2.4 Configuring the Drivers

The following drivers are required by the reporting module:

These drivers are installed automatically by the Integrated Installer for Identity Manager, so the steps provided below are only necessary if you are running the stand-alone versions of the install programs.

If you are running the stand-alone versions of the install programs, you can use the new package management tools provided with Designer for Identity Manager to install and configure the drivers.

2.4.1 Installing the Packages

Before you attempt to configure the drivers, you need to be sure you have all of the necessary packages in the Package Catalog. When you create a new Identity Manager project, the user interface automatically prompts you to import several packages into the new project. If you choose not to import the packages at the time you create your project, you need to install them later, as described below.

  1. After you create a new Identity Manager project in Designer, select the Package Catalog and click Import Package.

    Designer displays the Select Package dialog box.

  2. Click Select All, then click OK.

    Designer adds several new package folders under the Package Catalog. These package folders correspond to the objects in the palette on the right side of the Modeler view in Designer.

  3. Click Save to save your project.

Configuring Drivers for the Roles Based Provisioning Module: At this point, you would typically want to configure the User Application Driver and the Roles and Resources Driver in Designer, which are required for the Roles Based Provisioning Module. The procedure for configuring these drivers is described in the Roles Based Provisioning Module Installation Guide. The sections that follow describe the steps you would take to configure the Managed System Gateway Driver and the Data Collection Service Driver.

2.4.2 Configuring the Managed System Gateway Driver

  1. In the Modeler view, select Service > Managed System Gateway in the palette.

  2. Drag the icon for the Managed System Gateway application onto the Modeler view.

    Designer displays the Driver Configuration Wizard.

  3. Select Managed System Gateway Base and click Next.

    NOTE: For the 4.0.2 release, you need to have version 2.0.0.20120509205929 of the Managed System Gateway Base package.

    The Driver Configuration Wizard now shows the Select Mandatory Features screen.

  4. Make sure the mandatory features listed are selected and click Next.

    The interface displays a dialog box to inform you that you need an additional package called Advanced Java Class.

  5. Click OK to install the required package.

    The wizard displays a screen that allows you to specify a name for the driver.

  6. Specify the name you want to use for the driver, then click Next.

    The wizard now displays a screen that allows you to specify the connection parameters for the driver.

  7. Specify the IP address and port the driver should listen on, as well as the protocol you want to use.

    The reporting module requests data from the Managed System Gateway Driver. Therefore, it needs to know which IP address, port, and protocol to use (http or https).

    NOTE: Do not assign an address of localhost for the Managed System Gateway Driver if you want to be able to use the REST end points. You cannot connect remotely to localhost through REST testing tools.

  8. (Optional) If you specify https as the protocol you want to use, you must also specify the KMO name stored in the Identity Vault.

  9. (Optional) If you want to enable end-point tracing, select true from the dropdown menu for Enable end-point tracing, then specify the location you want to use for storing trace files.

  10. Click Next.

    The wizard now displays a screen that asks whether you plan to connect to a remote loader.

  11. Select yes or no to indicate whether you will be using a remote loader, then click Next.

  12. If everything looks correct on the Confirm Installation Tasks screen, click Finish.

    Designer adds the Managed System Gateway Driver to the Modeler view.

  13. To configure additional settings for the driver, right-click the line connecting the Managed System Gateway Driver to the driver set and select Properties.

  14. Designer displays the Properties for Managed System Gateway Driver dialog box.

  15. Select Driver Configuration in the left menu and click the Startup Option tab. Select Manual for the startup setting.

  16. Click the Driver Parameters tab and select show under Connection Parameters to show the settings you provided to the wizard.

  17. Select show under Driver Parameters.

    You can optionally make changes to the Connection Parameters, Driver Parameters, and Publisher Options settings. The settings that you might want to modify are described below:

    Connection Parameters

    • Address(es): IP address on which the driver should listen. If you want the driver to listen on more than one interface, you can provide a comma-separated list of addresses.

      NOTE: If you use the loopback address of 127.0.0.1 as the IP address for the Managed System Gateway driver when configuring with the integrated installer, that is valid and will work correctly. However, when you use the endpoints, having the IP address be the loopback (127.0.0.1) does not work. In this case, you need to specify the correct IP address.

    • Port: The port on which the driver accepts requests. If multiple addresses are specified, the same port number is used to listen on all the interfaces. For example, if the address is set to 164.99.88.30,127.0.0.1, and the port is set to 9000, then the driver listens on the following:

      164.99.88.30:9000
      127.0.0.1:9000

    • Protocol: Protocol for accessing the driver. The choices are HTTP and HTTPS. If you select HTTPS, you need to provide the KMO name.

    • Session timeout interval: Defines a timer for the session that controls how long (in minutes) the session can be inactive before it is terminated.

    Driver Parameters

    • Duration result is kept: Specifies the duration (in minutes) for which query results are available before they are marked for purging. All results that exceed this duration are purged in the next purge cycle.

    • Purge interval: Specifies the duration (in hours) between purge cycles. A new purge cycle is executed when this interval is reached. The purge cycle cleans up all results that have been marked for purging.

    • End-point tracing: For release 4.0.2, the following options have been added to give you control over end-point tracing for the driver. The end-point logs are useful for debugging connection issues:

      • Enable end-point tracing: If set to true, all end-point invocations will be logged to a file.

      • Trace file location: Specifies the directory where the trace files will be created. A trace file named MsGateway.log will be written to this location.

      • Trace file size: Specifies the maximum size for a trace file in MB. Once the maximum size is reached or the driver is restarted, the trace file is backed up.

      • Maximum number of trace files: Specifies the maximum number of trace files that should be preserved. Older trace files are deleted when the maximum count is reached.

    Publisher Options

    • Publisher heartbeat interval: Specifies the duration (in minutes) between heartbeats. Whenever this interval is reached and there has been no traffic on the Publisher channel, a new heartbeat is sent.

  18. Optionally, open the GCVs tab to set the Global Configuration Values for the server.

    In release 4.0.2, you can set the following values for the Managed System Gateway Driver:

    • Query Managed Systems across driversets: Defines the scope of operation for the Managed System Gateway Driver. If set to true, the driver returns information about managed systems across driversets. Otherwise, the scope is restricted to the local driverset.

    • Add end-point request data to queries: Specifies whether end-point request data should be added to the queries sent by the driver. This data is added as an operation-data node.

    • End-point request data node name: Specifies a node-name that will be added to the operation-data of the queries. The node attributes will contain the details about the request.

  19. Open the other tabs associated with Driver Configuration to review the settings.

    You can make changes to the settings, if you like, but you do not need to in order to get the driver up and running.

  20. Select the Packages option in the left menu to see which packages have been installed.

    You do not need to change the Operation settings unless you want to uninstall a particular package.

  21. Click Apply when you are satisfied with all of the settings.

  22. After configuring the driver packages and parameters, you must enable synchronization on the Subscriber channel of the Managed System Gateway Driver for the Reporting Module to function correctly.

2.4.3 Configuring the Identity Manager Driver for Data Collection Service

NOTE: After you configure the Data Collection Service driver, ensure that you install all available entitlement packages for the other drivers in your environment. The Data Collection Service driver requires these entitlement packages, even if you do not use entitlements to manage objects.

  1. In the Modeler view, select Service > Data Collection Service in the palette.

  2. Drag the icon for the Data Collection Service application onto the Modeler view.

    Designer displays the Driver Configuration Wizard.

  3. Select Data Collection Service Base and click Next.

    NOTE: For the 4.0.2 release, you need to have version 2.0.0.20120509205909 of the Data Collection Service Base package.

  4. Make sure any mandatory features listed are selected and click Next.

  5. Make sure the optional features listed are selected and click Next.

  6. The interface displays a dialog box to inform you that you need an additional package called LDAP Library. Click OK to install the required package.

  7. (Optional) On the Install LDAP Library page, if you want to configure a global connection profile for all drivers, click the dropdown menu and select Yes.

  8. Click Next.

  9. Specify the Data Collection Service driver name you want to use, then click Next.

  10. Specify the IP address and port of the reporting module, as well as the protocol you want to use. Also, specify the user and password of the Reporting Administrator for authentication.

  11. Click Next.

    The wizard now displays a screen that allows you to specify settings for the Identity Vault Registration and Managed System Gateway Registration.

  12. For the Identity Vault Registration, provide a name and description, as well as the IP address for the Identity Vault.

  13. Select Yes for Register Managed System Gateway. For the Managed System Gateway Registration, provide the DN for the driver, as well as the user and password for the LDAP administrator.

    NOTE: Because the driver has not yet been deployed, the browse function does not show the Managed System Gateway driver you just configured, so you might need to type the DN for the driver.

  14. Click Next.

    The wizard now displays the Confirm Installation Tasks screen.

  15. If everything looks correct, click Finish.

    Designer adds the Data Collection Service Driver to the Modeler view.

  16. To configure additional settings for the driver, right-click the line connecting the Data Collection Service Driver to the driver set and select Properties.

    Designer now displays the Properties for Data Collection Service Driver dialog.

  17. Select Driver Configuration in the left menu and click the Startup Option tab. Select Manual for the startup setting.

  18. Select Driver Configuration in the left menu and click the Driver Parameters tab. Select show under Connection Parameters. Also, select show under Driver Parameters.

  19. Scroll down to the settings shown in the Driver Parameters section.

    You might want to change the values for some of these settings. In a test environment, you might want to use low numbers to be sure your events are being processed correctly. However, in a production environment, you probably want to use higher numbers so that the system does not process events unnecessarily.

    You can optionally make changes to the Connection Parameters, Identity Vault Registration, Managed System Gateway Registration, and Driver Parameters settings. The settings that you might want to modify are described below:

    Connection Parameters

    • IP Address: IP address where the reporting module is installed and running.

    • Port: Port number for the reporting module (for REST connections).

    • Protocol: Protocol for accessing the reporting module. The choices are HTTP and HTTPS. If you select HTTPS, you need to indicate whether you always trust the server’s certificate.

    Identity Vault Registration

    • Name: Provides the name you want to use to refer to your Identity Vault within the reporting module.

    • Description: A short description of the Identity Vault.

    • Address: IP address of the Identity Vault (for example, 164.99.130.127).

      NOTE: You must specify an IP address. Do not specify an address of localhost for the Identity Vault Registration.

    Managed System Gateway Registration

    • Register Managed System Gateway: Indicates whether you want to register the Managed System Gateway Driver.

    • Managed System Gateway Driver DN (slash): Specifies the DN of the Managed System Gateway Driver in slash format.

    • User DN (LDAP): Specifies the LDAP DN of the user that the driver should use to authenticate to the Managed System Gateway Driver. This DN must exist in the Identity Vault.

    • Password: Specifies the password for the user.

    Driver Parameters

    • Time interval between submitting events: The maximum amount of time, in minutes, that an event can remain in the persistence layer before being submitted to the DCS (and to the database for the reporting module).

    • Number of events to be sent in batch: Specifies the number of events that can be gathered by the persistence layer before it sends them over to the DCS (without waiting for the timeout to occur).

      NOTE: In environments where the driver receives large numbers of events, we recommend setting the number of events per batch to 500. This batch size helps to increase the speed at which the driver processes events.

    • Maximum number of batches in the file: Defines an upper limit for the storage capacity of the persistence layer.

      NOTE: In environments where the driver receives large numbers of events, we recommend setting the number of batches per file to no more than 10. If you set this parameter to a value greater than 10, the driver cannot process events as efficiently.

  20. Select Engine Control Values in the left menu.

    For the Qualified form for DN-syntax attribute values setting, be sure that True is selected so that DNs are configured properly.

  21. Open the other tabs associated with Driver Configuration to review the settings.

    You can make changes to the settings, if you like, but you do not need to in order to get the driver up and running.

  22. Select GCVs in the left menu, then select Show for Show override options.

  23. (Optional) Provide new values that override the global configuration values.

  24. Click OK.

    Designer returns you to the Modeler view.
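The parameter rules stated in 2.4.2 and 2.4.3 (no loopback address where the REST end points must be reachable, a KMO name whenever HTTPS is chosen, a real IP address for the Identity Vault Registration, a slash-format DN for the gateway driver and an LDAP DN for the user, and the 500-events / 10-batches advice for busy environments) can be checked before the drivers are deployed. The script below is an added example and is not NetIQ code; the dictionary keys it reads (addresses, port, protocol, kmo, idv_address, register_msgw, msgw_driver_dn, user_dn, events_per_batch, max_batches_per_file) and the sample values in it are assumptions made for the illustration.

```python
"""Lint the connection and driver parameters described in 2.4.2 and 2.4.3.

Added example, not NetIQ code. The dictionary keys are assumptions made for
this script; the rules encoded are the ones the guide states.
"""
import ipaddress
from typing import Dict, List


def is_loopback(address: str) -> bool:
    """True for 'localhost' or a loopback IP such as 127.0.0.1 or ::1."""
    address = address.strip()
    if address.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        return False


def msgw_listen_endpoints(addresses: str, port: int) -> List[str]:
    """Expand the comma-separated Address(es) value into host:port pairs;
    the driver listens on the same port on every address."""
    return [f"{a.strip()}:{port}" for a in addresses.split(",") if a.strip()]


def lint_msgw(params: Dict[str, str]) -> List[str]:
    """Findings for the Managed System Gateway Driver connection parameters."""
    findings = []
    port = int(params.get("port", 0))
    if not 0 < port < 65536:
        findings.append(f"msgw: port {port} is not a valid TCP port")
    for addr in params.get("addresses", "").split(","):
        if is_loopback(addr):
            findings.append(f"msgw: {addr.strip()} is a loopback address; "
                            "the REST end points will not be reachable remotely")
    protocol = params.get("protocol", "http").lower()
    if protocol == "https" and not params.get("kmo"):
        findings.append("msgw: HTTPS selected but no KMO name given")
    elif protocol == "http":
        findings.append("msgw: HTTP selected; queries from the reporting module are not encrypted")
    return findings


def lint_dcs(params: Dict[str, object], high_volume: bool = False) -> List[str]:
    """Findings for the Data Collection Service Driver registration and
    driver parameters; high_volume applies the guide's batching advice."""
    findings = []
    if is_loopback(str(params.get("idv_address", ""))):
        findings.append("dcs: Identity Vault Registration needs a real IP address, not localhost")
    if str(params.get("protocol", "http")).lower() == "http":
        findings.append("dcs: HTTP selected; the Reporting Administrator password is sent unencrypted")
    if params.get("register_msgw") is not True:
        findings.append("dcs: Register Managed System Gateway should be Yes")
    if "=" in str(params.get("msgw_driver_dn", "")):
        findings.append("dcs: Managed System Gateway Driver DN must be in slash format, not LDAP format")
    if "=" not in str(params.get("user_dn", "")):
        findings.append("dcs: User DN must be an LDAP DN")
    batches = int(params.get("max_batches_per_file", 0))
    if batches > 10:
        findings.append(f"dcs: {batches} batches per file; the guide recommends no more than 10")
    if high_volume and int(params.get("events_per_batch", 0)) != 500:
        findings.append("dcs: 500 events per batch is recommended for high-volume environments")
    return findings


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    print(msgw_listen_endpoints("164.99.88.30,127.0.0.1", 9000))
    for line in lint_msgw({"addresses": "127.0.0.1", "port": "9000",
                           "protocol": "https", "kmo": ""}):
        print(line)
```

Run it against the values you intend to type into the wizards; an empty findings list for both drivers means the settings satisfy the rules this section spells out, and the listen endpoints printed for the gateway driver are the ones the reporting module will have to reach.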

2.4.4 Deploying the Drivers

To deploy the drivers you just configured:

  1. Select the driver set (either in the Modeler view or in the Outline view).

  2. Choose Live > Deploy.

    Designer displays a progress window that shows which objects are being deployed.

    For each driver deployed, you see a dialog box prompting you for the security equivalent. You need to provide the LDAP Administrator for each driver.

2.4.5 Backing Up and Restoring the Reporting Module

If necessary, you can back up the EAS PostgreSQL database the Identity Reporting Module uses to store audit data, event data, and configuration information. The database contains three separate schemas:

  • public: Stores audit data, event source configuration information, and other administrative information.

  • idm_rpt_data: Stores data collected by the Managed System Gateway Driver and the Data Collection Service Driver, as well as data collection configuration information.

  • idm_rpt_cfg: Stores reporting configuration information, reports, and report scheduling information.

Backing Up and Restoring the idm_rpt_data and idm_rpt_cfg Schemas

We recommend you use the standard PostgreSQL backup and restore procedures to back up or restore the idm_rpt_data and idm_rpt_cfg schemas. For detailed information on backing up and restoring PostgreSQL databases, see Backup and Restore in the PostgreSQL documentation.

Backing Up and Restoring the public Schema

However, for the public schema, you should use the backup_util.sh utility provided with Identity Manager. The utility is located in the /opt/novell/sentinel/bin directory on the Identity Manager server.

For detailed information on using the backup_util.sh script, see Backing Up and Restoring Data, in the NetIQ Sentinel Administration Guide.

2.4.6 Runtime Configuration and Troubleshooting

This section provides some additional configuration steps you should take to ensure that the runtime environment is operating correctly. It also provides troubleshooting techniques, as well as some information about database tables that are of particular interest.

Verifying That the Managed Systems Are Working

Before you start the Managed System Gateway Driver and the Data Collection Service Driver, you should confirm that the underlying managed systems are properly configured. By doing this, you can isolate problems with your environment that do not relate to the configuration of the reporting drivers.

To troubleshoot your Active Directory environment, for example, you might want to test an Active Directory entitlement by assigning a resource in the User Application.

NOTE: Details on configuring the Active Directory driver are provided in the Driver for Active Directory Implementation Guide.

The following steps demonstrate one way to confirm that Active Directory is properly configured:

  1. Make sure that the User Application and the Identity Reporting Module are both running on the same server.

  2. In iManager, verify that the User Application Driver and the Role and Resource Service Driver are running, and make sure that the driver for the managed system is running.

  3. To verify that the User Application can retrieve information from Active Directory, first log into the User Application as a User Application Administrator.

  4. In the Resource Catalog, create a new resource for Active Directory accounts.

  5. Bind the resource to an entitlement within the Active Directory Driver, such as User Account Entitlement.

    Notice that the User Application is able to retrieve the entitlement from the driver.

  6. Because this particular resource pertains to accounts, configure the resource to assign an account value.

  7. Select the account value and click Add.

    This release supports two entitlement parameter formats, one for legacy values, and one for Identity Manager 4.0.2. When you create a new driver, the policy format used is the new format for Identity Manager 4.0.2.

  8. Now create another resource that assigns groups.

  9. Bind the resource to an entitlement that is suitable for groups. For this particular resource, map to the Group Membership Entitlement.

  10. Configure this resource so that the entitlement value is assigned by the user at request time, and allow the user to select multiple values for a single assignment request.

  11. Verify that the entitlements were created successfully.

    At this point, you can see that the underlying architecture for the managed system (in this case, Active Directory) is functioning properly. This can help you to troubleshoot any problems that might arise later on.

Starting the Drivers

This section provides instructions for starting the Managed System Gateway Driver and the Data Collection Service Driver.

  1. In iManager, first start the Managed System Gateway Driver.

  2. Now start the Data Collection Service Driver.

  3. Verify that both drivers started successfully.

  4. After the drivers have started, you should see some additional information in the server console.

  5. Now log in to the reporting module as a Reporting Administrator.

  6. On the Overview page, verify that one Identity Vault has been configured.

  7. Look at the Identity Vaults page to see details about the Data Collection Service Driver and the Managed System Gateway Driver. The Managed System Gateway Driver status should indicate that the driver has been initialized.

    At this point, you can look at the contents of the Identity Information Warehouse to learn more about the rich data that is stored about the Identity Vault, as well as the managed systems in your enterprise.

  8. To see the data in the Identity Information Warehouse, use a database administration tool such as PGAdmin for PostgreSQL to look at the contents of the SIEM database. When you look at the SIEM database, you should see three schemas:

    The SIEM database is installed by the EAS installer. The public schema includes information about events captured by EAS. The other two schemas, idm_rpt_cfg and idm_rpt_data, are added by the installer for the Identity Reporting Module. The idm_rpt_cfg schema contains reporting configuration data, such as report definitions and schedules. The idm_rpt_data schema contains information collected by the Managed System Gateway Driver and the Data Collection Service Driver.

  9. To see data collected by the Managed System Gateway Driver and the Data Collection Service Driver, look at the idm_rpt_data schema.

  10. First, look at the idmrpt_idv table.

  11. Check to see if a single row was added to this table for the new Data Collection Service Driver that was registered.

  12. Check to see if the data for this table shows the name of the Identity Vault.

    If you see the new row in this table, the driver registration process was successful.

Migrating the Data Collection Service Driver

  1. In iManager, go to the Overview panel for the Data Collection Service Driver, and select Migrate From Identity Vault.

  2. Select the organizations that contain relevant data, and click Start.

    Depending on the amount of data you have, the migration process could take several minutes.

    IMPORTANT: Be sure to wait until the migration process is complete before you proceed.

  3. Look at the following tables, which provide information about the identities and accounts in the Identity Vault:

    • idmrpt_identity

    • idmrpt_acct

    After the migration, the idmrpt_identity table, for example, is populated with information about the migrated identities.

  4. Look at an LDAP browser to verify that the migration process also adds a DirXML-Associations reference for each user.

  5. Verify that the migration process adds a DirXML-Associations reference for each group, as well.

  6. Look at data in the idmrpt_group table.

    This table shows the name for each group, as well as flags indicating whether the group is dynamic or nested. It also shows whether the group has been migrated. The synchronization status (idmrpt_syn_state) could possibly be set to 0 if an object had been modified in the User Application but not yet migrated. For example, if a user were added to a group, and the driver had not been migrated yet, this value might be set to 0.

  7. (Optional) Look at the following tables:

    • idmrpt_approver

    • idmrpt_association

    • idmrpt_category

    • idmrpt_container

    • idmrpt_idv_drivers

    • idmrpt_idv_prd

    • idmrpt_role

    • idmrpt_resource

    • idmrpt_sod

  8. (Optional) Look at the idmrpt_ms_collect_state table, which is of particular importance.

    This table shows information about the data collection state for the Managed System Gateway Driver, which includes data about which REST endpoints for managed systems have been executed. At this point, the table has no rows, because the collection process has not yet been started for this driver.

Starting the Collection Process for the Managed System Gateway Driver

This section provides instructions for starting the data collection process for the Managed System Gateway Driver.

IMPORTANT: Before activating the data collection process for the first time, you need to be sure you have performed all of the configuration steps in the correct order.

  1. Start the Data Collection Service Driver and the Managed System Gateway Driver.

  2. Verify that the Data Collection Service Driver has registered properly with the DCS services.

  3. Migrate the Data Collection Service Driver and wait until the migration process is complete.

If you do not follow these steps in order, some data might be in a transitional state, and you might see two rows for the same managed system. Because there is no way to determine programmatically whether the migration process is complete, you need to wait until the migration process is complete before you activate the data collection process.

After the configuration steps have been performed in order, you can proceed with the initial data collection.

  1. In the user interface for the Identity Reporting Module, navigate to the Identity Vault Data Sources page. Then, click Start data source for the driver and click Save.

  2. Now look at the idmrpt_ms table.

    This table contains information about the Managed System Gateway Driver.

  3. In the data for this table, verify that there is a single row representing the Managed System Gateway Driver registration.

    At this point, some of the information in this table is still blank, because the Data Collection Service Driver has not yet been migrated from the Identity Vault.

  4. Verify that the idmrpt_ms_collect_state table contains several rows of data showing which endpoints have been executed.

  5. (Optional) Sort the list by ms_collect_time to see the order in which they were executed.

    If any of the endpoints fails to execute properly, the value for ms_collect_state is FALSE. If the driver is not configured properly, the ms_collect_state for the /ms endpoint is FALSE, and the other endpoints are not executed. If this happens, you should enable tracing on the driver to determine the underlying cause of the problem.
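The triage described in steps 4 and 5 (sort idmrpt_ms_collect_state by ms_collect_time, treat a FALSE /ms row as a driver configuration problem and any later FALSE row as an individual endpoint failure) is easy to automate once the rows have been fetched. The script below is an added example, not NetIQ code: the rows are constructed, the "endpoint" key and every endpoint path other than /ms are assumed for the illustration, and only the column names ms_collect_time and ms_collect_state come from the guide.

```python
"""Triage idmrpt_ms_collect_state after a Managed System Gateway collection run.

Added example, not NetIQ code. The rows are constructed; the guide names the
ms_collect_time and ms_collect_state columns and the /ms endpoint, while the
'endpoint' key and the other endpoint paths are assumed for illustration.
"""
from datetime import datetime
from typing import Dict, List

# Constructed sample rows (as they might be read from
# idm_rpt_data.idmrpt_ms_collect_state), deliberately out of time order.
SAMPLE_ROWS: List[Dict[str, object]] = [
    {"endpoint": "/ms/accounts", "ms_collect_time": "2012-06-01 10:00:09", "ms_collect_state": False},
    {"endpoint": "/ms", "ms_collect_time": "2012-06-01 10:00:05", "ms_collect_state": True},
    {"endpoint": "/ms/identities", "ms_collect_time": "2012-06-01 10:00:07", "ms_collect_state": True},
    {"endpoint": "/ms/entitlements", "ms_collect_time": "2012-06-01 10:00:12", "ms_collect_state": True},
]


def triage(rows: List[Dict[str, object]]) -> Dict[str, object]:
    """Order the rows by ms_collect_time and explain what the FALSE states mean."""
    ordered = sorted(
        rows, key=lambda r: datetime.strptime(str(r["ms_collect_time"]), "%Y-%m-%d %H:%M:%S")
    )
    order = [str(r["endpoint"]) for r in ordered]
    failed = [str(r["endpoint"]) for r in ordered if not r["ms_collect_state"]]
    ms_row = next((r for r in ordered if r["endpoint"] == "/ms"), None)
    if not ordered:
        verdict = "no rows: the data source has not been started for this driver yet"
    elif ms_row is None or not ms_row["ms_collect_state"]:
        # A failed /ms call stops the remaining endpoints, so look at the driver
        # configuration first and turn on end-point tracing (MsGateway.log).
        verdict = ("/ms failed or never ran: the driver is not configured properly; "
                   "enable end-point tracing and read MsGateway.log")
    elif failed:
        verdict = "/ms succeeded but these endpoints failed: " + ", ".join(failed)
    else:
        verdict = "all endpoints executed successfully"
    return {"order": order, "failed": failed, "verdict": verdict}


if __name__ == "__main__":
    result = triage(SAMPLE_ROWS)
    print(" -> ".join(result["order"]))
    print(result["verdict"])
```

Feed it the rows from a real collection run (for instance, the result of a SELECT on idmrpt_ms_collect_state) and the verdict tells you whether to look at the driver configuration as a whole or at one endpoint.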

To initiate a subsequent data collection process for the Managed System Gateway Driver:

  1. In the user interface for the Identity Reporting Module, click Start Data Collection on the General Settings page.

  2. Look at the idmrpt_ms_collect_state table to verify that several additional rows have been added to show the execution of additional REST endpoints.

  3. Look at the following tables to see the kinds of information that have been collected about the managed systems:

    • idmrpt_ms_acct

    • idmrpt_ms_ent_trust

    • idmrpt_ms_identity

    The idmrpt_ms_acct table, for example, provides useful information about the accounts for each of the managed systems.

    The acct_id_type column shows the type for each account in the managed system (in this case, Active Directory). In addition, the idv_managed column indicates whether the account is currently being managed. In this particular situation, the user accounts in the Identity Vault are not actively being managed within Active Directory, so the column value is FALSE.

    In this table, you might also want to look at the idv_sync column, which indicates whether the account has been migrated, as well as the idmrpt_valid_from and idmrpt_valid_to columns. The timestamps for the idmrpt_valid_from and idmrpt_valid_to columns are updated whenever data is modified, and a corresponding row is added to a history table.

  4. Look at the idmrpt_ms_ent_trust table to see information about the entitlements that have been assigned to trustees within the managed system.

    The trustee_type_id column indicates whether the trustee is an identity or a group.

  5. Look at the idmrpt_ms_identity table to see the identities in the managed system.

    Notice that the first name is available for users, but not groups. This particular example shows data for a test system, so not all of the values are available.

Adding Support for Custom Attributes and Objects

You can configure the Data Collection Service driver to gather and persist data for custom attributes and objects that are not part of the default data collection scheme. To do this, you need to modify the Data Collection Service driver filter. Modifying the filter does not trigger object synchronization immediately. Instead, the newly added attributes and objects are sent to the data collection services when add, modify, or delete events occur in the Identity Vault.

When you add support for custom attributes and objects, you need to modify the reports in order to include the extended attribute and object information. The following views provide current and historic data on the extended objects and attributes:

  • idm_rpt_cfg.idmrpt_ext_idv_item_v

  • idm_rpt_cfg.idmrpt_ext_item_attr_v

Configuring the Driver to Use Extended Objects

You can add any object or attribute to the Data Collection Service filter policy. When you add a new object or attribute, you need to make sure you map the GUID (with subscriber sync) and the Object Class (with subscriber notify), as shown in the following example:

<filter-class class-name="Device" publisher="ignore" publisher-create-homedir="true" publisher-track-template-member="false" subscriber="sync">
  <filter-attr attr-name="CN" merge-authority="default" publisher="ignore" publisher-optimize-modify="true" subscriber="sync"/>
  <filter-attr attr-name="Description" merge-authority="default" publisher="ignore" publisher-optimize-modify="true" subscriber="sync"/>
  <filter-attr attr-name="GUID" merge-authority="default" publisher="ignore" publisher-optimize-modify="true" subscriber="sync"/>
  <filter-attr attr-name="Object Class" merge-authority="default" publisher="ignore" publisher-optimize-modify="true" subscriber="notify"/>
  <filter-attr attr-name="Owner" merge-authority="default" publisher="ignore" publisher-optimize-modify="true" subscriber="sync"/>
  <filter-attr attr-name="Serial Number" merge-authority="default" publisher="ignore" publisher-optimize-modify="true" subscriber="sync"/>
  <filter-attr attr-name="sampleDeviceModel" from-all-classes="true" merge-authority="default" publisher="ignore" publisher-optimize-modify="true" subscriber="sync"/>
  <filter-attr attr-name="sampleDeviceType" from-all-classes="true" merge-authority="default" publisher="ignore" publisher-optimize-modify="true" subscriber="sync"/>
</filter-class>

Including a Name and Description in the Database

If you want the object to have a name and description in the database, you need to add a schema mapping policy for _dcsName and _dcsDescription. The schema mapping policy maps the attribute values on the object instance to the columns idmrpt_ext_idv_item.item_name and idmrpt_ext_idv_item.item_desc, respectively. If you do not add a schema mapping policy, the attributes will be populated in the child table idmrpt_ext_item_attr.

Here’s an example:

<attr-name class-name="Device">
  <nds-name>CN</nds-name>
  <app-name>_dcsName</app-name>
</attr-name>
<attr-name class-name="Device">
  <nds-name>Description</nds-name>
  <app-name>_dcsDescription</app-name>
</attr-name>

Here is some sample SQL that allows you to show these object and attribute values in the database:

SELECT
    item.item_dn,
    item.item_name,
    item.item_desc,
    attr.attribute_name,
    itemAttr.attribute_value,
    item.idmrpt_deleted as item_deleted,
    itemAttr.idmrpt_deleted as attr_deleted,
    obj.object_class
FROM
    idm_rpt_data.idmrpt_ext_idv_item as item,
    idm_rpt_data.idmrpt_ext_item_attr as itemAttr,
    idm_rpt_data.idmrpt_ext_attr as attr,
    idm_rpt_data.idmrpt_ext_obj as obj
WHERE
    item.object_id = obj.object_id
    and itemAttr.attribute_id = attr.attribute_id
    and itemAttr.cat_item_id = item.item_id
ORDER BY
    item.item_dn, item.item_name
Adding Extended Attributes to Known Object Types

If an attribute is added to the filter policy on the Data Collection Service driver and not explicitly mapped to the reporting database in the XML reference file (IdmrptIdentity.xml), the value is populated and maintained in the idmrpt_ext_item_attr table, with an attribute reference in the idmrpt_ext_attr table.

Here is some sample SQL that shows these extended attributes:

SELECT
    acct.idv_acct_dn,
    attrDef.attribute_name,
    attrVal.attribute_value,
    attrVal.idmrpt_valid_from,
    cat_item_attr_id,
    attrVal.idmrpt_deleted,
    attrVal.idmrpt_syn_state
FROM
    idm_rpt_data.idmrpt_ext_item_attr as attrVal,
    idm_rpt_data.idmrpt_ext_attr as attrDef,
    idm_rpt_data.idmrpt_identity as idd,
    idm_rpt_data.idmrpt_idv_acct as acct
WHERE
    attrVal.attribute_id = attrDef.attribute_id
    and idd.identity_id = acct.identity_id
    and attrVal.cat_item_id = acct.identity_id
    and cat_item_type_id = 'IDENTITY'

In addition to the User object, you can add extended attributes to the filter policy on the following objects and populate the database with these attributes:

  • nrfRole

  • nrfResource

  • Containers

    NOTE: The installed product provides support for organizationUnit, Organization, and Domain. The container types are maintained in the idmrpt_container_types table.

  • Group

  • nrfSod

You can see the association of the extended attributes to the parent table or object by looking at the idmrpt_cat_item_types.idmrpt_table_name column. This column describes how to join the idm_rpt_data.idmrpt_ext_item_attr.cat_item_id column to the primary key of the parent table.

Adding Support for Multiple Driversets

The new Data Collection Service Scoping package (NOVLDCSSCPNG) provides static and dynamic scoping capabilities for enterprise environments with multiple driversets and multiple pairs of Data Collection Service Drivers and Managed System Gateway Drivers.

During or after installation, you need to determine the role for the Data Collection Service Driver that the package is being installed on. You need to select one of the following roles:

  • Primary: The driver synchronizes everything except the subtrees of other driver sets. A primary Data Collection Service Driver may service a whole Identity Vault on its own, or it may work in conjunction with one or more secondary drivers.

  • Secondary: The driver synchronizes only its own driver set and nothing else. A secondary Data Collection Service Driver usually requires a primary driver running in a different driver set; otherwise, no data outside the local driver set is sent to the Data Collection Service.

  • Custom: Allows the administrator to define custom scoping rules. The only implicit scope is the local driver set; everything else is considered out of scope unless it is explicitly added to the list of custom scopes. A custom scope is the distinguished name, in slash format, of a container in the Identity Vault whose subordinates or subtree should be synchronized.

The scoping package is only required in some configuration scenarios, as described below:

  • Single server with a single driver set Identity Vault: For this scenario, you do not need scoping, and, therefore, you do not need to install the scoping package.

  • Multiple servers with a single driver set Identity Vault: For this scenario, you need to follow these guidelines:

    • Make sure the Identity Manager server holds replicas of all partitions from which data should be collected.

    • For this scenario, no scoping is required, so do not install the scoping package.

  • Multiple servers with a multiple driver set Identity Vault: In this scenario, there are two basic configurations:

    • All servers hold a replica of all partitions from which data should be collected.

      For this configuration, you need to follow these guidelines:

      • Scoping is required to avoid the same change being processed by multiple DCS drivers.

      • You need to install the scoping package on all DCS drivers.

      • You need to select one DCS driver to be the Primary driver.

      • You need to configure all other DCS drivers to be Secondary drivers.

    • All servers do not hold a replica of all partitions from which data should be collected.

      Within this configuration, there are two possible situations:

      • All partitions from which data should be collected are being held by only one Identity Manager server

        In this case, you need to follow these guidelines:

        • Scoping is required to avoid the same change being processed by multiple DCS drivers.

        • You need to install the scoping package on all DCS drivers.

        • You need to configure all DCS drivers to be Primary drivers.

      • All partitions from which data should be collected are not being held by only one Identity Manager server (some partitions are held by more than one Identity Manager server).

        In this case, you need to follow these guidelines:

        • Scoping is required to avoid the same change being processed by multiple DCS drivers.

        • You need to install the scoping package on all DCS drivers.

        • You need to configure all DCS drivers to be Custom drivers.

          You need to define custom scoping rules for each driver and be sure not to create any overlapping scopes.
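The Custom role above ends with the requirement that no two drivers' scopes overlap. The following Python script is an added example, not part of the product or of this guide: it checks a set of Custom-role driver scopes for that condition. It assumes scopes are written as slash-format container DNs (a leading tree name is optional, but all scopes should use the same form), compares names case-insensitively, and reports any scope that lies at or below another driver's scope. The driver names and DNs are constructed sample values; include each driver's own driver set container as an explicit scope if you also want the implicit local scope checked.

```python
"""Overlap check for custom Data Collection Service scopes (added example)."""
from itertools import combinations

# ASSUMPTION: scopes are container DNs in slash format such as
# "\\ACME\\acme\\users" (leading tree name optional). Forward slashes are
# accepted too. eDirectory names are compared case-insensitively.


def scope_components(scope: str) -> tuple:
    """Split a slash-format DN into its lower-cased container components."""
    parts = [p for p in scope.replace("/", "\\").split("\\") if p]
    return tuple(p.lower() for p in parts)


def scope_contains(outer: str, inner: str) -> bool:
    """True if inner is outer itself or lies somewhere inside outer's subtree."""
    o, i = scope_components(outer), scope_components(inner)
    return len(i) >= len(o) and i[: len(o)] == o


def find_overlaps(driver_scopes: dict) -> list:
    """driver_scopes maps a driver name to its list of custom scopes.

    Returns (driver_a, scope_a, driver_b, scope_b) tuples for every pair of
    scopes belonging to different drivers where one scope lies inside the
    other. The same change would be processed by both drivers in that case.
    Nested scopes on the same driver are merely redundant and are not reported.
    """
    flat = [(d, s) for d, scopes in driver_scopes.items() for s in scopes]
    overlaps = []
    for (da, sa), (db, sb) in combinations(flat, 2):
        if da == db:
            continue
        if scope_contains(sa, sb) or scope_contains(sb, sa):
            overlaps.append((da, sa, db, sb))
    return overlaps


# Constructed sample: driver B's contractors container sits under driver A's
# users container, so the two drivers overlap on that subtree.
SAMPLE_SCOPES = {
    "DCS-Driver-A": ["\\ACME\\acme\\users", "\\ACME\\acme\\groups"],
    "DCS-Driver-B": ["\\ACME\\acme\\users\\contractors", "\\ACME\\acme\\services"],
}

if __name__ == "__main__":
    for da, sa, db, sb in find_overlaps(SAMPLE_SCOPES):
        print(f"overlap: {da} scope {sa} and {db} scope {sb}")
```

Run the script against the scope lists you intend to enter on each Custom-role driver before enabling them; an empty result means no driver will receive a change that another driver also processes.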

Configuring the Drivers to Run in Remote Mode with SSL

When running in remote mode, you can configure the Data Collection Service and Managed System Gateway drivers to use SSL. This section provides steps for configuring the drivers to run in remote mode with SSL.

To configure SSL using a Keystore for the Managed System Gateway Driver:

  1. Create a server certificate in iManager.

    1. In the Roles and Tasks view, click Novell Certificate Server > Create Server Certificate.

    2. Browse to and select the server object where the Managed System Gateway Driver is installed.

    3. Specify a certificate nickname.

    4. Select Standard as the creation method, then click Next.

    5. Click Finish, then click Close.

  2. Export the server certificate using iManager.

    1. In the Roles and Tasks view, click Novell Certificate Access > Server Certificates.

    2. Select the certificate created in Step 1 and click Export.

    3. Select your certificate name from the Certificates drop-down.

    4. Ensure that the option Export private key is checked.

    5. Enter a password and click Next.

    6. Click Save the exported certificate, and save the exported pfx certificate.

  3. Import the pfx certificate exported in Step 2 into the Java keystore.

    1. Use the keytool utility that ships with Java. You must use JDK 6 or later.

    2. Enter the following command at a command prompt:

      keytool -importkeystore -srckeystore <pfx certificate> -srcstoretype PKCS12 -destkeystore <Keystore Name>

      For example:

      keytool -importkeystore -srckeystore cert.pfx -srcstoretype PKCS12 -destkeystore msgw.jks

    3. Enter the password when prompted to do so.

  4. Modify the Managed System Gateway Driver configuration to use the keystore using iManager.

    1. From Identity Manager Overview, click the driverset containing the Managed System Gateway Driver.

    2. Click on the driver state icon and select Edit properties > Driver configuration.

    3. Set Show Connection Parameters to true and set the Driver configuration mode to remote.

    4. Enter the complete path of the keystore file and the password.

    5. Save and restart the driver.

  5. Modify the Data Collection Service Driver configuration to use the keystore using iManager.

    1. From Identity Manager Overview, click the driverset containing the Managed System Gateway Driver.

    2. Click on the driver state icon and select Edit properties > Driver configuration.

    3. Under the Managed System Gateway Registration header, set Managed System Gateway Driver Configuration Mode to remote.

    4. Enter the complete path of the keystore, the password, and the alias entered in Step 1.c.

    5. Save and restart the driver.

Troubleshooting the Drivers

If you have problems with one or more of the drivers that are difficult to understand, see Section 14.0, Troubleshooting the Drivers.

2.4.7 Recommended Auditing Flags for the Drivers

This section outlines the recommended auditing settings for the Managed System Gateway Driver and the Data Collection Service Driver.

Recommended Identity Manager Auditing Flags

The following Identity Manager auditing flags should be enabled for the drivers:

Table 2-3 Identity Manager Auditing Flags

Category / Recommended Flags

Metadirectory Engine Events

  • Metadirectory Engine Warnings

Status Events

  • Success

    NOTE: The Correlated Resource Assignment Events per User report requires the Success flag. If you want to be able to run this report or customized versions of it, then you need to enable the Success flag.

  • Error

  • Fatal

Operation Events

  • Modify

  • Add Association

  • Check Password

  • Add Value

  • Add

  • Rename

  • Remove Association

  • Check Object Password

  • Clear Attribute

  • Remove Value

  • Get Named Password

  • Remove

  • Move

  • Change Password

  • Add Value (on modify)

  • Reset Attributes

Transformation Events

  • Password Reset

  • User Agent Request

  • Password Sync

Credential Provisioning Events

  • Set SSO Credentials

  • Clear SSO Credentials

  • Set SSO Passphrase

These flags are for Novell Auditing (not XDAS) and are set under Driver Set Properties > Log Level > Log specific events in iManager, as shown below:

Figure 2-1 Events Selected in iManager

Recommended eDirectory Auditing Flags

The following eDirectory auditing flags should be enabled for the drivers:

Table 2-4 eDirectory Auditing Flags

Category / Recommended Flags

Global

  • Do Not Send Replicated Events

Meta

  • (Select all flags)

Objects

  • Add Property

  • Allow Login

  • Change Password

  • Change Security Equals

  • Create

  • Delete

  • Delete Property

  • Login

  • Logout

  • Modify RDN

  • Move (Source)

  • Move (Destination)

  • Remove

  • Rename

  • Restore

  • Search

  • Verify Password

Attributes

  • (Select all flags)

Agent

  • DS Reloaded

  • Local Agent Opened

  • Local Agent Closed

  • NLM Loaded

Miscellaneous

  • Generate CA Keys

  • Recertified Public Key

LDAP

  • LDAP Bind

  • LDAP Bind Response

  • LDAP Modify

  • LDAP Modify Response

  • LDAP Password Modify

  • LDAP Unbind

  • LDAP Delete

  • LDAP Delete Response

  • LDAP Modify DN

  • LDAP Modify DN Response

  • LDAP Search

  • LDAP Search Response

  • LDAP Add

  • LDAP Add Response

These flags need to be set under the eDirectory Auditing > Audit Configuration > Novell Auditing plug-in in iManager.