Managing System Settings
The System Settings section of the Settings page contains system operation and maintenance tools, which are described in the following sections.

System Lockdown indicates whether the Imprivata server is locked down and service is suspended for all users.
- Administrators: Users with Administrator privileges can access the Imprivata Admin Console while the system is locked.
- Users: Users who are not authorized for Offline Authentication can continue to work only until the next refresh interval. The next time the user’s agent contacts the Imprivata server, the user’s session is terminated. Users who are not logged in cannot log into Imprivata Enterprise Access Management (formerly Imprivata OneSign and Imprivata Confirm ID) while the system is locked; they can still log into their computers. Offline authentication is detailed in Configuring Authentication Methods in User Policies. Users who are authorized for Offline Authentication are still subject to the offline data expiration feature explained in Offline Authentication.
When to Lock Down the Imprivata Server
Lock down the Imprivata server to prevent unauthorized access to Imprivata domains and applications in the event of an intrusion or a disaster. Users currently in Offline Authentication will still have access until they reconnect to the Imprivata server.
When NOT to Lock Down the Imprivata Server
You do not need to lock down the server:
- During routine changes
- When synchronizing with an external user directory
- When backing up the Imprivata database

Every five minutes, Imprivata can post heartbeat and system status to the appliance syslog and to a URL for external monitoring by a web-based network management application.
The data posted includes these statistics:
- Number of agent authentications processed during the last hour
- Average time to process the authentication messages
- Number of agent ping messages processed during the last hour
- Average time to process the periodic agent ping messages
- Resource utilization indicators:
  - Free disk space
  - Free memory and total memory in Tomcat
  - Number of concurrent threads in Tomcat
To post system status to a URL, enter a valid URL in the Post Heartbeat Info and System Status To field.
To post system status to the appliance syslog, select the Post Heartbeat Info and System Status to Syslog option. There is more information about the Syslog messages in the Imprivata OneSign Syslog Reference Guide.
For a comprehensive list of information that gets posted to syslog and URL, see this topic's Tag name section and the Imprivata OneSign Syslog Reference Guide.

Tag name | Description
--- | ---
ServerIP | Appliance IP address
ServerName | Appliance hostname
OneSignVersion | Imprivata OneSign version
SerialNumber | Appliance serial number
LastUpdated | Time heartbeat most recently updated (GMT)
SiteStatus | State of this appliance, an indicator of the overall health of replication components on this appliance.
AuthRequest | Number of agent authentications processed during the last hour (on this appliance only)
PingRequest | Number of agent ping messages processed during the last hour (on this appliance only)
AuthAvgResponse | Average time to process authentication messages in milliseconds
PingAvgResponse | Average time to process agent ping messages in milliseconds
OneSignUpTime | Elapsed time since this appliance was started/restarted
TomcatFreeMemory | The amount of free memory in the Java Virtual Machine
TomcatTotalMemory | The total amount of memory in the Java Virtual Machine. This value may vary over time, depending on the host environment.
DiskSpaceFree | Free disk space in GB
DiskSpacePercentFree | Disk free space statistic as a percent
CPU_Usage | Current CPU usage as a percent
Tomcat_Busy_Threads | Number of Tomcat busy threads on port 8080
For a comprehensive list of information that gets posted to syslog, see the Syslog Reference Guide.
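The heartbeat is only useful if something consumes it. The following added example (not Imprivata code) shows a minimal monitoring check over the tags in the table above: it flags a stale LastUpdated (two missed five-minute posts), low disk, slow authentication, low JVM headroom and a non-OK SiteStatus. It assumes the record is delivered as space-separated key=value pairs with an ISO-8601 LastUpdated; the real layout is defined in the Imprivata OneSign Syslog Reference Guide, so adjust parse_heartbeat to match it before use.

```python
import re
from datetime import datetime, timedelta

# Constructed sample records, not captured from a real appliance. The
# key=value layout and the ISO-8601 LastUpdated value are assumptions.
SAMPLE_HEARTBEATS = [
    "ServerName=sso-a SiteStatus=OK LastUpdated=2024-05-01T12:00:00Z "
    "AuthAvgResponse=120 DiskSpacePercentFree=55 CPU_Usage=32 "
    "TomcatFreeMemory=512 TomcatTotalMemory=2048 Tomcat_Busy_Threads=40",
    "ServerName=sso-b SiteStatus=OK LastUpdated=2024-05-01T11:30:00Z "
    "AuthAvgResponse=950 DiskSpacePercentFree=6 CPU_Usage=91 "
    "TomcatFreeMemory=90 TomcatTotalMemory=2048 Tomcat_Busy_Threads=190",
]

# Site-specific thresholds. Heartbeats post every five minutes, so a record
# older than two intervals (10 min) means the appliance has stopped posting.
THRESHOLDS = {"disk_pct_free_min": 10.0, "auth_ms_max": 500.0,
              "jvm_free_ratio_min": 0.10, "stale_after": timedelta(minutes=10)}

# Tags from the table above that carry numbers; everything else stays a string.
NUMERIC = {"AuthRequest", "PingRequest", "AuthAvgResponse", "PingAvgResponse",
           "DiskSpaceFree", "DiskSpacePercentFree", "CPU_Usage",
           "TomcatFreeMemory", "TomcatTotalMemory", "Tomcat_Busy_Threads"}

def parse_heartbeat(line):
    """Split one record into a dict of tag -> value; numeric tags become floats."""
    return {k: float(v) if k in NUMERIC else v
            for k, v in re.findall(r"(\w+)=(\S+)", line)}

def evaluate(fields, now_iso, th=THRESHOLDS):
    """Return alert strings for one record; an empty list means healthy."""
    now = datetime.fromisoformat(now_iso)          # tz-aware, e.g. ...+00:00
    name = fields.get("ServerName", fields.get("ServerIP", "unknown"))
    alerts = []
    if fields.get("SiteStatus", "OK") != "OK":     # replication health
        alerts.append(f"{name}: SiteStatus={fields['SiteStatus']}")
    if "LastUpdated" in fields:                    # missed heartbeats
        seen = datetime.fromisoformat(fields["LastUpdated"].replace("Z", "+00:00"))
        if now - seen > th["stale_after"]:
            alerts.append(f"{name}: heartbeat stale since {fields['LastUpdated']}")
    if fields.get("DiskSpacePercentFree", 100.0) < th["disk_pct_free_min"]:
        alerts.append(f"{name}: disk {fields['DiskSpacePercentFree']:.0f}% free")
    if fields.get("AuthAvgResponse", 0.0) > th["auth_ms_max"]:
        alerts.append(f"{name}: auth latency {fields['AuthAvgResponse']:.0f} ms")
    total, free = fields.get("TomcatTotalMemory"), fields.get("TomcatFreeMemory")
    if total and free is not None and free / total < th["jvm_free_ratio_min"]:
        alerts.append(f"{name}: JVM only {free / total:.0%} free")
    return alerts
```

Run evaluate(parse_heartbeat(record), now) for each record received; the second constructed record trips the stale, disk, latency and JVM checks, the first is clean.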

Imprivata provides two levels of logging, Info and Debug, which are controlled by the System Logging Level in this Site setting on the Settings page.
- Info — Logs the basic record information of the running system.
- Debug — Generates more information for use in troubleshooting. Use Debug logging only with the guidance of an Imprivata Customer Support representative.

The Kerberos network authentication protocol enhances authentication performance for password users from Microsoft Active Directory domains. This setting is controlled by Use Kerberos when Authenticating with Password? on the Settings page.
Even if this is set to Yes, Imprivata cannot take advantage of the Kerberos protocol until there is a Kerberos keytab file on the Imprivata appliance.
See Kerberos Authentication for Microsoft Active Directory Passwords for more information about generating a Kerberos keytab file and uploading it to the Imprivata appliance.
NOTE: This setting only enforces Kerberos for password authentication. Smart card and USB token authentication also require Kerberos, but they are unaffected by this setting.

The Imprivata agent contacts the Imprivata server at the interval set by Refresh Interval when Agents Check Server for Updates in this Site on the Settings page. Each time the Imprivata agent contacts the Imprivata server, the agent uploads audit log information and downloads user policy information and any new or updated application profiles.
If the agent cannot reach the Imprivata server, the agent:
- Attempts to connect to another Imprivata appliance in the same site according to the settings on the Sites page.
- Attempts to connect to another Imprivata appliance in the enterprise according to the settings on the Sites page.
- Switches to Offline Authentication if the user’s user policy authorizes Offline Authentication AND the local computer’s computer policy does not override that authorization.
- Switches to Disabled status.
In Offline Authentication, the agent continues to try to contact any Imprivata server at the refresh interval. When a server responds, the agent re-authenticates and resumes Online Mode. Users transitioning to Online Mode may be prompted to re-authenticate.
Ensuring Continued High Availability
The refresh interval is normally a light burden on the server, but very low values can set the burden unacceptably high if you provide SSO to many thousands of enabled users. Imprivata dynamically responds to the burden by raising the minimum value if necessary to maintain uninterrupted service. If Imprivata increases the minimum value, the new minimum value is automatically shown at the bottom end of the range.
Over time, if the minimum allowed refresh interval increases to become greater than the current refresh interval, then the current refresh interval is increased automatically to match that new minimum value. An email is sent to the Imprivata system administrator to notify them of this change, and to tell them that this change is normal behavior in response to a recent increase in the number of concurrent sessions serviced.
However, conversely, if over time the minimum allowed refresh interval decreases, the current refresh interval is not changed automatically and the Imprivata administrator is not notified by email. In this situation, if desired, the administrator can manually decrease the current refresh interval to match the new minimum value.
The periodic recalculation of the minimum allowed value for the refresh interval is designed to prevent the system from calculating and setting excessively large minimum allowed refresh interval values. Large minimum values can degrade system performance for end users.