
Identity Manager Data Governance Edition 8.0 - Deployment Guide


Compatibility with Change Auditor for NetApp

If you are using Quest Change Auditor for NetApp to monitor a filer that is also being scanned by Data Governance Edition, you have two options available.

Option 1: Collect activity directly from the Change Auditor database

When Change Auditor is installed, you can configure Data Governance Edition to collect resource activity directly from Change Auditor. When enabled, Change Auditor collects the selected activity events every 15 minutes on all managed hosts. The events received from Change Auditor are harvested by the Data Governance server, aggregated and placed directly into the Data Governance Resource Activity database.

When using Change Auditor to collect resource activity, NetApp managed hosts will not place an FPolicy for Data Governance Edition on the NetApp filer.

In addition, when using Change Auditor to collect resource activity, it is recommended to clear the Collect activity for real-time security updates option for NetApp managed hosts. The agents managing these host types should be configured to scan on a schedule and not run once. The performance gain in using Change Auditor's event collection will be lost if the Data Governance agent is also collecting activity from these storage devices for security updates.

For more information on configuring Data Governance Edition to collect resource activity directly from Change Auditor, see Configuring Change Auditor to collect resource activity.

Option 2: Collect activity using Data Governance Edition

You can use Data Governance Edition to collect resource activity; however, for NetApp 7-Mode managed hosts, you must disable real-time security monitoring. You can disable security monitoring from the Resource Activity tab of the Managed Host Settings dialog.

To disable security monitoring

Note: This approach has the effect of setting the NetApp FPolicy option cifs_setattr to off.

You can verify this by running the following command on the NetApp filer:

    fpolicy options <Agent instance>

Where <Agent instance> is in the following format: DGE_<DeploymentName>_<FQDN of managed host>

You will still see setattr as a monitored operation in FPolicy.

  1. In the Navigation view, select Data Governance | Managed hosts.
  2. In the Managed hosts view, select the required managed host.
  3. Select Edit host settings in the Tasks view or right-click menu.
  4. Open the Resource Activity page of the Managed Host Settings dialog and clear the Security change event check box.
  5. After making the required change, click OK to save your selections and close the dialog.

Note: This will need to be done for every NetApp agent. If it is necessary to disable “Security change” due to compatibility settings with Change Auditor for NetApp, ensure the Resource Activity setting is modified prior to the start of the agent scan.

Appendix: EMC managed host deployment

EMC storage devices are added to the Data Governance Edition deployment as managed hosts with remote agents. Due to the EMC architecture, you must complete the following procedures when you add an EMC storage device as a managed host.

Configuring CEE framework

Data Governance Edition 7.0.2 (and higher) requires the EMC Common Event Enabler (CEE) 7.1 (or higher) framework to collect resource activity from an EMC storage device. The Data Governance agent will register with EMC CEE as a VCAPS endpoint. EMC CEE must be installed on the same server as the Data Governance agent. If you are collecting resource activity from the EMC storage device, you can only specify one agent to manage the EMC host.

To configure CEE framework

  • Install the EMC CEE framework on one or more Windows servers.

Note: EMC CEE must be installed on the same server as the Data Governance agent.

Next steps:

Creating the cepp.conf file (Celerra or VNX devices)

You must create a configuration file (cepp.conf file) before using the CEPA auditing feature to monitor file system activity on EMC Celerra or VNX storage devices. The cepp.conf file contains the information needed to connect Data Movers to the Windows computers where the CEE software is installed. It also defines the type of file system events that Data Governance Edition can collect from the EMC device.

To create and configure the cepp.conf file

  1. Using an SSH client (such as PuTTY), connect to the Control Station using its IP address and port (the default is 22).
  2. Log in using administrative credentials. The default user name and password on a Celerra system are nasadmin/nasadmin.
  3. Copy or create the cepp.conf file.

    • To copy the current configuration file from the Data Mover, run the following command: server_file movername -get cepp.conf cepp.conf

      Where: movername is the name of your Data Mover. The default name is server_2.

    • To create the configuration file, open the VI text editor (or other preferred text editor) by running the following command: vi cepp.conf
  4. Using the text editor, edit the cepp.conf file and ensure the following configuration parameters are in the file:

    pool name=poolname servers=server1|server2 postevents=event1|event2|...

    Where: poolname is the name assigned to the set of Windows servers where the Event Enabler software from EMC is installed.

    Where: server1|server2 are the fully qualified domain names of the Windows computers hosting the Event Enabler (CEE) software from EMC. If you have more than one server, separate them with a vertical bar (|).

    Where: event1|event2|... are the EMC events to be collected during security scans and activity collection. When specifying multiple events, separate them with a vertical bar (|).

    Note: Do not register for pre-events or post-err-events in the cepp.conf. These events are ignored by the Data Governance agent and add undue load on the EMC device.

    The following table shows events (postevents=) that can be registered in the cepp.conf and their mapping to Data Governance events that can be collected during security scanning and activity tracking.

    EMC cepp.conf event       Data Governance Edition event
    CreateFile|CreateDir      Create
    DeleteFile|DeleteDir      Delete
    RenameDir                 Rename
    SetAclFile|SetAclDir      SecurityChange
    CloseModified             Write
    CloseUnmodified           Read

    Note: If you configure your EMC managed host to collect real-time security changes and apply them to scanned data, you must include the following events:

    ...postevents=CreateFile|CreateDir|DeleteFile|DeleteDir|RenameDir|SetAclFile|SetAclDir

    For performance reasons, you may want to filter out the events that are not required, such as CloseUnmodified, which maps to the "Read" event.

  5. Save the file. (Press Escape then type :wq)

  6. Run the following commands in the SSH client to publish the file to the Data Mover and restart the CEPA facility:

    server_cepp movername -service -stop

    server_file movername -put cepp.conf cepp.conf

    server_cepp movername -service -start

    Where: movername is the name of your Data Mover. The default name is server_2.

  7. Verify the CEPA status by running the following command:

    server_cepp movername -service -status

  8. Verify the pool configuration by running the following command:

    server_cepp movername -pool -info
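The following script, added here as an example and not part of the guide or the EMC/One Identity tooling, checks a cepp.conf pool line against the rules above before it is published with server_file -put: it flags preevents/posterrevents, reports post-events missing for real-time security changes, points out CloseUnmodified (Read) for filtering, and maps the registered post-events to Data Governance Edition events. The sample configuration and server names are constructed; other cepp.conf parameters (for example surveytime) are ignored, which is an assumption about what matters for the agent.

```python
import re

# Mapping of EMC cepp.conf post-events to Data Governance Edition events (the guide's table).
EVENT_MAP = {
    "CreateFile": "Create", "CreateDir": "Create",
    "DeleteFile": "Delete", "DeleteDir": "Delete",
    "RenameDir": "Rename",
    "SetAclFile": "SecurityChange", "SetAclDir": "SecurityChange",
    "CloseModified": "Write", "CloseUnmodified": "Read",
}
# Post-events the guide requires when real-time security changes are applied to scanned data.
SECURITY_REQUIRED = {"CreateFile", "CreateDir", "DeleteFile", "DeleteDir",
                     "RenameDir", "SetAclFile", "SetAclDir"}

def parse_pool(line):
    """Return the key=value parameters of a 'pool ...' line as a dict; values are split on '|'."""
    return {k: v.split("|") for k, v in re.findall(r"(\w+)=(\S+)", line)}

def check_cepp_conf(text, security_changes=True):
    """Validate cepp.conf text against the guide's rules; returns (mapped DGE events, findings)."""
    findings, dge_events = [], set()
    pools = [parse_pool(l) for l in text.splitlines() if l.strip().startswith("pool ")]
    if not pools:
        return dge_events, ["no 'pool' line found"]
    for pool in pools:
        name = pool.get("name", ["?"])[0]
        if not pool.get("servers"):
            findings.append(f"{name}: no CEE servers listed")
        for key in ("preevents", "posterrevents"):  # ignored by the agent, extra load on the device
            if key in pool:
                findings.append(f"{name}: {key}= is ignored by the agent and adds load; remove it")
        posts = set(pool.get("postevents", []))
        for ev in sorted(posts - set(EVENT_MAP)):
            findings.append(f"{name}: unknown postevent {ev}")
        missing = SECURITY_REQUIRED - posts
        if security_changes and missing:
            findings.append(f"{name}: security-change mode needs {'|'.join(sorted(missing))}")
        if "CloseUnmodified" in posts:
            findings.append(f"{name}: CloseUnmodified registers Read events; filter it if not needed")
        dge_events |= {EVENT_MAP[ev] for ev in posts & set(EVENT_MAP)}
    return dge_events, findings

# Constructed sample cepp.conf (not from the guide): a pre-event is registered and SetAcl events are missing.
SAMPLE = ("pool name=dge_pool servers=cee1.example.local|cee2.example.local "
          "preevents=CreateFile postevents=CreateFile|CreateDir|DeleteFile|DeleteDir|RenameDir|CloseUnmodified\n")

if __name__ == "__main__":
    events, notes = check_cepp_conf(SAMPLE)
    print("DGE events collected:", sorted(events))
    for n in notes:
        print("finding:", n)
```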
