5.5 Configuring the Rogue Administration Control

There are additional configuration steps required to implement the Rogue Administration Control.

5.5.1 Enabling Auditing on All Endpoint Systems

You must configure each endpoint system to audit the desired account management events. This configuration defines which events are sent to Sentinel to track. The endpoint systems are the systems that are part of the Identity Manager solution; for example, eDirectory and Active Directory are endpoint systems.

Configuration steps are different for each endpoint system. For example, in eDirectory you set the events to track on the properties of each object. You need to track events that are related to account management, such as a user create, a user delete, or a user modify. Figure 5-1 is an example of enabling events on the server object.

Figure 5-1 Enabling Audit Events on eDirectory

5.5.2 Copying Script Files

The Rogue Administration Control includes script files that must be copied to the ESEC_HOME/config/exec directory. These scripts simplify adding entries to the IDManagedSystems map and the ApprovedAccountAdmins map.

To copy the scripts:

  1. Launch the Solution Manager by selecting Tools > Solution Pack in the toolbar for the Sentinel Control Center.

  2. Select Identity Tracking Solution Pack, then click Open with Solution Manager.

    Opening the Solution Manager

  3. In the left pane, browse to and select IdTApprovedAccountAdmins.

  4. In the right pane, select Add2ApprovedAccountAdmins.bat or Add2ApprovedAccountAdmins.sh, then click Save.

    The .bat file is for Windows and the .sh file is for Linux/UNIX.

    Saving the script file

  5. In the left pane, browse to and select IDManagedSystems.

  6. In the right pane, select Add2IDManagedSystems.bat or Add2IDManagedSystems.sh, then click Save.

5.5.3 Configuring Right-Click Menu Options

  1. From the Sentinel Control Center, select the Admin tab.

  2. Click Admin > Event Menu Configuration.

  3. Click Add.

  4. Use the following information to complete the configuration:

    • Name: Specify the name as Identity Tracking/Add to ApprovedAccountAdmins map.

    • Description: Specify the description as Adds InitUserName and InitUserDomain from the current event to the ApprovedAccountAdmins map.

    • Action: Select Execute Command from the drop-down list.

    • File Type: Leave this field blank.

    • Command/URL: Specify Add2ApprovedAccountAdmins.bat or Add2ApprovedAccountAdmins.sh as the name of the script file to execute.

      The .bat file is for Windows and the .sh file is for Linux/UNIX.

    • Parameters: Specify %InitUserName% %InitUserDomain% for the parameters.

      The delimiter for Linux/UNIX is a space and the delimiter for Windows is a comma.

  5. Click the Add Action button.

    Adding an Action

  6. Select Import an Action plugin file (.zip), then click Next.

  7. Browse to and select the Rogue Administration Action, then click Open.

    The Rogue Administration Action filename is Start-Rogue-Admin-Workflow_6.1r1.acz.zip.

  8. In the Action Name field, specify Start Rogue Admin Workflow, then click Save.

    Saving an Action

  9. Click OK.

  10. Click Add.

  11. Use the following information to configure a second option:

    • Name: Specify the name as Identity Tracking/Add to IDManagedSystems map.

    • Description: Specify the description as Adds Collector from the current event to the IDManagedSystems map.

    • Action: Select Execute Command from the drop-down list.

    • File Type: Leave this field blank.

    • Command/URL: Specify Add2IDManagedSystems.bat or Add2IDManagedSystems.sh as the name of the script file to execute.

      The .bat file is for Windows and the .sh file is for Linux/UNIX.

    • Parameters: Specify %CollectorId% for the parameters.

      The delimiter for Linux/UNIX is a space and the delimiter for Windows is a comma.

  12. Click OK to save the changes.

5.5.4 Populating the ApprovedAccountAdmins Map

The ApprovedAccountAdmins map must be populated with an administrator username and the domain of the integrated systems.

  1. Create a test identity and ensure that the account is created in the integrated system.

  2. Find the associated event in the Sentinel Active view.

  3. Right-click the event, then select the Identity Tracking submenu.

  4. Click Add to ApprovedAccountAdmins map.

5.5.5 Populating the IDManagedSystems Map

To populate the IDManagedSystems map with the CollectorId of the systems that have accounts managed by Identity Manager:

  1. Generate activity on each integrated system.

  2. Find the associated events in the Sentinel Active view.

  3. Right-click an event, then select the new Identity Tracking submenu.

  4. Click Add to IDManagedSystems map.

5.5.6 Configuring the SOAP Integrator

Sentinel contains a SOAP Integrator that allows Sentinel to integrate with the User Application. After the Rogue Administration Control is installed, the SOAP Integrator must be configured to communicate with the User Application server.

  1. In the Sentinel Control Center, click Tools > Integrator Manager from the toolbar.

  2. Select the Identity Manager SOAP Integrator from the list on the left.

    NOTE: The SOAP Integrator must be named Identity Manager SOAP.

  3. Click the SOAP Connection Settings tab, then use the following information to configure the connection settings on the Identity Manager SOAP Integrator:

    • URL: Specify the Web service URL used to get WSDL from the User Application server. The User Application is the SOAP provider for Identity Manager. The correct URL is located in the server.xml file for Tomcat on the User Application server.

      For example, specify http://10.0.0.3:8444/IDMProv/provisioning/service?wsdl.

    • Service Name: Specify ProvisioningService as a SOAP service.

    • Port: Specify ProvisioningPort as the SOAP port.

    • Use SSL: Select Use SSL if the connection to the User Application server is secure.

    • Use Authentication: Select Use Authentication to enable authentication to the User Application server.

    • Username: Specify a user with administrative rights to start workflows. Use LDAP notation with the DN of the user.

    • Password: Specify the administrator's password.

  4. Click Refresh Web Service API to regenerate the WSDL API.

  5. Click Test, then verify that the Integrator test completes successfully.

  6. Click Save to save the changes.

5.5.7 Configuring the LDAP Integrator

Sentinel contains an LDAP Integrator that allows Sentinel to communicate with eDirectory. After the Rogue Administration Control is installed, the LDAP Integrator must be configured to communicate with eDirectory.

  1. In the Sentinel Control Center, click Tools > Integrator Manager in the toolbar.

  2. Select the Identity Vault from the list on the left.

    NOTE: The LDAP Integrator must be named Identity Vault.

  3. Click the LDAP Connection Settings tab, then use the following information to configure the connection settings on the Identity Vault Integrator:

    • Server: Specify the IP address of the eDirectory server.

    • Port: Specify the TCP port LDAP uses on the eDirectory server.

      The default port for unsecured communication is 389.

    • Use SSL: Select this option to use a secure connection to the eDirectory server.

      The default port for secure communication is 636.

    • Login: Specify the DN of a user that has administrative rights to eDirectory.

      Use the LDAP format. For example, cn=admin,o=novell.

    • Password: Specify the administrator user’s password.

  4. Click Save to save the changes.
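The following added example (not part of the original documentation or the Sentinel product) sanity-checks the values entered in Sections 5.5.6 and 5.5.7 before they are saved: it confirms that the WSDL really exposes ProvisioningService/ProvisioningPort, and flags a SOAP or LDAP configuration that would send the administrator's credentials over a plaintext connection or that mixes Use SSL with the wrong port. The WSDL text and the 10.0.0.x addresses are constructed sample values; the function names are the example's own.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample WSDL, reduced to the service/port elements the
# Integrator settings refer to (a real User Application WSDL is far larger).
SAMPLE_WSDL = """<?xml version="1.0"?>
<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
             xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/">
  <service name="ProvisioningService">
    <port name="ProvisioningPort">
      <soap:address location="http://10.0.0.3:8444/IDMProv/provisioning/service"/>
    </port>
  </service>
</definitions>"""

WSDL_NS = "{http://schemas.xmlsoap.org/wsdl/}"


def check_soap_settings(wsdl_xml, url, service, port, use_ssl, use_auth):
    """Return a list of findings for the SOAP Integrator fields; [] means OK."""
    findings = []
    root = ET.fromstring(wsdl_xml)
    svc = root.find(f"{WSDL_NS}service[@name='{service}']")
    if svc is None:
        return [f"service '{service}' not found in WSDL"]
    if svc.find(f"{WSDL_NS}port[@name='{port}']") is None:
        return [f"port '{port}' not found under service '{service}'"]
    if use_ssl and urlparse(url).scheme != "https":
        findings.append("Use SSL is selected but the URL scheme is not https")
    if use_auth and not use_ssl:
        findings.append("Use Authentication without Use SSL sends the password in cleartext")
    return findings


# One RDN such as cn=admin; an escaped comma (\,) inside a value is allowed.
RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=(?:[^,\\]|\\.)+$")


def check_ldap_settings(port, use_ssl, login):
    """Return a list of findings for the LDAP Integrator fields; [] means OK."""
    findings = []
    if use_ssl and port == 389:
        findings.append("Use SSL is selected with the unsecured default port 389")
    if not use_ssl and port == 636:
        findings.append("port 636 is given but Use SSL is not selected")
    if not use_ssl:
        findings.append("the administrator password will be sent in cleartext")
    rdns = re.split(r"(?<!\\),", login)  # split on unescaped commas only
    bad = [r for r in rdns if not RDN.match(r)]
    if bad:
        findings.append(f"Login is not in LDAP DN format: {bad}")
    return findings
```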