IBM Security Verify Governance Adapter v10.0.6 for IBM Security Verify Access is available. Compatibility, installation and other getting-started issues are addressed.
Copyright
International Business Machines Corporation 2003, 2023. All rights reserved.
US Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Welcome to the IBM Security Verify Governance Adapter for IBM Security Verify Access, previously known as IBM Tivoli Access Manager Combo Adapter.
· IBM Security Verify Access Adapter Installation and Configuration Guide
The IBM Security Verify Access Adapter is designed to create and manage accounts on the IBM Security Access Manager for Web server. The adapter runs in "agentless" mode and communicates with the managed systems using the IBM Security Access Manager Registry Direct API.
The IBM Security Verify Governance Adapters are powerful tools that require Administrator Level authority. Adapters operate much like a human system administrator, creating accounts, permissions and home directories. Operations requested from the IBM Security Verify server, IBM Security Verify Privilege Vault, and IBM Security Verify Governance server will fail if the adapter is not given sufficient authority to perform the requested task. IBM recommends that this adapter run with administrative (sec_master) permissions.
Review and agree to the terms of the IBM Security Verify Governance Adapter License prior to using this product. The license can be viewed from the "license" folder included in the adapter package.
Adapter Version
| Component | Version |
| Build Date | 2024 April 19 20.22.09 |
| Adapter Version | 10.0.6 |
| Component Versions | Adapter build: 10.0.6.1, Profile: 10.0.6.1, Connector: 10.0.6.1, Dispatcher 7.0.39 (or higher, packaged separately) |
| Documentation | The following guides are available in the IBM Verify Adapters Knowledge Center: IBM Security Verify Access Adapter Installation and Configuration Guide |
New Features
| Internal# | Enhancement # (RFE) | Description |
| Items included in 10.0.6 release | | |
| SVGAD-1229 | ADAPT-133 | Add support for ISVA 10.0.6 |
| SVGAD-451 | ADAPT-133 | Add support for ISVA 10.0.5 |
| SVGAD-1821 | ADAPT-150 | Certify the adapter for use with IBM Security Verify Directory Integrator version 10.0.0 |
| Items included in 10.0.5 release | | |
| RTC 190879 | ADAPT-121 | Add support for ISVA 10.0.4 |
| Items included in 10.0.4 release | | |
| RTC 190344 | | ISVA internal changes for the SDI Log4j update |
| Items included in 10.0.3 release | | |
| RTC 189881 | | Added support for ISVA 10.0.2 |
| Items included in 10.0.2 release | | |
| | | None |
| Items included in 10.0.1 release | | |
| | | None |
| Items included in 7.1.29 version | | |
| | | None |
| Items included in 7.1.28 version | | |
| RTC 183244 | | Internal - ISAM 9.0.7 support |
| RTC 184339 | | Internal - Attribute value lookup for IGI 5.2.5 |
| Items included in 7.1.27 version | | |
| RTC 182692 | | Add support for IGI 5.2.5. See the "Limitation on how to use eritamcred attribute" section for more information. |
| Items included in 7.0.26 version | | |
| | | Add support for IGI 5.2.2 |
| Items included in 7.0.25 version | | |
| | | Add support for ISAM 9.0 |
| | RFE76110 | Add ability to manage Disable Time Interval on each account |
| | INT126053 | *** CHANGE IN DEFAULT BEHAVIOR *** |
| Items included in 7.0.24 version | | |
| | | None |
| Items included in 7.0.23 version | | |
| | RFE17072 | Add ability to manage Max Password Age on each account |
| | RFE56722 | Add ability to manage Max Concurrent Web Sessions on each account. The value must be an integer greater than zero, -3 for Displace, or -4 for Unlimited. |
| | RFE33651 | Add ability to synchronize the user password to GSO credentials during account create. |
| | RFE61605 | Boolean flag attributes are always converted to lowercase before checking their value. |
| Initial release. | | |
Closed Issues
| Internal# | Case# / APAR# | Description |
| Items included in 10.0.6 release | | |
| RTC 190836 | | Remove Apache log4j from the 3rd party libraries of the TAM/SVA adapter |
| Items included in 10.0.5 release | | |
| Bug 3785, RTC 190685, TS008649391 | | "Default_Ok" hook restored |
| Items closed in 10.0.4 release | | |
| Bug 3623, RTC 190036, TS006724428 | IJ36550 | Issue while importing a user from ISIM when AD is used as the federated user registry. |
| Items closed in 10.0.3 release | | |
| | | None |
| Items closed in 10.0.2 release | | |
| Bug 3390, TS004351858 | IJ31246 | ObjectClassViolation during tamAdd when using an AD federated user registry. |
| Items closed in 10.0.1 release | | |
| RTC 187878, Bug 3359, TS004188986 | IJ28694 | ISAM adapter returns STATUSCODE 3 when the group does not exist in ISAM, which breaks the IGI flow. |
| RTC 187879, Bug 3340, TS004159719 | IJ28942 | Recon fails with "Unparseable date" error for an unknown attribute |
| Items closed in 7.1.29 version | | |
| RTC 186402, Bug 3106, TS002983015 | IJ22617 | ISAM adapter should restore the PwdValid flag to its existing value after a change password operation |
| Items closed in 7.1.28 version | | |
| RTC 183804, Bug 2890 | | Usage of Admin API deprecated. See the "Add admin API option on service form" section for more information. |
| Items closed in 7.1.27 version | | |
| RTC 182698, Bug 2802 | IJ13310 | As an ISAM adapter developer, I must ensure that the adapter re-uses the LDAP connections |
| RTC 182696 | | Internal - As an ISAM adapter developer, I must ensure that the operation name in service.def uses proper case |
| Items closed in 7.0.26 version | | |
| | | None |
| Items closed in 7.0.25 version | | |
| | IV74759 | Attempting to modify an account with a non-existent group results in the whole request failing. |
| Items closed in 7.0.24 version | | |
| INT123097 | | Changes for RFE61605 caused new accounts to be provisioned as inactive if "eraccountstatus" was not included in the request. |
| Items closed in 7.0.23 version | | |
| INT102186 | | The previously deprecated LDAP profile has been removed. Any installations that were using the LDAP profile must review the ISAM Service configuration in ISIM after loading the new profile. The service form is different, and some fields will need to be set. |
| Initial release. | | |
Known Limitations
· Internal# 85051: When using the IBM Security Access Manager API method of reconciliation to reconcile IBM Security Access Manager accounts, if an IBM Security Access Manager account that is already in the IBM Security Identity registry becomes a malformed IBM Security Access Manager account, IBM Security Identity identifies the malformed account as no longer existing and deletes it from the IBM Security Identity registry. If the malformed account is not already among the IBM Security Identity server's known IBM Security Access Manager accounts, the account is not added. The IBM Security Identity server gives no warning or failure message for this behavior. See the Installation guide for how to change the adapter configuration regarding this issue.
· During the creation of IBM Security Access Manager accounts when IBM Security Access Manager is configured against Windows Active Directory, the account is created as a GSO user even when Single Signon Capability is not checked for the account (i.e., there is no request to create the account as a GSO user). This reflects how IBM Security Access Manager administers accounts. If GSO credentials are supplied with the same request, they are created without any warning that the IBM Security Access Manager account does not have Single Signon Capability.
· Internal# 93688: When IBM Security Access Manager is configured against Windows Active Directory, the IBM Security Access Manager account's common name (cn) must be the same as the first RDN value of the Distinguished Name. For example, when requesting a new IBM Security Access Manager service account through the IBM Security Identity web console, the "Full name" specified in the Account form must be the same as the "cn" portion of the Distinguished Name: if a user has the Distinguished Name cn=JohnSmith,o=myCompany,c=com, then the "Full name" should also be set to JohnSmith. Not doing so can result in account modification issues.
· The adapter does not check the syntax of any non-IBM Security Access Manager account attributes. This can result in those attributes not being set in the registry if their values have incorrect syntax; a possible consequence is that operations such as account creation fail.
· If an account already has SSO credentials and the Single Signon Capability checkbox is cleared during a MODIFY operation, the credentials are deleted in the IBM Security Access Manager registry but not in the IBM Security Identity server. A reconciliation is needed to synchronize the account attributes.
· If password synchronization is configured to synchronize passwords from WebSEAL via the IBM Security Identity server to other person accounts, synchronization with SSO credential passwords is not supported. Synchronization with SSO credential passwords is supported only if the password change is initiated from the IBM Security Identity server and the corresponding SDI Assembly Line is executed.
· If password synchronization is configured to synchronize passwords from WebSEAL, the "Change password on next login" checkbox on the account form cannot be reset. This is due to a current limitation of the IBM Security Identity Manager Server.
· Limitation on how to use eritamcred attribute: enter the value for the eritamcred attribute in the format "Name of the resource (Web Resource)|username|{clear}password", e.g. zira (Web Resource)|isupport|{clear}password. Note that the password will be visible in clear text in the logs, as the option to encrypt the password is not currently available on IGI. To avoid the password appearing in clear text, use the "Synchronize IBM Security Access Manager password in SSO Lockbox" checkbox to set the SSO credential password to the same value as the ISAM account password.
· The adapter does not support modifying the last name (sn) attribute of an IBM Security Access Manager account when the IBM Security Access Manager Administration API is used, since the API does not support modifying the last name.
· Management of non-standard IBM Security Access Manager account attributes is only available for user registries supported by the Registry Direct API.
· The IBM Security Access Manager Web Gateway appliance in standalone mode, PRIOR TO FP4, does not externalize the interface to its internal directory server. Consequently, the Registry Direct API and management of non-standard ISAM account attributes are not supported by the adapter for appliance versions 8.0 through 8.0.0.3. For example, the adapter cannot modify the "mail" attribute of a user object stored in the appliance's internal directory server. In addition, only "TAM API" based reconciliation is supported for the appliance in standalone mode prior to FP4.
· Registry Direct API based reconciliation does not reconcile inetorgperson attributes by default. This is an optimization made to improve the performance of the reconciliation. To reconcile the inetorgperson attributes, edit the "tamSearch" assembly line in the profile to include the required attributes in the input mapping of the connector "tamIterRgy". Please refer to this technote for more details.
· The adapter does not support the modification of UID, CN, principal name, and the attribute(s) that form the Distinguished Name (DN).
· Custom containers are not supported when creating an IBM Security Access Manager group. IBM Security Access Manager specifies a default
· Filtered reconciliation on groups is not supported.
· When the "Single Signon Capability" attribute is unchecked and an account modification request is submitted, the SSO credentials for the account are removed in IBM Security Access Manager but this is not reflected in the ISIM server. This is because the RMI protocol does not allow the response to contain the updated account information. To work around this limitation, edit the "modify" operation workflow for the "IBM Security Access Manager Account" entity to delete the "eritamcred" attribute when the "eritamsinglesign" attribute is set to "false". For example, add a script element with the following script before the "MODIFYACCOUNT" extension:
var accountObj = account.get();
Known IBM Security Verify Access Issues
· APAR IV71775: The "com.tivoli.pd.rgy.jar" API library that can be downloaded from the ISAM v8.0.1 appliance includes an incorrect search that will not return GSO-enabled users during a reconciliation. This is corrected in the jar file available from the v8.0.1-FP1 appliance.
· Certain user management functions (e.g. enabling GSO) in IBM Security Access Manager do not work if the user ID contains ",", so "," in the user ID is not supported by the adapter.
· When the Single Signon Capability of an IBM Security Access Manager user account is disabled (i.e., the user is no longer a GSO user), the GSO resource credentials for that account are also deleted. Hence, when disabling the Single Signon Capability for an IBM Security Access Manager user account from the IBM Security Identity server, attempting to delete or modify resource credentials for that account in the same request results in "successful with warning", because the GSO credentials cannot be found.
· The IBM Security Access Manager Java Admin API does not provide for a CN to be specified when creating a group. This is reflected in the adapter, which does not manage this attribute when adding or modifying groups.
· If IBM Security Access Manager is configured against Windows Active Directory, an existing user or group description cannot be modified to a blank value. The description will remain unchanged.
· If IBM Security Access Manager is configured against Windows Active Directory, when importing an account using the pdadmin command line, the user name and the first RDN value of the user DN must be the same. This issue is reflected in the adapter: the User ID and the first RDN value in the user Distinguished Name must be the same.
· If IBM Security Access Manager is configured against IBM Tivoli Directory Server 6.0, then Fix Pack 5 must be installed on the Directory Server. This fix pack addresses a problem that may affect adapter operation (APAR IO06328).
See the Installation and Configuration guide for IBM Security Verify Governance Adapter for IBM Security Verify Access for detailed instructions.
Corrections to Installation Guide
· Chapter 1: Overview
o No updates for the current release
· Chapter 2: Planning
o No updates for the current release
· Chapter 3: Installing
o Perform the steps in the following configuration sections to establish the connection with the target system:
§ Configuring the IBM Security Verify Access Runtime for Java System
§ Configuring the IBM Security Verify Access Registry Direct API for Java System
§ Configuring the IBM Security Directory Integrator Java Runtime Environment into the IBM Security Verify Access secure domain
Configuring the IBM Security Verify Access Run Time for Java™ System
Procedure
Refer to the release notes to check which version of the external jar is required for ISVA.
1. Log on as root for UNIX systems or as a user with Administrator group privileges for Windows systems.
2. Download the runtime package file from the appliance.
a. Go to System > File Downloads.
b. Download the runtime package file pdjrte-10.0.*.zip for ISVA from the Verify Access directory.
* There is a known problem with pdjrte-10.0.*.zip: the PD.jar and pd.rgy from that zip file are compiled using OpenJDK 11.
* The downloads area of the appliance now contains the PDJRTE distribution from the v10.0.2.0 release of IBM Security Verify Access. This version of the PDJRTE supports IBM Java. The PDJRTE does not currently support OpenJDK.
* Existing deployments that still use IBM JVM 8 for the APIs but have upgraded the Policy Server to 10.0.4.0 should move up to at least pdjrte-10.0.2.0.zip.
If the pdjrte-10.0.*.zip file is not yet shipped in Verify Access, follow the steps below to activate the base component and install the KML license.
1. Obtain your activation key and support license.
2. Import the activation key, which is required.
3. Import the support license, which is optional. Import the license if you want to install service release updates.
4. Log in to the local management interface.
5. Click System > Updates and Licensing > Licensing and Activation.
6. Perform one or more of the following actions:
§ Import the activation key and deploy the changes:
1. In the Licensing and Activation window, click Import under Activated products.
2. Browse to the activation key file that you downloaded from Passport Advantage.
3. Select the activation file.
4. Click Open.
5. Click Save Configuration.
6. Deploy the changes:
a. In the undeployed change message, click "Click here to review the changes or apply them to the system".
b. Click Deploy.
§ Optional: Import the product support license so that you can update the appliance:
1. In the Licensing and Activation window, under Support license, click Select License.
2. Browse to the support license file that you downloaded from the IBM Security Systems License Key Center.
3. Select the license file.
4. Click Save Configuration.
3. Extract the contents of the pdjrte-10.0.*.zip for ISVA.
4. Ensure that either the IBM Java™ Runtime or the JRE provided with WebSphere® Application Server is installed. IBM Security Verify Access Runtime for Java configures extra security features into the specified JRE, and only these two JREs are supported.
5. To set up IBM Security Verify Access Runtime for Java with a configuration type of Full, ensure that both the policy server and the registry server are running. If the configuration type is Standalone, this step is not required.
6. Before you configure the IBM Security Verify Access Runtime for Java component, ensure that either the IBM Java Runtime or the JRE provided with WebSphere Application Server can be located using the PATH environment variable.
7. To configure the IBM Security Verify Access Runtime for Java component, run the pdjrtecfg utility. First set JAVA_HOME and PATH:
set PATH=SDI_HOME_DIR\jvm\jre\bin
set JAVA_HOME=SDI_HOME_DIR\jvm
set _JAVA_OPTIONS="--add-opens=java.base/sun.security.util=ALL-UNNAMED" (SDI 10 only)
On UNIX systems, use the following command:
Pdjrte_DIR/sbin>pdjrtecfg -action config -interactive
On Windows systems, use the following command:
Pdjrte_DIR/sbin>pdjrtecfg.bat -action config -interactive
8. Choose the configuration type STANDALONE and provide the SDI JRE path (if you choose type full, enter the port number).
Configuring the IBM Security Verify Access Registry Direct API for Java System
You must use the Registry Direct API to improve the adapter performance.
Copy the com.tivoli.pd.rgy.jar and PD.jar files from the downloaded pdjrte runtime package (pdjrte\java\export\rgy\com.tivoli.pd.rgy.jar and pdjrte\java\export\pdjrte\PD.jar) to the IBM Security Directory Integrator JRE installation directory on the system where IBM Security Directory Integrator is installed. If SDI 10 is being used, copy the files to the following location instead:
<SDI_HOME>/jars/patches
For more information, see Appendix D. Registry Direct Java™ API in the IBM Security Verify Access: Administration Java Classes Development Reference.
Configuring the IBM Security Directory Integrator Java Runtime Environment into the IBM Security Verify Access secure domain
The Administration API is available as a deprecated option for customers who were using it before the introduction of the Registry Direct API. All new deployments must use the Registry Direct API because the Administration API might not be available in subsequent IBM Security Verify Access releases.
Follow these steps to configure using the Registry Direct API:
1. Open CMD and set JAVA_HOME and PATH:
set PATH=SDI_HOME_DIR\jvm\jre\bin
set JAVA_HOME=SDI_HOME_DIR\jvm
set _JAVA_OPTIONS="--add-opens=java.base/sun.security.util=ALL-UNNAMED" (SDI 10 only)
2. Run the inline command for tam_rgy.conf (for the Registry Direct API) under SDI_HOME_DIR/jvm/jre/bin:
SDI_HOME_DIR\jvm\jre\bin>java.exe -cp "PDJRTE_DIR\java\export\rgy\com.tivoli.pd.rgy.jar" com.tivoli.pd.rgy.util.RgyConfig "SDI_HOME_DIR\timsol\tam_rgy.conf" create Default Default "{ISVA_endpointIP}:{Port}:readwrite:5" "cn=root,secAuthority=Default" {enter_password} "SDI_HOME_DIR\timsol\serverapi\testadmin.jks" {truststore_password}
If you are using SDI 10, create and use a PKCS12 keystore in the above command instead of the JKS keystore.
(Only in the case of embedded LDAP) Add the below cipher-suites property in the tam registry conf file (tam_rgy.conf):
3. Upgrade the TDI JRE (if required).
4. Copy the PD.jar and com.tivoli.pd.rgy.jar files from Pdjrte.zip to the <TDI_HOME>/jvm/jre/lib/ext folder; if you are using SDI 10, copy them to the <TDI_HOME>/jars/patches folder instead.
5. Import the LMI and LDAP certificates. (You will be required to import your LDAP server's certificate according to your environment. If you are using ISVA's embedded LDAP, import both the LMI and LDAP certificates into the truststore. If you are using SDI 10, import the certificates into the PKCS12 keystore.)
6. This step is only for SDI v10. Update the Java command in the <SDI_HOME>/ibmdisrv file as below:
"$TDI_JAVA_PROGRAM" $TDI_MIXEDMODE_FLAG -cp "$TDI_HOME_DIR/IDILoader.jar" "$LOG_4J" "$HOST" --add-exports java.base/sun.security.util=ALL-UNNAMED --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-exports=java.base/com.sun.crypto.provider=ALL-UNNAMED --add-exports java.base/jdk.internal.misc=ALL-UNNAMED --add-exports java.naming/com.sun.jndi.ldap=ALL-UNNAMED com.ibm.di.loader.ServerLauncher "$@" &
Before you begin
The steps to install the adapter and related files into the container can be performed using the adapterUtil.sh script, which is shipped with the dispatcher package. This script should be staged on the machine running the Kubernetes CLI. The adapterUtil.sh script is also readily available in the bin directory of the IBM Security Verify Governance Identity Manager (ISIM) Container Starter Kit installation directory (if ISVDI was selected for installation during the ISIM container installation steps).
If, for any reason, the adapterUtil.sh script cannot be executed or used, the manual instructions below must be followed to copy the files to the persistent volume.
Note: The container must be restarted after installing or uninstalling the adapter and after any change to the configuration yaml. To activate the changes and restart the container, run the following commands:
· <path_to_starterkit>/bin/createConfigs.sh isvdi
· For OpenShift container: oc -n isvgim rollout restart deployment isvdi
· For Kubernetes container: kubectl -n isvgim rollout restart deployment isvdi
Note: This document only describes the adapterUtil.sh command options that are required to install this adapter. For other command options, such as listing installed connectors and 3rd party jars, please refer to the Dispatcher10 Installation and Configuration Guide.
Installing / Upgrading / Re-installing / Downgrading the adapter
Using Script
Copy the files to the persistent volume mapped to the /opt/IBM/svgadapters directory of the container image as per the given directory structure:
Use the below command to copy the connector jar:
/path/to/adapterUtil.sh -copyToConnectors /path/to/TAMComboUtils.jar
Use the below command to copy pdjrte-10.0.6.0.zip (follow the instructions in Installing > Configuring the IBM Security Verify Access Run Time for Java™ System to download pdjrte-10.0.6.0.zip and get the certificates):
/path/to/adapterUtil.sh -copyFile /path/to/pdjrte-10.0.6.0.zip <Persistent_Volume>/isva
Use the below command to copy the certificates:
/path/to/adapterUtil.sh -copyFile /path/to/certificate_name <Persistent_Volume>/isva
Use the below command to copy the swidtags:
/path/to/adapterUtil.sh -copyToSwidtag /path/to/<swidtag_name>.swidtag
Copy the following swidtag files:
ibm.com_IBM_Security_Verify_Governance_Compliance-10.0.2.swidtag
ibm.com_IBM_Security_Verify_Governance_Enterprise-10.0.2.swidtag
ibm.com_IBM_Security_Verify_Governance_Lifecycle-10.0.2.swidtag
Where /path/to/adapterUtil.sh is the location where the adapterUtil.sh script is installed and /path/to/TAMComboUtils.jar is the location where the TAMComboUtils.jar file is staged on the machine running the Kubernetes CLI.
Copying files to Persistent Volume
Copy the files to the persistent volume mapped to the /opt/IBM/svgadapters directory of the container image as per the given directory structure:
TAMComboUtils.jar
Copy this file to the <Persistent_Volume>/jars/connectors directory.
ILMT-Tags
Copy the following files to the <Persistent_Volume>/swidtag directory:
ibm.com_IBM_Security_Verify_Governance_Compliance-10.0.2.swidtag
ibm.com_IBM_Security_Verify_Governance_Enterprise-10.0.2.swidtag
ibm.com_IBM_Security_Verify_Governance_Lifecycle-10.0.2.swidtag
pdjrte-10.0.6.0.zip (follow the instructions in Installing > Configuring the IBM Security Verify Access Run Time for Java™ System to download pdjrte-*.zip and get the certificates; refer to the release notes for the supported pdjrte.zip versions)
Copy this file to the <Persistent_Volume>/isva path.
Certificates
Copy these files to the <Persistent_Volume>/isva path.
Configuring the IBM Security Verify Access Run Time for Container Image:
Follow the procedure below to configure the ISVA Runtime in the container image:
Update ibmdisrv file
1. Copy the ibmdisrv file from the container using the command:
For OpenShift container: oc cp -n isvgim <isvdi_pod_name>:/opt/IBM/TDI/ibmdisrv <destination_on_local_system>
For Kubernetes container: kubectl cp -n isvgim <isvdi_pod_name>:/opt/IBM/TDI/ibmdisrv <destination_on_local_system>
2. Update the Java execution command in the <destination_on_local_system>/ibmdisrv file, adding the exports below:
--add-exports java.base/com.sun.crypto.provider=ALL-UNNAMED --add-exports java.base/jdk.internal.misc=ALL-UNNAMED --add-exports java.naming/com.sun.jndi.ldap=ALL-UNNAMED
3. Copy the ibmdisrv file to the <Persistent_Volume> path:
/path/to/adapterUtil.sh -copyFile <destination_on_local_system>/ibmdisrv <Persistent_Volume>
Create an isva.sh script file containing the steps below:
4. Set the Java environment variables as below:
export PATH=$PATH:/opt/IBM/TDI/jvm/jre/bin
export JAVA_HOME=/opt/IBM/TDI/jvm
export _JAVA_OPTIONS="--add-opens=java.base/sun.security.util=ALL-UNNAMED"
5. Unzip the <Persistent_Volume>/isva/pdjrte zip file into the <Persistent_Volume>/isva directory:
unzip -o <Persistent_Volume>/isva/pdjrte-10.0.6.0.zip -d <Persistent_Volume>/isva
6. Copy <Persistent_Volume>/isva/pdjrte/java/export/rgy/com.tivoli.pd.rgy.jar to the /opt/IBM/TDI/jars/3rdparty/others directory.
7. Copy <Persistent_Volume>/isva/pdjrte/java/export/pdjrte/PD.jar to the /opt/IBM/TDI/jars/3rdparty/others directory.
8. Create the IBM Security Verify Access Runtime by using the following command:
<Persistent_Volume>/isva/pdjrte/sbin/pdjrtecfg -action config -host <isva_host_name> -port <isva_port> -java_home /opt/IBM/TDI/jvm/jre -cfgfiles_path /opt/IBM/TDI/jvm/jre -alt_config -config_type full
9. Generate a PKCS12 keystore in the <Persistent_Volume>/timsol/serverapi directory:
/opt/IBM/TDI/jvm/jre/bin/keytool -genkeypair -noprompt -alias <define_pkcs12_keystore_alias> -keystore <Persistent_Volume>/timsol/serverapi/keystore.p12 -storetype PKCS12 -keyalg RSA -storepass <Enter_pkcs12_keystore_password> -dname "<Enter_dn_name>"
Example dname (it should be based on your organization): "CN=ibm.com, OU=ID, O=IBM, L=AHM, S=GUJ, C=IN"
10. Generate the conf file (for the Registry Direct API):
java -cp <Persistent_Volume>/isva/pdjrte/java/export/rgy/com.tivoli.pd.rgy.jar com.tivoli.pd.rgy.util.RgyConfig "<Persistent_Volume>/timsol/tam_rgy.conf" create Default Default "<isva_endpoint_ip>:<port>:readwrite:5" "cn=root,secAuthority=Default" <enter_password> "<Persistent_Volume>/timsol/serverapi/keystore.p12" <pkcs12_keystore_password>
11. Import the LDAP certificate into the PKCS12 keystore:
/opt/IBM/TDI/jvm/jre/bin/keytool -importcert -noprompt -alias <define_ldap_cert_alias> -file <Persistent_Volume>/isva/ldap_cert_name -keystore <Persistent_Volume>/timsol/serverapi/keystore.p12 -storepass <pkcs12_keystore_password>
12. Copy the ibmdisrv file to /opt/IBM/TDI:
cp <Persistent_Volume>/ibmdisrv /opt/IBM/TDI
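Steps 4 to 12 assembled into one isva.sh, as an added example rather than IBM's shipped script; it also patches ibmdisrv in place when no hand-edited copy from steps 1 to 3 is on the volume, and skips keystore and certificate work a previous run already did, so a container restart can re-run it safely. PV, TDI_HOME, ISVA_HOST, ISVA_PORT, ISVA_LDAP_HOST, ISVA_LDAP_PORT, the alias and dname defaults, and the RGY_BIND_PASSWORD and KEYSTORE_PASSWORD environment variables are assumed names, not part of the guide.

```shell
#!/bin/sh
# isva.sh: steps 4 to 12 above assembled into one script (added example, not IBM's shipped file).
# Assumed names for this example: the persistent volume is mounted at /opt/IBM/svgadapters,
# ISVA_HOST/ISVA_PORT is the policy server, ISVA_LDAP_HOST/ISVA_LDAP_PORT the registry endpoint,
# and the two passwords arrive as environment variables so they are not stored in the file.
set -eu

PV="${PV:-/opt/IBM/svgadapters}"
TDI_HOME="${TDI_HOME:-/opt/IBM/TDI}"
PDJRTE_ZIP="${PDJRTE_ZIP:-$PV/isva/pdjrte-10.0.6.0.zip}"
LDAP_CERT="${LDAP_CERT:-$PV/isva/ldap_cert_name}"               # placeholder name from the guide
ISVA_HOST="${ISVA_HOST:-isva.example.internal}"                  # placeholder
ISVA_PORT="${ISVA_PORT:-7135}"                                   # placeholder
ISVA_LDAP_HOST="${ISVA_LDAP_HOST:-$ISVA_HOST}"
ISVA_LDAP_PORT="${ISVA_LDAP_PORT:-636}"                          # placeholder
KEYSTORE="$PV/timsol/serverapi/keystore.p12"
KEYSTORE_ALIAS="${KEYSTORE_ALIAS:-isvdi}"
KEYSTORE_DNAME="${KEYSTORE_DNAME:-CN=isvdi.example.internal, OU=ID, O=Example, C=US}"
LDAP_CERT_ALIAS="${LDAP_CERT_ALIAS:-isva-ldap}"
RGY_CONF="$PV/timsol/tam_rgy.conf"
RGY_JAR="$PV/isva/pdjrte/java/export/rgy/com.tivoli.pd.rgy.jar"
PD_JAR="$PV/isva/pdjrte/java/export/pdjrte/PD.jar"
# The three exports step 2 above adds to the Java command in ibmdisrv.
JAVA_EXPORTS="--add-exports java.base/com.sun.crypto.provider=ALL-UNNAMED --add-exports java.base/jdk.internal.misc=ALL-UNNAMED --add-exports java.naming/com.sun.jndi.ldap=ALL-UNNAMED"

# Fail with a clear message instead of letting a later command die on a missing path.
require_file() {
    [ -f "$1" ] || { echo "isva.sh: required file not found: $1" >&2; return 1; }
}

# Registry Direct endpoint in the form the guide uses: host:port:readwrite:5
rgy_endpoint() {
    echo "$1:$2:readwrite:5"
}

# Insert JAVA_EXPORTS in front of the launcher class in an ibmdisrv file. Idempotent, so a
# container restart that re-runs this script does not add the flags a second time.
add_java_exports() {
    f="$1"
    require_file "$f"
    if grep -q 'java.base/com.sun.crypto.provider=ALL-UNNAMED' "$f"; then
        return 0
    fi
    sed "s|com\.ibm\.di\.loader\.ServerLauncher|$JAVA_EXPORTS com.ibm.di.loader.ServerLauncher|" \
        "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Step 4: Java environment for the SDI JRE.
java_env() {
    PATH="$PATH:$TDI_HOME/jvm/jre/bin"; export PATH
    JAVA_HOME="$TDI_HOME/jvm"; export JAVA_HOME
    _JAVA_OPTIONS="--add-opens=java.base/sun.security.util=ALL-UNNAMED"; export _JAVA_OPTIONS
}

configure_isva() {
    : "${RGY_BIND_PASSWORD:?password for cn=root,secAuthority=Default (set in the container env)}"
    : "${KEYSTORE_PASSWORD:?PKCS12 keystore password (set in the container env)}"
    require_file "$PDJRTE_ZIP"
    require_file "$LDAP_CERT"
    java_env
    # Step 5: unpack PDJRTE next to the zip.
    unzip -o "$PDJRTE_ZIP" -d "$PV/isva"
    # Steps 6 and 7: make the Registry Direct and runtime jars visible to SDI.
    cp "$RGY_JAR" "$PD_JAR" "$TDI_HOME/jars/3rdparty/others/"
    # Step 8: configure the runtime against the policy server.
    "$PV/isva/pdjrte/sbin/pdjrtecfg" -action config -host "$ISVA_HOST" -port "$ISVA_PORT" \
        -java_home "$TDI_HOME/jvm/jre" -cfgfiles_path "$TDI_HOME/jvm/jre" -alt_config -config_type full
    # Step 9: PKCS12 keystore, created only once so a restart keeps the certificates already in it.
    mkdir -p "$PV/timsol/serverapi"
    if [ ! -f "$KEYSTORE" ]; then
        keytool -genkeypair -noprompt -alias "$KEYSTORE_ALIAS" -keystore "$KEYSTORE" -storetype PKCS12 \
            -keyalg RSA -storepass "$KEYSTORE_PASSWORD" -dname "$KEYSTORE_DNAME"
    fi
    # Step 10: tam_rgy.conf. RgyConfig takes both passwords as arguments, so they are visible in
    # the process table while it runs; the guide's own command line has the same property.
    java -cp "$RGY_JAR" com.tivoli.pd.rgy.util.RgyConfig "$RGY_CONF" create Default Default \
        "$(rgy_endpoint "$ISVA_LDAP_HOST" "$ISVA_LDAP_PORT")" "cn=root,secAuthority=Default" \
        "$RGY_BIND_PASSWORD" "$KEYSTORE" "$KEYSTORE_PASSWORD"
    # Step 11: trust the LDAP server certificate, unless a previous run already imported it.
    if ! keytool -list -alias "$LDAP_CERT_ALIAS" -keystore "$KEYSTORE" -storepass "$KEYSTORE_PASSWORD" >/dev/null 2>&1; then
        keytool -importcert -noprompt -alias "$LDAP_CERT_ALIAS" -file "$LDAP_CERT" \
            -keystore "$KEYSTORE" -storepass "$KEYSTORE_PASSWORD"
    fi
    # Step 12: install the launcher. A copy edited by hand (steps 1 to 3) wins; otherwise the
    # container's own ibmdisrv is patched in place.
    if [ -f "$PV/ibmdisrv" ]; then
        cp "$PV/ibmdisrv" "$TDI_HOME/ibmdisrv"
    else
        add_java_exports "$TDI_HOME/ibmdisrv"
    fi
}

# Only act inside the container, where the volume is mounted; elsewhere just define the functions.
if [ -d "$PV/isva" ]; then
    configure_isva
else
    echo "isva.sh: $PV/isva not present, nothing configured" >&2
fi
```

The container's aux-config-programs entry runs the file without arguments, so everything is driven by the environment variables above.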
Configure isva.sh script in the container:
Copy the script to the <Persistent_Volume>/scripts directory manually in the container, or use the command below:
/path/to/adapterUtil.sh -copyFile /path/to/isva.sh <Persistent_Volume>/scripts
If the config.yaml file which is used as the YAML_CONFIG_FILE environment variable for the container does not have an advanced configuration element, follow the instructions in the SVDI documentation at https://www.ibm.com/docs/api/v1/content/SSCQGF_10.0.0/container/html/verify-directory-integrator.html#advanced to add an advanced configuration section to the config.yaml file.
Add the script (as described in the SVDI guide) as below:
init:
  aux-config-programs:
    - command: /opt/IBM/svgadapters/scripts/isva.sh
Configure ISVA host in the container:
1. Add the host in the <path_to_starterkit>/helm/templates/225-deployment-isvdi.yaml file. Update the container section as below:
hostAliases:
  - ip: <isva_host_ip>
    hostnames:
      - <isva_host_name>
2. Run createConfigs.sh using the command below:
<path_to_starterkit>/bin/createConfigs.sh isvdi
3. Restart the container.
Enabling TLS 1.2
If the config.yaml file which is used as the YAML_CONFIG_FILE environment variable for the container does not have an advanced configuration element, follow the instructions in the SVDI documentation at https://www.ibm.com/docs/api/v1/content/SSCQGF_10.0.0/container/html/verify-directory-integrator.html#advanced to add an advanced configuration section to the config.yaml file.
To enable TLSv1.2, add the two attr/value key pairs below (as described in the SVDI guide):
- attr: com.ibm.di.SSLProtocols
  value: 'TLSv1.2'
- attr: com.ibm.di.SSLServerProtocols
  value: 'TLSv1.2'
Enabling debug logs and disabling json-logging
If the config.yaml file which is used as the YAML_CONFIG_FILE environment variable for the container does not have root-level and json-logging configuration elements, follow the instructions in the SVDI documentation at https://www.ibm.com/docs/api/v1/content/SSCQGF_10.0.0/container/html/verify-directory-integrator.html#general_logging to add the root-level and json-logging configuration elements to the config.yaml file.
To enable debug logs, set the value of root-level to debug. To disable json logging, set the value of the json-logging element to false.
Uninstalling the adapter
Using Script
Use the below command to remove the adapter:
/path/to/adapterUtil.sh -removeAdapter Adapter-ISVA
Manually copying / removing files to / from the Persistent Volume
Remove files from the given directory structure of the persistent volume mapped to the /opt/IBM/svgadapters directory of the container image.
Note: Some 3rd party jars and ILMT-Tags files might be common with other installed adapters, and hence should not be removed while uninstalling this adapter:
TAMComboUtils.jar
Remove this file from <Persistent_Volume>/jars/connectors directory.
ILMT-Tags
Remove below files from <Persistent_Volume>/swidtag directory:
ibm.com_IBM_Security_Verify_Governance_Compliance-10.0.1.swidtag
ibm.com_IBM_Security_Verify_Governance_Enterprise-10.0.1.swidtag
ibm.com_IBM_Security_Verify_Governance_Lifecycle-10.0.1.swidtag
3rd party jars
Remove the appropriate version of the 3rd party jar files used by this adapter as listed below from the <Persistent_Volume>/jars/patches directory:
com.tivoli.pd.rgy.jar
PD.jar
Chapter 4: Upgrading
o No updates for the current release
Chapter 5: Configuring
o No updates for the current release
Chapter 6: Troubleshooting
Enabling DEBUG Logs on SDI Server
Procedure:
1. Stop the SDI Server process.
Pre-7.2.0-ISS-SDI-FP0008:
2. Edit <SDI_Solution_Directory>/etc/log4j.properties.
3. Modify the following line:
log4j.rootCategory=INFO, Default
to
log4j.rootCategory=DEBUG, Default
Post-7.2.0-ISS-SDI-FP0008:
2. Edit <SDI_HOME_Directory>/etc/log4j2.xml.
3. Modify the following line:
<Root level="info">
to
<Root level="debug">
From 7.2.0-ISS-SDI-FP0011:
4. To enable the TCB block in debug output:
5. Append the line com.ibm.di.logging.close=false to the <SDI_HOME_Directory>/etc/global.properties file.
6. Start the SDI Server process.
7. Re-create the problem and collect <SDI_Solution_Dir>/logs/ibmdi.log.
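The three file edits in the procedure above (the log4j.properties root category, the log4j2.xml Root level, and the global.properties line) are easy to get wrong when applied by hand on several SDI hosts, for example by appending com.ibm.di.logging.close=false a second time. The following helpers are an added example and are not part of the SDI product; they operate on file contents as strings so they can be exercised offline, and they are idempotent. The sample log4j2.xml is constructed: the only thing taken from the page is the <Root level="info"> element, and the assumption that it sits under <Loggers> inside <Configuration> as in a standard log4j2 configuration.

```python
"""Constructed helpers (not part of the SDI product) that apply the three
logging edits from the debug-logging procedure, idempotently, to file
contents passed in as strings."""
import re
import xml.etree.ElementTree as ET

# Constructed sample of the post-FP0008 log4j2.xml shape (assumed layout:
# Configuration > Loggers > Root, as in a standard log4j2 configuration).
SAMPLE_LOG4J2_XML = """<Configuration>
  <Appenders>
    <Console name="Default"/>
  </Appenders>
  <Loggers>
    <Root level="info">
      <AppenderRef ref="Default"/>
    </Root>
  </Loggers>
</Configuration>
"""

# Constructed sample of the pre-FP0008 log4j.properties line from the page.
SAMPLE_LOG4J_PROPERTIES = "log4j.rootCategory=INFO, Default\n"


def set_log4j_properties_level(text, level="DEBUG"):
    """Pre-FP0008: rewrite the level in 'log4j.rootCategory=INFO, Default',
    keeping whatever appender list follows it."""
    pattern = re.compile(r"^(log4j\.rootCategory\s*=\s*)\w+(\s*,.*)$", re.MULTILINE)
    new_text, count = pattern.subn(rf"\g<1>{level}\2", text)
    if count == 0:
        raise ValueError("log4j.rootCategory line not found")
    return new_text


def set_log4j2_root_level(xml_text, level="debug"):
    """Post-FP0008: set the level attribute on the <Root> logger."""
    root = ET.fromstring(xml_text)
    root_logger = root.find(".//Loggers/Root")
    if root_logger is None:
        raise ValueError("<Root> logger element not found")
    root_logger.set("level", level)
    return ET.tostring(root, encoding="unicode")


def get_log4j2_root_level(xml_text):
    """Read back the <Root> level, or None if the element is absent."""
    node = ET.fromstring(xml_text).find(".//Loggers/Root")
    return None if node is None else node.get("level")


def ensure_property(text, key, value):
    """FP0011+: make sure 'key=value' appears in a .properties file exactly
    once, replacing an existing value rather than appending a duplicate."""
    lines = text.splitlines()
    found = False
    for i, line in enumerate(lines):
        if line.split("=", 1)[0].strip() == key:
            lines[i] = f"{key}={value}"
            found = True
    if not found:
        lines.append(f"{key}={value}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(set_log4j_properties_level(SAMPLE_LOG4J_PROPERTIES))
    debug_xml = set_log4j2_root_level(SAMPLE_LOG4J2_XML)
    print("Root level is now:", get_log4j2_root_level(debug_xml))
    props = ensure_property("", "com.ibm.di.logging.close", "false")
    # Applying it again must not add a second line.
    props = ensure_property(props, "com.ibm.di.logging.close", "false")
    print(props)
```

To use it against a real installation, read the file, pass its contents through the matching function, and write the result back; the functions raise rather than silently returning unchanged text when the expected line or element is missing, so a mismatch with the installed SDI version is noticed.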
To resolve an error when performing 'test connection' in the service form in the ISIM console:
In case of "exception": "java.lang.NullPointerException" or "exception": "java.lang.NoClassDefFoundError: com.tivoli.pd.rgy.ldap.LdapRgyRegistryFactory", validate that the procedures documented below have already been performed:
o Configuring the IBM Security Verify Access Runtime for Java System
o Configuring the IBM Security Verify Access Registry Direct API for Java System
o Confirm that the PD.jar and com.tivoli.pd.rgy.jar files are present in the <TDI_HOME>/jvm/jre/lib/ext directory or at <TDI_HOME>/jars/patches.
In case of error HPDAA0278E "None of the configured LDAP servers of the appropriate type for the operation can be contacted.":
1. On the SDI machine, add a hosts file entry as: <LDAP_IP> <LDAP_HOST_NAME>. In the generated .conf file, replace the LDAP IP with the hostname.
2. Check whether the imported LDAP certificate is valid.
This is just a workaround; there might be other reasons for this error as well.
In case of error ConfigurationErrorRgyException: HPDAA0333E Unable to determine the registry server type.
Error message HPDAA0337E The configured trust key store, <SDI_HOME>/timsol/serverapi/testadmin.jks of type jceks from provider SunJCE can not be loaded.
1. Instead of a JKS keystore, use a PKCS12 keystore to generate the .conf file.
2. Load the certificates into that PKCS12 keystore.
While running the command "pdjrtecfg -action config -interactive", in case of the exception java.lang.reflect.InvocationTargetException
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
set the environment variable: set _JAVA_OPTIONS="--add-opens=java.base/sun.security.util=ALL-UNNAMED"
While creating the .conf file with PD.jar, in case of the exception Exception in thread "main" java.lang.IllegalStateException: java.lang.UnsupportedOperationException: This method is deprecated and marked for removal. Use the getPeerCertificates() method instead.
Instead of creating the .conf file with PD.jar, use com.tivoli.pd.rgy.jar.
Chapter 7: Reference
· No updates for the current release
Password Synchronization Adapter is no longer included in the adapter package and can be downloaded separately from Passport Advantage. For Access Manager 8.0 or above, Password Synchronization Adapter is only available with the appliance and is pre-installed on the appliance.
The IBM Security Verify Governance Adapters can be customized and/or extended. The type and method of this customization may vary from adapter to adapter.
Refer to the ‘IBM Security Verify Governance Adapter Development and Customization Guide’
Support for Customized Adapters
The integration to the IBM Security Verify server ("the adapter framework") is supported. However, IBM does not support the customizations, scripts, or other modifications. If you experience a problem with a customized adapter, IBM Support may require the problem to be demonstrated on the GA version of the adapter before a PMR is opened.
Installation Platform
The IBM Security Verify Governance Adapter was built and tested on the following product versions.
Adapter Installation Platform
Due to continuous Java security updates that may be applied to your IBM Security Verify server, IBM Security Verify Privilege Vault, and IBM Security Verify- Governance server, the following SDI releases are the officially supported versions:
Security Directory Integrator 7.2 + FP8
Security Verify Directory Integrator 10.0.0 (validated with pdjrte-10.0.6.0.zip)
Earlier versions of SDI that are still supported may function properly; however, to resolve any communication errors, you must upgrade your SDI release to the versions officially supported by the adapter.
Managed Resource
· IBM Security Verify Access v10.0.2
· IBM Security Verify Access v10.0.4 (pdjrte-10.0.2.0.zip)
· IBM Security Verify Access v10.0.5
· IBM Security Verify Access v10.0.6 (pdjrte-10.0.6.0.zip)
Please note that some IBM Security Access Manager versions are not supported on some JREs associated with some Operating Systems. Please see the IBM Security Verify Access Adapter Installation and Configuration Guide for further information.
· Supported IBM Security Verify Governance servers:
- IBM Security Verify Governance Identity Manager v10.0*
- IBM Security Verify Governance v10.0
* Unless this document specifies a specific fix pack version of ISVG Identity Manager v10, we expect the adapter to work with ISIM 6 as well. However, it will only be debugged and fixed from the perspective of ISVG-IM v10.
Notices
This information was developed for products and services offered in
the U.S.A. IBM may not offer the products, services, or features
discussed in this document in other countries. Consult your local IBM
representative for information on the products and services currently
available in your area. Any reference to an IBM product, program, or
service is not intended to state or imply that only that IBM product,
program, or service may be used. Any functionally equivalent product,
program, or service that does not infringe any IBM intellectual
property right may be used instead. However, it is the user's
responsibility to evaluate and verify the operation of any non-IBM
product, program, or service.
IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785 U.S.A.
For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:
Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan, Ltd.
1623-14, Shimotsuruma, Yamato-shi
Kanagawa 242-8502 Japan
This information could include technical inaccuracies or
typographical errors. Changes are periodically made to the
information herein; these changes will be incorporated in new
editions of the publication. IBM may make improvements and/or changes
in the product(s) and/or the program(s) described in this publication
at any time without notice.
Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged should contact:
IBM Corporation
2ZA4/101
11400 Burnet Road
Austin, TX 78758 U.S.A.
Such information may be available, subject to
appropriate terms and conditions, including in some cases, payment of
a fee.
The licensed program described in this information
and all licensed material available for it are provided by IBM under
terms of the IBM Customer Agreement, IBM International Program
License Agreement, or any equivalent agreement between us.
Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.
Information concerning non-IBM products was
obtained from the suppliers of those products, their published
announcements or other publicly available sources. IBM has not tested
those products and cannot confirm the accuracy of performance,
compatibility or any other claims related to non-IBM products.
Questions on the capabilities of non-IBM products should be addressed
to the suppliers of those products.
Trademarks
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.
Microsoft, Windows, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.
Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.