72
IBM Security Identity Manager Version 6.0 Salesforce.com Adapter Installation and Configuration Guide SC27-4413-03

Installation and Configuration Guide · PDF file Installation and Configuration Guide ... Installation and Configuration Guide ... For technical training

  • Upload
    dinhnga

  • View
    352

  • Download
    13

Embed Size (px)

Citation preview

Page 1: Installation and Configuration Guide · PDF file  Installation and Configuration Guide ...   Installation and Configuration Guide ... For technical training

IBM Security Identity ManagerVersion 6.0

Salesforce.com Adapter Installationand Configuration Guide

SC27-4413-03

���

Page 2: Installation and Configuration Guide · PDF file  Installation and Configuration Guide ...   Installation and Configuration Guide ... For technical training
Page 3: Installation and Configuration Guide · PDF file  Installation and Configuration Guide ...   Installation and Configuration Guide ... For technical training

IBM Security Identity ManagerVersion 6.0

Salesforce.com Adapter Installationand Configuration Guide

SC27-4413-03

���

Page 4: Installation and Configuration Guide · PDF file  Installation and Configuration Guide ...   Installation and Configuration Guide ... For technical training

NoteBefore using this information and the product it supports, read the information in “Notices” on page 53.

Edition notice

Note: This edition applies to version 6.0 of IBM Security Identity Manager (product number 5724-C34) and to allsubsequent releases and modifications until otherwise indicated in new editions.

© Copyright IBM Corporation 2012, 2013.US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contractwith IBM Corp.

Page 5: Installation and Configuration Guide · PDF file  Installation and Configuration Guide ...   Installation and Configuration Guide ... For technical training

Contents

Figures . . . . . . . . . . . . . . . v

Tables . . . . . . . . . . . . . . . vii

Preface . . . . . . . . . . . . . . . ixAbout this publication . . . . . . . . . . . ixAccess to publications and terminology . . . . . ixAccessibility . . . . . . . . . . . . . . xTechnical training. . . . . . . . . . . . . xSupport information . . . . . . . . . . . . xStatement of Good Security Practices . . . . . . x

Chapter 1. Overview of the adapter . . . 1Features of the adapter . . . . . . . . . . . 1Architecture of the adapter . . . . . . . . . 1Supported configurations . . . . . . . . . . 2

Chapter 2. Adapter installation planning 5Preinstallation roadmap . . . . . . . . . . 5Installation roadmap. . . . . . . . . . . . 5Prerequisites . . . . . . . . . . . . . . 6Prerequisites to run the connector . . . . . . . 6Installation worksheet for the adapter . . . . . . 7Software downloads . . . . . . . . . . . . 7

Chapter 3. Adapter installation . . . . . 9Dispatcher installation verification . . . . . . . 9Exporting and importing the Salesforce.com SSLcertificate . . . . . . . . . . . . . . . 9Installing the adapter . . . . . . . . . . . 10Installation verification . . . . . . . . . . 11Adapter service start, stop, and restart . . . . . 11Importing the adapter profile into the IBM SecurityIdentity Manager server . . . . . . . . . . 12Adapter profile installation verification . . . . . 13Adapter user account creation . . . . . . . . 13Configuring suspend and restore operations . . . 13Creating a service . . . . . . . . . . . . 14Permissions for the /tmp directory . . . . . . . 18

Chapter 4. First steps after installation 19Adapter configuration . . . . . . . . . . . 19

Customized attributes . . . . . . . . . . 19Editing Salesforce adapter profiles on the UNIXor Linux operating system . . . . . . . . 23Modification of the maximum length of theaccount form attributes . . . . . . . . . 24Creating a JAR file and importing the profile intothe IBM Security Identity Manager . . . . . 24

Language pack installation for the Salesforceadapter . . . . . . . . . . . . . . . . 25Verifying the adapter installation . . . . . . . 25

Chapter 5. Adapter errortroubleshooting . . . . . . . . . . . 27Techniques for troubleshooting problems . . . . 27Known behaviors . . . . . . . . . . . . 29

Chapter 6. Adapter upgrade. . . . . . 31Connector upgrade . . . . . . . . . . . . 31Profile upgrade . . . . . . . . . . . . . 31

Chapter 7. Adapter uninstallation . . . 33Uninstalling the adapter from the Tivoli DirectoryIntegrator server. . . . . . . . . . . . . 33Adapter profile removal from the IBM SecurityIdentity Manager server . . . . . . . . . . 33

Chapter 8. Adapter reinstallation . . . 35

Appendix A. Files . . . . . . . . . . 37The schema.dsml file . . . . . . . . . . . 37

Object identifier . . . . . . . . . . . . 38Attribute definition . . . . . . . . . . . 38Classes . . . . . . . . . . . . . . . 39

CustomLabels.properties file . . . . . . . . 40

Appendix B. Adapter attributes . . . . 41Attribute descriptions . . . . . . . . . . . 41

Appendix C. Definitions for ITDI_HOMEand ISIM_HOME directories . . . . . . 45

Appendix D. Support information . . . 47Searching knowledge bases . . . . . . . . . 47Obtaining a product fix . . . . . . . . . . 48Contacting IBM Support . . . . . . . . . . 48

Appendix E. Accessibility features forIBM Security Identity Manager . . . . 51

Notices . . . . . . . . . . . . . . 53

Index . . . . . . . . . . . . . . . 57

© Copyright IBM Corp. 2012, 2013 iii

Page 6: Installation and Configuration Guide · PDF file  Installation and Configuration Guide ...   Installation and Configuration Guide ... For technical training

iv IBM Security Identity Manager: Salesforce.com Adapter Installation and Configuration Guide

Page 7: Installation and Configuration Guide · PDF file  Installation and Configuration Guide ...   Installation and Configuration Guide ... For technical training

Figures

1. The architecture of the Salesforce.com Adapter 22. Example of a single server configuration . . . 2

3. Example of a multiple server configuration 3

© Copyright IBM Corp. 2012, 2013 v

Page 8: Installation and Configuration Guide · PDF file  Installation and Configuration Guide ...   Installation and Configuration Guide ... For technical training

vi IBM Security Identity Manager: Salesforce.com Adapter Installation and Configuration Guide

Page 9: Installation and Configuration Guide · PDF file  Installation and Configuration Guide ...   Installation and Configuration Guide ... For technical training

Tables

1. Preinstallation roadmap . . . . . . . . . 52. Installation roadmap . . . . . . . . . . 53. Prerequisites to install the adapter . . . . . 64. Salesforce.com connector prerequisites . . . . 6

5. Required information to install the adapter 76. Adapter component . . . . . . . . . . 117. Syntax tag data types and values . . . . . 398. Attributes for the erSFAccount object class 41

© Copyright IBM Corp. 2012, 2013 vii

Page 10: Installation and Configuration Guide · PDF file  Installation and Configuration Guide ...   Installation and Configuration Guide ... For technical training

viii IBM Security Identity Manager: Salesforce.com Adapter Installation and Configuration Guide

Page 11: Installation and Configuration Guide · PDF file  Installation and Configuration Guide ...   Installation and Configuration Guide ... For technical training

Preface

About this publication

The Salesforce.com Adapter Installation and Configuration Guide provides the basicinformation that you can use to install and configure the IBM® Security IdentityManager Salesforce.com Adapter.

IBM Security Identity Manager was previously known as Tivoli® Identity Manager.

The adapter enables connectivity between the IBM Security Identity Managerserver and the managed resource.

Access to publications and terminologyThis section provides:v A list of publications in the “IBM Security Identity Manager library.”v Links to “Online publications.”v A link to the “IBM Terminology website.”

IBM Security Identity Manager library

For a complete listing of the IBM Security Identity Manager and IBM SecurityIdentity Manager Adapter documentation, see the online library(http://www-01.ibm.com/support/knowledgecenter/SSRMWJ/welcome).

Online publications

IBM posts product publications when the product is released and when thepublications are updated at the following locations:

IBM Security Identity Manager libraryThe product documentation site (http://www-01.ibm.com/support/knowledgecenter/SSRMWJ/welcome) displays the welcome page andnavigation for the library.

IBM Security Systems Documentation CentralIBM Security Systems Documentation Central provides an alphabetical listof all IBM Security Systems product libraries and links to the onlinedocumentation for specific versions of each product.

IBM Publications CenterThe IBM Publications Center site ( http://www-05.ibm.com/e-business/linkweb/publications/servlet/pbi.wss) offers customized search functionsto help you find all the IBM publications you need.

IBM Terminology website

The IBM Terminology website consolidates terminology for product libraries in onelocation. You can access the Terminology website at http://www.ibm.com/software/globalization/terminology.

© Copyright IBM Corp. 2012, 2013 ix

Page 12: Installation and Configuration Guide · PDF file  Installation and Configuration Guide ...   Installation and Configuration Guide ... For technical training

AccessibilityAccessibility features help users with a physical disability, such as restrictedmobility or limited vision, to use software products successfully. With this product,you can use assistive technologies to hear and navigate the interface. You can alsouse the keyboard instead of the mouse to operate all features of the graphical userinterface.

Technical trainingFor technical training information, see the following IBM Education website athttp://www.ibm.com/software/tivoli/education.

Support informationIBM Support provides assistance with code-related problems and routine, shortduration installation or usage questions. You can directly access the IBM SoftwareSupport site at http://www.ibm.com/software/support/probsub.html.

Appendix D, “Support information,” on page 47 provides details about:v What information to collect before contacting IBM Support.v The various methods for contacting IBM Support.v How to use IBM Support Assistant.v Instructions and problem-determination resources to isolate and fix the problem

yourself.

Note: The Community and Support tab on the product information center canprovide additional support resources.

Statement of Good Security PracticesIT system security involves protecting systems and information throughprevention, detection and response to improper access from within and outsideyour enterprise. Improper access can result in information being altered, destroyed,misappropriated or misused or can result in damage to or misuse of your systems,including for use in attacks on others. No IT system or product should beconsidered completely secure and no single product, service or security measurecan be completely effective in preventing improper use or access. IBM systems,products and services are designed to be part of a comprehensive securityapproach, which will necessarily involve additional operational procedures, andmay require other systems, products or services to be most effective. IBM DOESNOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES AREIMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THEMALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

x IBM Security Identity Manager: Salesforce.com Adapter Installation and Configuration Guide

Page 13: Installation and Configuration Guide · PDF file  Installation and Configuration Guide ...   Installation and Configuration Guide ... For technical training

Chapter 1. Overview of the adapter

An adapter provides an interface between a managed resource and the IBMSecurity Identity Manager server.

Adapters can be on the managed resource. The IBM Security Identity Managerserver manages access to the resource by using your security system.

Adapters function as trusted virtual administrators on the target operating system.They do tasks such as creating, suspending, and restoring user accounts, and otheradministrative functions that are done manually. The adapter runs as a service,independently of whether you are logged on to the IBM Security Identity Managerserver.

The Salesforce.com Adapter enables communication between the IBM SecurityIdentity Manager server and the Salesforce.com server.

Features of the adapterThe adapter automates user account management tasks.v Creating user accounts in Salesforce.com

Use the adapter to add, modify, or delete the user accounts.v Assigning roles to users

Use the adapter to assign or unassign roles to the users.v Assigning profiles to users

Use the adapter to assign or unassign profiles to the users.v Reconciling user account information

Use the adapter to reconcile information from the managed resource to IBMSecurity Identity Manager for synchronization.

v Reconciling support dataUse the adapter to reconcile support data.

v Suspending and restoring usersUse the adapter to suspend users or restore users.

Architecture of the adapterYou must install the following components for the adapter to function correctly:v The RMI Dispatcherv The Tivoli Directory Integrator connectorv The IBM Security Identity Manager adapter profile

You must install the RMI Dispatcher and the adapter profile; however, the TivoliDirectory Integrator connector might already be installed with the base TivoliDirectory Integrator product.

Figure 1 on page 2 describes the components that work together to complete theuser account management tasks in a Tivoli Directory Integrator environment.

