Testing connectors
Testing connections for a target system
You can perform the following tests to help determine whether your target system has been set up and added to Bravura Security Fabric correctly (required client software is installed, target system address and target system administrator credentials are accurate, and so on). This is not supported for IT Service Management (Ticket) systems.
Administrator credentials
For this test, Bravura Security Fabric performs simple password verifications using the selected target system administrators’ credentials. The test uses the connector’s ’get server information’ operation.
To run this test:
Navigate to the target system’s Test connection page (Manage the System > Resources > Target systems > [Manually defined | Automatically discovered] > <Target system>).
If required, clear the checkboxes next to the target system administrator whose credentials you do not want to test.
Click Test credentials.
Bravura Security Fabric displays the results next to each target system administrator.
Warning
Depending on your target system’s security policies, testing an invalid password too many times may trigger an intruder lockout on that system. Do not repeat this operation if you are unsure of the actual password.
User lists
For this test, Bravura Security Fabric performs a list operation to enumerate user accounts on the target system. The results of the list operation are for testing purposes only and, unlike during auto discovery, will not be loaded into the database.
Warning
Listing can be a costly operation on the target system. When you click Test list, the operation is run to completion, which may take a long time on some systems.
To run this test:
Navigate to the target system’s Test connection page (Manage the System > Resources > Target systems > [Manually defined | Automatically discovered] > <Target system>).
If required, type the Timeout (in seconds) for list operation.
You may need to increase the timeout if there are many accounts on the target system.
Click Test list.
Bravura Security Fabric begins the user list operation.
Click Show users to display the contents of the generated user list file (<target ID>.test.db).
Conversely, you can click Hide users to hide the list file contents.
While the list operation is running, you can click the Refresh button in the Bravura Security Fabric navigation bar to update the page status. When the operation completes, the “Number of users found” should match the number of accounts on the target system.
See also
The Test list button executes the testlist program. See below for usage information.
Use the testlist program to test the user list operation for a specified target system.
This program generates a SQLite-based user list file, <target ID>.test.db, in the \<instance>\psconfig\ directory. This program is run by the Manage the system (PSA) module when you click Test list on a target’s Test connection page.
testlist -targetid <target ID> -timeout <seconds>
| Argument | Description |
|---|---|
| -h, --help | Print out help/usage message and exit |
| -v, --version | Print out version and exit |
| -quiet | Only output result of operation |
| -targetid <target ID> | The ID of the target system for which to perform the user list operation |
| -testconnect | Execute serverinfo operation to test target connection |
| -timeout <seconds> | The timeout, in seconds, for the list operation |
To test the list operation for your WINDOM1 target system, run:
testlist.exe -targetid WINDOM1
To execute serverinfo during the list operation, with the list operation timing out after the specified number of seconds, run:
testlist.exe -targetid WINDOM1 -testconnect -timeout 60
Testing all operations
Test all operations required by the Bravura Security Fabric solution from a connector when:
New target systems are created
At least one target system has to be tested for each target system type, when:
A target system configuration changes the way an administrator interacts with that target system within the same target system type; for example scripted target systems like Unix/Linux SSH types.
A target system is run on a different Bravura Security Fabric proxy server.
New or custom connectors are used.
There are changes in target system configuration relevant to the operations required for integration.
idmsuite.log reports warnings or errors from a connector communicating with an existing target system.
Each connector can implement different sets of operations, and those sets of operations can be read at any time from the connector with the instance's loadplatform utility.
All operations triggered during target listing (Connect, serverinfo, listobj) must be supported by the connector that runs the list operations, and all have to succeed, in order for the newly listed target data to be loaded and processed during discovery.
There are two methods of testing operations:
This takes longer, but it is more relevant testing, because the input KVGs to the test connector will be exactly those created by the product.
Triggering operations
To list only accounts, navigate to Manage the System > Resources > Target systems > [Manually defined | Automatically discovered] > <Target system> > Test connection > Test list.
To test complete listing as configured on the target system's page (account attributes, groups, group attributes, group members):
Open a command prompt in the environment of the Bravura Security Fabric service account, for example:
runas /user:psadmin cmd
In that command prompt, navigate to the instance's util\ directory.
Run:
psupdate-list -target <TARGETID>
where <TARGETID> is the ID of the target system being tested.
To test password verify, trigger it from the Front-end (psf) LOGIN screen as part of a passwords.pss authentication chain:
Associate at least one account from that target system with a test profile.
Place the test target system in the Manage the system > Policies > Authentication List.
To test password resets, change passwords via:
Change passwords (pss)
Help users (ida)
Password Manager service (idpm), using transparent synchronization. This triggers verifyreset instead of reset.
To test challenge-response, configure a challenge-response authentication chain module and trigger it with a test user that exists both in the Bravura Security Fabric database and in the two-factor target system (RSA, DUO, RADIUS).
Other operations like account provisioning, adding accounts to groups, moving account context (from one OU to another) need to be triggered as part of the configured workflow.
The methods described above can generate errors from other product modules, services, scripting and other automation, like workflow configuration, so it is not testing only the connector.
Editing input files
The following is a more advanced but more time efficient method of testing connectors:
Collect input KVGroups from all operations needed as they run on a working target system.
Contact support for help with collecting input.
Use a text editor that doesn't change line endings and text encoding (like Notepad++) to edit the input KVGs and change the details required for testing (targetid, address field, attributes, etc).
Ensure that no strings enclosed in double quotes are broken by stray double quotes, or by Enter/EOL/special characters.
Redirect the modified input KVGs into the test connector:
Open a command prompt in the environment of the Bravura Security Fabric service account, for example:
runas /User:Psadmin Cmd
In that command prompt, navigate to the instance's agent\ directory.
Run:
<connector> < <input-connector-operation>.kvg
where:
<connector> is the binary name of the connector being tested; for example "agtaddn-orig"
<input-connector-operation> is a suggested name scheme specific to each input KVG; for example input-agtaddn-create-JohnDoe.kvg
Check:
Error pop-up windows
The output of the connector printed at the console
The idmsuite.log for errors or warnings
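The pre-flight check below is an added example, not part of the original page or of Bravura Security Fabric. It compares an edited input file with the collected one and reports a changed byte-order mark, changed line endings, or a line with an unbalanced double quote. It assumes that a backslash escapes the next character and that a file without a byte-order mark is UTF-8; the sample data is constructed and its key/value layout is illustrative only.

```python
import codecs
import re

NEWLINE = re.compile(r"\r\n|\r|\n")
ESCAPED = re.compile(r"\\.")  # assumption: backslash escapes the next character
BOMS = {codecs.BOM_UTF8: "utf-8-sig",
        codecs.BOM_UTF16_LE: "utf-16", codecs.BOM_UTF16_BE: "utf-16"}

def sniff(data: bytes):
    """Return (BOM bytes, codec); no BOM is treated as UTF-8 (assumption)."""
    for bom, codec in BOMS.items():
        if data.startswith(bom):
            return bom, codec
    return b"", "utf-8"

def check_edited_kvg(original: bytes, edited: bytes) -> list:
    """Compare an edited input file with the collected one; return findings."""
    findings = []
    (o_bom, o_codec), (e_bom, e_codec) = sniff(original), sniff(edited)
    if o_bom != e_bom:
        findings.append("byte-order mark changed")
    try:
        o_text, e_text = original.decode(o_codec), edited.decode(e_codec)
    except UnicodeDecodeError as exc:
        return findings + [f"cannot decode: {exc.reason}"]
    # The editor must not convert CRLF to LF or the reverse.
    if set(NEWLINE.findall(o_text)) != set(NEWLINE.findall(e_text)):
        findings.append("line endings changed")
    # A stray quote, or a string broken by Enter, leaves an odd quote count.
    for number, line in enumerate(NEWLINE.split(e_text), start=1):
        if ESCAPED.sub("", line).count('"') % 2:
            findings.append(f"line {number}: unbalanced double quote")
    return findings

# Constructed sample data; not real connector input.
ORIGINAL = b'"targetid" = "WINDOM1";\r\n"address" = "dc01.example.test";\r\n'
GOOD_EDIT = b'"targetid" = "WINDOM2";\r\n"address" = "dc02.example.test";\r\n'
BAD_EDIT = b'"targetid" = "WINDOM2"";\n"address" = "dc02.example.test";\n'

if __name__ == "__main__":
    for name, data in (("good", GOOD_EDIT), ("bad", BAD_EDIT)):
        print(name, check_edited_kvg(ORIGINAL, data) or "ok")
```

Run it on the raw bytes of both files (opened in binary mode) before redirecting the edited file into the connector.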
Testing auto discovery duration
When adding a target system, a suitable List timeout value is unknown, so the value is set to -1 (infinite). If that default value is not changed, listing issues or issues with the target system could cause auto discovery to never end. To avoid this, replace the initial value with a suitable timeout value after the target is successfully configured and tested.
To calculate the listing duration value:
Time how long it usually takes to list. The idmsuite.log records duration at the end of the agent's execution.
Multiply by 2 and transform to seconds.
Replace the List timeout value of that target with the result.
If the listing duration is too long:
Reconsider what the target is configured to list.
List only the objects required for the integration:
Accounts - only list managed accounts.
Attributes - only if needed, and only the attributes used.
Groups - only if needed. If thousands of groups are listed (for example, from Active Directory), consider listing a reduced number of groups from a specific OU or other container.
Group members:
If all security groups are not needed, do not select "All groups" under the target tab option for "Groups whose membership will be listed".
Only manage groups if their members are used.
If the listing duration is still long after completing the steps, just increase the time enough so it can account for typical differences in listing duration due to network and target system load instead of multiplying by 2.
If the timeout duration is exceeded when listing, the listing operation will be aborted, and the previous listing from auto-discovery for the target will be used.