Converse agora com nosso suporte
Chat com o suporte

Identity Manager 9.3 - Operational Guide

About this guide Simulating data changes in the Manager Scheduling operations activation times Re-applying templates in the Manager Exporting data with the Manager Analyzing data and data changes Analyzing process monitoring in the Manager Schedules in One Identity Manager Mail templates in One Identity Manager Password policies in One Identity Manager Working with change labels Checking data consistency Compiling a One Identity Manager database Transporting custom changes Importing data with the Data Import Importing and exporting individual files for the software update Creating a One Identity Manager database for test or development from a database backup Initializing DBQueue Processor the after extending the server hardware Command line programs Configuration of settings for the One Identity Manager tools

InstallManager.CLI.exe

The InstallManager.Cli.exe program provides support for the installation of One Identity Manager. You can run the program from the command line.

IMPORTANT: Run the installation using the command line console in administrator mode.

Calling syntax

InstallManager.Cli.exe

-m install|change|remove|uninstall

-r {Directory}

[-i {Directory}]

[-fu]

[-mod {ModuleIDs}]

[-d {Targets}]

[-p {Packages}]

[-l {Path}]

[-fo]

[-cs {Service name} {Properties}]

[-dc]

Table 49: Program parameters and options

Parameter or option

Alternative Description

-m

--mode

Installation mode. Permitted values are

  • install: Install new modules.

  • change: Update existing modules.

  • remove: Delete modules.

  • uninstall: Uninstall complete installation.

-r

--rootpath

Directory containing the installation sources.

-i

--installpath

(Optional) Directory in which to install.

-fo

--filesonly

(Optional) Only file actions will be run. No start menu entries or registry keys are generated and no services are installed.

NOTE: To run this operation, you do not require administration permissions.

-mod

--module

Space-delimited list of module IDs.

-d

--deploymenttarget

Space delimited list of machine roles.

-p

--packages

Space-delimited list of packages.

-l

--logfile

(Optional) Path to the log file.

-fu

--forceupdate

(Optional) All data will be reinstalled.

-cs

--changeservice

Changes the properties for registration of the service. The following values are expected:

  • Service name: Name of the service to be changed

  • Properties: New properties of the service with:

    • Name: Name of the service.

    • Display: Display name of the service.

    • Description: Description of the service.

    Example:

    "Name=<New name>;Display=<New display>;Description=<New Description>"

    You only need to specify the properties that are to be changed.

-dc

--deleteconfig

(Optional) Configuration data and logs are removed in uninstall mode.

-h

--help

Display program help.

Example: Installing a single module

InstallManager.Cli.exe

-m install

-r c:\sourcedir

-mod QER ADS SAP LDAP ATT

Example: Updating a machine role

InstallManager.Cli.exe

-m change

-r c:\sourcedir

-d Server\JobServer\ADS

Example: Uninstalling the One Identity Manager components

InstallManager.Cli.exe

-m uninstall

-i c:\installdir

-dc

DBCompilerCMD.exe

The DBCompilerCMD.exe program supports compiling a database.You can run the program from the command line.

Calling syntax

DBCompilerCMD.exe

/Conn="{Connection string}"

/Auth="Module={Authentication string}"

[/LogLevel=Off|Fatal|Error|Info|Warn|Debug|Trace]

[/IgnoreErrors=True|False]

[-W]

[/DumpModules]

[/Modules=[CompileScriptsCore] [ExtractWhereClauses] [FillMultiLanguage]]

[/SkipModules=[CompileScriptsCore] [ExtractWhereClauses] [FillMultiLanguage]]

/WaitTimeout

[-A]

[/AutoCompileCheckInterval]

[/AutoCompileWaitSeconds]

[/AutoCompileErrorWaitSeconds]

[-S]

[-C]

[-v]

Table 50: Program parameters and options
Parameter or option Description

-A

(Optional) Automatic compilation of the database. The database is monitored and compiled if necessary. This runs until the program is terminated with Ctrl + C.

-C

(Optional) Compile only modified parts of the system.

-S

(Optional) Messages are outputted to the console without timestamp or severity level.

-v

(Optional) Provides additional information (verbose).

-W

(Optional) Wait for the processing of DBQueue Processor tasks to complete before starting compilation.

/Auth

Authentication data. The authentication data depends on the authentication module used. For more information about One Identity Manager authentication modules, see the One Identity Manager Authorization and Authentication Guide.

/AutoCompileCheckInterval

(Optional) Interval in seconds to check if the database needs to be compiled.

