Identity Manager 9.3 - Installation Guide

Tips for setting up a One Identity Manager database

Note the following information when setting up the One Identity Manager database.

Installing and configuring a One Identity Manager database

IMPORTANT: Always start the Configuration Wizard on an administrative workstation. If you start the Configuration Wizard on a server on which you also want to configure a One Identity Manager Service, simply skip the section for installing the service on the local server in the Configuration Wizard.

To install a database in the Configuration Wizard

  1. Start the Configuration Wizard.

  2. On the Configuration Wizard's home page, select the Create and install database option and click Next.

  3. To install a new database, enter the following database connection data on the Create administrative connection page.

    • Server: Database server.

    • Windows authentication: (Optional) Specifies whether the integrated Windows authentication is used. This type of authentication is not recommended. If you decide to use it anyway, ensure that your environment supports Windows authentication.

    • User: SQL login name of the installation user.

    • Password: Password for the installation user.

    • Encrypt communication: Specifies whether encryption is required for exchanging data between the client and server. Select the minimum encryption level; the level actually negotiated depends on the database server configuration. For more information, see the documentation from Microsoft.

      Permitted values are:

      • Optional: The client does not require encryption. Communication is unencrypted unless the server forces encryption.

      • Mandatory: Data exchange is encrypted. The Trust server certificate option specifies whether the server certificate is verified.

      • Strict (SQL Server 2022 and Azure SQL): Data exchange is encrypted and the server certificate is always verified.

    • Trust server certificate: If this option is enabled, data exchange between the client and server is encrypted, but the server certificate is not verified. Without certificate verification the client cannot detect a host in the network path impersonating the database server, so use this option only in test environments; in production, use a server certificate that the administrative workstation trusts.

    - OR -

    To use an existing empty database, on the Create administrative connection page, select the Use an existing, empty database for installation option and enter the database connection information.

    NOTE: To install the One Identity Manager schema in an existing database in Azure SQL Database or in Amazon RDS for SQL Server, enable this option and enter the database connection credentials.

    • Server: Database server.

    • (Optional) Windows Authentication: Specifies whether the integrated Windows authentication is used. This type of authentication is not recommended. If you decide to use it anyway, ensure that your environment supports Windows authentication.

    • User: SQL login name of the installation user.

    • Password: Password for the installation user.

    • Database: Name of the database.

    • Encrypt communication: Specifies whether encryption is required for exchanging data between the client and server. Select the minimum encryption level; the level actually negotiated depends on the database server configuration. For more information, see the documentation from Microsoft.

      Permitted values are:

      • Optional: The client does not require encryption. Communication is unencrypted unless the server forces encryption.

      • Mandatory: Data exchange is encrypted. The Trust server certificate option specifies whether the server certificate is verified.

      • Strict (SQL Server 2022 and Azure SQL): Data exchange is encrypted and the server certificate is always verified.

    • Trust server certificate: If this option is enabled, data exchange between the client and server is encrypted, but the server certificate is not verified. Without certificate verification the client cannot detect a host in the network path impersonating the database server, so use this option only in test environments; in production, use a server certificate that the administrative workstation trusts.

    TIP: To configure additional connection settings, enable the Advanced option.
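The encryption options above correspond to the Encrypt and TrustServerCertificate keywords of a SQL Server client connection string, which is also how the connection data ends up in service and application configuration files. The following Python script is an added example, not part of this guide or of One Identity Manager, that parses such connection strings and reports what each combination of settings actually guarantees, so that stored connection strings can be audited before use. The server, database and login names in the sample strings are constructed placeholders. Treating an absent Encrypt keyword as Optional is an assumption made so that the unsafe case is flagged: Microsoft.Data.SqlClient 4.0 and later default to Mandatory, the legacy System.Data.SqlClient to no encryption.

```python
"""Audit SQL Server connection strings for the transport-encryption settings
described under Encrypt communication and Trust server certificate.

Added example; not One Identity Manager code. It reproduces the semantics of
the SqlClient keywords Encrypt (Optional/Mandatory/Strict, with False/No and
True/Yes as aliases for Optional and Mandatory) and TrustServerCertificate,
and reports what each combination guarantees. Treating an absent Encrypt
keyword as Optional is an assumption (modern Microsoft.Data.SqlClient
defaults to Mandatory, legacy System.Data.SqlClient to no encryption).
Server, database and login names in the samples are constructed placeholders.
"""
from dataclasses import dataclass

_ENCRYPT_ALIASES = {
    "optional": "optional", "false": "optional", "no": "optional",
    "mandatory": "mandatory", "true": "mandatory", "yes": "mandatory",
    "strict": "strict",
}
_TRUE_VALUES = {"true", "yes"}


@dataclass(frozen=True)
class EncryptionPolicy:
    encrypt: str               # "optional", "mandatory" or "strict"
    trust_server_cert: bool    # TrustServerCertificate keyword


def parse_connection_string(conn: str) -> dict[str, str]:
    """Parse 'Key=Value;Key=Value' into a dict keyed by normalised name.

    Keys are lower-cased with spaces removed, so "Trust Server Certificate"
    and "TrustServerCertificate" are the same key, as in SqlClient. Values
    may be wrapped in single or double quotes when they contain ';'.
    A later occurrence of a key overrides an earlier one.
    """
    result: dict[str, str] = {}
    i, n = 0, len(conn)
    while i < n:
        while i < n and conn[i] in "; \t":   # skip empty segments
            i += 1
        eq = conn.find("=", i)
        if i >= n or eq == -1:
            break
        key = conn[i:eq].strip().replace(" ", "").lower()
        i = eq + 1
        if i < n and conn[i] in ("'", '"'):
            quote = conn[i]
            end = conn.find(quote, i + 1)
            if end == -1:
                raise ValueError("unterminated quoted value")
            value = conn[i + 1:end]
            semi = conn.find(";", end + 1)
        else:
            semi = conn.find(";", i)
            value = conn[i:n if semi == -1 else semi].strip()
        i = n if semi == -1 else semi + 1
        if key:
            result[key] = value
    return result


def policy_from(conn: str) -> EncryptionPolicy:
    """Derive the client-side encryption policy from a connection string."""
    kv = parse_connection_string(conn)
    enc_raw = kv.get("encrypt", "optional").strip().lower()  # assumption: absent == Optional
    if enc_raw not in _ENCRYPT_ALIASES:
        raise ValueError(f"unknown Encrypt value: {enc_raw!r}")
    trust = kv.get("trustservercertificate", "false").strip().lower() in _TRUE_VALUES
    return EncryptionPolicy(_ENCRYPT_ALIASES[enc_raw], trust)


def assess(conn: str) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'weak', 'unverified' or 'ok'."""
    p = policy_from(conn)
    if p.encrypt == "optional":
        return ("weak", "client does not require encryption; credentials and data "
                        "cross the network in the clear unless the server forces TLS")
    if p.encrypt == "strict":
        # Strict (TDS 8.0) always validates the certificate; TrustServerCertificate is ignored.
        return ("ok", "encrypted before login; server certificate always validated")
    if p.trust_server_cert:
        return ("unverified", "encrypted, but TrustServerCertificate skips certificate "
                              "validation, so a host in the path can impersonate the server")
    return ("ok", "encrypted; server certificate validated against the client trust store")


# Constructed samples: weak setting, trusted-certificate setting, corrected setting.
SAMPLES = {
    "weak": "Server=sqlhost01;Database=OneIM;User ID=OneIMAdmin;"
            "Password='p;w';Encrypt=Optional",
    "unverified": "Server=sqlhost01;Database=OneIM;User ID=OneIMAdmin;"
                  "Password=pw;Encrypt=Mandatory;Trust Server Certificate=True",
    "ok": "Server=sqlhost01;Database=OneIM;User ID=OneIMAdmin;"
          "Password=pw;Encrypt=Strict;HostNameInCertificate=sqlhost01.corp.example",
}


def audit(conn_strings: dict[str, str] = SAMPLES) -> dict[str, str]:
    """Map each labelled connection string to its verdict."""
    return {name: assess(cs)[0] for name, cs in conn_strings.items()}


if __name__ == "__main__":
    for name, cs in SAMPLES.items():
        verdict, reason = assess(cs)
        print(f"{name:<10} {verdict:<10} {reason}")
```

Run the script as-is to see the three verdicts, or call audit() with the connection strings taken from your own configuration files. Only Mandatory without Trust server certificate, or Strict, gives both confidentiality and server authentication; the verdict "unverified" marks exactly the setting the wizard exposes as Trust server certificate.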

  4. If you are creating a new database, perform the following tasks on the Create database page.

    1. In the Database properties view, enter the following information about the database.

      Table 18: Database properties

      Database name: Name of the database.

      Data directory: Directory in which the data file is created. You have the following options:

      • <default>: The database server's default directory.

      • <browse>: Select a directory using the file browser.

      • <directory name>: Directory in which data files are already installed.

      Log directory: Directory in which the transaction log file is created. You have the following options:

      • <default>: The database server's default directory.

      • <browse>: Select a directory using the file browser.

      • <directory name>: Directory in which transaction log files are already installed.

      Memory tables directory: Directory for the file group and the database file for memory-optimized tables. You have the following options:

      • <default>: The database server's default directory.

      • <browse>: Select a directory using the file browser.

      • No memory-optimized file group (only History Database): No file group or database file for memory-optimized tables is created. This setting is only permitted when installing a History Database.

      • <directory name>: Directory in which data files for memory-optimized tables are already installed.

      Initial size: Initial size of the database files. You have the following options:

      • <default>: The database server's default value.

      • <custom>: User-defined value.

      • Recommended sizes: Preset sizes, depending on the number of identities being administered.

    2. In the Installation source pane, select the directory with the installation files.

    - OR -

    If you are using an existing database, on the Create database page, Installation source view, select the directory containing the installation files.

  5. On the Select configuration module page, select the configuration modules.

    • If you started the Configuration Wizard from the install wizard, the configuration modules for the selected edition are already activated. In this case, check over the module selection.

    • If you started the Configuration Wizard directly, select the configuration modules at this point. Dependent configuration modules are selected automatically.

  6. Errors that prevent processing the database are displayed on the Database check page. Correct the errors before you continue with the installation.

  7. On the Create a new login for administrators page, decide which SQL login to use for administrative users. You have the following options:

    • Create new logins for the database: Select this option if you want to work with granular permissions.

      This creates a new administrative SQL login for the database.

      • Enter the login name, password, and password confirmation for the new SQL login.

      Later on in the process, the Configuration Wizard sets up additional SQL logins for the configuration user and the end user.

    • Use an existing SQL login: Select this option if you have already created an administrative SQL login and want to use it. Later on in the process, the Configuration Wizard sets up additional SQL logins for the configuration user and the end user.

      1. Enter the login name, password, and password confirmation for the SQL login.

      2. Enable the Permissions option so that the SQL login is granted the permissions it requires for the database. If this option is not set, the Configuration Wizard only checks whether the login already has the required permissions.

    • Use the current SQL login for the database: When you select this option, no additional SQL logins are created for the database. In this case, you cannot work with the granular permissions concept at SQL level. The user you specified is used to connect to the database.

      NOTE: To install the One Identity Manager schema in an existing database in Amazon RDS for SQL Server, select this option. The granular permissions concept is not supported.

      NOTE: If you want to switch to granular permissions at a later time, contact Support. To access the Support Portal, go to https://support.oneidentity.com/identity-manager/.

  8. The installation steps are shown on the Processing database page.

    Installation and configuration of the database are automatically carried out by the Configuration Wizard. This procedure may take some time depending on the amount of data and system performance. Once processing is complete, click Next.

    TIP: Set Advanced to obtain detailed information about processing steps and the migration log.

  9. On the Create logins for configuration and end users page, enter the login name, the password, and password confirmation for the SQL logins of configuration users and end users.

    NOTE: The password must meet the Windows policy requirements for passwords.
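SQL Server applies the Windows password policy of its host to SQL logins created with CHECK_POLICY = ON (the default), which is why the wizard cannot accept a password that fails it. The following Python script is an added example, not part of this guide or of One Identity Manager, that pre-checks candidate passwords for the configuration user and end user logins against Microsoft's documented complexity rule: at least six characters, no login name or display-name fragment of three or more characters, and characters from at least three of five classes. The minimum length depends on the domain policy, so MIN_LENGTH = 8 is an assumption; the login names and passwords in the sample are constructed.

```python
"""Pre-check candidate passwords for the SQL logins that the Configuration
Wizard creates against the Windows "Password must meet complexity
requirements" rule, which SQL Server applies to SQL logins created with
CHECK_POLICY = ON.

Added example; not One Identity Manager code. The rule implemented is
Microsoft's documented one (at least six characters, no account name or
display-name fragment of three or more characters, at least three of five
character classes). MIN_LENGTH reflects the domain's "Minimum password
length" setting and is an assumption here; the login names and passwords
below are constructed samples.
"""
import re

MIN_LENGTH = 8  # assumption: the domain's minimum password length
# Separators Windows uses to split the display name into checked tokens.
_NAME_SPLIT = re.compile(r"[,.\-_ #\t]+")


def character_classes(password: str) -> set[str]:
    """Return the set of Windows character classes present in password."""
    classes: set[str] = set()
    for c in password:
        if c.isupper():
            classes.add("upper")
        elif c.islower():
            classes.add("lower")
        elif c.isdigit():
            classes.add("digit")
        elif c.isalpha():
            classes.add("caseless-alpha")  # letters without case, e.g. CJK
        else:
            classes.add("special")         # punctuation, symbols, space
    return classes


def complexity_violations(password: str, login_name: str,
                          display_name: str = "") -> list[str]:
    """List every way password fails the policy for login_name.

    An empty list means the password would be accepted.
    """
    problems: list[str] = []
    required = max(6, MIN_LENGTH)
    if len(password) < required:
        problems.append(f"shorter than {required} characters")
    lowered = password.lower()
    # The whole account name is checked if it is three or more characters.
    if len(login_name) >= 3 and login_name.lower() in lowered:
        problems.append("contains the login name")
    # Each display-name token of three or more characters is checked.
    for token in _NAME_SPLIT.split(display_name):
        if len(token) >= 3 and token.lower() in lowered:
            problems.append(f"contains name fragment {token!r}")
    if len(character_classes(password)) < 3:
        problems.append("fewer than three character classes")
    return problems


# Constructed samples: (login name, candidate password).
CANDIDATES = [
    ("OneIMConfigUser", "OneIMConfigUser#2024"),  # embeds the login name
    ("OneIMEndUser", "endusersecret"),            # one character class only
    ("OneIMEndUser", "Xq7!"),                      # too short
    ("OneIMConfigUser", "Tr0ub4dor&3"),            # acceptable
]


def check_candidates(candidates=CANDIDATES) -> list[tuple[str, list[str]]]:
    """Evaluate each (login, password) pair; returns (login, violations)."""
    return [(login, complexity_violations(pw, login)) for login, pw in candidates]


if __name__ == "__main__":
    for login, problems in check_candidates():
        status = "OK" if not problems else "; ".join(problems)
        print(f"{login:<16} {status}")
```

A domain policy may set a longer minimum length or additional filters, so a password that passes this check can still be rejected by the server; the check catches the common failures before the wizard reaches this page.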

  10. On the System information page, enter the customer information and create administrative system users for One Identity Manager.

    1. In the Customer information view, enter the full name of the company.

    2. In the System user view, configure the predefined administrative system users and enter your own administrative system users.

      • Enter a password and password confirmation for the predefined system users.

      • To create customer-specific system users, click the button and enter the name, password, and password confirmation.

      TIP: Use the <...> button next to the name of a system user to configure additional settings for that system user. You can also adjust these settings in the Designer at a later time.

    3. (Optional) Create custom permissions groups.

      The Configuration Wizard creates custom permissions groups, which you can use to define permissions for any custom schema extensions you require.

      • For non role-based login, the CCCViewPermissions and CCCEditPermissions permissions groups are created. Administrative system users are automatically added to these permissions groups.

      • For role-based login, the CCCViewRole and CCCEditRole permission groups are created.

      To create more permissions groups

      1. Enable the Advanced option and in the Permissions groups view, click the button.

      2. Enter the name of the permissions group. Label custom permission groups with the prefix CCC.

      3. For role-based permissions groups, enable the Role-based option.

  11. On the Enable database encryption page, select one of the following options:

    • Skip database encryption: The database is not encrypted. You can encrypt the database at a later date using the Crypto Configuration program.

    • Enable database encryption: The database is encrypted in the next step.

      1. In the Private key field, enter the name of the key file (default: private.key).

      2. Click New and, using the file browser, select the directory where you want to store the key file.

      3. Click Save.

        This generates the key file (*.key), closes the file browser, and displays the path and file name under Private key.

      4. Confirm that you have saved the key file.

        Take the Tips for working with an encrypted One Identity Manager database into account. Store the key file in a protected location, separate from the database and its backups; data encrypted with it cannot be recovered if the key file is lost.

  12. On the Service installation page, you can create a Job server for the server on which the One Identity Manager database is installed.

    NOTE: If you do not want to set up a Job server with the One Identity Manager Service at this stage, select the Skip service installation option.

    1. In the Installation data pane, enter the following data for installing the One Identity Manager Service.

      • Computer: From the drop-down, select the server on which you want to install and start the service, or enter the server's name or IP address.

        To run the installation locally, select Local installation from the drop-down.

      • Service account: Enter the details of the user account that the One Identity Manager Service is running under. Enter the user account, the user account's password and password confirmation.

      The service is installed using the user account with which you are logged in to the administrative workstation. If you want to use another user account for installing the service, you can enter it in the advanced options.

      You can also change other One Identity Manager Service details in the advanced options, such as the installation directory, name, display name, and the One Identity Manager Service description.

    2. In the Machine roles pane, select the machine role for the service. By default, the Server | Job Server machine role is set. You can add more machine roles.

    3. (Optional) Enable the Advanced option and, in the Configuration pane, check the configuration of the One Identity Manager Service.

      NOTE: The initial service configuration is predefined already. If additional changes need to be made to the configuration, you can do this later with the Designer. For more information about configuring the One Identity Manager Service, see the One Identity Manager Configuration Guide.

    4. Click Next to start installing the service.

      Installation of the service occurs automatically and may take some time.

      NOTE: In a default installation, the service is entered in the server’s service management with the name One Identity Manager Service.

  13. The Processing database tasks page only appears if there are still tasks for the DBQueue Processor queued in the DBQueue that are required for installing the database. Once processing is complete, click Next.

  14. On the last page of the Configuration Wizard, click Finish.

Editing a One Identity Manager database during setup using the Configuration Wizard

Installation and configuration of the One Identity Manager database is automatically carried out by the Configuration Wizard. The Configuration Wizard can create a new database and install the One Identity Manager schema. Alternatively, the One Identity Manager schema can be installed in an existing database.

The Configuration Wizard performs the following steps when processing the database:

  • Creates the required SQL logins and database users with permissions for the administrative user, configuration user and end user. For more information, see Users and permissions for the One Identity Manager database on an SQL Server.

  • Installs the One Identity Manager schema.

    Before the schema installation can take place, the Configuration Wizard tests the database. Error messages are displayed in a separate window. The errors must be corrected manually. The schema installation cannot be started until these are resolved.

    All the tables, data types, and database procedures that are required are loaded into the database through migration. The selected editions and configuration modules are enabled. During migration, calculation tasks are queued in the database. These are processed by the DBQueue Processor.

    When a schema is installed with the Configuration Wizard, migration date and migration revision are recorded in the database's transport history.

  • Compiles the system.

    Scripts, templates, and processes are declared in the database. The System user authentication module with the viadmin system user is used for compilation.

  • Uploads files for automatic software update.

    In order to distribute One Identity Manager files using the automatic software updating mechanism, the files are loaded into the One Identity Manager database.

  • Creates administrative system users and permissions groups.

    A system user is required for authentication in One Identity Manager. One Identity Manager provides various system users whose permissions are matched to the various tasks. For more information about system users, permissions groups, and granting permissions, see the One Identity Manager Authorization and Authentication Guide.

    The viadmin system user is the default system user in One Identity Manager. This system user can be used to compile and initialize the One Identity Manager database and for the first user login to the administration tools.

    IMPORTANT: Do not use the viadmin system user in a production environment. Create your own system user with the appropriate permissions.

    Custom system users are created as administrative system users by the Configuration Wizard. Administrative system users are automatically added to all non role-based permissions groups, and are assigned all permissions of the system user viadmin.

  • Installs and configures a One Identity Manager Service with direct access to the database for handling SQL processes and automatic server software updates.

    The One Identity Manager Service handles defined processes. The service has to be installed on the One Identity Manager network server to run the processes. The server must be declared as a Job server in the One Identity Manager database.

    During the initial schema installation, the Configuration Wizard creates a Job server in the One Identity Manager database for the server on which the database is installed. This Job server receives the server functions SQL processing server and Update server:

    • The SQL processing server handles SQL processes.

    • The update server ensures that software is updated automatically on other servers.

    The SQL processing server and the update server require a direct connection to the One Identity Manager database to handle processes. Use the Configuration Wizard to install the One Identity Manager Service on a server for handling these processes.

    The Configuration Wizard carries out the following steps:

    • Installs the One Identity Manager Service components.

    • Configures the One Identity Manager Service.

    • Starts the One Identity Manager Service.

  • Installs and configures the Database Agent Service.

    The Database Agent Service controls processing of DBQueue Processor tasks. The Database Agent Service is deployed through the One Identity Manager Service plugin. Alternatively, the Database Agent Service can be run from the DatabaseAgentServiceCmd.exe command line program.

    NOTE: If the Database Agent Service is not working, a message is displayed in the status bar in all the administration tools. To see this message, users must have at least the configuration user access level.

Configuring a One Identity Manager database for testing, development, or production

Use the staging level of the One Identity Manager database to specify whether the database is a test database, development database, or a production database. A number of database settings are controlled by the staging level.

If you change the database's staging level, the following settings are configured.

  • Color of the One Identity Manager tools status bar

    • Development: none

    • Test: green

    • Production: yellow

  • Maximum runtime for the central dispatcher to process DBQueue Processor tasks

    • Development: 20 minutes

    • Test: 40 minutes

    • Production: 120 minutes

  • Maximum number of slots for processing DBQueue Processor tasks

    • Development: 5

    • Test: 7

    • Production: maximum number of slots according to hardware configuration

The default configuration settings for processing DBQueue Processor tasks are configured for normal operation and usually do not need to be modified. If required, you can control processing using different configuration settings. For more information, see the One Identity Manager Configuration Guide.

To modify a database staging level

  1. Start the Launchpad and log in to the One Identity Manager database.

  2. In the Installation overview > Installation Checklist section, select the Database staging level entry and click Run.

    This starts the Designer.

  3. In the Designer, select the Base Data > General > Databases category.

  4. In the List Editor, select the database.

  5. In the edit view, select the General tab.

  6. Change the value of the Staging level property to Test environment, Development system, or Production system.

  7. Confirm the security prompt with Yes.

  8. Select Database > Save to database and click Save.
