Chat now with support
Chat mit Support

Identity Manager 8.2.1 - Data Archiving Administration Guide

Advanced configuration for transferring data

There are the following scenarios for transferring data between the One Identity Manager database and the One Identity Manager History Database. These require further configuration.

Scenario 1

The One Identity Manager History Database and the One Identity Manager database are on the same server.

NOTE: If you work with sa, no other steps are required.

If you are working with granular permissions at server and database level, use the Designer to create a database user in the One Identity Manager for transferring data.

To set up the database user in the One Identity Manager database

  1. In the Designer, select the Base data > Security settings > Database server permissions > Database server login category.

  2. Click and enter the following information:

    • Login name: The user's SQL Server login name used for process handling in the One Identity Manager History Database (DialogDatabase.ConnectionString).

    • Database user: Name of the database user.

  3. Select the Database and server roles tab and assign the Database: Data archiving role.

  4. Save the changes.

The DBQueue Processor creates the OneIMHistoryRoleDB database role and the database users in the One Identity Manager database. The database user is connected with the SQL Server login and added in the database role.

Scenario 2

The One Identity Manager History Database and the One Identity Manager database are on the different servers. The linked server is created by the One Identity Manager History Database's One Identity Manager Service.

NOTE: If you work with sa, no other steps are required.

If you are working with granular permissions at server and database level, additional permissions are required for creating a linked server and for data transfer.

  • To create a linked server, the user for process handling in the One Identity Manager History Database (DialogDatabase.ConnectionString) requires the following permissions at server level:

    • Permission alter any linked server

      This permission is required for creating and deleting a linked server. The linked server allows distributed queries to be run.

    • Permission alter any login

      This permission is required for creating and deleting a login name assignment on the local server and a login name on the linked server.

  • Create a SQL Server login for data transfer on the database server that hosts the One Identity Manager database.

  • In the Designer, create a database user in the One Identity Manager database.

    To set up the database user in the One Identity Manager database

    1. In the Designer, select the Base data > Security settings > Database server permissions > Database server login category.

    2. Click

      and enter the following information:

        Login nameSQL Server:
      • login for data transfer.

        Database user
      • : Database user.

    3. Select the Database and server roles tab and assign the Database: Data archiving role.

    4. Save the changes.

    The DBQueue Processor creates the OneIMHistoryRoleDB database role and the database users in the One Identity Manager database. The database user is connected with the SQL Server login and added in the database role.

Scenario 3

The One Identity Manager History Database and the One Identity Manager database are on the different servers. There is a linked server available.

  • Create a SQL Server login for data transfer on the database server that hosts the One Identity Manager database.

  • In the Designer, create a database user in the One Identity Manager database.

    To set up the database user in the One Identity Manager database

    1. In the Designer, select the Base data > Security settings > Database server permissions > Database server login category.

    2. Click and enter the following information:

      Login name: SQL Server login for data transfer.

      Database user: Database user.

    3. Select the Database and server roles tab and assign the Database: Data archiving role.

    4. Save the changes.

    The DBQueue Processor creates the OneIMHistoryRoleDB database role and the database users in the One Identity Manager database. The database user is connected with the SQL Server login and added in the database role.

  • Set up the linked server and reference the SQL Server login for data transfer.

    To provide a linked server, it is recommended to use the sp_addlinkedserver, sp_setNetname, and sp_addlinkedsrvlogin SQL procedures.

  • Keep the link server names ready. You need them when you declare the source database in the One Identity Manager History Database.

  • In the One Identity Manager History Database, set the configuration parameter HDB | UseNamedLinkedServer.

Tips for using more than one SQL Server

NOTE: If the One Identity Manager History Database database and the One Identity Manager database are on different servers, only matching versions and patches of the operating system and database system are supported.

If the One Identity Manager History Database and the One Identity Manager database are on different database servers, the following prerequisites for data acquisition must be guaranteed on both servers:

  • The services Microsoft Distributed Transaction Coordinator(DTC), RPC Client, and Security Accounts Manager are started.

