To enable SSL between RSA Identity Governance and Lifecycle and AFX or agents, you must make the
server.keystore available to WebLogic by completing the following tasks:
Procedure
1. Download the server.keystore file from RSA Identity Governance and Lifecycle to the WebLogic server.
2. Import the certificates from the downloaded server.keystore into the WebLogic keystore.
3. Configure the SSL port.
If the WebLogic server does not contain the keystores and certificates required to use SSL, you must perform
the following configuration tasks before you configure the RSA Identity Governance and Lifecycle application to
use SSL:
l Obtain private keys and digital certificates from a reputable certificate authority, such as Verisign, Inc.
or Entrust.net.
l Create the identity keystore and the trusted keystore.
l Load the private keys and trusted certificate authorities (CAs) into the keystores.
For instructions on how to perform these tasks, see the WebLogic documentation.
Procedure
1. Log on to RSA Identity Governance and Lifecycle as an administrator user, for example, AveksaAdmin.
2. Go to Admin > System > Security.
3. Under Security, click Download.
4. When prompted, click Save.
5. Specify where to save the server.keystore file, and click Save.
6. Copy the file to the WebLogic server.
7. Write down the location of the file. You must specify this location when you import the certificates into
the keystore on the WebLogic server.
Import the RSA Identity Governance and Lifecycle Certificates into the
WebLogic Keystores
To communicate with the AFX server and RSA Identity Governance and Lifecycle agents, the WebLogic server
running RSA Identity Governance and Lifecycle needs to know of the certificates contained in the
server.keystore file. Use the WebLogic keytool utility to import the certificates.
WebLogic contains two keystores: an identity keystore and a trusted keystore. Use the keytool to import the
trusted certificate (also known as the CA) into the trusted keystore and the private key into the identity keystore.
If your WebLogic server uses the same keystore trust and identity, you can import the private key and the
trusted certificate into the single keystore.
The following sections provide the command parameters to use when you run the keytool.
Procedure
Log on to the WebLogic server and type the following at a command prompt:
where
Procedure
Log on to the WebLogic server and type the following at a command prompt:
where
To import the private key and the trusted certificate into the same keystore
Procedure
Log on to the WebLogic server and type the following at a command prompt:
where
Procedure
1. In WebLogic, create a new network channel using the following settings. In the WebLogic console, the
channnel settings are typically found under Server > Protocols. See the WebLogic documentation for
details on performing this task.
Setting Value
Name Aveksa8444
Protocol https
Listen Port 8444
External Listen Port 8444
Two Way SSL Enabled Checked
Client Certificate Enforced Checked
Custom Channel Private Key Alias server
The WebLogic server uses HTTPS to secure the administration of RSA Identity Governance and Lifecycle through
a web browser, and to secure RSA Identity Governance and Lifecycle web service connections. If HTTPS is not
already configured, you need to configure SSL and enable the SSL listening port for HTTPS. Use certificates that
you obtained from a third-party or internal CA.
RSA Identity Governance and Lifecycle uses the SSL/TLS protocol to secure communications from a browser or
web services on Port 8443.
These settings are in the WebLogic application server. Use the latest available version of TLS to provide the most
secure communications.
Procedure
1. Use the following settings to configure the port. The channel settings are typically found in the
WebLogic console under Server > Protocols.
Setting Value
Name Aveksa8443
Protocol https
Listen Port 8443
External Listen Port 8443
Two Way SSL Enabled Checked
Client Certificate Enforced Unchecked
Custom Channel Private Key Alias server
RSA Identity Governance and Lifecycle authentication sources require the configuration of a corresponding JAAS
module in WebLogic. In a clustered environment configuration is required on each application server instance.
RSA Identity Governance and Lifecycle displays configuration properties required to set up the authentication
source in WebLogic in the RSA Identity Governance and Lifecycle user interface under the Admin > System >
Authentication tab for a given Authentication source. Use this list of properties, including any encrypted
password, to set up the JAAS configuration within WebLogic. For more information, see the Help topic, "Creating
a New Authentication Source."
You may require additional authorization sources for your particular environment.
The configuration is typically stored in a jaas config file and the information takes the following form:
"debug"="false" ;
} ;
The AuthenticationSourceName is the name of the authentication source in RSA Identity Governance and
Lifecycle. Enter the authentication source parameter names and values. The values must match those
configured for the authentication source you create in RSA Identity Governance and Lifecycle.
l AuthUserAttribute: cn
l BindDn: Admin@mycorp.com
l BindPassword: In the authentication source display, click Copy Encrypted Password for this value.
l ConnectionUrl: ldap://<machine-ip>:<port>
l UseSSL: no
l UserBaseDN: OU=accounts,DC=mycorp,DC=com
l UserSearchAttribute: cn
l UserSearchScope: 2
l SearchFilterForUsers: <optional>
Example information entered in the JAAS configuration file where the ACM module name is:
com.aveksa.server.authentication.AveksaJndiLoginModule.
For the example above the information in the jaas configuration file would look like:
TestLDAP{
com.aveksa.server.authentication.AveksaJndiLoginModule required
"AuthUserAttribute"="cn"
"BindDn"="OU=accounts,OU=admins"
"BindPassword"="myencryptedpassword"
"ConnectionUrl"="ldap://<machine-ip>:<port>"
"UseSSL"="no"
"UserBaseDN"="Admin@mycorp.com"
"UserSearchAttribute"="cn"
"UserSearchScope"="2"
"debug"="false";
};
For a test authentication source, in this example named TestAuthProvider, add the following to jaas.conf:
TestAuthProvider{
com.aveksa.server.authentication.TestLoginModule required
"debug"="false";
};
The configuration information is stored in a JAAS configuration file that is referenced by the WebLogic
application server. If your WebLogic server or servers in a clustered environment do not currently use a JAAS
configuration file, create a jaas.conf file. Enter the authentication configuration information in the JAAS
configuration file.
You must restart of the server for the settings to take effect. If this is a new file you have created, you must
identify the new file to the application server by using the following JAVA argument at startup:
-Djava.security.auth.login.config=/<path>/jaas.conf
This can be added to the JAVA_PROPERTIES in the setDomainEnv.sh script for the managed server, which is the
default environment script typically used to start a WebLogic server.
It may also be specified in the “Arguments” field for the “Start Server” tab for the server configuration. Consult
your WebLogic administrator for the appropriate place to add arguments at startup for your application server.
In a clustered environment each managed server must reference a valid JAAS configuration. If RSA Identity
Governance and Lifecycle cannot find the configured JAAS authentication at login time, the following error
message appears:
No Configuration was registered that can handle the configuration named <AuthenticationSourceName >
Validate the jaas configuration file and that the managed server has been configured for and can locate the jaas
configuration file. This can be added to the JAVA_PROPERTIES in the setDomainEnv script for the server. Also
validate that the name is correct in the config file.
When you upgrade RSA Identity Governance and Lifecycle, you override the secure cookie setting. Make sure
you enable secure cookies after upgrading RSA Identity Governance and Lifecycle.
Procedure
1. Log in as root.
Note: You must log in as the root account to ensure that the proper permissions are granted. This
procedure may not work using any other account.
2. Open the weblogic.xml file that is located in the aveksa.war/WEB-INF directory path.
3. Add the secure cookie session descriptor:
<session-descriptor>
<cookie-secure>true</cookie-secure>
</session-descriptor>
To view the settings, in RSA Identity Governance and Lifecycle, click Admin > System, and click the Security
tab.
l Security
l XSS/Scripting Security
l Web Services and Mobile
The default settings comply with security best practices. For information about these settings, click Help on the
Security settings page.
RSA Identity Governance and Lifecycle provides a default user named AveksaAdmin. To provide access to other
users, you can define:
l An LDAP-compliant authentication source, for example an Active Directory server. In this case, RSA
Identity Governance and Lifecycle collects account or identity data for all users who require access. You
must configure the account or identity collectors.
For instructions on setting up an authentication source, see Managing Log On Authentication Sources in Help.
Scenario Section
Install AFX on your appliance or soft- Install the Local AFX Server on an Appliance or a Software
appliance server Bundle Server Using the Installation Script
Install AFX on a WebSphere or WebLogic
Install the Local AFX Server from a Downloaded Local AFX Server
server
Install an additional AFX server instance on a
Install an Additional AFX Server Instance on a Non-AFX-Host
host where RSA Identity Governance and
Server
Lifecycle is not installed (remote host)
Install AFX connector packages See Install the AFX Connector Packages.
If you purchased an RSA Identity Governance and Lifecycle appliance with an AFX license, AFX is already
installed on the appliance. You can enable AFX you are ready to use it. For instructions on enabling AFX, see
"Specifying System Settings" in Help.
See AFX Hardware and Software Requirements before installing AFX and verify that your deployment meets all
requirements.
When RSA Identity Governance and Lifecycle and AFX are installed on different hosts, follow the guidelines in
this section. When AFX is installed on the same physical system as the RSA Identity Governance and Lifecycle,
use the higher values in the guidelines. For example, if base RSA Identity Governance and Lifecycle installation
requires 16GB of RAM and AFX installation requires 32GB, use 32GB.
Storage
Follow the guidelines below to calculate the amount of storage required by your installation:
Note: Cap log file sizes to avoid filling disk space. To further reduce the risk of filling disk space, you should
also employ a monitoring tool. Each connector will consume on average 1 MB of disk space daily. The actual
amount will vary based on the volume of transactions.
Swap Space
Set to half (1/2) of Physical Memory — This value is set automatically by the application server. You must adjust
manually.
Processor
Processor requirements for deployment environments are listed as follows:
Disk Partitioning
Configure the minimum swap size relative to system memory size.
Required Software
l Java: AdoptOpenJDK 1.8
Port Usage
JAVA RMI port used for retrieving JVM utilization information.
1099
Used by AFX, ActiveMQ, and MMC.
AFX management JMX port
1199
Listening port for exclusive use by AFX
Communication between ESB and AFX Management
7777
Listening port for exclusive use by AFX
8089 The default port for RESTful WebService connectors for receiving asynchronous callback
Port Usage
messages. This port is used by endpoints which process AFX requests asynchronously
to respond back to AFX after the request has been processed. The response indicates if
the request was successfully processed.
Note: You must log in as the root account to ensure that the proper permissions are granted. This procedure
may not work using any other account.
Install AFX
RSA Identity Governance and Lifecycle v7.x must be installed before you install AFX v7.x.
This section describes how to install AFX. RSA Identity Governance and Lifecycle auto-generates an AFX server
configuration named “AFX Server" where RSA Identity Governance and Lifecycle is installed. There are two
sequential phases in the AFX installation process:
1. Installing the AFX Server on an appliance or a Software Bundle server that has RSA Identity Governance
and Lifecycle installed on it, or installing it on a server that does not have RSA Identity Governance and
Lifecycle installed on it. This latter scenario is typically referred to as a "remote AFX installation." It is
applicable to AFX deployment when RSA Identity Governance and Lifecycle is installed on the WebSphere
or WebLogic platforms or when you want to install AFX on a host where RSA Identity Governance and
Lifecycle is not installed.
See the topic relevant to your installation scenario and complete the procedure in the topic:
l Install the AFX Server on an Appliance or a Software Bundle Server Using the Installation Script
l Install an Additional AFX Server Instance on a Non-AFX-Host
2. Installing the AFX connector packages for the AFX Server. See Install the AFX Connector Packages.
Procedure
1. Log on to the appliance or server as the root user.
Note: You must log in as the root account to ensure that the proper permissions are granted. This
procedure may not work using any other account.
cd <aveksa-staging-directory>/deploy/AFX-scripts/
./installAFX.sh -q
Installation results for the AFX Server are written in the following log file on the installation host:
/tmp/afx-install.log
3. If you are logged in as root, log out and log in to the installation host as the 'AVEKSA_OWNER' user.
4. Start the AFX Server using the “afx” script located in the top level AFX installation directory. For example,
if AFX is installed in /home/oracle/AFX, enter:
/home/oracle/AFX/afx start
Next step
Install the AFX connector packages for this AFX release version. See Install the AFX Connector Packages.
Procedure
1. Log on to RSA Identity Governance and Lifecycle.
2. Click AFX > Servers > AFX Server.
3. If required, update the Default Truststore Password. You must update it if you have changed the
password for the default JDK truststore (for example, JAVA_HOME/jre/lib/security/cacerts) on the AFX
Server host.
4. Select Download Server Archive to download the local AFX Server archive. See Download an AFX Server
Archive.
5. Install a new AFX Server or update it on this host. See Install
a New AFX Server, Install an AFX Server Service, or Update an AFX Server Installation for instructions.
6. Start the AFX server as described in Start the AFX Server.
7. Install the AFX Connector packages for this AFX version. See Install the AFX Connector Packages.
Procedure
1. Log in to RSA Identity Governance and Lifecycle.
2. Click AFX > Servers.
3. Create an AFX server configuration for the server instance you want to install on another host. See
"Creating AFX Servers" in Help for more information.
4. Select the AFX Server configuration that you just created and click Download Server Archive to download
the remote AFX server archive. See Download an AFX Server Archive.
5. See Install the AFX Server Using an Archive Downloaded from RSA Governance and Lifecycle to install a
new AFX server or update it on the remote machine.
6. Install the AFX Connector packages for this AFX release version. See Install the AFX Connector Packages.
Install the AFX Server Using an Archive Downloaded from RSA Identity
Governance and Lifecycle
This section describes how to perform the following tasks after you copy and download the AFX Server archive
from RSA Identity Governance and Lifecycle:
This section describes how to install a new server from an AFX Server archive.
Procedure
1. Create an unprivileged account (for example, afxuser) on the host where you plan to run the AFX Server.
For example:
Note: You must log in as the root account to ensure that the proper permissions are granted.
This procedure may not work using any other account.
mkdir /home/afxuser
This account is referred to as the “afx account” with the name “afxuser” throughout the remainder of
this procedure.
