
AIMS

Installation and Licensing Guide

Version 9

2603 Camino Ramon Suite 110 San Ramon, CA 94583

Toll Free: 800-609-8610 Direct: 925-217-5170 FAX: 925-217-0853 Email: [email protected]


Limited Warranty

Avatier Corporation warrants that the overall performance of the software will be substantially in accordance with its documentation.

Avatier Corporation makes no warranty, representation, or promise not expressly set forth in this limited warranty. Avatier Corporation does not warrant that the software or documentation will satisfy your requirements, that the software and documentation are without defect or error, or that the operation of the software will be uninterrupted. Avatier Corporation disclaims and excludes any and all implied warranties of merchantability, title, and fitness for a particular purpose.

Limitations on Liability and Remedies

Avatier Corporation’s liability arising from your use of the software and its documentation is limited to the total paid by or for you for the software package. Neither Avatier Corporation nor any of its licensers, employees, or agents shall be liable for any special, incidental, consequential, indirect, or punitive damages, even if advised of the possibility of those damages. This warranty gives you specific legal rights.

You may have others, which vary from state to state.


Table of Contents

1  AIMS INSTALLATION GUIDELINES
1.1  SERVER REQUIREMENTS
1.2  AIMS SERVER BUILD STEPS
1.3  SERVICE ACCOUNT REQUIREMENTS
1.4  DETERMINE THE LOCATION OF THE AIMS AUDIT LOGS AND AIMS CONFIGURATION FILES
1.5  IMPORTANT .NET AND ASPNET PERFORMANCE CONSIDERATIONS
1.6  DR. WATSON PROCESS AND AIMS
1.7  .NET 1.1 AND .NET 2.0/3.5 RUNTIME DIFFERENCES
1.8  IMPORTANT INFORMATION FOR WEB AGENT (SOAP) BASED CONNECTORS
1.9  OBTAIN THE LATEST AIMS SOFTWARE
1.10  SOFTWARE INSTALLATION
2  LICENSING AIMS PRODUCTS
2.1  ACCESSING THE MAIN CONFIGURATION PAGE
2.2  APPLYING THE AIMS PRODUCT LICENSE
2.2.1  Online Licensing
2.2.2  Offline Licensing


Table of Figures

Figure 1 - Avatier Identity Management Server Installation Wizard
Figure 2 - Click Through License Agreement
Figure 3 - Destination Folder Selection Screen
Figure 4 - AIMS Service Account Configuration
Figure 5 - AIMS Products Selection Screen
Figure 6 - Enrollment Domain Selection Screen
Figure 7 - Domain Selection Screen
Figure 8 - Web Resources Configuration Dialog
Figure 9 - Web Site Configuration Notes
Figure 10 - Installation Progress Dialog
Figure 11 - Installation Wizard Completion Screen
Figure 12 - AIMS Main Configuration Screen
Figure 13 - License Status Screen
Figure 14 - Entering License Information
Figure 15 - Offline License Request Data
Figure 16 - Locate and Import Offline License File


1 AIMS Installation Guidelines

1.1 Server Requirements

It is strongly recommended that AIMS run on its own dedicated server.

• Operating System:

32 Bit Operating System (2 options)

  • Windows Server 2008 and all current Microsoft Security Patches
  • Windows Server 2003 Standard SP2 if 4 GB RAM, Enterprise edition if more than 4 GB RAM, and all current Microsoft Security Patches

64 Bit Operating System

  • Windows Server 2008
  • Windows Server 2008 R2

Internet Information Server

• On Server 2003:

  • IIS 6
  • ASPNET
  • .NET 4.0 Runtime - The full .NET 4.0 installation is required, not just the .NET Client Profile component.
  • ASPNET allowed as a web service extension

• On Server 2008:

  • IIS 7
  • ASPNET
  • Basic, Windows Integrated and Anonymous access methods installed
  • .NET 4.0 Runtime - The full .NET 4.0 installation is required, not just the .NET Client Profile component.
  • ASPNET allowed as a web services extension

• CPU and RAM:

Physical Server

  • Physical Server Minimum: Single CPU 3.0 GHz, 4 GB RAM
  • Physical Server Recommended: Dual CPU 3.0 GHz, 8 GB RAM

Virtual Server

  • Virtual Server Minimum: Single CPU 3.0 GHz, 4 GB RAM
  • Virtual Server Recommended: Multiple CPU 3.0 GHz, 8 GB RAM

Note: Allocation of multiple CPUs to a virtual guest operating system does not guarantee an improvement in performance since virtualization technologies use shared CPU cycles of the host machine. Check with your virtualization system administrator for the limitations of your virtual environment.


1.2 AIMS Server Build Steps

It is extremely important that the server preparation tasks be performed in the following order:

• Build the base server.
• Install IIS 6 for Windows 2003 or IIS 7 for Windows 2008.
• Install the .NET 4.0 Framework (full standalone version).

In addition, you may want to verify that the following is not enforced in your environment for the AIMS Server or the AIMS service account that will be created:

• Are there any group policies in place that will prevent anonymous access to the web structure directories that require anonymous access in AIMS? If yes, you will need to make exceptions to the GPO to allow anonymous access to the needed directory structure in AIMS.

• Has any baseline security product been installed on the server, either for the operating system or for IIS, that would prevent anonymous access? If yes, this security policy will need adjustment.

1.3 Installation and Service Account Requirements

Create an account that will be used to start the Avatier Identity Management Server service, and proxy all requests for the AIMS Suite of products.

This account needs to be:

• A member of the "domain admins" group
• A member of the AIMS server's local Administrators group
• Granted the "logon as service" right
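A read-only check of the three requirements above, added here as an example and not part of the Avatier guide. The function name Test-AimsServiceAccount and the account CORP\svc-aims are placeholders; it assumes a domain-joined server and an elevated prompt, which secedit requires.

```powershell
# Added example (not from the Avatier guide). Run elevated on the AIMS server.
# 'CORP\svc-aims' below is a placeholder account name.
function Test-AimsServiceAccount {
    param([Parameter(Mandatory=$true)][string]$Account)   # DOMAIN\user

    $sidType = [System.Security.Principal.SecurityIdentifier]
    $ntType  = [System.Security.Principal.NTAccount]
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate($sidType)

    # SIDs the account holds: its own plus every (nested) domain group, via tokenGroups.
    $user = [ADSI]"LDAP://<SID=$($sid.Value)>"
    $user.psbase.RefreshCache(@('tokenGroups'))
    $held = @($sid.Value)
    foreach ($bytes in $user.psbase.Properties['tokenGroups']) {
        $held += (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
    }

    # Requirement 1: Domain Admins is the well-known RID 512 in the account's domain.
    $isDomainAdmin = $held -contains ($sid.AccountDomainSid.Value + '-512')

    # Requirement 2: local Administrators (S-1-5-32-544), directly or through a held group.
    $adminsSid  = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')
    $adminsName = $adminsSid.Translate($ntType).Value.Split('\')[1]
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$adminsName,group"
    $isLocalAdmin = $false
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        $b = $member.GetType().InvokeMember('objectSid', 'GetProperty', $null, $member, $null)
        $memberSid = (New-Object System.Security.Principal.SecurityIdentifier($b, 0)).Value
        if ($held -contains $memberSid) { $isLocalAdmin = $true }
    }
    if ($isLocalAdmin) { $held += 'S-1-5-32-544' }

    # Requirement 3: "Log on as a service" is SeServiceLogonRight in the exported policy.
    $inf = Join-Path $env:TEMP ('user-rights-{0}.inf' -f [guid]::NewGuid())
    secedit.exe /export /areas USER_RIGHTS /cfg $inf | Out-Null
    $line = Get-Content -LiteralPath $inf | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }
    Remove-Item -LiteralPath $inf
    $granted = @()
    if ($line) {
        # Entries are "*<SID>" or, for some accounts, a bare name.
        $granted = ($line -split '=', 2)[1].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') }
    }
    $hasServiceLogon = [bool]($granted | Where-Object { ($held -contains $_) -or ($_ -eq $Account) })

    New-Object PSObject -Property @{
        Account             = $Account
        DomainAdmins        = $isDomainAdmin
        LocalAdministrators = $isLocalAdmin
        LogonAsService      = $hasServiceLogon
    }
}

Test-AimsServiceAccount -Account 'CORP\svc-aims'
```

Recording the output before installation gives a baseline to compare against when the account's privileges are reviewed later.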


1.4 Determine the Location of the AIMS Audit Logs and AIMS Configuration Files

AIMS versions prior to 8.0 differ in their base installations with regard to the lightweight database architecture used to store the AIMS audit log and AIMS configuration settings. AIMS versions prior to version 8.0 stored their data in Microsoft Access format. Beginning with AIMS 8.0, all configuration and audit data is stored in VistaDB file format. After the initial installation of the AIMS suite, migrate the configuration and audit data to a more powerful database engine. AIMS supports loading its configuration files into Microsoft SQL Server versions 2003, 2005, and 2008, as well as Oracle.

Customers who have already migrated their audit log data to MS SQL Server in a prior version of AIMS can continue to write their audit log data to their existing database.

Upon an upgrade of AIMS to version 9.0, all local Microsoft Access files used in the previous versions of AIMS will be converted to VistaDB format.

Once you have upgraded to 9.0 or have installed AIMS 9.0 from scratch, please contact [email protected] for complete instructions on migrating your configuration and audit log data to Microsoft SQL Server or Oracle.

1.5 .NET 1.1 and .NET 4.0 Runtime differences

Under the .NET 1.1 runtime environment, if an error condition was detected in the application pool, the .NET runtime environment logged the error but continued to function. The .NET 4.0 runtime environment differs with respect to how multiple errors are handled: .NET 4.0 will actually stop and restart the application pool associated with the error.

Microsoft has provided a backward compatibility mode in the .NET 4.0 runtime environment to handle situations where you want your application pool to remain active and continue servicing requests for the web application. Avatier recommends setting the backward compatibility mode for the .NET runtime environment.

To set the backward compatibility feature for .NET:

• Use Notepad or another plain text editor to edit the file

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet.config

• Modify

<legacyUnhandledExceptionPolicy enabled="false" />

to

<legacyUnhandledExceptionPolicy enabled="true" />

• Save the changes.
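The same edit as a PowerShell function, added here as an example and not part of the Avatier guide: it changes only the one attribute, keeps a timestamped backup, and can be re-run safely. The function name and the backup file naming are assumptions of this example; on 64-bit servers the .NET Framework keeps a second copy of this file under Framework64, which can be passed as -ConfigPath.

```powershell
# Added example (not from the Avatier guide). Run from an elevated prompt.
function Set-LegacyUnhandledExceptionPolicy {
    param(
        # Path from the guide; override it for the Framework64 copy.
        [string]$ConfigPath = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet.config',
        [bool]$Enabled = $true
    )

    if (-not (Test-Path -LiteralPath $ConfigPath)) {
        throw "aspnet.config not found at $ConfigPath"
    }

    # Parse as XML so only the one attribute changes; keep the file's layout.
    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true
    $xml.Load($ConfigPath)

    $node = $xml.SelectSingleNode('/configuration/runtime/legacyUnhandledExceptionPolicy')
    if ($null -eq $node) {
        throw "No <legacyUnhandledExceptionPolicy> element under <runtime> in $ConfigPath"
    }

    $wanted  = $Enabled.ToString().ToLower()      # "true" or "false"
    $current = $node.GetAttribute('enabled')
    if ($current -eq $wanted) {
        return "unchanged (enabled=`"$current`")"
    }

    # Keep a timestamped copy so the change can be reverted.
    $backup = '{0}.{1}.bak' -f $ConfigPath, (Get-Date -Format 'yyyyMMdd-HHmmss')
    Copy-Item -LiteralPath $ConfigPath -Destination $backup

    $node.SetAttribute('enabled', $wanted)
    $xml.Save($ConfigPath)
    return "changed enabled=`"$current`" -> `"$wanted`" (backup: $backup)"
}

Set-LegacyUnhandledExceptionPolicy
```

The runtime reads aspnet.config when a worker process starts, so the new value applies once the application pool has been recycled.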

1.6 Important Information for Web Agent (SOAP) Based Connectors

The following information is for customers who have installed and configured the AIMS web agent for the following targeted systems, and whose AIMS server is restricted from accessing the Microsoft Windows Update web site either due to firewall or other corporate restrictions.

The AIMS server uses SOAP over SSL to communicate with the installed web agents on the following platforms:

• IBM iSeries (AS400)
• IBM AIX
• LINUX
• HP-UX
• SUN SOLARIS

Microsoft’s Internet Explorer running on Windows Server 2003 SP2 does root certificate checking for items that communicate with a server over SSL. If the ability to access the internet to check the root certificate that is installed on the AIMS server is restricted or prohibited by corporate policy, you will need to turn off root certificate checking on the AIMS server to avoid performance degradation of the product.

To turn off root certificate checking:

• From the AIMS server, click the Start menu, then Settings / Control Panel / Add-Remove Programs.
• Select “Add/Remove Windows Components”.
• Uncheck “Update Root Certificates” from the list, click the “Next” button, and follow the on-screen instructions.

1.7 Obtain the Latest AIMS Software

Please contact Avatier Support at [email protected] to obtain instructions on downloading the latest release of the AIMS 9.0 software.


1.8 Software Installation

Once the IIS server is properly configured, the AIMS installation file has been downloaded, and a Domain Admin Service Account has been created, the installation of Avatier Identity Management Suite can begin.

• Log on to the AIMS server as a Domain Admin (preferably the same account used for the AIMS Service Account).

• Place the AIMS installation file on the server in a temporary directory.

• Double-click on the AIMS installation file.

• The Welcome page of the Avatier Identity Management Server Installation Wizard will appear on the screen and will automatically move to the next screen after a few seconds unless CANCEL is clicked.

Figure 1 - Avatier Identity Management Server Installation Wizard

• Make sure that all other Windows applications are closed prior to running the AIMS installation. This will prevent any common files held open by other applications from not being updated by the installation process. When all other Windows programs are closed, click on the NEXT> button.

Figure 2 - Click Through License Agreement

• This screen displays the Avatier AIMS click through license agreement. By clicking “I accept the license agreement”, the trial evaluation and eventual production use of the software are governed by this widely accepted and legally tested agreement. Please read the license, scroll down to the bottom, click on the “I accept…” radio button, and click NEXT>.

Figure 3 - Destination Folder Selection Screen

• Choose the default location for the software installation, or browse for an alternate location, then click NEXT>.

Figure 4 - AIMS Service Account Configuration

• This screen requires the AIMS Service Account credentials. AIMS and all AIMS modules, including Password Bouncer Enterprise Edition, will use the authority of this account to manage user accounts and passwords. Typically, the account needs to be a Windows Domain Administrator account with full permissions over each domain in which AIMS will manage accounts and passwords. The Service Account must be a member of the local Administrators group on the AIMS server and be able to run locally as a service. Enter the following information in the appropriate fields:

o The domain in which AIMS is being installed.

o The Service Account ID.

o The Service Account Domain Logon Password.

o The Service Account Domain Logon Password again to confirm the password.

• When the information is entered, click NEXT>.

Figure 5 - AIMS Products Selection Screen

• Check / uncheck the product selections, then click NEXT>.

Figure 6 - Enrollment Domain Selection Screen

• This screen offers the selection of the User Enrollment Domain Type. This can either be Microsoft’s Active Directory or another LDAP source.

Figure 7 - Domain Selection Screen

• This screen provides the ability to browse and select all domains AIMS will be managing. Click on the browse button to see a list of identified and available domains. Select all the domains that will be included. Additional domains can be added or removed after AIMS is installed if needed. Click NEXT> to proceed.

Figure 8 - Web Resources Configuration Dialog

• This screen is informational and precedes the screen which will allow you to configure the web site that will be used to configure Password Bouncer. Click the “Next >” button to proceed.

Figure 9 - Web Site Configuration Notes

• AIMS will install as a virtual directory under the default web site.

Figure 10 - Installation Progress Dialog

• The progress of the installation is displayed.

Figure 11 - Installation Wizard Completion Screen

• When the installation has completed, simply click the “Finish” button.

2 Licensing AIMS Products

2.1 Accessing the Main Configuration Page

To begin the configuration of the Avatier Identity Management Suite, access the AIMS Configuration main screen.

• Open a web browser.

• Enter the URL of the AIMS configuration. By default, this URL is:

http://yourservername/aims/config.

• Enter your user id in the format domain\userid.

• Enter your password.

• The following screen will appear:

Figure 12 - AIMS Main Configuration Screen

The configuration screen of the Avatier Identity Management Suite is divided into three distinct sections.

• The left-hand pane, called P1, is a hierarchical tree view of the AIMS product modules.

• The center pane, called P2, contains the options available for the items selected in P1.

• The right pane, called P3, will contain the configurable settings for the option selected in P2.

2.2 Applying the AIMS Product License

Before beginning the configuration of any of the AIMS modules, you must first license the product for use within your organization.

2.2.1 Online Licensing

If the AIMS server has a working Internet connection, and port 443 (SSL) is an allowed outbound protocol on your network:

• Click on Avatier Identity Management Suite in P1.

• Click on “License Status” in the P2 Options pane and the following screen will appear:

Figure 13 - License Status Screen

• Click on the “Install License” button in P3.

Figure 14 - Entering License Information

• Enter the license key that was sent to you from [email protected].

• Enter the email address that is associated with that license key.

• Click the “Get License” button.

• AIMS will connect via the Internet to the Avatier Licensing service and download the license to your AIMS server.

• When you receive the confirmation that the license has installed successfully, click the “Restart” button in P3 to restart the AIMS Web Application and apply the license.

2.2.2 Offline Licensing

If no working Internet connection is available from the AIMS server due to network topology, or a firewall that restricts outbound port 443, you can still license the product; however, it becomes a two-step manual process.

The first step involves generating the file needed for the offline license request and mailing it to [email protected]. The second step is placing the file that Avatier generates for you onto the AIMS server and importing it into the product.

To generate an offline license request:

Figure 15 - Offline License Request Data

• Fill in your company name and email address in the provided fields.

• Click the “Offline License” button.

• Save the file to a temporary location.

• Take the file and mail it to [email protected].

When Avatier receives the offline license request file, they will generate a license file for you and return it to the email address you have specified in the offline license request file.

• Place the attached license file in a temporary location on the AIMS server.

Figure 16 - Locate and Import Offline License File

• Click the “Browse” button and locate the file.

• Click the “Import” button.

Once the license file has been applied, you will be returned to the “License Status” screen. You will need to restart the AIMS web application. Click the “Restart” button to perform this function.
