IBM Security Verify Governance Adapter v10.0.6 for IBM Security Verify Access is available. Compatibility, installation and other getting-started issues are addressed.
Copyright International Business Machines Corporation 2003,
2023. All rights reserved.
US Government Users Restricted Rights -- Use, duplication or disclosure
restricted by GSA ADP Schedule Contract with IBM Corp.
Welcome to the IBM Security Verify Governance Adapter for IBM Security Verify Access, previously known as IBM Tivoli Access Manager Combo Adapter.
· IBM Security Verify Access Adapter Installation and Configuration Guide
The IBM Security Verify Access
Adapter is designed to create and manage accounts on the IBM Security Access
Manager for Web server. The adapter runs in "agentless" mode and
communicates using the IBM Security Access Manager RegistryDirect API to the
systems being managed.
The IBM Security Verify Governance Adapters are powerful tools that require Administrator
Level authority. Adapters operate much like a human system administrator,
creating accounts, permissions and home directories. Operations requested from IBM
Security Verify server, IBM Security Verify Privilege Vault, and IBM Security
Verify- Governance server will fail if the adapter is not given sufficient
authority to perform the requested task. IBM recommends that this adapter run
with administrative (sec_master) permissions.
Review and agree to the terms of the IBM Security Verify Governance Adapter License prior to using this product. The license can be viewed from the "license" folder included in the adapter package.
Adapter Version
|
Component |
Version |
|
Build Date |
2023 March 08 03.46.57 |
|
Adapter Version |
10.0.6 |
|
Component Versions |
Adapter build: 10.0.6.1 Profile: 10.0.6.1 Connector: 10.0.6.1 Dispatcher 7.0.39 (or higher, packaged separately) |
|
Documentation |
The following guides are available in the IBM Verify Adapters Knowledge Center:
·IBM Security Verify Access Adapter Installation and Configuration Guide |
New Features
|
Internal#
|
Enhancement # (RFE) |
Description |
|
|
|
Items included in 10.0.6 release |
|
|
|
None |
|
|
|
Items included in 10.0.5 release |
|
RTC 190879 |
ADAPT-121 |
Add support for ISVA 10.0.4 |
|
|
|
Items included in 10.0.4 release |
|
RTC 190344 |
|
ISVA Internal Changes for SDI Log4j update |
|
|
|
Items included in 10.0.3 release |
|
RTC 189881 |
|
Added support for ISVA 10.0.2 |
|
|
|
Items included in 10.0.2 release |
|
|
|
None |
|
|
|
Items included in 10.0.1 release |
|
|
|
None |
|
|
|
Items included in 7.1.29 version |
|
|
|
None |
|
|
|
Items included in 7.1.28 version |
|
RTC 183244 |
|
Internal - ISAM 9.0.7 support |
|
RTC 184339 |
|
Internal - Attribute value lookup for IGI 5.2.5 |
|
|
Items included in 7.1.27 version |
|
|
|
RTC 182692 |
Add support for IGI 5.2.5
See “Limitation on how to use eritamcred attribute” section for more information. |
|
|
|
Items included in 7.0.26 version |
|
|
Add support for IGI 5.2.2 |
|
|
|
|
Items included in 7.0.25 version |
|
|
Add support for ISAM 9.0 |
|
|
|
RFE76110 |
Add ability to manage Disable Time Interval on each account |
|
|
INT126053 |
*** CHANGE IN DEFAULT
BEHAVIOR *** |
|
|
|
Items included in 7.0.24 version |
|
|
None |
|
|
|
|
Items included in 7.0.23 version |
|
|
RFE17072 |
Add ability to manage Max Password Age on each account |
|
|
RFE56722 |
Add ability to manage Max Concurrent Web Sessions on each account. The value must be an integer greater than zero, -3 for Displace, or -4 for Unlimited. |
|
|
RFE33651 |
Add ability to synchronize user password
to GSO credentials during account create. |
|
|
RFE61605 |
Boolean flag attributes are always converted to lowercase before checking their value. |
|
|
|
Initial release. |
|
Internal# |
Case# / APAR# |
Description |
|
|
|
Items included in 10.0.6 release |
|
RTC 190836 |
|
Remove Apache log4j from 3rd party libraries TAM/SVA adapter |
|
|
|
Items included in 10.0.5 release |
|
Bug 3785 RTC 190685 TS008649391 |
|
"Default_Ok" hook restored |
|
|
Items closed in 10.0.4 release |
|
|
Bug 3623 RTC 190036 TS006724428 |
IJ36550 |
Issue While Importing User from ISIM When AD is Used as Federated User Registry. |
