One Identity Manager 8.0. Installation Guide

Transcription

1 One Identity Manager 8.0 Installation Guide

2 Copyright 2017 One Identity LLC. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser s personal use without the written permission of One Identity LLC. The information in this document is provided in connection with One Identity products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of One Identity LLC products. EXCEPT AS SET FORTH IN THE TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, ONE IDENTITY ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON- INFRINGEMENT. IN NO EVENT SHALL ONE IDENTITY BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF ONE IDENTITY HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. One Identity make no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. One Identity do not make any commitment to update the information contained in this document. If you have any questions regarding your potential use of this material, contact: One Identity LLC. Attn: LEGAL Dept 4 Polaris Way Aliso Viejo, CA Refer to our Web site ( for regional and international office information. Patents One Identity is proud of our advanced technology. Patents and pending patents may apply to this product. For the most current information about applicable patents for this product, please visit our website at Trademarks One Identity and the One Identity logo are trademarks and registered trademarks of One Identity LLC. in the U.S.A. and other countries. For a complete list of One Identity trademarks, please visit our website at All other trademarks are the property of their respective owners. Legend WARNING: A WARNING icon indicates a potential for property damage, personal injury, or death. CAUTION: A CAUTION icon indicates potential damage to hardware or loss of data if instructions are not followed. IMPORTANT, NOTE, TIP, MOBILE, or VIDEO: An information icon indicates supporting information. One Identity Manager Installation Guide Updated - November 2017 Version - 8.0

3 Contents About this Guide 8 One Identity Manager Overview 9 One Identity Manager Editions 9 One Identity Manager Architecture 10 One Identity Manager Tools 13 Which Components and Front-ends Work with an Application Server? 17 Installation Prerequisites 19 Minimum System Requirements for the Database Server 20 Additional System Requirements for Implementing an SQL Server Database 21 Additional System Requirements for Implementing an Oracle Database 22 Minimum System Requirements for Administrative Workstations 24 Minimum System Requirements for the Service Server 25 Minimum System Requirements for the Web Server 27 Minimum System Requirements for the Application Server 29 Users and Permissions for One Identity Manager 30 Permissions for SQL Server Database Users 32 Permissions for Oracle Database Users 33 Setting up Permissions for Creating an HTTP Server 35 Communications Port and Firewall Configuration 36 Installing One Identity Manager 37 Before You Start Installing One Identity Manager 38 Installing One Identity Manager Components 39 Installing One Identity Manager on a Windows Terminal Server 41 Installing and Configuring a One Identity Manager Database 42 Starting the Configuration Wizard 44 Creating a New SQL Server Database 45 Using an Existing Empty SQL Server Database 47 Setting up a new Oracle Database User 48 Using an Existing Empty Oracle Database User 50 Editing the Database 51 3

4 Entering System Data 52 Installing the One Identity Manager Service for the Database 54 Configuring a One Identity Manager Database for Testing, Development or Production 56 Encrypting Data in a Database 57 Creating a New Database Key and Encrypting Database Data 58 Modifying a Database Key and Encrypting Database Data 59 Re-encrypting Database Data 60 Decrypting Database Data 61 Advice for Working with an Encrypted One Identity Manager Database 62 Vendor Notification in One Identity Manager 63 Enabling Vendor Notification 64 Checking for Vendor Notification 64 Disabling Vendor Notification 65 Installing and Configuring the One Identity Manager Service 66 Displaying the One Identity Manager Service Log File 69 Changing the User Account or One Identity Manager Service Start Type 70 The One Identity Manager Service in a Cluster 71 Registering the One Identity Manager Service in a Cluster 72 Installing and Configuring the One Identity Manager Service in a Cluster 73 Updating One Identity Manager 75 Updating One Identity Manager Components 76 Updating One Identity Manager Components with the Installation Wizard 77 Updating the One Identity Manager Database 78 Updating the One Identity Manager Database with the Configuration Wizard 79 Updating the SQL Server Database 80 Updating the Oracle Database user 82 Editing the Database during Update 84 Installing a Hotfix in the One Identity Manager Database 85 Displaying Contents of a Transport Package with the Database Transporter 86 Importing a Transport Package with the Database Transporter 87 Importing Files with the Software Loader 88 Automatic Updating of the One Identity Manager 90 Basics for Automatic Update 91 Implementing Automatic Software Update 93 4

5 Installing and Updating a One Identity Manager Application Server 96 Installing a One Identity Manager Application Server 96 Updating a One Identity Manager Application Server 100 Displaying One Identity Manager Application Server Status 100 Uninstalling a One Identity Manager Application Server 101 Installing, Configuring and Maintaining the Web Portal 102 Installing the Web Portal 102 Installing the Web Portal over the Command Line 106 Uninstalling the Web Portal 110 Configuring the Web Portal 110 Database Connection 111 Web project 112 Log 113 Automatic update 114 Web Settings 115 Cache 115 Debugger Service 115 Search Service 116 Web Portal Maintenance 116 Runtime Monitoring 117 Security 117 Viewing Log Files and Exceptions 117 Using Automatic Updating for the Web Portal 118 Maintenance Mode 118 Manual Updating 119 Monitoring with Help from Performance Counters 119 Installing the Operations Support Web Portal 121 Installing and Updating the Manager Web Application 122 Installing the Manager Web Application 122 Updating the Manager Web Application 125 Uninstalling the Manager Web Application 126 Logging into One Identity Manager Tools 127 Logging into a One Identity Manager Database as a Database User 128 Logging into One Identity Manager Administration Tools as a System User 133 5

6 Enabling other Authentication Modules 134 Enabling other Login Languages 135 Troubleshooting 136 Displaying the Transport History and Testing the One Identity Manager Version 136 Handling Errors and Warnings during System Compilation 137 Checking Data Consistency 138 DBQueue Processor does not process tasks 139 Error: Enter address in configuration parameter 141 Database error 50000: Job queue is not empty. This may cause in deadlocks while compiling database. 148 Error: Database error migrating a database in an SQL Server AlwaysOn availability group 148 Appendix: One Identity Manager Authentication Modules 150 Appendix: Creating a One Identity Manager Database for a Test or Development Environment from a Database Backup 179 Appendix: Manager Web Application Extended Configuration 181 General known issues 182 Database Connection 182 Security 183 Debugging 184 Performance 185 File Download 185 ASP.Net Basic Settings 186 Directories 186 Application Pool 187 Plugins 188 Load Balancing 188 Single Sign-On 189 Appendix: Machine Roles and Installation Packages 191 Appendix: Settings for a New SQL Server Database 193 About us 195 Contacting us 195 Technical support resources 195 6

7 Index 196 7

8 1 About this Guide This guide describes the installation and initial start up of the One Identity Manager. You will gain an overview of the One Identity Manager architecture and the functionality of the various One Identity Manager tools. You also gain information about which prerequisites you require for installing One Identity Manager, how to set up, install and update One Identity Manager components. This guide is intended for end users, system administrators, consultants, analysts, and any other IT professionals using the product. NOTE: This guide describes One Identity Manager functionality available to the default user. It is possible that not all the functions described here are available to you. This depends on your system configuration and permissions. About this Guide 8

9 2 One Identity Manager Overview One Identity Manager simplifies the process of managing user identities, access permissions and security policies. You allow the company control over identity management and access decisions whilst the IT team can focus on their core competence. With this product, you can: Implement group management using self service and attestation for Active Directory with the One Identity Manager Active Directory Edition Simplify access decisions for restructuring data with the One Identity Manager Data Governance Edition Realize Access Governance demands cross-platform within your entire company with One Identity Manager Every one of these scenario specific products is based on an automation-optimized architecture that addresses major identity and access management challenges at a fraction of the complexity, time, or expense of "traditional" solutions. One Identity Manager Editions One Identity Manager is available in the following editions. Table 1: One Identity Manager Editions Edition One Identity Manager One Identity Manager Active Directory Edition Description This edition contains all management modules (IT Shop & workflow, delegation, system role and business role management, role mining, risk assessment, attestation, compliance, company policies, report subscriptions) as well as Unified Namespace and connectors for Active Directory. This editions contains all the functionality required for Active Directory support including connectors for Active Directory, attestation, IT Shop & workflows and report functions. One Identity Manager Overview 9

10 Edition One Identity Manager Data Governance Edition Description This editions contains the features required for data governance support including the connectors for Active Directory and SharePoint, risk assessment, attestation, compliance, company policies, delegation, report subscriptions and the Data Governance service. One Identity Manager Architecture Figure 1: Overview of One Identity Manager Components One Identity Manager consists of the following components: Database The database represents the One Identity Manager kernel. It fulfills the main tasks, which are managing data and calculating inheritance. Object properties can be inherited along the hierarchical structures, such as, departments, cost centers, location or business roles. In the case of data management, the database maps the managed target systems, ERP structures as well as the compliance rules and access permissions. The database is separated into two logical parts, payload and metadata. The payload contains all the information required to maintaining data, such as information about One Identity Manager Overview 10

11 employees, user accounts, groups, memberships and operating data, approval workflows, attestation, recertification and compliance rules. The metadata contains descriptions for the payload, such as, scripts for formatting rules and value templates or specific interaction. One Identity Manager s entire system configuration, all the front-end control settings and the queues for asynchronous processing of data and processes are also part of the metadata. Recalculation of inheritance is started by the database trigger logic. The triggers queue processing tasks in a task list called the "DBQueue". The DBQueue Processor processes these tasks and recalculates inheritance of the respective database objects. The table "Jobqueue" is used for storing processing tasks that are run from the object layer. The database systems SQL Server or Oracle Database can be implemented. Server Service One Identity Manager uses so called 'processes' for mapping business processes. A process consists of process steps, which represent processing tasks and are joined by predecessor/successor relations. This functionality allows flexibility when linking up actions and sequences on object events. Processes are modeled using process templates. A process generator (Jobgenerator) is responsible for converting script templates in processes and process steps into a concrete process in the Job queue. The server service "One Identity Manager Service" ensures distribution in the network of data managed in the One Identity Manager database. The One Identity Manager Service performs data synchronization between the database and any connected target systems and executes actions at the database and file level. The One Identity Manager Service retrieves process steps from the JobQueue. Process steps are executed by process components. One Identity Manager Service also creates an instance of the required process component and passes the parameters to the process step. Decision logic monitors the execution of the process steps and determines how processing should continue depending on the results of the executed process components. The One Identity Manager Service enables parallel processing of process steps because it can create several instances of process components. The One Identity Manager Service is the only One Identity Manager component authorized to make changes in the target system. Application server Clients connect to an application server storing business logic. The application server provides a connection pool for accessing the database and ensures a secure connection to the database. Clients send their queries to the application server, which processes the objects, for example, by determining values using templates and sending the results back to the clients. The data from the application is sent to the database when an object is saved. Clients can alternatively work without external application servers, by keeping the object layer themselves and accessing the database layer directly. In this case, only the part of the object layer required for the acquisition process is mapped in the clients. One Identity Manager Overview 11

12 Web server There is an application running on a web server based on a web page render engine for implemented browser-based user interfaces. Users use a web browser to access the website that has been dynamically set up and customized for them. Data exchange between database and web server can take place directly or through the application server. Front-Ends There are different front-ends for different tasks. For example, a different front-end is used to configure One Identity Manager as that for managing employee data. The contents to be displayed and the extent to which it can be altered is determined in conjunction with the access rights of the respective user through the object layer. Available front-end solutions are client and browser based. Figure 2: Overview of One Identity Manager Components without Application Server Related Topics One Identity Manager Tools on page 13 Which Components and Front-ends Work with an Application Server? on page 17 One Identity Manager Overview 12

13 One Identity Manager Tools There are different tools for different tasks. For example, a different tool is used to configure One Identity Manager as that for managing employee data. The contents to be displayed and the extent to which it can be altered is determined in conjunction with the access rights of the respective user through the object layer. Table 2: Overview of One Identity Manager Tools Tool Launchpad Web Portal Short description The Launchpad is the central tool for starting administration tools and One Identity Manager configuration tools. Use the Launchpad to check the existing One Identity Manager installation and start One Identity Manager tools for executing individual tasks. The Launchpad can be customized. You can define your own menu items and action for the Launchpad in the Designer. The Web Portal is a web based application for all One Identity Manager users. The Web Portal provides strict workflows in the following areas: Change employee master data and own password Edit or enter employee master data for staff. Search, request, cancel or renew products in the IT Shop. Delegate own roles. Edit assigned approvals, attestation instances and rule violations. In the info system, you see several evaluations, for example, about your own requests and attestation instances, employee numbers, approvals, rule violations, or the Unified Namespace. The Web Portal requires a web server. Users use a web browser to access the website that has been dynamically set up and customized for them. Once the web server has been configured and a web project in Web Designer has been shared, you can start the Web Portal in your own web browser. Manager The Manager is the main administration tool for setting up information about employees and their identities. It displays and maintains all the data required for the administration of employees, their user accounts, permissions and company specific roles in a One Identity Manager network. Company resources employees require can be entered and assigned to them. You can also use the Manager to: Define custom IT policies Set up an IT Shop to request company resources and assignments from One Identity Manager Overview 13

14 Tool Short description Set up special approval processes for authorizing requests and checking compliance to IT policy Set up attestation procedures for regularly testing the correctness of data about employees or roles and their assignments By implementing One Identity Manager application roles, every One Identity Manager user obtains only those access permissions they require to fulfill necessary administrative duties. Manager functionality can be provided by web applications. Synchronization Editor Analyzer Job Queue Info Configuration Wizard Designer You use the Synchronization Editor to connect different target systems to One Identity Manager. Use this tool to configure data synchronization for any target system and specify which target system data is mapped to the One Identity Manager database. You also define the object properties mapping and the synchronization sequence as a workflow. Use the Analyzer to automatically detect and analyze data correlations in the database. This information can be used to replace direct permissions assignments with indirect assignments, therefore reducing the administration effort. Job Queue Info supports the control of the current state of a service running on the One Identity Manager network. It displays, in a detailed and comprehensive manner, requests in the job queue and the different One Identity Manager Service requests on the servers. The tool provides on-the-fly status information and makes fast error detection possible. The Configuration Wizard tool installs a database on a SQL Server or an Oracle Database database system for use in a One Identity Manager network. All the One Identity Manager schema tables, data types and database procedures are loaded into the database with the Configuration Wizard. The database roles are added with permissions for the One Identity Manager schema. Automatic version control is integrated into the One Identity Manager, ensuring that One Identity Manager components are always consistent with each other and with the database. If program updates are implemented that change the structure (for example, table extensions), then the database must perform a migration. The Configuration Wizard executes this schema installation depending on the current status of the schema. The Designer is the main tool for configuring the One Identity Manager. The program offers an overview of the entire One Identity Manager data model. It enables the configuration of global system settings, for example, language or configuration parameters, as well as customizing the user interface for the different administration tools. The rights One Identity Manager Overview 14

15 Tool Short description structure for different administrative tasks of individual users and user groups is also set up with the Designer. Another important task is the definition of workflows for technically illustrating the administration procedures in the company. The Designer provides various editors for the One Identity Manager system configuration. The range of functions and the operating methods of the editors matches the demands of differing configurations. Web Designer Data Import Crypto Configuration Database Compiler Report Editor Schema Extension The Web Designer is used to configure and expand a Web Portal. It makes functions available for customizing Web Portals and for designing new workflows. Data Import has a program called "One Identity Manager" which provides a simple solution for importing data from other systems. Use this program if you want to import company resource data from external sources into your database. The program supports importing from files and importing directly from other database systems. You can import data immediately. You also have the option to import data from customized processes using the import scripts that are created. The import definition is saved so that you can use it for future data imports. In certain circumstances it is necessary store encrypted information in the database. Encryption is carried out by the program "Crypto Configuration". This program creates a code file and converts the contents of the affected database column. The coded information is stored in the database. The One Identity Manager database must be compiled after changes to configuration data. After importing a migration package or a full custom configuration package, compiling the database is started immediately from the Configuration Wizard or Database Transporter. The Database Compiler compiles the One Identity Manager database after importing hotfixes or when changes have been made to processes, scripts, formatting rules, object definitions, task definitions, and preprocessor relevant configuration parameters. With the Report Editor, you can group One Identity Manager object data together into reports. You can group, accumulate, and graphically represent this data. Some of our own reports are supplied with the initial migration. However, you can also create your own reports with the Report Editor. The Schema Extension extends the existing application data schema of the One Identity Manager database with customer specific tables and columns. Using the object technology in the One Identity Manager, it is possible to do this on a database level such that these additions are available with full functionality at the object level. One Identity Manager Overview 15

16 Tool System Debugger Database Transporter HistoryDB Manager Job Service Configuration License Meter Software Loader Server Installer Short description Use the System Debugger to create, start and debug scripts. Existing scripts in your One Identity Manager database are imported into a Visual Studio script library. There, you can edit and test the scripts. Subsequently, you decide whether your changes should be transferred to the One Identity Manager database. The Database Transporter transfers objects and custom changes as well as custom database procedures, triggers, functions, and sets from the One Identity Manager database (source) to another One Identity Manager database (target). One Identity Manager historical data is transferred at regular intervals into a One Identity Manager History Database. Therefore, the One Identity Manager History Database provides an archive of change information. The HistoryDB Manager tool displays the data in the One Identity Manager History Database. Use the HistoryDB Manager to setup access to the source databases. Job Service Configuration is used to create and customize the configuration file for One Identity Manager Service. One Identity Manager Service and its plugins are configured with this file. The configuration file is necessary both for One Identity Manager Service on a Windows based operating system and also for the Linux daemon. Use the License Meter wizard to execute a licenses count in your One Identity Manager database. The wizard creates a report with license relevant information. Use the Software Loader to load new or modified files, for example custom form archives, in the One Identity Manager database in order to distribute them to One Identity Manager network workstations and Job servers using automatic software updating. Use the Server Installer to install and configure the One Identity Manager Service. The program executes remote installation of the One Identity Manager Service. Local installation of the service is not possible with this program. Related Topics Which Components and Front-ends Work with an Application Server? on page 17 One Identity Manager Overview 16

17 Which Components and Front-ends Work with an Application Server? The following list tells you which One Identity Manager components can work with an application server. Some front-ends only work have limited functionality to work with an application server. Table 3: One Identity Manager Components and Application Servers Component Connection through Application Server? Restrictions Launchpad Yes Certain application, which you can start from the Launchpad, require a direct connection to the database. Web Portal Yes Manager Yes The consistency check is not supported. Compliance rule simulation is not supported. Some forms are not supported. Manager web application Synchronization Editor Analyzer Job Queue Info Configuration Wizard Yes Yes Yes No No Some forms are not supported. Designer Yes The consistency check is not supported. Process simulation is not supported. Database compilation is not supported. Web Designer Data Import Crypto Configuration Database Compiler Yes Yes No No One Identity Manager Overview 17

18 Component Connection through Application Server? Restrictions Report Editor Yes SQL query testing is not supported. Schema Extension System Debugger Database Transporter HistoryDB Manager License Meter Software Loader SPML web application SOAP Web Service One Identity Manager Service Server Installer No Yes No Yes Yes Yes No No Yes Yes One Identity Manager Overview 18

19 3 Installation Prerequisites The following installation prerequisites represent only the minimum requirements for installing and unlimited operation of One Identity Manager. These prerequisites can be used as a starting point for other planning, depending on the size of the project and which business processes and business transactions are supported. Determining hardware capacities and any further development is part of project planning and dependent on the Identity Management project specification. Particular attention must be paid to I/O performance (in throughput and latency) and in SAN environments in particular, a targeted performance analysis of the specify infrastructure is recommended before implementation. Every One Identity Manager installation can be virtualized. Ensure that performance and resources are available to the respective One Identity Manager component according to system requirements. Ideally, resource assignments for the database server are fixed. Virtualization of a One Identity Manager installation should only be attempted by experts with well-based knowledge of virtualization techniques. For more information about virtual environments, see Product Support Policies. NOTE: Other system requirements for individual One Identity Manager models are listed in the corresponding documentation for those specific modules. Detailed information about this topic Minimum System Requirements for the Database Server on page 20 Additional System Requirements for Implementing an SQL Server Database on page 21 Additional System Requirements for Implementing an Oracle Database on page 22 Minimum System Requirements for Administrative Workstations on page 24 Minimum System Requirements for the Service Server on page 25 Minimum System Requirements for the Web Server on page 27 Minimum System Requirements for the Application Server on page 29 Users and Permissions for One Identity Manager on page 30 Permissions for SQL Server Database Users on page 32 Permissions for Oracle Database Users on page 33 Installation Prerequisites 19