© Copyright IBM Corp. 2012, 2013 1

Page 14: Installation and Configuration Guide · PDF file  Installation and Configuration Guide ...   Installation and Configuration Guide ... For technical training

For more information about Tivoli Directory Integrator, see the Quick Start Guide atIBM Security Identity Manager product documentation.

Supported configurationsThere are fundamental components in each environment.

Supported configurations have the following components:v The IBM Security Identity Manager serverv The Tivoli Directory Integrator serverv The managed resourcev The adapter

The adapter must be installed directly on the server that runs the Tivoli DirectoryIntegrator server.

Single server configuration

In a single server configuration, install the IBM Security Identity Manager server,the Tivoli Directory Integrator server, and the Salesforce.com Adapter on oneserver to establish communication with Salesforce.com.

The Salesforce.com server is on the Internet as described in Figure 2.

Multiple server configuration

In a multiple server configuration, the IBM Security Identity Manager server, theTivoli Directory Integrator server, and the Salesforce.com Adapter, are installed ondifferent servers.

Install the Tivoli Directory Integrator server and the Salesforce.com Adapter on thesame server as described in Figure 3 on page 3.

RMI callsIBM SecurityIdentityManagerServer

DispatcherService(an instanceof the IBMTivoliDirectoryIntegrator)

Adapterresource

Figure 1. The architecture of the Salesforce.com Adapter

IBM SecurityIdentity Manager Server

Tivoli DirectoryIntegrator Server

Adapter

Managed

resource

Figure 2. Example of a single server configuration

2 IBM Security Identity Manager: Salesforce.com Adapter Installation and Configuration Guide

Page 15: Installation and Configuration Guide · PDF file  Installation and Configuration Guide ...   Installation and Configuration Guide ... For technical training

IBM SecurityIdentity Managerserver

Tivoli DirectoryIntegrator server Managed

resource

Adapter

Figure 3. Example of a multiple server configuration

Chapter 1. Overview of the adapter 3

Page 16: Installation and Configuration Guide · PDF file  Installation and Configuration Guide ...   Installation and Configuration Guide ... For technical training

4 IBM Security Identity Manager: Salesforce.com Adapter Installation and Configuration Guide

Page 17: Installation and Configuration Guide · PDF file  Installation and Configuration Guide ...   Installation and Configuration Guide ... For technical training

Chapter 2. Adapter installation planning

Installing and configuring the adapter involves several steps that you mustcomplete in an appropriate sequence. Review the roadmaps before you begin theinstallation process.

Preinstallation roadmapBefore adapter installation, you must prepare the environment.

Do the tasks in Table 1.

Table 1. Preinstallation roadmap

Task For more information

Obtain the installation software. Download the software from PassportAdvantage® website. See “Softwaredownloads” on page 7.

Verify that your environment meets thesoftware and hardware requirements for theadapter.

See “Prerequisites” on page 6 and“Prerequisites to run the connector” on page6.

Obtain the necessary information for theinstallation and configuration.

See “Installation worksheet for the adapter”on page 7.

Export and import the Salesforce.com SSLcertificate.

See “Exporting and importing theSalesforce.com SSL certificate” on page 9.

Installation roadmapTo install the adapter, complete the tasks that are listed in the following table:

Table 2. Installation roadmap

Task For more information

Verify the Dispatcher installation. See “Dispatcher installation verification” onpage 9.

Install the adapter. See “Installing the adapter” on page 10.

Verify the adapter installation. See “Installation verification” on page 11.

Import the adapter profile. See “Importing the adapter profile into theIBM Security Identity Manager server” onpage 12.

Verify the profile installation. See “Adapter profile installationverification” on page 13.

Create an adapter user account. See “Adapter user account creation” on page13.

Create a service. See “Creating a service” on page 14.

Configure the adapter. See “Adapter configuration” on page 19.

© Copyright IBM Corp. 2012, 2013 5

Page 18: Installation and Configuration Guide · PDF file  Installation and Configuration Guide ...   Installation and Configuration Guide ... For technical training

PrerequisitesVerify that your environment meets all the prerequisites before you install theadapter.

Table 3 identifies the software and operating system prerequisites for the adapterinstallation.

Ensure that you install the adapter on the same workstation as the IBM TivoliDirectory Integrator server.

Table 3. Prerequisites to install the adapter

Prerequisite Description

IBM Tivoli Directory Integrator Version 7.1 fix pack 5 or later

Version 7.1.1

IBM Security Identity Manager server Version 6.0

Salesforce.com API Version 23.0

System Administrator authority To complete the adapter installationprocedure, you must have systemadministrator authority.

Tivoli Directory Integrator adapters solutiondirectory

A Tivoli Directory Integrator adapterssolution directory is a Tivoli DirectoryIntegrator work directory for IBM SecurityIdentity Manager adapters.

For more information, see the DispatcherInstallation and Configuration Guide.

A Salesforce.com API user A Salesforce.com user with API permissionfor your organization. The user must have avalid user name, password, and securitytoken. For more information about securitytokens, see “Resetting Your Security Token”in the Salesforce online help.

Note: Set the environmental variable CLASSPATH to Java version 1.5 that isrequired for the adapter installation or upgrade.

For information about the prerequisites and supported operating systems for TivoliDirectory Integrator, see the IBM Tivoli Directory Integrator 7.0: Administrator Guide.

Prerequisites to run the connectorThe following table lists the requirements to run the Salesforce.com connector.

Table 4. Salesforce.com connector prerequisites

Requirement Description Task

Export and Import the SSLcertificate

Export the SSL certificate fromthe managed resource andimport it to the certificateauthority (CA) certificates ofthe Tivoli Directory IntegratorJava virtual machine (JVM).

See “Exporting and importing theSalesforce.com SSL certificate” on page 9.

6 IBM Security Identity Manager: Salesforce.com Adapter Installation and Configuration Guide

Page 19: Installation and Configuration Guide · PDF file  Installation and Configuration Guide ...   Installation and Configuration Guide ... For technical training

Installation worksheet for the adapterThe following table identifies the information that you need before installing theadapter.

Table 5. Required information to install the adapter

Required information Description Value

Tivoli DirectoryIntegrator HomeDirectory

The ITDI_HOME directory containsthe jars/connectors subdirectorythat contains adapter JAR files. Forexample, the jars/connectorssubdirectory contains the JAR file forthe UNIX adapter.

If Tivoli DirectoryIntegrator is automaticallyinstalled with your IBMSecurity Identity Managerproduct, the defaultdirectory path for TivoliDirectory Integrator is asfollows:

Windows:

v For version 7.0:

drive\ProgramFiles\IBM\TDI\V7.0

UNIX:

v For version 7.0:

/opt/IBM/TDI/V7.0

Adapters solutiondirectory

When you install the dispatcher, theadapter prompts you to specify a filepath for the solution directory. Formore information about the solutiondirectory, see the DispatcherInstallation and Configuration Guide.

The default solutiondirectory is at:

Windows:

v For version 7.0:

drive\ProgramFiles\IBM\TDI\V7.0\timsol

UNIX:

v For version 7.0:

/opt/IBM/TDI/V7.0/timsol

Software downloadsDownload the software through your account at the IBM Passport Advantagewebsite.

Go to IBM Passport Advantage.

See the IBM Security Identity Manager Download Document for instructions.

Note:

You can also obtain additional adapter information from IBM Support.

Chapter 2. Adapter installation planning 7

Page 20: Installation and Configuration Guide · PDF file  Installation and Configuration Guide ...   Installation and Configuration Guide ... For technical training

8 IBM Security Identity Manager: Salesforce.com Adapter Installation and Configuration Guide

Page 21: Installation and Configuration Guide · PDF file  Installation and Configuration Guide ...   Installation and Configuration Guide ... For technical training

Chapter 3. Adapter installation

All the adapters that are based on Tivoli Directory Integrator require theDispatcher for the adapters to function correctly.

If the Dispatcher is installed from a previous installation, do not reinstall it unlessthere is an upgrade to the Dispatcher. See “Dispatcher installation verification.”

After verifying the Dispatcher installation, you might be required to install theTivoli Directory Integrator connector. Depending on your adapter, the connectormight already be installed as part of the Tivoli Directory Integrator product and nofurther action is required.

Dispatcher installation verificationIf this installation is the first adapter installation that is based on the TivoliDirectory Integrator, you must install the RMI Dispatcher before you install theadapter.

You must install the dispatcher on the same Tivoli Directory Integrator serverwhere you want to install the adapter.

Obtain the dispatcher installer from the IBM Passport Advantage website,http://ww.ibm.com/software/howtobuy/passportadvantage/pao_customers.htm.For information about Dispatcher installation, see the Dispatcher Installation andConfiguration Guide.

Exporting and importing the Salesforce.com SSL certificateTo enable communication between the Salesforce.com Adapter and theSalesforce.com server, keystores must be configured for the RMI Dispatcher.

Procedure1. Create a keystore that contains the Salesforce.com SSL certificates as trusted

certificate entries. Use Internet Explorer to download the Salesforce.com serverSSL certificate into the Windows certificate store from https://login.salesforce.com/. View the certificate by double-clicking the SSL lockicon. If your browser reports that revocation information is not available,double-click View Certificate.

2. Click Certification Path and select the CA Root certificate. The Java™ keytooldisplays a confirmation that the certificate is added to the keystore.

3. Click View Certificate.4. Click the Details tab and navigate to Copy to File using the Base-64 encoded

X.509 (.CER) format.v If the RMI Dispatcher has the configured keystore, use the keytool.exe

program to import the Salesforce.com server certificate.v If the keystore is not configured, create a keystore. Issue the following

command (as one line) from a command prompt:keytool -import -alias salesforce -filec:\salesforce.cer -keystore c:\truststore.jks -storepass passw0rd

© Copyright IBM Corp. 2012, 2013 9

Page 22: Installation and Configuration Guide · PDF file  Installation and Configuration Guide ...   Installation and Configuration Guide ... For technical training

5. Edit the IDI_HOME/timsol/solution.properties file to specify truststore andkeystore information. In the current release, only jks-type is supported:# Keystore file information for the server authentication.# It is used to verify the server’s public key.# examplejavax.net.ssl.trustStore=truststore.jksjavax.net.ssl.trustStorePassword=passw0rdjavax.net.ssl.trustStoreType=jks

Note: If these key properties are not configured, you can set the truststore tothe same value that contains the Salesforce.com server certificate. Otherwise,you must import the Salesforce.com server certificate to the truststore specifiedin javax.net.ssl.trustStore.

6. After you modify the solution.properties file, restart the IBM SecurityIdentity Manager Adapter Service (RMI Dispatcher).

What to do next

For more information about SSL configuration, see the IBM Security DispatcherInstallation and Configuration Guide.

Installing the adapterYou can take these steps to install the adapter.

Before you begin

Do the following actions:v Verify that your site meets all the prerequisite requirements. See “Prerequisites”

on page 6.v Obtain a copy of the installation software. See “Software downloads” on page 7.v Obtain system administrator authority.v If you are updating a previous installation, the adapter you want to update must

exist. If it does not exist, the software generates the following message:Adapter is not found at specified location.Cannot perform Update Installation. Correctthe path of installed adapter or select Full Installation.

About this task

The adapter uses the Tivoli Directory Integrator Salesforce connector. Theconnector is not available with the base Tivoli Directory Integrator product. Theadapter installation involves the Tivoli Directory Integrator Salesforce.comconnector installation. Before you install the adapter, make sure that the Dispatcheris already installed. See “Dispatcher installation verification” on page 9.

Procedure

To install the adapter, take the following steps:1. Create a temporary directory on the workstation where you want to install the

adapter.2. Extract the contents of the compressed file in the temporary directory.3. Copy the SalesforceConnector.jar file to the ITDI_HOME/jars/connectors

directory.

10 IBM Security Identity Manager: Salesforce.com Adapter Installation and Configuration Guide

Page 23: Installation and Configuration Guide · PDF file  Installation and Configuration Guide ...   Installation and Configuration Guide ... For technical training

4. Copy the sforce_partner.jar file to the ITDI_HOME/jars/patches directory.5. Restart the IBM Security Identity Manager adapter (Dispatcher) service.

