Microsoft BHOLD Suite SP1 Installation Guide

Applies To: Forefront Identity Manager 2010

Microsoft® BHOLD Suite Service Pack 1 (SP1) is a collection of applications that, when used with Microsoft Forefront Identity Manager 2010 R2 SP1 (FIM), adds effective role management, analytics, and attestation to FIM. Microsoft BHOLD Suite SP1 consists of the following modules:

• BHOLD Core

• Access Management Connector

• BHOLD FIM Integration

• BHOLD Model Generator

• BHOLD Analytics

• BHOLD Reporting

• BHOLD Attestation

What this document covers

This document explains how to plan your BHOLD deployment to meet your business needs and install each BHOLD module. For each module, relevant hardware, infrastructure, and software requirements, preinstallation network configuration, information required during setup, and postinstallation steps, if any, are detailed.

Prerequisite knowledge

This document assumes that you have a basic understanding of how to install software on server computers. It also assumes that you have basic knowledge of Active Directory® Domain Services, Microsoft Forefront Identity Manager 2010 R2 SP1 (FIM), and Microsoft SQL Server 2008 database software. A description of how to set up and configure dependent technologies such as AD DS and FIM is out of the scope of this documentation. For information about the functions that the Microsoft BHOLD modules perform, see Microsoft BHOLD Suite Concepts Guide.

Audience

This document is intended for IT planners, systems architects, technology decision-makers, consultants, infrastructure planners, and IT personnel who plan to deploy Microsoft BHOLD Suite SP1.

BHOLD infrastructure considerations

Most often, the BHOLD and FIM are used in a large infrastructure environment. You can tailor your BHOLD and FIM architecture to meet your particular business needs. The following sections provide some possible architectural solutions. This overview is not a comprehensive list of all possible options, but suggests ways you can deploy BHOLD in your network.

This section covers the following topics:

• Single-server architecture

• Dual-server architecture

• Two-tier architecture

• SQL Server recommendations

Single-server architecture

For deployment in small organizations or for development purposes, you can install BHOLD and FIM on the same server as SQL Server and AD DS, as shown in the following figure.

When BHOLD Suite SP1 and the FIM Portal are installed together on a single server, you must create different host aliases (CNAME or A records) in DNS for BHOLD and for FIM. This allows separate service principal names (SPNs) to be created for the BHOLD and FIM services. For more information, see BHOLD Core Installation.

For guidance on installing FIM in a single-server configuration, see Common Configuration for Getting Started Guides in the Microsoft TechNet Library.

Dual-server architecture

Installing BHOLD Core and FIM on separate servers provides greater performance and flexibility for medium-size organizations that do not require a more complex deployment, such as that provided by multitier architectures. The following figure shows BHOLD and FIM installed on their own servers; the FIM server is also running SQL Server to provide database services to BHOLD and FIM. The FIM Synchronization Service running on the FIM server synchronizes changes between the FIM and BHOLD databases. Note that if end-user self-service is required, the BHOLD FIM Integration module must be installed on the same server as the FIM Service and FIM Portal. The BHOLD FIM Integration module requires that the FIM Service and the BHOLD FIM Integration module are installed on the same server.

Two-tier architecture

In most environments, especially those where performance is important, you should run the BHOLD Suite SP1, FIM, and SQL Server on separate servers (two-tier architecture). With a two-tier architecture, memory and CPU resources are dedicated for each tier. The following illustration shows one possible way to configure a two-tier architecture. The FIM Synchronization Service running on the FIM server synchronizes changes between the FIM and BHOLD databases. Note that if end-user self-service is required, the BHOLD FIM Integration module must be installed on the same server as the FIM Service and Portal.

SQL Server recommendations

If you are deploying BHOLD in a large organization, it is highly recommended that you follow these guidelines for setting up the Microsoft SQL Server database:

• Deploy SQL Server on a server separate from any FIM or BHOLD services.

• Isolate the log file from the data file at the physical disk level.

• If you are using RAID to provide storage redundancy, use RAID level 10 (1+0). Do not use RAID level 5.

• Be sure to configure the correct settings when using more than 2 GB of physical memory for the server running SQL Server.

• For optimum BHOLD performance, use Microsoft SQL Server 2008 R2.

For more information about SQL Server best practices, see Storage Top 10 Best Practices in the Microsoft TechNet Library.

Trusted certificates list update

Windows can be configured to validate certificate chains prior to starting a service. On such systems, a service cannot start if the executable code of the service was signed with a certificate that is not in the trusted certificates list (TCL) of the server. The Microsoft BHOLD Suite SP1 software is code signed using a code signing certificate chain that originates with the Microsoft Root Certificate Authority 2010 certificate.

Windows can be configured to retrieve root certificates from Microsoft over an Internet connection. On a disconnected system, however, Windows Server includes only those certificates that were present in the root program at a time before Windows was released. In releases of Windows Server prior to Windows Server 2010, these certificates will not include the root certificate needed for validating the BHOLD Suite SP1 code signing certificate chain. If you intend to install one or more Microsoft BHOLD Suite SP1 modules on a system that might not have an up-to-date TCL, you must download and install the root-update package, or use Group Policy to install the root-update package, before installing a BHOLD Suite SP1 module. For more information, see Windows root certificate program members.

Installing BHOLD Suite SP1 on Windows Server 2012

If you install BHOLD Suite SP1 on Windows Server 2012, the BHOLD web pages will not be available until you modify the applicationHost.config file located in C:\Windows\System32\inetsrv\config. In the <globalModules> section, add preCondition="bitness64 to the entry that begins <add name="SPNativeRequestModule" so that it reads as follows:

<add name="SPNativeRequestModule" image="C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\isapi\spnativerequestmodule.dll" preCondition="bitness64"/>  

After editing and saving the file, run the iisreset command to reset the IIS server.

Upgrading BHOLD Suite

You cannot upgrade an existing BHOLD Suite installation to BHOLD Suite SP1. Instead, you must uninstall an existing BHOLD Suite installation before you can install any BHOLD Suite SP1 modules. If you have an existing BHOLD role model, you can upgrade the BHOLD database and use it when you install the BHOLD Core module of BHOLD Suite SP1. For more information, see Replacing BHOLD Suite with BHOLD Suite SP1.

BHOLD Suite SP1 module installation

The following topics describe how to install and configure the BHOLD Suite SP1 modules:

• BHOLD Core Installation

• Access Management Connector Installation

• BHOLD FIM Integration Installation

• BHOLD Model Generator Installation

• BHOLD Analytics Installation

• BHOLD Reporting Installation

• BHOLD Attestation Installation