Chat now with support
Chat with Support

Identity Manager 9.2.1 - Installation Guide

About this guide One Identity Manager overview Installation prerequisites Installing One Identity Manager Installing and configuring the One Identity Manager Service Automatic updating of One Identity Manager Updating One Identity Manager Installing additional modules for a existing One Identity Manager installation Installing and updating an application server Installing the API Server Installing, configuring, and maintaining the Web Designer Web Portal Installing and updating the Manager web application Logging in to One Identity Manager tools Troubleshooting Advanced configuration of the Manager web application Machine roles and installation packages Configuration parameters for the email notification system How to configure the One Identity Manager database using SQL Server AlwaysOn availability groups

Configuration parameters for the email notification system

Use the following configuration parameters to configure the email notification system.

Table 54: General configuration parameters for mail notification

Configuration parameter

Meaning

Common | InternationalEMail

Specifies whether international domain names and unicode characters are supported in email addresses.

IMPORTANT: The mail server must also support this function. If necessary, you must override the script VID_IsSMTPAddress

Common | MailNotification

Specifies whether the configuration subparameters that deal with notifications take effect.

Common | MailNotification | AcceptSelfSignedCert

Specifies whether self-signed certificates for TLS connections are accepted.

Common | MailNotification | AllowServerNameMismatchInCert

Specifies whether server names that do not match are permitted by certificates for TLS connections.

Common | MailNotification | DefaultAddress

Default email address of the recipient of the notifications.

Common | MailNotification | DefaultCulture

Default language used to send email notifications if a language cannot be determined for a recipient.

Common | MailNotification | DefaultLanguage

Default language for sending email notifications.

Common | MailNotification | DefaultSender

Sender's default email address for sending automatically generated notifications.

Syntax:

sender@example.com

Example:

NoReply@company.com

You can enter the sender's display name in addition to the email address. In this case, ensure that the email address is enclosed in chevrons (<>).

Example:

One Identity <NoReply@company.com>

Common | MailNotification | Encrypt

Specifies whether emails are encrypted.

Common | MailNotification | Encrypt | ConnectDC

Domain controller of the requested domain to use.

Common | MailNotification | Encrypt | ConnectPassword

Password of the user account. This is optional.

Common | MailNotification | Encrypt | ConnectUser

User account for querying Active Directory. This is optional.

Common | MailNotification | Encrypt | DomainDN

Distinguished name of the domain to request.

Common | MailNotification | Encrypt | EncryptionCertificateScript

This configuration parameter contains the script that supplies a list of encrypted certificates (default: QBM_GetCertificates).

Common | MailNotification | NotifyAboutWaitingJobs

Specifies whether a message should be sent if the process steps have a particular status in the Job queue.

Common | MailNotification | SignCertificateThumbprint

SHA1 thumbprint of the certificate to use for the signature. This can be in the computer's or the user's certificate store.

NOTE: Ensure that the private key in the certificate is marked as exportable.

Common | MailNotification | SMTPAccount

User account name for authentication on an SMTP server.

Common | MailNotification | SMTPDomain

User account domain for authentication on the SMTP server.

Common | MailNotification | SMTPPassword

User account password for authentication on the SMTP server.

Common | MailNotification | SMTPPort

Port of the SMTP service on the SMTP server. Default: 25

Common | MailNotification | SMTPRelay

SMTP server for sending email notifications. If a server is not given, localhost is used.

Common | MailNotification | SMTPUseDefaultCredentials

Specifies which credentials are used for authentication on the SMTP server.

If this parameter is set, the One Identity Manager Service login credentials are used for authentication on the SMTP server.

If the configuration parameter is not set, the login data defined in the Common | MailNotification | SMTPDomain and Common | MailNotification | SMTPAccount or Common | MailNotification | SMTPPassword configuration parameters is used. (Default)

Common | MailNotification | TransportSecurity

Encryption method for sending email notifications. If none of the following options are given, the port is used to define the behavior (port 25: no encryption, port 465: with SSL/TLS encryption).

