116
HP Internet Usage Manager For the HP-UX, Redhat, Solaris, and Windows ® operating systems Software Version: 7.0 FP01 Installation Guide Document Release Date: November 2011 Software Release Date: E1130

IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

  • Upload
    others

  • View
    27

  • Download
    2

Embed Size (px)

Citation preview

Page 1: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

HP Internet Usage ManagerFor the HP-UX, Redhat, Solaris, and Windows ® operating systems

Software Version: 7.0 FP01

Installation Guide

Document Release Date: November 2011

Software Release Date: E1130

Page 2: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Legal NoticesWarranty

The only warranties for HP products and services are set forth in the express warranty statementsaccompanying such products and services. Nothing herein should be construed as constituting anadditional warranty. HP shall not be liable for technical or editorial errors or omissions containedherein.

The information contained herein is subject to change without notice.

Restricted Rights Legend

Confidential computer software. Valid license from HP required for possession, use or copying.Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer SoftwareDocumentation, and Technical Data for Commercial Items are licensed to the U.S. Government undervendor's standard commercial license.

Copyright Notice

© Copyright 2011 Hewlett-Packard Development Company, L.P.

Trademark Notices

UNIX® is a registered trademark of The Open Group.

Microsoft® andWindows® are U.S. registered trademarks of Microsoft Corporation.

Intel® and Itanium® are registered trademarks of Intel Corporation in the US and other countries andare used under license.

Oracle® and Java are registered trademarks of Oracle and/or its affiliates. MySQL is a trademark ofOracle Corporation and/or its affiliates, and shall not be used without Oracle’s express writtenauthorization. Other names may be trademarks of their respective owners.

HP Internet Usage Manager (7.0 FP01)Page 2 of 116

Installation Guide

Page 3: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Documentation UpdatesThe title page of this document and the below print history contains the following identifying information:

l Document Edition, which changes each time the document is updated.

l Software Version number, which indicates the software version.

l Software Release Date, which indicates the release date of this version of the software.

To check for recent updates or to verify that you are using the most recent edition of a document, go to:

http://www.hp.com/support/usage

Contact your HP representative for additional support details.

The following table lists the version history since the last released edition.

Edition Version Release Date

Ninth Edition Version 5.0 December 20, 2006

Tenth Edition Version 5.0 Feature Pack 1 July 18, 2007

Eleventh Edition Version 5.0 Feature Pack 3 April 15, 2008

Twelfth Edition Version 5.1 May 8, 2008

Thirteenth Edition Version 6.0 November 18, 2008

Fourteenth Edition Version 6.0 Feature Pack 1 June 22, 2009

Fifteenth Edition Version 6.0 Feature Pack 2 May 6, 2010

Sixteenth Edition Version 7.0 October 10, 2010

Seventeenth Edition Version 7.0 Feature Pack 1 November 30, 2011

Print History

HP Internet Usage Manager (7.0 FP01)Page 3 of 116

Installation Guide

Page 4: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

SupportVisit the IUMCustomer Support web site at:

http://www.hp.com/support/usage

This web site provides contact information and details about the products, services, and support that IUMoffers. From this web site, you can download IUM software, patches, and documentation.

The IUM documentation set includes several other manuals in addition to the Release Notes and thisdocument. The latest versions of all IUMmanuals are available at the IUM customer support site as acompressed archive. Follow the below instructions to download the archive, unpack it onto your system,and access the manuals. The IUM documentation set also is included with your product installation,typically in C:\SIU\docs\manuals on Windows, and /opt/SIU/docs/manuals on UNIX.

To download the archive of the latest IUMmanuals:

1. Go to the IUM customer support web site: http://www.hp.com/support/usage.

2. When prompted, enter the user name and password listed in the HP IUM Release Notes.

3. At the customer support site, navigate to the Manuals page.

4. For your version and platform of IUM, click IUMDocumentation Set.

5. Save the downloaded file to a temporary directory on your system.

To unpack the documentation archive onWindows:

1. Open the downloaded file in WinZip.

2. Click Extract. The Extract dialog appears.

3. In the Extract To field, specify the <IUMHOME> directory where you installed the IUM files, forexample, C:\SIU.

4. Select the Overwrite existing files option.

5. Select the Use folder names option.

6. Click Extract.

7. Verify that the archive files were extracted to <IUMHOME>\docs\manuals, for exampleC:\SIU\docs\manuals.

8. Exit WinZip.

To unpack the documentation archive on UNIX:

1. Log in to the system as root.

2. Move the archive file to the home of your IUM installation, for example to /opt/SIU/<filename>.

3. Execute a command like one of the following:

4. unzip <filename>

HP Internet Usage Manager (7.0 FP01)Page 4 of 116

Installation Guide

Page 5: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

5. jar xvf <filename>

6. Verify that the archive files were extracted, for example to /opt/SIU/docs/manuals/.

7. Ensure that all users have read access to the files.

When the archive is unpacked, IUMmanuals are extracted into the IUM documentation directory underthe home of your IUM installation (for example, C:\SIU\docs\manuals\ onWindows or/opt/SIU/docs/manuals/ on UNIX). In addition, the manuals index page is overwritten with links toindividual manuals. Simply reload this page or retrace your steps to this page to view the latest IUMmanuals.

HP Internet Usage Manager (7.0 FP01)Page 5 of 116

Installation Guide

Page 6: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Contents

Installation Guide 1

Contents 6

Before Installation 10

System Requirements 11

Software Requirements 11

Hardware Requirements 12

Obtain an IUM License 12

Install the Java Development Kit 13

Ensure Network Access to the Configuration Server Host 14

Self-Publishing the Configuration Server’s IOR 14

Publishing the Configuration Server’s IOR using an External Server 15

Securing IOR URL Access for IUMHosts 16

Background 16

Prerequisite Steps 16

AddingWeb Server Certificate to IUMHost’s Java Environment Keystore 17

Configuring IUMHosts to Use the Secure IOR URL 18

Provide a Time Synchronization Mechanism 18

Specify Path toWeb Browser 19

Create aWindows Emergency Repair Disk 19

InstallingMultiple Instances of IUM on a System 19

Allowing Firewall Access 20

Complete the Installation Worksheet 20

Migrating IUM to MySQL 23

Overview 23

Migration Scenarios 24

System Requirements 24

HP Internet Usage Manager (7.0 FP01)Page 6 of 116

Page 7: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Supported Platforms 25

Licensing 25

Before the Migration 25

Installing the IUMMySQL Migration Toolkit 26

Running the Database Migration 33

Source/Target Setup 34

Object Selection 40

Object Mappings 43

Manual Editing 45

Schema Creation 45

DataMapping 48

Bulk Transfer 48

Summary 50

Migration Troubleshooting 51

Installing IUM 52

Installation Steps 52

Console Installation and Activation 66

Non-root Installation on UNIX 68

Unattended Install of IUM 69

Installation Troubleshooting 72

After Installation - Enabling the 64-Bit Version of IUM 72

Activating IUM 76

Activation Steps 76

Upgrading IUM 86

Planning the Upgrade 86

Upgrade Prerequisites 87

Replacement of Legacy Report Server Impacts 87

Disabling Security for a 5.0 Deployment 88

Installing the Upgrade 88

HP Internet Usage Manager (7.0 FP01)Page 7 of 116

Installation GuideContents

Page 8: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Activating Additional Components 90

Viewing Your License 90

Upgrading Your License 90

Securing IUM 92

Security Installation Prerequisites 93

LDAP Bind and Kerberos Authentication 93

Primary LDAP Server 93

Secondary LDAP Server 94

Kerberos Time Synchronization 94

Security Installation Steps 95

Step 1: Install IUM on First Host with Configuration Server 95

Step 2: Update the JVM 95

Step 3: Create the Security Properties File 96

Step 4: Verify the JCE Jurisdiction Policy 97

Step 5: Run secserveractivate to Process the Directory Layout Properties File 97

LDAP Bind Authentication Commands 97

Kerberos Authentication Commands 98

Step 6: Start the IUM Security Server 99

Step 7: Ensure Root Nodes from Directory Layout Properties File Present in LDAP 99

Step 8: Generate Security Information for Deployment (LDIF format) and Load into LDAPServer 100

Generate Security Information for the Reference DataManager 102

Step 9: Activate Security on the IUMHost 103

Step 10: Restart the Host Admin Agent 104

Step 11: Stop the Management Server 104

Step 12: Secure the Configuration Server 104

Step 13: Restart the Configuration Server 104

Step 14: Start the Management Server 105

Step 15: Verify the IUM Installation is Secure 105

Add Another Host to your Secure IUMDeployment 105

HP Internet Usage Manager (7.0 FP01)Page 8 of 116

Installation GuideContents

Page 9: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Add Another User to your Secure IUMDeployment 107

Choosing a Certificate Authority 107

Security Roles and Privileges 108

Disabling Security for a Deployment 109

Deactivating and Uninstalling IUM 112

Deactivating IUM Components 112

Uninstalling IUM onWindows 112

Uninstalling IUM on UNIX 113

Non-root Uninstall on UNIX 113

Unattended Uninstall of IUM 114

Uninstalling in Console Mode 114

HP Internet Usage Manager (7.0 FP01)Page 9 of 116

Installation GuideContents

Page 10: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Chapter 1

Before InstallationThis documentation provides instructions on:

l Preparing your system for installation, overall system requirements (software and hardware), othersoftware to install before you install IUM

l Database migration to MySQL

l Installation and activation steps

l Upgrade installation issues and steps

l Licensing

l Security setup steps

l Uninstall and deactivation

Ensure that you review this material completely before installing IUM.

System Requirements 11

Software Requirements 11

Hardware Requirements 12

Obtain an IUM License 12

Install the Java Development Kit 13

Ensure Network Access to the Configuration Server Host 14

Self-Publishing the Configuration Server’s IOR 14

Publishing the Configuration Server’s IOR using an External Server 15

Securing IOR URL Access for IUM Hosts 16

Background 16

Prerequisite Steps 16

AddingWeb Server Certificate to IUMHost’s Java Environment Keystore 17

Configuring IUMHosts to Use the Secure IOR URL 18

Provide a Time Synchronization Mechanism 18

Specify Path to Web Browser 19

Create a Windows Emergency Repair Disk 19

Installing Multiple Instances of IUM on a System 19

HP Internet Usage Manager (7.0 FP01)Page 10 of 116

Page 11: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 1: Before Installation

Allowing Firewall Access 20

Complete the Installation Worksheet 20

System RequirementsThis section lists basic software and hardware requirements for installing IUM. Check the IUM customersupport web site for the latest and most complete information on required software and hardware(http://www.hp.com/support/usage/supported/). See the IUM Release Notes for the web siteaddress and password.

Software Requirements

To run IUM, you must have all of the following:

l One of the supported operating systems, in addition to the required patch version of the chosenoperating system. Currently IUM supports:n HP-UX 11.23, 11.31 (PA-RISC), 11.23 (IA64), and 11.31 (IA64)

NOTE: If you are installing IUMwith the JRockit installer, the HP-UX operating system is notsupported. It can only be used with JDK 1.6.

n Red Hat Enterprise Linux 5 (x86, x86-64)

n Windows Server 2008 (x86, x86-64)

n Solaris 10 (SPARC)

l The Java Development Kit (JDK). See "Install the Java Development Kit" (on page 13) for details. Ifyou have purchased IUMwith the bundled JRockit Java Virtual Machine installer, then you do notneed the Oracle JDK.

NOTE: The Java Runtime Environment (JRE) is not sufficient. You must install the JDK.

l Depending on your operating system, supported database software, such as MySQL or Oracle (10gand 11g are supported). If you have purchased the HP MySQL product extension, you must stagethe MySQL-7.0-<platform>.iam.zip file (where <platform> refers to either the HP-UX, Linux,Solaris, or Windows version of the MySQL product extension) in a directory on your system. Bydefault, the IUM installer looks for this file in the same directory where you launch the IUM installer,and the file is required in order for MySQL to be installed with IUM. Product extension files can beobtained from the IUM customer support web site at http://www.hp.com/support/usage/. See theIUM Release Notes for more information on access.

NOTE: Per the licensing agreement, purchasers of the MySQL and JRockit product extensions(provided by IUM) are expressly prohibited from using these software packages for any purposeother than for IUM.

HP Internet Usage Manager (7.0 FP01)Page 11 of 116

Page 12: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 1: Before Installation

l Depending on your operating system, a supported web browser.

l On Linux only, this release requires version libstdc++.so.5 or later of the library libstdc++. Use acommand like one of the following to check your current version:

rpm -q libstdc++

find / -name libstdc++.so

To update this library, run the updater, usually in /usr/sbin/system-config-packages. Scroll down tothe “System” heading. Select “Compatibility Arch Support”, then “Details” on the right. Make sure“compat-libstdc++” is selected, then click Update. Use one of the above commands to verify yourinstalled version.

l If you plan to use IUM security, you must install or have access to an LDAP server. For example, youcould use Microsoft Active Directory, the ApacheDS LDAP server, or any other LDAP server. See"Securing IUM" (on page 92) for details.

l If you will not use IUM security, you do not need an LDAP server.

l If you plan to use the 64-bit version of IUM, make sure you have an operating system and JDK thatare 64-bit. See "After Installation - Enabling the 64-Bit Version of IUM" (on page 72) for moreinformation.

l Optionally, a web server or FTP server if you want to host the IOR URL outside of the configurationserver. See "Ensure Network Access to the Configuration Server Host" (on page 14) for moreinformation.

For complete details on the IUM software requirements, see the customer support web site athttp://www.hp.com/support/usage/supported/. You can log in to the support web site with the username and password provided in the IUM Release Notes.

Hardware Requirements

l Disk Space: OnWindows systems, includingMySQL and JRockit, approximately 600 MB (MySQLneeds 80 MB). On UNIX systems (except HP-UX), at least 450 MB in /opt and 150 MB in /var/opt.MySQL typically requires 160 MB on Solaris, and up to 340 MB on HP-UX systems.

l Temporary Disk Space: 100 MB in /tmp on all systems, used just during installation. Ensure that youhave the appropriate disk space based on the installation type (that is, if you are also installing theMySQL or JRockit product extensions).

l Memory: 1GB

NOTE: The disk space andmemory (RAM) required depend upon several factors, including thenumber and configuration of IUM components running on the host, and the volume of usage databeing processed and stored.

Obtain an IUM LicenseThe IUM license file is required for both installation and activation, and must reside on all hosts in thedeployment, not just the configuration server host. If you did not receive a license file when you

HP Internet Usage Manager (7.0 FP01)Page 12 of 116

Page 13: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 1: Before Installation

purchased IUM, obtain the license as follows:

l Visit the IUM customer support web site: http://www.hp.com/support/usage/. See the HP IUMRelease Notes for login and password.

l Contact your local HP Sales and Service Office

NOTE: When requesting your license, you must make the appropriate selections for any IUMproduct extensions, such as MySQL or JRockit (Real Time JVM). Licensing is required in order forthese product extensions to be available at the time of installation and activation.

You will receive a file named license.config as an e-mail attachment. While activating IUM on theselected host, you are prompted to supply the location of the license file. To store the license file on thehost:

1. Transfer the file to the host system. Put the file in a safe location where it will not be accidentallyremoved. Do not place it in an IUM product directory or it will be deleted when you uninstall.

2. Record the location of the license file in "Complete the Installation Worksheet" (on page 20).

During installation, you will have the opportunity to specify the location of the license file within the IUMinstaller (see Step 8 in "Installation Steps" (on page 52)). Later, when activating, the IUM activatorverifies all of your licensing options before activation can complete successfully (see Step 3a in"Activation Steps" (on page 76)).

Install the Java Development KitIf you are not installing the version of IUM bundled with its own Java Virtual Machine (JRockit), you mustinstall the JDK version 1.6.0_04 or any later 1.6-based version of the JDK before installing this releaseof IUM. A Java Runtime Environment (JRE) is not sufficient. If you plan to use the 64-bit version of IUM,make sure you have an operating system and JDK that has 64-bit support. See "After Installation -Enabling the 64-Bit Version of IUM" (on page 72) for more information.

NOTE: You should also install any platform-specific Java patches. The Java products on HP-UX andSolaris require patches from HP andOracle, respectively. Conversely, if you have the IUM installerincluded with JRockit, you do not need to install the Oracle JDK and can skip the steps below.

CAUTION: See the IUMCustomer Support web site (http://www.hp.com/support/usage/) for thespecific versions of Java that are supported by IUM. For the IUM customer support web site username and password, see the IUM Release Notes.

1. Obtain the JDK and Java patches.a. Download the JDK for HP-UX from http://www.hp.com/go/java.

b. Download the JDK for other platforms fromhttp://www.oracle.com/technetwork/java/javase/downloads/index.html.

c. Download required Java patches for your platform, if any.

HP Internet Usage Manager (7.0 FP01)Page 13 of 116

Page 14: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 1: Before Installation

2. Install the JDK and required patches, if any, according to the instructions accompanying thesoftware. During installation, IUM searches for the JDK on your system. To ensure that IUM findsthe JDK, install it in the default location.

3. Record the location of the JDK as described in "Complete the Installation Worksheet" (on page20).

TIP: If you will be using the optional IUM security module, you will have to apply encryption policies tothe Java runtime environments, including any JRE or JDK used by IUM. While this can be done laterwhen installing the security module, it is recommended to do it now while modifying your Javaenvironment. For instructions, see "Securing IUM" (on page 92).

Ensure Network Access to the Configuration Server HostWhen you install IUM, you first install IUMwith the configuration server on one host, then you installIUMwithout the configuration server on all remaining hosts. The configuration server stores andmanages the configuration for your deployment. All other IUM hosts and collectors download theirconfiguration from the configuration server when they start.

NOTE: All IUM processes communicate with the configuration server via CORBA interfaces. Whenthe configuration server first starts, it writes its CORBA address (known as the Interoperability ObjectReference or IOR) to a file called ConfigServer.ior, typically in C:\SIU\var\ onWindows and/var/opt/SIU/ on UNIX. The name of this file is stored with the keyword IORFILE in the SIU.iniproperty file. This is the physical location of the IOR file.

