Symantec IGA

  • 1.  Change of domain controller AD

    Posted May 25, 2023 07:05 AM

    Hi Team,

    We are planning to change the domain controller AD from the older version, Windows Server 2008, to the newer version, Windows Server 2016.
    We wanted to know if there is any dependency with IDM?

    Thanks



    ------------------------------
    Network and security Engineer technical associative
    Cas Trading House
    Putalisadak, KTM
    ------------------------------


  • 2.  RE: Change of domain controller AD

    Broadcom Employee
    Posted May 26, 2023 02:17 AM

    Hi Sudip,

    Depending on the Identity Manager release you are running, please make sure to check the relevant Platform Support Matrix to confirm that Microsoft Active Directory 2016 is certified. It is the case, for example, for Identity Manager 14.4: https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-manager/14-4/platform-support-matrix/connectors-and-endpoint-types.html

    Regards
    Rinat




  • 3.  RE: Change of domain controller AD

    Posted May 26, 2023 02:40 AM

    Hi Rinat,
    Thanks for your quick response.
    We have Identity Manager version 14.3 and we are already planning to upgrade.
    Also, we are currently running Active Directory on Windows Server 2008 with IDM.
    Our team has already migrated the same AD to the newer version, Windows Server 2016.
    Now we have to check the dependencies regarding what we need to do in Identity Manager as well as in the new AD.

    Thanks






  • 4.  RE: Change of domain controller AD

    Broadcom Employee
    Posted May 26, 2023 03:17 AM

    Hi Sudip,

    Good to hear you have plans in place to upgrade the soon-to-be-EOS 14.3.
    Without knowing the extent of the change:
    1. If there is any change to the IP and/or credentials, you can follow https://knowledge.broadcom.com/external/article/186271/update-ad-endpoint-password.html to update the details.
    2. If using SSL, ensure you validate any SSL certificate in use.
    Regards
    Rinat




  • 5.  RE: Change of domain controller AD

    Posted May 28, 2023 12:20 AM

    Hi Rinat,

    Last time, while creating a new Active Directory endpoint, we faced an issue.

    https://knowledge.broadcom.com/external/article/97594/im-connector-server-add-failed-code-80.html

    We had to install C++ Connector Server management. Then it worked.
    Now, since we are changing the Domain Controller AD, this one is also a similar case.
    You did not mention that, so I wanted to make sure.

    Thanks in advance






  • 6.  RE: Change of domain controller AD

    Broadcom Employee
    Posted May 30, 2023 04:33 AM

    Hi Sudip,

    In order to manage an AD endpoint, a CCS has to be installed. This is clearly indicated in the documentation under https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-management-and-governance-connectors/1-0/connectors/microsoft-connectors/microsoft-active-directory-exchange-and-skpye-for-business(lync).html
    "Active Directory connector connects C++ Connector Server (CCS) to Active Directory, Exchange, and Skype for Business (formerly, Lync) servers."

    This is also mentioned in the Platform Support Matrix under the managed endpoint:
    https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-manager/14-4/platform-support-matrix/connectors-and-endpoint-types.html

    Therefore having a CCS is a basic requirement.

    Regards
    Rinat




  • 7.  RE: Change of domain controller AD

    Posted Jun 05, 2023 11:15 AM
    Edited by Alan Baugher Jun 05, 2023 11:37 AM

    Hi Sudip,

    Enclosing a high-level view of the IGA solution components in play for Active Directory and other managed endpoints.

    We use this diagram to help outline the data flows through the solution stack, including Active Directory.

    The point we want to raise is that, besides the C++ connector, if you are using a remote configuration (which is the new default when using the IGA virtual appliance), you may need to adjust configurations/parameters from their default values to increase performance and scale to larger transaction loads.

    • You may wish to review the documentation on the MS Windows OS ENV variables that override the defaults of the C++ connector.
    • You may wish to adjust the JCS parameters/configurations that improve scalability to 1000's of submissions.
    • The connector tier stability is very important, as any delay here will impact the IM UI submission rate.
      • We recommend a minimal 1:2 ratio of IME (top tier) to IMPS/JCS/CCS (provisioning/connector tiers) to avoid process delays. The solution can be impacted both by bad data at the endpoint and/or by an incorrect submission. Having additional provisioning/connector tiers will lower this risk.

    References that may be of value:

    Lifecycle of the userPassword in CA Identity Manager & Use of Jmeter for scalability testing

    https://community.broadcom.com/enterprisesoftware/communities/community-home/digestviewer/viewthread?MessageKey=024589bb-63c6-4314-b1e1-579b482ddb7d&CommunityKey=f9d65308-ca9b-48b7-915c-7e9cb8fc3295#bm024589bb-63c6-4314-b1e1-579b482ddb7d

    Monitoring Load Balancing of JCS Tier & Refresh Rate

    https://community.broadcom.com/enterprisesoftware/communities/community-home/digestviewer/viewthread?MessageKey=3bb43ed0-6895-44b0-9001-b91e3dadd8f8&CommunityKey=f9d65308-ca9b-48b7-915c-7e9cb8fc3295#bm3bb43ed0-6895-44b0-9001-b91e3dadd8f8

    Monitor data flow path for the CA Identity Suite CCS Service to Active Directory 

    https://community.broadcom.com/enterprisesoftware/communities/community-home/digestviewer/viewthread?GroupId=2197&MID=793765&CommunityKey=f9d65308-ca9b-48b7-915c-7e9cb8fc3295&tab=digestviewer

    ....

    Depending on the release version of the IGA solution and the AD endpoint, when you re-acquire an AD endpoint you may wish to test the performance of the embedded authentication by testing with one of three (3) login formats:

    • UPN (aka email format): administrator@domain.com {preferred}
    • LDAP DN: cn=administrator,cn=users,dc=domain,dc=com
    • NT4: domain\administrator

    I recommend using openssl s_client to validate the ADS domain public CA root cert, to ensure it is still correct. If a prior public CA root cert is still present in the MS Windows keystore (certlm.msc), this can impact TLS communication from the C++ server to the MS Windows host(s). Typically, this is a challenge when you are managing multiple ADS domains that do not have an ADS trust between them. You can also validate the public CA root cert with JXplorer or other LDAP client tools.

    Regards,



    ------------------------------
    Alan Baugher
    ANA
    ------------------------------
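The openssl s_client root-cert check that Alan recommends above, carried one step further as an added example (not code from the thread or from the Identity Manager product): it parses the `Certificate chain` section that `openssl s_client -connect <dc>:636 -showcerts` prints, fingerprints each certificate, and reports whether the chain's anchor is the expected public CA root or a different (for instance stale) one. The expected fingerprint, the host name and the sample chain are all assumptions constructed for the example.

```python
"""Compare the CA root an AD domain controller presents over LDAPS with the
root that should be trusted. Input is the text of
`openssl s_client -connect <dc>:636 -showcerts`; the expected fingerprint
comes from `openssl x509 -noout -fingerprint -sha256 -in exported_root.cer`."""
import base64, hashlib, re
from dataclasses import dataclass

# One chain entry as printed by s_client -showcerts; OpenSSL 3's a:/v: lines are skipped.
_ENTRY = re.compile(
    r"^[ \t]*(\d+) s:([^\n]*)\n[ \t]*i:([^\n]*)\n(?:[ \t]+[av]:[^\n]*\n)*"
    r"(-----BEGIN CERTIFICATE-----\n[\s\S]*?\n-----END CERTIFICATE-----)",
    re.MULTILINE)

@dataclass
class ChainCert:
    depth: int
    subject: str
    issuer: str
    sha256: str  # hex SHA-256 fingerprint of the DER bytes

def fingerprint(pem: str) -> str:
    body = "".join(pem.strip().splitlines()[1:-1])  # drop BEGIN/END markers
    return hashlib.sha256(base64.b64decode(body)).hexdigest()

def parse_chain(s_client_output: str) -> list[ChainCert]:
    return [ChainCert(int(d), s.strip(), i.strip(), fingerprint(pem))
            for d, s, i, pem in _ENTRY.findall(s_client_output)]

def check_root(s_client_output: str, trusted_sha256: set[str]) -> tuple[str, str]:
    # Returns (status, detail): ok / unexpected-root / root-not-sent / no-chain
    chain = parse_chain(s_client_output)
    if not chain:
        return "no-chain", ""
    top = chain[-1]
    if top.subject != top.issuer:           # DC sent only the leaf/intermediates
        return "root-not-sent", top.issuer  # look this issuer up in certlm.msc
    trusted = {f.replace(":", "").lower() for f in trusted_sha256}
    if top.sha256 in trusted:
        return "ok", top.sha256
    return "unexpected-root", top.sha256    # a stale root in the keystore is the usual cause

# Constructed sample, not real certificates: the base64 bodies are filler
# bytes, which is enough to exercise parsing and fingerprinting offline.
def _fake_pem(tag: bytes) -> str:
    body = base64.b64encode(tag.ljust(48, b"\0")).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

SAMPLE_OUTPUT = ("Certificate chain\n 0 s:CN = dc01.domain.com\n   i:CN = Domain Root CA\n"
                 "   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256\n" + _fake_pem(b"leaf")
                 + " 1 s:CN = Domain Root CA\n   i:CN = Domain Root CA\n" + _fake_pem(b"root"))
```

Against a live domain controller, capture the chain with `openssl s_client -connect dc01.domain.com:636 -showcerts </dev/null > chain.txt` and pass the file contents to `check_root` together with the fingerprint of the root exported from certlm.msc.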