IBM Security Identity Manager Version 6.0 Cisco Unified Communications Manager Adapter Installation and Configuration Guide SC27-4389-00


Note: Before using this information and the product it supports, read the information in “Notices” on page 55.

Edition notice

Note: This edition applies to version 6.0 of IBM Security Identity Manager (product number 5724-C34) and to all subsequent releases and modifications until otherwise indicated in new editions.

© Copyright IBM Corporation 2012.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Figures
Tables
Preface
    About this publication
    Access to publications and terminology
    Accessibility
    Technical training
    Support information
    Statement of Good Security Practices
Chapter 1. Cisco Unified Communications Manager Adapter Installation and Configuration Guide
    Overview of the adapter
        Features of the adapter
        Architecture of the adapter
        Supported configurations
Chapter 2. Adapter installation planning
    Preinstallation roadmap
    Installation roadmap
    Prerequisites
    Installation worksheet for the adapter
    Software download
Chapter 3. Adapter installation
    Dispatcher installation verification
    Installing the adapter
    Installation verification
    Adapter service start, stop, and restart
    Importing the adapter profile into the IBM Security Identity Manager server
    Adapter profile installation verification
    Adapter user account creation
    Creating a service
Chapter 4. First steps after installation
    Adapter configuration
        Customizing the adapter profile
        Editing the adapter profile on the UNIX or Linux operating system
    Password management for account restoration
    Language pack installation
    Verifying that the adapter is working correctly
Chapter 5. SSL communication configuration for the adapter
    SSL terminology for adapters
    One-way and two-way SSL authentication
        Configuring SSL for one-way SSL communication
        Configuring SSL for two-way SSL communication
    Tasks done on the SSL server
        Creating a keystore for the Tivoli Directory Integrator server
        Creating a truststore for the Tivoli Directory Integrator server
        Creating a self-signed certificate for the Tivoli Directory Integrator server
        Extracting a CA certificate for the Tivoli Directory Integrator
        Importing the WebSphere CA certificate in the Tivoli Directory Integrator truststore
        Configuring the Tivoli Directory Integrator to use the keystores
        Configuring Tivoli Directory Integrator to use the truststores
        Enabling the adapter service to use SSL
    Tasks performed on the SSL client (IBM Security Identity Manager and WebSphere Application Server workstation)
        Creating a signed certificate for the IBM Security Identity Manager server
        Extracting a WebSphere Application Server CA certificate for IBM Security Identity Manager
        Importing the IBM Security Identity Manager CA certificate in the WebSphere Application Server truststore
Chapter 6. Adapter error troubleshooting
    Techniques for troubleshooting problems
    Warning and error messages
Chapter 7. Adapter upgrade
    Connector upgrade
    Upgrade of an existing adapter profile
Chapter 8. Uninstalling the adapter
    Uninstalling the adapter from the Tivoli Directory Integrator
    Adapter profile removal from the Security Identity Manager server
Chapter 9. Adapter reinstallation
Chapter 10. Adapter attributes
Chapter 11. Adapter installation on a z/OS operating system
Appendix A. Definitions for ITDI_HOME and ISIM_HOME directories
Appendix B. Support information
    Searching knowledge bases
    Obtaining a product fix
    Contacting IBM Support
Appendix C. Accessibility features for IBM Security Identity Manager
Notices
Index

Figures

1. The architecture of the Cisco Unified Communications Manager Adapter
2. Example of a single server configuration
3. Example of multiple server configuration
4. One-way SSL communication (server communication)
5. Two-way SSL communication (client communication)

Tables

1. Preinstallation road map
2. Installation roadmap
3. Prerequisites to install the adapter
4. Required information to install the adapter
5. Operating system and JAR file path
6. Messages and corrective action
7. Required attributes for the erCUCMAccount object class
8. Optional attributes for the erCUCMAccount object class

Preface

About this publication

The Cisco Unified Communications Manager Adapter Installation and Configuration Guide provides the basic information that you need to install and configure the IBM® Security Identity Manager Cisco Unified Communications Manager Adapter.

IBM Security Identity Manager was previously known as Tivoli® Identity Manager. The Cisco Unified Communications Manager Adapter enables connectivity between the Security Identity Manager server and a Cisco Unified Communications Manager server.

Access to publications and terminology

This section provides:
• A list of publications in the “IBM Security Identity Manager library.”
• Links to “Online publications.”
• A link to the “IBM Terminology website.”

IBM Security Identity Manager library

For a complete listing of the IBM Security Identity Manager and IBM Security Identity Manager Adapter documentation, see the online library (http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=/com.ibm.isim.doc_6.0/ic-homepage.htm).

Online publications

IBM posts product publications when the product is released and when the publications are updated at the following locations:

IBM Security Identity Manager library
    The product documentation site (http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=/com.ibm.isim.doc_6.0/ic-homepage.htm) displays the welcome page and navigation for the library.

IBM Security Systems Documentation Central
    IBM Security Systems Documentation Central provides an alphabetical list of all IBM Security Systems product libraries and links to the online documentation for specific versions of each product.

IBM Publications Center
    The IBM Publications Center site (http://www-05.ibm.com/e-business/linkweb/publications/servlet/pbi.wss) offers customized search functions to help you find all the IBM publications you need.

IBM Terminology website

The IBM Terminology website consolidates terminology for product libraries in one location. You can access the Terminology website at http://www.ibm.com/software/globalization/terminology.

Accessibility

Accessibility features help users with a physical disability, such as restricted mobility or limited vision, to use software products successfully. With this product, you can use assistive technologies to hear and navigate the interface. You can also use the keyboard instead of the mouse to operate all features of the graphical user interface.

Technical training

For technical training information, see the following IBM Education website at http://www.ibm.com/software/tivoli/education.

Support information

IBM Support provides assistance with code-related problems and routine, short duration installation or usage questions. You can directly access the IBM Software Support site at http://www.ibm.com/software/support/probsub.html.

Appendix B, “Support information,” on page 49 provides details about:
• What information to collect before contacting IBM Support.
• The various methods for contacting IBM Support.
• How to use IBM Support Assistant.
• Instructions and problem-determination resources to isolate and fix the problem yourself.

Note: The Community and Support tab on the product information center can provide additional support resources.

Statement of Good Security Practices

IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

Chapter 1. Cisco Unified Communications Manager Adapter Installation and Configuration Guide

This installation guide provides the basic information that you need to install and configure the Cisco Unified Communications Manager Adapter. The adapter enables connectivity between the IBM Security Identity Manager server and the managed resource.

Overview of the adapter

An adapter provides an interface between a managed resource and the Security Identity Manager server. Adapters might reside on the managed resource.

The Security Identity Manager server manages access to the resource by using your security system. Adapters function as trusted virtual administrators on the target platform. They perform tasks, such as creating, modifying, and deleting user accounts, and other manual functions. The adapter runs as a service, independently of whether you are logged on to the Security Identity Manager server.

The Cisco Unified Communications Manager Adapter enables communication between the Security Identity Manager server and the Cisco Unified Communications Manager server.

Features of the adapter

The adapter automates various user account administrative tasks.

The adapter automates the following user account management tasks:

Managing user accounts
    Use the adapter to add, modify, or delete user accounts.

Changing the user account password or personal identification number (PIN)
    Use the adapter to change the password or PIN or both for a user.

Adding users to groups
    Use the adapter to add and to remove users from groups.

Associating users with phones, phone profiles, and extensions
    Use the adapter to associate the user with multiple phones, phone profiles, and a single primary extension.

Reconciling user account information
    Use the adapter to reconcile information from the managed resource to Security Identity Manager server for synchronization.

Reconciling support data
    Use the adapter to reconcile support data information, such as phones, phone profiles, lines, and groups.

Managing remote destination profiles
    Use the adapter to add and delete remote destination profiles with default values.

Note: The managed resource does not support the Suspend and Restore user operations.

Architecture of the adapter

The Cisco Unified Communications Manager Adapter depends on several components for it to function correctly.

Security Identity Manager communicates with the Cisco Unified Communications Manager Adapter to administer users on the Cisco Unified Communications Manager resource.

You must install the following components for the adapter to function correctly:
• The Dispatcher
• The Tivoli Directory Integrator connector
• The Security Identity Manager adapter profile

You must install the Dispatcher and the adapter profile; however, the Tivoli Directory Integrator connector might already be installed with the base Tivoli Directory Integrator product.

Figure 1 describes the components that work together to complete the user account management tasks in a Tivoli Directory Integrator environment.

[Figure 1. The architecture of the Cisco Unified Communications Manager Adapter. Diagram labels: IBM Security Identity Manager Server; RMI calls; Dispatcher Service (an instance of the IBM Tivoli Directory Integrator); Adapter; resource]

For more information about Tivoli Directory Integrator, see the Quick Start Guide at http://pic.dhe.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=%2Fcom.ibm.isim.doc_6.0%2Fic-homepage.htm.

Supported configurations

The adapter supports both single server and multiple server configurations.

The fundamental components in each environment are:
• The Security Identity Manager server
• The Tivoli Directory Integrator server
• The managed resource
• The adapter

The adapter must reside directly on the server running the Tivoli Directory Integrator server.

Single server configuration
    In a single server configuration, install the Security Identity Manager server, the Tivoli Directory Integrator server, and the Cisco Unified Communications Manager Adapter on one server to establish communication with the Cisco Unified Communications Manager server. Install the Cisco Unified Communications Manager server on a different server as described in Figure 2.

[Figure 2. Example of a single server configuration. Diagram labels: IBM Security Identity Manager Server; Tivoli Directory Integrator Server; Adapter; Managed resource]

Multiple server configuration
    In multiple server configuration, install the Security Identity Manager server, the Tivoli Directory Integrator server, the Cisco Unified Communications Manager Adapter, and the Cisco Unified Communications Manager server on different servers. Install the Tivoli Directory Integrator server and the Cisco Unified Communications Manager Adapter on the same server as described in Figure 3.

[Figure 3. Example of multiple server configuration. Diagram labels: IBM Security Identity Manager server; Tivoli Directory Integrator server; Adapter; Managed resource]

Chapter 2. Adapter installation planning

Installing and configuring the adapter involves several steps that you must complete in an appropriate sequence. Review the roadmaps before you begin the installation process.

Preinstallation roadmap

Use the preinstallation roadmap to guide you in preparing the environment before the installation of the adapter.

Before you install the adapter, you must prepare the environment by performing the tasks that are listed in Table 1.

Table 1. Preinstallation road map

| Task | For more information |
|------|----------------------|
| Obtain the installation software | Download the software from Passport Advantage® Web site. See “Software download” on page 7. |
| Verify that your environment meets the software and hardware requirements for the adapter. | See “Prerequisites” on page 6. |
| Obtain and install the RMI Dispatcher. | Download the software from Passport Advantage website. See “Software download” on page 7. Follow the installation instructions in the dispatcher download package. |
| Obtain the necessary information for the installation and configuration. | See “Installation worksheet for the adapter” on page 6. |

Installation roadmap

Use the installation road map to guide you in completing the different tasks required to install the adapter.

To install the adapter, complete the tasks that are listed in Table 2.

Table 2. Installation roadmap

| Task | For more information |
|------|----------------------|
| Install the adapter. | See “Installing the adapter” on page 9. |
| Verify the installation. | See “Installation verification” on page 10. |
| Import the adapter profile. | See “Importing the adapter profile into the IBM Security Identity Manager server” on page 11. |
| Verify the profile installation. | See “Adapter profile installation verification” on page 12. |
| Create a service. | See “Creating a service” on page 12. |
| Create an adapter user account. | See “Adapter user account creation” on page 12. |
| Configure the adapter. | See “Adapter configuration” on page 17. |

Prerequisites

Verify that your environment meets all the prerequisites before you install the adapter.

Table 3 identifies the software and operating system prerequisites for the adapter installation.

Ensure that you install the adapter on the same workstation as the Tivoli Directory Integrator server.

Table 3. Prerequisites to install the adapter

| Prerequisite | Description |
|--------------|-------------|
| IBM Tivoli Directory Integrator | Version 7.1 fix pack 5 or later; Version 7.1.1 |
| IBM Tivoli Identity Manager server | Version 6.0 |
| Cisco Unified Communications Manager | Version 6.0.1 |
| System Administrator Authority | To complete the adapter installation procedure, you must have system administrator authority. |
| Tivoli Directory Integrator adapters solution directory | A Tivoli Directory Integrator adapters solution directory is a Tivoli Directory Integrator work directory for Security Identity Manager adapters. See the Dispatcher Installation and Configuration Guide. |

For information about the prerequisites and supported operating systems for Tivoli Directory Integrator, see the IBM Tivoli Directory Integrator 7.1: Administrator Guide.

Installation worksheet for the adapter

Use the installation worksheet as reference for the information that is required during the installation of the adapter. The worksheet includes further descriptions of the requirements, including possible values.

Table 4 on page 7 identifies the information that you need before installing the adapter.

Table 4. Required information to install the adapter

| Required information | Description | Value |
|----------------------|-------------|-------|
| Tivoli Directory Integrator Home Directory | The ITDI_HOME directory contains the jars/connectors subdirectory. This subdirectory contains adapter jars. | If Tivoli Directory Integrator is automatically installed with Security Identity Manager, the default directory path for Tivoli Directory Integrator is as follows. Windows, for version 7.1: drive:\Program Files\IBM\TDI\V7.1. UNIX, for version 7.1: /opt/IBM/TDI/V7.1 |
| Adapters solution directory | This is the default directory. When you install the dispatcher, the adapter prompts you to specify a file path for the adapter solution directory. For more information about the adapter solution directory, see the Dispatcher Installation and Configuration Guide. | Windows, for version 7.1: drive:\Program Files\IBM\TDI\V7.1\timsol. UNIX, for version 7.1: /opt/IBM/TDI/V7.1/timsol |

Software download

Download the software through your account at the IBM Passport Advantage website.

Go to IBM Passport Advantage.

See the IBM Security Identity Manager Download Document for instructions.

Note: You can also obtain additional adapter information from IBM Support.

Chapter 3. Adapter installation

The Cisco Unified Communications Manager Adapter requires a Dispatcher and Tivoli Directory Integrator for the adapter to function correctly.

If the Dispatcher is installed from a previous installation, do not reinstall it unless there is an upgrade to the Dispatcher. See “Dispatcher installation verification.”

After verifying the Dispatcher installation, you might need to install the Tivoli Directory Integrator connector. Depending on your adapter, the connector might already be installed as part of the Tivoli Directory Integrator product and no further action is required.

Dispatcher installation verification

If the adapter installation is the first installation that is based on the Tivoli Directory Integrator, you must install the RMI Dispatcher before you install the adapter.

You must install the dispatcher on the same Tivoli Directory Integrator server where you want to install the adapter.

Obtain the dispatcher installer from the IBM Passport Advantage website, http://ww.ibm.com/software/howtobuy/passportadvantage/pao_customers.htm. For information about Dispatcher installation, see the Dispatcher Installation and Configuration Guide.

Installing the adapter

Installing the adapter involves the installation of adapter JAR files and configuration of the Tivoli Directory Integrator CiscoUniComMgr connector.

Before you begin

Make sure that you do the following tasks:
• Meet all the prerequisites. See “Prerequisites” on page 6.
• Obtain a copy of the installation software. See “Software download” on page 7.
• Obtain system administrator authority. See “Prerequisites” on page 6.

About this task

The adapter uses the Tivoli Directory Integrator CiscoUniComMgr connector. This connector is not available with the base Tivoli Directory Integrator product. The adapter installation involves the Tivoli Directory Integrator CiscoUniComMgr connector. Ensure that the RMI Dispatcher is already installed before you continue. See “Dispatcher installation verification.”

Note: If you are running on a 64-bit operating system, you must use the Tivoli Directory Integrator-supplied JVM. The JVM is in ITDI_HOME/jvm/jre/bin/, where ITDI_HOME is the directory where Tivoli Directory Integrator is installed.

Procedure

1. Create a temporary directory on the workstation where you want to install the adapter.
2. Extract the contents of the compressed file in the temporary directory.
3. Install the adapter JAR files. Copy the CiscoUniComMgr.jar file from the adapter package to the ITDI_HOME/jars/connectors directory.
4. Optional: Enable Unicode. See the JVM information in the IBM Security Dispatcher Installation and Configuration Guide.
5. To enable the connector, stop and start the Dispatcher service.

What to do next

After you finish the adapter installation, do the following tasks:
• Verify that the installation completed successfully. See “Installation verification.”
• Import the adapter profile. See “Importing the adapter profile into the IBM Security Identity Manager server” on page 11.
• Create a user account for the adapter on Security Identity Manager. See “Adapter user account creation” on page 12.

Installation verification

To ensure that the adapter is successfully installed, verify that the adapter JAR file is in its expected location. Additionally, check for any log errors and verify the version number of the connector.

Table 5 lists the location where the CiscoUniComMgrConnector.jar file is created after you installed the adapter.

Table 5. Operating system and JAR file path

| Operating system | JAR file path |
|------------------|---------------|
| Windows | drive:\Program Files\IBM\TDI\V7.1\jars\connectors\ |
| UNIX | /opt/IBM/TDI/V7.1/jars/connectors/ |

Review the installer log file, CiscoUniComMgrAdapter_Installer.log, that is in the adapter installer directory for any errors.

If this installation is to upgrade a connector, then send a request from Security Identity Manager. Verify that the version number in the ibmdi.log matches the version of the connector that you installed. The ibmdi.log file is at ITDI_Home\adapter solution directory\logs.

Adapter service start, stop, and restart

To start, stop, or restart the adapter, you must start, stop, or restart the Dispatcher.

The adapter does not exist as an independent service or a process. The adapter is added to the Dispatcher instance, which runs all the adapters that are installed on the same Tivoli Directory Integrator instance.

See the topic about starting, stopping, and restarting the dispatcher service in the Dispatcher Installation and Configuration Guide.

Importing the adapter profile into the IBM Security Identity Managerserver

An adapter profile defines the types of resources that the IBM Security IdentityManager server can manage. Use the profile to create an adapter service on IBMSecurity Identity Manager server and establish communication with the adapter.

About this task

Before you can add an adapter as a service, the server must have an adapterprofile. The profile enables the server to recognize the adapter as a service. Thefiles that are packaged with the adapter include the adapterCiscoUniComMgrProfile.jar file. You can import the adapter profile as a serviceprofile on the server with the Import feature of IBM Security Identity Manager.

The CiscoUniComMgrProfile.jar file includes all the files that are required to definethe adapter schema, account form, service form, and profile properties. You canextract the files from the JAR file to modify the necessary files and package theJAR file with the updated files.

Before you begin to import the adapter profile, verify that the following conditions are met:
- The IBM Security Identity Manager server is installed and running.
- You have root or Administrator authority on IBM Security Identity Manager.

To import the adapter profile, perform the following steps:
1. Log on to the IBM Security Identity Manager server by using an account that has the authority to perform administrative tasks.
2. In the My Work pane, expand Configure System and click Manage Service Types.
3. On the Manage Service Types page, click Import to display the Import Service Types page.
4. Specify the location of the CiscoUniComMgrProfile.jar file in the Service Definition File field by performing one of the following tasks:
   - Type the complete location of where the file is stored.
   - Use Browse to navigate to the file.
5. Click OK.

If you receive an error related to the schema when you import the adapter profile, see the trace.log file for information about the error. The trace.log file location is specified by the handler.file.fileDir property defined in the IBM Security Identity Manager enRoleLogging.properties file. The enRoleLogging.properties file is installed in the IBM Security Identity Manager\data directory.

Note: The erCUCMPwdPin and erCUCMPwdDigestCredentials attributes are security sensitive attributes in the user account class erCUCMAccount. Perform the following steps to ensure that the values of these attributes are stored in the encrypted format on the IBM Security Identity Manager:
1. Import the adapter profile CiscoUniComMgrProfile.jar.
2. Add the attributes erCUCMPwdPin and erCUCMPwdDigestCredentials to the password.attributes property in the enRole.properties file of IBM Security Identity Manager. For more information about the enRole.properties file location, see the IBM Security Identity Manager product documentation.
3. Restart the IBM Security Identity Manager server for the change to take effect.

Adapter profile installation verification

There are different ways to determine whether the adapter profile installation failed or is successful.

An unsuccessful installation:
- Might cause the adapter to function incorrectly.
- Prevents you from creating a service with the adapter profile.

To verify that the adapter profile is successfully installed, create a service with the adapter profile. For more information about creating a service, see “Creating a service.”

If you are unable to create a service with the adapter profile or open an account on the service, the adapter profile is not installed correctly. You must import the adapter profile again.

Adapter user account creation

You must create an administrative user account for the adapter on the managed resource.

Provide the account information when you create a service. For more information about creating a service, see “Creating a service.”

Ensure that the account has sufficient privileges to administer the Cisco Unified Communications Manager users.

Creating a service

After the adapter profile is imported on IBM Security Identity Manager, you must create a service so that IBM Security Identity Manager can communicate with the adapter.

About this task

To create or change a service, you must use the service form to provide information for the service. Service forms might vary depending on the adapter.

Note: If the following fields on the service form are changed for an existing service, the IBM Security Identity Manager Adapter service on the Tivoli Directory Integrator server must be restarted.
- AL FileSystem Path
- Max Connection Count

Procedure

1. Log on to the IBM Security Identity Manager server with an account that has the authority to perform administrative tasks.
2. In the My Work pane, click Manage Services and click Create.
3. On the Select the Type of Service page, select IDI CiscoUniComMgr Profile.
4. Click Next to display the adapter service form.
5. Complete the following fields on the service form:

On the Cisco Unified Call Manager Profile tab:

Service Name
    Specify a name that defines the adapter service on the IBM Security Identity Manager server.

    Note: Do not use forward (/) or backward slashes (\) in the service name.

Description
    Optional: Specify a description that identifies the service for your environment.

Tivoli Directory Integrator URL
    Specify the URL for the Tivoli Directory Integrator instance. The valid syntax for the URL is rmi://ip-address:port/ITDIDispatcher, where ip-address is the Tivoli Directory Integrator host and port is the port number for the RMI Dispatcher. The default URL is rmi://localhost:1099/ITDIDispatcher

    For information about changing the port number, see the IBM Security Dispatcher Installation and Configuration Guide.

On the CiscoUniComMgr Connection tab:

Cisco Server IP Address
    Specify the IP address of the Cisco Unified Communications Manager server.

Cisco Server IP Port
    Specify the port number of the Cisco Unified Communications Manager server.

Administrator Name
    Specify the administrator user that is used to log on to the resource and perform user management operations.

Administrator Password
    Specify the password for the administrator.

SOAP Server IP Address (If Different From Cisco Server IP Address)
    Optional: Specify the IP Address of the Cisco Unified Communications Manager SOAP server.

SOAP Server Port (If Different From Cisco Server Port)
    Optional: Specify the port number of Cisco Unified Communications Manager SOAP server.

On the Dispatcher Attributes tab:

Disable AL Caching
    Select the check box to disable the assembly line (test, add, modify, delete) caching in the dispatcher for the service.

AL FileSystem Path
    Specify the file path from where the dispatcher loads the assembly lines. If you do not specify a file path, the dispatcher loads the assembly lines received from IBM Security Identity Manager. For example, you can specify the following file path to load the assembly lines from the profiles directory of the Windows operating system: c:\Files\IBM\TDI\V7.1\profiles or you can specify the following file path to load the assembly lines from the profiles directory of the UNIX and Linux operating systems: /opt/IBM/TDI/V7.1/profiles

Max Connection Count
    Specify the maximum number of assembly lines that the dispatcher can run simultaneously for the service. For example, enter 10 when you want the dispatcher to run a maximum of 10 assembly lines simultaneously for the service. If you enter 0 in the Max Connection Count field, the dispatcher does not limit the number of assembly lines that run simultaneously for the service.

On the Status and information tab:

This page contains read only information about the adapter and managed resource. These fields are examples. The actual fields vary depending on the type of adapter and how the service form is configured. The adapter must be running to obtain the information. Click Test Connection to populate the fields.

Last status update: Date
    Specifies the most recent date when the Status and information tab was updated.

Last status update: Time
    Specifies the most recent time of the date when the Status and information tab was updated.

Managed resource status
    Specifies the status of the managed resource that the adapter is connected to.

Adapter version
    Specifies the version of the adapter that the IBM Security Identity Manager service uses to provision requests to the managed resource.

Profile version
    Specifies the version of the profile that is installed in the IBM Security Identity Manager server.

TDI version
    Specifies the version of the Tivoli Directory Integrator on which the adapter is deployed.

Dispatcher version
    Specifies the version of the Dispatcher.

Installation platform
    Specifies summary information about the operating system where the adapter is installed.

Adapter account
    Specifies the account that is running the adapter binary file.

Adapter up time: Date
    Specifies the date when the adapter started.

Adapter up time: Time
    Specifies the time of the date when the adapter started.

Adapter memory usage
    Specifies the memory usage for running the adapter.

If the connection fails, follow the instructions in the error message. Also:
- Verify the adapter log to ensure that the IBM Security Identity Manager test request was successfully sent to the adapter.
- Verify the adapter configuration information.
- Verify IBM Security Identity Manager service parameters for the adapter profile. For example, verify the work station name or the IP address of the managed resource and the port.

6. Click Finish.


Chapter 4. First steps after installation

After you install the adapter, you must perform several other tasks. The tasks include configuring the adapter, setting up SSL, installing the language pack, and verifying the adapter works correctly.

Adapter configuration

The configuration of the Cisco Unified Communications Manager Adapter involves profile customization, password management, and configuring settings for JVM, dispatcher information, logon and SSL communication.
- “Customizing the adapter profile”
- “Editing the adapter profile on the UNIX or Linux operating system”
- “Password management for account restoration”

See the IBM Security Dispatcher Installation and Configuration Guide for additional configuration options such as:
- JVM properties
- Dispatcher filtering
- Dispatcher properties
- Dispatcher port number
- Logging configurations
- Secure Sockets Layer (SSL) communication

Customizing the adapter profile

To customize the Cisco Unified Communications Manager Adapter profile, you must modify the Cisco Unified Communications Manager Adapter JAR file.

About this task

You can customize the adapter profile to change the account form or the service form. You can also change the labels on the forms by using the Form Designer or CustomLabels.properties. Each adapter has a CustomLabels.properties file for that adapter.

Note: You cannot modify the schema of the Cisco Unified Communications Manager Adapter.

The JAR file is included in the Cisco Unified Communications Manager Adapter compressed file that you downloaded from the IBM website.

The following files are included in the Cisco Unified Communications Manager Adapter JAR file:
- CiscoUniComMgrAdapter.xml
- CiscoUniComMgrAdd.xml
- CiscoUniComMgrDelete.xml
- CiscoUniComMgrModify.xml
- CiscoUniComMgrSearch.xml
- CiscoUniComMgrTest.xml
- CustomLabels.properties
- erCiscoUniComMgrAccount.xml
- erCiscoUniComMgrRMIservice.xml
- schema.dsml
- service.def

To edit the JAR file, complete these steps:
1. Log on to the workstation where the Cisco Unified Communications Manager Adapter is installed.
2. Copy the JAR file into a temporary directory.
3. Extract the contents of the JAR file into the temporary directory by running the following command:
       # cd /tmp
       # jar -xvf CiscoUniComMgrProfile.jar
   The jar command extracts the files into the CiscoUniComMgrProfile directory.
4. Edit the file that you want to change.

After you edit the file, you must import the file into the Security Identity Manager server for the changes to take effect.

To import the file, complete these steps:
1. Create a JAR file by using the files in the /tmp directory by running the following commands:
       # cd /tmp
       # jar -cvf CiscoUniComMgrProfile.jar CiscoUniComMgrProfile
2. Import the JAR file into the Security Identity Manager application server. For more information about importing the JAR file, see “Importing the adapter profile into the IBM Security Identity Manager server.”
3. Stop and start the Security Identity Manager server.
4. Stop and start the Cisco Unified Communications Manager Adapter service. See “Adapter service start, stop, and restart” for information about starting, stopping, and restarting the Cisco Unified Communications Manager Adapter service.

Editing the adapter profile on the UNIX or Linux operating system

The adapter profile .jar file might contain ASCII files that are created by using the MS-DOS ASCII format.

About this task

If you edit an MS-DOS ASCII file on the UNIX operating system, you might see a character ^M at the end of each line. These characters indicate new lines of text in MS-DOS. The characters can interfere with the running of the file on UNIX or Linux systems. You can use tools, such as dos2unix, to remove the ^M characters. You can also use text editors, such as the vi editor, to remove the characters manually.

Example

You can use the vi editor to remove the ^M characters. From the vi command mode, run the following command and press Enter:

    :%s/^M//g

When you use this command, enter ^M or Ctrl-M by pressing ^v^M or Ctrl V Ctrl M sequentially. The ^v instructs the vi editor to use the next keystroke instead of issuing it as a command.
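A check to run before re-importing the profile, as an added example that is not part of the IBM guide: the Python functions below report which text members of a profile JAR contain MS-DOS line endings and produce a copy with them removed. The sample JAR and its file contents are constructed; the member names follow the file list in this guide.

```python
import io
import zipfile

# Extensions of the text files the guide lists inside the profile JAR.
TEXT_SUFFIXES = (".xml", ".properties", ".dsml", ".def")


def crlf_members(jar_bytes):
    """Return {member name: number of CRLF line endings} for text members."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            if info.filename.lower().endswith(TEXT_SUFFIXES):
                count = jar.read(info).count(b"\r\n")
                if count:
                    report[info.filename] = count
    return report


def normalize_jar(jar_bytes):
    """Return new JAR bytes with CRLF replaced by LF in text members only.

    Every other member (for example a manifest) is copied through unchanged.
    """
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info)
            if info.filename.lower().endswith(TEXT_SUFFIXES):
                data = data.replace(b"\r\n", b"\n")
            dst.writestr(info, data)
    return out.getvalue()


def build_sample_jar():
    """Constructed sample: two members named as in the guide, one with CRLF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("CiscoUniComMgrProfile/CustomLabels.properties",
                     b"sample.label.one=One\r\nsample.label.two=Two\r\n")
        jar.writestr("CiscoUniComMgrProfile/service.def",
                     b"<?xml version=\"1.0\"?>\n<Service/>\n")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_jar()
    for name, count in crlf_members(sample).items():
        print(f"{name}: {count} CRLF line endings")
    print("after normalizing:", crlf_members(normalize_jar(sample)))
```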

Password management for account restoration

When an account is restored from being previously suspended, you are not prompted to supply a new password for the reinstated account. However, in some cases you might want to be prompted for a password.

The password requirement to restore an account falls into two categories: allowed and required.

How each restore action interacts with its corresponding managed resource depends on either the managed resource, or the business processes that you implement. Certain resources reject a password when a request is made to restore an account. In this case, you can configure Security Identity Manager to forego the new password requirement. Your company might have a business process that dictates that the account restoration process must be accompanied by resetting the password. If so, you can set the Cisco Unified Communications Manager Adapter to require a new password when the account is restored.

In the service.def file, you can define whether a password is required as a new protocol option. When you import the adapter profile, if an option is not specified, the adapter profile importer determines the correct restoration password behavior from the schema.dsml file. Adapter profile components also enable remote services to determine if you discard a password that is entered by the user in a situation where multiple accounts on disparate resources are being restored. In this situation, only some of the accounts might require a password. Remote services discard the password from the restore action for those managed resources that do not require them.

Edit the service.def file to add the new protocol options, for example:

    <property name = "com.ibm.itim.remoteservices.ResourceProperties.PASSWORD_NOT_REQUIRED_ON_RESTORE">
        <value>false</value>
    </property>
    <property name = "com.ibm.itim.remoteservices.ResourceProperties.PASSWORD_NOT_ALLOWED_ON_RESTORE">
        <value>false</value>
    </property>

By adding the two options in the example above, you are ensuring that you are prompted for a password when an account is restored.

Note: The Cisco Unified Communications Manager Adapter does not support suspend operations or restore operations. There is no provision on the Cisco Unified Communications Manager server to suspend an account.

Language pack installation

The adapters use the same language package as IBM Security Identity Manager.

See the IBM Security Identity Manager library and search for information about installing language packs.


Verifying that the adapter is working correctly

After you install and configure the adapter, take steps to verify that the installation and configuration are correct.

Procedure

1. Test the connection for the service that you created on IBM Security Identity Manager.
2. Run a full reconciliation from IBM Security Identity Manager.
3. Run all supported operations such as add, modify, and delete on one user account.
4. Verify the ibmdi.log file after each operation to ensure that no errors are reported.
5. Verify the IBM Security Identity Manager log file trace.log to ensure that no errors are reported when you run an adapter operation.


Chapter 5. SSL communication configuration for the adapter

You must configure Secure Sockets Layer (SSL) communication between the adapters that are based on Tivoli Directory Integrator and the WebSphere® Application Server.

You can configure the Tivoli Directory Integrator to use SSL and also configure WebSphere with the default keystore and default truststore. For more information about WebSphere SSL configuration, see the WebSphere online help from the WebSphere Application Server Administrative Console.

SSL terminology for adapters

There are several SSL terms that apply to adapters.

SSL server
    The workstation on which the Tivoli Directory Integrator is installed is the SSL server. It listens for connection requests.

SSL client
    The workstation on which the IBM Security Identity Manager server and WebSphere Application Server are installed. The client submits connection requests to the Tivoli Directory Integrator.

Signed certificates
    An industry-standard method of verifying the authenticity of an entity, such as a server, a client, or an application. Signed certificates are issued by a third-party certificate authority for a fee. Some utilities, such as the iKeyman utility, can also issue signed certificates. Use a certificate authority (CA) certificate to verify the origin of a signed digital certificate.

Signer certificates (CA certificates)
    When an application receives the signed certificate of another application, the application uses a CA certificate to verify the originator of the certificate. You can configure many applications. For example, you can configure web browsers with the CA certificates of well-known certificate authorities. This type of configuration can eliminate or reduce the task of distributing CA certificates across the security zones in a network.

Self-signed certificates
    A self-signed certificate contains information about the owner of the certificate and the signature of the owner. You can also use a signed certificate as a CA certificate. To use self-signed certificates, you must extract the CA certificate to configure SSL.

SSL keystore
    A key database file that is designated as a keystore. The file contains the SSL certificate.

    Note: You can use a keystore and truststore as the same physical file.

SSL truststore
    A key database file that is designated as a truststore. The SSL truststore contains the list of signer certificates (CA certificates) that define which certificates the SSL protocol trusts. Only a certificate that is issued by one of the listed trusted signers is accepted.

    Note: You can use a keystore and truststore as the same physical file.

One-way SSL communication
    For one-way SSL communication, you must have a:
    - Keystore and a certificate on the SSL server (the Tivoli Directory Integrator server)
    - Truststore on the SSL client-side (the IBM Security Identity Manager server)

Two-way SSL communication
    For two-way SSL (client-side) communication, you must have a:
    - Keystore with a certificate
    - Truststore that contains the signer certificate that issued the certificate from the other side.

    You require the keystore and the truststore on the SSL server and the SSL client-side.

One-way and two-way SSL authentication

Configuring communication between an SSL server and client can use one-way or two-way SSL authentication.

For the following tasks, the SSL client is the computer on which the IBM Security Identity Manager server is installed, and the SSL server is the Tivoli Directory Integrator.

Configuring SSL for one-way SSL communication

Use one-way SSL communication when the client must authenticate the server.

About this task

One-way authentication requires a truststore on the client and a keystore on the server. In this example, CA certificate "A" exists in the truststore on the SSL client and also in the keystore on the SSL server. The client sends a request to the SSL server. The SSL server sends Certificate A from the keystore to the client. The client validates Certificate A against the certificates that are contained in the truststore. If the certificate is found in the truststore, the client accepts communication from the SSL server.

The following figure describes SSL configuration for one-way SSL communication.

Note: IBM Security Identity Manager uses the existing truststore of the WebSphere Application Server.

Figure 4. One-way SSL communication (server communication). IBM Security Identity Manager (SSL client): truststore with CA certificate "A". Tivoli Directory Integrator (SSL server): keystore with Certificate "A".


Procedure

1. Create a keystore for the Tivoli Directory Integrator server.
2. Create a truststore for the Tivoli Directory Integrator server. One-way SSL communication on the Tivoli Directory Integrator server does not require the truststore. However, you must configure the truststore for the Remote Method Invocation (RMI) SSL initialization.
3. Create a server-signed certificate for the Tivoli Directory Integrator server.
4. Create a CA certificate for the Tivoli Directory Integrator server.
5. Import the Tivoli Directory Integrator CA certificate in the WebSphere Application Server truststore.

   Note: You can modify the solution.properties file for steps 6, 7, and 8 in a single operation. When you do so, do not stop and restart the adapter service at the end of steps 6 and 7.

6. Configure the Tivoli Directory Integrator to use keystores.
7. Configure the Tivoli Directory Integrator to use truststores.
8. Enable the adapter service to use SSL.
9. Stop and restart the adapter service.
10. Stop and restart WebSphere Application Server.

Configuring SSL for two-way SSL communication

Use two-way SSL communication when the client must authenticate the server and the server must authenticate the client.

About this task

Two-way authentication requires a truststore and a keystore on both the client and the server. In this example, CA certificate "A" exists in the truststore and a CA certificate "B" in the keystore of the client. CA certificate "B" exists in the truststore and a CA certificate "A" in the keystore of the server. The client sends a request to the SSL server. The SSL server sends Certificate A from the keystore to the client. The client validates Certificate A against the certificates that are contained in the truststore.

If the certificate is found in the truststore, the client accepts communication from the SSL server. The server sends an authentication request to the client. The client sends Certificate B from the keystore to the server. The server validates Certificate B against the certificates that are contained in the truststore. If the certificate is found in the truststore, the server accepts communication from the client.

The following figure describes SSL configuration for two-way SSL communication.

Note: IBM Security Identity Manager uses the existing truststore and keystore of the WebSphere Application Server.

Procedure

To configure two-way SSL, do the following tasks:
1. Create a keystore for the Tivoli Directory Integrator server.
2. Create a truststore for the Tivoli Directory Integrator server. Do not do this task if you use the same file for keystore and truststore.
3. Create a server-signed certificate for the Tivoli Directory Integrator server.
4. Create a CA certificate for the Tivoli Directory Integrator server.
5. Import the Tivoli Directory Integrator CA certificate in the WebSphere Application Server truststore.

   Note: You can modify the solution.properties file for steps 6, 7, and 8 in a single operation. When you do so, do not stop and restart the adapter service at the end of steps 6 and 7.

6. Configure the Tivoli Directory Integrator to use keystores.
7. Configure the Tivoli Directory Integrator to use truststores.
8. Enable the adapter service to use SSL.
9. Create a certificate for the IBM Security Identity Manager server.
10. Create a CA certificate for IBM Security Identity Manager.
11. Import the WebSphere Application Server CA Certificate in Tivoli Directory Integrator truststore.
12. Stop and restart the adapter service.
13. Stop and restart WebSphere Application Server.

Tasks done on the SSL server

You can configure the Tivoli Directory Integrator as the SSL server.

Do all of these tasks on the Tivoli Directory Integrator server workstation.

Note: File names such as tdikeys.jks and locations such as ITDI_HOME\keys are examples. Actual file names and locations might differ.

Figure 5. Two-way SSL communication (client communication). IBM Security Identity Manager (SSL client): truststore with CA certificate "A", keystore with Certificate "B". Tivoli Directory Integrator (SSL server): truststore with CA certificate "B", keystore with Certificate "A".


Creating a keystore for the Tivoli Directory Integrator server

You must create a keystore to hold the certificates that the SSL server uses to authenticate itself to clients.

About this task

A keystore is a database of private keys and the associated certificates that authenticate the corresponding public keys. Digital certificates are stored in a keystore file. A keystore also manages certificates from trusted entities.

Procedure

1. Navigate to the ITDI_HOME\jvm\jre\bin directory.
2. Start the ikeyman.exe file (for Windows operating systems) or ikeyman (for UNIX and Linux operating systems).
3. From the Key Database File menu, select New.
4. Select the key database type of JKS.
5. Type the keystore file name. For example, type tdikeys.jks.
6. Type the location. For example, type .
   Note: Ensure that the location that you specify exists.
7. Click OK.
8. Type a password for the keystore. The default password is secret.
9. Click OK.

Creating a truststore for the Tivoli Directory Integrator server

You must create a truststore on the SSL server to hold trusted certificates, so that clients can authenticate to the server.

About this task

A truststore is a database of public keys for target servers. The SSL truststore contains the list of signer certificates (CA certificates) that define which certificates the SSL protocol trusts. Only a certificate that is issued by one of these listed trusted signers can be accepted. Do not do the following task if you use the same file for keystore and truststore.

Procedure

1. Navigate to the ITDI_HOME\jvm\jre\bin directory.
2. Start the ikeyman.exe file (for Windows operating systems) or ikeyman (for UNIX and Linux operating systems).
3. From the Key Database File menu, select New.
4. Select JKS.
5. Type the keystore file name. For example, type tdikeys.jks.
6. Type the location. For example, type .
   Note: Ensure that the location that you specify exists.
7. Click OK.
8. Type a password for the keystore. The default password is secret.
9. Click OK.


Creating a self-signed certificate for the Tivoli Directory Integrator server

A self-signed certificate contains information about the owner of the certificate and the signature of the owner. This type of certificate is typically used in a testing environment.

About this task

A self-signed certificate is a signed certificate and also a CA certificate. To use self-signed certificates, you must extract the CA certificate from the self-signed certificate to configure SSL. You can purchase a certificate from a well-known authority, such as VeriSign. You can also use a certificate server, such as the one included with the Microsoft Windows 2003 Advanced Server, to generate your own certificates.

Procedure

1. Navigate to the ITDI_HOME\jvm\jre\bin directory.
2. Start the ikeyman.exe file (for Windows operating system) or ikeyman (for UNIX and Linux operating systems).
3. From the Key Database File menu, select Open.
4. Navigate to the keystore file that was created previously: ITDI_HOME\keys\tdikeys.jks.
5. Enter the keystore password. The default password is secret.
6. Select Create > New Self Signed certificate.
7. Set the Key Label to tdiserver.
8. Use your system name (DNS name) as the Common Name (workstation name).
9. Enter the name of your organization. For example, enter IBM.
10. Click OK.

Extracting a CA certificate for the Tivoli Directory Integrator

Use a CA certificate to verify the origin of a signed digital certificate.

About this task

When an application receives the signed certificate of another application, it uses a CA certificate to verify the originator of the certificate. You can configure many applications. For example, you can configure web browsers with the CA certificates of well-known certificate authorities. This type of configuration can eliminate or reduce the task of distributing CA certificates across the security zones in a network.

Procedure

1. Navigate to the ITDI_HOME\jvm\jre\bin directory.
2. Launch the ikeyman.exe file (for Windows operating system) or ikeyman (for UNIX and Linux operating system).
3. From the Key Database File menu, select Open.
4. Navigate to the keystore file that was created previously: ITDI_HOME\keys\tdikeys.jks
5. Enter the keystore password. The default password is secret.
6. Extract the Server certificate for client use by selecting Extract Certificate.
7. Select Binary DER data as the data type.
8. Enter the certificate file name: idiserver.der.
9. Enter the location as ITDI_HOME\keys.
10. Click OK.
11. Copy the idiserver.der certificate file to the workstation on which IBM Security Identity Manager is installed.

Importing the WebSphere CA certificate in the Tivoli Directory Integrator truststore

IBM Security Identity Manager uses the WebSphere CA certificate to authenticate to the Tivoli Directory Integrator.

About this task

After you extract the WebSphere CA certificate, you must import it into the Tivoli Directory Integrator truststore. After it is stored in the truststore, the SSL server can recognize the credentials of the client and authenticate the client.

Procedure

1. Navigate to the ITDI_HOME\jvm\jre\bin directory.
2. Start the ikeyman.exe file (Windows operating system) or ikeyman (UNIX and Linux operating system).
3. From the Key Database File menu, select Open.
4. Select JKS.
5. Type the keystore file name: tditrust.jks.
6. Type the location: ITDI_HOME\keys and click OK.
7. Click Signer Certificates in the dropdown menu and click Add.
8. Select Binary DER data as the data type.
9. Use Browse to select the timclient.der file that is stored in ITDI_HOME\keys directory.
10. Use timclient as the label.
11. Click OK to continue.

Configuring the Tivoli Directory Integrator to use the keystores

You can configure the Tivoli Directory Integrator properties file to use keystores.

Procedure

1. Navigate to the ITDI_HOME\timsol directory.
2. Open the Tivoli Directory Integrator solution.properties file in an editor.
3. Edit the following lines under client authentication:

   javax.net.ssl.keyStore=ITDI_HOME\keys\tdikeys.jks
   {protect}-javax.net.ssl.keyStorePassword=secret
   javax.net.ssl.keyStoreType=JKS

   a. Uncomment them, if necessary.
   b. Set the location, password, and type of keystore to match the keystore you created.
4. Save your changes.
5. Stop and restart the adapter service.


Note: You can modify the solution.properties file in a single operation. Do not stop and restart the adapter service after you configure the Tivoli Directory Integrator to use the keystores and truststores. You can stop and restart the adapter after you enable the adapter service to use SSL.

Configuring Tivoli Directory Integrator to use the truststores

You can configure the Tivoli Directory Integrator properties file to use truststores.

Procedure

1. Navigate to the ITDI_HOME\timsol directory.
2. Open the Tivoli Directory Integrator solution.properties file in an editor.
3. Edit the following lines under client authentication:

   javax.net.ssl.trustStore=ITDI_HOME\keys\tditrust.jks
   {protect}-javax.net.ssl.trustStorePassword=secret
   javax.net.ssl.trustStoreType=JKS

   a. Uncomment them, if necessary.
   b. Set the location, password, and type of keystore to match the keystore you created.
4. Save your changes.
5. Stop and restart the adapter service.

Note: You can modify the solution.properties file in a single operation. Do not stop and restart the adapter service after you configure the Tivoli Directory Integrator to use the keystores and truststores. You can stop and restart the adapter after you enable the adapter service to use SSL.

Enabling the adapter service to use SSL

You can configure the Tivoli Directory Integrator properties file to enable the adapter service to use SSL.

Procedure

1. Navigate to the ITDI_HOME\timsol directory.
2. Open the Tivoli Directory Integrator solution.properties file in an editor.
3. Edit the following two lines, which depend on the type of secure communications you want to use.

   For no SSL
      com.ibm.di.dispatcher.ssl=false
      com.ibm.di.dispatcher.ssl.clientAuth=false

   For one-way SSL
      com.ibm.di.dispatcher.ssl=true
      com.ibm.di.dispatcher.ssl.clientAuth=false

   For two-way SSL
      com.ibm.di.dispatcher.ssl=true
      com.ibm.di.dispatcher.ssl.clientAuth=true

4. Save your changes.
5. Stop and restart the adapter service.
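The keystore, truststore, and dispatcher SSL settings from the three procedures above all live in one solution.properties file, so they can be checked together before the adapter service is restarted. The following Python script is an added example, not part of the IBM guide or the product: it reports the SSL mode the file selects, store properties that are still commented out or missing for that mode, and passwords left at the default. The sample file content is constructed, and the mapping of modes to required stores (keystore for any SSL, truststore for two-way SSL) is this example's reading of the procedures above.

```python
import re

DEFAULT_PASSWORD = "secret"   # default keystore password named in this guide
PROTECT = "{protect}-"        # prefix shown on the password lines in this guide
# Assumption: the prefix marks the value for protection by Tivoli Directory Integrator.

KEYSTORE_KEYS = ("javax.net.ssl.keyStore",
                 "javax.net.ssl.keyStorePassword",
                 "javax.net.ssl.keyStoreType")
TRUSTSTORE_KEYS = ("javax.net.ssl.trustStore",
                   "javax.net.ssl.trustStorePassword",
                   "javax.net.ssl.trustStoreType")
SSL_KEY = "com.ibm.di.dispatcher.ssl"
CLIENT_AUTH_KEY = "com.ibm.di.dispatcher.ssl.clientAuth"

# One "key=value" line, optionally commented out with '#' or '!'.
_LINE = re.compile(
    r"^\s*(?P<comment>[#!]+\s*)?(?P<key>[^\s=:#!][^=:]*?)\s*[=:]\s*(?P<value>.*?)\s*$")


def parse_properties(text):
    """Return (active, commented): dicts of key -> (value, has_protect_prefix)."""
    active, commented = {}, {}
    for raw in text.splitlines():
        m = _LINE.match(raw)
        if not m:
            continue  # blank line or free-text comment
        key, value = m.group("key"), m.group("value")
        protected = key.startswith(PROTECT)
        if protected:
            key = key[len(PROTECT):]
        target = commented if m.group("comment") else active
        target[key] = (value, protected)
    return active, commented


def _flag(active, key):
    # Assumption of this example: an unset flag is treated as false.
    return active.get(key, ("false", False))[0].lower() == "true"


def ssl_mode(active):
    """Map the two dispatcher flags to 'none', 'one-way' or 'two-way'."""
    if not _flag(active, SSL_KEY):
        return "none"
    return "two-way" if _flag(active, CLIENT_AUTH_KEY) else "one-way"


def audit(text):
    """Return (mode, findings) for the content of a solution.properties file."""
    active, commented = parse_properties(text)
    mode = ssl_mode(active)
    findings = []
    if mode == "none":
        findings.append("dispatcher SSL is off: adapter traffic is not encrypted")
        if _flag(active, CLIENT_AUTH_KEY):
            findings.append("clientAuth=true with ssl=false is not one of the "
                            "three combinations the guide lists")
    required = []
    if mode != "none":
        required += KEYSTORE_KEYS       # the SSL server presents its certificate
    if mode == "two-way":
        required += TRUSTSTORE_KEYS     # the SSL server verifies the client
    for key in required:
        if key not in active:
            state = "commented out" if key in commented else "missing"
            findings.append(f"{key} is {state} but {mode} SSL needs it")
    for key in (KEYSTORE_KEYS[1], TRUSTSTORE_KEYS[1]):
        if key in active:
            value, protected = active[key]
            if value == DEFAULT_PASSWORD:
                findings.append(
                    f"{key} still uses the default password '{DEFAULT_PASSWORD}'")
            if not protected:
                findings.append(f"{key} lacks the {PROTECT} prefix")
    return mode, findings


# Constructed sample: two-way SSL requested, truststore lines never uncommented.
SAMPLE = r"""
## client authentication (constructed sample, not a real file)
javax.net.ssl.keyStore=C:\Program Files\IBM\TDI\V7.1\keys\tdikeys.jks
{protect}-javax.net.ssl.keyStorePassword=secret
javax.net.ssl.keyStoreType=JKS
#javax.net.ssl.trustStore=C:\Program Files\IBM\TDI\V7.1\keys\tditrust.jks
#{protect}-javax.net.ssl.trustStorePassword=secret
#javax.net.ssl.trustStoreType=JKS
com.ibm.di.dispatcher.ssl=true
com.ibm.di.dispatcher.ssl.clientAuth=true
"""

if __name__ == "__main__":
    mode, findings = audit(SAMPLE)
    print("SSL mode:", mode)
    for finding in findings:
        print(" -", finding)
```

To check a real file, pass the text of ITDI_HOME\timsol\solution.properties to audit().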


Tasks performed on the SSL client (IBM Security Identity Manager and WebSphere Application Server workstation)

You must do several tasks to establish SSL communication between IBM Security Identity Manager and Tivoli Directory Integrator.

Procedure

Perform the following tasks on the server workstation on which IBM® Security Identity Manager and WebSphere Application Server are installed:

1. “One-way and two-way SSL authentication” on page 22
2. “Creating a signed certificate for the IBM Security Identity Manager server”
3. “Extracting a WebSphere Application Server CA certificate for IBM Security Identity Manager”
4. “Importing the IBM Security Identity Manager CA certificate in the WebSphere Application Server truststore” on page 30

Creating a signed certificate for the IBM Security Identity Manager server

You can use a well-known authority or your own certificate server to generate a certificate.

About this task

In this case, use the Personal certificates requests option to produce a certificate request to send to the well-known authority or to your certificate server. You can use the Accept option under Personal certificates to load the data sent by the certificate authority in response to the request.

Procedure

1. Connect to the WebSphere Application Server Administrative Console.
2. Navigate to Security > SSL certificate and key management > Keystores and certificates.
3. Select NodeDefaultKeyStore.
4. Select Personal certificates.
5. Select Create a self-signed certificate.
6. Set appropriate values for the certificate fields:
   a. Set the Alias to timclient.
   b. Use your system name (DNS name) as the Common Name (workstation name).
   c. Enter the name of your organization. For example, enter IBM.
7. Click OK and save.
8. Extract the CA certificate from the self-signed certificate.

Extracting a WebSphere Application Server CA certificate for IBM Security Identity Manager

To establish secure communication between IBM Security Identity Manager and the adapter, you must extract a WebSphere Application Server CA certificate for IBM Security Identity Manager.


Procedure

1. Connect to the WebSphere Application Server Administrative Console.
2. Navigate to Security > SSL certificate and key management > Keystores and certificates.
3. Select NodeDefaultKeyStore.
4. Select Personal certificates.
5. Select the check box against the certificate that you created and select Extract.
6. Enter a file name: C:\keys\timclient.der.
7. Select Binary DER data as the data type.
8. Click OK.

Importing the IBM Security Identity Manager CA certificate in the WebSphere Application Server truststore

After you create a WebSphere Application Server CA certificate for IBM Security Identity Manager, you must import the IBM Security Identity Manager CA certificate in the WebSphere Application Server truststore.

Procedure

1. Copy the SSL server CA certificate file, idiserver.der, to the C:\keys directory on the workstation on which IBM Security Identity Manager is installed.
2. Connect to the WebSphere Application Server Administrative Console.
3. Navigate to Security > SSL certificate and key management > Keystores and certificates.
4. Select NodeDefaultTrustStore.
5. Select Signer certificates.
6. Click Add.
   a. Set the Alias to idiserver.
   b. Specify the file name of the exported Tivoli Directory Integrator server certificate: C:\keys\idiserver.der.
   c. Select Binary DER data as the data type.
7. Click OK to continue and save.


Chapter 6. Adapter error troubleshooting

Troubleshooting can help you determine why a product does not function properly.

These topics provide information and techniques for identifying and resolving problems with the adapter. They also provide information about troubleshooting errors that might occur during the adapter installation.

Techniques for troubleshooting problems

Troubleshooting is a systematic approach to solving a problem. The goal of troubleshooting is to determine why something does not work as expected and how to resolve the problem.

Certain common techniques can help with the task of troubleshooting. The first step in the troubleshooting process is to describe the problem completely. Problem descriptions help you and the IBM technical-support representative know where to start to find the cause of the problem. This step includes asking yourself basic questions:

- What are the symptoms of the problem?
- Where does the problem occur?
- When does the problem occur?
- Under which conditions does the problem occur?
- Can the problem be reproduced?

The answers to these questions typically lead to a good description of the problem, which can then lead you to a problem resolution.

What are the symptoms of the problem?

When starting to describe a problem, the most obvious question is “What is the problem?” This question might seem straightforward; however, you can break it down into several more-focused questions that create a more descriptive picture of the problem. These questions can include:

- Who, or what, is reporting the problem?
- What are the error codes and messages?
- How does the system fail? For example, is it a loop, hang, crash, performance degradation, or incorrect result?

Where does the problem occur?

Determining where the problem originates is not always easy, but it is one of the most important steps in resolving a problem. Many layers of technology can exist between the reporting and failing components. Networks, disks, and drivers are only a few of the components to consider when you are investigating problems.

The following questions help you to focus on where the problem occurs to isolate the problem layer:

- Is the problem specific to one platform or operating system, or is it common across multiple platforms or operating systems?
- Is the current environment and configuration supported?
- Do all users have the problem?
- (For multi-site installations.) Do all sites have the problem?

If one layer reports the problem, the problem does not necessarily originate in that layer. Part of identifying where a problem originates is understanding the environment in which it exists. Take some time to completely describe the problem environment, including the operating system and version, all corresponding software and versions, and hardware information. Confirm that you are running within an environment that is a supported configuration; many problems can be traced back to incompatible levels of software that are not intended to run together or have not been fully tested together.

When does the problem occur?

Develop a detailed timeline of events leading up to a failure, especially for those cases that are one-time occurrences. You can most easily develop a timeline by working backward: Start at the time an error was reported (as precisely as possible, even down to the millisecond), and work backward through the available logs and information. Typically, you need to look only as far as the first suspicious event that you find in a diagnostic log.

To develop a detailed timeline of events, answer these questions:

- Does the problem happen only at a certain time of day or night?
- How often does the problem happen?
- What sequence of events leads up to the time that the problem is reported?
- Does the problem happen after an environment change, such as upgrading or installing software or hardware?

Responding to these types of questions can give you a frame of reference in which to investigate the problem.

Under which conditions does the problem occur?

Knowing which systems and applications are running at the time that a problem occurs is an important part of troubleshooting. These questions about your environment can help you to identify the root cause of the problem:

- Does the problem always occur when the same task is being performed?
- Does a certain sequence of events need to happen for the problem to occur?
- Do any other applications fail at the same time?

Answering these types of questions can help you explain the environment in which the problem occurs and correlate any dependencies. Remember that just because multiple problems might have occurred around the same time, the problems are not necessarily related.

Can the problem be reproduced?

From a troubleshooting standpoint, the ideal problem is one that can be reproduced. Typically, when a problem can be reproduced you have a larger set of tools or procedures at your disposal to help you investigate. Consequently, problems that you can reproduce are often easier to debug and solve.

However, problems that you can reproduce can have a disadvantage: If the problem is of significant business impact, you do not want it to recur. If possible, re-create the problem in a test or development environment, which typically offers you more flexibility and control during your investigation.

- Can the problem be re-created on a test system?
- Are multiple users or applications encountering the same type of problem?
- Can the problem be re-created by running a single command, a set of commands, or a particular application?

For information about obtaining support, see Appendix B, “Support information,” on page 49.

Warning and error messages

Warnings or error messages are provided to guide you when you encounter a problem. These messages contain unique message IDs and corrective actions.

Table 6 contains warnings or errors that might be displayed on the user interface.

Table 6. Messages and corrective action

| Message number | Message | Corrective action |
|---|---|---|
| CTGIMT001E | The following error occurred. Either the Cisco Unified Communications Manager service name is incorrect or the service is not up. | Ensure that service name given on Tivoli Identity Manager service form is running. |
| CTGIMT001E | The following error occurred. Either the Cisco Unified Communications Manager host or port is incorrect. | Verify that the host workstation name and the port for Cisco Unified Communications Manager server are correctly specified. |
| CTGIMT002E | The login credential is missing or incorrect. | Verify that login credential specified on service form is correct. |
| CTGIMT003E | The account already exists. | The user has already been added to the resource. This error might occur if you are attempting to add a user to the managed resource and Tivoli Identity Manager is not synchronized with the resource. To fix this problem, schedule a reconciliation between Tivoli Identity Manager and the resource. See the online help for information about scheduling a reconciliation. |
| CTGIMT006E | An error occurred while establishing communication with the IBM Tivoli Directory Integrator server. | • Verify that the Tivoli Directory Integrator-Based Adapter Service is running. • Verify that the Web address specified on the service form for Tivoli Directory Integrator is correct. |
| CTGIMT009E | The account username cannot be modified because it does not exist. | This error might occur when you attempt to modify a user. This error might also occur if you attempt to change the password for a user. To fix the problem, ensure that: • The location specified for the managed resource is correct. • The user was created on the resource. • The user was not deleted from the resource. • If the user does not exist on the resource, create the user on the resource and then schedule a reconciliation. See the online help for information about scheduling a reconciliation. |
| CTGIMT015E | An error occurred while deleting the username account because the account does not exist. | This error might occur when you attempt to delete a user. This error might also occur if you attempt to change the password for a user. To fix the problem, ensure that: • The location specified for the managed resource is correct. • The user was created on the resource. • The user was not deleted from the resource. • If the user does not exist on the resource, no action is necessary. |


Chapter 7. Adapter upgrade

Install a new version of the adapter to upgrade it.

Upgrading the adapter might also involve tasks, such as upgrading the connector, the dispatcher, and the existing adapter profile. To verify the required version of these adapter components, see the adapter release notes. For the installation steps, see Chapter 3, “Adapter installation,” on page 9.

Connector upgrade

Upgrading the adapter involves tasks such as upgrading the connector.

Before you upgrade the connector, verify the version of the connector.

- If the connector version mentioned in the release notes is later than the existing version on your workstation, install the connector.
- If the connector version mentioned in the release notes is the same or earlier than the existing version, do not install the connector.

Note: Stop the dispatcher service before upgrading the connector and start it again after the upgrade is complete.

Upgrade of an existing adapter profile

Upgrading the adapter involves tasks such as upgrading the existing adapter profile.

Read the adapter release notes for any specific instructions before importing a new adapter profile on Security Identity Manager.

See “Importing the adapter profile into the IBM Security Identity Manager server” on page 11.

Note: Restart the dispatcher service after importing the profile. Restarting the dispatcher clears the assembly lines cache and ensures that the dispatcher runs the assembly lines from the updated adapter profile.


Chapter 8. Uninstalling the adapter

Uninstalling the Cisco Unified Communications Manager Adapter completely involves its uninstallation from the server and the removal of its profile.

About this task

1. Uninstall the adapter from the Tivoli Directory Integrator server.
2. Remove the adapter profile from the Security Identity Manager server.

Uninstalling the adapter from the Tivoli Directory Integrator

Remove the Tivoli Directory Integrator Cisco Unified Communications Manager connector to uninstall the adapter from the Tivoli Directory Integrator.

About this task

To remove the Cisco Unified Communications Manager Adapter, complete these steps:

Procedure

1. Stop the Dispatcher service.
2. Remove the CiscoUniComMgr.jar file from the ITDI_HOME/jars/connectors directory.
3. Start the Dispatcher service.

Adapter profile removal from the Security Identity Manager server

Before you remove the adapter profile, ensure that no objects exist on your IBM Security Identity Manager server that reference the adapter profile.

Examples of objects on the IBM Security Identity Manager server that can reference the adapter profile are:

- Adapter service instances
- Policies referencing an adapter instance or the profile
- Accounts

Note: The RMI Dispatcher component must be installed on your system for adapters to function correctly in a Tivoli Directory Integrator environment. When you delete the adapter profile for the Cisco Unified Communications Manager Adapter, do not uninstall the RMI Dispatcher.

For specific information about how to remove the adapter profile, see the online help or the IBM Security Identity Manager product documentation.


Chapter 9. Adapter reinstallation

There are no special considerations for reinstalling the adapter. You do not need to remove the adapter before reinstalling.

See Chapter 7, “Adapter upgrade,” on page 35 for more information.


Chapter 10. Adapter attributes

The IBM Security Identity Manager server communicates with the adapter by using attributes that are included in transmission packets that are sent over a network.

The combination of attributes, included in the packets, depends on the type of action that the IBM Security Identity Manager server requests from the adapter.

Table 7 lists the attributes that are used by the adapter. The table gives a brief description, constraints, and permissions.

Use the following keys for the permissions column:

R = Read only
RW = Add, read, modify, write
AR = Add, Read

Table 7. Required attributes for the erCUCMAccount object class

| Attribute name and description | Data type | Single valued | Permissions | Constraints | Attribute name on CUCM server |
|---|---|---|---|---|---|
| eruid: Specifies the user login ID. | String | Yes | AR | Maximum length is 128 characters | User ID |
| sn: Specifies the last name of the user. | String | No | RW | Maximum length is 64 characters | Last Name |

Table 8. Optional attributes for the erCUCMAccount object class

| Attribute name and description | Data type | Single valued | Permissions | Constraints | Attribute name on CUCM server |
|---|---|---|---|---|---|
| erPassword: Specifies the password of the user. | String | Yes | RW | Maximum length is 128 characters | Password |
| givenname: Specifies the first name of the user. | String | No | RW | Maximum length is 64 characters | First Name |
| erCUCMPwdPin: Specifies the PIN associated with the user. | Integer | Yes | RW | Must contain 1-127 numeric characters | Pin |
| erCUCMTelePhoneNumber: Specifies the telephone number of the user. | String | Yes | RW | Maximum length is 64 characters | Telephone Number |
| erCUCMDepartment: Specifies the department of the user. | String | Yes | RW | Maximum length is 64 characters | Department |
| erCUCMManagerId: Specifies the manager of the user. | String | Yes | RW | Maximum length is 128 characters | Manager ID |
| erCUCMUserLocale: Specifies the locale of the user. | String | Yes | RW | NA | User Locale |
| erCUCMAssociatedPC: Specifies the PC associated with the user. | String | Yes | RW | Maximum length is 51 characters | Associated PC |
| erCUCMPwdDigestCredentials: Specifies the digest credentials of the user. | String | Yes | RW | Maximum length is 31 characters | Digest Credentials |
| erCUCMLineName: Specifies the primary extension associated with the user. | String | Yes | RW | Must not be null in modify operation | Primary Extension |
| erCUCMEnabMobility: Specifies the mobility of the user. | Boolean | Yes | RW | NA | Enable Mobility |
| erCUCMEnabMobVoiceAccess: Specifies whether the Mobile Voice Access is enabled for the user. | Boolean | Yes | RW | NA | Enable Mobile Voice Access |
| erCUCMMaxWaitTimeForDeskPickup: Specifies the maximum time to wait for the desk phone to pick up. | Integer | Yes | RW | Must be a Number in the range of 0 - 30000 milliseconds | Maximum Wait Time for Desk Pickup |
| erCUCMRemDestLimit: Specifies the remote destination limits associated with the user. | Integer | Yes | RW | Must be a Number in the range of 1 - 10 | Remote Destination Limit |
| erCUCMRemDestProfileName: Specifies the remote destination profile names associated with the user. | String | No | RW | Maximum length is 51 characters | Remote Destination Profile |
| erCUCMAccessList: Lists the access lists associated with the user. | String | No | R | NA | Access List |
| erCUCMEnableCTI: Specifies to enable computer-telephony integration. | Boolean | Yes | RW | NA | Allow Control of Devices from CTI |
| erCUCMDevices: Specifies the phones associated with the user. | String | No | RW | NA | Controlled Devices |
| erCUCMDeviceProfiles: Specifies the phone profiles associated with the user. | String | No | RW | NA | Controlled Device Profiles |
| erCUCMAssociatedGroups: Specifies the groups associated with the user. | String | No | RW | NA | Groups |
| erCUCMRoles: Lists the roles associated with the groups to which the user belongs. | String | No | R | NA | Roles |


Chapter 11. Adapter installation on a z/OS operating system

To install the adapters on the z/OS UNIX file system, you need to install the Dispatcher only. The adapter uses the Tivoli Directory Integrator JDBC connector that is available with the base Tivoli Directory Integrator product.

For information about installing the Dispatcher, see the Dispatcher Installation and Configuration Guide.

After the installation of the adapter is complete, to verify the startup and shutdown of the adapter, go to “Adapter service start, stop, and restart” on page 10.


Appendix A. Definitions for ITDI_HOME and ISIM_HOME directories

ITDI_HOME is the directory where Tivoli Directory Integrator is installed. ISIM_HOME is the directory where IBM Security Identity Manager is installed.

ITDI_HOME
   This directory contains the jars/connectors subdirectory that contains files for the adapters.

   Windows
      drive\Program Files\IBM\TDI\ITDI_VERSION
      For example the path for version 7.1: C:\Program Files\IBM\TDI\V7.1

   UNIX
      /opt/IBM/TDI/ITDI_VERSION
      For example the path for version 7.1: /opt/IBM/TDI/V7.1

ISIM_HOME
   This directory is the base directory that contains the IBM Security Identity Manager code, configuration, and documentation.

   Windows
      path\IBM\isim

   UNIX
      path/IBM/isim


Appendix B. Support information

You have several options to obtain support for IBM products.

- “Searching knowledge bases”
- “Obtaining a product fix” on page 50
- “Contacting IBM Support” on page 50

Searching knowledge basesYou can often find solutions to problems by searching IBM knowledge bases. Youcan optimize your results by using available resources, support tools, and searchmethods.

About this task

You can find useful information by searching the product documentation for IBMSecurity Identity Manager. However, sometimes you must look beyond the productdocumentation to answer your questions or resolve problems.

Procedure

To search knowledge bases for information that you need, use one or more of the following approaches:

1. Search for content by using the IBM Support Assistant (ISA).
   ISA is a no-charge software serviceability workbench that helps you answer questions and resolve problems with IBM software products. You can find instructions for downloading and installing ISA on the ISA website.
2. Find the content that you need by using the IBM Support Portal.
   The IBM Support Portal is a unified, centralized view of all technical support tools and information for all IBM systems, software, and services. The IBM Support Portal lets you access the IBM electronic support portfolio from one place. You can tailor the pages to focus on the information and resources that you need for problem prevention and faster problem resolution. Familiarize yourself with the IBM Support Portal by viewing the demo videos (https://www.ibm.com/blogs/SPNA/entry/the_ibm_support_portal_videos) about this tool. These videos introduce you to the IBM Support Portal, explore troubleshooting and other resources, and demonstrate how you can tailor the page by moving, adding, and deleting portlets.
3. Search for content about IBM Security Identity Manager by using one of the following additional technical resources:
   - IBM Security Identity Manager version 6.0 technotes and APARs (problem reports).
   - IBM Security Identity Manager Support website.
   - IBM Redbooks®.
   - IBM support communities (forums and newsgroups).
4. Search for content by using the IBM masthead search. You can use the IBM masthead search by typing your search string into the Search field at the top of any ibm.com® page.
5. Search for content by using any external search engine, such as Google, Yahoo, or Bing. If you use an external search engine, your results are more likely to include information that is outside the ibm.com domain. However, sometimes you can find useful problem-solving information about IBM products in newsgroups, forums, and blogs that are not on ibm.com.

Tip: Include “IBM” and the name of the product in your search if you are looking for information about an IBM product.

Obtaining a product fix

A product fix might be available to resolve your problem.

About this task

You can get fixes by following these steps:

Procedure

1. Obtain the tools that are required to get the fix. You can obtain product fixes from the Fix Central Site. See http://www.ibm.com/support/fixcentral/.
2. Determine which fix you need.
3. Download the fix. Open the download document and follow the link in the “Download package” section.
4. Apply the fix. Follow the instructions in the “Installation Instructions” section of the download document.

Contacting IBM Support

IBM Support assists you with product defects, answers FAQs, and helps users resolve problems with the product.

Before you begin

After trying to find your answer or solution by using other self-help options such as technotes, you can contact IBM Support. Before contacting IBM Support, your company or organization must have an active IBM software subscription and support contract, and you must be authorized to submit problems to IBM. For information about the types of available support, see the Support portfolio topic in the “Software Support Handbook”.

Procedure

To contact IBM Support about a problem:

1. Define the problem, gather background information, and determine the severity of the problem. For more information, see the Getting IBM support topic in the Software Support Handbook.
2. Gather diagnostic information.
3. Submit the problem to IBM Support in one of the following ways:
   - Using IBM Support Assistant (ISA):
     Any data that has been collected can be attached to the service request. Using ISA in this way can expedite the analysis and reduce the time to resolution.
     a. Download and install the ISA tool from the ISA website. See http://www.ibm.com/software/support/isa/.
     b. Open ISA.
     c. Click Collection and Send Data.
     d. Click the Service Requests tab.
     e. Click Open a New Service Request.
   - Online through the IBM Support Portal: You can open, update, and view all of your service requests from the Service Request portlet on the Service Request page.
   - By telephone for critical, system down, or severity 1 issues: For the telephone number to call in your region, see the Directory of worldwide contacts web page.

Results

If the problem that you submit is for a software defect or for missing or inaccurate documentation, IBM Support creates an Authorized Program Analysis Report (APAR). The APAR describes the problem in detail. Whenever possible, IBM Support provides a workaround that you can implement until the APAR is resolved and a fix is delivered. IBM publishes resolved APARs on the IBM Support website daily, so that other users who experience the same problem can benefit from the same resolution.


Appendix C. Accessibility features for IBM Security Identity Manager

Accessibility features help users who have a disability, such as restricted mobility or limited vision, to use information technology products successfully.

Accessibility features

The following list includes the major accessibility features in IBM Security Identity Manager.

- Support for the Freedom Scientific JAWS screen reader application
- Keyboard-only operation
- Interfaces that are commonly used by screen readers
- Keys that are discernible by touch but do not activate just by touching them
- Industry-standard devices for ports and connectors
- The attachment of alternative input and output devices

The IBM Security Identity Manager library, and its related publications, are accessible.

Keyboard navigation

This product uses standard Microsoft Windows navigation keys.

Related accessibility information

The following keyboard navigation and accessibility features are available in the form designer:

- You can use the tab keys and arrow keys to move between the user interface controls.
- You can use the Home, End, Page Up, and Page Down keys for more navigation.
- You can launch any applet, such as the form designer applet, in a separate window to enable the Alt+Tab keystroke to toggle between that applet and the web interface, and also to use more screen workspace. To launch the window, click Launch as a separate window.
- You can change the appearance of applets such as the form designer by using themes, which provide high contrast color schemes that help users with vision impairments to differentiate between controls.

IBM and accessibility

See the IBM Human Ability and Accessibility Center for more information about the commitment that IBM has to accessibility.


Notices

This information was developed for products and services offered in the U.S.A.

IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785 U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan, Ltd.
19-21, Nihonbashi-Hakozakicho, Chuo-ku
Tokyo 103-8510, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law:

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement might not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.


IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

IBM Corporation
2Z4A/101
11400 Burnet Road
Austin, TX 78758 U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases payment of a fee.

The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

COPYRIGHT LICENSE:

This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. You may copy, modify, and distribute these sample programs in any form without payment to IBM for the purposes of developing, using, marketing, or distributing application programs conforming to IBM's application programming interfaces.

Each copy or any portion of these sample programs or any derivative work, must include a copyright notice as follows:

If you are viewing this information softcopy, the photographs and color illustrations might not appear.

© (your company name) (year). Portions of this code are derived from IBM Corp. Sample Programs. © Copyright IBM Corp. _enter the year or years_. All rights reserved.

If you are viewing this information in softcopy form, the photographs and color illustrations might not be displayed.

Trademarks

IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at http://www.ibm.com/legal/copytrade.shtml.

Adobe, Acrobat, PostScript and all Adobe-based trademarks are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, other countries, or both.

IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce.

Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

Linux is a trademark of Linus Torvalds in the United States, other countries, or both.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Cell Broadband Engine and Cell/B.E. are trademarks of Sony Computer Entertainment, Inc., in the United States, other countries, or both and is used under license therefrom.


Java™ and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.

Privacy Policy Considerations

IBM Software products, including software as a service solutions, ("Software Offerings") may use cookies or other technologies to collect product usage information, to help improve the end user experience, and to tailor interactions with the end user or for other purposes. In many cases, no personally identifiable information is collected by the Software Offerings. Some of our Software Offerings can help enable you to collect personally identifiable information. If this Software Offering uses cookies to collect personally identifiable information, specific information about this offering’s use of cookies is set forth below.

This Software Offering does not use cookies or other technologies to collect personally identifiable information.

If the configurations deployed for this Software Offering provide you as customer the ability to collect personally identifiable information from end users via cookies and other technologies, you should seek your own legal advice about any laws applicable to such data collection, including any requirements for notice and consent.

For more information about the use of various technologies, including cookies, for these purposes, see IBM's Privacy Policy at http://www.ibm.com/privacy and IBM’s Online Privacy Statement at http://www.ibm.com/privacy/details/us/en sections entitled "Cookies, Web Beacons and Other Technologies and Software Products and Software-as-a Service".