2. For the “afx account,” export JAVA_HOME and put $JAVA_HOME/bin in the PATH. JAVA_HOME must
point to a JAVA 1.8 installation.
3. Connect to the AFX Server machine using the “afx account.”
4. Copy the AFX Server archive downloaded from RSA Identity Governance and Lifecycle to the “afx
account” home directory on the AFX Server machine (for example, /home/afxuser).
5. Go to the “afx account” home directory and expand the AFX Server archive. For example:
cd /home/afxuser
unzip AFXServer.zip
An AFX directory is created in the “afx account” home directory (for example, /home/afxuser/AFX)
containing the server files.
6. Change to the AFX directory and execute the setPerms.sh script located in AFX/bin to set file
permissions. For example:
cd /home/afxuser/AFX
sh bin/setPerms.sh
7. Follow the steps in “Install an AFX Server Service” below to install the AFX Server service.
8. Start the AFX Server as described in Start the AFX Server.
The AFX Server service is optional but it is highly recommended to ensure that when your AFX Server host is
restarted, the AFX Server instance is properly shutdown and started.
This procedures applies only when AFX and RSA Identity Governance and Lifecycle are installed on different
hosts. It is required for WebSphere and WebLogic installations.
Procedure
1. Connect to the AFX Server host as root user.
Note: You must log in as the root account to ensure that the proper permissions are granted. This
procedure may not work using any other account.
ln -s <path-to-AFX>/bin/afx_server /etc/init.d/afx_server
For example:
ln -s /home/afxuser/AFX/bin/afx_server /etc/init.d/afx_server
3. For SLES 12 only, as root, use the following command to copy necessary files:
cp -as path-to-AFX/bin/systemd/legacy-actions
/usr/lib/initscripts/legacy-actions
chkconfig afx_server on
This section describes how to update an AFX Server installation with the archive in a scenario where you are
required to re-install your AFX Server.
Procedure
1. Connect to the AFX Server host using the “afx account.”
2. Stop the AFX Server as described in Stop the AFX Server.
3. Change the directory to the “afx account” home directory and rename the AFX folder to AFX-backup, for
example:
cd /home/afxuser
mv AFX AFX-backup
4. Copy the AFX Server archive that was downloaded from RSA Identity Governance and Lifecycle to the “afx
account” home directory on the AFX Server machine (/home/afxuser for example).
5. Change directory to the “afx account” home directory and expand the AFX Server archive. For example:
cd /home/afxuser
unzip AFXServer.zip
The “afx account” home directory (/home/afxuser/AFX for example) containing the server files now
contains an AFX directory.
6. Change to the AFX directory and execute the setPerms.sh script located in AFX/bin to set file
permissions. For example:
cd /home/afxuser/AFX
sh bin/setPerms.sh
7. Restore the ActiveMQ data directory (and its contents) from the prior installation backup to the new AFX
installation. Type:
where
For example:
cp –rfp /home/afxuser/AFX-backup/activemq/data
/home/afxuser/AFX/activemq
Procedure
1. Log on to RSA Identity Governance and Lifecycle.
2. Select AFX > Import.
3. Browse to the AFX-<product-version>-Standard-Connectors.zip file.
4. Select Next.
5. Check the Select all items box to select all connector templates listed for import.
6. Select Import to load all standard connector template packages for this released version into RSA Identity
Governance and Lifecycle.
7. If you are licensed for one or more AFX Premium Connectors, repeat steps 1 through 5 for AFX-
<product-version>-Premium-Connectors.zip (also located in the packages directory for RSA Identity
Governance and Lifecycle v6.9.x and later).
Note: After you have imported all connector packages, any previously imported connectors and templates are
updated to include the latest enhancements. Those enhancements include new capabilities and settings, fixes
for known issues, and any changes to ensure compatibility with AFX Server v7.x.
Procedure
1. Log in to RSA Identity Governance and Lifecycle.
3. From the list of AFX Server configurations, select the server that you want to download.
4. From the AFX Server configuration detail page, click Download Server Archive.
Note: It may take several minutes for the system to generate the AFX Server archive for download.
5. Specify the download location when prompted by the browser and save the AFX Server archive.
6. Install the archive. See Install the AFX Server Using an Archive Downloaded from RSA.
<path-to-AFX>/afx start
For SLES 12
<path-to-AFX>/afx stop
For SLES 12
To configure memory management in ActiveMQ to handle bulk change request items, you may need to modify
the following ActiveMQ settings.
1. The queue can handle messages for a change request with about 500 change request items for an
AFX connector. To handle a larger number of items than this default, update the settings as follows.
a. Edit AFX\activemq\conf\activemq.xml.
b. Find the policyEntry tag and modify the memoryLimit attribute value based on the
requirement, as shown below, then save the changes.
2. The queue can handle approximately 50 AFX connectors for provisioning the change request items in
parallel with the default settings. To configure a larger number of connectors than default allows, based
on the requirement modify memoryUsage value accordingly.
Example:
Memory usage for an AFX connector needs approximately 5 MB. 5MB multiplied by 50 connectors is a
total of 250 MB, which is the default.
The memory usage is calculated based on the memoryLimit values in point 1.
a. Edit AFX\activemq\conf\activemq.xml.
b. Find the memoryUsage tag and modify the limit attribute value based on the requirement.
<memoryUsage>
<memoryUsage limit="256 mb"/>
</memoryUsage
c. Find the tempUsage tag and modify the limit attribute value same as memoryUsage value.
<tempUsage>
<tempUsage limit="256 mb"/>
</tempUsage>
d. Find the storeUsage tag and modify the limit based on changes of memoryUsage value.
<storeUsage>
<storeUsage limit="1 gb"/>
</storeUsage>
e. Save changes.
3. Based on the requirements and memory configuration changes, the ActiveMQ heap size must be
updated. The recommended heap size is between 2 and 4 GB.
SSL is used to secure communication between RSA Identity Governance and Lifecycle and clients such as a
collector’s back-end server, AFX server, RSA agent, or a browser. SSL uses certificates which are stored in a
keystore repository. RSA Identity Governance and Lifecycle provides separate keystores for HTTPS
communications:
By default, RSA Identity Governance and Lifecycle uses a self-signed certificate, which a user can accept when
logging in to RSA Identity Governance and Lifecycle. This server certificate is used to authenticate the identity of
the RSA Identity Governance and Lifecycle server.
To enable the secure connection, RSA Identity Governance and Lifecycle requires knowledge of the clients’
public certificates, and the clients require the RSA Identity Governance and Lifecycle server’s public certificate
to identify each other.
RSA Identity Governance and Lifecycle also uses a truststore to validate the authenticity of certificates by a CA.
RSA Identity Governance and Lifecycle uses the OpenJDK as the truststore containing the certificates of all the
well- known CAs.
Become familiar with the following terms that are referenced throughout the remainder of the discussion about
certificates:
l RSA Identity Governance and Lifecycle Server Certificate — Identifies the RSA Identity Governance and
Lifecycle's server.
l Client Certificate — A public certificate that identifies a client to which RSA Identity Governance and
Lifecycle establishes a secure connection.
l Trusted Authority Certificate — A root or intermediate certificate that is trusted and can be used when
validating a signed certificate.
Default RSA Identity Governance and Lifecycle keystores, passwords, and locations described in the following
sections:
l aveksa.keystore — The aveksa.keystore file contains the self-signed certificates that identify the RSA
Identity Governance and Lifecycle application server when it communicates with a browser via HTTPS.
This default server certificate is created with keysize = 2048, validity = 18000 days, and ALG = RSA.
For upgrades, use the existing keystore.
You can use this keystore to configure the default HTTPS access on port 8443. You can modify this
Appendix A: Security and Authentication Management (RSA Appliance and Software Bundle) 129
RSA Identity Governance and Lifecycle Installation Guide 7.2.1
keystore to meet the security requirements of the default HTTPS access to RSA Identity Governance and
Lifecycle.
l server.keystore — The server.keystore file secures communication between agents and RSA Identity
Governance and Lifecycle. It contains a signed server certificate and the trusted certificates used to sign
the server certificate. This default certificate is created with keysize = 2048, validity = 18000 days, and
ALG = RSA. The keystore is in: /home/oracle/keystore/server.keystore. The password is
Av3k5a15num83r0n3
The server.keystore is required for secure SSL port 8444 and used for communicating with remote
agents. You cannot modify this keystore.
l client.keystore — The client.keystore file is created and used by a RSA Identity Governance and Lifecycle
remote agent.
This keystore is downloaded with the remote agent software from the user interface when a remote
agent is created or edited. For more information, see "Working with Agents" in the Help.
Note: Unless specified otherwise, all of the command examples in this section use the default passwords.
Keytool
Keytool is a certificate management utility. It is used to manage RSA Identity Governance and Lifecycle
certificates within the keystore that are referenced in this section. This keytool command is in the JAVA_HOME
directory.
You use Keytool to create a keystore file and manage the certificates in the keystore. The keytool command uses
an alias to reference the certificates. The alias is a simple well-known name associated with a certificate in the
file. When you use keytool, log in as the owner of the files you want to work on. For example, log in as root to
work with the cacerts file or as oracle to work with the aveksa keystore files.
For more information about the keytool command, see the OpenJDK documentation.
Ciphers
The RSA Identity Governance and Lifecycle appliance is configured with two ciphers for SSL:
l TLS_RSA_WITH_AES_128_CBC_SHA
l TLS_RSA_WITH_AES_256_CBC_SHA
130 Appendix A: Security and Authentication Management (RSA Appliance and Software Bundle)
RSA Identity Governance and Lifecycle Installation Guide 7.2.1
This section describes how to list certificates in your keystore, change default keystore and truststore
passwords, and restore SSL server or agent certificates after an upgrade.
For example:
The WildFly application server on which RSA Identity Governance and Lifecycle runs requires that the
keystore password and the generated server key (certificate) password are identical. If you want a
keystore with a different password, a new keystore file must be created with the new password. You
must also generate a new server certificate with the new password and re-import any additional
certificates. Also, the aveksa-standalone-full.xml file within WildFly that configures the SSL ports must
be updated with the new password information.
Required steps:
a. Generate a new keystore and server certificate with your desired password.
b. Import any other certificates you require into the new keystore.
c. Back up the current keystore.
d. Copy your new keystore to the aveksa.keystore.
e. Edit the aveksa-standalone-full.xml file with new password.
Procedure
keytool -genkeypair -keysize <keysize> -validity <#days> -alias <server-
cert-alias> -dname <domain-name> -keyalg <key algorithm> -file <Server_
cert_file> - keypass <Your Password> -storepass <Your Password> -keystore
<Keystore File>
For example:
Appendix A: Security and Authentication Management (RSA Appliance and Software Bundle) 131
RSA Identity Governance and Lifecycle Installation Guide 7.2.1
dname "CN=acm-
server.mycorp.com,OU=Aveksa,O=MyCorp,L=Waltham,S=Massachusetts,C=US" -
keyalg RSA-file server.cer -keypass new1Pass -storepass new1Pass -keystore
newPass.keystore
A new keystore file called newPass.keystore is created with an RSA Identity Governance and Lifecycle server
certificate with an alias of mycorpServer. The certificate is saved in the server.cer file.
Note: If you had previously created and signed your server certificate you will need to repeat the process of
generating a certificate signing request and importing the signed certificate. See Using a Signed Certificate for
HTTP Access to RSA Identity Governance and Lifecycle for more information
1. Go to /home/oracle/wildfly/standalone/configuration.
2. Edit the aveksa-standalone-full.xml file for connection port 8443.
3. Restart RSA Identity Governance and Lifecycle.
acm restart
Procedure
1. Go to the jre/lib/security directory.
2. Run this command:
132 Appendix A: Security and Authentication Management (RSA Appliance and Software Bundle)
RSA Identity Governance and Lifecycle Installation Guide 7.2.1
acm restart
To back up certificates:
Back up the following directories from your current installation to a location where they can be retrieved for
restoration after the upgrade:
RSA Identity Governance and Lifecycle (Aveksa Compliance Manager) version 4.x, 5.0.x, 5.1.x:
/home/oracle/wildfly-<wildfly-
version>/server/default/deploy/aveksa.ear/aveksa.war/WEB-INF/certificates
RSA Identity Governance and Lifecycle (Aveksa Platform) version 5.5 or 6.x
To restore certificates:
1. Shut down Aveksa services as described in Stopping RSA Identity Governance and Lifecycle Services.
2. From the backed up directories from the previous installation, copy certificate keystore files to the deploy
directory.
l For upgrades from any pre-v5.5 version:
/home/oracle/keystore/aveksa.keystore
/home/oracle/keystore
3. Start Aveksa services as described in Starting RSA Identity Governance and Lifecycle Services.
If you do not have the keystore files but you do have a Backup<aveksa-version>.tar file created with the
acm_backup.sh script, you can find those files in the following directories in Backup<aveksa-
version>.tar:
l RSA Identity Governance and Lifecycle version 4.x, 5.0.x, 5.1.x:
/home/oracle/wildfly-<wildfly-
version>/server/default/deploy/aveksa.ear/aveksa.war/WEB-
INF/certificates
/home/oracle/wildfly-<wildfly-
version>/server/default/deploy/keystore
Appendix A: Security and Authentication Management (RSA Appliance and Software Bundle) 133
RSA Identity Governance and Lifecycle Installation Guide 7.2.1
RSA Identity Governance and Lifecycle contains certificates that allow you to secure communication with AFX
servers, remote agents, web browsers and web services using Secure Sockets Layer (SSL). RSA Identity
Governance and Lifecycle signs all new certificates using the SHA-256 algorithm. Your existing server and
client certificates are not affected if you have upgraded from an earlier product version, but RSA recommends
that you migrate your server certificate and your AFX and remote agent certificates to SHA-256 after you have
upgraded.