20 Setting up Permissions for Creating an HTTP Server on page 35 Communications Port and Firewall Configuration on page 36 Minimum System Requirements for the Database Server One Identity Manager supports the following database systems: SQL Server Oracle Database The following system prerequisites must be met in order to install the database on a server. Table 4: Minimum System Requirements - Database Server Processor 8 physical cores 2.5 GHz+ NOTE: 16 physical cores are recommended on the grounds of performance. Memory Hard drive storage operating system 16 GB+ RAM 100 GB Windows operating system Following versions are supported: Windows Server 2008 (non-itanium based 64-bit) Service Pack 2 or later Windows Server 2008 R2 (non-itanium based 64-bit) Service Pack 1 or later Windows Server 2012 Windows Server 2012 R2 Windows Server 2016 UNIX and Linux operating systems Note the minimum requirements given by the operating system manufacturer for Oracle databases. Installation Prerequisites 20

21 NOTE: In virtual environments, you must ensure that the VM host provides performance and resources to the database server according to system requirements. Ideally, resource assignments for the database server are fixed. Furthermore, optimal I/O performance must be provided, in particular for the database server. For more information about virtual environments, see Product Support Policies. Related Topics Additional System Requirements for Implementing an SQL Server Database on page 21 Additional System Requirements for Implementing an Oracle Database on page 22 Permissions for SQL Server Database Users on page 32 Permissions for Oracle Database Users on page 33 Additional System Requirements for Implementing an SQL Server Database To implement an SQL Server database, you must provide an installed and configured database server which fulfills the following minimum requirements in order to install the One Identity Manager schema. Table 5: Additional System Requirements for Implementing an SQL Server Database Software SQL Server Following versions are supported: SQL Server 2016 Standard Edition, Service Pack 1 or later SQL Server 2017 Standard Edition NOTE: The SQL Server Enterprise Edition is recommended on performance grounds. SQL Server Management Studio (recommended) Compatibility level for databases Default collation SQL Server 2016 (130) Case insensitive Installation Prerequisites 21

22 Recommendation: SQL_Latin1_General_CP1_CI_AS NOTE: The collation "SQL_Latin1_General_CP1_CI_AS" is expected on One Identity Manager schema installation and applied to the database as required. Default language for database server users Language for database users Additional requirements English English Start the SQL Server Agent in the SQL Server Service Management Portal. You can log in on an SQL Server Agent as a domain user with Windows authentication or with a local system account. NOTE: Performance may worsen if table variables are implemented. Microsoft provides a fix for this. You must set the trace flag 2453 in this case. You can set the start parameter in the server start options to -T2453. For more information, see and Related Topics Minimum System Requirements for the Database Server on page 20 Permissions for SQL Server Database Users on page 32 Additional System Requirements for Implementing an Oracle Database If you use an Oracle database, you must provide an installed and configured database server, which meets the following minimum requirements for installing the One Identity Manager schema. NOTE: To ensure that One Identity Manager functions properly, a database server with standard installation configuration settings is expected. Table 6: Additional System Requirements for Implementing an Oracle Database Software Oracle Database Following versions are supported: Oracle Database 12c Standard Edition or Enterprise Edition NOTE: It strongly recommended you apply the patches for Oracle bugs (Doc ID ) and ( Doc ID ) 22 Installation Prerequisites

23 NOTE: It strongly recommended you apply the patches for Oracle bugs (Doc ID ) and ( Doc ID ) Oracle Client Tools This version should correspond at least to the version of the database in use. Note the recommendation of Oracle with respect to the Client Tools you want to implement. In a 64-bit system the Oracle clients are required in 64-bit and 32-bit versions. NOTE: The use of Oracle Client Tools is only supported by One Identity Manager under Windows operating systems. NOTE: If a direct connection is possible to the Oracle database by TCP/IP, the Oracle client is not necessary. The One Identity Manager connector integrated in Oracle sets up the database connection. NOTE: Use of Oracle Real Application Clusters and other Oracle database configurations, which either require input of several "ADDRESS" entries for one "net_service_ name" in the client-side tnsnames.ora or additional entries in the client-side sqlnet.ora if access to the Oracle database is through the Oracle client. Character set Tablespace Unicode (AL32UTF8) and option "Oracle Text" Parameter NLS_LENGHT_SEMANTICS with value "CHAR" An initial tablespace must be set up. The tablespace must have a block size of at least 8 kbytes. NOTE: If systems are implemented which have several nodes (for examples, clusters), all the nodes must have the same patch level. Related Topics Minimum System Requirements for the Database Server on page 20 Permissions for Oracle Database Users on page 33 Installation Prerequisites 23

24 Minimum System Requirements for Administrative Workstations One Identity Manager administration and configuration tools are installed on an administrative workstation in order to edit and display data. The following system prerequisites must be guaranteed for installing tools on an administrative workstation. Table 7: Minimum System Requirements - Administrative Workstations Processor Memory Hard drive storage Operating system 4 physical cores 2.5 GHz+ 4 GB+ RAM 1 GB Windows operating system Supports versions: Windows Vista with the current service pack Windows 7 (32-bit or non-itanium 64-bit) with the current service pack Windows 8 (32-bit or 64-bit) with the current service pack Windows 8.1 (32-bit or 64-bit) with the current service pack Windows 10 (32-bit or 64-bit) with version 1511 or later Additional software Microsoft.NET Framework Version or later NOTE: Microsoft.NET Framework version 4.6 is not supported. Windows Installer Supported browsers Internet Explorer 11 or later Firefox (Release Channel) Chrome (Release Channel) Microsoft Edge (Release Channel) Table 8: Additional System Requirements for Implementing an Oracle Database Additional software Windows operating system Oracle Client Tools This version should correspond at least to the version of the database in use. Note the recommendation of Oracle with respect to the Client Tools you want to implement. Installation Prerequisites 24

25 In a 64-bit system the Oracle clients are required in 64-bit and 32-bit versions. NOTE: The use of Oracle Client Tools is only supported by One Identity Manager under Windows operating systems. NOTE: If a direct connection is possible to the Oracle database by TCP/IP, the Oracle client is not necessary. The One Identity Manager connector integrated in Oracle sets up the database connection. NOTE: Use of Oracle Real Application Clusters and other Oracle database configurations, which either require input of several "ADDRESS" entries for one "net_service_ name" in the client-side tnsnames.ora or additional entries in the client-side sqlnet.ora if access to the Oracle database is through the Oracle client. Minimum System Requirements for the Service Server The server service "One Identity Manager Service" ensures distribution in the network of data managed in the One Identity Manager database. The One Identity Manager Service performs data synchronization between the database and any connected target systems and executes actions at the database and file level. The following system prerequisites must be fulfilled to install the One Identity Manager Service on a server. Table 9: Minimum System Requirements - Services Server Processor Memory Hard drive storage operating system 8 physical cores 2.5 GHz+ 16 GB RAM 40 GB Windows operating system Following versions are supported: Windows Server 2008 (non-itanium based 64-bit) Service Pack 2 or later Installation Prerequisites 25

26 Windows Server 2008 R2 (non-itanium based 64-bit) Service Pack 1 or later Windows Server 2012 Windows Server 2012 R2 Windows Server 2016 Linux operating system Linux operating system (64 bit), supported by the Mono project or Docker images provided by the Mono project. Additional software Windows operating system Microsoft.NET Framework Version or later NOTE: Microsoft.NET Framework version 4.6 is not supported. NOTE: Take the target system manufacturer's recommendations for connecting the target system into account. Windows Installer Linux operating system Mono 4.6 or later Table 10: Additional System Requirements for Implementing an Oracle Database Additional software Windows operating system Oracle Client Tools This version should correspond at least to the version of the database in use. Note the recommendation of Oracle with respect to the Client Tools you want to implement. In a 64-bit system the Oracle clients are required in 64-bit and 32- bit versions. NOTE: The use of Oracle Client Tools is only supported by One Identity Manager under Windows operating systems. NOTE: If a direct connection is possible to the Oracle database by TCP/IP, the Oracle client is not necessary. The One Identity Manager connector integrated in Oracle sets up the database connection. Installation Prerequisites 26

27 NOTE: Use of Oracle Real Application Clusters and other Oracle database configurations, which either require input of several "ADDRESS" entries for one "net_ service_name" in the client-side tnsnames.ora or additional entries in the client-side sqlnet.ora if access to the Oracle database is through the Oracle client. Linux operating system Direct TCP/IP access is required to use an Oracle database system. A connection to Oracle Real Application Clusters is not supported under Linux operating systems. Related Topics Users and Permissions for One Identity Manager on page 30 Minimum System Requirements for the Web Server The following system prerequisites must be fulfilled to install the Web Portal on a Web Server. Table 11: System Requirements - Web Server Processor Memory Hard drive storage operating system 4 physical cores 1.65 GHz+ 4 GB RAM 40 GB Windows operating system Following versions are supported: Windows Server 2008 (non-itanium based 64-bit) Service Pack 2 or later Windows Server 2008 R2 (non-itanium based 64-bit) Service Pack 1 or later Windows Server 2012 Windows Server 2012 R2 Installation Prerequisites 27

28 Windows Server 2016 Linux operating system Linux operating system (64 bit), supported by the Mono project or Docker images provided by the Mono project. Note the operating system manufacturer's minimum requirements for Apache HTTP Server. Additional software Windows operating system Microsoft.NET Framework Version or later NOTE: Microsoft.NET Framework version 4.6 is not supported. Windows Installer Microsoft Internet Information Service 7, 7.5, 8, 8.5 or 10 with ASP.NET and Role Services: Web Server > Common HTTP Features > Static Content Web Server > Common HTTP Features > Default Document Web Server > Application Development > ASP.NET Web Server > Application Development >.NET Extensibility Web Server > Application Development > ISAPI Extensions Web Server > Application Development > ISAPI Filters Web Server > Security > Basic Authentication Web Server > Security > Windows Authentication Web Server > Performance > Static Content Compression Web Server > Performance > Dynamic Content Compression Linux operating system NTP - Client Mono 4.6 or later Apache HTTP Server 2.0 or 2.2 with the following modules: mod_mono rewrite ssl (optional) Installation Prerequisites 28

29 Minimum System Requirements for the Application Server The application server provides a connection pool for accessing the database and stores business logic. You must fulfill the following system prerequisites for installing the One Identity Manager on an application server. Table 12: System Requirements - Application Server Processor Memory Hard drive storage Operating system 8 physical cores 2.5 GHz+ 8 GB RAM 40 GB Windows operating system Following versions are supported: Windows Server 2008 (non-itanium based 64-bit) Service Pack 2 or later Windows Server 2008 R2 (non-itanium based 64-bit) Service Pack 1 or later Windows Server 2012 Windows Server 2012 R2 Windows Server 2016 Linux operating system Linux operating system (64 bit), supported by the Mono project or Docker images provided by the Mono project. Note the operating system manufacturer's minimum requirements for Apache HTTP Server. Additional software Windows operating system Microsoft.NET Framework Version or later NOTE: Microsoft.NET Framework version 4.6 is not supported. Windows Installer Microsoft Internet Information Service 7, 7.5, 8, 8.5 or 10 with ASP.NET and Role Services: Web Server > Common HTTP Features > Static Content Web Server > Common HTTP Features > Default Document Web Server > Application Development > ASP.NET Installation Prerequisites 29

30 Web Server > Application Development >.NET Extensibility Web Server > Application Development > ISAPI Extensions Web Server > Application Development > ISAPI Filters Web Server > Security > Basic Authentication Web Server > Security > Windows Authentication Web Server > Performance > Static Content Compression Web Server > Performance > Dynamic Content Compression Linux operating system NTP - Client Mono 4.6 or later Apache HTTP Server 2.0 or 2.2 with the following modules: mod_mono rewrite ssl (optional) Users and Permissions for One Identity Manager Table 13: Users for One Identity Manager Users Database Users for Installing One Identity Manager Database Users for One Identity Manager in Operation Database Users for Permissions SQL Server: For more information, see Permissions for SQL Server Database Users on page 32. Oracle Database: For more information, see Permissions for Oracle Database Users on page 33. SQL Server: For more information, see Permissions for SQL Server Database Users on page 32. Oracle Database: For more information, see Permissions for Oracle Database Users on page 33. SQL Server: Installation Prerequisites 30

31 Users End Users User for Logging into One Identity Manager User account for the One Identity Manager Service Permissions End users that only work with the Web Portal, for example, only have to be members of the database role "basegroup". Oracle Database: For more information, see Permissions for Oracle Database Users on page 33. One Identity Manager uses different authentication modules for logging in to administration tools. Authentication modules identify the system users to be used and load the user interface and database resource editing permissions depending on their permission group memberships. For more information, see Appendix: One Identity Manager Authentication Modules on page 150. The user account for the One Identity Manager Service requires access rights to carry out operations at file level (issuing user rights, adding directories and files to be edited). The user account must belong to the group "Domain Users". The user account must have the extended access right "Log on as a service". The user account requires access rights to the internal web service. NOTE: If the One Identity Manager Service runs under the network service (NT Authority\NetworkService), you can issue access rights for the internal web service with the following command line call: netsh http add urlacl url= address>:<port number>/ user="nt AUTHORITY\NETWORKSERVICE" The user account needs full access to the One Identity Manager Service installation directory in order to automatically update the One Identity Manager. In the default installation the One Identity Manager is installed under: %ProgramFiles(x86)%\One Identity (on 32-bit operating systems) %ProgramFiles%\One Identity (on 64-bit operating systems) NOTE: Other target system specific permissions may be required for synchronizing the One Identity Manager with each target system. These permissions are explained in the corresponding guide. For more information, see Setting up Permissions for Creating an HTTP Server on page 35. Installation Prerequisites 31

32 Permissions for SQL Server Database Users NOTE: Select "English" as default language. Database user permissions can be divided into two user types: End user End users that only work with the Web Portal, for example, only have to be members of the database role "basegroup". Administrative user Administrative users require the permissions listed in below. Here, you can differentiate between permissions for installation and permissions for normal operations. To use One Identity Manager functions to the full, you require the following permissions. Table 14: Permissions for Database Users under SQL Server Permission For Database Required for Installation Required to Operate Required For Server role "dbcreator"* x - Creating the database. Server role "processadmin" Database role "db_ owner" Database role "basegroup"** One Identity Manager One Identity Manager - x Activities for testing and closing the connection is required. x x Creating the database Database operations. - x Internal permissions roles for database objects. Permissions "Execute" Master x x Starting the SQL server agent. Database role "SQLAgentUserRole" Database role "db_ Datareader" Database role "SQLAgentOperatorRole" msdb - x Running database schedules. msdb - x Reading and changing database schedules. msdb x x Defining database schedules. Permissions "Connect" tempdb x x Checks for single-user Installation Prerequisites 32

33 Permission For Database Required for Installation Required to Operate Required For mode requirement during start up. *) The permissions are only required if the database is created using the Configuration Wizard. **) The database role "basegroup" is added during initial schema installation of the One Identity Manager by default. NOTE: If the user account for the database user is changed after migration the new database user must be entered as the owner of the database schedule afterwards. Otherwise errors occur when running the database schedules. Tips for Using Integrated Windows Authentication Integrated One Identity Manager Service authentication can be used for the Windows and web applications without restriction. Integrated Windows authentication can be used for FAT clients. Use of Windows groups for logging in is supported. To ensure functionality it is strongly recommended you use SQL Server login. To implement Windows authentication Set up an SQL Server login for the user account on the database server. Enter "dbo" as default schema. Assign the required permissions SQL server login. For more information, see Table 14 on page 32. Permissions for Oracle Database Users You should set up your own database user to use the database. You can create the database user with the Configuration Wizard or manually. NOTE: The database users involved, must get their permissions directly. When the permissions are assigned through database roles it may lead to Oracle errors when data queries are executed because of permission restrictions. Permissions for Oracle Database Installations The following permissions are required for an Oracle Database installation, in addition to default privileges, to use functionality in full. Installation Prerequisites 33

34 Table 15: Permissions for Database Users Permission GRANT ALTER SESSION TO <user> GRANT ANALYZE ANY TO <user> GRANT CONNECT TO <user> GRANT CREATE JOB TO <user> GRANT CREATE PROCEDURE TO <user> GRANT CREATE SEQUENCE TO <user> GRANT CREATE SYNONYM TO <user> GRANT CREATE TABLE TO <user> GRANT CREATE TRIGGER TO <user> GRANT CREATE TYPE TO <user> GRANT CREATE VIEW TO <user> GRANT EXCEUTE ON DBMS_PIPE TO <user> GRANT Required For Changing own user session settings. The permissions are used to execute the procedure DBMS_STATS.FLUSH_ DATABASE_MONITORING_INFO while calculating statistics, These permissions are not required if no statistics are being determined. Connecting database. Creating database schedules. Creating schema objects. Creating schema objects. Creating schema objects. Creating schema objects. Creating schema objects. Creating schema objects. Creating schema objects. Communication of single processing steps concurrently with the DBQueue Processor main routine. Access to package for general encryption routines. Installation Prerequisites 34

35 Permission Required For EXECUTE ON DBMS_CRYPTO TO <user> GRANT EXECUTE ON DBMS_LOCK TO <user> GRANT SELECT ON GV_ $OSSTAT TO <user> GRANT SELECT ON GV_ $SESSION TO <user> Uses the sleep method for relaying processing in the DBQueue Processor, for example, to wait for single processing steps to end. Loading information about the current server version. Loading data from the current session. These permissions are also required to switch the database into single-user mode. Setting up Permissions for Creating an HTTP Server The One Identity Manager Service log files can be displayed through an HTTP server ( name>:<port number>). A user must have the appropriate permissions in order to open an HTTP server. The administrator must grant URL approval to the user to do this. This can be executed with the following command line call: netsh http add urlacl url= number>/ user=<domain>\<user name> If the One Identity Manager Service has to run under the Network Service (NT Authority\NetworkService) user account, explicit permissions for the internal web service must be granted under Windows Server 2008 (R2). This can be executed with the following command line call: netsh http add urlacl url= address>:<port number>/ user="nt AUTHORITY\NETWORKSERVICE" The result can also be verified using the following command line call: netsh http show urlacl Installation Prerequisites 35

36 Communications Port and Firewall Configuration One Identity Manager is made up of several components that can be executed in different network segments. In addition, One Identity Manager requires access to various network services, which can also be installed in different network segments. You must open various ports depending on which components and services you want to install behind the firewall. The following ports are required: Table 16: Communications port Default port SQL Server: 1433 Oracle: 1521 Description Port for communicating with the database Port for the HTTP based protocol of the One Identity Manager Service Port for access tests with the Synchronization Editor. 80 Port for accessing web applications. 88 Kerberos authentication system. (if Kerberos authentication is implemented). 135 Microsoft EPMAP (End Point Mapper) (also DCE/RPC Locator Service) 137 NetBIOS Name Service 139 NetBIOS Session Service Other ports for connecting to target systems are also required. These ports are listed in the corresponding guides. Installation Prerequisites 36

