5.9 Configuring Identity Reporting

After installing Identity Reporting, you can still modify many of the installation properties. To make changes, run the configuration update utility (configupdate.sh) file.

If you change any setting for Identity Reporting with the configuration tool, you must restart Tomcat for the changes to take effect. However, you do not need to restart the server after making changes in the web user interface for Identity Reporting.

5.9.1 Manually Adding the DataSource in the Identity Data Collection Services Page

  1. Log in to Identity Reporting application.

  2. Click Data Sources.

  3. Click Add.

  4. In the Add Data Source dialog box, click the Select from predefined list radio button.

  5. Select IDMDCSDataSource.

  6. Click Save.

5.9.2 Running Reports on an Oracle Database

Identity Reporting provides the ability to run reports against remote Oracle databases. Ensure that you have the ojbc.jar file on the server where you are running the Oracle Database.

5.9.3 Manually Generating the Database Schema

To manually generate the database schema after installation, perform one of the following procedures for your database:

Configuring Create_rpt_roles_and_schemas.sql Schema against PostgreSQL Database

  1. Add the required roles to the database using the create_dcs_roles_and_schemas.sql and create_rpt_roles_and_schemas.sql SQLs located in /opt/netiq/idm/apps/IDMReporting/sql/.

  2. Log in to PGAdmin as a postgres user.

  3. Run the Query tool.

  4. To create Create_rpt_roles_and_schemas and Create_dcs_roles_and_schemas procedures, copy the content from these SQLs to the Query tool and execute against the connected database.

  5. To create IDM_RPT_DATA, IDM_RPT_CFG, and IDMRPTUSER roles, execute the following commands in the given order:

    Select CREATE_DCS_ROLES_AND_SCHEMAS('<Set pwd for IDM_RPT_DATA>', '<Set pwd for IDMRPTUSER>');
    Select CREATE_RPT_ROLES_AND_SCHEMAS('<Set pwd for IDM_RPT_CFG>');

    For example, if the password for IDM_RPT_DATA, IDMRPTUSER, and IDM_RPT_CFG are password, password1, and password2 respectively, then you must execute the following commands:

    Select CREATE_DCS_ROLES_AND_SCHEMAS('password', 'password1');
    Select CREATE_RPT_ROLES_AND_SCHEMAS('password2');
  6. Copy the content of get_formatted_user_dn.sql from /opt/netiq/idm/apps/IDMReporting/sql/ to the Query tool and execute against the connected database.

    NOTE:The get_formatted_user_dn.sql function must be added manually when you select database schema creation option as File. If you select the database schema creation option as Now or Startup, the installer will add this function to the database.

Configuring Create_rpt_roles_and_schemas.sql Schema against Oracle Database

  1. Add the required roles to the database using create_dcs_roles_and_schemas-orcale.sql and create_rpt_roles_and_schemas-orcale.sql from /opt/netiq/idm/apps/IDMReporting/sql/.

  2. Log in to SQL Developer as a database admin (sysdba) user.

  3. Assign the following permissions:

    • GRANT ALL ON IDM_RPT_DATA.SENTINEL_EVENTS TO IDM_RPT_DATA;

    • GRANT SELECT ON IDM_RPT_DATA.SENTINEL_EVENTS TO PUBLIC;

    • GRANT CREATE PUBLIC SYNONYM to IDM_RPT_CFG;

  4. To create Create_rpt_roles_and_schemas and Create_dcs_roles_and_schemas procedures, copy the content from these SQLs to SQL Developer and execute against the connected database.

  5. To create IDM_RPT_DATA, IDM_RPT_CFG, and IDMRPTUSER roles, execute the following commands in the given order:

    begin
    CREATE_DCS_ROLES_AND_SCHEMAS('<Set pwd for IDM_RPT_DATA>', '<Set pwd for IDMRPTUSER>');
    end;
    
    begin
    CREATE_RPT_ROLES_AND_SCHEMAS('<Set pwd for IDM_RPT_CFG>');
    end; 

    For example, if the password for IDM_RPT_DATA, IDMRPTUSER, and IDM_RPT_CFG are password, password1, and password2 respectively, then you must execute the following commands:

    begin
    CREATE_DCS_ROLES_AND_SCHEMAS('password', 'password1');
    end;
    
    begin
    CREATE_RPT_ROLES_AND_SCHEMAS('password2');
    end; 
  6. Copy the content of get_formatted_user_dn-oracle.sql to SQL Developer from /opt/netiq/idm/apps/IDMReporting/sql/ and execute against the connected database.

