
Identity Manager 8.0 - Password Capture Agent Administration Guide


Configuration Targets

To be able to use the Password Capture Agent Windows PowerShell module to remotely configure the Password Capture Agent on the domain controllers, these servers need to have Windows PowerShell Remoting configured and enabled. For more information, see the remote troubleshooting guide for Windows PowerShell (http://technet.microsoft.com/en-us/library/hh847850.aspx).

Installing the Password Capture Agent Windows PowerShell Module


To install the Password Capture Agent Windows PowerShell module

  • Copy the folder OneIM-PasswordCaptureAgentMgmt, including its content, to C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ (the system's global Windows PowerShell module path).

    - OR -

  • Copy the folder OneIM-PasswordCaptureAgentMgmt to any path on your host, and add this path to the environment variable PSModulePath.

Before installing Password Capture Agent on a domain controller:

  • Ensure that the Webservice is installed and configured.
  • Ensure that the certificate used to decrypt passwords is installed, with its private key, in the LocalMachine\My certificate store on the server hosting the Webservice.
  • Ensure that the certificate used to encrypt passwords is installed, with its private key, in the LocalMachine\My certificate store on all domain controllers.

You should have prepared:

  • the thumbprint of the certificate for password encryption, for example:

    1800b62e8cf19d1c4bcdcd2b6e435c3c85e04188

  • the URL to the Webservice, for example:

    https://servername.domain.com/SoapService/Q1IMService.asmx
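
The remoting and certificate prerequisites above can be checked per domain controller before the installer is run. This is an added example, not part of the One Identity module or this guide; the function name Test-PCACertificatePrerequisite is hypothetical, and it relies only on built-in Windows PowerShell cmdlets and the Cert: drive.

```powershell
# Added example: pre-flight check for PowerShell Remoting and the encryption
# certificate. The function name is hypothetical (not in the OneIM module).
function Test-PCACertificatePrerequisite {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][string]$Thumbprint
    )

    # Thumbprints pasted from the certificate dialog often carry spaces or an
    # invisible leading character; keep hex digits only.
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) {
        throw "Thumbprint must be 40 hex digits (SHA-1); got $($clean.Length)."
    }

    foreach ($computer in $ComputerName) {
        $result = [ordered]@{
            ComputerName = $computer; Remoting = $false
            CertFound = $false; HasPrivateKey = $false; NotAfter = $null
        }
        try {
            # Throws if WinRM / PowerShell Remoting is not reachable.
            Test-WSMan -ComputerName $computer -ErrorAction Stop | Out-Null
            $result.Remoting = $true

            # Look the certificate up in the store the guide names.
            $cert = Invoke-Command -ComputerName $computer -ErrorAction Stop `
                -ArgumentList $clean -ScriptBlock {
                    param($tp)
                    Get-ChildItem -Path Cert:\LocalMachine\My |
                        Where-Object { $_.Thumbprint -eq $tp } |
                        Select-Object -First 1 -Property HasPrivateKey, NotAfter
                }
            if ($cert) {
                $result.CertFound     = $true
                $result.HasPrivateKey = [bool]$cert.HasPrivateKey
                $result.NotAfter      = $cert.NotAfter   # check for expiry
            }
        }
        catch { Write-Warning "$computer : $($_.Exception.Message)" }
        [pscustomobject]$result
    }
}

# Sample call using the example host name and thumbprint from this guide.
Test-PCACertificatePrerequisite -ComputerName 'DC01.DEMOCORP.COM' `
    -Thumbprint '1800b62e8cf19d1c4bcdcd2b6e435c3c85e04188'
```

A domain controller is ready when Remoting, CertFound and HasPrivateKey are all True and NotAfter lies in the future.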

Using the Password Capture Agent Windows PowerShell Module


Using the Password Capture Agent Windows PowerShell module to install Password Capture Agent on a specific domain controller

  1. Sign on to the workstation where the Password Capture Agent Windows PowerShell module is installed, as a member of the group "Domain Admins".
  2. Copy Password Capture Agent.msi to a network share that you can access from all domain controllers, for example "\\StorageServer\SHARE\Password Capture Agent.msi".
  3. Open an elevated Windows PowerShell.
  4. Execute Command:

    Import-Module OneIM-PasswordCaptureAgentMgmt

  5. Execute commands to define your configuration profile:

    $ConfigProfile = New-PCAConfigProfile
    $ConfigProfile['WebClient.WebServiceURL'].ConfigValue = 'https://server.domain.com/SoapService/Q1IMService.asmx'
    $ConfigProfile['WebClient.WebServiceType'].ConfigValue = 'Soap'
    $ConfigProfile['Backend.Credential'].ConfigValue = Get-Credential viCaptureAgent
    $ConfigProfile['Backend.CertificateThumbprint'].ConfigValue = '1800b62e8cf19d1c4bcdcd2b6e435c3c85e04188'

  6. Execute Command:

    Install-PasswordCaptureAgent `
        -ComputerName "DC01.DEMOCORP.COM" `
        -Setup "\\StorageServer\SHARE\Password Capture Agent.msi" `
        -ConfigurationProfile $ConfigProfile

    By running this command, you install the Password Capture Agent on DC01.DEMOCORP.COM. The installation will be run off a network location and WebServiceURL/CertificateThumbprint are passed to the setup.

    Because the -Restart switch is not specified, the domain controller will not automatically reboot after successful installation.

Using the Password Capture Agent Windows PowerShell module to install Password Capture Agent on all domain controllers

  1. Sign on to the workstation where the Password Capture Agent Windows PowerShell module is installed, as a member of the group "Domain Admins".
  2. Copy Password Capture Agent.msi to a network share that you can access from all domain controllers, for example "\\StorageServer\SHARE\Password Capture Agent.msi".
  3. Open an elevated Windows PowerShell.
  4. Execute Command:

    Import-Module OneIM-PasswordCaptureAgentMgmt

  5. Execute commands to define your configuration profile:

    $ConfigProfile = New-PCAConfigProfile
    $ConfigProfile['WebClient.WebServiceURL'].ConfigValue = 'https://server.domain.com/SoapService/Q1IMService.asmx'
    $ConfigProfile['WebClient.WebServiceType'].ConfigValue = 'Soap'
    $ConfigProfile['Backend.Credential'].ConfigValue = Get-Credential viCaptureAgent
    $ConfigProfile['Backend.CertificateThumbprint'].ConfigValue = '1800b62e8cf19d1c4bcdcd2b6e435c3c85e04188'

  6. Execute Command:

    Get-DomainController | Install-PasswordCaptureAgent `
        -Setup "\\StorageServer\SHARE\Password Capture Agent.msi" `
        -ConfigurationProfile $ConfigProfile `
        -Restart

    By running this command, you receive a list of domain controllers and sequentially start the install on each one. The install will be run off a network location and WebServiceURL/CertificateThumbprint are passed to the setup.

    Because the -Restart switch is specified, the domain controllers will automatically reboot after successful installation.

Working with Configuration Profiles

The Password Capture Agent Windows PowerShell module includes functions to create, show, get, set, import and export a Password Capture Agent configuration profile.

NOTE: The function Show-PCAConfigProfile may also be used to get an overview of all parameters and read their descriptions or destinations.

Getting and setting the configuration profile is only possible if the Password Capture Agent is installed and running. It is not possible to access the secured configuration parameters without it.

Example 1: Creating new profile and editing it

    Import-Module OneIM-PasswordCaptureAgentMgmt
    $ConfigProfile = New-PCAConfigProfile
    $ConfigProfile['WebClient.WebServiceURL'].ConfigValue = 'https://fqdn.democorp.com/Q1IMService/Q1IMService.asmx'
    $ConfigProfile['WebClient.AuthenticationType'].ConfigValue = 'WindowsIntegrated'
    $ConfigProfile['Backend.AuthenticationModule'].ConfigValue = 'DialogUser'
    $ConfigProfile['Backend.Credential'].ConfigValue = Get-Credential viCaptureAgent
    $ConfigProfile['Backend.CertificateThumbprint'].ConfigValue = '0123456789ABCED0123456789ABCED0123456789'

Example 2: Read current profile and show it using GUI

    Import-Module OneIM-PasswordCaptureAgentMgmt
    $ConfigProfile = Get-PCAConfigProfile
    Show-PCAConfigProfile -ConfigurationProfile $ConfigProfile

Example 3: Read current profile and export it to xml

    Import-Module OneIM-PasswordCaptureAgentMgmt
    $ConfigProfile = Get-PCAConfigProfile
    Export-PCAConfigProfile -ConfigurationProfile $ConfigProfile -FilePath C:\tmp\CurrentPCAConfig.xml

Example 4: Import profile, edit and set it

    Import-Module OneIM-PasswordCaptureAgentMgmt
    $ConfigProfile = Import-PCAConfigProfile -Filepath C:\tmp\CurrentPCAConfig.xml
    $ConfigProfile['Backend.CertificateThumbprint'].ConfigValue = '0123456789ABCED0123456789ABCED0123456780'
    Set-PCAConfigProfile -ConfigurationProfile $ConfigProfile

Example 5: Import profile and install Password Capture Agent

    Import-Module OneIM-PasswordCaptureAgentMgmt
    $ConfigProfile = Import-PCAConfigProfile -Filepath C:\CurrentPCAConfig.xml
    Install-PasswordCaptureAgent `
        -LogFile <Full UNC path to the log file on the remote server> `
        -Setup <UNC path for Password Capture Agent MSI> `
        -ConfigurationProfile $ConfigProfile

Example 6: Changing parts of the configuration

    Import-Module OneIM-PasswordCaptureAgentMgmt
    $ConfigProfile = Get-PCAConfigProfile
    $ConfigProfile['Backend.Credential'].ConfigValue = Get-Credential viCaptureAgent
    Set-PCAConfigProfile -ConfigurationProfile $ConfigProfile

Example 7: Changing parts of the configuration on all domain controllers

    Get-DomainController | ForEach-Object {
        # Read the profile from each domain controller, change the thumbprint, write it back
        $ConfigurationProfile = Get-PCAConfigProfile -ComputerName $_
        $ConfigurationProfile['Backend.CertificateThumbprint'].ConfigValue = '1800b62e8cf19d1c4bcdcd2b6e435c3c85e04188'
        Set-PCAConfigProfile -ComputerName $_ -ConfigurationProfile $ConfigurationProfile -RestartService
    }
