SailPoint IdentityIQ: Move Over, Rover

(This post was originally posted just over a decade ago on April 7, 2013. Technology has come quite a way since then. While it is possible to run SailPoint IdentityIQ “bare metal” on your laptop, I’d really recommend a containerized approach at this point. But I’ve converted this from my old site to this new site as-is because I believe the fundamentals of a SailPoint IdentityIQ installation are brought out in this article. That can still help in certain situations. –Chris :: April 16, 2023)

I’m getting ready to do some customer training on SailPoint IdentityIQ v6.0. Getting ready for the trip has been a good impetus to get my rear end in gear and get up to date. I’ve been running SailPoint IdentityIQ v5.5 “bare metal” on my MacBook Pro pretty much since SailPoint IdentityIQ v5.5 was released. I have procrastinated getting SailPoint IdentityIQ v6.0 installed on my laptop. (Mainly because I have SailPoint IdentityIQ v6.0p5 running in the mad scientist lab on ESXi accessible via VPN.)

Side By Side Approach

So, it was time to install SailPoint IdentityIQ v6.0, but… I don’t and didn’t want to obliterate my SailPoint IdentityIQ v5.5p6 installation; I have too many customizations, test applications, and rules I don’t want to lose and still want to be able to run live. I’ve been running SailPoint IdentityIQ with a context root of /identityiq and with a MySQL database user of identityiq.

When I run multiple versions of SailPoint IdentityIQ side by side on the same machine, I’ve adopted the practice of running each installation as /iiqXY where XY is the version number. So I wanted to run /iiq55 and /iiq60 side by side from the same application server. (I could also take the approach of running multiple instances of the application server and run one installation from one port, say 8080, and another from another port, say 8081.)

So how to “lift and load” the existing installation at /identityiq to /iiq55 without reinstalling everything and re-aggregating all my sources? Here’s what I did.

DISCLAIMER: I’m neither advocating nor de-advocating this. Do this at your own risk, especially if your environment differs from mine. I make no claims or warranty of any kind. This worked for me. If it helps you… great.

The Environment

Here was my environment:

Operating System:   Mac OS X, Mountain Lion, v10.8.3
Application Server: Apache Tomcat v6.0.35
JRE:                Java SE JRE (build 1.6.0_43-b01-447-11M4203) (64-bit)
SailPoint IIQ:      SailPoint IIQ v5.5p6
IIQ Database:       MySQL 5.5.15

Shut Everything Down

First, I shut everything down. This basically meant just spinning down the entire Tomcat application server. The command you might use and the location of your application server scripts may differ:

$ cd /Library/Apache/Tomcat6/bin
$ ./shutdown.sh

Backup And Reload The Database

Next, I needed to backup the existing SailPoint IdentityIQ database:

$ mysqldump -u root -p identityiq > mysql-identityiq-dump-2013-04-06.sql

In this particular case, when I inspected the contents of the dump from MySQL, I saw that none of the database objects were referenced using the schema.object notation (for example, identityiq.spt_links, one of the SailPoint IdentityIQ tables), nor did the dump contain a MySQL USE statement. That matters: either one would have sent the reload straight back into the original identityiq database rather than into the new one.

This meant reloading the data in a new iiq55 database was going to be fairly easy and straightforward:

$ mysql -u root -p
Enter password: supersecret:-)
mysql> create database iiq55;
mysql> use iiq55;
mysql> source mysql-identityiq-dump-2013-04-06.sql;
...lots of output as objects are created...

Adding New Database Service Account

As another rule of thumb, I like my database service accounts to match the context root I am going to use. Since I was switching from /identityiq as the context root, I wanted the service account name in the database to match. So I wanted to switch from identityiq to iiq55 as the service account:

mysql> use mysql;
mysql> insert into user (host,user,password) values \
       ('localhost','iiq55',password('supersecret'));
mysql> insert into db values ('localhost','iiq55','iiq55', \
       'Y','Y','Y','Y', 'Y','Y','Y','Y','Y','Y','Y','Y','Y', \
       'Y','Y','Y','Y','Y','Y');
mysql> flush privileges;

NOTE: You can use the regular MySQL administrative and user commands (CREATE USER and GRANT) to accomplish the same things. I’m an old school MySQL admin, so I just added the proper values to the mysql meta-database and was done with it. Two caveats if you follow suit: the row above hands iiq55 every database-level privilege on its schema, including the Grant privilege, which the application does not need; and the insert into mysql.user stops working from MySQL 5.7 on, which removed the Password column in favor of authentication_string.
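Here is how the two database steps above (the dump/reload and the service account) look as a script. This is an added example, not code from the original post or from SailPoint: before reloading it checks the dump for the USE statement and schema-qualified names discussed above, and it creates the account with CREATE USER and GRANT instead of editing the mysql meta-tables. The database and account names follow the post; the script name, function names, dump file name and the privilege list (DML plus the DDL that IdentityIQ patch scripts run, scoped to one schema, no GRANT OPTION) are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: copy an IdentityIQ MySQL database
# to a new name and give it a least-privilege service account of its own.
# Assumes the mysql and mysqldump clients are on PATH and that you can
# authenticate as root; the names identityiq/iiq55 are the post's, the
# file name and function names are this script's own.

# Succeed only if the dump can be loaded under a *different* database name:
# no USE statement and no objects written as old_db.table. Either one would
# silently send the reload back into the original database. (Heuristic: it
# looks for the old name followed by a dot, which plain table data is very
# unlikely to contain.)
check_dump_portable() {
  dump="$1"; old_db="$2"
  if grep -Eq '^USE `?'"$old_db"'`?;' "$dump"; then
    echo "dump contains a USE $old_db statement; reload would hit the old database" >&2
    return 1
  fi
  if grep -Eq '(^|[^A-Za-z0-9_.])`?'"$old_db"'`?\.`?[A-Za-z_]' "$dump"; then
    echo "dump references objects as $old_db.<table>; reload would hit the old database" >&2
    return 1
  fi
  return 0
}

# Print the SQL for the service account: CREATE USER plus a GRANT scoped to
# one schema. IIQ needs DML, plus the DDL that patch and upgrade scripts run,
# but never GRANT OPTION, which the hand-edited mysql.db row in the post does
# hand out. Quotes and backslashes in the password are refused rather than
# escaped, to keep the generated SQL unambiguous.
grant_sql() {
  db="$1"; user="$2"; pw="$3"
  case $pw in
    *\'*|*\\*) echo "password must not contain quotes or backslashes" >&2; return 1 ;;
  esac
  cat <<EOF
CREATE USER '$user'@'localhost' IDENTIFIED BY '$pw';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER,
      CREATE TEMPORARY TABLES, LOCK TABLES
  ON \`$db\`.* TO '$user'@'localhost';
FLUSH PRIVILEGES;
EOF
}

# Whole move: dump, verify, create the new schema, reload, add the account.
# The new password is read from the terminal with echo off, so it never
# appears in shell history or in `ps` output.
move_database() {
  old_db="$1"; new_db="$2"; new_user="$3"
  dump="mysql-$old_db-dump-$(date +%Y-%m-%d).sql"
  mysqldump -u root -p "$old_db" > "$dump" || return 1
  check_dump_portable "$dump" "$old_db" || return 1
  printf 'New password for %s@localhost: ' "$new_user"
  stty -echo; read -r pw; stty echo; echo
  {
    echo "CREATE DATABASE \`$new_db\` DEFAULT CHARACTER SET utf8;"
    echo "USE \`$new_db\`;"
    echo "SOURCE $dump;"
    grant_sql "$new_db" "$new_user" "$pw"
  } | mysql -u root -p
}

# Usage: ./move-iiq-db.sh identityiq iiq55 iiq55
if [ "$#" -eq 3 ]; then
  move_database "$1" "$2" "$3"
fi
```

Run it as ./move-iiq-db.sh identityiq iiq55 iiq55 from the directory where you want the dump file to land. Afterwards, SHOW GRANTS FOR 'iiq55'@'localhost' should show exactly one GRANT line scoped to `iiq55`.*, with no GRANT OPTION and nothing on *.*.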

Changing Context Root

With my SailPoint IdentityIQ data loaded into a new database, I needed to address the issue of changing the application context root for the Tomcat application server from /identityiq to /iiq55. With Tomcat this is incredibly straightforward. I simply changed the name of the application directory and WAR to the context root I wanted. When Tomcat was later restarted, it loaded SailPoint IdentityIQ using the context root I wanted:

$ cd /Library/Apache/Tomcat6/webapps
$ ll
drwxr-xr-x@ 12 chris  admin       408 Feb  2  2011 ROOT/
drwxr-xr-x   6 chris  admin       204 Jul 12  2012 ServerInfo/
-rw-r--r--   1 chris  admin      7489 Jul 12  2012 ServerInfo.war
drwxr-xr-x@ 45 chris  admin      1530 Feb  2  2011 docs/
drwxr-xr-x@  6 chris  admin       204 Feb  2  2011 examples/
drwxr-xr-x@  8 chris  admin       272 Feb  2  2011 host-manager/
drwxr-xr-x  52 chris  admin      1768 Aug 31  2011 idm/
-rw-r--r--   1 chris  admin  91053099 Aug 31  2011 idm.war
drwxr-xr-x  48 chris  admin      1632 Apr  7 00:53 identityiq/
-rw-r--r--   1 chris  admin  98117489 Jul 12  2011 identityiq.war
drwxr-xr-x@  9 chris  admin       306 Feb  2  2011 manager/
drwxr-xr-x  10 chris  admin       340 Mar  7  2012 rbacx/
-rw-r--r--   1 chris  admin  56004548 Mar  7  2012 rbacx.war
$ mv identityiq iiq55
$ mv identityiq.war iiq55.war

(Note above we see a number of other WAR deployments, including a ServerInfo servlet I’ve written to provide a full environment tactical display, Sun Identity Manager, and OIA. None of them is affected beyond being stopped along with the rest of the application server, which is necessary for Tomcat and would be for other auto-deploying application servers such as JBoss AS as well.)

It wasn’t time to restart the application server just yet, but our context root was now effectively switched from identityiq to iiq55.

UPDATE 4/7/2013: For Tomcat and potentially for other auto-deploy servers like JBoss AS… If I were to do this over again, I would have deleted the identityiq.war and renamed the ./identityiq subdirectory to iiq55.

Depending on order of operations and what Tomcat is doing internally to maintain context roots, the old identityiq.war, which was the base SailPoint IdentityIQ v5.5 WAR, could have redeployed when Tomcat started up: with autoDeploy and unpackWARs enabled, Tomcat re-expands a WAR it considers newer than its exploded directory. That would wipe out all v5.5p6 patch changes. In my case, I unjarred the identityiq-5.5p6.jar in the application root to make sure I still had the latest WAR artifacts:

$ cd /Library/Apache/Tomcat6/webapps/iiq55
$ jar xvf /path/to/identityiq-5.5p6.jar
...Lots of little Java gremlins unjarred output...

Pointing IIQ To New Database

From here, all that’s left to do is point SailPoint IdentityIQ to the new database that has our old data in it. To do this, we need to modify /path/to/webapps/iiq55/WEB-INF/classes/iiq.properties to use the “new” database and database service account as well as update the encrypted password:

$ cd /Library/Apache/Tomcat6/webapps/iiq55/WEB-INF/classes
$ ## Encrypt the password:
$ ../bin/iiq encrypt supersecret
1:R/BZIwjY6auumd4qCR8Jvg==
$ vi iiq.properties
...look for and edit the appropriate lines...
#dataSource.username=identityiq
dataSource.username=iiq55
#dataSource.password=1:iCAlakm5CVUe7+Q6hVJIBA==
dataSource.password=1:R/BZIwjY6auumd4qCR8Jvg==
   :
   :
dataSource.url=jdbc:mysql://localhost/iiq55?useServerPrepStmts=true&tinyInt1isBit=true&useUnicode=true&characterEncoding=utf8
:wq

At this point, SailPoint IdentityIQ was pointing to the “new” database iiq55.
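The context-root rename (following the UPDATE’s advice to delete the WAR rather than rename it) and the iiq.properties edit above can be scripted as well. This is an added example, not the post’s or SailPoint’s code. It assumes Tomcat is already stopped, takes the webapps path, context names and property keys from the post, and uses the post’s encrypted password value purely as a placeholder for whatever WEB-INF/bin/iiq encrypt produced for you; the script and function names are its own. Two things it does that the manual steps do not: it leaves every non-datasource line untouched while commenting out the old values, and it restricts iiq.properties to its owner, because the “1:” value is encrypted with a key the product holds and is therefore as good as the cleartext to anyone who can read the file.

```shell
#!/bin/sh
# Added example, not from the original post: move an exploded IdentityIQ
# webapp to a new Tomcat context root and repoint its iiq.properties.
# Assumes Tomcat is already stopped. The webapps path, the names
# identityiq/iiq55 and the property keys are the post's; function names and
# the sample invocation are this script's own.

# Rename the exploded directory and delete (rather than rename) the WAR it
# was deployed from. With autoDeploy and unpackWARs on, Tomcat re-expands a
# WAR that is newer than its directory, which would overwrite patched files.
rename_context() {
  webapps="$1"; old="$2"; new="$3"
  if [ ! -d "$webapps/$old" ]; then
    echo "no exploded webapp at $webapps/$old" >&2; return 1
  fi
  if [ -e "$webapps/$new" ] || [ -e "$webapps/$new.war" ]; then
    echo "$new already exists under $webapps" >&2; return 1
  fi
  mv "$webapps/$old" "$webapps/$new" || return 1
  rm -f "$webapps/$old.war"
}

# Replace one key in a Java properties file, leaving the previous value as a
# commented line the way the post does; append the key if it is absent.
# awk does the edit so values containing & / = ? need no escaping, and the
# result is written back through the original inode to preserve ownership
# and mode.
set_prop() {
  file="$1"; key="$2"; value="$3"
  if grep -q "^$key=" "$file"; then
    awk -v k="$key" -v v="$value" '
      index($0, k "=") == 1 { print "#" $0; print k "=" v; next }
      { print }
    ' "$file" > "$file.tmp" && cat "$file.tmp" > "$file" && rm -f "$file.tmp"
  else
    printf '%s=%s\n' "$key" "$value" >> "$file"
  fi
}

# Point the datasource at the new database. The password is the output of
# `WEB-INF/bin/iiq encrypt`, which is reversible by anything holding the
# product's encryption key, so the file is locked down to its owner.
repoint_datasource() {
  props="$1"; db="$2"; user="$3"; enc_pw="$4"
  set_prop "$props" dataSource.username "$user" || return 1
  set_prop "$props" dataSource.password "$enc_pw" || return 1
  set_prop "$props" dataSource.url \
    "jdbc:mysql://localhost/$db?useServerPrepStmts=true&tinyInt1isBit=true&useUnicode=true&characterEncoding=utf8" || return 1
  chmod 600 "$props"
}

# Usage: ./move-context.sh /Library/Apache/Tomcat6/webapps identityiq iiq55 '1:R/BZIwjY6auumd4qCR8Jvg=='
if [ "$#" -eq 4 ]; then
  rename_context "$1" "$2" "$3" &&
    repoint_datasource "$1/$3/WEB-INF/classes/iiq.properties" "$3" "$3" "$4"
fi
```

One more thing about the manual step: running ../bin/iiq encrypt supersecret puts the cleartext password into your shell history. Remove that entry once you have the encrypted value, and make sure iiq.properties ends up owned by the account Tomcat runs as, not by your own login.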

Handling Proxying

I do run a front-end HTTP reverse proxy on my laptop as well. (More about front-ending your SailPoint IdentityIQ installation through an HTTP reverse proxy setup and why you would do this in a production setting in an upcoming article!) So I needed to update my proxy settings in the HTTP config for Apache:

$ vi /etc/apache2/extra/httpd-proxy.conf
...Edit the appropriate lines...
ProxyPass /iiq55/        http://localhost:8080/iiq55/
ProxyPassReverse /iiq55/ http://localhost:8080/iiq55/
:wq
$ ## Restart Apache
$ httpd -k restart

Spin ‘er Up!

I could now start my Tomcat server and let ‘er rip:

$ cd /Library/Apache/Tomcat6/bin
$ ./startup.sh

I browsed to: http://localhost/iiq55/ and everything worked just as expected.

Summary

So to summarize, the steps from a high level to move SailPoint IdentityIQ v5.5p6 over and make room for SailPoint IdentityIQ v6.0p5 were:

  1. Shut down Tomcat
  2. Back up the identityiq database
  3. Create the new iiq55 database, “use” it, and reload (source) from the database backup
  4. Create the new iiq55 service account in MySQL
  5. Rename my application directory and WAR to establish a new context root
  6. Point SailPoint IdentityIQ to the new database using the new credentials (w/encrypted password from iiq encrypt command)
  7. Update front-end HTTP reverse proxy settings and restart Apache (optional for most)
  8. Start up Tomcat

Now I’m ready to install a fresh copy of SailPoint IdentityIQ v6.0p5 on my laptop using the context root and service account name of iiq60. I’ll use the Tomcat manager to turn these on and off as I need them, or, assuming I have enough memory, I can actually run these side by side on my laptop. (Many of the steps I need to take will be similar to what it took to move identityiq to iiq55.)

Cheers from the Twin Cities!

Chris Olive

Chris Olive is a seasoned and passionate cybersecurity strategist, evangelist, consultant, trusted advisor, and hands-on technologist with over two decades of cybersecurity consulting experience in the US/UK governments, the Fortune 500, and large international companies all over the world. Chris has primary expertise in Identity Access Management and Identity Governance & Administration along with professional experience and expertise in Ethical Hacking & Penetration Testing, Secure Development, and Data Security & Encryption. Chris is a frequent writer, speaker, and evangelist on a range of cybersecurity topics. Chris is currently a Senior National Security Advisor & Architect for CDW -- a worldwide leader and innovator in solutioning, architecting, and delivering secure information technology solutions on-prem, in the cloud, multi-cloud, hybrid, or co-hosted leveraging the world's largest, best, and most trusted brands.