Novell IDENTITY ASSURANCE SOLUTION 3.0.2 Installation Manual


Novell
Identity Assurance Solution
www.novell.com
3.0.2
INSTALLATION GUIDE
May 12, 2008


Summary of Contents for Novell IDENTITY ASSURANCE SOLUTION 3.0.2

  • Page 1 Identity Assurance Solution 3.0.2 Installation Guide. Novell Identity Assurance Solution, www.novell.com, 3.0.2, INSTALLATION GUIDE...
  • Page 2: Legal Notices

    Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
  • Page 3 Novell Trademarks: For Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/trademarks/tmlist.html). Third-Party Materials: All third-party trademarks are the property of their respective owners.
  • Page 5: Table Of Contents

    Novell Identity Manager Support ........
  • Page 6 Installing the Novell Client Patch ........
  • Page 7: About This Guide

    A trademark symbol (®, etc.) denotes a Novell trademark. An asterisk (*) denotes a third-party trademark. When a single pathname can be written with a backslash for some platforms or a forward slash for other platforms, the pathname is presented with a backslash.
  • Page 8 Identity Assurance Solution 3.0.2 Installation Guide...
  • Page 9: Overview

    Overview: Novell® has partnered with third-party companies to build a solution that offers an integrated logical and physical control system that complies with Homeland Security Presidential Directive 12 (HSPD-12). HSPD-12 directs the implementation of a new standardized badging process, which is designed to enhance security, reduce identity fraud, and protect the personal privacy of those issued government identification.
  • Page 10: Identity Assurance Solution Components

    ...System; Card Management System (CMS); CMS Driver for ActivIdentity* ActivID*; Logical Access Control System (LACS); Novell Enhanced Smart Card Method (NESCM); Physical Access Control System (PACS); PACS Integration Driver for the Honeywell SmartPlus System. A more detailed list of components and products is provided in Chapter 2, “Planning the Identity...
  • Page 11: PIV Life Cycle Driver

    1.2.1 PIV Life Cycle Driver The PIV Life Cycle driver acts as a traffic director for the solution. It verifies that all expected attributes are included in each step of the process and either allows the process to continue if all requirements are met, or halts the process if requirements are not met.
  • Page 12: CMS Driver

    Figure 1-2 Enrollment Driver. After the information is entered into the Honeywell SmartPlus Enrollment server, the registrar sends the completed biometric data package to the driver for storage in the Identity Vault. The driver stores the biometric data and updates the fipsBioStatus attribute with a value of either Biometric Enrollment Complete or Biometric Enrollment Failure.
  • Page 13 Notifies Identity Manager of a Card Issued or a Credential Issued event from the Card Management System. Sends card information (card serial number, FIPS 201 required certificate, CHUID) back to Identity Manager. Sends a Card Termination Request to the Card Management System. The driver contains policies to detect events that indicate when data should be provisioned to or deprovisioned from the Card Management System.
  • Page 14: PACS Integration Driver

    If the sponsor approves the PIV issuance, the CMS driver sends a User Add request to the Card Management System. If the User Add request is successful, the fipsCMSStatus attribute is set to CMS User Provisioning Complete. If the Add request fails, the fipsCMSStatus attribute is set to CMS User Provisioning Failed and the fipsCMSStatusReason attribute and fipsCMSStatusExplanation attribute explain why the process failed.
  • Page 15: Identity Assurance Solution Workflow

    Figure 1-4 Physical Access Control System Driver. This modification event triggers the driver to send the applicant’s PIV card information to the Honeywell SmartPlus PACS system. If the information is sent and provisioned successfully, the fipsPACSStatus attribute is set to PACS Activation Ready. If the information fails to be sent to the system, the fipsPACSStatus attribute is set to PACS Activation Failed and the fipsPACSStatusReason and fipsPACSStatusExplanation attributes contain the reason for the failure.
  • Page 16: What's Next

