Identity Manager Data Governance Edition 8.1.1 - Deployment Guide

Before you upgrade

Note the following information that should be taken into consideration before you begin the upgrade process.

One Identity Manager system requirements

Some of the system requirements for One Identity Manager have changed in version 8.1. Prior to upgrading Data Governance Edition, ensure that the minimum requirements for all of the One Identity Manager components are met. See the One Identity Manager Installation Guide for full details on One Identity Manager's system requirements.

Upgrading an existing One Identity Manager installation

Review the One Identity Manager Release Notes for important information regarding upgrading an existing One Identity Manager installation to version 8.x. There are some additional steps that are required. For example:

  • You need at least one dialog user with administrative permissions that has a password assigned; otherwise, the schema update cannot be completed successfully.
  • You must upload and update some DLLs in your 7.x.x installation prior to upgrading to 8.x, otherwise auto-update will not work properly.
  • To successfully compile HTML applications with the Configuration wizard, you must download packages from the NPM repository. Ensure that the workstation running the Configuration wizard can establish a connection to the web site registry.npmjs.org.

    Alternatively, you can download the packages from a proxy server and make them available manually. For more information, see the knowledge base article: https://support.oneidentity.com/kb/266000.

One Identity Manager Database system requirements (SQL Server)

As of version 8.1, the One Identity Manager database must be running a minimum of Microsoft SQL Server 2016 Standard Edition, Service Pack 2 with the latest cumulative update. Earlier versions of SQL Server are no longer supported.

TIP: Best practice: Create a copy of the One Identity Manager database before you upgrade.

Prior to running the Configuration Wizard (ConfigWizard.exe) to upgrade and configure the One Identity Manager database, set the database compatibility level to 130:

ALTER DATABASE <Database name>
SET COMPATIBILITY_LEVEL=130
GO
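
The database prerequisites above can be checked in one read-only pass before the Configuration Wizard is started. The script below is an added example, not part of the vendor guide; it also covers the SQL Server Agent and open-session conditions that the upgrade steps mention, and takes a copy-only backup as one way to make the recommended copy. The database name OneIM and the backup path are assumptions.

```sql
-- Added example: pre-upgrade checks for the One Identity Manager database.
-- Assumed values (not from the guide): database name OneIM, backup folder D:\Backup.
DECLARE @db     sysname       = N'OneIM';
DECLARE @backup nvarchar(260) = N'D:\Backup\OneIM_preupgrade.bak';

-- 1. Engine version: 8.1 needs SQL Server 2016 SP2 or later (major version 13+).
DECLARE @major int =
    CAST(PARSENAME(CAST(SERVERPROPERTY('ProductVersion') AS nvarchar(128)), 4) AS int);
DECLARE @level nvarchar(128) = CAST(SERVERPROPERTY('ProductLevel') AS nvarchar(128));

SELECT
    SERVERPROPERTY('ProductVersion')     AS product_version,
    @level                               AS product_level,
    SERVERPROPERTY('ProductUpdateLevel') AS cumulative_update,
    SERVERPROPERTY('Edition')            AS edition,
    CASE WHEN @major > 13 OR (@major = 13 AND @level IN (N'SP2', N'SP3'))
         THEN 'OK' ELSE 'BELOW MINIMUM' END AS version_check;

-- 2. Compatibility level must be 130 before ConfigWizard.exe runs.
SELECT name,
       compatibility_level,
       CASE WHEN compatibility_level = 130 THEN 'OK'
            ELSE 'SET COMPATIBILITY_LEVEL TO 130 FIRST' END AS compat_check
FROM sys.databases
WHERE name = @db;

-- 3. SQL Server Agent must be running (query needs VIEW SERVER STATE).
SELECT servicename, status_desc, startup_type_desc
FROM sys.dm_server_services
WHERE servicename LIKE N'SQL Server Agent%';

-- 4. Sessions still connected to the database, excluding this one.
--    The wizard asks for these to be disconnected before the update.
SELECT session_id, login_name, host_name, program_name, login_time
FROM sys.dm_exec_sessions
WHERE database_id = DB_ID(@db)
  AND is_user_process = 1
  AND session_id <> @@SPID;

-- 5. Copy-only backup (leaves the regular backup chain untouched), then verify it.
BACKUP DATABASE @db TO DISK = @backup WITH COPY_ONLY, CHECKSUM, INIT;
RESTORE VERIFYONLY FROM DISK = @backup WITH CHECKSUM;
```

Run it as a single batch, because the variables do not survive a GO separator.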

One Identity Manager permissions

During the installation or upgrade of the One Identity Manager database, you can specify whether you want to use a more fine-grained set of SQL permissions to access the SQL server. With this more granular permission set, the Configuration wizard creates SQL Server logins and database roles with the necessary permissions for administrative users, configuration users, and end users. For more detailed information about permissions, see the One Identity Manager Installation Guide.

If you choose to use this more granular permission set, adjust the configuration parameter after updating One Identity Manager. This affects, for example, the connection data for the database (DialogDatabase), the One Identity Manager Service, the Application Server, the administration and configuration tools, the web applications, the web services, and the connection data in synchronization projects.
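
Whichever option is chosen, the resulting logins and role memberships can be reviewed from the SQL Server catalog after the upgrade. The query below is an added example, not part of the vendor guide; the database name OneIM is an assumption, and the query only lists what exists without assuming the names of the roles the wizard creates.

```sql
-- Added example: list every login mapped into the database, the database roles
-- it holds, and whether that login is also a server-level sysadmin.
USE [OneIM];  -- assumed database name

SELECT
    dp.name                                AS database_user,
    sp.name                                AS server_login,
    sp.type_desc                           AS login_type,
    ISNULL(r.name, N'(no role)')           AS database_role,
    IS_SRVROLEMEMBER('sysadmin', sp.name)  AS is_sysadmin
FROM sys.database_principals AS dp
JOIN sys.server_principals   AS sp
      ON sp.sid = dp.sid                   -- map database user to server login
LEFT JOIN sys.database_role_members AS rm
      ON rm.member_principal_id = dp.principal_id
LEFT JOIN sys.database_principals   AS r
      ON r.principal_id = rm.role_principal_id
WHERE dp.type IN ('S', 'U', 'G')           -- SQL users, Windows users, Windows groups
  AND dp.principal_id NOT IN (2, 3, 4)     -- skip guest, INFORMATION_SCHEMA, sys
ORDER BY is_sysadmin DESC, dp.name, r.name;
```

Rows with is_sysadmin = 1 or a db_owner role are the ones to compare against the connection data listed above, since those connections carry full rights regardless of the permission set selected.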

Agent system requirements

As of Data Governance Edition version 7.0.2, there are new system requirements for Data Governance agents. Ensure your agents meet the system requirements:

  • .NET Framework 4.5 (or later) is required.
  • Agents running the Windows Server 2003 R2 operating system are no longer supported.

EMC system requirements

EMC Common Event Enabler (CEE) 7.1 is the minimum version now supported for scanning and resource activity collection.

  • If you are using EMC Celerra/VNX devices with multiple CIFS exposed virtual data movers, do not upgrade to Data Governance Edition version 7.0.2 (or later).
  • If you are using EMC Isilon devices or EMC Celerra/VNX devices with only physical CIFS exposed data movers, each Data Governance agent managing an EMC device must run on a different host server and point to its own local CEE 7.1. Each managed EMC storage device needs to specify the single CEE server where the Data Governance agent is running.

The Quest Shared EMC Connector server is no longer used as of Data Governance Edition version 7.0.2.

  • If Change Auditor is configured to collect activity from your EMC storage device using the Quest Shared EMC Connector, and you would like activity collection or aggregation in Data Governance Edition, you MUST configure Data Governance Edition to collect activity directly from Change Auditor. You will not be able to collect activity directly from your EMC device with both Change Auditor and Data Governance Edition.
  • If you have EMC managed hosts currently using the Quest Shared EMC Connector server, follow this procedure to ensure this connector service is removed from your Data Governance Edition deployment:

    1. Uninstall EMC CEE framework.
    2. Uninstall Quest Shared EMC Connector service (QCeeService).
    3. Install EMC CEE 7.1 framework on the same server as the Data Governance agent.
    4. Modify the following registry key to ensure "Dell" or "QuestSoftware" is no longer referenced:

      HKEY_LOCAL_MACHINE\SOFTWARE\EMC\CEE\CEPP\Audit\Configuration

      • Enabled: Set to 0
      • Endpoint: Remove "Dell" or "QuestSoftware"

Custom agent registry settings

Legacy Data Governance agent registry settings are no longer available as of Data Governance Edition version 7.0.2. You can use the agent's configuration file to modify agent configurations that are not available in the Manager client. Previously set agent registry settings need to be reviewed and will need to be re-set using the corresponding configuration file setting or Manager setting. For more information on the configuration file settings available, see the One Identity Manager Data Governance Edition Technical Insight Guide.

Custom Data Governance server configuration settings

TIP: Best practice: Create a copy of the Data Governance server configuration file before you upgrade Data Governance Edition.

The upgrade process preserves any configuration changes previously made to the DataGovernanceEdition.Service.exe.config file (which can be found in the server directory: %ProgramFiles%\One Identity\One Identity Manager Data Governance Edition\Server). For more information about the configuration file settings available, see the One Identity Manager Data Governance Edition Technical Insight Guide.

NOTE: Upgrades from pre-7.1.2 versions: Changes made to the configuration file will be lost when you upgrade. Refer to the copy you made of the configuration file to make the necessary configuration changes after the upgrade is complete.

Previously governed or published files

Beginning with Data Governance Edition version 7.0.2, you can no longer govern or publish files to the IT Shop. However,

  • Previously published (those that are both governed and published) files are still available in the IT Shop.
  • Previously governed (but not published) files can be published to the IT Shop.

NFS managed hosts

Beginning with version 7.0.2, Data Governance Edition supports the scanning of NAS devices with NFS file system protocol enabled, including NetApp 7-Mode, NetApp Cluster and EMC Isilon devices. If you want to take advantage of this new feature, be sure to add the UNIX module during the upgrade process. For more information, see Upgrading One Identity Manager Data Governance Edition.

If you upgrade to Data Governance Edition version 7.0.2 (or later) without adding the UNIX module as part of the initial upgrade, and later want NFS support, you must select to upgrade the Data Governance Edition module in addition to adding the UNIX module when running the One Identity Manager Configuration wizard.

Upgrading One Identity Manager Data Governance Edition

In order to take advantage of the enhancements added to Data Governance Edition version 8.1.1, you must perform a full One Identity Manager Data Governance Edition upgrade, which includes:

  • Running the autorun.exe program to deploy the latest version of One Identity Manager Data Governance Edition.
  • Running the Configuration wizard to upgrade the One Identity Manager database.
  • Running the Data Governance Configuration wizard to upgrade the Data Governance service and connect to an existing (or install a new) Resource Activity database.
  • Upgrading the Data Governance agents.

To upgrade One Identity Manager Data Governance Edition

Note: These are simplified steps. Refer to the One Identity Manager Installation Guide or One Identity Manager Release Notes for full upgrade information for One Identity Manager, and to Deploying Data Governance service and creating Resource Activity database for more information regarding the Data Governance Configuration wizard.

  1. Run JobQueueInfo.exe and wait for the queue to clear.
  2. Once the job queue is empty, stop the One Identity Manager service on the server handling queries from the Master SQL Server.
  3. Stop the Data Governance service.
  4. If you are upgrading the One Identity Manager database, stop any One Identity Manager Application Server that has a database connection open.
  5. For SQL Server deployments, ensure that the SQL Server Agent is running.
  6. Log in to the server hosting the One Identity Manager workstation tools, run the One Identity Manager autorun.exe program, open the Installation page and install One Identity Manager Data Governance Edition.
  7. During the installation process:
    1. Accept the license agreement.
    2. Confirm the installation source and destination (Installation folder).
    3. It is recommended that you select the Select installation modules from existing database check box. This automatically selects the proper modules to be enabled during the installation, based on the modules assigned to the system within the existing database.

      Note: If you have purchased additional One Identity Manager modules (for example, the Business Roles module), select the Add more modules to the selected Edition check box. An additional screen appears allowing you to select the additional modules to be installed.

      If you want to take advantage of the new NFS managed hosts feature, select the Unix module.

    4. Select the database connection string pertaining to the server/database to be updated.
    5. Confirm the machine roles (modules) to be installed on the current system.
  8. Once the installation has successfully completed, the last screen of the setup wizard prompts you to run some additional tools. Two of these tools are required for a successful upgrade:
    1. Configuration Wizard to upgrade and configure the One Identity Manager database.
    2. Data Governance Configuration to upgrade the Data Governance service and Resource Activity database.
  9. Run the Configuration Wizard and follow the prompts on the screens:
    1. Select Update database to upgrade the existing One Identity Manager database to the new version.
    2. Select the database connection string of the One Identity Manager database to be updated.
    3. Confirm the installation source (Source media) for the upgrade of the database.
    4. Before the update process begins, you must confirm that you have backed up your database.
    5. Ensure that the Data Governance module is selected.

      Also, if you want to take advantage of the new NFS managed host feature or have purchased additional One Identity Manager modules, select the Add new modules check box to select the modules to be installed. An additional screen appears allowing you to select the modules to be installed.

      Note: To enable the NFS managed hosts feature, add the Unix module.

    6. Resolve any errors listed on the Database check page. Click Redo check to confirm all errors have been resolved.

    7. On the Create a new login for administrators page, specify the SQL Server login to be used for administrative users.

      NOTE: This page only appears when updating a One Identity Manager database from versions 7.0, 7.1, or 8.0 to version 8.1.

      Select one of the following options:

      • Create new SQL Server logins for the database: Select this option if you want to use a more granular permission set on the SQL Server. Selecting this option creates additional SQL Server logins and database roles with the necessary permissions for administrative users, configuration users, and end users.

        Enter the login name, password, and password confirmation for the new administrative SQL Server login.

        NOTE: You will be prompted for the credentials for the other SQL Server logins (system configuration users and end users) after the database has been migrated.

      • Use the current SQL Server login for the database: If you select this option, no additional SQL Server logins are created for the database. In this case, you cannot use the more granular permission set at the SQL Server level. The user you specified is used to connect to the database.

        NOTE: To change to a more granular permission set at a later date, contact One Identity support. To access the One Identity support portal, go to https://support.oneidentity.com/identity-manager/.

    8. When prompted, enter the One Identity Manager system administrator credentials to perform the database upgrade tasks. This can be the credentials for the viadmin account or those of another custom administrative system user account.

      Note: The Active Sessions dialog opens if there are active sessions connected to the database. For SQL Server deployments, disconnect all sessions using the database by selecting the session and clicking Disconnect.

    9. The database will now recompile and update all the necessary files. In addition, after the database is upgraded all of the job servers, the Application Server, and the web portal will be automatically updated. Wait for the installation to finish. This can take some time depending on the amount of data and system performance.
    10. The Create SQL server logins page appears if you selected Create new SQL Server logins for the database. Enter the SQL Server login credentials for the system configuration users and end users.
  10. Run the Data Governance Configuration wizard and follow the prompts on the screens:
    1. Enter the SQL Server information for your One Identity Manager database.
    2. Deploy the service update to your current Data Governance service host, or connect to a previously installed Data Governance service host which has already been manually upgraded.
    3. Confirm the server's fully qualified domain name (FQDN), port, and Deployment name.
    4. Specify the account to be used to run the Data Governance service.

      NOTE: The Use LocalSystem account check box is selected by default indicating the local system account will be used to run the Data Governance service. If you clear this check box and specify a different service account, you must move the Service Principal Name (SPN) from the computer object. For more information, see the post installation step, Move Service Principal Name in Active Directory.
    5. Wait for the deployment to complete.
    6. Provide credentials to the Data Governance Resource Activity database.
    7. Confirm the database name and properties.
  11. Manually start the One Identity Manager job service.
  12. Open the Manager to upgrade the Data Governance agents. When prompted to perform updates, click Yes.

    NOTE: After upgrading the Data Governance service to version 8.x, existing agents will initially connect; however, after an agent restart, they will no longer connect, displaying a "Waiting to connect" state, and must be upgraded.

    Note: An agent upgrade may initiate a re-scan of the managed paths.

    Note: When you upgrade an agent on a computer that hosts multiple agents (agents on this host are scanning different managed hosts), the agent services will be upgraded for all the managed hosts (not just the one you selected).

    In cases where you have many agents scanning a single managed host (all watching different managed paths on the managed host), and you select to upgrade one of the agents through the Agents view, all the agents (on all computers scanning that host) will be upgraded.

    To upgrade Data Governance agents:

    1. In the Navigation view, select Data Governance | Agents.
    2. Right-click the agent and select Upgrade agent.

      Note: The Upgrade agent option is only available if a newer agent version is available. If you do not see the upgrade option, you are running the latest version and no upgrade is necessary.

      Note: You can multi-select agents to upgrade.

See Post installation configuration for additional configuration that may be required post upgrade.

Applying a hotfix to Data Governance Edition 8.x

Note: Beginning with version 7.0.1, the Data Governance Edition module can be updated and released independently of One Identity Manager. Therefore, for this release and all future Data Governance Edition releases (hot fixes or service pack releases), you will receive a new QAM folder that will replace the existing QAM folder installed with One Identity Manager Data Governance Edition 8.0.x (and later).

Before you begin:
  • Replace the existing QAM module with the QAM module provided in the hotfix release package. That is, replace the existing local <OneIM-Build>\Modules\QAM folder with the latest QAM folder you received.

Once this step has been completed, you will perform the following steps to upgrade the databases and services:

  • Run the autorun.exe program to deploy the latest version of One Identity Manager Data Governance Edition.
  • Run the Configuration wizard to upgrade the One Identity Manager database.
  • Run the Data Governance Configuration wizard to upgrade the Data Governance service and Resource Activity database.
  • Upgrade the Data Governance agents (optional).

To apply a One Identity Manager Data Governance Edition 8.x hotfix

Note: These are simplified steps. Refer to the One Identity Manager Installation Guide for full upgrade information for One Identity Manager, and to Deploying Data Governance service and creating Resource Activity database for more information regarding the Data Governance Configuration wizard.

  1. Run JobQueueInfo.exe and wait for the queue to clear.
  2. Once the job queue is empty, stop the One Identity Manager service on the server handling queries from the Master SQL Server.
  3. Stop the Data Governance service.
  4. For SQL Server deployments, ensure that the SQL Server Agent is running.
  5. Perform a One Identity Manager and Data Governance Edition upgrade:
    1. Log in to a server hosting the One Identity Manager administrative components and run the One Identity Manager autorun. From the autorun, open the Installation page and install One Identity Manager Data Governance Edition.
    2. Run the Configuration Wizard (ConfigWizard.exe) to upgrade and configure the One Identity Manager database.

      Note: You will be blocked from continuing if the job queue is not empty. You will be asked to stop the job service and close all open connections to the One Identity Manager database.

    3. Start the One Identity Manager job service.
    4. Run the Data Governance Wizard (Data Governance Configuration wizard.exe) to upgrade the Data Governance service and resource activity database.
  6. Open the Manager to upgrade the Data Governance agents. If prompted to perform updates, click Yes.

Remove Data Governance Edition

Use the following sequence to remove the Data Governance Edition components:

For information on removing the One Identity Manager components (job service and database), see the One Identity Manager documentation.
