6.8 Configuring Identity Reporting

After installing Identity Reporting, you can still modify many of the installation properties. To make changes, run the configuration update utility (configupdate.sh) file.

If you change any setting for Identity Reporting with the configuration tool, you must restart Tomcat for the changes to take effect. However, you do not need to restart the server after making changes in the web user interface for Identity Reporting.

6.8.1 Configuring the Managed System Gateway Driver

The installer creates and configures the Data Collection Services Driver and the Managed System Gateway Driver for Identity Reporting.

Once the Managed System Gateway driver is configured, NetIQ recommends you to modify the KMO to SSL EC Certificate DNS. To modify the KMO, perform the following steps:

  1. Log in to iManager.

  2. Click Identity Manager Administration> Identity Manager Overview.

  3. Browse to and select the driver set object, then click Search.

  4. In the upper right corner of the Managed System Gateway driver icon, click Edit Properties.

  5. In the Driver Configuration tab, perform the following steps:

    1. Select show from the Show connection parameters field.

    2. In the KMO Name field, change the value from SSL CertificateDNS to SSL EC Certificate DNS.

    3. Click Apply and then click OK.

6.8.2 Manually Adding the DataSource in the Identity Data Collection Services Page

  1. Log in to Identity Reporting application.

  2. Click Data Sources.

  3. Click Add.

  4. In the Add Data Source dialog box, click the Select from predefined list radio button.

  5. Select IDMDCSDataSource.

  6. Click Save.

6.8.3 Running Reports on an Oracle Database

Identity Reporting provides the ability to run reports against remote Oracle databases. Ensure that you have the ojbc8.jar file on the server where you are running the Oracle Database.

6.8.4 Manually Generating the Database Schema

To manually generate the database schema after installation, perform one of the following procedures for your database:

Configuring Create_rpt_roles_and_schemas.sql Schema against PostgreSQL Database

  1. Add the required roles to the database using the create_dcs_roles_and_schemas.sql and create_rpt_roles_and_schemas.sql SQLs located in /opt/netiq/idm/apps/IDMReporting/sql/.

  2. Log in to PGAdmin as a postgres user.

  3. Run the Query tool.

  4. To create Create_rpt_roles_and_schemas and Create_dcs_roles_and_schemas procedures, copy the content from these SQLs to the Query tool and execute against the connected database.

  5. To create IDM_RPT_DATA, IDM_RPT_CFG, and IDMRPTUSER roles, execute the following commands in the given order:

    Select CREATE_DCS_ROLES_AND_SCHEMAS('<Set pwd for IDM_RPT_DATA>', '<Set pwd for IDMRPTUSER>');
    Select CREATE_RPT_ROLES_AND_SCHEMAS('<Set pwd for IDM_RPT_CFG>');

    For example, if the password for IDM_RPT_DATA, IDMRPTUSER, and IDM_RPT_CFG are password, password1, and password2 respectively, then you must execute the following commands:

    Select CREATE_DCS_ROLES_AND_SCHEMAS('password', 'password1');
    Select CREATE_RPT_ROLES_AND_SCHEMAS('password2');

  6. Copy the content of get_formatted_user_dn.sql from /opt/netiq/idm/apps/IDMReporting/sql/ to the Query tool and execute against the connected database.

    NOTE:The get_formatted_user_dn.sql function must be added manually when you select database schema creation option as File. If you select the database schema creation option as Now or Startup, the installer will add this function to the database.

Configuring Create_rpt_roles_and_schemas.sql Schema against Oracle Database

  1. Add the required roles to the database using create_dcs_roles_and_schemas-orcale.sql and create_rpt_roles_and_schemas-orcale.sql from /opt/netiq/idm/apps/IDMReporting/sql/.

  2. Log in to SQL Developer as a database admin (sysdba) user.

  3. To create Create_rpt_roles_and_schemas and Create_dcs_roles_and_schemas procedures, copy the content from these SQLs to SQL Developer and execute against the connected database.

