Tag Archives: CA Identity

CA Governance Minder 12.6.3 on Linux/WebSphere/Oracle

16 Sep

Supported OS

Red Hat Enterprise Linux version 5.x, 6.x, 64-bit architecture

Supported Application Servers

IBM WebSphere ND (on RHEL only) ver 7.0, JDK 1.6.0 (the IBM JDK that ships with that WebSphere version)

IBM WebSphere ND (on RHEL only) ver 8.5.5, JDK 1.6.0 or 1.7.x (IBM JDK)

GM Installation

Governance Minder requires a Linux/Windows host for the J2EE container. In this environment GM will be installed on a WebSphere 8.5.5.5 Cluster. The backend database used is an Oracle 12C database server.

To begin the installation of the GM WebSphere environment you will need to install the Governance Minder binaries. The install files can be downloaded from CA at www.ca.com or copied from the development server at CMS.

Pre-Requisites

Open Ports

netstat -an | grep -E ':(1098|1099|1577|4026|4444|4445|4446|5001|8009|8080|8083|8093|8094|9092)[[:space:]]'

If no results are returned, good. If results are found, use netstat -anp to locate the owning process (the -b flag belongs to the Windows netstat; on Linux -p shows the PID). You must redirect traffic from these ports prior to the GM install.
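An added example, not from the original post, that does the port check programmatically: it takes the port list from above, reads a netstat or ss listing and reports only the ports that actually have a LISTEN socket, so a remote port or a longer local port number (44441 versus 4444) does not produce a false hit. The sample listing and its PIDs are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): report which of the ports CA
# Governance Minder needs are already bound by a listener. The listing below
# is constructed sample output in `netstat -tlnp` format.

GM_PORTS="1098 1099 1577 4026 4444 4445 4446 5001 8009 8080 8083 8093 8094 9092"

SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1234/sshd
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      5678/java
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN      9012/java
tcp        0      0 10.0.0.5:44441          10.0.0.9:443            ESTABLISHED 3456/curl'

# busy_ports PORTS  <listing
# Reads a netstat/ss style listing on stdin and prints, one per line and in the
# order given, each port in PORTS that has a LISTEN socket. Only the local
# address column (field 4 in both netstat and ss output) is considered.
busy_ports() {
  awk -v ports="$1" '
    BEGIN { n = split(ports, p, " ") }
    $0 ~ /LISTEN/ {
      # local address is addr:port (IPv4) or ::ffff:addr:port (IPv6); port is last
      m = split($4, a, ":"); port = a[m]
      for (i = 1; i <= n; i++) if (p[i] == port) hit[port] = 1
    }
    END { for (i = 1; i <= n; i++) if (hit[p[i]]) print p[i] }
  '
}

# check_gm_ports  <listing
# Exit 1 when any GM port is in use, so the check can gate the installer run.
check_gm_ports() {
  busy=$(busy_ports "$GM_PORTS")
  if [ -n "$busy" ]; then
    echo "ports already in use; free or redirect them before running the GM installer:" >&2
    printf '  %s\n' $busy >&2
    return 1
  fi
  echo "all GM ports are free"
}

# Demo on the constructed listing (reports 4444 and 8080 as busy).
printf '%s\n' "$SAMPLE_NETSTAT" | check_gm_ports || :
# Live use (root needed for the PID column):  netstat -tlnp | check_gm_ports
#                                    or:      ss -ltnp | check_gm_ports
```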

Create databases

Done. The dbutil utility can be used to create the databases prior to install; this will not be used here.

JDK deployment

Install JDK 1.6.45

mkdir /opt/CA/

chmod 775 /opt/CA/

copy jdk-6u45-linux-x64.bin to /opt/CA/

cd /opt/CA/

chmod 775 jdk-6u45-linux-x64.bin

./jdk-6u45-linux-x64.bin

rm -f jdk-6u45-linux-x64.bin

echo 'export JAVA_HOME=/opt/CA/jdk1.6.0_45' > /etc/profile.d/jdk.sh

vi /etc/profile.d/jdk.sh

Add the following:

export PATH=$JAVA_HOME/bin:$PATH

Save and exit

Start a new shell and verify that your JAVA_HOME variable is set and your PATH is mapped to the JDK

java -version will return

Java(TM) SE Runtime Environment (build 1.6.0_45-b06)

Java HotSpot(TM) 64-Bit Server VM (build 20.45-b01, mixed mode)

Configure JAVA alternatives

This is to be used if there are multiple JDKs on the system

/usr/sbin/alternatives --install /usr/bin/java java /usr/java/jdk1.6.0_45/bin/java 1500

/usr/sbin/alternatives --config java

Output:

[root@e48v111v bin]# /usr/sbin/alternatives --config java

You may see the following if there are 2 programs which provide 'java'.

Selection   Command

-----------------------------------------------

*+ 1           /usr/lib/jvm/jre-1.6.0-openjdk.x86_64/bin/java

   2           /usr/java/jdk1.6.0_45/bin/java

Enter to keep the current selection[+], or type selection number: 2

Select the new JDK (2) that was deployed

Verify JAVA version:

java -version

Should return java version 1.6.0_45 or above

Packages

The following packages must be installed

glibc-2.12-1.25.el6.i686.rpm

libX11-1.3-2.el6.i686.rpm

libxcb-1.5-1.el6.i686.rpm

libXtst-1.0.99.2-3.el6.i686.rpm

libXau-1.0.5-1.el6.i686.rpm

libXi-1.3-3.el6.i686.rpm

libXext-1.1-3.el6.i686.rpm

nss-softokn-freebl-3.12.9-3.el6.i686.rpm

dos2unix-3.1-37.el6.x86_64.rpm

Issue the following to install the required packages

yum install glibc-2.12-1.25.el6.i686 libX11-1.3-2.el6.i686 libxcb-1.5-1.el6.i686 libXtst-1.0.99.2-3.el6.i686 libXau-1.0.5-1.el6.i686 libXi-1.3-3.el6.i686 libXext-1.1-3.el6.i686 nss-softokn-freebl-3.12.9-3.el6.i686 dos2unix-3.1-37.el6.x86_64

Improve performance

The installer and the JVM's SecureRandom read from /dev/random, which blocks when the kernel entropy pool is low. The command below replaces the /dev/random device node with one carrying the major/minor numbers of /dev/urandom (1, 9), so reads never block. (Setting -Djava.security.egd=file:/dev/./urandom on the JVM achieves the same for Java alone without changing the device node.)

rm /dev/random && mknod -m 644 /dev/random c 1 9

Output:

rm: remove character special file `/dev/random'? yes

Linux Environment Requirements

The install must be run as root

ulimit unlimited

umask 0022

Installation Instructions

mkdir /opt/CA/GM

chmod 775 /opt/CA/GM

cd /opt/CA/GM

The following files must be deployed in the /opt/CA/GM location

-rwxrwxr-x 1 root root   9944944 Aug 31 16:53 GEN06113240E.zip

-rwxrwxr-x 1 root root   22365919 Aug 31 16:53 GEN06113635E.zip

-rwxrwxr-x 1 root root   6508285 Aug 31 16:53 GEN06113840E.zip

-rwxrwxr-x 1 root root   7685405 Aug 31 16:53 GEN06114031E.zip

-rwxrwxr-x 1 root root 144821579 Aug 31 16:53 GEN06114144E.zip

-rwxrwxr-x 1 root root   21467559 Aug 31 16:53 GEN06114251E.zip

-rwxrwxr-x 1 root root   98058816 Aug 31 16:53 GEN06114404E.zip

-rwxrwxr-x 1 root root 128941761 Aug 31 16:53 GEN06114535E.zip

-rwxrwxr-x 1 root root 297298511 Aug 31 16:53 GEN06115951E.zip

-rwxrwxr-x 1 root root 293004965 Aug 31 16:53 GEN06120054E.zip

-rwxrwxr-x 1 root root   60494416 Aug 31 16:53 GEN06120210E.zip

-rwxrwxr-x 1 root root   2494281 Aug 31 16:53 GEN06120406E.zip

-rwxrwxr-x 1 root root   77711630 Aug 31 16:53 GEN06120508E.zip

-rwxrwxr-x 1 root root 246255121 Aug 31 16:53 GEN06120611E.zip

-rwxrwxr-x 1 root root     502996 Aug 31 16:53 GEN06121000E.zip

-rwxrwxr-x 1 root root     263826 Aug 31 16:53 GEN06120813E.zip

-rwxrwxr-x 1 root root 1020551602 Aug 31 16:53 GEN06120717E.zip

unzip '*.zip'

chmod 775 *

unzip CA-IdentityGovernance-12.6.03-Installer.zip

chmod 777 InstCAIdentityGovernance.bin

Run installer

./InstCAIdentityGovernance.bin

[Installer screenshots GM01 through GM14]

Deploying Governance Minder on WebSphere

Oracle changes for JMS

This procedure describes how to create database users to synchronize Java Messaging Service (JMS) topics. Have the Oracle DBAs issue the following as the system user; examine the notes for the complete privileges:

create user gvmBus identified by PASSWORD;

create user wpBus identified by PASSWORD;

grant select on pending_trans$ to gvmBus;

grant select on dba_2pc_pending to gvmBus;

grant select on dba_pending_transactions to gvmBus;

grant execute on dbms_xa to gvmBus;

grant select on pending_trans$ to wpBus;

grant select on dba_2pc_pending to wpBus;

grant select on dba_pending_transactions to wpBus;

grant execute on dbms_xa to wpBus;

commit;

Note:   The following specific privileges were used

GRANT CMS_CONNECT TO GVMBUS;

GRANT CMS_RESOURCE TO GVMBUS;

GRANT CONNECT TO GVMBUS;

GRANT GVMBUS_XA_ROLE TO GVMBUS;

GRANT RESOURCE TO GVMBUS;

ALTER USER GVMBUS DEFAULT ROLE ALL;

GRANT UNLIMITED TABLESPACE TO GVMBUS;

GRANT CMS_CONNECT TO WPBUS;

GRANT CMS_RESOURCE TO WPBUS;

GRANT CONNECT TO WPBUS;

GRANT RESOURCE TO WPBUS;

ALTER USER WPBUS DEFAULT ROLE ALL;

GRANT UNLIMITED TABLESPACE TO WPBUS;

Note:    The passwords for these users are the ones used in dataSources.py

Note:   The following privileges work to provide sufficient access

grant all privileges to gvmBus;

grant all privileges to wpBus;

Note:    The following privileges were not sufficient to start the GM Server

GRANT CREATE SESSION TO gvmBus WITH ADMIN OPTION;

GRANT CREATE SESSION TO wpBus WITH ADMIN OPTION;

Note:   The GVM_WorkPoint used in the commands below is based upon the WorkPoint schema name used in the GM GUI install steps previously

Hazelcast

This procedure describes how to configure Hazelcast. Hazelcast is an open source, highly scalable Java clustering and data distribution platform that CA GovernanceMinder uses.

For the CA GovernanceMinder cluster integration, edit the hazelcast.xml file to adjust the Hazelcast lock mechanism. The hazelcast.xml file is located inside the eurekify.war file. Follow these steps to modify the hazelcast.xml file.

mkdir /tmp/hazelcast

chmod 777 /tmp/hazelcast

cd /tmp/hazelcast

cp /opt/CA/GovernanceMinder/Server/rcm-websphere/eurekify.ear .

mv /opt/CA/GovernanceMinder/Server/rcm-websphere/eurekify.ear /opt/CA/GovernanceMinder/Server/rcm-websphere/eurekify.ear.orig

jar xvf eurekify.ear eurekify.war

jar xvf eurekify.war WEB-INF/classes/hazelcast.xml

Note: In a multi-server/clustered/federated configuration where only one of the servers is available at install time, do not list both servers in hazelcast.xml; this is unsupported.

vi /tmp/hazelcast/WEB-INF/classes/hazelcast.xml

Change the password in the group stanza to the WebSphere password; it must match the WAS security you have set up. If no security is set up, use the default values.

<group>

<name>GM_WAS</name>

<password>PASSWORD</password>

</group>

Change the interfaces to include all servers in your WebSphere cluster

<tcp-ip enabled="true">

<interface>SHORTNAMEOFSERVER</interface>

</tcp-ip>

Recreate and place the modified .ear back in place

cd /tmp/hazelcast

jar uvf eurekify.war WEB-INF/classes/hazelcast.xml

jar uvf eurekify.ear eurekify.war

mv eurekify.ear /opt/CA/GovernanceMinder/Server/rcm-websphere
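The extract, edit and repack sequence above as an added shell example; it is not from the original post or from CA. The sample hazelcast.xml, the host names gmhost1/gmhost2 and the HZ_GROUP_PASSWORD variable are constructed for the example; the jar commands in repack_eurekify mirror the post's steps and are not run by the demo. The password is taken from the environment rather than a command-line argument so it does not show up in ps output or shell history, and values containing XML-special characters are refused rather than written unescaped.

```shell
#!/bin/sh
# Added example (not from the original post or from CA): rewrite the <group>
# password and the <tcp-ip> member list of an extracted hazelcast.xml, with the
# jar extract/repack steps around it. Sample XML and host names are constructed.

# Write a constructed hazelcast.xml fragment with the two stanzas the post edits.
write_sample_hazelcast() {
  cat > "$1" <<'EOF'
<hazelcast>
  <group>
    <name>GM_WAS</name>
    <password>PASSWORD</password>
  </group>
  <network>
    <join>
      <tcp-ip enabled="true">
        <interface>SHORTNAMEOFSERVER</interface>
      </tcp-ip>
    </join>
  </network>
</hazelcast>
EOF
}

# patch_hazelcast FILE MEMBER...
# Replaces the group password with $HZ_GROUP_PASSWORD and replaces every
# <interface> inside <tcp-ip> with one entry per cluster member short name.
patch_hazelcast() {
  xml="$1"; shift
  pw="${HZ_GROUP_PASSWORD:?set HZ_GROUP_PASSWORD to the WebSphere password}"
  [ $# -gt 0 ] || { echo "patch_hazelcast: at least one cluster member is required" >&2; return 1; }
  case "$pw" in
    *['<>&"']*) echo "patch_hazelcast: password contains XML-special characters" >&2; return 1 ;;
  esac
  # The password reaches awk via ENVIRON, not -v, so backslashes are not reinterpreted.
  HZ_GROUP_PASSWORD="$pw" awk -v hosts="$*" '
    BEGIN { pw = ENVIRON["HZ_GROUP_PASSWORD"] }
    function indent(s) { match(s, /^[ \t]*/); return substr(s, 1, RLENGTH) }
    /<password>/ { print indent($0) "<password>" pw "</password>"; next }
    /<tcp-ip/ {
      print; in_tcp = 1
      n = split(hosts, h, " ")
      for (i = 1; i <= n; i++) print indent($0) "  <interface>" h[i] "</interface>"
      next
    }
    in_tcp && /<interface>/ { next }     # drop the placeholder entries
    /<\/tcp-ip>/ { in_tcp = 0 }
    { print }
  ' "$xml" > "$xml.tmp" && mv "$xml.tmp" "$xml"
}

# Number of <interface> entries currently in FILE (used to verify the edit).
interface_count() { grep -c '<interface>' "$1"; }

# Extract, patch and repack, following the post's jar commands. Not run by the
# demo: it needs a JDK and the GM install tree.
repack_eurekify() {
  ear_dir=/opt/CA/GovernanceMinder/Server/rcm-websphere
  work=$(mktemp -d) && cd "$work" || return 1
  cp "$ear_dir/eurekify.ear" . && cp "$ear_dir/eurekify.ear" "$ear_dir/eurekify.ear.orig"
  jar xf eurekify.ear eurekify.war
  jar xf eurekify.war WEB-INF/classes/hazelcast.xml
  patch_hazelcast WEB-INF/classes/hazelcast.xml "$@" || return 1
  jar uf eurekify.war WEB-INF/classes/hazelcast.xml
  jar uf eurekify.ear eurekify.war
  cp eurekify.ear "$ear_dir/eurekify.ear"
}

# Demo on the constructed file.
demo=$(mktemp)
write_sample_hazelcast "$demo"
HZ_GROUP_PASSWORD="${HZ_GROUP_PASSWORD:-demo-only-password}"; export HZ_GROUP_PASSWORD
patch_hazelcast "$demo" gmhost1 gmhost2 && cat "$demo"
rm -f "$demo"
```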

Review Python file parameters

vi /opt/CA/GovernanceMinder/Server/rcm-websphere/WAS-Scripts/dataSources.py

The password used was PASSWORD, so the four "db_pw" variables should have the install password.

Modify the gvmBus and wpBus users and passwords to match those sent to the Oracle DBAs in the previous steps

Set up the CA GovernanceMinder and Workpoint clusters.

Update the Cluster Name and Server names in gvmDefaults.py; the top 5 lines and bottom 2 lines are where modifications need to be made.

vi /opt/CA/GovernanceMinder/Server/rcm-websphere/WAS-Scripts/gvmDefaults.py

Top five Lines

Workpoint_Cluster_Name = "EUA-WP"

Workpoint_Server_Name_Format = "EUA-WP-S%d"

Workpoint_BusName = "wpBus"

Gvm_Cluster_Name = "EUA-GM"

Gvm_Server_Name_Format = "EUA-GM-S%d"

Bottom two lines; comment out the two similar existing lines by prefixing them with #

msJTDSdriverFullPath = "${WAS_INSTALL_ROOT}"+os.sep+essentialsDirName+os.sep+"JDBC"+os.sep+"jtds-1.2.jar"

ORACLEdriverFullPath = "${WAS_INSTALL_ROOT}"+os.sep+essentialsDirName+os.sep+"JDBC"+os.sep+"ojdbc6.jar"

Set up the CA GovernanceMinder and WorkPoint clusters

cd /opt/CA/GovernanceMinder/Server/rcm-websphere/WAS-Scripts

umask 0022

./DeployGVM.sh /opt/IBM/WebSphere/AppServer/bin/ >> deploy.log &

Note: The WebSphere directory to be used is the root directory of the application server and not the node or cluster locations of the wsadmin.sh script

Note: use tail -f deploy.log to follow the log; the last two lines should be copy statements

Configure the CA GovernanceMinder folder

cd /opt/CA/GovernanceMinder/Server/rcm-websphere/WAS-Scripts

/opt/IBM/WebSphere/AppServer/bin/wsadmin.sh -lang jython -f setupEssentials.py >> setup.log &

This needs to be accomplished on each cluster server in a federated/cluster configuration. On each of the servers, repeat the following

cd /opt/CA

tar zcvf GMCluster.tar.gz GovernanceMinder/

copy the GMCluster.tar.gz to the other cluster members

On the other cluster members as root

ulimit unlimited

umask 0022

mkdir /opt/CA

chmod 775 /opt/CA

cd /opt/CA

cp GMCluster.tar.gz to this location

tar zxvf GMCluster.tar.gz

cd /opt/CA/GovernanceMinder/Server/rcm-websphere/WAS-Scripts

/opt/IBM/WebSphere/EntAppServer85-64/appServerbin/wsadmin.sh -lang jython -f setupEssentials.py

WebSphere Changes

Add JDBC provider

cp /oracle/product/12.1.0/db1/jdbc/lib/ojdbc6.jar /opt/IBM/WebSphere/AppServer/essentials/JDBC

Note:  The above assumes Oracle was installed on this machine and the database used was db1

Core Groups

Servers / Core groups / Core group bridge settings / Access point groups / DefaultAccessPointGroup / Core group access points

[Screenshot GM15]

Select the core group and Show Detail, Select Bridge Interfaces, New

Select each of the Bridge interfaces (do this 4 times) listed in drop down and apply

[Screenshot GM16]

Review changes and sync, the final list should look like this

[Screenshot GM17]

Configure JDBC drivers and data sources on the WorkPoint cluster

This procedure describes how you install Oracle JDBC drivers and data sources on the WorkPoint cluster. Follow these steps for each of the JDBC providers, there will be six.

Resources / JDBC / JDBC Providers. The list should look like this

[Screenshot GM18]

Select each of the Oracle providers above

[Screenshot GM19]

Select the Oracle11g Data provider for each

[Screenshot GM20]

Review and synchronize changes for this provider, these steps should be done seven times total.

WebSphere Virtual Host Configuration

In Servers \ WebSphere Application Servers \ Application servers > EUA-GM-S1 > Ports

WC_defaulthost is mapped to a port. Locate this value; the same port needs to be listed in Environment \ Virtual Hosts \ Default_host \ Host Alias

[Screenshot GM21]

Restart Environment

/opt/IBM/WebSphere/AppServer/bin/stopManager.sh

/opt/IBM/WebSphere/AppServer/profiles/AppSrv01/bin/stopNode.sh

/opt/IBM/WebSphere/AppServer/bin/startManager.sh

/opt/IBM/WebSphere/AppServer/profiles/AppSrv01/bin/startNode.sh

JDBC Connection Verification

Verify the ojdbc6.jar is located in the WAS_install_root/essentials/JDBC/

Verify each of the JDBC resources by testing the connection in Resources \ JDBC \ DataSources

Select the following 6 and test connection

[Screenshots GM22 and GM23]

You need to receive a successful connection test for all 6

Start GM and WP applications

Servers / All Servers

[Screenshot GM24]

Portal Verification

Verify each of the JDBC resources by testing the connection (has to wait until node is started)

This procedure describes how you verify a successful installation after you complete installing the product. When the CA GovernanceMinder installation is successful, you can access the CA GovernanceMinder Portal.

Follow these steps:

Select and start one server from the CA GovernanceMinder cluster, along with CA GovernanceMinder and the installed applications, including reports.

Review the started server logs and verify that no log errors exist.

Start all other servers in the CA GovernanceMinder cluster.

Review all the product cluster logs and verify that no errors exist in the logs.

You can access the Portal after a successful installation.

Open a browser and enter the following URL:

http://GM_Server_Name:9081/eurekify/portal/login

Log in using the following default administration credentials:

Username: AD1\EAdmin

Password: eurekify

CA Identity Minder Report Server Installation

16 Oct

The report server is highly sensitive to the environment being used, and the following needed to be completed prior to install.

  • Update standard packages: yum update

Your IP configuration must be fixed: you need to have your FQDN and short name in your /etc/hosts file, such as:

  • 192.168.83.24   idm-report.domain.com      idm-report
  • 127.0.0.1               localhost.domain.com localhost

Ensure 32bit compatibility libraries are installed

  • yum install compat-libstdc++-33-3.2.3-61.i386

Create a user and group for the Report Server

  • groupadd cabi
  • useradd -g cabi -d /home/cabi -m cabi

SELinux/firewall port exceptions: 6400, 3306, 6410, 8080, 8443, 8005
As root (required), run a terminal session

  • export LANG=en_US.utf8
  • export LC_ALL=en_US.utf8

./cabinstall.sh from the CD-ROM drive (in the terminal)

  • System or User Install:    2 – System
  • MySQL Database Info:  User Id: sa

In a new terminal window

  • su – cabi
  • /opt/CA/SharedComponents/CommonReporting3/bobje/stopservers (errors)

In old terminal window (as root)

  • cd /tmp
  • grep makeccvt /var/log/audit/audit.log | audit2allow -M postgreylocal
  • semodule -i postgreylocal.pp
  • grep mozjsshell /var/log/audit/audit.log | audit2allow -M postgreylocal
  • semodule -i postgreylocal.pp

In terminal window as cabi

  • /opt/CA/SharedComponents/CommonReporting3/bobje/stopservers
  • /opt/CA/SharedComponents/CommonReporting3/bobje/startservers

Verify Install is successful

Install Service Pack 5

  • Logout of any session and relogin after install
  • ./biekpatch

Server initialization Scripts:

  • /opt/CA/SharedComponents/CommonReporting3/bobje/init/setupinit.sh

Reboot server
In terminal window as cabi

  • /opt/CA/SharedComponents/CommonReporting3/bobje/startservers

Verify that patch has been done

Installation of CA Provisioning Server Fails

10 Oct

Installation of the CA Provisioning Server will fail due to SELinux, which is configured to run by default on CentOS 5.8. SELinux is explained in this link. To get a running CA IdentityMinder Provisioning Server, the following two actions need to occur:

Here are the steps I used:

Step #1 – Get the Provisioning Server installed

Purpose: This prevents the Provisioning Server install from failing with a log message of "Starting im_ps failed..." or "Connection refused"

(as root) Prior to installing CA ProvisioningServer

/usr/sbin/setenforce 0

(as root) After installation is complete

/usr/sbin/setenforce 1

Step #2 – Allow the Provisioning Server to run in SELinux

Purpose: To allow the Provisioning Server to run without disabling SELinux completely, by isolating the CA slapd executable for an SELinux policy modification.

In a terminal session as root

su – imps

cd /opt/CA/IdentityManager/ProvisioningServer/bin

/opt/CA/IdentityManager/ProvisioningServer/bin/imps stop im_ps

/opt/CA/IdentityManager/ProvisioningServer/bin/imps start im_ps

You will receive the message: "Starting im_ps failed..."

Keep this terminal window open and start a new terminal as root

grep slapd /var/log/audit/audit.log | audit2allow -m postgreylocal > postgreylocal.te

cat postgreylocal.te. You should see something similar to:

module postgreylocal 1.0;

require {

type unconfined_t;

type usr_t;

class file execmod;

}

#============= unconfined_t ==============

allow unconfined_t usr_t:file execmod;

If it does, then execute:

grep slapd /var/log/audit/audit.log | audit2allow -M postgreylocal

semodule -i postgreylocal.pp

Your slapd process has now been granted an SELinux policy to execute
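An added example serving this step and the makeccvt/mozjsshell case in the Report Server post above: before installing a module built by audit2allow -M, it helps to see what the collected denials boil down to, because every distinct (source type, target type, class, permission) tuple becomes a permanent allow rule. The script is not from the original post; the audit lines, paths and PIDs in it are constructed, and the output format only approximates what audit2allow generates.

```shell
#!/bin/sh
# Added example (not from the original post): summarise AVC denials for one
# program as the allow rules audit2allow would build from them. The audit
# lines below are constructed; the library paths are placeholders.

SAMPLE_AUDIT='type=AVC msg=audit(1349870400.123:456): avc:  denied  { execmod } for  pid=2345 comm="slapd" path="/opt/example/lib/libexample.so" dev=dm-0 ino=12345 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1349870401.456:457): avc:  denied  { execmod } for  pid=2345 comm="slapd" path="/opt/example/lib/libother.so" dev=dm-0 ino=12346 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1349870402.789:458): avc:  denied  { name_connect } for  pid=3456 comm="java" dest=6400 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1349870402.789:458): arch=c000003e syscall=42 success=no exit=-13 comm="java"'

# avc_summary COMM  <audit-lines
# Prints one line per distinct (source type, target type, class, permissions)
# tuple found in AVC denials for COMM, shaped like the allow rule audit2allow
# would emit and prefixed with how many denials contributed to it.
avc_summary() {
  awk -v want="$1" '
    /^type=AVC/ && /avc: +denied/ {
      if (!match($0, /comm="[^"]*"/)) next
      comm = substr($0, RSTART + 6, RLENGTH - 7)        # strip comm=" and "
      if (comm != want) next
      i = index($0, "{ "); j = index($0, " }")            # permissions between braces
      perms = substr($0, i + 2, j - i - 2)
      match($0, /scontext=[^ ]*/); split(substr($0, RSTART + 9, RLENGTH - 9), s, ":")
      match($0, /tcontext=[^ ]*/); split(substr($0, RSTART + 9, RLENGTH - 9), t, ":")
      match($0, /tclass=[^ ]*/);   tclass = substr($0, RSTART + 7, RLENGTH - 7)
      count[s[3] " " t[3] ":" tclass " " perms]++       # s[3]/t[3] are the type fields
    }
    END { for (k in count) print count[k] "x allow " k ";" }
  ' | sort
}

# Demo: what the slapd denials from the post turn into.
printf '%s\n' "$SAMPLE_AUDIT" | avc_summary slapd
# Live use, matching the post's grep:  grep slapd /var/log/audit/audit.log | avc_summary slapd
```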

Go back to your imps user terminal session and execute

/opt/CA/IdentityManager/ProvisioningServer/bin/imps start im_ps

You will receive an im_ps started successfully message (woot!)

CA IdentityMinder on CentOS

10 Oct

This will be a series on deploying, configuring and running CA IdentityMinder (12.6) on CentOS version 5.8 x86_64. The goal is to deploy a development environment using solely CentOS servers wherever possible. I will post articles on important configuration or deployment items as/when I uncover (and hopefully) resolve them.

Article #1 – Installation of CA Provisioning Server Fails

Article #2 – Report Server Install

Article #3 – WorkPoint Designer fails

Article #4 – TBD

You can contact me at Scott Pierce

CA IdM Java Memory Sizing

2 Apr

Overview: Does your CA IdM crash or fail to start with "java out of memory" errors? If so, this article can help.

There are several items to consider for CA IdM and the amount of memory required.  The following are items that you need to be aware of:

CA IdM Policy Express cache – imsapi6.jar \ ehcache.xml \ default cache

Java VM Max and Minimum heap – -Xmx and -Xms memory settings

VMWare memory reservation – Set the reservation to Java max memory usage plus host OS

There are a large number of configuration items that affect these parameters and how to set them. I will detail our configuration and the problems that occurred, and explain how our solution was determined.

Our Environment: 

VMWare OSX 4.1, MS Windows 2003 Enterprise R2, WebSphere 6.X, Java JDK 1.5.X, CA IdM 12.5.3

Description of problem: Operational for 8 months with no problems. Development of new policy express changes. Testing in the test environment did not reveal any memory issues. The WebSphere environment had no max or minimum memory setting set. When this was set to a max of 1600 and a minimum of 256 in the test environment there were no problems. When this was applied in Production the application would not start, so it was left at the default "no setting". When the new policy express policies were added, initially there were no problems. Within a day the WebSphere application server would report java.out.of.memory errors. The application would remain up for a period of hours and then fail; this began to occur more frequently as time passed.

Solution:  WebSphere default memory setting of “none”  actually result in the application starting with -Xms50 -Xmx256 which is not enough for CA Idm to start, WebSphere will than (eventually) restart CA IdM with -Xms256 -Xmx640.  This would allow CA IdM to start and work for a period of time, but eventually run out of memory from the high amount of policy cache items.  By modifying two items; ehcache.xml file within imsapi6.jar and modifying the  default cache parameter from 10K to 5K and setting the WebSphere java virtual machine settings to -Xms640 -Xmx1024.  With these settings I avoided memory failures.  The Verbose GC was set and CA IdM Java ran at ~560M of memory with these settings.  To reach an optimum setting of -Xms256 and -Xmx1600 it was necessary to set the VMWare memory reservation to 2.2Gb (1.6Gb for Java and .6Mb for Windows) there were no longer issues with setting the -Xmx1600 in WebSphere and the server starting and remaining operational with the original 10K ehcache setting