Note: To enable WebLogic to use certificates signed using SHA-256, you must enable JSSE on the WebLogic
server.
You can use SSL to secure the connection between RSA Identity Governance and Lifecycle and a collector
endpoint by importing the endpoint server certificate into the truststore on the RSA Identity Governance and
Lifecycle application server.
Note: This procedure describes how to directly update the cacerts truststore file using the keytool. This is only
one method to update certificate truststore information. Your organization may use other tools or methods for
updating truststores.
Obtain the server certificate for your endpoint, such as Active Directory or Novell. Consult your administrator for
this information.
Procedure
1. Log in as root, and go to the truststore directory. The location of the truststore varies based on your
environment.
134 Appendix A: Security and Authentication Management (RSA Appliance and Software Bundle)
RSA Identity Governance and Lifecycle Installation Guide 7.2.1
If the server uses the system property javax.net.ssl.trustStore to override the default settings in
either standalone.xml or domain.xml, the certificate should be added to the custom truststore.
l In a WebSphere Application Server environment, obtain the SSL configuration settings for the
selected scope, either the node or the server. Import the certificate to the selected
SSL configuration.
If the truststore is defined using the custom property on the JVM, the custom truststore is used
instead of the SSL Configuration Repositories settings in the WebSphere administration console.
To determine if the configuration uses custom properties, log on to the WebSphere console and
select Servers > Application Servers > server_name > Process Definition > Java Virtual
Machine > Custom Properties, and see the following truststore javax
properties: javax.net.ssl.trustStore, javax.net.ssl.trustStorePassword, and
javax.net.ssl.trustStoreType.
cp cacerts cacerts.backup
4. Restart RSA Identity Governance and Lifecycle using the following command:
acm restart
The RSA Identity Governance and Lifecycle server can establish secure communication via SSL. To establish this
communication, the server must contain the public certificates used to identify the systems to which it connects
via SSL. The other systems must have trust in the RSA Identity Governance and Lifecycle server via a server
public certificate.
This process involves adding a public certificate to the RSA Identity Governance and Lifecycle server keystore as
Appendix A: Security and Authentication Management (RSA Appliance and Software Bundle) 135
RSA Identity Governance and Lifecycle Installation Guide 7.2.1
well as adding the RSA Identity Governance and Lifecycle server's public certificate to the remote
system/application’s keystore. Also, if the public certificates of the connecting systems are signed, you must
import the certification authority's root CA certificate file as well.
Note: As of RSA Identity Governance and Lifecycle version 7.1.1, the JRE has been upgraded to Java 8. By
default, Java 8 enforces endpoint identification on LDAPS connections to improve the robustness of the
connections. After upgrading, Active Directory collectors that use SSL that were previously able to connect
might be unable to connect. View the aveksaServer.log for details about connection failures. If this occurs,
ensure that the certificate of the host configured in the collector settings has the correct subject alternative
name attributes available that match the hostname.
Procedure
1. Run the following command:
For example:
cd /home/oracle/keystore
This exports the server certificate into a file called server01.cer. This file can then be copied to the
necessary locations required for the given LDAP/AD system.
acm restart
136 Appendix A: Security and Authentication Management (RSA Appliance and Software Bundle)
RSA Identity Governance and Lifecycle Installation Guide 7.2.1
Appendix B: Troubleshooting
l Overview
l Installation
l Start Up
l Runtime
l Certificate and Keystore Management
Overview
This chapter describes potential problems you may encounter with deploying, starting, and running RSA
Identity Governance and Lifecycle on WildFly. The installation process produces log files that can be examined
for problems during the installation process:
l The /tmp/aveksa-install.log file is generated by the RSA Identity Governance and Lifecycle installation
l The /tmp/aveksa/oracle.log file is associated with the Oracle installation.
The Wildfly server and the RSA Identity Governance and Lifecycle application both provide log files that can help
you pinpoint configuration or runtime problems.
The following RSA Identity Governance and Lifecycle log files are located in WildFly in the
/home/oracle/wildfly/standalone/log directory:
l The aveksaServerInfo.log file provides configuration information about the RSA Identity Governance and
Lifecycle application server configuration. This includes application version information, Java JVM
settings, database configuration, and application module configurations.
l The aveksaServer.log file provides information on the RSA Identity Governance and Lifecycleserver
execution. For information on managing aveksaServer.log views in the RSA Identity Governance and
Lifecycle user interface, see the Help topic, "Application Log Administration."
l The create.log file provides information about interactions involved with deploying and/or migrating
schema changes to the database. Problems with the database deployment might cause problems
initializing the RSA Identity Governance and Lifecycle application. This log file might be in a different
location as it is created in the directory where the createSchema is run.
l patch.log file provides information about script-driven hot fix installations. This file is generated when a
patch is applied.
l The reporting-user-synonyms.log file provides information about updates to user synonyms in the
avdwdb data source.
l The public-schema-synonyms.log file provides information about updates to user synonyms in the
acmdb data source. This file is generated only when synonyms are updated.
Installation
Problem: You see the following output from the installer.
Installing Oracle...
INFO: *********************************************
INFO: Network Time Protocol (NTP): This task verifies cluster time
synchronization on clusters that use Network Time Protocol (NTP).
INFO: Severity:CRITICAL
INFO: OverallStatus:VERIFICATION_FAILED
INFO:
Reason: The Oracle process determines whether an NTP service is configured and running. This problem can
occur if the system is not connected to the internet.
Solution: Start the NTP deamon or follow these steps to disable and, as root, remove the ntpd files and restart
your installation:
Start Up
If you encounter problems with starting RSA Identity Governance and Lifecycle after you have completed post-
deployment tasks, examine the aveksaServer.log file or the WildFly server.log file for problem indicators.
Problem: The RSA Identity Governance and Lifecycle displays the following error message when you attempt to
access the application:
Reason: The node that was started is not the System Operations Node (SON). The SON performs the
initialization of the security model. The SON must be started first. This could be caused by the following
circumstances:
l The SON in a clustered environment was not started and used to initialize the system before starting
other nodes.
l A data dump was moved from one system to another (a development system to a production system for
example) where the originating system is still registered as the SON. The system stores a list of
registered servers in the database and their role. The dump will contain the information of the server
that was the SON when the dump was taken.
Solution: Examine the aveksaServer.log file to determine the role of this node. Look for a line similar to the
following:
l If the application is in a cluster, start the SON first, and then start any other general nodes.
l If you have imported a new data dump, it is possible that an older machine is listed as the SON. In this
case, the server nodes table can be cleaned and the server can be restarted. The system will then self
register as the SON. You can determine the list of registered servers, status, and roles by querying the
T_SERVER_NODES table.
To list the known server(s), execute the following sql on the avuser:
select NODE_NAME, HOST_NAME, NODE_ROLE, NODE_STATUS from T_SERVER_NODES;
To Clear out the server node table, execute the following sql on the avuser schema:
Delete * from T_SERVER_NODES;
Problem: The migration fails when migrating the database when upgrading to a newer version of the RSA
Identity Governance and Lifecycle application. The following error messages appear in the user interface or in
the migrate.log file.:
or
Errors Detected:
ORA-14452
Examine the log file: migrate.log for more information. Consult the
installation guides if this is a known issue.
Reason: A table could not be modified during migration. This might be caused if a database session is holding
that table, possibly caused by another running node.
Solution: Verify that all nodes or other processes that may be accessing the schema are shutdown/stopped.
The following database query may provide information about what might be holding a session to the database
schema.
Ensure all instances of the the RSA Identity Governance and Lifecycle application have been stopped.
It is highly recommended that you repeat the migration. You can do this by simply modifying the
“productVersion” parameter in the database T_SYSTEM_SETTINGS table, setting it to the product version of the
version from which you are upgrading.
For example:
Commit the changes, restart the application server, and then perform the migration.
Problem: The RSA Identity Governance and Lifecycle application displays the following error message when you
attempt to access the application:
Reason: It is important that the database is configured to the correct character set that may be used within the
product. Failure to do so may result in corrupted data in those tables where non-conforming characters may be
written.
Solution: See the Database Guide for information on configuring a database instance. If you have data you wish
to preserve please back up your database, create a new database that is configured with the correct database
character set, and import your data dump into the database.
Runtime
If you encounter problems while RSA Identity Governance and Lifecycle is running, examine the
Problem: RSA Identity Governance and Lifecycle logs the following error message:
Note: See RSA Identity Governance and Lifecycle Security and Authentication Management for information on
managing certificates.
Problem: After using certificates the RSA Identity Governance and Lifecycle server is unresponsive.
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket
(JSSESocketFactory.java:150
at org.apache.tomcat.util.net.JIoEndpoint$Acceptor.run
(JIoEndpoint.java:309)
at java.lang.Thread.run(Thread.java:662)
Solution: The CN of the FQDN of the certificate may be incorrect. Delete the existing certificate and re-generate
a new server certificate.
Problem: Unable to login into RSA Identity Governance and Lifecycle with secure HTTPS. The server.log file
cites:
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:771)
Reason: The aveksa-standalone-full.xml file connection configuration has wrong keystore password.
Solution: Edit the aveksa-standalone-full.xml and correct the keystore information. See Change the Default
Aveksa Keystore Password for more information.
Problem: Unable to login into RSA Identity Governance and Lifecycle with secure HTTPS. The server.log file
cites:
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init
(JSSESocketFactory.java:394)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket
(JSSESocketFactory.java:135)
at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:497)
at org.apache.coyote.http11.Http11Protocol.init(Http11Protocol.java:176)
at org.apache.catalina.connector.Connector.initialize(Connector.java:1073)
at org.apache.catalina.core.StandardService.initialize
(StandardService.java:668)
Reason: The keystore password and server certificate passwords do not match.
Solution: Generate the keystore file with a server certificate with the same password. See Change the Default
Aveksa Keystore Password for more information.
Problem: LDAP Collection test fails with SSL. The aveksaServer.log file cites the following:
Reason: ACM/SSL is not able to validate the certificate authority of the certificate from the LDAP or AD server.
The root or intermediate CA of the certificate of the AD/LDAP server is not added to the truststore referred by the
host.
Solution: The information about the CA of the certificate of the LDAP or AD directory server must be added to
the truststore. Add the root/intermediate certificates for the CA to the truststore. For more information, see Step
3: Import a Trusted Certificate on page 64.
JAVA_OPTS="$JAVA_OPTS -
Djavax.net.debug=ssl:session:sslctx:sessioncache:keymanager:trustmana
ger"
3. Perform the test collection and check the aveksaServer.log. Look for the log: 'trustStore is:'. The location
given in this log statement is the default truststore referred by your host.
4. Once the truststore is identified, add the trusted certificates to the truststore.
5. Remove the above added line from standalone.conf by commenting it out:
#JAVA_OPTS="$JAVA_OPTS -
Djavax.net.debug=ssl:session:sslctx:sessioncache:keymanager:trustmana
ger"
Problem: The following error is logged multiple times and fills up the log:
ERROR (http-0.0.0.0-8444-Acceptor-0)
[org.apache.tomcat.util.net.JIoEndpoint] Socket accept failed
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket
(JSSESocketFactory.java:150)
at org.apache.tomcat.util.net.JIoEndpoint$Acceptor.run
(JIoEndpoint.java:309)
at java.lang.Thread.run(Thread.java:662)
Reason: A certificate being used by the system was removed from the aveksa.keystore, usually as part of the
process for replacing a certifcate.
Solution: Restore the aveksa.kesytore from a backup, and begin the process of replacing the certifcate again.
For more information, see Using a Signed Certificate for HTTP Access to RSA Identity Governance and Lifecycle.
l Overview
l Deployment
l Start Up
l Runtime
l Post-Deployment or Upgrade of RSA Identity Governance and Lifecycle
Overview
This chapter describes potential problems you may encounter with deploying, starting, and running RSA
Identity Governance and Lifecycle on WebSphere. The WebSphere server and the RSA Identity Governance and
Lifecycle application provide log files that can help you identify problems that may occur during configuration or
runtime.
$WEBSPHERE_HOME/AppServer/profiles/AppSrv01/logs/server1
RSA Identity Governance and Lifecycle has several log files that are created in the deployed application directory
(ear) on WAS. Use your command line shell to determine the path to the ear. The path to the ear is similar to:
/opt/IBM/WebSphere/AppServer/profiles/AppSrv01/installedApps/hostnameNode01Cell/aveksa.ear
Your path will vary based on your WebSphere install location, server name, hostname, node, and cell. This path
is referenced by EAR_PATH.
The following directory includes the aveksaServerInfo.log, aveksaServer.log, create.log, migrate.log, patch.log,
reporting-user-synonyms.log, and the public-schema-synonyms.log files:
$ EAR_PATH /aveksa.war/log
l The aveksaServerInfo.log file provides configuration information about the RSA Identity Governance and
Lifecycle application server configuration. This includes application version information, Java JVM
settings, database configuration, and application module configurations.
l The aveksaServer.log file provides information on the RSA Identity Governance and Lifecycle server
execution.
l The reporting-user-synonyms.log file provides information about updates to user synonyms in the
avdwdb data source.
Deployment
Problem: Testing the JBDC data source connections fails, and the error message indicates a failure to locate the
ojdbc jar file.
Note: The version of the ojdbc jar file is the one specified when setting up Oracle JDBC Provider.
Solution: Make sure the DISTRIBUTION path specified for Oracle is correct. The path specification is case
sensitive.
Examine the SystemOut.log file for the server. Look for messages similar to the following:
8/14/13 14:35:59:509 EDT] 00000004 DefaultTokenP E HMGR0150E: An attempt to create a token to secure the High
Availability Manager connection failed. The exception is java.lang.OutOfMemoryError
at java.lang.Object.clone(Native Method)
Solution: Increase the memory for the Deployment manager (not the node on which the application runs) from
the WebSphere console:
Start Up
If you encounter problems with starting RSA Identity Governance and Lifecycle after you have completed post-
deployment tasks, check the RSA Identity Governance and Lifecycle and WAS log files.