37 4 Installing One Identity Manager The following steps are required to install One Identity Manager. 1. Installation of One Identity Manager tools on the administrative workstation on which the One Identity Manager database schema installation will be started. 2. Installation of the One Identity Manager schema with the Configuration Wizard. 3. Setting up the server, which handles the SQL processes. a. This server must be entered in the database as a Job server with the server function "SQL processing server". b. A One Identity Manager Service with direct access to the One Identity Manager database must be installed and configured on the server. NOTE: Several SQL processing servers can be set up to spread the load of SQL processes. 4. Setting up an update server for automatic software updating of other servers. a. This server must be entered in the database as a Job server with the server function "Update server". b. A One Identity Manager Service with direct access to the One Identity Manager database must be installed and configured on the server. NOTE: You can proceed with setting up an SQL processing server and the update server using the Configuration Wizard. For more information, see Installing the One Identity Manager Service for the Database on page 54. You can also install the following: Install more workstations Install more server with One Identity Manager Service Install an application server Install the Web Portal on a Web server Install the Manager web application on a Web server Install more Web services like SPML Web service or SOAP Web Service. For detailed information about installing the web service, see the One Identity Manager Configuration Guide. Installing One Identity Manager 37

38 You can install and update One Identity Manager on the following types. Use the installation wizards to install One Identity Manager components on workstations for the first time. Use the installation wizards to install the One Identity Manager Service on servers for the first time or remote with the Server Installer. To update an existing installation use the auto update software. Use the installation wizard to manually update individual workstations and servers. Fore more detailed information about updating the One Identity Manager, see Updating One Identity Manager on page 75. Detailed information about this topic Before You Start Installing One Identity Manager on page 38 Installing One Identity Manager Components on page 39 Installing and Configuring a One Identity Manager Database on page 42 Installing and Configuring the One Identity Manager Service on page 66 Installing a One Identity Manager Application Server on page 96 Installing the Web Portal on page 102 Installing and Updating the Manager Web Application on page 122 Before You Start Installing One Identity Manager Before installing the One Identity Manager ensure that the minimal hardware and software requirements are met on workdesks and servers. End all programs and service components otherwise installation cannot begin. NOTE: There is a separate upgrade package for updating from One Identity Manager version 6.x to One Identity Manager version 7.0. Direct your inquiries to the support desk. To access the Support Portal, go to Detailed information about this topic Installation Prerequisites on page 19 Installing One Identity Manager on page 37 Updating One Identity Manager on page 75 Installing One Identity Manager 38

39 Installing One Identity Manager Components An installation wizard is available to help you through the installation of One Identity Manager components on workstations and servers. NOTE: Always start installing administration and configuration tools on an administrative workstation if possible. To install One Identity Manager components 1. Execute the program autorun.exe from the root directory on the One Identity Manager installation medium. 2. Switch to the Installation tab, select the edition and click Install. 3. The installation wizard is started. Select the language for the installation wizard on the start page and click Next. 4. Confirm the conditions of the license. 5. Specify the data for installation source and target on the Installation settings page. Select the directory with the installation files under Installation source. Select the directory into which to install the One Identity Manager files under Installation folder. NOTE: To make set more options, click on the arrow button next to the text box. Here, you can specify whether you are installing on a 64-bit or a 32-bit operating system. Do not set any more options for a default installation. Set the option Select installation modules from existing database of installation data about the existing One Identity Manager database should be loaded. NOTE: Leave this option empty to install the workstation on which you start the One Identity Manager schema installation. To add more One Identity Manager modules to the selected edition, set the option Add more modules to the selected Edition. Click Next. 6. Select the additional modules to install on the Module selection page and click Next. NOTE: This page is only shown if you set the option Add more modules to the selected Edition. Installing One Identity Manager 39

40 7. Enter the database connection data on the Connect to database page. NOTE: This page is only displayed if you have set the option Select installation modules from database. a. Select the connection in "Select connection". - OR - Click on Add new connection, select a system type and enter connection data. Table 17: SQL Server Database Connection Data Data Server Windows authentication User Password Database Description Database server. Specifies whether Windows authentication is used. This type of authentication is not recommended. If you decide to use it anyway, ensure that your environment supports Windows authentication. Database user. Database user password. Database. Table 18: Oracle Database Connection Data Data Direct access (without Oracle client) Server Port Service name User Password Data source Description Set this option for direct access. Deactivate this option for access via Oracle Clients. Which connection data is required, depends on how this option is set. Database server. Oracle instance port. Service name. Oracle database user. Database user password. TNS alias name from TNSNames.ora. b. Select the authentication module in "Authentication method" and enter the login data for system identification. Installing One Identity Manager 40

41 The login data you require depends on the authentication module selected. c. Click Next. 8. Specify machine roles on the Assign machine roles page and click Next. NOTE: Machine roles which match One Identity Manager modules are already selected. All machine subroles are selected when you select the machine role. You can deselect individual packages. 9. You can start different programs for further installation on the last page of the install wizard. To run the One Identity Manager installation, start the Configuration Wizard and following the Configuration Wizard instructions. NOTE: Only run this step on the workstation on which you start the One Identity Manager installation. Start the program One Identity Manager Service to configure the Job Service Configuration. NOTE: Only run this step on servers on which the One Identity Manager Service is installed. 10. Click Finish to close the installation wizard. 11. Close the autorun program. The One Identity Manager is installed for all user accounts on the workstation or server. In the default installation the One Identity Manager is installed under: %ProgramFiles(x86)%\One Identity (on 32-bit operating systems) %ProgramFiles%\One Identity (on 64-bit operating systems) Related Topics Before You Start Installing One Identity Manager on page 38 Installation Prerequisites on page 19 One Identity Manager Tools on page 13 Installing One Identity Manager on a Windows Terminal Server on page 41 Installing and Configuring a One Identity Manager Database on page 42 Appendix: Machine Roles and Installation Packages on page 191 Installing One Identity Manager on a Windows Terminal Server To install One Identity Manager tools on a Windows terminal server you need to ensure that the Windows terminal server has been fully installed and configured. This includes profile Installing One Identity Manager 41

42 handling in particular as well as permissions for Windows terminal server use. NOTE: Ensure that in an Active Directory Domain, users also have relevant permissions to use the Windows terminal server self. To install One Identity Manager components on a Windows terminal server 1. Log in with a user account, which has administrator permissions on the Windows terminal server. Log in through a console connection is recommended. This is called by Start/Run: mstsc /Console /v:<servername> where <servername> must be replaced by the terminal server's server name (without leading "\"). 2. Open the command line console (CMD.exe) and switch the Windows terminal server into software installation mode with help of the command CHANGE USER /INSTALL. 3. Start the One Identity Manager Installation Wizard and install the One Identity Manager components as described. 4. End the software installation mode on the Windows terminal server with the command CHANGE USER /EXECUTE in the command line console. After the installation is complete, anyone who is an authorized Windows terminal server user can start the One Identity Manager tools and use them. For more information about software installation on Windows terminal servers, refer to the Windows operating system documentation you are using. Related Topics Installing One Identity Manager Components on page 39 Installing and Configuring a One Identity Manager Database The following prerequisites must be fulfilled on the workstation from which you want to start the One Identity Manager database setup: Installing the "Configuration Wizard" program Use the install wizard to install the program. To do this, select the installation type "Workstation" and the installation package "Configuration" in the install wizard. Access to installation sources NOTE: If you copy the installation files to a repository, you must ensure the directory tree remains intact. Installing One Identity Manager 42

43 In order to set up a database on a database server for use in the One Identity Manager environment use the "Configuration Wizard". The database systems SQL Server or Oracle Database can be implemented. Installation and configuration under SQL Server and Oracle Database is similar. The Configuration Wizard executes the following steps. 1. Installs the One Identity Manager schema in a database. The One Identity Manager schema can be installed in an existing database. Alternatively, the Configuration Wizard can create a new database and install the One Identity Manager schema. 2. Creates administrative system users and permissions groups. 3. Installing and configuring an One Identity Manager Service with direct access to the database for handling SQL processes and automatic server software updates. NOTE: Further steps are executed in One Identity Manager depending on the Edition and Configuration Wizard modules. Other steps are required to configure the One Identity Manager database following the schema installation: Configure the database for a test, development or live system. Other system settings may be required for putting individual functions into operation in One Identity Manager. Use configuration parameters to configure the behavior of the system's basic settings. One Identity Manager provides default settings for different configuration parameters. Check the configuration parameters and modify them as necessary to suit your requirements. Configuration parameters are defined in the One Identity Manager modules. Each One Identity Manager module can also install configuration parameters. You can find an overview of all configuration parameters in the category Base data General Configuration parameters in the Designer. In certain circumstances, it is necessary to store encrypted information in the One Identity Manager database. Use the program "Crypto Configuration" to do this. You can log changes to data and information from process handling in One Identity Manager. All entries logged in One Identity Manager are initially saved in the One Identity Manager database. The proportion of historical data to total volume of a One Identity Manager database should not exceed 25%. Otherwise performance problems may arise. You must ensure that log entries are regularly removed from the One Identity Manager database and archived. For more information about process monitoring and process history, see the One Identity Manager Configuration Guide. For more information about archiving data, see the One Identity Manager Data Archiving Administration Guide. Installing One Identity Manager 43

44 Detailed information about this topic Starting the Configuration Wizard on page 44 Creating a New SQL Server Database on page 45 Using an Existing Empty SQL Server Database on page 47 Setting up a new Oracle Database User on page 48 Using an Existing Empty Oracle Database User on page 50 Editing the Database on page 51 Entering System Data on page 52 Installing the One Identity Manager Service for the Database on page 54 Configuring a One Identity Manager Database for Testing, Development or Production on page 56 Encrypting Data in a Database on page 57 Vendor Notification in One Identity Manager on page 63 Error: Enter address in configuration parameter on page 141 Related Topics Minimum System Requirements for the Database Server on page 20 Installing One Identity Manager Components on page 39 Starting the Configuration Wizard IMPORTANT: Always start the Configuration Wizard on an administrative workstation. If you start the Configuration Wizard on a server on which you also want to configure an One Identity Manager Service, simply jump the section "Install service" for the local server in the Configuration Wizard. To start the Configuration Wizard straight from the installation wizard. Start the Configuration Wizard on the last page of the installation wizard. To run the Configuration Wizard from the Windows Start menu Select Start One Identity One Identity Manager Configuration Configuration Wizard. Related Topics Installing One Identity Manager Components on page 39 Installing One Identity Manager 44

45 Creating a New SQL Server Database NOTE: Only execute these steps, if you want to set up a new database with the Configuration Wizard for which you are installing the One Identity Manager schema. There must be a database with permission for installing a One Identity Manager database available. For more information, see Permissions for SQL Server Database Users on page 32. To create a new database with the Configuration Wizard 1. Start the Configuration Wizard. 2. Select the option Create and install a database on the start page of the Configuration Wizard. 3. Enter the data for logging into the database server on the Create administrative connection page. a. Select the database system SQL Server from Connection data. b. Enter the connection data for the database server. Table 19: Connection data Input Server Description Database server. To deselect a database server Enter the server name. - OR - Select a server from the list. Windows authentication User Password Specifies whether Windows authentication is used. This type of authentication is not recommended. If you decide to use it anyway, ensure that your environment supports Windows authentication. Database user. Database user password. NOTE: The connection data is transferred to the corresponding database entry in One Identity Manager on initial schema installation. NOTE: Use Extended to make further changes to the database connection configuration settings. 4. Enter the information required for creating a new database on the Create database page. Installing One Identity Manager 45

46 a. Enter the following database information in the "Database properties" section. Table 20: Database Properties Input Database name Data directory Description Name of the database. Directory for the data files. You can choose from: <default> <browse> Directory name The database server's default installation directory. Selecting a directory using the file browser. Directory already containing data files. Log directory Directory for the transaction log. You can choose from: <default> <browse> Directory name The database server's default installation directory. Selecting a directory using the file browser. Directory already containing transaction logs. Initial size Initial size of the database files. You can choose from: <default> <custom> Different recommended sizes Default database server preset. Spare. Depending on the number of employees to be managed. b. Select the directory with the installation files in the "Installation source" section. 5. Select the configuration module on the Select configuration module. If you started the Configuration Wizard from the install wizard, the configuration modules for the selected edition are already activated. Check the module selection in this case. Select the configuration module at this point if you started the Configuration Wizard directly. Dependent configuration modules are selected automatically. Installing One Identity Manager 46

47 6. Next step: The installation steps are shown in the Processing database page. Installation and configuration of the database is automatically carried out by the Configuration Wizard. For more information, see Editing the Database on page 51. Related Topics Starting the Configuration Wizard on page 44 Using an Existing Empty SQL Server Database on page 47 Appendix: Settings for a New SQL Server Database on page 193 Using an Existing Empty SQL Server Database NOTE: Execute this step, if you want to install the One Identity Manager schema for an existing database user with the Configuration Wizard. There must be a database with permission for installing a One Identity Manager database available. For more information, see Permissions for SQL Server Database Users on page 32. A database must be provided with the following settings: Collation: SQL_Latin1_General_CP1_CI_AS Compatibility level: SQL Server 2016 (130) To use an existing empty database in the Configuration Wizard 1. Start the Configuration Wizard. 2. Select the option Create and install a database on the start page of the Configuration Wizard. 3. Enter the data for logging into the database server on the Create administrative connection page. a. Select the database system SQL Server from Connection data. b. Enable Advanced. c. Enable Use an existing database for installation. d. Enter the connection data for the database server. Table 21: SQL Server Database Connection Data Data Server Description Database server. Installing One Identity Manager 47

48 Data Windows authentication User Password Database Description Specifies whether Windows authentication is used. This type of authentication is not recommended. If you decide to use it anyway, ensure that your environment supports Windows authentication. Database user. Database user password. Database. NOTE: The connection data is transferred to the corresponding database entry in One Identity Manager on initial schema installation. NOTE: Use Extended to make further changes to the database connection configuration settings. e. Select the directory with the installation files in the "Installation source" section. 4. Select the configuration module on the Select configuration module. If you started the Configuration Wizard from the install wizard, the configuration modules for the selected edition are already activated. Check the module selection in this case. Select the configuration module at this point if you started the Configuration Wizard directly. Dependent configuration modules are selected automatically. 5. Next step: The installation steps are shown in the Processing database page. Installation and configuration of the database is automatically carried out by the Configuration Wizard. For more information, see Editing the Database on page 51. Related Topics Starting the Configuration Wizard on page 44 Creating a New SQL Server Database on page 45 Setting up a new Oracle Database User NOTE: Only execute these steps, if you want to set up a new database user with the Configuration Wizard for which you are installing the One Identity Manager schema. Use the Configuration Wizard to create a new database user on a database server. The schema is created for this database user during migration. NOTE: An initial tablespace has to exist on the database server before a new database user can be created. The tablespace must have a block size of at least 8 kbytes. Installing One Identity Manager 48

49 To create a new database user 1. Start the Configuration Wizard. 2. Select the option Create and install a database on the start page of the Configuration Wizard. 3. Enter the data for logging into the database server on the Create administrative connection page. a. Select the database system Oracle Database from Connection data. b. Enter the connection data for the Oracle instance. Table 22: Connection Data Input Server Port Service Name User Password Description Database server. Oracle instance port. Service name. Oracle user with SYSDBA permissions. User password. 4. Enter the database user information on the page Create Oracle user. a. Enter the Oracle user s properties. Table 23: Oracle User Properties Input User name Password Password retry Tablespace Temp. Tablespace Description Database user for which the schema should be created. This database user is used for the subsequent migration. Database user password. Database user password. Tablespace, in which the schema should be created. Tablespace, in which the schema should be created. The Configuration Wizard creates the database user with the required permissions. b. Select the directory with the installation files in the "Installation source" section. 5. Select the configuration module on the Select configuration module. Installing One Identity Manager 49

50 If you started the Configuration Wizard from the install wizard, the configuration modules for the selected edition are already activated. Check the module selection in this case. Select the configuration module at this point if you started the Configuration Wizard directly. Dependent configuration modules are selected automatically. 6. Next step: The installation steps are shown in the Processing database page. Installation and configuration of the database is automatically carried out by the Configuration Wizard. For more information, see Editing the Database on page 51. Related Topics Starting the Configuration Wizard on page 44 Using an Existing Empty Oracle Database User on page 50 Permissions for Oracle Database Users on page 33 Using an Existing Empty Oracle Database User NOTE: Execute this step, if you want to install the One Identity Manager schema for an existing database user with Configuration Wizard. A database user with the required permissions must be available. For more information, see Permissions for Oracle Database Users on page 33. To use an existing empty database user in the Configuration Wizard 1. Start the Configuration Wizard. 2. Select the option Create and install a database on the start page of the Configuration Wizard. 3. Enter the data for logging into the database server on the Create administrative connection page. a. Select the database system Oracle Database from Connection data. b. Enable Advanced. c. Enable the option Use an existing Oracle user for installation. d. Enter the connection data for the Oracle instance. Table 24: Oracle Database Connection Data Data Direct access (without Oracle client) Description Set this option for direct access. Installing One Identity Manager 50

51 Data Description Deactivate this option for access via Oracle Clients. Which connection data is required, depends on how this option is set. Server Port Service name User Password Data source Database server. Oracle instance port. Service name. Oracle database user. Database user password. TNS alias name from TNSNames.ora. e. Select the directory with the installation files in the "Installation source" section. 4. Select the configuration module on the Select configuration module. If you started the Configuration Wizard from the install wizard, the configuration modules for the selected edition are already activated. Check the module selection in this case. Select the configuration module at this point if you started the Configuration Wizard directly. Dependent configuration modules are selected automatically. 5. Next step: The installation steps are shown in the Processing database page. Installation and configuration of the database is automatically carried out by the Configuration Wizard. For more information, see Editing the Database on page 51. Related Topics Starting the Configuration Wizard on page 44 Setting up a new Oracle Database User on page 48 Editing the Database The Configuration Wizard performs the following steps when processing the database: Schema installation Before the schema installation can take place the Configuration Wizard tests the database. Error messages are displayed in a separate window. The errors must be corrected manually. The schema installation cannot be started until these are resolved. Installing One Identity Manager 51

52 All the tables, data types, database procedures that are required are loaded into the database through migration. The database role basegroup" is added and these roles are given full permissions to the database objects. The selected Editions and configuration modules are enabled. During migration, calculation tasks are queued in the database. These are processed by the DBQueue Processor. When a schema is installed with the Configuration Wizard, migration date and migration revision are recorded in the database's transport history. System compilation Scripts, templates and processes are declared in the database. The authentication module "system user" with the system user "viadmin" is used for compiling. Automatic update In order to distribute One Identity Manager files using the automatic software updating mechanism, the files are loaded into the One Identity Manager database. To run database processing in the Configuration Wizard 1. The installation steps are shown in the Processing database page. Installation and configuration of the database is automatically carried out by the Configuration Wizard. This procedure may take some time depending on the amount of data and system performance. Set the option Advanced to obtain detailed information about processing steps and the migration log. Once processing is complete, click Next. 2. Next step: Enter the customer data and create administrative users on the System information page. For more information, see Entering System Data on page 52. Related Topics Handling Errors and Warnings during System Compilation on page 137 Automatic Updating of the One Identity Manager on page 90 Displaying the Transport History and Testing the One Identity Manager Version on page 136 Entering System Data A system user is required for authentication in One Identity Manager. One Identity Manager provides various system users whose permissions are matched to the different tasks. For more detailed information about system users, access rights and granting permissions, see the One Identity Manager Configuration Guide. The system user "viadmin" is the default system user for the One Identity Manager. This system user can be used to compile and initialize the One Identity Manager database and for the first user login to the administration tools. Installing One Identity Manager 52

