Issue:
The Identity Manager suite contains several applications, such as OSP, IDM Dashboard (IDMDash), IDM Provisioning (IDMProv), Workflow, SSPR, and FormRenderer, all running on the same server. In large production environments, performance issues have been observed, where workflow processing impacts the UI components and vice versa.
Solution:
By separating the Workflow application from the other components and running it as a standalone application, we can minimize interference between the applications. This approach will improve both reliability and performance.
Procedure:
The steps below were performed on a fresh sample IDM 4.10 deployment with two SLES 15 SP6 servers. In this scenario, the engine, idconsole and the applications are installed on Server1, and a second instance of the applications is installed on Server2.
Prerequisites:
Steps to be performed on Server1:
/opt/netiq/common/jre/bin/keytool -importkeystore -srckeystore /opt/netiq/idm/apps/tomcat/conf/tomcat.ks -srcstorepass <password> -destkeystore /opt/netiq/idm/apps/tomcat/conf/idm.jks -deststorepass <password>
f. Import tomcat.ks into cacerts inside the Java directory (/opt/netiq/common/jre/lib/security) used by the IDM Engine server. For example,
/opt/netiq/common/jre/bin/keytool -importkeystore -srckeystore /opt/netiq/idm/apps/tomcat/conf/tomcat.ks -srcstorepass <password> -destkeystore /opt/netiq/common/jre/lib/security/cacerts -deststorepass <password>
g. Restart eDirectory. For example,
ndsmanage stopall; ndsmanage startall
h. Start the Tomcat service. For example,
systemctl start netiq-tomcat.service
Steps to be performed on Server2:
Edit configupdate.sh.properties under /opt/netiq/idm/apps/configupdate and change the CONTEXT_NAME value from "IDMProv" to "workflow".
Launch Configupdate and perform the following actions:
i) Under the Authentication tab, change the OAuth server URL so that it points to Server1.
ii) Under the IDM SSO Clients tab, update the URLs so that they point to Server1.
iii) Under IDM SSO Clients -> Advanced Options, set "RBPM to eDirectory SAML configuration" to Auto.
iv) Save the changes.
Update ism-configuration.properties with the proper values for com.netiq.client.authserver.url.revoke, com.microfocus.idm.application.url and com.netiq.idm.forms.url.host, and save the changes.
Import tomcat.ks into idm.jks. For example,
/opt/netiq/common/jre/bin/keytool -importkeystore -srckeystore /opt/netiq/idm/apps/tomcat/conf/tomcat.ks -srcstorepass <password> -destkeystore /opt/netiq/idm/apps/tomcat/conf/idm.jks -deststorepass <password>
j. Import tomcat.ks into cacerts inside Java (/opt/netiq/common/jre/lib/security). For example,
/opt/netiq/common/jre/bin/keytool -importkeystore -srckeystore /opt/netiq/idm/apps/tomcat/conf/tomcat.ks -srcstorepass <password> -destkeystore /opt/netiq/common/jre/lib/security/cacerts -deststorepass <password>
k. Edit configupdate.sh.properties under /opt/netiq/idm/apps/configupdate and change the CONTEXT_NAME value from "IDMProv" to "workflow".
m. Start the Tomcat service. For example,
systemctl start netiq-tomcat.service
n. Stop the FormRenderer service. For example,
/etc/init.d/netiq-golang.sh stop
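A helper script for the Server2 file edits and keystore imports above, added here as an example and not part of the original article. It assumes ism-configuration.properties sits under /opt/netiq/idm/apps/tomcat/conf, that the keystore passwords are supplied in the environment variables TOMCAT_KS_PASS and DEST_KS_PASS (so they never appear on the command line or in shell history), and that the three URL values are supplied by the administrator.

```shell
#!/bin/sh
# Added example for the Server2 steps; not part of the original article.
# Assumed: ism-configuration.properties under tomcat/conf; keystore
# passwords in $TOMCAT_KS_PASS and $DEST_KS_PASS.
IDM_APPS=/opt/netiq/idm/apps
KEYTOOL=/opt/netiq/common/jre/bin/keytool
CACERTS=/opt/netiq/common/jre/lib/security/cacerts
TOMCAT_KS="$IDM_APPS/tomcat/conf/tomcat.ks"
IDM_JKS="$IDM_APPS/tomcat/conf/idm.jks"
ISM_PROPS="$IDM_APPS/tomcat/conf/ism-configuration.properties"
CFG_PROPS="$IDM_APPS/configupdate/configupdate.sh.properties"

# get_prop FILE KEY: print the value of KEY=... (first match only).
get_prop() {
    awk -v k="$2" 'index($0, k "=") == 1 { print substr($0, length(k) + 2); exit }' "$1"
}

# set_prop FILE KEY VALUE: rewrite KEY=... in place, or append it when missing.
# Every other line (including commented-out keys) is copied unchanged.
set_prop() {
    tmp="$1.tmp.$$"
    awk -v k="$2" -v v="$3" '
        index($0, k "=") == 1 { print k "=" v; done = 1; next }
        { print }
        END { if (!done) print k "=" v }' "$1" > "$tmp" && mv "$tmp" "$1"
}

# import_tomcat_ks DEST: copy every entry of tomcat.ks into DEST (idm.jks or
# cacerts), then list DEST so the operator can confirm the new alias landed.
import_tomcat_ks() {
    SRCPASS=$TOMCAT_KS_PASS DESTPASS=$DEST_KS_PASS "$KEYTOOL" -importkeystore -noprompt \
        -srckeystore "$TOMCAT_KS" -srcstorepass:env SRCPASS \
        -destkeystore "$1" -deststorepass:env DESTPASS || return 1
    DESTPASS=$DEST_KS_PASS "$KEYTOOL" -list -keystore "$1" -storepass:env DESTPASS
}

# configure_server2 REVOKE_URL APP_URL FORMS_HOST: the property edits from the
# Server2 steps (CONTEXT_NAME plus the three ism-configuration.properties keys).
configure_server2() {
    set_prop "$CFG_PROPS" CONTEXT_NAME workflow
    set_prop "$ISM_PROPS" com.netiq.client.authserver.url.revoke "$1"
    set_prop "$ISM_PROPS" com.microfocus.idm.application.url "$2"
    set_prop "$ISM_PROPS" com.netiq.idm.forms.url.host "$3"
}

# Usage on Server2 (uncomment to run):
# configure_server2 <revoke-url> <application-url> <forms-host>
# import_tomcat_ks "$IDM_JKS" && import_tomcat_ks "$CACERTS"
```

Listing the destination keystore after each import is the quick check that the entry actually landed before Tomcat is started.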