
Installation Guide

Lieberman RED Identity Manager

5.5.2.1
Copyright 2003-2017 Lieberman Software Corporation.
All rights reserved.
The software contains proprietary information of Lieberman Software Corporation; it is provided
under a license agreement containing restrictions on use and disclosure and is also protected by
copyright law. Reverse engineering of the software is prohibited.
Due to continued product development this information may change without notice. The
information and intellectual property contained herein is confidential between Lieberman Software
and the client and remains the exclusive property of Lieberman Software. If there are any
problems in the documentation, please report them to Lieberman Software in writing. Lieberman
Software does not warrant that this document is error-free.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any
form or by any means, electronic, mechanical, photocopying, recording or otherwise without the
prior written permission of Lieberman Software.
Microsoft, Windows, Word, Office, SQL Server, SQL Express, Access, MSDE, and MS-DOS are either
registered trademarks or trademarks of Microsoft Corporation in the United States and/or other
countries. Other brands and product names are trademarks of their respective owners.

Lieberman Software Corporation


1875 Century Park East, Suite 1200
Los Angeles, CA 90067
(310) 550-8575
Support: https://liebsoft.zendesk.com
Website: http://www.liebsoft.com

Contents
CHAPTER 1 INTRODUCTION ...................................................................................................1
1.1 Performance Notes ..................................................................................................................2
1.2 Background and Goals ..............................................................................................................2
1.3 Limited Warranty .....................................................................................................................4
1.4 License Agreement ...................................................................................................................4
CHAPTER 2 START HERE: INSTALLATION AND UPGRADE ROADMAP ........................................7
2.1 Installation Roadmap ...............................................................................................................7
2.2 Upgrade Roadmap....................................................................................................................9
CHAPTER 3 INSTALLING LIEBERMAN RED IDENTITY MANAGER PREREQUISITES ..................... 13
3.1 Understanding Prerequisites ..................................................................................................14
3.1.1 Recommended Knowledge ............................................................................................14
3.1.2 Product Requirements Overview ...................................................................................14
3.1.3 Console Host System Requirements ..............................................................................16
3.1.4 Web Service Host Requirements ....................................................................................19
3.1.5 Web Application Host Requirements .............................................................................20
3.1.6 Solution Database Requirements ...................................................................................21
3.1.7 Service Account Requirements ......................................................................................24
3.1.8 Port Requirements .........................................................................................................27
3.1.9 Managed Computer and Devices Requirements ...........................................................30
3.1.10 Managed Database Requirements .............................................................................32
3.2 Installing and Configuring IIS ..................................................................................................35
3.2.1 Installing IIS Components for Target Management Only ...............................................35
3.2.2 Installing Support for Web Service Hosting....................................................................38
3.2.3 Installing IIS for Web Hosting .........................................................................................42
3.2.4 Configuring SSL on IIS .....................................................................................................48
3.2.4.1 SSL with IIS - With an Existing Cert .......................................................................................... 48
3.2.4.2 SSL with IIS - No Existing Cert .................................................................................................. 52
3.3 Enabling Remote COM+ Access..............................................................................................63
3.3.1 Windows 2008 & Later Remote COM+ Access...............................................................63
3.3.2 Windows Firewall & COM+ Network Access ..................................................................66
3.4 Installing Database Providers (Connectors) ...........................................................................68
3.4.1 Installing the Microsoft SQL Server Provider .................................................................68
3.4.2 Installing the Oracle Provider .........................................................................................69
3.4.3 Installing the Sybase ASE Provider .................................................................................77
3.4.4 Installing the MySQL & MariaDB Provider .....................................................................88
3.4.5 Installing the IBM DB2 Provider .....................................................................................94

3.4.6 Installing the PostgreSQL Provider ...............................................................................103


3.4.7 Installing the Teradata Provider ...................................................................................105
CHAPTER 4 INSTALLING LIEBERMAN RED IDENTITY MANAGER ........................................... 119
4.1 Management Console ..........................................................................................................120
4.2 Mini-Setup Wizard................................................................................................................126
4.3 Registration ..........................................................................................................................135
4.4 Web Application ...................................................................................................................136
4.4.1 Web Application Configuration Options ......................................................................142
4.4.1.1 App Options ...........................................................................................................................142
4.4.1.2 Password Access ....................................................................................................................147
4.4.1.3 Direct Links ............................................................................................................................150
4.4.1.4 File Store Settings ..................................................................................................................150
4.4.1.5 Account Elevation ..................................................................................................................152
4.4.1.6 Security ..................................................................................................................................153
4.4.1.7 Multi-Factor Authentication ..................................................................................................156
4.4.1.8 User/Session Management ...................................................................................................157
4.4.1.9 Remote Sessions ....................................................................................................................158
4.4.1.10 Console Display .................................................................................................................160
4.4.1.11 User Dashboards - Legacy Website ...................................................................................161
4.5 Web Service ..........................................................................................................................162
CHAPTER 5 UPGRADING LIEBERMAN RED IDENTITY MANAGER .......................................... 171
5.1 Preparing for the Upgrade ...................................................................................................172
5.2 Upgrading the Management Console ..................................................................................178
5.3 Upgrading the Web Application ...........................................................................................186
5.4 Upgrading the Web Service ..................................................................................................193
5.5 Upgrading Scheduling Services.............................................................................................202
5.6 Upgrading PowerShell ..........................................................................................................205
5.7 Upgrading Application Launcher and Session Recording .....................................................206
CHAPTER 6 POST INSTALLATION OR UPGRADE STEPS ......................................................... 207
6.1 File Store ...............................................................................................................................207
6.2 SSL.........................................................................................................................................209
6.3 User Certificates ...................................................................................................................209
6.4 URL Redirects .......................................................................................................................210
6.5 Windows Integrated Authentication ....................................................................................212
CHAPTER 7 ADDENDA........................................................................................................ 215
7.1 Data Store Configuration Options ........................................................................................217
7.2 Connecting to Microsoft SQL HA and Cloud Database Configurations ................................223
7.2.1 Mirrored Databases......................................................................................................223
7.2.2 SQL AlwaysOn ...............................................................................................................226

7.2.3 Azure SQL .....................................................................................................................230


7.3 Encryption Options ...............................................................................................................234
7.3.1 Thales/nCipher HSM.....................................................................................................239
7.3.2 Safenet/Gemalto - KeySecure ......................................................................................243
7.3.3 UTIMACO HSM .............................................................................................................247
7.4 Email Settings .......................................................................................................................251
7.4.1 SMTP Settings: General ................................................................................................252
7.4.2 SMTP Settings: Outgoing Server ...................................................................................254
7.4.3 SMTP Settings: S/MIME ................................................................................................257
7.4.4 SMTP Settings: OAUTH2 Authentication ......................................................................260
7.4.5 SMTP Settings: Firewall Configuration .........................................................................262
7.4.6 SMTP Settings: SMTP Logging ......................................................................................264
7.5 Oracle as a Datastore ...........................................................................................................265
CHAPTER 8 INDEX .............................................................................................................. 267

Chapter 1 Introduction
Lieberman RED Identity Manager is a solution designed to establish a base of knowledge regarding
the systems and devices in your network and the accounts on those systems and devices, and to
enable ongoing password or SSH key rotation for those accounts. Once the credentials are
managed and/or securely stored in Lieberman RED Identity Manager, they may be securely
retrieved by users or processes in a variety of ways, such as interactively through a web site or
programmatically via a REST or SOAP based web service. Once implemented, Lieberman RED
Identity Manager enhances the effectiveness of end user focused IAM/IDM solutions by securing
the credentials they use to perform their work. Lieberman RED Identity Manager is also designed
to take part in workflow, orchestration, and, most importantly, incident response.
By placing Lieberman RED Identity Manager at the center of your incident response process, you
will not only achieve security for privileged identities, you will also be able to respond automatically
to security breaches that leverage or attack those credentials. Consider an edge protection device
that detects improper use of administrative or sensitive credentials. Such a product can trigger
Lieberman RED Identity Manager to rotate those credentials automatically, changing the attack
surface simply by having that device/service trigger a password or key rotation. Consider a
Kerberos golden ticket attack. Lieberman RED Identity Manager can reset the Kerberos system for
the entire forest and thus dislodge an embedded attacker leveraging that attack vector, taking
back control of your network.
This chapter includes an overview of Lieberman RED Identity Manager, what problems it is designed
to solve, performance information, and other legal information.

IN THIS CHAPTER

Performance Notes ................................................................................... 2


Background and Goals ............................................................................... 2
Limited Warranty ...................................................................................... 4
License Agreement .................................................................................... 4

1.1 PERFORMANCE NOTES


Lieberman RED Identity Manager is multi-threaded and supports automatic retry for failed systems
in an operation. At the default settings of 100 threads (100 simultaneous connections) on a
well-connected network (100Mbps) where all systems are accessible, password change
performance is typically 400-500 machines per minute for a simple password change (not including
propagation steps). This is not a guarantee of service because off-line systems, high-latency,
low-bandwidth, and unhealthy systems can affect performance. That said, a single Lieberman RED
Identity Manager node, hosted on Windows Server 2012 R2 or later, can easily scale to 1,000 to
2,000 nodes per minute just by changing one setting in ERPM to boost the maximum thread count.
It is highly recommended to run this product on Windows Server 2012 R2 for best performance.
With the introduction of SMB 3.0, Windows management and threading performance was
significantly enhanced with most customers able to spawn 250-300 threads or more simultaneously
rather than only 100 threads. Windows 2008 R2 will likely encounter thread loss and thread
abandonment past 200 threads when managing other Windows systems due to limitations in the
SMB 2.0 stack.
You can tune threading options up or down by changing the maximum number of threads that will
be dispatched from the Program Options dialog under Settings | Program Options. Variances in
customer environments and provided hardware may permit more simultaneous threads or may
require a reduced number of threads.
All scheduled operations and job retries are handled in the background by a deferred processor
service. The effect on network traffic during an operation using the default settings is about 2% of
available bandwidth. (In Windows environments this is equivalent to WINS type traffic.) Typically,
target machine impact (CPU, memory, hard disk, network) will not be noticed, but it will vary based
on the type of operation performed (for example, changing an account password versus changing a
password and restarting a service).

1.2 BACKGROUND AND GOALS


The Need for Strong Local Credentials
Organizations with a need for even the most basic access security should use unique local logon
credentials customized for each workstation and server in their environment. Unfortunately, most
organizations use common credentials (the same user name and password for the built-in
administrator account) on every system for the ease of creating and managing those systems by the
IT department, without any concern as to the consequences to the organization should these
common credentials be compromised.
With the mandates of PCI-DSS, Sarbanes-Oxley, HIPAA, Gramm-Leach-Bliley, California Security
Breach Information Acts, NASD 3010, SEC 17a-4, 21 CFR Part 11, DoD 5015.2 and others, the
implementation of reasonably hard to compromise local logon credentials is mandatory for most
organizations as a means for protecting not only the confidentiality of their data, but also to protect
against tampering.

Creating Strong Local Credentials


Lieberman RED Identity Manager can change any common account on all workstations and servers
in just a few minutes without the need for scripts or any other type of program. The new common
credentials can be stored in a local or remote SQL Server database and can be recovered on demand
using the web client.
ERPM can be configured to regularly change the passwords of common accounts on all target
systems (e.g. the workstation built-in administrator account) according to a schedule, so that each
account regularly receives a fresh, cryptographically strong password. This product feature protects
the overall security of an organization so that the compromise of a single machine's local
administrator password does not lead to the total compromise of the entire organization's security.
Lieberman RED Identity Manager further builds on these concepts by automatically discovering all
references to the specified account, such as services, tasks, COM and DCOM objects, and more, and
following a password change for a user's account, whether domain or local, propagating the new
password to all those references.

Delegated Password Recovery


Lieberman RED Identity Manager also contains a web client to allow the remote recovery of
passwords, access to privileged sessions, and more. The web client is a web application consisting of
ASP and ASP.NET web pages that grants any user with the appropriate group memberships the right
to use the application, as well as the right to recover passwords for accounts managed by the
program. All access to the ERPM web client and all actions taken therein are logged, and the history
is also available via the same web interface to authorized users.
Because this application protects and provides extremely sensitive information, it is essential that
particular attention be paid to the security settings of the application and that appropriate
encryption such as SSL is used, based on the scope of access provided.
For more information on security hardening, please refer to the proposed options for server
hardening: https://liebsoft.zendesk.com/hc/en-us/articles/236120887-Server-Hardening-Guide

1.3 LIMITED WARRANTY


The media (optional) and manual that make up this software are warranted by Lieberman Software
Corporation to be free of defects in materials and workmanship for a period of 30 days from the
date of your purchase. If you notify us within the warranty period of such defects in material and
workmanship, we will replace the defective manual or media (if either were supplied).
The sole remedy for breach of this warranty is limited to replacement of defective materials and/or
refund of purchase price and does not include any other kinds of damages.
Apart from the foregoing limited warranty, the software programs are provided "AS-IS," without
warranty of any kind, either expressed or implied. The entire risk as to the performance of the
programs is with the purchaser. Lieberman Software does not warrant that the operation will be
uninterrupted or error-free. Lieberman Software assumes no responsibility or liability of any kind
for errors in the programs or documentation, or for consequences of any such errors.
This agreement is governed by the laws of the State of California.
Should you have any questions concerning this Agreement, or if you wish to contact Lieberman
Software, please write:
Lieberman Software Corporation
1875 Century Park East, Suite 1200
Los Angeles, CA 90067
You can also keep up to date on the latest upgrades via our website at http://www.liebsoft.com or
e-mail us at: sales@liebsoft.com.

1.4 LICENSE AGREEMENT


This is a legal and binding contract between you, the end user, and Lieberman Software
Corporation. By using this software, you agree to be bound by the terms of this agreement. If you
do not agree to the terms of this agreement, you should return the software and documentation, as
well as all accompanying items promptly for a refund.
1. Your Rights: Lieberman Software Corporation hereby grants you the right to use a single copy of
Enterprise Random Password Manager to control the licensed number of systems and/or devices.
2. Copyright: The SOFTWARE is owned by Lieberman Software Corporation and is protected by
United States copyright law and international treaty provisions. Therefore, you must treat the
software like any other copyrighted material (e.g. a book or musical recording) except that you may
either (a) make one copy of the SOFTWARE solely for backup and archival purposes, or (b) transfer
the SOFTWARE to a single hard disk provided you keep the original solely for backup and archival
purposes. The manual is a copyrighted work. Also, you may not make copies of the manual for any
purpose other than the use of the software.
3. Other Restrictions: You may not rent or lease the SOFTWARE. You may not reverse engineer,
de-compile, or disassemble the SOFTWARE that is provided solely as executable programs (EXE
files). If the SOFTWARE is an update, any transfer must include the update and all prior versions.
When used lawfully, this software periodically transmits to us the serial number and network
identification information of the machine running the software. No personally identifiable
information or usage details are transmitted to us in this case. The program does not contain any
spyware or remote control functionality that may be activated remotely by us or any other third
party.

Lieberman Software Corporation


1875 Century Park East, Suite 1200
Los Angeles, CA 90067
310.550.8575
Internet E-Mail: support@liebsoft.com
Website: http://www.liebsoft.com

Chapter 2 Start Here: Installation and Upgrade Roadmap
This chapter outlines what is required to install or upgrade Lieberman RED Identity Manager.

IN THIS CHAPTER

Installation Roadmap ................................................................................ 7


Upgrade Roadmap..................................................................................... 9

2.1 INSTALLATION ROADMAP


The following roadmap outlines the steps to follow to install Lieberman RED Identity Manager.
1) Understand the product requirements prior to installation.
a. Check the release notes for important information on this release of the product.
b. Ensure you are prepared for the installation by reading Understanding Prerequisites (on
page 14).
2) Install the Lieberman RED Identity Manager prerequisites.
For details, see Installing Lieberman RED Identity Manager Prerequisites (on page 13).
3) Install the base Lieberman RED Identity Manager program.
This step will install the management console. See Management Console (on page 120) for details.
4) Configure and register Lieberman RED Identity Manager.
a. Complete the mini-setup wizard.
The first time Lieberman RED Identity Manager is run, a mini-setup wizard will run through a
series of pages that handle the configuration of the various components of the product such as
database connections and encryption settings. Don't worry if you do not yet have all
information required at this point, as all configurations may be performed or changed post
installation as well. See Mini-Setup Wizard (on page 126) for details.
b. Register Lieberman RED Identity Manager.
Completing the "Registration" dialog enables switching from demo mode to extended demo
mode or switching from demo mode to commercial mode. See Registration (on page 135) for
details.
c. Optional - Configure permissions to launch the management console.
Following installation, any user who is an administrator of the system where the management
console is installed and also has access to the program datastore will have the ability to launch
the application. Configuring these permissions allows you to enable MFA requirements for
launching the console as well as define what aspects of the management console are available
to users of the console. See the admin guide for more details.
d. Optional - Configure database settings.
If reconfiguration of database settings is required, such as provider, connection limits, or
connection strings for HA configurations, see Data Store Configuration Options (on page 217) for
more details.
e. Optional - Configure encryption settings.
Passwords managed and/or stored by Lieberman RED Identity Manager are encrypted and then
stored in the secure datastore. The use of HSM or software based encryption is supported at all
times and may be changed at any point in time. See Encryption Options (on page 234) for more
details.
5) Install the web application.
The web application is used by consumers and auditors. Consumers will retrieve secured
passwords or establish sessions through a delegated and audited process. Auditors will be able
to generate reports and audit settings. See the installation section for the Web Application (on
page 136) for more details.
6) Install the web service.
The web service provides API based functionality via a SOAP or REST based URI and is required
by the web application, PowerShell, federated (SAML/OAUTH) logins, and application launcher
(optional module) modules. The web service is deployed from a separate installer or can be
pushed from the management console with version 5.5.2.1 of the product or later. See the
installation section for the Web Service (on page 162) for more details.
7) Optional - Install one or more zone processors.
A zone processor is a remotely deployed scheduling service designated to perform specific jobs
against a specific list (management set) of systems and devices. Conversely, the default deferred
processor is installed with the management console and will handle any configured jobs against
any and all lists of systems. Zone processors are typically used in DMZs or distributed networks
where normal communication may not be allowed. Zone processors are also used to improve
the job processing throughput of the entire solution. Zone processors may also require
secondary installations of integration components and the cross platform support library. See
Installing and Configuring Zone Processors in the admin guide for more details.
8) Optional - Install the PowerShell cmdlets.
PowerShell cmdlets extend the management of Lieberman RED Identity Manager to a command
line/scripting environment. See Installing the PowerShell Cmdlets in the admin guide for more
details.
9) Install the application launching and session recording components.
Application launching allows users to enter a privileged session without gaining access to the
underlying credentials (password, key, etc.) via a secured host where session recording may also
be enabled for the session. See the Installing the Application Launcher and Session Recording guide
for more details.
10) Optional - Install the Syslog Forwarder Service.
This service listens for Syslog UDP traffic and retransmits it using SSL and/or TCP on the same or a
different port for greater security and reliability when forwarding events to loggers and SIEM
products. See Using the Syslog Forwarder in the admin guide for more details.

2.2 UPGRADE ROADMAP


The following roadmap outlines the steps to follow to install Lieberman RED Identity Manager.
12) Backup the solution's datastore and encryption key.
If there are any difficulties during or post upgrade and a rollback is required, the upgraded
database may prevent previous functionality from working. The database and encryption key (or
related settings) are required for DR purposes.
13) Understand the product requirements prior to installation.
a. Check the release notes for important information on this release of the product.
b. Ensure you are prepared for the installation by Understanding the Prerequisites.
14) Stop the existing Deferred Processing Service.
Use the management console or Windows Services snap-in to stop the existing deferred
processing service. If using the services snap-in, the Deferred Processing Service was called
10 Start Here: Installation and Upgrade Roadmap

"Enterprise Random Password Manager Deferred Processing Service" in product versions


5.5.2 and earlier.
15) Stop any and remove existing zone processors.
If upgrading from version 5.5.0 or later, it is sufficient to re-copy and replace the updated zone
processor files and upgrade the Integration Components and Cross Platform Support Library. Be
sure to take notes on the current configuration.

If upgrading from version 5.4.0 or earlier, zone processors should be removed first, then
re-installed due to file and registration differences. Failure to do so will render the zone
processors inoperable. Be sure to take notes on the current configuration.

16) Remove existing websites.


If upgrading from version 5.5.2 or earlier, the website registration and naming process follows a
different process than 5.5.2.1 or later. Failure to remove existing websites will cause multiple
registration with different names to appear in the website registration dialog and can cause
your security and other settings to not take effect.
17) Install the base Lieberman RED Identity Manager program.
This step will install the management console. See Install the Lieberman RED Identity Manager
Management Console for details.
18) Configure and Register Lieberman RED Identity Manager.
a. Complete the mini-setup wizard.
The first time Lieberman RED Identity Manager is run, a mini-setup wizard will run through a
series of pages that handle the configuration of the various components of the product, such as
database connections and encryption settings. Don't worry if you do not yet have all of the
information required at this point, as all configuration may be performed or changed after
installation as well. See Complete the Mini-Setup Wizard for details.
b. Register Lieberman RED Identity Manager.
Completing the "Registration" dialog enables switching from demo mode to extended demo
mode or switching from demo mode to commercial mode. See Register in the admin guide for
details.
c. Optional - Configure permissions to launch the management console.
Following installation, any user who is an administrator of the system where the management
console is installed and also has access to the program datastore will have the ability to launch
the application. Configuring these permissions allows you to enable MFA requirements for
launching the console as well as define what aspects of the management console are available
to users of the console.
d. Optional - Configure database settings.
If reconfiguration of database settings is required, such as provider, connection limits, or
connection strings for HA configurations, see Configuring Database Settings in the admin guide
for more details.
e. Optional - Configure encryption settings.
Passwords managed and/or stored by Lieberman RED Identity Manager are encrypted and then
stored in the secure datastore. The use of HSM or software based encryption is supported at all
times and may be changed at any point in time. See Configuring Encryption Settings in the
admin guide for more details.
19) Install the web application.
The web application is used by consumers and auditors. Consumers will retrieve secured
passwords or establish sessions through a delegated and audited process. Auditors will be able
to generate reports and audit settings. See Installing the Web Application for more details.
20) Install the web service.
The web service provides API based functionality via a SOAP or REST based URI and is required
by the web application, PowerShell, federated (SAML/OAUTH) logins, and application launcher
(optional module) modules. The web service is deployed from a separate installer or can be
pushed from the management console with version 5.5.2.1 of the product or later. See Installing
the Web Service for more details.
21) Optional - Install one or more zone processors.
A zone processor is a remotely deployed scheduling service designated to perform specific jobs
against a specific list (management set) of systems and devices. Conversely, the default deferred
processor is installed with the management console and will handle any configured jobs against
any and all lists of systems. Zone processors are typically used in DMZs or distributed networks
where normal communication may not be allowed. Zone processors are also used to improve
the job processing throughput of the entire solution. Zone processors may also require
secondary installations of integration components and the cross platform support library. See
Installing and Configuring Zone Processors for more details.
22) Optional - Install the PowerShell cmdlets.
PowerShell cmdlets extend the management of Lieberman RED Identity Manager to a
command-line/scripting environment. See Installing the PowerShell Cmdlets for more details.
23) Install the application launching and session recording components.
Application launching allows users to enter a privileged session without gaining access to the
underlying credentials (password, key, etc.) via a secured host where session recording may also
be enabled for the session. See Installing the Application Launcher and Session Recording for
more details.
24) Optional - Install the Syslog Forwarder Service.
This service listens for Syslog UDP traffic and retransmits it using SSL and/or TCP on the same or
a different port for greater security and reliability when forwarding events to loggers and SIEM
products. See Using the Syslog Forwarder for more details.
If you are ready to begin your upgrade to the latest version of Lieberman RED Identity Manager,
be sure to first visit Understanding Prerequisites (on page 14), and then Upgrading Lieberman
RED Identity Manager (on page 171).

Chapter 3 Installing Lieberman RED Identity Manager Prerequisites
This chapter documents the installation prerequisites for Lieberman RED Identity Manager. Based
on your starting host system configuration, your actual installation experience may vary.
Note that the following topics are not covered:
Installation of Windows
Installation of Microsoft .Net Framework
Installation of Microsoft Windows Management Framework
Installation of Java JRE or Java SDK
See the Start Here: Installation and Upgrade Roadmap (on page 7) for a complete list of installation
tasks.

IN THIS CHAPTER

Understanding Prerequisites ................................................................... 14
Installing and Configuring IIS ................................................................... 35
Enabling Remote COM+ Access............................................................... 63
Installing Database Providers (Connectors) ............................................ 68
3.1 UNDERSTANDING PREREQUISITES

This section describes the requirements and prerequisites necessary to install Lieberman RED
Identity Manager, and to manage target systems and devices.

3.1.1 Recommended Knowledge

While Lieberman Software provides documentation and support to set up and configure Lieberman
RED Identity Manager in conjunction with the various technologies that it uses, product
administrators should have knowledge in the following areas:
Knowledge of the program data store (MS SQL Server) and all target databases
IIS web server technologies
Network administration
System administration
Lieberman RED Identity Manager uses a management console application in conjunction with a local
service to set up recurring discovery jobs and password change jobs. The web application provides
access to managed credentials and other functionality using a web browser. The web application is
deployed as an IIS web application. It includes COM+ applications and a collection of ASP and
ASP.NET files that are set up in a virtual directory on the web server. The web server must be
Microsoft Internet Information Services. A Microsoft SQL Server database is required to store
program data.
Lieberman RED Identity Manager component host servers should be patched, secured, and properly
configured in conjunction with your corporate patching strategy to help ensure that the password
store system will not be compromised.

3.1.2 Product Requirements Overview

The solution is an n-tier product where individual components can and should be (resources
permitting) distributed across multiple systems. The primary components are:
Management Console - the primary administrative interface for gross configuration of the
product.
Web Site - the primary user interface for retrieving managed credentials or establishing
sessions.
Web Service - the resource used by PowerShell, application launcher, the web site, and other
components to perform programmatic access and management of the product.
Database - the datastore where managed passwords are stored and where most program
configurations are stored. All product components require communication to the database.
If any components will be shared on a single host, then simply combine the requirements. The
database in particular should be placed on a separate system to keep the encrypted data
segregated from the encryption key.
The product is supported in a physical, virtual (cloud), or physical-virtual mixed environment. The
virtual host platform is irrelevant to the support of the product. All virtualization platforms are
supported. Virtual host and virtual machine configurations, however, can severely impact or impede
the ability of the product to work because virtual host and guest configurations do affect every
component of the virtual guest that is running the product.
Additional components include the following:

The deferred processing service - Required to utilize scheduled jobs and automatic retry
options. Comes with the download package.
Zone processors - generally required to manage segregated and distributed networks
(additional license required).
Integration Components (IntegrationComponents.msi) - additional connectors used by zone
processors or remote web services and web applications to function with email, help desk
systems, syslog output, and more.
Cross Platform Support Library (CrossPlatformSupportLibrary.msi) - Required to manage and
discover non-Windows based systems and devices (e.g. Cloud, Linux, UNIX, and Cisco IOS
devices from zone processors). Comes with the download package.
An email server - Optional. The product can send email notifications. The configuration of the
email server (including enabling SSL and establishing a certificate trust) is done outside
Lieberman RED Identity Manager.
An IIS web server (supplied with host operating system) with ASP (Active Server Pages)
processing and ASP.NET enabled - Required to utilize the Lieberman RED Identity Manager web
application and web service.
IIS Media Services - Optional. When using application launching and the free/included session
recording, IIS Media Services must be installed to stream the recorded sessions. Comes with the
download package.
3.1.3 Console Host System Requirements

This section covers requirements for the management console and deferred processing tier of
Lieberman RED Identity Manager.

Platform Requirements
A Windows Server operating system is required for a production installation of Lieberman RED
Identity Manager. The solution is fully supported on a physical server or a virtual machine,
regardless of the virtual host platform. For lab/testing environments, a workstation-class operating
system, such as Windows 10 Professional will suffice. All service pack levels and editions are
supported except where specifically noted. We recommend using Windows Server 2012 R2 as the
host platform.
Supported versions of Windows Server are:
Windows Server 2012 R2
Windows Server 2012
Windows Server 2008 R2
The following versions are suitable for testing only. These host systems are not supported in
production environments. (Note that ERPM is a 32-bit application and will run in a WOW64
environment on 64-bit systems. Microsoft certifies WOW64 to run on these versions.)
Windows 10 Professional or higher, 64-bit version
Windows 8.1 Professional or higher, 64-bit version
Windows 8 Professional or higher, 64-bit version
Windows 7 Professional or higher, 64-bit version

Note: ERPM v4.83.8 and later is not supported on Windows Server 2008 (non-R2
revisions) and earlier operating systems due to inconsistencies in the OS.
Generally, these are compatibility problems, and in some cases, incomplete APIs.

Hardware Requirements
In addition to the requirements needed to support the host system and database, the product itself
requires at least the following:

1GB of RAM.
Approximately 1GB of hard drive space to install.
Note that this does not include space required by logging files. Log files are enabled by default
and can consume enormous amounts of space over time.
Intel or AMD multi-core processor or multi-CPU system.
Microsoft .NET Framework 4.5.2 or later.
Windows Management Framework v4.0 or later for Windows 2008 R2 or Windows 2012. This is
part of Windows 2012 R2 (https://www.microsoft.com/en-us/download/details.aspx?id=40855).
The suggested minimum configuration is:
Windows Server 2012 R2.
2GB of RAM for the application in addition to the host OS and other applications.
4GB+ of hard drive space for local log files.
Intel or AMD multi-core or multi-proc/multi-core processors with 4 or more CPU cores.
4GB+ RAM for the program database.
Microsoft .NET Framework version 4.5.2 or later.
At least 32-bit Java v1.5. (Optional.)
Windows Management Framework v4.0 or later for Windows 2008 R2 or Windows 2012. This is
part of Windows 2012 R2 (https://www.microsoft.com/en-us/download/details.aspx?id=40855).

Note: This manual does not cover installing or administering Windows.

Notes
If using a Windows Server 2008 R2 or later host operating system for Lieberman RED Identity
Manager, there will be inconsistencies with remote COM+ management interfaces when
managing COM+ on Windows 2000 target machines. This is by Microsoft's security design. For
further information on this matter, including how to address the issues, please read the
following article:
https://liebsoft.zendesk.com/hc/en-us/articles/236069048-Stub-Received-Bad-Data-When-Propagating-to-Windows-2000
If attempting to manage databases other than Microsoft SQL Server, the most recent 32-bit
OLEDB providers, typically available from the database vendor or installation media, will be
required to be installed on any component that will manage the target database. This should
include the management console as well as any remote deferred or zone processors.
Before successfully installing the product, the Microsoft .NET Framework v4.5.2 or later must
also be installed; version 4.5.2 must be installed on operating systems prior to Windows Server
2016. The Microsoft .NET Framework version 3.5 SP1 is included in Windows Server 2008 R2.
Windows Server 2012 R2 includes .NET version 4.5.1 and will require additional steps to install
version 4.5.2 or later. We recommend using the latest version and service pack of the Microsoft
.NET Framework.
Lieberman RED Identity Manager also ships with an optional Java-based SDK for
application-to-application and application-to-database secure password management. This is
available for both Windows and non-Windows operating systems. Java 1.5 or higher, 32-bit
edition is required to make use of this. If Java 1.5+ is not installed, the program's Java-based
SDK will not be available to Lieberman RED Identity Manager. If there are no plans to make use
of the program's Java-based SDK, then there is no need to install Java on the host system or
target systems.
If attempting to integrate System Center Service Manager (SCSM), the SCSM SDK binaries will
need to be obtained from the installation directory of SCSM and placed into the installation
directory of Lieberman RED Identity Manager.
If attempting to manage System Center Operations Manager (SCOM), the SCOM SDK binaries
will need to be obtained from the installation directory of SCOM and placed into the installation
directory of Lieberman RED Identity Manager.
Virtual environments are fully supported for all components of the solution. However, there
may be severe performance limitations depending on the virtual environment versus the
environment being managed.
Please refer to the following knowledge base article for more information on HA, DR, and basic
comments on security:
https://liebsoft.zendesk.com/hc/en-us/articles/236068808-Disaster-Recovery-Security-and-High-Availability
3.1.4 Web Service Host Requirements

This section covers requirements for the Lieberman RED Identity Manager web service.
Requirements for the management console are covered in Console Host System Requirements (on
page 16). Requirements for the web application are covered in Web Application Host Requirements
(on page 20).
The web service is required for the web application to function. If the web service is unavailable,
managed passwords will be unavailable for retrieval. Additionally, the web service is required for
use with the supplied PowerShell cmdlets as well as application launching and SAML and OAUTH
user authentication.

Web Service Server Requirements

The system hosting the web service requires the following components:
Windows Server 2008 R2 or later (Windows Server 2012 R2 recommended)
Microsoft .NET Framework version 4.5.2 or later
Application Server Role with Web Server (IIS) Support and related IIS requirements
Valid SSL certificate is highly recommended
Starting with Lieberman RED Identity Manager version 5.5.2.1, the web service can be installed via
the web service installer (ERPMWebService.exe) or pushed via the management console. Pushing
the web service from the management console also requires the web service host system to
enable:
Application Server Role with COM+ Network Access
Remote Registry service running

IMPORTANT! If the web service is hosted at a different URL than the web
application, CORS support (Cross-Origin Resource Sharing) must also be enabled
in the web service's web.config file and additional browser configuration may be
required.

For more information, see Web Service (on page 162).


3.1.5 Web Application Host Requirements

This section covers requirements for the Lieberman RED Identity Manager web application.
Requirements for the management console are covered in Console Host System Requirements (on
page 16). Requirements for the web service are covered in Web Service Host Requirements (on
page 19).

Web Application Server Requirements

The system hosting the ERPM web client tier requires the following components:
Windows Server 2008 R2 or later (Windows Server 2012 R2 recommended)
Internet Information Services (IIS)
Microsoft .NET Framework version 4.5.2 or later
Lieberman RED Identity Manager web service
Internet Information Services (IIS) with support for Active Server Pages and ASP.NET must be
installed on the system that will host the web application.
IIS requires the following role services be included when configuring IIS:
Static Content
Default Document
HTTP Errors (Required for secure file store.)
ASP.NET v4.5
ASP (Active Server Pages)
Static compression (Optional)
IIS Management console
IIS6 Metabase compatibility
Windows authentication (Required if using Windows integrated authentication. Optional,
otherwise.)
For more information, see Installing and Configuring IIS (on page 35).
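The role services listed above can be installed and verified from PowerShell. The following is an added example, not code from this guide or from Lieberman Software; it assumes Windows Server 2012 or later with the ServerManager cmdlets (on Windows Server 2008 R2, Import-Module ServerManager and Add-WindowsFeature would be used instead), an elevated session, and that the feature names below map to the role services as commented.

```powershell
# Added example; not part of the product or this guide. Installs the IIS role
# services the web application host needs and then verifies each is present.
# Assumes Windows Server 2012 or later (Install-WindowsFeature) and an elevated session.

# Feature names mapped to the role services listed in this section.
$required = @(
    'Web-Server',           # Web Server (IIS) role itself
    'Web-Static-Content',   # Static Content
    'Web-Default-Doc',      # Default Document
    'Web-Http-Errors',      # HTTP Errors (required for the secure file store)
    'Web-Asp-Net45',        # ASP.NET 4.5
    'Web-ASP',              # ASP (Active Server Pages)
    'Web-Mgmt-Console',     # IIS Management Console
    'Web-Metabase'          # IIS 6 Metabase Compatibility
)
$optional = @(
    'Web-Stat-Compression', # Static compression (optional)
    'Web-Windows-Auth'      # Windows authentication (only for integrated authentication)
)

function Install-RedIisFeatures {
    param([string[]]$Features, [switch]$IncludeOptional)
    $names = $Features
    if ($IncludeOptional) { $names += $optional }
    # Install-WindowsFeature skips features that are already installed, so this
    # is safe to re-run on a partially configured host.
    $result = Install-WindowsFeature -Name $names -ErrorAction Stop
    if ($result.RestartNeeded -eq 'Yes') {
        Write-Warning 'A restart is required before continuing the installation.'
    }
    return $result
}

function Test-RedIisFeatures {
    param([string[]]$Features)
    # Return the names of any features still missing so the caller can fail fast
    # instead of discovering the gap when the web application is pushed.
    $missing = Get-WindowsFeature -Name $Features |
        Where-Object { -not $_.Installed } |
        Select-Object -ExpandProperty Name
    return @($missing)
}

Install-RedIisFeatures -Features $required -IncludeOptional | Out-Null
$gaps = Test-RedIisFeatures -Features ($required + $optional)
if ($gaps.Count -eq 0) {
    'All IIS role services for the web application host are installed.'
} else {
    "Missing IIS role services: $($gaps -join ', ')"
}
```

Drop Web-Windows-Auth from the optional list if the site will not use Windows integrated authentication; installing unused authentication modules widens the surface of the web tier for no benefit.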
The management console can push out the web application to a remote web server. If the website
will be hosted on a remote system (relative to the management console), enable remote COM+
access on the web server to support an automated installation of the website. For information
about how to enable this access, see Enabling Remote COM+ and IIS Access.

Supported Web Browsers

The web application is compatible with the following browsers:
Internet Explorer 9, 10, and 11
Microsoft Edge
Firefox *
Google Chrome *,**
Safari ***
Konqueror ***
Opera ***
* Click-Once extension required to support application launching.
** Recent versions of this browser have disabled support for Java. As a result, the included SSH
terminal (MindTerm) cannot function with this browser.
*** Lieberman Software is unaware of any extensions which can enable Click-Once support, thus
application launching is not supported with these browsers.

3.1.6 Solution Database Requirements

A Microsoft SQL database is required at the time of product installation. Lieberman Software
recommends not sharing database instances with other applications.

Note: As of January 1, 2015, Oracle databases are no longer fully supported for use as
the back-end data store to Lieberman RED Identity Manager. Lieberman Software
will continue to support customers who maintain a support agreement and who
purchased Oracle datastore support. For details, contact your Lieberman Software
account representative. For more information on using Oracle as the datastore,
see the Oracle as a Datastore addendum (on page 265).

The database serves as the Lieberman RED Identity Manager storage and configuration datastore.
Management sets, system information, account information, stored passwords, event sinks, answer
files, email files, and more are stored in the database. Use an existing installation of a database
server, or implement a new instance on an existing database server or a different database server.
We recommend placing the database on a system separate from other product components to keep
the encrypted data segregated from the encryption key.

Supported Versions for Production Environments

We strongly recommend using SQL Server 2012 or later. The following versions of Microsoft SQL
Server are supported for both test environments and production environments:
Microsoft Azure SQL Database
Microsoft SQL Server 2016
Microsoft SQL Server 2014
Microsoft SQL Server 2012
Microsoft SQL Server 2008 R2
Microsoft SQL Server 2008

Note: Microsoft Azure SQL Database requires Lieberman RED Identity Manager to use the latest
version of the Microsoft SQL Native Client (not supplied with product download). As of this
writing, that is version 11.
Both 32 and 64-bit versions of Microsoft SQL Server database are supported. Standard and
Enterprise editions are supported. Basic installation and configuration of Microsoft SQL Server is
covered in the next section.

Supported Versions for Test Environments Only

SQL Express is a lightweight version of SQL Server that is made available for free download from the
Microsoft website. Microsoft SQL Server Express should be used for testing scenarios only. Be
aware: use of SQL Express will impact performance and scalability as well as high availability and
disaster recovery options. See Microsoft's documentation for more information. The following
versions are supported:
Microsoft SQL Server 2016 Express
Microsoft SQL Server 2014 Express
Microsoft SQL Server 2012 Express
Microsoft SQL Server 2008 R2 Express
Microsoft SQL Server 2008 Express
SQL Express configures itself to a random port number during installation. The port number is
required to complete the installation of Lieberman RED Identity Manager.

Components Needing Datastore Access

There are at least four Lieberman RED Identity Manager components that access the database:
Website COM application
Web Service COM application
Deferred Processor / Zone Processors
Console application

Datastore Authentication
There are at least two ways to authenticate to a Microsoft SQL database:
Local SQL Account Authentication / Explicit Database Authentication
Integrated Windows Authentication

Whichever method is configured in the management console at the time of component deployment
will also be the method used by the website COM applications as well as the Deferred Processor
(and zone processors).
The solution may use either authentication method, though Integrated Windows Authentication is
recommended because it permits much more granular control when providing access to the
information within ERPM and also allows for additional logging. If using SQL authentication, all
access to the database server happens in the context of the SQL account rather than the user
performing the action. Whatever method is chosen for authentication, access will need to be
provided for the solution database to the SQL account, the Windows user account, or to a Windows
group containing the Windows users.

Datastore Permissions
If using a dedicated instance of Microsoft SQL, simply grant:
SYSADMIN = server role
or
Control Server = database server right

This allows the granted users the rights to perform all actions within that instance of SQL including
creating the required databases, stored procedures, all other features in the main application, as
well as backup and restoration.
If it is not desired or permitted to grant SYSADMIN or Control Server to the SQL instance, then the
database that Lieberman RED Identity Manager will use must be pre-created within the SQL Server
instance by the DBA. The SQL account or Windows users/groups will need to be granted the
following roles/rights over the Lieberman RED Identity Manager database:
DBO = user role
or
db_datareader = user role
db_datawriter = user role
db_ddladmin = user role
Execute = database permission
Create Tables = database permission needed during install/upgrade
Create Views = database permission needed during install/upgrade


Additionally, if using SQL 2008 or later, Lieberman RED Identity Manager can take advantage of the
performance recommendations made by SQL Server (for auto-index creation, defragmentation,
etc.). To be able to make use of this feature, the SQL account or Windows users/groups must be
granted the View Server State right on the host SQL server. To do this, open SQL manager and the
properties of the account/group, select Securables, add the database server, and scroll down the
list to View Server State and select the grant option next to that right. If this permission is not
granted, a DBA must be accountable for tuning the product database or performance will decrease
over time.
If using the explicit DB permissions rather than granting sysadmin or DBO, once the user account
has been granted the db_datareader, db_datawriter, and db_ddladmin roles, the EXECUTE
permission is granted via SQL statement such as GRANT EXECUTE TO user_name.
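The explicit (non-SYSADMIN) grants above, together with the View Server State right and the Integrated Windows Authentication recommendation from the Datastore Authentication section, can be applied by a DBA in one script. The following is an added example, not code from this guide or from Lieberman Software; it assumes SQL Server 2012 or later (ALTER ROLE ... ADD MEMBER; on 2008/2008 R2 sp_addrolemember would be used), that the DBA running it connects with Integrated Windows Authentication, and that the instance, database and group names are placeholders.

```powershell
# Added example; not part of the product or this guide. Grants the explicit datastore
# rights listed in this section to one Windows group (holding the service accounts)
# instead of SYSADMIN, then reads back what was granted. Placeholder names below.

$SqlInstance = 'SQLHOST\RED'          # placeholder instance
$DbName      = 'REDIdentityManager'   # placeholder database (pre-created by the DBA, or created here)
$Principal   = 'CORP\RED-Datastore'   # placeholder Windows group holding the service accounts

function Test-SqlIdentifier {
    param([string]$Name)
    # Identifiers cannot be bound as query parameters, so restrict them to a
    # conservative character set before embedding them in bracketed names.
    if ($Name -notmatch '^[A-Za-z0-9_\\ .-]+$') { throw "Unsafe identifier: $Name" }
}

function Invoke-RedSql {
    param([System.Data.SqlClient.SqlConnection]$Conn, [string]$Sql)
    # Runs one batch and returns the first column of any rows it produces.
    $cmd = $Conn.CreateCommand()
    $cmd.CommandText = $Sql
    $rows = @()
    $rdr = $cmd.ExecuteReader()
    try { while ($rdr.Read()) { $rows += $rdr.GetString(0) } } finally { $rdr.Close() }
    return $rows
}

function Grant-RedDatastoreAccess {
    param([string]$SqlInstance, [string]$DbName, [string]$Principal)
    Test-SqlIdentifier $DbName; Test-SqlIdentifier $Principal
    # Integrated Windows Authentication for the DBA session; Encrypt=True keeps the
    # grant traffic off the wire in clear text.
    $conn = New-Object System.Data.SqlClient.SqlConnection(
        "Server=$SqlInstance;Database=master;Integrated Security=SSPI;Encrypt=True")
    $conn.Open()
    try {
        # Server level: the login plus VIEW SERVER STATE so the product can act on
        # SQL Server's tuning recommendations.
        Invoke-RedSql $conn @"
IF DB_ID(N'$DbName') IS NULL CREATE DATABASE [$DbName];
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$Principal')
    CREATE LOGIN [$Principal] FROM WINDOWS;
GRANT VIEW SERVER STATE TO [$Principal];
"@ | Out-Null
        $conn.ChangeDatabase($DbName)
        # Database level: the three roles and EXECUTE cover day-to-day operation;
        # CREATE TABLE / CREATE VIEW are only needed during install and upgrade.
        Invoke-RedSql $conn @"
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$Principal')
    CREATE USER [$Principal] FOR LOGIN [$Principal];
ALTER ROLE db_datareader ADD MEMBER [$Principal];
ALTER ROLE db_datawriter ADD MEMBER [$Principal];
ALTER ROLE db_ddladmin   ADD MEMBER [$Principal];
GRANT EXECUTE      TO [$Principal];
GRANT CREATE TABLE TO [$Principal];
GRANT CREATE VIEW  TO [$Principal];
"@ | Out-Null
        # Read back role memberships and explicit database-level grants (class 0)
        # so the result can be reviewed and filed with the change record.
        return Invoke-RedSql $conn @"
SELECT r.name
FROM sys.database_role_members rm
JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'$Principal'
UNION ALL
SELECT p.permission_name
FROM sys.database_permissions p
JOIN sys.database_principals m ON m.principal_id = p.grantee_principal_id
WHERE m.name = N'$Principal' AND p.state = 'G' AND p.class = 0;
"@
    } finally { $conn.Close() }
}

Grant-RedDatastoreAccess -SqlInstance $SqlInstance -DbName $DbName -Principal $Principal
```

Granting to a Windows group rather than to each service account keeps the database side stable when service accounts are rotated or split per tier, and the read-back at the end is what to compare against this section's list after an upgrade, when CREATE TABLE and CREATE VIEW may be revoked again if policy requires it.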

3.1.7 Service Account Requirements

Lieberman RED Identity Manager is an n-tier architecture that consists of the following tiers:
Database
Management console
Web Services
Web Site
Scheduling services (deferred processors and zone processors)
Application Launcher - optional
Session Recording - optional

All tiers may be on a single system or spread across multiple systems. All components operate
independently of each other. When deployed across multiple hosts, loss of the management console
has no functional effect on the website or web service and vice versa. Furthermore, the service
accounts that run each component have different requirements in terms of security and access
within your environment or within the solution. Because of these different requirements, it is
reasonable to employ multiple service accounts to separately perform the specific functions of the
solution and thus minimize the permissions granted to or required by any product component service
account. It is also fully supported to use the same service account for all functions of the solution.
This topic covers the service accounts for the primary components. Service accounts for optional
components (Application Launcher and Session Recording) are covered in their specific
sub-sections.

Web Application Identity

Lieberman RED Identity Manager uses a COM+ application for its interactions from the web server to
the application database. This object requires the use of a privileged account. This account should
be a domain member (as applicable) and have the following rights and memberships:
Administrator of the web server host system - required.
Domain User - recommended when authenticating domain users or working with domain
groups.*
Log on as a batch job
DBO rights for the application database if using integrated authentication

*If multiple trusting domains will be managed by a single implementation of Lieberman RED Identity
Manager, the COM identity must be a trusted user for the target domain(s) or manual configuration
of an authentication server entry will be required with an explicit credential for that domain. If using
a directory other than active directory for user authentication, this requirement may be skipped
unless using Integrated Windows Authentication to the database.
The website COM application must be configured to run as a user account, but this account can be
automatically managed by Lieberman RED Identity Manager.
Note: The COM account, if using a separate account from the deferred processing
account, may need administrative rights over target Windows systems. This right
becomes a requirement ONLY IF the website option to Block password Check-in if
account is in use is enabled. Enabling this option allows the COM application to
enumerate all active sessions and determine if the specified account is still
"logged in" according to the target Windows system.

Web Services Identity

Lieberman RED Identity Manager uses a COM+ application for its interactions from the web services
server to the application database. This object requires the use of a privileged account. This account
can be configured as NetworkService if using explicit database authentication (SQL Account) though
it should be configured as a domain member when using Integrated Windows Authentication to the
database. If using a named identity, the account must have the following rights and memberships:
Administrator of the web server host system - required.
Domain User - recommended when authenticating domain users or working with domain
groups.*
Log on as a batch job
DBO rights for the application database if using integrated authentication


*If multiple trusting domains will be managed by a single implementation of Lieberman RED Identity
Manager, the COM identity must be a trusted user for the target domain(s) or manual configuration
of an authentication server entry will be required with an explicit credential for that domain. If using
a directory other than active directory for user authentication, this requirement may be skipped
unless using Integrated Windows Authentication to the database.
The website COM application must be configured to run as a user account, but this account can be
automatically managed by Lieberman RED Identity Manager.

Deferred Processor / Zone Processor Service Identity

Lieberman RED Identity Manager performs all scheduled jobs such as password change jobs or
password verification reports by using a service on the management console host system or a
standalone service called a zone processor. The account should be a domain member (as applicable)
and have the following rights and memberships:
Administrator of the management console host system
Log on as a service*
DBO rights for the application database (system admin of the DB not required) if using integrated
authentication
Administrative rights over target managed systems**

The account used to run the deferred processing service cannot manage itself! Managing this
account through a scheduled job will cause any job being run by that processor at that time to be
stopped mid-process, which will leave the job in a locked and incomplete state requiring
administrative intervention to resolve in most cases. This will also cause all other scheduled jobs to
stop running until manual intervention is taken to start the service. An alternative to using a named
service account for the scheduling service is to configure the service to run as LocalSystem or use a
Microsoft Managed Service Account (MSA). This will negate password management requirements
for the service. However, to be successful in using this LocalSystem method, you must also grant
permissions to the database for the computer account (ComputerAccountName$) as well as
ensure the computer account is seen as an administrator of all managed systems.

Note: If the computer account is added to a new group in Active Directory in order to
provide these administrative rights, the computer must be restarted.

* If the service account/interactive user account cannot be an administrator of the target systems,
then alternate administrative accounts will need to be configured for use by the tool. Please see the
administrator's guide for steps on configuring alternate administrator accounts. If possible, avoid
the use of alternate administrator accounts within Enterprise Random Password Manager when
managing COM+ and DCOM objects, including scheduled tasks, as these interfaces do not allow for
impersonation.
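The two host-side requirements above that are easiest to get wrong (local Administrators membership and the "Log on as a service" right) can be checked before the service is started. The following PowerShell is an added example, not part of the Lieberman documentation; it reads the effective local security policy with secedit.exe and the local Administrators group through ADSI so that it also runs on Server 2008 R2. The account names shown are constructed placeholders. Only direct group membership is checked; rights inherited through nested groups are not resolved.

```powershell
# Added example (not from the Lieberman documentation): checks whether a candidate
# scheduling-service account meets the host-side requirements listed above.
# Account names such as 'CONTOSO\svc_redim' are constructed placeholders.

function Test-LocalAdminMembership {
    param([Parameter(Mandatory=$true)][string]$Account)   # 'DOMAIN\user', 'DOMAIN\HOST$' or 'DOMAIN\group'
    $group = [ADSI]"WinNT://./Administrators,group"
    $members = @($group.Invoke('Members') | ForEach-Object {
        # Each member is a COM object; its AdsPath looks like WinNT://CONTOSO/svc_redim
        $path = $_.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $_, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    })
    return [bool]($members -contains $Account)   # -contains is case-insensitive for strings
}

function Test-LogonAsServiceRight {
    param([Parameter(Mandatory=$true)][string]$Account)
    # Resolve the account to its SID; the exported policy lists rights holders as *SID
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
              [System.Security.Principal.SecurityIdentifier]).Value
    $tmp = Join-Path $env:TEMP 'redim-user-rights.inf'
    # secedit writes the effective user-rights assignment as a UTF-16 .inf file
    & secedit.exe /export /cfg $tmp /areas USER_RIGHTS | Out-Null
    try {
        $line = Get-Content $tmp -Encoding Unicode | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }
        if (-not $line) { return $false }          # nobody holds the right
        $entries = ($line -split '=', 2)[1].Split(',') | ForEach-Object { $_.Trim() }
        return [bool](($entries -contains "*$sid") -or ($entries -contains $Account))
    } finally {
        Remove-Item $tmp -ErrorAction SilentlyContinue
    }
}

function Test-SchedulingServiceIdentity {
    param([Parameter(Mandatory=$true)][string]$Account)
    New-Object PSObject -Property @{
        Account            = $Account
        LocalAdministrator = Test-LocalAdminMembership -Account $Account
        LogonAsService     = Test-LogonAsServiceRight -Account $Account
    }
}

# Usage (constructed account names): check a named service account, or the computer
# account when the service is to run as LocalSystem.
# Test-SchedulingServiceIdentity -Account 'CONTOSO\svc_redim' | Format-List
# Test-SchedulingServiceIdentity -Account "CONTOSO\$env:COMPUTERNAME`$" | Format-List
```

The database (DBO) right and administrative rights on the managed systems are remote checks and are not covered here. Note that when the computer account has just been added to a group, the check above reflects the new membership only after the restart the note above calls for.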

3.1.8 Port Requirements


The following ports may be used by Lieberman RED Identity Manager. Actual port usage will vary
based on the options used and the systems managed. The defined port directions refer to the
direction relative to the Lieberman RED Identity Manager component.

Note: The following ports are the standard well known ports for the various protocols.
These ports may have been changed on the target systems. It is the solution
Administrator's responsibility to determine if any of the target ports have been
changed and reflect that changed port when password change jobs or account
discovery jobs are performed.

22 - TCP, outbound, SSH - used for managing SSH based devices.


23 - TCP, outbound, Telnet - used for managing non-Windows devices that support Telnet.
25/465/587 - TCP, outbound, SMTP - for e-mail sending support. Only required if email
notifications will be sent from the solution.
80/443 - TCP, inbound, HTTP/S - required for access to the web application and web service.
135 & Ephemeral ports - TCP/UDP, outbound, RPC Port mapper service - used for most
Windows COM/DCOM based operations. Remote DCOM management port and ephemeral
ports typically provided by granting access to DLLHOST.EXE in the %systemroot%\system32
directory. Ephemeral ports vary by target Windows operating systems.
This port is also required to support automated installation of the web application and web
service. The web application can be manually installed on the target web server, so this port
does not need to be open on the web server unless you are also managing the following items:
COM/DCOM/MTS.

Internet Information Services (IIS).

Scheduled Tasks (iTask interface).

SQL Server Reporting Services action account (SSRS).

SCOM RunAs accounts.

137 - UDP, outbound, NetBIOS name service - for older Windows OS; generally not required.
This port or port 445 (SMB) is required. If NetBIOS is disabled, port 445 is required for
management of Windows systems.
138 - UDP, outbound, NetBIOS datagram service - for older Windows OS; generally not required.
This port or port 445 (SMB) is required. If NetBIOS is disabled, port 445 is required for
management of Windows systems.
139 - TCP, outbound, NetBIOS name service ports - for older Windows OS; generally not
required. This port or port 445 (SMB) is required. If NetBIOS is disabled, port 445 is required for
management of Windows systems.
161 - TCP, outbound, SNMP - may be configured for use during system/network discovery
operations and device management functions.
389/636 - TCP, outbound, LDAP/LDAPS - LDAP compliant directories such as Active Directory or
Oracle Internet Directory.
443 - TCP, outbound, HTTPS - ESXi native management and various cloud service providers as
well as SAML/OAUTH authentication providers.

445 - TCP, outbound, SMB - This port is required for Windows hosts from Windows Server 2008
and newer and is supported on Windows hosts from Windows Server 2000 and later.
514 - UDP, outbound, Syslog - Communication to logger systems such as ArcSight, QRadar,
Splunk, Syslog, etc.
623 - UDP, outbound, IPMI - management of lights out devices such as Dell DRAC, HP iLO, etc.
1025 - TCP, outbound, Teradata - used to discover and manage Teradata databases.
1433 - TCP, outbound, MS SQL Server - used for connecting product components to Microsoft
SQL Server datastore.
1521 - TCP, outbound, Oracle - used to discover and manage Oracle databases.
2002 - TCP, outbound, Java SDK remote connection to RMI host.
3306 - TCP, outbound, MySQL - used to discover and manage MySQL databases.
3389 - TCP, outbound and inbound, Remote Desktop Protocol (RDP) - used for remote
connections to target servers (automatic sessions) as well as inbound to application launch
server.
Port 5000 - TCP, outbound, Sybase - used to discover and manage Sybase ASE databases.
Port 5432 - TCP, outbound, PostgreSQL - used to discover and manage PostgreSQL databases.
Port 50000 - TCP, outbound, DB2 - used to discover IBM DB2 databases.
Port - Other, depending on the application being managed, such as SharePoint. If additional
external items/processes are leveraged, additional ports will be required. Please refer to the
following requirements for known port connection requirements:
BMC Remedy - TCP/UDP, outbound, BMC_AR_Port.

HP Service Manager - TCP, outbound, HPSM Port.

Microsoft SharePoint Server - TCP outbound, the SharePoint administrative port.

Microsoft System Center Configuration Manager - TCP, outbound. Typically Microsoft File and
Printer Sharing or Remote management ports.

Oracle WebLogic - TCP outbound.

IBM WebSphere - TCP outbound.

Additional ports may be required based on target system configuration or solution configuration.
For example, an SSH target listening on port 5555 must accept a connection from the solution and the
solution must be allowed to communicate out on that port to the target. Similarly, if the web service or
the web application is on a non-default port for its HTTP/S configuration, the firewalls must be
configured to allow communication on those ports.
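Because actual port usage depends on the target and on any non-default ports, it helps to verify outbound reachability from the console or zone processor host before scheduling jobs. The following PowerShell is an added example and is not part of the Lieberman documentation; it uses System.Net.Sockets.TcpClient with an explicit timeout so it also runs on Server 2008 R2, where Test-NetConnection is not available. The port-to-purpose table is taken from the list above; host names are constructed placeholders, and the UDP ports (137, 138, 161, 514, 623) cannot be probed this way.

```powershell
# Added example (not from the Lieberman documentation): tests outbound TCP reachability
# from this host to a managed target on the well-known ports listed in this section.
# Host names used in the usage lines are constructed placeholders.

# Well-known TCP ports from the requirements list above; adjust for targets that listen
# on non-default ports (for example an SSH target on 5555).
$RedimOutboundPorts = @{
    22   = 'SSH'
    23   = 'Telnet'
    135  = 'RPC endpoint mapper (COM/DCOM)'
    389  = 'LDAP'
    445  = 'SMB'
    636  = 'LDAPS'
    1433 = 'MS SQL Server'
    3389 = 'RDP'
}

function Test-TcpPort {
    param(
        [Parameter(Mandatory=$true)][string]$ComputerName,
        [Parameter(Mandatory=$true)][int]$Port,
        [int]$TimeoutMs = 2000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # A firewall that silently drops the SYN would otherwise block for ~20 s
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws SocketException if the port is closed (RST)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-RedimPortRequirements {
    param(
        [Parameter(Mandatory=$true)][string]$ComputerName,
        [int[]]$Ports = @($RedimOutboundPorts.Keys)
    )
    foreach ($p in ($Ports | Sort-Object)) {
        $purpose = $RedimOutboundPorts[$p]
        if (-not $purpose) { $purpose = 'custom' }
        New-Object PSObject -Property @{
            Target  = $ComputerName
            Port    = $p
            Purpose = $purpose
            Open    = Test-TcpPort -ComputerName $ComputerName -Port $p
        }
    }
}

# Usage: a Windows target should answer on 135 and 445; a Linux target on 22 or its custom port.
# Test-RedimPortRequirements -ComputerName 'winsrv01.example.test' -Ports 135,445 | Format-Table -AutoSize
# Test-RedimPortRequirements -ComputerName 'lnxsrv01.example.test' -Ports 22,5555 | Format-Table -AutoSize
```

A closed result for 135 does not by itself prove DCOM management will fail, because the ephemeral ports used after the endpoint-mapper exchange are not tested here; it does indicate that the firewall path needs attention before a password change job is scheduled.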

3.1.9 Managed Computer and Devices Requirements


This section lists many of the services and expected configurations for target managed computers
and devices. The requirements are generally the same: a credential with the ability to connect and
perform the desired management function. For those items that will take part in password rotation,
it will also be helpful to know what your required password policy is (length, complexity, character
constraints, etc.) as well as any other restrictions regarding minimum lifetime and so on. Lieberman
RED Identity Manager can attempt to set passwords which may not match the requirements of your
situation and in some cases, those changes may be successful in terms of operation, but may cause
problems later. For example, a device may permit the command to include special characters such
as an @ symbol, but when the command is processed on the device, the device may parse the @
symbol as a string delimiter and either cause the whole command to fail or report success but in the
process lock you out of management. Please be aware of your devices and their limitations.

Windows
See port requirements for further information:

File and Print Services for Microsoft Networks (enabled and installed by default).
Server Service (enabled and installed by default).
Remote Registry is optional and allows for further system information gathering such as MAC
address retrieval. If the service is disabled, MAC retrieval function will fail and DCOM
application discovery will fail. Other functions may suffer as a result.
If Lieberman RED Identity Manager will propagate to, manage, or discover the following items, the
target must support remote management of them:

COM+/MTS - Requires application server role with network COM+ access.


DCOM - requires remote registry service.
IIS - If you intend to manage IIS on a target system, IIS management components must also be
installed on the host system. The application server role with network COM+ access is required.
WMI - For SQL Server Reporting Services action account. Also required is placement of the
SCOM SDK binaries (from the SCOM server) in the Enterprise Random Password Manager
installation directory.

Enabling remote access to COM+ and IIS requires additional configuration steps on the target
systems. These steps are outlined in the Enabling Remote COM+ and IIS Access section.

Linux / UNIX / OS X
Determine the current SSH port - Required for password change and account enumeration.
Login password or SSH key for login account and possibly for the account being managed
(operation specific requirement).
Low powered login account - Optional. Used if root accounts are not permitted to SSH to the
target system.
Some distributions of Solaris, AIX, or other Linux/UNIX distributions may require password
authentication to be enabled in the /etc/ssh/sshd_config file. This will be obvious from the
errors recorded in the log during a password change job. To enable password authentication,
open the /etc/ssh/sshd_config file and set the PasswordAuthentication directive to yes. Then,
restart the SSH daemon. How to restart the daemon is distribution specific. Following are examples
of various restart commands:
FreeBSD: /etc/rc.d/sshd restart

Solaris: svcadm restart network/ssh

Suse: rcsshd restart

Ubuntu: sudo /etc/init.d/ssh restart

Red Hat/Fedora/CentOS: /etc/init.d/sshd restart OR service sshd restart

Cisco
Login account username and password.
Current password for enable.
SSH or Telnet port if changed from the default.

IPMI
Root or admin level login account username and password.

SSH/Telnet Devices
Actual requirements will vary based on target type and embedded operating system.

Login account username and password or SSH key.



SSH or Telnet port if changed from the default.


You may need to give special consideration to these devices with regards to the process used to
update stored passwords. Please review the Admin Guide for information about modifying the XML
files used for SSH/Telnet targets.

Other
Other platforms will have requirements specific to their implementation and configuration and
defined policies. Please consult your target system/device/service documentation for servicing
requirements.

3.1.10 Managed Database Requirements


Various databases can be managed within Lieberman RED Identity Manager. In order to connect to
and manage these databases, the appropriate database provider will need to be installed on the
host system performing the management tasks. The providers may be downloaded from the
database manufacturer. A provider for Microsoft SQL Server is already provided with Windows.

Note: Lieberman RED Identity Manager requires 32-bit database providers. 64-bit
providers are not supported.

The following databases require database-specific providers to allow for management of their
privileged identities from the Lieberman RED Identity Manager host system.

DB2
MySQL
Oracle
PostgreSQL
Sybase - Sybase ASE OleDB provider
Teradata
The rights required to change a target account's password will vary from database to database. The
rights required will also vary depending on the target account being changed. You will need other
information, such as instance or service name and possibly port. Refer to your database provider's
documentation for the most up-to-date description of rights required to change various identities.
Following is a partial list of possible rights required for various databases:

DB2 - The rights required to change passwords for accounts associated with a DB2 instance depend
on whether the database is hosted on Windows or Linux/UNIX, as DB2 has no local account store but
instead references accounts from the host or related directories. If DB2 is hosted on Windows,
follow the process for a typical Windows password change job. If DB2 is hosted on Linux/UNIX,
follow the process for a typical Linux/UNIX password change job. See the Admin Guide for more
information regarding password management for the target host platform.
To enumerate accounts in a DB2 database instance (accounts store view), the login account will
require:

CONNECT TO DB
GRANT SELECT on SYSIBM.SYSDBAUTH

Note: Lieberman RED Identity Manager can enumerate the local accounts associated
with the DB2 Instance. For this process to work, the Microsoft supplied DB2
database OLEDB provider must be installed. Changing DB2 account passwords
does not require a specialized provider, however, because DB2 utilizes the
database host system's local account store rather than providing its own internal
account store as does Microsoft SQL, Oracle, or MySQL.

Microsoft SQL- Microsoft SQL can leverage explicit SQL accounts or integrated authentication
accounts. Accounts using integrated authentication will be local computer accounts or accounts
from a trusted domain. In order for either of these account types to manage account passwords
within MS SQL, the following rights must be granted to the desired account or group:

GRANT VIEW ANY DEFINITION


GRANT CONTROL SERVER
The interactive login account and/or the deferred processing account requires these rights to
change passwords and enumerate accounts within the SQL database. Rights must be granted to a
Windows user or group for Integrated Windows authentication. The database instance name and
port (if different than the default) will be required.

Note: If the sysadmin right is given, no other rights will be required on the MS SQL
server.
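The two server-level permissions named above can be granted with a short T-SQL batch rather than by adding the account to sysadmin. The following PowerShell is an added example and is not part of the Lieberman documentation; it uses the System.Data.SqlClient provider that ships with Windows (so no extra driver is needed for MS SQL), creates the Windows login if it does not exist, grants exactly VIEW ANY DEFINITION and CONTROL SERVER, and reads back what the account now holds. The instance name and account are constructed placeholders, and the batch must be run by a login that is itself allowed to grant these permissions.

```powershell
# Added example (not from the Lieberman documentation): grants a Windows account or group the
# two server-level rights listed above for Integrated Windows authentication and returns the
# server permissions it holds afterwards. Instance and account names are constructed placeholders.

function Grant-RedimSqlRights {
    param(
        [Parameter(Mandatory=$true)][string]$Instance,       # e.g. 'sqlsrv01.example.test\REDIM' or 'sqlsrv01,1433'
        [Parameter(Mandatory=$true)][string]$WindowsAccount  # e.g. 'CONTOSO\svc_redim' or 'CONTOSO\REDIM-Admins'
    )
    # Bracket-quote the principal for the DDL statements; a ']' inside an identifier is doubled
    $principal = '[' + ($WindowsAccount -replace '\]', ']]') + ']'
    $sql = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = @acct)
    CREATE LOGIN $principal FROM WINDOWS;
GRANT VIEW ANY DEFINITION TO $principal;
GRANT CONTROL SERVER TO $principal;
SELECT p.permission_name
FROM sys.server_permissions AS p
JOIN sys.server_principals AS sp ON sp.principal_id = p.grantee_principal_id
WHERE sp.name = @acct AND p.state = 'G';
"@
    $connectionString = "Server=$Instance;Integrated Security=SSPI;Database=master"
    $conn = New-Object System.Data.SqlClient.SqlConnection $connectionString
    $cmd  = $conn.CreateCommand()
    $cmd.CommandText = $sql
    [void]$cmd.Parameters.AddWithValue('@acct', $WindowsAccount)   # name lookups are parameterised
    $granted = @()
    try {
        $conn.Open()
        $reader = $cmd.ExecuteReader()
        while ($reader.Read()) { $granted += $reader.GetString(0) }
        $reader.Close()
    } finally {
        $conn.Close()
    }
    return $granted
}

# Usage (constructed values); the result should list VIEW ANY DEFINITION and CONTROL SERVER,
# plus the CONNECT SQL permission that every login receives when it is created.
# Grant-RedimSqlRights -Instance 'sqlsrv01.example.test\REDIM' -WindowsAccount 'CONTOSO\svc_redim'
```

Granting the rights to a Windows group rather than to the individual service account keeps the grant valid when the deferred processor identity is later changed or moved to a Managed Service Account.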

MySQL / MariaDB - A MySQL login account will be required when configuring a MySQL password
change job. This login account must have sufficient rights to change the desired target account's
password. Assuming the login account can connect to the specified MySQL service and target
database, the following global privilege must be granted to the desired login account:

UPDATE
To enumerate the user accounts in a MySQL instance (Account Store View in Enterprise Random
Password Manager), the following global privilege must be granted to the desired login account for
the appropriate database:

SELECT
Sybase - A login account will be required when configuring a Sybase password change job. This login
account must have sufficient rights to change the desired target account's password. Presuming the
login account can connect to the specified Sybase service (and instance, if applicable), the login
account must belong to either of the following roles:

SSO_ROLE
SA_ROLE
To enumerate the user accounts in a Sybase instance (Account Store View in Enterprise Random
Password Manager), the following access must be granted to the desired login account:

SELECT access to the password column of the SYSLOGINS table in the MASTER database
Oracle - An Oracle login account is required when configuring an Oracle password change job. This
login account must have sufficient rights to change the desired target account's password. Assuming
the login account can connect to the specified Oracle service (and instance, if applicable), the
following rights must be granted to the desired login account:

ALTER USER
To enumerate the user accounts in an Oracle instance (Account Store View in Enterprise Random
Password Manager), the following rights must be granted to the desired login account:

SELECT ANY DICTIONARY


PostgreSQL - A PostgreSQL login account will be required when configuring a PostgreSQL password
change job. The login account must have sufficient rights to change the desired target account's
password as well as connect/login.

3.2 INSTALLING AND CONFIGURING IIS


The following sections detail how to install and configure IIS.
Even if the ERPM web client is not installed locally on the ERPM host system, you must install IIS to
be able to remotely install the web client to a remote server, and also to be able to manage the
remote IIS installations. Only a couple of elements are required, however, as outlined in the
following sections.

3.2.1 Installing IIS Components for Target Management Only


If the Lieberman RED Identity Manager console host or zone processor will not host the website or
web service, certain components of IIS may still be required. This is because the management
interfaces used to control IIS on other systems are provided by local IIS resources that are not
present until they are installed.

Installing Remote IIS Management


To install the IIS components required for remote management, either follow the steps below using
the GUI or use PowerShell. This section has instructions for both Server 2012 R2 and Server 2008
R2.

FROM POWERSHELL ON SERVER 2012 R2...


Install-WindowsFeature Web-Mgmt-Console,Web-Metabase

In the command above, Web-Mgmt-Console is the component required for managing Windows Server
2008 and later, while Web-Metabase is the component required for managing Windows Server 2003.

FROM THE 2012 R2 GUI...


1) On the Lieberman RED Identity Manager console host (and potentially zone processor hosts),
open Server Manager.
2) On Dashboard, click Add roles and features.
3) On Before You Begin, click Next .
4) On Installation Type, select Role-based or feature-based installation then click Next.
5) On Server Selection, select your host server (or remote host server if managing a core
installation) and click Next.
6) On Server Roles, click Web Server (IIS) and click Next. If any pop up dialogs appear indicating
more features are required, click Add Features, then click Next.
7) On Features, click Next.

8) On Web Server Role (IIS) click Next.


9) On Role Services, presuming no other IIS features are required for anything else on the target
host, de-select the top node called Web Server to de-select almost every option.
10) Scroll to the bottom of the Role Services list, and ensure the following item(s) are selected:
a. Management Tools
o IIS Management Console - enable if managing IIS for Windows Server 2008 or later
o IIS 6 Management Compatibility \ IIS 6 Metabase Compatibility - enable if managing IIS
for Windows Server 2003
11) On Role Services click Next.
12) On Confirmation, validate your selections, then click Install.
13) If the management console or deferred processor/zone processor was running when this
process began, restart the management console or deferred processor/zone processor.

FROM POWERSHELL ON SERVER 2008 R2...


import-module servermanager

Add-WindowsFeature Web-Mgmt-Console,Web-Metabase

In the command above, Web-Mgmt-Console is the component required for managing Windows Server
2008 and later, while Web-Metabase is the component required for managing Windows Server 2003.

FROM THE 2008 R2 GUI...


1) On the Lieberman RED Identity Manager console host (and potentially zone processor hosts),
open Server Manager.
2) Click the Roles node in the left pane, then click Add Roles in the right pane.
3) On Before You Begin, click Next .
4) On Server Roles, click Web Server (IIS) and click Next.
5) On Features, click Next.
6) On Web Server (IIS) click Next.
7) On Role Services, presuming no other IIS features are required for anything else on the target
host, de-select the top node called Web Server to de-select almost every option.
8) Scroll to the bottom of the Role Services list, and ensure the following item(s) are selected:
a. Management Tools
o IIS Management Console - enable if managing IIS for Windows Server 2008 or later
o IIS 6 Management Compatibility \ IIS 6 Metabase Compatibility - enable if managing IIS
for Windows Server 2003
9) On Role Services click Next.
10) On Confirmation, validate your selections, then click Install.

11) If the management console or deferred processor/zone processor was running when this
process began, restart the management console or deferred processor/zone processor.

3.2.2 Installing Support for Web Service Hosting


If a Windows server will host the Lieberman RED Identity Manager web services, certain
components of the IIS and Application Server roles will be required. The requirements are different
from those required to host the web site.
The web service is used by the following components:

Web site
PowerShell
Application Launcher
Session Recording

Installing Web Service Support


Be sure that the Microsoft .NET Framework v4.5.2 or later is already installed on the host system. To
install the required web service support infrastructure, either follow the steps below using the GUI
or use PowerShell. This section has instructions for both Server 2012 R2 and Server 2008 R2.

FROM POWERSHELL ON SERVER 2012 R2...


Install-WindowsFeature AS-Http-Activation,Web-Windows-Auth

In the command above, Web-Windows-Auth is optional; include it if the web service should
support Integrated Windows Authentication.

FROM THE 2012 R2 GUI...


1) On the Lieberman RED Identity Manager console host (and potentially zone processor hosts),
open Server Manager.
2) On Dashboard, click Add roles and features.
3) On Before You Begin, click Next .
4) On Installation Type, select Role-based or feature-based installation then click Next.
5) On Server Selection, select your host server (or remote host server if managing a core
installation) and click Next.
6) On Server Roles, expand Application Server
7) Under Application Server, expand Windows Process Activation Support and select HTTP
Activation and click Next. If any pop up dialogs appear indicating more features are required
(this includes multiple features including portions of IIS), click Add Features, then click Next.
8) On Features, click Next.
9) On Web Server Role (IIS) click Next.
10) On Role Services, if it is desired to be able to support Windows Integrated Authentication, also
select Windows authentication under the Security node.
11) On Role Services click Next.
12) On Confirmation, validate your selections, then click Install.

13) If the management console or deferred processor/zone processor was running when this
process began, restart the management console or deferred processor/zone processor.

FROM POWERSHELL ON SERVER 2008 R2...


import-module servermanager

Add-WindowsFeature AS-Http-Activation,Web-Windows-Auth

In the command above, Web-Windows-Auth is optional; include it if the web service should
support Integrated Windows Authentication.

FROM THE 2008 R2 GUI...


1) On the Lieberman RED Identity Manager console host (and potentially zone processor hosts),
open Server Manager.
2) Click the Roles node in the left pane, then click Add Roles in the right pane.
3) On Before You Begin, click Next .
4) On Server Roles, expand Application Server.

5) Under Application Server, expand Windows Process Activation Support and select HTTP
Activation and click Next. If any pop up dialogs appear indicating more features are required
(this includes multiple features including portions of IIS), click Add Features, then click Next.
6) On Web Server (IIS) click Next.
7) On Role Services, if it is desired to be able to support Windows Integrated Authentication, also
select Windows authentication under the Security node.
8) On Role Services click Next.
9) On Confirmation, validate your selections, then click Install.
10) If the management console or deferred processor/zone processor was running when this
process began, restart the management console or deferred processor/zone processor.

3.2.3 Installing IIS for Web Hosting


If a Windows server will host the Lieberman RED Identity Manager website, certain components of
IIS will be required. The requirements are different from those required to host the web service. The
server requirements for hosting the web service are covered in Installing Support for Web Service
Hosting (on page 38).
The web site is reliant on the following components:

Program database - If the program database is unavailable, the website will be fully unable to
function.
Web Service - if the web service is unavailable, the website will provide most of its functionality
but will be unable to provide access to managed passwords or any components that make use
of managed passwords such as application launcher. Further, all charts and quick search panels
will not function.

Installing IIS to Host the Web Site


Be sure that the Microsoft .NET Framework v4.5.2 or later is already installed on the host system. To
install the IIS components required to host the web site, either follow the steps below using
the GUI or use PowerShell. This section has instructions for both Server 2012 R2 and Server 2008
R2.

FROM POWERSHELL ON SERVER 2012 R2...


Install-WindowsFeature Web-Default-Doc,Web-Http-Errors,Web-Static-Content,Web-Http-Logging,Web-Stat-Compression,Web-Windows-Auth,Web-Asp-Net45,Web-Net-Ext45,Web-ASP,Web-ISAPI-Ext,Web-ISAPI-Filter,Web-Mgmt-Console,Web-Metabase

In the command above, Web-Windows-Auth is the only component not required. Including it
installs support for Integrated Windows Authentication.

FROM THE 2012 R2 GUI...


1) On the Lieberman RED Identity Manager web site host(s) , open Server Manager.
2) On Dashboard, click Add roles and features.
3) On Before You Begin, click Next.
4) On Installation Type, select Role-based or feature-based installation and click Next.
5) On Server Selection, select the target server and click Next.

6) On Server Roles, select Web Server (IIS) and click Next. If prompted to add features required
for IIS (IIS Management Console), click Add Features, then click Next.
7) On Features, click Next.
8) On Web Server Role (IIS), click Next.
9) On Role Services, select the following components (other features may be removed or ignored):
a. Common HTTP Features
o Default Document
o HTTP Errors
o Static Content
b. Health and Diagnostics - optional - not required but useful for troubleshooting
o HTTP Logging
c. Performance
o Static Content Compression
d. Security - optional - read descriptions as some items may be required based on use cases...
o Request Filtering - enabled by default, install to be able to restrict clients from making
certain requests of the web server such as a collection of URLS that cannot be browsed
or limiting the sizes of requests.
o Client certificate mapping - install if users are provisioned user certificates via Active
Directory and User-Certificate based authentication is required. This will require
additional configuration in IIS.
o IIS certificate mapping - install if users are provisioned user certificates and it is desired
to have the mapping and certificate authentication performed in IIS rather than Active
Directory. This will require additional configuration in IIS.
o IP and Domain Restrictions - install to be able to restrict source IP and domain names
from making requests of the web server.
o URL authorization - install to be able to restrict URLs and verbs. This option can
increase security when used in conjunction with Windows authentication.
o Windows Authentication - install if it is desired to be able to use Integrated Windows
Authentication. This may require additional configuration in IIS.
e. Application Development
o ASP.NET 4.5 - if prompted for additional role services (ISAPI Filters, ISAPI Extensions,
.NET Extensibility 4.5) click Add Required Role Services
o .Net Extensibility 4.5
o ASP

o ISAPI Extensions
o ISAPI Filters
f. Management Tools
o IIS Management Console
o IIS 6 Management Compatibility \ IIS 6 Metabase Compatibility
10) On Role Services, click Next.
11) On Confirmation, click Install.

FROM POWERSHELL ON SERVER 2008 R2...


import-module servermanager

Add-WindowsFeature Web-Default-Doc,Web-Http-Errors,Web-Static-Content,Web-Http-Logging,Web-Stat-Compression,Web-Windows-Auth,Web-Asp-Net,Web-Net-Ext,Web-ASP,Web-ISAPI-Ext,Web-ISAPI-Filter,Web-Mgmt-Console,Web-Metabase

In the command above, Web-Windows-Auth is the only component not required. Including it
installs support for Integrated Windows Authentication.

FROM THE 2008 R2 GUI...


1) On the Lieberman RED Identity Manager web site host(s), open Server Manager.
2) Click the Roles node in the left pane, then click Add Roles in the right pane.
3) On Before You Begin, click Next.
4) On Server Roles, select Web Server (IIS) and click Next. If prompted to Add features required
for IIS (IIS Management Console), click Add Features, then click Next.
5) On Web Server (IIS), click Next.
6) On Role Services, select the following components (other features may be removed or ignored):
a. Common HTTP Features
o Static Content
o Default Document
o HTTP Errors
b. Application Development
o ASP.NET - if prompted for additional role services (ISAPI Filters, ISAPI Extensions, .NET
Extensibility) click Add Required Role Services
o .Net Extensibility
o ASP
o ISAPI Extensions
o ISAPI Filters
c. Health and Diagnostics - optional - not required but useful for troubleshooting
o HTTP Logging
d. Security - optional - read descriptions as some items may be required based on use cases...
o Windows Authentication - install if it is desired to be able to use Integrated Windows
Authentication. This may require additional configuration in IIS.
o Client certificate mapping - install if users are provisioned user certificates via Active
Directory and User-Certificate based authentication is required. This will require
additional configuration in IIS.
o IIS certificate mapping - install if users are provisioned user certificates and it is desired
to have the mapping and certificate authentication performed in IIS rather than Active
Directory. This will require additional configuration in IIS.

o URL authorization - install to be able to restrict URLs and verbs. This option can
increase security when used in conjunction with Windows authentication.
o Request Filtering - enabled by default, install to be able to restrict clients from making
certain requests of the web server such as a collection of URLS that cannot be browsed
or limiting the sizes of requests.
o IP and Domain Restrictions - install to be able to restrict source IP and domain names
from making requests of the web server.
e. Performance
o Static Content Compression
f. Management Tools
o IIS Management Console
o IIS 6 Management Compatibility \ IIS 6 Metabase Compatibility
7) On Role Services, click Next.

8) On Confirmation, click Install.
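Sections 3.2.1 through 3.2.3 each give a PowerShell one-liner but no way to confirm afterwards that every feature actually reached the Installed state. The following PowerShell is an added example and is not part of the Lieberman documentation: it wraps the three feature sets from the commands above, picks Install-WindowsFeature or Add-WindowsFeature depending on which cmdlet the server provides (Server 2012 R2 versus Server 2008 R2), maps the ASP.NET 4.5 feature names to their 2008 R2 equivalents as the commands above do, and returns the list of features still missing. The role names RemoteMgmt, WebService and WebSite are this example's own.

```powershell
# Added example (not from the Lieberman documentation): installs one of the three IIS feature
# sets from this section and verifies that every feature is Installed afterwards.
# Feature names are copied from the Install-WindowsFeature / Add-WindowsFeature commands
# above; the role names are this example's own.

$RedimIisFeatureSets = @{
    # 3.2.1 remote management of IIS on other hosts
    RemoteMgmt = @('Web-Mgmt-Console', 'Web-Metabase')
    # 3.2.2 web service hosting (Web-Windows-Auth only if Integrated Windows Authentication is wanted)
    WebService = @('AS-Http-Activation', 'Web-Windows-Auth')
    # 3.2.3 web site hosting, Server 2012 R2 names; 2008 R2 names are derived below
    WebSite    = @('Web-Default-Doc', 'Web-Http-Errors', 'Web-Static-Content', 'Web-Http-Logging',
                   'Web-Stat-Compression', 'Web-Windows-Auth', 'Web-Asp-Net45', 'Web-Net-Ext45',
                   'Web-ASP', 'Web-ISAPI-Ext', 'Web-ISAPI-Filter', 'Web-Mgmt-Console', 'Web-Metabase')
}

function Test-RedimNewServerManager {
    # Server 2012 R2 exposes Install-WindowsFeature; Server 2008 R2 only has Add-WindowsFeature
    Import-Module ServerManager
    return [bool](Get-Command Install-WindowsFeature -ErrorAction SilentlyContinue)
}

function Get-RedimFeatureNames {
    param([Parameter(Mandatory=$true)][ValidateSet('RemoteMgmt','WebService','WebSite')][string]$Role)
    $names = $RedimIisFeatureSets[$Role]
    if (-not (Test-RedimNewServerManager)) {
        # 2008 R2 uses Web-Asp-Net / Web-Net-Ext, as in the 2008 R2 command above
        $names = $names | ForEach-Object { $_ -replace '45$', '' }
    }
    return @($names)
}

function Get-RedimMissingIisFeatures {
    param(
        [Parameter(Mandatory=$true)][ValidateSet('RemoteMgmt','WebService','WebSite')][string]$Role,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $wanted = Get-RedimFeatureNames -Role $Role
    if (Test-RedimNewServerManager) {
        $state = Get-WindowsFeature -Name $wanted -ComputerName $ComputerName
    } else {
        $state = Get-WindowsFeature -Name $wanted          # 2008 R2: local host only
    }
    # Return the names that are not yet Installed so the caller sees exactly what is missing
    return @($state | Where-Object { -not $_.Installed } | Select-Object -ExpandProperty Name)
}

function Install-RedimIisFeatures {
    param(
        [Parameter(Mandatory=$true)][ValidateSet('RemoteMgmt','WebService','WebSite')][string]$Role,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $features = Get-RedimFeatureNames -Role $Role
    if (Test-RedimNewServerManager) {
        $result = Install-WindowsFeature -Name $features -ComputerName $ComputerName
    } else {
        $result = Add-WindowsFeature -Name $features
    }
    if ($result.RestartNeeded -eq 'Yes') {
        Write-Warning "A restart is required before the $Role features are fully available."
    }
    return Get-RedimMissingIisFeatures -Role $Role -ComputerName $ComputerName
}

# Usage: an empty result means every feature in the set is installed.
# Install-RedimIisFeatures -Role RemoteMgmt
# Get-RedimMissingIisFeatures -Role WebSite -ComputerName 'websrv01.example.test'
```

After installing the RemoteMgmt or WebService set on a console or zone processor host, restart the management console or deferred processor as the GUI steps above require; the feature check does not do that for you.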



3.2.4 Configuring SSL on IIS


This product does not ship with an SSL certificate for encryption between the web application or
web service and the client browser. This means it is up to the web server admin to configure SSL
and determine which certificate to use.

Important! SSL and early versions of TLS have been found to have certain security flaws.
Due to these flaws, Microsoft recommends disabling SSL v3 and earlier and
forcing the use of TLS 1.2. For more information, please refer to the following
Microsoft article for help on disabling older versions of SSL and TLS:
https://technet.microsoft.com/en-us/library/security/3009008.aspx

See the following pages for configuring SSL.

3.2.4.1 SSL WITH IIS - WITH AN EXISTING CERT


In order to encrypt transmissions between the web server (IIS) and the client browser, and to
protect the privileged passwords while they are in transit, you have to configure SSL. This product
does not ship with a pre-configured SSL certificate. You can obtain a certificate from a public
certification authority, an internal private certificate authority, or by using a free utility. You can also
use or create a self-signed certificate in IIS. The following steps assume that a certificate is already
installed on the host web server, so none needs to be requested.
1) Open Internet Information Services (IIS) Manager from Administrative Tools.
2) Select the server's node in the Connections pane and open Server Certificates in the center
pane.

3) If certificates are installed on the system, they will be listed in the Server Certificates area.

4) In the Connections pane, expand the server.
5) Under the server, expand Sites.
6) Select the parent website that hosts the Lieberman RED Identity Manager web pages or virtual
directory.
7) In the Actions pane, click Bindings.

8) On the Site Bindings dialog, click Add.

9) Specify HTTPS as the protocol Type and assign the preferred SSL Port. If an alternate port
number is specified, this must be reflected in the URL as HTTPS://address:port_###/.

10) Select the appropriate certificate from the SSL certificate drop-down list. Click OK.

11) Note that the HTTPS binding is now appended to the website. Click Close.

12) To require the website to use SSL, go to either the website that hosts the Lieberman RED
Identity Manager web pages, or go to the virtual directory that hosts the web pages, and open
SSL Settings (located in the IIS area).

13) Select Require SSL. Click Apply. No other configuration options are required.

3.2.4.2 SSL WITH IIS - NO EXISTING CERT


In order to encrypt transmissions between the web server (IIS) and the client browser, and to
protect the privileged passwords while they are in transit, you have to configure SSL. This product
does not ship with a pre-configured SSL certificate. You can obtain a certificate from a public
certification authority, an internal private certificate authority, or by using a free utility. You can also
use a self-signed certificate in IIS. The following steps detail how to create and install a self-signed
certificate, as well as how to request a certificate from an on-line or off-line certificate authority.

Caution! A self-signed certificate is generally not recommended for production, as no other
system will trust that certificate. Some components and systems cannot work
with untrusted certificates. If the certificate is not distributed and installed on
ALL machines that will connect to the website or services, they will fail to
function at all and will always generate certificate errors until the certificate is
placed into the proper certificate store or replaced with a certificate created
by a trusted root certificate authority.

1) Open Internet Information Services (IIS) Manager from the Administrative Tools.
2) Select the server's node in the Connections pane and open Server Certificates in the center
pane.

To create a self-signed certificate, go to step 3.

To create a request to an off-line certificate authority (in house or 3rd party, e.g. Verisign), go to
step 5.

To create a request to an on-line certificate authority (in house, Enterprise CA), go to step 6.

3) To create a self-signed certificate, on the Actions pane, click Create Self-Signed Certificate.

4) Type a friendly name for easy identification and click OK. The certificate will be created and
added to the list of certificates installed on the server. Click OK.
Go to step 11.

5) To create a certificate request to a third-party CA or an off-line CA, click Create Certificate
Request.

Go to step 7.

6) To create a certificate request to an on-line Enterprise CA, click Create Domain Certificate.
Go to step 7.

7) On the Distinguished Name Properties dialog, specify the Common name (this is the name of
the server as will be entered in a browser) and all other properties, then click Next.

8) If this is going to an off-line CA, select the appropriate Cryptographic Service Provider
Properties. If this is going to an on-line CA, this page will not be presented. Bit length should be
set to 2048 bits or higher to maintain compatibility with modern browsers and systems. Click
Next.
If working with an off-line CA, go to step 9.
If working with an on-line CA, go to step 10.


9) If this is going to an off-line CA, a prompt for the name of the certificate request will be
presented. Supply the path and name for the certificate request file and click Finish. This text
file must then be sent to the CA for processing. Once the certificate is approved, simply follow
the wizard through the Complete Certificate Request screen.

Go to step 11.

10) If this is going to an on-line CA, select the name of the CA by clicking the Select button. Then
supply the friendly name of the website. The friendly name is the name of the server specified
in the URL. Click Finish.

11) Once the certificates are installed on the system, they will be listed in the Server Certificates
area.

12) In the Connections pane, expand the server.
13) Under the server, expand Sites.
14) Select the parent website that hosts the Lieberman RED Identity Manager web pages or virtual
directory.
15) In the Actions pane, click Bindings.

16) On the Site Bindings dialog, click Add.

17) Specify HTTPS as the protocol Type and assign the preferred SSL Port. If an alternate port
number is specified, this must be reflected in the URL as HTTPS://address:port_###/.

18) Select the appropriate certificate from the SSL certificate drop-down list. Click OK.

19) Note that the HTTPS binding is now appended to the website. Click Close.

20) To require the website to use SSL, go to either the website that hosts the Lieberman RED
Identity Manager web pages, or go to the virtual directory that hosts the web pages, and open
SSL Settings (located in the IIS area).

21) Select Require SSL. Click Apply. No other configuration options are required.
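The following is an added example, not code from the Lieberman guide, that performs the IIS Manager steps of 3.2.4.1 and 3.2.4.2 from PowerShell: locate a CA-issued certificate for the host (falling back to a self-signed one only for test use), add the HTTPS binding, attach the certificate, set Require SSL on the application, and read the result back. The site name, virtual directory name and host name are assumptions; replace them with the values for your installation.

```powershell
# Added example, not part of the Lieberman guide: scripted equivalent of the IIS Manager
# steps in 3.2.4.1 / 3.2.4.2 (certificate, HTTPS binding, Require SSL). Run elevated.
Import-Module WebAdministration   # installed with the IIS Management Scripts and Tools feature

$SiteName = 'Default Web Site'    # assumed parent site
$AppName  = 'PWCWeb'              # assumed virtual directory hosting the product's web pages
$HostName = 'pam.example.com'     # assumed; the name users will type into the browser
$Port     = 443                   # if changed, the URL becomes https://host:port/ as the guide notes

function Get-ServerCertificate {
    param([Parameter(Mandatory)][string]$DnsName)
    # Prefer a valid, CA-issued certificate with a private key already in the machine store;
    # only fall back to a self-signed one for a test host (see the Caution in 3.2.4.2).
    $caIssued = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$DnsName*" -and $_.Subject -ne $_.Issuer -and
                       $_.NotAfter -gt (Get-Date) -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if ($caIssued) { return $caIssued }
    Write-Warning "No CA-issued certificate for $DnsName found; creating a self-signed one (test use only)."
    New-SelfSignedCertificate -DnsName $DnsName -CertStoreLocation 'Cert:\LocalMachine\My' -KeyLength 2048
}

function Set-SiteHttpsBinding {
    param([string]$Site, [int]$Port,
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # Steps 8-11: add the HTTPS binding on all addresses and attach the certificate to it.
    if (-not (Get-WebBinding -Name $Site -Protocol 'https' -Port $Port)) {
        New-WebBinding -Name $Site -Protocol 'https' -Port $Port -IPAddress '*'
    }
    $sslBinding = "IIS:\SslBindings\0.0.0.0!$Port"
    if (Test-Path $sslBinding) { Remove-Item $sslBinding }
    New-Item -Path $sslBinding -Value $Certificate | Out-Null
}

function Set-RequireSsl {
    param([string]$Site, [string]$App)
    # Steps 12-13: SSL Settings > Require SSL on the application, so a plain HTTP request
    # for the password pages is refused (HTTP 403.4) instead of served in the clear.
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location "$Site/$App" `
        -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl'
}

function Test-SiteSslConfiguration {
    param([string]$Site, [string]$App, [int]$Port)
    $flags = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location "$Site/$App" `
        -Filter 'system.webServer/security/access' -Name 'sslFlags'
    $flagText = if ($flags.PSObject.Properties['Value']) { $flags.Value } else { "$flags" }
    [pscustomobject]@{
        HttpsBinding = [bool](Get-WebBinding -Name $Site -Protocol 'https' -Port $Port)
        CertBound    = Test-Path "IIS:\SslBindings\0.0.0.0!$Port"
        RequireSsl   = $flagText -match '\bSsl\b'
    }
}

$cert = Get-ServerCertificate -DnsName $HostName
Set-SiteHttpsBinding -Site $SiteName -Port $Port -Certificate $cert
Set-RequireSsl -Site $SiteName -App $AppName
Test-SiteSslConfiguration -Site $SiteName -App $AppName -Port $Port
```

Require SSL is applied at the application (virtual directory) level rather than the whole site, which matches step 12 of the guide and avoids breaking other applications on the same parent site that are not ready for HTTPS-only access.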

3.3 ENABLING REMOTE COM+ ACCESS


There are multiple scenarios in which Lieberman RED Identity Manager will require remote COM+:

Performing discovery of COM+ applications on remote systems.
Performing management of COM+ applications on remote systems.
Pushing the web application to a remote system.
Pushing the web service to a remote system.

In each of the above cases, without remote COM+ access enabled on the target systems, Lieberman
RED Identity Manager will fail to perform the requested function and will log a message that the
operation failed because the component is likely disabled. Even if remote COM+ access is enabled,
you will also need to ensure your firewall permits the required traffic from the Lieberman RED
Identity Manager host(s) - console, zone processors - or a similar error condition will also apply.
Generally speaking, the communication begins on port 135 (RPC Port Mapper), which then
negotiates a target ephemeral port for the solution to connect to and perform the requested work.
Ephemeral port ranges are initially determined by Microsoft and are specific to the Windows
version being targeted; however, administrators can also change those ranges. Please refer to
Microsoft documentation for more information.
For more information on enabling COM+ Network Access in Windows, go to Windows 2008 & Later
Remote COM+ Access (on page 63).
For more information on opening the Windows firewall to permit network COM+ access and IIS
remote management access, go to Windows Firewall & COM+ Network Access (on page 66).

IN THIS CHAPTER

Windows 2008 & Later Remote COM+ Access ....................................... 63
Windows Firewall & COM+ Network Access ........................................... 66

3.3.1 Windows 2008 & Later Remote COM+ Access


To manage COM+, IIS and similar components remotely, remote COM+ access must be enabled.
This can be accomplished by adding the server role or by editing the registry. On a Windows
Server Core instance, the registry is the only option.
Enabling access via registry modification works on all Windows operating systems, and it is the
only way to enable access on Windows Server Core, as the Application Server role is not
available there. To make the change via the registry:
1) Run regedit.exe
2) In the registry, locate and then click the following subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3.
3) Locate the key: RemoteAccessEnabled
4) Right-click RemoteAccessEnabled, and then click Modify.
5) In the Edit DWORD Value dialog box, type 1, then click OK.
6) No further action is necessary.
These same steps can also be performed via group policy preferences.
If a GUI is available and it is desired to use the server roles wizard, these steps will help guide the
installation process.

FROM POWERSHELL ON SERVER 2012 R2...


Install-WindowsFeature AS-Ent-Services

FROM GUI ON SERVER 2012 R2...


1) On the server, open Server Manager.
2) On Dashboard, click Add roles and features.
3) On Before You Begin, click Next.
4) On Installation Type, select Role-based or feature-based installation and click Next.
5) On Server Selection, select the target server and click Next.
6) On Server Roles, expand Application Server, select COM+ Network Access and click Next. If
prompted to add features required for Application Server (.Net Environment, Process Model,
etc.), click Add Features, then click Next.
7) On Features, click Next.

8) On Confirmation, click Install.

FROM POWERSHELL ON SERVER 2008 R2...


Import-Module ServerManager

Add-WindowsFeature AS-Ent-Services

FROM GUI ON SERVER 2008 R2...


1) On the server, open Server Manager.
2) Click the Roles node in the left pane, then click Add Roles in the right pane.
3) On Before You Begin, click Next.
4) On Server Roles, select Application Server and click Next. If prompted to Add features required
for Application Server (.Net Environment, Process Model, etc.), click Add Features, then click
Next.
5) On Server Roles, click Next to continue.
6) On Application Server, click Next to continue.


7) On Role Services, select COM+ Network Access, then click Next.


8) On Confirmation, click Install.

3.3.2 Windows Firewall & COM+ Network Access


To enable the Windows firewall to permit remote access to the COM+ system, create the following
rules:

Rule                 Program to Allow                    Local Address  Remote Address  Protocol  Local Port  Remote Port
COM In               %systemroot%\system32\dllhost.exe   Any            Solution IP     Any       Any         Any
COM Port Mapper In   Any                                 Any            Solution IP     TCP       135         Any


For IIS 6 and 7+, the rules are slightly different and the process names have changed since Windows
2003 was released. In addition to allowing the COM Port Mapper (port 135), you will also need to
allow access to the IIS processes.

Rule                 Program to Allow                         Local Address  Remote Address  Protocol  Local Port       Remote Port
IIS 6 In             %windir%\system32\inetsrv\iisrstas.exe   Any            Solution IP     Any       Ephemeral ports  Any
IIS 7+ In            %windir%\system32\inetsrv\inetinfo.exe   Any            Solution IP     Any       Ephemeral ports  Any
COM Port Mapper In   Any                                      Any            Solution IP     TCP       135              Any
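The following is an added example, not code from the Lieberman guide, that applies the registry change from 3.3.1 and creates the inbound rules from the two tables above with PowerShell, with every rule scoped to the solution hosts rather than Any. The address list is an assumption; replace it with the addresses of your management console(s) and zone processors. The NetSecurity cmdlets require Windows Server 2012 or later.

```powershell
# Added example, not part of the Lieberman guide: enable remote COM+ access (3.3.1) and
# create the inbound firewall rules from the tables in 3.3.2, scoped to the solution hosts.
$SolutionHosts = @('10.0.0.10', '10.0.0.11')   # assumed console / zone processor addresses

function Enable-RemoteComPlusAccess {
    # HKLM\SOFTWARE\Microsoft\COM3\RemoteAccessEnabled = 1 (DWORD); also works on Server Core.
    Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\COM3' -Name 'RemoteAccessEnabled' -Value 1 -Type DWord
}

function Test-RemoteComPlusAccess {
    $v = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\COM3' -Name 'RemoteAccessEnabled' -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.RemoteAccessEnabled -eq 1)
}

function New-SolutionInboundRule {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string[]]$RemoteAddress,
        [string]$Program   = 'Any',
        [string]$Protocol  = 'Any',
        [string]$LocalPort = 'Any'
    )
    # Idempotent: skip if a rule with this display name already exists.
    if (Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue) { return }
    $rule = @{
        DisplayName   = $Name
        Direction     = 'Inbound'
        Action        = 'Allow'
        RemoteAddress = $RemoteAddress    # the "Solution IP" column: never leave this as Any
        Protocol      = $Protocol
        LocalPort     = $LocalPort
    }
    if ($Program -ne 'Any') { $rule.Program = $Program }
    New-NetFirewallRule @rule | Out-Null
}

function Get-SolutionInboundRuleSummary {
    # Lists each rule with its remote-address scope so an unscoped rule stands out in review.
    Get-NetFirewallRule -DisplayName 'COM In', 'COM Port Mapper In', 'IIS 7+ In' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $addr = $_ | Get-NetFirewallAddressFilter
            $port = $_ | Get-NetFirewallPortFilter
            [pscustomobject]@{
                Rule          = $_.DisplayName
                Enabled       = $_.Enabled
                RemoteAddress = ($addr.RemoteAddress -join ',')
                Protocol      = $port.Protocol
                LocalPort     = ($port.LocalPort -join ',')
            }
        }
}

Enable-RemoteComPlusAccess
# "COM In": dllhost.exe hosts the COM+ applications; the program rule limits it to the solution hosts.
New-SolutionInboundRule -Name 'COM In' -RemoteAddress $SolutionHosts -Program '%SystemRoot%\system32\dllhost.exe'
# "COM Port Mapper In": TCP 135, where the RPC endpoint mapper hands out the ephemeral port.
New-SolutionInboundRule -Name 'COM Port Mapper In' -RemoteAddress $SolutionHosts -Protocol 'TCP' -LocalPort '135'
# "IIS 7+ In": inetinfo.exe listens on ephemeral ports, so a program rule with LocalPort Any covers them
# without opening the whole ephemeral range to other processes.
New-SolutionInboundRule -Name 'IIS 7+ In' -RemoteAddress $SolutionHosts -Program '%SystemRoot%\system32\inetsrv\inetinfo.exe'

Test-RemoteComPlusAccess
Get-SolutionInboundRuleSummary | Format-Table -AutoSize
```

Program-based rules are used for the "Ephemeral ports" rows because the ephemeral range varies by Windows version and can be changed by administrators, as the section above notes; tying the allowance to the process instead of a port range keeps the rule correct when the range changes.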

3.4 INSTALLING DATABASE PROVIDERS (CONNECTORS)


For each supported database target, a specific OLEDB provider needs to be installed. These
providers, with the exception of the DB2 provider, are supplied by the database vendor, for
example, Oracle for Oracle, Sybase for Sybase ASE, and MySQL for MySQL. For Microsoft SQL Server,
Microsoft provides the required connectors with the operating system, though some specific
configurations require the SQL Native Client, which must be downloaded separately.
After installing the proper 32-bit OLEDB provider, it is available to Lieberman RED Identity Manager
and is visible in the Add Target dialog when you add a new database target.
Version 4.83.6 of Lieberman RED Identity Manager added support for the Microsoft SQL Server
Native Client for Microsoft SQL Server only. We recommend using the latest SQL Server Native
Client provider available. Version 10 of the SQL Server Native Client can exhibit undesirable
behavior, and we recommend using the SQL Server 2012 (or later) Native Client (v11) instead.
The following sections provide guidelines for installing the required providers. Links are provided,
but note that these links can become obsolete at any time. Some vendors may require a login, a
licensing agreement, and other prerequisites. Lieberman Software is not responsible for third-party
installations. All licensing and use restrictions surrounding these providers are the responsibility of
the end-user.
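The following is an added example, not code from the Lieberman guide, for checking what the sections below leave you with: it lists the OLE DB providers that a 32-bit process on the host can see (the set a 32-bit product's Add Target dialog can use) and opens a test connection from the 32-bit PowerShell host so the 32-bit provider, not the 64-bit one, is exercised. The connection string at the end is a constructed sample; the server and database names in it are assumptions.

```powershell
# Added example, not part of the Lieberman guide: enumerate the 32-bit OLE DB providers on
# this host and test a connection through one of them from a 32-bit process.
# OLE DB providers register a CLSID that carries an "OLE DB Provider" subkey; on 64-bit
# Windows the 32-bit registrations live under WOW6432Node.
function Get-OleDbProvider {
    param([switch]$ThirtyTwoBit)
    $root = if ($ThirtyTwoBit -and [Environment]::Is64BitOperatingSystem) {
        'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID'
    } else {
        'HKLM:\SOFTWARE\Classes\CLSID'
    }
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        $providerKey = Join-Path $_.PSPath 'OLE DB Provider'
        if (Test-Path -LiteralPath $providerKey) {
            $progIdKey = Join-Path $_.PSPath 'ProgID'
            [pscustomobject]@{
                ProgId      = (Get-ItemProperty -LiteralPath $progIdKey -ErrorAction SilentlyContinue).'(default)'
                Description = (Get-ItemProperty -LiteralPath $providerKey).'(default)'
                Clsid       = $_.PSChildName
                Bitness     = if ($ThirtyTwoBit) { '32-bit' } else { '64-bit' }
            }
        }
    }
}

function Test-OleDbConnection32 {
    # Opens and closes the connection inside the 32-bit PowerShell host (SysWOW64) so the
    # 32-bit provider is the one exercised. The connection string is handed over through an
    # environment variable rather than the command line, and integrated security is used in
    # the sample so no password is involved.
    param([Parameter(Mandatory)][string]$ConnectionString)
    $ps32 = Join-Path $env:windir 'SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
    if (-not (Test-Path $ps32)) { $ps32 = 'powershell.exe' }   # host is already 32-bit Windows
    $script = @'
try {
    $c = New-Object System.Data.OleDb.OleDbConnection $env:OLEDB_TEST_CS
    $c.Open(); $c.Close()
    "OK ($([IntPtr]::Size * 8)-bit process)"
} catch { "FAILED: $($_.Exception.Message)" }
'@
    $encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($script))
    $env:OLEDB_TEST_CS = $ConnectionString
    try   { & $ps32 -NoProfile -NonInteractive -EncodedCommand $encoded }
    finally { Remove-Item Env:\OLEDB_TEST_CS -ErrorAction SilentlyContinue }
}

# Which 32-bit providers can the product see? (e.g. SQLOLEDB, SQLNCLI11, OraOLEDB.Oracle)
Get-OleDbProvider -ThirtyTwoBit | Sort-Object ProgId | Format-Table ProgId, Description -AutoSize

# Constructed sample connection string; sqlhost.example.com is an assumed server name.
Test-OleDbConnection32 -ConnectionString 'Provider=SQLOLEDB;Data Source=sqlhost.example.com;Initial Catalog=master;Integrated Security=SSPI'
```

Running the same check on every secondary management console and zone processor is a quick way to confirm the "repeat the installation on all hosts" steps in the sections below were actually completed, since a provider present only on the primary console will still be missing from the list on the other hosts.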

3.4.1 Installing the Microsoft SQL Server Provider


Microsoft provides the required SQL Server OLEDB provider with the operating system, so there is
nothing to install or configure if you opt to use the OLEDB provider.
The built-in SQL Server OLEDB provider can be used to connect to almost all database
configurations, though there may be limitations as noted below.

SQL Server via OLEDB (Built-in, default)


Single server.
Clustered Servers.
Mirrored databases (SQL 2008 - 2012) - OK, but must incur manual fail-over for solution
components via DNS/HOST file, management console or Registry.
AlwaysOn (SQL 2012 and later) - OK, but must incur manual fail-over for solution components
via DNS/HOST file, management console or Registry.
All options OK for SSL and TLS 1.0.
Cannot be used for Azure SQL.

SQL Native Client via OLEDB (download required)


Single server.
Clustered Servers.
Mirrored databases (SQL 2008 - 2012) - OK, but must incur manual fail-over for solution
components via DNS/HOST file, management console or Registry.
AlwaysOn (SQL 2012 and later) - OK, but must incur manual fail-over for solution components
via DNS/HOST file, management console or Registry.
All options OK for SSL and TLS 1.0.
Cannot be used for Azure SQL.

SQL Native Client via ODBC (download required)


Single server.
Clustered Servers.
Mirrored databases (SQL 2008 - 2012) - OK, for manual or automatic fail-over.
AlwaysOn (SQL 2012 and later) - OK, for manual or automatic fail-over.
All options OK for SSL and TLS 1.0.
Required for TLS 1.2 support.
Must be used for Azure SQL.
It is recommended to use the latest SQL Server Native Client provider available. The SQL Server
2012 Native Client (version 11; all SQL from 2012 through 2016 point to this location) can be
downloaded from here: http://www.microsoft.com/en-us/download/details.aspx?id=29065.
Download the x64 installer; it also installs the 32-bit provider.
Repeat any installation of the SQL Native Client on all web application hosts, web service hosts,
secondary management consoles and zone processors.

3.4.2 Installing the Oracle Provider


Managing and discovering Oracle database instances requires the Oracle database provider. It can
be downloaded from the Oracle downloads website (registration required for download):
http://www.oracle.com/technology/software/products/database/index.html


Lieberman RED Identity Manager only works with the 32-bit provider for Oracle, regardless of the
host operating system or target database. Be sure to use only the 32-bit Oracle provider. This is not
to be confused with the Oracle back-end database, which can be a 32 or 64-bit database. Lieberman
RED Identity Manager can discover and manage accounts in an Oracle database. Supported Oracle
database versions start at version 9i and later presuming the 11g provider is installed. Actual
support is limited by the provider you install. See Oracle support documentation for more
information. Supported providers include:

11g OLEDB - 11g r2 is recommended. Download and install Oracle InstantClient.
12c OLEDB - download and install Oracle ODAC.
This section details the Oracle 11g R2 installation.
1) Launch the installer, select Custom, and click Next to continue.

2) Select any appropriate languages and click Next.



3) Choose the installation directories and click Next.



4) The only required item is Oracle Provider for OLE DB. Select Oracle Provider for OLE DB and
click Next.

5) On the summary page, click Finish to begin the installation.



6) The installation will proceed to copy new files.



7) When the installation is complete, click Close.



8) When the Oracle provider is installed, it will be listed as an available "Database Provider" when
adding an Oracle database to the Account Store View.

9) Repeat any installation of the Oracle OLEDB provider on any secondary management consoles
and zone processors that will be managing (discovery, password change, etc.) an Oracle
database instance.

3.4.3 Installing the Sybase ASE Provider


Managing and discovering Sybase database instances requires the Sybase database provider. It is
not available for general download. You will be required to use your existing Sybase source files to
perform the provider installation.

1) Launch the installer and click Next to continue.



2) Choose the installation directory for the Sybase files and click Next to continue.

3) If the directory does not exist, a prompt requesting to create the directory will appear.

4) Only the OLEDB providers are required. Choose the Custom option and click Next.

5) De-select all options except for:
ASE Data Providers > ASE ODBC Driver
ASE Data Providers > ASE OLE DB Driver


6) Click Next to continue.



7) Choose the Sybase license use as is appropriate to your company. Click Next to continue.

8) Select the licensing region and agree to the license agreement to continue installing the
software. Click Next to continue.

9) On the summary screen, click Next to continue.



10) Files will be copied to the host system.



11) When the installation is finished, click Next to continue the wizard.

12) When the installation wizard is finished, click Finish to close the wizard.

13) When the Sybase provider is installed, it will be listed as an available "Database Provider" when
adding a Sybase database to the Account Store View.

14) Repeat any installation of the Sybase OLEDB provider on any secondary management consoles
and zone processors that will be managing (discovery, password change, etc.) a Sybase database
instance.

3.4.4 Installing the MySQL & MariaDB Provider


Managing and discovering MySQL or MariaDB database instances requires the MySQL database
provider. It can be downloaded from the MySQL downloads website (registration required for
download):
http://www.mysql.com/downloads/connector/odbc/
Download the provider appropriate to your version of Windows, such as the "Windows (x86, 32-bit),
MSI Installer". At this time, the product is still a 32-bit product, so 32-bit OLEDB/ODBC drivers
are required.


1) Launch the installer and click Next to continue.



2) Select the Complete setup type and click Next to continue.



3) On the installation summary page, click Install to continue.



4) The installation will proceed to copy new files.



5) When the installation is complete, click Finish.



6) When the MySQL provider is installed, it will be listed as an available "Database Provider" when
adding a MySQL database to the Account Store View.

7) Repeat any installation of the MySQL provider on any secondary management consoles and
zone processors that will be managing (discovery, password change, etc.) a MySQL or MariaDB
database instance.

3.4.5 Installing the IBM DB2 Provider


IBM DB2 does not use an internal/explicit account store as SQL Server, Sybase, MySQL, Oracle,
and other database systems do. Rather, DB2 databases leverage the local account store of the host
system. This means that in order to change the password of an account associated with DB2, you
must determine whether DB2 is hosted on a Windows, Linux, or UNIX platform and choose that
platform as the target platform when managing DB2 accounts.
Additional OLEDB drivers are not required to manage passwords within DB2.
Accounts associated with DB2 can be enumerated from the Account Store View. Determining (for
display purposes only) the accounts associated with DB2 requires the DB2 OLEDB driver to be
installed on the host system. This is not a required step to change passwords.
ERPM support for DB2 is limited to using the Microsoft provider for DB2 available from the
Microsoft SQL 2005 or SQL 2008 feature packs. Search http://microsoft.com/downloads for
DB2 OLEDB or, as of this writing, download the file directly from here:
http://download.microsoft.com/download/0/E/6/0E67502A-22B4-4C47-92D3-0D223F117190/DB2OLEDB.exe
The installation routine has two prerequisites:
1) You have a version of Enterprise or Developer edition of Microsoft SQL 2005 or 2008, or some
component thereof which also implies that the version is licensed for use by your corporation.
2) The installer checks for the existence of certain registry keys and/or files to validate the
installation before the provider will install.
The presumption is that installing SQL server components to make use of the Microsoft supplied
DB2 provider is not permissible. The following steps document a registry manipulation which will
lead the installer to believe the requisites it looks for during installation are present.

Caution! Use of the registry editor can lead to system instability or loss of functionality.
Perform these steps at your own risk.

1) Open the registry editor on the ERPM host system.
2) Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\90\Tools\Setup
3) Add a new string value called: Version
4) Modify the new "Version" value and make its data: 10.0.1600
5) Add a new string value called: EditionType
6) Modify the new "EditionType" value and make its data: Enterprise Edition
7) Add a new string value called: Edition
8) Modify the new "Edition" value and make its data: Enterprise Edition
Once the registry is configured, the installation of the Microsoft Provider for DB2 can proceed.


1) Launch the installer and click Microsoft OLE DB Provider for DB2.

2) Enter the user name and organization name and click Next to continue.

3) Choose to accept the licensing agreement if the requirements of licensing agreement are met
and click Next to continue.

4) Click Next past the installation location page.



5) Click the Install button to begin the installation.



6) The installation routine will run.



7) Click Finish when prompted.



8) When the DB2 provider is installed, it will be listed as an available "Database Provider" when
adding a DB2 database to the Account Store View.

9) Repeat any installation of the DB2 OLEDB provider on any secondary management consoles and
zone processors that will be managing (discovery, etc.) a DB2 database instance.

3.4.6 Installing the PostgreSQL Provider


Download the PostgreSQL provider from here: http://www.postgresql.org/ftp/odbc/versions/msi/.
Get the latest 32-bit version (64-bit versions include x64 in their name).
Lieberman RED Identity Manager has been tested with the 9.x PostgreSQL database providers.


1) Run the installer and read and accept the licensing agreement, then click Install.

2) Click Close when the setup has completed successfully.



3) When the PostgreSQL provider is installed, it will be listed as an available "Database Provider"
when adding a PostgreSQL database to the Account Store View.

4) Repeat any installation of the PostgreSQL provider on any secondary management consoles and
zone processors that will be managing (discovery, password change, etc.) a PostgreSQL database
instance.

3.4.7 Installing the Teradata Provider


This section describes how to install the 32-bit Teradata base components, and the Teradata 32-bit
OLEDB provider for Windows, both of which are required. ERPM requires a 32-bit Teradata
connector/provider to manage a Teradata database. ERPM has been tested with the 15.n Teradata
database providers.

To Download the 32-bit Teradata Drivers


Download the Teradata Tools and Utilities for Windows (approx 500MB) here:
https://downloads.teradata.com/download/tools/teradata-tools-and-utilities-windows-installation-package

Download the Teradata OLEDB Provider (approx 17MB) here:
https://downloads.teradata.com/download/connectivity/ole-db-provider

To Install Teradata Tools and Utilities for Windows


1) Launch the installer and click Next.

2) Click Next on the welcome page



3) Read and accept the licensing agreement, then click Next.



4) Define the installation location, then click Next.



5) Be sure to select the OLEDB Access Module. Select other modules as required, then click Install.

6) Click Finish.

To Install the OLEDB Provider


1) Launch the installer, select your language (only English was tested), then click OK.

2) Click Next on the welcome page.



3) Read and accept the licensing agreement, then click Next.



4) Confirm the installation location and click Next.



5) Choose the Complete setup option, then click Next.



6) Click Install.

7) When the install is complete, click Finish.



8) The Teradata provider will now be listed as an available database provider when you add a
Teradata database to the Account Store View.

9) Repeat any installation of the Teradata provider on any secondary management consoles and
zone processors that will be managing (discovery, password change, etc.) a Teradata database
instance.

Chapter 4 Installing Lieberman RED Identity Manager
This chapter documents how to install Lieberman RED Identity Manager and perform
post-installation configuration tasks.

Important! See the Installation Roadmap (on page 7) for a complete list of installation
tasks.

This chapter will cover installation of the Lieberman RED Identity Manager components including:
Console
Web Service
Web Site
The general steps for installation order are as follows:
Management Console
1) First launch and mini-setup wizard
2) Web Application
3) Web Service
4) Application Launcher - optional
5) Session Recording - optional
Additional components such as PowerShell cmdlets, zone processors and their components are
covered in the Admin guide.
Application launcher and session recording installation are covered in the Application Launcher and
Session Recording guide.
120 Installing Lieberman RED Identity Manager

IN THIS CHAPTER

Management Console ........................................................... 120
Mini-Setup Wizard................................................................. 126
Registration ........................................................................... 135
Web Application .................................................................... 136
Web Service ........................................................................... 162

4.1 MANAGEMENT CONSOLE


Before installing the management console, ensure your host server meets the prerequisites as
defined in Console Host System Requirements (on page 16).
1) Launch the Lieberman RED Identity Manager installer.
2) On the Welcome screen, click Next.

3) Read the entire license agreement. Once you have read the agreement, if you agree, select I
accept the license agreement, then click Next.

4) Enter your name and organization name, then click Next.

5) Select the features to install:


Lieberman RED Identity Manager is the only required element.

PuTTY Terminal Emulator - installs the open source PuTTY software.

PDF Encoder - recommended - provides Lieberman RED Identity Manager the ability to turn its
compliance reports into PDF documents.

RSA SecureID - install this option if RSA multi-factor authentication will be required to access the
management console, but this machine will NOT host the web application. If this machine will
host the web application, leave this option unselected as the application will be installed
automatically when the web application is installed.

6) Change the installation location if needed. The program will be installed to a sub-folder called
Roulette at the chosen location.
7) Click Next.

8) Choose the identity to run the CLR COM+ application. The default is Network Service. The CLR
COM+ Identity is used to provide network and local system access for the solution to various
cloud services. Individual account stores (Azure, AWS, ESX, etc.) will be configured with specific
connection credentials when they are enrolled.
Options for the identity are:
Interactive User - Use the same logon information as the calling identity. This is an
administrator-level account because the calling identity will either be the admin running the
console, or the ERPM deferred processor service account. This option requires the least
configuration, but provides significantly more privileges than are required.

Network Service - (Recommended) Use the network service account. For this option you do not
have to manage a password or grant additional rights, although in some cloud management
cases, you may need to grant additional permissions on the file system.

Local Service - Use the local service account. For this option you do not have to manage a
password or grant additional rights, although in some cloud management cases, you may need
to grant additional permissions on the file system. The local service account has many more
rights and privileges than the Network Service.
This User - Use the supplied user name and password. This user could be a local account that is
configured to never authenticate to any other machine in the network (unlike Network Service
or Local Service), but it does represent another account to manage a credential for. In some
cloud management cases, you may need to grant additional permission to it on the file system.
This account also needs the Logon as a batch job right granted to it.

9) Click Next.
10) Once the basic configurations are complete, click Next.


11) When the installer is complete, click Finish.

12) Once the program launches for the first time, the Mini-Setup Wizard (on page 126) will begin.

4.2 MINI-SETUP WIZARD


The first time Lieberman RED Identity Manager is launched, a mini-setup wizard will run through a
series of pages that handle the configuration of the various components of the solution. Each page
of the wizard allows configuration of a different component and all of the component setup steps
are optional except program data store configuration. This setup wizard can be run again after
completing it from the Settings > Re-Run Setup Wizard menu item.
1) Database Setup
About this step: The first page is the database setup page. This step is mandatory but can be
changed later from the Data Store Configuration located in the management console at Settings
| Data Store Configuration | Basic Configuration.
a. On Database Setup, click Change Settings to establish a connection to [and possibly create]
the database server and database that Lieberman RED Identity Manager will use for its
primary data store.

2) Configure the database settings...


a. Supply the following information then click OK. If all settings are good and no problems are
encountered, the Database Settings dialog will reappear and state Settings are Valid in the
Are Settings Valid? field.
o Database Name - name of the server to connect to. This could be entered as a simple
name, FQDN, or IP address. If connecting to a named instance of MS SQL Server,
specify the name as ServerName\InstanceName. If connecting to a custom port, specify
the name as ServerName,PORT####.
o Authentication - Connect with Windows NT Integrated Security (A.K.A. Integrated
Windows Authentication) or Use database native authentication mode. Windows NT
Integrated Security will use the currently logged in user's (or service account's) identity
to connect to the data store. Database native authentication will use explicit database
credentials (e.g. SA) to connect to the data store.
o Database Settings - if you have the rights to create a new database, and one has not
already been created on the database server for you, select the option Create a new
database (with default settings). If a database already exists on the database server
that you should use, select the option Use an existing database on the server and
select the appropriate database. In either case, Lieberman RED Identity Manager will
create all required views, stored procedures and tables at this time.
o Create object in a non-default schema - enable this option and specify a specific
schema. We recommend using DBO. If this option is not specified and the connecting
user is not in the sysadmin role, SQL Server will create a schema named after the user
and create all objects in that context. While this will work for a single user (as well as
when using database native authentication), this option does not work well when using
integrated security where the connecting users are not sysadmin level users.
o For more information about the remaining settings, see Data Store Configuration
Options (on page 217). For more information on connecting to mirrored databases or
database availability groups or Microsoft Azure SQL, see Connecting to Microsoft SQL
HA and Cloud Database Configurations (on page 223).
3) Deferred Processor Setup


About this step: The deferred processor is used to perform all scheduled actions in this product.
Refer to Service Account Requirements for more information on this account's requirements. If
an account is not yet available, simply click Next to skip this step.
a. Supply the name in the format of DOMAIN\AccountName and specify the password.
b. Click Install/Start Service. Setup will attempt to grant the specified account the Logon as a
Service right at this time. However, if there are any problems connecting to the database or
granting rights or local administrators group membership is not configured for the account,
the service will fail to start. This can be remedied now or post install. If there are no
problems, the service will be installed and the service status will indicate Service is Running.
c. Click Next.

4) Email Setup
About this step: Email can be sent from this product. If email will not be sent from this product
or email server settings are not yet available, simply click Next to skip this step. Email can be
configured later by opening the management console and going to Settings | Email Settings. For
more information on email server settings, see Email Settings (on page 251).
a. Click Change Settings to setup the email server configuration for this product.
b. Supply the sender and email server settings then click OK. If there are no problems, the
Current Settings Status field will indicate No problems detected with settings.
c. Click Next.

5) Setup Complete
About this step: this page presents options to configure encryption and setup the web
application. Encryption should be configured at this time but can be configured later (or
re-configured) by opening the management console and going to Settings | Encryption Settings.
It is recommended to skip configuration of the web application at this stage if you will be using a
commercial license, as not all website options will be enabled until registration is complete.
Moreover, the web service is a requirement and will not yet have been configured, so the web
application will not function properly until the web service is installed. The web
application can be installed and configured from the management console by clicking the
Manage Web App button on the left action pane. Configuration of the web application is
covered in great detail later in this guide in the section called Web Application (on page 136).
a. Click Edit Encryption Settings.

6) Configure encryption settings...


a. Enable the check box Use Encryption for Password in Database.
b. Select the appropriate option for encryption. If you are unsure of what option to use, select
Use software-based cryptography, set Encryption Type to AES and set Key Length to 256
bit.
c. Click OK.

7) On Setup Complete, click Finish.


Clicking Finish will launch Lieberman RED Identity Manager. On initial launch you will open to the
Account Store View in a management set named Default that will be populated with the Windows
system you just installed the software on.
To continue the basic installation, next install the Web Application (on page 136).
4.3 REGISTRATION
If using the demo license and a commercial key is not yet available, there is no need to register at
this time. The product will be fully functional for 30 days and capable of managing 10 systems.
To input a [new] commercial key after the console is installed and the console has been opened for
the first time and the mini-setup wizard is completed, go to Help | Register.
Paste in your license key. All other fields are optional.
Warning! Only perform this step on the primary licensed console. Do not perform this step on any
secondary/HA consoles, as licensing information will be lost on the primary console and it will be
reverted to demo mode.
After you have input a commercial license key, the solution will thank you for your purchase.
4.4 WEB APPLICATION


The web application is the primary mechanism for users to gain access to the credentials stored in
the solution, whether managed or static, as well as to audit access to those credentials. The web
application also performs other functions, such as a secure file store, privilege escalation, and a
secure personal password store.
This section shows how to install the web application from the management console. Please see
Web Application Host Requirements (on page 20) for more information on the web application host
prerequisites prior to installation.
1) In the management console, click the Manage Web App button from the left action pane.
2) On the Manage Web Application Instances dialog, click Install, located in the lower left corner.

3) On the Install Web Application dialog, select the target installation system. Local system is the
system you are on now. If installing to a remote system, supply the remote system name as a fully
qualified domain name.
4) Click Check System Compatibility. This will perform a check of the target system to validate IIS
is accessible, the file system is accessible, and remote registry and remote COM+ access are
possible. Fix any access errors before continuing. If the check proceeds without incident, the
Web Interface Files section will be filled in automatically.
5) In the Web Interface Files section, supply the following information:


a. Install to target website - any and all root web sites on the target server will be listed here.
Choose the root website to host the web application.
b. Choose Install to root of website or Install to virtual directory:
o Installing to root of website will replace the existing website configuration at the
targeted website. The URL of the web application will simply target the name of the
server. This makes it easier for end users to recall and type. If the web server is a shared
server, you could inadvertently overwrite another web application.
o Installing to a virtual directory is the safest option as you will not overwrite any other
applications if the target is a shared server. The default virtual directory name is
PWCWeb. This name can be changed to any value permitted by IIS. The name supplied
here will be appended to the server name. In the default case the URL will target
https://serverName/pwcweb.
c. Web files destination path - this is where the web application files will be copied on the
target server. The path is resolved from IIS on the target server, which defaults to
%inetpub%\wwwroot. When installing to a virtual directory (default), the path is appended
with the name of the virtual directory.
d. Copy alternate web application files to target - not recommended - version 5.5.2 was the
last version to provide official support for the legacy web application. Although it is still
present in the current installer, it will be removed without notice from future iterations.

6) Web Application COM Components defines information for the COM+ application that will be
responsible for data access from the web application to the solution data store. Supply the
following information:
a. COM+ files destination files path - defaults to C:\Windows\System32 and will install to
\\serverName\admin$\syswow64 (c:\windows\syswow64). It is typically not necessary to
change this setting.
b. COM+ application name - defaults to PWCWebComApp. You may supply any name you
wish. This name is never visible to end users and is purely for identification when using the
Windows Component Services snap-in.
c. Use existing COM+ application/config if possible - if upgrading from an existing installation,
this will attempt to leave the existing COM+ application configuration intact and simply
replace the required COM component files (rouletteweb.dll).
d. COM+ application account - this is the identity that will actually run the COM+ application.
When using Windows Integrated Authentication, this is the account that will be responsible
for data access from the database server on the web application's behalf. Enter the
username as DomainName\UserName. For more information see Service Account
Requirements (on page 24).
e. COM+ application password - this is the password for the COM+ application account.
7) Click Test COM+ Credentials. This will attempt to validate the credentials defined are in fact
valid credentials.

8) In the bottom section of the Install Web Application dialog, identify the use of SSL, any custom
port, or identify an explicit site address. Use an explicit site address when the URL to access the
web application will be different than the serverName (or serverName/virtualDirectoryName).
This would be the case when using a load balancer or if the server name will be aliased in DNS.
The information entered here has no functional effect on the website regarding end users. It
only affects the web application auto-launch capability from the Manage Web Application
Instances dialog in the management console.

9) Click Web App Settings to configure additional web application options. These options affect
security, sessions, and other integrations. For more information see Web Application
Configuration Options (on page 142).
The one option you must specify is the Web Service URI for REST web service endpoint on the
App Options tab. At this point, the web service is not yet installed. However, if the web service
will be installed onto the same machine using default settings, the URI will be virtually the same
as the URL mentioned above. For example, if the server is defined to use SSL in the previous
step on the default port (443) and your SSL cert uses the FQDN of the server (e.g. yourco.int),
then the URI to enter will be
https://servername.yourco.int/erpmwebservice/authservice.svc/REST. Everything after your
server name is standard: /erpmwebservice/authservice.svc/REST. If you were behind a load
balancer and the name of the load balanced cluster was "secureidmstore.yourco.com", the URI
to enter would be: https://secureidmstore.yourco.com/erpmwebservice/authservice.svc/REST.
Don't worry, if any information changes, the information can be updated at any time.
10) Then click Install.

11) You may receive a COM+ Account Confirmation warning after clicking Install. This dialog will appear if
the COM+ account specified on the installation dialog is different than the currently logged in
user. The warning is asking you to be sure that the account specified has datastore access or the
web application will fail to function until the access issue is resolved.
12) If you are sure about the account information, click Yes to continue or No to change to a
different account.

13) When the web application installation is complete, a dialog indicating a successful install will
appear. Click OK.

14) You will next be prompted to launch the web application. Clicking Yes will open your default
browser to the URL specified in step 8 above, which identified whether SSL is used, any
custom port, or an explicit site address.
15) Click Yes to launch the web application. You will be logged into the web application as
[WebApplicationManager]. This is a built-in account. Its password is randomly generated with
each installation of this product.

16) Once the installation of the web application(s) is complete, the Manage Web Application
Instances dialog will be populated with a list of all known web applications.

See Post Installation or Upgrade Steps (on page 207) for additional steps and verifications.
To continue the basic installation, next install the Web Service (on page 162).
4.4.1 Web Application Configuration Options


This section outlines the configuration options for the web application. Settings include:

App Options (on page 142) - basic global web application configuration options.
Password Access (on page 147) - timing and alerting settings for accessing stored passwords.
Direct Links (on page 150) - settings for allowing access and password requests via email link.
File Store Settings (on page 150) - settings surrounding file store permissions and access.
Account Elevation (on page 152) - timing and settings for account elevation operations and
alerting.
Security (on page 153) - security settings for the web application.
Multi-Factor Authentication (on page 156) - settings to enable the use of MFA.
User/Session Management (on page 157) - settings for external PUM integration as well as
recorded session playback.
Remote Sessions (on page 158) - settings for remote RDP, SSH, and Telnet based access.
Console Display (on page 160) - settings for SSH and Telnet terminals.
User Dashboards - Legacy Website (on page 161) - enable/disable dashboards and chart
controls.

4.4.1.1 APP OPTIONS


The App Options tab provides for configuration of web application generic settings.

Auto-spin recovered passwords - The web application can (and by default does) create a password change
job for each password recovered using the web application. The password change job
automatically uses the same settings as the previous password change job executed for that
account. For example:
If a random password for that account was set previously, the account will get a new random
password with the same settings.

If the password was set statically, then no automatic re-randomization job will be created and
the account will retain its current password.

If the password is a random password but the option to Use the same random password for all
selected accounts is selected when configuring a password change job (on the password settings
tab of the job creation dialog), then no automatic re-randomization job will be created and the
account will only change its password on the standard schedule defined by the job.
Password change jobs are executed by the deferred processing service (including zone
processors) and are scheduled based on the settings defined on the Password Access (on page
147) tab. Enabled is the recommended setting for most customers for most situations.
When passwords are recovered send emails to the following email address - The web
application will send an alert email when a user recovers a password through the web
application. The alert email will be sent to the address specified and will include the account
name of the recovered password, who recovered the password, and what time the password
was recovered. In order for this feature to work successfully, the Email Settings (on page 251)
must be properly configured. The email server settings that are configured for the console will
be used by the web application, so the settings must be valid on the web application server for
the email alerting feature to work.
Only show systems/accounts which match the search filter - In a default configuration, the
web application user will be able to see any and all systems/devices/credentials for which they
have access. This has the effect of causing the web application to retrieve that list and all
permissions on page load. This can be slow and can potentially show the user more information
than is intended in certain scenarios. Enabling this will prevent the display of all systems/devices
and force the user to specify a system filter in order to display any system(s) matching that filter
they have access to. This also has the positive side effect of allowing the web page to load more
quickly, as no system/device information will be retrieved on page load. This affects the managed
passwords page.
Only show system/account names (hide system/account info columns) - In a default
configuration, the web application will display any and all information collected on the system
and/or account. Enabling this option will cause the web application to not display system
information like last managed time, IP address, etc. in the accounts or systems view of the
website. This can also be configured on a per-user basis by the user in the user's session
settings in the website.
Enable self recovery rules - Turns on the self-recovery aspect of the delegation system. This
feature allows for the creation of a one to one mapping of user to specific computers and allows
those users to log on and retrieve managed passwords for accounts on those computers only.
This feature overrides any other delegations at any other level (except for All Access) that would
otherwise limit their access to the target system. Self recovery rules use the self recovery
permissions which can be defined in the management console at Delegation | Web Application
Self Recovery Permissions. See the admin guide for more information.
Enable personal repository - Allows any user who can log into the web application to enter
individual passwords into the secure password store through the web application. The
passwords entered this way are only recoverable by logging into the web application by the
user who input the credentials. The passwords are not available to any other user through any
other means and cannot currently be shared. Personal passwords are encrypted with the same
encryption mechanism as other stored passwords in the password store. Any sort of password
or other information can be stored in the personal vault from web page login information to
reminders or common passwords.
Allow website links to be stored with personal passwords - For personal password storage,
displays an extra field where a user can input a URL.

Enable description fields for personal passwords - Allows the user to input a comment for their
personal passwords.

Personal password store disclaimer text - A text message that will be displayed to users when
working in the personal password repository.

Enable phonetic information for passwords - Turns on a feature that helps the user pronounce
the password character by character. For example, the password EAYd|0lc would be written
out as ECHO ALPHA YANKEE delta Pipe Zero lima charlie. When enabled, the Show Phonetics
button becomes visible during a password recovery. Clicking the button displays phonetics for
the displayed password. Phonetics are currently available using international standards in
English.
Enable recursive group membership lookup - Default is disabled. Enabling this feature causes
the solution to perform a recursive lookup for all Windows global group memberships to
determine if a user should be allowed access. With the option disabled (default), a user must be
a direct member of a delegated group in order to gain the rights associated with that entity.
With the option enabled, a user can belong to a group which is a member of the group which
has the delegated rights. Enabling recursive lookups will slow down website authentication and
other functions which evaluate permissions.
Number of items returned per page - Limits the number of items displayed on any given page in
the web application. The default value is 30. A smaller number of items will speed the load time
of an individual page but will result in a greater number of pages for the user to search through
if the result is not on the first page. This can be configured in the user's session settings in the
web application. This setting affects the amount of information returned to the web services
API as well.
Number of rows to export on report - Limits the number of rows that will be exported from the
auditing area in the website. Caution! A large number of rows can cause database timeouts and
exhaust memory and COM resources. Individual results will vary. This setting affects the
amount of information returned to the web services API as well.
Custom email message templates folder - This setting affects the legacy web application. For
the legacy web application, an email that relies on a default template, such as during the
password retrieval process, will leverage these templates. These templates permit the
customization of those emails for the legacy web application.
The default web application templates are stored in the program data store and accessible to all
components of the solution (except the legacy web application). These templates may be
modified or new ones added via the management console under Settings | Message Templates.
See the admin guide for more information.

Note: For the legacy web application, if installed on a machine where the management
console is NOT installed, this folder and the corresponding path should be
duplicated on the remote web server. This is not necessary for the
modern/default web application.

Default page on successful login operation - Sets the default page for a user's first time login.
Users may set their own default page in the user's session settings in the web application.
Alternate background colors for items in lists - This setting applies only to the legacy web
application. This setting determines the alternating color for rows on any page that lists data in
rows, such as passwords, systems, auditing, and so on.
Allow IPMI power operation in web interface - When an operating system is managed that also
has a managed IPMI device, this option will permit the IPMI device to have its power controls
exercised via the website, delegations permitting.
Display available operations with password summary page - Starting with version 5.5.2, this
setting applies only to the legacy web application (see the following note). Default is disabled.
This option toggles the passwords display page between showing users all options they
have for a given account (e.g. Recover Password, SSH, RDP, etc.) when the passwords page
loads, or requiring the user to expand the account to be able to see their available options.
Leaving this option enabled tends to be less work for end users; however, turning this option off
can result in a much faster initial page load for the user. The required queries to determine
permissions will be made when the user later attempts to expand the account.

Note: With the default settings of "30" for Number of items returned per page, this can
save up to 300 round trip queries to the database per page load thus improving
the website experience for low powered users.
Use asynchronous calls for page loads - Changes the way data is displayed when loading a given
page. With the settings enabled (default), the page will load data as it becomes available rather
than waiting for all data to be available before loading the page. Disabling this option can
potentially diminish the user experience, especially on a heavily loaded system, especially for
users who do not have All Access granted.
Default website style theme - This setting applies only to the legacy web application. Sets the
default theme and login page for the legacy web application. Once a user is logged in,
they can click the Session Information link and set a custom theme for their user account.
Server certificate file in web application installation path - Used to duplicate functionality
found in client web browsers to make it easier for users who do not trust the server's SSL
certificate to download the certificate and install it themselves. Specifically, if the web
application is deployed using a certificate not trusted by all consumers of the website, the
administrator can place the server's certificate in the website installation path on the web
server. The user may then go to User Settings in their web session and download the certificate
and install the certificate.
Server certificate file for recordings in web application installation path - Used to duplicate
functionality found in client web browsers to make it easier for users who do not trust the
server's SSL certificate to download the certificate and install it themselves. Specifically, if the
ERPM session recording playback website is deployed using a certificate not trusted by all
consumers of the website, the administrator can place the server's certificate in the website
installation path on the web server. The user may then go to User Settings in their web session
and download the certificate and install the certificate.
Web service URI for WSDL web service endpoint - The complete URL to the SOAP-based web
service. The point of this is to display the actual URL to the SOAP-based web service in the
website. Use the TEST Connection button to test connectivity to the web service. This has no
functional value to the system.
Web service URI for REST web service endpoint - The complete URL to the REST-based web
service. Use the TEST Connection button to test connectivity to the web service. This field tells
the web application where to find the REST-based web service. This field is required for SAML,
OAUTH and ADFS authentication. If you enable SAML authentication and do not configure this
endpoint for all instances of the web application, the web application will display the following
message: "SAML authentication servers are enabled, but the web service URI is not configured."
Hide advanced options for launch app - Hides the advanced configurations for applications
launched with the optional Application Launcher.
4.4.1.2 PASSWORD ACCESS


The Password Access tab controls what happens when a password is checked out such as checkout
durations and ticketing system requirements for checkouts.

Enable Password Check-out - Enabled by default, this feature is often used to keep track of
exactly who has access to the administrative passwords at all times. When the password is
recovered, a lock is placed on the account and no other users will be allowed to recover that
same account password until one of the following happens:
The user checks the password back in.

The Check-out time expires.

A web application administrator overrides the Check-out and forces the password to be checked
in.

The group checkout feature is enabled and the original user checks out the password to the
group.

The amount of time a user may have a password checked out can be configured by changing
the Check-out Window and Check-out Duration fields.

Default check-out/extension duration - The default amount of time in minutes a password will
be checked out before the check-out expires, as well as the amount of time granted per
extension request. This means a user will be granted the password initially for this number of
minutes, and each extension the user requests adds the same number of minutes. Extensions are
cumulative: if the default check-out duration is 120 minutes and the user immediately requests
two extensions, they will hold the password for 360 minutes. Extensions can be requested at any
time before the current check-out expires; otherwise the password will need to be checked out
again. Extensions are granted only while the Maximum Check-out Duration would not be
exceeded. This means if the Maximum Check-out Duration is set to 720 minutes (the default), a
user can have the password for no longer than 720 minutes at a time including all check-out
extensions. Each platform can have its own password checkout duration.
Maximum Simultaneous Check-outs - Limits the number of separate passwords any one user
may check-out simultaneously. The default value is 3 passwords.
Block password check-in if password is in use - Enabling this setting will cause the web
application's COM+ application to attempt discovery against a target Windows system to
validate whether the account is currently logged in, according to that target Windows system,
when the user attempts to check the password back in. If the account is deemed still logged in,
the web application will prevent the user from checking in the password until the
account is no longer being used on the computer. This option requires that the account being
used to run the web application's COM+ application on the web server be seen as an
administrative account on the target Windows computer where the accounts are located. If the
web application does not have the appropriate rights to determine if the account is active, the
check-in is allowed and no event will be put in the target computer's application log. It is
generally not recommended to use this option, as sessions may take minutes to terminate
according to the target Windows host, which can cause users to simply not check in the
password when they are done.
Log {option} to System's event log - Logs the described event to a specified Windows
computer's Application event log when passwords are checked in or out using the web
interface. The web application can log if the account is in use when the password is checked in,
or log all password check-in operations. The event messages have Event ID 17 and Source
'Enterprise Random Password Manager'. In order to display the event message correctly on the
remote computer it is necessary to put the message DLL in the path of that system. The
message DLL ships with the software and is found in the installation directory as LiebMsgs.dll.
The field should contain a specific target computer name. If the field is left blank, the local host
name will be used instead.
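As an added example (not part of the product or of this guide), the following PowerShell pulls those check-in/check-out events from a target computer's Application log using the Source and Event ID documented above, and still shows them when LiebMsgs.dll is missing on that computer, in which case the Message property is empty and only the raw insertion strings are available. The computer name, the lookback window and the caller's remote event-log read rights are assumptions.

```powershell
# Added example, not part of the product. Reads the Event ID 17 records written by
# the web application to a target computer's Application log.
# Assumptions: computer name and lookback window are placeholders; the caller
# has remote event-log read access on the target.
function Get-ErpmCheckoutEvent {
    param(
        [string]$Computer = 'logserver01.yourco.com',   # assumed target name
        [int]$Hours = 24
    )

    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Enterprise Random Password Manager'   # the event Source
        Id           = 17
        StartTime    = (Get-Date).AddHours(-$Hours)
    }

    try {
        $events = Get-WinEvent -ComputerName $Computer -FilterHashtable $filter -ErrorAction Stop
    } catch {
        # Get-WinEvent throws both when nothing matches and when access is denied;
        # only the first case should be reported as "no activity".
        if ($_.Exception.Message -like 'No events were found*') { return }
        throw
    }

    foreach ($e in $events) {
        # Without LiebMsgs.dll on the target, Message is empty and the insertion
        # strings are only available as raw Properties; show those instead.
        $text = if ($e.Message) { $e.Message } else { ($e.Properties | ForEach-Object { $_.Value }) -join ' | ' }

        [pscustomobject]@{
            Time     = $e.TimeCreated
            Computer = $e.MachineName
            Message  = $text
            Resolved = [bool]$e.Message   # $false means the message DLL is not in the target's path
        }
    }
}

# Usage: newest first, so unresolved records (Resolved = False) are easy to spot
Get-ErpmCheckoutEvent -Hours 48 | Sort-Object Time -Descending | Format-Table -AutoSize
```

A Resolved value of False for every record is the symptom of the missing message DLL described above; an access-denied exception means the caller lacks rights on the target, which is a different problem from an empty log.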
Block password Check-out if password spin job creation fails - A failsafe mechanism in the
solution. When a password change job randomizes a password for any account, that job
becomes the "master" job. Subsequent re-randomization jobs (following recovery if auto-spin is
enabled) use this job as the basis for re-randomizing the password. If this "master" job is
deleted, the re-randomization job cannot be properly created and the product is put into a
state where it cannot move forward until that re-randomization job is manually deleted or
edited and a new master job is created, or re-randomization is turned off. When this option is
disabled (the default), recovery of the password is allowed and the product is put into the
degraded state. When the option is enabled, the password cannot be recovered; the product is
still placed into a degraded state because of the improper/inconsistent jobs.
Allow users to check out passwords to any group they are a member of - When enabled,
permits a user who has checked out a password to check out the password to any other group
the user is a member of that is configured as an enrolled identity. Those subsequent
groups must already be able to view and recover/request access to the password.
Require check-in comment when password is checked in will prompt the user for a comment
when checking a password back in. The comment is logged to the database along with the
recovery operation. If this option is enabled, the comment will be optional.
Require recovery comment for password recoveries will prompt the user for a comment when
recovering a password. The comment is logged to the database along with the recovery
operation. If this option is enabled, the comment will be mandatory.
Require ticket number for password recoveries will prompt the user for a ticket number. The
ticket number is logged to the database along with the recovery operation. If this option is
enabled, the ticket number will be optional.
Show ticket number in separate column in audit log - when enabled, will add the ticket number
the user enters into a separate column in the audit logs in addition to the audit message for the
operation.

Require ticket number with {Application} will force the solution to validate the input ticket
number with an existing ticket number in the designated application. The application must be
configured in the Settings | Extension Components section of the management console.

Password request timeout window - dictates how long a password request is valid before it
times out and can no longer be granted. A user can only make one request for a specific
password at a time, and once a request is made that request will remain active until this time
period elapses. If an administrator has not processed the request before the timeout occurs, the
request is moved to the timed out request status and the user can make a new password
request for the specific account.
Request Grant Timeout Window dictates how long after a request has been granted that a user
can recover the password. After the window expires, the grant is no longer valid and the user
will have to make another password request for the account if they wish to recover the
password.

Note: Check-out and check-in operation actions will only apply if the Enable Password
Check-out feature is enabled.

Allow users to request check-outs in the future and Password Request Window for Future
Check-outs (hours) define whether users are allowed to make password requests for future times
rather than only immediately, and how far in the future such a request can be made.
Allow users to edit and delete managed random passwords - With this option enabled,
identities that have been delegated the ability to edit/delete passwords within the website will
see two new links next to the random passwords and statically defined passwords in the
password recovery page of the web application. Editing of random passwords can cause
problems for future randomization job runs, password verification jobs, terminal service
sessions, or simple account utilization, because a change to the password in the website does not
affect the actual password configured on the target system. If this option is not enabled and an
identity has been delegated the ability to edit/delete passwords within the website, the logon
account will see an edit and delete link next to static passwords only. It is recommended to
leave this option disabled.

4.4.1.3 DIRECT LINKS


The Direct Links tab is used to enable and configure the email based approval and denial when
users request access to passwords and to the application launcher.

Note: Emails are neither encrypted nor signed. Anyone who can read the message can follow
an un-authenticated direct link until it times out, so the mail path is part of the approval
trust boundary.

Web application processing to process un-authenticated address to use for direct links -
Supply the full URL to the web application as a user would enter it into their browser (e.g.
https://servername.yourco.com/pwcweb).
Allow web application to process un-authenticated direct links - When enabled, an approver
who clicks the grant or deny link in the notification email does not need to re-authenticate to
the web application to grant or deny the request. If the option is not enabled (default), the
approver first goes through the authentication process at the web application before the
request is granted or denied.
Embed direct approve/deny links in email notifications for password requests - When enabled,
clicking a grant or deny link in the email will grant or deny the request without further
navigation required by the approver.

o Embedded approve/deny link timeout - When links are included in the request emails, the
approver has this amount of time to use the one-time grant/deny link. This timeout is
superseded by the request timeout duration defined on the Password Access (on page 147)
tab.
Embed login URL for site in email notifications for password requests - The URL entered in the
Web application processing page field on this tab will be included in the request email.

4.4.1.4 FILE STORE SETTINGS


The file store is a secured area of the program which permits uploading of documents or other
arbitrary file based data into the program's data store. When enabled, the program can provide an
ACL for each item, version tracking, and auditing of access for the data. The file repository provides
additional security to sensitive data by also providing encryption for the data when stored to the
program's data store.
The file store is an optional component of Lieberman RED Identity Manager and requires an
additional license. If the installed license does not enable the file store, this tab will not be visible
and its abilities will be disabled.

Enable file store - Enabling this option will allow the upload, secure storage, delegated access,
and access auditing of files within the web application.
When files are accessed send emails to the following address - Any time a file is opened or
checked out this email address will receive a notification to that effect.
Enable file check-out - If this option is left disabled, any number of users may open the same
file at the same time. With this option enabled, a file is checked out to a single user at any
moment in time.
Check-out window/extension interval - Time in minutes that a user is guaranteed solitary
access to a given file, blocking any other user from checking the file out and making changes to
it.
Maximum check-out duration - The maximum time in minutes that a user may have any single
file checked out.
Maximum simultaneous check-outs - The maximum number of files a single user may have
checked out to them at any moment in time.
Log all file check-outs / check-ins to system's event log - Define a Windows event log server for
file vaulting operations by providing the NetBIOS name of a target Windows computer. Events
are written to the Application Log and will have a source of 'Enterprise Random Password
Manager'. There are also event sinks for file store operations which provide more functionality
and logging data. See the admin guide for more information.
Enable encryption for files in the store - Turns on encryption for files stored in the file store. By
default this is not enabled due to encryption export restrictions that are specific to each country
as applied to the encryption of data. This product will encrypt files using the same methods
used to encrypt the passwords it is storing. Please review country specific laws on encrypting
data before enabling this feature.

IMPORTANT! When changing system wide encryption keys, it is recommended to first
disable this encryption, then change the encryption key for the system, update
the web application, then re-enable file store encryption.
Default file upload permissions - These values define what permissions are assigned to a file
that is uploaded into the secure file store. If this option is not enabled, when a user who
belongs to multiple identities that are also granted access to the solution uploads a file, full
control permissions will be granted to the user and to all other identities the user belongs to. This
can have the unintended side effect of unnecessarily granting access to secondary identities.
Limit file sizes for uploaded files in the store - This is the maximum allowable size for file
uploads. Be aware that this size may still be limited by IIS settings which by default are more
restrictive. If IIS is set to a lower value, the IIS value will take precedence.
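The following PowerShell, added here and not part of the product, reads the two IIS limits on the web server that cap an upload before the file-store setting above is ever consulted (request filtering maxAllowedContentLength, in bytes, and ASP.NET maxRequestLength, in kilobytes) and reports which of the three values actually bounds an upload. The IIS site name and the product limit value are placeholders; it must run on the web server with the WebAdministration module available.

```powershell
# Added example, not part of the product. Reports the effective upload limit
# for the site hosting the web application.
# Assumptions: site name and the file-store limit are placeholders; run on the
# web server as an administrator with the WebAdministration module.
Import-Module WebAdministration

function Get-EffectiveUploadLimit {
    param(
        [string]$SiteName     = 'Default Web Site',  # assumed IIS site
        [int64] $ProductLimit = 50MB                 # assumed 'Limit file sizes...' value
    )
    $psPath = "IIS:\Sites\$SiteName"

    # Numeric attributes come back wrapped in an object with a .Value member;
    # plain values are returned as-is, so handle both.
    function Read-Attr([string]$Filter, [string]$Name) {
        $v = Get-WebConfigurationProperty -PSPath $psPath -Filter $Filter -Name $Name
        if ($null -ne $v.Value) { [int64]$v.Value } else { [int64]$v }
    }

    # Request filtering limit, bytes (IIS default 30000000)
    $maxContent   = Read-Attr 'system.webServer/security/requestFiltering/requestLimits' 'maxAllowedContentLength'
    # ASP.NET limit, kilobytes (default 4096)
    $maxRequestKb = Read-Attr 'system.web/httpRuntime' 'maxRequestLength'

    $limits = [ordered]@{
        'maxAllowedContentLength (bytes)' = $maxContent
        'maxRequestLength (bytes)'        = $maxRequestKb * 1KB
        'file store setting (bytes)'      = $ProductLimit
    }
    $effective = ($limits.Values | Measure-Object -Minimum).Minimum

    [pscustomobject]@{
        Limits         = $limits
        EffectiveBytes = $effective
        BoundBy        = ($limits.GetEnumerator() | Where-Object { $_.Value -eq $effective } | Select-Object -First 1).Key
    }
}

Get-EffectiveUploadLimit | Format-List
```

If BoundBy names one of the IIS values, raising the file-store limit alone changes nothing; the IIS value has to be raised first, and only as far as the upload size you actually intend to allow.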

4.4.1.5 ACCOUNT ELEVATION


Account Elevation allows the requesting logon account, via the web application or web service, to
have its group membership elevated on the target Windows system to a pre-defined level for a
pre-defined period of time. The goal is to provide a more direct audit trail of user actions without
circumventing any domain level policies. Access to this feature is found in the systems view of the
web application. This feature requires the deferred processor or zone processor to be installed and
running.

Enable self-service account elevation - Enables the account elevation feature. In order to make
use of this feature, an identity must have the View Systems and Elevate Account permissions.
These rights can be defined globally, per system set, or per system, and the feature is accessed
in the Systems area of the website. This option applies to all Windows systems, including domain
controllers.
Elevation local group name - The name of the [domain] local group to elevate an account to. If
the Elevate Account into Global Group on Domain Controllers option is NOT enabled, users will
be elevated to this domain local group in the domain if a domain controller is selected for
account elevation.

Elevation duration - The time in minutes that an account will remain elevated on the target
system.

Elevate account into global group on domain controllers - Overrides the previous account
elevation option when a domain controller is targeted for account elevation and will place the
target user into the defined global group listed in the elevation global group name field.

o Elevation global group name - The name of the global group to elevate an account to
when a domain controller is targeted for account elevation and the Elevate account
into global group on domain controllers option is selected.
o Elevation duration - The time in minutes that an account will remain elevated on the
target system.
Enable arbitrary elevation in the web interface - A delegated user may place an arbitrary user
in an arbitrary target group on an arbitrary system for an arbitrary period of time. Typically, this
is only used by help desk personnel.
Enable email reminder of expiring elevations - For arbitrary elevations, an email reminder will
be sent to the user based on the Hours before expiration to send reminder setting.
Default short term elevation time - The default period of time that the user will be elevated if
short term elevation is selected.
Default long term elevation time - The default period of time that the user will be elevated if
long term elevation is selected.
Maximum elevation time - The maximum amount of time that the user can be elevated.
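As an added example (not product code), the following PowerShell lists the current members of the elevation groups named above on a target system and in the domain, and flags anything that is not on a baseline of permanent members. Since the product is expected to remove the elevated account once the elevation duration has elapsed, a leftover entry is worth investigating. The computer, group and baseline names are placeholders; the local group is read with the ADSI WinNT provider and the domain groups with the RSAT ActiveDirectory module, both of which the caller must be able to read.

```powershell
# Added example, not part of the product. Audits who currently sits in the
# elevation groups so lingering or unexpected elevations can be spotted.
# Assumptions: all names below are placeholders; the caller can read the local
# group on the target and the group membership in the domain.
Import-Module ActiveDirectory

function Get-ElevationGroupAudit {
    param(
        [string]  $Computer     = 'appserver01',                               # assumed target system
        [string]  $LocalGroup   = 'Administrators',                            # assumed 'Elevation local group name'
        [string[]]$DomainGroups = @('ERPM-Elevation-DL', 'ERPM-Elevation-GG'), # assumed domain-local / global groups
        [string[]]$Baseline     = @('YOURCO\Domain Admins')                    # accounts allowed to stay permanently
    )

    $members = @()

    # Local group on the target: the WinNT provider returns AdsPath entries such as
    # WinNT://YOURCO/jdoe, normalised here to YOURCO\jdoe.
    $grp = [ADSI]"WinNT://$Computer/$LocalGroup,group"
    foreach ($m in @($grp.Invoke('Members'))) {
        $path = $m.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $m, $null)
        $members += [pscustomobject]@{
            Scope  = "$Computer\$LocalGroup"
            Member = ($path -replace '^WinNT://', '') -replace '/', '\'
        }
    }

    # Domain groups: expand nested membership so indirect elevations show too
    $netbios = (Get-ADDomain).NetBIOSName
    foreach ($g in $DomainGroups) {
        foreach ($m in (Get-ADGroupMember -Identity $g -Recursive)) {
            $members += [pscustomobject]@{
                Scope  = $g
                Member = "$netbios\$($m.SamAccountName)"
            }
        }
    }

    # Anything outside the baseline is either a live elevation or one that was
    # never cleaned up; the caller decides which by comparing with the audit log.
    foreach ($m in $members) {
        $m | Add-Member -NotePropertyName Unexpected -NotePropertyValue ($Baseline -notcontains $m.Member) -PassThru
    }
}

# Usage: show only what is not on the baseline
Get-ElevationGroupAudit | Where-Object Unexpected | Format-Table -AutoSize
```

Run it outside any expected elevation window (or correlate the output with the product's audit log) so that a legitimate in-progress elevation is not mistaken for a leak.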

4.4.1.6 SECURITY
The Security tab is used to configure the basic web application security options. Some settings have
corresponding settings in IIS as well.

Allow default authenticated user access - Enabling this option provides a means for any user
who can authenticate against a central directory, such as Active Directory, to gain access to the
web console based on the rights delegated to the [DefaultAuthenticatedUserAccount]. This
provides an easy and global way to allow users to gain access to the web application to use
features such as the personal password store.
Hide recovered password after - If this option is not enabled, when a user recovers a password
and that password is displayed, the password remains on the user's display indefinitely
or until the user expressly navigates to a different page or closes the browser. Enabling this
option forces the Web application to redirect to the Main page after a set amount of time,
thus limiting the window for shoulder surfing.
Force inactive web session timeout - Time in minutes after which an idle login session will
expire and require re-authentication. Session state should be disabled in IIS, otherwise the
shorter of the two values will win. Session state within IIS MUST be disabled if the Web
application is configured on a Network Load Balanced web farm.
Require secure cookies - Requires that SSL be enabled for the site. (An SSL certificate is not
provided with the solution.) Enabling this feature will mark the cookies for use with SSL only;
the cookies will not be transmitted if SSL is not used. If this option is enabled and a user
attempts to access a non SSL version of the page, the system will attempt to automatically
redirect to an SSL version of the page by changing the URL to HTTPS.

Note: Use of this feature will also require an SSL certificate be bound to the parent
website in IIS.
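As an added example (not part of the product), the following PowerShell checks from a client machine that the behaviour described above is actually in effect: a plain-HTTP request must be answered with a redirect to an https:// URL, and every cookie issued over HTTPS must carry the Secure flag (HttpOnly is reported as well). The host name and application path are placeholders, and the certificate bound in IIS must be trusted by the machine running the check, otherwise the HTTPS request fails before any cookie is seen.

```powershell
# Added example, not part of the product. External check of the HTTP-to-HTTPS
# redirect and of the Secure/HttpOnly flags on cookies set by the site.
# Assumptions: server name and application path are placeholders; the site's
# certificate is trusted by this machine.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

function Get-RawResponse {
    param([string]$Url)
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.AllowAutoRedirect = $false      # we want to inspect the 3xx itself
    $req.Method  = 'GET'
    $req.Timeout = 10000
    try { return $req.GetResponse() }
    catch [System.Net.WebException] {
        # 3xx/4xx responses surface as exceptions but still carry the response
        if ($_.Exception.Response) { return $_.Exception.Response }
        throw
    }
}

function Test-SecureCookieSetup {
    param([string]$Server = 'servername.yourco.com', [string]$App = 'pwcweb')
    $checks = @()

    # 1. Plain HTTP must not serve the page: expect a redirect to https://
    $http = Get-RawResponse "http://$Server/$App/"
    $code = [int]$http.StatusCode
    $loc  = $http.Headers['Location']
    $checks += [pscustomobject]@{
        Check  = 'HTTP redirected to HTTPS'
        Pass   = ($code -ge 300 -and $code -lt 400 -and "$loc" -like 'https://*')
        Detail = "$code $loc"
    }

    # 2. Cookies issued over HTTPS must be marked Secure (and HttpOnly)
    $https   = Get-RawResponse "https://$Server/$App/"
    $cookies = $https.Headers.GetValues('Set-Cookie')
    if (-not $cookies) {
        $checks += [pscustomobject]@{ Check = 'Set-Cookie present'; Pass = $false; Detail = 'no cookie issued on first request' }
    }
    foreach ($c in $cookies) {
        $name = ($c -split '=', 2)[0]
        foreach ($flag in 'Secure', 'HttpOnly') {
            $checks += [pscustomobject]@{
                Check  = "Cookie '$name' has $flag"
                Pass   = ($c -match ('(?i);\s*' + $flag + '(;|$)'))
                Detail = $c
            }
        }
    }
    $checks
}

Test-SecureCookieSetup | Format-Table -AutoSize
```

A failing redirect check with the option enabled usually means no HTTPS binding exists on the parent site in IIS, which is the requirement the note above describes; a cookie without Secure means the option is not applied to this site at all.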

Enable Windows Integrated Authentication - If enabled, allows users of Internet Explorer
(and other supported browsers) to enter the site using their already logged-in credentials without
having to retype a user name and password. Use of this feature can be problematic if users
share machines. Users will still be prompted with a login page where they can enter a user
name and password or simply log in.
Automatically login users using Windows Integrated Authentication in conjunction with
enabling Windows Integrated Authentication will automatically log in a user to the Web
application without ever prompting for a user name and password.

Note: Use of this feature will also require Windows Integrated Authentication be
enabled and all other forms of authentication be disabled in IIS.

Disable concurrent logins from a single user - Blocks a user from logging in multiple times from
multiple source systems and/or browsers; any single user account is limited to a single session.
Embed unique identifier with each page - Gives each page a GUID that will be regenerated
every few page clicks. This provides a method to partially mitigate replay attacks.
Unique identifier valid for only one page request - Enabling this option will limit the page GUID
to only a single click per page after which the user must re-enter the page to perform a
subsequent action. This provides a method to mitigate replay attacks from the same system but
does mean more navigation as each page must be manually re-loaded after each action is
performed to obtain a new GUID.

Disable explicit web application accounts - Enabling this option stops the solution from
allowing its own explicit application accounts from logging in to the Web application.
Store only the authentication token in the cookie - Enabling this option removes information
from the session cookie regarding user access. This forces the web application to retrieve user
rights for each request and may slow down web site processing if enabled.
Force logout on any page error - Enabling this option will end the user's session if the Web
application encounters a page error. Errors are generated not only by product issues but also
by improper input, such as a tampered program URL, which results in a
permissions check failing.
Prevent the requesting user from granting a password request will stop a user who requests a
password, where they also have the rights to grant password requests for the same password,
from granting their own request.
Disable copy button for displayed passwords - Enabling this option disables the copy button
when a password is viewed in the Web application following a successful recovery.
Allow Client Certificates for User Authentication and Authorization will permit the product to
use certificates to authenticate users. Certificates may be in the form of simple user certificates,
smart cards, CAC/PIV cards, biometrics, etc.
Bypass login challenge for client certificate identities will auto-login an account past the forms
based login page and not require further credentials be supplied.

Frequent request redirection is designed to help prevent denial of service or brute force attacks
directly against the Web application. This setting prevents more than n requests of any type for
a specific session. Additional requests beyond the configured limit are ignored and not
processed, so they are not necessarily treated as errors; the session continues to work as
normal. If the configuration is such that normal operations trigger multiple
operations per second (as is the case with delay load operations or web service operations),
this setting should be disabled or tuned (increased) so that normal operations are not
impacted for your specific workload. If you have many concurrent sessions or other security
settings enabled, you may need to set this value to 200 or higher.
Enable account lockout if an identity attempts to login N number of times in N number of
minutes, they will be locked out for N number of minutes from the product. This applies to any
identity.
Escape all password input fields on submit escapes all input characters to help prevent cross
site scripting or SQL injection attacks.
Hide passwords in recovery page until shown stops the password from being displayed on
screen in the web site during a password recovery, unless the user explicitly clicks the Show
button. The additional functions of copy, show phonics, extend checkout, and check in will still
function normally.
Hide authenticator list (user names must be UPN/FQDN) simplifies the web login process by
removing the Authenticator drop-down list from the Web application login page. However, the
user must supply the user name in a UPN format such as lscadmin@demo.lsc.
Strip links to non-local resources will remove user supplied links to external content.
4.4.1.7 MULTI-FACTOR AUTHENTICATION


The Multi-Factor Authentication page is used to configure the global multi-factor options that the
web application will use. Multi-factor authentication settings must still be configured in the
management console under the Delegation | External 2 Factor Configuration menu.

No MFA is the default option where the web application installation will not use any form of
multi-factor authentication.
Enable internal MFA (OATH/Yubico) - If OATH tokens are configured in management console
and required for user logins and this option is enabled, a user must supply a proper passcode, in
addition to their standard login, in order to gain access to the web application. There are no
further infrastructure requirements for this form of two-factor authentication.
Enable external MFA (RADIUS and native integrations) - Enabling this option enables 2 factor
authentication for the web application but does not mandate it for login. If this check box is not
enabled, then the user will not be prompted to enter their MFA passcode unless their
delegation identity is also set to require two factor authentication. For this option to work the
two factor client must be correctly installed and configured on the web application host and the
two factor server must be accessible from the web application host. See the admin guide for
more information on configuring MFA.
Enable external and internal MFA - Enabling this option enables both the internal OATH and
external forms (RADIUS, RSA, Microsoft, etc.) of MFA. In this configuration, some users can be
configured with OATH while others can be configured with another external MFA. For a user
configured with both options (by configuration or by a combination of multiple identities), the user
will need to use the external MFA.
Use simple username for external MFA login checks - This option becomes available if the two
factor options are set to require or enable. Enabling this option permits the use of simple names
rather than fully decorated user names.

Require MFA for all interactive web application logins - Enabling this option forces the MFA
requirement for all users of the web application; it is no longer an option as it would be if only
Enable external [and internal] MFA was enabled.
Any MFA enabled user/group membership/role membership forces MFA for user - Enabling
this option will use the most restrictive setting for MFA. Without this box selected, if any of the
user's identities do not require MFA the user will not require MFA. With this box selected, if any
of the user's identities require MFA, the user will require MFA.
4.4.1.8 USER/SESSION MANAGEMENT


The User/Session Management tab provides configuration for integrating with a Privileged User
Management (PUM) system, as well as a session recording system.
Privileged User Management products provide access controls to perform actions as an elevated
user account on a target Linux/UNIX system using the PUM system as a command proxy that
additionally will log all actions taken through this process.

Enable Privileged User Management integration support - Enables the integration with a
supported PUM provider.
PUM Gateway Server (optional) - The default name of the target Linux/UNIX server with the
PUM software to be targeted for the run commands.

PUM Gateway User (optional) - The default name of the account to be used.

Response configuration file location for PUM operations (optional) - The path on the web
application server to the PUM response XML file. The file can initially be found on the
application host system in the AnswerFiles sub-folder of the installation directory. If this field
is left blank, the response file is assumed to be in the website COM object installation path that
defaults to %systemroot%\system32 on 32-bit systems, or %systemroot%\SysWoW64 on 64-bit
systems.

Note: A further requirement for the PUM feature is that the
CrossPlatformSupportLibrary, available in the ERPM installation directory, must
be installed onto the web server if the web server is remote.

Session playback URL - The URL that the compiled videos will stream from when the optional
application launching and session recording modules are enabled.
Enable session recording - When enabled and configured, this option allows the web
application to display the session recordings and related metadata information from ObserveIT,
a third-party session recording product. When enabled, a Session Recording link appears in the
web interface under the Auditing menu that allows access to these recordings and
metadata. For ObserveIT, the link would be similar to this:
https://server-name:4883/ObserveIT/Integration/SessionRecordingView/Search.aspx

Additional steps may be required for the session recording service. Please refer to the third-party's
documentation for specifics.
4.4.1.9 REMOTE SESSIONS


The web application can provide a remote session via RDP, SSH, or Telnet that attempts to
auto-login to the target system without ever displaying the password of the managed account. This
is a separate feature from the application launcher and requires no separate licensing. These
are global options; a user can change them for themselves in the session settings within the
web application.
Use of RDP requires Internet Explorer to make the RDP connection as this feature leverages a
Microsoft supplied ActiveX control. SSH and Telnet connections require a browser that supports the
Java Runtime Environment (JRE). As of this writing, the latest versions of Chrome do not support
Java and Mozilla (Firefox) is in the process of phasing out support for Java.

Enable RDP sessions using stored passwords to host system - Enables the automatic RDP
functionality of the web application.
Allow RDP sessions using stored passwords to any system - Permits the managed account to be
used to connect to any system if the target system permits it. This would be used by domain
accounts on domain joined systems.

Allow users to choose RDP gateway for web connections - Provides a list of RDP gateways for
the user to choose from when launching an RDP session. Use the Configure Gateways button to
add/import/edit the RDP gateway list.

Allow multiple RDP windows from a single session - Allows the launching of multiple RDP
sessions from the web application. If this box is disabled, the current auto-RDP session is
disconnected before the new session is established.

Open RDP windows maximized - Opens the RDP window using full screen instead of in a
window. If the host desktop resolution is low, this option should be selected.

Use the application launcher to launch terminal services on the client - Requires the Application
Launcher feature be enabled. This launches the user's local MS RDP flat client rather than the
Microsoft ActiveX control, which provides more options and support for NLA (network level
authentication).

Enable Telnet Console Access - Enable the launching of a Telnet session to the target system. Be
aware that Telnet CANNOT programmatically pass a password to a target system. Thus,
password retrieval is necessary prior to launching the Telnet session.
Allow multiple Telnet windows from a single session - Allows the launching of multiple Telnet
windows from the web application. If this box is disabled, the current Telnet session is
disconnected before the new session is established.
Show message before creating remote sessions - Displays a message in the user's browser
before they connect to the target system. Typical examples of these messages include security
disclaimers or acceptable usage policy notifications.
Enable SSH Console Access - Enable the launching of an SSH session to the target system. This
securely and programmatically passes the target system/account credentials so users do not
need to be aware of the current password.
Allow SSH sessions using stored passwords to any system - Permits the managed account to be
used to connect to any system, if the target system permits it.

Allow multiple SSH windows from a single session - Allows the launching of multiple SSH
windows from the web application. If this box is disabled, the current SSH session is
disconnected before the new session is established.

Proxy Type - Both the SOCKS and HTTP proxy protocols can be used to traverse firewalls. SOCKS
is usually used to create a raw TCP connection, and the HTTP proxy protocol can do the same
with the CONNECT method. If a proxy is required, also supply the Proxy Host, Proxy Port, and
Proxy Timeout.

SSH Protocol - When set to Auto, the control determines what the target supports and uses that.
Force a particular version if desired.

SSH Port - The SSH target port.

Connection Timeout - Initial connection timeout.

Handshake Timeout - Amount of time for the connection handshake to take place.

Key Exchange Timeout - Amount of time for the key exchange to take place.

Public Key Passphrase - Pass phrase for public key key-pair file.

Compression Level - Possible values are 0-9. 0 = no compression, 9 = best compression/slowest.

Key Timing Noise when Sending Passwords - Enable to create a random timing offset for key
transfer (security).

Allow New Server - Enable to permit jumping from server to server from within the SSH session.

Enable X11 Forwarding - If X11 forwarding is enabled on the target host, this enables the feature
to function in the Java-based SSH session.

Allow SSH connections using public/private key pairs - If SSH keys are configured in the
solution, the Java-based SSH sessions may leverage keys to connect to the target systems.

o Key location on client system is the physical path on the client's machine where the
SSH keys are physically stored.
o Allow clients to specify private key paths to identify the public key path on their own
system rather than relying on the globally configured option.

4.4.1.10 CONSOLE DISPLAY


The Console Display tab is used to configure the default session properties for the built-in
MindTerm SSH/Telnet sessions. These settings may also be overridden by a user's specific setting as
defined in their user settings when logged into the web application.

Display ASCII - Use ASCII Line-draw-characters instead of drawing.


Auto Linefeed - Do auto-linefeed.
Auto Wrap - Auto wrapping of line if output reaches edge of window.
<CR><NL> not <CR> for copy/paste - Put <CR><NL> instead of <CR> at end of lines in
copy/paste.
Copy on mouse select - Copy directly on mouse-selection.
Send <CR><LF> not <CR><NUL> - Send carriage returns as Telnet <CR><LF>.
Ignore NULL inputs - Ignore any null bytes in the data-stream.
Insert mode enabled - Toggles insert mode.
Local Echo - Enable local echo.
Local Page keys - Use PgUp, PgDn, Home, End keys for local scroll or escape them.
Map Ctrl+Space to NULL - Typically used for emacs.
Reposition screen to bottom in input - Reposition scroll-area to bottom on keyboard input.
Reposition screen to bottom on output - Reposition scroll-area to bottom on output to screen.
Mouse button to paste - Click the mouse button to paste the copy buffer.
Allow window to resize - Allow the window size to be changed or fixed.
Visible cursor - Toggles if cursor is visible or not.
Visual bell - Toggles if audible or visual bell will be used.
Send on Backspace - Character to send on BACKSPACE: BS (^h, 0x08), DEL (^?, 0x7f), or ERASE
(^E[3~).
Send on Delete - Character to send on DELETE: BS (^h, 0x08), DEL (^?, 0x7f), or ERASE (^E[3~).

Scrollbar Position - Relative scrollbar position (none/left/right).


Terminal Type - Name of terminal to emulate (xterm, linux, scoansi, att6386, sun, aixterm,
vt220, vt100, ansi, vt52, xterm-color, linux-lat, at386, vt320, vt102 and tn6530-8).
Background Color - Color of the background.
Cursor Color - Color of the cursor.
Foreground Color - Color of the foreground window.
Rows - Number of rows to display in the terminal.
Columns - Number of columns to display in the terminal.
Font Name - The font name to use in the terminal.
Font Size - Size of the font displayed in the terminal.
Line space Delta - Number of pixels to modify the line spacing with.
Line Buffer - Number of lines to save in scroll back buffer.

4.4.1.11 USER DASHBOARDS - LEGACY WEBSITE


A number of dashboards and visualizations are available in the legacy website. To enable the
feature, select the check box on the User Dashboards tab.
To be able to view/configure charts, a user must have either of the following Web Application
Global Delegations:

Grant All Access
View Dashboards

4.5 WEB SERVICE


Starting with Lieberman RED Identity Manager version 5.5.2, the web service is a requirement for
the web application to function. In prior versions, the web service was an optional component used
only for PowerShell cmdlets, application launcher, session recording, and API access.

IMPORTANT! If the web service is installed on a machine that is NOT also hosting the
web application, the web service will fail to load unless additional actions are
taken. In this scenario, export the web application settings from the
management console, then import them onto the web service host.
To export the settings, from the management console:

1) Click Manage Web App from the left action pane.
2) Select the desired web application instance from the list.
3) Go to Advanced and select Export web app registry config. This will export a regedit file.
4) You will be prompted to generate the file for 64-bit Windows. Click Yes.
5) Copy the registry export to the target web service host and double click the file to import it.

These steps provide the web service with the necessary information to connect to the
data store, the HSM if configured, and the encryption key, as well as other settings.
Any time these options change, it will be necessary to repeat these steps.

Important! If the web service is hosted on a different machine than the web application
host and the two are accessed through URLs that differ (specifically with
regard to the protocol, server name, or port), your web browser will block
access to the web service and many things will not function correctly. The
basic steps to resolve this are to open the web.config file for the web service
post installation and set "EnableCORS" to "true". Additional configuration may be
required in your specific browser and may not work in all configurations
(non-Microsoft browsers especially). Please refer to your browser's specific
documentation for more information on enabling CORS support.

Web service prerequisites are outlined in Web Service Host Requirements (on page 19) and its
service account requirements are outlined in Service Account Requirements (on page 24).

The web service cannot be pushed to a target system from the management console; it must be
installed locally at this time. If installing the web service on the same machine as the management
console, the installation of the web service package may be initiated from the management console,
by clicking Manage Web App from the left action pane then clicking Install Web Service at the
bottom of the Manage Web Application Instances dialog. For remote systems, copy and use the
manual installer (ERPMWebService.exe) found in the SupplementalInstallers sub-folder in the
installation directory, typically %programfiles(x86)%\Lieberman\Roulette.
1) Launch the web service installer.
2) On the welcome page, click Next.

3) On the COM+ Object Identity page, choose an appropriate identity and click Next. Valid identity
options are:
Network Service - use this option when using database native authentication mode to connect
to the database (e.g. SA).

Interactive User - not recommended - use this option when it is desired for the user calling the
web service to pass their authentication token as the authentication token to the database. This
is valid when using Windows Integrated Authentication but will require considerably more
security configurations in the program data store.

Specific User - recommended, default - use this option when using Windows Integrated
Authentication to the database or when it is desired to minimize any rights granted to the
COM+ application. This is the most compatible option. User names should be supplied in the
format of DomainName\Username.

4) Select the location in the local IIS instance to install the web service to and click Next. Valid
options are:
Virtual Directory - default, recommended - will install the web service to a virtual directory called
ERPMWebService located under the parent website you select. This is the safest option to
choose for both security and configuration reasons.

Site - use this option to install the web service to the root website. If there are multiple root web
sites configured on the host, you will also be presented with a selection of root web sites to
choose from.

5) Select the parent website and click Next.

6) Select the authentication method for connecting to the web service then click Next. Only
methods available to the target parent website will be displayed. Valid methods include:
Anonymous Auth with SSL - use this option when SSL is configured but Windows Integrated
Authentication will not be used.

Anonymous Auth without SSL - not recommended - use this option when neither Windows Integrated
Authentication nor SSL will be used. Application Launcher will not work with this configuration.

Integrated Auth with SSL - use this option when SSL and Windows Integrated Authentication will
be used.

Integrated Auth without SSL - use this option when Windows Integrated Authentication will be
used without SSL. Application Launcher will not work with this configuration.

SSL with User Certificates - use this option when users must supply a user based certificate
(smart card, biometrics, etc.) to authenticate to the website and web service. This will incur
much more overhead in the overall configuration and may cause problems with Application
Launcher.

7) Select the destination folder for the web service to be installed to and click Next. The default
location is %inetpub%\wwwroot\ERPMWebService, which already grants all required
permissions to be properly hosted. Changing the location may require additional configuration
by the web administrator.

8) When ready, click Install.



Important! If you chose to create a virtual directory, this process will create a virtual directory
called ERPMWebService. It inherits the authentication, SSL, and other settings from the
parent web site. This is important because if the parent web site is configured to use
anonymous authentication and the installer was configured to use Windows Integrated
Authentication, the virtual directory will be created with bad settings and it will be necessary to
open IIS and reconfigure the authentication settings post install.

9) Click Finish when the installer is finished.

After clicking Finish, this will launch the web service page and web service tester. Make note of the
URL as it will be required when configuring the web application. At this point, the web service will
be non-functional as it also requires settings from the web application to function. If the website is
installed on the same host as the web service, no further configuration actions will be required for
the web service. If the web service and web application are installed on separate machines, it will
be required to export the web application server configuration and import it to the web service
system.
See Post Installation or Upgrade Steps (on page 207) for additional steps and verifications.

Chapter 5 Upgrading Lieberman RED Identity Manager
This chapter describes how to upgrade Lieberman RED Identity Manager from a previous
installation.
You can directly upgrade from any prior version of Lieberman RED Identity Manager to the current
release. For example, you can upgrade from version 4.83.0 to version 5.5.2.1 without first having to
upgrade to an intermediate version.

Note: Upgrading causes some saved preferences to reset to default values. If you
configured the management console to hide certain account store types, plan on
reapplying those settings following the upgrade.

Prior to upgrading, be sure to backup the program's database. During the upgrade, structures within
the database are updated and may not be compatible with older versions of the product.
If the program database is still running on SQL Server 2005 (or older), the database will need to be
re-hosted to SQL Server 2008 or newer prior to upgrade. For tips on how to move the program
database from one Microsoft SQL server to another, please refer to the following article:
https://liebsoft.zendesk.com/hc/en-us/articles/236069348-How-to-Move-Your-Program-Database-to-a-New-Server

If upgrading from version 4.83.4 or older and you are running the solution on a Windows 2003
Server, it is necessary to migrate the installation to a Windows Server 2008 R2 or later operating
system. Lieberman RED Identity Manager is not supported on any version of Windows Server
prior to Windows Server 2008 R2. Contact a Lieberman Software account representative for
more information.

Versions of the product prior to version 4.83.4 did not use ASP.NET. The ASP.NET IIS role feature
must be installed/enabled prior to upgrading to this version.
Starting with version 5.5.2 of the product, Microsoft .Net Framework version 4.5.2 is a
requirement for all components of the solution.
Starting with version 5.5.2 of the product, the web service is a requirement for the web
application to function. This also adds new requirements to the host servers that did not
previously exist.
Please refer to Understanding Prerequisites (on page 14) for more information prior to upgrading.

IN THIS CHAPTER

Preparing for the Upgrade .................................................................... 172
Upgrading the Management Console ................................................... 178
Upgrading the Web Application ............................................................ 186
Upgrading the Web Service ................................................................... 193
Upgrading Scheduling Services ............................................................. 202
Upgrading PowerShell ........................................................................... 205
Upgrading Application Launcher and Session Recording ...................... 206

5.1 PREPARING FOR THE UPGRADE


As with most any product, it is always prudent to err on the side of caution and be sure to back up
the system prior to performing an upgrade. To fully restore the previous installation, should it
become necessary, you will need to have:

A recent backup of the database prior to the upgrade. This is performed within SQL Server, not
by Lieberman RED Identity Manager.
The encryption key. This can be exported via the management console from Settings | Encryption
Settings, then clicking the Export button and saving the file to a secure location. If using an
HSM, be sure you know the key store and PIN to access your HSM.
The previous installation software.
If the management console is installed on a virtual machine, it may be prudent to simply snapshot
the virtual machine.

Upgrade Outline
1) Stop the deferred processing and zone processor services. This ensures that jobs will not be
processed during the database upgrade and helps prevent any data loss or corruption.
2) Stop the web application and web services. This ensures users will not be able to generate new
database activity (jobs, auditing, etc.) while the upgrade takes place.
3) Upgrade the console.
4) Deploy the upgraded web application and web service.
5) Deploy the upgraded deferred and zone processor services.
6) Deploy ancillary components such as PowerShell, application launcher, etc.

Stop the Existing Deferred Processing Services


1) From the management console, click Jobs from the left action pane.
2) On the Stored Jobs dialog, click Job Queues.
3) On the Job Queues dialog, select all items of type Deferred Processing Service and click Get Job
Queue and Service Status.
4) Immediately expand each Deferred Processing Service and check the status column for
Currently Running. The status should indicate No jobs are currently being run by this
processor.
If the status indicates a job is running, it is best to wait for the job to finish, or you may damage
the job or cause other problems in your network due to a partially complete job. Further, if a job
is running, also check the Queued Jobs column for the deferred processor and note how many
jobs are in the queue to process. It will be best to wait for the jobs to finish, or take note of their
Job IDs and disable them before they get run so you may perform the upgrade. Don't worry:
when you start the processors post-upgrade, all past due jobs will be run as soon as possible.
5) If the jobs list is empty, go to the Services snap-in within Windows, locate "RED Identity
Management Deferred Processing Service" (this service was called "Enterprise Random
Password Manager Deferred Processing Service" in version 5.5.2 of the software) and stop the
service.
6) Repeat step 5 for each management console installed.

Stop any Existing Zone Processors


1) From the management console, click Jobs from the left action pane.
2) On the Stored Jobs dialog, click Job Queues.

3) On the Job Queues dialog, select all items where the zone processor column is NOT listed as
Deferred Processing Service and click Get Job Queue and Service Status.
4) Immediately expand each zone processor service and check the status column for Currently
Running. The status should indicate No jobs are currently being run by this processor.
If the status indicates a job is running, it is best to wait for the job to finish, or you may damage
the job or cause other problems in your network due to a partially complete job. Further, if a job
is running, also check the Queued Jobs column for the zone processor and note how many
jobs are in the queue to process. It will be best to wait for the jobs to finish, or take note of their
Job IDs and disable them before they get run so you may perform the upgrade. Don't worry:
when you start the processors post-upgrade, all past due jobs will be run as soon as possible.
5) If the jobs list is empty, cancel the Job Queues dialog and click on Zone Processors from the
Stored Jobs dialog.
6) Right click on each zone processor and select Stop Service. If there are any problems
communicating with the services control manager on the remote systems, you will need to go to
each system, open the Services snap-in within Windows, locate "RouletteSked${ZONE-NAME}"
and stop the service.

7) Repeat step 6 for each zone processor.

Remove any Existing Deferred Processing Services - Maybe


Shortcut! If you are upgrading from version 5.5.0 or later of the solution, you may simply replace
key files on the zone processor host or you may follow the removal/re-deploy steps that follow. If
simply replacing the files, the file list is provided later in this process.
If upgrading from version 5.4.0 or earlier, all previous zone processor installations should be
removed. The required files and registry configurations have changed.

IF THE REMOTE ZONE PROCESSOR HOST CAN BE MANAGED REMOTELY FROM THE MANAGEMENT
CONSOLE AND WAS DEPLOYED BY THE MANAGEMENT CONSOLE...

Note: There is no way to tell in the console how a zone processor was deployed. If you
are unsure, start by trying to remove the zone processor from the console. If there
are any failures to communicate or perform the first action (file removal), stop
and follow the steps in the next subsection.

1) From the management console, click Jobs from the left action pane.
2) From the Stored Jobs dialog, click Zone Processors.
3) From the Zone Processors dialog, right-click the zone processor(s) in question and select
Remove. You will be prompted to remove the service files, service registry settings, and finally
the service registration. Select Yes for each prompt.

IF THE REMOTE ZONE PROCESSOR HOST WAS NOT DEPLOYED BY THE MANAGEMENT CONSOLE...

Note: There is no way to tell in the console how a zone processor was deployed. If you
are unsure, start by trying to remove the zone processor from the console. If there
are any failures to communicate or perform the first action (file removal), stop
and follow the steps below.

1) Login to the zone processor host.


2) Open Programs and Features.
3) Find the Zone Processor installer. It will have a name similar to "Lieberman Zone Processor" and
remove it.
4) From the management console, click Jobs from the left action pane.
5) From the Stored Jobs dialog, click Zone Processors.
6) From the Zone Processors dialog, right-click the zone processor(s) in question and select Delete
Registration.

Stop the Web Application and Web Service in IIS


1) Open IIS on the web application and web service host(s).
2) Expand the host server.
3) Expand sites.
4) Right-click on the parent root web site and click Manage Website | Stop.

5) Repeat this step for each web application and web service host.

Stop the Web Application and Web Service COM+ Applications


1) Open Component Services (dcomcnfg.exe) on the web application and web service host(s).
2) Expand Component Services.
3) Expand Computers.
4) Expand My Computer.
5) Select the COM+ Applications folder.
6) Shut down the COM+ application:
For the web application, right click on PWCWebComApp and select shutdown.

For the web service application, right click on Lieberman ERPM WebService and select
shutdown.
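As an added example (not part of this guide or the product), the pre-upgrade stop steps above as a Windows PowerShell 5.1 script run from an administrator workstation: the host names and the root web site name are assumptions, while the deferred processing service display name, the RouletteSked service-name prefix and the two COM+ application names are those given in the guide. It does not replace the Job Queues check in the console, which must be done first.

```powershell
# Added example, not from the Lieberman guide. Stops the deferred processing services, the
# zone processors, the IIS root site and the two COM+ applications before an upgrade.
# Run only after the Job Queues dialog shows no running jobs on every processor.
$ConsoleHosts = @('console01.yourco.int')      # management console hosts (constructed names)
$ZoneHosts    = @('zp01.yourco.int')           # zone processor hosts (constructed names)
$WebHosts     = @('web01.yourco.int')          # web application / web service hosts (constructed)
$RootSite     = 'Default Web Site'             # parent root web site in IIS (assumption)

# Names from the guide: the console's deferred processing service, the RouletteSked<ZONE-NAME>
# pattern for zone processors, and the COM+ applications of the web application and web service.
$DeferredDisplayName = 'RED Identity Management Deferred Processing Service'
$ZoneServicePrefix   = 'RouletteSked'
$ComPlusApps         = @('PWCWebComApp', 'Lieberman ERPM WebService')

function Stop-RedimService {
    param([string]$ComputerName, [System.ServiceProcess.ServiceController]$Service)
    if ($Service.Status -eq 'Stopped') {
        Write-Host "$ComputerName : $($Service.DisplayName) already stopped"
        return
    }
    Write-Host "$ComputerName : stopping $($Service.DisplayName)"
    $Service | Stop-Service -ErrorAction Stop
    # Block until the SCM reports the service stopped, so later steps never overlap a running job
    $Service.WaitForStatus('Stopped', [TimeSpan]::FromMinutes(5))
}

# Outline step 1: deferred processing service on each management console host
foreach ($h in $ConsoleHosts) {
    $svc = Get-Service -ComputerName $h -DisplayName $DeferredDisplayName -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Warning "$h : deferred processing service not found"; continue }
    Stop-RedimService -ComputerName $h -Service $svc
}

# Outline step 1 (continued): every zone processor service, whatever its zone name
foreach ($h in $ZoneHosts) {
    $zones = Get-Service -ComputerName $h -Name "$ZoneServicePrefix*" -ErrorAction SilentlyContinue
    if (-not $zones) { Write-Warning "$h : no $ZoneServicePrefix* services found"; continue }
    foreach ($svc in $zones) { Stop-RedimService -ComputerName $h -Service $svc }
}

# Outline step 2: stop the root web site, then shut down the COM+ applications on each host
foreach ($h in $WebHosts) {
    Invoke-Command -ComputerName $h -ArgumentList $RootSite, $ComPlusApps -ScriptBlock {
        param($site, $apps)
        Import-Module WebAdministration
        if ((Get-Website -Name $site).State -ne 'Stopped') { Stop-Website -Name $site }
        Write-Host "$env:COMPUTERNAME : site '$site' is $((Get-Website -Name $site).State)"

        # Same action as right-click > Shut down in Component Services (dcomcnfg.exe)
        $catalog   = New-Object -ComObject COMAdmin.COMAdminCatalog
        $installed = $catalog.GetCollection('Applications')
        $installed.Populate()
        $names = @(foreach ($a in $installed) { $a.Name })
        foreach ($name in $apps) {
            if ($names -notcontains $name) {
                Write-Warning "$env:COMPUTERNAME : COM+ application '$name' not installed"
                continue
            }
            $catalog.ShutdownApplication($name)
            Write-Host "$env:COMPUTERNAME : COM+ application '$name' shut down"
        }
    }
}
```

Get-Service -ComputerName and the WebAdministration module are Windows PowerShell 5.1 features; the script expects PowerShell remoting to be enabled on the web hosts.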

5.2 UPGRADING THE MANAGEMENT CONSOLE


An upgrade installation is very much like an initial installation, with the exception that things like
email, database, and registration configurations have already been performed.
Before installing the management console, ensure your host server meets the prerequisites as
defined in Console Host System Requirements (on page 16).
After upgrading the management console, and before performing any other steps, be sure to launch
the management console at least once. This step is required to upgrade the database.
If you have multiple management consoles, upgrade your primary licensed management console
first, launch that console, then upgrade any other management consoles.
1) Launch the Lieberman RED Identity Manager installer.

2) On the Welcome screen, click Next.



3) Read the entire license agreement. Once you have read the agreement, if you agree, select I
accept the license agreement, then click Next.

4) Click the READ ME! button and read the steps outlined in the document. It identifies the major
upgrade steps to take. As you perform each step, check the box to indicate you have performed
the step. When ready, click Next.

5) Enter your name and organization name, then click Next.

6) Select the features to install:


Lieberman RED Identity Manager is the only required element.

PuTTY Terminal Emulator - installs the open source PuTTY software.

PDF Encoder - recommended - provides Lieberman RED Identity Manager the ability to turn its
compliance reports into PDF documents.

RSA SecureID - install this option if RSA multi-factor authentication will be required to access the
management console, but this machine will NOT host the web application. If this machine will
host the web application, leave this option unselected as the application will be installed
automatically when the web application is installed.

7) Change the installation location if needed. The program will be installed to a sub-folder called
Roulette at the chosen location.

8) Click Next.

9) Choose the identity to run the CLR COM+ application. The default is Network Service. The CLR
COM+ Identity is used to provide network and local system access for the solution to various
cloud services. Individual account stores (Azure, AWS, ESX, etc.) will be configured with specific
connection credentials when they are enrolled.
Options for the identity are:
Interactive User - Use the same logon information as the calling identity. This is an
administrator-level account because the calling identity will either be the admin running the
console, or the ERPM deferred processor service account. This option requires the least
configuration, but provides significantly more privileges than are required.

Network Service - (Recommended) Use the network service account. For this option you do not
have to manage a password or grant additional rights, although in some cloud management
cases, you may need to grant additional permissions on the file system.

Local Service - Use the local service account. For this option you do not have to manage a
password or grant additional rights, although in some cloud management cases, you may need
to grant additional permissions on the file system. The local service account has many more
rights and privileges than the Network Service.

This User - Use the supplied user name and password. This user could be a local account that is
configured to never authenticate to any other machine in the network (unlike Network Service
or Local Service), but it does represent another account to manage a credential for. In some
cloud management cases, you may need to grant additional permission to it on the file system.
This account also needs Logon as a batch rights granted to it.

10) Click Next.



11) Once the basic configurations are complete, click Next.



12) When the installer is complete, click Finish.

13) Launch the program to perform the database upgrade. After this step is complete, repeat steps
1-12 for all other management consoles.
14) Continue the installation by upgrading the web application, then web service, then deferred and
zone processors.

5.3 UPGRADING THE WEB APPLICATION


The web application is the primary mechanism for users to gain access to the credentials stored in
the solution, whether managed or static, as well as to audit access to those credentials. The web
application also performs other functions, such as a secure file store, privilege escalation, and a
secure personal password store.
This section shows how to install the web application from the management console. Please see
Web Application Host Requirements (on page 20) for more information on the web application host
prerequisites prior to installation.

1) In the management console, click the Manage Web App button from the left action pane.
2) If upgrading from version 5.5.1 or earlier, select your web application from the list then click
Remove. This step is necessary because the system name and registry settings have changed.
3) On the Manage Web Application Instances dialog, click Install, located in the lower left corner.

4) On the Install Web Application dialog, select the target installation system. Local system is the
system you are on now. If installing to a remote system, supply the remote system name as a fully
qualified domain name.
5) Click Check System Compatibility. This will perform a check of the target system to validate IIS
is accessible, the file system is accessible, and remote registry and remote COM+ access are
possible. Fix any access errors before continuing. If the check proceeds without incident, the
Web Interface Files section will be filled in automatically.

6) In the Web Interface Files section, supply the following information:


a. Install to target website - any and all root web sites on the target server will be listed here.
Choose the root website to host the web application.
b. Choose Install to root of website or Install to virtual directory:
o Installing to root of website will replace the existing website configuration at the
targeted website. The URL of the web application will simply target the name of the
server. This makes it easier for end users to recall and type. If the web server is a shared
server, you could inadvertently overwrite another web application.
o Installing to a virtual directory is the safest option as you will not overwrite any other
applications if the target is a shared server. The default virtual directory name is
PWCWeb. This name can be changed to any value permitted by IIS. The name supplied
here will be appended to the server name. In the default case the URL will target
https://serverName/pwcweb.
c. Web files destination path - this is where the web application files will be copied on the
target server. The path is resolved from IIS on the target server, which defaults to
%inetpub%\wwwroot. When installing to a virtual directory (default), the path is appended
with the name of the virtual directory.
d. Copy alternate web application files to target - not recommended - version 5.5.2 was the
last version to provide official support for the legacy web application. Although it is still
present in the current installer, it will be removed without notice from future iterations.

7) Web Application COM Components defines information for the COM+ application that will be
responsible for data access from the web application to the solution data store. Supply the
following information:
a. COM+ files destination files path - defaults to C:\Windows\System32 and will install to
\\serverName\admin$\syswow64 (c:\windows\syswow64). It is typically not necessary to
change this setting.
b. COM+ application name - defaults to PWCWebComApp. You may supply any name you
wish. This name is never visible to end users and is purely for identification when using the
Windows Components snap in.
c. Use existing COM+ application/config if possible - if upgrading from an existing installation,
this will attempt to leave the existing COM+ application configurations intact and simply
replace the required COM component files (rouletteweb.dll).
d. COM+ application account - this is the identity that will actually run the COM+ application.
When using Windows Integrated Authentication, this is the account that will be responsible
for data access from the database server on the web application's behalf. Enter the
username as DomainName\UserName. For more information see Service Account
Requirements (on page 24).
e. COM+ application password - this is the password for the COM+ application account.
8) Click Test COM+ Credentials. This will attempt to validate the credentials defined are in fact
valid credentials.

9) In the bottom section of the Install Web Application dialog, identify the use of SSL, any custom
port, or identify an explicit site address. Use an explicit site address when the URL to access the
web application will be different than the serverName (or serverName/virtualDirectoryName).
This would be the case when using a load balancer or if the server name will be aliased in DNS.
The information entered here has no functional effect on the website regarding end users. It
only affects the web application auto-launch capability from the Manage Web Application
Instances dialog in the management console.

10) Click Web App Settings to configure additional web application options. These options affect
security, sessions, and other integrations. For more information see Web Application
Configuration Options (on page 142).
The one option you must specify is the Web Service URI for REST web service endpoint on the
App Options tab. At this point, the web service is not yet installed. However, if the web service
will be installed onto the same machine using default settings, the URI will be virtually the same
as the URL mentioned above. For example, if the server is defined to use SSL in the previous
step on the default port (443) and your SSL cert uses the FQDN of the server (e.g. yourco.int),
then the URI to enter will be
https://servername.yourco.int/erpmwebservice/authservice.svc/REST. Everything after your
server name is standard: /erpmwebservice/authservice.svc/REST. If you were behind a load
balancer and the name of the load balanced cluster was "secureidmstore.yourco.com" the URI
to enter would be: https://secureidmstore.yourco.com/erpmwebservice/authservice.svc/REST.
Whatever name you use here must also be the name in the SSL certificate presented by that host,
otherwise the browser will reject the connection. If any information changes, it can be updated at
any time.
11) Then click Install.

12) You may receive a COM+ Account Confirmation warning after clicking. This dialog will appear if
the COM+ account specified on the installation dialog is different than the currently logged in
user. The warning is asking you to be sure that the account specified has datastore access or the
web application will fail to function until the access issue is resolved.
13) If you are sure about the account information, click Yes to continue or No to change to a
different account.

14) When the web application installation is complete, a dialog indicating a successful install will
appear. Click OK.

15) You will next be prompted to launch the web application. Clicking Yes will open your default
browser to the URL built from the choices made in step 9 above (SSL or not, any custom port, or
the explicit site address).
16) Click Yes to launch the web application. You will be logged into the web application as
[WebApplicationManager]. This is a built-in account. Its password is randomly generated with
each installation of this product.

17) Once the installation of the web application(s) is complete, the Manage Web Application
Instances dialog will be populated with a list of all known web applications.

18) If the web service is hosted on the same machine, continue to Upgrading the Web Service. If the
web service is hosted on a different machine, then start the parent website in IIS on the web
application hosts only.
See Post Installation or Upgrade Steps (on page 207) for additional steps and verifications.
To continue the basic installation, next install the Web Service (on page 162).
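As an added example (not part of the Lieberman documentation), the following PowerShell builds the REST web service URI described in step 10 from the SSL, port and site-address choices of step 9, reports whether the web application URL and the web service URI are the same browser origin (the condition behind the CORS note in Upgrading the Web Service), and checks that the host name used in the URI is actually named in the TLS certificate the host presents, which is the usual failure when a load balancer name is used. The function names and the host names are placeholders chosen for the example.

```powershell
# Added example, not taken from the Lieberman documentation. Host names are placeholders.

function New-RedimWebServiceUri {
    param(
        [Parameter(Mandatory)][string]$HostName,   # server FQDN or load balanced cluster name
        [switch]$UseSsl,
        [int]$Port = 0                             # 0 = default port for the scheme
    )
    $scheme  = if ($UseSsl) { 'https' } else { 'http' }
    $default = if ($UseSsl) { 443 } else { 80 }
    $b = New-Object System.UriBuilder($scheme, $HostName)
    if ($Port -gt 0 -and $Port -ne $default) { $b.Port = $Port }
    $b.Path = '/erpmwebservice/authservice.svc/REST'   # fixed part of the endpoint
    return $b.Uri.AbsoluteUri
}

function Test-RedimSameOrigin {
    param([Parameter(Mandatory)][string]$WebAppUrl,
          [Parameter(Mandatory)][string]$WebServiceUri)
    $a = [System.Uri]$WebAppUrl
    $b = [System.Uri]$WebServiceUri
    # A browser origin is scheme + host + port; the path (/PWCWeb vs /erpmwebservice) is ignored.
    $same = ($a.Scheme -eq $b.Scheme) -and ($a.Host -ieq $b.Host) -and ($a.Port -eq $b.Port)
    [pscustomobject]@{
        WebAppOrigin     = '{0}://{1}:{2}' -f $a.Scheme, $a.Host, $a.Port
        WebServiceOrigin = '{0}://{1}:{2}' -f $b.Scheme, $b.Host, $b.Port
        SameOrigin       = $same
        Action           = if ($same) { 'none' } else { 'set EnableCORS to true in the web service web.config' }
    }
}

function Test-RedimTlsName {
    param([Parameter(Mandatory)][string]$Uri)
    $u = [System.Uri]$Uri
    if ($u.Scheme -ne 'https') { throw "not an https URI: $Uri" }
    $tcp = New-Object System.Net.Sockets.TcpClient($u.Host, $u.Port)
    try {
        # The callback accepts anything so the certificate can be inspected; this is an
        # inspection tool, not a trust decision.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false,
                   [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true })
        $ssl.AuthenticateAsClient($u.Host)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $tcp.Close() }

    # Collect DNS names from the Subject Alternative Name extension (OID 2.5.29.17) plus the CN.
    $names = @()
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }
    }
    $names += $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    $names = @($names | Where-Object { $_ })
    $hn = $u.Host
    $covered = $names | Where-Object {
        if ($_.StartsWith('*.')) {
            # A wildcard covers exactly one label: *.yourco.int matches host.yourco.int only.
            ($hn -like $_) -and ($hn.Split('.').Count -eq $_.Split('.').Count)
        } else { $_ -ieq $hn }
    }
    [pscustomobject]@{
        HostName  = $hn
        CertNames = ($names | Sort-Object -Unique) -join ', '
        Covered   = [bool]$covered
        NotAfter  = $cert.NotAfter
    }
}

# Same host, SSL on 443: the URI is just the server FQDN plus the fixed path.
$svc = New-RedimWebServiceUri -HostName 'servername.yourco.int' -UseSsl
Test-RedimSameOrigin -WebAppUrl 'https://servername.yourco.int/PWCWeb' -WebServiceUri $svc
# Behind a load balancer the name in the URI (and so in the certificate) is the cluster name.
$lb = New-RedimWebServiceUri -HostName 'secureidmstore.yourco.com' -UseSsl
Test-RedimTlsName -Uri $lb
```

Run Test-RedimTlsName against the name you intend to enter, not against the server's own name: a certificate issued to servername.yourco.int does not cover secureidmstore.yourco.com, and the web application will be unable to reach the web service even though a browser pointed at the server directly works.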
5.4 UPGRADING THE WEB SERVICE

Starting with Lieberman RED Identity Manager version 5.5.2, the web service is a requirement for
the web application to function. In prior versions, the web service was an optional component used
only for PowerShell cmdlets, application launcher, session recording, and API access.

IMPORTANT! If the web service is installed on a machine that is NOT also hosting the
web application, the web service will fail to load unless additional actions are
taken. In this scenario, export the web application settings from the
management console, then import them onto the web service host.
To export the settings, from the management console:
1) Click Manage Web App from the left action pane.
2) Select the desired web application instance from the list.
3) Go to Advanced and select Export web app registry config. This will export a regedit file.
4) You will be prompted to generate the file for 64-bit Windows. Click Yes.
5) Copy the registry export to the target web service host and double click the file to import it.
These steps provide the web service with the necessary information to connect to the
data store, HSM if configured, and the encryption key as well as other settings.
Because the export carries the data store connection settings and the encryption key, treat the
file as a secret: copy it over a protected channel and delete every copy once it has been imported.
Any time these options change, it will be necessary to repeat these steps.

Important! If the web service is hosted on a different machine than the web application
host and the two are accessed through URLs that differ (specifically in
protocol, server name, or port), your web browser will block
access to the web service and many things will not function correctly. The
basic steps to resolve this are to open the web.config file for the web service
post installation and set "EnableCORS" to "true". Additional configuration may be
required in your specific browser and may not work in all configurations
(non-Microsoft browsers especially). Please refer to your browser's specific
documentation for more information on enabling CORS support.

Web service prerequisites are outlined in Web Service Host Requirements (on page 19) and its
service account requirements are outlined in Service Account Requirements (on page 24).
The web service cannot be pushed to a target system from the management console; it must be
installed locally at this time. If installing the web service on the same machine as the management
console, the installation of the web service package may be initiated from the management console,
by clicking Manage Web App from the left action pane then clicking Install Web Service at the
bottom of the Manage Web Application Instances dialog. For remote systems, copy and use the
manual installer (ERPMWebService.exe) found in the SupplementalInstallers sub-folder in the
installation directory, typically %programfiles(x86)%\Lieberman\Roulette.
During an upgrade, your previous settings will be remembered and will already be selected. You will
however need to re-enter the password for the COM+ identity.
1) Launch the web service installer.
2) On the welcome page, click Next.

3) On the COM+ Object Identity page, choose an appropriate identity and click Next. Valid identity
options are:
Network Service - use this option when using database native authentication mode to connect
to the database (e.g. SA).

Interactive User - not recommended - use this option when it is desired for the user calling the
web service to pass their authentication token as the authentication token to the database. This
is valid when using Windows Integrated Authentication but will require considerably more
security configuration in the program data store.

Specific User - recommended, default - use this option when using Windows Integrated
Authentication to the database or when it is desired to minimize any rights granted to the
COM+ application. This is the most compatible option. User names should be supplied in the
format of DomainName\Username.

4) Select the location in the local IIS instance to install the web service to and click Next. Valid
options are:
Virtual Directory - default, recommended - will install the web service to a virtual directory called
ERPMWebService located under the parent website you select. This is the safest option to
choose for both security and configuration reasons.
Site - use this option to install the web service to the root website. If there are multiple root web
sites configured on the host, you will also be presented with a selection of root web sites to
choose from.
5) Select the parent website and click Next.

6) Select the authentication method for connecting to the web service then click Next. Only
methods available to the target parent website will be displayed. Valid methods include:
Anonymous Auth with SSL - use this option when SSL is configured but Windows Integrated
Authentication will not be used.

Anonymous Auth without SSL - not recommended - use this option when neither Windows Integrated
Authentication nor SSL will be used. Application Launcher will not work with this configuration.

Integrated Auth with SSL - use this option when SSL and Windows Integrated Authentication will
be used.

Integrated Auth without SSL - use this option when Windows Integrated Authentication will be
used without SSL. Application Launcher will not work with this configuration.
SSL with User Certificates - use this option when users must supply a user based certificate
(smart card, biometrics, etc.) to authenticate to the website and web service. This will incur
much more overhead in the overall configuration and may cause problems with Application
Launcher.
7) Select the destination folder for the web service to be installed to and click Next. The default
location is %inetpub%\wwwroot\ERPMWebService, which already grants all required
permissions to be properly hosted. Changing the location may require additional configuration
by the web administrator.

8) When ready, click Install.


Important! If you chose to create a virtual directory, this process will create a virtual directory
called ERPMWebService. This will inherit the authentication, SSL and other settings from the
parent web site. This is important because if the parent web site is configured to use
anonymous authentication and the installer was configured to use Windows Integrated
Authentication, the virtual directory will be created with bad settings and it will be necessary to
open IIS and reconfigure the authentication settings post install.
9) Click Finish when the installer is finished.

After clicking Finish, this will launch the web service page and web service tester. Make note of
the URL as it will be required when configuring the web application. At this point, the web
service will be non-functional as it also requires settings from the web application to function. If
the website is installed on the same host as the web service, no further configuration actions
will be required for the web service. If the web service and web application are installed on
separate machines, it will be required to export the web application server configuration and
import it to the web service system.
10) Open IIS on the web application and web service host(s).
11) Expand the host server.
12) Expand sites.
13) Right-click on the parent root web site and click Manage Website | Start.
14) Repeat this step for each web application and web service host.

See Post Installation or Upgrade Steps (on page 207) for additional steps and verifications.

5.5 UPGRADING SCHEDULING SERVICES


This section covers upgrading the Deferred Processing Services as well as zone processors. Not all
methods below will necessarily apply to your installation. Please choose the sub headings that apply
to your situation and upgrade accordingly.

Deferred Processing Services


Follow these steps if the deferred processor was previously installed.
1) Once the management console has been upgraded, open the management console and
navigate to Settings | Application Components.
2) Note the component version. It should match the build date of the management console as
noted in Help | About (see the build number in parenthesis, e.g. 170123).
3) Once verified, click Jobs from the left action pane.
4) Click Deferred Processor, then click Start.
5) There should be no errors when starting the deferred processor as no settings will have
changed. The deferred processor will begin polling the database looking for work.
Zone Processors - Upgrading from 5.5.0 and later, Manual Method


1) If the zone processors were not installed using the Zone Processor Standalone installer
(check Programs and Features on the zone processor host) and the existing zone processor hosts
were running version 5.5.0 or later, it is not necessary to uninstall and remove the previous
files (though you certainly may). Rather, simply re-copy the following files from the program
installation directory to the zone processor installation directory (typically
C:\LiebermanZoneProcessor):
ipworks9.dll

ipworksauth9.dll

ipworkssmime9.dll

ipworksssl9.dll

ipworksssnmp9.dll

msvcp120.dll

msvcr120.dll

RouletteProc.exe

RouletteSked.exe

wkhtmltopdf.exe

zlibwapi.dll

2) If previously installed, copy IntegrationComponents.msi (installer for ticketing systems, email, etc.)
and/or CrossPlatformSupportLibrary.msi (installer for SSH, Telnet and other non-Windows
support) from the SupplementalInstallers subdirectory to the target zone processor host.
3) On the zone processor host, open Programs and Features.
4) If upgrading from any version of the CrossPlatformSupportLibrary or IntegrationComponents
prior to version 5.5.2, uninstall the existing Cross Platform Support Library and/or Integration
Components programs.
5) Run the installers for Integration Components and/or CrossPlatformSupportLibrary.
6) Start the zone processor (this will cause database re-registration for this zone processor) using
the Windows Services snap-in. The service will be named RouletteSked${ZoneName}. The
service should start without any problems. Typical errors at this point include:
Inability to connect to the program data store - check connectivity to the database using the service
account credentials and that the current database provider is installed on the zone processor host
(the management console does not push database providers to the remote system).

Bad service account information - examine the Logon tab of the service in the Windows Services
snap-in and validate the username and password.

7) Repeat this process for all zone processor hosts.

Zone Processors - Console Push Method


In Preparing for the Upgrade (on page 172), it was noted to remove the zone processors using the
management console if the zone processor host could be reached from the console (remote registry
and file system) and/or you were upgrading from version 5.4.0 or earlier.
1) From the management console, click Jobs from the left action pane.
2) Click Zone Processors from the Stored Jobs dialog left action pane.
3) Click Install.
4) Supply all necessary information to fully re-configure the service - zone ID, service account, job
types, and management set affinity.
5) Click OK.
6) If previously installed, copy IntegrationComponents.msi (installer for ticketing systems, email, etc.)
and/or CrossPlatformSupportLibrary.msi (installer for SSH, Telnet and other non-Windows
support) from the SupplementalInstallers subdirectory to the target zone processor host.
7) On the zone processor host, open Programs and Features.
8) If upgrading from any version of the CrossPlatformSupportLibrary or IntegrationComponents
prior to version 5.5.2, uninstall the existing Cross Platform Support Library and/or Integration
Components programs.
9) Run the installers for Integration Components and/or CrossPlatformSupportLibrary.
10) Start the zone processor (this will cause data base re-registration for this zone processor) by
right-clicking on the service registration and selecting Start. The service should start without any
problems. Typical errors at this point include:
Inability to connect to the program data store - check connectivity to database using the service
account credentials and the current data base provider is installed on the zone processor host
(the management console does not push database providers to the remote system).

Bad service account information - examine the Logon tab of the service in the Windows Services
snap-in and validate the username and password.

11) Repeat this process for all zone processor hosts.


Zone Processors - Standalone Installer


If zone processors were previously deployed using the Standalone Zone Processor Installer (typically
due to inability to connect to the zone processor host from the management console), open
Windows Explorer and navigate to the program installation directory and open the
SupplementalInstallers sub-directory.
1) Launch CreateZoneInstaller.exe.
2) Supply the necessary information to the installer and click Create.
3) Copy the created file to the target zone processor host(s) and run the package to update
installed zone processors.
4) If previously installed, copy IntegrationComponents.msi (installer for ticketing systems, email, etc.)
and/or CrossPlatformSupportLibrary.msi (installer for SSH, Telnet and other non-Windows
support) from the SupplementalInstallers subdirectory to the target zone processor host.
5) On the zone processor host, open Programs and Features.
6) If upgrading from any version of the CrossPlatformSupportLibrary or IntegrationComponents
prior to version 5.5.2, uninstall the existing Cross Platform Support Library and/or Integration
Components programs.
7) Run the installers for Integration Components and/or CrossPlatformSupportLibrary.
8) Start the zone processor (this will cause data base re-registration for this zone processor) by
right-clicking on the service registration and selecting Start. The service should start without any
problems. Typical errors at this point include:
Inability to connect to the program data store - check connectivity to database using the service
account credentials and the current data base provider is installed on the zone processor host
(the management console does not push database providers to the remote system).

Bad service account information - examine the Logon tab of the service in the Windows Services
snap-in and validate the username and password.

9) Repeat this entire process for zone processors hosts managing different zones or having
different configurations.
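As an added example (not part of the Lieberman documentation), the following PowerShell performs the manual zone processor upgrade described above on one host: it stops the RouletteSked${ZoneName} service, re-copies the file list from the console installation directory, verifies each copy by hash, starts the service and then checks for the two typical failure causes the text names (data store connectivity and the service logon account). The file names, directories and service name format are taken from the text; the function name and the zone name are placeholders. It must be run elevated on the zone processor host.

```powershell
# Added example, not taken from the Lieberman documentation. Zone name is a placeholder.

# File list as given in the manual upgrade steps above.
$ZoneFiles = @(
    'ipworks9.dll', 'ipworksauth9.dll', 'ipworkssmime9.dll', 'ipworksssl9.dll', 'ipworksssnmp9.dll',
    'msvcp120.dll', 'msvcr120.dll', 'RouletteProc.exe', 'RouletteSked.exe', 'wkhtmltopdf.exe', 'zlibwapi.dll'
)

function Update-RedimZoneProcessor {
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        [string]$SourceDir = "${env:ProgramFiles(x86)}\Lieberman\Roulette",
        [string]$TargetDir = 'C:\LiebermanZoneProcessor'
    )
    $svcName = "RouletteSked$ZoneName"
    $svc = Get-Service -Name $svcName -ErrorAction Stop
    if ($svc.Status -ne 'Stopped') {
        Stop-Service -Name $svcName -Force
        $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))
    }

    # Copy each binary and prove the copy is byte-identical to the console's (upgraded) file.
    $copies = foreach ($name in $ZoneFiles) {
        $src = Join-Path $SourceDir $name
        $dst = Join-Path $TargetDir $name
        if (-not (Test-Path $src)) { Write-Warning "not found in console install: $src"; continue }
        Copy-Item -Path $src -Destination $dst -Force
        [pscustomobject]@{
            File     = $name
            Version  = (Get-Item $dst).VersionInfo.FileVersion
            Verified = (Get-FileHash $src -Algorithm SHA256).Hash -eq (Get-FileHash $dst -Algorithm SHA256).Hash
        }
    }
    if ($copies | Where-Object { -not $_.Verified }) {
        throw 'one or more files did not copy intact; not starting the service'
    }

    # Pre-flight for the typical errors: the service logon account (Log On tab) and whether a
    # SQL Native Client ODBC driver is present (the console does not push database providers).
    $cim    = Get-CimInstance Win32_Service -Filter "Name='$svcName'"
    $driver = Get-OdbcDriver -Name 'SQL Server Native Client*' -ErrorAction SilentlyContinue

    Start-Service -Name $svcName
    try   { $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30)); $started = $true }
    catch { $started = $false }

    # Errors logged in the last few minutes, e.g. a logon failure or a data store connect failure.
    $recent = Get-WinEvent -FilterHashtable @{ LogName = 'Application', 'System'; Level = 1, 2
                                               StartTime = (Get-Date).AddMinutes(-5) } -ErrorAction SilentlyContinue |
              Where-Object { $_.Message -match [regex]::Escape($svcName) -or $_.ProviderName -match 'Roulette' }

    [pscustomobject]@{
        Service      = $svcName
        Started      = $started
        LogonAccount = $cim.StartName
        OdbcDriver   = if ($driver) { ($driver.Name | Sort-Object -Unique) -join ', ' } else { 'none found - install the database provider' }
        Files        = $copies
        RecentErrors = @($recent | ForEach-Object { "$($_.TimeCreated) [$($_.ProviderName)] $("$($_.Message)".Split("`n")[0])" })
    }
}

Update-RedimZoneProcessor -ZoneName 'Zone1'
```

Compare the Version column against the build shown in Help | About on the console before trusting the result: a stale copy that still passes the hash check means the console itself was not upgraded, not that the zone processor is current.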

5.6 UPGRADING POWERSHELL


For the users leveraging the PowerShell cmdlets, the PowerShell upgrade is simply a matter of
distributing the updated cmdlet DLLs.
1) On the management console host, open Windows Explorer.
2) Navigate to the SupplementalInstallers folder from the program installation directory.
3) Open the LSCPowerShelCmdlets folder.


4) Open LSClientAgentCommandlets.
5) Distribute LSClientAgentCommandlets.dll to the users who use the PowerShell cmdlets.
6) Replace LSClientAgentCommandlets.dll on the client systems. The default recommended
location is
%userprofile%\Documents\WindowsPowerShell\Modules\LSClientAgentCommandlets.
7) Version 5.5.2 introduced two new sets of cmdlets called LSClientUpdateConfiguration and
LSClientUpdatePassword. For any users leveraging these additional cmdlets, copy and replace
those DLLs into their respective folders as well.

5.7 UPGRADING APPLICATION LAUNCHER AND SESSION RECORDING
Please refer to the Application Launcher and Session Recording Guide for information on
installing/upgrading these components.
Chapter 6 Post Installation or Upgrade Steps
After the web application or web service is installed there may be additional steps to take
depending on the options enabled or desired. Additional actions may be required for the following
scenarios:
Use of Windows Integrated Authentication for web application access.
SSL should be required.
Redirects are enabled in IIS.
User certificates are required for web application access.
File Store is enabled for use.

IN THIS CHAPTER

File Store................................................................................................ 207


SSL ......................................................................................................... 209
User Certificates .................................................................................... 209
URL Redirects ........................................................................................ 210
Windows Integrated Authentication..................................................... 212

6.1 FILE STORE


The web application does not dynamically create the web.config configuration file for the file store.
Rather the web.config file is pre-configured to always point to a virtual directory called PWCWeb. As
a result, if the installation of the web application is instead directed to a root directory or a virtual
directory other than PWCWeb, the file store will not function.
If the installation performed does not point to a virtual directory called PWCWeb directly off of a
root web site in IIS, take the following corrective actions:
1) Open IIS and locate the root website or virtual directory where the web application was
installed.
2) Expand this object and select the application called FileVault.
3) On FileVault, open Error Pages.
4) Edit the 404 error handler.
5) Edit the URL (Relative to site root) field and update the correct path. If the web application was
installed to a root directory, set the URL to /OutputFile.asp. If the web application was installed
to a virtual directory under a root other than PWCWeb immediately off the root such as /REDIM
then set the URL to /REDIM/OutputFile.asp.
6.2 SSL
When installing to a virtual directory (or upgrading an existing installation), the virtual directory will
inherit the settings of the parent website. That means if the parent website has certain settings, the
virtual directory will automatically inherit those settings. Thus if the parent website is not
configured to require SSL, then your virtual directory will not be configured to require SSL.
To require SSL on your virtual directory, assuming your parent website already has a proper SSL
certificate and binding follow these steps:
1) Open IIS.
2) Open the virtual directory (default for web application and web service are PWCWeb and
ERPMWebService, respectively).
3) From the center pane, open SSL Settings.
4) Select the check box Require SSL.
5) Click Apply.

6.3 USER CERTIFICATES


When installing to a virtual directory (or upgrading an existing installation), the virtual directory will
inherit the settings of the parent website. That means if the parent website has certain settings, the
virtual directory will automatically inherit those settings. Thus if the parent website is not
configured to require user certificates, then your virtual directory will not be configured to require
user certificates.
To require user certificates on your virtual directory, assuming your parent website already has a
proper SSL certificate and binding and user certificates are properly configured, follow these steps:
1) Open IIS.
2) Open the virtual directory (default for web application and web service are PWCWeb and
ERPMWebService, respectively).
3) From the center pane, open SSL Settings.
4) Select Require SSL.
5) Under Client Certificates select one of the following options:
Accept - allows users to pass a user certificate but will also allow users who do not have a user
certificate. Select this option if some users will require certificates but you are unsure if ALL
users will be using certificates.

Require - all users accessing this site must supply a valid user certificate.

6) Click Apply.

6.4 URL REDIRECTS


URL redirects are not configured by default in IIS. In fact, they are not even available in a default
installation of IIS and must be enabled. URL redirects are typically used so that when a user
connects to a particular address, say a root website using HTTP, they are redirected to the
proper virtual directory with HTTPS.
When installing to a virtual directory (or upgrading an existing installation), the virtual directory will
inherit the settings of the parent website. That means if the parent website has certain settings, the
virtual directory will automatically inherit those settings. Thus if the parent website is configured
with a redirect, the virtual directory will be configured with a redirect. In this particular case, this
can cause a redirect loop which will cause the user to never be able to connect to the web
application or web service. In short, the redirect needs to be removed from the virtual directory.
When installing to a root website, the same bad behavior can occur where it keeps redirecting to
itself.
To rectify the problem when dealing with a virtual directory, use the following steps. For root
directories see further down this page.
1) Open IIS.
2) Open the virtual directory (default for web application and web service are PWCWeb and
ERPMWebService, respectively).
3) From the center pane, open HTTP Redirect.
4) Clear all redirect options.
5) Click Apply.

Other options to control switching from HTTP to HTTPS include:

Using the Microsoft IIS URL Rewrite Module.


Crafting a new default login page and configuring that new page as the Default Document for
the website or virtual directory
6.5 WINDOWS INTEGRATED AUTHENTICATION


When installing to a virtual directory (or upgrading an existing installation), the virtual directory will
inherit the settings of the parent website. That means if the parent website has certain settings, the
virtual directory will automatically inherit those settings. Thus if the parent website is not
configured to use Windows Integrated Authentication (or is mis-configured by also enabling another
form of authentication), then your virtual directory will inherit the same bad settings.
To require Windows Integrated Authentication on your virtual directory, assuming the IIS module
for Windows Integrated Authentication is already installed, follow these steps:
1) Open IIS.
2) Open the virtual directory (default for web application and web service are PWCWeb and
ERPMWebService, respectively).
3) From the center pane select Authentication.
4) Right click on Windows Authentication and select Enable (note the status column changes to
enabled).
5) If any other form of authentication is enabled, right click on those methods and disable them.
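As an added example (not part of the Lieberman documentation), the following PowerShell audits and corrects the IIS settings that sections 6.2 through 6.5, and the Important note under Upgrading the Web Service, say a virtual directory inherits from its parent site: Require SSL, client certificate handling, the inherited HTTP redirect that can loop, and the authentication modules. It uses the WebAdministration module that ships with IIS. The site name "Default Web Site", the function names and the parameter names are placeholders chosen for the example; PWCWeb and ERPMWebService are the virtual directory names from the text.

```powershell
# Added example, not taken from the Lieberman documentation. Run elevated on the IIS host.
Import-Module WebAdministration

function Get-RedimSiteSecurity {
    param([Parameter(Mandatory)][string]$PSPath)   # e.g. 'IIS:\Sites\Default Web Site\PWCWeb'
    $access   = Get-WebConfiguration -Filter 'system.webServer/security/access' -PSPath $PSPath
    $redirect = Get-WebConfiguration -Filter 'system.webServer/httpRedirect' -PSPath $PSPath
    $auth = @{}
    foreach ($m in 'anonymousAuthentication', 'basicAuthentication', 'digestAuthentication', 'windowsAuthentication') {
        $cfg = Get-WebConfiguration -Filter "system.webServer/security/authentication/$m" -PSPath $PSPath -ErrorAction SilentlyContinue
        # $null means the IIS module is not installed on this host (6.5 assumes it is).
        $auth[$m] = if ($cfg) { [bool]$cfg.enabled } else { $null }
    }
    # sslFlags is a comma separated flag list, e.g. "Ssl,SslNegotiateCert"; "None" when nothing is set.
    $flags = ("$($access.sslFlags)" -replace '\s', '') -split ','
    [pscustomobject]@{
        Path            = $PSPath
        RequireSsl      = $flags -contains 'Ssl'
        ClientCerts     = if ($flags -contains 'SslRequireCert') { 'Require' }
                          elseif ($flags -contains 'SslNegotiateCert') { 'Accept' } else { 'Ignore' }
        RedirectEnabled = [bool]$redirect.enabled        # inherited from the parent = loop risk (6.4)
        RedirectTarget  = $redirect.destination
        Authentication  = $auth
    }
}

function Set-RedimSiteSecurity {
    param(
        [Parameter(Mandatory)][string]$PSPath,
        [switch]$RequireSsl,                                            # 6.2
        [ValidateSet('Ignore', 'Accept', 'Require')][string]$ClientCerts = 'Ignore',   # 6.3
        [switch]$ClearRedirect,                                         # 6.4
        [switch]$WindowsAuthOnly                                        # 6.5
    )
    $flags = @()
    if ($RequireSsl -or $ClientCerts -ne 'Ignore') { $flags += 'Ssl' }  # client certs only exist over SSL
    switch ($ClientCerts) {
        'Accept'  { $flags += 'SslNegotiateCert' }
        'Require' { $flags += 'SslNegotiateCert', 'SslRequireCert' }
    }
    $value = if ($flags) { $flags -join ',' } else { 'None' }
    Set-WebConfigurationProperty -PSPath $PSPath -Filter 'system.webServer/security/access' -Name sslFlags -Value $value

    if ($ClearRedirect) {
        Set-WebConfigurationProperty -PSPath $PSPath -Filter 'system.webServer/httpRedirect' -Name enabled -Value $false
    }
    if ($WindowsAuthOnly) {
        # Windows auth on, every other method off, so the browser is never offered anonymous access.
        foreach ($m in 'anonymousAuthentication', 'basicAuthentication', 'digestAuthentication') {
            Set-WebConfigurationProperty -PSPath $PSPath -Filter "system.webServer/security/authentication/$m" `
                -Name enabled -Value $false -ErrorAction SilentlyContinue
        }
        Set-WebConfigurationProperty -PSPath $PSPath -Filter 'system.webServer/security/authentication/windowsAuthentication' `
            -Name enabled -Value $true
    }
    Get-RedimSiteSecurity -PSPath $PSPath
}

# Audit both virtual directories as installed, then apply SSL + Windows auth and remove the redirect.
'PWCWeb', 'ERPMWebService' | ForEach-Object { Get-RedimSiteSecurity -PSPath "IIS:\Sites\Default Web Site\$_" }
Set-RedimSiteSecurity -PSPath 'IIS:\Sites\Default Web Site\PWCWeb' -RequireSsl -WindowsAuthOnly -ClearRedirect
Set-RedimSiteSecurity -PSPath 'IIS:\Sites\Default Web Site\ERPMWebService' -RequireSsl -WindowsAuthOnly -ClearRedirect
```

Run the audit again after the web application or web service installer has been re-run: the installer recreates the virtual directory with the parent site's settings, which is exactly how the inherited values come back.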

Next, your browsers may require additional configuration.

Internet Explorer...
For Internet Explorer to willingly use Windows Integrated Authentication, the URL being connected to
must be seen as being part of the "Local intranet" zone as opposed to the Internet or Trusted sites
zones. Internet Explorer will only automatically treat locations entered with their short name (as
opposed to an FQDN) as being in the intranet zone. If you are accessing the web application and web
service via their short names, this battle is already won, SSL certificates permitting. If you are
accessing the web application and web service via an FQDN, IE will not treat these URLs as intranet
zone items and Windows Integrated Authentication will fail.
To rectify this when using FQDN names, you may either have every user add the web application
and web service FQDN into the Local intranet zone in IE or use group policy to push out the proper
settings. To do so, enable the following group policy and add the FQDN (wildcards OK) to the list
with a zone value of 1, which is the Local intranet zone (a value of 2 would place it in Trusted sites,
where IE does not send Windows credentials automatically by default):

Computer Configuration | Administrative Templates | Windows Components | Internet
Explorer | Internet Control Panel | Security Page > Site to Zone Assignment List

Zone Assignment = 1
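As an added example (not part of the Lieberman documentation), the following PowerShell applies the Site to Zone Assignment List policy above on a single machine by writing the registry values the policy itself populates, placing the web application and web service names in the Local intranet zone (value 1), and then reads the list back for verification. The host names and function names are placeholders. It must be run elevated; in a domain, set the same policy through a GPO so it is enforced centrally and cannot be undone by the user.

```powershell
# Added example, not taken from the Lieberman documentation. Host names are placeholders.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

function Add-RedimIntranetSite {
    param([Parameter(Mandatory)][string[]]$Site)   # e.g. 'servername.yourco.int' or '*.yourco.int'
    $zoneMap    = Join-Path $PolicyRoot 'ZoneMap'
    $zoneMapKey = Join-Path $PolicyRoot 'ZoneMapKey'
    foreach ($k in $zoneMap, $zoneMapKey) {
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
    }
    # The policy sets this flag so IE consults ZoneMapKey; without it the entries are ignored.
    New-ItemProperty -Path $zoneMap -Name 'ListBox_Support_ZoneMapKey' -PropertyType DWord -Value 1 -Force | Out-Null
    foreach ($s in $Site) {
        # Value name = site pattern, data = zone number as a string; 1 is Local intranet.
        New-ItemProperty -Path $zoneMapKey -Name $s -PropertyType String -Value '1' -Force | Out-Null
    }
}

function Get-RedimIntranetSite {
    $zoneMapKey = Join-Path $PolicyRoot 'ZoneMapKey'
    if (-not (Test-Path $zoneMapKey)) { return @() }
    $providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    (Get-ItemProperty -Path $zoneMapKey).PSObject.Properties |
        Where-Object { $_.Name -notin $providerProps } |
        ForEach-Object {
            [pscustomobject]@{ Site = $_.Name; Zone = [int]$_.Value; LocalIntranet = ([int]$_.Value -eq 1) }
        }
}

# Both the web application host and the load balanced web service name must be listed;
# a site in any other zone still fails the integrated authentication handshake.
Add-RedimIntranetSite -Site 'servername.yourco.int', 'secureidmstore.yourco.com'
Get-RedimIntranetSite
```

Keep the list narrow: every name placed in the Local intranet zone is a name IE will hand the user's Windows credentials to automatically, so use exact host names rather than a broad wildcard wherever possible.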

Firefox...
Recent versions of Firefox can support Windows Integrated Authentication when used from a
domain joined Windows system. To enable Firefox to support Windows Integrated Authentication,
go to about:config and define the following items:

For Kerberos authentication: network.negotiate-auth.trusted-uris

Define if Kerberos ticket passing (delegation) is required: network.negotiate-auth.delegation-uris
Define if NTLM authentication is allowed: network.automatic-ntlm-auth.trusted-uris
In each preference, define the name of the domain. If your domain name were "lsds.int", the
domain name entered for the Kerberos exchange would be .lsds.int; notice the leading dot, which
matches every host in that domain. Limit the delegation list to the hosts that actually need to act
on the user's behalf, since any host listed there can obtain a forwardable ticket for the user. For
more information refer to the Mozilla Firefox documentation.
Note that Firefox may still not work properly with cross origin requests (CORS) where
the web service is located on a machine separate from the web application and called by a different
URL when using Windows Integrated Authentication. These settings have also been noted to be lost
between Firefox upgrades.

Chrome...
Recent versions of Chrome will support Windows Integrated Authentication when run from a
Windows host without further configuration required. Refer to your Google Chrome documentation
for more information or additional settings.
Note that Chrome may still not work properly when working with cross origin requests (CORS)
where the web service is located on a machine separate from the web application and called by a
different URL when using Windows Integrated Authentication.
Chapter 7 Addenda
The addenda section contains supplementary information about this solution or related
components.

IN THIS CHAPTER

Data Store Configuration Options ......................................................... 217


Connecting to Microsoft SQL HA and Cloud Database Configurations . 223
Encryption Options ................................................................................ 234
Email Settings ........................................................................................ 251
Oracle as a Datastore ............................................................................ 265
7.1 DATA STORE CONFIGURATION OPTIONS


For more information on connecting to mirrored databases or database availability groups or
Microsoft Azure SQL, see Connecting to Microsoft SQL HA and Cloud Database Configurations (on
page 223).
For single or standard clustered instances, no special configurations are required in Lieberman RED
Identity Manager.
This section outlines the configuration settings on the data store dialog. To configure these settings,
go to Settings | Data Store Configuration > Basic Configuration.

Basic Database Connection Information


Database Provider - the database provider for the solution components to use when connecting
to the primary data store. The default option is SQL Server (through OLEDB). Other options
include:
SQL Server Native Client 10.0/11.0 (OLEDB) - This option will be available if the Microsoft SQL
Server Native Client version 10 or 11 is installed on the management console host. It is not
recommended to use version 10 of the client.

SQL Server Native Client 10.0/11.0 (ODBC) - This option will be available if the Microsoft SQL
Server Native Client version 10 or 11 is installed on the management console host. It is not
recommended to use version 10 of the client. It is necessary to use the SQL Native Client via
ODBC when leveraging SQL Server database mirroring, database availability groups (SQL Always
On) or Azure SQL, or when using TLS v1.2 to encrypt database communications. Be sure to
download the latest SQL Native Client to obtain the latest compatibility updates.

Oracle (through OLEDB) - Oracle is no longer supported as a back end data store for new
customers and is only supported for existing customers who purchased Oracle Data Store
support prior to January, 2015. For more information, see Oracle as a Datastore (on page 265).

Connection Settings
Database Name - the name of the server along with any instance and port configuration.
Directly to the server on the default port - enter the server name only, e.g. DBHOST.

Directly to the server on a non-default port - enter the server name and port number, separated
by a comma, e.g. DBHOST,55555.

To the server with a named instance - enter the server name and instance name, separated by a
back-slash, e.g. DBHOST\InstanceName.
For more information on connecting to other SQL configurations like SQL AlwaysOn, mirroring,
or Azure SQL, see Connecting to Microsoft SQL HA and Cloud Database Configurations (on page
223).
Connect with Windows NT Integrated Security - use this option when it is desired to use
Windows Integrated Authentication to connect to the data store. This means the service
account's or interactive management console user's authentication token will be passed to the
Microsoft SQL server. This will require that these accounts (or groups they belong to) be
granted appropriate access to the database server and database. See Solution Database
Requirements (on page 21) for more details.
Use database native authentication mode - use this option to use a Microsoft SQL account to
perform data store access. This account will be created and managed within the target SQL
Server instance. Use this option when the database host is not trusted by the solution
component (i.e. management console or web hosts) or when it is not desired to provision Active
Directory groups or users to the database.
Encrypt communication with database - if it is desired to use SSL/TLS when communicating
with the database server, select this option. The certificate must be trusted by the database
server and all product component hosts.

Database Settings
Use an existing database on the server - if there is an existing empty or configured database
already provisioned on the database server, select it now from the drop down list. This will
cause an authenticated connection to be made using the authentication settings in the
Connection Settings area.
Create a new database (with default settings) - if no data store exists on the database server
and you or your login account has the permissions to create a new database on the target
server, select this option. The database and all necessary tables, views, stored procedures, etc.
will be created (at least attempted!) when you click OK.
Create objects in a non-default schema - it is recommended to always define this option and to
set it to a static value (we recommend DBO). If the connection account is not a sysadmin level
account and a custom schema is not defined, SQL Server will create a new database schema
named after the user and prefix that to all objects created in the database. While this is not
necessarily a problem when using database native authentication, it is a problem when using
Windows Integrated Authentication, as each new user will attempt to create and/or transfer
existing objects to the new schema name. Setting this value prevents these conflicts from
occurring.

Advanced Settings
Set explicit connection limit - this will limit the number of connections made to the target
database host. This will have the impact of slowing down all job processing to wait for previous
threads to complete; however, it can improve stability when the database host is
under-provisioned. The default setting is not configured.
Overwrite the default database timeout value - when not configured, the default value is 30
seconds. That means any call from a product component to the database has 30 seconds for
data to return before timing out. If you encounter such a scenario, it is recommended to tune
and maintain your database (see admin guide for more details); however, you may need to
increase the timeout in the meantime or to handle high-latency, low-bandwidth links.
Add custom connection string parameters - supply additional connection string parameters
specific to your database without having to write a whole connection string. This option will
typically be used when connecting to mirrored data sources or SQL AlwaysOn sources.

Use custom connection string - use this option to specify your own connection string to your
chosen database host.

7.2 CONNECTING TO MICROSOFT SQL HA AND CLOUD DATABASE CONFIGURATIONS
For more information about the basic data source settings, see Data Store Configuration Options
(on page 217).
This section shows example configurations for connection to:
Mirrored Databases
SQL AlwaysOn (Database availability groups)
Azure SQL

7.2.1 Mirrored Databases


The database settings are accessed in the management console under Settings | Data Store
Configuration > Basic Settings. If database settings are changed in any way, restart the deferred
processor and update the application configuration. The web application settings can be updated
from the Manage Web App dialog by right-clicking on the website instance and selecting Replace
instance options with default web application options.

This topic discusses configuration topics when connecting to a mirrored instance of Microsoft SQL
Server. This topic does not discuss using availability groups or Azure SQL Database or any other
options.

In this dialog, the following items must be configured:


Database Provider - All providers for MS SQL will always be available to this dialog. Although all
listed SQL Server providers will work, to leverage the high availability and fail-over features of a
SQL mirror, the SQL Server Native Client 11.0 (ODBC) must be used. This provider must also be
manually installed on all web servers, web service servers, deferred and zone processor hosts. If
it is not, they will fail to connect to the database.

Note: Important! When using the SQL Native Client, it is recommended to use version
11 or later.

Database Name - The name provided in this field should be the name of the primary (currently
active) database partner. When connecting to a SQL instance, standard MS SQL naming
conventions apply: Server\Instance,port.
Server default instance on default port (port 1433) - DBServerName or IP

Server default instance non-default port (port 55555) - DBServerName,55555 or IPAddress,55555

Server named instance (RedIM) on default port - DBServerName\SQLExpress or IPAddress\RedIM

Add Custom Connection String Parameters - This option must be defined. Modify the following
connection string parameters with the proper name of the secondary SQL server and name of
the target database:
Server=PRIMARY_SERVER_NAME;Failover_Partner=SECONDARY_SERVER_NAME;database=NAME_OF_TARGET_DATABASE

Then click the Update button at the lower left of the screen. Notice how the combined connection
string is now updated with the server and database names:
Driver={SQL Server Native Client 11.0};DataTypeCompatibility=80;Server=MSDB-1;Database=erpmdb;Trusted_Connection=yes;Failover_Partner=MSDB-2;database=ERPMDB;

Configure all other options as defined in Data Store Configuration Options (on page 217).

7.2.2 SQL AlwaysOn


The database settings are accessed in the management console under Settings | Data Store
Configuration > Basic Settings. If database settings are changed in any way, restart the deferred
processor and update the application configuration. The web application settings can be updated
from the Manage Web App dialog by right-clicking on the website instance and selecting Replace
instance options with default web application options.

This topic discusses configuration topics when connecting to a SQL Server database configured using
a SQL AlwaysOn configuration (also known as database availability groups).

In this dialog, the following items must be configured:


Database Provider - All providers for MS SQL will always be available to this dialog. Although all
listed SQL Server providers will work, to leverage the high availability and fail-over features of a
SQL mirror, the SQL Server Native Client 11.0 (ODBC) must be used. This provider must also be
manually installed on all web servers, web service servers, deferred and zone processor hosts. If
it is not, they will fail to connect to the database.

Note: Important! When using the SQL Server Native Client, it is recommended to use
version 11 or later.

Database Name - The name provided in this field should be the name of the Availability Group
Listener (AGListener). When connecting to an AGListener, standard MS SQL Server naming
conventions apply: AGListener,port.
Server default instance on default port (port 1433) - AGListener

Server default instance non-default port (port 55555) - AGListener,55555

Server non-default instance - AGListener,InstanceName

Add Custom Connection String Parameters - This option must be defined. Modify the following
connection string parameters with the proper name of the secondary SQL Server and name of
the target database:
AGListenerName,Database=NAME_OF_TARGET_DATABASE;MultiSubnetFailover=yes

Then click the Update button at the lower left of the screen. Notice how the combined connection
string is now updated with the server and database names:
Driver={SQL Server Native Client 11.0};DataTypeCompatibility=80;Server=AGListener;Database=ERPMDB;Trusted_Connection=yes;AGListener,DBPort;Database=ERPMDB;MultiSubnetFailover=yes;

Configure all other options as defined in Data Store Configuration Options (on page 217).
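As an added example (not the product's own code or dialog), the following Python checks a combined connection string of the kind the Data Store Configuration dialog assembles for the mirrored and AlwaysOn cases above: it flags duplicate keywords left behind by appended custom parameters, the wrong Native Client version, a missing Failover_Partner or MultiSubnetFailover, and a missing Encrypt=yes. The sample strings are constructed; Failover_Partner is the SQL Server Native Client ODBC spelling of the keyword.

```python
"""Check the ODBC connection strings the Data Store Configuration dialog assembles
for mirrored and AlwaysOn (availability group) back ends."""
from typing import Dict, List, Tuple

# Constructed sample strings, modelled on the combined strings shown in this chapter.
# They are not taken from a real deployment.
MIRROR_AS_ASSEMBLED = (
    "Driver={SQL Server Native Client 11.0};DataTypeCompatibility=80;Server=MSDB-1;"
    "Database=erpmdb;Trusted_Connection=yes;Failover_Partner=MSDB-2;database=ERPMDB;"
)
MIRROR_CLEAN = (
    "Driver={SQL Server Native Client 11.0};Server=MSDB-1;Failover_Partner=MSDB-2;"
    "Database=ERPMDB;Trusted_Connection=yes;Encrypt=yes;"
)
AG_CLEAN = (
    "Driver={SQL Server Native Client 11.0};Server=AGListener,55555;Database=ERPMDB;"
    "Trusted_Connection=yes;MultiSubnetFailover=yes;Encrypt=yes;"
)


def parse_connection_string(conn: str) -> Tuple[Dict[str, str], List[str]]:
    """Split a ';'-separated ODBC connection string into a lower-cased key -> value map.

    ODBC keywords are case-insensitive, so 'Database' and 'database' are the same
    key. A keyword that appears twice, or a fragment without '=', is reported as a
    finding rather than accepted silently: the dialog appends the custom parameters
    to the string it already built, which is exactly how duplicates arise.
    """
    values: Dict[str, str] = {}
    findings: List[str] = []
    for raw in conn.split(";"):
        part = raw.strip()
        if not part:
            continue
        if "=" not in part:
            findings.append(f"fragment without '=': {part!r}")
            continue
        key, value = (s.strip() for s in part.split("=", 1))
        lowered = key.lower()
        if lowered in values:
            findings.append(f"duplicate keyword {key!r}: {values[lowered]!r} and {value!r}")
        values[lowered] = value  # last occurrence wins for the later checks
    return values, findings


def check_ha_connection(conn: str, topology: str, require_tls: bool = False) -> List[str]:
    """Return the problems found for topology 'mirror' or 'ag' (availability group).

    The rules follow this chapter: SQL Server Native Client 11.0 over ODBC, an
    explicit Server and Database, Failover_Partner for a mirror,
    MultiSubnetFailover=yes for a listener, and Encrypt=yes when the 'Encrypt
    communication with database' option is expected to be in force.
    """
    if topology not in ("mirror", "ag"):
        raise ValueError(f"unknown topology {topology!r}")
    values, findings = parse_connection_string(conn)
    driver = values.get("driver", "")
    if "native client 11.0" not in driver.lower():
        findings.append(f"driver should be SQL Server Native Client 11.0, got {driver!r}")
    for required in ("server", "database"):
        if required not in values:
            findings.append(f"missing {required.capitalize()} keyword")
    if topology == "mirror" and "failover_partner" not in values:
        findings.append("mirroring needs Failover_Partner=<secondary server name>")
    if topology == "ag" and values.get("multisubnetfailover", "").lower() != "yes":
        findings.append("availability group listener needs MultiSubnetFailover=yes")
    if require_tls and values.get("encrypt", "").lower() != "yes":
        findings.append("Encrypt=yes is missing although TLS to the database is required")
    return findings


if __name__ == "__main__":
    for label, conn, topo in (
        ("mirror, as assembled by the dialog", MIRROR_AS_ASSEMBLED, "mirror"),
        ("mirror, cleaned up", MIRROR_CLEAN, "mirror"),
        ("availability group", AG_CLEAN, "ag"),
    ):
        problems = check_ha_connection(conn, topo, require_tls=True)
        print(f"{label}: {problems or 'OK'}")
```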

7.2.3 Azure SQL


The database settings are accessed in the management console under Settings | Data Store
Configuration > Basic Settings. If database settings are changed in any way, restart the deferred
processor and update the application configuration. The web application settings can be updated
from the Manage Web App dialog by right-clicking on the website instance and selecting Replace
instance options with default web application options.

This topic discusses configuration topics when connecting to a SQL Server database configured using
Azure SQL.

In this dialog, the following items must be configured:

Database Provider - All providers for SQL Server are always available to this dialog. The SQL
Server Native Client 11.0 (ODBC) must be used. This provider must also be manually installed
on all web servers, web service servers, deferred processor hosts, and zone processor hosts. If
not, these instances will fail to connect to the database.

Note: Version 11 or later is required.

Database Name - The name provided in this field should be the name of the Azure SQL
instance.
Configure all other options as defined in Data Store Configuration Options (on page 217).

7.3 ENCRYPTION OPTIONS


This section documents how to configure Lieberman RED Identity Manager to work with
Software-Based or Hardware-Based Encryption.
The Encryption sub-sections show some of the documented configurations for specific HSMs but
should not be construed as an all-inclusive list of supported HSM modules/devices.
Encryption Settings are found at Settings | Encryption Settings.

Note: If the web application is installed and you make changes to the encryption
settings, be sure to also update the web application settings so that the web
application has the appropriate encryption information.

The passwords generated during a password change job can be stored encrypted in the database.
The current supported encryption type is AES in 128, 192, or 256-bit key lengths. When you enable
encryption or change encryption options, the passwords are decrypted and re-encrypted with the
new key. The web application settings, however, must be updated manually to reflect the new
encryption key. The key signature for the current key is shown in the following dialog. When
recovering stored passwords, this signature can be matched against the key signature for the stored
password to ensure that it was encrypted with the same key.

Configuring Software-Based Encryption


The encryption key generated here is unique to your installation. If this key is not backed up,
Lieberman Software has no way to help you regain access to your managed passwords.
Changing a key is a manual process. From the Encryption Settings dialog, click the New Key
button. If an HSM is used for encryption, neither this button nor the Import Key or Export Key
buttons will be active.
Although the encryption algorithms used are FIPS algorithms, the use of external FIPS 140-2
certified encryption modules is supported. FIPS 140-2 certified encryption may be required in
government organizations that require the use of FIPS 140-2. The encryption code is the same
whether using the built-in encryption or the FIPS 140-2 certified encryption; the FIPS 140-2 method
simply uses the encryption procedures in a manner that is compatible with the certification.
FIPS 140-2 certified usage requires using a module that has been certified as a stand-alone module.
The Crypto++ library that Lieberman RED Identity Manager uses leverages the exact same
cryptography code as the certified module. In the built-in case, the code is compiled into the
solution (which is not a certified usage); in the certified case, the code is being used through a call to
an external DLL (that has been certified). The certified usage case is slightly less secure, because it is
susceptible to replacement of the external DLL file, whereas changing the built-in cryptography
would require modification to the application itself (which would invalidate the digital signature).
To enable FIPS 140-2 certified encryption, download and install the FIPS certified support library,
which contains the add-on components necessary to support this mode (including the FIPS 140-2
certified Crypto++ module). Once this has been installed, open the Encryption Settings dialog and
select the Use FIPS 140-2 software provider if available option. Usage of the FIPS 140-2 provider
(fail if not available) can be required; otherwise the application will default to the identical (but not
FIPS 140-2 certified) internal code if the certified provider is not available.

Note: The certification number for the FIPS module is 819.

The certification for the module can be found at:


http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140crt/140crt819.pdf
More information about FIPS 140-2 certification can be found at:
http://csrc.nist.gov/groups/STM/cmvp/standards.html
From the Encryption Settings dialog, you can test the validity of the current encryption key, export
the current key, or import a previous key. The export feature will write a registry (.reg) file with the
encrypted key settings. These settings can later be imported to the same system or to a different
system by using the import feature or by double-clicking on the registry file.

Warning: Be careful when saving/importing/exporting encryption keys. In the event of
disaster recovery, if the encryption key is lost, passwords that have been
encrypted with that specific key will be un-recoverable. If the encryption keys
are exported, keep them in a secure location, as they can be used to decrypt
all stored encrypted passwords.
The option Force change and clear any passwords which cannot be decrypted will examine all
passwords in the password store and clear all passwords that cannot be decrypted using the current
settings. This option is designed to clear erroneous data from the database when the correct
encryption key is unavailable. This is a single-use option: after the option is selected and the dialog
is OKed, the operation will take place; the next time the dialog is opened, the option will no longer
be selected.

Configuring Hardware Encryption


Hardware security module (HSM) technology off-loads the encryption process from the solution
(and the system it runs on) to an external hardware device. Any HSM that uses a PKCS#11 interface
and supplies a 32-bit provider should be usable, though some vendors do take certain liberties! For a
current list of tested hardware devices, please contact Lieberman Software.
HSM technology has been utilized for years in the government, military, and intelligence industries
to protect against the security flaws of conventional encryption software. In software-based
solutions, even when keys are encrypted, software debuggers can locate and access the encryption
key, allowing critical data to be compromised. With an HSM, there is no record of keys stored in
memory. Instead, the keys are stored in a secure device, physically located inside an external piece
of hardware.

To Configure HSM Encryption


1) In the management console, choose Settings > Encryption Settings.
The "Encryption Settings" dialog opens.
2) Select the Use Hardware Cryptography Module for hardware-based cryptography option.
3) Click the ellipses (...) to configure the hardware key.

The PKCS #11 Interface to HSM Settings dialog opens.

When the hardware encryption device is installed, it will place a DLL onto the host computer.
This is required so that software can interface with it.
4) In the Interface library DLL path field, enter the path to the DLL that supports the HSM device.
After loading the DLL, options appropriate to the hardware device will become available and the
slot/token description field will be automatically filled out per the information provided by the
device.

If the hardware device can support multi-threaded access, select the Initialize library for
multi-threaded access option, because this will greatly improve performance of the solution when
using a hardware encryption device.

Enter a PIN if the device also requires a PIN to access it.

5) Complete the Key and Encryption Method area to configure the appropriate key and
encryption mechanism. Values that can be selected here will depend on the hardware device
installed.
6) Once all of the options have been completed, click OK to close the dialog and implement the
encryption settings.
Any time you change encryption settings after you deploy the web application, be sure to also
update the web application and web service settings; otherwise they will attempt to use invalid
encryption mechanisms and will fail to access stored credentials and data.

7.3.1 Thales/nCipher HSM


The following depictions are created in reference to Thales/nCipher HSMs. Lieberman Software is
unable to provide support for your specific HSM. All support for your specific HSM will need to be
handled by your HSM provider.
Ideally, once the HSM is installed and available and the option to use the HSM is selected,
Lieberman RED Identity Manager will display the message PKCS #11 interface DLL verified. This only
indicates that the DLL is configured, not that the HSM is ready to use.

When testing your HSM, it will likely require the host to register its IP address as a permitted client.
When testing connection status from the HSM utilities, an error stating No connection could be
made because the target machine actively refused it may appear (some information omitted).
Module #1
enquiry reply flags Failed UnprivOnly
enquiry reply level Six
serial number unknownunknown
mode operational
version 0.0.0
speed index 0
rec. queue 0..0
level one flags none
version string unknown
checked in 0000000000000000 Wed Dec 31 16:00:00 1969
level two flags none
level four flags none
module type code 0
product name unknown
device name unknown
EnquirySix version 3
impath kx groups
feature ctrl flags none
features enabled none
version serial 0
connection status RemoteServerFailed, <us> (nCErrorno(ECONNREFUSED): No connection
could be made because the target machine actively refused it)
connection info esn = 6FBC-70AB-E4E3; addr = INET/192.168.99.5/9004; ku hash
= 98765a4321aaaaa1aa11aa11a1aa11c11223c4b5, mech = DSA; time-limit = 24h;

The connection status line indicates that the connection is being refused by the netHSM. This
means that the netHSM likely doesn't have this host's IP address present in its client list. Another
possibility is that the host has two or more interfaces and the IP address listed in the netHSM is not
the one that the host is using to connect with.
You can check the client config from the front panel of the netHSM by navigating to 1-1-4
(System/System configuration/Client config) or by looking in the RFS for this netHSM and checking the
netHSM's config file, which is copied to the RFS. One block of the config file (with the header
[hs_clients]) will be dedicated to the client list. The netHSM's config file can be found on the RFS in
one of a few different places, depending on the version of nCSS and the version of Windows in use:
Pre-v11 nCSS: C:\nfast\kmdata\hsm-<ESN>\config\config
v11 on 2003: C:\Documents and Settings\All Users\Application Data\nCipher\Key
Management Data\hsm-<ESN>\config\config

v11 on 2008: C:\ProgramData\nCipher\Key Management Data\hsm-<ESN>\config\config

Another setting to check is the config file auto push settings. Try resetting the auto push for the
config file and it should show up on RFS.
Check the connection status again and it should read as OK.

If there are no operator cards or softcards configured for the HSM, then the error Could not
enumerate slots on PKCS #11 interface device will appear.

The registration process with the HSM happens between the nCipher client software and the HSM.
Lieberman RED Identity Manager is not aware of the HSM, only of where the PKCS#11 library is.
Lieberman RED Identity Manager uses the PKCS#11 library, whose requests are handled by the
nCipher client, which then sends instructions to the HSM to take specific actions (make a key, load a
key, encrypt data, etc.).
Verify registration of the nCipher client with the HSMs by running the following commands from
C:\Program Files (x86)\nCipher\nfast\bin:

enquiry

nfkminfo

ckCheck-inst

Output will look like this:


C:\Program Files (x86)\nCipher\nfast\bin>enquiry
Server:
enquiry reply flags none
enquiry reply level Six
serial number
mode operational
version 2.42.17
speed index 0
rec. queue 2..50
level one flags none
version string 2.42.17cam8,
checked in 00000000487debd5 Wed Jul 16 05:38:45 2008
level two flags none
max. write size 8192
level three flags none
level four flags ServerHasPollCmds ServerHasLongJobs ServerHasCreateClient
module type code 0
product name nFast server


device name
EnquirySix version 4
impath kx groups
feature ctrl flags none
features enabled none
version serial 0
remote server port 9004
C:\Program Files (x86)\nCipher\nfast\bin>nfkminfo
World generation 1
state 0x0 !Initialised !Usable !Recovery !PINRecovery !ExistingClient !RTC !NVRAM !FTO !SEEDebug Unchecked
n_modules 0
hknso 0000000000000000000000000000000000000000
hkm 0000000000000000000000000000000000000000 (type DES3)
hkmwk 0000000000000000000000000000000000000000
hkre 0000000000000000000000000000000000000000
hkra 0000000000000000000000000000000000000000
hkmc 0000000000000000000000000000000000000000
hkmnull 0000000000000000000000000000000000000000

ex.client none
k-out-of-n 0/0
other quora
createtime 1970-01-01 00:00:00
nso timeout 0 min
Modules - list unavailable

No Pre-Loaded Objects

C:\Program Files (x86)\nCipher\nfast\bin>ckCheck-inst


ckCheck-inst: C_Initialize failed rv = 00000006 (CKR_FUNCTION_FAILED)
(Use nfkmcheck to check your security world,
Set CKNFAST_DEBUG to turn on PKCS #11 logging.)

Based on this output, it is necessary to register this host with the netHSM using nethsmenroll. If the
host were properly registered, there would be some module output listed in the enquiry output.
To add a netHSM to this client:
1) Run nethsmenroll <IPofnetHSM> on the client to register it with the netHSM.
2) Go to the netHSM itself and add the client's IP address to the client list (Menu > System >
System configuration > Client config).

Next, bring the client into the same Security World as the netHSM:
Copy world and module_* files from RFS to bring this new host into the Security World, then run:
1) rfs-sync --setup --no-authentication <IPofRFS>
2) rfs-sync --update
Choose one of your CAs and locate the nCipher Key Management directory, typically,
C:\ProgramData\nCipher\Key Management Data\local.

Find the world files and module_* files and copy them to the Lieberman RED Identity Manager host.
You want to copy this to the same/corresponding Key Management Data\local directory on the
Lieberman RED Identity Manager host. Now, the client will be in the same Security World as the
HSM and the CAs.
To configure the PKCS#11 library, edit this file (or create it if it does not exist):
C:\Program Files (x86)\nCipher\nfast\toolkits\pkcs11\cknfastrc

Make sure that the file contains the following line:


CKNFAST_LOADSHARING=1

This turns on the HA and fail-over features of the PKCS#11 library.


Next, create a login token for the Lieberman RED Identity Manager PKCS#11 login. Run the following
nCipher command:
ppmk --new <TokenName>

where <TokenName> is just a string for a label (for example, LiebermanPM). Following this step a
prompt for a PIN will appear.
Now return to the Lieberman RED Identity Manager HSM configuration and complete the
configuration steps. The SoftCard just created will show up as a Hardware Slot/Token in their GUI
and will also require the PIN just created.

7.3.2 Safenet/Gemalto - KeySecure


Safenet/Gemalto KeySecure devices have been tested and validated using the 32-bit Ingrian
provider, version 8.2.1.1 and later. However, when using version 8.3 of the Ingrian provider, DO
NOT enable multi-threaded support. Providers published after version 8.3 address this problem.
The process below shows configuration of a provider after version 8.3.
1) Install the HSM provider.

2) From the management console, go to Settings | Encryption Settings.


3) Select the radio button to Use Hardware Cryptography Module for hardware-based
cryptography.
4) Click the ellipses (...) to the right of the Key field.
5) Supply the path to the PKCS#11 library.
6) To initialize for multi-threaded access, which can drastically improve performance, enable the
check box Initialize library for multi-threaded access.
7) A warning message will appear indicating that even though the test may pass verification
(depends on HSM provider vendor for actual multi-threaded check response), it may still
encounter problems during actual use. If you are comfortable that the provider is fully
compatible, click Yes, otherwise, click No.

8) Click Load and Verify Library. This will verify that the DLL is present and functional; this does not
test HSM functionality or communication.
9) If the DLL verifies without a problem, click OK.

10) Once the DLL verifies OK, enter the PIN for the device. For Safenet KeySecure enter the PIN as
username:password.

11) Select the key from the Key drop down list. If no key exists and the PIN entered above provides
sufficient access, use the Create button to create a new key. Through version 8.3, the KeySecure
provider could only successfully create AES encryption keys.
12) Select the desired Encryption Mechanism for the key if multiple mechanisms are available.
13) Then click OK.

14) Click OK on the Encryption Settings dialog to implement the change. If there was already an
existing encryption mechanism in place, this will cause the solution to decrypt and re-encrypt
the secured items in the data store such as passwords and SSH keys.

15) If there were already deployed web applications, services, zone processors, or other consoles,
they must be updated with the new encryption scheme (and provider).

7.3.3 UTIMACO HSM


The following depictions are created in reference to UTIMACO HSMs. Lieberman Software is unable
to provide support for your specific HSM. All support for your specific HSM will need to be handled
by your HSM provider.
Lieberman RED Identity Manager is fully compatible with the following UTIMACO HSM models and
firmware:
HSM Model:
SafeGuard CryptoServer CS(e)-Series/Se-Series PCI(e)
SafeGuard CryptoServer CS(e)-Series/Se-Series LAN
SafeGuard CryptoServer Simulator
Firmware:
HSM Firmware SafeGuard SecurityServer 3.20.2

Important! You must use the 32-bit variant of the PKCS#11R2 library (cs_pkcs11_R2.lib),
which is available on the SafeGuard SecurityServer 3.20.2 product CD.

Verify that a system variable named CS_PKCS11_R2_CFG is pointing to your PKCS#11R2
configuration file (cs_pkcs11_R2.cfg). This variable is automatically created if you follow the
SafeGuard SecurityServer 3.20.2 installation wizard. If the wizard was not used, the variable has to
be created manually.
Ideally, once the HSM is installed and available and the option to use the HSM is selected, a dialog
will appear indicating "PKCS #11 interface DLL verified." This message indicates that the DLL is
configured; it does not mean that the HSM is ready to use.

Check that there is a ready slot available on CryptoServer, as shown below:



To learn how to initialize slots, see section 4.2 of the PKCS#11 CryptoServer Administration Tool
documentation (CryptoServer_Manual_P11CAT.pdf) available on the Utimaco product CD.

Once you have both the PKCS#11 DLL file loaded and the slot initialized, choose a slot and create a
new encryption key using the available methods, as shown below:

7.4 EMAIL SETTINGS


Email settings are found at Settings > Email Settings.
Lieberman RED Identity Manager can send email via SMTP for reporting and alerting purposes.
Access to an SMTP email server is required. This topic documents how to configure the SMTP Email
Settings dialog.

7.4.1 SMTP Settings: General


Use the General tab to configure settings for sending SMTP email messages, including sender
information; priority, sensitivity, and importance settings; and custom message headers.

Email Profile
Profile Name - While multiple email profiles may be created, only one may be used. The default
profile name is called Default.

Description - Text field that may be edited and used to enter a short note or description
regarding the email profile.

Sender Information
This information is sent with each email in its header and will appear when the recipient reads the
mail. Some email servers will reject messages that lack the proper address information for these
fields (i.e. wrong domain name).

Name - The friendly name of the email sender.


Organization - Enter the name of your organization.
Sender Email - Enter an email address that tells the recipient who this message is "From".
Reply-to Email - If a user replied to the email, this is the address the email will be sent back
"To".
Read Receipts Email - Optional. Enter the address that a read receipt should be sent to. Adds
the Disposition-Notification-To header field to the email message. The read receipt is a
request for the receiving email client to send a delivery status notification as soon as the person
opens the email. If the reader approves the read receipt be returned, the reader's email client
will send a reply email to the reply-to email address specified in the profile settings.
Return Receipt To Email - Optional. Enter the address that a delivery receipt for the message
should be sent to. Adds the Return-Receipt-To header field to the email message. The
delivery receipt is a request for the receiving mail server to send a delivery status notification as
soon as it receives the email.

Priority / Sensitivity / Importance


(Optional) For each property, select the value that should be applied to email messages sent by
this product. How these settings are processed depends on the client application that receives
the email. For example, in Microsoft Outlook, a message with a Priority setting of Urgent
displays with an exclamation mark (!) next to the message.

Advanced Message Settings


This section should not be confused with email subject lines. Do not enter any information in these
fields if you are not comfortable writing custom MIME headers for email. Use this section to enter
a custom message header (MIME header) to be included in all email messages. Message headers
are special text added to the message before the body of the message appears. Leave this section
blank if special headers are not needed.

Name - The attribute name to include in the message header.


Value - The attribute value to include in the message header.

7.4.2 SMTP Settings: Outgoing Server


Use the Outgoing Server tab to configure SMTP server settings.

Outgoing SMTP Server Settings


How you configure these settings will depend on how your SMTP server is configured.

Outgoing SMTP Server Name - Enter the DNS name or IP address of the server.
Port - Port 25 is standard for email. For SSL/TLS encrypted email it may be port 25, 465, or 587.
Default (Button) - Resets the port number value to port 25.
Server Timeout - The default value of 30 seconds works in most cases. Increase this time if
necessary.
Authentication Method - Choose the authentication option that your SMTP server is
configured to use. Incorrect method settings can prevent connectivity with a mail server even
when the credentials are correct.
USER_PASSWORD - basic username and password as spelled out in the Email Server
Authentication section.

CRAMMD5 - challenge-response authentication mechanism protects the password in transit.

NTLM - NTLM challenge-response authentication to the email server, which never actually sends the
user's password.

SASLPLAIN - challenge-response authentication that does not protect the password in transit.

KERBEROS - Kerberos authentication with the email server.

XOAUTH2 - Use XOAUTH2 method to authenticate to the email server. This will also require
configuration of the OAUTH2 Authentication tab.

SSL/TLS Channel Encryption If using SSL/TLS encryption, choose the option that your SMTP
server is configured to use.

AUTOMATIC - negotiate with the email server to find a supported SSL/TLS or plain text method.
Not all email servers support negotiation.

IMPLICIT - the mail server expects the initial connection to already be encrypted.

EXPLICIT - the mail server does not require the initial connection to be made with SSL/TLS but may
switch to SSL/TLS after the connection is initiated.

NONE - use when automatic negotiation does not work and SSL/TLS is not configured on the
email server.

Email Server Authentication


Use Authentication Credentials - Select this option if your SMTP server requires authentication;
otherwise, clear it to use anonymous authentication.

The following settings are required if Use Authentication Credentials is enabled.

User Name - The user name configured to authenticate to the SMTP server.
Password - The password required to authenticate to the SMTP server.

Email Server SSL Settings


Use SSL Client Certificate Authentication - Select this option if your SMTP server is configured to
use SSL encryption. SSL encryption allows both logon credentials and data to be encrypted during
the SMTP transaction. The server must already be set up to use SSL encryption for this option to
work. Test the SSL functionality with an email client to confirm that all SSL components are
configured correctly.
The following settings are required if Use SSL Client Certificate Authentication is enabled.

Choose one of the following options:

User Certificate File - Enter the path to the security certificate file.

User Authentication Certificate Store - Enter the path to the certificate store if one is
configured.

User Certificate Password - If required, enter the password that further secures the certificate
file.
Enable Cached Certificate - Select to allow caching of the certificate information.

Test Options
Test Connection - Click to verify connectivity to the SMTP server and that the server accepts
the configured credentials. This feature completes the handshake with the server to test that
mail can be sent, but it does not send mail.
The program log records the transaction details, for example:
SetMailServer error: 11001, [11001] Host not found
Failed to fill SMTP settings
Failed to send email message error: Host not found.
Send Test Email - Sends a test email message.
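When Test Connection fails even though the credentials are right, the cause is usually a mismatch between the Authentication Method or SSL/TLS Channel Encryption setting and what the server actually offers. The added example below (not the product's own code) performs the same kind of handshake without sending mail, reads the server's EHLO capabilities, and maps them onto the option names of this tab. The mapping of SASL mechanisms to option names, and treating port 465 as IMPLICIT, are assumptions.

```python
import smtplib
import ssl
import sys

# Assumed: which EHLO AUTH mechanism each Authentication Method option needs.
_METHOD_FOR_MECH = {
    "LOGIN": "USER_PASSWORD",
    "CRAM-MD5": "CRAMMD5",
    "NTLM": "NTLM",
    "PLAIN": "SASLPLAIN",
    "GSSAPI": "KERBEROS",
    "XOAUTH2": "XOAUTH2",
}


def recommend_settings(features, port):
    """Map EHLO features (smtplib's esmtp_features dict) to the tab's options.

    Returns (channel_encryption, [authentication methods in server order]).
    """
    if port == 465:
        channel = "IMPLICIT"      # TLS is up before the banner (assumed)
    elif "starttls" in features:
        channel = "EXPLICIT"      # plain connection, upgraded via STARTTLS
    else:
        channel = "NONE"
    mechs = features.get("auth", "").upper().split()
    methods = [_METHOD_FOR_MECH[m] for m in mechs if m in _METHOD_FOR_MECH]
    return channel, methods


def probe_smtp(host, port=25, timeout=30, username=None, password=None):
    """Complete the handshake like Test Connection does; never sends mail."""
    context = ssl.create_default_context()    # verifies the server certificate
    if port == 465:
        server = smtplib.SMTP_SSL(host, port, timeout=timeout, context=context)
    else:
        server = smtplib.SMTP(host, port, timeout=timeout)
    try:
        server.ehlo()
        if server.has_extn("starttls"):
            server.starttls(context=context)
            server.ehlo()          # AUTH mechanisms often appear only after TLS
        result = recommend_settings(server.esmtp_features, port)
        if username is not None:
            server.login(username, password)   # raises SMTPAuthenticationError
        server.noop()
        return result
    finally:
        try:
            server.quit()
        except smtplib.SMTPException:
            pass


if __name__ == "__main__":
    # Usage: probe.py <host> [port]; the host name is whatever you configured.
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
    print(probe_smtp(host, port))
```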

7.4.3 SMTP Settings: S/MIME


Use the S/MIME tab to configure secure email settings. Secure/Multipurpose Internet Mail
Extensions (S/MIME) is a system for sending email securely using encryption and digital signatures.

Sign Email
To sign email you need a Secure Email certificate.

Note: If the solution cannot read the specified signing file, the Sign Email check box is
automatically cleared the next time the dialog is reopened. To ensure that the
signing file is valid, click Verify before closing the dialog.

Sign Email - Select this option to digitally sign the outgoing email. A digital signature allows
recipients to confirm who sent the message and verify that it was not tampered with. The
recipient must also trust the signing certificate. Choose from the following to specify the
certificate to use to sign the outgoing email:
Signing File - To browse for a certificate located in the file store, select this option and click the
ellipsis (...).

Signing Certificate Store - To choose from a list of certificates held in the certificate store, select
this option and click the ellipsis (...).

Signing Cert Password - Enter the password that was used while exporting the certificate (if
applicable).
Hash Algorithm - Choose the algorithm used to prepare the message digest for signature.
Enable Cached Certificate - Select to allow caching the certificate in the product's database; clear this
option if the certificate should be loaded from the path or cert store that the dialog specifies.
Consider enabling this option if you run components on different servers and signing is failing
because the servers can't access the required certificates locally.
Attach Certificate to Email - Specifies whether to include the signer's certificate with the signed
message. If this option is selected, the certificate used to sign the message will be encoded and
included in the message signature.
Verify - Click to test that the email can be successfully signed.

Encrypt Email
S/MIME message encryption as implemented in this product requires an enterprise PKI. Only
messages sent to recipients in your organization's address list can be encrypted. Encrypted
messages sent to recipients who do not have a certificate cannot be read.

Note: If the solution cannot read the specified encryption file, the Encrypt Email check
box is automatically cleared the next time the dialog is reopened. To ensure that
the encryption file is valid, click Verify before closing the dialog.

Encrypt Email - Select this option to encrypt outgoing email with the recipient's Public Key. The
recipient must have the corresponding private key to decrypt the email. Choose from the
following to specify the certificate to use to encrypt the outgoing email:
Encryption File - To browse for a certificate located in the file store, select this option and click
the ellipsis (...).

Encryption Certificate Store - To choose from a list of certificates held in the certificate store,
select this option and click the ellipsis (...).

Encrypt Cert Password - Enter the password that was used while exporting the certificate (if
applicable).
Encryption Algorithm - Choose the algorithm used to encrypt the email.
Enable Cached Certificate - Select to allow caching the certificate in the product's database;
clear this option if certificates should be loaded from the path or cert store that the dialog
specifies. Consider enabling this option if you run components on different servers and
encryption is failing because the servers can't access the required certificates locally.
Verify - Click to test that the email can be successfully encrypted.

7.4.4 SMTP Settings: OAUTH2 Authentication


Configure the OAUTH2 Authentication tab if you choose to authenticate to your SMTP server using
the OAuth2 protocol. This is an experimental feature. Customer feedback is welcome.

ClientId - The ID of the OAuth client that was assigned when the application was registered
with the authorization server.
ClientSecret - The secret value for the client that was assigned when the application was registered.
ServerAuthURL - The URL of the authorization server.
ServerTokenURL - The URL used to obtain the access token.
AuthorizationScope - (Optional) The scope request or response parameter used during
authorization. If the scope is not set, the authorization server uses the default access scope
for your application as determined by the server. To request a specific access scope, set this
property to a space-separated list of strings as defined by the authorization server.
Authentication Value - Provide an authentication value if required by the authorization server.
Get OAUTH Authentication - Click to start the authorization process. A browser window opens
to the OAuth authentication page that you specified so that you can complete the
authentication flow.
Sample Data - Populates the configuration fields with sample data for a demo application.
Warning! Clicking this button will overwrite your form entries.
Hide Browser Response - Click to suppress the confirmation pop-up that indicates whether
authorization was successful.

7.4.5 SMTP Settings: Firewall Configuration


If necessary, use the Firewall Configuration tab to configure the settings needed to connect to your
SMTP server through a firewall.

Firewall Type - Select the type of firewall to connect through. The options are:
None - default. The client will connect directly to the mail server.

Tunnel - bypasses the local router and connects the email client directly to the email server.

SOCKS4 - basic proxy connection with no additional security that supports TCP only.

SOCKS5 - basic proxy connection that combines TCP and UDP support and allows for domain
name resolution (DNS).

Auto Detect Firewall - Tells the component whether or not to automatically detect and use
firewall system settings, if available.
Host - Enter the name or IP address of the firewall (optional). If a domain name is provided, a
DNS request will set this property to the corresponding address.
Port - The TCP port of the firewall host. This value is set automatically based on the value of the
Firewall Type setting. Edit the value to override the default setting.
User Name - Enter a user name if the firewall requires authentication.
Password - Enter a password if the firewall requires authentication.

7.4.6 SMTP Settings: SMTP Logging


Use the SMTP Logging tab to configure logging options for SMTP email. Communication transaction
details are logged as SMTP operations are performed. These options are useful for debugging
problems with SMTP traffic.

Enable Event Log Logging - Select this option if the solution should write SMTP log events to
the Windows event log.
Enable SMTP File Logging - Select this option if the solution should write SMTP application log
events to a text file. Configure the following setting if Enable SMTP File Logging is enabled:
Log File Name - Provide the path to the .txt file where SMTP events should be logged.

7.5 ORACLE AS A DATASTORE


As of January 1, 2015, Oracle databases are no longer supported for use as the back-end data
store to Lieberman RED Identity Manager. Lieberman Software will continue to support
customers who maintain a support agreement and who purchased Oracle datastore support prior
to this date. For details, contact your Lieberman Software account representative.
The following documentation is provided for customers who have purchased support to use an Oracle
database as a back-end datastore.
Supported versions of Oracle database include:

Oracle Database 11g R1, 32-bit
Oracle Database 11g R1, 64-bit
Oracle Database 11g R2, 32-bit
Oracle Database 11g R2, 64-bit

Standard Edition One, Standard Edition, and Enterprise Edition are supported. The Oracle database may
be hosted on a Windows or non-Windows platform.
Lieberman RED Identity Manager requires its own table space and must be granted an unlimited
quota on this table space.
The following rights are required by the account used to connect to the Oracle database:

CONNECT
CREATE TRIGGER
CREATE SEQUENCE
CREATE TABLE
CREATE VIEW
Oracle uses overly conservative initial configurations for a heavily threaded product such as
Lieberman RED Identity Manager. In a default configuration where Lieberman RED Identity Manager
is spawning at least 100 threads to the database, this can cause the database to run out of
resources, resulting in failed jobs (specifically, incomplete password changes). This behavior is easily
seen and replicated by trying to do things such as changing passwords across a largish number of
systems. One way to combat this is to drop the thread count down to 20 threads or less (Settings |
Program Options). This slows down job processing while increasing the
likelihood of a successful job (as far as the database is concerned).
Another highly recommended option is to change the memory and thread allocation to the Oracle
database. Start with:

show parameter memory
show parameter process

This will give you your baseline settings. To change the allocations use:

alter system set memory_target=xxxxM scope=spfile;
alter system set processes=yyyy scope=spfile;

Where xxxx is the amount of memory allocated to the database, and yyyy is the number of threads.
We recommend a value of 2000 or much higher for the memory, and a minimum value of 1000
threads.

Note: The Oracle 11g R2 OLEDB provider (version 11.2.0.3) does not properly register on
Windows servers. If using this version of the OLEDB provider, please also run the
following command after installing the Oracle OLEDB provider on your Windows
server:

regsvr32 <OracleHome>\bin\OraOLEDB11.dll

When configuring the Oracle 32-bit OLEDB provider, although not a strict requirement, it may be
helpful to configure the local provider to use a tnsnames file because this will greatly simplify the
server lookup and naming requirements that the Lieberman RED Identity Manager database
configuration will require. If the Oracle database is on a non-standard port (other than 1521), use of
the tnsnames file will negate the need for a custom connection string where the Oracle account
password must also be supplied as part of the connection string in clear text.

Chapter 8 Index

A
ACCOUNT ELEVATION 142
ACCOUNT ELEVATION 152
ADDENDA 215
APP OPTIONS 142
APP OPTIONS 142
AZURE SQL 230

B
BACKGROUND AND GOALS 2

C
CONFIGURING SSL ON IIS 48
CONNECTING TO MICROSOFT SQL HA AND CLOUD DATABASE CONFIGURATIONS 129, 217, 218
CONNECTING TO MICROSOFT SQL HA AND CLOUD DATABASE CONFIGURATIONS 223
CONSOLE DISPLAY 142
CONSOLE DISPLAY 160
CONSOLE HOST SYSTEM REQUIREMENTS 16, 19, 20, 120, 178

D
DATA STORE CONFIGURATION OPTIONS 8, 129, 223, 226, 230, 233
DATA STORE CONFIGURATION OPTIONS 217
DIRECT LINKS 142
DIRECT LINKS 150

E
EMAIL SETTINGS 132, 143
EMAIL SETTINGS 251
ENABLING REMOTE COM+ ACCESS 63
ENCRYPTION OPTIONS 8
ENCRYPTION OPTIONS 234

F
FILE STORE 207
FILE STORE SETTINGS 142
FILE STORE SETTINGS 150

I
INSTALLATION ROADMAP 119
INSTALLATION ROADMAP 7
INSTALLING AND CONFIGURING IIS 20
INSTALLING AND CONFIGURING IIS 35
INSTALLING DATABASE PROVIDERS (CONNECTORS) 68
INSTALLING IIS COMPONENTS FOR TARGET MANAGEMENT ONLY 35
INSTALLING IIS FOR WEB HOSTING 42
INSTALLING LIEBERMAN RED IDENTITY MANAGER 119
INSTALLING LIEBERMAN RED IDENTITY MANAGER PREREQUISITES 7, 13
INSTALLING SUPPORT FOR WEB SERVICE HOSTING 38, 42
INSTALLING THE IBM DB2 PROVIDER 94
INSTALLING THE MICROSOFT SQL SERVER PROVIDER 68
INSTALLING THE MYSQL & MARIADB PROVIDER 88
INSTALLING THE ORACLE PROVIDER 69
INSTALLING THE POSTGRESQL PROVIDER 103
INSTALLING THE SYBASE ASE PROVIDER 77
INSTALLING THE TERADATA PROVIDER 105
INTRODUCTION 1

L
LICENSE AGREEMENT 4
LIMITED WARRANTY 4

M
MANAGED COMPUTER AND DEVICES REQUIREMENTS 30
MANAGED DATABASE REQUIREMENTS 32
MANAGEMENT CONSOLE 7
MANAGEMENT CONSOLE 120
MINI-SETUP WIZARD 8, 126
MINI-SETUP WIZARD 126
MIRRORED DATABASES 223
MULTI-FACTOR AUTHENTICATION 142
MULTI-FACTOR AUTHENTICATION 156

O
ORACLE AS A DATASTORE 21, 217
ORACLE AS A DATASTORE 265

P
PASSWORD ACCESS 142, 143, 150
PASSWORD ACCESS 147
PERFORMANCE NOTES 2
PORT REQUIREMENTS 27
POST INSTALLATION OR UPGRADE STEPS 141, 170, 192, 202, 207
PREPARING FOR THE UPGRADE 204
PREPARING FOR THE UPGRADE 172
PRODUCT REQUIREMENTS OVERVIEW 14

R
RECOMMENDED KNOWLEDGE 14
REGISTRATION 8
REGISTRATION 135
REMOTE SESSIONS 142
REMOTE SESSIONS 158

S
SAFENET/GEMALTO - KEYSECURE 243
SECURITY 142
SECURITY 153
SERVICE ACCOUNT REQUIREMENTS 24, 138, 162, 188, 193
SMTP SETTINGS
    Firewall Configuration 262
    General 252
    OAUTH2 Authentication 260
    Outgoing Server 254
    S/MIME 257
    SMTP Logging 264
SOLUTION DATABASE REQUIREMENTS 21, 218
SQL ALWAYSON 226
SSL 209
SSL WITH IIS - NO EXISTING CERT 52
SSL WITH IIS - WITH AN EXISTING CERT 48
START HERE
    Installation and Upgrade Roadmap 7, 13

T
THALES/NCIPHER HSM 239

U
UNDERSTANDING PREREQUISITES 7, 12, 172
UNDERSTANDING PREREQUISITES 14
UPGRADE ROADMAP 9
UPGRADING APPLICATION LAUNCHER AND SESSION RECORDING 206
UPGRADING LIEBERMAN RED IDENTITY MANAGER 12, 171
UPGRADING POWERSHELL 205
UPGRADING SCHEDULING SERVICES 202
UPGRADING THE MANAGEMENT CONSOLE 178
UPGRADING THE WEB APPLICATION 186
UPGRADING THE WEB SERVICE 193
URL REDIRECTS 210
USER CERTIFICATES 209
USER DASHBOARDS - LEGACY WEBSITE 142
USER DASHBOARDS - LEGACY WEBSITE 161
USER/SESSION MANAGEMENT 142
USER/SESSION MANAGEMENT 157
UTIMACO HSM 247

W
WEB APPLICATION 8, 133, 134
WEB APPLICATION 136
WEB APPLICATION CONFIGURATION OPTIONS 138, 142, 189
WEB APPLICATION HOST REQUIREMENTS 19, 20, 136, 186
WEB SERVICE 8, 19, 141, 192
WEB SERVICE 162
WEB SERVICE HOST REQUIREMENTS 19, 20, 162, 193
WINDOWS 2008 & LATER REMOTE COM+ ACCESS 63
WINDOWS FIREWALL & COM+ NETWORK ACCESS 63, 66
WINDOWS INTEGRATED AUTHENTICATION 212