
Identity Manager Data Governance Edition 9.0 LTS - Technical Insight Guide


CN=DataGovernance.Server

The Data Governance service SCP contains the following key elements, which are stored in its Active Directory attributes.

Table 1: DataGovernance.Server SCP

CN

Attribute syntax: String

Function: SCP Name

Default value: DataGovernance.Server

keywords

Attribute syntax: Multi-valued string

Function: Used to store the following information to facilitate locating the SCP:

  • Database: Resource Activity database name (for example, DGE_DEFAULT)
  • DeploymentName
  • serverDNSName
  • serviceClassName
  • siteName
  • version

serviceBindingInformation

Attribute syntax: Multi-valued string

Function: Contains the default net.tcp port and HTTP port

Default value: <XML>

serviceClassName

Attribute syntax: String

Function: Used to store service class for authentication

Default value: DataGovernance.Server

serviceDNSName

Attribute syntax: String

Function: FQDN of the computer running the Data Governance service

Default value: <Server FQDN>

serviceDNSNameType

Attribute syntax: String

Function: The DNS record type of the host listed in the serviceDNSName

Default value: A
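
The following PowerShell is an added example, not part of the vendor guide: it locates the SCP described in Table 1 and compares its attributes with the documented defaults. It assumes the RSAT ActiveDirectory module and read access to the domain; the specific checks chosen are illustrative.

```powershell
# Added example (not vendor code). Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$props  = 'keywords', 'serviceBindingInformation', 'serviceClassName',
          'serviceDNSName', 'serviceDNSNameType'
$filter = '(&(objectClass=serviceConnectionPoint)(cn=DataGovernance.Server))'
$scps   = @(Get-ADObject -LDAPFilter $filter -Properties $props)

if ($scps.Count -eq 0) {
    Write-Warning 'No DataGovernance.Server SCP found in this domain.'
    return
}
if ($scps.Count -gt 1) {
    # Confirm each SCP belongs to a known deployment (see the DeploymentName keyword).
    Write-Warning "Found $($scps.Count) SCPs; review each one."
}

foreach ($scp in $scps) {
    $findings = @()
    # Defaults taken from Table 1.
    if ($scp.serviceClassName -ne 'DataGovernance.Server') {
        $findings += "serviceClassName is '$($scp.serviceClassName)'"
    }
    if ($scp.serviceDNSNameType -ne 'A') {
        $findings += "serviceDNSNameType is '$($scp.serviceDNSNameType)'"
    }
    if ([string]::IsNullOrEmpty($scp.serviceDNSName)) {
        $findings += 'serviceDNSName is empty'
    } else {
        try {
            # The advertised FQDN should resolve to an A record.
            $null = Resolve-DnsName -Name $scp.serviceDNSName -Type A -ErrorAction Stop
        } catch {
            $findings += "serviceDNSName '$($scp.serviceDNSName)' does not resolve"
        }
    }

    [pscustomobject]@{
        DistinguishedName = $scp.DistinguishedName
        ServiceDNSName    = $scp.serviceDNSName
        Keywords          = $scp.keywords -join '; '
        BindingInfo       = $scp.serviceBindingInformation -join '; '
        Findings          = $(if ($findings) { $findings -join '; ' } else { 'none' })
    }
}
```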

Data Governance Edition required ports

Note: For agent deployments, open the following file and printer sharing ports:

  • TCP 135
  • UDP 137
  • UDP 138
  • TCP 139
  • TCP 445
Table 2: Ports required for communication

Port: 8721

Direction: Incoming

Description: TCP (HTTP) port opened on the Data Governance server computer. This is the base port for the Data Governance REST API, used for communication with Data Governance server REST services, including the One Identity Manager clients and Windows PowerShell.

Port: 8722

Direction: Incoming

Description: TCP (net.tcp) port opened on the Data Governance server computer. Used for communication with Data Governance agents, One Identity Manager clients, One Identity Manager web server, and PowerShell.

NOTE: The net.tcp port is configurable in the Data Governance Configuration wizard. The HTTP port (8721) listed above should always be 1 less than the net.tcp port. These first two ports align with the base addresses in the DataGovernanceEdition.Service.exe.config file under the IndexServerHost service. It is highly recommended that you only change this port using the Data Governance Configuration wizard to ensure the configuration file, One Identity Manager database and service connection points are updated properly; otherwise, you may lose connection with the Manager, the Data Governance service and/or Data Governance agents.

IMPORTANT: Do NOT use the Designer to change the QAMServer configuration parameters, including the Port parameter.

Port: 8723

Direction: Incoming

Description: HTTP port used for communication with the One Identity Manager web server (/landing and /home pages).

Port: 18530 - 18630

Direction: Incoming

Description: TCP port range opened on all agent computers. Used for communication with the Data Governance server. (The first agent on an agent host will use port 18530, and each subsequent agent on the same host will take the next available port, i.e., 18531, 18532, and so on.) In addition, this range is used to open a TCP listener for NetApp Cluster Mode hosts if resource activity collection is enabled.
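
The following PowerShell is an added example, not part of the vendor guide: it checks the rule from the NOTE under port 8722 that the HTTP port is 1 less than the net.tcp port, using the base addresses of the IndexServerHost service. The sample configuration is constructed, its element layout (standard WCF `baseAddresses`) is an assumption, and `Test-DgeBasePorts` is a hypothetical helper name.

```powershell
# Constructed sample of DataGovernanceEdition.Service.exe.config. The element
# layout is the standard WCF <baseAddresses> form and is an assumption.
[xml]$sample = @'
<configuration>
  <system.serviceModel>
    <services>
      <service name="IndexServerHost">
        <host>
          <baseAddresses>
            <add baseAddress="net.tcp://localhost:8722/" />
            <add baseAddress="http://localhost:8721/" />
          </baseAddresses>
        </host>
      </service>
    </services>
  </system.serviceModel>
</configuration>
'@

function Test-DgeBasePorts {   # hypothetical helper name
    param([Parameter(Mandatory)][xml]$Config)

    # Collect one port per URI scheme from the IndexServerHost base addresses.
    $xpath = "//service[contains(@name,'IndexServerHost')]/host/baseAddresses/add"
    $ports = @{}
    foreach ($node in $Config.SelectNodes($xpath)) {
        $uri = [uri]$node.GetAttribute('baseAddress')
        $ports[$uri.Scheme] = $uri.Port
    }

    $findings = @()
    foreach ($scheme in 'net.tcp', 'http') {
        if (-not $ports.ContainsKey($scheme)) { $findings += "no $scheme base address" }
    }
    # Documented rule: HTTP port = net.tcp port - 1 (8721 and 8722 by default).
    if (-not $findings -and $ports['http'] -ne ($ports['net.tcp'] - 1)) {
        $findings += "HTTP port $($ports['http']) is not net.tcp port $($ports['net.tcp']) minus 1"
    }

    [pscustomobject]@{
        NetTcpPort = $ports['net.tcp']
        HttpPort   = $ports['http']
        Aligned    = ($findings.Count -eq 0)
        Findings   = $findings
    }
}

Test-DgeBasePorts -Config $sample
# Real file: Test-DgeBasePorts -Config ([xml](Get-Content -Raw <path to config>))
```

A mismatch reported here indicates the port was changed outside the Data Governance Configuration wizard, which the NOTE above warns against.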

Component communication

Server and database communication

Information about all Data Governance Edition infrastructural elements such as service accounts, managed hosts and the security index information collected by the Data Governance agents is stored in the One Identity Manager database. Processing of security index updates, access and activity queries or any infrastructural changes to the system involve communication between the Data Governance server and the database.

How is the database connection information stored securely?

The connection information used when communicating with the One Identity Manager database is stored in the Windows Registry on the Data Governance server. The connection information is written to the registry key "HKLM\SOFTWARE\One Identity\Broadway\Server" and is encrypted using the Microsoft Data Protection API.

Only the user account that encrypts the value can read it. If the account running the Data Governance server is changed, the database connection string has to be reset and re-encrypted.

Agent and server communication

Data Governance agents are semi-autonomous services running in a distributed environment. They are designed to remain fault tolerant in a fluctuating global network. In a typical organization, computers are rebooted, network outages occur, and systems are disrupted in any number of ways. Data Governance agents are set to automatically start when a server is restarted. Data Governance agents require an initial configuration from the server; however, they will continue to scan and collect activity per configuration even when unable to communicate with the Data Governance server. All the collected activity and security updates are synchronized with the Data Governance server when connectivity is restored.

How is this communication encrypted?

The communication uses encrypted WCF (Windows Communication Foundation) channels and the net.tcp protocol. .NET v4.5 is required on all agent host computers, except for SharePoint 2010 agents, which require .NET v3.5.1.

Client and server communication

Data Governance client elements are embedded into the Manager client application. The user interface elements communicate with the Data Governance server and directly with the One Identity Manager database as needed.

Communication with the database is performed in the same way as any other One Identity Manager database communication, using the authentication information provided when the user launches the client tools.

When communicating with the Data Governance server, the client uses an encrypted WCF channel and the net.tcp protocol.

.NET 4.5.2 is required on the Data Governance server and client computers.

How is this communication authenticated?

When communicating directly with the One Identity Manager database, the client is authenticated using standard One Identity Manager authorization checks. For more information on this type of authentication, see Granting Access Permissions to One Identity Manager Schema in the One Identity Manager Configuration Guide.

When user interface elements communicate with the Data Governance server, the authentication is performed using the One Identity Manager role-based authentication checks using the logged on Windows identity. This can lead to a discrepancy in authentication between the client and server. If possible, it is recommended that the client user authenticates to One Identity Manager using the “Active Directory user account (role based)” authentication mechanism, so no ambiguity exists. This mechanism maps the logged on Active Directory account to a One Identity Manager employee and uses that employee’s application roles to determine what permissions they have.

NOTE: Regardless of the identity used to log in to the client application, it is the Employee associated with the logged in Windows account that is used for permissions checks when communicating with the Data Governance server.

Communication segments

This table describes each segment of communication that occurs in the Data Governance Edition system along with technical details for each type of communication.

Table 3: Data Governance Edition communication segments

Each segment below lists the From / To path, the actions involved, and then the originating port, protocol and destination port.

Data Governance service to One Identity Manager database

Actions involved:

  • Any queries or data manipulation that may be required.
  • Inserting of new data and selecting data to display in the Manager client.
Originating port: Dynamic
Protocol: TCP
Destination port: SQL Server port

NOTE: A request may go through the One Identity Manager Application Server if configured, instead of directly to the database.

Data Governance service to Resource Activity database

Actions involved:

  • Any queries or data manipulation that may be required.
  • Inserting of new data and generating reports on existing data.
Originating port: Dynamic
Protocol: TCP
Destination port: SQL Server

NOTE: A request may go through the One Identity Manager Application Server if configured, instead of directly to the database.

One Identity Manager service (job server) to Data Governance service

Actions involved:

  • Web service requests for self-service access.
Originating port: Dynamic
Protocol: TCP
Destination port: Specified by customer during installation. Default value is 8722.

Data Governance service to Windows Server on which to install agent

Actions involved:

  • Deploy agent.
  • Uses the associated domain service account to copy installation files to a destination Windows Server using that server's administrative share (Admin$).
Originating port: Dynamic
Protocol: SMB
Destination port: 445

Data Governance service to agent service

Actions involved:

  • Notify agent of an awaiting command.
  • The only thing the Data Governance service sends an agent service, unsolicited, is command messages. The agent then processes the command message and may initiate a request back to the server to get additional data that is associated with the command.
Originating port: Dynamic
Protocol: TCP (using Windows authentication of the "Log On As" account of the Data Governance Service Windows Service)
Destination port: Next unused port from the configured "BaseActivePort". Default value of "BaseActivePort" is 18530.

Agent to Data Governance service

Actions involved:

  • Connection, Keep-Alive/Status, Queries/Reports.
  • An agent initiates the connection on startup. It periodically sends keep-alive and status messages as well as synchronization.
Originating port: Dynamic
Protocol: TCP (using Windows authentication of the "Log On As" account of the agent's Windows Service)
Destination port: Specified by customer during installation. Default value is 8722.

Data Governance service to NetApp 7-Mode device with CIFS or NFS file system protocols enabled

Actions involved:

  • Configure FPolicy on NetApp 7-Mode filer.
  • Upon deployment of a managed host in 7-Mode, the Data Governance service connects to the NetApp filer and creates/configures an FPolicy if real-time security updates or resource activity collection is enabled.

This does not apply to NetApp Cluster Mode.

Originating port: Dynamic
Protocol: RPC (using Windows authentication of the "Log On As" account of the Data Governance Windows Service)
Destination port: Named pipe on NetApp filer: <Host Name>\pipe\NETAPPSVC

Data Governance service to NetApp 7-Mode or Cluster device with NFS file system protocol enabled

Actions involved:

  • Browse resources.
  • When configuring the managed paths for a managed host, or using the Resource browser to browse the file system.
Originating port: Dynamic
Protocol: HTTPS (using the username and password specified in the managed host configuration)
Destination port: 443

Agent to NetApp 7-Mode device with CIFS or NFS file system protocols enabled

Actions involved:

  • Configure FPolicy on NetApp 7-Mode filer.
  • Upon startup, establish a connection to the NetApp device if real-time security updates or resource activity collection is enabled.
Originating port: Dynamic
Protocol: RPC (using Windows authentication of the "Log On As" account of the agent's Windows Service)
Destination port: Named pipes on NetApp filer: <Host Name>\pipe\NETAPPSVC and <Host Name>\pipe\ntapfpcp

NetApp 7-Mode to agent

Actions involved:

  • NetApp sends file screen requests when real-time security updates or resource activity collection is enabled.
  • The agent listens to a named pipe for incoming screen request messages from the NetApp filer for any monitored file system events.
Originating port: Dynamic
Protocol: RPC
Destination port: Named pipe: \pipe\ntapfprg_<Agent Instance ID>

Agent to NetApp Cluster Mode with CIFS or NFS file system protocols enabled

Actions involved:

  • Configure FPolicy on NetApp Cluster mode filer.
  • The NetApp Data LIF on which the file share is exposed must be the destination when resolving the host name. Also, the "Management Access" setting must be enabled on the LIF.
Originating port: Dynamic
Protocol: HTTPS
Destination port: 443

NetApp Cluster Mode to Agent

Actions involved:

  • NetApp sends file screen requests when real-time security updates or resource activity collection is enabled.
  • The agent listens on a TCP port for incoming screen request messages from the NetApp filer for any monitored file system events.
Originating port: Dynamic
Protocol: TCP
Destination port: Next unused port from the configured "BaseActivePort". Default value of "BaseActivePort" is 18530.

Agent to NetApp device with CIFS file system protocol enabled

Actions involved:

  • File system scanning.
  • The agent collects security information on all files and folders in the specified managed paths.
Originating port: Dynamic
Protocol: CIFS/SMB (using Windows authentication of the "Log On As" account of the agent's Windows Service)
Destination port: 445

Data Governance service to EMC Celerra device

Actions involved:

  • View/update cepp.conf.
  • When real-time security updates or resource activity collection is enabled, you must configure the cepp.conf file on the EMC device.
Originating port: Dynamic
Protocol: SSH
Destination port: 22

Data Governance service to EMC Isilon device with NFS file system protocol enabled

Actions involved:

  • Browse resources.
  • When configuring the managed paths for a managed host, or using the Resource browser to browse the file system.
Originating port: Dynamic
Protocol: HTTPS (using the username and password specified in the managed host configuration)
Destination port: Specified by customer when configuring managed host. Default value is 443.

Agent service to EMC device with CIFS file system protocol enabled

Actions involved:

  • File system scanning.
  • The agent collects security information on all files and folders in the specified managed paths.
Originating port: Dynamic
Protocol: CIFS/SMB (using Windows authentication of the "Log On As" account of the agent's Windows Service)
Destination port: 445

Agent service to EMC Isilon device with NFS file system protocol enabled

Actions involved:

  • File system scanning.
  • The agent collects security information on all files and folders in the specified managed paths.
Originating port: Dynamic
Protocol: HTTPS (using the username and password specified in the managed host configuration)
Destination port: Specified by customer when configuring managed host. Default value is 443.

Agent to SharePoint SQL Server database

Actions involved:

  • Resource scanning.
  • Connects directly to the SharePoint SQL Server database on the local machine to perform resource scanning.
Originating port: Dynamic
Protocol: TCP
Destination port: Default SQL Server port, typically 1433.

Data Governance service to Cloud API

Actions involved:

  • Browse resources.
  • When configuring the managed paths for a managed host, or using the Resource browser to browse for resources.
Originating port: Dynamic
Protocol: REST over HTTP with OAuth authentication
Destination port: Dynamic

Agent to Cloud API

Actions involved:

  • Resource scanning.
  • Upon startup, the agent collects all team groups and their members. Thereafter, this scan is performed once a day by default. The agent synchronizes to the server only if there is a change.
  • The agent collects security information of all files and folders in the specified managed paths.

NOTE: Managed paths are selected within the scope of the administrator on OneDrive for Business managed hosts.

Originating port: Dynamic
Protocol: REST over HTTP with OAuth authentication
Destination port: Dynamic

Web client to Data Governance service

Actions involved:

  • Web service requests for self-service access.
Originating port: Dynamic
Protocol: TCP
Destination port: Specified by customer during installation. Default value is 8722.

Windows PowerShell to Data Governance service

Actions involved:

  • Data Governance API
  • Use the Data Governance API via web service requests to automate tasks or add custom behavior.
Originating port: Dynamic
Protocol: TCP
Destination port: Specified by customer during installation. Default value is 8722.