The configuration server must make its IOR (CORBA address) available to other IUM processes. IUMprocesses access the IOR through a URL, referred to as the IORURL. These IUM processes communicatewith the configuration server using its IOR. To make this IOR available to IUM processes, use one of thefollowing methods:

l Enable the configuration server to self-publish the IOR URL using an embedded HTTP server. This isthe simplest method.

l Publish the IOR URL using an external HTTP server, FTP server, or file server. Use this method whenthe simpler method described above is inadequate, for example, when you have systems ondifferent sides of a firewall. See "Publishing the Configuration Server’s IOR using an ExternalServer" (on page 15) for details.

l Publish the IOR URL over a secure HTTPS connection using an external HTTP server. See "SecuringIOR URL Access for IUMHosts" (on page 16) for details.

Self-Publishing the Configuration Server’s IOR

The configuration server can self-publish the IOR using an embedded HTTP server. You specify thisduring Activation by selecting the “Enable Hosting of IOR URL by Configuration Server” option (see Step3a in "Activation Steps" (on page 76)). This enables a built-in HTTP server that the configuration serveruses to provide its IOR to any other IUM process that needs to communicate with the configurationserver.

HP Internet Usage Manager (7.0 FP01)Page 14 of 116

Page 15: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 1: Before Installation

AdminAgent

Collector

HTTP Server

ConfigurationServer

Host A

Publishing the Configuration Server’s IOR using an External Server

You can publish the configuration server’s IOR using an external HTTP server, FTP server, or fileserver.

AdminAgent

Collector

ConfigurationServer

HTTP / FTP /File Server

Host A IOR

l Web server: The IORFILE is an absolute path name under the “document root” of the web server.The IORURL is relative to the document root. For example,http://bigServer3/siu/var/ConfigServer.ior.

l FTP server: The IORFILE is an absolute path name to the FTP user’s home directory hierarchy. TheIORURL is relative to the FTP user’s home directory. You can use anonymous FTP or a specific FTPuser account. The format of an FTP entry with a specific user is one of the following:

ftp://<user_name>:<password>@<host_name>/<file>

ftp://<user_name>:<password>@<host_name>:<port_number>/<file>>

The following example shows the ftp user name “siu” with a password “siupass” on a host with IPaddress 1.2.3.4 and the file “/var/opt/SIU/ConfigServer.ior”:

ftp://siu:[email protected]/var/opt/SIU/ConfigServer.ior

You can also use anonymous ftp, which has the advantage of not requiring a user and password. Inthis case, the configuration server writes its IOR under the ~ftp hierarchy and the IORURL is relativeto the ~ftp directory.

l File access (local or remote):

n Local Access: For example, file:/siu/var/ConfigServer.ior

n Windows File Share: You must map the remote server to a local drive letter. The IORFILE is anabsolute path name on the Windows share. For example, if the remote server “bigServer” andshare “share1” is mapped to the I: drive, the IORFILE isfile:/bigServer/share1/SIU/var/ConfigServer.ior. The IORURL then specifiesthe <share path>/<share relative path> as: file:/I:/SIU/var/ConfigServer.ior.

n NFS (Network File System for UNIX platforms) - The IORFILE is an absolute path name to the IORfile: /var/opt/SIU/ConfigServer.ior. The IORURL specifies the absolute path name:file:/net/bigServer3/var/opt/SIU/ConfigServer.ior.

HP Internet Usage Manager (7.0 FP01)Page 15 of 116

Page 16: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 1: Before Installation

NOTE: The configuration server must be able to write to this file, and the configuration server andthe access service (HTTP, FTP, Windows share or NFS file access) can be hosted on the samemachine or run on different machines.

The host admin agent is a process that runs on each IUM host and controls all other IUM processeson that host. OnWindows, the host admin agent runs as aWindows service under the Systemaccount. On UNIX, the host admin agent runs as a daemon as root.

The host admin agent requires access to the IOR file so it can communicate with the configurationserver. OnWindows, when the host admin agent is running as the default System user, the servicehas limited access to network resources such as shared drives. If your IOR file is on anotherWindows system and shared with the local system (that is, IORURL format isfile:/I:/SIU/var/ConfigServer.ior where the I: drive is a shared drive), you must use an account withaccess to that drive, not the default System account. For more information, see the IUMAdministrator’s Guide.

Securing IOR URL Access for IUM HostsYou can optionally set up secure HTTPS access to the IOR URL of the configuration server using anexternal HTTP server. This section describes how to configure secure access to the IOR URL.

Background

All IUM servers are based on Java. To secure the IOR URL access for the IUM configuration server, youmust configure the IUM host Java environment with the appropriate SSL authentication information. TheJava platform uses JSSE (Java Secure Socket Extension) to secure Internet communication based onSSL. The JSSE provides a truststore (a configurable keystore database) which is used to decide what totrust. When it verifies the identities of other clients or servers, it will retrieve trusted certificate authority(CA) certificates from its truststore.

Prerequisite Steps

This section describes the pre-configuration steps for securing IOR URL access. Configure an externalweb server with HTTPS support and the correct server certificate. For details on how to configure this,refer to “Publishing the Configuration Server’s IOR using an External Server” in "Securing IOR URLAccess for IUMHosts".

You can use either a self-signed certificate generated using the Java keytool (the keytool command toolis part of the JDK installation) or a web server certificate from a trusted Certificate Authority (CA), suchas VeriSign (http://www.verisign.com). To view the list of certificate authorities trusted by your installedJSSE, execute the following command located in /bin/keytool under your JDK installation directory:

keytool -list -keystore <JAVA_HOME>/jre/lib/security/cacerts

The following is a sample command:

keytool -list -keystore /opt/java1.6/jre/lib/security/cacerts

HP Internet Usage Manager (7.0 FP01)Page 16 of 116

Page 17: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 1: Before Installation

Once executed, the keytool will prompt for the password. The default password is “changeit“. Thedefault truststore file “cacerts” is located under the <JAVA_HOME>/jre/lib/security/ directory. If youhave multiple JDK installations on IUM host machines, make sure that you are using the JDK used duringthe IUM installation.

After generating the certificate, import it to the truststore of the IUM host machine’s Java environment.Refer to the following web sites for more details on keytool documentation, the certificate generationprocess and Tomcat web server SSL configuration.

l http://download.oracle.com/javase/1.5.0/docs/tooldocs/solaris/keytool.html

l http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html

The following sections guide you through subsequent procedures you need to perform on all the IUMhost machines.

Adding Web Server Certificate to IUM Host’s Java Environment Keystore

This section assumes that you have the web server certificate that you have used to configure the webserver for HTTPS support described under "Prerequisite Steps" (on page 16). If the web server uses acertificate signed by a certification authority (CA) trusted by JSSE, no further action is necessary. If theweb server uses a certificate signed by a self-signed root certificate or one issued by a certificateauthority which JSSE does not trust by default, you must configure your Java environment to acceptcertificates signed by this self-signed root certificate by performing the following steps:

1. Copy the self-signed root certificate that you have used while configuring the web server to alocation accessible to the host machine (say, RootCertificate.cer).

2. Add the root certificate to your default keystore using the command:

keytool -import -trustcacerts -alias <KEY_ENTRY_FRIENDLY_NAME> -file <ROOT_CERTFICATE_FILE> -keystore <JAVA_HOME>/jre/lib/security/cacerts

For example:

keytool -import -trustcacerts -alias serverCert -fileRootCertificate.cer -keystore /opt/java1.6/jre/lib/security/cacerts

The keytool will prompt for the password. Enter the default password “changeit“. You can changethe password if needed.

3. Type “yes” if it prompts you with the question “Trust this certificate?”

4. Verify that the certificate has been added successfully by entering the following command:

keytool -list -alias <KEY_ENTRY_FRIENDLY_NAME> -keystore <JAVA_HOME>/jre/lib/security/cacerts

For example:

keytool -list -alias serverCert -keystore/opt/java1.6/jre/lib/security/cacerts

Your IUM host Java environment is now initialized for SSL support.

HP Internet Usage Manager (7.0 FP01)Page 17 of 116

Page 18: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 1: Before Installation

IMPORTANT: Depending on your need, add the server certificate on all IUM host machines asdescribed above.

Configuring IUM Hosts to Use the Secure IOR URL

All IUM hosts must be configured to use the secure IOR URL in order to access the ConfigServer.ior fileusing HTTPS. This URL can be configured in the SIU.ini property file which is located in your installationdirectory, typically in C:\SIU\ onWindows and /etc/opt/SIU/ on UNIX. The URL is stored with thekeyword IORURL in the SIU.ini property file. Follow the steps below to modify the IORURL property inSIU.ini.

You can choose not to modify the IOR URL of the configuration server host machine andmodify only theIOR URL of all the other IUM servers running on other networked hosts. Perform the following steps onall your IUM host machines, with the possible exception of the configuration server host.

1. Stop the IUM admin agent running on the host machine, and stop the Launchpad if it is running. Seethe IUMAdministrator’s Guide for specific instructions.

2. Open the SIU.ini file located in the base directory of your installation in a text editor and search forthe keyword IORURL, for example IORURL= http://sys01.hp.com.

3. Change the value of IORURL keyword to the secure HTTPS URL. The format is as follows:

IORURL=https://<fully qualified domain name>:<port>/<IOR file URI>

The following example uses port 8443:

IORURL= https://sys01.hp.com:8443/SIU/var/ConfigServer.ior

The following example uses the default port 443:

IORURL= https://sys01.hp.com/SIU/var/ConfigServer.ior

NOTE: The fully-qualified domain name of the server (sys01.hp.com in the above example)must match the subject field Common Name (CN) of the web server certificate.

4. Verify that all the web servers are up and running, then start the IUM admin agent on your hostmachine. See the IUMAdministrator’s Guide for specific instructions.

5. Test the configuration by running the command:

siucontrol -c showProcs

Provide a Time Synchronization MechanismBecause the various IUM hosts generate time-synchronized data, you must employ a time-synchronization mechanism such as NTP (Network Time Protocol) to synchronize time on each IUMhost. You must also synchronize time on systems and devices, such as routers, that generate source datacontaining time information to be consumed or used by IUM collectors.

On HP-UX, the “-XX:+UseGetTimeOfDay” option is required, and is added by default by the IUMactivator. If you modify your JVMOPTS configuration attribute, ensure that this time setting is still

HP Internet Usage Manager (7.0 FP01)Page 18 of 116

Page 19: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 1: Before Installation

enabled. The option can be viewed and changed via the Launchpad in the host’s “Defaults”configuration node.

Also, add this option if any process spawned by the admin agent does not use the host’s defaults (that is,if the JVMOPTS attribute in the process “Properties” configuration node does not contain%DEFAULTS%).

Specify Path to Web BrowserIUM invokes a web browser to display the audit and reporting interface, as well as online help. Toenable the browser to launch automatically on UNIX, make sure that the mozilla executable is in yourPATH environment variable.

Create a Windows Emergency Repair DiskBefore and after installing IUM onWindows platforms, you should back up your Windows registry andmake an Emergency Repair Disk. See your Windows online help for specific instructions on how tocreate an Emergency Repair Disk.

Installing Multiple Instances of IUM on a SystemYou can install multiple instances of IUM on a single system. When installing IUM, provide a uniqueInstance Name to the install wizard (see Step 6, "Installation Steps" (on page 52)). Each instance orcopy of IUM installed on a system has a unique instance name. The instance name is used as part of theIUM installation directory. The instance name must begin with “SIU”, so for example, you could useSIU01, SIU02, and so forth.

Use the Instance Name when installing and uninstalling IUM. OnWindows systems, you specify thedirectory where you want IUM to be installed. On UNIX systems, IUM is installed in /opt/<Instancename>/, /var/opt/<Instance name>/ and /etc/opt/<Instance name>/.

Regarding ports that IUM uses, you can safely use the default port values for the first instance.However, when activating additional, multiple instances on the same system, you cannot accept thedefault port values, nor can you use the same values if you used them on a previously installed instance.Errors can occur if the same ports are used. For example, you should use unique port numbers for IORlisten, MySQL, and the web application server so they do not conflict with other IUM instances.

NOTE: If you need multiple MySQL database instances, you are responsible for installing andmaintaining them.

To avoid possible port conflicts and keep your various instances organized, it is recommended that youuse a port-numbering scheme that helps ensure each instance uses unique port values. As an example,for each new IUM instance, you could increment each required port value by 10 or 100.

IUM also uses the Apache Tomcat web server to run certain IUM components, such as the securityserver, repository server and web applications (Operations Console, reporting, and so on). A knownissue with Tomcat involves the installation of multiple instances of Tomcat on the same host, which resultsin Tomcat shutdown port conflicts. If you encounter this scenario and need to resolve this conflict, you

HP Internet Usage Manager (7.0 FP01)Page 19 of 116

Page 20: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 1: Before Installation

will need to manually change the Tomcat shutdown port in each instance’s server.xml file in%VARROOT%/securityserver/conf.

Apache Tomcat’s default shutdown ports are the following:

l 8005 - web applications

l 8007 - security server

l 8008 - repository server

The shutdown ports are configured using the <Server> element of the server.xml file:

<Server port="8005" shutdown="SHUTDOWN">

To install additional IUM instance(s) with attention to the unique port values, follow this process:

1. Install the new IUM instance without activating it.

2. Edit and change the shutdown port in the following server.xml files:a. <INSTALL_HOME>/newconfig/server.xml (for example, for a new instance change

port to 8015, then for the next instance, 8025, and so on for all server.xml files)

b. <VARROOT>/securityserver/conf/server.xml (for new instance, change port to8017)

c. <VARROOT>/repositoryserver/conf/server-secure.xml (for new instance,change port to 8018)

d. <VARROOT>/repositoryserver/conf/server-unsecure.xml (for new instance,change port to 8018)

3. Activate IUM and specify ports for all other IUM components according to your chosen portnumbering scheme (for example, adding “10” to each port value).

For more information on the server.xml file, see the IUMAdministrator’s Guide. Also see"Activating IUM" (on page 76) for more on the IUM activation process.

Allowing Firewall AccessIUM servers listen to CORBA requests at the port number specified in the optional attribute ListenPort.When configured in an individual server configuration, it allows static assignment of a port number to aserver, which is useful when the IUM server must use well-known ports to traverse firewalls. ListenPortmust be set on each individual server configuration in the deployment, under/deployment/<host>/<server>/. See the IUM Foundation Guide and Administrator’s Guide for moreinformation on configuration.

Complete the Installation WorksheetUse an installation worksheet to record your decisions about the IUM installation. You can enterinformation about your deployment in the sample worksheet.

HP Internet Usage Manager (7.0 FP01)Page 20 of 116

Page 21: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 1: Before Installation

Configuration Server Host:

The system where the IUM configuration server isrunning.

For example:

sys01.hp.com

IUM Instance Name:

The name of the IUM instance. Must begin with “SIU”.

For example:

SIU_01

Default is SIU.

Hosts and Collectors:

The IUM collectors in your deployment and thesystems that host them.

sys01.hp.com - RadiusCollector1

sys02.hp.com - Correlator2

sys02.hp.com - BillingOutptCollector3

sys03.hp.com - PrepaidServer1

IOR File Access:

The method by which an IUM host accesses the IORfile on the configuration server.

Configuration Server Self-Published access:http://sys01.hp.com:8158 orhttp://localhost:8158/

Anonymous FTP access:ftp://sys01.hp.com/SIU/var/ConfigServer.ior

HTTP access:http://sys01.hp.com/SIU/var/ConfigServer.ior

Remote file access on NT:file:/I:/SIU/var/ConfigServer.ior

Remote file access on UNIX:file:/net/sys01/var/opt/SIU/ConfigServer.ior

User name:

The username under which the IUM host admin agentserver runs (as a service onWindows or as adaemon on UNIX).

On UNIX, the default is root.

OnWindows, it defaults to System.

IUM License File Location: On UNIX, it is typically/etc/opt/SIU/license.config

OnWindows, typically C:\SIU\license.config

Installation Worksheet Examples

HP Internet Usage Manager (7.0 FP01)Page 21 of 116

Page 22: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 1: Before Installation

Java Development Kit Location: For example: On UNIX: /opt/java/jdk1.6.0_04

OnWindows: C:\ProgramFiles\Java\jdk1.6.0_04

LDAP Server Location: For example:

Primary: ldaps://enterpriseserver.hp.com:386Secondary: ldaps://iumserver.hp.com:386

Record information about your deployment in a similar worksheet as above. You will be prompted forsome of this information during activation. For a large deployment, you may need amore formalinventory of your deployment.

HP Internet Usage Manager (7.0 FP01)Page 22 of 116

Page 23: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Chapter 2

Migrating IUM to MySQLThe IUMMySQL Migration Toolkit allows you to convert and migrate your Solid database to MySQL. Ifyou are installing a new instance of IUM and are not upgrading from a previous version, you can skipthis material and go directly to "Installing IUM" (on page 52) and "Activating IUM" (on page 76).

Overview 23

Migration Scenarios 24

System Requirements 24

Supported Platforms 25

Licensing 25

Before the Migration 25

Installing the IUM MySQL Migration Toolkit 26

Running the Database Migration 33

Source/Target Setup 34

Object Selection 40

Object Mappings 43

Manual Editing 45

Schema Creation 45

DataMapping 48

Bulk Transfer 48

Summary 50

Migration Troubleshooting 51

OverviewThe Solid-to-MySQL migration process takes all of your IUM data in Solid and converts it to MySQL usingthe IUMMySQL Migration Tool. You can use the toolkit to convert the database both when the sourceand target databases are present (for immediate conversion), or you can use the toolkit with only thesource present and then save the database to a file for later use. When you install and activate IUM,you will be able to import this file so all components and configurations in your deployment can use thenew MySQL database. For more information on installation and activation of the MySQL productextension, see "Installing IUM" (on page 52) and "Activating IUM" (on page 76).

HP Internet Usage Manager (7.0 FP01)Page 23 of 116

Page 24: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 2: Migrating IUM to MySQL

This document describes using the Windows version of the toolkit, in the context of aWindowsenvironment. The following sections discuss system requirements, migration scenarios, preparing forthe migration, installing the toolkit, and the step-by-step migration process.

