IBM Security Identity Manager Version 6.0 IBM i Adapter Installation and Configuration Guide SC27-4396-01


Note: Before using this information and the product it supports, read the information in “Notices” on page 49.

Edition notice

Note: This edition applies to version 6.0 of IBM Security Identity Manager (product number 5724-C34) and to all subsequent releases and modifications until otherwise indicated in new editions.

© Copyright IBM Corporation 2012, 2013. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.


Contents

Figures
Tables
Preface
    About this publication
    Access to publications and terminology
    Accessibility
    Technical training
    Support information
    Statement of Good Security Practices
Chapter 1. Overview of the adapter
    Features of the adapter
    Architecture of the adapter
    Supported configurations
Chapter 2. Adapter installation planning
    Preinstallation road map
    Installation roadmap
    Prerequisites
    Installation worksheet for the adapter
    Software download for the adapter
Chapter 3. Adapter installation
    Dispatcher installation verification
    Installing the adapter
    Adapter service start, stop, and restart
    Importing the adapter profile into the IBM Security Identity Manager server
    Adapter profile installation verification
    Adapter user account creation
    Configuring the Directory Server
    Creating a service
Chapter 4. First steps after installation
    Adapter configuration
        Customizing the adapter profile
    Password management when restoring accounts
    Language pack installation
    Verifying that the adapter is working correctly
Chapter 5. Adapter error troubleshooting
    Techniques for troubleshooting problems
    Warning and error messages
Chapter 6. Upgrade of the adapter
    Upgrade of the adapter profile
Chapter 7. Uninstallation of the adapter
    Removal of the adapter profile from the IBM Security Identity Manager server
Chapter 8. Reinstallation of the adapter
Appendix A. Adapter attributes
Appendix B. Configuring certificates for one-way SSL authentication
Appendix C. Definitions for ITDI_HOME and ISIM_HOME directories
Appendix D. Support information
    Searching knowledge bases
    Obtaining a product fix
    Contacting IBM Support
Appendix E. Accessibility features for IBM Security Identity Manager
Notices
Index


Figures

1. The architecture of the IBM i Adapter
2. Example of a single server configuration
3. Example of multiple server configuration


Tables

1. Preinstallation road map
2. Installation roadmap
3. Requirements to install the adapter
4. Required information to install the adapter
5. Warning and error messages
6. Attributes, descriptions and permissions


Preface

About this publication

The IBM i Adapter Installation and Configuration Guide (previously titled the IBM i5/OS Adapter Installation and Configuration Guide) provides the basic information that you need to install and configure the IBM® Security Identity Manager IBM i Adapter (IBM i Adapter).

IBM Security Identity Manager was previously known as Tivoli® Identity Manager. The IBM i Adapter enables connectivity between the IBM Security Identity Manager server and an IBM i system. The IBM Security Identity Manager server is the server for your IBM Security Identity Manager product.

Access to publications and terminology

This section provides:
• A list of publications in the “IBM Security Identity Manager library.”
• Links to “Online publications.”
• A link to the “IBM Terminology website.”

IBM Security Identity Manager library

For a complete listing of the IBM Security Identity Manager and IBM Security Identity Manager Adapter documentation, see the online library (http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=/com.ibm.isim.doc_6.0/ic-homepage.htm).

Online publications

IBM posts product publications when the product is released and when the publications are updated at the following locations:

IBM Security Identity Manager library
    The product documentation site (http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=/com.ibm.isim.doc_6.0/ic-homepage.htm) displays the welcome page and navigation for the library.

IBM Security Systems Documentation Central
    IBM Security Systems Documentation Central provides an alphabetical list of all IBM Security Systems product libraries and links to the online documentation for specific versions of each product.

IBM Publications Center
    The IBM Publications Center site (http://www-05.ibm.com/e-business/linkweb/publications/servlet/pbi.wss) offers customized search functions to help you find all the IBM publications you need.

IBM Terminology website

The IBM Terminology website consolidates terminology for product libraries in one location. You can access the Terminology website at http://www.ibm.com/software/globalization/terminology.


Accessibility

Accessibility features help users with a physical disability, such as restricted mobility or limited vision, to use software products successfully. With this product, you can use assistive technologies to hear and navigate the interface. You can also use the keyboard instead of the mouse to operate all features of the graphical user interface.

Technical training

For technical training information, see the following IBM Education website at http://www.ibm.com/software/tivoli/education.

Support information

IBM Support provides assistance with code-related problems and routine, short duration installation or usage questions. You can directly access the IBM Software Support site at http://www.ibm.com/software/support/probsub.html.

Appendix D, “Support information,” on page 43 provides details about:
• What information to collect before contacting IBM Support.
• The various methods for contacting IBM Support.
• How to use IBM Support Assistant.
• Instructions and problem-determination resources to isolate and fix the problem yourself.

Note: The Community and Support tab on the product information center can provide additional support resources.

Statement of Good Security Practices

IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.


Chapter 1. Overview of the adapter

The IBM i Adapter enables communication between the IBM Security Identity Manager server and an IBM i system.

An adapter provides an interface between a managed resource and the IBM Security Identity Manager server. Adapters might reside on the managed resource. The IBM Security Identity Manager server manages access to the resource by using your security system. Adapters function as trusted virtual administrators on the target platform. They perform tasks, such as creating, suspending, and restoring user accounts, and other administrative functions that are performed manually. The adapter runs as a service, independently of whether you are logged on to the IBM Security Identity Manager server.

Features of the adapter

The adapter automates various user account administrative tasks.

The adapter automates the following user account management tasks:
• Reconciling user accounts and other support data
• Adding user accounts
• Modifying user account attributes
• Modifying user account passwords
• Suspending, restoring, and deleting user accounts

Architecture of the adapter

You must install several components for the adapter to function correctly.

You must install the following components:
• The Dispatcher
• The Tivoli Directory Integrator connector
• The IBM Security Identity Manager adapter profile

You need to install the RMI Dispatcher and the adapter profile; however, the Tivoli Directory Integrator connector might already be installed with the base Tivoli Directory Integrator product.

A directory server is installed by default on the IBM i operating system. All users provisioned on the IBM i operating system are projected as directory entries on this directory server. The Tivoli Directory Integrator LDAP connector communicates with the directory server on the IBM i operating system to perform user account management operations.

Figure 1 on page 2 describes the components that work together to complete the user account management tasks in a Tivoli Directory Integrator environment.


For more information about Tivoli Directory Integrator, see the Quick Start Guide at IBM Security Identity Manager product documentation.

Supported configurations

The adapter supports both single server and multiple server configurations.

The fundamental components in each environment are:
• The IBM Security Identity Manager server
• The IBM Tivoli Directory Integrator server
• The managed resource
• The adapter

The adapter must reside directly on the server running the Tivoli Directory Integrator server.

Single server configuration

In a single server configuration, install the IBM Security Identity Manager server, the Tivoli Directory Integrator server, and the IBM i Adapter on one server to establish communication with the IBM i system with a directory server interface. The IBM i system is installed on a different server as described in Figure 2.

Multiple server configuration

In a multiple server configuration, the IBM Security Identity Manager server, the Tivoli Directory Integrator server, the IBM i Adapter, and the IBM i system are installed on different servers. Install the Tivoli Directory Integrator server and the IBM i Adapter on the same server as described in Figure 3 on page 3.

Figure 1. The architecture of the IBM i Adapter (diagram labels: IBM Security Identity Manager Server, RMI calls, Dispatcher Service (an instance of the IBM Tivoli Directory Integrator), Adapter resource)

Figure 2. Example of a single server configuration (diagram labels: IBM Security Identity Manager Server, Tivoli Directory Integrator Server, Adapter, Managed resource)


Figure 3. Example of multiple server configuration (diagram labels: IBM Security Identity Manager server, Tivoli Directory Integrator server, Adapter, Managed resource)


Chapter 2. Adapter installation planning

Installing and configuring the adapter involves several steps that you must complete in the appropriate sequence. Review the roadmaps before you begin the installation process.

Preinstallation road map

Before you install the adapter, you must prepare the environment.

Perform the tasks that are listed in Table 1.

Table 1. Preinstallation road map

| Task | For more information |
|---|---|
| Obtain the installation software. | Download the software from Passport Advantage® website. See “Software download for the adapter” on page 8. |
| Verify that your environment meets the software and hardware requirements for the adapter. | See “Prerequisites” on page 6. |
| Obtain and install the RMI Dispatcher. | Download the software from Passport Advantage website. See “Software download for the adapter” on page 8. Follow the installation instructions in the dispatcher download package. |
| Obtain the necessary information for the installation and configuration. | See “Installation worksheet for the adapter” on page 8. |

Installation roadmap

You must complete a task sequence to successfully install the adapter.

To install the adapter, complete the tasks that are listed in Table 2.

Table 2. Installation roadmap

| Task | For more information |
|---|---|
| Verify the Dispatcher installation. | See “Dispatcher installation verification” on page 9. |
| Install the adapter. | See “Installing the adapter” on page 9. |
| Import the adapter profile. | See “Importing the adapter profile into the IBM Security Identity Manager server” on page 10. |
| Verify the profile installation. | See “Adapter profile installation verification” on page 11. |
| Configuring the Directory Server | See “Configuring the Directory Server” on page 11. |
| Create an adapter user account. | See “Adapter user account creation” on page 11. |
| Create a service. | See “Creating a service” on page 12. |
| Configure the adapter. | See “Adapter configuration” on page 17. |

Prerequisites

Verify that your environment meets all the prerequisites before installing the adapter.

Table 3 identifies the software and operating system prerequisites for the adapter installation.

Ensure that you install the adapter on the same workstation as the Tivoli Directory Integrator server.

Table 3. Requirements to install the adapter

Prerequisite: System
Description:
• A supported hardware system.
  – i5/OS V5R4
  – IBM i V6R1
  – IBM i V7R1
• A minimum of 16 MB of memory.
• A minimum of at least 20 MB of free disk space.

Prerequisite: Software
Description:
i5/OS V5R4
  • 5722SS1, option 12 (Host Servers)
  • 5722JC1 (IBM Toolbox for Java™)
  The following software is required for secure connections:
  • 5722SS1, option 34 (Digital Certificate Manager)
  • 5722AC3 - V5R3 only (Crypto Access Provider 128-bit)
  • 5722DG1 (IBM HTTP Server)
  The following administrative tool is needed for the directory server:
  iSeries® Navigator - included with iSeries Access EZSetup
IBM i 7.1
  • 5770SS1, option 12 (Host Servers)
  • 5761JV1 (IBM Developer Kit for Java)
  The following software packages are required for secure connections:
  • 5770SS1, option 34 (Digital Certificate Manager)
  • 5770SSI, option 35, (CCA Cryptographic Service Provider)
  • 5770DG1 (IBM HTTP Server for i)
  The following administrative tool is needed for IBM Directory Server for i configuration and the Digital Certificate Manager:
  5770XH2 - IBM Navigator for i (included in IBM i Access)

Prerequisite: Network connectivity
Description: The adapter must be installed on a system that can communicate with the IBM Security Identity Manager service through the TCP/IP network.

Prerequisite: System Administrator authority
Description: A user profile with the following privileges is needed for the installation: User class=*SECOFR, SPCAUT=*USRCLS.

Prerequisite: IBM Security Identity Manager server
Description: Version 6.0

Prerequisite: Tivoli Directory Integrator server
Description:
  Version 7.1 fix pack 5 or later
  Version 7.1.1

For information about the prerequisites and supported operating systems for Tivoli Directory Integrator, see the IBM Tivoli Directory Integrator 7.1: Administrator Guide.


Installation worksheet for the adapter

The table in this topic identifies the information that you need before installing the adapter.

Table 4. Required information to install the adapter

| Required information | Description | Value |
|---|---|---|
| Tivoli Directory Integrator Home Directory | The ITDI_HOME directory contains the jars/connectors subdirectory that contains adapter jars. | If Tivoli Directory Integrator version 7.1 is automatically installed, the default directory path depends on the operating system. Windows: drive\Program Files\IBM\TDI\V7.1; UNIX: /opt/IBM/TDI/V7.1 |
| Solution Directory | When you install the dispatcher, the adapter prompts you to specify a file path for the solution directory. For more information about the solution directory, see the Dispatcher Installation and Configuration Guide. | The default solution directory for version 7.1 depends on the operating system. Windows: drive\Program Files\IBM\TDI\V7.1\timsol; UNIX: /opt/IBM/TDI/V7.1/timsol |

Software download for the adapter

Download the software through your account at the IBM Passport Advantage website.

Go to IBM Passport Advantage.

See the IBM Security Identity Manager Download Document for instructions.

Note: You can also obtain additional adapter information from IBM Support.


Chapter 3. Adapter installation

All the Tivoli Directory Integrator-based adapters require the Dispatcher for the adapters to function correctly.

If the Dispatcher is installed from a previous installation, do not reinstall it unless there is an upgrade to the Dispatcher. See “Dispatcher installation verification.”

After verifying the Dispatcher installation, you might need to install the Tivoli Directory Integrator connector. Depending on your adapter, the connector might already be installed as part of the Tivoli Directory Integrator product and no further action is required.

Dispatcher installation verification

If this installation is the first Tivoli Directory Integrator-based adapter installation, you must install the Dispatcher before you install the adapter.

You must install the dispatcher on the same Tivoli Directory Integrator server where you want to install the adapter.

Obtain the dispatcher installer from the IBM Passport Advantage website, http://ww.ibm.com/software/howtobuy/passportadvantage/pao_customers.htm. For information about Dispatcher installation, see the Dispatcher Installation and Configuration Guide.

Installing the adapter

The IBM i Adapter uses the Tivoli Directory Integrator LDAP connector. This connector is available with the base Tivoli Directory Integrator product.

About this task

Make sure that the Dispatcher is installed. For more information, see “Dispatcher installation verification.”

Procedure
• Import the adapter profile. See “Importing the adapter profile into the IBM Security Identity Manager server” on page 10.
• Create a user account for the adapter on IBM Security Identity Manager. See “Adapter user account creation” on page 11.

Adapter service start, stop, and restart

To start, stop, or restart the adapter, you must start, stop, or restart the Dispatcher.

The adapter does not exist as an independent service or a process. The adapter is added to the Dispatcher instance, which runs all the adapters that are installed on the same Tivoli Directory Integrator instance.

See the topic about starting, stopping, and restarting the dispatcher service in the Dispatcher Installation and Configuration Guide.


Importing the adapter profile into the IBM Security Identity Manager server

Use the profile to create an adapter service on IBM Security Identity Manager server and establish communication with the adapter.

About this task

An adapter profile defines the types of resources that the IBM Security Identity Manager server can manage. Before you can create an adapter service, the IBM Security Identity Manager server must have an adapter profile to recognize the adapter. The files that are packaged with the adapter include the adapter profile JAR file. You can import the adapter profile as a service profile on the server with the Import feature of IBM Security Identity Manager.

The JAR file includes all the files that are required to define the adapter schema, account form, service form, and profile properties. You can extract the files from the JAR file to modify the necessary files and package the JAR file with the updated files.

Before you begin to import the adapter profile, verify that the following conditions are met:
• The IBM Security Identity Manager server is installed and running.
• You have root or Administrator authority on IBM Security Identity Manager.

Procedure
1. Log on to the IBM Security Identity Manager server by using an account that has the authority to perform administrative tasks.
2. In the My Work pane, expand Configure System and click Manage Service Types.
3. On the Manage Service Types page, click Import to display the Import Service Types page.
4. Specify the location of the JAR file in the Service Definition File field by doing one of the following tasks:
   • Type the complete location of where the file is stored.
   • Use Browse to navigate to the file.
5. Click OK.

What to do next

Note:
• When you import the adapter profile and if you receive an error related to the schema, see the trace.log file for information about the error. The trace.log file location is specified by using the handler.file.fileDir property defined in the IBM Security Identity Manager enRoleLogging.properties file. The enRoleLogging.properties file is installed in the ITIM_HOME\data directory.
• Restart IBM Security Identity Manager for the change to take effect.


Adapter profile installation verification

After you install the adapter profile, verify that the installation was successful.

An unsuccessful installation:
• Might cause the adapter to function incorrectly.
• Prevents you from creating a service with the adapter profile.

To verify that the adapter profile is successfully installed, create a service with the adapter profile. For more information about creating a service, see “Creating a service” on page 12.

If you are unable to create a service using the adapter profile or open an account on the service, the adapter profile is not installed correctly. You must import the adapter profile again.

Adapter user account creation

You must create a user account for the adapter on the managed resource. You must provide the account information when you create a service.

For more information about creating a service, see “Creating a service” on page 12.

Ensure that the account has sufficient privileges to administer the IBM i users.

Configuring the Directory Server

The LDAP Directory Server is part of the IBM i operating system. By default, the directory server is configured to start a non-secured service automatically.

About this task

For additional customization, you must install and use the iSeries Navigator software. For specific instructions about installing the software, see the EzSetup CD included with the operating system bundle.

Note: When you install the iSeries Navigator software on your system, you must install all features. The typical installation option does not install the Network feature.

To start the Directory Server Configuration wizard:

Procedure
1. Locate the connection to the iSeries system. If a connection does not exist, you must create a connection.
2. Expand the Network folder for the system.
3. Expand Servers.
4. Click TCP/IP.
5. Right-click IBM Directory service, and select Properties.
6. Ensure that the Start server when TCP is started check box is checked.


7. From the Database/Suffixes window, locate the System Objects Suffix field. For example, the value typed in this field might be os400-sys=MY400.IBM.COM. This information is needed to create the IBM i service. See “Creating a service.”
8. Ensure that the Allow system object updates check box is checked.
9. Click the Network tab. In the Connections to allow field, locate the ports used for the directory server. The default port for a non-secured connection is 389 and the default port for a secure connection is 636. Ensure that Server Authentication is selected.

   Note:
   • The SSL Directory service is not enabled until a certificate is assigned to the service. See Appendix B, “Configuring certificates for one-way SSL authentication,” on page 37 for more information about SSL authentication.
   • If your system is being used as a Lotus® Notes® Domino® LDAP server, ensure that you specify different port numbers so that each server has unique ports for SSL and non-SSL services.

10. Click OK.
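
The System Objects Suffix from step 7 and the ports from step 9 are later typed by hand into the service form as the User container Base DN, the ldap://ip-address:port URL, and the SSL check box. The Python check below is an added example, not part of the IBM guide or the adapter; its class and function names are hypothetical, the sample values are constructed from the guide's MY400.IBM.COM example, and it assumes (from the guide's sample DNs) that the Base DN sits below the System Objects Suffix.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class DirectoryServer:
    """Values read from the IBM Directory service Properties dialog (steps 7 and 9)."""
    system_objects_suffix: str            # for example os400-sys=MY400.IBM.COM
    non_secure_port: int = 389            # default named in step 9
    secure_port: int = 636                # default named in step 9
    certificate_assigned: bool = False    # SSL service is disabled until this is True
    other_ldap_ports: tuple = ()          # ports of another LDAP server on the system


@dataclass
class ServiceForm:
    """Directory-related fields entered later on the service form."""
    url: str          # ldap://ip-address:port
    base_dn: str      # User container Base DN
    use_ssl: bool     # "Use SSL communication with LDAP" check box


def normalize_dn(dn):
    # Simplification: case-insensitive compare, no support for escaped commas.
    return ",".join(part.strip().lower() for part in dn.split(","))


def check(ds, form):
    """Return (severity, message) findings; no 'error' entry means consistent."""
    findings = []
    suffix = normalize_dn(ds.system_objects_suffix)
    if not suffix.startswith("os400-sys=") or len(suffix) == len("os400-sys="):
        findings.append(("error", "suffix is not of the form os400-sys=<system>"))
    if ds.non_secure_port == ds.secure_port:
        findings.append(("error", "secure and non-secured services share one port"))
    clash = sorted({ds.non_secure_port, ds.secure_port} & set(ds.other_ldap_ports))
    if clash:
        findings.append(("error", f"ports {clash} are also used by another LDAP server"))

    # Assumption taken from the guide's examples: cn=accounts,<System Objects Suffix>.
    if not normalize_dn(form.base_dn).endswith("," + suffix):
        findings.append(("error", "Base DN is not below the System Objects Suffix"))

    try:
        parts = urlsplit(form.url)
        port = parts.port                 # raises ValueError on a malformed port
    except ValueError:
        parts, port = None, None
    if parts is None or parts.scheme != "ldap" or not parts.hostname or port is None:
        findings.append(("error", "URL does not match ldap://ip-address:port"))
        return findings

    if form.use_ssl:
        if port != ds.secure_port:
            findings.append(("error", f"SSL is selected but port {port} is not "
                                      f"the secure port {ds.secure_port}"))
        if not ds.certificate_assigned:
            findings.append(("error", "SSL is selected but no certificate is "
                                      "assigned to the directory service"))
    elif port == ds.secure_port:
        findings.append(("error", f"port {port} is the secure port but SSL is not selected"))
    elif port != ds.non_secure_port:
        findings.append(("error", f"port {port} is not a configured directory server port"))
    else:
        findings.append(("warning", "non-secured LDAP: traffic to the directory "
                                    "server is not encrypted"))
    return findings


if __name__ == "__main__":
    # Constructed sample: default ports, no certificate assigned yet.
    server = DirectoryServer("os400-sys=MY400.IBM.COM")
    form = ServiceForm("ldap://my400.ibm.com:636",
                       "cn=accounts,os400-sys=MY400.IBM.COM", use_ssl=True)
    for severity, message in check(server, form):
        print(f"{severity}: {message}")
```
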

Creating a service

After the adapter profile is imported on IBM Security Identity Manager, you must create a service so that IBM Security Identity Manager can communicate with the adapter.

About this task

To create or change a service, you must use the service form to provide information for the service. Service forms might vary depending on the adapter.

Procedure
1. Log on to the IBM Security Identity Manager server with an account that has the authority to perform administrative tasks.
2. In the My Work pane, click Manage Services and click Create.
3. On the Select the Type of Service page, select IDI OS400 Profile.
4. Click Next to display the adapter service form.
5. Complete the following fields on the service form:

   Service Name
       Specify a name that defines the adapter service on the IBM Security Identity Manager server.

       Note: Do not use forward (/) or backward slashes (\) in the service name.

   Description
       Optional: Specify a description that identifies the service for your environment.

   IBM Tivoli Directory Integrator location
       Optional: Specify the URL for the Tivoli Directory Integrator instance. The valid syntax for the URL is rmi://ip-address:port/ITDIDispatcher, where ip-address is the Tivoli Directory Integrator host and port is the port number for the RMI Dispatcher. The default URL is rmi://localhost:1099/ITDIDispatcher


  For information about changing the port number, see the IBM Security Dispatcher Installation and Configuration Guide.

URL
  Specify the location and port number of the directory server on the IBM i system. Valid syntax is ldap://ip-address:port, where ip-address is the IBM i server host and port is the IBM i LDAP port number. For example, you might specify the URL as ldap://irvas02.eng.irvine.ibm.com:389. See “Configuring the Directory Server” on page 11 for information about setting the LDAP port.

Administrator name
  Specify the iSeries User ID. The user profile must have *SECADM, *ALLOBJ special authorities.

Password
  Specify the password for the administrator name.

User container Base DN
  Specify the distinguished name (DN) of the container or base point where the user profiles are stored. The adapter creates new users under this DN. Also, search operations return user account entries under this DN. For example, you might specify the DN as cn=accounts,os400-sys=irvas02.eng.irvine.ibm.com. For more information about setting the Base DN value for the target iSeries system, see “Configuring the Directory Server” on page 11.

Use SSL communication with LDAP
  This check box is used to specify whether SSL authentication is to be used between Tivoli Directory Integrator and the IBM i Directory Server. For more information about SSL authentication, see Appendix B, “Configuring certificates for one-way SSL authentication,” on page 37.

Value of OWNOBJOPT parm for delete
  Specify the type of operations that are being done on the owned objects of the user profile that is being deleted. This field is a text field and can be one of the following values:

  *NODLT
    If the user owns any objects other than the message queue associated with the user profile, the owned objects for the user profile do not change. The user profile is not deleted. If the user owns only the message queue associated with the profile, then the message queue and the profile are deleted.

  *DLT
    The objects owned by the user profile are deleted. If the deletion of the objects is successful, the user enrollment information is removed from OfficeVision*.

  *CHGOWN username
    The owned objects for the user profile have ownership transferred to the user profile specified in username. If the transfer of all owned objects is successful, the user profile is deleted.

Disable AL Caching
  Select the check box to disable the assembly line caching in the dispatcher for the service. The assembly lines for the add, modify, delete, and test operations are not cached.

AL FileSystem Path
  Specify the file path from where the dispatcher loads the assembly lines. If you do not specify a file path, the dispatcher loads the assembly lines received from IBM Security Identity Manager. For example, you can specify the following file path to load the assembly lines from the profiles directory of the Windows operating system: drive:\Program Files\IBM\TDI\V7.0\profiles or you can specify the following file path to load the assembly lines from the profiles directory of the UNIX and Linux operating system: /opt/IBM/TDI/V7.0/profiles

Max Connection Count
  Specify the maximum number of assembly lines that the dispatcher can run simultaneously for the service. For example, enter 10 when you want the dispatcher to run a maximum of 10 assembly lines simultaneously for the service. If you enter 0 in the Max Connection Count field, the dispatcher does not limit the number of assembly lines that are run simultaneously for the service.

On the Status and information tab
  This page contains read only information about the adapter and managed resource. These fields are examples. The actual fields vary depending on the type of adapter and how the service form is configured. The adapter must be running to obtain the information. Click Test Connection to populate the fields.

  Last status update: Date
    Specifies the most recent date when the Status and information tab was updated.

  Last status update: Time
    Specifies the most recent time of the date when the Status and information tab was updated.

  Managed resource status
    Specifies the status of the managed resource that the adapter is connected to.

  Adapter version
    Specifies the version of the adapter that the IBM Security Identity Manager service uses to provision requests to the managed resource.

  Profile version
    Specifies the version of the profile that is installed in the IBM Security Identity Manager server.

  TDI version
    Specifies the version of the Tivoli Directory Integrator on which the adapter is deployed.

  Dispatcher version
    Specifies the version of the Dispatcher.

  Installation platform
    Specifies summary information about the operating system where the adapter is installed.

  Adapter account
    Specifies the account that runs the adapter binary file.

  Adapter up time: Date
    Specifies the date when the adapter started.

  Adapter up time: Time
    Specifies the time of the date when the adapter started.

  Adapter memory usage
    Specifies the memory usage for running the adapter.

  If the connection fails, follow the instructions in the error message. Also:
  - Verify the adapter log to ensure that the IBM Security Identity Manager test request was successfully sent to the adapter.
  - Verify the adapter configuration information.
  - Verify IBM Security Identity Manager service parameters for the adapter profile. For example, verify the work station name or the IP address of the managed resource and the port.

6. Click Finish.

Note: If the following fields on the service form are changed for an existing service, restart the IBM Security Identity Manager Adapter service on the Tivoli Directory Integrator server.
- User container Base DN
- Use SSL communication with LDAP
- Value of OWNOBJOPT parm for delete
- Max Connection Count
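The field rules above can be checked before the values are typed into the service form. The following is an added example, not code from the guide or from IBM: it assumes the form values are held in a dictionary keyed by the field labels, and the function names (check_url, validate_service_form, restart_required) are hypothetical.

```python
from urllib.parse import urlsplit

# Fields that, when changed on an existing service, require a restart of the
# adapter service on the Tivoli Directory Integrator server (per the note above).
RESTART_FIELDS = (
    "User container Base DN",
    "Use SSL communication with LDAP",
    "Value of OWNOBJOPT parm for delete",
    "Max Connection Count",
)


def check_url(value, scheme, allowed_paths):
    """Return None when value is scheme://host:port with an allowed path, else a reason."""
    try:
        parts = urlsplit(value)
        port = parts.port  # raises ValueError for a non-numeric or out-of-range port
    except ValueError:
        return "port is not a valid number"
    if parts.scheme != scheme:
        return f"must start with {scheme}://"
    if not parts.hostname:
        return "host is missing"
    if not port:
        return "port is missing"
    if parts.path not in allowed_paths:
        return f"unexpected path {parts.path!r}"
    return None


def validate_service_form(form):
    """Check a dict keyed by the service form labels; return (errors, warnings)."""
    errors, warnings = [], []

    name = form.get("Service Name", "")
    if not name.strip():
        errors.append("Service Name: required")
    elif "/" in name or "\\" in name:
        errors.append("Service Name: must not contain forward or backward slashes")

    tdi = form.get("IBM Tivoli Directory Integrator location", "")
    if tdi:  # optional field; the default is rmi://localhost:1099/ITDIDispatcher
        reason = check_url(tdi, "rmi", {"/ITDIDispatcher"})
        if reason:
            errors.append(f"IBM Tivoli Directory Integrator location: {reason}")

    reason = check_url(form.get("URL", ""), "ldap", {"", "/"})
    if reason:
        errors.append(f"URL: {reason}")

    for label in ("Administrator name", "Password", "User container Base DN"):
        if not form.get(label, "").strip():
            errors.append(f"{label}: required")

    if not form.get("Use SSL communication with LDAP", False):
        warnings.append("Use SSL communication with LDAP: cleared, so the connection to "
                        "the IBM i Directory Server is not protected by SSL")

    own = form.get("Value of OWNOBJOPT parm for delete", "").split()
    if own == ["*DLT"]:
        warnings.append("Value of OWNOBJOPT parm for delete: *DLT deletes the objects "
                        "owned by the user profile")
    elif own and own != ["*NODLT"] and not (len(own) == 2 and own[0] == "*CHGOWN"):
        errors.append("Value of OWNOBJOPT parm for delete: expected *NODLT, *DLT, "
                      "or *CHGOWN username")

    raw = str(form.get("Max Connection Count", "")).strip()
    if raw:
        if not raw.isdigit():
            errors.append("Max Connection Count: must be a non-negative integer")
        elif int(raw) == 0:
            warnings.append("Max Connection Count: 0 leaves the number of simultaneous "
                            "assembly lines unlimited")
    return errors, warnings


def restart_required(old_form, new_form):
    """Return the changed fields that require an adapter service restart."""
    return [f for f in RESTART_FIELDS if old_form.get(f) != new_form.get(f)]


# Constructed sample values; the host name and DN are the examples given in the guide.
SAMPLE = {
    "Service Name": "IBM i production",
    "IBM Tivoli Directory Integrator location": "rmi://localhost:1099/ITDIDispatcher",
    "URL": "ldap://irvas02.eng.irvine.ibm.com:389",
    "Administrator name": "ADMINUSER",
    "Password": "constructed-placeholder",
    "User container Base DN": "cn=accounts,os400-sys=irvas02.eng.irvine.ibm.com",
    "Use SSL communication with LDAP": True,
    "Value of OWNOBJOPT parm for delete": "*NODLT",
    "Max Connection Count": "10",
}

if __name__ == "__main__":
    print(validate_service_form(SAMPLE))
```
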

Chapter 4. First steps after installation

After you install the adapter, you must perform several other tasks. The tasks include configuring the adapter, setting up SSL, installing the language pack, and verifying the adapter works correctly.

Adapter configuration

Use these options to configure the IBM i Adapter.
- “Customizing the adapter profile”
- “Specifying the format for date, date separator, and time separator” on page 18
- “Editing adapter profiles on the UNIX or Linux operating system” on page 19

See the IBM Security Dispatcher Installation and Configuration Guide for additional configuration options such as:
- JVM properties
- Dispatcher filtering
- Dispatcher properties
- Dispatcher port number
- Logging configurations
- Secure Sockets Layer (SSL) communication

Customizing the adapter profile

To customize the adapter profile, you must modify the IBM i Adapter JAR file, IDIOS400profile.jar. You might customize the adapter profile to change the account form or the service form.

About this task

The IDIOS400profile.jar file is included in the IBM i Adapter compressed file that you downloaded from the IBM website. The JAR file contains the following files:
- CustomLabels.properties
- er IDIOS400Account.xml
- er IDIOS400RMIService.xml
- service.def
- schema.dsml
- IDIOS400AL.xml
- IDIOS400Add.xml
- IDIOS400Delete.xml
- IDIOS400Modify.xml
- IDIOS400Search.xml
- IDIOS400Test.xml

Note: You cannot modify the schema for this adapter. Attributes cannot be added to or deleted from the schema.

To edit the JAR file, complete these steps:

1. Log on to the workstation where the IBM i Adapter is installed.
2. Copy the JAR file into a temporary directory.
3. Extract the contents of the JAR file into the temporary directory by running the following command. The following example applies to the IBM i Adapter profile. Type the name of the JAR file for your operating system.
   # cd /tmp
   # jar -xvf IDIOS400profile.jar
   The jar command extracts the files into the IDIOS400profile directory.
4. Edit the file that you want to change.

After you edit the file, you must import the file into the IBM Security Identity Manager server for the changes to take effect.

To import the file, perform these steps:
1. Create a JAR file by using the files in the /tmp directory by running the following commands:
   # cd /tmp
   # jar -cvf IDIOS400profile.jar IDIOS400profile
2. Import the JAR file into the IBM Security Identity Manager application server. For more information about importing the JAR file, see “Importing the adapter profile into the IBM Security Identity Manager server” on page 10.
3. Stop and start the IBM Security Identity Manager server.
4. Stop and start the IBM i Adapter service. See “Adapter service start, stop, and restart” on page 9 for information about stopping and starting the IBM i Adapter service.

Specifying the format for date, date separator, and time separator

You can specify how you want to have the time and date displayed by the adapter.

About this task

The IBM i supports the following format for date, date separator, and time separator:
- Date format = YMD, MDY, DMY, and julian
- Date separator = / , . -
- Time separator = : ,

The adapter uses the following formats as default format:
- Date format = YMD
- Date separator = /
- Time separator = :

If the format used by the adapter and the resource format is the same, then customization is not required. However, if the format is different, you can customize the service profile.

Note: The adapter does not support the Julian date format.

Procedure

1. Log on to IBM Security Identity Manager as an administrator.

2. In the My Work pane, expand Configure System and click Design Forms to display the Design Forms page.
3. From the applet, double-click Service to display the service form profiles.
4. Double-click the service form profile that has the service form you want to customize.
5. From the Attributes List window, double-click the eros400dateformat, eros400dateseparator, and eros400timeseparator attributes to add them to the service form.
6. Click the Save Form Template icon.

Editing adapter profiles on the UNIX or Linux operating system

The adapter profile .jar file might contain ASCII files that are created by using the MS-DOS ASCII format.

About this task

If you edit an MS-DOS ASCII file on the UNIX operating system, you might see a character ^M at the end of each line. These characters indicate new lines of text in MS-DOS. The characters can interfere with the running of the file on UNIX or Linux systems. You can use tools, such as dos2unix, to remove the ^M characters. You can also use text editors, such as the vi editor, to remove the characters manually.

Example

You can use the vi editor to remove the ^M characters. From the vi command mode, run the following command and press Enter:
   :%s/^M//g

When you use this command, enter ^M or Ctrl-M by pressing ^v^M or Ctrl V Ctrl M sequentially. The ^v instructs the vi editor to use the next keystroke instead of issuing it as command.
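Before an edited profile is imported, it can be reviewed against the original JAR for the two conditions described above: the schema must be unchanged, and text files should no longer carry MS-DOS line endings. The following is an added example, not part of the guide or of the adapter. The function names are hypothetical, the file contents are constructed placeholders, and it assumes members sit under the IDIOS400profile directory as produced by the jar commands above.

```python
import io
import zipfile

TEXT_SUFFIXES = (".xml", ".def", ".dsml", ".properties")


def build_jar(files):
    """Build an in-memory JAR (a ZIP archive) from {member name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        for name, data in files.items():
            jar.writestr(name, data)
    return buf.getvalue()


def read_members(jar_bytes):
    """Return {member name: bytes} for every file in the JAR."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return {i.filename: jar.read(i) for i in jar.infolist() if not i.is_dir()}


def profile_files(jar_bytes):
    """Profile members only; META-INF is skipped because the jar tool writes it."""
    return {n: d for n, d in read_members(jar_bytes).items()
            if not n.startswith("META-INF/")}


def unix_text(data):
    """Drop the carriage return of each CRLF pair (displayed as ^M in vi)."""
    return data.replace(b"\r\n", b"\n")


def review_profile(original_jar, edited_jar):
    """Return (kind, member) findings for an edited profile JAR before import."""
    before, after = profile_files(original_jar), profile_files(edited_jar)
    findings = [("missing", n) for n in sorted(before.keys() - after.keys())]
    findings += [("added", n) for n in sorted(after.keys() - before.keys())]
    for name in sorted(before.keys() & after.keys()):
        # Compare content with line endings normalized, so a dos2unix run
        # alone is not reported as an edit.
        if unix_text(before[name]) != unix_text(after[name]):
            is_schema = name.rsplit("/", 1)[-1] == "schema.dsml"
            findings.append(("schema-modified" if is_schema else "changed", name))
    for name in sorted(after):
        if name.endswith(TEXT_SUFFIXES) and b"\r\n" in after[name]:
            findings.append(("crlf", name))
    return findings


def normalize_jar(jar_bytes):
    """Return a copy of the JAR with CRLF converted to LF in its text members."""
    return build_jar({n: unix_text(d) if n.endswith(TEXT_SUFFIXES) else d
                      for n, d in read_members(jar_bytes).items()})


# Constructed placeholder contents, not the real profile files.
ORIGINAL_JAR = build_jar({
    "IDIOS400profile/schema.dsml": b"<dsml>\r\n<!-- placeholder -->\r\n</dsml>\r\n",
    "IDIOS400profile/service.def": b"<service>\r\n</service>\r\n",
    "IDIOS400profile/CustomLabels.properties": b"label=Old\r\n",
})
EDITED_JAR = build_jar({
    "IDIOS400profile/schema.dsml": b"<dsml>\n<!-- placeholder -->\n<attribute/>\n</dsml>\n",
    "IDIOS400profile/service.def": b"<service>\r\n</service>\r\n",
    "IDIOS400profile/CustomLabels.properties": b"label=New\n",
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\r\n",
})

if __name__ == "__main__":
    for kind, member in review_profile(ORIGINAL_JAR, EDITED_JAR):
        print(f"{kind:16} {member}")
```

A schema-modified finding means the edit must be reverted before import, because the schema for this adapter cannot be changed.
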

Password management when restoring accounts

When an account is restored from being previously suspended, you are prompted to supply a new password for the reinstated account. However, in some cases you might not want to supply a new password.

When IBM Tivoli Directory Server is used to restore accounts, you are always prompted to enter the new password. But when Sun Java System Directory Server is used to restore an account, you are not required to enter a new password. For IBM i Adapter, the password requirement to restore an account on the directory server falls into two categories: allowed and required.

How each restore action interacts with its corresponding managed resource depends on either the managed resource, or the business processes that you implement. Certain resources reject a password when a request is made to restore an account. In this case, you can configure IBM Security Identity Manager to forego the new password requirement. You can set the IBM i Adapter to require a new password when the account is restored, if your company has a business process in place that dictates that the account restoration process must be accompanied by resetting the password.

In the service.def file, you can define whether a password is required as a new protocol option. When you import the adapter profile, if an option is not specified, the adapter profile importer determines the correct restoration password behavior from the schema.dsml. Adapter profile components also enable remote services to find out if you discard a password that is entered by the user in a situation where multiple accounts on disparate resources are being restored. In this situation, only some of the accounts being restored might require a password. Remote services discard the password from the restore action for those managed resources that do not require them.

Edit the service.def file to add the new protocol options, for example:

   <property name = "com.ibm.itim.remoteservices.ResourceProperties.PASSWORD_NOT_REQUIRED_ON_RESTORE"><value>true</value></property>
   <property name = "com.ibm.itim.remoteservices.ResourceProperties.PASSWORD_NOT_ALLOWED_ON_RESTORE"><value>false</value></property>

By adding the two options in the example above, you are ensuring that you are not prompted for a password when an account is restored.

Note: Before you set the property password_not_required_on_restore to true, ensure that the operating system supports restoring of an account without a password.

Language pack installation

The adapters use the same language package as IBM Security Identity Manager.

See the IBM Security Identity Manager library and search for information about installing language packs.

Verifying that the adapter is working correctly

After you install and configure the adapter, take steps to verify that the installation and configuration are correct.

Procedure

1. Test the connection for the service that you created on IBM Security Identity Manager.
2. Run a full reconciliation from IBM Security Identity Manager.
3. Run all supported operations such as add, modify, and delete on one user account.
4. Verify the ibmdi.log file after each operation to ensure that no errors are reported.
5. Verify the IBM Security Identity Manager log file trace.log to ensure that no errors are reported when you run an adapter operation.

Chapter 5. Adapter error troubleshooting

Troubleshooting can help you determine why a product does not function properly.

These topics provide information and techniques for identifying and resolving problems with the adapter. They also provide information about troubleshooting errors that might occur during the adapter installation.

Techniques for troubleshooting problems

Troubleshooting is a systematic approach to solving a problem. The goal of troubleshooting is to determine why something does not work as expected and how to resolve the problem. Certain common techniques can help with the task of troubleshooting.

The first step in the troubleshooting process is to describe the problem completely. Problem descriptions help you and the IBM technical-support representative know where to start to find the cause of the problem. This step includes asking yourself basic questions:
- What are the symptoms of the problem?
- Where does the problem occur?
- When does the problem occur?
- Under which conditions does the problem occur?
- Can the problem be reproduced?

The answers to these questions typically lead to a good description of the problem, which can then lead you to a problem resolution.

What are the symptoms of the problem?

When starting to describe a problem, the most obvious question is “What is the problem?” This question might seem straightforward; however, you can break it down into several more-focused questions that create a more descriptive picture of the problem. These questions can include:
- Who, or what, is reporting the problem?
- What are the error codes and messages?
- How does the system fail? For example, is it a loop, hang, crash, performance degradation, or incorrect result?

Where does the problem occur?

Determining where the problem originates is not always easy, but it is one of the most important steps in resolving a problem. Many layers of technology can exist between the reporting and failing components. Networks, disks, and drivers are only a few of the components to consider when you are investigating problems.

The following questions help you to focus on where the problem occurs to isolate the problem layer:
- Is the problem specific to one platform or operating system, or is it common across multiple platforms or operating systems?
- Is the current environment and configuration supported?
- Do all users have the problem?
- (For multi-site installations.) Do all sites have the problem?

If one layer reports the problem, the problem does not necessarily originate in that layer. Part of identifying where a problem originates is understanding the environment in which it exists. Take some time to completely describe the problem environment, including the operating system and version, all corresponding software and versions, and hardware information. Confirm that you are running within an environment that is a supported configuration; many problems can be traced back to incompatible levels of software that are not intended to run together or have not been fully tested together.

When does the problem occur?

Develop a detailed timeline of events leading up to a failure, especially for those cases that are one-time occurrences. You can most easily develop a timeline by working backward: Start at the time an error was reported (as precisely as possible, even down to the millisecond), and work backward through the available logs and information. Typically, you need to look only as far as the first suspicious event that you find in a diagnostic log.

To develop a detailed timeline of events, answer these questions:
- Does the problem happen only at a certain time of day or night?
- How often does the problem happen?
- What sequence of events leads up to the time that the problem is reported?
- Does the problem happen after an environment change, such as upgrading or installing software or hardware?

Responding to these types of questions can give you a frame of reference in which to investigate the problem.

Under which conditions does the problem occur?

Knowing which systems and applications are running at the time that a problem occurs is an important part of troubleshooting. These questions about your environment can help you to identify the root cause of the problem:
- Does the problem always occur when the same task is being performed?
- Does a certain sequence of events need to happen for the problem to occur?
- Do any other applications fail at the same time?

Answering these types of questions can help you explain the environment in which the problem occurs and correlate any dependencies. Remember that just because multiple problems might have occurred around the same time, the problems are not necessarily related.

Can the problem be reproduced?

From a troubleshooting standpoint, the ideal problem is one that can be reproduced. Typically, when a problem can be reproduced you have a larger set of tools or procedures at your disposal to help you investigate. Consequently, problems that you can reproduce are often easier to debug and solve.

However, problems that you can reproduce can have a disadvantage: If the problem is of significant business impact, you do not want it to recur. If possible, re-create the problem in a test or development environment, which typically offers you more flexibility and control during your investigation.
- Can the problem be re-created on a test system?
- Are multiple users or applications encountering the same type of problem?
- Can the problem be re-created by running a single command, a set of commands, or a particular application?

For information about obtaining support, see Appendix D, “Support information,” on page 43.

Warning and error messages

A warning or error might be displayed in the user interface to provide information that you must know about the adapter or when an error occurs.

Table 5 contains warnings or errors which might be displayed in the user interface.

Table 5. Warning and error messages

Warning or error message: No login or an invalid credential was supplied in the request.
Corrective action: The adapter cannot bind to a naming context or is unable to initialize because invalid credentials were provided. To fix this problem, ensure that:
- The managed resource is functioning properly and that you are connected to the correct resource.
- The naming context is correct if the naming context is customized.
- The administrator ID specified on the service form is correct.
- The administrator password specified on the service form is correct.

Warning or error message: An error occurred while establishing communication with the IBM Tivoli Directory Integrator server.
Corrective action: IBM Security Identity Manager cannot establish a connection with Tivoli Directory Integrator server. To fix this problem, ensure that:
- The Tivoli Directory Integrator server is running
- The URL specified on the service form for the Tivoli Directory Integrator server is correct.

Warning or error message: Insufficient 'add' privilege.
Corrective action: The administrator ID that is specified on the service form does not have privileges to add a user under the base DN. You must change the administrator ID to an administrator ID that has the correct privileges or assign privileges for the specified administrator ID.

Warning or error message: User Already Exists or exception:javax.naming.NameAlreadyBoundException.
Corrective action: The user has already been added to the resource. This error might occur if you are attempting to add a user to the directory server and IBM Security Identity Manager is not synchronized with the resource. To fix this problem, schedule a reconciliation between IBM Security Identity Manager and the resource. See the online help for information about scheduling a reconciliation.

Warning or error message: Unknown Error while adding user on resource.
Corrective action: This error might occur for several reasons. To fix this problem, ensure that:
- The administrator ID specified on the service form is correct.
- The administrator password specified on the service form is correct.
- The base point is correct, if it is customized.
- The administrator ID has the correct privileges to modify a user account under the base DN.
- The network connection is not slow.

Warning or error message: Cannot add user to specific group.
Corrective action: If you cannot add a user to a group, ensure that the specified group was created on the resource.

Warning or error message: User not found.
Corrective action: This error might occur when you attempt to add, modify, delete, or search for a user. This error might also occur if you attempt to change the password for a user. To fix the problem, ensure that:
- The server that is specified for the adapter is correct.
- The administrator ID specified on the service form is correct.
- The administrator password specified on the service form is correct.
- The base point is correct, if it is customized.
If the error continues to occur, check to ensure that
- The user was created on the directory server.
- The user was not moved or deleted from the directory server.
To fix the problem, add the user to the directory server and then schedule a reconciliation. See the online help for information about scheduling a reconciliation.

Warning or error message: Unknown error while modifying user on resource.
Corrective action: This error might occur for several reasons. To fix this problem, ensure that:
- The administrator ID specified on the service form is correct.
- The administrator password specified on the service form is correct.
- The base point is correct, if it is customized.
- The administrator ID has the correct privileges to modify a user account under the base DN.
- The network connection is not slow.

Warning or error message: Error adding user to group.
Corrective action: If you cannot add a user to a group, ensure that
- The user was created on the resource.
- The user is not already a member of the group.
- The group was created on the resource.
If the user does not exist on the resource, you must create the user. If a user is already a member of a group, you cannot add the user to the group. If the group does not exist on the resource, you must add the group to the resource before you can add a user to the group. See the online help for information about creating groups or adding users to groups.

Warning or error message: Insufficient 'delete' privilege.
Corrective action: The administrator ID that is specified on the service form does not have privileges to delete a user under the base DN. You must change the administrator ID to an administrator ID that has the correct privileges or assign privileges for the specified administrator ID.

Warning or error message: Search failed.
Corrective action: This error might occur for several reasons. To fix the problem, ensure that:
- The network connection is not slow.
- The resource is not overloaded with network traffic.
- The Tivoli Directory Integrator server has sufficient memory, if you have a large number of users and groups.

Chapter 6. Upgrade of the adapter

The adapter is upgraded by installing the new version of the adapter.

Upgrading the adapter might also involve tasks, such as upgrading the connector, the dispatcher, and the existing adapter profile. To verify the required version of these adapter components, see the adapter release notes. For the installation steps, see Chapter 3, “Adapter installation,” on page 9.

Upgrade of the adapter profile

Read the adapter release notes for any specific instructions before importing a new adapter profile on IBM Security Identity Manager.

For more information, see “Importing the adapter profile into the IBM Security Identity Manager server” on page 10.

Note: Restart the dispatcher service after importing the profile. Restarting the dispatcher clears the assembly lines cache and ensures that the dispatcher runs the assembly lines from the updated adapter profile.

Chapter 7. Uninstallation of the adapter

To completely uninstall the adapter, remove the adapter profile from the IBM Security Identity Manager server.

Before removing the adapter profile ensure that no objects exist on your IBM Security Identity Manager server that reference the adapter profile.

Examples of objects on the IBM Security Identity Manager server that can reference the adapter profile are:
- Adapter service instances
- Policies referencing an adapter instance or the profile
- Accounts

For specific information on how to remove the adapter profile, see the online help or the IBM Security Identity Manager product documentation.

Removal of the adapter profile from the IBM Security Identity Manager server

Before removing the adapter profile, ensure that no objects exist on your IBM Security Identity Manager server that reference the adapter profile.

Examples of objects on the IBM Security Identity Manager server that can reference the adapter profile are:
- Adapter service instances
- Policies referencing an adapter instance or the profile
- Accounts

For specific information about removing the adapter profile, see the IBM Security Identity Manager product documentation.

Chapter 8. Reinstallation of the adapter

There are no special considerations for reinstalling the adapter. You do not need to remove the adapter before reinstalling.

For more information, see Chapter 6, “Upgrade of the adapter,” on page 27.

Appendix A. Adapter attributes

The IBM Security Identity Manager server communicates with the IBM i Adapter using attributes that are included in transmission packets that are sent over a network.

The combination of attributes depends on the type of action that the IBM Security Identity Manager server requests from the IBM i Adapter. The following table lists the attributes that are used by the IBM i Adapter.

Table 6. Attributes, descriptions and permissions

| Attribute | Description | Permissions |
|---|---|---|
| erOS400AcctgCode | Specifies the accounting code. | Read and Write |
| erOS400AsstLevel | Specifies the assistance level. | Read and Write |
| erOS400AttnPgm | Specifies the attention program. | Read and Write |
| erOS400AuditLevel | Specifies the level of auditing. | Read |
| erOS400Aut | Specifies the type of authority. | Read and Write |
| erOS400CharIdCtrl | Specifies the character identifier control for the job. | Read and Write |
| erOS400CntryID | Specifies the country identifier. | Read and Write |
| erOS400CodedCharSetID | Specifies the coded character set identifier. | Read and Write |
| erOS400Curlib | Specifies the current library. | Read and Write |
| erOS400Delivery | Specifies the delivery type. | Read and Write |
| erOS400DispSgnOnData | Specifies to display the sign-on data at logon. | Read and Write |
| erOS400DocPwd | Specifies the document password. | Read and Write |
| erOS400Eimassoc | Specifies the user profile attribute specifically designed to aid in configuring Enterprise Identity Mapping (EIM). | Read |
| erOS400GroupAuth | Specifies the group authority. | Read and Write |
| erOS400GroupAuthType | Specifies the type of group authority. | Read and Write |
| erOS400GroupID | Specifies the group ID. | Read |
| erOS400GroupMembers | Displays the members of this group. | Read |
| erOS400GroupName | Specifies the name of the group. | Read |
| erOS400GroupProfile | Specifies the profile of the group. | Read and Write |
| erOS400HomeDir | Specifies the home directory. | Read and Write |
| erOS400IaspStorageInfo | Specifies the Iasp storage information. | Read |
| erOS400IaspStorageUsed | Specifies the amount of Iasp storage used. | Read |
| erOS400InitialMenu | Specifies the initial menu. | Read and Write |
| erOS400InitialPgm | Specifies the initial program. | Read and Write |
| erOS400JobDesc | Specifies the job description. | Read and Write |
| erOS400KeybrdBuff | Specifies to use keyboard buffering. | Read and Write |
| erOS400LangID | Specifies the language to use. | Read and Write |
| erOS400LimitCapabilities | Specifies to limit capabilities. | Read and Write |
| erOS400LimitDeviceSessions | Specifies to limit the number of device sessions. | Read and Write |
| erOS400Locale | Specifies the locale. | Read and Write |
| erOS400LocalPwdMgmt | Specifies to enable local password management. | Read |
| erOS400MaxStorage | Specifies the maximum amount of storage. | Read and Write |
| erOS400MessageQ | Specifies the message queue. | Read and Write |
| erOS400NumInvalidSignOn | Specifies the number of invalid signons. | Read |
| erOS400ObjAuditing | Specifies to enable object auditing. | Read |
| erOS400OutQ | Specifies the output queue. | Read and Write |
| erOS400Owner | Specifies the owner. | Read and Write |
| erOS400PrintDevice | Specifies the print device. | Read and Write |
| erOS400PriorityLimit | Specifies the priority limit. | Read and Write |
| erOS400PwdExpDate | Specifies the date that the password expires. | Read |
| erOS400PwdExpired | Specifies whether the password is expired. | Read and Write |
| erOS400PwdExpiredInterval | Specifies the time before a password expires. | Read and Write |
| erOS400PwdLastChanged | Specifies when the password was last changed. | Read |
| erOS400SetJobAttr | Specifies the job attributes to be taken from the locale. | Read and Write |
| erOS400SevCodeFilter | Specifies the severity code filter. | Read and Write |
| erOS400SortSeq | Specifies the sort sequence. | Read and Write |
| erOS400SpecialAuth | Specifies whether special authority is granted. | Read and Write |
| erOS400SpecialEnv | Specifies special environment. | Read and Write |
| erOS400StorageCurrUsed | Specifies the storage currently being used. | Read |
| erOS400SuppGroupProfile | Specifies the supplementary group profile. | Read and Write |
| erOS400Text | Specifies a description of the profile. | Read and Write |
| erOS400UID | Specifies the UID. | Read and Write |
| erOS400UserClass | Specifies the user class. | Read and Write |
| erOS400UserOptions | Specifies any user options. | Read and Write |
| erAccountStatus | Specifies whether the account is enabled or disabled. | Read and Write |
| erPassword | Specifies the password. | Read and Write |
| Eruid | Specifies the login name and user name. | Read and Write |


Appendix B. Configuring certificates for one-way SSL authentication

For secure communications, you must configure certificates for one-way SSL communication between IBM Tivoli Directory Integrator and the IBM i Directory Server.

About this task

You must configure the certificates for each iSeries system on which you want to use secure connectivity.

Note: The following steps apply to the IBM i V6R1 Digital Certificate Manager web page. If you are using the IBM i V7R1 Digital Certificate Manager web page, the navigation might be different, but the concept is the same.

Procedure

1. Sign on to the iSeries Digital Certificate Manager web page.
   a. Log on to the iSeries Tasks menu. Using a browser, enter:
      http://YouriSeriesServer:2001
      If the web page is not displayed, type the following command on the IBM i command line:
      STRTCPSVR *HTTP HTTPSVR(*ADMIN)
   b. Authenticate with an IBM i user ID and password.
      Note: The user profile must have *ALLOBJ and *SECADM special authorities.
   c. Click Digital Certificate Manager.

2. Create a certificate authority (CA).
   a. In the left menu of the Digital Certificate Manager, click Create a Certificate Authority (CA).
   b. Complete the form.
      Certificate store password
         Specifies your certificate password. Record this important information in a secure location for later use.
      Certificate Authority (CA) name
         Specifies the specific system. For example, irvas01.irvine.ibm.com.
      Note: If you need assistance with any of the other fields, click the help icon (?) in the upper right corner of the display.
   c. Click Continue.
      Note: Do not install the certificate now.
   d. Click Cancel to exit the menu.
   e. In the left menu of the Digital Certificate Manager, click Install Local CA certificate on your PC.
   f. Select Copy and paste certificate. A Base 64 encoded ASCII certificate file is displayed.
   g. Copy all the text from 'begin certificate' to 'end certificate'. Paste it to a text file on the workstation that is running the Tivoli Directory Integrator dispatcher service.
   h. Click OK.

3. Create a *SYSTEM certificate store (database).
   a. In the left menu of the Digital Certificate Manager, click Create New Certificate Store.
   b. Select Other System Certificate Store and click Continue.
   c. Select option No – Do not create certificates in the store.
   d. In the Certificate store path and filename field, enter the path and file name that you want to use for the new certificate store.
   e. Type the Certificate store password. Record this important information in a secure location for later use.
   f. Click Continue. The left pane of DCM is refreshed and the *SYSTEM store is created.
   g. Click OK.
   h. Click Cancel to exit out of the menu.

4. Define a CA trust list.
   a. Click Select Certificate Store.
   b. Select *SYSTEM and click Continue.
   c. Type the certificate store password and click Continue. The screen is refreshed.
   d. Click Manage Applications on the left menu.
   e. Select Define CA Trust List and click Continue.
      1) Select Server and click Continue.
      2) Select IBM Directory Server and click Define CA Trust List.
      3) Check the LOCAL_CERTIFICATE_AUTHORITY check box.
      4) Click OK.
   Repeat steps 4b through 4e for IBM Directory Server Publishing and IBM Directory Server Client, but select Client for step 4e1.

5. Create a CA Certificate in the *SYSTEM store.
   a. In the left menu of the Digital Certificate Manager, click Create Certificate.
   b. Select Server or client certificate and click Continue.
   c. Select Local Certificate Authority (CA) and click Continue.
   d. Fill out the form.
      Note: If you need assistance with any of the other fields, click the help icon (?) in the upper right corner of the display.
   e. Click Continue.

6. Associate applications with the CA certificate created in the previous step.
   a. Ensure that the components are marked to trust the CA certificate that was created in the previous step.
      - Tivoli Directory Server
      - Tivoli Directory Server publishing
      - Tivoli Directory Server client
   b. Click Continue.
   c. Click OK.
   d. Click Cancel to exit the menu.
   e. Restart the Directory Server.
      1) At the command prompt type: ENDTCPSVR *DIRSRV and press Enter.
      2) Wait for the service to end.
      3) At the command prompt type: STRTCPSVR *DIRSRV and press Enter.

7. Add CA to signer certificates on the workstation where the Tivoli Directory Integrator is installed.
   a. Start the iKeyman utility. In the ITDI_HOME_DIR\_jvm\jre\bin directory issue the command ikeyman.exe.
   b. Create a .jks keystore.
   c. Select Signer Certificates.
   d. Click Add.
   e. Specify the path of the file where IBM i local CA was saved. See step 2g.
   f. Type a description for the file.
   g. Exit the iKeyman utility.

8. Edit the global.properties and the solution.properties files on the workstation where the Tivoli Directory Integrator is installed.
   a. Depending on whether a solutions directory is set up for the Tivoli Directory Integrator, open one or both of these files in a flat editor such as Notepad.
      - ITDI_HOME_DIR\global.properties
      - ITDI_SOL_DIR\solution.properties
   b. Edit the server authentication section. For example:
      javax.net.ssl.trustStore=C:\itdicertkeys\iseries.jks
      javax.net.ssl.trustStorePassword=fred2134
      javax.net.ssl.trustStoreType=jks
   c. Repeat the same steps for the client authentication section.
   d. Restart the dispatcher service.

9. Modify the IBM i service:
   a. Adjust the URL to use the LDAP SSL port. For example: ldap://irvas01.irvine.ibm.com:636.
   b. Ensure that the Use SSL check box is selected.
   c. Verify that you typed the password.
   d. Click Test Connection at the bottom of the page.
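The text file saved in step 2g is the trust anchor for steps 7 through 9, so a partial copy tends to surface only later as a failed Test Connection. The following added example (not IBM's code; the function names and the constructed sample are assumptions) checks that the pasted file holds one complete Base 64 certificate, then performs a verifying handshake against the LDAP SSL port while trusting only that CA.

```python
"""Pre-check for the CA file from step 2g and the LDAP SSL port from step 9.
Added example: names and sample data are assumptions, not part of the product."""
import base64
import hashlib
import re
import socket
import ssl

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def check_pasted_ca(text):
    """Validate the text pasted from DCM. Returns (ok, detail): detail is the
    SHA-256 fingerprint when ok, otherwise a description of the problem."""
    match = PEM_BLOCK.search(text)
    if match is None:
        return False, "BEGIN/END CERTIFICATE line missing: paste is incomplete"
    body = "".join(match.group(1).split())      # drop CR/LF and indentation
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError:                          # binascii.Error is a ValueError
        return False, "body is not valid Base64: stray or missing characters"
    # A certificate is one DER SEQUENCE whose declared length must match the
    # bytes present. A dropped 64-character line still decodes as Base64,
    # so this is the check that catches a partial copy.
    if len(der) < 2 or der[0] != 0x30:
        return False, "decoded data is not a DER SEQUENCE"
    if der[1] < 0x80:                           # short-form length
        header, declared = 2, der[1]
    else:                                       # long-form length
        count = der[1] & 0x7F
        if count == 0 or len(der) < 2 + count:
            return False, "DER length field is malformed"
        header = 2 + count
        declared = int.from_bytes(der[2:header], "big")
    if header + declared != len(der):
        return False, ("DER length mismatch: expected %d bytes, found %d"
                       % (header + declared, len(der)))
    digest = hashlib.sha256(der).hexdigest().upper()
    return True, ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_ldaps(host, ca_file, port=636, timeout=10):
    """Handshake with the directory server, trusting only the CA in ca_file.
    Raises ssl.SSLCertVerificationError when the server certificate does not
    chain to that CA or does not match host. Returns (TLS version, subject)."""
    # Passing cafile means the system CA bundle is not loaded, which mirrors
    # a truststore that holds only the IBM i local CA.
    context = ssl.create_default_context(cafile=ca_file)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with context.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.getpeercert()["subject"]


def constructed_sample():
    """Constructed stand-in for the DCM output: a correctly framed DER
    SEQUENCE with filler content, not a real certificate."""
    der = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(range(256))
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


if __name__ == "__main__":
    good = constructed_sample()
    rows = good.splitlines()
    partial = "\n".join(rows[:2] + rows[3:])    # one body line lost in copying
    print(check_pasted_ca(good))
    print(check_pasted_ca(partial))
    print(check_pasted_ca(good.replace("-----END CERTIFICATE-----", "")))
```

Run check_pasted_ca on the saved file before importing it in step 7e, and check_ldaps after the Directory Server restart in step 6e.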


Appendix C. Definitions for ITDI_HOME and ISIM_HOME directories

ITDI_HOME is the directory where Tivoli Directory Integrator is installed. ISIM_HOME is the directory where IBM Security Identity Manager is installed.

ITDI_HOME
    This directory contains the jars/connectors subdirectory that contains files for the adapters.

    Windows
        drive\Program Files\IBM\TDI\ITDI_VERSION
        For example the path for version 7.1:
        C:\Program Files\IBM\TDI\V7.1

    UNIX
        /opt/IBM/TDI/ITDI_VERSION
        For example the path for version 7.1:
        /opt/IBM/TDI/V7.1

ISIM_HOME
    This directory is the base directory that contains the IBM Security Identity Manager code, configuration, and documentation.

    Windows
        path\IBM\isim

    UNIX
        path/IBM/isim


Appendix D. Support information

You have several options to obtain support for IBM products.
- “Searching knowledge bases”
- “Obtaining a product fix”
- “Contacting IBM Support”

Searching knowledge bases

You can often find solutions to problems by searching IBM knowledge bases. You can optimize your results by using available resources, support tools, and search methods.

About this task

You can find useful information by searching the product documentation for IBM Security Identity Manager. However, sometimes you must look beyond the product documentation to answer your questions or resolve problems.

Procedure

To search knowledge bases for information that you need, use one or more of the following approaches:

1. Search for content by using the IBM Support Assistant (ISA).
   ISA is a no-charge software serviceability workbench that helps you answer questions and resolve problems with IBM software products. You can find instructions for downloading and installing ISA on the ISA website.

2. Find the content that you need by using the IBM Support Portal.
   The IBM Support Portal is a unified, centralized view of all technical support tools and information for all IBM systems, software, and services. The IBM Support Portal lets you access the IBM electronic support portfolio from one place. You can tailor the pages to focus on the information and resources that you need for problem prevention and faster problem resolution. Familiarize yourself with the IBM Support Portal by viewing the demo videos (https://www.ibm.com/blogs/SPNA/entry/the_ibm_support_portal_videos) about this tool. These videos introduce you to the IBM Support Portal, explore troubleshooting and other resources, and demonstrate how you can tailor the page by moving, adding, and deleting portlets.

3. Search for content about IBM Security Identity Manager by using one of the following additional technical resources:
   - IBM Security Identity Manager version 6.0 technotes and APARs (problem reports).
   - IBM Security Identity Manager Support website.
   - IBM Redbooks®.
   - IBM support communities (forums and newsgroups).

4. Search for content by using the IBM masthead search. You can use the IBM masthead search by typing your search string into the Search field at the top of any ibm.com® page.

5. Search for content by using any external search engine, such as Google, Yahoo, or Bing. If you use an external search engine, your results are more likely to include information that is outside the ibm.com domain. However, sometimes you can find useful problem-solving information about IBM products in newsgroups, forums, and blogs that are not on ibm.com.
   Tip: Include “IBM” and the name of the product in your search if you are looking for information about an IBM product.

Obtaining a product fix

A product fix might be available to resolve your problem.

About this task

You can get fixes by following these steps:

Procedure

1. Obtain the tools that are required to get the fix. You can obtain product fixes from the Fix Central Site. See http://www.ibm.com/support/fixcentral/.
2. Determine which fix you need.
3. Download the fix. Open the download document and follow the link in the “Download package” section.
4. Apply the fix. Follow the instructions in the “Installation Instructions” section of the download document.

Contacting IBM Support

IBM Support assists you with product defects, answers FAQs, and helps users resolve problems with the product.

Before you begin

After trying to find your answer or solution by using other self-help options such as technotes, you can contact IBM Support. Before contacting IBM Support, your company or organization must have an active IBM software subscription and support contract, and you must be authorized to submit problems to IBM. For information about the types of available support, see the Support portfolio topic in the “Software Support Handbook”.

Procedure

To contact IBM Support about a problem:

1. Define the problem, gather background information, and determine the severity of the problem. For more information, see the Getting IBM support topic in the Software Support Handbook.
2. Gather diagnostic information.
3. Submit the problem to IBM Support in one of the following ways:
   - Using IBM Support Assistant (ISA):
     Any data that has been collected can be attached to the service request. Using ISA in this way can expedite the analysis and reduce the time to resolution.
     a. Download and install the ISA tool from the ISA website. See http://www.ibm.com/software/support/isa/.
     b. Open ISA.
     c. Click Collection and Send Data.
     d. Click the Service Requests tab.
     e. Click Open a New Service Request.
   - Online through the IBM Support Portal: You can open, update, and view all of your service requests from the Service Request portlet on the Service Request page.
   - By telephone for critical, system down, or severity 1 issues: For the telephone number to call in your region, see the Directory of worldwide contacts web page.

Results

If the problem that you submit is for a software defect or for missing or inaccurate documentation, IBM Support creates an Authorized Program Analysis Report (APAR). The APAR describes the problem in detail. Whenever possible, IBM Support provides a workaround that you can implement until the APAR is resolved and a fix is delivered. IBM publishes resolved APARs on the IBM Support website daily, so that other users who experience the same problem can benefit from the same resolution.


Appendix E. Accessibility features for IBM Security Identity Manager

Accessibility features help users who have a disability, such as restricted mobility or limited vision, to use information technology products successfully.

Accessibility features

The following list includes the major accessibility features in IBM Security Identity Manager.
- Support for the Freedom Scientific JAWS screen reader application
- Keyboard-only operation
- Interfaces that are commonly used by screen readers
- Keys that are discernible by touch but do not activate just by touching them
- Industry-standard devices for ports and connectors
- The attachment of alternative input and output devices

The IBM Security Identity Manager library, and its related publications, are accessible.

Keyboard navigation

This product uses standard Microsoft Windows navigation keys.

Related accessibility information

The following keyboard navigation and accessibility features are available in the form designer:
- You can use the tab keys and arrow keys to move between the user interface controls.
- You can use the Home, End, Page Up, and Page Down keys for more navigation.
- You can launch any applet, such as the form designer applet, in a separate window to enable the Alt+Tab keystroke to toggle between that applet and the web interface, and also to use more screen workspace. To launch the window, click Launch as a separate window.
- You can change the appearance of applets such as the form designer by using themes, which provide high contrast color schemes that help users with vision impairments to differentiate between controls.

IBM and accessibility

See the IBM Human Ability and Accessibility Center for more information about the commitment that IBM has to accessibility.


Notices

This information was developed for products and services offered in the U.S.A.

IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785 U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan, Ltd.
19-21, Nihonbashi-Hakozakicho, Chuo-ku
Tokyo 103-8510, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law:

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement might not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.


IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

IBM Corporation
2Z4A/101
11400 Burnet Road
Austin, TX 78758 U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases payment of a fee.

The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurement may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

COPYRIGHT LICENSE:

This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. You may copy, modify, and distribute these sample programs in any form without payment to IBM for the purposes of developing, using, marketing, or distributing application programs conforming to IBM's application programming interfaces.

Each copy or any portion of these sample programs or any derivative work, must include a copyright notice as follows:

If you are viewing this information softcopy, the photographs and color illustrations might not appear.

© (your company name) (year). Portions of this code are derived from IBM Corp. Sample Programs. © Copyright IBM Corp. _enter the year or years_. All rights reserved.

If you are viewing this information in softcopy form, the photographs and color illustrations might not be displayed.

Trademarks

IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at http://www.ibm.com/legal/copytrade.shtml.

Adobe, Acrobat, PostScript and all Adobe-based trademarks are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, other countries, or both.

IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce.

Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

Linux is a trademark of Linus Torvalds in the United States, other countries, or both.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Cell Broadband Engine and Cell/B.E. are trademarks of Sony Computer Entertainment, Inc., in the United States, other countries, or both and is used under license therefrom.

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.

Privacy Policy Considerations

IBM Software products, including software as a service solutions, ("Software Offerings") may use cookies or other technologies to collect product usage information, to help improve the end user experience, and to tailor interactions with the end user or for other purposes. In many cases, no personally identifiable information is collected by the Software Offerings. Some of our Software Offerings can help enable you to collect personally identifiable information. If this Software Offering uses cookies to collect personally identifiable information, specific information about this offering’s use of cookies is set forth below.

This Software Offering does not use cookies or other technologies to collect personally identifiable information.

If the configurations deployed for this Software Offering provide you as customer the ability to collect personally identifiable information from end users via cookies and other technologies, you should seek your own legal advice about any laws applicable to such data collection, including any requirements for notice and consent.

For more information about the use of various technologies, including cookies, for these purposes, see IBM's Privacy Policy at http://www.ibm.com/privacy and IBM’s Online Privacy Statement at http://www.ibm.com/privacy/details/us/en sections entitled "Cookies, Web Beacons and Other Technologies and Software Products and Software-as-a Service".






Printed in USA

SC27-4396-01