Default: 30

/AutoCompileErrorWaitSeconds

(Optional) If an error occurs during compilation, the next compiler run is deferred by this time interval before actually being be performed.

Default: 60

/AutoCompileWaitSeconds

(Optional) After a compilation request is detected, compilation is deferred by this time interval before actually being be performed.

Default: 0

/Conn

Database connection parameter. A user with a minimum access level of Configuration user is required.

For more information about permissions, see the One Identity Manager Installation Guide and the One Identity Manager Authorization and Authentication Guide.

Alternatively, you can enter the name of the connection according to the registry HKEY_CURRENT_USER\Software\One Identity\One Identity Manager\Global\Connections.

/IgnoreErrors

(Optional) Specifies if error messages are ignored. Permitted values are True and False.

/LogLevel

(Optional) Scope of output to be processed. Permitted values are:

  • Off: No logging.

  • Fatal: All critical error messages are logged.

  • Error: All error messages are logged.

  • Info: All information is logged.

  • Warn: All warnings are logged.

  • Debug: Debugger outputs are logged. This setting should only be used for testing.

  • Trace: Highly detailed information is logged. This setting should only be used for analysis purposes. The log file quickly becomes large and cumbersome.

/Modules

(Optional) Space-delimited list of compiler modules to be compiled. Permitted values are:

  • CompileScriptsCore: Compile script components.

  • ExtractWhereClauses: Extract Where clauses and mark as secure.

  • FillMultiLanguage: Extract language-dependent texts.

Example:

FillMultiLanguage CompileScriptsCore

/DumpModules

(Optional) Deploying the compiler module without compiling.

/SkipModules

(Optional) Space-delimited list of compiler modules that must not be compiled.

Example:

FillMultiLanguage CompileScriptsCore

/WaitTimeout

Maximum waiting time for DBQueue.

Default: 00:10:00

-? |-h

Display program help.

Example:

DBCompilerCMD.exe

/Conn="Data Source=<Database server>;Initial Catalog=<Database name>;User ID=<Database user>;Password=<Password>"

/Auth="Module=DialogUser;User=<User name>;Password=<Password>"

-W

Quantum.MigratorCmd.exe

The Quantum.MigratorCmd.exe program supports migration of a One Identity Manager database. You can run the program from the command line.

Calling syntax for installation

quantum.migratorcmd.exe

--INSTALL

/Connection="{Connection string}"

/System=MSSQL

/Module={Module IDs}[+]

/Destination="{Directory}"

[/Password={Password}]

[/Admin="mode=create|check|extend;login={SQL Server login name};password={SQL Server login password}]

[/Login="User=Config|User;login={SQL Server login name};password={SQL Server login password}"]

[/Person="condition={Condition};password={Identity password}"]

[/User="DialogUser={System user};password={System user password}"]

[/PasswordPolicy="{Password policy settings}"]

[/Group="GroupName={Group name}"|skip]

[/LogLevel="Off|Fatal|Error|Info|Warn|Debug|Trace"]

[/PreCheck={[+|-] Precheck ID}]

[/Edition]

[/DialogDatabase]

[/Config]

[/PostSQL]

Calling syntax for updating

quantum.migratorcmd.exe

--UPDATE

/Connection="{Connection string}"

/Module={Module IDs}[+] /destination="{Directory}"

[/Admin="mode=create|check|extend;login={SQL Server login name};password={SQL Server login password}]

[/SysAdmin="Data Source=<Database server>;Initial Catalog=<Database name>;User ID=<Database user>;Password=<Password>"]

[/Login="User=Config|User;login={SQL Server login name};password={SQL Server login password}"]

[/Person="condition={Condition};password={Identity password}"]

[/User="DialogUser={System user};password={System user password}"]

[/PasswordPolicy="{Password policy settings}"]

[/Loglevel="Off|Fatal|Error|Info|Warn|Debug|Trace"]

[/PreCheck={[+|-] Precheck ID}]

[/KeepUpdatePhase]

[/DialogDatabase]

[/Config]

[/PostSQL]

[/ForceFullMigration]

Calling syntax for restoring a database

quantum.migratorcmd.exe

--RESTORE

/Connection="{Connection string}"

/Destination="{Directory}"

[/Admin="mode=create|check|extend;login={SQL Server login name};password={SQL Server login password}]

[/Login="User=Config|User;login={SQL Server login name};password={SQL Server login password}"]

[/Person="condition={Condition};password={Identity password}"]

[/User="DialogUser={System user};password={System user password}"]

[/PasswordPolicy="{Password policy settings}"]

[/Group="GroupName={Group name}"|skip]

[/LogLevel="Off|Fatal|Error|Info|Warn|Debug|Trace"]

[/PreCheck={[+|-] Precheck ID}]

[/KeepUpdatePhase]

[/DialogDatabase]

[/Config]

[/PostSQL]

Calling syntax for deleting a database

quantum.migratorcmd.exe

--DELETE

/Connection="{Connection string}"

/Destination="{Directory}"

Calling syntax for passing parameters as a file

quantum.migratorcmd.exe @File

Table 51: Program parameters and options
Parameter or option Description

--Delete

Deletes database including all files and SQL logins.