Migration Scenarios

The toolkit can be executed either on the host where IUM is actually installed, or remotely. That is, youcan run it on another system and then point to the system being migrated from Solid to MySQL. Due topotential platform constraints, remote migration can be more suitable, though both scenarios areequally supported using the toolkit. Accordingly, both Windows and Linux versions of the toolkit areavailable if you are migrating from a different platform (for more information, see "SupportedPlatforms" (on page 25)).

Typically the migration toolkit is used when you have both your source and target databases available(“online” migration), but the IUMMySQL Migration Toolkit also supports migration of the sourcedatabase only, without requiring the target database to be present (an “offline” migration). As a result,the toolkit allows saving the database migration to files with all the necessary SQL-format statements,which can be used to import all database data. Otherwise, the migration tool can be executed whenboth the source and the target database are present. Before installing IUM 7.0, you should perform theSolid-to-MySQL migration first, so that the database files can be used by the activator to complete theupgrade and activation (see Step 3e, in "Activation Steps" (on page 76)).

System Requirements

Since the migration toolkit can be installed and run on a remote system other than the host deployment(that is, separate from your IUM deployment), it can have different system and platform requirementsthan IUM. To install and run the toolkit, JRE 1.6 is required on the system that will run it.

The supported upgrade path for migrating an IUM deployment requires IUM 6.0 as the base version,while versions prior to 6.0 are not supported (but if you are using an older version of IUM, you can alsoupgrade your deployment to 6.0 in preparation for an upgrade to 7.0). IUM 6.0, 6.0FP01, and6.0FP02 can be migrated from the Solid database to MySQL, to be used with 7.0.

The minimum hardware requirements to install the migration toolkit are:

l 60 MB of disk space to install the toolkit. For larger databases, ensure that you also have sufficientdisk space to accommodate the conversion.

NOTE: In addition to the installation disk space, the migration toolkit requires an amount of diskspace that is equal to the size of the source Solid database file (solid.db, found in the%BINROOT%/Solid/DB directory). When the migration is complete (see "Running the DatabaseMigration" (on page 33)), the exported SQL scripts will occupy disk space on your systemapproximately equivalent to the size of solid.db.

l 512 MB of RAM.

l A 10 Mbit/s Ethernet link to the source and target database hosts.

HP Internet Usage Manager (7.0 FP01)Page 24 of 116

Page 25: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 2: Migrating IUM to MySQL

Supported Platforms

Both aWindows and Linux version of the toolkit are available, but the Windows version of the IUMMySQL Migration Toolkit has more features and includes a graphical interface (described in this chapterfor demonstration purposes). Meanwhile, the Linux version uses a text/command-line interface and isnot as fully-featured, since for example, it does not allow editing of SQL statements manually during themigration (nor does the Windows command-line version).

NOTE: On Linux, the migration toolkit installer does have a graphical interface, and can beexecuted using the following command: ium-db-migration-7.0-setup-Linux.bin -igui. To run the text user interface and command-line interface, use the run_migration and run_migration_cli scripts, which are both available for execution in the Linux migration toolkit installationdirectory.

The following table summarizes the platforms where you can use the migration toolkit.

OperatingSystem

HardwarePlaforms Installer Toolkit Interface

Red HatLinux 4, 5

i386,x86_64

Commandline,graphicalinterface

Command-line and text user interface.

NOTE: Both command-line and text user interface havelimited functionality compared to the Windows graphicalversion. SQL statements cannot be manually edited.

WindowsXP, Vista

i386 Graphicalinterface

Graphical and command-line.

NOTE: Command-line does not allow manual editing of SQLstatements.

Platform Support

NOTE: The migration can be done without the target database present, since the migration toolkitdoes not require the MySQL server or other related database software to be installed prior to themigration. If you are using your own MySQL server, MySQL version 5.1 is supported (this is also theversion supported if you purchased the MySQL product extension with IUM).

Licensing

The IUMMySQL migration toolkit is intended for data transfer from the Solid database to MySQL, and isan extended version of the standardMySQL Migration Toolkit fromOracle. The toolkit is licensed underthe GPL, the terms of which must be accepted at installation (see "Installing the IUMMySQL MigrationToolkit" (on page 26); the license is also included in the migration toolkit install directory). HP providesthe source code as well as its custom additions along with the toolkit.

Before the MigrationBefore performing the migration, it is recommended that you clone your deployment on another testsystem. It is also essential that you:

HP Internet Usage Manager (7.0 FP01)Page 25 of 116

Page 26: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 2: Migrating IUM to MySQL

l Stop all running collectors and processes.

l Ensure that Solid is still running on the system being migrated - this is critical for the migration tocomplete successfully.

Any IUM component should not have any pending transactions prior to the migration, since the toolkitdoes not support capturing any data still in transit. Migration is intended to occur when all collectors andprocesses are shut down so that there is a clean cutoff of the data. Accordingly, you must stop allcurrently running processes (IUM collectors, charging manager, file collection services, and so on). Alldatabase producers must be in a stopped state. Otherwise, the database migration cannot beaccomplished if any collectors or other IUM processes are live and still writing to the Solid database.

The quickest way to stop IUM processes is to close the Launchpad and stop the IUM admin agent. Usingthis method, the Solid database will still be running after shutting down the admin agent, since Solidneeds to be active when you perform the migration. If you decided to shut down IUM processesindividually (instead of all at once via the admin agent shutdown), ensure that you also stop the IUMmanagement server and the web application server.

NOTE: The migration process itself is non-destructive to the source. The source data in Solid is nottouched or changed during migration.

Installing the IUM MySQL Migration ToolkitBefore performing the migration, you must first install the IUMMySQL Migration Toolkit. This can bedone on either the IUM host to be migrated, or a remote system. The instructions in this documentassume the Windows version of the toolkit is being used to perform amigration for a remote system.

NOTE: Before proceeding, ensure that you have JRE 1.6 installed on the system that will be used torun the migration toolkit. You will be prompted to install the JRE if you attempt to run the migrationinstallation otherwise.

1. Run the ium-db-migration-7.0-setup-Windows.exe executable. Press Next to proceed with theinstallation.

HP Internet Usage Manager (7.0 FP01)Page 26 of 116

Page 27: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 2: Migrating IUM to MySQL

2. Acknowledge the terms of the license and press Next.

HP Internet Usage Manager (7.0 FP01)Page 27 of 116

Page 28: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 2: Migrating IUM to MySQL

3. Choose your preferred installation directory and any shortcut folder options.

HP Internet Usage Manager (7.0 FP01)Page 28 of 116

Page 29: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 2: Migrating IUM to MySQL

4. Specify the Java Virtual Machine to be used by the installation (JRE 1.6 or higher).

5. Specify the path to the IUM configuration file that contains the database connections to import intothe installer.

HP Internet Usage Manager (7.0 FP01)Page 29 of 116

Page 30: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 2: Migrating IUM to MySQL

This selection is available so you do not have to manually supply the database URL later and so themigration toolkit will have your database settings (and thereby will be available from the migrationtoolkit drop-down menu selections when you perform the migration). See the Source/Target Setupstage in "Running the Database Migration" (on page 33) for more information.

HP Internet Usage Manager (7.0 FP01)Page 30 of 116

Page 31: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 2: Migrating IUM to MySQL

6. After pressing Next from the previous dialog, you will be shown a pre-installation summary of yourchoices before the install takes place.

HP Internet Usage Manager (7.0 FP01)Page 31 of 116

Page 32: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 2: Migrating IUM to MySQL

Press Install to begin the installation. Once the installation is complete and its success has beenconfirmed, press Done. You can now proceed with performing the database migration.

HP Internet Usage Manager (7.0 FP01)Page 32 of 116

Page 33: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 2: Migrating IUM to MySQL

Running the Database MigrationOverall the IUMMySQL Migration Toolkit functions in the same manner as the original migration toolkitprovided byOracle, except for the fact that Solid has been added as a source database to migrate, aswell as the ability to migrate without the target database present. Or, if you have your own MySQLdatabase, then you can run the migration with it as the target. If you need assistance during themigration, refer to the online help included in the toolkit.

The migration comprises the following tasks, which lead you through the corresponding sections of theinterface:

l Source/Target

l Object Selection

l Object Mapping

l Manual Editing

l Schema Creation

l DataMapping

l Bulk Transfer

l Summary

HP Internet Usage Manager (7.0 FP01)Page 33 of 116

Page 34: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 2: Migrating IUM to MySQL

Source/Target Setup

To start the migration toolkit, select Start -> All Programs -> IUMDBMigration Toolkit ->MySQLMigrationToolkit. The migration toolkit start-up dialog is displayed.

The migration toolkit checks for the correct Java version at start-up. See "Migration Troubleshooting"(on page 51) for more information troubleshooting if you encounter Java loader errors on start-up.Press Next to begin.

HP Internet Usage Manager (7.0 FP01)Page 34 of 116

Page 35: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 2: Migrating IUM to MySQL

Direct Migration is pre-selected for you. After pressing Next, the source database selection screen isdisplayed.

HP Internet Usage Manager (7.0 FP01)Page 35 of 116

Page 36: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 2: Migrating IUM to MySQL

From the Database System drop-down list, select Solid Jdbc. The Connection Parameters portion of thedialog will then become available, prompting you for additional information regarding the sourcedatabase.

Next, you must specify the stored source database connection, obtained by the migration toolkit installerfrom the IUM configuration file you previously imported (see Step 5 in "Installing the IUMMySQLMigration Toolkit" (on page 26)). From the corresponding Stored Connection drop-down list, select theconnection. In this example, the “jdbc:solid://testbl460b:1313” selection automatically populates theassociated Username and Password fields for the database connection (this is just a name used by themigration toolkit to refer to your connection, and does not represent the actual connection URI thatbelongs in the Connection String field).

HP Internet Usage Manager (7.0 FP01)Page 36 of 116

Page 37: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 2: Migrating IUM to MySQL

After confirming your selections, press Next. In the succeeding dialog, you can specify the targetdatabase parameters. Ensure that the Connection String field reflects the actual, absolute path, URL, orIP address of the machine hosting the Solid database being migrated, since the default string populatedhere will refer to the IUM hostname (andmay not correspond to the network path naming conventionthat your system uses to reference another network resource). For instance, if the IUM file you used toimport database connections into the installer resides on a different system than the actual databaseconnection, then the paths will be different and reflect the path of the configuration file, rather than theactual database connection.

NOTE: The database URL extracted from the configuration file (see Step 5 in "Installing the IUMMySQL Migration Toolkit" (on page 26)) may not be sufficient to access the source connection. Forexample, in some instances, the host name will be used, which cannot be resolved from the host onwhich the migration toolkit is running. In such a case, edit the URL manually in the Connection Stringfield, and specify the IP address or fully-qualified host name so that the source host is accessible bythe specified IP address or host name.

HP Internet Usage Manager (7.0 FP01)Page 37 of 116

Page 38: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 2: Migrating IUM to MySQL

As mentioned previously, the IUMMySQL Migration Toolkit supports both scenarios, where both thesource and target database are present, or where you only have the source database and want toexport your database to an SQL script file for later migration. For the latter case, select No connectionfrom the Driver drop-down list. Otherwise, to migrate online (when you have both the source andtarget present), specify your MySQL JDBC Driver connection parameters and follow the remainder ofthe migration prompts.

HP Internet Usage Manager (7.0 FP01)Page 38 of 116

Page 39: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 2: Migrating IUM to MySQL

At this point, you do not need to specify any target connection parameters, as the migration toolkit onlycreates a connection with the source database. Press Next to continue. The migration toolkit checks thesource database connection and retrieves the schema information.

HP Internet Usage Manager (7.0 FP01)Page 39 of 116

Page 40: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 2: Migrating IUM to MySQL

After confirming the database connection is established, press Next to begin the Object Selectionportion of the migration process.

Object Selection

Select the source schemata extracted from your database. In the example below, this is “siu20”.

HP Internet Usage Manager (7.0 FP01)Page 40 of 116

Page 41: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 2: Migrating IUM to MySQL

Press Next when your source database schemata is selected. The Reverse Engineering process willthen commence.

HP Internet Usage Manager (7.0 FP01)Page 41 of 116

Page 42: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 2: Migrating IUM to MySQL

After the process has completed successfully, press Next.

You can then review and select all object types (tables, and so on) that are to be migrated, and which (ifany) are to be ignored and not included in the migration. To see the details and select any objects toignore, press Detailed Selection. By default, all labels are selected.

HP Internet Usage Manager (7.0 FP01)Page 42 of 116

Page 43: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 2: Migrating IUM to MySQL

Next you can adjust anyObject Mapping settings.

Object Mappings

In the Object Mapping dialog, you can specify any schema and object mappings for the database, butfor the purposes of the IUM toolkit, all the default selected parameters are sufficient for a typicalmigration.

HP Internet Usage Manager (7.0 FP01)Page 43 of 116

Page 44: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 2: Migrating IUM to MySQL

Press Next to complete this step in the migration, and continue to the Manual Editing portion of themigration.

HP Internet Usage Manager (7.0 FP01)Page 44 of 116

Page 45: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 2: Migrating IUM to MySQL

Manual Editing

You can perform manual edits on the data to correct any mapping errors, but if no problems werefound as a result of the object mapping, you are informed of this in the next dialog (where no manualediting of SQL statements is required).

You can also select “Show all objects” from the Filter field, then press Advanced to edit the actual SQLstatements manually for each object. This can be useful for advanced users who want to have fullcontrol over the migration process and change the automatically-generated SQL statements. Next, youcan proceed with the Schema Creation section of the migration.

Schema Creation

You can create objects and transfer the data simultaneously, where both source and target databaseare present, connected, and whose data will be migrated if you have your own external MySQLdatabase. Or, for the scenario where the target is not present, you can export the database data togenerated SQL scripts to be filled with data as a data dump. For the simultaneous method, it isrecommended that at a minimum you save an object creation script for diagnostic purposes. TheCreates.sql script file needs to be created at this point so you can provide it to the IUM activator duringactivation (see "Activation Steps" (on page 76)).

HP Internet Usage Manager (7.0 FP01)Page 45 of 116

Page 46: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 2: Migrating IUM to MySQL

The script you specify in the Filename field represents your database schemamigration script. Also,when selecting the option to create a script file, ensure that Create Objects Online is not selected. Aconfirmation is displayed to indicate the execution completed successfully.

HP Internet Usage Manager (7.0 FP01)Page 46 of 116

Page 47: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 2: Migrating IUM to MySQL

A further dialog displays script/object creation problems, if any.

HP Internet Usage Manager (7.0 FP01)Page 47 of 116

Page 48: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 2: Migrating IUM to MySQL

Next, you can set up data transformation and data mapping options.

Data Mapping

As with the Schema Creation step, you can specify how you want to transfer the data, whether online,or offline by saving to an inserts file.

As with schema creation described in "Schema Creation" (on page 45), and for the scenario where thedata will be saved for later use, ensure that Transfer DataOnline is disabled, and that you only selectCreate Script File for Insert Statements. Specify the path to the script file, which represents the built datamigration script. After pressing Next, the bulk data transfer will commence (see "Bulk Transfer" (onpage 48)). The Inserts.sql script file needs to be created so you can provide it to the IUM activator duringactivation (see Step 3e, "Activation Steps" (on page 76)).

Bulk Transfer

After specifying bulk transfer and a script file for insert statements, the database transfer will proceed.This process could take some time depending on the size of your database.

HP Internet Usage Manager (7.0 FP01)Page 48 of 116

Page 49: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 2: Migrating IUM to MySQL

A confirmation will display to indicate the transfer is complete. Press Advanced to review the log andensure there were no transfer errors.

HP Internet Usage Manager (7.0 FP01)Page 49 of 116

Page 50: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 2: Migrating IUM to MySQL

Press Next to view the migration summary report.

Summary

Upon completion of the migration, you can view a report detailing the entire migration results.

Press Save Report to Disk to save a copy of the migration report. Press Generate Migration Script torecord all input selections you made during the migration, which can be used for a further unattendedmigration. The “creates.sql” and “inserts.sql” scripts that you saved earlier (see "Schema Creation" (onpage 45) and "DataMapping" (on page 48)) are intended for creating and populating the databaseobjects (such as tables and indices). These script files are generated for both cases, but in the secondcase (during an online migration) the script files are created on the fly.

The script files are standardMySQL scripts that you can process by (1) importing the “creates.sql” and“inserts.sql” files when you are upgrading and activating IUMwith the MySQL product extension files,directly into the activator, or (2) using the mysql command-line utility to create and populate thedatabase tables. For example, you can use mysql commands such as the following to import the datainto MySQL:

mysql -u username -p password database_name < creates.sql

mysql -u username -p password database_name < inserts.sql

Either method completes the upgrade process from Solid to MySQL, andmakes your data available foruse in IUM 7.0. See "Installing IUM" (on page 52) and "Activating IUM" (on page 76), for moreinformation on installing and activating the product. Also see "Upgrading IUM" (on page 86) for more

HP Internet Usage Manager (7.0 FP01)Page 50 of 116

Page 51: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 2: Migrating IUM to MySQL

details on upgrading, and the IUMAdministrator’s Guide for more information on the mysqlcommand-line utility.

Migration Troubleshootingl Java loader issues at migration toolkit start-up. An error may appear that says, “An error occurred

during the initialization of the runtime system. Please make sure you have the Java RuntimeEnvironment (JRE) 5.0 Update 8 or newer installed.” This can occur if you execute the migrationtoolkit executable (MySQLMigrationTool.exe) directly instead of using the Windows Start menushortcut (All Programs -> IUMDBMigration Toolkit -> MySQLMigrationToolkit). Also, if you stillexperience Java loader issues, ensure that the jvm.dll path contained in the run_migration.bat file iscorrect. For example, for JRE 1.6, and assuming the JRE is installed in C:\Program Files\Java\jre6,the path contained in this file is typically “C:\Program Files\Java\jre6\bin\client\jvm.dll” (thelocation can vary for different JRE installations). If there is a different path to another jvm.dll, themigration toolkit start-up will fail. For this case, ensure that the correct path to your JRE’s jvm.dll ispresent. Also, before editing run_migration.bat, ensure that you first close the migration toolkit.

l Migration toolkit failure during large database migration. When migrating a database with a verylarge amount of tables (about several thousand tables), the toolkit may fail with a JavaOut ofMemory Exception. In this case, the command-line version of the toolkit clearly reports about out ofmemory problems, while the graphical version outputs the following: “The schema could not bereverse engineered (error: 10008).” To prevent this error, the maximum Java heap size should beincreased. This can be done by adding a larger -Xmx parameter in the start-up scripts (run_migration and run_migration_cli on Linux, run_migration.bat and run_migration_cli.bat onWindows). Replace the set _JAVA_OPTIONS=-Xms64m -Xmx256m line with set _JAVA_OPTIONS=-Xms64m –Xmx512m.

