| Subcribe via RSS

SailPoint IIQ: Move Over, Rover

I’m getting ready to do some customer training on Sailpoint IIQ v6.0. Getting ready for the trip has been a good impetus to get my rear end in gear and get up to date. I’ve been running Sailpoint IIQ v5.5 “bare metal” on my MacBook Pro pretty much since Sailpoint IIQ v5.5 was released. I have procrastinated getting Sailpoint IIQ v6.0 installed on my laptop. (Mainly because I have Sailpoint IIQ v6.0p5 running in the mad scientist lab on ESXi accessible via VPN.)

Side By Side Approach

So, it was time to install Sailpoint IIQ v6.0, but… I don’t and didn’t want to obliterate my Sailpoint IIQ v5.5p6 installation; I have too many customizations, test applications and rules I don’t want to loose and still want to be able to run live. I’ve been running Sailpoint IIQ with a context root of /identityiq and with a MySQL database user of identityiq.

When I run multiple versions of Sailpoint IIQ side by side on the same machine, I’ve adopted the practice of running each installation as /iiqXY where XY is the version number. So I wanted to run /iiq55 and /iiq60 side by side from the same application server. (I could also take the approach of running multiple instances of application server and run one installation from one port, say 8080, and another from another port, say 8081.)

So how to “lift and load” the existing installation at /identityiq to /iiq55 without reinstalling everything and re-aggregating all my sources? Here’s what I did.

DISCLAIMER: I’m neither advocating nor de-advocating this. Do this at your own risk, especially if your environment differs from mine. I make no claims or warranty of any kind. This worked for me. If it helps you… great.

The Environment

Here was my environment:

Operating System Mac OS X, Mountain Lion, v10.8.3
Application Server Apache Tomcat v6.0.35
JRE Java SE JRE (build 1.6.0_43-b01-447-11M4203) (64-bit)
SailPoint IIQ SailPoint IIQ v5.5p6
IIQ Database MySQL 5.5.15

Shut Everything Down

First, I shut everything down. This basically meant just spinning down the entire Tomcat application server. The command you might use and the location of your application server scripts may differ:

$ cd /Library/Apache/Tomcat6/bin
$ ./shutdown.sh

Backup And Reload The Database

Next, I needed to backup the existing Sailpoint IIQ database:

$ mysqldump -u root -p identityiq > mysql-identityiq-dump-2013-04-06.sql

In this particular case, when I inspected the contents of the dump from MySQL, I saw that none of the database objects were referenced using the schema.object notation. (Example: Such as identityiq.spt_links as is one of the Sailpoint IIQ tables used.) Nor did the dump contain a MySQL USE statement.

This meant reloading the data in a new iiq55 database was going to be fairly easy and straight-forward:

$ mysql -u root -p
Enter password: supersecret:-)
mysql> create database iiq55;
mysql> use iiq55;
mysql> source mysql-identityiq-dump-2013-04-06.sql;
...lots of output as objects are created...

Adding New Database Service Account

As another rule of thumb, I like my database service accounts to match the context root I am going to use. Since I was switching from /identityiq as the context root, I wanted the service account name in the database to match. So I wanted to switch from identityiq to iiq55 as the service account:

mysql> use mysql;
mysql> insert into user (host,user,password) values \
       ('localhost','iiq55',password('supersecret'));
mysql> insert into db values ('localhost','iiq55','iiq55', \
       'Y','Y','Y','Y', 'Y','Y','Y','Y','Y','Y','Y','Y','Y', \
       'Y','Y','Y','Y','Y','Y');
mysql> flush privileges;

NOTE: You can use the regular MySQL administrative and user commands to accomplish the same things. I’m an old school MySQL admin, so I just added the proper values to the mysql meta-database and was done with it.

Changing Context Root

With my Sailpoint IIQ data loaded into a new database, I needed to address the issue of changing the application context root for the Tomcat application server from /identityiq to /iiq55. With Tomcat this is incredibly straight-forward. I simply changed the name of the application directory and WAR to the context root I wanted. When Tomcat was later restarted, it loaded Sailpoint IIQ using the context root I wanted:

$ cd /Library/Apache/Tomcat6/webapps
$ ll
drwxr-xr-x@ 12 chris  admin       408 Feb  2  2011 ROOT/
drwxr-xr-x   6 chris  admin       204 Jul 12  2012 ServerInfo/
-rw-r--r--   1 chris  admin      7489 Jul 12  2012 ServerInfo.war
drwxr-xr-x@ 45 chris  admin      1530 Feb  2  2011 docs/
drwxr-xr-x@  6 chris  admin       204 Feb  2  2011 examples/
drwxr-xr-x@  8 chris  admin       272 Feb  2  2011 host-manager/
drwxr-xr-x  52 chris  admin      1768 Aug 31  2011 idm/
-rw-r--r--   1 chris  admin  91053099 Aug 31  2011 idm.war
drwxr-xr-x  48 chris  admin      1632 Apr  7 00:53 identityiq/
-rw-r--r--   1 chris  admin  98117489 Jul 12  2011 identityiq.war
drwxr-xr-x@  9 chris  admin       306 Feb  2  2011 manager/
drwxr-xr-x  10 chris  admin       340 Mar  7  2012 rbacx/
-rw-r--r--   1 chris  admin  56004548 Mar  7  2012 rbacx.war
$ mv identityiq iiq55
$ mv identityiq.war iiq55.war