--Delta

For internal use only.

--Dump

For internal use only.

--Import

For internal use only.

--Install

Installs new database.

--Restore

This operation performs the necessary steps to make the database operational, such as initializing the DBQueue Processor or restoring logins.The operation can be performed after a database has been restored from a backup, for example on another server.

--Update

Updates database.

/Clear

For internal use only.

/Format

For internal use only.

/HashSize

For internal use only.

/KeepUpdatePhase

(Optional) If the parameter is set, the update phase is not reset to 0 after migration is complete (DialogDatabase.UpdatePhase).

/LogLevel

(Optional) Scope of output to be processed. Permitted values are:

  • Off: No logging.

  • Fatal: All critical error messages are logged.

  • Error: All error messages are logged.

  • Info: All information is logged.

  • Warn: All warnings are logged.

  • Debug: Debugger outputs are logged. This setting should only be used for testing.

  • Trace: Highly detailed information is logged. This setting should only be used for analysis purposes. The log file quickly becomes large and cumbersome.

/Password

(Optional) Initial password for the viadmin system user when a new database is installed.

/Condition

For internal use only.

/Config

(Optional) Global JSON configuration file for variables.

/Connection

Database connection parameter. A user with a minimum access level of Administrative user is required.

For more information about permissions, see the One Identity Manager Installation Guide and the One Identity Manager Authorization and Authentication Guide.

Alternatively, you can enter the name of the connection according to the registry HKEY_CURRENT_USER\Software\One Identity\One Identity Manager\Global\Connections.

/From

For internal use only.

/To

For internal use only.

/Destination

Source directory .

/DialogDatabase

Passes information about the database (DialogDatabase table). The value updates the entry for the database in the DialogDatabase table. This allows a new database to immediately create a valid entry in the DialogDatabase table.

Example: "CustomerName=<your name>;ProductionLevel=2"

/Edition

(Optional) Edition to be installed. Permitted values are:

  • DGE: One Identity Manager Data Governance Edition

  • STE: One Identity Manager Edition

/Group

(Optional) Creates custom permissions groups (DialogGroup.GroupName). To create several permissions groups, the parameter can be entered more than once.

Example:

/Group="GroupName=CCCCustomGroup"

The skip keyword can be used to skip creation of the permission groups. This means that no permissions groups are created.

Example:

/Group=skip

If the parameter is not provided, the default groups CCCEditPermissions, CCCViewPermissions, CCCEditRole, and CCCViewRole are created.

/Admin

(Optional) Mode for creating SQL logins if granular permissions are used.

  • mode: Specifies in which mode the SQL login is created.

    Permitted values are:

    • create : The SQL login does not exist yet and will be created.

    • check: The SQL login already exists. This checks the permissions for the SQL login. If the necessary permissions are missing, an error message is displayed.

    • extend: The SQL login already exists. This extends the permissions for the SQL login.

  • login: Name of the SQL login.

  • password: Password for the SQL login.

Example: Create a new SQL login "OneIM_Admin" with password "secret".

/admin="mode=create;Login=OneIM_Admin;Password=secret"

/Login

(Optional) Creates the other SQL logins if granular permissions are used. Multiple instances of this parameter are possible.

  • user: Name of the database user according to QBMDBPrincipal.UserName.

    Permitted values are:

    • Config: Configuration user.

    • User: End user.

  • login: Name of the SQL login.

  • password: Password for the SQ login.

Example: Creating SQL logins for configuration users and end users.

/login="User=Config;Login=OneIM_Config;Password=secret"

/login="User=User;Login=OneIM_User;Password=secret"

/Module

Comma delimited list of module IDs.

For UPDATE operation: If the module ID is followed by a plus sign (+), only this module is updated. If no plus sign is specified, all modules listed are updated.

/ModuleOwner

For internal use only.

/Operation

Alternative name of the operation.