HP Internet Usage Manager (7.0 FP01)Page 51 of 116

Page 52: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Chapter 3

Installing IUMThis topic describes how to install and activate a new instance of IUM on a clean system. Please read thismaterial completely before beginning installation.

Installation Steps 52

Console Installation and Activation 66

Non-root Installation on UNIX 68

Unattended Install of IUM 69

Installation Troubleshooting 72

After Installation - Enabling the 64-Bit Version of IUM 72

Installation Steps

TIP: If you downloaded the setup program from the web site or via FTP, make sure the file does nothave an extra extension. Some Web browsers add a “.html”, “.exe”, or “.zip” extension to the filename. If this happens, rename the file to remove the extra extension. Otherwise, the installation mayfail.

To install IUM:

1. Read "Before Installation" (on page 10) and ensure you meet what is described in "SystemRequirements" (on page 11).

2. Back up your system.

3. Copy the appropriate IUM setup program to the host system. Installation files vary depending on32- or 64-bit support, whether or not you use the core IUM installer that assumes you are usingyour own JDK, versus the installers bundled with the JRockit JVM, or if you have purchased theMySQL product extension. On a UNIX system, ensure the file has executable permissions.

OSSetup Program (for use with standaloneOracle JDK) Setup Program (JRockit JVM)

Windows IUM-7.0-setup-Windows.exe IUM-7.0-setup-Windows-JRockit32.exe

IUM-7.0-setup-Windows-JRockit64.exe

IUM Setup Programs

HP Internet Usage Manager (7.0 FP01)Page 52 of 116

Page 53: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 3: Installing IUM

OSSetup Program (for use with standaloneOracle JDK) Setup Program (JRockit JVM)

HP-UX IUM-7.0-setup-HP-UX.bin

Linux IUM-7.0-setup-Linux.bin IUM-7.0-setup-Linux-JRockit32.bin

IUM-7.0-setup-Linux-JRockit64.bin

Solaris IUM-7.0-setup-Solaris.bin IUM-7.0-setup-Solaris-JRockit-SPARC9.bin

OS Setup Program

Windows MySQL-7.0-Windows.iam.zip

HP-UX MySQL-7.0-HP-UX.iam.zip

Linux MySQL-7.0-Linux.iam.zip

Solaris MySQL-7.0-Solaris.iam.zip

MySQL Setup Files

4. Execute the IUM installer program. The program searches for Java and displays the IUM InstallWizard.

HP Internet Usage Manager (7.0 FP01)Page 53 of 116

Page 54: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 3: Installing IUM

5. Review and accept the license terms.

6. Specify the IUM instance ID for your new installation. The IUM installer also checks for pre-existingIUM instances on the machine, and summarizes what it finds, allowing you to choose betweenupgrading a previous installation, or installing a new one.

HP Internet Usage Manager (7.0 FP01)Page 54 of 116

Page 55: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 3: Installing IUM

In this example, previous versions of IUMwere detected, but you can enter a new IUM Instance IDin the corresponding field to create a new installation. Otherwise, on a clean system with noprevious IUM installs, you will just be prompted to enter the ID for the new installation. For detailson an upgrade installation, see "Upgrading IUM" (on page 86).

7. Next, choose the destination install directory for this instance. The install directory will be namedaccording to your chosen Instance ID (specified in the previous step), and defaults to “C:\SIU_<instance_ID>” onWindows.

HP Internet Usage Manager (7.0 FP01)Page 55 of 116

Page 56: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 3: Installing IUM

8. Specify the path to the IUM license file.

HP Internet Usage Manager (7.0 FP01)Page 56 of 116

Page 57: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 3: Installing IUM

If you do not have a license file, visit the IUM customer support site (also see the IUM ReleaseNotes). Also see "Obtain an IUM License" (on page 12) for more information.

9. Specify whether you want to install additional IUM product extensions (for example, the MySQLdatabase).

NOTE: If you are not using the embeddedMySQL database (that is, you have your owndatabase) or are not installing any other IUM product extensions, you will be taken directly toStep 10 to make your JVM selections. If you later decide to use the MySQL database includedwith IUM, you must re-install and re-activate so that MySQL will be present and usable in yourIUM instance.

If installing additional product extensions, you are prompted for the location of the these files. Forexample, to install the MySQL database, specify the path to the “MySQL-7.0-Windows.iam.zip”file that you should have already downloaded from the customer support site and placed in yourinstall directory. Optionally, select Scan subdirectories if the install files are located in asubdirectory, so that the installer can locate them (by default the directory path specified in“product extensions directory” will be the directory from which you launched the IUM installer).

HP Internet Usage Manager (7.0 FP01)Page 57 of 116

Page 58: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 3: Installing IUM

If you have correctly staged the optional product extension for the MySQL database on your filesystem, after clicking next, the IUM installer will detect it and indicate this accordingly.

HP Internet Usage Manager (7.0 FP01)Page 58 of 116

Page 59: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 3: Installing IUM

10. For the IUM installer without the bundled JVM, specify the path to the chosen Java Virtual Machine.In this example, JDK 1.6.0_19 is present on the system. Otherwise, you can also specify the pathto another JVM if preferred.

HP Internet Usage Manager (7.0 FP01)Page 59 of 116

Page 60: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 3: Installing IUM

If you are installing IUMwith the bundled JRockit JVM, the Choose Java Virtual Machine dialog willprompt you regarding which JVM you want to use.

HP Internet Usage Manager (7.0 FP01)Page 60 of 116

Page 61: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 3: Installing IUM

In this example, the Oracle JDK was already present, and the installer defaults to this selection.However, if you purchased the JRockit JVM and want to use it, select Use the Java VM installedwith this application.

HP Internet Usage Manager (7.0 FP01)Page 61 of 116

Page 62: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 3: Installing IUM

As shown above, the installer uses JRockit, while any other JVMs present on the system are notselected.

11. A summary of the installation settings is provided, to include any product extensions.

HP Internet Usage Manager (7.0 FP01)Page 62 of 116

Page 63: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 3: Installing IUM

For a JRockit installation, the installation summary indicates the install path for JRockit (see Java VMInstallation Folder entry).

HP Internet Usage Manager (7.0 FP01)Page 63 of 116

Page 64: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 3: Installing IUM

Click Next to start the installation with the specified settings.

12. Once the installation completes, you will be notified of the successful completion. Click Next toproceed with activating IUM.

HP Internet Usage Manager (7.0 FP01)Page 64 of 116

Page 65: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 3: Installing IUM

13. Select Activate IUM if you want to proceed with activation immediately after installation, or toactivate IUM later from the command line. You can launch the activator wizard at any time via thecommand line, activate using a activation-specific command console, or activate in silent mode.You cannot, however, use IUMwithout activating it.

HP Internet Usage Manager (7.0 FP01)Page 65 of 116

Page 66: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 3: Installing IUM

If not activating at this time, click Done. Otherwise, if you select Activate IUM and click Done, theactivator wizard is opened. See "Activating IUM" (on page 76) for activation steps.

If the installation failed, check the installation log file to review and resolve the problem, and run theprogram again. The setup program logs its activities and results to the IUM installation directory(whether successful or not) to two log files: Internet_Usage_Manager_InstallLog.log andMySQL_InstallLog.log. Additional debugging-related log files, for both the install and uninstall processes, can befound in your home directory (for example, C:\Documents and Settings\<username> onWindows, or/root on UNIX). These files take the form of ium-install0.log.0, ium-install0.log.1, or ium-uninstall0.log0, ium-uninstall0.log1, and will remain on your system whether IUM is present or not.

Console Installation and ActivationYou can also install and activate IUM in a text-only console mode, for cases where you do not have agraphical user interface, such as X windows on UNIX. Console installation and activation, however, aresupported on all of IUM’s platforms, whether Windows or UNIX.

NOTE: When the DISPLAY environment variable is not set on UNIX systems, the IUM installerautomatically switches to console mode, from the default graphical mode. Ensure that you unset theshell DISPLAY environment variable before installing in IUM console mode.

To install IUM in console mode, execute one of the following commands:

HP Internet Usage Manager (7.0 FP01)Page 66 of 116

Page 67: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 3: Installing IUM

l OnWindows systems execute the following to install:

IUM-7.0-setup-Windows.exe -i console

l On UNIX systems execute the following:

IUM-7.0-setup-<type>.bin -i console

This launches a separate console window that prompts you to begin theinstallation.Preparing CONSOLE Mode Installation...====================================================================Internet Usage Manager (created with InstallAnywhere)--------------------------------------------------------------------====================================================================Introduction------------InstallAnywhere will guide you through the installation of InternetUsage Manager version 7.0.It is strongly recommended that you quit all programs beforecontinuing with this installation.Respond to each prompt to proceed to the next step in theinstallation.If you want to change something on a previous step, type 'back'.You may cancel this installation at any time by typing 'quit'.PRESS <ENTER> TO CONTINUE:

You can proceed with the IUM installation after agreeing to the license terms. After pressing Enter toview the entire license terms, and Y to agree, you are next prompted to specify the IUM instance ID.

Additional license authorizations and restrictions applicable to yoursoftware product are found at: http://www.hp.com/go/SWLicensingDO YOU ACCEPT THE TERMS OF THIS LICENSE AGREEMENT? (Y/N): y

===================================================================Enter IUM instance ID---------------------The installer detected the following installed IUM instance IDs: SIU_60, SIU_60FP01, SIU_60FP02, SIU_70_RC2.Enter a new IUM instance ID for a new installation of IUM, or anexisting instance ID if you are upgrading a previous version of IUM.

IUM instance ID (DEFAULT: SIU):

The remainder of the console installation is functionally similar to the installation options described in"Installation Steps" (on page 52). Follow the prompts in the console to complete the installation. Theprogress will be displayed and you will be notified of successful completion.

====================================================================Installing...-------------

[==============|==============|==============|==============]

HP Internet Usage Manager (7.0 FP01)Page 67 of 116

Page 68: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 3: Installing IUM

[--------------|--------------|--------------|--------------]

====================================================================Installation Complete---------------------

Congratulations. Internet Usage Manager has been successfullyinstalled to:C:\SIU_70RC4Next, you need to activate the product by running the followingcommand:

>C:\SIU_70RC4\bin\activate

PRESS <ENTER> TO EXIT THE INSTALLER:

The console installer closes after pressing Enter. Also see "Uninstalling in Console Mode" (on page114) for more information on performing a console-based uninstall.

To activate in console mode, execute the activate console command, typically from C:\SIU\binonWindows or /opt/SIU/bin on UNIX. As with graphical-based activation, activation options arefunctionally similar, where you begin by specifying whether the host is a configuration server, portvalues, IOR and license file location, and so on.

C:\SIU_70RC4\bin>activate consoleIs the host a Config Server?: [false]: trueThis IUM instance will be activated as config server.Specify the repository server port: [8300]:

In the activation console, you can press enter at the prompts to accept the defaults (which are alsoindicated at the end of the prompt). Follow the prompts to proceed with the activation. Also see the IUMCommand Reference for a complete listing of the activate tool’s options and usage.

Non-root Installation on UNIXThis section describes how a non-root user can install IUM. Note that the root user must perform somesteps as specified below to enable the non-root user to install IUM.

1. Obtain the file nonrootprep.sh from your IUM install CD or the IUM download web site.

2. Log in as root on the system where you want to install IUM.

3. As root, run the non-root preparation script as follows:

nonrootprep.sh <User name> <IUM instance name>

where <User name> is the UNIX user login of the person who will install IUM and <IUM instancename> is a name you give this installation of IUM. You’ll use this IUM instance name when youinstall IUM in a later step.

4. Log in as the non-root user specified in the previous step.

HP Internet Usage Manager (7.0 FP01)Page 68 of 116

Page 69: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 3: Installing IUM

5. Install and activate IUM as described in "Installation Steps" (on page 52). Specify the IUM instancename given in step 3 above. This installs IUM components at /opt/<Instance name>/,/var/opt/<Instance name>/ and /etc/opt/<Instance name>/ with <User name> as the owner ofthe IUM directories and files.

NOTE: The IUM instance name is tied to the user name. Only the specified user (or the root user) caninstall or uninstall that IUM instance. The IUM files and directories are owned by the specified user.Use the ls -l command to see the user name. The non-root user must have proper accesspermissions to all the files and directories used by the collectors.

Unattended Install of IUMThis section describes how you can install IUM unattended. That is, you can install it non-interactively bya single command as described below.

NOTE: If you are installing IUMwith the configuration server and with security, you must use theinteractive installation method described in "Installation Steps" (on page 52). You can then use themethod described here to install IUM on additional systems.

1. Copy the following files from the IUM install CD or the IUM download web site to the system whereyou want to install IUM:

n install_win32.opt on Windows systems or install_unix.opt on UNIX systems.

n The appropriate setup program listed in "Installation Steps" (on page 52).

2. Modify the file install_win32.opt for Windows systems and install_unix.opt for UNIX systems asappropriate for your system. Below are the install parameters you can modify.n IUM_INSTANCE_ID - Enter the name of this IUM installation instance. Instance names must start

with the characters “SIU”.

n USER_INSTALL_DIR - (Windows only) The chosen installation directory.

n IUM_LICENSE_DIR - The path to the IUM license. Default is /root on UNIX, or C:\\ onWindows.

n IUM_LICENSE_FILE - The IUM license file name. Default is license.config.

n ADDITIONAL_COMPONENT_FILE_<#> - Path to any additional product extensions, such asMySQL, where <#> is the number of additional extensions (0-6).

n IUM_JAVA - Path to the JDK 1.6.

Activation parameters are the following:

n ACTIVATE_IUM - Specify whether or not you want to activate IUM immediately after installation.true/TRUE to activate immediately, or false/FALSE to activate later.

NOTE: If ACTIVATE_IUM is set true, the following options are required. Otherwise, theseoptions are ignored.

HP Internet Usage Manager (7.0 FP01)Page 69 of 116

Page 70: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 3: Installing IUM

n HOSTID - Specify the HOSTID for the node to be configured, ensuring that the HOSTID is notalready in use by IUM. If you want to use localhost, leave the field unchanged with the default.

n LANGUAGE - Specify one of four language values:o 1 - English (United States) (default)

o 2 - Japanese (Japan, SJIS)

o 3 - Japanese (Japan, JIS)

o 4 - Japanese (Japan, EUCJIS)

n IORURL - Enter the URL of the configuration server’s IOR (CORBA address).

n ISREPORTSERVER - Specify whether the IUM reporting web application is to be enabled on thisnode. Valid values are true/TRUE or false/FALSE.

n ISAUDITREPORT - Specify whether the IUM audit reporting web application is to be enabled onthis node. Valid values are true/TRUE or false/FALSE.

n ISOPSCONSOLE - Specify whether the IUMOperations Console web application is to beenabled on this node. Valid values are true/TRUE or false/FALSE.

n IS_RDM_APP - Specify whether the Reference DataManager web application is to be enabledon this node. Valid values are true/TRUE or false/FALSE.

n REPORTPORT - Enter the port number used by the web application server or Audit Reportserver. If either server is enabled, both servers use the same port. Valid values are 1 - 65535.

n ISPOLICYSERVER - Specify whether the IUM Policy server is to be enabled on this node. Youmust have a valid license for this component. Valid values are true/TRUE or false/FALSE.

n ISMANAGEMENTSERVER - Specify whether the Management server is to be activated on thisnode. Valid values are true/false.

n DBPORT - Enter the port number used by the database server. Change this value only if thedefault port cannot be used. Valid values are 1 - 65535.

n DBTYPE - Specify the type of database, whether EMBEDDED or EXTERNAL. If EXTERNAL,specify the following:o JDBC_DRIVER_JAR - The path to the JDBC driver.

o JDBC_DRIVER_CLASS - JDBC driver class.

o JDBC_DRIVER_URL - The JDBC driver URL.

o DATABASE_USER - The database user name.

o DATABASE_PASSWORD - Database password.

If you are installing IUMwith the configuration server, also modify the following:

n ISCONFIGSERVER - Specify whether this node is the configuration server. Valid values aretrue/TRUE or false/FALSE.

HP Internet Usage Manager (7.0 FP01)Page 70 of 116

Page 71: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 3: Installing IUM

NOTE: If ISCONFIGSERVER set to true, all options below are required. Otherwise when setfalse, the below options are ignored.

n IORLOCATION - Enter the path where the file containing the configuration server’s IOR is to becreated.

n LICENSEFILE - Enter the name and location of your IUM license file.

n IORLISTEN - Specify whether the Configuration Server should host its IOR URL. If true, requiresa valid port number for IORPORT. Valid values for IORLISTEN are true/TRUE or false/FALSE.

n IORPORT - Enter the configuration server IOR listen port number, where the configurationserver is to serve requests for the IOR. IORLISTENmust also be set, and valid values are 1 -65535.

n SECURITYHOST - Enter the IP address or fully qualified host name where the security server isrunning. This is typically the host where the configuration server is running. For moreinformation about IUM security, see "Securing IUM" (on page 92).

n SECURITYPORT - Enter the port number on which the security server is listening. Default is8443.

n REPOSITORYHOST - Specify the host IP address on which the Repository Server is configured.Usually this is the same host as the configuration server.

n REPOSITORYPORT - Specify the port on which the repository server is listening. Default is8300.