|
|
|
Items closed in 10.0.3 release |
|
|
|
None |
|
|
|
Items closed in 10.0.2 release |
|
Bug 3390 TS004351858 |
IJ31246 |
ObjectClassViolation during tamAdd when using AD federated user registry. |
|
|
|
Items closed in 10.0.1 release |
|
RTC 187878 Bug 3359 TS004188986 |
IJ28694 |
ISAM Adapter returns STATUSCODE 3 when group does not exists in isam, breaks IGI flow. |
|
RTC 187879 Bug 3340 TS004159719 |
IJ28942 |
Recon fails with "Unparseable date" error for unknown attribute |
|
|
|
Items closed in 7.1.29 version |
|
RTC 186402, Bug 3106, TS002983015 |
IJ22617 |
ISAM adapter should restore PwdValid flag to existing value after change password operation |
|
|
|
Items closed in 7.1.28 version |
|
RTC 183804, Bug 2890 |
|
See “Add admin API option on service form” section for more information. |
|
|
|
Items closed in 7.1.27 version |
|
RTC 182698, Bug 2802 |
IJ13310 |
As an ISAM adapter developer, I must ensure that the adapter re-uses the LDAP connections |
|
RTC 182696 |
|
Internal - As an ISAM adapter developer, I must ensure that the operation name in service.def uses proper case |
|
|
|
Items closed in 7.0.26 version |
|
|
|
None |
|
|
|
Items closed in 7.0.25 version |
|
|
IV74759 |
Attempting to modify account with a non-existent group results in whole request failing. |
|
|
|
Items closed in 7.0.24 version |
|
INT123097 |
|
Changes for RFE61605 caused new accounts to be provisioned as inactive if "eraccountstatus" was not included in the request. |
|
|
|
Items closed in 7.0.23 version |
|
INT102186 |
|
The previously deprecated LDAP profile has been removed. Any installations that were using the LDAP profile will need to review the ISAM Service configuration in ISIM after loading the new profile. The service form is different, and some fields will need to be set. |
|
|
|
Initial release. |
Known Limitations
|
Internal# |
APAR# |
Case# / Description |
|
85051 |
|
When using the IBM Security Access Manager API method of reconciliation to reconcile IBM Security Access Manager accounts, if an IBM Security Access Manager account already in the IBM Security Identity registry becomes a malformed IBM Security Access Manager account then IBM Security Identity will identify this malformed IBM Security Access Manager account as no longer existing, and delete it from the IBM Security Identity registry. If the malformed IBM Security Access Manager account does not already exist within the IBM Security Identity server's known IBM Security Access Manager accounts, the account will not be added. This behavior does not provide any warning or failure message by the IBM Security Identity server. See the Installation guide for how to change the adapter configuration regarding this issue. |
|
|
|
During the creation of IBM Security Access Manager accounts when IBM Security Access Manager is configured against Windows Active Directory, the account is created as a GSO user even when the Single Signon Capability for the account is not checked (i.e. There is no request to create the account as a GSO user). This is a reflection of the operation of IBM Security Access Manager when administrating accounts. If GSO credentials are supplied with same request they will be created without warning that IBM Security Access Manager account doesn't have Single Signon Capability. |
|
93688 |
|
When IBM Security Access Manager is configured against Windows Active Directory, IBM Security Access Manager account's common name (cn) must be the same as the first RDN value of the Distinguished Name. For example, when requesting a new IBM Security Access Manager service account through the IBM Security Identity web console, the "Full name" specified in the Account form must be the same as the "cn" portion of the Distinguished Name. E.g. If a user has the Distinguished Name cn=JohnSmith,o=myCompany,c=com, then the "Full name" should also be set to JohnSmith. Not doing so could result in account modification issues. |
|
|
|
Adapter does not check syntax for any non-IBM Security Access Manager account attributes. This can result in those attributes not being set in the registry if their values have incorrect syntax. A possible consequence is that operations such as account creation may fail. |
