Identity Manager 9.3 - Installation Guide

Load balancing of the Manager web application

The Manager web application provides simple load balancing in order to distribute user sessions and the resulting load across multiple processes or even servers. To do this, the application is installed multiple times on the same or on other servers.

All collaborating applications that can be logged in to are declared in the application's Application pool. The selection algorithm for load distribution distributes user logins across the defined applications.

NOTE: Even if only one application is installed, it must be defined in your application pool, otherwise you cannot log in.

Table 32: Supported algorithms for load balancing
Algorithm Description

DistributeEqually

This algorithm distributes user logins such that each application in one language has the same number of active users, if possible. This algorithm is the default and is required in most cases.

DistributeSuccessively

This algorithm distributes user logins in the order in which the applications are defined in the application pool. First, all user logins are forwarded to the first application in the desired language. When this application has reached its maximum load, logins are forwarded to the next application.

Load balancing solves the following problems:

  • Multilingual

    The language is fixed per application, so an application can only provide user sessions in one language. If users can log in with multiple languages, at least one application must be installed for each language.

  • Bypassing resource limitations

    If multiple web applications are installed and these are assigned to different Internet Information Services application pools, these are started in separate processes.

  • Increasing performance

    Performance can be noticeably improved by installing on several servers.

  • Redundancy

    With multiple installations, the failure of a single installed application does not necessarily result in a complete outage.
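The following is an added example (Python, not part of this guide or of the One Identity Manager product): a model of how the two algorithms in Table 32 choose the application that receives a login, including the per-language restriction and the maximum-load behaviour described above. The class and function names, the `max_users` attribute and the sample pool are assumptions made for the example.

```python
"""Model of the Manager web application's two load-balancing algorithms.

Added example, not code from the One Identity Manager product. Only the
algorithm names (DistributeEqually, DistributeSuccessively), the
one-language-per-application rule and the maximum-load behaviour come
from the guide; class and function names and the sample pool are assumed.
"""
from dataclasses import dataclass


@dataclass
class Application:
    """One installed Manager web application in the application pool."""
    name: str
    language: str          # fixed per application: one language each
    max_users: int         # assumed upper bound on active sessions
    active_users: int = 0  # constructed sample state


class NoApplicationAvailable(Exception):
    """Raised when no application in the pool can accept the login."""


def select_application(pool, language, algorithm="DistributeEqually"):
    """Pick the application that receives the next login for `language`.

    DistributeEqually: the candidate with the fewest active users (ties go
    to pool order). DistributeSuccessively: the first candidate in pool
    order that has not yet reached its maximum load.
    """
    candidates = [app for app in pool
                  if app.language == language and app.active_users < app.max_users]
    if not candidates:
        # Covers both "no application for this language" and "all full".
        raise NoApplicationAvailable(f"no free application for language {language!r}")
    if algorithm == "DistributeEqually":
        return min(candidates, key=lambda app: app.active_users)
    if algorithm == "DistributeSuccessively":
        return candidates[0]
    raise ValueError(f"unknown algorithm {algorithm!r}")


def simulate_logins(pool, languages, algorithm):
    """Forward each login in `languages` to an application and return the
    resulting active-user count per application (name -> count)."""
    for language in languages:
        select_application(pool, language, algorithm).active_users += 1
    return {app.name: app.active_users for app in pool}


def sample_pool():
    """Constructed application pool: two English and one German application."""
    return [
        Application("web-en-1", "en-US", max_users=3),
        Application("web-en-2", "en-US", max_users=3),
        Application("web-de-1", "de-DE", max_users=2),
    ]


if __name__ == "__main__":
    logins = ["en-US"] * 4 + ["de-DE"] * 2
    print(simulate_logins(sample_pool(), logins, "DistributeEqually"))
    print(simulate_logins(sample_pool(), logins, "DistributeSuccessively"))
```

Running the block shows the difference directly: with four English logins, DistributeEqually leaves two sessions on each English application, while DistributeSuccessively fills the first application to its maximum before the second receives anything. A login in a language with no application in the pool fails, which is the situation the note about the application pool warns about.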

Manager web application single sign-on

The Manager web application supports a single sign-on mechanism that enables authentication of a user without the user having to repeatedly enter their user name and password.

Prerequisites required:

  • Anonymous access disabled.

  • Configuration of an authentication module capable of single sign-on.

    For more information about One Identity Manager authentication modules, see the One Identity Manager Authorization and Authentication Guide.

  • Permissions in the application’s own application pool.

You can disable anonymous access on the web server. This means the user's browser must provide the data required for authentication.

To disable anonymous access

  1. Open the configuration of the Manager web application in Internet Information Services and open the Authentication configuration.

  2. Change the status of Anonymous Authentication to disabled.

Machine roles and installation packages

The following table contains possible machine roles and installation package descriptions. The machine role selected determines which installation packages are installed on a workstation or on a Job server.

For more information about machine roles, see the One Identity Manager Configuration Guide.

NOTE: Other machine roles and installation packages may be available depending on which One Identity Manager modules are installed.

Table 33: Machine role and installation package options
Machine role Description of the installation package

Database Agent

Contains the DatabaseAgentServiceCmd.exe program for running the Database Agent Service from the command line.

Documentation

Contains One Identity Manager documentation in different languages.

Server

Contains all the basic components for setting up a server.

Server | Job Server

Contains the One Identity Manager Service and basic processing components. Additional machine roles contain connectors for synchronizing individual target systems.

Server | Job Server | Configuration tool

Contains the configuration tool for the One Identity Manager Service.

Server | Web

Contains all the basic components for setting up a web server.

Server | Web | Application Server

Contains the components for setting up an application server. The machine roles Search Service and Search Indexing Service are required for indexing the full-text search. These machine roles are always used together.

Server | Web | Business API Server

Contains the components for setting up an API Server.

Server | Web | Business API Server | Application Insights Integration

Contains the plugin for integration with Microsoft Application Insights.

Server | Web | Business API Server | SCIM Provider

Contains the SCIM plugin for the API Server.

Server | Web | Manager Web Application

Contains the tools for installing and configuring the Manager on a web server.

Workstation

Contains all basic components for installing tools on an administrative workstation.

Workstation | Administration

Contains administration tools required by default users for fulfilling their tasks with One Identity Manager. In addition to the tools that ensure basic functionality for working with One Identity Manager, the administration machine role includes the Manager as a main administration tool.

Workstation | Command line administration tools

Contains various command line programs.

Workstation | Configuration

Contains all tools for the default user and additional programs required to configure the system. For example, these include the Configuration Wizard, Database Compiler, Database Transporter, Crypto Configuration, Designer as well as configuration tools for the One Identity Manager Service.

Workstation | Development and Testing

Contains the tools to develop and test custom scripts, such as the System Debugger.

Workstation | Monitoring

Contains programs for monitoring the system status, for example the Job Queue Info program.

Configuration parameters for the email notification system

Use the following configuration parameters to configure the email notification system.

NOTE: Some configuration parameters are only available if the corresponding One Identity Manager modules are installed.

Table 34: General configuration parameters for mail notification

Configuration parameter

Meaning

Common | InternationalEMail

Specifies whether international domain names and unicode characters are supported in email addresses.

IMPORTANT: The mail server must also support this function. If necessary, you must override the VID_IsSMTPAddress script.

Common | MailNotification

Specifies whether the configuration subparameters that deal with notifications take effect.

Common | MailNotification | AcceptSelfSignedCert

Specifies whether self-signed certificates for TLS connections are accepted.

Common | MailNotification | AllowServerNameMismatchInCert

Specifies whether server names that do not match are permitted by certificates for TLS connections.

Common | MailNotification | DefaultAddress

Default email address of the recipient of the notifications.

Common | MailNotification | DefaultCulture

Default language used to send email notifications if a language cannot be determined for a recipient.

Common | MailNotification | DefaultLanguage

Default language for sending email notifications.

Common | MailNotification | DefaultSender

Sender's default email address for sending automatically generated notifications.

Syntax:

sender@company.com

Example:

noreply@company.com

You can enter the sender's display name in addition to the email address. In this case, ensure that the email address is enclosed in chevrons (<>).

Example:

One Identity <noreply@company.com>

Common | MailNotification | Encrypt

Specifies whether emails are encrypted.

Common | MailNotification | Encrypt | AuthenticationType

Authentication method for logging in to LDAP.

Permitted values are:

  • Basic: Uses default authentication.

  • Negotiate: Uses Negotiate authentication from Microsoft.

  • Kerberos: Uses Kerberos authentication.

  • NTLM: Uses Windows NT Challenge/Response (NTLM) authentication.

Default: Basic

For more information about authentication types, see the MSDN Library.

Common | MailNotification | Encrypt | ConnectDC

Domain controller of the requested domain to use.

Common | MailNotification | Encrypt | ConnectPassword

Password of the user account. This is optional.

Common | MailNotification | Encrypt | ConnectUser

User account for querying Active Directory. This is optional.

Common | MailNotification | Encrypt | DomainDN

Distinguished name of the domain to request.

Common | MailNotification | Encrypt | EncryptionCertificateScript

Script that supplies a list of encryption certificates. Default: QBM_GetCertificates

This script is parametrized with the other Encrypt parameters and creates an Active Directory request with the given user and password in the form LDAP://<connect domain controller>:389/<domain to query>.

Common | MailNotification | Encrypt | Port

Server port for secure access to LDAP. Default: 389

Common | MailNotification | Encrypt | UseSSL

Specifies whether to use an SSL/TLS encrypted connection.

Common | MailNotification | NotifyAboutWaitingJobs

Specifies whether a message should be sent if the process steps have a particular status in the Job queue.

Common | MailNotification | O365ClientId

Application client ID used to send the emails. You can find your application ID in the Microsoft Entra ID admin center under Applications > App registrations > <your application> > Overview > Application (client) ID.

Common | MailNotification | SignCertificateThumbprint

SHA1 thumbprint of the certificate to use for the signature. This can be in the computer's or the user's certificate store.

NOTE: Ensure that the private key in the certificate is marked as exportable.

Common | MailNotification | SMTPAccount

User account name for authentication on an SMTP server.

Common | MailNotification | SMTPDomain

User account domain for authentication on the SMTP server.

Common | MailNotification | SMTPPassword

User account password for authentication on the SMTP server.

Common | MailNotification | SMTPPort

Port of the SMTP service on the SMTP server. Default: 25

Common | MailNotification | SMTPRelay

SMTP server for sending email notifications. If a server is not given, localhost is used.

Common | MailNotification | SMTPUseDefaultCredentials

Specifies which credentials are used for authentication on the SMTP server.

If this parameter is set, the One Identity Manager Service login credentials are used for authentication on the SMTP server.

If the configuration parameter is not set, the login data defined in the Common | MailNotification | SMTPDomain, Common | MailNotification | SMTPAccount, and Common | MailNotification | SMTPPassword configuration parameters is used. (Default)

Common | MailNotification | TransportSecurity

Encryption method for sending email notifications. If none of the following options are given, the port is used to define the behavior (port 25: no encryption, port 465: with SSL/TLS encryption).

Permitted values are:

  • Auto: Identifies the encryption method automatically.

  • SSL: Encrypts the entire session with SSL/TLS.

  • STARTTLS: Uses the STARTTLS mail server extension. Switches on TLS encryption after the greeting and loading the server capabilities. The connection fails if the server does not support the STARTTLS extension.

  • STARTTLSWhenAvailable: Uses the STARTTLS mail server extension if available. Switches on TLS encryption after the greeting and loading the server capabilities, but only if the server supports the STARTTLS extension; otherwise the connection continues without encryption.

  • None: No security for the transport layer. All data is sent as plain text.

Common | MailNotification | VendorNotification

Email address of your company's contact person. The email address is used as the return address for notifying vendors.

If the configuration parameter is set, One Identity Manager generates a list of system settings once a month and sends the list to One Identity. This list does not contain any personal data. You can check the latest system information at any time by selecting Help > Info in the menu.

The list will be reviewed by our customer support team, who will look for material changes in a proactive effort to identify potential issues before they materialize on your system. The lists may be used by our R&D staff for analysis, diagnosis, and replication for testing purposes. We will keep and refer to this information for as long as your company remains on support for this product.
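The following is an added example (Python, not part of this guide or of the One Identity Manager product) that ties several rows of Table 34 together: it resolves the transport mode that actually applies from Common | MailNotification | TransportSecurity and SMTPPort, builds a TLS context that makes the effect of AcceptSelfSignedCert and AllowServerNameMismatchInCert explicit, and validates the DefaultSender format with its chevron rule. Only the parameter names, permitted values and port defaults come from the guide; the function names, the dictionary-based configuration and the sample values are assumptions.

```python
"""Effective SMTP transport security and TLS validation posture derived
from the Common | MailNotification | ... parameters.

Added example, not One Identity Manager code. Only the parameter names,
their permitted values and the port defaults come from the guide; the
function names, the dictionary-based configuration and the sample values
are assumptions.
"""
import ssl

# Constructed sample configuration: keys are the guide's parameter paths.
SAMPLE_CONFIG = {
    "Common | MailNotification | SMTPRelay": "smtp.example.invalid",
    "Common | MailNotification | SMTPPort": "465",
    "Common | MailNotification | TransportSecurity": "",
    "Common | MailNotification | AcceptSelfSignedCert": "False",
    "Common | MailNotification | AllowServerNameMismatchInCert": "False",
    "Common | MailNotification | DefaultSender": "One Identity <noreply@company.com>",
}

TRANSPORT_MODES = {"Auto", "SSL", "STARTTLS", "STARTTLSWhenAvailable", "None"}


def as_bool(value):
    """Interpret a configuration parameter value as a flag."""
    return str(value).strip().lower() in {"1", "true", "yes"}


def effective_transport(config):
    """Return the transport mode that will actually be used.

    An explicit TransportSecurity value wins. Without one, the port decides
    as the guide states: 25 -> no encryption, 465 -> SSL/TLS. For any other
    port the guide defines no fallback, so None is returned.
    """
    mode = config.get("Common | MailNotification | TransportSecurity", "").strip()
    if mode:
        if mode not in TRANSPORT_MODES:
            raise ValueError(f"unsupported TransportSecurity value {mode!r}")
        return mode
    port = int(config.get("Common | MailNotification | SMTPPort", "25"))
    return {25: "None", 465: "SSL"}.get(port)


def tls_context(config):
    """Build an ssl.SSLContext that mirrors the two certificate-relaxation
    parameters, so the resulting verification posture is explicit."""
    ctx = ssl.create_default_context()
    if as_bool(config.get("Common | MailNotification | AllowServerNameMismatchInCert", "False")):
        ctx.check_hostname = False       # certificate name no longer compared to the server name
    if as_bool(config.get("Common | MailNotification | AcceptSelfSignedCert", "False")):
        ctx.check_hostname = False       # must be off before verify_mode can be CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE  # chain is not validated at all
    return ctx


def audit_mail_security(config):
    """Return the findings a reviewer would raise about this configuration."""
    findings = []
    mode = effective_transport(config)
    if mode == "None":
        findings.append("SMTP credentials and mail content travel in plain text")
    elif mode == "STARTTLSWhenAvailable":
        findings.append("falls back to plain text if the server does not offer STARTTLS")
    elif mode is None:
        findings.append("no TransportSecurity set and a port the guide defines no default for")
    ctx = tls_context(config)
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("AcceptSelfSignedCert disables certificate chain validation")
    elif not ctx.check_hostname:
        findings.append("AllowServerNameMismatchInCert disables host name verification")
    return findings


def parse_default_sender(value):
    """Split DefaultSender into (display name, address).

    A display name is allowed only when the address is enclosed in <>,
    as the DefaultSender row requires.
    """
    value = value.strip()
    if "<" in value or ">" in value:
        if value.count("<") != 1 or not value.endswith(">"):
            raise ValueError(f"DefaultSender {value!r}: address must be enclosed in <>")
        name, _, rest = value.partition("<")
        name, address = name.strip(), rest[:-1].strip()
    else:
        name, address = "", value
    local, sep, domain = address.partition("@")
    if not sep or not local or not domain or any(c.isspace() for c in address):
        raise ValueError(f"DefaultSender {value!r}: {address!r} is not a valid address")
    return name, address


if __name__ == "__main__":
    print(effective_transport(SAMPLE_CONFIG), audit_mail_security(SAMPLE_CONFIG))
    print(parse_default_sender(SAMPLE_CONFIG["Common | MailNotification | DefaultSender"]))
```

The sample configuration (port 465, no explicit TransportSecurity, both certificate flags off) resolves to SSL with full certificate validation and produces no findings. Switching the port to 25 or setting AcceptSelfSignedCert shows why an explicit TransportSecurity value and an issued (not self-signed) server certificate are the settings to prefer: either relaxation removes a check the SMTP connection otherwise relies on.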

Table 35: Additional parameters for email notifications
Configuration parameters Description

QER | Attestation | DefaultSenderAddress

Sender's default email address for sending automatically generated notifications about attestation cases. Replace the default address with a valid email address.

QER | ComplianceCheck | EmailNotification | DefaultSenderAddress

Sender's default email address for sending automatically generated notifications about rule checking. Replace the default address with a valid email address.

QER | ITShop | DefaultSenderAddress

Sender's default email address for sending automatically generated notifications about requests. Replace the default address with a valid email address.

QER | Policy | EmailNotification | DefaultSenderAddress

Sender's default email address for sending automatically generated notifications when company policies are checked. Replace the default address with a valid email address.

QER | RPS | DefaultSenderAddress

Sender's default email address for sending automatically generated notifications about report subscriptions. Replace the default address with a valid email address.

TargetSystem | ADS | DefaultAddress

Default email address of the recipient for notifications about actions in the Active Directory target system.

TargetSystem | ADS | Exchange2000 | DefaultAddress

Default email address of the recipient for notifications about actions in the Microsoft Exchange target system.

TargetSystem | ADS | MemberShipRestriction | MailNotification

Default email address for sending warning emails.

TargetSystem | AzureAD | DefaultAddress

Default email address of the recipient for notifications about actions in the Microsoft Entra ID target system.

TargetSystem | AzureAD | ExchangeOnline | DefaultAddress

Default email address of the recipient for notifications about actions in the Exchange Online target system.

TargetSystem | CSM | DefaultAddress

Default email address of the recipient for notifications about actions in the cloud target system.

TargetSystem | EBS | DefaultAddress

Default email address of the recipient for notifications about actions in the Oracle E-Business Suite target system.

TargetSystem | LDAP | DefaultAddress

Default email address of the recipient for notifications about actions in the LDAP target system.

TargetSystem | NDO | DefaultAddress

Default email address of the recipient for notifications about actions in the HCL Domino target system.

TargetSystem | OneLogin | DefaultAddress

Default email address of the recipient for notifications about actions in the OneLogin target system.

TargetSystem | PAG | DefaultAddress

Default email address of the recipient for notifications about actions in the Privileged Account Management system.

TargetSystem | SAPR3 | DefaultAddress

Default email address of the recipient for notifications about actions in the SAP R/3 target system.

TargetSystem | SharePoint | DefaultAddress

Default email address of the recipient for notifications about actions in the SharePoint target system.

TargetSystem | Unix | DefaultAddress

Default email address of the recipient for notifications about actions in the Unix-based target system.

TargetSystem | UNS | DefaultAddress

Default email address of the recipient for notifications about actions in the custom target system.
