IBM Security Identity Manager Version 6.0 IBM Security Access Manager Enterprise Single Sign-On Adapter Installation and Configuration Guide IBM

Page 1: IBM Security Identity Manager: IBM Security Access Manager ...public.dhe.ibm.com/software/security/.../tamesso_60... · Manager Enterprise Single Sign-On (enterprise single sign-on)

IBM Security Identity Manager Version 6.0

IBM Security Access Manager Enterprise Single Sign-On Adapter Installation and Configuration Guide


ii IBM Security Identity Manager: IBM Security Access Manager Enterprise Single Sign-On Adapter Installation and Configuration Guide

Contents

Figures . . . v
Tables . . . vii
Chapter 1. Overview . . . 1
  Features of the adapter . . . 1
  Architecture of the adapter . . . 1
  Integration with IBM Security Identity Manager . . . 2
  Communications among IBM Security products . . . 4
  Supported configurations . . . 5
Chapter 2. Planning . . . 7
  Roadmap for IBM Tivoli Directory Integrator based adapters, for IBM Security Identity Manager 6.x . . . 7
  Prerequisites . . . 8
  Software downloads . . . 9
  Installation worksheet . . . 9
Chapter 3. Installing . . . 11
  Configuring Privileged Identity Management to work with the adapter . . . 11
    Determining whether the Group Sharing Account feature is installed . . . 11
    Removing the Group Sharing Account feature . . . 12
  Installing the dispatcher . . . 13
  Installing the adapter binaries or connector . . . 13
  Configuring the IBM Security Access Manager Enterprise Single Sign-On IMS Server . . . 14
  Configuring the SSL connection between Dispatcher and the IMS Server . . . 15
  Restarting the adapter service . . . 15
  Importing the adapter profile . . . 16
  Creating an adapter service/target . . . 17
  Service/Target form details . . . 19
  Installing the adapter language package . . . 21
  Verifying that the adapter is working correctly . . . 21
Chapter 4. Upgrading . . . 23
Chapter 5. Configuring . . . 25
  Configuring the reconciliation operation for the adapter . . . 25
  Configuring IBM Security Access Manager Enterprise Single Sign-On workflow extensions . . . 25
    Adding a workflow extension . . . 25
    Defining workflows with extensions . . . 27
    Defining the IBM Security Access Manager Enterprise Single Sign-On Authentication Service ID and Service Prerequisite . . . 30
    JavaScript for Lotus Notes account type . . . 32
  AccessProfiles creation for IBM Security Access Manager . . . 33
  Configuring IBM Security Access Manager as an enterprise authentication service . . . 33
Chapter 6. Troubleshooting . . . 35
  Techniques for troubleshooting problems . . . 35
  Error messages and problem solving . . . 37
Chapter 7. Uninstalling . . . 41
  Removing the adapter binaries or connector . . . 41
  Removing the adapter profile . . . 41
Chapter 8. Reference . . . 43
  Adapter attributes and object classes . . . 43
  Adapter Configuration Properties . . . 43
Index . . . 45

Figures

1. IBM Security Access Manager Enterprise Single Sign-On Adapter architecture . . . 2
2. Provisioning process . . . 3
3. Single server configuration . . . 5


Tables

1. Prerequisites to install the adapter . . . 8
2. Required information to install the adapter . . . 10
3. Runtime problems . . . 37
4. Supported attributes . . . 43
5. Supported object classes . . . 43


Chapter 1. Overview

An adapter is an interface between a managed resource and the IBM® Security Identity server.

This adapter resides on the IBM Tivoli® Directory Integrator. The IBM Security Identity Manager server manages access to the resource with your security system.

The adapter uses the IBM Tivoli Directory Integrator to facilitate communication between the IBM Security Identity Manager server and the IBM Security Access Manager Enterprise Single Sign-On (enterprise single sign-on) Server. The adapter functions as a trusted virtual administrator on the target platform. It performs such tasks as creating and deleting user IDs and managing user account credentials.

The following sections provide information about the IBM Security Access Manager Enterprise Single Sign-On Adapter:
- “Features of the adapter”
- “Architecture of the adapter”
- “Integration with IBM Security Identity Manager” on page 2
- “Communications among IBM Security products” on page 4
- “Supported configurations” on page 5

Features of the adapter

This adapter automates several administrative tasks on the IBM Security Access Manager Enterprise Single Sign-On IMS Server.

You can use the adapter automation to:
- Create users.
- Create and delete user accounts.
- Change user account passwords.
- Reconcile users and user attributes.
- Add, modify, and remove account credentials.

Architecture of the adapter

IBM Security Identity Manager administers IBM Security Access Manager Enterprise Single Sign-On user accounts.

You can add, delete, search for, suspend, or restore an account. You can also change its password.

Note: You must have IBM Security Access Manager Enterprise Single Sign-On IMS Server version 8.2 or later to suspend or restore an account.

The adapter consists of Tivoli Directory Integrator AssemblyLines. When an initial request is made by the IBM Security Identity Manager server to the adapter, the AssemblyLines are loaded into the Tivoli Directory Integrator server. As a result, subsequent service requests do not require those same AssemblyLines to be reloaded.

The AssemblyLines use the Tivoli Directory Integrator components for user management-related tasks on the IMS Server. This component utilization is done remotely by SOAP over SSL. SOAP over SSL is the trusted IBM Security Access Manager Enterprise Single Sign-On Bridge agent.

The following diagram shows the various components for user management tasks in a Tivoli Directory Integrator environment.

For additional information about Tivoli Directory Integrator, see the IBM Tivoli Directory Integrator: Getting Started Guide.

Integration with IBM Security Identity Manager

IBM Security Access Manager Enterprise Single Sign-On integrates with both IBM Security Access Manager and IBM Security Identity Manager to provide a complete identity and access management solution.

IBM Security Identity Manager provides the identity lifecycle management for application users. IBM Security Access Manager Enterprise Single Sign-On provides the real-time implementation of access security policies for users and applications.

The integrated solution delivers seamless identity and access management that provides:
- Application account provisioning
- A centralized view of all application accounts
- Sign-on and sign-off automation
- Authentication management
- User-centric audit logs and reporting
- Centralized deprovisioning of all accounts

Figure 1. IBM Security Access Manager Enterprise Single Sign-On Adapter architecture (diagram labels: IBM Security Identity Server; Security Access Manager E-SSO Connector; Assembly Lines; Dispatcher; RMI calls; IBM Security Access Manager E-SSO Server; Tivoli Directory Integrator Server)

IBM Security Identity Manager is integrated with IBM Security Access Manager Enterprise Single Sign-On so that you can automatically provision users created in IBM Security Identity Manager to the IMS Server.

This guide focuses on the IBM Security Identity Manager integration with IBM Security Access Manager Enterprise Single Sign-On. Application accounts that are provisioned by IBM Security Identity Manager are automatically populated in the corresponding IBM Security Access Manager Enterprise Single Sign-On wallets of the users. IBM Security Access Manager Enterprise Single Sign-On workflow extensions perform this task.

For information about integration, see Chapter 5, “Configuring,” on page 25.

The following figure illustrates the workflow of the provisioning process:

IBM Security Identity Manager must communicate with the IMS Server to populate and manage credentials in the wallet. The adapter and the Workflow Extension are the interface engines that act as intermediaries between the IMS Server and IBM Security Identity Manager.

The IBM Security Access Manager Enterprise Single Sign-On service uses the Tivoli Directory Integrator assembly lines of the adapter. These assembly lines perform IBM Security Access Manager Enterprise Single Sign-On tasks such as:
- Creating a user.
- Deleting a user.
- Changing a user password.
- Searching for users.

IBM Security Identity Manager connects to the IMS Server by using the IBM Security Access Manager Enterprise Single Sign-On workflow extension to add account credentials to the wallets of users.

To enable single sign-on for all application accounts provisioned through IBM Security Identity Manager, you must:

Figure 2. Provisioning process (diagram labels: IBM Security Identity Manager Server; Workflow Engine; Security Access Manager E-SSO Workflow Extension; Tivoli Directory Integrator Server; RMI Dispatcher; Security Access Manager E-SSO Adapter; Security Access Manager E-SSO Connector; RMI / SSL; SOAP; IBM Security Access Manager E-SSO IMS Server)

- Add the workflow extension to IBM Security Identity Manager.
- Configure the IBM Security Access Manager Enterprise Single Sign-On Service on IBM Security Identity Manager.

Note: If the IMS Server, version 8.1 or later, is configured for Enterprise Directory password synchronization, the Active Directory account must exist before provisioning the ISAMESSO account.

Communications among IBM Security products

The adapter requires communication between multiple IBM Security products.

IBM Security Identity Manager, IBM Security Access Manager, IBM Security Access Manager Enterprise Single Sign-On IMS Server, and AccessAgent communicate as follows:

1. When IBM Security Identity Manager provisions a new user:
   a. It raises an event in the configured IBM Security Access Manager Enterprise Single Sign-On service.
   b. The service invokes the corresponding assembly line of the adapter in Tivoli Directory Integrator.
   c. The assembly line in Tivoli Directory Integrator communicates with the IMS Server. The IMS Server uses SOAP over HTTPS to create the IBM Security Access Manager Enterprise Single Sign-On user.
2. The IBM Security Access Manager Enterprise Single Sign-On Workflow Extension is inserted into the workflow of each application creation workflow.
   a. After IBM Security Identity Manager provisions a new user account, the IBM Security Access Manager Enterprise Single Sign-On workflow extension is invoked.
   b. The Workflow Extension passes the IBM Security Access Manager account data to the adapter.
   c. The adapter passes the data to the IMS Server.
   d. The wallet of the user is populated with the new IBM Security Access Manager account data.
3. The user logs on to the wallet by presenting one or more authentication factors to AccessAgent.
   a. AccessAgent obtains the wallet that contains the new IBM Security Access Manager account data from the IMS Server.
   b. Users must cache their wallets on the client computers so that AccessAgent can process their credentials.
4. AccessAgent performs sign-on automation for all types of applications: enterprise, personal, certificate-enabled, and any Windows user accounts.
   a. AccessAgent automatically fills in the appropriate user credentials when an application is launched and logs the user on to the application.
   b. When an application integrated with IBM Security Access Manager is launched, AccessAgent automatically fills the IBM Security Access Manager user name and password in the basic authentication logon prompt. The user does not need to know them.
5. When IBM Security Identity Manager deprovisions a user:
   a. It raises an event in the IBM Security Access Manager Enterprise Single Sign-On Service.

   b. The delete assembly line in the adapter communicates with the IMS Server to delete the user.
6. The deleted user can no longer log on to AccessAgent for single sign-on.

Supported configurations

The adapter supports several configurations and is designed to operate with IBM Security Identity Manager.

The fundamental components of an adapter environment are:
- IBM Security Identity Manager
- Tivoli Directory Integrator server
- IBM Security Access Manager Enterprise Single Sign-On Adapter

Forming part of each configuration, the IBM Security Access Manager Enterprise Single Sign-On Adapter must physically reside on the computer that runs the Tivoli Directory Integrator server.

For a single server configuration, you must install the IBM Security Identity Manager, Tivoli Directory Integrator server, and the IBM Security Access Manager Enterprise Single Sign-On Adapter on one server. The server communicates with the IMS Server.

Figure 3. Single server configuration (diagram labels: IBM Security Identity Manager Server with IBM Tivoli Directory Server running Adapter; IBM Security Access Manager E-SSO Server)


Chapter 2. Planning

Installing and configuring the adapter involves several steps that you must complete in a specific sequence. Follow the roadmap for the main tasks.

Roadmap for IBM Tivoli Directory Integrator based adapters, for IBM Security Identity Manager 6.x

Follow this section when using the guide to install, configure, troubleshoot, or uninstall the adapter.

Pre-installation

Complete these tasks.
1. Verify that your environment meets the software and hardware requirements for the adapter. See Prerequisites.
2. Obtain the installation software. See Software downloads.
3. Obtain the necessary information for the installation and configuration. See Installation worksheet.

Installation

Complete these tasks.
1. Install the dispatcher.
2. Install the adapter binaries or connector.
3. Install 3rd party client libraries.
4. Set up the adapter environment.
5. Restart the adapter service.
6. Import the adapter profile.
7. Create an adapter service/target.
8. Install the adapter language package.
9. Verify that the adapter is working correctly.

Upgrade

To upgrade the adapter, do a complete re-installation of the adapter. Follow the Installation roadmap.

Configuration

Complete these tasks.
1. Configure secure communication between the IBM Security Identity server and the adapter.
   a. Configure 1-way authentication.
   b. Configure 2-way authentication.
2. Configure secure communication between the adapter and the managed target.
   a. Configure 1-way authentication.
   b. Configure 2-way authentication.

3. Configure the adapter.
4. Modify the adapter profiles.
5. Customize the adapter.

Troubleshooting

See the following topics.
- Techniques for troubleshooting problems
- Configure debugging
- Logs
- Error messages and problem solving

Uninstallation

Complete these tasks.
1. Stop the adapter service.
2. Remove the adapter binaries or connector.
3. Remove 3rd party client libraries.
4. Delete the adapter service/target.
5. Delete the adapter profile.

Reference

See the following topics.
- Adapter attributes and object classes
- Adapter attributes by operations
- Special attributes

Prerequisites

Verify that your environment meets the software and hardware requirements for the adapter.

Table 1. Prerequisites to install the adapter

Operating System
    The IBM Security Access Manager Enterprise Single Sign-On Adapter can be used on any operating system that is supported by Tivoli Directory Integrator.

Network Connectivity
    TCP/IP network

System Administrator Authority
    The person who installs the IBM Security Access Manager Enterprise Single Sign-On Adapter must have system administrator authority.

Directory Integrator
    - IBM Tivoli Directory Integrator Version 7.1.1 + 7.1.1-TIV-TDI-FP0004 + 7.2.0-ISS-SDI-LA0008
    - IBM Security Directory Integrator Version 7.2

    Note:
    - Earlier versions of IBM Tivoli Directory Integrator that are still supported might function properly. However, to resolve any communication errors, you must upgrade your Directory Integrator release to the versions that the adapter officially supports.
    - The adapter supports IBM Security Directory Integrator 7.2, which is available only to customers who have the correct entitlement. Contact your IBM representative to find out whether you have the entitlement to download IBM Security Directory Integrator 7.2.

IBM Security Identity server
    The following servers are supported:
    - IBM Security Identity Manager server Version 6.0
    - IBM Security Identity Manager server Version 7.0
    - IBM Security Privileged Identity Manager Version 2.0

IBM Security Identity Manager adapter, also known as the Dispatcher
    Obtain the dispatcher installer from the IBM Passport Advantage website: http://www.ibm.com/software/howtobuy/passportadvantage/pao_customers.htm.

IBM Security Access Manager Enterprise Single Sign-On IMS Server
    For the supported version, see the IBM Security Access Manager Enterprise Single Sign-On Adapter Release Notes.

Software downloads

Download the software through your account at the IBM Passport Advantage® website.

Go to IBM Passport Advantage.

See the corresponding IBM Security Identity server Download Document for instructions.

Note: You can also obtain additional adapter information from IBM Support.

Installation worksheet

The installation worksheet lists the information that is required to install and configure the adapter. Complete this worksheet before you start the installation procedure for ease of reference. Make a copy of the worksheet for each adapter instance you install.

Table 2. Required information to install the adapter

An administrator account on the managed resource
    The account must have sufficient administrative rights.

IMS Server Configuration Utility
    The location of the web-based IMS Server Configuration Utility. See the IBM Security Access Manager for Enterprise Single Sign-On Administrator Guide for more details.

IMS Server
    The IP address or host name and the SSL port number of the IMS Server.

Tivoli Directory Integrator home directory
    The ITDI_HOME is the directory that contains the jars/connectors subdirectory for the adapter JAR files.

Adapters solution directory
    When you install the dispatcher, the adapter prompts you to specify a file path for the solution directory. For more information about the solution directory, see the Dispatcher Installation and Configuration Guide.

Authentication Services to IBM Security Identity Manager Services mapping
    Create a list of services that you want to integrate with enterprise single sign-on. An existing Authentication Service must be available on the IMS Server for each IBM Security Identity Manager Service you want to integrate.

Account Ownership Types to be managed
    Determine whether your organization requires additional ownership types to be integrated. The individual ownership type is automatically included.

Chapter 3. Installing

Installing the adapter mainly involves importing the adapter profile and creating an adapter service. Depending on the adapter, several other tasks can be involved to completely install it.

You must install and configure the adapter before the IBM Security Access Manager Enterprise Single Sign-On Adapter can communicate with IBM Security Access Manager.

Configuring Privileged Identity Management to work with the adapter

IBM Security Identity Manager deprecated Group Sharing Account in the version 5.x adapters and replaced it with Privileged Identity Management. If the Group Sharing Accounts feature is installed, you must remove it from the service to use Privileged Identity Management.

To determine whether you must remove the Group Sharing Account feature, see “Determining whether the Group Sharing Account feature is installed.”

For instructions about removing the Group Sharing Accounts from the IBM Security Identity Manager server, see “Removing the Group Sharing Account feature” on page 12.

Determining whether the Group Sharing Account feature is installed

Determine whether you must remove the deprecated Group Sharing Account feature.

Procedure
1. Log on to the IBM Security Identity Manager server with an account that has the authority to perform administrative tasks.
2. In the My Work pane, click Manage Services.
3. From the Service type menu, select ISAM ESSO Profile.
4. Click Search.
5. Click the IBM Security Access Manager Enterprise Single Sign-On service to display the adapter service form.
6. Click Group Sharing Accounts Setup.
   - If this tab does not exist, the Group Sharing Accounts feature is not installed.
   - If the Mapping list is empty, the Group Sharing Accounts feature is installed, but not configured.
   - If content exists for the Mapping list, the Group Sharing Accounts feature is installed and configured.

What to do next
- If the Group Sharing Account feature is not installed, set up Privileged Identity Management. See the IBM Security Privileged Identity Manager product documentation.

- If necessary, remove the Group Sharing Accounts feature. See “Removing the Group Sharing Account feature.” Then, set up Privileged Identity Management. See the IBM Security Privileged Identity Manager product documentation.

Removing the Group Sharing Account feature

If the Group Sharing Accounts feature is installed, you must remove it from the service to use Privileged Identity Management.

Before you begin
- Determine whether you must remove the Group Sharing Account feature. See “Determining whether the Group Sharing Account feature is installed” on page 11.
- Verify that the role is not used for any purpose other than the Group Sharing Account feature. If it is used for another purpose, back it up; you can restore it later. To back up the roles in IBM Security Identity Manager, see the IBM Security Identity Manager product documentation. Search for "Data import and export."

Procedure
1. Remove all the members in the roles corresponding to the Group Sharing Account. See the IBM Security Identity Manager product documentation. Search for removing members from roles. The IBM Security Access Manager Enterprise Single Sign-On wallets of all the users of that role are cleared of the shared account.
2. Remove all the roles corresponding to the Group Sharing Account. See the IBM Security Identity Manager product documentation. Search for removing roles.
3. Remove the Role Mapping from the ISAM ESSO Service.
   a. Click Manage Service.
   b. Search for and select the service that has the ISAM ESSO Profile service type.
   c. Click Change.
   d. Click Group Sharing Account. If the Group Sharing Account tab is not found, skip the next step.
   e. Delete all the mappings found in the list box.
   f. Click OK to close the form.
4. Restore the Change Password Workflow Extension for all the services that used the Group Sharing Account feature.
   a. Click Configure System.
   b. Click Manage Operations.
   c. Select the appropriate Entity type or Entity that was previously modified for Group Sharing Account.
   d. Click changePassword to launch the Workflow Extension editor for changePassword.
   e. In the Workflow Extension editor, click the node that is configured with changeSharedAccountPasswordWithTAMESSO.
   f. Take one of the following actions:
      - If you want to integrate this entity or entity type with IBM Security Access Manager Enterprise Single Sign-On, change the Extension Name to changeAccountPasswordWithTAMESSO.

      - If you do not want to integrate it, remove the extension node and replace it with the default change password extension.
   g. Click Update.
   h. Click OK.
   i. Click Close.
5. Restore the Modify Person Workflow Extension for the Person entity.
   a. Click Configure System.
   b. Click Manage Operations.
   c. For the Operation Level, click Entity level.
   d. Select Person as the Entity type.
   e. Click modify to change operations such as specifying mail. The operation diagram is displayed.
   f. Make the necessary changes to undo the modifications made for the Group Sharing Account. See the Installation Guide of the specific version of the adapter that was used to set up the Group Sharing Account feature.
6. Remove the Workflow Extension from IBM Security Identity Manager.
   a. Edit the workflowextensions.xml file in the ITIM_HOME\data directory.
   b. Remove the following line:
      <ACTIVITY ACTIVITYID="changeSharedAccountPasswordWithTAMESSO" LIMIT="600000">
   c. Remove the XML:
      <ACTIVITY ACTIVITYID="isSharedRole" LIMIT="600000">
   d. Restart the IBM Security Identity Manager application from either the WebSphere console or the WebSphere server.
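Step 6 edits workflowextensions.xml by hand, and a stray or half-deleted ACTIVITY element leaves the application failing to load its extensions after the restart. The following Python script is an added example, not IBM's tooling: it drops the two ACTIVITY elements by their ACTIVITYID and reports which ids were removed and which remain, so the result can be checked before the restart. It assumes the file is well-formed XML with ACTIVITYID attributes as quoted in the step; the sample file and its child elements are constructed placeholders, not the real schema.

```python
"""Remove the deprecated Group Sharing Account workflow extensions from
workflowextensions.xml (added example; not IBM's tooling).

Assumption: the file is well-formed XML whose ACTIVITY elements carry an
ACTIVITYID attribute, as in the two lines quoted in step 6. The child
elements in the sample below are placeholders, not the real schema.
"""
import shutil
import sys
import xml.etree.ElementTree as ET

# The two activities that step 6 says to remove.
DEPRECATED_ACTIVITY_IDS = frozenset({
    "changeSharedAccountPasswordWithTAMESSO",
    "isSharedRole",
})

# Constructed sample standing in for ITIM_HOME\data\workflowextensions.xml.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<WORKFLOWEXTENSIONS>
  <ACTIVITY ACTIVITYID="changeAccountPasswordWithTAMESSO" LIMIT="600000">
    <PLACEHOLDER_CHILD/>
  </ACTIVITY>
  <ACTIVITY ACTIVITYID="changeSharedAccountPasswordWithTAMESSO" LIMIT="600000">
    <PLACEHOLDER_CHILD/>
  </ACTIVITY>
  <ACTIVITY ACTIVITYID="isSharedRole" LIMIT="600000">
    <PLACEHOLDER_CHILD/>
  </ACTIVITY>
</WORKFLOWEXTENSIONS>
"""


def remove_deprecated_activities(xml_text, activity_ids=DEPRECATED_ACTIVITY_IDS):
    """Return (cleaned_xml, removed_ids, remaining_ids).

    Only ACTIVITY elements whose ACTIVITYID is in activity_ids are dropped,
    wherever they sit in the tree; every other element is kept unchanged so
    the file still loads. A whole element is removed, never just its opening
    tag, which is the mistake a hand edit of step 6 can make.
    """
    root = ET.fromstring(xml_text)
    removed = []
    # Snapshot the tree first so removals do not disturb the walk.
    for parent in list(root.iter()):
        for child in list(parent):
            if child.tag == "ACTIVITY" and child.get("ACTIVITYID") in activity_ids:
                parent.remove(child)
                removed.append(child.get("ACTIVITYID"))
    remaining = [a.get("ACTIVITYID") for a in root.iter("ACTIVITY")]
    cleaned = ET.tostring(root, encoding="unicode")
    return cleaned, removed, remaining


def clean_file(path):
    """Clean the file in place, keeping a .bak copy; return (removed, remaining)."""
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    cleaned, removed, remaining = remove_deprecated_activities(original)
    # Only rewrite when something was actually removed; otherwise the file
    # is left byte-for-byte as it was.
    if removed:
        shutil.copyfile(path, path + ".bak")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write('<?xml version="1.0" encoding="UTF-8"?>\n' + cleaned + "\n")
    return removed, remaining


if __name__ == "__main__":
    if len(sys.argv) == 2:
        removed, remaining = clean_file(sys.argv[1])
    else:
        _, removed, remaining = remove_deprecated_activities(SAMPLE_XML)
    print("removed  :", removed)
    print("remaining:", remaining)
```

Run it with the path to the real file to edit in place (a .bak copy is kept), or with no argument to see it work on the constructed sample.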

Installing the dispatcher

If this is the first Tivoli Directory Integrator-based adapter installation, you must install the RMI Dispatcher before you install the adapter. Install the RMI Dispatcher on the same Tivoli Directory Integrator server where you want to install the adapter.

If you already installed the RMI Dispatcher for another adapter, you do not need to reinstall it.

If you have not yet installed the RMI Dispatcher in the Tivoli Directory Integrator environment, download the Dispatcher installer from the IBM Passport Advantage website. For more information about the installation, see the Dispatcher Installation and Configuration Guide.

Installing the adapter binaries or connector

The connector might or might not be available with the base Tivoli Directory Integrator or Security Directory Integrator product. The connector is required to establish communication between the adapter and the Dispatcher.

Before you begin

Extract the files in the ISAMESSO_Adapter_6.0.x.zip file in the distribution package to a temporary directory.

About this task

The IBM Security Access Manager Enterprise Single Sign-On Adapter ships with a SAMESSOConnector.jar connector file.

Procedure
1. Copy the SAMESSOConnector.jar file from the installation package to the Tivoli Directory Integrator directory. The location depends on your operating system.

   Windows
      ITDI_HOME\jars\connectors

   UNIX or Linux
      ITDI_HOME/jars/connectors

2. Restart the Dispatcher service. See Start, stop, and restart of the adapter service.

Configuring the IBM Security Access Manager Enterprise Single Sign-On IMS Server

The IBM Security Access Manager Enterprise Single Sign-On provisioning agent must authenticate with the IMS Server before it can call the provisioning services.

About this task

Authentication is through a shared secret between the provisioning agent and the IMS Server. Use the IMS Configuration Utility to configure these settings.

Procedure
1. Start the IMS Configuration Utility.
2. Click IMS Bridges on the left side under Advanced settings.
3. Select IMS Bridge from the Add configuration group drop-down box.
4. Click Configure.
5. Define a name and an IMS Bridge password (the shared secret) in the available text input boxes.
6. Enter an IMS Bridge IP address value. This address is the IP address of the system on which Tivoli Directory Integrator is installed.
7. Click Add.
8. Set the value for IMS Bridge Type to Provisioning.
9. Click Add.
10. Log on to IBM Security Access Manager Enterprise Single Sign-On AccessAdmin.
11. Navigate to System Policies > Sign up Policies > Option for specifying secret.
12. Choose Secret not required.
13. Click Update.
14. At the WebSphere console, restart the IMS Server application for the changes to take effect.


Configuring the SSL connection between Dispatcher and the IMS Server

To enable communication between the adapter and the IMS Server, you must configure keystores for the Dispatcher.

About this task

For more information about SSL configuration, see the Dispatcher Installation and Configuration Guide.

Procedure
1. Open a browser.
2. Go to https://SAM_ESSO_server/. The SAM_ESSO_server is the IMS Server host name.
3. View the certificate.
   • Click the SSL lock.
   • If your browser reports that revocation information is not available, click View Certificate.
4. Click Certification Path.
5. Select the CA Root certificate.
6. Export the certificate into a file encoded in the Base64 format.
7. Take one of the following actions:
   • If the Dispatcher already has a configured keystore, use the keytool.exe program to import the IMS Server certificate.
   • If the keystore is not configured, create it by running the following command from a command prompt. Type the command on a single line.

     keytool -import -alias ims -file c:\TAMESSO.cer -keystore c:\truststore.jks -storepass passw0rd

8. Edit the ITDI_HOME/timsol/solution.properties file to specify truststore and keystore information. In the current release, only the jks type is supported:

   # Keystore file information for the server authentication.
   # It is used to verify the server's public key.
   # example
   javax.net.ssl.trustStore=truststore.jks
   javax.net.ssl.trustStorePassword=passw0rd
   javax.net.ssl.trustStoreclass=jks

   Note: If these properties are not configured yet, you can point javax.net.ssl.trustStore at the keystore that already contains the IBM Security Access Manager E-SSO IMS Server certificate. Otherwise, you must import the IMS Server certificate into the truststore specified in javax.net.ssl.trustStore.

9. After modifying the solution.properties file, restart the Dispatcher. See Start, stop, and restart of the adapter service.
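The following added example (not IBM's code) reads the solution.properties settings from step 8 and checks them the way a practitioner would before restarting the Dispatcher: the three javax.net.ssl.trustStore* properties must be present, the type must be jks as this release requires, and the password should no longer be the guide's sample value. It also assembles the step 7 keytool command from the same settings, so the command and the properties file cannot drift apart. The property file contents are constructed samples; the check against the sample password passw0rd is this example's own assumption, not a product rule.

```python
"""Check the truststore settings in a Dispatcher solution.properties file.

Added example, not IBM's code. Parses the Java-style properties file that
step 8 edits and reports the problems worth catching before a Dispatcher restart.
"""
from __future__ import annotations

# Keys the guide tells you to set in ITDI_HOME/timsol/solution.properties.
REQUIRED_KEYS = (
    "javax.net.ssl.trustStore",
    "javax.net.ssl.trustStorePassword",
    "javax.net.ssl.trustStoreclass",
)
SUPPORTED_STORE_TYPES = {"jks"}      # the guide states only jks is supported in this release
GUIDE_SAMPLE_PASSWORD = "passw0rd"   # sample value from the guide; assumed never to be used in production


def parse_properties(text: str) -> dict[str, str]:
    """Minimal Java .properties reader: '#'/'!' comments, key=value or key:value."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:  # fall back to the ':' separator that Java also accepts
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def check_truststore_settings(props: dict[str, str]) -> list[str]:
    """Return a list of findings; an empty list means the settings look complete."""
    findings: list[str] = []
    for key in REQUIRED_KEYS:
        if not props.get(key):
            findings.append(f"missing or empty property: {key}")
    store_type = props.get("javax.net.ssl.trustStoreclass", "")
    if store_type and store_type.lower() not in SUPPORTED_STORE_TYPES:
        findings.append(f"truststore type {store_type!r} is not supported; use jks")
    if props.get("javax.net.ssl.trustStorePassword") == GUIDE_SAMPLE_PASSWORD:
        findings.append("trustStorePassword is the sample value from the guide; set your own")
    return findings


def keytool_import_argv(cert_file: str, props: dict[str, str]) -> list[str]:
    """Build the step 7 keytool command (as argv) for the truststore named in solution.properties."""
    return [
        "keytool", "-import", "-alias", "ims", "-file", cert_file,
        "-keystore", props["javax.net.ssl.trustStore"],
        "-storepass", props["javax.net.ssl.trustStorePassword"],
    ]


# Constructed sample files for demonstration (not taken from any real installation).
GOOD_PROPERTIES = """\
# Keystore file information for the server authentication.
javax.net.ssl.trustStore=truststore.jks
javax.net.ssl.trustStorePassword=Example-Str0ng-Secret
javax.net.ssl.trustStoreclass=jks
"""

BAD_PROPERTIES = """\
javax.net.ssl.trustStore=truststore.p12
javax.net.ssl.trustStorePassword=passw0rd
javax.net.ssl.trustStoreclass=pkcs12
"""

if __name__ == "__main__":
    for name, text in (("good", GOOD_PROPERTIES), ("bad", BAD_PROPERTIES)):
        print(name, check_truststore_settings(parse_properties(text)) or "OK")
```

Run it against your own ITDI_HOME/timsol/solution.properties by reading the file into parse_properties; an empty findings list is the signal to proceed with the Dispatcher restart in step 9.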

Restarting the adapter service

Various installation and configuration tasks might require the adapter to be restarted to apply the changes. For example, you must restart the adapter if there are changes in the adapter profile, connector, or assembly lines. To restart the adapter, restart the Dispatcher.


The adapter does not exist as an independent service or a process. The adapter is added to the Dispatcher instance, which runs all the adapters that are installed on the same Security Directory Integrator instance.

See the topic about starting, stopping, and restarting the Dispatcher service in the Dispatcher Installation and Configuration Guide.

Importing the adapter profile

An adapter profile defines the types of resources that the IBM Security Identity server can manage. It is packaged with the IBM Security Identity Adapter. Use the adapter profile to create an adapter service on IBM Security Identity server and establish communication with the adapter.

Before you begin
• The IBM Security Identity Manager server is installed and running.
• You have root or administrator authority on the IBM Security Identity Manager server.
• The file to be imported must be a Java archive (JAR) file. The <Adapter>Profile.jar file includes all the files that are required to define the adapter schema, account form, service/target form, and profile properties. If necessary, you can extract the files from the JAR file, modify the files, and repackage the JAR file with the updated files. The JAR file for IBM Security Identity Manager is located in the top level folder of the installation package.

About this task

Service definition files are also called adapter profile files.

If the adapter profile is not installed correctly, the adapter cannot function correctly. You cannot create a service with the adapter profile or open an account on the service. You must import the adapter profile again.

Procedure
1. Log on to the IBM Security Identity Manager server by using an account that has the authority to perform administrative tasks.
2. From the navigation tree, select Configure System > Manage Service Types. The Manage Service Types page is displayed.
3. On the Manage Service Types page, click Import. The Import Service Type page is displayed.
4. On the Import Service Type page, complete these steps:
   a. In the Service Definition File field, type the directory location of the <Adapter>Profile.jar file, or click Browse to locate the file. For example, if you are installing the IBM Security Identity Adapter for a Windows server that runs Active Directory, locate and import the ADProfileJAR file.
   b. Click OK to import the file.

Results

A message indicates that you successfully submitted a request to import a service type.


What to do next
• The import occurs asynchronously, which means it might take some time for the service type to load into the IBM Security Identity server from the properties files and to be available in other pages. On the Manage Service Types page, click Refresh to see the new service type. If the service type status is Failed, check the log files to determine why the import failed.
• If you receive a schema-related error, see the trace.log file for information about it. The trace.log file location is specified by the handler.file.fileDir property that is defined in the enRoleLogging.properties file. The enRoleLogging.properties file is in the IBM Security Identity server HOME\data directory.

Creating an adapter service/target

After you import the adapter profile on the IBM Security Identity server, create a service/target so that IBM Security Identity server can communicate with the managed resource.

Before you begin

Complete “Importing the adapter profile” on page 16.

About this task

You must create an administrative user account for the adapter on the managed resource. You can provide the account information such as administrator name and password when you create the adapter service. Ensure that the account has sufficient privileges to administer the users. For information about creating an administrative account, see the documentation for the managed resource.

To create or change a service, you must use the service form to provide information for the service. Service forms might vary depending on the adapter. The service name and description that you provide for each service are displayed on the console. Therefore, it is important to provide values that make sense to your users and administrators.

Procedure
1. From the navigation tree, click Manage Services. The Select a Service page is displayed.
2. On the Select a Service page, click Create. The Create a Service wizard is displayed.
3. On the Select the Type of Service page, click Search to locate a business unit. The Business Unit page is displayed.
4. On the Business Unit page, complete these steps:
   a. Type information about the business unit in the Search information field.
   b. Select a business type from the Search by list, and then click Search. A list of business units that matches the search criteria is displayed. If the table contains multiple pages, you can do the following tasks:
      • Click the arrow to go to the next page.
      • Type the number of the page that you want to view and click Go.


   c. In the Business Units table, select the business unit in which you want to create the service, and then click OK. The Select the Type of Service page is displayed, and the business unit that you specified is displayed in the Business unit field.
5. On the Select the Type of Service page, select a service type, and then click Next. If the table contains multiple pages, you can do the following tasks:
   • Click the arrow to go to the next page.
   • Type the number of the page that you want to view and click Go.
6. On either the Service Information or General Information page, specify the appropriate values for the service instance. The content of the General Information page depends on the type of service that you are creating. The creation of some services might require more steps.
7. On the Authentication page, configure authentication (either password-based or key-based) for the service, and then click Next or Finish. The Authentication page is displayed only if you are creating a POSIX service instance.
8. On the Dispatcher Attributes page, specify information about the dispatcher attributes, and then click Next or OK. The Dispatcher Attributes page is displayed only for IBM Security Directory Integrator based services.
9. Optional: On the Access Information page, select the Define an Access check box to activate the access definition fields. Select the type of access you want to enable. Specify the expected access information and any other optional information such as description, search terms, more information, or badges.
10. On the Status and Information page, view information about the adapter and managed resource, and then click Next or Finish. The adapter must be running to obtain the information.
11. On the Configure Policy page, select a provisioning policy option, and then click Next or Finish. The provisioning policy determines the ownership types available for accounts. The default provisioning policy enables only Individual ownership type accounts. Additional ownership types can be added by creating entitlements on the provisioning policy.

    Note: If you are creating a service for an identity feed, the Configure Policy page is not displayed.

12. Optional: On the Reconcile Supporting Data page, either do an immediate reconciliation for the service, or schedule a supporting data reconciliation, and then click Finish. The Reconcile Supporting Data page is displayed for all services except for identity feed services. The supporting data only reconciliation option retrieves only the supporting data for accounts. The supporting data includes groups that are defined on the service. The type of supporting data is defined in the adapter guide.
13. Optional: On the Service Information or General Information page, click Test Connection to validate that the data in the fields is correct, and then click Next or Finish. If the connection fails, contact the analyst who is responsible for the computer on which the managed resource runs.

Results

A message is displayed, indicating that you successfully created the service instance for a specific service type.


Service/Target form details

Complete the service/target form fields.

Adapter details tab

   Service name
      Specify a name that defines this adapter service on the IBM Security Identity server.

   Description
      Optional: Specify a description for this service.

   Tivoli Directory Integrator location
      Specify the URL for the IBM Tivoli Directory Integrator instance. The valid syntax for the URL is rmi://ip-address:port/ITDIDispatcher, where ip-address is the IBM Tivoli Directory Integrator host and port is the port number for the RMI Dispatcher.

      The default URL for the default SDI1 instance is rmi://localhost:1099/ITDIDispatcher.

   Owner
      Specify an existing user ID for the service owner that administers the service instance. Click Search to find the name of the user you want to assign as the owner of the service. Leave the field blank to specify that any user can be used in administering the service instance.

   Service prerequisite
      Specify an existing service instance or function that the service instance requires. Click Search to find existing service instances or functions that you want to assign as requirements for the service instance. If a service has another service defined as a service prerequisite, a user must have an existing account on the service prerequisite. Otherwise the user cannot receive a new account on this service.

ISAM ESSO server details tab

   ISAM ESSO Server DNS name (DNS host name or IP)
      Specify the host name of the IMS Server host computer only if DNS is set up correctly. Otherwise, use the IP address. Test the connection by using the ping command from the command line on the host that runs the adapter.

   ISAM ESSO Server Port
      Specify the IMS Server port number. The default value is 9443.

   Bridge Name
      Specify the IMS Bridge Name configured in the IMS Server. This field is case-sensitive. The IMS Bridge Name must be entered exactly as shown in the IMS Configuration Utility.

   Bridge Password
      Specify the password for the IMS Bridge. The password is also referred to as a shared secret. This field is case-sensitive. Enter the password exactly as configured in the IMS Configuration Utility.

   Strip domain name from user ID during reconciliation
      Select this check box to remove the domain name from the user ID during reconciliation.


   Additional Ownership Types managed by ISAM ESSO
      Type the name of additional Ownership Types that you want IBM Security Access Manager Enterprise Single Sign-On to manage.

      By default, accounts that belong to the Individual Ownership Type are included when the following operations are performed on a wallet credential:
      • Create an account
      • Change password
      • Delete an account

Dispatcher Attributes tab

   Disable AL Caching
      Select the check box to disable the assembly line caching in the dispatcher for the service. The assembly lines for the add, modify, delete, and test operations are not cached.

   AL FileSystem Path
      Specify the file path from where the dispatcher loads the assembly lines. If you do not specify a file path, the dispatcher loads the assembly lines received from IBM Security Identity server. For example, you can specify the following file paths to load the assembly lines from the profiles directory of the operating system:

      Windows operating systems
         c:\Program Files\IBM\TDI\V7.0\profiles

      UNIX and Linux operating systems
         /opt/IBM/TDI/V7.0/profiles

   Max Connection Count
      Specify the maximum number of assembly lines that the dispatcher can run simultaneously for the service. For example, enter 10 when you want the dispatcher to run a maximum of 10 assembly lines simultaneously for the service. If you enter 0 in the Max Connection Count field, the dispatcher does not limit the number of assembly lines that are run simultaneously for the service.

Status and information tab
   Contains read only information about the adapter and managed resource. These fields are examples. The actual fields vary depending on the type of adapter and how the service form is configured. The adapter must be running to obtain the information. Click Test Connection to populate the fields.

   If the connection fails, follow the instructions in the error message. Also:
   • Verify the adapter log to ensure that the test request was successfully sent to the adapter.
   • Verify the adapter configuration information.
   • Verify service parameters for the adapter profile. For example, verify the work station name or the IP address of the managed resource and the port.

   Last status update: Date
      Specifies the most recent date when the Status and information tab was updated.


   Last status update: Time
      Specifies the most recent time of the date when the Status and information tab was updated.

   Managed resource status
      Specifies the status of the managed resource to which the adapter is connected.

   Adapter version
      Specifies the version of the adapter that the service uses to provision requests to the managed resource.

   Profile version
      Specifies the version of the profile that is installed on the IBM Security Identity server.

   TDI version
      Specifies the version of the Tivoli Directory Integrator on which the adapter is deployed.

   Dispatcher version
      Specifies the version of the Dispatcher.

   Installation platform
      Specifies summary information about the operating system on which the adapter is installed.

   Adapter account
      Specifies the account that runs the adapter binary file.

   Adapter up time: Date
      Specifies the date when the adapter started.

   Adapter up time: Time
      Specifies the time of the date when the adapter started.

   Adapter memory usage
      Specifies the memory usage for running the adapter.

Installing the adapter language package

The adapters use a separate language package from IBM Security Identity Manager.

See Installing the adapter language pack from the IBM Security Identity Manager product documentation.

Verifying that the adapter is working correctly

After you install and configure the adapter, verify that the installation and configuration are correct.

Procedure
1. Test the connection for the service that you created on the IBM Security Identity server.
2. Run a full reconciliation from the IBM Security Identity server.
3. Run all supported operations such as add, modify, and delete on one user account.
4. Verify the ibmdi.log file after each operation to ensure that no errors are reported.


5. Verify the trace.log file to ensure that no errors are reported when you run an adapter operation.


Chapter 4. Upgrading

Upgrading an IBM Tivoli Directory Integrator-based adapter involves tasks such as upgrading the dispatcher, the connector, and the adapter profile. Depending on the adapter, some of these tasks might not be applicable. Other tasks might also be required to complete the upgrade.

Before you begin

The upgrade path is from adapter version 5.1.10 to version 6.0. If your adapter level is earlier than 5.1.10, you must first upgrade the adapter to version 5.1.10. No direct upgrade paths for versions earlier than 5.1.10 exist.

You must have the following files:

From the adapter package
• SAMESSOConnector.jar
• subforms.zip
• enc_workflow_sample.xml
• SAMESSOWfe.jar
• The adapter profile in the TAMESSOProfile.jar

Before you import the new adapter profile, verify that the following conditions are met:
• The IBM Security Identity Manager server is installed and running.
• You have root or Administrator authority on the IBM Security Identity Manager server.

Procedure
1. Upgrade the Security Access Manager E-SSO Connector.
   a. Stop the Dispatcher service. See Start, stop, and restart of the adapter service.
   b. Delete sqljdbc.jar from the ITDI_HOME/jars/3rdparty/others directory.
   c. Replace the existing SAMESSOConnector.jar on the Tivoli Directory Integrator server with the SAMESSOConnector.jar from the adapter package.
   d. Start the Dispatcher service.
2. Upgrade the SSL configuration. If you upgraded the IMS Server or configured the IMS Bridge with some credentials, refresh the SSL configuration between the Dispatcher and the IMS Server. See “Configuring the SSL connection between Dispatcher and the IMS Server” on page 15.
3. On the IBM Security Access Manager Enterprise Single Sign-On product, enable the changePassword operation.
   a. On the IBM Security Access Manager Enterprise Single Sign-On product, log on to AccessAdmin.
   b. Navigate to System Policies > Sign up Policies > Option for specifying secret.
   c. Choose Secret not required.
   d. Click Update.


4. Upgrade the IBM Security Access Manager Enterprise Single Sign-On profile. The adapter profile is contained within the JAR file, TAMESSOProfile.jar, which is included in the IBM Security Access Manager Enterprise Single Sign-On Adapter distribution package. To import the adapter profile, complete the following steps:
   a. Import the adapter profile with the IBM Security Identity Manager import feature. See Importing the adapter profile.
   b. Restart the Dispatcher service.

   Note: If you receive an error related to the schema when you import the adapter profile, see the trace.log file for information about the error. The trace.log file location is specified with the handler.file.fileDir property, which is defined in the IBM Security Identity Manager enRoleLogging.properties file. The enRoleLogging.properties file is installed in the ISIM_HOME\data directory.

5. Perform a full reconciliation on the service.
   a. Log on to IBM Security Identity Manager.
   b. Click Manage Services.
   c. Click Search.
   d. Click the arrow icon next to ISAMESSO Service.
   e. Click Reconcile Now.
6. Upgrade the IBM Security Access Manager Enterprise Single Sign-On workflow extensions.
   a. Edit the workflowextensions.xml file in the ISIM_HOME\data directory. Use the enc_workflow_sample.xml file from the installation package as an example.
   b. Remove the old SAMESSOWfe.jar file from the appropriate directory. For Tivoli Identity Manager 5.1:

      WEBSPHERE_HOME\AppServer\profiles\SERVER_NAME\installedApps\NODE_NAME\ITIM.ear\app_web.war\WEB-INF\lib

   c. Copy SAMESSOWfe.jar from the installation package to the appropriate directory.
   d. Extract the subforms.zip archive from the adapter package into a temporary directory.
   e. Copy the folder and the files in subforms\samesso to the WEBSPHERE_HOME\AppServer\profiles\SERVER_NAME\installedApps\NODE_NAME\ITIM.ear\itim_console.war\subforms\samesso directory.
   f. Restart IBM Security Identity Manager from the WebSphere Application Server console.

What to do next

Verify the upgrade installation. See Verifying that the adapter is working correctly.


Chapter 5. Configuring

After you install the adapter, configure it to function correctly. Configuration isbased on your requirements or preference.

You can use the IBM Security Access Manager to manage your AccessProfiles. Thisconfiguration is an optional configuration for organizations that use IBM SecurityIdentity Manager with IBM Security Access Manager Enterprise Single Sign-On forprovisioning.

Note: If you perform this configuration after you configured the adapter, you mustupdate the Authentication Services Mapping on the service form.

Configuring the reconciliation operation for the adapter

This configuration is necessary only if you use the User Principal Name account attribute.

The IBM Security Access Manager Enterprise Single Sign-On WebService API adapter cannot retrieve this attribute from the service during reconciliation. To avoid losing the User Principal Name attribute values, you must configure the reconciliation operation to exclude User Principal Name.

Reconciliation filters

The IMS Server treats reconciliation filters as case-sensitive when performing a filtered reconciliation of IBM Security Access Manager Enterprise Single Sign-On accounts.

Perform a reconciliation with the (eruid=K*) filter in IBM Security Identity Manager. IBM Security Access Manager Enterprise Single Sign-On accounts that start with an uppercase letter K are returned. Accounts starting with a lowercase letter k are removed.

To use a filter without case sensitivity, use both lowercase and uppercase in the filter. For example, (|(eruid=k*)(eruid=K*)). This filter returns all accounts that begin with either an uppercase or lowercase k.
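To see the effect of this case-sensitive matching before running a reconciliation against a live IMS Server, here is an added example (not IBM's code) that evaluates such filters against a constructed list of account IDs. It goes beyond the guide's single (eruid=K*) case by implementing the &, | and ! operators and a case-insensitive mode for comparison. The account list and the evaluator are this example's own; they stand in for the IMS Server's behaviour rather than reproduce its implementation.

```python
"""Evaluate reconciliation filters with the IMS Server's case-sensitive matching.

Added example, not IBM's code. Implements a small evaluator for the LDAP-style
filter syntax the guide uses and runs it over constructed sample accounts.
"""
from __future__ import annotations

import re


def parse_filter(text: str) -> tuple:
    """Parse a filter such as (|(eruid=k*)(eruid=K*)) into a nested tuple tree."""
    text = text.strip()
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError(f"trailing characters after filter: {text[end:]!r}")
    return node


def _parse(s: str, pos: int) -> tuple[tuple, int]:
    if pos >= len(s) or s[pos] != "(":
        raise ValueError(f"expected '(' at position {pos}")
    pos += 1
    if pos >= len(s):
        raise ValueError("unterminated filter")
    op = s[pos]
    if op in "&|":                      # conjunction / disjunction of nested filters
        children, pos = [], pos + 1
        while pos < len(s) and s[pos] == "(":
            child, pos = _parse(s, pos)
            children.append(child)
        return (op, children), _expect_close(s, pos)
    if op == "!":                       # negation of one nested filter
        child, pos = _parse(s, pos + 1)
        return ("!", child), _expect_close(s, pos)
    end = s.find(")", pos)              # simple item: attribute=value-with-wildcards
    if end < 0:
        raise ValueError("unterminated filter item")
    attr, sep, value = s[pos:end].partition("=")
    if not sep or not attr:
        raise ValueError(f"malformed filter item {s[pos:end]!r}")
    return ("=", attr, value), end + 1


def _expect_close(s: str, pos: int) -> int:
    if pos >= len(s) or s[pos] != ")":
        raise ValueError(f"expected ')' at position {pos}")
    return pos + 1


def _value_matches(pattern: str, value: str, case_sensitive: bool) -> bool:
    """'*' is the only wildcard; everything else is matched literally."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    flags = 0 if case_sensitive else re.IGNORECASE
    return re.fullmatch(regex, value, flags) is not None


def matches(node: tuple, entry: dict[str, str], case_sensitive: bool = True) -> bool:
    op = node[0]
    if op == "&":
        return all(matches(c, entry, case_sensitive) for c in node[1])
    if op == "|":
        return any(matches(c, entry, case_sensitive) for c in node[1])
    if op == "!":
        return not matches(node[1], entry, case_sensitive)
    _, attr, pattern = node
    # Attribute names are case-insensitive in LDAP; only the values are compared case-sensitively.
    lowered = {k.lower(): v for k, v in entry.items()}
    value = lowered.get(attr.lower())
    return value is not None and _value_matches(pattern, value, case_sensitive)


def reconcile(filter_text: str, accounts: list[dict[str, str]], case_sensitive: bool = True) -> list[str]:
    """Return the eruid of every account the filter selects, in input order."""
    tree = parse_filter(filter_text)
    return [a["eruid"] for a in accounts if matches(tree, a, case_sensitive)]


# Constructed sample accounts, standing in for what the IMS Server would return.
SAMPLE_ACCOUNTS = [
    {"eruid": "Kim"},
    {"eruid": "karl"},
    {"eruid": "Kate"},
    {"eruid": "kevin"},
    {"eruid": "Lee"},
]

if __name__ == "__main__":
    print(reconcile("(eruid=K*)", SAMPLE_ACCOUNTS))               # ['Kim', 'Kate']
    print(reconcile("(|(eruid=k*)(eruid=K*))", SAMPLE_ACCOUNTS))  # ['Kim', 'karl', 'Kate', 'kevin']
```

The first call reproduces the guide's observation: with (eruid=K*) the lowercase accounts karl and kevin are not returned, so a reconciliation that relied on that filter alone would treat them as gone. The second call shows the combined filter picking up both cases.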

For more information about reconciliation, see the IBM Security Identity ManagerInformation Center.

Configuring IBM Security Access Manager Enterprise Single Sign-On workflow extensions

You can create custom workflow extensions for IBM Security Access Manager Enterprise Single Sign-On to define how to process requests. These customized workflow extensions are workflow objects in the IBM Security Identity Manager.

Adding a workflow extension

This section describes how to add custom workflow extensions, which are workflow objects in IBM Security Identity Manager.


Procedure
1. Edit the workflowextensions.xml file under the ITIM_HOME\data directory to add a workflow extension. Add the following workflow extensions:

   Note: This sample is provided as part of the installation package as the enc_workflow_sample.xml file.

   <ACTIVITY ACTIVITYID="createAccountWithTAMESSO" LIMIT="600000">
     <IMPLEMENTATION_TYPE>
       <APPLICATION CLASS_NAME="encentuate.bridges.wfe.EncentuateCltAppExtension"
                    METHOD_NAME="createAccountWithTAMESSO" />
     </IMPLEMENTATION_TYPE>
     <PARAMETERS>
       <IN_PARAMETERS PARAM_ID="owner" RELEVANT_DATA_ID="owner" class="Person" />
       <IN_PARAMETERS PARAM_ID="service" RELEVANT_DATA_ID="service" class="Service" />
       <IN_PARAMETERS PARAM_ID="account" RELEVANT_DATA_ID="account" class="Account" />
     </PARAMETERS>
     <TRANSITION_RESTRICTION JOIN="XOR" />
     <SCRIPT EVENT="onComplete"><![CDATA[
       WorkflowRuntimeContext.setProcessResult(WorkflowRuntimeContext.getActivityResult());
       WorkflowRuntimeContext.setProcessResultDetail(WorkflowRuntimeContext.getActivityResultDetail());
     ]]></SCRIPT>
   </ACTIVITY>

   <ACTIVITY ACTIVITYID="changePasswordWithTAMESSO" LIMIT="600000">
     <IMPLEMENTATION_TYPE>
       <APPLICATION CLASS_NAME="encentuate.bridges.wfe.EncentuateCltAppExtension"
                    METHOD_NAME="changePasswordWithTAMESSO" />
     </IMPLEMENTATION_TYPE>
     <PARAMETERS>
       <IN_PARAMETERS PARAM_ID="account" RELEVANT_DATA_ID="Entity" class="Account" />
       <IN_PARAMETERS PARAM_ID="notifyFlag" RELEVANT_DATA_ID="notifyFlag" class="String" />
     </PARAMETERS>
     <TRANSITION_RESTRICTION JOIN="XOR" />
     <SCRIPT EVENT="onComplete"><![CDATA[
       WorkflowRuntimeContext.setProcessResult(WorkflowRuntimeContext.getActivityResult());
       WorkflowRuntimeContext.setProcessResultDetail(WorkflowRuntimeContext.getActivityResultDetail());
     ]]></SCRIPT>
   </ACTIVITY>

   <ACTIVITY ACTIVITYID="deleteAccountWithTAMESSO" LIMIT="600000">
     <IMPLEMENTATION_TYPE>
       <APPLICATION CLASS_NAME="encentuate.bridges.wfe.EncentuateCltAppExtension"
                    METHOD_NAME="deleteAccountWithTAMESSO" />
     </IMPLEMENTATION_TYPE>
     <PARAMETERS>
       <IN_PARAMETERS PARAM_ID="account" RELEVANT_DATA_ID="Entity" class="Account" />
     </PARAMETERS>
     <TRANSITION_RESTRICTION JOIN="XOR" />
     <SCRIPT EVENT="onComplete"><![CDATA[
       WorkflowRuntimeContext.setProcessResult(WorkflowRuntimeContext.getActivityResult());
       WorkflowRuntimeContext.setProcessResultDetail(WorkflowRuntimeContext.getActivityResultDetail());
     ]]></SCRIPT>
   </ACTIVITY>

   <ACTIVITY ACTIVITYID="noExistingSSOAccount" LIMIT="600000">
     <IMPLEMENTATION_TYPE>
       <APPLICATION CLASS_NAME="encentuate.bridges.wfe.EncentuateCltAppExtension"
                    METHOD_NAME="noExistingSSOAccount" />
     </IMPLEMENTATION_TYPE>
     <PARAMETERS>
       <IN_PARAMETERS PARAM_ID="owner" RELEVANT_DATA_ID="owner" TYPE="Person" />
       <IN_PARAMETERS PARAM_ID="service" RELEVANT_DATA_ID="service" TYPE="Service" />
       <IN_PARAMETERS PARAM_ID="account" RELEVANT_DATA_ID="account" TYPE="Account" />
     </PARAMETERS>
     <TRANSITION_RESTRICTION JOIN="XOR" />
     <SCRIPT EVENT="onComplete"><![CDATA[
       WorkflowRuntimeContext.setProcessResult(WorkflowRuntimeContext.getActivityResult());
       WorkflowRuntimeContext.setProcessResultDetail(WorkflowRuntimeContext.getActivityResultDetail());
     ]]></SCRIPT>
   </ACTIVITY>


2. Copy the SAMESSOWfe.jar file from the installation package to the WEBSPHERE_HOME\AppServer\profiles\SERVER_NAME\installedApps\NODE_NAME\ITIM.ear\app_web.war\WEB-INF\lib directory. If no directory exists, create one.
3. Extract the subforms.zip archive from the adapter package into a temporary folder.
4. Copy the folder and the files in subforms\samesso to the WEBSPHERE_HOME\AppServer\profiles\SERVER_NAME\installedApps\NODE_NAME\ITIM.ear\itim_console.war\subforms\samesso directory.
5. Restart the IBM Security Identity Manager application from the WebSphere console, or restart the WebSphere server itself.

What to do next

After a successful restart, define the workflow. See “Defining workflows with extensions.”
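Before restarting IBM Security Identity Manager, it is worth confirming that the ACTIVITY entries added in step 1 are well formed and that each extension name the extension nodes in “Defining workflows with extensions” will reference is actually registered. The following added example (not IBM's code and not the product's own validation) parses the file with the standard library and reports gaps. The <EXTENSIONS> root element and the two-activity sample are constructed for this example; the guide does not show the real root element of workflowextensions.xml, and the script therefore looks for ACTIVITY elements anywhere in the tree.

```python
"""Cross-check workflowextensions.xml against the operation-to-extension mapping.

Added example, not IBM's code. The <EXTENSIONS> wrapper in SAMPLE_XML is a
constructed root element; the guide does not show the real file's root.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass, field


@dataclass
class Extension:
    activity_id: str
    class_name: str
    method_name: str
    limit: int
    # (PARAM_ID, RELEVANT_DATA_ID, parameter type)
    params: list[tuple[str, str, str]] = field(default_factory=list)


def registered_extensions(xml_text: str) -> dict[str, Extension]:
    """Map each ACTIVITYID to its implementation details; raise on malformed entries."""
    found: dict[str, Extension] = {}
    for act in ET.fromstring(xml_text).iter("ACTIVITY"):
        activity_id = act.get("ACTIVITYID", "")
        app = act.find("IMPLEMENTATION_TYPE/APPLICATION")
        if not activity_id or app is None:
            raise ValueError(f"ACTIVITY {activity_id!r} lacks an ACTIVITYID or an APPLICATION element")
        if activity_id in found:
            raise ValueError(f"duplicate ACTIVITYID {activity_id}")
        params = []
        for p in act.findall("PARAMETERS/IN_PARAMETERS"):
            # The guide's sample spells the parameter type as class= in some entries and TYPE= in others.
            ptype = p.get("class") or p.get("TYPE") or ""
            params.append((p.get("PARAM_ID", ""), p.get("RELEVANT_DATA_ID", ""), ptype))
        found[activity_id] = Extension(activity_id, app.get("CLASS_NAME", ""),
                                       app.get("METHOD_NAME", ""), int(act.get("LIMIT", "0")), params)
    return found


def check_operation_mapping(extensions: dict[str, Extension],
                            mapping: list[tuple[str, str, str, str]]) -> list[str]:
    """Rows are (entity, operation, workflow node Activity ID, extension name) as in the guide's table."""
    findings: list[str] = []
    for entity, operation, node_id, ext_name in mapping:
        ext = extensions.get(ext_name)
        if ext is None:
            findings.append(f"{entity}/{operation} ({node_id}): extension {ext_name} is not registered")
            continue
        if ext.method_name != ext_name:
            findings.append(f"{ext_name}: METHOD_NAME {ext.method_name!r} differs from the ACTIVITYID")
        if not ext.class_name:
            findings.append(f"{ext_name}: APPLICATION has no CLASS_NAME")
        if ext.limit <= 0:
            findings.append(f"{ext_name}: LIMIT must be a positive number")
        if any("" in p for p in ext.params):
            findings.append(f"{ext_name}: an IN_PARAMETERS entry lacks PARAM_ID, RELEVANT_DATA_ID or a type")
    return findings


# Constructed sample: two of the guide's activities; changePasswordWithTAMESSO is left out on purpose.
SAMPLE_XML = """\
<EXTENSIONS>
  <ACTIVITY ACTIVITYID="createAccountWithTAMESSO" LIMIT="600000">
    <IMPLEMENTATION_TYPE>
      <APPLICATION CLASS_NAME="encentuate.bridges.wfe.EncentuateCltAppExtension"
                   METHOD_NAME="createAccountWithTAMESSO" />
    </IMPLEMENTATION_TYPE>
    <PARAMETERS>
      <IN_PARAMETERS PARAM_ID="owner" RELEVANT_DATA_ID="owner" class="Person" />
      <IN_PARAMETERS PARAM_ID="service" RELEVANT_DATA_ID="service" class="Service" />
      <IN_PARAMETERS PARAM_ID="account" RELEVANT_DATA_ID="account" class="Account" />
    </PARAMETERS>
    <TRANSITION_RESTRICTION JOIN="XOR" />
  </ACTIVITY>
  <ACTIVITY ACTIVITYID="deleteAccountWithTAMESSO" LIMIT="600000">
    <IMPLEMENTATION_TYPE>
      <APPLICATION CLASS_NAME="encentuate.bridges.wfe.EncentuateCltAppExtension"
                   METHOD_NAME="deleteAccountWithTAMESSO" />
    </IMPLEMENTATION_TYPE>
    <PARAMETERS>
      <IN_PARAMETERS PARAM_ID="account" RELEVANT_DATA_ID="Entity" TYPE="Account" />
    </PARAMETERS>
  </ACTIVITY>
</EXTENSIONS>
"""

# Rows from the guide's extension-node table.
OPERATION_MAPPING = [
    ("Account", "changePassword", "CHANGEPASSWORDWITHTAMESSO", "changePasswordWithTAMESSO"),
    ("Account", "delete", "DELETEACCOUNTWITHTAMESSO", "deleteAccountWithTAMESSO"),
    ("ITIM account", "add", "CREATEACCOUNTWITHTAMESSO", "createAccountWithTAMESSO"),
]

if __name__ == "__main__":
    for line in check_operation_mapping(registered_extensions(SAMPLE_XML), OPERATION_MAPPING):
        print(line)
```

To use it on a real installation, read ITIM_HOME\data\workflowextensions.xml into registered_extensions and keep OPERATION_MAPPING in step with the extension nodes you define; a finding for a missing extension means the operation diagram would point at a node that IBM Security Identity Manager cannot resolve after the restart.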

Defining workflows with extensions

Define the workflow extension for each type of account integrated with the IBM Security Access Manager Enterprise Single Sign-On service. Include the account type.

Procedure
1. Log on to IBM Security Identity Manager.
2. Select Configure System > Manage Operations.
3. For the Operation Level, click Entity level.

   Note: If you want to integrate all account types with the service, click Entity type level instead.

4. Select Account as the Entity type.
5. Select the type of account you want to integrate with the service.

   Note: If you want to integrate the ITIM Account with the service, select Identity Manager User as the Entity type.

6. Click Add to create an add operation if it does not exist. The operation diagram is displayed.
7. Remove the transition from CREATEACCOUNT to End.
8. Add an extension node between CREATEACCOUNT and End.

   Note: Configure the properties of the default extension nodes for these operations with the following values:


Entity        Operation       Activity ID                Extension Name
Account       changePassword  CHANGEPASSWORDWITHTAMESSO  changePasswordWithTAMESSO
Account       delete          DELETEACCOUNTWITHTAMESSO   deleteAccountWithTAMESSO
ITIM account  add             CREATEACCOUNTWITHTAMESSO   createAccountWithTAMESSO

9. Double-click the new Extension node. A pop-up window displays all the extensions that were registered with workflowextensions.xml.

[Figure: Properties: Extension Node dialog. Activity ID: CREATEACCOUNTWITHTAMESSO; Extension Name: createAccountWithTAMESSO(Person owner, Service service, Account account); Split Type: AND; Input Parameters: owner (Relevant Data ID owner, Type Person), service (Relevant Data ID service, Type Service), account (Relevant Data ID account, Type Account).]

10. In the Activity ID field, type CREATEACCOUNTWITHTAMESSO.
11. Select createAccountWithTAMESSO as the Extension Name.
12. Click Ok and attach the transitions to the newly added extension.

[Figure: Operation Diagram for the Account add operation, showing the nodes Start > CREATEACCOUNT > CREATEACCOUNTWITHTAMESSO > End.]

13. Double-click the transition from CREATEACCOUNT to CREATEACCOUNTWITHTAMESSO to edit the properties.
14. Click Custom and type the following code:

activity.resultSummary==activity.SUCCESS


[Figure: Properties: Transition dialog. From: CREATEACCOUNT; To: CREATEACCOUNTWITHTAMESSO; Condition: Custom, with the script activity.resultSummary==activity.SUCCESS.]

15. Click Ok to close the property window.
16. Click Update and then click OK.
17. Click Close to close the Operations window.
18. Repeat Steps 2 - 12 for the changePassword and delete operations, or for the add operation for the ITIM account.

Redefining IBM Security Access Manager Enterprise Single Sign-On account add operation

You must redefine the IBM Security Access Manager Enterprise Single Sign-On account add operation to prevent duplicate accounts or multiple accounts per user from being created.

About this task

Each IBM Security Access Manager Enterprise Single Sign-On account must correspond to only a single Person in IBM Security Identity Manager.

Procedure

1. Select Configure System > Manage Operations.
2. Click Entity level as the Operation Level.
3. Select Account as the Entity type.
4. Select ISAM ESSO Account for Entity.
5. Click Refresh to get a list of operation changes from default.
6. Take one of the following actions:
   v If the add operation is not on the list, click Add and define the Operation Name as add. Click Continue to modify the workflow.
   v If the add operation is on the list, click the operation to modify the workflow.
7. Modify the operation workflow.

a. Add an Extension node between Start and CREATEACCOUNT.

b. Configure the extension node to use Extension Name noExistingSSOAccount and provide an Activity ID, for example NOEXISTINGSSOACCOUNT. Set the Split Type to OR.

c. Double-click the transition from NOEXISTINGSSOACCOUNT to CREATEACCOUNT to edit the properties.


d. Click Custom and type the following code:

activity.resultSummary==activity.SUCCESS

e. Create a transition from the NOEXISTINGSSOACCOUNT node to the End node.

f. Double-click the transition from the NOEXISTINGSSOACCOUNT node to the End node to edit the properties.

g. Click Custom and type the following code:

if(activity.resultSummary==activity.FAILED){
  WorkflowRuntimeContext.setProcessResult(process.FAILED);
  return true;
}

8. Click Update. The workflow is displayed.

[Figure: Operation Diagram for the redefined add operation, showing the nodes Start > NOEXISTINGSSOACCOUNT (Extension) > CREATEACCOUNT.]

9. Click OK.
10. Click Close to exit the Operations window.
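The two Custom transition scripts from steps 7d and 7g, run outside IBM Security Identity Manager as an added example (not part of the guide) against constructed stand-ins for the activity, process and WorkflowRuntimeContext objects; the stand-ins, the routing function and the assumption that noExistingSSOAccount reports FAILED when the Person already owns an SSO account are mine, not the product's.

```javascript
// Added example, not from the guide: simulates the OR-split routing out of the
// NOEXISTINGSSOACCOUNT node using the guide's two transition scripts verbatim.

var SUCCESS = 'SUCCESS';   // stand-in for activity.SUCCESS
var FAILED = 'FAILED';     // stand-in for activity.FAILED and process.FAILED

// Stand-in for WorkflowRuntimeContext: only records the process result.
function makeRuntimeContext() {
  var processResult = null;
  return {
    setProcessResult: function (r) { processResult = r; },
    getProcessResult: function () { return processResult; }
  };
}

// Transition NOEXISTINGSSOACCOUNT -> CREATEACCOUNT (guide step 7d).
function toCreateAccount(activity) {
  return activity.resultSummary == activity.SUCCESS;
}

// Transition NOEXISTINGSSOACCOUNT -> End (guide step 7g). On failure it marks
// the whole process FAILED and takes the transition; otherwise it returns
// undefined, which counts as "transition not taken".
function toEnd(activity, WorkflowRuntimeContext, process) {
  if (activity.resultSummary == activity.FAILED) {
    WorkflowRuntimeContext.setProcessResult(process.FAILED);
    return true;
  }
}

// Evaluates both outgoing transitions of the OR-split node for the result the
// noExistingSSOAccount extension produced (assumption: FAILED when the Person
// already has an SSO account) and returns the nodes the workflow proceeds to.
function routeFromNoExistingSsoAccount(ctx, extensionResult) {
  var activity = { SUCCESS: SUCCESS, FAILED: FAILED, resultSummary: extensionResult };
  var process = { FAILED: FAILED };
  var next = [];
  if (toCreateAccount(activity)) next.push('CREATEACCOUNT');
  if (toEnd(activity, ctx, process)) next.push('End');
  return next;
}

// Stand-alone run: a new user creates the account, a duplicate ends the
// request with the process marked FAILED and no CREATEACCOUNT step.
var ctxNew = makeRuntimeContext();
console.log(routeFromNoExistingSsoAccount(ctxNew, SUCCESS), ctxNew.getProcessResult());
var ctxDup = makeRuntimeContext();
console.log(routeFromNoExistingSsoAccount(ctxDup, FAILED), ctxDup.getProcessResult());
```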

Defining the IBM Security Access Manager Enterprise Single Sign-On Authentication Service ID and Service Prerequisite

For sign-on automation to work, all application services in IBM Security Identity Manager must have an IBM Security Access Manager Enterprise Single Sign-On Authentication Service ID. This ID is defined on its service form. You must also assign the service as a prerequisite service. Otherwise, sign-on automation does not work.

About this task

No IBM Security Access Manager Enterprise Single Sign-On Authentication Service ID and Service Prerequisite fields exist on the service form by default. You must create these fields on the service form.

Procedure

1. Log on to IBM Security Identity Manager.
2. Click Configure System > Design Forms.
3. Double-click Service and then double-click the specific service.
4. From the Attribute List, double-click erservicessomapping. The attribute is displayed in the service tab field on the design form.
5. From the Properties menu, change the Label for this attribute to ISAM E-SSO Authentication Service.
6. Click the erservicessomapping attribute.
7. Click Attributes > Change to > Subform. The Subform Editor window is displayed.
8. In the customServletURI field, type samesso/samesso.jsp.
9. Click OK to close the Subform Editor window.
10. From the Attribute List, double-click erprerequisite. The attribute is displayed in the service tab field on the design form.
11. Click to select the erprerequisite attribute.


12. Click Attributes > Change to > Search Control. The Search Control Editor window is displayed.
13. In the Category listbox, select Service.
14. In the Type list, select Single Value.
15. Click OK to close the Search Control Editor window.
16. Save the form template and close the Form Designer window.

What to do next

Configure the service. See “Configuring the service.”

Configuring the service

You must map an IBM Security Identity Manager service to a valid Authentication Service ID in IBM Security Access Manager Enterprise Single Sign-On. After this mapping is complete, you can store account credentials in the wallet.

Before you begin

To obtain details about the authentication service ID:

1. Log on to the IMS Configuration Utility.
2. Select Authentication Services from the Basic Settings menu. A list of available authentication services is displayed.
3. Select the appropriate authentication service to view the authentication service ID and the account data template.

About this task

When you modify an account attribute, the changes do not automatically propagate to the IBM Security Access Manager Enterprise Single Sign-On server. No workflow extension exists to trigger the adapter. When you change a second key or second secret value, you must explicitly change the password for the corresponding account. If you specify a data template with a second key or second secret attribute, a valid value for the corresponding attribute must exist for the Add and Change password operations to succeed.

Procedure

1. Log in to the IBM Security Identity Manager server with an account that has the authority to perform administrative tasks.
2. Click Managed Services.
3. Click Search to view the available services.
4. Click the service that requires IBM Security Access Manager Enterprise Single Sign-On integration. The Change service pane is displayed.
5. Locate the ISAM ESSO Authentication Service field.
6. Click Details to display the SAMESSO Authentication Service Information Subform.
7. Type the authentication service ID in the Authentication Service ID field.
8. Select the appropriate Account Data Template for that authentication service.
9. If necessary, complete the Second Key attribute mapping and Second Secret attribute mapping with the attribute name from the ITIM service or account schema. The attribute value from the service or account is saved as the second key or second secret in IBM Security Access Manager Enterprise Single Sign-On. If the Second Key or Second Secret is a constant value, add the prefix '@' in the text. For example: @sampleConstantValue

Tip: To get the attribute name from the service or account schema:
a. Click Configure System > Manage Service Types.
b. Select the service type corresponding to the service being integrated.
c. Select the Service tab for the service schema or the Account tab for the account schema.
d. Click the attribute to view its schema name. Use the schema name for the attribute mapping field.

10. Click OK to save the configuration in the subform and close it.

Setting the service prerequisite

To use IBM Security Access Manager Enterprise Single Sign-On with a service, you must assign it as a service prerequisite for that service.

Before you begin

The Service prerequisite field must exist in the ITIM Service form template in LDAP.

Procedure

1. Log in to the IBM Security Identity Manager server with an account that has the authority to perform administrative tasks.
2. Click Managed Services.
3. Click Search to view the available services.
4. Click the service for which you want to provide Single Sign-On.
5. On the General tab, locate Service Prerequisite.
6. Click Search.
7. Select the IBM Security Access Manager Enterprise Single Sign-On service that you previously configured.
8. Click OK.
9. Click OK.

What to do next

Provide Single Sign-On for additional services. For more information about managing services, see the IBM Security Identity Manager Information Center.

JavaScript for Lotus Notes account type

The attribute erUid might not be the value to be passed to the wallet.

The following JavaScript is an example that can be used for the Lotus Notes add/changePassword/delete operations before calling the ENC* extensions. It rewrites eruid from the hierarchical Notes full name (for example CN=Jane Doe/OU=Sales/O=Example becomes Jane Doe/Sales/Example).

var acct = Entity.get();
var fn = acct.getProperty('ernotesfullname');
for (var x = 0; x < fn.length; x++) {
  // Only hierarchical names (containing '/') are rewritten.
  if (fn[x].indexOf('/') != -1) {
    var buff = new Array();
    var splt = fn[x].split('/');
    for (var i = 0; i < splt.length; i++) {
      // Drop the "CN=", "OU=", "O=" prefix of each component.
      var prt1 = splt[i].indexOf('=') + 1;
      var stri = splt[i].substring(prt1, splt[i].length);
      buff[i] = stri;
    }
    var id = buff.join('/');
    acct.setProperty('eruid', id);
    Entity.set(acct);
  }
}
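The same eruid derivation factored into plain functions so it can be checked outside IBM Security Identity Manager, as an added example that is not part of the guide; the function names and the sample names are assumptions, and it adds one thing the guide's script lacks, tolerating a missing ernotesfullname attribute.

```javascript
// Added example, not from the guide: derives the eruid that is passed to the
// wallet for a Lotus Notes account from its hierarchical Notes full name.

// Abbreviates one canonical Notes name: "CN=Jane Doe/OU=Sales/O=Example"
// becomes "Jane Doe/Sales/Example". A component with no "=" is kept whole,
// because indexOf('=') + 1 is then 0 and substring(0) returns the component.
function abbreviateNotesName(fullName) {
  var splt = fullName.split('/');
  var buff = new Array();
  for (var i = 0; i < splt.length; i++) {
    var prt1 = splt[i].indexOf('=') + 1;
    buff[i] = splt[i].substring(prt1, splt[i].length);
  }
  return buff.join('/');
}

// Mirrors the guide's loop over the multi-valued ernotesfullname attribute:
// each value that contains "/" is abbreviated and becomes the new eruid, so
// with several hierarchical values the last one wins; flat values (no "/")
// leave eruid unchanged. Unlike the guide's script, a missing attribute is
// tolerated instead of failing on fn.length.
function deriveNotesUid(notesFullNames, currentUid) {
  var id = currentUid;
  if (!notesFullNames) return id;
  for (var x = 0; x < notesFullNames.length; x++) {
    if (notesFullNames[x].indexOf('/') != -1) {
      id = abbreviateNotesName(notesFullNames[x]);
    }
  }
  return id;
}

// Stand-alone run on a constructed account value.
console.log(deriveNotesUid(['CN=Jane Doe/OU=Sales/O=Example'], 'jdoe'));
```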

AccessProfiles creation for IBM Security Access Manager

This section provides information about creating an AccessProfile for IBM Security Access Manager.

You can create an AccessProfile for the IBM Security Access Manager basic authentication logon prompt, which is displayed by Internet Explorer. It uses the IBM Security Access Manager dir_tam authentication service and the app_iexplore application.

AccessAgent uses AccessProfiles to recognize the IBM Security Access Manager basic authentication logon prompt. AccessAgent automatically fills in the logon prompt with the IBM Security Access Manager user name and the password. Before using AccessStudio, log on to AccessAgent as the IBM Security Access Manager administrator.

To create AccessProfiles for IBM Security Access Manager, see the IBM Security Access Manager Information Center. Search for AccessProfile.

Configuring IBM Security Access Manager as an enterprise authentication service

Configure IBM Security Access Manager as an enterprise authentication service in the IMS Server so that AccessAgent can manage IBM Security Access Manager as an enterprise authentication service.

About this task

Audit logs are submitted to the IMS Server when users log on to IBM Security Access Manager. Use the AccessAdmin web interface to configure the IMS Server.

Procedure

1. Log on to AccessAgent as an administrator of IBM Security Access Manager.
2. Launch AccessAdmin. Typically, you access it at https://imsserver, where imsserver is the host name of the IMS Server.
3. Click Authentication service policies in the left panel. The current list of authentication services is shown in the right panel.
4. In the right panel, under Personal Authentication Services, look for IBM Security Access Manager.
5. Select the check box.
6. Click Move to enterprise authentication services. IBM Security Access Manager is moved to the list of enterprise authentication services.


Chapter 6. Troubleshooting

Troubleshooting is a systematic approach to solving a problem. The goal of troubleshooting is to determine why something does not work as expected and how to resolve the problem. This topic provides information and techniques for identifying and resolving problems that are related to the adapter, including troubleshooting errors that might occur during the adapter installation.

Techniques for troubleshooting problems

Certain common techniques can help with the task of troubleshooting. The first step in the troubleshooting process is to describe the problem completely.

Problem descriptions help you and the IBM technical-support representative find the cause of the problem. This step includes asking yourself basic questions:
v What are the symptoms of the problem?
v Where does the problem occur?
v When does the problem occur?
v Under which conditions does the problem occur?
v Can the problem be reproduced?

The answers to these questions typically lead to a good description of the problem, which can then lead you to a problem resolution.

What are the symptoms of the problem?

When you start to describe a problem, the most obvious question is “What is the problem?” This question might seem straightforward; however, you can break it down into several more-focused questions that create a more descriptive picture of the problem. These questions can include:
v Who, or what, is reporting the problem?
v What are the error codes and messages?
v How does the system fail? For example, is it a loop, hang, crash, performance degradation, or incorrect result?

Where does the problem occur?

Determining where the problem originates is not always easy, but it is one of the most important steps in resolving a problem. Many layers of technology can exist between the reporting and failing components. Networks, disks, and drivers are only a few of the components to consider when you are investigating problems.

The following questions help you to focus on where the problem occurs to isolate the problem layer:
v Is the problem specific to one operating system, or is it common across multiple operating systems?
v Is the current environment and configuration supported?
v Do all users have the problem?
v (For multi-site installations.) Do all sites have the problem?


If one layer reports the problem, the problem does not necessarily originate in that layer. Part of identifying where a problem originates is understanding the environment in which it exists. Take some time to completely describe the problem environment, including the operating system and version, all corresponding software and versions, and hardware information. Confirm that you are running within an environment that is a supported configuration. Many problems can be traced back to incompatible levels of software that are not intended to run together or are not fully tested together.

When does the problem occur?

Develop a detailed timeline of events that lead up to a failure, especially for those cases that are one-time occurrences. You can most easily develop a timeline by working backward: Start at the time an error was reported (as precisely as possible, even down to the millisecond), and work backward through the available logs and information. Typically, you use the first suspicious event that you find in a diagnostic log.

To develop a detailed timeline of events, answer these questions:
v Does the problem happen only at a certain time of day or night?
v How often does the problem happen?
v What sequence of events leads up to the time that the problem is reported?
v Does the problem happen after an environment change, such as upgrading or installing software or hardware?

Responding to these types of questions can give you a frame of reference in which to investigate the problem.

Under which conditions does the problem occur?

Knowing which systems and applications are running at the time that a problem occurs is an important part of troubleshooting. These questions about your environment can help you to identify the root cause of the problem:
v Does the problem always occur when the same task is being done?
v Is a certain sequence of events required for the problem to occur?
v Do any other applications fail at the same time?

Answering these types of questions can help you explain the environment in which the problem occurs and correlate any dependencies. Remember that just because multiple problems might occur around the same time, the problems are not necessarily related.

Can the problem be reproduced?

From a troubleshooting standpoint, the ideal problem is one that can be reproduced. Typically, when a problem can be reproduced you have a larger set of tools or procedures at your disposal to help you investigate. Problems that you can reproduce are often easier to debug and solve.

However, problems that you can reproduce can have a disadvantage: If the problem is of significant business impact, you do not want it to recur. If possible, re-create the problem in a test or development environment, which typically offers you more flexibility and control during your investigation.
v Can the problem be re-created on a test system?
v Do multiple users or applications have the same type of problem?
v Can the problem be re-created by running a single command, a set of commands, or a particular application?

Error messages and problem solving

You might encounter some problems at run time. Use this information to resolve some of these common runtime problems.

Runtime problems and corrective actions are described in the following table.

Table 3. Runtime problems

Problem: Reconciliation does not return all IMS Server accounts. Reconciliation is successful but some accounts are missing.

If the allocated JVM memory is not large enough, an attempt to reconcile many accounts with the adapter results in log file errors. The reconciliation process fails.

The adapter log files contain entries that state ErmPduAddEntry failed. The WebSphere_install_dir/logs/itim.log file contains java.lang.OutOfMemoryError exceptions.

Corrective action: For the adapter to reconcile many accounts successfully, you might need to increase the WebSphere JVM memory. To do so, complete the following steps on the WebSphere host computer:

Note: Do not increase the JVM memory to a value higher than the system memory.

1. Log in to the administrative console.
2. Expand Servers in the left menu and select Application Servers.
3. A table displays the names of known application servers on your system. Click the link for your primary application server.
4. Select Process Definition from the Configuration tab.
5. Select the Java Virtual Machine property.
6. Enter a new value for the Maximum Heap Size. The default value is 256 MB.


Problem: Test Connection fails when creating the IBM Security Access Manager Enterprise Single Sign-On service. The following errors result when attempting to establish a connection:

CTGIMU107W
The connection to the specified service cannot be established. Verify the service information, and try again.

CTGIMT605E
An error occurred while processing the CTGIMT401E An error occurred while starting the Test_TAMESSO_test-no-requestid_30cd36f8-28d9-11b2-10c6-00000a0203f0 agent. Error: CTGDIS084I Initialization of Test failed: java.lang.Exception: [Test] CTGDIS025E Exception while loading configuration: java.lang.Exception: [Test] CTGDIS497W Cannot find the java class for system:/Connectors/ibmdi.TAMESSO. The jar file may be corrupted... operation on the IBM Tivoli Directory Integrator server. Error: {1}

An error similar to the following is printed in the trace.log:

Exception while loading configuration: java.lang.Exception: [Test] CTGDIS497W Cannot find the java class for system:/Connectors/ibmdi.TAMESSO. The jar file may be corrupted.

Corrective action: Verify that you installed the IBM Security Access Manager Enterprise Single Sign-On connector correctly. The SAMESSOConnector.jar file is in the ITDI_HOME/jars/connectors directory. You must restart the dispatcher after making this JAR file available. For complete installation procedures, see Chapter 3, “Installing,” on page 11.

Problem: IBM Security Access Manager Enterprise Single Sign-On single sign-on does not work for an application after you create or modify the credentials with the adapter. The logon details that are automatically completed for the user include the old password and therefore prevent a successful logon. The wallet used by AccessAgent does not contain the updated password.

Corrective action: Ensure that you synchronized AccessAgent with IBM Security Access Manager Enterprise Single Sign-On to download the latest credentials into the user's wallet.

1. Right-click the icon in the system tray while AccessAgent is running.
2. Select Synchronize with IMS.

If this option is not available, you must enable the WalletSyncManualEnabled registry setting.

1. Type regedit on a command line.
2. Click HKEY_LOCAL_MACHINE > SOFTWARE > Encentuate > Temp.
3. Set WalletSyncManualEnabled to 1.
4. Click File > Exit.

Try the synchronization steps again.


Problem: Error 1392509705 can occur when you add an IBM Security Access Manager Enterprise Single Sign-On account. A message similar to the following is in the Result details section of the Process Details screen for the add request:

ERROR [C:\Program Files\IBM\TDI\V7.1\timsol\ITIM_RMI.xml] - COMPONENT Add: ERROR Add user failed with error:1392509705

Corrective action: Ensure that:
v The user account that you are attempting to add is a valid Active Directory or LDAP user.
v The user name and user principal name are the same as the ones defined in Active Directory.
v The password is correct if the IMS Server is configured to synchronize the password with Active Directory.

Problem: Error 1392509704 can occur when you add an IBM Security Access Manager Enterprise Single Sign-On account. A message similar to the following is in the Result details section of the Process Details screen for the add request:

ERROR [C:\Program Files\IBM\TDI\V7.1\timsol\ITIM_RMI.xml] - COMPONENT Add: ERROR Add user failed with error:1392509704

Corrective action: You must create the account in Active Directory before you provision the IBM Security Access Manager Enterprise Single Sign-On account. The IMSAccount ID must include the domain if:
v IBM Security Access Manager Enterprise Single Sign-On is configured for Enterprise Directory password synchronization.
v An IMSAccount is provisioned before the AD account.

For example: ibm.com\alblair.

Problem: An error can occur when you add an IBM Security Access Manager Enterprise Single Sign-On account. A message similar to the following is in the Result details section of the Process Details screen for the add request:

ERROR [C:\Program Files\IBM\TDI\V7.1\timsol\ITIM_RMI.xml] - COMPONENT OperationName: ERROR OperationName user failed with error:IntValue ResultCode

Corrective action: Go to https://isamesso_server_name/ims/ui/diagnostics for an explanation of all IBM Security Access Manager Enterprise Single Sign-On error codes. Find out what the result code in the message means and then fix the problem.
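A small log classifier that matches the error signatures Table 3 documents and reports the table's corrective action for each, as an added example that is not part of the guide; the sample log lines are constructed from the messages the table quotes (the 1392509999 code is invented to exercise the catch-all), and the function and constant names are assumptions.

```javascript
// Added example, not from the guide: maps adapter, ISIM and Dispatcher log
// lines to the runtime problems of Table 3 and their corrective actions.

// Pulls the IMS result code out of a "... failed with error:<n>" message, or
// returns null when the line is not such a message.
function imsResultCode(line) {
  var m = /failed with error:\s*(\d+)/.exec(line);
  return m ? parseInt(m[1], 10) : null;
}

// Signatures in the order they are checked; the specific result codes come
// before the catch-all so the most precise corrective action wins.
var RUNTIME_PROBLEMS = [
  {
    id: 'jvm-heap',
    matches: function (line) {
      return line.indexOf('ErmPduAddEntry failed') != -1 ||
             line.indexOf('java.lang.OutOfMemoryError') != -1;
    },
    action: 'Reconciliation is running out of JVM memory: raise the WebSphere ' +
            'Maximum Heap Size (default 256 MB), staying below system memory.'
  },
  {
    id: 'connector-missing',
    matches: function (line) {
      return line.indexOf('CTGDIS497W') != -1 && line.indexOf('ibmdi.TAMESSO') != -1;
    },
    action: 'Check that SAMESSOConnector.jar is in ITDI_HOME/jars/connectors ' +
            'and restart the Dispatcher.'
  },
  {
    id: 'add-1392509705',
    matches: function (line) { return imsResultCode(line) === 1392509705; },
    action: 'Confirm the user is a valid Active Directory or LDAP user, that the ' +
            'user name and user principal name match Active Directory, and that ' +
            'the password is correct if the IMS Server synchronizes passwords.'
  },
  {
    id: 'add-1392509704',
    matches: function (line) { return imsResultCode(line) === 1392509704; },
    action: 'Create the Active Directory account first and include the domain ' +
            'in the IMSAccount ID, for example ibm.com\\alblair.'
  },
  {
    id: 'add-other-code',
    matches: function (line) { return imsResultCode(line) !== null; },
    action: 'Look the result code up at https://isamesso_server_name/ims/ui/diagnostics.'
  }
];

// Returns the matching RUNTIME_PROBLEMS entry, or null for a line that carries
// none of the documented signatures.
function classifyLogLine(line) {
  for (var i = 0; i < RUNTIME_PROBLEMS.length; i++) {
    if (RUNTIME_PROBLEMS[i].matches(line)) return RUNTIME_PROBLEMS[i];
  }
  return null;
}

// Classifies a whole log and returns one problem id (or null) per line.
function classifyLog(lines) {
  var ids = [];
  for (var i = 0; i < lines.length; i++) {
    var hit = classifyLogLine(lines[i]);
    ids.push(hit ? hit.id : null);
  }
  return ids;
}

// Constructed sample log, modelled on the messages Table 3 quotes.
var SAMPLE_LOG = [
  'ERROR [C:\\Program Files\\IBM\\TDI\\V7.1\\timsol\\ITIM_RMI.xml] - COMPONENT Add: ERROR Add user failed with error:1392509705',
  'ERROR [C:\\Program Files\\IBM\\TDI\\V7.1\\timsol\\ITIM_RMI.xml] - COMPONENT Add: ERROR Add user failed with error:1392509704',
  'ERROR [C:\\Program Files\\IBM\\TDI\\V7.1\\timsol\\ITIM_RMI.xml] - COMPONENT Add: ERROR Add user failed with error:1392509999',
  '[Test] CTGDIS497W Cannot find the java class for system:/Connectors/ibmdi.TAMESSO. The jar file may be corrupted.',
  'ErmPduAddEntry failed',
  'Caused by: java.lang.OutOfMemoryError: Java heap space',
  'INFO Reconciliation completed for service ISAM ESSO'
];

// Stand-alone run: prints the problem id and corrective action per line.
for (var n = 0; n < SAMPLE_LOG.length; n++) {
  var p = classifyLogLine(SAMPLE_LOG[n]);
  console.log(n, p ? p.id + ': ' + p.action : 'no documented signature');
}
```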


Chapter 7. Uninstalling

To remove an adapter from the IBM Security Identity server for any reason, you must remove all the components that were added during installation. Uninstalling an IBM Tivoli Directory Integrator based adapter mainly involves removing the connector file, and the adapter profile from the IBM Security Identity server. Depending on the adapter, some of these tasks might not be applicable, or there can be other tasks.

Removing the adapter binaries or connector

The adapter installation process also installs the Tivoli Directory Integrator IBM Security Access Manager Enterprise Single Sign-On connector. Therefore, you must remove the TAMESSOConnector.jar file from the Tivoli Directory Integrator

Procedure

1. Stop the Dispatcher service.
2. Remove the TAMESSOConnector.jar file from the ITDI_HOME/jars/connectors directory.
3. Start the Dispatcher service.

Removing the adapter profile

You remove the adapter profile when you delete the service type from the IBM Security Identity Manager.

Before you begin

Before removing the adapter profile, ensure that no objects exist on the IBM Security Identity Manager server that reference the adapter profile.

Examples of objects on the IBM Security Identity Manager server that can reference the adapter profile are:
v Adapter service instances
v Policies referencing an adapter instance or the profile
v Accounts

About this task

The Dispatcher component must be installed on your system for adapters to function correctly in a Tivoli Directory Integrator environment. When you delete the adapter profile for the IBM Security Access Manager Enterprise Single Sign-On Adapter, do not uninstall the Dispatcher.

For information about how to remove the adapter profile, see the IBM Security Identity Manager Information Center. Search on deleting service types.

Procedure

1. Log in to the IBM Security Identity Manager server with an account that has the authority to perform administrative tasks.
2. From the navigation tree, click Configure System > Manage Service Types. The Manage Service Types page is displayed.
3. Select the check box for the service profile you want to delete.
4. Click Delete.
5. On the Confirm page, click Delete or click Cancel.

Results

A message indicates that you successfully deleted the service type.


Chapter 8. Reference

Reference information is organized to help you locate particular facts quickly, such as adapter attributes, registry settings, and environment variables.

Adapter attributes and object classes

The IBM Security Identity server communicates with the adapter by using attributes, which are included in transmission packets that are sent over a network.

After you install the adapter profile, the IBM Security Access Manager Enterprise Single Sign-On Adapter supports a standard set of attributes. You can use these attributes to customize IBM Security Access Manager Enterprise Single Sign-On service and account forms.

The following tables show the standard attributes and object classes supported by the adapter.

Table 4. Supported attributes

IBM Security Identity Manager Name  Attribute Name          Description                                                          Data Type
Account Name                        eruid                   IBM Security Access Manager Enterprise Single Sign-On user account   String
Password                            erpassword              IBM Security Access Manager Enterprise Single Sign-On user password  Password
User Principal Name                 ertamessoprincipalname  User Principal Name in Active Directory                              String

Table 5. Supported object classes

Description    Object class name in schema  Superior
Account class  ertamessoaccount             top
Service class  ertamessoservice2            top

Adapter Configuration Properties

For information about setting Tivoli Directory Integrator configuration properties for the operation of the adapter, see the Dispatcher Installation and Configuration Guide.

43

Page 54: IBM Security Identity Manager: IBM Security Access Manager ...public.dhe.ibm.com/software/security/.../tamesso_60... · Manager Enterprise Single Sign-On (enterprise single sign-on)

44 IBM Security Identity Manager: IBM Security Access Manager Enterprise Single Sign-On Adapter Installation and

Configuration Guide

Page 55: IBM Security Identity Manager: IBM Security Access Manager ...public.dhe.ibm.com/software/security/.../tamesso_60... · Manager Enterprise Single Sign-On (enterprise single sign-on)

Index

A
    AccessProfiles, creation 33
    adapter
        configuration properties 43
        installation
            verifying 21
    adapters
        architecture 1
        attributes 43
        configuration 11
        features 1
        installation
            overview 11
            prerequisites 8
            worksheet 10
        overview 1
        profiles
            removal 41
        supported configurations 5
        uninstall 41
        upgrading from earlier versions 23
    add operations, redefining workflow extensions 29
    architecture
        overview 1
        supported configurations 5
    attributes 43

C
    communication among IBM Security products 4
    configuration
        adapter 11
        for reconciliation 25
        for SSL 15
        for the IMS Server 14
        IBM Security Access Manager 25
        supported 5
    connector, installation 13
    creating
        services 17
    creation
        of AccessProfiles 33
        of services 31

D
    defining an authentication service ID 30
    defining workflow extensions 27
    determining if group sharing accounts is installed 11
    dispatcher
        installation 13
    download, software 9

E
    enterprise authentication service
        configuring IBM Security Access Manager 33

G
    group sharing account feature
        installed, determining if 11
        removing 12

I
    IBM Security Access Manager
        configuring as an enterprise authentication service 33
    IBM security products
        communications among 4
    identity management
        privileged 11
    IMS Server
        configuring for single sign-on 14
    installation
        adapter 11
        connector 13
        language pack 21
        prerequisites 8
        roadmap 7
        troubleshooting 35
        uninstall 41
        verification
            adapter 21
        worksheet 10
    integrated solutions 2
    integrating
        IBM Security Access Manager Single Sign-On 2
        IBM Security Identity Manager 2

J
    JavaScript
        Lotus Notes account type 32

L
    language pack
        installation 21
        same for adapters and server 21
    Lotus Notes account type
        JavaScript 32

M
    migration
        to privileged identity management 11

O
    overview
        of the adapter 1

P
    planning the installation 7
    privileged identity management 11
        migration 11
    profile
        removing 41

R
    reconciliation
        configuring 25
    redefining the add operation 29
    removing group sharing account 12
    removing the adapter profile 41
    roadmap for installing 7
    runtime
        troubleshooting 37

S
    service
        configuring 31
        restart 16
        start 16
        stop 16
    service form
        defining an authentication service ID 30
        service prerequisite 32
    service type
        removal 41
    service, creating 17
    setting service prerequisites 32
    setting up privileged identity management 11
    software
        download 9
        website 9
    SSL configuration 15
    supported configurations 5

T
    troubleshooting
        identifying problems 35
        runtime problems 37
        techniques for 35
    troubleshooting adapter installation 35
    troubleshooting and support
        troubleshooting techniques 35


U
    uninstall the adapter 41
    upgrading the adapter 23

V
    verification
        dispatcher installation 13
        installation 21

W
    workflow extensions 25
        adding 26
        addition 26
        defining 27
        redefining 29


IBM®

Printed in USA