System settings — Audit, event log

Pointsharp ID Admin GUI > TOOLS > System Settings

These are the system-wide settings for the Pointsharp ID service.

When changing any of the system settings, a full restart is required. That is for both the Pointsharp ID service, web services, and the Pointsharp ID Admin GUI.

Parameter Description

Parameter	Description
Enable Debug Logging	Enables the enhanced logging, which is a powerful and helpful tool to debug the system whenever an unexpected behaviour shows. The log files are found in the `/logs` folder in the installation. Pointsharp ID service logs to psid.log, and the Pointsharp ID administration client logs to admin.log.
Use Paged Search	Check the Use Paged Search checkbox to enable Pointsharp ID to perform LDAP searches using so-called LDAP paging. Please consult the documentation of the LDAP directory that is in use since some vendors do not support this feature. For Microsoft ActiveDirectory, it is recommended to enable this, due to a default parameter of maximum search results set to 1000.
Page Size	This is the number of entries that the client is ready to handle in each page. Only used in conjunction with the Use Paged Search checkbox. This value is recommended to be set to 1000.
Use No Referral Search	Check the Use No Referral Search checkbox to enable Pointsharp ID to perform LDAP searches without referrals. Please consult the documentation of the LDAP directory that is in use since some vendors do not support this feature. For Microsoft ActiveDirectory, it is recommended to enable this.
Certificate Folder	Set a folder name where all server certificates per User Storage is stored. This is valid for all User Storages configured to use LDAP over SSL. The folder is created relative to the `/bin` folder in the Pointsharp ID installation. The certificates are stored once per User Storage and this feature can be useful when the CA must be added to the Trusted Root Certificate Authorities certificate store in order to browse the LDAP over SSL directory. Default this is empty, which is equivalent to disabling this feature.
Verify Server Certificates	Check this to enable server certificate verification; all SSL connections to Pointsharp Storage, Pointsharp Password Storage, and User Storages, will require a valid server certificate. Default this is disabled, all server certificates are valid.

Enable Debug Logging

Enables the enhanced logging, which is a powerful and helpful tool to debug the system whenever an unexpected behaviour shows.

The log files are found in the /logs folder in the installation. Pointsharp ID service logs to psid.log, and the Pointsharp ID administration client logs to admin.log.

Use Paged Search

Check the Use Paged Search checkbox to enable Pointsharp ID to perform LDAP searches using so-called LDAP paging. Please consult the documentation of the LDAP directory that is in use since some vendors do not support this feature.

For Microsoft ActiveDirectory, it is recommended to enable this, due to a default parameter of maximum search results set to 1000.

Page Size

This is the number of entries that the client is ready to handle in each page. Only used in conjunction with the Use Paged Search checkbox.

This value is recommended to be set to 1000.

Use No Referral Search

Check the Use No Referral Search checkbox to enable Pointsharp ID to perform LDAP searches without referrals. Please consult the documentation of the LDAP directory that is in use since some vendors do not support this feature.

For Microsoft ActiveDirectory, it is recommended to enable this.

Certificate Folder

Set a folder name where all server certificates per User Storage is stored. This is valid for all User Storages configured to use LDAP over SSL. The folder is created relative to the /bin folder in the Pointsharp ID installation. The certificates are stored once per User Storage and this feature can be useful when the CA must be added to the Trusted Root Certificate Authorities certificate store in order to browse the LDAP over SSL directory.

Default this is empty, which is equivalent to disabling this feature.

Verify Server Certificates

Check this to enable server certificate verification; all SSL connections to Pointsharp Storage, Pointsharp Password Storage, and User Storages, will require a valid server certificate.

Default this is disabled, all server certificates are valid.

Audit

These are the system-wide settings for the Audit service in the Pointsharp ID.

Parameter Description

Event Log

Check this to enable the event logging to the PointsharpID_AuditLog event log file.

Default this is enabled. It is strongly recommended to have this enabled for full traceability if, or when, SQL logging fails.

SQL Log

Check this to enable SQL logging.

Default this is false.

SQL Connection String

Set a SQL server connection string for Pointsharp ID to use when connecting to the SQL server. If a password must be entered, use the {password} syntax, and set a password by pressing Set.

For more information about connections string, see for example: http://msdn.microsoft.com/en-us/library/cc716756.aspx.

Default: data source=.\\Express;initial catalog=psid;integrated security=true

SQL Connection Password

Press Set in order to set a password value to be added inside the SQL Connection String above. This value will be replacing any {password} string inside the connection string.

SQL Connection String (readonly)

Set an SQL server connection string for Pointsharp ID to use when connecting to the SQL server using a readonly account. If a password must be entered, use the {password} syntax, and set a password by pressing Set.

For more information about connections string, see for example: http://msdn.microsoft.com/en-us/library/cc716756.aspx.

Default: data source=.\\Express;initial catalog=psid;integrated security=true

SQL Connection Password (readonly)

Press Set in order to set a password value to be added inside the SQL Connection String (readonly) above. This value will be replacing any {password} string inside the connection string.