|
|
|
In case an account already has SSO credentials and the checkbox Single Signon Capability is disabled during MODIFY operation, this will delete credentials in IBM Security Access Manager registry, but not in the IBM Security Identity server. A reconciliation is needed to synchronize the account attributes. |
|
|
|
If password synchronization is configured to synchronize passwords from WebSEAL via the IBM Security Identity server to other person accounts, the synchronization with SSO credential passwords is not supported. The synchronization with SSO credential passwords is supported only if the password change is initiated from the IBM Security Identity server, and the corresponding SDI Assembly Line is executed. |
|
|
|
If password synchronization is configured to synchronize passwords from WebSEAL the "Change password on next login" checkbox on the account form cannot be reset. This is due to a current limitation of the IBM Security Identity Manager Server. |
|
Internal# |
APAR# |
Case# / Description |
|
|
|
Limitation on how to use eritamcred attribute
Enter the value for eritamcred attribute in this format - “Name of the resource (Web Resource)|username|{clear}password” e.g. zira (Web Resource)|isupport|{clear}password
Please note that the password will be visible in clear text in the logs as option to encrypt the password is not available on IGI currently.
To avoid password in clear text, use the “Synchronize IBM Security Access Manager password in SSO Lockbox” checkbox to set the SSO credential password same as the ISAM account password. |
|
|
|
Adapter does not support modifying the last name (sn) attribute of IBM Security Access Manager account when IBM Security Access Manager Administration API is used since the API does not support modifying the last name. |
|
|
|
Management of non-standard IBM Security Access Manager account attributes is only available for user registries supported by Registry Direct API. |
|
|
|
IBM Security Access Manager Web Gateway appliance in standalone mode, PRIOR TO FP4, does not externalize the interface to its internal directory server. Consequently, Registry Direct API and managing non-standard ISAM account attributes are not supported by the adapter for the appliance versions 8.0 through 8.0.0.3. For example, the adapter cannot modify "mail" attribute of the user object stored in the appliance's internal directory server. In addition, only "TAM API" based reconciliation is supported for the appliance in standalone mode prior to FP4. |
|
|
|
Registry Direct API based reconciliation does not reconcile inetorgperson attributes by default. This is an optimization that was made in order to improve the performance of the reconciliation. In order to reconcile the inetorgperson attributes, edit "tamSearch" assemblyline in the profile to include the required attributes in the input mapping of the connector "tamIterRgy". Please refer to this technote for more details. |
|
|
|
The adapter does not support the modification of UID, CN, principal name, and attribute(s) that form the Distinguished Name(DN). |
|
|
|
Custom containers are not supported when creating an IBM Security Access Manager group. IBM Security Access Manager specifies a default |
|
|
|
Filtered reconciliation on groups is not supported. |
|
|
|
When "Single Signon Capability" attribute is unchecked and an account modification request is submitted, the SSO credentials for the account are removed in IBM Security Access Manager but this is not reflected in the ISIM server. This is due to the RMI protocol not allowing the response to contain the updated account information. In order to work around this limitation, edit the "modify" operation workflow for "IBM Security Access Manager Account" entity to delete "eritamcred" attribute when "eritamsinglesign" attribute is set to "false". For example, add a script element with the following script before "MODIFYACCOUNT" extension:
var
accountObj = account.get(); |
Known IBM Security Verify Access Issues
|
Internal# |
APAR# |
Case# / Description |
|
|
IV71775 |