3. Execute a command like one of the following to install, and then activate IUM respectively:

n OnWindows systems execute a command like the following to install:

IUM-7.0-setup-Windows.exe -i silent -f C:\install_win32.opt

Execute the following command to activate:

<SIUHome>\bin\activate silent -file C:\install_win32.opt

n If installing IUMwith security on Windows systems, execute a command such as the following:

IUM-7.0-setup-Windows.exe -i silent -f C:\install_win32.opt

Execute the following command to activate:

<SIUHome>\bin\activate silent -file C:\install_win32.opt -login<user> -password <password>

n On UNIX systems execute a command such as the following:

IUM-7.0-setup-<type>.bin -i silent -f install_unix.opt

Execute the following command to activate:

<SIUHome>/bin/activate silent -file install_unix.opt

n If installing IUMwith security on UNIX systems, execute a command such as the following:

HP Internet Usage Manager (7.0 FP01)Page 71 of 116

Page 72: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 3: Installing IUM

IUM-7.0-setup-<type>.bin -i silent -f install_unix.opt

Execute the following command to activate:

<SIUHome>/bin/activate silent -file install_unix.opt -login<user> -password <password>

Provide an absolute path name to the install_*.opt file.

4. Check the following log files for any errors:n /tmp/ium_install.log and /opt/<Instance name>/iuminstall.log on UNIX

n C:\tmp\ium_install.log and <IUM home>\ium_install.log onWindows.

n C:\SIU\var\log\activate.log onWindows and /var/opt/SIU/log/activate.log on UNIX.

The installation log files at /tmp/ium_install.log and C:\tmp\ium_install.log are overwritten with theinstallation of each instance.

Installation TroubleshootingAs mentioned previously, when the DISPLAY environment variable is not set on UNIX systems, the IUMinstaller automatically switches to console mode, from the default graphical mode. In addition, if JVM1.6 is not specified in the PATH on UNIX systems, the installer can fail by default, expecting JVM 1.6 inthe PATH. To avoid this however, you can run the IUM installer as the following:

$>/tmp/IUM-7.0-setup-HP-UX.bin LAX_VM /opt/java6/bin/java

In this example, you can avoid errors by explicitly providing the path to the JVM 1.6 executable usingthe LAX_VM variable.

After Installation - Enabling the 64-Bit Version of IUMThe 64-bit version of IUM allows collectors and servers to use much larger memory space. Wheninstalling IUM, it runs in 32-bit mode by default, but you can run a 64-bit version of IUM servers onvarious 64-bit platforms. On 64-bit Windows and Linux operating systems, additional activation steps(as described below) are not necessary on such 64-bit platforms where 64-bit Java is already present.As a result, you do not need to enable 64-bit mode for these platforms.

However, for HP-UX and Solaris, the default JVM supports both 32- and 64-bit address spaces.Consequently, with these 64-bit platforms, the IUM installation will default to 32-bit mode, and so youmust follow these instructions to enable the 64-bit version of IUM. In addition, IUM can be returned tothe 32-bit version by following these same steps.

NOTE: If you are using the TimesTen database with IUM, ensure that both IUM and TimesTen areconfigured to run as 32-bit or 64-bit. Moreover, you can define the directory for shared libraries bysetting the LD_LIBRARY_PATH and SHLIB_PATH in the UNIX startup shutdown scripts, or you can setthe java.library.path in the Host Default Properties (Actions -> Host Default Properties).

NOTE: See the IUMCustomer Support web site at http://www.hp.com/support/usage/supported/for the specific versions of Java that are supported by IUM. For the user name and password toaccess the web site, see the IUM Release Notes.

HP Internet Usage Manager (7.0 FP01)Page 72 of 116

Page 73: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 3: Installing IUM

To activate the 64-bit version of IUM, do the following:

1. Install IUM as described in "Installation Steps" (on page 52).

2. Determine where the Java executable file is for the version of the Java JDK you have installed. OnWindows, also locate the javaw.exe executable file. The following table shows sample directories.

The following are only typical locations of Java executables. Be sure to check the Java locationbefore installation.

Operating System Location

HP-UX 32-bit /opt/java1.6/bin/javaHP-UX uses the same Java executable for both 32- and 64-bit.

HP-UX 64-bit /opt/java1.6/bin/javaHP-UX uses the same Java executable for both 32- and 64-bit.

Solaris 32-bit /opt/java1.6/bin/javaSolaris uses the same Java executable for both 32- and 64-bit.

Solaris 64-bit /opt/java1.6/bin/javaSolaris uses the same Java executable for both 32- and 64-bit.

Linux 32-bit /opt/java1.6_32/bin/java

Linux 64-bit /opt/java1.6_64/bin/java

Windows 32-bit C:\Program Files\Java\jdk1.6.0_04\bin\java.exeC:\Program Files\Java\jdk1.6.0_04\bin\javaw.exe

Windows 64-bit C:\Program Files\Java\jdk1.6.0_04\bin\java.exeC:\Program Files\Java\jdk1.6.0_04\bin\javaw.exe

Typical Locations of Java Executable Files

3. Shut down all currently running IUM processes (other than the IUM Launchpad, configurationserver, and IUMHost Admin Agent).

4. Copy %CFGROOT%/SIUJava.ini to %CFGROOT%/SIUJava.ini.old.

5. In the Launchpad, select the host where you are activating the 64-bit version.

6. Select Actions -> Host Default Properties. This displays the properties that are used by default by allIUM processes running on the host. Shut down all currently running IUM processes (other than theIUM Launchpad, configuration server, and IUMHost Admin Agent).

7. Select Actions -> Host Default Properties. This displays the properties that are used by default by allIUM processes running on the host.

HP Internet Usage Manager (7.0 FP01)Page 73 of 116

Page 74: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 3: Installing IUM

Operating System Sample JVM and JVMW Properties

HP-UX 32-bit JVM=/opt/java1.6/bin/javaJVMW=/opt/java1.6/bin/java

HP-UX 64-bit JVM=/opt/java1.6/bin/javaJVMW=/opt/java1.6/bin/java

Solaris 32-bit JVM=/opt/java1.6/bin/javaJVMW=/opt/java1.6/bin/java

Solaris 64-bit JVM=/opt/java1.6/bin/javaJVMW=/opt/java1.6/bin/java

Linux 32-bit JVM=/opt/java1.6_32/bin/javaJVMW=/opt/java1.6_32/bin/java

Linux 64-bit JVM=/opt/java1.6_64/bin/javaJVMW=/opt/java1.6_64/bin/java

Windows 32-bit JVM=C:\Program Files\Java\jdk1.6.0_04\bin\java.exeJVMW=C:\Program Files\Java\jdk1.6.0_04\bin\javaw.exe

Windows 64-bit JVM=C:\Program Files\Java\jdk1.6.0_04\bin\java.exeJVMW=C:\Program Files\Java\jdk1.6.0_04\bin\javaw.exe

Sample JVM and JVMW Properties

8. Click Ok to save your changes and exit the Launchpad.

9. Shut down the IUMHost Admin Agent by executing the following command on UNIX:

%BINROOT%/siucontrol -JVMargs %CFGROOT%/SIUJAva.ini.old -cstopAgent

OnWindows, execute:

net stop <SIU>_adminagentserver

See the IUMAdministrator’s Guide for more information.

10. If the node is a configuration server, stop the configuration server using the following command:

%BINROOT%/siucontrol -JVMargs %CFGROOT%/SIUJava.ini.old -nConfigserver -c Stop

11. Use the activateSIUJava command to activate the desired mode. For example, the followingactivates the 64-bit version of IUM and creates 64-bit command aliases for all IUM commands inthe BINROOT directory:

java -jar /opt/SIU/sbin/activateSIUJava.jar /opt/SIU -act64

The following activates the 32-bit version of IUM and creates 32-bit command aliases for all IUMcommands in the BINROOT directory:

HP Internet Usage Manager (7.0 FP01)Page 74 of 116

Page 75: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 3: Installing IUM

java -jar /opt/SIU/sbin/activateSIUJava.jar /opt/SIU -act32

The following just creates command aliases for all IUM commands in the BINROOT directory basedon the current size setting:

java -jar /opt/SIU/sbin/activateSIUJava.jar /opt/SIU -createAliases

For more information, see the IUMCommand Reference and the IUMAdministrator's Guide.

12. Restart the IUMHost Admin Agent. See the IUMAdministrator's Guide for specific instructions.

HP Internet Usage Manager (7.0 FP01)Page 75 of 116

Page 76: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Chapter 4

Activating IUMYou must activate IUM before you can use the product. The activation process performs several tasks:

l Verifies your license file, in addition to licensing for any IUM product extensions.

l Configures the access path to the configuration server.

l Starts the host admin agent andMySQL database as daemons or services.

l Starts the configuration server (on the first IUM host only).

l Loads all configuration information into the configuration server (on the first IUM host only).

l Starts the management server, Operations Console, audit report server, IUMweb applicationserver, and policy server, if specified.

l If you purchased the license for a mobile solution (GPRS, CDMA, or Prepaid Data) along with IUM,the wizard checks your license and activates these mobile components.

l Allows you to specify database properties, whether you are using the IUMMySQL productextension, or an external database that you provide. If you are upgrading from an earlier version ofIUM (6.0 or higher), you can also point the activator to your database dump files that weregenerated during the migration process from Solid to MySQL. See "Running the DatabaseMigration" (on page 33) for more information on database migration files.

NOTE: You must activate IUM on the configuration server host first.

Activation Steps1. For any host (configuration server host, in addition to all other hosts in the deployment), copy your

IUM license file to the system if you have not already done so. See "Obtain an IUM License" (onpage 12) for more information.

2. To start the IUMActivation Wizard, enter the following command at the command prompt:

$>activate

This launches the activate command-line tool, which is typically in C:\SIU\bin onWindows or/opt/SIU/bin on UNIX. By default, this command displays the Activation Wizard in graphicalinterface mode, also accomplished by entering activate gui. The activate tool also has aconsole mode that you can launch (activate console), and a silent mode for unattendedactivation (activate silent). The instructions below use the activate guimode ofactivation. See "Unattended Install of IUM" (on page 69) for an example of silent installation andactivation, and "Console Installation and Activation" (on page 66) for more information on consoleinstall and activation. Also see the IUMCommand Reference for a complete listing of the activatetool’s options and usage (whether for the gui, console and silentmodes).

HP Internet Usage Manager (7.0 FP01)Page 76 of 116

Page 77: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 4: Activating IUM

NOTE: The activate tool’s consolemode is a standalone activation option within activate, andis not part of, or related to the IUMCommand Console (rather, activate functions in a similarmanner as the secactivate, secserveractivate, and ldifgen command-line tools).For more information on the IUMCommand Console, see the IUMAdministrator's Guide.

3. Follow the instructions in the Activation Wizard by providing the activation information whenprompted.a. Specify the configuration server options.

o Host is Config Server—Enables this system to host the IUM configuration server for thedeployment. Select this option only on the first IUM host.

o Repository Port—Accept the default (8300) or specify an unused repository server port.

o Security Port—Accept the default (8443) or specify an unused security port.

o Enable hosting of IOR URL by Config Server—Enables the configuration server to self-publish its IOR using an embedded HTTP server. See "Ensure Network Access to theConfiguration Server Host" (on page 14).

o IOR Port Number—Accept the default or specify an unused port number at which theconfiguration server can listen to requests for its IOR.

HP Internet Usage Manager (7.0 FP01)Page 77 of 116

Page 78: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 4: Activating IUM

o Location to store Config Server connection properties (File IOR)—The configuration serverwrites its IOR to the file C:\<Instance name>\var\ConfigServer.ior on Windows or/var/opt/<Instance name>/ConfigServer.ior on UNIX by default. If you use one of theother ways of publishing the Configuration Server’s IOR (see "Ensure Network Access tothe Configuration Server Host" (on page 14)), specify the appropriate path name to yourexternal HTTP, FTP, or file server.

The name of this file is stored with the keyword IORFILE in the SIU.ini property file. This isthe physical location of the IOR file. To make this file available to other IUM processes, youcan either enable the configuration server to publish the IOR URL or copy this file to thedocument root of a web server, an FTP server, or some other access service.

o License File —Specify the location of the IUM license file. Your IUM license file enables youto use only those IUM components that you purchased. The license is required for bothinstallation and activation, and is also required for installation of all hosts, not just theconfiguration server host. Be sure to store your license file in a secure location.

b. Specify the configuration server URL.

Config Server URL—Specify the configuration server IOR URL. On the configuration serverhost, this is typically the path name of the file containing the IOR, with the “file:” prefix. Forexample, "file:/C:/<Instance name>/var/ConfigServer.ior" onWindows or

HP Internet Usage Manager (7.0 FP01)Page 78 of 116

Page 79: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 4: Activating IUM

"file:/var/opt/<Instance name>/ConfigServer.ior" on UNIX. On a system other than theconfiguration server host, this is typically the URL of the IOR hosted on the configuration server.See "Ensure Network Access to the Configuration Server Host" (on page 14) for details.

c. Specify the Host ID.

o Host ID—Specify a unique name for this host in the IUM deployment.

NOTE: The host name must not be “Security” as this is a reserved name. The host namealso cannot be “.” or “..”, and should not contain spaces or special characters.

o Language—Enables the Launchpad to display localized text.

NOTE: Only English language text files currently ship with IUM.

d. Specify additional applications to activate (the below figure shows an example activation dialogwhen re-running activation after an IUM patch install).

HP Internet Usage Manager (7.0 FP01)Page 79 of 116

Page 80: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 4: Activating IUM

o Activate IUM ReportingWeb Application—Enables the IUM Reporting web application torun on this host. See the IUM Foundation Guide for details on Reporting.

o Activate Audit ReportingWeb Application—Enables the IUMAudit Reporting webapplication to run on this host. See the IUM Foundation Guide for details on Audit and AuditReporting.

o Activate Operations Console Web Application—Enables the IUMOperations Console webapplication to run on this host. The Operations Console is a tool for the IUM operatormonitoring your IUM deployment that provides quick, easy to view status of all yourcharging managers, collectors and other IUM processes. See the Operations Console UserGuide for more information.

NOTE: To use the Operations Console, you must also activate the IUMManagementServer as described below. While you can activate the Operations Console on any IUMserver, you only need to activate the Management Server on one IUM host.

o Activate Reference DataManager Web Application—Enables the Reference DataManager web application to run on this host. The Reference DataManager is a web-basedtool that allows you to view, create, modify, and delete reference data stored in a relationaldatabase. After IUM activation, additional configuration steps are required to use the

HP Internet Usage Manager (7.0 FP01)Page 80 of 116

Page 81: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 4: Activating IUM

Reference DataManager web application. See the IUMAdministrator’s Guide for moreinformation on the remaining steps required to complete setup of the Reference DataManager application for your deployment.

o Port Number—Accept the default or specify an unused port number for the port on whichthe web application server will listen for connections. This refers to the port number used byIUMweb applications (Reporting, Audit Reporting, Operations Console, Reference DataManager), and when you browse to the IUMWeb Tools page at http://<Host or IPaddress>:8159 (assuming a default port of 8159). Also see the IUMAdministrator’s Guidefor more information on starting web applications, such as the Operations Console andReference DataManager.

o Activate Policy Server—If you plan to use policy-based SNMP collection on this host,enables the IUM Policy Server to run on this machine.

NOTE: Additional configuration is required to use the Policy Server for policy-basedSNMP data collection. See the IUMComponent Reference for details on theDynamicSnmpEncapsulator and the PolicyServer components.

e. Specify whether the database you are using for IUM is the (embedded) MySQL database, or anexternal database you provide and support. If you installedMySQL with IUM, the followingdatabase properties activation screen will be available.

HP Internet Usage Manager (7.0 FP01)Page 81 of 116

Page 82: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 4: Activating IUM

By default, the Embedded option is selected if you installedMySQL and your license includes it.You can specify the following:

o Embedded/Port—The Embedded option is selected by default for MySQL if you installed theMySQL product extension. You can also accept the default (3306) database port number inthe corresponding Port field, or specify another unused port number.

o Import data—If migrating your database from a previous version of IUM, select this optionand specify the path to the creates.sql and inserts.sql scripts that contain your migrated data.This allows you to import your data from the previous database and is used for an upgradeinstallation. If you are using an external database, this option is not available. For moreinformation on database migration, see "Migrating IUM to MySQL" (on page 23).

o External—If you have the IUMMySQL product extension, but choose to use your owndatabase, the activator allows for this flexibility. For this scenario (with the External optionselected), the External Database portion of the dialog becomes available, allowing you tospecify the external database settings.

o JDBC Driver jar file for your chosen database

o JDBC Driver class

o Database URI

HP Internet Usage Manager (7.0 FP01)Page 82 of 116

Page 83: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 4: Activating IUM

o User name

NOTE: The database user must have sufficient privileges to access and modify thedatabase from the IUM host.

o Password

If you installed IUMwithout the MySQL product extension, the activator assumes you are usingyour own database. Accordingly, the Embedded option is unavailable and External is selectedby default, as this is the only allowable option (this state will also be indicated by the “NotInstalled” message in the Embedded Database field).

NOTE:For an external scenario where IUMwas installed with no database, the ExternalDatabase settings are required andmust be provided before proceeding with the activation.

NOTE:The database must be case-insensitive to table names. Oracle is case-insensitive totable names, and does not require any additional configuration (seehttp://download.oracle.com/docs/cd/B19306_01/server.102/b14200/sql_elements008.htm). For MySQL, however, the lower_case_table_names system variablemust be set to a value of 1.

HP Internet Usage Manager (7.0 FP01)Page 83 of 116

Page 84: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 4: Activating IUM

After entering all external database details, you can click Test Connection to ensure you haveconnectivity.

f. Choose whether to activate the IUMmanagement server.

Activate IUMManagement Server—Enables the IUMManagement Server, which supports theOperations Console. To use the Operations Console, you must activate the managementserver on any single host in your deployment. You can activate and use the OperationsConsole on any or all of your IUM hosts.

NOTE: The Management Server does not support configuration with multiple webapplication servers on different hosts.

g. After all activation options have been specified, a final summary of your activation settings isprovided.

HP Internet Usage Manager (7.0 FP01)Page 84 of 116

Page 85: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 4: Activating IUM

h. After verifying the activation information, click Finish to commence activation.

4. Verify the installation by running the Launchpad:

Windows: Select Start -> Programs -> Internet Usage Manager -> <Instance name> -> LaunchPad.

UNIX: Execute /opt/SIU/bin/launchpad or /opt/<Instance name>/bin/launchpad.

5. In the Launchpad, verify that the Host Id and the Config Server processes listed in the left pane areactive (green icon).

