
Integrating IBM Security Privileged Identity Manager with ObserveIT Enterprise Session Recording

Copyright © 2013 ObserveIT. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for informational purposes only.

www.observeit.com

Contents

1 About This Document
2 Overview
3 Before You Begin
4 Deploying ObserveIT with IBM SPIM
5 Configuring the ObserveIT Web Server for SSO
  5.1 Enabling Windows Authentication for Windows Server 2008/R2 (IIS 7.0 or higher)
  5.2 Enabling Windows Authentication for the “SessionRecordingView” Website
  5.3 Enabling Extended Protection for the “SessionRecordingView” Website
  5.4 Adding Providers for Windows Authentication
  5.5 Configuring Browser Security Settings (IIS 7.0 or higher)
6 Defining the ObserveIT Web Console’s Permitted Users
7 Importing the ObserveIT Reporting Package to IBM SPIM
8 Configuring IBM SPIM Integration with ObserveIT
9 Viewing Privileged User Sessions on the Integrated Portal
  9.1 RDP to a Remote Server using a Shared User Account
  9.2 Running an Integrated Report to Show Privileged Sessions in the IBM SPIM Console
  9.3 Searching for Privileged Sessions by Keyword in the ObserveIT Web Console


1 About This Document

This document provides instructions on how to configure ObserveIT in order to integrate ObserveIT’s Enterprise Session Recording with IBM Security Privileged Identity Manager, for the purpose of monitoring privileged user activity on managed endpoints.

2 Overview

The configuration of ObserveIT in the IBM Security Privileged Identity Manager enables administrators to access specific Web pages in the ObserveIT Web Management Console in order to search for IBM privileged user activity on managed endpoints. By configuring SSO (Single Sign-On) as the authentication method, logged-in administrators can gain access to the ObserveIT Web pages directly without being prompted to log in again to access the ObserveIT system.

3 Before You Begin

Before you begin the configuration process, please review the ObserveIT System Requirements and Supported Platforms.

Note: The most up-to-date release product documentation is available online at: http://www.observeit.com/Support/Documentation.


4 Deploying ObserveIT with IBM SPIM

This section describes the requirements for deploying ObserveIT with IBM SPIM.

The ObserveIT Server must be deployed on a Windows-based server. For detailed information about the ObserveIT Server installation, please refer to the ObserveIT Installation Guide.

After installation of the ObserveIT Server components, you must configure the ObserveIT Web Server for SSO, as described in the next section, Configuring the ObserveIT Web Server for SSO.

ObserveIT Agents must be deployed on all Windows-based or Unix/Linux-based servers that SPIM administrators wish to monitor.

In order to enforce secondary authentication for all shared accounts, you must configure a recording policy in the ObserveIT Web Management Console. This is done in the “Identification Policy” section of the Server Policies page (Configuration > Server Policies), as shown in the following screenshot.


5 Configuring the ObserveIT Web Server for SSO

In order to integrate IBM Security Privileged Identity Manager with the ObserveIT system, the ObserveIT Web Server must be configured for SSO. ObserveIT configures IWA (Integrated Windows Authentication) to enable direct login to the ObserveIT system with the same user that logged on to the computer.

Note: Before installing ObserveIT using the "One Click" installation method, you must define SSO in the “ObserveIT.Installer.exe.config” file, as follows:

1 From the “TypicalInstall” folder under the ObserveIT installation package path (e.g., ObserveIT_Setup_v5.6.8\TypicalInstall), open the “ObserveIT.Installer.exe.config” file.

2 Verify that the following key is set to: <add key="SSO" value="True"/>

During installation of the ObserveIT Web Management Console, ObserveIT configures a new Website named “SessionRecordingView”, which contains the parameters required for integration with ObserveIT. The parameters are received via a URL from IBM, as shown in the following example:

http://localhost:4884/ObserveIT/Integration/SessionRecordingView/Login.aspx?prd=Tivoli-IDM&startTime=YYYYMMDDHHMMSS&endTime=YYYYMMDDHHMMSS&servername=serverName&loginID=domain@login&userID=domain@user
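
The link above carries the account names and the time window in its query string, so anything that builds, logs or reviews such links benefits from a strict format check. The following is an added example, not ObserveIT or IBM code: the function name and the validation patterns are assumptions, the parameter names and the YYYYMMDDHHMMSS shape come from the sample URL, and the two sample links are constructed.

```powershell
# Added example: check the query string of a SessionRecordingView link.
# Parameter names come from the sample URL in this guide; the function name
# and the validation patterns are assumptions. Needs PowerShell 3.0 or later.
function Test-SessionRecordingViewUrl {
    param([Parameter(Mandatory)][string]$Url)

    $required = 'prd', 'startTime', 'endTime', 'servername', 'loginID', 'userID'
    $problems = New-Object System.Collections.Generic.List[string]
    $values   = @{}

    $uri = $null
    if (-not [uri]::TryCreate($Url, [System.UriKind]::Absolute, [ref]$uri)) {
        return [pscustomobject]@{ Valid = $false; Problems = @('not an absolute URL'); Values = $values }
    }

    # Split the query by hand so a repeated parameter is reported, not merged.
    foreach ($pair in $uri.Query.TrimStart('?').Split('&')) {
        if (-not $pair) { continue }
        $name, $raw = $pair -split '=', 2
        if ($null -eq $raw) { $raw = '' }
        if ($values.ContainsKey($name)) { $problems.Add("duplicate parameter: $name"); continue }
        $values[$name] = [uri]::UnescapeDataString($raw)
    }

    foreach ($name in $required) {
        if (-not $values[$name]) { $problems.Add("missing parameter: $name") }
    }

    # startTime/endTime: 14 digits, a real calendar time, start not after end.
    $times = @{}
    foreach ($name in 'startTime', 'endTime') {
        $parsed = [datetime]::MinValue
        $ok = $values[$name] -match '^[0-9]{14}$'
        if ($ok) {
            $ok = [datetime]::TryParseExact($values[$name], 'yyyyMMddHHmmss',
                [cultureinfo]::InvariantCulture, [System.Globalization.DateTimeStyles]::None, [ref]$parsed)
        }
        if ($ok) { $times[$name] = $parsed }
        elseif ($values[$name]) { $problems.Add("$name is not YYYYMMDDHHMMSS: $($values[$name])") }
    }
    if ($times.Count -eq 2 -and $times['startTime'] -gt $times['endTime']) {
        $problems.Add('startTime is later than endTime')
    }

    # loginID/userID are shown as domain@name; servername as a bare host name.
    foreach ($name in 'loginID', 'userID') {
        if ($values[$name] -and $values[$name] -notmatch '^[^@\s]+@[^@\s]+$') {
            $problems.Add("$name is not domain@name: $($values[$name])")
        }
    }
    if ($values['servername'] -and $values['servername'] -notmatch '^[A-Za-z0-9._-]+$') {
        $problems.Add("servername has unexpected characters: $($values['servername'])")
    }

    [pscustomobject]@{ Valid = ($problems.Count -eq 0); Problems = $problems.ToArray(); Values = $values }
}

# Constructed links; host, account and server names are placeholders.
$base = 'http://localhost:4884/ObserveIT/Integration/SessionRecordingView/Login.aspx'
$good = $base + '?prd=Tivoli-IDM&startTime=20130501090000&endTime=20130501100000' +
        '&servername=srv01&loginID=CORP@Administrator&userID=CORP@kristin'
# Day 32, a loginID without a domain, and userID given twice.
$bad  = $base + '?prd=Tivoli-IDM&startTime=20130532090000&endTime=20130501100000' +
        '&servername=srv01&loginID=Administrator&userID=CORP@kristin&userID=CORP@other'

Test-SessionRecordingViewUrl -Url $good | Format-List Valid, Problems
Test-SessionRecordingViewUrl -Url $bad  | Format-List Valid, Problems
```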

The following steps are required to configure the ObserveIT Web Server for SSO authentication:

Enabling Windows Authentication for Windows Server 2008/R2 (IIS 7.0 or higher)

Enabling Windows Authentication for the “SessionRecordingView” Website

Enabling Extended Protection for the “SessionRecordingView” Website

Adding Providers for Windows Authentication

Configuring Browser Security Settings (IIS 7.0 or higher)

Important Notes:

When deploying ObserveIT on Windows Server 2003 with IIS 6.0, no manual configuration is required after installing the ObserveIT Server.

Before deploying ObserveIT on Windows Server 2012 with IIS 8.0, please follow the instructions described in the product documentation here.


5.1 Enabling Windows Authentication for Windows Server 2008/R2 (IIS 7.0 or higher)

The following configuration must be done before installing ObserveIT on IIS 7.0:

1 On the taskbar, click Start, point to Administrative Tools, and select Server Manager.

2 In the Server Manager hierarchy pane, expand Roles, and then select Web Server (IIS).

3 In the Web Server (IIS) pane, scroll to the Role Services section, and select Add Role Services.

4 On the Select Role Services page of the Add Roles Wizard, under Security (Installed) select the Windows Authentication check box.

Note: If you are configuring Windows authentication on Windows Server 2012 (with IIS 8.0), the Select Server roles page will look like this:

5 Click Next. Check your selections, and then click Install.

6 When the Results page appears, click Close.


5.2 Enabling Windows Authentication for the “SessionRecordingView” Website

Note: During the ObserveIT installation, the “SessionRecordingView” Website is created under the ObserveIT Web Console folder: C:\Program Files (x86)\ObserveIT\Web\ObserveIT\Integration.

This procedure describes how to enable Windows Authentication for the Website.

1 Open Internet Information Services (IIS) Manager.

Windows Server 2008 or Windows Server 2008 R2:

1. On the taskbar, click Start.

2. Point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

Windows Vista or Windows 7:

1. On the taskbar, click Start, and then click Control Panel.

2. Double-click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.

2 Under IIS Manager, expand the server name, expand Sites, and then expand ObserveIT Application => ObserveIT => Integration => SessionRecordingView.

3 Scroll to the Security section in the Home pane of the SessionRecordingView Web site, and double-click Authentication.

4 In the Authentication pane, select Windows Authentication, and then click Enable in the Actions pane.

5.3 Enabling Extended Protection for the “SessionRecordingView” Website

After enabling Windows Authentication for the “SessionRecordingView” Website (described above), you should provide extended protection for the Windows authentication, as follows:

1 In the Actions pane, click Advanced Settings.

2 In the Advanced Settings dialog box, select the required option from the Extended Protection drop-down list:

Accept - To enable extended protection while providing down-level support for clients that do not support extended protection.

Required - To enable extended protection without providing down-level support.


3 Click OK to close the Advanced Settings dialog box.

5.4 Adding Providers for Windows Authentication

After installing ObserveIT and enabling Windows Authentication for the “SessionRecordingView” Website, you can also add providers for the Windows authentication.

The following steps describe how to configure the NTLM provider for Windows Authentication:

1 In the Actions pane, click Providers.

2 In the Providers dialog box, make sure that “NTLM” appears in the list of Enabled Providers. If not, add the NTLM provider from the Available Providers section.

3 Click OK to close the Providers dialog box.
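
The settings made in sections 5.2 to 5.4 can be read back with the IIS WebAdministration module instead of re-opening each dialog; the following read-only check is an added example, not part of the ObserveIT documentation. The function names are hypothetical, the default location path is an assumption built from the IIS Manager tree named in section 5.2, and the sample settings object is constructed. In the IIS configuration, the Extended Protection choices Off, Accept and Required are stored as the tokenChecking values None, Allow and Require.

```powershell
# Added example (not ObserveIT code): read-only check of the settings from
# sections 5.2-5.4. Function names are hypothetical. Needs PowerShell 3.0+.
$WinAuth = 'system.webServer/security/authentication/windowsAuthentication'

function Get-AttrValue($Property) {
    # WebAdministration returns some attributes as objects with a Value
    # property and others as plain values; accept both.
    if ($null -ne $Property -and $Property.PSObject.Properties['Value']) { $Property.Value }
    else { $Property }
}

function Get-SessionRecordingViewAuth {
    param(
        # Assumption: IIS site "ObserveIT Application" plus the tree path from section 5.2.
        [string]$Location = 'ObserveIT Application/ObserveIT/Integration/SessionRecordingView'
    )
    Import-Module WebAdministration -ErrorAction Stop   # run elevated on the web server
    $at = @{ PSPath = 'MACHINE/WEBROOT/APPHOST'; Location = $Location }
    $enabled = Get-AttrValue (Get-WebConfigurationProperty @at -Filter $WinAuth -Name enabled)
    $token   = Get-AttrValue (Get-WebConfigurationProperty @at -Filter "$WinAuth/extendedProtection" -Name tokenChecking)
    $names   = @((Get-WebConfiguration @at -Filter "$WinAuth/providers").Collection |
                 ForEach-Object { $_.value })
    [pscustomobject]@{
        Location      = $Location
        Enabled       = [bool]$enabled
        TokenChecking = [string]$token
        Providers     = $names
    }
}

function Test-SessionRecordingViewAuth {
    param([Parameter(Mandatory)]$Settings)
    $findings = @()
    if (-not $Settings.Enabled) {
        $findings += 'FAIL: Windows Authentication is disabled (section 5.2 enables it).'
    }
    switch ($Settings.TokenChecking) {
        'Require' { }
        'Allow'   { $findings += 'INFO: Extended Protection is Accept; clients without support are still served.' }
        default   { $findings += "FAIL: Extended Protection is '$($Settings.TokenChecking)'; section 5.3 selects Accept or Required." }
    }
    if ($Settings.Providers -notcontains 'NTLM') {
        $findings += 'FAIL: NTLM is not in Enabled Providers (section 5.4).'
    }
    $findings
}

# Constructed sample: Windows Authentication enabled, Extended Protection
# left at Off (tokenChecking = None), providers Negotiate and NTLM.
$sample = [pscustomobject]@{
    Location      = 'constructed sample'
    Enabled       = $true
    TokenChecking = 'None'
    Providers     = @('Negotiate', 'NTLM')
}
Test-SessionRecordingViewAuth -Settings $sample

# On the ObserveIT web server itself:
# Test-SessionRecordingViewAuth -Settings (Get-SessionRecordingViewAuth)
```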

5.5 Configuring Browser Security Settings (IIS 7.0 or higher)

The following procedures describe how to:

Configure the “SessionRecordingView” Website in your browser.

Enable automatic logon with the current username and password.

Note: Configuring browser settings is done after installing ObserveIT.


To configure the “SessionRecordingView” Website in Internet Explorer 8 or 9:

1. From the Tools menu, select Internet Options.

2. In the Security tab of the Internet Options dialog box, select the Local intranet zone, and click Sites.

3. In the Local intranet dialog box, click Advanced.


4. Add your trusted “SessionRecordingView” Website to the local intranet zone.

5. Click Close.

Notes about configuring the Website on other browsers:

o On Chrome browsers, trusted Website settings are automatically inherited from Internet Explorer.

o To configure a trusted Website in Firefox:

1 In the Firefox address bar, enter “about:config”.

2 Enter “network.automatic-ntlm-auth.trusted-uris” in the Search field, then double-click it.

3 In the dialog box that opens, enter your Website (https://name of computer), then click OK.

To enable the user to log on to ObserveIT’s Web Management Console automatically with the current username and password, do the following:

1 After adding your trusted Website in your browser (Internet Explorer 8 or 9), in the Local intranet dialog box, click the Custom level … button.


2 In the Security Settings dialog box, select User Authentication => Logon => Automatic logon with current user name and password.

3 Click OK.

4 Save your browser security settings by clicking Apply and then OK in the Internet Options dialog box.

Note the following:

1 You must make sure that the server and client PC are Windows 7 and are in the same domain.

2 Since your client PC is part of a domain, you must have a GPO (Group Policy Object) for these settings; otherwise, the settings will revert the next time that the user logs on to Windows.

The same user that logged on to the computer can now access the ObserveIT system directly without receiving any username and password prompts!


6 Defining the ObserveIT Web Console’s Permitted Users

In order for administrators to access the ObserveIT Web Management Console for viewing user activity, they must be defined in the ObserveIT Web Console’s list of permitted users. When deploying ObserveIT with IBM Security Privileged Identity Manager, ObserveIT’s Identification policy requires that users provide their Active Directory ID when logging in with a shared account such as “Administrator”. The following procedure describes how to configure new console users with an Active Directory ID.

To create a new Active Directory user

1 Run the ObserveIT “One-Click” installation setup.

2 In the ObserveIT Web Management Console, open the “Configuration” => “Console Users” tab.

3 Create a new Active Directory user.

4 Log off from the current session (which was used to perform the installation).

5 Log on with the new Active Directory user.


7 Importing the ObserveIT Reporting Package to IBM SPIM

1 Download the “PIM Session Replay Report.zip” from here.

2 Copy the reporting package to the IBM PIM Server at the following location: “C:\IBM\tivoli\tipv2Components\TCRComponent\cognos\deployment”.

3 Log in to the Integrated Portal: https://<SPIM hostname/IP>:16311/ibm/console/secure/securelogon.do.

4 Under “Reporting > Common Reporting”, select the “Public folders” tab, and then select the check box alongside “PIM Session Replay Reporting Model”.

5 Click the Delete icon at the upper right corner. Click OK in the pop-up menu.

6 Select Launch > Administration.


7 In the Administration window, click the Configuration tab.

8 Delete the PIM Session Replay Report by selecting the check box and clicking the icon in the upper menu options.

9 Click the New Import icon in the upper menu.

10 In the New Import wizard, select PIM Session Replay Report. Click Next.


11 Click Next again.

12 Select the check box next to PIM Session Replay Report, and click Next.

13 Click Next twice. In the “Review the summary” page of the New Import wizard, check the settings. If the settings are correct, click Next.

14 In the next page, make sure that the “Save and run once” option is selected, and then click Finish.

15 In the “Run with options” page, select when you want to run the report, and click Run.

16 On the next page, check your configured settings, and then click OK.

The new ObserveIT reporting package is imported into the IBM PIM model.


17 By clicking the Home page icon, you can also see that the IBM PIM model was updated.


8 Configuring IBM SPIM Integration with ObserveIT

1 In the Integrated Portal, under “Reporting > Common Reporting”, select the “Public folders” tab, and then select “PIM Session Replay Reporting Model”.

2 Open the report “Application Usage with session replay Report”.

3 Navigate to Query Explorer.


4 Edit the query name "Main query" by configuring the parameters shown below.


9 Viewing Privileged User Sessions on the Integrated Portal

This section describes how to:

RDP to a remote server using a shared user account

Run an integration report to show privileged user sessions

View session summaries and video recordings

Search for specific user sessions and replay them

9.1 RDP to a Remote Server using a Shared User Account

1 A privileged user opens an RDP session (Windows or Unix) to the required server and logs in via the IBM Security Privileged Identity Manager using a shared account.

2 After entering a shared access ID, if ObserveIT’s Identification Services are enabled, users will be requested to identify themselves by a secondary ObserveIT logon prompt.

Note: Secondary authentication is currently supported only on Windows. Future versions will also provide support for Unix secondary authentication.


After successful login, a user session automatically begins and all user actions will be recorded. After sessions are recorded, you can review session activity summaries and session videos directly from within the IBM Security Privileged Identity Manager Admin Console. You can find recorded Windows or Unix sessions by running Reports or by using the Search option.

9.2 Running an Integrated Report to Show Privileged Sessions in the IBM SPIM Console

1 In the Integrated Portal, under “Reporting > Common Reporting”, select the “Public folders” tab, and then select “PIM Session Replay Reporting Model”.

2 Open the report “Application Usage with Session Replay Report” by clicking the link.

The Application Usage Report enables you to review session activity summaries and session videos directly from within the IBM Security Privileged Identity Manager.

3 You can filter user sessions to review them by date/time, user, or endpoint. The following screenshots provide an example of the Application Usage Report filtered according to user name “kristin”.


4 After specifying the filter parameters and clicking on “Finish”, the list of sessions will be displayed.

5 To view a summary of all sessions that were captured by ObserveIT, click the “Video” icon next to the session that you are interested in.


6 To view a summary of all user activities in the recorded session, click the “+” sign to the left of the session details.

7 To view a video recording of the session, click the “Video” icon alongside the session.

The Session Player opens. It plays the recorded session starting from the first slide throughout the entire recording until it reaches the last slide. You can also click on a window title in the user activities list in order to play the recorded session directly from that point onwards.


9.3 Searching for Privileged Sessions by Keyword in the ObserveIT Web Console

In the ObserveIT Web Console, you can perform “Google-like” searches for sessions and user activities, based on keywords in the metadata information that is stored in the database.

You can expand the user session in which you are interested by clicking the [+] sign to the left of the user session. You can read through the textual transcript and find the user action that is of interest.

By clicking the Video icon next to the user session, the ObserveIT Session Player will begin replaying the entire recorded session from beginning to end. The replay can be paused, resumed, fast forwarded or rewound, and zoomed in or out.