Example: /operation=INSTALL

/PasswordPolicy

(Optional) Temporarily altered configuration of the default password policy. For example, this could be used to override the policy settings and permitted character sets (corresponding to the QBMPwdPolicy table). The configuration is only used while the program is running and is not saved in the database.

/PasswordPolicy="MinLen=12;MinNumbers=2"

/Person

(Optional) Configuration of an identity's password (Person.DialogUserPassword). Multiple instances of this parameter are possible.

  • condition: A valid SQL condition for the person table.

  • password: Password (plain text or password hash).

Example: Sets the "secret" password for the identity with the internal name "Sys, admin".

/person="Condition=InternalName='Sys, admin'; Password=secret"

/PostSQL

(Optional) Name of a file (*.sql) containing SQL queries that will be run after the database operation (Install/Update/Restore). This enables a database configuration without other programs.

/PreCheck

(Optional) Controls the handling of database pre-checks. The input is given as + or - followed by the ID for the pre-check. Multiple instances of this parameter are possible.

  • +ID: The pre-check is repaired. If the pre-check is not repairable, an error message is displayed.

  • -ID: Pre-check is ignored. This only works for optional tests.

    Example: /precheck=-JobqueueEmpty.

The ID can be taken from the PreCheck with ID '{0}' failed! error message.

/SysAdmin

Connection parameter for an administrative database connection.

/System

Database system. Permitted value is MSSQL.

/User

(Optional) Configuration of a system user's password (Person.DialogUserPassword). Multiple instances of this parameter are possible.

  • DialogUser: Name of the system user (DialogUser.UserName).

  • password: Password (plain text or password hash).

/ForceFullMigration

(Optional) Forces a complete check and repair of the default data during the schema update (Update). This procedure usually takes some time. If this option is not available, the schema is updated using a faster delta process.

@file

As an alternative to directly issuing commands, you can name a text file containing the commands. Every command is in a separate line.

-v

(Optional) Provides additional information (verbose).

-? | h

Display program help.

Example: Installing a database

quantum.migratorcmd.exe

--Install

/connection="Data Source=<Database server>;Initial Catalog=<Database>;User ID=<Database user>;Password=<Password>"

/module="TSB,ATT,CPL,HDS,POL,RMB,RMS,RPS"

/destination="C:\install"

Example: Restoring a database

quantum.migratorcmd.exe

--Restore

/connection="Data Source=<Database server>;Initial Catalog=<Database>;User ID=<Database user>;Password=<Password>"

/destination="C:\install"

/LogLevel=Warning

/precheck=-JobqueueEmpty

AppServer.Installer.CMD.exe

The AppServer.Installer.CMD.exe program supports installing and uninstalling of application servers. You can run the program from the command line.

NOTE: Run the installation using the command line console in administrator mode.

Calling syntax for installation

AppServer.Installer.CMD.exe

--conn={Connection string}

--auth={Authentication string}

--appname={Application name}

[--site={site}]

[--app-pool={Application pool}]

[--source-dir={Directory}]

[--deployment-target={Machine role}]

[--allow-http]

[--windows-auth]

[--db-windows-auth]

[--skip-file-permissions]

[--runtime-connection={Connection string}]

[--hdb-connection={History Database ID|Connection string}]

[/updateuser {User name} [/updateuserdomain {Domain}] [/updateuserpassword {Password}]]

[

--cert-mode=existing --cert-thumbprint={Thumbprint}

|

--cert-mode=new --cert-issuer {Issuer} [--cert-key=1024|2048|4096]

|

--cert-mode=newfile --cert-issuer {Issuer} [--cert-key=1024|2048|4096] [--cert-file={Path to certificate file}]

]

[--set-connection]

[--conn-id={History Database ID}]

[--verbose]

Calling syntax for uninstalling

AppServer.Installer.CMD.exe

--conn={Connection string}

--auth={Authentication string}

--appname={Application name}

--uninstall

Table 52: Program parameters and options

Parameter or option

Alternative

Description

--conn

--connection|

-c

Database connection parameter. To install an application server you require at least one user with the Configuration user access level.

For more information about permissions, see the One Identity Manager Installation Guide and the One Identity Manager Authorization and Authentication Guide.

Alternatively, you can enter the name of the connection according to the registry HKEY_CURRENT_USER\Software\One Identity\One Identity Manager\Global\Connections.

--auth

--auth-props|-a

Authentication data for the installation. The authentication data depends on the authentication module used.

For more information about authentication modules, see the One Identity Manager Authorization and Authentication Guide.