What to do next

After you finish the adapter installation, do the following tasks:v Verify that the installation completed successfully. See “Installation verification.”v Import the adapter profile. See “Importing the adapter profile into the IBM

Security Identity Manager server” on page 12.v Create a user account for the adapter on IBM Security Identity Manager. See

“Adapter user account creation” on page 13.

Installation verificationIf the adapter is installed correctly, adapter components exist in the specifieddirectory.

Table 6. Adapter component

Adapter component Directory

SalesforceConnector.jarOn the Windows operating system

drive:\ProgramFiles\IBM\TDI\V7.0\jars\connectors\

On the UNIX operating system/opt/IBM/TDI/V7.0/jars/connectors/

sforce_partner.jarOn the Windows operating system

drive:\ProgramFiles\IBM\TDI\V7.0\jars\patches\

On the UNIX operating system/opt/IBM/TDI/V7.0/jars/patches/

Review the installer log file, SalesforceAdapter_Installer.log, that is in theadapter installer directory for any errors.

If this installation is to upgrade a connector, then send a request from IBM SecurityIdentity Manager. Verify that the version number in the ibmdi.log matches theversion of the connector that you installed. The ibmdi.log file is in theITDI_Home\adapter solution directory\logs directory.

Adapter service start, stop, and restartTo start, stop, or restart the adapter, you must start, stop, or restart the Dispatcher.

The adapter does not exist as an independent service or a process. The adapter isadded to the Dispatcher instance, which runs all the adapters that are installed onthe same Tivoli Directory Integrator instance.

See the topic about starting stopping, and restarting the dispatcher service in theDispatcher Installation and Configuration Guide.

Chapter 3. Adapter installation 11

Page 24: Installation and Configuration Guide · PDF file  Installation and Configuration Guide ...   Installation and Configuration Guide ... For technical training

Importing the adapter profile into the IBM Security Identity Managerserver

An adapter profile defines the types of resources that the IBM Security IdentityManager server can manage.

About this task

Use the profile to create an adapter service on IBM Security Identity Managerserver and establish communication with the adapter.

You can add an adapter as a service to the IBM Security Identity Manager server.However, the server must first have an adapter profile to recognize the adapter asa service. The files that are packaged with the adapter include the adapterSalesforceProfile.jar file. You can import the adapter profile as a service profileon the server with the Import feature of IBM Security Identity Manager.

The SalesforceProfile.jar file includes all the files that are required to define theadapter schema, account form, service form, and profile properties. You can extractthe files from the JAR file to modify the necessary files and package the JAR filewith the updated files.

Before you begin to import the adapter profile, verify that the following conditionsare met:v The IBM Security Identity Manager server is installed and running.v You have root or Administrator authority on IBM Security Identity Manager.

To import the adapter profile, do the following steps:

Procedure1. Log on to the IBM Security Identity Manager server by using an account that

has the authority to do administrative tasks.2. In the My Work pane, expand Configure System and click Manage Service

Types.3. On the Manage Service Types page, click Import to display the Import Service

Types page.4. Specify the location of the SalesforceProfile.jar file in the Service Definition

File field by doing one of the following tasks:v Type the complete location of where the file is stored.v Use Browse to navigate to the file.

5. Click OK.

What to do nextv Update the enRole.properties file that is located under the server home data

directory. Append the attribute erSFloginPassword to the list of attributes of thepassword.attribute property.############################################################# Schema information############################################################ specifies which attribute will be encrypted by the dataservices component.

password.attributes=ersynchpassword erServicePassword erServicePwd1erServicePwd2 erServicePwd3 erServicePwd4 erADDomainPassword erPersonPasswordhi erNotesPasswdAddCert eritamcred erep6umds erposixpassphrase erSFloginPassword

12 IBM Security Identity Manager: Salesforce.com Adapter Installation and Configuration Guide

Page 25: Installation and Configuration Guide · PDF file  Installation and Configuration Guide ...   Installation and Configuration Guide ... For technical training

v When you import the adapter profile and if you receive an error that is relatedto the schema, see the trace.log file for information about the error. Thetrace.log file location is specified by using the handler.file.fileDir propertythat is defined in the IBM Security Identity Manager enRoleLogging.propertiesfile. The enRoleLogging.properties file is installed in the ITIM_HOME\datadirectory.

v Restart the IBM Security Identity Manager for the change to take effect.

Adapter profile installation verificationAfter you install the adapter profile, verify that the installation was successful.

An unsuccessful installation:v Might cause the adapter to function incorrectly.v Prevents you from creating a service with the adapter profile.

To verify that the adapter profile is successfully installed, create a service with theadapter profile. See “Creating a service” on page 14.

If you are unable to create a service with the adapter profile or open an account onthe service, the adapter profile is not installed correctly. You must import theadapter profile again.

Adapter user account creationYou must create a user account for the adapter on the managed resource. You mustprovide that account information when you create a service.

For more information about creating a service, see “Creating a service” on page 14.

Ensure that the account has sufficient privileges to administer the Salesforce.comusers.

Configuring suspend and restore operationsThis version of the adapter supports suspension and restoration of Salesforce.comaccounts.

About this task

The Salesforce.com Adapter supports Suspend Account and Restore Accountoperations, which are not enabled by default. The default setting of AccountOperations Settings in the service form of the adapter is Disable Suspend/Restore(Accounts cannot be reactivated), which does not enable Suspend Account orRestore Account operations.

To successfully suspend an account or restore an account, you must set the serviceto enable Suspend Account and Restore Account operations. The setting causes theadapter to deactivate or reactivate the account on Salesforce.com.

Note: Enabling the Suspend Account and Restore Account operations causesdeleted accounts to reconcile as orphan accounts in the service.

Procedure1. In the service form, access the Connection tab.

Chapter 3. Adapter installation 13

Page 26: Installation and Configuration Guide · PDF file  Installation and Configuration Guide ...   Installation and Configuration Guide ... For technical training

2. In the Account Operations Settings menu, select Enable Suspend/Restore(Deleted accounts reconciled as orphan accounts).

3. Enter the Salesforce.com API user password in the Salesforce API Passwordfield.

4. Click OK to save the changes.

Creating a serviceAfter the adapter profile is imported on IBM Security Identity Manager, you mustcreate a service so that IBM Security Identity Manager can communicate with theadapter.

About this task

To create or change a service, you must use the service form to provideinformation for the service. Service forms might vary depending on the adapter.

Procedure1. Log on to the IBM Security Identity Manager server by using an account that

has the authority to do administrative tasks.2. In the My Work pane, click Manage Services and click Create.3. On the Select the Type of Service page, select IDI Salesforce Profile.4. Click Next to display the adapter service form.5. Complete the following fields on the service form:

Connector Profile

Service NameSpecify a name that defines the adapter service on the IBMSecurity Identity Manager server.

Note: Do not use forward (/) or backward slashes (\) in theservice name.

DescriptionOptionally, specify a description that identifies the service foryour environment.

Tivoli Directory Integrator locationOptionally, specify the URL for the Tivoli Directory Integratorinstance. The valid syntax for the URL is rmi://ip-address:port/ITDIDispatcher, where ip-address is the TivoliDirectory Integrator host and port is the port number for theDispatcher. The default URL isrmi://localhost:1099/ITDIDispatcher

For information about changing the port number, see IBMSecurity Identity Manager Dispatcher Installation and ConfigurationGuide.

Account Operations SettingsDefine the behavior of account deletion and enable or disablethe Suspend Account and Restore Account operations:v Enable Suspend/Restore (Deleted accounts are reconciled as

orphan accounts.)

14 IBM Security Identity Manager: Salesforce.com Adapter Installation and Configuration Guide

Page 27: Installation and Configuration Guide · PDF file  Installation and Configuration Guide ...   Installation and Configuration Guide ... For technical training

Select this option to enable the Suspend and Restore accountoperations. Suspended users are marked as “Inactive” onSalesforce. At account deletion, the user is marked “Inactive”on Salesforce; however, the adapter reconciles the user backas an Orphan Account.

v Disable Suspend/Restore (Accounts can be reactivated)Select this option to disable Suspend and Restore accountoperations. An error is returned when an account under theSalesforce.com Service is submitted for restoration orsuspension. Deleted accounts are not reconciled. If theaccount was deleted and is later re-created in IBM SecurityIdentity Manager, it is restored from Salesforce.com bymarking it as “Active” again.

v Disable Suspend/Restore (Accounts cannot be reactivated)This default option has behavior that is compatible withprevious versions of the adapter. Accounts that are deletedcannot be restored. If the account is re-created later, it fails.

OwnerOptionally, specify a IBM Security Identity Manager user as aservice owner.

Service PrerequisiteOptionally, specify a IBM Security Identity Manager service thatis prerequisite to this service.

Connection

Salesforce.com API URLSpecify the URL to access the Salesforce.com API.

The default URL for logging in to the Salesforce.com APIWebservices is https://login.salesforce.com/services/Soap/u/version_number. For example, if the API version number is23.0, specify https://login.salesforce.com/services/Soap/u/23.0 as the login URL.

For more information about login URLs, see "ImplementationConsiderations" in the Salesforce.com API Developer Guide.

UserNameSpecify the user name that is used to log in to the resource anddo user management operations on the organization. Make surethat the user has API access privilege on Salesforce.com.

PasswordSpecify the password for the user.

If a password generator is used when you create or change userpasswords, IBM Security Identity Manager must generate apassword with enough complexity to meet Salesforce.comrequirements. If necessary, create an IBM Security IdentityManager password policy that meets Salesforce.comrequirements. For information about creating a password policyin IBM Security Identity Manager, see "PasswordAdministration" in the IBM Security Identity ManagerAdministration Guide.

You can also use the Salesforce.com Administration UserInterface to modify the Salesforce.com password complexity

Chapter 3. Adapter installation 15

Page 28: Installation and Configuration Guide · PDF file  Installation and Configuration Guide ...   Installation and Configuration Guide ... For technical training

policy. For information about password policies, see "SettingPassword Policies" in the Salesforce.com online help.

Security TokenSpecify the security token that is associated with this username.

To use the Webservices API on Salesforce.com, a valid securitytoken must be generated for the Salesforce.com user. A securitytoken is unique to a specific user. To generate a security tokenfor the user to manage the Salesforce.com service in IBMSecurity Identity Manager, see “Resetting Your Security Token”in the Salesforce.com online help.

Profile for Suspended Users (deprecated)Specify the name of the profile that is assigned to suspendedusers on Salesforce.com.

User Fields for ReconciliationOptionally, specify the fields that are reconciled for users onSalesforce.com. The fields in the list are separated by commas.You must specify Email, Username, LastName, Alias,TimeZoneSidKey, LocaleSidKey, EmailEncodingKey, ProfileId,LanguageLocaleKey, IsActive, Id. You can specify more fields.However, the reconciliation performance might be affected. Ifyou leave this field blank, all fields are reconciled by default.

Dispatcher Attributes:

Disable AL CachingSelect the check box to disable the assembly line caching in thedispatcher for the service. The assembly lines for add, modify,delete, and test operations are not cached.

AL FileSystem PathSpecify the file path from where the dispatcher loads theassembly lines. If you do not specify a file path, the dispatcherloads the assembly lines that are received from IBM SecurityIdentity Manager. For example, you can specify the followingfile path to load the assembly lines from the profiles directoryof the Windows operating system: c:\ProgramFiles\IBM\TDI\V7.0\profiles or you can specify the followingfile path to load the assembly lines from the profiles directoryof the UNIX and Linux operating: system:/opt/IBM/TDI/V7.0/profiles

Max Connection CountSpecify the maximum number of assembly lines that thedispatcher can run simultaneously for the service. For example,enter 10 when you want the dispatcher to run maximum 10assembly lines simultaneously for the service. If you enter 0 inthe Max Connection Count field, the dispatcher does not limitthe number of assembly lines that are run simultaneously forthe service.

