40.1 Configuring Drivers for Identity Reporting

This section helps you install and configure the Managed System Gateway and Data Collection Service drivers for Identity Reporting.

NOTE: This section assumes that you have already installed and configured the User Application and Roles and Resources drivers for RBPM. For more information, see Section 33.0, Creating and Deploying the Drivers for the Identity Applications.

40.1.1 Installing the Driver Packages for Identity Reporting

Before you attempt to configure the drivers, you must have all of the necessary packages for the drivers in the Package Catalog. When you create a new Identity Manager project in Designer, the user interface automatically prompts you to import several packages into the new project. You do not need to import the packages during installation but you must install them at some point for Identity Reporting to function appropriately.

  1. Open your project in Designer.

  2. Select Package Catalog > Import Package.

  3. In the Select Package dialog box, click Select All, and then click OK.

    Designer adds several new package folders under the Package Catalog. These package folders correspond to the objects in the palette on the right side of the Modeler view in Designer.

  4. Click Save.

40.1.2 Configuring the Managed System Gateway Driver

  1. Open your project in Designer.

  2. In the palette of the Modeler view, select Service > Managed System Gateway.

  3. Drag the icon for Managed System Gateway onto the Modeler view.

  4. In the Driver Configuration Wizard, select Managed System Gateway Base, and then click Next.

  5. In the Select Mandatory Features window, select the mandatory features, and then click Next.

  6. (Conditional) If the application prompts you for an additional package called Advanced Java Class, select the package and then click OK.

  7. (Optional) Specify the name that you want to use for the driver.

  8. Click Next.

  9. For Connection Parameters, specify the values that Identity Reporting uses to request data from the driver.

    When you specify more than one IP address, you continue to use the same port number to listen on all the interfaces. For example, if you specify 164.99.88.30,127.0.0.1 for the address and 9000 for the port, then the driver uses the following settings:

    164.99.88.30:9000
    127.0.0.1:9000

  10. (Optional) To enable end-point tracing, select true and then specify a location for the trace file.

  11. Click Next.

  12. (Optional) To connect the driver to a remote loader, complete the following steps:

    1. In the Remote Loader window, select yes.

    2. Specify the settings for the remote loader that you want to use.

  13. Click Next.

  14. Review the information in the Confirm Installation Tasks window, and then click Finish.

  15. (Optional) To configure additional settings for the driver, complete the following steps in the Modeler view:

    1. Right-click the line connecting the Managed System Gateway Driver to the driver set, and then click Properties.

    2. In the Properties dialog box, select Driver Configuration > Startup Option.

    3. Select Manual for the startup option, and then click Apply.

    4. Select the Driver Parameters tab.

    5. (Optional) In the Driver Options tab, modify the settings for the driver, connections, and end-point tracing.

      You might need to select show under Connection Parameters and Driver Parameters to display the settings.

    6. (Optional) To have the driver send periodic status messages on the Publisher channel, click the Publisher Options tab, and then specify a value in minutes for Publisher heartbeat interval.

      If no traffic occurs on the Publisher channel within the specified interval, the driver sends a new heartbeat.

    7. Click Apply.

  16. (Optional) To specify global configuration values for the server, complete the following steps:

    1. In the navigation pane, select GCVs.

    2. Specify global configuration values, such as the following:

      Query Managed Systems across driversets

      Defines the scope of operation for the Managed System Gateway Driver. If set to true, the driver returns information about managed systems across driversets. Otherwise, the scope is restricted to the local driverset.

      Add end-point request data to queries

      Specifies whether end-point request data should be added to the queries sent by the driver. The data is added as an operation-data node.

      End-point request data node name

      Specifies the name of the node that is added to the operation-data of the queries. The node attributes contain the details about the request.

    3. Click Apply.

  17. (Optional) To review the packages that have been installed, click Packages in the navigation pane.

    You do not need to change the Operation settings unless you want to uninstall a particular package.

  18. Click OK.

  19. Enable the Subscriber channel for Identity Reporting to function correctly.

40.1.3 Configuring the Driver for Data Collection Service

  1. Open your project in Designer.

  2. In the palette of the Modeler view, select Service > Data Collection Service.

  3. Drag the icon for Data Collection Service onto the Modeler view.

  4. In the Driver Configuration Wizard, select Data Collection Service Base, and then click Next.

  5. In the Select Mandatory Features window, select the mandatory features, and then click Next.

  6. Select the optional features that you want to apply, and then click Next.

  7. (Conditional) If the application prompts you for an additional package called LDAP Library, complete the following steps:

    1. Select the package, and then click OK.

    2. (Optional) To configure a global connection profile for all drivers, on the Install LDAP Library page, select Yes.

  8. Click Next.

  9. (Optional) Specify the name that you want to use for the driver.

  10. Click Next.

  11. For Connection Parameters, specify the values that Identity Reporting uses to request data from the driver.

    For example, specify the user and password of the Reporting Administrator for authentication.

    When you specify more than one IP address, you continue to use the same port number to listen on all the interfaces. For example, if you specify 164.99.88.30,127.0.0.1 for the address and 9000 for the port, then the driver uses the following settings:

    164.99.88.30:9000
    127.0.0.1:9000

  12. Click Next.

  13. For Identity Vault Registration, specify the settings for the Identity Vault.

    You must specify an IP address. Do not specify an address of localhost for the Identity Vault Registration.

  14. (Optional) To register the Managed System Gateway driver, complete the following steps:

    1. For Managed System Gateway Registration, click yes.

    2. Specify the DN for the driver, as well as the user and password for the LDAP administrator.

      NOTE: Because the driver has not yet been deployed, the browse function does not show the Managed System Gateway driver you just configured, so you might need to type the DN for the driver.

  15. Click Next.

  16. (Optional) To connect the driver to a remote loader, complete the following steps:

    1. In the Remote Loader window, select yes.

    2. Specify the settings for the remote loader that you want to use.

  17. Click Next.

  18. For Scoping Configuration, specify the role for the Data Collection Service driver.

  19. Review the information in the Confirm Installation Tasks window, and then click Finish.

  20. (Optional) To configure additional settings for the driver, complete the following steps in the Modeler view:

    1. Right-click the line connecting the Data Collection Service driver to the driver set, and then click Properties.

    2. In the Properties dialog box, select Driver Configuration > Startup Option.

    3. Select Manual for the startup option, and then click Apply.

    4. Select the Driver Parameters tab.

      In environments where the driver receives large numbers of events, NetIQ recommends setting the number of batches per file to no more than 5. If you set this parameter to a value greater than 5, the driver cannot process events efficiently.

    5. (Optional) In the Driver Options tab, modify the settings for the driver, connections, and registration.

      In a test environment, you might want to use low numbers to be sure your events are processed correctly. However, in a production environment, you probably want to use higher numbers so that the system does not process events unnecessarily.

      IP Address

      Specifies the IP address of the server that hosts Identity Reporting.

      Port

      Specifies the port number that Identity Reporting uses for REST connections.

      Protocol

      Specifies the protocol for accessing Identity Reporting. If you select HTTPS, you must also indicate whether you want to trust the server’s certificate.

      Name

      Specifies the name that you want to use to refer to your Identity Vault within Identity Reporting.

      Description

      Specifies a short description of the Identity Vault.

      Address

      Specifies the IP address of the Identity Vault. For example, 164.99.130.127.

      NOTE: You must specify an IP address. Do not specify an address of localhost for the Identity Vault Registration.

      Register Managed System Gateway

      Specifies whether you want to register the Managed System Gateway Driver.

      Managed System Gateway Driver DN (LDAP)

      Specifies the DN of the Managed System Gateway Driver in slash format.

      Managed System Gateway Driver Configuration Mode

      Specifies whether the driver is configured locally or is remote.

      User DN (LDAP)

      Specifies the LDAP DN of the user that the driver should use to authenticate to the Managed System Gateway Driver. This DN must exist in the Identity Vault.

      Password

      Specifies the password for the user.

      Time interval between submitting events

      The maximum amount of time, in minutes, that an event can remain in the persistence layer before being submitted to the DCS (and to the database for Identity Reporting).

    6. (Conditional) To collect data from the identity applications, specify the values for SSO Service Support. For more information, see Section 40.1.4, Configuring Identity Reporting to Collect Data from the Identity Applications.

    7. Click Apply.

  21. To configure DNs, complete the following steps:

    1. In the navigation menu, select Engine Control Values.

    2. For the Qualified form for DN-syntax attribute values setting, select True.

    3. Click Apply.

  22. (Optional) To specify global configuration values for the server, complete the following steps:

    1. In the navigation pane, select GCVs.

    2. For Show override options, select Show.

    3. Modify the settings to override the global configuration values.

    4. Click Apply.

  23. Click OK.

40.1.4 Configuring Identity Reporting to Collect Data from the Identity Applications

For Identity Reporting to collect data from the identity applications, you must configure the DCS driver to support the single sign-on process.

  1. Open your project in Designer.

  2. In the Outline view, right-click the Data Collection Service driver, then click Properties.

  3. Click Driver Configuration > Driver Parameters.

  4. Click Show connection parameters > show.

  5. Click SSO Service Support > Yes.

  6. Specify the parameters for single sign-on functionality:

    SSO Service Address

    Required

    Specifies the relative URL of the authentication server that issues tokens to OSP. For example, 10.10.10.48.

    This value must match the value that you specified in the RBPM configuration utility for OSP server host identifier. For more information, see Section 35.3.1, Authentication Server.

    SSO Service Port

    Required

    Specifies the port for the authentication server. The default value is 8180.

    This value must match the value that you specified in the RBPM configuration utility for OSP server TCP port. For more information, see Section 35.3.1, Authentication Server.

    SSO Service Client ID

    Required

    Specifies the name that you want to use to identify the single sign-on client for the DCS driver to the authentication server. The default value is dcsdrv.

    This value must match the value that you specified in the RBPM configuration utility for OSP client ID. For more information, see Section 35.4.4, Reporting.

    SSO Service Client Secret

    Required

    Specifies the password for the single sign-on client for the DCS driver.

    This value must match the value that you specified in the RBPM configuration utility for OSP client secret. For more information, see Section 35.4.4, Reporting.

    Protocol

    Specifies whether the service client uses the http (non-secure) or https (secure) protocol when communicating with the authentication server.

  7. Click Apply, then click OK.

  8. (Conditional) If you changed these settings after deploying the driver, you must deploy and restart the driver. For more information, see Section 40.2, Deploying and Starting Drivers for Identity Reporting.

  9. Repeat this procedure for each DCS driver in your environment.
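The rules scattered across Section 40.1.3 and Section 40.1.4 (one port shared by every listener address, a literal non-localhost IP for Identity Vault Registration, no more than 5 batches per file, and SSO Service Support values that must equal the OSP values from the RBPM configuration utility) can be checked before you deploy a driver. The following script is an added example, not NetIQ or Designer code: it never contacts Designer, the Identity Vault or OSP, it only validates values you intend to enter. The dictionary keys (such as "Listener addresses" and "Batches per file") are this example's own labels, not the driver's parameter names, and the sample values are constructed.

```python
"""Offline sanity checks for Identity Reporting driver settings (added example)."""
import ipaddress
from typing import Dict, List, Tuple


def expand_listeners(addresses: str, port: int) -> List[str]:
    """Expand "164.99.88.30,127.0.0.1" plus port 9000 into the per-interface
    listeners the Connection Parameters step describes. Every entry must be a
    literal IP address; the single port is reused on all of them."""
    if not 1 <= port <= 65535:
        raise ValueError("port %d is outside 1-65535" % port)
    listeners = []
    for raw in addresses.split(","):
        addr = raw.strip()
        if not addr:
            continue  # tolerate a trailing comma or doubled separator
        ipaddress.ip_address(addr)  # raises ValueError for hostnames or typos
        listeners.append("%s:%d" % (addr, port))
    if not listeners:
        raise ValueError("no listener address given")
    return listeners


def is_valid_listener_spec(addresses: str, port: int) -> bool:
    """True when expand_listeners() accepts the address list and port."""
    try:
        expand_listeners(addresses, port)
        return True
    except ValueError:
        return False


def check_vault_address(address: str) -> List[str]:
    """Identity Vault Registration needs a literal IP address and rejects
    localhost; loopback addresses are flagged because they are localhost
    under another spelling."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return ["Identity Vault address %r is not an IP address" % address]
    if ip.is_loopback:
        return ["Identity Vault address %s is a loopback address" % address]
    return []


def check_batches_per_file(batches: int) -> List[str]:
    """The Driver Parameters tab guidance: no more than 5 batches per file."""
    if batches < 1:
        return ["batches per file must be at least 1"]
    if batches > 5:
        return ["batches per file is %d; at most 5 is recommended" % batches]
    return []


# DCS "SSO Service Support" parameter paired with the OSP value it must equal
# (the RBPM configuration utility names used in Section 40.1.4).
SSO_PAIRS: List[Tuple[str, str]] = [
    ("SSO Service Address", "OSP server host identifier"),
    ("SSO Service Port", "OSP server TCP port"),
    ("SSO Service Client ID", "OSP client ID"),
    ("SSO Service Client Secret", "OSP client secret"),
]


def check_sso(dcs: Dict[str, str], osp: Dict[str, str]) -> List[str]:
    """Compare the DCS SSO settings with the OSP side without echoing values,
    and flag http, since the client secret travels over that channel."""
    problems = []
    for dcs_key, osp_key in SSO_PAIRS:
        if str(dcs.get(dcs_key, "")) != str(osp.get(osp_key, "")):
            problems.append("%s does not match %s" % (dcs_key, osp_key))
    if str(dcs.get("Protocol", "")).lower() != "https":
        problems.append("Protocol is not https; the client secret would be sent in clear text")
    return problems


def validate_dcs_settings(settings: dict, osp: Dict[str, str]) -> List[str]:
    """Run every check on one DCS driver settings set; empty list means clean."""
    problems: List[str] = []
    try:
        expand_listeners(str(settings["Listener addresses"]), int(settings["Listener port"]))
    except ValueError as exc:
        problems.append("Connection Parameters: %s" % exc)
    problems += check_vault_address(str(settings["Identity Vault address"]))
    problems += check_batches_per_file(int(settings["Batches per file"]))
    problems += check_sso(settings["SSO"], osp)
    return problems


# Constructed sample values (not from a real deployment); the secret is a placeholder.
OSP_VALUES = {
    "OSP server host identifier": "10.10.10.48",
    "OSP server TCP port": "8180",
    "OSP client ID": "dcsdrv",
    "OSP client secret": "placeholder-secret",
}
DCS_SETTINGS = {
    "Listener addresses": "164.99.88.30,127.0.0.1",
    "Listener port": 9000,
    "Identity Vault address": "164.99.130.127",
    "Batches per file": 5,
    "SSO": {
        "SSO Service Address": "10.10.10.48",
        "SSO Service Port": "8180",
        "SSO Service Client ID": "dcsdrv",
        "SSO Service Client Secret": "placeholder-secret",
        "Protocol": "https",
    },
}

if __name__ == "__main__":
    findings = validate_dcs_settings(DCS_SETTINGS, OSP_VALUES)
    print("\n".join(findings) if findings else "no problems found")
```

Run it once per DCS driver with that driver's intended values; a non-empty result lists exactly which step in this section to revisit. The secret comparison deliberately reports only that the values differ, so the script can be run and its output shared without exposing the OSP client secret.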