SQL Authentication Command

Enter a SQL command to use when SQL logging authentication requests and replies. Default: INSERT INTO psid.dbo.authn (Host,AuthenticationDate,AuthenticationMethod,Code,Username,UserStorage,Client,SessionId,AuditMessage) VALUES (@host,@authenticationdate,@authenticationmethod,@code,@username,@userstorage,@client,@sessionid,@auditmessage)

SQL Authorization Command

Enter an SQL command for the authorization service (Web Service for Access Gateway) to use when SQL logging.

Default: INSERT INTO psid.dbo.authz (Host,AuthorizationDate,Code,Username,UserStorage,UserAgent,DeviceId,DeviceType,RuleName,RulePolicy,Client,AuditMessage) VALUES (@host,@authorizationdate,@code,@username,@userstorage,@useragent,@deviceid,@devicetype,@rulename,@rulepolicy,@client,@auditmessage)

SQL SA Account Password

The password created for the SA (system administrator) account. This value only appears when the SA account was created using Pointsharp services, and the password was not communicated during the installation phase.

To view or copy the password in order to change it on the SQL server, press the eye-button to the right of the password field.

This password is not used by any Pointsharp service and is only provided here to enable SQL service administration for the installations using the build-in SQL database setup. To remove the password from this configuration, either make it obsolete by changing the password on the SQL server, or remove it manually from the configuration file. The XML-tag is SaAccountPassword under Accounting.

Test

Press Test for a "real" SQL logging test for both authentication and authorization.

Test (readonly)

Press Test (readonly) to verify that the SQL settings are correct for the readonly configuration. This test will first try to add a row into the authentication and authorization tables and is expected to fail, and then confirm that the account have read rights by selecting the top row in each table.

Setup

SQL logging requires two tables in the SQL database. An example on how to create these two tables is listed here.

Table for Authentication service

To create the table for the authentication service to use, execute the following query in a database called psid:

USE [psid]
GO
CREATE TABLE [authn]
(
Id int IDENTITY,
Host VARCHAR(256),
AuthenticationDate DATETIME,
AuthenticationMethod VARCHAR(256),
Code INT,
Username VARCHAR(256),
UserStorage VARCHAR(256),
Client VARCHAR(256),
SessionId VARCHAR(256),
AuditMessage VARCHAR(MAX),
Ip VARCHAR(256)
)
GO
CREATE CLUSTERED INDEX DateClusteredIndex ON [authn] (AuthenticationDate)
GO
ALTER TABLE [authn] ADD CONSTRAINT pk_authn PRIMARY KEY(Id)
GO

Table for Authorization service

Create the table for the authorization service to use, execute the following query in a database called psid:

USE [psid]
GO
CREATE TABLE [authz]
(
Id int IDENTITY,
Host VARCHAR(256),
Client VARCHAR(256),
AuthorizationDate DATETIME,
Code INT,
Username VARCHAR(256),
UserStorage VARCHAR(256),
UserAgent VARCHAR(256),
DeviceId VARCHAR(256),
DeviceType VARCHAR(256),
RuleName VARCHAR(256),
RulePolicy VARCHAR(256),
AuditMessage VARCHAR(MAX),
Ip VARCHAR(256)
)
GO
CREATE CLUSTERED INDEX DateClusteredIndex ON [authz] (AuthorizationDate)
GO
ALTER TABLE [authz] ADD CONSTRAINT pk_authz PRIMARY KEY(Id)
GO

Run for authn

Remove primary key

USE [psid]
GO
DECLARE @table NVARCHAR(512), @sql NVARCHAR(MAX);
SELECT @table = N'dbo.authn';
SELECT @sql = 'ALTER TABLE ' + @table
+ ' DROP CONSTRAINT ' + name + ';'
FROM sys.key_constraints
WHERE [type] = 'PK'
AND [parent_object_id] = OBJECT_ID(@table);
EXEC sp_executeSQL @sql;
GO

Add clustered index

USE [psid]
GO
CREATE CLUSTERED INDEX DateClusteredIndex ON [authn] (AuthenticationDate)
GO

Add column Id as primary key

USE [psid]
GO
ALTER TABLE [authn] ADD CONSTRAINT pk_authn PRIMARY KEY(Id)
GO

Done

Run for authz

Remove primary key

USE [psid]
GO
DECLARE @table NVARCHAR(512), @sql NVARCHAR(MAX);
SELECT @table = N'dbo.authz';
SELECT @sql = 'ALTER TABLE ' + @table
+ ' DROP CONSTRAINT ' + name + ';'
FROM sys.key_constraints
WHERE [type] = 'PK'
AND [parent_object_id] = OBJECT_ID(@table);
EXEC sp_executeSQL @sql;
GO

Add clustered index

USE [psid]
GO
CREATE CLUSTERED INDEX DateClusteredIndex ON [authz] (AuthorizationDate)
GO

Add column Id as primary key

USE [psid]
GO
ALTER TABLE [authz] ADD CONSTRAINT pk_authz PRIMARY KEY(Id)
GO

Done