Permitted values are:

  • Auto: Identifies the encryption method automatically.

  • SSL: Encrypts the entire session with SSL/TLS.

  • STARTTLS: Uses the STARTTLS mail server extension. Switches TLS encryption after the greeting and loading the server capabilities. The connection fails if the server does not support the STARTTLS extension.

  • STARTTLSWhenAvailable: Uses the STARTTLS mail server extension if available. Switches on TLS encryption after the greeting and loading the server capabilities, however, only if it supports the STARTTLS extension.

  • None: No security for the transport layer. All data is sent as plain text.

Common | MailNotification | VendorNotification

Email address of your company's contact person. The email address is used as the return address for notifying vendors.

If the configuration parameter is set, One Identity Manager generates a list of system settings once a month and sends the list to One Identity. This list does not contain any personal data. You can check the latest system information at any time by selecting Help > Info in the menu.

The list will be reviewed by our customer support team, who will look for material changes in a proactive effort to identify potential issues before they materialize on your system. The lists may be used by our R&D staff for analysis, diagnosis, and replication for testing purposes. We will keep and refer to this information for as long as your company remains on support for this product.

Table 55: Additional parameters for email notifications
Configuration parameters Description

QER | Attestation | DefaultSenderAddress

Sender's default email address for sending automatically generated notifications about attestation cases. Replace the default address with a valid email address.

QER | ComplianceCheck | EmailNotification | DefaultSenderAddress

Sender's default email address for sending automatically generated notifications about rule checking. Replace the default address with a valid email address.

QER | ITShop | DefaultSenderAddress

Sender's default email address for sending automatically generated notifications about requests. Replace the default address with a valid email address.

QER | Policy | EmailNotification | DefaultSenderAddress

Sender's default email address for sending automatically generated notifications when company policies are checked. Replace the default address with a valid email address.

QER | RPS | DefaultSenderAddress

Sender's default email address for sending automatically generated notifications about report subscriptions. Replace the default address with a valid email address.

TargetSystem | ADS | DefaultAddress

Default email address of the recipient for notifications about actions in the Active Directory target system.

TargetSystem | ADS | Exchange2000 | DefaultAddress

Default email address of the recipient for notifications about actions in the Microsoft Exchange target system.

TargetSystem | ADS | MemberShipRestriction | MailNotification

Default email address for sending warning emails.

TargetSystem | AzureAD | DefaultAddress

Default email address of the recipient for notifications about actions in the Azure Active Directory target system.

TargetSystem | AzureAD | ExchangeOnline | DefaultAddress

Default email address of the recipient for notifications about actions in the Exchange Online target system.

TargetSystem | CSM | DefaultAddress

Default email address of the recipient for notifications about actions in the cloud target system.

TargetSystem | EBS | DefaultAddress

Default email address of the recipient for notifications about actions in the Oracle E-Business Suite target system.

TargetSystem | LDAP | DefaultAddress

Default email address of the recipient for notifications about actions in the LDAP target system.

TargetSystem | NDO | DefaultAddress

Default email address of the recipient for notifications about actions in the HCL Domino target system.

TargetSystem | OneLogin | DefaultAddress

Default email address of the recipient for notifications about actions in the OneLogin target system.

TargetSystem | PAG| DefaultAddress

Default email address of the recipient for notifications about actions in the Privileged Account Management system.

TargetSystem | SAPR3 | DefaultAddress

Default email address of the recipient for notifications about actions in the SAP R/3 target system.

TargetSystem | SharePoint | DefaultAddress

Default email address of the recipient for notifications about actions in the SharePoint target system.

TargetSystem | Unix | DefaultAddress

Default email address of the recipient for notifications about actions in the Unix-based target system.

TargetSystem | UNS | DefaultAddress

Default email address of the recipient for notifications about actions in the custom target system.

