Differences

en:services:general_services:idm:installing_remote_loader_software [2024/09/05 14:48] – [Installation] ggroescen:services:general_services:idm:installing_remote_loader_software [2024/09/05 15:04] (current) – [Overview] ggroesc
Line 1: Line 1:
 +======  Remote loader installation  ======
 +=====  Overview =====
 +The remote loader is used to synchronize data between the meta directory and the connected system (AD, LDAP, MySQL, etc).
 +It is required to open the communication port (default 8090 (TCP) incoming) for the following IP addresses within your firewall:
  
 +<code>
 +134.76.9.64/28
 +</code>
 +
 +For system requirements see: [[https://www.netiq.com/documentation/identity-manager-48/system-requirements-identity-manager-48x/data/system-requirements-identity-manager-48x.html|System requirements]]
 +
 +=====  Installation on Windows  =====
 +Remote loader files: [[https://idm.gwdg.de/RemoteLoader/RemoteLoader4.8WindowsSetup.zip|- download -]]\\ 
 +Remote loader service pack: [[https://idm.gwdg.de/RemoteLoader/RemoteLoader4.8WindowsSP6.zip|- download -]]\\ 
 +Sectigo-chain: [[https://idm.gwdg.de/RemoteLoader/Sectigo-chain.zip|- download -]]\\ 
 +Documentation remote loader installation (NetIQ) P. 47 ff: [[https://www.netiq.com/documentation/identity-manager-48/pdfdoc/setup_windows/setup_windows.pdf#page=47|- link -]]\\ 
 +Documentation remote loader configuration (NetIQ) P. 32 ff: [[https://www.netiq.com/documentation/identity-manager-48/pdfdoc/driver_admin/driver_admin.pdf#b18xta1v|- link -]]\\ 
 +Documentation Creating an Administrative Account (NetIQ) P. 26 ff: [[https://www.netiq.com/documentation/identity-manager-48-drivers/pdfdoc/ad/ad.pdf#page=26|- link -]]\\ 
 +PW-Filter installation P 47 ff: [[https://www.netiq.com/documentation/identity-manager-48-drivers/pdfdoc/ad/ad.pdf#page=47|- link -]]
 +
 +====  Installation  ====
 +  * We strongly recommend not to install directly on a domain controller but using a member server of the domain
 +  * Download remote loader files and Remote loader service pack
 +  *  Download Sectigo chain
 +  *  Extract remote loader files and certificate
 +  *  If necessary unblock extracted files e.g. ''childitem -path C:\Downloads\RemoteLoader4.8Setup -recurse | unblock-file''
 +  *  Run ''install.exe''
 +     * Recommendation: Do not install directly on a domain controller but on a active directory member server.
 +  *  Accept license agreement (can be ignored - is associated with IDENTITY MANAGER server software not the remote loader)
 +  * Run ''IdentityManagerServer\install.exe'' of service pack 
 +  * How to verify if SP is installed. 
 +     * Go to the installation path (Default: C:\NetIQ\IDM\RemoteLoader\64bit). Open preferences of file ''dirxml_remote.exe''
 +     * Switch to details tab. Check if productversion is 4.8.__6__.0 where __6__ ist the Number of the downloaded SP.
 +
 +====  Configuration  ====
 +  * Run rlconsole.exe within the installation path **as administrator** (Default: C:\NetIQ\IDM\RemoteLoader)
 +  * Click add
 +  * Add description
 +  * Choose driver (eg. ADDriver.dll)
 +  * Choose the IP address where to listen (Default: All) 
 +  * Set communication port (Default: 8090)
 +  * Set remote loader password (required by GWDG)
 +    * Requirements: At least 12 character of upper and lower case letters and digits (no special character)
 +  * Set driver object password (required by GWDG)
 +    * Requirements: At least 12 character of upper and lower case letters and digits (no special character)
 +  * Activate SSL
 +  * Choose path to //Sectigo-chain.b64//
 +  * Check "Remote Loader-Service für diese Treiber-Instanz erstellen"
 +  * Accept (don't start the remote loader service)
 +  * Open windows services (services.msc) identify the "DirXML Loader" Service and enter the active directory user as service logon account
 +  * Start the remote loader
 +
 +====  Active Directory User ====
 +  * The user who runs the service has to be in the **local** administrator group (Local Users and Groups -> Groups -> Administrators).
 +  * Necessary user right: "Replicating Directory Changes" (**not** Replication Directory Changes All) for all object and all descendant objects for the domain
 +    * Domain -> Properties -> Tab Security -> Advanced -> Add
 +    * Choose user -> "clear all" -> check  "Replicating Directory Changes"
 +  * Necessary user right: "Log on as a service"
 +  * Full access for relevant objects in ou/container
 +    * Container -> Properties -> Security -> Advanced -> Add -> choose user -> Descendant User objects/Descendant Group objects -> check "Full control"
 +=====  Installation on Linux  =====
 +The installation on Linux systems differs between certified systems (eg SLES 15, RHEL 8, etc. [[https://www.netiq.com/documentation/identity-manager-48/system-requirements-identity-manager-48x/data/system-requirements-identity-manager-48x.html|see ]]) and non-certified systems.
 +If you are using a non-certified system eg. Ubuntu the Java remote loader has to  be installed.
 +
 +====  Installation on certified Linux systems  ====
 +Remote loader files: [[https://idm.gwdg.de/RemoteLoader/RemoteLoader4.8LinuxSetup.zip|- download -]]\\ 
 +Remote loader service pack: [[https://idm.gwdg.de/RemoteLoader/RemoteLoader4.8LinuxSP6.zip|- download -]]\\ 
 +Sectigo-chain: [[https://idm.gwdg.de/RemoteLoader/Sectigo-chain.zip|- download -]]\\ 
 +Documentation remote loader installation (NetIQ) P. 65ff: [[https://www.netiq.com/documentation/identity-manager-48/pdfdoc/setup_linux/setup_linux.pdf#installidentitymanagerlinux|- link -]]
 +
 +===  Prerequisites  ===
 +  *  Download remote loader files
 +  *  Download Sectigo chain certificate
 +  *  Extract the certificate
 +
 +==  CentOS  ==
 +The 32Bit version of glibc has to be installed on x86_64 systems:
 +<code>
 +yum install glibc.i686
 +</code>
 +
 +===  Installation  ===
 +  *  Extract remote loader
 +  *  Edit file  **silent.properties**
 +    *  METADIRECTORY_SERVER_SELECTED=false
 +    *  WEB_ADMIN_SELECTED=false
 +    *  UTILITIES_SELECTED=false
 +    *  Choose remote loader
 +      *  32 Bit
 +        *  CONNECTED_SYSTEM_SELECTED=true
 +        *  X64_CONNECTED_SYSTEM_SELECTED=false
 +      *  64 Bit
 +        *  CONNECTED_SYSTEM_SELECTED=false
 +        *  X64_CONNECTED_SYSTEM_SELECTED=true
 +
 +  *  Run the following commands as root in the setup directory: 
 +<code>
 +chmod -R 755 *
 +./idm_linux.bin -i silent -f silent.properties
 +</code>
 +
 +
 +
 +====  Installation on **non-certified** Linux systems  ====
 +Remote Loader files: [[https://idm.gwdg.de/RemoteLoader/JavaRemoteLoader4.8.7.zip|- download -]]\\ 
 +Sectigo-chain: [[https://idm.gwdg.de/RemoteLoader/Sectigo-chain.zip|- download -]]\\ Documentation remote loader installation (NetIQ) P. 75ff: [[https://www.netiq.com/documentation/identity-manager-48/pdfdoc/setup_linux/setup_linux.pdf#installlinuxjavaremoteloader|- link -]]
 +
 +===  Prerequisites  ===
 +  *  Download remote loader files
 +  *  Download Sectigo chain certificate
 +  *  Extract the certificate
 +  *  JRE Java8u112, at a minimum is required
 +    * Java has to be in PATH variable! <code>
 +PATH=$PATH:/path/to/java/bin/
 +</code>
 +  * Apache Log4j is necessary and need to be in the ''CLASSPATH''
 +
 +===  Install Java remote loader  ===
 +  *  Extract Java remote loader
 +  *  Make ''dirxml_jremote'' and ''create_keystore'' executable
 +
 +===  Configuration  ===
 +  * Change into installation directory eg. ///opt/novell/eDirectory///
 +  * Create keystore file <code>./create_keystore Sectigo-chain.b64</code>
 +  * Edit dirxml_jremote 
 +    * Replace the path for the jarlist with the actual installation path <code>jarlist=`ls /opt/novell/eDirectory/lib/dirxml/classes/*.jar`
 +jarlist=`ls /<installation path>/lib/*.jar`</code>
 +    * Add core and api jar of log4j to CLASSPATH e.g. <code> CLASSPATH=/usr/share/java/log4j-core.jar:/usr/share/java/log4j-api.jar
 +</code>
 +  *  Add/Edit **config8000.txt**
 +     * Example LDAP Konfiguration: <code>
 +-commandport 8000
 +-connection "port=8090 keystore='<installation path>/dirxml.keystore' storepass=dirxml"
 +-trace 4
 +-tracefile ./trace8000.log
 +-tracefilemax 10M
 +-class com.novell.nds.dirxml.driver.ldap.LDAPDriverShim
 +</code>
 +  *  Set remote loader and driver object password 
 +    * Both are required by GWDG and need to be set in the complement driver
 +    * Password requirements: At least 12 character of upper and lower case letter and digits (**no special character**) <code>
 +./dirxml_jremote -config config8000.txt -sp <remote loader password> <driver object password>
 +</code>
 +
 +  *  Run the Java remote loader: <code>
 +./dirxml_jremote -config config8000.txt
 +</code>
 +
 +==== Remote loader start script example ====
 +<code>
 +#!/bin/sh
 +INSTDIR=/opt/novell/eDirectory
 +USER=ldap
 +
 +export PATH=/usr/local/bin:$PATH
 +
 +cd $INSTDIR
 +
 +case "$1" in
 +
 +  stop)
 +    kill `ps aux | grep '[d]irxml_remote' | awk '{ print $2}'`
 +    ;;
 +
 +  start|*)
 +    echo -n " rloader"
 +    exec > /dev/null 2>&1
 +    touch trace8000.log
 +    chown $USER trace8000.log
 +    su $USER -c "$INSTDIR/dirxml_jremote -config $INSTDIR/config8000.txt &"
 +    ;;
 +
 +esac
 +</code>
 +
 +==== Remote loader unit file example ====
 +  * Requires user: remoteloader and group: remoteloader
 +  * touch trace8000.log && chown remoteloader:remoteloader trace8000.log
 +
 +<code>
 +[Unit]
 +Description=IDM Remote Loader
 +After=docker.service
 +
 +[Service]
 +Type=simple
 +ExecStart=/opt/novell/remoteloader/dirxml_jremote -config config8000.txt
 +WorkingDirectory=/opt/novell/remoteloader
 +User=remoteloader
 +Group=remoteloader
 +Restart=on-failure
 +
 +[Install]
 +WantedBy=multi-user.target
 +</code>
 +
 +==== Univention Corporate Server ====
 +Import Univention CA to Keystore to allow self signed LDAP certificate
 +**LDAP Certificate must also be available in Keystore**
 +<code>
 +keytool -import -trustcacerts -alias univention-ca -file /opt/idm/univention-ca.pem -keystore dirxml.keystore
 +keytool -import -trustcacerts -alias ldap -file /opt/idm/ldap.pem -keystore dirxml.keystore
 +</code>
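Review bot: the `stop)` branch of the start script example kills whatever matches `grep '[d]irxml_remote'`, but the `start|*)` branch launches `$INSTDIR/dirxml_jremote`, whose name does not contain the string `dirxml_remote`, so `stop` never finds the Java remote loader and leaves it running; match on `[d]irxml_jremote` (or record the PID at start and kill that) and drop `exec > /dev/null 2>&1`, which also hides any `su` or startup failure from the caller. Two further points in the same hunk: the line `./dirxml_jremote -config config8000.txt -sp <remote loader password> <driver object password>` passes both secrets on the command line, where they end up in the shell history and the process list, so the step should say to clear the history afterwards and to restrict `config8000.txt` and `dirxml.keystore` (whose store password is written in clear as `storepass=dirxml` in the config) to the service user; and the unit file's `After=docker.service` is unexplained and should presumably be `network-online.target` unless the loader really depends on Docker. Minor wording in the Windows section: "4.8.__6__.0 where __6__ ist the Number" and "Example LDAP Konfiguration" are German leftovers, "a active directory member server" should read "an Active Directory member server", and "At least 12 character" should be "characters" in all four places.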