

Install the Domain Orchestrator

After the Third-Party Installer installs third-party components, the Third-Party installation wizard starts the Domain Orchestrator installation wizard.

This section describes how to install a nonclustered Domain Orchestrator or the first node of a clustered Domain Orchestrator.

Follow these steps:

  1. On the Welcome page, click Next.
  2. Accept the license agreement, and click Next.
  3. Verify that the displayed path is the path to the Java Home Directory. If the path to the Java Home Directory is not displayed, complete the following steps:
    1. Click Browse.
    2. Navigate to the correct location.
    3. Select the Java Development Kit (JDK) to use. For example, select:
      C:\Program Files\Java\jdk1.7.0_21
      
    4. Click Next.

    The JDK is validated.

  4. Monitor the progress as files are copied.
  5. For CA Process Automation Domain Configuration, specify the following, which applies to all components:
    Support Secure Communication

    Specifies whether the relevant components communicate over HTTPS (secure) or HTTP (basic).

    Selected

    Indicates that the entire communication channel is secure (uses HTTPS to communicate).

    Cleared

    Indicates that the entire communication channel uses HTTP to communicate.

  6. To configure CA Process Automation for use with CA SiteMinder Secure Proxy Server (CA SiteMinder SPS), verify that all CA SiteMinder SPS prerequisites are met. Then, complete the following fields on the CA Process Automation Domain Configuration screen:
    Configure CA SiteMinder Single Sign-on (SSO)

    Select this check box to configure CA SiteMinder SPS with the Domain Orchestrator.

    Secure Proxy Server Host

    Defines the FQDN of the CA SiteMinder SPS host.

    Secure Proxy Server Port

    Defines the port number of CA SiteMinder SPS.

    Type of Server

    Specifies the type of installation as New Orchestrator.

  7. Read the instructions and complete the Configuration Screen.
    Configure Load Balancer

    Specifies whether to install the Domain Orchestrator with the potential for clustering.

    Selected

    Install the Domain Orchestrator with the potential for clustering. Before you select this option, verify that you have completed the NGINX Load Balancer prerequisites or the F5 Load Balancer Prerequisites.

    Cleared

    Install the Domain Orchestrator with no potential for clustering.

    Load Balancer Worker Node

    Defines the name of the Load Balancer Worker Node. Because the first installation of the Domain Orchestrator is the first node in the cluster, this value is typically node1.

    If Apache is your load balancer, your entry must match the node name in the "worker.nodename.host" variable that is associated with this host in the Apache file apache_install_dir\conf\workers.properties. In the following example, the variable value, node1, is the value to assign here.

    worker.node1.host=DomainOrchestratorHostName
    

    If the workers.properties file specified worker.abc.host, then you would enter abc.

    If F5 is your load balancer, accept the default. (The value of the worker nodes is not relevant to F5, so there is no tie-back to the F5 prerequisites that you performed.)

    Default: node1 (Special characters, including dashes, are not supported.)

    Public Host Name

    Specifies the public host name for the Apache server, NGINX server, or the F5 server. For example:

    loadbalancerhost.mycompany.com
    
    • Set this field to the FQDN of the Apache, F5, or NGINX load balancer if you selected the Configure Load Balancer check box.
    Public Host Port Number

    Defines the HTTP port for the Load Balancer.

    If you change this value during the Apache, F5, or NGINX Load Balancer installation and configuration, update this value accordingly. This port is used with the Public Host Name value to browse to CA Process Automation. For example:

    http://public-host-name:80/itpam
    

    Default: 80

    Public Host Secure Port

    Defines the HTTPS port for the Load Balancer.

    This port is used with the Public Host Name value to browse to CA Process Automation. For example:

    https://public-host-name:443/itpam
    

    Default: 443

  8. Click Next.
  9. In the Company field, type your company name, and then click Next.

    CA Process Automation displays your entry as the This Product is Licensed To value when you click Help, About.

  10. Type a certificate password, type it again, and then click Next.
    Certificate Password

    Defines the password that controls access to the keys that encrypt passwords and other critical data. Use this same password when you install any other Orchestrator or when you add cluster nodes to an Orchestrator. The certificate password is specific to a single CA Process Automation Domain.

    Confirm Certificate Password

    Matches your entry in this field with your entry in the Certificate Password field to verify the password.

    Important! In the Set Certificate Password page, before you click Next, record your Certificate Password entry in a secure location for later reference. This same certificate password is required when you install standalone Orchestrators or when you add cluster nodes.

  11. (Windows only) Specify the following Start Menu preferences, then click Next.
    [Start menu folder name]

    Defines the name of the CA Process Automation Start menu folder if you cleared the Do Not Create a Start Menu Folder check box. Accept the default or type the name of the Start menu folder for CA Process Automation.

    Default: CA Process Automation 4.0

    Create shortcuts for all users

    Specifies whether the specified Start menu folder name is displayed for all users who log in to the server with the CA Process Automation Domain Orchestrator.

    Selected: Display shortcuts.

    Cleared: Do not display shortcuts.

    Do not create a Start menu folder

    Specifies whether to create an entry for CA Process Automation in the Start menu.

    Selected: Create a Start menu entry for CA Process Automation.

    Cleared: Do not create a Start menu entry for CA Process Automation.

  12. Complete the following fields to define how the Domain Orchestrator communicates with other CA Process Automation components and applications, then click Next.
    Server Host

    Defines one of the following properties:

    • The host name or IP address of the host system on which the Domain Orchestrator is deployed.
    • A DNS Alias that resolves to the host system.
    Display Name

    Defines the Domain Orchestrator name that appears in the CA Process Automation Configuration browser.

    • If you do not configure a load balancer, the Display Name is the same as the Server Host Name.
    • If you configure a load balancer, the Display Name is the FQDN of the server on which the load balancer is installed.
    Support Secure Communication

    Specifies whether communication to CA Process Automation is secure, as opposed to the standard basic communication. This value controls whether the HTTP port or the HTTPS port is enabled.

    Selected: Use the HTTPS protocol for communication.

    Cleared: Do not use the HTTPS protocol for communication. Use HTTP instead.

    Server Port

    Defines the port that the Domain Orchestrator uses to communicate with other Orchestrators and agents.

    Default: 80 (basic: HTTP), or 443 (secured: HTTPS)

    HTTP Port

    Defines the HTTP port that is used for the web server if the Support Secure Communication check box is cleared.

    Note: This port is part of the URL that is used to access CA Process Automation web services and the CA Process Automation login screen.

    Default: 8080

    HTTPS Port

    When you select Support Secure Communication, this field specifies the port used in the URL that accesses CA Process Automation Web services and the browser-based CA Process Automation UI.

    Default: 8443

    Note: Select “Support Secure Communication” to enable input to this field.

    JNDI Port

    Defines the Java naming server port that the web server uses.

    Note: This port must not be accessed from outside of this host system.

    Default: 1099

    RMI Port

    Defines the RMI port that the web server uses.

    Note: This port must not be accessed from outside of this host system.

    Default: 1098

    SNMP Port

    Defines the SNMP trap listener port for CA Process Automation.

    Default: 162

  13. Accept the default path or browse to a temporary directory in which to run scripts. Click Next.

    This directory must be writable by all users.

  14. Complete the following fields to define PowerShell settings, then click Next.
    Set PowerShell Execution Policy

    Specifies whether to enable the use of PowerShell.

    Selected: Enable the use of PowerShell, setting the PowerShell execution policy at the specified path to Remote Signed.

    Cleared: Do not enable the use of PowerShell.

    PowerShell Path on host machine

    CA Process Automation auto-detects the PowerShell path.

    Note: When you click Next, the installation program validates the provided PowerShell path.

  15. Define the CA EEM security settings. The order in which fields are presented in this step is based on dependencies rather than the field order displayed in the UI.
    1. Complete the following required fields:
      EEM Server

      Defines the FQDN of the CA EEM server that CA Process Automation uses to authenticate and authorize CA Process Automation users. If you are configuring EEM for High Availability (HA), you can also define a backup CA EEM server. Use a comma as the delimiter between the server names.

      EEM Application Name

      Defines how the CA Process Automation application name appears in CA EEM. If you use the same CA EEM server with multiple CA Process Automation Domains, each CA Process Automation domain must have a unique EEM application name. The name that you enter here appears in the drop-down list of the CA EEM server login page.

      If you are upgrading, this field is already populated with the value used in the initial installation. This value preserves the CA EEM user group assignments, custom policies, and custom groups. CA EEM uses this value to identify this CA Process Automation domain.

      Default: Process Automation

      Use FIPS-Compliant Certificate

      Specifies whether to use FIPS-compliant certificates. This setting must match the CA EEM setting for FIPS Mode.

      Note: To determine the CA EEM setting for FIPS, click About in CA EEM; the Product Specifications include FIPS Disabled or FIPS Enabled.

      Selected: FIPS Mode is set to ON in CA EEM.

      Cleared: FIPS Mode is set to OFF in CA EEM.

    2. Specify your intent to register the specified application name for this CA Process Automation domain with CA EEM after completing this page. The registration process generates either FIPS-compliant certificates or non-FIPS compliant certificates, based on your selection. This check box appears above the Register button. Selection is the typical configuration.
      Register Application with CA EEM

      Specifies whether to register the "EEM Application Name" value for CA Process Automation with CA EEM and generate the certificate that CA Process Automation uses to connect to its application in the CA EEM server. The CA EEM SDK handles the connection. If prompted, indicate that you want to upgrade the CA Process Automation application in CA EEM.

      Selected: Enables the Register button. (See Step 16.) Disables the EEM Certificate File field. For a new installation of a Domain Orchestrator, always select this check box. When you complete the EEM Security Settings fields, click Register.

      Cleared: Disables the Register button. Enables the EEM Certificate File field.

    3. For a new installation, complete the following field only if you are not registering the application with CA EEM. Click Browse and find the location of the Certificate file. Once the certificate file uploads, the installer places it in this directory:
      install_dir/server/c2o/.c2orepository/public/certification
      

      Note: If you are upgrading, this field is automatically populated with the path to your certificate file.

      EEM Certificate File

      Defines the CA EEM certificate file to use for CA Process Automation. You can typically accept the default value.

      Defaults:

      PAM.cer if you selected the Use FIPS-Compliant Certificate check box.

      PAM.p12 if you cleared the Use FIPS-Compliant Certificate check box.

    4. Complete one of the following fields, if required.
      Certificate Key File

      If required (see Notes), click Browse and find the location of the certificate key, for example, the PAM.key file. Once the certificate file uploads, the installer places it in this directory:

      install_dir/server/c2o/.c2orepository/public/certification
      

      Notes:

      • If this is a new installation, this field is not required if you are using FIPS and you intend to register. (The registration process generates the certificate key file with the certificate.)
      • If this is a new installation, this field is required if you are using FIPS and you do not intend to register.
      • If you are upgrading, this field is populated with the path to your key file.
      EEM Certificate Password

      Required if you are not using FIPS. Defines the CA EEM Certificate password. This password protects the PAM.p12 certificate; CA Process Automation needs this password to open and use the PAM.p12 certificate.

    5. Complete the following fields only if you configure CA EEM to reference users from an external LDAP directory. Otherwise, skip this step.
      Default Active Directory Domain

      (Applicable only if you plan to reference multiple Active Directory domains when you configure CA EEM Release 12.51. See Step 17.) Specifies the AD domain to use as the default domain. CA Process Automation users belonging to the domain specified here can log in to CA Process Automation with their unqualified user name. Users belonging to other AD domains must specify their principal name (domain\username or username@domain) and password when they log in to CA Process Automation. This entry must match the Domain field entry for one of the multiple AD domains you configure for the CA EEM referenced user store.

      CA EEM must be suitably configured to authenticate with the username@domain form of the principal name.

      Note: See Configure CA EEM to Permit Referenced Users to Log in with Their Email Name.

      Enable NTLM Pass-Through Authentication

      Specifies whether CA EEM uses the NTLM protocol to authenticate CA Process Automation users.

      Selected: Enables NTLM pass-through authentication. CA EEM uses the NTLM protocol to authenticate users who browse to CA Process Automation.

      Cleared: Disables NTLM pass-through authentication. Users who browse to CA Process Automation must enter credentials in the CA Process Automation login dialog. CA EEM validates the credentials with the referenced Microsoft Active Directories to authenticate users.

  16. Either register the configured "EEM Application Name" value with CA EEM or bypass registration. The registration process generates CA Process Automation certificates of the required length.

    The following bulleted list describes the use cases:

  17. (Optional) If you want to test the CA EEM settings and you have configured CA EEM to reference from an external directory, you must first create a test user. A test user is a user you retrieve from a selected Active Directory and then assign to the PAMAdmins group. Follow these steps:
    1. Browse to the CA EEM that CA Process Automation uses. Use the following URL:
      https://hostname:5250/spin/eiam
      

      The CA Embedded Entitlements Manager dialog opens.

    2. From the Application drop-down list, select the name you configured in the EEM Application name field.
    3. Type EiamAdmin and the CA EEM administrator password that you configured.
    4. Click Log In.
    5. Click the Manage Identities tab.
    6. Under Search Users, where Global Users is selected, select Last Name or First Name and enter your first or last name in the Value field. Then, click Go. (Partial values are accepted.)

      Your name appears under Users in the Users pane.

    7. Double-click your name to display your loaded user account.

      Your user account has two User Details sections. The top section lets you define a group for your role in CA Process Automation. The bottom section, "Global User Details", contains information from the external directory.

    8. Click the Add Application User Details button under the top section.

      The Available User Groups list contains a group for each default role.

    9. Select PAMAdmins and click the right arrow to move that group to the Selected User Groups list.
    10. Click Save.
    11. Click Log Out.
  18. (Optional) Test the CA EEM settings. This step requires you to enter the credentials of a user that is defined in CA EEM. If you are using CA EEM as a local directory (the default), you can enter credentials of one of the default users. If CA EEM points to an external directory, you enter your own credentials (if you completed the preceding step).
    1. Click Test CA EEM Settings.
    2. If using CA EEM as a local directory and this is a new installation, type pamadmin for Username, type pamadmin for Password, and click OK.
    3. If using a referenced user account from an external directory, type your user credentials as defined in the external directory. This is the account of the test user that you created in the preceding step.

    The Verify EEM Settings screen displays the following fields:

    Connect

    Indicates whether a connection can be established to the specified CA EEM server with the values provided in the CA EEM settings screen.

    Limits: OK, NOT OK

    Note: If the value evaluates to NOT OK, the following fields are not displayed.

    User provided belongs to User Group

    Indicates whether the user can be authenticated, that is, whether login is permitted.

    Limits: OK, NOT OK

    User is an Admin

    Indicates whether the user has authorization to perform administrator tasks. Members of the PAMAdmins group have this authorization.

    Limits: Yes, No

    EEM Upgrade

    Indicates whether the CA Process Automation application schema in the EEM server is upgraded. If the message "Upgrade not required" appears, click OK.

    Note: This field is displayed only when the value is NOT OK. When the value is NOT OK, upgrade the instance.

  19. After you review the results, click OK, then click Next.
  20. Complete the following fields to define the database that is to host the Library data store and the database server on which the database is installed.
    Type of Database

    Specifies the Database system type. Select a supported type from the drop-down list.

    Values: MySQL, MS SQL, Oracle

    Note: If this installation is for production use, best practice is to select either MS SQL or Oracle. MySQL is an appropriate choice for a lightly-loaded Domain Orchestrator.

    User Name

    For MS SQL and MySQL, defines a user name that is authorized to create and access the database on the database server. The account must have permissions to create the database on the server or ownership (DBO) for an existing database. The following values are auto-populated based on the database selection:

    • MS SQL: sa
    • MySQL: root

    For Oracle, defines an existing schema that is authorized to create and access the CA Process Automation database objects.

    Password

    Defines the password that is associated with the specified User Name.

    Database Server

    Defines the host name or IP address of the database server.

    • If you configured the Type of Database as MS SQL and you have only one SQL Server instance on the host server or if you selected another database type, specify the host name or IP address of the database server. (This entry refers to the default instance.)
    • If you configured the Type of Database as MS SQL and you have multiple SQL Server instances on the host server, specify the SQL Server named instance. Use the format host\instance, for example, dbserver.mycompany.com\pamdb.
    Database Port

    Defines the connection port that is configured on the target database instance.

    • For MS SQL, the default port is 1433.
    • For MySQL, the default port is 3306.
    • For Oracle, the default port is 1521.
    Repository Database

    Defines the name of the database in which to store Library objects and other data.

    Each Orchestrator can have its own repository, or library, data store. You can also share the library data store across Orchestrators. Each data store must have a unique name. Consider establishing a naming convention for your CA Process Automation data stores with this initial installation.

    Consider establishing a naming convention for the databases that contain your CA Process Automation data stores with this initial installation.

    Consider housing each data store in its own database for improved performance.

    • If you configured the Type of Database as SQL Server or MySQL, the installer will create a database that is named using the value specified in this field.
    • If you configured the Type of Database as Oracle, provide an Instance Name or SID. Note that this differs from an Oracle Service Name.

      Note: If you have an Oracle RAC Database or otherwise need to refer to a Service Name, you can configure that as a post-installation task. See Change the Database Configuration to Use an Oracle Service Name.

    Driver Jar

    Defines the JDBC driver JAR file for the specified database type. The drivers folder in the DVD1 folder of the installation media provides default drivers for Microsoft SQL Server and Oracle database servers.

    Defaults:

    SQL Server: jtds-1.3.jar

    Oracle: ojdbc14.jar

    MySQL: Click Browse, then navigate to the JAR file you downloaded (for example, mysql-connector-java-5.1.18-bin.jar).

    Database Collation

    Defines the rules for sorting data for MS SQL and Oracle. Case-sensitivity, accent marks, kana character types, and character width can be part of the rule set. This field is a drop-down list. It is best practice to accept the default value. This field is not applicable to MySQL.

    Default: SQL_Latin1_General_CP1_CI_AS

    Use Connection String

    Select this check box to provide a connection string to connect to the Oracle database.

    Note: This check box is enabled for Oracle database only.

    Connection String

    Enter a JDBC connection string in one of the following formats:

    jdbc:oracle:thin:DatabaseServer:PortNumber:DatabaseName 
    
    jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=hostname)(PORT=portnumber)) (CONNECT_DATA=(SERVICE_NAME=serviceid)))
    
  21. Click Test Database Settings to test connectivity from CA Process Automation to the specified database instance using the specified database port and JAR file.

    If a message indicates that databases are missing, close the message and click Create Database. Except for Oracle, databases that the Orchestrator requires can be created during installation.

    Create Database

    Create the Repository (Library) data store if you specified MS SQL or MySQL.

    Note: When using an Oracle database, you already created the Repository (Library) schema as part of the Oracle database prerequisites.

    A message indicates that a database has been created with the name you provided. Click OK. Click Test Database again.

  22. Click Next.
  23. Enter the Runtime Database information, either manually or by copying specifications from your entries for the Repository Database. Click Create Database if the Type of Database is MS SQL or MySQL. Click Test Database Settings.

    The Runtime Database fields are similar to the Database Setting fields for the Repository (Library) Database except for two fields. See Step 20 for descriptions of other fields.

    copy from main repository

    Specifies whether to copy the Repository database (also known as Library data store) settings to the Runtime Database settings screen.

    Selected: Copies the Repository database (Library data store) settings to this dialog. This option can save you time if you are using the same database for both CA Process Automation data stores. If you select this option, type the Runtime data store name in the Runtime Database field. Then click Test Database Settings to test connectivity from the Domain Orchestrator to the database server port for the specified database instance. Then click Create Database to invoke the creation of the database for the Runtime data store.

    Cleared: Does not copy the Repository (Library) database settings to this dialog. This option is appropriate if you are using a different type of database for run-time data than you are using for library records.

    Runtime Database

    For MS SQL and MySQL, defines the name of the database in which CA Process Automation run-time instances are stored. No two Orchestrators can point to the same Runtime data store. We recommend that this database be different from the one used by the other data stores.

    For Oracle, defines the Instance Name or SID of the database in which CA Process Automation run-time instances are stored. No two Orchestrators can point to the same Runtime data store. We recommend that you use a different schema in this instance than the one used by the other data stores.

    You cannot share a Runtime data store across Orchestrators. (However, all nodes of an Orchestrator cluster share the same Runtime data store.)

  24. Click Next.
  25. Configure the Reporting data store in one of the following ways:

    See the following field descriptions:

    copy from main repository

    Specifies whether to copy Repository (Library) data store settings to the Reporting Database settings screen. The Reporting Database fields are similar to the Database Setting fields for the Repository (Library) Database except for two fields. See Step 20 for descriptions of other fields.

    Selected: Copies the Repository Database settings to this dialog. This option can save you time if you are using the same database for both CA Process Automation data stores.

    Cleared: Does not copy the Repository Database settings to this dialog. This option is appropriate if you are using a separate database for the reporting data store. We recommend that you dedicate a database for the reporting data store.

    Reporting Database

    Defines the name of the database that houses the reporting data store.

  26. Click Next.
  27. Select the additional JAR files, typically JDBC drivers that you want to include in the installation.

    By default, the JDBC drivers that are uploaded in the Third-Party Software installation are displayed and are not selected. You can use the Add Files button to add more JAR files.

    Select each JAR file that you want deployed. Verify that you selected all of the drivers that you want to deploy for JDBC Operator usage on CA Process Automation agents and Orchestrators. Use the Add Files button to add more drivers.

    It is not necessary to anticipate the needs of designers for JDBC drivers. A domain administrator can deploy JDBC drivers as they are needed.

    Note: For more information about adding and managing Orchestrator and agent resources, including JDBC JAR files, see the Content Administrator Guide.

    When you are satisfied with your selection of JAR files, click Next.

  28. Monitor the installation progress. The installation program copies and signs all CA Process Automation components. Installation can take a few minutes.
  29. Click Finish to exit the installation program.

    Installation of the Domain Orchestrator is complete.

    The initial startup of CA Process Automation after an upgrade or installation can take extra time while the product adjusts the database schema. A rough guide is one hour per GB of data; however, this will vary depending on DBMS vendor, machine specs, and volume of data. Start the Orchestrator. Verify the correct operation of this initial Orchestrator before proceeding with installing other system components.
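
The port notes in step 12 can be checked once the Orchestrator is running: the JNDI and RMI ports must not be reachable from outside the host, and the HTTP Port is used only when Support Secure Communication is cleared. The following Python sketch is an added example, not part of the CA Process Automation documentation or product; the function names and the netstat sample are constructed for illustration, and it assumes the default port numbers listed in step 12.

```python
import ipaddress
import re

# Default ports from step 12 above; change them if you overrode the defaults.
LOCAL_ONLY_PORTS = {1099: "JNDI Port", 1098: "RMI Port"}
HTTP_PORT = 8080

# One TCP listener row from `netstat -an` (Windows or Linux column layout).
_ROW = re.compile(
    r"^\s*tcp6?\s+(?:\d+\s+\d+\s+)?(?P<local>\S+)\s+\S+\s+LISTEN(?:ING)?\b",
    re.IGNORECASE,
)


def split_endpoint(endpoint):
    """Split '0.0.0.0:8443', '[::]:8080' or ':::1099' into (host, port)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]").split("%")[0], int(port)


def is_loopback(host):
    """True only for 127.0.0.0/8 and ::1; wildcard addresses count as exposed."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # '*' or a host name: treat as not loopback
        return False


def audit_listeners(netstat_text, secure_communication=True):
    """Return (port, address, message) for listeners that need review."""
    findings = []
    for line in netstat_text.splitlines():
        match = _ROW.match(line)
        if not match:
            continue  # not a TCP listener row
        try:
            host, port = split_endpoint(match.group("local"))
        except ValueError:
            continue  # non-numeric port (netstat run without -n)
        if port in LOCAL_ONLY_PORTS and not is_loopback(host):
            findings.append((port, host,
                f"{LOCAL_ONLY_PORTS[port]} listens on a non-loopback address; "
                "confirm the host firewall blocks it from other systems"))
        elif secure_communication and port == HTTP_PORT:
            findings.append((port, host,
                "HTTP Port is listening although Support Secure "
                "Communication is selected; review what owns it"))
    return findings


# Constructed sample output, mixing Windows and Linux row formats.
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:8443           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1098           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1099         0.0.0.0:0              LISTENING
  TCP    [::]:8080              [::]:0                 LISTENING
  TCP    10.0.0.5:49152         10.0.0.9:1433          ESTABLISHED
tcp6       0      0 :::1099                 :::*                    LISTEN
"""

if __name__ == "__main__":
    for port, host, message in audit_listeners(SAMPLE_NETSTAT):
        print(f"{host}:{port}  {message}")
```

Feed the function the output of `netstat -an` captured on the Orchestrator host. A listener bound to a wildcard address is not proof of exposure, so treat each finding as a prompt to check the firewall rules for that port.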