53 IMPORTANT: The system user "viadmin" is not for use in a live environment! Set up your own system users with the appropriate permissions. To enter system data in the Configuration Wizard 1. Enter the customer data and create administrative users on the System information page. a. Enter the company's full name in the "Customer data" section. b. Configure the predefined system users in the "system user" section and enter your own system users. Enter a password and password confirmation for the predefined system users. To create custom system users, click and enter the name, password and password confirmation. Custom system users are created as administrative system users by the Configuration Wizard. Administrative system users are automatically added to all non role-based permissions groups and are given "viadmin" system user permissions. TIP: Use <...> next to a system user's name to configure more settings for the system user. You can modify these settings later in the Designer. c. The Configuration Wizard creates custom permissions groups, which you can use to define permissions for any custom schema extensions you require. The permissions groups "CCCViewPermissions" and "CCCEditPermissions" are created for non role-based login. Administrative system users are automatically added to these permissions groups. The permissions groups "CCCViewRole" and "CCCEditRole" are created for role-based login. d. Create more permissions groups as required. Set the Advanced option and click in the "Permissions groups" section. Enter the name for the permissions group. Label your own permissions groups with the prefix 'CCC' Set the option Role-based for your own permissions groups. 2. Next step: On the Service installation page, install and configure the One Identity Manager Service for a Job sever with the server functions "SQL processing server" and "Update server". For more information, see Installing the One Identity Manager Service for the Database on page 54. Installing One Identity Manager 53

54 Installing the One Identity Manager Service for the Database IMPORTANT: If you are working with an encrypted One Identity Manager database, see Advice for Working with an Encrypted One Identity Manager Database on page 62. The One Identity Manager Service handles defined processes. The service has to be installed on the One Identity Manager network server to execute the processes. The server must be declared as a "Job server" in the One Identity Manager database. A Job server installed with the One Identity Manager database is created already in the One Identity Manager database during initial schema installation. This Job server includes the server functions "SQL processing server" and "Update server". The SQL processing server handles SQL processes. The update sever ensures that software is updated automatically on other servers. The SQL processing server and the update server require a direct connection to the One Identity Manager database to handle processes. You use the Configuration Wizard to install the One Identity Manager Service on a server for handling these processes. The Configuration Wizard executes the following steps. Installs the One Identity Manager Service components Configuring the One Identity Manager Service Starting the One Identity Manager Service NOTE: The program executes remote installation of the One Identity Manager Service. Remote installation is only supported within a domain or a trusted domain. Local installation of the service is not possible with this program. If you started the Configuration Wizard on a server on which you also want to configure a One Identity Manager Service, you miss out the section "Installing a service server". Install the One Identity Manager Service with the installation wizard in this case. To not install the One Identity Manager Service in the Configuration Wizard 1. Set the option Skip service installation on the Service installation page. 2. Click Finish on the last page of the Configuration Wizard. Installing One Identity Manager 54

55 To configure the One Identity Manager Service in the Configuration Wizard 1. Enter the service's installation data on the Service installation page. a. Enter the following information to install the One Identity Manager Service. Table 25: Installation Data Data Computer Description Server on which to install and start the service from. To select a server Enter a name for the server. - OR - Select a entry from the list. Service account. Installation account Machine role User account data for the One Identity Manager Service. To enter a user account for the service Set the option Local system account. This starts the One Identity Manager Service under the account "NT AUTHORITY\SYSTEM". - OR - Enter user account, password and password confirmation. Data for the administrative user account to install the service. To enter an administrative user account for installation Enable Advanced. Enable the option Current user. This uses the user account of the current user. - OR - Enter user account, password and password confirmation. Specify the machine role. The machine role "Job server" is already specified, by default. You can add more machine roles. b. Check the One Identity Manager Service configuration. Enable Advanced. NOTE: The initial service configuration is predefined already. If further changes need to be made to the configuration, you can do this later with the Designer. For more detailed information about configuring the service, see the One Identity Manager Configuration Guide. Installing One Identity Manager 55

56 c. Click Next to start installing the service. Installation of the service occurs automatically and may take some time. 2. Click Finish on the last page of the Configuration Wizard. NOTE: The service is entered with the name One Identity Manager Service in the server's service administration. Related Topics Minimum System Requirements for the Service Server on page 25 Advice for Working with an Encrypted One Identity Manager Database on page 62 Installing and Configuring the One Identity Manager Service on page 66 Configuring a One Identity Manager Database for Testing, Development or Production Use the staging level of the One Identity Manager database to specify whether a test database, development database or a live database is being dealt with. A number of configuration settings are controlled by the staging level. These are set when you modify the staging level. Table 26: Database Settings for Development, Test and Live Environments Setting Database Staging Level Development Environment Test Environment Live Environment Color of the One Identity Manager tools status bar. Maximum DBQueue Processor runtime Maximum number of slots for DBQueue Processor none Green Yellow 20 minutes 40 minutes 120 minutes 3 5 Maximum number of slots according to the hardware configuration To modify a database staging level 1. Open the Launchpad and select Database staging level. This starts the Designer database editor. Installing One Identity Manager 56

57 2. Select the database and change the value of the property Staging level to "Test environment", "Development system" or "Development system". 3. Select Database Commit to database... in the Designer and click Save. The DBQueue Processor configuration settings are configured for normal operations and must not be modified normally. The number of configuration settings is reduced in the case of test and development environments because there may be more databases on one server. If you have to change the settings for test or development environments on performance grounds, you must modify the following configuration parameter settings in the Designer. Table 27: Configuration Parameters for the DBQueue Processor Configuration parameter QBM\DBQueue\CountSlotsMax QBM\DBQueue\KeepAlive Meaning This configuration parameter specifies the number of maximum slots available. Enter the value 0 to use the maximum number of slots according to the hardware configuration. This configuration parameter regulates the maximum runtime of the central dispatcher. Tasks on slots currently in use are still processed when the timeout expires. Then the slot database schedules are stopped and the central dispatches exits. The lowest permitted value for runtime is 5 minutes; the highest value is 720 minutes. Related Topics Appendix: Creating a One Identity Manager Database for a Test or Development Environment from a Database Backup on page 179 Encrypting Data in a Database In certain circumstances, it is necessary to store encrypted information in the One Identity Manager database. Specify the encryption method to use by setting the configuration parameter "Common\EncryptionScheme" in the Designer. Installing One Identity Manager 57

58 Table 28: Values of Configuration Parameter "Common\EncryptionScheme" Value RSA FIPSCompliantRSA Description RSA encryption with AES for large data (default). FIPS certified RSA with AES for large data. This method is used if encryption must match the FIPS standard. The local security policy "Use FIPS compliant algorithms for encryption, hashing, and signing" must be enabled. NOTE: If you have not set the configuration parameter "Common\EncryptionScheme", RSA is used. Encryption is carried out by the program "Crypto Configuration". With this program an encryption file is created and the contents of the database columns that are effected are converted. The encrypted data is stored in the database table DialogDatabase. NOTE: It is recommended that you create a backup before encrypting the database information in a database. Then you can restore the previous state if necessary. Detailed information about this topic Creating a New Database Key and Encrypting Database Data on page 58 Modifying a Database Key and Encrypting Database Data on page 59 Re-encrypting Database Data on page 60 Decrypting Database Data on page 61 Advice for Working with an Encrypted One Identity Manager Database on page 62 Creating a New Database Key and Encrypting Database Data NOTE: It is recommended that you create a backup before encrypting the database information in a database. Then you can restore the previous state if necessary. To create a new database key and encrypt the One Identity Manager database 1. Open Launchpad and select Encrypt database. This starts the program "Crypto Configuration". 2. Click Next on the start page. 3. Enter valid connection credentials for the One Identity Manager database on the New database connection page and click Next. Installing One Identity Manager 58

59 4. Select Create or change database key on the Select action page and click Next. 5. Select There was no encryption yet on the Private key page and click Next. 6. Create a new key on the New private key page. a. Click Create key. b. Select the directory path for saving the file using the file browser and enter a name for the key file. c. Click Save. The key file (*.key) is created. The file browser is closed. Path and file name are displayed under <Private key>. d. Click Next. This establishes which data is encrypted. 7. The data is displayed on the Convert database page. a. Click Convert. b. Confirm the following two security questions with Yes. The data encryption is started. Conversion progress is displayed. c. Click Next. 8. Click Finish on the last page to end the program. Related Topics Modifying a Database Key and Encrypting Database Data on page 59 Re-encrypting Database Data on page 60 Decrypting Database Data on page 61 Advice for Working with an Encrypted One Identity Manager Database on page 62 Modifying a Database Key and Encrypting Database Data NOTE: To change a database key, you need the key file with the old database key. The key is change and saved in a new key file. NOTE: It is recommended that you create a backup before encrypting the database information in a database. Then you can restore the previous state if necessary. To change a database key and encrypt the One Identity Manager database 1. Open Launchpad and select Encrypt database. This starts the program "Crypto Configuration". 2. Click Next on the start page. Installing One Identity Manager 59

60 3. Enter valid connection credentials for the One Identity Manager database on the New database connection page and click Next. 4. Select Create or change database key on the Select action page and click Next. 5. Load the existing key on the Private key page. a. Select Encryption was enabled. b. Click Load key. c. Select the file (*.key) with the old database key using the file browser. d. Click Open. The file browser is closed. Path and file name are shown. e. Click Next. 6. Create a new key on the New private key page. a. Click Create key. b. Select the directory path for saving the file using the file browser and enter a name for the key file. c. Click Save. The key file (*.key) is created. The file browser is closed. Path and file name are displayed under <Private key>. d. Click Next. This establishes which data is encrypted. 7. The data is displayed on the Convert database page. a. Click Convert. b. Confirm the following two security questions with Yes. The data encryption is started. Conversion progress is displayed. c. Click Next. 8. Click Finish on the last page to end the program. Related Topics Creating a New Database Key and Encrypting Database Data on page 58 Re-encrypting Database Data on page 60 Decrypting Database Data on page 61 Advice for Working with an Encrypted One Identity Manager Database on page 62 Re-encrypting Database Data Use this method when you mark more database columns with the option Encrypted and the database is already encrypted. Installing One Identity Manager 60

61 NOTE: It is recommended that you create a backup before encrypting the database information in a database. Then you can restore the previous state if necessary. To repeat One Identity Manager database encryption using an existing database key 1. Open Launchpad and select Encrypt database. This starts the program "Crypto Configuration". 2. Click Next on the start page. 3. Enter valid connection credentials for the One Identity Manager database on the New database connection page and click Next. 4. Select Encrypt using existing key on the Select action page and click Next. This establishes which data is encrypted. 5. The data is displayed on the Convert database page. a. Click Convert. b. Confirm the following two security questions with Yes. The data encryption is started. Conversion progress is displayed. c. Click Next. 6. Click Finish on the last page to end the program. Related Topics Creating a New Database Key and Encrypting Database Data on page 58 Modifying a Database Key and Encrypting Database Data on page 59 Decrypting Database Data on page 61 Advice for Working with an Encrypted One Identity Manager Database on page 62 Decrypting Database Data NOTE:You need the file with the database key for this. NOTE: It is recommended that you create a backup before encrypting the data in a database. Then you can restore the previous state if necessary. To decrypt the One Identity Manager database 1. Open Launchpad and select Encrypt database. This starts the program "Crypto Configuration". 2. Click Next on the start page. 3. Enter valid connection credentials for the One Identity Manager database on the New database connection page and click Next. Installing One Identity Manager 61

62 4. Select Decrypt data on the Select action page and click Next. This establishes which data is encrypted. 5. The data is displayed on the Convert database page. a. Click Convert. b. Confirm the following two security questions with Yes. c. The data encryption is started. Conversion progress is displayed. d. Select the file (*.key) with the old database key using the file browser. e. Click Open. The file browser is closed. The data decryption is started. Conversion progress is displayed. f. Click Next. 6. Click Finish on the last page to end the program. Related Topics Creating a New Database Key and Encrypting Database Data on page 58 Modifying a Database Key and Encrypting Database Data on page 59 Re-encrypting Database Data on page 60 Advice for Working with an Encrypted One Identity Manager Database on page 62 Advice for Working with an Encrypted One Identity Manager Database If you encrypt a One Identity Manager database, you must declare the database key to the One Identity Manager Service. CAUTION: If the One Identity Manager Service finds a private key on start up, it places it in the key container and deletes the file from the hard drive. So save the private key at another location in addition to the service install directory! To declare the database key Declare the following information in the One Identity Manager Service configuration file. Use Job Server Editor in Designer or the program "Job Service Configuration" to edit the configuration file. Installing One Identity Manager 62

63 Table 29: Configuration of One Identity Manager Service for Encryption Configuration Module JobServiceDestination JobServiceDestination Parameter File with private key (PrivateKey) Encryption scheme (EncryptionScheme) Meaning Enter the file with the encryption information. The default file is private.key. Specify the encryption scheme you want to use Save the key file created in the service s install directory. Open the services utility and restart the service "One Identity Manager Service". NOTE: The file with the private key must exist in the server's installation directory on all servers with an active One Identity Manager Service. NOTE: If you change the One Identity Manager Service user account, you must save the key file in the service s install directory again. Detailed information about this topic Encrypting Data in a Database on page 57 Vendor Notification in One Identity Manager Give us the opportunity to keep you up-to-date. The interfaces to other systems are being developed continually. Enable vendor notifications to receive news about important program updates for your system. If vendor notification is enabled, One Identity Manager generates a list of system settings once a month and sends it to One Identity. This list does not contain any personal data. The list will be reviewed by our customer support team who will look for material changes in a proactive effort to identify potential issues before they materialize on your system. The lists may be used by our R&D staff for analysis, diagnosis, and replication for testing purposes. We will keep and refer to this information for as long as your company remains on support for this product. NOTE: You may review the most recent list at any time from in the HELP INFO... menu. Detailed information about this topic Enabling Vendor Notification on page 64 Checking for Vendor Notification on page 64 Disabling Vendor Notification on page 65 Installing One Identity Manager 63

64 Enabling Vendor Notification Prerequisite for Vendor Notification A Job server is configured as SMTP host for sending mail in One Identity Manager. The configuration parameters for notification are configured. For more detailed information about setting up mail notification systems in One Identity Manager, see the One Identity Manager Configuration Guide. To enable a vendor notification 1. Start the Launchpad and log in on the One Identity Manager database. NOTE: You can only configure vendor notification with the staging level "Live Environment" in a One Identity Manager database using the Launchpad. 2. Select Configure vendor notification and click Start. This starts the Designer and opens the Configuration Parameter Editor. 3. Set the configuration parameter "Common\MailNotification\VendorNotification" and enter the address of your company's contact. The address is used as the return address for notifying vendors. 4. Select the Database Commit to Database in the Designer and click Save. Detailed information about this topic Checking for Vendor Notification on page 64 Disabling Vendor Notification on page 65 Error: Enter address in configuration parameter on page 141 Checking for Vendor Notification NOTE: You can only configure vendor notification with the staging level "Live Environment" in a One Identity Manager database using the Launchpad. To check whether vendor notification is enabled Start the Launchpad and log in on the One Identity Manager database. Look at the Configure vendor notification In the installation view to see is the functionality is enabled. Detailed information about this topic Enabling Vendor Notification on page 64 Disabling Vendor Notification on page 65 Installing One Identity Manager 64

65 Disabling Vendor Notification NOTE: You can only configure vendor notification with the staging level "Live Environment" in a One Identity Manager database using the Launchpad. To disable a vendor notification 1. Start the Launchpad and log in on the One Identity Manager database. 2. Select Configure vendor notification and click Start. This starts the Designer and opens the Configuration Parameter Editor. 3. Disable the configuration parameter "Common\MailNotification\VendorNotification". 4. Select the Database Commit to Database in the Designer and click Save. Related Topics Enabling Vendor Notification on page 64 Checking for Vendor Notification on page 64 Installing One Identity Manager 65

66 5 Installing and Configuring the One Identity Manager Service IMPORTANT: If you are working with an encrypted One Identity Manager database, see Advice for Working with an Encrypted One Identity Manager Database on page 62. The One Identity Manager Service handles defined processes. The service has to be installed on the One Identity Manager network server to execute the processes. The server must be declared as a "Job server" in the One Identity Manager database. NOTE: You can proceed with setting up an SQL processing server and the update server using the Configuration Wizard. For more information, see Installing the One Identity Manager Service for the Database on page 54. Each One Identity Manager Service within the network must have a unique queue identifier. The process steps are requested by the Job queue using exactly this queue name. Enter this queue name in the One Identity Manager Service configuration file. Create a corresponding Job server entry for every queue. Use the Server Installer to install the One Identity Manager Service. This program executes the following steps. Setting up a Job server. Specifying machine roles and server function for the Job server. Remote installation of One Identity Manager Service components corresponding to the machine roles. Configures the One Identity Manager Service. Starts the One Identity Manager Service. NOTE: The program executes remote installation of the One Identity Manager Service. Local installation of the service is not possible with this program. Remote installation is only supported within a domain or a trusted domain. Installing and Configuring the One Identity Manager Service 66

67 To install and configure the One Identity Manager Service remotely on a server 1. Start the program Server Installer on your administrative workstation. 2. Enter valid data for connecting to One Identity Manager on the Database connection page and click Next. 3. Specify on which server you want to install the One Identity Manager Service on the Server properties page. a. Select a job server in the Server menu. - OR - Click Add to add a new job server. b. Enter the following data for the Job server. Table 30: Job Servers Properties Property Server Queue Full server name Description Name of the Job servers. Name of queue to handle the process steps. Each One Identity Manager Service within the network must have a unique queue identifier. The process steps are requested by the job queue using exactly this queue name. The queue identifier is entered in the One Identity Manager Service configuration file. Full name of the server in DNS syntax. Example: <name of server>.<fully qualified domain name> NOTE: Use the Advanced option to edit other Job server properties. You can use the Designer to change properties at a later date. 4. Specify which job server roles to include in One Identity Manager on the Machine role page. Installation packages to be installed on the Job server are found depending on the selected machine role. 5. Specify the server's functions in One Identity Manager on the Server functions page. One Identity Manager processes are handled depending on the server function. The server's functions depend on which machine roles you have selected. You can limit the server's functionality further here. Windows PowerShell 6. Check the One Identity Manager Service configuration on the Service settings page. NOTE: The initial service configuration is already predefined. If further changes need to be made to the configuration, you can do this later with the Designer. For more detailed information about configuring the service, see One Identity Manager Configuration Guide. Installing and Configuring the One Identity Manager Service 67

68 7. To configure remote installations, click Next. 8. Confirm the security prompt with Yes. 9. Select the directory with the install files on the Select installation source page. 10. Select the file with the private key on the page Select private key file. NOTE: This page is only displayed when the database is encrypted. 11. Enter the service's installation data on the Service access page. Table 31: Installation Data Data Computer Description Server on which to install and start the service from. To select a server Enter the server name. - OR - Select a entry from the list. Service account Installation account One Identity Manager Service user account data. To enter a user account for the One Identity Manager Service Set the option Local system account. This starts the One Identity Manager Service under the account "NT AUTHORITY\SYSTEM". - OR - Enter user account, password and password confirmation. Data for the administrative user account to install the service. To enter an administrative user account for installation. Enable Advanced Enable the option Current user. This uses the user account of the current user. - OR - Enter user account, password and password confirmation. 12. Click Next to start installing the service. Installation of the service occurs automatically and may take some time. Installing and Configuring the One Identity Manager Service 68

69 13. Click Finish on the last page of the Server Installer. NOTE: The is entered with the name "One Identity Manager Service" in the server's service administration. To install and configure the One Identity Manager Service manually on a server Install One Identity Manager components with the installation wizard. Configure One Identity Manager Service with the program "Job Service Configuration". Declare the Job server in the Designer. Create a corresponding Job server entry for every queue. Fore more detailed information about updating the One Identity Manager Service, see Updating One Identity Manager on page 75. Related Topics Minimum System Requirements for the Service Server on page 25 Advice for Working with an Encrypted One Identity Manager Database on page 62 Displaying the One Identity Manager Service Log File on page 69 Changing the User Account or One Identity Manager Service Start Type on page 70 Installing One Identity Manager Components on page 39 The One Identity Manager Service in a Cluster on page 71 Appendix: Machine Roles and Installation Packages on page 191 Displaying the One Identity Manager Service Log File The One Identity Manager Service log file can be displayed in a browser. To display the One Identity Manager Service log file in a browser You call up the log file with the appropriate URL. name>:<port number> The default value is port To open the One Identity Manager Service log file in Job Queue Info Select the Job server in the Service status view and select Open in browser in the context menu. The One Identity Manager Service HTTP server for the Job server is queried and the varying One Identity Manager Service services are displayed. Installing and Configuring the One Identity Manager Service 69