Problem: The migration fails when migrating the database during an upgrade to a newer version of the RSA
Identity Governance and Lifecycle application. The following error messages appear in the user interface or in
the migrate.log file.:
or
Errors Detected:
ORA-14452
Examine the log file: migrate.log for more information. Consult the
installation guides if this is a known issue.
Reason: A table could not be modified during migration. This might be caused if a database session is holding
that table, possibly caused by another running node.
Solution: Verify that all nodes or other processes that may be accessing the schema are shutdown/stopped. The
following database query may provide information about what might be holding a session to the database
schema.
Ensure all instances of the RSA Identity Governance and Lifecycle application have been stopped.
It is highly recommended that you repeat the migration. You can do this by simply modifying the
“productVersion” parameter in the database T_SYSTEM_SETTINGS table, setting it to the product version of the
version from which you are upgrading.
For example:
Commit the changes, restart the application server, and then perform the migration.
Problem: The RSA Identity Governance and Lifecycle displays the following error message when you attempt to
access the application:
Reason: The node that was started is not the System Operations Node (SON). The SON performs the
initialization of the security model. The SON must be started first. This could be caused by the following
circumstances:
l The SON in a clustered environment was not started and used to initialize the system before starting
other nodes.
l A data dump was moved from one system to another (a development system to a production system for
example) where the originating system is still registered as the SON. The system stores a list of
registered servers and their roles in the database. The dump contains the information of the server that
was the SON when the dump was taken.
Solution: Examine the aveksaServer.log file to determine the role of this node. Look for a line similar to the
following:
08:50:48,555 INFO [ServerNodeServiceProvider] Node Name : <Machine Name> has been updated to
Role General_Node
l If the application is in a cluster, start the SON first, and then start any other general nodes.
l If you have imported a new data dump, it is possible that an older machine is listed as the SON. In this
case, the server nodes table can be cleaned and the server can be started. The system will then self
register as the SON. You can determine the list of registered servers, status, and roles by querying the
T_SERVER_NODES table.
To list the known server(s), execute the following sql on the avuser:
To Clear out the server node table, execute the following sql on the avuser schema:
Delete * from T_SERVER_NODES;
Problem: The RSA Identity Governance and Lifecycle application displays the following error message when you
attempt to access the application:
Reason: It is important that the database is configured to the correct character set that may be used within the
product. Failure to do so may result in corrupted data in those tables where non-conforming characters may be
written.
Solution: See the Database Guide for information on configuring a database instance. If you have data you wish
to preserve please back up your database, create a new database that is configured with the correct database
character set, and import your data dump into the database.
Problem: RSA Identity Governance and Lifecycle application displays the following error message when you
attempt to access the application:
java.lang.NoSuchMethodError: javax/persistence/OneToMany.orphanRemoval()Z
at org.hibernate.cfg.AnnotationBinder.processElementAnnotations
(AnnotationBinder.java:1912)
at org.hibernate.cfg.AnnotationBinder.processIdPropertiesIfNotAlready
(AnnotationBinder.java:796)
at org.hibernate.cfg.AnnotationBinder.bindClass(Annot . . . .)
Reason: On WebSphere 7.x and 8.0 you must associate a .jar file with the RSA Identity Governance and
Lifecycle application using the WebSphere shared library
Solution: Follow the instruction on configuring the shared library as described in Configure the RSA Identity
Governance and Lifecycle Shared Library.
Problem: RSA Identity Governance and Lifecycle application does not start. The SystemErr.log file contains an
error similar to the following:
Reason: One of the activation specifications was created without the bus defined.
l In the WebSphere Admin console, validate the data source is configured with the correct JNDI name,
jdbc/avdb for avdb data source for example.
l Check that the custom property oracle9iLogTraceLevel for has no value set as described in Create the
JDBC Data Sources for data sources cited in aveksaServer.log file error messages like these:
Caused by:
java.lang.NoSuchMethodError:
oracle/jdbc/driver/OracleLog.setLogVolume(I)V at
com.ibm.ws.rsadapter.dbutils.impl.OracleUtilityImpl.setLogVolume
(OracleUtilityImpl.java:85)
or
com.ibm.websphere.naming.CannotInstantiateObjectException: Exception
occurred while the JNDI NamingManager was processing a
javax.naming.Reference object. [Root exception is
com.ibm.websphere.naming.CannotInstantiateObjectException: Exception
occurred while the JNDI NamingManager was processing a
javax.naming.Reference object. [Root exception is
java.lang.reflect.InvocationTargetException]] at
com.ibm.ws.naming.util.Helpers.processSerializedObjectForLookupExt
(Helpers.java:1000)
Reason: The database users were not provided the required database privilege grants.
Solution: Provide the required privilege grants to the database users. See the Database Setup and Management
Guide for more information.
Problem: Application fails to start and log shows an error similar to the following:
Reason: The application server is configured to the wrong version of the Java SDK.
Runtime
Problem: Change request workflow processes do not execute correctly according to the standard output log file,
which contains descriptions of connection timeout errors.
Reason: The connection pool count for the AVDB data source may need a higher value.
Solution: Increase the connection pool count by a system-appropriate value until the errors stop occurring.
Reason: The database source may have been configured with the wrong user. For example, the "acmdb"
database source is configured with the "avuser" user. This may cause Creation or Migration SQL scripts to be
executed as the wrong user.
For example, if the "acmdb" data source is configured with the "avuser" user and not "acmdb," the end of the
migrate.log file will indicate that the avuser views have been dropped as indicated (v_*).
Solution: Examine the avdb, avdwdb and acmdb data sources configured on the application server. Validate the
correct user credentials are set, and then re-deploy the application.
l Overview
l Deployment
l Start Up
l Runtime
l Post-Deployment or Upgrade of RSA Identity Governance and Lifecycle
Overview
This section describes potential problems you may encounter with deploying, starting, and running RSA
Identity Governance and Lifecycle on WebLogic. The WebLogic server and RSA Identity Governance and
Lifecycle application both provide log files that can help you pinpoint problems that may occur during
configuration or with RSA Identity Governance and Lifecycle at runtime. The WebLogic system log files can be
accessed from paths similar to the following:
$WEBLOGIC_HOME/user_projects/domains/<aveksaDomain>/servers/<Target Server>/logs
$WEBLOGIC_HOME/user_projects/domains/<aveksaDomain>/logs
The standard output from the startWeblogic.sh can provided additional troubleshooting information. RSA
Identity Governance and Lifecycle has several log files that are created in the deployed application directory
(ear) on WebLogic. Use your command line shell to determine the path to the ear. The path to the ear is similar
to:
$WEBLOGIC_HOME/user_projects/domains/aveksaDomain/servers/AdminServer/tmp/_WL_
user/aveksa/ldedze/aveksa.war/log
Your path will vary based on your WebLogic install location as well as your domain. This path is referenced by
EAR_PATH.
The following directory includes the aveksaServerInfo.log, aveksaServer.log, create.log, migrate.log, patch.log,
reporting-user-synonyms.log, and the public-schema-synonyms.log files:
$ EAR_PATH /aveksa.war/log
l The AveksaServerInfo.log file provides configuration information about the RSA Identity Governance and
Lifecycle application server configuration. This includes application version information, Java JVM
settings, database configuration, and application module configurations.
l The aveksaServer.log file provides information on the RSA Identity Governance and Lifecycle server
execution.
l The create.log file provides information about interactions involved with deploying and/or migrating
schema changes to the database. Problems with the database deployment may cause problems
initializing the RSA Identity Governance and Lifecycle application.
l The migrate.log file provides information about database migration phases.
l The patch.log provides information about script-driven hot fix installations.
l The reporting-user-synonyms.log file provides information about updates to user synonyms in the
avdwdb data source.
l The public-schema-synonyms.log file provides information about updates to user synonyms in the
acmdb data source.
Deployment
Problem: The deployment fails. The following error appears the in the AdminServer.log file:
java.lang.ClassNotFoundException: com.aveksa.gui.core.filters.SessionTimeoutListener
at weblogic.utils.classloaders.GenericClassLoader.findLocalClass(GenericClassLoader.java:296)
at weblogic.utils.classloaders.GenericClassLoader.findClass(GenericClassLoader.java:269)
at java.lang.ClassLoader.loadClass(ClassLoader.java:307)
at java.lang.ClassLoader.loadClass(ClassLoader.java:248)
at weblogic.utils.classloaders.GenericClassLoader.loadClass(GenericClassLoader.java:177)
Reason: On a Solaris box, class files are truncated because the ACM-WebLogic.tar file was extracted using the
Solaris version of tar.
Solution: Extract the ACM-Weblogic.tar file using a tar utility that handles long path names correctly, for
example gtar from gnu.
10 4:31:00 PM EDT> <Error> <Deployer> <BEA-149265> <Failure occurred in the execution of deployment
request with
Solution: Create the security realm user, workpoint, and continue with the deployment.
The run-as security principal, 'workpoint', chosen for the EJB 'ServerAutomatedActivityMDBean
(Application: avekponent: wpServer.jar)' is not a valid user principal in the current security
realm. Please specify a valid user for the EJB to use.
weblogic.ejb.container.deployer.BeanInfoImpl.calculateRunAsPrincipal(BeanInfoImpl.java:1061)
weblogic.ejb.container.deployer.BeanInfoImpl.prepare(BeanInfoImpl.java:1007)
Reason: The workpoint user for the security realm was not created or misconfigured.
Solution: Create/edit the security realm user, workpoint, and then stop and restart the server.
Problem: Problems with workflow execution; workflow fails. Examine hte aveksaServer.log file. Check for the
following error messages:
java.lang.RuntimeException: Illegal TXN State: Attempt to start new transaction during rollback.
Txn count=1
Solution: Check the JTA transaction timeout setting (see Configure JTA Timeout Setting). If the setting is lower
than 120 seconds, set it to 120. If it is already set to 120 or higher, contact Tech Support.
cd /home/oracle/Oracle/Middleware/Oracle_Home/user_projects/domains/base_
domain/bin
vi setDomainEnv.sh
For WebLogic Server versions 12.2.1.3.0 and above, disable the FAN setting by adding
-Doracle.jdbc.fanEnabled=false to the end of JAVA_OPTIONS.
Start Up
If you encounter problems with starting RSA Identity Governance and Lifecycle, you can check log files for
indications of where the problems occurred.
$WEBLOGIC_HOME/user_projects/domains/<aveksaDomain>/servers/<Target Server>/logs
$WEBLOGIC_HOME/user_projects/domains/<aveksaDomain>/logs
The standard output from the startWeblogic.sh can provided additional information.
Problem: The migration fails when migrating the database when upgrading to a newer version of the RSA
Identity Governance and Lifecycle application. The following error messages appear in the user interface or in
the migrate.log file.:
or
Errors Detected:
ORA-14452
Examine the log file: migrate.log for more information. Consult the installation guides if this is
a known issue.
Reason: A table could not be modified during migration. This might be caused if a database session is holding
that table, possibly caused by another running node.
Solution: Verify that all nodes or other processes that may be accessing the schema are shutdown/stopped. The
following database query may provide information about what might be holding a session to the database
schema.
Ensure all instances of the RSA Identity Governance and Lifecycle application have been stopped.
It is highly recommended that you repeat the migration. You can do this by simply modifying the
“productVersion” parameter in the database T_SYSTEM_SETTINGS table, setting it to the product version of the
version from which you are upgrading.
For example:
Commit the changes, restart the application server, and then perform the migration.
Problem: The RSA Identity Governance and Lifecycle application displays the following error message when you
attempt to access the application:
The character set for the database is configured to WE8MSWIN1252; however, AL32UTF8 is the required
database character set. Please consult the Database Guide to create a database instance that meets
the product requirements and then restart the application.
Reason: It is important that the database is configured to the correct character set that may be used within the
product. Failure to do so may result in corrupted data in those tables where non-conforming characters may be
written.
Solution: See the Database Guide for information on configuring a database instance. If you have data you wish
to preserve please back up your database, create a new database that is configured with the correct database
character set, and import your data dump into the database.
Reason: The database users where not provided the required database privilege grants.
Solution: Provide the required privilege grants to the database users. See the Database Setup and Management
Guide for more information.
Problem: You see the following ClassCastException error when starting the RSA Identity Governance and
Lifecycle application:
at weblogic.jdbc.wrapper.ResultSet_oracle_jdbc_driver_
ForwardOnlyResultSet.getOPAQUE(Unknown Source)
at com.aveksa.server.utils.ApplicationServerUtil.getOPAQUE
(ApplicationServerUtil.java:189)
at com.aveksa.server.db.StringToXMLTypeMapper.getOPAQUE
(StringToXMLTypeMapper.java:197)
at com.aveksa.server.db.StringToXMLTypeMapper.nullSafeGet
(StringToXMLTypeMapper.java:90)
at org.hibernate.type.CustomType.nullSafeGet(CustomType.java:109)
at org.hibernate.type.AbstractType.hydrate(AbstractType.java:104)
at org.hibernate.persister.entity.AbstractEntityPersister.hydrate
(AbstractEntityPersister.java:2283)
at org.hibernate.loader.Loader.loadFromResultSet(Loader.java:1527)
.....
Solution: Please verify that the Wrap Data Types option is deselected under the Connection Pool tab > Advanced
section. If you are required to deselect the option, you must restart WebLogic for the option change to take
effect.
Runtime
Problem: Change request workflow processes do not execute correctly according to the standard output log file,
which contains descriptions of connection timeout errors.
Reason: The connection pool count for the AVDB data source may need a higher value.
Solution: Increase the connection pool count by a system-appropriate value until the errors stop occurring.
Reason: The database source may have been configured with the wrong user. For example, the "acmdb"
database source is configured with the "avuser" user. This may cause Creation or Migration SQL scripts to be
executed as the wrong user.