    A background check is also conducted on the applicant. 6. After the enrollment data is captured, the registrar submits it again to the Enrollment/Biometric Capture driver. 7. The Enrollment/Biometric Capture driver sends the enrollment data to the PIV Life Cycle driver.
  • Page 17: Planning The Identity Assurance Solution Installation

    Section 2.4, “What's Next,” on page 20. 2.1 Minimum Requirements: The following minimum requirements apply to this release: Section 2.1.1, “Novell Identity Manager Support,” on page 17; Section 2.1.2, “Identity Vault Server,” on page 18; Section 2.1.3, “User Enrollment/Biometric Capture Station,” on page 18; Section 2.1.4, “Card Management System,”...
  • Page 18: Identity Vault Server

    2.1.2 Identity Vault Server The Identity Vault server must be running Windows* 2003 Server SP1 or later. 2.1.3 User Enrollment/Biometric Capture Station The software being utilized for the User Enrollment Biometric Capture station for this release is Honeywell SmartPlus Enrollment software. Make sure this software is installed on the machine you are designating for this function.
  • Page 19: Web Browser

    2.2 Preparing the Software: Identity Assurance Solution is made up of several software components: Section 2.2.1, “Novell Products that Need to be Downloaded and Installed,” on page 19; Section 2.2.2, “Third-Party Products that Need to be Installed,” on page 19; Section 2.2.3, “IAS CD Images,”...
  • Page 20: Contents of Each Identity Assurance Solution CD

    IAS Client Umbrella Install: Novell Client 4.9.1 SP3; NICI 2.7.0.1 and NMAS Client 3.1.1.0; Novell Enhanced Smart Card Method (NESCM) 3.0.1; Novell Audit Platform Agent 2.0.2. 2.4 What's Next: To perform the installation, follow the instructions in Chapter 3, “Installing Identity Assurance Solution,”...
  • Page 21: Installing Identity Assurance Solution

    Installing Identity Assurance Solution This section describes or points to information on how to install all software components for the Identity Assurance Solution. IMPORTANT: The steps outlined in this section and in Chapter 4, “Configuring Identity Assurance Solution,” on page 33 must be performed in the order they are listed.
  • Page 22: Installing The Physical Access Control System

    8.8.1 from the Novell Download Web site (http://download.novell.com/index.jsp). For information on installing Novell eDirectory, see the Installing or Upgrading Novell eDirectory on Windows section of the Novell eDirectory 8.8 Installation Guide (http://www.novell.com/documentation/edir88/edirin88/data/ahna7o7.html). By installing Novell eDirectory 8.8.1, you will also install the following components: NICI 2.7.0-1...
  • Page 23: Novell Identity Manager 3.5.1

    3.4.3 Novell Identity Manager 3.5.1: Purchase, download, and install Novell Identity Manager 3.5.1 from the Novell Download Web site (http://download.novell.com/index.jsp). For information on installing Novell Identity Manager, see the Installation section of the Novell Identity Manager 3.5 Documentation Web site (http://www.novell.com/documentation/idm35/install/data/front.html).
  • Page 24: Installing Drivers

    You must complete the procedures for installing and configuring the NESCM method on a server as provided in the Novell Enhanced Smart Card Method Installation Guide (http://www.novell.com/documentation/ias/index.html?page=/documentation/ias/nescm_install/data/bookinfo.html). 3.5 Installing Drivers: Identity Assurance Solution contains five separate drivers. The following table describes which...
  • Page 25: PIV Workflow Driver

    “Configuring the Connected System (Remote Loader)” on page 26. Installing Identity Manager 3.5.1 for Connected Systems on the Enrollment Biometric Capture System: For information on installing Novell Identity Manager on connected systems, see the “Installing the Connected Systems Option” section of the Identity Manager 3.5.1 Installation Guide (http://www.novell.com/documentation/idm35/admin/data/bs35odr.html).
  • Page 26 2 Click Add to add a remote driver. 3 Specify a description for the remote driver. 4 Select com.novell.nds.dirxml.hwbio.HWBioEnrollmentDriver in the driver drop-down list. This is the Biometric Enrollment driver. If the driver is not listed, it means the driver has not been installed.
  • Page 27: CMS Driver for ActivIdentity ActivID