--appname

 

Application name.

--site

 

(Optional) Website on the Internet Information Services where the application is installed. If the parameter is not set, Default Web Site is used (default).

--app-pool

 

(Optional) Application pool. If this parameter is set, the installation is performed in the specified application pool. If this parameter is not set, a new application pool is installed (default).

--source-dir

-s

(Optional) Installation source. If this parameter is set, the installation is performed from the file system. If this parameter is not set, the installation is performed from the database (default).

--deployment-target

-t

(Optional) Machine role for the installation. This parameter can be used more than once. Alternatively, multiple machine role can be separated with a pipe [|]. If this parameter is not set, the Server | Web | Appserver machine role is used.

--allow-http

 

(Optional) If the parameter is set, HTTP is permitted. If this parameter is not available, HTTPS is used (default).

--windows-auth

-w

(Optional) Type of authentication used for the web application. If this parameter is set, Windows authentication is used. If this parameter is not set, anonymous authentication is used on IIS (default).

--db-windows-auth

 

(Optional) Type of authentication used for the One Identity Manager database. If this parameter is set, Windows authentication is used. If this parameter is not set, the SQL login from the connection parameters is used.

--skip-file-permissions

-f

(Optional) If this parameter is set, no permissions are allocated for the IIS_USRS user. If this parameter is not set, the permissions are allocated for the IIS_USRS user (default).

--runtime-connection

--run-conn

(Optional) Database connection parameters used as authentication for the One Identity Manager database, for example, if the application server is run with the end user access level. If this parameter is not set, the SQL login from the connection parameters is used for the installation (default).

--update-user

 

(Optional) User for updating. If no user is given, the same user account is used for the application pool.

--update-user-domain

 

Active Directory domain of the user.

--update-user-password

 

User password.

--cert-mode

 

(Optional) Type of certificate selection. Permitted values are:

  • existing: Uses an existing certificate.

  • new: Uses a new certificate.

  • newfile: Creates a new certificate file. (default)

--cert-thumbprint

 

Thumbprint of the certificate if an existing certificate is used.

--cert-issuer

 

Issuer of the certificate if a new certificate or a new certificate file is created.

Example: "CN=Application Server"

--cert-key

 

Length of the certificate’s key 1024, 2048 (default), and 4096 are permitted.

--cert-file

 

(Optional) Directory path and name of the certificate file if a new certificate file is created. If this parameter is not set, "App_Data\SessionCertificate.pfx" is used.

--hdb-connection

 

(Optional) History Database connection parameter. This value is a combination of the ID and the connection parameter (pipe (|) delimited).

Example: “<History Database ID>|key1=value1;key2=value2;...”

--set connection

-S

Changes the connection parameters for an installed application.

--conn-id

 

(Optional) Connection parameter identifier. If this parameter is not set, the application server’s own connection parameters are used.

--uninstall

-R

Removes the application server.

--verbose

-v

(Optional) Provides additional information (verbose).

--help

-h, -?

Display program help.

Parameter formats

Multiple-character options can be given in the following forms:

--conn="..."

--conn "..."

/conn="..."

/conn "..."

Single-character options can be given in the following forms:

-c="..."

-c "..."

/c="..."

/c "..."

Switches are allowed in the forms:

-R

/R

Example: Installing an application server

AppServer.Installer.CMD.exe

--conn="Data Source=<Database server>;Initial Catalog=<Database name>;User ID=<Database user>;Password=<Password>"

--auth="Module=DialogUser;User=<User name>;Password=<Password>"

--appname=MyApplicationServer

--allow-http

Example: Uninstalling an application server

AppServer.Installer.CMD.exe

--conn="Data Source=<Database server>;Initial Catalog=<Database name>;User ID=<Database user>;Password=<Password>"

--auth="Module=DialogUser;User=<User name>;Password=<Password>"

--appname=MyApplicationServer

--uninstall

Example: Changing the connection parameters of the application server

AppServer.Installer.CMD.exe

--set-connection

--appname=MyApplicationServer

--conn="Data Source=<Database server>;Initial Catalog=<Database name>;User ID=<Database user>;Password=<Password>"

Example: Changing the parameters for connecting a History Database

AppServer.Installer.CMD.exe

--set-connection

--appname=MyApplicationServer

--conn-id=<History Database ID>

--conn="Data Source=<Database server>;Initial Catalog=<Database name>;User ID=<Database user>;Password=<Password>"

Documentos relacionados

The document was helpful.

Selecione a classificação

I easily found the information I needed.

Selecione a classificação