For example, if the "acmdb" data source is configured with the "avuser" user and not "acmdb," the end of the
migrate.log file will indicate that the avuser views have been dropped as indicated (v_*).
Solution: Examine the avdb, avdwdb and acmdb data sources configured on the application server. Validate the
correct user credentials are set, and then re-deploy the application.
Troubleshooting AFX
This chapter describes potential problems you may encounter with deploying, starting, and running AFX server.
The installation process using installation script(installAFX.sh) produces log files that can be examined for
problems during the installation process:
Note: Always make sure that RSA Identity Governance and Lifecycle is up and running before you start the AFX
server.
Start Up
Problem: AFX Server fails to start with message: WARNING!! Timed out waiting for AFX applications to start
The AFX log files located in $AFX_HOME/esb/logs contain the following errors:
In the mule_ee.log:
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild
(SunCertPathBuilder.java:197)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:255)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:319)
In the esb.AFX-MAIN.log:
In the esb.AFX-INIT.log:
Reason: This usually indicates that the AFX SSL certificate and/or ID currently configured for this installation
do not match with records in the RSA Identity Governance and Lifecycle database. You may encounter this
problem in the following scenarios:
l The AFX SSL certificate was regenerated using the RSA Identity Governance and Lifecycle application but
the AFX installation was not updated with keystore containing the new certificate. In this case, please
update the AFX installation with latest keystore available for download from RSA Identity Governance and
Lifecycle application.
l RSA Identity Governance and Lifecycle certificate store has been changed but neither the RSA Identity
Governance and Lifecycle server nor AFX installations have been updated with respective keystore
containing new certificate and CA entries. In this case, please update both the RSA Identity Governance
and Lifecycle server and AFX installations with latest respective keystore available for download in the
RSA Identity Governance and Lifecycle application.
l RSA Identity Governance and Lifecycle database was refreshed / restored using a backup that was
generated on another environment (e.g., backup of Production system database was restored on the QA
system database). In this case, additional steps are required to get the SSL certificate configuration in
the database in sync with what's deployed on the RSA Identity Governance and Lifecycle & AFX server
machine(s). Please change the RSA Identity Governance and Lifecycle certificate store and then update
both the RSA Identity Governance and Lifecycle server and AFX installations with latest respective
keystore available for download in the RSA Identity Governance and Lifecycle application.
Solution: Update server.keystore and client.keystore for all remote agents and AFX.
1. Log in to RSA Identity Governance and Lifecycle, and go to Admin > System > Security. In a clustered
environment, perform this step on the single system operations node (SON).
2. Click Change Certificate Store, and click OK to change the root certificate and CA.
3. Click Download and save the server.keystore file to a location on your computer.
4. Go to AFX > Servers, click Change Certificate Store, and click OK to change the client certificate.
5. Click Download and save the client.keystore file to a location on your computer.
6. Stop the ACM and AFX servers.
7. Copy the new server.keystore file to the location on the server where your web server reads the
keystore. For example, $AVEKSA_HOME/keystore.
8. Copy the new client.keystore file to the AFX server under <AFX-server-root>/esb/conf.
9. Update the client.keystore files from the remote agents after you download the corresponding
client.keystore from RSA Identity Governance and Lifecycle.
10. Restart the ACM and AFX servers and verify connectivity with the endpoints.
Issue: Unable to start AFX as either the root or oracle user, and one of the following is displayed:
As root:
As oracle:
Solution: The AFX server should be started using either the oracle user or afxuser only. Do not use root to start
the AFX Server.
*****************************************************
*****************************************************
*****************************************************
Install Summary:
----------------
AFX_STAGING_DIR /tmp/AFX
AFX_HOME /home/oracle/AFX
MULE_HOME /home/oracle/AFX/mule
ACTIVEMQ_HOME /home/oracle/AFX/activemq
MMC_HOME /home/oracle/AFX/mmc-console
JAVA_HOME /etc/alternatives/java_sdk_1.7.0
JAVA_CMD_DIR /etc/alternatives/java_sdk_1.7.0/bin
AFX_OWNER oracle
AFX_GROUP oinstall
----------------
FATAL ERROR!! Failed to create SSL certificate for AFX server using Aveksa
CA
*****************************************************
Appendix C: Maintenance
This task creates a dump (.dmp) file of the AVUSER schema. The file contains all of the application data and
some environment data about a particular system environment.
If you intend to import a dump from one machine to another (which must be running the same RSA Identity
Governance and Lifecycle version from which the dump was created), you may be required to perform
additional configuration on the target machine.
Recommendations
l Back up your database regularly or before making major changes to your system. For example, create a
backup of your appliance database before proceeding with re-installing or upgrading RSA Identity
Governance and Lifecycle software.
l Shut down the RSA Identity Governance and Lifecycle server and AFX before you export a database.
While it is possible to run a backup while RSA Identity Governance and Lifecycle is running, you must
ensure that any crucial data intensive processes, including data collections and review generation, are
not running before you begin the back up. Running a backup with active data-processing in process
may leave backed up data in an inconsistent state.
l To ensure that you only back up essential data, you can use the data purging feature to routinely purge
older data that is not needed for your deployment, and you can use the data archiving feature to archive
older data for auditing purposes. For more information on these features, see the Help topics "Managing
Data Archiving" and "Managing Data Purging".
Procedure
1. Log in to the installation machine as the root user.
The -t option, provides a tag name that is appended to the standard export file name. The script creates
an export file named Export_AVDB_avuser_Backup_Pre_Upgrade.dmp file in the directory specified by
the -o option. If -o option is not specified, the export file is saved to
/home/oracle/AveksaExportImportDir/
Note: If you also want to compress the dump file, use the -g option.
Note: When using the -i option, ensure that the AVUSER and SYS database user passwords are the
same. Both users are involved in executing the command. For more information on changing passwords,
see Changing Database User Passwords on page 180.
/home/oracle/AveksaExportImportDir/Export_AVDB_avuser_Backup_Pre_
Upgrade.log
Starting with the 7.0.1 product release, a new data encryption handling mechanism is in place which
uses on disk data in conjunction with database data to perform data encryption. When exporting the
database and moving it to a new installation, you must also "pack up" the encryption key data stored on
disk (see Step 4) and moved it along with the database.
7. Zip up the master key data in the master key storage directory. This directory is identified by the
application server system property: rsavialg.security.keydir. By default, this directory is
/home/oracle/security.
You will unzip the master key data as part of the steps to import the database described in Import the
AVUSER Schema/Data for a Database Restoration/Load on page 163.
Note: In a clustered environment, if separate copies of the key data are stored on each cluster node,
then only one copy of a key data (any node's key data) needs to be backed up as all areas should contain
the same key data. However, when reinstalling the data , if a node has a local directory specified for
storage of keys, then the key data should be reinstalled to each of these local directories (as specified by
the rsavialg.security.keydir environment variable which each node has set).
You can import an AVUSER schema/data backup to restore a database or load it on a new machine. You perform
the import procedure for the RSA Identity Governance and Lifecycle Oracle database using the
/home/oracle/database/DBA/AVDB/scripts/AVDB_Import_AVUSER.sh script alias, avdbimport, provided with
the installation. The script uses the Oracle impdp utility to import a dump and perform additional processing
steps after the dump is imported. Note that some data or configurations may be specific to the environment
from which the original dump was taken.
For example, server nodes may need to be updated; this is particularly true when moving clustered
environments. Or directory specific locations configured for collectors may need to change. After you have
imported the database, you must validate that the data is compatible with your database. See Validate
Compatibility of the Database Import for instructions.
Note: If you are using the AFX module and loading a database from a different installation, you must update the
certificates. For more information, see "Change an AFX Server SSL Certificate" in the Access Fulfillment Express
Guide.
Procedure
1. Log in to the installation machine as the oracle user.
Starting with the 7.0.1 product release, a new data encryption handling mechanism is in place which
uses on disk data in conjunction with database data to perform data encryption. When exporting the
database and moving it to a new installation, you must also "pack up" the encryption key data stored on
disk and move it along with the database (see Step 2).
2. Unzip the master key data in the master key storage directory.
This is the data that was zipped up in Step 4 in the procedure described in Back Up the RSA-Supplied
Database . (The master key storage directory is identified by the rsavialg.security.keydir environment
variable. The default directory is /home/oracle/security.)
Note: In a clustered environment, if separate copies of the key data are stored on each cluster node,
then only one copy of a key data (any node's key data) needs to be backed up as all areas should contain
the same key data. However, when reinstalling the data , if a node has a local directory specified for
storage of keys, then the key data should be reinstalled to each of these local directories (as specified by
the rsavialg.security.keydir environment variable which each node has set).
Command options:
l The Dump_File_Name should not include the tag name or file extension (.dmp).
l Use the -t option if the exported dump file was saved with a tag name.
l Use the -i option along with the input directory name if the exported dump file was saved to an
output directory other than the default /home/oracle/AveksaExportImportDir/ directory.
Note: When using the -i option, ensure that the AVUSER and SYS database user passwords are
the same. Both users are involved in executing the command. For more information on changing
passwords, see Changing Database User Passwords.
l Use the -g option to uncompress the dump file if the -g option was used to compress the
exported dump file.
6. Start services:
/home/oracle/AveksaExportImportDir/
If you used the -i option to import the dump file, the log file is located in the input directory.
This is the log for the Oracle impdp import utility command. You can check the progress of the import
using the tail -f command on the log file.
/home/oracle/database/DBA/AVDB/logs/
The directory contains the log files for the import script that list all completed tasks. A log file name in
this directory is based on the Oracle Service name and/or Schema Owner if defined, Import_${ORACLE_
SERVICE_NAME}_${SCHEMA_OWNER}_History.log for example:
Import_AVDB_avuser_History.log
8. If the database schema requires migration, RSA Identity Governance and Lifecycle prompts you to
migrate the schema when you log in to the user interface. Under Schema Migration, enter the password
AuthorizeMigration, and click Migrate Schema.
This directory is not in product releases greater than 6.5. Data dumps imported from older versions will
invoke this error because the directory is no longer created.
You may see this error message from an import of a database from a previous release because the UTL_
MAIL package is no longer installed in this release. This trigger is removed upon database migration.
You may see this error message following from a database import from a previous release because this
release no longer grants the ability to create materialized views. The view is removed during database
migration.
You may see this error message from a database import from a previous release because this release no
longer grants the ability to see the dba_extents table. The stored procedure that references this table is
removed during database migration.
You may see error messages like this from an database import from a previous release because of
changes to the schema or security privileges during the import. All stored procedure packages are
updated during database migration.
l ORA-00942: table or view does not exist created with exception errors
for retrieval of T_AV_AUDIT_LOG_EVENT_SETTINGS table.
This error can occur at initialization because the table did not exist before version 7.0.
After you import the database on your system, determine whether the database dump is compatible for an RSA
Identity Governance and Lifecycle database installation on an appliance. Determine whether these system
settings from the imported dump are set as follows:
l isAppliance = Yes
l isSoftAppliance = No
Procedure
1. Run the following SQL as avuser:
2. If the values above are not set to the correct values, run the following SQL to set them to the correct
values:
l When you are upgrading your RSA Identity Governance and Lifecycle software. An RSA software
upgrade automatically migrates the database when you install on an RSA appliance or a compatible
server, which includes the RSA Appliance, Software Bundle, Websphere, and WebLogic installations.
l Whenever the version of the RSA Identity Governance and Lifecycle software is greater than the version
of the data in the database, for example, you created a fresh installation and you want to use the data
from a previous version, you must migrate the database.
l When you are importing a database dump created on an older version of RSA Identity Governance and
Lifecycle.
If RSA Identity Governance and Lifecycle is already installed and a migration is required, the installation script
displays a prompt that asks whether you want to migrate the database. In most cases, the installer selects yes,
and the migration is performed by the installation script. If the migration is not performed during the upgrade
installation, the RSA Identity Governance and Lifecycle Initialization Status window prompts you to perform the
migration when you attempt to access RSA Identity Governance and Lifecycle.
You must export the existing database to a backup file before you attempt to migrate the database (if you did not
previously create a database backup). See Back Up the RSA-Supplied Database for more information.
Note: Before you migrate the database, ensure that the product tables are not compressed. If the tables are
compressed, the migration process may perform operations that generate an Oracle error such as ORA-39726.
Starting with v7.0.1, a new data encryption handling mechanism is in place which uses on disk data in
conjunction with database data to perform data encryption. When exporting database data and moving it to a
new installation, you must also "pack up" the encryption key data stored on disk and move it along with the
database. For more information, see:
/home/oracle/deploy/migrate.sh
...
Migration logs are available at the locations displayed. If there are errors shown under “Potential errors,”
this may indicate a problem with the migration of your database. Contact Technical Support for
assistance as necessary.
Migrate from within the RSA Identity Governance and Lifecycle application:
1. In the Initialization Status window, enter the migration password (AuthorizeMigration), and then click
Migrate.
2. Restart RSA Identity Governance and Lifecycle as described in Starting and Stopping RSA Identity
Governance and Lifecycle Services.
The RSA appliance operating system installation process overwrites all data on the appliance, including all
network configuration data. There will be a new hostname and IP address as a result of the operating system
installation. RSA recommends that you note the hostname, IP address, gateway, and DNS nameserver. Ensure
that you back up all data before you install the operating system.
Perform the following steps to complete the RSA appliance operating system installation or upgrade:
3. If you are upgrading your appliance operating system from SLES 11, Determine and Record SLES 11
System Details on page 169.
4. Get the Operating System Installation Software and Create the Installation DVD on page 169.
5. Install the Operating System from the Installation DVD on page 170
6. Configure a Network Bond on a Hardware Appliance on page 170.
7. Install RSA Identity Governance and Lifecycle7.2.1 using the Software Bundle scenario. For more
information, see Installation Scenarios on page 13.