Status and informationContains read only information about the adapter and managedresource. These fields are examples. The actual fields vary depending

16 IBM Security Identity Manager: Salesforce.com Adapter Installation and Configuration Guide

Page 29: Installation and Configuration Guide · PDF file  Installation and Configuration Guide ...   Installation and Configuration Guide ... For technical training

on the type of adapter and how the service form is configured. Theadapter must be running to obtain the information. Click TestConnection to populate the fields.

Last status update: DateSpecifies the most recent date when the Status and informationtab was updated.

Last status update: TimeSpecifies the most recent time of the date when the Status andinformation tab was updated.

Managed resource statusSpecifies the status of the managed resource to which theadapter is connected.

Adapter versionSpecifies the version of the adapter that the IBM SecurityIdentity Manager service uses to provision request to themanaged resource.

Profile versionSpecifies the version of the profile that is installed in the IBMSecurity Identity Manager server.

TDI versionSpecifies the version of the Tivoli Directory Integrator on whichthe adapter is deployed.

Dispatcher versionSpecifies the version of the Dispatcher.

Installation platformSpecifies summary information about the operating systemwhere the adapter is installed.

Adapter accountSpecifies the account that is running the adapter binary file.

Adapter up time: DateSpecifies the date when the adapter started.

Adapter up time: TimeSpecifies the time of the date when the adapter started.

Adapter memory usageSpecifies the memory usage for running the adapter.

If the connection fails, follow the instructions in the error message.Also:v Verify the adapter log to ensure that the IBM Security Identity

Manager test request was successfully sent to the adapter.v Verify the adapter configuration information.v Verify IBM Security Identity Manager service parameters for the

adapter profile. For example, verify the work station name or the IPaddress of the managed resource and the port.

6. Click Finish.

Chapter 3. Adapter installation 17

Page 30: Installation and Configuration Guide · PDF file  Installation and Configuration Guide ...   Installation and Configuration Guide ... For technical training

Permissions for the /tmp directoryThe permissions for the /tmp directory on the managed resource must be set to 777when you do the reconciliation operation by using the sudo user.

18 IBM Security Identity Manager: Salesforce.com Adapter Installation and Configuration Guide

Page 31: Installation and Configuration Guide · PDF file  Installation and Configuration Guide ...   Installation and Configuration Guide ... For technical training

Chapter 4. First steps after installation

After you install the adapter, you must do several other tasks. The tasks includeconfiguring the adapter, setting up SSL, installing the language pack, and verifyingthat the adapter works correctly.

Adapter configurationYou have configuration options for the Salesforce.com Adapter.v “Customized attributes”v “Editing Salesforce adapter profiles on the UNIX or Linux operating system” on

page 23v “Modification of the maximum length of the account form attributes” on page 24v “Creating a JAR file and importing the profile into the IBM Security Identity

Manager” on page 24

See the IBM Security Dispatcher Installation and Configuration Guide for moreconfiguration options such as:v JVM propertiesv Dispatcher filteringv Dispatcher propertiesv Dispatcher port numberv Logging configurationsv Secure Sockets Layer (SSL) communication

Customized attributesUse these tasks to configure the Salesforce.com Adapter to support customizedSalesforce.com attributes.

Salesforce.com supports custom fields for the user object. However, theSalesforce.com Adapter supports only the standard set of attributes.

You can customize the adapter to support custom attributes. Complete thefollowing tasks to customize the Salesforce.com Adapter to support custom fieldsin Salesforce.com.

Schema extensions and custom attributesUse the interface and tools that are provided by Salesforce.com to extend theSalesforce.com User schema and add the custom attributes.

For more information about adding new attributes to the Salesforce.com Userschema, see the Salesforce.com documentation.

The Salesforce.com Adapter supports the following types of custom attributes:v Booleanv Integerv Case-sensitive stringv Not case-sensitive stringv Coordinated Universal Time (UTC) coded time

© Copyright IBM Corp. 2012, 2013 19

Page 32: Installation and Configuration Guide · PDF file  Installation and Configuration Guide ...   Installation and Configuration Guide ... For technical training

Prefix the attribute names with erSF to easily identify the attributes that are usedwith IBM Security Identity Manager.

Note:

v If Tivoli Directory Server is being used as the directory server application, thename of the attribute must be unique within the first 16 characters.

v The Salesforce.com Adapter supports a multi-line value for custom attributeswith string syntax.

v The custom attributes are supported for User account class only.

Copying the SalesforceProfile.jar file and extracting the filesUse these tasks to customize your environment.

About this task

The profile JAR file, SalesforceProfile.jar, is included in the Salesforce.comAdapter compressed file that you downloaded from the IBM website. TheSalesforceProfile.jar file contains a folder named SalesforceProfile with thefollowing files:v CustomLabels.properties

v erSalesforceAccount.xml

v erSalesforceService.xml

v schema.dsml

v service.def

v sforceAdd.xml

v sforceChangePassword.xml

v sforceDelete.xml

v sforceModify.xml

v sforceRecon.xml

v sforceRestore.xml

v sforceSuspend.xml

v sforceTest.xml

You can modify these files to customize your environment. When you finishupdating the profile JAR file, rebuild the JAR file and install it on the IBM SecurityIdentity Manager server. For more information about the profile installation, see“Importing the adapter profile into the IBM Security Identity Manager server” onpage 12.

Procedure1. Log in to the system where the Salesforce.com Adapter is installed.2. On the Start menu, click Programs > Accessories > Command Prompt.3. Copy the SalesforceProfile.jar file into a temporary directory.4. Extract the contents of` the SalesforceProfile.jar file into the temporary

directory. Run the following commands:cd c:\tempjar -xvf SalesforceProfile.jar

The jar command creates the c:\temp\SalesforceProfile directory.

20 IBM Security Identity Manager: Salesforce.com Adapter Installation and Configuration Guide

Page 33: Installation and Configuration Guide · PDF file  Installation and Configuration Guide ...   Installation and Configuration Guide ... For technical training

What to do next

Edit the appropriate files by completing the following tasks.

Modifying the assembly linesUse this task to add new mappings to the assembly lines for custom attributes.

About this task

The Salesforce.com Adapter uses Tivoli Directory Integrator to process requestsbefore you submit them to Salesforce.com.

The Salesforce.com assembly lines contain mapping instructions from a IBMSecurity Identity Manager request to Salesforce.com. Modify the assembly lines toadd new mappings for custom attributes.

Procedure1. Start the Tivoli Directory Integrator Configuration Editor.2. Open the sforceAdd.xml file. Click File > Open Tivoli Directory Integrator

Configuration File....a. Browse to the SalesforceProfile directory.b. Select the sforceAdd.xml file.

3. Optional: If previously edited, assign this configuration file to an existingproject. Otherwise, proceed to the next screen to create a project and name itSalesforceProfile.

4. After the file is imported, expand the project to display the AssemblyLinestree in the Navigator pane.

5. Right click sfAdd assemblyline and select Open. The Add assemblylineconfiguration is displayed in the main panel.

6. Click Show Mapping in the main panel. The mapping table for the assemblyline is displayed in the main panel.

7. Locate the AddUser section and left click to select it in the table.8. Click Map to display the Add attribute dialog.9. Enter the name of the custom field exactly as displayed in the API Name on

Salesforce.com. For example, Custom1__c.10. After the field is added, locate it in the mapping table and double-click the

corresponding row to display an edit dialog.11. Change the default value of work.[custom field name] to work.[custom

attribute name]. For example, change work.Custom1__c towork.erSFCustom1__c.

12. Save the changes. Click File > Save.13. Right click the project in the Navigator pane and select the Export... option to

export the new assembly line.14. In the first screen of the Export dialog, expand the IBM Tivoli Directory

Integrator folder and select Runtime Configuration.15. Click Next.16. In the file path field, browse to the SalesforceProfile directory and select the

file with the same name from step 2 to overwrite it.17. Click Finish.18. Repeat the steps 5 through 17 for the Modify assembly line.

Chapter 4. First steps after installation 21

Page 34: Installation and Configuration Guide · PDF file  Installation and Configuration Guide ...   Installation and Configuration Guide ... For technical training

19. Repeat steps 5 through 17 for the Recon assembly line and do the followingsteps instead of steps 10 and 11:a. Locate the field in the mapping table and click the Work Attribute cell

corresponding to the custom field to rename it.b. Enter the attribute name that is specified previously in step 11. For

example, erSFCustom1__c.

Updating the schema.dsml fileThe Salesforce.com Adapter schema.dsml file identifies all of the standard Useraccount attributes. Modify this file to identify new custom attributes.

About this task

For more information about the attributes in this file, see “The schema.dsml file” onpage 37.

Procedure1. Locate the schema.dsml file in the \SalesforceProfile directory.2. Edit the schema.dsml file to add an attribute definition for each custom

attribute. The Object Identifier (OID) is increased by 1, based on the last entryin the file. For example, if the last attribute in the file uses the OID1.3.6.1.4.1.6054.3.161.2.85, the first new attribute uses the OID1.3.6.1.4.1.6054.3.161.2.86.You might want to start a new range of numbers for your custom attributes.For example, start custom attributes with OID 1.3.6.1.4.1.6054.3.161.2.100. Thisrange prevents duplicate OIDs if the adapter is upgraded to support newattributes that are standard for newer versions of Salesforce.com API.

3. Add each of the new attributes to the account class. For example, add thefollowing attribute definition under the erSalesforceAccount section of theschema.dsml file:<attribute ref="erSFCustom1__c" required="false"/>

4. Save the file when you are finished.

Modifying the CustomLabels.properties fileAfter you add the custom attributes to the schema.dsml file, the attributes areavailable for use on the Salesforce.com Adapter form.

About this task

The attributes are displayed in the attribute list for the account form. You canmodify the attribute names that are in the attribute list. See“CustomLabels.properties file” on page 40.

To add the attribute and its corresponding label to the CustomLabels.propertiesfile, complete the following steps:

Procedure1. Locate the CustomLabels.properties file in the \SalesforceProfile directory.2. Edit the CustomLabels.properties file to add the attribute and its

corresponding label. Use the following format:attribute=label

Note: The attribute name must be in lowercase. For example:

22 IBM Security Identity Manager: Salesforce.com Adapter Installation and Configuration Guide

Page 35: Installation and Configuration Guide · PDF file  Installation and Configuration Guide ...   Installation and Configuration Guide ... For technical training

#Adapter Labels definitions#ersfcustom1__c=Custom Field Oneersfcustom2__c=Custom Attribute Field Two

3. Save the file when you are finished.

Creating a JAR file and installing the new attributes on the IBMSecurity Identity Manager serverYou must import the modified assembly lines, schema.dsml,CustomLabels.properties, and any other files in the profile that were modified forthe adapter. The changes do not take effect until after the files are imported intothe IBM Security Identity Manager server.

Procedure1. Create a JAR file by using the files in the \temp directory. Run the following

commands:cd c:\tempjar -cvf SalesforceProfile.jar SalesforceProfile

2. Import the SalesforceProfile.jar file into the IBM Security Identity Managerserver. For more information about importing the file, see “Importing theadapter profile into the IBM Security Identity Manager server” on page 12.

3. Start and stop the IBM Security Identity Manager server.

Note: If you are upgrading an existing adapter profile, the new adapter profileschema is not reflected immediately. You must stop and start the IBM SecurityIdentity Manager server to refresh the cache and the adapter schema. SeeChapter 6, “Adapter upgrade,” on page 31.

Adapter form modification (optional)After the changes are available in the IBM Security Identity Manager server, youcan modify the Salesforce.com Adapter forms to use the new custom attributes.

You do not have to add the attributes to the Salesforce.com Adapter form unlessyou want them to be available. The attributes are returned during reconciliationsunless you explicitly exclude them.

For more information about modifying the adapter form, see the IBM SecurityIdentity Manager product documentation.

Editing Salesforce adapter profiles on the UNIX or Linuxoperating system

The adapter profile .jar file might contain ASCII files that are created by using theMS-DOS ASCII format.

About this task

If you edit an MS-DOS ASCII file on the UNIX operating system, you might see acharacter ^M at the end of each line. These characters indicate new lines of text inMS-DOS. The characters can interfere with the running of the file on UNIX orLinux systems. You can use tools, such as dos2unix, to remove the ^M characters.You can also use text editors, such as the vi editor, to remove the charactersmanually.