70 Figure 3: One Identity Manager Service Log File The messages to be displayed on the web page can be filter interactively. There is a menu on the website for this. Only text contained in the log file can be displayed in this case. If, for example, the message type is set to "Warning", no "Info" messages can be shown even if the appropriate filter is chosen. The log output is color coded to make it easier to identify. Table 32: Log File Color Code Color Green Yellow Red Meaning Processing successful. Warnings occurred during processing. Fatal errors occurred during processing. NOTE: If you want to retain the color information to send by mail, you need to save the complete web page. Changing the User Account or One Identity Manager Service Start Type When One Identity Manager Service is installed the service is already entered in the "Services" on the computer. To customize login data and the way the service is started 1. Open the server's service administration and select the entry One Identity Manager Service in the list of services. 2. Open service properties with the context menu item Properties. Installing and Configuring the One Identity Manager Service 70

71 3. Change the start type on the General tab (if required). The start type "automatic" is recommended. 4. Change the user account under which the service runs on the Login tab. 5. Click Apply. 6. Close the service's properties with OK. 7. Start the service from the context menu item Start. If the One Identity Manager Service cannot be started an appropriate message is written to the server event log. NOTE: If you change the One Identity Manager Service user account, you must save the service's configuration file in the service s install directory again. NOTE: If you are working with an encrypted One Identity Manager database, see Advice for Working with an Encrypted One Identity Manager Database on page 62. Related Topics Minimum System Requirements for the Service Server on page 25 Users and Permissions for One Identity Manager on page 30 The One Identity Manager Service in a Cluster The idea of a cluster solution is to make the system highly available. The aim is to limit system failure to only a few seconds if a hardware or software component fails. This can be achieved with the installation of a Windows cluster solution (only possible with Enterprise servers). The following diagram shows such a solution. Installing and Configuring the One Identity Manager Service 71

72 Figure 4: Example of a Cluster Solution This cluster is made up of 2 physical computers "Server A" and "Server B" that use the same disk array and have their own individual system hard drive. Every server has a Windows operating system. Both servers are installed identically so that in the case of failure one server can take over from the other. All redundant system components are managed by the cluster manager. From an external point of view, the cluster is addressed as a single, virtual server "Server C". The service or user that is accessing the service is automatically connected to the physical server that is currently carrying out the work in the cluster. If one of the servers fails, then the redundant server in the cluster automatically takes over. The virtual server remains the contact partner, only the physical server that is running, changes. Detailed information about this topic Registering the One Identity Manager Service in a Cluster on page 72 Installing and Configuring the One Identity Manager Service in a Cluster on page 73 Registering the One Identity Manager Service in a Cluster Once registered, the One Identity Manager Service is governed by cluster handling for site resilience and load balancing. The service is installed on a virtual server which simulates Installing and Configuring the One Identity Manager Service 72

73 the cluster. All computer related operations and service data operate, transparently, with the virtual server and not the real computer (cluster nodes). This also applies to clients that contact the service through the server name, for example RPC (ORPC, DCOM), TCP/IP (Winsock, Named Pipes), HTTP. Because the service is in the context of the virtual server, note the following facts: Service specific setting on the nodes where the virtual server sits are replicated on all other nodes! The service, therefore, always has the same configuration independent of the node on which it is actually started. The service is always started only on the current node of the virtual server (the virtual server's current node). The service is stopped on all other nodes. The service is booted and shutdown with the virtual server. If the cluster is not enabled, the service is stopped on all nodes. Services on nodes are brought automatically in the required state (manual or stopped) before registration by the program. Related Topics The One Identity Manager Service in a Cluster on page 71 Installing and Configuring the One Identity Manager Service in a Cluster on page 73 Installing and Configuring the One Identity Manager Service in a Cluster The installation of server components from the One Identity Manager installation medium needs to be done on all the physical nodes of the cluster. NOTE: When you are configuring the JobServiceDestination, the parameter "Queue" must contain the name of the virtual server. After saving the configuration, the configuration file in the One Identity Manager Service installation directory needs to be copied to all the physical nodes. The name of the configuration file may not be changed. NOTE: One Identity Manager Service configuration is not part of a cluster resource. Thus, each node keeps its own configuration. For this reason, it is necessary to ensure that the configuration files on the physical nodes are consistent. If this is not the case, correct functionality cannot be guaranteed after changing cluster nodes. Setting up a Cluster Resource for the One Identity Manager Service Set up a new cluster resource for the One Identity Manager Service in the program "Cluster Administrator" and make it online. Refer to the Microsoft Technet website ( about this procedure. Note the following when creating the cluster resource: Installing and Configuring the One Identity Manager Service 73

74 Select "Generic Service" as resource type. Select the following One Identity Manager Service dependencies. Cluster IP address Cluster name Quorum (for example disk: D) Do not enter anymore registration keys. NOTE: After setting up the One Identity Manager Service in a cluster system it is advisable to simulate a failover so that possible problems with the cluster do not arise during live operations. Storing the One Identity Manager Service log file on a Shared Volume Set up a new cluster resource for the in the program "Cluster Administrator" and make it online. Note the following when creating the cluster resource: Select "File Share" as resource type. Select the following dependencies: - One IdentityOne Identity Manager Service Customize the directory path in the Logwriter's "Log file" parameter (OutPutFile) in the One Identity Manager Service configuration file. Copy the configuration file to all the physical cluster nodes in the One Identity Manager Service install directory after you have changed it. Related Topics The One Identity Manager Service in a Cluster on page 71 Registering the One Identity Manager Service in a Cluster on page 72 Installing and Configuring the One Identity Manager Service 74

75 6 Updating One Identity Manager Updating One Identity Manager tools includes updating the One Identity Manager database and the existing installations on One Identity Manager network workstations and servers. Database updates are necessary when hotfixes and service packs or complete version updates are available for One Identity Manager. Hotfix A hotfix contains corrections to the default configuration of the current main version but no extension of functionality. A hotfix can supply patches for issues solved in synchronization projects. Service pack A service pack contains minimal extensions of functionality and all the modifications since the last main version that were already included in the hotfixes. A service pack can supply patches with new functions for synchronization projects. Version change A version change means that significant extensions of functionality have been made and involves a complete re-installation. A version change can supply milestones for updating synchronization projects. Milestones group together all patches for solved issues and patches required for new features of the previous version. To update the One Identity Manager 1. Update the administrative workstation, on which the One Identity Manager database schema update is started. Execute the program autorun.exe from the root directory on the One Identity Manager installation medium. 2. Complete the One Identity Manager Service on the update server. 3. Make a backup of the One Identity Manager database. 4. Run the One Identity Manager database schema update. Start the Configuration Wizard on the administrative workstation. 5. Update the One Identity Manager Service on the update server. Updating One Identity Manager 75

76 Execute the program autorun.exe from the root directory on the One Identity Manager installation medium. 6. Start the One Identity Manager Service on the update server. 7. Update other installations on workstations and servers. You can use the automatic software update method for updating existing installations. NOTE: In certain circumstances, it may be necessary to update the other workstations and Job servers manually. This might be required, for example, if there are a significant number of new changes with a One Identity Manager version update, which do not allow the use of automatic update. 8. Any required changes to system connectors or the synchronization engine are made available when you update One Identity Manager. These changes must be applied to existing synchronization projects to prevent target system synchronizations that are already set up, from failing. For more detailed information about applying patches, see the One Identity Manager Target System Synchronization Reference Guide. Detailed information about this topic Updating One Identity Manager Components on page 76 Updating the One Identity Manager Database on page 78 Automatic Updating of the One Identity Manager on page 90 Updating One Identity Manager Components You can implement automatic software updating for updating more workstations and servers. In certain circumstances, it may be necessary to update the other workstations and servers manually with the installation wizard. This might be required, for example, if there are a significant number of new changes with a One Identity Manager version update, which do not allow the use of automatic update. IMPORTANT: Update the workstation on which the schema installation One Identity Manager database is started, with the installation wizard. Update the One Identity Manager Service on the update server with the installation wizard. Updating One Identity Manager 76

77 Detailed information about this topic Updating One Identity Manager Components with the Installation Wizard on page 77 Automatic Updating of the One Identity Manager on page 90 Updating One Identity Manager Components with the Installation Wizard To update a workstation manually 1. Install the new version with the installation wizard. a. Execute the program autorun.exe from the root directory on the One Identity Manager installation medium. b. Switch to the Installation tab, select the edition and click Install. This starts the installation wizard. c. Follow the installation instructions. IMPORTANT: Select the directory you used for your previous installation as the installation directory on the Installation settings page. Otherwise the components are not updated and a new installation is created in the second directory instead. To update the One Identity Manager Service manually 1. Open the server s service administration program and stop the "One Identity Manager Service". 2. Install the new version with the installation wizard. a. Execute the program autorun.exe from the root directory on the One Identity Manager installation medium. b. Switch to the Installation tab, select the edition and click Install. This starts the installation wizard. c. Follow the installation instructions. IMPORTANT: Select the directory you used for your previous installation as the installation directory on the Installation settings page. Otherwise the components are not updated and a new installation is created in the second directory instead. d. In case the previous installation of the One Identity Manager Service used a different service account than the local system account, make sure you reconfigure the One Identity Manager Service properties accordingly. Enter the service account to be used. 3. Start the One Identity Manager Service in the service administration program. Updating One Identity Manager 77

78 Detailed information about this topic Installing One Identity Manager Components on page 39 Updating the One Identity Manager Database Automatic version control is integrated into the One Identity Manager, ensuring that One Identity Manager components are always consistent with each other and with the database. If program extensions that change the structure are implemented, for example, table extensions, the database needs to be updated. You need to update the database if hotfixes and service packs for your installed version of the One Identity Manager are available or complete version updates. In addition, you are repeatedly required to transfer custom changes from a development database into the live database. The One Identity Manager schema is customized by loading so-called transport packages. One Identity Manager recognizes the following types of transport packages that can be copied to the database depending on requirements. IMPORTANT: Test changes in a test system before you load a transport package in a productive system. Table 33: Transport Package Transport Package Type Migration package Hotfix package Custom configuration package Description Migration packages are provided by for the initial database schema installation, for service pack and complete version updates. A migration package contains all the necessary tables, data types, database procedures and the default One Identity Manager configuration. Hotfix packages are provided to load individual corrections to the default configuration such as templates, scripts, processes or files into the database. NOTE: If a hotfix only contains modified files, load these files into the database using the "Software Loader" program. A custom configuration package is used to exchange customer specific changes between the development, test and productive system database. This transport package is created by the customer and loaded into the database. Tool Used Configuration Wizard Database Transporter Software Loader Database Transporter Updating One Identity Manager 78

79 NOTE: If more custom configuration adjustments are made to a One Identity Manager database, then create a custom configuration package and import this transport package in the target database with the Database Transporter. There is no support for merging a hotfix package with a custom configuration package into one transport package. Related Topics Updating the SQL Server Database on page 80 Updating the Oracle Database user on page 82 Installing a Hotfix in the One Identity Manager Database on page 85 Updating the One Identity Manager Database with the Configuration Wizard IMPORTANT: Test changes in a test system before you load a migration package in a productive system. Use the Configuration Wizard to update the One Identity Manager database if you have received a service pack or complete version update. The program "Configuration Wizard" updates the database depending on the current version of the One Identity Manager database and transfers the actual version into the version history. During the update, calculation tasks are queued in the database. These are processed by the DBQueue Processor. Processing calculation tasks may take some time depending on the amount of data and system performance. This is particularly the case, if you save large amounts of historical data in the One Identity Manager database such as change data or data from process handling. Therefore, ensure that you have configured an appropriate procedure for archiving the data before you update the database. For more information about archiving data, see the One Identity Manager Data Archiving Administration Guide. NOTE: Always start the Configuration Wizard on an administrative workstation! IMPORTANT: Ensure that the administrative system user who is going to compile the database, has a password, before you update the One Identity Manager schema to version 8.0. Otherwise the schema update cannot be completed successfully. Detailed information about this topic Updating the SQL Server Database on page 80 Updating the Oracle Database user on page 82 Editing the Database during Update on page 84 Updating One Identity Manager 79

80 Updating the SQL Server Database Use the Configuration Wizard to update the One Identity Manager database if you have received a service pack or complete version update. NOTE: The database is updated in single-user mode. Disconnect all existing database connection before starting migration. After the update has completed, the database is automatically switched to multiuser mode. If it is not possible, you receive a message in which you can manually switch to multiuser mode. You may experience problems activating single-user mode when using database mirroring. NOTE: Always start the Configuration Wizard on an administrative workstation! IMPORTANT: Ensure that the administrative system user who is going to compile the database, has a password, before you update the One Identity Manager schema to version 8.0. Otherwise the schema update cannot be completed successfully. To update a database 1. Start the Configuration Wizard. 2. Select the option Update database on the Configuration Wizard's start page. 3. Select the database and install directory on the Select database page. a. Select the database from the list in "Select connection". - OR - Select the SQL Server database system under Add new connection and enter the database connection data. Table 34: SQL Server Database Connection Data Data Server Windows authentication User Password Database Description Database server. Specifies whether Windows authentication is used. This type of authentication is not recommended. If you decide to use it anyway, ensure that your environment supports Windows authentication. Database user. Database user password. Database. Updating One Identity Manager 80

81 NOTE: Use Extended to make further changes to the database connection configuration settings. b. Select the directory with the installation files in the "Installation source" section. 4. Configuration modules and version information are shown in the Product description page. a. Select the module you want to update. b. Confirm that you have an up-to-date backup of database. c. Set the option Add other modules to select other modules. 5. Select the additional module on the Select configuration modules page. NOTE: This page is only shown if you set the option Add more modules. NOTE: If you add more modules, your custom administrative users obtain the permissions for this module. 6. Other users with existing connections to the database are displayed on the Active sessions page. Disconnect the connections on order to start database processing. 7. Error that prevent processing the database are displayed on the Database check page. Correct the error before you continue updating. 8. The installation steps are shown in the Processing database page. Installation and configuration of the database is automatically carried out by the Configuration Wizard. TIP: Set the option Advanced to obtain detailed information about processing steps and the migration log. a. You must login as an administrative user to compile the system. Enter a user name and password for the administrative system user. Click Log in. b. Once processing is complete, click Next. 9. You can configure the vendor notification on the page, Configure vendor notification. If vendor notification is enabled, One Identity Manager generates a list of system settings once a month and sends it to One Identity. This list does not contain any personal data. The list will be reviewed by our customer support team who will look for material changes in a proactive effort to identify potential issues before they materialize on your system. The lists may be used by our R&D staff for analysis, diagnosis, and replication for testing purposes. We will keep and refer to this information for as long as your company remains on support for this product. Updating One Identity Manager 81

82 a. To use the function, set the option Enable vendor notification and enter your company's contact address in address for contact. The address is used as the sender address for notifying vendors. b. Set the option Disable vendor notification if you do not want to use this functionality. 10. Click Finish on the last page of the Configuration Wizard. Related Topics Starting the Configuration Wizard on page 44 Editing the Database during Update on page 84 Troubleshooting on page 136 Vendor Notification in One Identity Manager on page 63 Updating the Oracle Database user Use the Configuration Wizard to update the One Identity Manager database if you have received a service pack or complete version update. NOTE: Always start the Configuration Wizard on an administrative workstation! IMPORTANT: Ensure that the administrative system user who is going to compile the database, has a password, before you update the One Identity Manager schema to version 8.0. Otherwise the schema update cannot be completed successfully. To update a database user 1. Start the Configuration Wizard. 2. Select the option Update database on the Configuration Wizard's start page. 3. Select the database and install directory on the Select database page. a. Select the database from the list in "Select connection". - OR - Select the Oracle Database database system under Add new connection and enter the database connection data. Table 35: Oracle Database Connection Data Data Direct access (without Oracle client) Description Set this option for direct access. Deactivate this option for access via Oracle Clients. Updating One Identity Manager 82

83 Data Description Which connection data is required, depends on how this option is set. Server Port Service name User Password Data source Database server. Oracle instance port. Service name. Oracle database user. Database user password. TNS alias name from TNSNames.ora. NOTE: Use Extended to make further changes to the database connection configuration settings. b. Select the directory with the installation files in the "Installation source" section. 4. Configuration modules and version information are shown in the Product description page. a. Select the module you want to update. b. Confirm that you have an up-to-date backup of database. c. Set the option Add other modules to select other modules. 5. Select the additional module on the Select configuration modules page. NOTE: This page is only shown if you set the option Add more modules. NOTE: If you add more modules, your custom administrative users obtain the permissions for this module. 6. Other users with existing connections to the database are displayed on the Active sessions page. Disconnect the connections on order to start database processing. 7. Error that prevent processing the database are displayed on the Database check page. Correct the error before you continue updating. 8. The installation steps are shown in the Processing database page. Installation and configuration of the database is automatically carried out by the Configuration Wizard. TIP: Set the option Advanced to obtain detailed information about processing steps and the migration log. Updating One Identity Manager 83

84 a. You must login as an administrative user to compile the system. Enter a user name and password for the administrative system user. Click Log in. b. Once processing is complete, click Next. 9. You can configure the vendor notification on the page, Configure vendor notification. If vendor notification is enabled, One Identity Manager generates a list of system settings once a month and sends it to One Identity. This list does not contain any personal data. The list will be reviewed by our customer support team who will look for material changes in a proactive effort to identify potential issues before they materialize on your system. The lists may be used by our R&D staff for analysis, diagnosis, and replication for testing purposes. We will keep and refer to this information for as long as your company remains on support for this product. a. To use the function, set the option Enable vendor notification and enter your company's contact address in address for contact. The address is used as the sender address for notifying vendors. b. Set the option Disable vendor notification if you do not want to use this functionality. 10. Click Finish on the last page of the Configuration Wizard. Related Topics Starting the Configuration Wizard on page 44 Editing the Database during Update on page 84 Troubleshooting on page 136 Vendor Notification in One Identity Manager on page 63 Editing the Database during Update Installation and configuration of the database is automatically carried out by the Configuration Wizard. This procedure may take some time depending on the amount of data and system performance. The Configuration Wizard performs the following steps: Schema installation Before the schema installation can take place the Configuration Wizard tests the database. Error messages are displayed in a separate window. The errors must be corrected manually. The schema installation cannot be started until these are resolved. Updating One Identity Manager 84

85 All the tables, data types, database procedures that are required are loaded into the database through migration. The following operations are run when a migration package is imported into a One Identity Manager database. Table 36: Operations for importing a Migration Package Operations Insert Update Delete Description A new object with key values is added in the target database if no object is found through an alternative key. If an object is found in the target database through an alternative key, this object is updated. Objects that are no longer needed are deleted. During migration, calculation tasks are queued in the database. These are processed by the DBQueue Processor. When a schema is installed with the Configuration Wizard, migration date and migration revision are recorded in the database's transport history. System compilation Scripts, templates and processes are declared in the database. The authentication module "system user" with the given system user is used for compiling. Automatic update In order to distribute One Identity Manager files using the automatic software updating mechanism, the files are loaded into the One Identity Manager database. Related Topics Troubleshooting on page 136 Automatic Updating of the One Identity Manager on page 90 Displaying the Transport History and Testing the One Identity Manager Version on page 136 Installing a Hotfix in the One Identity Manager Database IMPORTANT: Test changes in a test system before you install a hotfix in a productive system. Hotfix packages contain: Transport packages which contain changes to the default configuration, such as templates, scripts, processes in the One Identity Manager database Modified files, such as *.exe, *.dll or *.vif Updating One Identity Manager 85