8. If upgrading from SUSE Enterprise Linux 11, restore your RSA Identity Governance and Lifecycle. For
instructions, see Restore RSA Identity Governance and Lifecycle on page 179.
l Media requirement:
o Single-sided, single-layer, 4.7GB-capacity DVD
l Upgrade requirement — To successfully migrate the RSA Identity Governance and Lifecycle database
during RSA Identity Governance and Lifecycle 7.2.1 software installation after you install the operating
system, the database must be from RSA product version 4.x or greater. The database must be on a
supported version of Oracle.
You must do the following before you perform the operating system installation:
1. Make sure tasks (collections, policies, reports, or reviews for example) are not running on the appliance.
See Check for Running Tasks on an Appliance or Server for details.
2. Stop RSA Identity Governance and Lifecycle services after you have confirmed that there are no tasks
running on the appliance. See Stopping Services for details.
3. Restart the database. See Starting and Stopping the Oracle Database and Oracle Services for details.
4. Ensure that the appliance has a a minimum of 1 GB of free available disk space plus the current size of
the AVDB database (for the backup and upgrade process), and then back up the current installation
software and copy the backup archive to an external drive. This ensures that you are capable of
restoring your current installation if required. See Back up RSA Identity Governance and Lifecycle for
details.
Note: If you have custom indexes or views in place in your deployment, they will be lost during upgrade
process unless they have been rolled into the upgrade release. Contact RSA Support for assistance as
required.
5. Export the database for the current installation and copy the backup file to an external drive. See Back
Up the RSA-Supplied Database for details.
6. If you have SSL server or agent certificates that you would like to save and use with the new or updated
installation, save the server.keystore, serverui.keystores and client.keystore files in the following
directory:
/home/oracle/jboss/server/default/deploy/aveksa.ear/aveksa.war/WEB-
INF/certificates
Back up the cacert file from the java directory. This file may contains any additional signing certificates
you may have added.
$JAVA_HOME/jre/lib/security/cacerts
Before you upgrade your appliance operating system to SLES12, record the details of your existing SLES 11
system. This procedure describes how to find the information that you need when you configure the SLES 12
network bond.
Procedure
1. Use the ifconfig to determine the following network bond details for your SLES 11 system, and record
each item in the system details worksheet:
a. The bond0 IP Address is preceded by inet addr:.
For example, in inet addr:1.2.3.4, the bond0 IP address is 1.2.3.4.
b. The bond0 Broadcast Address is preceded by Bcast:.
For example, in Bcast: 1.2.3.255, the bond0 broadcast address is 1.2.3.255.
c. The bond0 Netmask Address is preceded by Mask:.
For example, in Mask: 255.255.255.0, the bond0 netmask address is 255.255.255.0.
2. Use the netstat -rn command to determine the Default Gateway, and record its address in the
system details worksheet. The default gateway contains a destination of 0.0.0.0.
3. Use the hostname -f command to determine the Fully Qualified Domain Name (FQDN) of the
appliance, and record it in the system details worksheet.
4. Enter the first part of the FQDN in the Hostname field of the system details worksheet. For example, if
the FQDN is machine.example.com, machine is the hostname.
5. Use the hostname -d command to determine the Domain Name, and record it in the system details
worksheet.
bond0 IP Address:
bond0 Broadcast Address:
bond0 Netmask Address:
Default Gateway:
Fully Qualified Domain Name (FQDN):
Hostname:
Domain Name:
Get the Operating System Installation Software and Create the Installation DVD
You must download operating system installation files to a computer (not the appliance) from RSA Link at
https://community.rsa.com/community/products/governance-and-lifecycle and create the installation DVD
that you will use to install the operating system on the appliance.
Procedure
1. Log in to RSA Link and download the appropriate SLES 12 ISO image for your deployment.
2. Burn the iso file image (do not copy as a data file) to the DVD using any industry-standard DVD burner
product. See the DVD burner documentation for details.
Use the DVD to install the SUSE Enterprise Linux 64-bit operating system.
Procedure
1. Attach a keyboard, mouse and monitor to the appliance.
2. Insert the DVD in the DVD drive on the appliance, and power up the appliance.
3. Select F11 on the Dell screen for the boot menu, and then select boot from CDROM/DVDROM under Hard
drive. If the F11 boot menu is not available, use F2 to enter BIOS Setup and change the boot order to
boot from the CDROM/DVDROM.
A menu appears with options to "Boot from local disk" and "Install OS" for different appliance models.
4. Use the arrow keys to highlight Install OS for the appliance model in the menu and press Enter.
If you use the BIOS Setup to change the boot order, you may be returned to the boot menu. If this
occurs, press CTRL+ALT+DEL to reboot and then press F2 to enter the BIOS Setup. Then, restore the
original boot order.
The installation program loads and performs a silent SUSE Enterprise Linux operating system
installation. The installation takes 20 to 30 minutes.
After you upgrade your hardware appliance to SLES 12, you must add a network bond device. This procedure is
only required for SLES 12 installed on hardware appliances.
Procedure
1. Log in to the hardware appliance as the root user.
2. To open a terminal session, click Applications > System Tools > Terminal.
3. Enter the following command to invoke the YaST2 administration tool:
yast
6. From the Device Type menu, select Bond. Leave the default Configuration Name, which is bond0,
and click Next.
The Network Card Setup screen appears.
7. On the Address tab, enter the following values:
l IP Address - the bond0 IP Address value from the SLES 11 System Details Worksheet
l Subnet Mask - the bond0 Netmask Address from the SLES 11 System Details Worksheet
l Hostname - the Hostname from the SLES 11 System Details Worksheet
8. Select the Bond Slaves tab, and select the slave network cards to assign to the network bond.
9. Click Next.
10. Select the Hostname/DNS tab, and enter the following values:
l Hostname - the Hostname from the SLES 11 System Details Worksheet
l Domain Name - the Fully Qualified Domain Name from the SLES 11 System Details
Worksheet
l Name Server - The IP address of your domain name server (DNS)
l Domain Search - The domain name used to resolve hostnames without a specified domain.
11. Select the Routing tab, and in the Default IPv4 Gateway field, enter the Default Gateway from the
SLES 11 System Details Worksheet. Leave the Device menu at its default value.
12. Click OK, and exit YaST2.
13. In the terminal window, enter the following command to view the network configuration:
ifconfig -a | less
15. Enter the following command to verify that the Default Gateway matches the value specified in the
SLES 11 System Details Worksheet. The default gateway has a corresponding destination of 0.0.0.0.
netstat -rn
16. Reboot the system, and perform the following steps to confirm that the appliance network has been
successfully configured:
a. Repeat steps 14-16.
b. Connect to this appliance from a remote client using SSH.
Procedure
1. Open the following file with a text editor:
/etc/sysconfig/SuSEfirewall2
2. Append the following port number string "21 22 1158 1555 8443 8444" to the FW_SERVICES_EXT_TCP
options line (space separated).
For example:
Note: Your internal IT staff might mandate additional ports to be added for infrastructure tools such as
monitoring programs.
3. Append the following port number string "0/0,0/0,tcp,443,8443 0/0,0/0,tcp,444,8444" to the FW_
REDIRECT options line (observing the comma and spacing syntax in the example).
For example:
FW_REDIRECT="0/0,0/0,tcp,443,8443 0/0,0/0,tcp,444,8444"
/etc/init.d/SuSEfirewall2_init restart
/etc/init.d/SuSEfirewall2_setup restart
Procedure
1. Open the following file with a text editor:
/etc/sysconfig/iptables
2. Add lines like the following, for example, to your firewall section in iptables to open the ports:
3. Add a network address translation section if you don’t have one to perform port redirection from the
standard https port. This section typically appears before the “*filter” section. If you already have a *nat
section, add the two REDIRECT lines. Replace bond0 with the name of your primary network interface.
*nat
:PREROUTING ACCEPT
:POSTROUTING ACCEPT
:OUTPUT ACCEPT
COMMIT
4. Verify that your /etc/sysconfig/iptables file should look similar to the following:
*nat
:PREROUTING ACCEPT
:POSTROUTING ACCEPT
:OUTPUT ACCEPT
COMMIT
*filter
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
:RH-Firewall-1-INPUT -
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
COMMIT
5. Restart the iptables for the changes to take effect. Enter the following command:
Procedure:
1. Connect the drive to the appliance.
2. Run the following command to find the attached drive:
fdisk -l | less
fdisk /dev/sdc
4. Create an ext3 file system on the newly created partition. For example:
where:
/dev/sdc is the device for the drive that you just added, and the “1” is for the first partition of that drive.
Wait until all tasks have completed before proceeding with the upgrade.
If you are doing an appliance re-installation after an uninstall, you will be prompted for the ASM partition during
installation. You can check the previous setting with the following command:
If /tmp/Aveksa_System.cfg is not present, or this has no setting, you must determine the ASM partition.
l For Dell R720 and Dell 2900 appliances, the ASM partition is sdb1.
l For all other appliances, the ASM partition is sda3.
You can confirm the ASM partition with the following command. You must precede the partition name with /dev/.
For example:
Example output:
Procedure
1. Log on to the appliance as the admin user.
2. Verify that RSA Identity Governance and Lifecycle is running. Enter
If RSA Identity Governance and Lifecycle is running, the following message displays:
The contents of the .ear are extracted to a directory in the following location: /tmp/customizeACM/.
Note: If you do not specify the path to the .ear file, the script prompts you to use the currently deployed
.ear file. If you want to use the currently deployed .ear, enter yes. If you do not want to use the currently
deployed .ear, enter no.
customizeACM.sh -d
l Archives the new .ear file to the following location, appending a time and date stamp to the
name: /archive.
l Deploys the new customized .ear file.
This procedure starts the RSA Identity Governance and Lifecycle server and all services.
Procedure
1. Log in to the installation machine as the ‘admin’ user.
2. Enter the following command:
You are required to stop the RSA Identity Governance and Lifecycle server and all services prior to upgrading
RSA software.
Procedure
1. Log in to the installation machine as the ‘admin’ user.
2. Enter the following command:
Note: This procedure pertains to an RSA appliance database scenario. In a customer-supplied database
scenario, consult the DBA for the database.
4. You can check the status of the operations using the following command:
You can check the status of database operations, including OEM operations, using the following
command:
Note: ACMWatchdog.sh will automatically start OEM if AVDB is running on the machine if OEM was not
explicitly stopped through "service aveska_server stopoem" or "service aveksa_server stoporacle."
RSA recommends that you copy the backup file to an external drive. Restoration of a backup must be on a
machine that has the same version of the backup installed. If, for example, you were restoring a backup of
v6.0.2, you would be required to install v6.0.2 on the restoration target machine. You would also restore the
database schema from the saved database dump. Depending on the version you plan to restore, you may be
required to install a new operating system, which overwrites all data on the appliance. Consult the installation
guide for your restoration version to ensure you meet all system requirements for that version.
The following procedure applies only to appliance, software bundle, and virtual application deployments.
This section outlines the steps to backup the RSA Identity Governance and Lifecycle configuration settings so
they can be restored if necessary. See Restore RSA Identity Governance and Lifecycle for information on
restoring a software backup.
Procedure
1. Log in as the root user.
2. Stop AFX if it is installed:
<path-to-AFX>/afx stop
cd <aveksa_staging_directory>/deploy/ACM-scripts/
./acm_backup.sh
The command creates a file named Backup<product version>.tar in the following directory:
ORACLE_HOME/AveksaExportImportDir
Keep the Backup<product-version>.tar file in a safe place where it can be accessed in case you need to restore.
This procedure describes how to restore the software installation from a backup file. The restore script
performs its operations by overlaying changes onto an existing environment installed to the same version from
which the backup was taken.
Note: You can restore a product version only on a machine that has the same version installed. You must also
use a database dump from the same version to restore the database data and associated KEK and keystore files.
Procedure
1. Log in to the installation machine as the root user.
2. Copy the Backup<version>.tar file from the off-appliance drive where you copied the backup to the
following directory:
/home/oracle/AveksaExportImportDir
/home/oracle/deploy
4. Enter the following command to restore the RSA Identity Governance and Lifecycle deployment:
./acm_restore.sh
5. Import a database dump corresponding to the version of the RSA Identity Governance and Lifecycle
software dump you just restored. See Importing AVUSER Schema/Data for a Database Restoration/Load
for more information.
6. Migrate the database as describe in Migrating the Database.
7. Restart the database as described in Starting and Stopping the Oracle Database and Oracle Services.
8. Start services as described in Starting RSA Identity Governance and Lifecycle Services.
Procedure
1. Shut down all application servers that use the database instance.
2. Shut down the database.
3. Move the database to the new host or change the host's name and/or IP address.
4. Start the database instance.
5. On the application server host:
a. In /home/oracle/Aveksa_System.cfg, update the following variables:
Setting Variable
Oracle IP REMOTE_ORACLE_IP=
Port REMOTE_ORACLE_PORT=
SID ORACLE_SID=
<connection-url>jdbc:oracle:thin:@//HOST:PORT/SID
For example
<connection-url>jdbc:oracle:thin:@//myOracleBox:1521/avdb60
d. System scripts may reference the Oracle SID. Update the setDeployEnv.sh script in the
/home/oracle and /root directories with the applicable SID for your environment to ensure that
the scripts to execute properly.
export ORACLE_SID=AVDB
l AVUSER
l AVDWUSER
l ACMDB
With the exception of SYS, which is a default Oracle database user, an appliance installation creates these users
with default passwords after the Oracle database is installed. In a customer-supplied database installation
scenario, the passwords are defined for the database users by the DBA.
RSA Identity Governance and Lifecycle stores database user passwords encrypted. Database user information is
stored in the following locations:
l Aveksa_System.cfg — Stores high-level information about the RSA Identity Governance and Lifecycle
environment and the users used to access and work with RSA Identity Governance and Lifecycle.
