
Identity Manager 8.1.2 - Data Archiving Administration Guide

Advanced configuration for transferring data

The following scenarios exist for transferring data:

  • Scenario 1: The One Identity Manager History Database and One Identity Manager database are on the same database server.
  • Scenario 2: The One Identity Manager History Database and One Identity Manager database are on different database servers. The linked server is created by the One Identity Manager History Database's One Identity Manager Service.
  • Scenario 3: The One Identity Manager History Database and One Identity Manager database are on different database servers. There is a linked server available.
Scenario 1:

NOTE: If you work with sa, no other steps are required.

If you are working with granular permissions at server and database level, use Designer to create a database user in the One Identity Manager database for transferring data.

To set up the database user in the One Identity Manager database

  1. In Designer, select the category Base data | Security settings | Database server permissions | Database server login.

  2. Click and enter the following information:

    Login name: SQL Server login of the user used for process handling in the History Database (DialogDatabase.ConnectionString).

    Database user: Name of the database user.

  3. Select the Database and server roles tab and assign the role Database: Data archiving role.

  4. Save the changes.

The DBQueue Processor creates the database role OneIMHistoryRoleDB and the database user in the One Identity Manager database. The database user is connected with the SQL Server login and added to the database role.

Scenario 2:

NOTE: If you work with sa, no other steps are required.

If you are working with granular permissions at server and database level, additional permissions are required for creating a linked server and for data transfer.

  • To create a linked server, the user for process handling in the History Database (DialogDatabase.ConnectionString) requires the following permissions at server level:

    • Permission alter any linked server

      This permission is required for creating and deleting a linked server. The linked server allows distributed queries to be executed.

    • Permission alter any login

      This permission is required for creating and deleting a login name assignment on the local server and a login name on the linked server.

  • Create an SQL Server login for data transfer on the database server that hosts the One Identity Manager database.

  • In Designer, create a database user in the One Identity Manager database.

    To set up the database user in the One Identity Manager database

    1. In Designer, select the category Base data | Security settings | Database server permissions | Database server login.

    2. Click and enter the following information:

      Login name: SQL Server login for data transfer.

      Database user: Database user.

    3. Select the Database and server roles tab and assign the role Database: Data archiving role.

    4. Save the changes.

    The DBQueue Processor creates the database role OneIMHistoryRoleDB and the database user in the One Identity Manager database. The database user is connected with the SQL Server login and added to the database role.

Scenario 3:
  • Create an SQL Server login for data transfer on the database server that hosts the One Identity Manager database.

  • In Designer, create a database user in the One Identity Manager database.

    To set up the database user in the One Identity Manager database

    1. In Designer, select the category Base data | Security settings | Database server permissions | Database server login.

    2. Click and enter the following information:

      Login name: SQL Server login for data transfer.

      Database user: Database user.

    3. Select the Database and server roles tab and assign the role Database: Data archiving role.

    4. Save the changes.

    The DBQueue Processor creates the database role OneIMHistoryRoleDB and the database user in the One Identity Manager database. The database user is connected with the SQL Server login and added to the database role.

  • Set up the linked server and reference the SQL Server login for data transfer.

    To provide a linked server, it is recommended to use the SQL procedures sp_addlinkedserver, sp_setnetname and sp_addlinkedsrvlogin.

  • Keep the link server names ready. You need them when you declare the source database in the One Identity Manager History Database.

  • In the One Identity Manager History Database, enable the configuration parameter HDB | UseNamedLinkedServer.
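The following T-SQL is an added example, not part of the One Identity guide, showing how the Scenario 3 linked server can be set up with the three procedures recommended above. The names OneIMLink, OneIMDbServer, OneIMHistoryService and OneIMDataTransfer are assumed placeholders, and the password is a placeholder to be replaced; the script also removes the default login mapping that sp_addlinkedserver creates, so that only the History Database process login can use the link, and then verifies the mapping.

```sql
-- Run on the server that hosts the One Identity Manager History Database.
-- All server, login and password values below are assumed placeholders.
USE master;
GO

-- 1. Register the linked server under a name of our choosing. With
--    @srvproduct = 'SQL Server' the name initially doubles as the network
--    name, so sp_setnetname is used next to point it at the real host.
EXEC sp_addlinkedserver
    @server     = N'OneIMLink',       -- assumed linked server name
    @srvproduct = N'SQL Server';

-- 2. Point the linked server at the database server that hosts the
--    One Identity Manager database.
EXEC sp_setnetname
    @server  = N'OneIMLink',
    @netname = N'OneIMDbServer';      -- assumed host name of the OneIM server

-- 3. sp_addlinkedserver creates a default mapping in which every local
--    login connects with its own credentials. Drop it so that no other
--    local login can use the link.
EXEC sp_droplinkedsrvlogin
    @rmtsrvname = N'OneIMLink',
    @locallogin = NULL;

-- 4. Map only the History Database process login (the login from
--    DialogDatabase.ConnectionString) to the SQL Server login created for
--    data transfer on the One Identity Manager database server.
EXEC sp_addlinkedsrvlogin
    @rmtsrvname  = N'OneIMLink',
    @useself     = N'FALSE',
    @locallogin  = N'OneIMHistoryService',   -- assumed process login
    @rmtuser     = N'OneIMDataTransfer',     -- assumed data transfer login
    @rmtpassword = N'<replace-with-data-transfer-password>';

-- 5. Verify: exactly one mapping should remain, bound to the process login
--    and not using the caller's own credentials.
SELECT  s.name                AS linked_server,
        sp.name               AS local_login,
        l.uses_self_credential,
        l.remote_name
FROM    sys.servers       AS s
JOIN    sys.linked_logins AS l  ON l.server_id = s.server_id
LEFT JOIN sys.server_principals AS sp ON sp.principal_id = l.local_principal_id
WHERE   s.name = N'OneIMLink';

-- 6. Confirm that the link actually connects before declaring it as the
--    source database in the History Database.
EXEC sp_testlinkedserver N'OneIMLink';
```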

Tips for using more than one SQL Server

NOTE: If the One Identity Manager History Database and the One Identity Manager database are on different servers, only matching versions and patches of the operating system and database system are supported.

If the One Identity Manager History Database and the One Identity Manager database are on different database servers, the following prerequisites for data acquisition must be guaranteed on both servers:

  • The services Microsoft Distributed Transaction Coordinator (DTC), RPC Client and Security Accounts Manager are started.
  • For network communication between the servers, check the firewall settings and, if required, adjust them according to the recommendations of the operating system in use. For more information, refer to the operating system documentation.

Enable the following options in the DTC security settings:

  • Network DTC Access
  • Allow Remote Clients
  • Allow Inbound
  • Allow Outbound
  • No Authentication Required

Configure the security settings in the Microsoft Management Console with the Component Services snap-in.

Figure 1: Configuring DTC Security Settings

The timeout for remote queries should be increased on the database server containing the One Identity Manager database if large amounts of data are transferred from the One Identity Manager History Database to the One Identity Manager database. The default setting is 600 seconds, which corresponds to 10 minutes. If the timeout expires, the data transfer is aborted. The timeout for remote queries should be based on the runtime interval of the data transfer schedule.

You can query the timeout with the following statement:

select * from sys.configurations where name like '%remote query timeout%'

To change the timeout for remote queries, use the following statement:

exec sp_configure 'remote query timeout (s)', <new value>

RECONFIGURE WITH OVERRIDE

where:

<new value> = new timeout value in seconds

Tips for using integrated Windows authentication

If you use Windows integrated authentication, the data transfer takes place with the One Identity Manager History Database's One Identity Manager Service user account.

If the One Identity Manager History Database, the One Identity Manager Service and the One Identity Manager database are on different servers, the following prerequisites have to be fulfilled:

  • The One Identity Manager Service user account requires a Service Principal Name (SPN) for authentication. This can be created with the following command line:

    SetSPN -A HTTP/<Full domain name> <Domain>\<user account>

  • The One Identity Manager Service user account must be available for delegation and use Kerberos for authentication.

    To do this, set the option Trust this user for delegation to any service (Kerberos only) on the Delegations tab in the Microsoft Management Console for Active Directory users and computers.

  • The SQL Server service requires a Service Principal Name for authentication. You can check this with the following command line call:

    SetSPN -L <name of database>

Setting up an Administrative Workstation

The system prerequisites for installing the One Identity Manager History Database tools on an administrative workstation and the permissions required are listed in the One Identity Manager Installation Guide.

You should install at least the following tools on an administrative workstation:

  • HistoryDB Manager
  • Job Queue Info
  • Configuration Wizard
  • Designer

The following prerequisites must be in place on the workstation on which the One Identity Manager History Database schema installation and update is run:

  • Installing the Configuration Wizard
  • Access to the installation sources

    NOTE: If you copy the installation files to a repository, you must ensure that the relative directory tree remains intact.

Use the installation wizard to install One Identity Manager History Database tools on workstations for the first time.

To install components

  1. Launch autorun.exe from the root directory of the One Identity Manager installation medium.
  2. Go to the Other products tab, select One Identity Manager History Database, and click Install.
  3. This starts the installation wizard. Select the language and click Next.
  4. Specify the installation source and target on the Installation settings page.

    • Select the directory with the installation files under Installation source.
    • Select the directory into which to install the History Database files under Installation folder.
    • Click Next.
  5. Specify machine roles and installation packages on Assign machine roles and click Next.

    NOTE: The machine roles appropriate for the One Identity Manager modules are activated. All installation subpackages are selected when you select the machine role. You can deselect individual packages.

  6. You can start different programs for further installation on the last page of the install wizard.
    • To perform installation of the One Identity Manager History Database schema, start the Configuration Wizard and follow the instructions of the Configuration Wizard.

      NOTE: Perform this step only on the work station on which you start the installation of the One Identity Manager History Database schema.

  7. Click Finish to close the installation wizard.
  8. Close the autorun program.