Chapter 4. First steps after installation 23

Page 36: Installation and Configuration Guide · PDF file  Installation and Configuration Guide ...   Installation and Configuration Guide ... For technical training

Example

You can use the vi editor to remove the ^M characters. From the vi commandmode, run the following command and press Enter::%s/^M//g

When you use this command, enter ^M or Ctrl-M by pressing ^v^M or Ctrl V CtrlM sequentially. The ^v instructs the vi editor to use the next keystroke instead ofissuing it as command.

Modification of the maximum length of the account formattributes

When you want to modify the maximum length of the attributes on the accountform, modify the schema.dsml file with their required length.

For example, when you want 2048 as the maximum length of the First Nameattribute, modify the schema.dsml file as:Old profile:

<!-- ******************************************************** --><!-- erRsaAmFirstName --><!-- ******************************************************** --><attribute-type single-value = "true" ><name>erRsaAmFirstName</name><description>First Name</description><object-identifier>1.3.6.1.4.1.6054.3.150.2.1</object-identifier><syntax>1.3.6.1.4.1.1466.115.121.1.15{1024}</syntax>

</attribute-type>

Modified profile:

<!-- ******************************************************** --><!-- erRsaAmFirstName --><!-- ******************************************************** --><attribute-type single-value = "true" ><name>erRsaAmFirstName</name><description>First Name</description><object-identifier>1.3.6.1.4.1.6054.3.150.2.1</object-identifier><syntax>1.3.6.1.4.1.1466.115.121.1.15{2048}</syntax></attribute-type>

Creating a JAR file and importing the profile into the IBMSecurity Identity Manager

After you modify the schema.dsml or any other profile files, you must import thesefiles, into IBM Security Identity Manager for the changes to take effect.

About this task

Note: If you are upgrading an existing adapter profile, the new adapter profileschema is not reflected immediately. You must stop and start the IBM SecurityIdentity Manager server to refresh the cache and the adapter schema. For moreinformation about upgrading an existing adapter, see Chapter 6, “Adapterupgrade,” on page 31.

Procedure1. Extract the contents of the SalesforceProfile.jar file into the temporary

directory by running the following command:

24 IBM Security Identity Manager: Salesforce.com Adapter Installation and Configuration Guide

Page 37: Installation and Configuration Guide · PDF file  Installation and Configuration Guide ...   Installation and Configuration Guide ... For technical training

cd c:\tempjar -xvf SalesforceProfile.jar

The jar command creates the c:\temp\SalesforceProfile directory.2. Update the profile files.3. Create a JAR file with the files in the \temp directory by running the following

commands:cd c:\tempjar -cvf SalesforceProfile.jar SalesforceProfile

4. Import the SalesforceProfile.jar file into the IBM Security Identity Managerserver. For more information about importing the file, see “Importing theadapter profile into the IBM Security Identity Manager server” on page 12.

5. Stop and start the IBM Security Identity Manager server.

Language pack installation for the Salesforce adapterThe adapters use a separate language package from the IBM Security IdentityManager.

See the IBM Security Identity Manager library and search for information aboutinstalling the adapter language pack.

Verifying the adapter installationAfter you install and configure the adapter, verify the installation.

Procedure1. Test the connection for the service that you created on IBM Security Identity

Manager.2. Do a full reconciliation from IBM Security Identity Manager.3. Perform all supported operations on one user account. Do these steps when

you verify the suspend and restore operations, if it is configured on the serviceform.a. Suspend the account.b. Verify that the account is disabled by checking the user's IsActive status on

Salesforce.com.c. Restore the account.d. Verify that the account is enabled by checking the user's IsActive status on

Salesforce.com.4. Verify the ibmdi.log file after each operation to ensure that no errors are

reported.5. Verify the IBM Security Identity Manager log file trace.log to ensure that no

errors are reported when you run an adapter operation.

Chapter 4. First steps after installation 25

Page 38: Installation and Configuration Guide · PDF file  Installation and Configuration Guide ...   Installation and Configuration Guide ... For technical training

26 IBM Security Identity Manager: Salesforce.com Adapter Installation and Configuration Guide

Page 39: Installation and Configuration Guide · PDF file  Installation and Configuration Guide ...   Installation and Configuration Guide ... For technical training

Chapter 5. Adapter error troubleshooting

Troubleshooting can help you determine why a product does not function properly.

Use this information and techniques to identify and resolve problems with theadapter. They also provide information about troubleshooting errors that mightoccur during the adapter installation.

Techniques for troubleshooting problemsTroubleshooting is a systematic approach to solving a problem. The goal oftroubleshooting is to determine why something does not work as expected andhow to resolve the problem. Certain common techniques can help with the task oftroubleshooting.

The first step in the troubleshooting process is to describe the problem completely.Problem descriptions help you and the IBM technical-support representative knowwhere to start to find the cause of the problem. This step includes asking yourselfbasic questions:v What are the symptoms of the problem?v Where does the problem occur?v When does the problem occur?v Under which conditions does the problem occur?v Can the problem be reproduced?

The answers to these questions typically lead to a good description of the problem,which can then lead you to a problem resolution.

What are the symptoms of the problem?

When you start to describe a problem, the most obvious question is “What is theproblem?” This question might seem straightforward; however, you can break itdown into several more-focused questions that create a more descriptive picture ofthe problem. These questions can include:v Who, or what, is reporting the problem?v What are the error codes and messages?v How does the system fail? For example, is it a loop, hang, crash, performance

degradation, or incorrect result?

Where does the problem occur?

Determining where the problem originates is not always easy, but it is one of themost important steps in resolving a problem. Many layers of technology can existbetween the reporting and failing components. Networks, disks, and drivers areonly a few of the components to consider when you are investigating problems.

The following questions help you to focus on where the problem occurs to isolatethe problem layer:v Is the problem specific to one operating system, or is it common across multiple

operating systems?v Is the current environment and configuration supported?

© Copyright IBM Corp. 2012, 2013 27

Page 40: Installation and Configuration Guide · PDF file  Installation and Configuration Guide ...   Installation and Configuration Guide ... For technical training

v Do all users have the problem?v (For multi-site installations.) Do all sites have the problem?

If one layer reports the problem, the problem does not necessarily originate in thatlayer. Part of identifying where a problem originates is understanding theenvironment in which it exists. Take some time to completely describe the problemenvironment, including the operating system and version, all correspondingsoftware and versions, and hardware information. Confirm that you are runningwithin an environment that is a supported configuration. Many problems can betraced back to incompatible levels of software that are not intended to run togetheror are not fully tested together.

When does the problem occur?

Develop a detailed timeline of events that lead up to a failure, especially for thosecases that are one-time occurrences. You can most easily develop a timeline byworking backward: Start at the time an error was reported (as precisely as possible,even down to the millisecond), and work backward through the available logs andinformation. Typically, you must look only as far as the first suspicious event thatyou find in a diagnostic log.

To develop a detailed timeline of events, answer these questions:v Does the problem happen only at a certain time of day or night?v How often does the problem happen?v What sequence of events leads up to the time that the problem is reported?v Does the problem happen after an environment change, such as upgrading or

installing software or hardware?

Responding to these types of questions can give you a frame of reference in whichto investigate the problem.

Under which conditions does the problem occur?

Knowing which systems and applications are running at the time that a problemoccurs is an important part of troubleshooting. These questions about yourenvironment can help you to identify the root cause of the problem:v Does the problem always occur when the same task is being done?v Does a certain sequence of events happen for the problem to occur?v Do any other applications fail at the same time?

Answering these types of questions can help you explain the environment inwhich the problem occurs and correlate any dependencies. Just because multipleproblems occur around the same time, the problems are not necessarily related.

Can the problem be reproduced?

From a troubleshooting standpoint, the ideal problem is one that can bereproduced. Typically, when a problem can be reproduced you have a larger set oftools or procedures at your disposal to help you investigate. Problems that you canreproduce are often easier to debug and solve.

However, problems that you can reproduce can have a disadvantage: If theproblem is of significant business impact, you do not want it to recur. If possible,

28 IBM Security Identity Manager: Salesforce.com Adapter Installation and Configuration Guide

Page 41: Installation and Configuration Guide · PDF file  Installation and Configuration Guide ...   Installation and Configuration Guide ... For technical training

re-create the problem in a test or development environment, which typically offersyou more flexibility and control during your investigation.v Can the problem be re-created on a test system?v Do multiple users or applications encounter the same type of problem?v Can the problem be re-created by running a single command, a set of

commands, or a particular application?

For information about obtaining support, see Appendix D, “Support information,”on page 47.

Known behaviorsThe following behaviors and limitations are known to exist in the operation of theSalesforce.com Adapter.

Email address change of a Salesforce user

When IBM Security Identity Manager changes an email address for aSalesforce.com account, it updates the email address in its directory store as soonas the request is successfully sent to Salesforce.com. However, the change is notimmediately reflected in Salesforce.com. Salesforce.com requires users to verify theemail address change request at the inbox of the new email address. Therefore, aperiod exists when IBM Security Identity Manager contains the updated emailaddress, while Salesforce.com contains the old email address. During this period,one of these behaviors can occur:

The email address is verified by the user.The email address is synchronized between IBM Security Identity Managerand Salesforce.com. No further action is needed.

The email address is not verified by the user.The email address in IBM Security Identity Manager reverts to the oldemail address at the next reconciliation operation.

The user verifies that the email address after reconciliation occurs.IBM Security Identity Manager reverts to the old email address with thereconciliation operation. Salesforce.com updates IBM Security IdentityManager with the new email address at the next reconciliation operation.

Set up a reconciliation policy with sufficient frequency to help keep emailaddresses consistent between Salesforce.com and IBM Security Identity Manager.

Account deletion from the IBM Security Identity ManagerSalesforce.com Service

Salesforce.com does not delete users. Therefore, the Salesforce.com Adapter marksa user account as Inactive when it receives a request to delete the account fromIBM Security Identity Manager. If a Salesforce.com administrator reactivates a userfrom the Salesforce.com user interface, the user is returned as an orphan account atthe next reconciliation.

Timeout issues

A network socket timeout might occur if the Salesforce.com connector is unable tocomplete a network-related operation with the Salesforce.com server within thetimeout period specified. The timeout period can be affected by many settings:

Chapter 5. Adapter error troubleshooting 29

Page 42: Installation and Configuration Guide · PDF file  Installation and Configuration Guide ...   Installation and Configuration Guide ... For technical training

v Adapter configurationv IBM Security Identity Manager server configurationv Dispatcher configurationv Java VM configurationv Operating system configurationv Network equipment configuration such as switches or firewalls.

Refer to the corresponding documentation for the default settings of the vendors.

To resolve timeout issues that are related to the Salesforce.com Adapter:v Edit the default socket timeout value for the Salesforce.com connector in the

service.def file. Change the SFSocketTimeout value. By default, it is set to 600seconds or 10 minutes. This setting corresponds to the default DispatcherSearchALUnusedTimeout setting. Increase both of these values, if the reconciliationoperation takes longer than 10 minutes. See the Dispatcher documentation forinstructions about setting the SearchALUnusedTimeout value.

v The adapter might timeout when it communicates with Salesforce.com becauseof network issues. To have the connector reestablish a connection to theSalesforce.com server and try the operation again, edit the ITDI_HOME\timsol\etc\reconnect.rules file. Add the line:com.ibm.di.connector.salesforce.SalesforceConnector::com.ibm.di.connector.salesforce.SalesforceConnectorException:reconnect:

The line is a generic rule for the connector to reconnect when any exception isencountered.

Session handling

You might receive an INVALID_SESSION_ID exception that is logged in your TivoliDirectory Integrator logs. When an INVALID_SESSION_ID exception is encountered,the connector automatically tries to establish a new connection to Salesforce.combefore it tries the API call again. Otherwise, a failure might occur because of atimeout in the session.

