CA Identity Manager Configuration Guide › CA Identity Manager Environments › Create a CA Identity Manager Environment

Create a CA Identity Manager Environment

CA Identity Manager environments let you manage objects in a directory with a set of roles and tasks. Use the CA Identity Manager environment wizard to guide you through the steps to create a CA Identity Manager environment.

Note the following points before creating a CA Identity Manager environment:

• Assume that you are using an LDAP user store and you have configured a user container such as ou=People in the directory configuration file (directory.xml) for your CA Identity Manager directory. Verify that the users you select when you create the CA Identity Manager environment exist in that container. Selecting a user account that does not exist in the user container may cause failures.
• When you configure a CA Identity Manager environment to manage an LDAP user directory with a flat or flat user structure, the profile for the selected user must include the organization of the user. To help ensure that the profile of a user is configured correctly, add the name of the organization of the user to the physical attribute corresponding to the %ORG_MEMBERSHIP% well-known attribute in the directory.xml file. For example, when the physical attribute description is mapped to the %ORG_MEMBERSHIP% well-known attribute in the directory.xml file and the user belongs to the Employees organization, the profile of the user must contain the attribute/value pair description=Employees.

Follow these steps:

1. If CA Identity Manager uses a cluster of Policy Servers, stop all but one Policy Server.
2. If you have a cluster of CA Identity Manager nodes, stop all but one CA Identity Manager node.
3. In the Management Console, click Environments.
4. Click New.

   The CA Identity Manager environment wizard opens.

5. Supply the following information:
   • Environment name

     Specifies a unique name for the environment

   • Description

     Describes the environment

   • Protected alias

     Specifies a unique name, such as employees. This alias is added to the URL for accessing protected tasks in the CA Identity Manager environment. For example, when the alias is employees, the URL for accessing the employee environment is http://myserver.mycompany.com/iam/im/employees

     Note: The alias is case-sensitive and cannot contain spaces. We recommend using lowercase letters without punctuation or spaces when you specify the alias.

   • Base URL

     Specifies the URL for CA Identity Manager. The URL requires a hostname; it cannot include localhost. Also, do not include the alias, for example, http://myserver.mycompany.com/iam/im.

     If you are using a Web Agent, make sure that the Base URL is changed to reflect the URL of the Web Agent.

     Note: If you are using a Web Agent to protect CA Identity Manager resources, do not specify a port number in the Base URL field. If you are using a Web Agent and the Base URL contains a port number, the links to CA Identity Manager tasks doesnt not work properly.

     For more information about protecting CA Identity Manager resources, see the Installation Guide for your application server.

     Click Next.

6. Select a CA Identity Manager directory to associate with the environment you are creating, and click Next.
7. When the CA Identity Manager environment supports provisioning, select the appropriate provisioning server to use.

   Note: You are not prompted to select a provisioning server if you have selected a Provisioning directory as the CA Identity Manager directory.

8. Configure support for public tasks. Typically, these tasks are self-service tasks, such as self-registration or forgotten password tasks. Users do not need to log in to access public tasks.

   Note: To enable users to use self-service tasks, configure public task support.

   1. Specify a unique name that is added to the URL for accessing public tasks.

      Example: You would use the following URL to access the default self-registration task:

      http://myserver.mycompany.com/iam/im/alias/index.jsp?task.tag=SelfRegistration

      In this URL, alias is the unique name that you supply.

   2. Specify one of the following existing user accounts that serves as the public user account. CA Identity Manager uses this account to allow unknown users to access public tasks without having to supply credentials.
      • LDAP users enter the unique identifier or relative DN of the public user account. Make sure that this value is mapped to the %USER_ID% well-known. For example, if the DN of the user DN is uid=Admin1, ou=People, ou=Employees, ou=NeteAuto, type Admin1.
      • Relational database users type the value that is mapped to the %USER_ID% well-known attribute in the directory configuration file, or the unique identifier for the user.

   Click Validate to view the full identifier of the user.

9. Select the tasks and roles to create for this environment. You can do the following tasks:
   • Create default roles

     Creates a set of default tasks and roles that are initially available in the environment. Administrators can use these tasks and roles as templates for creating new tasks and roles in the User Console.

   • Create only the system manager role

     Creates only the System Manager role and the tasks which are associated with it.

     The System Manager role is required to access the environment.

     A System Manager can create new tasks and roles in the User Console.

   • Import roles from the file

     Imports a role definition file that you exported from another CA Identity Manager environment.

     Note: To use the CA Identity Manager environment, the role definitions file must include at least the System Manager role or a role that includes similar tasks.

     Select the Import roles from the file option button, and type the path and filename of the role definitions file or browse for the file to import.

10. Select Role Definitions files to create sets of default tasks for your environment, and click Next.

    Role Definitions files are XML files that define a set of tasks and roles that are required to support specific features. For example, if you want to manage Active Directory and UNIX NIS endpoints, select those Role Definitions files.

    Note: This step is optional. If you do not want to create additional default tasks to support new functionality, skip this screen.

11. Define a user to serve as the System Manager for this environment as follows:
    1. In the System Manager field, type the value that is mapped to the %USER_ID% well-known attribute in the directory configuration file, or specify one of the following user accounts:
       • LDAP users enter the unique identifier or relative DN of the user. For example, if the DN of the user DN is uid=Admin1, ou=People, ou=Employees, ou=NeteAuto, type Admin1.
       • Relational database users type the unique identifier for the user.
    2. Click Add.

       CA Identity Manager adds the complete identifier of the user to the list of users.

    3. Click Next.

    Note the following points when specifying the System Manager:

    • The System Manager must not be the same user as the administrator of the user store.
    • You can specify multiple System Managers for the Environment. However, you can only specify the initial System Manager in the Management Console. To specify additional System Managers, assign the System Manager role to the appropriate users in the User Console.
12. In the Inbound Administrator field, specify a CA Identity Manager administrator account that can execute admin tasks that are mapped to inbound mappings.

    The user must be able to execute all those tasks on any user. The Provisioning Synchronization Manager role contains the provisioning tasks that are included in the default inbound mappings.

13. Enter a password for the keystore, the database of keys that encrypt and decrypt data.

    Defining this password is a prerequisite to defining dynamic keys. You can modify the password after creating the environment using the System, Secret Keys task.

    A page summarizing the settings for the environment appears.

14. Review the settings for the environment. Click Previous to modify or click Finish to create the CA Identity Manager environment with the current settings.

    The Environment Configuration Output screen displays the progress of the environment creation.

15. Click Continue to exit the CA Identity Manager environment wizard.
16. Start the Environment.

    Clicking the environment name, then click Start.

17. If you stopped any Policy Servers in Step 1, restart them now.