The Configuration Logging feature allows you to keep track of administrative changes made to your server farm environment. By generating the reports that this feature makes available, you can determine what changes were made to your server farm, when they were made, and which administrators made them. This is especially useful when multiple administrators are modifying the configuration of your server farm. It also facilitates the identification and, if necessary, reversion of administrative changes that may be causing problems for the server farm.
The Configuration Logging feature, after it is properly enabled, runs in the background as administrative changes trigger entries in the Configuration Logging database. The only activities that are initiated by the user are generating reports, clearing the Configuration Logging database, and displaying the Configuration Logging properties.
To generate a configuration logging report, use the PowerShell command Get-CtxConfigurationLogReport. For more information, see help for Get-CtxConfigurationLogReport or Windows PowerShell with Common Commands.
The Configuration Logging feature supports Microsoft SQL Server and Oracle databases; for information about supported versions, see CTX114501.
The Configuration Logging database must be set up before Configuration Logging can be enabled. Only one Configuration Logging database is supported per server farm, regardless of how many domains are in the farm. When the Configuration Logging database is set up, you must also ensure that XenApp has the database permissions it needs to create the tables and stored procedures (whose names are prefixed with "CtxLog_AdminTask_") required for Configuration Logging. Do this by creating a database user who has "ddl_admin" or "db_owner" permissions for SQL Server, or a user who has the "connect" and "resource" roles and the "unlimited tablespace" system privilege for Oracle. This database user gives XenApp full access to the Configuration Logging data.
The Configuration Logging feature does not allow you to use a blank password to connect to the Configuration Logging database.
Each server in the server farm must have access to the Configuration Logging database.
Only one server farm is supported per Configuration Logging database. To store Configuration Logging information for a second farm, create a second Configuration Logging database.
When using Windows Integrated Authentication, only fully qualified domain logons are valid. Local user account credentials will fail to authenticate on the database server that hosts the Configuration Logging database.
Ensure that all Citrix administrators accessing the same farm are configured to use the same default schema. The database user who will create the Configuration Logging tables and stored procedures must be the owner of the default schema. If you are using dbo as the default schema, the database user must have db_owner permissions. If you are using ddl_admin as the default schema, the database user must have ddl_admin permissions.
See the SQL Server documentation for information about managing and using schemas.
Only one farm is supported per schema. To store Configuration Logging information for a second farm in the same database instance, use a different schema. Tables and stored procedures are created in the schema associated with the user who initially configured the Configuration Logging feature. For information about managing and using a different schema, see the Oracle documentation.
Before running the Delivery Services Console, update the Oracle tnsnames.ora client file to include the connectivity information needed to access the available databases.
The first time the Configuration Logging feature is enabled, it connects to the Configuration Logging database and discovers that the database schema does not exist. XenApp then creates the database schema, tables, and stored procedures. To create a database schema, XenApp needs full access to the database. After the database schema is created, full access is no longer necessary and you have the option of creating additional users with fewer permissions.
|Configuration Logging task||Database permissions needed|
To create log entries in the database tables
To clear the log
To create a report
The Configuration Logging components must have access to the GetFarmData stored procedure to find out if a Configuration Logging database is associated with a farm. If you do not have permission to execute an existing GetFarmData stored procedure, this farm is invisible to the Configuration Logging components.
Before you configure the Configuration Logging database connection, grant EXECUTE permission on the sp_databases system stored procedure so that the databases on the database server can be listed.
The authentication mode must be the same for the database user who creates log entries in the database tables and the database user who clears the log.
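An added example, not taken from the Citrix documentation: T-SQL for the SQL Server case described above that creates the initial full-access database user and, once XenApp has created the schema, audits which principals still hold full access or explicit permissions on the "CtxLog_AdminTask_" objects. The database name CtxConfigLog and the login ctxlog_setup are assumed names, and the password is a placeholder.

```sql
-- Added example (T-SQL). Assumed names: database CtxConfigLog, login ctxlog_setup.

-- 1. Account XenApp uses for its first connection, when it creates the
--    CtxLog_AdminTask_ tables and stored procedures (full access needed).
--    A blank password is not accepted by Configuration Logging.
CREATE LOGIN ctxlog_setup
    WITH PASSWORD = N'<placeholder: strong password>', CHECK_POLICY = ON;
GO
USE CtxConfigLog;
GO
CREATE USER ctxlog_setup FOR LOGIN ctxlog_setup WITH DEFAULT_SCHEMA = dbo;
-- The user must own the default schema; with dbo that means db_owner.
EXEC sp_addrolemember N'db_owner', N'ctxlog_setup';
GO

-- 2. After the schema exists, full access is no longer required.
--    List every principal that still holds it. SQL Server's name for the
--    fixed DDL role is db_ddladmin.
SELECT m.name AS member_name,
       m.type_desc AS member_type,
       r.name AS role_name
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = drm.member_principal_id
WHERE r.name IN (N'db_owner', N'db_ddladmin')
ORDER BY r.name, m.name;

-- 3. Explicit grants and denies on the Configuration Logging objects.
--    [_] matches a literal underscore; class 1 = object or column.
SELECT p.name AS grantee,
       o.name AS object_name,
       o.type_desc AS object_type,
       dp.permission_name,
       dp.state_desc
FROM sys.database_permissions AS dp
JOIN sys.objects AS o
  ON o.object_id = dp.major_id AND dp.class = 1
JOIN sys.database_principals AS p
  ON p.principal_id = dp.grantee_principal_id
WHERE o.name LIKE N'CtxLog[_]AdminTask[_]%'
ORDER BY p.name, o.name;
```

Run steps 2 and 3 periodically: any principal in the step 2 result can alter or drop the log tables, so that list should contain only the accounts you intend to have that ability.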
After the Configuration Logging database is set up by your database administrator and the appropriate database credentials are provided to XenApp, use the Configuration Logging Database wizard to configure the connection to the database.
After you configure the connection to the Configuration Logging database, you cannot set the database back to None. To stop logging, clear the "Log administrative tasks to Configuration Logging database" check box in the Configuration Logging dialog box.
Full Citrix administrators can edit the Configuration Logging settings and clear the log, or they can authorize other administrators to perform these tasks by assigning them the delegated administration Edit Configuration Logging Settings permission. Without this permission, ordinary administrators cannot perform these functions.
It may become necessary to clear the entries in the Configuration Logging database if the population of the tables becomes too large.
To manage which database users can clear the configuration log, Citrix recommends that you enable the "Require administrators to enter database credentials before clearing the log" check box in the Configuration Logging properties. Anyone attempting to clear the log is then prompted for database credentials.
Use one of the following methods to clear log entries from the Configuration Logging database:
Independent Management Architecture (IMA) is the underlying architecture used in XenApp for configuring, monitoring, and operating all XenApp functions. The IMA data store stores all XenApp configurations.
IMA encryption protects administrative data used by Configuration Logging. This information is stored in the IMA data store. For IT environments with heightened security requirements, using IMA encryption provides a higher degree of security for Configuration Logging. Examples include environments that require strict separation of duties or where the Citrix Administrator should not have direct access to the Configuration Logging database.
| CTXKEYTOOL | Also known as the IMA encryption utility, CTXKEYTOOL is a command-line utility you use to manage IMA encryption and generate key files. CTXKEYTOOL is in the Support folder of the XenApp media. |
| Key file | The key file contains the encryption key used to encrypt sensitive IMA data. You create the key file using CTXKEYTOOL. To preserve the integrity of the encryption, Citrix recommends that you keep the key file in a secure location and that you do not freely distribute it. |
| Key | The same valid IMA encryption key must be loaded on all servers in the farm if IMA encryption is enabled. After copying the key file to a server, you load the key by using CTXKEYTOOL. |
Citrix recommends that if you are enabling IMA encryption in environments that have multiple farms, you give the key for each farm a different name.
You can store the CTXKEYTOOL.exe file and the Resource\en folder anywhere on your computer, provided you maintain the same relative directory structure used on the media.
Before enabling IMA encryption on the first server in the XenApp farm (that is, the server on which you created the farm), install and configure XenApp, and restart the server.
Citrix suggests naming the key after the farm on which it will be used; for example, farmakey.ctx. Citrix also suggests saving the key to a folder that uses the name of your farm; for example, Farm A Key.
If the key file generates successfully, the message "Key successfully generated" appears.
Before enabling IMA encryption on servers you are joining to a XenApp farm, install and configure XenApp, but do not restart the server.
Repeat this procedure on all servers you configure to join the farm.
If you move a server that has IMA encryption to a farm that has IMA encryption enabled, run CTXKEYTOOL with the load option (specifying the key that was generated for the new farm) on that server after it is configured but before it is restarted.
If you move a server that has IMA encryption enabled to a farm that does not have IMA encryption enabled, IMA encryption is disabled automatically on the server being moved.
IMA encryption includes other features that you can use as needed:
If you disable IMA encryption, to access the Configuration Logging database, you must reenter the password for the Configuration Logging database. In addition, no configuration information is logged until you reenter your database credentials.
To reenable IMA encryption after you disabled it, run CTXKEYTOOL with the enable option. After enabling IMA encryption, Citrix recommends that you run CTXKEYTOOL with the query option to verify that IMA encryption is enabled.
For more information about CTXKEYTOOL, see the XenApp Command Reference documentation.