You can ignore INVALID_SESSION_ID warnings that are followed immediately bylogs that display RECOVERING FROM INVALID SESSION ID.

30 IBM Security Identity Manager: Salesforce.com Adapter Installation and Configuration Guide

Page 43: Installation and Configuration Guide · PDF file  Installation and Configuration Guide ...   Installation and Configuration Guide ... For technical training

Chapter 6. Adapter upgrade

Upgrading the adapter involves tasks, such as upgrading the connector, dispatcher,and the existing adapter profile.

To verify the required version of these adapter components, see the adapter releasenotes.

Connector upgradeBefore you upgrade the connector, verify the version of the connector.v If the connector version is higher or same as the previous version, the installer

installs the new connector.v If the connector version is lower than the existing connector version, the installer

does not install the connector. A message is displayed indicating that no upgradeis required.

Note: Stop the dispatcher service before the upgrading the connector and start itagain after the upgrade is complete.

Profile upgradeRead the adapter Release Notes for any specific instructions before you import anew adapter profile into IBM Security Identity Manager.

See “Importing the adapter profile into the IBM Security Identity Manager server”on page 12.

Note: Restart the dispatcher service after you import the profile. Restarting thedispatcher clears the assembly lines cache and ensures that the dispatcher runs theassembly lines from the updated adapter profile.

© Copyright IBM Corp. 2012, 2013 31

Page 44: Installation and Configuration Guide · PDF file  Installation and Configuration Guide ...   Installation and Configuration Guide ... For technical training

32 IBM Security Identity Manager: Salesforce.com Adapter Installation and Configuration Guide

Page 45: Installation and Configuration Guide · PDF file  Installation and Configuration Guide ...   Installation and Configuration Guide ... For technical training

Chapter 7. Adapter uninstallation

To completely uninstall the Salesforce.com Adapter, do two procedures.1. Uninstall the adapter from Tivoli Directory Integrator server.2. Remove the adapter profile from the IBM Security Identity Manager server.

Uninstalling the adapter from the Tivoli Directory Integrator serverThe Salesforce.com Adapter installation installs the Tivoli Directory IntegratorSalesforce.com connector.

About this task

To uninstall the Dispatcher, see the Dispatcher Installation and Configuration Guide.

Procedure1. Stop the Dispatcher service.2. Remove the SalesforceConnector.jar file from ITDI_HOME/jars/connectors

directory.3. Start the Dispatcher service.

Adapter profile removal from the IBM Security Identity Manager serverBefore you remove the adapter profile, ensure that no objects exist on your IBMSecurity Identity Manager server that reference the adapter profile.

These objects on the IBM Security Identity Manager server that can reference theadapter profile:v Adapter service instancesv Policies referencing an adapter instance or the profilev Accounts

Note: The Dispatcher component must be installed on your system for adapters tofunction correctly in a Tivoli Directory Integrator environment. When you deletethe adapter profile for the Salesforce.com Adapter, do not uninstall the Dispatcher.

For specific information about how to remove the adapter profile, see the onlinehelp or the IBM Security Identity Manager product documentation.

© Copyright IBM Corp. 2012, 2013 33

Page 46: Installation and Configuration Guide · PDF file  Installation and Configuration Guide ...   Installation and Configuration Guide ... For technical training

34 IBM Security Identity Manager: Salesforce.com Adapter Installation and Configuration Guide

Page 47: Installation and Configuration Guide · PDF file  Installation and Configuration Guide ...   Installation and Configuration Guide ... For technical training

Chapter 8. Adapter reinstallation

There are no special considerations for reinstalling the adapter. You are notrequired to remove the adapter before reinstalling.

For more information, see Chapter 6, “Adapter upgrade,” on page 31.

© Copyright IBM Corp. 2012, 2013 35

Page 48: Installation and Configuration Guide · PDF file  Installation and Configuration Guide ...   Installation and Configuration Guide ... For technical training

36 IBM Security Identity Manager: Salesforce.com Adapter Installation and Configuration Guide

Page 49: Installation and Configuration Guide · PDF file  Installation and Configuration Guide ...   Installation and Configuration Guide ... For technical training

Appendix A. Files

You can configure several adapter-specific files that are associated with theSalesforce.com adapter.v “The schema.dsml file”v “CustomLabels.properties file” on page 40

The schema.dsml fileThe schema.dsml file contains all of the attributes that are common to all adapters.This common file also contains IBM Security Identity Manager server attributesthat can be used by any adapter. The schema.dsml file defines all of the classes thatare used by the adapter. The classes are used to declare accounts, services, andsupporting data.

The schema.dsml file defines the attributes and objects that the adapter supportsand uses to communicate with the IBM Security Identity Manager server. Allattributes must be unique. Therefore, they are assigned an object identifier (OID).

The OID is defined with the <object-identifier>...</object-identifier>

The schema.dsml file has the following format:SCHEMA.DSML File<?xml version="1.0" encoding="UTF-8"?><dsml><!-- ******************************************************** --><!-- Schema supported by the Salesforce.com adapter. --><!-- ******************************************************** --><directory-schema> ...<!-- ******************************************************** --><!-- eraSFString1--><!-- ******************************************************** --><attribute-type single-value="true"><name>erSFString1</name><description/><object-identifier>1.3.6.1.4.1.6054.3.162.2.100</object-identifier><syntax>1.3.6.1.4.1.1466.115.121.1.15</syntax></attribute-type><!-- ******************************************************** --><!-- erSFInteger--><!-- ******************************************************** --><attribute-type single-value="true"><name>erSFInteger</name><description/><object-identifier>1.3.6.1.4.1.6054.3.162.2.101</object-identifier><syntax>1.3.6.1.4.1.1466.115.121.1.27</syntax></attribute-type><!-- ******************************************************** --><!-- erSFDate--><!-- ******************************************************** --><attribute-type single-value="true"><name>erSFDate</name><description/><object-identifier>1.3.6.1.4.1.6054.3.162.2.102</object-identifier><syntax>1.3.6.1.4.1.1466.115.121.1.24</syntax></attribute-type><!-- ******************************************************** --><!-- erSFBoolean-->

© Copyright IBM Corp. 2012, 2013 37

Page 50: Installation and Configuration Guide · PDF file  Installation and Configuration Guide ...   Installation and Configuration Guide ... For technical training

<!-- ******************************************************** --><attribute-type single-value="true"><name>erSFBoolean</name><description/><object-identifier>1.3.6.1.4.1.6054.3.162.2.103</object-identifier><syntax>1.3.6.1.4.1.1466.115.121.1.7</syntax></attribute-type><!-- ******************************************************** --><!-- erSFMultiValueString--><!-- ******************************************************** --><attribute-type><name>erSFMultiValueString</name><description>List of string values</description><object-identifier>1.3.6.1.4.1.6054.3.162.2.104</object-identifier><syntax>1.3.6.1.4.1.1466.115.121.1.15</syntax></attribute-type> ...<!-- ******************************************************** --><!-- erSalesforceAccount Class --><!-- ******************************************************** --><class superior="top"><name>erSalesforceAccount</name><description>Class representing a Salesforce account.</description><object-identifier>1.3.6.1.4.1.6054.3.162.1.1</object-identifier> ...<attribute ref="erSFBoolean" required="false"/><attribute ref="erSFDate" required="false"/><attribute ref="erSFInteger" required="false"/><attribute ref="erSFMultiValueString" required="false"/><attribute ref="erSFString1" required="false"/></class> ...</directory-schema></dsml>

Object identifierThe IBM Security Identity Manager server uses LDAP directory services to add,delete, modify, and search IBM Security Identity Manager data. Each data item inan LDAP directory server must have a unique object identifier (OID). Therefore,each attribute and class that is defined in the schema.dsml file in IBM SecurityIdentity Manager has an OID.

OIDs have the following syntax:enterprise ID.product ID.adapter ID.object ID.instance ID

v The enterprise ID is always 1.3.6.1.4.1.6054 for IBM.v The product ID is always 3 because these schema.dsml files are used with

adapters.v The adapter ID is 161 for the Salesforce.com Adapter.v The object ID is 2. An attribute uses 2 as the object ID.v The instance ID is a sequential number of the object.

Attribute definitionBefore you define unique attributes for the adapter, ensure that the attribute doesnot exist in the common schema.dsml file.

The following example defines an attribute:<!-- *********************************************** --><!-- erSampleHome --><!-- *********************************************** --><attribute-type single-value = "true" ><name>erSampleHome</name>

38 IBM Security Identity Manager: Salesforce.com Adapter Installation and Configuration Guide

Page 51: Installation and Configuration Guide · PDF file  Installation and Configuration Guide ...   Installation and Configuration Guide ... For technical training

<description>User home directory</description><object-identifier>1.3.6.1.4.1.6054.3.125.2.100</object-identifier><syntax>1.3.6.1.4.1.1466.115.121.1.15</syntax></attribute-type>

Comment lines are denoted by the <!-- ... --> markers

The attribute type is defined as single-value or multi-value. A single-value attributeis denoted by the line: <attribute-type single-value ="true">. To denote amulti-valued attribute, change the true value to false.

The name of the attribute that is used by the IBM Security Identity Manager serveris defined in the schema. To simplify the tracking of new Salesforce.com adapterattributes, use erSF as the preface for all new attributes.

The description of the attribute is denoted by the line: <description>...</description> tag.

The OID is defined by the <object-identifier>...</object-identifier> tag.Because OIDs are already assigned to the existing, standard attributes, the OID canbe copied from the last attribute in the list. However, the last number must beincremented by one for each new attribute that you add to the schema.dsml file.

The data type is defined with the <syntax>...</syntax> tag. The following tablelists various data types and the value you specify in the syntax tags.

Table 7. Syntax tag data types and values

Data type Value

Bit string 1.3.6.1.4.1.1466.115.121.1.6

Boolean 1.3.6.1.4.1.1466.115.121.1.7

Directory string 1.3.6.1.4.1.1466.115.121.1.15

UTC coded time 1.3.6.1.4.1.1466.115.121.1.24

Integer 1.3.6.1.4.1.1466.115.121.1.27

ClassesAt least one account class and one service class must be defined in the schema.dsmlfile.

Each class requires at least one attribute to identify the class: a name attribute.More attributes might be required depending on the class that is defined.

The following syntax defines a class:<class superior="top"><name> ... </name><description> ... </description><object-identifier> ... </object-identifier><attribute ref = "..." required = "true" /><attribute ref = "..." required = "true" /></class>

To make an attribute optional for a class, change required = "true" to required ="false" in the <attribute ref> tag.

Appendix A. Adapter-specific files 39

Page 52: Installation and Configuration Guide · PDF file  Installation and Configuration Guide ...   Installation and Configuration Guide ... For technical training

An account class defines the attributes that are used to describe an account. Anaccount class must be defined in the schema.dsml file.

The following example defines an account class:<class superior="top" ><name>erSampleAccount</name><description>Sample Account</description><object-identifier>1.3.6.1.4.1.6054.3.125.1.101</object-identifier><attribute ref = "eruid" required = "true" /><attribute ref = "erAccountStatus" required = "false" /><attribute ref = "erSampleGroups" required = "false" /><attribute ref = "erSampleHome" required = "false" /><attribute ref = "erSampleDesc" required = "false" /><attribute ref = "erPassword" required = "false" /></class>

In the preceding example, the class name is erSampleAccount and the onlyrequired attribute is eruid. However, erAccountStatus is a required attribute tosuspend or restore accounts.

CustomLabels.properties fileThe CustomLabels.properties file is a text file that defines the labels on the formfor the adapter.

Use this syntax for the information in the file:attribute=text

where:v attribute is the same attribute that is defined in the schema.dsml file.v text is the label that is on the form in the IBM Security Identity Manager user

interface for the account.

The value of attribute must be in lowercase. This requirement is from the IBMSecurity Identity Manager server.

40 IBM Security Identity Manager: Salesforce.com Adapter Installation and Configuration Guide

Page 53: Installation and Configuration Guide · PDF file  Installation and Configuration Guide ...   Installation and Configuration Guide ... For technical training

Appendix B. Adapter attributes

An adapter provides an interface between a managed resource and the IBMSecurity Identity Manager server.

