
Listing accounts and other objects from target systems

Most of the Bravura Security Fabric connectors support auto discovery. They can connect to target systems and collect an inventory of login IDs. If supported, connectors may collect other information such as account attributes, groups, server or workstation computers on a domain, hardware token lists, and extended target system information. Collecting information (user listing) is usually performed during auto discovery. The process is initiated and controlled by the psupdate program.

List timeout

Connectors should be given a finite amount of time to run during listing, before Bravura Security Fabric stops them. The default setting for the List timeout field is -1 (infinite), because the product can’t tell how long each target can take to list. A correctly configured target system should not use infinite timeouts.

Problem with infinite timeout

Target systems can go down for updates or maintenance or the connection to them may drop unexpectedly while the connector is listing. If the timeout is -1 on a target system that runs into those situations, the psupdate program will never finish and the rogue agent process that holds it up may have to be killed.

Caution

Do not kill psupdate. This can cause problems with automation or lead to data loss in Bravura Security Fabric.

When a target system has an infinite list timeout and hangs up psupdate, only that target system's agent process needs to be killed. A good way to identify long-running agents, either hours or days after the incident, is to open PowerShell and run a piped command similar to the following:

Get-Process | Where {$_.name -eq "<agent>"} | Select name,id,starttime

and then determine the parent process for the listed agent processes.

If the parent process is psupdate, the agent can be killed; if it is agtsvc, the agent is being run for a persistent listing target system and does not have to be killed. If you think there is something wrong with a persistently listed target, use the agtsvccli utility to do a full listing.

Once you have a process ID for a rogue agent using the previous command, you can find its parent process with a command such as:

wmic process get processid,parentprocessid,executablepath | find "<agent_processId>"

Alternatively, use Sysinternals' Process Explorer in tree mode if you have it on the Bravura Security Fabric server.
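The two commands above can be combined into one check. The following PowerShell function is an added example, not code from the product documentation: it finds agent processes older than a threshold, resolves each one's parent, and reports whether the parent is psupdate (the agent may be stopped) or agtsvc (leave it alone). The agent executable name, the age threshold and the use of Win32_Process (which, unlike Get-Process, exposes ParentProcessId) are assumptions.

```powershell
# Added example (not from the Bravura Security Fabric documentation).
# Lists agent processes that have been running longer than a threshold and
# resolves the parent of each one, so a psupdate-owned agent can be told apart
# from an agtsvc-owned (persistent listing) agent before anything is stopped.
function Get-LongRunningAgents {
    param(
        [Parameter(Mandatory)][string]$AgentName,  # connector exe name without .exe (placeholder <agent>)
        [int]$OlderThanHours = 6                   # assumption: tune per target and schedule
    )
    $cutoff = (Get-Date).AddHours(-$OlderThanHours)
    # Win32_Process carries ParentProcessId; Get-CimInstance converts CreationDate to [datetime].
    $procs = Get-CimInstance Win32_Process -Filter "Name = '$AgentName.exe'"
    foreach ($p in $procs) {
        if ($p.CreationDate -gt $cutoff) { continue }   # still within the allowed window
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
        $parentName = if ($parent) { $parent.Name } else { '<exited>' }
        # Verdicts follow the rule in the text: psupdate parent -> may be stopped,
        # agtsvc parent -> persistent listing, do not stop.
        $verdict = switch -Regex ($parentName) {
            '^psupdate\.exe$' { 'parent is psupdate: agent may be stopped' }
            '^agtsvc\.exe$'   { 'parent is agtsvc: persistent listing, leave running' }
            default           { 'parent unknown or already gone: investigate first' }
        }
        [pscustomobject]@{
            Id        = $p.ProcessId
            Name      = $p.Name
            StartTime = $p.CreationDate
            ParentId  = $p.ParentProcessId
            Parent    = $parentName
            Verdict   = $verdict
        }
    }
}

# Usage (on the Bravura Security Fabric server, as an administrator):
Get-LongRunningAgents -AgentName '<agent>' -OlderThanHours 6 | Format-Table -AutoSize
```

The function only reports; stopping a process listed with a psupdate parent remains a separate, deliberate step.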

Best practice for determining list timeout

Here is a best practice for determining a useful timeout that keeps psupdate processing relatively fast even when the connection to a target system drops, while still allowing the connector to finish listing (and automatically restore the list backups) when that happens:

  1. Perform several full lists on each given target system (psupdate -target <targetID> -list) at the time auto discovery is normally scheduled to run, and with the target system running at high load.

  2. Time each list operation in seconds to get the maximum time it takes to list completely and successfully, then add a margin of error as follows:

    For target systems that list in under 30 minutes, you can double the list time to get the timeout; for target systems that take upwards of three hours you could add an extra hour. If you schedule auto discovery several times a day, you need to balance the duration of each auto discovery against the time available for it to run. Note that psupdate runs several connectors at once (controlled by the system variable UPDATE SYSTEM AGENT COUNT, by default 50), so take that into account when determining the timeouts.
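The two steps above, carried out from PowerShell, as an added example that is not part of the product documentation: it runs several full lists of one target with psupdate, keeps the slowest run, and applies the margin rule from the text. It assumes psupdate is on the PATH (or passed as a full path), that the runs are done in the normal auto discovery window under realistic load, and, for the range between 30 minutes and three hours where the text gives no rule, it takes the smaller of the two margins (an assumption that keeps the result continuous at both boundaries).

```powershell
# Added example (not from the Bravura Security Fabric documentation).
# Times several full lists of one target and derives a list timeout from the slowest.
function Measure-ListTimeout {
    param(
        [Parameter(Mandatory)][string]$TargetId,   # placeholder <targetID> in the text
        [int]$Runs = 3,                            # "several" full lists; assumption: 3
        [string]$PsUpdate = 'psupdate'             # assumption: psupdate on PATH
    )
    $seconds = foreach ($i in 1..$Runs) {
        # Full list of a single target, exactly as in step 1 of the text.
        $elapsed = Measure-Command { & $PsUpdate -target $TargetId -list | Out-Null }
        if ($LASTEXITCODE -ne 0) { throw "psupdate exited with code $LASTEXITCODE on run $i" }
        [int][math]::Ceiling($elapsed.TotalSeconds)
    }
    $max = ($seconds | Measure-Object -Maximum).Maximum
    # Margin rule from the text: under 30 minutes double it; three hours or more add one hour.
    # In between the text gives no rule; assumption: use the smaller margin, which equals
    # 2x at the 30-minute boundary and +1h at the three-hour boundary.
    $timeout = if ($max -lt 1800)       { $max * 2 }
               elseif ($max -ge 10800)  { $max + 3600 }
               else                     { [math]::Min($max * 2, $max + 3600) }
    [pscustomobject]@{
        TargetId       = $TargetId
        RunSeconds     = ($seconds -join ',')
        MaxSeconds     = $max
        TimeoutSeconds = $timeout   # value to enter in the target's List timeout field
    }
}

Measure-ListTimeout -TargetId '<targetID>' -Runs 3 | Format-List
```

Repeat per target; the TimeoutSeconds figure is a starting point to be weighed against the discovery schedule and UPDATE SYSTEM AGENT COUNT as described above.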

Extended attributes

The extended target system information can be viewed from the Extended attributes section of the target configuration page after auto discovery. The pop-up page will contain information regarding the host name, operating system version, and various other target system information.

Incremental listing

To reduce the amount of data that is discovered each time, Bravura Security Fabric supports incremental listing of account attributes on some target system types, such as LDAP and Active Directory. For these target systems, once the initial discovery has been run, Bravura Security Fabric only lists attributes for accounts where it detects a change on subsequent runs of auto discovery. The incremental listing setting is enabled by default for target systems that support it.

When listing takes a long time, or if a time zone or daylight-saving change is processed on the target system while listing is happening, some attribute changes on the target system can be missed, so:

  1. If full attribute listing from a target does not take too long, it is recommended to turn off incremental listing for that target;

  2. For target systems that take a long time listing attributes, find a time when auto discovery is not running and run full attribute listing (but only for those target systems).

Persistent listing

Target systems can change (sometimes drastically) between scheduled discoveries. Bravura Security Fabric supports persistent listing for Active Directory DN or LDAP Directory Service target systems. Persistent listing allows Bravura Security Fabric to list changes as soon as they happen on the domain controller to which the Persistent Connector Service (agtsvc) connects. It makes these target systems good candidates for a Source of Record; the Bravura Security Fabric database is updated and any configured automation is triggered as soon as possible after changes are made.

Note

The Persistent Connector Service can be installed as an optional sub-feature of the proxy MSI, allowing persistent listing to run on a proxy server.

When persistent listing is enabled:

  • Regular auto discovery is disabled for the target system. The target system’s Run discovery button is changed to a Start discovery button. Click this button to run the Persistent Connector Service on the target.

  • The first time the Persistent Connector Service runs it will list all objects and will then just list changes.

  • To stop the service, click the Stop discovery button on the Target system information page.

  • If it is stopped, upon restart it will list all changes since it was stopped.

  • The domain controller that it lists from can be changed without losing data.

  • Target systems configured in the address field to use OU lists will work correctly.

  • If you change what objects are listed, where objects are listed from, or which attributes are listed (for example, to change the OUs that users or groups are listed from):

    • Use targetsync to synchronize the instance database state with the state of the target system.

    • Stop discovery on the target system, then use the Persistent Connector Service client program, agtsvccli, to make a new full list with the -full option.

  • You can create a target system with persistent listing enabled; there is no need to do a regular list before enabling persistent listing.

  • For LDAP, persistent listing only works for Active Directory Lightweight Directory Services (AD LDS), formerly Active Directory Application Mode (ADAM).

    Note

    Starting persistent listing from the Start discovery button for the target system or with the agtsvccli client program without the -full option will continue persistent listing from the previous list. If a full list to reload all data must be redone, this can only be accomplished using the -full option with the agtsvccli client program.

The Persistent Connector Service by default will resynchronize accounts and groups when running a full list. This means that accounts or groups that are no longer found during listing (for example, because a filter was modified) are invalidated on a full list.

This option can be disabled using the AGTSVC_RESYNC_ON_FULL registry key:

  1. Go to Start menu, type regedit in the search box, and click on the program to access the Registry Editor.

  2. In HKLM\SOFTWARE\Bravura Security\Bravura Security Fabric\<instance name>, create a DWORD value called AGTSVC_RESYNC_ON_FULL and set its value to 0.

Manual listing

If auto discovery is not supported by your system or if for some reason you will not configure Bravura Security Fabric to collect information, you must manually provide an inventory of login IDs and any other items. This is normally done using a scripted (batch) process on the target system that lists, formats and places the required files in Bravura Security Fabric's psconfig directory.

You can create a SQLite .db file in the following way:

  1. Add a target as close as possible to the type of the target that can't be listed directly, but target a reachable system.

  2. Use the target system's List Override option to automatically copy the list file during auto-discovery.

    See the Connector Pack documentation for an example of creating a list file to support challenge-response authentication for RADIUS.

Exploring an existing list file

List files since version 12.0.0 and Connector Pack 4.0.0 are sqlite3 databases (.db files).

Their schema can vary from version to version.

Their table contents can be checked with any sqlite3 client, using the command line or a visual browser.

The examples linked here are just examples, not endorsements.
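Because the schema varies between versions, the first thing to do with an unfamiliar list file is to read its actual tables rather than assume them. The following PowerShell function is an added example, not part of the product documentation: it opens a list file read-only with the sqlite3 command-line client and reports every table with its CREATE statement and row count. It assumes sqlite3.exe is on the PATH and uses a placeholder path for the list file.

```powershell
# Added example (not from the Bravura Security Fabric documentation).
# Reports the tables of a list file (.db) with their schema and row counts.
# Assumptions: sqlite3 on PATH; -readonly keeps exploration from touching the file.
function Get-ListFileSchema {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Sqlite3 = 'sqlite3'
    )
    if (-not (Test-Path -LiteralPath $Path)) { throw "List file not found: $Path" }
    # sqlite_master holds one row per table/index together with its original SQL.
    $tables = & $Sqlite3 -readonly $Path "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name;"
    foreach ($t in $tables) {
        $literal = $t -replace "'", "''"                  # escape for a SQL string literal
        $ident   = '"' + ($t -replace '"', '""') + '"'    # quote as a SQL identifier
        $sql   = & $Sqlite3 -readonly $Path "SELECT sql FROM sqlite_master WHERE type='table' AND name='$literal';"
        $count = & $Sqlite3 -readonly $Path "SELECT COUNT(*) FROM $ident;"
        [pscustomobject]@{
            Table  = $t
            Rows   = [int]$count
            Create = ($sql -join ' ')   # CREATE statements may span several output lines
        }
    }
}

# Placeholder path: list files live in the instance's psconfig directory.
Get-ListFileSchema -Path 'C:\<instance path>\psconfig\<listfile>.db' | Format-List
```

Run it against a list file from each version you operate before writing any SQL or loaddb transform against it, since the tables and columns it prints are the only reliable reference for that version.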

Modifying listed data before loading

List files can be changed after listing from their targets or before loading into the Bravura Security Fabric database in one of two ways:

  1. Use an existing loaddb component (for example, Functional.hid_loaddb_transform or Custom) that uses a policy table to specify changes to specific listed objects.

  2. If the first method cannot be used, or consumes too many system resources, use a psupdate plugin to run SQL commands directly against the list file via the sqlite3 command line utility. Usually the plugin is psupdate_loaddb_pre; however, psupdate_list_AD_post can also be used.

Both of these methods require knowledge of the component framework or scripting, SQL, the schema of the list files and the way each listed object type is processed. A Professional Services engagement is recommended for these types of scripted integrations.