86 When you receive a transport package with a hotfix, use the program "Database Transporter" to update the One Identity Manager database. When you import a transport package with the Database Transporter, the import date and description, the database version and the transport package name are recorded in the transport history of the target database. If a hotfix contains a modified file, copy the file to the install directory of the test computer for testing. To distribute files using automatic software update to all workstations and server, import the files into the One Identity Manager database with the program "Software Loader". NOTE: If more custom configuration adjustments are made to a One Identity Manager database, then create a custom configuration package and import this transport package in the target database with the Database Transporter. There is no support for merging a hotfix package with a custom configuration package into one transport package. Detailed information about this topic Displaying Contents of a Transport Package with the Database Transporter on page 86 Importing a Transport Package with the Database Transporter on page 87 Importing Files with the Software Loader on page 88 Displaying the Transport History and Testing the One Identity Manager Version on page 136 Displaying Contents of a Transport Package with the Database Transporter You can display the contents of a transport package with the Database Transporter before you import. NOTE: Always start the Database Transporter on an administrative workstation! To display the contents of a transport package 1. Start the Launchpad and select Transport custom modifications. This starts the program "Database Transporter". 2. Select Show transport file on the start page. 3. Select the transport package file browser and click Open. 4. Click Next on the Select transport file page. Updating One Identity Manager 86

87 5. The contents of the transport file are displayed on the Show transport file. To display the order for importing objects a. Us + to open an entry in the transport file and select Sort in import order from the context menu. b. Click OK and enter the database connection data. This step is only required when you established the first in the order. The order in which the entry's objects are imported into the database is found. c. Repeat this step for all other entries for which you want to determine the import order. 6. Click Finish on the last page to end the program. Related Topics Importing a Transport Package with the Database Transporter on page 87 Importing a Transport Package with the Database Transporter NOTE: To import transport packages with the Database Transporter, the current user must be authorized to use the program function "Allows transport packages to be imported into the database (Transport_Import)". NOTE: Always start the Database Transporter on an administrative workstation! To import a transport package 1. Start the Launchpad and select Transport custom modifications. This starts the program "Database Transporter". 2. Select Import transport file on the start page. 3. Enter the connection credentials for the One Identity Manager database, into which you want to import the transport package, on the Select the database connection page. 4. Select the transport package file browser and click Open. 5. Specify your import options on the Select transport file. a. To create an import log file, set the option Create import log file. The log file is saved in the output directory of the transport file. b. To import individual objects, set the option Import objects singly and ignore errors. Updating One Identity Manager 87

88 Errors, which might occur during importing are ignored and displayed when importing is complete. If this option is not set, the import is stopped when an error occurs. 6. Import steps and import progress are displayed on the Importing transport data page. The import procedure can take some time. Calculation tasks are queued for the DBQueue Processor on termination. 7. If changes have been made to the system configuration, for example, processes or scripts imported, you have to compile the database after the tasks have been processed. Compilation is started automatically once importing is complete. 8. Click Finish on the last page to end the program. NOTE: Use the button to save errors that occur whilst importing. When you import a transport package with the Database Transporter, the import date and description, the database version and the transport package name are recorded in the transport history of the target database. Related Topics Displaying Contents of a Transport Package with the Database Transporter on page 86 Displaying the Transport History and Testing the One Identity Manager Version on page 136 Importing Files with the Software Loader NOTE: Always start the Software Loader on an administrative workstation! To import files 1. Open the Launchpad and select Files for software update. This starts the program "Software Loader". 2. Select Import into database on the start page. 3. Enter the One Identity Manager database connection credentials on the Connect to database page. 4. Specify the file to be imported on the Select files page. a. Select the base directory where the files can be found. The status and file size of all the files in the selected directory are displayed in the file list. The status is determined from the file information in the database. To test the file version, the file size and the hash value are determined and compared to the entry in the database. NOTE: Take note when selecting the base directory that a directory tree is not created accidentally. Updating One Identity Manager 88

89 Table 37: Status Meaning Status Version unknown File unknown Version OK Version changed Meaning The file belongs to the known files but has not been loaded into the database yet. There is no version information in the database. This file is new. The file is in the list of known files but has not been loaded in the database yet. There is no version information in the database. The file version matches the version in the database. This version of the file has change with respect to the version in the database. b. Mark the files to be loaded into the One Identity Manager database. You can multi-select files with SHIFT + SELECT or CTRL + SELECT. TIP: Click with the mouse in a column header to sort by the selected column. TIP: Modified files can be preselected in the context menu. Table 38: Meaning of Context Menu Items Context Menu Item Meaning Open all directories All the directories are opened. Open all modified files All the files with the status "Version changed" are selected. Files in the subdirectories are only selected if the directories are opened beforehand. 5. Apply a change label on the Select change label page. Issue a change label to mark files in order to simplify the transfer of new files between various databases (test database, development database, operational database). Change labels are offered in the program "Database Transporter" as export criteria when a customer transport package is created. a. Select Assign files to following change label. b. Select the change label using the button next to this option. 6. The files are loaded straight from the One Identity Manager database. After successfully loading the files into the database, the semaphore value "Softwarerevision" is updated in the database by the DBQueue Processor. In this Updating One Identity Manager 89

90 way, the files to be updated are added to the update file list at the next semaphore test and distributed to the workstations and servers. 7. Specify other file settings on the Assign machine roles page. a. Assign a computer role to the files. b. To specify other settings, click... next to the file name. Table 39: Other File Settings Setting Source directory Create backup No update Description Path in the installation source. A copy of the file is made if the software is updated automatically. The file is not updated automatic software update. 8. Click Finish on the last page to end the program. Related Topics Automatic Updating of the One Identity Manager on page 90 Appendix: Machine Roles and Installation Packages on page 191 Automatic Updating of the One Identity Manager Particularly local installation and updating of software can prove to be a problem due to the distributed structure of servers and workstations. To help guarantee an acceptable workload for network administrators, a method for updating One Identity Manager automatically has been developed for One Identity Manager. Apart from updating the usual One Identity Manager installation files, new custom files can be simply added to the procedure and are, therefore, distributed to workstations and servers in the One Identity Manager network using the automatic software updating mechanism. Detailed information about this topic Basics for Automatic Update on page 91 Implementing Automatic Software Update on page 93 Updating One Identity Manager 90

91 Basics for Automatic Update All files in a One Identity Manager installation are saved with their name and binary code in the One Identity Manager database. The affiliation to machine roles and installation packages are entered for each file. In addition, the file size and hash values are stored in the database for each file in order to identify them. The necessary files are loaded into the database and updated when a hotfix, a service pack or a full version update One Identity Manager is run. A semaphore "Softwarerevision" is maintained in the database. When a file is added, changed or deleted in the database, the semaphore value is recalculated by the DBQueue Processor. In every One Identity Manager installation directory there is a file Softwarerevision.viv. This file contains the following information: The installation revision number The revision number is determined by the semaphore value 'softwarerevision in the database. The start time of the last modification In addition, you will find the file InstallState.config in the installation directory of all One Identity Manager installations. This file contains information about the installed machine roles, installation packages and files. Whether a software update is required depends on the comparison of semaphore values from the database and the file. If semaphore values vary, machine roles for the computer or server are determined based on the InstallState.config. Each file belonging to a machine role is check to see if the file is known to the database. If the file exists in the data, the following checks are made: Has the file size changed? If this is the case, the file is added to the list of files to be updated. Has the hash value changed? If this is the case, the file is added to the list of files to be updated. New files that have been loaded into the One Identity Manager database through a hotfix, a service pack or a version update are also added to the list. All the files in the list are updated. All actions are logged in the file update.log. After the update has finished, the current semaphore value is copied from the database to the file softwarerevision.viv. Automatic Updating of One Identity Manager Tools When a program starts up, VI.DB.dll creates a connection to the database and carries out the semaphore test. If the file softwarerevision.viv is not found, a new file is added. If the One Identity Manager installation directory does not have write access, an error message is displayed and the software update continues. The update program (Updater.exe) expects a login by an administrator when user account control is active, assuming the logged in user does not have administration permissions for the installation directory (for example %ProgramFiles%). If installation takes place in a Updating One Identity Manager 91

92 directory without user account control, the query does not apply. Then the update process is started. To prevent further applications from starting during the update, a file called Update.lock is created in the installation directory. The trigger program and the update program (updater.exe) write their process ID s in the file. The Update.lock file is deleted from the installation directory once updating has been successfully completed. The program is then restarted. To ensure that automatic updating is restarted when an application is restarted after quitting unexpectedly, Update.lock files older than two hours are ignored. If none of the processes whose ID s are saved in the Update.lock file exist on the workstation when the application is restarted, the Update.lock file is also ignored and the update is restarted. The semaphore test is carried out by VI.DB.dll on a cyclical basis during normal operations. If a file is identified for update, the update process is started automatically. User Intervention in Automatic Updating of One Identity Manager Tools Once the automatic One Identity Manager tool update has been identified on a workstation, the user is prompted to close all open programs. Updating starts after the user has closed all the programs. The configuration parameter "Common\AutoUpdate\AllowOutOfTimeApps" controls whether One Identity Manager tools users can decide when their workstation is updated. Users have no possibility to intervene in the update if the configuration parameter is not set. The update is executed immediately. If the configuration parameter is set, the logged in user is prompted with a message. The user can decide whether the One Identity Manager tools update takes place on the workstation straight away or at a later time. If the user does not want to update immediately, he can continue working. The update is started the next time the program is started. Updating the One Identity Manager Service Automatically Automatic software updating is the default method for updating the One Identity Manager Service on servers. However, the update method takes into account that it may be essential to exclude certain servers from being updated automatically and to update them manually. The One Identity Manager Service returns the actual state of the semaphore "SoftwareRevision" after each request following a process step. If this value differs from the value in the database, the Job server is labeled with "updating" in the database and no more normal process steps are sent to it. A Job server update is executed depending on the method set in the configuration parameter "Common\Autoupdate\ServiceUpdateType". First, the start time of the last change is determined from the file SoftwareRevision.viv. A list is compiled of all files with additional information specifying whether each file is new or not. This list is evaluated on the Job server to be updated and another list is compiled specifying which files will be updated. One Identity Manager Service is restarted if any one of the files has changed on the Job server. After the update is completed, the Job server label is reset in the database. Updating One Identity Manager 92

93 Automatically Updating Web Applications In principle, web applications support automatic software update. However, a few web applications may require extra configuration to take part in automatic software update. NOTE: The following permissions are required for automatic updating: The user account for updating required write permissions for the application directory. The user account for updating requires the local security policy "Log on as a batch job". The user account, under which the application pool runs, requires the local security policies "Replace a process level token" and "Adjust memory quotas for a process". Updating the web application requires restarting the application. The web application is restarted automatically by the web server when it has been idle for a defined length of time. This may take some time or be prevented if continuous user requests. Some web application offer you the option to restart manually. If the web application update is identified, new files are copied from the database to a temporary directory on the server. The Updater.exe is started. It waits until the web application process is shutdown. Updater.exe copies the files from the temporary directories into the web application directory. Related Topics Implementing Automatic Software Update on page 93 Updating a One Identity Manager Application Server on page 100 Using Automatic Updating for the Web Portal on page 118 Updating the Manager Web Application on page 125 Implementing Automatic Software Update IMPORTANT: Update the workstation on which the schema installation One Identity Manager database is started, with the installation wizard. Update the One Identity Manager Service on the update server with the installation wizard. Permissions for Automatic Software Update It is recommended that you apply full access rights to the One Identity Manager installation directory for automatic updating of One Identity Manager tools. Updating One Identity Manager 93

94 The service's user account needs full access to the One Identity Manager Service installation directory in order to automatically update One Identity Manager. To implement automatic software updating 1. Ensure that an update server is set up. This server ensures that the other servers are updated automatically. a. This server must be entered in the database as a Job server with the server function "Update server". b. A One Identity Manager Service with direct access to the database must be installed and configured on the server. c. Exclude this server from automatic update. Set the option No automatic software update in the Designer on the Job server with the server function "Update server". 2. Set the configuration parameter "Common\Autoupdate" in the Designer. If the configuration parameter is set, One Identity Manager files, which do not have the current revision status, are updated automatically. If the configuration parameter is not set, there is no automatic software update. 3. Use the configuration parameter "Common\AutoUpdate\AllowOutOfTimeApps" to specify whether One Identity Manager tools users can decide when their workstation is updated. If the configuration parameter is set, users of One Identity Manager tools are prompted to decided whether they want to update now or later. If the configuration parameter is not set, One Identity Manager tools are updated immediately. 4. Specify which method to use for updating the One Identity Manager Service in the configuration parameter "Common\Autoupdate\ServiceUpdateType". Table 40: Method for Configuration Parameter "Common\Autoupdate\ServiceUpdateType" Method Queue DB Auto Meaning A process for distributing files is queued in the Job queue. The files are loaded straight from the database. Implement this procedure if all Job servers have a direct connection to the database. All root servers are filled straight from the database. A process is set up in the Job queue for all leaf servers. The root servers must have a direct database connection for this method. 5. Set No automatic software update in the Designer on a Job server to exclude it from automatic update. 6. Web applications may require some individual configuration settings. Check the configuration settings. Updating One Identity Manager 94

95 Related Topics Basics for Automatic Update on page 91 Updating One Identity Manager Components on page 76 Using Automatic Updating for the Web Portal on page 118 Updating the Manager Web Application on page 125 Updating One Identity Manager 95

96 7 Installing and Updating a One Identity Manager Application Server The application server provides a connection pool for accessing the database. Clients send their queries to the application server, which processes the objects, for example, by determining values using templates and sending the results back to the clients. The data from the application is sent to the database when an object is saved. NOTE: To use full text search in the Web Portal or the Manager, you need an application server with an search service installed on it. Before installation ensure that the minimal hardware and software prerequisites are fulfilled on the server. Detailed information about this topic Minimum System Requirements for the Application Server on page 29 Installing a One Identity Manager Application Server on page 96 Updating a One Identity Manager Application Server on page 100 Displaying One Identity Manager Application Server Status on page 100 Uninstalling a One Identity Manager Application Server on page 101 Installing a One Identity Manager Application Server The application server provides a connection pool for accessing the database. Clients send their queries to the application server, which processes the objects, for example, by determining values using templates and sending the results back to the clients. The data from the application is sent to the database when an object is saved. Before installation ensure that the minimal hardware and software prerequisites are fulfilled on the server. IMPORTANT: Start the application server installation locally on the server. Installing and Updating a One Identity Manager Application Server 96

97 To install an application server 1. Execute the program autorun.exe from the root directory on the One Identity Manager installation medium. 2. Go to the Installation tab and select the entry Web based components and click Install. Starts the Web Installer. 3. Select Install application server on the Web Installer start page and click Next. 4. Enter connection credential for the One Identity Manager database on the Database connection page and click Next. 5. Configure the following settings on the Select setup target page and click Next. Table 41: Settings for the Installation Target Setting Application name Target in IIS Enforce SSL URL Install dedicated application pool Application pool Identity Web Authentic- Description Name used as application name, as in the title bar of the browser, for example. Internet Information Services web page on which to install the application. Specifies whether insecure websites are available for installation. If the option is set, only sites secured by SSL can be used for installing. This setting is the default value. If this option is not set, insecure websites can be used for installing. The application's Uniform Resource Locator (URL). Specifies whether an application pool is installed for each application. This allows applications to be set up independently of one another. If this option is set, each application is installed in its own application pool. The application pool to use. This can only be entered if the option Install dedicated application pool is not set. The application pool is formatted with the following syntax, if the default value "DefaultAppPool" is used. <application name>_pool Permissions for executing an application pool. A default identity or a user defined user account can be used. The user account is formatted with the following syntax, if the default value "ApplicationPoolIdentity" is used. IIS APPPOOL\<application name>_pool If you want to authorize another user, click... next to the text box and enter the user and password. Specifies the type for authentication against the web Installing and Updating a One Identity Manager Application Server 97

98 Setting ation Database authentication Description application. You have the following options: Windows Authentication (Single Sign-On) The user is authenticated against the Internet Information Services using their Windows user account and the web application logs in the employee assigned to the user account as role-based. If single sign-on is not possible, the user is diverted to a login page. You can only select this authentication method is Windows authentication is installed. Anonymous Login is possible without Windows authentication. The user is authenticated against the Internet Information Services and the web application anonymously and the web application is directed to a login page. NOTE: You can only see this section if you have selected an SQL database connection in Database connection. Specifies the type for authentication against the One Identity Manager database. You have the following options: Windows authentication The web application is authenticated against the One Identity Manager database using the Windows account under which your application pool is running. Login is possible with a user defined user account or a default identity for the application pool. SQL Authentication Login is only possible through a user defined user accounts. Authentication is done using user name and password. This access data is saved in the web application configuration as computer specific encrypted. 6. Specify machine roles on the Assign machine roles page and click Next. This enables the machine roles for the application server. The machine roles "Search Service" and "Search Indexing Service" are required for indexing the full text search. These machine roles are always used together. NOTE: If you want to use full text search in the Web Portal, you must have an application server installed with the search service. 7. Specify the certificate for setting and test session tokens on the Set session token certificate and click Next. Installing and Updating a One Identity Manager Application Server 98

99 NOTE: The certificate must have a key length of at least 1024 bits. a. To create a new certificate Select the item "Create new certificate" under Session token certificate. Enter the issuer of the certificate under Certificate issuer. Specify the length of the certificate's key under Key size. The certificate is entered in the application server's certificate management. b. To use an existing certificate Select the entry "Use existing certificate" under Session token certificate. Select the certificate under Select certificate. c. To create a new certificate file Select "Create new certificate" under Session token certificate. Enter the issuer of the certificate under Certificate issuer. Specify the length of the certificate's key under Key size. 8. Specify the user account for automatic updating of the application server on the Set update credentials page. The user account is used to add or replace files in the application directory. Set the option Use IIS credentials for update if you want to use the user account, under which the application is run, for updates. Set the option Use other credentials for updates if you want to use another user account and enter the domain, user name and password for the user. NOTE: The following permissions are required for automatic updating: The user account for updating required write permissions for the application directory. The user account for updating requires the local security policy "Log on as a batch job". The user account, under which the application pool runs, requires the local security policies "Replace a process level token" and "Adjust memory quotas for a process". 9. Installation progress is displayed on the Setup is running page. After installation is complete, click Next. The Web Installer generates the web application and the corresponding configuration files (web.config) for each folder. 10. Click Finish on the last page to end the program. NOTE: Default values are used for the configuration settings during installation. You can keep these values. It is recommended you check the settings. Installing and Updating a One Identity Manager Application Server 99

100 Related Topics Minimum System Requirements for the Application Server on page 29 Updating a One Identity Manager Application Server on page 100 Displaying One Identity Manager Application Server Status on page 100 Installing the Web Portal on page 102 Appendix: Machine Roles and Installation Packages on page 191 Updating a One Identity Manager Application Server NOTE: It is recommended only to perform automatic update in special maintenance windows in which the application is not available to users and a reboot of the application can be done manually without causing any problems. The application is updated automatically. To run an update, first load the files to be updated into the One Identity Manager database. The necessary files are loaded into the database and updated when a hotfix, a service pack or a full version update One Identity Manager is run. The test is executed when the application starts and then at 5 minute intervals. New files are loaded from the database as they are identified. The files cannot be updated as long as the application is running because it locks the files whose changes result in rebooting the application and all active user session are lost. For this reason, updating takes place when the application is restarted. The application is restarted automatically by the web server when it has been idle for a defined length of time. This may take some time or be prevented if continuous user requests. To start the update manually, open the application's status page in the browser and select Update immediately from the current user's menu. Related Topics Displaying One Identity Manager Application Server Status on page 100 Automatic Updating of the One Identity Manager on page 90 Displaying One Identity Manager Application Server Status The application server can be reached over a browser under: Installing and Updating a One Identity Manager Application Server 100

