Service Configuration
There are two Service Configuration screens: one for the production environment and one for the disaster recovery environment.
Important
The services distribution should be planned before installation. SailPoint installation experts are available to discuss these options with you.
For each environment, this screen associates each service with one of the servers defined in the Services Configuration window.
To configure services, complete the following steps:
- In the Action Select window, select the Create / Edit configuration installation option.
- Select Next to display the Service Configuration window. Use the scroll bar to see all the configuration input fields.
- Select the server to use in the production environment for each service. The dropdown list of available servers only includes production servers.
Note
When allocating services to servers, make sure any servers dedicated to high availability are not used for the first instance of any services.
Service Ports - Enter the relevant port information. Make sure to adjust firewall rules, if required.
Agent Configuration Manager - The Agent Configuration Manager service is a prerequisite for installing all other services. Therefore, the server configured for the Agent Configuration Manager must be installed first.
RabbitMQ - File Access Manager uses an open-source message broker, RabbitMQ, to distribute operations across multiple services. The File Access Manager Administrator Guide has more information on horizontal scaling in this service.
The connection between the message broker and File Access Manager services is secured with SSL.
An account is required to handle internal processes between the message broker and File Access Manager server. Credentials can be created automatically or inserted manually.
Important
When installed in a High-availability environment, RabbitMQ is used to synchronize data between IIS servers, ensuring all users see up-to-date data on the website. If your installation uses more than one IIS, make sure to install RabbitMQ.
Note
When installing RabbitMQ, the user completing the installation must have a valid %homepath% variable. During the installation, the erlang.cookie file is copied using this variable, so the installation can fail if it is not set.
Note
RabbitMQ is mandatory for version 8.4 and onward.
Event Manager - The Event Manager Service can be duplicated and installed on multiple servers.
Central Data Classification - File Access Manager allows multiple instances of installed Central Data Classification services. The Architecture section of the File Access Manager Administrator Guide has additional information on installation planning.
- Click the + next to the port to add instances.
- Click the x to remove instances.
Central Permissions Collection - File Access Manager allows multiple instances of installed Central Permissions Collection services. The Architecture section of the File Access Manager Administrator Guide has additional information on installation planning.
Provide a unique name for each service. This name will be displayed during the application configuration wizard when defining a new application in the File Access Manager Administrative Client.
File Access Manager supports installing a non-dedicated Permissions Collector service to handle multiple applications on the same service. You can also install a dedicated Permissions Collector service for an application. The Collector Installation Guide has additional information.
Note
Requires a distinguished name.
Caution
Removing a Central Permission Collector may orphan associated collectors. Any orphaned collectors should be uninstalled through the Collector Installation Manager.
Business Website - The Business Website installs IIS if it is not yet installed.
Configuring High Availability Services
Perform the following:
- Add an additional instance of the service by clicking the + icon next to the service on the configuration panel.
- Configure the installer to install the service on a parallel server allocated for high availability.
- Configure your load balancer to select between these instances.
Important
The load balancer should be configured for SSL passthrough. It must not terminate the client TLS connection and open a new one between the load balancer and the server: each client authenticates with its own client certificate, and a connection re-established by the load balancer no longer carries that certificate, so the server returns an authentication error.
| Service | Listening port |
|---|---|
| Agent Configuration Manager | 8000 |
| Business Website | 80 / 443 |
| Event Manager | 8001 |
| User Interface | 8005 |
Important
Event Managers use RabbitMQ as the Load Balancer as of 8.4.
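The table above lists the ports each service listens on, and the Service Ports step asks you to adjust firewall rules where required. The following PowerShell script is an added example, not part of the SailPoint installer or its documentation: on a given Windows server it opens inbound rules only for the services assigned to that host, keeps the rules as narrow as the table allows (TCP, Domain profile, optionally restricted to the peer servers' addresses), and reports whether each port is actually bound. The service-to-host assignment and the peer subnet are placeholders to replace with values from your own configuration.

```powershell
# Added example, not part of the SailPoint installer: open the inbound ports
# from the table above for the services assigned to this host, and report
# whether each port is bound. Service-to-host assignment and the peer subnet
# below are placeholders; take them from your own service configuration.

# Listening ports from the table above (constructed lookup, not installer data).
$ServicePorts = @{
    'Agent Configuration Manager' = @(8000)
    'Business Website'            = @(80, 443)
    'Event Manager'               = @(8001)
    'User Interface'              = @(8005)
}

function Add-FamFirewallRule {
    param(
        [Parameter(Mandatory)] [string] $Service,
        [Parameter(Mandatory)] [int[]]  $Ports,
        [string[]] $RemoteAddress = @('Any')   # narrow this to the peer servers' addresses where possible
    )
    $name = "File Access Manager - $Service"
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
        Write-Verbose "Rule '$name' already exists; leaving it unchanged."
        return
    }
    # Inbound TCP only, Domain profile only: as narrow as the table allows.
    New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP -LocalPort $Ports `
        -RemoteAddress $RemoteAddress -Action Allow -Profile Domain | Out-Null
}

function Test-PortListening {
    param([Parameter(Mandatory)] [int] $Port)
    # $true when a local process has the port bound in LISTEN state.
    $null -ne (Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue)
}

function Initialize-FamHostFirewall {
    param(
        [Parameter(Mandatory)] [string[]] $ServicesOnThisHost,
        [string[]] $PeerServers = @('Any')
    )
    foreach ($svc in $ServicesOnThisHost) {
        if (-not $ServicePorts.ContainsKey($svc)) { throw "Unknown service '$svc'" }
        Add-FamFirewallRule -Service $svc -Ports $ServicePorts[$svc] -RemoteAddress $PeerServers
        foreach ($port in $ServicePorts[$svc]) {
            [pscustomobject]@{
                Service   = $svc
                Port      = $port
                Listening = (Test-PortListening -Port $port)   # $false until the service is installed and started
            }
        }
    }
}

# Placeholder assignment: this host runs the Event Manager and the Business Website.
Initialize-FamHostFirewall -ServicesOnThisHost @('Event Manager', 'Business Website') `
    -PeerServers @('10.0.0.0/24')   # placeholder subnet for the other File Access Manager servers
```

Run it in an elevated PowerShell session on each server after you have decided its service assignment. The Listening column is expected to be false before the services are installed; rerun the script after installation to confirm each service came up on its port. Restricting RemoteAddress to the subnet that holds the other File Access Manager servers is the difference between "the port is open" and "the port is open to the hosts that need it".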
Elasticsearch Configuration
After the Service Configuration screen, select Next to open the Elasticsearch Configuration screen.
In the Cluster Node Settings, configure the desired number of nodes that will comprise the Elasticsearch cluster.
Assign each node to a dedicated server and specify the path for the Elasticsearch database folder.
Note
At least three nodes are recommended.
The Credentials Settings section is used to specify a username and password. If this section is left unchecked, a default username and password will be used.
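Once the installer has built the cluster, it is worth confirming that the node count you configured is what Elasticsearch actually sees and that the credentials from Credentials Settings work. The following script is an added example and is not part of the SailPoint installer: it queries the cluster health and node list over the Elasticsearch REST API. The base URL, the port (9200 is the Elasticsearch default, not a value from this guide) and the hostnames are assumptions to replace with your own values; it prompts for the credentials rather than embedding them.

```powershell
# Added example, not part of the SailPoint installer: confirm the Elasticsearch
# cluster built by the installer has the recommended node count and is healthy.
# The base URL, hostname and port (9200 is the Elasticsearch default) are
# assumptions; replace them with the values from your configuration.

function Get-ClusterStatus {
    param(
        [Parameter(Mandatory)] [string] $BaseUrl,          # e.g. https://es-node1.example.local:9200 (placeholder)
        [Parameter(Mandatory)] [pscredential] $Credential, # user from Credentials Settings
        [int] $MinimumNodes = 3                            # installer guidance: at least three nodes
    )
    $health = Invoke-RestMethod -Uri "$BaseUrl/_cluster/health" -Credential $Credential -Method Get
    $nodes  = Invoke-RestMethod -Uri "$BaseUrl/_cat/nodes?format=json&h=name,ip,node.role,master" `
                                -Credential $Credential -Method Get

    [pscustomobject]@{
        ClusterName      = $health.cluster_name
        Status           = $health.status                 # green / yellow / red
        NodeCount        = $health.number_of_nodes
        DataNodes        = $health.number_of_data_nodes
        UnassignedShards = $health.unassigned_shards
        MeetsNodeMinimum = ($health.number_of_nodes -ge $MinimumNodes)
        Nodes            = @($nodes | ForEach-Object {
                               "$($_.name) ($($_.ip)) roles=$($_.'node.role') master=$($_.master)"
                           })
    }
}

# Prompt for the credentials chosen in Credentials Settings instead of hard-coding them.
$cred   = Get-Credential -Message 'Elasticsearch user configured in Credentials Settings'
$status = Get-ClusterStatus -BaseUrl 'https://es-node1.example.local:9200' -Credential $cred
$status

if (-not $status.MeetsNodeMinimum -or $status.Status -eq 'red') {
    Write-Warning 'Cluster is below the recommended node count or unhealthy; review the node assignment before continuing.'
}
```

If the cluster's certificate is not trusted by the machine you run this from, the call fails at the TLS layer; fix the trust rather than disabling certificate checks. Seeing fewer nodes than you configured usually means a node's server was unreachable or its database folder path was wrong during installation.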
Select Next to open the Disaster Recovery Service Configuration screen. Repeat the service configuration for the Disaster Recovery environment. The list of servers on this screen will be servers defined previously as Disaster Recovery servers.
Select Next to open the Elasticsearch Disaster Recovery Configuration screen. Repeat the Elasticsearch configuration for the Disaster Recovery environment. The list of servers on this screen will be servers defined previously as Disaster Recovery servers.
Note
The Disaster Recovery Service Configuration screen and Elasticsearch Disaster Recovery Configuration screen will only display if there is at least one Disaster Recovery server defined.
Note
For the Backup Settings section, configure the Elasticsearch backup repository path and settings as explained in the Activity Backup guide.
After the Elasticsearch Configuration screen, select Next to open the Load Balancer Configuration screen.
Note
This screen will only be displayed if there is at least one service with multiple instances.
Load Balancer Configuration
The Load Balancer Configuration screen lists all the services that support high availability. Services that have not been defined with multiple instances in the previous stage will be grayed out.
- Server Address: The server address of the high availability server allocated for this service.
- Port: The port should be unique.
Note
The Load Balancer ports can be different from the ones described in Inter-service Communication.
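The SSL passthrough requirement in the high availability section is easy to get wrong when the load balancer is configured as an HTTPS virtual server rather than a TCP-level one. The following PowerShell script is an added example, not part of the SailPoint installer or its documentation: it connects to the address and port entered on this screen and to one backend instance directly, captures the server certificate each one presents, and compares the thumbprints. With passthrough both are the backend's own certificate; a terminating load balancer presents a different one. The hostnames are placeholders; port 8001 is the Event Manager listening port from the table above.

```powershell
# Added example, not part of the SailPoint installer: check whether a load
# balancer in front of a high-availability service passes TLS through or
# terminates it, by comparing the certificate seen through the load balancer
# with the one the backend presents directly. Hostnames are placeholders.

function Get-PresentedCertificate {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [int]    $Port,
        [int] $TimeoutMs = 5000
    )
    $script:presented = $null
    # Capture the server certificate inside the validation callback: it is
    # handed to us before the handshake finishes, so we still get it even if
    # the server then rejects us for not sending a client certificate.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $script:presented = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certificate)
        return $true    # we are reading the certificate, not trusting it
    }
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $pending = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            throw "Timed out connecting to ${ComputerName}:${Port}"
        }
        $client.EndConnect($pending)
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $callback)
        try   { $ssl.AuthenticateAsClient($ComputerName) }
        catch [System.Security.Authentication.AuthenticationException] { }  # expected when a client certificate is required
        finally { $ssl.Dispose() }
    } finally { $client.Dispose() }
    if (-not $script:presented) { throw "No certificate received from ${ComputerName}:${Port}" }
    return $script:presented
}

function Test-TlsPassthrough {
    param(
        [Parameter(Mandatory)] [string] $LoadBalancer,   # Server Address from the Load Balancer Configuration screen
        [Parameter(Mandatory)] [string] $Backend,        # one of the service instances behind it
        [Parameter(Mandatory)] [int]    $Port
    )
    $viaLb  = Get-PresentedCertificate -ComputerName $LoadBalancer -Port $Port
    $direct = Get-PresentedCertificate -ComputerName $Backend -Port $Port
    [pscustomobject]@{
        LoadBalancerCert = "$($viaLb.Subject) [$($viaLb.Thumbprint)]"
        BackendCert      = "$($direct.Subject) [$($direct.Thumbprint)]"
        Passthrough      = ($viaLb.Thumbprint -eq $direct.Thumbprint)
    }
}

# Placeholder names; 8001 is the Event Manager listening port from the table above.
Test-TlsPassthrough -LoadBalancer 'fam-lb.example.local' -Backend 'fam-ha-01.example.local' -Port 8001
```

A Passthrough value of false means the load balancer is terminating the client TLS session, which is exactly the configuration the Important note warns against: the client certificate never reaches the service. The check has one blind spot: a load balancer that terminates TLS but has been given a copy of the backend's certificate and key presents the same thumbprint, so also confirm the virtual server is defined at the TCP level rather than as an HTTPS service.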
Website Configuration
After configuring the services, the Web Configuration screen will display.
IIS Settings
These settings allow for a non-default IIS installation.
- Change the site name and physical path. File Access Manager will install its websites on the specified location.
Note
Both site name and directory path must be changed for a non-default installation.
Website Authentication Mode
Select the authentication mode from the following options:
- Windows: Using an Active Directory identity store.
- SAML 2.0:
  - Using a third-party authentication store, such as Okta, ADFS, or Azure.
  - Refer to the SAML and SSO Installation Guide for more information.
Selecting SAML 2.0 as the Website Authentication Mode opens the SSO provider identification fields:
- Entity ID: The application name of the relevant SSO provider.
- Metadata URL: The URL to the relevant SSO provider.
These fields are defined when creating an application in the relevant SSO provider. If you haven’t created them yet, see the relevant section within the SAML and SSO Installation Guide:
- Creating an ADFS Application
- Creating an Azure Application
- Creating an Okta Application
Alternatively, you can continue with the installation without creating an authentication store.
Configuration Summary
- Select the Save Configuration Only option.
- Select Next.
Storing the Configuration
The installation process using the server installer creates a text file containing the commands for installation of the services on any server defined in the configuration.
The configuration itself is stored in the database.
Depending on the method of installation, select the next action (see Performing the Installation).
- Select Save Configuration Only to save the configuration without installing on this server.
- Select Save Configuration and Perform current Server’s Installation Tasks to start the installation of the services on the current server.
Select Next to install the services on the current server.
If the services installed require a system restart, the installer will open a popup message requesting a restart. After the restart, run the installer again to continue the installation process.