If the activation failed, check the activation log file to review and resolve the problem, and run theprogram again. The activation program logs its activities and results to the file activate.log, typicallyin C:\SIU\var\log\ onWindows and /var/opt/SIU/log/ on UNIX.

If the activation failed, check the activation log file to review and resolve the problem, and run theprogram again. The activation program logs its activities and results to the file activate.log, typically inC:\SIU\var\log\ onWindows and /var/opt/SIU/log/ on UNIX.

HP Internet Usage Manager (7.0 FP01)Page 85 of 116

Page 86: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Chapter 5

Upgrading IUMThe following topics show you how to upgrade from a previous version of IUM to the current version. Ifyou have a complex deployment or are migrating from an IUM release before version 6.0, you shouldcontact an HP consultant with expertise in IUMwhile planning, testing, and executing the migration.

Planning the Upgrade 86

Upgrade Prerequisites 87

Replacement of Legacy Report Server Impacts 87

Disabling Security for a 5.0 Deployment 88

Installing the Upgrade 88

Planning the UpgradeIUM supports upgrading to the current version only from version 6.0. The upgrade process may involveseveral preparation steps depending on your IUM deployment. Carefully consider the followingguidelines before you perform an upgrade:

l To avoid interrupting the smooth operation of your current environment, perform the upgrade onone or more test systems first. You may need to obtain additional system and network resources forthis purpose, but the effort will almost certainly be worthwhile. In addition, should not have any otherin-progress activity occurring at time of the upgrade (such as creating new processes and so on).

l You should ensure that your deployment reflects the same version of IUM (that is, all hosts in yourdeployment must be upgraded to the latest version so all versions match).

l Back up your database before starting the upgrade, as well as your overall IUM deployment. See theIUMAdministrator’s Guide for more information on backup procedures. For an upgrade installation,the only data migration that IUM supports is from the prior (embedded) Solid database to MySQL.Refer to "Migrating IUM to MySQL" (on page 23) for details related to migrating your database fromSolid to MySQL, and supported IUM upgrade paths. During activation, you will be prompted for yourSolid-to-MySQL migration details so you can migrate your data into the new 7.0 upgrade installation(see "Activating IUM" (on page 76) for more information). Also, during the upgrade, the activatorwill migrate your IUM configuration to the target database. This process changes the database URIsand database Driver class attributes to point to the new MySQL database. If you need to return to aprevious IUM version, you must uninstall IUM 7.0, reinstall the previous version, and restore thedatabase from your backup.

l Record the details of your deployment, including such information as the network topology, names ofhosts, collectors, session servers and other IUM processes, and any other relevant details.

HP Internet Usage Manager (7.0 FP01)Page 86 of 116

Page 87: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 5: Upgrading IUM

l If you are upgrading IUMwith the JRockit JVM, the JVM properties (for example, heap size or othersettings in SIUJava.ini) from your previous Oracle JDK-based deployment are not understood byJRockit and will not be migrated when upgrading. To prepare for the upgrade, you should keep arecord of any of these custom settings in SIUJava.ini (in addition to backing up your overallconfiguration), remove the old JVM settings, and then reset your custom JVM settings thatcorrespond to JRockit after the upgrade. Any other Oracle JDK-based customizations in your pre-7.0 deployment, such as those in SIU.ini, the configuration server, or host default properties, mustalso be updated to the corresponding JRockit parameters. For more information on JRockitparameters and details related to migrating from the Oracle JDK to JRockit, seehttp://download.oracle.com/docs/cd/E13150_01/jrockit_jvm/jrockit/geninfo/diagnos/migrate.html.

Upgrade PrerequisitesThis section describes steps you must take before upgrading IUM:

l If you are upgrading from any version of IUM earlier than version 6.0, you must first upgrade to IUM6.0. After upgrading to 6.0, you can then follow the instructions here to upgrade to version 7.0.

l You must stop all running Launchpad sessions before starting the upgrade.

l You must first upgrade the system hosting the configuration server, then upgrade all other hosts.

l If you are upgrading a non-root instance of IUM, follow steps 1-4 described in "Non-root Installationon UNIX" (on page 68). These steps are required before a non-root instance can be upgraded.

l When installing a new host with JRockit in a secured IUM deployment, the JRockit JVMmust beupgraded to unlimited security before activation.

Replacement of Legacy Report Server Impacts

For an upgrade from IUM version 5.0 to 6.0, the following steps can apply since the former ReportServer from earlier versions of IUM has now been replaced with the new WebApplication Server(WebAppServer):

1. Before upgrading from IUM version 5.0 to 6.0, if you have made any changes to or added anyfiles to the former Report Server (located in C:\SIU\var\webserver onWindows, or/var/opt/SIU/var/webserver on UNIX), you should back up these files before upgrading.

2. After upgrading from IUM version 5.0 to 6.0, you should reapply any Report Server (WebApplication Server) changes you made in your previous installation to your new IUM 6.0installation.

3. After upgrading from IUM version 5.0 to 6.0, you can remove the old “ReportServer” directory(this is a process information directory created once the former Report Server process is started).Since the former Report Server has been replaced with the Web Application Server, the newlocation is C:\SIU\var\webappserver onWindows, or /var/opt/SIU/var/webappserver onUNIX.

HP Internet Usage Manager (7.0 FP01)Page 87 of 116

Page 88: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 5: Upgrading IUM

4. Lastly, remove the webserver directory, which is in C:\SIU\var\webserver onWindows, or/var/opt/SIU/var/webserver on UNIX.

If you have not modified the former Report Server in any way, or if you are not upgrading from IUMversion 5.0, you can ignore steps 1 and 2, but you should perform step 3.

Disabling Security for a 5.0 Deployment

Before upgrading to IUM 7.0, a 5.0 deployment must first be upgraded to IUM 6.0. This sectiondescribes how to disable the IUM security module in 5.0 (in preparation for upgrading to 6.0), withoutremoving the core IUM product.

NOTE: If you are upgrading from 6.0 to 7.0, however, security does not need to be disabled.

CAUTION: You must remove IUM security from the host with the configuration server last.

1. Disable security in the configuration server by executing the following command on the IUM hostsystem with the configuration server:

$SIUHOME/bin/secureconfigserver -c off -login <user> -pw <password>

2. Perform the following steps on each host not running the configuration server:

a. Close all IUM client applications such as the Launchpad or file service wizard.

b. Stop the host admin agent by executing the net stop command onWindows:

net stop SIU_AdminAgentServer

Alternatively, use the Windows Services control panel. Select Start -> Settings -> Control Paneland double-click on the Services icon. Select the SIU_AdminAgentServer service. Click theStop button.

c. Remove the file C:\SIU\var\security from your system.

d. Start the host admin agent service by executing the net start command onWindows:

net start SIU_Adminagentserver

Alternatively, use the Windows Services control panel. Select Start -> Settings -> Control Paneland double-click on the Services icon. Select the SIU_AdminAgentServer service. Click theStart button. See the IUMAdministrator's Guide for more information on stopping and startingthe admin agent.

3. Repeat the above steps a through d for the host with the configuration server.

Installing the UpgradeFollow the steps described in "Installation Steps" (on page 52). During installation, when you reach thedialog that prompts you for an IUM Instance ID, choose the instance ID of your previous IUM installationto upgrade.

HP Internet Usage Manager (7.0 FP01)Page 88 of 116

Page 89: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 5: Upgrading IUM

This will upgrade your previous version of IUM to version 7.0 using the same instance name, and it willbe available under the new “Internet Usage Manager 7.0” program group after the installation. Afterthe upgrade installation is complete, you can activate IUM according to the steps in "Activation Steps"(on page 76).

When selecting the Embedded option, and with MySQL set as the database for IUM components, allexisting configurations in your deployment will be updated to work with MySQL. This includes updatingof all values and configurations (including templates) corresponding to MySQL.

In the activation parameters—and for an upgrade installation where you have elected to use the IUMMySQL database—you can select the Import data option and provide the path to the “creates.sql” and“inserts.sql” files that were generated by the IUMMySQL Migration Tool (see "Running the DatabaseMigration" (on page 33)).

For more information on migrating your database from Solid to MySQL, see "Migrating IUM to MySQL"(on page 23). Otherwise, if you are using your own (external) database, these options are notapplicable, and you must instead specify the details for your database in the External Database portionof the activator (see "Activation Steps" (on page 76)).

HP Internet Usage Manager (7.0 FP01)Page 89 of 116

Page 90: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Chapter 6

Activating Additional ComponentsIf you purchased and installed IUM, then later purchase a license to use additional IUM collectors orproducts, you receive a new license file. The new license file contains the license for the additionalcollectors or products. This chapter shows you how to view and upgrade your IUM license in order toactivate and run additional IUM components.

Viewing Your License 90

Upgrading Your License 90

Viewing Your LicenseYour IUM license file enables you to use those components that you purchased. You receive one licensefile for all products. When you install IUM, the license is installed into the configuration tree at /License,with the license for additional products under this root. For example, if you purchased aMobileProduct, the CDMA license is installed at /License/CDMA and the GPRS license installed at/License/GPRS. You can then activate the Mobile Solution.

After installing and activating IUM, you can view your IUM license in the Launchpad by first opening theTools -> Deployment Editor menu item. You should see a /License node in the configuration tree.

l If no nodes are under /License, you only have a core IUM product license.

l If other nodes are under /License, you have licenses for other components. For example/License/CDMA contains the CDMA license and /License/GPRS contains the GPRS license. If youpurchased additional product extensions (such as MySQL or JRockit), these are available under/License/OEM.

Upgrading Your LicenseIf you upgrade your IUM license to activate new collectors or if your old license is about to expire, youmust obtain and install a new license file. See "Obtain an IUM License" (on page 12) or contact your HPrepresentative to obtain a new license file.

NOTE: If your license expires or is invalid for some other reason, the configuration server will stoprunning. You will not be able to start it until you obtain and install a new license file. The license fileneeds to be installed only on the configuration server host. The configuration server provides thelicense information for all IUM products to all IUM hosts.

After you receive the new license file, install it as follows.

1. Copy the new license.config file to a temporary directory.

2. Run the updatelicense command as follows:

HP Internet Usage Manager (7.0 FP01)Page 90 of 116

Page 91: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 6: Activating Additional Components

If security is not installed:

updatelicense -f <license file name>

If security is installed:

updatelicense -f <license file name> -login <username> -pw<password>

where <license file name> is the complete path and file name of the new license file, <username>is the account name of the IUM administrator and <password> is the password to that account. Theupdatelicense command is typically in C:\SIU\bin onWindows and /opt/SIU/bin/ on UNIX.This command backs up your current license file to license.config.old and copies the new licensefile to the proper location (as specified in the SIU.ini file).

3. Restart the configuration server (or start it if it is not running). You can restart it by selecting it in theLaunchpad and right-clicking it to display the Restart Config Server option. Or, also in theLaunchpad, use Actions -> Restart Config Server.

HP Internet Usage Manager (7.0 FP01)Page 91 of 116

Page 92: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Chapter 7

Securing IUMThis chapter describes how to secure the communication between all IUM components and users byinstalling and configuring the optional IUM security module.

IUM security provides a robust authentication and authorization environment based on industrystandards to ensure security compliance. It lets you leverage your existing IT infrastructure and providesthe ability to integrate with external authentication systems. It transparently supports multipleauthentication mechanisms and transport protocols.

With IUM security, you can implement role-based access control and capture activity information forauditing purposes. It provides a comprehensive and extensible declarative authorization model, andsupports multiple profiles of transport layer security (TLS) combining authentication with optional dataencryption.

Security Installation Prerequisites 93

LDAP Bind and Kerberos Authentication 93

Kerberos Time Synchronization 94

Security Installation Steps 95

Step 1: Install IUM on First Host with Configuration Server 95

Step 2: Update the JVM 95

Step 3: Create the Security Properties File 96

Step 4: Verify the JCE Jurisdiction Policy 97

Step 5: Run secserveractivate to Process the Directory Layout Properties File 97

Step 6: Start the IUM Security Server 99

Step 7: Ensure Root Nodes from Directory Layout Properties File Present in LDAP 99

Step 8: Generate Security Information for Deployment (LDIF format) and Load into LDAPServer 100

Step 9: Activate Security on the IUMHost 103

Step 10: Restart the Host Admin Agent 104

Step 11: Stop the Management Server 104

Step 12: Secure the Configuration Server 104

Step 13: Restart the Configuration Server 104

Step 14: Start the Management Server 105

HP Internet Usage Manager (7.0 FP01)Page 92 of 116

Page 93: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 7: Securing IUM

Step 15: Verify the IUM Installation is Secure 105

Add Another Host to your Secure IUM Deployment 105

Add Another User to your Secure IUM Deployment 107

Choosing a Certificate Authority 107

Security Roles and Privileges 108

Disabling Security for a Deployment 109

Security Installation PrerequisitesBefore performing the actual configuration procedures described in "Security Installation Steps" (onpage 95), there are some background prerequisites you should be aware of first, in the areas of thesecurity authentication mechanisms that IUM employs, such as Kerberos and LDAP bind.

NOTE: This installation guide assumes you have access to and knowledge of LDAP directories andtools, and does not document LDAP itself.

LDAP Bind and Kerberos Authentication

If you plan to install IUM security, you must have access to an LDAP (Lightweight Directory AccessProtocol) server. For example, you could use Microsoft Active Directory, ApacheDS, OpenLDAP,RedHat Directory Server, or any other LDAP server. IUM stores security credentials and other securityinformation in an LDAP server and uses the LDAP server for authentication and authorization. Thissection discusses what is involved when configuring your LDAP server and how it impacts configuringIUM security.

IUM uses LDAP bind as the default authentication mechanism. However, if the LDAP server providesKerberos-based authentication, IUM can be configured to use Kerberos for authentication. Forexample, both Microsoft Active Directory and ApacheDS support Kerberos-based authentication.

Primary LDAP Server

What can first be considered is a scenario that uses two Microsoft Active Directory servers: one actingas the domain controller and the other as a subdomain. The primary LDAP server is the domaincontroller directory (as defined in terms of Microsoft Active Directory terminology), and contains theenterprise directory of all enterprise users. This allows integration of IUM security with an enterprisesecurity framework, and provides single sign-on with common credentials. The primary LDAP server isalso the authentication server and the Master directory (or the domain controller), that will hold all theuser accounts and be the original source of user authentication.

IUM assumes user accounts will be managed externally from IUM. For example, they are typicallycreated andmaintained by corporate IT. IUM security takes advantage of the corporate directoryinfrastructure and does not require modification of the corporate directory.

HP Internet Usage Manager (7.0 FP01)Page 93 of 116

Page 94: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 7: Securing IUM

NOTE: These instructions use ldap://<primary-dir>:<port>/ as the URI reference to your primaryenterprise directory. For a secure connection, it is ldaps://<primary-dir>:<port>/. This URI is usedonly when the configured authentication mechanism is LDAP bind.

The KDC (Kerberos Key Distribution Center) host is typically the same as the primary LDAP directoryhost, and the KDC port number is 88 by default. The Kerberos realm name is the domain nameconverted to uppercase characters.

NOTE: The KDC host, KDC port, and Kerberos realm name parameters are required only whenusing Kerberos authentication instead of the default LDAP bind authentication.

When using Kerberos as the authentication mechanism, the authentication identifier must follow theKerberos principal name format, which is <name>@<Kerberos realm name>. For example,[email protected], where “scott” is the user name and “EXAMPLE.COM” is the Kerberos realmname. However, only the user name component is used to associate user capabilities in the secondaryLDAP directory that contains IUM-specific data. In this case, the secondary LDAP directory will use“scott” as the identifier to associate user capabilities for the Kerberos principal name“[email protected]”.

Secondary LDAP Server

NOTE: Installing the secondary LDAP server is optional, since you can configure IUM security using asingle directory. Use the following URI as the reference to your secondary enterprise directory:ldap://<secondary-dir>:<port>/ or for a secure connection: ldaps://<secondary-dir>:<port>/.

The secondary LDAP directory contains IUM-specific data about IUM hosts, processes and users,including the capabilities of each user. The secondary LDAP server is the authorization server. This isthe Child directory, which will be in charge of the IUM subdomain, and hold user and serverauthorization information. All IUM-related updates go into the secondary directory, keeping the masterdirectory static and read-only.

NOTE: This is not required but can be a beneficial capability.

Kerberos Time Synchronization

When using Kerberos authentication, time synchronization on servers in the deployment is crucial forthe proper functioning of IUM security. Since the security of Kerberos authentication is in part (pre-authentication) based upon the timestamps of tickets, it is critical to have machine times set correctly onservers exchanging data via Kerberos.

A short lifetime for tickets is used to prevent attackers from performing successful brute force attacks orreplay attacks. Since clock synchronization is vitally important in the security of the Kerberos protocol, iftimes are not synchronized, Kerberos will report authentication errors. Clients attempting toauthenticate from a server with an inaccurate time setting will be rejected by the KDC in authenticationattempts, due to the time difference with the KDC’s time. Consequently, you should synchronize time onall the hosts with an NTP time server, so that servers using Kerberos have their time automaticallysynchronized. Also see "Provide a Time Synchronization Mechanism" (on page 18) for moreinformation.

HP Internet Usage Manager (7.0 FP01)Page 94 of 116

Page 95: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 7: Securing IUM

Security Installation StepsThe following is the overall process for securing an IUM deployment:

1. Install IUM on the first host of the deployment, where the configuration server will run. See"Installation Steps" (on page 52) and "Activation Steps" (on page 76) for complete instructions.

2. Update the Java JVM (Java Virtual Machine).

3. Create the IUM security server directory layout properties file using a template.

4. Verify the JVM JCE jurisdiction policy in your deployment environment.

5. Run the secserveractivate command to process the directory layout properties file (external-dir.properties) and set up the directory structure for IUM.

6. Start the IUM security server.

7. Ensure all root nodes specified in the directory layout properties file are present in LDAP.

8. Generate security information for the deployment (in LDIF format) and load it into the LDAP server.

9. Activate security on the IUM host.

10. Restart the host admin agent.

11. Stop the management server after the admin agent has finished starting.

12. Secure the configuration server.

13. Restart the configuration server.

14. Start the management server.

15. Verify that the IUM installation is secure.

Step 1: Install IUM on First Host with Configuration Server

Install IUM on the first host of the deployment, where the configuration server will run. See "InstallationSteps" (on page 52) and "Activation Steps" (on page 76) for complete instructions. Proceed to "Step 2:Update the JVM" (on page 95).