As part of the adapter implementation, a dedicated account for IBM SecurityIdentity Manager to access the Salesforce.com is created on the Salesforce.com. Theadapter consists of files and directories that are owned by the IBM SecurityIdentity Manager account. These files establish communication with the IBMSecurity Identity Manager server.

Attribute descriptionsThe IBM Security Identity Manager server communicates with the Salesforce.comAdapter with attributes that are included in transmission packets that are sent overa network.

The combination of attributes, included in the packets, depends on the type ofaction that the IBM Security Identity Manager server requests from theSalesforce.com Adapter.

Table 8 is a listing of the attributes that are used by the Salesforce.com Adapter.The table gives a brief description and corresponding values of the attribute.

Use this key for the permissions column.R = Read onlyRW = Add, read, modify, writeAR = Add, Read

Table 8. Attributes for the erSFAccount object class

Attribute name and definition Data typeSingle-valued Permissions Required

erSFaboutMe String Yes RW No

erSFaccountId String Yes R No

erSFalias String Yes RW Yes

erSFcallCenterId String Yes RW No

erSFcity String Yes RW No

erSFcommunityNickname String Yes RW No

erSFcompanyName String Yes RW No

erSFcontactId String Yes RW No

erSFcountry String Yes RW No

erSFcreatedById String Yes R No

erSFcreatedDate Datetime Yes R No

erSFcurrentStatus String Yes RW No

erSFdelegatedApproverId String Yes RW No

erSFdepartment String Yes RW No

erSFdigestFrequency String Yes RW No

erSFdivision String Yes RW No

© Copyright IBM Corp. 2012, 2013 41

Page 54: Installation and Configuration Guide · PDF file  Installation and Configuration Guide ...   Installation and Configuration Guide ... For technical training

Table 8. Attributes for the erSFAccount object class (continued)

Attribute name and definition Data typeSingle-valued Permissions Required

erSFemail String Yes RW Yes

erSFemailEncodingKey String Yes RW Yes

erSFemployeeNumber String Yes RW No

erSFextension String Yes RW No

erSFfax String Yes RW No

erSFfederationIdentifier String Yes RW No

erSFfirstName String Yes RW No

erSFforecastEnabled Boolean Yes RW No

erSFfullPhotoUrl String Yes R No

erSFisActive Boolean Yes RW No

erSFlanguageLocaleKey String Yes RW Yes

erSFlastLoginDate Datetime Yes R No

erSFlastModifiedById String Yes R No

erSFlastModifiedDate Datetime Yes R No

erSFlastName String Yes RW Yes

erSFlastPasswordChangeDate Datetime Yes R No

erSFlocaleSidKey String Yes RW Yes

erSFmanagerId String Yes RW No

erSFmobilePhone String Yes RW No

erSFname String Yes R No

erSFofflinePdaTrialExpirationDate Datetime Yes R No

erSFofflineTrialExpirationDate Datetime Yes R No

erSFphone String Yes RW No

erSFpostalCode String Yes RW No

erSFprofileId String Yes RW Yes

erSFreceivesAdminInfoEmails Boolean Yes RW No

erSFreceivesInfoEmails Boolean Yes RW No

erSFsmallPhotoUrl String Yes R No

erSFstate String Yes RW No

erSFstreet String Yes RW No

erSFsystemModstamp Datetime Yes R No

erSFtimeZoneSidKey String Yes RW Yes

erSFtitle String Yes RW No

erSFuserPermissionsCallCenterAutoLogin Boolean Yes RW No

erSFuserPermissionsInteractionUser Boolean Yes RW No

erSFuserPermissionsKnowledgeUser Boolean Yes RW No

erSFuserPermissionsMarketingUser Boolean Yes RW No

erSFuserPermissionsMobileUser Boolean Yes RW No

erSFuserPermissionsOfflineUser Boolean Yes RW No

42 IBM Security Identity Manager: Salesforce.com Adapter Installation and Configuration Guide

Page 55: Installation and Configuration Guide · PDF file  Installation and Configuration Guide ...   Installation and Configuration Guide ... For technical training

Table 8. Attributes for the erSFAccount object class (continued)

Attribute name and definition Data typeSingle-valued Permissions Required

erSFuserPermissionsSFContentUser Boolean Yes RW No

erSFuserPermissionsSupportUser Boolean Yes RW No

erSFuserPreferencesActivityRemindersPopup Boolean Yes RW No

erSFuserPreferencesApexPagesDeveloperMode Boolean Yes RW No

erSFuserPreferencesDisableAutoSubForFeeds Boolean Yes RW No

erSFuserPreferencesEventRemindersCheckboxDefault Boolean Yes RW No

erSFuserPreferencesReminderSoundOff Boolean Yes RW No

erSFuserPreferencesTaskRemindersCheckboxDefault Boolean Yes RW No

erSFuserRoleId String Yes RW No

erSFuserType String Yes R No

eruid String Yes R Yes

erPassword String Yes RW Yes

erSFuserGroupId String No RW No

Appendix B. Adapter attributes 43

Page 56: Installation and Configuration Guide · PDF file  Installation and Configuration Guide ...   Installation and Configuration Guide ... For technical training

44 IBM Security Identity Manager: Salesforce.com Adapter Installation and Configuration Guide

Page 57: Installation and Configuration Guide · PDF file  Installation and Configuration Guide ...   Installation and Configuration Guide ... For technical training

Appendix C. Definitions for ITDI_HOME and ISIM_HOMEdirectories

ITDI_HOME is the directory where Tivoli Directory Integrator is installed.ISIM_HOME is the directory where IBM Security Identity Manager is installed.

ITDI_HOMEThis directory contains the jars/connectors subdirectory that contains filesfor the adapters.

Windowsdrive\Program Files\IBM\TDI\ITDI_VERSION

For example the path for version 7.1:C:\Program Files\IBM\TDI\V7.1

UNIX/opt/IBM/TDI/ITDI_VERSION

For example the path for version 7.1:/opt/IBM/TDI/V7.1

ISIM_HOMEThis directory is the base directory that contains the IBM Security IdentityManager code, configuration, and documentation.

Windowspath\IBM\isim

UNIXpath/IBM/isim

© Copyright IBM Corp. 2012, 2013 45

Page 58: Installation and Configuration Guide · PDF file  Installation and Configuration Guide ...   Installation and Configuration Guide ... For technical training

46 IBM Security Identity Manager: Salesforce.com Adapter Installation and Configuration Guide

Page 59: Installation and Configuration Guide · PDF file  Installation and Configuration Guide ...   Installation and Configuration Guide ... For technical training

Appendix D. Support information

You have several options to obtain support for IBM products.v “Searching knowledge bases”v “Obtaining a product fix” on page 48v “Contacting IBM Support” on page 48

Searching knowledge basesYou can often find solutions to problems by searching IBM knowledge bases. Youcan optimize your results by using available resources, support tools, and searchmethods.

About this task

You can find useful information by searching the product documentation for IBMSecurity Identity Manager. However, sometimes you must look beyond the productdocumentation to answer your questions or resolve problems.

Procedure

To search knowledge bases for information that you need, use one or more of thefollowing approaches:1. Search for content by using the IBM Support Assistant (ISA).

ISA is a no-charge software serviceability workbench that helps you answerquestions and resolve problems with IBM software products. You can findinstructions for downloading and installing ISA on the ISA website.

2. Find the content that you need by using the IBM Support Portal.The IBM Support Portal is a unified, centralized view of all technical supporttools and information for all IBM systems, software, and services. The IBMSupport Portal lets you access the IBM electronic support portfolio from oneplace. You can tailor the pages to focus on the information and resources thatyou need for problem prevention and faster problem resolution. Familiarizeyourself with the IBM Support Portal by viewing the demo videos(https://www.ibm.com/blogs/SPNA/entry/the_ibm_support_portal_videos)about this tool. These videos introduce you to the IBM Support Portal, exploretroubleshooting and other resources, and demonstrate how you can tailor thepage by moving, adding, and deleting portlets.

3. Search for content about IBM Security Identity Manager by using one of thefollowing additional technical resources:v IBM Security Identity Manager version 6.0 technotes and APARs (problem

reports).v IBM Security Identity Manager Support website.v IBM Redbooks®.v IBM support communities (forums and newsgroups).

4. Search for content by using the IBM masthead search. You can use the IBMmasthead search by typing your search string into the Search field at the top ofany ibm.com® page.

5. Search for content by using any external search engine, such as Google, Yahoo,or Bing. If you use an external search engine, your results are more likely to

© Copyright IBM Corp. 2012, 2013 47

Page 60: Installation and Configuration Guide · PDF file  Installation and Configuration Guide ...   Installation and Configuration Guide ... For technical training

include information that is outside the ibm.com domain. However, sometimesyou can find useful problem-solving information about IBM products innewsgroups, forums, and blogs that are not on ibm.com.

Tip: Include “IBM” and the name of the product in your search if you arelooking for information about an IBM product.

Obtaining a product fixA product fix might be available to resolve your problem.

About this task

You can get fixes by following these steps:

Procedure1. Obtain the tools that are required to get the fix. You can obtain product fixes

from the Fix Central Site. See http://www.ibm.com/support/fixcentral/.2. Determine which fix you need.3. Download the fix. Open the download document and follow the link in the

“Download package” section.4. Apply the fix. Follow the instructions in the “Installation Instructions” section

of the download document.

Contacting IBM SupportIBM Support assists you with product defects, answers FAQs, and helps usersresolve problems with the product.

Before you begin

After trying to find your answer or solution by using other self-help options suchas technotes, you can contact IBM Support. Before contacting IBM Support, yourcompany or organization must have an active IBM software subscription andsupport contract, and you must be authorized to submit problems to IBM. Forinformation about the types of available support, see the Support portfolio topic inthe “Software Support Handbook”.

Procedure

To contact IBM Support about a problem:1. Define the problem, gather background information, and determine the severity

of the problem. For more information, see the Getting IBM support topic in theSoftware Support Handbook.

2. Gather diagnostic information.3. Submit the problem to IBM Support in one of the following ways:

v Using IBM Support Assistant (ISA):Any data that has been collected can be attached to the service request.Using ISA in this way can expedite the analysis and reduce the time toresolution.a. Download and install the ISA tool from the ISA website. See

http://www.ibm.com/software/support/isa/.b. Open ISA.

48 IBM Security Identity Manager: Salesforce.com Adapter Installation and Configuration Guide

Page 61: Installation and Configuration Guide · PDF file  Installation and Configuration Guide ...   Installation and Configuration Guide ... For technical training

c. Click Collection and Send Data.d. Click the Service Requests tab.e. Click Open a New Service Request.

v Online through the IBM Support Portal: You can open, update, and view allof your service requests from the Service Request portlet on the ServiceRequest page.

v By telephone for critical, system down, or severity 1 issues: For the telephonenumber to call in your region, see the Directory of worldwide contacts webpage.

Results

If the problem that you submit is for a software defect or for missing or inaccuratedocumentation, IBM Support creates an Authorized Program Analysis Report(APAR). The APAR describes the problem in detail. Whenever possible, IBMSupport provides a workaround that you can implement until the APAR isresolved and a fix is delivered. IBM publishes resolved APARs on the IBM Supportwebsite daily, so that other users who experience the same problem can benefitfrom the same resolution.

Appendix D. Support information 49

Page 62: Installation and Configuration Guide · PDF file  Installation and Configuration Guide ...   Installation and Configuration Guide ... For technical training

50 IBM Security Identity Manager: Salesforce.com Adapter Installation and Configuration Guide

Page 63: Installation and Configuration Guide · PDF file  Installation and Configuration Guide ...   Installation and Configuration Guide ... For technical training

Appendix E. Accessibility features for IBM Security IdentityManager

Accessibility features help users who have a disability, such as restricted mobilityor limited vision, to use information technology products successfully.

