Symantec IGA


How to JumpStart an CA Identity Minder (IM) Sandbox Environment

Anon Anon, Sep 01, 2012 04:44 AM

  • 1.  How to JumpStart an CA Identity Minder (IM) Sandbox Environment

    Posted Aug 29, 2012 10:27 AM
    Hello All,

    I put together a deck that I use for training associates and clients with the complex and integrated features that IM provides.
    This process is also useful for validating use-cases and what-if scenarios prior to any implementation within a development or production environment.
    From the deck:

    Purpose: The intent of this document and presentation is to increase the knowledge and confidence of consultants and clients with the CA Identity Minder/ Management solution, enterprise-class web application server and database, and a high performance directory solution.

    Audience: Help Desk Personnel, Project Managers, Business Analysts, Technical Analysts, Architects

    Effort expected: 8-16 hours
    Time counted from downloading to running a full provisioning use-case from a feed to an endpoint.
    As user become familiar with the process, the time expended will drop.

    Knowledge Required: Some experience with Linux commands (vi, su, ln, cp, etc.)
    Basic understanding of Directories, Databases, Java, Web Application Servers, Log4j

    Footprint: Environment will be able to run as a single image on a user workstation/laptop with minimal resources but provide a reasonable response for use-case testing.

    Steps: The methodology used will build the solution from the bottom-up, e.g. Virtual Tier/OS/Network tier, Data tier, Mid-Ware Tier, Top Application Tier, with clear milestones.

    Licenses: Community and/or developer license components will be used for non-CA software. {Note: User is expected to have access to licensed versions of CA software to follow along with the steps in the deck.}

    Final Note: This environment is expected to be used ONLY for training, development, or a sandbox.  This environment should NOT be used for a production or production-like environment.
    As new software service packs become available, some of the steps in the deck may become redundant or obsolete. YMMV. -_-

    Please provide feedback if you find this of use or see an area that needs clarification.



    Cheers,

    Alan Baugher


  • 2.  RE: How to JumpStart an CA Identity Minder (IM) Sandbox Environment

     
    Posted Aug 29, 2012 06:42 PM
    Awesome Alan! Thanks for sharing this with the community! :grin:


  • 3.  RE: How to JumpStart an CA Identity Minder (IM) Sandbox Environment

    Posted Sep 01, 2012 04:44 AM
    Great job, thanks!


  • 4.  Re: How to JumpStart an CA Identity Minder (IM) Sandbox Environment

    Posted May 13, 2015 01:14 PM

    Good information, thanks!  Anyone got anything like this for a Microsoft environment: Windows Server, Active Directory, SQL Server, etc.?



  • 5.  Re: How to JumpStart an CA Identity Minder (IM) Sandbox Environment

    Posted May 15, 2015 07:34 PM

    Hi Ralph,

     

    I don't have a specific deck for the Win environment, but it is very similar process.

     

    Microsoft requires that its licenses not be shared, so any image would need to be built by each user.

     

    Three (3) recommended changes:

     

    1) Use MS Windows 2012 R2 as the base OS,

    2) Use MS SQL Express (as the primary IM objectstore),   No need to use the full SQL database for sandbox env.   (Or you may still use Oracle XE).

    3) Use JBOSS EAP 6.3 GA with Java JDK 1.7 + JCE 1.7 (use developer license for JBOSS); the memory may be 2GB to 32 GB RAM (depending on your system available memory)

     

    I would still recommend use of CA Directory as the corporate user store, as a quick stand up userstore.

    If you decide to choose Active Directory (which will work) as the corporate user store, be aware that certain operations for provisioning to AD will be redundant as a "managed endpoint"; and care should be taken not to create a "data loop".

     

     

    Cheers,



  • 6.  Re: How to JumpStart an CA Identity Minder (IM) Sandbox Environment

    Posted May 18, 2015 11:24 AM

    Thanks, Alan!



  • 7.  Re: How to JumpStart an CA Identity Minder (IM) Sandbox Environment

    Posted Oct 31, 2016 01:38 AM

    Hi Alan,

    Can you please help me out with how to install CA Identity Suite on Windows Server? I'm new to this product. Can you please share any document for installation or screenshots?

    Regards,

    Navin



  • 8.  Re: How to JumpStart an CA Identity Minder (IM) Sandbox Environment

    Posted Oct 31, 2016 03:10 PM

    Hi Naveen,

     

    One approach that may help is to use & review the latest IDVA image of CA Identity Suite.   It can run on VMware ESXi, Workstation, and Player.

     

    It requires at least 10 GB RAM, 4 vCPU & 50 GB HDD, so ensure your workstation is a quad core with 16 GB RAM if you wish to run it locally.

     

    You can use this as your "comparison" environment and adjust to get near like behavior.

     

    Link Below:

    CA Identity Suite 12.6 SP8 Latest Cumulative Release Download - CA Technologies 

     

    ### ###  

    Alternatively, I have some examples of using silent install command line scripts for both Win and Linux.

     

    Here is one example where I deployed the entire suite via command line and properties files.

    This approach, I believe, removes the FUD from using "blackbox" installation GUIs.   You can see what is being updated and deployed; and if you don't like it, you can roll it back and re-install without the need for a reboot.

     

     

    DEV-OPS: CA Identity Manager & CA SSO - CLI Silent Response Scripts on Centos7 

    Win OS Examples:

     

    Example:  Install Jxplorer via CLI

     

    jxplorer-3.3.1rc2-windows-installer.exe --prefix E:\Programs\jxplorer --mode unattended

     

    Example:  Install Java JDK via CLI

     

    jdk-6u45-windows-x64.exe /qn /s AgreeToLicense=YES REBOOT=ReallySuppress INSTALLDIR=E:\Programs\Java\jdk1.6.0_45_x64 INSTALLDIRPUBJRE=E:\Programs\Java\jre1.6.0_45_x64  /l* E:\temp\jdk6-install.log.log

     

    jdk-7u45-windows-x64.exe /s /INSTALLDIRPUBJRE=E:\Programs\Java\jre1.7.0_45_x64  /INSTALLDIR=E:\Programs\Java\jdk1.7.0_45_x64 /l* F:\temp\jdk7-install.log

     

    jdk-8u60-windows-x64.exe ADDLOCAL="ToolsFeature,SourceFeature,PublicjreFeature" INSTALLDIR=C:\Java\x64\jdk1.8.0_60 /INSTALLDIRPUBJRE=C:\Java\x64\jre1.8.0_60

     

    Note:  Please pull down the unlimited-strength encryption libraries (JCE) and update these for the JDK:

    http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html
    http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html

     

     

     

    Example:  Install CA Directory via CLI   (create the cadir-impd.rsp first; a sample rsp file is provided with CA Dir)

     

    dxsetup.exe RESPONSE_FILE=z:\cadir-impd.rsp ETRDIR_DXADMIND_PASSWORD=Password01

     

     

    Example:  Install CA Provisioning Directory Schema  (create ini file first)

     

    GEN11172937E\Provisioning\ProvisioningDirectory\setup.exe -silent -options 02_impd_silent_userinput.ini

    May install with GUI first, and record the INI to make this easier:  setup.exe -options-record filename.ini

     

    Example:  Install CA Provisioning Server  (create ini file first)

     

    GEN11172937E\Provisioning\ProvisioningServer\setup.exe -silent -options 03_imps_silent_userinput_imps_+_ccs.ini

    May install with GUI first, and record the INI to make this easier:  setup.exe -options-record filename.ini

     

    Example:  Install CA Connector Xpress  (create ini file first)

     

    GEN11172937E\Provisioning\ConnectorXpress\setup.exe -silent -options 02_imps_connector_xpress_silent.ini

    May install with GUI first, and record the INI to make this easier:  setup.exe -options-record filename.ini

     

    Example:  Install CA Connector Server  (create ini file first)

     

    GEN11172937E\Provisioning\ConnectorServer\setup.exe -silent -options 03_iamcs_jcs_silent_userinput_with_ccs.ini

    May install with GUI first, and record the INI to make this easier:  setup.exe -options-record filename.ini

     

    Example:  Install CA Provisioning Manager GUI  (create ini file first)

    setup.exe -silent -options impm_silent_userinput.ini

    May install with GUI first, and record the INI to make this easier:  setup.exe -options-record filename.ini

     

    Example:   Install the CA Identity Portal

     

    SIGMA_1.6 [-f <path_to_installer_properties_file>]

     

    Example:  Install CA Identity Governance

     

    Create silent install script:
    ./InstCAIdentityGovernance.bin -i console -r /installs/gm/gm_silent_response.txt

    Use silent install script:
    ./InstCAIdentityGovernance.bin -i silent -f "/installs/gm/gm_silent_response.txt"

     

     

     

    #####

     

     

    Uninstall Example:

    net stop im_ps
    net stop im_ccs
    net stop im_jcs

    E:
    cd E:\Programs\CA\Identity Manager\Provisioning Server\_uninst
    Uninstaller.exe
    cd E:\Programs\CA\Identity Manager\Provisioning Manager\_uninst
    Uninstaller.exe
    cd E:\Programs\CA\Identity Manager\Provisioning Directory\_uninst
    Uninstaller.exe  
    cd E:\Programs\CA\Identity Manager\install_config_info\im-uninstall
    uninstall.exe 

    ####

     

    See if this helps

     

     

     

    Cheers,

     

    A.



  • 9.  Re: How to JumpStart an CA Identity Minder (IM) Sandbox Environment

    Posted Nov 08, 2016 07:27 AM

    Hi Alan,

    Thank you very much. Actually, last week with the help of your documents I finished installing CA Identity Suite on Windows, but while configuring CA IDM I am getting the following issue; can you please help me out?



  • 10.  Re: How to JumpStart an CA Identity Minder (IM) Sandbox Environment

    Posted Nov 05, 2016 09:35 AM

    Hello Alan

     

    I'm not sure if there is additional material that accompanies the powerpoint deck, but here is my question.

    On slide 76, step 58, what was the intent on creating the orphan accounts? I don't see within the slide deck a procedure to eventually undo slide 58 and do the correlation against the associated global user.

     

    Should one go through a process of creating the global users first and then running E/C? There are other steps that follow, but it avoids the orphanage scenario.

     

    What are your thoughts around global user pre-population for end points that contain thousands of accounts?

     

    Jose



  • 11.  Re: How to JumpStart an CA Identity Minder (IM) Sandbox Environment

    Posted Nov 07, 2016 01:04 AM

    Hi Jose,

     

    Short Answer:  Creating additional "buckets" for "orphan accounts" helps eliminate false positives.

     

     

    Long Answer:

     

    By default the IMPS server usually only has two (2) accounts:   [default user] and etaadmin  (or idmadmin)

     

    Within the upper tier of the IME, you will see an IM task for orphan accounts; if you open/edit that task, you can view the associated screen.    Within that screen is the IMPS GU of [default user].

     

    Why is this?  When an Explore operation occurs, it is a basic query operation to a managed endpoint to discover accounts; and then, when accounts are found, there is an I/O operation to create "pointer" entries within the IMPD to "know" the current state of the endpoint.   If on a 2nd explore operation some of the accounts were removed OOB (out-of-band), then the "pointer" entries would be updated.   The "pointer" entries do not contain any information except for the location of the account, if it has an OU structure; otherwise the endpoint is treated as a flat OU userstore.

     

    When the Correlate process is chosen, there are several default mappings that are used.   I recommend reviewing these and removing the ones that match Full Name=Full Name.   Not much value if you have hundreds of John Smiths.    Keep the UserID (IMPS GU) = UserID (endpoint), as this is valuable.   And others if you have more than one unique identifier.   The more the better, as each preceding rule will remove others from the list in memory, and will allow this process to be faster.

     

    If the endpoint accounts do NOT match any Correlation Rule, then they are correlated to [default user] (always).

    This mix of endpoint accounts would be true orphan accounts, service accounts, 2nd admin accounts, special accounts (meeting rooms), etc.

     

    To remove the noise/clutter, it is helpful to create additional buckets for non-orphan accounts, to identify the true orphan accounts on a daily basis.

     

    Step 1: So create the following (mark these as special to allow NO updates at all to any correlated accounts).

    - Make a duplicate of [default user] and update it accordingly for name and descriptions.

     

    [ad service accounts]

    [tss service accounts]

    [unix service accounts]

    [host abc service accounts]

    etc.

     

    Step 2: Then using the IMPS GUI, open two (2) User Windows Side By Side; using the cascade function.  

    Use one User window to search and display [default user]; then list the associated accounts for an endpoint type, e.g. AD.

    Use the other User window to search and display the new service account bucket, e.g. [ad service accounts]

     

    Step 3: Using your mouse, you can drag-n-drop any obvious service accounts, or meeting_room accounts to this new bucket.

     

    Repeat this process for every endpoint type or hostname, until ONLY true orphan accounts exist with [default user]

    Decide what to do with these.

          -  If mis-correlated, then re-attach them to the correct IMPS GU

          -  If unsure, open a ticket to document them and identify the "owner"

          - If sure, then delete them (not remove), i.e. delete them from the endpoint via the IMPS UI.

     

    Step 4:   Decide if you wish to expose these new "service IDs" to local endpoint administrators to access via the IM UI.  If so, duplicate the IM Task for Orphan Accounts or Service Accounts.    Then create a NEW Screen, and update the screen with the new IMPS GU names.     These new tasks will allow any IM Admin to view the IMPS GU accounts.

    Create new IM Admin Roles for the Endpoint Admin, and then attach these new IM Screens to these IM Admin Roles.  You may then associate these IM Admin Roles with the select few endpoint admins.    If you do not wish to give "full" management control, you may still wish to give VIEW access to these accounts, to help reduce FUD.

     

     

    Let me know if this helps.

     

    Cheers,

     

    Alan
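As an added example (not from the thread or the product), a small Python simulation of the correlation behaviour Alan describes: rules run in order, unmatched accounts fall to [default user], and obvious service accounts are moved into per-endpoint buckets so that only true orphans remain. The sample users, the "first hit wins" rule behaviour and the svc_ naming test are constructed assumptions, not the product's documented logic.

```python
# Added example (not from the thread): simulates the Explore & Correlate rule
# ordering Alan describes, the [default user] fallback, and service-account buckets.
DEFAULT_USER = "[default user]"

# Constructed sample data: global users as (userid, full_name) and endpoint
# accounts as (endpoint, account_id, full_name).
GLOBAL_USERS = [("jsmith1", "John Smith"), ("jsmith2", "John Smith"), ("adoe", "Alice Doe")]
ENDPOINT_ACCOUNTS = [
    ("AD", "adoe", "Alice Doe"),            # clean UserID match
    ("AD", "jsmith2", "John Smith"),        # UserID match, despite the name clash
    ("AD", "smithj", "John Smith"),         # no UserID match; two John Smiths exist
    ("AD", "svc_backup", "Backup Service"), # obvious service account
    ("UNIX", "oldtemp", "Left Company"),    # a true orphan
]

def rule_userid(acct, gus):
    return [u for u, _ in gus if u.lower() == acct[1].lower()]

def rule_full_name(acct, gus):
    return [u for u, name in gus if name.lower() == acct[2].lower()]

def correlate(accounts, gus, rules):
    """Rules run in order; an account matched earlier leaves the working list,
    so weaker rules see fewer accounts. The first candidate a rule returns is
    taken (assumed; this is the Full Name false positive); unmatched -> [default user]."""
    owner, remaining = {}, list(accounts)
    for rule in rules:
        still = []
        for acct in remaining:
            hits = rule(acct, gus)
            if hits:
                owner[acct] = hits[0]
            else:
                still.append(acct)
        remaining = still
    for acct in remaining:
        owner[acct] = DEFAULT_USER
    return owner

def bucket_service_accounts(owner, is_service=lambda a: a[1].startswith("svc_")):
    """Steps 1-3 of the post: move obvious service accounts out of [default user]
    into a per-endpoint bucket. The 'svc_' test stands in for the manual review."""
    out = dict(owner)
    for acct, gu in owner.items():
        if gu == DEFAULT_USER and is_service(acct):
            out[acct] = "[%s service accounts]" % acct[0].lower()
    return out

def true_orphans(owner):
    return sorted(a[1] for a, gu in owner.items() if gu == DEFAULT_USER)
```

Running correlate with only rule_userid leaves the ambiguous "John Smith" in [default user] for review, whereas adding rule_full_name silently attaches it to the first John Smith.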



  • 12.  Re: How to JumpStart an CA Identity Minder (IM) Sandbox Environment

    Posted Nov 07, 2016 08:14 AM

    Thanks for the explanation

     

    Jose



  • 13.  Re: How to JumpStart an CA Identity Minder (IM) Sandbox Environment

    Posted Apr 27, 2017 10:46 AM

    Hi Alan, congrats for sharing your effort! I am new to CA (worked with several other IdM vendors). Now I am facing at least one project with these tools. It appears that with my basic CA account I cannot download Identity Manager components; is this right? I would like to know how I can get access to download components for making my own lab, independent of the client's dev environment, so I can test confs and devs before uploading them. Thanks friend!



  • 14.  Re: How to JumpStart an CA Identity Minder (IM) Sandbox Environment

    Posted Apr 27, 2017 02:40 PM

    Hi Docldap,

     

    When you authenticate to the CA Support Site and log in, you will have access to any licensed software tied to the SiteID #.

    If one of your customers/partners has a license to CA software, and you have an email address with the same domain, e.g.   docldap@companyabc.com, you will be able to access the same solutions.

     

     

    If you don't have either of the two (2) options, you can request the standard 30 day trial licenses for most software.

    - Open a CA Support Ticket to request a license

     

    Other options are new beta trial editions, e.g. 

    CA Identity Service Free Trial - CA Technologies 

     

     

    Or use the cumulative releases public links:

    CA Identity Suite 12.6 SP8 Latest Cumulative Release Download - CA Technologies 

     

     

    Cheers,

     

    A.



  • 15.  Re: How to JumpStart an CA Identity Minder (IM) Sandbox Environment

    Broadcom Employee
    Posted Jun 26, 2018 11:28 PM

    Hi all

     

    We published an official performance tuning guide for CAIM here:

     

    Performance Tuning - CA Identity Manager - 14.2 - CA Technologies Documentation 

     

    Hope you will find it helpful 

     

    Itamar