(Note above we see a number of other WAR deployments including a ServerInfo servlet I’ve written to provide a full environment tactical display and Sun Identity Manager along with OIA, none of which are affected except the entire application server was stopped — which was necessary for Tomcat and would be also for auto-deploy application servers like JBoss AS for instance.)

At this point, it wasn’t time to restart the application server just yet, but our context root was effectively switched from identityiq to iiq55 at this point.

UPDATE 4/7/2013: For Tomcat and potentially for other auto-deploy servers like JBoss AS… If I were to do this over again, I would have deleted the identityiq.war and renamed the ./identityiq subdirectory to iiq55.

Depending on order of operations and what Tomcat is doing internally to maintain context roots, the old identityiq.war — which was the base Sailpoint IIQ v5.5 WAR — could have redeployed when Tomcat started up. That would wipe out all v5.5p6 patch changes. In my case, I unjarred the identityiq-5.5p6.jar in the application root to make sure I still had the latest WAR artifacts:

$ cd /Library/Apache/Tomcat6/webapps/iiq55
$ jar xvf /path/to/identityiq-5.5p6.jar
...Lots of little Java gremlins unjarred output...

Pointing IIQ To New Database

From here, all that’s left to do is point Sailpoint IIQ to the new database that has our old data in it. To do this, we need to modify /path/to/webapps/iiq55/WEB-INF/classes/iiq.properties to use the “new” database and database service account as well as update the encrypted password:

$ cd /Library/Apache/Tomcat6/webapps/iiq55/WEB-INF/classes
$ ## Encrypt the password:
$ ../bin/iiq encrypt supersecret
1:R/BZIwjY6auumd4qCR8Jvg==
$ vi iiq.properties
...look for and edit the appropriate lines...
#dataSource.username=identityiq
dataSource.username=iiq55
#dataSource.password=1:iCAlakm5CVUe7+Q6hVJIBA==
dataSource.password=1:R/BZIwjY6auumd4qCR8Jvg==
   :
   :
dataSource.url=jdbc:mysql://localhost/iiq55?useServerPrepStmts=true&tinyInt1isBit=true&useUnicode=true&characterEncoding=utf8
:wq

At this point, Sailpoint IIQ was pointing to the “new” database iiq55.

Handling Proxying

I do run a front-end HTTP reverse proxy on my laptop as well. (More about front-ending your Sailpoint IIQ installation through an HTTP reverse proxy setup and why you would do this in a production setting in an upcoming article!) So I needed to update my proxy settings in the HTTP config for Apache:

$ vi /etc/apache2/extra/httpd-proxy.conf
...Edit the appropriate lines...
ProxyPass /iiq55/        http://localhost:8080/iiq55/
ProxyPassReverse /iiq55/ http://localhost:8080/iiq55/
:wq
$ ## Restart Apache
$ httpd -k restart

Spin ‘er Up!

I could now start my Tomcat server and let ‘er rip:

$ cd /Library/Apache/Tomcat6/bin
$ ./startup.sh

I browsed to: http://localhost/iiq55/ and everything worked just as expected.

Summary

So to summarize, the steps from a high level to move Sailpoint IIQ v5.5p6 over and make room for Sailpoint IIQ v6.0p5 were:

  1. (1) Shut down Tomcat
  2. (2) Backup the identityiq database
  3. (3) Create the new iiq55 database, “use” it, and reload (source) from the database backup
  4. (4) Create the new iiq55 service account in MySQL
  5. (5) Rename my application directory and WAR to establish a new context root
  6. (6) Point Sailpoint IIQ to the new database using the new credentials (w/encrypted password from iiq encrypt command)
  7. (7) Update front-end HTTP reverse proxy settings and restart Apache (optional for most)
  8. (8) Startup Tomcat

Now I’m ready to install a fresh copy of Sailpoint IIQ v6.0p5 on my laptop using the context root and service account name of iiq60. I’ll use the Tomcat manager to turn these on and off as I need them, or, assuming I have enough memory, I can actually run these side by side on my laptop. (Many of the steps I need to take will be similar to what it took to move identityiq to iiq55.)

Cheers from the Twin Cities!

Comments are closed.