The "com.tivoli.pd.rgy.jar" API library that can be downloaded from ISAM v8.0.1 appliance includes an incorrect search that will not return GSO enabled users during a reconciliation. This is corrected in the jar file available from the v8.0.1-FP1 appliance. |
|
|
|
Certain user management functions (e.g. enabling GSO) in IBM Security Access Manager do not work if the user ID contains "," and as such "," in the user ID is not supported by the adapter. |
|
|
|
When the Single Signon Capability of an IBM Security Access Manager user account is disabled (i.e. the user is no longer a GSO user), the GSO resource credentials for that account are also deleted. Hence when disabling the Single Signon Capability for a IBM Security Access Manager user account from the IBM Security Identity server, attempting to delete or modify resource credentials in the same request for that account results in "successful with warning" as the GSO credentials cannot be found. |
|
|
|
IBM Security Access Manager Java Admin API does not provide for a CN to be specified when creating a group. This is reflected in the adapter which does not manage this attribute when adding or modifying groups. |
|
|
|
If IBM Security Access Manager is configured against Windows Active Directory, an existing user or group description cannot be modified to a blank value. The description will remain unchanged. |
|
|
|
If IBM Security Access Manager is configured against Windows Active Directory, when importing an account using the pdadmin command line, the user name and first RDN value of the user DN must be the same. This issue is reflected in the adapter: User ID and first RDN value in the user Distinguished Name must be the same. |
|
|
|
If IBM Security Access Manager is configured against IBM Tivoli Directory Server 6.0, then Fix Pack 5 must be installed on the Directory Server. This fix pack addresses a problem that may affect adapter operation (APAR IO06328). |
See the Installation and Configuration guide for IBM Security Verify Governance Adapter for IBM Security Verify Access for detailed instructions.
Corrections to Installation Guide
Chapter 1: Overview
No Updates for the current release
Chapter 2: Planning
Prerequisites:
Directory Integrator:
Remove 7.2 + FP6 + 7.2.0-ISS-SDI-LA0019 from the description
Identity server:
Update description as below:
The following servers are supported:
- IBM Security Verify Governance Identity Manager v10.0.x
- IBM Security Verify Governance v10.0.x
IBM Security Verify Access:
Update the description as below:
Refer release notes for ISVA latest version
IBM Security Verify Access Java™ Runtime (previously known as IBM Tivoli® Access Manager):
Update the description as below:
Corresponding version to the IBM Security Verify Access Server. The IBM Security Verify Access Adapter supports IBM Security Verify Access versions 7.0, 8.0, 8.01, 9.0 and 10.0.x
Chapter 3: Installing
perform the steps in the configuration paragraph to establish the connection with the target system:
Service/Target form details:
IBM Security Verify Access Setup tab
Update below point to this section :
Open canonicalValuesMapping.json in itamprofile. Add “TAM” value to canonicalValues array of eritamapi entry. Update the entry as value: TAM, Display Value: $eritamapiadmin
Chapter 4: Upgrading
No updates for the current release
Chapter 5:Configuring
Add below configurations in adapter guide:
Installing IBM Security Verify Access
IBM Security Verify Access: Installing > Configuring the IBM Security Verify Access Run Time for Java™ System > Procedure
1.Log on as root for UNIX systems or a user with Administrator group privileges for Windows systems.
2.Download the runtime package file from the appliance.
a.Go to System > File Downloads.
b.Download the runtime package file pdjrte-10.0.2.0.zip for ISVA v10.0.4 from the Verify Access directory.
*There is a known problem with pdjrte-10.0.0.0.zip
The PD.jar and pd.rgy from that zip file is compiled using OpenJDK11
*The downloads area of the appliance now contains the PDJRTE distribution from the v10.0.2.0 release of IBM Security Verify Access. This version of the PDJRTE supports IBM Java. The PDJRTE does not currently support OpenJDK.