If you are required to change the password for a database user, it must first be changed within the database
before you change it in RSA Identity Governance and Lifecycle files. Repeat the following procedure for each
database user whose password you want to change. The AVUSER database user is used as an example in the
following procedure.
Procedure:
1. As the oracle user, change the database user password in the database using the following
SQL command syntax:
2. As the oracle user, update the password property with the cleartext password you want to change for
the database user in /home/oracle/Aveksa_System.cfg. Remove the braces ( { } )when you set the
cleartext password unless they are actually part of the password.
3. As the root user, encrypt the password by running the following command for the database user from
the /home/oracle/deploy directory:
./generateLoginKey.sh <avuser|avdwuser|acmdb|perfstat|sys>
4. As the oracle user, update the security domain name under security subsystem with the encrypted
password you want to change in $AVEKSA_WILDFLY_HOME/standalone/configuration/aveksa-
standalone-full.xml:
Security Domain
Database Username
Name
EncryptedPassword-
AVUSER
AVDB
EncryptedPassword-
AVDWUSER
AVDWDB
EncryptedPassword-
ACMDB
5. As the oracle user, restart RSA Identity Governance and Lifecycle to apply your changes:
acm restart
Procedure
Update the occurrences of perfstat username with the new username value in the following file:
/home/oracle/wildfly/standalone/configuration/aveksa-standalone-full.xml
Search for instances of the EncryptAVPERFPassword in the file. Change the username field with the configured
user for statspack. For example:
<application-policy name="EncryptAVPERFPassword">
<authentication>
<login-module
code="org.wildfly.resource.security.SecureIdentityLoginModule"
flag="required">
<module-option name="username">MyStatsUserName</module-
option>
<module-option name="password">-91f121c430503dd</module-
option>
<module-option
name="managedConnectionFactoryName">wildfly.jca:service=Loc
alTxCM,name=avdb</module-option>
</login-module>
</authentication>
</application-policy>
acm-heap-dump-date.hprof
You can also create a heap dump file at any time using the following commands:
service aveksa_server heap-dump-force — Forces the creation of a heap dump file in an unresponsive process.
If unnecessary records are not pruned (or deleted) from this table it can become extremely large. This is
detrimental in the following ways:
Admin > Monitoring > Action button — Provides multiple data run deletion options. For more information, see
Prune the Statistics Table from the Monitoring Page.
Note: For more information on managing data runs, see the Help topic, "Managing Data Runs."
Procedure:
l modifyhostname.sh
l modifynetworksettings.sh
You must run these commands as the root user. For either or both modifications, you must reboot the system
for the changes to take effect.
Note: Do not use this procedure for virtual application deployments. To change the hostname or network
settings on a virtual application, use the RSA Identity Governance and Lifecycle virtual application setup
interface. For more information, see Set Up the RSA Identity Governance and Lifecycle Virtual Application on
page 54.
modifyhostname.sh requires the server to be stopped (service aveksa_server stop), but Oracle must be
running (service aveksa_server startoracle) if it is installed..
modifynetworksettings.sh requires the server and oracle to be stopped (service aveksa_server stop and service
aveksa_server stoporacle).
Where:
After you modify the hostname, you must perform the following steps to update the server.keystore and
client.keystore.
1. Log in to RSA Identity Governance and Lifecycle, and go to Admin > System > Security. In a clustered
environment, perform this step on the single system operations node (SON).
2. Click Change Certificate Store, and click OK to change the root certificate and CA.
3. Click Download and save the server.keystore file to a location on your computer.
4. Go to AFX > Servers, click Change Certificate Store, and click OK to change the client certificate.
5. Click Download and save the client.keystore file to a location on your computer.
6. Stop the ACM and AFX servers.
7. Copy the new server.keystore file to the location on the server where your web server reads the
keystore. For example, $AVEKSA_HOME/keystore.
8. Copy the new client.keystore file to the AFX server under <AFX-server-root>/esb/conf.
9. Update the client.keystore files from the remote agents after you download the corresponding
client.keystore from RSA Identity Governance and Lifecycle.
10. Restart the ACM and AFX servers and verify connectivity with the endpoints.
Note: RSA recommends that you back up your database and any other data that may be lost during the
uninstallation process. This may include any localized files you have changed, keystores with installed
certificates, or configuration files that were modified.
Procedure
1. Log in to the installation machine as the ‘root’ user.
Note: You must log in as the root account to ensure that the proper permissions are granted. This
procedure may not work using any other account.
2. Stop all RSA Identity Governance and Lifecycle and Oracle services. See Stopping RSA Identity
Governance and Lifecycle Services and Starting and Stopping the Oracle Database and Oracle Services
for more information.
3. Navigate to the following directory:
cd /tmp/aveksa/staging/deploy
./uninstall.sh
You can check results of the uninstall process in the uninstall log file in the /tmp directory. For example:
/tmp/aveksa-uninstall.log.Dec-21-2011.07.42.26
RSA provides a sample authentication source that can be used for a demonstration or testing installation that
takes any known user name in the system with any password provided. The test authentication module is often
used to simplify the process of testing with large numbers of users. The test module is associated with an
identity collector that collects the identities into the system.
To set up the authentication module, you must create an authentication source. The JAAS module required for
the authentication source is pre-configured in the application server. This section demonstrates how to create
the authentication source named “TestAuthProvider.” You can use any name, and you can create multiple test
authentication modules for different Identity collectors.
You must restart RSA Identity Governance and Lifecycle after you configure the test authentication module.
Procedure
Use the following SQL commands to insert the test authentication source, TestAuthProvider, into database (the
commands should be issued from the user: avuser):
VALUES(AUTH_CONFIGURATION_SEQUENCE.nextval, 1, 'TestAuthenticator',
'TestAuthProviderType',
'com.aveksa.server.authentication.TestLoginModule');
The example SQL configures the authentication source associated with the Identity collector with IDC_ID = 1.
This assumes the identity collector identified by IDC = 1, which is typically the first identity collector configured
in your environment. It may not be the correct ID for the collector you want to associate with the test
authentication module in your environment. Therefore, you should run the SQL above with the IDC_ID of the
collector you choose to associate with the authentication module.
To get a list of the identity collectors and their IDs, run the following SQL:
IDC_ID
----------
Next, check the name, status, and type of those IDC_IDs to provide more information when determining the
appropriate IDC to configure using the list of IDC_ID's from the previous step. For example:
So if you decide to configure the test authentication module against the corporate users from Collector ID 3,
specify that value for the IDC_ID in the SQL as shown below:
AUTH_CONFIGURED_PROPERTIES,AUTH_PROVIDER_TYPE,AUTH_PROVIDER_CLASS)
VALUES(AUTH_CONFIGURATION_SEQUENCE.nextval, 3, 'TestAuthenticator',
'TestAuthProviderType',
'com.aveksa.server.authentication.TestLoginModule');
Note: You must restart RSA Identity Governance and Lifecycle after you configure the test authentication
module
l http://<machine>:9080/aveksa/main
l https://<machine>:9443/aveksa/main
The ports referenced are typical default ports for WebSphere. These may vary. In that case, consult the
WebSphere administrator who installed the RSA Identity Governance and Lifecycle software for the correct
ports.
Procedure
1. Set up a working directory, “new_ear” for example.
2. Copy the aveksa.ear file to the working directory.
3. Create a temporary ear directory, “ear_dir” for example, in the working directory.
4. Create a temporary war directory, “war_dir” for example, in the working directory.
5. Unzip aveksa.ear in the temporary ear directory (ear_dir):
cd ear_dir
cd ../war_dir
188
RSA Identity Governance and Lifecycle Installation Guide 7.2.1
7. Complete any modification/changes to the files within the ear_dir or war_dir directories.
For example, if you created your database instance with non-default names (for AVUSER, AVDWUSER,
etc) or non-default database tablespace names, then you need to edit Aveksa_System.cfg file to add the
appropriate values to the aveksa.ear.
cd war_dir
cd ../ear_dir
The aveksa.ear in the working directory now has been updated with the changes. You can now specify
the path for your modified ear for deployment updates. For example:
new_ear/aveksa.ear
10. Make sure the .ear file has read permissions for the account ID (for example, wasadmin) that will need to
open it.
Wait until all tasks have completed before proceeding with the upgrade.
You do not need to open the port on any firewalls, but you must configure the port as described in this task.
Procedure
1. In the WebSphere console, click Servers > Server types > WebSphere application servers > Select
server.
2. Create a new Web container. Click Container Settings > Web Container Settings > Web container
transport chains > New.
3. Configure the following settings:
l Transport Name: WCAveksa8080
l Transport chain Template: default chain template Chain_1
189
RSA Identity Governance and Lifecycle Installation Guide 7.2.1
Localization Configuration
RSA Identity Governance and Lifecycle can be localized to English, French, and German. By default, the RSA
Identity Governance and Lifecycle user interface is set to the language to which your internet browser is set.
This section describes how to create your own custom localization files for additional languages.
Procedure
1. Translate the contents of the following file to the language you want to provide as a localization option:
aveksa.ear/aveksa.war/WEB-INF/classes/com/aveksa/gui
/strings.properties
aveksa.ear/aveksa.war/WEB-INF/classes/com/aveksa/gui
/strings_XX.properties
where
XX is the ISO-639 two-letter code of the language you want to use. The following table contains
examples of the codes:
de German
fr French
ja Japanese
ko Korean
zh Chinese
3. Modify the Aveksa ear file with the additional localization file and then redeploy the file into the
application server and restart the server. For more information, see Modifying the Enterprise Archive.
Note: Custom localization files are deleted when you upgrade system software. Therefore, before you upgrade
you must save any custom files to a location that is not on the system. Also, you must update the translation as
190
RSA Identity Governance and Lifecycle Installation Guide 7.2.1
new strings are introduced to the product between releases. Localization of online help is not currently
supported.
l RSA Identity Governance and Lifecycle user. The default name is AVUSER.
l RSA Identity Governance and Lifecycle reporting engine user. The default name is AVDWUSER.
l RSA Identity Governance and Lifecycle public database schema user. The default name is ACMDB.
Procedure
1. Open the aveksa.ear/aveksa.war/WEB-INF/Aveksa_System.cfg file for editing.
2. Replace the default (or previously specified non-default) name value with the names configured for the
database:
AVEKSA_USER=AVUSER
AVEKSA_REPORTS_USER=AVDWUSER
AVEKSA_PUBLIC_DB_USER=ACMDB
3. Modify and redeploy the Aveksa ear file with the changes you made to the Aveksa_System.cfg file. See
Modifying the Enterprise Archive for more information.
l DATA_256K
l DATA_1M
l DATA_25M
l DATA_50M
l INDX_256K
l INDX_1M
l INDX_25M
l INDX_50M
l DEFAULT_TABLESPACE
l TEMP_TABLESPACE
If non-default names are configured in the database, you must update the Aveksa_System.cfg file and modify
and redeploy the aveksa ear file.
Procedure
191
RSA Identity Governance and Lifecycle Installation Guide 7.2.1
3. Designate a tablespace for the DEFAULT_TABLESPACE variable and, optionally, one for the TEMP_
TABLESPACE variable:
1. DEFAULT_TABLESPACE= DATA_1M
2. TEMP_TABLESPACE=TEMP
If, for example, you created 2 tablespaces for indexes (small, large) and 2 Tablespaces for data (small,
large) you might have an Aveksa_System.cfg that looks like this:
l DATA1_TABLESPACE=ACM_DATA_SMALL
l DATA2_TABLESPACE=ACM_DATA_SMALL
l DATA3_TABLESPACE=ACM_DATA_LARGE
l DATA4_TABLESPACE=ACM_DATA_LARGE
l INDX1_TABLESPACE=ACM_INDEX_SMALL
l INDX2_TABLESPACE=ACM_INDEX_SMALL
l INDX3_TABLESPACE=ACM_INDEX_LARGE
l INDX4_TABLESPACE=ACM_INDEX_LARGE
l DEFAULT_TABLESPACE=ACM_DATA_LARGE
Modify and deploy the aveksa.ear file application server. See Modifying the Enterprise Archive for more
information.
l AVUSER
l AVDWUSER
l ACMDB
Procedure
1. From the Security menu, select, Global Security
2. Under Authentication, expand Java Authentication and Authorization Service and select J2C
authentication data.
192
RSA Identity Governance and Lifecycle Installation Guide 7.2.1
RSA recommends that you then test the connections for the ACM JDBC data sources.
A patch is version specific, that is, it can only be installed on the base version for which it was developed. For
example, you cannot update product version X with a version Y patch without first installing version Y. Also,
patches are cumulative, that is, they include all fixes included in previous patches. For example, if P02 (patch
version 02) was previously installed you can install P05 without having to first install P03 and P04. RSA
recommends that you do not attempt to install a previous version of a patch over a later version of a patch.
Procedure
1. Download the following files from RSA SecureCare Online:
l PatchInfo.txt: Contains information on the fixes provided by the patch and any prerequisites that
must be met before you install it.
l Patch_<version>_Release_Notes.pdf
l ACM-WebSphere-<product version>_P0<version number>.tar.gz
Follow the instructions in the Upgrade and Migration Guide to deploy the ear file. This involves a full
install of the ear. Any modifications made in your installation will also need to be made to the hotfix ear
before deployment. See Modifying the Enterprise Archive for more information.
RSA provides a sample authentication source that can be used for a demonstration or testing installation that
takes any known user name in the system with any password provided. The test authentication module is often
193
RSA Identity Governance and Lifecycle Installation Guide 7.2.1
used to simplify the process of testing with large numbers of users. The test module is associated with an
identity collector that collects the identities into the system.
To set up the authentication module, you must create an authentication source. The JAAS module required for
the authentication source is pre-configured in the application server. This section demonstrates how to create
the authentication source named “TestAuthProvider.” You can use any name, and you can create multiple test
authentication modules for different Identity collectors.