  • For network communications between the servers, check the firewall settings and, if required, adjust them according to the recommendations of the operating system in use. For more information, refer to the operating system documentation.

  • Enable the following options in the DTC security settings:

    • Network DTC access

    • Allow remote clients

    • Allow inbound

    • Allow outbound

    • No authentication required

    Configure the security settings in the Microsoft Management Console with the Component Services snap-in.

The timeout for remote queries should be increased on the database server containing the One Identity Manager database if large amounts of data are transferred from the One Identity Manager History Database database to the One Identity Manager. The default setting is 600 seconds, which corresponds to 10 minutes latency. If the timeout expires, data transfer is stopped. The timeout for remote queries should be orientated on the runtime interval of the data transfer schedule.

You can query the timeout with the following statement:

select * from sys.configurations where name like '%remote query timeout%'

To change the timeout for remote queries, use the following statement:

exec sp_configure 'remote query timeout (s)',<new value>

RECONFIGURE WITH OVERRIDE

where:

<new value> = new timeout value in seconds

Tips for using integrated Windows authentication

If you use Windows integrated authentication, the data transfer takes place with the One Identity Manager History Database's One Identity Manager Service user account.

If the One Identity Manager History Database, One Identity Manager Service, and the One Identity Manager database are on different servers, the following prerequisites have to be fulfilled:

  • The One Identity Manager Service user account requires a Service Principal Name (SPN) for authentication. This can be created with the following command line:

    SetSPN -A HTTP/<Full domain name> <Domain>\<user account>

  • The One Identity Manager Service user account must be available for delegation and use Kerberos for authentication.

    To do this, set the option Trust this user for delegation to any service (Kerberos only) on the Delegations tab in the Microsoft Management Console for Active Directory users and computers.

  • The SQL Server service requires a Service Principal Name for authentication. You can check this with the following command line call:

    SetSPN -L <name of database>

Setting up a One Identity Manager Service for the One Identity Manager History Database

The One Identity Manager Service service ensures data transfer from the One Identity Manager database to the One Identity Manager History Database.

The system prerequisites for installing the One Identity Manager Service on an server and the permissions required for the service account are described in the One Identity Manager Installation Guide. For more information about configuring the One Identity Manager Service, see the One Identity Manager Configuration Guide.

The following methods are available for installing the One Identity Manager Service on a server:

  • Use the Configuration Wizard to set up the server during initial installation. Use the Configuration Wizard to configure the service and install the service remotely on a server. For detailed information, see One Identity Manager Installation Guide.

  • Use the Server Installer to create the Job server with its machine roles and server functions in the database. Use the Server Installer to configure the service and install the service remotely on a server. For detailed information, see One Identity Manager Installation Guide.

  • Use the Designer, to create a Job server with the machine roles and server functions, configure the service on the server and install the service remotely. For detailed information, see One Identity Manager Configuration Guide.

  • If remote installation is not possible, you can install the service components locally on a server with the installation wizard. For more information, see Installing One Identity Manager History Database components.

Scenarios for distributing the One Identity Manager Service on the servers.
  • Install the One Identity Manager Service for the One Identity Manager database and the One Identity Manager Service for the One Identity Manager History Database on different servers.

  • Install the One Identity Manager Service for the One Identity Manager database and the One Identity Manager Service for the One Identity Manager History Database on the same server.

    For this scenario, change the installation directory, name, display name, and description of the One Identity Manager Service for theOne Identity Manager History Database.

    • If you install the service components locally on a server using the installation wizard, on the Change service properties page, change the name, display name, and description of the One Identity Manager Service for the One Identity Manager History Database. For more information, see Installing One Identity Manager History Database components.

    • If you use the Configuration Wizard, the Server Installer or the Designer to install the service remotely, you can change the installation directory, name, display name, and description of the One Identity Manager Service for the One Identity Manager History Database during the installation by using the advanced options.

Related topics
Verwandte Dokumente

The document was helpful.

Bewertung auswählen

I easily found the information I needed.

Bewertung auswählen