    NOTE:The get_formatted_user_dn-oracle.sql function must be manually added to the database when you select database schema creation option as File. If you select the database schema creation option as Now or Startup, the installer will add this function to the database.

Clearing the Database Checksums

  1. Locate the following .sql files in /opt/netiq/idm/apps/IDMReporting/sql.

    • DbUpdate-01-run-as-idm_rpt_cfg.sql

    • DbUpdate-02-run-as-idm_rpt_cfg.sql

    • DbUpdate-03-run-as-idm_rpt_data.sql

    • DbUpdate-04-run-as-idm_rpt_data.sql

    • DbUpdate-05-run-as-idm_rpt_data.sql

    • DbUpdate-06-run-as-idm_rpt_cfg.sql

  2. Clear the database checksums

    1. To run the clearchsum command with each .sql, append the following line at the beginning of each file:

      update DATABASECHANGELOG set MD5SUM = NULL; 

      The modified content should look similar to the following:

      -- *********************************************************************
      -- Update Database Script
      -- *********************************************************************
      -- Change Log: IdmDcsDataDropViews.xml
      -- Ran at: 2/23/18 5:17 PM
      -- Against: IDM_RPT_CFG@jdbc:oracle:thin:@192.99.170.20:1521/orcl
      -- Liquibase version: 3.5.1
      -- *********************************************************************
      update databasechangelog set md5sum = null; 
    2. Run each .sql with the corresponding user.

  3. Commit the changes to the database.

5.9.4 Deploying REST APIs for Identity Reporting

Identity Reporting incorporates several REST APIs that enable different features within the reporting functionality. These REST API uses the OAuth2 protocol for authentication.

On Tomcat, the rptdoc war and the dcsdoc war are automatically deployed when Identity Reporting is installed.

5.9.5 Connecting to a Remote PostgreSQL Database

If your PostgreSQL database is installed on a separate server, you need to change the default settings in the postgresql.conf and pg_hba.conf files in the remote database.

  1. Change the listening address in the postgresql.conf file.

    By default, PostgreSQL allows to listen for the localhost connection. It does not allow a remote TCP/IP connection. To allow a remoteTCP/IP connection, add the following entry to the /opt/netiq/idm/postgres/data/postgresql.conf file:

    listen_addresses = '*'

    If you have multiple interfaces on the server, you can specify a specific interface to be listened.

  2. Add a client authentication entry to the pg_hba.conf file.

    By default, PostgreSQL accepts connections only from the localhost. It refuses remote connections. This is controlled by applying an access control rule that allows a user to log in from an IP address after providing a valid password (the md5 keyword). To accept a remote connection, add the following entry to the /opt/netiq/idm/postgres/data/pg_hba.conf file.

    host all all 0.0.0.0/0 md5

    For example, 192.168.104.24/26 trust

    This works only for IPv4 addresses. For IPv6 addresses, add the following entry:

    host all all ::0/0 md5

    If you want to allow connection from multiple client computers on a specific network, specify the network address in the CIDR-address format in this entry.

    The pg_hba.conf file supports the following client authentication formats.

    • local database user authentication-method [authentication-option]

    • host database user CIDR-address authentication-method [authentication-option]

    • hostssl database user CIDR-address authentication-method [authentication-option]

    • hostnossl database user CIDR-address authentication-method [authentication-option]

    Instead of CIDR-address format, you can specify the IP address and the network mask in separate fields using the following format:

    • host database user IP-address IP-mask authentication-method [authentication-option]

    • hostssl database user IP-address IP-mask authentication-method [authentication-option]

    • hostnossl database user IP-address IP-mask authentication-method [authentication-option]

  3. Test the remote connection.

    1. Restart the remote PostgreSQL server.

    2. Log in to the server remotely using the username and password.