ID-Ent 130 Database Iss6

The Entrust Identity Enterprise 13.0 Database Configuration Guide provides comprehensive instructions for configuring the software with various supported databases, including IBM DB2, MySQL, Oracle, PostgreSQL, and SQL Server. It includes sections on database setup, schema installation, and performance troubleshooting, along with documentation conventions and technical assistance information. The document is subject to updates, and users are encouraged to provide feedback on the documentation.

Uploaded by

Mazen Mohamed

Entrust Identity Enterprise 13.

Database Configuration Guide


Document issue: 6.0

Date of Issue: October 2024


Copyright © 2024 Entrust Corporation. All rights reserved.

Entrust and the hexagon design are trademarks, registered
trademarks and/or service marks of Entrust Corporation in
Canada and the United States and in other countries. All
Entrust product names and logos are trademarks, registered
trademarks and/or service marks of Entrust Corporation. All
other company and product names and logos are
trademarks, registered trademarks and/or service marks of
their respective owners in certain countries.

This information is subject to change as Entrust reserves
the right to, without notice, make changes to its products
as progress in engineering or manufacturing methods or
circumstances may warrant.

Export and/or import of cryptographic products may be
restricted by various regulations in various countries. Export
and/or import permits may be required.

2 Entrust Identity Enterprise 13.0 Database Configuration Guide


Table of contents

About this guide
    Revision information
    Documentation conventions
        Note and Attention text
    Related documentation
    Obtaining documentation
        Documentation feedback
    Obtaining technical assistance
        Technical support
        Professional Services
        Training

Database overview
    Setting up the JDBC driver
    The Entrust Identity Enterprise schema
    Estimating database size
    Database for audit data
    Backing up the database

Configuring an IBM DB2 database
    Setting up the DB2 database
        Preparing the DB2 database for installation
        Installing the Entrust Identity Enterprise schema file for DB2
        Installing the JDBC driver files
    Gathering your configuration data
        Performance troubleshooting

Configuring a MySQL database
    Setting up the MySQL database
        Preparing the MySQL database for installation
        Installing the Entrust Identity Enterprise schema file for MySQL
        Installing the JDBC driver
    Gathering your configuration data

Configuring an Oracle Database
    Setting up the Oracle database
        Preparing the Oracle database for installation
        Installing the Entrust Identity Enterprise schema file for Oracle
        Installing the JDBC driver
    Gathering your configuration data

Configuring a PostgreSQL database
    Setting up the PostgreSQL database
        Preparing the PostgreSQL database for installation
        Installing the Entrust Identity Enterprise schema file for PostgreSQL
        Installing the JDBC driver
    Gathering your configuration data
    Post installation steps

Configuring an SQL Server database
    Setting up the SQL Server database
        Preparing the SQL Server database for installation
        Installing the Entrust Identity Enterprise schema file for SQL Server
        Installing the JDBC driver
    Gathering your configuration data

Index


About this guide


This guide provides an overview of how to configure Entrust Identity Enterprise to
operate with supported databases.
This chapter includes the following sections:
• “Revision information” on page 6
• “Documentation conventions” on page 7
• “Related documentation” on page 9
• “Obtaining documentation” on page 11
• “Obtaining technical assistance” on page 12

Revision information
Table 1: Revisions in this document

| Document issue and date | Section | Description |
|---|---|---|
| 6.0, October 2024 | “Configuring a PostgreSQL database” on page 49 | Updated the supported PostgreSQL versions. |
| 5.0, May 2024 | Table 5: “Configuration data for PostgreSQL” on page 53 | Updated the description for Database URL. |
| | Table 6: “Configuration data for SQL Server” on page 65 | Updated the description for Database URL. |
| 4.0, October 2022 | “Preparing the Oracle database for installation” on page 40 | Updated character set |
| | Throughout | Warning added to ensure file integrity is verified and organizational protocols are followed when downloading files. |
| 3.0, January 2022 | Throughout | Removed visible conditional text |
| 2.0, November 2021 | Table 6: “Configuration data for SQL Server” on page 65 | Based on Microsoft recommendation, removed selectMethod=cursor; from Database URL. |
| | “Configuration data for MySQL” on page 37 | Updated JDBC driver class name and note about useSSL parameter. |
| | Throughout | As of Release 13.0 Patch 315066, Entrust IdentityGuard is known as Entrust Identity Enterprise. |
| 1.0, December 2020 | All sections | First issue of this document for Entrust Identity Enterprise 13.0. |

Report any errors or omissions
Documentation conventions
Following are typographic conventions that may appear in this guide:

Table 2: Typographic conventions

| Convention | Purpose | Example |
|---|---|---|
| Bold text (other than headings) | Indicates graphical user interface elements and wizards. | Click Next. |
| Italicized text | Used for book or document titles. | Entrust Identity Enterprise Deployment Guide |
| Blue text | Used for hyperlinks to other sections in the document. | Entrust TruePass supports the use of many types of digital ID. |
| Underlined blue text | Used for Web links. | For more information, visit our Web site at www.entrust.com. |
| Courier type | Indicates installation paths, file names, Windows registry keys, commands, and text you must enter. | Use the entrust-configuration.xml file to change certain options for Verification Server. |
| Angle brackets <> | Indicates variables (text you must replace with your organization’s correct values). | By default, the entrust.ini file is located in <install_path>/conf/security/entrust.ini. |
| Square brackets [courier type] | Indicates optional parameters. | dsa passwd [-ldap] |

Note and Attention text


Throughout this guide there are paragraphs set off by ruled lines above and below
the text. These paragraphs provide key information with two levels of importance, as
shown below.

Note:
Information to help you maximize the benefits of your Entrust product.

Attention:
Issues that, if ignored, may seriously affect performance, security, or the operation
of your Entrust product.

Related documentation
Entrust Identity Enterprise is supported by a complete documentation suite:
• For instructions about installing and configuring the Entrust Identity
Enterprise Server, see the Entrust Identity Enterprise Installation Guide.
• For instructions about administering Entrust Identity Enterprise users and
groups, see the Entrust Identity Enterprise Administration Guide.
• For a full list and descriptions of the Entrust Identity Enterprise master user
shell commands, see the Entrust Identity Enterprise Master User Shell
Reference.
• For information about configuring Entrust Identity Enterprise to work with a
supported LDAP repository, see the Entrust Identity Enterprise Directory
Configuration Guide.
• For information about configuring Entrust Identity Enterprise to work with a
supported JDBC database, see the Entrust Identity Enterprise Database
Configuration Guide.
• For information about Entrust Identity Enterprise error messages, see the
Entrust Identity Enterprise Error Messages.
• For information about new features, limitations and known issues in the latest
release, see the Entrust Identity Enterprise Release Notes.
• For information about the Self-Service Module, see:
– Entrust Identity Enterprise Self-Service Module Installation and
Configuration Guide
– Entrust Identity Enterprise Self-Service Module Customization Guide
– Entrust Identity Enterprise Self-Service Module User Guide
• For information about integrating the authentication and administration
processes of your applications with Entrust Identity Enterprise, see the
Entrust Identity Enterprise Programming Guide that applies to your
development platform (either Java Platform or .NET).

Note:
If you are using a programming environment other than .NET or Java, you can
still connect applications to Entrust Identity Enterprise. Entrust Identity Enterprise
exposes a standard web-services interface for authentication and administration.
The server install ships the WSDL for these services in the
<IG_HOME>/client/doc directory. You can translate example code in the .NET
and Java guides into other languages.

• For Entrust Identity Enterprise product information and a data sheet, go to
http://www.entrust.com/products/

Obtaining documentation
Entrust product documentation, white papers, technical integration guides, technical
notes, and a comprehensive Knowledge Base are available through Entrust TrustedCare
Online. If you are registered for our support programs, you can use our Web-based
Entrust TrustedCare Online support services at:
https://trustedcare.entrust.com/TrustedCare/

Documentation feedback
You can rate and provide feedback about Entrust product documentation by completing
the online feedback form. You can access this form by
• clicking the Report any errors or omissions link located in the footer of Entrust
PDF documents (see bottom of this page).
• following this link: http://go.entrust.com/documentation-feedback
Feedback concerning documentation can also be directed to the Customer Support
email address.
support@entrust.com

Obtaining technical assistance
Entrust recognizes the importance of providing quick and easy access to our support
resources. The following subsections provide details about the technical support and
professional services available to you.

Technical support
Entrust offers a variety of technical support programs to help you keep Entrust
products up and running. To learn more about the full range of Entrust technical
support services, visit our Web site at:
http://www.entrust.com/
If you are registered for our support programs, you can use our Web-based support
services.
Entrust TrustedCare Online offers technical resources including Entrust product
documentation, white papers and technical notes, and a comprehensive Knowledge
Base at:
https://trustedcare.entrust.com/TrustedCare/
If you contact Entrust Customer Support, please provide as much of the following
information as possible:
• your contact information
• product name, version, and operating system information
• your deployment scenario
• description of the problem
• copy of log files containing error messages
• description of conditions under which the error occurred
• description of troubleshooting activities you have already performed

Telephone numbers
For support assistance by telephone call one of the numbers below:
• 1-877-754-7878 in North America
• 1-613-270-3700 outside North America

Email address
The email address for Customer Support is:
support@entrust.com

Professional Services
The Entrust team assists e-businesses around the world to deploy and maintain secure
transactions and communications with their partners, customers, suppliers and
employees. We offer a full range of professional services to deploy our e-business
solutions successfully for wired and wireless networks, including planning and design,
installation, system integration, deployment support, and custom software development.
Whether you choose to operate your Entrust solution in-house or subscribe to hosted
services, Entrust Professional Services will design and implement the right solution for
your e-business needs. For more information about Entrust Professional Services please
visit our Web site at:
http://www.entrust.com/services

Training
Through a variety of hands-on courses, Entrust delivers effective training for deploying,
operating, administering, extending, customizing and supporting any variety of Entrust
digital identity and information security solutions. Delivered by training professionals,
Entrust's professional training services help to equip you with the knowledge you need
to speed the deployment of your security platforms and solutions. Please visit our
training website at:
http://www.entrust.com/training

1

Database overview
This chapter provides information about using a database repository with Entrust
Identity Enterprise. Information that is common to all supported databases is included
in this chapter. Information specific to each supported database is documented in a
separate chapter.

Note:
You must follow and complete the instructions in this configuration guide dedicated
to your specific database before you install Entrust Identity Enterprise. For
information about installing and configuring Entrust Identity Enterprise, refer to
the Entrust Identity Enterprise Installation Guide.

This chapter provides information that applies to all databases supported by Entrust
Identity Enterprise:
• “Setting up the JDBC driver” on page 16
• “The Entrust Identity Enterprise schema” on page 17
• “Estimating database size” on page 18
• “Database for audit data” on page 22
• “Backing up the database” on page 23

Setting up the JDBC driver
Entrust Identity Enterprise communicates with the database using Java database
connectivity (JDBC), which is a standard SQL database interface.
Keep these points in mind when setting up JDBC:
• Obtain and install the appropriate version of the JDBC driver that supports
connectivity to your Entrust Identity Enterprise database.
• Install the driver in a location on the Entrust Identity Enterprise Server so that
Entrust Identity Enterprise can find the JAR files during configuration.
• Take note of that location, as you must provide it when you configure Entrust
Identity Enterprise later.

The Entrust Identity Enterprise schema
Each of the database-specific chapters in this book describes how to run the specific
Entrust Identity Enterprise schema file on your user database in preparation for
installing Entrust Identity Enterprise.
These files are accessible without installing Entrust Identity Enterprise by extracting
them as described in the Entrust Identity Enterprise Installation Guide.
The directory that holds the database-specific schema files also includes a drop
schema file for each database type. The drop schema files are not used for a normal
installation or upgrade. They are used only when removing the current instance
of Entrust Identity Enterprise to install a new instance.
After using the drop schema file, you run the appropriate schema file as described
in the database-specific chapters in this guide.

Estimating database size
No two databases will be the same. The number of policies, groups, roles, challenges,
and users will vary as will the attributes assigned to each and the authentication
methods used.
You can estimate the approximate disk space requirements of your Entrust Identity
Enterprise database using the applicable values below. Calculate the disk
requirements for an average user and multiply that by the number of users in your
system. Add to that number a value for all roles, all groups, all policies, and all
unassigned cards and tokens.

Note:
In its default configuration, Entrust Identity Enterprise does not index columns
used only for search and reporting operations. You can choose to index these
columns, but there is a performance cost in update and authentication
operations.

Table 1: Database disk space

| Information type | Table names | Data requirement |
|---|---|---|
| Global policy | globalpolicy | 0.5 KB. |
| Policies | policy, policy_cardspec, policy_passwordpolicy, policy_temppinspec, policy_userspec | 2.5 KB per policy spread across the five tables. |
| Users, user aliases, users’ Q&A challenges, users’ assigned grid cards, users’ assigned tokens, users’ certificates, users’ roles, users’ federations, users’ smart credentials, users’ digital IDs, user’s biometric data | users, aliases, challenges, cards, tokens, certificates, user_roles, federations, smartcredentials, smartcredentialvariables, digitalids, digitalid_clienttypes, biometrics | 1.5 KB minimum per user with one 5 by 10 card, one temporary PIN and one alias. Most data is in the users table. Other tables contain index entries. More space is needed for comments and extra aliases. Up to 1 MB per user (controlled by policy) when mutual authentication secrets are included. 100 bytes per user for a password. 50 bytes per user for each password history entry. Entrust Identity Enterprise policy determines how many password history entries a user can have. The default is 8. 50 to 100 bytes per user for each IP location entry. Entrust Identity Enterprise policy determines how many location entries a user can have. The default is 5. 100 bytes per user for each question and answer pair. 0.5 KB per user for each additional 5 by 10 card assigned. 0.5 KB per user when card usage tracking is enabled (for example, least used challenge). 0.5 KB per user for token assigned. 2 KB per certificate. 200 bytes per federation. 1 KB per unpersonalized smart credential (no photos, fingerprints, signatures, and so on). For personalized smart credentials, the amount of disk space required depends on what values are required: minimum 100 KB per photo, minimum 50 KB per signature, and minimum 25 KB per fingerprint. 0.5-1 KB per digital ID. Up to 1 KB per user for each biometric data. |
| Roles | roles | 1.5-2.5 KB per role, depending on the number of permissions assigned to the role. |
| Groups | groups | 0.5 KB per group. |
| IP Blacklist | ipblacklist | Up to 1 MB for the IP blacklist blob (varies with the size of the list). |
| Preproduced, unassigned cards | preproduced_cards | 0.5 KB per preproduced card. |
| Loaded, unassigned tokens | unassigned_tokens | 0.5 KB per unassigned token. |
| Unassigned smart credentials | unassigned_smartcredentials | 0.5 KB per unassigned smart credential. |
| Audits | audits | 0.5 KB per audit. |
| Transaction certificates | transcerts | 4 KB per certificate. Note: The number of transaction certificates is likely to be very small, so this table will have a minimal impact on space planning. |
| Partitions | entpartitions | 1 KB per partition. Note: The number of transaction certificates is likely to be very small, so this table will have a minimal impact on space planning. |
| CA certificates | cacertificates | 4 KB per certificate. |
| Smart credential policy (print modules, definitions, applets, graphics, and layouts) | smartcredential_printmodules, smartcredential_definitions, smartcredential_applets, smartcredential_graphics, smartcredential_layouts | For layouts, the amount of disk space required depends on what values are required (such as the number of graphics, photos, and security features). Some default layouts are 2 MB in size, while others are much smaller. 100 KB minimum per graphic. 100 KB minimum per applet. 10 KB for each smart credential definition and print module. |
| Digital ID configurations | digitalid_configs | 2 KB per digital ID configuration. |
| Managed CAs | managed_cas | 100 KB per managed CA. |
| Physical Access Systems (PACS) | pacs | 5 KB per PACS |
| Proxies | proxies | 5 KB per proxy |

For information on creating policies, groups, and users, refer to the Entrust Identity
Enterprise Server Administration Guide.
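
The calculation described in this section, worked through as an added example (it is not part of the Entrust guide or product). The class and function names are hypothetical, 1 KB is assumed to be 1024 bytes, and only the password, IP location, Q&A, grid card, token, certificate and federation figures from the Users row are modelled; ranges in the table are carried through as a low and a high bound.

```python
from dataclasses import dataclass

KB = 1024  # assumption: the guide does not say whether 1 KB means 1000 or 1024 bytes
HALF_KB = KB // 2


@dataclass
class UserProfile:
    """What an average user holds; the counts are inputs you supply."""
    password: bool = True
    password_history: int = 8    # guide: policy default
    ip_locations: int = 5        # guide: policy default
    qa_pairs: int = 0
    extra_grid_cards: int = 0    # cards beyond the one included in the base figure
    card_usage_tracking: bool = False
    tokens: int = 0
    certificates: int = 0
    federations: int = 0


@dataclass
class Deployment:
    """Counts of the shared objects the guide tells you to add on top of users."""
    users: int
    roles: int = 0
    groups: int = 0
    policies: int = 0
    unassigned_cards: int = 0
    unassigned_tokens: int = 0


def bytes_per_user(p):
    """Return (low, high) bytes for one user, from the Users row of Table 1."""
    fixed = 3 * HALF_KB  # 1.5 KB minimum: one 5 by 10 card, one temporary PIN, one alias
    if p.password:
        fixed += 100 + 50 * p.password_history
    fixed += 100 * p.qa_pairs
    fixed += HALF_KB * p.extra_grid_cards
    if p.card_usage_tracking:
        fixed += HALF_KB
    fixed += HALF_KB * p.tokens
    fixed += 2 * KB * p.certificates
    fixed += 200 * p.federations
    # Each IP location entry is quoted as a 50 to 100 byte range.
    return fixed + 50 * p.ip_locations, fixed + 100 * p.ip_locations


def estimate_bytes(d, p):
    """Return (low, high) bytes for the user database: users plus shared objects."""
    low_user, high_user = bytes_per_user(p)
    shared = (
        HALF_KB                       # global policy
        + 5 * HALF_KB * d.policies    # 2.5 KB per policy
        + HALF_KB * d.groups
        + HALF_KB * d.unassigned_cards
        + HALF_KB * d.unassigned_tokens
    )
    low = d.users * low_user + shared + 3 * HALF_KB * d.roles    # 1.5 KB per role
    high = d.users * high_user + shared + 5 * HALF_KB * d.roles  # 2.5 KB per role
    return low, high


def audit_bytes(audits_per_day, retention_days):
    """Bytes of audit rows kept for the retention period, at 0.5 KB per audit."""
    return audits_per_day * retention_days * HALF_KB


if __name__ == "__main__":
    # Constructed sample deployment, not taken from the guide.
    profile = UserProfile(qa_pairs=3, tokens=1)
    site = Deployment(users=10000, roles=5, groups=20, policies=3,
                      unassigned_cards=1000, unassigned_tokens=500)
    low, high = estimate_bytes(site, profile)
    print(f"user database: {low / KB**2:.1f} to {high / KB**2:.1f} MB")
    print(f"audits, 90 days: {audit_bytes(50000, 90) / KB**3:.2f} GB")
```

The result covers row data only; indexes you add for search and reporting columns, and the database engine's own overhead, come on top of it.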

Database for audit data
You can log audits to a database for later reporting, if desired. You must configure
this feature if you want to use the Entrust Identity Enterprise reporting facility to
create audit reports.
Your audits can be stored in the same database as your users are stored, or you
can configure a separate database (a separate database is recommended). You can
configure Entrust Identity Enterprise to store only the audits you choose, or you can
send all audits to the database.
Each audit requires approximately 500 bytes of storage. See the Entrust Identity
Enterprise Server Administration Guide for details about calculating how many audit
records your system could be generating over a given period of time.
The database size required to store Entrust Identity Enterprise audits is also affected
by the settings of the audit cleaning properties in Entrust Identity Enterprise. See the
Entrust Identity Enterprise Server Administration Guide for descriptions of the audit
cleaning properties.

Backing up the database
Your database stores all your Entrust Identity Enterprise user, policy, group, card,
token, certificate, and PVN data. A database failure can result in the loss of user
information, and may require that you reissue Entrust Identity Enterprise cards or
tokens.

Attention:
Back up your database on a regular basis. See the Entrust Identity Enterprise
Installation Guide for backup instructions.

2

Configuring an IBM DB2 database


This chapter provides instructions for configuring an IBM DB2 Universal database to
operate with Entrust Identity Enterprise.
Entrust Identity Enterprise supports IBM DB2 Universal versions 11.1 and 11.5.
The DB2 database administrator must be involved in planning and carrying out specific
tasks.
This chapter includes the following sections:
• “Setting up the DB2 database” on page 26.
• “Gathering your configuration data” on page 29.

Setting up the DB2 database
Before you install Entrust Identity Enterprise, you must prepare the DB2 database.
This section includes:
• “Preparing the DB2 database for installation” on page 26
• “Installing the Entrust Identity Enterprise schema file for DB2” on page 26
• “Installing the JDBC driver files” on page 27
Complete the procedures in this chapter before you install Entrust Identity Enterprise.

Note:
When preparing a DB2 database for Entrust Identity Enterprise, keep in mind the
languages that you need to support. For international English or non-English
environments, consult your DB2 documentation for more information on setting the
language variable.

Preparing the DB2 database for installation


Create a separate database for Entrust Identity Enterprise data. Make sure it has the
correct language setting. Here’s one example:
db2 create database entrust using codeset UTF-8 TERRITORY US
Also create a database user login account for use by Entrust Identity Enterprise. You
should provide sufficient privileges so that this user can administer and own the
Entrust Identity Enterprise database schema and data, including the database tables.

Installing the Entrust Identity Enterprise schema file for DB2


After you prepare the database, create the Entrust Identity Enterprise database tables
using the SQL command files included in the Entrust Identity Enterprise installation
package.
Extract the applicable archive file for your operating system. Refer to the Entrust
Identity Enterprise Installation Guide for details.

Attention:
Prior to any installation, ensure the integrity of all files being imported. Follow your
organizational standards and procedures, and ensure that all files are obtained
from a trusted source.

The schema files for DB2 are available under the IG_130/sql directory included with
the Entrust Identity Enterprise installation package. You can access them without
having to install Entrust Identity Enterprise. Run the applicable schema file as the
newly created Entrust Identity Enterprise database user.
Choose the appropriate schema file:
• If you are installing a new version of Entrust Identity Enterprise 13.0, use the
file db2_v130_schema.sql.
• If you are upgrading from Entrust Identity Enterprise 12.0, use the file
db2_v120_to_v130_upgrade.sql.
• If you are upgrading from an earlier version of Entrust Identity Enterprise,
you must first upgrade to release 12.0 and then follow the guidance for
upgrading from release 12.0. See the Entrust IdentityGuard 12.0 Installation
Guide.
Before you run the selected schema file, you must edit it for your installation.

To edit and run the SQL file


1 Copy the schema file to a working directory on the database server.
2 Open the schema file in an editor and insert lines like the following at the top
of the file:
connect to <igdb> user <igadmin> using <igpass>;
set schema <schemaname>;
Where:
• <igdb> is the name of the DB2 database created for Entrust Identity
Enterprise.
• <igadmin> is the Entrust Identity Enterprise database user.
• <igpass> is the Entrust Identity Enterprise database password.
• <schemaname> is the name of the schema.
3 Save and run the copied schema file on the database server. Here’s an example
using the DB2 command:
db2 -tf <schema-file>
Where <schema-file> is the full path name of the schema file you edited.
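
Steps 1 to 3 above as an added Python example, not Entrust code. It checks the extracted schema file against a SHA-256 digest before editing it, as the Attention note asks, and writes the working copy readable by its owner only, because the inserted connect line holds the database password in clear text. The function names, the expected-digest input and the plain-identifier rule are assumptions of this example.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Conservative rule chosen for this example: plain identifiers only, so a value
# cannot carry a second statement into the script.
_IDENT = re.compile(r"[A-Za-z][A-Za-z0-9_]*")


def sha256_of(path):
    """Return the hex SHA-256 digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def prepare_schema_file(source, workdir, expected_sha256,
                        igdb, igadmin, igpass, schemaname):
    """Verify the shipped schema file, then write the edited copy (steps 1 and 2)."""
    source = Path(source)
    actual = sha256_of(source)
    if actual != expected_sha256.lower():
        raise ValueError(f"integrity check failed for {source.name}: got {actual}")
    for label, value in (("igdb", igdb), ("igadmin", igadmin),
                         ("schemaname", schemaname)):
        if not _IDENT.fullmatch(value):
            raise ValueError(f"{label} is not a plain identifier: {value!r}")
    if not igpass or re.search(r"[\s;]", igpass):
        raise ValueError("password is empty or contains whitespace or ';'")

    header = (
        f"connect to {igdb} user {igadmin} using {igpass};\n"
        f"set schema {schemaname};\n"
    )
    target = Path(workdir) / source.name
    # O_EXCL refuses to overwrite an existing file; mode 0o600 keeps the
    # clear-text password away from other local accounts (POSIX systems).
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as out:
        out.write(header.encode("utf-8"))
        out.write(source.read_bytes())
    # Step 3: the command to run on the database server, returned rather than executed.
    return target, ["db2", "-tf", str(target)]


if __name__ == "__main__":
    # Constructed stand-in for db2_v130_schema.sql; every value here is a sample.
    with tempfile.TemporaryDirectory() as tmp:
        shipped = Path(tmp) / "db2_v130_schema.sql"
        shipped.write_bytes(b"CREATE TABLE sample (id INT);\n")
        work = Path(tmp) / "work"
        work.mkdir()
        # In practice the digest comes from your trusted source, not from the file itself.
        known_good = sha256_of(shipped)
        path, command = prepare_schema_file(
            shipped, work, known_good, "igdb", "igadmin", "ExamplePass1", "igadmin")
        print(" ".join(command))
        print(path.read_text().splitlines()[1])
```

Delete the working copy once the db2 command has finished, since it still contains the password.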

Installing the JDBC driver files


Locate the correct JDBC driver files. These are provided with your database software
or from a third-party vendor.
Entrust Identity Enterprise supports DB2 using the DB2 JDBC universal driver file
db2jcc4.jar. This is a platform-independent, type-4 driver that uses Java to
connect directly to DB2.

Place the JAR file in a location on the Entrust Identity Enterprise Server where the
person installing Entrust Identity Enterprise can find it during configuration.

Gathering your configuration data
You can now install Entrust Identity Enterprise. This section describes how to prepare
for this installation. Refer to the Entrust Identity Enterprise Installation Guide for
complete instructions.
As part of the Entrust Identity Enterprise installation procedure, the installer will
present questions or options about the database and JDBC files. Make a note of the
information requirements in the following table.

Table 2: Configuration data for DB2

Configuration data Description

JDBC driver JAR file name db2jcc4.jar


When installing an initial/primary instance, you must copy this
file to the $IGHOME/lib/db folder. The installation wizard
provides a reminder about this step.
Note: The JDBC files listed here are the minimum versions
supported. You can use higher build versions of these files.
Keep in mind that the newest builds of the JAR file may not
have been tested with Entrust Identity Enterprise.

JDBC driver class name You will be asked for the JDBC driver class you are using:
com.ibm.db2.jcc.DB2Driver

Database URL The URL will look like this:


jdbc:db2://<dbhost>:<dbport>/<mydbname>:retrieveMessagesFromServerOnGetMessage=true;
Where:
• dbhost is the name of the server that hosts the DB2
database
• dbport is the port number the database server listens
on. The default port number is 50000.
• mydbname is the name of the database created for Entrust
Identity Enterprise
• retrieveMessagesFromServerOnGetMessage=true;
Optional: During a connection to a data server, set
this property to true if you want full message text from
an SQLException.getMessage call.

DB2 database user Provide the name or ID of the account that Entrust Identity
Enterprise will use to log in and access your DB2 database.
Entrust Identity Enterprise uses this name together with the
database user password to log in to your database.


DB2 database user password Specify the password assigned to the DB2 database user.
Entrust Identity Enterprise uses this password together with
the database user to log in to your database.

DB2 database schema name Specify your database schema name. This name must match
the Entrust Identity Enterprise database user name value. If it
does not match, initialization will fail.

Performance troubleshooting
Problem: Unsatisfactory response times for administration and authentication requests
using tokens or grid cards.
Explanation: Slow response times could be caused by inefficient database queries.
This is most likely to occur if users have multiple tokens or grids and the number
of characters stored in the database columns for these authenticators exceeds the
default line lengths.
Solution: A database administrator can add a setting to the DB2 schema file to
better accommodate the size of INLINE blobs for DB2. This is not configured in the
DB2 schema packaged with Entrust Identity Enterprise server because it is not always
necessary and loading a schema with this change would cause errors in configurations
with smaller tablespace page sizes (<16k).

Note:
This solution requires use of a tablespace page size larger than 16k.

If your tablespace page size is 16K or larger and you want to implement this solution,
complete the following steps.
1 In DB2, enter the following command to allow any row length:
db2 update db cfg using extended_row_sz enable
2 Make a copy of the default DB2 schema file, db2_v130_schema.sql.
3 Open the copy in DB2, then add the following lines to allow the appropriate line
lengths.
ALTER TABLE users
ALTER COLUMN cards
SET INLINE LENGTH 2700;

ALTER TABLE users
ALTER COLUMN tokens
SET INLINE LENGTH 2200;
4 Load the updated schema file.

3 Configuring a MySQL database


This chapter provides instructions for configuring a MySQL database to operate with
Entrust Identity Enterprise.
Entrust Identity Enterprise supports MySQL versions 5.6, 5.7, and 8.x.
The MySQL database administrator must be involved in planning and carrying out
specific tasks.
This chapter includes the following sections:
• “Setting up the MySQL database”
• “Gathering your configuration data”

Setting up the MySQL database
Before you install Entrust Identity Enterprise, you must prepare the MySQL database.
This section includes:
• “Preparing the MySQL database for installation”
• “Installing the Entrust Identity Enterprise schema file for MySQL”
• “Installing the JDBC driver”
Remember to complete the procedures in this configuration guide before you install
Entrust Identity Enterprise.

Preparing the MySQL database for installation


Create a separate schema for Entrust Identity Enterprise data.
You also need to create a database user for use by Entrust Identity Enterprise with the
following privileges on the schema that will hold the Entrust Identity Enterprise data:
SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, and
ALTER.
This user will administer and own the Entrust Identity Enterprise database schema and
data, including the database tables.
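
To confirm that the account ended up with the privileges listed above and nothing broader, the following Python script compares SHOW GRANTS output with that list. It is an added example, not part of the Entrust guide or product; the names igdb and igadmin and the sample output lines are constructed for illustration.

```python
import re

# Privileges the guide lists for the Entrust Identity Enterprise schema.
REQUIRED = {"SELECT", "INSERT", "UPDATE", "DELETE", "CREATE", "DROP",
            "REFERENCES", "INDEX", "ALTER"}
GRANT_RE = re.compile(r"^GRANT (?P<privs>.+?) ON (?P<obj>\S+) TO (?P<tail>.+)$",
                      re.IGNORECASE)


def audit_grants(show_grants_lines, schema):
    """Return (missing, excess) for one account.

    missing: required privileges not granted on <schema>.*
    excess:  (privilege, object) pairs that go beyond the guide's list
    Only schema-level grants count towards 'missing'; column-level grants
    are not parsed.
    """
    granted, excess = set(), []
    for line in show_grants_lines:
        m = GRANT_RE.match(line.strip().rstrip(";"))
        if m is None:
            continue
        obj = m["obj"].replace("`", "")
        privs = {p.strip().upper() for p in m["privs"].split(",")}
        if "WITH GRANT OPTION" in m["tail"].upper():
            excess.append(("GRANT OPTION", obj))
        if obj == f"{schema}.*":
            if privs & {"ALL", "ALL PRIVILEGES"}:
                granted |= REQUIRED
                excess.append(("ALL PRIVILEGES", obj))
            else:
                granted |= privs & REQUIRED
                excess += [(p, obj) for p in sorted(privs - REQUIRED - {"USAGE"})]
        else:
            # USAGE means "no privileges"; anything else outside the schema is extra.
            excess += [(p, obj) for p in sorted(privs - {"USAGE"})]
    return sorted(REQUIRED - granted), excess


# Constructed SHOW GRANTS output (MySQL 8 quoting) for illustration.
SAMPLE_OK = [
    "GRANT USAGE ON *.* TO `igadmin`@`ig.example.com`",
    "GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, ALTER "
    "ON `igdb`.* TO `igadmin`@`ig.example.com`",
]
SAMPLE_BROAD = [
    "GRANT SELECT, FILE ON *.* TO `igadmin`@`%`",
    "GRANT ALL PRIVILEGES ON `igdb`.* TO `igadmin`@`%` WITH GRANT OPTION",
]

if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("broad", SAMPLE_BROAD)):
        missing, excess = audit_grants(sample, "igdb")
        print(name, "missing:", missing, "excess:", excess)
```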

Note:
When preparing a MySQL database for Entrust Identity Enterprise, keep in mind
the language and character set requirements of the country in which it will run.
See the latest MySQL reference manual.

Attention:
The MySQL repository name cannot contain a hyphen (-). When the repository
name includes a hyphen, the repository may not initialize correctly.

Installing the Entrust Identity Enterprise schema file for MySQL


After you create the Entrust Identity Enterprise database user and prepare the
schema, you can create the Entrust Identity Enterprise database tables using the
schema command file included in the Entrust Identity Enterprise installation package.

Extract the applicable archive file for your operating system. Refer to the Entrust
Identity Enterprise Installation Guide for details.
The schema files for MySQL are available under the IG_130/sql directory included
with the Entrust Identity Enterprise installation package. You can access them without
having to install Entrust Identity Enterprise. Run the applicable schema file as the
newly created Entrust Identity Enterprise database user.

Attention:
Prior to any installation, ensure the integrity of all files being imported. Follow your
organizational standards and procedures, and ensure that all files are obtained
from a trusted source.

Choose the appropriate schema file:


• If you are installing a new version of Entrust Identity Enterprise 13.0, use the
file mysql_v130_schema.sql.
• If you are upgrading from Entrust Identity Enterprise 12.0, use the file
mysql_v120_to_v130_upgrade.sql.
• If you are upgrading from an earlier version of Entrust Identity Enterprise,
you must first upgrade to release 12.0 and then follow the guidance for
upgrading from release 12.0. See the Entrust IdentityGuard 12.0 Installation
Guide.

Running the SQL file


There are several ways to run the above SQL files. The following example uses the
mysql command-line utility.

To run the SQL file


1 Copy the applicable schema file to a working directory on the database server.
2 Enter this command on the database server:
mysql
Enter the database server password when prompted.
3 In MySQL, enter the following commands:
use <database-name>;
\. <schema-file>

Where:
• <database-name> is the name of the database you created for Entrust
Identity Enterprise
• <schema-file> is the full path name to the SQL file

Installing the JDBC driver


Locate the correct JDBC driver file. It is provided with your database software or
from a third-party vendor.

Attention:
Prior to any installation, ensure the integrity of all files being imported. Follow your
organizational standards and procedures, and ensure that all files are obtained
from a trusted source.

Entrust Identity Enterprise supports MySQL’s Connector/J JDBC client driver. This is a
platform-independent, type-4 driver that has a complete JDBC feature set that
supports the capabilities of MySQL. The driver does not require you to have MySQL
client software installed, but does require that you configure the database server with
a TCP/IP listener.
Place the JAR file in a location on the Entrust Identity Enterprise Server where the
person installing Entrust Identity Enterprise can find it during configuration.

Gathering your configuration data
You can now install Entrust Identity Enterprise. This section describes how to prepare
for this installation. Refer to the Entrust Identity Enterprise Installation Guide for
complete installation instructions.
As part of the Entrust Identity Enterprise installation procedure, the installer will
present questions or options about the database and JDBC files. Make a note of the
information requirements in the following table.

Table 3: Configuration data for MySQL

Configuration data Description

JDBC driver JAR file name mysql-connector-java-8.0.x.jar


When installing an initial/primary instance, you must copy this
file to the $IGHOME/lib/db folder. The installation wizard
provides a reminder about this step.
Note: The JDBC files listed here are the minimum versions
supported. You can use higher build versions of these files.
Keep in mind that the newest builds of the JAR file may not
have been tested with Entrust Identity Enterprise.

JDBC driver class name You will be asked for the MySQL JDBC driver class you are
using:
com.mysql.cj.jdbc.Driver

Database URL Each JDBC driver defines its own syntax for the URL. Consult
the driver documentation for details. For the MySQL driver,
the URL will look like this:
jdbc:mysql://<dbhost>:<dbport>/<mydbname>
Where:
• dbhost is the name of the server that hosts the MySQL
database
• dbport is the database server port number (the default
is 3306)
• mydbname is the name of the database created for Entrust
Identity Enterprise that uniquely distinguishes it from any
other database on your system
Note: If you do not want to request an SSL connection,
include the ?useSSL=false parameter in the URL.
Example:
jdbc:mysql://db1.mycorp.com:3306/igdb?useSSL=false


MySQL database user name Specify the name or ID of the account you created earlier
under “Preparing the MySQL database for installation”.
Entrust Identity Enterprise uses this name together
with the database user password to log in to and access your
database.

MySQL database user password Provide the password assigned to the MySQL database user.
Entrust Identity Enterprise uses this password together with
the database user to log in to your database.

MySQL database schema name Specify your database schema name. This is typically the
same as the mydbname component of the database URL.

4 Configuring an Oracle Database


This chapter provides instructions for configuring an Oracle Database to operate with
Entrust Identity Enterprise.
Entrust Identity Enterprise supports Oracle Database versions 12c, 18c, and 19c.
The Oracle Database administrator must be involved in planning and carrying out
specific tasks.
This chapter includes the following sections:
• “Setting up the Oracle database”
• “Gathering your configuration data”

Setting up the Oracle database
Before you install Entrust Identity Enterprise, you must prepare the Oracle database.
This section includes:
• “Preparing the Oracle database for installation”
• “Installing the Entrust Identity Enterprise schema file for Oracle”
• “Installing the JDBC driver”
Remember to complete the procedures in this configuration guide before you install
Entrust Identity Enterprise.

Preparing the Oracle database for installation


Create a separate tablespace for Entrust Identity Enterprise data; that is, do not use
the System tablespace. In addition, create another tablespace for temporary data
created by Oracle operations such as sorting.
You also need to create a database user for use by Entrust Identity Enterprise with the
following privileges:
• Resource
• Create session
• Create view
• Create procedure
This user will administer and own the Entrust Identity Enterprise database schema and
data, including the database tables.

Note:
When preparing an Oracle database for Entrust Identity Enterprise, keep in mind
the language and character set requirements of the country in which it will run.
If needed, use the NLS_LANG parameter to set the working language. It is set
as a local environment variable on Linux. Entrust Identity Enterprise products use
Unicode AL32UTF8 as the default:

% setenv NLS_LANG AMERICAN_AMERICA.AL32UTF8

Consult the Oracle Database documentation for more information about setting
language and character sets.

The following procedure is an example of how to use SQL*Plus to create a tablespace
and database user for Entrust Identity Enterprise. See the Oracle Database
documentation for more information about creating tablespaces and database users.

To create a tablespace and database user for Entrust Identity Enterprise
1 Log in to SQL*Plus as a user with the SYSDBA privilege. For example:
sqlplus SYSTEM as SYSDBA
If prompted, enter the password for the database user.
2 If you are using the Pluggable database (multi-tenant) feature of Oracle Database:
a To see a list of pluggable databases and whether they are ready, enter the
following command:
SELECT name, open_mode FROM v$pdbs ORDER BY name;
A list of pluggable databases appears, along with their OPEN_MODE value:
NAME OPEN_MODE
------------------------------ ----------
PDB$SEED READ ONLY
PDBORCL MOUNTED
b If the pluggable database is not open (the OPEN_MODE value is not READ
WRITE), enter the following command to open the pluggable database:
alter pluggable database <pdb_name> open;
Where <pdb_name> is the name of the pluggable database. For example:
alter pluggable database pdborcl open;
c Switch to the pluggable database.
alter session set container=<pdb_name>;
Where <pdb_name> is the name of the pluggable database. For example:
alter session set container=pdborcl;
3 Create a tablespace for Entrust Identity Enterprise.
For example, to create a BIGFILE tablespace:
CREATE BIGFILE TABLESPACE <tablespace name>
DATAFILE '<data file>'
SIZE 512M
AUTOEXTEND ON
NEXT 128M
MAXSIZE unlimited
EXTENT MANAGEMENT LOCAL AUTOALLOCATE
ONLINE
PERMANENT
;

Where:
• <tablespace name> is a name for the tablespace that will contain Entrust
Identity Enterprise data.
• <data file> is a file name for the tablespace data file.
For example:
CREATE BIGFILE TABLESPACE identityguard
DATAFILE 'identityguard.dbf'
SIZE 512M
AUTOEXTEND ON
NEXT 128M
MAXSIZE unlimited
EXTENT MANAGEMENT LOCAL AUTOALLOCATE
ONLINE
PERMANENT
;
4 Enter the following lines to create a database user for Entrust Identity Enterprise.
This user will own the tablespace you created in the previous step.
CREATE USER <user name> IDENTIFIED BY <password>
DEFAULT TABLESPACE <tablespace name>
TEMPORARY TABLESPACE TEMP
;
Where:
• <user name> is a user name for the Entrust Identity Enterprise database
user. Entrust Identity Enterprise will connect to the database using this
database user.
• <password> is a password for the database user.
• <tablespace name> is the name of the tablespace you created to contain
Entrust Identity Enterprise data.
For example:
CREATE USER iguser IDENTIFIED BY example_password
DEFAULT TABLESPACE identityguard
TEMPORARY TABLESPACE TEMP
;
5 Create a new role with the required privileges:
CREATE ROLE <role name>;

GRANT resource, create session, create view, create procedure TO
<role name>;
Where <role name> is a name for the new role. For example:
CREATE ROLE IdentityGuardRole;
GRANT resource, create session, create view, create procedure TO
IdentityGuardRole;
6 Grant the new role to the Entrust Identity Enterprise database user:
GRANT <role name> TO <user name>;
Where:
• <role name> is the name of the role.
• <user name> is the user name of the database user you created for Entrust
Identity Enterprise.
For example:
GRANT IdentityGuardRole TO iguser;
7 Enter the following commands to grant the database user privileges on the
tablespace:
ALTER USER <user name> QUOTA 100M ON <tablespace name>;
GRANT UNLIMITED TABLESPACE TO <user name>;
Where:
• <user name> is the user name of the database user you created for Entrust
Identity Enterprise.
• <tablespace name> is the name of the tablespace you created to contain
Entrust Identity Enterprise data.
For example:
GRANT UNLIMITED TABLESPACE TO iguser;
ALTER USER iguser QUOTA 100M ON identityguard;
These commands prevent "ORA-01950: no privileges on tablespace"
errors.
8 Exit SQL*Plus.

Installing the Entrust Identity Enterprise schema file for Oracle


After you create the Entrust Identity Enterprise database user and prepare the
tablespaces, you can create the Entrust Identity Enterprise database tables using one
of the schema command files included in the Entrust Identity Enterprise installation
package.
Extract the applicable archive file for your operating system. Refer to the Entrust
Identity Enterprise Installation Guide for details.

Attention:
Prior to any installation, ensure the integrity of all files being imported. Follow your
organizational standards and procedures, and ensure that all files are obtained
from a trusted source.

The schema files for Oracle are available under the IG_130/sql directory. You can
access them without having to install Entrust Identity Enterprise. Run them as the
newly created Entrust Identity Enterprise database user.
Choose the appropriate schema file:
• If you are installing a new version of Entrust Identity Enterprise 13.0, use the
file oracle_v130_schema.sql.
• If you are upgrading from Entrust Identity Enterprise 12.0, use the file
oracle_v120_to_v130_upgrade.sql.
• If you are upgrading from an earlier version of Entrust Identity Enterprise,
you must first upgrade to release 12.0 and then follow the guidance for
upgrading from release 12.0. See the Entrust IdentityGuard 12.0 Installation
Guide.
There are several ways to run the SQL files. The following example shows how to
install or upgrade the Entrust Identity Enterprise schema in Oracle Database using
SQL*Plus.

To install the Entrust Identity Enterprise schema for Oracle Database using
SQL*Plus
1 Copy the applicable schema file to a working directory on the database server.
2 Log in to SQL*Plus as the Entrust Identity Enterprise user account you created
earlier. For example:
sqlplus iguser
or, if you are connecting to a pluggable database:
sqlplus iguser/example_password@//localhost:1521/pdborcl.example.com
If prompted, enter the password for the database user.
3 Enter the following command:
@<schema-file>
Where <schema-file> is the full path and file name of the applicable schema
file. For example:
@/tmp/IG_130/sql/oracle_v130_schema.sql

Installing the JDBC driver
Locate the correct JDBC driver file. It is provided with your database software or
from a third-party vendor.

Attention:
Prior to any installation, ensure the integrity of all files being imported. Follow your
organizational standards and procedures, and ensure that all files are obtained
from a trusted source.

Entrust Identity Enterprise supports Oracle’s JDBC thin client driver for the Oracle
Database, such as ojdbc10.jar. This driver is a platform-independent, type-4 driver
that uses Java to connect directly to Oracle. It implements Oracle's SQL*Net/Net8
and TTC adapters using its own TCP/IP-based Java socket implementation. The driver
does not require you to have Oracle client software installed, but does require that
you configure the database server with a TCP/IP listener.
Place the JAR file in a location on the Entrust Identity Enterprise Server where the
person installing Entrust Identity Enterprise can find it during configuration.

Gathering your configuration data
You can now install Entrust Identity Enterprise. This section describes how to prepare
for this installation. Refer to the Entrust Identity Enterprise Installation Guide for
complete installation instructions.
As part of the Entrust Identity Enterprise installation procedure, the installer will
present questions or options about the database and JDBC files. Make a note of the
information requirements in the following table.

Table 4: Configuration data for Oracle Database

Configuration data Description

JDBC driver JAR file name ojdbc10.jar


When installing an initial/primary instance, you must copy this
file to the $IGHOME/lib/db folder. The installation wizard
provides a reminder about this step.
Note: The JDBC files listed here are the minimum versions
supported. You can use higher build versions of these files.
Keep in mind that the newest builds of the JAR file may not
have been tested with Entrust Identity Enterprise.

JDBC driver class name You will be asked for the Oracle JDBC driver class you are
using:
oracle.jdbc.driver.OracleDriver


Database URL Each JDBC driver defines its own syntax for the URL. Consult
the driver documentation for details.
Attention: The Database URL cannot contain spaces. Entrust
Identity Enterprise interprets space-separated URLs as
multiple URLs for use in failover scenarios.
For a container database with the Oracle thin client driver,
the URL will typically look like this:
jdbc:oracle:thin:@<dbhost>:<dbport>:<SID>
Where:
• <dbhost> is the name of the server that hosts the
Oracle database.
• <dbport> is the database server port number (the
default is 1521).
• <SID> is the ID that uniquely distinguishes your Oracle
database from any other database that may be on your
system.
For example:
jdbc:oracle:thin:@oracledb.example.com:1521:orcl

For a pluggable database with the Oracle thin client driver,
the URL will typically look like this:
jdbc:oracle:thin:@<dbhost>:<dbport>/<server>
Where:
• <dbhost> is the name of the server that hosts the
Oracle database.
• <dbport> is the database server port number (the
default is 1521).
• <server> is the ID that uniquely distinguishes your
pluggable database from any other pluggable database that
may be on your system.
For example:
jdbc:oracle:thin:@oracledb.example.com:1521/pdborcl.example.com


Oracle database user Specify the name or ID of the database account through
which Entrust Identity Enterprise logs in and accesses your
Oracle database. Entrust Identity Enterprise uses this name
together with the database user password to log in to your
database.

Oracle database user password Provide the password assigned to the Oracle database user.
Entrust Identity Enterprise uses this password together with
the database user name to log in to your database.

Oracle database schema name Specify your database schema name. This name must match
the Entrust Identity Enterprise database user name value. If it
does not match, initialization will fail.

5 Configuring a PostgreSQL database


This chapter provides instructions for configuring a PostgreSQL database to operate
with Entrust Identity Enterprise.
Entrust Identity Enterprise supports PostgreSQL versions 12, 15, and 16.
The PostgreSQL database administrator must be involved in planning and carrying out
specific tasks.
This chapter includes the following sections:
• “Setting up the PostgreSQL database”
• “Gathering your configuration data”
• “Post installation steps”

Setting up the PostgreSQL database
Before you install Entrust Identity Enterprise, you must prepare the PostgreSQL
database.
This section includes:
• “Preparing the PostgreSQL database for installation”
• “Installing the Entrust Identity Enterprise schema file for PostgreSQL”
• “Installing the JDBC driver”
Remember to complete the procedures in this configuration guide before you install
Entrust Identity Enterprise.

Preparing the PostgreSQL database for installation


Create a separate database for Entrust Identity Enterprise data.
Create a PostgreSQL database user login account for use by Entrust Identity
Enterprise. The user’s role should provide sufficient privileges so that this user can
administer and own the Entrust Identity Enterprise database schema and data,
including the database tables.

Note:
When preparing a PostgreSQL database for Entrust Identity Enterprise, keep in
mind the language and character set requirements of the country in which it will
run. See the latest PostgreSQL reference manual.

Installing the Entrust Identity Enterprise schema file for PostgreSQL
After you prepare the database, create the Entrust Identity Enterprise database tables
using the applicable command file included in the Entrust Identity Enterprise
installation package.
Extract the applicable archive file for your operating system. Refer to the Entrust
Identity Enterprise Installation Guide for details on obtaining the file.

Attention:
Prior to any installation, ensure the integrity of all files being imported. Follow your
organizational standards and procedures, and ensure that all files are obtained
from a trusted source.

The schema files for PostgreSQL are available under the IG_130/sql directory
included in the Entrust Identity Enterprise installation package. You can access them
without having to install Entrust Identity Enterprise. Run the applicable schema file as
the newly created Entrust Identity Enterprise database user.
Choose the appropriate schema file:
• If you are installing a new version of Entrust Identity Enterprise 13.0, use the
file postgresql_v130_schema.sql.
• If you are upgrading from Entrust Identity Enterprise 12.0, use the file
postgresql_v120_to_v130_upgrade.sql.
• If you are upgrading from an earlier version of Entrust Identity Enterprise,
you must first upgrade to release 12.0 and then follow the guidance for
upgrading from release 12.0. See the Entrust IdentityGuard 12.0 Installation
Guide.

To load the SQL schema


1 Copy the applicable schema file to a working directory on the database server.
2 Open a command window and change to the directory where you copied the
schema file.
3 Connect to the database using the psql command, like this:
<path>\psql <dbname> <admin-name>
Where:
• <path> is the location of the PSQL program
• <dbname> is the database name
• <admin-name> is the database user you created who owns the database
For example, on Windows, enter a command like this:
"C:\Program Files\PostgreSQL\12\bin\psql" IG-db IGAdmin1
You are prompted for the <admin-name> password.
4 At the psql prompt (for example: IG-db=#), enter the command to import the
schema file like this:
\i postgresql_v130_schema.sql
or

\i postgresql_v120_to_v130_upgrade.sql
5 Exit the PSQL program.
\q

Installing the JDBC driver


Locate the correct JDBC driver file. It is provided with your database software or
from a third-party vendor.

Attention:
Prior to any installation, ensure the integrity of all files being imported. Follow your
organizational standards and procedures, and ensure that all files are obtained
from a trusted source.

Entrust Identity Enterprise supports PostgreSQL type-4 JDBC drivers. These are
platform-independent drivers that use Java to connect directly to PostgreSQL. The
drivers do not require you to have PostgreSQL client software installed on the Entrust
Identity Enterprise platform.
Place the applicable JAR file in a location on the Entrust Identity Enterprise Server
where the person installing Entrust Identity Enterprise can find it during configuration.

Gathering your configuration data
You can now install Entrust Identity Enterprise. This section describes how to prepare
for this installation. Refer to the Entrust Identity Enterprise Installation Guide for
complete installation instructions.
As part of the Entrust Identity Enterprise installation procedure, the installer will
present questions or options about the database and JDBC files. Make a note of the
information requirements in the following table.

Table 5: Configuration data for PostgreSQL

Configuration data Description

JDBC driver JAR file name postgresql-42.2.x.jar


When installing an initial/primary instance, you must copy this
file to the $IGHOME/lib/db folder. The installation wizard
provides a reminder about this step.
Note: The JDBC files listed here are the minimum versions
supported. You can use higher build versions of these files.
Keep in mind that the newest builds of the JAR file may not
have been tested with Entrust Identity Enterprise.

JDBC driver class name You will be asked for the name of the PostgreSQL JDBC
driver class you are using: org.postgresql.Driver.


Database URL Each JDBC driver defines its own syntax for the URL. Consult
the driver documentation for details. For the PostgreSQL
driver, the URL will look like this:
jdbc:postgresql://<dbhost>:<dbport>/<dbname>
or, if you have configured the PostgreSQL server to
accept encrypted connections (SSL), the URL
will look like this:
jdbc:postgresql://<dbhost>:<dbport>/<dbname>?sslmode=require

Note: These are the minimum settings for
the Database URL to use the encrypted
connection. If you want to further
secure the connection, refer to the
pgJDBC documentation, “Using SSL”
(postgresql.org), and modify the
Database URL accordingly.
To configure PostgreSQL for encrypted
connections on Windows, see “PostgreSQL:
Windows, Encrypted Connection (SSL)”
(Method Dev).

Where:
• <dbhost> is the name of the server that hosts the
PostgreSQL database.
• <dbport> is the database server port number (the
default is 5432).
• <dbname> is the name of your PostgreSQL database.

PostgreSQL database user Provide the name or ID of the account through which Entrust
Identity Enterprise logs in and accesses your PostgreSQL
database. Entrust Identity Enterprise uses this name together
with the database user password to log in to your database.


PostgreSQL database user password Specify the password assigned to the PostgreSQL database
user. Entrust Identity Enterprise uses this password together
with the database user to log in to your database.

PostgreSQL database schema name Specify your database schema name. It is public by default.
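
The rules stated in the configuration-data tables for DB2, MySQL, Oracle and PostgreSQL can be checked before the installer is run. The following Python script is an added example, not part of the Entrust guide or product; the finding codes, function names and sample values are assumptions made for illustration, and “repository name” is taken to mean the database name in the MySQL URL.

```python
import re

# URL shapes as given in the guide's configuration-data tables.
URL_SHAPES = {
    "db2": r"jdbc:db2://[^:/]+:\d+/(?P<db>[^:?;]+)(?::(?P<props>.*))?",
    "mysql": r"jdbc:mysql://[^:/]+:\d+/(?P<db>[^?]+)(?:\?(?P<props>.*))?",
    "oracle": r"jdbc:oracle:thin:@[^:/]+:\d+[:/](?P<db>[^?]+)",
    "postgresql": r"jdbc:postgresql://[^:/]+:\d+/(?P<db>[^?]+)(?:\?(?P<props>.*))?",
}
PROP_SEPARATOR = {"db2": ";", "mysql": "&", "postgresql": "&"}
SCHEMA_MUST_EQUAL_USER = {"db2", "oracle"}  # stated in the DB2 and Oracle tables


def _props(raw, sep):
    """Parse 'k=v<sep>k=v' into a dict with lower-cased keys and values."""
    pairs = (p.split("=", 1) for p in (raw or "").split(sep) if "=" in p)
    return {k.strip().lower(): v.strip().lower() for k, v in pairs}


def _check_url(db_type, url):
    """Check one URL; only the parameters shown in the guide are inspected."""
    if "<" in url or ">" in url:
        return [("PLACEHOLDER_LEFT", url)]  # e.g. an unreplaced <dbport>
    m = re.fullmatch(URL_SHAPES[db_type], url)
    if m is None:
        return [("URL_SYNTAX", url)]
    found = []
    props = _props(m.groupdict().get("props"), PROP_SEPARATOR.get(db_type, "&"))
    if db_type == "mysql":
        if "-" in m["db"]:  # guide: a hyphenated name may not initialize
            found.append(("MYSQL_NAME_HYPHEN", m["db"]))
        if props.get("usessl") == "false" or props.get("sslmode") == "disabled":
            found.append(("TLS_DISABLED", url))  # credentials travel unencrypted
    elif db_type == "postgresql":
        mode = props.get("sslmode")
        if mode not in ("require", "verify-ca", "verify-full"):
            found.append(("TLS_NOT_REQUIRED", url))
        elif mode == "require":  # encrypted, but the server certificate is not checked
            found.append(("TLS_CERT_NOT_VERIFIED", url))
    return found


def preflight(db_type, url_field, user, schema):
    """Return a list of (code, detail) findings for one set of installer answers."""
    urls = url_field.split()
    findings = []
    if not urls:
        findings.append(("URL_MISSING", ""))
    if len(urls) > 1:  # the product reads space-separated URLs as failover URLs
        findings.append(("MULTIPLE_URLS", str(len(urls))))
    for url in urls:
        findings.extend(_check_url(db_type, url))
    # Compared exactly; adjust if your database folds identifier case.
    if db_type in SCHEMA_MUST_EQUAL_USER and schema != user:
        findings.append(("SCHEMA_USER_MISMATCH", f"{schema} != {user}"))
    return findings


# Constructed installer answers for illustration: (db_type, url, user, schema).
SAMPLES = [
    ("db2", "jdbc:db2://db2.example.com:50000/igdb:"
            "retrieveMessagesFromServerOnGetMessage=true;", "igadmin", "igadmin"),
    ("mysql", "jdbc:mysql://db1.mycorp.com:3306/igdb?useSSL=false", "igadmin", "igdb"),
    ("oracle", "jdbc:oracle:thin:@a.example.com:1521:orcl "
               "jdbc:oracle:thin:@b.example.com:1521:orcl", "iguser", "igschema"),
    ("postgresql", "jdbc:postgresql://pg.example.com:5432/igdb?sslmode=require",
     "igadmin", "public"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample[0], [code for code, _ in preflight(*sample)])
```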

Post installation steps
Follow the steps below to complete the PostgreSQL configuration.

To complete the post-installation steps


1 Locate the postgresql.conf configuration file on your database server, and
add the following setting (if it is not already present):
standard_conforming_strings = on
2 If you installed Entrust Identity Enterprise on a separate computer from your
PostgreSQL server, you must complete the following steps so that the
PostgreSQL server allows connections from Entrust Identity Enterprise:
a In the postgresql.conf file, modify the listen_addresses setting to
include the address of Entrust Identity Enterprise.
b In the pg_hba.conf file, enable host-based authentication for the server
that will host Entrust Identity Enterprise. For details about this file, see the
PostgreSQL documentation.
c Restart the PostgreSQL server.

6 Configuring an SQL Server database


This chapter provides instructions for configuring a Microsoft SQL Server database to
operate with Entrust Identity Enterprise.
Entrust Identity Enterprise supports Microsoft SQL Server 2012, 2012 R2, 2014,
2016, 2017, 2019 and 2022. Express Edition is supported only for database audits.
The SQL Server database administrator must be involved in planning and carrying out
specific tasks.
This chapter includes the following sections:
• “Setting up the SQL Server database”
• “Gathering your configuration data”

Setting up the SQL Server database
Before you install Entrust Identity Enterprise, you must prepare the SQL Server
database.
This section includes:
• “Preparing the SQL Server database for installation”
• “Installing the Entrust Identity Enterprise schema file for SQL Server”
• “Installing the JDBC driver”
Remember to complete the procedures in this configuration guide before you install
Entrust Identity Enterprise.

Note:
When preparing an SQL Server database for Entrust Identity Enterprise, keep in
mind the languages that you need to support. For international English or
non-English environments, consult your SQL Server documentation for more
information on setting the language variable.

Preparing the SQL Server database for installation


Create a separate database for Entrust Identity Enterprise data. This database should
not be set up with administrator (dbo) privileges.

To create an SQL Server database and user account


1 Create a database that will hold the Entrust Identity Enterprise data.
When you create the schema for Entrust Identity Enterprise, give it a descriptive
name such as igadmin. If the schema does not yet exist, it will be created
automatically. If you do not name the schema explicitly, the schema name will
default to dbo.
2 To improve database concurrency, particularly with long list operations in Entrust
Identity Enterprise, turn read_committed_snapshot on. For example:
alter database igadmin
set read_committed_snapshot on
go
In the above example, igadmin is the name of the database for Entrust Identity
Enterprise. For more information about the read_committed_snapshot
setting, see the SQL Server documentation.

3 Create a database user login account (igadmin, for example) and set this user's
default database to the database you just created.
4 Give the user access to the new database, and permit these roles:
• public
• db_owner
• db_ddladmin
• db_datareader
• db_datawriter

Note:
The db_owner and db_ddladmin roles are required for adding the Entrust Identity
Enterprise schema, but are not needed for normal Entrust Identity Enterprise
operations. After adding the Entrust Identity Enterprise schema, you can
optionally remove the db_owner and db_ddladmin roles from the database user.

Installing the Entrust Identity Enterprise schema file for SQL Server

After you prepare the database, create the Entrust Identity Enterprise database tables
using the applicable command file included in the Entrust Identity Enterprise
installation package.
Extract the applicable archive file for your operating system. Refer to the Entrust
Identity Enterprise Installation Guide for details.
The schema files for SQL Server are available under the IG_130/sql directory
included in the Entrust Identity Enterprise installation package. You can access them
without installing Entrust Identity Enterprise.

Attention:
Prior to any installation, ensure the integrity of all files being imported. Follow your
organizational standards and procedures, and ensure that all files are obtained
from a trusted source.

Run the applicable schema file as the newly created Entrust Identity Enterprise
database user.

Choose the appropriate schema file:
• If you are installing a new version of Entrust Identity Enterprise 13.0, use the
file sqlserver_v130_schema.sql.
• If you are upgrading from Entrust Identity Enterprise 12.0, use the file
sqlserver_v120_to_v130_upgrade.sql.
• If you are upgrading from an earlier version of Entrust Identity Enterprise,
you must first upgrade to release 12.0 and then follow the guidance for
upgrading from release 12.0. See the Entrust IdentityGuard 12.0 Installation
Guide.
Before you run the schema file, you must edit it for your installation.

To edit and run the SQL file


1 Copy the applicable schema file to a working directory on the database server.
2 Open it in an editor. It looks like this:
[Figure: the schema file open in an editor]

3 Uncomment the line USE igdb; and replace igdb with the name of the
database created for Entrust Identity Enterprise. Usually, the database is named
to match the name of the user that owns the database. To uncomment, remove
the dashes and leading space ( --).
4 Save the schema file on the database server. Usually, the schema is named to
match the name of the user that owns the database.
5 Double-click the schema file.

A login prompt appears. For example:
[Figure: the login prompt]

6 Enter the user name and password of the database login account created for
Entrust Identity Enterprise.
7 Click Connect.

The schema appears in Microsoft SQL Server Management Studio. For example:
[Figure: the schema file open in Microsoft SQL Server Management Studio]

8 Click inside the schema file (middle pane) to enable the Execute button.
9 Click Execute.
Your schema file loads.
Now, verify the schema name to which the Entrust Identity Enterprise objects are
associated.

To verify the database schema


1 Open the database.
2 View the tables. The list of tables includes the associated schema name for each
table.
3 Look for the Entrust Identity Enterprise table called tokens. The associated
schema should not be dbo; that is, it should not have administrator privileges.
4 If the schema is dbo, it probably means that the server roles were assigned
while you were creating the database user. If the schema is dbo:

a Modify the database properties to change the schema name from dbo to
igadmin (or whatever name you gave the schema above).
b Drop the Entrust Identity Enterprise tables.
c Reload the Entrust Identity Enterprise schema.

Installing the JDBC driver


Locate the correct JDBC driver file.

Attention:
Prior to any installation, ensure the integrity of all files being imported. Follow your
organizational standards and procedures, and ensure that all files are obtained
from a trusted source.

• For Microsoft SQL Server 2022, download and unpack the Microsoft JDBC
Driver 12.6 for SQL Server package from
https://learn.microsoft.com/en-us/sql/connect/jdbc/download-microsoft-jdbc-driver-for-sql-server?view=sql-server-ver16#:~:text=Java%2Denabled%20applet.-,Download,-Version%2012.6%20is
• For Microsoft SQL Server 2019, download and unpack the Microsoft JDBC
Driver 8.4 for SQL Server package from
https://docs.microsoft.com/en-us/sql/connect/jdbc/download-microsoft-jdbc-driver-for-sql-server?view=sql-server-ver15
Entrust Identity Enterprise uses AdoptOpenJDK 11, so from the downloaded
package, select the mssql-jdbc-8.4.1.jre11.jar file. Place the JAR
file in a location on the Entrust Identity Enterprise Server where the person
installing Entrust Identity Enterprise can find it during configuration.
• For Microsoft SQL Server 2017, download and unpack the Microsoft JDBC
Driver 7.0 for SQL Server package from
https://www.microsoft.com/en-us/download/details.aspx?id=58505
Entrust Identity Enterprise uses AdoptOpenJDK 11, so from the downloaded
package, select the mssql-jdbc-7.4.1.jre11.jar file. Place the JAR
file in a location on the Entrust Identity Enterprise Server where the person
installing Entrust Identity Enterprise can find it during configuration.
• For Microsoft SQL Server 2016, download and unpack the Microsoft JDBC
Driver 7.4 for SQL Server package from
https://www.microsoft.com/en-us/download/details.aspx?id=58505
Entrust Identity Enterprise uses AdoptOpenJDK 11, so from the downloaded
package, select the mssql-jdbc-7.4.1.jre11.jar file. Place the JAR
file in a location on the Entrust Identity Enterprise Server where the person
installing Entrust Identity Enterprise can find it during configuration.

Gathering your configuration data
You can now install Entrust Identity Enterprise. This section describes how to prepare
for this installation. Refer to the Entrust Identity Enterprise Installation Guide for
complete installation instructions.
As part of the Entrust Identity Enterprise installation procedure, the installer will
present questions or options about the database and JDBC files. Make a note of the
information requirements in Table 6.

Table 6: Configuration data for SQL Server

Configuration data Description

JDBC driver JAR file name
You will be asked for the name of the JDBC file during
installation. For example, use one of the files listed in
“Installing the JDBC driver”.
When installing an initial/primary instance, you must copy this
file to the $IGHOME/lib/db folder. The installation wizard
provides a reminder about this step.
Note: The JDBC files listed here are the minimum versions
supported. You can use higher build versions of these files.
Keep in mind that the newest builds of the JAR file may not
have been tested with Entrust Identity Enterprise.

JDBC driver class name
You will be asked for the name of the SQL Server JDBC
driver class you are using.
com.microsoft.sqlserver.jdbc.SQLServerDriver

Database URL
Each JDBC driver defines its own syntax for the URL. Consult
the driver documentation for details.
For the SQL Server thin client driver, the URL looks like this:
jdbc:sqlserver://<dbhost>:<dbport>;databaseName=<dbname>;
If you have configured the MS SQL Server to accept
encrypted (SSL) connections, the URL looks like this:
jdbc:sqlserver://<dbhost>:<dbport>;databaseName=<dbname>;encrypt=true;trustServerCertificate=true;

Note: These are the minimum settings for the Database URL to use
the encrypted connection. If you want to further secure the
connection, refer to the MS SQL Server documentation,
"Configure SQL Server Database Engine for encryption - SQL Server | Microsoft Learn",
and
https://learn.microsoft.com/en-us/dotnet/framework/data/adonet/connection-string-syntax#connecting-and-attaching-to-sql-server-express-user-instances
and modify the Database URL accordingly.

Where:
• dbhost is the name of the server that hosts the SQL
Server database
• dbport is the database server port number, for example:
1433
• dbname is the name of your SQL Server database

SQL Server database user password
You will be asked for the user name and password of the
SQL Server database user. You created this user in “To create
an SQL Server database and user account”.
Entrust Identity Enterprise uses this password together with
the database user to log in to your database.

SQL Server database schema name
Specify your database schema name. It is dbo by default
for a user who has administrator privileges, but for a
production system, it is typically the name of the user account
of the owner of the database.
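
The encrypted Database URL forms given for PostgreSQL and for SQL Server turn encryption on but leave the server certificate unchecked (sslmode=require in pgJDBC, trustServerCertificate=true in the Microsoft driver). The Python check below is an added example, not part of the Entrust guide or product; it reports what a given Database URL leaves unverified, and its function names, finding codes and sample host are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# What each pgJDBC sslmode value leaves unchecked (empty list: nothing to report).
PG_SSLMODE_FINDINGS = {
    "disable": ["ENCRYPTION_NOT_ENFORCED"],
    "allow": ["ENCRYPTION_NOT_ENFORCED"],
    "prefer": ["ENCRYPTION_NOT_ENFORCED"],
    "require": ["SERVER_CERT_NOT_VALIDATED"],
    "verify-ca": ["HOSTNAME_NOT_VERIFIED"],
    "verify-full": [],
}

def audit_postgresql(url):
    # pgJDBC reads connection properties from the URL query string.
    params = parse_qs(urlsplit(url[len("jdbc:"):]).query)
    if "sslmode" not in params:
        return ["SSLMODE_NOT_SET"]
    mode = params["sslmode"][-1].lower()
    return PG_SSLMODE_FINDINGS.get(mode, ["UNKNOWN_SSLMODE"])

def audit_sqlserver(url):
    # mssql-jdbc reads ';'-separated key=value properties after host:port.
    props = {}
    for item in url.split(";")[1:]:
        key, sep, value = item.partition("=")
        if sep:
            props[key.strip().lower()] = value.strip().lower()
    encrypt = props.get("encrypt")
    if encrypt is None:
        return ["ENCRYPT_NOT_SET"]  # effective value depends on the driver version
    if encrypt == "strict":
        return []
    if encrypt != "true":
        return ["ENCRYPTION_NOT_ENFORCED"]
    if props.get("trustservercertificate") == "true":
        return ["SERVER_CERT_NOT_VALIDATED"]
    return []

def audit_jdbc_url(url):
    """Return finding codes for the transport-security settings in a JDBC URL."""
    if url.startswith("jdbc:postgresql://"):
        return audit_postgresql(url)
    if url.startswith("jdbc:sqlserver://"):
        return audit_sqlserver(url)
    return ["UNSUPPORTED_DRIVER"]

if __name__ == "__main__":
    # Constructed URL in the shape of the guide's encrypted SQL Server example.
    print(audit_jdbc_url("jdbc:sqlserver://db.example.internal:1433;"
                         "databaseName=igadmin;encrypt=true;trustServerCertificate=true;"))
```

An empty list means the URL asks the driver to encrypt and to validate the server certificate; the server must then present a certificate that the Entrust Identity Enterprise host trusts.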