Detailed information about this topic

How to configure the One Identity Manager database using SQL Server AlwaysOn availability groups

Only the settings for working with One Identity Manager are described below. For more information about SQL Server AlwaysOn availability groups, see Always On availability groups: a high-availability and disaster-recovery solution.

NOTE: If you want to include a One Identity Manager database in an SQL Server AlwaysOn availability group, note that one availability group is required per availability database.

Example:

You want two databases (for example, UAC and QA) to be part of an SQL Server AlwaysOn availability group as availability databases. Each database requires its own availability group (for example, AGUAC and AGQA).

NOTE: Custom SQL Server logins for the One Identity Manager database must be available on all nodes.

If you are working with granular permissions, you must also provide the SQL Server logins on all nodes. Ensure that a SQL Server login with the connected server roles is created on all nodes with the same security ID (SID), otherwise failover problems may occur.

Prerequisite

A failover cluster manager has been configured. Therefore, run the Server Manager on the database server and install the Failover Clustering feature.

Installing One Identity Manager
  1. Run the program Configuration Wizard against a cluster node and follow the installation instructions.

  2. Install and launch the One Identity Manager Service. After all processes in the Job queue have been processed, stop the One Identity Manager Service.

  3. Run the Designer and set up the staging layer for the database.

  4. In SQL Server Management Studio, change the recovery model for the One Identity Manager database from Simple to Full.

  5. Create a full backup of the database.

  6. Make sure that the firewall is configured to support cluster communication.

  7. Run the SQL Server Configuration Manager and locate the SQL Server service. Open the properties and enable Always-On Availability Groups. Restart the SQL Server service on all nodes.

    For more information, see Enable or Disable Always On availability group feature.

Configuring the SQL Server AlwaysOn availability groups
  1. In SQL Server Management Studio, connect the server instance that hosts the primary node. To configure the availability groups, navigate to AlwaysOn High Availability, right-click and select New Availability Group Wizard.

    For more information about the New Availability Group Wizard, see Use the Availability Group Wizard (SQL Server Management Studio).

  2. In the New Availability Group Wizard, enter the name of the new availability group and select the One Identity Manager database to be included in the new availability group.

  3. In the New Availability Group Wizard, you create and configure a replica for the new availability group.

    1. Add the secondary SQL Server cluster node.

    2. Enable automatic failover and synchronous handover for both nodes.

    3. Make all nodes a readable secondary node; select the Yes value.

    4. Specify an availability group listener.

      For example, for the DNS name, use the same name as the availability group but with the suffix "L", and use port 1433. Assign an IP address on the same subnet as the SQL Server.

      For more information, see Specify Replicas Page (New Availability Group Wizard: Add Replica Wizard).

  4. In the New Availability Group Wizard, you define the settings for data synchronization. The settings for data synchronization depend on your infrastructure.

    If you are using a network share to synchronize data between replicas, select the Full option and specify the network location. Server instances hosting a replica require read and write access to the share.

One Identity Manager configuration
  1. Run the program Database Compiler. Connect to the primary node and compile the database. Do not change the database connection data at this time.

    For more information, see the One Identity Manager Operational Guide.

  2. Then update the database connection data in the Designer.

    1. Start the Designer and connect to the primary node.

    2. In the Designer, select the Base Data > General > Databases category.

    3. Select the database in the List Editor.

    4. Select the Define connection string for database task.

    5. Enter the connection data for the database. Use the DNS name of the listener instead of the server name.

    For more information, see the One Identity Manager Configuration Guide.

  3. Run the program Database Compiler and compile the database. Use the listener.

  4. Run the Job Service Configuration and change the connection details for the One Identity Manager Service. Use the listener.

    It is recommended to change the queue name to better reflect the cluster. Note that you also update the queue name in Designer.

    For more information, see the One Identity Manager Configuration Guide.

  5. Ensure that Job servers, application servers, front-ends, web applications, and synchronization projects use the listener to log in to the database.

Related topics
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating