Installation
The following chapter provides details about the Identity Governance installation.
Provided Files
The installer is provided in the identity-governance-7.1.0.zip
archive on the ForgeRock BackStage Downloads site. The top-level directory contains the following files and directories:
-
install.sh. Linux installer.
-
install.bat: Windows installer.
-
governance.groovy: Common installer, invoked by both Linux and Windows installers.
-
governance.properties: Properties file that can be used in place of interactive input with the installers.
-
legal-notices: Contains the ForgeRock license agreement and any third party licensing agreements.
-
openidm: Files to be installed in the IDM home directory. These files include configuration files, scripts, workflows, CLI tools, user interface configuration and file fragments that will be injected into existing files.
-
integrations: Files and scripts used to make adjustments to out of the box ForgeRock IDM configuration files.
Installation Instructions
-
Unzip the
identity-governance-7.1.0.zip
to a temporary directory then navigate to the directory that was unzipped. -
Run the following command to initiate the installer:
For Windows: install.bat [--properties filename | -p filename] For Linux: ./install.sh [--properties filename | -p filename]
The installer prints updates to the console until successful completion.
The command can be run with the following optional argument:
* --properties
or
: Provides a properties file for script input. If no properties file is specified, the user must input the following properties at run time.–p <location/of/properties/file>
Use the following parameters when installing:
-
openidm_location: File location of IDM home directory.
-
project_location: File location of IDM project directory, if used. This is an optional property that will default to the
openidm_location
if left blank. -
identity_governance_installer_location: Location where the installer is being run from.
-
openidm_version: The version of IDM you are installing IGA with.
This property respects major and minor versions. For example, 7.1
. Do not use patch release versions. -
initial_install: If this is the first install in a cluster of installs, provide this parameter.
Names are those found in the properties file. If a properties file is not used, equivalent input will be gathered directly from the installer. |
-
After installation completes, the IDM server must be restarted.
Clustered Environment
The installer script can only be run once per environment. In a clustered environment, you must run manual steps to copy artifacts to subsequent nodes once the install has run on the initial node.
The following requires replication on each node after the first:
-
Copy the following files from the installer zip into the IDM installation directory:
-
Everything in the
./openidm/script
directory, copied into the script directory of the installation. -
Everything in the
./openidm/conf
directory, copied into the conf directory of the installation. -
Everything in the
./openidm/workflow
directory, copied into the workflow directory of the installation. -
Everything in the
./openidm/tools
directory, copied into the tools directory of the installation. -
The entire
./openidm/governance
directory, copied into the openidm installation directory. -
The entire
./legal-notices
directory, copied into the openidm installation directoryl
-
-
Copy the following files from the first node’s IDM installation directory:
-
openidm/script/access.js
-
openidm/conf/managed.json
-
openidm/conf/policy.json
-
Post-Installation Instructions
The UI context for Identity Governance can be found by navigating to /governance from your IDM server URL.
Additional configuration is needed on each node as described below:
-
Administrator Roles. For a user to access the administrator functionality of Identity Governance, they must be assigned the intended internal authorization role (
governance-administrator
,access-request-admin
, orglossary-admin
) that was created during installation. Note that if you are assigning the role to the currently logged in user you must log out and back in again for the role to take effect, and internal users (e.g.,openidm-admin
) are not supported by Identity Governance}. -
Enable Workflow. If planning to use the IDM workflow functionality for certification remediation or custom request flows, Identity Governance requires workflow to be enabled in the IDM administrator configuration. To do so, navigate to Configuration > System Preferences > Workflow and toggle the
Enable
setting. -
Setting the membershipProperties configuration. Administrators have the ability to determine which default managed user property will be used to determine membership for group assigned approvals, either roles or authzRoles. If ‘roles’ is selected, users that are assigned a managed role to their Provisioning Roles attribute (‘roles’ in the schema) will be eligible to approve tasks assigned to that managed role. If ‘authzRoles’ is selected, users that are assigned a role to their Authorization Roles attribute (‘authzRoles’) will be eligible to approve tasks assigned to that role. In previous versions of Access Request this was always determined by the Authorization Roles property.
To edit this configuration, open the file found at
openidm/conf/commons.json
and edit themembershipProperties
array value. By default the configuration contains both‘authzRoles’
and‘roles’
as options; however, it is recommended that only one is chosen. Note that only those two properties are currently supported as options for determining group membership. -
Event-Driven Certifications. In order to enable event based certifications for managed users or other managed objects, the following snippet of code (in JavaScript) must be added to the
onUpdate
hook for each individual object that you want to create certifications for:require('script/idg/onUpdateManagedObject.js').triggerCerts(oldObject,newObject, 'user');
where ‘user’ should correspond to the managed object you are editing (e.g., ‘role’, ‘assignment’, etc.)
-
Reactive Policy Scans. In order to enable reactive policy scans on managed users, the following snippet of code (in JavaScript) must be added to the postUpdate hook for the managed user object:
if(request.method.equals('update') || request.method.equals('patch')) openidm.action('governance/policyScan', 'reactive', { userId: object._id });
After installation steps are complete, it is recommended that the installer ZIP and the created installation folders and files be removed from the server.
Installer Backups
As part of the installation process, backups of any IDM files that are changed or edited are created within the openidm/backup
folder. The file names follow the pattern of <original file name>.pre-accessreview-install-<timestamp>
`, and are located within the same subdirectories of the backup folder as they would be in the original openidm
directory.
IDM/AM Integration for 7.X
If installing Identity Governance into an IDM environment that is configured to authenticate through Access Management, you must configure an OAuth client in AM for the Governance context.
To start, refer to section 2.4.2 of the ForgeRock Platform Setup Guide.
In step 5 of the section, instructions are given to configure a client for the end-user-ui. For Identity Governance, please repeat those steps with the following adjustments:
-
Client ID:
identity-governance-ui
-
Core:
-
Redirect URIs: <IDM domain>/governance/appAuthHelperRedirect.html
-
-
Advanced:
-
Subject Type: Public
-
In the ForgeRock Platform admin interface, click Applications, and then Add Application. The data entered in this form should match the configurations included in the AM client.
The compatible IDM versions are 7.X and onwards. |
Patching/Updating Process
If installing a patch update to the current installation, run the following steps to ensure proper installation of the update.
For updating a major version of the product (e.g. 2.5 > 3.0), consult the release notes for any instructions on the upgrade process.
-
Check the patch/update zip for a README file and confirm if there are any additional actions that need to be taken for the specific patch or update. Any steps found within this file should take precedence over the steps found below.
-
Manually create a backup of the following directories with the openidm installation:
/conf
,/script/idg
,/script/commons
,/governance
, and/workflow
. -
Unzip the provided patch/update into the
openidm
directory -
Restart the IDM server.
In the event the update needs to be backed out or reverted, simply copy the backup directories to the [path]openidm directory to overwrite the new changes and restart the server once again. |