
Identity Manager 9.0 LTS - Installation Guide

Load balancing of the Manager web application

The Manager web application provides simple load balancing in order to distribute user sessions and the resulting load across multiple processes or even servers. To do this, the application is installed multiple times on the same or on other servers.

All collaborating applications that can be logged in to are declared in the application's Application pool. The selection algorithm for load distribution distributes user logins across the applications defined there.

NOTE: Even if only one application is installed, it must be defined in your application pool, otherwise you cannot log in.

Table 51: Supported algorithms for load balancing
Algorithm Description

DistributeEqually

This algorithm distributes user logins so that, as far as possible, each application for a given language has the same number of active users. This algorithm is the default and is the appropriate choice in almost all cases.

DistributeSuccessively

This algorithm distributes user logins in the order in which the applications are defined in the application pool. All user logins are first forwarded to the first application for the requested language. When that application has reached its maximum load, logins are forwarded to the next one.

Load balancing solves the following problems:

  • Multilingual

    The language is fixed per application, so an application can only provide user sessions in one language. If users can log in with multiple languages, at least one application must be installed for each language.

  • Bypassing resource limitations

    If multiple web applications are installed and assigned to different Internet Information Services application pools, they are started in separate worker processes, so the resource limits of a single process no longer cap all user sessions at once.

  • Increasing performance

    Performance can be noticeably improved by installing on several servers.

  • Redundancy

    With multiple installations, the failure of just one of the installed applications does not necessarily cause a complete outage.
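The following simulation is an added example and is not One Identity's code: it implements the two selection algorithms from Table 51 over a constructed application pool and routes a constructed sequence of logins through them, including a login for a language with no installed application (the multilingual constraint above). The pool entry names, the per-application session limit (`max_sessions`, which stands in for "maximum load") and the first-entry tie-breaking in DistributeEqually are assumptions made for this illustration; the product does not document them.

```python
"""Added example, not One Identity code: simulation of the DistributeEqually
and DistributeSuccessively algorithms over a constructed application pool."""
from dataclasses import dataclass


@dataclass
class PoolEntry:
    """One entry of the application pool: a deployed Manager web application.
    `language` is fixed per application; `max_sessions` is the assumed point
    at which DistributeSuccessively moves on to the next entry."""
    name: str
    language: str
    max_sessions: int
    sessions: int = 0


class NoApplicationAvailable(Exception):
    """No pool entry serves the requested language, or all of them are full."""


def distribute_equally(pool, language):
    """Pick the application for `language` with the fewest active sessions
    (ties go to the entry defined first; an assumption)."""
    candidates = [app for app in pool
                  if app.language == language and app.sessions < app.max_sessions]
    if not candidates:
        raise NoApplicationAvailable(language)
    return min(candidates, key=lambda app: app.sessions)


def distribute_successively(pool, language):
    """Fill the applications for `language` in pool definition order."""
    for app in pool:
        if app.language == language and app.sessions < app.max_sessions:
            return app
    raise NoApplicationAvailable(language)


ALGORITHMS = {"DistributeEqually": distribute_equally,
              "DistributeSuccessively": distribute_successively}


def simulate_logins(pool, logins, algorithm="DistributeEqually"):
    """Route (user, language) logins; return {application name: [users]}.
    Logins that no pool entry can serve are collected under 'rejected',
    which is what happens when no application exists for a language."""
    select = ALGORITHMS[algorithm]
    assignment = {app.name: [] for app in pool}
    assignment["rejected"] = []
    for user, language in logins:
        try:
            app = select(pool, language)
        except NoApplicationAvailable:
            assignment["rejected"].append(user)
            continue
        app.sessions += 1
        assignment[app.name].append(user)
    return assignment


def example_pool():
    """Constructed pool: two English applications on two servers, one German."""
    return [PoolEntry("srv1/Manager-en", "en-US", max_sessions=3),
            PoolEntry("srv2/Manager-en", "en-US", max_sessions=3),
            PoolEntry("srv1/Manager-de", "de-DE", max_sessions=3)]


# Constructed login sequence; "fumi" requests a language nobody serves.
EXAMPLE_LOGINS = [("alice", "en-US"), ("bob", "en-US"), ("carol", "en-US"),
                  ("dave", "en-US"), ("erik", "de-DE"), ("fumi", "fr-FR")]


if __name__ == "__main__":
    for name in ALGORITHMS:
        print(name, simulate_logins(example_pool(), EXAMPLE_LOGINS, name))
```

Running it shows the practical difference: DistributeEqually alternates the English logins between the two servers, while DistributeSuccessively fills srv1 to its limit before srv2 receives anything; in both cases the French login is rejected because no application for that language is in the pool.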

Manager web application single sign-on

The Manager web application supports a single sign-on mechanism that enables authentication of a user without the user having to repeatedly enter their user name and password.

Prerequisites:

  • Anonymous access disabled.

  • Configuration of an authentication module capable of single sign-on.

    For more information about One Identity Manager authentication modules, see the One Identity Manager Authorization and Authentication Guide.

  • Permissions in the application’s own application pool

Disable anonymous access on the web server. The user's browser must then present the data required for authentication with each request instead of being admitted as an anonymous user.

To disable anonymous access

  1. Open the configuration of the Manager web application in Internet Information Services and open the Authentication feature.

  2. Set the status of Anonymous Authentication to Disabled.

NOTE: Enable the authentication method used by your single sign-on module (for example, Windows Authentication) before disabling anonymous access. If no authentication method is enabled, Internet Information Services rejects every request and nobody can log in.

Machine roles and installation packages

Table 52: Machine role and installation package options
Machine role Description of the installation package

Workstation

Contains all basic components for installing tools on an administrative workstation.

Administration

Contains One Identity Manager administration tools required by default users to fulfill their tasks with One Identity Manager. In addition to the tools that ensure basic functionality for working with One Identity Manager, the administration machine role includes the Manager as a main administration tool.

Configuration

Contains all One Identity Manager tools for the default user and additional programs for configuring the system. These include, for example, the Configuration Wizard, Database Compiler, Database Transporter, Crypto Configuration, Designer, Web Designer, and configuration tools for the One Identity Manager Service.

Development & Testing

Contains the One Identity Manager tools for developing and testing custom scripts and forms, for example, the System Debugger.

Monitoring

Contains One Identity Manager programs for monitoring the system status, for example, the Job Queue Info program.

Documentation

Contains One Identity Manager documentation in different languages.

Server

Contains all the basic components for setting up a server.

Job server

Contains the One Identity Manager Service and basic processing components. Additional machine roles contain connectors for synchronizing individual target systems.

Configuration parameters for the email notification system

Use the following configuration parameters to configure the email notification system.

Table 53: General configuration parameters for mail notification
Configuration parameter Meaning

Common | InternationalEMail

Specifies whether international domain names and unicode characters are supported in email addresses.

IMPORTANT: The mail server must also support this function. If necessary, you must override the VID_IsSMTPAddress script so that address validation accepts such addresses.

Common | MailNotification

Specifies whether the configuration subparameters that deal with notifications take effect.

Common | MailNotification | AcceptSelfSignedCert

Specifies whether self-signed certificates are accepted for TLS connections to the SMTP server. If set, the server's certificate chain is no longer validated, so a host on the network path presenting its own certificate cannot be told apart from the real relay. Leave it unset outside test environments.

Common | MailNotification | AllowServerNameMismatchInCert

Specifies whether a certificate whose subject name does not match the SMTP server name is accepted for TLS connections. If set, any trusted certificate for any other host name is accepted for the relay. Leave it unset outside test environments.

Common | MailNotification | DefaultAddress

Default email address of the recipient of the notifications.

Common | MailNotification | DefaultCulture

Default language used to send email notifications if a language cannot be determined for a recipient. All the languages from the QBMCulture table are permitted.

Common | MailNotification | DefaultLanguage

Default language for sending email notifications. All languages that are enabled in the DialogLanguage table are permitted.

Common | MailNotification | DefaultSender

Sender's default email address for sending automatically generated notifications.

Syntax:

sender@example.com

Example:

NoReply@company.com

You can enter the sender's display name in addition to the email address. In this case, ensure that the email address is enclosed in chevrons (<>).

Example:

One Identity <NoReply@company.com>

Common | MailNotification | Encrypt

Specifies whether emails are encrypted.

Common | MailNotification | Encrypt | ConnectDC

Domain controller of the requested domain to use.

Common | MailNotification | Encrypt | ConnectPassword

Password of the user account. This is optional.

Common | MailNotification | Encrypt | ConnectUser

User account for querying Active Directory. This is optional.

Common | MailNotification | Encrypt | DomainDN

Distinguished name of the domain to request.

Common | MailNotification | Encrypt | EncryptionCertificateScript

This configuration parameter names the script that supplies the list of certificates used for encrypting emails (default: QBM_GetCertificates).

Common | MailNotification | NotifyAboutWaitingJobs

Specifies whether a message should be sent if the process steps have a particular status in the Job queue.

Common | MailNotification | SignCertificateThumbprint

SHA-1 thumbprint of the certificate to use for the signature. The certificate can be in the computer's or the user's certificate store.

NOTE: Ensure that the certificate's private key is marked as exportable, and restrict read access to that key to the account under which notifications are sent.

Common | MailNotification | SMTPAccount

User account name for authentication on an SMTP server.

Common | MailNotification | SMTPDomain

User account domain for authentication on the SMTP server.

Common | MailNotification | SMTPPassword

User account password for authentication on the SMTP server.

Common | MailNotification | SMTPPort

Port of the SMTP service on the SMTP server. Default: 25

Common | MailNotification | SMTPRelay

SMTP server for sending email notifications. If no server is given, localhost is used.

Common | MailNotification | SMTPUseDefaultCredentials

Specifies which credentials are used for authentication on the SMTP server.

If this parameter is set, the login credentials of the One Identity Manager Service are used for authentication on the SMTP server.

If the configuration parameter is not set (default), the login data defined in the Common | MailNotification | SMTPDomain, Common | MailNotification | SMTPAccount, and Common | MailNotification | SMTPPassword configuration parameters is used.

Common | MailNotification | TransportSecurity

Encryption method for sending email notifications. If none of the following options is given, the port determines the behavior (port 25: no encryption, port 465: SSL/TLS encryption).

Permitted values are:

  • Auto: Identifies the encryption method automatically.

  • SSL: Encrypts the entire session with SSL/TLS (implicit TLS from the first byte).

  • STARTTLS: Uses the STARTTLS mail server extension. Switches on TLS encryption after the greeting and after loading the server capabilities. The connection fails if the server does not support the STARTTLS extension.

  • STARTTLSWhenAvailable: Uses the STARTTLS mail server extension if it is available. Switches on TLS encryption after the greeting and after loading the server capabilities, but only if the server supports the STARTTLS extension. Because the capability list is read over the still-unencrypted connection, an active attacker on the path can remove STARTTLS from it and force the session to plain text; where the relay is known to support TLS, prefer STARTTLS or SSL.

  • None: No security for the transport layer. All data, including the SMTP credentials and the message content, is sent as plain text.

Common | MailNotification | VendorNotification

Email address of your company's contact person. The email address is used as the return address for notifying vendors.

If the configuration parameter is set, One Identity Manager generates a list of system settings once a month and sends the list to One Identity. This list does not contain any personal data. You can check the latest system information at any time by selecting Help > Info in the menu.

The list will be reviewed by our customer support team, who will look for material changes in a proactive effort to identify potential issues before they materialize on your system. The lists may be used by our R&D staff for analysis, diagnosis, and replication for testing purposes. We will keep and refer to this information for as long as your company remains on support for this product.
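The following script is an added example and is not One Identity's code. It serves two of the parameter descriptions above: it models the TransportSecurity decision (an unset value decided by port, STARTTLS failing hard without the extension, STARTTLSWhenAvailable falling back to plain text) and shows what AcceptSelfSignedCert and AllowServerNameMismatchInCert actually switch off in certificate validation, expressed with Python's standard `ssl` and `smtplib` modules rather than the product's own mail code. The function names, the constructed EHLO capability sets, the rule that credentials are only sent after TLS is up, and the interpretation of Auto (implicit TLS on port 465, otherwise STARTTLS when offered) are assumptions made for this illustration; the page does not document how Auto decides.

```python
"""Added example, not One Identity code: models how TransportSecurity,
AcceptSelfSignedCert and AllowServerNameMismatchInCert shape an SMTP session.
Function names and the capability sets used here are assumptions."""
import smtplib
import ssl


class TransportError(Exception):
    """The configured transport cannot be honoured by this relay."""


def resolve_transport(transport_security, port, server_extensions):
    """Return 'ssl', 'starttls' or 'plain' for one configuration.

    server_extensions: EHLO keywords the relay announced (smtplib's
    esmtp_features in a live session; constructed in the offline tests).
    An unset value is decided by the port, STARTTLS fails hard without the
    extension, STARTTLSWhenAvailable falls back to plain text. 'Auto' is
    assumed to mean implicit TLS on 465, otherwise STARTTLS when offered."""
    mode = (transport_security or "").lower()
    offers_starttls = "starttls" in {e.lower() for e in server_extensions}
    if mode == "":
        return "ssl" if port == 465 else "plain"
    if mode == "none":
        return "plain"
    if mode == "ssl":
        return "ssl"
    if mode == "starttls":
        if not offers_starttls:
            raise TransportError("relay does not announce STARTTLS")
        return "starttls"
    if mode == "starttlswhenavailable":
        # Opportunistic: an on-path attacker who strips STARTTLS from the
        # EHLO response silently downgrades this to plain text.
        return "starttls" if offers_starttls else "plain"
    if mode == "auto":
        if port == 465:
            return "ssl"
        return "starttls" if offers_starttls else "plain"
    raise ValueError(f"unknown TransportSecurity value: {transport_security!r}")


def build_tls_context(accept_self_signed=False, allow_name_mismatch=False):
    """SSLContext equivalent to the two certificate relaxation parameters.

    Either one lets a host on the path present its own certificate for the
    relay, so both belong off outside a lab."""
    ctx = ssl.create_default_context()   # verifies chain and host name
    if allow_name_mismatch:
        ctx.check_hostname = False       # AllowServerNameMismatchInCert
    if accept_self_signed:
        ctx.check_hostname = False       # must be off before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE  # AcceptSelfSignedCert: no chain check
    return ctx


def validation_state(accept_self_signed=False, allow_name_mismatch=False):
    """(host name checked?, chain verified?) for a parameter combination."""
    ctx = build_tls_context(accept_self_signed, allow_name_mismatch)
    return ctx.check_hostname, ctx.verify_mode == ssl.CERT_REQUIRED


def send_notification(relay, port, transport_security, message,
                      credentials=None, accept_self_signed=False,
                      allow_name_mismatch=False):
    """Open a session to `relay` as the parameters dictate and send `message`
    (an email.message.EmailMessage). `credentials` is an optional
    (user, password) pair, the SMTPAccount/SMTPPassword equivalent, and is
    only ever sent after TLS is up (assumed hardening). Opens a network
    connection, so the offline tests do not call it."""
    ctx = build_tls_context(accept_self_signed, allow_name_mismatch)
    mode = (transport_security or "").lower()
    if mode == "ssl" or (mode in ("", "auto") and port == 465):
        client = smtplib.SMTP_SSL(relay, port, context=ctx)
        secured = True
    else:
        client = smtplib.SMTP(relay, port)
        client.ehlo()
        plan = resolve_transport(transport_security, port, client.esmtp_features)
        secured = plan == "starttls"
        if secured:
            client.starttls(context=ctx)
            client.ehlo()                # capabilities can change after upgrade
    with client:
        if credentials:
            if not secured:
                raise TransportError("refusing to send SMTP credentials in clear")
            client.login(*credentials)
        client.send_message(message)
```

The two relaxation flags are deliberately separate in `build_tls_context`: a name mismatch alone still requires a certificate chaining to a trusted root, whereas accepting self-signed certificates removes chain validation entirely, which is why the second flag also has to clear `check_hostname` (Python refuses `CERT_NONE` while host-name checking is on).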

Table 54: Additional parameters for email notifications
Configuration parameters Description

QER | Attestation | DefaultSenderAddress

Sender's default email address for sending automatically generated notifications about attestation cases. Replace the default address with a valid email address.

QER | ComplianceCheck | EmailNotification | DefaultSenderAddress

Sender's default email address for sending automatically generated notifications about rule checking. Replace the default address with a valid email address.

QER | ITShop | DefaultSenderAddress

Sender's default email address for sending automatically generated notifications about requests. Replace the default address with a valid email address.

QER | Policy | EmailNotification | DefaultSenderAddress

Sender's default email address for sending automatically generated notifications when company policies are checked. Replace the default address with a valid email address.

QER | RPS | DefaultSenderAddress

Sender's default email address for sending automatically generated notifications about report subscriptions. Replace the default address with a valid email address.

TargetSystem | ADS | DefaultAddress

Default email address of the recipient for notifications about actions in the Active Directory target system.

TargetSystem | ADS | Exchange2000 | DefaultAddress

Default email address of the recipient for notifications about actions in the Microsoft Exchange target system.

TargetSystem | ADS | MemberShipRestriction | MailNotification

Default email address for sending warning emails.

TargetSystem | AzureAD | DefaultAddress

Default email address of the recipient for notifications about actions in the Azure Active Directory target system.

TargetSystem | AzureAD | ExchangeOnline | DefaultAddress

Default email address of the recipient for notifications about actions in the Exchange Online target system.

TargetSystem | CSM | DefaultAddress

Default email address of the recipient for notifications about actions in the cloud target system.

TargetSystem | EBS | DefaultAddress

Default email address of the recipient for notifications about actions in the Oracle E-Business Suite target system.

TargetSystem | LDAP | DefaultAddress

Default email address of the recipient for notifications about actions in the LDAP target system.

TargetSystem | NDO | DefaultAddress

Default email address of the recipient for notifications about actions in the HCL Domino target system.

TargetSystem | SAPR3 | DefaultAddress

Default email address of the recipient for notifications about actions in the SAP R/3 target system.

TargetSystem | SharePoint | DefaultAddress

Default email address of the recipient for notifications about actions in the SharePoint target system.

TargetSystem | Unix | DefaultAddress

Default email address of the recipient for notifications about actions in the Unix-based target system.

TargetSystem | UNS | DefaultAddress

Default email address of the recipient for notifications about actions in the custom target system.

TargetSystem | PAG | DefaultAddress

Default email address of the recipient for notifications about actions in the Privileged Account Management system.