Accessibility features

The following list includes the major accessibility features in IBM Security IdentityManager.v Support for the Freedom Scientific JAWS screen reader applicationv Keyboard-only operationv Interfaces that are commonly used by screen readersv Keys that are discernible by touch but do not activate just by touching themv Industry-standard devices for ports and connectorsv The attachment of alternative input and output devices

The IBM Security Identity Manager library, and its related publications, areaccessible.

Keyboard navigation

This product uses standard Microsoft Windows navigation keys.

Related accessibility information

The following keyboard navigation and accessibility features are available in theform designer:v You can use the tab keys and arrow keys to move between the user interface

controls.v You can use the Home, End, Page Up, and Page Down keys for more

navigation.v You can launch any applet, such as the form designer applet, in a separate

window to enable the Alt+Tab keystroke to toggle between that applet and theweb interface, and also to use more screen workspace. To launch the window,click Launch as a separate window.

v You can change the appearance of applets such as the form designer by usingthemes, which provide high contrast color schemes that help users with visionimpairments to differentiate between controls.

IBM and accessibility

See the IBM Human Ability and Accessibility Center For more information aboutthe commitment that IBM has to accessibility.

© Copyright IBM Corp. 2012, 2013 51

Page 64: Installation and Configuration Guide · PDF file  Installation and Configuration Guide ...   Installation and Configuration Guide ... For technical training

52 IBM Security Identity Manager: Salesforce.com Adapter Installation and Configuration Guide

Page 65: Installation and Configuration Guide · PDF file  Installation and Configuration Guide ...   Installation and Configuration Guide ... For technical training

Notices

This information was developed for products and services offered in the U.S.A.

IBM may not offer the products, services, or features discussed in this document inother countries. Consult your local IBM representative for information on theproducts and services currently available in your area. Any reference to an IBMproduct, program, or service is not intended to state or imply that only that IBMproduct, program, or service may be used. Any functionally equivalent product,program, or service that does not infringe any IBM intellectual property right maybe used instead. However, it is the user's responsibility to evaluate and verify theoperation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matterdescribed in this document. The furnishing of this document does not give youany license to these patents. You can send license inquiries, in writing, to:

IBM Director of LicensingIBM CorporationNorth Castle DriveArmonk, NY 10504-1785 U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBMIntellectual Property Department in your country or send inquiries, in writing, to:

Intellectual Property LicensingLegal and Intellectual Property LawIBM Japan, Ltd.19-21, Nihonbashi-Hakozakicho, Chuo-kuTokyo 103-8510, Japan

The following paragraph does not apply to the United Kingdom or any othercountry where such provisions are inconsistent with local law :

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THISPUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHEREXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIEDWARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESSFOR A PARTICULAR PURPOSE.

Some states do not allow disclaimer of express or implied warranties in certaintransactions, therefore, this statement might not apply to you.

This information could include technical inaccuracies or typographical errors.Changes are periodically made to the information herein; these changes will beincorporated in new editions of the publication. IBM may make improvementsand/or changes in the product(s) and/or the program(s) described in thispublication at any time without notice.

Any references in this information to non-IBM Web sites are provided forconvenience only and do not in any manner serve as an endorsement of those Websites. The materials at those Web sites are not part of the materials for this IBMproduct and use of those Web sites is at your own risk.

© Copyright IBM Corp. 2012, 2013 53

Page 66: Installation and Configuration Guide · PDF file  Installation and Configuration Guide ...   Installation and Configuration Guide ... For technical training

IBM may use or distribute any of the information you supply in any way itbelieves appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purposeof enabling: (i) the exchange of information between independently createdprograms and other programs (including this one) and (ii) the mutual use of theinformation which has been exchanged, should contact:

IBM Corporation2Z4A/10111400 Burnet RoadAustin, TX 78758 U.S.A.

Such information may be available, subject to appropriate terms and conditions,including in some cases payment of a fee.

The licensed program described in this document and all licensed materialavailable for it are provided by IBM under terms of the IBM Customer Agreement,IBM International Program License Agreement or any equivalent agreementbetween us.

Any performance data contained herein was determined in a controlledenvironment. Therefore, the results obtained in other operating environments mayvary significantly. Some measurements may have been made on development-levelsystems and there is no guarantee that these measurements will be the same ongenerally available systems. Furthermore, some measurement may have beenestimated through extrapolation. Actual results may vary. Users of this documentshould verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers ofthose products, their published announcements or other publicly available sources.IBM has not tested those products and cannot confirm the accuracy ofperformance, compatibility or any other claims related to non-IBM products.Questions on the capabilities of non-IBM products should be addressed to thesuppliers of those products.

All statements regarding IBM's future direction or intent are subject to change orwithdrawal without notice, and represent goals and objectives only.

This information contains examples of data and reports used in daily businessoperations. To illustrate them as completely as possible, the examples include thenames of individuals, companies, brands, and products. All of these names arefictitious and any similarity to the names and addresses used by an actual businessenterprise is entirely coincidental.

COPYRIGHT LICENSE:

This information contains sample application programs in source language, whichillustrate programming techniques on various operating platforms. You may copy,modify, and distribute these sample programs in any form without payment toIBM, for the purposes of developing, using, marketing or distributing applicationprograms conforming to the application programming interface for the operatingplatform for which the sample programs are written. These examples have notbeen thoroughly tested under all conditions. IBM, therefore, cannot guarantee orimply reliability, serviceability, or function of these programs. You may copy,modify, and distribute these sample programs in any form without payment to

54 IBM Security Identity Manager: Salesforce.com Adapter Installation and Configuration Guide

Page 67: Installation and Configuration Guide · PDF file  Installation and Configuration Guide ...   Installation and Configuration Guide ... For technical training

IBM for the purposes of developing, using, marketing, or distributing applicationprograms conforming to IBM's application programming interfaces.

Each copy or any portion of these sample programs or any derivative work, mustinclude a copyright notice as follows:

If you are viewing this information softcopy, the photographs and colorillustrations might not appear.

© (your company name) (year). Portions of this code are derived from IBM Corp.Sample Programs. © Copyright IBM Corp. _enter the year or years_. All rightsreserved.

If you are viewing this information in softcopy form, the photographs and colorillustrations might not be displayed.

Trademarks

IBM, the IBM logo, and ibm.com are trademarks or registered trademarks ofInternational Business Machines Corp., registered in many jurisdictions worldwide.Other product and service names might be trademarks of IBM or other companies.A current list of IBM trademarks is available on the Web at "Copyright andtrademark information" at http://www.ibm.com/legal/copytrade.shtml.

Adobe, Acrobat, PostScript and all Adobe-based trademarks are either registeredtrademarks or trademarks of Adobe Systems Incorporated in the United States,other countries, or both.

IT Infrastructure Library is a registered trademark of the Central Computer andTelecommunications Agency which is now part of the Office of GovernmentCommerce.

Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo,Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks orregistered trademarks of Intel Corporation or its subsidiaries in the United Statesand other countries.

Linux is a trademark of Linus Torvalds in the United States, other countries, orboth.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks ofMicrosoft Corporation in the United States, other countries, or both.

ITIL is a registered trademark, and a registered community trademark of the Officeof Government Commerce, and is registered in the U.S. Patent and TrademarkOffice.

UNIX is a registered trademark of The Open Group in the United States and othercountries.

Cell Broadband Engine and Cell/B.E. are trademarks of Sony ComputerEntertainment, Inc., in the United States, other countries, or both and is used underlicense therefrom.

Notices 55

Page 68: Installation and Configuration Guide · PDF file  Installation and Configuration Guide ...   Installation and Configuration Guide ... For technical training

Java and all Java-based trademarks and logos are trademarks or registeredtrademarks of Oracle and/or its affiliates.

Privacy Policy Considerations

IBM Software products, including software as a service solutions, ("SoftwareOfferings") may use cookies or other technologies to collect product usageinformation, to help improve the end user experience, and to tailor interactionswith the end user or for other purposes. In many cases, no personally identifiableinformation is collected by the Software Offerings. Some of our Software Offeringscan help enable you to collect personally identifiable information. If this SoftwareOffering uses cookies to collect personally identifiable information, specificinformation about this offering’s use of cookies is set forth below.

This Software Offering does not use cookies or other technologies to collectpersonally identifiable information.

If the configurations deployed for this Software Offering provide you as customerthe ability to collect personally identifiable information from end users via cookiesand other technologies, you should seek your own legal advice about any lawsapplicable to such data collection, including any requirements for notice andconsent.

For more information about the use of various technologies, including cookies, forthese purposes, see IBM's Privacy Policy at http://www.ibm.com/privacy andIBM’s Online Privacy Statement at http://www.ibm.com/privacy/details/us/ensections entitled "Cookies, Web Beacons and Other Technologies and SoftwareProducts and Software-as-a Service".

56 IBM Security Identity Manager: Salesforce.com Adapter Installation and Configuration Guide

Page 69: Installation and Configuration Guide · PDF file  Installation and Configuration Guide ...   Installation and Configuration Guide ... For technical training

Index

Aaccessibility x, 51adapter

attributesdescriptions 41

configuration 19features 1installation 9installation worksheet 7installing 10supported configurations 2uninstall 33

adapter configuration 19adapter form

modifying 23adapter installation 9

troubleshooting errors 27verifying 11warnings 27

adapter overview 1adapter profile

importing 12upgrading 12verifying 13

attributeclasses 39

attributescustomizing 19defining 38definitions

attributes 38descriptions 41installing on server 23modifying the adapter form 23names and descriptions 41object identifier 38

Bbehaviors 29

Cclasses

attributes 39configuring

adapter 19connector

prerequisites 6connectors

upgrading 31creating

services 14custom attributes

modifyingCustomLabels.properties 22

updating schema.dsml file 22customizing attributes 19CustomLabels.properties 40

modifying 22

Ddispatcher installation

verifying 9download, software 7

Eeducation x

Ffiles

CustomLabels.properties 22, 40JAR 23SalesforceProfile.jar 20schema.dsml 22, 37

IIBM

Software Support xSupport Assistant x

IBM Support Assistant 48installation

adapter 9, 10adapter profile 12language pack 25road map 5uninstall 33verify 11verify dispatcher 9worksheet 7

ISA 48ISIM_HOME definition 45ITDI_HOME definition 45

JJAR files

creating 23extracting files 20

Kknowledge bases 47known behaviors 29

Llanguage pack

installation 25same for adapters and server 25

logs, trace.log file 12

MMS-DOS ASCII characters 23

Nnotices 53

Oobject identifier 38OID 38online

publications ixterminology ix

operating system prerequisites 6overview

adapter 1

Ppreinstallation

road map 5prerequisites

connector 6problem-determination xprofile

editing on UNIX or Linux 23publications

accessing online ixlist of ix

Rrequirements

connector 6restoring users 13RMI dispatcher 1road maps

installation 5preinatallation 5

Ssalesforce SSL certificate

exporting 9importing 9

schema.dsml 37updating 22

Security directory integrator connector 1service

creating 14restart 11start 11stop 11

softwaredownload 7website 7

software requirements 6SSL certificate

salesforce 9support contact information 48supported configurations

adapter 2

© Copyright IBM Corp. 2012, 2013 57

Page 70: Installation and Configuration Guide · PDF file  Installation and Configuration Guide ...   Installation and Configuration Guide ... For technical training

supported configurations (continued)overview 2

suspending users 13

Tterminology ixtrace.log file 12training xtroubleshooting

contacting support 48getting fixes 48identifying problems 27known behaviors 29searching knowledge bases 47support website xtechniques for 27

troubleshooting and supporttroubleshooting techniques 27

Uuninstallation 33uninstalling the adapter 33upgrade

connectors 31

Vverification

operating system prerequisites 6operating system requirements 6software prerequisites 6software requirements 6

verifying the installation 25vi command 23

58 IBM Security Identity Manager: Salesforce.com Adapter Installation and Configuration Guide

Page 71: Installation and Configuration Guide · PDF file  Installation and Configuration Guide ...   Installation and Configuration Guide ... For technical training
Page 72: Installation and Configuration Guide · PDF file  Installation and Configuration Guide ...   Installation and Configuration Guide ... For technical training

����

Printed in USA

SC27-4413-03