5.5.2.1
Copyright 2003-2017 Lieberman Software Corporation.
All rights reserved.
The software contains proprietary information of Lieberman Software Corporation; it is provided
under a license agreement containing restrictions on use and disclosure and is also protected by
copyright law. Reverse engineering of the software is prohibited.
Due to continued product development this information may change without notice. The
information and intellectual property contained herein is confidential between Lieberman Software
and the client and remains the exclusive property of Lieberman Software. If there are any
problems in the documentation, please report them to Lieberman Software in writing. Lieberman
Software does not warrant that this document is error-free.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any
form or by any means, electronic, mechanical, photocopying, recording or otherwise without the
prior written permission of Lieberman Software.
Microsoft, Windows, Word, Office, SQL Server, SQL Express, Access, MSDE, and MS-DOS are either
registered trademarks or trademarks of Microsoft Corporation in the United States and/or other
countries. Other brands and product names are trademarks of their respective owners.
Contents
CHAPTER 1 INTRODUCTION ...................................................................................................1
1.1 Performance Notes ..................................................................................................................2
1.2 Background and Goals ..............................................................................................................2
1.3 Limited Warranty .....................................................................................................................4
1.4 License Agreement ...................................................................................................................4
CHAPTER 2 START HERE: INSTALLATION AND UPGRADE ROADMAP ........................................7
2.1 Installation Roadmap ...............................................................................................................7
2.2 Upgrade Roadmap....................................................................................................................9
CHAPTER 3 INSTALLING LIEBERMAN RED IDENTITY MANAGER PREREQUISITES ..................... 13
3.1 Understanding Prerequisites ..................................................................................................14
3.1.1 Recommended Knowledge ............................................................................................14
3.1.2 Product Requirements Overview ...................................................................................14
3.1.3 Console Host System Requirements ..............................................................................16
3.1.4 Web Service Host Requirements ....................................................................................19
3.1.5 Web Application Host Requirements .............................................................................20
3.1.6 Solution Database Requirements ...................................................................................21
3.1.7 Service Account Requirements ......................................................................................24
3.1.8 Port Requirements .........................................................................................................27
3.1.9 Managed Computer and Devices Requirements ...........................................................30
3.1.10 Managed Database Requirements .............................................................................32
3.2 Installing and Configuring IIS ..................................................................................................35
3.2.1 Installing IIS Components for Target Management Only ...............................................35
3.2.2 Installing Support for Web Service Hosting....................................................................38
3.2.3 Installing IIS for Web Hosting .........................................................................................42
3.2.4 Configuring SSL on IIS .....................................................................................................48
3.2.4.1 SSL with IIS - With an Existing Cert .......................................................................................... 48
3.2.4.2 SSL with IIS - No Existing Cert .................................................................................................. 52
3.3 Enabling Remote COM+ Access..............................................................................................63
3.3.1 Windows 2008 & Later Remote COM+ Access...............................................................63
3.3.2 Windows Firewall & COM+ Network Access ..................................................................66
3.4 Installing Database Providers (Connectors) ...........................................................................68
3.4.1 Installing the Microsoft SQL Server Provider .................................................................68
3.4.2 Installing the Oracle Provider .........................................................................................69
3.4.3 Installing the Sybase ASE Provider .................................................................................77
3.4.4 Installing the MySQL & MariaDB Provider .....................................................................88
3.4.5 Installing the IBM DB2 Provider .....................................................................................94
iv Contents
Chapter 1 Introduction
Lieberman RED Identity Manager is a solution designed to establish a base of knowledge regarding
the systems and devices in your network and the accounts on those systems and devices, and to
enable ongoing password or SSH key rotation for those accounts. Once the credentials are
managed and/or securely stored in Lieberman RED Identity Manager, they may be securely
retrieved by users or processes in a variety of ways, such as interactively through a web site or
programmatically via REST- or SOAP-based web services. Once implemented, Lieberman RED
Identity Manager enhances the effectiveness of end-user-focused IAM/IDM solutions by securing
the credentials they use to perform their work. Lieberman RED Identity Manager is also designed
to take part in workflow, orchestration, and, most importantly, incident response.
By placing Lieberman RED Identity Manager at the center of your incident response process, you
will not only achieve security for privileged identities, you will also be able to respond
automatically to security breaches that leverage or attack those credentials. Consider an edge
protection device that detects improper use of administrative or sensitive credentials. Such a
product can trigger Lieberman RED Identity Manager to rotate those credentials automatically,
changing the attack surface simply by having that device/service trigger a password or key
rotation. Consider a Kerberos golden ticket attack. Lieberman RED Identity Manager can reset the
Kerberos system for the entire forest, dislodging an embedded attacker who relies on that attack
vector and taking back control of your network.
This chapter includes an overview of Lieberman RED Identity Manager, what problems it is designed
to solve, performance information, and other legal information.
IN THIS CHAPTER
without any concern as to the consequences to the organization should these common credentials
be compromised.
With the mandates of PCI-DSS, Sarbanes-Oxley, HIPAA, Gramm-Leach-Bliley, California Security
Breach Information Acts, NASD 3010, SEC 17a-4, 21 CFR Part 11, DoD 5015.2 and others, the
implementation of reasonably hard to compromise local logon credentials is mandatory for most
organizations as a means for protecting not only the confidentiality of their data, but also to protect
against tampering.
the SOFTWARE to a single hard disk provided you keep the original solely for backup and archival
purposes. The manual is a copyrighted work. Also, you may not make copies of the manual for any
purpose other than the use of the software.
3. Other Restrictions: You may not rent or lease the SOFTWARE. You may not reverse engineer,
de-compile, or disassemble the SOFTWARE that is provided solely as executable programs (EXE
files). If the SOFTWARE is an update, any transfer must include the update and all prior versions.
When used lawfully, this software periodically transmits to us the serial number and network
identification information of the machine running the software. No personally identifiable
information or usage details are transmitted to us in this case. The program does not contain any
spyware or remote control functionality that may be activated remotely by us or any other third
party.
IN THIS CHAPTER
database connections and encryption settings. Don't worry if you do not yet have all of the
information required at this point, as all configurations may be performed or changed
post-installation as well. See Mini-Setup Wizard (on page 126) for details.
d. Register Lieberman RED Identity Manager.
Completing the "Registration" dialog enables switching from demo mode to extended demo
mode or switching from demo mode to commercial mode. See Registration (on page 135) for
details.
e. Optional - Configure permissions to launch the management console.
Following installation, any user who is an administrator of the system where the management
console is installed and also has access to the program datastore will have the ability to launch
the application. Configuring these permissions allows you to enable MFA requirements for
launching the console as well as define what aspects of the management console are available
to users of the console. See the admin guide for more details.
f. Optional - Configure database settings.
If reconfiguration of database settings is required, such as provider, connection limits, or
connection strings for HA configurations, see Data Store Configuration Options (on page 217) for
more details.
g. Optional - Configure encryption settings.
Passwords managed and/or stored by Lieberman RED Identity Manager are encrypted and then
stored in the secure datastore. The use of HSM or software based encryption is supported at all
times and may be changed at any point in time. See Encryption Options (on page 234) for more
details.
5) Install the web application.
6) The web application is used by consumers and auditors. Consumers will retrieve secured
passwords or establish sessions through a delegated and audited process. Auditors will be able
to generate reports and audit settings. See the installation section for the Web Application (on
page 136) for more details.
7) Install the web service.
The web service provides API based functionality via a SOAP or REST based URI and is required
by the web application, PowerShell, federated (SAML/OAUTH) logins, and application launcher
(optional module) modules. The web service is deployed from a separate installer or can be
pushed from the management console with version 5.5.2.1 of the product or later. See the
installation section for the Web Service (on page 162) for more details.
8) Optional - Install one or more zone processors.
Start Here: Installation and Upgrade Roadmap 9
A zone processor is a remotely deployed scheduling service designated to perform specific jobs
against a specific list (management set) of systems and devices. Conversely, the default deferred
processor is installed with the management console and will handle any configured jobs against
any and all lists of systems. Zone processors are typically used in DMZs or distributed networks
where normal communication may not be allowed. Zone processors are also used to improve
the job processing throughput of the entire solution. Zone processors may also require
secondary installations of integration components and the cross platform support library. See
Installing and Configuring Zone Processors in the admin guide for more details.
9) Optional - Install the PowerShell cmdlets.
PowerShell cmdlets extend the management of Lieberman RED Identity Manager to a command
line /scripting environment. See Installing the PowerShell Cmdlets in the admin guide for more
details.
10) Install the application launching and session recording components.
Application launching allows users to enter a privileged session without gaining access to the
underlying credentials (password, key, etc.) via a secured host where session recording may also
be enabled for the session. See Installing the Application Launcher and Session Recording guide
for more details.
11) Optional - Install the Syslog Forwarder Service.
This service listens for Syslog UDP traffic and retransmits it using SSL and/or TCP on the same or
a different port, for greater security and reliability when forwarding events to loggers and SIEM
products. See Using the Syslog Forwarder in the admin guide for more details.
If upgrading from version 5.4.0 or earlier, zone processors should be removed first, then
re-installed due to file and registration differences. Failure to do so will render the zone
processors inoperable. Be sure to take notes on the current configuration.
Chapter 3 Installing Lieberman RED Identity Manager Prerequisites
This chapter documents the installation prerequisites for Lieberman RED Identity Manager. Based
on your starting host system configuration, your actual installation experience may vary.
Note the following topics are not covered:
Installation of Windows
Installation of Microsoft .Net Framework
Installation of Microsoft Windows Management Framework
Installation of Java JRE or Java SDK
See the Start Here: Installation and Upgrade Roadmap (on page 7) for a complete list of installation
tasks.
IN THIS CHAPTER
Knowledge of the program data store (MS SQL Server) and all target databases
IIS web server technologies
Network administration
System administration
Lieberman RED Identity Manager uses a management console application in conjunction with a local
service to set up recurring discovery jobs and password change jobs. The web application provides
access to managed credentials and other functionality using a web browser. The web application is
deployed as an IIS web application. It includes COM+ applications and a collection of ASP and
ASP.NET files that are set up in a virtual directory on the web server. The web server must be
Microsoft Internet Information Services. A Microsoft SQL Server database is required to store
program data.
Lieberman RED Identity Manager component host servers should be patched, secured, and properly
configured in conjunction with your corporate patching strategy to help ensure that the password
store system will not be compromised.
Management Console - the primary administrative interface for gross configuration of the
product.
Web Site - the primary user interface for retrieving managed credentials or establishing
sessions.
Web Service - the resource used by PowerShell, application launcher, the web site, and other
components to perform programmatic access and management of the product.
Installing Lieberman RED Identity Manager Prerequisites 15
Database - the datastore where managed passwords are stored and where most program
configurations are stored. All product components require communication to the database.
If any components will be shared on a single host, then simply combine the requirements. The
database in particular should be placed on a separate system to keep the encrypted data
segregated from the encryption key.
The product is supported in a physical, virtual (cloud), or physical-virtual mixed environment. The
virtual host platform is irrelevant to the support of the product. All virtualization platforms are
supported. Virtual host and virtual machine configurations, however, can severely impact or impede
the ability of the product to work because virtual host and guest configurations do affect every
component of the virtual guest that is running the product.
Additional components include the following:
The deferred processing service - Required to utilize scheduled jobs and automatic retry
options. Comes with the download package.
Zone processors - generally required to manage segregated and distributed networks
(additional license required).
Integration Components (IntegrationComponents.msi) - additional connectors used by zone
processors or remote web services and web applications to function with email, help desk
systems, syslog output, and more.
Cross Platform Support Library (CrossPlatformSupportLibrary.msi) - Required to manage and
discover non-Windows based systems and devices (e.g. Cloud, Linux, UNIX, and Cisco IOS
devices from zone processors). Comes with the download package.
An email server - Optional. The product can send email notifications. The configuration of the
email server (including enabling SSL and establishing a certificate trust) is done outside
Lieberman RED Identity Manager.
An IIS web server (supplied with host operating system) with ASP (Active Server Pages)
processing and ASP.NET enabled - Required to utilize the Lieberman RED Identity Manager web
application and web service.
IIS Media Services - Optional. When using application launching and the free/included session
recording, IIS Media Services must be installed to stream the recorded sessions. Comes with the
download package.
Platform Requirements
A Windows Server operating system is required for a production installation of Lieberman RED
Identity Manager. The solution is fully supported on a physical server or a virtual machine,
regardless of the virtual host platform. For lab/testing environments, a workstation-class operating
system, such as Windows 10 Professional will suffice. All service pack levels and editions are
supported except where specifically noted. We recommend using Windows Server 2012 R2 as the
host platform.
Supported versions of Windows Server are:
Note: ERPM v4.83.8 and later is not supported on Windows Server 2008 (non-R2
revisions) and earlier operating systems due to inconsistencies in the OS.
Generally, these are compatibility problems, and in some cases, incomplete APIs.
Hardware Requirements
In addition to the requirements needed to support the host system and database, the product itself
requires at least the following:
1GB of RAM.
Notes
If using a Windows Server 2008 R2 or later host operating system for Lieberman RED Identity
Manager, there will be inconsistencies with remote COM+ management interfaces when
managing COM+ on Windows 2000 target machines. This is by Microsoft's security design. For
further information on this matter, including how to address the issues, please read the
following article:
https://liebsoft.zendesk.com/hc/en-us/articles/236069048-Stub-Received-Bad-Data-When-Propagating-to-Windows-2000
If attempting to manage databases other than Microsoft SQL Server, the most recent 32-bit
OLEDB providers, typically available from the database vendor or installation media, will be
required to be installed on any component that will manage the target database. This should
include the management console as well as any remote deferred or zone processors.
Before the product can be installed successfully, Microsoft .NET Framework v4.5.2 or later must
also be installed; version 4.5.2 must be installed on operating systems prior to Windows Server
2016. Microsoft .NET Framework version 3.5 SP1 is included in Server 2008 R2. Windows
Server 2012 R2 includes .NET version 4.5.1 and will require additional steps to install version
4.5.2 or later. We recommend using the latest version and service pack of the Microsoft .NET
Framework.
Lieberman RED Identity Manager also ships with an optional Java-based SDK for
application-to-application and application-to-database secure password management. This is
available for both Windows and non-Windows operating systems. Java 1.5 or higher, 32-bit
edition is required to make use of this. If Java 1.5+ is not installed, the program's Java-based
SDK will not be available to Lieberman RED Identity Manager. If there are no plans to make use
of the program's Java-based SDK, then there is no need to install Java on the host system or
target systems.
If attempting to integrate System Center Service Manager (SCSM), the SCSM SDK binaries will
need to be obtained from the installation directory of SCSM and placed into the installation
directory of Lieberman RED Identity Manager.
If attempting to manage System Center Operations Manager (SCOM), the SCOM SDK binaries
will need to be obtained from the installation directory of SCOM and placed into the installation
directory of Lieberman RED Identity Manager.
Virtual environments are fully supported for all components of the solution. However, there
may be severe performance limitations depending on the virtual environment versus the
environment being managed.
Please refer to the following knowledge base article for more information on HA, DR, and basic
comments on security:
https://liebsoft.zendesk.com/hc/en-us/articles/236068808-Disaster-Recovery-Security-and-High-Availability
IMPORTANT! If the web service is hosted at a different URL than the web
application, CORS (Cross-Origin Resource Sharing) support must also be enabled
in the web service's web.config file, and additional browser configuration may be
required.
Static Content
Default Document
HTTP Errors (Required for secure file store.)
ASP.NET v 4.5
ASP (Active Server Pages)
Static Content
Static compression (Optional)
IIS Management console
IIS6 Metabase compatibility
Windows authentication (Required if using Windows integrated authentication. Optional,
otherwise.)
For more information, see Installing and Configuring IIS (on page 35).
The management console can push out the web application to a remote web server. If the website
will be hosted on a remote system (relative to the management console), enable remote COM+
access on the web server to support an automated installation of the website. For information
about how to enable this access, see Enabling Remote COM+ and IIS Access.
Note: As of January 1, 2015, Oracle databases are no longer fully supported for use as
the back-end data store to Lieberman RED Identity Manager. Lieberman Software
will continue to support customers who maintain a support agreement and who
purchased Oracle datastore support. For details, contact your Lieberman Software
account representative. For more information on using Oracle as the datastore,
see the Oracle as a Datastore (on page 265) addendum.
The database serves as the Lieberman RED Identity Manager storage and configuration datastore.
Management sets, system information, account information, stored passwords, event sinks, answer
files, email files, and more are stored in the database. Use an existing installation of a database
server, or implement a new instance on an existing database server or a different database server.
We recommend placing the database on a system separate from other product components to keep
the encrypted data segregated from the encryption key.
Console application
Datastore Authentication
There are at least two ways to authenticate to a Microsoft SQL database:
Integrated Windows Authentication
Local SQL Account Authentication / Explicit Database Authentication
Whichever method is configured in the management console at the time of component deployment
will also be the method used by the website COM applications as well as the Deferred Processor
(and zone processors).
The solution may use either authentication method, though Integrated Windows Authentication is
recommended because it permits much more granular control when providing access to the
information within ERPM and also allows for additional logging. If using SQL authentication, all
access to the database server happens in the context of the SQL account rather than the user
performing the action. Whichever method is chosen, access to the solution database will need to
be granted to the SQL account, the Windows user account, or a Windows group containing the
Windows users.
Datastore Permissions
If using a dedicated instance of Microsoft SQL, simply grant:
SYSADMIN = server role
or
Control Server = database server right
This allows the granted users the rights to perform all actions within that instance of SQL including
creating the required databases, stored procedures, all other features in the main application, as
well as backup and restoration.
If it is not desired or permitted to grant SYSADMIN or Control Server to the SQL instance, then the
database that Lieberman RED Identity Manager will use must be pre-created within the SQL Server
instance by the DBA. The SQL account or Windows users/groups will need to be granted the
following roles/rights over the Lieberman RED Identity Manager database:
DBO = user role
or
db_datareader = user role
Additionally, if using SQL 2008 or later, Lieberman RED Identity Manager can take advantage of the
performance recommendations made by SQL Server (for auto-index creation, defragmentation,
etc.). To be able to make use of this feature, the SQL account or Windows users/groups must be
granted the View Server State right on the host SQL server. To do this, open SQL manager and the
properties of the account/group, select Securables, add the database server, and scroll down the
list to View Server State and select the grant option next to that right. If this permission is not
granted, a DBA must be accountable for tuning the product database or performance will decrease
over time.
If using the explicit DB permissions rather than granting sysadmin or DBO, once the user account
has been granted the db_datareader, db_datawriter, and db_ddladmin roles, the EXECUTE
permission is granted via SQL statement such as GRANT EXECUTE TO user_name.
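The explicit-permission path described above (a DBA-created database, the db_datareader, db_datawriter and db_ddladmin roles plus GRANT EXECUTE, and View Server State for the self-tuning feature) written out as one T-SQL script, as an added example that is not part of the Lieberman guide. The database name RedIdentityManager, the Windows login CORP\svc_rim_dp, the computer account CORP\RIMHOST$ and the SQL login rim_sql are placeholders.

```sql
-- Added example, not from the Lieberman guide. Least-privilege datastore permissions
-- for a database the DBA has already created, as an alternative to SYSADMIN / Control Server.
-- Placeholders: [RedIdentityManager], [CORP\svc_rim_dp], [CORP\RIMHOST$], rim_sql.
USE [master];
GO

-- Option A (recommended by the guide): Integrated Windows Authentication.
-- One login for the service account, or for a Windows group containing the service accounts.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CORP\svc_rim_dp')
    CREATE LOGIN [CORP\svc_rim_dp] FROM WINDOWS;
GO
-- If the deferred processor runs as LocalSystem or an MSA, the login is the computer
-- account (ComputerAccountName$) instead, for example:
--   CREATE LOGIN [CORP\RIMHOST$] FROM WINDOWS;

-- Option B: Local SQL account authentication. All database access then runs as this one
-- account, so the per-user granularity and logging of option A are lost.
--   CREATE LOGIN rim_sql WITH PASSWORD = N'<generated password>', CHECK_POLICY = ON;

-- Server-level right needed only for the SQL 2008+ auto-tuning feature (View Server State).
GRANT VIEW SERVER STATE TO [CORP\svc_rim_dp];
GO

USE [RedIdentityManager];          -- pre-created by the DBA
GO
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'CORP\svc_rim_dp')
    CREATE USER [CORP\svc_rim_dp] FOR LOGIN [CORP\svc_rim_dp];
GO

-- Explicit roles instead of DBO: read, write, and the schema changes the product makes.
-- ALTER ROLE ... ADD MEMBER requires SQL Server 2012 or later; on SQL Server 2008 use
--   EXEC sp_addrolemember N'db_datareader', N'CORP\svc_rim_dp';  (and likewise for the others)
ALTER ROLE db_datareader ADD MEMBER [CORP\svc_rim_dp];
ALTER ROLE db_datawriter ADD MEMBER [CORP\svc_rim_dp];
ALTER ROLE db_ddladmin   ADD MEMBER [CORP\svc_rim_dp];
GO

-- Role membership does not cover stored procedures; the guide's GRANT EXECUTE TO user_name:
GRANT EXECUTE TO [CORP\svc_rim_dp];
GO

-- Verification: list the effective database-scope permissions the account actually holds,
-- so that nothing beyond the intended set was granted by accident.
EXECUTE AS USER = N'CORP\svc_rim_dp';
SELECT permission_name, entity_name
FROM fn_my_permissions(NULL, 'DATABASE')
ORDER BY permission_name;
REVERT;
GO
```

Run the script once per service account (or once for a Windows group that contains them); the final SELECT should show CONNECT, SELECT, INSERT, UPDATE, DELETE, EXECUTE and the DDL permissions, but not CONTROL or ALTER ANY USER, which would indicate an unintended db_owner grant.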
Management console
Web Services
Web Site
All tiers may be on a single system or spread across multiple systems. All components operate
independently of each other. When deployed across multiple hosts, loss of the management console
has no functional effect on the website or web service, and vice versa. Furthermore, the service
accounts that run each component have different requirements in terms of security and access
within your environment or within the solution. Because of these different requirements, it is
reasonable to employ multiple service accounts to separately perform the specific functions of the
solution and thus minimize the permissions granted to or required by any product component service
account. It is also fully supported to use the same service account for all functions of the solution.
This topic will cover the service accounts for the primary components. Service accounts for optional
components (Application Launcher and Session Recording) will be covered in their specific
sub-sections.
Domain User - recommended when authenticating domain users or working with domain
groups.*
*If multiple trusting domains will be managed by a single implementation of Lieberman RED Identity
Manager, the COM identity must be a trusted user for the target domain(s) or manual configuration
of an authentication server entry will be required with an explicit credential for that domain. If using
a directory other than active directory for user authentication, this requirement may be skipped
unless using Integrated Windows Authentication to the database.
The website COM application must be configured to run as a user account, but this account can be
automatically managed by Lieberman RED Identity Manager.
Note: The COM account, if using a separate account than the deferred processing
account, may need administrative rights over target Windows systems. This right
becomes a requirement ONLY IF the website option to Block password Check-in if
account is in use is enabled. Enabling this option allows the COM application to
enumerate all active sessions and determine if the specified account is still
"logged in" according to the target Windows system.
Domain User - recommended when authenticating domain users or working with domain
groups.*
*If multiple trusting domains will be managed by a single implementation of Lieberman RED Identity
Manager, the COM identity must be a trusted user for the target domain(s) or manual configuration
of an authentication server entry will be required with an explicit credential for that domain. If using
a directory other than active directory for user authentication, this requirement may be skipped
unless using Integrated Windows Authentication to the database.
The website COM application must be configured to run as a user account, but this account can be
automatically managed by Lieberman RED Identity Manager.
Log on as a service*
DBO rights for the application database (system admin of the DB not required) if using integrated
authentication
The account used to run the deferred processing service cannot manage itself! Managing this
account through a scheduled job will cause any job being run by that processor at the time to be
stopped mid-process, which leaves the job in a locked and incomplete state that in most cases
requires administrative intervention to resolve. This will also cause all other scheduled jobs to
stop running until the service is started manually. An alternative to using a named service
account for the scheduling service is to configure the service to run as LocalSystem or to use a
Microsoft Managed Service Account (MSA). This removes the password management requirements
for the service. However, for the LocalSystem method to succeed, you must also grant
permissions to the database for the computer account (ComputerAccountName$) and ensure
the computer account is seen as an administrator of all managed systems.
Note: If the computer account is added to a new group in Active Directory in order to
provide these administrative rights, the computer must be restarted.
* If the service account/interactive user account cannot be an administrator of the target systems,
then alternate administrative accounts will need to be configured for use by the tool. Please see the
administrator's guide for steps on configuring alternate administrator accounts. If possible, avoid
the use of alternate administrator accounts within Enterprise Random Password Manager when
managing COM+ and DCOM objects, including scheduled tasks, as these interfaces do not allow for
impersonation.
Note: The following ports are the standard well known ports for the various protocols.
These ports may have been changed on the target systems. It is the solution
Administrator's responsibility to determine if any of the target ports have been
changed and reflect that changed port when password change jobs or account
discovery jobs are performed.
137 - UDP, outbound, NetBIOS name service - for older Windows OS; generally not required.
This port or port 445 (SMB) is required. If NetBIOS is disabled, port 445 is required for
management of Windows systems.
138 - UDP, outbound, NetBIOS datagram service - for older Windows OS; generally not required.
This port or port 445 (SMB) is required. If NetBIOS is disabled, port 445 is required for
management of Windows systems.
139 - TCP, outbound, NetBIOS name service ports - for older Windows OS; generally not
required. This port or port 445 (SMB) is required. If NetBIOS is disabled, port 445 is required for
management of Windows systems.
161 - TCP, outbound, SNMP - may be configured for use during system/network discovery
operations and device management functions.
389/636 - TCP, outbound, LDAP/LDAPS - LDAP compliant directories such as Active Directory or
Oracle Internet Directory.
443 - TCP, outbound, HTTPS - ESXi native management and various cloud service providers as
well as SAML/OAUTH authentication providers.
445 - TCP, outbound, SMB - This port is required for Windows hosts from Windows Server 2008
and newer and is supported on Windows hosts from Windows Server 2000 and later.
514 - UDP, outbound, Syslog - Communication to logger systems such as ArcSight, QRadar,
Splunk, Syslog, etc.
623 - UDP, outbound, IPMI - management of lights-out devices such as Dell DRAC, HP iLO, etc.
1025 - TCP, outbound, Teradata - used to discover and manage Teradata databases.
1433 - TCP, outbound, MS SQL Server - used for connecting product components to Microsoft
SQL Server datastore.
1521 - TCP, outbound, Oracle - used to discover and manage Oracle databases.
2002 - TCP, outbound, Java SDK remote connection to RMI host.
3306 - TCP, outbound, MySQL - used to discover and manage MySQL databases.
3389 - TCP, outbound and inbound, Remote Desktop Protocol (RDP) - used for remote
connections to target servers (automatic sessions) as well as inbound to application launch
server.
5000 - TCP, outbound, Sybase - used to discover and manage Sybase ASE databases.
5432 - TCP, outbound, PostgreSQL - used to discover and manage PostgreSQL databases.
50000 - TCP, outbound, DB2 - used to discover IBM DB2 databases.
Other - depending on the application being managed, such as SharePoint. If additional
external items/processes are leveraged, additional ports will be required. Please refer to the
following requirements for known port connection requirements:
BMC Remedy - TCP/UDP, outbound, BMC_AR_Port.
Microsoft System Center Configuration Manager - TCP, outbound. Typically Microsoft File and
Printer Sharing or Remote management ports.
Additional ports may be required based on target system configuration or solution configuration.
For example, an SSH target listening on port 5555 must accept a connection from the solution, and the
solution must be allowed to communicate out on that port to the target. Similarly, if web services or
the web application are on non-default ports for their HTTP/S configuration, the firewalls must be
configured to allow communication on those ports.
Windows
See port requirements for further information:
File and Print Services for Microsoft Networks (enabled and installed by default).
Server Service (enabled and installed by default).
Remote Registry is optional and allows for further system information gathering such as MAC
address retrieval. If the service is disabled, the MAC retrieval function will fail and DCOM
application discovery will fail. Other functions may suffer as a result.
If using Lieberman RED Identity Manager and propagating/managing/discovering the following
items, remote management support to:
Enabling remote access to COM+ and IIS requires additional configuration steps on the target
systems. These steps are outlined in the Enabling Remote COM+ and IIS Access section.
Linux / UNIX / OS X
Determine the current SSH port - Required for password change and account enumeration.
Login password or SSH key for login account and possibly for the account being managed
(operation specific requirement).
Low-powered login account - Optional. Used if root accounts are not permitted to SSH to the
target system.
Some Solaris, AIX, or other Linux/UNIX distributions may require that password authentication
be enabled in the /etc/ssh/sshd_config file. This will be obvious, as the log will contain errors
reflecting it during a password change job. To enable password authentication, open the
/etc/ssh/sshd_config file and set the PasswordAuthentication directive to yes. Then restart the
SSH daemon. How to restart the daemon is distribution specific. Following are examples of
various restart commands:
FreeBSD: /etc/rc.d/sshd restart
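The check a practitioner wants before and after editing sshd_config, as an added example that is not from the Lieberman documentation: the functions below report the PasswordAuthentication value sshd will actually use (sshd keeps the first value it reads, and directives after a Match line are conditional) and apply the change the guide describes in a way that is guaranteed to take effect. The sample configs, file names and the "Include is not followed" limitation are constructed assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the Lieberman documentation: check which value
# sshd will actually use for PasswordAuthentication in a given sshd_config,
# and set it the way the guide describes. Two sshd rules matter here:
#   1. sshd keeps the FIRST value it reads for a keyword, so appending
#      "PasswordAuthentication yes" below an existing "no" changes nothing.
#   2. Directives after a "Match" line apply only to matching connections.
# Limitation (assumption for this example): "Include" directives are not followed.

# Print the effective global value ("yes" or "no") for the file given as $1.
effective_password_auth() {
    awk '
        # keyword of a line: comments stripped, lower-cased, Key=Value form allowed
        function kw(s) { sub(/#.*/, "", s); sub(/^[ \t]+/, "", s); sub(/[ \t=].*/, "", s); return tolower(s) }
        # value of a line: everything after the keyword, trimmed and lower-cased
        function val(s) { sub(/#.*/, "", s); sub(/^[ \t]+/, "", s); sub(/^[^ \t=]+[ \t=]+/, "", s); sub(/[ \t]+$/, "", s); return tolower(s) }
        kw($0) == "match" { exit }                   # global section ends here; END still runs
        !found && kw($0) == "passwordauthentication" { found = 1; value = val($0) }
        END { if (!found) value = "yes"; print value }   # sshd default when the keyword is unset
    ' "$1"
}

# Rewrite file $1 so that the global PasswordAuthentication is $2 ("yes" or "no"):
# the directive is placed on the first line (so it wins under rule 1), stale
# global copies are dropped, and anything inside Match blocks is left untouched.
set_password_auth() {
    file=$1
    want=$2
    tmp="$file.tmp"
    awk -v want="$want" '
        function kw(s) { sub(/#.*/, "", s); sub(/^[ \t]+/, "", s); sub(/[ \t=].*/, "", s); return tolower(s) }
        BEGIN { print "PasswordAuthentication " want }
        kw($0) == "match" { in_match = 1 }
        !in_match && kw($0) == "passwordauthentication" { next }
        { print }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

SAMPLE_DIR=$(mktemp -d)

# Constructed sample: directive commented out, so the sshd default applies.
cat > "$SAMPLE_DIR/default.conf" <<'EOF'
Port 22
#PasswordAuthentication yes
UsePAM yes
EOF

# Constructed sample: "yes" was appended at the end, but the earlier "no" wins
# (and the appended line sits inside the Match block anyway).
cat > "$SAMPLE_DIR/appended.conf" <<'EOF'
Port 22
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
PasswordAuthentication yes
EOF

# Constructed sample: mixed case and Key=Value form, with a trailing comment.
cat > "$SAMPLE_DIR/keyvalue.conf" <<'EOF'
passwordauthentication=Yes   # legacy form
EOF

# Apply the fix from the guide to a copy of the broken file and show before/after.
cp "$SAMPLE_DIR/appended.conf" "$SAMPLE_DIR/fixed.conf"
set_password_auth "$SAMPLE_DIR/fixed.conf" yes
for f in default appended keyvalue fixed; do
    printf '%-9s -> %s\n' "$f" "$(effective_password_auth "$SAMPLE_DIR/$f.conf")"
done
# prints: default -> yes, appended -> no, keyvalue -> yes, fixed -> yes
```

After the rewrite the SSH daemon still has to be restarted, as the guide says; the check only tells you what the file will give sshd once it is.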
Cisco
Login account username and password.
Current password for enable.
SSH or Telnet port if changed from the default.
IPMI
Root or admin level login account username and password.
SSH/Telnet Devices
Actual requirements will vary based on target type and embedded operating system.
Other
Other platforms will have requirements specific to their implementation and configuration and
defined policies. Please consult your target system/device/service documentation for servicing
requirements.
Note: Lieberman RED Identity Manager requires 32-bit database providers. 64-bit
providers are not supported.
The following databases require database-specific providers to allow for management of their
privileged identities from the Lieberman RED Identity Manager host system.
DB2
MySQL
Oracle
PostgreSQL
Sybase - Sybase ASE OleDB provider
Teradata
The rights required to change a target account's password will vary from database to database. The
rights required will also vary depending on the target account being changed. You will need other
information, such as instance or service name and possibly port. Refer to your database provider's
documentation for the most up-to-date description of rights required to change various identities.
Following is a partial list of possible rights required for various databases:
DB2 - The rights required to change passwords for accounts associated with a DB2 instance depend on
whether the database is hosted on Windows or Linux/UNIX, as DB2 has no local account store but
instead references accounts from the host or related directories. If DB2 is hosted on Windows,
follow the process for a typical Windows password change job. If DB2 is hosted on Linux/UNIX,
follow the process for a typical Linux/UNIX password change job. See the Admin Guide for more
information regarding password management for the target host platform.
To enumerate accounts in a DB2 database instance (accounts store view), the login account will
require:
CONNECT TO DB
GRANT SELECT on SYSIBM.SYSDBAUTH
Note: Lieberman RED Identity Manager can enumerate the local accounts associated
with the DB2 Instance. For this process to work, the Microsoft supplied DB2
database OLEDB provider must be installed. Changing DB2 account passwords
does not require a specialized provider, however, because DB2 utilizes the
database host system's local account store rather than providing its own internal
account store as does Microsoft SQL, Oracle, or MySQL.
Microsoft SQL - Microsoft SQL can leverage explicit SQL accounts or integrated authentication
accounts. Accounts using integrated authentication will be local computer accounts or accounts
from a trusted domain. In order for either of these account types to manage account passwords
within MS SQL, the following rights must be granted to the desired account or group:
Note: If the sysadmin right is given, no other rights will be required on the MS SQL
server.
MySQL / MariaDB - A MySQL login account will be required when configuring a MySQL password
change job. This login account must have sufficient rights to change the desired target account's
password. Assuming the login account can connect to the specified MySQL service and target
database, the following global privilege must be granted to the desired login account:
UPDATE
To enumerate the user accounts in a MySQL instance (Account Store View in Enterprise Random
Password Manager), the following global privilege must be granted to the desired login account for
the appropriate database:
SELECT
Sybase - A login account will be required when configuring a Sybase password change job. This login
account must have sufficient rights to change the desired target account's password. Presuming the
login account can connect to the specified Sybase service (and instance, if applicable), the login
account must belong to either of the following roles:
SSO_ROLE
SA_ROLE
To enumerate the user accounts in a Sybase instance (Account Store View in Enterprise Random
Password Manager), the following access must be granted to the desired login account:
SELECT access to the password column of the SYSLOGINS table in the MASTER database
Oracle - An Oracle login account is required when configuring an Oracle password change job. This
login account must have sufficient rights to change the desired target account's password. Assuming
the login account can connect to the specified Oracle service (and instance, if applicable), the
following rights must be granted to the desired login account:
ALTER USER
To enumerate the user accounts in an Oracle instance (Account Store View in Enterprise Random
Password Manager), the following rights must be granted to the desired login account:
Add-WindowsFeature Web-Mgmt-Console,Web-Metabase
In the command above, Web-Mgmt is the component required for managing Windows Server 2008
and later while Web-Metabase is the component required for managing Windows Server 2003.
11) If the management console or deferred processor/zone processor was running when this
process began, restart the management console or deferred processor/zone processor.
Web site
PowerShell
Application Launcher
Session Recording
13) If the management console or deferred processor/zone processor was running when this
process began, restart the management console or deferred processor/zone processor.
Add-WindowsFeature AS-Http-Activation,Web-Windows-Auth
In the command above, Web-Windows-Auth is an optional parameter if it is desired for the web
service to be able to support Windows Integrated Authentication.
5) Under Application Server, expand Windows Process Activation Support and select HTTP
Activation and click Next. If any pop up dialogs appear indicating more features are required
(this includes multiple features including portions of IIS), click Add Features, then click Next.
6) On Web Server (IIS) click Next.
7) On Role Services, if it is desired to be able to support Windows Integrated Authentication, also
select Windows authentication under the Security node.
8) On Role Services click Next.
9) On Confirmation, validate your selections, then click Install.
10) If the management console or deferred processor/zone processor was running when this
process began, restart the management console or deferred processor/zone processor.
Program database - If the program database is unavailable, the website will be fully unable to
function.
Web Service - if the web service is unavailable, the website will provide most of its functionality
but will be unable to provide access to managed passwords or any components that make use
of managed passwords such as application launcher. Further, all charts and quick search panels
will not function.
6) On Server Roles, select Web Server (IIS) and click Next. If prompted to add features required
for IIS (IIS Management Console), click Add Features, then click Next.
7) On Features, click Next.
8) On Web Server Role (IIS), click Next.
9) On Role Services, select the following components (other features may be removed or ignored):
a. Common HTTP Features
o Default Document
o HTTP Errors
o Static Content
b. Health and Diagnostics - optional - not required but useful for troubleshooting
o HTTP Logging
c. Performance
o Static Content Compression
d. Security - optional - read the descriptions, as some items may be required based on use cases.
o Request Filtering - enabled by default, install to be able to restrict clients from making
certain requests of the web server such as a collection of URLS that cannot be browsed
or limiting the sizes of requests.
o Client certificate mapping - install if users are provisioned user certificates via Active
Directory and User-Certificate based authentication is required. This will require
additional configuration in IIS.
o IIS certificate mapping - install if users are provisioned user certificates and it is desired
to have the mapping and certificate authentication performed in IIS rather than Active
Directory. This will require additional configuration in IIS.
o IP and Domain Restrictions - install to be able to restrict source IP and domain names
from making requests of the web server.
o URL authorization - install to be able to restrict URLs and verbs. This option can
increase security when used in conjunction with Windows authentication.
o Windows Authentication - install if it is desired to be able to use Integrated Windows
Authentication. This may require additional configuration in IIS.
e. Application Development
o ASP.NET 4.5 - if prompted for additional role services (ISAPI Filters, ISAPI Extensions,
.NET Extensibility 4.5) click Add Required Role Services
o .Net Extensibility 4.5
o ASP
o ISAPI Extensions
o ISAPI Filters
f. Management Tools
o IIS Management Console
o IIS 6 Management Compatibility \ IIS 6 Metabase Compatibility
10) On Role Services, click Next.
11) On Confirmation, click Install.
Add-WindowsFeature Web-Default-Doc,Web-Http-Errors,Web-Static-Content,Web-Http-Logging,Web-Stat-Compression,Web-Windows-Auth,Web-Asp-Net,Web-Net-Ext,Web-ASP,Web-ISAPI-Ext,Web-ISAPI-Filter,Web-Mgmt-Console,Web-Metabase
In the command above, Web-Windows-Auth is the only component not required. Adding that clause
installs Windows Integrated Authentication.
o URL authorization - install to be able to restrict URLs and verbs. This option can
increase security when used in conjunction with Windows authentication.
o Request Filtering - enabled by default, install to be able to restrict clients from making
certain requests of the web server such as a collection of URLS that cannot be browsed
or limiting the sizes of requests.
o IP and Domain Restrictions - install to be able to restrict source IP and domain names
from making requests of the web server.
e. Performance
o Static Content Compression
f. Management Tools
o IIS Management Console
o IIS 6 Management Compatibility \ IIS 6 Metabase Compatibility
7) On Role Services, click Next.
Important! SSL and early versions of TLS have been found to have certain security flaws.
Due to these flaws, Microsoft recommends disabling SSL v3 and earlier and
forcing the use of TLS 1.2. For more information, please refer to the following
Microsoft article for help on disabling older versions of SSL and TLS:
https://technet.microsoft.com/en-us/library/security/3009008.aspx
3) If certificates are installed on the system, they will be listed in the Server Certificates area.
9) Specify HTTPS as the protocol Type and assign the preferred SSL Port. If an alternate port
number is specified, this must be reflected in the URL as HTTPS://address:port_###/.
10) Select the appropriate certificate from the SSL certificate drop-down list. Click OK.
11) Note that the HTTPS binding is now appended to the website. Click Close.
12) To require the website to use SSL, go to either the website that hosts the Lieberman RED
Identity Manager web pages, or go to the virtual directory that hosts the web pages, and open
SSL Settings (located in the IIS area).
13) Select Require SSL. Click Apply. No other configuration options are required.
Caution! A self-signed certificate is generally not recommended for production, as no other
system will trust that certificate. Some components and systems cannot work
with untrusted certificates. If the certificate is not distributed and installed on
ALL machines that will connect to the website or services, they will fail to
function at all and will always generate certificate errors until the certificate is
placed into the proper certificate store or replaced with a certificate issued
by a trusted root certificate authority.
1) Open Internet Information Services (IIS) Manager from the Administrative Tools.
2) Select the server's node in the Connections pane and open Server Certificates in the center
pane.
To create a request to an off-line certificate authority (in house or 3rd party, e.g. Verisign), go to
step 5.
To create a request to an on-line certificate authority (in house, Enterprise CA), go to step 6.
3) To create a self-signed certificate, on the Actions pane, click Create Self-Signed Certificate.
4) Type a friendly name for easy identification and click OK. The certificate will be created and
added to the list of certificates installed on the server. Click OK.
Go to step 11.
Go to step 7.
6) To create a certificate request to an on-line Enterprise CA, click Create Domain Certificate.
Go to step 7.
7) On the Distinguished Name Properties dialog, specify the Common name (this is the name of
the server as will be entered in a browser) and all other properties, then click Next.
8) If this is going to an off-line CA, select the appropriate Cryptographic Service Provider
Properties. If this is going to an on-line CA, this page will not be presented. Bit length should be
set to 2048 bits or higher to maintain compatibility with modern browsers and systems. Click
Next.
If working with an off-line CA, go to step 9.
9) If this is going to an off-line CA, a prompt for the name of the certificate request will be
presented. Supply the path and name for the certificate request file and click Finish. This text
file must then be sent to the CA for processing. Once the certificate is approved, simply follow
the wizard through the Complete Certificate Request screen.
Go to step 11.
10) If this is going to an on-line CA, select the name of the CA by clicking the Select button. Then
supply the friendly name of the website. The friendly name is the name of the server specified
in the URL. Click Finish.
11) Once the certificates are installed on the system, they will be listed in the Server Certificates
area.
17) Specify HTTPS as the protocol Type and assign the preferred SSL Port. If an alternate port
number is specified, this must be reflected in the URL as HTTPS://address:port_###/.
18) Select the appropriate certificate from the SSL certificate drop-down list. Click OK.
19) Note that the HTTPS binding is now appended to the website. Click Close.
20) To require the website to use SSL, go to either the website that hosts the Lieberman RED
Identity Manager web pages, or go to the virtual directory that hosts the web pages, and open
SSL Settings (located in the IIS area).
21) Select Require SSL. Click Apply. No other configuration options are required.
IN THIS CHAPTER
Enabling access via registry modification works on all Windows operating systems. However, it is the
only way to enable access on Windows Server Core operating systems, as the application server role
is not available for Windows Server Core operating systems. To make the change via the registry...
1) Run regedit.exe
2) In the registry, locate and then click the following subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3.
3) Locate the key: RemoteAccessEnabled
4) Right-click RemoteAccessEnabled, and then click Modify.
5) In the Edit DWORD Value dialog box, type 1, then click OK.
6) No further action is necessary.
These same steps can also be performed via group policy preferences.
If a GUI is available and it is desired to use the server roles wizard, these steps will help guide the
installation process.
Add-WindowsFeature AS-Ent-Services
For IIS 6 and 7+, the rules are slightly different and the process names have changed since Windows
2003 was released. In addition to allowing the COM Port Mapper (port 135), you will also need to
allow access to the IIS processes.
4) The only required item is Oracle Provider for OLE DB. Select Oracle Provider for OLE DB and
click Next.
8) When the Oracle provider is installed, it will be listed as an available "Database Provider" when
adding an Oracle database to the Account Store View.
9) Repeat any installation of the Oracle OLEDB provider on any secondary management consoles
and zone processors that will be managing (discovery, password change, etc.) an Oracle
database instance.
2) Choose the installation directory for the Sybase files and click Next to continue.
3) If the directory does not exist, a prompt requesting to create the directory will appear.
4) All that is required is the OLEDB providers. Choose the Custom option and click Next.
7) Choose the Sybase license use as is appropriate to your company. Click Next to continue.
8) Select the licensing region and agree to the license agreement to continue installing the
software. Click Next to continue.
11) When the installation is finished, click Next to continue the wizard.
12) When the installation wizard is finished, click Finish to close the wizard.
13) When the Sybase provider is installed, it will be listed as an available "Database Provider" when
adding a Sybase database to the Account Store View.
14) Repeat any installation of the Sybase OLEDB provider on any secondary management consoles
and zone processors that will be managing (discovery, password change, etc.) a Sybase database
instance.
6) When the MySQL provider is installed, it will be listed as an available "Database Provider" when
adding a MySQL database to the Account Store View.
7) Repeat any installation of the MySQL provider on any secondary management consoles and
zone processors that will be managing (discovery, password change, etc.) a MySQL or MariaDB
database instance.
http://download.microsoft.com/download/0/E/6/0E67502A-22B4-4C47-92D3-0D223F117190/DB2OLEDB.exe
The installation routine has two prerequisites:
1) You have a version of Enterprise or Developer edition of Microsoft SQL 2005 or 2008, or some
component thereof which also implies that the version is licensed for use by your corporation.
2) The installer checks for the existence of certain registry keys and/or files to validate the
installation before the provider will install.
The presumption is that installing SQL server components to make use of the Microsoft supplied
DB2 provider is not permissible. The following steps document a registry manipulation which will
lead the installer to believe the requisites it looks for during installation are present.
Caution! Use of the registry editor can lead to system instability or loss of functionality.
Perform these steps at your own risk.
1) Launch the installer and click Microsoft OLE DB Provider for DB2.
2) Enter the user name and organization name and click Next to continue.
3) Choose to accept the licensing agreement if the requirements of the licensing agreement are met
and click Next to continue.
8) When the DB2 provider is installed, it will be listed as an available "Database Provider" when
adding a DB2 database to the Account Store View.
9) Repeat any installation of the DB2 OLEDB provider on any secondary management consoles and
zone processors that will be managing (discovery, etc.) a DB2 database instance.
1) Run the installer and read and accept the licensing agreement, then click Install.
3) When the PostgreSQL provider is installed, it will be listed as an available "Database Provider"
when adding a PostgreSQL database to the Account Store View.
4) Repeat any installation of the PostgreSQL provider on any secondary management consoles and
zone processors that will be managing (discovery, password change, etc.) a PostgreSQL database
instance.
5) Be sure to select the OLEDB Access Module. Select other modules as required, then click Install.
6) Click Finish.
6) Click Install.
8) The Teradata provider will now be listed as an available database provider when you add a
Teradata database to the Account Store View.
9) Repeat any installation of the PostgreSQL provider on any secondary management consoles and
zone processors that will be managing (discovery, password change, etc.) a PostgreSQL database
instance.
Chapter 4 Installing Lieberman RED Identity Manager
This chapter documents how to install Lieberman RED Identity Manager and perform
post-installation configuration tasks.
Important! See the Installation Roadmap (on page 7) for a complete list of installation
tasks.
This chapter will cover installation of the Lieberman RED Identity Manager components including:
Console
Web Service
Web Site
The general steps for installation order are as follows:
Management Console
1) First launch and mini-setup wizard
2) Web Application
3) Web Service
4) Application Launcher - optional
5) Session Recording - optional
Additional components such as PowerShell cmdlets, zone processors and their components are
covered in the Admin guide.
Application launcher and session recording installation are covered in the Application Launcher and
Session Recording guide.
IN THIS CHAPTER
3) Read the entire license agreement. Once you have read the agreement, if you agree, select I
accept the license agreement, then click Next.
PDF Encoder - recommended - provides Lieberman RED Identity Manager the ability to turn its
compliance reports into PDF documents.
RSA SecurID - install this option if RSA multi-factor authentication will be required to access the
management console, but this machine will NOT host the web application. If this machine will
host the web application, leave this option unselected as the application will be installed
automatically when the web application is installed.
6) Change the installation location if needed. The program will be installed to a sub-folder called
Roulette at the chosen location.
7) Click Next.
8) Choose the identity to run the CLR COM+ application. The default is Network Service. The CLR
COM+ Identity is used to provide network and local system access for the solution to various
cloud services. Individual account stores (Azure, AWS, ESX, etc.) will be configured with specific
connection credentials when they are enrolled.
Options for the identity are:
Interactive User - Use the same logon information as the calling identity. This is an
administrator-level account because the calling identity will either be the admin running the
console or the ERPM deferred processor service account. This option requires the least
configuration, but provides significantly more privileges than are required.
Network Service - (Recommended) Use the network service account. For this option you do not
have to manage a password or grant additional rights, although in some cloud management
cases, you may need to grant additional permissions on the file system.
Local Service - Use the local service account. For this option you do not have to manage a
password or grant additional rights, although in some cloud management cases, you may need
to grant additional permissions on the file system. The local service account has many more
rights and privileges than the Network Service.
This User - Use the supplied user name and password. This user could be a local account that is
configured to never authenticate to any other machine in the network (unlike Network Service
or Local Service), but it does represent another account to manage a credential for. In some
cloud management cases, you may need to grant additional permission to it on the file system.
This account also needs the Log on as a batch job right granted to it.
9) Click Next.
12) Once the program launches for the first time, the Mini-Setup Wizard (on page 126) will begin.
a. On Database Setup, click Change Settings to establish a connection to [and possibly create]
the database server and database that Lieberman RED Identity Manager will use for its
primary data store.
to connect to the data store. Database native authentication will use explicit database
credentials (e.g. SA) to connect to the data store.
o Database Settings - if you have the rights to create a new database, and one has not
already been created on the database server for you, select the option Create a new
database (with default settings). If a database already exists on the database server
that you should use, select the option Use an existing database on the server and
select the appropriate database. In either case, Lieberman RED Identity Manager will
create all required views, stored procedures and tables at this time.
o Create object in a non-default schema - enable this option and specify a specific
schema. We recommend using DBO. If this option is not specified and the connecting
user is not in the sysadmin role, SQL Server will create a schema named after the user
and create all objects in that context. While this will work for a single user (as well as
when using database native authentication), this option does not work well when using
integrated security where the connecting users are not sysadmin level users.
o For more information about the remaining settings, see Data Store Configuration
Options (on page 217). For more information on connecting to mirrored databases or
database availability groups or Microsoft Azure SQL, see Connecting to Microsoft SQL
HA and Cloud Database Configurations (on page 223).
About this step: The deferred processor is used to perform all scheduled actions in this product.
Refer to Service Account Requirements for more information on this account's requirements. If
an account is not yet available, simply click Next to skip this step.
a. Supply the name in the format of DOMAIN\AccountName and specify the password.
b. Click Install/Start Service. Setup will attempt to grant the specified account the Logon as a
Service right at this time. However, if there are any problems connecting to the database or
granting rights or local administrators group membership is not configured for the account,
the service will fail to start. This can be remedied now or post install. If there are no
problems, the service will be installed and the service status will indicate Service is Running.
c. Click Next.
4) Email Setup
About this step: Email can be sent from this product. If email will not be sent from this product
or email server settings are not yet available, simply click Next to skip this step. Email can be
configured later by opening the management console and going to Settings | Email Settings. For
more information on email server settings, see Email Settings (on page 251).
a. Click Change Settings to set up the email server configuration for this product.
b. Supply the sender and email server settings then click OK. If there are no problems, the
Current Settings Status field will indicate No problems detected with settings.
c. Click Next.
5) Setup Complete
About this step: this page presents options to configure encryption and set up the web
application. Encryption should be configured at this time but can be configured later (or
re-configured) by opening the management console and going to Settings | Encryption Settings.
It is recommended to skip configuration of the web application at this stage if you will be using a
commercial license, as not all website options will be enabled until registration is complete.
Moreover, the web service is a requirement and will not yet have been configured, so the web
application will not function properly until the web service is installed. The web
application can be installed and configured from the management console by clicking the
Manage Web App button on the left action pane. Configuration of the web application is
covered in great detail later in this guide in the section called Web Application (on page 136).
c. Click OK.
4.3 REGISTRATION
If using the demo license and a commercial key is not yet available, there is no need to register at
this time. The product will be fully functional for 30 days and capable of managing 10 systems.
To input a [new] commercial key after the console is installed and the console has been opened for
the first time and the mini-setup wizard is completed, go to Help | Register.
Paste in your license key. All other fields are optional.
Warning! Only perform this step on the primary licensed console. Do not perform this step on any
secondary/HA consoles, as licensing information will be lost on the primary console and it will be
reverted to demo mode.
After you have input a commercial license key, the solution will thank you for your purchase.
3) On the Install Web Application dialog, select the target installation system. Local system is the
system you are on now. If installing to a remote system, supply the remote system name as a fully
qualified domain name.
4) Click Check System Compatibility. This will perform a check of the target system to validate IIS
is accessible, the file system is accessible, and remote registry and remote COM+ access are
possible. Fix any access errors before continuing. If the check proceeds without incident, the
Web Interface Files section will be filled in automatically.
6) Web Application COM Components defines information for the COM+ application that will be
responsible for data access from the web application to the solution data store. Supply the
following information:
a. COM+ files destination files path - defaults to C:\Windows\System32 and will install to
\\serverName\admin$\syswow64 (c:\windows\syswow64). It is typically not necessary to
change this setting.
b. COM+ application name - defaults to PWCWebComApp. You may supply any name you
wish. This name is never visible to end users and is purely for identification when using the
Windows Component Services snap-in.
8) In the bottom section of the Install Web Application dialog, identify the use of SSL, any custom
port, or identify an explicit site address. Use an explicit site address when the URL to access the
web application will be different than the serverName (or serverName/virtualDirectoryName).
This would be the case when using a load balancer or if the server name will be aliased in DNS.
The information entered here has no functional effect on the website regarding end users. It
only affects the web application auto-launch capability from the Manage Web Application
Instances dialog in the management console.
9) Click Web App Settings to configure additional web application options. These options affect
security, sessions, and other integrations. For more information see Web Application
Configuration Options (on page 142).
The one option you must specify is the Web Service URI for REST web service endpoint on the
App Options tab. At this point, the web service is not yet installed. However, if the web service
will be installed onto the same machine using default settings, the URI will be virtually the same
as the URL mentioned above. For example, if the server is defined to use SSL in the previous
step on the default port (443) and your SSL cert uses the FQDN of the server (e.g. yourco.int),
then the URI to enter will be
https://servername.yourco.int/erpmwebservice/authservice.svc/REST. Everything after your
server name is standard: /erpmwebservice/authservice.svc/REST. If you were behind a load
balancer and the name of the load balanced cluster was "secureidmstore.yourco.com", the URI
to enter would be: https://secureidmstore.yourco.com/erpmwebservice/authservice.svc/REST.
If any of this information changes, it can be updated at any time.
10) Then click Install.
11) You may receive a COM+ Account Confirmation warning after clicking. This dialog will appear if
the COM+ account specified on the installation dialog is different than the currently logged in
user. The warning is asking you to be sure that the account specified has datastore access, or the
web application will fail to function until the access issue is resolved.
12) If you are sure about the account information, click Yes to continue or No to change to a
different account.
13) When the web application installation is complete, a dialog indicating a successful install will
appear. Click OK.
14) You will next be prompted to launch the web application. Clicking yes will open your default
browser to the URL specified in step 8 above where it was identified as using SSL or not, any
custom port, or a specific URL.
15) Click Yes to launch the web application. You will be logged into the web application as
[WebApplicationManager]. This is a built-in account. Its password is randomly generated with
each installation of this product.
16) Once the installation of the web application(s) is complete, the Manage Web Application
Instances dialog will be populated with a list of all known web applications.
See Post Installation or Upgrade Steps (on page 207) for additional steps and verifications.
To continue the basic installation, next install the Web Service (on page 162).
App Options (on page 142) - basic global web application configuration options.
Password Access (on page 147) - timing and alerting settings for accessing stored passwords.
Direct Links (on page 150) - settings for allowing access and password requests via email link.
File Store Settings (on page 150) - settings surrounding file store permissions and access.
Account Elevation (on page 152) - timing and settings for account elevation operations and
alerting.
Security (on page 153) - security settings for the web application.
Multi-Factor Authentication (on page 156) - settings to enable the use of MFA.
User/Session Management (on page 157) - settings for external PUM integration as well as
recorded session playback.
Remote Sessions (on page 158) - settings for remote RDP, SSH, and Telnet based access.
Console Display (on page 160) - settings for SSH and Telnet terminals.
User Dashboards - Legacy Website (on page 161) - enable/disable dashboards and chart
controls.
Auto-spin recovered passwords - The web application can (and by default does) create a password change
job for each password recovered using the web application. The password change job
automatically uses the same settings as the previous password change job executed for that
account. For example:
If a random password for that account was set previously, the account will get a new random
password with the same settings.
If the password was set statically, then no automatic re-randomization job will be created and
the account will retain its current password.
If the password is a random password but the option Use the same random password for all
selected accounts is selected when configuring a password change job (on the password settings
tab of the job creation dialog), then no automatic re-randomization job will be created and the
account will only change its password on the standard schedule defined by the job.
Password change jobs are executed by the deferred processing service (including zone
processors) and are scheduled based on the settings defined on the Password Access (on page
147) tab. Enabled is the recommended setting for most customers for most situations.
When passwords are recovered send emails to the following email address - The web
application will send an alert email when a user recovers a password through the web
application. The alert email will be sent to the address specified and will include the account
name of the recovered password, who recovered the password, and what time the password
was recovered. In order for this feature to work successfully, the Email Settings (on page 251)
must be properly configured. The email server settings that are configured for the console will
be used by the web application, so the settings must be valid on the web application server for
the email alerting feature to work.
Only show systems/accounts which match the search filter - In a default configuration, the
web application user will be able to see any and all systems/devices/credentials for which they
have access. This has the effect of causing the web application to retrieve that list and all
permissions on page load. This can be slow and can potentially show the user more information
than is intended in certain scenarios. Enabling this will prevent the display of all systems/devices
and force the user to specify a system filter in order to display any system(s) matching that filter
that they have access to. This also has the positive side effect of allowing the web page to load quicker,
as no systems/device information will be retrieved on page load. This affects the managed
passwords page.
Only show system/account names (hide system/account info columns) - In a default
configuration, the web application will display any and all information collected on the system
and/or account. Enabling this option will cause the web application to not display system
information like last managed time, IP address, etc. in the accounts or systems view of the
website. This can also be configured on a per-user basis by the user in the user's session
settings in the website.
Enable self recovery rules - Turns on the self-recovery aspect of the delegation system. This
feature allows for the creation of a one to one mapping of user to specific computers and allows
those users to log on and retrieve managed passwords for accounts on those computers only.
This feature overrides any other delegations at any other level (except for All Access) that would
otherwise limit their access to the target system. Self recovery rules use the self recovery
permissions which can be defined in the management console at Delegation | Web Application
Self Recovery Permissions. See the admin guide for more information.
Enable personal repository - Allows any user who can log into the web application to enter
individual passwords into the secure password store through the web application. The
passwords entered this way are only recoverable by logging into the web application by the
user who input the credentials. The passwords are not available to any other user through any
other means and cannot currently be shared. Personal passwords are encrypted with the same
encryption mechanism as other stored passwords in the password store. Any sort of password
or other information can be stored in the personal vault from web page login information to
reminders or common passwords.
Allow website links to be stored with personal passwords - For personal password storage,
displays an extra field where a user can input a URL.
Enable description fields for personal passwords - Allows the user to input a comment for their
personal passwords.
Personal password store disclaimer text - A text message that will be displayed to users when
working in the personal password repository.
Enable phonetic information for passwords - Turns on a feature that helps the user pronounce
the password character by character. For example, the password EAYd|0lc would be written
out as ECHO ALPHA YANKEE delta Pipe Zero lima charlie. When enabled, the Show Phonetics
button becomes visible during a password recovery. Clicking the button displays phonetics for
the displayed password. Phonetics are currently available using international standards in
English.
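The phonetic read-out described above, as an added example that is not the product's own implementation. It reproduces the manual's sample ("EAYd|0lc" becomes "ECHO ALPHA YANKEE delta Pipe Zero lima charlie") and generalizes it: letter case is carried by the case of the code word, digits and symbols get capitalized names, and any character outside the tables is read out by code point rather than dropped. The digit and symbol names other than "Pipe" and "Zero" are this example's own choices.

```python
"""Spell a recovered password character by character in the NATO alphabet.
Added example, not the product's code. Word lists beyond the manual's own
sample ("EAYd|0lc" -> "ECHO ALPHA YANKEE delta Pipe Zero lima charlie")
are assumptions made for this illustration."""
from typing import List

LETTERS = {
    "a": "alpha", "b": "bravo", "c": "charlie", "d": "delta", "e": "echo",
    "f": "foxtrot", "g": "golf", "h": "hotel", "i": "india", "j": "juliett",
    "k": "kilo", "l": "lima", "m": "mike", "n": "november", "o": "oscar",
    "p": "papa", "q": "quebec", "r": "romeo", "s": "sierra", "t": "tango",
    "u": "uniform", "v": "victor", "w": "whiskey", "x": "xray", "y": "yankee",
    "z": "zulu",
}
DIGITS = {
    "0": "Zero", "1": "One", "2": "Two", "3": "Three", "4": "Four",
    "5": "Five", "6": "Six", "7": "Seven", "8": "Eight", "9": "Nine",
}
# Symbol names are this example's choice; only "Pipe" appears in the manual.
SYMBOLS = {
    "|": "Pipe", "!": "Exclamation", "@": "At", "#": "Hash", "$": "Dollar",
    "%": "Percent", "^": "Caret", "&": "Ampersand", "*": "Asterisk",
    "(": "OpenParen", ")": "CloseParen", "-": "Hyphen", "_": "Underscore",
    "=": "Equals", "+": "Plus", "[": "OpenBracket", "]": "CloseBracket",
    "{": "OpenBrace", "}": "CloseBrace", ";": "Semicolon", ":": "Colon",
    "'": "Apostrophe", '"': "Quote", ",": "Comma", ".": "Period",
    "<": "LessThan", ">": "GreaterThan", "/": "Slash", "?": "Question",
    "\\": "Backslash", "`": "Backtick", "~": "Tilde", " ": "Space",
}


def phonetic_tokens(password: str) -> List[str]:
    """One spoken token per character. Letter case is carried by the case of
    the code word (ECHO vs echo) so that 'E' and 'e' are never confused."""
    tokens: List[str] = []
    for ch in password:
        if ch.isascii() and ch.isalpha():
            word = LETTERS[ch.lower()]
            tokens.append(word.upper() if ch.isupper() else word)
        elif ch in DIGITS:
            tokens.append(DIGITS[ch])
        elif ch in SYMBOLS:
            tokens.append(SYMBOLS[ch])
        else:
            # Anything outside the tables (non-ASCII, control characters) is
            # read out by code point rather than silently skipped, so the
            # spoken form always has exactly one token per character.
            tokens.append(f"U+{ord(ch):04X}")
    return tokens


def spell_password(password: str) -> str:
    """Join the tokens into the single line shown beside the recovered password."""
    return " ".join(phonetic_tokens(password))
```

The phonetic string is derived from the already-recovered password in the user's session, so it creates no additional disclosure beyond the recovery itself; it should be rendered on the same page and never written to logs or emails.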
Enable recursive group membership lookup - Default is disabled. Enabling this feature causes
the solution to perform a recursive lookup for all Windows global group memberships to
determine if a user should be allowed access. With the option disabled (default), a user must be
a direct member of a delegated group in order to gain the rights associated with that entity.
With the option enabled, a user can belong to a group which is a member of the group which
has the delegated rights. Enabling recursive lookups will slow down website authentication and
other functions which evaluate permissions.
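To make the difference between the two modes concrete, here is an added example (not the product's code, and it queries no real directory) that evaluates a delegation against a constructed group snapshot both ways. It also shows why the recursive mode is slower: every nested group is one more lookup, and nested groups can form cycles, which the expansion must guard against.

```python
"""Direct versus recursive (nested) group membership when evaluating a delegation.
Added example for the Enable recursive group membership lookup option; the
directory snapshot below is constructed and nothing here contacts a domain."""
from typing import Dict, Iterable, Optional, Set

# Constructed snapshot: group -> its direct members. A member that is itself a
# key in this map is a nested group; any other name is treated as a user.
GROUP_MEMBERS: Dict[str, Set[str]] = {
    "CORP\\PasswordAdmins": {"CORP\\alice", "CORP\\ServerOps"},
    "CORP\\ServerOps": {"CORP\\bob", "CORP\\Tier1"},
    "CORP\\Tier1": {"CORP\\carol", "CORP\\ServerOps"},   # nested cycle, which AD permits
    "CORP\\Auditors": {"CORP\\dave"},
}


def expand_group(group: str, members: Dict[str, Set[str]],
                 visited: Optional[Set[str]] = None) -> Set[str]:
    """Return every user reachable from `group` through nested groups.
    `visited` records each group read once, so a membership cycle terminates
    and the caller can count how many lookups the expansion cost."""
    if visited is None:
        visited = set()
    if group in visited:
        return set()
    visited.add(group)
    users: Set[str] = set()
    for member in members.get(group, set()):
        if member in members:                       # nested group: recurse
            users |= expand_group(member, members, visited)
        else:                                       # leaf: a user principal
            users.add(member)
    return users


def group_lookups_needed(group: str, members: Dict[str, Set[str]]) -> int:
    """Number of group reads a recursive evaluation performs for `group`
    (the direct mode always needs exactly one)."""
    visited: Set[str] = set()
    expand_group(group, members, visited)
    return len(visited)


def has_delegated_right(user: str, delegated_groups: Iterable[str],
                        members: Dict[str, Set[str]], recursive: bool) -> bool:
    """Direct mode: the user must appear in a delegated group's member list.
    Recursive mode: membership through any chain of nested groups counts."""
    for group in delegated_groups:
        if user in members.get(group, set()):
            return True
        if recursive and user in expand_group(group, members):
            return True
    return False
```

With the snapshot above, a delegation to CORP\PasswordAdmins grants alice in either mode, but bob and carol only when recursive lookup is enabled, and resolving that one delegation touches three groups instead of one. Before turning the option on, it is worth enumerating what each delegated group expands to, since rights granted to a broad nested group become effective rights in the web application.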
Number of items returned per page - Limits the number of items displayed on any given page in
the web application. The default value is 30. A smaller number of items will speed the load time
of an individual page but will result in a greater number of pages for the user to search through
if the result is not on the first page. This can be configured in the user's session settings in the
web application. This setting affects the amount of information returned to the web services
API as well.
Number of rows to export on report - Limits the number of rows that will be exported from the
auditing area in the website. Caution! A large number of rows can cause database timeouts and
exhaust memory and COM resources. Individual results will vary. This setting affects the
amount of information returned to the web services API as well.
Custom email message templates folder - This setting affects the legacy web application. For
the legacy web application, an email that relies on a default template, such as during the
password retrieval process, will leverage these templates. These templates permit the
customization of those emails for the legacy web application.
The default web application templates are stored in the program data store and accessible to all
components of the solution (except the legacy web application). These templates may be
modified or new ones added via the management console under Settings | Message Templates.
See the admin guide for more information.
Note: For the legacy web application, if installed on a machine where the management console is
NOT installed, this folder and the corresponding path should be duplicated on the remote web
server. This is not necessary for the modern/default web application.
Default page on successful login operation - Sets the default page for a user's first time login.
Users may set their own default page in the user's session settings in the web application.
Alternate background colors for items in lists - This setting applies only to the legacy web
application. It determines the alternating color for rows on any page that lists data in
rows, such as passwords, systems, auditing, and so on.
Allow IPMI power operation in web interface - When an operating system is managed that also
has a managed IPMI device, this option will permit the IPMI device to have its power controls
exercised via the website, delegations permitting.
Display available operations with password summary page - Starting with version 5.5.2, this
setting applies only to the legacy web application (see the following note). Default is disabled.
This option toggles the passwords display page from either showing the users all options they
have for a given account (e.g. Recover Password, SSH, RDP, etc.) when the passwords page
loads or will require the user to expand the account to be able to see their available options.
Leaving this option enabled tends to be less work for end users however, turning this option off
can result in a much faster initial page load for the user. The required queries to determine
permissions will be made when the user later attempts to expand the account.
Note: With the default setting of "30" for Number of items returned per page, this can save up to
300 round trip queries to the database per page load, thus improving the website experience for
low powered users.
Use asynchronous calls for page loads - Changes the way data is displayed when loading a given
page. With the settings enabled (default), the page will load data as it becomes available rather
than waiting for all data to be available before loading the page. Disabling this option can
potentially diminish the user experience, especially on a heavily loaded system, especially for
users who do not have All Access granted.
Default website style theme - This setting applies only to the legacy web application. Sets the
default theme and login page for the legacy web application. Once a user is logged in,
they can click the Session Information link and set a custom theme for their user account.
Server certificate file in web application installation path - Used to duplicate functionality
found in client web browsers to make it easier for users who do not trust the server's SSL
certificate to download the certificate and install it themselves. Specifically, if the web
application is deployed using a certificate not trusted by all consumers of the website, the
administrator can place the server's certificate in the website installation path on the web
server. The user may then go to User Settings in their web session and download the certificate
and install the certificate.
Server certificate file for recordings in web application installation path - Used to duplicate
functionality found in client web browsers to make it easier for users who do not trust the
server's SSL certificate to download the certificate and install it themselves. Specifically, if the
ERPM session recording playback website is deployed using a certificate not trusted by all
consumers of the website, the administrator can place the server's certificate in the website
installation path on the web server. The user may then go to User Settings in their web session
and download the certificate and install the certificate.
Web service URI for WSDL web service endpoint - The complete URL to the SOAP-based web
service. The point of this is to display the actual URL to the SOAP-based web service in the
website. Use the TEST Connection button to test connectivity to the web service. This has no
functional value to the system.
Web service URI for REST web service endpoint - The complete URL to the REST-based web
service. Use the TEST Connection button to test connectivity to the web service. This field tells
the web application where to find the REST-based web service. This field is required for SAML,
OAUTH and ADFS authentication. If you enable SAML authentication and do not configure this
endpoint for all instances of the web application, the web application will display the following
message: "SAML authentication servers are enabled, but the web service URI is not configured."
Hide advanced options for launch app - Hides the advanced configurations for applications
launched with the optional Application Launcher.
Enable Password Check-out - Enabled by default, this feature is often used to keep track of
exactly who has access to the administrative passwords at all times. When the password is
recovered, a lock is placed on the account and no other users will be allowed to recover that
same account password until one of three things happens:
The user checks the password back in.
A web application administrator overrides the Check-out and forces the password to be checked
in.
The group checkout feature is enabled and the original user checks out the password to the
group.
The amount of time a user may have a password checked out can be configured by changing
the Check-out Window and Check-out Duration fields.
Default check-out/extension duration - The default amount of time in minutes a password will
be checked out before the check-out expires as well as the amount of time granted per
extension request. This means a user will be granted the password initially for this number of
minutes. If the user requests an extension, the extension will also be for this number of minutes
each time they request an extension. Extensions are cumulative. This means if the default check
out duration window is for 120 minutes and they immediately request two more extensions,
they will be granted the password for 360 minutes. Extensions can be requested at any time
prior to the password lifetime expiration otherwise the password will need to be checked out
again. Extensions will be granted until the Maximum Check-out Duration time would be
exceeded. This means if the Maximum Check-out Duration is set to 721 minutes (default), a
user can have the password for no longer than 720 minutes at a time including all check-out
extensions. Each platform can have its own password checkout duration.
Maximum Simultaneous Check-outs - Limits the number of separate passwords any one user
may check-out simultaneously. The default value is 3 passwords.
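The check-out lifetime rules in the two settings above (initial window, cumulative extensions refused once the total would exceed the maximum, and the per-user cap on simultaneous check-outs) are easy to misread, so here is an added model of them, written for this page rather than taken from the product. It uses the manual's stated defaults (120, 721 and 3) and a constructed minute counter in place of a real clock; the class and method names are this example's own.

```python
"""Password check-out lifetime: initial window, cumulative extensions capped by
a maximum duration, and a per-user limit on simultaneous check-outs.
Added example built from the manual's description, not the product's code."""
from dataclasses import dataclass
from typing import Dict


@dataclass
class CheckoutPolicy:
    # Defaults as stated in the manual; the field names are this example's own.
    default_duration_min: int = 120   # Default check-out/extension duration
    max_duration_min: int = 721       # Maximum Check-out Duration
    max_simultaneous: int = 3         # Maximum Simultaneous Check-outs


@dataclass
class Checkout:
    user: str
    account: str
    start: int      # minutes on a constructed monotonic clock
    expires: int


class CheckoutLedger:
    """Tracks which account password is locked to which user, as the web
    application does when Enable Password Check-out is on."""

    def __init__(self, policy: CheckoutPolicy) -> None:
        self.policy = policy
        self._active: Dict[str, Checkout] = {}   # account -> live check-out

    def _purge_expired(self, now: int) -> None:
        # An expired check-out releases the lock; the password must then be
        # checked out again, it can no longer be extended.
        for account in [a for a, c in self._active.items() if c.expires <= now]:
            del self._active[account]

    def active_for(self, user: str, now: int) -> int:
        """Number of passwords `user` currently holds."""
        self._purge_expired(now)
        return sum(1 for c in self._active.values() if c.user == user)

    def check_out(self, user: str, account: str, now: int) -> Checkout:
        self._purge_expired(now)
        holder = self._active.get(account)
        if holder is not None:
            raise PermissionError(f"{account} is checked out to {holder.user}")
        if self.active_for(user, now) >= self.policy.max_simultaneous:
            raise PermissionError(f"{user} already holds {self.policy.max_simultaneous} passwords")
        co = Checkout(user, account, now, now + self.policy.default_duration_min)
        self._active[account] = co
        return co

    def extend(self, user: str, account: str, now: int) -> Checkout:
        self._purge_expired(now)
        co = self._active.get(account)
        if co is None or co.user != user:
            raise PermissionError("no active check-out to extend")
        # Extensions are cumulative, each adding the default duration, and are
        # refused once the total lifetime would exceed the maximum.
        new_expiry = co.expires + self.policy.default_duration_min
        if new_expiry - co.start > self.policy.max_duration_min:
            raise PermissionError("extension would exceed the maximum check-out duration")
        co.expires = new_expiry
        return co

    def check_in(self, user: str, account: str, now: int,
                 admin_override: bool = False) -> None:
        """The holder checks the password in, or an administrator forces it."""
        self._purge_expired(now)
        co = self._active.get(account)
        if co is None:
            return
        if co.user != user and not admin_override:
            raise PermissionError("only the holder or an administrator may check in")
        del self._active[account]

    def lifetime_minutes(self, account: str) -> int:
        co = self._active[account]
        return co.expires - co.start
```

Running the manual's own scenario through the model, a check-out at the 120 minute default with two immediate extensions yields 360 minutes, and with the 721 minute maximum the sixth extension (which would reach 840) is refused, so 720 minutes is the longest a single holder can keep a password, matching the figure in the text.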
Block password check-in if password is in use - Enabling this setting will cause the web
application's COM+ application to attempt discovery against a target Windows system to
validate whether the account is currently logged in, according to that target Windows system, when the
user attempts to check the password back in. If the account is deemed as still logged in, the web
application will prevent the user of the web application from checking in the password until the
account is no longer being used on the computer. This option requires that the account being
used to run the web application's COM+ application on the web server be seen as an
administrative account on the target Windows computer where the accounts are located. If the
web application does not have the appropriate rights to determine if the account is active, the
check-in is allowed and no event will be put in the target computer's application log. It is
generally not recommended to use this option, as sessions may take minutes to terminate according
to the target Windows host, which can cause users to simply not check in the
password when they are done.
Log {option} to System's event log will log the described event to a specified Windows
computer's application event log when passwords are checked in or out using the web
interface. The web application can log if the account is in use when the password is checked in,
or log all password check-in operations. The event messages have Event ID 17 and Source
'Enterprise Random Password Manager'. In order to display the event message correctly on the
remote computer it is necessary to put the messages DLL in the path of that system. The
messages DLL comes with the software and is found in the installation directory as LiebMsgs.dll.
The field should contain a specific target computer name. If the field is left blank, the local host
name will be used instead.
Block password Check-out if password spin job creation fails - A failsafe mechanism in the
solution. When a password change job randomizes a password for any account, that job
becomes the "master" job. Subsequent re-randomization jobs (following recovery if auto-spin is
enabled) will use this job as a basis for re-randomizing the password. If this "master" job is
deleted, the re-randomization job cannot be properly created and will put the product into a
state where it cannot move forward until that re-randomization job is manually deleted or
edited and a new master job is created or re-randomization is turned off. This option, when
disabled (default), will allow recovery of the password and put the product into the degraded
state. If the option is enabled, the password cannot be recovered but the product will be placed
into a degraded state because of improper/inconsistent jobs.
Allow users to check out passwords to any group they are a member of - When enabled,
permits a user who has checked out a password to check out the password to any other group
the user is a member of that is configured as an enrolled identity. Those subsequent
groups must already be able to view and recover/request access to the password.
Require check-in comment when password is checked in will prompt the user for a comment
when checking a password back in. The comment is logged to the database along with the
recovery operation. If this option is enabled, the comment will be optional.
Require recovery comment for password recoveries will prompt the user for a comment when
recovering a password. The comment is logged to the database along with the recovery
operation. If this option is enabled, the comment will be mandatory.
Require ticket number for password recoveries will prompt the user for a ticket number. The
comment is logged to the database along with the recovery operation. If this option is enabled,
the comment will be optional.
Show ticket number in separate column in audit log - when enabled, will add the ticket number
the user enters into a separate column in the audit logs in addition to the audit message for the
operation.
Require ticket number with {Application} will force the solution to validate the input ticket
number with an existing ticket number in the designated application. The application must be
configured in the Settings | Extension Components section of the management console.
Password request timeout window - dictates how long a password request is valid before it
times out and can no longer be granted. A user can only make one request for a specific
password at a time, and once a request is made that request will remain active until this time
period elapses. If an administrator has not processed the request before the timeout occurs, the
request is moved to the timed out request status and the user can make a new password
request for the specific account.
Request Grant Timeout Window dictates how long after a request has been granted that a user
can recover the password. After the window expires, the grant is no longer valid and the user
will have to make another password request for the account if they wish to recover the
password.
Note: Check-out and check-in operation actions will only apply if the Enable Password
Check-out feature is enabled.
Allow users to request check-outs in the future and Password Request Window for Future
Check-outs (hours) defines if users are allowed to make password requests for future times
rather than only immediately and how far in the future that request can be made for.
Allow users to edit and delete managed random passwords - With this option enabled,
identities that have been delegated the ability to edit/delete passwords within the website will
see two new links next to the random passwords and statically defined passwords in the
password recovery page of the web application. Editing of random passwords can cause
problems for future randomization job runs, password verification jobs, terminal service
sessions, or simple account utilization, as a change to the password in the website does not
affect the actual password configured on the target system. If this option is not enabled and an
identity has been delegated the ability to edit/delete passwords within the website, the logon
account will see an edit and delete link next to static passwords only. It is recommended to
leave this option disabled.
Web application processing to process un-authenticated address to use for direct links -
Supply the full URL to the web application as a user would enter it into their browser (e.g.
https://servername.yourco.com/pwcweb).
Allow web application to process un-authenticated direct links - When enabled, when an email
is sent to an approver and the approver clicks the grant or deny link, the approver will not need
to re-authenticate to the web application to grant or deny the request. If the option is not
enabled (default), when the approver clicks the link, they will first go through the authentication
process at the web application before the request will be granted or denied.
Embed direct approve/deny links in email notifications for password requests - When enabled,
clicking a grant or deny link in the email will grant or deny the request without further
navigation required by the approver.
o Embedded approve/deny link timeout - When links are included in the request emails, the
approver will have this amount of time to use the one time grant/deny link. This
timeout will be superseded by the request timeout duration defined on the Password
Access (on page 147) tab.
Embed login URL for site in email notifications for password requests - The URL entered in the
Web application processing page field on this tab will be included in the request email.
additional security to sensitive data by also providing encryption for the data when stored to the
program's data store.
The file store is an optional component of Lieberman RED Identity Manager and requires an
additional license. If the installed license does not enable the file store, this tab will not be visible
and its abilities will be disabled.
Enable file store - Enabling this option will allow the upload, secure storage, delegated access,
and access auditing of files within the web application.
When files are accessed send emails to the following address - Any time a file is opened or
checked out this email address will receive a notification to that effect.
Enable file check-out - If this option is left disabled, any number of users may open the same
file at the same time. With this option enabled, a file is checked out to a single user at any
moment in time.
Check-out window/extension interval - Time in minutes that a user is guaranteed solitary
access to a given file, blocking any other user from checking the file out and making changes to
it.
Maximum check-out duration - The maximum time in minutes that a user may have any single
file checked out.
Maximum simultaneous check-outs - The maximum number of files a single user may have
checked out to them at any moment in time.
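The check-out rules above (exclusive window, extension interval, maximum duration, maximum simultaneous check-outs) as an added, hypothetical model in Python; this is not the product's code, and the file names, users and minute values are constructed.

```python
from dataclasses import dataclass


@dataclass
class CheckOut:
    user: str
    started: float  # minute the file was first checked out
    expires: float  # minute the exclusive window ends


class FileCheckOutPolicy:
    """Hypothetical model of the file store check-out options (not the
    product's code). All times are minutes.

    window_min        - Check-out window/extension interval
    max_duration_min  - Maximum check-out duration
    max_simultaneous  - Maximum simultaneous check-outs per user
    """

    def __init__(self, window_min: float, max_duration_min: float, max_simultaneous: int):
        self.window = window_min
        self.max_duration = max_duration_min
        self.max_simultaneous = max_simultaneous
        self._held = {}  # file name -> CheckOut

    def _expire(self, now: float) -> None:
        # A check-out whose window has elapsed no longer blocks other users.
        for name in [n for n, c in self._held.items() if c.expires <= now]:
            del self._held[name]

    def check_out(self, user: str, name: str, now: float) -> tuple:
        """Try to check `name` out to `user`; returns (granted, reason)."""
        self._expire(now)
        held = self._held.get(name)
        if held is not None:
            if held.user == user:
                return True, "already checked out to this user"
            return False, f"checked out to {held.user} until minute {held.expires:g}"
        mine = sum(1 for c in self._held.values() if c.user == user)
        if mine >= self.max_simultaneous:
            return False, "maximum simultaneous check-outs reached"
        self._held[name] = CheckOut(user, now, now + min(self.window, self.max_duration))
        return True, "checked out"

    def extend(self, user: str, name: str, now: float) -> tuple:
        """Extend the exclusive window by one more interval, capped by the maximum duration."""
        self._expire(now)
        held = self._held.get(name)
        if held is None or held.user != user:
            return False, "not checked out to this user"
        new_expiry = min(now + self.window, held.started + self.max_duration)
        if new_expiry <= held.expires:
            return False, "maximum check-out duration reached"
        held.expires = new_expiry
        return True, f"extended to minute {new_expiry:g}"

    def check_in(self, user: str, name: str) -> bool:
        """Release the file; only the holder can check it in."""
        held = self._held.get(name)
        if held is None or held.user != user:
            return False
        del self._held[name]
        return True


if __name__ == "__main__":
    # Constructed walk-through: 30-minute window, 2-hour maximum, 2 files per user.
    policy = FileCheckOutPolicy(30, 120, 2)
    print(policy.check_out("alice", "budget.xlsx", 0))
    print(policy.check_out("bob", "budget.xlsx", 10))   # blocked by alice's window
    print(policy.extend("alice", "budget.xlsx", 20))    # window now ends at 50
    print(policy.check_out("bob", "budget.xlsx", 50))   # window elapsed, granted
```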
Log all file check-outs / check-ins to system's event log - Define a Windows event log server for
file vaulting operations by providing the NetBIOS name of a target Windows computer. Events
are written to the Application Log and will have a source of 'Enterprise Random Password
Manager'. There are also event sinks for file store operations which provide more functionality
and logging data. See the admin guide for more information.
Enable encryption for files in the store - Turns on encryption for files stored in the file store. By
default this is not enabled due to encryption export restrictions that are specific to each country
as applied to the encryption of data. This product will encrypt files using the same methods
used to encrypt the passwords it is storing. Please review country specific laws on encrypting
data before enabling this feature.
152 Installing Lieberman RED Identity Manager
Default file upload permissions - These values are used to define what permissions are assigned
to a file that is uploaded into the secure file store. If this option is not enabled, when a user who
belongs to multiple identities that are also granted access to the solution uploads a file, full
control permissions will be granted to the user and all other identities the user belongs to. This
can have the unintended side effect of unnecessarily granting access to secondary identities.
Limit file sizes for uploaded files in the store - This is the maximum allowable size for file
uploads. Be aware that this size may still be limited by IIS settings which by default are more
restrictive. If IIS is set to a lower value, the IIS value will take precedence.
Enable self-service account elevation - Enables the account elevation feature. In order to make
use of this feature, an entity must have the permissions for View Systems and Elevate Account.
These rights can be defined globally, per system set, or per system, and are accessible in the
Systems area of the website. This option applies to all Windows systems, including domain
controllers.
Elevation local group name - The name of the [domain] local group to elevate an account to. If
the Elevate Account into Global Group on Domain Controllers option is NOT enabled, users will
be elevated to this domain local group in the domain if a domain controller is selected for
account elevation.
Elevation duration - The time in minutes that an account will remain elevated on the target
system.
Elevate account into global group on domain controllers - Overrides the previous account
elevation option when a domain controller is targeted for account elevation and will place the
target user into the defined global group listed in the elevation global group name field.
o Elevation global group name - The name of the global group to elevate an account to
when a domain controller is targeted for account elevation and the Elevate account
into global group on domain controllers option is selected.
o Elevation duration - The time in minutes that an account will remain elevated on the
target system.
Enable arbitrary elevation in the web interface - A delegated user may place an arbitrary user
in an arbitrary target group on an arbitrary system for an arbitrary period of time. Typically, this
is only used by help desk personnel.
Enable email reminder of expiring elevations - For arbitrary elevations, an email reminder will
be sent to the user based on the Hours before expiration to send reminder setting.
Default short term elevation time - The default period of time that the user will be elevated if
short term elevation is selected.
Default long term elevation time - The default period of time that the user will be elevated if
long term elevation is selected.
Maximum elevation time - The maximum amount of time that the user can be elevated.
4.4.1.6 SECURITY
The Security tab is used to configure the basic web application security options. Some settings have
corresponding settings in IIS as well.
Allow default authenticated user access - Enabling this option provides a means for any user
who can authenticate against a central directory, such as Active Directory, to gain access to the
web console based on the rights delegated to the [DefaultAuthenticatedUserAccount]. This
provides an easy and global way to allow users to gain access to the web application to use
features such as the personal password store.
Hide recovered password after - If this option is not enabled, when a user recovers a password
and that password is displayed, the password will remain on the user's display panel indefinitely
or until the user expressly navigates to a different page or closes the browser. Enabling this
option will force the Web application to redirect to the Main page after a set amount of time,
thus minimizing the usefulness of shoulder surfing.
Force inactive web session timeout - Time in minutes after which an idle login session will
expire and require re-authentication. Session state should be disabled in IIS, otherwise the
shorter of the two values will win. Session state within IIS MUST be disabled if the Web
application is configured on a Network Load Balanced web farm.
Require secure cookies - Requires that SSL be enabled for the site. (An SSL certificate is not
provided with the solution.) Enabling this feature will mark the cookies for use with SSL only;
the cookies will not be transmitted if SSL is not used. If this option is enabled and a user
attempts to access a non-SSL version of the page, the system will attempt to automatically
redirect to an SSL version of the page by changing the URL to HTTPS.
Note: Use of this feature will also require an SSL certificate be bound to the parent
website in IIS.
Enable Windows Integrated Authentication - If enabled, allows users of Internet Explorer
(and other supported browsers) to enter the site using their already logged-in credentials without
having to retype a user name and password. Use of this feature can be problematic if users
share machines. Users will still be prompted with a login page where they can enter a user
name and password or simply log in.
Automatically login users using Windows Integrated Authentication - In conjunction with
enabling Windows Integrated Authentication, this will automatically log in a user to the Web
application without ever prompting for a user name and password.
Note: Use of this feature will also require Windows Integrated Authentication be
enabled and all other forms of authentication be disabled in IIS.
Disable concurrent logins from a single user - Blocks a user from logging in multiple times from
multiple source systems and/or browsers; any single user account is limited to a single session.
Embed unique identifier with each page - Gives each page a GUID that will be regenerated
every few page clicks. This provides a method to partially mitigate replay attacks.
Unique identifier valid for only one page request - Enabling this option will limit the page GUID
to only a single click per page after which the user must re-enter the page to perform a
subsequent action. This provides a method to mitigate replay attacks from the same system but
does mean more navigation as each page must be manually re-loaded after each action is
performed to obtain a new GUID.
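The two page-identifier options above, modelled as an added Python example (hypothetical code, not the product's own): the guard either rotates the identifier after a few accepted clicks or consumes it on every click, and `accepted_replays` measures how many times a captured identifier still works under each setting.

```python
import secrets


class PageTokenGuard:
    """Hypothetical model of the 'Embed unique identifier with each page' option
    (not the product's code).

    rotate_every - a fresh identifier is issued after this many accepted
                   requests ("regenerated every few page clicks");
    single_use   - 'Unique identifier valid for only one page request': every
                   accepted request consumes the identifier, so the page must
                   be reloaded to obtain a new one.
    """

    def __init__(self, rotate_every: int = 3, single_use: bool = False):
        self.rotate_every = rotate_every
        self.single_use = single_use
        self.uses = 0
        self.token = ""
        self._issue()

    def _issue(self) -> None:
        # 128-bit value from the OS CSPRNG; the previous identifier is no longer valid.
        self.token = secrets.token_hex(16)
        self.uses = 0

    def current_token(self) -> str:
        """Identifier embedded in the page currently shown to the user."""
        return self.token

    def submit(self, presented: str) -> bool:
        """Check a request carrying `presented`; True if the request is accepted."""
        if not isinstance(presented, str) or not presented.isascii():
            return False
        # Constant-time comparison so the check does not leak the identifier.
        if not secrets.compare_digest(presented, self.token):
            return False
        self.uses += 1
        if self.single_use or self.uses >= self.rotate_every:
            self._issue()
        return True


def accepted_replays(guard: PageTokenGuard, captured: str, attempts: int) -> int:
    """Number of `attempts` replays of a captured identifier the guard accepts.

    This is the replay exposure each option leaves: with rotation every few
    clicks the captured value works until the next rotation; with single-use it
    works exactly once.
    """
    return sum(1 for _ in range(attempts) if guard.submit(captured))


if __name__ == "__main__":
    rotating = PageTokenGuard(rotate_every=3)
    print("rotating:", accepted_replays(rotating, rotating.current_token(), 10))    # 3
    one_shot = PageTokenGuard(single_use=True)
    print("single-use:", accepted_replays(one_shot, one_shot.current_token(), 10))  # 1
```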
Disable explicit web application accounts - Enabling this option stops the solution from
allowing its own explicit application accounts from logging in to the Web application.
Store only the authentication token in the cookie - Enabling this option removes information
from the session cookie regarding user access. This forces the web application to retrieve user
rights for each request and may slow down web site processing if enabled.
Force logout on any page error - Enabling this option will end the user's session if the Web
application encounters a page error. Errors are generated not only by product issues but also
by improper commands being entered, such as in the program URL, which would result in a
permissions check failing.
Prevent the requesting user from granting a password request - Stops a user who requests a
password, where they also have the rights to grant password requests for the same password,
from granting their own request.
Disable copy button for displayed passwords - Enabling this option disables the copy button
when a password is viewed in the Web application following a successful recovery.
Allow Client Certificates for User Authentication and Authorization will permit the product to
use certificates to authenticate users. Certificates may be in the form of simple user certificates,
smart cards, CAC/PIV cards, biometrics, etc.
Bypass login challenge for client certificate identities will auto-login an account past the forms
based login page and not require further credentials be supplied.
Frequent request redirection is designed to help prevent denial of service or brute force attacks
directly against the Web application. This setting prevents more than n requests of any type for
a specific session. Additional requests beyond the configured limit are ignored and not
processed, so they are not necessarily treated as errors. The session continues to work as
normal, but if the configuration is such that normal operations are triggering multiple
operations per second (as is the case with delay load operations or web service operations),
then this setting should be disabled or tuned (increased) so that normal operations are not
impacted for your specific workload. If you have many concurrent sessions or other security
settings, you may need to set this value to 200 or higher.
Enable account lockout - If an identity attempts to login N number of times in N number of
minutes, they will be locked out for N number of minutes from the product. This applies to any
identity.
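The per-session request limit and the account lockout rule described above, as an added Python model (hypothetical, not the product's code). The one-second rolling window for the request limit, the reset of the failure count on a successful login, and the sample login events are assumptions constructed for the example.

```python
from collections import deque


class SessionRequestLimiter:
    """Hypothetical model of 'Frequent request redirection' (not the product's code).

    A session may make at most `max_requests` requests of any type within a
    rolling window of `window_s` seconds (the per-second window is an assumption).
    Requests beyond the limit are ignored rather than failed: allow() returns
    False, but the session stays valid and later requests succeed again.
    """

    def __init__(self, max_requests: int = 200, window_s: float = 1.0):
        self.max_requests = max_requests
        self.window_s = window_s
        self._hits = {}  # session id -> timestamps of accepted requests

    def allow(self, session_id: str, now: float) -> bool:
        q = self._hits.setdefault(session_id, deque())
        while q and now - q[0] >= self.window_s:
            q.popleft()
        if len(q) >= self.max_requests:
            return False
        q.append(now)
        return True


class AccountLockout:
    """Hypothetical model of 'Enable account lockout': `attempts` failed logins
    within `window_min` minutes lock the identity out for `lockout_min` minutes,
    whatever kind of identity it is. Timestamps are seconds."""

    def __init__(self, attempts: int, window_min: float, lockout_min: float):
        self.attempts = attempts
        self.window_s = window_min * 60
        self.lockout_s = lockout_min * 60
        self._fails = {}         # identity -> timestamps of recent failures
        self._locked_until = {}  # identity -> time the lockout ends

    def is_locked(self, identity: str, now: float) -> bool:
        return now < self._locked_until.get(identity, 0.0)

    def record_login(self, identity: str, success: bool, now: float) -> str:
        """Returns 'locked', 'ok', 'failed' or 'locked_out_now'."""
        if self.is_locked(identity, now):
            return "locked"                   # rejected even if the password is right
        if success:
            self._fails.pop(identity, None)   # assumption: success clears the count
            return "ok"
        q = self._fails.setdefault(identity, deque())
        q.append(now)
        while q and now - q[0] > self.window_s:
            q.popleft()
        if len(q) >= self.attempts:
            self._locked_until[identity] = now + self.lockout_s
            q.clear()
            return "locked_out_now"
        return "failed"


# Constructed login events: (seconds since start, identity, password correct?)
SAMPLE_LOGINS = [
    (0,   "alice@demo.lsc", False),
    (10,  "bob@demo.lsc",   False),
    (20,  "alice@demo.lsc", False),
    (40,  "alice@demo.lsc", False),  # 3rd failure within 5 min -> lockout
    (50,  "alice@demo.lsc", True),   # right password, still locked
    (400, "bob@demo.lsc",   False),  # bob's first failure aged out of the window
    (941, "alice@demo.lsc", True),   # 15-minute lockout has expired
]


def run_sample(attempts: int = 3, window_min: float = 5, lockout_min: float = 15) -> list:
    """Replay SAMPLE_LOGINS through AccountLockout; returns one outcome per event."""
    policy = AccountLockout(attempts, window_min, lockout_min)
    return [policy.record_login(who, ok, t) for t, who, ok in SAMPLE_LOGINS]


if __name__ == "__main__":
    for event, outcome in zip(SAMPLE_LOGINS, run_sample()):
        print(event, "->", outcome)
```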
Escape all password input fields on submit escapes all input characters to help prevent cross
site scripting or SQL injection attacks.
Hide passwords in recovery page until shown stops the password from being displayed on
screen in the web site during a password recovery, unless the user explicitly clicks the Show
button. The additional functions of copy, show phonics, extend checkout, and check in will still
function normally.
Hide authenticator list (user names must be UPN/FQDN) simplifies the web login process by
removing the Authenticator drop-down list from the Web application login page. However, the
user must supply the user name in a UPN format such as lscadmin@demo.lsc.
Strip links to non-local resources will remove user supplied links to external content.
No MFA is the default option where the web application installation will not use any form of
multi-factor authentication.
Enable internal MFA (OATH/Yubico) - If OATH tokens are configured in management console
and required for user logins and this option is enabled, a user must supply a proper passcode, in
addition to their standard login, in order to gain access to the web application. There are no
further infrastructure requirements for this form of two-factor authentication.
Enable external MFA (RADIUS and native integrations) - Enabling this option enables 2 factor
authentication for the web application but does not mandate it for login. If this check box is not
enabled, then the user will not be prompted to enter their MFA passcode unless their
delegation identity is also set to require two factor authentication. For this option to work the
two factor client must be correctly installed and configured on the web application host and the
two factor server must be accessible from the web application host. See the admin guide for
more information on configuring MFA.
Enable external and internal MFA - Enabling this option enables both the internal OATH and
external forms (RADIUS, RSA, Microsoft, etc.) of MFA. In this configuration, some users can be
configured with OATH while others can be configured with another external MFA. For a user
configured with both options (by configuration or by a combination of multiple identities), the user
will need to use the external MFA.
Use simple username for external MFA login checks - This option becomes available if the two
factor options are set to require or enable. Enabling this option permits the use of simple names
rather than fully decorated user names.
Require MFA for all interactive web application logins - Enabling this option forces the MFA
requirement for all users of the web application; it is no longer an option as it would be if only
Enable external [and internal] MFA was enabled.
Any MFA enabled user/group membership/role membership forces MFA for user - Enabling
this option will use the most restrictive setting for MFA. Without this box selected, if any of the
user's identities do not require MFA the user will not require MFA. With this box selected, if any
of the user's identities require MFA, the user will require MFA.
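How the MFA settings of a user's several identities resolve under the options described above (internal vs. external MFA, the "require for all" option and the most-restrictive option), as an added Python example; this is a hypothetical model, not the product's code, and the `default_method` fallback is an assumption.

```python
from typing import Iterable, Optional

# MFA setting carried by each delegation identity a user belongs to:
#   None        - no MFA required
#   "oath"      - internal MFA (OATH/Yubico)
#   "external"  - external MFA (RADIUS and native integrations)


def required_mfa(identity_mfa: Iterable[Optional[str]],
                 require_all: bool = False,
                 most_restrictive: bool = False,
                 default_method: str = "external") -> Optional[str]:
    """Resolve which MFA, if any, a user must pass from the settings of all
    identities the user belongs to (hypothetical model of the rules above).

    require_all      - 'Require MFA for all interactive web application logins'
    most_restrictive - 'Any MFA enabled user/group membership/role membership
                       forces MFA for user'
    default_method   - method used when require_all forces MFA but no identity
                       names one (assumption made for this example)
    """
    settings = list(identity_mfa)
    if not settings:
        raise ValueError("user holds no identities")
    for s in settings:
        if s not in (None, "oath", "external"):
            raise ValueError(f"unknown MFA setting {s!r}")
    methods = {s for s in settings if s is not None}

    if most_restrictive:
        # Box selected: any identity requiring MFA forces MFA for the user.
        need = bool(methods)
    else:
        # Box not selected: any identity NOT requiring MFA exempts the user.
        need = all(s is not None for s in settings)
    if require_all:
        need = True
    if not need:
        return None
    # A user configured with both OATH and external (directly or across
    # identities) has to use the external MFA.
    if "external" in methods:
        return "external"
    if "oath" in methods:
        return "oath"
    return default_method


if __name__ == "__main__":
    # Constructed roster: identity -> MFA setting of that identity
    roster = {"alice": [None, "oath"], "bob": ["oath", "external"], "carol": [None, None]}
    for name, ids in roster.items():
        print(name, required_mfa(ids), required_mfa(ids, most_restrictive=True),
              required_mfa(ids, require_all=True))
```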
Enable Privileged User Management integration support - Enables the integration with a
supported PUM provider.
PUM Gateway Server (optional) - The default name of the target Linux/UNIX server with the
PUM software to be targeted for the run commands.
PUM Gateway User (optional) - The default name of the account to be used.
Response configuration file location for PUM operations (optional) - The path on the web
application server to the PUM response XML file. The file can initially be found on the
application host system in the AnswerFiles sub-folder of the installation directory. If this field
is left blank, the response file is assumed to be in the website COM object installation path that
defaults to %systemroot%\system32 on 32-bit systems, or %systemroot%\SysWoW64 on 64-bit
systems.
Note: Other requirements for the PUM feature to work are that the
CrossPlatformSupportLibrary, available in the ERPM installation directory, must
be installed onto the web server (if it is a remote web server only).
Session playback URL - The URL that the compiled videos will stream from when the optional
application launching and session recording modules are enabled.
Enable session recording - When enabled and configured, this option allows the web
application to display the session recordings and related metadata information from Observe-IT,
a third party session recording product. When enabled, a Session Recording link appears in the
web interface under the Auditing menu that will allow access to these recordings and
metadata. For ObserveIT, the link would be similar to this:
https://server-name:4883/ObserveIT/Integration/SessionRecordingView/Search.aspx
Additional steps may be required for the session recording service. Please refer to the third-party's
documentation for specifics.
Enable RDP sessions using stored passwords to host system - Enables the automatic RDP
functionality of the web application.
Allow RDP sessions using stored passwords to any system - Permits the managed account to be
used to connect to any system if the target system permits it. This would be used by domain
accounts on domain joined systems.
Allow users to choose RDP gateway for web connections - Provides a list of RDP gateways for
the user to choose from when launching an RDP session. Use the Configure Gateways button to
add/import/edit the RDP gateway list.
Allow multiple RDP windows from a single session - Allows the launching of multiple RDP
sessions from the web application. If this box is disabled, the current auto-RDP session is
disconnected before the new session is established.
Open RDP windows maximized - Opens the RDP window using full screen instead of in a
window. If the host desktop resolution is low, this option should be selected.
Use the application launcher to launch terminal services on the client - Requires the Application
Launcher feature be enabled. This launches the user's local MS RDP flat client rather than the
Microsoft ActiveX control, which provides more options and support for NLA (network level
authentication).
Enable Telnet Console Access - Enable the launching of a Telnet session to the target system. Be
aware that Telnet CANNOT programmatically pass a password to a target system. Thus,
password retrieval is necessary prior to launching the Telnet session.
Allow multiple Telnet windows from a single session - Allows the launching of multiple Telnet
windows from the web application. If this box is disabled, the current Telnet session is
disconnected before the new session is established.
Show message before creating remote sessions - Displays a message in the user's browser
before they connect to the target system. Typical examples of these messages include security
disclaimers or acceptable usage policy notifications.
Enable SSH Console Access - Enable the launching of an SSH session to the target system. This
securely and programmatically passes the target system/account credentials so users do not
need to be aware of the current password.
Allow SSH sessions using stored passwords to any system - Permits the managed account to be
used to connect to any system, if the target system permits it.
Allow multiple SSH windows from a single session - Allows the launching of multiple SSH
windows from the web application. If this box is disabled, the current Telnet session is
disconnected before the new session is established.
Proxy Type - Both the SOCKS and HTTP proxy protocols can be used to traverse firewalls. SOCKS
is usually used to create a raw TCP connection, and the HTTP proxy protocol can do the same
with the CONNECT method. If a proxy is required, also supply the Proxy Host, Proxy Port, and
Proxy Timeout.
SSH Protocol - When set to Auto, the control determines what the target supports and uses that.
Force a particular version if desired.
Handshake Timeout - Amount of time for the connection handshake to take place.
Key Exchange Timeout - Amount of time for the key exchange to take place.
Public Key Passphrase - Pass phrase for public key key-pair file.
Key Timing Noise when Sending Passwords - Enable to create a random timing offset for key
transfer (security).
Allow New Server - Enable to permit jumping from server to server from within the SSH session.
Enable X11 Forwarding - If X11 forwarding is enabled on the target host, this enables the feature
to function in the Java-based SSH session.
Allow SSH connections using public/private key pairs - If SSH keys are configured in the
solution, the Java-based SSH sessions may leverage keys to connect to the target systems.
o Key location on client system is the physical path on the client's machine where the
SSH keys are physically stored.
o Allow clients to specify private key paths to identify the public key path on their own
system rather than relying on the globally configured option.
IMPORTANT! If the web service is installed on a machine that is NOT also hosting the
web application, the web service will fail to load unless additional actions are
taken. In this scenario, export the web application settings from the
management console, then import them onto the web service host.
To export the settings, from the management console:
the web application to function. In prior versions, the web service was an optional component used
only for PowerShell cmdlets, application launcher, session recording, and API access.
1) Click Manage Web App from the left action pane.
2) Select the desired web application instance from the list
3) Go to Advanced and select Export web app registry config. This will export a regedit file.
These steps provide the web service with the necessary information to connect to the
data store, HSM if configured, and the encryption key as well as other settings.
Any time these options change, it will be necessary to repeat these steps.
Important! If the web service is hosted on a different machine than the web application
host and the systems are accessed through a URL that is different (specifically with
regards to the protocol, server name, or port), your web browser will block
access to the web service and many things will not function correctly. The
basic steps to resolve this are to open the web.config file for the web service
post installation and set "EnableCORS" to "true". Additional configurations may be
required in your specific browser and may not work in all configurations
(non-Microsoft browsers especially). Please refer to your browser's specific
documentation for more information on enabling CORS support.
4) You will be prompted to generate the file for 64-bit Windows. Click Yes.
5) Copy the registry export to the target web service host and double click the file to import it.
Web service prerequisites are outlined in Web Service Host Requirements (on page 19) and its
service account requirements are outlined in Service Account Requirements (on page 24).
The web service cannot be pushed to a target system from the management console; it must be
installed locally at this time. If installing the web service on the same machine as the management
console, the installation of the web service package may be initiated from the management console,
by clicking Manage Web App from the left action pane then clicking Install Web Service at the
bottom of the Manage Web Application Instances dialog. For remote systems, copy and use the
manual installer (ERPMWebService.exe) found in the SupplementalInstallers sub-folder in the
installation directory, typically %programfiles(x86)%\Lieberman\Roulette.
1) Launch the web service installer.
2) On the welcome page, click Next.
3) On the COM+ Object Identity, choose an appropriate identity and click Next. Valid identity
options are:
Network Service - use this option when using database native authentication mode to connect
to the database (e.g. SA).
Interactive User - not recommended - use this option when it is desired for the user calling the
web service to pass their authentication token as the authentication token to the database. This
is valid when using Windows Integrated Authentication but will require considerably more
security configurations in the program data store.
Specific User - recommended, default - use this option when using Windows Integrated
Authentication to the database or when it is desired to minimize any rights granted to the
COM+ application. This is the most compatible option. User names should be supplied in the
format of DomainName\Username.
4) Select the location in the local IIS instance to install the web service to and click Next. Valid
options are:
Virtual Directory - default, recommended - will install the web service to a virtual directory called
ERPMWebService located under the parent website you select. This is the safest option to
choose for both security and configuration reasons.
Site - use this option to install the web service to the root website. If there are multiple root web
sites configured on the host, you will also be presented with a selection of root web sites to
choose from.
6) Select the authentication method for connecting to the web service then click Next. Only
methods available to the target parent website will be displayed. Valid methods include:
Anonymous Auth with SSL - use this option when SSL is configured but Windows Integrated
Authentication will not be used.
Anonymous Auth without SSL - not recommended - use this option when neither Windows Integrated
Authentication nor SSL will be used. Application Launcher will not work with this configuration.
Integrated Auth with SSL - use this option when SSL and Windows Integrated Authentication will
be used.
Integrated Auth without SSL - use this option when Windows Integrated Authentication will be
used without SSL. Application Launcher will not work with this configuration.
SSL with User Certificates - use this option when users must supply a user based certificate
(smart card, biometrics, etc.) to authenticate to the website and web service. This will incur
much more overhead in the overall configuration and may cause problems with Application
Launcher.
7) Select the destination folder for the web service to be installed to and click Next. The default
location is %inetpub%\wwwroot\ERPMWebService which already grants all required
permissions to be properly hosted. Changing the location may require additional configuration
by the web administrator.
Important! If you chose to create a virtual directory, this process will create a virtual directory
called ERPMWebService. This will inherit the authentication, SSL and other settings from the
parent web site. This is important because if the parent web site is configured to use
anonymous authentication and the installer was configured to use Windows Integrated
Authentication, the virtual directory will be created with bad settings and it will be necessary to
open IIS and reconfigure the authentication settings post install.
After clicking Finish, this will launch the web service page and web service tester. Make note of the
URL as it will be required when configuring the web application. At this point, the web service will
be non-functional as it also requires settings from the web application to function. If the website is
installed on the same host as the web service, no further configuration actions will be required for
the web service. If the web service and web application are installed on separate machines, it will
be required to export the web application server configuration and import it to the web service
system.
See Post Installation or Upgrade Steps (on page 207) for additional steps and verifications.
Chapter 5 Upgrading Lieberman RED Identity Manager
This chapter describes how to upgrade Lieberman RED Identity Manager from a previous
installation.
You can directly upgrade from any prior version of Lieberman RED Identity Manager to the current
release. For example, you can upgrade from version 4.83.0 to version 5.5.2.1 without first having to
upgrade to an intermediate version.
Note: Upgrading causes some saved preferences to reset to default values. If you
configured the management console to hide certain account store types, plan on
reapplying those settings following the upgrade.
Prior to upgrading, be sure to backup the program's database. During the upgrade, structures within
the database are updated and may not be compatible with older versions of the product.
If the program database is still running on SQL Server 2005 (or older), the database will need to be
re-hosted to SQL Server 2008 or newer prior to upgrade. For tips on how to move the program
database from one Microsoft SQL server to another, please refer to the following article:
https://liebsoft.zendesk.com/hc/en-us/articles/236069348-How-to-Move-Your-Program-Database-to-a-New-Server
If upgrading from version 4.83.4 or older and you are running the solution on a Windows 2003
Server, it is necessary to migrate the installation to a Windows Server 2008 R2 or later operating
system. Lieberman RED Identity Manager is not supported on any version of Windows Server
prior to Windows Server 2008 R2. Contact a Lieberman Software account representative for
more information.
Versions of the product prior to version 4.83.4 did not use ASP.NET. The ASP.NET IIS role feature
must be installed/enabled prior to upgrading to this version.
Starting with version 5.5.2 of the product, Microsoft .Net Framework version 4.5.2 is a
requirement for all components of the solution.
Starting with version 5.5.2 of the product, the web service is a requirement for the web
application to function. This also adds new requirements to the host servers that did not
previously exist.
Please refer to Understanding Prerequisites (on page 14) for more information prior to upgrading.
IN THIS CHAPTER
A recent backup of the database prior to the upgrade. This is performed within SQL Server, not
by Lieberman RED Identity Manager.
The encryption key. This can be had via the management console from Settings | Encryption
Settings, then clicking the Export button and saving the file to a secure location. If using an
HSM, be sure you know the key store and PIN to access your HSM.
The previous installation software.
If the management console is installed on a virtual machine, it may be prudent to simply snapshot
the virtual machine.
Upgrading Lieberman RED Identity Manager 173
Upgrade Outline
1) Stop the deferred processing and zone processor services. This ensures that jobs will not be
processed during the database upgrade and helps prevent any data loss or corruption.
2) Stop the web application and web services. This ensures users will not be able to generate new
database activity (jobs, auditing, etc.) while the upgrade takes place.
3) Upgrade the console.
4) Deploy the upgraded web application and web service.
5) Deploy the upgraded deferred and zone processor services.
6) Deploy ancillary components such as PowerShell, application launcher, etc.
3) On the Job Queues dialog, select all items where the zone processor column is NOT listed as
Deferred Processing Service and click Get Job Queue and Service Status.
4) Immediately expand each zone processor service and check the status column for Currently
Running. The status should indicate No jobs are currently being run by this processor.
If the status indicates a job is running, it is best to wait for the job to finish or you may damage
the job or cause other problems in your network due to a partially complete job. Further, if a job
is running, also check the Queued Jobs column for the deferred processor and note how many
jobs are in the queue to process. It will be best to wait for the jobs to finish or take note of their
Job IDs and disable them before they get run so you may perform the upgrade. Don't worry:
when you start the processors post-upgrade, all past due jobs will be run as soon as possible.
5) If the jobs list is empty, cancel the Job Queues dialog and click on Zone Processors from the
Stored Jobs dialog.
6) Right click on each zone processor and select Stop Service. If there are any problems
communicating with the services control manager on the remote systems, you will need to go to
each system, open the Services snap-in within Windows, locate "RouletteSked${ZONE-NAME}"
and stop the service.
IF THE REMOTE ZONE PROCESSOR HOST CAN BE MANAGED REMOTELY FROM THE MANAGEMENT
CONSOLE AND WAS DEPLOYED BY THE MANAGEMENT CONSOLE...
Note: There is no way to tell in the console how a zone processor was deployed. If you
are unsure, start by trying to remove the zone processor from the console. If there
are any failures to communicate or perform the first action (file removal), stop
and follow the steps in the next subsection.
1) From the management console, click Jobs from the left action pane.
2) From the Stored Jobs dialog, click Zone Processors.
3) From the Zone Processors dialog, right-click the zone processor(s) in question and select
Remove. You will be prompted to remove the service files, service registry settings, and finally
the service registration. Select Yes for each prompt.
IF THE REMOTE ZONE PROCESSOR HOST WAS NOT DEPLOYED BY THE MANAGEMENT CONSOLE...
Note: There is no way to tell in the console how a zone processor was deployed. If you
are unsure, start by trying to remove the zone processor from the console. If there
are any failures to communicate or perform the first action (file removal), stop
and follow the steps below.
5) Repeat this step for each web application and web service host.
For the web service application, right-click Lieberman ERPM WebService and select Shutdown.
3) Read the entire license agreement. Once you have read the agreement, if you agree, select I
accept the license agreement, then click Next.
4) Click the READ ME! button and read the steps outlined in the document. It identifies the major
upgrade steps to take. As you perform each step, check the box to indicate you have performed
the step. When ready, click Next.
PDF Encoder - recommended - provides Lieberman RED Identity Manager the ability to turn its
compliance reports into PDF documents.
RSA SecureID - install this option if RSA multi-factor authentication will be required to access the
management console, but this machine will NOT host the web application. If this machine will
host the web application, leave this option unselected as the application will be installed
automatically when the web application is installed.
7) Change the installation location if needed. The program will be installed to a sub-folder called
Roulette at the chosen location.
8) Click Next.
9) Choose the identity to run the CLR COM+ application. The default is Network Service. The CLR
COM+ identity provides the network and local system access the solution uses to reach various
cloud services. Individual account stores (Azure, AWS, ESX, etc.) are configured with their own
connection credentials when they are enrolled.
Options for the identity are:
Interactive User - Use the same logon information as the calling identity. This is an
administrator-level account, because the calling identity will be either the admin running the
console or the ERPM deferred processor service account. This option requires the least
configuration but grants significantly more privilege than is required.
Network Service - (Recommended) Use the built-in Network Service account. You do not have to
manage a password or grant additional rights, although in some cloud management cases you may
need to grant additional permissions on the file system. On the network this account
authenticates as the computer account.
Local Service - Use the built-in Local Service account. As with Network Service, you do not have
to manage a password or grant additional rights, although in some cloud management cases you may
need to grant additional permissions on the file system. Local Service has the same minimal
local privileges as Network Service; the difference is that it presents anonymous credentials on
the network instead of the computer account, so it cannot authenticate to remote Windows resources.
This User - Use the supplied user name and password. This could be a local account that is
configured never to authenticate to any other machine in the network (unlike Network Service,
which authenticates as the computer account), but it is one more credential to manage. In some
cloud management cases you may need to grant it additional permissions on the file system.
This account also needs the Log on as a batch job user right.
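The installer does not check or grant the Log on as a batch job right for the This User option, so the following added example (not from the documentation and not Lieberman code) does it from Windows PowerShell on the console host: it exports the local security policy with secedit, looks for the account's SID under SeBatchLogonRight, and appends it without disturbing the accounts that already hold the right. The account name is a placeholder; run the script elevated.

```powershell
# Added example, not Lieberman code. Verifies and grants the "Log on as a batch job" right
# (SeBatchLogonRight) that the "This User" COM+ identity needs. Run elevated.
# Assumption: 'YOURCO\svc-erpm-com' is a placeholder for the account you chose.

function Get-BatchLogonRightEntries {
    # secedit writes a Unicode .inf; the right appears as: SeBatchLogonRight = *S-1-5-32-544,*S-1-...
    $cfg = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
    try {
        $line = Get-Content -Path $cfg -ErrorAction Stop | Where-Object { $_ -match '^\s*SeBatchLogonRight\s*=' }
    } finally { Remove-Item -Path $cfg -Force -ErrorAction SilentlyContinue }
    if (-not $line) { return @() }
    return @(($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function ConvertTo-Sid {
    param([Parameter(Mandatory)][string]$Account)
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    return $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Test-BatchLogonRight {
    param([Parameter(Mandatory)][string]$Account)
    $sid = ConvertTo-Sid $Account
    $entries = Get-BatchLogonRightEntries
    # secedit lists holders as *SID; a bare name can appear when a policy template used names
    return ($entries -contains "*$sid") -or ($entries -contains $Account)
}

function Grant-BatchLogonRight {
    param([Parameter(Mandatory)][string]$Account)
    if (Test-BatchLogonRight $Account) { return $true }
    $sid = ConvertTo-Sid $Account
    # Keep every existing holder: a template that lists only the new SID would strip the right from the others
    $newList = ((Get-BatchLogonRightEntries) + "*$sid") -join ','
    $inf = Join-Path $env:TEMP 'grant-batchlogon.inf'
    $db  = Join-Path $env:TEMP 'grant-batchlogon.sdb'
@"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeBatchLogonRight = $newList
"@ | Set-Content -Path $inf -Encoding Unicode
    try {
        & secedit.exe /configure /db $db /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
    } finally { Remove-Item -Path $inf, $db -Force -ErrorAction SilentlyContinue }
    return Test-BatchLogonRight $Account
}

$account = 'YOURCO\svc-erpm-com'   # placeholder: the identity entered for "This User"
if (Grant-BatchLogonRight $account) { "$account holds SeBatchLogonRight" }
else { Write-Warning "$account still lacks SeBatchLogonRight; check whether Group Policy defines this right" }
```

If a domain Group Policy defines User Rights Assignment for this host, the local grant made here is overwritten at the next policy refresh; in that case add the account to the GPO instead and use only Test-BatchLogonRight here to confirm it arrived.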
13) Launch the program to perform the database upgrade. After this step is complete, repeat steps
1-12 for all other management consoles.
14) Continue the installation by upgrading the web application, then web service, then deferred and
zone processors.
1) In the management console, click the Manage Web App button from the left action pane.
2) If upgrading from version 5.5.1 or earlier, select your web application from the list then click
Remove. This step is necessary because the system name and registry settings have changed.
3) On the Manage Web Application Instances dialog, click Install, located in the lower left corner.
4) On the Install Web Application dialog, select the target installation system. Local system is
the system you are on now. If installing to a remote system, supply the remote system name as a
fully qualified domain name.
5) Click Check System Compatibility. This will perform a check of the target system to validate IIS
is accessible, the file system is accessible, and remote registry and remote COM+ access are
possible. Fix any access errors before continuing. If the check proceeds without incident, the
Web Interface Files section will be filled in automatically.
server. This makes it easier for end users to recall and type. If the web server is a shared
server, you could inadvertently overwrite another web application.
o Installing to a virtual directory is the safest option as you will not overwrite any other
applications if the target is a shared server. The default virtual directory name is
PWCWeb. This name can be changed to any value permitted by IIS. The name supplied
here will be appended to the server name. In the default case the URL will target
https://serverName/pwcweb.
c. Web files destination path - this is where the web application files will be copied on the
target server. The path is resolved from IIS on the target server, which defaults to
%inetpub%\wwwroot. When installing to a virtual directory (default), the path is appended
with the name of the virtual directory.
d. Copy alternate web application files to target - not recommended - version 5.5.2 was the
last version to provide official support for the legacy web application. Although it is still
present in the current installer, it will be removed without notice from future iterations.
7) Web Application COM Components defines information for the COM+ application that will be
responsible for data access from the web application to the solution data store. Supply the
following information:
a. COM+ files destination files path - defaults to C:\Windows\System32 and will install to
\\serverName\admin$\syswow64 (c:\windows\syswow64). It is typically not necessary to
change this setting.
b. COM+ application name - defaults to PWCWebComApp. You may supply any name you
wish. This name is never visible to end users and is purely for identification when using the
Windows Components snap in.
c. Use existing COM+ application/config if possible - if upgrading from an existing installation,
this will attempt to leave the existing COM+ application configuration intact and simply
replace the required COM component files (rouletteweb.dll).
d. COM+ application account - this is the identity that will actually run the COM+ application.
When using Windows Integrated Authentication, this is the account that will be responsible
for data access from the database server on the web application's behalf. Enter the
9) In the bottom section of the Install Web Application dialog, identify the use of SSL, any custom
port, or identify an explicit site address. Use an explicit site address when the URL to access the
web application will be different than the serverName (or serverName/virtualDirectoryName).
This would be the case when using a load balancer or if the server name will be aliased in DNS.
The information entered here has no functional effect on the website regarding end users. It
only affects the web application auto-launch capability from the Manage Web Application
Instances dialog in the management console.
10) Click Web App Settings to configure additional web application options. These options affect
security, sessions, and other integrations. For more information see Web Application
Configuration Options (on page 142).
The one option you must specify is the Web Service URI for the REST web service endpoint on the
App Options tab. At this point, the web service is not yet installed. However, if the web service
will be installed onto the same machine using default settings, the URI will be virtually the same
as the URL mentioned above. For example, if the server is defined to use SSL in the previous
step on the default port (443) and your SSL certificate uses the FQDN of the server (e.g. yourco.int),
then the URI to enter will be
https://servername.yourco.int/erpmwebservice/authservice.svc/REST. Everything after your
server name is standard: /erpmwebservice/authservice.svc/REST. If you were behind a load
balancer and the name of the load-balanced cluster was "secureidmstore.yourco.com", the URI
to enter would be https://secureidmstore.yourco.com/erpmwebservice/authservice.svc/REST.
If any of this information changes later, it can be updated at any time.
11) Then click Install.
12) You may receive a COM+ Account Confirmation warning after clicking. This dialog will appear if
the COM+ account specified on the installation dialog is different than the currently logged in
user. The warning is asking you to be sure that the account specified has datastore access or the
web application will fail to function until the access issue is resolved.
13) If you are sure about the account information, click Yes to continue or No to change to a
different account.
14) When the web application installation is complete, a dialog indicating a successful install will
appear. Click OK.
15) You will next be prompted to launch the web application. Clicking Yes will open your default
browser to the URL derived from step 9 above, where SSL use, any custom port, or an explicit
site address was identified.
16) Click Yes to launch the web application. You will be logged into the web application as
[WebApplicationManager]. This is a built-in account. Its password is randomly generated with
each installation of this product.
17) Once the installation of the web application(s) is complete, the Manage Web Application
Instances dialog will be populated with a list of all known web applications.
18) If the web service is hosted on the same machine, continue to Upgrading the Web Service. If the
web service is hosted on a different machine, then start the parent website in IIS on the web
application hosts only.
See Post Installation or Upgrade Steps (on page 207) for additional steps and verifications.
To continue the basic installation, next install the Web Service (on page 162).
Starting with Lieberman RED Identity Manager version 5.5.2, the web service is a requirement for
the web application to function. In prior versions, the web service was an optional component used
only for PowerShell cmdlets, application launcher, session recording, and API access.
IMPORTANT! If the web service is installed on a machine that is NOT also hosting the
web application, the web service will fail to load unless additional actions are
taken. In this scenario, export the web application settings from the
management console, then import them onto the web service host. These steps
provide the web service with the necessary information to connect to the data
store, the HSM if configured, and the encryption key, as well as other settings.
Any time these options change, it will be necessary to repeat these steps.
To export the settings, from the management console:
1) Click Manage Web App from the left action pane.
2) Select the desired web application instance from the list.
3) Go to Advanced and select Export web app registry config. This will export a regedit (.reg) file.
4) You will be prompted to generate the file for 64-bit Windows. Click Yes.
5) Copy the registry export to the target web service host and double-click the file to import it.
Because the exported file carries the data store connection settings and the encryption key
information, treat it as a secret: copy it over a protected channel and delete it from both
hosts once the import is complete.
Important! If the web service is hosted on a different machine than the web application
host and the two are reached through URLs that differ (specifically in protocol,
server name, or port), your web browser will block the web application's calls
to the web service as cross-origin requests and many things will not function
correctly. The basic fix is to open the web service's web.config file after
installation and set "EnableCORS" to "true". Additional configuration may be
required for your specific browser and may not work in all configurations
(non-Microsoft browsers especially). Refer to your browser's documentation for
more information on CORS support.
Web service prerequisites are outlined in Web Service Host Requirements (on page 19) and its
service account requirements are outlined in Service Account Requirements (on page 24).
The web service cannot be pushed to a target system from the management console; it must be
installed locally at this time. If installing the web service on the same machine as the management
console, the installation of the web service package may be initiated from the management console,
by clicking Manage Web App from the left action pane then clicking Install Web Service at the
bottom of the Manage Web Application Instances dialog. For remote systems, copy and use the
manual installer (ERPMWebService.exe) found in the SupplementalInstallers sub-folder in the
installation directory, typically %programfiles(x86)%\Lieberman\Roulette.
During an upgrade, your previous settings will be remembered and will already be selected. You will
however need to re-enter the password for the COM+ identity.
1) Launch the web service installer.
2) On the welcome page, click Next.
3) On the COM+ Object Identity page, choose an appropriate identity and click Next. Valid identity
options are:
Network Service - use this option when using database native authentication mode to connect
to the database (e.g. SA).
Interactive User - not recommended - use this option when the user calling the web service
should pass their own authentication token through as the authentication token to the database.
This is valid when using Windows Integrated Authentication but requires considerably more
security configuration in the program data store.
Specific User - recommended, default - use this option when using Windows Integrated
Authentication to the database or when you want to minimize the rights granted to the
COM+ application. This is the most compatible option. Supply user names in the
format DomainName\Username.
4) Select the location in the local IIS instance to install the web service to and click Next. Valid
options are:
Virtual Directory - default, recommended - will install the web service to a virtual directory called
ERPMWebService located under the parent website you select. This is the safest option to
choose for both security and configuration reasons.
Site - use this option to install the web service to the root website. If there are multiple root web
sites configured on the host, you will also be presented with a selection of root web sites to
choose from.
6) Select the authentication method for connecting to the web service, then click Next. Only
methods available to the target parent website will be displayed. Valid methods include:
Anonymous Auth with SSL - use this option when SSL is configured but Windows Integrated
Authentication will not be used.
Anonymous Auth without SSL - not recommended - use this option when neither Windows Integrated
Authentication nor SSL will be used. Logon credentials and session data then cross the network in
clear text, and Application Launcher will not work with this configuration.
Integrated Auth with SSL - use this option when SSL and Windows Integrated Authentication will
be used.
Integrated Auth without SSL - use this option when Windows Integrated Authentication will be
used without SSL. Application Launcher will not work with this configuration.
SSL with User Certificates - use this option when users must supply a user-based certificate
(smart card, biometrics, etc.) to authenticate to the website and web service. This incurs
much more overhead in the overall configuration and may cause problems with Application
Launcher.
7) Select the destination folder for the web service to be installed to and click Next. The default
location is %inetpub%\wwwroot\ERPMWebService, which already grants all required
permissions to be properly hosted. Changing the location may require additional configuration
by the web administrator.
Important! If you chose to create a virtual directory, this process will create a virtual directory
called ERPMWebService. It will inherit the authentication, SSL and other settings from the
parent web site. This matters because if the parent web site is configured to use
anonymous authentication and the installer was configured to use Windows Integrated
Authentication, the virtual directory will be created with the wrong settings and you will need to
open IIS and reconfigure the authentication settings after the install.
After clicking Finish, this will launch the web service page and web service tester. Make note of
the URL as it will be required when configuring the web application. At this point, the web
service will be non-functional as it also requires settings from the web application to function. If
the website is installed on the same host as the web service, no further configuration actions
will be required for the web service. If the web service and web application are installed on
separate machines, it will be required to export the web application server configuration and
import it to the web service system.
10) Open IIS on the web application and web service host(s).
11) Expand the host server.
12) Expand sites.
13) Right-click on the parent root web site and click Manage Website | Start.
14) Repeat this step for each web application and web service host.
See Post Installation or Upgrade Steps (on page 207) for additional steps and verifications.
ipworksauth9.dll
ipworkssmime9.dll
ipworksssl9.dll
ipworksssnmp9.dll
msvcp120.dll
msvcr120.dll
RouletteProc.exe
RouletteSked.exe
wkhtmltopdf.exe
zlibwapi.dll
7) Inability to connect to the program data store - check connectivity to the database using the
service account credentials, and confirm that the current database provider is installed on the
zone processor host (the management console does not push database providers to the remote
system).
8) Bad service account information - examine the Log On tab of the service in the Windows Services
snap-in and validate the username and password.
9) Repeat this entire process for all zone processor hosts, including hosts managing different
zones or having different configurations.
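Steps 7 and 8 are easier to settle with a test run on the zone processor host itself. The following added example (not part of the documentation, not Lieberman code) checks that the ODBC provider selected in the console is installed on this host and then opens the data store with the credentials of whoever runs it, reporting the SQL login that was actually used and whether the session is TLS-protected. DBHOST, ERPMDB and the service account are placeholders; it assumes Windows PowerShell 5.1 with the Wdac module (Get-OdbcDriver, Windows 8 / Server 2012 or later).

```powershell
# Added example, not Lieberman code. Run on a zone processor, web or web service host, as the
# service account that will own the process, to prove the provider is installed and the account
# can open the data store. Placeholders: DBHOST, ERPMDB, YOURCO\svc-erpm-zp.
function Test-ErpmDataStore {
    param(
        [string]$Driver   = 'SQL Server Native Client 11.0',
        [string]$Server   = 'DBHOST',       # also 'DBHOST,55555' or 'DBHOST\Instance'
        [string]$Database = 'ERPMDB',
        [switch]$Encrypt,                   # Encrypt=yes, same as "Encrypt communication with database"
        [pscredential]$SqlLogin             # omit to use Windows Integrated Authentication
    )
    $r = [ordered]@{
        Host = $env:COMPUTERNAME
        RunningAs = [Security.Principal.WindowsIdentity]::GetCurrent().Name
        DriverInstalled = $false; Connected = $false; DbLogin = $null; TlsEncrypted = $null; Error = $null
    }

    # 1) The product components are 32-bit (Program Files (x86), SysWOW64), so the 32-bit driver
    #    is the one that must be present, whatever the 64-bit ODBC administrator shows.
    $r.DriverInstalled = [bool](Get-OdbcDriver -Name $Driver -Platform '32-bit' -ErrorAction SilentlyContinue)
    if (-not $r.DriverInstalled) {
        $r.Error = "32-bit ODBC driver '$Driver' is not installed on this host"
        return [pscustomobject]$r
    }

    # 2) Build the connection string the same way the console's Data Store dialog does
    $cs = "Driver={$Driver};Server=$Server;Database=$Database;"
    if ($SqlLogin) { $cs += "Uid=$($SqlLogin.UserName);Pwd=$($SqlLogin.GetNetworkCredential().Password);" }
    else           { $cs += 'Trusted_Connection=yes;' }
    if ($Encrypt)  { $cs += 'Encrypt=yes;' }

    $conn = New-Object System.Data.Odbc.OdbcConnection $cs
    try {
        $conn.Open()
        $r.Connected = $true
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = 'SELECT SUSER_SNAME()'        # the login SQL Server actually authenticated
        $r.DbLogin = [string]$cmd.ExecuteScalar()
        try {
            # Confirms TLS is in effect for this session; may need VIEW SERVER STATE on some versions
            $cmd.CommandText = 'SELECT encrypt_option FROM sys.dm_exec_connections WHERE session_id = @@SPID'
            $r.TlsEncrypted = (([string]$cmd.ExecuteScalar()) -eq 'TRUE')
        } catch { $r.TlsEncrypted = 'unknown (VIEW SERVER STATE not granted)' }
    } catch {
        $r.Error = $_.Exception.Message          # login failure, network error, untrusted certificate, etc.
    } finally { $conn.Dispose() }
    [pscustomobject]$r
}

# Typical use: start this script as the service account from the 32-bit PowerShell so the same
# driver bitness as the product is exercised, e.g.
#   runas /user:YOURCO\svc-erpm-zp "%windir%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -File .\Test-ErpmDataStore.ps1"
Test-ErpmDataStore -Server 'DBHOST' -Database 'ERPMDB' -Encrypt | Format-List
```

A DbLogin that is not the expected service account (for example the computer account, DOMAIN\HOST$) means the service is running as Network Service or Local System rather than the account shown on the Log On tab, which is the step 8 symptom seen from the database side.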
If the installation performed does not point to a virtual directory called PWCWeb directly off of a
root web site in IIS, take the following corrective actions:
1) Open IIS and locate the root website or virtual directory where the web application was
installed.
2) Expand this object and select the application called FileVault.
3) On FileVault, open Error Pages.
4) Edit the 404 error handler.
5) Edit the URL (Relative to site root) field and update the correct path. If the web application was
installed to a root directory, set the URL to /OutputFile.asp. If the web application was installed
to a virtual directory under a root other than PWCWeb immediately off the root such as /REDIM
then set the URL to /REDIM/OutputFile.asp.
Post Installation or Upgrade Steps 209
6.2 SSL
When installing to a virtual directory (or upgrading an existing installation), the virtual directory will
inherit the settings of the parent website. That means if the parent website has certain settings, the
virtual directory will automatically inherit those settings. Thus if the parent website is not
configured to require SSL, then your virtual directory will not be configured to require SSL.
To require SSL on your virtual directory, assuming your parent website already has a proper SSL
certificate and binding follow these steps:
1) Open IIS.
2) Open the virtual directory (default for web application and web service are PWCWeb and
ERPMWebService, respectively).
3) From the center pane, open SSL Settings.
4) Select the check box Require SSL.
5) Click Apply.
1) Open IIS.
2) Open the virtual directory (default for web application and web service are PWCWeb and
ERPMWebService, respectively).
3) From the center pane, open SSL Settings.
4) Select Require SSL.
5) Under Client Certificates select one of the following options:
Accept - allows users to pass a user certificate but will also allow users who do not have a user
certificate. Select this option if some users will require certificates but you are unsure if ALL
users will be using certificates.
Require - all users accessing this site must supply a valid user certificate.
6) Click Apply.
When installing to a root website, the same redirect loop can occur, where the site keeps
redirecting to itself.
To rectify the problem when dealing with a virtual directory, use the following steps. For root
directories, see further down this page.
1) Open IIS.
2) Open the virtual directory (default for web application and web service are PWCWeb and
ERPMWebService, respectively).
3) From the center pane, open HTTP Redirect.
4) Clear all redirect options.
5) Click Apply.
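The two IIS procedures above (Require SSL with the Accept or Require client-certificate choice, and clearing an inherited HTTP Redirect) can be applied and verified in one pass with the IIS WebAdministration module. This is an added example, not part of the documentation and not Lieberman code; it assumes IIS 7.5 or later, an elevated Windows PowerShell session on the web host, that the parent site already has an HTTPS binding with a proper certificate, and that Default Web Site, PWCWeb and ERPMWebService are the documented defaults.

```powershell
# Added example, not Lieberman code. Sets Require SSL plus the client-certificate mode and clears
# inherited HTTP redirects on the PWCWeb and ERPMWebService virtual directories.
# Assumptions: IIS 7.5+, elevated session, parent site already bound to HTTPS.
Import-Module WebAdministration
$appHost = 'MACHINE/WEBROOT/APPHOST'

function Set-ErpmDirectorySecurity {
    param(
        [string]$Site = 'Default Web Site',
        [string[]]$VirtualDirectory = @('PWCWeb', 'ERPMWebService'),
        [ValidateSet('Ignore', 'Accept', 'Require')][string]$ClientCertificates = 'Ignore'
    )
    # sslFlags is a flag set. Ssl = Require SSL; SslNegotiateCert = Accept client certificates;
    # SslNegotiateCert + SslRequireCert = Require client certificates. This mirrors the SSL Settings UI.
    $sslFlags = switch ($ClientCertificates) {
        'Ignore'  { 'Ssl' }
        'Accept'  { 'Ssl,SslNegotiateCert' }
        'Require' { 'Ssl,SslNegotiateCert,SslRequireCert' }
    }
    foreach ($vdir in $VirtualDirectory) {
        $location = "$Site/$vdir"
        # Written at the location, so the virtual directory no longer just inherits the parent's value
        Set-WebConfigurationProperty -PSPath $appHost -Location $location `
            -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value $sslFlags
        # Disable any HTTP Redirect inherited from the parent site (the redirect-to-itself loop)
        Set-WebConfigurationProperty -PSPath $appHost -Location $location `
            -Filter 'system.webServer/httpRedirect' -Name 'enabled' -Value $false
        # Read back the effective configuration for that location
        $access   = Get-WebConfiguration -PSPath $appHost -Location $location -Filter 'system.webServer/security/access'
        $redirect = Get-WebConfiguration -PSPath $appHost -Location $location -Filter 'system.webServer/httpRedirect'
        [pscustomobject]@{ Location = $location; sslFlags = $access.sslFlags; RedirectEnabled = $redirect.enabled }
    }
}

# Require SSL on both directories and accept (but do not require) smart-card certificates
Set-ErpmDirectorySecurity -ClientCertificates 'Accept' | Format-Table -AutoSize
```

Use 'Require' only after every user population that reaches the web application and the web service has certificates, since a Require setting on ERPMWebService also applies to the web application's own calls into the service.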
Internet Explorer...
For Internet Explorer to use Windows Integrated Authentication automatically, the URL being
connected to must fall in the "Local intranet" zone rather than the Internet or Trusted sites zones.
Internet Explorer only automatically treats locations entered by their short name (as opposed to an
FQDN) as belonging to the intranet zone. If you access the web application and web service via
their short names, this battle is already won, SSL certificates permitting. If you access the
web application and web service via an FQDN, IE will not treat these URLs as intranet zone items
and Windows Integrated Authentication will fail.
To rectify this when using FQDNs, you may either have every user add the web application
and web service FQDNs to the intranet zone in IE, or use Group Policy to push out the proper
settings. To use Group Policy, enable the Site to Zone Assignment List policy (under Administrative
Templates | Windows Components | Internet Explorer | Internet Control Panel | Security Page) and
add each FQDN (wildcards are OK) with the Local intranet zone value:
Zone Assignment = 1
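The Site to Zone Assignment List policy is stored in the registry as one REG_SZ value per URL pattern, whose name is the pattern and whose data is the zone number. The following added example (not from the documentation, not Lieberman code) writes and reads back those entries so a single workstation can be tested before the GPO is rolled out. The URL patterns are placeholders; it assumes you run it as the user being tested (HKCU), or substitute HKLM:\ for a machine-wide assignment.

```powershell
# Added example, not Lieberman code. Creates the registry entries the Site to Zone Assignment List
# policy would deploy, for a local test. Zone ids: 1 = Local intranet, 2 = Trusted sites,
# 3 = Internet, 4 = Restricted sites.
# Assumptions: URL patterns below are placeholders; HKCU for a per-user test, HKLM for machine-wide.
$zoneMapKey = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'

function Add-IntranetZoneSite {
    param([Parameter(Mandatory)][string[]]$UrlPattern)
    if (-not (Test-Path $zoneMapKey)) { New-Item -Path $zoneMapKey -Force | Out-Null }
    foreach ($pattern in $UrlPattern) {
        # Each entry is a REG_SZ whose NAME is the URL pattern and whose DATA is the zone id ("1" = intranet)
        New-ItemProperty -Path $zoneMapKey -Name $pattern -Value '1' -PropertyType String -Force | Out-Null
    }
}

function Get-ZoneAssignments {
    if (-not (Test-Path $zoneMapKey)) { return @() }
    $item = Get-Item -Path $zoneMapKey
    foreach ($name in $item.GetValueNames()) {
        [pscustomobject]@{ Url = $name; Zone = [int]$item.GetValue($name) }
    }
}

# The web application and web service names, restricted to https so a plain-http URL on the
# same host is not silently promoted into the intranet zone as well
Add-IntranetZoneSite -UrlPattern @('https://*.yourco.int', 'https://secureidmstore.yourco.com')
Get-ZoneAssignments | Format-Table -AutoSize
```

Once this policy key exists, Internet Explorer greys out the per-user zone site lists, so users can no longer add or remove sites themselves; keep the list to the FQDNs actually needed for the web application and web service.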
Firefox...
Recent versions of Firefox can support Windows Integrated Authentication when used from a
domain-joined Windows system. To enable Firefox to support Windows Integrated Authentication,
go to about:config and define the following items:
Chrome...
Recent versions of Chrome will support Windows Integrated Authentication when run from a
Windows host without further configuration required. Refer to your Google Chrome documentation
for more information or additional settings.
Note that Chrome may still not work properly when working with cross origin requests (CORS)
where the web service is located on a machine separate from the web application and called by a
different URL when using Windows Integrated Authentication.
Chapter 7 Addenda
The addenda section contains supplementary information about this solution or related
components.
SQL Server Native Client 10.0/11.0 (ODBC) - This option will be available if the Microsoft SQL
Server Native Client version 10 or 11 is installed on the management console host. Using version
10 of the client is not recommended. It is necessary to use the SQL Native Client via
ODBC when leveraging SQL Server database mirroring, database availability groups (SQL Always
On) or Azure SQL, or when using TLS v1.2 to encrypt database communications. Be sure to
download the latest SQL Native Client to obtain the latest compatibility updates.
Oracle (through OLEDB) - Oracle is no longer supported as a back-end data store for new
customers and is only supported for existing customers who purchased Oracle Data Store
support prior to January 2015. For more information, see Oracle as a Datastore (on page 265).
Connection Settings
Database Name - the name of the server along with any instance and port configuration.
Directly to the server on the default port - enter the server name only, e.g. DBHOST.
Directly to the server on a non-default port - enter the server name and port number, separated
by a comma, e.g. DBHOST,55555.
To the server with a named instance - enter the server name and instance name, separated by a
back-slash, e.g. DBHOST\InstanceName.
218 Addenda
For more information on connecting to other SQL configurations like SQL AlwaysOn, mirroring,
or Azure SQL, see Connecting to Microsoft SQL HA and Cloud Database Configurations (on page
223).
Connect with Windows NT Integrated Security - use this option when it is desired to use
Windows Integrated Authentication to connect to the data store. This means the service
account's or interactive management console user's authentication token will be passed to the
Microsoft SQL server. This requires that these accounts (or groups they belong to) be
granted appropriate access to the database server and database. See Solution Database
Requirements (on page 21) for more details.
Use database native authentication mode - use this option to use a Microsoft SQL account to
perform data store access. This account will be created and managed within the target SQL
Server instance. Use this option when the database host is not trusted by the solution
component (i.e. management console or web hosts) or when it is not desired to provision Active
Directory groups or users to the database.
Encrypt communication with database - select this option to use SSL/TLS when communicating
with the database server. The certificate presented by the database server must chain to a root
trusted by every product component host (management console, web application, web service,
deferred processor and zone processor hosts) and its subject must match the name entered in
Database Name; an untrusted or mismatched certificate causes the connection to fail.
Database Settings
Use an existing database on the server - if there is an existing empty or configured database
already provisioned on the database server, select it now from the drop down list. This will
cause an authenticated connection to be made using the authentication settings in the
Connection Settings area.
Create a new database (with default settings) - if no data store exists on the database server
and you or your login account has the permissions to create a new database on the target
server, select this option. The database and all necessary tables, views, stored procedures, etc.
will be created (at least attempted!) when you click OK.
Create objects in a non-default schema - it is recommended to always define this option and to
set it to a static value (we recommend DBO). If the connection account is not a sysadmin level
account and a custom schema is not defined, SQL Server will create a new database schema
named after the user and prefix that to all objects created in the database. While this is not
necessarily a problem when using database native authentication, it is a problem when using
Windows Integrated Authentication as each new user will attempt to create and or transfer
existing objects to the new schema name. Setting this value prevents these conflicts from
occurring.
Advanced Settings
Set explicit connection limit - this will limit the number of connections made to the target
database host. This will have the impact of slowing down all job processing to wait for previous
threads to complete, however, it can improve stability when the database host is under
provisioned. The default setting is not configured.
Overwrite the default database timeout value - when not configured, the default value is 30
seconds. That means any call from a product component to the database has 30 seconds for
data to return before timing out. If you encounter such a scenario, it is recommended to tune
and maintain your database (see the admin guide for more details); however, you may need to
increase the timeout in the meantime or to handle high-latency, low-bandwidth links.
Add custom connection string parameters - supply additional connection string parameters
specific to your database without having to write a whole connection string. This option will
typically be used when connecting to mirrored data sources or SQL AlwaysOn sources.
Use custom connection string - use this option to specify your own connection string to your
chosen database host.
This topic discusses configuration topics when connecting to a mirrored instance of Microsoft SQL
Server. This topic does not discuss using availability groups or Azure SQL Database or any other
options.
Note: Important! When using the SQL Native Client, it is recommended to use version
11 or later.
Database Name - The name provided in this field should be the name of the primary (currently
active) database partner. When connecting to a SQL instance, standard MS SQL naming
conventions apply: Server\Instance,port.
Server default instance on default port (port 1433) - DBServerName or IP
Add Custom Connection String Parameters - This option must be defined. Modify the following
connection string parameters with the proper name of the secondary SQL server and the name of
the target database. The ODBC keyword is Failover_Partner, and the driver only honours it when
Database is also specified:
Server=PRIMARY_SERVER_NAME;Failover_Partner=SECONDARY_SERVER_NAME;Database=NAME_OF_TARGET_DATABASE
Then click the Update button at the lower left of the screen. Notice how the combined connection
string now includes the server and database names:
Driver={SQL Server Native Client
11.0};DataTypeCompatibility=80;Server=MSDB-1;Database=erpmdb;Trusted_Connection=yes;Failover_Partner=MSDB-2;database=ERPMDB;
Database appears twice in the combined string (once from the dialog and once from the custom
parameters); keep the two values identical.
Configure all other options as defined in Data Store Configuration Options (on page 217).
from the Manage Web App dialog by right-clicking on the website instance and selecting Replace
instance options with default web application options.
This topic discusses configuration topics when connecting to a SQL Server database configured using
a SQL AlwaysOn configuration (also known as database availability groups).
Note: Important! When using the SQL Server Native Client, it is recommended to use
version 11 or later.
Database Name - The name provided in this field should be the name of the Availability Group
Listener (AGListener). When connecting to an AGListener, standard MS SQL Server naming
conventions apply: AGListener,port.
Server default instance on default port (port 1433) - AGListener
Add Custom Connection String Parameters - This option must be defined. Modify the following
connection string parameters with the proper listener name, port and target database name.
MultiSubnetFailover=yes makes the driver try every IP address registered for the listener in
parallel, which is what allows a prompt reconnect after a failover to another subnet:
Server=AGListenerName,DBPort;Database=NAME_OF_TARGET_DATABASE;MultiSubnetFailover=yes
Then click the Update button at the lower left of the screen. Notice how the combined connection
string now includes the listener and database names:
Driver={SQL Server Native Client
11.0};DataTypeCompatibility=80;Server=AGListener;Database=ERPMDB;Trusted_Connection=yes;Server=AGListener,DBPort;Database=ERPMDB;MultiSubnetFailover=yes;
Server and Database each appear twice in the combined string (once from the dialog and once from
the custom parameters); keep the repeated values identical.
Configure all other options as defined in Data Store Configuration Options (on page 217).
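The combined connection string the console shows after Update is the only place the mirroring and AlwaysOn mistakes become visible, and they are easy to miss by eye: a misspelled Failover_Partner keyword, a listener name pasted without Server= in front of it, or Database given twice with different values. The following added example (not part of the documentation, not Lieberman code) lints such a string offline; the two sample strings are constructed here to resemble the combined strings in the two HA topics above, with the common mistakes deliberately present.

```powershell
# Added example, not Lieberman code. Lints the combined ODBC connection string shown by the
# console after Update, flagging the mistakes that make failover silently not happen.
# Sample strings are constructed for this example; the typos in them are deliberate.
function Test-ErpmConnectionString {
    param(
        [Parameter(Mandatory)][string]$ConnectionString,
        [switch]$AvailabilityGroup        # set when Database Name is an AG listener
    )
    $keys = [ordered]@{}
    $findings = New-Object System.Collections.Generic.List[string]
    foreach ($token in ($ConnectionString -split ';')) {
        if (-not $token.Trim()) { continue }
        if ($token -notmatch '^\s*([^=]+?)\s*=\s*(.*?)\s*$') {
            $findings.Add("bare token '$($token.Trim())': not key=value (a server or listener name needs 'Server=' in front of it)")
            continue
        }
        $key = $Matches[1]; $value = $Matches[2]; $norm = $key.ToLowerInvariant()
        if ($keys.Contains($norm)) {
            if ($keys[$norm] -ne $value) {
                $findings.Add("key '$key' given twice with different values ('$($keys[$norm])' vs '$value'); which one wins is driver-specific")
            }
        } else { $keys[$norm] = $value }
    }
    # Mirroring: the keyword is Failover_Partner, and it is ignored unless Database is also present
    foreach ($k in @($keys.Keys)) {
        if ($k -like 'failover_part*' -and $k -ne 'failover_partner') { $findings.Add("'$k' is not a recognised keyword; use Failover_Partner") }
    }
    if ($keys.Contains('failover_partner') -and -not $keys.Contains('database')) {
        $findings.Add('Failover_Partner is ignored unless Database= is also specified')
    }
    # AlwaysOn: without MultiSubnetFailover the driver tries listener addresses one at a time
    if ($AvailabilityGroup -and $keys['multisubnetfailover'] -ne 'yes') {
        $findings.Add('AG listener without MultiSubnetFailover=yes; expect slow or failed reconnects after failover')
    }
    # Mixed authentication and plaintext transport
    if ($keys['trusted_connection'] -eq 'yes' -and ($keys.Contains('uid') -or $keys.Contains('pwd'))) {
        $findings.Add('Trusted_Connection=yes combined with Uid/Pwd: pick one authentication mode')
    }
    if ($keys['encrypt'] -ne 'yes') { $findings.Add('Encrypt=yes not present: database traffic is not TLS-protected') }
    [pscustomobject]@{ Keys = $keys; Findings = @($findings); Ok = ($findings.Count -eq 0) }
}

# Constructed samples: a mirroring string with a mistyped keyword, and an AG string whose custom
# parameters were pasted without "Server="
$mirrored = 'Driver={SQL Server Native Client 11.0};DataTypeCompatibility=80;Server=MSDB-1;Database=erpmdb;Trusted_Connection=yes;Failover_Parter=MSDB-2;database=ERPMDB;'
$ag       = 'Driver={SQL Server Native Client 11.0};DataTypeCompatibility=80;Server=AGListener;Database=ERPMDB;Trusted_Connection=yes;AGListener,DBPort;Database=ERPMDB;MultiSubnetFailover=yes;'

'--- mirroring ---'; (Test-ErpmConnectionString $mirrored).Findings
'--- availability group ---'; (Test-ErpmConnectionString $ag -AvailabilityGroup).Findings
```

The duplicate-key check compares values case-sensitively on purpose: erpmdb and ERPMDB are the same database to SQL Server, but a genuine mismatch such as ERPMDB versus ERPMDB_TEST would otherwise slip through the same way.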
This topic discusses configuration topics when connecting to a SQL Server database configured using
Azure SQL.
Database Provider - All providers for SQL Server are always available in this dialog. The SQL
Server Native Client 11.0 (ODBC) must be used. This provider must also be manually installed
on all web servers, web service servers, deferred processor hosts, and zone processor hosts. If
not, these instances will fail to connect to the database.
Database Name The name provided in this field should be the name of the Azure SQL
instance.
Configure all other options as defined in Data Store Configuration Options (on page 217).
Note: If the web application is installed and you make changes to the encryption
settings, be sure to also update the web application settings so that the web
application has the appropriate encryption information.
The passwords generated during a password change job can be stored encrypted in the database.
The current supported encryption type is AES in 128, 192, or 256-bit key lengths. When you enable
encryption or change encryption options, the passwords are decrypted and re-encrypted with the
new key. The web application settings, however, must be updated manually to reflect the new
encryption key. The key signature for the current key is shown in the following dialog. When
recovering stored passwords, this signature can be matched against the key signature for the stored
password to ensure that it was encrypted with the same key.
encrypted key settings. These settings can later be imported to the same system or to a different
system by using the import feature or by double-clicking on the registry file.
The option Force change and clear any passwords which cannot be decrypted examines all passwords in the password store and clears every password that cannot be decrypted using the current settings. This option is designed to clear erroneous data from the database when the correct encryption key is unavailable. It is a single-use option: after the option is selected and the dialog is OKed, the operation takes place; the next time the dialog is opened, the option will no longer be selected.
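The decrypt-and-re-encrypt cycle, the key signature stored with each password and the force-clear option described above, as an added example written for this page (not the product's own code): a Go password store using AES-GCM in which every row carries the signature of the key that encrypted it, a Rekey routine that moves all rows to a new key, and a forceClear switch that clears rows whose signature or ciphertext cannot be verified instead of aborting. The signature format (first 8 bytes of SHA-256 of the key), the row layout and the sample passwords are assumptions; the product's actual signature format is not documented on the page.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// StoredSecret is one row of the password store: AES-GCM ciphertext tagged
// with the signature of the key that produced it. Empty Data means "cleared".
type StoredSecret struct {
	KeySig string
	Nonce  []byte
	Data   []byte
}

// KeySignature is the fingerprint stored beside each ciphertext (assumed
// format: first 8 bytes of SHA-256(key)). It identifies the key without
// revealing anything useful about it.
func KeySignature(key []byte) string {
	sum := sha256.Sum256(key)
	return hex.EncodeToString(sum[:8])
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 16, 24 or 32 bytes: AES-128/192/256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext under a fresh random nonce and records the key signature.
func Encrypt(key, plaintext []byte) (StoredSecret, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return StoredSecret{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return StoredSecret{}, err
	}
	return StoredSecret{KeySig: KeySignature(key), Nonce: nonce, Data: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

var ErrKeyMismatch = errors.New("stored key signature does not match the current key")

// Decrypt compares signatures first, so a wrong key is reported as such
// rather than as a generic GCM authentication failure.
func Decrypt(key []byte, s StoredSecret) ([]byte, error) {
	if s.KeySig != KeySignature(key) {
		return nil, ErrKeyMismatch
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, s.Nonce, s.Data, nil)
}

// Rekey decrypts every row with oldKey and re-encrypts it with newKey. Rows
// that cannot be decrypted abort the operation before anything is modified,
// unless forceClear is set, in which case those rows are cleared instead.
func Rekey(store []StoredSecret, oldKey, newKey []byte, forceClear bool) (cleared int, err error) {
	var bad []int
	for i, s := range store {
		if len(s.Data) == 0 {
			continue
		}
		if _, derr := Decrypt(oldKey, s); derr != nil {
			bad = append(bad, i)
		}
	}
	if len(bad) > 0 && !forceClear {
		return 0, fmt.Errorf("%d row(s) cannot be decrypted with the current key (first: row %d); nothing changed", len(bad), bad[0])
	}
	for i := range store {
		if len(store[i].Data) == 0 {
			continue
		}
		pt, derr := Decrypt(oldKey, store[i])
		if derr != nil {
			store[i] = StoredSecret{} // force-clear: drop the unreadable row
			cleared++
			continue
		}
		ns, eerr := Encrypt(newKey, pt)
		if eerr != nil {
			return cleared, eerr
		}
		store[i] = ns
	}
	return cleared, nil
}

func main() {
	k1, k2 := make([]byte, 32), make([]byte, 32)
	rand.Read(k1)
	rand.Read(k2)
	s, _ := Encrypt(k1, []byte("constructed-password")) // constructed sample value
	store := []StoredSecret{s}
	n, err := Rekey(store, k1, k2, false)
	fmt.Println("was under", s.KeySig, "now under", store[0].KeySig, "cleared:", n, "err:", err)
}
```

Checking the signature before attempting decryption is what lets the tool tell "wrong key" apart from "corrupt ciphertext", and refusing to touch the store when any row is unreadable (unless the operator explicitly asks to clear) is the behaviour you want from a re-keying step.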
When the hardware encryption device is installed, it will place a DLL onto the host computer.
This is required so that software can interface with it.
4) In the Interface library DLL path field, enter the path to the DLL that supports the HSM device.
After loading the DLL, options appropriate to the hardware device will become available and the
slot/token description field will be automatically filled out per the information provided by the
device.
If the hardware device supports multi-threaded access, select Initialize library for multi-threaded access; this greatly improves performance of the solution when using a hardware encryption device.
5) Complete the Key and Encryption Method area to configure the appropriate key and
encryption mechanism. Values that can be selected here will depend on the hardware device
installed.
6) Once all of the options have been completed, click OK to close the dialog and implement the
encryption settings.
Any time you change encryption settings after you deploy the web application, be sure to also update the web application and web service settings; otherwise they will attempt to use invalid encryption mechanisms and will fail to access stored credentials and data.
When testing your HSM, it will likely require the host to register its IP address as a permitted client. When testing connection status from the HSM utilities, an error stating No connection could be made because the target machine actively refused it may appear (some information omitted):
Module #1
enquiry reply flags Failed UnprivOnly
enquiry reply level Six
serial number unknownunknown
mode operational
version 0.0.0
speed index 0
rec. queue 0..0
level one flags none
version string unknown
checked in 0000000000000000 Wed Dec 31 16:00:00 1969
level two flags none
level four flags none
module type code 0
product name unknown
device name unknown
EnquirySix version 3
impath kx groups
feature ctrl flags none
features enabled none
version serial 0
connection status RemoteServerFailed, <us> (nCErrorno(ECONNREFUSED): No connection
could be made because the target machine actively refused it)
connection info esn = 6FBC-70AB-E4E3; addr = INET/192.168.99.5/9004; ku hash
= 98765a4321aaaaa1aa11aa11a1aa11c11223c4b5, mech = DSA; time-limit = 24h;
The connection status line indicates that the connection is being refused by the netHSM. This means that the netHSM likely doesn't have this host's IP address in its client list. Another possibility is that the host has two or more interfaces and the IP address listed in the netHSM is not the one the host uses to connect.
You can check the client config from the front panel of the netHSM by navigating to 1-1-4 (System/System configuration/Client config), or by looking in the RFS for this netHSM and checking the netHSM's config file, which is copied to the RFS. One block of the config file (with the header [hs_clients]) is dedicated to the client list. The netHSM's config file can be found on the RFS in one of a few different places, depending on the version of nCSS and the version of Windows in use:
Pre-v11 nCSS: C:\nfast\kmdata\hsm-<ESN>\config\config
v11 on 2003: C:\Documents and Settings\All Users\Application Data\nCipher\Key Management Data\hsm-<ESN>\config\config
Another setting to check is the config file auto-push setting. Try resetting the auto push for the config file and it should show up on the RFS.
Check the connection status again and it should read OK.
If there are no operator cards or softcards configured for the HSM, then the error Could not
enumerate slots on PKCS #11 interface device will appear.
The registration process with the HSM happens between the nCipher client software and the HSM. Lieberman RED Identity Manager is not aware of the HSM, just where the PKCS#11 library is. Lieberman RED Identity Manager uses the PKCS#11 library, whose requests are handled by the nCipher client, which then sends instructions to the HSM to take specific actions (make a key, load a key, encrypt data, etc.).
Verify registration of the nCipher client with the HSMs by running the following commands from C:\Program Files (x86)\nCipher\nfast\bin:
enquiry
nfkminfo
ckcheckinst
ex.client none
k-out-of-n 0/0
other quora
createtime 1970-01-01 00:00:00
nso timeout 0 min
Modules - list unavailable
No Pre-Loaded Objects
Based on this output, it is necessary to register this host with the netHSM using nethsmenroll. If the host were properly registered, there would be module output listed in the enquiry output.
To add a netHSM to this client:
1) Run nethsmenroll <IPofnetHSM> on the client to register it with the netHSM.
2) Go to the netHSM itself and add the client's IP address to the client list (Menu > System > System configuration > Client config).
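The two diagnoses above (a refused connection in the enquiry output means the host is missing from the netHSM client list; "Modules - list unavailable" in nfkminfo means the client is not enrolled) can be automated when many hosts are being brought up. The following is an added example written for this page, not an nCipher or Lieberman tool: a Go parser for enquiry-style "name  value" output, with wrapped values continued on indented lines, and a Diagnose function that turns the two symptoms into the actions described above. The sample outputs are constructed to mirror the listings quoted earlier, with placeholder ESN and address values; the exact column layout of real enquiry output may differ.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed samples modelled on the enquiry and nfkminfo listings quoted
// above. Field names are separated from values by two or more spaces, and a
// wrapped value continues on a more deeply indented line.
const SampleEnquiryRefused = `Module #1
 enquiry reply flags  Failed UnprivOnly
 enquiry reply level  Six
 serial number        unknown
 mode                 operational
 connection status    RemoteServerFailed, <us> (nCErrorno(ECONNREFUSED): No connection
                      could be made because the target machine actively refused it)
 connection info      esn = 0000-0000-0000; addr = INET/192.0.2.10/9004; mech = DSA
`

const SampleEnquiryOK = `Module #1
 enquiry reply flags  none
 mode                 operational
 connection status    OK
`

const SampleNfkminfoUnenrolled = `Modules - list unavailable
No Pre-Loaded Objects
`

// ParseEnquiry maps field names to values. A line containing a two-space
// separator is a field; an indented line without one continues the previous
// field; anything else (such as "Module #1") is a section header.
func ParseEnquiry(out string) map[string]string {
	fields := map[string]string{}
	last := ""
	for _, raw := range strings.Split(out, "\n") {
		line := strings.TrimSpace(raw)
		if line == "" {
			continue
		}
		i := strings.Index(line, "  ")
		switch {
		case i >= 0:
			last = line[:i]
			fields[last] = strings.TrimSpace(line[i:])
		case strings.HasPrefix(raw, " ") || strings.HasPrefix(raw, "\t"):
			if last != "" {
				fields[last] += " " + line
			}
		default:
			last = line
			fields[last] = ""
		}
	}
	return fields
}

// Finding is one diagnosis with the corrective step from the text above.
type Finding struct {
	Symptom string
	Action  string
}

// Diagnose applies the two rules described in the text to tool output.
func Diagnose(enquiryOut, nfkminfoOut string) []Finding {
	var findings []Finding
	enq := ParseEnquiry(enquiryOut)
	status := enq["connection status"]
	if strings.Contains(status, "ECONNREFUSED") || strings.Contains(status, "actively refused") {
		findings = append(findings, Finding{
			Symptom: "netHSM refused the connection (" + enq["connection info"] + ")",
			Action:  "add this host's IP address to the netHSM client list ([hs_clients] in the config copied to the RFS) and confirm the host connects from that interface",
		})
	}
	if strings.Contains(nfkminfoOut, "Modules - list unavailable") {
		findings = append(findings, Finding{
			Symptom: "nfkminfo cannot list any modules",
			Action:  "the client is not enrolled: run nethsmenroll <IPofnetHSM>, add the client's IP address to the netHSM client list, then rfs-sync --update",
		})
	}
	return findings
}

// ConnectionOK reports whether enquiry shows a working connection.
func ConnectionOK(enquiryOut string) bool {
	return ParseEnquiry(enquiryOut)["connection status"] == "OK"
}

func main() {
	for _, f := range Diagnose(SampleEnquiryRefused, SampleNfkminfoUnenrolled) {
		fmt.Printf("symptom: %s\n  action: %s\n", f.Symptom, f.Action)
	}
	fmt.Println("connection OK:", ConnectionOK(SampleEnquiryOK))
}
```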
Next, bring the client into the same Security World as the netHSM:
Copy world and module_* files from RFS to bring this new host into the Security World, then run:
1) rfs-sync --setup --no-authentication <IPofRFS>
2) rfs-sync --update
Choose one of your CAs and locate the nCipher Key Management directory, typically,
C:\ProgramData\nCipher\Key Management Data\local.
Find the world files and module_* files and copy them to the Lieberman RED Identity Manager host.
You want to copy this to the same/corresponding Key Management Data\local directory on the
Lieberman RED Identity Manager host. Now, the client will be in the same Security World as the
HSM and the CAs.
To configure the PKCS#11 library, edit this file (or create it if it does not exist):
C:\Program Files (x86)\nCipher\nfast\toolkits\pkcs11\cknfastrc
where <TokenName> is just a string for a label (for example, LiebermanPM). Following this step a
prompt for a PIN will appear.
Now return to the Lieberman RED Identity Manager HSM configuration and complete the configuration steps. The SoftCard just created will show up as a Hardware Slot/Token in the GUI and will also require the PIN just created.
8) Click Load and Verify Library. This will verify that the DLL is present and functional; this does not
test HSM functionality or communication.
9) If the DLL verifies without a problem, click OK.
10) Once the DLL verifies OK, enter the PIN for the device. For Safenet KeySecure enter the PIN as
username:password.
11) Select the key from the Key drop down list. If no key exists and the PIN entered above provides
sufficient access, use the Create button to create a new key. Through version 8.3, the KeySecure
provider could only successfully create AES encryption keys.
12) Select the desired Encryption Mechanism for the key if multiple mechanisms are available.
13) Then click OK.
14) Click OK on the Encryption Settings dialog to implement the change. If there was already an
existing encryption mechanism in place, this will cause the solution to decrypt and re-encrypt
the secured items in the data store such as passwords and SSH keys.
15) If there were already deployed web applications, services, zone processors, or other consoles,
they must be updated with the new encryption scheme (and provider).
Important! You must use the 32-bit variant of the PKCS#11R2 library (cs_pkcs11_R2.lib),
which is available on the SafeGuard SecurityServer 3.20.2 product CD.
To learn how to initialize slots, see section 4.2 of the PKCS#11 CryptoServer Administration Tool
documentation (CryptoServer_Manual_P11CAT.pdf) available on the Utimaco product CD.
Once you have both the PKCS#11 DLL file loaded and the slot initialized, choose a slot and create a new encryption key using the available methods, as shown below:
Email Profile
Profile Name - While multiple email profiles may be created, only one may be used. The default profile name is Default.
Description - Text field that may be edited and used to enter a short note or description
regarding the email profile.
Sender Information
This information is sent with each email in its header and will appear when the recipient reads the
mail. Some email servers will reject messages that lack the proper address information for these
fields (i.e. wrong domain name).
Outgoing SMTP Server Name - Enter the DNS name or IP address of the server.
Port - Port 25 is standard for email. For SSL/TLS-encrypted email it may be port 25, 465 or 587.
Default (Button) - Resets the port number value to port 25.
Server Timeout - The default value of 30 seconds works in most cases. Increase this time if necessary.
Authentication Method - Choose the authentication option that your SMTP server is configured to use. Incorrect method settings can prevent connectivity with a mail server even when the credentials are correct.
USER_PASSWORD - basic username and password as spelled out in the Email Server
Authentication section.
NTLM - NTLM challenge-response authentication to email server which never actually sends a
user password.
SASLPLAIN - challenge-response authentication that does not protect the password in transit.
XOAUTH2 - Use XOAUTH2 method to authenticate to the email server. This will also require
configuration of the OAUTH2 Authentication tab.
SSL/TLS Channel Encryption - If using SSL/TLS encryption, choose the option that your SMTP server is configured to use.
AUTOMATIC - negotiate with the email server to find a supported SSL/TLS or plain text method.
Not all email servers support negotiation.
IMPLICIT - the mail server expects the initial connection to already be encrypted.
EXPLICIT - the mail server does not require the initial connection be made with SSL/TLS but may
use SSL/TLS after the connection is initiated.
NONE - use when automatic negotiation does not work and SSL/TLS is not configured on the
email server.
User Name - The user name configured to authenticate to the SMTP server.
Password - The password required to authenticate to the SMTP server.
User Authentication Certificate Store - Enter the path to the certificate store if one is configured.
User Certificate Password - If required, enter the password that further secures the certificate file.
Enable Cached Certificate - Select to allow caching of the certificate information.
Test Options
Test Connection - Click to verify connectivity to the SMTP server and that the server accepts the configured credentials. This feature completes the handshake with the server to test that mail can be sent, but it does not send mail.
The program log records the transaction details:
SetMailServer error: 11001, [11001] Host not found
Failed to fill SMTP settings
Failed to send email message error: Host not found.
Send Test Email - Sends a test email message.
Sign Email
To sign email you need a Secure Email certificate.
Note: If the solution cannot read the specified signing file, the Sign Email check box is
automatically cleared the next time the dialog is reopened. To ensure that the
signing file is valid, click Verify before closing the dialog.
Sign Email - Select this option to digitally sign the outgoing email. Digitally signing allows recipients to confirm that the message was sent by the signer and was not tampered with. The recipient must also trust the signing certificate. Choose from the following to specify the certificate to use to sign the outgoing email:
Signing File - To browse for a certificate located in the file store, select this option and click the ellipsis (...).
Signing Certificate Store - To choose from a list of certificates held in the certificate store, select this option and click the ellipsis (...).
Signing Cert Password - Enter the password that was used while exporting the certificate (if applicable).
Hash Algorithm - Choose the algorithm used to prepare the message digest for signature.
Enable Cached Certificate - Select to allow caching the certificate in the product's database; clear this option if the certificate should be loaded from the path or cert store that the dialog specifies. Consider enabling this option if you run components on different servers and signing is failing because the servers can't access the required certificates locally.
Attach Certificate to Email - Specifies whether to include the signer's certificate with the signed message. If this option is selected, the certificate used to sign the message will be encoded and included in the message signature.
Verify - Click to test that the email can be successfully signed.
Encrypt Email
S/MIME message encryption as implemented in this product requires an enterprise PKI. Only messages sent to recipients in your organization's address list can be encrypted. Encrypted messages sent to recipients who do not have a certificate cannot be read.
Note: If the solution cannot read the specified encryption file, the Encrypt Email check
box is automatically cleared the next time the dialog is reopened. To ensure that
the encryption file is valid, click Verify before closing the dialog.
Encrypt Email - Select this option to encrypt outgoing email with the recipient's Public Key. The
recipient must have the corresponding private key to decrypt the email. Choose from the
following to specify the certificate to use to encrypt the outgoing email:
Encryption File - To browse for a certificate located in the file store, select this option and click the ellipsis (...).
Encryption Certificate Store - To choose from a list of certificates held in the certificate store, select this option and click the ellipsis (...).
Encrypt Cert Password - Enter the password that was used while exporting the certificate (if
applicable).
Encryption Algorithm - Choose the algorithm used to encrypt the email.
Enable Cached Certificate - Select to allow caching the certificate in the product's database;
clear this option if certificates should be loaded from the path or cert store that the dialog
specifies. Consider enabling this option if you run components on different servers and
encryption is failing because the servers can't access the required certificates locally.
Verify - Click to test that the email can be successfully encrypted.
ClientId - The ID of the OAuth client that was assigned when the application was registered with the authorization server.
ClientSecret - The secret value for the client when the application was registered.
ServerAuthURL - The URL of the authorization server.
Firewall Type - Select the type of firewall to connect through. The options are:
None - default. The client will connect directly to the mail server.
Tunnel - bypasses the local router and connects the email client directly to the email server.
SOCKS4 - basic proxy connection with no additional security that supports TCP only.
SOCKS5 - basic proxy connection that combines TCP and UDP support and allows for domain
name resolutions (DNS).
Auto Detect Firewall - Tells the component whether or not to automatically detect and use
firewall system settings, if available.
Host - Enter the name or IP address of the firewall (optional). If a domain name is provided, a
DNS request will set this property to the corresponding address.
Port - The TCP port of the firewall host. This value is set automatically based on the value of the
Firewall Type setting. Edit the value to override the default setting.
User Name - Enter a user name if the firewall requires authentication.
Password - Enter a password if the firewall requires authentication.
Enable Event Log Logging - Select this option if the solution should write SMTP log events to the Windows event log.
Enable SMTP File Logging - Select this option if the solution should write SMTP application log events to a text file. Configure the following setting if Enable SMTP File Logging is enabled:
Log File Name - Provide the path to the .txt file where SMTP events should be logged.
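The authentication-method and channel-encryption options above interact: with NONE, or with EXPLICIT when the server never answers STARTTLS, USER_PASSWORD and SASLPLAIN send the credential in the clear, and the SMTP file log configured here will capture it. The following is an added example written for this page (not the product's code or its log format): a Go checker that walks one SMTP session recorded as "C:" and "S:" lines, reports every AUTH issued before TLS was established (IMPLICIT counts as encrypted from the first byte, EXPLICIT only after a 220 reply to STARTTLS), recovers the username from an AUTH PLAIN initial response so the exposed account can be rotated, and a RedactAuth helper to mask the credential before a line is written to the log file. The transcript layout, host names and the service-account credential are all constructed for the example.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"strings"
)

// PlaintextAuth records an AUTH command issued over an unencrypted channel.
// For PLAIN and LOGIN the password itself crosses the wire; for NTLM only the
// challenge-response does, but the exchange is still visible to the network.
type PlaintextAuth struct {
	Line      int    // 1-based line in the transcript
	Mechanism string // PLAIN, LOGIN, NTLM, ...
	Username  string // recovered for PLAIN so the exposed account can be rotated
}

// CheckSMTPTranscript walks one session logged as "C: command" / "S: reply"
// lines (a constructed layout) and reports every AUTH issued while the
// channel was still plaintext.
func CheckSMTPTranscript(lines []string, implicitTLS bool) []PlaintextAuth {
	encrypted := implicitTLS
	awaitingTLSReply := false
	var exposed []PlaintextAuth
	for i, l := range lines {
		switch {
		case strings.HasPrefix(l, "C: "):
			words := strings.Fields(strings.TrimPrefix(l, "C: "))
			if len(words) == 0 {
				continue
			}
			cmd := strings.ToUpper(words[0])
			if cmd == "STARTTLS" {
				awaitingTLSReply = true
			}
			if cmd == "AUTH" && len(words) > 1 && !encrypted {
				pa := PlaintextAuth{Line: i + 1, Mechanism: strings.ToUpper(words[1])}
				if pa.Mechanism == "PLAIN" && len(words) > 2 {
					pa.Username = plainUsername(words[2])
				}
				exposed = append(exposed, pa)
			}
		case strings.HasPrefix(l, "S: ") && awaitingTLSReply:
			awaitingTLSReply = false
			if strings.HasPrefix(strings.TrimPrefix(l, "S: "), "220") {
				encrypted = true // TLS handshake follows; later commands are protected
			}
		}
	}
	return exposed
}

// plainUsername decodes the RFC 4616 PLAIN initial response
// (authzid NUL authcid NUL password) and returns only the authcid.
func plainUsername(b64 string) string {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return ""
	}
	parts := strings.Split(string(raw), "\x00")
	if len(parts) != 3 {
		return ""
	}
	return parts[1]
}

// RedactAuth masks the credential argument of an AUTH command so the
// transcript can go to the SMTP log file without storing the password.
func RedactAuth(line string) string {
	words := strings.Fields(line)
	if len(words) >= 4 && words[0] == "C:" && strings.EqualFold(words[1], "AUTH") {
		return words[0] + " " + words[1] + " " + words[2] + " [redacted]"
	}
	return line
}

// SampleTranscript builds a constructed session; the account name and
// password are invented here and appear nowhere on the original page.
func SampleTranscript(withStartTLS bool) []string {
	initial := base64.StdEncoding.EncodeToString([]byte("\x00svc-erpm\x00Constructed-Pass-1"))
	lines := []string{
		"S: 220 mail.example.invalid ESMTP",
		"C: EHLO erpm-host",
		"S: 250-mail.example.invalid",
		"S: 250 AUTH PLAIN LOGIN",
	}
	if withStartTLS {
		lines = append(lines, "C: STARTTLS", "S: 220 Ready to start TLS")
	}
	return append(lines, "C: AUTH PLAIN "+initial, "S: 235 Authentication successful")
}

func main() {
	for _, pa := range CheckSMTPTranscript(SampleTranscript(false), false) {
		fmt.Printf("line %d: AUTH %s sent in the clear (account %q)\n", pa.Line, pa.Mechanism, pa.Username)
	}
	for _, l := range SampleTranscript(false) {
		fmt.Println(RedactAuth(l))
	}
}
```

Running it on the constructed session without STARTTLS reports the AUTH PLAIN line and the account name; the same session with STARTTLS before AUTH, or with IMPLICIT TLS, produces no findings.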
CONNECT
CREATE TRIGGER
CREATE SEQUENCE
CREATE TABLE
CREATE VIEW
Oracle uses overly conservative initial configurations for a heavily threaded product such as Lieberman RED Identity Manager. In a default configuration where Lieberman RED Identity Manager is spawning at least 100 threads to the database, this can cause the database to run out of resources, resulting in failed jobs (specifically, incomplete password changes). This behavior is easily seen and replicated by trying to do things such as changing passwords across a large number of systems. One way to combat this is to drop the thread count down to 20 threads or less (Settings | Program Options). This slows down job processing while increasing the likelihood of a successful job (as far as the database is concerned).
Another highly recommended option is to change the memory and thread allocation to the Oracle
database. Start with:
Where xxxx is the amount of memory allocated to the database, and yyyy is the number of threads.
We recommend a value of 2000 or much higher for the memory, and a minimum value of 1000
threads.
Note: The Oracle 11g R2 OLEDB provider (version 11.2.0.3) does not properly register on
Windows servers. If using this version of the OLEDB provider, please also run the
following command after installing the Oracle OLEDB provider on your Windows
server:
regsvr32 <OracleHome>\bin\OraOLEDB11.dll
When configuring the Oracle 32-bit OLEDB provider, although not a strict requirement, it may be
helpful to configure the local provider to use a tnsnames file because this will greatly simplify the
server lookup and naming requirements that the Lieberman RED Identity Manager database
configuration will require. If the Oracle database is on a non-standard port (other than 1521), use of
the tnsnames file will negate the need for a custom connection string where the Oracle account
password must also be supplied as part of the connection string in clear text.
Chapter 8 Index
A
ACCOUNT ELEVATION 142, 152
ADDENDA 215
APP OPTIONS 142
AZURE SQL 230
B
BACKGROUND AND GOALS 2
D
DATA STORE CONFIGURATION OPTIONS 8, 129, 217, 223, 226, 230, 233
DIRECT LINKS 142, 150
E
EMAIL SETTINGS 132, 143, 251
L
LIMITED WARRANTY 4
W
WEB APPLICATION 8, 133, 134
WINDOWS INTEGRATED AUTHENTICATION 212