  4. To create IDM_RPT_DATA, IDM_RPT_CFG, and IDMRPTUSER roles, execute the following commands in the given order:

    begin
CREATE_DCS_ROLES_AND_SCHEMAS('<Set pwd for IDM_RPT_DATA>', '<Set pwd for IDMRPTUSER>');
end;

begin
CREATE_RPT_ROLES_AND_SCHEMAS('<Set pwd for IDM_RPT_CFG>');
end;

    For example, if the password for IDM_RPT_DATA, IDMRPTUSER, and IDM_RPT_CFG are password, password1, and password2 respectively, then you must execute the following commands:

    begin
CREATE_DCS_ROLES_AND_SCHEMAS('password', 'password1');
end;

begin
CREATE_RPT_ROLES_AND_SCHEMAS('password2');
end;

  5. Assign the following permission:

    GRANT CREATE PUBLIC SYNONYM to IDM_RPT_CFG;

  6. Copy the content of get_formatted_user_dn-oracle.sql to SQL Developer from /opt/netiq/idm/apps/IDMReporting/sql/ and execute against the connected database.

    NOTE:The get_formatted_user_dn-oracle.sql function must be manually added to the database when you select database schema creation option as File. If you select the database schema creation option as Now or Startup, the installer will add this function to the database.

Configuring Create_rpt_roles_and_schemas.sql Schema against MS SQL Database

  1. Execute delete_create_dcs_roles_and_schemas-mssql.sql and delete_get_formatted_user_dn-mssql.sql.

  2. Add the required roles to the database using create_dcs_roles_and_schemas.mssql and create_rpt_roles_and_schemas.mssql from /opt/netiq/idm/apps/IDMReporting/sql/.

  3. Log in to SQL Developer as a database admin user.

  4. To create Create_rpt_roles_and_schemas and Create_dcs_roles_and_schemas procedures, copy the content from create_dcs_roles_and_schemas.mssql and create_rpt_roles_and_schemas.mssql to SQL Developer and execute against the connected database.

  5. To create IDM_RPT_DATA, IDM_RPT_CFG, and IDMRPTUSER roles, execute the following commands in the given order:

    execute CREATE_DCS_ROLES_AND_SCHEMAS '<Set pwd for IDM_RPT_DATA>', '<Set pwd for IDMRPTUSER>'

    execute CREATE_RPT_ROLES_AND_SCHEMAS \'<Set pwd for IDM_RPT_CFG>\'

  6. Copy the content of get_formatted_user_dn.sql to SQL Developer from /opt/netiq/idm/apps/IDMReporting/sql/ and execute against the connected database.

Clearing the Database Checksums

  1. Locate the following .sql files in /opt/netiq/idm/apps/IDMReporting/sql.

    • DbUpdate-001-run-as-idm_rpt_data.sql

    • DbUpdate-01-run-as-idm_rpt_cfg.sql

    • DbUpdate-02-run-as-idm_rpt_cfg.sql

    • DbUpdate-03-run-as-idm_rpt_data.sql

    • DbUpdate-04-run-as-idm_rpt_data.sql

    • DbUpdate-05-run-as-idm_rpt_data.sql

    • DbUpdate-06-run-as-idm_rpt_cfg.sql

  2. Clear the database checksums

    1. To run the clearchsum command with each .sql, append the following line at the beginning of each file:

      update DATABASECHANGELOG set MD5SUM = NULL
go

      The modified content should look similar to the following:

      -- *********************************************************************
-- Update Database Script
-- *********************************************************************
-- Change Log: IdmDcsDataDropViews.xml
-- Ran at: 2/23/18 5:17 PM
-- Against: IDM_RPT_CFG@jdbc:oracle:thin:@192.168.0.1:1521/orcl
-- Liquibase version: 3.5.1
-- *********************************************************************
update databasechangelog set md5sum = null
go

