
Identity Manager Data Governance Edition 8.1.1 - Deployment Guide


Deploying multiple Data Governance services

When deploying multiple Data Governance services within the same forest in your organization, each Data Governance Edition deployment is responsible for managing specific servers and there is no cross-over between Data Governance services; therefore, data from one deployment is not available in another deployment.

Keep the following considerations in mind when deploying multiple Data Governance services in a single forest:

One Identity Manager:
  • Each One Identity Manager installation can only have one Data Governance service and one Data Governance Edition deployment.
  • Each Data Governance Edition deployment must connect to a separate One Identity Manager database.
  • Each Data Governance Edition deployment uses different One Identity Manager services (job servers).
Data Governance services:
  • Each Data Governance service must be installed on a separate server and be assigned a unique deployment name.
Data Governance agents:
  • Agent-hosted servers belong to one Data Governance Edition deployment, and cannot be accessed by other deployments.
  • You can deploy multiple Data Governance agents on a server; however, all of these agents must belong to the same Data Governance Edition deployment.

The following procedure assumes that a Data Governance Edition deployment has been installed following the procedures described in Deploying Data Governance service and creating Resource Activity database. This procedure explains how to install additional Data Governance Edition deployments:

To install subsequent Data Governance Edition deployments

  1. Run the Autorun.exe and install a new One Identity Manager Data Governance Edition installation.
  2. Once the installation has successfully completed, use the options on the last page of the setup wizard to run the following:
    1. Run the Configuration Wizard to create and configure a new One Identity Manager database.
    2. Run the Job Service Configuration to configure a new One Identity Manager service.
  3. Run the Data Governance configuration wizard using one of the following methods:
    • If you still have the One Identity Manager Data Governance Edition setup wizard open, click the Run button to the left of the Data Governance Configuration option on the last page of the wizard.
    • Otherwise, locate and select the Data Governance Configuration Wizard.exe file, which is located in the %ProgramFiles%\One Identity\One Identity Manager\ directory. Ensure you right-click and select Run as Administrator.
  4. On the One Identity Manager database page, specify the information required to connect to the One Identity Manager database. This must be a different One Identity Manager database for each Data Governance Edition deployment.
  5. On the Data Governance Edition Configuration page, select the Install or Upgrade the Data Governance service option and provide the following information:
    1. Server: Enter the fully qualified domain name of the server where this Data Governance service will be installed. Ensure that you specify a server that does NOT already host a Data Governance service.
    2. Port: Enter the port number to be used to communicate with the specified Data Governance service. In a new Data Governance Edition deployment, this field displays the default net.tcp port of 8722.
    3. Deployment: Enter a unique name to be assigned to this Data Governance Edition deployment. Ensure that this name is unique and is not being used by another Data Governance Edition deployment in the forest.

      The deployment name is required; has a maximum length of 30 characters; and can only contain alphanumeric characters and underscores (no spaces allowed).

      NOTE: The deployment name is also used in the Data Governance Resource Activity database name (that is, DGE_<DeploymentName>) and that name also has a limit of 30 characters. So, if you specify a 30 character deployment name, the new activity database name will only use <DeploymentName>.

    4. Leave the Add the current user to the One Identity Manager Employees with Data Governance application roles check box selected to have the Data Governance service assign the current user account the Data Governance application roles and target system role in each domain found during the forest topology harvest.

    Click Next.

    Note: If the Next button is disabled, ensure that you have selected a server that does not already host a Data Governance service and have entered a unique deployment name that is not being used by another Data Governance Edition deployment in the forest.

  6. In the Service Account Setting dialog, specify the account to be used to run the Data Governance service.

    1. When SQL authentication is being used for the One Identity Manager database authentication method (that is, the Windows authentication check box is cleared on the One Identity Manager database page):

      • The Use LocalSystem account check box is selected by default indicating the local system account will be used to run the Data Governance service.
      • To use a service account other than the local system account, clear the Use LocalSystem account check box and enter the Windows credentials of the service account to be used.

    2. When Windows authentication is being used for the One Identity Manager database authentication method (that is, the Windows authentication check box is selected on the One Identity Manager database page):

      • The Use LocalSystem account check box is disabled and you must enter the Windows credentials of the service account to be used.

    NOTE: When you use a service account, you must move the Service Principal Name (SPN) from the computer object. For more information, see Move Service Principal Name in Active Directory.

    After specifying the account to be used for the Data Governance service, click OK.

  7. Wait for the installation process to complete, then click Finish to close the Data Governance server installation dialog.
  8. On the Data Governance activity database server - Create connection page, specify the connection information for the server where a new Data Governance Resource Activity database is to be created.
  9. On the Data Governance activity database server - Database Properties page, click Next to accept the default name of the database in which the Data Governance Resource Activity schema is to be created, and to accept the default database options.

    The Database name field is pre-populated with DGE_<DeploymentName>, where <DeploymentName> is the name assigned to the Data Governance Edition deployment on the previous wizard page. If the total length of the activity database name would exceed 30 characters, the new default activity database name uses only <DeploymentName>.

    To change the name, enter the new name to be assigned to the database. The database name is required; has a maximum length of 30 characters; and can only contain alphanumeric characters and underscores (no spaces allowed).

    If you change the database name, ensure that it is unique and is not being used by any other Data Governance Resource Activity database. Do NOT connect a new deployment to an existing database.

  10. Once the installation and configuration have completed, click Next.
  11. Click Finish to close the Data Governance Configuration wizard.
  12. If applicable, click Finish to close the One Identity Manager Data Governance setup wizard.

Before you can gather information on the data in your environment, perform the necessary post-installation configuration tasks. For more information, see Post installation configuration.

Tips for connecting to and installing agents in a multi-Data Governance Edition deployment:
  • When launching the Manager, in the Select Connection field, select the One Identity Manager database to which the required deployment is connected.
  • If you attempt to install an agent to a server that already has an agent on it, and that agent already belongs to another Data Governance Edition deployment, you will receive a status of 'Installing agent failed'. Open the Agents view and you will see an agent status of 'Agent host belongs to another deployment'. The Configuration Message property on the Agent Details master data page will contain additional information, including the name of the deployment that is already using this agent.

Updating One Identity Manager to a Data Governance Edition deployment

If you already have One Identity Manager 8.1.1 installed, you can add Data Governance Edition using the following steps:

  • Enable the Data Governance (QAM) components in the Designer
  • Run the Data Governance Configuration wizard to deploy the Data Governance Edition components

Note: If you are running the Designer from the computer hosting the One Identity Manager database or a job service, you must stop the One Identity Manager service when prompted to update. Once the update has completed, restart the service.

Administrative access is required on the local computer for this process to complete successfully.

Note: Use the job server editor in the Designer application to confirm the "Data Governance connector" flag is set for any job server to be used to run Data Governance Edition report requests from the web portal. For more information, see Post installation configuration.

To enable Data Governance Edition components

  1. Open the Designer and select Base Data | General | Configuration parameters.
  2. In the Tasks view, select Edit configuration parameters.
  3. Expand TargetSystem | ADS | QAM.

  4. Select the QAM check box and click the Commit to database toolbar button.

  5. Click Save on the confirmation dialog.

  6. Select the Database menu, then Compile database and follow the wizard.

To configure and deploy Data Governance Edition components

  1. Run the Data Governance Configuration wizard from the One Identity Manager installation directory: %ProgramFiles%\One Identity\One Identity Manager\Data Governance Configuration Wizard.exe.

  2. Read the Configuration wizard welcome page and click Next.
  3. On the One Identity Manager database page, specify the information required to connect to the One Identity Manager database.

    1. Server: Select the server where the One Identity Manager database is installed.
    2. Windows authentication: If you selected Windows authentication for the One Identity Manager database, select this check box. If you selected SQL authentication for the One Identity Manager database, make sure this check box is cleared.
    3. User: Enter the user account to be used to access the One Identity Manager database server.
    4. Password: Enter the password associated with the user account.
    5. Database: Select the One Identity Manager database.

    Click Next.

  4. On the Data Governance Edition Configuration page, select Install or Upgrade the Data Governance service and provide the following information:

    1. Server: Enter the fully qualified domain name of the server where the Data Governance service will be installed.
    2. Port: This field displays the net.tcp port opened on the Data Governance server computer. In a new Data Governance Edition deployment, the default net.tcp port is 8722. To change this value, enter the port number to be used to communicate with the Data Governance service.

      NOTE: The HTTP port is derived from the net.tcp port: it is automatically set to one less than the port specified here. The HTTP port is used by the Data Governance agents if WCF fails.
    3. Deployment: This field displays the deployment name assigned to the Data Governance Edition deployment. In a new Data Governance Edition deployment, the default deployment name is DEFAULT.

      To change this value, enter the name to be associated with this deployment of Data Governance Edition. The deployment name is required; has a maximum length of 30 characters; and can only contain alphanumeric characters and underscores (no spaces allowed).

      NOTE: The deployment name is also used in the Data Governance Resource Activity database name (that is, DGE_<DeploymentName>) and that name also has a limit of 30 characters. So, if you specify a 30 character deployment name, the new activity database name will only use <DeploymentName>.

      NOTE: When deploying multiple Data Governance Edition deployments in a forest, specify a different server for the Data Governance service and a unique deployment name for each deployment. For more information, see Deploying multiple Data Governance services.

    Leave the Add the current user to the One Identity Manager Employees with Data Governance application roles check box selected. The Data Governance service automatically assigns the current user account the Data Governance application roles and target system role in each domain found during the forest topology harvest.

    NOTE: The Data Governance service obeys the current One Identity Manager "Edit Configuration Parameters"\TargetSystem\ADS\PersonExcludeList, which by default is:

    ADMINISTRATOR | GUEST | KRBTGT | TSINTERNETUSER | IUSR_.* | IWAM_.* | SUPPORT_.* |.*\$

    This means that ANY Active Directory account whose sAMAccountName matches an entry in this exclude list, including 'administrator', will not be added as a One Identity Manager Employee with the assigned Data Governance application roles, even if the current user running the configuration wizard is the administrator account.

    Click Next.

  5. In the Service Account Setting dialog, specify the account to be used to run the Data Governance service.

    1. When SQL authentication is being used for the One Identity Manager database authentication method (that is, the Windows authentication check box is cleared on the One Identity Manager database page):

      • The Use LocalSystem account check box is selected by default indicating the local system account will be used to run the Data Governance service.
      • To use a service account other than the local system account, clear the Use LocalSystem account check box and enter the Windows credentials of the service account to be used.

        NOTE: If you specify a service account, you must move the Service Principal Name (SPN) from the computer object. For more information, see Move Service Principal Name in Active Directory.
    2. When Windows authentication is being used for the One Identity Manager database authentication method (that is, the Windows authentication check box is selected on the One Identity Manager database page):

      • The Use LocalSystem account check box is disabled and you must enter the Windows credentials of the service account to be used.

    After specifying the account to be used for the Data Governance service, click OK.

  6. Wait for the installation process to complete, then click Finish to close the Data Governance server installation dialog.

  7. On the Data Governance activity database server - Create connection page, enter the connection information for the server where the Data Governance Resource Activity database will be created:
    1. Server: Select the server where the Data Governance Resource Activity database is to be created.
    2. Windows Authentication: If you select Windows Authentication for the One Identity Manager database authentication method, enter the Windows credentials for the account that will run the Data Governance service.

      NOTE: If you selected SQL server authentication for the One Identity Manager database authentication method, use SQL authentication here as well. If you selected Windows authentication for the One Identity Manager database authentication method, you can select either SQL authentication or Windows authentication for the resource activity database.
    3. User: Enter the user account to be used to access the Data Governance Resource Activity database server.
    4. Password: Enter the password associated with the user account.

    Click Next.

  8. On the Data Governance activity database server - Database Properties page, click Next to accept the default name of the database in which the Data Governance Resource Activity schema is to be created, and to accept the default database options.

    The Database name field is pre-populated with DGE_<DeploymentName>, where <DeploymentName> is the name assigned to the Data Governance Edition deployment on the previous wizard page. If the total length of the activity database name would exceed 30 characters, the new default activity database name uses only <DeploymentName>.

    To change the name, enter the new name to be assigned to the database. The database name is required; has a maximum length of 30 characters; and can only contain alphanumeric characters and underscores (no spaces allowed).

    IMPORTANT: When installing multiple Data Governance Edition deployments in the same forest, ensure that each deployment is connecting to a database with a unique name. Do NOT connect a new deployment to an existing database.
  9. Once the installation and configuration have completed, click Next.
  10. Click Finish to close the Data Governance Configuration wizard.
  11. If applicable, click Finish to close the One Identity Manager setup wizard.
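
The PersonExcludeList NOTE in step 4 is easy to misjudge, because the entries are regular expressions rather than plain names. The following PowerShell is an added example for this guide, not One Identity code; it assumes that One Identity Manager treats each |-separated entry as a regular expression matched against the whole sAMAccountName without regard to case (the guide's remark that 'administrator' matches ADMINISTRATOR supports the case-insensitive part; the whole-name anchoring is this example's own assumption). The function names and the sample account names are constructed for the example.

```powershell
# Added example, not One Identity code. Evaluates AD sAMAccountNames against the
# default TargetSystem\ADS\PersonExcludeList quoted in this guide, so you know
# before running the configuration wizard whether the account running it will
# actually receive the Data Governance application roles.

# Default value quoted in the guide (each entry is a regular expression).
$DefaultPersonExcludeList = 'ADMINISTRATOR | GUEST | KRBTGT | TSINTERNETUSER | IUSR_.* | IWAM_.* | SUPPORT_.* |.*\$'

function Test-DgePersonExcluded {
    # Returns $true when the account would be skipped. Assumption: each entry is
    # anchored to the whole name and matched case-insensitively (PowerShell -match).
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$ExcludeList = $DefaultPersonExcludeList
    )
    foreach ($entry in ($ExcludeList -split '\|')) {
        $pattern = $entry.Trim()
        if (-not $pattern) { continue }
        if ($SamAccountName -match "^(?:$pattern)$") { return $true }
    }
    return $false
}

function Get-DgeExcludedMatches {
    # Shows which entry excludes each account, which is what you need when an
    # administrative account unexpectedly receives no Data Governance roles.
    param(
        [Parameter(Mandatory)][string[]]$SamAccountNames,
        [string]$ExcludeList = $DefaultPersonExcludeList
    )
    $patterns = $ExcludeList -split '\|' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    foreach ($name in $SamAccountNames) {
        $hit = $patterns | Where-Object { $name -match "^(?:$_)$" } | Select-Object -First 1
        [pscustomobject]@{ SamAccountName = $name; Excluded = [bool]$hit; MatchedEntry = $hit }
    }
}

# Constructed sample names (not from any real directory). 'FILESRV01$' stands for a
# computer account, which the trailing .*\$ entry excludes.
$sample = 'Administrator', 'jsmith', 'krbtgt', 'IUSR_WEB01', 'SUPPORT_388945a0', 'FILESRV01$', 'svc_dge', 'Guest'
Get-DgeExcludedMatches -SamAccountNames $sample | Format-Table -AutoSize

# Check the account that is about to run the wizard.
if (Test-DgePersonExcluded -SamAccountName $env:USERNAME) {
    Write-Warning "$env:USERNAME matches PersonExcludeList and will not receive the Data Governance application roles through the wizard."
}
```

Run this as the account you intend to use for the configuration wizard before checking the "Add the current user" option; if the table shows that account as excluded, the wizard will complete but nobody will have been given the Data Governance application roles by it.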

Before you can gather information on the data in your environment, perform the necessary post-installation configuration tasks. For more information, see Post installation configuration.
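
The deployment-name and activity-database-name rules stated in step 5 of the multiple-deployment procedure above and in steps 4 and 8 of this procedure can be checked before any wizard is run. The following PowerShell is an added example written for this guide, not One Identity's code; the function names and the sample deployment plan are constructed, and the example assumes that the only truncation the wizard applies is the one the guide describes (the DGE_ prefix is dropped when the full name would exceed 30 characters).

```powershell
# Added example, not part of One Identity Manager. Encodes the naming rules the
# Data Governance Configuration wizard enforces, as stated in this guide, so a
# multi-deployment plan for one forest can be checked up front.

function Test-DgeDeploymentName {
    # Deployment name: required, at most 30 characters, alphanumerics and
    # underscores only (no spaces). The activity database name has the same rule.
    param([AllowEmptyString()][string]$Name)
    if ([string]::IsNullOrEmpty($Name)) { return $false }
    if ($Name.Length -gt 30) { return $false }
    return ($Name -match '^[A-Za-z0-9_]+$')
}

function Get-DgeDefaultActivityDbName {
    # Default is DGE_<DeploymentName>; when that would exceed 30 characters the
    # wizard proposes <DeploymentName> alone (see the NOTE on the Deployment field).
    param([Parameter(Mandatory)][string]$DeploymentName)
    if (-not (Test-DgeDeploymentName $DeploymentName)) {
        throw "Invalid deployment name '$DeploymentName'."
    }
    $default = "DGE_$DeploymentName"
    if ($default.Length -gt 30) { return $DeploymentName }
    return $default
}

function Test-DgeDeploymentPlan {
    # Checks a planned set of deployments for the same forest: valid names,
    # unique deployment names, one service per server, unique activity database
    # names. Returns a list of problem strings; an empty list means the plan is OK.
    param([Parameter(Mandatory)][object[]]$Plan)   # objects with Name, Server and optional DbName
    $problems = @()
    foreach ($d in $Plan) {
        if (-not (Test-DgeDeploymentName $d.Name)) {
            $problems += "Deployment name '$($d.Name)' is empty, longer than 30 characters, or contains characters other than A-Z, 0-9 and _"
        }
        if ($d.DbName -and -not (Test-DgeDeploymentName $d.DbName)) {
            $problems += "Activity database name '$($d.DbName)' breaks the same 30-character, alphanumeric-and-underscore rule"
        }
    }
    $valid = @($Plan | Where-Object { Test-DgeDeploymentName $_.Name })
    foreach ($g in ($valid | Group-Object Name | Where-Object Count -gt 1)) {
        $problems += "Deployment name '$($g.Name)' is used $($g.Count) times; it must be unique in the forest"
    }
    foreach ($g in ($Plan | Group-Object Server | Where-Object Count -gt 1)) {
        $problems += "Server '$($g.Name)' would host $($g.Count) Data Governance services; each service needs its own server"
    }
    $dbNames = $valid | ForEach-Object {
        $db = $(if ($_.DbName) { $_.DbName } else { Get-DgeDefaultActivityDbName $_.Name })
        [pscustomobject]@{ Name = $_.Name; DbName = $db }
    }
    foreach ($g in ($dbNames | Group-Object DbName | Where-Object Count -gt 1)) {
        $problems += "Activity database '$($g.Name)' would be shared by $($g.Group.Name -join ', '); never connect a new deployment to an existing database"
    }
    return $problems
}

# Constructed sample plan (not from any real environment).
$plan = @(
    [pscustomobject]@{ Name = 'DEFAULT';                     Server = 'dge1.corp.example' }
    [pscustomobject]@{ Name = 'Finance_EMEA';                Server = 'dge2.corp.example' }
    [pscustomobject]@{ Name = 'EMEA_FILE_SERVERS_DEPLOY01';  Server = 'dge3.corp.example' }   # 26 chars: DGE_ prefix still fits
    [pscustomobject]@{ Name = 'EMEA_FILE_SERVERS_DEPLOY_01'; Server = 'dge4.corp.example' }   # 27 chars: prefix is dropped
    [pscustomobject]@{ Name = 'HQ Deployment';               Server = 'dge5.corp.example' }   # contains a space: rejected
    [pscustomobject]@{ Name = 'Finance_EMEA';                Server = 'dge2.corp.example'; DbName = 'DGE_DEFAULT' }  # duplicate name, server and database
)

$plan | ForEach-Object {
    '{0,-30} -> {1}' -f $_.Name, $(if (Test-DgeDeploymentName $_.Name) { Get-DgeDefaultActivityDbName $_.Name } else { '(invalid)' })
}
Test-DgeDeploymentPlan -Plan $plan
```

The sample deliberately includes the 26- and 27-character boundary, where the proposed database name changes shape, and a second entry that reuses a name, a server and a database so that every uniqueness rule in the considerations list above produces a finding.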

Post installation configuration

Complete the following post installation configuration tasks to ensure a successful Data Governance Edition deployment.

Note: When deploying multiple Data Governance services in a forest, be sure to perform these post installation configuration tasks for each Data Governance Edition deployment.

Move Service Principal Name in Active Directory

If you use a service account other than "LocalSystem" for the Data Governance server, you must move the Service Principal Name (SPN) in Active Directory.

NOTE: This applies if you specify a service account other than "LocalSystem" during the initial configuration or if you change the Data Governance service account after the initial configuration.

To move the SPN in Active Directory

  1. Stop the Data Governance service.
  2. Run the following setspn commands from a command prompt on a domain controller or any machine with the AD tools installed:

    Run the following command to remove the SPN from the computer object:

    setspn -D DataGovernance.Server(DEPLOYMENT)/SERVER.DOMAIN.TLD SERVERNAME

    For example:

    setspn -D DataGovernance.Server(DEFAULT)/MYDGESERVER.MYDOMAIN.local MYDGESERVER

    Run the following command to add the SPN of the service account:

    setspn -A DataGovernance.Server(DEPLOYMENT)/SERVER.DOMAIN.TLD USERNAME

    For example:

    setspn -A DataGovernance.Server(DEFAULT)/MYDGESERVER.MYDOMAIN.local MYUSER

    Where:

    • DEPLOYMENT is the deployment name assigned to the Data Governance deployment.
    • SERVER.DOMAIN.TLD is the fully qualified domain name of the Data Governance server where the Data Governance service is installed.
    • SERVERNAME is the short name of the Data Governance server.
    • USERNAME is the SAM account name of the service account.
  3. Restart the Data Governance service.
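
The two setspn commands in step 2 can be wrapped so that the move is verified rather than assumed. The following PowerShell is an added example for this guide, not One Identity code; it builds the SPN in the same DataGovernance.Server(DEPLOYMENT)/SERVER.DOMAIN.TLD form, runs the guide's setspn -D and setspn -A commands, and then uses setspn -Q (which searches the forest for an SPN) to confirm that afterwards exactly one account, the service account, holds it. The way the example reads setspn -Q output (each holder printed as a distinguished name on a line beginning with CN=) is its own assumption about the tool's output format, the function names are constructed, and all sample values are placeholders.

```powershell
# Added example, not One Identity code. Moves the Data Governance SPN from the
# computer object to the service account as in step 2 above, and verifies the
# result. Run from an elevated PowerShell prompt on a machine with the AD tools.
# Supports -WhatIf so the commands can be reviewed before anything changes.

function Get-DgeServiceSpn {
    # SPN form used by the guide: DataGovernance.Server(DEPLOYMENT)/SERVER.DOMAIN.TLD
    param(
        [Parameter(Mandatory)][string]$DeploymentName,
        [Parameter(Mandatory)][string]$ServerFqdn
    )
    return "DataGovernance.Server($DeploymentName)/$ServerFqdn"
}

function Get-SpnHolders {
    # Assumption about setspn -Q output: every object holding the SPN is printed
    # as an unindented distinguished-name line starting with CN=.
    param([Parameter(Mandatory)][string]$Spn)
    $out = & setspn -Q $Spn 2>&1
    return @($out | Where-Object { $_ -match '^CN=' } | ForEach-Object { $_.ToString().Trim() })
}

function Move-DgeServiceSpn {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$DeploymentName,   # DEPLOYMENT in the guide, e.g. DEFAULT
        [Parameter(Mandatory)][string]$ServerFqdn,       # SERVER.DOMAIN.TLD
        [Parameter(Mandatory)][string]$ServerName,       # SERVERNAME: short name of the Data Governance server
        [Parameter(Mandatory)][string]$ServiceAccount    # USERNAME: sAMAccountName of the service account
    )
    $spn = Get-DgeServiceSpn -DeploymentName $DeploymentName -ServerFqdn $ServerFqdn

    $before = Get-SpnHolders -Spn $spn
    Write-Verbose ("Before: '{0}' is held by: {1}" -f $spn, ($before -join '; '))
    if ($before.Count -gt 1) {
        # More than one holder is a duplicate SPN; Kerberos authentication to the
        # service is unreliable until only one object registers it.
        Write-Warning "SPN '$spn' is registered on $($before.Count) objects before the move."
    }

    if ($PSCmdlet.ShouldProcess($ServerName, "setspn -D $spn")) {
        & setspn -D $spn $ServerName
        if ($LASTEXITCODE -ne 0) { throw "setspn -D failed (exit code $LASTEXITCODE)" }
    }
    if ($PSCmdlet.ShouldProcess($ServiceAccount, "setspn -A $spn")) {
        & setspn -A $spn $ServiceAccount
        if ($LASTEXITCODE -ne 0) { throw "setspn -A failed (exit code $LASTEXITCODE)" }
    }

    if ($WhatIfPreference) { return }

    # Post-check: exactly one holder, and it should be the service account.
    $after = Get-SpnHolders -Spn $spn
    if ($after.Count -ne 1) {
        throw "Expected exactly one holder of '$spn' after the move, found $($after.Count): $($after -join '; ')"
    }
    if ($after[0] -notmatch "^CN=$([regex]::Escape($ServiceAccount)),") {
        # The CN of a user object often differs from its sAMAccountName, so this is a prompt to confirm, not a failure.
        Write-Warning "Holder of '$spn' is '$($after[0])'; confirm this is the service account."
    }
    [pscustomobject]@{ Spn = $spn; HeldBy = $after[0] }
}

# Placeholder values matching the guide's example; replace them with your own.
# Move-DgeServiceSpn -DeploymentName 'DEFAULT' -ServerFqdn 'MYDGESERVER.MYDOMAIN.local' `
#     -ServerName 'MYDGESERVER' -ServiceAccount 'MYUSER' -Verbose -WhatIf
```

Stop the Data Governance service before running the function and restart it afterwards, exactly as steps 1 and 3 describe; the -WhatIf pass shows the two setspn commands that will be issued without changing the directory.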