
Identity Manager 8.1.4 - Installation Guide


Setting up the email notification system

One Identity Manager sends email notifications about various actions taken within the system. For example, notifications are sent to the requester and the approvers during the request process. In the same way, notifications about attestation cases are sent and reports are delivered by email. Notifications are also sent when an action is executed successfully or unsuccessfully during process handling.

You can implement custom notifications in addition to predefined notification processes.

To use the notification system

  1. Use the Job Server Editor to set up a Job server as an SMTP host for mail distribution.

  2. In the Designer, check the configuration parameters of the email notification system in the Base data | General | Configuration parameters category and customize the values.

    NOTE: In addition to the configuration parameters listed in the following table, configuration parameters may be necessary for different notification processes. Some configuration parameters are only available if the module is installed.

Table 21: General configuration parameters for mail notification

Configuration parameter

Meaning

Common | InternationalEMail

This parameter specifies whether international domain names and Unicode characters are supported in email addresses.

IMPORTANT: The mail server must also support this function. If necessary, you must override the script VID_IsSMTPAddress.

Common | MailNotification

Notification data.

Common | MailNotification | AcceptSelfSignedCert

If this configuration parameter is set, self-signed TLS connection certificates are accepted.

Common | MailNotification | AllowServerNameMismatchInCert

If this configuration parameter is set, TLS connection certificates whose server name does not match the host name are accepted.

Common | MailNotification | DefaultAddress

Default email address (recipient) for sending notifications.

Common | MailNotification | DefaultCulture

Default language that emails are sent in if no language can be determined for a recipient.

Common | MailNotification | DefaultLanguage

Default language for sending messages.

Common | MailNotification | DefaultSender

Default email address (sender) for sending notifications.

Common | MailNotification | Encrypt

Specifies whether emails are encrypted.

Common | MailNotification | Encrypt | ConnectDC

Domain controller to use.

Common | MailNotification | Encrypt | ConnectPassword

User password. This is optional.

Common | MailNotification | Encrypt | ConnectUser

User account for querying Active Directory. This is optional.

Common | MailNotification | Encrypt | DomainDN

Distinguished name of the domain to search through.

Common | MailNotification | Encrypt | EncryptionCertificateScript

Script that supplies a list of encryption certificates (default: QBM_GetCertificates).

Common | MailNotification | NotifyAboutWaitingJobs

Specifies whether a message should be sent if the process steps have a particular status in the job queue.

Common | MailNotification | SignCertificateThumbprint

SHA1 thumbprint of the certificate to use for the signature. This can be in the computer's or the user's My Store.

Common | MailNotification | SMTPAccount

User account name for authentication on an SMTP server.

Common | MailNotification | SMTPDomain

User account domain for authentication on the SMTP server.

Common | MailNotification | SMTPPassword

User account password for authentication on the SMTP server.

Common | MailNotification | SMTPPort

Port for SMTP services on the SMTP server (default: 25).

Common | MailNotification | SMTPRelay

SMTP server for sending notifications.

Common | MailNotification | SMTPUseDefaultCredentials

If this parameter is set, the One Identity Manager Service login credentials are used for authentication on the SMTP server. If the configuration parameter is not set, the login data defined in the Common | MailNotification | SMTPDomain, Common | MailNotification | SMTPAccount, and Common | MailNotification | SMTPPassword configuration parameters is used.

Common | MailNotification | TransportSecurity

This configuration parameter defines the encryption method for sending notifications by email. If none of the following options is given, the port determines the behavior (port 25 = no encryption, port 465 = SSL/TLS encryption).

Permitted values are:

  • Auto: Identifies the encryption method automatically.

  • SSL: Encrypts the entire session with SSL/TLS.

  • STARTTLS: Uses the STARTTLS mail server extension. Switches on TLS encryption after the greeting and after loading the server capabilities. The connection fails if the server does not support the STARTTLS extension.

  • STARTTLSWhenAvailable: Uses the STARTTLS mail server extension if it is available. Switches on TLS encryption after the greeting and after loading the server capabilities, but only if the server supports the STARTTLS extension.

  • None: No security for the transport layer. All data is sent as plain text.

Common | MailNotification | VendorNotification

Specifies the email address of your company's contact person. The email address is used as the return address for notifying vendors.

If the configuration parameter is set, One Identity Manager generates a list of system settings once a month and sends the list to One Identity. This list does not contain any personal data. You can check the latest system information at any time by selecting Help | Info in the menu. The list will be reviewed by our customer support team, who will look for material changes in a proactive effort to identify potential issues before they materialize on your system. The lists may be used by our R&D staff for analysis, diagnosis, and replication for testing purposes. We will keep and refer to this information for as long as your company remains on support for this product.
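To make the interplay of the transport parameters concrete, the following added example (not One Identity Manager code) resolves the effective session mode from TransportSecurity and SMTPPort, applying the port-based default and the STARTTLS rules listed above, and flags settings such as AcceptSelfSignedCert and AllowServerNameMismatchInCert that weaken certificate checks. The class and function names are my own, and the handling of Auto is an assumption, since the guide only says it is determined automatically.

```python
"""Resolve the effective SMTP transport for the Common | MailNotification
parameters and audit the weaker settings. Added example, not One Identity
code; class and function names are my own."""
from dataclasses import dataclass

TRANSPORT_VALUES = {"Auto", "SSL", "STARTTLS", "STARTTLSWhenAvailable", "None"}


@dataclass
class MailNotificationConfig:
    transport_security: str = ""                # TransportSecurity ("" = not set)
    smtp_port: int = 25                         # SMTPPort (default 25)
    accept_self_signed_cert: bool = False       # AcceptSelfSignedCert
    allow_server_name_mismatch: bool = False    # AllowServerNameMismatchInCert
    smtp_use_default_credentials: bool = False  # SMTPUseDefaultCredentials
    smtp_account: str = ""                      # SMTPAccount
    smtp_password: str = ""                     # SMTPPassword


def resolve_transport(cfg: MailNotificationConfig, server_offers_starttls: bool) -> str:
    """Return "implicit-tls", "starttls" or "plaintext" for the SMTP session.

    Raises ConnectionError when STARTTLS is required but the server does not advertise it.
    """
    value = cfg.transport_security
    if value == "":
        # No option given: the port decides (25 = no encryption, 465 = SSL/TLS).
        value = "SSL" if cfg.smtp_port == 465 else "None"
    if value not in TRANSPORT_VALUES:
        raise ValueError(f"unknown TransportSecurity value: {value!r}")
    if value == "SSL":
        return "implicit-tls"
    if value == "STARTTLS":
        if not server_offers_starttls:
            raise ConnectionError("server does not advertise STARTTLS; connection fails")
        return "starttls"
    if value == "STARTTLSWhenAvailable":
        return "starttls" if server_offers_starttls else "plaintext"
    if value == "Auto":
        # Assumption: Auto means implicit TLS on port 465, otherwise opportunistic STARTTLS.
        if cfg.smtp_port == 465:
            return "implicit-tls"
        return "starttls" if server_offers_starttls else "plaintext"
    return "plaintext"  # "None": everything, including credentials, is sent in clear


def audit(cfg: MailNotificationConfig, server_offers_starttls: bool) -> list:
    """List the settings that weaken transport protection for this configuration."""
    findings = []
    uses_credentials = cfg.smtp_use_default_credentials or bool(cfg.smtp_account)
    try:
        transport = resolve_transport(cfg, server_offers_starttls)
    except ConnectionError as exc:
        return [f"mail delivery fails: {exc}"]
    if transport == "plaintext" and uses_credentials:
        findings.append("SMTP credentials are sent unencrypted")
    if cfg.transport_security == "STARTTLSWhenAvailable":
        findings.append("opportunistic STARTTLS: a downgrade to plaintext is not detected")
    if transport != "plaintext" and cfg.accept_self_signed_cert:
        findings.append("AcceptSelfSignedCert disables certificate chain validation")
    if transport != "plaintext" and cfg.allow_server_name_mismatch:
        findings.append("AllowServerNameMismatchInCert disables host name checking")
    return findings
```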

Table 22: Additional parameters for email notifications

Configuration parameter

Description

QER | Attestation | DefaultSenderAddress

This configuration parameter contains the sender email address for messages automatically generated for attestation.

QER | ComplianceCheck | EmailNotification | DefaultSenderAddress

This configuration parameter contains the sender email address for automatically generated messages during rule checking.

QER | ITShop | DefaultSenderAddress

This configuration parameter contains the sender email address for automatically generated messages within the IT Shop.

QER | Policy | EmailNotification | DefaultSenderAddress

This configuration parameter contains the sender email address for automatically generated messages within company policy checking.

QER | RPS | DefaultSenderAddress

This configuration parameter contains the sender email address for automatically generated notifications.

TargetSystem | ADS | DefaultAddress

The configuration parameter contains the recipient's default email address for sending notifications about actions in the Active Directory target system.

TargetSystem | ADS | Exchange2000 | DefaultAddress

The configuration parameter contains the recipient's default email address for sending notifications about actions in the Microsoft Exchange target system.

TargetSystem | ADS | MemberShipRestriction | MailNotification

This configuration parameter contains the default email address for sending warnings by email.

TargetSystem | AzureAD | DefaultAddress

The configuration parameter contains the recipient's default email address for sending notifications about actions in the Azure Active Directory target system.

TargetSystem | AzureAD | ExchangeOnline | DefaultAddress

The configuration parameter contains the recipient's default email address for sending notifications about actions in the Exchange Online target system.

TargetSystem | CSM | DefaultAddress

The configuration parameter contains the recipient's default email address for sending notifications about actions in the cloud target system.

TargetSystem | EBS | DefaultAddress

The configuration parameter contains the recipient's default email address for sending notifications about actions in the target system.

TargetSystem | LDAP | DefaultAddress

The configuration parameter contains the recipient's default email address for sending notifications about actions in the LDAP target system.

TargetSystem | NDO | DefaultAddress

The configuration parameter contains the recipient's default email address for sending notifications about actions in the IBM Notes target system.

TargetSystem | SAPR3 | DefaultAddress

The configuration parameter contains the recipient's default email address for sending notifications about actions in the SAP R/3 target system.

TargetSystem | SharePoint | DefaultAddress

The configuration parameter contains the recipient's default email address for sending notifications about actions in the SharePoint target system.

TargetSystem | Unix | DefaultAddress

The configuration parameter contains the recipient's default email address for sending notifications about actions in the Unix target system.

TargetSystem | UNS | DefaultAddress

The configuration parameter contains the recipient's default email address for sending notifications about actions in the custom target system.

TargetSystem | PAG | DefaultAddress

The configuration parameter contains the recipient's default email address for sending notifications about actions in the Privileged Account Management system.

Installing and configuring the One Identity Manager Service

The One Identity Manager Service handles defined processes. The service has to be installed on the One Identity Manager network server to execute the processes. The server must be declared as a Job server in the One Identity Manager database.

Setting up a Job server requires the following steps:

  • Create an entry for the Job server in the One Identity Manager database.

  • Specify the machine roles and server functions for the Job server.

    The installation packages to install on the Job server are determined by the selected machine roles. The server function defines the functionality of a server in One Identity Manager. One Identity Manager processes are handled with respect to the server function.

  • Install the One Identity Manager Service.

  • Configure the One Identity Manager Service.

  • Start the One Identity Manager Service.

NOTE: On Linux operating systems, use of the oneidentity/oneim-job Docker images is recommended.

Setting up Job servers

Each One Identity Manager Service within the network must have a unique queue identifier. The process steps are requested by the Job queue using exactly this queue name:

  • Enter this queue name in the One Identity Manager Service configuration file.

  • A Job server must be known in the One Identity Manager database for each queue.

There are several methods for setting up a Job server:

  • For the initial schema installation with the Configuration Wizard, you already set up a Job server with the SQL processing server and Update server server functions. Use the Configuration Wizard to configure the service and install the service remotely on a server.

  • To configure further Job servers, use the Server Installer program.

    Using the Server Installer, you create the Job server with its machine roles and server functions in the database. Use the Server Installer to configure the service and install the service remotely on a server.

  • You can create Job servers in the Designer.

    In the Designer, you can create a Job server with the machine roles and server functions, configure the service on the server and install the service remotely. For detailed information, see One Identity Manager Configuration Guide.

  • If a remote installation is not possible, you can install and configure the service locally on a server.

    • Install the service components on the server using the installation wizard.

    • Configure the service using the Job Service Configuration program. For more detailed information about configuring the One Identity Manager Service, see the One Identity Manager Configuration Guide.

    • If the Common | Jobservice | AutoCreateServerFromQueues configuration parameter is enabled, in response to queries from the One Identity Manager Service for unknown queues, new Job servers are created in the database. Information about machine roles and server functions is transferred to the database.

NOTE: If you subsequently change server functions for a Job server in the database, for example using the Designer, the system checks whether the required components are installed on the server, and updates the server if necessary. To enable this, automatic software updates must be active.

Remote installation of the One Identity Manager Service with the Server Installer

IMPORTANT: If you are working with an encrypted One Identity Manager database, see Advice on working with an encrypted One Identity Manager database.

Use the Server Installer to install the One Identity Manager Service. The program executes the following steps:

  • Sets up a Job server.

  • Specifies machine roles and server functions for the Job server.

  • Remotely installs One Identity Manager Service components corresponding to the machine roles.

  • Configures the One Identity Manager Service.

  • Starts the One Identity Manager Service.

NOTE: To generate processes for the Job server, you need the provider, connection parameters, and the authentication data. By default, this information is determined from the database connection data. If the Job server runs through an application server, you must configure extra connection data in the Designer. For detailed information about setting up Job servers, see the One Identity Manager Configuration Guide.

NOTE: The program performs a remote installation of the One Identity Manager Service. Local installation of the service is not possible with this program. Remote installation is only supported within a domain or a trusted domain.

To remotely install the One Identity Manager Service, you must have an administrative workstation on which the One Identity Manager components are installed.

To remotely install and configure One Identity Manager Service on a server

  1. Start the Server Installer program on your administrative workstation.

  2. On the Database connection page, enter the valid connection credentials for the One Identity Manager database.

  3. On the Server properties page, specify the server on which you want to install the One Identity Manager Service.

    1. Select a Job server from the Server menu.

      - OR -

      To create a new Job server, click Add.

    2. Enter the following data for the Job server.

      • Server: Name of the Job server.

      • Queue: Name of the queue to handle the process steps. Each One Identity Manager Service within the network must have a unique queue identifier. The process steps are requested by the Job queue using this unique queue identifier. The queue identifier is entered in the One Identity Manager Service configuration file.

      • Full server name: Full server name in accordance with DNS syntax.

        Syntax:

        <Name of server>.<Fully qualified domain name>

      NOTE: You can use the Extended option to make changes to other properties for the Job server. You can also edit the properties later with the Designer.

  4. On the Machine roles page, specify which roles the Job server is to have in One Identity Manager. The installation packages to install on the Job server are determined by the selected machine roles.

  5. On the Server functions page, specify the function of the server in the One Identity Manager environment. One Identity Manager processes are handled with respect to the server function.

    The server's functions depend on which machine roles you have selected. You can limit the server's functionality further here.

  6. On the Service Settings page, enter the connection data and check the One Identity Manager Service configuration.

    NOTE: The initial service configuration is predefined. If further changes need to be made to the configuration, you can do this later with the Designer. For detailed information about configuring the service, see the One Identity Manager Configuration Guide.

    • For a direct connection to the database:

      1. Select Process collection | sqlprovider.

      2. Click the Connection parameter entry, then click the Edit button.

      3. Enter the connection data for the One Identity Manager database.

    • For a connection to the application server:

      1. Select Process collection, click the Insert button and select AppServerJobProvider.

      2. Click the Connection parameter entry, then click the Edit button.

      3. Enter the connection data for the application server.

      4. Click the Authentication data entry and click the Edit button.

      5. Select the authentication module. Depending on the authentication module, other data may be required, such as user and password. For detailed information about the One Identity Manager authentication modules, see the One Identity Manager Authorization and Authentication Guide.

  7. To configure remote installations, click Next.

  8. Confirm the security prompt with Yes.

  9. On the Select installation source page, select the directory with the install files.

  10. On the Select private key file page, select the file with the private key.

    NOTE: This page is only displayed when the database is encrypted.

  11. On the Service access page, enter the service's installation data.

    • Computer: Name or IP address of the server that the service is installed and started on.

    • Service account: User account data for the One Identity Manager Service.

      • To start the service under the NT AUTHORITY\SYSTEM account, set the Local system account option.

      • To start the service under another account, disable the Local system account option and enter the user account, password and password confirmation.

    • Installation account: Data for the administrative user account to install the service.

      • To use the current user’s account, set the Current user option.

      • To use another user account, disable the Current user option and enter the user account, password and password confirmation.

    • To change the install directory, names, display names, or description of the One Identity Manager Service, use the other options.

  12. Click Next to start installing the service.

    Installation of the service occurs automatically and may take some time.

  13. Click Finish on the last page of the Server Installer.

    NOTE: In a default installation, the service is entered in the server’s service management with the name One Identity Manager Service.