You must restart RSA Identity Governance and Lifecycle after you configure the test authentication module.
Procedure
Use the following SQL commands to insert the test authentication source, TestAuthProvider, into database (the
commands should be issued from the user: avuser):
VALUES(AUTH_CONFIGURATION_SEQUENCE.nextval, 1, 'TestAuthenticator',
'TestAuthProviderType',
'com.aveksa.server.authentication.TestLoginModule');
The example SQL configures the authentication source associated with the Identity collector with IDC_ID = 1.
This assumes the identity collector identified by IDC = 1, which is typically the first identity collector configured
in your environment. It may not be the correct ID for the collector you want to associate with the test
authentication module in your environment. Therefore, you should run the SQL above with the IDC_ID of the
collector you choose to associate with the authentication module.
To get a list of the identity collectors and their IDs, run the following SQL:
IDC_ID
----------
Next, check the name, status, and type of those IDC_IDs to provide more information when determining the
appropriate IDC to configure using the list of IDC_ID's from the previous step. For example:
194
RSA Identity Governance and Lifecycle Installation Guide 7.2.1
So if you decide to configure the test authentication module against the corporate users from Collector ID 3,
specify that value for the IDC_ID in the SQL as shown below:
AUTH_CONFIGURED_PROPERTIES,AUTH_PROVIDER_TYPE,AUTH_PROVIDER_CLASS)
VALUES(AUTH_CONFIGURATION_SEQUENCE.nextval, 3, 'TestAuthenticator',
'TestAuthProviderType',
'com.aveksa.server.authentication.TestLoginModule');
Note: You must restart RSA Identity Governance and Lifecycle after you configure the test authentication
module
195
RSA Identity Governance and Lifecycle Installation Guide 7.2.1
is typically available for HTTP on port 7001 for WebLogic, this may vary depending on your system. Contact
Unless there is a web proxy fronting the application server, you can access RSA Identity Governance and
Lifecycle using the following URL:
http://<machine>:7001/aveksa/main
Procedure
1. From the menu, select Deployments.
2. Select the checkbox beside the application and click the stop and start buttons to restart the application.
Restarting RSA Identity Governance and Lifecycle restarts the local agent as well.
Procedure
1. Log in to RSA Identity Governance and Lifecycle.
2. Access the Monitoring feature under the Admin tab to determine whether tasks are running.
Wait until all tasks have completed before proceeding with the upgrade.
196
RSA Identity Governance and Lifecycle Installation Guide 7.2.1
Restarting WebLogic
Use the WebLogic startWeblogic.sh script to start WebLogic, and use the stopWeblogic.sh script to stop
WebLogic. The scripts are located in the following directory:
$WEBLOGIC_HOME/user_projects/domains/aveksaDomain/bin
Procedure
1. Set up a working directory, “new_ear” for example.
2. Copy the aveksa.ear file to the working directory.
3. Create a temporary ear directory, "ear_dir" for example, in the working directory.
4. Unzip aveksa.ear in the ear_dir directory:
cd ear_dir
For example, if you created your database instance with non-default names (for AVUSER, AVDWUSER,
etc) or non-default database tablespace names, then you need to edit Aveksa_System.cfg file to add the
appropriate values to the aveksa.ear.
cd ear_dir
The aveksa.ear in the working directory now has been updated with the changes. You can now specify
the path for your modified ear for deployment updates. For example:
new_ear/aveksa.ear
You do not need to open the port on any firewalls, but you must configure the port as described in this task.
Procedure
1. Log on to the WebLogic console.
2. Select Environment > servers.
3. For each server where RSA Identity Governance and Lifecycle is installed, click the server name and go
to Protocol Tab > Channels > New.
197
RSA Identity Governance and Lifecycle Installation Guide 7.2.1
Localization Configuration
RSA Identity Governance and Lifecycle can be localized to English, French, and German. By default, the RSA
Identity Governance and Lifecycle user interface is set to the language to which your internet browser is set.
This section describes how to create your own custom localization files for additional languages.
Procedure
1. Translate the contents of the following file to the language you want to provide as a localization option:
aveksa.ear/aveksa.war/WEB-INF/classes/com/aveksa/gui
/strings.properties
aveksa.ear/aveksa.war/WEB-INF/classes/com/aveksa/gui
/strings_XX.properties
fr French
ja Japanese
ko Korean
zh Chinese
3. Modify the Aveksa ear file with the additional localization file and then redeploy the file into the
application server and restart the server. See Modifying the Enterprise Archive for more information.
Note: Custom localization files are deleted when you upgrade system software. Therefore you must save any
files you create off the system before you upgrade. Also, you must update the translation as new strings are
introduced to the product between releases. Localization of online help is not currently supported.
l RSA Identity Governance and Lifecycle user. The default name is AVUSER.
l RSA Identity Governance and Lifecycle reporting engine user. The default name is AVDWUSER.
198
RSA Identity Governance and Lifecycle Installation Guide 7.2.1
l RSA Identity Governance and Lifecycle public database schema user. The default name is ACMDB.
Procedure
1. Open the aveksa.ear/aveksa.war/WEB-INF/Aveksa_System.cfg file for editing.
2. Replace the default (or previously specified non-default) name value with the names configured for the
database:
AVEKSA_USER=AVUSER
AVEKSA_REPORTS_USER=AVDWUSER
AVEKSA_PUBLIC_DB_USER=ACMDB
3. Modify and redeploy the Aveksa ear file with the changes you made to the Aveksa_System.cfg file. See
Modifying the Enterprise Archive for more information.
l DATA_256K
l DATA_1M
l DATA_25M
l DATA_50M
l INDX_256K
l INDX_1M
l INDX_25M
l INDX_50M
l DEFAULT_TABLESPACE
l TEMP_TABLESPACE
If non-default names are configured in the database, you must update the Aveksa_System.cfg file and modify
and redeploy the aveksa ear file.
Procedure
1. Open the aveksa.ear/aveksa.war/WEB-INF/Aveksa_System.cfg file.
2. Replace the default name with a non-default name as follows:
l DATA1_TABLESPACE=DATA_256K
l DATA2_TABLESPACE=DATA_1M
l DATA3_TABLESPACE=DATA_25M
l DATA4_TABLESPACE=DATA_50M
l INDX1_TABLESPACE=INDX_256K
l INDX2_TABLESPACE=INDX_1M
199
RSA Identity Governance and Lifecycle Installation Guide 7.2.1
l INDX3_TABLESPACE=INDX_25M
l INDX4_TABLESPACE=INDX_50M
3. Designate a tablespace for the DEFAULT_TABLESPACE variable and, optionally, one for the TEMP_
TABLESPACE variable:
l DEFAULT_TABLESPACE= DATA_1M
l TEMP_TABLESPACE=TEMP
If, for example, you created 2 tablespaces for indexes (small, large) and 2 Tablespaces for data (small,
large) you might have an Aveksa_System.cfg that looks like this:
l DATA1_TABLESPACE=ACM_DATA_SMALL
l DATA2_TABLESPACE=ACM_DATA_SMALL
l DATA3_TABLESPACE=ACM_DATA_LARGE
l DATA4_TABLESPACE=ACM_DATA_LARGE
l INDX1_TABLESPACE=ACM_INDEX_SMALL
l INDX2_TABLESPACE=ACM_INDEX_SMALL
l INDX3_TABLESPACE=ACM_INDEX_LARGE
l INDX4_TABLESPACE=ACM_INDEX_LARGE
l DEFAULT_TABLESPACE=ACM_DATA_LARGE
4. Save and close the aveksa.ear/aveksa.war/WEB-INF/Aveksa_System.cfg file.
Modify and deploy the aveksa.ear file application server. See Modifying the Enterprise Archive for more
information.
l AVUSER
l AVDWUSER
l ACMDB
Procedure
1. Edit a JDBC data source for AVDB (Services > Data Sources).
2. Click the data source.
3. From Configuration, select the Connection Pool tab.
4. Edit the Password field with the new password.
RSA recommends that you then test the connections for the JDBC data sources.
200
RSA Identity Governance and Lifecycle Installation Guide 7.2.1
Once you have changed security realm settings (as described in Create Security Realm Users and Groups) and
exploded the EAR, you can change a user’s password and change the principle user. All changes you make to
files in the EAR must match those made to security realm settings.
Procedure
1. Open the hibernate-cfg.xml file that is located in the aveksa.war/WEB-INF directory path.
2. Replace the principle user value, “aveksaUser” and the default principle user password, “Aveksa123,”
with the new values you specified for the security realm in the following lines:
<property name="hibernate.jndi.java.naming.security.principal">aveksaUser</property>
<property name="hibernate.jndi.java.naming.security.credentials">Aveksa123</property>
<run-as-role-assignment>
<role-name>acmUsers</role-name>
<run-as-principal-name>aveksaUser</run-as-principal-name>
</run-as-role-assignment>
A patch is version specific, that is, it can only be installed on the base version for which it was developed. For
example, you cannot update product version X with a version Y patch without first installing version Y. Also,
patches are cumulative, that is, they include all fixes included in previous patches. For example, if P02 (patch
version 02) was previously installed you can install P05 without having to first install P03 and P04. RSA
recommends that you do not attempt to install a previous version of a patch over a later version of a patch.
Procedure
1. Download the following files from RSA SecureCare Online:
l PatchInfo.txt: Contains information on the fixes provided by the patch and any prerequisites that
must be met before you install it.
l Patch_<version>_Release_Notes.pdf
l ACM-WebLogic-<product version>_P0<version number>.tar.gz
Follow the instructions in the Upgrade and Migration Guide to deploy the ear file. This involves a full
201
RSA Identity Governance and Lifecycle Installation Guide 7.2.1
install of the ear. Any modifications made in your installation will also need to be made to the hotfix ear
before deployment. See Modifying the Enterprise Archive for more information.
Procedure
1. Open the Administrative Console.
2. Go to Deployments, and select aveksa.
3. Stop the aveksa application if it is running.
4. Click Delete.
RSA provides a sample authentication source that can be used for a demonstration or testing installation that
takes any known user name in the system with any password provided. The test authentication module is often
used to simplify the process of testing with large numbers of users. The test module is associated with an
identity collector that collects the identities into the system.
To set up the authentication module, you must create an authentication source. The JAAS module required for
the authentication source is pre-configured in the application server. This section demonstrates how to create
the authentication source named “TestAuthProvider.” You can use any name, and you can create multiple test
authentication modules for different Identity collectors.
You must restart RSA Identity Governance and Lifecycle after you configure the test authentication module.
Procedure
Use the following SQL commands to insert the test authentication source, TestAuthProvider, into database (the
commands should be issued from the user: avuser):
VALUES(AUTH_CONFIGURATION_SEQUENCE.nextval, 1, 'TestAuthenticator',
'TestAuthProviderType',
'com.aveksa.server.authentication.TestLoginModule');
The example SQL configures the authentication source associated with the Identity collector with IDC_ID = 1.
This assumes the identity collector identified by IDC = 1, which is typically the first identity collector configured
in your environment. It may not be the correct ID for the collector you want to associate with the test
authentication module in your environment. Therefore, you should run the SQL above with the IDC_ID of the
collector you choose to associate with the authentication module.
To get a list of the identity collectors and their IDs, run the following SQL:
202
RSA Identity Governance and Lifecycle Installation Guide 7.2.1
IDC_ID
----------
Next, check the name, status, and type of those IDC_IDs to provide more information when determining the
appropriate IDC to configure using the list of IDC_ID's from the previous step. For example:
So if you decide to configure the test authentication module against the corporate users from Collector ID 3,
specify that value for the IDC_ID in the SQL as shown below:
AUTH_CONFIGURED_PROPERTIES,AUTH_PROVIDER_TYPE,AUTH_PROVIDER_CLASS)
VALUES(AUTH_CONFIGURATION_SEQUENCE.nextval, 3, 'TestAuthenticator',
'TestAuthProviderType',
'com.aveksa.server.authentication.TestLoginModule');
Note: You must restart RSA Identity Governance and Lifecycle after you configure the test authentication
module
This procedure describes how to uninstall AFX from an appliance or software bundle server using the uninstall
script. You might perform this procedure if the installation process fails on an RSA appliance or on a Software
Bundle server where RSA Identity Governance and Lifecycle is installed.
Note: RSA recommends that you back up your data that may be lost during the uninstallation process. This
may include any localized files you have changed, keystores with installed certificates, or configuration files that
were modified.
203
RSA Identity Governance and Lifecycle Installation Guide 7.2.1
Procedure
1. Log in to the installation machine as the root user.
Note: You must log in as the root account to ensure that the proper permissions are granted. This
procedure may not work using a different account.
2. Stop the AFX server. For instructions, see Stop the AFX Server on page 127.
3. Navigate to the following directory:
cd <aveksa-staging-directory>/deploy/AFX-scripts/
./uninstallAFX.sh
You can check results of the uninstall process in the uninstall log file in the /tmp directory.
For example:
/tmp/afx-uninstall.log.Dec-21-2011.07.42.26
Note: RSA recommends that you back up your data that may be lost during the uninstallation process. This
may include any localized files you have changed, keystores with installed certificates, or configuration files that
were modified.
Procedure
1. Log in to the AFX server using the afx account.
2. Stop the AFX server. For instructions, see Stop the AFX Server on page 127.
3. If the afx_server service is installed and configured, perform these steps to remove the afx_server
service. Otherwise, skip this step.
a. Log in as root to the AFX server.
b. Unregister the service:
rm /etc/init.d/afx_server
cd /home/afxuser
rm -rf AFX
204
RSA Identity Governance and Lifecycle Installation Guide 7.2.1
After you complete the installation process, log in to the RSA Identity Governance and Lifecycle user interface
and check RSA Identity Governance and Lifecycle capabilities:
Note: If the installation failed and you must uninstall RSA Identity Governance and Lifecycle, see Uninstalling
for instructions.
205