    “Configuring the Connected System (Remote Loader)” on page 27. Installing Identity Manager 3.5.1 for Connected Systems on the Card Management System: For information on installing Novell Identity Manager on connected systems, see the “Installing the Connected Systems Option” section of the Identity Manager 3.5.1 Installation Guide (http://www.novell.com/documentation/idm35/admin/data/bs35odr.html).
  • Page 28: PACS Integration Driver for the Honeywell SmartPlus System

    “Configuring the Connected System (Remote Loader)” on page 29. Installing Identity Manager 3.5.1 for Connected Systems on the Physical Access Control System: For information on installing Novell Identity Manager on connected systems, see the Installing the Connected Systems Option section of the Identity Manager 3.5.1 Installation Guide (http://www.novell.com/documentation/idm35/admin/data/bs35odr.html).
  • Page 29: Post-Installation Tasks

    2 Click Add to add a remote driver. 3 Specify a description for the remote driver. 4 Select com.novell.nds.dirxml.driver.hwpacs.HWPACSDriver in the driver drop-down list. This is the Physical Access Control System (PACS) driver. If the driver is not listed, it means the driver has not been installed.
  • Page 30: Installing Workstations

    3 Read the license agreement and select I accept the terms of the license agreement, then click Next. 4 Select Novell Client and Enhanced Smart Card Method. (Optional) If you also want to audit Workstation Only logins, select Novell Audit Platform Agent. 5 Click Next.
  • Page 31: Installing The Novell Client Patch

    17 Fill in the customer information, then click Next. 18 Type the IP address or DNS name of the Secure Logging Server, then click Next. This is the IP address or DNS name of the Novell Audit server (the Identity Vault server that was set up previously).
  • Page 32: Workstation Configuration

    3.7.2 Workstation Configuration: For information about configuring NESCM on a workstation, see the Novell Enhanced Smart Card Installation Guide (http://www.novell.com/documentation/ias/index.html?page=/documentation/ias/nescm_install/data/bookinfo.html). 3.8 What's Next: Configure the Identity Assurance Solution drivers by following the instructions in Chapter 4, “Configuring Identity Assurance Solution,” on page...
  • Page 33: Configuring Identity Assurance Solution

    Configuring Identity Assurance Solution This section describes how to use iManager to configure the drivers and how to install the User Application server. For overview information about each driver, see Section 1.2, “Driver Overviews,” on page Section 4.1, “Configuring the Drivers,” on page 33 Section 4.2, “Installing the User Application Server,”...
  • Page 34 3 Click Next. 4 Define the properties of the new driver set. 4a Specify the name of the driver set. 4b Browse to and select the context where the driver set will be created. 4c Browse to and select the server you want the driver set associated with. 4d Leave the Create a new partition on this driver set option selected.
  • Page 35 10a Click Add, browse to and select all objects that represent administrative roles, then exclude them from replication with the driver. Exclude the User object in the Identity Vault (for example, DriversUser) that you specified in Step 9. If you delete the User object, you have removed the rights from the driver.
  • Page 36: Configuring the PIV Workflow Driver

    The password value for the Named Password is the password for the PIV Workflow User. This is the admin user who is specified in the User Application Admin DN field during the configuration of the User Application driver object. For information on the User Application Admin DN field, see “User Application Admin DN”...
  • Page 37: Configuring the Enrollment Driver

