Novell Identity Manager 3.6.1 Remote Loader Guide
Novell®
www.novell.com
novdocx (en) 17 September 2009
AUTHORIZED DOCUMENTATION

Legal Notices
Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.
Further, Novell, Inc., makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. See the Novell International Trade Services Web page (http://www.novell.com/info/exports/) for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.
Copyright © 2007-2009 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.
Novell, Inc., has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed on the Novell Legal Patents Web page (http://www.novell.com/company/legal/patents/) and one or more additional patents or pending patent applications in the U.S. and in other countries.
Novell, Inc. 404 Wyman Street, Suite 500 Waltham, MA 02451 U.S.A. www.novell.com
Online Documentation: To access the latest online documentation for this and other Novell products, see the Novell Documentation Web page (http://www.novell.com/documentation).
Novell Trademarks
For Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/trademarks/tmlist.html).
Third-Party Materials
All third-party trademarks are the property of their respective owners.
Contents

About This Guide 7
1 Remote Loader Overview 9
1.1 Java Remote Loader 10
2 Installing the Remote Loader 13
3 Configuring the Remote Loader 15
3.1 Configuring the Remote Loader on Windows 15
3.2 Configuring the Remote Loader for Linux/UNIX by Creating a Configuration File 18
3.2.1 Setting Environment Variables on Solaris, Linux, or AIX 25
3.3 Configuring the Java Remote Loader 25
3.4 Configuring the Identity Manager Drivers for Use with the Remote Loader 34
3.5 Creating a Secure Connection 35
3.5.1 Creating a Server Certificate 35
3.5.2 Exporting a Self-Signed Certificate 35
3.5.3 Creating a Keystore 36
4 Managing the Remote Loader 39
4.1 Starting the Remote Loader 39
4.1.1 Starting the Remote Loader on Windows 39
4.1.2 Auto-Starting the Remote Loader 41
4.1.3 Starting the Remote Loader on Solaris, Linux, or AIX 42
4.2 Stopping the Remote Loader 43
A Options for Configuring a Remote Loader 45

About This Guide

This guide contains detailed information about the Remote Loader. It explains how and when you use the Remote Loader as part of your Identity Manager solution. It also contains configuration and management information for the Remote Loader.
Chapter 1, “Remote Loader Overview,” on page 9
Chapter 2, “Installing the Remote Loader,” on page 13
Chapter 3, “Configuring the Remote Loader,” on page 15
Chapter 4, “Managing the Remote Loader,” on page 39
Appendix A, “Options for Configuring a Remote Loader,” on page 45
Audience
This guide is intended for Identity Manager administrators, partners, and consultants.
Feedback
We want to hear your comments and suggestions about this manual and the other documentation included with this product. Please use the User Comments feature at the bottom of each page of the online documentation, or go to www.novell.com/documentation/feedback.html and enter your comments there.
Documentation Updates
For the most recent version of the Remote Loader Guide, visit the Identity Manager Documentation Web site (http://www.novell.com/documentation/idm36/).
Additional Documentation
For documentation on Identity Manager, see the Identity Manager Documentation Web site (http://www.novell.com/documentation/idm36/index.html).
Documentation Conventions
In Novell® documentation, a greater-than symbol (>) is used to separate actions within a step and items in a cross-reference path.
A trademark symbol (®, ™, etc.) denotes a Novell trademark. An asterisk (*) denotes a third-party trademark.
1 Remote Loader Overview

Identity Manager has an additional feature that extends Identity Manager functionality across applications. It is called the Remote Loader, and it allows the driver to access the application without having the Identity Vault and the Metadirectory engine installed on the same server as the application. As part of the planning process when installing Identity Manager, you need to decide if you are going to use the Remote Loader or not. This section defines what the Remote Loader is and contains instructions for installing and configuring the Remote Loader.
There are two different ways to configure the installation of the Metadirectory engine. Figure 1-1 illustrates the first way. It shows that the Identity Vault, Metadirectory engine, and the driver shim all are installed and running on the same server. The driver shim is configured to communicate with the application and the Metadirectory engine.
Figure 1-1 All Components Installed on the Same Server (figure labels: Server, Identity Vault, Metadirectory engine, Driver, Application)
Figure 1-2 illustrates both configurations. The LDAP driver is installed on the same server as the Metadirectory engine and the Identity Vault. The Active Directory* driver is installed on different servers with the Remote Loader. The Remote Loader allows the driver to access the application without having the Identity Vault and Metadirectory engine installed on that same server.
Figure 1-2 A System Using the Remote Loader (figure labels: Identity Vault, Metadirectory engine, LDAP driver, Remote Loader instance, Remote Loader, Active Directory driver, Active Directory, Application, Server)
The Remote Loader enables the Metadirectory engine to exchange data with the Identity Vault as different processes and in different locations, including the following:
As a separate process on the server where the Metadirectory engine is running: The Metadirectory engine runs as part of an eDirectory™ process. The Identity Manager drivers can run on the server where the Metadirectory engine is running. In fact, they can run as part of the same process as the Metadirectory engine. However, for strategic reasons and to simplify troubleshooting, you might want the Identity Manager driver to run as a separate process on the server. If the driver is running as a separate process, the Remote Loader provides a communication channel between the Metadirectory engine and the driver.
On a server that is not running the Metadirectory engine: Some of the Identity Manager drivers are unable to run where the Metadirectory engine is running. The Remote Loader enables you to run the Metadirectory engine in one environment while running an Identity Manager driver on a server in a different environment. For example, you cannot run the Active Directory driver on a Linux server. The Metadirectory engine can run on the Linux server while the Remote Loader runs on an Active Directory server.
Scenario: Separate Servers. The Metadirectory engine is running on a Linux server. You need to run the Identity Manager Driver for Active Directory. This driver is unable to run on a Linux server because it must run in an Active Directory environment. You install and run the Remote Loader on a Windows 2003 server. The Remote Loader provides a communication channel between the Active Directory driver and the Metadirectory engine.
Scenario: Non-Host. The Metadirectory engine is running on Solaris*. You need to communicate with a NIS system where you want to provision user accounts. That system usually doesn’t host the Metadirectory engine. You install the Remote Loader and the Identity Manager Driver for NIS on the NIS system. The Remote Loader on the NIS system runs the NIS driver and enables the Metadirectory engine and the NIS driver to exchange data.
Novell® recommends that you use the Remote Loader configuration with your drivers where possible. Use the Remote Loader even in cases where the connected system is on the same server as the Metadirectory engine. Running the driver with the Remote Loader configuration has the following benefits:
eDirectory is protected from any exceptions encountered by the driver shim.
It improves the performance of the server running the Metadirectory engine by offloading driver commands to the remote application or database.
It allows you to run additional drivers on servers where the Metadirectory engine is not installed.

1.1 Java Remote Loader

The Remote Loader can host a remote interface shim (DirXML application shim) on the DirXML server. To control all the instances that host such a remote interface shim, you use the DirXML Java Remote Loader.
The DirXML Java Remote Loader is a Java application, which runs on any system with JRE 1.3.0 or 1.4.2 (for optimal performance) and Java Sockets.
NOTE: You run the DirXML Java Remote Loader by using a shell script named dirxml_jremote.
2 Installing the Remote Loader

The Remote Loader can be installed as a 32-bit application or a 64-bit application. The installation program detects the type of OS that is installed and then installs the corresponding version of the Remote Loader. For the installation instructions, see “Installing the Remote Loader” in the Identity Manager 3.6.1 Installation Guide.
3 Configuring the Remote Loader

The Remote Loader uses shims to communicate with the application. A shim is the file or files that contain the code that processes the events being synchronized between the Identity Vault and the application.
The Remote Loader can host the Identity Manager application shims contained in .dll, .so, or .jar files. The Java* Remote Loader hosts only Java driver shims. It won’t load or host a native (C++) driver shim.
Configuring the Remote Loader is a two-step process: the Remote Loader requires configuration and the Driver object requires configuration. The configuration steps differ depending on whether you are using Windows or Linux/UNIX.
Section 3.1, “Configuring the Remote Loader on Windows,” on page 15
Section 3.2, “Configuring the Remote Loader for Linux/UNIX by Creating a Configuration File,” on page 18
Section 3.3, “Configuring the Java Remote Loader,” on page 25
Section 3.4, “Configuring the Identity Manager Drivers for Use with the Remote Loader,” on page 34
Section 3.5, “Creating a Secure Connection,” on page 35

3.1 Configuring the Remote Loader on Windows

You can configure the driver on Windows through a graphical utility called the Remote Loader Console utility or from the command line.
The Remote Loader Console utility enables you to manage all Remote Loader instances for Identity Manager drivers running on the Windows server. The utility is installed during the installation of Identity Manager.
If you are upgrading, the Console detects and imports existing instances of the Remote Loader. (To be automatically imported, driver configurations must be stored in the Remote Loader directory, typically c:\novell\remoteloader.) You can then use the Console to manage the remote drivers.
1 Double-click the Remote Loader Console icon on the desktop to launch the Remote Loader Console.
The Remote Loader Console allows you to start, stop, add, remove, and edit each instance of a Remote Loader.
2 Click Add to add a Remote Loader instance of your driver on this server.
3 Use the information in the following table to configure the Remote Loader instance for your driver.
Description: Specify a description to identify the Remote Loader instance in the Remote Loader Console utility.
Driver: Select the Java class name for the driver. If you are using the Active Directory driver, select ADDriver.dll. Table 3-3 on page 33 contains a list of all of the Java class names for each driver.
Config File: Specify the name of the configuration file. The Remote Loader Console places configuration parameters into this text file and uses those parameters when it runs.
Communications:
  IP Address: Specify the IP address where the Remote Loader listens for connections from the Metadirectory server.
  Connection Port - Metadirectory Server: Specify the TCP port on which the Remote Loader listens for connections from the Metadirectory server. The default TCP/IP port for this connection is 8090. With each new instance you create, the default port number automatically increases by one.
  Command Port - Local host communication only: Specify the TCP port number where a Remote Loader listens for commands such as Stop and Change Trace Level. Each instance of the Remote Loader that runs on a particular computer must have a different command port number. The default command port is 8000. With each new instance you create, the default port number automatically increases by one.
  NOTE: By specifying different connection ports and command ports, you can run multiple instances of the Remote Loader on the same server, hosting different driver instances.
Remote Loader Password: Specify the Remote Loader password. This password is used to control access to a Remote Loader instance for a driver. It must be the same case-sensitive password specified in the Enter the Remote Loader Password field on the Identity Manager driver configuration page. It is important that this password be difficult to guess and be different from the driver object password.
Driver Object Password: Specify the Driver Object password. The Remote Loader uses this password to authenticate to the Metadirectory server. It must be the same case-sensitive password specified in the Driver Object Password field on the Identity Manager driver configuration page. It is important that this password be difficult to guess and be different from the Remote Loader password.
Secure Socket Layer (SSL):
  Use an SSL Connection: You should always select this option. It is used to encrypt the transfer of data between the Remote Loader and the Metadirectory server.
  Trusted Root File: This is the exported self-signed certificate from the eDirectory™ tree’s Organization Certificate Authority. For more information, see Section 3.5, “Creating a Secure Connection,” on page 35.
Trace File:
  Trace Level: Specify a trace level greater than zero to display a trace window that contains informational messages from both the Remote Loader and the driver. The most common setting is trace level 3. If the trace level is set to 0, the trace window is not displayed.
  Trace File: Specify a trace filename where trace messages are written. Each Remote Loader instance running on a particular machine must use a different trace file. Trace messages are written to the trace file only if the trace level is greater than zero.
  Maximum Disk Space Allowed for all Trace Logs (Mb): Specify the approximate maximum size that the trace file for this instance can occupy on disk.
  NOTE: Use the tracing options only for troubleshooting issues. Having the tracing enabled reduces the performance of the Remote Loader. Do not leave the tracing enabled in production.
Establish a Remote Loader service for this driver instance: Select this option if you want the Remote Loader established as a service. When this option is enabled, the operating system automatically starts the Remote Loader when the computer starts.
4 Specify the advanced configuration parameters. To do so:
4a Click Advanced to display the Advanced Configuration dialog box.
4b Modify the following settings as desired.
Classpath: Additional paths for the JVM to search for package (.jar) and class (.class) files. Using this parameter is the same as using the java -classpath command. When entering multiple class paths, separate them with a semicolon (;) for a Windows JVM and a colon (:) for a UNIX/Linux JVM.
JVM Options: The options used when starting the JVM instance of the driver.
Heap size: The initial and maximum heap size for the JVM instance.
4c Click OK to save the advanced configuration information.
5 Click OK to save the configuration file.
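The settings collected in steps 3 and 4 carry several constraints that are easy to violate once a host runs more than one instance: the command port and the trace file must differ per instance, SSL should always be on with a trusted root file, the two passwords must be distinct and hard to guess, and tracing must not be left on in production. The following script, an added example that is not part of this guide and not Novell’s code, checks a set of instance definitions against those rules before they are committed in the Console. The dictionary keys, the sample instances, the 12-character password floor, and the file paths are this example’s own assumptions; the default port values are the ones stated above.

```python
"""Added example (not Novell's code): sanity checks for Remote Loader
instance definitions as the Remote Loader Console collects them.

Each instance is a plain dict whose keys mirror the Console fields; the key
names and the sample instances are assumptions made for this example.
"""
from collections import Counter

DEFAULT_CONNECTION_PORT = 8090   # Metadirectory server -> Remote Loader listener
DEFAULT_COMMAND_PORT = 8000      # local command channel (Stop, Change Trace Level)
MIN_PASSWORD_LEN = 12            # assumed local policy; the guide only says "difficult to guess"


def default_ports(instance_index):
    """Ports the Console proposes for the N-th instance on a host (0-based):
    both defaults increase by one for every instance already created."""
    return (DEFAULT_CONNECTION_PORT + instance_index,
            DEFAULT_COMMAND_PORT + instance_index)


def check_instance(inst, production=True):
    """Return a list of findings for one instance (an empty list means clean)."""
    name = inst["description"]
    findings = []

    # SSL must be on, and SSL without a trusted root file cannot verify the engine.
    if not inst.get("use_ssl", False):
        findings.append(f"{name}: SSL disabled; engine traffic would cross the network in cleartext")
    elif not inst.get("trusted_root_file"):
        findings.append(f"{name}: SSL enabled but no trusted root file is configured")

    # The two passwords protect different things and must not be the same.
    rl_pw = inst.get("remote_loader_password", "")
    do_pw = inst.get("driver_object_password", "")
    if rl_pw == do_pw:
        findings.append(f"{name}: Remote Loader password equals Driver Object password")
    for label, pw in (("Remote Loader password", rl_pw), ("Driver Object password", do_pw)):
        if len(pw) < MIN_PASSWORD_LEN:
            findings.append(f"{name}: {label} is shorter than {MIN_PASSWORD_LEN} characters")

    # Tracing is a troubleshooting aid; it costs performance and should be 0 in production.
    level = inst.get("trace_level", 0)
    if level > 0 and not inst.get("trace_file"):
        findings.append(f"{name}: trace level {level} set but no trace file given")
    if production and level > 0:
        findings.append(f"{name}: trace level {level} left enabled in production")
    return findings


def check_host(instances, production=True):
    """Check every instance, then the per-host uniqueness rules."""
    findings = []
    for inst in instances:
        findings.extend(check_instance(inst, production))
    # Command ports, connection ports and trace files may not be shared on one host.
    for field, label in (("command_port", "command port"),
                         ("connection_port", "connection port"),
                         ("trace_file", "trace file")):
        counts = Counter(inst[field] for inst in instances if inst.get(field))
        for value, n in sorted(counts.items(), key=lambda kv: str(kv[0])):
            if n > 1:
                findings.append(f"host: {label} {value!r} is shared by {n} instances")
    return findings


# Constructed sample instances for one Windows host (not taken from the guide).
GOOD_INSTANCE = {
    "description": "AD driver",
    "driver": "ADDriver.dll",
    "connection_port": 8090,
    "command_port": 8000,
    "remote_loader_password": "RL-example-passphrase-1",
    "driver_object_password": "DO-example-passphrase-2",
    "use_ssl": True,
    "trusted_root_file": r"C:\novell\remoteloader\trustedroot.der",  # assumed path
    "trace_level": 0,
    "trace_file": r"C:\novell\remoteloader\ad-trace.log",           # assumed path
}
BAD_INSTANCE = {
    "description": "second driver",
    "driver": "EXAMPLE_DRIVER_SHIM",          # placeholder class name
    "connection_port": 8091,
    "command_port": 8000,                     # collides with the AD instance
    "remote_loader_password": "password",
    "driver_object_password": "password",     # same as the Remote Loader password
    "use_ssl": False,
    "trace_level": 3,
    "trace_file": r"C:\novell\remoteloader\ad-trace.log",  # collides as well
}

if __name__ == "__main__":
    for line in check_host([GOOD_INSTANCE, BAD_INSTANCE]):
        print(line)
```

Run against the two sample instances, the script reports nothing for the first and seven findings for the pair: the disabled SSL, the shared password, both passwords below the floor, the trace level left at 3, and the command port and trace file shared with the first instance. Passing `production=False` suppresses only the tracing finding, so a troubleshooting setup is still held to the SSL, password and uniqueness rules.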
If you need to change any of the parameters:
1 In the Remote Loader Console, select the Remote Loader instance from the Description column.