Step 2: Update the JVM

Update the JVM (Java Virtual Machine). You must apply encryption policies to the Java runtimeenvironments, including any JRE or JDK used by IUM as follows.

NOTE: Before overwriting the property and zip files as described here, back them up.

For the JRE version 1.6, download the Java Cryptography Extension (JCE) Unlimited StrengthJurisdiction Policy Files 6 fromhttp://www.oracle.com/technetwork/java/javase/downloads/index.html. This will download a jce_policy-6.zip file. Copy it to %JRE1.6_HOME%\jre\lib\security and unzip it. The following files will becreated or will replace existing files in the directory:

HP Internet Usage Manager (7.0 FP01)Page 95 of 116

Page 96: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 7: Securing IUM

l local_policy.jar - Unlimited strength local policy file

l US_export_policy.jar - Unlimited strength US export policy file

NOTE: Due to import control restrictions, the version of the JCE policy files that are bundled in theJDK environment allow “strong” but limited cryptography. This may impose serious limitations to IUMsecurity modules while those are in testing. The jurisdiction policy files are available in a separatedownload bundle and contain no restrictions on cryptographic strengths. These files do not containany encryption functionality since this functionality is already supported in the JDK or extensionlibraries such as Bouncy Castle. Refer to the README file in the bundle for additional information. Ifyou purchased the JRockit JVMwith IUM, it must also be updated with unlimited encryption.

Proceed to "Step 3: Create the Security Properties File" (on page 96).

Step 3: Create the Security Properties File

Create the IUM security properties file that defines the directory layout, based on the provided examplelayout properties file. Locate the example properties file in:

$VARROOT/securityserver/conf/external-dir.properties.example

or

$VARROOT/securityserver/conf/external-dir.properties.active-directory.example for ActiveDirectory)

Use this file as a basis for your own properties file that you can modify as needed. $VARROOTrepresents the “var” directory where IUM is installed, for example C:\SIU\var onWindows or/var/opt/SIU on UNIX. This file contains the default directory structure of the IUM security informationand is shown in the diagram below. It assumes your user data is already contained in your primaryenterprise directory. You must create a file based on the file external-dir.properties.example (or basedon the file external-dir.properties.active-directory.example for Active Directory) to represent yourdirectory structure. The following figure illustrates the LDAP primary and secondary server domains.

HP Internet Usage Manager (7.0 FP01)Page 96 of 116

Page 97: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 7: Securing IUM

Proceed to "Step 4: Verify the JCE Jurisdiction Policy" (on page 97).

Step 4: Verify the JCE Jurisdiction Policy

Verify the JVM JCE jurisdiction policy in your environment by executing the following command:

$SIUHOME/bin/secactivate encr

If this command prints “UNLIMITED”, proceed with security server activation as described in the nextstep. If the command prints “LIMITED”, go back to "Step 2: Update the JVM" (on page 95) to configureyour JVMwith the unlimited JCE jurisdiction policy.

Proceed to "Step 5: Run secserveractivate to Process the Directory Layout Properties File" (on page 97).

Step 5: Run secserveractivate to Process the Directory Layout Properties File

Run one of the following secserveractivate commands to process the external-dir.properties fileand set up your directory structure for IUM. See the IUMCommand Reference for details on thiscommand.

LDAP Bind Authentication Commands

To activate the security server with LDAP bind as the authentication mechanism, use these commands.

For Microsoft Active Directory:

$SIUHOME/bin/secserveractivate init-loginldapserver "ldap://primaryserver:10389/"

HP Internet Usage Manager (7.0 FP01)Page 97 of 116

Page 98: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 7: Securing IUM

-lookupldapserver "ldap://secondaryserver:10389/"-layout my-edited-external-dir.properties-user "CN=Administrator,CN=Users,DC=example,DC=hp,DC=com"-password "password" -force

For ApacheDS:

$SIUHOME/bin/secserveractivate init-loginldapserver "ldap://primaryserver:10389/"-lookupldapserver "ldap://secondaryserver:10389/"-layout my-edited-external-dir.properties-user "uid=admin,ou=system"-password "secret" -force

NOTE: The -layout option must point to the external-dir.properties file created in "Step 3: Createthe Security Properties File" (on page 96).

Keep in mind these points when executing secserveractivate with LDAP bind authentication:

l Specify the primary (authentication) LDAP server after the -loginldapserver option.

l Specify the secondary (authorization) LDAP server after the -lookupldapserver option.

l Specify the location of the my-edited-external-dir.properties file that you created in the previous stepafter the -layout option.

l Specify the user name and password of a user that has read access to the secondary LDAP serverafter the -user option and the -password option, respectively (this typically is not an IUM usercredential).

l Specify the -force option to update the configuration files.

Kerberos Authentication Commands

To activate the security server with Kerberos as the authentication mechanism, use these commands.

For Microsoft Active Directory:

$SIUHOME/bin/secserveractivate init-krb -kdchost "<kdc host name>" -kdcport "<kdc port>"-dr "<kerberos realm name>"-lookupldapserver "ldap://secondaryserver:10389/"-layout my-edited-external-dir.properties-user "CN=Administrator,CN=Users,DC=example,DC=hp,DC=com"-password "password" -force

For Apache DS:

$SIUHOME/bin/secserveractivate init-krb -kdchost "<kdc host name>" -kdcport "<kdc port>"-dr "<kerberos realm name>"-lookupldapserver "ldap://secondaryserver:10389/"-layout my-edited-external-dir.properties

HP Internet Usage Manager (7.0 FP01)Page 98 of 116

Page 99: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 7: Securing IUM

-user "uid=admin,ou=system"-password "secret" -force

NOTE: The -layout option must point to the external-dir.properties file created in "Step 3: Createthe Security Properties File" (on page 96).

Keep in mind these points when executing secserveractivate with Kerberos authentication:

l Specify the Kerberos Key Distribution Center host after the -kdchost option.

l Specify the Kerberos Key Distribution Center port after the -kdcport option.

l Specify the Kerberos realm name after the -dr option.

l Specify the secondary (authorization) LDAP server after the -lookupldapserver option.

l Specify the location of the external-dir.properties.example file that you edited in the previous stepafter the -layout option ($VARROOT represents the “var” directory where IUM is installed, forexample C:\SIU\var onWindows or /var/opt/SIU on UNIX).

l Specify the user name and password of a user that has read access to the secondary LDAP serverafter the -user option and the -password option, respectively (this typically is not an IUM usercredential).

l Specify the -force option to update the configuration files.

Proceed to "Step 6: Start the IUM Security Server" (on page 99). Also see "Security InstallationPrerequisites" (on page 93) for more information on time synchronization issues with Kerberos.

Step 6: Start the IUM Security Server

Start the IUM security server using the following command:

$SIUHOME/bin/securityserver init

The securityserver command will create a certificate authority and generate all requiredcertificates. To ensure this takes effect, restart the security server as follows:

$SIUHOME/bin/securityserver stop$SIUHOME/bin/securityserver start

Proceed to "Step 7: Ensure Root Nodes from Directory Layout Properties File Present in LDAP" (on page99).

Step 7: Ensure Root Nodes from Directory Layout Properties File Present inLDAP

Ensure all the root nodes specified in the directory layout properties file (external-dir.properties) arepresent in LDAP. For example, if the following properties were specified:

com.hp.usage.security.directory.config.root_context =dc=example,dc=hp,dc=comcom.hp.usage.security.directory.config.group_dn_pattern =cn={Group},ou=IUMGroups,{RootContext}

HP Internet Usage Manager (7.0 FP01)Page 99 of 116

Page 100: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 7: Securing IUM

com.hp.usage.security.directory.config.user_dn_pattern =uid={User},ou=IUMUsers,{RootContext}com.hp.usage.security.directory.config.host_dn_pattern =ou={Host},ou=IUMHosts,{RootContext}

The following nodes must be present in the directory:

dn: ou=IUMGroups,dc=example,dc=hp,dc=comdn: ou=IUMUsers,dc=example,dc=hp,dc=comdn: ou=IUMHosts,dc=example,dc=hp,dc=com

If such nodes are not yet present, they can be created using an example LDIF such as below:

dn: ou=IUMGroups,dc=example,dc=hp,dc=comobjectClass: organizationalUnitobjectClass: topou: IUMGroups

dn: ou=IUMUsers,dc=example,dc=hp,dc=comobjectClass: organizationalUnitobjectClass: topou: IUMHosts

dn: ou=IUMHosts,dc=example,dc=hp,dc=comobjectClass: organizationalUnitobjectClass: topou: IUMUsers

For Microsoft Active Directory, such an LDIF file would look like the following:

dn: CN=Groups,DC=iumtest,DC=cup,DC=hp,DC=comobjectClass: containerobjectClass: topcn: Groups

NOTE: dn: CN=Groups,DC=iumtest,DC=example,DC=hp,DC=com and dn:CN=Computers,DC=iumtest,DC=example,DC=hp,DC=com may already be part of theDC=iumtest,DC=example,DC=hp,DC=com domain.

Proceed to "Step 8: Generate Security Information for Deployment (LDIF format) and Load into LDAPServer" (on page 100).

Step 8: Generate Security Information for Deployment (LDIF format) andLoad into LDAP Server

Configure the LDAP server to contain IUM security information for the deployment, and load it into thesecondary LDAP server. Use the ldifgen command as described below to generate LDIF (LDAP DataInterchange Format) files with user roles, and load the LDIF files into the secondary LDAP directory.Each user role is implemented as a group, which contains the list of users who have that role. Each rolemeanwhile encompasses a set of privileges. Also see the IUMCommand Reference for moreinformation on ldifgen.

HP Internet Usage Manager (7.0 FP01)Page 100 of 116

Page 101: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 7: Securing IUM

1. Create role records in the form of LDAP group entries. Use the ldifgen command:

ldifgen

2. Create a host record for the main IUM host (where the configuration server is running) for theLDAP directory. Use an ldifgen command like the following:

n For Microsoft Active Directory LDAP server:

ldifgen gen -type active-directory -host "<IUM host name>" -configsvr

n For ApacheDS LDAP server:

ldifgen gen -type apache-ds-host "<IUM host name>" -configsvr

n For RedHat Directory Server:

ldifgen gen -type redhat-host "<IUM host name>" -configsvr

n For OpenLDAP server:

ldifgen gen -type open-ldap -host "<IUM host name>" -configsvr

NOTE: When adding a new non-ConfigServer node in a secured deployment, you must usethe ldifgen tool on a different node (that is, a pre-existing node that has been activated).

3. To create a record for the management server, the operations console server, the report server, orthe audit reports server (which themselves live in the web application server container) for theLDAP directory (if you have a corresponding server configured for the given host), any of thefollowing ldifgen command parameters could be specified and combined.

NOTE: There can only be one configuration server, management server, operations consoleserver, report server, and audit reports server per deployment.

n For Microsoft Active Directory LDAP server:

ldifgen gen -type active-directory -host "<IUM host name>" -management "<management server name>" -opsconsole -reporting -auditreports

n For ApacheDS LDAP server:

ldifgen gen -type apache-ds -host "<IUM host name>" -management"<management server name>" -opsconsole -reporting -auditreports

n For RedHat Directory server:

ldifgen gen -type redhat -host "<IUM host name>" -management"<management server name>" -opsconsole -reporting -auditreports

n For OpenLDAP server:

ldifgen gen -type open-ldap -host "<IUM host name>" -management"<management server name>" -opsconsole -reporting -auditreports

4. Create a security administrative user record for the LDAP directory. Use an ldifgen command like

HP Internet Usage Manager (7.0 FP01)Page 101 of 116

Page 102: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 7: Securing IUM

the following, and give at least full SecurityAdmin privileges to this security administrative user. See"Security Roles and Privileges" (on page 108) for the complete list of roles.

n For Microsoft Active Directory LDAP server:

ldifgen gen -type active-directory -user "<security admin username>" -roles "User,SecurityAdmin" -password <password>

n For ApacheDS LDAP server:

ldifgen gen -type apache-ds -user "<security admin user name>" -roles "User,SecurityAdmin" -password <password>

n For RedHat Directory server:

ldifgen gen -type redhat -user "<security admin user name>" -roles "User,SecurityAdmin" -password <password>

n For OpenLDAP server:

ldifgen gen -type open-ldap -user "<security admin user name>" -roles "User,SecurityAdmin" -password <password>

5. Upload all $VARROOT/ldif/<user name>/user-add-<user name>.ldif files into the primary LDAPserver (ApacheDS, OpenLDAP, RedHat DS), or use vendor-specific administrative tools to createrequired user profiles (Microsoft Active Directory, RedHat DS).

6. Upload all the remaining generated LDIF files into the secondary LDAP server (in a single-directoryconfiguration, this is the same as the primary LDAP server). This consists of the following files,depending on your hosts and users. Use the tools that came with your LDAP server to upload theLDIF files. For instance, use java -jar apacheds-tools.jar import -f <ldiffile name> to upload LDIF files into the Apache DS server from the command line.

n $VARROOT/ldif/group-add.ldif

n $VARROOT/ldif/<IUM host name>/host-add-<host name>.ldif

n $VARROOT/ldif/<IUM host name>/configsvr-add.ldif

n $VARROOT/ldif/<IUM host name>/management-add.ldif

n $VARROOT/ldif/<IUM host name>/operationsconsole-add.ldif

n $VARROOT/ldif/<IUM host name>/reporting-add.ldif

n $VARROOT/ldif/<IUM host name>/auditreports-add.ldif

n $VARROOT/ldif/<user name>/user-groups-add-<user name>.ldif

n $VARROOT/ldif/<IUM host name>/rdm-add.ldif

Generate Security Information for the Reference Data Manager

Take the following steps if you have activated and are using the Reference DataManager webapplication:

HP Internet Usage Manager (7.0 FP01)Page 102 of 116

Page 103: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 7: Securing IUM

1. After running the groups-add.ldif, verify that the LDAP structure has two new roles: RefdataReadand RefdataWrite created. For more information on RDM roles, see the IUM Administrator'sGuide.

2. In "Step 8: Generate Security Information for Deployment (LDIF format) and Load into LDAPServer" (on page 100), add the "–rdm" option for the ldifgen commands step (#3) above, butchange to the following:

ldifgen gen -type apache-ds -host "<IUM host name>" -management"<management server name>" -opsconsole -reporting –auditreports –rdm

3. On running the above command, two additional LDIF files are generated (rdm-add.ldif, rdm-remove.ldif), which need to be imported. The location of the files is $VARROOT/ldif/<IUM hostname>/rdm-add.ldif. Along with all other LDIF files, import rdm-add.ldif.

Otherwise, proceed to "Step 9: Activate Security on the IUMHost" (on page 103). For moreinformation on Reference DataManager setup and usage, see the IUM Administrator's Guide.

Step 9: Activate Security on the IUM Host

Activate security on the IUM host by running the security activation command (secactivate). Use theadministrative user and password you created in the previous step (see "Step 8: Generate SecurityInformation for Deployment (LDIF format) and Load into LDAP Server" (on page 100)). For moreinformation on the secactivate command, see the IUMCommand Reference for more information.

$SIUHOME/bin/secactivate.exe init -server localhost -port 8443 -storepass <key store password> -force -- login -user <security adminuser> -password <security admin password> -- hostkey

Keep in mind the following when executing secactivate:

l Specify the server name of the host where the security server is running after the -server option.

l Specify port number 8443 after the -port option.

l Specify the user and password of an IUM user that has ServerAdmin privileges in the -user and -password options.

l Specify the password of the key store after the -storepass option.

NOTE: Double hyphens (--) separate additional commands after init (login and then hostkey).Such secactivate commands executed from the same command line with other commands suchas the above require this separation.

These commands can also be performed in an interactive mode. For example:

$SIUHOME/bin/secactivate.exesecactivate>init -server localhost -port 8443 -storepass <password> -forcesecactivate>loginLDAP loginUsername: <security admin user>

HP Internet Usage Manager (7.0 FP01)Page 103 of 116

Page 104: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 7: Securing IUM

Password: *****secactivate>hostkey -force

Proceed to "Step 10: Restart the Host Admin Agent" (on page 104).

Step 10: Restart the Host Admin Agent

Restart the host admin agent. You can use the followingWindows commands:

net stop SIU_Adminagentserver

$SIUHome/bin/securityserver stop

net start SIU_Adminagentserver

Alternatively, use the Windows Services control panel. Select Start -> Settings -> Control Panel anddouble click on the Services icon. Select the SIU_AdminAgentServer service. Click the Start button. Seethe IUMAdministrator's Guide for more information on stopping and starting the admin agent.

NOTE: Once the security server is activated, and IUM is restarted as shown above, the admin agentwill start the security server. In addition, the admin agent will also stop the security server as part ofits own shutdown.

NOTE: Ensure that all IUM processes are fully started before executing "Step 11: Stop theManagement Server " (on page 104).

Step 11: Stop the Management Server

Stop the management server after the admin agent has finished starting:

$SIUHOME/bin/siucontrol -c stopProc -n ManagementServer -login <user>-pw <password>

Proceed to "Step 12: Secure the Configuration Server" (on page 104).

Step 12: Secure the Configuration Server

Secure the configuration server by running the secureconfigserver command:

$SIUHOME/bin/secureconfigserver -c on -login <user> -pw <password>

Specify the user name and password of the IUM user (any user can enable the configuration server).Proceed to "Step 13: Restart the Configuration Server" (on page 104).

Step 13: Restart the Configuration Server

Restart the configuration server by using either the siucontrol command or the Launchpad. In theLaunchpad, select the ConfigServer process and use the Actions -> Restart Config Server menu. Or,use the following siucontrol command:

$SIUHOME/bin/siucontrol -n ConfigServer -c RestartProc -login <user> -pw <password

HP Internet Usage Manager (7.0 FP01)Page 104 of 116

Page 105: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 7: Securing IUM

Specify the user name and password of an IUM user that has ServerAdmin andMonitor privileges.Proceed to "Step 14: Start the Management Server" (on page 105).