101 name> name> TIP: You can open the web server's status display in Job Queue Info. Select the menu item View Server state in the Job Queue Info and display the web server's state on the Web servers tab by using Open in browser in the context menu. You will see different status information. Status information for the application server are displayed as performance counters. In addition, API documentation is available here. Uninstalling a One Identity Manager Application Server To uninstall a web application 1. To uninstall a web application, use the Web Installer. a. Execute the program autorun.exe from the root directory on the One Identity Manager installation medium. b. Go to the Installation tab and select Web-based components and click Install. This starts the Web Installer. - OR - c. Start the Web Installer from Start One Identity One Identity Manager Configuration Web Installer. 2. Select Uninstall a One Identity Manager web application on the Web Installer start page and click Next. 3. All installed web applications are displayed on the page, Uninstall a One Identity Manager web application. a. Select the web application you want to remove by double-clicking on it. b. Select the authentication module in the Authentication method section and authenticate yourself. c. Click Next to start uninstalling. d. Confirm the security prompt with Yes. 4. The uninstall progress is displayed on the Setup is running page. After installation is complete, click Next. 5. Click Finish on the last page to end the program. Installing and Updating a One Identity Manager Application Server 101

102 8 Installing, Configuring and Maintaining the Web Portal You can use the Web Installer to install, configure and update the Web Portal. The following describes the steps necessary for installing the Web Portal on a Windows server and for getting the standard version up and running. The configuration settings are explained using their corresponding, possible values. Detailed information about this topic Installing the Web Portal on page 102 Uninstalling the Web Portal on page 110 Configuring the Web Portal on page 110 Web Portal Maintenance on page 116 Installing the Web Portal Before installation ensure that the minimal hardware and software prerequisites are fulfilled on the server. NOTE: If you want to use full text search in the Web Portal, you must have an application server installed with the search service. IMPORTANT: Start the Web Portal installation locally on the server. To install the Web Portal 1. Execute the program autorun.exe from the root directory on the One Identity Manager installation medium. 2. Go to the Installation tab and select the entry Web based components and click Install. Starts the Web Installer. 3. Select Install Web Portal on the Web Installer start page and click Next. Installing, Configuring and Maintaining the Web Portal 102

103 4. Enter connection credential for the One Identity Manager database on the Database connection page and click Next. Different settings are displayed on the Select setup target page, depending on which database connection you use. 5. Configure the following settings on the Select setup target page and click Next. Table 42: Settings for the Installation Target Setting Application name Target in IIS Enforce SSL URL Install dedicated application pool Application pool Identity Web Authentication Description Name used as application name, as in the title bar of the browser, for example. Internet Information Services web page on which to install the application. Specifies whether insecure websites are available for installation. If the option is set, only sites secured by SSL can be used for installing. This setting is the default value. If this option is not set, insecure websites can be used for installing. The application's Uniform Resource Locator (URL). Specifies whether an application pool is installed for each application. This allows applications to be set up independently of one another. If this option is set, each application is installed in its own application pool. The application pool to use. This can only be entered if the option Install dedicated application pool is not set. The application pool is formatted with the following syntax, if the default value "DefaultAppPool" is used. <application name>_pool Permissions for executing an application pool. A default identity or a user defined user account can be used. The user account is formatted with the following syntax, if the default value "ApplicationPoolIdentity" is used. IIS APPPOOL\<application name>_pool If you want to authorize another user, click... next to the text box and enter the user and password. Specifies the type for authentication against the web application. You have the following options: Windows Authentication (Single Sign-On) The user is authenticated against the Internet Information Services using their Windows user account Installing, Configuring and Maintaining the Web Portal 103

104 Setting Description and the web application logs in the employee assigned to the user account as role-based. If single sign-on is not possible, the user is diverted to a login page. You can only select this authentication method is Windows authentication is installed. Anonymous Login is possible without Windows authentication. The user is authenticated against the Internet Information Services and the web application anonymously and the web application is directed to a login page. Database authentication NOTE: You can only see this section if you have selected an SQL database connection in Database connection. Specifies the type for authentication against the One Identity Manager database. You have the following options: Windows authentication The web application is authenticated against the One Identity Manager database using the Windows account under which your application pool is running. Login is possible with a user defined user account or a default identity for the application pool. SQL Authentication Login is only possible through a user defined user accounts. Authentication is done using user name and password. This access data is saved in the web application configuration as computer specific encrypted. If you have selected a direct database connection in step 4, the page Select application server is opened. Application server data is required if you want to use full text search. You can enter the application server in the configuration file at a later date. 6. Enter the application server on which full text search is installed, on the Select application server page. a. Click the link Select application server. b. Enter the web address in URL:, confirm with OK and click Next. 7. On the next page, specify the following extended settings for installing and click Next. Installing, Configuring and Maintaining the Web Portal 104

105 a. Select the installation source in Installation source. Select Load from database if files are to be found in the database. If files are stored on the installation medium, select Install from local folder and enter the path. b. Select the desired web project in Web project. If you do not need to set more options, the message No authentication data required is displayed. If other settings are required, proceed as follows: Click the button next to Authentication for sub projects is missing. Mark the project marked in red in the edit window. Select the desired authentication method under Authentication Methods and enter the required login data. Click OK. For more information, see Web project on page 112. c. Specify the user account for automatic updating of the Web Portal under Set update credentials. The user account is used to add or replace files in the application directory. Set the option Use IIS credentials for update if you want to use the user account, under which the application is run, for updates. Set the option Use other credentials for updates if you want to use another user account and enter the domain, user name and password for the user. NOTE: The following permissions are required for automatic updating: The user account for updating required write permissions for the application directory. The user account for updating requires the local security policy "Log on as a batch job". The user account, under which the application pool runs, requires the local security policies "Replace a process level token" and "Adjust memory quotas for a process". 8. Installation progress is displayed on the Setup is running page. After installation is complete, click Next. The Web Installer generates the web application and the corresponding configuration files for each folder. You should be able to use the web application immediately. NOTE: If you install the web application with HTTPS, how cookies are transferred in HTTPS is set up in the Web Installer. Take into account that this value must be set manually if you make changes to the web application SSL settings at a later date. Installing, Configuring and Maintaining the Web Portal 105

106 9. You can test starting the web application on the Validate installation page. The base URL is displayed for mail distribution. Select another URL in Change to if required and click Next. 10. Click Finish on the last page to end the program. To make a modification Enter an example value <httpcookies requiressl="true"> in web.config under the element <system.web>. The Web Installer uses the default value for most configuration settings. You can use these values normally. It is recommended you check the settings with the help of the Web Designer Configuration Editor. Related Topics Minimum System Requirements for the Web Server on page 27 Installing a One Identity Manager Application Server on page 96 Configuring the Web Portal on page 110 Installing the Web Portal over the Command Line An alternative to installing with autorun.exe is using the WebDesigner.InstallerCMD.exe in the command line console. This method can install or uninstall the Web Portal. NOTE: You must in carry out installation using the command line console as an administrator. You can call up the help text by entering /?. Calling syntax "Call help" WebDesigner.InstallerCMD.exe Calling syntax "Install Web Portal" WebDesigner.InstallerCMD.exe [/prov {provider}] /conn {connectionstring} /authprops {authentication} /appname {appname} /site {Site} [/sourcedir {dir}] [/apppool {AppPool}] [/webproject {Webproject}] [/constauthproj {subproject name} /constauth {authentication}] [/searchserviceurl {url}] [/updateuser {username} [/updateuserdomain {domain}] [/updateuserpassword {password}]] [/allowhttp {true false}] [-f] [-w] [-s] Installing, Configuring and Maintaining the Web Portal 106

107 Table 43: Program parameters Parameters /Prov /Conn /authprops /appname /site /sourcedir /apppool /webproject /constauthproj /constauth /searchserviceurl /allowhttp /updateuser /updateuserdomain /updateuserpassword Description Database provider. Database connection parameter. Authentication with dialog authentication. Application name. Website. Source directory when installing file system. Application pool. Name of the web project. Name of sub project. Authentication settings for the sub project. Application server for search function availability. Allow http. User for the update. Active Directory domain for the update user. Update user's password. -W Windows authentication instead of anonymous on IIS. Example of an installation with direct connection against an SQL Server database. Make the following parameter settings in the example. SQL Server database connection In the default website Application name "testqs" Authentication with system user "testadmin" As application server for search function availability Permit http WebDesigner.InstallerCMD.exe /conn "Data Source=dbserver.testdomain.lan;Initial Catalog=IdentityManager; Integrated Security=False;User ID=admin;Password=password" /site "Default Web Site" /appname testqs /authprops "Module=DialogUser;User=testadmin;Password=" /searchserviceurl /allowhttp true Installing, Configuring and Maintaining the Web Portal 107

108 Example of an installation with a direct connection against an Oracle database Make the following parameter settings in the example. Oracle database connection In the default website Application name "testoraqs" Authentication with system user "testadmin" Authentication for the sub project "test_userregistration_web" with system user "Subadmin" WebDesigner.InstallerCMD.exe /prov "VI.DB.Oracle.ViOracleFactory, VI.DB.Oracle" /conn "User Id=IdentityManager; Password=Password;Server=testoraqs.lan;Direct=True;Service Name=test;Port=1521" /site "Default Web Site" /appname testoraqs /authprops "Module=DialogUser;User=testadmin;Password=" /constauthproj test_userregistration_web /constauth "Module=DialogUser;User=Subadmin;Password=" Example of an installation with a connection against the application server Make the following parameter settings in the example. Connection to application In the default website Application name "testviaappserver" with Windows authentication as web authentication With update user "JohnDoe" And update application "MyDomain.lan" WebDesigner.InstallerCMD.exe /prov "QBM.AppServer.Client.ServiceClientFactory, QBM.AppServer.Client" /conn "URL= /site "Default Web Site" /appname testviaappserver /authprops "Module=DialogUser;User=testadmin;Password=" -w /updateuser JohnDoe /updateuserdomain MyDomain.lan /updateuserpassword topsecret Calling syntax "Install on command line without WebDesigner.InstallerCMD.exe" WebDesigner.ConfigFileEditor.exe -constauth../web.config "test_userregistration_web" "Module=DynamicPerson;User[test_USER]=xyz;(Password)Password[test_Password]=xyz; (Hidden)IgnoreMasterIdentities=;(Hidden)Product=Manager" Installing, Configuring and Maintaining the Web Portal 108

109 Table 44: Program parameters Parameters -constauth Description Authentication settings for the sub project. Make the following parameter settings in the example. Authentication for the sub project "test_userregistration_web" with the user "test_user". Calling syntax "Uninstall Web Portal" WebDesigner.InstallerCMD.exe [/prov {provider}] /conn {connectionstring} /authprops {authentication} /appname {appname} [/site {Site}] -R Table 45: Program parameters Parameters /Prov /Conn /authprops /appname /site Description Database provider. Database connection parameter. Authentication with dialog authentication. Application name. Website. -r Removes the application. Example of uninstalling the web application with a connection against an application server WebDesigner.InstallerCMD.exe /prov "QBM.AppServer.Client.ServiceClientFactory, QBM.AppServer.Client" /conn "URL= /appname testviaappserver /authprops "Module=DialogUser;User=testadmin;Password=" -R Calling syntax "Uninstall earlier Web Portal versions (<=6.x)" WebDesigner.InstallerCMD.exe /appname {appname} [/site {Site}] -R Table 46: Program parameters Parameters /appname Description Application name. Installing, Configuring and Maintaining the Web Portal 109

110 Parameters /site Description Website. -r Removes the application. Uninstalling the Web Portal To uninstall a web application 1. To uninstall a web application, use the Web Installer. a. Execute the program autorun.exe from the root directory on the One Identity Manager installation medium. b. Go to the Installation tab and select Web-based components and click Install. This starts the Web Installer. - OR - c. Start the Web Installer from Start One Identity One Identity Manager Configuration Web Installer. 2. Select Uninstall a One Identity Manager web application on the Web Installer start page and click Next. 3. All installed web applications are displayed on the page, Uninstall a One Identity Manager web application. a. Select the web application you want to remove by double-clicking on it. b. Select the authentication module in the Authentication method section and authenticate yourself. c. Click Next to start uninstalling. d. Confirm the security prompt with Yes. 4. The uninstall progress is displayed on the Setup is running page. After installation is complete, click Next. 5. Click Finish on the last page to end the program. Configuring the Web Portal Web Portal configuration covers a number of settings. The web application configuration is saved in the web application configuration files web.config, NLog.config and monitor.config which are in the web application root directory and in the table QBMWebApplication of the One Identity Manager database respectively. Use the Web Designer Configuration Editor (WebDesigner.ConfigFileEditor.exe), to edit the configuration file. Installing, Configuring and Maintaining the Web Portal 110

111 Connection strings and login data are automatically encrypted in the configuration files noted above with the default Microsoft ASP.NET cryptography. To configure a web application 1. Start the Web Designer Configuration EditorWebDesigner.ConfigFileEditor.exe, which you will find in the setup folder. This opens the Open configuration file window. 2. Select the configuration file web.config in the Open configuration file view and click Open. 3. Select the authentication type required and log in. This opens a Web Designer Configuration Editor dialog box. Set the account options in each section. Detailed information about this topic Database Connection on page 111 Web project on page 112 Log on page 113 Automatic update on page 114 Web Settings on page 115 Cache on page 115 Debugger Service on page 115 Search Service on page 116 Database Connection The database connection is normally already selected. You can also select a new database connection. To select a new database connection 1. Click Enter new connection in the Database connection section. This opens the dialog box Add new connection. 2. Select one of the system types available and click Next. This displays a view with more settings. NOTE: You will see different options depending on the settings you already selected. 3. If you have selected the system type SQL server, you are shown the following settings: Installing, Configuring and Maintaining the Web Portal 111

112 a. Select in Server the server you want. b. Enable the check box Windows authentication to use this authentication. c. Enter in User the user name you want to use to log in. d. Enter in Password the corresponding password for this user name. e. Select in Database the database you want. - OR - If you have selected the system type Oracle, you are shown the following settings: NOTE: At this point, only those edit options not already mentioned in the SQL server settings are mentioned here. a. Enable the check box Direct access (without client). b. Enter the information required in Server, port, service name, user and password. - OR - If you have selected the system type Application server you will be shown the following options. a. Enter the connection data in URL. 4. Click Finish. Your settings are saved and you are returned to the Web Designer Configuration Editor. NOTE: Select either Test connection or Advanced options in the Options menu, if required. Related Topics Logging into a One Identity Manager Database as a Database User on page 128 Web project To select a web project and an authentication module 1. Select the project you want to use in the web application in Web project. NOTE: Normally, login data for the subproject of the selected web project is entered separately. If the subproject is missing authentication data, a message and a button are displayed. 2. Select the module you want in Authentication module. Installing, Configuring and Maintaining the Web Portal 112

113 NOTE: This module is the main authentication module used for authentication employees. Some module support single sign-on. In such cases, a corresponding message is shown beneath selection. If you selected an authentication module which does not support single sign-on, you can select another module for manual login. 3. Enable the check box Debugging if you want to use the debugging environment. 4. Enter the client ID in Client ID for OAuth authentication if you want to implement this authentication method. NOTE: The web application is identified automatically with OAuth authentication. To enter or change authentication data for a sub project 1. Click the button next to Authentication for sub projects is missing. This open the dialog box Authentication data. 2. Mark the project marked in red in the edit window. The Authentication method is enabled and can be edited. 3. Click System user to select another authentication method if necessary. 4. Enter the login data User and Password. 5. Click Save login. 6. Click OK. Log The Log section is subdivided into the following views: General known issues Application log Event log Database log In the General view, you see general information about your web application, which you can edit in text boxes. This information is: Application - the name of your web application Company name - the name of the company using the web application Product name - the name of the software producer Log directory - the directory where your web application saves log files. The web server process must have write access to this folder. In the Application log view, you can make the following settings: Installing, Configuring and Maintaining the Web Portal 113

114 Severity: Options from Off to Trace are possible here. This filter control which messages are written to the log file. Archive every: Here you can set how often the application log is saved. Settings rang from None to Minutes. Archive numbering: Here you can set whether archive data for the application log is numbered in ascending or descending order. The following settings are available to you in the Event log view: Severity: As already mentioned in Application log, you specify here which messages are written to the log file. The Database log view only logs processing of database queries. The following settings are available: Severity: As already mentioned in Application log, you specify here which messages are written to the log file. Options from Off to Trace are possible here. Archive every: Here you can set how often the database log is saved. Settings rang from None to Minutes. Archive numbering: Here you can set whether archive data for the database log is numbered in ascending or descending order. Automatic update NOTE: If you enable automatic application updates, the configuration parameter "Common\Autoupdate" must be set in addition to the the function Enable automatic updates. To update a web application automatically 1. Enable Enable automatic updates. 2. Select between the options. a. Use IIS permissions for updating. b. Use a special account for updating If you have selected the option Use other credentials for updates, enter additional information in the following fields. Table 47: Information Required using other Update Credentials. Data Domain Description Active Directory user account's domain. TIP: If you want to use a local user account, enter. or the computer name as domain. Installing, Configuring and Maintaining the Web Portal 114

115 Data User name Password Repeat password Description Name of the Active Directory user account. Password of the Active Directory user account. Repeated input of the password. Web Settings This is the Web settings section of the Web Designer Configuration Editor. To make changes in the "Web settings" section 1. Select the product to be configured from Product. 2. Enter the information you want in HTML headers. 3. Select which page is shown after logging off, in After logging off. 4. Enter idle time after the session has expired in Close session after idle time (minutes). NOTE: Enter the value 0 if you want the session to remain open despite being idle. 5. Enable the check box Compressed HTTP transfer. HTTP compression takes place with this setting. Cache Use this area to view the location of the cache and assembly directories. Both text boxes can be edited. To edit the repository for the cache and assembly directories 1. Click in one of the text boxes. a. Cache directory b. Assembly cache 2. Overwrite the path with the path in which you want to store cached data in the future. Debugger Service Use this setting to configure the WCF connection. Installing, Configuring and Maintaining the Web Portal 115

116 To configure the WCF connection 1. Enable the Limit port range option. 2. Limit the values in both numeric fields. Search Service Prerequisites for using full text search in the Web Portal is an application server installed with the search service. If you run the Web Portal directly over an application server installed with the search service, you can use the full text search immediately. If you run the Web Portal over an application server with a search service installed or with a direct database connection, enter an application service with an installed search service in this configuration section. Full text search is available in the Web Portal once this has been done. To enter an application server at a later date 1. Click Select application server. 2. Enter the application server's web address in the text box URL. 3. Test the connection by selecting Test connection from the Options menu. 4. Edit other optional settings by selecting Advanced settings from the Options menu. 5. To accept the settings, click OK. Certain important columns are already indexed for full text search in the default installation. You configure more columns for full text searching if you require. For more detailed information about configuring column for full text search, see the One Identity Manager Configuration Guide. For more detailed information about using the full text search in the Web Portal, see the One Identity Manager Web Portal User Guide. Related Topics Installing a One Identity Manager Application Server on page 96 Web Portal Maintenance In the following, all maintenance options available to a One Identity Manager web application are listed and described. Installing, Configuring and Maintaining the Web Portal 116

117 Detailed information about this topic Runtime Monitoring on page 117 Security on page 117 Viewing Log Files and Exceptions on page 117 Using Automatic Updating for the Web Portal on page 118 Maintenance Mode on page 118 Manual Updating on page 119 Monitoring with Help from Performance Counters on page 119 Runtime Monitoring The One Identity Manager web application contains a runtime monitoring tool. This tool can access the web application through a special URL: Security Access to this page is configured through the following settings in the web application's configuration file (web.config). The default setting only allows members of the administrator role to access the runtime monitor. <?xml version="1.0"?> <!-- Permission to use WebDesigner runtime monitor --> <authorization> <allow roles="builtin\administrators" /> <deny users="*" /> </authorization> For more information about changing this setting, see the ASP.NET documentation. Viewing Log Files and Exceptions The Log files tab of the Runtime Monitor allows you to view log files generated by web applications. You can filter these file and search by strings. The log files are saved physically in the log directory, which is defined in the configuration (for example, "./Logs"). Installing, Configuring and Maintaining the Web Portal 117

