Defender 5.9.3 - Administration Guide

Getting started Managing Defender objects in Active Directory Configuring security tokens Securing VPN access Securing Web sites Securing Windows-based computers Defender Management Portal (Web interface) Securing PAM-enabled services Delegating Defender roles, tasks, and functions Automating administrative tasks Administrative templates Integration with Active Roles Integration with Cloud Access Manager Appendices
Appendix A: Enabling diagnostic logging Appendix B: Troubleshooting common authentication issues Appendix C: Troubleshooting DIGIPASS token issues Appendix D: Defender classes and attributes in Active Directory Appendix E: Defender Event Log messages Appendix F: Defender Client SDK Appendix G: Defender Web Service API

Encrypting database

Encrypting database

By default, the Defender Management Portal database is not encrypted. However, as this database contains a service account password used by the Defender Management Portal, you may want to encrypt the database.

To encrypt the database

  1. In IIS Manager, stop the Defender Web Interface site.
  2. On the Defender Management Portal computer, run DBEncrypt.exe located in the folder %ProgramFiles%\One Identity\Defender\Management Portal\Tools, and complete the dialog box that appears:
    1. Select the Encrypt Database check box.
    2. In the New Password and Confirm New Password boxes, type the password with which you want to encrypt the database.
    3. Click Apply, and then close the dialog box.
  3. In the Web.config file, update the database connection string with the new password:
    1. In a text editor, open the Web.config file located in the folder %ProgramFiles%\One Identity\Defender\Management Portal\WWW
    2. In the Web.config file, locate the <connectionStrings> element, and modify the SelfReg.sdf connection string within that element to include the new password. Example:

      connectionString="data source=|DataDirectory|\SelfReg.sdf;Max Database Size=4091;password=NewDatabasePassword"

      where NewDatabasePassword is the password you have set in Step 2 of this procedure.

    3. Save and close the Web.config file.
  4. Use the aspnet_regiis.exe tool to encrypt the database connection string in the Web.config file, so that the password is not displayed as plain text. You can find aspnet_regiis.exe in one of these folders:
    • On an x86 system - %WinDir%\Microsoft.NET\Framework\v2.0.50727
    • On an x64 system - %WinDir%\Microsoft.NET\Framework64\v2.0.50727

    Sample command to encrypt the database connection string on an x86 system:

    %WinDir%\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe -pef "connectionStrings" "%ProgramFiles%\One Identity\Defender\Management Portal\WWW" -prov "DataProtectionConfigurationProvider"

  5. In IIS Manager, start the Defender Web Interface site.

Changing password for encrypted database

Changing password for encrypted database

To change the password

  1. In IIS Manager, stop the Defender Web Interface site.
  2. On the Defender Management Portal computer, run DBEncrypt.exe located in the folder %ProgramFiles%\One Identity\Defender\Management Portal\Tools, and complete the dialog box that appears:
    1. In the Old Password box, type the password with which the database was encrypted.
    2. In the New Password and Confirm New Password boxes, type the new password with which you want to encrypt the database.
    3. Click Apply, and then close the dialog box.
  3. Use the aspnet_regiis.exe tool to decrypt the database connection string in the Web.config file, so that you can specify the new password in that file. You can find aspnet_regiis.exe in one of these folders:
    • On an x86 system - %WinDir%\Microsoft.NET\Framework\v2.0.50727
    • On an x64 system - %WinDir%\Microsoft.NET\Framework64\v2.0.50727

    Sample command to decrypt the database connection string in the Web.config file on an x86 system:

%WinDir%\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe -pdf "connectionStrings" "%ProgramFiles%\One Identity\Defender\Management Portal\WWW"

  1. In the Web.config file, update the database connection string with the new password:
    1. In a text editor, open the Web.config file located in the folder %ProgramFiles%\One Identity\Defender\Management Portal\WWW
    2. In the Web.config file, locate the <connectionStrings> element, and modify the SelfReg.sdf connection string within that element to include the new password. Example:

      connectionString="data source=|DataDirectory|\SelfReg.sdf;Max Database Size=4091;password=NewDatabasePassword"

      where NewDatabasePassword is the password you have set in Step 2 of this procedure.

    3. Save and close the Web.config file.
  2. Use the aspnet_regiis.exe tool to encrypt the database connection string in the Web.config file, so that the password is not displayed as plain text. You can find aspnet_regiis.exe in one of these folders:
    • On an x86 system - %WinDir%\Microsoft.NET\Framework\v2.0.50727
    • On an x64 system - %WinDir%\Microsoft.NET\Framework64\v2.0.50727

    Sample command to encrypt the database connection string on an x86 system:

    %WinDir%\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe -pef "connectionStrings" "%ProgramFiles%\One Identity\Defender\Management Portal\WWW" -prov "DataProtectionConfigurationProvider"

  3. In IIS Manager, start the Defender Web Interface site.

Decrypting database

Decrypting database

To decrypt the database

  1. On the Defender Management Portal computer, run DBEncrypt.exe located in the folder %ProgramFiles%\One Identity\Defender\Management Portal\Tools, and complete the dialog box that appears:
    1. Clear the Encrypt Database check box.
    2. In the Old Password box, type the password with which the database was encrypted.
    3. Click Apply, and then close the dialog box.
  2. Use the aspnet_regiis.exe tool to decrypt the database connection string in the Web.config file. You can find aspnet_regiis.exe in one of these folders:
    • On an x86 system - %WinDir%\Microsoft.NET\Framework\v2.0.50727
    • On an x64 system - %WinDir%\Microsoft.NET\Framework64\v2.0.50727

    Sample command to decrypt the database connection string in the Web.config file on an x86 system:

    %WinDir%\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe -pdf "connectionStrings" "%ProgramFiles%\One Identity\Defender\Management Portal\WWW"

  3. In the Web.config file, update the database connection string to remove the password:
    1. In a text editor, open the Web.config file located in the folder %ProgramFiles%\One Identity\Defender\Management Portal\WWW
    2. In the Web.config file, locate the <connectionStrings> element, and modify the SelfReg.sdf connection string within that element to remove the password. Example:

      connectionString="data source=|DataDirectory|\SelfReg.sdf;Max Database Size=4091"

    3. Save and close the Web.config file.

Defender Security Server log cache

Defender Security Server log cache

Each Defender Security Server generates logs, which are retrieved by the Log Receiver Service running on the Defender Management Portal computer. The retrieved logs are then used to do the following:

  • Display authentication statistics on the Dashboard tab of the Defender Management Portal.
  • Provide troubleshooting information on the Helpdesk tab of the Defender Management Portal.
  • Display information on the Actions tab of the Defender Management Portal.

Defender Security Servers deployed in your environment automatically detect the Log Receiver Service and provide their logs to the service.

In situations where the connection between the Defender Security Server and the Log Receiver Service is interrupted, the logs to be sent to the service are cached in a .dat file on the Defender Security Server. After the connection is restored, the log data cached in the .dat file is sent to the Log Receiver Service.

If the Log Receiver Service is running and the connection between this service and the Defender Security Server is working properly, the .dat file should not grow in size.

On a Defender Security Server, you can find the .dat file in the following folder:

%ProgramFiles%\One Identity\Defender\Security Server\Logs

The name of the .dat file has the following format:

<ServerName>.LogQueue.dat

Where <ServerName> is the name of the computer on which the Defender Management Portal is installed.

Documentos relacionados