*Existing deployments still using IBM JVM 8 for APIs but have upgraded the Policy Server to 10.0.4.0 should move up to at least pdjrte-10.0.2.0.zip.
If the pdjrte-10.0.2.0.zip file is still not shipped in VA. Follow the steps below to activate the base component and install KML license.
3.Extract the contents of the pdjrte-10.0.2.0.zip for ISVA v10.0.4.
4.Ensure that either IBM Java™ Runtime or the JRE provided with WebSphere® Application Server is installed. IBM Security Verify Access Runtime Runtime for Java configures extra security features into the specified JRE and only these two JREs are supported.
5.To set up IBM Security Verify Access Runtime for Java with a configuration type of Full, ensure that both the policy server and registry server are running. If the configuration type is standalone, this step is not required.
6.Before you configure the IBM Security Verify Access Runtime for Java component, ensure that either the IBM Java Runtime or the JRE provided with WebSphere Application Server can be located by using the PATH environment variable.
7.To configure the IBM Security Verify Access Runtime for Java component, run the pdjrtecfgutility.
On UNIX systems, use the following command:
Pdjrte_DIR/sbin>pdjrtecfg -action config -interactive
On Windows systems, use the following command:
Pdjrte_DIR/sbin>pdjrtecfg.bat -action config -interactive
8.Chose configuration type – STANDALONE and provide the SDI JRE path
(If you choose type – full, enter the port number)
Configuring the IBM Security Verify Access Registry Direct API for Java System
You must use the Registry Direct API to improve the adapter performance.
Copy the com.tivoli.pd.rgy.jar file from downloaded pdjrte runtime package(pdjrte\java\export\rgy\com.tivoli.pd.rgy.jar) to IBM Security Directory Integrator JRE installation directory.
On a Linux® IBM Security Verify Access system, the com.tivoli.pd.rgy.jar file is typically at:
/opt/PolicyDirector/java/export/rgy
Copy this file to the following directory on the system where IBM Security Directory Integrator is installed:
/opt/IBM/TDI/V7.1/jvm/jre/lib/ext
For more information, see Appendix D. Registry Direct Java™ API in the IBM Security Verify Access: Administration Java Classes Development Reference.
Configuring the IBM Security Directory Integrator Java Runtime Environment into the IBM Security Verify Access secure domain
The Administration API is available as a deprecated option for customers who were using it before the introduction of the Registry Direct API. All new deployments must use the Registry Direct API because the Administration API might not be available in subsequent IBM Security Verify Access releases.
Follow the steps to configure using Registry Direct API:
``set PATH=SDI_HOME_DIR\jvm\jre\bin
set JAVA_HOME=SDI_HOME_DIR\jvm ``
``
SDI_HOME_DIR\jvm\jre\bin>java.exe -cp "PDJRTE_DIR\java\export\rgy\com.tivoli.pd.rgy.jar" com.tivoli.pd.rgy.util.RgyConfig "SDI_HOME_DIR\timsol\tam_rgy.conf" create Default Default "{ISVA_endpointIP}:{Port}:readwrite:5" "cn=root,secAuthority=Default" {enter_password} "SDI_HOME_DIR\timsol\serverapi\testadmin.jks" {truststore_password}
``
Chapter 6: Troubleshooting
Enable debug logging starting SDI 7.2 FP8 :
After applying the appropriate updates, modify the /etc/log4j2.xml file in SDI_HOME_DIR by updating the `` Rootlevel="info" `` to ``Root level="debug"``
Chapter 7: Reference
No updates for the current release
Password Synchronization Adapter is no longer included in the adapter package and can be downloaded separately from Passport Advantage. For Access Manager 8.0 or above, Password Synchronization Adapter is only available with the appliance and is pre-installed on the appliance.
The IBM Security Verify Governance Adapters can be customized and/or extended. The type and method of this customization may vary from adapter to adapter.