118 The Exceptions tab of the Runtime Monitor enables you to view the log messages relating to exceptions. These messages are collected by exception and sorted by frequency of occurrence. The first exception in the list is the most commonly occurring exception. NOTE: The Web Installer writes important events to the Windows application log file. You can view this log file in the Windows Event Viewer if there are problems or errors during the Web Portal installation. Using Automatic Updating for the Web Portal The One Identity Manager web application is integrated into automatic updating of One Identity Manager. Important: A software update means the web application will be restarted. Automatic update of the web application contains the following steps: The web application recognizes that a new software version is available in the database. New files are copied from the database into temporary directories on the server. The Updater.exe is started. It waits until the web application process is shutdown. (For more information about automatic shutdown, see the IIS documentation). Updater.exe copies the files from the temporary directories into the web application directory. Related Topics Manual Updating on page 119 Automatic update on page 114 Automatic Updating of the One Identity Manager on page 90 Maintenance Mode A web application can be switched to Maintenance mode to perform maintenance. Running sessions are not affected in maintenance mode. However, no new sessions are permitted. Users viewing the web application are displayed the contents of the file Maintenance.html which is in the root directory of the web application. You can freely edit this file to show users details about maintenance work. Maintenance mode is enabled by adding the file Maintenance.mode to the directory App_Data of the web application (and is disabled by deleting it). Maintenance mode can also be switched on the Runtime Monitor page. You can use maintenance mode to allow an automatic update at a specified time. Installing, Configuring and Maintaining the Web Portal 118

119 Manual Updating Use of the update process described above is preferred. You can, however, update the web application manually by copying updated files into the bin folder of the web application. Note that each write access to the web application's bin folder causes the web application to restart. This means, all active sessions of the application are closed and all files unsaved are lost. For this reason, you should only run a manual update of the web application if there are no active sessions. Only files in the web application's bin folder are controlled by automatic update. Related Topics Using Automatic Updating for the Web Portal on page 118 Monitoring with Help from Performance Counters When you install a web application, performance counters are registered, which provide information about the state of the application. Performance indicators can be installed later. NOTE: Prerequisites for this are that the web application is installed on a Windows Server and has sufficient permissions to offer performance counters. It may be necessary to add the application pool user account to the local group Performance monitoring user for this. Apart from this, the web application must be running in order to select the performance indicators. To post-install performance indicators 1. Open the Web Designer Configuration Editor. 2. Click Web settings and Create Windows performance indicators. After this is successfully completed, an installation prompt is displayed. 3. Confirm the prompt with OK. To view performance counters 1. Log in to the server on which the web application is installed. 2. Start Windows's performance monitor. 3. Select Performance monitor on the left-hand side of the dialog box. 4. Click in the performance monitor view. 5. Mark One Identity ManagerWeb Portal in the Add Counters dialog box under Available counters and open the entry. Installing, Configuring and Maintaining the Web Portal 119

120 This displays performance indicators for the web application. The following indicators are available. AJAX calls: Number of asynchronous handled HTTP queries Objects: Number of active database objects Exceptions: Number of exception that have occurred Forms: Number of active forms HTML requests: Number of HTML page requests PID: Number of process IDs Contexts: Number of active module objects Sessions: Number of active sessions Session total: Total number of sessions since the application started 6. Enter any new performance indicators you wish and select the web application under Instances of selected object:. TIP: You can only view web applications which are currently running. If you install a new web application, it may take a few minutes before the list of available web applications including the new one is available. Installing, Configuring and Maintaining the Web Portal 120

121 Installing the Operations Support Web Portal Before installation ensure that the minimal hardware and software prerequisites are fulfilled on the server. NOTE: The Operations Support Web Portal is an extension of the default Web Portal and uses its CSS files. A compiled and running Web Portal is prerequisite for usage. To install the Operations Support Web Portal 1. Install the Web Portal. 2. Copy the folder "Modules\QER\dvd\AddOn\Operations Support Web Portal" to the Web Portal folder. You can rename the folder to "OperationSupport", for example. 3. Copy the following files into the Web Portal's "bin" folder. a. Modules\QER\install\bin\QER.WebRuntime.WebApi.dll b. Modules\QBM\install\bin\QBM.CompositionApi.Web.dll 4. Ensure that the MIME type for JSON is configured in the IIS. a..json = application/json For more information, refer to The installation is complete and you can call the Operations Support Web Portal under Installing the Operations Support Web Portal 121

122 9 Installing and Updating the Manager Web Application Manager functionality can be provided by web applications. Before installation ensure that the minimal hardware and software prerequisites are fulfilled on the server. Detailed information about this topic Minimum System Requirements for the Web Server on page 27 Installing the Manager Web Application on page 122 Updating the Manager Web Application on page 125 Uninstalling the Manager Web Application on page 126 Appendix: Manager Web Application Extended Configuration on page 181 Installing the Manager Web Application One Identity Manager requires each web application to be defined in one language. If you wish to publish an application in two languages, you must install two separate applications. The Web Installer installs one application per language by default. You can define a language pool for these applications if several application are running at once. If a user calls up a web application from the language pool, he is automatically diverted to the web application which matches his language. It is, therefore, not important to declare all the web application URLs in the language pool. This mechanism also allows you to achieve simple load balancing. IMPORTANT: Start the Manager web application installation on the server. To install the Manager web application 1. Execute the program autorun.exe from the root directory on the One Identity Manager installation medium. Installing and Updating the Manager Web Application 122

123 2. Go to the Installation tab and select the entry Web based components and click Install. Starts the Web Installer. 3. Select Install Manager web application on the Web Installer start page and click Next. 4. Enter connection credential for the One Identity Manager database on the Database connection page and click Next. 5. Configure the following settings on the Select setup target page and click Next. Table 48: Settings for the Installation Target Setting Application name Target in IIS Enforce SSL URL Install dedicated application pool Application pool Identity Web Authentication Description Name used as application name, as in the title bar of the browser, for example. Internet Information Services web page on which to install the application. Specifies whether insecure websites are available for installation. If the option is set, only sites secured by SSL can be used for installing. This setting is the default value. If this option is not set, insecure websites can be used for installing. The application's Uniform Resource Locator (URL). Specifies whether an application pool is installed for each application. This allows applications to be set up independently of one another. If this option is set, each application is installed in its own application pool. The application pool to use. This can only be entered if the option Install dedicated application pool is not set. The application pool is formatted with the following syntax, if the default value "DefaultAppPool" is used. <application name>_pool Permissions for executing an application pool. A default identity or a user defined user account can be used. The user account is formatted with the following syntax, if the default value "ApplicationPoolIdentity" is used. IIS APPPOOL\<application name>_pool If you want to authorize another user, click... next to the text box and enter the user and password. Specifies the type for authentication against the web application. You have the following options: Windows Authentication (Single Sign-On) Installing and Updating the Manager Web Application 123

124 Setting Description The user is authenticated against the Internet Information Services using their Windows user account and the web application logs in the employee assigned to the user account as role-based. If single sign-on is not possible, the user is diverted to a login page. You can only select this authentication method is Windows authentication is installed. Anonymous Login is possible without Windows authentication. The user is authenticated against the Internet Information Services and the web application anonymously and the web application is directed to a login page. Database authentication NOTE: You can only see this section if you have selected an SQL database connection in Database connection. Specifies the type for authentication against the One Identity Manager database. You have the following options: Windows authentication The web application is authenticated against the One Identity Manager database using the Windows account under which your application pool is running. Login is possible with a user defined user account or a default identity for the application pool. SQL Authentication Login is only possible through a user defined user accounts. Authentication is done using user name and password. This access data is saved in the web application configuration as computer specific encrypted. 6. Specify other application specific settings on the Configuration page. a. Select the culture code for the language in Culture. The language influences how dates and numbers displayed amongst other things. b. The web application requires access permissions to itself. If you select the authentication type "Windows authentication (single sign-on)" for web authentication, enter the user's domain, user account and password. No other data is required for anonymous authentication. c. Click Next. 7. Installation progress is displayed on the Setup is running page. Once installation is complete, click Next. The Web Installer generates the web application and the corresponding configuration files (web.config) for each folder. Installing and Updating the Manager Web Application 124

125 8. Click Finish on the last page to end the program. NOTE: The Web Installer uses default values for the configuration settings. You can keep these values. It is recommended you check the settings with the help of the Manager Web Configuration Editor. The Manager web application can be reached over a browser under: name> name> TIP: You can open the web server's status display in Job Queue Info. Select the menu item View Server state in the Job Queue Info and display the web server's state on the Web servers tab by using Open in browser in the context menu. Related Topics Updating the Manager Web Application on page 125 Appendix: Manager Web Application Extended Configuration on page 181 Updating the Manager Web Application NOTE: It is recommended only to perform automatic update in special maintenance windows in which the application is not available to users and a reboot of the application can be done manually without causing any problems. The application update happens automatically if the plugin "Auto update" is enabled for the web application. NOTE: The following permissions are required for automatic updating: The user account for updating required write permissions for the application directory. The user account for updating requires the local security policy "Log on as a batch job". The user account, under which the application pool runs, requires the local security policies "Replace a process level token" and "Adjust memory quotas for a process". To run an update, first load the files to be updated into the One Identity Manager database. The necessary files are loaded into the database and updated when a hotfix, a service pack or a full version update One Identity Manager is run. The plugin "Auto update" runs a test when the application starts and then at 5 minute intervals. New files are loaded from the database as they are identified. The plugin "Auto update" cannot update files as long as the application is running because it locks the files whose changes result in rebooting the application and all active user session are lost. For this reason, updating takes place when the application is restarted. Installing and Updating the Manager Web Application 125

126 The application is restarted automatically by the web server when it has been idle for a defined length of time. This may take some time or be prevented if continuous user requests. Related Topics Automatic Updating of the One Identity Manager on page 90 Appendix: Manager Web Application Extended Configuration on page 181 Uninstalling the Manager Web Application To uninstall a web application 1. To uninstall a web application, use the Web Installer. a. Execute the program autorun.exe from the root directory on the One Identity Manager installation medium. b. Go to the Installation tab and select Web-based components and click Install. This starts the Web Installer. - OR - c. Start the Web Installer from Start One Identity One Identity Manager Configuration Web Installer. 2. Select Uninstall a One Identity Manager web application on the Web Installer start page and click Next. 3. All installed web applications are displayed on the page, Uninstall a One Identity Manager web application. a. Select the web application you want to remove by double-clicking on it. b. Select the authentication module in the Authentication method section and authenticate yourself. c. Click Next to start uninstalling. d. Confirm the security prompt with Yes. 4. The uninstall progress is displayed on the Setup is running page. After installation is complete, click Next. 5. Click Finish on the last page to end the program. Installing and Updating the Manager Web Application 126

127 10 Logging into One Identity Manager Tools When you start one of the One Identity Manager tools, a default connection dialog box opens. Figure 5: Default connection dialog When you log in, you need to be aware of the difference between a database user and a user of individual One Identity Manager tools (system user). More than one system user may work with the same database account. Login takes place in two steps: Logging into One Identity Manager Tools 127

128 Selecting the database connection to log in to the database Selecting the authentication method and finding the system user for logging in Permitted system user IDs are determined by the authentication module you select. The One Identity Manager provides different authentication parameters. NOTE: When you start the program, it tries to restore the last used connection. This might lead to a delay resulting in an error if you frequently swap between connections to other database servers. To prevent the previous connection restoring, create the following registry key: HKEY_CURRENT_USER\Software\One Identity\One Identity Manager\Global\Settings\ [RestoreLastConnection]="false" Detailed information about this topic Logging into a One Identity Manager Database as a Database User on page 128 Logging into One Identity Manager Administration Tools as a System User on page 133 Enabling other Authentication Modules on page 134 Appendix: One Identity Manager Authentication Modules on page 150 Enabling other Login Languages on page 135 Logging into a One Identity Manager Database as a Database User To select an existing connection Select the connection under "Select Connection" in the connection dialog box. NOTE: Newly created connection are only shown in the list after the program has been restarted. To create a new connection to a One Identity Manager database under SQL Server 1. Click Add new connection under "Select Connection" and select the system type SQL Server. 2. Click Next. Logging into One Identity Manager Tools 128

129 3. Enter the connection data for the database server. Table 49: SQL Server Database Connection Data Data Server Windows authentication User Password Database Description Database server. Specifies whether Windows authentication is used. This type of authentication is not recommended. If you decide to use it anyway, ensure that your environment supports Windows authentication. Database user. Database user password. Database. 4. Select Test connection in the Options menu. This attempts to connect the database with the given connection data. You are prompted to confirm a message about the test. NOTE: Use Options Advanced options to make further changes to the database connection configuration settings. 5. Click Finished. Figure 6: Connection Data Dialog Box under SQL Server Logging into One Identity Manager Tools 129

130 To create a new connection to a One Identity Manager database under Oracle 1. Click Add new connection under "Select Connection" and select the system type Oracle. 2. Click Next. 3. Enter the connection data for the Oracle instance. Table 50: Oracle Database Connection Data Data Direct access (without Oracle client) Server Port Service name User Password Data source Description Set this option for direct access. Deactivate this option for access via Oracle Clients. Which connection data is required, depends on how this option is set. Database server. Oracle instance port. Service name. Oracle database user. Database user password. TNS alias name from TNSNames.ora. 4. Select Test connection in the Options menu. This attempts to connect the database with the given connection data. You are prompted to confirm a message about the test. NOTE: Use Options Advanced options to make further changes to the database connection configuration settings. 5. Click Finished. Logging into One Identity Manager Tools 130

131 Figure 7: Connection Data Dialog Box under Oracle To set up a new connection to the application server 1. Click Add new connection under "Select Connection" and select the system type Application server. 2. Click Next. 3. Enter the address (URL) for the application server. 4. If you access an application server secured through SSL/TLS, configure additional settings for the certificate: Logging into One Identity Manager Tools 131

132 If the certificate's server name matches the application server's URL and, if the server certificate can be successfully validated, the server name displayed in green next the URL. By clicking on the server name next to the URL, you can get information about the certificate. You can select a certificate required for logging in, under Pin server certificate. If the certificate's server name does not match the application server's URL or, if the server certificate cannot be successfully verified, the server name displayed in red next the URL. You decide whether to trust the certificate. If a client certificate is expected according to the SSL settings, select the certificate under Select client certificate and decide how to verify the certificate. You can choose between "Find by subject name", "Find by issuer name" and "Find by thumbprint". If you want use a self-signed certificate, set the option Accept self-signed certificate. 5. Select Test connection in the Options menu. This attempts to connect the database with the given connection data. You are prompted to confirm a message about the test. NOTE: Use Options Advanced options to make further changes to the database connection configuration settings. 6. Click Finished. Figure 8: Dialog box for connecting to the application server To delete a connection 1. Select the connection under "Select Connection". 2. Press DEL. Logging into One Identity Manager Tools 132

133 3. Confirm the security prompt with Yes. The database connection is no longer displayed in the connection dialog. Related Topics Logging into One Identity Manager Administration Tools as a System User on page 133 Logging into One Identity Manager Administration Tools as a System User Following the database login, the user must log in as a system user to the started program. Permitted system user IDs are determined by the authentication module you select. To log in to One Identity Manager tools with a system user identifier 1. Select the authentication module under "Authentication method" in the connection dialog box. This displays a list of all available authentication modules. 2. Enter the login data for the system user ID. Which login data you require depends on the authentication module selected. 3. Click Log in. The connection data is saved and made available for the next login. Logging into One Identity Manager Tools 133

134 Figure 9: Connection Dialog Box with Administration Tool Login If you have entered a system user ID that is not supported by the selected authentication module, the following error message appears: [810284] Failed to authenticate user. [810015] Login for user {0} failed. [810017] Wrong user name or password. Repeat the login by selecting another authentication module or another system user ID. NOTE: After initial schema installation, only the authentication modules "system user" and "ComponentAuthenticator" and the role-based authentication modules are enabled in the One Identity Manager. Related Topics Logging into a One Identity Manager Database as a Database User on page 128 Appendix: One Identity Manager Authentication Modules on page 150 Enabling other Authentication Modules One Identity Manager uses different authentication modules for logging in to administration tools. Authentication modules identify the system users to be used and load the user Logging into One Identity Manager Tools 134

135 interface and database resource editing permissions depending on their permission group memberships. NOTE: After initial schema installation, only the authentication modules "system user" and "ComponentAuthenticator" and role-based authentication modules are enabled in the One Identity Manager. NOTE: You can log into One Identity Manager tools with all authentication modules which can be selected in the user interface and are listed in the connection dialog box. If necessary, you should ensure that users determined through the authentication module, own the required permissions to use the program. To enable other authentication modules 1. Select the category Base Data Security settings Authentication modules in the Designer. 2. Select the authentication module and set the option Enabled to "True". 3. Save the changes to the database using Database Commit to database Click Save. This allows you to log in to the assigned application using this authentication module. Ensure that users found through the authentication module have the required permissions to use the program. Related Topics Appendix: One Identity Manager Authentication Modules on page 150 Enabling other Login Languages The display text appears in the language that the user logged on to the tool with. When you log in the first time, the system language is used for displaying the user interface. The user can change the login language in any administration tool. This sets the language globally for all the tools that the user uses. Therefore the user does not have to set the login language in every tool separately. Changes to the login language take effect after the tool has been restarted. All languages set with the option Select in front-end are available as login language. To make other login language available 1. Select the category Base Data Localization Cultures in the Designer. 2. Select the language. 3. Set the option Select in front-end. Logging into One Identity Manager Tools 135

136 11 Troubleshooting Displaying the Transport History and Testing the One Identity Manager Version When a schema is installed with the Configuration Wizard, migration date and migration revision are recorded in the database's transport history. When you import a transport package with the Database Transporter, the import date and description, the database version and the transport package name are recorded in the transport history of the target database. To display transport history Start the Designer and select the menu item Help Transport history. To obtain an overview of the system configuration Start the Designer or the Manager and select the menu item Help Info. The System information tab gives you an overview of your system configuration. Have this information available when you contact support. NOTE: This report is sent once a month to One Identity after you have enabled vendor notification. Related Topics Vendor Notification in One Identity Manager on page 63 Troubleshooting 136

137 Handling Errors and Warnings during System Compilation NOTE: Any compiler errors and warnings are recorded during compilation. You can view compiler errors and warnings after compilation is complete. Use Save log to file... in the context menu to save the compilation log. Correct the error after compilation is finished. Compile the database again after correcting the errors. To do this, start compilation in Designer using Database Compile database... To display messaging during compilation and saving Select Display to display a message. This opens an error message window. In addition, a more detailed description of the error is displayed. Configure the amount of information to be displayed using the options in the error message window. Open the configuration with the button and enable or disable the options you want. Table 51: Options for Displaying Error Messages Option Show previous errors Show One Identity error numbers Show error positions Wrap long lines Show only user relevant Show asynchronous calls Show crash report Meaning Specifies whether all previous errors that lead to the current error, should also be shown. Specifies whether internal error numbers are shown. Specifies whether error position are also shown in the program code. Specifies whether long error messages are wrapped. Specifies whether all error messages or only message classified as "user relevant" are shown. Specifies whether error messages in asynchronous method calls are shown. Specifies whether error messages from the crash recorder are shown. NOTE: The button Send as mail creates a new message in the default mail program and copies over the error text. To save all the messages in a file, select the entry and select Save log to file... from the context menu. To add a message to the clipboard, select the entry and user CTRL + C. Troubleshooting 137

138 If errors occur, these are shown immediately in a separate log window during compilation. If you double click on the error message with the mouse you jump to the corresponding line in the source code view (upper part of the window). You can only view the source code you cannot edit it. Use the Save button to save the error messages to file. Use the Close button to close the error log. Then the compilation continues. Figure 10: Error Message Log Checking Data Consistency The consistency check provides different tests for analyzing data objects and to ascertain the current state of their data. You can use your own tests as well as the predefined one and repair the data if necessary. NOTE: You should run a consistency check at regular intervals or after major changes to the system configuration. You can run consistency checks in the Manager and in the Designer. Database tests are run in their entirety in the Manager and the Designer. In the case of table tests and object tests in the Manager, the application model is tested and in the Designer, the system model is tested. Troubleshooting 138