    2. Run each .sql with the corresponding user.

  3. Commit the changes to the database.

(Optional) Increasing the Column Data Size

In previous versions of Identity Manager, long data fields failed to synchronize data with the Identity Reporting server due to character limitations. Identity Manager 4.8 provides an option to increase the character limitation with PostgreSQL, Oracle, and MS SQL databases for the following tables and their respective columns:

Name of the Table

Name of the Column

idm_rpt_data.idmrpt_idv_ent_bindings

ent_param_str

idm_rpt_data.idmrpt_idv_ent_bindings

ent_param_val

idm_rpt_data.idmrpt_idv_identity_trust

idv_ent_ref

idm_rpt_data.idmrpt_idv_identity_trust

trust_params

idm_rpt_data.idmrpt_idv_ent_bindings_hist

ent_param_str

idm_rpt_data.idmrpt_idv_ent_bindings_hist

ent_param_val

idm_rpt_data.idmrpt_idv_identity_trust_hist

idv_ent_ref

idm_rpt_data.idmrpt_idv_identity_trust_hist

trust_params

  • For PostgreSQL, the character limitation has been increased automatically with Identity Manager 4.8 for all the fields as mentioned in the above table.

  • For Oracle, you must run the alter_column_length-oracle.sql script from /opt/netiq/idm/apps/IDMReporting/sql/ directory to increase the character limitation for all the columns as mentioned in above table.

  • For MS SQL, you must run the alter_column_length-mssql.sql script from /opt/netiq/idm/apps/IDMReporting/sql/ directory to increase the character limitation for indexed columns only. In this case, ENT_PARAM_STR is the only indexed column under the table idmrpt_idv_ent_bindings.

6.8.5 Deploying REST APIs for Identity Reporting

Identity Reporting incorporates several REST APIs that enable different features within the reporting functionality. These REST API uses the OAuth2 protocol for authentication.

On Tomcat, the rptdoc war and the dcsdoc war are automatically deployed when Identity Reporting is installed.

6.8.6 Connecting to a Remote PostgreSQL Database

If your PostgreSQL database is installed on a separate server, you need to change the default settings in the postgresql.conf and pg_hba.conf files in the remote database.

  1. Change the listening address in the postgresql.conf file.

    By default, PostgreSQL allows to listen for the localhost connection. It does not allow a remote TCP/IP connection. To allow a remoteTCP/IP connection, add the following entry to the /opt/netiq/idm/postgres/data/postgresql.conf file:

    listen_addresses = '*'

    If you have multiple interfaces on the server, you can specify a specific interface to be listened.

  2. Add a client authentication entry to the pg_hba.conf file.

    By default, PostgreSQL accepts connections only from the localhost. It refuses remote connections. This is controlled by applying an access control rule that allows a user to log in from an IP address after providing a valid password (the md5 keyword). To accept a remote connection, add the following entry to the /opt/netiq/idm/postgres/data/pg_hba.conf file.

    host all all 0.0.0.0/0 md5

    For example, 192.168.104.24/26 trust

    This works only for IPv4 addresses. For IPv6 addresses, add the following entry:

    host all all ::0/0 md5

    If you want to allow connection from multiple client computers on a specific network, specify the network address in the CIDR-address format in this entry.

    The pg_hba.conf file supports the following client authentication formats.

    • local database user authentication-method [authentication-option]

    • host database user CIDR-address authentication-method [authentication-option]

    • hostssl database user CIDR-address authentication-method [authentication-option]

    • hostnossl database user CIDR-address authentication-method [authentication-option]

    Instead of CIDR-address format, you can specify the IP address and the network mask in separate fields using the following format:

    • host database user IP-address IP-mask authentication-method [authentication-option]

    • hostssl database user IP-address IP-mask authentication-method [authentication-option]

    • hostnossl database user IP-address IP-mask authentication-method [authentication-option]

  3. Test the remote connection.

    1. Restart the remote PostgreSQL server.

    2. Log in to the server remotely using the username and password.