    Parameter / Description. User App Server Address: Specify your User Application Server address and port number (example: 137.65.159.42:8080). User App Server Context: Specify your User Application Server context (example: IDM). 8 Click Next. 9 Select Define Security Equivalences. 9a Click Add, then browse to and select a user object that has the rights the driver needs to have on the server.
  • Page 38 Step 7 on page KMO Name Specify the name of the KMO object. See “Providing for Secure Data Transfer” (http://www.novell.com/documentation/idm/ index.html?page=/documentation/idm/admin/data/ bs35pi6.html#bs35pi6) for steps on how to create a KMO. URL of the Biometric Specify the URL of the Honeywell SmartPlus Enrollment server.
  • Page 39: Configuring the Honeywell SmartPlus Enrollment System

    2 Open the tomcat_directory/webapps/PIV/WEB-INF/iws.cfg file in a text editor. 3 Add the following two lines at the bottom of this file:
      IDMS=NOVELL
      IDMS_NovellEnrollURL = http://127.0.0.1:Publisher_Port_Number
    The Publisher port number is located in the properties of the Enrollment driver. It can be any port that is not in use on the connected system.
  • Page 40 Specify the remote password. It is the same password as specified in Step 7 on page ... KMO name: Specify the KMO name. See “Providing for Secure Data Transfer” (http://www.novell.com/documentation/idm/index.html?page=/documentation/idm/admin/data/bs35pi6.html#bs35pi6) for steps on how to create a KMO.
  • Page 41: Configuring the PACS Integration Driver

    8 Click Next. 9 Select Define Security Equivalences. 9a Click Add, then browse to and select a user object that has the rights the driver needs to have on the server. Many administrators use the Administrator User object in the Identity Vault for this task. However, you might want to create another object, such as a DriversUser, and assign sufficient rights to that user for the driver to function.
  • Page 42 Step 7 on page ... KMO Name: Specify the name of the KMO object. See “Providing for Secure Data Transfer” (http://www.novell.com/documentation/idm/index.html?page=/documentation/idm/admin/data/bs35pi6.html#bs35pi6) for steps on how to create a KMO. URL of the Honeywell SmartPlus PAC Server: Specify the URL of the Honeywell SmartPlus PACS Integration server.
  • Page 43: (Optional) Using Designer to Customize Your Implementation

    4.2.1 Installing User Application for Provisioning If you are using Identity Manager 3.5.0, you can use the User Application for Provisioning version 3.5.0 that is included in the Novell Identity Manager 3.5.0 build. If you are using Identity Manager 3.5.1, use User Application for Provisioning version 3.6.0 (http://www.novell.com/documentation/...
  • Page 44: Installing the IAS Digital Signature Applet

    “Configuring the PIV Life Cycle Driver,” on page 33). For the user root, select the IAS Root/Users container. For the group root, select IAS Root/Groups container. IMPORTANT: After you install the IDM User Application for Provisioning product, you should configure JBoss* to only allow mutual authenticated SSL connections. For more information, see this JBoss Wiki page (http://wiki.jboss.org/wiki/Wiki.jsp?page=SSLSetup).
  • Page 45: What's Next

    6 Click OK. For more information on setting up e-mail notifications, see Configuring E-mail Notification (http://www.novell.com/documentation/idm35/admin/data/bnpdcy4.html) in the Novell Identity Manager 3.5.1 Administration Guide. 4.4 What’s Next: The Identity Assurance Solution is ready to use. For information on managing the Identity Assurance Solution, see the Identity Assurance Solution 3.0.2 Administration Guide (http://www.novell.com/documentation/ias302/...
  • Page 47: Troubleshooting the Identity Assurance Solution

    Troubleshooting the Identity Assurance Solution: This section provides troubleshooting information for the Identity Assurance Solution installation. 5.1 Known Issues:
      COULD_NOT_FIND_USER: Error while retrieving userAIMS_NO_SUCH_WALLET
    If you receive the above message in the Remote Loader trace when attempting to suspend a card in the CMS system and the card is not being suspended in the other systems, you must properly configure the card binding.
  • Page 49: Identity Assurance Solution

