55.6 Upgrading Identity Reporting

Identity Reporting includes two drivers. Also, you might need to migrate content from NetIQ Event Auditing Service to Sentinel Log Management for IGA. Perform the upgrade in the following order:

  1. Upgrade the driver package for the Data Collection Services.

  2. Upgrade the driver package for the Managed System Gateway Service.

  3. Migrate to Sentinel Log Management for IGA.

  4. Upgrade Identity Reporting.

55.6.1 Upgrading the Driver Packages for Identity Reporting

This section explains how to update the packages for the Managed System Gateway and Data Collection Service drivers to the latest version. You must perform this task before upgrading Identity Reporting.

  1. In Designer, open your current project.

  2. Right-click Package Catalog > Import Package.

  3. Select the appropriate package. For example, Managed System Gateway Base package 2.0.0.20120509205929.

  4. Click OK.

  5. In the Developer View, right-click the driver and then click Properties.

  6. Navigate to the Packages tab in the Properties page.

  7. Click the Add package (+) symbol in the top right corner.

  8. Select the package, and then click OK.

  9. Complete the configuration process for the driver. For more information, see the following sections:

  10. Repeat Step 2 through Step 9 to upgrade the package for the Data Collection Service Driver.

  11. Ensure that the Managed System Gateway Driver and Data Collection Service Driver are connected to the upgraded Identity Manager.

55.6.2 Migrating from Event Auditing Service to Sentinel Log Management for IGA

This section provides information about migrating existing data from NetIQ Event Auditing Service (EAS) to Sentinel Log Management for IGA.

Preparing for Migration

Before you start the migration, you need to prepare the SLM for IGA and EAS databases. This involves importing the required connector to receive events from SLM for IGA and upgrading all the Identity Manager components to 4.6.

Perform the following actions before migrating your EAS data to SLM for IGA.

  1. Import the NetIQ-Audit_2011.1r4-201701130600-release.cnz connector into EAS.

  2. Upgrade all the existing Identity Manager components from 4.5.4 to 4.6.

  3. Ensure that you take a backup of the logevent.conf file.

    Linux: /etc/logevent.conf

    Windows: C:\Windows\logevent.cfg

    The logevent.conf file should contain EAS details.

  4. Ensure that the following Identity Manager components are running:

    • eDirectory

    • Identity Manager Engine

    • iManager

    • Identity Applications (specifically OSP, SSPR, and RBPM)

  5. Update the audit server details for SSPR:

    1. Log in to SSPR portal as an administrator.

    2. Navigate to Configuration Editor and specify the configuration password.

    3. Select Settings > Auditing > Audit Forwarding.

    4. Provide SLM for IGA details under Syslog Audit Server. For example, tls,<sentinel IP>,1443.

    5. Click Clear to clear the Syslog Audit Server certificates.

    6. Click Import from server to import certificates from the updated Syslog Audit Server.

    7. Save your changes.

  6. Ensure that your EAS server is running until all the cached audit events from all Identity Manager components are sent to EAS.

  7. Stop the following Identity Manager components:

    • eDirectory

    • Identity Manager Engine

    • iManager

    • Identity Applications (specifically OSP, SSPR, and RBPM)

  8. Stop the Novell Audit lcache and jcache processes.

    kill -15 <PID of lcache>

    kill -15 <PID of jcache>

  9. Follow the steps mentioned in Step 1 to Step 6 of Enabling SSL between Sentinel and User Application to create naudit certificates so that User Application can connect to SLM for IGA.

  10. Modify the LogHost entry to point to SLM for IGA in the logevent.conf file.

  11. Start the following Identity Manager components.

    • eDirectory

    • Identity Manager Engine

    • iManager

    • Identity Applications (specifically OSP, SSPR, and RBPM)

Migrating Data to the New PostgreSQL Database

This section provides information about migrating the SIEM data from the EAS database to a supported PostgreSQL database. For information about installing a PostgreSQL database, see Section 28.0, Installing PostgreSQL and Tomcat.

You must create the required roles and table spaces to ensure there are no failures during migration.

Preparing the New PostgreSQL Database

  1. Stop EAS to ensure that none of the events are sent to the EAS server.

  2. Using iManager, stop the DCS driver:

    1. Log in to iManager.

    2. Stop the DCS driver.

    3. Edit the driver properties to change the startup option to Manual.

      This step ensures that the driver does not start automatically.

  3. Run the following SQL commands in pgAdmin to create the required roles, table space, and database.

    This step ensures there are no failures during migration.

    1. Run the following commands to create the required roles:

      CREATE ROLE esec_app
        NOSUPERUSER INHERIT NOCREATEDB NOCREATEROLE;
       
      CREATE ROLE esec_user
        NOSUPERUSER INHERIT NOCREATEDB NOCREATEROLE;
       
      CREATE ROLE admin LOGIN
        ENCRYPTED PASSWORD '<specify the password for admin>'
        NOSUPERUSER INHERIT NOCREATEDB NOCREATEROLE;
      GRANT esec_user TO admin;
       
      CREATE ROLE appuser LOGIN
        ENCRYPTED PASSWORD '<specify the password for appuser>'
        NOSUPERUSER INHERIT NOCREATEDB CREATEROLE;
      GRANT esec_app TO appuser;
       
      CREATE ROLE dbauser LOGIN
        ENCRYPTED PASSWORD '<specify the password for dbauser>'
        SUPERUSER INHERIT CREATEDB CREATEROLE; 
      
      CREATE ROLE idmrptsrv LOGIN
        ENCRYPTED PASSWORD '<specify the password for idmrptsrv>'
        NOSUPERUSER INHERIT NOCREATEDB NOCREATEROLE;
      GRANT esec_user TO idmrptsrv;
       
      CREATE ROLE idmrptuser LOGIN
        ENCRYPTED PASSWORD '<specify the password for idmrptuser>'
        NOSUPERUSER INHERIT NOCREATEDB NOCREATEROLE;
      
      CREATE ROLE rptuser LOGIN
        ENCRYPTED PASSWORD '<specify the password for rptuser>'
        NOSUPERUSER INHERIT NOCREATEDB NOCREATEROLE;
      GRANT esec_user TO rptuser;

    2. Run the following command for creating table spaces:

      CREATE TABLESPACE sendata1
        OWNER dbauser
        LOCATION '<provide the location where table space has to be created>';

      For example,

      CREATE TABLESPACE sendata1
        OWNER dbauser
        LOCATION '/opt/netiq/idm/apps/postgres/data';

    3. Run the following command for creating a SIEM database:

      CREATE DATABASE "SIEM"
        WITH OWNER = dbauser
             ENCODING = 'UTF8'
             TABLESPACE = sendata1
             CONNECTION LIMIT = -1;

Exporting Data from EAS

  1. Stop EAS to ensure that none of the events are sent to the EAS server.

  2. Using iManager, stop the DCS driver:

    1. Log in to iManager.

    2. Stop the DCS driver.

    3. Edit the driver properties to change the startup option to Manual.

      This step ensures that the driver does not start automatically.

  3. Export the data from EAS database to a file:

    1. Log in to the EAS user account:

      # su - novleas

    2. Specify a location where the EAS user has full access, for example, /home/novleas.

    3. Navigate to the PostgreSQL installation directory and execute the following commands:

      For example,

      export PATH=/opt/novell/sentinel_eas/3rdparty/postgresql/bin/:$PATH

      export LD_LIBRARY_PATH=/opt/novell/sentinel_eas/3rdparty/postgresql/lib/:$LD_LIBRARY_PATH

    4. Export the data to a .sql file using the following command:

      ./pg_dump -p <portnumber> -U <username> -d <dbname> -f <export location>

      For example,

      ./pg_dump -p 15432 -U dbauser SIEM -f /home/novleas/SIEM.sql

Importing Data into the New PostgreSQL Database

  1. Stop EAS to ensure that none of the events are sent to the EAS server.

  2. Using iManager, stop the DCS driver:

    1. Log in to iManager.

    2. Stop the DCS driver.

    3. Edit the driver properties to change the startup option to Manual.

      This step ensures that the driver does not start automatically.

  3. Import the data to the new PostgreSQL database:

    1. (Conditional) Create a postgres user.

      This is specific to Windows only. A user is automatically created on Linux.

    2. Copy the file exported in Step 3.d to a location to which the postgres user has full access. For example,

      • Linux: /opt/netiq/idm/apps/postgres

      • Windows: C:\NetIQ\IdentityManager\apps\postgres

    3. Execute the following command to import data to the PostgreSQL database.

      psql -d <dbname> -U <username> -f <full path where the exported file is located>

      For example,

      • Linux: psql -d SIEM -U postgres -f /opt/netiq/idm/apps/postgres/SIEM.sql

      • Windows: psql -d SIEM -U postgres -f C:\NetIQ\IdentityManager\apps\postgres\SIEM.sql

  4. Check for any migration log errors and resolve them.
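Step 4 asks you to check the import log for errors. The following added example (not NetIQ's code) parses the diagnostics that psql prints when run with -f, counts them by level, and lists any roles the dump references that do not exist in the new database, which is exactly the failure the earlier role-creation step is meant to prevent. The log lines are constructed; the path is the page's Linux example.

```python
"""Scan the output of the psql import step for diagnostics. Added example,
not part of the NetIQ documentation; the log below is constructed in
psql's "psql:<file>:<line>: LEVEL:  <message>" format."""
import re
from collections import Counter

# psql prefixes each server diagnostic with the script path and line number.
PSQL_DIAG = re.compile(
    r"^psql:(?P<file>.+?):(?P<line>\d+): (?P<level>ERROR|FATAL|WARNING):\s+(?P<msg>.*)$"
)
MISSING_ROLE = re.compile(r'role "([^"]+)" does not exist')


def parse_diagnostics(log_text):
    """Return (script line, level, message) for each diagnostic line."""
    found = []
    for raw in log_text.splitlines():
        m = PSQL_DIAG.match(raw.strip())
        if m:
            found.append((int(m.group("line")), m.group("level"), m.group("msg")))
    return found


def summarize(log_text):
    """Count diagnostics by level and list roles the dump expected but the
    new database lacks; those point back at the role-creation prerequisite."""
    diags = parse_diagnostics(log_text)
    by_level = Counter(level for _, level, _ in diags)
    missing_roles = set()
    for _, level, msg in diags:
        m = MISSING_ROLE.search(msg)
        if level == "ERROR" and m:
            missing_roles.add(m.group(1))
    return {
        "errors": by_level["ERROR"] + by_level["FATAL"],
        "warnings": by_level["WARNING"],
        "missing_roles": sorted(missing_roles),
        "ok": by_level["ERROR"] == 0 and by_level["FATAL"] == 0,
    }


# Constructed sample of psql output; the path is the page's Linux example.
SAMPLE_LOG = """\
SET
CREATE SCHEMA
psql:/opt/netiq/idm/apps/postgres/SIEM.sql:42: ERROR:  role "esec_user" does not exist
CREATE TABLE
psql:/opt/netiq/idm/apps/postgres/SIEM.sql:57: WARNING:  no privileges were granted for "public"
psql:/opt/netiq/idm/apps/postgres/SIEM.sql:88: ERROR:  role "rptuser" does not exist
COPY 1200
"""

if __name__ == "__main__":
    for line, level, msg in parse_diagnostics(SAMPLE_LOG):
        print(f"line {line}: {level}: {msg}")
    print(summarize(SAMPLE_LOG))
```

Run it against the captured output of the psql command above (for example, psql ... -f SIEM.sql 2>&1 | tee import.log) and treat any non-empty missing_roles list as a signal to go back to the role-creation step.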

NOTE: The Identity Manager 4.6 reports will not use the audit data that is migrated from EAS to SLM for IGA. Instead, these reports will use the audit data that is directly synchronized from SLM for IGA.

Setting up the Reporting Server

After importing the EAS data to the new PostgreSQL database, configure your Reporting database with the new PostgreSQL database.

This section assumes that you have installed Identity Reporting on the same server where you migrated the database server (SLM for IGA database). For more information about installing Identity Reporting, see Using the Guided Process to Install Identity Reporting.

  1. In the configupdate utility, perform the following steps to configure the new reporting server details:

    1. At the command prompt, use one of the following methods to run configupdate utility.

      Linux: ./configupdate.sh

      Windows: configupdate.bat

    2. Change the OAuth Redirect URL to point to the new Identity Reporting server and port details. For more information, see Reporting.

  2. Edit the DCS driver configuration to include the new reporting server details using Designer or iManager.

  3. Start the DCS driver.

Creating the Data Synchronization Policy

After the Reporting server is configured, enable SLM for IGA to forward the events to an external database. There are two ways to create the data synchronization policy:

Using the JAR File

Identity Manager provides a utility that creates the data synchronization policy in SLM for IGA for forwarding events from SLM for IGA to an external database. The utility is located in the IdentityReporting/Sentinel folder.

Create the data synchronization policy using the following steps:

  1. Navigate to the Data Synchronization utility directory and run the following command:

    <java path>/bin/java -jar sentineldatasync.jar, where <java path> is the JRE installed location.

    This opens the data synchronization utility.

    NOTE: If Identity Reporting is running with an Oracle database, verify that the ojdbc<version>.jar is present in the <java path>/lib/ext directory, where <java path> is the JRE installed location.

  2. In the Sentinel Settings tab of the utility, specify the following details:

    • IP Address: Specify the IP address of the computer where SLM for IGA is installed.

    • Port: Specify the port for the SLM for IGA server. The default port is 8443.

    • Password: Specify the password for the SLM for IGA user.

    • Event Retention Period: Specify the duration for the events to persist in the database before they are deleted. The default is 90 days.

    • Delete RDD Definitions: While creating the data synchronization policy on SLM for IGA, the default setting is to delete the default Sentinel policies. If you want to execute Sentinel reports, you need not delete the default Sentinel policies.

      IMPORTANT: Deselect this option if you are using Sentinel or Identity Tracking.

    • Advanced: If you are using Advanced mode, you may edit the following parameters:

      • Event Table Payload: Contains a JSON document for creating the data synchronization table through REST APIs. The authentication information is substituted when a request is sent for creating the data synchronization table.

      • Data Sync Policy Payload: Contains a JSON document for creating the data synchronization policy through REST APIs. The authentication information is substituted when a request is sent for creating the data synchronization policy.

        NOTE: To add additional fields to the data synchronization policy, modify the JSON document in Data Sync Policy Payload. Ensure that the changes are present in both the event table and the data synchronization policy. Otherwise, the policy creation fails.

  3. In the Database settings tab, specify the following details. For example, if you select PostgreSQL as your database, the Database settings screen would look like the following:

    • IP Address: Specify the IP address of the database.

    • Port: Specify the port for the database.

    • Password: Specify a password to connect to the database.

    • Database Name: Specify a target database name where Reporting is installed.

      For example, if you are migrating from EAS, you can specify SIEM and if you are performing a new install of SLM for IGA, specify idmrptdb.

    • Database Type: Select the database type from the drop-down list.

    • Update Views Only: Select this option only if you encounter errors while updating the views. When this option is selected, the Data Synchronization utility updates the views and does not create the data synchronization policy in SLM for IGA.

    • Partition Table: Partitioning the table improves the overall query performance and table management capability. The database stores the events received from Sentinel in separate partitions on a daily basis. It is recommended that you leave this setting as is.

    • PostgreSQL Install Location: This option is available only if you select PostgreSQL in the Database Type field. This option specifies the location where PostgreSQL is installed. For example, /opt/netiq/idm/apps/postgres/.

      If you are using PostgreSQL on a different server, you need to copy the sentineldatasync.jar to the server where PostgreSQL is installed.

    • Advanced: If you are using Advanced mode, you may edit the following parameter:

      Partition SQL: This contains the SQL script for partitioning the table. The script is specific to the selected database.

  4. In the Logs tab, specify the name of the log file.

    The log file is located in the same location as your Data Synchronization utility.

Using the SLM for IGA Interface

To ensure that SLM for IGA receives the events from the specified Identity Manager collectors, you can modify the filter for the data synchronization policy.

  1. Log in to the SLM for IGA main interface as an administrator.

  2. Click Storage > Data Synchronization.

  3. Click Edit to configure the data synchronization policy.

  4. Edit the required information:

    Criteria: Specify a valid Lucene query.

    The following query is an example of a criteria for receiving events only from Identity Manager components:

    (pn:"NetIQ Identity Manager" OR pn:"NetIQ Self Service Password Reset" OR pn:"NetIQ eDirectory" OR pn:"NetIQ NMAS" OR pn:"NetIQ iManager" OR pn:"NetIQ One SSO Provider") AND (sev:[0 TO 5]) AND NOT (evt:"CombinedRealTimeSummariesStatus" OR evt:"EnginePerformanceSummary" OR evt:"EventThroughputUtilization" OR evt:"LostConnection")

    Policy Name: Specify a name for the data synchronization policy.

    Retention Period: Specify the duration for which the events will be persisted in the sentinel_events table of the Reporting database.

    Batch Size: Specify the number of events that can be sent to the external database in one batch.

    Sleep period: Specify the duration after which the data synchronization process checks for more events to process.

    Schedule: Select an appropriate option to synchronize the data to the external database.

    • All the time: If you select this option, the events are synchronized to the external database immediately after any event is modified.

    • Custom: This option allows you to configure specific time intervals to synchronize data.

      If you select Custom, provide the following information to set the custom synchronization time:

      • Day of the Week: Select the required day of the week or select Everyday.

      • Start time: Specify the time at which the data synchronization process should start.

      • Duration: Specify the synchronization period in minutes.

    If you do not see the data in the database tables immediately, you need to wait for the next synchronization cycle.
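The criteria above select events by product name (pn), severity (sev) and event name (evt). The following added example (not part of the NetIQ documentation) renders that same query from the two lists and evaluates constructed sample events against it client-side, so you can see which events the policy would forward before editing it in SLM for IGA; the sample events are constructed, not real Sentinel data.

```python
"""Client-side check of which events the data synchronization criteria would
forward. Added example, not part of the NetIQ documentation; sample events
are constructed and use the field names (pn, sev, evt) from the page's query."""

IDM_PRODUCTS = {
    "NetIQ Identity Manager",
    "NetIQ Self Service Password Reset",
    "NetIQ eDirectory",
    "NetIQ NMAS",
    "NetIQ iManager",
    "NetIQ One SSO Provider",
}

# Sentinel internal status events that the criteria exclude.
EXCLUDED_EVENTS = {
    "CombinedRealTimeSummariesStatus",
    "EnginePerformanceSummary",
    "EventThroughputUtilization",
    "LostConnection",
}

SEVERITY_RANGE = (0, 5)  # sev:[0 TO 5] is inclusive at both ends

def build_criteria():
    """Render the Lucene criteria in the same shape as the page's example."""
    products = " OR ".join(f'pn:"{p}"' for p in sorted(IDM_PRODUCTS))
    excluded = " OR ".join(f'evt:"{e}"' for e in sorted(EXCLUDED_EVENTS))
    low, high = SEVERITY_RANGE
    return f"({products}) AND (sev:[{low} TO {high}]) AND NOT ({excluded})"

def matches(event):
    """True if the event would be forwarded: known product, severity in range,
    and not one of the excluded internal events."""
    if event.get("pn") not in IDM_PRODUCTS:
        return False
    sev = event.get("sev")
    if not isinstance(sev, int) or not SEVERITY_RANGE[0] <= sev <= SEVERITY_RANGE[1]:
        return False
    return event.get("evt") not in EXCLUDED_EVENTS

def select_events(events):
    """Return the ids of the events the policy would forward."""
    return [e["id"] for e in events if matches(e)]

# Constructed sample events, not real Sentinel data.
SAMPLE_EVENTS = [
    {"id": 1, "pn": "NetIQ Identity Manager", "sev": 3, "evt": "Password Changed"},
    {"id": 2, "pn": "NetIQ eDirectory", "sev": 5, "evt": "Login Failed"},
    {"id": 3, "pn": "NetIQ Sentinel", "sev": 1, "evt": "EnginePerformanceSummary"},
    {"id": 4, "pn": "NetIQ iManager", "sev": 2, "evt": "LostConnection"},
    {"id": 5, "pn": "NetIQ NMAS", "sev": 6, "evt": "Policy Violation"},
]

if __name__ == "__main__":
    print(build_criteria())
    print("forwarded:", select_events(SAMPLE_EVENTS))
```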

NOTE: If Identity Reporting is running with an Oracle database, log in to the query tool as the database administrator (sysdba) and assign the following permissions:

  • GRANT ALL ON IDM_RPT_DATA.SENTINEL_EVENTS TO IDM_RPT_DATA;

  • GRANT SELECT ON IDM_RPT_DATA.SENTINEL_EVENTS TO PUBLIC;

  • GRANT CREATE PUBLIC SYNONYM TO IDM_RPT_CFG;

55.6.3 Upgrading Identity Reporting

Before upgrading Identity Reporting, you must upgrade the identity applications and SLM for IGA. To upgrade Identity Reporting from version 4.0.2 or later, install the new version on top of the older version. For more information, see Installing Identity Reporting.

55.6.4 Changing the References to reportRunner in the Database

After upgrading Identity Reporting and before starting Tomcat for the first time, ensure that you update the references to reportRunner in the database.

  1. Stop Tomcat.

  2. Navigate to the Identity Reporting installation directory and rename the reportContent folder to ORG-reportContent.

    For example: /opt/netiq/idm/apps/IdentityReporting

  3. Clean the temporary and work directories under the Tomcat folder.

  4. Log in to the PostgreSQL database.

    1. Locate the reportRunner references in the following tables:

      • idm_rpt_cfg.idmrpt_rpt_params

      • idm_rpt_cfg.idmrpt_definition

    2. Issue the following delete statements:

      DELETE FROM idm_rpt_cfg.idmrpt_rpt_params WHERE rpt_def_id='com.novell.content.reportRunner';
      DELETE FROM idm_rpt_cfg.idmrpt_definition WHERE def_id='com.novell.content.reportRunner';

  5. Start Tomcat.

    Check the logs to see if the reports are regenerated with the correct reportRunner.

  6. Log in to Identity Reporting and run the reports.

55.6.5 Verifying the Upgrade for Identity Reporting

  1. Launch Identity Reporting.

  2. Verify that old and new reports are being displayed in the tool.

  3. Look at the Calendar to see whether your scheduled reports appear.

  4. Ensure that the Settings page displays your previous settings for managed and unmanaged applications.

  5. Verify that all other settings look correct.

  6. Verify whether the application lists your completed reports.