Set Up the Program Database

The first time you launch Privileged Identity, a setup wizard helps you configure various components of the Privileged Identity database. All of the component steps are optional except program data store configuration.

Note: If you need to run this setup wizard again, select Settings > Re-Run Setup Wizard in the management console.

Database Setup

  1. On Database Setup, click Change Settings to create and/or connect to the database Privileged Identity will use for its primary data store.


Database Data Store Configuration

  1. Complete the fields in the Database Connection Information section.

    Note: If you need to change this information later, select Settings > Data Store Configuration > Basic Configuration from the management console.

    1. Database access - Select the database provider the Privileged Identity components should use when connecting to the data store.
      1. OLEDB Provider: SQL Server - This is the default option.
      2. ODBC Driver: SQL Server Native Client - This is available if the SQL Server Native Client has been installed. You must use this option when connecting to mirrored databases, database availability groups, or Microsoft Azure SQL, or when using TLS v1.2 to encrypt database communications.
    2. Server name - Enter the name of the server hosting the database. This can be a simple name, fully qualified domain name, or IP address. To connect to a named instance of SQL Server, enter ServerName\InstanceName. To connect on a custom port, enter the server name and port number separated by a comma, as ServerName,####. If you click the dropdown arrow, Privileged Identity populates the list with the SQL Server hosts it discovers on the local network.
    3. Authentication information - If you select Connect with Integrated Windows Authentication, then Privileged Identity connects to the data store using the service account or interactive management console account. This requires that these accounts (or groups they belong to) have been granted appropriate access to the database server and instance.

      If you select Use database native authentication mode, then Privileged Identity uses a Microsoft SQL account to access the data store. This account is created and managed within the target SQL Server instance. Use this option when the database host is not trusted by the Privileged Identity component host (e.g., management console or web app host) or when you do not want to provision Active Directory groups or users to the database.

    4. Encrypt communication with database - If this is deselected, traffic is encrypted only as the database provider's own encryption mode dictates. Select this option to require SSL/TLS as configured by your database or network administrator. The server certificate must be trusted by the database server and by every product component host; a certificate that a component host does not trust causes that host's connection to fail rather than fall back to clear text.
    5. Add additional connection string parameters - Supply additional connection string parameters specific to your database without having to write the whole connection string. This option is typically used when connecting to mirrored data sources or SQL AlwaysOn sources. When adding two or more parameters, separate them with a semicolon.
    6. Override settings - use custom connection string - If you select this option, you can enter the connection string completely by hand. Only advanced database administrators should attempt this option.
    7. Test Connection - Click this button to verify that you can make a connection to the specified database using the specified credentials. Once the test has completed, you can see the outcome in the Status section at the bottom of the dialog.

    For more information on connecting to mirrored databases, database availability groups, or Microsoft Azure SQL, please see Connect to High-Availability and Cloud Databases.

  2. After you've successfully connected to your database, complete the fields in the Database Settings section.
    1. Name of the existing database to use - Select a database instance to use, or click Manage Database Instances to view all found instances, to create a new database instance, or to delete an existing instance.

      Important!

      Deleting a database instance removes it from the data store entirely, not just from this interface. A deleted database instance cannot be restored.

    2. Use an explicit (non-default) schema - This determines the context under which Privileged Identity will create database objects. We recommend checking this option and entering DBO in the field.

      If you leave this unchecked, then objects are created under the default schema of the connected account. If that account is not in the sysadmin role, SQL Server creates a schema named after the account and creates all objects in that schema. While this works for a single user or when using database native authentication, it does not work well with integrated security where the connecting users are not sysadmin-level: each non-sysadmin user gets a separate schema, so objects created by one user are not found by another.

      Important!

      If you switch schemas, then any data already added will be removed. Be very careful about switching schemas if you've already begun using this database for this or other applications.

  3. Optionally, enter Advanced Settings.
    1. Set explicit connection limit - This limits the number of connections made to the target database host. While this slows down job processing, it can improve stability when the database host is under-provisioned.
    2. Maximum number of active DB connections during normal operations - Set how many connections can be made at once.
    3. Overwrite the default database timeout value - Set how long Privileged Identity should wait for data to be returned from the database before the call times out. While 30 seconds should typically be enough, you may need to increase the timeout to handle high-latency, low-bandwidth links or while maintaining your database.
  4. Click OK. Privileged Identity will now create all required views, stored procedures, and tables on the database. If no issues occur, the Database Setup dialog reappears, with Settings are Valid appearing in green.
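The following Windows PowerShell function is an added example, not code from Privileged Identity or its documentation. It assembles a connection string from the same choices the fields above describe (server name formats, integrated versus database native authentication, required encryption, extra parameters, timeout) and verifies it from a component host using System.Data.SqlClient. It also reports the default schema the connected account would create objects in, which is the reason for the explicit DBO schema setting in the next step, and whether the session actually negotiated encryption. The server names, database name and SQL login are placeholders.

```powershell
# Added example: builds and tests a data store connection string the way the wizard
# fields above describe. Not part of Privileged Identity; all names below are placeholders.
Add-Type -AssemblyName System.Data

function Test-DataStoreConnection {
    param(
        # 'SQLHOST' (default instance), 'SQLHOST\INST01' (named instance) or 'SQLHOST,1533' (custom port)
        [Parameter(Mandatory)] [string] $Server,
        [Parameter(Mandatory)] [string] $Database,
        # Omit for Integrated Windows Authentication; supply for database native authentication
        [pscredential] $SqlCredential,
        # Equivalent of "Encrypt communication with database": require TLS, keep validation on
        [switch] $Encrypt,
        # Equivalent of "Add additional connection string parameters", e.g. @{ MultiSubnetFailover = 'True' }
        [hashtable] $ExtraParameters = @{},
        # Equivalent of "Overwrite the default database timeout value" (seconds)
        [int] $TimeoutSeconds = 30
    )

    $b = New-Object System.Data.SqlClient.SqlConnectionStringBuilder
    $b.DataSource      = $Server
    $b.InitialCatalog  = $Database
    $b.ConnectTimeout  = $TimeoutSeconds
    $b.ApplicationName = 'Data store connectivity check'
    if ($SqlCredential) {
        $b.IntegratedSecurity = $false
        $b.UserID   = $SqlCredential.UserName
        $b.Password = $SqlCredential.GetNetworkCredential().Password
    } else {
        $b.IntegratedSecurity = $true
    }
    if ($Encrypt) {
        # TrustServerCertificate=$false means a certificate this host does not trust fails the
        # connection instead of being accepted silently; that is the failure you want to see here.
        $b.Encrypt = $true
        $b.TrustServerCertificate = $false
    }
    foreach ($k in $ExtraParameters.Keys) { $b[$k] = $ExtraParameters[$k] }

    $conn = New-Object System.Data.SqlClient.SqlConnection $b.ConnectionString
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        # SCHEMA_NAME() with no argument is the caller's default schema: for a non-sysadmin
        # login this is where unqualified CREATE TABLE lands unless an explicit schema is set.
        $cmd.CommandText = "SELECT SUSER_SNAME(), SCHEMA_NAME(), ISNULL(IS_SRVROLEMEMBER('sysadmin'), 0)"
        $r = $cmd.ExecuteReader()
        [void]$r.Read()
        $info = [ordered]@{
            LoginName        = $r.GetString(0)
            DefaultSchema    = $r.GetString(1)
            IsSysadmin       = ($r.GetInt32(2) -eq 1)
            Encrypted        = 'unknown (VIEW SERVER STATE needed)'
            ConnectionString = ($b.ConnectionString -replace 'Password=[^;]*', 'Password=***')
        }
        $r.Close()
        # Whether the session really negotiated TLS; needs VIEW SERVER STATE, so tolerate denial.
        try {
            $cmd.CommandText = 'SELECT encrypt_option FROM sys.dm_exec_connections WHERE session_id = @@SPID'
            $info.Encrypted = [string]$cmd.ExecuteScalar()
        } catch [System.Data.SqlClient.SqlException] { }
        [pscustomobject]$info
    } finally {
        $conn.Dispose()
    }
}

# Usage (placeholders): integrated authentication to a named instance, TLS required
Test-DataStoreConnection -Server 'SQLHOST\INST01' -Database 'PrivilegedIdentity' -Encrypt

# SQL login on a custom port with an availability-group listener parameter
Test-DataStoreConnection -Server 'AGLISTENER,1533' -Database 'PrivilegedIdentity' `
    -SqlCredential (Get-Credential -UserName 'pi_datastore' -Message 'SQL login') `
    -Encrypt -ExtraParameters @{ MultiSubnetFailover = 'True' }
```

Run it as the account the component will use (the service account or the interactive console user for integrated authentication) on the component host itself, so that name resolution, the trust relationship and the certificate trust store being tested are the ones the product will see. A DefaultSchema other than dbo for a non-sysadmin login is exactly the situation the explicit schema setting below avoids.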

Deferred Processor Setup

  1. Next, you'll perform Deferred Processor Setup. The deferred processor performs all scheduled actions within Privileged Identity.

    Note: If you need to change this information later, select Settings > Application Components from the management console, and then select Deferred Processor Service from the dropdown.

    1. Supply a service account in the form of Domain\Account Name, and enter its password. This account must have local administrative rights, as well as the right to log in as a service on the local machine.


      Note: If you don't have an account available at this time, click Next to skip this step.

      For more information about the deferred processor account requirements, see Deferred Processor / Zone Processor Service Identity.

    2. Click Install/Start Service. Privileged Identity attempts to grant Logon as a Service to the account. If the process succeeds, you'll see Service is Running in green.

      If there are problems connecting to the database or granting rights, or if the account is not a local admin, the service fails to start. You can fix the issues now or after install.

    3. Click Next.
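Because the service fails to start when the account lacks local administrative rights or the Logon as a Service right, it is useful to check both before clicking Install/Start Service. The following function is an added example, not part of Privileged Identity. It assumes an elevated Windows PowerShell session on the host, the Microsoft.PowerShell.LocalAccounts module (Windows Server 2016 and later), and a placeholder account name. Both checks see direct assignments only: membership or rights inherited through a nested group are not reported, so a false result may still be satisfied indirectly.

```powershell
# Added example: verifies the deferred processor service account prerequisites described
# above. Not part of Privileged Identity; the account name is a placeholder.
function Test-ServiceAccountPrerequisites {
    param([Parameter(Mandatory)] [string] $Account)   # 'DOMAIN\Account Name'

    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value

    # 1. Local Administrators membership. The group is addressed by its well-known SID so the
    #    check works on localized systems. Direct members only (nested groups are not expanded).
    $isLocalAdmin = [bool](Get-LocalGroupMember -SID 'S-1-5-32-544' |
                           Where-Object { $_.SID.Value -eq $sid })

    # 2. "Log on as a service" (SeServiceLogonRight) from the local security policy. secedit
    #    writes principals as *SID or as names; match either. Direct assignments only.
    $hasLogonAsService = $false
    $granted = @()
    $cfg = Join-Path $env:TEMP ('userrights-{0}.inf' -f [guid]::NewGuid())
    try {
        & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        # secedit writes UTF-16; read it as such rather than relying on BOM detection
        $line = Get-Content -Path $cfg -Encoding Unicode |
                Where-Object { $_ -match '^SeServiceLogonRight\s*=' } | Select-Object -First 1
        if ($line) {
            $granted = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim() }
        }
        $hasLogonAsService = ($granted -contains "*$sid") -or ($granted -contains $Account)
    } finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }

    [pscustomobject]@{
        Account             = $Account
        SID                 = $sid
        IsLocalAdmin        = $isLocalAdmin
        HasLogonAsService   = $hasLogonAsService
        SeServiceLogonRight = ($granted -join ',')
    }
}

# Usage (placeholder account)
Test-ServiceAccountPrerequisites -Account 'CORP\svc-pi-deferred'
```

The wizard grants Logon as a Service itself, so HasLogonAsService being false before install is expected; after a successful Install/Start Service it should read true. IsLocalAdmin false is the condition the wizard will not fix for you.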

Email Setup

  1. To set up Privileged Identity to send email, enter Email Setup.

    Note: If you don't need Privileged Identity to send emails or if you don't have email server settings available at this time, click Next to skip this step.

    Note: If you need to change this information later, select Settings > Email Settings from the management console.

    1. Click Change Settings to start the setup.


    SMTP Email Settings - General

    1. On the General tab, at a minimum, enter:
      1. Name - The "from" name for the email.
      2. Organization - The name of your organization.
      3. Sender Email - The "from" address for the email.
      4. Reply-to Email - The address that replies should be sent to.


    SMTP Email Settings - Outgoing Server

    1. On the Outgoing Server tab, at a minimum, enter:
      1. Outgoing SMTP Server Name - The DNS or IP address of the mail server.
      2. Port - The port through which to connect to the mail server.
      3. Authentication Method - The authentication method your mail server is configured to accept.
      4. Use Authentication Credentials - The username and password used to authenticate to the mail server. If your mail server accepts anonymous (unauthenticated) submission, you can leave this unchecked.
      5. Use SSL Client Certificate Authentication - Supply the client certificate information the mail server requires to authenticate Privileged Identity over SSL/TLS.
    2. Click Test Connection to verify the settings, and click Send Test Email to check that emails send successfully.
    3. Click OK. If there are no problems, you'll see No problems detected with settings in green.

    For details about SMTP email settings, please see Configure SMTP Email Settings.
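Test Connection reports only pass or fail. When it fails, or when you want to confirm that mail actually leaves the host over TLS, the following Windows PowerShell function is an added example (not part of Privileged Identity) that performs the same SMTP exchange by hand on the submission port: it records what the server advertises, upgrades with STARTTLS, reports the negotiated TLS version, the server certificate and whether that certificate chains to a root this host trusts, and optionally presents a client certificate from the local machine store, which corresponds to the SSL client certificate option above. It assumes a server that offers STARTTLS on the given port and supports TLS 1.2; the host name, port and certificate thumbprint are placeholders.

```powershell
# Added example: probes the outgoing SMTP server configured above. Not part of Privileged
# Identity; server, port and thumbprint are placeholders. Assumes STARTTLS and TLS 1.2.
function Test-SmtpServer {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [int] $Port = 587,
        # Thumbprint of a client certificate in Cert:\LocalMachine\My, for servers that
        # require certificate authentication (the "Use SSL Client Certificate Authentication" option)
        [string] $ClientCertThumbprint
    )
    $tcp = New-Object System.Net.Sockets.TcpClient
    $tcp.Connect($Server, $Port)
    $stream = $tcp.GetStream()
    $reader = New-Object System.IO.StreamReader($stream, [System.Text.Encoding]::ASCII)
    $writer = New-Object System.IO.StreamWriter($stream, [System.Text.Encoding]::ASCII)
    $writer.NewLine = "`r`n"; $writer.AutoFlush = $true

    # SMTP replies may span lines: "250-..." continues, "250 ..." ends the reply.
    # $reader is resolved from the enclosing scope, so it follows the TLS switch below.
    function Read-SmtpReply {
        $lines = @()
        do { $line = $reader.ReadLine(); $lines += $line } while ($line -match '^\d{3}-')
        ,$lines
    }

    $result = [ordered]@{ Server = $Server; Port = $Port; Banner = (Read-SmtpReply)[0] }
    $writer.WriteLine("EHLO $([System.Net.Dns]::GetHostName())")
    $caps = Read-SmtpReply
    $result.OffersStartTls = [bool]($caps -match '^250[- ]STARTTLS')
    $result.AuthBeforeTls  = @($caps -match '^250[- ]AUTH\b') -replace '^250[- ]AUTH\s*', ''

    if ($result.OffersStartTls) {
        $writer.WriteLine('STARTTLS')
        if ((Read-SmtpReply)[0] -match '^220') {
            # Record chain validation errors instead of aborting: this is a diagnostic probe.
            # The product's own connection must not accept an untrusted certificate.
            $state = @{ PolicyErrors = $null }
            $onValidate = {
                param($sender, $cert, $chain, $policyErrors)
                $state.PolicyErrors = $policyErrors
                return $true
            }.GetNewClosure()
            $ssl = New-Object System.Net.Security.SslStream($stream, $false, $onValidate)
            $clientCerts = New-Object System.Security.Cryptography.X509Certificates.X509CertificateCollection
            if ($ClientCertThumbprint) {
                [void]$clientCerts.Add((Get-Item "Cert:\LocalMachine\My\$ClientCertThumbprint"))
            }
            $ssl.AuthenticateAsClient($Server, $clientCerts,
                                      [System.Security.Authentication.SslProtocols]::Tls12, $true)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
            $result.TlsProtocol        = $ssl.SslProtocol
            $result.ServerCertSubject  = $cert.Subject
            $result.ServerCertIssuer   = $cert.Issuer
            $result.ServerCertExpires  = $cert.NotAfter
            $result.ServerCertErrors   = [string]$state.PolicyErrors   # 'None' when the chain is trusted
            $result.ClientCertAccepted = $ssl.IsMutuallyAuthenticated
            # Repeat EHLO inside TLS: AUTH mechanisms are often advertised only after STARTTLS.
            $tlsWriter = New-Object System.IO.StreamWriter($ssl, [System.Text.Encoding]::ASCII)
            $tlsWriter.NewLine = "`r`n"; $tlsWriter.AutoFlush = $true
            $reader = New-Object System.IO.StreamReader($ssl, [System.Text.Encoding]::ASCII)
            $tlsWriter.WriteLine("EHLO $([System.Net.Dns]::GetHostName())")
            $result.AuthAfterTls = @(Read-SmtpReply | Where-Object { $_ -match '^250[- ]AUTH\b' }) -replace '^250[- ]AUTH\s*', ''
            $tlsWriter.WriteLine('QUIT')
            $ssl.Dispose()
        }
    } else {
        $writer.WriteLine('QUIT')
    }
    $tcp.Close()
    [pscustomobject]$result
}

# Usage (placeholder server)
Test-SmtpServer -Server 'smtp.example.com' -Port 587
```

Anything other than None in ServerCertErrors (for example RemoteCertificateChainErrors or RemoteCertificateNameMismatch) means the product's authenticated connection will fail on this host until the issuing chain is trusted or the server name matches the certificate. An empty AuthBeforeTls with a populated AuthAfterTls is normal and means credentials are only accepted once the session is encrypted.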

Setup Complete

  1. On Setup Complete, click Edit Encryption Settings.

    Note: If you need to change this information later, select Settings > Encryption Settings from the management console.


    Encryption Settings

    1. We highly recommend that you check Use Encryption for Passwords in Database.
    2. Select the encryption type appropriate to your environment: software-based, FIPS 140-2, or PKCS #11. If you're unsure which to use, select Use software-based cryptography, with an Encryption Type of AES and a Key Length of 256 bit.
    3. Click OK.

For details about encryption settings, please see Configure Encryption Options.

  2. We recommend that you skip managing web application instances at this time, as not all web site options are enabled until you've completed registration. Furthermore, the web app requires the web service, which you have not yet configured.

For information on installing the web app, please see Install the Web Application.

  3. Click Set Recovery Access Password to change the default password.

    Note: You can change this password later by selecting Manage > View Stored Managed Passwords from the management console. If the password has not been set, you'll receive a prompt to set the password. Otherwise, from the Stored Passwords dialog, select Access > Change Recovery Access Password.

  4. Click Finish.