    SSL connections. See Section 4.2.1, “Installing User Application for Provisioning,” on page ... A.2 Novell Products: For additional information on securely installing the Novell® products in this solution, see the following resources: Novell eDirectory 8.8 Installation Guide (http://www.novell.com/documentation/edir88/edirin88/data/ahna7o7.html); Novell iManager 2.6 Installation Guide (http://www.novell.com/documentation/imanager26/...
  • Page 50: Third-Party Products

    Novell Enhanced Smart Card Method Installation Guide (http://www.novell.com/documentation/ias/index.html?page=/documentation/ias/nescm_install/data/bookinfo.html); Novell Client 4.91 for Windows XP/2003 Installation and Administration Guide (http://www.novell.com/documentation/noclienu/index.html); Novell Audit 2.0.2 Installation Guide (http://www.novell.com/documentation/novellaudit20/install/data/bktitle.html). A.3 Third-Party Products: For information on securely installing the third-party products in this solution, see the documentation provided with the third-party software.
  • Page 51 The Identity Assurance Solution automatically does this configuration when the CMS driver is installed on the Card Management System. However, if you make changes to the Card Management System that overwrite the Novell Event Handler settings, you might need to manually perform this procedure.
  • Page 52 6a Add the following lines at the end of the List categories for logging section of this file:
      log4j.category.com.novell.nds.dirxml.novellplugin =INFO, novellplugin
      log4j.additivity.com.novell.nds.dirxml.novellplugin = false
    6b Add the following lines at the end of this file (replace occurrences of CMS Dir below with the directory where CMS is installed):
      # NOVELL
      #---------------------------
      log4j.appender.novellplugin =...
  • Page 53 Identity Manager 3.5.1 User Application: Migration Guide (http://www.novell.com/documentation/idm35/migration/data/bookinfo.html). 4a Select the specific components that you need, or use the defaults. 5 Upgrade the Identity Manager User Application 3.5 to Novell IDM Roles Based Provisioning Module 3.6: 5a Set up the Prerequisites to Installation (http://www.novell.com/documentation/...
  • Page 54 7 When prompted, select Remove. IMPORTANT: Do not select Modify. 8 Rerun the iasSignerApplet.exe. 9 From the IDMDriver folder located on the IASModules_302 ISO, run the PIV Life Cycle Driver.exe.
  • Page 55 10 Save the configuration information on the driver. 11 In iManager, select Identity Manager > Identity Manager Overview > Edit Properties on the User Application driver. 12 Write down and save the values associated with this driver. You need these values when installing the new User Application driver.
  • Page 57 13 Delete the User Application driver. Make sure PIV Life Cycle Driver is up and running before adding the new User Application driver. Upgrading the Identity Assurance Solution from 3.0.1 to 3.0.2...
  • Page 58 14 Add the driver by selecting Add Driver, then select IAS PIVWorkflow-IDM3_5_0- V2.xml. Enter the values saved in Step 12 in the required fields. 15 Verify that the PIV Life Cycle driver is running by ensuring that the circle in the upper-right corner of the driver icon is green.
  • Page 59 19a Import the fips.sch schema file. 19b Import the fips.sch schema file a second time. The fips.sch file is in the c:\novell\nds directory. Disregard any schema errors and warnings during import.
  • Page 60 19c Select the option to migrate the User Application driver. 19d Deploy the User Application driver. Ignore the errors and warnings during deployment. 20 Configure and run configupdat.bat (located in c:\novell). 21 Verify that your values are correct, then click Save. For more information, see the Post-Installation Tasks (http://www.novell.com/documentation/...
  • Page 61: D Documentation Updates

    Updates were made to the following sections. The changes are explained below. D.2.1 Overview. Location: Entire Book. Change: Made editorial changes and updated the guide to current Novell documentation standards. D.3 February 20, 2008: Updates were made to the following sections. The changes are explained below. D.3.1 Overview...