Content

Basic session recording

Basic Session Recording is a licensed feature in IBM Security Secret Server. It relies on the protocol handler configured on client computers through IBM Security Secret Server’s launcher. By using the launcher, IBM Security Secret Server captures second-by-second screenshots on the client computer during a recorded session. These images of the screen are compiled into a video that you can download and play back for auditing and security purposes. Activity that is recorded in the session is based on screen changes only.

Advanced session recording

Advanced Session Recording is a licensed feature of IBM Security Secret Server that adds capabilities to those offered by basic session recording. You install the Advanced Session Recording Agent, which uses the Remote Desktop Protocol, on any client machine where you want more information from the recorded sessions.
 
Note: Advanced session recording  is not available for users of the Mac launcher.

Advanced Session Recording enhances the launcher sessions. Launcher sessions typically include screenshots, keystrokes, and process activity.

Advanced Session Recording features include:

• Screen Capture: The IBM Security Secret Server launcher records second-by-second screen images that is compiled into a playback video of the user’s session. This screen capture is essentially the same as basic session recording.
• Logged Processes: The Advanced Session Recording Agent logs all processes started and stopped during a user’s session.
• Recorded Key Strokes: The Advanced Session Recording Agent records all user keystrokes during the session.

Advanced Session Recording includes these enhanced video playback features:

• Searchable Video: You can search video activity to find locations where specific activities, such as specific keystrokes ran processes.
• Enhanced Playback: Sessions that are recorded by using Advanced Session Recording display additional data on playback, such as the current active window, the used processes, and keystrokes in the session.

Basic session recording requirements - IBM Security Secret Server

Advanced Session Recording requirements

Note: This section applies to Advanced Session Recording and IBM Security Secret Server.
 

System capacity specifications

Session recording capacity - IBM Security Secret Server

Note: This section applies to both advanced session recording and basic session recording.

Note: You can increase the Maximum Concurrent Session Conversions per node. See http://www.ibm.com/support/docview.wss?uid=ibm10883016

Caveats and suggestions

General

• System requirements apply to both physical and virtual machines.
• IBM Security Secret Server does not support the following web servers:
  • Any Client OS
  • Domain Controllers
  • SharePoint Servers
  • Small Business Server (SBS)
  • Windows Server Essentials
• For best performance, it is suggested that you use dedicated servers for hosting IBM Security Secret Server.
• If .NET and IIS features are not already installed on the web server, the IBM installer adds and configures them automatically.

Database

• Database disk storage depends directly on how many recorded videos are stored to disk. For active users, it is suggested that you use a 1 TB shared or local drive for archival or storage space. For light users, we recommend beginning with 300 GB. Monitor your disk space usage closely, and tailor it for best results.
• Carefully consider how quickly your allotted storage will be exhausted. Once again, it is highly variable, but you might expect around 15 hours of recording per GB of storage. Using the example of encoding capacity used in the Session Recording section, if you wanted to record one year of usage by your 60 8-hour users, you would need around 11 TBs of storage (given vacations and holidays). The suggested amount of 1 TB lasts nearly a month in that scenario. A session retention policy by using the automatic deletion feature is likely your best option.
• If Microsoft SQL Server is not already installed on your database server, the installer can set up SQL Express on the web server. However, SQL Express is only for trials and sandbox environments. Though IBM Security Secret Server supports SQL Express, your users will likely experience performance issues due to memory and product limitations. If you are experiencing performance issues while using SQL Express, it suggested that you upgrade to Microsoft SQL Server prior to contacting IBM Support.

Note: See Microsoft documentation on SQL Express at: https://docs.microsoft.com/en-us/sql/sql-server/editions-and-components-of-sql-server-2017

Network bandwidth and video

• IBM Security Secret Server 10.6 Advanced Session Recording, requires around 300 Kbps. Earlier versions of Session Recording require 1-3 Mbps.

Note: The Mac launcher uses the older bit rate.

• Session recording bandwidth requirements can vary widely based on the monitor resolution and image complexity. Higher resolutions and more complex images, (for example, simpler screen images compress better) and use more bandwidth. For example, with a 1024×768 screen resolution, the required network bandwidth is typically between 0.1 Mbps and 1 Mbps.
• If your connection cannot support the needed bandwidth, the session data is still transmitted, but it will take longer to process each session.
• If a user tries to cancel the transmission, this activity appears in the audit record for the Session Recording Secret.
• All sessions are recorded at 1080p.

Note: For versions of IBM Security Secret Server earlier than version 10.6, session recordings that are 1080p or higher are not supported due to a limitation in Microsoft Internet Information Services. The session video that is recorded might be corrupted.

• Sessions are recorded by using the H.264 MPEG-4 codec.

Session recording

• Server hosting session recording requires fixed RAM and Disk Space. It is strongly suggested that you do not apply dynamic settings.
• Do not record more sessions than you can encode. If more concurrent sessions are recorded than the system can process, the sessions wait in a queue and are processed when enough server resources become available, which can be in a very long time or perhaps never if your storage is overwhelmed.
• The frame rate we can encode varies dramatically based on many factors, so testing what encoding rate your session recording configuration can sustain is a must. From there, you can get an idea of what is possible. For example, you find that you can process 20 FPS on average on your Xeon processors. Given that rate, we encode around 1 minute of a session recording in 3 seconds, or 1 hour in 3 minutes, or 1 day in 72 minutes—giving you perhaps 480 session hours per day. Take that figure which is based on your typical usage to arrive at a maximum potential usage, for example, 60 people doing 8-hours of session recording.
• Typically, you can record up to one hundred sessions at a time per web node, load balanced, which can handle large use cases.
• CPU usage during video processing varies depending on concurrent users and recording length. It is suggested that you monitor CPU percentages closely on your web server during video processing, as well on your client machines during recording, to increase CPU count for workstations, if needed.
• It is suggested that you set up RabbitMQ as the backbone service bus in session recording environments. To set up RabbitMQ, go to https://www-01.ibm.com/support/docview.wss?uid=ibm10880037.

Limitation

The session recording process only tracks and records the process that is initiated by Secret Server. It does not record sub processes that are subsequently created by the process started by Secret Server.