IBM Security Verify Governance Adapter v 10.0.12 for Microsoft Azure Active Directory is available. Compatibility, installation, and other getting-started issues are addressed.
Copyright International Business Machines Corporation 2022, 2023. All rights reserved.
US Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Welcome to the IBM Security Verify Governance Adapter for Microsoft Azure AD.
Microsoft Azure Active Directory Adapter Installation and Configuration Guide for IGI
The Microsoft Azure AD Adapter is designed to create and manage User Accounts on the Microsoft Azure AD domain. The adapter runs in "agentless" mode and communicates using the Graph API to the Microsoft Azure Domain being managed.
The IBM Security Verify Governance Adapters are powerful tools that require Administrator Level authority. Adapters operate much like a human system administrator, creating accounts, permissions and home directories. Operations requested from the IBM Security Verify Identity server, IBM Security Verify Privilege Vault, and IBM Security Verify Governance server will fail if the Adapter is not given sufficient authority to perform the requested task.
Review and agree to the terms of the IBM Security Verify Governance Adapter License prior to using this product. The license can be viewed from the "license" folder included in the product package.
Adapter Version
Component | Version
Build Date | 2024 April 19 18.46.41
Adapter Version | 10.0.12
Component Versions | Adapter build: 10.0.12.66; Profile: 10.0.12.66; Connector: 10.0.12.66; Dispatcher 7.1.39 or higher (packaged separately)
Documentation | The following guides will be made available in the IBM Knowledge Center: Microsoft Azure Active Directory Adapter Installation and Configuration Guide
New Features
Internal # | Enhancement # (RFE / IDEA) | Description
Items included in 10.0.12 current release
SVGAD-2030 | ISIM-I-5036 | Azure Adapter should support custom and inactive roles
SVGAD-2089 | | Properties file update for additional attributes. Additional attributes of the Azure Adapter must be listed under the additionalAttributes key, as shown below:
additionalAttributes=createdDateTime,ageGroup,businessPhones,companyName,consentProvidedForMinor,creationType,employeeHireDate,employeeId,employeeType,legalAgeGroupClassification,lastPasswordChangeDateTime,onPremisesDistinguishedName,onPremisesDomainName,onPremisesImmutableId,onPremisesLastSyncDateTime,onPremisesSamAccountName,onPremisesSecurityIdentifier,onPremisesSyncEnabled,onPremisesUserPrincipalName,passwordPolicies,preferredDataLocation,proxyAddresses,securityIdentifier,signInSessionsValidFromDateTime,imAddresses,provisionedPlans,licenseAssignmentStates,assignedPlans,onPremisesProvisioningErrors,deletedDateTime,signInActivity,division,costCenter,refreshTokensValidFromDateTime,employeeLeaveDateTime,employeeOrgData,manager,manager_FULLSUPPORT
Items included in 10.0.11 release |
||
|
|
|
|
|
|
|
|
|
Items included in 10.0.10 release |
||
SVGAD-174 |
|
|
SVGAD-187 |
Added Support for Additional On-Premises Group Attributes. |
|
Items included in 10.0.9 release |
||
|
|
Azure - Adapter refresh and Guest account support |
Items included in 10.0.8 release |
||
|
|
Support has been added for a number of additional attributes which can be included or excluded by updating a configuration file. For more information regarding the attributes that are now available to be included/excluded and the configuration file specification see Chapter 3 and Chapter 7 of the updates to the installation and configuration guide paragraph. |
|
Items included in 10.0.7 release |
|
|
None |
|
|
Items included in 10.0.6 release |
|
|
None |
|
|
Items included in 10.0.5 release
|
|
None |
||
|
Items included in 10.0.4 release
|
|
None |
||
|
Items included in 10.0.3 release
|
|
None |
||
|
Items included in 10.0.2 release
|
|
None |
||
|
Items included in 10.0.1 release
|
|
|
None |
|
|
Items included in 7.1.9 release
|
|
|
None |
|
|
Items included in 7.1.8 release |
|
|
None |
|
|
Items included in 7.1.7 release
|
|
|
None |
|
|
Items included in 7.1.6 release |
|
|
167913 |
Azure Roles and Azure Licenses appear as Service Groups.
|
|
Items included in 7.1.5 release |
|
|
154049 |
Roles are dynamically populated for the given tenant via the API when creating or modifying a user.
|
|
Items included in 7.1.4 release |
|
|
Add support for IGI 5.2.2
|
|
|
Items included in 7.0.3 release |
|
|
136762 |
Added Configurable parameter to specify the Recon Page Size in Service Form
|
|
Items included in 7.0.2 release |
|
|
131874 |
Upgraded to Graph API version 1.6, support to the latest version provided by Microsoft.
|
|
Items included in 7.0.1 release |
|
|
Initial Release.
|
Closed Issues
Internal# |
APAR# / Case# |
Description |
|
|
|
Bug 4291 / SVGAD-1980 |
TS014785408 APAR: DT257601 |
Azure Adapter is running very slow. Performance enhancement of Full Recon. This fix provides support for endsWithFilter on eruid (User Principal Name) only, which is also part of the performance enhancement. Microsoft documentation for filters: https://learn.microsoft.com/en-us/graph/filter-query-parameter?tabs=http. EndsWithFilter reconciliation returns filtered user data. (The * must be in the first position only, as in the examples given.)
EndsWithFilter examples: (eruid=*@ibm.com) or (eruid=*abc@ibm.com) or (eruid=*@consultant.ibm.com)
endsWithFilter with eruid will not work on the API in the following cases:
1. More than one * in the filter.
2. The * does not appear in the first position, as in (eruid=abc*@ibm.com). |
|
|
|
|
|
|
|
|
|
|
|
|
|
TS011850962 |
|
|
TS013089169 |
|
SVGAD-345 |
|
|
|
|
|
SVGAD-214 |
TS012598809 |
User Type Attribute support has been provided |
SVGAD-202 |
|
AzureAD password change request is not a password change request |
SVGAD-255 |
|
|
SVGAD-204 |
|
|
Bug 3932 SVGAD-189 |
|
|
|
|
|
Bug 4036 |
TS012022819 |
ISVG - Azure connector moving to Stop with no reason |
Bug 3999 |
TS011223164 |
SVG 10 AZURE connector takes long time to Sync |
|
Items closed in 10.0.7 release
|
|
Bug 4058 |
TS012182768 |
Azure group members are missing in ISIM for few Azure AD groups. |
Bug 4048 RTC-191370 SVGAD-94 |
|
Adapter Azure AD - Problem Reconciliation |
Bug 3877 RTC-190922
|
|
Azure Adapter not retrieving more than 100 role or group memberships |
Bug 3798
|
|
Azure adapter |
Bug 4001 RTC-191165
|
|
SVG10 Azure 10.0.4 does not syncing one entry |
Bug 3849 RTC-190671
|
|
Azure recon filter fails |
|
Items closed in 10.0.6 release
|
|
RTC 191023 |
TS010589688 |
ISVG Microsoft cloud based adapters documentation clarification |
RTC 190548 |
ISIM 6.0 Microsoft Azure AD Adapter 6.0.9 - Customer questions |
|
|
Items closed in 10.0.5 release
|
|
RTC 190671 Bug 3849 |
TS009152967 |
Azure recon filter fail |
RTC 190673 Bug 3881 |
TS009629523 |
Reconcile Azure groups does not work correctly |
|
Items closed in 10.0.4 release
|
|
RTC 190567 Bug 3791 |
TS008284489 |
DN value too large when synching reconciled Azure AD groups to database |
RTC 190589 Bug 3828 |
TS009154416 |
Azure User and Group connector: connector config parameter "Application Key" is wrongly referenced |
RTC 190585 Bug 3830 |
TS009154081 |
Azure adapter full reconciliation does not return all account attributes |
|
Items closed in 10.0.3 release
|
|
Bug 3742 |
TS008090689 |
Strange behavior while reconciling accounts |
Bug 3748 |
TS008239362 |
Azure AD adapter update on user mail attribute |
Bug 3747 |
TS008340486 |
Azure AD Adapter Chinese Language Code is incorrect |
|
Items closed in 10.0.2 release
|
|
RTC-189750 Bug 3556 |
APAR IJ34789 TS005863375 |
Azure Adapter - Issues with the Azure AD Connector in ISIM |
|
Items closed in 10.0.1 release
|
|
RTC-187877 Bug 3343 |
APAR IJ28198 TS004183133 |
Azure Adapter - Token is not auto-regenerated on expiration |
|
Items closed in 7.1.9 release
|
|
RTC 186401 Bug 3159 |
APAR IJ22880 TS003347193 |
Azure adapter - Multivalued support for Administrator Role Membership attribute - erazureroleoid |
|
Items closed in 7.1.8 release
|
|
Bug 3063 |
|
Azure AD Adapter error during Change Log Sync operation |
Bug 3088 |
|
Adazure recon filter causes odata.error":{"code":"Request_BadRequest"} |
|
Items closed in 7.1.7 release
|
|
RTC 181613
|
Facing issue while performing Change Password operation for Azure adapter on IGI 5.2.5. |
|
Internal-RTC 181729
|
Internal D - As an Azure Developer, I must ensure that the adapter should create User in Active state when request is from IGI |
|
RTC 179378
|
APAR IJ09099, Bugz 2710 |
D - As an Azure adapter developer, I must ensure that the adapter sends back correct error message when user does not exist during a delete operation |
Internal- RTC 181519
|
Azure adapter Profile change for IGI 5.2.5 - eruid target attribute should be mapped to CODE governance attribute by default
|
|
|
Items closed in 7.1.5 release
|
|
154049 |
The 'directoryRoles' segment is used to manage roles instead of 'roles' and objectId to reference roles. This is due to a change in Microsoft API.
|
|
154150 |
52088,800,624/RTC 47191 |
The license removal needs an explicit call to remove the SKU in case no service plans are enabled. This is due to a change in Microsoft API.
|
|
Items closed in 7.1.4 release
|
|
|
Initial Release compliant with IGI 5.2.2
|
|
|
Items closed in 7.0.3 release
|
|
135407 |
App Key masked in the debug logs
|
|
136311 |
License deprovisioning fixed. Only the licenses which are enabled and applicable to User are allowed.
|
|
139239 |
ObjectId changed to roleTemplateId due to change in Microsoft API response
|
|
|
Items closed in 7.0.2 release
|
|
132799 |
The App key is hidden in service form. The attribute "erazureappkey" is added in password.attributes list in enRole.properties in <ISIM_HOME>/data directory.
|
|
|
Items closed in 7.0.1 release
|
|
|
Initial Release.
|
Known Limitations
Internal# |
APAR# / PMR# |
Description |
N/A |
N/A |
Attributes that require a SharePoint Online (SPO) license are not supported in the release of the adapter.
|
N/A |
N/A |
Attributes and/or operations that are not supported in the production version of Microsoft Graph API are not supported in the adapter.
|
N/A |
N/A |
Currently, we don't support "Directory (Azure AD) extensions" attributes, also called custom attributes, indicated in this document:
|
N/A
|
N/A
|
The adapter doesn't support deletion of all mails in otherMails attribute in case of ISVG.
|
N/A
|
N/A
|
The adapter supports each user enrolling in 999 groups and in 999 roles.
|
N/A |
N/A |
The adapter does not support case insensitive filter search with (eruid=username@domainname.com). This is a known issue with the Dispatcher which does filtering during reconciliation. Exact user name will need to be used during filter recon until this issue is fixed in the Dispatcher.
|
N/A |
N/A |
The adapter does not support duplicated Group Display Name.
|
N/A |
N/A |
The adapter does not support change of Group Name. This is a limitation of the IBM Security Verify Identity. Attempting to change the Group Name will result in the following error: " CTGIMI046E You cannot change the value of the attribute that is mapped to ergroupname."
|
N/A |
N/A |
The adapter does not support setting the group attribute 'mailNickName'. This is a limitation of the Windows Azure Active Directory Graph API. The API only accepts 'BposMailNickName' as the value for this attribute during group creation. Any other value will result in the following error: "Invalid value specified for property 'mailNickname' of resource 'Group'".
|
N/A |
N/A |
The service principal that represents the adapter service must be in an administrator role that has permissions to modify role objects to send POST or DELETE requests. It must be in a role that has permissions to read role objects to send GET requests. For more information about administrator roles in Windows Azure AD Graph, see Windows Azure AD Graph and Role-Based Access Control. http://msdn.microsoft.com/en-us/library/azure/dn385717.aspx
|
N/A |
N/A |
Microsoft has a limitation that user accounts cannot be added or modified in a federated domain from an on-premise Dir Sync Active Directory, which is not the default domain. Provisioning of users in such domain can be done by using the AD adapter and then syncing it back to the Azure Directory using the Microsoft DirSync tool.
|
N/A |
N/A |
The "Enable detailed TDI debugging" on the Service Form has been removed from 7.0.2 release due to security reasons. Instead, "DEBUG" in the ITDI log4j.properties file is to be used to enable extra debug logging.
|
N/A |
N/A |
Only the license and service plans that are enabled for provisioning and are applicable at the user level, are available for provisioning using the adapter. Company wide licenses are not supported.
|
N/A |
N/A |
User Principal Name is a read-write attribute. Updating User Principal Name from the target is not recommended, because after reconciliation a new user is created and you must manually associate that user again. Always prefer to update User Principal Name from ISIM/IGI to maintain consistency.
|
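The endsWith rules from the 10.0.12 closed issue (Bug 4291 / SVGAD-1980) and the case-sensitive exact-match limitation above can be checked before a filtered reconciliation is scheduled. The Python code below is an added example, not IBM adapter code: the function names are hypothetical, and the Graph request it builds (endsWith on userPrincipalName with $count=true and the ConsistencyLevel: eventual header, which Microsoft documents for advanced queries) is an assumed equivalent query, not the request the adapter itself sends.

```python
import re
from urllib.parse import quote, urlencode

# A single (eruid=...) term only; compound LDAP filters are out of scope here.
_ERUID_TERM = re.compile(r"^\(eruid=([^()]+)\)$")


def classify_eruid_filter(recon_filter):
    """Return (kind, detail); kind is 'endswith', 'exact' or 'unsupported'."""
    match = _ERUID_TERM.match(recon_filter.strip())
    if not match:
        return ("unsupported", "not a single (eruid=...) term")
    value = match.group(1)
    stars = value.count("*")
    if stars == 0:
        # Exact match: per the known limitation this comparison is case
        # sensitive, so the value must be the exact user name.
        return ("exact", value)
    if stars > 1:
        return ("unsupported", "more than one * in the filter")
    if not value.startswith("*"):
        return ("unsupported", "* is not in the first position")
    if value == "*":
        return ("unsupported", "no suffix after *; not an endsWith filter")
    return ("endswith", value[1:])


def graph_endswith_request(suffix):
    """Build an equivalent Graph query (assumption, see lead-in)."""
    # OData string literals escape a single quote by doubling it; without
    # this a suffix containing ' could change the filter expression.
    literal = suffix.replace("'", "''")
    params = {
        "$filter": f"endsWith(userPrincipalName,'{literal}')",
        "$count": "true",  # required together with ConsistencyLevel
    }
    url = "https://graph.microsoft.com/v1.0/users?" + urlencode(
        params, quote_via=quote, safe="$(),'"
    )
    return url, {"ConsistencyLevel": "eventual"}


if __name__ == "__main__":
    # Filters taken from the examples in these release notes.
    for f in ("(eruid=*@ibm.com)", "(eruid=*abc@ibm.com)",
              "(eruid=abc*@ibm.com)", "(eruid=username@domainname.com)"):
        kind, detail = classify_eruid_filter(f)
        print(f"{f:35} {kind:12} {detail}")
        if kind == "endswith":
            print("   ", graph_endswith_request(detail)[0])
```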
See the IBM Security Verify Governance Adapter Installation and Configuration Guide for detailed instructions.
Supported API
Now supporting Graph API.
Corrections to Installation Guide:
Chapter 1: Overview
-> Features of the adapter
(Modify the section by adding the point below and a note.)
- Create, modify, suspend, restore, change password, and delete a user and guest user.
- Sending guest account invitations.
Note: See https://www.ibm.com/docs/en/svgaa?topic=reference-adapter-attributes-by-operations for more details on guest account creation and operations related to it.
Chapter 2: Planning
-> Prerequisites
Directory Integrator:
Update the description as below:
IBM Security Directory Integrator, consult the release notes for the currently supported versions
Chapter 3: Installing
-> Installing ILMT-Tags File
(Please add new section "Installing ILMT-Tags" File under the section Installing > Installing ILMT-Tags in install guide.)
Before you begin:
- The Dispatcher must be installed
Procedure:
Copy the files in the ILMT-Tags folder to the specified location:
1. Windows: <SDI-HOME>/swidtag
2. Unix/Linux: <SDI-HOME>/swidtag
-> Installing in the Verify Governance Virtual Appliance
(Please add this new section in the knowledge centre (under Installing > Installing in the Verify Governance Virtual Appliance) for the Azure AD Adapter to describe the installation procedure of the adapter in the Verify Governance Virtual Appliance: https://www.ibm.com/docs/en/svgaa?topic=ldap-installing-in-virtual-appliance. Please add the note below as well after adding the description.)
Note: While uploading the adapter package, you may receive "System Error: A file included in the SDI Adapter zip already exists on the system", and the Server Message log under the Appliance tab of the VA will contain a reference to the error "com.ibm.identity.sdi.SDIManagementService E File ibm.com_IBM_Security_Verify_Governance_xxxx.swidtag found in the adapter zip at location ILMT-Tags/ already exists in system". This is because the same swidtags can be installed only once. So, if another adapter of the same type is installed, remove the swidtags.
The ibm.com_IBM_Security_Verify_Governance_Enterprise-xxxx.swidtag file is common to all adapters. In addition to the common swidtag file, an application adapter needs the ibm.com_IBM_Security_Verify_Governance_Application_Adapters-xxxx.swidtag file, and an infra adapter needs the ibm.com_IBM_Security_Verify_Governance_Lifecycle-xxxx.swidtag and ibm.com_IBM_Security_Verify_Governance_Compliance-xxxx.swidtag files. So, if an application adapter is already installed and this is an infra adapter, then only install the infra-specific swidtags, and the other way around. Please visit the IBM Security Verify Governance Adapters v10.x link to identify the adapter type of the installed adapters.
-> (Update sub-section "Service/Target form details" of "Installing" section and add below content.)
(in Installing > Service/Target form details > Complete the service/target form fields > Azure Active Directory Domain Details)
Configuration File Path
Specify the location of the .properties file containing the additional attributes that the adapter must support. (See "Configuration for additional attributes")
Select Groups to Sync
Choose an option to sync groups: (Default) Fetch Only Azure AD Groups or Fetch Azure AD and Active Directory Groups
(Default) Fetch Only Azure AD Groups: By default the adapter fetches only Azure AD (cloud) groups.
Fetch Azure AD and Active Directory Groups: Syncs all groups (cloud groups and on-premises groups) from Azure AD. (Only if ISVG and Identity Manager are in a hybrid AD/Azure AD environment with AD Sync synchronization enabled.)
-> (Add the below sub-section under Installing section: "Configuration for additional attributes")
-> Configuration for additional attributes
The AzureAD adapter is configured to support all the standard user account attributes provided by the Azure. Since collecting additional attributes during reconciliation might have a negative impact on performance, support for additional attributes can be activated using a configuration file. This file must include the additional attributes that are required by your organization.
The additional attributes that are currently supported need to be added to the configuration file.
==> Follow the below steps to set up and configure the path of the Additional Attribute file:
(A sample AzureAd-Attributes.properties file, in which all the supported additional attributes are specified, is available in the adapter package.)
1) In the Adapter Connector/Service form details you can find Configuration File Path.
2) Specify the file location in the configuration file path. (e.g. C:\Program Files\IBM\TDI\V7.2\timsol\properties\AzureAD-Attributes.properties)
- The file must be in .properties format (Follow steps of setting up the AzureAD-Attributes.properties file).
- The file must be located in the same machine where the dispatcher is running. (e.g. <SDI_Solution_Directory>\properties\AzureAD-Attributes.properties)
- You must provide the full path of the file in the "Configuration File Path" section of the service form. See "Service/Target form details"
3) Restart dispatcher service.
4) Perform reconciliation.
==> Notes of Additional Attribute Configuration file:
- The Additional Attributes Configuration file (AzureAD-Attributes.properties) must be a list of comma separated values.
- Attribute names are case sensitive.
- A warning message will be generated in the SDI log for attributes that can't be processed
- If you try to modify any Additional Attributes and the execution of operation returns success, but the attribute is not actually modified at the target, then verify if this attribute exists in the additional attribute configuration file, and the name matches the name as provided in the "Additional User Attributes" table.
- If you update the contents of the configuration file, then it is required to restart the dispatcher and perform a reconciliation.
- Sample File Data (Ex: You can provide attribute in a file in the below way and attributes can be included or excluded as needed.)
additionalAttributes=createdDateTime,ageGroup,businessPhones,companyName,consentProvidedForMinor,creationType,employeeHireDate,employeeId,employeeType,legalAgeGroupClassification,lastPasswordChangeDateTime,onPremisesDistinguishedName,onPremisesDomainName,onPremisesImmutableId,onPremisesLastSyncDateTime,onPremisesSamAccountName,onPremisesSecurityIdentifier,onPremisesSyncEnabled,onPremisesUserPrincipalName,passwordPolicies,preferredDataLocation,proxyAddresses,securityIdentifier,signInSessionsValidFromDateTime,imAddresses,provisionedPlans,licenseAssignmentStates,assignedPlans,onPremisesProvisioningErrors,deletedDateTime,signInActivity,division,costCenter,refreshTokensValidFromDateTime,employeeLeaveDateTime,employeeOrgData,manager,manager_FULLSUPPORT
- On-premises attributes:
1) onPremisesDistinguishedName: Contains the on-premises Active Directory distinguished name or DN.
2) onPremisesDomainName: Contains the on-premises domainFQDN, also called dnsDomainName, synchronized from the on-premises directory.
3) onPremisesImmutableId: This property is used to associate an on-premises Active Directory user account to their Azure AD user object.
4) onPremisesLastSyncDateTime: Indicates the last time at which the object was synced with the on-premises directory.
5) onPremisesSamAccountName: Contains the on-premises samAccountName synchronized from the on-premises directory.
6) onPremisesSecurityIdentifier: Contains the on-premises security identifier (SID) for the user that was synchronized from on-premises to the cloud.
7) onPremisesSyncEnabled: True if this user object is currently being synced from an on-premises Active Directory (AD). Otherwise the user isn't being synced and can be managed in Azure Active Directory.
8) onPremisesUserPrincipalName: Contains the on-premises userPrincipalName synchronized from the on-premises directory.
- ageGroup and consentProvidedForMinor are optional properties used by Azure AD administrators to help ensure the use of an account is handled correctly based on the age-related regulatory rules governing the user's country or region.
- The values of some attributes depend on other attributes, so after you update such attributes, perform a reconciliation to fetch the dependent attribute values.
legalAgeGroupClassification: This property is read-only and calculated based on the ageGroup and consentProvidedForMinor properties.
- manager: This property does not support full reconciliation.
- manager_FULLSUPPORT: To enable full reconciliation of manager, use this property in the additional attribute configuration file.
- For SignIn Activity attributes (Last Interactive Sign In Date and Time, Request Identifier of the Last Interactive Sign In, Last Non Interactive Sign In Date and Time, Request Identifier of the Last Non Interactive Sign In): getting details for this property requires an Azure AD Premium P1/P2 license and the AuditLog.Read.All permission.
- Note: In IBM Security Verify Identity Manager (ISIM), for the Employee Leave Date Time and Employee Hire Date Time attributes, if the date and time values are empty, the "never" check box is enabled by default.
- Note: If you are using the Employee Hire Date attribute from previous versions of the Azure AD Adapter (v10.0.8 and v10.0.9) in IBM Security Verify Governance (IGI), follow the steps below to get the Employee Hire Date in the proper format:
1) Open Access Governance Core option > select Account Configurations > Target Attributes, select the Employee Hire Date attribute, remove it and save.
2) Then import the profile jar of the latest Azure AD adapter version, v10.0.10.
3) Open Access Governance Core option > select Account Configurations > Target Attributes, then do Discover Account attributes from Target and add the Employee Hire Date attribute.
- The following attributes are not included because they require various licenses, and a few are only in the beta Graph APIs:
aboutMe - require a SPO license.
birthday - require a SPO license.
hireDate - require a SPO license.
interests - require a SPO license.
mailboxSettings - require a M365 License.
mySite - require a SPO license.
pastProjects - require a SPO license.
preferredName - require a SPO license.
responsibilities - require a SPO license.
schools - require a SPO license.
skills - require a SPO license.
showInAddressList - Do not use in Microsoft Graph. Manage this property through the Microsoft 365 admin centre instead.
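One way to catch the mistakes these notes warn about (wrong case, names the adapter does not include, missing license prerequisites) before restarting the Dispatcher is to lint the file first. The Python code below is an added example, not part of the adapter package; the function names and the sample file content are constructed, and the two attribute lists are copied from this page.

```python
# Names copied from the sample additionalAttributes line on this page.
SUPPORTED = frozenset("""
createdDateTime ageGroup businessPhones companyName consentProvidedForMinor
creationType employeeHireDate employeeId employeeType legalAgeGroupClassification
lastPasswordChangeDateTime onPremisesDistinguishedName onPremisesDomainName
onPremisesImmutableId onPremisesLastSyncDateTime onPremisesSamAccountName
onPremisesSecurityIdentifier onPremisesSyncEnabled onPremisesUserPrincipalName
passwordPolicies preferredDataLocation proxyAddresses securityIdentifier
signInSessionsValidFromDateTime imAddresses provisionedPlans licenseAssignmentStates
assignedPlans onPremisesProvisioningErrors deletedDateTime signInActivity division
costCenter refreshTokensValidFromDateTime employeeLeaveDateTime employeeOrgData
manager manager_FULLSUPPORT
""".split())

# Attributes the notes list as not included (license or beta-only API).
NOT_INCLUDED = frozenset("""
aboutMe birthday hireDate interests mailboxSettings mySite pastProjects
preferredName responsibilities schools skills showInAddressList
""".split())

KEY = "additionalAttributes"


def read_properties(text):
    # Minimal .properties reader: '#'/'!' comments, key=value or key:value,
    # and a trailing backslash that continues the logical line.
    props, pending = {}, ""
    for raw in text.splitlines() + [""]:
        line = pending + raw.lstrip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        for i, ch in enumerate(line):
            if ch in "=:":
                props[line[:i].strip()] = line[i + 1:].strip()
                break
    return props


def lint(text):
    """Return a list of (severity, attribute, message) findings."""
    props = read_properties(text)
    if KEY not in props:
        near = [k for k in props if k.lower() == KEY.lower()]
        hint = f"; found '{near[0]}' (property keys are case sensitive)" if near else ""
        return [("error", KEY, f"key '{KEY}' is missing{hint}")]
    by_lower = {a.lower(): a for a in SUPPORTED}
    excluded_lower = {a.lower() for a in NOT_INCLUDED}
    findings, seen = [], set()
    for name in (n.strip() for n in props[KEY].split(",")):
        if not name:
            findings.append(("warn", "", "empty entry (stray comma)"))
        elif name in seen:
            findings.append(("warn", name, "duplicate entry"))
        elif name in SUPPORTED:
            pass
        elif name.lower() in by_lower:
            findings.append(("error", name,
                             f"case mismatch, use '{by_lower[name.lower()]}'"))
        elif name.lower() in excluded_lower:
            findings.append(("error", name,
                             "listed in the notes as not included in the adapter"))
        else:
            findings.append(("error", name,
                             "not in the supported additional-attribute list"))
        seen.add(name)
    if "signInActivity" in seen:
        findings.append(("info", "signInActivity",
                         "needs Azure AD Premium P1/P2 and AuditLog.Read.All"))
    if "manager" in seen and "manager_FULLSUPPORT" not in seen:
        findings.append(("info", "manager",
                         "no full reconciliation without manager_FULLSUPPORT"))
    return findings


# Constructed sample, not a file from the adapter package.
SAMPLE = """# constructed sample
additionalAttributes=createdDateTime,employeeid,signInActivity,manager,birthday,\\
    companyName,,costCentre
"""

if __name__ == "__main__":
    for severity, attr, message in lint(SAMPLE):
        print(f"{severity:5} {attr or '-':16} {message}")
```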
==>
Steps to update design form in IGI:
- Select Access Governance Core > manage > Account Configuration.
- Select AzureAD adapter Account you created.
- Select on Target Attributes > action > Discover Attributes from Target > Select only attributes you want to process (Only those attributes will be processed - this is applicable to additional attributes only.).
- Update Editable to false for read only attributes.
- Click Save.
- Make sure to include this list of attributes in the Attribute Additional file.
==>
Steps to update Design form in ISIM:
- Select Configure System > Design Forms
- Configure the form and include the additional attributes that you want to include and/or remove unneeded attributes. (Account > Azure Account > $erazureadditionaldetails)
- Click Save.
- Make sure to include this list of attributes in the Attribute Additional file.
-> Upgrading the adapter binaries or connector
(Please update the "Upgrading the adapter binaries or connector" section at Installing > Upgrading the adapter binaries or connector)
- Take backup of adapter binaries or connector
Procedure:
Take backup of below files before performing upgrade.
If AzureADConnector.jar exists then take a backup of it.
<SDI-HOME>/jars/connectors/AzureADConnector.jar.
If Microsoft365Connector.jar exists then take a backup of it.
<SDI-HOME>/jars/connectors/Microsoft365Connector.jar
There will be either AzureADConnector.jar or Microsoft365Connector.jar in the <SDI-HOME>/jars/connectors/ directory.
Note: Stop the dispatcher service before upgrading the connector and start it again after the upgrade is complete.
- Upgrade adapter binaries or connector Procedure:
There is Microsoft365Connector.jar included in the Microsoft Azure AD Adapter distribution package.
Copy Microsoft365Connector.jar from the adapter package to the
<SDI-HOME>/jars/connectors directory.
If AzureADConnector.jar exists in <SDI-HOME>/jars/connectors directory then delete AzureADConnector.jar.
- Upgrading the adapter profile
Read the adapter Release Notes for any specific instructions before you import a new adapter profile.
- Upgrading the AzureAD-Attributes.properties file
Properties file update for additional Attributes. Additional Attributes of the Azure Adapter need to be listed with additionalAttributes key as mentioned below:
additionalAttributes=createdDateTime,ageGroup,businessPhones,companyName,consentProvidedForMinor,creationType,employeeHireDate,employeeId,employeeType,legalAgeGroupClassification,lastPasswordChangeDateTime,onPremisesDistinguishedName,onPremisesDomainName,onPremisesImmutableId,onPremisesLastSyncDateTime,onPremisesSamAccountName,onPremisesSecurityIdentifier,onPremisesSyncEnabled,onPremisesUserPrincipalName,passwordPolicies,preferredDataLocation,proxyAddresses,securityIdentifier,signInSessionsValidFromDateTime,imAddresses,provisionedPlans,licenseAssignmentStates,assignedPlans,onPremisesProvisioningErrors,deletedDateTime,signInActivity,division,costCenter,refreshTokensValidFromDateTime,employeeLeaveDateTime,employeeOrgData,manager,manager_FULLSUPPORT
Properties file location updated to : <SDI_Solution_Directory>\properties\AzureAD-Attributes.properties
Note: Restart the Dispatcher service after importing the profile, connector jar or properties file. Restarting the Dispatcher clears the assembly lines cache and ensures that the dispatcher runs the assembly lines from the updated adapter profile.
The AzureAD (from 10.0.11v) and O365 (from 10.0.9v) adapter are using a single combined Microsoft365Connector.jar implementation.
Before you begin
The steps to install adapter and related files into the container can be performed using the adapterUtil.sh script, which is shipped with the dispatcher package. This script should be staged on the machine running Kubernetes cli. The adapterUtil.sh script is also readily available in the bin directory of ISIM IBM Security Verify Governance Identity Manager Container Starter Kit installation directory (If ISVDI was selected for installation during the ISIM container installation steps).
If, for any reason, the adapter util script cannot be executed or used, the below manual instructions must be followed to copy the files to the persistent volume.
Note: The container must be restarted after installing or uninstalling the adapter and any changes to the configuration yaml. To activate changes and restart the container run the following commands:
- <path_to_starterkit>/bin/createConfigs.sh isvdi
- For OpenShift container: oc -n isvgim rollout restart deployment isvdi
- For kubernetes container: kubectl -n isvgim rollout restart deployment isvdi
Note: This document only describes the adapterUtil.sh command options that are required to install this adapter. For other command options, such as listing installed connectors and 3rd party jars, please refer to the Dispatcher10 Installation and Configuration Guide.
Installing / Upgrading / Re-installing / Downgrading the adapter
Using Script
Use the below command to install / upgrade/ re-install / downgrade the adapter:
/path/to/adapterUtil.sh -loadAdapter "/path/to/Adapter-AzureAD-*.zip" accept
Where /path/to/adapterUtil.sh is the location where the adapterUtil.sh script is installed and /path/to/Adapter-AzureAD-*.zip is the location where the Adapter zip file is staged on the machine running Kubernetes cli.
Manually copying files to Persistent Volume
Copy the files to the persistent volume mapped to the /opt/IBM/svgadapters directory of the container image as per the given directory structure:
Microsoft365Connector.jar
Copy this file to the <Persistent_Volume>/jars/connectors directory.
ILMT-Tags
Copy below files to the <Persistent_Volume>/swidtag directory:
ibm.com_IBM_Security_Verify_Governance_Compliance-10.0.2.swidtag
ibm.com_IBM_Security_Verify_Governance_Enterprise-10.0.2.swidtag
ibm.com_IBM_Security_Verify_Governance_Lifecycle-10.0.2.swidtag
AzureAD-Attributes.properties
Copy this file to the <Persistent_Volume>/timsol/properties directory.
Copying 3rd party libraries:
Using Script
Use the below command to copy the 3rd party jars:
/path/to/adapterUtil.sh -copyToPatches "/path/to/httpclient-*.jar"
/path/to/adapterUtil.sh -copyToPatches "/path/to/httpcore-*.jar"
/path/to/adapterUtil.sh -copyToPatches "/path/to/commons-logging-*.jar"
This command will copy the 3rd party jars to the <Persistent_Volume>/jars/patches directory.
Manually copying files to the Persistent Volume
Copy below 3rd party jar files to the <Persistent_Volume>/jars/patches directory (Refer release notes for the supported jar versions):
httpclient-*.jar
httpcore-*.jar
commons-logging-*.jar
Configuring the SSL connection between the IBM Security Verify Directory Integrator Container and the Azure AD Target
Refer https://www.ibm.com/docs/api/v1/content/SSCQGF_10.0.0/container/html/verify-directory-integrator.html#keyfile_trusted-certificates page from SVDI
If the config.yaml file which is used as the YAML_CONFIG_FILE environment variable for the container doesn't have a trusted-certificates element, follow the instructions that are provided in https://www.ibm.com/docs/api/v1/content/SSCQGF_10.0.0/container/html/verify-directory-integrator.html#keyfile_trusted-certificates to add a trusted-certificates section to the config.yaml file.
To add a trusted-certificates element (if it doesn't exist in current configuration) to the config.yaml file which is used as parameter for YAML_CONFIG_FILE environment variable of the container, download the DigiCert Global Root CA and DigiCert Global Root G2 certificates in DER/CRT format from https://www.digicert.com/kb/digicert-root-certificates.htm and place the certificate in the certs directory of the config volume which contains the config.yaml file. The default location for this config volume is /opt/IBM/dispatcher/config.
Provide this path of the certificate in config.yaml file as shown in the example below:
keyfile:
  trusted-certificates:
  - '@/opt/IBM/dispatcher/config/certs/DigiCertGlobalRootG2.crt'
  - '@/opt/IBM/dispatcher/config/certs/DigiCertGlobalRootCA.crt'
Enabling TLS 1.2
Refer to the https://www.ibm.com/docs/api/v1/content/SSCQGF_10.0.0/container/html/verify-directory-integrator.html#advanced page from SVDI to add an advanced configuration element (if it doesn't exist in the current configuration) to the config.yaml file which is used as parameter for YAML_CONFIG_FILE environment variable of the container.
If the config.yaml file which is used as the YAML_CONFIG_FILE environment variable for the container doesn't have an advanced configuration element, follow the instructions that are provided in https://www.ibm.com/docs/api/v1/content/SSCQGF_10.0.0/container/html/verify-directory-integrator.html#advanced to add an advanced configuration section to the config.yaml file.
To enable TLSv1.2, add 2 attr and value key pair (as mentioned in the SVDI guide) as below:
- attr: com.ibm.di.SSLProtocols
  value: 'TLSv1.2'
- attr: com.ibm.di.SSLServerProtocols
  value: 'TLSv1.2'
Enabling debug logs and disabling json-logging
If the config.yaml file that is used as the YAML_CONFIG_FILE environment variable for the container doesn't have root-level and json-logging configuration elements, follow the instructions in the SVDI documentation at https://www.ibm.com/docs/api/v1/content/SSCQGF_10.0.0/container/html/verify-directory-integrator.html#general_logging to add the root-level and json-logging configuration elements to the config.yaml file.
To enable debug logs, set the value for root-level to debug. To disable json logging, set the value for json-logging element to false.
Uninstalling the adapter
Using Script
Use the following command to remove the adapter:
/path/to/adapterUtil.sh -removeAdapter Adapter-AzureAD
Manually copying / removing files to / from the Persistent Volume
Remove files from the given directory structure of the persistent volume mapped to the /opt/IBM/svgadapters directory of the container image.
Note: Some 3rd party jars and ILMT-Tags files might be common with other installed adapters, and hence should not be removed while uninstalling this adapter:
Microsoft365Connector.jar
Remove this file from <Persistent_Volume>/jars/connectors directory.
ILMT-Tags
Remove the following files from the <Persistent_Volume>/swidtag directory:
ibm.com_IBM_Security_Verify_Governance_Compliance-10.0.2.swidtag
ibm.com_IBM_Security_Verify_Governance_Enterprise-10.0.2.swidtag
ibm.com_IBM_Security_Verify_Governance_Lifecycle-10.0.2.swidtag
3rd party jars
Remove the appropriate version of the 3rd party jar files used by this adapter as listed below from the <Persistent_Volume>/jars/patches directory:
httpclient-*.jar
httpcore-*.jar
commons-logging-*.jar
AzureAD-Attributes.properties
Remove this file from the <Persistent_Volume>/timsol/properties directory.
Chapter 4: Configuring
(Add this section to the Adapter Installation and Configuration Guide)
- Enabling TLSv1.2 in Security Directory Integrator
Procedure:
1. Apply recommended fix packs and limited availability (LA) versions on the Security Directory Integrator. See Recommended fixes for IBM Tivoli Directory Integrator (TDI) & IBM Security Directory Integrator (SDI).
2. After applying the appropriate updates, modify the /solution.properties file by appending the following text to the bottom of the file:
#####################
# # Protocols to enforce SSL protocols in a SDI Server
# # Optional values for com.ibm.di.SSL* property (TLSv1, TLSv1.1, TLSv1.2).
# # This can be a multi-valued comma separated property
# # Optional values for com.ibm.jsse2.overrideDefaultProtocol property (SSL_TLSv2, TLSv1,TLSv11,TLSv12).
# # This is a single value property.
#####################
com.ibm.di.SSLProtocols=TLSv1,TLSv1.1,TLSv1.2
com.ibm.di.SSLServerProtocols=TLSv1,TLSv1.1,TLSv1.2
com.ibm.jsse2.overrideDefaultProtocol=TLSv1
com.ibm.jsse2.overrideDefaultTLS=true
#####################
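The protocol properties shown in this guide, both the attr/value pairs for the container's config.yaml and the solution.properties lines above, can be audited with a short script. This is an added example, not IBM code: it parses both formats and reports every protocol property that lists anything other than TLS 1.2. The function names and the TLS 1.2 floor are assumptions of the example; the sample inputs are the values printed in this guide.

```python
import re

# Property keys from this guide that carry a protocol list.
TLS_KEYS = (
    "com.ibm.di.SSLProtocols",
    "com.ibm.di.SSLServerProtocols",
    "com.ibm.jsse2.overrideDefaultProtocol",
)
# Assumption: the floor is TLS 1.2, in either spelling the guide uses.
ACCEPTED = {"TLSv1.2", "TLSv12"}

# Sample inputs: the values printed in this guide.
SDI_SAMPLE = """\
# # Protocols to enforce SSL protocols in a SDI Server
com.ibm.di.SSLProtocols=TLSv1,TLSv1.1,TLSv1.2
com.ibm.di.SSLServerProtocols=TLSv1,TLSv1.1,TLSv1.2
com.ibm.jsse2.overrideDefaultProtocol=TLSv1
com.ibm.jsse2.overrideDefaultTLS=true
"""
YAML_SAMPLE = """\
- attr: com.ibm.di.SSLProtocols
  value: 'TLSv1.2'
- attr: com.ibm.di.SSLServerProtocols
  value: 'TLSv1.2'
"""


def parse_properties(text):
    """Parse key=value lines of solution.properties; '#' lines are comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def parse_attr_pairs(text):
    """Parse '- attr: K' / 'value: V' pairs as written in config.yaml."""
    settings, attr = {}, None
    for raw in text.splitlines():
        m = re.match(r"\s*(?:-\s*)?(attr|value)\s*:\s*(.*?)\s*$", raw)
        if not m:
            continue
        field, val = m.group(1), m.group(2).strip("'\"")
        if field == "attr":
            attr = val
        elif attr is not None:
            settings[attr] = val
            attr = None
    return settings


def audit_tls(settings):
    """Return {key: [listed protocols other than TLS 1.2]} for each TLS key."""
    findings = {}
    for key in TLS_KEYS:
        listed = [p.strip() for p in settings.get(key, "").split(",") if p.strip()]
        extra = [p for p in listed if p not in ACCEPTED]
        if extra:
            findings[key] = extra
    return findings


if __name__ == "__main__":
    print("solution.properties:", audit_tls(parse_properties(SDI_SAMPLE)))
    print("config.yaml:", audit_tls(parse_attr_pairs(YAML_SAMPLE)))
```

An empty result means every protocol property found is limited to TLS 1.2; a missing property is not reported, so check the parsed settings for the keys you expect.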
Customizing the adapter
The adapters can be customized or extended or both. The type and method of this customization varies depending on the adapter.
Customizing and extending adapters requires a number of skills. The developer must be familiar with the following concepts and skills:
- IBM Security Verify Governance Identity Manager administration
- IBM Security Verify Governance administration
- IBM Security Directory Integrator management
- Security Directory Integrator Assembly Line development
- LDAP schema management
- Working knowledge of Java scripting language
- Working knowledge of LDAP object classes and attributes
- Working knowledge of XML document structure
Note: If the customization requires a new Security Directory Integrator connector, the developer must also be familiar with Security Directory Integrator connector development and working knowledge of Java programming language.
Support for custom adapters
The integration to IBM Security Verify Governance servers "the adapter framework" is supported. However, IBM does not support the customizations, scripts, or other modifications. If you experience a problem with a customized adapter, IBM Support may require the problem to be demonstrated on the GA version of the adapter before a PMR is opened.
Chapter 5: Troubleshooting
Enabling DEBUG Logs on SDI Server
Procedure:
1. Stop the SDI Server process
Pre-7.2.0-ISS-SDI-FP0008
2. Edit the <SDI_Solution_Directory>/etc/log4j.properties
3. Modify the following line:
log4j.rootCategory=INFO, Default
to
log4j.rootCategory=DEBUG, Default
Post-7.2.0-ISS-SDI-FP0008
2. Edit the <SDI_HOME_Directory>/etc/log4j2.xml
3. Modify the following line:
<Root level="info">
to
<Root level="debug">
Post-7.2.0-ISS-SDI-FP0011
4. To enable TCB block in debug
5. Append the line com.ibm.di.logging.close=false in the <SDI_HOME_Directory>/etc/global.properties file.
6. Start the SDI Server process
7. Re-create the problem and collect the <SDI_Solution_Dir>/logs/ibmdi.log
Chapter 6: Uninstalling
No updates for the current release
Chapter 7: Reference
(Please update the tables below for the section "Adapter Attributes and Object classes".)
- Rename the table name "Table 1. Supported user attributes" to "Table 1. Default User Attributes".
- Make a new table for the section "Adapter Attributes and Object classes" with table name as "Table 2. Additional User Attributes".
IBM Security Verify Governance Identity Manager name | Attribute name in schema | Attribute name in Target | Data Type | Attribute Type
User Creation Date and Time | erazurecreateddatetime | createdDateTime | String | Read Only
Age Group | erazureagegroup | ageGroup | String | Read Write
Business Phone | erazurebusinessphones | businessPhones | String | Read Write
Company Name | erazurecompanyname | companyName | String | Read Write
Consent Provider for Minor | erazureconsentproviderforminor | consentProvidedForMinor | String | Read Write
User Creation Type | erazurecreationtype | creationType | String | Read Only
Employee Hire Date | erazureemployeehiredate | employeeHireDate | String | Read Write
Employee Id | erazureemployeeid | employeeId | String | Read Write
Employee Type | erazureemployeetype | employeeType | String | Read Write
Legal Age Group Classification of User | erazurelegalagegroupclassification | legalAgeGroupClassification | String | Read Only
Last Password Change Date Time Of User | erazurelastpasswordchangedatetime | lastPasswordChangeDateTime | String | Read Only
On Premises Active Directory Distinguished Name | erazureonpremisesdistiguishedname | onPremisesDistinguishedName | String | Read Only
On Premises DomainFQDN / DnsDomainName | erazureonpremisesdomainname | onPremisesDomainName | String | Read Only
On Premises Immutable ID | erazureonpremisesimmutableid | onPremisesImmutableId | String | Read Write
On Premises Last Sync Date Time | erazureonpremiseslastsyncdatetime | onPremisesLastSyncDateTime | String | Read Only
samAccountName Synchronized From On Premises Directory | erazureonpremisessamaccountname | onPremisesSamAccountName | String | Read Only
On Premises Security Identifier (SID) | erazureonpremisessecurityidentifier | onPremisesSecurityIdentifier | String | Read Only
On Premises Sync Enabled | erazureonpremisessyncenabled | onPremisesSyncEnabled | String | Read Only
On Premises User Principal Name | erazureonpremisesuserprincipalname | onPremisesUserPrincipalName | String | Read Only
Security Identifier (Sid) Of The User | erazuresecurityidentifier | securityIdentifier | String | Read Only
Sessions Valid From Date and Time | erazuresigninsessionvalidfromdate | signInSessionsValidFromDateTime | String | Read Only
Preferred Data Location | erazurepreferreddatalocation | preferredDataLocation | String | Read Only
Password Policies | erazurepasswordpolicies | passwordPolicies | String | Read Write
Proxy Addresses | erazureproxyaddresses | proxyAddresses | String | Read Only
IM Addresses | erazureimaddresses | imAddresses | String | Read Only
Provisioned Plans | erazureassignedplans | provisionedPlans | String | Read Only
License Assignment States | erazurelicenseassignmentstates | licenseAssignmentStates | String | Read Only
Assigned Plans | erazureprovisionedplans | assignedPlans | String | Read Only
Date Time Of User Deletion | erazuredeleteddatetime | deletedDateTime | String | Read Only
On-Premises Provisioning Errors | erazureonpremisesprovisioningerrors | onPremisesProvisioningErrors | String | Read Only
Last Interactive Sign In Date and Time | erazurelastsignindatetime | lastSignInDateTime | String | Read Only
Request Identifier of the Last Interactive Sign In | erazurelastsigninrequestid | lastSignInRequestId | String | Read Only
Last Non Interactive Sign In Date and Time | erazurelastnoninteractivesignindatetime | lastNonInteractiveSignInDateTime | String | Read Only
Request Identifier of the Last Non Interactive Sign In | erazurelastnoninteractivesigninrequestid | lastNonInteractiveSignInRequestId | String | Read Only
Division | erazuredivision | division | String | Read Write
Cost Center | erazurecostcenter | costCenter | String | Read Write
Refresh Tokens Valid From Date Time | erazurerefreshtokensvalidfromdatetime | refreshTokensValidFromDateTime | String | Read Only
Employee Leave Date Time | erazureemployeeleavedatetime | employeeLeaveDateTime | String | Read Write
Identities | erazureidentities | identities | String | Read Write
Manager | erazuremanager | manager | String | Read Write
- Note: We can delete any identity value in the identities attribute except for the userPrincipalName.
- Note: To enter Identities on the ISVG/ISVG Identity Manager, you must follow the syntax below:
a|b|c
a = Issuer
b = SignIn Type
c = Issuer Assigned ID
Example: contoso.onmicrosoft.com|federated|username@contoso.com
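The a|b|c syntax and the deletion rule in the two notes above can be checked before a change request is submitted. This is an added example, not adapter code: the function names are hypothetical and the sample account is constructed around the guide's contoso example. It assumes that the account's userPrincipalName identity carries the sign-in type userPrincipalName and that no field contains a '|' character.

```python
# Field order from the guide: a=Issuer, b=SignIn Type, c=Issuer Assigned ID.
FIELDS = ("issuer", "signInType", "issuerAssignedId")

# Constructed sample: identities currently on an account, and the requested list.
CURRENT = [
    "contoso.onmicrosoft.com|userPrincipalName|username@contoso.onmicrosoft.com",
    "contoso.onmicrosoft.com|federated|username@contoso.com",
]
REQUESTED = ["contoso.onmicrosoft.com|emailAddress|username@contoso.com"]


def parse_identity(value):
    """Split one 'a|b|c' string into its three named fields.

    Assumption: the guide describes no escaping, so a value with more or
    fewer than three fields, or with an empty field, is rejected.
    """
    parts = [p.strip() for p in value.split("|")]
    if len(parts) != 3:
        raise ValueError(f"expected 3 '|'-separated fields, got {len(parts)}: {value!r}")
    if not all(parts):
        raise ValueError(f"empty field in identity: {value!r}")
    return dict(zip(FIELDS, parts))


def review_change(current, requested):
    """Compare the identities on the account with the requested list.

    Returns (added, removed, blocked). 'blocked' holds removals of a
    userPrincipalName identity, which the guide says cannot be deleted.
    """
    cur = [parse_identity(v) for v in current]
    req = [parse_identity(v) for v in requested]
    added = [i for i in req if i not in cur]
    gone = [i for i in cur if i not in req]
    blocked = [i for i in gone if i["signInType"].lower() == "userprincipalname"]
    removed = [i for i in gone if i not in blocked]
    return added, removed, blocked


if __name__ == "__main__":
    added, removed, blocked = review_change(CURRENT, REQUESTED)
    for label, items in (("add", added), ("remove", removed), ("blocked", blocked)):
        for item in items:
            print(f"{label}: {'|'.join(item[f] for f in FIELDS)}")
```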
- Rename the table name "Table 2. Supported group attributes" to "Table 3. Default Group Attributes".
(Please update the tables below for the section "Adapter Attributes and Object classes".)
- Make a new table for the section "Adapter Attributes and Object classes" with table name as "Table 4. Supported On-premise Group Attributes".
IBM Security Verify Governance Identity Manager name | Attribute name in schema | Attribute name in Target | Data Type
On-premises Group Domain Name | erazuregrponpremisesdomainname | onPremisesDomainName | String
On-premises Last Sync Date and Time | | onPremisesLastSyncDateTime | String
On-premises SamAccount Name | erazuregrponpremisessamaccountname | onPremisesSamAccountName | String
On-premises Security Identifier | erazuregrponpremisessecurityidentifier | onPremisesSecurityIdentifier | String
On-premises SyncEnabled Status | erazuregrponpremisessyncenabled | onPremisesSyncEnabled | String
On-premises NetBiosName | erazuregrponpremisesnetbiosname | onPremisesNetBiosName | String
- Rename the table name "Table 3. Supported object classes" to "Table 5. Supported Object Classes".
- Make a new table for the section "Adapter Attributes and Object classes" with table name as "Table 6. Default GuestUser Attributes". Also add the paragraph written below after the table.
IBM Security Verify Governance Identity Manager name | Attribute name in schema | Attribute name in Target | Data Type
User Type | erazureusertype | userType | String
External User State change Date and Time | erazurestatechangedatetime | stateChangeDateTime | String
Guest Invitation Status | erazuregueststatus | guestStatus | String
Identities | erazureidentities | identities | String
For more information regarding the usage of attributes that are related to inviting and/or creating guest accounts refer: "Adapter attributes by operations"
- Adapter attributes by operations
Add the following to the "Adapter attributes by operations" section:
Guest User attributes
The following tables show the attributes and object classes that are supported by the Azure Active Directory Adapter for creating a guest account.
- Make a new table for the section "Guest User attributes" with table name as "Table 1. Additional GuestUser Attributes". Also add the paragraph written below after the table.
IBM Security Verify Governance Identity Manager name | Attribute name in schema | Attribute name in Target | Data Type | Required
User Type | erazureusertype | userType | String | Yes
External User State change Date and Time | erazurestatechangedatetime | stateChangeDateTime | String | No (ReadOnly)
Guest Invitation Status | erazuregueststatus | guestStatus | String | No (ReadOnly)
Guest Redirect Url | erazureredirecturl | redirectUrl | String | Yes
Send Guest Invitation Mail | erazuresendinvitation | sendInvitation | Boolean | No
Reset Redemption | erazureresetredemption | resetRedemption | Boolean | No
Guest Redeem URL | erazureredeemurl | redeemUrl | Boolean | No
Redemption Email | erazureredemptionmail | redemptionMail | String | Yes (only in case of Reset Redemption)
Custom Message Body | erazurecustommessage | customMessageBody | String | No
| erazuremail | | String | Yes
CC Recipient Mail Address | erazureccrecipientmail | ccRecipientMail | String | No
Preferred Message Language | erazureprefmessagelang | preferredMessageLanguage | String | No
Identities | erazureidentities | identities | String | No
Info: The following operations are supported by the adapter for guest accounts.
- Creation of guest accounts through invitation.
- Modify, suspend, restore, delete guest user accounts.
- Resend invitation to guest user accounts.
- Reset redemption of guest user accounts.
Note: In case of Reset redemption, the Redemption Email should match any emails on the user object. If an e-mail address that does not yet exist in AzureAD for this user is specified as the value for the redemption e-mail address in ISVG/ISVG Identity Manager for the reset redemption operation and the response shows "Account is modified, reset redemption is unsuccessful", please retry after a few minutes, starting with filter reconciliation, and recheck that the new redemption email matches the mails in the otherMails attribute.
For more details on requesting and maintaining guest accounts, visit: https://learn.microsoft.com/en-us/azure/active-directory/external-identities/user-properties and https://learn.microsoft.com/en-us/azure/active-directory/external-identities/reset-redemption-status
The IBM Security Verify Governance Adapters can be customized and/or extended. The type and method of this customization may vary from adapter to adapter.
Refer to the 'IBM Security Verify Governance Adapter Development and Customization Guide'
Support for Customized Adapters
The integration to the IBM Security Verify Governance server "the adapter framework" is supported. However, IBM does not support the customizations, scripts, or other modifications. If you experience a problem with a customized adapter, IBM Support may require the problem to be demonstrated on the GA version of the adapter before a case is opened.
Installation Platform
The IBM Security Verify Governance Adapter for Microsoft Azure AD was built and tested on the following product versions.
Adapter Installation Platform:
Due to continuous Java security updates that may be applied to your IBM Security Verify Governance server and IBM Security Verify Governance Identity Manager server, the following SDI releases are the officially supported versions:
- Security Directory Integrator 7.2 + FP12
- Security Verify Directory Integrator 10.0.0
Note: Earlier versions of SDI that are still supported may function properly, however to resolve any communication errors, you must upgrade your SDI releases to the officially supported versions by the adapters. Please refer to the adapter's installation and configuration guides for the latest update on IBM Security Directory Integrator versions and fix packs
Managed Resource:
Azure AD supported HTTP Client component:
- Apache HTTP Component Client
3rd Party Client Libraries:
httpclient-4.5.14.jar
Download the httpclient-4.5.14.jar from https://mvnrepository.com/artifact/org.apache.httpcomponents/httpclient/4.5.14
httpcore-4.4.16.jar
Download the httpcore-4.4.16.jar from https://mvnrepository.com/artifact/org.apache.httpcomponents/httpcore/4.4.16
commons-logging-1.2.jar
Download the commons-logging-1.2.jar from https://mvnrepository.com/artifact/commons-logging/commons-logging/1.2
Supported IBM Security Verify Governance servers:
- IBM Security Verify Governance Identity Manager v10.0
- IBM Security Verify Governance v10.0