
Local service mode behaviors and files

Configuration files

When the Local Workstation Service is installed on the system, it first attempts to register with the Bravura Privilege server. After it has contacted the Bravura Privilege server for the first time, it retrieves configuration settings from the Bravura Privilege server. The service saves the settings in a configuration file, hipamlwsinst.dat, in the hipamlws directory.

For more information about configuration files, see Configuration files.

Resource key

Bravura Privilege uses a key to ensure secure communication between client and server. The key allows the Bravura Privilege server to verify the identity of a local service mode managed system, and to check whether the managed system is allowed to interact with the server. It also allows the Bravura Privilege service to confirm the identity of the Bravura Privilege server. This key is negotiated and set during the installation process of the Local Workstation Service.

Bravura Privilege also uses a key to encrypt sensitive data, such as passwords, passed to the Local Workstation Service. This key is changed periodically. The number of days this key is valid for is controlled by the RESOURCE KEY CHANGE INTERVAL setting.

If this encryption key is mismatched, Bravura Privilege renegotiates a new key with the Local Workstation Service and resends the data using the new key.

Setting the resource key change interval

Set the RESOURCE KEY CHANGE INTERVAL to control the interval, in days, after which workstation keys are changed. The default is 30 days.

You can set options for each managed system policy in the Options tab. Product administrators with all administrative privileges (superuser) can set it globally in the Manage the system > Privileged access > Options menu. Group level settings override global settings. See Privileged access management options for more information.

User attribute updates on local service mode systems

Changes made to user attributes on a local service mode managed system are updated on the next poll of the Local Workstation Service. You can configure this so that some user attributes are updated less frequently than the default poll time of the Local Workstation Service.

A separate time interval, RES ATTRIBUTE UPDATE DELAY, controls the delay after which these user attributes are updated. By default, the delay is 1440 minutes (once a day).

Only the user attributes listed in RES DELAY UPDATE ATTRIBUTES are updated according to this time interval; all other attributes are updated after every poll. By default, the pwda (password age) and llogon user attributes are updated using the RES ATTRIBUTE UPDATE DELAY.
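As an added illustration (not code from Bravura Privilege or the Local Workstation Service), the following Python model applies the poll rule described above: attributes named in RES DELAY UPDATE ATTRIBUTES are pushed only once RES ATTRIBUTE UPDATE DELAY minutes have elapsed since the last delayed push, while every other changed attribute is pushed on each poll. The PollState type, the minute-based clock and the function names are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Defaults as stated on this page.
DEFAULT_ATTRIBUTE_UPDATE_DELAY = 1440                          # RES ATTRIBUTE UPDATE DELAY, in minutes
DEFAULT_DELAY_UPDATE_ATTRIBUTES = frozenset({"pwda", "llogon"})  # RES DELAY UPDATE ATTRIBUTES


@dataclass
class PollState:
    """Per-system bookkeeping kept between polls (hypothetical structure for this example)."""
    delay_minutes: int = DEFAULT_ATTRIBUTE_UPDATE_DELAY
    delayed_attrs: FrozenSet[str] = DEFAULT_DELAY_UPDATE_ATTRIBUTES
    last_delayed_push: Optional[int] = None  # poll time (minutes) of the last delayed push; None = never


def attributes_to_send(changed: Dict[str, str], now_minutes: int, state: PollState) -> Dict[str, str]:
    """Return the subset of changed user attributes that this poll should push to the server.

    Attributes outside RES DELAY UPDATE ATTRIBUTES are always included. Attributes inside it
    are included only when the delay interval has elapsed (or nothing delayed was ever pushed),
    and pushing them restarts the interval.
    """
    due = (state.last_delayed_push is None
           or now_minutes - state.last_delayed_push >= state.delay_minutes)
    to_send = {k: v for k, v in changed.items() if k not in state.delayed_attrs}
    if due:
        to_send.update({k: v for k, v in changed.items() if k in state.delayed_attrs})
        state.last_delayed_push = now_minutes
    return to_send


def simulate_polls(polls: List[Tuple[int, Dict[str, str]]],
                   state: Optional[PollState] = None) -> List[Dict[str, str]]:
    """Run a sequence of (poll time in minutes, changed attributes) and return what each poll pushed."""
    state = state or PollState()
    return [attributes_to_send(changed, t, state) for t, changed in polls]


if __name__ == "__main__":
    # Constructed sample: four polls against one system with the default settings.
    sample = [
        (0, {"pwda": "3", "llogon": "2024-01-01", "fullname": "Alice"}),
        (10, {"pwda": "3", "fullname": "Alice B"}),
        (1440, {"pwda": "4"}),
        (1450, {"llogon": "2024-01-02"}),
    ]
    for (t, _), pushed in zip(sample, simulate_polls(sample)):
        print(f"poll at {t:>5} min -> pushed {pushed}")
```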

Creating administrator accounts on target systems

When adding local service mode systems using import rules, Bravura Privilege can create new credentials on the systems in order to connect.

Connection credentials are not required; Bravura Privilege can also connect without any credentials.

If the administrator account creation fails, Bravura Privilege logs an appropriate error message, and retries at the interval specified by RES ADMIN CREATE RETRY INTERVAL.

By default, this interval is configured for 1440 minutes. Product administrators with all administrative privileges (superuser) can set the RES ADMIN CREATE RETRY INTERVAL system variable in the Manage the system > Privileged access > Options > Managed system policies menu.

This setting allows for minimal intervention when the failure is caused by an issue on the workstation, such as a random password that fails to meet local password policy requirements. In these cases, the issue may be resolved with subsequent attempts.

If an import rule is misconfigured before the first attempt to create an administrator account, for example with an invalid security group, you may need to recreate the import rule, because some settings, such as the security group, can only be set once per import rule.

See Privileged access management options for more information about global managed system policy options.

Resynchronizing a local service mode system

Registered local service mode systems resynchronize themselves by regularly re-sending their system details to the Bravura Privilege instance server. Details sent include:

  • User lists

  • User attributes

  • Group lists

  • Group memberships

  • Computer attributes

Resynchronization is a recovery mechanism for cases where the Bravura Privilege instance server is missing data, or holds data that conflicts with the local service mode system. Resynchronization is often sufficient to correct any discrepancies. If resynchronization does not immediately correct the discrepancies, for example because of database errors, it can reset the data once the underlying issue has been corrected.

Resynchronization is automatically triggered as configured by the RES RESYNC INTERVAL. However, you may occasionally need to resynchronize manually. To do this:

  1. Click Manage the system > Privileged access > Managed systems.

  2. Select the managed system you want to manage.

  3. Click Resynchronize.

    When resynchronization is running – that is, the system is in resync mode – normal operations are paused and import rules are disabled.

Resynchronization and transaction failures

The Bravura Privilege instance server will request a resynchronization when a data transaction from the local service mode system fails. Resynchronization retries will occur as required.

Resynchronization and replication failures

In a replicated environment, only one node communicates directly with local service mode systems. Resynchronization will take place as scheduled automatically or manually, and the resulting state will be replicated to other nodes.