
Knowledge Doc: Opentext Identity Manager: Separating Workflow from Other Identity Applications


Issue:

The Identity Manager suite contains several applications, such as OSP, IDM Dashboard (IDMDash), IDM Provisioning (IDMProv), Workflow, SSPR, and FormRenderer, all running on the same server. In large production environments, performance issues have been observed, where workflow processing impacts the UI components and vice versa.

Solution:

By separating the Workflow application from the other components and running it as a standalone application, we can minimize interference between the applications. This approach will improve both reliability and performance.

 Procedure:

The steps below were performed on a fresh sample IDM 4.10 deployment with two SLES 15 SP6 servers. In this scenario, the engine, Identity Console and identity applications are installed on Server1, and a second instance of the identity applications is installed on Server2; after the procedure, Server2 runs only the Workflow application.

Prerequisites:

  1. Generate tomcat.ks with a wildcard certificate whose SAN (Subject Alternative Name) includes the IP addresses of both servers, so that the same keystore validates on either host.
  2. Copy tomcat.ks to both Server1 and Server2.
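As an added example (not from this KB), the prerequisite keystore can be produced and checked with the IDM-bundled keytool as follows. The wildcard name *.example.com, the addresses 192.0.2.10 and 192.0.2.20, the alias tomcat and the self-signed key are assumptions for a lab; for production, pass the same -ext SAN to keytool -certreq, have your CA sign it, and import the chain under the same alias. The check that matters is the SAN printed at the end: after the split, Server1 and Server2 call each other over TLS by these addresses, and a certificate that lacks one of them fails validation.

```shell
#!/bin/sh
# Added example, not part of the OpenText KB: build the keytool SAN extension from the
# server IP addresses, generate tomcat.ks, and print its SAN so it can be checked before
# the keystore is copied to Server1 and Server2.
# Assumptions: KEYTOOL is the IDM-bundled JRE's keytool; alias "tomcat", the wildcard
# name and the 192.0.2.x addresses are placeholders; the key is self-signed (lab use).
set -e

KEYTOOL=${KEYTOOL:-/opt/netiq/common/jre/bin/keytool}

# Return 0 only for a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 }
        { exit 1 }'
}

# Build the -ext argument: the wildcard DNS name plus one ip: entry per server.
# Usage: san_ext '*.example.com' 192.0.2.10 192.0.2.20
san_ext() {
    dns=$1; shift
    [ $# -ge 1 ] || { echo "san_ext: at least one server IP is required" >&2; return 1; }
    ext="SAN=dns:$dns"
    for ip in "$@"; do
        is_ipv4 "$ip" || { echo "san_ext: not an IPv4 address: $ip" >&2; return 1; }
        ext="$ext,ip:$ip"
    done
    printf '%s\n' "$ext"
}

# Generate tomcat.ks with the SAN. The password is taken as an argument for brevity;
# on a shared host prefer keytool's interactive prompt so it stays out of `ps` output.
gen_tomcat_ks() {
    ks=$1; pass=$2; dns=$3; shift 3
    ext=$(san_ext "$dns" "$@") || return 1
    "$KEYTOOL" -genkeypair -alias tomcat -keyalg RSA -keysize 3072 -validity 825 \
        -storetype PKCS12 -keystore "$ks" -storepass "$pass" -keypass "$pass" \
        -dname "CN=$dns" -ext "$ext"
}

# Print the SubjectAlternativeName block of the tomcat entry. Both server IPs must be
# listed, otherwise the applications reject each other's TLS endpoints after the split.
show_san() {
    ks=$1; pass=$2
    "$KEYTOOL" -list -v -keystore "$ks" -storepass "$pass" -alias tomcat |
        sed -n '/SubjectAlternativeName/,/^ *\]/p'
}

# Only touch the file system when explicitly asked; otherwise just define the functions.
if [ "${RUN_KS_EXAMPLE:-0}" = 1 ]; then
    gen_tomcat_ks ./tomcat.ks "$KS_PASS" '*.example.com' 192.0.2.10 192.0.2.20
    show_san ./tomcat.ks "$KS_PASS"
fi
```

Run with RUN_KS_EXAMPLE=1 and KS_PASS set to produce ./tomcat.ks; copy it to /opt/netiq/idm/apps/tomcat/conf/ on both servers only after show_san lists both IPAddress entries. The same show_san call is a useful check on the keystore you receive from a CA, since a wildcard CN alone does not cover IP-based URLs.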

 Steps to be performed on Server1:

  1. Download IDM 4.10 ISO from the Software License and Download portal
  2. Run install.sh to install IDM Engine, Applications, and Identity Console. Refer to the official documentation: Installing OpenText Identity Manager
  3. Run configure.sh to configure IDM Engine and Identity Console. Refer to the official documentation: Configuring the OpenText Identity Manager Components
  4. Run configure.sh again with custom configuration to configure the applications.
  5. During configuration, choose the custom certificate generated in the prerequisites.
  6. Stop the Tomcat service. For example:
      systemctl stop netiq-tomcat.service
  7. Perform the following actions:
    1. Take a backup of workflow.war:
      cp /opt/netiq/idm/apps/tomcat/webapps/workflow.war /home/backup/
    2. Remove workflow.war and the exploded workflow directory from /opt/netiq/idm/apps/tomcat/webapps/:
      rm -rf /opt/netiq/idm/apps/tomcat/webapps/workflow.war /opt/netiq/idm/apps/tomcat/webapps/workflow
    3. Clear the temp and work directories under /opt/netiq/idm/apps/tomcat/:
      rm -rf /opt/netiq/idm/apps/tomcat/temp/*
      rm -rf /opt/netiq/idm/apps/tomcat/work/*
    4. Edit /opt/netiq/idm/apps/tomcat/conf/ism-configuration.properties and change the com.netiq.wf.engine.url setting to point to the Workflow application on Server2.
    5. Import tomcat.ks into idm.jks. For example:
      /opt/netiq/common/jre/bin/keytool -importkeystore -srckeystore /opt/netiq/idm/apps/tomcat/conf/tomcat.ks -srcstorepass <password> \
        -destkeystore /opt/netiq/idm/apps/tomcat/conf/idm.jks -deststorepass <password>
    6. Import tomcat.ks into the cacerts keystore of the Java runtime used by the IDM Engine (/opt/netiq/common/jre/lib/security/cacerts). For example:
      /opt/netiq/common/jre/bin/keytool -importkeystore -srckeystore /opt/netiq/idm/apps/tomcat/conf/tomcat.ks -srcstorepass <password> \
        -destkeystore /opt/netiq/common/jre/lib/security/cacerts -deststorepass <password>
    7. Restart eDirectory so that it picks up the updated trust store. For example:
      ndsmanage stopall; ndsmanage startall
    8. Start the Tomcat service. For example:
      systemctl start netiq-tomcat.service
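The Server1 sequence above, written as an added example script (not part of the KB or of the product). It assumes the KB's default paths (overridable through TOMCAT, JRE and BACKUP), takes the keystore passwords and the Server2 workflow URL from the environment variables TOMCAT_KS_PASS, IDM_JKS_PASS, CACERTS_PASS and WF_URL rather than from the command line, and discovers the key alias in tomcat.ks because the KB does not name it. It deviates from the KB in one place, deliberately: cacerts receives only the exported certificate, since trusting a peer needs no private key and cacerts is readable by every Java process on the host.

```shell
#!/bin/sh
# Added example, not part of the OpenText KB: Server1 steps 6-7 (stop Tomcat, back up and
# remove workflow, clear temp/work, repoint com.netiq.wf.engine.url, import tomcat.ks,
# restart eDirectory and Tomcat) as re-runnable functions.
# Assumptions: KB default paths, overridable via TOMCAT/JRE/BACKUP; secrets and the
# Server2 URL come from TOMCAT_KS_PASS, IDM_JKS_PASS, CACERTS_PASS and WF_URL.
set -e

TOMCAT=${TOMCAT:-/opt/netiq/idm/apps/tomcat}
JRE=${JRE:-/opt/netiq/common/jre}
BACKUP=${BACKUP:-/home/backup}

# Set key=value in a Java properties file, replacing the existing line or appending one.
# Writes back through cat so the file keeps its owner and mode; a timestamped copy is kept.
set_prop() {
    file=$1; key=$2; value=$3
    cp -p "$file" "$file.$(date +%Y%m%d%H%M%S).bak"
    awk -v k="$key" -v v="$value" '
        index($0, k "=") == 1 { print k "=" v; done = 1; next }
        { print }
        END { if (!done) print k "=" v }' "$file" > "$file.tmp"
    cat "$file.tmp" > "$file" && rm -f "$file.tmp"
}

# Print the value of a key (empty if absent); used to confirm that the edit took.
get_prop() {
    awk -v k="$2" 'index($0, k "=") == 1 { print substr($0, length(k) + 2); exit }' "$1"
}

# Steps 7.1-7.3: keep a copy of workflow.war, remove the deployed app, clear temp/ and work/.
remove_workflow() {
    webapps=$TOMCAT/webapps
    [ -f "$webapps/workflow.war" ] || { echo "no workflow.war in $webapps" >&2; return 1; }
    mkdir -p "$BACKUP"
    cp -p "$webapps/workflow.war" "$BACKUP/workflow.war"
    rm -rf "$webapps/workflow.war" "$webapps/workflow"
    rm -rf "$TOMCAT/temp"/* "$TOMCAT/work"/*
}

# Alias of the private-key entry in tomcat.ks (the KB does not name it, so look it up).
key_alias() {
    "$JRE/bin/keytool" -list -keystore "$TOMCAT/conf/tomcat.ks" -storepass "$TOMCAT_KS_PASS" |
        awk -F, '/PrivateKeyEntry/ { print $1; exit }'
}

# Step 7.5: copy the key entry into idm.jks and fail unless the alias is now listed there.
import_into_idm_jks() {
    alias=$(key_alias)
    "$JRE/bin/keytool" -importkeystore -noprompt \
        -srckeystore "$TOMCAT/conf/tomcat.ks" -srcstorepass "$TOMCAT_KS_PASS" -srcalias "$alias" \
        -destkeystore "$TOMCAT/conf/idm.jks" -deststorepass "$IDM_JKS_PASS" -destalias "$alias"
    "$JRE/bin/keytool" -list -keystore "$TOMCAT/conf/idm.jks" -storepass "$IDM_JKS_PASS" -alias "$alias" > /dev/null
}

# Step 7.6, trust only: export the certificate and add it to cacerts as a trusted entry.
# The KB copies the whole keystore; cacerts needs no private key to trust the certificate.
trust_in_cacerts() {
    alias=$(key_alias)
    tmp=$(mktemp)
    "$JRE/bin/keytool" -exportcert -rfc -keystore "$TOMCAT/conf/tomcat.ks" \
        -storepass "$TOMCAT_KS_PASS" -alias "$alias" -file "$tmp"
    "$JRE/bin/keytool" -importcert -noprompt -trustcacerts -keystore "$JRE/lib/security/cacerts" \
        -storepass "$CACERTS_PASS" -alias "$alias" -file "$tmp"
    rm -f "$tmp"
}

main() {
    : "${TOMCAT_KS_PASS:?}" "${IDM_JKS_PASS:?}" "${CACERTS_PASS:?}" "${WF_URL:?Server2 workflow URL}"
    systemctl stop netiq-tomcat.service
    remove_workflow
    set_prop "$TOMCAT/conf/ism-configuration.properties" com.netiq.wf.engine.url "$WF_URL"
    import_into_idm_jks
    trust_in_cacerts
    ndsmanage stopall; ndsmanage startall
    systemctl start netiq-tomcat.service
}

# Only act on the real server when explicitly asked; otherwise just define the functions.
if [ "${RUN_SERVER1_SPLIT:-0}" = 1 ]; then main; fi
```

Run it on Server1 as root with RUN_SERVER1_SPLIT=1 and the four variables set. Without the flag the file only defines the functions, so remove_workflow and set_prop can be rehearsed against a throwaway directory tree by pointing TOMCAT and BACKUP at it before the real change window.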

     

 Steps to be performed on Server2:

  1. Download IDM 4.10 ISO from the Software License and Download portal
  2. Run install.sh to install the Identity applications. Refer to the official documentation: Installing OpenText Identity Manager
  3. Run configure.sh with custom configuration to configure the applications. Refer to the official documentation: Configuring the OpenText Identity Manager Components.
  4. During configuration, ensure the following:
    1. Select the existing database option.
    2. Provide a unique Workflow Engine ID (e.g., Node2), distinct from the engine ID used on Server1.
    3. Specify the existing User Application Driver.
  5. Stop the Tomcat service. For example:
      systemctl stop netiq-tomcat.service
  6. Perform the following actions:
    1. Move the entire contents of /opt/netiq/idm/apps/tomcat/webapps/ to a backup directory. For example:
      mv /opt/netiq/idm/apps/tomcat/webapps/* /home/backup/
    2. Restore only workflow.war from the backup, so that it is the only application left under /opt/netiq/idm/apps/tomcat/webapps/. For example:
      cp /home/backup/workflow.war /opt/netiq/idm/apps/tomcat/webapps/
    3. Clear the temp and work directories under /opt/netiq/idm/apps/tomcat/. For example:
      rm -rf /opt/netiq/idm/apps/tomcat/temp/*
      rm -rf /opt/netiq/idm/apps/tomcat/work/*
    4. Change the ownership of workflow.war to the novlua user, the account Tomcat runs as. For example:
      chown novlua:novlua /opt/netiq/idm/apps/tomcat/webapps/workflow.war
      chmod 755 /opt/netiq/idm/apps/tomcat/webapps/workflow.war
    5. Move ism-configuration.properties, encrypt-keys.pkcs12, and ism-sensitive.properties from /opt/netiq/idm/apps/tomcat/conf to the backup directory. Keep that backup and restrict access to it: encrypt-keys.pkcs12 and ism-sensitive.properties hold the encryption keys and sensitive settings of the applications. For example:
      mv /opt/netiq/idm/apps/tomcat/conf/ism-configuration.properties /home/backup/
      mv /opt/netiq/idm/apps/tomcat/conf/encrypt-keys.pkcs12 /home/backup/
      mv /opt/netiq/idm/apps/tomcat/conf/ism-sensitive.properties /home/backup/
    6. Edit configupdate.sh.properties under /opt/netiq/idm/apps/configupdate and change the CONTEXT_NAME value from "IDMProv" to "workflow".

    7. Launch Configupdate and perform the following actions:
      1. Under the Authentication tab, change the OAuth server URL to point to Server1.
      2. Under the IDM SSO Clients tab, update the URLs to point to Server1.
      3. Under IDM SSO Clients -> Advanced Options, set "RBPM to eDirectory SAML configuration" to Auto.
      4. Save the changes.
    8. Update ism-configuration.properties with the proper values for com.netiq.client.authserver.url.revoke, com.microfocus.idm.application.url and com.netiq.idm.forms.url.host, so that they point to Server1, where OSP, the identity applications and FormRenderer continue to run, and save the changes.

    9. Import tomcat.ks into idm.jks. For example:
      /opt/netiq/common/jre/bin/keytool -importkeystore -srckeystore /opt/netiq/idm/apps/tomcat/conf/tomcat.ks -srcstorepass <password> \
        -destkeystore /opt/netiq/idm/apps/tomcat/conf/idm.jks -deststorepass <password>
    10. Import tomcat.ks into the cacerts keystore of the Java runtime (/opt/netiq/common/jre/lib/security/cacerts). For example:
      /opt/netiq/common/jre/bin/keytool -importkeystore -srckeystore /opt/netiq/idm/apps/tomcat/conf/tomcat.ks -srcstorepass <password> \
        -destkeystore /opt/netiq/common/jre/lib/security/cacerts -deststorepass <password>
    11. Start the Tomcat service. For example:
      systemctl start netiq-tomcat.service
    12. Stop the FormRenderer service, which is not needed on the workflow-only server. For example:
      /etc/init.d/netiq-golang.sh stop
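The Server2 file-system steps (6.1 to 6.6), plus a post-check that nothing but workflow is deployed, as an added example script (not part of the KB or of the product). It assumes the KB's default paths, overridable through TOMCAT, BACKUP and CONFIGUPDATE, and that OWNER is the Tomcat service account novlua; set OWNER to an empty string to skip the chown when rehearsing as an unprivileged user. It moves everything except workflow.war in one pass, which ends in the same state as the KB's mv-everything-then-copy-back sequence. The keytool imports, configupdate and the service restarts are left to the numbered steps above; on Server1 the same imports are already shown in script form.

```shell
#!/bin/sh
# Added example, not part of the OpenText KB: Server2 steps 6.1-6.6 as functions, plus a
# post-check for the finished split. Assumptions: KB default paths (override with
# TOMCAT/BACKUP/CONFIGUPDATE); OWNER is the Tomcat account, empty to skip chown.
set -e

TOMCAT=${TOMCAT:-/opt/netiq/idm/apps/tomcat}
BACKUP=${BACKUP:-/home/backup}
CONFIGUPDATE=${CONFIGUPDATE:-/opt/netiq/idm/apps/configupdate/configupdate.sh.properties}
OWNER=${OWNER:-novlua}

# Steps 6.1-6.4: move every deployed application except workflow.war to the backup
# (including an exploded workflow/ directory, which Tomcat recreates from the war),
# clear temp/ and work/, and give workflow.war the ownership and mode the KB specifies.
isolate_workflow() {
    webapps=$TOMCAT/webapps
    [ -f "$webapps/workflow.war" ] || { echo "no workflow.war in $webapps" >&2; return 1; }
    mkdir -p "$BACKUP/webapps"
    for entry in "$webapps"/*; do
        [ -e "$entry" ] || continue
        if [ "$(basename "$entry")" != workflow.war ]; then mv "$entry" "$BACKUP/webapps/"; fi
    done
    rm -rf "$TOMCAT/temp"/* "$TOMCAT/work"/*
    [ -z "$OWNER" ] || chown "$OWNER:$OWNER" "$webapps/workflow.war"
    chmod 755 "$webapps/workflow.war"
}

# Step 6.5: move the generated configuration aside. The backup then holds
# encrypt-keys.pkcs12 and ism-sensitive.properties, so it is restricted to its owner.
stage_conf() {
    mkdir -p "$BACKUP"
    chmod 700 "$BACKUP"
    for f in ism-configuration.properties encrypt-keys.pkcs12 ism-sensitive.properties; do
        if [ -e "$TOMCAT/conf/$f" ]; then mv "$TOMCAT/conf/$f" "$BACKUP/"; fi
    done
}

# Step 6.6: point configupdate at the workflow context instead of IDMProv.
# Writes back through cat so the file keeps its owner and mode.
set_context_name() {
    f=${1:-$CONFIGUPDATE}
    awk -F= '$1 == "CONTEXT_NAME" { $0 = "CONTEXT_NAME=workflow" } { print }' "$f" > "$f.tmp"
    cat "$f.tmp" > "$f" && rm -f "$f.tmp"
}

# Post-check, run after Tomcat is up: only workflow.war (and the workflow/ directory
# Tomcat explodes from it) may exist under webapps. Returns 1 and names anything else.
only_workflow_deployed() {
    extra=$(ls -A "$TOMCAT/webapps" | grep -v -e '^workflow\.war$' -e '^workflow$' || true)
    [ -z "$extra" ] || { echo "unexpected under $TOMCAT/webapps: $extra" >&2; return 1; }
}

main() {
    systemctl stop netiq-tomcat.service
    isolate_workflow
    stage_conf
    set_context_name
    echo "Continue with Configupdate (step 7), the ism-configuration.properties URLs (step 8), the keystore imports (steps 9-10), Tomcat start and FormRenderer stop."
}

# Only act on the real server when explicitly asked; otherwise just define the functions.
if [ "${RUN_SERVER2_SPLIT:-0}" = 1 ]; then main; fi
```

After step 12, run only_workflow_deployed on Server2 and expect no output and a zero exit; a leftover IDMProv.war or osp.war there means the UI components are still being served from the workflow host, which is exactly the contention the split is meant to remove.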

    Labels:

    Support Tips/Knowledge Docs