Novell Identity Manager 3.6
Integration Guide for Novell Audit

Novell®
www.novell.com
AUTHORIZED DOCUMENTATION
novdocx (en) 11 July 2008

Identity Manager 3.6 Integration Guide for Novell Audit

Legal Notices
Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.
Further, Novell, Inc., makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. See the Novell International Trade Services Web page (http://www.novell.com/info/exports/) for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.
Copyright © 2008 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.
Novell, Inc., has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed on the Novell Legal Patents Web page (http://www.novell.com/company/legal/patents/) and one or more additional patents or pending patent applications in the U.S. and in other countries.
Novell, Inc. 404 Wyman Street, Suite 500 Waltham, MA 02451 U.S.A. www.novell.com
Online Documentation: To access the latest online documentation for this and other Novell products, see the Novell Documentation Web page (http://www.novell.com/documentation).
Novell Trademarks
For Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/trademarks/tmlist.html).
Third-Party Materials
All third-party trademarks are the property of their respective owners.
Contents

About This Guide 7
1 Overview 9
  1.1 Novell Audit Integrated Architecture 9
2 Installing and Configuring Novell Audit 11
  2.1 Installing Novell Audit 11
  2.2 Configuring the Secure Logging Server 11
  2.3 Configuring the Data Store 11
  2.4 Configuring System Notifications 11
3 Installing and Configuring the Platform Agent 13
  3.1 Installing the Platform Agent 13
  3.2 Configuring the Platform Agent 13
4 Managing Identity Manager Events 17
  4.1 Selecting Events to Log 17
    4.1.1 Selecting Events for the User Application 17
    4.1.2 Selecting Events for the Driver Set 19
    4.1.3 Selecting Events for a Specific Driver 20
    4.1.4 Identity Manager Log Levels 20
  4.2 User-Defined Events 21
    4.2.1 Using Policy Builder to Generate Events 21
    4.2.2 Using Status Documents to Generate Events 24
  4.3 eDirectory Objects that Store Identity Manager Event Data 25
5 Using Status Logs 27
  5.1 Setting the Log Level and Maximum Log Size 27
    5.1.1 Setting the Log Level and Log Size for the Driver Set 27
    5.1.2 Setting the Log Level and Log Size for the Driver 28
  5.2 Viewing Status Logs 29
    5.2.1 Accessing the Driver Set Status Log 29
    5.2.2 Accessing the Publisher Channel and Subscriber Channel Status Logs 30
6 Securing the Connection with Novell Audit 31
  6.1 Updating the Novell Audit Certificate Infrastructure 31
  6.2 The Novell Audit AudCGen Utility 32
  6.3 Creating a Root Certificate for the Secure Logging Server 35
    6.3.1 Creating a Self-Signed Root Certificate for the Secure Logging Server 35
    6.3.2 Using a Third-Party Root Certificate for the Secure Logging Server 35
  6.4 Creating Logging Application Certificates 36
    6.4.1 Enabling the Identity Manager Instrumentation to Use a Custom Certificate 36
  6.5 Validating Certificates 37
  6.6 Securing Custom Certificates 37
    6.6.1 Windows 38
    6.6.2 Linux and Solaris 38
A Identity Manager Events 39
  A.1 Event Structure 39
  A.2 Error and Warning Events 39
  A.3 Job Events 40
  A.4 Remote Loader Events 40
  A.5 Object Events 40
  A.6 Password Events 41
  A.7 Search List Events 41
  A.8 Engine Events 41
  A.9 Server Events 41
  A.10 Security Events 41
  A.11 Workflow Events 41
  A.12 Driver Start and Stop Events 41
B Novell Audit Reports 43
  B.1 Administrative Action Report 43
  B.2 Historical Approval Flow Report 44
  B.3 Resource Provisioning Report 46
  B.4 Specific User Audit Trail Report I 48
  B.5 Specific User Audit Trail Report II 50
  B.6 Specific User Audit Trail III 52
  B.7 Specific User Provisioning Report 54
  B.8 User Provisioning Report 56

About This Guide

Welcome to the Novell® Identity Manager Integration Guide for Novell Audit. This guide provides the information necessary to integrate Novell Audit with Identity Manager to provide auditing and reporting services for Identity Manager.
Chapter 1, “Overview,” on page 9
Chapter 2, “Installing and Configuring Novell Audit,” on page 11
Chapter 3, “Installing and Configuring the Platform Agent,” on page 13
Chapter 4, “Managing Identity Manager Events,” on page 17
Chapter 5, “Using Status Logs,” on page 27
Chapter 6, “Securing the Connection with Novell Audit,” on page 31
Appendix A, “Identity Manager Events,” on page 39
Appendix B, “Novell Audit Reports,” on page 43
Audience
This guide is intended for network administrators.
Feedback
We want to hear your comments and suggestions about this manual and the other documentation included with this product. Please use the User Comments feature at the bottom of each page of the online documentation, or go to www.novell.com/documentation/feedback.html and enter your comments there.
Documentation Updates
For the most recent version of the Identity Manager 3.6 Integration Guide for Novell Audit, visit the Identity Manager Documentation Web site (http://www.novell.com/documentation/idm36).
Additional Documentation
For the current Novell Audit documentation, see the Novell Audit Documentation Web site (http://www.novell.com/documentation/novellaudit20/index.html).
Documentation Conventions
In Novell documentation, a greater-than symbol (>) is used to separate actions within a step and items in a cross-reference path.
A trademark symbol (®, TM, etc.) denotes a Novell trademark. An asterisk (*) denotes a third-party trademark.
When a single pathname can be written with a backslash for some platforms or a forward slash for other platforms, the pathname is presented with a backslash. Users of platforms that require a forward slash, such as Linux* or UNIX*, should use forward slashes as required by your software.
1 Overview

Adding Novell® Audit to your Identity Manager solution provides auditing and reporting services. With auditing and reporting in place, you can demonstrate that your business policies are implemented as designed in your Identity Manager solution.

1.1 Novell Audit Integrated Architecture

The following diagram illustrates the Identity Manager logging and reporting architecture when integrated with Novell Audit.
Figure 1-1 Identity Manager and Novell Audit Integrated Architecture
(Figure: Identity Manager sends events to the Platform Agent; the Platform Agent caches events when disconnected from the Secure Logging Server and forwards them when reconnected; the Secure Logging Server (port 289) writes to eDirectory and to the Data Store; configuration data is supplied via iManager; the Data Store is read by Novell Audit Reports, iManager Queries, and Crystal Reports.)
For more information about the Novell Audit architecture, see “System Architecture” in the Novell Audit 2.0 Administration Guide.
1. An Identity Manager event occurs and is sent to the Platform Agent. To capture all Identity Manager events, the Platform Agent must be installed and configured on each Identity Manager server.
2. (Conditional) If the Platform Agent cannot connect to the Secure Logging Server, the events are stored in cache until the connection is reestablished.
3. The Platform Agent sends the event to the Secure Logging Server.
4. The Secure Logging Server sends the events to the eDirectory™ objects that store the events.
5. The Secure Logging Server sends the event to the data store, a database that stores the events until they are needed.
The stored events are displayed through Novell Audit reports and iManager queries.
Through iManager, you configure
2 Installing and Configuring Novell Audit

In order to audit the Identity Manager events, the Novell® Audit server must be installed into the same eDirectory™ tree. If you already have Novell Audit installed in your eDirectory tree, proceed to Section 2.2, “Configuring the Secure Logging Server,” on page 11. If you do not have a Novell Audit server installed, continue with Section 2.1, “Installing Novell Audit,” on page 11.
Section 2.1, “Installing Novell Audit,” on page 11
Section 2.2, “Configuring the Secure Logging Server,” on page 11
Section 2.3, “Configuring the Data Store,” on page 11
Section 2.4, “Configuring System Notifications,” on page 11

2.1 Installing Novell Audit

You should install Novell Audit on a different server than the server running Identity Manager. Auditing is an intensive process whose load depends on how many events you are auditing and how many drivers are in your environment. For the installation instructions, see the Novell Audit 2.0 Installation Guide (http://www.novell.com/documentation/novellaudit20/install/data/bktitle.html#bktitle).

2.2 Configuring the Secure Logging Server

Configure the Secure Logging Server to log Identity Manager events. For more information, see “Configuring the Secure Logging Server” (http://www.novell.com/documentation/novellaudit20/novellaudit20/data/al3p1eu.html#al3p1eu) in the Novell Audit 2.0 Administration Guide.

2.3 Configuring the Data Store

Configure the data store to store the Identity Manager events. For more information, see “Configuring the Data Store” (http://www.novell.com/documentation/novellaudit20/novellaudit20/data/al4gkai.html#al4gkai) in the Novell Audit 2.0 Administration Guide.

2.4 Configuring System Notifications

Novell Audit provides the ability to send a notification when a specific event occurs or does not occur. Notifications can be sent based on any value in one or more events. Notifications can be sent to any logging channel, enabling you to log notifications to a database, a Java* application or SNMP management system, or several other locations. For details on creating Novell Audit notifications based on Identity Manager events, see “Configuring Filters and Event Notifications” (http://www.novell.com/documentation/novellaudit20/index.html?page=/documentation/novellaudit20/novellaudit20/data/al0lg08.html#al0lg08) in the Novell Audit 2.0 Administration Guide.

3 Installing and Configuring the Platform Agent

The logevent Platform Agent is the client portion of the Novell® auditing system. It receives logging information and system requests from Identity Manager and transmits the information to Novell Audit.
Section 3.1, “Installing the Platform Agent,” on page 13
Section 3.2, “Configuring the Platform Agent,” on page 13

3.1 Installing the Platform Agent

The Platform Agent is automatically installed if either the Novell Identity Manager Metadirectory Server or Novell Identity Manager Connected System option is selected during the Identity Manager installation. For more information on the Identity Manager installation, see the Identity Manager 3.6 Installation Guide.
IMPORTANT: The Platform Agent must be configured for every server running Identity Manager if you want to log Identity Manager events.

3.2 Configuring the Platform Agent

After you install Identity Manager, you can configure the Platform Agent. The Platform Agent’s configuration settings are stored in a simple, text-based logevent configuration file. By default, logevent is located in the following directories:
Table 3-1 Platform Agent Configuration File

Operating System    File
Linux               /etc/logevent.conf
Solaris*            /etc/logevent.conf
Windows*            \Windows_Directory\logevent.cfg

The Windows_Directory is usually drive:\windows.
The following is a sample logevent.cfg file.

LogHost=127.0.0.1
LogCacheDir=c:\logcache
LogCachePort=288
LogEnginePort=289
LogCacheUnload=no
LogReconnectInterval=600
LogDebug=never
LogSigned=always

The entries in the logevent file are not case sensitive, entries can appear in any order, empty lines are valid, and any line that starts with a hash (#) is commented out.
The following table provides an explanation of each setting in the logevent file.
IMPORTANT: You must restart the Platform Agent any time you make a change to the configuration.
Table 3-2 logevent Settings

LogHost=dns_name
    The hostname or IP address of the Novell Audit Secure Logging Server where the Platform Agent sends events.
    In an environment where the Platform Agent connects to multiple hosts, for example to provide load balancing or system redundancy, separate the IP address of each server with commas in the LogHost entry. For example,
        LogHost=192.168.0.1,192.168.0.3,192.168.0.4
    The Platform Agent connects to the servers in the order specified. If the first logging server goes down, the Platform Agent tries to connect to the second logging server, and so on.
    For more information on configuring multiple hosts, see “Configuring Multiple Secure Logging Servers” in the Novell Audit 2.0 Administration Guide.

LogCacheDir=path
    The directory where the Platform Agent stores the cached event information if the Novell Audit Secure Logging Server becomes unavailable.

LogEnginePort=port
    The port at which the Platform Agent can connect to the Novell Audit Secure Logging Server. By default, this is port 289.

LogCachePort=port
    The port at which the Platform Agent connects to the Logging Cache Module.
    If the connection between the Platform Agent and the Secure Logging Server fails, Identity Manager continues to log events to the local Platform Agent. The Platform Agent simply switches into Disconnected Cache mode; that is, it begins sending events to the Logging Cache module (lcache). The Logging Cache module writes the events to the Disconnected Mode Cache until the connection is restored.
    When the connection to the Novell Audit Secure Logging Server is restored, the Logging Cache Module transmits the cache files to the Secure Logging Server. To protect the integrity of the data store, the Secure Logging Server validates the authentication credentials in each cache file before logging its events.

LogCacheUnload=Y|N
    Set the parameter to N to prevent lcache from being unloaded.

LogCacheSecure=Y|N
    Set the parameter to Y to encrypt the local cache file.

LogReconnectInterval=seconds
    The interval, in seconds, at which the Platform Agent and the Platform Agent Cache try to reconnect to the Novell Audit Secure Logging Server if the connection is lost.

LogDebug=Never|Always|Server
    The Platform Agent debug setting.
    Set to Never to never log debug events.
    Set to Always to always log debug events.
    Leave out or set to Server to use the default setting provided by the Log Debug Events attribute in the Novell Audit Secure Logging Server Configuration page.
    NOTE: The Server option applies only to Novell Audit systems.

LogSigned=Never|Always|Server
    The signature setting for Platform Agent events.
    Set to Never to never sign or chain events.
    Set to Always to always log events with a digital signature and to sequentially chain events.
    Leave out, or set to Server to use the default setting provided by the Sign Events attribute in the Novell Audit Secure Logging Server Configuration page.
    For more information on event signatures, see “Signing Events” in the Novell Audit 2.0 Administration Guide.

LogMaxBigData=bytes
    The maximum size of the event data field. The default value is 3072 bytes. Set this value to the maximum number of bytes the client allows. Data that exceeds the maximum is truncated, or is not sent if the application doesn’t allow truncated events to be logged.

LogMaxCacheSize=bytes
    The maximum size, in bytes, of the Platform Agent cache file.

LogCacheLimitAction=stop logging|drop cache
    The action that you want the cache module to take when it reaches the maximum cache size limit.
    Set to stop logging if you want to stop collecting new events.
    Set to drop cache if you want to delete the cache and start over with any new events that are generated.

For complete information on the Novell Audit Platform Agent, see “Configuring the Platform Agent” in the Novell Audit 2.0 Administration Guide.
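The store-and-forward behaviour described in the Overview (steps 1 to 3) and the logevent settings in Table 3-2 are easier to reason about as a small executable model. The following Python script is an added illustration written for this page; it is not Novell's Platform Agent code and does not speak the real logevent protocol. It parses text in the logevent.cfg format (case-insensitive keys, any order, blank lines, # comments), then simulates an agent that tries the LogHost entries in order, spools events to a local cache while every Secure Logging Server is unreachable, enforces LogMaxCacheSize with the two LogCacheLimitAction behaviours, and flushes the cache on reconnect. The configuration text, the LogCacheDir path, and the 20-byte cache limit are constructed sample values; the host addresses and port numbers are the ones shown in this chapter.

```python
"""Model of the Platform Agent's cache-and-forward behaviour, driven by a
logevent-style configuration. Added example, not Novell's code."""
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed sample configuration in the logevent.cfg format described in
# Section 3.2: keys are case-insensitive, order is free, blank lines are
# allowed and a '#' starts a comment. The cache limit is deliberately tiny
# so that the limit action is exercised by a handful of events.
SAMPLE_CFG = """
# Secure Logging Servers, tried in the order listed
loghost=192.168.0.1,192.168.0.3,192.168.0.4

LogCacheDir=/var/opt/novell/logcache   # assumed path, not from the guide
LogEnginePort=289
LogCachePort=288
LOGMAXCACHESIZE=20
LogCacheLimitAction=stop logging
LogReconnectInterval=600
"""


def parse_logevent(text: str) -> dict[str, str]:
    """Parse logevent.cfg text into a dict keyed by lower-case setting name."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments, whitespace
        if not line:
            continue                              # empty lines are valid
        if "=" not in line:
            raise ValueError(f"malformed logevent entry: {raw!r}")
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip()
    return settings


@dataclass
class PlatformAgentModel:
    hosts: list[str]                      # LogHost entries, in priority order
    max_cache_bytes: int                  # LogMaxCacheSize
    limit_action: str                     # "stop logging" or "drop cache"
    reachable: set[str] = field(default_factory=set)   # simulated network state
    cache: list[bytes] = field(default_factory=list)   # Disconnected Mode Cache
    delivered: list[tuple[str, bytes]] = field(default_factory=list)
    dropped: int = 0                      # events refused under "stop logging"

    @classmethod
    def from_config(cls, cfg: dict[str, str]) -> PlatformAgentModel:
        return cls(
            hosts=[h.strip() for h in cfg["loghost"].split(",") if h.strip()],
            max_cache_bytes=int(cfg.get("logmaxcachesize", "0")) or 2**31,
            limit_action=cfg.get("logcachelimitaction", "stop logging").lower(),
        )

    def current_host(self) -> str | None:
        """First reachable host in LogHost order; None means disconnected."""
        for host in self.hosts:
            if host in self.reachable:
                return host
        return None

    def cache_size(self) -> int:
        return sum(len(e) for e in self.cache)

    def log(self, event: bytes) -> None:
        host = self.current_host()
        if host is not None:
            self.flush(host)                  # spooled events go out first
            self.delivered.append((host, event))
            return
        # Disconnected Cache mode: the event is written to the local cache.
        if self.cache_size() + len(event) > self.max_cache_bytes:
            if self.limit_action == "drop cache":
                self.cache.clear()            # start over with new events
            else:
                self.dropped += 1             # stop logging: refuse new events
                return
        self.cache.append(event)

    def flush(self, host: str) -> None:
        """On reconnect, hand the whole cache to the Secure Logging Server."""
        for event in self.cache:
            self.delivered.append((host, event))
        self.cache.clear()


def run_scenario(cfg_text: str = SAMPLE_CFG) -> PlatformAgentModel:
    """Primary host down, then total outage, then primary back."""
    agent = PlatformAgentModel.from_config(parse_logevent(cfg_text))
    agent.reachable = {"192.168.0.3"}         # failover to the second host
    agent.log(b"event-1")
    agent.reachable = set()                   # all Secure Logging Servers down
    for i in range(2, 6):                     # four 7-byte events, 20-byte cap
        agent.log(f"event-{i}".encode())
    agent.reachable = {"192.168.0.1"}         # primary reachable again
    agent.log(b"event-6")                     # cache flushed, then event-6 sent
    return agent


if __name__ == "__main__":
    for action in ("stop logging", "drop cache"):
        a = run_scenario(SAMPLE_CFG.replace("stop logging", action))
        print(action, [e.decode() for _, e in a.delivered], "dropped:", a.dropped)
```

With "stop logging", events 4 and 5 are refused once the 20-byte cache holds events 2 and 3, and the reconnect delivers 2, 3 and 6 to the primary; with "drop cache", the cache is discarded when event 4 arrives, so the reconnect delivers 4, 5 and 6 and event 2 and 3 are lost. Either way the gap is silent at the Secure Logging Server, which is why LogMaxCacheSize should be sized for the longest outage you expect rather than left at a small value.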
4 Managing Identity Manager Events

The event information sent to Novell® Audit is managed through product-specific instrumentations, or plug-ins. The Identity Manager Instrumentation allows you to configure which events are logged to your data store. You can select predefined log levels, or you can individually select the events you want to log. You can also add user-defined events to the Identity Manager schema.
The following sections review how to manage Identity Manager events:
Section 4.1, “Selecting Events to Log,” on page 17
Section 4.2, “User-Defined Events,” on page 21
Section 4.3, “eDirectory Objects that Store Identity Manager Event Data,” on page 25

4.1 Selecting Events to Log

The Identity Manager Instrumentation allows you to select events to be logged for a driver set, a specific driver, or for the User Application. The User Application consists of the User Application driver, the Role Based Provisioning driver, and workflows.
NOTE: Drivers can inherit logging configuration from the driver set.
The following sections document how to select events for the User Application, driver set, or a specific driver:
“Selecting Events for the User Application” on page 17
“Selecting Events for the Driver Set” on page 19
“Selecting Events for a Specific Driver” on page 20
“Identity Manager Log Levels” on page 20

4.1.1 Selecting Events for the User Application

The User Application enables you to change the log level settings of individual loggers and enable logging to the Novell Audit Platform Agent:
1 Log in to the User Application as the User Application Administrator.
2 Select the Administration tab.
3 Select the Logging link.
The Logging Configuration page appears.
4 Select one of the following log levels for the listed logs.

Log Level   Description
Fatal       Writes Fatal level messages to the log.
Error       Writes Fatal and Error level messages to the log.
Warn        Writes Fatal, Error, and Warn level messages to the log.
Info        Writes Fatal, Error, Warn, and Info level messages to the log.
Debug       Writes Fatal, Error, Warn, Info, and debugging information to the log.
Trace       Writes Fatal, Error, Warn, Info, debugging, and tracing information to the log.