Best Practices Guide
Information available in this section will help you ensure the proper functioning of your new and existing environments.
Certain Identity Director features require an encryption key to be configured for your components. This can be done either during installation or afterwards.
- When installing the Transaction Engine component of Identity Director, you can either generate a new encryption key or add a previously generated one.
- That key is used to encrypt some of your PowerShell data, in particular the credentials used for script execution.
- Only use encryption keys that were generated with the Transaction Engine installer or the Management Portal. Using a key that was not generated by Identity Director components is not supported.
- Make sure you save your encryption key and store it in a safe place.
Transaction Engine:
- In the Windows Registry, go to HKEY_LOCAL_MACHINE\SOFTWARE\RES\ITStore\Transaction Engine\DBEncryptionKey. If DBEncryptionKey does not exist, create it manually as a REG_SZ value.
- Add the previously generated key. Example: cQLZvNLyaw2LAvSKMACKyJnVvO+cv7NCaWE2omNr3p8=
- Restart the Transaction Engine. The key is then encrypted and ready to use.
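As an added example (not part of this guide), the following PowerShell script performs the Transaction Engine steps above: it writes DBEncryptionKey as a REG_SZ value and restarts the service, but refuses to overwrite a key that is already configured, since that would break existing scripts. It assumes the key was generated by an Identity Director component and that $ServiceName is a placeholder for the real Transaction Engine service name.

```powershell
# Added example, not taken from the Identity Director documentation: write the Transaction Engine
# DBEncryptionKey value as REG_SZ, but refuse to overwrite a key that is already configured.
# Assumptions: the key was generated by the Transaction Engine installer or the Management Portal,
# and $ServiceName is a placeholder for the real Transaction Engine service name on your server.
param(
    [Parameter(Mandatory = $true)][string]$EncryptionKey,
    [string]$ServiceName = 'PLACEHOLDER-TransactionEngineService'   # assumption: find it with Get-Service
)

$regPath   = 'HKLM:\SOFTWARE\RES\ITStore\Transaction Engine'
$valueName = 'DBEncryptionKey'

# The example key in this guide is Base64 text; reject values that do not decode at all
# (assumption: keys generated by Identity Director components are always Base64).
try   { [void][Convert]::FromBase64String($EncryptionKey) }
catch { throw 'The supplied value is not valid Base64. Use a key generated by Identity Director.' }

if (-not (Test-Path -Path $regPath)) {
    throw "Registry key '$regPath' not found. Is the Transaction Engine installed on this machine?"
}

# Applying a different key on top of an existing one makes existing scripts fail (see the notes in
# this guide), so stop here if a value is already present instead of silently replacing it.
$existing = (Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
if (-not [string]::IsNullOrEmpty($existing)) {
    throw "DBEncryptionKey is already configured under $regPath; not overwriting it."
}

# Write the plaintext key; after the restart the Transaction Engine replaces it with its encrypted
# form, so the stored value will no longer match what you pasted here.
New-ItemProperty -Path $regPath -Name $valueName -PropertyType String -Value $EncryptionKey | Out-Null

$service = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if ($null -eq $service) {
    Write-Warning "Service '$ServiceName' not found. Restart the Transaction Engine manually to activate the key."
} else {
    Restart-Service -Name $ServiceName -Force
    Write-Host "DBEncryptionKey written and '$ServiceName' restarted."
}
```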
Management Portal:
Before applying the encryption key for the Management Portal, make sure that the Load User Profile option is set to True for all the web components of Identity Director.
Option 1: Set the encryption key from the Management Portal
- Open the Management Portal, go to Setup > Datastore and add the existing encryption key, or generate a new one.
- Press the Test Connection button. If the test passes, press Save.
Option 2: Set the encryption key in WebConsole.config
- Browse to C:\Program Files (x86)\RES Software\IT Store\Web Console\Config.
- Within this folder, locate the WebConsole.config file, open it and go to webConsoleConfiguration > managementService > database > encryptionKey.
- Add the generated key. Example: cQLZvNLyaw2LAvSKMACKyJnVvO+cv7NCaWE2omNr3p8=
- Once you restart the Application Pool or perform an IIS reset, the key is encrypted and ready to use.
- For security reasons, the encryption key is not displayed in the Management Portal under Setup > Datastore.
- Applying a new encryption key when a key has already been configured in the Transaction Engine will cause existing scripts to fail.
- To see whether an encryption key has been configured, look in your WebConsole.config file, in the section webConsoleConfiguration > managementService > database > encryptionKey.
- Remember to use the same encryption key for all Identity Director components.
- Seeing different values for the stored keys of the Transaction Engine and the Management Portal in the locations above does not necessarily mean that the encryption keys are different, only that each component encrypts its stored copy differently.
- If the encryption key is configured during an upgrade, it is not automatically updated on all machines/components.
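As an added example (not part of this guide), the following PowerShell script covers both the WebConsole.config check described in the notes above and Option 2 for setting the key: it reports whether encryptionKey is populated and, only when it is empty and a key is supplied, writes the key and keeps a backup of the file. It assumes the encryptionKey node is reachable under webConsoleConfiguration > managementService > database; PowerShell's XML adapter resolves that name whether it is a child element or an attribute.

```powershell
# Added example, not taken from the Identity Director documentation: report whether an encryption
# key is present in WebConsole.config and, only when none is present, write one (Option 2 above).
# Assumption: encryptionKey sits at webConsoleConfiguration > managementService > database >
# encryptionKey; PowerShell's XML adapter resolves that name for a child element or an attribute.
param(
    [string]$ConfigPath = 'C:\Program Files (x86)\RES Software\IT Store\Web Console\Config\WebConsole.config',
    [string]$EncryptionKey = ''   # leave empty to only check the current state
)

if (-not (Test-Path -Path $ConfigPath)) { throw "Config file not found: $ConfigPath" }
[xml]$config = Get-Content -Path $ConfigPath -Raw

$database = $config.webConsoleConfiguration.managementService.database
if ($null -eq $database) { throw 'Section webConsoleConfiguration/managementService/database not found.' }

$current = $database.encryptionKey
if (-not [string]::IsNullOrWhiteSpace($current)) {
    # The stored value is the encrypted form: it will not equal the key you typed, nor the value in
    # the Transaction Engine registry, even when every component uses the same key.
    Write-Host "An encryption key is configured in $ConfigPath ($($current.Length) characters, stored encrypted)."
    return
}

Write-Host "No encryption key is configured in $ConfigPath."
if ([string]::IsNullOrEmpty($EncryptionKey)) { return }

# Keep a copy of the original file, then set the key and save. The portal encrypts the value once
# the application pool is recycled or IIS is reset, so do that as the final step.
Copy-Item -Path $ConfigPath -Destination "$ConfigPath.bak" -Force
$database.encryptionKey = $EncryptionKey
$config.Save($ConfigPath)
Write-Host "Key written to $ConfigPath. Recycle the application pool or run iisreset to activate it."
```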
For Identity Director 2021.1.1, we have rewritten the queries responsible for loading organizations from the database.
For earlier versions, query performance is drastically affected by database index fragmentation, especially for indexes on the OR_Objects and OR_ObjectDescriptions tables. Therefore, if you choose not to upgrade to version 2021.1.1 or newer, we strongly recommend close monitoring and frequent reorganize/rebuild operations for those indexes, notably for environments with large numbers of organizations.
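As an added example (not part of this guide), the following PowerShell script measures fragmentation of the indexes on the OR_Objects and OR_ObjectDescriptions tables and, with -Fix, reorganizes or rebuilds them. It assumes the SqlServer module (Invoke-Sqlcmd) is installed, uses placeholders for the instance and database names, and applies the common SQL Server guidance of reorganizing between 5% and 30% fragmentation and rebuilding above 30%.

```powershell
# Added example, not taken from the Identity Director documentation: report and optionally fix index
# fragmentation on OR_Objects and OR_ObjectDescriptions. Assumptions: the SqlServer module is
# available, the instance and database names below are placeholders, and the thresholds follow the
# usual SQL Server guidance (reorganize at 5-30 %, rebuild above 30 %).
param(
    [string]$ServerInstance = 'PLACEHOLDER-SQL-INSTANCE',
    [string]$Database       = 'PLACEHOLDER-IdentityDirector-DB',
    [switch]$Fix                       # without -Fix the script only reports
)
Import-Module SqlServer

$query = @"
SELECT  SCHEMA_NAME(t.schema_id) AS SchemaName, t.name AS TableName, i.name AS IndexName,
        s.avg_fragmentation_in_percent AS Fragmentation, s.page_count AS Pages
FROM    sys.dm_db_index_physical_stats(DB_ID(), NULL, NULL, NULL, 'LIMITED') AS s
JOIN    sys.indexes AS i ON i.object_id = s.object_id AND i.index_id = s.index_id
JOIN    sys.tables  AS t ON t.object_id = s.object_id
WHERE   t.name IN ('OR_Objects', 'OR_ObjectDescriptions')
        AND i.name IS NOT NULL AND s.page_count > 0
ORDER BY t.name, i.name;
"@

$rows = Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $Database -Query $query
foreach ($r in $rows) {
    $frag   = [double]$r.Fragmentation
    $action = if ($frag -gt 30) { 'REBUILD' } elseif ($frag -ge 5) { 'REORGANIZE' } else { 'none' }
    Write-Host ('{0}.{1}.{2}: {3:N1}% fragmented, {4} pages -> {5}' -f
        $r.SchemaName, $r.TableName, $r.IndexName, $frag, $r.Pages, $action)

    if ($Fix -and $action -ne 'none') {
        # Rebuilding large indexes can take a while, so disable the command timeout.
        $sql = "ALTER INDEX [$($r.IndexName)] ON [$($r.SchemaName)].[$($r.TableName)] $action;"
        Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $Database -Query $sql -QueryTimeout 0
    }
}
```

Run it without -Fix on a schedule to watch fragmentation grow, and with -Fix in a maintenance window.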
Multifactor authentication does not work on the components for which Identity Broker is active. Therefore, make sure you disable Identity Broker authentication in your environment before enabling multifactor authentication.
- Authentication for the Management Portal and for the Web Portal is done through Identity Broker. In this case, there is no component that sends users to the enrollment process for multifactor authentication. When they attempt to log into the Identity Director client, users need to provide a code generated by the authenticator. However, because they did not previously go through the enrollment process, they are unable to obtain the code and log in.
- Use of multifactor authentication is only supported with the Windows User Account as People Identifier.
If you want to use Identity Broker for both the Management Portal and the Web Portal, but use multifactor authentication for the Identity Director client, you need to first allow users to enroll their authentication applications.
To do so, enable only multifactor authentication on a web component on which the enrollment process can be completed (Management Portal or Web Portal).
The Load User Profile option must be set to True for the application pools that host the following web applications: Management Portal, Web Portal, and Mobile Gateway.
- Open the IIS Management Console.
- Navigate to Application Pools > IT Store Management.
- Open the Advanced Settings for IT Store Management.
- In the Process Model section, make sure that Load User Profile is set to True.
- If Load User Profile is set to False, set it to True and click Recycle.
- If you have to change the configuration, make sure to exit the Management Portal first.
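As an added example (not part of this guide), the following PowerShell script performs the same check for all three application pools at once: it reads Load User Profile for each pool, sets it to True where it is False, and recycles only the pools it changed. It assumes the WebAdministration module; IT Store Management is the pool name used in this guide, while the other two names are placeholders.

```powershell
# Added example, not taken from the Identity Director documentation: check that Load User Profile is
# True for the pools hosting the Management Portal, Web Portal and Mobile Gateway, and fix and recycle
# the ones that are not. Assumption: 'IT Store Management' is the pool name used in this guide; the
# other two names are placeholders, look up the real ones under Application Pools in IIS Manager.
Import-Module WebAdministration

$pools = @(
    'IT Store Management',                # Management Portal (named in this guide)
    'PLACEHOLDER-WebPortal-AppPool',      # assumption: replace with the Web Portal pool name
    'PLACEHOLDER-MobileGateway-AppPool'   # assumption: replace with the Mobile Gateway pool name
)

foreach ($name in $pools) {
    $poolPath = "IIS:\AppPools\$name"
    if (-not (Test-Path -Path $poolPath)) {
        Write-Warning "Application pool '$name' not found; skipping."
        continue
    }

    $pool = Get-Item -Path $poolPath
    if ($pool.processModel.loadUserProfile -eq $true) {
        Write-Host "$name : Load User Profile is already True."
        continue
    }

    # Exit the Management Portal before changing this setting, as the guide advises.
    Set-ItemProperty -Path $poolPath -Name processModel.loadUserProfile -Value $true
    Restart-WebAppPool -Name $name     # equivalent of clicking Recycle in IIS Manager
    Write-Host "$name : Load User Profile set to True and pool recycled."
}
```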
When you install Identity Director for the first time, a RES node is created in Internet Information Services (IIS) Manager, under Sites.
The information and settings contained in this node are preserved even if you uninstall Identity Director or any of its components. As a result, if you re-install any components in a location that is different from the initial installation, you have to update the path manually in IIS:
- Open Internet Information Services (IIS) Manager and go to Sites > RES.
- Open the Identity Director node and click Advanced Settings... on the right side of the screen.
- In the Advanced Settings window, go to Physical Path and change it to the new installation location of your components.
- Make the same change on the Mobile node and on the RES node.
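As an added example (not part of this guide), the following PowerShell script repoints the RES site and its Identity Director and Mobile nodes at the new installation folders, skipping any target folder that does not exist on disk so a stale path is not replaced by a broken one. It assumes the WebAdministration module; the node names come from this guide and every new path is a placeholder.

```powershell
# Added example, not taken from the Identity Director documentation: after re-installing components in
# a different folder, repoint the RES site and its Identity Director and Mobile nodes in IIS to the new
# location. Assumption: the node names come from this guide; every path in $newPaths is a placeholder.
Import-Module WebAdministration

$newPaths = [ordered]@{
    'IIS:\Sites\RES'                   = 'C:\PLACEHOLDER\new location\RES'                # RES node
    'IIS:\Sites\RES\Identity Director' = 'C:\PLACEHOLDER\new location\Identity Director'  # Identity Director node
    'IIS:\Sites\RES\Mobile'            = 'C:\PLACEHOLDER\new location\Mobile'             # Mobile node
}

foreach ($node in $newPaths.Keys) {
    $newPath = $newPaths[$node]
    if (-not (Test-Path -Path $node)) {
        Write-Warning "$node does not exist in IIS; skipping."
        continue
    }
    # Refuse to point IIS at a folder that is not there: that only turns a stale path into a broken one.
    if (-not (Test-Path -Path $newPath -PathType Container)) {
        Write-Warning "$newPath is not a folder on this server; skipping $node."
        continue
    }

    $oldPath = (Get-Item -Path $node).physicalPath
    if ($oldPath -eq $newPath) {
        Write-Host "$node already points to $newPath."
        continue
    }
    Set-ItemProperty -Path $node -Name physicalPath -Value $newPath
    Write-Host "$node : physical path changed from '$oldPath' to '$newPath'."
}
```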