Step 14: Start the Management Server

Use the following siucontrol command to start the management server:

$SIUHOME/bin/siucontrol -c startProc -n ManagementServer -login <user>-pw <password>

Proceed to "Step 15: Verify the IUM Installation is Secure" (on page 105).

Step 15: Verify the IUM Installation is Secure

Verify that the IUM installation is secure by verifying one or more of the following:

l Run the Launchpad and log in as one of the users you set up. You should see all the processes listedwith the correct status.

l Check the host admin agent log file. No error messages should be present.

l Create, start or stop a demo collector. Check the host log file to make sure no errors are reportedfor the collector.

Add Another Host to your Secure IUM DeploymentPerform the following to steps to add another host to a secure IUM deployment.

1. Ensure IUM is installed and secure on the first host in the deployment. This is the host where theconfiguration server is running.

NOTE: On the second (and each subsequent) host, the JVM JCE should be with set to anunlimited jurisdiction policy. Accordingly, for each new host you will add to the securedeployment, ensure that you perform "Step 4: Verify the JCE Jurisdiction Policy" (on page 97).

The embedded JRockit JVM also requires an update for unlimited JCE, as with any externalJVM.

2. Create a host record for the IUM host for the LDAP directory. For each host in your IUMdeployment, a corresponding record in the LDAP directory must be created prior to activatingsecurity. Use an ldifgen command like the following. For more details on the ldifgen command,see the IUMCommand Reference.

n For Microsoft Active Directory LDAP server:

ldifgen gen -type active-directory -host "<IUM host name>"

n For ApacheDS LDAP server:

ldifgen gen -type apache-ds -host "<IUM host name>"

HP Internet Usage Manager (7.0 FP01)Page 105 of 116

Page 106: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 7: Securing IUM

NOTE: This step can only be performed on the host where the security server has beenactivated.

3. The ldifgen command creates an LDIF file you must upload to your secondary LDAP server.Upload the generated LDIF file into the secondary LDAP server using the tools that came with yourLDAP server. The name of the resulting LDIF file depends on the host name you provided (shownbelow):

$VARROOT/ldif/<host name>/host-add-<host name>.ldif

4. Install IUM on the new host. See "Installing IUM" (on page 52) and "Activating IUM" (on page 76).

NOTE: If you are adding another host with the embedded JRockit JVM, it should be alsoupdated with the corresponding encryption policies described earlier in "Step 2: Update theJVM" (on page 95).

5. Run the activate command as described in "Activation Steps" (on page 76). The activatecommand is in the $SIUHOME/bin directory.

activate

6. When the Security Host Information window is displayed as shown below, enter the requestedinformation and click Ok.

n Security Server Host - Enter the IP address or host name of the system where the IUM securityserver is running. This is typically the host where the configuration server is running.

n Security Server Port - Enter the port number of the security server. This is typically port number8443.

n Admin User Name - Enter the user name of an IUM user that has administrative privileges. Inparticular, this user must have the ServerAdmin, UserAdmin and SecurityAdmin roles. See"Add Another User to your Secure IUMDeployment" (on page 107) for information on usersand roles.

n Admin User Password - Enter the password for the administrative user.

7. Complete the activation steps as described in "Activation Steps" (on page 76).

HP Internet Usage Manager (7.0 FP01)Page 106 of 116

Page 107: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 7: Securing IUM

Add Another User to your Secure IUM DeploymentTo add another user to a secure IUM deployment, first create a user record for the LDAP directory. Usean ldifgen command like one of the following examples, and give appropriate privileges to eachuser. See "Security Roles and Privileges" (on page 108) for the complete list of roles and privileges. Formore information on the ldifgen command, see the IUMCommand Reference.

For example, the following command creates an administrative “superuser” by giving all privilegesexcept security administration.

l For Microsoft Active Directory LDAP server:

ldifgen gen -type active-directory -user "<admin superuser name>" -roles "User,Query,Monitor,ConfigRead,ConfigWrite,ServerAdmin"

l For ApacheDS LDAP server:

ldifgen gen -type apache-ds -user "<admin superuser name>" -roles"User,Query,Monitor,ConfigRead,ConfigWrite,ServerAdmin"

Meanwhile, the following command creates a user with fewer privileges.

l For Microsoft Active Directory LDAP server:

ldifgen gen -type active-directory -user "<user name>" -roles"User,Query,Monitor,ConfigRead,ConfigWrite"

l For ApacheDS LDAP server:

ldifgen gen -type apache-ds -user "<user name>" -roles"User,Query,Monitor,ConfigRead,ConfigWrite"

The ldifgen command creates an LDIF file you must upload to the secondary LDAP server. Upload thegenerated LDIF file into the secondary LDAP server using the tools that came with your LDAP server. Thename of the resulting LDIF file depends on the user name you provided (shown below):

$VARROOT/ldif/<user name>/user-add-<user name>.ldif

Choosing a Certificate AuthorityThere are three options when setting up your certificate authority:

1. Use the default certificate. By default, IUM includes a default certificate to enable secure (SSL) webconnections, but this certificate is provided by HP as a starter certificate and would be the same forany default deployment.

NOTE: The default certificate provides basic secure connectivity but should only be used on atemporary basis. It will not protect against some kinds of attacks, such as server addressspoofing. Additionally, using the default certificate will also produce browser warnings. The firstwarning will concern the certificate authority not being trusted. Further warnings will relate to amismatching server IP address, since the default certificate does not have an IP addressspecified within it.

HP Internet Usage Manager (7.0 FP01)Page 107 of 116

Page 108: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 7: Securing IUM

2. Optionally, use the keytool command to generate a self-signed certificate and a key store toreplace the default certificate. You can use it to generate a certificate without involving an externalauthority, in order to replace the default certificate included with IUM. Using keytool, however, willsecure connectivity but some browser warnings will be generated. To execute keytool:

keytool -genkey -keyalg "RSA" -dname "CN=<IP_ADDRESS>" -validity<DAYS> -alias IUMWeb -keystore keystore.ks -storepass "<PASSWORD>"-keypass "<PASSWORD>"

3. Use an externally-generated certificate signed by a recognized authority, such as VeriSign orotherwise. This is the most secure and user-friendly option for web applications.

After enabling a certificate authority other than the default, restart the web server to activate the newsecurity settings.

Security Roles and PrivilegesThis section describes IUM roles and corresponding privileges. When you set up users for IUM toolssuch as the Launchpad, the Operations Console, and IUM commands (ldifgen), you must give each userthe roles that allows them to perform the tasks they need to perform. See the following tables for IUMroles and the privileges accorded to each role.

User Role Privilege

User Designates a person who will use IUM (as opposed to an IUM host or process.) Givethis role to every user.

Monitor Allows the user to view the status of IUM processes. See also the Diagnostics role.

Diagnostics Allows the user to run diagnostics activities such as viewing log files and processstatistics. See also the Monitor role.

ConfigRead Allows the user to view the deployment configurations in the configuration server, forexample through the Launchpad or the saveconfig command. In the OperationsConsole, this allows the user to see the deployment topology of charging managers,collectors and so forth.

Query Allows the user to query the data of an IUM process such as a collector or chargingmanager using, for example the Launchpad or the siuquery command.

ReportUser Allows access to web applications, such as Reports and Audit Reports. Users musthave this role in order to access web applications.

RefdataRead View Reference DataManager tables that belong to the DEFAULT category.

RefdataWrite View and edit Reference DataManager tables that belong to the DEFAULT category.

IUM User Roles and Privileges

The following table describes administrative roles and privileges.

HP Internet Usage Manager (7.0 FP01)Page 108 of 116

Page 109: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 7: Securing IUM

Admin Role Privilege

ConfigWrite Allows the user to modify the configurations in the configuration server, for examplethrough the Launchpad or the loadconfig command.

CAUTION: This capability allows a user to modify your IUM deployment.

ServerAdmin Allows the user to perform administrative operations on IUM processes, for examplestart, stop and clean up charging managers, collectors, file services and other IUMprocesses. Also allows the user to perform administrative actions on the IUM securityserver such as generating the host key.

CAUTION: This capability allows a user to modify your IUM deployment.

SecurityAdmin Designates the IUM security administrator. Allows the user to perform all security-related activities such as security setup and configuration.

CAUTION: This capability allows a user to modify your IUM deployment.

Management Allows the user to create, delete and modify groups of servers in the IUMOperations Console. For more information about the Operations Console, see theOperations Console User Guide.

UserAdmin This role is deprecated and is only retained for backward compatibility.

ReportAdmin Allows report management, such as creating, editing, and deleting of reports.ReportAdmin is required to access the Web Application server and Audit Reportserver for access to IUMweb applications andmanaging reports when security isenabled. ReportAdmin is needed if you create, edit, or delete reports (while incontrast, only ReportUser is needed to just view the reports).

IUM Administrator Roles and Privileges

The following table lists additional IUM roles only for IUM hosts and processes.

HostRole Description

Server Designates an IUM server such as a charging manager, a collector, the configurationserver, the Launchpad and so forth.

Host Designates an IUM host system where IUM processes are running.

IUM Host Roles

Disabling Security for a DeploymentThis section describes how to remove the IUM security module without removing the core IUM product.

CAUTION: You must remove IUM security from the host with the configuration server last.

HP Internet Usage Manager (7.0 FP01)Page 109 of 116

Page 110: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 7: Securing IUM

1. Disable security in the configuration server by typing the following command on the IUM hostsystem with the configuration server:

$SIUHOME/bin/secureconfigserver -c off -login -<user> -pw<password>

NOTE: It is recommended you should already have stopped the management server prior toexecuting this command.

NOTE: You must first have the ConfigWrite privilege as a prerequisite to running thesecureconfigserver command.

2. (For non-security server hosts) Refer to step 3 below and perform steps 3a, 3b and 3e.

3. (For the host running the security server) Perform the following steps:

As of the current release, the security server and configuration server are always the same host.

a. Close all IUM client applications such as the Launchpad or file service wizard.

b. Stop the host admin agent. You can use the followingWindows “net stop” command:

net stop SIU_AdminAgentServer

Alternatively, use the Windows Services control panel. Select Start -> Settings -> Control Paneland double-click on the Services icon. Select the SIU_AdminAgentServer service. Click theStop button.

For HP-UX: /sbin/init.d/SIU stop_agent

For Linux and Solaris: /etc/init.d/SIU stop_agent

c. Stop the SecurityServer as follows:

$SIUHOME/bin/securityserver stop

d. For only a host that runs the security server, execute the following command:

$SIUHOME/bin/secserveractivate uninstall

This commandmodifies the %VARROOT%/activateIUM.ini file to deactivate the security server.

e. For all other hosts (that is, that are not running the security server), execute the followingcommand to deactivate security:

$SIUHOME/bin/secactivate uninstall

This removes the %VARROOT%/security file to disable security, and also removes the hostkeystore file.

4. Restart the host admin agent service on all servers. You can use the followingWindows “net start”command:

net start SIU_AdminAgentServer

HP Internet Usage Manager (7.0 FP01)Page 110 of 116

Page 111: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 7: Securing IUM

Alternatively, use the Windows Services Control Panel. Use the Start -> Settings -> Control Panel -> Services icon. Select the SIU_AdminAgentServer service. Click the Start button.

For HP-UX: /sbin/init.d/SIU start_agent

For Linux and Solaris: /etc/init.d/SIU start_agent

NOTE: Restart the IUM host containing the configuration server first, then all other hosts.

HP Internet Usage Manager (7.0 FP01)Page 111 of 116

Page 112: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Chapter 8

Deactivating and Uninstalling IUMThe deactivate command allows you to deactivate IUM components on a host. The uninstall processwill also remove any additional OEM components you have installed, such as MySQL.

Deactivating IUM Components 112

Uninstalling IUM on Windows 112

Uninstalling IUM on UNIX 113

Non-root Uninstall on UNIX 113

Unattended Uninstall of IUM 114

Uninstalling in Console Mode 114

Deactivating IUM ComponentsIUM provides the deactivate command typically in /opt/SIU/bin on UNIX and C:\SIU\bin onWindowsto deactivate one or all IUM components. To deactivate a component or IUM entirely, provide thecomponent name as an argument to the command as follows:

Component Command

IUMWebApplication Server deactivate -webappServer

IUM deactivate -product IUM

Deactivate IUM Components

To activate the component on another host, execute the Activation Wizard on that host as described in"Activating IUM" (on page 76) and select the appropriate component.

Uninstalling IUM on WindowsTo uninstall IUM onWindows:

1. If you plan to reinstall IUM:

a. Save the IUM configuration using the Launchpad. Select Deployment -> File and select ExportConfiguration. See the IUMAdministrator’s Guide for details.

b. Copy your IUM license file (if it is below the IUM installation directory) to a different location.

2. Stop the Launchpad if it is running.

3. Select Start -> Programs -> Internet Usage Manager -> <Instance name> -> Uninstall IUM.

HP Internet Usage Manager (7.0 FP01)Page 112 of 116

Page 113: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 8: Deactivating and Uninstalling IUM

Alternatively you can select Start -> Settings -> Control Panel and double click on Add/RemovePrograms. Select HP Internet Usage Manager and click Add/Remove.

The Install wizard is displayed. Follow the instructions on the screen. The wizard automaticallystops the host admin agent andMySQL database server and removes IUM files.

4. Remove any remaining IUM files in the directory where IUMwas installed. The uninstall dialog willprovide a summary of the files it could not remove but that you can remove manually.

Uninstalling IUM on UNIXTo uninstall IUM on UNIX:

1. If you plan to reinstall IUM:

a. Save the IUM configuration using the Launchpad. Select Deployment -> Configure and clickSave Configuration. See the IUMAdministrator’s Guide for details.

b. Copy your IUM license file (if it is below the IUM installation directory) to a different location.

2. Stop the Launchpad if it is running.

3. Log in as root and execute the following command:

/opt/<instance name>/_uninstall_ium/uninstall

where <instance name> is the name of your IUM instance (SIU by default). The Install wizard isdisplayed. Follow the instructions on the screen. The wizard automatically stops the host adminagent andMySQL database server and removes IUM files.

NOTE: Do not invoke the uninstall program while logged in to the directory /opt/<instancename>/_uninstall_ium. If you do, the wizard cannot remove the directory.

4. Remove any remaining IUM files in /opt/SIU, /var/opt/SIU, and /etc/opt/SIU.

Non-root Uninstall on UNIXThis section describes how a non-root user can uninstall IUM. Only the non-root user (or root) thatinstalled the IUM instance can uninstall that IUM instance. Note that the root user must perform somesteps as specified below to complete the uninstall.

1. Log in as the non-root user that installed the instance of IUM you want to remove.

2. Uninstall IUM as described in "Uninstalling IUM on UNIX" (on page 113), except log in as the userthat installed that instance of IUM.

3. Log in as root.

4. As the root user, run the non-root unprepare script as follows:

nonrootunprep.sh <IUM instance name>

where <IUM instance name> is the name you gave this installation of IUM.

HP Internet Usage Manager (7.0 FP01)Page 113 of 116

Page 114: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 8: Deactivating and Uninstalling IUM

NOTE: The IUM instance name is tied to the user name. Only that user (or root) can install oruninstall that IUM instance.

Unattended Uninstall of IUMThe following describes how IUM can be uninstalled unattended. That is, it can be uninstalled non-interactively by a single command as described below.

To uninstall unattended, execute one of the following commands:

l OnWindows systems execute the following command:

<Install home>\_uninstall_ium\uninstall.exe -i silent

l If running IUMwith security on Windows systems, execute the following command:

<Install home>\_uninstall_ium\uninstall.exe -DiumUser=<user name> -DiumPass=<password> -i silent

l On UNIX systems execute the following command:

/opt/<Instance name>/_uninstall_ium/uninstall -i silent

l If running IUMwith security on UNIX systems, execute the following command:

/opt/<Instance name>/_uninstall_ium/uninstall -DiumUser=<user name>-DiumPass=<password> -i silent

Check the uninstall log files in your home directory for any errors (for example, C:\Documents andSettings\<username> onWindows, or /root on UNIX). These files take the form of ium-uninstall0.log0,ium-uninstall0.log1, and so on. If the uninstall went correctly, you can remove these files and the IUMhome directory. These log files will remain on your system whether or not IUM is installed.

Uninstalling in Console ModeYou can uninstall IUM in console mode, in much the same manner as the console installation andactivation modes discussed in "Console Installation and Activation" (on page 66). Take the followingsteps below to uninstall via the console.

Execute one of the following commands:

l OnWindows systems execute the following command:

<Install home>\_uninstall_ium\uninstall.exe -i console

l If running IUMwith security on Windows systems, execute the following command:

<Install home>\_uninstall_ium\uninstall.exe -DiumUser=<user name> -DiumPass=<password> -i console

l On UNIX systems execute the following command:

/opt/<Instance name>/_uninstall_ium/uninstall -i console

l If running IUMwith security on UNIX systems, execute the following command:

HP Internet Usage Manager (7.0 FP01)Page 114 of 116

Page 115: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …

Installation GuideChapter 8: Deactivating and Uninstalling IUM

/opt/<Instance name>/_uninstall_ium/uninstall -DiumUser=<user name>-DiumPass=<password> -i console

After entering the console-based uninstall command, the following is displayed:

Preparing CONSOLE Mode Uninstallation...===============================================================

Internet Usage Manager (created with InstallAnywhere)---------------------------------------------------------------

===============================================================Uninstall Internet Usage Manager--------------------------------

About to uninstall...

Internet Usage Manager

This will remove features installed by InstallAnywhere. It willnot remove files and folders created after the installation.

PRESS <ENTER> TO CONTINUE:

Press Enter to proceed with the uninstall. The command console window exits after the uninstall iscomplete.

NOTE: (UNIX only) When uninstalling in console mode, the DISPLAY environment variable shouldbe set and pointing to the proper X Server. It is also recommended that you manually stop all IUMservices before uninstalling in console mode.

HP Internet Usage Manager (7.0 FP01)Page 115 of 116

Page 116: IUM Installation Guide - Hewlett Packardh20628. · LegalNotices Warranty TheonlywarrantiesforHPproductsandservicesaresetforthintheexpresswarrantystatements …