Refer to the ‘IBM Security Verify Governance Adapter Development and Customization Guide’
Support for Customized Adapters
The
integration to the IBM Security Verify server "the adapter framework"
is supported. However, IBM does not support the customizations, scripts, or
other modifications. If you experience a problem with a customized adapter, IBM
Support may require the problem to be demonstrated on the GA version of the
adapter before a PMR is opened.
Installation Platform
The
IBM Security Verify Governance Adapter was built and tested on the following product
versions.
Adapter Installation Platform
Due to continuous Java security updates that may be applied to your IBM Security Verify server, IBM Security Verify Privilege Vault, and IBM Security Verify- Governance server, the following SDI releases are the officially supported versions:
· Security Directory Integrator 7.2 + FP8
Earlier versions of SDI that are still supported may function properly, however to resolve any communication errors, you must upgrade your SDI releases to the officially supported versions by the adapters
Managed Resource
Please note that some IBM Security Access Manager versions are not supported on
some JREs associated with some Operating Systems. Please see the IBM Security Verify
Access Adapter Installation and Configuration Guide for further information.
Supported IBM Security Verify Governance servers
· IBM Security Verify Governance Identity Manager v10.0
· IBM Security Verify Governance v10.0
This information was developed for products and services
offered in the U.S.A. IBM may not offer the products, services, or features
discussed in this document in other countries. Consult your local IBM
representative for information on the products and services currently available
in your area. Any reference to an IBM product, program, or service is not
intended to state or imply that only that IBM product, program, or service may
be used. Any functionally equivalent product, program, or service that does not
infringe any IBM intellectual property right may be used instead. However, it
is the user's responsibility to evaluate and verify the operation of any
non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter
described in this document. The furnishing of this document does not give you
any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785 U.S.A.
For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:
Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan, Ltd.
1623-14, Shimotsuruma, Yamato-shi
Kanagawa 242-8502 Japan
This information could include
technical inaccuracies or typographical errors. Changes are periodically made
to the information herein; these changes will be incorporated in new editions
of the publication. IBM may make improvements and/or changes in the product(s)
and/or the program(s) described in this publication at any time without notice.
Any references in this information to non-IBM Web sites are provided for
convenience only and do not in any manner serve as an endorsement of those Web
sites. The materials at those Web sites are not part of the materials for this
IBM product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it
believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose
of enabling: (i) the exchange of information between independently created
programs and other programs (including this one) and (ii) the mutual use of the
information which has been exchanged should contact:
IBM Corporation
2ZA4/101
11400 Burnet Road
Austin, TX 78758 U.S.A.
Such information may be available, subject to appropriate
terms and conditions, including in some cases, payment of a fee.
The licensed program described in this information and all licensed material
available for it are provided by IBM under terms of the IBM Customer Agreement,
IBM International Program License Agreement, or any equivalent agreement
between us.
Any performance data contained herein was determined in a controlled
environment. Therefore, the results obtained in other operating environments
may vary significantly. Some measurements may have been made on
development-level systems and there is no guarantee that these measurements
will be the same on generally available systems. Furthermore, some measurements
may have been estimated through extrapolation. Actual results may vary. Users of
this document should verify the applicable data for their specific environment.
Information concerning non-IBM products was obtained from the suppliers of
those products, their published announcements or other publicly available
sources. IBM has not tested those products and cannot confirm the accuracy of
performance, compatibility or any other claims related to non-IBM products.
Questions on the capabilities of non-IBM products should be addressed to the
suppliers of those products.
Trademarks
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of
International Business Machines Corp., registered in many jurisdictions
worldwide. Other product and service names might be trademarks of IBM or other
companies. A current list of IBM trademarks is available on the Web at
"Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.
Microsoft, Windows, and the Windows logo are trademarks of Microsoft
Corporation in the United States, other countries, or both.
Java and all Java-based trademarks and logos are trademarks or registered
trademarks of Oracle and/or its affiliates.