Release notes - IBM Security Verify Governance Adapter v10.0.2 for SCIMHR

IBM Security Verify Governance adapter v10.0.2 for SCIMHR is available. Compatibility, installation, and other getting-started issues are addressed.

Copyright International Business Machines Corporation 2021, 2023. All rights reserved.
US Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.


 Preface

Welcome to the IBM Security Verify Governance adapter for SCIMHR.

These release notes contain information for the following products that was not available when the IBM Security Verify Governance manuals were printed:

 

 

Adapter Features and Purpose

 

The SDI-based IBM Security Verify Governance Adapter for SCIMHR is designed to reconcile users, groups and roles on SCIMHR supported applications. It also supports user management tasks such as account add, modify, suspend, restore and password change.

The adapter runs in "agentless" mode and communicates using HTTPS protocol.

The IBM Verify Adapters are powerful tools that require Administrator Level authority. Adapters operate much like a human system administrator, managing users, groups and permissions. Operations requested from IBM Security Verify Governance will fail if the Adapter is not given sufficient authority to perform the requested task. IBM recommends that this Adapter run with administrative permissions.

 

License Agreement

 

Review and agree to the terms of the IBM Security Verify Governance Adapter License prior to using this product.

The license can be viewed from the "license" folder included in the product package.

 

Contents of this Release

Adapter Version

Component              Version
Release Date           2023 March 17 01.38.23
Adapter Version        10.0.2
Component Versions     Adapter build: 10.0.2.1
                       Profile: 10.0.2.1
                       Connector: 10.0.2.1
                       Dispatcher 7.1.39 or higher (packaged separately)
                       SCIM connector version: 10.0.3

Documentation

The following guides are available in the IBM Knowledge Center:

 

IBM Security Verify Governance Adapter for SCIMHR Installation and Configuration Guide

New Features

Internal#       Enhancement# (RFE / Idea)   Description

Items included in current release (10.0.2)

RTC 191179      ISIM-103/ADAPT-124          Add support for IBM Security Verify Governance Identity Manager (ISVGIM) starting from the v10.0.1 FP4 release onwards
RTC 191411                                  Build with SCIM connector version 10.0.3

Items included in release (10.0.1)

RTC 189950                                  Initial release. Added Extended Schema Attribute Support and Aquera Support.

Closed Issues

Internal#       APAR# / Case#               Description

Items included in current release (10.0.2)

None

Items included in release (10.0.1)

Initial release.

Known Limitations

Internal#       APAR# / Case#               Description

 

 

 

Installation and Configuration Notes

See the Installation Guide for IBM Security Verify Governance SCIMHR adapter for detailed instructions.

Corrections to Installation guide:

Chapter 1: Overview

No updates for the current release

Chapter 2: Planning

Prerequisites:

Please consult the release notes for the currently supported versions of the products below.

Directory Integrator:
Remove "Version 7.2 + FP6 + 7.2.0-ISS-SDI-LA0019" from the description.

Identity server (Verify Governance server):
Update the description as below:

The following servers are supported:
- IBM Security Verify Governance Identity Manager
- IBM Security Verify Governance

Chapter 3: Installing

Installing the adapter binaries or connector

Procedure

1. Copy tdi/connectors/*.jar (ScimConnector.jar) from the adapter package to the ITDI_HOME/jars/connectors directory.

2. Copy tdi/functions/*.jar from the adapter package to the ITDI_HOME/jars/functions directory.

 

Installing 3rd party client libraries

Third party client libraries are libraries and/or configuration files that are provided by the target vendor. These 3rd party client libraries must be installed with the adapter. This is not required for all adapters. This topic is not applicable for this adapter. The adapter requires access to the following JAR files at runtime.

About this task

Before you begin:

Download the JAR files listed below (refer to the release notes for the supported library versions) and copy them to the Security Directory Integrator environment:

- httpclient-<version>.jar
- httpcore-<version>.jar
- json-simple-<version>.jar

Procedure:

1. Download the above-mentioned JAR files. Copy the files into the SDI_HOME\jars\3rdparty\others directory.

Note: If there are issues with NoClassDefFoundError, copy the files into SDI_HOME\jars\patches instead of SDI_HOME\jars\3rdparty\others.

2. Restart the Dispatcher service once all JAR files are placed under the SDI_HOME\jars\3rdparty\others directory.

For information about starting and stopping the service, see the Dispatcher Installation and Configuration Guide.

 

Verifying the adapter installation

Table 1. Adapter components

Directory                          Adapter component
ITSDI_HOME/jars/connectors         SapNWUserConnector.jar, SapNWSupport.jar, ScimConnector.jar
ITDI_HOME/jars/functions           SapNWRfc.jar
ITSDI_HOME/jars/3rdparty/other     sapjco3.jar, httpclient-<version>.jar, httpcore-<version>.jar, json-simple-<version>.jar
ITDI_HOME/libs                     sapjco3.dll
ITDI_HOME/solution/xsl             sapnw_bapi_errors.properties
                                   sapnw_bapi_person_getdetail_precall.xsl
                                   sapnw_bapi_person_address_precall.xsl
                                   sapnw_bapi_person_email_precall.xsl
                                   sapnw_bapi_person_getdetail_postcall.xsl

 

 

Attribute Mapping (This is applicable only for IBM Security Verify Governance)

Remove existing content of this section and add below details:

Attribute mapping is required to define which target attributes correspond to the Verify Governance User or OU attributes.

 

About this task

This task involves either an user or OU attribute mapping definition file, which is included in the HR adapter package.

 

The file consists of Verify Governance User or OU attributes and their equivalent attributes in the managed HR target. The file is structured as <IGI_attribute> = <HR_target_attribute>.

 

The <IGI_attribute> is fixed and must not be modified. Edit only the <HR_target_attribute>. Some <IGI_attribute> entries already have a fixed equivalent <HR_target_attribute>. For example:

GIVEN_NAME=erscimhrgivenname

 

Some <IGI_attribute> do not have a defined <HR_target_attribute> and you can assign the mapping. For example:

USER_TYPE=USER_TYPE

ATTR1=ATTR1

 

Note:

 - The default mapping is already included out-of-the box. If there are no changes to the attribute mapping, there is no need to import the attribute mapping files.

 - It might take up to 10 minutes for the attribute mapping changes to take effect once the file is imported.

 

Procedure

1. Open the mapping definition file by using any text editor.

2. Edit the mapping.

3. If the target attribute has a list of predefined values, use the following syntax to convert its values to the corresponding Verify Governance attribute values.

[conversion].<HR_target_attribute>.<IGI_attribute>=[<HR_target_attribute_value1>=<IGI_attribute_value1>;...;<HR_target_attribute_valuen>=<IGI_attribute_valuen>]

 

For example:

[conversion].erscimhrgender.GENDER=[M=0;F=1]

 

4. For attributes that contain a date and time, use the following syntax to convert their values. For example:

[conversion.date].erscimhrdob.BIRTHDAY=[yyyyMMdd=dd/MM/yyyy HH:mm:ss]

[conversion.date].ACCOUNT_EXPIRY_DATE.ACCOUNT_EXPIRY_DATE=[dd/MM/yyyy HH:mm:ss=dd/MM/yyyy HH:mm:ss]

 

5. Import the updated mapping definition file through the Enterprise Connectors module. For more information, see Attribute-to-permission mapping service in the IBM Security Verify Governance product documentation.
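As an added illustration of the mapping file syntax used in steps 2 to 4 (this is example code written for these notes, not code from the adapter package or from IBM; the adapter applies the mapping itself), the following Python reads a constructed mapping definition file, translates the Java date patterns, and applies the mapping to one constructed HR record. Only GIVEN_NAME, USER_TYPE, GENDER, BIRTHDAY, erscimhrgivenname, erscimhrgender and erscimhrdob come from the examples above; the attribute erscimhrsn, the SURNAME mapping and the record values are assumptions.

```python
import re
from datetime import datetime

# Constructed sample mapping definition file. The line shapes follow the
# <IGI_attribute>=<HR_target_attribute> and [conversion] syntax described above;
# erscimhrsn/SURNAME is an assumed attribute pair, the rest are quoted from the notes.
SAMPLE_MAPPING = """\
# Fixed mappings (left side is the Verify Governance attribute)
GIVEN_NAME=erscimhrgivenname
SURNAME=erscimhrsn
GENDER=erscimhrgender
BIRTHDAY=erscimhrdob
# Mapping the administrator may assign
USER_TYPE=USER_TYPE
# Value conversion for a predefined value list
[conversion].erscimhrgender.GENDER=[M=0;F=1]
# Date conversion, patterns in Java SimpleDateFormat notation
[conversion.date].erscimhrdob.BIRTHDAY=[yyyyMMdd=dd/MM/yyyy HH:mm:ss]
"""

# Constructed HR record as a target might return it (values are made up).
SAMPLE_HR_RECORD = {
    "erscimhrgivenname": "Ada",
    "erscimhrsn": "Lovelace",
    "erscimhrgender": "F",
    "erscimhrdob": "19901231",
    "USER_TYPE": "Employee",
}

CONVERSION_RE = re.compile(
    r"^\[conversion(?P<date>\.date)?\]\.(?P<hr>[^.]+)\.(?P<igi>[^=]+)=\[(?P<body>.*)\]$"
)

# Java SimpleDateFormat tokens seen in the page's examples -> Python strptime/strftime
JAVA_TO_PYTHON = [("yyyy", "%Y"), ("MM", "%m"), ("dd", "%d"),
                  ("HH", "%H"), ("mm", "%M"), ("ss", "%S")]


def java_pattern_to_python(pattern):
    """Translate the subset of SimpleDateFormat tokens used in the mapping file."""
    for java_token, py_token in JAVA_TO_PYTHON:
        pattern = pattern.replace(java_token, py_token)
    return pattern


def parse_mapping(text):
    """Return (attribute map, value conversions, date conversions) from the file text."""
    attrs, value_conv, date_conv = {}, {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = CONVERSION_RE.match(line)
        if match:
            key = (match["hr"].strip(), match["igi"].strip())
            if match["date"]:
                src, dst = (p.strip() for p in match["body"].split("=", 1))
                date_conv[key] = (java_pattern_to_python(src), java_pattern_to_python(dst))
            else:
                pairs = (p.split("=", 1) for p in match["body"].split(";") if p)
                value_conv[key] = {hr_v.strip(): igi_v.strip() for hr_v, igi_v in pairs}
            continue
        if "=" not in line:
            raise ValueError(f"malformed mapping line: {raw!r}")
        igi_attr, hr_attr = (p.strip() for p in line.split("=", 1))
        attrs[igi_attr] = hr_attr
    return attrs, value_conv, date_conv


def translate_record(hr_record, mapping):
    """Apply the mapping to one HR record; unconvertible values pass through and are reported."""
    attrs, value_conv, date_conv = mapping
    igi_record, warnings = {}, []
    for igi_attr, hr_attr in attrs.items():
        if hr_attr not in hr_record:
            continue
        value = hr_record[hr_attr]
        key = (hr_attr, igi_attr)
        if key in value_conv:
            if value in value_conv[key]:
                value = value_conv[key][value]
            else:
                warnings.append(f"{hr_attr}={value!r}: no conversion entry for {igi_attr}")
        elif key in date_conv:
            src_fmt, dst_fmt = date_conv[key]
            try:
                value = datetime.strptime(value, src_fmt).strftime(dst_fmt)
            except ValueError:
                warnings.append(f"{hr_attr}={value!r}: does not match the source date pattern")
        igi_record[igi_attr] = value
    return igi_record, warnings


if __name__ == "__main__":
    record, problems = translate_record(SAMPLE_HR_RECORD, parse_mapping(SAMPLE_MAPPING))
    print(record)
    print(problems)
```

In this example a value with no [conversion] entry, or a date that does not match the source pattern, is passed through unchanged and reported in the warning list, so a mapping mistake is visible before the file is imported through the Enterprise Connectors module rather than surfacing later as a wrong attribute on a Verify Governance user.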

 

Service/Target form

Adapter Details tab

SCIM Base URL (https://<domain.com>/v2.0)

Specify the URL of the IBM Security Verify Adapter for SCIM Adapter resource in this format: https://<Instance-name>. For example, https://cloud.com/v2.0.

Note: If the target system is integrated with Aquera, provide the SCIM Base URL generated by Aquera.

 

Authentication type

Specify the authentication type. Currently SCIM only supports OAuth. For example, OAuth.

 

Client ID

Specify the Client ID of the API client that is created with Administrator privileges. Obtain the Client ID from the Configuration > API Access tab of IBM Security Verify Adapter for SCIM Adapter.

 

Client Secret

Specify the client secret of the associated Client ID. Obtain the client secret from the Configuration > API Access tab of IBM Security Verify Adapter for SCIM Adapter.

 

Username

Specify the user name based on the authentication type and the target, if required.

 

Password

Specify the password based on the authentication type and the target, if required.

 

Bearer Token

Specify the bearer token based on the authentication type and the target, if required.

Note: If the target system is integrated with Aquera, provide the SCIM Base URL generated by Aquera.

 

SCIM Schema Extended File Path

Specify the SCIM Schema Extended File Path if target supports extended schema attributes. For example, {SDI_HOME}/timsol/MappingFile/AttributeMapping.txt.

 

Person profile name (This is an additional attribute applicable only to IBM Security Verify Governance Identity Manager)

This is a read-only field with the value "ScimHRPerson".

 

Use workflow (This is an additional attribute applicable only to IBM Security Verify Governance Identity Manager)

If this check box is checked, an identity policy needs to be created for the IBM Security Verify Governance Identity Manager account for the new person. By default, the Use workflow check box is checked.

 

Evaluate separation of duty policy when workflow is used (This is an additional attribute applicable only to IBM Security Verify Governance Identity Manager)

This check box should be checked if evaluation of the separation of duty policy is required when the workflow is used.

 

Placement rule (This is an additional attribute applicable only to IBM Security Verify Governance Identity Manager)

Provide details for the placement rule. If you do not specify one, the default org is used.

 

SAP Connection Details tab:

Target Client

The SAP instance client number. This field is mandatory.

Login ID

The SAP User account login ID that adapter uses to connect to the SAP instance. This field is mandatory.

Password

Password for SAP User account. This field is mandatory.

SAP System (DNS hostname or IP)

Host name of the SAP server host computer only if DNS is set up correctly. Otherwise, use the IP address. This field is mandatory.

SAP Systems Number

The SAP server system number. This field is mandatory.

SAP Logon Language

The language ISO identifier to be used by the adapter. This parameter is optional.

 

Reconciliation Advanced Mapping tab

Settings in this tab apply only during reconciliation and search operation requests.

The following attributes of this tab are all optional service attributes.

- Search Person Basic Iterate Request XSL Stylesheets

- Search Person Basic Iterate Response Stylesheet

 

Chapter 4: Upgrading

             No updates for the current release

 

Chapter 5: Configuring

Enabling TLSv1.2 in Security Directory Integrator

Procedure:   

1. Apply recommended fix packs and limited availability (LA) versions on the Security Directory Integrator. See Recommended fixes for IBM Tivoli Directory Integrator (TDI) & IBM Security Directory Integrator (SDI).

2. After applying the appropriate updates, modify the /solution.properties file by appending the following text to the bottom of the file:

 

#####################
# Protocols to enforce SSL protocols in a SDI Server
# Optional values for com.ibm.di.SSL* property (TLSv1, TLSv1.1, TLSv1.2).
# This can be a multi-valued comma separated property
# Optional values for com.ibm.jsse2.overrideDefaultProtocol property (SSL_TLSv2, TLSv1,TLSv11,TLSv12).
# This is a single value property.
#####################
com.ibm.di.SSLProtocols=TLSv1,TLSv1.1,TLSv1.2
com.ibm.di.SSLServerProtocols=TLSv1,TLSv1.1,TLSv1.2
com.ibm.jsse2.overrideDefaultProtocol=TLSv1
com.ibm.jsse2.overrideDefaultTLS=true
#####################
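The fragment above lists TLSv1 and TLSv1.1 alongside TLSv1.2 and sets the override protocol to TLSv1, so it is worth checking which protocols a solution.properties file actually leaves enabled before relying on it for the HTTPS connection to the SCIM target. The following Python check is an added example written for these notes, not part of the guide, SDI or the adapter: it parses the fragment as documented and a TLSv1.2-only variant that I built from the values the comment block lists as valid (TLSv1.2 for the com.ibm.di.SSL* properties, TLSv12 for the override), and reports any pre-1.2 protocol still permitted. Whether TLSv12 is the value your SDI build expects should be confirmed against its documentation; the semantics assumed here come only from the comment block.

```python
# Constructed copies of two solution.properties fragments. AS_DOCUMENTED reproduces the
# values from the procedure above; TLS12_ONLY is a hardened variant suggested here,
# built only from values the comment block lists, not a setting taken from the guide.
AS_DOCUMENTED = """\
com.ibm.di.SSLProtocols=TLSv1,TLSv1.1,TLSv1.2
com.ibm.di.SSLServerProtocols=TLSv1,TLSv1.1,TLSv1.2
com.ibm.jsse2.overrideDefaultProtocol=TLSv1
com.ibm.jsse2.overrideDefaultTLS=true
"""

TLS12_ONLY = """\
com.ibm.di.SSLProtocols=TLSv1.2
com.ibm.di.SSLServerProtocols=TLSv1.2
com.ibm.jsse2.overrideDefaultProtocol=TLSv12
com.ibm.jsse2.overrideDefaultTLS=true
"""

# Pre-1.2 values, taken from the comment block: (TLSv1, TLSv1.1, TLSv1.2) for the
# com.ibm.di.SSL* properties and (SSL_TLSv2, TLSv1, TLSv11, TLSv12) for the override.
LEGACY_DI_PROTOCOLS = {"TLSv1", "TLSv1.1"}
LEGACY_JSSE_PROTOCOLS = {"SSL_TLSv2", "TLSv1", "TLSv11"}
DI_PROTOCOL_KEYS = ("com.ibm.di.SSLProtocols", "com.ibm.di.SSLServerProtocols")


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#' and '!' comment lines ignored."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def tls_findings(text):
    """Return a list of findings; an empty list means only TLSv1.2 is permitted."""
    props = parse_properties(text)
    findings = []
    for key in DI_PROTOCOL_KEYS:
        if key not in props:
            continue  # property absent: SDI default applies, nothing to judge here
        values = [v.strip() for v in props[key].split(",") if v.strip()]
        legacy = sorted(set(values) & LEGACY_DI_PROTOCOLS)
        if legacy:
            findings.append(f"{key} still permits {', '.join(legacy)}")
        if "TLSv1.2" not in values:
            findings.append(f"{key} does not include TLSv1.2")
    override = props.get("com.ibm.jsse2.overrideDefaultProtocol")
    if override in LEGACY_JSSE_PROTOCOLS:
        findings.append(f"com.ibm.jsse2.overrideDefaultProtocol={override} selects a pre-1.2 default")
    if override is not None and props.get("com.ibm.jsse2.overrideDefaultTLS", "").lower() != "true":
        findings.append("com.ibm.jsse2.overrideDefaultTLS is not set to true")
    return findings


if __name__ == "__main__":
    for name, fragment in (("as documented", AS_DOCUMENTED), ("TLSv1.2 only", TLS12_ONLY)):
        print(name, tls_findings(fragment) or "no findings")
```

The check only reads the file; it does not prove what the running SDI negotiates. After changing the properties and restarting, confirm the result on the wire (for example with an HTTPS client pinned to TLS 1.2 against the Dispatcher) before treating the server as TLSv1.2-only.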

 

Customizing the adapter

The adapters can be customized or extended or both. The type and method of this customization varies depending on the adapter.

Customizing and extending adapters requires a number of skills. The developer must be familiar with the following concepts and skills:

- IBM Security Verify Governance Identity Manager administration
- IBM Security Verify Governance administration
- IBM Security Directory Integrator management
- Security Directory Integrator Assembly Line development
- LDAP schema management
- Working knowledge of Java™ scripting language
- Working knowledge of LDAP object classes and attributes
- Working knowledge of XML document structure

Note: If the customization requires a new Security Directory Integrator connector, the developer must also be familiar with Security Directory Integrator connector development and have working knowledge of the Java programming language.

Support for custom adapters

The integration to IBM Security Verify Governance servers, "the adapter framework", is supported. However, IBM does not support the customizations, scripts, or other modifications. If you experience a problem with a customized adapter, IBM Support may require the problem to be demonstrated on the GA version of the adapter before a PMR is opened.

 

Chapter 6: Troubleshooting

Enabling DEBUG Logs on SDI Server

Procedure:

1. Stop the SDI Server process

Pre-7.2.0-ISS-SDI-FP0008

2. Edit the <SDI_Solution_Directory>/etc/log4j.properties

3. Modify the following line:

       log4j.rootCategory=INFO, Default

   to

       log4j.rootCategory=DEBUG, Default

Post-7.2.0-ISS-SDI-FP0008

2. Edit the <SDI_Solution_Directory>/etc/log4j2.xml

3. Modify the following line:

       <Root level="info">

   to

       <Root level="debug">

4. Start the SDI Server process

5. Re-create the problem and collect the <SDI_Solution_Dir>/logs/ibmdi.log

  

 

Chapter 7: Reference

             No updates for the current release 

 

Supported Configurations

Installation Platform

The IBM Security Verify Governance Adapter for SCIMHR was built and tested on the following product versions.

Adapter Installation Platform: 

Due to continuous Java security updates that may be applied to your ISVG or ISVGIM servers, the following SDI releases are the officially supported versions:

Note: Earlier supported SDI versions may function properly; however, to resolve any communication errors, you must upgrade your SDI release to the versions officially supported by the adapters.

 

3rd Party Client Libraries:

- httpclient-4.5.2.jar
  Download the httpclient-4.5.2.jar from https://mvnrepository.com/artifact/org.apache.httpcomponents/httpclient/4.5.2

- httpcore-4.4.4.jar
  Download the httpcore-4.4.4.jar from https://mvnrepository.com/artifact/org.apache.httpcomponents/httpcore/4.4.4

- json-simple-1.1.1.jar
  Download the json-simple-1.1.1.jar from https://mvnrepository.com/artifact/com.googlecode.json-simple/json-simple/1.1.1

Managed Resource:

- SCIM Supported Target
- Aquera – Target registered with Aquera

IBM Security Verify Governance Servers:

- IBM Security Verify Governance Identity Manager (v10.0.1 FP4 release or later)
- IBM Security Verify Governance v10.0

 

Notices

This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

 

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY  10504-1785 U.S.A.

 

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

 

Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan, Ltd.
1623-14, Shimotsuruma, Yamato-shi
Kanagawa 242-8502 Japan

 

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged should contact:

IBM Corporation
2ZA4/101
11400 Burnet Road
Austin, TX 78758  U.S.A.

 

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this information and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

Trademarks

IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.

Microsoft, Windows, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.