Maintaining Central Permissions Collection and Central Data Classification Engines

About Central Permissions Collection and Central Data Classification Engines

When implemented as engines, the Central Permissions Collection and Central Data Classification engines are installed as central services located in the central File Access Manager installation site; these engines communicate with individual Permission Collection and Data Classification agents that are installed near the endpoints they interact with.

This implementation is best suited for a distributed architecture, where some endpoints may be located far from the central File Access Manager site, in hybrid cloud/on-premise environments, or in large-scale environments with a significant number of endpoints. For this configuration, you must also install the RabbitMQ service to act as a message broker between the central "engine" services and the agent "collector" services. It is recommended that RabbitMQ be installed in the central File Access Manager site.

Prerequisites

Before installing or moving a service, the File Access Manager Server Installer must be installed on each of the servers involved (for example, in case of a move, on both the server a service is currently on, and the server it will be moved to).

Installing the Engine Service

Note: These instructions are applicable to both the Central Permissions Collection engine and the Central Data Classification engine. These steps use the Central Permissions Collection engine as the example; for the Central Data Classification engine, substitute the service name and service details as needed.

  1. Launch the File Access Manager Server Installer on the central/core services server.
  2. Choose Use an existing IdentityIQ File Access Manager Database.
  3. Enter the database credentials and click Next.
  4. In the Action Select page, select Create / Edit installation configuration and click Next.
  5. If the server where you want to install the service is not in the server list, add it by entering the details of the server. For new servers, provide the Server Local Name (short NETBIOS name) and Server FQDN (Fully Qualified Domain Name). Then click Add to add this server to the Server List.
  6. Click Next.
  7. Click on the drop-down list for the Central Permissions Collection service, and choose the server where you want to install it.
  8. Enter a name for the service (for example, CPC-1).
  9. If you want to add additional Central Permissions Collection services, click the + button, and provide a server and service name for each new service.
  10. Click Next.
  11. In the next panel:
    • If you are installing this service on the same server where you are running the Server Installer, click Save Configuration and Perform current Server's installation Tasks.
    • If you will install this service on a different server, click Save Configuration Only and refer to the Installing on a Separate Server section below.
  12. Click Next.
  13. When the progress bar shows Finished, click Next. This opens the Installation Summary window.

Checking the Logs

  1. In the Installation Summary window, check the Open Installation Log box, then click Finish. This opens the installation log.
  2. In the installation log, search for the term ERROR (using all capital letters) to see if any errors occurred during installation of the engine.
  3. In case of errors, you can try to troubleshoot the error, or contact SailPoint Support for further assistance. If you contact Support, you will need to send the install log to analyze the issue.

Installing an Engine on a Separate Server

To install the engine on a different server than the one you were working on in the section above, follow these additional steps:

  1. On the new server, install the File Access Manager Server Installer if it is not present already.
  2. Launch the File Access Manager Server Installer.
  3. When prompted, choose Use an existing IdentityIQ File Access Manager Database.
  4. Enter the database credentials to connect to the same database you created or connected to in the section above, and click Next.
  5. On the Action Select page, choose Perform Current Server's Installation Tasks and click Next.
  6. The next panel lists the services the installer will install on this server. Verify the configuration and click Next.
  7. Click Next, then click Finish to complete the installation and open the Installation Summary window.
  8. Check the installer logs as described in the Checking the Logs section above.

Next Steps

  1. Open the File Access Manager Admin Client and edit your application(s) to select the Central Permissions Collection/Central Data Classification service that you just installed.
  2. Save the changes.
  3. Launch the crawler or Permission collection task to start the process in the “in-memory” mode.
  4. These steps can be repeated to configure a single Central Permissions Collection/Central Data Classification with multiple applications.

Note: A single Central Permissions Collection/Central Data Classification can only execute one task at a time. Multiple tasks scheduled to run on a single Central Permissions Collection/Central Data Classification will be executed sequentially.

Figure: Central Permissions Collection/Central Data Classification with one application in in-memory mode.

Figure: Central Permissions Collection/Central Data Classification with multiple applications in in-memory mode.

Moving an Engine

Services may sometimes need to be moved due to architecture or hardware changes in your environment.

Important: If the engines are associated with any collector agents, all the associated collector agents should be uninstalled prior to moving the engine. Use the File Access Manager Collector Manager to uninstall the collector agents. An exception to this requirement is if the engine is running in "in-memory" mode; in this case you do not need to uninstall the collector agents.

On the current server (where the engine is installed now):

  1. Launch the File Access Manager Server Installer.
  2. Choose Use an existing IdentityIQ File Access Manager Database.
  3. Enter the database credentials and click Next.
  4. In the Action Select page, select Create / Edit Installation Configuration and click Next.
  5. If the server you want to move the engine to is not in the server list, add it by entering the details of the server. For new servers, provide the Server Local Name (short NETBIOS name) and Server FQDN (Fully Qualified Domain Name). Then click Add to add this server to the Server List.
  6. Click Next.
  7. Click on the drop-down list for the engine you want to move, and choose the server you want to move it to.
  8. Click Next.
  9. In the next panel, click Save Configuration and Perform current Server's installation Tasks.
  10. Click Next. This launches the uninstall process for the engine.
  11. Click Finish. This opens the Installation Summary window. Check the logs for errors as described in the Checking the Logs section above.

On the new server (the one you want to move the service to):

  1. Launch the File Access Manager Server Installer.
  2. Choose Use an existing IdentityIQ File Access Manager Database.
  3. Enter the database credentials and click Next.
  4. In the Action Select page, select Perform current Server's installation Tasks and click Next.
  5. The next page shows a summary of the engine/services that will be moved to this server. Verify the configuration and click Next.
  6. Click Next, then click Finish to complete the installation.
  7. When the progress bar shows Finished, click Next to open the Installation Summary window. Check the installer logs as described in the Checking the Logs section above.
  8. Reinstalling collector agents: If you uninstalled any collector agents (see the Important note at the beginning of this section), you can reinstall the agents now, using the File Access Manager Collector Manager, and associate them to the appropriate engine(s).

Uninstalling an Engine

Important: If the engines are associated with any collector agents, all the associated collector agents should be uninstalled prior to uninstalling the engine. Use the File Access Manager Collector Manager to uninstall the collector agents. An exception to this requirement is if the engine is running in "in-memory" mode; in this case you do not need to uninstall the collector agents.

To uninstall an engine:

  1. Launch the File Access Manager Server Installer on the server where the engine is installed.
  2. Choose Use an existing IdentityIQ File Access Manager Database.
  3. Enter the database credentials and click Next.
  4. In the Action Select page, select Uninstall File Access Manager features from the current server and click Next.
  5. Select the engine service(s) you want to uninstall.
    Note: By default, all the services installed on the server are selected for uninstall. Click Select All to de-select all the options and individually select the services as desired.
  6. Click Next to start the uninstall process.
  7. When the progress bar shows Finished, click Next to open the Installation Summary window. Check the installer logs as described in the Checking the Logs section above.

Troubleshooting

Issue: Crawl and/or permission collection tasks stay "Pending" indefinitely.
Resolution: Follow these steps:

If your environment does not have RabbitMQ installed:

  1. Using the File Access Manager Admin Client, edit the application that the task is running on, and verify that a Permission Collection service is assigned.
  2. Browse to the Central Permissions Collection's server, and verify that the service is running.
  3. Review the log for the Central Permissions Collection service to make sure that no other job is already running on it.
  4. If there is already a job running, the crawl or permissions collection task you launched will begin running after the existing job completes.
  5. If there is not a job running:
    1. Stop the Central Permissions Collection service using the services.msc window.
    2. Confirm that the service has stopped.
    3. Start the Central Permissions Collection service.
    4. Review the log for the Central Permissions Collection service to make sure there were no errors while starting the service.
    5. Confirm that all services appear as GREEN in the Health Center.
  6. Right-click on the crawl/permissions collection job that is pending, and click Force clear.
  7. Launch a new crawl/permission collection job for the application.

If your environment has RabbitMQ installed:

  1. Using the File Access Manager Admin Client, edit the application that the task is running on, and verify that a Permission Collection service is assigned. 
  2. Browse to the Central Permissions Collection's server, and verify that the service is running.
  3. Browse to the RabbitMQ server and verify that RabbitMQ is running.
  4. Review the log for the Central Permissions Collection service to make sure that no other job is already running on it.
  5. If there is already a job running, the crawl or permissions collection task you launched will begin running after the existing job completes.
  6. If there is not a job running, there may be an issue with communication between RabbitMQ, the collectors, and the Central Permissions Collection engine. To troubleshoot this:
    1. Stop the collector agent services associated with the application.
    2. Stop the Central Permissions Collection service.
    3. Stop the RabbitMQ service.
    4. Confirm that all the services have stopped.
    5. Start the RabbitMQ service.
    6. Start the Central Permissions Collection service.
    7. Start the collector agent services.
    8. Review all relevant logs to make sure there were no errors while starting the services.
    9. Confirm that all services appear as GREEN in the Health Center.
  7. Right-click on the crawl/permissions collection job that is pending, and click Force clear.
  8. Launch a new crawl/permission collection job for the application.
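The restart sequence in the RabbitMQ troubleshooting steps above (stop collectors, then the engine, then the broker; confirm everything stopped; start in reverse order) and the ERROR search from the Checking the Logs section can be scripted so that the order is enforced and only errors written during the restart are reported. The PowerShell below is an added example for this page, not a tool shipped with File Access Manager; every Windows service name and the log path are placeholders to be replaced with the names shown in services.msc and the engine's real log location.

```powershell
# Added example, not part of SailPoint's File Access Manager tooling. It scripts the
# ordered stop/start sequence from the RabbitMQ troubleshooting steps and then scans the
# engine log for the literal token ERROR, as the Checking the Logs section describes.
# Every service name and path here is a placeholder: take the real names from
# services.msc and the real log location from your installation.

$Config = @{
    RabbitMqService   = 'RabbitMQ'                                # placeholder
    EngineService     = 'FAM Central Permissions Collection'      # placeholder
    CollectorServices = @('FAM Permission Collector 1')           # placeholders
    EngineLog         = 'C:\PLACEHOLDER\Logs\CPC-1.log'           # placeholder
    TimeoutSeconds    = 120
}

# Block until a service reaches the requested state, or fail loudly with its actual state.
function Wait-ServiceState {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [System.ServiceProcess.ServiceControllerStatus] $Status,
        [int] $TimeoutSeconds = 120
    )
    $svc = Get-Service -Name $Name -ErrorAction Stop
    try {
        $svc.WaitForStatus($Status, [TimeSpan]::FromSeconds($TimeoutSeconds))
    } catch [System.ServiceProcess.TimeoutException] {
        $svc.Refresh()
        throw "Service '$Name' did not reach '$Status' within $TimeoutSeconds s (now: $($svc.Status))."
    }
    Write-Host "$Name is $Status"
}

# Stop dependents first (collectors, then engine) and the broker last; start in reverse.
function Restart-CollectionChain {
    param([Parameter(Mandatory)] [hashtable] $Cfg)

    $stopOrder  = @($Cfg.CollectorServices) + @($Cfg.EngineService, $Cfg.RabbitMqService)
    $startOrder = @($Cfg.RabbitMqService, $Cfg.EngineService) + @($Cfg.CollectorServices)

    foreach ($name in $stopOrder) {
        Stop-Service -Name $name -ErrorAction Stop
        Wait-ServiceState -Name $name -Status Stopped -TimeoutSeconds $Cfg.TimeoutSeconds
    }
    # The "confirm that all the services have stopped" step, as an explicit recheck.
    $stillRunning = Get-Service -Name $stopOrder | Where-Object Status -ne 'Stopped'
    if ($stillRunning) { throw "Refusing to start: still running: $($stillRunning.Name -join ', ')" }

    foreach ($name in $startOrder) {
        Start-Service -Name $name -ErrorAction Stop
        Wait-ServiceState -Name $name -Status Running -TimeoutSeconds $Cfg.TimeoutSeconds
    }
}

# Return the ERROR lines (case-sensitive, literal match) written after a given line count,
# so only entries produced by this restart are reported.
function Find-LogErrors {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [int] $AfterLine = 0
    )
    if (-not (Test-Path -LiteralPath $Path)) { throw "Log file not found: $Path" }
    Select-String -LiteralPath $Path -Pattern 'ERROR' -CaseSensitive -SimpleMatch |
        Where-Object LineNumber -gt $AfterLine |
        ForEach-Object { [pscustomobject]@{ Line = $_.LineNumber; Text = $_.Line.Trim() } }
}

# Remember where the log ends now, so pre-existing errors are not mistaken for new ones.
$baseline = 0
if (Test-Path -LiteralPath $Config.EngineLog) {
    $baseline = @(Get-Content -LiteralPath $Config.EngineLog).Count
}

Restart-CollectionChain -Cfg $Config

$found = @(Find-LogErrors -Path $Config.EngineLog -AfterLine $baseline)
if ($found.Count -gt 0) {
    Write-Warning "$($found.Count) ERROR line(s) logged during startup:"
    $found | Format-Table -AutoSize
} else {
    Write-Host "No ERROR entries since restart; confirm services are GREEN in the Health Center."
}
```

Run it from an elevated PowerShell session on the engine server (or with the collector and RabbitMQ names pointing at services reachable from there). The Health Center check and the Force clear of the pending job remain Admin Client steps and are not automated here; the script only gets the services into a clean, verified state before you perform them.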

Comments

Are these steps the same in 8.1?

Version history: Revision 10 of 10. Last update: Aug 23, 2019 05:04 PM.