
Identity Manager 9.3 - Configuration Guide


Configuring the AppServerJobProvider

The AppServerJobProvider retrieves the process steps from the application server and sends them to a Job destination. You configure the Job provider in the Process collection module.

Table 65: AppServerJobProvider parameters

Parameters

Description

Authentication data (AuthenticationString)

Select the authentication module. Depending on the authentication module, other data may be required, for example, user and password. For more information about One Identity Manager authentication modules, see the One Identity Manager Authorization and Authentication Guide.

Max. number of pending requests (RequestQueueLimit)

The process requests are internally cached. This parameter defines the maximum number of cache entries. The default value is 1000.

Max. number of pending results (ResultQueueLimit)

The process results are internally cached. This parameter defines the maximum number of cache entries. The default value is 10000.

Connection parameter (ConnectString)

Web address (URL) of the application server.


Configuring the JobServiceDestination

The JobServiceDestination module of the One Identity Manager Service performs the actual handling of process steps. A JobServiceDestination requests the process steps from the job provider, processes them using process components and returns the result.

Table 66: JobServiceDestination parameters

Parameters

Description

Number of external slots (ExternalSlots)

Maximum number of external processes (StdioProcessor.exe) opened by the One Identity Manager Service for handling process components.

Number of internal slots (InternalSlots)

Number of internal processes provided by the One Identity Manager Service for the internal handling of process components.

File with private key (PrivateKey)

File with encryption information. The default file is private.key.

The encryption file has to be in the installation directory of all servers with One Identity Manager Service. If the One Identity Manager Service finds a private key on start up, it places it in the user-specific key container and deletes the file from the hard drive.

To create a key file and encrypt database information, use the Crypto Configuration program.

NOTE: If you are working with an encrypted One Identity Manager database, see the notes on working with an encrypted database in the One Identity Manager Installation Guide.

ProviderID

If more than one Job provider is being processed by the One Identity Manager Service, enter the name of the Job provider to be used. If this is empty, the first Job provider is used.

Private key identifier (PrivateKeyId)

Identifier of the private key. If no ID is specified, a search is performed for the private.key file.

Use this parameter if you work with several private keys, for example, if One Identity Manager Service data must be exchanged between two encrypted One Identity Manager databases. Enter the private keys in the File with private key module. If One Identity Manager only uses an encrypted database, you can alternatively enter the key file in the File with private key parameter (PrivateKey).

Max. external processor reusage count (MaxExternalSlotReuse)

Specifies how often an external processor can be reused before the process is unloaded and restarted. The value 0 indicates that the process is only unloaded when no longer in use. The default value is 100.

Process request interval (StartInterval)

Interval in seconds after which the One Identity Manager Service requests new process steps. The default value is 90 seconds. Suggestions for configuring the time interval are calculated from Job server statistical data.

Queue

Queue identifier. The process steps are requested from the Job queue using this queue identifier. A Job server must be known in the One Identity Manager database for each queue.

RequestTimeout

Time after which a process request is considered to have failed and is resent.

Timeout format:

day.hour:minutes:seconds

Environment variables for external slots (ExternalSlotEnvironment)

List of environment variables to set for external slot processes. Enter the variables in a pipe (|) delimited list.

Syntax:

Variable1=value1|Variable2=value2...

Encryption method (EncryptionScheme)

Encryption method used.

Permitted values are:

  • RSA: RSA encryption with AES for large data (default).

  • FIPSCompliantRSA: FIPS certified RSA with AES for large data. This method is used if encryption must match the FIPS 140-2 standard. The local security policy Use FIPS compliant algorithms for encryption, hashing, and signing must be enabled.

Interval for calculating statistics (StatisticInterval)

Interval in seconds in which the One Identity Manager Service delivers statistic information on processing speed to the database. The default value is set to 4 times the process request interval. Suggestions for configuring the time interval are calculated from Job server statistical data.


General configuration settings of the One Identity Manager Service

In the Configuration module, you can adjust the One Identity Manager Service's general configuration settings.

Table 67: Configuration module parameters

Parameters

Description

VerboseLogging

Set the parameter to obtain more detailed messages on starting and stopping the One Identity Manager Service.

DebugMode

In DebugMode, One Identity Manager Service writes additional information to the log file. For example, all the parameters and results that are passed to a component are written to the log file.

NOTE: This parameter is used for localizing errors. It is not recommended to set this parameter in normal working conditions on performance grounds.

ComponentDebugMode

When set, individual One Identity Manager Service process components write additional process information to a log file.

NOTE: This parameter is used for localizing errors. It is not recommended to set this parameter in normal working conditions on performance grounds.

HTTP Header (HTTPHeader)

HTTP header for status page. Pipe (|) delimited list of headers in the form: "name1: value1|name2: value2".

Supported values are:

  • X-Frame-Options: SAMEORIGIN

  • X-Content-Type-Options: nosniff

  • Content-Security-Policy: default-src 'self';script-src 'self' 'unsafe-inline';style-src 'self' 'unsafe-inline';img-src 'self' data:;font-src 'self' data:

  • X-XSS-Protection: 1; mode=block

Example:

"X-Frame-Options: SAMEORIGIN|X-Content-Type-Options:nosniff"
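The two pipe-delimited list parameters above, ExternalSlotEnvironment ("Variable1=value1|Variable2=value2") and HTTPHeader ("name1: value1|name2: value2"), share one shape: entries split on "|", and each entry splits on its first separator only, so a value may itself contain ":" (as the Content-Security-Policy value does). The following is an added example, not code from One Identity Manager; the function names and the check for missing hardening headers are mine, and the expected header values are the ones the guide lists as supported.

```python
"""Parse the pipe-delimited list values used by the One Identity Manager
Service configuration and check an HTTPHeader value against the headers the
guide lists as supported for the status page.

Added example (not One Identity code); function and constant names are mine.
"""
from __future__ import annotations

# Header names and values the guide lists as supported for the status page.
SUPPORTED_STATUS_HEADERS = {
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": ("default-src 'self';script-src 'self' 'unsafe-inline';"
                                "style-src 'self' 'unsafe-inline';img-src 'self' data:;"
                                "font-src 'self' data:"),
    "X-XSS-Protection": "1; mode=block",
}


def parse_pipe_list(raw: str, separator: str) -> dict[str, str]:
    """Split "k<sep>v|k<sep>v" into a dict.

    Only the first occurrence of the separator splits an entry, so a value may
    itself contain the separator. Surrounding quotes, as in the guide's
    example, are stripped first. Empty entries (a trailing '|') are ignored;
    an entry without the separator raises rather than being silently dropped.
    """
    raw = raw.strip().strip('"')
    result: dict[str, str] = {}
    for entry in raw.split("|"):
        if not entry.strip():
            continue
        if separator not in entry:
            raise ValueError(f"entry {entry!r} has no {separator!r}")
        key, value = entry.split(separator, 1)
        key, value = key.strip(), value.strip()
        if not key:
            raise ValueError(f"entry {entry!r} has an empty name")
        result[key] = value
    return result


def parse_external_slot_environment(raw: str) -> dict[str, str]:
    """ExternalSlotEnvironment: Variable1=value1|Variable2=value2..."""
    return parse_pipe_list(raw, "=")


def parse_http_headers(raw: str) -> dict[str, str]:
    """HTTPHeader: name1: value1|name2: value2.

    Header names are case-insensitive, so they are normalised to the guide's
    spelling; 'x-frame-options' and 'X-Frame-Options' compare equal.
    """
    canonical = {name.lower(): name for name in SUPPORTED_STATUS_HEADERS}
    return {canonical.get(k.lower(), k): v
            for k, v in parse_pipe_list(raw, ":").items()}


def missing_status_headers(raw: str) -> list[str]:
    """Names of the supported hardening headers absent from an HTTPHeader value."""
    configured = parse_http_headers(raw)
    return [name for name in SUPPORTED_STATUS_HEADERS if name not in configured]


if __name__ == "__main__":
    # The guide's own example sets two of the four supported headers.
    example = '"X-Frame-Options: SAMEORIGIN|X-Content-Type-Options:nosniff"'
    print(parse_http_headers(example))
    print("missing:", missing_status_headers(example))
```

Run against the guide's example value, the check reports Content-Security-Policy and X-XSS-Protection as not yet configured, which is the usual starting point when hardening the status page.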

HTTPAddress

If One Identity Manager Service is running on a computer with several network cards, you can use this parameter to define which service should work over which IP address. If no IP address is entered, then all of them are used.

HTTPPort

Every One Identity Manager Service automatically works as an HTTP server. This parameter specifies the port that One Identity Manager Service works with. The default value is port 1880.

The HTTP server is addressed by:

http://<server name>:<port number>

Do not protect private keys (DoNotProtectPrivateKeys)

If the One Identity Manager Service finds a private key in the installation directory on startup, it places the key in the Windows internal key container of its service account and deletes the file from the hard drive. If this option is enabled, the key files are not moved to the key container.

Logging of Job provider and running instance (LogDestinationAndProviderId)

Specifies whether the job provider ID and running instance are output in the log messages of the process step.

Do not write the configuration back to the database (DoNotWriteConfigBack)

By default, the service configuration is written to the database. To prevent this, enable this option.

Secrets folder (SecretsFolder)

Path to the repository of secret files that can be used by the parameters. The path can take the form %Name%. The default value is %SECRETS%.

Secrets allowed as replacements (SecretsAllowList)

Comma-delimited list of secret names that are allowed as replacements in parameters. In the directory under SecretsFolder, there must be a file with the name of the secret that contains the value.

Syntax:

&SECRET(Name)&

Example:

&SECRET(API_KEY)&

In the %SECRETS% folder, there must be an API_KEY file containing the value.
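The SecretsFolder and SecretsAllowList parameters together describe a small replacement scheme: a parameter value may contain &SECRET(Name)&, the name must appear in the comma-delimited allow list, and a file of that name under the secrets folder supplies the value. The following added example (not One Identity code) implements that scheme as described; the function names are mine, and the checks that go beyond the guide's description, rejecting names containing path separators or ".." and refusing symlinked secret files, are my own hardening assumptions so that a placeholder cannot read a file outside the secrets folder.

```python
"""Resolve &SECRET(Name)& placeholders against an allow list and a secrets folder.

Added example, not One Identity code. The allow list and folder semantics follow
the guide; the name syntax check and the symlink refusal are my own hardening.
"""
from __future__ import annotations

import os
import re
import tempfile
from collections.abc import Callable

# &SECRET(API_KEY)& -> group 1 is the secret name.
PLACEHOLDER = re.compile(r"&SECRET\(([^)&]*)\)&")
# Plain identifiers only: no path separators, so a name cannot leave the folder.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]+$")


def parse_allow_list(raw: str) -> frozenset[str]:
    """SecretsAllowList is comma-delimited; blanks and surrounding whitespace are ignored."""
    return frozenset(n.strip() for n in raw.split(",") if n.strip())


def file_lookup(secrets_folder: str) -> Callable[[str], str]:
    """Reader for <secrets_folder>/<name>, the layout the guide specifies."""
    def read(name: str) -> str:
        path = os.path.join(secrets_folder, name)
        if os.path.islink(path):  # hardening assumption: symlinks are refused
            raise PermissionError(f"secret {name!r} is a symlink")
        with open(path, encoding="utf-8") as fh:
            return fh.read().strip()
    return read


def resolve_secrets(value: str, allow_list: frozenset[str],
                    lookup: Callable[[str], str]) -> str:
    """Replace every placeholder in a parameter value.

    Unlisted or malformed names raise instead of passing the placeholder
    through, so a misconfiguration surfaces as an error rather than as a
    literal '&SECRET(...)&' string reaching a process component.
    """
    def substitute(match: re.Match[str]) -> str:
        name = match.group(1)
        if not SAFE_NAME.match(name) or name in (".", ".."):
            raise ValueError(f"invalid secret name {name!r}")
        if name not in allow_list:
            raise PermissionError(f"secret {name!r} is not in SecretsAllowList")
        return lookup(name)
    return PLACEHOLDER.sub(substitute, value)


def demo() -> tuple[str, str]:
    """Constructed sample: a temporary folder stands in for %SECRETS%."""
    with tempfile.TemporaryDirectory() as folder:
        with open(os.path.join(folder, "API_KEY"), "w", encoding="utf-8") as fh:
            fh.write("constructed-sample-value\n")
        allow = parse_allow_list("API_KEY, DB_PASSWORD")
        resolved = resolve_secrets("Authorization=Bearer &SECRET(API_KEY)&",
                                   allow, file_lookup(folder))
        try:
            # OTHER exists nowhere and is not allow-listed: must be refused.
            resolve_secrets("&SECRET(OTHER)&", allow, file_lookup(folder))
            denied = "unexpectedly allowed"
        except PermissionError as exc:
            denied = str(exc)
    return resolved, denied


if __name__ == "__main__":
    print(demo())
```

The lookup is injected as a callable so the resolver can be exercised with an in-memory dictionary in tests while production uses the file reader; the allow list is checked before any file is touched, which keeps a typo in a parameter from probing the folder for file names.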

Language

Language used for error messages and outputs from the One Identity Manager Service. Permitted values are German and English. The default value is English.

UseSSL

Specifies whether the HTTP server is to provide secure connections. If this option is enabled, you can access the server from your browser using HTTPS.

The One Identity Manager Service uses System.Net.HttpListener for the web interface. For more information on how to configure certificates, see How to: Configure a port with an SSL certificate.

DoNotProtectCryptedValues

Normally, encrypted values from the Jobservice.cfg are additionally protected by the data protection API. This prevents use by other accounts or servers. This option switches off the additional protection so that the values can be used on other cluster nodes, for example.

NOTE: If you set this option, it causes problems if the database being synchronized against the One Identity Manager Service database is not encrypted. Therefore, ensure that database encryption is enabled.

Wait time if start failed (WaitTimeOnFailedStart)

The time to wait after a failed start before a retry is carried out. The default value is 90 seconds.

Timeout format:

hours:minutes:seconds

Retries on failed start (RetriesOnFailedStart)

Number of retries for the One Identity Manager Service to start up. The default value is 5.

Configuring the FileLogWriter for logging

The FileLogWriter writes messages from One Identity Manager Service to a log file. The log file can be displayed in a browser. You configure the FileLogWriter in the LogWriter module.

You call up the log file with the appropriate URL.

http://<server name>:<port number>

The default value is port 1880.

Table 68: FileLogWriter parameters

Parameters

Description

Number of history logs (HistorySize)

Maximum number of log files. If several log files exist, the oldest backup file is deleted when a new log file is created so that the limit is not exceeded.

Max. length of parameters (ParamMaxLength)

Maximum number of characters a process step parameter may have for it to be written to the log file.

Max. log file size (MB) (MaxLogSize)

Maximum size in MB of the log file. Once the log file has reached the limit, it is renamed as a backup file and a new log file is created.

Log file (OutputFile)

Name of the log file, including the directory name. Log information for the One Identity Manager Service is written to this file.

IMPORTANT: The directory specified for the file must exist. If the file cannot be created, no error output is possible. Error messages then appear under Windows operating systems in the event log or under Linux operating systems in /var/log/messages.

Process step log lifetime (JobLogLifeTime)

Retention time for process step logs. After this expires, the logs are deleted.

Timeout format:

day.hour:minutes:seconds

For test purposes, you can enable logging of individual process steps in the Job Queue Info. The processing messages of the process step are written to a separate log with the Debug NLog severity. The files are stored in the log directory.

Repository structure:

<Log directory>\JobLogs\<First 4 digits of the UID_Job>\Job_<UID_Job>_<yyyymmdd>_<Timestamp>.log

LogSeverity

Severity levels of the logged messages.

Permitted values are:

  • Info: All messages are written to the event log. The event log quickly becomes large and confusing.

  • Warning: Only warnings and exception errors are written to the event log (default).

  • Serious: Only exception messages are written to the event log.

Add server name (AddServerName)

Specifies whether the server name is to be added to the log entries.

Log rename interval (LogLifeTime)

To avoid unnecessarily large log files, the module can rotate the log file into a history list. LogLifeTime specifies the maximum age of a log file before it is renamed as a backup. Once the log file has reached its maximum age, the file is renamed (for example, as JobService.log_20040819-083554) and a new log file is started.

Timeout format:

day.hour:minutes:seconds
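The timeout parameters on this page use two spellings of the same format: RequestTimeout, JobLogLifeTime and LogLifeTime are given as day.hour:minutes:seconds, while WaitTimeOnFailedStart is given as hours:minutes:seconds. The following added example (not One Identity code) parses both, with the day part optional, and formats a duration back into the day.hour:minutes:seconds form; the function names and the grammar are my reading of the two formats as the guide prints them.

```python
"""Parse and format the day.hour:minutes:seconds timeouts used by the
One Identity Manager Service configuration.

Added example, not One Identity code. Grammar assumed from the guide's two
formats: an optional leading "days." followed by hours:minutes:seconds.
"""
from __future__ import annotations

import re
from datetime import timedelta

TIMEOUT = re.compile(r"^(?:(\d+)\.)?(\d{1,2}):(\d{2}):(\d{2})$")


def parse_timeout(text: str) -> timedelta:
    """Accept '1.12:00:00' (1 day 12 h) and '00:01:30' (90 s); reject anything else."""
    match = TIMEOUT.match(text.strip())
    if match is None:
        raise ValueError(f"not a day.hour:minutes:seconds timeout: {text!r}")
    days, hours, minutes, seconds = (int(g or 0) for g in match.groups())
    if hours > 23 or minutes > 59 or seconds > 59:
        raise ValueError(f"field out of range in {text!r}")
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)


def format_timeout(delta: timedelta) -> str:
    """Inverse of parse_timeout, always emitting the day.hour:minutes:seconds form."""
    if delta < timedelta(0):
        raise ValueError("negative timeouts are not representable")
    total = int(delta.total_seconds())
    days, rest = divmod(total, 86400)
    hours, rest = divmod(rest, 3600)
    minutes, seconds = divmod(rest, 60)
    return f"{days}.{hours:02d}:{minutes:02d}:{seconds:02d}"


def retry_budget_seconds(wait: str, retries: int) -> int:
    """Rough upper bound on the time spent retrying a failed service start:
    WaitTimeOnFailedStart multiplied by RetriesOnFailedStart (guide defaults:
    90 seconds and 5 retries)."""
    return int((parse_timeout(wait) * retries).total_seconds())


if __name__ == "__main__":
    for sample in ("00:01:30", "1.12:00:00", "7.00:00:00"):
        print(sample, "->", int(parse_timeout(sample).total_seconds()), "s")
    print("retry budget:", retry_budget_seconds("00:01:30", 5), "s")
```

A seven-day JobLogLifeTime is written as 7.00:00:00; the formatter makes that explicit, which helps when a retention value is generated rather than typed.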
