000034089 - How to install Access Fulfillment Express (AFX) for use with RSA Identity Governance & Lifecycle

Document created by RSA Customer Support Employee on Nov 15, 2016. Last modified by RSA Customer Support on Jan 5, 2020.
Version 9

Article Content

Article Number: 000034089
Applies To: RSA Product Set: RSA Identity Governance & Lifecycle
RSA Version/Condition: 7.x

Issue: This article presents step-by-step instructions on how to install or reinstall Access Fulfillment Express (AFX) in RSA Identity Governance & Lifecycle.

Resolution: This section describes the process for installing AFX. There are two main components to the AFX installation process: configuring/installing the AFX server and importing the AFX connector packages. The AFX server can either be installed on the same machine as the RSA Identity Governance & Lifecycle application or on a remote machine.

IMPORTANT: Prior to installing AFX, you must have completed the installation procedure for the RSA Identity Governance & Lifecycle version required by the version of AFX you intend to install.

Installing AFX Server using an installation script. 


Note: This installation may only be done on an RSA Identity Governance & Lifecycle hardware or software appliance.

The RSA Platform automatically generates a local AFX Server configuration named AFX Server for installing an AFX Server on an RSA Identity Governance & Lifecycle appliance. To install the local AFX Server on an RSA appliance, follow the steps below.



  1. Connect to the RSA Identity Governance & Lifecycle appliance. If you are performing a new installation, log on as the root user; if this is an AFX upgrade, log on as the afx user (by default this is the oracle user). Details for defining an alternate afx user are in the next section.
  2. To install the AFX connectors as part of the installation, copy the AFX connector package to the /tmp/aveksa/staging directory. Note: AFX connectors may be installed as a separate step after the installation process. In that case, make sure there is no connector package in /tmp/aveksa/staging.
  3. Run the AFX Server installation script.


cd /tmp/aveksa/staging/deploy
sudo ./installAFX.sh -q


The installation script runs silently and does the following:



  • Installs AFX Server files to $AVEKSA_HOME/AFX - by default this is /home/oracle/AFX.
  • Configures server SSL certificates.
  • Registers the afx_server service.
  • Configures profiles for AVEKSA_OWNER, AVEKSA_ADMIN, and root users for initializing the AFX Server environment.

Note: Installation details for the AFX Server are written to /tmp/afx-install.log on the installation machine.



  4. Log out and log back in to the RSA appliance as the afx user.
  5. Start the AFX Server.

service afx_server start

  6. If not done as part of the installation, install the AFX connector packages for this AFX release version by following the steps at the end of this article under Installing AFX Connector Packages.

Installing AFX Server using a downloaded AFX Server Archive.



New AFX Installation



  1. Determine what account will be used to run AFX. This account is the afx user. If this is a local installation, you may use the existing oracle account as the afx user. If not, create an unprivileged afx user account by following these steps:

    1. As the root user, log in to the server where AFX is to be installed. Alternatively, log in as a non-root user and switch to a superuser using su.
    2. Create the afx user and the home directory for the afx user.

useradd {afxuser} -G users -d /home/{afxuser}

    3. Update the ownership of the home directory for the afx account just created.

chown {afxuser}:users /home/{afxuser}

    4. Export JAVA_HOME and put $JAVA_HOME/bin on the PATH. Note that JAVA_HOME must point to the same Java version as the RSA Identity Governance & Lifecycle application.

  2. Download the AFXServer.zip from the RSA Identity Governance & Lifecycle User Interface under AFX > Servers AFX Server > Download Server Archive.
  3. Transfer the AFXServer.zip from your PC to the AFX server machine using a tool like WinSCP or another SFTP client and place the file under /home/{afxuser}.
  4. As the afx user, log in to the server where AFX is to be installed and unpack the AFXServer.zip file.

cd /home/{afxuser}
unzip AFXServer.zip

  5. This will create a directory called AFX in the afx user home directory.

/home/{afxuser}/AFX

  6. Navigate to the AFX/bin directory and run the script to set permissions.

cd /home/{afxuser}/AFX/bin
sh ./setPerms.sh

  7. Configure the AFX Server service.

    1. Log in as the root user.
    2. Create a symbolic link at /etc/init.d/afx_server that points to the afx_server script.

ln -s /home/{afxuser}/AFX/bin/afx_server /etc/init.d/afx_server

    3. Activate the system service.

chkconfig --add afx_server
chkconfig afx_server on

  8. Configure the AFX environment.

    1. Log in as the root user.
    2. Edit (vi) /home/{afxuser}/AFX/bin/setAFXEnv.sh and set the AFX home directory variable AFX_HOME to AFX_HOME=/home/{afxuser}/AFX.

cp /home/{afxuser}/AFX/bin/setAFXEnv.sh /home/{afxuser}
cp /home/{afxuser}/AFX/bin/setAFXEnv.sh /root
# If the afx user is the oracle user:
chown oracle:oinstall /home/oracle/setAFXEnv.sh
# If the afx user is a different user from oracle:
chown {afxuser}:users /home/{afxuser}/setAFXEnv.sh

    3. Edit the .bash_profile under /root and /home/{afxuser} and add the command below, which sources the environment variable script at each login. Note the leading dot in the command.

. ./setAFXEnv.sh

  9. Log in as the afx user.
  10. Start AFX. Note: Always start AFX as the afx user.

service afx_server start

  11. Check that your AFX environment variables are set correctly using the following command as the afx user.


env | grep AFX


The output will look similar to the following. In this example, the afx user is the oracle user.



MMC_HOME=/home/oracle/AFX/mmc-console
OLDPWD=/home/oracle/AFX/mmc-console/logs
ACTIVEMQ_HOME=/home/oracle/AFX/activemq
MULE_HOME=/home/oracle/AFX/esb
AFX_HOME=/home/oracle/AFX



Existing AFX Installation



  1. Download the AFXServer.zip from the RSA Identity Governance & Lifecycle User Interface under AFX > Servers AFX Server > Download Server Archive.
  2. Download server.keystore from the User Interface under Admin > System > Security tab > Download Server Certificate Store for Agent SSL Connections.
  3. Transfer the AFXServer.zip and server.keystore from your PC to the AFX Server machine using a tool like WinSCP or another SFTP client and place the files under /home/{afxuser}.
  4. As the afx user, log in to the server where AFX is installed.
  5. Shut down AFX and check that no AFX processes remain. Note: Always stop AFX as the afx user.

service afx_server stop
ps -ef | grep AFX

  6. Kill any remaining AFX processes, where xxxx is the process ID of any AFX process still running.

kill -9 xxxx

  7. Back up the pre-existing AFX directory.

mv AFX AFX.backup_<date>

  8. Unpack the AFXServer.zip file.

cd /home/{afxuser}
unzip AFXServer.zip

  9. This will create a directory called AFX in the afx user home directory.

/home/{afxuser}/AFX

  10. Navigate to the AFX/bin directory and run the script to set permissions.

cd /home/{afxuser}/AFX/bin
sh ./setPerms.sh

  11. Start AFX. Note: Always start AFX as the afx user.

service afx_server start

  12. Check that your AFX environment variables are set correctly using the following command as the afx user.

env | grep AFX

The output will look similar to the following. In this example, the afx user is the oracle user.

MMC_HOME=/home/oracle/AFX/mmc-console
OLDPWD=/home/oracle/AFX/mmc-console/logs
ACTIVEMQ_HOME=/home/oracle/AFX/activemq
MULE_HOME=/home/oracle/AFX/esb
AFX_HOME=/home/oracle/AFX

  13. If you are re-installing AFX after having re-installed RSA Identity Governance & Lifecycle or after importing a database from a different environment, the server.keystore in the filesystem (/home/{afxuser}/keystore/server.keystore) may not match what is in the database (the file you downloaded from the user interface in step 3 and placed into /home/{afxuser}/server.keystore). You may use keytool to view the fingerprints for each. If what was downloaded from the user interface differs from what exists in the keystore directory, replace the existing server.keystore file with the downloaded server.keystore file and restart the RSA Identity Governance & Lifecycle and AFX applications.

    1. Perform the following steps as the afx user.

keytool -list -alias aveksa_ca -storepass Av3k5a15num83r0n3 -keystore /home/{afxuser}/server.keystore
keytool -list -alias aveksa_ca -storepass Av3k5a15num83r0n3 -keystore /home/{afxuser}/keystore/server.keystore

    2. If the certificate fingerprints from both keystores match, you do not need to perform the following steps.


cd /home/{afxuser}/keystore
mv server.keystore server.keystore.backup<date>
cp /home/{afxuser}/server.keystore .
service afx_server stop
service aveksa_server restart
service afx_server start
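
The fingerprint comparison in the keystore step above can be scripted instead of read by eye. The following is an added example, not part of the RSA article or product; the function names, the STOREPASS environment variable and the sample keytool output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not RSA code): compare the aveksa_ca fingerprints that
# `keytool -list` reports for the downloaded and the in-use server.keystore.

# Read keytool output on stdin and print "ALGORITHM FINGERPRINT" in upper case.
# Returns 1 when there is no fingerprint line (wrong alias, wrong password).
extract_fp() {
    sed -n 's/^Certificate fingerprint (\([^)]*\)): *\([0-9A-Fa-f:]*\).*$/\1 \2/p' |
        head -n 1 | tr '[:lower:]' '[:upper:]' | grep .
}

# Compare two captured keytool outputs. Prints MATCH (keep the current
# keystore), MISMATCH (replace it and restart both services, as the article
# describes) or UNREADABLE (at least one output had no fingerprint line).
compare_keytool_output() {
    fp_downloaded=$(printf '%s\n' "$1" | extract_fp) || { echo UNREADABLE; return 2; }
    fp_in_use=$(printf '%s\n' "$2" | extract_fp) || { echo UNREADABLE; return 2; }
    if [ "$fp_downloaded" = "$fp_in_use" ]; then
        echo MATCH
        return 0
    fi
    echo MISMATCH
    return 1
}

# List the aveksa_ca entry of one keystore. -storepass:env makes keytool read
# the password from the STOREPASS environment variable (assumed to be exported).
list_ca() {
    keytool -list -alias aveksa_ca -storepass:env STOREPASS -keystore "$1" 2>&1
}

# On the AFX host: check_keystores <downloaded keystore> <in-use keystore>
check_keystores() {
    compare_keytool_output "$(list_ca "$1")" "$(list_ca "$2")"
}

# Constructed sample keytool output; entry type and fingerprints are made up.
SAMPLE_DOWNLOADED='aveksa_ca, Jan 5, 2020, trustedCertEntry,
Certificate fingerprint (SHA1): 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44'
SAMPLE_IN_USE='aveksa_ca, Nov 15, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): a0:b1:c2:d3:e4:f5:06:17:28:39:4a:5b:6c:7d:8e:9f:a0:b1:c2:d3'
SAMPLE_ERROR='keytool error: java.lang.Exception: Alias <aveksa_ca> does not exist'

# Offline demonstration on the constructed samples.
compare_keytool_output "$SAMPLE_DOWNLOADED" "$SAMPLE_IN_USE" || true
compare_keytool_output "$SAMPLE_DOWNLOADED" "$SAMPLE_ERROR" || true
```

Both keystores should be listed with the same keytool so the fingerprint algorithm label is the same on each side of the comparison.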


 



Installing AFX Connector Packages


The following steps detail the process for installing/importing connector packages for AFX.

  1. Log in to RSALink and download the AFX standard connectors zip for your specific AFX version and patch level. The connector zip files are named AFX-<version>-Standard-Connectors.zip and AFX-<version>-Premium-Connectors.zip. For more information on downloading RSA Identity Governance & Lifecycle software from RSALink, please see RSA Knowledge Base Article 000033845 -- How to download patch files for RSA Identity Governance & Lifecycle.
  2. Log in to the RSA Identity Governance & Lifecycle user interface and go to AFX > Import > Choose File.
  3. Browse to the AFX-<version>-Standard-Connectors.zip file you downloaded from RSALink.
  4. Select Next.
  5. Check the Select all items box to select all connector templates listed for Import.
  6. Select Import to load all standard connector template packages for this release version into the RSA Application.
  7. If you are licensed for one or more AFX Premium Connector(s), repeat the above steps for AFX-<version>-Premium-Connectors.zip.
  8. NOTE: Once the operation completes, connectors and templates in the system that were created from an older version of a package that was imported will be migrated to include enhancements available in the newer version such as new capabilities and settings, fixes for known issues, and any necessary changes to ensure compatibility with the AFX Server for the currently installed release version.
