The Data Governance service SCP (Service Connection Point) contains the following key elements, which are stored in its Active Directory attributes.
Table 1: DataGovernance.Server SCP

Attribute: CN
  Syntax: String
  Purpose: SCP name
  Value: DataGovernance.Server

Attribute: keywords
  Syntax: Multi-valued string
  Purpose: Stores the following information to facilitate locating the SCP:
    - Database: Resource Activity database name (for example, DGE_DEFAULT)
    - DeploymentName
    - serverDNSName
    - serviceClassName
    - siteName
    - version

Attribute: serviceBindingInformation
  Syntax: Multi-valued string
  Purpose: Contains the default net.tcp port and HTTP port
  Value: <XML>

Attribute: serviceClassName
  Syntax: String
  Purpose: Service class used for authentication
  Value: DataGovernance.Server

Attribute: serviceDNSName
  Syntax: String
  Purpose: FQDN of the computer running the Data Governance service
  Value: <Server FQDN>

Attribute: serviceDNSNameType
  Syntax: String
  Purpose: The DNS record type of the host listed in serviceDNSName
  Value: A
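The following PowerShell script is an added example, not code from the One Identity documentation. It locates the Data Governance SCP by its serviceClassName using System.DirectoryServices (no RSAT module needed), reads the attributes from Table 1, and checks that what the SCP advertises matches the server you expect. Because clients and agents find the server through this object, a serviceDNSName that has drifted from the known server FQDN is worth an alert. Assumptions made here: the default serviceClassName "DataGovernance.Server" is in use, the keywords values are "name=value" pairs (for example "serverDNSName=..."), and the hostname in the usage line is made up.

```powershell
# Added example (not part of the One Identity documentation): find the Data Governance SCP
# in Active Directory and verify its contents against the expected server.
# Assumptions: default serviceClassName, "name=value" keywords, made-up hostname in the usage line.
Add-Type -AssemblyName System.DirectoryServices

function Find-DgeServiceConnectionPoint {
    param([string]$ServiceClassName = 'DataGovernance.Server')

    # Search the whole domain below the default naming context for SCP objects of this class.
    $rootDse  = New-Object System.DirectoryServices.DirectoryEntry('LDAP://RootDSE')
    $domainDn = [string]$rootDse.Properties['defaultNamingContext'][0]
    $base     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$domainDn")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($base)
    $searcher.Filter      = "(&(objectClass=serviceConnectionPoint)(serviceClassName=$ServiceClassName))"
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
    foreach ($attr in 'cn','keywords','serviceBindingInformation','serviceDNSName',
                      'serviceDNSNameType','serviceClassName') {
        [void]$searcher.PropertiesToLoad.Add($attr)
    }

    foreach ($result in $searcher.FindAll()) {
        $p = $result.Properties
        # Turn the multi-valued keywords attribute into a hashtable (assumes "name=value" pairs).
        $keywords = @{}
        foreach ($kw in @($p['keywords'])) {
            $name, $value = ([string]$kw) -split '=', 2
            $keywords[$name] = $value
        }
        [pscustomobject]@{
            Path                      = $result.Path
            CN                        = [string]($p['cn'] | Select-Object -First 1)
            ServiceClassName          = [string]($p['serviceclassname'] | Select-Object -First 1)
            ServiceDNSName            = [string]($p['servicednsname'] | Select-Object -First 1)
            ServiceDNSNameType        = [string]($p['servicednsnametype'] | Select-Object -First 1)
            Keywords                  = $keywords
            ServiceBindingInformation = @($p['servicebindinginformation'] | ForEach-Object { [string]$_ })
        }
    }
}

function Test-DgeServiceConnectionPoint {
    param(
        [Parameter(Mandatory)] $Scp,
        [Parameter(Mandatory)] [string]$ExpectedServerFqdn
    )
    $problems = @()
    # Clients locate the server through the SCP, so an altered serviceDNSName would redirect them.
    if ($Scp.ServiceDNSName -ne $ExpectedServerFqdn) {
        $problems += "serviceDNSName is '$($Scp.ServiceDNSName)', expected '$ExpectedServerFqdn'"
    }
    if ($Scp.ServiceDNSNameType -ne 'A') {
        $problems += "serviceDNSNameType is '$($Scp.ServiceDNSNameType)', expected 'A'"
    }
    # The host named in the SCP must resolve to the record type the SCP declares.
    $dns = Resolve-DnsName -Name $Scp.ServiceDNSName -Type A -ErrorAction SilentlyContinue
    if (-not $dns) { $problems += "no A record found for $($Scp.ServiceDNSName)" }
    if ($Scp.ServiceBindingInformation.Count -eq 0) { $problems += 'serviceBindingInformation is empty' }
    if ($Scp.Keywords['serviceClassName'] -and $Scp.Keywords['serviceClassName'] -ne $Scp.ServiceClassName) {
        $problems += 'serviceClassName keyword does not match the serviceClassName attribute'
    }
    [pscustomobject]@{ CN = $Scp.CN; Path = $Scp.Path; Ok = ($problems.Count -eq 0); Problems = $problems }
}

# Usage (the hostname is made up for this example):
foreach ($scp in Find-DgeServiceConnectionPoint) {
    Test-DgeServiceConnectionPoint -Scp $scp -ExpectedServerFqdn 'dge01.corp.example'
}
```

Run it from any domain-joined machine; more than one result means more than one deployment publishes an SCP with that class name, and each should be accounted for.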
Note: For agent deployments, the following file and printer sharing ports must also be open on the target Windows server, because the installation files are copied through its administrative share:
- TCP 135
- UDP 137
- UDP 138
- TCP 139
- TCP 445

Table 2: Ports required for communication

Port: 8721
  Direction: Incoming
  Description: TCP (HTTP) port opened on the Data Governance server computer. This is the base port for the Data Governance REST API, used for communication with the Data Governance server REST services, including the One Identity Manager clients and Windows PowerShell.

Port: 8722
  Direction: Incoming
  Description: TCP (net.tcp) port opened on the Data Governance server computer. Used for communication with Data Governance agents, One Identity Manager clients, the One Identity Manager web server, and PowerShell.
  NOTE: The net.tcp port is configurable in the Data Governance Configuration wizard. The HTTP port (8721) listed above must always be 1 less than the net.tcp port. These first two ports align with the base addresses in the DataGovernanceEdition.Service.exe.config file under the IndexServerHost service. It is highly recommended that you change this port only through the Data Governance Configuration wizard, so that the configuration file, the One Identity Manager database and the service connection points are updated consistently; otherwise, you may lose the connection with the Manager, the Data Governance service and/or the Data Governance agents.
  IMPORTANT: Do NOT use the Designer to change the QAMServer configuration parameters, including the Port parameter.

Port: 8723
  Direction: Incoming
  Description: HTTP port used for communication with the One Identity Manager web server (/landing and /home pages).

Port range: 18530 - 18630
  Direction: Incoming
  Description: TCP port range opened on all agent computers. Used for communication with the Data Governance server. The first agent on an agent host uses port 18530, and each subsequent agent on the same host takes the next available port (18531, 18532, and so on). In addition, this range is used to open a TCP listener for NetApp Cluster Mode hosts if resource activity collection is enabled.
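The script below is an added example, not part of the One Identity documentation. It creates the inbound Windows Firewall rules for the ports in Table 2 on either the server or an agent host, derives the HTTP port from the net.tcp port so the "one less" rule cannot be violated, and then probes the ports from the current machine with Test-NetConnection. The rule display names, the Domain-profile scoping and the addresses in the usage lines are choices made for this example; the net.tcp port must be the one chosen in the Data Governance Configuration wizard. Restricting -RemoteAddress is the practitioner's choice that matters here: only the Data Governance server needs to reach the agent listener range, and only agents, clients, the web server and PowerShell hosts need to reach the server ports.

```powershell
# Added example (not part of the One Identity documentation): firewall rules and a reachability
# check for the Table 2 ports. Rule names, profile scoping and usage-line addresses are made up.

function Add-DgeFirewallRules {
    param(
        [Parameter(Mandatory)][ValidateSet('Server','Agent')] [string]$Role,
        [int]$NetTcpPort = 8722,            # net.tcp port as set in the Configuration wizard
        [int]$WebPort    = 8723,            # HTTP port for the One Identity Manager web server pages
        [string[]]$RemoteAddress = 'Any'    # restrict to the peers that actually need access
    )
    $httpPort = $NetTcpPort - 1             # the REST API port is always one less than net.tcp
    $common = @{ Direction = 'Inbound'; Action = 'Allow'; Profile = 'Domain'; RemoteAddress = $RemoteAddress }

    switch ($Role) {
        'Server' {
            New-NetFirewallRule @common -DisplayName 'DGE server REST API (HTTP)' -Protocol TCP -LocalPort $httpPort   | Out-Null
            New-NetFirewallRule @common -DisplayName 'DGE server net.tcp'         -Protocol TCP -LocalPort $NetTcpPort | Out-Null
            New-NetFirewallRule @common -DisplayName 'DGE server web (HTTP)'      -Protocol TCP -LocalPort $WebPort    | Out-Null
        }
        'Agent' {
            # First agent on the host listens on 18530; each further agent takes the next free port.
            New-NetFirewallRule @common -DisplayName 'DGE agent listener range' -Protocol TCP -LocalPort '18530-18630' | Out-Null
            # File and printer sharing ports used when the server deploys the agent through Admin$.
            New-NetFirewallRule @common -DisplayName 'DGE agent deploy (TCP)'   -Protocol TCP -LocalPort 135,139,445   | Out-Null
            New-NetFirewallRule @common -DisplayName 'DGE agent deploy (UDP)'   -Protocol UDP -LocalPort 137,138       | Out-Null
        }
    }
}

function Test-DgePorts {
    param(
        [Parameter(Mandatory)][string]$ServerFqdn,
        [int]$NetTcpPort = 8722,
        [int]$WebPort    = 8723,
        [string[]]$AgentHost = @()
    )
    $checks = @(
        @{ Host = $ServerFqdn; Port = $NetTcpPort - 1; Purpose = 'REST API (HTTP)' },
        @{ Host = $ServerFqdn; Port = $NetTcpPort;     Purpose = 'net.tcp (agents, clients, PowerShell)' },
        @{ Host = $ServerFqdn; Port = $WebPort;        Purpose = 'web server pages (HTTP)' }
    )
    foreach ($h in $AgentHost) {
        $checks += @{ Host = $h; Port = 18530; Purpose = 'first agent listener' }
        $checks += @{ Host = $h; Port = 445;   Purpose = 'SMB (Admin$) for agent deployment' }
    }
    foreach ($c in $checks) {
        # -InformationLevel Quiet makes Test-NetConnection return a plain boolean.
        $open = Test-NetConnection -ComputerName $c.Host -Port $c.Port -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ Host = $c.Host; Port = $c.Port; Purpose = $c.Purpose; Open = [bool]$open }
    }
}

# Usage (addresses and hostnames are made up for this example):
# On the server, allow only the agent and client subnets:
#   Add-DgeFirewallRules -Role Server -NetTcpPort 8722 -RemoteAddress '10.10.0.0/16','10.20.0.0/24'
# On an agent host, allow only the Data Governance server:
#   Add-DgeFirewallRules -Role Agent -RemoteAddress '10.20.0.15'
# From a client or agent machine:
#   Test-DgePorts -ServerFqdn 'dge01.corp.example' -AgentHost 'fs01.corp.example','fs02.corp.example'
```

A closed 8721 with an open 8722 usually means the net.tcp port was changed outside the Configuration wizard; fix the configuration rather than opening a port that no longer matches the service's base addresses.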
Server and database communication
Information about all Data Governance Edition infrastructural elements such as service accounts, managed hosts and the security index information collected by the Data Governance agents is stored in the One Identity Manager database. Processing of security index updates, access and activity queries or any infrastructural changes to the system involve communication between the Data Governance server and the database.
How is the database connection information stored securely?
The connection information used when communicating with the One Identity Manager database is stored in the Windows Registry on the Data Governance server. It is written to the registry key "HKLM\SOFTWARE\One Identity\Broadway\Server" and encrypted with the Microsoft Data Protection API (DPAPI).
The value is protected in user scope, so only the user account that encrypted it can decrypt it. If the account running the Data Governance server is changed, the database connection string must be reset and re-encrypted under the new account.
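The following PowerShell function is an added example, not part of the One Identity documentation. It enumerates the registry key named above and tries to unprotect each binary value with DPAPI in the current-user scope, which is the check to run after a service account change: under the "Log On As" account of the Data Governance service every value should come back readable; under any other account DPAPI throws, which is the behaviour described above. The names and layout of the values under the key are not documented here, so every REG_BINARY value is tried; that is an assumption about how the data is stored. Note that user-scope DPAPI protects the string from other accounts, not from anything already running as the service account, so that account is the boundary to protect.

```powershell
# Added example (not part of the One Identity documentation): check whether the current account
# can decrypt the DPAPI-protected connection information under the Data Governance server key.
# Assumption: the secret is held in one or more REG_BINARY values; value names are not documented.
Add-Type -AssemblyName System.Security

function Test-DgeDatabaseConnectionSecret {
    param([string]$KeyPath = 'HKLM:\SOFTWARE\One Identity\Broadway\Server')

    $key = Get-Item -Path $KeyPath -ErrorAction Stop
    $who = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

    foreach ($name in $key.GetValueNames()) {
        if ($key.GetValueKind($name) -ne [Microsoft.Win32.RegistryValueKind]::Binary) { continue }
        $blob = [byte[]]$key.GetValue($name)
        try {
            # CurrentUser scope: only the account whose DPAPI master key protected the blob can unprotect it.
            $plain = [System.Security.Cryptography.ProtectedData]::Unprotect(
                $blob, $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
            $readable = $true
            # Never print the plaintext: report only its size, then wipe the buffer.
            $length = $plain.Length
            [Array]::Clear($plain, 0, $plain.Length)
        } catch [System.Security.Cryptography.CryptographicException] {
            $readable = $false
            $length   = 0
        }
        [pscustomobject]@{ Account = $who; Value = $name; Readable = $readable; PlaintextBytes = $length }
    }
}

# Usage: run under the service's "Log On As" account (for example from a scheduled task or
# a shell started as that account). Readable = False for every value after a service account
# change means the connection string must be reset and re-encrypted through the product tooling.
Test-DgeDatabaseConnectionSecret
```

Running the check as a local administrator rather than as the service account is a common mistake; the result is Readable = False for every value, which says nothing about whether the service itself can connect.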
Agent and server communication
Data Governance agents are semi-autonomous services running in a distributed environment. They are designed to remain fault tolerant in a fluctuating global network. In a typical organization, computers are rebooted, network outages occur, and systems are disrupted in any number of ways. Data Governance agents are set to automatically start when a server is restarted. Data Governance agents require an initial configuration from the server; however, they will continue to scan and collect activity per configuration even when unable to communicate with the Data Governance server. All the collected activity and security updates are synchronized with the Data Governance server when connectivity is restored.
How is this communication encrypted?
The communication uses WCF (Windows Communication Foundation) channels over the net.tcp protocol with channel encryption enabled. .NET 4.5 is required on all agent host computers, except for SharePoint 2010 agents, which require .NET 3.5.1.
Client and server communication
Data Governance client elements are embedded into the Manager client application. The user interface elements communicate with the Data Governance server and directly with the One Identity Manager database as needed.
Communication with the database is performed in the same way as any other One Identity Manager database communication, using the authentication information provided when the user launches the client tools.
When communicating with the Data Governance server, the client uses an encrypted WCF channel and the net.tcp protocol.
.NET 4.5.2 is required on the Data Governance server and client computers.
How is this communication authenticated?
When communicating directly with the One Identity Manager database, the client is authenticated using standard One Identity Manager authorization checks. For more information on this type of authentication, see Granting Access Permissions to One Identity Manager Schema in the One Identity Manager Configuration Guide.
When user interface elements communicate with the Data Governance server, authentication is performed with the One Identity Manager role-based checks against the logged-on Windows identity, not against whatever identity the user chose when logging in to the client. If those two identities differ, the client and the server can evaluate different permissions. If possible, have client users authenticate to One Identity Manager with the "Active Directory user account (role based)" mechanism, so that no ambiguity exists: it maps the logged-on Active Directory account to a One Identity Manager employee and uses that employee's application roles to determine what permissions they have.
NOTE: Regardless of the identity used to log in to the client application, it is the Employee associated with the logged in Windows account that is used for permissions checks when communicating with the Data Governance server.
Communication segments
This table describes each segment of communication that occurs in the Data Governance Edition system along with technical details for each type of communication.
Table 3: Data Governance Edition communication segments
(Columns: segment; actions involved; frequency; protocol; port)

Segment: Data Governance service to One Identity Manager database
  Actions involved:
    - Any queries or data manipulation that may be required.
    - Inserting new data and selecting data to display in the Manager client.
  Frequency: Dynamic
  Protocol: TCP
  Port: SQL Server port
  NOTE: A request may go through the One Identity Manager Application Server, if one is configured, instead of directly to the database.

Segment: Data Governance service to Resource Activity database
  Actions involved:
    - Any queries or data manipulation that may be required.
    - Inserting new data and generating reports on existing data.
  Frequency: Dynamic
  Protocol: TCP
  Port: SQL Server port
  NOTE: A request may go through the One Identity Manager Application Server, if one is configured, instead of directly to the database.

Segment: One Identity Manager service (job server) to Data Governance service
  Actions involved:
    - Web service requests for self-service access.
  Frequency: Dynamic
  Protocol: TCP
  Port: Specified by the customer during installation; default 8722.

Segment: Data Governance service to Windows server on which to install an agent
  Actions involved:
    - Deploy agent.
    - Uses the associated domain service account to copy the installation files to the destination Windows server through that server's administrative share (Admin$).
  Frequency: Dynamic
  Protocol: SMB
  Port: 445

Segment: Data Governance service to agent service
  Actions involved:
    - Notify the agent of an awaiting command.
    - The only thing the Data Governance service sends to an agent service unsolicited is command messages. The agent then processes the command message and may initiate a request back to the server to get additional data associated with the command.
  Frequency: Dynamic
  Protocol: TCP (Windows authentication of the "Log On As" account of the Data Governance service's Windows service)
  Port: Next unused port from the configured "BaseActivePort"; default 18530.

Segment: Agent to Data Governance service
  Actions involved:
    - Connection, keep-alive/status, queries/reports.
    - An agent initiates the connection on startup. It periodically sends keep-alive and status messages as well as synchronization data.
  Frequency: Dynamic
  Protocol: TCP (Windows authentication of the "Log On As" account of the agent's Windows service)
  Port: Specified by the customer during installation; default 8722.
Segment: Data Governance service to NetApp 7-Mode device with CIFS or NFS file system protocols enabled
  Actions involved:
    - Configure FPolicy on the NetApp 7-Mode filer.
    - Upon deployment of a managed host in 7-Mode, the Data Governance service connects to the NetApp filer and creates/configures an FPolicy if real-time security updates or resource activity collection is enabled. This does not apply to NetApp Cluster Mode.
  Frequency: Dynamic
  Protocol: RPC (Windows authentication of the "Log On As" account of the Data Governance service's Windows service)
  Port: Named pipe on the NetApp filer: <Host Name>\pipe\NETAPPSVC

Segment: Data Governance service to NetApp 7-Mode or Cluster Mode device with NFS file system protocol enabled
  Actions involved:
    - Browse resources.
    - When configuring the managed paths for a managed host, or when using the Resource browser to browse the file system.
  Frequency: Dynamic
  Protocol: HTTPS (username and password specified in the managed host configuration)
  Port: 443

Segment: Agent to NetApp 7-Mode device with CIFS or NFS file system protocols enabled
  Actions involved:
    - Configure FPolicy on the NetApp 7-Mode filer.
    - Upon startup, establish a connection to the NetApp device if real-time security updates or resource activity collection is enabled.
  Frequency: Dynamic
  Protocol: RPC (Windows authentication of the "Log On As" account of the agent's Windows service)
  Port: Named pipes on the NetApp filer: <Host Name>\pipe\NETAPPSVC and <Host Name>\pipe\ntapfpcp

Segment: NetApp 7-Mode to agent
  Actions involved:
    - NetApp sends file screen requests when real-time security updates or resource activity collection is enabled.
    - The agent listens on a named pipe for incoming screen request messages from the NetApp filer for any monitored file system events.
  Frequency: Dynamic
  Protocol: RPC
  Port: Named pipe on the agent host: \pipe\ntapfprg_<Agent Instance ID>

Segment: Agent to NetApp Cluster Mode with CIFS or NFS file system protocols enabled
  Actions involved:
    - Configure FPolicy on the NetApp Cluster Mode filer.
    - The NetApp data LIF on which the file share is exposed must be the destination when resolving the host name, and the "Management Access" setting must be enabled on that LIF.
  Frequency: Dynamic
  Protocol: HTTPS
  Port: 443

Segment: NetApp Cluster Mode to agent
  Actions involved:
    - NetApp sends file screen requests when real-time security updates or resource activity collection is enabled.
    - The agent listens on a TCP port for incoming screen request messages from the NetApp filer for any monitored file system events.
  Frequency: Dynamic
  Protocol: TCP
  Port: Next unused port from the configured "BaseActivePort"; default 18530.

Segment: Agent to NetApp device with CIFS file system protocol enabled
  Actions involved:
    - File system scanning.
    - The agent collects security information on all files and folders in the specified managed paths.
  Frequency: Dynamic
  Protocol: CIFS/SMB (Windows authentication of the "Log On As" account of the agent's Windows service)
  Port: 445
Segment: Data Governance service to EMC Celerra device
  Actions involved:
    - View/update cepp.conf.
    - When real-time security updates or resource activity collection is enabled, the cepp.conf file on the EMC device must be configured.
  Frequency: Dynamic
  Protocol: SSH
  Port: 22

Segment: Data Governance service to EMC Isilon device with NFS file system protocol enabled
  Actions involved:
    - Browse resources.
    - When configuring the managed paths for a managed host, or when using the Resource browser to browse the file system.
  Frequency: Dynamic
  Protocol: HTTPS (username and password specified in the managed host configuration)
  Port: Specified by the customer when configuring the managed host; default 443.

Segment: Agent service to EMC device with CIFS file system protocol enabled
  Actions involved:
    - File system scanning.
    - The agent collects security information on all files and folders in the specified managed paths.
  Frequency: Dynamic
  Protocol: CIFS/SMB (Windows authentication of the "Log On As" account of the agent's Windows service)
  Port: 445

Segment: Agent service to EMC Isilon device with NFS file system protocol enabled
  Actions involved:
    - File system scanning.
    - The agent collects security information on all files and folders in the specified managed paths.
  Frequency: Dynamic
  Protocol: HTTPS (username and password specified in the managed host configuration)
  Port: Specified by the customer when configuring the managed host; default 443.

Segment: Agent to SharePoint SQL Server database
  Actions involved:
    - Resource scanning.
    - Connects directly to the SharePoint SQL Server database on the local machine to perform resource scanning.
  Frequency: Dynamic
  Protocol: TCP
  Port: Default SQL Server port, typically 1433.
Segment: Data Governance service to Cloud API
  Actions involved:
    - Browse resources.
    - When configuring the managed paths for a managed host, or when using the Resource browser to browse for resources.
  Frequency: Dynamic
  Protocol: REST over HTTP with OAuth authentication
  Port: Dynamic

Segment: Agent to Cloud API
  Actions involved:
    - Resource scanning.
    - Upon startup, the agent collects all team groups and their members. Thereafter, this scan is performed once a day by default. The agent synchronizes to the server only if there is a change.
    - The agent collects security information on all files and folders in the specified managed paths.
  NOTE: Managed paths are selected within the scope of the administrator on OneDrive for Business managed hosts.
  Frequency: Dynamic
  Protocol: REST over HTTP with OAuth authentication
  Port: Dynamic

Segment: Web client to Data Governance service
  Actions involved:
    - Web service requests for self-service access.
  Frequency: Dynamic
  Protocol: TCP
  Port: Specified by the customer during installation; default 8722.

Segment: Windows PowerShell to Data Governance service
  Actions involved:
    - Data Governance API.
    - Use the Data Governance API via web service requests to automate tasks or add custom behavior.
  Frequency: Dynamic
  Protocol: TCP
  Port: Specified by the customer during installation; default 8722.