Step 2 - Setup the ALM Engine Service

The ALM Engine is a Windows Service that runs on your organization’s hardware. It manages interactions between the ALM cloud service and your Active Directory installation. It also supports the ALM integration partnered with your organization’s Secret Server instance.

ALM Engine Service Requirements

The ALM Engine Windows service must:

  • Be able to reach your domain controller over LDAPS.

  • Run on a domain controller or a domain-joined machine, with both Windows Server 2012 or later, and Microsoft .NET 4.7.1 or later installed.

  • Run as a non-domain joined computer, automatically using Network Service as the service account, OR as an AD account with AD permissions to:

    • Create, delete, and manage User accounts.
    • Reset User passwords and force next-login password changes.
    • Read all User information.
    • Modify the membership of a Group.

Required Ports

The ALM Engine will communicate to *.accountlifecyclecloud.com over port 443

The ALM Engine will communicate through port 5671 to the URLs noted below for each region.

Region URL Port
US East thycotic-enza-prod-eastus-sb01.servicebus.windows.net 5671
AU Cen thycotic-enza-prod-auscen-sb01.servicebus.windows.net 5671
CAN Cen thycotic-enza-prod-cac-sb01.servicebus.windows.net 5671
EU West thycotic-enza-prod-westeuro-sb01.servicebus.windows.net 5671

ALM Engine Installation

To install a new ALM Engine do the following:

  1. Select Integrations in the left navigation panel.

  2. In the Engines tab, select Download Installer to obtain the installer files:

    "Install Engine"

  3. Copy the installer to the computer that will host the ALM Engine, unzip the file and run: install.cmd.

  4. Follow the prompts until the installation finishes.

The activation token for the ALM Engine will last 8 hours. If the engine needs to be reinstalled, a new token will need to be obtained.

ALM Engine Login Account Configuration in AD

Change the login account for the Delinea ALM Engine to an AD account with the following AD permissions:

AD Object Permissions for ALM Engine
Organizational Unit list contents
read all properties
create User objects
delete User objects
User list contents
read all properties
change password
reset password
write all properties
Groups list contents
read all properties
write member

To Change the Login Account:

  1. Run services.msc to open the Services Control Manager.
  2. Find Thycotic ALM Engine, right-click, and select Properties.
  3. In the Properties panel, select Log On.
  4. Select This account:
  5. Supply the AD account name for the ALM Engine service, along with the account credentials, and select OK.
  6. Restart the ALM Engine service by right-clicking Thycotic ALM Engine and selecting Restart.
  7. Back in ALM, the new ALM Engine will appear in the Unassigned ALM Engines section.
  8. Select the ALM Engine, assign it to a pool, and choose Activate.

Additional ALM Engine Login Account Information

The ALM Engine’s AD Service Account requires several machine-specific permissions. The installer sets these permissions, you will not need to perform these steps as part of your initial ALM setup:

  • Local Security or Domain Policy: “Log on as a service”.
  • Registry: Full Control on Computer\HKLM\SOFTWARE\Thycotic Software Ltd
  • File System: C:\ProgramData\Thycotic Software Ltd

If the service account changes, you may need to reapply these permissions.

ALM Engine Logs

Administrators can view ALM Engine error messages and sync information in the ALM Engine Log, available in ALM under Audit > ALM Engine Logs. This is an abbreviated log, the ALM Engine does not send all log messages back to ALM.

View Full Versions of ALM Engine Logs

Use these steps to view the full version of logs on the machine hosting the ALM Engine service:

  1. Log into the machine where the ALM Engine is located.
  2. From root, navigate to: ProgramData > Thycotic Software Ltd > ALMEngine > packages > Thycotic Provision
  3. Locate the appsettings.json file.
  4. Open appsettings.json with Notepad or another suitable text editor.
  5. Under the Serilog section, you will see MinimumLevel, and below that, Default : Information
  6. Change that to Default : Verbose
  7. Save the file.
  8. Open Services.
  9. Restart the ALM Engine service.

You can find the log files in the following locations:

  • C:\ProgramData\Thycotic Software Ltd\RemoteWorker\logs

  • C:\ProgramData\Thycotic Software Ltd\RemoteWorker\packages\Thycotic Provisioning\logs

If you're an administrator, you can view an abbreviated set of logs through the UI under Audit > Remote Worker Logs.

LDAPS

ALM requires LDAPS for AD integration, with reliance on port 636. The port number is not configurable.

ALM Engine Troubleshooting

If the ALM Engine does not run properly, review its operation logs for clues. If you cannot resolve the problem, contact Delinea for support.

See Also

See Also the ALM Engine Calibration Tool section of the ALM Administration article.